CN112954689A - Lightweight network intrusion detection system and method for Bluetooth wireless transmission - Google Patents
- Publication number: CN112954689A (CN202110179359.XA)
- Authority: CN (China)
- Prior art keywords: data, probability, training, detection, feature
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention provides a lightweight network intrusion detection system and method for Bluetooth wireless transmission. Offline training comprises four stages: data collection, feature selection, data training and generation of a machine learning model. Data training operates on labeled data, where the label marks the data as normal or abnormal, and comprises three steps: feature compression, probability model construction and calculation of array occurrence probabilities. Online detection comprises data collection, feature selection, feature compression, calculation of the array occurrence probability and the smoothed probability, and obtaining a real-time detection result from the generated model. The intrusion detection method provided by the invention can provide higher accuracy and fewer false alarms.
Description
Technical Field
The invention relates to the technical field of Bluetooth wireless network intrusion detection, in particular to a lightweight network intrusion detection system and method aiming at Bluetooth wireless transmission.
Background
At present, the Internet of Things is developing faster and faster, and its security needs to improve accordingly. Most Internet of Things devices communicate over Wi-Fi and Bluetooth wireless networks. Intrusion detection systems can play a key role in improving the security of wireless networks. Once a wireless network is attacked, security incidents of varying severity can result, up to crises such as the disclosure of secrets. Deploying an intrusion detection system can effectively improve the security of a wireless network and so protect its users.
Wi-Fi is typically the preferred network for Local Area Networks (LANs), and Bluetooth is the preferred network for Personal Area Networks (PANs). Wi-Fi wireless networks are used for communication over short ranges (up to hundreds of meters), while Bluetooth is used for communication between devices in close proximity (within tens of meters). Bluetooth is used as an alternative to data transmission over data lines and cables.
In existing Internet of Things devices such as smart cars, the deployed Bluetooth devices are vulnerable to PIN guessing; after such an attack, the attacker can send arbitrary messages into the Bluetooth network to attack it further. In addition, Internet of Things devices are constrained by battery power, and an attacker can quickly exhaust the battery of a Bluetooth device by sending repeated pairing requests or device information requests.
Although the Bluetooth protocol as designed defines security measures, these measures are generally not followed during deployment. In fact, Bluetooth deployments in Internet of Things devices such as smart cars are vulnerable to PIN guessing, which allows an attacker to send arbitrary messages to the car network. In addition, Internet of Things devices are constrained by battery power. These "battery drain attacks" cause the sensor's battery to drain faster, resulting in a denial of service (DoS) on the Bluetooth sensor network. Therefore, there is a need for an Intrusion Detection System (IDS) that can accurately detect attacks on Bluetooth devices and their applications.
Currently, most intrusion detection systems require a large amount of data to train a system model before the model can be used for classification and debugging, which requires a long debugging period. Correspondingly, the longer the debugging time, the more accurate the detection model. Some intrusion detection systems use a manually specified mode directly and omit building and training a model, which greatly reduces detection accuracy.
Disclosure of Invention
To address the shortcomings of existing intrusion detection systems and to meet the requirements of a lightweight process and a short debugging period, the invention provides a multilayer intrusion detection system based on machine learning, with detection drawing on the existing Abnormal Behavior Analysis (ABA) method. The advantages of the invention are: 1) the intrusion detection system of the invention can provide higher accuracy and fewer false alarms; 2) with some machine learning models, lightweight data can be used to generate models quickly.
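Specifically, the invention provides a lightweight network intrusion detection method for Bluetooth wireless transmission, which comprises the following steps:
step 1, acquiring Bluetooth traffic information marked with class labels as training data, wherein the class labels represent whether the corresponding Bluetooth traffic information belongs to network intrusion data, and extracting the features of the training data according to preset data classes to obtain the data features of the training data;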
step 2, compressing the data characteristics of the training data to obtain a plurality of characteristic arrays, and training to obtain a Bluetooth network intrusion detection model according to the probability of the characteristic arrays appearing in the data characteristics and in combination with the class labels and the data link format of the training data;
step 3, acquiring Bluetooth traffic information to be analyzed as detection data, acquiring a data link format of the detection data as a current format, performing feature extraction on the detection data according to the preset data type to obtain data features of the detection data, compressing the data features of the detection data to obtain a plurality of feature arrays, acquiring the probability of the feature arrays of the detection data appearing in the data features of the detection data, performing data smoothing on the probability to obtain a smoothed probability, and inputting the current format and the smoothed probability into the Bluetooth network intrusion detection model to obtain a type label of the detection data as an intrusion detection result.
In the lightweight network intrusion detection method for Bluetooth wireless transmission, the data features in step 2 and step 3 are compressed by adding a sliding window, which compresses the time-continuous data features into a plurality of discrete feature arrays.
In the lightweight network intrusion detection method for Bluetooth wireless transmission, the probability of a feature array appearing in the data features in step 2 and step 3 is specifically:
P(w|C) is the probability of the feature array w appearing in the training data or the detection data conforming to the data link format C, K is the data quantity in the training data or the detection data conforming to the data link format C, and K is the number of occurrences of the feature array w.
In the lightweight network intrusion detection method for Bluetooth wireless transmission, step 2 further comprises establishing a feature array occurrence probability library for each data link format, according to the probability of the feature arrays appearing in the data features and the data link format of the training data;
and step 3 adopts data smoothing based on linear interpolation:
P(w|D)=λP(w|C)+(1-λ)P(w|d)
where P(w|d) represents the probability of occurrence of the feature array w calculated from the detection data, P(w|C) is the probability of occurrence of the feature array w from the feature array occurrence probability library, λ is a smoothing parameter for adjusting the weight between the probabilities, and P(w|D) represents the smoothed probability.
In the lightweight network intrusion detection method for Bluetooth wireless transmission, step 2 trains a classification network using a support vector machine or naive Bayes to obtain the Bluetooth network intrusion detection model.
The invention also provides a lightweight network intrusion detection system aiming at the Bluetooth wireless transmission, which comprises the following components:
the module 1 is used for acquiring Bluetooth traffic information marked with a class label as training data, wherein the class label represents whether the corresponding Bluetooth traffic information belongs to network intrusion data, and extracting features of the training data according to a preset data class to obtain data features of the training data;
the module 2 is used for compressing the data characteristics of the training data to obtain a plurality of characteristic arrays, and training to obtain a Bluetooth network intrusion detection model according to the probability of the characteristic arrays appearing in the data characteristics and in combination with the class labels and the data link format of the training data;
a module 3, configured to obtain bluetooth traffic information to be analyzed as detection data, obtain a data link format of the detection data as a current format, perform feature extraction on the detection data according to the preset data type, obtain data features of the detection data, compress the data features of the detection data to obtain multiple feature arrays, obtain a probability that the feature arrays of the detection data appear in the data features of the detection data, perform data smoothing on the probability, obtain a smooth probability, and input the current format and the smooth probability to the bluetooth network intrusion detection model to obtain a type tag of the detection data, which is used as an intrusion detection result.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, module 2 and module 3 compress the data features by adding a sliding window, which compresses the time-continuous data features into a plurality of discrete feature arrays.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, the probability of a feature array appearing in the data features in module 2 and module 3 is:
P(w|C) is the probability of the feature array w appearing in the training data or the detection data conforming to the data link format C, K is the data quantity in the training data or the detection data conforming to the data link format C, and K is the number of occurrences of the feature array w.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, module 2 further comprises a feature array occurrence probability library, established according to the probability of the feature arrays appearing in the data features and the data link format of the training data;
and module 3 uses data smoothing based on linear interpolation:
P(w|D)=λP(w|C)+(1-λ)P(w|d)
where P(w|d) represents the probability of occurrence of the feature array w calculated from the detection data, P(w|C) is the probability of occurrence of the feature array w from the feature array occurrence probability library, λ is a smoothing parameter for adjusting the weight between the probabilities, and P(w|D) represents the smoothed probability.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, module 2 trains a classification network using a support vector machine or naive Bayes to obtain the Bluetooth network intrusion detection model.
According to the scheme, the invention has the advantages that:
the intrusion detection system based on machine learning can effectively cope with data frame streams under different conditions after training and correctly detect whether the network is attacked or not. A small amount of data is adopted to train the model, the detection has higher precision and lower calculation complexity, the process is light, and the detection speed is accelerated.
Drawings
FIG. 1 is a diagram of an intrusion detection system architecture according to the present invention;
FIG. 2 is a flowchart of a method for detecting intrusion in a Bluetooth network;
FIG. 3 is a schematic diagram of a process for generating a feature array by N-gram;
FIG. 4 is a graph of model accuracy effect;
FIG. 5 is a graph of model recall effect.
Detailed Description
The invention provides an intrusion detection system for Bluetooth equipment, which is based on a machine learning model and automatically learns to obtain parameter indexes of the model through some training data. The generated model can then be used to detect information received by the bluetooth device, classifying the information as normal or abnormal, thereby completing intrusion detection.
In order to make the aforementioned features and effects of the present invention more comprehensible, embodiments accompanied with figures are described in detail below.
The invention provides an intelligent, high-precision and low-computing-resource-consumption intrusion detection system for a Bluetooth network. The system, as a software or software module, can detect data for a wireless network in real time. The system mainly comprises two sub-modules, and a specific software architecture diagram is shown in figure 1.
1. The sniffer module comprises two parts, an N/W sniffer and an information extractor. The N/W sniffer is responsible for collecting data frames from the Bluetooth network and transmitting the collected data frames to the information extractor. The information extractor extracts a data unit with analysis value from the data frame received from the N/W sniffer, and then extracts and converts the characteristic data which can be used for intrusion detection classification in the data unit into storage.
2. The behavior analysis module comprises three sub-modules: a flow generator, an N-gram generator and a detection and classification unit. The flow generator and the N-gram generator convert the information passed on by the information extractor into a data frame stream in N-gram sliding window coded form, which is then passed to the detection and classification unit to detect in real time whether the current data frame is normal.
The invention provides a high-precision low-computation-complexity Bluetooth network intrusion detection method. The method comprises two working states, namely off-line training and on-line detection. The off-line training comprises four stages of data collection, feature selection, data training and generation of a machine learning model, wherein the data training aims at labeled data, and labels represent normal data or abnormal (attack) data. The data training stage comprises three steps of feature compression, probability model construction and array occurrence probability calculation. The on-line detection comprises data collection, feature selection, feature compression, calculation of array occurrence probability and smoothing probability and real-time detection result obtaining through the generated model. The specific flow chart of the method is shown in fig. 2. In the real-time detection part, the probability of the occurrence of the array obtained by calculation is smoothed and then calculated with a model obtained by off-line training, and if the probability exceeds a threshold value, the data is abnormal data.
(A) Feature selection
Bluetooth traffic information contains many kinds of feature information. Wireshark can capture 811 characterizable Bluetooth traffic features. Such a huge feature set is not only difficult to handle; observations also show that using too much feature data results in a very sparse matrix. Therefore, based on the feature information collected from the sniffer module, we select 10 kinds of feature data for detection and classification, which simplifies the larger feature data set. The selected features do not have to be these 10; other features can also be chosen. Table 1 lists the feature data we use.
Serial number | Characteristic data | Description |
1 | frame_epoch_time | Time of arrival |
2 | hci_h4_type | HCI packet type |
3 | bthci_evt_code | HCI Bluetooth event code |
4 | bthci_cmd_opcode | HCI Bluetooth command operation code |
5 | btl2cap_scid | Bluetooth L2CAP protocol source CID |
6 | bthci_acl_dst_bd_addr | Target address |
7 | bthci_acl_dst_name | Target device name |
8 | bthci_acl_dst_role | Target device role |
9 | bthci_acl_src_bd_addr | Source address |
10 | bthci_acl_src_name | Source device name |
Table 1. Characteristic data set
(B) Feature compression
Anomaly-based intrusion detection systems rely on detailed knowledge of the normal behavior of the target protocol. In our method, the behavior of the protocol is captured using N-gram sliding window coding: a sliding window of predefined size is sampled from the data stream and used to model the temporal behavior of the target protocol (the Bluetooth protocol). FIG. 3 shows how feature data sets are converted into N-gram sliding window encodings. As shown in FIG. 3, the features hci_h4_type, bthci_evt_code, bthci_cmd_opcode and btl2cap_scid are compressed using a hash function, which reduces the dimensionality of the data and the computational complexity. Any m features may be chosen for compression. If there are K features in one data set, we get [K/m] feature arrays after compression; for example, in FIG. 3, the last four features are compressed into one feature and the first 6 features are not compressed, i.e., m is 4, K is 4, and 1 new feature is obtained by compression.
(C) Constructing a probability model and calculating the probability
After the N-gram sliding window encoding is obtained, the occurrence probability of each resulting feature array is calculated over the training set. The data is classified by data link format, and the occurrence of the feature arrays is calculated separately for four types of data, namely HCI command frames, ACL data frames, SCO data frames and HCI data frames. Each of these four classes of data contains the aforementioned 10-dimensional features. Assuming that there are K N-gram sliding window coded data in the SCO physical link, in which a specific feature array w appears K times, its appearance probability is
At the end of the processing of each data stream, we obtain a probability database comprising C1, C2, C3 and C4, where C1 represents the probability of different feature arrays appearing in the HCI command frame class. Similarly, C2 corresponds to the ACL data frame class, C3 to the SCO data frame class, and C4 to the HCI data frame class.
In the real-time detection stage, for the current feature array w, the type of the current Bluetooth data frame (namely, which of the four types of data frames it is) is determined first, so that the corresponding database is selected from the four probability databases; then, based on the selected probability database, a calculation is performed to obtain the probability of the current feature array w.
(D) Smoothing data using linear interpolation method
When calculating the probability of occurrence of the feature array, a small number of data streams with probability approaching 0 may occur in the training set. At run-time we may see N-gram sliding window coding that we have not observed during the training phase. Therefore, in order to reduce these effects, smoothing of data is required when calculating the feature array probability in online detection. We smooth the probabilities using a linear interpolation method.
P(w|D)=λP(w|C)+(1-λ)P(w|d)
The above equation is a linear interpolation smoothing method, where P(w|d) represents the probability of occurrence of the feature array w calculated from the data stream to be detected, P(w|C) is the probability of the feature array w estimated from the probability database, and λ is a smoothing parameter that adjusts the weight between the two probabilities. P(w|D) represents the smoothed probability value.
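An added example, not code from the patent, that carries sections (B) to (D) through in Python: hash compression, N-gram windows, the per-format probability database and the linear interpolation with λ = 0.5 as in the experiment. Assumptions: the frame tuples and sample streams are constructed, BLAKE2b stands in for the unspecified hash function, a window is filed under the link format of its newest frame, and P(w|C) is taken as the relative frequency k/K because the page's formula is missing.

```python
import hashlib
from collections import Counter, defaultdict

# H4 packet-type indicator -> the four data link formats named in section (C).
# Filing HCI events (type 4) under "HCI data" is an assumption of this example.
LINK_FORMAT = {1: "HCI command", 2: "ACL data", 3: "SCO data", 4: "HCI data"}


def compress(frame):
    """Hash (hci_h4_type, bthci_evt_code, bthci_cmd_opcode, btl2cap_scid)
    into one short token, reducing four feature columns to one."""
    raw = ",".join(str(value) for value in frame).encode()
    return hashlib.blake2b(raw, digest_size=4).hexdigest()


def windows(frames, n):
    """Yield (link_format, feature_array) for every N-gram sliding window.
    Assumption: a window belongs to the link format of its newest frame."""
    tokens = [compress(frame) for frame in frames]
    for end in range(n - 1, len(frames)):
        yield LINK_FORMAT[frames[end][0]], tuple(tokens[end - n + 1:end + 1])


def probabilities(frames, n=2):
    """Return {link_format: {feature_array: k / K}}, where k counts the
    occurrences of the array and K all windows of that link format."""
    counts = defaultdict(Counter)
    for link, w in windows(frames, n):
        counts[link][w] += 1
    return {
        link: {w: k / sum(counter.values()) for w, k in counter.items()}
        for link, counter in counts.items()
    }


def smoothed_features(frames, database, n=2, lam=0.5):
    """Return one (link_format, P(w|C), P(w|d), P(w|D)) row per window,
    with P(w|D) = lam * P(w|C) + (1 - lam) * P(w|d)."""
    local = probabilities(frames, n)  # P(w|d): from the stream under test
    rows = []
    for link, w in windows(frames, n):
        p_c = database.get(link, {}).get(w, 0.0)  # unseen array or format
        p_d = local[link][w]
        rows.append((link, p_c, p_d, lam * p_c + (1 - lam) * p_d))
    return rows


# Constructed sample frames: (hci_h4_type, evt_code, cmd_opcode, l2cap_scid).
CMD = (1, 0x00, 0x0405, 0x0000)
EVT = (4, 0x0F, 0x0000, 0x0000)
ACL_A = (2, 0x00, 0x0000, 0x0040)
ACL_B = (2, 0x00, 0x0000, 0x0041)
REQ = (1, 0x00, 0x0411, 0x0000)  # a command never seen in training

NORMAL = [CMD, EVT, ACL_A, ACL_B] * 5  # labelled-normal training stream
SUSPECT = [CMD, EVT, ACL_A, ACL_B] + [REQ] * 6  # one request repeated

if __name__ == "__main__":
    db = probabilities(NORMAL)
    for link, p_c, p_d, p_smooth in smoothed_features(SUSPECT, db):
        print(f"{link:12} P(w|C)={p_c:.3f} P(w|d)={p_d:.3f} P(w|D)={p_smooth:.3f}")
```

The repeated request has P(w|C) = 0 in the database yet a non-zero smoothed value, because P(w|d) grows with repetition. Each row's link format and smoothed probability are the inputs the page passes to the classifier.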
(E) Machine learning
Using the resulting probability database of feature array probabilities, we can apply machine learning to the data. In the experiment, models are trained using methods such as C4.5, support vector machines and naive Bayes, and the sklearn package in Python is used for model training. These models are fast to compute and lightweight. The training set data is loaded into a classifier, and a Bluetooth traffic classification model is obtained through fitting and calculation. After the model has been trained on the training set, it can be used to perform intrusion detection on Bluetooth data streams.
3. Results of the experiment
Two bluetooth devices and an attack server are used as experimental devices in the experiment. The intrusion detection system is deployed on the bluetooth device 1. Training and testing of IDS was performed on the device 1. In the training phase, normal operation traffic is collected through the bluetooth device 1 and bluetooth device 2 network to form a normal traffic training set. Then, some abnormal traffic aiming at some known attacks is collected to form an attack traffic training set, and the size of the attack traffic training set is 10 times that of the normal traffic training set. These data sets are used to train a machine learning model that can classify normal traffic from abnormal traffic.
We have performed power consumption attacks and bluetooth vulnerability attacks on the generated models. A power-consuming attack is the repeated sending of a pairing request and a device identification request to a target device, resulting in the battery of the device being drained in a short time. A bluetooth vulnerability attack is an attack on the traditional bluetooth protocol. The coefficient of the linear interpolation is set to 0.5. The accuracy and recall of the various classifiers are shown in the following figures 4 and 5, respectively. The accuracy and recall formulas are as follows:
wherein P represents the accuracy rate, R represents the recall rate, TP represents the number of detection results in which normal traffic is classified as normal, FP represents the number of detection results in which attack traffic is classified as normal, and FN represents the number of detection results in which normal traffic is classified as attack traffic.
The following are system examples corresponding to the above method examples, and this embodiment can be implemented in cooperation with the above embodiments. The related technical details mentioned in the above embodiments are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the above-described embodiments.
The invention also provides a lightweight network intrusion detection system aiming at the Bluetooth wireless transmission, which comprises the following components:
the module 1 is used for acquiring Bluetooth traffic information marked with a class label as training data, wherein the class label represents whether the corresponding Bluetooth traffic information belongs to network intrusion data, and extracting features of the training data according to a preset data class to obtain data features of the training data;
the module 2 is used for compressing the data characteristics of the training data to obtain a plurality of characteristic arrays, and training to obtain a Bluetooth network intrusion detection model according to the probability of the characteristic arrays appearing in the data characteristics and in combination with the class labels and the data link format of the training data;
a module 3, configured to obtain bluetooth traffic information to be analyzed as detection data, obtain a data link format of the detection data as a current format, perform feature extraction on the detection data according to the preset data type, obtain data features of the detection data, compress the data features of the detection data to obtain multiple feature arrays, obtain a probability that the feature arrays of the detection data appear in the data features of the detection data, perform data smoothing on the probability, obtain a smooth probability, and input the current format and the smooth probability to the bluetooth network intrusion detection model to obtain a type tag of the detection data, which is used as an intrusion detection result.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, module 2 and module 3 compress the data features by adding a sliding window, which compresses the time-continuous data features into a plurality of discrete feature arrays.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, the probability of a feature array appearing in the data features in module 2 and module 3 is:
P(w|C) is the probability of the feature array w appearing in the training data or the detection data conforming to the data link format C, K is the data quantity in the training data or the detection data conforming to the data link format C, and K is the number of occurrences of the feature array w.
In the lightweight network intrusion detection system for Bluetooth wireless transmission, module 2 further comprises a feature array occurrence probability library, established according to the probability of the feature arrays appearing in the data features and the data link format of the training data;
and module 3 uses data smoothing based on linear interpolation:
P(w|D)=λP(w|C)+(1-λ)P(w|d)
where P(w|d) represents the probability of occurrence of the feature array w calculated from the detection data, P(w|C) is the probability of occurrence of the feature array w from the feature array occurrence probability library, λ is a smoothing parameter for adjusting the weight between the probabilities, and P(w|D) represents the smoothed probability.
Claims (10)
1. A lightweight network intrusion detection method for Bluetooth wireless transmission is characterized by comprising the following steps:
step 1, acquiring Bluetooth traffic information marked with class labels as training data, wherein the class labels represent whether the corresponding Bluetooth traffic information belongs to network intrusion data, and extracting the features of the training data according to preset data classes to obtain the data features of the training data;
step 2, compressing the data characteristics of the training data to obtain a plurality of characteristic arrays, and training to obtain a Bluetooth network intrusion detection model according to the probability of the characteristic arrays appearing in the data characteristics and in combination with the class labels and the data link format of the training data;
step 3, acquiring Bluetooth traffic information to be analyzed as detection data, acquiring a data link format of the detection data as a current format, performing feature extraction on the detection data according to the preset data type to obtain data features of the detection data, compressing the data features of the detection data to obtain a plurality of feature arrays, acquiring the probability of the feature arrays of the detection data appearing in the data features of the detection data, performing data smoothing on the probability to obtain a smoothed probability, and inputting the current format and the smoothed probability into the Bluetooth network intrusion detection model to obtain a type label of the detection data as an intrusion detection result.
2. The method for detecting lightweight network intrusion for bluetooth wireless transmission according to claim 1, wherein the step 2 and step 3 compress the data features by adding a sliding window to compress the data features with continuous time series into a plurality of discrete feature arrays.
3. The method for detecting lightweight network intrusion for bluetooth wireless transmission according to claim 1, wherein the probability of the feature array appearing in the data features in step 2 and step 3 is specifically:
P(w|C) is the probability of the feature array w appearing in the training data or the detection data conforming to the data link format C, K is the data quantity in the training data or the detection data conforming to the data link format C, and K is the number of occurrences of the feature array w.
4. The method as claimed in claim 3, wherein step 2 further comprises establishing a feature array occurrence probability library corresponding to the data link format, according to the probability of the feature array appearing in the data features in combination with the data link format of the training data;
and step 3 adopts data smoothing based on linear interpolation:
P(w|D)=λP(w|C)+(1-λ)P(w|d)
where P(w|d) represents the probability of occurrence of the feature array w calculated from the detection data, P(w|C) is the probability of occurrence of the feature array w taken from the feature array occurrence probability library, λ is a smoothing parameter that adjusts the weight between the two probabilities, and P(w|D) represents the smoothed probability.
5. The method as claimed in claim 1, wherein step 2 trains a classification network using a support vector machine or naive Bayes to obtain the Bluetooth network intrusion detection model.
6. A lightweight network intrusion detection system for Bluetooth wireless transmission, comprising:
module 1, configured to acquire Bluetooth traffic information marked with class labels as training data, wherein each class label indicates whether the corresponding Bluetooth traffic information is network intrusion data, and to perform feature extraction on the training data according to preset data classes to obtain the data features of the training data;
module 2, configured to compress the data features of the training data to obtain a plurality of feature arrays, and to train a Bluetooth network intrusion detection model according to the probability of the feature arrays appearing in the data features, in combination with the class labels and the data link format of the training data;
module 3, configured to acquire Bluetooth traffic information to be analyzed as detection data, take the data link format of the detection data as the current format, perform feature extraction on the detection data according to the preset data classes to obtain the data features of the detection data, compress the data features of the detection data to obtain a plurality of feature arrays, obtain the probability of the feature arrays of the detection data appearing in the data features of the detection data, perform data smoothing on the probability to obtain a smoothed probability, and input the current format and the smoothed probability into the Bluetooth network intrusion detection model to obtain a class label for the detection data as the intrusion detection result.
7. The system of claim 1, wherein the data features in module 2 and module 3 are compressed by applying a sliding window, which compresses the time-series continuous data features into a plurality of discrete feature arrays.
8. The system of claim 1, wherein the probability of the feature array appearing in the data features in module 2 and module 3 is specifically:
p(W|C) is the probability of the feature array W appearing in the training data or the detection data conforming to the data link format C, K is the data quantity in the training data or the detection data conforming to the data link format C, and K is the number of occurrences of the feature array W.
9. The system of claim 3, wherein module 2 further establishes a feature array occurrence probability library corresponding to the data link format, according to the probability of the feature array appearing in the data features in combination with the data link format of the training data;
and module 3 adopts data smoothing based on linear interpolation:
P(w|D)=λP(w|C)+(1-λ)P(w|d)
where P(w|d) represents the probability of occurrence of the feature array w calculated from the detection data, P(w|C) is the probability of occurrence of the feature array w taken from the feature array occurrence probability library, λ is a smoothing parameter that adjusts the weight between the two probabilities, and P(w|D) represents the smoothed probability.
10. The system of claim 1, wherein module 2 trains a classification network using a support vector machine or naive Bayes to obtain the Bluetooth network intrusion detection model.
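The sliding-window compression, per-format probability library and linear-interpolation smoothing recited in claims 2 to 4 can be sketched as follows. This is an added example, not code from the patent. It assumes the probability whose formula is not reproduced on this page is a relative frequency (occurrences of W divided by the number of feature arrays); the function names, window size, λ value, packet-type symbols and the "ACL"/"SCO" format labels are likewise assumptions.

```python
from collections import Counter, defaultdict

def windows(features, size=2):
    """Slide a window over a time-ordered feature sequence -> discrete feature arrays."""
    return [tuple(features[i:i + size]) for i in range(len(features) - size + 1)]

def relative_freq(arrays):
    """Assumed probability form: occurrences of W / number of feature arrays."""
    total = len(arrays)
    return {w: n / total for w, n in Counter(arrays).items()} if total else {}

def build_library(training, size=2):
    """training: (link_format, feature_sequence) pairs -> {format: {W: P(W|C)}}."""
    pooled = defaultdict(list)
    for fmt, seq in training:
        pooled[fmt].extend(windows(seq, size))
    return {fmt: relative_freq(arrays) for fmt, arrays in pooled.items()}

def smoothed(library, fmt, seq, lam=0.5, size=2):
    """P(w|D) = lam * P(w|C) + (1 - lam) * P(w|d) for each array in the detection data."""
    p_c = library.get(fmt, {})           # unknown format: every P(w|C) is 0
    p_d = relative_freq(windows(seq, size))
    return {w: lam * p_c.get(w, 0.0) + (1 - lam) * p for w, p in p_d.items()}

# Constructed sample data (not from the patent): packet-type symbols per link format.
TRAINING = [("ACL", ["POLL", "NULL", "POLL", "NULL", "POLL", "NULL"])]
DETECTION = ("ACL", ["POLL", "NULL", "DM1", "DM1", "DM1"])

if __name__ == "__main__":
    lib = build_library(TRAINING)
    for w, p in sorted(smoothed(lib, *DETECTION).items()):
        print(w, round(p, 3), "seen in training" if w in lib["ACL"] else "unseen")
```

With λ = 1 the smoothed value collapses to the library probability, so a feature array never seen in training scores zero; any λ below 1 lets the detection-side frequency contribute, which is what gives the classifier a non-zero input for unseen arrays.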
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110179359.XA CN112954689A (en) | 2021-02-07 | 2021-02-07 | Lightweight network intrusion detection system and method for Bluetooth wireless transmission |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112954689A (en) | 2021-06-11 |
Family
ID=76244875
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110179359.XA Pending CN112954689A (en) | 2021-02-07 | 2021-02-07 | Lightweight network intrusion detection system and method for Bluetooth wireless transmission |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112954689A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115320538A (en) * | 2022-07-20 | 2022-11-11 | 国汽智控(北京)科技有限公司 | Intelligent network automobile intrusion detection system and method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109818976A (en) * | 2019-03-15 | 2019-05-28 | 杭州迪普科技股份有限公司 | A kind of anomalous traffic detection method and device |
CN110012019A (en) * | 2019-04-11 | 2019-07-12 | 鸿秦(北京)科技有限公司 | A kind of network inbreak detection method and device based on confrontation model |
CN110958271A (en) * | 2019-12-24 | 2020-04-03 | 国家计算机网络与信息安全管理中心 | Vehicle-mounted external network intrusion detection system |
US20200210590A1 (en) * | 2018-12-28 | 2020-07-02 | Tenable, Inc. | Threat score prediction model |
Non-Patent Citations (2)
Title |
---|
PRATIK SATAM et al.: "Bluetooth Intrusion Detection System (BIDS)", 2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA) * |
SHALAKA SATAM et al.: "Multi-level Bluetooth Intrusion Detection System", 2020 IEEE/ACS 17th International Conference on Computer Systems and Applications (AICCSA) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20210611 |