CN112333023A - Intrusion detection system based on flow of Internet of things and detection method thereof - Google Patents


Info

Publication number
CN112333023A
CN112333023A
Authority
CN
China
Prior art keywords
data
internet
things
flow
deep
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011231137.XA
Other languages
Chinese (zh)
Inventor
李焕洲
唐彰国
何丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Normal University
Original Assignee
Sichuan Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Normal University
Priority to CN202011231137.XA
Publication of CN112333023A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an intrusion detection system based on Internet of Things (IoT) traffic. The system comprises a basic data acquisition module, an IoT protocol identification module, a data traffic anomaly detection module and a visual analysis module. The invention also discloses an intrusion detection method based on IoT traffic, comprising the steps of acquiring the initial data of an IoT data flow, determining the protocol type of the acquired flow, performing anomaly detection on the deep packets of the flow, performing anomaly detection on the deep flow, and judging whether the flow is abnormal from the combined deep packet and deep flow results. The invention works through the whole pipeline of an IoT intrusion detection system, from traffic acquisition to detection, improves detection efficiency, prompts security personnel to initiate an incident response plan, and provides a strong safeguard for IoT security.

Description

Intrusion detection system based on flow of Internet of things and detection method thereof
Technical Field
The invention belongs to the technical field of Internet of Things (IoT) security, and particularly relates to an intrusion detection system based on IoT traffic and a detection method thereof.
Background
Because of the dynamics, complexity, and heterogeneity of networks and devices in the Internet of Things, IoT security problems keep growing. Most intrusions against the IoT arrive over the network, new IoT communication protocols keep appearing to suit new IoT scenarios, and at present there is no intrusion detection system aimed specifically at the data traffic of IoT protocols. Research on packet-level inspection of IoT protocols, which is needed to keep IoT devices operating safely and their data stored safely, has progressed slowly.
Disclosure of Invention
The invention aims to solve these problems by providing an intrusion detection system and detection method that take the data traffic in an IoT application environment as the main detection object and subject it to network security inspection, so that security problems are found in time and packet-level traffic detection is realized.
The purpose of the invention is realized by the following technical scheme. An intrusion detection system based on Internet of Things traffic comprises:
a basic data acquisition module, configured to acquire network data traffic in the IoT environment and generate the initial data of the data flow;
an IoT protocol identification module, configured to identify the protocol type of the data flow;
a data traffic anomaly detection module, configured to detect whether the data flow is abnormal;
and a visual analysis module, configured to present the detection result information of the data flow.
Further, the basic data acquisition module comprises:
an interface module, configured to connect to the IoT equipment;
a data traffic acquisition module, configured to acquire network data traffic in the IoT environment either in real time or offline;
a data traffic caching module, configured to buffer the acquired network data traffic;
and a data flow reassembly module, configured to perform session flow reassembly on the network data traffic to generate the initial data of the data flow.
The IoT protocol identification module comprises:
a protocol feature extraction module, configured to extract feature information from the data flow, the feature information comprising the port information, header content information and single-packet protocol semantic information of the initial data of the data flow;
a protocol feature knowledge base, configured to store IoT protocol data resources;
and a protocol feature matching module, configured to match the extracted data flow feature information against the stored IoT protocol data resources to obtain the protocol category of the acquired data flow.
The data traffic anomaly detection module comprises:
a deep packet/deep flow feature extraction module, configured to extract the features of the deep packets in the data traffic and the features of the deep flow in the data traffic;
a deep packet anomaly detection rule base, configured to store the IoT data traffic anomaly rule data, check the extracted deep packet features against the stored rule data for specification conformance, and output a deep packet detection result;
a deep flow classifier, configured to compare the extracted deep flow features with set normal thresholds, detect whether the deep flow is abnormal, and output a deep flow detection result;
and a traffic anomaly judgment module, configured to judge whether the data flow is abnormal according to the deep packet detection result and the deep flow detection result.
An intrusion detection method based on Internet of Things traffic comprises the following steps:
Step 1: acquiring the initial data of the IoT data flow;
Step 2: determining the protocol type of the acquired IoT data flow;
Step 3: performing anomaly detection on the deep packets of the IoT data flow;
Step 4: performing anomaly detection on the deep flow of the IoT data flow;
Step 5: judging whether the IoT data flow is abnormal according to the deep packet detection result and the deep flow detection result; if so, the IoT equipment is judged to be at risk of intrusion, otherwise it is not.
Further, acquiring the initial data of the IoT data flow in step 1 comprises the following steps:
A. acquiring IoT data traffic packets from the IoT link layer or from equipment operating in the IoT environment, and storing the traffic packets in a buffer;
B. performing session flow reassembly on the IoT data traffic to obtain the initial data of the data flow.
Determining the protocol type of the acquired IoT data flow in step 2 comprises the following steps:
a. extracting feature information from the initial data of the data flow, namely its port information, header content information and single-packet protocol semantic information;
b. matching the extracted feature information against the stored IoT protocol data resources, and determining the protocol type of the acquired IoT data flow.
Performing anomaly detection on the deep packets of the IoT data flow in step 3 comprises the following steps:
I. extracting the features of the deep packets in the data traffic, the features comprising the size, type and length of the packet, suspicious content in the payload, and the packet header;
II. checking each extracted deep packet feature against the stored IoT data traffic anomaly rule data for specification conformance, detecting whether each feature is abnormal, judging the deep packet abnormal when any feature is abnormal, and outputting the deep packet detection result.
Performing anomaly detection on the deep flow of the IoT data flow in step 4 comprises the following steps:
i. extracting the features of the deep flow in the data traffic, the features comprising the packet size sequence vector, the total number of packets in the acquired data flow, the total size of the packets in the data flow, the inter-packet time sequence vector, the duration of the data flow, the packet direction sequence vector, the variance (mean square deviation) of packet sizes in the same direction within the flow, the variance of inter-packet times in the same direction, and the number of packets in the same direction;
ii. comparing each extracted deep flow feature with its set normal threshold, detecting whether each feature is abnormal, judging the deep flow abnormal when any feature is abnormal, and outputting the deep flow detection result.
In step 5, the acquired IoT data flow is judged abnormal when either the deep packet or the deep flow is abnormal, or both are.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) The invention designs and builds a basic data acquisition module. When very high traffic volumes arrive, under which an ordinary detection system stops responding or even crashes, the invention can be deployed in a distributed manner: the traffic is mirrored, the mirrored traffic is split, and the pieces are handed to the system for analysis. Combined with the IoT protocol model, the invention provides an IoT detection framework with behaviour monitoring, and realizes IoT packet detection along several dimensions, such as packet specification checks and packet payload checks, by drawing together security events, security standards and security vulnerabilities.
(2) The invention designs and builds an anomaly detection module based on reverse analysis of IoT packets, which improves the accuracy and reliability of IoT traffic detection. Traffic detection links several dimensions, such as packet specification checks, packet payload checks, and flow size and behaviour, so as to raise the detection rate of intrusion detection.
(3) The invention takes the data traffic in the IoT application environment as the main detection object and studies how IoT communication protocols generate and transmit traffic. Large numbers of sensing-layer IoT nodes in industries such as transport and energy communicate with a central control platform through information infrastructure such as gateways, routers and switches, so data is collected at those gateways, routers and switches without affecting service, passed to the IoT protocol identification module, and the IoT protocol is determined by comprehensive identification against the IoT protocol library. The IoT data traffic anomaly detection module combines deep packet detection and deep flow detection, mines characteristic strings, characteristic ports, characteristic semantics, flow intervals, flow sizes, flow durations and the like, outputs the detection result, and displays the data in the visual analysis module. Network security inspection of the data traffic in the IoT environment finds security problems in time and realizes packet-level traffic detection.
Drawings
Fig. 1 is a block diagram of the intrusion detection system based on Internet of Things traffic according to the present invention.
Fig. 2 is a block diagram of the basic data acquisition module according to the present invention.
Fig. 3 is a block diagram of the Internet of Things protocol identification module according to the present invention.
Fig. 4 is a block diagram of the data traffic anomaly detection module according to the present invention.
Fig. 5 is a flowchart of the intrusion detection method based on Internet of Things traffic according to the present invention.
Fig. 6 is a flowchart of the method for acquiring the initial data of an Internet of Things data flow according to the present invention.
Fig. 7 is a flowchart of the method for determining the protocol type of an acquired Internet of Things data flow according to the present invention.
Fig. 8 is a flowchart of the method for performing anomaly detection on the deep packets of an Internet of Things data flow according to the present invention.
Fig. 9 is a flowchart of the method for performing anomaly detection on the deep flow of an Internet of Things data flow according to the present invention.
Fig. 10 is a flowchart of the visualization of Internet of Things packet anomaly detection.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1
As shown in Fig. 1, the intrusion detection system based on Internet of Things traffic includes a basic data acquisition module, an IoT protocol identification module connected to the basic data acquisition module, a data traffic anomaly detection module connected to the IoT protocol identification module, and a visual analysis module connected to the data traffic anomaly detection module.
Specifically, the basic data acquisition module runs on, or is mounted in, third-party IoT equipment. It acquires network data traffic in the IoT environment, generates the initial data of the data flow, and passes it to the IoT protocol identification module. The module can capture, in real time, the packets flowing through the network card at the IoT link layer, and can also export pending IoT packets from equipment running in the IoT environment; ordinary traffic is fed directly to the IoT protocol identification module, while very high traffic volumes are split before being fed to it.
The basic data acquisition module comprises an interface module, a data traffic acquisition module, a data traffic caching module and a data flow reassembly module. As shown in Fig. 2, the data traffic acquisition module is connected to the interface module, the data traffic caching module to the data traffic acquisition module, and the data flow reassembly module to the data traffic caching module.
Specifically, the interface module is connected to an IoT device such as a router, gateway or switch, and may be a router interface, gateway interface or switch interface.
The data traffic acquisition module captures the packets flowing through the IoT link layer in real time; it can also export pending IoT packets from equipment operating in the IoT environment, splitting them when the traffic volume is very high, and passes the acquired network data traffic to the data traffic caching module.
The data traffic caching module buffers the acquired network data traffic. The data flow reassembly module performs session flow reassembly on the network data traffic so that it yields the initial data of the data flow, and passes that initial data to the IoT protocol identification module.
The IoT protocol identification module identifies the protocol category of the data flow. As shown in Fig. 3, it comprises a protocol feature extraction module, a protocol feature matching module connected to the protocol feature extraction module, and a protocol feature knowledge base connected to the protocol feature matching module.
Specifically, the protocol feature extraction module extracts feature information from the data flow passed on by the basic data acquisition module; the extracted feature information includes the port information of the initial data of the data flow, its header content information, its single-packet protocol semantic information, and the like.
The protocol feature knowledge base stores IoT protocol data resources. The protocol feature matching module matches the data flow feature information extracted by the protocol feature extraction module against the IoT protocol data resources stored in the protocol feature knowledge base and identifies the protocol type of the acquired data flow. The protocol feature knowledge base reuses IoT protocol data resources from around the world to extract the key features of each IoT protocol, so the protocol feature matching module can find and identify the protocol category of the acquired data flow in the knowledge base.
The data traffic anomaly detection module detects whether the data flow is abnormal. Specifically, as shown in Fig. 4, it comprises a deep packet/deep flow feature extraction module, a deep packet anomaly detection rule base and a deep flow classifier each connected to the deep packet/deep flow feature extraction module, and a traffic anomaly judgment module connected to the deep packet anomaly detection rule base and the deep flow classifier.
The deep packet/deep flow feature extraction module extracts the features of the deep packets in the acquired data traffic and the features of the deep flow in the data traffic. The extracted deep packet features include the size, type and length of the packet, suspicious content in the payload, packet header information, and the like; the deep flow features include the packet size sequence vector, the total number of packets in the data flow, the total size of the packets in the data flow, the inter-packet time sequence vector, the duration of the data flow, the packet direction sequence vector, the variance (mean square deviation) of packet sizes in the same direction within the flow, the variance of inter-packet times in the same direction, and the number of packets in the same direction. The module sends the extracted deep packet features to the deep packet anomaly detection rule base and the extracted deep flow features to the deep flow classifier.
The deep packet anomaly detection rule base stores the IoT data traffic anomaly rule data, checks the deep packet features extracted by the deep packet/deep flow feature extraction module against the IoT data traffic anomaly rule data stored in the rule base for specification conformance, judges whether the deep packet is abnormal, and outputs the deep packet detection result to the traffic anomaly judgment module.
The deep flow classifier compares each extracted deep flow feature with its set normal threshold, detects whether the deep flow is abnormal, and outputs the deep flow detection result to the traffic anomaly judgment module.
The traffic anomaly judgment module judges whether the acquired data flow is abnormal according to the deep packet detection result from the deep packet anomaly detection rule base and the deep flow detection result from the deep flow classifier, and passes the judgment to the visual analysis module.
After receiving the information from the traffic anomaly judgment module, the visual analysis module extracts the session data of the detection result and generates a detection report, so as to present the detection result information of the data flow; the IoT equipment can also be monitored, managed and protected through the security interface of the visual analysis module, which enables remote management of the equipment.
Example 2
This embodiment adopts the detection method of the intrusion detection system based on Internet of Things traffic of Embodiment 1. As shown in Fig. 5, the method comprises the following steps:
Step 1: the basic data acquisition module acquires the initial data of the IoT data flow. As shown in Fig. 6, this comprises the following steps:
A. The basic data acquisition module is connected to a router, gateway or switch through its interface module. When it is started, its data traffic acquisition module acquires IoT data traffic packets from the IoT link layer or from equipment running in the IoT environment and stores them in the data traffic caching module. When the packets are acquired from equipment operating in the IoT environment and the traffic volume is very high, the packets can be split before being stored in the data traffic caching module.
B. The data flow reassembly module performs session flow reassembly on the acquired IoT data traffic to obtain the initial data of the data flow.
Step 2: the IoT protocol identification module determines the protocol type of the IoT data flow generated in step 1. As shown in Fig. 7, the specific steps are as follows:
a. The protocol feature extraction module extracts the feature information of the initial data of the data flow, namely its port information, header content information and single-packet protocol semantic information.
b. The protocol feature matching module matches the extracted feature information against the IoT protocol data resources stored in the protocol feature knowledge base to determine the protocol type of the acquired IoT data flow.
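The port, header and single-packet semantic matching of steps a and b, as an added worked example that is not part of the patent and not the inventors' code. It assumes a three-entry knowledge base written from the public MQTT, CoAP and Modbus/TCP specifications; the `Packet` type, the `KNOWLEDGE_BASE` entries and the sample packets are all constructed for this example. The point it shows is that the semantic check decides: the port only orders the candidates, so an MQTT CONNECT on a non-standard port is still recognised and an HTTP request sent to port 1883 is not labelled MQTT.

```python
"""Added example (not from the patent): IoT protocol identification by
port hint, header bytes and single-packet semantics, matched against a
small protocol knowledge base. Knowledge-base entries are assumptions
taken from the public MQTT, CoAP and Modbus/TCP specifications."""
import struct
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:               # assumed minimal packet record
    src_port: int
    dst_port: int
    transport: str          # "tcp" or "udp"
    payload: bytes          # bytes above the transport layer


def mqtt_semantics(p: bytes) -> bool:
    """MQTT CONNECT: control byte 0x10, varint remaining length that must
    match the bytes that follow, then a length-prefixed protocol name."""
    if len(p) < 2 or p[0] != 0x10:
        return False
    i, mult, rem = 1, 1, 0
    while True:                      # remaining-length varint, at most 4 bytes
        if i >= len(p) or i > 4:
            return False
        rem += (p[i] & 0x7F) * mult
        mult *= 128
        i += 1
        if not p[i - 1] & 0x80:
            break
    if rem != len(p) - i or len(p) < i + 2:
        return False
    name_len = struct.unpack(">H", p[i:i + 2])[0]
    return p[i + 2:i + 2 + name_len] in (b"MQTT", b"MQIsdp")


def coap_semantics(p: bytes) -> bool:
    """CoAP: 4-byte header, version bits == 1, token length 0..8."""
    if len(p) < 4:
        return False
    ver, tkl = p[0] >> 6, p[0] & 0x0F
    return ver == 1 and tkl <= 8 and len(p) >= 4 + tkl


def modbus_semantics(p: bytes) -> bool:
    """Modbus/TCP MBAP: protocol id 0, length == bytes after the length
    field, function code 1..127 (high bit marks an exception response)."""
    if len(p) < 8:
        return False
    _tid, proto, length, _uid, func = struct.unpack(">HHHBB", p[:8])
    return proto == 0 and length == len(p) - 6 and 1 <= (func & 0x7F) <= 127


@dataclass(frozen=True)
class ProtocolSignature:    # one knowledge-base entry
    name: str
    transport: str
    ports: FrozenSet[int]   # port hint only, never decisive on its own
    semantics: Callable[[bytes], bool]


KNOWLEDGE_BASE: List[ProtocolSignature] = [
    ProtocolSignature("MQTT", "tcp", frozenset({1883}), mqtt_semantics),
    ProtocolSignature("CoAP", "udp", frozenset({5683}), coap_semantics),
    ProtocolSignature("Modbus/TCP", "tcp", frozenset({502}), modbus_semantics),
]


def identify_protocol(pkt: Packet) -> Optional[str]:
    """Return the matching protocol name, or None. The port only orders the
    candidates; a signature is accepted only if its semantic check passes,
    so a service on an odd port is still found and junk on 1883 is not MQTT."""
    hinted = lambda s: pkt.src_port in s.ports or pkt.dst_port in s.ports
    candidates = sorted((s for s in KNOWLEDGE_BASE if s.transport == pkt.transport),
                        key=lambda s: 0 if hinted(s) else 1)
    for sig in candidates:
        if sig.semantics(pkt.payload):
            return sig.name
    return None


# Constructed sample packets (not captured traffic).
MQTT_CONNECT = bytes.fromhex("10 0c 00 04 4d 51 54 54 04 02 00 3c 00 00")   # CONNECT, "MQTT" v4
COAP_GET = bytes.fromhex("40 01 12 34 b4 74 65 6d 70")                      # CON GET /temp
MODBUS_READ = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")          # read 10 registers
```

Adding a protocol means adding one `ProtocolSignature` with its own semantic check; the matcher itself does not change. A production knowledge base would carry several semantic checks per protocol (one per message type that can open a session), since only the first packet of a flow is usually worth classifying.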
Step 3: the data traffic anomaly detection module performs anomaly detection on the deep packets of the IoT data flow. As shown in Fig. 8, the specific detection steps are as follows:
I. The deep packet/deep flow feature extraction module extracts the features of the deep packets in the data traffic and passes them to the deep packet anomaly detection rule base. The extracted deep packet features comprise the size, type and length of the packet, suspicious content in the payload, and the packet header.
II. The deep packet anomaly detection rule base, by packet-by-packet analysis and pattern matching, combines the protocol type of the IoT data flow with the extracted deep packet features and the stored IoT data traffic anomaly rule data; when an extracted feature does not conform to the stored rule data, that feature is abnormal. When any feature of the deep packet is abnormal, the deep packet is judged abnormal and the deep packet detection result is output.
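Step II as an added worked example, not the patent's rule base. The rules form an assumed specification-conformance rule set for Modbus/TCP covering the five deep packet features named in step I (size, type, length field, payload content, header fields); the allowed function codes, the suspicious-content pattern and the sample packets are constructed for this example. A packet is reported abnormal as soon as any rule fails, as the text requires. Two design choices go beyond the text and are marked in the code: a structural failure (size or length field) stops the remaining rules, since they index into the packet and would otherwise read past it, and a protocol with no rule set is treated as abnormal rather than silently passed.

```python
"""Added example (not from the patent): a deep packet anomaly rule base for
one identified protocol. Each rule checks one of the deep packet features
named in step I; any failing rule makes the packet abnormal. The Modbus/TCP
rules, allowed function codes and sample packets are assumptions."""
import re
import struct
from typing import Callable, Dict, List, Tuple

Rule = Callable[[bytes], Tuple[bool, str]]   # returns (conforms?, detail)


def r_size(p: bytes) -> Tuple[bool, str]:
    """Size: a Modbus/TCP ADU is 8..260 bytes (MBAP + function + data)."""
    return 8 <= len(p) <= 260, f"size {len(p)}"


def r_length_field(p: bytes) -> Tuple[bool, str]:
    """Length: the MBAP length field must equal the byte count after it;
    a mismatch is a classic truncation / parser-confusion sign."""
    if len(p) < 6:
        return False, "truncated before length field"
    length = struct.unpack(">H", p[4:6])[0]
    return length == len(p) - 6, f"length field {length}, actual {len(p) - 6}"


def r_header(p: bytes) -> Tuple[bool, str]:
    """Header: protocol id must be 0 and the unit id at most 247."""
    proto, uid = struct.unpack(">H", p[2:4])[0], p[6]
    return proto == 0 and uid <= 247, f"proto {proto} unit {uid}"


ALLOWED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}   # assumed: plain coil/register access only


def r_type(p: bytes) -> Tuple[bool, str]:
    """Type: the function code must be one the device is expected to serve;
    diagnostics (8) or vendor-specific codes are not."""
    return p[7] in ALLOWED_FUNCTIONS, f"function {p[7]}"


# Assumed suspicious-content pattern: shell paths, traversal, NOP sleds, downloaders.
SUSPICIOUS = re.compile(rb"/bin/sh|\.\./|\x90{16,}|wget |curl ")


def r_payload(p: bytes) -> Tuple[bool, str]:
    """Payload: the data area carries register values, never shell
    fragments, traversal strings or NOP sleds."""
    m = SUSPICIOUS.search(p[8:])
    return m is None, f"payload contains {m.group(0)!r}" if m else "payload clean"


RULE_BASE: Dict[str, List[Rule]] = {
    "Modbus/TCP": [r_size, r_length_field, r_header, r_type, r_payload],
}
STRUCTURAL = (r_size, r_length_field)   # design choice: a failure here stops further rules


def inspect_packet(protocol: str, payload: bytes) -> Tuple[bool, List[str]]:
    """Run every rule for the identified protocol; abnormal if any fails.
    Structural failures short-circuit because later rules index into the
    packet and assume a sane header. An unknown protocol is treated as
    abnormal (fail closed) since no rule set can vouch for it."""
    rules = RULE_BASE.get(protocol)
    if rules is None:
        return True, [f"no rule set for protocol {protocol!r}"]
    reasons: List[str] = []
    for rule in rules:
        ok, detail = rule(payload)
        if not ok:
            reasons.append(f"{rule.__name__}: {detail}")
            if rule in STRUCTURAL:
                break
    return bool(reasons), reasons


# Constructed sample packets (not captured traffic).
NORMAL_READ = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")        # read 10 registers
BAD_LENGTH = bytes.fromhex("00 02 00 00 00 ff 01 03 00 00 00 0a")         # length 255, actual 6
DIAG_FUNC = bytes.fromhex("00 03 00 00 00 04 01 08 00 01")                # diagnostics, fn 8
SHELL_IN_DATA = bytes.fromhex("00 04 00 00 00 09 01 10") + b"/bin/sh"     # write carrying a shell path
```

The rule base is keyed by the protocol name produced in step 2, which is what lets the same engine hold specification rules for several IoT protocols without the rules for one protocol ever being applied to packets of another.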
Step 4: the data traffic anomaly detection module performs anomaly detection on the deep flow of the IoT data flow. As shown in Fig. 9, the specific detection steps are as follows:
i. The deep packet/deep flow feature extraction module extracts the features of the deep flow in the data traffic and passes them to the deep flow classifier. The extracted deep flow features comprise the packet size sequence vector, the total number of packets in the data flow, the total size of the packets in the data flow, the inter-packet time sequence vector, the duration of the data flow, the packet direction sequence vector, the variance (mean square deviation) of packet sizes in the same direction within the flow, the variance of inter-packet times in the same direction, and the number of packets in the same direction.
ii. The deep flow classifier compares each extracted deep flow feature with its set normal feature parameter threshold; when an extracted feature exceeds its threshold, that feature is abnormal. When any feature of the deep flow is abnormal, the deep flow is judged abnormal and the deep flow detection result is output.
Step 5: the traffic anomaly judgment module judges whether the IoT data flow is abnormal according to the deep packet detection result and the deep flow detection result; if so, the IoT equipment is judged to be at risk of intrusion, otherwise it is not. Specifically, the acquired IoT data flow is judged abnormal when either the deep packet or the deep flow is abnormal, or both are.
In addition, as shown in Fig. 10, after step 5 the visual analysis module can present information such as the location and content of the anomaly in the data flow and generate a detection report, which makes it convenient for staff to review and follow up.
As described above, the present invention can be realized in this preferred manner.

Claims (10)

1. An intrusion detection system based on Internet of Things traffic, comprising:
a basic data acquisition module, configured to acquire network data traffic in the IoT environment and generate the initial data of the data flow;
an IoT protocol identification module, configured to identify the protocol type of the data flow;
a data traffic anomaly detection module, configured to detect whether the data flow is abnormal;
and a visual analysis module, configured to present the detection result information of the data flow.
2. The system of claim 1, wherein the basic data acquisition module comprises:
an interface module, configured to connect to the IoT equipment;
a data traffic acquisition module, configured to acquire network data traffic in the IoT environment either in real time or offline;
a data traffic caching module, configured to buffer the acquired network data traffic;
and a data flow reassembly module, configured to perform session flow reassembly on the network data traffic to generate the initial data of the data flow.
3. The system of claim 1, wherein the IoT protocol identification module comprises:
a protocol feature extraction module, configured to extract feature information from the data flow, the feature information comprising the port information, header content information and single-packet protocol semantic information of the initial data of the data flow;
a protocol feature knowledge base, configured to store IoT protocol data resources;
and a protocol feature matching module, configured to match the extracted data flow feature information against the stored IoT protocol data resources to obtain the protocol category of the acquired data flow.
4. The system of claim 1, wherein the data traffic anomaly detection module comprises:
a deep packet/deep flow feature extraction module, configured to extract the features of the deep packets in the data traffic and the features of the deep flow in the data traffic;
a deep packet anomaly detection rule base, configured to store the IoT data traffic anomaly rule data, check the extracted deep packet features against the stored rule data for specification conformance, and output a deep packet detection result;
a deep flow classifier, configured to compare the extracted deep flow features with set normal thresholds, detect whether the deep flow is abnormal, and output a deep flow detection result;
and the flow abnormality judging module is used for judging whether the data flow is abnormal or not according to the deep packet detection result and the deep flow detection result.
5. An intrusion detection method based on the flow of the Internet of things is characterized by comprising the following steps:
step 1: acquiring initial data of the data stream of the Internet of things;
step 2: determining the protocol type of the acquired data stream of the Internet of things;
step 3: carrying out anomaly detection on the deep packet of the data stream of the Internet of things;
step 4: carrying out anomaly detection on the deep stream of the data stream of the Internet of things;
step 5: judging whether the data flow of the Internet of things is abnormal or not according to the detection result of the deep packet and the detection result of the deep stream; if yes, judging that the equipment of the Internet of things has the intrusion risk, and if not, judging that the equipment of the Internet of things does not have the intrusion risk.
6. The intrusion detection method based on the traffic of the internet of things according to claim 5, wherein the step 1 of obtaining the initial data of the data stream of the internet of things comprises the following steps:
A. acquiring an Internet of things data traffic packet from an Internet of things link layer or equipment operating in the Internet of things environment, and storing the traffic packet on a buffer area;
B. and carrying out session stream recombination on the data traffic of the Internet of things to obtain initial data of the data stream.
7. The method according to claim 5, wherein the step 2 of determining the protocol type of the acquired data stream of the Internet of things comprises the following steps:
a. extracting characteristic information of initial data of the data stream; the extracting of the characteristic information of the initial data of the data stream comprises: port information, header content information and single packet protocol semantic information of initial data;
b. and matching the extracted characteristic information of the initial data of the data stream with the stored Internet of things protocol data resource, and determining the protocol type of the acquired Internet of things data stream.
8. The intrusion detection method based on the traffic of the internet of things according to claim 5, wherein the step 3 of performing anomaly detection on the deep packet of the data stream of the internet of things comprises the following steps:
i, extracting features of deep packets in data traffic; wherein, the deep packet features in the extracted data traffic include: the size, type and length of the data packet, suspicious information contained in the load and a data packet header;
and II, carrying out standard detection on each extracted feature of the deep packet and the stored data traffic abnormality rule data of the Internet of things, detecting whether each feature of the deep packet is abnormal or not, judging that the deep packet is abnormal when any feature in the deep packet is abnormal, and outputting a detection result of the deep packet.
9. The method for intrusion detection based on internet of things traffic according to claim 5, wherein the step 4 of performing anomaly detection on the deep stream of the internet of things data stream comprises the following steps:
firstly, extracting the features of a deep stream in the data traffic; wherein the extracted deep stream features comprise: a packet size chain vector, the total number of packets in the data stream, the total size of the packets in the data stream, a time chain vector, the duration of the data stream, a direction chain vector, the mean square error of the sizes of the same-direction packets in the deep stream, the mean square error of the times of the same-direction packets in the deep stream, and the sum of the same-direction packets in the deep stream;
secondly, comparing each extracted feature of the deep stream with its set normal threshold value, detecting whether each feature is abnormal, judging that the deep stream is abnormal when any feature of the deep stream is abnormal, and outputting a deep stream detection result.
10. The intrusion detection method based on the traffic of the internet of things according to claim 5, wherein in the step 5, when any one or both of the deep packet and the deep stream is abnormal, it is determined that the acquired data stream of the internet of things is abnormal.
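Claims 7 and 8 describe the packet-level half of the method: protocol identification from port and header content against a protocol knowledge base, and rule-based checks on a deep packet's length and payload. The Python below is an added illustration of those two steps, not code from the patent or its applicant. The knowledge base (MQTT on TCP 1883, whose CONNECT packet starts with control byte 0x10 followed by the length-prefixed protocol name; CoAP on UDP 5683, whose first byte carries version 1 in its top two bits), the rule base and the packets are constructed for the example; the rule names and the `max_len` / `payload_pattern` fields are assumptions of this code.

```python
"""Protocol identification and rule-based deep-packet checks.

Added illustration of claims 7 and 8; not the patent's own code.  The
knowledge base, rules and packets below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class RawPacket:
    transport: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes


def _mqtt_connect(p: bytes) -> bool:
    # MQTT CONNECT: control byte 0x10, remaining length, then the
    # length-prefixed protocol name "MQTT" (v3.1.1 / v5) or "MQIsdp" (v3.1).
    return (len(p) > 2 and p[0] == 0x10
            and (b"\x00\x04MQTT" in p[:12] or b"\x00\x06MQIsdp" in p[:12]))


def _coap(p: bytes) -> bool:
    # CoAP: the top two bits of the first header byte hold version 1.
    return len(p) >= 4 and (p[0] >> 6) == 1


# Constructed protocol knowledge base: name, transport, ports, header check.
PROTOCOL_KB: List[Tuple[str, str, set, Callable[[bytes], bool]]] = [
    ("MQTT", "tcp", {1883, 8883}, _mqtt_connect),
    ("CoAP", "udp", {5683, 5684}, _coap),
]


def identify_protocol(pkt: RawPacket) -> Optional[str]:
    """Claim 7: match header content first, then fall back to the port.

    Header evidence outranks the port so that a protocol moved to an
    unusual port is still recognised; a port match alone covers cases such
    as TLS-wrapped traffic where the plaintext header is not visible.
    """
    for name, transport, _ports, header_ok in PROTOCOL_KB:
        if pkt.transport == transport and header_ok(pkt.payload):
            return name
    for name, transport, ports, _header_ok in PROTOCOL_KB:
        if pkt.transport == transport and pkt.dst_port in ports:
            return name
    return None


@dataclass(frozen=True)
class PacketRule:
    name: str
    protocol: Optional[str]                  # None applies to every protocol
    max_len: Optional[int] = None            # length / size rule
    payload_pattern: Optional[bytes] = None  # regex over the payload


# Constructed anomaly rule base (assumed values).
PACKET_RULES: List[PacketRule] = [
    PacketRule("oversized MQTT packet", "MQTT", max_len=256),
    PacketRule("oversized CoAP packet", "CoAP", max_len=1024),
    PacketRule("shell command in payload", None, payload_pattern=rb"/bin/sh"),
    PacketRule("path traversal in MQTT payload", "MQTT", payload_pattern=rb"\.\./"),
]


def deep_packet_check(pkt: RawPacket, protocol: Optional[str]
                      ) -> Tuple[bool, List[str]]:
    """Claim 8: evaluate every applicable rule; any hit marks the packet."""
    hits: List[str] = []
    for rule in PACKET_RULES:
        if rule.protocol is not None and rule.protocol != protocol:
            continue
        if rule.max_len is not None and len(pkt.payload) > rule.max_len:
            hits.append(rule.name)
        elif rule.payload_pattern is not None and re.search(rule.payload_pattern, pkt.payload):
            hits.append(rule.name)
    return bool(hits), hits


def sample_packets() -> Tuple[RawPacket, RawPacket]:
    """Constructed MQTT CONNECT packets: client id "sensor-01", and a
    client id carrying a directory-traversal sequence."""
    good = RawPacket("tcp", 1883,
                     b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-01")
    bad = RawPacket("tcp", 1883,
                    b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08../../..")
    return good, bad


if __name__ == "__main__":
    for pkt in sample_packets():
        proto = identify_protocol(pkt)
        print(proto, deep_packet_check(pkt, proto))
```

Protocol identification runs first so that protocol-specific rules (the MQTT length bound, for instance) are only applied to packets of that protocol; rules with `protocol=None` apply to every packet regardless of how it was classified.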
CN202011231137.XA 2020-11-06 2020-11-06 Intrusion detection system based on flow of Internet of things and detection method thereof Pending CN112333023A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011231137.XA CN112333023A (en) 2020-11-06 2020-11-06 Intrusion detection system based on flow of Internet of things and detection method thereof


Publications (1)

Publication Number Publication Date
CN112333023A true CN112333023A (en) 2021-02-05

Family

ID=74316496


Country Status (1)

Country Link
CN (1) CN112333023A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904812A (en) * 2021-09-18 2022-01-07 中标慧安信息技术股份有限公司 Internet of things intrusion detection method based on isolated forest
CN113949589A (en) * 2021-12-20 2022-01-18 四川师范大学 Markov image characterization method for network traffic
CN114374530A (en) * 2021-11-25 2022-04-19 江苏开博科技有限公司 IDS system and detection method for monitoring and analyzing based on real-time network flow
CN115134306A (en) * 2022-09-01 2022-09-30 杭州安恒信息技术股份有限公司 Data traffic detection method, device, equipment and medium for terminal of Internet of things

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100138920A1 (en) * 2008-12-03 2010-06-03 Electronics And Telecommunications Research Institute Method and system for detecting and responding to harmful traffic
CN101997700A (en) * 2009-08-11 2011-03-30 上海大学 Internet protocol version 6 (IPv6) monitoring equipment based on deep packet inspection and deep flow inspection
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection
CN102833263A (en) * 2012-09-07 2012-12-19 北京神州绿盟信息安全科技股份有限公司 Method and device for intrusion detection and intrusion protection
CN109995740A (en) * 2018-01-02 2019-07-09 国家电网公司 Threat detection method based on depth protocal analysis


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李焕洲 et al.: "Adding an intrusion detection function to a network information system security platform", Journal of Sichuan Normal University (《四川师范大学学报》) *
苏春: "Research, design and implementation of DPI technology", China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库信息科技辑》) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210205