CN111818009A - Protection method and device for message based on MQTT protocol - Google Patents


Info

Publication number
CN111818009A
Authority
CN
China
Prior art keywords
message
attack
protection
characteristic
vector
Legal status
Pending
Application number
CN202010450082.5A
Other languages
Chinese (zh)
Inventor
赵莉
王晖南
翟峰
梁晓斌
张崇超
刘伟
韩思雨
刘峰
岑炜
刘佳易
胡宇宣
蔡昊
陈世辉
刘浏
李燕超
陈艳菲
姚雨欣
Current Assignee
State Grid Siji Network Security Beijing Co ltd
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
State Grid Shanxi Electric Power Co Ltd
Original Assignee
State Grid Siji Network Security Beijing Co ltd
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
State Grid Shanxi Electric Power Co Ltd
Application filed by State Grid Siji Network Security Beijing Co ltd, State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, State Grid Shanxi Electric Power Co Ltd
Priority to CN202010450082.5A
Publication of CN111818009A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/03: Protocol definition or specification
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G06F18/243: Classification techniques relating to the number of classes
    • G06F18/24323: Tree-organised classifiers
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMAT﻿ION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The invention discloses a protection method and device for messages based on the MQTT protocol. After an MQTT message is received, the values of the fields designated as characteristic fields in a protection rule are extracted from it; the extracted values are compared with the value characteristics that the rule records for the corresponding fields of attack messages, and when the comparison shows that the message is an attack message the corresponding protection is applied. The protection rule is generated from the feature vectors output by a classifier that was initially trained, in advance, on attack messages of known types. The invention enables security analysis and protection of MQTT messages and improves protection capability and security when MQTT messages are transmitted between devices.

Description

Protection method and device for message based on MQTT protocol
Technical Field
The invention relates to the technical field of network security, in particular to a method and device for protecting messages based on the MQTT protocol.
Background
MQTT (Message Queuing Telemetry Transport) is a lightweight communication protocol built on the publish/subscribe model and on TCP/IP (Transmission Control Protocol/Internet Protocol), published by IBM (International Business Machines Corporation) in 1999. Its great advantage is that it can provide connected remote devices with real-time, reliable messaging using very little code and limited bandwidth. As a messaging protocol with low overhead and low bandwidth consumption, it has been widely applied to the Internet of Things, small devices, mobile applications and similar areas.
MQTT is a lightweight protocol that was originally aimed only at industrial control, and its security model is simple. Developers therefore need to design and complete a security mechanism on top of the protocol, in particular one that covers the security requirements of the actual scenario in the dimensions of identification, authentication and authorization. Identification is the naming and recognition of the communicating party; authentication is a way of proving the party's identity; authorization governs the rights granted to the party. Consequently, in an application built on MQTT the security holes are not necessarily in the protocol itself but in a specific implementation of it: if any of the communication mechanisms is designed unreasonably, the system is easily attacked.
At present there is no mature comprehensive analysis method or tool for network attacks based on the MQTT protocol. Most gateway products do not adequately understand the characteristics of MQTT network attacks; they usually apply basic, generic security methods and lack targeted measures, so no comprehensive analysis and protection for the MQTT protocol has been formed. The Internet of Things faces a complex environment with threats such as botnets, denial of service, man-in-the-middle (MITM) attacks, identity and data theft, social engineering, advanced persistent threats, ransomware and remote recording. Basic protection measures have insufficient capability against botnets, denial of service, advanced persistent threats, ransomware, remote recording and the like, and none at all for the large number of deployed terminal devices that lack a security design.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for protecting messages based on the MQTT protocol, which implement security analysis and protection of such messages and improve protection capability and security when MQTT-based information is transmitted between devices.
Based on the above purpose, the present invention provides a protection method for a message based on MQTT protocol, which includes:
after an MQTT message is received, extracting from it the values of the fields designated as characteristic fields in the protection rule;
comparing the extracted field values with the value characteristics that the protection rule records for the corresponding fields of attack messages, and, once the comparison identifies the message as an attack message, applying the corresponding protection;
the protection rule having been obtained in advance as follows:
initially training a classifier with attack messages of known types, obtaining the initially trained classifier and the feature vectors it outputs for each type of attack message;
generating the characteristic fields of the protection rule from the message fields that correspond to the feature values in those feature vectors, and generating the value characteristics of the corresponding fields of attack messages in the protection rule from the values those fields take in the attack messages.
Initially training the classifier with attack messages of known types specifically includes:
collecting attack messages based on the MQTT protocol as attack samples;
mapping each attack sample into a vector space (text-to-vector conversion) to obtain a sample vector for each attack sample;
classifying the attack samples with a clustering method;
initially training the classifier with the sample vector and the classification result of each attack sample.
Generating the value characteristics of the corresponding fields of attack messages in the protection rule from the values those fields take in the attack messages specifically includes:
for each type of attack message, generating in the protection rule the value characteristics of that type's corresponding fields from the values taken, in that type of attack message, by the fields that correspond to the feature values in that type's feature vector.
Comparing the extracted field values with the value characteristics recorded in the protection rule, determining from the comparison that the message is an attack message and then applying the corresponding protection specifically includes:
for each type of attack message, comparing the extracted field values with the value characteristics of that type's corresponding fields in the protection rule and judging from the comparison whether the received message is an attack message of that type; if so, processing the received message according to the protection operation that the protection rule sets for that type of attack message.
Further, after the MQTT message is received, the method also continues to train the classifier with the message:
mapping the message into the vector space (text-to-vector conversion) to obtain the message's sample vector;
inputting the message's sample vector into the classifier;
after the classifier has computed the message's feature vector, computing its similarity with the feature vector of each type of attack message;
if the computed similarity is larger than the set threshold, treating the message as an attack message of unknown type and outputting its feature vector as the feature vector of that unknown type of attack message.
Further, after the message's feature vector has been output as the feature vector of an attack message of unknown type, the method also updates the protection rule:
adding characteristic fields to the protection rule from the message fields that correspond to the feature values in the feature vector of the unknown-type attack message output by the classifier, and generating in the protection rule the value characteristics of the corresponding fields of that unknown type of attack message from the values those fields take in it.
The invention also provides a protection device for messages based on the MQTT protocol, which comprises:
a security protection module for extracting, after an MQTT message is received, the values of the fields designated as characteristic fields in the protection rule; comparing the extracted field values with the value characteristics that the protection rule records for the corresponding fields of attack messages; and applying the corresponding protection once the comparison identifies the message as an attack message;
the protection rule having been obtained in advance as follows:
initially training a classifier with attack messages of known types, obtaining the initially trained classifier and the feature vectors it outputs for each type of attack message;
generating the characteristic fields of the protection rule from the message fields that correspond to the feature values in those feature vectors, and generating the value characteristics of the corresponding fields of attack messages in the protection rule from the values those fields take in the attack messages.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor executing the program to implement the above protection method for messages based on the MQTT protocol.
In the technical scheme of the invention, after an analysis engine deployed in a firewall receives an MQTT message, it extracts the values of the fields designated as characteristic fields in the protection rule, compares them with the value characteristics that the rule records for the corresponding fields of attack messages, and applies the corresponding protection once the comparison identifies the message as an attack message; the protection rules are generated from the feature vectors that the classifier outputs for each type of attack message. Security analysis and protection of MQTT messages are thereby realised, and the protection capability and security of MQTT-based information transmitted between devices are improved. Moreover, the classifier is trained with deep-learning principles and related algorithms over a large amount of training data before the protection rules are formed from it, so the method has high performance, broad applicability and high recognition capability.
Furthermore, the technical scheme of the invention can continue to train the classifier with the messages received while the protection rules are being generated and applied, and can update the protection rules without adding to the existing equipment; by upgrading the rules it provides dedicated analysis capability for the network protocol, with the advantages of flexibility, low cost and dynamic extensibility.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for training a classifier and generating protection rules according to an embodiment of the present invention;
fig. 2 is a flowchart of a protection method for a message based on MQTT protocol according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for continuing training classifiers and updating protection rules according to an embodiment of the present invention;
fig. 4 is a block diagram of an internal structure of a guard device for a message based on MQTT protocol according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present invention should have the ordinary meanings as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
In the technical scheme of the invention, an AI (artificial intelligence) analysis engine analyses and protects MQTT messages. An MQTT firewall deployed between the terminal device and the MQTT server captures the MQTT traffic; a network feature analysis model based on MQTT characteristics is built with a machine-learning algorithm, and the AI analysis engine is designed to perform rapid security analysis and protection of the protocol messages. The analysis engine analyses and mines MQTT network attacks with machine-learning methods, generates protection rules automatically, and uses those rules to analyse, diagnose and protect MQTT messages.
Accordingly, after the analysis engine deployed in the firewall receives an MQTT message, it extracts the values of the fields designated as characteristic fields in the protection rule, compares them with the value characteristics that the rule records for the corresponding fields of attack messages, and applies the corresponding protection once the comparison identifies the message as an attack message; the protection rules are generated from the feature vectors that the classifier outputs for each type of attack message. Security analysis and protection of MQTT messages are thereby realised, and the protection capability and security of MQTT-based information transmitted between devices are improved. Moreover, the classifier is trained with deep-learning principles and related algorithms over a large amount of training data before the protection rules are formed from it, so the method has high performance, broad applicability and high recognition capability.
The technical solution of the embodiments of the present invention is described in detail below with reference to the accompanying drawings.
The protection rule applied in the protection method for the message based on the MQTT protocol provided by the embodiment of the invention is generated by initially training a classifier in advance, and the specific method flow is shown in fig. 1 and comprises the following steps:
step S101: collecting various attack messages based on the MQTT protocol as attack samples.
Specifically, MQTT messages can be collected at random from different IP (Internet Protocol) addresses, over at least 3 to 7 days and across different time periods, and as far as possible under normal traffic so that the samples are less likely to be polluted by hacker attacks; to reach an accuracy of 99.99%, at least tens of thousands of samples are needed. The collected samples must be complete, containing the header and body of every MQTT message.
Noise filtering can then be applied to the collected samples; fewer than 3% of the samples are removed. Different noise-filtering scenarios call for different processing, as follows:
1) JSON (JavaScript Object Notation) parameter filtering. For example, if the normal form is { "id": xxx, "token": xxx } and fewer than 1% of samples have the form { "sql": xxx, "xss": xxx }, the latter are filtered out.
2) Name-length filtering. The distribution of parameter-name lengths is computed with mean μ and standard deviation σ, and names whose length lies outside μ ± 3σ are filtered out; by Chebyshev's inequality at most 1/k² of any distribution lies more than kσ from the mean, so at most 1/9 of the samples can fall outside this range.
3) Parameter-value length filtering. For a parameter such as token=xxx, the distribution of the length of xxx is computed with mean μ and standard deviation σ, and values whose length lies outside μ ± 3σ are filtered out.
4) Known-attack filtering. Samples are filtered with a feature library of known generic attack messages.
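The following Python is an added example (not the patent's code) that applies the four filters above to a constructed corpus of MQTT payloads: parameter names seen in fewer than 1% of samples, parameter-name and parameter-value lengths more than three standard deviations from the mean, and payloads matching a small constructed signature library. The samples, the thresholds and the signatures are assumptions made for the example; each filter is evaluated on the full corpus and the union of what they flag is dropped.

```python
import json
import re
import statistics
from collections import Counter

# Constructed sample corpus standing in for collected MQTT payloads: 200 ordinary
# telemetry messages plus four noisy ones, one per filtering scenario.
NORMAL = [json.dumps({"id": "dev%03d" % i, "token": "a" * 16}) for i in range(200)]
NOISE = [
    json.dumps({"sql": "1' OR '1'='1", "xss": "<script>alert(1)</script>"}),  # rare parameter names
    json.dumps({"id": "dev900", "token": "b" * 400}),                          # outlying value length
    json.dumps({"id": "dev901", "x" * 64: "1"}),                               # outlying name length
    json.dumps({"id": "dev902", "token": "'; DROP TABLE users;--"}),          # known attack signature
]
SAMPLES = NORMAL + NOISE

# Constructed stand-in for a feature library of known generic attack messages.
KNOWN_ATTACK_SIGNATURES = [
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    re.compile(r"\bdrop\s+table\b", re.I),
    re.compile(r"<script\b", re.I),
]


def parse_params(sample):
    """The JSON object carried by a sample, or {} when the payload is not a JSON object."""
    try:
        obj = json.loads(sample)
    except ValueError:
        return {}
    return obj if isinstance(obj, dict) else {}


def outlier_indices(samples, lengths_of, k=3.0):
    """Indices of samples containing a length more than k standard deviations from the
    mean. Chebyshev's inequality bounds the fraction outside [mu - k*sigma, mu + k*sigma]
    by 1/k^2 for any distribution, so k=3 can remove at most 1/9 of the population."""
    per_sample = [lengths_of(parse_params(s)) for s in samples]
    all_lengths = [n for ls in per_sample for n in ls]
    mu = statistics.mean(all_lengths)
    sigma = statistics.pstdev(all_lengths)
    return [i for i, ls in enumerate(per_sample) if any(abs(n - mu) > k * sigma for n in ls)]


def rare_parameter_indices(samples, min_ratio=0.01):
    """Indices of samples carrying a parameter name seen in fewer than min_ratio of samples."""
    key_sets = [set(parse_params(s)) for s in samples]
    freq = Counter(k for keys in key_sets for k in keys)
    threshold = min_ratio * len(samples)
    return [i for i, keys in enumerate(key_sets) if any(freq[k] < threshold for k in keys)]


def known_attack_indices(samples):
    return [i for i, s in enumerate(samples) if any(sig.search(s) for sig in KNOWN_ATTACK_SIGNATURES)]


def noise_filter(samples):
    """Run the four filters independently and drop the union of the flagged samples."""
    flagged = {
        "rare_parameter": rare_parameter_indices(samples),
        "name_length": outlier_indices(samples, lambda p: [len(k) for k in p]),
        "value_length": outlier_indices(samples, lambda p: [len(str(v)) for v in p.values()]),
        "known_attack": known_attack_indices(samples),
    }
    dropped = set().union(*flagged.values())
    flagged["kept"] = [s for i, s in enumerate(samples) if i not in dropped]
    flagged["dropped_ratio"] = len(dropped) / len(samples)
    return flagged


if __name__ == "__main__":
    report = noise_filter(SAMPLES)
    for reason in ("rare_parameter", "name_length", "value_length", "known_attack"):
        print(reason, report[reason])
    print("kept %d of %d (dropped %.2f%%)" % (len(report["kept"]), len(SAMPLES), 100 * report["dropped_ratio"]))
```

On this corpus each filter flags exactly the sample built for it and 4 of 204 samples (about 2%) are dropped, within the 3% budget the text gives. The length filters are only as good as the corpus they are fitted on: a single extreme outlier inflates σ, which is why the text insists on large, normally collected samples.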
After noise filtering, the samples are divided into normal samples (white samples) and abnormal samples (black samples). In this document the normal or white sample is the MQTT attack message, i.e. the attack sample, and the abnormal or black sample is the MQTT non-attack message, i.e. the non-attack sample; note that this naming is the reverse of the usual convention, in which "white" denotes benign traffic.
The filtered abnormal samples are then removed, a minimal model of the white samples is built with a correlation algorithm, and the Profile (configuration file) of the MQTT feature model is formed so that subsequent operations run faster.
Through analysis of MQTT traffic data the inventors observed the following:
1) more than 90% of requests are normal access requests, and malicious attack behaviour is a small part of the total;
2) normal access parameters vary very little in form and cluster very well;
3) the patterns of malicious attacks differ greatly from those of normal samples and cluster poorly;
4) normal traffic is highly repetitive, and intrusion behaviour is very rare.
Therefore, in the subsequent steps the inventors exploit the good clustering behaviour among attack samples of the same type and classify the attack samples, i.e. the white samples, with a clustering method.
Step S102: and mapping each attack sample to a vector space to perform text-to-vector conversion, thereby obtaining a sample vector of each attack sample.
Specifically, the text of the attack samples (white samples) in the Profile is reduced in dimension and converted into variables that a machine can process. Traditional dimensionality reduction is divided into linear and nonlinear methods; unlike the analysis of graphics and images, the IoT security domain mainly involves natural language processing, in particular text recognition.
In this step the text of the attack samples (white samples) may first be analysed; this covers digit processing, letter processing, character processing and text-structure analysis. For each tool within the web attack types, such as SQL (Structured Query Language) injection or script injection, a typical payload has distinctive characteristics, including SQL or script keywords and a high proportion of digits. Text analysis mainly performs statistical processing and extracts some obvious feature points as classification vectors, including feature words and weights, keywords and specific information. Feature extraction mainly takes the keywords of each MQTT attack type, such as SQL or script-injection keywords, as the keywords of a space vector model, splits the strings into words with a word-segmentation method, then counts word frequencies and maps them into the vector space.
Statistics are computed on the samples and mapped into the space vector. The main statistical items are: whether typical SQL or script-injection keywords are present, the percentage of numeric characters in the sample text, the percentage of upper-case characters, the percentage of truncating characters, the percentage of special characters, and so on. Mapping the text samples with a space vector model yields the vector value of each text in that space; that is, mapping the text of an attack sample with the space vector model yields the attack sample's vector.
Preferably, a bag-of-words model is used: the text of the MQTT message is first vectorised with N-grams, bag-of-words segmentation generates a feature vector, and the statistical features from feature extraction and the basic features from text analysis (such as the number of sensitive keywords) are combined into the final features used to train the classification algorithm.
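An added example (not the patent's code) of the text-to-vector step described above, in Python with the standard library only: character N-grams of each sample form a bag-of-words vocabulary, and each sample becomes a vector of relative N-gram frequencies followed by the statistical features the text names (SQL and script keyword counts and the proportions of digit, upper-case, truncating and special characters). The samples, the keyword lists and the reading of "truncating characters" as quote, semicolon, hash and dash are assumptions made for the example; a deployment would use a larger vocabulary drawn from its own attack library.

```python
import re
import string
from collections import Counter

# Constructed attack samples (MQTT payload text) standing in for the white samples
# of the Profile: two in the SQL-injection style, two in the script-injection style.
SAMPLES = [
    '{"id": "1\' UNION SELECT user, pass FROM accounts--"}',
    '{"id": "1 OR 1=1; DROP TABLE devices"}',
    '{"name": "<script>alert(document.cookie)</script>"}',
    '{"name": "<img src=x onerror=alert(1)>"}',
]

# Keyword lists are assumptions; a deployment would derive them from its own attack library.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop", "or", "and", "from", "where"}
SCRIPT_KEYWORDS = {"script", "alert", "onerror", "onload", "javascript", "eval", "document", "cookie"}
STAT_ORDER = ["sql_keywords", "script_keywords", "digit_ratio", "upper_ratio", "truncation_ratio", "special_ratio"]


def char_ngrams(text, n=3):
    """Character n-grams of the lower-cased text; these are the bag-of-words tokens."""
    t = text.lower()
    return [t[i:i + n] for i in range(len(t) - n + 1)]


def statistical_features(text):
    """The statistics the text lists: keyword presence and character-class proportions."""
    words = {w.lower() for w in re.findall(r"[A-Za-z_]+", text)}
    total = max(len(text), 1)
    return {
        "sql_keywords": len(words & SQL_KEYWORDS),
        "script_keywords": len(words & SCRIPT_KEYWORDS),
        "digit_ratio": sum(c.isdigit() for c in text) / total,
        "upper_ratio": sum(c.isupper() for c in text) / total,
        # our reading of "truncating characters": those that end or comment out the rest of a query
        "truncation_ratio": sum(c in "'\";#-" for c in text) / total,
        "special_ratio": sum(c in string.punctuation for c in text) / total,
    }


def build_vocabulary(samples, n=3, min_df=1):
    """Sorted n-grams occurring in at least min_df samples: the axes of the vector space."""
    df = Counter()
    for s in samples:
        df.update(set(char_ngrams(s, n)))
    return sorted(g for g, c in df.items() if c >= min_df)


def vectorize(text, vocab, n=3):
    """Sample vector: relative frequency of every vocabulary n-gram, then the statistics."""
    grams = char_ngrams(text, n)
    tf = Counter(grams)
    ngram_part = [tf[g] / len(grams) if grams else 0.0 for g in vocab]
    stats = statistical_features(text)
    return ngram_part + [float(stats[k]) for k in STAT_ORDER]


def vectorize_corpus(samples, n=3):
    vocab = build_vocabulary(samples, n)
    return vocab, [vectorize(s, vocab, n) for s in samples]


if __name__ == "__main__":
    vocab, vectors = vectorize_corpus(SAMPLES)
    print("vocabulary size:", len(vocab), "vector length:", len(vectors[0]))
    for s in SAMPLES:
        print(s, statistical_features(s))
```

Relative rather than raw N-gram counts keep long payloads from outweighing short ones in the later distance computations; the vocabulary must be frozen after training so that a received message is mapped into the same space as the samples.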
Step S103: and classifying the attack samples by adopting a clustering method.
Specifically, the attack samples (white samples) in the Profile may be clustered with K-means: the attack samples are randomly divided into K groups, K attack samples are chosen at random, one from each group, as the initial seed cluster centres, the distance between every attack sample (object) and every seed centre is computed, and each attack sample is assigned to the nearest seed centre. A seed centre together with the attack samples assigned to it represents a cluster. After the assignment, the seed centre of each cluster is recomputed from the attack samples (objects) now in the cluster. This process is repeated until a termination condition is met. The termination condition may be:
no (or a minimal number of) attack samples (objects) are reassigned to a different cluster;
or no (or a minimal number of) seed cluster centres change again;
or the sum of squared errors of the clusters reaches a local minimum.
Through these steps the known attack samples are clustered, and the clustered known-attack white samples are built for use in the subsequent learning process.
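As an added example (not the patent's code), the following Python implements the K-means procedure described above on constructed sample vectors of the kind the previous step produces, stopping on the first termination condition (no object reassigned). Because a single run only reaches a local minimum of the sum of squared errors, it restarts from several random seeds and keeps the partition with the smallest error. The vectors, the feature layout and the number of restarts are assumptions made for the example.

```python
import math
import random

# Constructed sample vectors for six attack samples. Each vector holds statistics of the
# kind the text-analysis step produces: (SQL keyword count, script keyword count,
# digit ratio, upper-case ratio, special-character ratio).
SAMPLE_VECTORS = {
    "sqli-1": [3.0, 0.0, 0.05, 0.30, 0.20],
    "sqli-2": [2.0, 0.0, 0.10, 0.25, 0.18],
    "sqli-3": [4.0, 0.0, 0.02, 0.35, 0.22],
    "xss-1": [0.0, 4.0, 0.02, 0.00, 0.25],
    "xss-2": [0.0, 2.0, 0.01, 0.00, 0.30],
    "xss-3": [0.0, 3.0, 0.03, 0.05, 0.28],
}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_vector(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def kmeans(vectors, k, seed=7, max_iter=100):
    """Lloyd's K-means with randomly chosen objects as the initial seed centres.
    Stops when no object changes cluster (or after max_iter rounds)."""
    rng = random.Random(seed)
    centres = [list(v) for v in rng.sample(vectors, k)]
    labels = None
    for iteration in range(1, max_iter + 1):
        new_labels = [min(range(k), key=lambda c: euclid(v, centres[c])) for v in vectors]
        if new_labels == labels:
            return labels, centres, iteration
        labels = new_labels
        for c in range(k):
            members = [v for v, l in zip(vectors, labels) if l == c]
            if members:  # an emptied cluster keeps its previous centre
                centres[c] = mean_vector(members)
    return labels, centres, max_iter


def sum_squared_error(vectors, labels, centres):
    return sum(euclid(v, centres[l]) ** 2 for v, l in zip(vectors, labels))


def cluster_samples(sample_vectors, k=2, restarts=5):
    """Run K-means from several seeds and keep the lowest-error partition.
    Returns ({sample name: cluster id}, centres)."""
    names = list(sample_vectors)
    vectors = [sample_vectors[n] for n in names]
    best = None
    for seed in range(restarts):
        labels, centres, _ = kmeans(vectors, k, seed=seed)
        err = sum_squared_error(vectors, labels, centres)
        if best is None or err < best[0]:
            best = (err, labels, centres)
    _, labels, centres = best
    return dict(zip(names, labels)), centres


if __name__ == "__main__":
    assignment, centres = cluster_samples(SAMPLE_VECTORS)
    for name, cluster in assignment.items():
        print(name, "-> cluster", cluster)
    print("centres:", [[round(x, 2) for x in c] for c in centres])
```

Cluster ids are arbitrary (which group is 0 depends on the seed), so downstream code should key on the partition, not on the ids; the K chosen here is the number of attack types expected, which in practice is itself estimated, for example from the error curve over several K.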
Step S104: and carrying out initial training on the classifier by using the sample vector of each attack sample and the classification result of each attack sample.
In this step the classifier is initially trained with attack messages of known types, that is, with the sample vector and the classification result of each attack sample.
Specifically, the mainstream classifiers include support vector machines (SVM), random forests and XGBoost (a distributed gradient boosting library); this scheme selects the random forest algorithm. The classification stage comprises the random forest algorithm, model training, the classifier and the classification result. Initial training of the classifier mainly consists of selecting the parameters impurity (the split criterion used to measure node purity), maxDepth (maximum tree depth), maxBins (maximum number of bins used to discretise feature values) and numTrees (number of trees), which yields the initially trained classifier and the classification result it outputs.
The random forest algorithm combines classification trees into a random forest: it randomises over the variables (columns) and the data (rows) used to grow many classification trees, then aggregates the results of those trees. The random forest improves prediction accuracy without a noticeable increase in computation. It is insensitive to multicollinearity, its results are stable under missing and unbalanced data, and it can predict well even with thousands of explanatory variables.
When a random forest model is used for feature selection and for building an effective classifier, many large trees are grown for the target attribute, and the feature subset with the most information is found from the statistics of each attribute. For example, very shallow trees are grown on a very large data set, each tree trained on only a small subset of the attributes; an attribute that is frequently the best splitting attribute is likely to be an informative feature that should be kept. The random forest algorithm has the following advantages:
1) training is highly parallelisable, an advantage for training speed on large samples in the big-data era;
2) because the features used to split decision-tree nodes are chosen at random, the model can still be trained efficiently when the feature dimension of the samples is high;
3) after training, the importance of each feature to the output can be reported;
4) because random sampling is used, the trained model has low variance and strong generalisation capability;
5) compared with boosting methods such as AdaBoost and GBDT (gradient boosted decision trees), a random forest is simpler to implement;
6) it is tolerant of missing values in some features;
7) it adapts well to the data set: it can handle both discrete and continuous data, and the data set does not need to be normalised;
8) when the random forest is built, an unbiased estimate of the generalisation error is obtained;
9) during training, interactions between features can be detected.
Step S105: generating the protection rule applied by the analysis engine in the firewall from the output of the initially trained classifier.
Specifically, once the classifier has been initially trained it outputs, for each type of attack message, the feature vector corresponding to that type. In this step the characteristic fields of the protection rule are generated from the message fields that correspond to the feature values in the feature vector output by the classifier, and the value characteristics of the corresponding fields of attack messages in the protection rule are generated from the values those fields take in the attack messages. Specifically, for each type of attack message, the value characteristics of that type's corresponding fields in the protection rule are generated from the values taken, in that type of attack message, by the fields that correspond to the feature values in that type's feature vector.
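As an added example (not the patent's code), the Python below shows one way to turn classifier output into a protection rule, covering steps S104 and S105 together. It uses the information gain of the best single threshold on each feature, which is the split criterion a decision-tree node uses and stands in here for the random forest's feature-importance output; features with high gain become the characteristic fields of the rule, and for each attack type the range of values those fields take on that type's samples becomes the value characteristic. The training set, the attack type names (sqli, xss, flood) and the gain threshold are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed training set: the feature vector of each attack sample (as a dict) and the
# attack type the clustering step assigned to it. The type names are assumptions.
TRAINING = [
    ({"sql_keywords": 3, "script_keywords": 0, "payload_len": 60, "special_ratio": 0.20}, "sqli"),
    ({"sql_keywords": 2, "script_keywords": 0, "payload_len": 45, "special_ratio": 0.18}, "sqli"),
    ({"sql_keywords": 4, "script_keywords": 0, "payload_len": 80, "special_ratio": 0.30}, "sqli"),
    ({"sql_keywords": 0, "script_keywords": 4, "payload_len": 55, "special_ratio": 0.25}, "xss"),
    ({"sql_keywords": 0, "script_keywords": 2, "payload_len": 40, "special_ratio": 0.10}, "xss"),
    ({"sql_keywords": 0, "script_keywords": 3, "payload_len": 70, "special_ratio": 0.28}, "xss"),
    ({"sql_keywords": 0, "script_keywords": 0, "payload_len": 9000, "special_ratio": 0.02}, "flood"),
    ({"sql_keywords": 0, "script_keywords": 0, "payload_len": 12000, "special_ratio": 0.22}, "flood"),
    ({"sql_keywords": 1, "script_keywords": 0, "payload_len": 15000, "special_ratio": 0.03}, "flood"),
]


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def best_split_gain(values, labels):
    """Information gain of the best single threshold on one feature, i.e. the criterion a
    decision-tree node uses to choose its split; used here as the feature's importance."""
    parent = entropy(labels)
    uniq = sorted(set(values))
    best = 0.0
    for lo, hi in zip(uniq, uniq[1:]):
        thr = (lo + hi) / 2
        left = [l for v, l in zip(values, labels) if v <= thr]
        right = [l for v, l in zip(values, labels) if v > thr]
        child = (len(left) * entropy(left) + len(right) * entropy(right)) / len(labels)
        best = max(best, parent - child)
    return best


def select_features(training, min_gain=0.5):
    """Features whose best split separates the attack types well become the characteristic fields."""
    labels = [label for _, label in training]
    gains = {f: best_split_gain([s[f] for s, _ in training], labels) for f in sorted(training[0][0])}
    return {f: g for f, g in gains.items() if g >= min_gain}


def generate_rules(training, min_gain=0.5, action="block"):
    """One rule per attack type: for every characteristic field, the range of values the field
    takes on that type's samples (its value characteristic) plus the protection action."""
    selected = select_features(training, min_gain)
    by_type = defaultdict(list)
    for sample, label in training:
        by_type[label].append(sample)
    rules = {}
    for label in sorted(by_type):
        fields = {f: {"min": min(s[f] for s in by_type[label]), "max": max(s[f] for s in by_type[label])}
                  for f in selected}
        rules[label] = {"fields": fields, "action": action}
    return rules


def classify(rules, features):
    """Apply the rules to a received message's field values: the first attack type all of
    whose field ranges contain the observed values, or None when no rule matches."""
    for label in sorted(rules):
        ranges = rules[label]["fields"]
        if all(r["min"] <= features.get(f, float("nan")) <= r["max"] for f, r in ranges.items()):
            return label
    return None


if __name__ == "__main__":
    print("feature gains:", select_features(TRAINING))
    rules = generate_rules(TRAINING)
    for label, rule in rules.items():
        print(label, rule)
    print(classify(rules, {"sql_keywords": 3, "script_keywords": 0, "payload_len": 50, "special_ratio": 0.9}))
```

Ranges taken straight from the training samples are tight, so a deployment would widen them (or express them as thresholds) before use; a real random forest would also supply the importances directly, and the rest of the generation step is unchanged.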
Preferably, one skilled in the art can also empirically perform a numerical feature extraction and analysis of normal flow. The method comprises the following steps of carrying out feature distribution statistics on a large number of samples to establish a mathematical model, wherein the feature extraction comprises the following steps: the number of JSON parameters, the mean and variance of parameter values, parameter character distribution, TOPIC access frequency, etc., are shown in table 1 below:
TABLE 1: statistical features of normal traffic (number of JSON parameters, mean and variance of parameter values, parameter character distribution, TOPIC access frequency); the table itself is an image that is not reproduced in this text.
Those skilled in the art can use these extracted features as part of the protection rules to improve the analysis, diagnosis and protection of messages based on the MQTT protocol.
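The following is an added example, not code from the patent, of how the Table 1 statistics can be computed from MQTT publish traffic: the number of JSON parameters, the mean and variance of numeric parameter values, the character-class distribution of string parameters, and the per-topic access frequency over a window of messages. The sample messages are constructed for the example; the feature names and the choice to treat a parse failure as a feature are this example's own.

```python
"""Statistical feature extraction for MQTT JSON payloads (added example, not the patent's code)."""
import json
from collections import Counter

# Constructed sample traffic as (client_id, topic, payload); the last message is an
# obviously abnormal publish used to show how the statistics move.
SAMPLE_MESSAGES = [
    ("meter-01", "grid/meter/01/reading", '{"kwh": 12.5, "volt": 230.1, "status": "ok"}'),
    ("meter-01", "grid/meter/01/reading", '{"kwh": 12.7, "volt": 229.8, "status": "ok"}'),
    ("meter-02", "grid/meter/02/reading", '{"kwh": 8.1, "volt": 231.0, "status": "ok"}'),
    ("probe-7", "grid/meter/01/reading", '{"kwh": 1e9, "volt": -1, "status": "ok", "extra": "%%%%%%%%%%"}'),
]


def _leaves(node):
    """Yield the leaf values of a parsed JSON document, descending into objects and arrays."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _leaves(value)
    elif isinstance(node, list):
        for value in node:
            yield from _leaves(value)
    else:
        yield node


def extract_features(payload: str) -> dict:
    """Per-message statistics of the kind listed in Table 1 for one JSON payload.

    A payload that is not valid JSON yields parse_ok=0 with zeroed statistics, so the
    vector keeps a fixed shape and the parse failure itself becomes a feature.
    """
    feats = {"parse_ok": 1, "n_params": 0, "num_mean": 0.0, "num_var": 0.0,
             "frac_alpha": 0.0, "frac_digit": 0.0, "frac_other": 0.0}
    try:
        doc = json.loads(payload)
    except ValueError:
        feats["parse_ok"] = 0
        return feats
    leaves = list(_leaves(doc))
    feats["n_params"] = len(leaves)
    # bool is a subclass of int in Python, so exclude it from the numeric statistics.
    nums = [float(v) for v in leaves if isinstance(v, (int, float)) and not isinstance(v, bool)]
    if nums:
        mean = sum(nums) / len(nums)
        feats["num_mean"] = mean
        feats["num_var"] = sum((x - mean) ** 2 for x in nums) / len(nums)
    text = "".join(v for v in leaves if isinstance(v, str))
    if text:
        classes = Counter("alpha" if c.isalpha() else "digit" if c.isdigit() else "other"
                          for c in text)
        for name in ("alpha", "digit", "other"):
            feats["frac_" + name] = classes[name] / len(text)
    return feats


def topic_access_frequency(messages) -> Counter:
    """Number of messages per topic in the window (the TOPIC access frequency feature)."""
    return Counter(topic for _client, topic, _payload in messages)


def feature_vectors(messages) -> list:
    """Combine per-message payload statistics with the window-level topic frequency."""
    freq = topic_access_frequency(messages)
    vectors = []
    for client, topic, payload in messages:
        feats = extract_features(payload)
        feats["topic_freq"] = freq[topic]
        feats["client"] = client
        vectors.append(feats)
    return vectors


if __name__ == "__main__":
    for vec in feature_vectors(SAMPLE_MESSAGES):
        print(vec)
```

The abnormal fourth message stands out on three of these statistics at once (an extra parameter, a numeric mean several orders of magnitude above the others, and a string parameter dominated by punctuation), which is the kind of deviation a rule derived from the normal-traffic model would key on.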
The protection rule may be set in an MQTT firewall deployed between the terminal device and the MQTT server, and an AI (artificial intelligence) analysis engine in the MQTT firewall analyzes and protects MQTT protocol messages based on the protection rule. The flexible AI analysis engine is the key capability of the MQTT (message queue telemetry transport) firewall, while the protection rules are its core. To improve processing performance, the AI analysis engine first compiles the predefined protection rules into a syntax tree. After receiving a data packet, the MQTT agent parses it into structured data and sends the structured data to the AI analysis engine; the engine traverses all protection rules, applying the structured data as variables to the compiled syntax tree for evaluation and matching. When a rule matches, the AI analysis engine sends the policy defined by the rule to the MQTT agent, which applies the corresponding policy to the received message and writes a log record. Policies include passing, blocking, rewriting, alarming and others, and several policies can be combined in one configuration. The MQTT agent also mirrors the parsed traffic, so that the AI analysis engine can analyze and mine attack behaviour in the traffic with AI algorithms and generate new protection rules to be added to the rule base.
Specifically, the flow of the protection method for a message based on the MQTT protocol provided in the embodiment of the present invention is shown in Fig. 2 and includes the following steps:
Step S201: after receiving a message based on the MQTT protocol, extracting the values of the corresponding fields from the message according to the feature fields set in the protection rule.
Specifically, after receiving a message based on the MQTT protocol, the MQTT firewall parses the message into structured data and sends the structured data to the AI (artificial intelligence) analysis engine. The AI analysis engine extracts the values of the corresponding variables from the structured data according to the variables in the compiled syntax tree that correspond to the feature fields set in the protection rule, thereby obtaining the values of the corresponding fields in the message.
For example, the MQTT firewall parses the received packet and extracts the values of the corresponding variables from the parse result, where the variables include system-preset variables of the MQTT protocol such as command, QoS, Topic, payload and client_addr. Each protection rule may specify one or more variables; multiple variables are separated by "|", and a protection rule that spans multiple lines is continued with "\".
Step S202: comparing the extracted field values with the value characteristics of the corresponding fields of the attack message set in the protection rule, and performing the corresponding protection once the message has been determined to be an attack message from the comparison result.
In this step, for each type of attack message, the extracted field values are compared with the value characteristics of the corresponding fields of that type of attack message in the protection rule, and whether the currently received message is an attack message of that type is judged from the comparison result; if so, the currently received message is processed according to the protection operation set in the protection rule for that type of attack message. Specifically, the AI analysis engine compares the extracted variable values with the value characteristics of the corresponding variables in the syntax tree; if the comparison succeeds for every variable in a protection rule, the message is determined to conform to that rule, and if the rule protects against a certain type of attack message, the corresponding protection operation in the rule is applied to the message.
For example, when comparing the values of variables, the AI analysis engine may use common numerical and text comparison operators, and the comparison may use a regular expression, for example SecRule CLIENT_ADDR "^192\.168\.1\.101$". Here CLIENT_ADDR designates the variable, the IP address of the remote peer, and "^192\.168\.1\.101$" is the pattern compared against that variable. In this example the rule is described as matching when the address is not 192.168.1.101 (in ModSecurity-style rule syntax that negation is written by prefixing the pattern with "!"), and when it matches the protection operation of the rule is performed.
The protection operation in a protection rule describes what is to be done when the values of the variables are matched successfully, for example passing, blocking, message rewriting, variable definition, variable assignment, log recording, script execution and so on.
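As an added example of the rule engine described in the paragraphs above (this is illustrative code, not the patent's or any product's implementation), the block below compiles ModSecurity-style SecRule lines into regular-expression nodes ahead of traffic, then evaluates structured MQTT messages against them. It follows the page's conventions: variables separated by "|", line continuation with a trailing backslash, a leading "!" to negate a pattern, and a rule that fires only when every listed variable matches. The action keywords (id, block, alarm, rewrite, log, msg), the rules and the sample messages are this example's own assumptions.

```python
"""A minimal MQTT firewall rule engine in the style described above (added example)."""
import re
from dataclasses import dataclass

# Constructed rule base, written in the ModSecurity-style "SecRule VARS pattern actions"
# form shown on the page. Variables are separated by "|" and a rule may continue over
# lines with a trailing backslash. A pattern beginning with "!" is negated. The action
# keywords (id, block, alarm, rewrite, log, msg) are this example's own choice.
RULES_TEXT = r'''
# Only the meter at 192.168.1.101 may publish through this firewall instance.
SecRule CLIENT_ADDR "!^192\.168\.1\.101$" "id:1001,block,log,msg:publisher address not on allow list"
# QoS 2 publishes are downgraded to QoS 1 to limit broker state (rewrite policy).
SecRule COMMAND|QOS "^(PUBLISH|2)$" \
    "id:1002,rewrite:QOS=1,log,msg:downgraded QoS 2 publish"
# Payloads of 512 bytes or more raise an alarm but are still forwarded.
SecRule PAYLOAD "^.{512,}$" "id:1003,alarm,log,msg:oversized payload"
'''

RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$')


@dataclass
class Rule:
    variables: list      # message fields the pattern is compared against
    pattern: re.Pattern  # compiled regular expression (one node of the "syntax tree")
    negate: bool         # True when the pattern was written with a leading "!"
    actions: dict        # parsed action list, e.g. {"id": "1001", "block": True}


def compile_rules(text: str) -> list:
    """Compile rule text once, ahead of traffic, as the analysis engine does."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # line continuation
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    rules = []
    for line in logical:
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("malformed rule: " + line)
        pattern = m.group(2)
        negate = pattern.startswith("!")
        actions = {}
        for item in m.group(3).split(","):
            key, _, value = item.strip().partition(":")
            if key:
                actions[key] = value or True
        rules.append(Rule(m.group(1).upper().split("|"),
                          re.compile(pattern[1:] if negate else pattern), negate, actions))
    return rules


def evaluate(rules: list, message: dict) -> dict:
    """Run every rule over one structured message and return the combined policy.

    Following the text, a rule fires only when the comparison succeeds for every
    variable it lists. Block outranks alarm, which outranks pass; rewrite and log
    actions are applied whenever their rule fires, so policies combine.
    """
    decision = {"action": "pass", "matched": [], "log": [], "message": dict(message)}
    for rule in rules:
        hits = [(rule.pattern.search(str(message.get(v, ""))) is not None) != rule.negate
                for v in rule.variables]
        if not all(hits):
            continue
        decision["matched"].append(rule.actions.get("id"))
        if "log" in rule.actions:
            decision["log"].append(rule.actions.get("msg", "rule matched"))
        if "rewrite" in rule.actions:
            var, _, new = rule.actions["rewrite"].partition("=")
            decision["message"][var.upper()] = new
        if "block" in rule.actions:
            decision["action"] = "block"
        elif "alarm" in rule.actions and decision["action"] == "pass":
            decision["action"] = "alarm"
    return decision


# Constructed structured messages as the MQTT agent would hand them to the engine.
SAMPLE_MESSAGES = [
    {"COMMAND": "PUBLISH", "QOS": 0, "TOPIC": "grid/meter/01", "PAYLOAD": '{"kwh": 12.5}', "CLIENT_ADDR": "192.168.1.101"},
    {"COMMAND": "PUBLISH", "QOS": 2, "TOPIC": "grid/meter/01", "PAYLOAD": '{"kwh": 12.5}', "CLIENT_ADDR": "192.168.1.101"},
    {"COMMAND": "PUBLISH", "QOS": 0, "TOPIC": "grid/meter/01", "PAYLOAD": '{"kwh": 12.5}', "CLIENT_ADDR": "10.0.0.9"},
    {"COMMAND": "PUBLISH", "QOS": 0, "TOPIC": "grid/meter/01", "PAYLOAD": "A" * 600, "CLIENT_ADDR": "192.168.1.101"},
]

if __name__ == "__main__":
    compiled = compile_rules(RULES_TEXT)
    for msg in SAMPLE_MESSAGES:
        result = evaluate(compiled, msg)
        print(result["action"], result["matched"], result["log"])
```

Compiling once and matching many times is what makes the syntax-tree step pay off: the regular expressions are built when the rule base loads, and per-message work is limited to looking up the named variables and running the prepared patterns. Note that ModSecurity itself fires a rule when any listed variable matches; the all-variables semantic here follows the text above, and a deployment should pick one and document it, since the two give different verdicts for multi-variable rules.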
Preferably, while protecting messages based on the MQTT (message queue telemetry transport) protocol with the protection rule, the AI analysis engine in the MQTT firewall may further continue training the classifier with the currently received message and update the protection rule; the specific flow is shown in Fig. 3 and includes the following steps:
Step S301: mapping the message to a vector space to perform text-to-vector conversion, thereby obtaining a sample vector of the message.
Step S302: inputting the sample vector of the message into the classifier.
Step S303: after the classifier calculates the feature vector of the message, calculating the similarity between that feature vector and the feature vectors of each type of attack message.
Step S304: if the calculated similarity is larger than the set threshold, treating the message as an attack message of unknown type, outputting its feature vector as the feature vector of that unknown type of attack message, and updating the protection rule.
Specifically, in this step, if the calculated similarity is determined to be greater than the set threshold, the message is treated as an attack message of unknown type and its feature vector is output as the feature vector of that unknown type; the protection rule is then updated: a characteristic field is added to the protection rule for each field of the message that corresponds to a feature value in the feature vector of the unknown-type attack message output by the classifier, and the value characteristic of that field for the unknown-type attack message in the protection rule is generated from the value the field takes in the unknown-type attack message.
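The following added example (not the patent's code) walks through steps S301 to S304 and the rule update on constructed traffic. A message is mapped to a small fixed-length vector, compared with the feature vector of each known attack class, treated as an attack of unknown type when the best similarity exceeds the threshold, and its deviating features are turned into a new rule whose characteristic fields and value characteristics come from the message itself. The feature layout, the distance-based similarity, the 0.85 threshold and the deviation margin are assumptions made for the example; the attack classes and messages are constructed.

```python
"""Continued training of the classifier on live traffic (added example, not the patent's code)."""
import json
import math
import string

# Position -> (message field, feature name); this layout is what lets a feature value be
# traced back to the message field it came from when a new rule is generated.
FEATURE_LAYOUT = [("TOPIC", "len"), ("TOPIC", "special"),
                  ("PAYLOAD", "len"), ("PAYLOAD", "special"), ("PAYLOAD", "not_json")]
ALLOWED = {"TOPIC": set(string.ascii_letters + string.digits + "/_-."),
           "PAYLOAD": set(string.ascii_letters + string.digits + string.whitespace + '{}[]":,._-+')}


def _special_fraction(field: str, text: str) -> float:
    """Share of characters outside the set normally seen in this field."""
    return sum(c not in ALLOWED[field] for c in text) / len(text) if text else 0.0


def vectorize(msg: dict) -> list:
    """Step S301: map a message to a fixed-length vector (lengths are log-scaled)."""
    topic, payload = str(msg.get("TOPIC", "")), str(msg.get("PAYLOAD", ""))
    try:
        json.loads(payload)
        not_json = 0.0
    except ValueError:
        not_json = 1.0
    return [math.log1p(len(topic)) / 8, _special_fraction("TOPIC", topic),
            math.log1p(len(payload)) / 8, _special_fraction("PAYLOAD", payload), not_json]


def centroid(msgs: list) -> list:
    """Mean vector of a set of messages; used as the feature vector of one attack class."""
    vecs = [vectorize(m) for m in msgs]
    return [sum(col) / len(vecs) for col in zip(*vecs)]


def similarity(a: list, b: list) -> float:
    """Similarity in (0, 1]: 1 at zero distance, falling towards 0 as vectors diverge."""
    return 1.0 / (1.0 + math.dist(a, b))


# Constructed training traffic (not from the patent): normal meter readings and two
# known attack classes, oversized publishes and wildcard characters in publish topics.
NORMAL_SAMPLES = [
    {"TOPIC": "grid/meter/01/reading", "PAYLOAD": '{"kwh": 12.5, "volt": 230.1}'},
    {"TOPIC": "grid/meter/01/reading", "PAYLOAD": '{"kwh": 12.7, "volt": 229.8}'},
]
KNOWN_ATTACK_SAMPLES = {
    "oversized_publish": [{"TOPIC": "grid/meter/01/reading", "PAYLOAD": "A" * 2000},
                          {"TOPIC": "grid/meter/02/reading", "PAYLOAD": "A" * 1500}],
    "wildcard_topic": [{"TOPIC": "grid/#/+/$SYS", "PAYLOAD": "{}"},
                       {"TOPIC": "grid/meter/+/#", "PAYLOAD": "{}"}],
}
NORMAL_MESSAGE = {"TOPIC": "grid/meter/02/reading", "PAYLOAD": '{"kwh": 8.1, "volt": 231.0}'}
UNKNOWN_MESSAGE = {"TOPIC": "grid/meter/01/reading", "PAYLOAD": "B" * 900}


def detect_unknown_attack(msg: dict, class_vectors: dict, threshold: float = 0.85):
    """Steps S302-S304: compare the message vector with every attack-class vector and,
    when the best similarity exceeds the threshold, return (similarity, vector) so the
    message is recorded as an attack of unknown type; otherwise return None."""
    vec = vectorize(msg)
    best = max(similarity(vec, c) for c in class_vectors.values())
    return (best, vec) if best > threshold else None


def derive_rule(vec: list, msg: dict, normal_vector: list, margin: float = 0.2) -> dict:
    """Rule update: every feature deviating from the normal profile by at least `margin`
    contributes its message field as a characteristic field, and the value the field
    takes in the attack message becomes that field's value characteristic."""
    fields = {}
    for (field, name), x, n in zip(FEATURE_LAYOUT, vec, normal_vector):
        if abs(x - n) < margin:
            continue
        value = str(msg.get(field, ""))
        spec = fields.setdefault(field, {})
        if name == "len":
            spec["min_len"] = len(value)
        elif name == "special":
            spec["min_special"] = _special_fraction(field, value)
        else:
            spec["not_json"] = True
    return {"fields": fields, "action": "alarm"}


def rule_matches(rule: dict, msg: dict) -> bool:
    """Apply a derived rule: every characteristic field must show its value characteristic."""
    if not rule["fields"]:
        return False
    for field, spec in rule["fields"].items():
        value = str(msg.get(field, ""))
        if len(value) < spec.get("min_len", 0):
            return False
        if _special_fraction(field, value) < spec.get("min_special", 0.0):
            return False
        if spec.get("not_json"):
            try:
                json.loads(value)
                return False
            except ValueError:
                pass
    return True


if __name__ == "__main__":
    classes = {name: centroid(samples) for name, samples in KNOWN_ATTACK_SAMPLES.items()}
    hit = detect_unknown_attack(UNKNOWN_MESSAGE, classes)
    if hit:
        print("unknown-type attack, similarity %.3f" % hit[0])
        print(derive_rule(hit[1], UNKNOWN_MESSAGE, centroid(NORMAL_SAMPLES)))
```

Two design points matter for a deployment of this loop. The similarity is distance-based rather than cosine-based because all features here are non-negative, and cosine similarity on such vectors rates almost every message as close to every class; and the derived rule is kept conservative (an alarm, not a block) until a rule engine or an operator has confirmed it, which is the verification step the closed-loop description calls for.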
In the technical scheme of the invention, the deployment of the MQTT firewall captures MQTT traffic data, applies AI (artificial intelligence) big-data analysis to detect and mine potential attacks, and verifies the accuracy of the AI analysis with a rule engine, forming a strict closed-loop analysis system that improves the comprehensiveness and accuracy of MQTT network attack analysis. The MQTT firewall applies the various protection rules together, and through the rules the characteristics of known attacks on a specific system are further detected, so that a targeted security protection scheme can be formulated.
Based on the above protection method for a message based on the MQTT protocol, the protection device for a message based on the MQTT protocol provided in an embodiment of the present invention may be disposed in the AI analysis engine of an MQTT firewall deployed between the terminal device and the MQTT server. Its internal structure is shown in Fig. 4 and includes a security protection module 401.
The security protection module 401 is configured to, after receiving a message based on the MQTT protocol, extract the values of the corresponding fields from the message according to the feature fields set in the protection rule, compare the extracted field values with the value characteristics of the corresponding fields of the attack message set in the protection rule, and perform the corresponding protection once the message has been determined to be an attack message from the comparison result. For the specific way in which the security protection module 401 implements this function, refer to the steps of the flow shown in Fig. 2, which are not repeated here.
The protection rule is obtained in advance according to the following method:
carrying out initial training of the classifier with attack messages of known types, to obtain the initially trained classifier and the feature vectors output by the classifier for each type of attack message; generating the characteristic fields of the protection rule from the message fields corresponding to the characteristic values in the feature vectors, and generating the value characteristics of the corresponding fields of the attack message in the protection rule from the value characteristics of those fields in the attack message.
Further, the apparatus for protecting a message based on the MQTT protocol according to an embodiment of the present invention may further include a training module 402.
The training module 402 is configured to take collected attack messages of various types based on the MQTT protocol as attack samples, map each attack sample to a vector space and perform text-to-vector conversion to obtain a sample vector for each attack sample; classify the attack samples with a clustering method; carry out initial training of the classifier with the sample vector and classification result of each attack sample, to obtain the initially trained classifier and the feature vectors output by the classifier for each type of attack message; and generate the characteristic fields of the protection rule from the message fields corresponding to the characteristic values in the feature vectors, and the value characteristics of the corresponding fields of the attack message in the protection rule from the value characteristics of those fields in the attack message. For the specific way in which the training module 402 initially trains the classifier and generates the protection rule, refer to the steps of the flow illustrated in Fig. 1, which are not repeated here.
Further, the training module 402 may be configured to continue training the classifier with the currently received message: mapping the message to a vector space and performing text-to-vector conversion to obtain a sample vector of the message; inputting the sample vector of the message into the classifier; after the classifier calculates the feature vector of the message, calculating the similarity between that feature vector and the feature vectors of each type of attack message; and, if the calculated similarity is larger than the set threshold, treating the message as an attack message of unknown type and outputting its feature vector as the feature vector of that unknown type. For the specific way in which the training module 402 continues training the classifier with the currently received message, refer to the steps of the flow shown in Fig. 3, which are not repeated here.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 5 is a schematic diagram of a more specific hardware structure of an electronic device according to this embodiment. The electronic device may include a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040 and a bus 1050, with the processor 1010, memory 1020, input/output interface 1030 and communication interface 1040 communicatively coupled to each other within the device via the bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (central processing unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and is configured to execute the related program so as to implement the method for protecting a message based on the MQTT (message queue telemetry transport) protocol according to an embodiment of the present invention.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. Furthermore, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement embodiments of the present invention, and need not include all of the components shown in the figures.
In the technical scheme of the invention, after the analysis engine deployed in the firewall receives a message based on the MQTT (message queue telemetry transport) protocol, it extracts the values of the corresponding fields from the message according to the characteristic fields set in the protection rule, compares the extracted field values with the value characteristics of the corresponding fields of the attack message set in the protection rule, and performs the corresponding protection once the message has been determined to be an attack message from the comparison result; the protection rules are generated from the feature vectors output by the classifier for the various types of attack message. In this way, security analysis and protection of messages based on the MQTT protocol is achieved, and the protection capability and security of information transmitted between devices over the MQTT protocol are improved. Moreover, the classifier is obtained through a large amount of learning and training that combines technical principles and related algorithms based on deep learning, and the protection rules are formed from it, so the method has the characteristics of high performance, wide applicability and strong recognition capability.
Furthermore, the technical scheme of the invention can continue training the classifier with received messages while generating protection rules and applying them to protect messages, so the protection rules can be updated without adding equipment to the original deployment; the special network protocol analysis capability is provided by upgrading the rules, which has the advantages of flexibility, low cost and dynamic expansion.
Computer-readable media of the present embodiments, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the invention, features of the above embodiments or of different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A protection method for messages based on MQTT protocol is characterized by comprising the following steps:
after receiving a message based on an MQTT protocol, extracting values of corresponding fields from the message according to the characteristic fields set in the protection rule;
comparing the extracted value of the field with the value characteristics of the corresponding field of the attack message set in the protection rule, and performing corresponding protection after determining that the message is the attack message according to the comparison result;
the protection rule is obtained in advance according to the following method:
carrying out initial training on the classifier by using the attack message of the known type to obtain the classifier after the initial training and the feature vectors which are output by the classifier and respectively correspond to the attack messages of various types;
generating a characteristic field in the protection rule according to a field in the message corresponding to the characteristic value in the characteristic vector, and generating a value characteristic of the corresponding field of the attack message in the protection rule according to the value characteristic of the field in the attack message.
2. The method according to claim 1, wherein the initial training of the classifier using the known type of attack packet specifically comprises:
collecting various attack messages based on an MQTT protocol as attack samples;
mapping each attack sample to a vector space to perform text-to-vector conversion to obtain a sample vector of each attack sample;
classifying the attack samples by adopting a clustering method;
carrying out initial training on the classifier by using the sample vector of each attack sample and the classification result of each attack sample.
3. The method according to claim 2, wherein the generating, according to the value characteristics of the fields in the attack message, the value characteristics of the corresponding fields in the attack message in the protection rule specifically includes:
for each type of attack message, generating the value characteristics of the corresponding field of that type of attack message in the protection rule according to the value characteristics, in that type of attack message, of the field corresponding to the characteristic value in the characteristic vector of that type of attack message.
4. The method according to claim 3, wherein the comparing the extracted field value with the value characteristic of the corresponding field of the attack packet set in the protection rule, and performing corresponding protection after determining that the packet is the attack packet according to the comparison result specifically comprises:
for each type of attack message, comparing the extracted value of the field with the value characteristics of the corresponding field of the type of attack message in the protection rule, and judging whether the currently received message is the type of attack message or not according to the comparison result; if so, processing the currently received message according to the protection operation of the attack message of the type set in the protection rule.
5. The method according to claim 1, further comprising, after receiving the MQTT protocol-based message, continuing to train the classifier by using the message:
mapping the message to a vector space to perform text-to-vector conversion to obtain a sample vector of the message;
inputting the sample vector of the message into the classifier;
after the classifier calculates the feature vector of the message, similarity calculation is carried out on the feature vector and the feature vectors of various attack messages respectively;
if the calculated similarity is larger than the set threshold, the message is taken as an attack message of unknown type, and the feature vector of the message is taken as the feature vector of the attack message of unknown type to be output.
6. The method according to claim 5, wherein after outputting the feature vector of the packet as the feature vector of the attack packet of unknown type, the method further comprises: updating the protection rule:
increasing the characteristic fields in the protection rule according to the fields in the message corresponding to the characteristic values in the characteristic vectors of the attack messages of unknown types output by the classifier; and generating the value characteristics of the corresponding field corresponding to the attack message of the unknown type in the protection rule according to the value characteristics of the field in the attack message of the unknown type.
7. A protection device for messages based on MQTT protocol is characterized by comprising the following components:
the safety protection module is used for extracting values of corresponding fields from a message according to characteristic fields set in a protection rule after receiving the message based on the MQTT protocol; comparing the extracted value of the field with the value characteristics of the corresponding field of the attack message set in the protection rule, and performing corresponding protection after determining that the message is the attack message according to the comparison result;
the protection rule is obtained in advance according to the following method:
carrying out initial training on the classifier by using the attack message of the known type to obtain the classifier after the initial training and the feature vectors which are output by the classifier and respectively correspond to the attack messages of various types;
generating a characteristic field in the protection rule according to a field in the message corresponding to the characteristic value in the characteristic vector, and generating a value characteristic of the corresponding field of the attack message in the protection rule according to the value characteristic of the field in the attack message.
8. The apparatus of claim 7, further comprising:
the training module is used for taking collected various attack messages based on the MQTT protocol as attack samples, mapping each attack sample to a vector space to perform text-to-vector conversion, and obtaining a sample vector of each attack sample; classifying the attack samples by adopting a clustering method; carrying out initial training on the classifier by using the sample vector of each attack sample and the classification result of each attack sample to obtain the classifier after the initial training and the feature vectors which are output by the classifier and respectively correspond to various types of attack messages; and generating a characteristic field in the protection rule according to a field in the message corresponding to the characteristic value in the characteristic vector, and generating a value characteristic of a corresponding field of the attack message in the protection rule according to the value characteristic of the field in the attack message.
9. The apparatus of claim 7,
the training module is further configured to continue training the classifier using the currently received packet: mapping the message to a vector space to perform text-to-vector conversion to obtain a sample vector of the message; inputting the sample vector of the message into the classifier; after the classifier calculates the feature vector of the message, similarity calculation is carried out on the feature vector and the feature vectors of various attack messages respectively; if the calculated similarity is larger than the set threshold, the message is taken as an attack message of unknown type, and the feature vector of the message is taken as the feature vector of the attack message of unknown type to be output.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1-6 when executing the program.
Application CN202010450082.5A, "Protection method and device for message based on MQTT protocol", priority date and filing date 2020-05-25; published as CN111818009A on 2020-10-23; legal status: pending.

Family

ID=72847751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010450082.5A Pending CN111818009A (en) 2020-05-25 2020-05-25 Protection method and device for message based on MQTT protocol

Country Status (1)

Country Link
CN (1) CN111818009A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112911004A (en) * 2021-02-03 2021-06-04 北京寄云鼎城科技有限公司 Method and device for ensuring safe operation of Internet of things system and computing equipment
CN113452700A (en) * 2021-06-25 2021-09-28 阿波罗智联(北京)科技有限公司 Method, device, equipment and storage medium for processing safety information
CN113783889A (en) * 2021-09-22 2021-12-10 南方电网数字电网研究院有限公司 Firewall control method for linkage access of network layer and application layer and firewall thereof
CN114172973A (en) * 2021-11-30 2022-03-11 深圳市国电科技通信有限公司 Data conversion processing method based on MQTT protocol and 698 protocol and electronic equipment
CN116471344A (en) * 2023-04-27 2023-07-21 无锡沐创集成电路设计有限公司 Keyword extraction method, device and medium for data message

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170026391A1 (en) * 2014-07-23 2017-01-26 Saeed Abu-Nimeh System and method for the automated detection and prediction of online threats
US20160226894A1 (en) * 2015-02-04 2016-08-04 Electronics And Telecommunications Research Institute System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type model
US20180048669A1 (en) * 2016-08-12 2018-02-15 Tata Consultancy Services Limited Comprehensive risk assessment in a heterogeneous dynamic network
CN109194684A (en) * 2018-10-12 2019-01-11 腾讯科技(深圳)有限公司 Method, apparatus and computing device for simulating a denial-of-service attack
CN109829299A (en) * 2018-11-29 2019-05-31 电子科技大学 Unknown attack recognition method based on a deep autoencoder
CN110120950A (en) * 2019-05-13 2019-08-13 四川长虹电器股份有限公司 System and method for threat analysis based on Internet of Things traffic
CN110351303A (en) * 2019-07-29 2019-10-18 海南大学 DDoS feature extraction method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
冯胥睿瑞 et al.: "Research on methods for analysing malware behaviour and capabilities based on feature extraction", 《信息网络安全》 (Netinfo Security) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112911004A (en) * 2021-02-03 2021-06-04 北京寄云鼎城科技有限公司 Method and device for ensuring safe operation of Internet of things system and computing equipment
CN113452700A (en) * 2021-06-25 2021-09-28 阿波罗智联(北京)科技有限公司 Method, device, equipment and storage medium for processing safety information
CN113452700B (en) * 2021-06-25 2022-12-27 阿波罗智联(北京)科技有限公司 Method, device, equipment and storage medium for processing safety information
CN113783889A (en) * 2021-09-22 2021-12-10 南方电网数字电网研究院有限公司 Firewall control method for linkage access of network layer and application layer and firewall thereof
CN114172973A (en) * 2021-11-30 2022-03-11 深圳市国电科技通信有限公司 Data conversion processing method based on MQTT protocol and 698 protocol and electronic equipment
CN114172973B (en) * 2021-11-30 2023-12-19 深圳市国电科技通信有限公司 Data conversion processing method based on MQTT protocol and 698 protocol and electronic equipment
CN116471344A (en) * 2023-04-27 2023-07-21 无锡沐创集成电路设计有限公司 Keyword extraction method, device and medium for data message
CN116471344B (en) * 2023-04-27 2023-11-21 无锡沐创集成电路设计有限公司 Keyword extraction method, device and medium for data message

Similar Documents

Publication Publication Date Title
Yang et al. MTH-IDS: A multitiered hybrid intrusion detection system for internet of vehicles
Ding et al. Intrusion detection system for NSL-KDD dataset using convolutional neural networks
CN111818009A (en) Protection method and device for message based on MQTT protocol
Min et al. TR-IDS: Anomaly-based intrusion detection through text-convolutional neural network and random forest
Disha et al. Performance analysis of machine learning models for intrusion detection system using Gini Impurity-based Weighted Random Forest (GIWRF) feature selection technique
Mendonça et al. Intrusion detection system based on fast hierarchical deep convolutional neural network
Bartos et al. Optimized invariant representation of network traffic for detecting unseen malware variants
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
US10341391B1 (en) Network session based user behavior pattern analysis and associated anomaly detection and verification
JP6290659B2 (en) Access management method and access management system
CN104426906A (en) Identifying malicious devices within a computer network
Alani et al. Paired: An explainable lightweight android malware detection system
CN111371778B (en) Attack group identification method, device, computing equipment and medium
CN111953665B (en) Server attack access identification method and system, computer equipment and storage medium
CN111598711A (en) Target user account identification method, computer equipment and storage medium
CN111709022B (en) Hybrid alarm association method based on AP clustering and causal relationship
Harikrishna et al. SDN-based DDoS attack mitigation scheme using convolution recursively enhanced self organizing maps
Ripan et al. An isolation forest learning based outlier detection approach for effectively classifying cyber anomalies
Ageyev et al. Traffic monitoring and abnormality detection methods analysis
CN115795330A (en) Medical information anomaly detection method and system based on AI algorithm
Chen et al. Using adversarial examples to bypass deep learning based url detection system
Manzano et al. Design of a machine learning based intrusion detection framework and methodology for iot networks
Niu et al. Using XGBoost to discover infected hosts based on HTTP traffic
Sinha A Study on Supervised Machine Learning Technique to Detect Anomalies in Networks
EP4024252A1 (en) A system and method for identifying exploited cves using honeypots

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination