CN111614614A - Safety monitoring method and device applied to Internet of things - Google Patents
- Publication number: CN111614614A (application CN202010292015A)
- Authority: CN (China)
- Prior art keywords: intranet, behavior, information, same type, behavior information
- Legal status: Granted (as listed by Google Patents; the legal status is an assumption and not a legal conclusion)
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/1425—Traffic logging, e.g. anomaly detection (under H04L63/1408)
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L67/00, network arrangements or protocols for supporting network services or applications)
- G16Y10/75—Information technology; Communication (under G16Y10/00, economic sectors)
- G16Y30/10—Security thereof (under G16Y30/00, IoT infrastructure)
Abstract
The application provides a security monitoring method and device applied to the Internet of Things. The method comprises the following steps: a threat awareness platform collects traffic behavior information gathered by an Internet of Things gateway deployed in an intranet; the traffic behavior information of intranets belonging to the same type is integrated and effective behavior features are extracted from it; and, based on the effective behavior features, an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold is identified as an intranet with abnormal network behavior. The application can perform security monitoring of an intranet and improve its security.
Description
[ technical field ]
The application relates to the technical field of computer networks, and in particular to a security monitoring method, apparatus, device and computer storage medium applied to the Internet of Things.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The Internet of Things (IoT) is an information carrier based on the Internet, traditional telecommunication networks and the like that lets all ordinary physical objects that can be independently addressed form an interconnected network. As IoT technology develops, more and more enterprises deploy more IoT devices in their intranets (i.e., local area networks) for manufacturing, production processes and production management; the enterprise intranet environment becomes increasingly complex, and IT (Information Technology) and OT (Operational Technology) are merged with each other, which brings more security management difficulty and more hidden threats to the security of the enterprise intranet.
[ summary of the invention ]
In view of this, the present application provides a security monitoring method, apparatus, device and computer storage medium applied to the internet of things, so as to perform security monitoring on an intranet and improve security.
The specific technical scheme is as follows:
in a first aspect, the present application provides a security monitoring method applied to the Internet of Things, including:
a threat awareness platform collects traffic behavior information gathered by an Internet of Things gateway deployed in an intranet;
integrating the traffic behavior information of intranets belonging to the same type and extracting effective behavior features from it;
and, based on the effective behavior features, identifying an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior.
According to a preferred embodiment of the present application, the traffic behavior information includes one or any combination of the following:
communication five-tuple information, protocol type information, network instruction information, network data payload information, and the time at which the traffic behavior occurs.
According to a preferred embodiment of the present application, integrating the traffic behavior information of intranets belonging to the same type includes:
performing data cleaning and normalization on the traffic behavior information of intranets belonging to the same type.
According to a preferred embodiment of the present application, extracting effective behavior features from the integrated data includes:
inputting the vector representation of an intranet's traffic behavior information into an autoencoder for dimension reduction, and taking the resulting vector representation as the vector representation of the effective behavior features.
According to a preferred embodiment of the present application, identifying, based on the effective behavior features, an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior includes:
inputting the vector representation of the effective behavior features into a decoder for dimension increase, and determining the degree of difference between the vector representation obtained by the dimension increase and the vector representation of the intranet's traffic behavior information;
and identifying, among intranets of the same type, those whose degree of difference exceeds a preset threshold as intranets with abnormal network behavior.
According to a preferred embodiment of the present application, before integrating the traffic behavior information of intranets belonging to the same type, the method further includes:
judging whether the traffic behavior information of an intranet contains known malicious characteristic behaviors;
and identifying an intranet containing known malicious characteristic behaviors as an intranet with abnormal network behavior.
In a second aspect, the present application further provides a security monitoring apparatus applied to the Internet of Things, which is disposed on the threat awareness platform and includes:
a collecting unit for collecting traffic behavior information gathered by an Internet of Things gateway deployed in an intranet;
an integration unit for integrating the traffic behavior information of intranets belonging to the same type;
and a first identification unit for extracting effective behavior features from the integrated traffic behavior information and, based on the effective behavior features, identifying an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior.
According to a preferred embodiment of the present application, the traffic behavior information includes one or any combination of the following:
communication five-tuple information, protocol type information, network instruction information, network data payload information, and the time at which the traffic behavior occurs.
According to a preferred embodiment of the present application, the integration unit is specifically configured to perform data cleaning and normalization on the traffic behavior information of intranets belonging to the same type.
According to a preferred embodiment of the present application, when extracting the effective behavior features, the first identification unit specifically:
inputs the vector representation of an intranet's traffic behavior information into an autoencoder for dimension reduction, and takes the resulting vector representation as the vector representation of the effective behavior features.
According to a preferred embodiment of the present application, when identifying, based on the effective behavior features, an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior, the first identification unit specifically:
inputs the vector representation of the effective behavior features into a decoder for dimension increase, and determines the degree of difference between the vector representation obtained by the dimension increase and the vector representation of the intranet's traffic behavior information;
and identifies, among intranets of the same type, those whose degree of difference exceeds a preset threshold as intranets with abnormal network behavior.
According to a preferred embodiment of the present application, the apparatus further comprises:
a second identification unit for judging, before the integration unit integrates the traffic behavior information of intranets belonging to the same type, whether the traffic behavior information of an intranet contains known malicious characteristic behaviors, and identifying an intranet containing known malicious characteristic behaviors as an intranet with abnormal network behavior.
In a third aspect, the present application further provides an apparatus, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method as in any of the above.
In a fourth aspect, the present application also provides a storage medium containing computer-executable instructions for performing the method as described in any one of the above when executed by a computer processor.
According to the above technical scheme, the Internet of Things security detection method provided by the application can perform security monitoring of abnormal Internet of Things terminals and improve security.
[ description of the drawings ]
Fig. 1 illustrates an exemplary system architecture of a security monitoring method or apparatus of the Internet of Things to which embodiments of the present invention may be applied;
Fig. 2 is a flow chart of a method provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of an exemplary embodiment of an encoder-decoder;
Fig. 4 is a structural diagram of a security detection apparatus according to an embodiment of the present application;
Fig. 5 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows an exemplary system architecture of a security monitoring method or apparatus of the internet of things to which an embodiment of the present invention can be applied.
As shown in Fig. 1, the system architecture may include an intranet, an Internet of Things gateway, an extranet server, and a threat awareness platform. The intranet is a private network; it is typically a local area network set up by an enterprise, a school, a factory or the like, and may contain devices such as Internet of Things terminals, computer terminals and intranet servers. In the present application an Internet of Things gateway is also deployed in the intranet and is responsible for data exchange between intranet subnets.
The extranet can be the internet, and equipment in the intranet interacts with an extranet server through the internet. Various applications such as voice interaction applications, web browser applications, communication applications and the like can be installed on the internet of things terminal and the computer terminal.
The Internet of Things terminals can include, but are not limited to, smart home devices, smart wearable devices, smart transportation devices, smart environment monitoring devices, smart office devices, and the like. The threat awareness platform provided by the invention can be deployed and run on an extranet server. It may be implemented as a plurality of software modules (for example, to provide distributed services) or as a single software module, which is not specifically limited here. The extranet server may be a single server or a server group comprising a plurality of servers.
It should be understood that the number of intranet, internet of things terminal, computer terminal, network and server in fig. 1 is merely illustrative. According to the implementation requirement, any number of internal networks, internet of things terminals, computer terminals, networks and servers can be provided.
Fig. 2 is a flowchart of a method provided by an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
in 201, the threat awareness platform collects traffic behavior information collected by an internet of things gateway disposed in an intranet.
In the embodiment of the application, a program responsible for monitoring and acquiring traffic behavior information can be written for the Internet of Things gateway deployed in each intranet and embedded in and run on that gateway. The program can reside in the gateway's system and continuously monitor and acquire the traffic behavior information generated by the intranet.
The traffic behavior information may include one or any combination of communication five-tuple information, protocol type information, network instruction information, network data payload information, the time at which the traffic behavior occurs, and the like.
The communication five-tuple information may include: the protocol of the traffic, the source address, the destination address, the source port and the destination port.
The protocol type information may be the protocol used by network instructions or network data transmitted via the Internet of Things gateway, such as HTTP, FTP, VOIP and the like. Because protocol behavior may differ between network types, particularly in special-purpose networks, the protocol type is also one of the traffic behavior attributes to be monitored.
The network instruction information may be information such as the type and content of the network instruction transmitted via the gateway of the internet of things.
The network data payload information may be information such as payload content or a hash value of the payload of the network data transmitted via the gateway of the internet of things.
The time when the traffic behavior occurs may be time information of the network behavior information acquired through the internet of things gateway.
The Internet of Things gateway can send the collected traffic behavior information to the threat awareness platform over the external network, either as a stream or periodically, and the threat awareness platform collects and stores it.
At 202, traffic behavior information of the same type of intranet is integrated and effective behavior features are extracted therefrom.
The type of intranet may be an enterprise intranet, an industrial control intranet, a school intranet, or the like. In general, the network behaviors that different types of intranet generate on their traffic differ to some extent, while intranets of the same type should show more consistent behavior features in the network behavior generated by their traffic. When the network behavior features of one or more intranets deviate from the baseline, the likelihood that they have been intruded is high. The technical scheme of the present application is based on this core idea.
After the threat awareness platform collects the traffic behavior information gathered by each Internet of Things gateway, the traffic behavior information belonging to the same type of intranet can be subjected to data cleaning and normalization during integration. Data cleaning can filter out traffic behavior information with missing data, invalid traffic behavior information and the like, so that the remaining traffic behavior information is valid.
In general, when the industry performs anomaly identification of an intranet, a clustering method such as K-Means is usually adopted, but such methods mostly depend on manual experience when the threshold is selected, which causes misjudgment and low accuracy.
The method and apparatus adopt a more intelligent, neural-network-based autoencoder algorithm to achieve unsupervised anomaly detection. When the effective behavior features are extracted, the vector representation of the intranet's traffic behavior information may be input into the encoder for dimension reduction, and the resulting vector representation used as the vector representation of the effective behavior features.
After the intranet's traffic behavior information has been normalized, a vector representation formed from that information can be obtained by mapping, and the dimensionality of the vector equals the number of kinds of traffic behavior information collected for the intranet. For example, if thirty kinds of traffic behavior information are collected for each intranet, the traffic behavior information of one intranet can be represented as a thirty-dimensional vector. As shown in Fig. 3, the vector representation is input into an autoencoder formed by a multilayer neural network to reduce the dimensionality of the intranet's multidimensional vector representation, for example reducing a thirty-dimensional vector composed of communication five-tuple information, protocol type information, network instruction information, network data payload information, the time at which traffic behavior occurs and so on to five dimensions. In this process the multilayer neural network automatically learns the effective behavior features, which are represented by the five-dimensional vector obtained by the dimension reduction. That is, five dimensions of traffic behavior information are automatically learned from the thirty-dimensional vector, and the behavior features they represent are the effective behavior features. The values thirty and five are only examples listed in the present application; the application is not limited to these specific dimensionalities.
In 203, based on the effective behavior features, the intranet of which the degree of deviation of the effective behavior features from the baseline behavior features of the same type of intranet exceeds a preset threshold is identified as the intranet with abnormal network behavior.
In this step, the vector representation of the effective behavior features can be input into a decoder formed by a multilayer neural network for dimension increase, after which the degree of difference between the vector representation obtained by the dimension increase and the intranet's traffic behavior vector representation before dimension reduction is determined; an intranet whose degree of difference deviates from the average degree of difference of the same-type intranets by more than a preset threshold is identified as an intranet with abnormal network behavior. For example, as shown in Fig. 3, the five-dimensional vector obtained by dimension reduction is raised back to thirty dimensions by a decoder formed by a multilayer neural network, and this thirty-dimensional vector is compared with the original thirty-dimensional vector before dimension reduction to determine the degree of difference. The degree of difference can be determined for all intranets of the same type and these degrees of difference averaged. If the degree of difference of a certain intranet deviates from that average by more than the preset threshold, the intranet is identified as an intranet with abnormal network behavior.
That is, the vector representation obtained by the dimension reduction is restored. Since the learned effective behavior features are the features that best reflect the intranet's traffic behavior, under ideal conditions the difference between the vector before dimension reduction and the restored vector should lie within a normal range, and that normal range is the degree of difference generally exhibited by intranets of the same type. If the error between the before and after vectors of a certain intranet falls outside the normal range, the intranet can be regarded as an intranet with abnormal network behavior, and it may have been intruded.
In this method the effective behavior features are obtained by self-learning of the multilayer neural network, so no feature threshold needs to be set manually. Compared with clustering algorithms that rely on a manually selected feature threshold, the autoencoder-based algorithm greatly reduces misjudgment and is more efficient.
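As an added worked example (not code from the patent), the following pure-Python sketch of steps 202 and 203 cleans and z-score normalizes constructed per-intranet feature records, trains a tied-weight linear autoencoder by gradient descent in place of the patent's multilayer neural network, computes each intranet's degree of difference as the reconstruction error, and flags intranets whose error deviates from the same-type average by more than a threshold. The feature names, sample values, code dimension and threshold are assumptions made for the example.

```python
import random
from typing import Dict, List

# Hypothetical per-intranet features; the patent lists only the raw information
# classes (five-tuple, protocol type, instructions, payload, time of occurrence).
FEATURES = ["http_flows", "mqtt_flows", "bytes_out_mb",
            "modbus_flows", "arp_entries", "dhcp_leases", "night_flow_ratio"]


def constructed_records() -> List[Dict]:
    """Constructed sample: 12 same-type intranets following one pattern (device
    count n, activity level s), one intranet whose traffic is mostly after hours,
    and one record with a missing field for data cleaning to drop."""
    rng = random.Random(7)                      # deterministic jitter
    jitter = lambda v: v * (1 + rng.uniform(-0.03, 0.03))
    recs = []
    for n in (10, 20, 30, 40):
        for s in (1, 2, 3):
            recs.append({"id": f"net-{n}-{s}",
                         "http_flows": jitter(40 * s), "mqtt_flows": jitter(120 * s),
                         "bytes_out_mb": jitter(2 * s), "modbus_flows": jitter(60 * n),
                         "arp_entries": jitter(n), "dhcp_leases": jitter(n),
                         "night_flow_ratio": jitter(0.1)})
    recs.append({"id": "net-night", "http_flows": 80, "mqtt_flows": 240,
                 "bytes_out_mb": 4, "modbus_flows": 1200, "arp_entries": 20,
                 "dhcp_leases": 20, "night_flow_ratio": 0.6})
    recs.append({"id": "net-broken", "http_flows": 50, "mqtt_flows": None})
    return recs


def clean(records):
    """Step 202 data cleaning: drop records with any missing feature."""
    return [r for r in records if all(r.get(f) is not None for f in FEATURES)]


def normalize(records):
    """Step 202 normalization: z-score each feature across the same-type
    intranets (centering also stands in for the bias the autoencoder lacks)."""
    stats = {}
    for f in FEATURES:
        col = [r[f] for r in records]
        m = sum(col) / len(col)
        stats[f] = (m, (sum((v - m) ** 2 for v in col) / len(col)) ** 0.5 or 1.0)
    return [[(r[f] - stats[f][0]) / stats[f][1] for f in FEATURES] for r in records]


class TiedLinearAutoencoder:
    """Encoder x -> W^T x (d -> k) and decoder z -> W z (k -> d) share W; trained
    by full-batch gradient descent on the squared reconstruction error. A small
    stand-in for the patent's multilayer neural network."""

    def __init__(self, d, k, seed=1):
        rng = random.Random(seed)
        self.d, self.k = d, k
        self.w = [[rng.uniform(-0.1, 0.1) for _ in range(k)] for _ in range(d)]

    def encode(self, x):
        return [sum(self.w[i][j] * x[i] for i in range(self.d)) for j in range(self.k)]

    def decode(self, z):
        return [sum(self.w[i][j] * z[j] for j in range(self.k)) for i in range(self.d)]

    def fit(self, xs, epochs=1500, lr=0.01):
        for _ in range(epochs):
            grad = [[0.0] * self.k for _ in range(self.d)]
            for x in xs:
                z = self.encode(x)
                e = [a - b for a, b in zip(self.decode(z), x)]      # recon - input
                wte = [sum(self.w[i][j] * e[i] for i in range(self.d)) for j in range(self.k)]
                for i in range(self.d):
                    for j in range(self.k):
                        # d||e||^2 / dW = 2 (e z^T + x (W^T e)^T) with tied weights
                        grad[i][j] += 2 * (e[i] * z[j] + x[i] * wte[j])
            for i in range(self.d):
                for j in range(self.k):
                    self.w[i][j] -= lr * grad[i][j] / len(xs)
        return self

    def reconstruction_error(self, x):
        """Degree of difference: Euclidean distance between x and decode(encode(x))."""
        r = self.decode(self.encode(x))
        return sum((a - b) ** 2 for a, b in zip(r, x)) ** 0.5


def detect_abnormal(records, code_dim=2, threshold=1.0):
    """Steps 202-203: clean, normalize, learn effective features, then flag the
    intranets whose degree of difference deviates from the same-type average by
    more than `threshold` (normalized units). Returns (flagged_ids, errors)."""
    kept = clean(records)
    xs = normalize(kept)
    ae = TiedLinearAutoencoder(len(FEATURES), code_dim).fit(xs)
    errors = {r["id"]: ae.reconstruction_error(x) for r, x in zip(kept, xs)}
    # The patent compares against the plain average; one large outlier inflates
    # it, so a median/MAD baseline is the more robust choice in practice.
    mean_err = sum(errors.values()) / len(errors)
    flagged = sorted(i for i, e in errors.items() if abs(e - mean_err) > threshold)
    return flagged, errors
```

With the constructed sample, the twelve pattern-following intranets reconstruct to within a few tenths in normalized units while the after-hours intranet does not, so `detect_abnormal` returns it alone.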
For an intranet identified as having abnormal network behavior, the threat awareness platform may send an abnormality notification to the administrator. The notification may include information about the intranet with the abnormal network behavior, such as its ID, location and type, and may further include the intranet's traffic behavior information. The notification may be presented to the administrator visually, for example through a system interface, or sent to a terminal of the administrator. Through this innovation in intranet security monitoring technology, the enterprise security team can discover threats more effectively and respond in time.
Further, before performing step 202, it may first be determined whether the traffic behavior information of an intranet contains known malicious characteristic behaviors; if so, the intranet containing the known malicious characteristic behaviors may be identified as an intranet with abnormal network behavior. The known malicious characteristic behaviors can be configured manually according to experience, can be known malicious characteristic behaviors accurately identified by other means, or can be characteristic behaviors obtained by analyzing the behavior features of an intranet with abnormal network behavior identified in the manner provided by the embodiment of the present application.
The above is a detailed description of the method provided in the present application, and the following is a detailed description of the apparatus provided in the present application with reference to the embodiments.
Fig. 4 is a structural diagram of a security detection apparatus according to an embodiment of the present application. As shown in Fig. 4, the apparatus is disposed on the threat awareness platform of the foregoing method to implement the functions of that platform. It specifically comprises: a collecting unit 01, an integration unit 02 and a first identification unit 03, and may further comprise a second identification unit 04. The main functions of each component unit are as follows:
the collection unit 01 is responsible for collecting traffic behavior information collected by the internet of things gateway arranged in the intranet.
The traffic behavior information includes one or any combination of the following:
communication five-tuple information, protocol type information, network instruction information, network data payload information, and the time at which the traffic behavior occurs.
The integration unit 02 is responsible for integrating traffic behavior information of the same type of intranet. Specifically, the integration unit 02 may perform data cleaning and normalization processing on the traffic behavior information belonging to the same type of intranet.
The first identification unit 03 is responsible for extracting effective behavior features from the integrated traffic behavior information and, based on the effective behavior features, identifying an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior.
As a preferred embodiment, when extracting the effective behavior features, the first identification unit 03 may input the vector representation of the intranet's traffic behavior information into the encoder for dimension reduction and use the resulting vector representation as the vector representation of the effective behavior features.
When identifying, based on the effective behavior features, an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than the preset threshold as an intranet with abnormal network behavior, the first identification unit 03 may input the vector representation of the effective behavior features into a decoder for dimension increase, determine the degree of difference between the vector representation obtained by the dimension increase and the vector representation of the intranet's traffic behavior information, and identify an intranet whose degree of difference deviates from the average degree of difference of the same-type intranets by more than a preset threshold as an intranet with abnormal network behavior.
Before the integration unit 02 integrates the traffic behavior information of intranets belonging to the same type, the second identification unit 04 judges whether the traffic behavior information of an intranet contains known malicious characteristic behaviors, and identifies an intranet containing known malicious characteristic behaviors as an intranet with abnormal network behavior.
The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the unit is only a logical division, and other divisions may be realized in practice. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
FIG. 5 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention. The computer system/server 012 shown in fig. 5 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in fig. 5, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.). In the present invention, the computer system/server 012 communicates with an external radar device, and may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in Fig. 5, other hardware and/or software modules may be used in conjunction with the computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
As time and technology advance, the meaning of "media" has broadened: the propagation path of a computer program is no longer limited to tangible media, and a program can also be downloaded directly from a network, among other routes. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (14)
1. A safety monitoring method applied to the Internet of things, characterized by comprising the following steps:
a threat sensing platform collects traffic behavior information gathered by an Internet of things gateway arranged in an intranet;
integrating the traffic behavior information of intranets belonging to the same type and extracting effective behavior features from it; and
based on the effective behavior features, identifying an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior.
2. The method of claim 1, wherein the traffic behavior information comprises one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
3. The method according to claim 1, wherein integrating the traffic behavior information of intranets belonging to the same type comprises:
performing data cleaning and normalization on the traffic behavior information of the intranets belonging to the same type.
4. The method of claim 1, wherein extracting effective behavior features comprises:
inputting the vector representation of the traffic behavior information of an intranet into an autoencoder for dimension reduction, and taking the resulting vector representation as the vector representation of the effective behavior features.
5. The method according to claim 4, wherein identifying, based on the effective behavior features, an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior comprises:
inputting the vector representation of the effective behavior features into a decoder for dimension increase, and determining the degree of difference between the vector representation obtained by the dimension increase and the vector representation of the traffic behavior information of the intranet; and
identifying, among the intranets of the same type, those whose degree of difference exceeds a preset threshold as intranets with abnormal network behavior.
6. The method according to claim 1, further comprising, before integrating the traffic behavior information of intranets belonging to the same type:
judging whether the traffic behavior information of an intranet contains known malicious characteristic behaviors; and
identifying an intranet containing known malicious characteristic behaviors as an intranet with abnormal network behavior.
7. A safety monitoring device applied to the Internet of things, characterized in that the device is arranged in a threat sensing platform and comprises:
a collecting unit for collecting traffic behavior information gathered by an Internet of things gateway arranged in an intranet;
an integration unit for integrating the traffic behavior information of intranets belonging to the same type; and
a first identification unit for extracting effective behavior features from the integrated traffic behavior information and, based on the effective behavior features, identifying an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior.
8. The apparatus of claim 7, wherein the traffic behavior information comprises one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
9. The apparatus according to claim 7, wherein the integration unit is specifically configured to perform data cleaning and normalization on the traffic behavior information of intranets belonging to the same type.
10. The apparatus according to claim 7, wherein the first identification unit, when extracting the effective behavior features, specifically:
inputs the vector representation of the traffic behavior information of an intranet into an autoencoder for dimension reduction, and takes the resulting vector representation as the vector representation of the effective behavior features.
11. The apparatus according to claim 10, wherein the first identification unit, when identifying, based on the effective behavior features, an intranet whose effective behavior features deviate from the baseline behavior features of intranets of the same type by more than a preset threshold as an intranet with abnormal network behavior, specifically:
inputs the vector representation of the effective behavior features into a decoder for dimension increase, and determines the degree of difference between the vector representation obtained by the dimension increase and the vector representation of the traffic behavior information of the intranet; and
identifies, among the intranets of the same type, those whose degree of difference exceeds a preset threshold as intranets with abnormal network behavior.
12. The apparatus of claim 7, further comprising:
a second identification unit for judging, before the integration unit integrates the traffic behavior information of intranets belonging to the same type, whether the traffic behavior information of an intranet contains known malicious characteristic behaviors, and for identifying an intranet containing known malicious characteristic behaviors as an intranet with abnormal network behavior.
13. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
14. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-6 when executed by a computer processor.
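As an added illustration of the procedure in claims 1 to 6 (this is not code from the patent), the pipeline below pre-screens gateway records against known malicious behaviors (claim 6), standardizes the traffic features against a same-type baseline (claim 3), reduces and reconstructs each intranet's vector (claims 4 and 5) and flags intranets whose reconstruction error exceeds a preset threshold. The autoencoder is stood in for by a linear one (top principal components found by power iteration), the baseline is a constructed set of healthy same-type intranet observations, and the feature layout, signature label and threshold value are constructed assumptions.

```python
import math

def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def pre_screen(records, known_bad):  # claim 6: known malicious behaviour => abnormal at once
    return {r["intranet"] for r in records if set(r["instructions"]) & known_bad}

def fit_scaler(baseline):  # claim 3 normalization: per-feature mean/std of the same-type baseline
    n, d = len(baseline), len(baseline[0])
    mean = [sum(v[j] for v in baseline) / n for j in range(d)]
    std = [math.sqrt(sum((v[j] - mean[j]) ** 2 for v in baseline) / n) or 1.0 for j in range(d)]
    return mean, std  # a constant feature gets std 1.0 so standardize() never divides by zero

def standardize(v, scaler):
    return [(x - m) / s for x, m, s in zip(v, *scaler)]

def fit_components(z_vectors, k, iters=300):
    """Top-k principal directions of mean-zero vectors (power iteration with deflation)."""
    d, n = len(z_vectors[0]), len(z_vectors)
    cov = [[sum(z[i] * z[j] for z in z_vectors) / n for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [_dot(row, v) for row in cov]
            norm = math.sqrt(_dot(w, w)) or 1.0  # at convergence |cov v| is the eigenvalue
            v = [x / norm for x in w]
        cov = [[cov[i][j] - norm * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
        comps.append(v)
    return comps

def encode(z, comps):  # claim 4: dimension reduction, a linear encoder projecting onto components
    return [_dot(z, c) for c in comps]

def decode(code, comps):  # claim 5: dimension increase, a linear decoder summing weighted components
    return [sum(c * comp[j] for c, comp in zip(code, comps)) for j in range(len(comps[0]))]

def reconstruction_error(z, comps):  # claim 5 "degree of difference": squared distance
    return sum((a - b) ** 2 for a, b in zip(z, decode(encode(z, comps), comps)))

def detect(records, baseline, known_bad, k=1, threshold=3.0):  # 3.0: constructed preset threshold
    """Returns (abnormal intranets, reconstruction error per screened intranet)."""
    scaler = fit_scaler(baseline)
    comps = fit_components([standardize(v, scaler) for v in baseline], k)
    flagged = pre_screen(records, known_bad)  # known-bad intranets bypass integration
    errors = {}
    for r in records:
        if r["intranet"] not in flagged:
            errors[r["intranet"]] = err = reconstruction_error(standardize(r["features"], scaler), comps)
            if err > threshold:
                flagged.add(r["intranet"])
    return flagged, errors

# Constructed data: hourly [packets, bytes, distinct destination ports] per intranet of one type.
BASELINE = [[1000, 200000, 3], [1200, 240000, 3], [800, 160000, 3],
            [1100, 220000, 4], [900, 180000, 2], [1050, 210000, 3]]
KNOWN_BAD = {"telnet-default-credential-login"}  # constructed signature label
RECORDS = [
    {"intranet": "intranet-A", "features": [1020, 204000, 3], "instructions": ["read-meter"]},
    {"intranet": "intranet-B", "features": [950, 190000, 3], "instructions": ["read-meter"]},
    {"intranet": "intranet-C", "features": [1100, 50000, 40], "instructions": ["read-meter"]},
    {"intranet": "intranet-D", "features": [1010, 202000, 3],
     "instructions": ["read-meter", "telnet-default-credential-login"]},
]
```

With the constructed baseline the healthy intranets reconstruct with an error well under 1, intranet-C (few bytes, many destination ports) reconstructs with an error in the thousands, and intranet-D is flagged by the pre-screen before any integration happens.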
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010292015.5A CN111614614B (en) | 2020-04-14 | 2020-04-14 | Safety monitoring method and device applied to Internet of things |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111614614A true CN111614614A (en) | 2020-09-01 |
CN111614614B CN111614614B (en) | 2022-08-05 |
Family ID: 72203681
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010292015.5A Active CN111614614B (en) | 2020-04-14 | 2020-04-14 | Safety monitoring method and device applied to Internet of things |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111614614B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103795709A (en) * | 2013-12-27 | 2014-05-14 | 北京天融信软件有限公司 | Network security detection method and system |
CN108270620A (en) * | 2018-01-15 | 2018-07-10 | 深圳市联软科技股份有限公司 | Network anomaly detection method, device, equipment and medium based on Portrait brand technology |
CN109040141A (en) * | 2018-10-17 | 2018-12-18 | 腾讯科技(深圳)有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
CN109359686A (en) * | 2018-10-18 | 2019-02-19 | 西安交通大学 | A kind of user's portrait method and system based on Campus Network Traffic |
CN109600363A (en) * | 2018-11-28 | 2019-04-09 | 南京财经大学 | A kind of internet-of-things terminal network portrait and abnormal network access behavioral value method |
US20190171187A1 (en) * | 2016-05-09 | 2019-06-06 | StrongForce IoT Portfolio 2016, LLC | Methods and systems for the industrial internet of things |
CN109962903A (en) * | 2017-12-26 | 2019-07-02 | 中移(杭州)信息技术有限公司 | A kind of home gateway method for safety monitoring, device, system and medium |
CN110033014A (en) * | 2019-01-08 | 2019-07-19 | 阿里巴巴集团控股有限公司 | The detection method and its system of abnormal data |
CN110392032A (en) * | 2018-04-23 | 2019-10-29 | 华为技术有限公司 | Detect the method, apparatus and storage medium of exception URL |
CN110807518A (en) * | 2019-11-06 | 2020-02-18 | 国网山东省电力公司威海供电公司 | Outlier detection method for power grid data |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113364739A (en) * | 2021-05-13 | 2021-09-07 | 北京亚鸿世纪科技发展有限公司 | Method and system for identifying abnormal flow of Internet of things equipment |
CN113364739B (en) * | 2021-05-13 | 2022-05-13 | 北京亚鸿世纪科技发展有限公司 | Method and system for identifying abnormal flow of Internet of things equipment |
CN113705714A (en) * | 2021-09-03 | 2021-11-26 | 上海观安信息技术股份有限公司 | Power distribution Internet of things equipment abnormal behavior detection method and device based on behavior sequence |
CN113705714B (en) * | 2021-09-03 | 2024-06-11 | 上海观安信息技术股份有限公司 | Abnormal behavior detection method and device for power distribution Internet of things equipment based on behavior sequence |
Also Published As
Publication number | Publication date |
---|---|
CN111614614B (en) | 2022-08-05 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |