CN112512073A - Internet of Things device anomaly detection method based on fingerprint identification technology - Google Patents

Info

Publication number: CN112512073A
Application number: CN202011463012.XA
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: equipment, internet, flow, fingerprint, things
Inventors: 俞研, 张小娟, 邓芳伟, 苏铓
Original and current assignee: Nanjing University of Science and Technology
Priority date / filing date: 2020-12-14
Publication date: 2021-03-16
Legal status: Withdrawn (invention patent application withdrawn after publication)

Classifications

    • H04W 24/04 Arrangements for maintaining operational condition (H04W 24/00 Supervisory, monitoring or testing arrangements)
    • H04W 24/06 Testing, supervising or monitoring using simulated traffic
    • H04W 12/12 Detection or prevention of fraud (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • G06N 3/045 Combinations of networks (G06N 3/02 Neural networks; G06N 3/04 Architecture, e.g. interconnection topology)
    • G16Y 40/10 Detection; Monitoring (G16Y 40/00 IoT characterised by the purpose of the information processing)


Abstract

The invention discloses an Internet of Things (IoT) device anomaly detection method based on fingerprint identification technology. The method comprises the following steps: an IoT device connects to a gateway, and the gateway extracts features from the packets of the connecting device to obtain the device's fingerprint features; the device type is identified from the fingerprint features with a device classification model; the device's traffic data is collected in real time, and an anomaly detection model, combined with the device type, judges whether the device is in an abnormal state; if so, an alarm is sent to the user and the device's traffic data is recorded; if not, the device is judged to be operating normally. The invention combines multiple kinds of information about the IoT device into fingerprint features and judges the device's operating state from the device type together with the fingerprint features, which effectively ensures the correctness of the anomaly detection.

Description

Internet of Things device anomaly detection method based on fingerprint identification technology
Technical Field
The invention belongs to the technical field of the Internet of Things, and in particular relates to an IoT device anomaly detection method based on fingerprint identification technology.
Background
With the rapid spread of IoT devices and the rapid adoption of IoT technology, application scenarios such as smart homes, smart healthcare, smart transportation, smart buildings and smart cities keep emerging. IoT devices bring convenience to daily life, but they also bring new threats to network security. Research on the security of IoT devices is the key to protecting the security of the Internet of Things, and research on IoT devices in cyberspace can play an important role in safeguarding critical information infrastructure.
The Internet of Things has the following characteristics: 1) IoT devices have limited resources, such as insufficient storage, battery capacity and computing power; 2) the traffic patterns of IoT devices are simple and fixed; traffic patterns of similar devices are similar, while traffic patterns of different devices differ greatly; 3) IoT devices are numerous and of many types; 4) the way an IoT device generates traffic depends strongly on the user's behaviour, so traffic patterns differ greatly between time periods.
Given these characteristics, traditional anomaly detection methods cannot meet the security requirements of the Internet of Things, so a more intelligent, accurate and effective method is needed to further improve the security detection capability of the Internet of Things.
Disclosure of Invention
The invention aims to provide an IoT device anomaly detection method based on fingerprint identification technology, to solve the problem that the security detection capability of the Internet of Things is insufficient in the prior art.
The technical solution for achieving the above purpose is as follows:
an IoT device anomaly detection method based on fingerprint identification technology, comprising the following steps:
step 1: an IoT device connects to a gateway, and the gateway generates fingerprint feature data from the packets of the connecting device to obtain the device's fingerprint feature data;
step 2: identifying the device type from the fingerprint feature data with a device classification model;
step 3: collecting the device's traffic data in real time and judging, with an anomaly detection model combined with the device type, whether the device is in an abnormal state;
if yes, sending an alarm to the user and recording the device's traffic data;
if not, judging that the device is operating normally.
Further, step 1 specifically comprises the following steps:
step 1.1: splitting the device's source MAC address and destination MAC address into 6 groups each, converting each group from hexadecimal to decimal, and generating 12 feature values T1;
taking the device's protocol source port, protocol destination port, protocol length and protocol type as feature values T2;
step 1.2: combining the feature values T1 and T2 to obtain the device's fingerprint feature data and arranging it into a 4 x 4 fingerprint feature matrix.
Further, step 2 specifically comprises the following step:
the fingerprint feature data is input to the device classification model, which outputs the device type; the device classification model is a pre-trained CNN classifier.
Further, judging with the anomaly detection model in step 3 whether the device is in an abnormal state comprises the following steps:
step 3.1: selecting 4 different time windows and generating, in real time, traffic features that describe how the traffic changes over time;
the traffic features generated for each time window comprise the traffic generated by the source IP, the traffic transmitted between the source IP and the destination IP, the traffic between the source TCP/UDP socket and the destination TCP/UDP socket, and the traffic per unit time;
step 3.2: reducing the dimension of the IoT device's traffic features by principal component analysis, and selecting the principal components with a (cumulative) contribution rate of more than 90% for abnormal traffic detection;
step 3.3: inputting the dimension-reduced traffic features into a pre-trained anomaly detection model and judging whether the device is in an abnormal state.
Further, the 4 different time windows in step 3.1 are 100 ms, 500 ms, 1 s and 100 s.
Further, the pre-trained anomaly detection model is an XGBoost-based classification model.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides an IoT device anomaly detection method based on fingerprint identification, in which multiple kinds of information, such as the device's packets, are combined into fingerprint features, and the device's operating state is judged from the device type together with the fingerprint features, which effectively ensures the correctness of the anomaly detection. If the device's operating state or traffic data is abnormal, an alarm that the device may be operating abnormally is raised to remind the responsible staff to check, confirm and handle it; if the device's traffic does not differ from normal traffic, the device is considered to be operating normally. The anomaly detection combines multiple kinds of information (packets, traffic, device type), and the operating data can be stored and manually labelled as additional training data for incrementally training the device detection model and the anomaly detection model, which improves detection accuracy.
Drawings
FIG. 1: overall architecture diagram of the monitoring system of the invention.
FIG. 2: flow chart of the IoT device anomaly detection method based on fingerprint identification technology of the invention.
FIG. 3: flow chart of the model updating process of the IoT device anomaly detection method based on fingerprint identification technology of the invention.
Detailed Description
The present invention is described in further detail below with reference to the drawings.
The invention provides an IoT device anomaly detection method based on fingerprint identification technology, comprising the following steps.
The IoT device connects to the gateway, and fingerprint feature data is generated from the device's packets.
The fingerprint feature data comprises the following information: protocol source port, protocol destination port, protocol length, protocol type, source MAC address and destination MAC address. When the device starts communicating with the gateway, the source MAC address and the destination MAC address are each split into 6 groups, each group is converted from hexadecimal to decimal, giving 12 feature values; adding the protocol source port, protocol destination port, protocol length and protocol type gives 16 fingerprint feature values.
The 16 fingerprint feature values are arranged into a 4 x 4 fingerprint feature matrix and input to the trained CNN classifier, which outputs the category of the IoT device connected to the gateway.
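As an added worked example, not code from the patent or from Nanjing University of Science and Technology, the following Python script implements steps 1.1 and 1.2 as described above (and as recited in claim 2): it parses a constructed Ethernet II / IPv4 / UDP frame, splits the source and destination MAC addresses into six decimal octets each (12 values, T1), takes the source port, destination port, IP total length and IP protocol number as T2, and arranges the 16 values row-major into the 4 x 4 fingerprint matrix that the CNN classifier consumes. The frame layout, the reading of "protocol length" as the IPv4 total-length field and of "protocol type" as the IP protocol number, and every address and port value are assumptions; the patent does not specify them.

```python
"""Device fingerprint features (steps 1.1-1.2): 12 MAC octets + 4 protocol fields -> 4x4 matrix."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_octets(mac: bytes) -> list:
    """Step 1.1, T1: split a 6-byte MAC into 6 groups and read each group as decimal 0..255."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return list(mac)


def parse_frame(frame: bytes) -> dict:
    """Pull the six fingerprint fields out of an Ethernet II / IPv4 / TCP-or-UDP frame."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet II + IPv4")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length, options included
    (total_len,) = struct.unpack("!H", ip[2:4])   # assumed meaning of "protocol length"
    proto = ip[9]                                 # assumed meaning of "protocol type"
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        raise ValueError(f"unsupported transport protocol {proto}")
    if len(ip) < ihl + 4:
        raise ValueError("truncated transport header")
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])  # same offsets for TCP and UDP
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_port": src_port,
            "dst_port": dst_port, "length": total_len, "proto": proto}


def fingerprint_matrix(frame: bytes) -> list:
    """Step 1.2: T1 (12 values) + T2 (4 values), reshaped row-major into a 4x4 matrix."""
    f = parse_frame(frame)
    t1 = mac_octets(f["src_mac"]) + mac_octets(f["dst_mac"])
    t2 = [f["src_port"], f["dst_port"], f["length"], f["proto"]]
    flat = t1 + t2
    return [flat[i:i + 4] for i in range(0, 16, 4)]


def build_udp_frame(src_mac: bytes, dst_mac: bytes, src_ip: bytes, dst_ip: bytes,
                    src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed test input: Ethernet II + IPv4 (no options, zero checksums) + UDP."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


# Constructed sample: a CoAP GET (UDP/5683) from a made-up device MAC to a made-up gateway MAC.
SAMPLE_FRAME = build_udp_frame(
    src_mac=bytes.fromhex("b0c5540a1b2c"), dst_mac=bytes.fromhex("001122334455"),
    src_ip=bytes([192, 168, 1, 10]), dst_ip=bytes([192, 168, 1, 1]),
    src_port=49152, dst_port=5683, payload=bytes.fromhex("40010001"),
)

if __name__ == "__main__":
    for row in fingerprint_matrix(SAMPLE_FRAME):
        print(row)
```

Two practical points follow from the feature set. First, the MAC octets lie in 0..255 while the ports and length reach 65535, so the matrix should be standardized (the model-update section below mentions this step) before it is fed to the CNN, or the port columns will dominate. Second, every one of the 16 values is chosen by the sender: a device that forges its MAC and picks familiar ports produces the fingerprint of whatever type it wants to be classified as, so the classifier establishes the claimed type only, and the traffic model of step 3 is what has to catch an impostor that then behaves differently.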
After the device is connected, the anomaly monitoring service monitors the device's traffic data in real time to detect abnormal traffic.
To fully characterize how the traffic statistics change over time, the device's traffic feature data is collected over several time windows of different lengths.
Four windows are used: 100 ms, 500 ms, 1 s and 100 s. Each window produces 4 traffic features: the traffic generated by the source IP, the traffic transmitted between the source IP and the destination IP, the traffic between the source TCP/UDP socket and the destination TCP/UDP socket, and the traffic per unit time. The 16 traffic features from the 4 windows, together with the device category, give 17 statistical features.
Based on the collected traffic features, the traffic feature data of the IoT device is reduced in dimension by principal component analysis, and the principal components with a (cumulative) contribution rate of more than 90% are selected for abnormal traffic detection.
The anomaly monitoring service contains an XGBoost-based classification model; the dimension-reduced traffic features are used to judge the anomaly state, and alarms are raised through the anomaly monitoring services for the different device types.
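As a second added example (again not the patent's own code), the following Python script builds the step 3.1 feature vector for the newest packet of a device from a constructed packet trace: for each of the four windows (100 ms, 500 ms, 1 s, 100 s) it computes the bytes sent by the source IP, the bytes exchanged between the source and destination IP, the bytes exchanged between the source and destination TCP/UDP sockets, and the bytes per second in the window, giving 16 values, and appends the device class from step 2 for the 17-value vector. It also implements the step 3.2 selection rule, read here as keeping the leading principal components whose cumulative contribution rate reaches 90%, applied to a constructed explained-variance vector. The PCA decomposition itself and the XGBoost classifier are left to libraries (for example scikit-learn's PCA and xgboost.XGBClassifier) and are not shown. Millisecond timestamps, byte counts as the traffic measure, counting both directions of a conversation, and the "now - window < ts <= now" window boundary are assumptions.

```python
"""Windowed traffic features (step 3.1) and the 90% PCA contribution rule (step 3.2)."""
from dataclasses import dataclass

# The four windows named in the patent, in milliseconds (assumption: ms timestamps).
WINDOWS_MS = (100, 500, 1_000, 100_000)


@dataclass(frozen=True)
class Packet:
    ts_ms: int       # capture time in milliseconds (assumed unit)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    size: int        # bytes on the wire


def _between(a: Packet, b: Packet, by_socket: bool) -> bool:
    """True if packet b flows between the same endpoints as packet a, in either direction."""
    fwd = (a.src_ip, a.src_port, a.dst_ip, a.dst_port)
    rev = (a.dst_ip, a.dst_port, a.src_ip, a.src_port)
    key = (b.src_ip, b.src_port, b.dst_ip, b.dst_port)
    if not by_socket:
        # compare the IP pair only, dropping the port fields
        fwd, rev, key = fwd[::2], rev[::2], key[::2]
    return key in (fwd, rev)


def window_features(packets, current: Packet, window_ms: int) -> list:
    """Four features for one window ending at `current` (boundary rule is an assumption)."""
    recent = [p for p in packets if current.ts_ms - window_ms < p.ts_ms <= current.ts_ms]
    by_src_ip = sum(p.size for p in recent if p.src_ip == current.src_ip)
    by_ip_pair = sum(p.size for p in recent if _between(current, p, by_socket=False))
    by_socket = sum(p.size for p in recent if _between(current, p, by_socket=True))
    rate_bps = sum(p.size for p in recent) * 1000 / window_ms   # bytes per second
    return [by_src_ip, by_ip_pair, by_socket, rate_bps]


def feature_vector(packets, device_class: int) -> list:
    """16 window features (4 windows x 4) plus the device class from step 2: 17 values."""
    current = max(packets, key=lambda p: p.ts_ms)
    feats = []
    for w in WINDOWS_MS:
        feats.extend(window_features(packets, current, w))
    return feats + [device_class]


def select_principal_components(explained_variance_ratio, threshold=0.9) -> int:
    """Step 3.2: number of leading components whose cumulative contribution >= threshold."""
    total = 0.0
    for k, ratio in enumerate(explained_variance_ratio, start=1):
        total += ratio
        if total >= threshold:
            return k
    raise ValueError("explained variance ratios never reach the threshold")


# Constructed trace: a device at 192.168.1.10 talking TLS to 203.0.113.5, with one DNS exchange.
SAMPLE_TRACE = [
    Packet(0,   "192.168.1.10", "203.0.113.5",  40001, 443,   600),
    Packet(50,  "192.168.1.10", "203.0.113.5",  40001, 443,   600),
    Packet(300, "192.168.1.10", "192.168.1.1",  50000, 53,    80),
    Packet(800, "192.168.1.1",  "192.168.1.10", 53,    50000, 120),
    Packet(950, "192.168.1.10", "203.0.113.5",  40001, 443,   600),
]

if __name__ == "__main__":
    vec = feature_vector(SAMPLE_TRACE, device_class=2)
    print(len(vec), vec)
    print(select_principal_components([0.55, 0.25, 0.12, 0.05, 0.03]))
```

The 100 s window is what lets a per-packet vector carry slow drift (a camera that starts uploading every minute instead of on motion), while the 100 ms window reacts to bursts; both are needed because, as the background section notes, the same device's traffic differs between time periods. Note that the explained-variance ratios must come from PCA fitted on labelled training data and then be frozen; refitting PCA on live traffic would let an attacker's own traffic shift the projection the classifier was trained on.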
The IoT device anomaly detection system based on fingerprint identification technology is shown in FIG. 1. The anomaly monitoring service is the monitoring core of the system and is responsible for monitoring whether the real-time traffic of the IoT terminals is abnormal; it exchanges real-time traffic data with the communication gateway. The monitoring service can also be intervened in manually and provides a blacklist and a whitelist of monitored devices: blacklisted devices are refused access to the system outright, and the traffic of whitelisted devices is not monitored.
The monitoring gateway identifies the device type of each newly connected device and determines whether the device is abnormal; the device's real-time traffic is passed to the anomaly monitoring service for real-time traffic anomaly detection. The monitoring gateway communicates remotely with the cloud service and accepts the cloud's control over the IoT devices.
The process of updating the fingerprint identification and anomaly detection models of the IoT devices in this embodiment is shown in FIG. 3. The monitoring gateway stores the fingerprint feature data of the IoT devices in a relational database; the stored data is standardized, and the standardized data is used to train the device type identification model and the abnormal traffic detection model: 1. extract the device fingerprint identification feature data, label the device type manually, and use the processed data to train the device type identification model; 2. extract the abnormal traffic detection feature data, label manually whether it is abnormal, reduce its dimension by principal component analysis, keep the principal components with a contribution rate of more than 90%, and use the processed data to train the abnormal traffic detection model. Training the device type identification model and the abnormal traffic detection model on this data achieves incremental updating of the abnormal traffic detection model and maintains its accuracy.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should fall within its scope of protection.

Claims (6)

1. An Internet of Things device anomaly detection method based on fingerprint identification technology, characterized by comprising the following steps:
step 1: an IoT device connects to a gateway, and the gateway generates fingerprint feature data from the packets of the connecting device to obtain the device's fingerprint feature data;
step 2: identifying the device type from the fingerprint feature data with a device classification model;
step 3: collecting the device's traffic data in real time and judging, with an anomaly detection model combined with the device type, whether the device is in an abnormal state;
if yes, sending an alarm to the user and recording the device's traffic data;
if not, judging that the device is operating normally.
2. The Internet of Things device anomaly detection method based on fingerprint identification technology as claimed in claim 1, wherein step 1 specifically comprises the following steps:
step 1.1: splitting the device's source MAC address and destination MAC address into 6 groups each, converting each group from hexadecimal to decimal, and generating 12 feature values T1;
taking the device's protocol source port, protocol destination port, protocol length and protocol type as feature values T2;
step 1.2: combining the feature values T1 and T2 to obtain the device's fingerprint feature data and arranging it into a 4 x 4 fingerprint feature matrix.
3. The Internet of Things device anomaly detection method based on fingerprint identification technology as claimed in claim 2, wherein step 2 specifically comprises the following step:
inputting the fingerprint feature data into the device classification model, which outputs the device type, the device classification model being a pre-trained CNN classifier.
4. The Internet of Things device anomaly detection method based on fingerprint identification technology as claimed in claim 3, wherein judging with the anomaly detection model in step 3 whether the device is in an abnormal state comprises the following steps:
step 3.1: selecting 4 different time windows and generating, in real time, traffic features that describe how the traffic changes over time;
the traffic features generated for each time window comprise the traffic generated by the source IP, the traffic transmitted between the source IP and the destination IP, the traffic between the source TCP/UDP socket and the destination TCP/UDP socket, and the traffic per unit time;
step 3.2: reducing the dimension of the IoT device's traffic features by principal component analysis, and selecting the principal components with a contribution rate of more than 90% for abnormal traffic detection;
step 3.3: inputting the dimension-reduced traffic features into a pre-trained anomaly detection model and judging whether the device is in an abnormal state.
5. The Internet of Things device anomaly detection method based on fingerprint identification technology as claimed in claim 4, wherein the 4 different time windows in step 3.1 are 100 ms, 500 ms, 1 s and 100 s.
6. The Internet of Things device anomaly detection method based on fingerprint identification technology as claimed in claim 4 or 5, wherein the pre-trained anomaly detection model is an XGBoost-based classification model.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011463012.XA 2020-12-14 2020-12-14 Internet of Things device anomaly detection method based on fingerprint identification technology

Publications (1)

Publication Number Publication Date
CN112512073A 2021-03-16

Family

ID=74972562

Country Status (1)

Country Link
CN (1) CN112512073A (en)

Cited By (4 families, 7 publications)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765891A / CN113765891B * 2021-08-13 2021-12-07 / 2024-04-09 深圳番多拉信息科技有限公司 Device fingerprint identification method and apparatus
CN115001790A / CN115001790B * 2022-05-27 2022-09-02 / 2024-03-26 国网智能电网研究院有限公司 Secondary authentication method and apparatus based on device fingerprint, and electronic device
CN117675622A / CN117675622B * 2024-01-15 2024-03-08 / 2024-08-27 广东云百智联科技有限公司 Visual display system for Internet of Things device traffic
CN118138370A * 2024-04-30 2024-06-04 中国电子科技集团公司第三十研究所 Internet of Things security access gateway and non-invasive access control method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨威超 et al., "IoT traffic anomaly detection based on device model classification and BP neural network" (基于设备型号分类和BP神经网络的物联网流量异常检测), 《信息网络安全》 (Netinfo Security) *

Similar Documents

Publication Publication Date Title
CN112512073A (en) Internet of things equipment anomaly detection method based on fingerprint identification technology
CN112953971B (en) Network security flow intrusion detection method and system
CN109861957A (en) A kind of the user behavior fining classification method and system of the privately owned cryptographic protocol of mobile application
CN112365265B (en) Internet financial intelligent wind control system
CN112822189A (en) Traffic identification method and device
CN114448830B (en) Equipment detection system and method
CN116366374B (en) Security assessment method, system and medium for power grid network management based on big data
CN111698209A (en) Network abnormal flow detection method and device
CN112491849B (en) Power terminal vulnerability attack protection method based on flow characteristics
CN117955745B (en) Network attack homology analysis method integrating network flow characteristics and threat information
CN106209902A (en) A kind of network safety system being applied to intellectual property operation platform and detection method
CN118094531B (en) Safe operation and maintenance real-time early warning integrated system
CN111586075B (en) Hidden channel detection method based on multi-scale stream analysis technology
CN116150688A (en) Lightweight Internet of things equipment identification method and device in smart home
CN116662184A (en) Industrial control protocol fuzzy test case screening method and system based on Bert
CN116471381A (en) AI-based power transformation and distribution room personnel appliance state monitoring method
CN113660267B (en) Botnet detection system, method and storage medium for IoT environment
CN118214612A (en) Real-time monitoring safety service system based on Internet
CN115883626A (en) Internet-based multifunctional information technology consultation service system
CN110851414B (en) Method and system for analyzing boundary data by clustering method
CN112866189A (en) Attack modeling analysis method based on power terminal attack behavior characteristics
CN115766297B (en) Information data safety protection method based on Internet of things
CN112153081A (en) Method for detecting abnormal state of industrial network
CN116980483A (en) Fire-fighting Internet of things data access method and system
CN115333915B (en) Heterogeneous host-oriented network management and control system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210316