CN110113348A - Method for Internet of Things threat detection based on machine learning - Google Patents

Method for Internet of Things threat detection based on machine learning

Info

Publication number
CN110113348A
Authority
CN
China
Prior art keywords
internet
things
machine learning
data
threat detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910399217.7A
Other languages
Chinese (zh)
Inventor
龚致
肖建
江佳峻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-05-14
Filing date
2019-05-14
Publication date
2019-08-09
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN201910399217.7A
Publication of CN110113348A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for Internet of Things threat detection based on machine learning, for detecting threats to Internet of Things (IoT) devices, comprising the following steps: collecting traffic data in the IoT environment; performing feature processing on the collected traffic data; using the processed traffic data to train a machine learning model; and deploying the trained model in the IoT device environment for threat detection and identification. By using machine learning of known attack types, the method discovers in time the threats of known and unknown attacks to which IoT devices are subjected, lets the machine continuously learn new attack types, and discovers threats in time so that protective measures can be taken and losses reduced.

Description

Method for Internet of Things threat detection based on machine learning
Technical field
The present invention relates to the field of Internet of Things security technology, and in particular to a method for Internet of Things threat detection based on machine learning.
Background technique
More and more Internet of Things (IoT) devices are connected to the Internet. Because IoT devices are so numerous they have become a focus of attackers, and because many of them are insecure they give botnets an opening to attack: botnets are used to launch DDoS attacks, mine cryptocurrency covertly, scan external ports and carry out intrusions.
The ever-growing threat calls for new techniques to identify and block attack traffic from IoT botnets. Because IoT threats are not known in advance, it is difficult to write ready-made rules that match and identify them. Machine learning can instead be used to learn known attack types, so that the known and unknown attacks to which IoT devices are subjected are discovered in time and protective measures can be taken to reduce losses.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of the above background art by providing a method for Internet of Things threat detection based on machine learning, which uses machine learning of known attack types to discover in time the threats of known and unknown attacks to which IoT devices are subjected, so that protective measures can be taken and losses reduced.
To achieve the above technical effect, the present invention adopts the following technical scheme:
A method for Internet of Things threat detection based on machine learning, for detecting threats to IoT devices, comprising the following steps:
A. collecting traffic data in the IoT environment;
B. performing feature processing on the collected traffic data;
C. using the processed traffic data for machine learning model training;
D. deploying the trained model in the IoT device environment for threat detection and identification.
Further, step A specifically comprises:
A1. establishing a local network that includes at least a routing device and an IoT device;
A2. collecting traffic data in the IoT environment.
Further, when traffic is collected in step A, the specific collection method is packet capture on the local area network.
Further, traffic collection in step A is specifically divided into normal traffic collection and abnormal traffic collection.
Further, the normal traffic collection collects the normal traffic of the IoT device over a certain period of time; the abnormal traffic collection is performed by simulating, on the IoT device terminal, outbound port scanning and outbound DoS traffic and capturing that traffic.
Further, step B specifically analyzes the features of the collected traffic data and performs feature information extraction.
Further, the feature information extraction at least includes extracting, separately for the normal traffic data and the abnormal traffic data, packet size information, packet transmission interval information and IP 5-tuple feature information (source IP, destination IP, source port, destination port and transport protocol), and grouping and labelling the extracted feature values, specifically into a normal traffic data group and an abnormal traffic data group.
Further, step C specifically: the traffic data processed by feature extraction is used for machine learning model training, so that training produces a machine learning model for threat identification.
Further, when the machine learning model is trained, its learning algorithm is a random forest or a deep neural network.
Further, in step D, when the machine learning model performs threat detection and identification, it parses the input traffic data from the IoT environment using the preset feature processing method, performs threat identification and outputs the threat identification result.
Compared with the prior art, the present invention has the following beneficial effects:
The method for Internet of Things threat detection based on machine learning of the invention, by using machine learning of known attack types, discovers in time the threats of known and unknown attacks to which IoT devices are subjected, lets the machine continuously learn new attack types, and discovers threats in time so that protective measures can be taken and losses reduced.
Detailed description of the invention
Fig. 1 is a schematic diagram of the local network established in one embodiment of the present invention.
Fig. 2 is a flow diagram of the method for Internet of Things threat detection based on machine learning according to the invention.
Specific embodiment
The invention is further elaborated below with reference to embodiments of the present invention.
Embodiments:
Embodiment one:
As shown in Fig. 2, a method for Internet of Things threat detection based on machine learning, for detecting threats to IoT devices, comprises the following steps:
Step 1: collecting traffic data in the IoT environment. Specifically, a local network is first established, and traffic data is then collected in the IoT environment. The local network includes at least a routing device and an IoT device; as shown in Fig. 1, the local network established in this embodiment includes a router and a television as the IoT device.
Specifically, in this embodiment traffic is collected by packet capture on the local area network, and collection is divided into normal traffic collection and abnormal traffic collection: normal traffic collection records the normal traffic of the IoT device over a certain period of time, and abnormal traffic collection is performed by simulating, on the IoT device terminal, outbound port scanning and outbound DoS traffic and capturing it.
Step 2: performing feature processing on the collected traffic data. Specifically, the features of the collected normal traffic data and abnormal traffic data are analyzed and feature information is extracted. In this embodiment, feature information extraction includes extracting, separately for the normal traffic data and the abnormal traffic data, packet size information, packet transmission interval information and IP 5-tuple feature information, and grouping and labelling the extracted feature values; the labels are a normal traffic data group and an abnormal traffic data group.
Step 3: using the processed traffic data for machine learning model training. Specifically, the traffic data processed by feature extraction is used to train a machine learning model, so that training produces a model for threat identification; the learning algorithm used when training the model is a random forest or a deep neural network, i.e. supervised learning.
Step 4: deploying the trained model in the IoT device environment for threat detection and identification. When the model performs threat detection and identification, it parses the input traffic data from the IoT environment with the preset feature processing method, for example extracting the features of the input traffic data and comparing the extracted features with the normal traffic data features and the abnormal traffic data features respectively, so as to perform threat identification and output the threat identification result.
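The four steps above, worked through end to end as an added example. This is not code from the patent or from Sichuan Changhong; everything in it is an assumption of the example: the packet-record layout, the addresses, the grouping of packets into (source, destination, protocol) conversations, the five features derived from packet sizes, send intervals and the 5-tuple, and the miniature random forest of depth-1 trees that stands in for a library classifier so the block runs with only the Python standard library. The captures are constructed, not real traffic.

```python
"""Added example: the patent's four steps on constructed packet records (stdlib only)."""
import random
from collections import defaultdict
from statistics import mean, pstdev

# Packet record: (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto, size_bytes)
# Feature vector: [pkt_count, mean_size, size_stdev, mean_gap, distinct_dst_ports]

def normal_capture():
    """Step 1, normal: six constructed LAN devices, each holding one steady TLS/MQTT session."""
    pkts = []
    for i in range(6):
        n, gap = 25 + 2 * i, 0.3 + 0.2 * i
        for k in range(n):
            pkts.append((k * gap, f"192.168.1.{20 + i}", f"203.0.113.{10 + i}", 50000 + i,
                         443 if i % 2 == 0 else 8883, "tcp", 200 + (k * 131 + i * 17) % 1000))
    return pkts

def attack_capture():
    """Step 1, abnormal: the TV (192.168.1.20) as a bot, simulated outbound sweeps and floods."""
    pkts = []
    for j in range(4):                                   # outbound port sweeps
        for k in range(50 + 10 * j):
            pkts.append((k * (0.005 + 0.005 * j), "192.168.1.20", f"198.51.100.{1 + j}",
                         40000 + k, 1 + k, "tcp", 60))
    for j in range(2):                                   # outbound floods to port 80
        for k in range(200):
            pkts.append((k * 0.001, "192.168.1.20", f"198.51.100.{50 + j}", 40000 + k, 80, "tcp", 60))
    return pkts

def extract_features(pkts):
    """Step 2: per (src, dst, proto) conversation: sizes, send intervals and 5-tuple spread."""
    convs = defaultdict(list)
    for ts, src, dst, sport, dport, proto, size in pkts:
        convs[(src, dst, proto)].append((ts, sport, dport, size))
    vectors = {}
    for key, rows in convs.items():
        rows.sort()
        stamps, sizes = [r[0] for r in rows], [r[3] for r in rows]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])] or [0.0]
        vectors[key] = [len(rows), mean(sizes), pstdev(sizes), mean(gaps), len({r[2] for r in rows})]
    return vectors

def build_training_set():
    """Step 2, labelling: normal-capture vectors -> 0, simulated-attack vectors -> 1."""
    X, y = [], []
    for pkts, label in ((normal_capture(), 0), (attack_capture(), 1)):
        for vec in extract_features(pkts).values():
            X.append(vec)
            y.append(label)
    return X, y

def majority(labels):
    return 1 if 2 * sum(labels) > len(labels) else 0

def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 2 * p * (1 - p)

def fit_stump(X, y, feats):
    """Depth-1 tree: best single threshold over the candidate features by Gini impurity."""
    best = None
    for f in feats:
        vals = sorted({x[f] for x in X})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            left = [yi for x, yi in zip(X, y) if x[f] <= thr]
            right = [yi for x, yi in zip(X, y) if x[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, thr, majority(left), majority(right))
    return best[1:] if best else (None, 0.0, majority(y), majority(y))  # constant leaf if no split

def train_forest(X, y, n_trees=25, max_features=2, seed=7):
    """Step 3: miniature random forest (bootstrap sample + random feature subset per depth-1 tree)."""
    rng, forest = random.Random(seed), []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]
        feats = rng.sample(range(len(X[0])), max_features)
        forest.append(fit_stump([X[i] for i in idx], [y[i] for i in idx], feats))
    return forest

def predict(forest, vec):
    return majority([lt if f is None or vec[f] <= thr else rt for f, thr, lt, rt in forest])

def detect(forest, pkts):
    """Step 4: run the deployed model over a fresh capture, one verdict per conversation."""
    return {key: "abnormal" if predict(forest, vec) else "normal"
            for key, vec in extract_features(pkts).items()}

def fresh_capture():
    """Constructed deployment-time capture: an unseen device session plus an unseen, larger sweep."""
    pkts = [(k * 1.0, "192.168.1.26", "203.0.113.16", 50006, 443, "tcp", 200 + (k * 131 + 102) % 1000)
            for k in range(30)]
    pkts += [(k * 0.002, "192.168.1.20", "198.51.100.99", 40000 + k, 1 + k, "tcp", 60) for k in range(300)]
    return pkts

if __name__ == "__main__":
    print(detect(train_forest(*build_training_set()), fresh_capture()))
```

Running the block trains on twelve constructed conversations and prints one verdict per conversation in `fresh_capture()`. The 5-tuple is reduced to the number of distinct destination ports per source/destination pair, which is what separates a port sweep from a normal session; a single-port flood is caught by the interval, size and count features instead. Two cautions a practitioner would want: the model only recognises "unknown" attacks whose feature footprint resembles the simulated classes (a slow sweep paced like a normal session defeats the interval feature), and normal traffic that drifts (a firmware download, a new cloud endpoint) shifts the normal feature distribution and produces false positives unless the normal set is re-captured.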
It can be seen from the above that the method for Internet of Things threat detection based on machine learning of the invention, by using machine learning of known attack types, discovers in time the threats of known and unknown attacks to which IoT devices are subjected, lets the machine continuously learn new attack types, and discovers threats in time so that protective measures can be taken and losses reduced.
It should be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the present invention, and the present invention is not limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and essence of the invention, and such changes and modifications are also considered to fall within the protection scope of the present invention.

Claims (10)

1. A method for Internet of Things threat detection based on machine learning, for detecting threats to IoT devices, characterized in that it comprises the following steps:
A. collecting traffic data in the IoT environment;
B. performing feature processing on the collected traffic data;
C. using the processed traffic data for machine learning model training;
D. deploying the trained model in the IoT device environment for threat detection and identification.
2. The method for Internet of Things threat detection based on machine learning according to claim 1, characterized in that step A specifically comprises:
A1. establishing a local network that includes at least a routing device and an IoT device;
A2. collecting traffic data in the IoT environment.
3. The method for Internet of Things threat detection based on machine learning according to claim 1 or 2, characterized in that, when traffic is collected in step A, the specific collection method is packet capture on the local area network.
4. The method for Internet of Things threat detection based on machine learning according to claim 1 or 2, characterized in that traffic collection in step A is specifically divided into normal traffic collection and abnormal traffic collection.
5. The method for Internet of Things threat detection based on machine learning according to claim 4, characterized in that the normal traffic collection collects the normal traffic of the IoT device over a certain period of time, and the abnormal traffic collection is performed by simulating, on the IoT device terminal, outbound port scanning and outbound DoS traffic and capturing that traffic.
6. The method for Internet of Things threat detection based on machine learning according to claim 4, characterized in that step B specifically analyzes the features of the collected traffic data and performs feature information extraction.
7. The method for Internet of Things threat detection based on machine learning according to claim 6, characterized in that the feature information extraction at least includes extracting, separately for the normal traffic data and the abnormal traffic data, packet size information, packet transmission interval information and IP 5-tuple feature information, and grouping and labelling the extracted feature values, specifically into a normal traffic data group and an abnormal traffic data group.
8. The method for Internet of Things threat detection based on machine learning according to claim 7, characterized in that step C specifically: the traffic data processed by feature extraction is used for machine learning model training, so that training produces a machine learning model for threat identification.
9. The method for Internet of Things threat detection based on machine learning according to claim 8, characterized in that, when the machine learning model is trained, its learning algorithm is a random forest or a deep neural network.
10. The method for Internet of Things threat detection based on machine learning according to claim 1, characterized in that, in step D, when the machine learning model performs threat detection and identification, it parses the input traffic data from the IoT environment using the preset feature processing method, performs threat identification and outputs the threat identification result.
CN201910399217.7A 2019-05-14 2019-05-14 Method for Internet of Things threat detection based on machine learning Pending CN110113348A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910399217.7A CN110113348A (en) 2019-05-14 2019-05-14 Method for Internet of Things threat detection based on machine learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910399217.7A CN110113348A (en) 2019-05-14 2019-05-14 Method for Internet of Things threat detection based on machine learning

Publications (1)

Publication Number Publication Date
CN110113348A true CN110113348A (en) 2019-08-09

Family

ID=67489880

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910399217.7A Pending CN110113348A (en) 2019-05-14 2019-05-14 Method for Internet of Things threat detection based on machine learning

Country Status (1)

Country Link
CN (1) CN110113348A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111399435A (en) * 2020-03-20 2020-07-10 重庆成峰水务工程有限责任公司 Intelligent pump room data acquisition terminal
CN111695118A (en) * 2020-06-17 2020-09-22 安徽三实信息技术服务有限公司 Network threat identification system
CN112203282A (en) * 2020-08-28 2021-01-08 中国科学院信息工程研究所 5G Internet of things intrusion detection method and system based on federal transfer learning
WO2022151815A1 (en) * 2021-01-15 2022-07-21 中国银联股份有限公司 Method and apparatus for determining security state of terminal device
CN116319114A (en) * 2023-05-25 2023-06-23 广州鲁邦通物联网科技股份有限公司 Method and system for network intrusion detection

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881322A (en) * 2018-09-17 2018-11-23 苏州爱开客信息技术有限公司 Defense system and method for an Internet of Things system to counter DDoS attacks
CN109167798A (en) * 2018-11-01 2019-01-08 四川长虹电器股份有限公司 Machine-learning-based DDoS detection method for household Internet of Things devices

Similar Documents

Publication Publication Date Title
CN110113348A (en) Method for Internet of Things threat detection based on machine learning
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
CN106027559B (en) Large scale network scanning detection method based on network session statistical nature
CN109117634B (en) Malicious software detection method and system based on network traffic multi-view fusion
CN109714343B (en) Method and device for judging network traffic abnormity
CN107483458A (en) Network attack recognition method and device, computer-readable storage medium
CN112738015A (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
Fadlil et al. Review of detection DDOS attack detection using naive bayes classifier for network forensics
CN101383694A (en) Denial-of-service attack defense method and system based on data mining technology
Cahyo et al. Performance comparison of intrusion detection system based anomaly detection using artificial neural network and support vector machine
CN101753562A (en) Botnet detection method, device and network security protection device
CN103840983A (en) WEB tunnel detection method based on protocol behavior analysis
Ramadhan et al. Comparative analysis of K-nearest neighbor and decision tree in detecting distributed denial of service
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN109951419A (en) APT intrusion detection method based on attack-chain attack rule mining
CN107222491A (en) Intrusion detection rule generation method based on industrial control network variant attacks
CN105592044B (en) Packet attack detection method and device
Sun et al. Detection and classification of malicious patterns in network traffic using Benford's law
Zhang et al. A real-time DDoS attack detection and prevention system based on per-IP traffic behavioral analysis
CN110460611B (en) Machine learning-based full-flow attack detection technology
CN104468507A (en) Trojan detection method based on traffic analysis at the uncontrolled end
CN106357434A (en) Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network
CN106850571A (en) Botnet family recognition method and device
Hu et al. Network data analysis and anomaly detection using CNN technique for industrial control systems security
Fadil et al. A novel DDoS attack detection based on Gaussian naive Bayes

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 2019-08-09)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication