CN114125847B - Terminal identity authentication method based on equipment fingerprint under ubiquitous electric power Internet of things - Google Patents


Info

Publication number
CN114125847B
CN114125847B (application CN202010875529.3A; earlier publication CN114125847A)
Authority
CN
China
Prior art keywords
scanning
similarity
equipment
node
queue
Prior art date
Legal status
Active
Application number
CN202010875529.3A
Other languages
Chinese (zh)
Other versions
CN114125847A (en)
Inventor
白撰彦
刘明曦
白撰宇
马俊杰
田锐
康琳
Current Assignee
Northeastern University Qinhuangdao Branch
Original Assignee
Northeastern University Qinhuangdao Branch
Priority date
Filing date
Publication date
Application filed by Northeastern University Qinhuangdao Branch
Priority to CN202010875529.3A
Publication of CN114125847A
Application granted
Publication of CN114125847B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/23: Clustering techniques
    • G06F18/231: Hierarchical techniques, i.e. dividing or merging pattern sets so as to obtain a dendrogram
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/50: Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005: Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027: Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resource being a machine, e.g. CPUs, servers, terminals
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00: Indexing scheme relating to G06F9/00
    • G06F2209/50: Indexing scheme relating to G06F9/50
    • G06F2209/5018: Thread allocation
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a terminal identity authentication method based on equipment fingerprints under the ubiquitous electric power Internet of things, and relates to the technical field of identity authentication. The method comprises the following steps. First, once the scanning time is reached, the application-layer response data of the equipment is obtained by network scanning, and the next scan start time is calculated with a scan time prediction algorithm based on exponential increment. Second, the obtained scanning data is clustered by an automatic device fingerprint collection and detection algorithm based on hierarchical clustering to obtain a detection template; unknown devices are classified according to the template, identity authentication requests identified as coming from normal devices are responded to normally, and those identified as coming from abnormal devices are discarded. The invention has the advantages of low energy consumption, universality and hierarchical authentication.

Description

Terminal identity authentication method based on equipment fingerprint under ubiquitous electric power Internet of things
Technical Field
The invention relates to the technical field of identity authentication, in particular to a terminal identity authentication method based on equipment fingerprints under ubiquitous electric power Internet of things.
Background
In the ubiquitous power Internet of things, a strong smart grid carrying power flows and the ubiquitous power Internet of things carrying data flows jointly form an energy Internet that integrates energy flow, business flow and data flow. However, since most devices in the intended scenario are Internet of things devices, and an attack on a single device threatens the running stability of the whole power system, protecting the security of terminal nodes and establishing a sufficiently robust and efficient identity authentication mechanism for them is a key technical problem in building the ubiquitous power Internet of things. At present, terminal nodes of the Internet of things are still authenticated mainly by user name and password, and this approach has the following problems:
1) The complicated key negotiation process increases the energy consumption of the internet of things equipment;
2) The huge number of terminals makes efficient hierarchical key management impossible for an authentication server;
3) The highly heterogeneous terminal environment requires a wide variety of authentication protocols, thereby increasing deployment difficulty.
Device fingerprint acquisition and processing can replace password-based techniques for identity authentication of Internet of things devices. A device fingerprint is a feature extracted from the device itself, including inherent, hard-to-tamper-with, unique device identification. Almost all terminal devices run application-layer services, and the developers of those services report the service name and version they developed to users in order to distinguish them from other services; other developers cannot modify them, so identifying terminal devices through device fingerprint information remains effective. A typical existing device-fingerprint-based identity authentication scheme is that of Bonneau J. et al., who propose enhancing wireless device authentication with several unique characteristics of the Internet of things device. Specifically, a weighted combination of several Internet-of-things-specific characteristics is used as a new device fingerprint for the device authenticator; this fingerprint is then applied in a hypothesis test to authenticate the device, and optimal weights for the feature combination are derived to maximize the non-repeatability of the authenticated device features. However, that method is inefficient when acquiring multi-characteristic device fingerprints, and it lacks a module for calculating the detection gap after the initial detection has finished, so a new execution starts immediately after a single scan detection task completes, causing extra system execution overhead.
Disclosure of Invention
(I) Technical problems to be solved
Aiming at the defects of the prior art, the invention provides a terminal identity authentication method based on equipment fingerprints in the ubiquitous electric power Internet of things, which solves the problems of high energy consumption of Internet of things equipment, the impossibility of effective hierarchical key management, and increased deployment difficulty.
(II) Technical scheme
In order to achieve the above purpose, the invention is realized by the following technical scheme. A terminal identity authentication method based on equipment fingerprints under the ubiquitous electric power Internet of things comprises the following steps. First, after the scanning time is reached, network scanning is used to acquire the application-layer response data of the equipment, and a scan time prediction algorithm based on exponential increment is used to calculate the next time at which scanning starts. Second, for the obtained scanning data, the automatic device fingerprint collection and detection algorithm based on hierarchical clustering clusters response data of similar structure to obtain a detection template; unknown devices are classified according to the template, identity authentication requests identified as coming from normal devices are responded to normally, and those identified as coming from abnormal devices are discarded. The exponential-increment scan time prediction algorithm combines ZMap and Nmap and divides scanning into two steps: ZMap is first used to detect which hosts are alive, then Nmap is used to acquire the application-layer response data of the surviving hosts. Scanning focuses on newly appearing devices and frequently changing devices according to the preset key links and protection range, which narrows the scanning range, dynamically adjusts the scanning interval, reduces the scanning frequency, improves the efficiency of incremental scanning and greatly reduces the resource consumption caused by scanning.
Preferably, the exponential-increment scan time prediction algorithm proceeds as follows:
The algorithm constructs two scanning queues: (1) an area scanning queue and (2) a node scanning queue. The area scanning queue is aimed at liveness detection: incremental IP scanning of all nodes in the defense range is carried out with ZMap to obtain the IP list of all surviving hosts. The node scanning queue obtains the application-layer response data of all surviving hosts and discovers abnormal nodes quickly and accurately. The time intervals are calculated as follows:
a. For the area scanning queue A, a scanning interval of $2 \times s$ ($s$ being the number of IPs in the queue) is set and the next scanning time is calculated; on each run the system scans only those IPs whose next scanning time is at or before the current time. The area is scanned comprehensively with the incremental IP scanning method. If the scan finds a new IP, that IP is added to the node scanning queue, and the area scanning interval, denoted $SI_A$, is set to $SI_A = SI_A \times 2^{-1}$ before the next scanning time is calculated. If no new IP is found, $SI_A = SI_A + SI_A \times 2^{i-3}$ (where $i$ is the number of scans of the area), and if $SI_A > \eta$ ($\eta$ being the maximum interval of the area scan), $SI_A = \eta$. The area needs to be scanned regularly to ensure information security, so $\eta$ is set to 1 month.
b. For the node scanning queue B, an IP scan urgency $SC$ is calculated for each node in the queue. If, according to the latest scan result, the device fingerprint has changed, the device fingerprint is updated, the node's $SC$ is recalculated, and the node scanning interval, denoted $SI_B$, is set to $SI_B = SI_B \times 2^{-1}$ before the next scanning time is calculated. If the device fingerprint has not changed, $SI_B = SI_B + SI_B \times 2^{i-3}$ and $SC = SC - (1/2)^i$ (where $i$ is the number of scans; when $SC - 2^{-i} \le 0$, $SC$ is set to 0). If $SC = 0$ for an IP, the IP is removed from the node scanning queue.
The process is described as follows:
S1. According to the given defense range, perform one complete scan of all nodes and store the scanning data of each node for later historical queries. The IP scan urgency $SC$ is calculated from the node importance $NI$ and the node depth $ND$, and if $SC > 0$ the node is added to the node scanning queue. The time $ds$ taken by this complete scan is recorded.
S2. The scanning interval $SI_A$ of the area scanning queue is initialized to $2 \times s$ ($s$ being the number of IPs in the queue) and the next scanning time is calculated.
S3. According to the complete scan time $ds$ obtained in S1, the scanning interval $SI_B$ of the node scanning queue is set to $ds$ and the next scanning time is calculated.
S4. The scanning system runs for a long time as two threads, one scanning the node queue and the other the area queue. Each thread scans the IPs in its queue whose next scanning time is at or before the current time. For each IP it first checks whether a device fingerprint for that IP already exists. If so, the previous fingerprint is read and compared with the newly generated one; if they differ, the device fingerprint library is updated and the change count of that fingerprint is incremented by 1. If no fingerprint exists, the new device fingerprint is added to the library. For changed IPs and newly added IPs, the change frequency $CF$ of the device fingerprint is calculated from the change count and the scan count, and the IP scan urgency $SC$ is calculated or updated; if the IP is newly appeared and $SC > 0$, the node is added to the node scanning queue, and if the IP already exists and $SC$ changes from non-zero to 0, the IP is removed from the node scanning queue. Finally, the scanning intervals of the area and of the nodes and the next scan start times are recalculated according to the interval calculation method above.
Preferably, the hierarchical-clustering-based automatic device fingerprint collection and detection algorithm proceeds as follows. First, a data preprocessing step outputs the response packet header as structured fields of the form <field name: value>. Second, similarity is calculated by combining field similarity and value similarity. Then hierarchical clustering merges data fingerprints of different kinds into similar clusters from the bottom up until they are clustered into one cluster. Finally, a detection template is generated; detection consists of calculating the similarity between the header of the response to be detected and the detection template, and if the similarity between the fingerprint of an unknown device and the template exceeds a set threshold, the device is considered a malicious device and the identity authentication request it sends is discarded. Data preprocessing filters the scanning data, removing invalid response packets and malformed packets to obtain valid packets, then extracts the response header part and outputs it as structured <field name: value> fields using a Python dictionary. Similarity calculation: to cluster similar devices, the similarity between every pair of response headers needs to be calculated, and for the two parts of the resulting structured field <field name: value> the field similarity and the value similarity are considered separately.
Preferably, field similarity refers to the different kinds of fields that different devices have. To calculate it, the set of all fields present in the response headers is collected and the corresponding word frequency vector of each header is listed (1 for a field that is present, 0 for one that is absent); the field similarity $Sim_A$ is obtained by calculating the cosine similarity of these vectors, and the larger the cosine similarity, the larger the field similarity.
Value similarity refers to the similarity of the field contents: the edit distance $dis$ between the two values is calculated and the similarity is derived from it; the smaller the edit distance, the higher the similarity of the two. The similarity therefore needs to be calculated for every field, with a similarity of 0 for a field present in only one header, and the final value similarity $Sim_B$ is obtained by cumulative summation.
The final similarity $Sim$ is calculated as follows:
$Sim = Sim_A \times Sim_B$
Hierarchical clustering: the response headers of similar devices have similar structures, so the devices are divided into several classes with a hierarchical clustering algorithm. The similarities between all pairs of response headers obtained in the previous step are used to construct a similarity matrix; according to this matrix each IP starts as its own cluster, and similar clusters are then merged from the bottom up until they are clustered into one cluster.
Description of the procedure:
1) From the similarity matrix, find the two closest classes, i.e. the maximum off-diagonal value in the similarity matrix, and merge $P_m$ and $P_n$ into a new class $P_r$; the total number of classes decreases by one and the clustering level increases by one. If the maximum value is attained by more than one pair, those pairs can be merged at the same time.
2) Using the longest-distance method, recalculate the similarity between the newly generated class $P_r$ and any other class $P_k$ as $Sim_{kr} = \max(Sim_{km}, Sim_{kn})$ and replace the corresponding entries of the similarity matrix.
3) Repeat steps 1 and 2 until all sample points are classified into one class.
Template generation: after clustering, similar response headers have been grouped into one class, so repeated parts of the fields are de-duplicated and, for each field, the union of that field's contents within the cluster is taken as the value of the field in the template, which generates a detection template.
Preferably, the unknown device detection process is as follows: the header of the response to be detected is matched against the detection template by calculating their similarity with the same similarity calculation as above. Since the same header field in the template can have several values, the calculation takes the value with the highest similarity. Finally, if the similarity between the fingerprint of the unknown device and the template exceeds a set threshold, the device is considered a malicious device.
(III) Beneficial effects
The invention provides a terminal identity authentication method based on equipment fingerprints under the ubiquitous power Internet of things. The beneficial effects are as follows:
1. The invention acquires the device fingerprint by network scanning: a probe packet is sent to the device, the corresponding response packet is obtained, and the device fingerprint is extracted from the response packet. Nothing needs to be deployed on the terminal node, the computing and storage cost of the terminal device does not increase, and the method is not affected by device heterogeneity, so it has the advantages of low energy consumption and universality.
2. In the exponential-increment scan time prediction algorithm, the key links requiring priority protection are preset in advance, higher weight is assigned to the key nodes on those links, and changes of the key nodes are discovered more efficiently, so the method has the advantage of hierarchical authentication.
3. In the hierarchical-clustering-based automatic device fingerprint collection and detection algorithm, hierarchical clustering of the various kinds of Internet of things devices is achieved by calculating fingerprint similarity without manual labeling, and similar devices are automatically grouped into one class. Because the position of the device information in the scanned data appears randomly and dispersedly, the data of the whole response header is used, which gives a wide fingerprint collection range, and on this basis both field and value are considered together to calculate the overall similarity. The availability and effectiveness of Internet of things identity authentication are therefore improved, and the cost of changing equipment during expansion is reduced.
Drawings
FIG. 1 is a schematic diagram of a process for generating a detection template of the device of the present invention;
FIG. 2 is a schematic diagram of the unknown device detection process of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment one:
As shown in FIGS. 1 and 2, the embodiment of the invention provides a terminal identity authentication method based on equipment fingerprints under the ubiquitous electric power Internet of things, which comprises the following steps. First, after the scanning time is reached, network scanning is used to acquire the application-layer response data of the equipment, and a scan time prediction algorithm based on exponential increment is used to calculate the next time at which scanning starts. Second, for the obtained scanning data, the automatic device fingerprint collection and detection algorithm based on hierarchical clustering clusters response data of similar structure to obtain a detection template; unknown devices are classified according to the template, identity authentication requests identified as coming from normal devices are responded to normally, and those identified as coming from abnormal devices are discarded. The exponential-increment scan time prediction algorithm combines ZMap and Nmap and divides scanning into two steps: ZMap is first used to detect which hosts are alive, then Nmap is used to acquire the application-layer response data of the surviving hosts. Scanning is set up according to the preset key links and the defense range requiring priority protection, so that it focuses on newly appearing devices and frequently changing devices; this narrows the scanning range, dynamically adjusts the scanning interval, reduces the scanning frequency, improves the efficiency of incremental scanning and greatly reduces the resource consumption caused by scanning.
The exponential-increment scan time prediction algorithm is as follows:
The algorithm constructs two scanning queues: (1) an area scanning queue and (2) a node scanning queue. The area scanning queue is aimed at liveness detection: incremental IP scanning of all nodes in the defense range is carried out with ZMap to obtain the IP list of all surviving hosts. The node scanning queue obtains the application-layer response data of all surviving hosts and discovers abnormal nodes quickly and accurately. The time intervals are calculated as follows:
a. For the area scanning queue A, a scanning interval of $2 \times s$ ($s$ being the number of IPs in the queue) is set and the next scanning time is calculated; on each run the system scans only those IPs whose next scanning time is at or before the current time. The area is scanned comprehensively with the incremental IP scanning method. If the scan finds a new IP, that IP is added to the node scanning queue, and the area scanning interval, denoted $SI_A$, is set to $SI_A = SI_A \times 2^{-1}$ before the next scanning time is calculated. If no new IP is found, $SI_A = SI_A + SI_A \times 2^{i-3}$ (where $i$ is the number of scans of the area), and if $SI_A > \eta$ ($\eta$ being the maximum interval of the area scan), $SI_A = \eta$. The area needs to be scanned regularly to ensure information security, so $\eta$ is set to 1 month.
b. For the node scanning queue B, an IP scan urgency $SC$ is calculated for each node in the queue. If, according to the latest scan result, the device fingerprint has changed, the device fingerprint is updated, the node's $SC$ is recalculated, and the node scanning interval, denoted $SI_B$, is set to $SI_B = SI_B \times 2^{-1}$ before the next scanning time is calculated. If the device fingerprint has not changed, $SI_B = SI_B + SI_B \times 2^{i-3}$ and $SC = SC - (1/2)^i$ (where $i$ is the number of scans; when $SC - 2^{-i} \le 0$, $SC$ is set to 0). If $SC = 0$ for an IP, the IP is removed from the node scanning queue.
The process is described as follows:
S1. According to the given defense range, perform one complete scan of all nodes and store the scanning data of each node for later historical queries. The IP scan urgency $SC$ is calculated from the node importance $NI$ and the node depth $ND$, and if $SC > 0$ the node is added to the node scanning queue. The time $ds$ taken by this complete scan is recorded.
S2. The scanning interval $SI_A$ of the area scanning queue is initialized to $2 \times s$ ($s$ being the number of IPs in the queue) and the next scanning time is calculated.
S3. According to the complete scan time $ds$ obtained in S1, the scanning interval $SI_B$ of the node scanning queue is set to $ds$ and the next scanning time is calculated.
S4. The scanning system runs for a long time as two threads, one scanning the node queue and the other the area queue. Each thread scans the IPs in its queue whose next scanning time is at or before the current time. For each IP it first checks whether a device fingerprint for that IP already exists. If so, the previous fingerprint is read and compared with the newly generated one; if they differ, the device fingerprint library is updated and the change count of that fingerprint is incremented by 1. If no fingerprint exists, the new device fingerprint is added to the library. For changed IPs and newly added IPs, the change frequency $CF$ of the device fingerprint is calculated from the change count and the scan count, and the IP scan urgency $SC$ is calculated or updated; if the IP is newly appeared and $SC > 0$, the node is added to the node scanning queue, and if the IP already exists and $SC$ changes from non-zero to 0, the IP is removed from the node scanning queue. Finally, the scanning intervals of the area and of the nodes and the next scan start times are recalculated according to the interval calculation method above.
The hierarchical-clustering-based automatic device fingerprint collection and detection algorithm proceeds as follows:
First, a data preprocessing step outputs the response packet header as structured fields of the form <field name: value>. Second, similarity is calculated by combining field similarity and value similarity. Then hierarchical clustering merges data fingerprints of different kinds into similar clusters from the bottom up until they are clustered into one cluster. Finally, a detection template is generated; detection consists of calculating the similarity between the header of the response to be detected and the detection template, and if the similarity between the fingerprint of an unknown device and the template exceeds a set threshold, the device is considered a malicious device and the identity authentication request it sends is discarded.
Data preprocessing: the scanning data is filtered, removing invalid response packets and malformed packets to obtain valid packets; the response header part is then extracted and output as structured <field name: value> fields using a Python dictionary.
Similarity calculation: to cluster similar devices, the similarity between every pair of response headers needs to be calculated, and for the two parts of the resulting structured field <field name: value> the field similarity and the value similarity are considered separately.
Field similarity refers to the different kinds of fields that different devices have. To calculate it, the set of all fields present in the response headers is collected and the corresponding word frequency vector of each header is listed (1 for a field that is present, 0 for one that is absent); the field similarity $Sim_A$ is obtained by calculating the cosine similarity of these vectors, and the larger the cosine similarity, the larger the field similarity.
Value similarity refers to the similarity of the field contents: the edit distance $dis$ between the two values is calculated and the similarity is derived from it; the smaller the edit distance, the higher the similarity of the two. The similarity therefore needs to be calculated for every field, with a similarity of 0 for a field present in only one header, and the final value similarity $Sim_B$ is obtained by cumulative summation.
The final similarity $Sim$ is calculated as follows:
$Sim = Sim_A \times Sim_B$
Hierarchical clustering: the response headers of similar devices have similar structures, so the devices are divided into several classes with a hierarchical clustering algorithm. The similarities between all pairs of response headers obtained in the previous step are used to construct a similarity matrix; according to this matrix each IP starts as its own cluster, and similar clusters are then merged from the bottom up until they are clustered into one cluster.
Description of the procedure:
1) From the similarity matrix, find the two closest classes, i.e. the maximum off-diagonal value in the similarity matrix, and merge $P_m$ and $P_n$ into a new class $P_r$; the total number of classes decreases by one and the clustering level increases by one. If the maximum value is attained by more than one pair, those pairs can be merged at the same time.
2) Using the longest-distance method, recalculate the similarity between the newly generated class $P_r$ and any other class $P_k$ as $Sim_{kr} = \max(Sim_{km}, Sim_{kn})$ and replace the corresponding entries of the similarity matrix.
3) Repeat steps 1 and 2 until all sample points are classified into one class.
Template generation: after clustering, similar response headers have been grouped into one class, so repeated parts of the fields are de-duplicated and, for each field, the union of that field's contents within the cluster is taken as the value of the field in the template, which generates a detection template.
The unknown device detection process comprises the following steps: the header of the response to be detected is matched against the detection template by calculating their similarity with the same similarity calculation as above. Since the same header field in the template can have several values, the calculation takes the value with the highest similarity. Finally, if the similarity between the fingerprint of the unknown device and the template exceeds a set threshold, the device is considered a malicious device.
Related concepts and definitions
Assume that m key links l_i (i = 1, 2, …, m) are currently set, together with a defense region of range d containing s nodes in total, each node being n_s (n = 1, 2, …, s).
Definition 1: node importance NI (Importance of Node) indicates whether node n_s lies on a key link l_i; the specific value can be set in a user-defined way, and the default calculation formula is as follows:
Definition 2: node depth ND (Node Depth) is the distance from node n_s (n = 1, 2, …, s) to the scanning server.
Definition 3: change frequency CF (Change Frequency) of the device fingerprint; its value is determined by the scanning times (ST) of the IP and the change times (CT) of the device fingerprint, with the calculation formula as follows:
Definition 4: IP scan urgency SC (Scan Criticalness) measures how urgently an IP needs to be scanned; its determinants are the node importance NI, the node depth ND and the device fingerprint change frequency CF, and it is calculated as follows:
SC = NI × (ND × α + CF × β)
α + β = 1
where α and β are weight coefficients whose values can be user-defined; the defaults are α = 0.5 and β = 0.5.
Definition 5: scan interval SI (Scan Interval) is the time difference between the start of the next scan and the end of the current scan; SI is set dynamically according to the real-time scanning situation.
1. Scanning time prediction algorithm based on exponential increase
Assume the given scanning range is five Internet of Things devices, corresponding to IP_1, IP_2, …, IP_5, where IP_1 is a node on a key link. The first complete scan is performed and is recorded as taking 60 minutes; the scan urgency of each node is calculated as shown in the following table.
IP NI ND SC
1 60% 10 3
2 40% 12 2.4
3 40% 11 2.2
4 40% 1 0.2
5 40% 12 2.4
The scanning interval SI_A of the area scanning queue A is initialised to 10 min, and the scanning interval SI_B of the node scanning queue B is set to 60 min. Every node has SC > 0, so the order of the node scanning queue is IP_1, IP_2, IP_5, IP_3, IP_4.
Assume there is no change in the second scan; in the third scan the regional scan queue discovers a new non-important node IP_6 and the node scan queue discovers that the device fingerprint of IP_5 has changed. The scan urgency SC is updated twice, as shown in the table below.
After the second scan is completed, IP_4 has SC = 0 and is removed from the node scan queue, so the order of the node scan queue becomes IP_1, IP_2, IP_5, IP_3. The scan interval of the area scan queue A becomes 12.5 min and the scan interval of the node scan queue B becomes 75 min.
In the third scan the new node has SC > 0 and is handed to the node scan queue. The order of the node scan queue becomes IP_1, IP_5, IP_2, IP_3, IP_6. The scan interval of the area scan queue A becomes 6.25 min and the scan interval of the node scan queue B becomes 37.5 min.
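The queue rules of the example above, written out as an added illustration that is not code from the patent: the scan urgency SC, the two queue intervals SI_A and SI_B with their halving and exponential growth, and the SC decay that drops a node from queue B. The exponent i is taken as the number of consecutive scans without a change (counted per queue for the intervals and per node for the decay), CF is taken as change count divided by scan count, and the η cap is taken as 30 days in minutes; all three are assumptions, since the text fixes neither the counter convention nor the CF formula. The input is constructed from the five devices of the example, with made-up NI and ND values for IP6.

```python
"""Exponential scan-interval scheduler: an added illustration of the
region/node queue rules described above (not code from the patent)."""

ALPHA, BETA = 0.5, 0.5          # default weights from Definition 4
ETA = 30 * 24 * 60              # assumed: the one-month cap on SI_A, in minutes


def scan_urgency(ni, nd, cf, alpha=ALPHA, beta=BETA):
    """SC = NI x (ND x alpha + CF x beta); NI is a fraction (60% -> 0.6)."""
    return ni * (nd * alpha + cf * beta)


class ScanScheduler:
    """Keeps the two scan queues and their intervals (minutes).

    Assumptions not fixed by the text: the exponent i is the number of
    consecutive scans without a change, counted per queue for SI and per
    node for the SC decay; CF is taken as change_times / scan_times."""

    def __init__(self, nodes, full_scan_minutes):
        # nodes: {ip: {"ni": fraction, "nd": hops}}; after the first full
        # scan no fingerprint has changed yet, so CF = 0 for every node.
        self.nodes = {}
        for ip, n in nodes.items():
            self._add(ip, n)
        self.si_a = 2 * len(nodes)        # SI_A initialised to 2 x s
        self.si_b = full_scan_minutes     # SI_B initialised to ds
        self.unchanged_a = 0              # consecutive region scans with no new IP
        self.unchanged_b = 0              # consecutive node scans with no change

    def _add(self, ip, n):
        self.nodes[ip] = {"ni": n["ni"], "nd": n["nd"], "cf": 0.0, "unchanged": 0,
                          "sc": scan_urgency(n["ni"], n["nd"], 0.0)}

    def node_queue(self):
        """Node scan order: descending SC; nodes with SC = 0 are left out."""
        ordered = sorted(self.nodes.items(), key=lambda kv: -kv[1]["sc"])
        return [ip for ip, n in ordered if n["sc"] > 0]

    def node_scan(self, changed):
        """One pass of queue B. `changed` maps ip -> (scan_times, change_times)
        for nodes whose fingerprint differs from the stored one."""
        if changed:
            for ip, (st, ct) in changed.items():
                n = self.nodes[ip]
                n["cf"] = ct / st                              # assumed CF formula
                n["sc"] = scan_urgency(n["ni"], n["nd"], n["cf"])
                n["unchanged"] = 0
            self.unchanged_b = 0
            self.si_b = self.si_b * 2 ** -1                    # SI_B = SI_B x 2^-1
        else:
            self.unchanged_b += 1
            i = self.unchanged_b
            self.si_b = self.si_b + self.si_b * 2 ** (i - 3)   # SI_B += SI_B x 2^(i-3)
        for ip, n in self.nodes.items():
            if ip in changed:
                continue
            n["unchanged"] += 1
            # SC = SC - (1/2)^i, floored at 0; a node at 0 drops out of the queue
            n["sc"] = max(n["sc"] - 0.5 ** n["unchanged"], 0.0)
        return self.si_b

    def region_scan(self, new_nodes):
        """One pass of queue A. `new_nodes` holds IPs not seen before."""
        if new_nodes:
            for ip, n in new_nodes.items():
                self._add(ip, n)                               # new IP joins queue B if SC > 0
            self.unchanged_a = 0
            self.si_a = self.si_a * 2 ** -1                    # SI_A = SI_A x 2^-1
        else:
            self.unchanged_a += 1
            i = self.unchanged_a
            self.si_a = min(self.si_a + self.si_a * 2 ** (i - 3), ETA)
        return self.si_a


# Constructed input matching the worked example: five devices, first full scan 60 min.
NODES = {"IP1": {"ni": 0.6, "nd": 10}, "IP2": {"ni": 0.4, "nd": 12},
         "IP3": {"ni": 0.4, "nd": 11}, "IP4": {"ni": 0.4, "nd": 1},
         "IP5": {"ni": 0.4, "nd": 12}}


def run_example():
    """Replays scans 2 and 3 of the example; returns intervals and queue orders."""
    s = ScanScheduler(NODES, full_scan_minutes=60)
    first_order = s.node_queue()
    s.node_scan({})                   # second scan: nothing changed
    s.region_scan({})
    second = (s.si_a, s.si_b, s.node_queue())
    s.node_scan({"IP5": (3, 1)})      # third scan: IP5 changed once in three scans
    s.region_scan({"IP6": {"ni": 0.4, "nd": 8}})   # IP6 with constructed NI/ND
    third = (s.si_a, s.si_b, s.node_queue())
    return first_order, second, third


if __name__ == "__main__":
    for step in run_example():
        print(step)
```

Replaying scans 2 and 3 reproduces the 12.5/75 min and 6.25/37.5 min intervals and the removal of IP4 after the second scan; the exact position of IP5 in the third queue depends on the assumed CF formula, so only its move ahead of IP2 is worth checking.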
2. Hierarchical clustering-based automatic equipment fingerprint collection and detection algorithm
Assume that after data preprocessing the following structured fields are obtained for two IPs:
IP_1 {<A:affcd>, <B:ade>, <C:bck>, <E:fdsdf>}
IP_2 {<A:acd>, <B:ade>, <C:bcdef>, <D:ed>}
1) Field similarity: the field set is {A, B, C, D, E, F}; the word frequency vector of IP_1 is [1,1,1,0,1,1] and that of IP_2 is [1,1,1,1,0,1], so the cosine similarity gives Sim_A = 4/(√5 × √5) = 0.8.
2) Value similarity: the edit distance and similarity of the {A, B, C, D, E, F} fields are calculated as follows (D and E each appear in only one header, so their similarity is 0):
Sim_4 = 0
Sim_5 = 0
Sim_B = Sim_1 + Sim_2 + Sim_3 + Sim_4 + Sim_5 + Sim_6 = 0.93
The final similarity Sim is calculated as follows:
Sim = Sim_A × Sim_B = 0.8 × 0.93 = 0.744
Assume the final generated similarity matrix is:
Searching for the two nearest classes according to the obtained similarity matrix, i.e. the maximum off-diagonal value 0.744, {P_1, P_2} are merged into a new class P_6, and the similarity between P_6 and each old class is recalculated with the longest distance method:
Sim_i6 = max(D_i1, D_i2), i = 3, 4, 5
Thus
Sim_36 = max(D_31, D_32) = 0.7
Sim_46 = max(D_41, D_42) = 0.4
Sim_56 = max(D_51, D_52) = 0.2
The updated similarity matrix is:
The execution is repeated until all sample points are classified as one type.
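The similarity calculation, bottom-up merging, template generation and template matching of the procedure above, as an added example written for this page rather than code from the patent. The page does not give the per-value similarity formula or the normalisation of Sim_B, so the example assumes 1 - dis/max(len) per value and divides the cumulative sum by the number of fields in the union, which keeps Sim within [0, 1]; under those assumptions the numbers differ from the 0.93 and 0.744 of the worked example. The merge step follows the page's rule literally (largest off-diagonal similarity, then Sim_kr = max(Sim_km, Sim_kn)) and adds a cut parameter, an assumption, so that merging can stop below a chosen similarity and templates can be built per class. The input is constructed: IP1 and IP2 from the worked example plus two made-up headers and a made-up unknown response.

```python
"""Device-fingerprint similarity, bottom-up clustering and template matching:
an added illustration of the procedure above (not code from the patent)."""
import math
from itertools import combinations


def field_similarity(h1, h2):
    """Sim_A: cosine similarity of the 0/1 field-presence vectors."""
    fields = sorted(set(h1) | set(h2))
    v1 = [1 if f in h1 else 0 for f in fields]
    v2 = [1 if f in h2 else 0 for f in fields]
    dot = sum(a * b for a, b in zip(v1, v2))
    n1, n2 = math.sqrt(sum(v1)), math.sqrt(sum(v2))   # 0/1 entries: sum == sum of squares
    return dot / (n1 * n2) if n1 and n2 else 0.0


def edit_distance(a, b):
    """Levenshtein distance dis between two field values."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def value_similarity(a, b):
    """Assumed per-value formula: 1 - dis / max(len(a), len(b))."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def _values(header, field):
    """A header maps field -> value; a template maps field -> set of values."""
    v = header.get(field)
    return set() if v is None else (v if isinstance(v, set) else {v})


def value_block_similarity(h1, h2):
    """Sim_B: per-field similarities summed, then (assumed) normalised by the
    number of fields in the union; a field present on one side only adds 0."""
    fields = set(h1) | set(h2)
    total = 0.0
    for f in fields:
        a, b = _values(h1, f), _values(h2, f)
        if a and b:
            total += max(value_similarity(x, y) for x in a for y in b)  # best value wins
    return total / len(fields) if fields else 0.0


def similarity(h1, h2):
    """Sim = Sim_A x Sim_B."""
    return field_similarity(h1, h2) * value_block_similarity(h1, h2)


def hierarchical_cluster(headers, cut=0.0):
    """Bottom-up merging with the page's rule: merge the pair with the largest
    off-diagonal similarity, then set Sim_kr = max(Sim_km, Sim_kn). Merging
    stops before a merge below `cut` (cut=0.0 ends with a single class).
    Returns (clusters as lists of header indexes, merge history)."""
    clusters = {i: [i] for i in range(len(headers))}
    sim = {frozenset(p): similarity(headers[p[0]], headers[p[1]])
           for p in combinations(range(len(headers)), 2)}
    history, next_id = [], len(headers)
    while len(clusters) > 1:
        pair = max(sim, key=sim.get)     # one pair per step; the text also allows merging ties at once
        best = sim[pair]
        if best < cut:
            break
        m, n = tuple(pair)
        r, next_id = next_id, next_id + 1
        clusters[r] = clusters.pop(m) + clusters.pop(n)
        for k in clusters:
            if k != r:
                sim[frozenset((k, r))] = max(sim[frozenset((k, m))], sim[frozenset((k, n))])
        sim = {p: s for p, s in sim.items() if m not in p and n not in p}
        history.append((sorted(clusters[r]), best))
    return list(clusters.values()), history


def make_template(headers, members):
    """Detection template: for each field, the union of the values seen in the class."""
    template = {}
    for i in members:
        for f, v in headers[i].items():
            template.setdefault(f, set()).add(v)
    return template


def detect(unknown, template, threshold):
    """Similarity of an unknown response header to the template, plus the
    page's decision rule: a similarity above the threshold marks the device."""
    s = similarity(unknown, template)
    return s, s > threshold


# Constructed sample: the two IPs of the worked example plus two made-up headers.
HEADERS = [
    {"A": "affcd", "B": "ade", "C": "bck", "E": "fdsdf"},   # IP1 from the text
    {"A": "acd", "B": "ade", "C": "bcdef", "D": "ed"},      # IP2 from the text
    {"A": "affcd", "B": "ade", "C": "bck", "E": "fdsdf"},   # constructed: same model as IP1
    {"X": "zzz"},                                           # constructed: unrelated device
]
UNKNOWN = {"A": "acd", "B": "ade", "C": "bck", "E": "fdsdf"}  # constructed response to classify

if __name__ == "__main__":
    clusters, history = hierarchical_cluster(HEADERS, cut=0.25)
    print(clusters, history)
    print(detect(UNKNOWN, make_template(HEADERS, max(clusters, key=len)), 0.5))
```

With the constructed input, IP1 and its identical twin merge at similarity 1.0, IP2 joins them at 0.3, and the unrelated header stays on its own once the cut of 0.25 is applied; the template built from the three-member class then carries two values for A and for C, and the unknown header scores about 0.716 against it because the best value is taken per field.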
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (2)

1. A terminal identity authentication method based on device fingerprints under the ubiquitous electric power Internet of Things, characterized in that the authentication method comprises the following steps: first, when the scanning time is reached, network scanning is used to acquire the application-layer response data of the devices, and the next scan start time is calculated with a scanning time prediction algorithm based on exponential increment; the algorithm builds two scanning queues: (1) a regional scanning queue and (2) a node scanning queue. The regional scanning queue is used for liveness detection: ZMap performs incremental IP scanning of all nodes in the defense range to obtain the IP list of all surviving hosts; the node scanning queue acquires the application-layer response data of all surviving hosts so that abnormal nodes are found quickly and accurately. The time intervals are calculated as follows:
a. For the area scanning queue A, the scanning interval is set to 2×s, where s is the number of IPs in the queue, and the next scanning time is calculated; each time, the system scans the IPs whose next scanning time is the current time or earlier, scanning the area comprehensively with the incremental IP scanning method. If a new IP is found by the scan, it is added to the node scanning queue; denoting the area scanning interval by SI_A, let SI_A = SI_A × 2^-1 and calculate the next scanning time. If no new IP is found, let SI_A = SI_A + SI_A × 2^(i-3), where i is the number of scans of the region; if SI_A > η, where η is the maximum interval of the region scan, then SI_A = η. The area has to be scanned regularly to ensure information security, so η is set to 1 month;
b. For the node scanning queue B, the IP scanning urgency SC is calculated for each node in the queue; if, according to the final scanning result, the device fingerprint has changed, the device fingerprint is updated and the SC of the node is recalculated; denoting the node scanning interval by SI_B, let SI_B = SI_B × 2^-1 and calculate the next scanning time. If the device fingerprint has not changed, let SI_B = SI_B + SI_B × 2^(i-3) and SC = SC - (1/2)^i, where i is the number of scans; when SC - (1/2)^i < 0, SC = 0, and if an IP has SC = 0 it is removed from the node scanning queue;
The process of the exponential-increment scanning time prediction algorithm is as follows:
S1. According to the given defense range, perform one complete scan of all nodes and store the scanning data of each node to allow historical queries; calculate the IP scanning urgency SC from the node importance NI and node depth ND, add the node to the node scanning queue if SC > 0, and record the time ds taken by the complete scan;
S2. Initialise the scanning interval SI_A of the area scanning queue to 2×s, where s is the number of IPs in the queue, and calculate the next scanning time;
S3. Set the scanning interval SI_B of the node scanning queue to the complete-scan time ds obtained in the first step, and calculate the next scanning time;
S4. The scanning system runs as two long-lived threads, one for the node scanning queue and one for the area scanning queue, each scanning the pages and sites in its queue whose next scanning time is the current time or earlier. It is first determined whether a device fingerprint already exists for the IP; if so, the previous device fingerprint is read and compared with the newly generated fingerprint, and if they differ the device fingerprint library is updated and the change count of the device fingerprint is increased by 1; if the IP does not exist yet, the new device fingerprint is added to the device fingerprint library. For changed IPs and newly added IPs, the change frequency CF of the device fingerprint is calculated from the change count and the scan count, and the IP scanning urgency SC is calculated or updated; if the IP is newly appeared and SC > 0, the node is added to the node scanning queue; if the IP already exists and SC changes from non-zero to 0, the IP is removed from the node scanning queue; finally the scanning intervals of the area and node queues and the next scan start time are recalculated with the time interval calculation method;
Secondly, for the scanning data obtained, the hierarchical-clustering-based automatic device fingerprint collection and detection algorithm clusters the response data with similar structures, as follows: first, a data preprocessing step outputs the response packet header as structured fields of the form <field name: value>; secondly, similarity calculation combines field similarity and value similarity; then hierarchical clustering merges the data fingerprints of different types into similar clusters from the bottom up until they are clustered into one cluster; finally a detection template is generated and unknown devices are classified according to the template, an identity authentication request identified as coming from a normal device is answered normally, and an identity authentication request identified as coming from an abnormal device is discarded. The exponential-increment scanning time prediction algorithm combines ZMap and Nmap and divides scanning into two steps: host liveness is first detected with ZMap, then the application-layer response data of the surviving hosts is acquired with Nmap. Scanning follows the key links and defense range set for important protection, screens out newly appearing devices and frequently changing devices, narrows the scanning range, adjusts the scanning time interval dynamically, reduces the scanning frequency, improves the efficiency of incremental scanning and reduces the resource consumption caused by scanning;
The detection process of the hierarchical-clustering automatic device fingerprint collection and detection algorithm is to calculate the similarity between the header of the response to be detected and the detection template; if the similarity between the fingerprint of the unknown device and the template exceeds the set threshold, the device is considered a malicious device and the identity authentication request it sent is discarded;
The data preprocessing filters the scanning data, removing invalid response packets and malformed data packets to obtain valid packets, then extracts the response data header part and outputs the response packet header as structured fields of the form <field name: value> using a Python dictionary;
The similarity calculation: to cluster similar devices, the similarity between each pair of response headers needs to be calculated; for the two parts of the obtained structured field <field name: value>, the field similarity and the value similarity are considered separately;
The hierarchical clustering divides similar devices into several classes according to a similarity matrix, merging similar clusters from the bottom up until they are clustered into one cluster;
The unknown device detection process is matching against the detection template, i.e. calculating the similarity between the header of the response to be detected and the detection template with the same similarity calculation method as above; since one request header field in the template has several values, the calculation takes the value with the highest similarity, and finally, if the similarity between the fingerprint of the unknown device and the template exceeds the set threshold, the device is considered a malicious device.
2. The terminal identity authentication method based on device fingerprints under the ubiquitous electric power Internet of Things of claim 1, characterized in that: the field similarity refers to the difference in the field types of different devices; to calculate the field similarity, the set of all fields present in the response headers is collected and the corresponding word frequency vectors are listed (1 if a field appears, 0 if not), and the field similarity Sim_A is obtained by calculating the cosine similarity; the larger the cosine similarity, the larger the field similarity;
The value similarity refers to the similarity of the field contents: the edit distance dis between the two values is calculated and the similarity is derived from it; the smaller the edit distance, the higher the similarity of the two. The similarity therefore has to be calculated for each field; a field that appears in only one of the two headers has similarity 0, and the final value similarity Sim_B is obtained by cumulative summation;
The final similarity Sim is calculated as follows:
Sim = Sim_A × Sim_B
The hierarchical clustering means that the response headers of similar devices have similar structures, so the devices are divided into several classes with a hierarchical clustering algorithm; the similarity between every pair of response headers obtained in the previous step is used to build a similarity matrix, according to which each IP starts as its own cluster, and similar clusters are then merged from the bottom up until everything is clustered into one cluster;
Description of the procedure:
1) Find the two nearest classes according to the similarity matrix, i.e. the maximum value off the diagonal of the matrix, and merge P_m and P_n into a new class P_r; the total number of classes decreases by one and the clustering level increases by one, and if the maximum value occurs more than once, the corresponding classes are merged at the same time;
2) Recalculate the similarity between the newly generated class P_r and any other class P_k with the longest distance method, Sim_kr = max(Sim_km, Sim_kn), replacing the entries of the original similarity matrix;
3) Repeat steps 1 and 2 until all sample points are classified;
The generation of the detection template means that after clustering, similar response headers have been grouped into one class; the repeated parts of the fields are de-duplicated, and for each field the union of the field contents across the cluster is taken as the value of that field in the template, which yields the detection template.
CN202010875529.3A 2020-08-27 2020-08-27 Terminal identity authentication method based on equipment fingerprint under ubiquitous electric power Internet of things Active CN114125847B (en)

Publications (2)

Publication Number Publication Date
CN114125847A CN114125847A (en) 2022-03-01
CN114125847B true CN114125847B (en) 2023-12-15

Family

ID=80374492

Country Status (1)

Country Link
CN (1) CN114125847B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant