CN114205332A - Power Internet of things equipment identification method based on TCP retransmission message - Google Patents

Info

Publication number
CN114205332A
Authority
CN
China
Prior art keywords
equipment
field
euclidean distance
messages
tcp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111341231.5A
Other languages
Chinese (zh)
Inventor
周自强
杨华
杨大哲
王尧
刘珊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Electric Power Research Institute Of Sepc
Original Assignee
State Grid Electric Power Research Institute Of Sepc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Electric Power Research Institute Of Sepc filed Critical State Grid Electric Power Research Institute Of Sepc
Priority to CN202111341231.5A priority Critical patent/CN114205332A/en
Publication of CN114205332A publication Critical patent/CN114205332A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/21: Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16: Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163: In-band adaptation of TCP data exchange; In-band control procedures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers

Abstract

The invention belongs to the technical field of the Internet of Things and relates to a method for identifying power Internet of Things devices based on TCP retransmission messages. The method comprises the following steps: S1: set up a probing node for the power Internet of Things devices, which sends network messages to and receives them from the terminal devices; S2: the probing node uses broadcast to detect whether the terminal devices in a given network segment of the power network are alive, and sends a TCP retransmission request message to each live device; S3: collect the retransmission response messages, screen them, and store the messages with complete responses to form a response message data set; S4: preprocess the response message data set and extract the feature fields; S5: evaluate each field against the quantitative criteria of consistency and difference, and select a feature set; S6: according to the device fingerprint, perform steps S1-S2 on the unknown device and collect the corresponding header fields; S7: use a voting mechanism to judge the similarity between the unknown device's fingerprint and the pre-stored fingerprints, thereby identifying the device information.

Description

Power Internet of things equipment identification method based on TCP retransmission message
Technical Field
The invention belongs to the technical field of the Internet of Things and relates to a method for identifying Internet of Things devices, in particular to a method for identifying power Internet of Things devices based on TCP retransmission messages.
Background
As the number of Internet of Things devices keeps growing, many identification methods have been proposed to address the problems that the devices are hard to manage and their security cannot be guaranteed. The related research is introduced below from two aspects: passive identification and active identification of Internet of Things devices.
Passive identification mainly analyzes the traffic characteristics of devices and the signal characteristics of wireless devices; these characteristics reflect the differences between devices, so that device attribute information can be identified accurately. Glatz et al. used 4 unused subspaces of the network space, monitored the packets sent to these four subspaces, analyzed the background traffic characteristics of the network space, found this background traffic to be prevalent, and classified it according to different identification targets (Glatz E, Dimitropoulos X. Classifying Internet one-way traffic [C]// Proceedings of the 2012 ACM Conference on Internet Measurement Conference. ACM, 2012: 37-50.). One-way traffic in the network is monitored by passive interception and used to detect and analyze the effects of network faults, and the traffic is classified according to these effects. Identification based on the changing characteristics of radio frequency signals is also common in passive identification. Unlike traffic information, radio frequency signals reflect the physical state of a device and therefore show the differences between devices more clearly, but they reflect only hardware differences and cannot distinguish the firmware version of a device. Patel et al. proposed a measurement method based on clock-synchronized sampling, which greatly reduces timestamp quantization error (Patel H J, Temple M A, Baldwin R O. Improving ZigBee Device Network Authentication Using Ensemble Decision Tree Classifiers With Radio Frequency Distinct Native Attribute Fingerprinting [J]. IEEE Transactions on Reliability, 2015, 64(1): 221-233.).
In the field of wireless communication, to address the security challenge of network intrusion detection and prevention in the ZigBee ad hoc distributed architecture, unique native radio frequency attributes of the devices are used as fingerprints to identify devices. However, passive identification requires probes or dedicated equipment to be deployed to capture information such as traffic at the monitored side, and is not suitable for identifying and detecting large-scale power communication equipment. Active identification, by contrast, sends probe packets to the target device and uses the characteristics of the returned response messages to distinguish target devices and thereby identify Internet of Things devices. Existing active identification techniques for Internet of Things devices fall mainly into banner-based identification and identification based on field features. Internet of Things device information comprises device-specific attributes such as device type, brand, model and firmware version.
Identification of Internet of Things devices is a relatively new research field. Unlike traditional operating system identification, the mainstream approach distinguishes devices by the content of application layer protocols. The explicit information returned in an application layer protocol message is called a banner. A banner is captured by having a probing host send a protocol probe message for a specific service and port to the target device; if the target device has that service and port open, it returns a response message containing the device's banner information (Zhou, Liu, Yuan, et al. A search-based Internet of Things device identification framework [J]. Journal of Cyber Security, 2018, 3(4): 25-40.). At present, well-regarded commercial device identification systems such as Shodan, ZoomEye and Censys identify device attribute information through the banners in application layer protocols.
However, banner-based identification has the drawback that banners often lack fine-grained information such as the device model and firmware version, so Internet of Things devices cannot be identified at fine granularity. Identification based on field features deliberately sends probe messages to the Internet of Things device, obtains the fields of the response messages of a specific protocol, and uses those fields as features to generate the device fingerprint; it is a relatively mature device identification approach. Traditional field-feature identification is mainly used to identify operating systems. The most classical TCP/IP operating system identification tool is Nmap, developed by the Russian security expert Gordon Fyodor Lyon, which sends 15 probe packets to the target device, analyzes and extracts the contents of the characteristic fields in the 15 response packets, and uses them as the fingerprint for identifying the operating system type (Lyon G F. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning [M]. Insecure, 2009.). However, the Nmap fingerprint features are far from sufficient for identifying massive numbers of heterogeneous power Internet of Things devices. The present method therefore further mines the features of TCP retransmission messages, adding to the existing field fingerprint features and improving the identification accuracy for power Internet of Things devices.
Disclosure of Invention
The invention overcomes the insufficient identification granularity and narrow range of application of prior-art methods, and provides a method for identifying power Internet of Things devices based on TCP retransmission messages.
To solve the above technical problems, the invention adopts the following technical solution: a method for identifying power Internet of Things devices based on TCP retransmission messages, comprising the following steps:
S1: set up a probing node for the power Internet of Things devices, which sends network messages to and receives them from the terminal devices;
S2: the probing node of step S1 uses broadcast to detect whether the terminal devices in a given network segment of the power network are alive, and sends a TCP retransmission request message to each live device;
S3: collect the retransmission response messages, screen them, and store the messages with complete responses to form a response message data set;
S4: preprocess the response message data set of step S3 and extract the feature fields;
S5: evaluate each field against the quantitative criteria of consistency and difference, and select the feature set used for device identification, namely the device fingerprint;
S6: according to the device fingerprint, perform steps S1-S2 on the unknown device and collect the corresponding header fields;
S7: use a voting mechanism to judge the similarity between the unknown device's fingerprint and the pre-stored fingerprints, thereby identifying the device information.
Preprocessing the response message data set in step S4 specifically comprises the following steps:
S401: extract the IP and TCP headers from each message;
S402: generate key-value pairs that map each IP address to its TCP header.
In step S4, the Wireshark tool is used to split the pcap capture and extract its data (that is, to extract the feature fields).
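A minimal sketch of S401-S402, added here as an illustration and not taken from the patent: it parses raw IPv4/TCP response packets into header-field records keyed by the responding IP address and flags repeated segments. The field names, the retransmission heuristic (same flow and sequence number seen before) and the sample packets are assumptions constructed for the example.

```python
import struct
from collections import defaultdict


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """S401: extract IPv4 and TCP header fields from one raw IP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    tos, total_len, ip_id, frag, ttl, proto = struct.unpack("!xBHHHBB", pkt[:10])
    if ihl < 20 or proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(pkt) < ihl + data_off:
        raise ValueError("truncated TCP header")
    return {
        "ip.src": ".".join(map(str, pkt[12:16])),
        "ip.dst": ".".join(map(str, pkt[16:20])),
        "ip.tos": tos, "ip.id": ip_id, "ip.df": (frag >> 14) & 1, "ip.ttl": ttl,
        "tcp.sport": sport, "tcp.dport": dport, "tcp.seq": seq, "tcp.ack": ack,
        "tcp.flags": off_flags & 0x1FF, "tcp.window": window, "tcp.urg": urg,
        "tcp.options": pkt[ihl + 20:ihl + data_off].hex(),
        "tcp.len": total_len - ihl - data_off,
    }


def build_dataset(packets):
    """S402: map each responding IP address to its list of header records."""
    dataset, seen = defaultdict(list), set()
    for pkt in packets:
        try:
            rec = parse_ipv4_tcp(pkt)
        except ValueError:
            continue  # screening as in S3: incomplete responses are dropped
        # Only segments that occupy sequence space (data, SYN or FIN) can be
        # retransmitted; a bare ACK may legitimately repeat a sequence number.
        consumes_seq = rec["tcp.len"] > 0 or bool(rec["tcp.flags"] & 0x03)
        key = (rec["ip.src"], rec["tcp.sport"], rec["ip.dst"],
               rec["tcp.dport"], rec["tcp.seq"])
        rec["retransmission"] = consumes_seq and key in seen
        if consumes_seq:
            seen.add(key)
        dataset[rec["ip.src"]].append(rec)
    return dict(dataset)


def make_packet(src, dst, sport, dport, seq, flags, ttl, window, ip_id, options=b""):
    """Build a constructed sample packet (checksums are left at zero)."""
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (data_off << 12) | flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp


MSS_1460 = bytes.fromhex("020405b4")  # TCP option: maximum segment size 1460

# Constructed sample capture: documentation addresses, hypothetical devices.
SAMPLE_PACKETS = [
    make_packet("192.0.2.10", "192.0.2.1", 80, 40000, 1000, 0x12, 64, 5840, 1, MSS_1460),
    make_packet("192.0.2.10", "192.0.2.1", 80, 40000, 1000, 0x12, 64, 5840, 2, MSS_1460),
    make_packet("192.0.2.20", "192.0.2.1", 80, 40001, 7000, 0x12, 255, 8192, 0),
    b"\x45\x00",  # truncated response, screened out
]

if __name__ == "__main__":
    for ip, records in build_dataset(SAMPLE_PACKETS).items():
        for rec in records:
            print(ip, rec["ip.ttl"], rec["tcp.window"], rec["tcp.options"],
                  "retransmission" if rec["retransmission"] else "first")
```

Records flagged as retransmissions are the ones whose header fields would feed the field evaluation in S5.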
Step S5 specifically comprises the following steps:
S501: the consistency criterion uses information entropy to measure the dispersion of a field's values:
Figure BDA0003352152530000031
Figure BDA0003352152530000032
where $Y$ denotes the values of a device field, $\{y_1, \ldots, y_m\}$, and $y_i$ occurs with probability $P_i$;
S502: the difference criterion uses an optimized Euclidean distance to express how well the field differentiates devices, and calculates the proportion of points at which different devices have the same value among all result combinations:
Figure BDA0003352152530000033
where $x_{same}$ is the number of points at which different devices have the same value, and $x_{all}$ is the number of all points;
S503: calculate the Euclidean distances between the values of different devices in a field to form a Euclidean distance set, and take the mean of that set:
Figure BDA0003352152530000034
Figure BDA0003352152530000035
where $D$ denotes the Euclidean distance set, $x_i$ and $y_i$ denote the values of this field for the two devices, and $D'$ denotes the approximate device distance;
S504: when U ≤ 2.31, the Euclidean distance between instances of the same device begins to decrease as the feature is added, and the same devices cluster more easily; when U ≤ 4.52, the Euclidean distance still decreases, but the amount of change is markedly smaller than for the preceding features; when U > 4.52, the Euclidean distance begins to increase as the feature is added; when D' ≤ 0.014, the Euclidean distance between different devices begins to decrease; when D' > 0.014, the Euclidean distance begins to increase gradually; similarly, after D' > 0.064, the change in Euclidean distance also begins to weaken;
S505: after classification tests on the different sets, the final selection results are shown in Table 1:
Figure BDA0003352152530000041
Table 1. Message field consistency and difference quantization results
1) when identifying the device type: 0 < U < 4.52, 0 < D' < 0.06 (G2);
2) when identifying the device brand: 0 < U < 2.31, 0.02 < D' < 0.07 (G4);
3) when identifying the device model: 0 < U < 8, 0.02 < D' < 0.098 (G5).
In step S7, the header fields corresponding to G2, G4 and G5 are passed to five machine learning methods, each of which outputs its matching result, and the final device information is selected by voting.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention uses the TCP protocol as the information source for identification; the very wide use of TCP also improves the applicability of device identification;
2. For the TCP retransmission mechanism, the invention designs a set of lightweight probing rules, reducing probing time and cost;
3. The retransmission header fields in TCP are used for device identification, and combined with a voting mechanism the accuracy and recall of detection are markedly improved.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a probing side process of the present invention;
FIG. 2 is a diagram of a connected retransmission detection rule according to the present invention;
FIG. 3 is a diagram of connectionless retransmission detection rules in accordance with the present invention;
FIG. 4 is a feature matching model of the method of the present invention.
Detailed Description
As shown in the figures, a method for identifying power Internet of Things devices based on TCP retransmission messages specifically comprises the following steps:
S1: set up a probing node for the power Internet of Things devices, which sends network messages to and receives them from the terminal devices.
S2: the probing node of step S1 uses broadcast to detect whether the terminal devices in a given network segment of the power network are alive, and sends a TCP retransmission request message to each live device.
S3: collect the retransmission response messages, screen them, and store the messages with complete responses to form a response message data set.
S4: preprocess the response message data set of step S3 and extract the feature fields;
Preprocessing the response message data set in step S4 specifically comprises the following steps:
S401: extract the IP and TCP headers from each message;
S402: generate key-value pairs that map each IP address to its TCP header;
In step S4, the Wireshark tool is used to split the pcap capture and extract its data (that is, to extract the feature fields).
S5: evaluate each field against the quantitative criteria of consistency and difference, and select the feature set used for device identification, namely the device fingerprint;
Step S5 specifically comprises the following steps:
S501: the consistency criterion uses information entropy to measure the dispersion of a field's values:
Figure BDA0003352152530000051
Figure BDA0003352152530000052
where $Y$ denotes the values of a device field, $\{y_1, \ldots, y_m\}$, and $y_i$ occurs with probability $P_i$;
S502: the difference criterion uses an optimized Euclidean distance to express how well the field differentiates devices, and calculates the proportion of points at which different devices have the same value among all result combinations:
Figure BDA0003352152530000053
where $x_{same}$ is the number of points at which different devices have the same value, and $x_{all}$ is the number of all points;
S503: calculate the Euclidean distances between the values of different devices in a field to form a Euclidean distance set, and take the mean of that set:
Figure BDA0003352152530000061
Figure BDA0003352152530000062
where $D$ denotes the Euclidean distance set, $x_i$ and $y_i$ denote the values of this field for the two devices, and $D'$ denotes the approximate device distance. To reduce the influence of randomness in the data: the more coincident points there are, the more often different devices produce the same value for this field during probing, and the smaller the actual distance calculated between different devices; the approximate device distance $D'$ is therefore obtained by multiplying the Euclidean distance $D$ by $1 - W$ (the non-coincident proportion);
S504: when U ≤ 2.31, the Euclidean distance between instances of the same device begins to decrease as the feature is added, and the same devices cluster more easily; when U ≤ 4.52, the Euclidean distance still decreases, but the amount of change is markedly smaller than for the preceding features; when U > 4.52, the Euclidean distance begins to increase as the feature is added; when D' ≤ 0.014, the Euclidean distance between different devices begins to decrease; when D' > 0.014, the Euclidean distance begins to increase gradually; similarly, after D' > 0.064, the change in Euclidean distance also begins to weaken;
S505: after classification tests on the different sets, the final selection results are shown in Table 1:
Figure BDA0003352152530000063
Table 1. Message field consistency and difference quantization results
1) when identifying the device type: 0 < U < 4.52, 0 < D' < 0.06 (G2);
2) when identifying the device brand: 0 < U < 2.31, 0.02 < D' < 0.07 (G4);
3) when identifying the device model: 0 < U < 8, 0.02 < D' < 0.098 (G5).
S6: according to the device fingerprint, perform steps S1-S2 on the unknown device and collect the corresponding header fields.
S7: use a voting mechanism to judge the similarity between the unknown device's fingerprint and the pre-stored fingerprints, thereby identifying the device information;
In step S7, the header fields corresponding to G2, G4 and G5 are passed to five machine learning methods, each of which outputs its matching result, and the final device information is selected by voting.
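The field scoring and selection of S501-S505 and the vote of S7, as an added example rather than the patent's own implementation. The formula images are not reproduced on this page, so the code assumes Shannon entropy in bits over the pooled field values for U, W = x_same / x_all counted over same-index responses of each device pair, field values scaled by their maximum representable value, and D' = (1 - W) * D as stated in S503; returning no result on a tied vote and the sample observations are also assumptions.

```python
import math
from collections import Counter
from itertools import combinations

# Assumption: each field is scaled by its maximum representable value.
FIELD_MAX = {"ip.ttl": 255, "ip.id": 65535, "tcp.window": 65535}

# Selection bands from S505: target -> ((U_low, U_high), (D'_low, D'_high)).
BANDS = {
    "type": ((0, 4.52), (0, 0.06)),        # G2
    "brand": ((0, 2.31), (0.02, 0.07)),    # G4
    "model": ((0, 8), (0.02, 0.098)),      # G5
}


def score_field(name, per_device):
    """Return (U, W, D') for one field; per_device maps device -> list of values."""
    if len(per_device) < 2:
        raise ValueError("need at least two devices to compare")
    # S501: entropy of the values the field takes across all responses.
    pooled = [v for vals in per_device.values() for v in vals]
    n = len(pooled)
    U = -sum(c / n * math.log2(c / n) for c in Counter(pooled).values())
    # S502/S503: compare every pair of different devices response by response.
    same = total = 0
    dists = []
    for a, b in combinations(per_device.values(), 2):
        pairs = list(zip(a, b))
        same += sum(x == y for x, y in pairs)
        total += len(pairs)
        dists.append(math.sqrt(sum(((x - y) / FIELD_MAX[name]) ** 2
                                   for x, y in pairs)))
    W = same / total               # coincident proportion
    D = sum(dists) / len(dists)    # mean of the Euclidean distance set
    return U, W, (1 - W) * D       # D' discounts D by the coincident share


def select_fields(observations, target):
    """S505: keep the fields whose U and D' fall inside the band for target."""
    (u_lo, u_hi), (d_lo, d_hi) = BANDS[target]
    chosen = []
    for name, per_device in observations.items():
        U, _W, d_prime = score_field(name, per_device)
        if u_lo < U < u_hi and d_lo < d_prime < d_hi:
            chosen.append(name)
    return sorted(chosen)


def vote(predictions):
    """S7: majority vote over the classifiers' labels; None when tied or empty."""
    ranked = Counter(predictions).most_common(2)
    if not ranked or (len(ranked) == 2 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]


# Constructed observations: three hypothetical devices, three responses each.
OBSERVATIONS = {
    "ip.ttl": {"dev-a": [64, 64, 64], "dev-b": [64, 64, 64], "dev-c": [64, 64, 64]},
    "tcp.window": {"dev-a": [5840] * 3, "dev-b": [5840] * 3, "dev-c": [8192] * 3},
    "ip.id": {"dev-a": [100, 40000, 2000], "dev-b": [65000, 12, 30000],
              "dev-c": [7, 50000, 61000]},
}

if __name__ == "__main__":
    for field, values in OBSERVATIONS.items():
        print(field, "U=%.3f W=%.3f D'=%.4f" % score_field(field, values))
    print("fields for device type:", select_fields(OBSERVATIONS, "type"))
    print("vote:", vote(["hall-sensor"] * 3 + ["smart-meter", "gateway"]))
```

On this data the constant field (`ip.ttl`) and the near-random field (`ip.id`) both fall outside every band, which is the filtering the two criteria are meant to perform.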
The first embodiment is as follows:
The method is used to probe a power Internet of Things device (a Hall sensor); the specific probing process is as shown in the figures:
1. First, a preset retransmission message is sent to the Hall sensor as shown in FIG. 2. FIG. 2 is the connection-based retransmission probing mode, which establishes and maintains a connection while interacting with the probed device and thereby ensures probing stability; however, probing takes too long and some devices do not readily establish connections, so the rule is optimized, with the result shown in FIG. 3. FIG. 3 is the connectionless probing mode, which does not need multiple handshakes to establish a connection, reducing the time cost of probing and improving system efficiency;
2. After the messages are obtained, the header fields of the retransmission messages are extracted with the Wireshark tool;
3. After the data is obtained, five detection methods (support vector machine, decision tree, LDC classifier, K-nearest neighbor algorithm and LSTM classifier) are each used to calculate the similarity between the field set and each device fingerprint, and a voting mechanism produces the final detection result, as shown in FIG. 4.
The above embodiments are merely illustrative of the principles of the present invention and its effects, and do not limit the present invention. It will be apparent to those skilled in the art that modifications and improvements can be made to the above-described embodiments without departing from the spirit and scope of the invention. Accordingly, it is intended that all equivalent modifications or changes be made by those skilled in the art without departing from the spirit and technical spirit of the present invention, and be covered by the claims of the present invention.

Claims (5)

1. A method for identifying power Internet of Things devices based on TCP retransmission messages, characterized by specifically comprising the following steps:
S1: set up a probing node for the power Internet of Things devices, which sends network messages to and receives them from the terminal devices;
S2: the probing node of step S1 uses broadcast to detect whether the terminal devices in a given network segment of the power network are alive, and sends a TCP retransmission request message to each live device;
S3: collect the retransmission response messages, screen them, and store the messages with complete responses to form a response message data set;
S4: preprocess the response message data set of step S3 and extract the feature fields;
S5: evaluate each field against the quantitative criteria of consistency and difference, and select the feature set used for device identification, namely the device fingerprint;
S6: according to the device fingerprint, perform steps S1-S2 on the unknown device and collect the corresponding header fields;
S7: use a voting mechanism to judge the similarity between the unknown device's fingerprint and the pre-stored fingerprints, thereby identifying the device information.
2. The method for identifying power Internet of Things devices based on TCP retransmission messages according to claim 1, wherein preprocessing the response message data set in step S4 specifically comprises the following steps:
S401: extract the IP and TCP headers from each message;
S402: generate key-value pairs that map each IP address to its TCP header.
3. The method for identifying power Internet of Things devices based on TCP retransmission messages according to claim 2, wherein in step S4 the Wireshark tool is used to split the pcap capture and extract its data (that is, to extract the feature fields).
4. The method for identifying power Internet of Things devices based on TCP retransmission messages according to claim 1, wherein step S5 specifically comprises the following steps:
S501: the consistency criterion uses information entropy to measure the dispersion of a field's values:
Figure FDA0003352152520000011
Figure FDA0003352152520000012
where $Y$ denotes the values of a device field, $\{y_1, \ldots, y_m\}$, and $y_i$ occurs with probability $P_i$;
S502: the difference criterion uses an optimized Euclidean distance to express how well the field differentiates devices, and calculates the proportion of points at which different devices have the same value among all result combinations:
Figure FDA0003352152520000021
where $x_{same}$ is the number of points at which different devices have the same value, and $x_{all}$ is the number of all points;
S503: calculate the Euclidean distances between the values of different devices in a field to form a Euclidean distance set, and take the mean of that set:
Figure FDA0003352152520000022
Figure FDA0003352152520000023
where $D$ denotes the Euclidean distance set, $x_i$ and $y_i$ denote the values of this field for the two devices, and $D'$ denotes the approximate device distance;
S504: when U ≤ 2.31, the Euclidean distance between instances of the same device begins to decrease as the feature is added, and the same devices cluster more easily; when U ≤ 4.52, the Euclidean distance still decreases, but the amount of change is markedly weaker than for other features; when U > 4.52, the Euclidean distance begins to increase as the feature is added; when D' ≤ 0.014, the Euclidean distance between different devices begins to decrease; when D' > 0.014, the Euclidean distance begins to increase gradually; similarly, after D' > 0.064, the change in Euclidean distance also begins to weaken;
S505: after classification tests on the different sets, the final selection results are as follows:
1) when identifying the device type: 0 < U < 4.52, 0 < D' < 0.06 (G2);
2) when identifying the device brand: 0 < U < 2.31, 0.02 < D' < 0.07 (G4);
3) when identifying the device model: 0 < U < 8, 0.02 < D' < 0.098 (G5).
5. The method for identifying power Internet of Things devices based on TCP retransmission messages according to claim 1, wherein in step S7 the header fields corresponding to G2, G4 and G5 are passed to five machine learning methods, each of which outputs its matching result, and the final device information is selected by voting.
CN202111341231.5A 2021-11-12 2021-11-12 Power Internet of things equipment identification method based on TCP retransmission message Pending CN114205332A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111341231.5A CN114205332A (en) 2021-11-12 2021-11-12 Power Internet of things equipment identification method based on TCP retransmission message

Publications (1)

Publication Number Publication Date
CN114205332A true CN114205332A (en) 2022-03-18

Family

ID=80647624


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination