CN111641621B - Internet of things security event identification method and device and computer equipment - Google Patents


Info

Publication number: CN111641621B
Authority: CN (China)
Application number: CN202010437015.XA
Other languages: Chinese (zh)
Other versions: CN111641621A
Inventors: 徐丽丽, 范渊
Current and original assignee: DBAPPSecurity Co Ltd
Legal status: Active (granted)
Prior art keywords: attribute, internet, things, threshold interval, data
Prosecution events: application filed by DBAPPSecurity Co Ltd; priority to CN202010437015.XA; publication of CN111641621A; application granted; publication of CN111641621B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection


Abstract

The application relates to a method, a device and computer equipment for identifying security events of the Internet of Things. The method comprises: acquiring a plurality of attribute features of an Internet of Things entity and the association information among those attribute features; constructing, from the attribute features and the association information, a knowledge graph network in which the attribute features are associated with one another; and identifying Internet of Things security events according to the knowledge graph network and the feature values of the attribute features. The application thereby addresses the problem that Internet of Things security events cannot be identified accurately.

Description

Internet of things security event identification method and device and computer equipment
Technical Field
The application relates to the technical field of Internet of things security, in particular to a method and a device for identifying Internet of things security events and computer equipment.
Background
With the rapid development of Internet of Things technology, its range of application keeps widening, and with it the number of Internet of Things security problems. When an enterprise network suffers a data attack that is not detected and remediated in time, the enterprise can incur large economic losses. Identifying Internet of Things security events from the experience accumulated by security experts can solve part of the problem, but experts cannot keep track of security events that arise from the interaction of many network devices.
In the related art, an Internet of Things information platform based on a traditional data model is used to identify Internet of Things security events and to monitor them automatically. However, that approach identifies events from isolated pieces of acquired data, so its identification results are not accurate enough.
At present, no effective solution has been proposed in the related art for the problem that Internet of Things security events cannot be identified accurately.
Disclosure of Invention
The embodiment of the application provides a method and a device for identifying security events of the Internet of things and computer equipment, and at least solves the problem that the security events of the Internet of things cannot be accurately identified in the related technology.
In a first aspect, an embodiment of the present application provides a method for identifying a security event of an internet of things, including:
acquiring a plurality of attribute characteristics of an entity of the Internet of things and associated information among the attribute characteristics;
constructing a knowledge graph network associated with the attribute characteristics according to the attribute characteristics and the associated information;
and identifying the Internet of Things security event according to the knowledge graph network and the feature values of the attribute features.
In some embodiments, the constructing a knowledge-graph network associated with a plurality of the attribute features according to the attribute features and the associated information includes:
abstracting the attribute features into nodes;
abstracting the associated information into edges;
and inputting the nodes and the edges into a graph database to obtain a knowledge graph network associated with the attribute features.
In some of these embodiments, after inputting the nodes and the edges into a graph database, resulting in a network of knowledge-graphs associated with a plurality of the attribute features, the method further comprises:
acquiring experience data of a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics;
determining a first threshold interval and a second threshold interval of each attribute characteristic according to the associated information, the empirical data and a 3sigma principle; the first threshold interval is obtained by calculation according to the empirical data of the attribute characteristics, and the second threshold interval is obtained by calculation according to the empirical data of the attribute characteristics and the empirical data of the associated attribute characteristics;
and writing the first threshold interval and the second threshold interval into attribute information of corresponding attribute features in the knowledge graph network.
In some of these embodiments, the empirical data includes empirical values of the attribute features; the determining a first threshold interval and a second threshold interval of each attribute feature according to the associated information, the empirical data, and a 3sigma principle includes:
determining a first threshold interval of each attribute feature according to the empirical value of the attribute feature and a 3sigma principle;
obtaining an empirical value of the associated attribute feature corresponding to the attribute feature according to the associated information and the empirical data;
calculating a comprehensive characteristic value of each attribute characteristic according to the empirical value of the attribute characteristic and the empirical value of the corresponding associated attribute characteristic;
and determining a second threshold interval of each attribute feature according to the comprehensive feature value.
In some embodiments, the identifying, according to feature values corresponding to the knowledgegraph network and the attribute features, an internet of things security event includes:
determining abnormal nodes according to the characteristic values of the attribute characteristics in the knowledge graph network and the first threshold interval;
calculating the comprehensive characteristic value of the attribute characteristic corresponding to the abnormal node;
and if the comprehensive feature value lies outside the second threshold interval, determining that an Internet of Things security event exists at the abnormal node.
In some of these embodiments, the method further comprises:
acquiring Internet of Things security data, the Internet of Things security data comprising feature values of a plurality of attribute features of an Internet of Things entity;
determining a plurality of abnormal attribute features according to the feature values of the attribute features and a preset threshold interval function;
obtaining an abnormal feature vector of the Internet of Things entity according to the feature values of the abnormal attribute features;
and determining the identification result of the Internet of Things security data according to a preset similarity function, the abnormal feature vector and a preset reference feature vector.
In some embodiments, the determining, according to a preset similarity function, the abnormal feature vector and a preset reference feature vector, an identification result of the Internet of Things security data includes:
calculating the similarity between the abnormal feature vector and the preset reference feature vector according to the preset similarity function;
and if the similarity is larger than a preset similarity threshold, determining the security data to be abnormal data; otherwise, determining the security data to be normal data.
In a second aspect, an embodiment of the present application provides an internet of things security event identification device, including:
the acquisition module is used for acquiring a plurality of attribute characteristics of an entity of the Internet of things and associated information among the attribute characteristics;
the building module is used for building a knowledge graph network associated with the attribute characteristics according to the attribute characteristics and the associated information;
and the identification module is used for identifying the Internet of things security event according to the knowledge graph network and the characteristic value corresponding to the attribute characteristic.
In a third aspect, an embodiment of the present application provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the method for identifying a security event of an internet of things according to the first aspect is implemented.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for identifying an internet of things security event according to the first aspect.
Compared with the related art, the method, the device and the computer equipment for identifying the security event of the internet of things provided by the embodiment of the application acquire a plurality of attribute features of an entity of the internet of things and associated information among the attribute features; constructing a knowledge graph network associated with the attribute characteristics according to the attribute characteristics and the associated information; and identifying the security event of the Internet of things according to the knowledge graph network and the characteristic value corresponding to the attribute characteristic, thereby solving the problem that the security event of the Internet of things cannot be accurately identified.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a method for identifying a security event of the internet of things according to an embodiment of the present application;
FIG. 2 is a flow diagram of the construction of a knowledge-graph network in an embodiment of the present application;
FIG. 3 is a schematic diagram of a knowledge-graph network in an embodiment of the present application;
FIG. 4 is a flow chart of setting knowledge-graph network attribute information in an embodiment of the present application;
FIG. 5 is a flowchart of determining a first threshold interval and a second threshold interval in an embodiment of the present application;
fig. 6 is a flowchart illustrating identification of an internet of things security event in an embodiment of the present application;
fig. 7 is a flowchart illustrating identification of an internet of things security event in an embodiment of the present application;
FIG. 8 is a flow chart of determining recognition results in an embodiment of the present application;
fig. 9 is a flowchart of a method for identifying security events of the internet of things according to an embodiment of the present application;
fig. 10 is a block diagram illustrating a structure of an internet-of-things security event recognition apparatus according to an embodiment of the present disclosure;
fig. 11 is a schematic diagram of a hardware structure of an internet of things security event identification device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The various technologies described in this application may be applied to, but are not limited to, an internet of things security monitoring platform and an internet of things security monitoring device.
The embodiment provides a method for identifying a security event of the Internet of things. Fig. 1 is a flowchart of a method for identifying a security event of an internet of things according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
step S110, obtaining a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics.
The Internet of things entity is used for representing various Internet of things devices. The types of attribute features include online time, fingerprint information, login user name information, traffic information, device ID, external IP, and file information. The association information includes an association relationship between a plurality of attribute features.
And step S120, constructing a knowledge graph network associated with the attribute characteristics according to the attribute characteristics and the associated information.
It can be understood that the multiple attribute features of the entity of the internet of things are associated according to the association information, so that the knowledge graph network with the multiple associated attribute features is obtained.
Step S130, identifying the Internet of Things security event according to the knowledge graph network and the feature values of the attribute features.
It should be noted that risk information among the attribute features is mined from the knowledge graph network and the feature values of the attribute features, the risk information is evaluated against the pre-acquired empirical data, and the Internet of Things security event is determined from the evaluation result.
Through steps S110 to S130, risk information among the attribute features is mined from the knowledge graph network and the feature values of the attribute features, the risk information is evaluated with the pre-acquired empirical data, and the Internet of Things security event is determined from the evaluation result. By constructing a knowledge graph network in which a plurality of attribute features are associated with one another, data fusion is achieved and identification errors caused by data isolation are avoided, so that Internet of Things security events are identified effectively and the problem that they cannot be identified accurately is solved.
In some embodiments, fig. 2 is a flowchart of constructing a knowledge-graph network in the embodiments of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S210, abstracting the attribute features into nodes.
Step S220, abstracting the associated information into edges.
Step S230, the nodes and edges are input into the graph database to obtain a knowledge graph network associated with the plurality of attribute features.
A graph database is a tool that models graphs automatically: once the attribute features have been abstracted into nodes and the association information into edges, inputting the nodes and edges into the graph database generates the knowledge graph network automatically.
Fig. 3 is a schematic diagram of a knowledge graph network in an embodiment of the application, and the construction process is described taking Fig. 3 as an example. The number information, login user name information, login state information and access content information of an Internet of Things device are abstracted into nodes, and the association relationships among them are abstracted into edges, which yields a knowledge graph network in which these four attribute features are associated with one another. In the figure, ip denotes the number information of the Internet of Things device, uid the login user name information, login the login state information, and content the access content information.
Through steps S210 to S230, the attribute features are abstracted into nodes, the association information into edges, and the nodes and edges are input into the graph database, which automatically generates a visual knowledge graph network. The structure of the data and the association relationships among the data can be observed clearly in the knowledge graph network, so that risk information among the complex Internet of Things data can be mined better, potential security events can be identified, and identification accuracy is further improved.
In some embodiments, fig. 4 is a flowchart of setting knowledge-graph network attribute information in the embodiments of the present application, and as shown in fig. 4, the flowchart includes the following steps:
step S410, acquiring experience data of a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics.
Specifically, historical data of the Internet of Things devices over the preceding week can be collected, and the empirical value of each attribute feature set from that historical data, giving the empirical data of the plurality of attribute features.
Step S420, determining a first threshold interval and a second threshold interval of each attribute characteristic according to the associated information, the empirical data and the 3sigma principle; the first threshold interval is obtained by calculation according to empirical data of the attribute characteristics, and the second threshold interval is obtained by calculation according to empirical data of the attribute characteristics and empirical data of associated attribute characteristics.
Under the 3sigma principle, a set of data is assumed to contain only random error; values that fall outside the preset threshold interval are treated as gross errors, and the data containing gross errors are removed to preserve the validity of the set. Accordingly, the first threshold interval of an attribute feature, that is, the normal range of its feature value, is set from the empirical data of that attribute feature and the 3sigma principle.
Step S430, writing the first threshold interval and the second threshold interval into attribute information of corresponding attribute features in the knowledge-graph network.
The abnormal attribute features in the knowledge graph network can be determined according to the first threshold interval and the second threshold interval, and risk information among the plurality of attribute features can therefore be mined.
Through steps S410 to S430, more accurate first and second threshold intervals are obtained by using the mathematical 3sigma principle, which further improves identification accuracy. Writing the first and second threshold intervals into the attribute information of the corresponding attribute features in the knowledge graph network makes it convenient to identify Internet of Things security events from the knowledge graph network and the feature values of the attribute features.
In some embodiments, fig. 5 is a flowchart of determining a first threshold interval and a second threshold interval in this embodiment, and as shown in fig. 5, the flowchart includes the following steps:
step S510, a first threshold interval of each attribute feature is determined according to the empirical value of the attribute feature and the 3sigma principle.
According to the 3sigma model and the empirical values of the attribute feature, the first threshold interval of each attribute feature is determined as the range within three standard deviations of the mean of its empirical values (the formula image is not reproduced in this extraction), that is, the standard 3sigma interval $[\mu - 3\sigma,\ \mu + 3\sigma]$, where $\mu$ and $\sigma$ are the mean and standard deviation of the empirical values.
When the feature value of an attribute feature deviates from the mean by more than three times the standard deviation, the attribute feature is regarded as an abnormal attribute feature.
Step S520, obtaining an empirical value of the associated attribute characteristic corresponding to the attribute characteristic according to the associated information and the empirical data.
Step S530, a comprehensive feature value of each attribute feature is calculated according to the empirical value of the attribute feature and the empirical value of the corresponding associated attribute feature.
Step S540, determining a second threshold interval of each attribute feature according to the integrated feature value.
Through steps S510 to S540, the first threshold interval of each attribute feature is determined from the empirical value of the attribute feature and the 3sigma principle, so that abnormal attribute features can be screened out against it. Because the first threshold interval is determined by a mathematical rule, the calculation is more accurate and more rigorous.
In some embodiments, fig. 6 is a flowchart illustrating identification of a security event of the internet of things in the embodiment of the present application, and as shown in fig. 6, the flowchart includes the following steps:
step S610, determining abnormal nodes according to the characteristic values of the attribute characteristics in the knowledge graph network and the first threshold interval.
Specifically, a node whose attribute feature value lies outside the first threshold interval is located in the knowledge graph network and determined to be an abnormal node. For example, when the password is modified frequently and the number of login failures lies outside the first threshold interval, a credential-stuffing (database collision) security event may exist, and the node corresponding to the login count is determined to be an abnormal node.
Step S620, calculating the comprehensive characteristic value of the attribute characteristics corresponding to the abnormal node.
And acquiring the attribute characteristics associated with the attribute characteristics corresponding to the abnormal node, and calculating to obtain the comprehensive characteristic value of the attribute characteristics corresponding to the abnormal node according to the characteristic value of the attribute characteristics corresponding to the abnormal node and the characteristic value of the associated attribute characteristics.
Step S630, if the comprehensive characteristic value is outside the second threshold interval, it is determined that the internet of things security event exists in the abnormal node.
For example, a comprehensive feature value of the abnormal node is calculated from the feature values of the access content, the access count and the access time; if it lies outside the second threshold interval, it is determined that hacker group behavior exists at the abnormal node.
Through steps S610 to S630, identification is performed twice: abnormal nodes are first screened out, then the comprehensive feature value is calculated from the feature value of the abnormal node's attribute feature and the feature values of its associated attribute features, and whether an Internet of Things security event exists at the abnormal node is determined from the comprehensive feature value and the second threshold interval. This avoids missing abnormal nodes, takes the association relationships among the data into account, and yields an accurate identification result.
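The following Python program is an added worked example of steps S210 to S230, S410 to S430, S510 to S540 and S610 to S630 taken together; it is not code from the patent or from DBAPPSecurity. It assumes an in-memory dictionary in place of the graph database, constructed (made-up) one-week empirical data and observation snapshots for three attribute features, and, because the description does not define how the comprehensive feature value is formed, takes it to be the mean z-score of a node and its associated nodes.

```python
"""Two-stage Internet of Things security-event identification over a knowledge
graph network (steps S210-S230, S410-S430, S510-S540, S610-S630).

Added example, not the patent's code. Assumptions: an in-memory dict stands in
for the graph database; empirical data and snapshots are constructed; the
"comprehensive feature value" (undefined in the text) is taken to be the mean
z-score of a node and its associated nodes.
"""
from statistics import mean, pstdev

# Constructed one-week history, 16 samples per attribute feature (made-up numbers).
EMPIRICAL = {
    "login_failures":   [0, 1, 0, 2, 1, 0, 1, 0, 0, 1, 2, 0, 1, 0, 1, 0],
    "password_changes": [0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0],
    "access_count":     [10, 12, 9, 11, 10, 13, 8, 10, 11, 9, 12, 10, 10, 11, 9, 12],
}
# Association information: pairs of related attribute features (graph edges).
EDGES = [("login_failures", "password_changes"), ("login_failures", "access_count")]

# Constructed observation snapshots (hypothetical feature values of one device).
CREDENTIAL_STUFFING_SNAPSHOT = {"login_failures": 30, "password_changes": 5, "access_count": 11}
BORDERLINE_SNAPSHOT = {"login_failures": 3, "password_changes": 0, "access_count": 10}


def three_sigma_interval(values):
    """3sigma principle: the normal range is [mu - 3*sigma, mu + 3*sigma]."""
    mu, sigma = mean(values), pstdev(values)
    return (mu - 3 * sigma, mu + 3 * sigma)


def build_graph(features, edges):
    """Steps S210-S230: attribute features become nodes, association information
    becomes (undirected) edges. Threshold intervals are filled in later."""
    graph = {f: {"neighbors": set(), "first": None, "second": None} for f in features}
    for a, b in edges:
        graph[a]["neighbors"].add(b)
        graph[b]["neighbors"].add(a)
    return graph


def composite_value(graph, stats, node, values):
    """ASSUMED comprehensive feature value: mean z-score of the node and its
    associated nodes, using each feature's empirical mean and std deviation."""
    members = [node, *sorted(graph[node]["neighbors"])]
    zs = []
    for m in members:
        mu, sigma = stats[m]
        zs.append((values[m] - mu) / (sigma or 1.0))  # guard constant features
    return mean(zs)


def set_thresholds(graph, empirical):
    """Steps S410-S430 / S510-S540: the first interval comes from the feature's
    own history, the second from its composite value over the same history;
    both are written into the node's attribute information."""
    stats = {f: (mean(v), pstdev(v)) for f, v in empirical.items()}
    n_samples = len(next(iter(empirical.values())))
    for node in graph:
        graph[node]["first"] = three_sigma_interval(empirical[node])
        history = [composite_value(graph, stats, node, {f: empirical[f][i] for f in empirical})
                   for i in range(n_samples)]
        graph[node]["second"] = three_sigma_interval(history)
    return stats


def identify(graph, stats, observed):
    """Steps S610-S630: a node outside its first interval is abnormal; an abnormal
    node whose composite value is outside its second interval is a security event."""
    abnormal = set()
    for node, info in graph.items():
        lo, hi = info["first"]
        if not lo <= observed[node] <= hi:
            abnormal.add(node)
    events = set()
    for node in abnormal:
        lo, hi = graph[node]["second"]
        if not lo <= composite_value(graph, stats, node, observed) <= hi:
            events.add(node)
    return abnormal, events


if __name__ == "__main__":
    g = build_graph(list(EMPIRICAL), EDGES)
    st = set_thresholds(g, EMPIRICAL)
    for name, snap in [("credential stuffing", CREDENTIAL_STUFFING_SNAPSHOT),
                       ("borderline", BORDERLINE_SNAPSHOT)]:
        abnormal, events = identify(g, st, snap)
        print(f"{name}: abnormal nodes={sorted(abnormal)} security events={sorted(events)}")
```

The borderline snapshot shows why the second stage exists: login_failures just exceeds its first threshold interval, but the associated password_changes and access_count are unremarkable, so the comprehensive value stays inside the second interval and no security event is raised. In the credential-stuffing snapshot the abnormal login_failures node and the abnormal password_changes node reinforce each other, and both are reported as security events.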
In some embodiments, fig. 7 is a flowchart illustrating a process of identifying a security event of the internet of things in the embodiment of the present application, where as shown in fig. 7, the process includes the following steps:
Step S710, acquiring Internet of Things security data; the Internet of Things security data comprises feature values of a plurality of attribute features of an Internet of Things entity.
The Internet of Things security data comprises CPU utilization, external connection IPs and a process list.
Step S720, determining a plurality of abnormal attribute features according to the feature values of the attribute features and a preset threshold interval function.
The preset threshold interval function may be an empirical threshold interval function set by a security expert or a 3sigma anomaly threshold interval function; the embodiment does not limit its type. The attribute features whose feature values lie outside the preset threshold interval are obtained according to the preset threshold interval function and determined to be abnormal attribute features.
And step S730, obtaining an abnormal feature vector of the entity of the Internet of things according to the feature values of the plurality of abnormal attribute features.
For example, according to the online time x of a certain internet of things device11CPU utilization x12And the number of times of login x13And number of login failures x14Determining abnormal characteristic vector S of the equipment of the Internet of things1Comprises the following steps:
$S_1 = (x_{11}, x_{12}, x_{13}, x_{14})$ (1)
Step S740, determining the identification result of the security data of the Internet of things according to the preset similarity function, the abnormal characteristic vector and the preset reference characteristic vector.
The preset similarity function is used for calculating the similarity between the abnormal feature vector and the preset reference feature vector. The preset similarity function may be a cosine similarity function, or may be other similarity functions, which is not limited in this embodiment.
Through the steps S710 to S740, the abnormal feature vector of the entity of the Internet of things is calculated according to the feature values of the abnormal attribute features, and the safety of the entity of the Internet of things is evaluated by fusing a plurality of isolated abnormal data, so that the security event of the Internet of things can be effectively identified, and the identification accuracy is improved.
In some embodiments, fig. 8 is a flowchart of determining a recognition result in the embodiments of the present application, and as shown in fig. 8, the flowchart includes the following steps:
step S810, calculating the similarity between the abnormal feature vector and the preset reference feature vector according to the preset similarity function.
For example, the cosine similarity function is used to calculate the similarity between the abnormal feature vector $S_1$ and the preset reference feature vector $S_0$. Regarding the abnormal feature vector $S_1(x_{11}, x_{12}, \ldots, x_{1n})$ and the preset reference feature vector $S_0(x_{21}, x_{22}, \ldots, x_{2n})$ as n-dimensional sample points, the cosine similarity function computes the cosine $\cos\theta$ of the included angle between them, and the similarity is determined from that cosine value. The larger the included angle, the larger the difference between the abnormal feature vector and the preset reference feature vector, and the higher the degree of abnormality. Denoting the abnormal feature vector $S_1$ as $a = (x_{11}, x_{12}, \ldots, x_{1n})$ and the preset reference feature vector $S_0$ as $b = (x_{21}, x_{22}, \ldots, x_{2n})$, the cosine $\cos\theta$ of the included angle between the abnormal feature vector and the preset reference feature vector is calculated according to formula (2):
$$\cos\theta = \frac{a \cdot b}{\|a\|\,\|b\|} = \frac{\sum_{i=1}^{n} x_{1i}\, x_{2i}}{\sqrt{\sum_{i=1}^{n} x_{1i}^{2}}\;\sqrt{\sum_{i=1}^{n} x_{2i}^{2}}} \qquad (2)$$
Step S820, if the similarity is greater than a preset similarity threshold, determining that the safety data are abnormal data; otherwise, the security data is determined to be normal data.
The similarity between the abnormal feature vector and the preset reference feature vector is calculated and compared with the preset similarity threshold; if the similarity is greater than the preset similarity threshold, the security data is determined to be abnormal data, otherwise the security data is determined to be normal data. The smaller the similarity, the higher the degree of abnormality.
Through steps S810 to S820, whether the security data is abnormal data is determined by calculating the similarity between the abnormal feature vector and the preset reference feature vector and comparing it with the preset similarity threshold, so the degree of abnormality of the data is determined simply and quickly and the identification efficiency is improved.
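Steps S720 to S740 and S810 to S820 worked through, as an added example that is not the patent's own code: a sigma threshold interval function, the abnormal feature vector of formula (1) and the cosine similarity of formula (2). The attribute names, baseline data, reference vector and similarity threshold are constructed, and padding attributes that are inside their interval with 0 so that the vector keeps a fixed dimension is an assumption.

```python
# Added example, not from the patent: sigma threshold interval (S720), abnormal
# feature vector (S730) and cosine-similarity decision (S740 / S810-S820).
import math
from statistics import mean, pstdev

# Fixed attribute order so every abnormal feature vector has the same dimension
# as the reference vector (assumption; the specification leaves the layout open).
ATTRIBUTES = ("online_time", "cpu_util", "login_count", "login_failures")

# Constructed baseline: ten earlier observations of one IoT device, per attribute.
BASELINE = {
    "online_time": [700, 720, 690, 710, 705, 695, 715, 700, 710, 690],
    "cpu_util": [20, 22, 18, 21, 19, 20, 22, 18, 21, 19],
    "login_count": [5, 6, 4, 5, 6, 4, 5, 6, 4, 5],
    "login_failures": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0],
}

# Constructed preset reference feature vector: the profile of a previously
# confirmed credential brute-force event, in ATTRIBUTES order.
REFERENCE = [0.0, 90.0, 70.0, 50.0]
SIMILARITY_THRESHOLD = 0.9  # preset similarity threshold (assumed value)


def sigma_interval(values, k=3.0):
    """Sigma threshold interval function: [mu - k*sigma, mu + k*sigma] of the baseline."""
    mu, sd = mean(values), pstdev(values)
    return (mu - k * sd, mu + k * sd)


def abnormal_attributes(sample, intervals):
    """Step S720: attributes whose feature value lies outside their threshold interval."""
    return [n for n in ATTRIBUTES if not intervals[n][0] <= sample[n] <= intervals[n][1]]


def abnormal_feature_vector(sample, abnormal):
    """Step S730: S1 = (x11, ..., x1n); attributes inside their interval contribute 0."""
    return [float(sample[n]) if n in abnormal else 0.0 for n in ATTRIBUTES]


def cosine_similarity(a, b):
    """Formula (2): cos(theta) = a.b / (|a| |b|); defined as 0 when a vector is all zero."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def identify(sample, intervals, reference=REFERENCE, threshold=SIMILARITY_THRESHOLD):
    """Steps S740 / S810-S820: similarity above the preset threshold means abnormal data."""
    abnormal = abnormal_attributes(sample, intervals)
    vector = abnormal_feature_vector(sample, abnormal)
    similarity = cosine_similarity(vector, reference)
    verdict = "abnormal" if similarity > threshold else "normal"
    return {"abnormal_attributes": abnormal, "similarity": similarity, "verdict": verdict}


def run_example():
    intervals = {n: sigma_interval(BASELINE[n]) for n in ATTRIBUTES}
    # Constructed current observations: one brute-force pattern, one quiet day.
    attack = {"online_time": 712, "cpu_util": 95, "login_count": 60, "login_failures": 45}
    quiet = {"online_time": 712, "cpu_util": 21, "login_count": 5, "login_failures": 0}
    return identify(attack, intervals), identify(quiet, intervals)


if __name__ == "__main__":
    for verdict in run_example():
        print(verdict)
```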
The embodiments of the present application are described and illustrated below by way of specific examples.
Fig. 9 is a flowchart of an internet of things security event identification method according to a specific embodiment of the present application, and as shown in fig. 9, the internet of things security event identification method includes the following steps:
step S910, obtaining a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics.
Step S920, abstracting attribute characteristics into nodes; abstracting the associated information into edges; the nodes and edges are input into a graph database to obtain a knowledge graph network associated with a plurality of attribute features.
Step S930, acquiring experience data of a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics; and determining a first threshold interval and a second threshold interval of each attribute characteristic according to the associated information, empirical data and a 3sigma principle. Writing the first threshold interval and the second threshold interval into attributes of the knowledge-graph network.
Step S940, identifying the Internet of things security event according to the knowledge graph network and the characteristic values corresponding to the attribute characteristics.
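The knowledge graph network of steps S910 to S940 and the two-stage identification of steps S610 to S630, as an added example that is not part of the patent. The attribute names, empirical data and edges are constructed, and the way the comprehensive characteristic value combines an attribute with its associated attributes (a mean of standardised values) is an assumption, since the specification does not fix that formula.

```python
# Added example, not from the patent: knowledge graph network (S910-S930) with
# first/second threshold intervals, and two-stage identification (S610-S630 / S940).
import math
from statistics import mean, pstdev


def sigma_interval(values, k=3.0):
    """3sigma principle: threshold interval [mu - k*sigma, mu + k*sigma] of empirical values."""
    mu, sd = mean(values), pstdev(values)
    return (mu - k * sd, mu + k * sd)


class KnowledgeGraphNetwork:
    """Attribute features are nodes, association information between them are edges (S920);
    each node stores its first and second threshold interval as attributes (S930)."""

    def __init__(self):
        self.nodes = {}  # attribute name -> {"mu", "sd", "first", "second"}
        self.edges = {}  # attribute name -> set of associated attribute names

    def add_node(self, name):
        self.nodes.setdefault(name, {})
        self.edges.setdefault(name, set())

    def add_edge(self, a, b):
        self.add_node(a)
        self.add_node(b)
        self.edges[a].add(b)
        self.edges[b].add(a)

    def z_score(self, name, value):
        """Standardised value of one attribute against its empirical mean and deviation."""
        node = self.nodes[name]
        if node["sd"] > 0:
            return (value - node["mu"]) / node["sd"]
        # Constant attribute: any departure from its only observed value is extreme.
        return 0.0 if value == node["mu"] else math.copysign(math.inf, value - node["mu"])

    def comprehensive_value(self, name, sample):
        """Assumption: the comprehensive characteristic value of an attribute is the mean of
        the standardised values of the attribute itself and of its associated attributes."""
        names = [name] + sorted(self.edges[name])
        scores = [self.z_score(n, sample[n]) for n in names]
        return sum(scores) / len(scores)


def build_network(edges, history):
    """S910-S930. history maps each attribute to its empirical values, one per past sample."""
    net = KnowledgeGraphNetwork()
    for a, b in edges:
        net.add_edge(a, b)
    for name, values in history.items():
        net.add_node(name)
        node = net.nodes[name]
        node["mu"], node["sd"] = mean(values), pstdev(values)
        node["first"] = sigma_interval(values)  # from the attribute's own empirical data
    count = len(next(iter(history.values())))
    samples = [{n: history[n][i] for n in history} for i in range(count)]
    for name in history:  # second pass: every node's mu/sd must exist first
        comps = [net.comprehensive_value(name, s) for s in samples]
        net.nodes[name]["second"] = sigma_interval(comps)  # own plus associated data
    return net


def identify(net, sample):
    """S610-S630: screen abnormal nodes with the first interval, then confirm a security
    event only when the comprehensive value is also outside the second interval."""
    result = {}
    for name, node in net.nodes.items():
        lo, hi = node["first"]
        if lo <= sample[name] <= hi:
            result[name] = "normal"
            continue
        lo2, hi2 = node["second"]
        comp = net.comprehensive_value(name, sample)
        result[name] = "abnormal_node" if lo2 <= comp <= hi2 else "security_event"
    return result


# Constructed empirical data: ten past observations of one IoT device per attribute.
HISTORY = {
    "cpu_util": [20, 22, 18, 21, 19, 20, 22, 18, 21, 19],
    "login_count": [5, 6, 4, 5, 6, 4, 5, 6, 4, 5],
    "login_failures": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0],
    "outbound_conn": [3, 4, 2, 3, 4, 2, 3, 4, 2, 3],
}
# Constructed association information between the attribute features.
EDGES = [("login_failures", "login_count"), ("login_count", "outbound_conn"),
         ("cpu_util", "outbound_conn")]


def run_example():
    net = build_network(EDGES, HISTORY)
    # Many logins and failures together: the associated nodes confirm a security event.
    brute_force = {"cpu_util": 21, "login_count": 60, "login_failures": 45, "outbound_conn": 3}
    # An isolated CPU spike: abnormal node, but its associated node stays normal.
    cpu_spike = {"cpu_util": 25, "login_count": 5, "login_failures": 0, "outbound_conn": 3}
    return identify(net, brute_force), identify(net, cpu_spike)
```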
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here. For example, with reference to fig. 2, the execution sequence of step S210 and step S220 may be interchanged, that is, step S210 may be executed first, and then step S220 may be executed; step S220 may be performed first, and then step S210 may be performed. For another example, in conjunction with fig. 5, the order of step S510 and step S530 may also be interchanged.
The embodiment also provides an Internet of things security event identification device, which is used for implementing the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used hereinafter, the terms "module," "unit," "subunit," and the like may denote a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 10 is a block diagram of a structure of an internet of things security event recognition device according to an embodiment of the present application, and as shown in fig. 10, the device includes:
an obtaining module 1010, configured to obtain multiple attribute features of an entity of the internet of things and associated information between the multiple attribute features;
a constructing module 1020 for constructing a knowledge graph network associated with the plurality of attribute features according to the attribute features and the associated information;
the identifying module 1030 is configured to identify an internet of things security event according to the feature values corresponding to the knowledge graph network and the attribute features.
In some embodiments, the building module 1020 includes a first abstraction unit 1021, a second abstraction unit 1022, and a graph building unit 1023, wherein:
a first abstraction unit 1021, configured to abstract the attribute characteristics into nodes.
A second abstraction unit 1022, configured to abstract the association information into an edge.
A graph construction unit 1023, configured to input the nodes and the edges into a graph database, resulting in a knowledge-graph network associated with a plurality of the attribute features.
In some embodiments, the construction module 1020 further includes a data acquisition unit 1024, a threshold determination unit 1025, and an attribute setting unit 1026, wherein:
the data obtaining unit 1024 is configured to obtain experience data of a plurality of attribute features of the entity of the internet of things and association information between the plurality of attribute features.
A threshold determination unit 1025, configured to determine a first threshold interval and a second threshold interval of each attribute feature according to the correlation information, the empirical data, and a 3sigma principle; the first threshold interval is obtained by calculation according to the empirical data of the attribute characteristics, and the second threshold interval is obtained by calculation according to the empirical data of the attribute characteristics and the empirical data of the associated attribute characteristics.
An attribute setting unit 1026, configured to write the first threshold interval and the second threshold interval into attribute information of the corresponding attribute features in the knowledge graph network.
In some embodiments, the threshold determination unit 1025 is further configured to determine a first threshold interval for each of the attribute features according to the empirical value of the attribute feature and a 3sigma rule; obtaining an experience value of the associated attribute feature corresponding to the attribute feature according to the associated information and the experience data; calculating a comprehensive characteristic value of each attribute characteristic according to the empirical value of the attribute characteristic and the empirical value of the corresponding associated attribute characteristic; and determining a second threshold interval of each attribute feature according to the comprehensive feature value.
In some of these embodiments, the recognition module 1030 includes an anomaly determination unit 1031, a feature value calculation unit 1032, and a security event recognition unit 1033, where:
an anomaly determination unit 1031, configured to determine an abnormal node according to the feature value of the attribute feature in the knowledge-graph network and the first threshold interval.
A feature value calculating unit 1032, configured to calculate the comprehensive feature value of the attribute feature corresponding to the abnormal node.
A security event identifying unit 1033, configured to determine that an internet of things security event exists in the abnormal node if the comprehensive characteristic value is outside the second threshold interval.
In some embodiments, internet of things security data is obtained; the Internet of things safety data comprises characteristic values of a plurality of attribute characteristics of an Internet of things entity; determining a plurality of abnormal attribute characteristics according to the characteristic values of the attribute characteristics and a preset threshold interval function; obtaining an abnormal feature vector of the entity of the Internet of things according to the feature values of the abnormal attribute features; and determining the identification result of the safety data of the Internet of things according to a preset similarity function, the abnormal characteristic vector and a preset reference characteristic vector.
In some embodiments, according to the preset similarity function, calculating the similarity between the abnormal feature vector and a preset reference feature vector; if the similarity is larger than a preset similarity threshold, determining the safety data as abnormal data; otherwise, determining the safety data to be normal data.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
In addition, the method for identifying the internet of things security event described in the embodiment of the present application with reference to fig. 1 may be implemented by an internet of things security event identification device. Fig. 11 is a schematic diagram of a hardware structure of an internet of things security event identification device according to an embodiment of the present application.
The internet of things security event identification device may include a processor 111 and a memory 112 storing computer program instructions.
Specifically, the processor 111 may include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
Memory 115 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 115 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 115 may include removable or non-removable (or fixed) media, where appropriate. The memory 115 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 115 is a Non-Volatile memory. In particular embodiments, memory 115 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically rewritable ROM (EAROM) or FLASH memory, or a combination of two or more of these, where appropriate. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPMDRAM), Extended Data Output DRAM (EDODRAM), Synchronous DRAM (SDRAM), and the like.
Memory 115 may be used to store or cache various data files that need to be processed and/or used for communication, as well as possibly computer program instructions, executed by processor 112.
The processor 111 reads and executes the computer program instructions stored in the memory 112 to implement any one of the internet of things security event identification methods in the above embodiments.
In some of these embodiments, the Internet of things security event identification device may further include a communication interface 113 and a bus 110. As shown in fig. 11, the processor 111, the memory 112, and the communication interface 113 are connected via the bus 110 so as to communicate with one another.
The communication interface 113 is used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present application. The communication interface 113 may also carry out data communication with other components, such as external devices, image/data acquisition devices, databases, external storage, image/data processing workstations, and the like.
Bus 110 includes hardware, software, or both to couple the components of the Internet of things security event identification device to each other. Bus 110 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus and a local bus. By way of example, and not limitation, bus 110 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-X bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), another suitable bus, or a combination of two or more of these. Bus 110 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The Internet of things security event identification device can execute the Internet of things security event identification method of the embodiments of the present application on the data it acquires, thereby implementing the Internet of things security event identification method described with reference to fig. 1.
In addition, in combination with the method for identifying the security event of the internet of things in the foregoing embodiments, embodiments of the present application may provide a computer-readable storage medium for implementation. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by the processor, implement any of the internet of things security event identification methods in the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and their description is relatively specific and detailed, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (9)

1. An Internet of things security event identification method is characterized by comprising the following steps:
acquiring a plurality of attribute characteristics of an entity of the Internet of things and associated information among the attribute characteristics;
constructing a knowledge graph network associated with the attribute characteristics according to the attribute characteristics and the associated information;
identifying the security event of the Internet of things according to the knowledge graph network and the characteristic value corresponding to the attribute characteristic;
after the constructing a knowledge-graph network associated with a plurality of the attribute features, the method further comprises:
acquiring experience data of a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics;
determining a first threshold interval and a second threshold interval of each attribute characteristic according to the associated information, the empirical data and a 3sigma principle; the first threshold interval is obtained by calculation according to the empirical data of the attribute characteristics, and the second threshold interval is obtained by calculation according to the empirical data of the attribute characteristics and the empirical data of the associated attribute characteristics;
and writing the first threshold interval and the second threshold interval into attribute information of corresponding attribute features in the knowledge graph network.
2. The method of claim 1, wherein constructing a knowledge-graph network associated with a plurality of the attribute features based on the attribute features and the association information comprises:
abstracting the attribute features into nodes;
abstracting the associated information into edges;
and inputting the nodes and the edges into a graph database to obtain a knowledge graph network associated with the attribute features.
3. The method of claim 1, wherein the empirical data comprises empirical values of the attribute feature; the determining a first threshold interval and a second threshold interval of each attribute feature according to the associated information, the empirical data, and a 3sigma principle includes:
determining a first threshold interval of each attribute feature according to the empirical value of the attribute feature and a 3sigma principle;
obtaining an empirical value of the associated attribute feature corresponding to the attribute feature according to the associated information and the empirical data;
calculating a comprehensive characteristic value of each attribute characteristic according to the empirical value of the attribute characteristic and the empirical value of the corresponding associated attribute characteristic;
and determining a second threshold interval of each attribute feature according to the comprehensive feature value.
4. The method of claim 3, wherein identifying an Internet of things security event according to feature values corresponding to the knowledge-graph network and the attribute features comprises:
determining abnormal nodes according to the characteristic values of the attribute characteristics in the knowledge graph network and the first threshold interval;
calculating the comprehensive characteristic value of the attribute characteristic corresponding to the abnormal node;
and if the comprehensive characteristic value is outside the second threshold value interval, determining that the safety event of the Internet of things exists in the abnormal node.
5. The method of claim 1, further comprising:
acquiring security data of the Internet of things; the Internet of things safety data comprises characteristic values of a plurality of attribute characteristics of an Internet of things entity;
determining a plurality of abnormal attribute characteristics according to the characteristic values of the attribute characteristics and a preset threshold interval function;
obtaining an abnormal feature vector of the entity of the Internet of things according to the feature values of the abnormal attribute features;
and determining the identification result of the safety data of the Internet of things according to a preset similarity function, the abnormal characteristic vector and a preset reference characteristic vector.
6. The method according to claim 5, wherein the determining the recognition result of the Internet of things safety data according to the preset similarity function, the abnormal feature vector and a preset reference feature vector comprises:
calculating the similarity of the abnormal feature vector and a preset reference feature vector according to the preset similarity function;
if the similarity is larger than a preset similarity threshold, determining the safety data as abnormal data; otherwise, determining the safety data to be normal data.
7. An Internet of things security event identification device, comprising:
the acquisition module is used for acquiring a plurality of attribute characteristics of an entity of the Internet of things and associated information among the attribute characteristics;
the construction module is used for constructing a knowledge graph network associated with the attribute characteristics according to the attribute characteristics and the associated information;
the identification module is used for identifying the Internet of things security event according to the knowledge graph network and the characteristic value corresponding to the attribute characteristic;
the Internet of things security event identification device is further configured to:
acquiring experience data of a plurality of attribute characteristics of the entity of the Internet of things and associated information among the attribute characteristics;
determining a first threshold interval and a second threshold interval of each attribute characteristic according to the associated information, the empirical data and a 3sigma principle; the first threshold interval is obtained by calculation according to the empirical data of the attribute characteristics, and the second threshold interval is obtained by calculation according to the empirical data of the attribute characteristics and the empirical data of the associated attribute characteristics;
and writing the first threshold interval and the second threshold interval into attribute information of corresponding attribute features in the knowledge graph network.
8. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program implements the internet of things security event identification method of any of claims 1 to 6.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the internet of things security event identification method according to any one of claims 1 to 6.
CN202010437015.XA 2020-05-21 2020-05-21 Internet of things security event identification method and device and computer equipment Active CN111641621B (en)

Publications (2)

Publication Number Publication Date
CN111641621A (en) 2020-09-08
CN111641621B (en) 2022-05-20
