CN113037586B - Universal and robust event fingerprint extraction method and device for smart home equipment - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
The invention provides a universal and robust method and device for extracting event fingerprints of smart home devices. The method comprises: extracting, from a network traffic data set with event labels, standard reference probability distributions that serve as preset fingerprint information; monitoring the traffic of the smart home devices according to a preset time window and a preset step, and obtaining the message (length, direction) tuples corresponding to each time window; calculating the reference probability distribution of the message tuples corresponding to each time window; and, if the reference probability distribution is consistent with a standard reference probability distribution of the preset fingerprint information, generating a trigger event occurrence report containing the fingerprint information corresponding to the target standard reference probability distribution. The method can therefore be applied directly to the management of networks containing smart home devices: changes in the working state of the smart home devices in the network can be sensed in real time from the extracted fingerprint information, and anomaly detection can be performed.
Description
Technical Field
The invention relates to the technical field of Internet of Things applications, and in particular to a universal and robust method and device for extracting event fingerprints of smart home devices.
Background
As an application of Internet of Things technology, smart home devices are becoming increasingly popular; various networked home devices can cooperate with each other and implement a variety of home automation functions under the remote control of a user. However, since the working state of smart home devices is closely tied to people's daily life, a fault or functional failure of these devices may threaten the safety of the user's home, for example by improperly turning on an appliance, raising a false fire alarm, or even being exploited by a thief. To prevent such situations, sensing the working state of the various smart home devices in real time and performing the corresponding policy checks is usually an indispensable technical means.
Smart home devices cooperate through network communication and synchronize their state with cloud service providers and with the user's smartphone. The network traffic generated by a device usually contains features that reflect changes in its working state, and the technique of extracting these features and encoding them as fingerprint information is the foundation of many security mechanisms for monitoring smart home devices. The working state of a smart home device is usually driven by direct operation by a user or by changes in environmental variables; these are called driving events, such as the device turning on, turning off, or switching mode. The technique of extracting fingerprint information for these driving events from network traffic may be referred to as event-level fingerprint extraction.
Existing event-level fingerprint extraction methods for smart home devices fall mainly into two types. The first type uses feature engineering and a machine learning model to identify events occurring on a device. Such methods generally use statistical features that are not precise enough and rely on the machine learning model to mine the implicit mapping between features and events, so the whole system runs inefficiently, is hard to maintain, and produces fingerprint information that network administrators cannot understand directly. The second type uses simple, direct numerical features of the traffic as fingerprints and performs recognition by pattern matching. However, existing methods of this type are limited to specific services and protocols (Web services and the TCP protocol), cannot be applied generally to all kinds of devices, are not robust enough, and are easily affected by phenomena such as packet loss, retransmission and reordering, which cause them to fail.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, a first object of the present invention is to provide a universal and robust method for extracting event fingerprints of smart home devices, which can be applied directly to the management of a network containing smart home devices, so that changes in the working state of each smart home device in the network can be sensed in real time from the extracted fingerprint information and anomaly detection can be performed.
A second object of the invention is to provide a universal and robust event fingerprint extraction device for smart home devices.
A third object of the invention is to propose a computer device.
A fourth object of the invention is to propose a non-transitory computer-readable storage medium.
A fifth object of the invention is to propose a computer program product.
In order to achieve the above objects, an embodiment of the first aspect of the present invention provides a universal and robust method for extracting event fingerprints of smart home devices, including:
monitoring the traffic of the smart home devices according to a preset time window and a preset step, and obtaining the message (length, direction) tuples corresponding to each time window;
calculating the reference probability distribution of the message tuples corresponding to each time window;
matching the reference probability distribution against the standard reference probability distributions of preset fingerprint information, and determining from the matching result whether there is a target standard reference probability distribution that matches the reference probability distribution;
and, if the target standard reference probability distribution exists, generating a trigger event occurrence report containing the fingerprint information corresponding to the target standard reference probability distribution.
In order to achieve the above objects, an embodiment of the second aspect of the present invention provides a universal and robust event fingerprint extraction device for smart home devices, including:
an extraction module, used for extracting standard reference probability distributions serving as preset fingerprint information from the network traffic data set with event labels;
an acquisition module, used for monitoring the traffic of the smart home devices according to a preset time window and a preset step and obtaining the message tuples corresponding to each time window;
a calculation module, used for calculating the reference probability distribution of the message tuples corresponding to each time window;
a determining module, used for matching the reference probability distribution against the standard reference probability distributions of the preset fingerprint information and determining from the matching result whether there is a target standard reference probability distribution that matches the reference probability distribution;
and a generating module, used for generating a trigger event occurrence report containing the fingerprint information corresponding to the target standard reference probability distribution when the target standard reference probability distribution exists.
In order to achieve the above objects, an embodiment of the third aspect of the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the universal and robust smart home device event fingerprint extraction method described in the embodiment of the first aspect.
In order to achieve the above objects, an embodiment of the fourth aspect of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the universal and robust smart home device event fingerprint extraction method described in the embodiment of the first aspect.
In order to achieve the above objects, an embodiment of the fifth aspect of the present invention provides a computer program product, wherein, when instructions in the computer program product are executed by a processor, the universal and robust smart home device event fingerprint extraction method described in the embodiment of the first aspect is implemented.
The embodiments of the invention have at least the following technical effects:
an event-level fingerprint extraction and identification algorithm for smart home devices is provided that matches traffic statistical features directly; it is universal and highly robust, and can tolerate interference from network jitter and similar phenomena.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
Fig. 1 is a schematic flowchart of a universal and robust smart home device event fingerprint extraction method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a universal and robust smart home device event fingerprint extraction scenario according to an embodiment of the present invention;
Fig. 3 is the variation curve of the Hellinger distance metric during switching of the working state of a D-Link networked smart socket;
Fig. 4 is the variation curve of the KL divergence during switching of the working state of a D-Link networked smart socket; and
Fig. 5 is a schematic structural diagram of a universal and robust event fingerprint extraction device for smart home devices according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer throughout to the same or similar elements or to elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended to explain the invention, and are not to be construed as limiting the invention.
To make up for the shortcomings of the existing methods, the invention combines the two types of method and provides an event-level fingerprint extraction and identification algorithm for smart home devices that matches traffic statistical features directly, so that the method is universal and highly robust and can tolerate interference from network jitter and similar phenomena.
The following describes a universal and robust smart home device event fingerprint extraction method and device according to embodiments of the present invention with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a universal and robust event fingerprint extraction method for smart home devices according to an embodiment of the present invention. The invention aims to design a universal and highly robust event-level fingerprint extraction and identification algorithm for smart home devices. Universal means that the method is not limited by the protocol the device uses. Robust means that the method extracts almost identical fingerprint information under network jitter phenomena such as packet loss, retransmission and reordering, and still achieves high identification accuracy. In addition, unlike machine-learning-based methods, the method does not depend on training and running a black-box model, runs efficiently and is easy to maintain, and its fingerprint information can be understood directly by network administrators. As shown in Fig. 1, the universal and robust smart home device event fingerprint extraction method includes the following steps:
In this embodiment, the method includes a training stage and a testing stage. In the training stage, the standard reference probability distribution of the preset fingerprint information is obtained by training according to the preset time window and the preset step, where the standard reference probability distribution is given by the following formula (1):
wherein X is the discrete random variable corresponding to the sample tuples, $(l, d)$ is a sample tuple, $i$ and $j$ are value indices of the random variable, $p$ is the probability of the corresponding value of the random variable, $l_{ja}$ is an upper bound of a range of continuous message lengths, and $l_{jb}$ is the lower bound of the range of continuous message lengths corresponding to $l_{ja}$.
Specifically, the training phase of the present invention takes as input a traffic data set labeled with the times at which events occurred. The training data may be generated by triggering events manually or through an automated script. In the training data, each of the device events whose fingerprint information is to be extracted is triggered repeatedly N times, with enough time between two adjacent triggers for the traffic related to the event to be generated completely. Suppose an event denoted E is triggered N times, denoted $\{E_1, E_2, \ldots, E_n\}$, with corresponding timestamps $\{t_1, t_2, \ldots, t_n\}$. The process of extracting fingerprint information according to the present invention is described below using this event as an example.
First, for each event trigger time $t$, the method only considers the traffic of the smart home device in the time window $[t, t + \Delta t]$. $\Delta t$ is the time interval required to cover the generation of the traffic associated with the event, and may be understood as a preset step; it is a settable hyper-parameter, for which 10 seconds is usually a suitable value. Too short an interval may cause part of the valid information to be missing from the finally extracted fingerprint information, and too long an interval may cause a small amount of noise to be encoded into the fingerprint information.
Then, the present invention only considers the length and direction of the messages in the traffic within the time window. Because of the network's maximum transmission unit, message lengths lie in a limited discrete interval. Because a message's direction has only two values, receiving and sending, the (length, direction) tuple of a message, taken as a single attribute, also has a finite value space. The length and direction of a message are expressed as a tuple $(l, d)$, where the first element is the length of the message in bytes and the second element is the direction of the message from the perspective of the smart home device. The invention treats the (length, direction) tuple of the messages in the traffic within the time $\Delta t$ after a device event is triggered as a discrete random variable X, and takes its probability distribution as the fingerprint information of the event. Next, the invention needs to determine which message (length, direction) tuples (hereinafter "tuples") should make up the sample space of X. Only tuples of messages that are strongly correlated with the trigger event should be encoded into the fingerprint information, and the evidence for strong correlation is the proportion of co-occurrence of the event trigger with messages having the particular tuple; that is, tuples of messages with a higher proportion of co-occurrence with the event trigger should be added to the sample space of X.
For an event that is triggered N times in the training data set, if a tuple occurs more than 0.9N times in the time windows after the N event triggers, the invention considers it highly correlated with the event and adds it to the sample space of X. Here, the factor 0.9 is an adjustable threshold used to determine strong correlation between a message tuple and the event; the closer it is to 1, the higher the accuracy of the extracted fingerprint, but the matching accuracy and robustness of the fingerprint may also be reduced. In particular, if messages with a fixed direction and with lengths in a continuous interval appear in turn after different triggers of the same event, and the sum of their numbers of occurrences exceeds 0.9N, the tuples in that interval can be added to the sample space of X as a whole, denoted $([l_a, l_b], d)$. It is emphasized that every individual message tuple $(l, d)$ lying in the interval $([l_a, l_b], d)$, where $l_a \le l \le l_b$, must appear in a time window after some event trigger in the training set; only then can the messages in the range be added to the sample space of X as a whole.
After the sample space of X is determined, the probability distribution of X is obtained by frequency-based probability estimation; that is, the probability of each message tuple in the sample space is taken to be its proportion of the occurrences over all N time windows, in the form of formula (1) above. This probability distribution is the output of the present invention in the training phase for event E, and is used as the fingerprint information of the event in the subsequent detection phase.
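The training stage described above, as an added Python example that is not code from the patent. Because formula (1) is not reproduced on this page, the sketch makes two labelled assumptions: a tuple "occurs" once per time window it appears in, and each probability is the element's share of all sample-space messages over the N windows. The capture and all names are constructed.

```python
from collections import Counter, defaultdict

def extract_fingerprint(packets, event_times, dt=10.0, ratio=0.9):
    """Return {((l_a, l_b), d): probability} for one labelled event.

    packets: (timestamp, length, direction) records; event_times: trigger times.
    Assumption: a tuple is counted once per window [t, t + dt] it appears in.
    """
    n = len(event_times)
    windows = [[(l, d) for ts, l, d in packets if t <= ts <= t + dt]
               for t in event_times]
    wsets = [set(w) for w in windows]
    presence = Counter(tup for ws in wsets for tup in ws)

    # Tuples seen after more than ratio * N triggers join the sample space directly.
    space, rest = [], defaultdict(list)
    for (l, d), c in presence.items():
        if c > ratio * n:
            space.append(((l, l), d))
        else:
            rest[d].append(l)

    # Otherwise, a run of consecutive observed lengths with one direction is
    # added as a whole interval when the run as a group covers > ratio * N windows.
    for d, lengths in rest.items():
        lengths.sort()
        run = [lengths[0]]
        for l in lengths[1:] + [None]:
            if l is not None and l == run[-1] + 1:
                run.append(l)
                continue
            members = {(x, d) for x in run}
            covered = sum(1 for ws in wsets if ws & members)
            if len(run) > 1 and covered > ratio * n:
                space.append(((run[0], run[-1]), d))
            run = [l]

    # Frequency estimate (assumed form): share of sample-space messages per element.
    counts = Counter()
    for w in windows:
        for l, d in w:
            for (lo, hi), dd in space:
                if dd == d and lo <= l <= hi:
                    counts[((lo, hi), dd)] += 1
                    break
    total = sum(counts.values())
    return {elem: counts[elem] / total for elem in sorted(space)}

def constructed_capture(n=10):
    """Constructed training capture: n triggers of one event, 60 s apart."""
    packets, events = [], []
    for i in range(n):
        t = 100.0 + 60 * i
        events.append(t)
        packets += [(t + 0.2, 235, "out"), (t + 0.5, 98, "in"), (t + 1.0, 98, "in"),
                    (t + 2.0, 310 + i % 4, "out"),   # length varies within 310..313
                    (t + 30.0, 66, "out")]           # background, outside the window
        if i < 3:
            packets.append((t + 3.0, 60, "in"))      # noise after only 3 triggers
    return packets, events

if __name__ == "__main__":
    for element, prob in extract_fingerprint(*constructed_capture()).items():
        print(element, prob)
```

In the constructed capture the variable-length message is never frequent enough on its own, but the interval 310 to 313 is, so it enters the fingerprint as a single element, while the noise tuple and the background message are excluded.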
The detection stage takes as input the real-time traffic of the smart home devices in the network and the fingerprint information of device trigger events extracted in the training stage; it tries to find traffic segments in the traffic that match the fingerprint information, and reports them as detected events. Assume that the fingerprint information of an event E is a discrete random variable with k dimensions, whose probability distribution is expressed as a vector $P = (p_1, p_2, \ldots, p_k)$.
During the detection phase the invention maintains a time window of the same length ($\Delta t$) as in the training phase, and the event window is moved forward in real time in steps of 1 second. For an event to be detected with fingerprint P, what is examined in each sliding time window is the message tuples of that window.
Step 103: calculating the reference probability distribution of the message tuples corresponding to each time window.
In this embodiment, the probability distribution of the message tuples that lie in the sample space of P in the traffic of the smart home device within the event window (referred to above as the reference probability distribution) is calculated by the same algorithm as in the training phase; that is, a probability distribution $Q = (q_1, q_2, \ldots, q_k)$ over the same sample space as P is obtained.
Step 104: matching the reference probability distribution against the standard reference probability distributions of the preset fingerprint information, and determining from the matching result whether there is a target standard reference probability distribution that matches the reference probability distribution.
In this embodiment, the reference probability distribution is matched against the standard reference probability distributions of the preset fingerprint information, and whether a target standard reference probability distribution matching the reference probability distribution exists is determined from the matching result; for example, a standard reference probability distribution whose matching degree is greater than a certain value is used as the target standard probability distribution matching the reference probability distribution.
Since the fingerprint information in the present invention is a discrete probability distribution, any metric capable of measuring the similarity or difference between two discrete probability distributions can be used. The Hellinger distance is an analogue of the Euclidean distance in the space of probability distributions. The KL divergence, also known as relative entropy, is widely used in machine learning as a loss function for optimization algorithms, and can also measure the difference between two discrete probability distributions. Both of these metrics can be used in the present invention.
In an embodiment of the present invention, the Hellinger distance between the reference probability distribution and the standard reference probability distribution of the preset fingerprint information is calculated, where the Hellinger distance is calculated according to the following formula (2):
wherein H is the Hellinger distance, P is the reference probability distribution, Q is the currently observed probability distribution, extracted in real time and in the same discrete probability space as P, k is the dimension of the probability space in which P lies, $p_i$ is the probability value of an element in the probability distribution P, and $q_i$ is the probability value of an element in the probability distribution Q.
In an embodiment of the present invention, the KL divergence between the reference probability distribution and the standard reference probability distribution of the preset fingerprint information is calculated, where the KL divergence is calculated according to formula (3):
wherein $D_{KL}$ is the KL divergence, Q is the currently observed probability distribution, extracted in real time and in the same discrete probability space as P, k is the dimension of the probability space in which P lies, $p_i$ is the probability value of an element in the probability distribution P, and $q_i$ is the probability value of an element in the probability distribution Q.
In one embodiment of the present invention, similar difference metrics can be chosen freely as needed; the design of the invention places no particular requirement on this. However, some message tuples may have only a small probability value in the fingerprint information, so even if these tuples do not appear during matching, i.e. their probability is 0, they do not produce a large difference value in general-purpose difference metrics. In the present invention, though, a message tuple used as event fingerprint information should not be considered less important because its probability is small. For this reason, the invention designs a special probability distribution metric, called the occurrence difference (OD), which is defined as formula (4):
wherein OD is the value of the occurrence difference, $f(p)$ is the weight of the message tuple corresponding to the reference probability distribution, $p_i$ and $p_j$ are probability values of elements in the probability distribution P, $q_j$ is the probability value of an element in the probability distribution Q, and k is the dimension of the probability space in which P lies. Here $f(p)$ determines the weight of a message tuple of the fingerprint in the metric: the smaller the probability, the greater the weight. To prevent certain values from receiving so large a weight that the robustness of the fingerprint is affected, an upper bound on the weight is set in the formula. In the occurrence difference, a message tuple in the sample space of the fingerprint information contributes to the difference metric value only when its current statistical probability is 0. Note also that under this metric a message tuple with a high probability in the fingerprint information has only a small weight. This is because the metric is meant to be used together with other metrics: once a message tuple with a high probability in the fingerprint information is lost, the difference is reflected in a metric such as the Hellinger distance.
Step 105: if the target standard reference probability distribution exists, generating a trigger event occurrence report containing the fingerprint information corresponding to the target standard reference probability distribution.
In this embodiment, if a target standard reference probability distribution exists, a trigger event occurrence report including the fingerprint information corresponding to the target standard reference probability distribution is generated.
When, at a given moment, every adopted difference metric between the probability distribution of the message tuples in the event window and the fingerprint information is smaller than its corresponding threshold, the invention considers that the trigger event corresponding to the fingerprint information has occurred on the smart home device at the current moment, and reports it. The threshold of each difference metric may be chosen based on the metric values between the fingerprint information and the probability distributions extracted within the event windows of the corresponding event labels in the training phase. Experiments show that, because the fingerprint information extracted by the invention is highly discriminative, the thresholds can reasonably be chosen from a fairly wide range.
Finally, the present invention adds anti-jitter processing to the reporting of detected events. The time window length chosen in the invention is usually larger than the step by which the window moves, so after a given trigger an event match occurs in several consecutive sliding windows, and the fingerprint matches in these windows actually result from a single event trigger. Therefore, for fingerprint matches of the same event that are separated by no more than the length of the sliding window, the event is reported only for the first match, and subsequent matches are not reported until a sufficient time interval has passed.
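The detection stage with threshold matching and anti-jitter reporting, as an added Python example that is not code from the patent. Formulas (2) and (3) are not reproduced on this page, so the sketch uses the standard definitions of the Hellinger distance and of D_KL(P‖Q); the direction of the KL divergence, the thresholds, the fingerprint and the traffic are all constructed assumptions.

```python
import math

def hellinger(p, q):
    """Standard Hellinger distance between two distributions over the same k elements."""
    return math.sqrt(sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q)) / 2)

def kl_divergence(p, q):
    """Standard D_KL(P || Q); infinite when a fingerprint element is absent from Q."""
    total = 0.0
    for a, b in zip(p, q):
        if a == 0:
            continue
        if b == 0:
            return math.inf
        total += a * math.log(a / b)
    return total

def observe(packets, start, dt, space):
    """Distribution Q of the window [start, start + dt] over the fingerprint's sample space."""
    counts = [0] * len(space)
    for ts, length, direction in packets:
        if start <= ts <= start + dt:
            for i, ((lo, hi), d) in enumerate(space):
                if d == direction and lo <= length <= hi:
                    counts[i] += 1
                    break
    total = sum(counts)
    return [c / total for c in counts] if total else None  # None: nothing to compare

def detect(packets, fingerprint, max_h, max_kl, dt=10.0, step=1.0):
    """Slide the window in `step` seconds; report a match once per trigger."""
    space = list(fingerprint)
    p = [fingerprint[e] for e in space]
    reports, last = [], None
    start = math.floor(packets[0][0]) - dt
    while start <= packets[-1][0]:
        q = observe(packets, start, dt, space)
        if q is not None:
            h, kl = hellinger(p, q), kl_divergence(p, q)
            # Anti-jitter: matches within one window length of the last report
            # come from the same trigger and are suppressed.
            if h < max_h and kl < max_kl and (last is None or start - last > dt):
                reports.append({"window": (start, start + dt), "hellinger": h, "kl": kl})
                last = start
        start += step
    return reports

# Constructed fingerprint, in the form {((l_a, l_b), direction): probability}.
FINGERPRINT = {((98, 98), "in"): 0.5, ((235, 235), "out"): 0.25, ((310, 313), "out"): 0.25}
# Constructed traffic, sorted by time: a clean event at t=20, a lone unrelated
# message at t=50, and an event at t=80 in which one (98, "in") message was lost.
TRAFFIC = [(20.2, 235, "out"), (20.5, 98, "in"), (21.0, 98, "in"), (22.0, 312, "out"),
           (50.0, 98, "in"),
           (80.2, 235, "out"), (80.5, 98, "in"), (82.0, 311, "out")]

if __name__ == "__main__":
    for report in detect(TRAFFIC, FINGERPRINT, max_h=0.2, max_kl=0.1):
        print(report)
```

Nine consecutive windows match each event, but only the first is reported; the event with a lost message still matches with a small non-zero distance, while the lone message at t=50 is rejected because two fingerprint elements are absent from its window.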
Therefore, referring to fig. 2, the invention designs an algorithm which takes the length probability distribution of network messages generated by the smart home internet of things equipment within a certain time as event-level fingerprint information, the working process of the algorithm is divided into two stages, namely a training stage and a detection stage, and the task of extracting the fingerprint information and identifying equipment events from real-time traffic according to the existing fingerprint information is respectively carried out.
The effect of the method was tested on a dataset of traffic generated by current mainstream smart home devices. The results show that the method can successfully perform event-level fingerprint extraction on smart home devices that use different communication protocols (the TCP protocol and the UDP protocol). Compared with similar methods, it achieves higher event detection accuracy and a lower false matching rate.
Fig. 3 and fig. 4 show the curves of two difference metrics, the Hellinger distance and the KL divergence, while the invention detects 100 consecutive state switching events of the D-Link networked smart plug. The upper curve in each graph is the minimum of the corresponding fingerprint difference metric over the remaining dozens of kinds of smart home devices in the same network, and the lower curve is the event detection distance metric of the device itself, the D-Link Plug.
As can be seen from the figures, the event-level fingerprints extracted by the method are sufficiently discriminative and can accurately identify the occurrence of an event. Meanwhile, the area inside the red rectangle in the figure shows that, although the difference metric rises slightly when some messages are lost, the method adapts well to this interference and shows good robustness as long as the threshold is chosen reasonably.
In summary, the universal and robust event fingerprint extraction method for smart home devices in the embodiments of the present invention extracts and identifies event-level fingerprints of smart home devices by directly matching traffic statistical features; it is universal and highly robust, and can adapt to interference from network jitter and similar phenomena.
In order to implement the embodiment, the invention further provides a universal and robust intelligent household equipment event fingerprint extraction device.
Fig. 5 is a schematic structural diagram of a general and robust event fingerprint extraction apparatus for smart home devices according to an embodiment of the present invention.
As shown in fig. 5, the universal and robust smart home device event fingerprint extraction apparatus includes: an extraction module 510, an acquisition module 520, a calculation module 530, a determination module 540, and a generation module 550.
The extracting module 510 is configured to extract a standard reference probability distribution as preset fingerprint information from a network traffic data set with event labels;
an obtaining module 520, configured to detect a flow of the smart home device according to a preset time window and a preset stride, and obtain a message length and direction binary group corresponding to each time window;
a calculating module 530, configured to calculate a reference probability distribution of the message binary group corresponding to each time window;
a determining module 540, configured to match the reference probability distribution with a standard reference probability distribution of the preset fingerprint information, and determine whether a target standard reference probability distribution matching the reference probability distribution exists according to a matching result;
a generating module 550, configured to generate, when the target standard reference probability distribution exists, an occurrence report of a trigger event that includes fingerprint information corresponding to the target standard reference probability distribution.
It should be noted that the explanation of the embodiment of the general and robust smart home device event fingerprint extraction method is also applicable to the general and robust smart home device event fingerprint extraction apparatus of the embodiment, and details are not repeated here.
In order to implement the foregoing embodiments, the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the general and robust smart home device event fingerprint extraction method described in the foregoing embodiments.
In order to implement the foregoing embodiments, the present invention further provides a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the universal and robust smart home device event fingerprint extraction method as described in the foregoing embodiments.
In order to implement the foregoing embodiments, the present invention further provides a computer program product, where instructions in the computer program product, when executed by a processor, implement the general and robust smart home device event fingerprint extraction method described in the foregoing embodiments.
In the description herein, references to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Moreover, various embodiments or examples and features of various embodiments or examples described in this specification can be combined by one skilled in the art without being mutually inconsistent.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are exemplary and not to be construed as limiting the present invention, and that changes, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
Claims (9)
1. A general and robust event fingerprint extraction method for smart home equipment is characterized by comprising the following steps:
extracting standard reference probability distribution serving as preset fingerprint information from a network traffic data set with event labels;
detecting the flow of the intelligent household equipment according to a preset time window and a preset step length, and acquiring a message length and direction binary group corresponding to each time window;
calculating the reference probability distribution of the message binary group corresponding to each time window;
matching the reference probability distribution with the standard reference probability distribution of the preset fingerprint information, and determining whether a target standard reference probability distribution matched with the reference probability distribution exists according to a matching result;
and if the target standard reference probability distribution exists, generating a trigger event occurrence report containing fingerprint information corresponding to the target standard reference probability distribution.
2. The method according to claim 1, before the detecting the flow of the smart home devices according to the preset time window and the preset step, further comprising:
acquiring corresponding flow in a preset continuous interval of the event triggered for N times, wherein N is a natural number greater than 1, the event E triggered for N times is marked as {E1, E2, …, En}, and the corresponding timestamps are marked as {t1, t2, …, tn};
judging whether a binary group (l, d) of the corresponding message length and direction appears in the flow corresponding to each event in the N events within a time window [ t, t + delta t ] corresponding to the time t of the occurrence of each event;
determining whether the frequency of the events of the corresponding binary group (l, d) is more than or equal to 0.9N from the messages in the N time windows;
determining the binary group $(l_1, d_1)$ for which the frequency of the events is greater than or equal to 0.9N;
determining, as a sample binary group interval $([l_{a2}, l_{b2}], d_2)$, where $l_{a2} \le l \le l_{b2}$, the binary groups whose messages lie in a continuous interval, appear in turn in different triggers of the same event, and whose occurrence counts sum to more than 0.9N,
wherein any single message binary group (l, d) in the sample binary group interval $([l_{a2}, l_{b2}], d_2)$ appears at least once in the messages in the N time windows, and the sum of the occurrence times of all the message binary groups in the interval is more than 0.9N;
taking the binary group $(l_1, d_1)$ or the sample binary group interval $([l_{a2}, l_{b2}], d_2)$ as the sample space of a discrete random variable X, taking the proportion of the occurrence times of each message binary group in the sample space in all N time windows as a probability to obtain the probability distribution of X, and taking the probability distribution as the standard reference probability distribution of the preset fingerprint information, wherein the formula of the standard reference probability distribution is as follows:
wherein X is a discrete random variable corresponding to each sample binary group, (l, d) is a sample binary group, i, j are value indexes of the random variables, p is a probability value of the corresponding random variable, $l_{ja}$ is an upper bound of the range of continuous message lengths, and $l_{jb}$ is the lower bound of the continuous message length range corresponding to $l_{ja}$.
3. The method of claim 2, wherein the calculating the reference probability distribution of the message duplet corresponding to each time window comprises:
for a specific standard reference probability distribution S, calculating, in each time window, the probability distribution of the elements of the sample space of S by the same method as used for the standard reference probability, so as to obtain a real-time reference probability distribution with the same sample space as S.
4. The method of claim 1, wherein matching the reference probability distribution with a standard reference probability distribution of preset fingerprint information comprises:
calculating a Hellinger distance between the reference probability distribution and a standard reference probability of preset fingerprint information, wherein a calculation formula of the Hellinger distance is as follows:
wherein H is the Hellinger distance, P is the reference probability distribution, Q is the currently observed probability distribution, extracted in real time in the same discrete probability space as P, k is the dimension of the probability space of P, $p_i$ represents the probability value of an element in the probability distribution P, and $q_i$ represents the probability value of an element in the probability distribution Q.
5. The method of claim 1, wherein matching the reference probability distribution with a standard reference probability distribution of preset fingerprint information comprises:
calculating KL divergence of the reference probability distribution and a standard reference probability of preset fingerprint information, wherein the calculation formula of the KL divergence is as follows:
wherein $D_{KL}$ is the KL divergence, P is the reference probability distribution, Q is the currently observed probability distribution, extracted in real time in the same discrete probability space as P, k is the dimension of the probability space where P is located, $p_i$ represents the probability value of an element in the probability distribution P, and $q_i$ represents the probability value of an element in the probability distribution Q.
6. The method of claim 1, wherein matching the reference probability distribution with a standard reference probability distribution of preset fingerprint information comprises:
calculating the matching degree of the reference probability distribution and a standard reference probability distribution of preset fingerprint information according to a preset occurrence difference formula, wherein the occurrence difference formula is as follows:
wherein OD is the value of the occurrence difference, f(p) is the weight of the message binary group corresponding to the reference probability distribution, $p_i$ and $p_j$ both represent the probability value of an element in the probability distribution P, $q_j$ represents the probability value of an element in the probability distribution Q, and k is the dimension of the probability space in which P is located.
7. A universal and robust smart home device event fingerprint extraction apparatus, characterized by comprising:
the extraction module is used for extracting standard reference probability distribution serving as preset fingerprint information from the network traffic data set with the event labels;
the acquisition module is used for detecting the flow of the intelligent household equipment according to a preset time window and a preset step, and acquiring a message length and direction binary group corresponding to each time window;
the calculation module is used for calculating the reference probability distribution of the message length and the direction binary group corresponding to each time window;
the determining module is used for matching the reference probability distribution with the standard reference probability distribution of the preset fingerprint information and determining whether a target standard reference probability distribution matched with the reference probability distribution exists or not according to a matching result;
and the generating module is used for generating a trigger event occurrence report containing fingerprint information corresponding to the target standard reference probability distribution when the target standard reference probability distribution exists.
8. A computer arrangement comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method according to any of claims 1-6 when executing the computer program.
9. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method of any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110220363.6A CN113037586B (en) | 2021-02-26 | 2021-02-26 | Universal and robust event fingerprint extraction method and device for smart home equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110220363.6A CN113037586B (en) | 2021-02-26 | 2021-02-26 | Universal and robust event fingerprint extraction method and device for smart home equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113037586A (en) | 2021-06-25 |
CN113037586B (en) | 2022-08-19 |
Family
ID=76461984
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110220363.6A Active CN113037586B (en) | 2021-02-26 | 2021-02-26 | Universal and robust event fingerprint extraction method and device for smart home equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113037586B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113997989B (en) * | 2021-11-29 | 2024-03-29 | 中国人民解放军国防科技大学 | Safety detection method, device, equipment and medium for single-point suspension system of maglev train |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111556473A (en) * | 2020-05-08 | 2020-08-18 | 国家计算机网络与信息安全管理中心 | Abnormal access behavior detection method and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7707285B2 (en) * | 2006-09-27 | 2010-04-27 | Integrien Corporation | System and method for generating and using fingerprints for integrity management |
US9998483B2 (en) * | 2015-12-22 | 2018-06-12 | Mcafee, Llc | Service assurance and security of computing systems using fingerprinting |
CN112019574B (en) * | 2020-10-22 | 2021-01-29 | 腾讯科技(深圳)有限公司 | Abnormal network data detection method and device, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN113037586A (en) | 2021-06-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||