CN112583808A - Abnormal flow detection method for Internet of things equipment - Google Patents


Info

Publication number: CN112583808A
Authority: CN (China)
Prior art keywords: internet, things, information entropy, sliding window, flow
Legal status: Granted
Application number: CN202011423222.6A
Other languages: Chinese (zh)
Other versions: CN112583808B (en)
Inventors: 孙毅臻, 高隽, 曹琳婧, 张士庚, 余建疆, 田峥, 田建伟, 陈中伟, 封靖川, 魏如意
Current assignee: State Grid Corp of China SGCC; State Grid Hunan Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; State Grid Hunan Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd

Events: application filed by State Grid Corp of China SGCC, State Grid Hunan Electric Power Co Ltd and Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd; priority to CN202011423222.6A; publication of CN112583808A; application granted; publication of CN112583808B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an abnormal flow detection method for Internet of things equipment, which comprises the steps of collecting flow data of the Internet of things equipment; classifying the flow data according to the service type and the destination port; the method comprises the steps of obtaining periodic data of network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of a packet sending rate by adopting Fourier transform; taking the time period as a sliding window value and calculating the information entropy value of the network flow in each sliding window; and judging the size relation between the information entropy value and a set threshold value in the sliding window and realizing the abnormal flow detection of the equipment of the Internet of things. According to the method, the abnormal flow detection of the equipment of the Internet of things is realized by acquiring the flow data of the equipment of the Internet of things, setting the size of a sliding window value according to the flow data and detecting the sudden change of the flow information entropy in the sliding window; the method and the device can position the time range of the abnormal flow, and have the advantages of high reliability, wide application range and good effectiveness.

Description

Abnormal flow detection method for Internet of things equipment
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an abnormal flow detection method for Internet of things equipment.
Background
With the development of the economy and technology and the arrival of the intelligent era, the Internet of things is widely applied in people's production and daily life and brings them great convenience. But with the popularization of the Internet of things, attacks against it are becoming more and more frequent. As people pay increasing attention to security, the security of the Internet of things urgently needs to be improved.
However, manufacturers of Internet of things devices currently tend to implement lightweight protocols in order to improve the user experience, so that the security of the devices is sacrificed. In recent years, attacks against Internet of things devices have emerged one after another.
At present, mainstream intrusion detection technology has difficulty coping with the rapidly growing number of Internet of things devices, and it is even less adequate when facing novel Internet of things devices or novel attack methods.
Disclosure of Invention
The invention aims to provide an abnormal flow detection method for Internet of things equipment, which is high in reliability, wide in application range and good in effectiveness.
The invention provides an abnormal flow detection method for equipment of the Internet of things, which comprises the following steps:
S1, collecting flow data of the Internet of things equipment;
S2, classifying the flow data obtained in the step S1 according to the service type and the destination port;
S3, obtaining periodic data of network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of the packet sending rate by adopting Fourier transform;
S4, taking the time period obtained in the step S3 as a sliding window value, and calculating the information entropy value of the network flow in each sliding window;
and S5, judging the size relation between the information entropy value and a set threshold value in the sliding window according to the information entropy value obtained in the step S4, and accordingly realizing abnormal flow detection of the Internet of things equipment.
The collecting of the traffic data of the internet of things device in step S1 is specifically to collect the traffic data of the internet of things device through tcpdump.
In step S3, discretizing the traffic data of the service and then calculating the time period of the packet sending rate by Fourier transform specifically means discretizing the traffic data of the specific service into a binary time sequence with one sample value per second, and then calculating the time period of the packet sending rate by Fourier transform.
The time period of the packet sending rate is specifically obtained by first converting the sequence into the frequency domain X_k using the following formula
Figure BDA0002823496640000021
In the formula, x_n is the original binary time sequence with one sample per second and D is the number of sample values in the sequence. Next, the maximum value X_max in the frequency domain is obtained, and then, by the formula
Figure BDA0002823496640000022
The time period T is calculated.
Calculating the information entropy of the network traffic in each sliding window in step S4 specifically means taking a set of features of the packet sequence of the traffic in the window as a random variable and calculating the information entropy of that random variable.
The information entropy value of the random variable is calculated by adopting the following formula:
Figure BDA0002823496640000023
in the formula, p (x)i) Taking the value of X as a random event XiThe probability of (d); n is the number of different values of the random event X; calculating the characteristic selected by the information entropy as the size of the group; and calculating the information entropy value of each sliding window to obtain an information entropy value sequence describing the distribution condition of the time series data for the flow captured by each device.
In step S5, the size relationship between the information entropy and the set threshold is determined in the sliding window, so as to implement abnormal traffic detection of the internet of things device, specifically, in the sliding window, if the information entropy exceeds the set threshold, it is determined that abnormal internet of things traffic exists in the sliding window.
According to the abnormal flow detection method for the equipment of the Internet of things, the abnormal flow detection of the equipment of the Internet of things is realized by acquiring the flow data of the equipment of the Internet of things, setting the size of the sliding window value according to the flow data and detecting the sudden change of the flow information entropy in the sliding window; the method of the invention not only can position the time range of abnormal flow, but also has high reliability, wide application range and good effectiveness.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
FIG. 2 is a schematic diagram of an information entropy curve of an embodiment of the method of the present invention.
Detailed Description
FIG. 1 is a schematic flow chart of the method of the present invention: the invention provides an abnormal flow detection method for equipment of the Internet of things, which comprises the following steps:
S1, collecting flow data of the Internet of things equipment; specifically, the traffic data of the Internet of things equipment is collected through tcpdump;
S2, classifying the flow data obtained in the step S1 according to the service type and the destination port;
S3, obtaining periodic data of network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of the packet sending rate by adopting Fourier transform; specifically, the flow data of a specific service is discretized into a binary time sequence with one sample value per second, and the time period of the packet sending rate is then calculated by Fourier transform;
in a specific implementation, the following formula is used to convert the time domain into the frequency domain X_k
Figure BDA0002823496640000041
In the formula, x_n is the original binary time sequence with one sample per second and D is the number of sample values in the sequence. Next, the maximum value X_max in the frequency domain is obtained, and then, by the formula
Figure BDA0002823496640000042
Calculating to obtain a time period T;
S4, taking the time period obtained in the step S3 as a sliding window value, and calculating the information entropy value of the network flow in each sliding window; a set of features of the packet sequence of the traffic in the window is taken as a random variable, and the information entropy value of that random variable is calculated;
in a specific implementation, the information entropy value H(X) is calculated by the following formula:
Figure BDA0002823496640000043
in the formula, p (x)i) Taking the value of X as a random event XiThe probability of (d); n is the number of different values of the random event X;
calculating the characteristic selected by the information entropy as the size of the group; calculating the information entropy value of each sliding window to obtain an information entropy value sequence describing the distribution condition of time series data for the flow captured by each device;
s5, judging the size relation between the information entropy value and a set threshold value in a sliding window according to the information entropy value obtained in the step S4, and accordingly achieving abnormal flow detection of the Internet of things equipment; specifically, in a sliding window, if the information entropy exceeds a set threshold, it is determined that abnormal internet of things flow exists in the sliding window.
The process of the invention is further illustrated below with reference to one example:
firstly, an anomaly detection model is deployed on each local security gateway, and traffic sent to the security gateway by a device is captured by running a tcpdump command on the security gateway;
then, the unidirectional flows sent by the TP-Link camera device are classified by destination port / service type; because the destination ports of an Internet of things device are fixed by the manufacturer, or the device sends traffic only for fixed services, traffic to any other port can be treated directly as malicious abnormal traffic and eliminated in this step;
next, based on the characteristic that Internet of things devices have periodic communication traffic, for each service flow (destination port) a 1-second time window is used: if a data packet is captured within the window it is marked as 1, otherwise it is marked as 0, so that a binary 0-1 time sequence sampled at one value per second is constructed, and the following Fourier transform formula is used to convert the time domain into the frequency domain
Figure BDA0002823496640000051
Then, the maximum value X_max in the frequency domain is obtained, and by
Figure BDA0002823496640000052
Calculating a period;
then, the calculated time period is used as the size of the sliding window, and the information entropy value of the network traffic in each sliding window is calculated: a set of features of the packet sequence of the traffic in the window is taken as a random variable, and its information entropy is calculated by the following method
Figure BDA0002823496640000053
Finally, a curve of the resulting information entropy sequence is drawn; abnormal traffic in a sliding window shows up as a sudden change in the entropy, and when the relative difference of a sliding window exceeds the set threshold gamma, abnormal Internet of things traffic exists in that window (see FIG. 2), and it is determined that abnormal traffic exists.
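The pipeline of steps S3 to S5 described in the disclosure and in the example above, written out as an added, self-contained example (this is not code from the patent or its applicants). The DFT and period formulas survive on the page only as images, so the form used here, T = D / k for the strongest non-DC bin k, is an assumption; so are the constructed sample flow, non-overlapping windows of length T, packet size as the entropy feature, and the median window entropy as the baseline for the relative difference compared with gamma.

```python
import cmath
import math
from collections import Counter
from statistics import median

# Constructed sample flow (not a real capture): (timestamp_s, size_bytes) for one
# unidirectional flow of one device to one destination port. Every 10 s the device
# sends a 100-byte packet followed one second later by a 300-byte packet; eight
# packets of unrelated sizes are injected at t = 62..69 to play the anomaly.
DURATION = 120
NORMAL = [(t, 100) for t in range(0, DURATION, 10)] + \
         [(t + 1, 300) for t in range(0, DURATION, 10)]
BURST = list(zip(range(62, 70), [512, 1024, 64, 1400, 256, 900, 1200, 40]))
PACKETS = sorted(NORMAL + BURST)


def binary_series(packets, duration):
    """Step S3: one sample per second, 1 if at least one packet was seen in that second."""
    series = [0] * duration
    for t, _ in packets:
        if 0 <= int(t) < duration:
            series[int(t)] = 1
    return series


def fourier_period(series):
    """Step S3: DFT of the 0/1 series; the strongest non-DC bin k gives T = D / k
    (assumed form of the page's image-only formula)."""
    D = len(series)
    best_k, best_mag = 1, -1.0
    for k in range(1, D // 2 + 1):
        X_k = sum(x * cmath.exp(-2j * math.pi * k * n / D) for n, x in enumerate(series))
        if abs(X_k) > best_mag:
            best_k, best_mag = k, abs(X_k)
    return round(D / best_k)


def entropy(values):
    """Step S4: Shannon entropy H(X) = -sum p(x_i) log2 p(x_i) of the observed values."""
    total = len(values)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())


def entropy_sequence(packets, duration, T):
    """Step S4: entropy of the packet-size distribution in consecutive windows of T seconds."""
    seq = []
    for start in range(0, duration - T + 1, T):
        sizes = [size for t, size in packets if start <= t < start + T]
        seq.append((start, start + T, entropy(sizes)))
    return seq


def detect(entropies, gamma=0.5):
    """Step S5: flag windows whose entropy differs from the median window entropy
    by a relative amount greater than gamma (median baseline is this example's choice)."""
    ref = median([h for _, _, h in entropies])
    flagged = []
    for start, end, h in entropies:
        rel = abs(h - ref) / ref if ref > 0 else (1.0 if h > 0 else 0.0)
        if rel > gamma:
            flagged.append((start, end, round(h, 3), round(rel, 3)))
    return flagged


def run(packets=PACKETS, duration=DURATION, gamma=0.5):
    T = fourier_period(binary_series(packets, duration))
    seq = entropy_sequence(packets, duration, T)
    return T, seq, detect(seq, gamma)


if __name__ == "__main__":
    T, seq, flagged = run()
    print(f"sliding window T = {T} s")
    for start, end, h in seq:
        print(f"[{start:3d}, {end:3d}) H = {h:.3f}")
    print("abnormal windows (start, end, H, relative difference):", flagged)
```

With the sample flow the period comes out as 10 s, the normal windows have H = 1 bit (two equally likely sizes), and only the window [60, 70) containing the burst is flagged, which is how the method locates the time range of the abnormal traffic.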

Claims (7)

1. An abnormal traffic detection method for Internet of things equipment comprises the following steps:
S1, collecting flow data of the Internet of things equipment;
S2, classifying the flow data obtained in the step S1 according to the service type and the destination port;
S3, obtaining periodic data of network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of the packet sending rate by adopting Fourier transform;
S4, taking the time period obtained in the step S3 as a sliding window value, and calculating the information entropy value of the network flow in each sliding window;
and S5, judging the size relation between the information entropy value and a set threshold value in the sliding window according to the information entropy value obtained in the step S4, and accordingly realizing abnormal flow detection of the Internet of things equipment.
2. The abnormal traffic detection method for internet of things devices according to claim 1, wherein the step S1 is performed to collect traffic data of the internet of things devices, specifically to collect traffic data of the internet of things devices through tcpdump.
3. The abnormal traffic detection method for the internet of things device according to claim 1 or 2, wherein in step S3, after discretizing the traffic data of the service, the time period of the packet transmission rate is calculated by using fourier transform, specifically, the traffic data of the specific service is discretized into a binary time sequence of one sample value per second, and then the time period of the packet transmission rate is calculated by using fourier transform.
4. The abnormal traffic detection method for Internet of things equipment as claimed in claim 3, wherein the time period of the packet transmission rate is specifically obtained by first converting the time domain into the frequency domain X_k using the following formula
Figure FDA0002823496630000011
In the formula, x_n is the original binary time sequence with one sample per second and D is the number of sample values in the sequence. Next, the maximum value X_max in the frequency domain is obtained, and then, by the formula
Figure FDA0002823496630000021
The time period T is calculated.
5. The method for detecting abnormal traffic of internet of things devices according to claim 4, wherein in step S4, the information entropy value of the network traffic in each sliding window is calculated, specifically, a group of characteristics of a data packet sequence of the traffic in the window is used as a random variable, and the information entropy value of the random variable is calculated.
6. The abnormal traffic detection method for internet of things equipment according to claim 5, wherein the information entropy of the random variable is calculated by using the following formula:
Figure FDA0002823496630000022
in the formula, p (x)i) Taking the value of X as a random event XiThe probability of (d); n is the number of different values of the random event X; calculating the characteristic selected by the information entropy as the size of the group; and calculating the information entropy value of each sliding window to obtain an information entropy value sequence describing the distribution condition of the time series data for the flow captured by each device.
7. The method for detecting abnormal traffic of internet of things equipment according to claim 6, wherein in step S5, the size relationship between the information entropy and the set threshold is determined in the sliding window, so as to implement abnormal traffic detection of internet of things equipment, specifically, in the sliding window, if the information entropy exceeds the set threshold, it is determined that abnormal internet of things traffic exists in the sliding window.
CN202011423222.6A 2020-12-08 2020-12-08 Abnormal flow detection method for Internet of things equipment Active CN112583808B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011423222.6A CN112583808B (en) 2020-12-08 2020-12-08 Abnormal flow detection method for Internet of things equipment

Publications (2)

Publication Number Publication Date
CN112583808A true CN112583808A (en) 2021-03-30
CN112583808B CN112583808B (en) 2022-01-07

Family

ID=75127707

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011423222.6A Active CN112583808B (en) 2020-12-08 2020-12-08 Abnormal flow detection method for Internet of things equipment

Country Status (1)

Country Link
CN (1) CN112583808B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765896A (en) * 2021-08-18 2021-12-07 广东三水合肥工业大学研究院 Internet of things implementation system and method based on artificial intelligence
CN113904812A (en) * 2021-09-18 2022-01-07 中标慧安信息技术股份有限公司 Internet of things intrusion detection method based on isolated forest

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618651A (en) * 2013-12-11 2014-03-05 上海电机学院 Network abnormality detection method and system based on information entropy and sliding window
CN105357228A (en) * 2015-12-19 2016-02-24 中国人民解放军信息工程大学 Burst traffic detection method based on dynamic threshold
US9729693B1 (en) * 2016-06-07 2017-08-08 Huami Inc. Determining measurement confidence for data collected from sensors of a wearable device
US20180176134A1 (en) * 2016-12-21 2018-06-21 Cisco Technology, Inc. MACHINE LEARNING-DERIVED ENTROPY PATH GRAPH FROM IN-SITU OAM (iOAM) DATA
CN109818793A (en) * 2019-01-30 2019-05-28 基本立子(北京)科技发展有限公司 For the device type identification of Internet of Things and network inbreak detection method
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110275508A (en) * 2019-05-08 2019-09-24 西安电子科技大学 Vehicle-mounted CAN bus network method for detecting abnormality and system

Also Published As

Publication number Publication date
CN112583808B (en) 2022-01-07


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant