CN110113348A - Method for Internet of Things threat detection based on machine learning - Google Patents
- Publication number: CN110113348A (application CN201910399217.7A)
- Authority
- CN
- China
- Prior art keywords
- internet
- things
- machine learning
- data
- threat detection
- Prior art date: 2019-05-14
- Legal status: Pending (the legal status is an assumption by Google, not a legal conclusion; no legal analysis has been performed)
Classifications
- H04L63/1416 — Event detection, e.g. attack signature detection (under H04L63/14 and H04L63/1408: network architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/20 — Network architectures or protocols for managing network security; network security policies in general
- H04L67/12 — Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method for Internet of Things (IoT) threat detection based on machine learning, for detecting threats to IoT devices. It comprises the following steps: collecting traffic data in the IoT environment; performing feature processing on the collected traffic data; using the processed traffic data to train a machine learning model; and deploying the trained model in the IoT device environment for threat detection and identification. By having the machine learn known attack types, the method aims to discover in time the threats of known and unknown attacks to which IoT devices are subjected, to let the machine continually learn new attack types, and to discover threats promptly so that protective measures can be taken and losses reduced.
Description
Technical field
The present invention relates to the field of Internet of Things security technology, and in particular to a method for Internet of Things threat detection based on machine learning.
Background technique
More and more Internet of Things (IoT) devices are connected to the internet. Because IoT devices are so numerous they have become a focus of attackers, and because many of them are insecure, botnets have an opportunity to exploit them, for example by using the botnet to carry out DDoS attacks, malicious cryptomining, and outbound port scanning to carry out intrusions. The ever-increasing threat is driving the development of new technology to identify and block attack traffic from IoT botnets. Because IoT threats are not known in advance, it is difficult to form ready-made rules for threat matching and identification; machine learning can therefore be used to learn known attack types, so as to discover in time the threats of known and unknown attacks to which IoT devices are subjected, to take protective measures, and to reduce losses.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of the above background art by providing a method for Internet of Things threat detection based on machine learning which, by having the machine learn known attack types, discovers in time the threats of known and unknown attacks to which IoT devices are subjected, so that protective measures can be taken and losses reduced.
To achieve the above technical effect, the present invention adopts the following technical scheme:
A method for Internet of Things threat detection based on machine learning, for detecting threats to IoT devices, comprising the following steps:
A. collecting traffic data in the IoT environment;
B. performing feature processing on the collected traffic data;
C. using the processed traffic data for machine learning model training;
D. deploying the trained model in the IoT device environment for threat detection and identification.
Further, step A specifically comprises:
A1. establishing a local network that includes at least a routing device and an IoT device;
A2. collecting traffic data in that IoT environment.
Further, the specific collection mode when collecting traffic in step A is packet capture on the local area network.
Further, traffic collection in step A is divided into normal traffic collection and abnormal traffic collection.
Further, normal traffic collection is the collection of the IoT device's normal traffic over a certain period of time; abnormal traffic collection is carried out by simulating outbound port scanning and outbound DoS traffic from the IoT device terminal and collecting the resulting abnormal traffic.
Further, step B specifically analyses the features of the collected traffic data and extracts feature information.
Further, the feature information extraction comprises at least extracting, separately for the normal traffic data and the abnormal traffic data, packet size information, packet send-interval information and IP 5-tuple feature information, and grouping and labelling the extracted feature values, specifically into a normal traffic data group and an abnormal traffic data group.
Further, step C specifically: the traffic data processed by feature extraction is used for machine learning model training, so that training produces a machine learning model for threat identification.
Further, when the machine learning model is trained, its learning algorithm uses a random forest or a deep neural network.
Further, in step D, when the machine learning model performs threat detection and identification, it parses the input traffic data from the IoT environment using the preset feature processing mode, performs threat identification and outputs the threat identification result.
Compared with the prior art, the present invention has the following beneficial effects:
The method of the invention for Internet of Things threat detection based on machine learning, by having the machine learn known attack types, discovers in time the threats of known and unknown attacks to which IoT devices are subjected, lets the machine continually learn new attack types, and discovers threats promptly so that protective measures can be taken and losses reduced.
Detailed description of the drawings
Fig. 1 is a schematic diagram of the local network established in one embodiment of the present invention.
Fig. 2 is a flow diagram of the method of the invention for Internet of Things threat detection based on machine learning.
Specific embodiment
The invention is further elaborated below with reference to an embodiment of the present invention.
Embodiment:
Embodiment one:
As shown in Fig. 2, a method for Internet of Things threat detection based on machine learning, for detecting threats to IoT devices, comprises the following steps:
Step 1: collecting traffic data in the IoT environment. Specifically, a local network is first established and traffic data is then collected in the IoT environment; the local network includes at least a routing device and an IoT device. As shown in Fig. 1, the local network established in this embodiment includes a router and an IoT device, a television set.
Specifically, in this embodiment the collection mode when collecting traffic is packet capture on the local area network, and traffic collection is divided into normal traffic collection and abnormal traffic collection, where normal traffic collection is the collection of the IoT device's normal traffic over a certain period of time, and abnormal traffic collection is carried out by simulating outbound port scanning and outbound DoS traffic from the IoT device terminal and collecting the resulting abnormal traffic.
Step 2: performing feature processing on the collected traffic data. Specifically, the features of the collected normal traffic data and abnormal traffic data are analysed and feature information is extracted. In this embodiment, feature information extraction comprises extracting, separately for the normal traffic data and the abnormal traffic data, packet size information, packet send-interval information and IP 5-tuple feature information, and grouping and labelling the extracted feature values; the specific labels are the normal traffic data group and the abnormal traffic data group.
Step 3: using the processed traffic data for machine learning model training. Specifically, the traffic data processed by feature extraction is used for machine learning model training, so that training produces a machine learning model for threat identification; when the model is trained, its learning algorithm uses a random forest or a deep neural network to achieve supervised learning.
Step 4: deploying the trained model in the IoT device environment for threat detection and identification. When the model performs threat detection and identification, it parses the input traffic data from the IoT environment using the preset feature processing mode, for example by extracting the features of the input traffic data and comparing the extracted features with the normal traffic data features and the abnormal traffic data features respectively, so as to perform threat identification and output the threat identification result.
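The four steps of this embodiment (and steps A to D of the summary above), carried through as an added, runnable Python example. This is illustration code written for this page, not code from the patent or its applicant. Everything in it is constructed: the addresses, the synthetic "normal" capture (the TV streaming over one TLS session) and "abnormal" captures (the TV scanning an external host, the TV flooding one port) standing in for the LAN packet captures of Step 1, and the feature set. The patent names packet size, send interval and the IP 5-tuple as features without saying how the 5-tuple is used; here it serves both as the grouping key (src, dst, proto) and as a cardinality feature (distinct destination ports and distinct 5-tuples per group), which is what makes a scan and a flood look different from a session. The random forest is a toy one built from depth-1 trees on the standard library so that the script runs offline; a deployment would use a real implementation such as scikit-learn's RandomForestClassifier with the same feature pipeline.

```python
"""Worked example of the four-step method (capture, feature processing,
supervised training, deployment). Added for illustration; not the patent's code.
All packets, addresses and parameters are constructed; standard library only."""
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

TV, SERVER, TARGET = "192.168.1.20", "203.0.113.5", "198.51.100.7"  # assumed addresses
FEATURES = ("pkt_count", "mean_size", "mean_gap", "distinct_dports", "distinct_5tuples")

@dataclass(frozen=True)
class Packet:  # one record as it would be read from a LAN packet capture (Step 1)
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int

def extract_features(packets):
    """Step 2: group packets by (src, dst, proto) and compute packet-size,
    send-interval and 5-tuple statistics per group. Returns {key: vector}."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p.src, p.dst, p.proto)].append(p)
    feats = {}
    for key, pk in groups.items():
        pk.sort(key=lambda p: p.ts)
        gaps = [b.ts - a.ts for a, b in zip(pk, pk[1:])]
        feats[key] = [float(len(pk)), mean(p.size for p in pk), mean(gaps) if gaps else 0.0,
                      float(len({p.dport for p in pk})),
                      float(len({(p.src, p.dst, p.sport, p.dport, p.proto) for p in pk}))]
    return feats

def synth_normal(rng, t0):
    """Constructed normal traffic: TV streaming, one 5-tuple, ~1 packet/s, mixed sizes."""
    t, sport, out = t0, rng.randint(40000, 60000), []
    for _ in range(30):
        t += rng.uniform(0.5, 1.5)
        out.append(Packet(t, TV, SERVER, sport, 443, "tcp", rng.randint(200, 1400)))
    return out

def synth_portscan(rng, t0):
    """Constructed abnormal traffic: TV scanning an external host, tiny packets, many dports."""
    return [Packet(t0 + i * 0.001, TV, TARGET, rng.randint(40000, 60000), 1 + i, "tcp", 60)
            for i in range(200)]

def synth_dos(rng, t0):
    """Constructed abnormal traffic: TV flooding one port, sub-ms spacing, many sports."""
    return [Packet(t0 + i * 0.0005, TV, TARGET, rng.randint(1024, 65535), 80, "udp",
                   rng.randint(40, 100)) for i in range(500)]

def build_dataset(rng, n_per_class=8):
    """Label feature vectors: 0 = normal traffic group, 1 = abnormal traffic group."""
    X, y = [], []
    for i in range(n_per_class):
        for gen, label in ((synth_normal, 0), (synth_portscan, 1), (synth_dos, 1)):
            for vec in extract_features(gen(rng, 1000.0 * i)).values():
                X.append(vec)
                y.append(label)
    return X, y

def fit_stump(X, y, f):
    """Depth-1 decision tree on feature f: best (threshold, sign) by training error,
    falling back to the majority label when f takes a single value."""
    majority = 1 if 2 * sum(y) >= len(y) else 0
    best = (sum(t != majority for t in y), float("-inf") if majority else float("inf"), 1)
    vals = sorted({x[f] for x in X})
    for lo, hi in zip(vals, vals[1:]):
        thr = (lo + hi) / 2
        for sign in (1, -1):
            err = sum((1 if sign * (x[f] - thr) > 0 else 0) != t for x, t in zip(X, y))
            if err < best[0]:
                best = (err, thr, sign)
    return (f, best[1], best[2])

def fit_forest(X, y, n_trees=25, seed=0):
    """Step 3: toy random forest (bootstrap sample + one random feature per tree)."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]
        forest.append(fit_stump([X[i] for i in idx], [y[i] for i in idx],
                                rng.randrange(len(FEATURES))))
    return forest

def predict(forest, vec):
    votes = sum(1 if sign * (vec[f] - thr) > 0 else 0 for f, thr, sign in forest)
    return 1 if 2 * votes > len(forest) else 0

def detect(forest, packets):
    """Step 4: same feature processing as training, then a verdict per traffic group."""
    return {key: ("threat" if predict(forest, vec) else "normal")
            for key, vec in extract_features(packets).items()}

def run_demo(seed=7):
    """Train on constructed captures, then classify a mixed live capture."""
    rng = random.Random(seed)
    forest = fit_forest(*build_dataset(rng))
    live = synth_normal(rng, 5e5) + synth_portscan(rng, 5e5 + 100) + synth_dos(rng, 5e5 + 200)
    return detect(forest, live)
```

Calling `run_demo()` returns one verdict per (src, dst, proto) group of the live capture: the streaming session comes back as normal and the scan and flood groups as threat. One caveat the text glosses over: a supervised model trained on simulated scans and floods learns those two patterns, so the "unknown attack" claim holds only as far as an unseen attack shares their feature signature (packet rate, size, port fan-out). Traffic that resembles the normal baseline, such as slow exfiltration inside the same TLS session, is not flagged by this pipeline, and the training captures have to be refreshed whenever the device's firmware behaviour or the attack catalogue changes.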
From the foregoing, the method of the invention for Internet of Things threat detection based on machine learning, by having the machine learn known attack types, discovers in time the threats of known and unknown attacks to which IoT devices are subjected, lets the machine continually learn new attack types, and discovers threats promptly so that protective measures can be taken and losses reduced.
It is understood that the above embodiment is intended merely to illustrate the principle of the present invention and an exemplary implementation, and the present invention is not limited thereto. Those skilled in the art may make various changes and modifications without departing from the spirit and essence of the invention, and such variations and modifications are also considered to fall within the protection scope of the present invention.
Claims (10)
1. A method for Internet of Things threat detection based on machine learning, for detecting threats to IoT devices, characterised in that it comprises the following steps:
A. collecting traffic data in the IoT environment;
B. performing feature processing on the collected traffic data;
C. using the processed traffic data for machine learning model training;
D. deploying the trained model in the IoT device environment for threat detection and identification.
2. The method for Internet of Things threat detection based on machine learning according to claim 1, characterised in that step A specifically comprises:
A1. establishing a local network that includes at least a routing device and an IoT device;
A2. collecting traffic data in that IoT environment.
3. The method for Internet of Things threat detection based on machine learning according to claim 1 or 2, characterised in that the specific collection mode when collecting traffic in step A is packet capture on the local area network.
4. The method for Internet of Things threat detection based on machine learning according to claim 1 or 2, characterised in that traffic collection in step A is divided into normal traffic collection and abnormal traffic collection.
5. The method for Internet of Things threat detection based on machine learning according to claim 4, characterised in that normal traffic collection is the collection of the IoT device's normal traffic over a certain period of time, and abnormal traffic collection is carried out by simulating outbound port scanning and outbound DoS traffic from the IoT device terminal and collecting the resulting abnormal traffic.
6. The method for Internet of Things threat detection based on machine learning according to claim 4, characterised in that step B specifically analyses the features of the collected traffic data and extracts feature information.
7. The method for Internet of Things threat detection based on machine learning according to claim 6, characterised in that the feature information extraction comprises at least extracting, separately for the normal traffic data and the abnormal traffic data, packet size information, packet send-interval information and IP 5-tuple feature information, and grouping and labelling the extracted feature values, specifically into a normal traffic data group and an abnormal traffic data group.
8. The method for Internet of Things threat detection based on machine learning according to claim 7, characterised in that step C specifically: the traffic data processed by feature extraction is used for machine learning model training, so that training produces a machine learning model for threat identification.
9. The method for Internet of Things threat detection based on machine learning according to claim 8, characterised in that when the machine learning model is trained, its learning algorithm uses a random forest or a deep neural network.
10. The method for Internet of Things threat detection based on machine learning according to claim 1, characterised in that in step D, when the machine learning model performs threat detection and identification, it parses the input traffic data from the IoT environment using the preset feature processing mode, performs threat identification and outputs the threat identification result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910399217.7A CN110113348A (en) | 2019-05-14 | 2019-05-14 | Method for Internet of Things threat detection based on machine learning |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110113348A true CN110113348A (en) | 2019-08-09 |
Family
ID=67489880
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910399217.7A Pending CN110113348A (en) | Method for Internet of Things threat detection based on machine learning | 2019-05-14 | 2019-05-14 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113348A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111399435A (en) * | 2020-03-20 | 2020-07-10 | 重庆成峰水务工程有限责任公司 | Intelligent pump room data acquisition terminal |
CN111695118A (en) * | 2020-06-17 | 2020-09-22 | 安徽三实信息技术服务有限公司 | Network threat identification system |
CN112203282A (en) * | 2020-08-28 | 2021-01-08 | 中国科学院信息工程研究所 | 5G Internet of things intrusion detection method and system based on federal transfer learning |
WO2022151815A1 (en) * | 2021-01-15 | 2022-07-21 | 中国银联股份有限公司 | Method and apparatus for determining security state of terminal device |
CN116319114A (en) * | 2023-05-25 | 2023-06-23 | 广州鲁邦通物联网科技股份有限公司 | Method and system for network intrusion detection |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108881322A (en) * | 2018-09-17 | 2018-11-23 | 苏州爱开客信息技术有限公司 | The system of defense and method of Internet of things system reply DDOS attack |
CN109167798A (en) * | 2018-11-01 | 2019-01-08 | 四川长虹电器股份有限公司 | A kind of household internet of things equipment DDoS detection method based on machine learning |
Prosecution history
- 2019-05-14: application CN201910399217.7A filed in CN (publication CN110113348A), status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190809 |