CN112134875B - IoT network abnormal flow detection method and system - Google Patents

Publication number
CN112134875B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010986424.5A
Other languages
Chinese (zh)
Other versions
CN112134875A (en)
Inventor
侯路
刘明峰
韩然
程辉
陈琛
李祥新
李玉顺
田小川
刘子良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
QINGDAO POWER SUPPLY Co OF STATE GRID SHANDONG ELECTRIC POWER Co
Original Assignee
QINGDAO POWER SUPPLY Co OF STATE GRID SHANDONG ELECTRIC POWER Co
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an IoT network abnormal traffic detection method and system that can be deployed in the Internet of things as a supplement to an Internet of things firewall to analyze and detect IoT network traffic in real time. First, the traffic information in the Internet of things is analyzed per unit time, the device fingerprint information and traffic fingerprint information of the Internet of things equipment are extracted, non-numerical information is converted into numerical data using the word2vector technique, and the result is recombined with the fingerprint information into fingerprint codes. Second, the abnormal traffic fingerprint codes and the normal traffic fingerprint codes are balanced using a minority-sample oversampling technique so that the baseline threshold of the model can be determined accurately. Finally, a detection threshold is calculated with an extreme learning machine based on noise reduction self-coding (a denoising autoencoder): the baseline detection threshold is determined from the distribution of the reconstruction errors obtained after the normal fingerprint codes and the abnormal fingerprint codes are input into the model. The invention ensures the confidentiality, integrity and availability of the Internet of things and can improve the detection efficiency of network abnormal traffic.

Description

IoT network abnormal flow detection method and system
Technical Field
The invention relates to the field of Internet of Things (IoT) security, in particular to an IoT network abnormal traffic detection method and system.
Background
With the rapid development of the Internet of things, IoT-based equipment and technology are widely applied in all kinds of intelligent scenarios. The continued development of communication technology in Internet of things systems has also brought many network security problems, and security threats to communication and terminals in the Internet of things emerge endlessly. In particular, an attacker can intrude into an Internet of things system through the communication process, steal data in the system and damage equipment by exploiting equipment vulnerabilities, causing the whole Internet of things system to lose its function. To deal effectively with security threats in the Internet of things and cut off attack paths, attack behavior in the network can be discovered in time by analyzing the traffic characteristics of the Internet of things network. Existing methods for detecting network traffic anomalies in the Internet of things are mainly based on feature-matching rules; they depend heavily on events that have occurred in the network, and rules must be continuously created and updated to judge whether attack behavior exists. It is therefore necessary to analyze the traffic characteristics of the Internet of things and design an accurate, efficient and lightweight method for detecting abnormal traffic in the Internet of things, so as to ensure the security and stability of the Internet of things and even of the whole network.
Disclosure of Invention
The invention aims to provide an IoT network abnormal flow detection method and system, which aim to solve the problems that the existing network abnormal flow detection method needs to set detection rules continuously, the subjectivity is high, and the network abnormal flow monitoring efficiency is low.
In order to achieve the purpose, the invention provides the following scheme:
an IoT network abnormal traffic detection method comprises the following steps:
acquiring the fingerprint information of a network terminal in the Internet of things at any moment and capturing the flow fingerprint information within a period of time taking the any moment as a starting point; the network terminal fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform; the traffic fingerprint information comprises maximum and average message load length, uplink traffic message number, downlink traffic message number, interaction protocol type, message interaction rate, supported communication protocol type and maximum communication port number in a time window;
converting non-numerical fingerprint information in the network terminal fingerprint information into numerical fingerprint information by using a text data characterization technology, and determining a normal fingerprint code vector only containing numerical values by combining the numerical fingerprint information and the flow fingerprint information;
acquiring false device fingerprint data and false traffic fingerprint data by using forged Internet of things equipment, and constructing an abnormal fingerprint code vector according to the false device fingerprint data and the false traffic fingerprint data; the false traffic fingerprint data is generated based on attack traffic; the attack traffic comprises telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack;
utilizing a minority class oversampling technology to balance the normal fingerprint code vectors and the abnormal fingerprint code vectors, and determining balanced normal fingerprint code vectors and balanced abnormal fingerprint code vectors;
dividing the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determining a training set and a testing set, training an extreme learning machine based on a noise reduction self-coding network according to the training set, and generating a data reconstruction model;
determining reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model, and determining a detection threshold value according to the reconstruction errors;
and detecting the network abnormal flow in the Internet of things according to the detection threshold.
Optionally, the converting, by using a text data characterization technique, non-numerical fingerprint information in the network terminal fingerprint information into numerical fingerprint information, and determining, by combining the numerical fingerprint information and the traffic fingerprint information, a normal fingerprint code vector that only contains a numerical value specifically includes:
generating a data dictionary by using a corpus, selecting 50000 words with highest use frequency in the corpus, and establishing an index;
traversing the index and comparing the index with the non-numerical fingerprint data to determine the index corresponding to the non-numerical fingerprint data;
evaluating the frequency of the indexes corresponding to the non-numerical fingerprint data appearing in the whole data dictionary, and taking the non-numerical fingerprint data with the frequency higher than a frequency threshold value as numerical fingerprint information;
and determining a normal fingerprint code vector only containing numerical values by combining the numerical value fingerprint information and the flow fingerprint information.
Optionally, the determining, by combining the numerical fingerprint information and the traffic fingerprint information, a normal fingerprint code vector only containing a numerical value further includes:
calculating the standard deviation and the mean value of the fingerprint code data in the normal fingerprint code vector;
according to the formula
Figure BDA0002689434160000031
the fingerprint code data in the normal fingerprint code vector is standardized to generate new standard fingerprint code data, and the new standard fingerprint code data is recombined into the standard fingerprint code vector, where $d'_n$ is the new standard fingerprint code data, $d_n$ is the fingerprint code data in the normal fingerprint code vector, σ is the standard deviation, and μ is the mean value.
Optionally, the balancing the normal fingerprint code vector and the abnormal fingerprint code vector by using a minority oversampling technology, and determining the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector specifically include:
determining a positive integer according to the ratio of the number of normal fingerprint code vectors to the number of abnormal fingerprint code vectors;
calculating a plurality of adjacent sample data corresponding to any sample data in the abnormal fingerprint code vector; the sample data is fingerprint code data;
randomly selecting one sample from the adjacent sample data as the random sample data, determining new sample data according to the random sample data, and repeating, based on the positive integer, the step of calculating a plurality of adjacent sample data corresponding to any sample data in the abnormal fingerprint code vector until the difference between the number of samples in the normal fingerprint code vector and the number of new sample data is within a preset difference range, thereby determining the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector.
Optionally, the dividing the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determining a training set and a test set, training an extreme learning machine based on a noise reduction self-coding network according to the training set, and generating a data reconstruction model specifically includes:
taking the fingerprint code data in the balanced normal fingerprint code vector and the fingerprint code data in the balanced abnormal fingerprint code vector as a data set, and dividing the training set and the test set according to the principle that the ratio of the training data to the test data is 7:3 and the ratio of the normal fingerprint code data to the abnormal fingerprint code data is 1: 1;
inputting all the normal fingerprint code data in the training set into a noise reduction self-coding network, optimizing the noise reduction self-coding network and determining coding parameters; the coding parameters comprise an input layer weight matrix, a hidden layer bias and hidden layer output;
and taking the hidden layer output as the input of an extreme learning machine, taking the input layer weight matrix and the hidden layer bias as initialization parameters of the extreme learning machine, and constructing a data reconstruction model.
Optionally, the determining, according to the data reconstruction model, reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set, and determining a detection threshold according to the reconstruction errors specifically include:
inputting the normal fingerprint code data into the extreme learning machine based on the noise reduction self-coding, calculating the reconstruction error of the normal fingerprint code data, and determining a normal reconstruction error distribution histogram according to the reconstruction error of the normal fingerprint code data;
inputting the abnormal fingerprint code data into the extreme learning machine based on the noise reduction self-encoding, calculating the reconstruction error of the abnormal fingerprint code data and determining an abnormal reconstruction error distribution histogram according to the reconstruction error of the abnormal fingerprint code data;
and determining a detection threshold value according to the normal reconstruction error distribution histogram and the abnormal reconstruction error distribution histogram.
Optionally, the determining a detection threshold according to the normal reconstruction error distribution histogram and the abnormal reconstruction error distribution histogram further includes:
inputting the test set into the extreme learning machine based on the noise reduction self-encoding, and calculating sample data under different detection thresholds; the sample data comprises the number of correctly detected samples of normal fingerprint code data, the number of incorrectly detected samples of normal fingerprint code data, the number of correctly detected samples of abnormal fingerprint code data and the number of incorrectly detected samples of abnormal fingerprint code data;
calculating the detection accuracy under different detection thresholds according to the sample data, and determining an optimal detection threshold; the optimal detection threshold is the detection threshold at the highest detection accuracy.
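The model and threshold steps above, as an added example in Python with NumPy (not code from the patent): a denoising autoencoder supplies the input weights and hidden bias, an extreme learning machine solves the output weights in closed form, and the threshold with the highest test accuracy is kept. The constructed data, layer sizes, noise level, squared-error objective and ridge term are assumptions made for the illustration.

```python
import numpy as np

def sigmoid(a):
    return 1.0 / (1.0 + np.exp(-a))

def make_data(rng, n=300, d=8):
    """Constructed fingerprint codes in [0, 1]: normal codes follow two hidden
    factors plus small noise; abnormal codes are spread over the whole range."""
    base = np.linspace(0.3, 0.7, d)
    mix = rng.uniform(-0.15, 0.15, size=(2, d))
    factors = rng.uniform(-1, 1, size=(n, 2))
    normal = base + factors @ mix + rng.normal(0, 0.01, size=(n, d))
    abnormal = rng.uniform(0, 1, size=(n, d))
    return normal, abnormal

def train_dae(X, rng, hidden=4, noise_std=0.05, lr=1.0, epochs=2000):
    """Denoising autoencoder with a bottleneck, trained by gradient descent on
    squared reconstruction error (assumed objective). Returns encoder W, b."""
    n, d = X.shape
    W, b = rng.normal(0, 0.5, (d, hidden)), np.zeros(hidden)
    W2, b2 = rng.normal(0, 0.5, (hidden, d)), np.zeros(d)
    for _ in range(epochs):
        Xn = X + rng.normal(0, noise_std, X.shape)  # corrupted input
        Y = sigmoid(Xn @ W + b)                     # hidden layer output y
        Z = sigmoid(Y @ W2 + b2)                    # output z = s(W'y + b')
        dZ = (Z - X) * Z * (1 - Z) / n              # gradient at output pre-activation
        dY = (dZ @ W2.T) * Y * (1 - Y)              # back-propagated to hidden layer
        W2 -= lr * (Y.T @ dZ)
        b2 -= lr * dZ.sum(axis=0)
        W -= lr * (Xn.T @ dY)
        b -= lr * dY.sum(axis=0)
    return W, b

def fit_elm(X, W, b, ridge=1e-3):
    """ELM step: keep W and b from the autoencoder and solve the output
    weights in closed form (ridge-regularised least squares)."""
    H = sigmoid(X @ W + b)
    return np.linalg.solve(H.T @ H + ridge * np.eye(H.shape[1]), H.T @ X)

def reconstruction_error(X, W, b, beta):
    """Mean squared reconstruction error of each fingerprint code."""
    return np.mean((sigmoid(X @ W + b) @ beta - X) ** 2, axis=1)

def best_threshold(err_normal, err_abnormal):
    """Try every observed error as the threshold; keep the most accurate one."""
    best_thr, best_acc = None, -1.0
    total = len(err_normal) + len(err_abnormal)
    for thr in np.sort(np.concatenate([err_normal, err_abnormal])):
        normal_ok = np.sum(err_normal < thr)        # normal codes passed
        abnormal_ok = np.sum(err_abnormal >= thr)   # abnormal codes flagged
        acc = (normal_ok + abnormal_ok) / total
        if acc > best_acc:
            best_thr, best_acc = float(thr), float(acc)
    return best_thr, best_acc

def run_demo(seed=7):
    rng = np.random.default_rng(seed)
    normal, abnormal = make_data(rng)
    cut = len(normal) * 7 // 10                     # 7:3 split, classes 1:1
    W, b = train_dae(normal[:cut], rng)             # normal training codes only
    beta = fit_elm(normal[:cut], W, b)
    e_norm = reconstruction_error(normal[cut:], W, b, beta)
    e_abn = reconstruction_error(abnormal[cut:], W, b, beta)
    thr, acc = best_threshold(e_norm, e_abn)
    return float(e_norm.mean()), float(e_abn.mean()), thr, acc

if __name__ == "__main__":
    print(run_demo())
```

Choosing the threshold on the same test set that reports the accuracy makes that accuracy optimistic; a separate validation split gives an unbiased figure.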
An IoT network anomaly traffic detection system, comprising:
a fingerprint information acquisition module, used for acquiring the fingerprint information of a network terminal in the Internet of things at any moment and capturing the traffic fingerprint information within a period of time with the any moment as a starting point; the network terminal fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform; the traffic fingerprint information comprises maximum and average message load length, uplink traffic message number, downlink traffic message number, interaction protocol type, message interaction rate, supported communication protocol type and maximum communication port number in a time window;
a module for determining the normal fingerprint code vector containing only numerical values, used for converting non-numerical fingerprint information in the network terminal fingerprint information into numerical fingerprint information by utilizing a text data characterization technology and determining normal fingerprint code vectors only containing numerical values by combining the numerical fingerprint information and the traffic fingerprint information;
the abnormal fingerprint code vector construction module is used for acquiring false device fingerprint data and false traffic fingerprint data by utilizing forged Internet of things equipment and constructing an abnormal fingerprint code vector according to the false device fingerprint data and the false traffic fingerprint data; the false traffic fingerprint data is generated based on attack traffic; the attack traffic comprises telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack;
the balancing processing module is used for carrying out balancing processing on the normal fingerprint code vectors and the abnormal fingerprint code vectors by utilizing a minority class oversampling technology, and determining balanced normal fingerprint code vectors and balanced abnormal fingerprint code vectors;
the data reconstruction model generation module is used for dividing the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determining a training set and a test set, training an extreme learning machine based on a noise reduction self-coding network according to the training set and generating a data reconstruction model;
a detection threshold determination module, configured to determine reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model, and determine a detection threshold according to the reconstruction errors;
and the network abnormal flow detection module is used for detecting the network abnormal flow in the Internet of things according to the detection threshold value.
Optionally, the module for determining a normal fingerprint code vector that only contains a numerical value specifically includes:
the index establishing unit is used for generating a data dictionary by using the corpus, selecting 50000 words with highest use frequency in the corpus and establishing an index;
the index determining unit corresponding to the non-numerical fingerprint data is used for traversing the index and comparing the index with the non-numerical fingerprint data to determine the index corresponding to the non-numerical fingerprint data;
the evaluation unit is used for evaluating the frequency of the indexes corresponding to the non-numerical fingerprint data appearing in the whole data dictionary and taking the non-numerical fingerprint data with the frequency higher than a frequency threshold value as numerical fingerprint information;
and the normal fingerprint code vector determining unit is used for determining the normal fingerprint code vector only containing the numerical value by combining the numerical value fingerprint information and the flow fingerprint information.
Optionally, the method further includes:
the standard deviation and mean value calculating unit is used for calculating the standard deviation and mean value of the fingerprint code data in the normal fingerprint code vector;
a standardization processing unit, used for standardizing, according to the formula
Figure BDA0002689434160000061
the fingerprint code data in the normal fingerprint code vector to generate new standard fingerprint code data, and recombining the new standard fingerprint code data into the standard fingerprint code vector, where $d'_n$ is the new standard fingerprint code data, $d_n$ is the fingerprint code data in the normal fingerprint code vector, σ is the standard deviation, and μ is the mean value.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects: the invention provides an IoT network abnormal traffic detection method and system, which analyze the traffic in an IoT network, collect the fingerprint information of network terminals and the traffic fingerprint information in the IoT network to form fingerprint code vector data, generate abnormal fingerprint code data in basically the same quantity as the normal fingerprint code data by adopting a minority-sample oversampling technology, reconstruct the fingerprint codes by utilizing an extreme learning machine based on a denoising self-coding network, and calculate a baseline detection threshold value according to the reconstruction error distribution of the normal fingerprint code data and the abnormal fingerprint code data, so as to realize lightweight detection of abnormal traffic in the IoT. The invention does not need detection rules to be set continuously, has high detection accuracy, does not need the support of a large data set, can improve the detection efficiency of network abnormal traffic, and is a lightweight detection method.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments are briefly described below. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of an IoT network abnormal traffic detection method provided in the present invention;
Fig. 2 is a flowchart of another IoT network abnormal traffic detection method provided in the present invention;
Fig. 3 is a diagram illustrating the distribution of reconstruction errors of fingerprint code data according to the present invention;
Fig. 4 is a graph illustrating the receiver operating characteristic (ROC) curve according to the present invention;
Fig. 5 is a structural diagram of an IoT network abnormal traffic detection system provided in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide an IoT network abnormal flow detection method and system, which can improve the detection efficiency of network abnormal flow.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
The device fingerprint information and the traffic fingerprint information of Internet of things equipment directly reflect the current network traffic characteristics, so abnormal traffic detection in the Internet of things can be realized by analyzing the distribution difference between the fingerprint codes corresponding to normal network traffic and abnormal network traffic and setting a detection threshold value. In addition, abnormal traffic is scarce in an Internet of things environment; to fully mine the distribution difference between normal traffic and abnormal traffic, the invention balances the number of abnormal traffic fingerprint codes and normal traffic fingerprint codes by using the Synthetic Minority Oversampling Technique (SMOTE), so as to improve the accuracy of the detection threshold. Meanwhile, a data reconstruction method using an extreme learning machine based on the noise reduction self-coding network is provided, and abnormal traffic detection is achieved from statistics of the reconstruction error distribution of the different traffic fingerprint codes.
Fig. 1 is a flowchart of an IoT network abnormal traffic detection method provided in the present invention, and as shown in fig. 1, an IoT network abnormal traffic detection method includes:
Step 101: acquiring the fingerprint information of a network terminal in the Internet of things at any moment and capturing the flow fingerprint information within a period of time taking the any moment as a starting point; the network terminal fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform; the traffic fingerprint information includes maximum and average message load lengths within a time window, an uplink traffic message number, a downlink traffic message number, an interaction protocol type, a message interaction rate, a supported communication protocol type, and a maximum communication port number.
Step 102: and converting non-numerical fingerprint information in the network terminal fingerprint information into numerical fingerprint information by using a text data characterization technology, and determining a normal fingerprint code vector only containing numerical values by combining the numerical fingerprint information and the flow fingerprint information.
Step 103: acquiring false device fingerprint data and false traffic fingerprint data by using forged Internet of things equipment, and constructing an abnormal fingerprint code vector according to the false device fingerprint data and the false traffic fingerprint data; the false traffic fingerprint data is generated based on attack traffic; the attack traffic comprises telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack.
Step 104: and balancing the normal fingerprint code vectors and the abnormal fingerprint code vectors by utilizing a minority oversampling technology, and determining balanced normal fingerprint code vectors and balanced abnormal fingerprint code vectors.
Step 105: and dividing the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determining a training set and a testing set, training an extreme learning machine based on a noise reduction self-coding network according to the training set, and generating a data reconstruction model.
Step 106: determining reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model, and determining a detection threshold value according to the reconstruction errors.
Step 107: detecting the network abnormal traffic in the Internet of things according to the detection threshold.
In practical application, the detection flow, which extracts the fingerprint code data of the Internet of things devices and network traffic, balances the fingerprint code data with the minority-sample oversampling technology, and uses the extreme learning machine based on the noise reduction self-coding network, is shown in fig. 2 and comprises the following steps:
Step S1: at time t, using the Nmap intranet scanning software to collect the fingerprint information of the Internet of things network terminals in unit time, wherein the fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform;
Step S2: capturing the traffic fingerprint information from time t to t + delta by using Wireshark packet capture, wherein the traffic fingerprint information comprises maximum and average message load length, uplink traffic message number, downlink traffic message number, interaction protocol type, message interaction rate, supported communication protocol type and maximum communication port number in a time window;
Step S3: converting the non-numerical fingerprint information from step S1 into numerical fingerprint information by using a text data characterization technology, and generating a numerical fingerprint code data vector by combining the numerical fingerprint information with the traffic fingerprint information acquired in step S2, wherein the text data characterization technology specifically comprises the following steps:
Step S301: generating a data dictionary by using a corpus, selecting the 50000 words with the highest use frequency in the corpus, and establishing an index;
Step S302: traversing the index, comparing the index with the non-numerical fingerprint data, and selecting and recording the index corresponding to the non-numerical fingerprint data;
Step S303: evaluating, by using SPSS software, the frequency with which the index corresponding to the non-numerical fingerprint data appears in the whole data dictionary, taking the index as numerical fingerprint information, and recombining the numerical fingerprint data into a fingerprint code vector;
Step S4: calculating the mean value and the standard deviation of the fingerprint data in the fingerprint code, and standardizing the fingerprint data in the fingerprint code, which specifically comprises the following steps:
Step S401: suppose the fingerprint code vector is $D = [d_1, d_2, \ldots, d_n]$, $n = 1, 2, \ldots$; calculating the standard deviation σ and the mean value μ of the data in the fingerprint code vector;
Step S402: standardizing the data in the fingerprint code vector according to the following formula to generate new standard data, and recombining the new standard data into a standard vector D':
Figure BDA0002689434160000091
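Steps S1-S4 as an added example in Python (not code from the patent): a device record and one capture window are turned into a numeric fingerprint code vector and standardized. The tiny corpus, the sample device and packets, the choice of fields (device ID, serial number, IP and MAC are left out), and the use of the usual z-score (d - μ) / σ for the formula that survives only as an image are all assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed stand-in for the corpus of step S301 (the page's corpus is not given).
CORPUS = ("linux linux linux tcp tcp tcp arm arm camera camera rtos rtos "
          "udp udp gateway icmp mips sensor").split()

def build_index(corpus, top_k=50000):
    """S301: index the top_k most frequent words; 0 is kept for unknown words."""
    ranked = sorted(Counter(corpus).items(), key=lambda kv: (-kv[1], kv[0]))
    return {word: i + 1 for i, (word, _) in enumerate(ranked[:top_k])}

def device_features(device, index):
    """S302/S303 (simplified): replace text fields by their dictionary index."""
    return [
        index.get(device["device_type"].lower(), 0),
        index.get(device["os"].lower(), 0),
        index.get(device["hardware_platform"].lower(), 0),
        len(device["open_ports"]),
    ]

def traffic_features(packets, device_ip, window_s):
    """S2: statistics over the packets captured in one time window."""
    lengths = [p["len"] for p in packets]
    uplink = sum(1 for p in packets if p["src"] == device_ip)
    return [
        max(lengths),                          # maximum payload length
        mean(lengths),                         # average payload length
        uplink,                                # uplink packet count
        len(packets) - uplink,                 # downlink packet count
        len({p["proto"] for p in packets}),    # distinct protocol types
        len(packets) / window_s,               # packets per second
        max(max(p["sport"], p["dport"]) for p in packets),  # highest port
    ]

def standardize(vector):
    """S4: z-score over the elements of one fingerprint code vector (assumed formula)."""
    mu, sigma = mean(vector), pstdev(vector)
    if sigma == 0:
        return [0.0] * len(vector)
    return [(d - mu) / sigma for d in vector]

def fingerprint_code(device, packets, device_ip, window_s, index):
    """Return the raw fingerprint code vector D and its standardized form D'."""
    raw = device_features(device, index) + traffic_features(packets, device_ip, window_s)
    return raw, standardize(raw)

# Constructed sample input (documentation addresses, not real devices).
DEVICE = {"device_type": "camera", "os": "Linux", "hardware_platform": "ARM",
          "open_ports": [80, 554]}
PACKETS = [
    {"src": "192.0.2.10", "dst": "192.0.2.1", "proto": "tcp",
     "sport": 40000, "dport": 1883, "len": 60},
    {"src": "192.0.2.1", "dst": "192.0.2.10", "proto": "tcp",
     "sport": 1883, "dport": 40000, "len": 40},
    {"src": "192.0.2.10", "dst": "192.0.2.1", "proto": "tcp",
     "sport": 40000, "dport": 1883, "len": 120},
    {"src": "192.0.2.10", "dst": "192.0.2.53", "proto": "udp",
     "sport": 50000, "dport": 53, "len": 36},
]

if __name__ == "__main__":
    raw, std = fingerprint_code(DEVICE, PACKETS, "192.0.2.10", 10, build_index(CORPUS))
    print(raw)
    print([round(v, 3) for v in std])
```

Because μ and σ are taken over the elements of a single vector, as step S401 describes, the largest field (here the port number) sets the scale and the remaining features end up almost indistinguishable after standardization.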
Step S5: constructing the abnormal fingerprint codes: acquiring fake device fingerprint data and traffic fingerprint data by using fake Internet of things devices according to steps S1-S3, and standardizing the abnormal fingerprint codes according to step S4, wherein the traffic fingerprint data are generated based on attack traffic, and the attacks comprise telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack;
Step S6: considering that abnormal fingerprint codes are fewer than normal fingerprint codes in a real Internet of things environment, the two types of fingerprint code data are balanced by adopting the minority-sample oversampling technology, with the following specific steps:
Step S601: determining the size of a positive integer N according to the ratio of the number of normal fingerprint code data to the number of abnormal fingerprint code data; if the number of normal fingerprint code data is L and the number of abnormal fingerprint code data is H, N is determined as
Figure BDA0002689434160000101
Step S602: assuming that the abnormal fingerprint code data set generated in step S5 contains S samples, for any sample $s_i$, $i \in \{1, 2, \ldots, S\}$, calculating its k adjacent samples $s_{i(near)}$, $near \in \{1, 2, \ldots, k\}$;
Step S603: randomly selecting a sample $s_{i(r)}$, $r \in \{1, 2, \ldots, near\}$, from the k adjacent samples, and selecting a random number in the range of 0 to 1 to synthesize a new sample according to the following formula:
Figure BDA0002689434160000104
Step S604: step S602 is repeated N times, so that N new samples can be synthesized: $s_{i(new)}$, $new = 1, 2, \ldots, N$;
Step S605: executing steps S601-S603 on each sample in the abnormal fingerprint code data set to generate SN samples;
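Steps S601-S605 as an added example in Python (not code from the patent). The two formulas in these steps survive only as images, so the example assumes N = round(L / H) and the standard SMOTE interpolation s_i + gap * (s_r - s_i); the sample vectors are constructed.

```python
import math
import random

def k_nearest(sample, pool, k):
    """S602: the k nearest neighbours of `sample` among the other samples."""
    others = [p for p in pool if p is not sample]
    return sorted(others, key=lambda p: math.dist(sample, p))[:k]

def smote(abnormal, n_normal, k=5, seed=0):
    """Return synthetic abnormal fingerprint codes, roughly n_normal of them."""
    if len(abnormal) < 2:
        raise ValueError("need at least two abnormal samples to interpolate")
    rng = random.Random(seed)
    # S601: N new samples per original sample. Assumption: N = round(L / H).
    n_per_sample = max(1, round(n_normal / len(abnormal)))
    k = min(k, len(abnormal) - 1)
    synthetic = []
    for s_i in abnormal:                              # S605: every minority sample
        neighbours = k_nearest(s_i, abnormal, k)      # S602
        for _ in range(n_per_sample):                 # S604: N new samples
            s_r = rng.choice(neighbours)              # S603: random neighbour
            gap = rng.random()                        # random number in [0, 1)
            # Assumption: standard SMOTE interpolation between s_i and s_r.
            synthetic.append([a + gap * (b - a) for a, b in zip(s_i, s_r)])
    return synthetic

# Constructed, already standardized abnormal fingerprint codes (3 features each).
ABNORMAL = [
    [2.1, -0.3, 1.8], [2.4, -0.1, 1.5], [1.9, -0.4, 2.0],     # one attack profile
    [-1.2, 2.8, 0.1], [-1.0, 3.1, 0.3], [-1.4, 2.6, 0.2],     # a second profile
]

def demo(n_normal=18):
    """Balance 6 abnormal codes against 18 normal ones with k = 2 neighbours."""
    return smote(ABNORMAL, n_normal, k=2)

if __name__ == "__main__":
    for point in demo():
        print([round(v, 2) for v in point])
```

With k no larger than the smallest cluster minus one, every synthetic point stays inside its parent's cluster; a larger k would interpolate between unrelated attack profiles. The page balances before the 7:3 split of step S7, so points interpolated from a sample that later lands in the test set can end up in the training set; oversampling after the split avoids that overlap.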
step S7: using the balanced normal and abnormal fingerprint code data as a data set, dividing the training set and the test set according to the principle that the ratio of training data to test data is 7:3 and the ratio of normal data to abnormal data is 1:1, and using the normal fingerprint code data in the training set to pre-train the noise reduction self-coding extreme learning machine to generate an optimal data reconstruction model, wherein the method specifically comprises the following steps:
step S701: assume that a set of n input data can be represented as X = {x^(1), x^(2), ..., x^(p)}, where the input sample vector is x^(p) = {x_1, x_2, ..., x_q}; adding noise into the sample data to generate a sample vector containing noise
Figure BDA0002689434160000102
Wherein p is a sample vector within the set of input data and q is a sample within the sample vector;
step S702: and taking the noise-added data sample as an input sample of the noise-reduced self-coding network, mapping the input sample to the hidden layer according to the following formula and outputting the mapped sample:
Figure BDA0002689434160000103
wherein s(x) is a sigmoid activation function, θ is a coding parameter, W is a weight matrix of m × t, and b is the bias of the hidden layer; m is the number of rows of the weight matrix, and t is the number of columns of the weight matrix.
Step S703: let the final output of the noise-reduced self-coding network be z = {z_1, z_2, ..., z_t}, and realize the mapping from the hidden layer output to the final output according to the following formula:
z = g_θ'(y) = s(W'y + b') (4)
wherein W' is a weight matrix of m × t, and b' is a bias of the hidden layer;
step S704: repeatedly executing the steps S701-S703, inputting all the normal fingerprint code data in the training set into the noise reduction self-coding network, and optimizing the network model according to the following objective function to obtain coding parameters:
Figure BDA0002689434160000111
step S705: recalculating, by using the optimal noise reduction self-coding network generated in steps S701-S704, the hidden layer output o = {o_1, o_2, ..., o_k} corresponding to the normal fingerprint code in the training set;
Step S706: based on the normal fingerprint code in the training set, using the optimal noise reduction self-coding network generated in steps S701-S704 to recalculate the input layer weight matrix w_2, the hidden layer bias b_2 and the hidden layer output y_2;
Step S707: taking the hidden layer output generated in the step S705 as the input of the extreme learning machine, the input layer weight generated in the step S706, and the hidden layer bias as the initialization parameter of the extreme learning machine;
step S708: setting the number of hidden layer neurons in the Extreme Learning Machine to hn, the input sample to x, the hidden layer function to g (x), and the hidden layer output to y, modeling the Extreme Learning Machine (ELM) according to the following formula by using the initialization parameters determined in step S707, and defining the relationship between the hidden layer output and the output layer output:
h=g(ax+b) (6)
h(x)β=y (7)
wherein a and b are input layer weight and bias, beta is hidden layer weight;
step S709: writing formula (7) in the matrix form Hβ = Y, and solving the optimal weight between the hidden layer nodes and the output nodes in the extreme learning machine according to the following formula to form an optimal extreme learning machine model:
Figure BDA0002689434160000112
where H is the output matrix of the hidden layer and T is the expected output of the sample, without considering the regularization,
Figure BDA0002689434160000113
wherein
Figure BDA0002689434160000114
A generalized inverse matrix which is an output weight matrix H;
step S710: inputting the training set into a trained extreme learning machine based on a denoising self-coding network, calculating input and output reconstruction errors, counting the reconstruction Error distribution of normal and abnormal fingerprint codes in the training set, determining a baseline detection threshold value through a distribution fitting curve, and calculating the reconstruction errors by adopting Mean Absolute Error (MAE) according to the following formula:
Figure BDA0002689434160000121
wherein x_i is the original input data, and z_i is the output of the extreme learning machine based on denoised self-encoding;
step S8: inputting the fingerprint codes in the training data set into the extreme learning machine trained in the step S7 and based on the noise reduction self-encoding, calculating and recording the reconstruction errors of the normal and abnormal fingerprint code data in the training set, counting the reconstruction error distribution histogram of the normal and abnormal fingerprint code data, and determining the optimal detection threshold value through the histogram distribution fitting curve, wherein the steps are as follows:
step S801: inputting the normal fingerprint code data into the extreme learning machine based on noise reduction self-coding, calculating the reconstruction error of the data and drawing a reconstruction error distribution histogram, wherein the abscissa is the size of the reconstruction error, and the ordinate is the number of data corresponding to the current reconstruction error. Adding a fitted curve to the histogram and recording the intersection x_r of the curve and the horizontal axis;
Step S802: inputting the abnormal fingerprint code data into the extreme learning machine based on noise reduction self-coding, calculating the reconstruction error of the data and drawing a reconstruction error distribution histogram, wherein the abscissa is the size of the reconstruction error, and the ordinate is the number of data corresponding to the current reconstruction error. Adding a fitted curve to the histogram and recording the intersection x_l of the curve and the horizontal axis;
Step S803: setting the initial value of the threshold r to x_l, and increasing r to x_r in increments of d = 0.001. Inputting the test data set into the extreme learning machine based on noise reduction self-coding, calculating the number of correctly detected normal samples (TN), the number of incorrectly detected normal samples (FN), the number of correctly detected abnormal samples (TP) and the number of incorrectly detected abnormal samples (FP) under different detection thresholds r, calculating the detection accuracy Acc = (TP + TN)/(TP + FN + TN + FP) under different detection thresholds r, and recording the detection threshold r_max under the highest detection accuracy as the optimal detection threshold.
Step S9: inputting the test data set into the extreme learning machine based on noise reduction self-coding, recording the False Positive Rate (FPR) and False Negative Rate (FNR) under the optimal detection threshold determined in step S8, and evaluating the comprehensive performance of the detection method by drawing a receiver operating characteristic curve.
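The threshold search of steps S801-S803 and the rates of step S9, as an added Python example that is not code from the patent. It assumes a sample is flagged abnormal when its reconstruction error exceeds r, stands in for the fitted-curve intersections with x_l = smallest abnormal error and x_r = largest normal error, and runs on constructed error values; the TN/FN/TP/FP labels follow the page's wording.

```python
# Constructed reconstruction errors (MAE per fingerprint code vector), not measured data.
NORMAL_ERR = [0.0102, 0.0151, 0.0198, 0.0224, 0.0305, 0.0352, 0.0413, 0.0497]
ABNORMAL_ERR = [0.0384, 0.0466, 0.0601, 0.0725, 0.0903, 0.1104, 0.1308, 0.1502]


def mae(x, z):
    """Mean absolute error between an input vector x and its reconstruction z."""
    if not x or len(x) != len(z):
        raise ValueError("x and z must be non-empty and of equal length")
    return sum(abs(a - b) for a, b in zip(x, z)) / len(x)


def counts_at(normal_err, abnormal_err, r):
    """Count outcomes for threshold r (assumed rule: error > r means abnormal).

    Labels follow the page: TN/FN = normal samples detected correctly/incorrectly,
    TP/FP = abnormal samples detected correctly/incorrectly.
    """
    tn = sum(1 for e in normal_err if e <= r)
    tp = sum(1 for e in abnormal_err if e > r)
    return {"TP": tp, "TN": tn,
            "FN": len(normal_err) - tn, "FP": len(abnormal_err) - tp}


def accuracy(c):
    """Acc = (TP + TN) / (TP + FN + TN + FP)."""
    return (c["TP"] + c["TN"]) / (c["TP"] + c["FN"] + c["TN"] + c["FP"])


def sweep(normal_err, abnormal_err, x_l, x_r, d=0.001):
    """Step r from x_l to x_r in increments of d; return the first best threshold."""
    if not normal_err or not abnormal_err:
        raise ValueError("both error lists must be non-empty")
    lo, hi = min(x_l, x_r), max(x_l, x_r)   # separable data can give x_l > x_r
    steps = int(round((hi - lo) / d))
    best = None
    for i in range(steps + 1):
        r = round(lo + i * d, 9)            # index-based stepping avoids float drift
        c = counts_at(normal_err, abnormal_err, r)
        acc = accuracy(c)
        if best is None or acc > best["acc"]:
            best = {"r_max": r, "acc": acc, **c}
    # Rates at the chosen threshold, named by what they measure:
    # share of normal traffic flagged (false alarms) and share of abnormal missed.
    best["normal_flagged_rate"] = best["FN"] / len(normal_err)
    best["abnormal_missed_rate"] = best["FP"] / len(abnormal_err)
    return best


if __name__ == "__main__":
    result = sweep(NORMAL_ERR, ABNORMAL_ERR,
                   x_l=min(ABNORMAL_ERR), x_r=max(NORMAL_ERR))
    print(result)
```

The sweep only covers the overlap between the two error distributions, so a threshold chosen this way is only as good as the abnormal samples used to estimate x_l.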
In order to verify the correctness and the effectiveness of the method provided by the invention, three Raspberry Pi boards from RS, E network alliance and Amazon are adopted as IoT terminals and connected through one host in the local area network, and the other host is used as a controller to communicate with the Raspberry Pi boards in the local area network through a route. On the first host, when the controller communicates with the Raspberry Pi boards, the intranet equipment is scanned through Nmap, the fingerprint information of the Internet of things terminal at a certain moment is recorded in a targeted manner, and the two types of fingerprint information are recombined into fingerprint codes.
Network traffic was collected for 1 consecutive day, with the last 5 minutes of each hour being attack traffic. According to experience, the method selects 2 seconds as the time window for capturing the flow, generates vectors containing 39600 normal fingerprint code data and 3600 abnormal fingerprint code data, and generates 36000 abnormal fingerprint code data vectors by using a few-sample oversampling algorithm so that the number of the abnormal fingerprint code data vectors is balanced with the number of the normal fingerprint code data vectors. The data set is divided into training data and testing data according to a ratio of 7:3, an extreme learning machine reconstruction model based on noise reduction self-coding is trained by using the normal fingerprint code data in the training set, the reconstruction errors of the normal fingerprint code data and the abnormal fingerprint code data in the training set are calculated, and the distribution of the reconstruction errors is counted to determine a detection threshold.
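The minority-class oversampling of steps S601-S605, as an added Python example that is not code from the patent. The formula images for N and for the synthesized sample are not reproduced on this page, so N is passed in as `n_per_sample` and the interpolation s_i + rand(0,1) × (s_i(r) − s_i) is the standard SMOTE form, assumed here; the vectors in `ABNORMAL` and all function names are constructed for illustration.

```python
import math
import random

# Constructed, already-standardized abnormal fingerprint code vectors (4 features each).
ABNORMAL = [
    [2.1, 0.3, -1.2, 4.0],
    [2.4, 0.1, -1.0, 3.6],
    [1.9, 0.4, -1.5, 4.2],
    [5.0, 2.2, 0.8, 0.5],
    [5.3, 2.0, 1.1, 0.2],
    [4.8, 2.5, 0.6, 0.9],
]


def k_nearest(samples, i, k):
    """Indices of the k samples closest (Euclidean) to samples[i], excluding i itself."""
    ranked = sorted(
        (math.dist(samples[i], s), j) for j, s in enumerate(samples) if j != i
    )
    return [j for _, j in ranked[:k]]


def synthesize(s_i, s_r, rng):
    """Standard SMOTE interpolation (assumed): s_i + rand(0,1) * (s_r - s_i).

    One random factor is drawn per new sample, so the result lies on the
    straight segment between s_i and the chosen neighbour s_r.
    """
    gap = rng.random()
    return [a + gap * (b - a) for a, b in zip(s_i, s_r)]


def oversample(abnormal, n_per_sample, k=5, seed=None):
    """Steps S602-S605: N synthetic samples per original sample, S*N in total."""
    if len(abnormal) < 2:
        raise ValueError("need at least two minority samples to interpolate")
    if n_per_sample < 1:
        raise ValueError("n_per_sample must be a positive integer")
    k = min(k, len(abnormal) - 1)          # cannot have more neighbours than peers
    rng = random.Random(seed)
    synthetic = []
    for i, s_i in enumerate(abnormal):
        neighbours = k_nearest(abnormal, i, k)          # S602
        for _ in range(n_per_sample):                   # S604: repeat N times
            s_r = abnormal[rng.choice(neighbours)]      # S603: pick one neighbour
            synthetic.append(synthesize(s_i, s_r, rng))
    return synthetic


if __name__ == "__main__":
    new = oversample(ABNORMAL, n_per_sample=3, k=2, seed=7)
    print(len(ABNORMAL), "originals ->", len(new), "synthetic samples")
```

With the experiment's figures, 3600 abnormal vectors and 36000 synthetic ones correspond to 10 synthetic samples per original. Because every synthetic point lies between two observed attack samples, oversampling balances the classes without adding attack behaviour the capture did not contain.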
Fig. 3 is a schematic diagram of distribution of reconstruction errors of fingerprint code data in the present invention, and fig. 3 illustrates an example of a histogram of reconstruction errors of normal fingerprint code data, where the abscissa in fig. 3 is the reconstruction error and the ordinate is the sample number. The optimal detection threshold finally determined in step S8 is 0.043, and under this threshold a receiver characteristic curve is drawn by calculating the false alarm rate under different false alarm rates, as shown in fig. 4; the area under the curve (AUC) at this time is 0.974.
The test data set is input into the noise reduction self-coding-based extreme learning machine trained on balanced data and on unbalanced data respectively, the reconstruction error of the test data is recorded and compared with the detection threshold, and the number of test samples detected correctly or incorrectly is counted, namely the number of correctly detected normal samples (TN), the number of incorrectly detected normal samples (FN), the number of correctly detected abnormal samples (TP) and the number of incorrectly detected abnormal samples (FP); the detection accuracy of the method, Acc = (TP + TN)/(TP + FN + TN + FP), is calculated from these four data indexes. Table 1 lists the threshold values and corresponding detection effects determined by the proposed detection method before and after data balancing.
TABLE 1
Figure BDA0002689434160000131
Fig. 5 is a structural diagram of an IoT network abnormal traffic detection system provided in the present invention, and as shown in fig. 5, an IoT network abnormal traffic detection system includes:
a fingerprint information obtaining module 501, configured to obtain fingerprint information of a network terminal in the internet of things at any time and capture traffic fingerprint information within a period of time with the any time as a starting point; the network terminal fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform; the traffic fingerprint information includes maximum and average message load lengths within a time window, an uplink traffic message number, a downlink traffic message number, an interaction protocol type, a message interaction rate, a supported communication protocol type, and a maximum communication port number.
A normal fingerprint code vector determination module 502 only containing numerical values, configured to convert non-numerical value fingerprint information in the network terminal fingerprint information into numerical value fingerprint information by using a text data characterization technique, and determine a normal fingerprint code vector only containing numerical values by combining the numerical value fingerprint information and the traffic fingerprint information.
The module 502 for determining normal fingerprint code vector only containing numerical value specifically includes: the index establishing unit is used for generating a data dictionary by using the corpus, selecting 50000 words with highest use frequency in the corpus and establishing an index; the index determining unit corresponding to the non-numerical fingerprint data is used for traversing the index and comparing the index with the non-numerical fingerprint data to determine the index corresponding to the non-numerical fingerprint data; the evaluation unit is used for evaluating the frequency of the indexes corresponding to the non-numerical fingerprint data appearing in the whole data dictionary and taking the non-numerical fingerprint data with the frequency higher than a frequency threshold value as numerical fingerprint information; and the normal fingerprint code vector determining unit is used for determining the normal fingerprint code vector only containing the numerical value by combining the numerical value fingerprint information and the flow fingerprint information.
The invention also includes: the standard deviation and mean value calculating unit is used for calculating the standard deviation and mean value of the fingerprint code data in the normal fingerprint code vector; a normalization processing unit for normalizing the equation
Figure BDA0002689434160000141
the fingerprint code data in the normal fingerprint code vector is standardized to generate new standard fingerprint code data, and the new standard fingerprint code data is recombined into the standard fingerprint code vector; d'_n is the new standard fingerprint code data; d_n is the fingerprint code data in the normal fingerprint code vector; σ is the standard deviation; μ is the mean value.
An abnormal fingerprint code vector construction module 503, configured to obtain fake device fingerprint data and fake traffic fingerprint data by using a forged internet of things device, and construct an abnormal fingerprint code vector according to the fake device fingerprint data and the fake traffic fingerprint data; the fake traffic fingerprint data is generated based on attack traffic; the attack traffic comprises telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack.
A balancing processing module 504, configured to perform balancing processing on the normal fingerprint code vector and the abnormal fingerprint code vector by using a minority class oversampling technology, and determine a balanced normal fingerprint code vector and a balanced abnormal fingerprint code vector.
And the data reconstruction model generation module 505 is configured to divide the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determine a training set and a test set, train an extreme learning machine based on a noise reduction self-coding network according to the training set, and generate a data reconstruction model.
A detection threshold determining module 506, configured to determine reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model, and determine a detection threshold according to the reconstruction errors.
And a network abnormal flow detection module 507, configured to detect a network abnormal flow in the internet of things according to the detection threshold.
Firstly, collecting device fingerprint information and Internet of things flow fingerprint information by adopting an active and passive combination method to form a fingerprint code data vector; secondly, balancing the number of the normal fingerprint code data and the abnormal fingerprint code data by using a few-sample oversampling technology; and finally, reconstructing training data by using an extreme learning machine based on noise reduction self-coding, determining a detection threshold according to normal fingerprint code data and abnormal fingerprint code reconstruction error distribution, and realizing lightweight detection of abnormal flow in IoT.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (8)

1. An IoT network abnormal traffic detection method is characterized by comprising the following steps:
acquiring the fingerprint information of a network terminal in the Internet of things at any moment and capturing the flow fingerprint information within a period of time taking the any moment as a starting point; the network terminal fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform; the traffic fingerprint information comprises maximum and average message load length, uplink traffic message number, downlink traffic message number, interaction protocol type, message interaction rate, supported communication protocol type and maximum communication port number in a time window;
converting non-numerical fingerprint information in the network terminal fingerprint information into numerical fingerprint information by using a text data characterization technology, and determining a normal fingerprint code vector only containing numerical values by combining the numerical fingerprint information and the flow fingerprint information;
acquiring fake device fingerprint data and fake traffic fingerprint data by using forged Internet of things equipment, and constructing an abnormal fingerprint code vector according to the fake device fingerprint data and the fake traffic fingerprint data; the fake traffic fingerprint data is generated based on attack traffic; the attack traffic comprises telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack;
utilizing a minority class oversampling technology to balance the normal fingerprint code vectors and the abnormal fingerprint code vectors, and determining balanced normal fingerprint code vectors and balanced abnormal fingerprint code vectors;
dividing the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determining a training set and a testing set, training an extreme learning machine based on a noise reduction self-coding network according to the training set, and generating a data reconstruction model;
determining reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model, and determining a detection threshold value according to the reconstruction errors;
detecting network abnormal flow in the Internet of things according to the detection threshold;
the method for determining the normal fingerprint code vector only containing numerical values by utilizing the text data characterization technology to convert non-numerical value fingerprint information in the network terminal fingerprint information into numerical value fingerprint information and combining the numerical value fingerprint information and the flow fingerprint information specifically comprises the following steps:
generating a data dictionary by using a corpus, selecting 50000 words with highest use frequency in the corpus, and establishing an index;
traversing the index and comparing the index with the non-numerical fingerprint data to determine the index corresponding to the non-numerical fingerprint data;
evaluating the frequency of the indexes corresponding to the non-numerical fingerprint data appearing in the whole data dictionary, and taking the non-numerical fingerprint data with the frequency higher than a frequency threshold value as numerical fingerprint information;
and determining a normal fingerprint code vector only containing numerical values by combining the numerical value fingerprint information and the flow fingerprint information.
2. The method of claim 1, wherein the determining a normal fingerprint code vector containing only numerical values in combination with the numerical fingerprint information and the traffic fingerprint information further comprises:
calculating the standard deviation and the mean value of the fingerprint code data in the normal fingerprint code vector;
according to the formula
Figure FDA0003514507260000021
the fingerprint code data in the normal fingerprint code vector is standardized to generate new standard fingerprint code data, and the new standard fingerprint code data is recombined into the standard fingerprint code vector; d'_n is the new standard fingerprint code data; d_n is the fingerprint code data in the normal fingerprint code vector; σ is the standard deviation; μ is the mean value.
3. The method of claim 2, wherein the balancing the normal fingerprint code vectors and the abnormal fingerprint code vectors by using a minority over-sampling technique to determine balanced normal fingerprint code vectors and balanced abnormal fingerprint code vectors specifically comprises:
determining a positive integer according to the quantity number proportion of the normal fingerprint code vectors to the abnormal fingerprint code vectors;
calculating a plurality of adjacent sample data corresponding to any sample data in the abnormal fingerprint code vector; the sample data is fingerprint code data;
randomly selecting one sample data from the adjacent sample data, determining random sample data, determining new sample data according to the random sample data, and circulating the steps of calculating a plurality of adjacent sample data corresponding to any sample data in the abnormal fingerprint code vector, and determining a balanced normal fingerprint code vector and a balanced abnormal fingerprint code vector based on the positive integer until the difference value between the number of samples in the normal fingerprint code vector and the number of the new sample data is within a preset difference value range.
4. The method for detecting abnormal traffic in an IoT network according to claim 3, wherein the dividing the balanced normal fingerprint code vectors and the balanced abnormal fingerprint code vectors to determine a training set and a test set, and training an extreme learning machine based on a noise reduction self-coding network according to the training set to generate a data reconstruction model specifically comprises:
taking the fingerprint code data in the balanced normal fingerprint code vector and the fingerprint code data in the balanced abnormal fingerprint code vector as a data set, and dividing the training set and the test set according to the principle that the ratio of the training data to the test data is 7:3 and the ratio of the normal fingerprint code data to the abnormal fingerprint code data is 1: 1;
inputting all the normal fingerprint code data in the training set into a noise reduction self-coding network, optimizing the noise reduction self-coding network and determining coding parameters; the coding parameters comprise an input layer weight matrix, a hidden layer bias and hidden layer output;
and taking the hidden layer output as the input of an extreme learning machine, taking the input layer weight matrix and the hidden layer bias as initialization parameters of the extreme learning machine, and constructing a data reconstruction model.
5. The method for detecting abnormal traffic in an IoT network according to claim 4, wherein the determining the reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model and determining the detection threshold according to the reconstruction errors specifically comprises:
inputting the normal fingerprint code data into the extreme learning machine based on the noise reduction self-coding, calculating the reconstruction error of the normal fingerprint code data, and determining a normal reconstruction error distribution histogram according to the reconstruction error of the normal fingerprint code data;
inputting the abnormal fingerprint code data into the extreme learning machine based on the noise reduction self-encoding, calculating the reconstruction error of the abnormal fingerprint code data and determining an abnormal reconstruction error distribution histogram according to the reconstruction error of the abnormal fingerprint code data;
and determining a detection threshold value according to the normal reconstruction error distribution histogram and the abnormal reconstruction error distribution histogram.
6. The method for detecting abnormal traffic in an IoT network according to claim 5, wherein the determining a detection threshold according to the normal reconstruction error distribution histogram and the abnormal reconstruction error distribution histogram further comprises:
inputting the test set into the extreme learning machine based on the noise reduction self-encoding, and calculating sample data under different detection thresholds; the sample data comprises the number of correctly detected samples of normal fingerprint code data, the number of incorrectly detected samples of normal fingerprint code data, the number of correctly detected samples of abnormal fingerprint code data and the number of incorrectly detected samples of abnormal fingerprint code data;
calculating the detection accuracy under different detection thresholds according to the sample data, and determining an optimal detection threshold; the optimal detection threshold is the detection threshold at the highest detection accuracy.
7. An IoT network anomaly traffic detection system, comprising:
a fingerprint information acquisition module, used for acquiring the fingerprint information of a network terminal in the Internet of things at any moment and capturing the traffic fingerprint information within a period of time with the any moment as a starting point; the network terminal fingerprint information comprises equipment ID, serial number, equipment type, terminal IP, MAC address, operating system version, open port and hardware platform; the traffic fingerprint information comprises maximum and average message load length, uplink traffic message number, downlink traffic message number, interaction protocol type, message interaction rate, supported communication protocol type and maximum communication port number in a time window;
the normal fingerprint code vector determining module only containing numerical values is used for converting non-numerical value fingerprint information in the network terminal fingerprint information into numerical value fingerprint information by utilizing a text data characterization technology and determining normal fingerprint code vectors only containing numerical values by combining the numerical value fingerprint information and the flow fingerprint information;
the abnormal fingerprint code vector construction module is used for acquiring fake device fingerprint data and fake traffic fingerprint data by utilizing forged Internet of things equipment and constructing an abnormal fingerprint code vector according to the fake device fingerprint data and the fake traffic fingerprint data; the fake traffic fingerprint data is generated based on attack traffic; the attack traffic comprises telnet remote login, FTP remote login, Ping of death attack, ICMP flooding attack, ultra-long packet and ultra-short packet attack;
the balancing processing module is used for carrying out balancing processing on the normal fingerprint code vectors and the abnormal fingerprint code vectors by utilizing a minority class oversampling technology, and determining balanced normal fingerprint code vectors and balanced abnormal fingerprint code vectors;
the data reconstruction model generation module is used for dividing the balanced normal fingerprint code vector and the balanced abnormal fingerprint code vector, determining a training set and a test set, training an extreme learning machine based on a noise reduction self-coding network according to the training set and generating a data reconstruction model;
a detection threshold determination module, configured to determine reconstruction errors of the normal fingerprint code vectors and the abnormal fingerprint code vectors in the training set according to the data reconstruction model, and determine a detection threshold according to the reconstruction errors;
the network abnormal flow detection module is used for detecting the network abnormal flow in the Internet of things according to the detection threshold;
the module for determining normal fingerprint code vector only containing numerical value specifically comprises:
the index establishing unit is used for generating a data dictionary by using the corpus, selecting 50000 words with highest use frequency in the corpus and establishing an index;
the index determining unit corresponding to the non-numerical fingerprint data is used for traversing the index and comparing the index with the non-numerical fingerprint data to determine the index corresponding to the non-numerical fingerprint data;
the evaluation unit is used for evaluating the frequency of the indexes corresponding to the non-numerical fingerprint data appearing in the whole data dictionary and taking the non-numerical fingerprint data with the frequency higher than a frequency threshold value as numerical fingerprint information;
and the normal fingerprint code vector determining unit is used for determining the normal fingerprint code vector only containing the numerical value by combining the numerical value fingerprint information and the flow fingerprint information.
8. The IoT network anomaly traffic detection system in accordance with claim 7, further comprising:
the standard deviation and mean value calculating unit is used for calculating the standard deviation and mean value of the fingerprint code data in the normal fingerprint code vector;
a normalization processing unit for normalizing the equation
Figure FDA0003514507260000061
the fingerprint code data in the normal fingerprint code vector is standardized to generate new standard fingerprint code data, and the new standard fingerprint code data is recombined into the standard fingerprint code vector; d'_n is the new standard fingerprint code data; d_n is the fingerprint code data in the normal fingerprint code vector; σ is the standard deviation; μ is the mean value.
CN202010986424.5A 2020-09-18 2020-09-18 IoT network abnormal flow detection method and system Active CN112134875B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010986424.5A CN112134875B (en) 2020-09-18 2020-09-18 IoT network abnormal flow detection method and system

Publications (2)

Publication Number Publication Date
CN112134875A CN112134875A (en) 2020-12-25
CN112134875B true CN112134875B (en) 2022-04-05

Family

ID=73841335

Country Status (1)

Country Link
CN (1) CN112134875B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant