CN109547504B - Network intrusion detection and adaptive response method for mobile sensor - Google Patents

Info

Publication number
CN109547504B (granted; earlier publication CN109547504A)
Application number
CN201910075324.4A
Authority
CN (China)
Prior art keywords
network, value, intrusion, attack, adaptive
Legal status
Expired - Fee Related
Original language
Chinese (zh)
Inventors
秦丹阳, 赵敏, 徐广超, 马宏斌, 王英丽
Current and original assignee
Heilongjiang University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud


Abstract

The invention discloses an intrusion detection and adaptive response method for a mobile sensor network. The invention aims to solve the problem that existing work on intrusion attacks against mobile sensor networks usually focuses on the targeted detection of a certain attack, so that the defense method is equally narrowly directed and uncertain intrusion attacks on the network cannot be handled. The process is as follows: first, monitoring the network and collecting data; secondly, processing the collected data and storing the processed data in an initial configuration file; thirdly, the management node identifies intrusions in the network by using the parameters of the network characteristic matrix with an anomaly-based intrusion detection method; and fourthly, establishing a decision table based on the attack trust level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting the intrusion response according to the established decision table. The invention is used in the field of security protection of mobile sensor networks.

Description

Network intrusion detection and adaptive response method for mobile sensor
Technical Field
The invention relates to the field of security protection of mobile sensor networks, in particular to an intrusion detection and adaptive response method for a mobile sensor network.
Background
A mobile sensor network is a network with a dynamic topology formed by mobile terminals, and is widely applied in military and civil fields. Whether it carries sensitive information in the military field or processes private information in the civil field, the mobile sensor network lacks centralized control, has a dynamic topology and is energy-limited, so its network layer is vulnerable to various attacks such as black hole attacks, grey hole attacks, flooding attacks and rapid attacks, which pose great security risks to users. Therefore, the security threats to the mobile sensor network must be addressed. If only encryption and authentication are relied on in the communication process, complete protection of information is difficult to achieve, so in order to guarantee a higher level of security it is essential to deploy defense systems on the key nodes of the network. Compared with a firewall, an intrusion detection system is an active defense technology that makes up for some shortcomings of firewall technology: it actively acquires information from the network or system in real time, analyzes and judges it, and if it concludes that the information violates the relevant security rules, it raises an alarm and responds to the intrusion behavior so as to achieve protection. However, most existing research on intrusion attacks against mobile sensor networks focuses on the targeted detection of a certain attack, and the defense method is correspondingly narrowly directed, so the situation of uncertain intrusion attacks on the network cannot be handled.
Disclosure of Invention
The invention aims to provide an intrusion detection and adaptive response method for a mobile sensor network, to solve the problem that existing work on intrusion attacks against mobile sensor networks usually focuses on the targeted detection of a certain attack, so that the defense method is equally narrowly directed and uncertain intrusion attacks on the network cannot be handled.
The mobile sensor network intrusion detection and adaptive response method comprises the following specific process:
step one, monitoring the network and collecting data;
step two, processing the collected data, and storing the processed data in an initial configuration file;
step three, based on step two, the management node identifies intrusions in the network by using the parameters of the network characteristic matrix with an anomaly-based intrusion detection method;
step four, calculating an attack trust value and a network performance degradation value based on step three; establishing an adaptive intrusion response behavior list according to the attack trust value and the network performance degradation value; and establishing a decision table based on the attack trust level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting an intrusion response according to the established decision table.
The invention has the beneficial effects that:
the invention provides a reliable and effective Intrusion Detection and Adaptive Response Mechanism (IDARM) for mobile sensor networks. The core of IDARM is the adaptive intrusion response mechanism, whose main tasks are: first, the management node calculates an attack trust value from the detection information and the command information; then, the parameters of the performance matrix are used to calculate the network performance degradation value, from which the severity of the attack is assessed; finally, a suitable response behavior is selected to achieve an effective intrusion response. IDARM solves the problem that existing work on intrusion attacks against mobile sensor networks usually focuses on the targeted detection of a certain attack, so that the defense method is equally narrowly directed and uncertain intrusion attacks on the network cannot be handled.
Fig. 4 to 6 show the success rate and the false alarm rate of IDARM under flooding attack, black hole and grey hole attack, and rapid attack. Using the average speed of the test nodes, 40 runs without intrusion and 40 runs with intruders were performed for each network size of 25, 50 or 100 nodes. The results indicate that IDARM has a high success rate and a low false alarm rate under these attacks.
Evaluation of IDARM's selection of intrusion response behavior:
Fig. 7 and 8 show the behavior of the IDARM intrusion response selection system under black hole attack; the results show that, for the black hole attack, IDARM selects complete isolation as the intrusion response in 90% of cases on average.
Fig. 9 shows the behavior of the IDARM intrusion response selection system under flooding attack; the result shows that IDARM selects isolating the intruding node in 78% of cases on average. Overall, the selected behavior is shown to be suitable, and IDARM has good flexibility for larger networks with more than 100 nodes.
Fig. 10 shows the behavior of the IDARM intrusion response selection system under rapid attack. It shows that for a mild attack such as the rapid attack, IDARM chooses not to penalize the intruding node in most cases. This is because a rapid attack typically has a low impact on network performance, and taking strict isolation measures against such a minor attack would itself degrade network performance. The results thus show the flexibility and effectiveness of IDARM.
Effect of IDARM on network performance:
Figures 11 and 12 show the effectiveness of the intrusion response mechanism in networks of 25 and 50 nodes, respectively. The attack was performed 30 times in each of the 25-node and 50-node networks: 10 times with no response to the intrusion, 10 times with a fixed response (isolating the intruder) in all cases, and 10 times with the adaptive intrusion response. The data show that the average network performance degradation value is lowest when the adaptive response mechanism is used. The adaptive response mechanism not only minimizes the negative impact on network performance across all attacks, but also significantly reduces the degradation of network performance under some mild attacks (e.g., rapid attacks or some grey hole attacks).
Drawings
FIG. 1 is a diagram of an architecture model of IDARM;
FIG. 2 is a diagram of an architectural model of an adaptive intrusion response method;
FIG. 3 is a graph of the change of P_c with d for different values of P, with a test sliding window of 5;
FIG. 4 is a graph illustrating success and false alarm rates for a flooding attack;
FIG. 5 is a graph of success and false alarm rates in black and gray holes;
FIG. 6 is a graph illustrating the success rate and false alarm rate of a rapid attack;
FIG. 7 is a graph illustrating intrusion response behavior selection in a black hole attack;
FIG. 8 is a graph of intrusion response behavior selection in a black hole attack in a modified NP level;
FIG. 9 is a graph illustrating intrusion response behavior selection in a flooding attack;
FIG. 10 is a graph of intrusion response behavior selection in a rapid attack;
FIG. 11 is a graph of the effectiveness of an intrusion response against various attacks in a 25 node network;
fig. 12 is a graph of the effectiveness of an intrusion response against various attacks in a 50-node network.
Detailed Description
The first embodiment is as follows: the method for intrusion detection and adaptive response of the mobile sensor network in the embodiment comprises the following specific processes:
monitoring a network and collecting data;
step two, processing the collected data, and storing the processed data in an initial configuration file (ITP);
step three, based on step two, the management node identifies intrusions in the network by using the parameters of the network characteristic matrix with an anomaly-based intrusion detection method;
step four, calculating an Attack Confidence Value (ACV) and a network performance degradation value (NP) based on the step three; establishing a self-adaptive intrusion response behavior list according to an Attack Confidence Value (ACV) and a network performance degradation value (NP); and establishing a decision table based on the attack trust level, the network performance degradation level and the self-adaptive intrusion response behavior list, and selecting an intrusion response according to the established decision table. As shown in FIG. 2;
firstly, the management node calculates an attack trust value according to detection information and instruction control information; then, calculating a network performance degradation value by using parameters in the performance matrix, thereby measuring the severity of the attack; finally, selecting a proper response behavior to realize effective intrusion response;
wherein the selection of the response behavior is performed according to a decision table; the decision table defines the selection standard of the intrusion response behavior according to the attack trust level, the network performance degradation level and the intrusion response behavior appropriateness under the current environment.
The principle and process of the present embodiment will be described in detail below, and it should be noted that the present invention considers that the adaptive protection mechanism can also be effectively applied to attacks at the physical layer and the data link layer through appropriate matrix selection.
And assume that the initial behavior of the network is not abnormal. And a cluster type mobile network organization form is introduced in the research, wherein all network nodes are divided into three roles of management nodes, cluster heads and cluster nodes to operate according to different functions.
A network intrusion detection and adaptive response mechanism of a mobile sensor is called IDARM for short, and a knowledge base model of the IDARM is as follows:
[knowledge base model figure not reproduced]
The second embodiment is as follows: this embodiment differs from the first embodiment in the first step, monitoring the network and collecting data; the specific process is as follows:
fig. 1 shows the architecture of IDARM, in which the first step is network monitoring and data collection. In order to perform intrusion detection and provide prevention and protection over the whole network life cycle, the IDARM mechanism collects data in the network periodically so as to monitor the whole network.
Collecting data refers to the cluster head collecting data from the cluster nodes from their virtual clusters after each interval; the data is stored in a network characteristic matrix and a performance matrix in a matrix form;
the cluster head reports the network characteristic matrix and the performance matrix to the management node;
wherein the network characteristic matrix consists of 7 parameters: route reply, route request, route error, time-to-live value, route request source sequence, route reply destination sequence and route request destination sequence (these are directly detected data);
the network characteristic matrix is a (r multiplied by c) two-dimensional matrix, wherein r is the number of rows and c is the number of columns; the number of rows is 7, the first row stores a route reply sequence, the second row stores a route request sequence, the third row stores a route error sequence, the fourth row stores a time-to-live value sequence, the fifth row stores a route request source sequence, the sixth row stores a route reply destination sequence, and the seventh row stores a route request destination sequence, so that the rows represent different parameters, the columns represent data contents contained in the parameters, the length of each column depends on the data length of the different parameters, and each row is supplemented into an equal-length sequence by zero padding at the end of the sequence;
thus, its memory structure is dynamically allocated by the adaptive protection mechanism monitor.
Network characteristic matrix = [route reply, route request, route error, time-to-live value, route request source sequence, route reply destination sequence, route request destination sequence]
The performance matrix consists of 4 parameters of routing protocol overhead, data packet transmission ratio, loss control packet quantity and throughput; the performance matrix parameters are obtained by calculation according to 7 parameters of the network feature matrix;
Performance matrix = [routing protocol overhead, data packet transmission ratio, number of lost control packets, throughput] (an ordinary one-dimensional matrix);
in the performance matrix, the routing protocol overhead refers to the ratio of the number of data packets sent to a destination node in the network to the total data packets required in the whole process;
the data packet transmission ratio is the ratio of the number of data packets received by the destination node to the initial number of data packets of the source node;
the number of lost control packets is the number of lost routing data packets in the routing process, and the routing process comprises the route discovery and route maintenance processes in the network;
the last parameter of the performance matrix is the throughput, i.e. the amount of successfully transmitted data per unit time; here representing the average throughput of the network.
Other steps and parameters are the same as those in the first embodiment.
The third concrete implementation mode: this embodiment differs from the first or second embodiment in the second step, processing the collected data and storing the processed data in an initial configuration file (ITP); the specific process is as follows:
the cluster heads constantly collect data from the cluster nodes from their virtual clusters; the data is stored in a network characteristic matrix and a performance matrix in a matrix form; the cluster head reports the network characteristic matrix and the performance matrix to the management node within a fixed time interval;
the expected values of the network characteristic matrix are denoted by [formula image not reproduced], where [formula image not reproduced] is the set of random variables representing the network characteristic matrix;
wherein a represents the a-th time interval, b represents the b-th parameter of the network characteristic matrix, c represents the number of random variables in the b-th parameter of the network characteristic matrix, 1 ≤ c ≤ M, and M is the maximum value of the random variables of the b-th parameter of the network characteristic matrix in the a-th time interval;
the expected values of the performance matrix are denoted by [formula image not reproduced];
the management node calculates the expected value of the probability distribution of the network characteristic matrix in the a-th time interval, [formula image not reproduced];
the performance matrix parameters in the a-th time interval, namely routing protocol overhead, data packet transmission ratio, number of lost control packets and throughput, are calculated from the 7 parameters of the network characteristic matrix;
the management node calculates the expected value of the probability distribution of the performance matrix in the a-th time interval, [formula image not reproduced], 1 ≤ a ≤ N;
the management node calculates the average values of the network characteristic matrix and the performance matrix over the N time intervals respectively, and then stores the average values in the initial configuration file (ITP) of the network characteristic matrix and the performance matrix.
These initial training profiles reflect the normal behavior of the nodes in the network and the network performance.
The network characteristic matrix [formula image not reproduced] and the performance matrix [formula image not reproduced] serve as the expected values.
Other steps and parameters are the same as those in the first or second embodiment.
The fourth concrete implementation mode: this embodiment differs from the first to third embodiments in the third step, in which, based on step two, the management node identifies intrusions in the network by using the parameters of the network characteristic matrix with an anomaly-based intrusion detection method; the specific process is as follows:
calculating the probability distribution of each network characteristic matrix parameter, and storing the probability distribution of each parameter as an observed value;
the observations are derived from network monitoring and data collection, which are performed at all times throughout the network. In the early stage, the collected data are used as the expected values of the normal network and are compared against later data; at that later time it is not known whether the network is normal, and the collected data are called the observed values.
For each parameter b of the network characteristic matrix observed in the a-th time interval, the management node performs a hypothesis test with null hypothesis H0[b] (the observed value of the network characteristic matrix agrees with the expected value), i.e. calculates formula (1);
[formula (1) image not reproduced]
where χ²[b] is the chi-square test value and [formula image not reproduced] is the observed value of the network characteristic matrix;
the management node performs a joint hypothesis test over all parameters of the network characteristic matrix in the a-th time interval;
if the joint null hypothesis H0 (the observed value of each parameter of the network characteristic matrix agrees with its expected value) is rejected, it is assumed that an intrusion occurred in the a-th time interval and step four is executed (i.e. the next phase is entered);
if the joint null hypothesis H0 is accepted, it is assumed that no intrusion occurred in the a-th time interval, and the initial configuration file (ITP) is updated so that it reflects the current behavior of the network (from which it can be known whether the current network is normal).
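The detection step of the third and fourth embodiments worked through in Python, as an added example that is not the patent's own code: constructed sample intervals are zero-padded into the 7-row network characteristic matrix, averaged over N = 3 intervals into the initial training profile (ITP), and each observed interval is tested parameter by parameter against the ITP, with the joint null hypothesis rejected (intrusion) as soon as any H0[b] is rejected. Assumptions: since formula (1) survives only as an image, Pearson's chi-square goodness-of-fit statistic at the 95% level is used; each matrix row is treated as the per-bin frequency distribution of its parameter; and the ITP update after a normal interval is a running mean.

```python
"""Anomaly-based intrusion detection step of IDARM (added example; assumptions noted inline)."""
from typing import Dict, List

# Row order of the network characteristic matrix as listed in the description.
FEATURE_ROWS = ("route_reply", "route_request", "route_error", "ttl",
                "rreq_source_seq", "rrep_dest_seq", "rreq_dest_seq")

# Upper 5% critical values of the chi-square distribution (alpha = 0.05) for df = 1..7.
CHI2_CRIT_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592, 7: 14.067}

# Constructed sample data: each interval is 7 rows (one per parameter) of per-bin counts,
# i.e. the observed frequency distribution of that parameter within the interval.
# The route_error row of the first interval is shorter on purpose to show zero padding.
TRAINING_INTERVALS = [
    [[20, 15, 10, 5], [30, 25, 15, 10], [5, 3, 2], [10, 20, 30, 40],
     [25, 25, 25, 25], [15, 15, 10, 10], [20, 20, 20, 20]],
    [[22, 14, 9, 5], [33, 22, 18, 11], [6, 3, 2, 1], [11, 19, 31, 39],
     [26, 24, 25, 25], [14, 16, 10, 10], [21, 19, 20, 20]],
    [[18, 16, 11, 5], [27, 28, 12, 9], [4, 3, 2, 2], [9, 21, 29, 41],
     [24, 26, 25, 25], [16, 14, 10, 10], [19, 21, 20, 20]],
]
OBSERVED_NORMAL = [[21, 15, 10, 4], [31, 24, 16, 10], [5, 4, 2, 1], [10, 21, 29, 40],
                   [25, 26, 24, 25], [15, 14, 11, 10], [20, 21, 19, 20]]
# Same interval but with a surge of route requests, as a flooding attack would produce.
OBSERVED_FLOOD = [row[:] for row in OBSERVED_NORMAL]
OBSERVED_FLOOD[1] = [120, 95, 60, 45]


def pad_matrix(rows: List[List[float]], width: int = 0) -> List[List[float]]:
    """Zero-pad every row at its end so the matrix is a rectangular r x c array."""
    width = max(width, max(len(r) for r in rows))
    return [list(r) + [0] * (width - len(r)) for r in rows]


def build_itp(intervals: List[List[List[int]]]) -> List[List[float]]:
    """Average N training intervals element-wise into the initial training profile."""
    width = max(len(r) for m in intervals for r in m)
    padded = [pad_matrix(m, width) for m in intervals]
    n = len(padded)
    return [[sum(m[i][j] for m in padded) / n for j in range(width)]
            for i in range(len(FEATURE_ROWS))]


def chi_square(observed: List[float], expected: List[float]) -> Dict[str, float]:
    """Pearson chi-square of one parameter's observed bin counts against its ITP row.
    Expected counts are used as-is (not rescaled), so a pure volume surge is visible.
    Bins with zero expected count are skipped (they would divide by zero), so df drops.
    """
    stat, used = 0.0, 0
    for o, e in zip(observed, expected):
        if e > 0:
            stat += (o - e) ** 2 / e
            used += 1
    return {"stat": stat, "df": max(used - 1, 0)}


def detect_intrusion(observed: List[List[int]], itp: List[List[float]]) -> Dict:
    """Joint test: H0 is rejected (intrusion) as soon as any parameter's H0[b] is rejected."""
    observed = pad_matrix(observed, len(itp[0]))
    stats, rejected = {}, []
    for name, o_row, e_row in zip(FEATURE_ROWS, observed, itp):
        r = chi_square(o_row, e_row)
        stats[name] = r["stat"]
        # A row with no testable bins (df 0) or more bins than the table covers is not judged.
        if r["df"] in CHI2_CRIT_95 and r["stat"] > CHI2_CRIT_95[r["df"]]:
            rejected.append(name)
    return {"intrusion": bool(rejected), "rejected": rejected, "stats": stats}


def update_itp(itp: List[List[float]], observed: List[List[int]], n: int) -> List[List[float]]:
    """Fold an interval judged normal into the profile (running mean over n + 1 intervals)."""
    observed = pad_matrix(observed, len(itp[0]))
    return [[(e * n + o) / (n + 1) for o, e in zip(o_row, e_row)]
            for o_row, e_row in zip(observed, itp)]


if __name__ == "__main__":
    profile = build_itp(TRAINING_INTERVALS)
    print(detect_intrusion(OBSERVED_NORMAL, profile))   # no parameter rejected
    print(detect_intrusion(OBSERVED_FLOOD, profile))    # route_request rejected
```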
Other steps and parameters are the same as those in one of the first to third embodiments.
The fifth concrete implementation mode: this embodiment differs from the first to fourth embodiments in the fourth step, in which an Attack Confidence Value (ACV) and a network performance degradation value (NP) are calculated based on step three; an adaptive intrusion response behavior list is established according to the ACV and NP; and a decision table is established based on the attack trust level, the network performance degradation level and the adaptive intrusion response behavior list, with the intrusion response selected according to the established decision table, as shown in FIG. 2; the specific process is as follows:
firstly, the management node calculates an attack trust value according to detection information and instruction control information; then, calculating the network performance degradation value by using the parameters in the performance matrix, thereby measuring the severity of the attack; finally, selecting a proper response behavior to realize effective intrusion response;
wherein the selection of the response behavior is performed according to a decision table; the decision table defines the selection standard of the intrusion response behavior according to the attack trust level, the network performance degradation level and the intrusion response behavior appropriateness under the current environment.
step four-one, calculating the attack trust value (ACV) and the network performance degradation value (NP);
step four-two, establishing an adaptive intrusion response behavior list according to the attack trust value (ACV) and the network performance degradation value (NP);
step four-three, establishing a decision table based on the attack trust level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting an intrusion response according to the established decision table.
Other steps and parameters are the same as in one of the first to fourth embodiments.
The sixth specific implementation mode: this embodiment differs from the first to fifth embodiments in step four-one, calculating the Attack Confidence Value (ACV) and the network performance degradation value (NP); the specific process is as follows:
as can be seen from fig. 3, when P is 80% and d is 1, 2 or 3, the probability of correctly identifying a node as an intruder exceeds 90%. However, it is also important to avoid false positives, e.g., if P is 20%, the probability of correctly identifying a node as an intruder can be low.
In the current test sliding window, the management node executes an adaptive intrusion response mechanism for all nodes identified as intruders. According to the detection information and the command control information, the management node calculates an attack trust value (ACV):
ACV = w1·CI + w2·Pc (2)
where w1 and w2 are weighting factors whose sum equals 1, CI is the confidence interval of the chi-square test in the intrusion detection stage, and Pc is the probability of confirming the node as an intruder;
the management node calculates a network performance degradation value (NP):
this is a weighted sum of the changes in the performance matrix parameter values (i.e., throughput, packet transfer ratio, routing protocol overhead, and number of lost control packets) to the current value when not under attack.
NP = w1·ΔThroughput + w2·ΔPTR + w3·ΔRPO + w4·ΔCPD (3)
where ΔThroughput is the change in throughput, ΔPTR is the change in data packet transmission ratio, ΔRPO is the change in routing protocol overhead, ΔCPD is the change in the number of lost control packets, and w1, w2, w3 and w4 are weighting factors whose sum equals 1.
Table 1 defines 4 attack trust levels, i.e. low, medium, high and very high.
TABLE 1 ACV value to ACV level mapping table
[table image not reproduced; the mapping is: low, 0% < ACV ≤ 25%; medium, 25% < ACV ≤ 50%; high, 50% < ACV ≤ 70%; very high, ACV > 70%, as defined in the eighth embodiment below]
Other steps and parameters are the same as those in one of the first to fifth embodiments.
The seventh embodiment: this embodiment differs from the first to sixth embodiments in step four-two, establishing an adaptive intrusion response behavior list according to the Attack Confidence Value (ACV) and the network performance degradation value (NP); the specific process is as follows:
The list of selected adaptive intrusion response behaviors is established as follows:
From the list of possible intrusion response behaviors in the literature, the suitability of each response behavior is judged by the magnitude of the adverse effect it may have on network performance. The effectiveness of these response behaviors in reducing the damage caused by the attack and preventing further attacks from the intruding node is further analyzed. Finally, based on the credibility of the detected attack and the influence of the attack on network performance, a response mechanism with three intrusion response behaviors is provided. The set of selected intrusion response behaviors is listed below:
1. Complete isolation: used when the detected attack trust value is greater than 70% and the network performance degradation value is greater than 30%, i.e. when network performance has degraded after the attack began. By isolating the intruder, the other nodes in the network treat the intruder as not present. Although this causes rerouting, it still significantly improves overall network performance.
2. Bypassing the attacker: when 25% < attack trust value ≤ 70% and 10% ≤ network performance degradation value ≤ 30% are detected, the response mechanism bypasses the attacker. This both keeps the data forwarding service in the network running and prevents further attacks by the intruder.
3. No penalty: when 0% < attack trust value ≤ 25% and 0% ≤ network performance degradation value < 10% are detected, the response mechanism simply ignores the attack. This avoids a negative impact on network performance.
Other steps and parameters are the same as those in one of the first to sixth embodiments.
The eighth specific implementation mode: this embodiment differs from the first to seventh embodiments in step four-three, establishing a decision table based on the attack trust level, the network performance degradation level and the adaptive intrusion response behavior list, and selecting the intrusion response according to the established decision table; the specific process is as follows:
table 2 (a knowledge base constructed by a network administrator) selects intrusion responses in a decision table using the attack confidence level and network performance degradation level set forth above. Simulation of intrusion response selection through a decision table allows a network administrator to configure and modify the intrusion response selection process for different network environments.
TABLE 2 IDARM decision table
[decision table image not reproduced]
M represents medium, H represents high, L represents low, H + represents very high;
establishing a decision table:
the first row is the attack trust level, which is divided into 4 levels:
low: 0% < attack trust value ≤ 25%;
medium: 25% < attack trust value ≤ 50%;
high: 50% < attack trust value ≤ 70%;
very high: attack trust value > 70%;
the second row is the network performance degradation level, which is divided into 4 levels:
low: 0% < network performance degradation value ≤ 10%;
medium: 10% < network performance degradation value ≤ 20%;
high: 20% < network performance degradation value ≤ 30%;
very high: network performance degradation value > 30%;
the third row is complete isolation;
the fourth row is bypassing the attacker;
the fifth row is no penalty;
selecting an intrusion response according to the established decision table;
if the selected intrusion response is complete isolation or bypassing the attacker, the management node informs all nodes of the intrusion response behaviour by broadcasting an instruction packet; when a node receives the instruction packet, it first checks the packet's broadcast address and source address; if the intruder V_j named in the instruction packet is already on the node's permanent or temporary blacklist, the node ignores and deletes the instruction packet to prevent unnecessary network traffic; otherwise, the node reads from the instruction packet the intrusion response behaviour specified for intruder V_j;
1) if the selected intrusion response is no penalty, the management node ignores the intrusion;
2) if the intrusion response behaviour is complete isolation, each node first adds the intruder V_j to its blacklist, so that V_j is isolated from all nodes of the network; packets from a blacklisted node are deleted immediately, and any of its packets already in the queue are discarded;
3) if the intrusion response behaviour is bypassing the attacker, each node first adds the intruder V_j to its temporary blacklist; to implement this response, all nodes ignore and delete routing packets (route requests and route replies) generated or forwarded by the intruding node V_j, to prevent further attacks by the intruder;
all nodes exclude the intruder V_j from new route discovery, i.e. they choose paths that do not include V_j;
at the same time, a node forwards data packets received from V_j along the existing route, to maintain the current data forwarding service, and keeps accepting data packets from V_j so as to reduce the likelihood of adverse effects on network performance, until the node has found a new route around V_j.
This response behaviour also suits the case where the node V_j sits at a key position in the network topology, so that isolating V_j could have a significant negative impact on network performance.
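The selection and enforcement procedure of embodiments seven and eight, as an added example (not the patent's own code). It maps the attack trust value and network performance degradation value to the levels of Table 2, looks up the response, and shows how a node applies the broadcast instruction packet: a permanent blacklist for complete isolation, a temporary blacklist for bypassing that drops routing packets involving V_j and excludes V_j from route discovery while data already on existing routes keeps flowing. Only the three cells the text defines (isolate, bypass, no penalty) come from the page; the other nine cells of the 4x4 table, the packet field names and the sample node identifiers are assumptions of this example.

```python
"""Added example (not the patent's own code): IDARM-style response selection and
node-side enforcement. Inputs are the attack trust value (ACV) and network
performance degradation value (NP), both in percent, as defined in the text.
The three decision-table cells the text defines (isolate / bypass / no penalty)
are taken from it; the remaining nine cells are an ASSUMED fallback policy,
since the page leaves them to the administrator's knowledge base.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

ISOLATE, BYPASS, NO_PENALTY = "isolate", "bypass", "no_penalty"
LEVELS = ["L", "M", "H", "H+"]            # low, medium, high, very high
ROUTING_KINDS = {"RREQ", "RREP", "RERR"}  # route request / reply / error


def trust_level(acv: float) -> str:
    """Attack trust level: (0,25] L, (25,50] M, (50,70] H, >70 H+ (first row of Table 2)."""
    return "H+" if acv > 70 else "H" if acv > 50 else "M" if acv > 25 else "L"


def degradation_level(np_pct: float) -> str:
    """Network performance degradation level: (0,10] L, (10,20] M, (20,30] H, >30 H+."""
    return "H+" if np_pct > 30 else "H" if np_pct > 20 else "M" if np_pct > 10 else "L"


def build_decision_table() -> dict:
    """Return {(trust_level, degradation_level): response}.

    Cells fixed by the text: (H+,H+) -> isolate; (M|H, M|H) -> bypass; (L,L) -> no penalty.
    ASSUMED fallback for every other cell: act on the less severe of the two levels
    (rank 0 -> no penalty, 1-2 -> bypass, 3 -> isolate), so a high-confidence but
    low-impact intruder is not isolated at the cost of network performance.
    """
    table = {("H+", "H+"): ISOLATE, ("L", "L"): NO_PENALTY}
    for t in ("M", "H"):
        for d in ("M", "H"):
            table[(t, d)] = BYPASS
    for t in LEVELS:
        for d in LEVELS:
            rank = min(LEVELS.index(t), LEVELS.index(d))
            table.setdefault((t, d), NO_PENALTY if rank == 0 else ISOLATE if rank == 3 else BYPASS)
    return table


DECISION_TABLE = build_decision_table()


def select_response(acv: float, np_pct: float) -> str:
    """Step four-three: look up the response for the detected ACV / NP pair."""
    return DECISION_TABLE[(trust_level(acv), degradation_level(np_pct))]


@dataclass
class Node:
    """A sensor node applying a broadcast instruction packet from the management node."""
    node_id: str
    blacklist: set = field(default_factory=set)        # permanent: complete isolation
    temp_blacklist: set = field(default_factory=set)   # temporary: bypass the attacker
    queue: deque = field(default_factory=deque)        # packets awaiting forwarding

    def handle_instruction(self, pkt: dict) -> str:
        """pkt = {'intruder': V_j, 'response': ...} (field names assumed)."""
        v = pkt["intruder"]
        if v in self.blacklist or v in self.temp_blacklist:
            return "ignored"                           # already known: drop to save traffic
        if pkt["response"] == ISOLATE:
            self.blacklist.add(v)
            # discard anything from V_j that is still queued
            self.queue = deque(p for p in self.queue if v not in (p["origin"], p["prev_hop"]))
        elif pkt["response"] == BYPASS:
            self.temp_blacklist.add(v)
        return pkt["response"]

    def accepts(self, pkt: dict) -> bool:
        """pkt = {'kind': 'RREQ'|'RREP'|'RERR'|'DATA', 'origin': ..., 'prev_hop': ...}."""
        involved = {pkt["origin"], pkt["prev_hop"]}
        if involved & self.blacklist:
            return False                               # isolated: drop everything
        if pkt["kind"] in ROUTING_KINDS and involved & self.temp_blacklist:
            return False                               # bypass: no routing packets via V_j
        return True                                    # data on existing routes still flows

    def choose_route(self, candidates: list) -> Optional[list]:
        """New route discovery never picks a path through a blacklisted node."""
        banned = self.blacklist | self.temp_blacklist
        return next((p for p in candidates if not (banned & set(p))), None)
```

The example follows the level boundaries of Table 2 rather than the response list, so a degradation value of exactly 10% falls in the low level (the list in embodiment seven puts 10% at the lower edge of "bypass"); a deployment should pick one convention and document it. The fallback policy for the undefined cells is the example's own and is the knob an administrator would tune.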
Other steps and parameters are the same as those in one of the first to seventh embodiments.
Embodiment nine: this embodiment differs from embodiments one to eight in that the probability P_c that a node is confirmed as an intruder (in embodiment six) is calculated as follows:
to raise the probability of correctly identifying an intruder (i.e., to keep the false positive rate low), the management node uses a test sliding window; IDARM therefore responds to an intrusion only if a node has been judged an intruding node over several time intervals. Specifically, an intrusion response occurs only when a node is judged an intruding node in a plurality of the p test sliding windows in the time interval; p is the size of the test sliding window in the time interval, i.e. the number of checks, and d is the minimum number of detections required to confirm that the detected node is an attacker; the detection of an intruding node within a test sliding window is a Bernoulli trial (that is, the trials in the test sliding window are identical and independent repetitions with two possible outcomes: detection or no detection), so the probability of confirming an intrusion in a sequence of Bernoulli trials is known:

P_c = \sum_{i=d}^{p} \binom{p}{i} P^{i} (1-P)^{p-i}

where p is the size of the test sliding window in the time interval, i.e. the number of checks; d is the minimum number of detections required to confirm that the detected node is an attacker; P is the probability that a single check detects the node; \binom{p}{i} is the binomial coefficient; and P_c is the probability of confirming the node as an intruder (the formula is reconstructed from these definitions as the binomial tail of the Bernoulli trial sequence; the original is an image not reproduced here).
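The confirmation step of embodiment nine, as an added example (not the patent's own code). It evaluates P_c as the binomial tail, keeps a per-node sliding window of the last p verdicts and confirms only at d or more detections, and adds the check a practitioner wants before choosing d: running the same formula with the per-check false positive rate in place of P gives the probability that a benign node is wrongly confirmed. The per-check probabilities and node names are constructed sample values.

```python
"""Added example (not the patent's own code): confirming an intruder over a test
sliding window. P_c is the binomial tail of embodiment nine; the window keeps
the last p per-interval verdicts for each node and confirms only when at least
d of them are detections. The per-check detection probability P and the
false-positive rate used below are constructed sample values.
"""
from collections import deque
from math import comb


def confirm_probability(p: int, d: int, P: float) -> float:
    """P_c = sum_{i=d}^{p} C(p,i) P^i (1-P)^(p-i): at least d detections in p checks."""
    if not 0 <= d <= p or not 0.0 <= P <= 1.0:
        raise ValueError("need 0 <= d <= p and 0 <= P <= 1")
    return sum(comb(p, i) * P ** i * (1 - P) ** (p - i) for i in range(d, p + 1))


def min_detections_for_fp(p: int, fp_rate: float, target: float) -> int:
    """Smallest d such that a benign node, flagged by a single check with
    probability fp_rate, is wrongly confirmed with probability at most target.
    Returns p + 1 if no d in 1..p meets the target (window too short)."""
    for d in range(1, p + 1):
        if confirm_probability(p, d, fp_rate) <= target:
            return d
    return p + 1


class SlidingWindowConfirmer:
    """Tracks the last p per-interval verdicts per node; confirms at >= d detections."""

    def __init__(self, p: int, d: int):
        if not 1 <= d <= p:
            raise ValueError("need 1 <= d <= p")
        self.p, self.d = p, d
        self._windows: dict = {}

    def observe(self, node_id: str, detected: bool) -> bool:
        """Record this interval's verdict for node_id; True means 'confirmed intruder'."""
        win = self._windows.setdefault(node_id, deque(maxlen=self.p))
        win.append(detected)
        return sum(win) >= self.d


if __name__ == "__main__":
    print(round(confirm_probability(5, 3, 0.6), 5))   # 0.68256
    print(min_detections_for_fp(5, 0.1, 0.01))          # 3
```

With p = 5 checks and a per-check false positive rate of 10%, d = 1 would wrongly confirm a benign node about 41% of the time and d = 2 about 8%; d = 3 brings this under 1%, at the cost that an attacker detected with P = 0.6 per check is confirmed with probability only about 0.68. Raising p rather than d recovers detection probability without loosening the false positive bound.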
Other steps and parameters are the same as those in one of embodiments one to eight.
Embodiment ten: this embodiment differs from embodiments one to nine in that the initial configuration file (ITP) (in embodiment four) is updated as follows:
the initial configuration file (ITP) of the network feature matrix is updated by an exponentially weighted moving average:

\hat{E}^{b}_{q} = \beta\, O^{b}_{q} + (1-\beta)\, \hat{E}^{b}_{q-1}

each time interval is divided into q periods;
in the formula, \hat{E}^{b}_{q} and O^{b}_{q} respectively denote the expected value and the observed value of network feature matrix parameter b when the update period number is q (symbols chosen here; the originals are images not reproduced);
the value of q increases within the time interval;
β is a weighting factor, β = 2/(q+1) (the standard EWMA smoothing factor; the extracted text reads "2/q-1");
thus the updated expected profile reflects the current behaviour of the network.
Other steps and parameters are the same as those in one of the first to ninth embodiments.
The following example demonstrates the beneficial effects of the present invention:
Example 1:
The outstanding effects of the present invention compared with the prior art are explained with reference to Figs. 4 to 12:
evaluation criteria for attack identification:
Figs. 4 to 6 show the success rate and false alarm rate of IDARM under flooding, black hole, gray hole and rushing attacks (the translation renders the last variously as blast, rapid or brute force attack; it is taken here to be the rushing attack). Using the average speed of the test nodes, 40 runs without intrusion and 40 runs with intrusion were performed for each network size of 25, 50 and 100 nodes. The results show that IDARM achieves a high success rate and a low false alarm rate against these attacks.
Evaluation of the intrusion response behaviour selected by IDARM:
Figs. 7 and 8 show the behaviour of IDARM's response selection in a black hole attack, Fig. 8 using an improved network performance degradation level setting. The performance of IDARM was tested after launching a black hole attack from a random intruding node. The results show that for black hole attacks IDARM selects isolation as the response in 90% of cases.
Fig. 9 shows the behaviour of IDARM's response selection in a flooding attack, following the same approach as for the black hole attack with the improved network performance degradation level setting. The results show that IDARM selects isolation of the intruding node in 78% of cases on average, which demonstrates the appropriateness of the selected behaviour in general; IDARM also remains flexible in larger networks of more than 100 nodes.
Fig. 10 shows the behaviour of IDARM's response selection in a rushing attack. For a mild attack such as a rushing attack, IDARM chooses not to penalise the intruding node in most cases, because a rushing attack typically has a low impact on network performance, and applying strict isolation to a minor attack would itself degrade network performance. The results thus show the flexibility and effectiveness of IDARM.
Effect of idram on network performance:
Figs. 11 and 12 show the effectiveness of the intrusion response mechanism in networks of 25 and 50 nodes, respectively. Thirty attacks were run in each network: 10 with no response to the intrusion, 10 with a fixed response (isolating the intruder) in all cases, and 10 with the adaptive intrusion response. The data show that the average network degradation is lowest with the adaptive response mechanism. The adaptive response mechanism not only minimises the negative impact on network performance across all attacks, but also significantly reduces the degradation of network performance under some mild attacks (e.g., rushing attacks or some gray hole attacks).
Compared with the prior two typical technologies:
Figs. 11 and 12 and Table 3 compare IDARM with the generalised intrusion detection and prevention mechanism and with the cost-sensitive intrusion response model, respectively. The data show that IDARM performs better in enhancing network performance.
TABLE 3 comparison of cost sensitive models and IDARM
[Table 3: comparison of the cost-sensitive model and IDARM (image not reproduced in this text)]
The present invention is capable of other embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and scope of the present invention.

Claims (10)

1. A mobile sensor network intrusion detection and adaptive response method, characterised in that the method comprises the following specific process:
step one, monitoring the network and collecting data;
step two, processing the collected data and storing the processed data in an initial configuration file;
step three, based on step two, the management node identifies intrusion in the network from the parameters of the network feature matrix using an anomaly-based intrusion detection method;
step four, based on step three, calculating an attack trust value and a network performance degradation value; establishing an adaptive intrusion response behaviour list from the attack trust value and the network performance degradation value; establishing a decision table from the attack trust level, the network performance degradation level and the adaptive intrusion response behaviour list, and selecting an intrusion response from the established decision table.
2. The mobile sensor network intrusion detection and adaptive response method according to claim 1, characterised in that the network is monitored and data collected in step one as follows:
collecting data means that, after each interval, the cluster head collects data from the cluster nodes of its virtual cluster; the data are stored in matrix form in a network feature matrix and a performance matrix;
the cluster head reports the network feature matrix and the performance matrix to the management node;
the network feature matrix consists of 7 parameters: route reply, route request, route error, time-to-live value, route request source sequence, route reply destination sequence and route request destination sequence;
network feature matrix = [route reply, route request, route error, time-to-live value, route request source sequence, route reply destination sequence, route request destination sequence];
the performance matrix consists of 4 parameters: routing protocol overhead, data packet transmission ratio, number of lost control packets and throughput;
performance matrix = [routing protocol overhead, data packet transmission ratio, number of lost control packets, throughput].
3. The mobile sensor network intrusion detection and adaptive response method according to claim 1 or 2, characterised in that the collected data are processed in step two and the processed data are stored in an initial configuration file; the specific process is as follows:
the expected values of the network feature matrix are denoted by an expected-value symbol (the original symbol is an image not reproduced here), and the network feature matrix is represented by a set of random variables (symbol likewise not reproduced);
where a denotes the a-th time interval, b the b-th parameter of the network feature matrix and c the index of a random variable within the b-th parameter, 1 ≤ c ≤ M, M being the number of random variables of the b-th parameter of the network feature matrix in the a-th time interval;
the expected value of the performance matrix is denoted by a corresponding expected-value symbol (image not reproduced);
the management node calculates the expected value of the probability distribution of the network feature matrix in the a-th time interval, and from the 7 parameters of the network feature matrix calculates the performance matrix parameters in the a-th time interval, namely routing protocol overhead, data packet transmission ratio, number of lost control packets and throughput;
the management node calculates the expected value of the probability distribution of the performance matrix in the a-th time interval, 1 ≤ a ≤ N;
the management node then calculates the averages of the network feature matrices and of the performance matrices over the N time intervals, and stores them in the initial configuration files of the network feature matrix and of the performance matrix.
4. The mobile sensor network intrusion detection and adaptive response method according to claim 3, characterised in that, in step three, based on step two, the management node identifies intrusion in the network from the parameters of the network feature matrix using an anomaly-based intrusion detection method; the specific process is as follows:
the probability distribution of each network feature matrix parameter is calculated and stored as the observed value;
for each parameter b of the network feature matrix observed in the a-th time interval, the management node performs a hypothesis test with null hypothesis H0[b], i.e. calculates equation (1):

X^2[b] = \sum_{c=1}^{M} \frac{(O_{a,b,c} - E_{a,b,c})^2}{E_{a,b,c}}   (1)

where X^2[b] is the chi-square test value, O_{a,b,c} is the observed value of the network feature matrix and E_{a,b,c} its expected value from the initial configuration file, for random variable c of parameter b in the a-th time interval (equation (1) is reconstructed as the Pearson chi-square statistic from these definitions; the original formula and symbols are images not reproduced here);
the management node performs a joint hypothesis test over all parameters of the network feature matrix in the a-th time interval;
if the joint null hypothesis H0 is rejected, intrusion is assumed to have occurred in the a-th time interval and step four is executed;
if the joint null hypothesis H0 is accepted, no intrusion is assumed in the a-th time interval and the initial configuration file is updated.
5. The mobile sensor network intrusion detection and adaptive response method according to claim 4, characterised in that, in step four, the attack trust value and the network performance degradation value are calculated based on step three; an adaptive intrusion response behaviour list is established from the attack trust value and the network performance degradation value; a decision table is established from the attack trust level, the network performance degradation level and the adaptive intrusion response behaviour list, and the intrusion response is selected from the established decision table; the specific process is as follows:
step four-one, calculating the attack trust value and the network performance degradation value;
step four-two, establishing the adaptive intrusion response behaviour list from the attack trust value and the network performance degradation value;
step four-three, establishing the decision table from the attack trust level, the network performance degradation level and the adaptive intrusion response behaviour list, and selecting the intrusion response from the established decision table.
6. The mobile sensor network intrusion detection and adaptive response method according to claim 5, characterised in that, in step four-one, the attack trust value and the network performance degradation value are calculated; the specific process is as follows:
the management node calculates the attack trust value:
ACV = w1·CI + w2·P_c   (2)
where w1 and w2 are weighting factors whose sum equals 1, CI is the confidence interval, and P_c is the probability of confirming the node as an intruder;
the management node calculates the network performance degradation value:
NP = w1·ΔThroughput + w2·ΔPTR + w3·ΔRPO + w4·ΔCPD   (3)
where ΔThroughput is the change in throughput, ΔPTR the change in data packet transmission ratio, ΔRPO the change in routing protocol overhead, ΔCPD the change in the number of lost control packets, and w1 to w4 are weighting factors whose sum equals 1.
7. The mobile sensor network intrusion detection and adaptive response method according to claim 6, characterised in that, in step four-two, the adaptive intrusion response behaviour list is established from the attack trust value and the network performance degradation value; the specific process is as follows:
the list of selectable adaptive intrusion response behaviours comprises:
1. complete isolation: when the detected attack trust value is > 70% and the network performance degradation value is > 30%;
2. bypassing the attacker: when the detected attack trust value satisfies 25% < value ≤ 70% and the network performance degradation value satisfies 10% ≤ value ≤ 30%;
3. no penalty: when the detected attack trust value satisfies 0% < value ≤ 25% and the network performance degradation value satisfies 0% ≤ value < 10%.
8. The mobile sensor network intrusion detection and adaptive response method according to claim 7, characterised in that, in step four-three, the decision table is established from the attack trust level, the network performance degradation level and the adaptive intrusion response behaviour list, and the intrusion response is selected from the established decision table; the specific process is as follows:
establishing the decision table:
the first row is the attack trust level, divided into 4 levels:
low: 0% < attack trust value ≤ 25%;
medium: 25% < attack trust value ≤ 50%;
high: 50% < attack trust value ≤ 70%;
very high: attack trust value > 70%;
the second row is the network performance degradation level, divided into 4 levels:
low: 0% < network performance degradation value ≤ 10%;
medium: 10% < network performance degradation value ≤ 20%;
high: 20% < network performance degradation value ≤ 30%;
very high: network performance degradation value > 30%;
the third row is complete isolation;
the fourth row is bypassing the attacker;
the fifth row is no penalty;
selecting the intrusion response from the established decision table:
1) if the selected intrusion response is no penalty, the management node ignores the intrusion;
2) if the intrusion response behaviour is complete isolation, each node first adds the intruder V_j to its blacklist, so that V_j is isolated from all nodes of the network; packets from a blacklisted node are deleted immediately, and any of its packets already in the queue are discarded;
3) if the intrusion response behaviour is bypassing the attacker, each node first adds the intruder V_j to its temporary blacklist; all nodes ignore and delete routing packets (route requests and route replies) generated or forwarded by the intruding node V_j;
all nodes exclude the intruder V_j from new route discovery, choosing paths that do not include V_j;
at the same time, a node forwards data packets received from V_j along the existing route until it has found a new route around V_j.
9. The mobile sensor network intrusion detection and adaptive response method according to claim 8, characterised in that the probability P_c that a node is confirmed as an intruder is calculated as follows:

P_c = \sum_{i=d}^{p} \binom{p}{i} P^{i} (1-P)^{p-i}

where p is the size of the test sliding window in the time interval, i.e. the number of checks; P is the probability that a single check detects the node; d is the minimum number of detections required to confirm the detected node as an attacker; \binom{p}{i} is the binomial coefficient; and P_c is the probability of confirming the node as an intruder (the formula is reconstructed from these definitions as the binomial tail of the Bernoulli trial sequence; the original is an image not reproduced here).
10. The mobile sensor network intrusion detection and adaptive response method according to claim 9, characterised in that the initial configuration file is updated as follows:
the initial configuration file of the network feature matrix is updated by an exponentially weighted moving average:

\hat{E}^{b}_{q} = \beta\, O^{b}_{q} + (1-\beta)\, \hat{E}^{b}_{q-1}

each time interval is divided into q periods;
in the formula, \hat{E}^{b}_{q} and O^{b}_{q} respectively denote the expected value and the observed value of network feature matrix parameter b when the update period number is q (symbols chosen here; the originals are images not reproduced);
β is a weighting factor, β = 2/(q+1) (the standard EWMA smoothing factor; the extracted text reads "2/q-1").
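One detection round of claims 4 and 10 (embodiment ten above), as an added example that is not the patent's own code. Each of the 7 network feature matrix parameters is held as a probability distribution over M bins; the management node runs the chi-square test of the interval's observed counts against the initial configuration file (ITP), goes to the response step if the joint null hypothesis is rejected, and otherwise updates the ITP by the exponentially weighted moving average. The significance level (0.05), the reject-if-any-parameter-rejects joint rule, the bracketing β = 2/(q+1) and the sample counts are assumptions of this example; the page states none of them.

```python
"""Added example (not the patent's own code): one detection round of claims 4 and
10 (embodiment ten). Each of the 7 network feature matrix parameters is held as a
probability distribution over M bins; the management node runs a Pearson
chi-square test of the interval's observed counts against the initial
configuration file (ITP), and only on acceptance updates the ITP by EWMA.
ASSUMED: significance level 0.05, the reject-if-any-parameter-rejects joint
rule and beta = 2/(q+1); the sample counts below are constructed.
"""
from typing import Dict, List, Tuple

FEATURES = ["rrep", "rreq", "rerr", "ttl", "rreq_src_seq", "rrep_dst_seq", "rreq_dst_seq"]
# Upper 5% points of the chi-square distribution by degrees of freedom (alpha assumed).
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592}


def chi_square(observed: List[int], expected_dist: List[float]) -> float:
    """X^2[b] = sum_c (O_c - E_c)^2 / E_c, with E_c = expected share * observed total."""
    n = sum(observed)
    if n == 0:
        raise ValueError("no observations in this interval")
    return sum((o - e * n) ** 2 / (e * n) for o, e in zip(observed, expected_dist) if e > 0)


def joint_test(observed: Dict[str, List[int]], itp: Dict[str, List[float]]) -> Dict[str, float]:
    """Return the parameters whose null hypothesis H0[b] is rejected; empty means H0 accepted."""
    rejected = {}
    for b in FEATURES:
        stat = chi_square(observed[b], itp[b])
        if stat > CHI2_CRIT_05[len(itp[b]) - 1]:      # df = M - 1
            rejected[b] = round(stat, 3)
    return rejected


def ewma_update(itp: Dict[str, List[float]], observed: Dict[str, List[int]], q: int):
    """E_q^b = beta * O_q^b + (1 - beta) * E_{q-1}^b with beta = 2/(q+1) (bracketing assumed)."""
    beta = 2.0 / (q + 1)
    new = {}
    for b in FEATURES:
        n = sum(observed[b])
        new[b] = [beta * (o / n) + (1 - beta) * e for o, e in zip(observed[b], itp[b])]
    return new


def process_interval(itp, observed, q: int) -> Tuple[str, dict, dict]:
    """Step three: reject -> hand over to step four (response), profile untouched;
    accept -> no intrusion assumed, profile updated for period q."""
    rejected = joint_test(observed, itp)
    if rejected:
        return "intrusion", itp, rejected
    return "normal", ewma_update(itp, observed, q), {}


def sample_data():
    """Constructed sample: uniform 4-bin profile; one quiet interval; one RREQ flood."""
    itp = {b: [0.25] * 4 for b in FEATURES}
    quiet = {b: [26, 24, 25, 25] for b in FEATURES}
    flood = dict(quiet)
    flood["rreq"] = [90, 5, 3, 2]      # route requests piling into one bin
    return itp, quiet, flood


if __name__ == "__main__":
    itp, quiet, flood = sample_data()
    print(process_interval(itp, quiet, q=1)[0])   # normal
    print(process_interval(itp, flood, q=2)[2])   # {'rreq': 225.52}
```

Because the profile is only updated on acceptance, a node that floods from the first interval never trains the ITP toward its own traffic; the converse risk, a slow drift that stays under the critical value each round while the EWMA follows it, is why the window parameters p and d of claim 9 sit in front of the response rather than the raw per-interval verdict.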
CN201910075324.4A 2019-01-25 2019-01-25 Network intrusion detection and adaptive response method for mobile sensor Expired - Fee Related CN109547504B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910075324.4A CN109547504B (en) 2019-01-25 2019-01-25 Network intrusion detection and adaptive response method for mobile sensor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910075324.4A CN109547504B (en) 2019-01-25 2019-01-25 Network intrusion detection and adaptive response method for mobile sensor

Publications (2)

Publication Number Publication Date
CN109547504A CN109547504A (en) 2019-03-29
CN109547504B true CN109547504B (en) 2021-05-25

Family

ID=65838663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910075324.4A Expired - Fee Related CN109547504B (en) 2019-01-25 2019-01-25 Network intrusion detection and adaptive response method for mobile sensor

Country Status (1)

Country Link
CN (1) CN109547504B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102314A (en) * 2007-06-21 2008-01-09 北京联合大学 A 3-level modular intrusion detection system based on risk model
CN101772012A (en) * 2009-01-04 2010-07-07 中国移动通信集团公司 Method, system and device for determining network node confidence
CN102546638A (en) * 2012-01-12 2012-07-04 冶金自动化研究设计院 Scene-based hybrid invasion detection method and system
CN104994091A (en) * 2015-06-30 2015-10-21 东软集团股份有限公司 Method and device for detecting abnormal flow, and method and device for defending against Web attack
CN106899435A (en) * 2017-02-21 2017-06-27 浙江大学城市学院 A kind of complex attack identification technology towards wireless invasive detecting system
CN108462714A (en) * 2018-03-23 2018-08-28 中国人民解放军战略支援部队信息工程大学 A kind of APT systems of defense and its defence method based on system resilience

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on adaptive response in intrusion-tolerant systems; Huang Jianhua et al.; 《电脑与信息技术》 (Computer and Information Technology); 2006-08-15; full text *
Research on a trust-aware secure routing mechanism for wireless sensor networks; Qin Danyang et al.; 《通信学报》 (Journal on Communications); 2017-10-25; Vol. 38, No. 10; full text *

Also Published As

Publication number Publication date
CN109547504A (en) 2019-03-29

Similar Documents

Publication Publication Date Title
Nadeem et al. An intrusion detection & adaptive response mechanism for MANETs
Chen et al. Defending against TCP SYN flooding attacks under different types of IP spoofing
Prasad et al. DoS and DDoS attacks: defense, detection and traceback mechanisms-a survey
Hande et al. A survey on intrusion detection system for software defined networks (SDN)
Al-issa et al. Using machine learning to detect DoS attacks in wireless sensor networks
Thamilarasu et al. A cross-layer approach to detect jamming attacks in wireless ad hoc networks
Andropov et al. Network anomaly detection using artificial neural networks
Ju et al. An improved intrusion detection scheme based on weighted trust evaluation for wireless sensor networks
Kumar et al. An agent based intrusion detection system for wireless network with artificial immune system (AIS) and negative clone selection
Das et al. Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics
Ma An effective method for defense against IP spoofing attack
Althubaity et al. Specification-based distributed detection of rank-related attacks in RPL-based resource-constrained real-time wireless networks
Krishnan et al. A QOS parameter based solution for black hole denial of service attack in wireless sensor networks
Kavisankar et al. Efficient syn spoofing detection and mitigation scheme for ddos attack
Khudhur et al. Physical cyber-security algorithm for wireless sensor networks
Rong et al. A novel intrusion detection algorithm for wireless sensor networks
Hariri et al. Quality-of-protection (QoP)-an online monitoring and self-protection mechanism
Sahoo et al. Defense against on-off attack in trust establishment scheme for wireless sensor network
CN109547504B (en) Network intrusion detection and adaptive response method for mobile sensor
Darwish et al. Attack detection and mitigation techniques in industrial control system-smart grid dnp3
RU2531878C1 (en) Method of detection of computer attacks in information and telecommunication network
Guo et al. A flow based detection mechanism against flooding attacks in mobile ad hoc networks
Belavagi et al. Improved intrusion detection system using quantal response equilibrium-based game model and rule-based classification
Sen et al. Mitigating black hole attacks in MANETs using a trust-based threshold mechanism
Nadeem et al. A generalized intrusion detection & prevention mechanism for securing MANETs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210525

Termination date: 20220125