CN109818793A - Device type identification and network intrusion detection method for the Internet of Things - Google Patents

Device type identification and network intrusion detection method for the Internet of Things

Info

Publication number: CN109818793A
Authority: CN (China)
Prior art keywords: internet, things, feature, pkt, period
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910089779.1A
Other languages: Chinese (zh)
Inventors: 季文翀, 王永斌, 刘廉如, 范文翰, 张忠平
Current assignee: Basic Lizi (beijing) Science And Technology Development Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Basic Lizi (beijing) Science And Technology Development Co Ltd
Application filed by Basic Lizi (beijing) Science And Technology Development Co Ltd; priority to CN201910089779.1A; published as CN109818793A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a device type identification and network intrusion detection method for the Internet of Things. The intrusion detection system consists of a device type identification and matching system and an anomaly detection system. The identification system extracts device features from the periodic character of device communication, classifies and aggregates devices by the statistical properties of their periods, and groups devices into abstract types. The anomaly detection system is a pattern recognition system based on GRU neural networks that learns and memorises normal communication behaviour to build a model of normal behaviour sequences; because a separate GRU network is designed for each device type, recognition accuracy is higher and the false alarm rate is substantially reduced. A gateway monitors the communication of all IoT devices in the network, and every IoT device is connected to the gateway directly or indirectly, so that both their communication with the internet and local communication between IoT devices can be observed. The gateway, which has more processing capacity, performs the data processing locally, avoiding the resource scarcity of IoT devices.

Description

Device type identification and network intrusion detection method for the Internet of Things
Technical field
The present invention relates to the field of internet technology, and in particular to a device type identification and network intrusion detection method for the Internet of Things.
Background art
In recent years, with the rise of Internet of Things technology, more and more electronic devices such as smart home products have come into view, bringing convenience to people's lives and changing them everywhere, and the IoT-based products of the major manufacturers grow day by day. However, the quality of the IoT products currently produced is uneven, standards are not unified, and manufacturers often neglect security when designing and producing products, so the IoT has become a disaster area for information security. Guaranteeing security requires a protection system for the IoT, and the common current solutions fall into two kinds: upgrading the firmware of the affected devices, and intrusion detection systems. Both are inefficient against novel attacks, because a new attack can only be detected after the vendor has identified it; this can cause great delay and security loss, and cannot keep pace with the rapidly growing IoT market. A system designed around the characteristics of the IoT also faces the following problems: a large number of new IoT products appear every day, a significant portion of which carry security risks, and intruders develop malware for these device vulnerabilities at any time, so the resources and effort needed to guarantee the security of IoT devices change dynamically; IoT devices have limited free memory, computing resources and power capacity, so conventional on-device intrusion detection is not applicable; IoT devices are heterogeneous, the feature distribution of individual devices is scattered and differs greatly between device types in every respect, while each class of device has relatively limited functions; and compared with other, higher-end devices, IoT devices generate less network traffic, most of it irregular user access queries.
Summary of the invention
In view of the defects and deficiencies of the prior art, the invention aims to provide a device type identification and network intrusion detection method for the Internet of Things in which a gateway monitors the communication of all IoT devices in the network. Every IoT device is connected to the gateway directly or indirectly, so that both their communication with the internet and the local communication between IoT devices can be observed, and the gateway, which has more processing capacity, performs the data processing locally, avoiding the resource scarcity of IoT devices.
To achieve this, the technical solution adopted by the invention is as follows. The system comprises a device type identification and matching system and an anomaly detection system; the device type identification and matching system contains a device fingerprint identification module, and the anomaly detection system contains an anomaly detection module. In the local area network, all IoT devices, together with PCs and smartphone applications, access the internet through a security gateway to which they are connected directly or indirectly. The device fingerprint identification module in the security gateway monitors all communication behaviour of the IoT devices and extracts mathematical features of that behaviour, then sends the features to the anomaly detection module and to the normal communication behaviour feature data set held at the central IoT service centre. In the data training stage, the anomaly detection module in the security gateway generates an anomaly detection mathematical model from the normal communication behaviour feature data set and uploads the model to the security service centre as a backup. In the real-time detection stage, the anomaly detection module applies that model to the mathematical features of the current communication behaviour to decide whether the current behaviour is abnormal, and triggers an alert for abnormal behaviour in real time.
Further, the device type identification method for the Internet of Things comprises the following steps:
One. Extract the communication period of the IoT device traffic: starting from the periodic character of IoT device network traffic, analyse its communication features and find the period, which provides preprocessed data for further feature extraction. The security gateway unpacks the data and distinguishes devices by the MAC address supplied by the link layer, processing each MAC address separately. From the device's network traffic the security gateway extracts its period with two mathematical methods, the Fourier transform and the autocorrelation function.
The method of extracting the communication period of the IoT device traffic comprises the following steps:
A. Monitor the device's communication during (0~d) s. Because network traffic statistics come in differing formats, the traffic information is first discretised in seconds to unify the format: according to whether the device communicated in the i-th time slice, output y_i as 1 or 0 (for example, with 1 s as the unit, y_i indicates whether the device communicated between i s and (i+1) s). The formulas below are defined with a 1 s unit.
B. Apply the discrete Fourier transform to y_i according to formula one:
Formula one:
Let Y_max be the maximum value in the frequency domain. Record all frequencies whose value in the frequency domain exceeds 0.8·Y_max, denoted k_i, as candidate frequencies, and obtain the pre-selected periods from them. First, to speed up the calculation and improve recognition, periods that are too short or too long are ignored. Second, to decide whether a pre-selected period T_i really measures the periodicity of the communication, the autocorrelation function of y(n) is computed at each candidate period according to formula two:
Formula two:
If R_yy(T_i) attains its maximum within the interval [0.9·T_i, 1.1·T_i] at l_i, the period is determined to exist and T_i is updated to l_i.
C. Define r_i and rn_i: the security gateway measures the accuracy of the period T_i by formula three and formula four:
Formula three:
Formula four:
where r_i is the frequency with which a signal of period T_i occurs in (0~d) s; stable periodic communication should satisfy r_i = 1. rn_i computes the frequency with which T_i and the periods adjacent to it occur in (0~d) s; stable periodic communication should satisfy r_i ≈ rn_i ≈ 1.
The communication information collected in (0~d) s can therefore be converted into {(T_1, r_1, rn_1), (T_2, r_2, rn_2), ..., (T_n, r_n, rn_n)}.
Two. Extract period features: to make fuller use of the data, the statistical properties of the periods obtained in step one are computed. The security gateway divides the observation period into several segments and reuses the {(T_1, r_1, rn_1), (T_2, r_2, rn_2), ..., (T_n, r_n, rn_n)} data converted from the traffic; the extracted features fall into four classes: (1) basic period information; (2) period inference accuracy: because the observation period is divided into several segments, the security gateway computes the mean, variance, standard deviation and similar statistics across the segments to judge whether the computed period is sufficiently stable and accurate; (3) period duration: the computed period is mapped into a corresponding interval range, which makes it easier for the later clustering model to compute the differences between IoT devices, aids classification and improves discrimination accuracy; (4) statistical stability of the inferred period: the security gateway computes r_i and rn_i for each segment and measures them by the interval range in which r_i and rn_i fall.
Three. Classify and aggregate the extracted features to obtain concrete classes: after the period features have been extracted, the features collected from the different devices are classified with the KNN algorithm, as follows:
After the security gateway has observed a device's traffic, it extracts the device's features and transmits them to the IoT security service for aggregate processing. The IoT security service measures the gap between the features of the different IoT devices reported by multiple security gateways by Euclidean distance and classifies the devices with the KNN algorithm. On receiving a feature from a distributed security gateway, the IoT security service computes its Euclidean distance to the existing features to measure the gap; if most of the k devices whose features are closest to this feature belong to one type, the device is assigned to that type and used to reinforce the recognition training for that type, otherwise it is recorded as a new type. A new type is a virtual type obtained by the clustering algorithm: if a feature matches no known type it is marked, and once enough samples have accumulated in a region, the devices in that region are labelled as a new device type. After judging, the IoT security service centre returns the verdict and the KNN training result to the local gateway. As results accumulate over time, the model learns more feature types, the number of devices the IoT security service can identify grows accordingly, and identification becomes more accurate.
Further, the basic period information in step two includes the number of periods detected, whether there is a single period, the communication protocol used, and whether the source port changes and how often it changes.
Further, the network intrusion detection method for the Internet of Things comprises the following steps:
One. Normal data collection stage: at the initial stage of system deployment, the security gateway monitors the normal communication of the IoT devices. The normal packet stream <pkt_1, pkt_2, ..., pkt_n> obtained in this stage is converted by feature extraction into the symbol sequence <s_1, s_2, ..., s_n>, pkt_i being mapped to s_i. The security gateway labels the data by device type and extracts features for each type separately; each device type corresponds to a different GRU-trained recognition model. The security gateway extracts the features of <pkt_1, pkt_2, ..., pkt_n> and converts them into the symbol sequence <s_1, s_2, ..., s_n> used to train the GRU model of the corresponding type.
The extracted features include the traffic direction, the source and destination ports of the communication, the length of the communication data, the flag values in the transport-layer TCP header, the specific protocol type used, and the generation interval between packets.
Two. Normal data training:
The local security gateway trains a local GRU neural network with the extracted features <s_1, s_2, ..., s_n> and then uploads the training result to the IoT security service centre. The service centre aggregates and integrates the training results from multiple LAN security gateways into a GRU neural network that integrates all the data, and issues the integrated result to each local gateway as a further discrimination model.
Three. Real-time anomaly detection:
If an IoT device in the network is infected by a malicious program, the security gateway starts to recognise abnormal communication. The security gateway monitors the device's communication and extracts the features <s_1, s_2, ..., s_n>; with the symbol sequence as input, recognition is performed with the GRU neural network integrated by the IoT security service centre, and the GRU network outputs the probability of occurrence of each symbol. For convenience of description the following definitions are used:
Definition 1: when the occurrence probability p_i of the symbol s_i mapped from the traffic pkt_i satisfies p_i < δ, the traffic pkt_i is called suspicious, where δ is a set threshold.
Definition 2: for a traffic sequence <pkt_1, pkt_2, ..., pkt_ω>, ω being the window length, when the number of suspicious packets in it exceeds the threshold ω·γ, the sequence <pkt_1, pkt_2, ..., pkt_ω> is called suspicious; that is, <pkt_1, pkt_2, ..., pkt_ω> is suspicious if and only if the number of i with p_i < δ exceeds ω·γ.
Through the training on normal traffic in step one, the GRU network outputs high probabilities for normal traffic, while abnormal traffic, which was not seen in the training of step one, receives low probabilities; by setting a suitable threshold the security gateway can identify abnormal traffic. After identification, if the traffic is normal, the local gateway uses it to strengthen the training of the GRU network. To reduce the false alarm rate, the security gateway defines abnormal traffic sequences and raises an alarm only when several packets within the window are abnormal. Because of the heterogeneity of IoT devices, the communication features of different LANs differ considerably, so the security gateway uploads its recognition results to the IoT security service centre, which integrates the data into a new overall recognition model and issues it to each local gateway, improving recognition capability.
With the above scheme, the invention has the following beneficial effects: the device type identification and network intrusion detection method for the Internet of Things can efficiently detect and classify the types of IoT devices in the local area network, monitor network communication and identify abnormal behaviour. The intrusion detection system consists of two subsystems, a device type identification and matching system and an anomaly detection system. The identification system extracts device features from the periodic character of device communication, classifies and aggregates devices by the statistical properties of their periods, and groups devices into abstract types. The anomaly detection system is a pattern recognition system based on GRU neural networks that learns and memorises normal communication behaviour to build a model of normal behaviour sequences; because a separate GRU network is designed for each device type, recognition accuracy is higher and the false alarm rate is substantially reduced.
Description of the drawings
To explain the embodiments of the invention or the technical solution of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the specific architecture of the invention.
Detailed description
The invention is further described below with reference to the drawings.
The technical solution adopted in this embodiment is as follows. The system comprises a device type identification and matching system and an anomaly detection system; the device type identification and matching system contains a device fingerprint identification module, and the anomaly detection system contains an anomaly detection module. Referring to Fig. 1, in the local area network all IoT devices, together with PCs and smartphone applications, access the internet through a security gateway to which they are connected directly or indirectly. The device fingerprint identification module in the security gateway monitors all communication behaviour of the IoT devices and extracts mathematical features of that behaviour, then sends the features to the anomaly detection module and to the normal communication behaviour feature data set held at the central IoT service centre. In the data training stage, the anomaly detection module in the security gateway generates an anomaly detection mathematical model from the normal communication behaviour feature data set and uploads the model to the security service centre as a backup. In the real-time detection stage, the anomaly detection module applies that model to the mathematical features of the current communication behaviour to decide whether the current behaviour is abnormal, and triggers an alert for abnormal behaviour in real time.
The device type identification method for the Internet of Things comprises the following steps:
One. Extract the communication period of the IoT device traffic: starting from the periodic character of IoT device network traffic, analyse its communication features and find the period, which provides preprocessed data for further feature extraction. The security gateway unpacks the data and distinguishes devices by the MAC address supplied by the link layer, processing each MAC address separately. From the device's network traffic the security gateway extracts its period with two mathematical methods, the Fourier transform and the autocorrelation function.
The method of extracting the communication period of the IoT device traffic comprises the following steps:
A. Monitor the device's communication during (0~d) s. Because network traffic statistics come in differing formats, the traffic information is first discretised in seconds to unify the format: according to whether the device communicated in the i-th time slice, output y_i as 1 or 0 (for example, with 1 s as the unit, y_i indicates whether the device communicated between i s and (i+1) s). The formulas below are defined with a 1 s unit.
B. Apply the discrete Fourier transform to y_i according to formula one:
Formula one:
Let Y_max be the maximum value in the frequency domain. Record all frequencies whose value in the frequency domain exceeds 0.8·Y_max, denoted k_i, as candidate frequencies, and obtain the pre-selected periods from them. First, to speed up the calculation and improve recognition, periods that are too short or too long are ignored. Second, to decide whether a pre-selected period T_i really measures the periodicity of the communication, the autocorrelation function of y(n) is computed at each candidate period according to formula two:
Formula two:
If R_yy(T_i) attains its maximum within the interval [0.9·T_i, 1.1·T_i] at l_i, the period is determined to exist and T_i is updated to l_i.
C. Define r_i and rn_i: the security gateway measures the accuracy of the period T_i by formula three and formula four:
Formula three:
Formula four:
where r_i is the frequency with which a signal of period T_i occurs in (0~d) s; stable periodic communication should satisfy r_i = 1. rn_i computes the frequency with which T_i and the periods adjacent to it occur in (0~d) s; stable periodic communication should satisfy r_i ≈ rn_i ≈ 1.
The communication information collected in (0~d) s can therefore be converted into {(T_1, r_1, rn_1), (T_2, r_2, rn_2), ..., (T_n, r_n, rn_n)}.
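The period extraction of steps A to C, as an added worked example in Python; it is not part of the patent and not the applicant's code. The packet timestamps are constructed (a 30 s beacon over d = 600 s, one beacon arriving 1 s late, three irregular packets standing in for user queries). The discrete Fourier transform is written out in pure Python so nothing beyond the standard library is needed; the standard mean-removed, normalised autocorrelation stands in for formula two, and the r/rn measures are an assumed reading of formulas three and four (the share of expected periodic slots that carry traffic, without and with one second of tolerance), because none of the four formulas survive on the page. The bounds on accepted periods (t_min, t_max) and the minimum correlation min_corr are likewise assumptions that the page does not state.

```python
from math import cos, sin, pi, sqrt

# Constructed sample, not captured traffic: a device that beacons every 30 s over
# d = 600 s, with the beacon due at 240 s arriving one second late (241 s) and
# three irregular packets (7 s, 123 s, 401 s) standing in for user-driven queries.
SAMPLE_TIMESTAMPS = sorted(
    [30 * m for m in range(1, 20) if m != 8] + [241, 7, 123, 401]
)


def discretise(timestamps, d, unit=1.0):
    """Step A: y[i] = 1 if the device sent anything in [i*unit, (i+1)*unit)."""
    n = int(d // unit)
    y = [0] * n
    for t in timestamps:
        i = int(t // unit)
        if 0 <= i < n:
            y[i] = 1
    return y


def dft_magnitudes(y):
    """|Y[k]| for k = 0..n//2, written out as a plain DFT (an FFT gives the same)."""
    n = len(y)
    mags = []
    for k in range(n // 2 + 1):
        re = sum(y[i] * cos(2 * pi * k * i / n) for i in range(n))
        im = -sum(y[i] * sin(2 * pi * k * i / n) for i in range(n))
        mags.append(sqrt(re * re + im * im))
    return mags


def candidate_periods(y, ratio=0.8, t_min=5, t_max=None):
    """Step B, first half: bins k with |Y[k]| > ratio*Y_max give candidate
    periods n/k.  Bin 0 (the DC term) is skipped; t_min and t_max implement
    'ignore periods that are too short or too long' (bounds assumed here)."""
    n = len(y)
    mags = dft_magnitudes(y)
    if t_max is None:
        t_max = n // 2
    y_max = max(mags[1:])
    cands = set()
    for k in range(1, len(mags)):
        if mags[k] > ratio * y_max:
            t = round(n / k)
            if t_min <= t <= t_max:
                cands.add(t)
    return sorted(cands)


def autocorr(y, lag):
    """Mean-removed, normalised autocorrelation R_yy(lag); the standard form,
    assumed here to correspond to formula two."""
    n = len(y)
    mean = sum(y) / n
    den = sum((v - mean) ** 2 for v in y)
    if den == 0:
        return 0.0
    num = sum((y[i] - mean) * (y[i + lag] - mean) for i in range(n - lag))
    return num / den


def refine_period(y, t, min_corr=0.3):
    """Step B, second half: keep t only if R_yy peaks inside [0.9t, 1.1t]; the
    peak lag replaces t.  min_corr (assumed, not on the page) drops weak peaks
    caused by a single coincidental pair of packets."""
    lo, hi = max(1, int(0.9 * t)), min(len(y) - 2, int(1.1 * t))
    if lo > hi:
        return None
    best = max(range(lo, hi + 1), key=lambda lag: autocorr(y, lag))
    r = autocorr(y, best)
    if r < min_corr or r <= autocorr(y, best - 1) or r <= autocorr(y, best + 1):
        return None
    return best


def period_stability(y, t):
    """Step C, assumed reading of formulas three and four: r = share of the
    expected slots (every t seconds, at the phase carrying most traffic) that
    saw traffic; rn = the same allowing one second of jitter either side."""
    n = len(y)
    phase = max(range(t), key=lambda p: sum(y[p::t]))
    slots = range(phase, n, t)
    hits = sum(y[i] for i in slots)
    near = sum(
        1 for i in slots if any(y[j] for j in range(max(0, i - 1), min(n, i + 2)))
    )
    return hits / len(slots), near / len(slots)


def extract_periods(timestamps, d):
    """Whole pipeline for one device (one MAC address): [(T_i, r_i, rn_i), ...]."""
    y = discretise(timestamps, d)
    found = {}
    for t in candidate_periods(y):
        refined = refine_period(y, t)
        if refined is not None and refined not in found:
            found[refined] = period_stability(y, refined)
    return [(t, r, rn) for t, (r, rn) in sorted(found.items())]


if __name__ == "__main__":
    for t, r, rn in extract_periods(SAMPLE_TIMESTAMPS, 600):
        print(f"period {t} s  r={r:.2f}  rn={rn:.2f}")
```

On the constructed sample the spectrum also lights up the harmonics of the 30 s beacon (15 s, 10 s, ...), which is why the autocorrelation check of step B is needed: only the 30 s lag is an actual peak, and the late beacon shows up as r = 0.90 against rn = 0.95, the gap between the two measures that step C uses to judge stability.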
Two. Extract period features: to make fuller use of the data, the statistical properties of the periods obtained in step one are computed. The security gateway divides the observation period into several segments and reuses the {(T_1, r_1, rn_1), (T_2, r_2, rn_2), ..., (T_n, r_n, rn_n)} data converted from the traffic; the extracted features fall into four classes: (1) basic period information, which includes the number of periods detected, whether there is a single period, the communication protocol used, and whether the source port changes and how often it changes; (2) period inference accuracy: because the observation period is divided into several segments, the security gateway computes the mean, variance, standard deviation and similar statistics across the segments to judge whether the computed period is sufficiently stable and accurate; (3) period duration: the computed period is mapped into a corresponding interval range, which makes it easier for the later clustering model to compute the differences between IoT devices, aids classification and improves discrimination accuracy; (4) statistical stability of the inferred period: the security gateway computes r_i and rn_i for each segment and measures them by the interval range in which r_i and rn_i fall.
Three. Classify and aggregate the extracted features to obtain concrete classes: after the period features have been extracted, the features collected from the different devices are classified with the KNN algorithm, as follows:
After the security gateway has observed a device's traffic, it extracts the device's features and transmits them to the IoT security service for aggregate processing. The IoT security service measures the gap between the features of the different IoT devices reported by multiple security gateways by Euclidean distance and classifies the devices with the KNN algorithm. On receiving a feature from a distributed security gateway, the IoT security service computes its Euclidean distance to the existing features to measure the gap; if most of the k devices whose features are closest to this feature belong to one type, the device is assigned to that type and used to reinforce the recognition training for that type, otherwise it is recorded as a new type. A new type is a virtual type obtained by the clustering algorithm: if a feature matches no known type it is marked, and once enough samples have accumulated in a region, the devices in that region are labelled as a new device type. After judging, the IoT security service centre returns the verdict and the KNN training result to the local gateway. As results accumulate over time, the model learns more feature types, the number of devices the IoT security service can identify grows accordingly, and identification becomes more accurate.
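The KNN assignment with new-type creation of step three, as an added Python example that is not the patent's code. The feature vectors are constructed as (period interval index, number of periods found, mean r, mean rn), following the four feature classes of step two with the period mapped to a log2 interval index; the labelled reference set, the distance bound max_dist and the sample count min_new needed before a region is promoted to a new type are assumptions, since the page only says "enough samples in a region".

```python
from collections import Counter
from math import sqrt

# Constructed feature vectors, not measured devices: each is
# (period interval index = floor(log2(T)), number of periods found, mean r, mean rn),
# following the four feature classes of step two.
KNOWN_DEVICES = [
    ((5, 1, 0.95, 1.00), "thermostat"),   # ~60 s reporting interval
    ((5, 1, 1.00, 1.00), "thermostat"),
    ((5, 1, 0.90, 0.95), "thermostat"),
    ((2, 2, 1.00, 1.00), "camera"),       # ~5 s keep-alive plus a second period
    ((2, 2, 0.98, 1.00), "camera"),
    ((2, 2, 0.95, 1.00), "camera"),
]


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class DeviceTypeIndex:
    """KNN over device feature vectors with unsupervised creation of new types.

    max_dist (how close a neighbour must be to count as a match) and min_new
    (how many unmatched samples must gather in one region before it becomes a
    new type) are assumed parameters; the page only says 'enough samples'."""

    def __init__(self, k=3, max_dist=1.0, min_new=3):
        self.k, self.max_dist, self.min_new = k, max_dist, min_new
        self.labelled = []   # (vector, type) pairs the service already knows
        self.pending = []    # vectors that matched no known type yet
        self.next_id = 1

    def add_labelled(self, vec, label):
        self.labelled.append((tuple(vec), label))

    def classify(self, vec):
        """Return the device type, or None while the sample is still pending."""
        vec = tuple(vec)
        if len(self.labelled) >= self.k:
            nearest = sorted(self.labelled, key=lambda p: euclid(vec, p[0]))[: self.k]
            close = [lab for v, lab in nearest if euclid(vec, v) <= self.max_dist]
            if close:
                label, votes = Counter(close).most_common(1)[0]
                if votes > self.k // 2:                 # majority of the k neighbours
                    self.labelled.append((vec, label))  # reinforce that type
                    return label
        # No known type: park the sample; promote a dense region to a new type.
        self.pending.append(vec)
        region = [v for v in self.pending if euclid(vec, v) <= self.max_dist]
        if len(region) >= self.min_new:
            label = f"type-{self.next_id}"
            self.next_id += 1
            for v in region:
                self.labelled.append((v, label))
            self.pending = [v for v in self.pending if v not in region]
            return label
        return None


def build_sample_index():
    idx = DeviceTypeIndex()
    for vec, label in KNOWN_DEVICES:
        idx.add_labelled(vec, label)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for q in [(5, 1, 0.92, 0.98), (11, 1, 0.80, 0.90),
              (11, 1, 0.85, 0.90), (11, 1, 0.82, 0.88)]:
        print(q, "->", idx.classify(q))
```

The distance bound matters: without it, the three nearest neighbours of a device with a period nobody has seen before would still vote, and the sample would be forced into whichever known type happens to be least far away instead of being parked until a new region forms.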
The principle of the network intrusion detection method for the Internet of Things is as follows: when IoT malware infects a normal device, it affects the device's normal operation and produces abnormal communication traffic. Since it is assumed that IoT devices are not infected at the initial stage of system operation, the security gateway can record and learn the normal traffic features of the devices at that time. During operation, the security gateway records the communication features of the IoT devices, extracts the feature information and discriminates whether an anomaly has occurred.
The normal packet stream <pkt_1, pkt_2, ..., pkt_n> obtained by the security gateway at the initial stage is converted into the symbol sequence <s_1, s_2, ..., s_n>; by feature extraction, pkt_i is mapped to s_i.
To solve the problem that the communication traffic generated by a single LAN is small and not representative, after the local security gateway has trained the GRU network on the above <s_1, s_2, ..., s_n> symbol set, it uploads the training result to the IoT security service centre; the centre aggregates the training results uploaded by each security gateway and issues them to each local gateway to reinforce the local gateway's recognition capability. The GRU learns a normal traffic sequence model from the symbol sequences generated by normal network traffic; in real-time detection the sequence model tests the abnormality of the current traffic, and if the abnormality of several consecutive sequences of the current traffic exceeds a threshold, it is judged to be abnormal traffic and an alarm is raised.
Therefore, the network intrusion detection method for the Internet of Things comprises the following steps:
One. Normal data collection stage: at the initial stage of system deployment, the security gateway monitors the normal communication of the IoT devices. The normal packet stream <pkt_1, pkt_2, ..., pkt_n> obtained in this stage is converted by feature extraction into the symbol sequence <s_1, s_2, ..., s_n>, pkt_i being mapped to s_i. The security gateway labels the data by device type and extracts features for each type separately; each device type corresponds to a different GRU-trained recognition model. The security gateway extracts the features of <pkt_1, pkt_2, ..., pkt_n> and converts them into the symbol sequence <s_1, s_2, ..., s_n> used to train the GRU model of the corresponding type.
The extracted features include the traffic direction, the source and destination ports of the communication, the length of the communication data, the flag values in the transport-layer TCP header, the specific protocol type used, and the generation interval between packets.
Two. Normal data training:
The local security gateway trains a local GRU neural network with the extracted features <s_1, s_2, ..., s_n> and then uploads the training result to the IoT security service centre. The service centre aggregates and integrates the training results from multiple LAN security gateways into a GRU neural network that integrates all the data, and issues the integrated result to each local gateway as a further discrimination model.
Three. Real-time anomaly detection:
If an IoT device in the network is infected by a malicious program, the security gateway starts to recognise abnormal communication. The security gateway monitors the device's communication and extracts the features <s_1, s_2, ..., s_n>; with the symbol sequence as input, recognition is performed with the GRU neural network integrated by the IoT security service centre, and the GRU network outputs the probability of occurrence of each symbol. For convenience of description the following definitions are used:
Definition 1: when the occurrence probability p_i of the symbol s_i mapped from the traffic pkt_i satisfies p_i < δ, the traffic pkt_i is called suspicious, where δ is a set threshold.
Definition 2: for a traffic sequence <pkt_1, pkt_2, ..., pkt_ω>, ω being the window length, when the number of suspicious packets in it exceeds the threshold ω·γ, the sequence <pkt_1, pkt_2, ..., pkt_ω> is called suspicious; that is, <pkt_1, pkt_2, ..., pkt_ω> is suspicious if and only if the number of i with p_i < δ exceeds ω·γ.
Through the training on normal traffic in step one, the GRU network outputs high probabilities for normal traffic, while abnormal traffic, which was not seen in the training of step one, receives low probabilities; by setting a suitable threshold the security gateway can identify abnormal traffic. After identification, if the traffic is normal, the local gateway uses it to strengthen the training of the GRU network. To reduce the false alarm rate, the security gateway defines abnormal traffic sequences and raises an alarm only when several packets within the window are abnormal. Because of the heterogeneity of IoT devices, the communication features of different LANs differ considerably, so the security gateway uploads its recognition results to the IoT security service centre, which integrates the data into a new overall recognition model and issues it to each local gateway, improving recognition capability.
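The symbol mapping of step one and the two definitions of step three, as an added Python example that is not the patent's code. A smoothed bigram model with unigram back-off stands in for the per-type GRU so that the example runs without a deep-learning library; like the GRU it yields a probability p_i for each symbol s_i, which is all that definitions 1 and 2 consume. The packet tuples (direction, ports, length, TCP flags, protocol, inter-packet gap, matching the feature list of step one) are constructed, as is the burst of outbound connection attempts used as the anomaly; the values of δ, ω and γ are chosen for the example.

```python
from collections import defaultdict

# Constructed packet tuples for one device, not captured traffic:
# (direction, src_port, dst_port, length, tcp_flags, protocol, seconds since previous packet)
NORMAL_CYCLE = [
    ("out", 50123, 443, 60, "S", "tcp", 30.0),
    ("in", 443, 50123, 60, "SA", "tcp", 0.05),
    ("out", 50123, 443, 52, "A", "tcp", 0.01),
    ("out", 50123, 443, 210, "PA", "tcp", 0.01),
    ("in", 443, 50123, 340, "PA", "tcp", 0.08),
    ("out", 50123, 443, 52, "FA", "tcp", 0.01),
]
NORMAL_TRAFFIC = NORMAL_CYCLE * 20          # baseline: 20 telemetry exchanges
# Constructed anomaly: a burst of outbound connection attempts to port 23.
SCAN_BURST = [("out", 40000 + i, 23, 60, "S", "tcp", 0.02) for i in range(12)]
MIXED_TRAFFIC = NORMAL_CYCLE * 3 + SCAN_BURST + NORMAL_CYCLE * 2


def _port_class(p):
    return "eph" if p >= 1024 else str(p)


def _len_bucket(n):
    return "s" if n <= 64 else ("m" if n <= 512 else "l")


def _gap_bucket(g):
    return "burst" if g < 0.1 else ("short" if g < 1 else ("mid" if g < 60 else "long"))


def symbolise(pkt):
    """pkt_i -> s_i: quantise the continuous fields so the alphabet stays small."""
    d, sp, dp, ln, fl, pr, gap = pkt
    return f"{d}|{_port_class(sp)}>{_port_class(dp)}|{_len_bucket(ln)}|{fl}|{pr}|{_gap_bucket(gap)}"


class BigramModel:
    """P(s_i | s_{i-1}) with additive smoothing and unigram back-off for contexts
    never seen in training.  Stand-in for the per-type GRU: all the detector
    needs from it is a probability for each symbol given the sequence so far."""

    START = "<start>"

    def __init__(self, alpha=0.01):
        self.alpha = alpha
        self.bigram = defaultdict(lambda: defaultdict(int))
        self.unigram = defaultdict(int)
        self.total = 0

    def train(self, symbols):
        prev = self.START
        for s in symbols:
            self.bigram[prev][s] += 1
            self.unigram[s] += 1
            self.total += 1
            prev = s

    def prob(self, prev, sym):
        v = len(self.unigram) + 1            # +1 keeps mass for never-seen symbols
        if prev in self.bigram:
            row = self.bigram[prev]
            return (row.get(sym, 0) + self.alpha) / (sum(row.values()) + self.alpha * v)
        return (self.unigram.get(sym, 0) + self.alpha) / (self.total + self.alpha * v)

    def score(self, symbols):
        """p_i for every symbol in the sequence."""
        probs, prev = [], self.START
        for s in symbols:
            probs.append(self.prob(prev, s))
            prev = s
        return probs


def suspicious_windows(probs, delta, omega, gamma):
    """Definition 1: pkt_i is suspicious iff p_i < delta.  Definition 2: a window
    of omega packets is suspicious iff more than omega*gamma of them are
    suspicious.  Returns the start index of every suspicious window."""
    flagged = []
    for start in range(len(probs) - omega + 1):
        n_susp = sum(1 for p in probs[start:start + omega] if p < delta)
        if n_susp > omega * gamma:
            flagged.append(start)
    return flagged


def build_model():
    model = BigramModel()
    model.train([symbolise(p) for p in NORMAL_TRAFFIC])
    return model


def detect(model, packets, delta=0.05, omega=10, gamma=0.5):
    return suspicious_windows(model.score([symbolise(p) for p in packets]), delta, omega, gamma)


if __name__ == "__main__":
    m = build_model()
    print("normal :", detect(m, NORMAL_TRAFFIC))
    print("mixed  :", detect(m, MIXED_TRAFFIC))
```

With δ = 0.05, ω = 10 and γ = 0.5, every packet of the constructed burst falls below δ, but no window is flagged until six of its ten packets are suspicious; the single unusual packet that closes the burst (the first normal packet after it, scored against an unseen context) is not enough on its own, which is the false-alarm reduction that definition 2 is there to provide.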
The device type identification and network intrusion detection method for the Internet of Things described in this embodiment has the following advantages:
1. A gateway is provided to monitor the communication of all IoT devices in the network, and every IoT device is connected to the gateway directly or indirectly, so that both their communication with the internet and the local communication between IoT devices can be observed; the gateway, which has more processing capacity, performs the data processing locally, avoiding the resource scarcity of IoT devices.
2. In keeping with the heterogeneity of IoT devices, each class of device is modelled separately, which keeps the input accepted by each anomaly detection model narrow and homogeneous, so the system is more sensitive to anomalous changes, recognition is stronger and the false alarm rate is lower.
3. The system automatically identifies the communication data it needs from the devices and extracts features, then classifies the device features with unsupervised machine learning; apart from special cases no manual work is needed, the system needs no initial data, it is highly portable and adapts to rapidly growing numbers and types of devices.
4. The central IoT service integrates the information provided by multiple gateways, and the GRU neural network algorithm, which needs less training data, is chosen, solving the problem that IoT devices communicate little.
The above is only an illustration of the technical solution of the invention and does not limit it; other modifications or equivalent replacements made by those of ordinary skill in the art to the technical solution of the invention, as long as they do not depart from its spirit and scope, are intended to fall within the scope of the claims of the invention.

Claims (4)

1. A device type identification and network intrusion detection method for the Internet of Things, characterized in that it comprises a device type identification and matching system and an anomaly detection system; the device type identification and matching system is equipped with a device fingerprint identification module; the anomaly detection system is equipped with an anomaly detection module; in the local area network, all IoT devices and PC and smartphone applications are connected directly or indirectly to the security gateway to access the Internet; the device fingerprint identification module in the security gateway monitors all communication behavior of the IoT devices and extracts the mathematical features of the communication behavior, then sends the features to the anomaly detection module and to the normal communication behavior feature data set of the central IoT service center; in the data training stage, the anomaly detection module in the security gateway generates an anomaly detection mathematical model from the normal communication behavior feature data set and uploads the anomaly detection mathematical model to the security service center for backup; in the real-time detection stage, the anomaly detection module uses the anomaly detection mathematical model to determine, from the mathematical features of the current communication behavior, whether the current communication behavior is abnormal, and triggers an alarm in real time for abnormal behavior.
2. The device type identification and network intrusion detection method for the Internet of Things according to claim 1, characterized in that the device type detection method for the Internet of Things comprises the following steps:
One, extracting the communication period of IoT device traffic: according to the periodic characteristics of IoT device network traffic, analyze its communication features and find the period, providing preprocessed data for further feature extraction; the security gateway identifies different devices by the MAC address obtained from the unpacked data link layer, and handles devices with different MAC addresses separately; from the device's network traffic, the security gateway extracts its period using two mathematical methods, the Fourier transform and the autocorrelation function;
The method for extracting the communication period of IoT device traffic comprises the following steps:
A. Monitor the device's communication during (0~d) s. Since network traffic statistics formats differ, the traffic information is first discretized in units of seconds to unify the format; specifically, an output y_i is defined according to whether the device communicates within the i-th time interval, y_i being 1 if it does (for example, taking 1 s as the unit, y_i indicates whether the device has communication behavior between i s and (i+1) s); the following formulas take a 1 s period as the definition;
B. Apply a discrete Fourier transform to y_i according to formula one:
Formula one:Wherein
Let Y_max be the maximum value in the frequency domain; all frequencies whose value in the frequency domain is greater than 0.8*Y_max are recorded and denoted k_i as candidate frequencies, from which the pre-selected periods are obtained; first, to improve computation speed and enhance recognition capability, periods that are too short or too long are ignored; second, to determine whether a pre-selected period Y_i can measure the periodicity of the communication, the autocorrelation function value of y(n) at each candidate period is computed according to formula two:
Formula two:
If R_yy(T_i) reaches its maximum value at l_i within the interval [0.9*T_i, 1.1*T_i], the period is judged to exist, and T_i is updated to l_i;
C. Define r_i and rn_i: the security gateway measures the accuracy of period T_i by formula three and formula four:
Formula three:
Formula four:
where r_i is the frequency with which a signal of period T_i occurs within (0~d) s; stable periodic communication should satisfy r_i = 1; rn_i computes the frequency of occurrence of T_i and its adjacent periods within 0~d s; stable periodic communication should satisfy r_i ≈ rn_i ≈ 1;
Thus, the communication information collected in (0~d) s can be converted into {(T_1, r_1, rn_1), (T_2, r_2, rn_2), ..., (T_n, r_n, rn_n)}.
Two, extracting period features: to further improve the utilization of the data, the statistical properties of the periods obtained in the first step are computed; a period is divided into several segments, and the security gateway uses the {(T_1, r_1, rn_1), (T_2, r_2, rn_2), ..., (T_n, r_n, rn_n)} data converted from the traffic; the extracted features fall into four classes: (1) basic period information; (2) period inference accuracy: since the period is divided into multiple segments, the security gateway computes statistics such as the mean, variance and standard deviation obtained from each segment to measure whether the computed period is sufficiently stable and accurate; (3) period duration: the computed period is assigned to the corresponding interval range, which makes it convenient for the later clustering model to compute the differences between different IoT devices, facilitates classification and improves discrimination accuracy; (4) statistical stability of the inferred period: the security gateway computes r_i and rn_i for each segment and measures them by the interval range in which r_i and rn_i lie;
Three, classifying and summarizing the extracted features to obtain a specific classification: after extracting the period features, the features of the different devices obtained are classified with the KNN algorithm; the specific method is as follows:
After the security gateway detects device traffic, it extracts its features and transmits them to the IoT security service for aggregated processing; the IoT security service measures the gap between the features of the different IoT devices provided by multiple security gateways by Euclidean distance and classifies the devices with the KNN algorithm; when it receives a feature provided by a distributed security gateway, the IoT security service computes the Euclidean distance between it and the existing features to measure the gap; if this feature matches the type to which most of the k devices with the nearest feature Euclidean distance belong, it is attributed to that type and used to reinforce the recognition training of that type, otherwise it is recorded as a new type; a new type is a virtual type obtained by the clustering algorithm; if this feature does not match any known type, it is marked, and when there are enough samples in a certain region, the devices in that region are labeled as a new device type; after judging, the IoT security service center returns the judgment result and the KNN training result to the local gateway; as time accumulates, the model learns more feature types, the number of devices the IoT security service can identify increases accordingly, and identification becomes more accurate.
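The period-extraction pipeline of steps A to C, as an added worked example that is not code from the patent: it discretizes a device's transmission times into y_i, takes a plain DFT to find frequencies above 0.8*Y_max, turns them into candidate periods, confirms each candidate with the autocorrelation search over [0.9*T_i, 1.1*T_i], and then scores r_i and rn_i. Formulas one to four are not reproduced on this page, so the DFT and autocorrelation are written out in the standard way, and the r_i/rn_i scoring is our assumed reading of the text (fraction of expected period slots that carried traffic, with rn_i also accepting a hit in the adjacent slot). The heartbeat timestamps are constructed, with one missed beat and one late beat so that the harmonics at T/2, T/3 and so on appear in the spectrum and are rejected by the autocorrelation step.

```python
import cmath
import math

# Constructed sample (not data from the patent): a device that sends a heartbeat
# every 10 s, observed for d = 120 s.  One beat (t=63) is missed and one (t=93)
# arrives a second late (t=94), so the period is real but not perfectly clean.
HEARTBEAT_TIMES = [3, 13, 23, 33, 43, 53, 73, 83, 94, 103, 113]
OBSERVATION_SECONDS = 120


def discretize(timestamps, d, unit=1.0):
    """Step A: y_i = 1 if the device communicated in [i*unit, (i+1)*unit), else 0."""
    n = int(math.ceil(d / unit))
    y = [0] * n
    for t in timestamps:
        i = int(t // unit)
        if 0 <= i < n:
            y[i] = 1
    return y


def dft_magnitudes(y):
    """Step B: |Y_k| for k = 1 .. n//2 (the k = 0 term is skipped; it carries no period)."""
    n = len(y)
    return {k: abs(sum(y[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(1, n // 2 + 1)}


def candidate_periods(y, ratio=0.8, t_min=2.0, t_max=None):
    """Frequencies with |Y_k| > ratio * Y_max become candidate periods T = n/k
    (in seconds, because unit = 1 s); periods outside [t_min, t_max] are ignored."""
    n = len(y)
    t_max = n / 2 if t_max is None else t_max
    mags = dft_magnitudes(y)
    y_max = max(mags.values())
    return sorted({n / k for k, m in mags.items()
                   if m > ratio * y_max and t_min <= n / k <= t_max})


def autocorr(y, lag):
    """R_yy(lag) = sum_t y[t] * y[t + lag]  (unnormalised autocorrelation)."""
    return sum(y[t] * y[t + lag] for t in range(len(y) - lag))


def refine_period(y, T):
    """Second half of step B: the lag l in [0.9*T, 1.1*T] where R_yy is largest.
    Returns (l, True) if a period is confirmed there, (None, False) otherwise."""
    lo = max(1, int(math.floor(0.9 * T)))
    hi = min(len(y) - 1, int(math.ceil(1.1 * T)))
    best_lag, best_val = None, 0
    for lag in range(lo, hi + 1):
        v = autocorr(y, lag)
        if v > best_val:          # strictly positive overlap required
            best_lag, best_val = lag, v
    return best_lag, best_lag is not None


def period_accuracy(y, T):
    """Step C, our assumed reading of r_i and rn_i (formulas three and four are not on
    the page): r_i is the fraction of the slots first, first+T, first+2T, ... that
    carried traffic; rn_i also counts a hit one slot early or late (adjacent period)."""
    n = len(y)
    first = next((i for i, v in enumerate(y) if v), None)
    if first is None:
        return 0.0, 0.0
    expected = list(range(first, n, T))
    hits = sum(y[i] for i in expected)
    near = sum(1 for i in expected
               if any(0 <= i + o < n and y[i + o] for o in (-1, 0, 1)))
    return hits / len(expected), near / len(expected)


def extract_periods(timestamps, d):
    """Whole step A-C pipeline: [(T, r, rn), ...] for every confirmed period."""
    y = discretize(timestamps, d)
    out = []
    for T in candidate_periods(y):
        lag, confirmed = refine_period(y, T)
        if confirmed:
            r, rn = period_accuracy(y, lag)
            out.append((lag, r, rn))
    return out


if __name__ == "__main__":
    print(extract_periods(HEARTBEAT_TIMES, OBSERVATION_SECONDS))
```

On the constructed sample the spectrum passes five candidates (10 s and its harmonics 5, 3.33, 2.5 and 2 s, which an impulse train always produces), the autocorrelation search confirms only 10 s, and the scores come out as r = 10/12 (two of twelve expected slots empty) and rn = 11/12 (the late beat is recovered as an adjacent hit), which is the kind of "close to 1 but not 1" signature the text describes for a stable but imperfect period.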
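The KNN step of the IoT security service, as an added example rather than the patent's own code: Euclidean distance over period-feature vectors, majority vote among the k nearest known devices, reinforcement of a matched type, marking of unmatched samples, and promotion of a dense region of unmatched samples to a new virtual type. Two details the text leaves open are filled in as explicit assumptions: a feature counts as "matching" the majority type only when every neighbour of that type lies within `max_dist`, and "enough samples in a certain region" is taken to mean `min_samples` unmatched samples within `max_dist` of the latest one. The feature vectors are constructed, not measured devices.

```python
import math
from collections import Counter

# Constructed period-feature vectors for device types the service already knows:
# (period in seconds, r, rn, number of periods found).  Not data from the patent.
KNOWN_DEVICES = [
    ((10.0, 1.00, 1.00, 1), "sensor-heartbeat"),
    ((10.5, 0.95, 1.00, 1), "sensor-heartbeat"),
    ((9.5, 0.98, 0.98, 1), "sensor-heartbeat"),
    ((300.0, 1.00, 1.00, 1), "camera-keepalive"),
    ((290.0, 0.90, 0.95, 1), "camera-keepalive"),
    ((310.0, 0.97, 1.00, 1), "camera-keepalive"),
]


def euclidean(a, b):
    """Gap between two feature vectors, as the text measures it."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class DeviceTypeService:
    """Stand-in for the IoT security service's KNN step.  Assumptions not stated on
    the page: a feature 'matches' the majority type only when every majority
    neighbour is within max_dist, and unmatched samples become a new type once
    min_samples of them lie within max_dist of the newest one."""

    def __init__(self, known, k=3, max_dist=20.0, min_samples=3):
        self.known = list(known)
        self.k, self.max_dist, self.min_samples = k, max_dist, min_samples
        self.unknown = []        # marked samples that matched no known type yet
        self.new_types = 0

    def classify(self, feature):
        """Returns the type label, or None when the sample is only marked for now."""
        nearest = sorted(self.known, key=lambda kv: euclidean(feature, kv[0]))[:self.k]
        label, votes = Counter(lbl for _, lbl in nearest).most_common(1)[0]
        dists = [euclidean(feature, f) for f, lbl in nearest if lbl == label]
        if votes > self.k // 2 and max(dists) <= self.max_dist:
            self.known.append((feature, label))   # reinforce that type's training
            return label
        return self._mark_unknown(feature)

    def _mark_unknown(self, feature):
        self.unknown.append(feature)
        region = [f for f in self.unknown if euclidean(f, feature) <= self.max_dist]
        if len(region) < self.min_samples:
            return None                           # marked, not yet a type
        self.new_types += 1                       # a new virtual type is born
        label = f"new-type-{self.new_types}"
        for f in region:
            self.known.append((f, label))
            self.unknown.remove(f)
        return label


if __name__ == "__main__":
    svc = DeviceTypeService(KNOWN_DEVICES)
    for sample in [(10.2, 0.99, 1.0, 1), (60.0, 0.90, 0.95, 2),
                   (61.0, 0.92, 0.95, 2), (59.0, 0.88, 0.93, 2), (60.5, 0.90, 0.95, 2)]:
        print(sample, "->", svc.classify(sample))
```

Because the period dominates the raw Euclidean distance here, the three 60 s samples are far from both known types and are first marked; the third one makes the region dense enough to become `new-type-1`, after which a fourth 60 s sample is matched to it directly. In a deployment the features would be scaled before distances are taken, otherwise a long period swamps r and rn.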
3. The device type identification and network intrusion detection method for the Internet of Things according to claim 2, characterized in that the basic period information in step two includes the number of periods detected, whether it is a single period, the communication protocol used, whether the source port changes and the frequency with which it changes.
4. The device type identification and network intrusion detection method for the Internet of Things according to claim 1, characterized in that the device type detection method for the Internet of Things comprises the following steps:
One, normal data collection phase: at the initial stage of system deployment, the security gateway monitors the normal communication of the IoT devices; the security gateway converts the normal packet flow <pkt_1, pkt_2, ..., pkt_n> obtained in the initial stage into the symbol sequence <s_1, s_2, ..., s_n> by extracting features, pkt_i being mapped to s_i; the security gateway labels by device type and extracts features separately, and different device types correspond to different GRU training recognition models; the security gateway extracts features from <pkt_1, pkt_2, ..., pkt_n> and converts it into the symbol sequence <s_1, s_2, ..., s_n> for the learning and training of the GRU model of the respective type;
The extracted features include the traffic direction, the source port and destination port of the communication, the length of the communication data, the value of the flags in the TCP header at the transport layer, the protocol type actually used, and the generation interval of the packets;
Two, normal data training:
The local security gateway trains the local GRU neural network with the extracted features <s_1, s_2, ..., s_n>, then uploads the training result to the IoT security service center; the service center summarizes and uniformly integrates the training results from multiple LAN security gateways into a GRU neural network that integrates all the data, then issues the integrated result to each local gateway as the further discrimination model;
Three, real-time anomaly detection:
If an IoT device in the Internet of Things is infected by a malicious program, the security gateway starts to identify abnormal communication; the security gateway listens to the IoT device communication and extracts the features <s_1, s_2, ..., s_n>, takes the symbol sequence as input and recognizes it with the GRU neural network integrated by the IoT security service center; the GRU neural network can output the occurrence probability of each symbol; for convenience of description, the following definitions are made:
Definition 1: when the symbol s_i to which flow pkt_i is mapped has an occurrence probability p_i satisfying p_i < δ, flow pkt_i is called suspicious traffic, where δ is the set threshold;
Definition 2: for a flow sequence <pkt_1, pkt_2, ..., pkt_ω>, ω is the window length; when the number of suspicious flows among them exceeds the threshold ω * γ, the flow sequence <pkt_1, pkt_2, ..., pkt_ω> is called suspicious, i.e. the flow sequence <pkt_1, pkt_2, ..., pkt_ω> is suspicious if and only if
After the first-step training on normal traffic, the output probability that the GRU network assigns to normal traffic is high, whereas abnormal traffic was not present in the first-step training and receives a small probability from the GRU; by setting a suitable threshold, the security gateway can identify abnormal traffic. After identification, if the traffic is normal, the local gateway uses it to strengthen the training of the GRU network. To reduce the false alarm rate, the security gateway defines an abnormal flow sequence and only raises an alarm when multiple flows within the window are abnormal. Because of the heterogeneity of IoT devices, the communication features of different LANs differ considerably, so the security gateway uploads its recognition results to the IoT security service center; the security center again integrates the data into a new overall recognition model and issues it to each local gateway, improving recognition capability.
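The symbol-sequence detector of claim 4 with Definition 1 and Definition 2 (which the description section above states in the same words), as an added example that is not the patent's code: packets are mapped to symbols from the feature set the claim lists, a model trained on the normal collection phase returns p_i for each symbol, a packet is flagged when p_i < δ, and a window of ω flows is reported only when more than ω*γ of them are flagged. The per-type GRU is replaced by an add-one smoothed bigram model over symbols (an assumption, chosen so the block runs without a deep-learning library; the GRU would occupy exactly the `prob` slot), the window is taken as sliding (the page does not say sliding or tumbling), the bucketing inside `to_symbol` is our choice, and the packet records are constructed.

```python
from collections import Counter, defaultdict

# Constructed packet records (not captures from the patent), as tuples over the
# feature set the claim lists:
#   (direction, source port, destination port, length, TCP flags, protocol, gap to previous pkt in s)
HB_OUT = ("out", 49152, 443, 120, "PA", "tcp", 30.0)     # periodic heartbeat to the cloud
HB_IN = ("in", 443, 49152, 60, "A", "tcp", 0.05)         # and its acknowledgement
ODD = ("out", 49153, 8080, 1400, "PA", "tcp", 0.01)      # rapid large uploads to an unfamiliar port

NORMAL_PKTS = [HB_OUT, HB_IN] * 40                                      # collection phase
STRAY_PKTS = [HB_OUT, HB_IN] * 2 + [ODD] + [HB_OUT, HB_IN] * 3 + [HB_OUT]  # one odd packet
INFECTED_PKTS = [HB_OUT, HB_IN] * 2 + [ODD] * 6 + [HB_OUT, HB_IN]       # a burst of them


def to_symbol(pkt):
    """pkt_i -> s_i.  Ephemeral source ports, lengths and gaps are bucketed so that a
    device's normal behaviour maps to a small, repeatable alphabet (our choice)."""
    direction, sport, dport, length, flags, proto, gap = pkt
    sport_kind = "eph" if sport >= 1024 else sport
    gap_bucket = 0 if gap < 0.1 else 1 if gap < 5 else 2
    return (direction, sport_kind, dport, min(length // 64, 15), flags, proto, gap_bucket)


class SymbolModel:
    """Stand-in for the per-type GRU: an add-one smoothed bigram model giving
    p_i = P(s_i | s_{i-1}), backing off to unigrams in a context never seen in training."""

    def __init__(self):
        self.bigrams = defaultdict(Counter)
        self.unigrams = Counter()

    def train(self, symbols):
        prev = None
        for s in symbols:
            self.bigrams[prev][s] += 1
            self.unigrams[s] += 1
            prev = s

    def prob(self, prev, s):
        vocab = len(self.unigrams) + 1          # +1 reserves mass for unseen symbols
        row = self.bigrams.get(prev)
        if row:                                 # known context: smoothed bigram
            return (row[s] + 1) / (sum(row.values()) + vocab)
        total = sum(self.unigrams.values())     # unknown context: smoothed unigram
        return (self.unigrams[s] + 1) / (total + vocab)


def suspicious_flags(model, symbols, delta):
    """Definition 1: pkt_i is suspicious when p_i < delta."""
    flags, prev = [], None
    for s in symbols:
        flags.append(model.prob(prev, s) < delta)
        prev = s
    return flags


def suspicious_windows(flags, omega, gamma):
    """Definition 2 over a sliding window: start index of every length-omega window
    whose count of suspicious flows exceeds omega * gamma."""
    return [start for start in range(len(flags) - omega + 1)
            if sum(flags[start:start + omega]) > omega * gamma]


def build_model(pkts=NORMAL_PKTS):
    """Step one/two for a single device type: learn the normal symbol sequence."""
    model = SymbolModel()
    model.train([to_symbol(p) for p in pkts])
    return model


def detect(model, pkts, delta=0.1, omega=6, gamma=0.5):
    """Step three: (per-packet suspicious flags, suspicious window starts).
    An alarm is raised only when the second list is non-empty."""
    flags = suspicious_flags(model, [to_symbol(p) for p in pkts], delta)
    return flags, suspicious_windows(flags, omega, gamma)


if __name__ == "__main__":
    model = build_model()
    for name, pkts in [("normal", [HB_OUT, HB_IN] * 6), ("stray", STRAY_PKTS), ("infected", INFECTED_PKTS)]:
        flags, windows = detect(model, pkts)
        print(name, "suspicious packets:", sum(flags), "alarm windows:", windows)
```

The two test sequences show why Definition 2 exists: a single never-seen packet inside otherwise normal traffic is flagged by Definition 1 but no window crosses ω*γ, so nothing is reported, whereas a burst of six such packets produces several overlapping suspicious windows and an alarm. With a real GRU the probabilities would be sharper, but the thresholding and windowing logic is unchanged.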
CN201910089779.1A 2019-01-30 2019-01-30 For the device type identification of Internet of Things and network inbreak detection method Pending CN109818793A (en)


Publications (1)

Publication Number Publication Date
CN109818793A true CN109818793A (en) 2019-05-28

Family

ID=66605900



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190528