CN109547504A - A kind of mobile sensor network intrusion detection and automated response method - Google Patents
Publication number: CN109547504A (application CN201910075324.4A)
Authority: CN (China)
Prior art keywords: network, attack, intrusion, matrix, node
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
A mobile sensor network intrusion detection and adaptive response method. The present invention relates to intrusion detection and adaptive response for mobile sensor networks. Its purpose is to solve the problem that existing work on network intrusions in mobile sensor networks usually concentrates on the targeted detection of one particular kind of attack, with defence methods that are equally specific, and therefore cannot handle network intrusions whose type is not known in advance. The process is as follows: one, monitor the network and collect data; two, process the collected data and store the processed data in an initial configuration file; three, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method; four, establish a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and select the intrusion response according to that decision table. The present invention is used in the field of security protection of mobile sensor networks.
Description
Technical field
The present invention relates to the field of security protection of mobile sensor networks, and in particular to a mobile sensor network intrusion detection and adaptive response method.
Background technique
A mobile sensor network is a network form with a dynamic topology made up of mobile terminals, and it is widely applied in military and civilian fields. Whether for the transmission of sensitive information in the military domain or the processing of confidential information in the civil domain, the lack of centralized control, the dynamic topology and the energy constraints of a mobile sensor network leave its network layer exposed to a variety of attacks, such as black hole attacks, grey hole attacks, flooding attacks and rushing attacks, which bring serious security risks to users. The security threats to mobile sensor networks must therefore be resolved. During communication it is extremely difficult to protect information completely by encryption and authentication techniques alone. To guarantee a higher level of security, it is essential to deploy a defence system on the key nodes of the network system. Compared with a firewall, an intrusion detection system is an active defence technique that compensates for some of the shortcomings of firewall technology. An intrusion detection system actively collects information from the network or system in real time and then analyses and evaluates it; if it concludes that the information violates the relevant security rules, the detection system raises an alarm and responds to the intrusive behaviour, thereby achieving protection.
However, most existing research on network intrusions in mobile sensor networks concentrates on the targeted detection of one particular kind of attack, and the defence methods are equally specific, so they cannot handle network intrusions whose type is not known in advance.
Summary of the invention
The purpose of the present invention is to solve the problem that existing work on network intrusions in mobile sensor networks usually concentrates on the targeted detection of one particular kind of attack, with defence methods that are equally specific, and therefore cannot handle network intrusions whose type is not known in advance; to this end a mobile sensor network intrusion detection and adaptive response method is proposed.
The detailed process of the mobile sensor network intrusion detection and adaptive response method is as follows:
Step 1: monitor the network and collect data;
Step 2: process the collected data and store the processed data in an initial configuration file;
Step 3: based on step 2, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method;
Step 4: based on step 3, calculate the attack confidence value and the network performance degradation value; establish the adaptive intrusion response behaviour list according to the attack confidence value and the network performance degradation value; establish a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and select the intrusion response according to that decision table.
The invention has the benefit that
The present invention proposes a reliable and effective intrusion detection and adaptive response mechanism for mobile sensor networks (IDARM). The core of IDARM is the adaptive intrusion response mechanism, whose main tasks are: first, the management node calculates the attack confidence value from the detection information and the accusation information; then the parameters in the matrix are used to calculate the network performance degradation value, which evaluates the severity of the attack; finally, a suitable response behaviour is selected to realize an effective intrusion response. IDARM solves the problem that existing work on network intrusions in mobile sensor networks concentrates on the targeted detection of one particular kind of attack, with defence methods that are equally specific, and so cannot handle network intrusions whose type is not known in advance.
Fig. 4 to Fig. 6 show the success rate and false alarm rate of IDARM under flooding, black hole, grey hole and rushing attacks. For each network size (25, 50 or 100 nodes), using the average speed of the test nodes, 40 runs were executed without an intruder and 40 runs with an intruder. The results show that IDARM achieves a high success rate and a low false alarm rate for these attacks.
Evaluation of IDARM's selection of intrusion response behaviour:
Fig. 7 and Fig. 8 show which intrusion response behaviour IDARM selects under a black hole attack; the results show that for black hole attacks IDARM selects complete isolation in 90% of cases on average.
Fig. 9 shows which intrusion response behaviour IDARM selects under a flooding attack; the results show that IDARM selects isolation of the intruding node in 78% of cases on average, which overall demonstrates the appropriateness of the selected behaviour, and that IDARM scales well to larger networks of more than 100 nodes.
Fig. 10 shows which intrusion response behaviour IDARM selects under a rushing attack. The figure shows that for this attack IDARM selects not punishing the intruding node in the majority of cases. This is because the influence of a rushing attack on network performance is usually very low, and taking strict isolation measures against a minor attack would in fact itself degrade network performance. The results therefore show the flexibility and effectiveness of IDARM.
Influence of IDARM on network performance:
Figure 11 and Figure 12 show the effectiveness of the intrusion response mechanism in networks of 25 and 50 nodes respectively. In each of the 25-node and 50-node networks 30 attacks were executed: 10 attacks with no response to the intrusion, 10 attacks with a fixed response (isolating the intruder) in all cases, and 10 attacks with the adaptive intrusion response. The statistics show that the average network performance degradation value is lowest when the adaptive response mechanism is used. The adaptive response mechanism not only minimizes the negative effect on network performance across all attacks, but for some minor attacks (such as rushing attacks or some grey hole attacks) it significantly reduces the degradation of network performance.
Detailed description of the invention
Fig. 1 is the architectural model of IDARM;
Fig. 2 is the architectural model of the adaptive intrusion response method;
Fig. 3 plots, for a test sliding window of p=5, how Pc changes with d for different values of P;
Fig. 4 is the curve of success rate and false alarm rate under flooding attack;
Fig. 5 is the curve of success rate and false alarm rate under black hole and grey hole attacks;
Fig. 6 is the curve of success rate and false alarm rate under rushing attack;
Fig. 7 is the curve of intrusion response action selection under black hole attack;
Fig. 8 is the curve of intrusion response action selection under black hole attack with an improved NP level;
Fig. 9 is the curve of intrusion response action selection under flooding attack;
Figure 10 is the curve of intrusion response action selection under rushing attack;
Figure 11 is the effectiveness curve of intrusion response against various attacks in a 25-node network;
Figure 12 is the effectiveness curve of intrusion response against various attacks in a 50-node network.
Specific embodiment
Specific embodiment 1: the detailed process of the mobile sensor network intrusion detection and adaptive response method of this embodiment is as follows:
Step 1: monitor the network and collect data;
Step 2: process the collected data and store the processed data in an initial configuration file (ITP);
Step 3: based on step 2, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method;
Step 4: based on step 3, calculate the attack confidence value (ACV) and the network performance degradation value (NP); establish the adaptive intrusion response behaviour list according to the ACV and the NP; establish a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and select the intrusion response according to that decision table, as in Fig. 2;
First, the management node calculates the attack confidence value from the detection information and the accusation information; then the parameters in the matrix are used to calculate the network performance degradation value, which measures the severity of the attack; finally, a suitable response behaviour is selected to realize an effective intrusion response;
The response behaviour is selected according to the decision table; the decision table defines the selection criterion for the intrusion response behaviour according to the attack confidence level, the network performance degradation level and the appropriateness of the intrusion response behaviour in the current environment.
The principle and process of this embodiment are described in detail below. It should be noted that, in the view of the present invention, with an appropriate choice of matrix the adaptive defence mechanism can also be applied effectively to attacks on the physical layer and the data link layer. The initial behaviour of the network is assumed to be free of anomalies. A clustered mobile network organization is adopted in this study: all network nodes are divided by function into three roles, management node, cluster head and clustered node.
The knowledge base model of the mobile sensor network intrusion detection and adaptive response mechanism, abbreviated IDARM, is as follows:
Specific embodiment 2: this embodiment differs from specific embodiment 1 in that the network is monitored and data are collected in step 1; the detailed process is as follows:
Fig. 1 is the architecture of IDARM, in which the first step is network monitoring and data collection. In order to realize intrusion detection and provide prevention and protection for the whole network, IDARM periodically collects data in the network so as to monitor the entire network.
Collecting data means that after each interval the cluster heads collect data from the clustered nodes in their virtual clusters; these data are stored in matrix form in the network characterization matrix and the performance matrix;
The cluster heads report the network characterization matrix and the performance matrix to the management node;
The network characterization matrix is composed of 7 parameters: route reply, route request, route error, lifetime (TTL) value, route request source sequence number, route reply destination sequence number and route request destination sequence number (these are obtained directly by detection);
The network characterization matrix is a two-dimensional (r × c) matrix, r being the number of rows and c the number of columns; the number of rows is 7: the first row stores the route reply sequence, the second row the route request sequence, the third row the route error sequence, the fourth row the lifetime value sequence, the fifth row the route request source sequence number sequence, the sixth row the route reply destination sequence number sequence and the seventh row the route request destination sequence number sequence. Each row thus represents a different parameter and the columns hold the data content of that parameter; since the data length differs between parameters, each row is padded with zeros at the end of its sequence so that all rows have equal length;
Its storage structure is therefore allocated dynamically by the monitor of the adaptive defence mechanism.
Network characterization matrix = [route reply, route request, route error, lifetime value, route request source sequence number, route reply destination sequence number, route request destination sequence number]
The performance matrix is composed of 4 parameters: routing protocol overhead, packet transfer ratio, lost control packet count and throughput; the performance matrix parameters are calculated from the 7 parameters of the network characterization matrix;
Performance matrix = [routing protocol overhead, packet transfer ratio, lost control packet count, throughput] (an ordinary one-dimensional matrix);
In the performance matrix, the routing protocol overhead is the ratio of the number of data packets sent to the destination node in the network to the total number of data packets required in the whole process;
The packet transfer ratio is the ratio of the number of data packets received by the destination node to the number of data packets originally sent by the source node;
The lost control packet count is the number of routing data packets lost during the routing process, where the routing process includes route discovery and route maintenance in the network;
The last parameter of the performance matrix is throughput, i.e. the number of successful data transmissions per unit time; here it represents the average network throughput.
The other steps and parameters are the same as in specific embodiment 1.
Specific embodiment 3: this embodiment differs from specific embodiments 1 and 2 in that the collected data are processed in step 2 and the processed data are stored in the initial configuration file (ITP); the detailed process is as follows:
The cluster heads continuously collect data from the clustered nodes in their virtual clusters; these data are stored in matrix form in the network characterization matrix and the performance matrix; at fixed time intervals the cluster heads report the network characterization matrix and the performance matrix to the management node;
The expected value of the network characterization matrix is written as the expectation of a set of random variables that represent the network characterization matrix, where a denotes the a-th time interval, b the b-th parameter of the network characterization matrix, and c indexes the random variables of the b-th parameter, 1 ≤ c ≤ M, M being the maximum number of random variables of the b-th parameter of the network characterization matrix in the a-th time interval;
The expected value of the performance matrix is written in the same way;
The management node calculates the expected value of the probability distribution of the network characterization matrix in the a-th time interval;
The performance matrix parameters in the a-th time interval, i.e. routing protocol overhead, packet transfer ratio, lost control packet count and throughput, are calculated from the 7 parameters of the network characterization matrix;
The management node calculates the expected value of the probability distribution of the performance matrix in the a-th time interval, 1 ≤ a ≤ N;
The management node then separately calculates the average of the network characterization matrix and of the performance matrix over the N time intervals and stores the averages in an initial configuration file (ITP) for the network characterization matrix and the performance matrix.
These initial training profiles reflect the normal behaviour and network performance of the network nodes.
The averaged network characterization matrix and performance matrix are taken as the expected values.
The other steps and parameters are the same as in specific embodiment 1 or 2.
Specific embodiment 4: this embodiment differs from one of specific embodiments 1 to 3 in that in step 3, based on step 2, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method; the detailed process is as follows:
The probability distribution of each network characterization matrix parameter is calculated and stored as the observation;
The observations come from network monitoring and data collection, which are carried out continuously across the whole network. In the early period, when the network is normal, the collected data are used as the expected values for later comparison; afterwards it is not known whether the network is abnormal, and the data collected at that time are the observations.
In the a-th time interval the management node performs a hypothesis test on the null hypothesis H0[b] for each parameter b of the observed network characterization matrix (H0[b]: the observation of the network characterization matrix conforms to the expected value), i.e. it evaluates formula (1);
In the formula, χ²[b] is the chi-square test value, computed from the observation of the network characterization matrix;
The management node performs a joint hypothesis test on all parameters of the network characterization matrix in the a-th time interval;
If the joint null hypothesis H0 (the observation of every parameter of the network characterization matrix conforms to the expected value) is rejected, an intrusion is assumed in the a-th time interval and step 4 is executed (the next stage is entered);
If the joint null hypothesis H0 is accepted, no intrusion is assumed in the a-th time interval and the initial configuration file (ITP) is updated, so that the initial configuration file reflects the current behaviour of the network (from the initial configuration file it is known whether the current network is normal).
The other steps and parameters are the same as in one of specific embodiments 1 to 3.
Specific embodiment 5: this embodiment differs from one of specific embodiments 1 to 4 in that in step 4, based on step 3, the attack confidence value (ACV) and the network performance degradation (NP) value are calculated; the adaptive intrusion response behaviour list is established according to the ACV and the NP; a decision table is established from the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and the intrusion response is selected according to that decision table, as in Fig. 2; the detailed process is as follows:
Step 4.1: calculate the attack confidence value (ACV) and the network performance degradation (NP) value;
Step 4.2: establish the adaptive intrusion response behaviour list according to the ACV and the NP value;
Step 4.3: establish a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and select the intrusion response according to that decision table.
The other steps and parameters are the same as in one of specific embodiments 1 to 4.
Specific embodiment 6: this embodiment differs from one of specific embodiments 1 to 5 in that in step 4.1 the attack confidence value (ACV) and the network performance degradation (NP) value are calculated; the detailed process is as follows:
From Fig. 3 it can be seen that when P=80% and d=1, 2 or 3, the probability of correctly identifying a node as an intruder exceeds 90%. However, avoiding false alarms is also important: for example, when P=20% the probability of correctly identifying a node as an intruder is relatively low.
For every node identified as an intruder in the current test sliding window, the management node executes the adaptive intrusion response mechanism. From the detection information and the accusation information, the management node calculates the attack confidence value (ACV):
ACV = w1·CI + w2·Pc (2)
In the formula, w1 and w2 are weight factors whose weights sum to 1; CI is the confidence interval of the chi-square statistic in the intrusion detection stage; Pc is the probability that the node is confirmed as an intruder;
The management node calculates the network performance degradation value (NP):
This is the weighted sum of the changes of the performance matrix parameter values (i.e. throughput, packet transfer ratio, routing protocol overhead and lost control packet count) from their values when not under attack to their current values.
NP = w1·ΔThroughput + w2·ΔPTR + w3·ΔRPO + w4·ΔCPD (3)
In the formula, ΔThroughput is the change in throughput; ΔPTR is the change in packet transfer ratio; ΔRPO is the change in routing protocol overhead; ΔCPD is the change in lost control packet count; w1, w2, w3 and w4 are weight factors whose weights sum to 1.
Table 1 defines 4 attack confidence levels, namely low, medium, high and very high.
Table 1: mapping of ACV values to ACV levels
The other steps and parameters are the same as in one of specific embodiments 1 to 5.
Specific embodiment 7: this embodiment differs from one of specific embodiments 1 to 6 in that in step 4.2 the adaptive intrusion response behaviour list is established according to the attack confidence value (ACV) and the network performance degradation value (NP); the detailed process is as follows:
The selected adaptive intrusion response behaviour list comprises the following:
From the list of possible intrusion response behaviours in the literature, the appropriateness of a response behaviour is judged by the size of the adverse effect that the response may have on network performance. In addition, the effectiveness of these response actions in reducing the damage caused by the attack and in preventing further attacks from the intruding node is analysed further. Finally, based on the confidence in the detected attack and the influence of the attack on network performance, a response mechanism with three intrusion response behaviours is proposed. The selected intrusion response behaviours are listed as follows:
1. Complete isolation: this response behaviour is used when the attack confidence value of the detected attack is greater than 70%, the network performance degradation value is greater than 30%, and network performance will fall after the attack starts. By isolating the intruder, the other nodes in the network treat the node regarded as an intruder as if it did not exist. Although this leads to rerouting, it still significantly improves the performance of the whole network.
2. Bypass the attacker: when 25% < attack confidence value ≤ 70% for the detected attack and 10% ≤ network performance degradation value ≤ 30%, the response mechanism bypasses the attacker. This keeps the data forwarding service in the network running normally while also preventing further attacks by the intruder.
3. No punishment: when 0% < attack confidence value ≤ 25% for the detected attack and 0% ≤ network performance degradation value < 10%, the response mechanism simply ignores the attack. This avoids a negative effect on network performance.
The other steps and parameters are the same as in one of specific embodiments 1 to 6.
Specific embodiment 8: this embodiment differs from one of specific embodiments 1 to 7 in that in step 4.3 a decision table is established from the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and the intrusion response is selected according to that decision table; the detailed process is as follows:
Using the attack confidence levels and network performance degradation levels formulated above, the intrusion response is selected from the decision table, Table 2 (a knowledge base built by the network administrator). Simulating the intrusion response selection with a decision table allows the network administrator to configure and modify the intrusion response selection process for different network environments.
Table 2: IDARM decision table
M denotes medium, H denotes high, L denotes low and H+ denotes very high;
Establishing the decision table:
The first row is the attack confidence level, which is divided into 4 grades:
Low: 0% < attack confidence value ≤ 25%;
Medium: 25% < attack confidence value ≤ 50%;
High: 50% < attack confidence value ≤ 70%;
Very high: attack confidence value > 70%;
The second row is the network performance degradation level, which is divided into 4 grades:
Low: 0% < network performance degradation value ≤ 10%;
Medium: 10% < network performance degradation value ≤ 20%;
High: 20% < network performance degradation value ≤ 30%;
Very high: network performance degradation value > 30%;
The third row is complete isolation;
The fourth row is bypass the attacker;
The fifth row is no punishment;
The intrusion response is selected according to the established decision table;
If the selected intrusion response is complete isolation or bypass the attacker, the management node notifies all nodes of the intrusion response behaviour by broadcasting an accusation packet; when a node receives the accusation packet, it first checks the packet's broadcast address and source address; if the intruder V_j accused in the packet has already been permanently or temporarily blacklisted, the node ignores and deletes the accusation packet to avoid unnecessary network traffic; otherwise the node checks the intrusion response behaviour specified for intruder V_j in the accusation packet;
1) if the selected intrusion response is no punishment, the management node ignores the intrusion;
2) if the intrusion response behaviour is complete isolation, the node first adds intruder V_j to its blacklist, then all nodes of the network isolate intruder V_j, immediately delete all data packets from blacklisted nodes and ignore the data packets from blacklisted nodes in all queues;
3) if the intrusion response behaviour is bypass the attacker, the node first adds intruder V_j to its temporary blacklist; to realize this intrusion response behaviour all nodes ignore and delete the routing data packets, i.e. route requests, route replies and data packets generated or forwarded by the intruding node V_j, so as to prevent further attacks by the intruder; all nodes exclude intruder V_j from new route discovery, that is, they select paths that do not include V_j;
At the same time, a node forwards the data packets received from V_j along existing routes in order to maintain the current data forwarding service; the node accepts the data forwarding service from V_j to reduce the possibility of adverse effects on network performance, until the node finds a new route around V_j.
This response behaviour also applies to the case where node V_j is in a key position in the network topology, or where isolating node V_j might have a significant negative effect on network performance.
The other steps and parameters are the same as in one of specific embodiments 1 to 7.
Specific embodiment 9: This embodiment differs from one of specific embodiments one to eight in that the process (in specific embodiment six) for finding the probability P_c that a node is confirmed as an intruder is as follows:
To improve the probability of correctly identifying an intruder (with a low false-alarm rate), the management node uses a test sliding window; therefore IDARM responds to an intrusion only when a node is judged to be an intruding node in several consecutive time intervals. Specifically, an intrusion response occurs only when the node is judged to be an intruding node throughout the test sliding window spanning p time intervals; p is the size of the test sliding window in time intervals, i.e. the number of checks, and d is the minimum number of detections required to confirm that the detected node is an attacker. Each detection of an intruding node within a test sliding window is a Bernoulli trial (that is, the tests performed in the test sliding window are identical and independent repeated experiments with two possible outcomes: detected or not detected); therefore the probability of confirming an intrusion in a sequence of Bernoulli trials is known;
In the formula, p is the size of the test sliding window in time intervals, i.e. the number of checks; d is the minimum number of detections required to confirm that the detected node is an attacker; the remaining term is the binomial coefficient; and P_c is the probability that the node is confirmed to be an intruder.
Other steps and parameters are the same as in one of specific embodiments one to eight.
Specific embodiment 10: This embodiment differs from one of specific embodiments one to nine in that the process (in specific embodiment four) for updating the initial configuration file (ITP) is as follows:
The initial configuration file (ITP) of the network characterization matrix is updated by an exponentially weighted moving average;
Each time interval is divided into q periods;
In the formula, the two quantities respectively represent the expected value and the observed value of network characterization matrix parameter b when the update cycle number is q;
The value of q increases within a time interval;
β is the weight factor, β=2/q-1;
Therefore, the updated profile model is expected to reflect the current behavior of the network.
Other steps and parameters are the same as in one of specific embodiments one to nine.
The beneficial effects of the present invention are verified with the following embodiment:
Embodiment one:
This embodiment is specifically prepared according to the following steps:
The prominent effect of the present invention compared with the prior art can be described in detail with reference to Fig. 4 to Fig. 12:
Evaluation criteria for attack recognition:
Fig. 4 to Fig. 6 illustrate the success rate and false-alarm rate of IDARM under flooding attack, black hole and grey hole attack, and rushing attack. For each network size of 25, 50 or 100 nodes and each average node speed, 40 runs without intrusion and 40 runs with intrusion were executed. The results show that IDARM has a high success rate and a low false-alarm rate for these attacks.
Evaluation of IDARM's selection of intrusion response behavior:
Fig. 7 and Fig. 8 illustrate IDARM's selection of intrusion response behavior under black hole attack; Fig. 8 uses the improved network performance degradation level settings. The performance of IDARM was tested after a random intruding node launched a black hole attack. The results show that, for black hole attack, IDARM selects the isolation response to the intrusion in 90% of cases.
Fig. 9 illustrates IDARM's selection of intrusion response behavior under flooding attack. The same method as for black hole attack was used, with the improved network performance degradation level settings. The results show that IDARM selects isolation of the intruding node in 78% of cases on average, which overall shows appropriate behavior selection, and that IDARM scales well to larger networks of more than 100 nodes.
Fig. 10 illustrates IDARM's selection of intrusion response behavior under rushing attack. The figure shows that, for rushing attack, IDARM selects not punishing the intruding node in most cases. This is because the influence of a rushing attack on network performance is usually very low, and taking strict isolation measures against a minor attack actually leads to degradation of network performance. The results therefore show the flexibility and validity of IDARM.
Influence of IDARM on network performance:
Fig. 11 and Fig. 12 illustrate the effectiveness of the intrusion response mechanism in networks of 25 nodes and 50 nodes respectively. 30 attacks were performed in each of the 25-node and 50-node networks: 10 attacks with no response to the intrusion, 10 attacks with a fixed response (isolating the intruder) in all cases, and 10 attacks with adaptive intrusion response. The statistics show that the average network degradation is lowest when the adaptive response mechanism is used. The adaptive response mechanism not only minimizes the negative effect on network performance in all attacks, but in some minor attacks (such as rushing attack or some grey hole attacks) it significantly reduces the degradation of network performance.
Comparison with two typical existing techniques:
Fig. 11, Fig. 12 and Table 3 respectively illustrate the comparison of IDARM with the generalized intrusion detection and defense mechanism and with the cost-sensitive intrusion response model. The data show that IDARM performs better in enhancing network performance.
Table 3 Comparison of the cost-sensitive model and IDARM
The present invention can also have various other embodiments. Without departing from the spirit and substance of the present invention, those skilled in the art may make various corresponding changes and modifications according to the present invention, but all such corresponding changes and modifications shall fall within the protection scope of the appended claims of the present invention.
Claims (10)
1. A mobile sensor network intrusion detection and automated response method, characterized in that the method comprises the following specific process:
Step 1: monitoring the network and collecting data;
Step 2: processing the collected data and storing the processed data in an initial configuration file;
Step 3: based on step 2, the management node identifies intrusions in the network using the parameters of the network characterization matrix and an anomaly-based intrusion detection method;
Step 4: based on step 3, calculating the attack confidence value and the network performance degradation value; establishing an adaptive intrusion response behavior list according to the attack confidence value and the network performance degradation value; establishing a decision table based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behavior list; and selecting an intrusion response according to the established decision table.
2. The mobile sensor network intrusion detection and automated response method according to claim 1, characterized in that monitoring the network and collecting data in step 1 is specifically as follows:
Collecting data means that, after each interval, the cluster head collects the data from the cluster nodes of the virtual cluster; the data are stored in matrix form in a network characterization matrix and a performance matrix;
The cluster head reports the network characterization matrix and the performance matrix to the management node;
The network characterization matrix consists of 7 parameters: route reply, route request, route error, lifetime value, route request source sequence, route reply destination sequence and route request destination sequence;
Network characterization matrix = [route reply, route request, route error, lifetime value, route request source sequence, route reply destination sequence, route request destination sequence]
The performance matrix consists of 4 parameters: routing protocol overhead, packet transfer ratio, number of lost control packets and throughput;
Performance matrix = [routing protocol overhead, packet transfer ratio, number of lost control packets, throughput].
3. The mobile sensor network intrusion detection and automated response method according to claim 1 or 2, characterized in that processing the collected data in step 2 and storing the processed data in the initial configuration file is specifically as follows:
The expected value of the network characterization matrix is denoted by a set of random variables representing the network characterization matrix;
where a denotes the a-th time interval, b denotes the b-th parameter of the network characterization matrix, and c indexes the random variables of the b-th parameter of the network characterization matrix, 1 ≤ c ≤ M, M being the maximum number of random variables of the b-th parameter of the network characterization matrix in the a-th time interval;
The expected value of the performance matrix is denoted by a corresponding symbol;
The management node calculates the expected value of the probability distribution of the network characterization matrix in the a-th time interval;
The performance matrix parameters in the a-th time interval, i.e. routing protocol overhead, packet transfer ratio, number of lost control packets and throughput, are calculated from the 7 parameters of the network characterization matrix;
The management node calculates the expected value P(bYc a) of the probability distribution of the performance matrix in the a-th time interval, 1 ≤ a ≤ N;
Then the management node separately calculates the average values of the network characterization matrix and the performance matrix over the N time intervals, and stores the averages in an initial configuration file for the network characterization matrix and the performance matrix.
4. The mobile sensor network intrusion detection and automated response method according to claim 3, characterized in that, in step 3, the management node identifying intrusions in the network based on step 2 using the parameters of the network characterization matrix and an anomaly-based intrusion detection method is specifically as follows:
The probability distribution of each network characterization matrix parameter is calculated and stored as the observed value of that parameter's probability distribution;
In the a-th time interval, the management node performs a hypothesis test of the null hypothesis H_0[b] for each observed parameter b of the network characterization matrix, i.e. calculates formula (1);
In the formula, X²[b] is the chi-square test value, and the other symbol is the observed value of the network characterization matrix;
The management node performs a joint hypothesis test on all parameters of the network characterization matrix in the a-th time interval;
If the joint null hypothesis H_0 is rejected, an intrusion is assumed in the a-th time interval and step 4 is executed;
If the joint null hypothesis H_0 is accepted, it is assumed that there is no intrusion in the a-th time interval, and the initial configuration file is updated.
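The hypothesis test of claim 4, carried through on constructed data as an added example; this code is written for this page and is not the patent's or IDARM's own implementation. Each of the seven network characterization matrix parameters is summarised per time interval as a histogram over M value bins, the initial configuration file supplies the expected bin probabilities, and X²[b] is computed against them and compared with the chi-square distribution. The Pearson goodness-of-fit form of formula (1), the rule of summing the per-parameter statistics for the joint test, the 5% significance level, the bin layout and all counts are assumptions of the example, not values taken from the page.

```python
import math

# The seven network characterization matrix parameters named in claim 2.
NCM_PARAMETERS = (
    "route_reply", "route_request", "route_error", "lifetime_value",
    "rreq_source_sequence", "rrep_destination_sequence", "rreq_destination_sequence",
)


def chi2_sf(x, dof):
    """Upper-tail probability P(chi-square with `dof` degrees of freedom > x).

    Computed as the regularized upper incomplete gamma Q(dof/2, x/2) with the
    recurrence Q(a+1, z) = Q(a, z) + z^a e^(-z) / Gamma(a+1), so no SciPy is needed.
    """
    if x <= 0.0:
        return 1.0
    z = x / 2.0
    if dof % 2 == 0:
        a, q = 1.0, math.exp(-z)               # Q(1, z)
    else:
        a, q = 0.5, math.erfc(math.sqrt(z))    # Q(1/2, z)
    while a < dof / 2.0:
        q += math.exp(a * math.log(z) - z - math.lgamma(a + 1.0))
        a += 1.0
    return min(q, 1.0)


def chi_square_statistic(observed_counts, expected_probs):
    """X^2[b] = sum_c (O_c - E_c)^2 / E_c with E_c = n * p_c (Pearson form assumed for formula (1))."""
    n = sum(observed_counts)
    return sum((o - n * p) ** 2 / (n * p) for o, p in zip(observed_counts, expected_probs))


def check_interval(profile, observations, alpha=0.05):
    """Per-parameter tests of H0[b] plus the joint test for one time interval.

    profile:      parameter -> expected bin probabilities from the initial configuration file
    observations: parameter -> observed bin counts in this interval
    Joint test (assumption): per-parameter statistics and degrees of freedom are
    summed, since independent chi-square variables add.
    Returns (intrusion_flag, joint_p_value, {parameter: (X2, p_value)}).
    """
    per_parameter = {}
    joint_stat, joint_dof = 0.0, 0
    for name in NCM_PARAMETERS:
        stat = chi_square_statistic(observations[name], profile[name])
        dof = len(profile[name]) - 1
        per_parameter[name] = (stat, chi2_sf(stat, dof))
        joint_stat += stat
        joint_dof += dof
    joint_p = chi2_sf(joint_stat, joint_dof)
    return joint_p < alpha, joint_p, per_parameter


# Constructed sample data: M = 3 value bins per parameter, profile probabilities 0.5/0.3/0.2.
PROFILE = {name: [0.5, 0.3, 0.2] for name in NCM_PARAMETERS}
NORMAL_INTERVAL = {name: [52, 29, 19] for name in NCM_PARAMETERS}
BLACK_HOLE_INTERVAL = dict(NORMAL_INTERVAL)
BLACK_HOLE_INTERVAL["route_reply"] = [10, 20, 70]   # far more route replies than the profile expects

if __name__ == "__main__":
    for label, obs in (("normal", NORMAL_INTERVAL), ("black hole", BLACK_HOLE_INTERVAL)):
        flag, p, _ = check_interval(PROFILE, obs)
        print(f"{label}: joint p-value {p:.4g} -> {'intrusion' if flag else 'no intrusion'}")
```

The normal interval keeps every parameter close to its expected distribution and H_0 is accepted; in the second interval the route reply histogram is shifted, X²[route_reply] alone is far above any reasonable critical value, and the joint test rejects, which is the point at which step 4 would be entered.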
5. The mobile sensor network intrusion detection and automated response method according to claim 4, characterized in that, in step 4, calculating the attack confidence value and the network performance degradation value based on step 3, establishing the adaptive intrusion response behavior list according to the attack confidence value and the network performance degradation value, establishing the decision table based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting the intrusion response according to the established decision table, is specifically as follows:
Step 4.1: calculating the attack confidence value and the network performance degradation value;
Step 4.2: establishing the adaptive intrusion response behavior list according to the attack confidence value and the network performance degradation value;
Step 4.3: establishing the decision table based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting the intrusion response according to the established decision table.
6. The mobile sensor network intrusion detection and automated response method according to claim 5, characterized in that calculating the attack confidence value and the network performance degradation value in step 4.1 is specifically as follows:
The management node calculates the attack confidence value:
ACV = w_1·CI + w_2·P_c   (2)
In the formula, w_1 and w_2 are weight factors whose sum equals 1; CI is the confidence interval; P_c is the probability that the node is confirmed to be an intruder;
The management node calculates the network performance degradation value:
NP = w_1·ΔThroughput + w_2·ΔPTR + w_3·ΔRPO + w_4·ΔCPD   (3)
In the formula, ΔThroughput is the change in throughput; ΔPTR is the change in packet transfer ratio; ΔRPO is the change in routing protocol overhead; ΔCPD is the change in the number of lost control packets; w_3 and w_4 are weight factors, and the weights sum to 1.
7. The mobile sensor network intrusion detection and automated response method according to claim 6, characterized in that establishing the adaptive intrusion response behavior list in step 4.2 according to the attack confidence value and the network performance degradation value is specifically as follows:
The adaptive intrusion response behavior list for selection includes:
1. Complete isolation: when the detected attack confidence value is greater than 70% and the network performance degradation value is greater than 30%;
2. Bypassing the attacker: when 25% < detected attack confidence value ≤ 70% and 10% ≤ network performance degradation value ≤ 30%;
3. No punishment: when 0% < detected attack confidence value ≤ 25% and 0% ≤ network performance degradation value < 10%.
8. The mobile sensor network intrusion detection and automated response method according to claim 7, characterized in that establishing the decision table in step 4.3 based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting the intrusion response according to the established decision table, is specifically as follows:
Establish the decision table:
The first row is the attack confidence level, which is divided into 4 grades:
Low: 0% < attack confidence value ≤ 25%;
Medium: 25% < attack confidence value ≤ 50%;
High: 50% < attack confidence value ≤ 70%;
Very high: attack confidence value > 70%;
The second row is the network performance degradation level, which is divided into 4 grades:
Low: 0% < network performance degradation value ≤ 10%;
Medium: 10% < network performance degradation value ≤ 20%;
High: 20% < network performance degradation value ≤ 30%;
Very high: network performance degradation value > 30%;
The third row is complete isolation;
The fourth row is bypassing the attacker;
The fifth row is no punishment;
The intrusion response is selected according to the established decision table;
1) If the selected intrusion response is no punishment, the management node ignores the intrusion;
2) If the intrusion response behavior is complete isolation, the node first adds intruder V_j to its blacklist; all nodes in the network then isolate intruder V_j, immediately delete all data packets from blacklisted nodes, and ignore packets from blacklisted nodes in all queues;
3) If the intrusion response behavior is bypassing the attacker, the node first adds intruder V_j to its temporary blacklist; all nodes ignore and delete routing packets, where routing packets include route requests, route replies and packets generated or forwarded by the intruding node V_j;
All nodes exclude intruder V_j from new route discovery, selecting paths that do not include V_j;
Meanwhile, a node forwards the data packets received from V_j along the existing route, until it finds a new route around V_j.
9. The mobile sensor network intrusion detection and automated response method according to claim 8, characterized in that the process for finding the probability P_c that a node is confirmed as an intruder is as follows:
In the formula, p is the size of the test sliding window in time intervals, i.e. the number of checks; d is the minimum number of detections required to confirm that the detected node is an attacker; the remaining term is the binomial coefficient; and P_c is the probability that the node is confirmed to be an intruder.
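The test sliding window of claim 9 and specific embodiment 9, as an added example written for this page and not the patent's own code. The window keeps the last p per-interval verdicts for a node and confirms it only when at least d of them flag it; the same binomial tail gives P_c from the per-check flag probability and, applied to a detector's per-check false-alarm rate, shows how p and d keep the false-response rate low. Because the page does not reproduce its formula, the binomial tail form sum over k = d..p of C(p,k)·θ^k·(1-θ)^(p-k), the use of the window's own flag rate as θ, the class and function names and all numbers are assumptions of the example.

```python
from collections import deque
from math import comb


def confirmation_probability(p, d, theta):
    """Probability that at least d of p independent per-interval checks flag a node
    when each check flags it with probability theta (binomial tail, assumed form)."""
    if not 1 <= d <= p:
        raise ValueError("need 1 <= d <= p")
    if not 0.0 <= theta <= 1.0:
        raise ValueError("theta must be a probability")
    return sum(comb(p, k) * theta ** k * (1.0 - theta) ** (p - k) for k in range(d, p + 1))


class DetectionWindow:
    """Sliding window over the last p per-interval verdicts for one node."""

    def __init__(self, p, d):
        self.p, self.d = p, d
        self.verdicts = deque(maxlen=p)   # the oldest verdict drops out automatically

    def record(self, flagged):
        """Append this interval's verdict: True if the node was judged an intruder."""
        self.verdicts.append(bool(flagged))

    def detections(self):
        return sum(self.verdicts)

    def confirmed(self):
        """Respond only once the window is full and at least d checks flagged the node."""
        return len(self.verdicts) == self.p and self.detections() >= self.d

    def pc(self):
        """P_c using the window's own flag rate as the per-check probability (assumption)."""
        if not self.verdicts:
            return 0.0
        theta = self.detections() / len(self.verdicts)
        return confirmation_probability(self.p, self.d, theta)


def false_confirmation_rate(p, d, per_check_false_alarm):
    """Chance that a benign node is confirmed, given the detector's per-check false-alarm rate.
    Raising p and d drives this down, which is what the window is for."""
    return confirmation_probability(p, d, per_check_false_alarm)


if __name__ == "__main__":
    window = DetectionWindow(p=4, d=3)
    for verdict in (True, True, False, True):     # constructed per-interval verdicts
        window.record(verdict)
    print("confirmed:", window.confirmed(), "P_c:", window.pc())
    print("benign node confirmed at 5% per-check false alarms:", false_confirmation_rate(4, 3, 0.05))
```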
10. The mobile sensor network intrusion detection and automated response method according to claim 9, characterized in that the process for updating the initial configuration file is as follows:
The initial configuration file of the network characterization matrix is updated by an exponentially weighted moving average:
Each time interval is divided into q periods;
In the formula, the two quantities respectively represent the expected value and the observed value of network characterization matrix parameter b when the update cycle number is q;
β is the weight factor, β=2/q-1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910075324.4A CN109547504B (en) | 2019-01-25 | 2019-01-25 | Network intrusion detection and adaptive response method for mobile sensor |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109547504A true CN109547504A (en) | 2019-03-29 |
CN109547504B CN109547504B (en) | 2021-05-25 |
Family
ID=65838663
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910075324.4A Expired - Fee Related CN109547504B (en) | 2019-01-25 | 2019-01-25 | Network intrusion detection and adaptive response method for mobile sensor |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109547504B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101102314A (en) * | 2007-06-21 | 2008-01-09 | Beijing Union University | A 3-level modular intrusion detection system based on risk model |
CN101772012A (en) * | 2009-01-04 | 2010-07-07 | China Mobile Communications Corporation | Method, system and device for determining network node confidence |
CN102546638A (en) * | 2012-01-12 | 2012-07-04 | Automation Research and Design Institute of Metallurgical Industry | Scene-based hybrid intrusion detection method and system |
CN104994091A (en) * | 2015-06-30 | 2015-10-21 | Neusoft Corporation | Method and device for detecting abnormal flow, and method and device for defending against Web attack |
CN106899435A (en) * | 2017-02-21 | 2017-06-27 | Zhejiang University City College | A complex attack identification technique for wireless intrusion detection systems |
CN108462714A (en) * | 2018-03-23 | 2018-08-28 | PLA Strategic Support Force Information Engineering University | An APT defense system and defense method based on system resilience |
Non-Patent Citations (2)
Title |
---|
Qin Danyang et al.: "Research on a trust-aware secure routing mechanism for wireless sensor networks", Journal on Communications * |
Huang Jianhua et al.: "Research on adaptive response in intrusion-tolerant systems", Computer and Information Technology * |
Also Published As
Publication number | Publication date |
---|---|
CN109547504B (en) | 2021-05-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Collins et al. | Using uncleanliness to predict future botnet addresses | |
Hande et al. | A survey on intrusion detection system for software defined networks (SDN) | |
Chen et al. | Defending against TCP SYN flooding attacks under different types of IP spoofing | |
Nadeem et al. | An intrusion detection & adaptive response mechanism for MANETs | |
Jung et al. | Fast portscan detection using sequential hypothesis testing | |
CN108289088A (en) | Abnormal traffic detection system and method based on business model | |
Yang et al. | Security evaluation of the cyber networks under advanced persistent threats | |
Seufert et al. | Machine learning for automatic defence against distributed denial of service attacks | |
US7672283B1 (en) | Detecting unauthorized wireless devices in a network | |
CN108512837A (en) | A kind of method and system of the networks security situation assessment based on attacking and defending evolutionary Game | |
Al-issa et al. | Using machine learning to detect DoS attacks in wireless sensor networks | |
CN109756515B (en) | Black hole attack detection and tracking method based on suspicion degree accumulation | |
Liu et al. | TrustGuard: A flow-level reputation-based DDoS defense system | |
Ju et al. | An improved intrusion detection scheme based on weighted trust evaluation for wireless sensor networks | |
CN110138759A (en) | The lightweight self-adapting detecting method and system of Packet-In injection attacks are directed under SDN environment | |
Wan et al. | Foureye: Defensive deception against advanced persistent threats via hypergame theory | |
Wang et al. | Local detection of selfish routing behavior in ad hoc networks | |
CN114095232A (en) | Power information system dynamic threat quantitative analysis method based on hidden Markov | |
Kavisankar et al. | Efficient syn spoofing detection and mitigation scheme for ddos attack | |
Zhao et al. | Measurement integrity attacks against network tomography: Feasibility and defense | |
CN109547504A (en) | A kind of mobile sensor network intrusion detection and automated response method | |
RU2531878C1 (en) | Method of detection of computer attacks in information and telecommunication network | |
Sahu et al. | A survey on detection of malicious nodes in wireless sensor networks | |
Anbar et al. | Statistical cross-relation approach for detecting TCP and UDP random and sequential network scanning (SCANS) | |
Abou Haidar et al. | High perception intrusion detection system using neural networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20210525 Termination date: 20220125 |