CN114513369B - Deep packet inspection-based internet of things behavior analysis method and system - Google Patents

Deep packet inspection-based internet of things behavior analysis method and system

Info

Publication number
CN114513369B
Authority
CN
China
Prior art keywords
behavior
behavior analysis
message
internet
things
Prior art date
Legal status
Active
Application number
CN202210401399.9A
Other languages
Chinese (zh)
Other versions
CN114513369A (en)
Inventor
万伟
孙宾芳
方伟
王忠新
宋江涛
Current Assignee
Webray Tech Beijing Co ltd
Original Assignee
Webray Tech Beijing Co ltd
Priority date
Filing date
Publication date
Application filed by Webray Tech Beijing Co ltd
Priority to CN202210401399.9A
Publication of CN114513369A
Application granted
Publication of CN114513369B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a deep packet inspection-based internet of things behavior analysis method and system. The method comprises the following steps: acquiring a message inspected by the transport layer, the message being obtained from information passed up by the network layer; and inputting the message into a behavior analysis model to obtain the behavior analysis result output by the model. The behavior analysis model analyzes abnormal behavior based on the behavior characteristics obtained from the message and its internet of things protocol, together with the weight labels corresponding to the message. According to the method and the device, the message inspected by the transport layer is obtained from the network layer, the behavior analysis model performs behavior analysis based on the internet of things protocol and the weight labels to obtain the behavior analysis result, customized behavior analysis is performed for different internet of things protocols, the risk behavior detection accuracy for internet of things applications is improved, and the false alarm rate is reduced.

Description

Deep packet inspection-based internet of things behavior analysis method and system
Technical Field
The invention relates to the technical field of Internet of things, in particular to a deep packet inspection-based Internet of things behavior analysis method and system.
Background
The internet of things is an extension of communication networks and the internet. It uses sensing technology and intelligent devices to sense and identify the physical world, interconnects them through network transmission, and applies computation, processing and knowledge mining to achieve information interaction and seamless linking between people and objects and between objects, so as to realize real-time control, precise management and scientific decision-making for the physical world. With hundreds of millions of devices continuously joining the internet of things, its industrial scale keeps growing, and security attacks aimed at user privacy and the underlying network environment keep increasing, so network security has become one of the barriers limiting the wide deployment of internet of things services.
At present, because the many access devices are of diverse types and there are more than five internet of things application protocols, it is difficult to construct a unified behavior model of internet of things access devices using one or a few application protocols. This leads to low detection and identification accuracy, while attacks targeting specific internet of things protocols emerge endlessly.
Disclosure of Invention
The invention provides an internet of things behavior analysis method and system based on deep packet inspection, to overcome the poor behavior detection accuracy that the multiplicity of internet of things protocols causes in the prior art: customized behavior analysis is performed for different internet of things protocols, so that the risk behavior detection accuracy for internet of things applications is improved and the false alarm rate is reduced.
The invention provides an internet of things behavior analysis method based on deep packet inspection, comprising the following steps: receiving a message sent by the transport layer, wherein the message is obtained by the transport layer inspecting information passed up by the network layer; and inputting the message into a behavior analysis model to obtain the behavior analysis result output by the model, wherein the behavior analysis model analyzes abnormal behavior based on the behavior characteristics obtained from the message and its internet of things protocol, together with the weight labels corresponding to the message.
According to the internet of things behavior analysis method based on deep packet inspection provided by the invention, the behavior analysis model comprises: a deep packet inspection engine, which selects the message detection handle corresponding to the internet of things protocol of an input message and analyzes the message with it to obtain a message analysis result; and a behavior analysis engine, which analyzes the message analysis result in combination with the corresponding internet of things protocol and the corresponding weight labels to obtain a behavior analysis result.
According to the internet of things behavior analysis method based on deep packet inspection provided by the invention, the behavior analysis engine comprises: behavior analysis handles, which correspond one-to-one to the message detection handles and perform behavior analysis according to the corresponding internet of things protocol and the message analysis result output by the corresponding message detection handle to obtain behavior characteristics; and a behavior characteristic classification analysis layer, which obtains a behavior summary result from the behavior characteristics and their corresponding weight labels, and judges against a preset threshold whether the behavior summary result constitutes abnormal behavior, giving the behavior analysis result.
According to the method for analyzing the behavior of the Internet of things based on the deep packet inspection, provided by the invention, the packet comprises an Internet of things protocol packet.
According to the internet of things behavior analysis method based on deep packet inspection provided by the invention, the behavior analysis model further comprises the following steps: based on the behavior analysis result, calling an abnormal behavior record handle corresponding to the Internet of things protocol, and writing the message judged to be abnormal behavior and the corresponding quintuple into an abnormal behavior database; the quintuple comprises a source IP, a destination IP, a source port, a destination port and a corresponding Internet of things protocol.
According to the internet of things behavior analysis method based on deep packet inspection provided by the invention, after the behavior analysis result output by the behavior analysis model is obtained, the method comprises the following steps: and determining whether to report an abnormal behavior log according to the behavior analysis result.
According to the internet of things behavior analysis method based on deep packet inspection provided by the invention, whether to report an abnormal behavior log is determined according to the behavior analysis result, and the method further comprises the following steps: determining whether to report an abnormal behavior log or not based on the behavior analysis result and a preset abnormal behavior grade distribution rule, and executing a corresponding action based on user pre-configuration; wherein the action comprises at least one of dropping, blocking, passing, limiting the number of user accesses, and probing source IP availability.
The invention also provides an internet of things behavior analysis system based on deep packet inspection, comprising: a message acquisition module, which receives a message sent by the transport layer, wherein the message is obtained by the transport layer inspecting information passed up by the network layer; and a behavior analysis module, which inputs the message into a behavior analysis model to obtain the behavior analysis result output by the model, wherein the behavior analysis model analyzes abnormal behavior based on the behavior characteristics obtained from the message and its internet of things protocol, together with the weight labels corresponding to the message.
The invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the program to realize the steps of any one of the above methods for analyzing the behavior of the internet of things based on the deep packet inspection.
The present invention also provides a non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the method for analyzing behavior of the internet of things based on deep packet inspection as described in any one of the above.
According to the method and system for internet of things behavior analysis based on deep packet inspection, the message inspected by the transport layer is obtained from the network layer, and the behavior analysis model performs behavior analysis based on the internet of things protocol and the weight labels to obtain the behavior analysis result, so customized behavior analysis is performed for different internet of things protocols, the accuracy of risk behavior detection for internet of things applications is improved, and the false alarm rate is reduced. In addition, the risk analysis brings the different behavior analysis results into a unified computing framework, so that the potential risks of the various dangerous behaviors are considered together, the correlation among different behaviors is fully taken into account, a quantifiable risk evaluation result is finally obtained, and the accuracy of risk behavior detection is further improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow diagram of an internet of things behavior analysis method based on deep packet inspection according to the present invention;
fig. 2 is a schematic diagram of an architecture of an internet of things behavior analysis method based on deep packet inspection according to the present invention;
fig. 3 is a schematic structural diagram of an internet of things behavior analysis system based on deep packet inspection provided by the present invention;
fig. 4 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a schematic flow diagram of an internet of things behavior analysis method based on deep packet inspection, where the method includes:
S11, receiving a message sent by the transport layer, wherein the message is obtained by the transport layer inspecting information passed up by the network layer;
S12, inputting the message into the behavior analysis model to obtain the behavior analysis result output by the model; the behavior analysis model analyzes abnormal behavior based on the behavior characteristics obtained from the message and its internet of things protocol, together with the weight labels corresponding to the message.
It should be noted that the numbering S1N in this specification does not represent the order of the steps of the internet of things behavior analysis method based on deep packet inspection. The method according to the present invention is described below with reference to fig. 2.
Step S11, receiving a message sent by the transport layer, where the message is obtained by the transport layer inspecting information passed up by the network layer.
It should be noted that the message includes an internet of things protocol message, and specifically may include at least one of an XMPP message, an MQTT message, an ONVIF message, a CoAP message, and a UPnP message; the following text takes only XMPP and MQTT as examples. XMPP (Extensible Messaging and Presence Protocol) is an extensible messaging and presence protocol, a network instant messaging protocol produced by an open-source organization. MQTT (Message Queuing Telemetry Transport) is a message queue telemetry transport, an instant messaging protocol developed by IBM that is well suited as a communication protocol for internet of things scenarios. The MQTT protocol adopts a publish/subscribe model: all internet of things terminals connect to a cloud endpoint over the Transmission Control Protocol (TCP), and the cloud endpoint manages the communication content each device is interested in by topic and is responsible for forwarding messages between devices.
Step S12, inputting the message into the behavior analysis model to obtain the behavior analysis result output by the behavior analysis model; the behavior analysis model is used for analyzing abnormal behaviors based on the messages and the behavior characteristics obtained by the Internet of things protocol and the weight labels corresponding to the messages.
In this embodiment, the behavior analysis model includes: a deep packet inspection engine, which selects the message detection handle corresponding to the internet of things protocol of an input message and analyzes the message with it to obtain a message analysis result; and a behavior analysis engine, which analyzes the message analysis result in combination with the corresponding internet of things protocol and the corresponding weight labels to obtain a behavior analysis result.
Specifically, referring to fig. 2, the deep packet inspection engine first selects the packet inspection handle corresponding to the internet of things protocol of the input packet and analyzes the packet with it, so as to obtain a packet analysis result. It should be noted that before the message is input into the behavior analysis model, the method further includes configuring the deep packet inspection engine based on the internet of things protocols, that is, configuring the message detection handles. For example, if the message types to be detected include XMPP messages and MQTT messages, an XMPP message detection handle and an MQTT message detection handle are configured accordingly; when the input message is an XMPP message, only the XMPP message detection handle can correctly parse the message content, so the message is identified as an XMPP message and the message analysis result is sent to the behavior analysis engine.
And secondly, the behavior analysis engine analyzes the message by combining the corresponding Internet of things protocol and the corresponding weight label based on the message analysis result to obtain a behavior analysis result.
Still further, a behavior analysis engine, comprising: behavior analysis handles which correspond to the message detection handles one by one, and the behavior analysis is carried out according to the corresponding Internet of things protocol and the message analysis result output by the corresponding message detection handles to obtain behavior characteristics; and the behavior characteristic classification analysis layer obtains a behavior summarizing result based on the behavior characteristics and the corresponding weight labels thereof, and judges whether the behavior summarizing result belongs to abnormal behaviors or not based on a preset threshold value to obtain a behavior analysis result.
It should be noted that before the message is input into the behavior analysis model, the method further includes: based on the internet of things protocol, a behavior analysis engine is configured, namely a behavior analysis handle is configured. For example, if the message types to be detected include an XMPP message and an MQTT message, an XMPP behavior analysis handle and an MQTT behavior analysis handle are configured correspondingly, and after a message analysis result is obtained based on the XMPP message detection handle, the message analysis result is sent to the XMPP behavior analysis handle for behavior analysis.
In an alternative embodiment, the message comprises an XMPP message, and the checks performed for the internet of things protocol corresponding to the message comprise at least one of: whether a secure transport layer protocol is adopted, whether the password field is encrypted, whether weak password detection succeeds, whether the access rate to the destination IP exceeds a preset access threshold, and whether the authentication rate for an XMPP entity ID exceeds a preset authentication threshold. For example, the XMPP behavior analysis handle that processes XMPP messages is directed through the XMPP message detection handle and computes its analysis according to the contents of the XMPP protocol, such as whether TLS is employed, whether password field encryption or weak password detection succeeds, whether the access rate to the destination IP exceeds the access threshold, and whether the authentication rate for a given XMPP entity ID (Jabber ID, JID) exceeds the authentication threshold. It should be noted that the behavior analysis handles of different internet of things protocols perform behavior analysis targeted at their own protocol and its predefined behaviors.
It should be added that the behavior characteristics include weak password (Weak Password), denial of service (DDOS), missing authentication (Miss Authentication), invalid transmission (Invalid Message), cleartext transmission (No Encryption), amplification attack (Packet Amplification), IP address spoofing (IP Address Spoofing), repeated attempts (Repeated Attempts), and setting sensitive information (Sensitive Data Set).
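The handle architecture described above, as an added example that is not part of the patent or of Webray's implementation: per-protocol message detection handles and behavior analysis handles are registered in two tables at initialization, the detection engine tries each detection handle until one parses the payload, and the paired behavior handle turns the parsed fields into behavior characteristics using the patent's own feature names. Only MQTT is implemented (an MQTT 3.1.1 CONNECT parser, which is the real wire format); the weak-password library entries, the connection-rate threshold, and the dictionary-shaped message record are assumptions, and the sample packets are constructed, not captured traffic.

```python
import struct

# Constructed weak-password library: the patent refers to a "weak password library"
# without listing entries, so these values are assumptions for the example.
WEAK_PASSWORDS = {"", "admin", "123456", "password"}
# Assumed per-source-IP connection-creation threshold for the DDOS behaviour.
CONNECT_RATE_THRESHOLD = 5

DETECTION_HANDLES = {}   # protocol name -> message detection handle
BEHAVIOR_HANDLES = {}    # protocol name -> behavior analysis handle (one per detection handle)


def register(table, protocol):
    """Registration decorator: a protocol registers its handles at initialization time."""
    def wrap(fn):
        table[protocol] = fn
        return fn
    return wrap


def _mqtt_str(buf, off):
    """Decode one MQTT length-prefixed UTF-8 string (2-byte big-endian length)."""
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated MQTT string")
    return buf[off + 2:end].decode("utf-8", "replace"), end


@register(DETECTION_HANDLES, "MQTT")
def detect_mqtt_connect(payload):
    """Parse an MQTT 3.1.1 CONNECT packet; return None if the bytes are not one.
    A successful parse also proves the session is cleartext: under TLS the engine
    would see a TLS record, not an MQTT fixed header."""
    if len(payload) < 12 or payload[0] != 0x10:
        return None
    off, remaining, mult = 1, 0, 1            # decode the remaining-length varint
    while True:
        b = payload[off]
        off += 1
        remaining += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
        if mult > 128 ** 3:
            return None
    if off + remaining != len(payload):
        return None
    try:
        name, off = _mqtt_str(payload, off)
        if name != "MQTT" or payload[off] != 4:  # protocol name and level (4 = v3.1.1)
            return None
        flags = payload[off + 1]
        off += 4                                 # level, connect flags, keep-alive
        client_id, off = _mqtt_str(payload, off)
        parsed = {"client_id": client_id, "username": None, "password": None}
        if flags & 0x04:                         # will flag: skip will topic and message
            _, off = _mqtt_str(payload, off)
            _, off = _mqtt_str(payload, off)
        if flags & 0x80:
            parsed["username"], off = _mqtt_str(payload, off)
        if flags & 0x40:
            parsed["password"], off = _mqtt_str(payload, off)
    except (struct.error, ValueError, IndexError):
        return None
    return parsed


@register(BEHAVIOR_HANDLES, "MQTT")
def analyze_mqtt(msg, parsed, state):
    """Map one parsed CONNECT to behaviour features named in the patent's list."""
    features = {"No Encryption"}               # parsed in the clear: no secure transport layer
    if parsed["username"] is None and parsed["password"] is None:
        features.add("Miss Authentication")
    elif parsed["password"] in WEAK_PASSWORDS:
        features.add("Weak Password")
    key = ("mqtt_connects", msg["src_ip"])     # connection-creation count per source IP
    state[key] = state.get(key, 0) + 1
    if state[key] > CONNECT_RATE_THRESHOLD:
        features.add("DDOS")
    return features


def behavior_analysis(msg, state):
    """Deep packet inspection engine: only the handle for the message's own protocol can
    parse it; that identifies the protocol and selects the paired behaviour handle."""
    for protocol, detect in DETECTION_HANDLES.items():
        parsed = detect(msg["payload"])
        if parsed is not None:
            return protocol, BEHAVIOR_HANDLES[protocol](msg, parsed, state)
    return None, set()


def build_mqtt_connect(client_id, username=None, password=None):
    """Construct a sample MQTT 3.1.1 CONNECT packet (test input, not captured traffic)."""
    def s(text):
        raw = text.encode()
        return struct.pack("!H", len(raw)) + raw
    flags = 0x02 | (0x80 if username is not None else 0) | (0x40 if password is not None else 0)
    body = s("MQTT") + bytes([4, flags]) + struct.pack("!H", 60) + s(client_id)
    if username is not None:
        body += s(username)
    if password is not None:
        body += s(password)
    length, n = b"", len(body)               # encode the remaining length as a varint
    while True:
        digit, n = n % 128, n // 128
        length += bytes([digit | (0x80 if n else 0)])
        if not n:
            break
    return b"\x10" + length + body


if __name__ == "__main__":
    state = {}
    sample = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "src_port": 40001, "dst_port": 1883,
              "payload": build_mqtt_connect("sensor-7", "sensor", "123456")}
    print(behavior_analysis(sample, state))   # MQTT, features No Encryption and Weak Password
```

The `state` dictionary is what lets a handle report behaviors that are a cumulative effect of earlier messages (the connection-rate case) rather than of the current message alone; a second protocol is added by registering two more functions, which is the extensibility the patent claims for the initialization stage.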
After the behavior characteristics are obtained from the behavior analysis handles, the behavior characteristic classification analysis layer obtains a behavior summary result from the behavior characteristics and their corresponding weight labels, and judges against a preset threshold whether the behavior summary result constitutes abnormal behavior, that is, it judges the risk level of the corresponding message, which gives the behavior analysis result. It should be noted that the various behavior characteristics are calculated and summed according to the categories and weight labels they belong to, and the sum is then judged by a preset threshold and/or by other detection engines to determine whether the behavior is abnormal. In addition, the abnormal behavior may lie in the current message alone, for example when the weak password library detects that the current message contains a weak password; or it may be the cumulative effect of the preceding sequence of messages, for example when the authentication rate of XMPP messages for a given JID exceeds a predefined threshold.
In an alternative embodiment, the behavior summary result w(x) is expressed as:
(equation given as an image in the original; not reproduced here)
where x is the behavior characteristic set obtained by the behavior analysis handle of a certain internet of things protocol, and may contain one or more of the behavior characteristics defined by the system; w(x) represents the sum of the risk weights accumulated, over the system-defined behavior characteristics, for the detected behavior characteristics.
k is a behavior characteristic defined in the system, of which there are the following 9 types:
(list given as an image in the original; not reproduced here)
Further, f(k, x) represents the risk weight computed for the detected behavior characteristic set x with respect to the system-defined behavior characteristic k, and is specifically expressed as:
(equation given as an image in the original; not reproduced here)
where x represents the behavior characteristic set obtained by the behavior analysis handle of a certain internet of things protocol and may contain one or more of the system-defined behavior characteristics; k represents one of the 9 types of behavior characteristics defined in the system; and a(k, x) represents whether the behavior characteristic set x identified for a certain internet of things protocol contains the system-defined behavior characteristic k:
(equation given as an image in the original; not reproduced here)
c(k, x) represents the risk weight that the identified internet of things behavior characteristic set x superposes on the system-defined behavior characteristic k:
(equation given as an image in the original; not reproduced here)
In an alternative embodiment, the behavior analysis result risk is expressed as:
(equation given as an image in the original; not reproduced here)
For example, taking the calculation of an internet of things risk level: in the deep packet inspection of a certain data stream, it is found that the stream uses the CoAP protocol and has the behavior characteristics weak password, amplification attack, and plaintext transmission; the final risk level is calculated as follows:
x = { “Weak Password”, “No Encryption”, “Packet Amplification”}
w(x) = (10×a(“Weak Password”, x) + 0 + 0 + 0 + (10 + c(“No Encryption”,x) × a(“No Encryption”, x)) + 5×a(“Packet Amplification”, x) + 0 + 0 + 0) = (10 +(10 + 10× 1)+ 5)=35
risk = 10
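The weighted summary w(x) = Σ_k f(k, x) with f(k, x) = (base weight of k + c(k, x)) · a(k, x), as an added example that is not the patent's own code and reproduces only its CoAP worked example. The patent's equations are images not available on the page, so the three base weights it uses (Weak Password 10, No Encryption 10, Packet Amplification 5) and the value c("No Encryption", x) = 10 are read off that example; every other base weight, the rule that c applies when a cleartext channel carries a weak password, and the abnormality threshold are assumptions, and the mapping from w(x) to the final risk level (10 in the example) is not given on the page and is not modelled.

```python
# The nine system-defined behaviour features, in the order the patent lists them.
FEATURES = ("Weak Password", "DDOS", "Miss Authentication", "Invalid Message", "No Encryption",
            "Packet Amplification", "IP Address Spoofing", "Repeated Attempts", "Sensitive Data Set")

# Base risk weight per feature. Weak Password, No Encryption and Packet Amplification are
# the values used in the patent's CoAP example; the remaining six are assumptions.
BASE_WEIGHT = {
    "Weak Password": 10, "DDOS": 8, "Miss Authentication": 6, "Invalid Message": 3,
    "No Encryption": 10, "Packet Amplification": 5, "IP Address Spoofing": 8,
    "Repeated Attempts": 4, "Sensitive Data Set": 7,
}
ABNORMAL_THRESHOLD = 20   # assumed preset threshold for "abnormal behaviour"


def a(k, x):
    """a(k, x): 1 if system-defined feature k is present in the detected feature set x, else 0."""
    return 1 if k in x else 0


def c(k, x):
    """c(k, x): extra weight the rest of x superposes on feature k. The page shows only
    c("No Encryption", x) = 10 in an x that also holds Weak Password; modelling that as
    a cleartext channel carrying a weak password is an assumption of this example."""
    if k == "No Encryption" and "Weak Password" in x:
        return 10
    return 0


def f(k, x):
    """f(k, x): risk weight contributed by feature k, (base weight + c) times the indicator."""
    return (BASE_WEIGHT[k] + c(k, x)) * a(k, x)


def w(x):
    """w(x): risk weights accumulated over all system-defined features."""
    return sum(f(k, x) for k in FEATURES)


def summarize(x, threshold=ABNORMAL_THRESHOLD):
    """Behaviour feature classification analysis: summary score, per-feature breakdown
    and the threshold decision. Feature names the system does not define are rejected
    rather than silently scored as zero."""
    unknown = set(x) - set(FEATURES)
    if unknown:
        raise ValueError(f"features not defined in the system: {sorted(unknown)}")
    total = w(x)
    return {
        "w": total,
        "abnormal": total >= threshold,
        "contributions": {k: f(k, x) for k in FEATURES if a(k, x)},
    }


if __name__ == "__main__":
    # The patent's CoAP example: weak password, plaintext transport, amplification -> w(x) = 35
    print(summarize({"Weak Password", "No Encryption", "Packet Amplification"}))
```

The `contributions` breakdown is worth keeping in the analysis result: it is what an operator needs to see why a message crossed the threshold, and it makes the correlation term c(k, x) visible instead of buried in the total.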
in an alternative embodiment, the behavior analysis model further comprises: based on the behavior analysis result, calling an abnormal behavior record handle corresponding to the Internet of things protocol, and writing the message judged to be abnormal behavior and the corresponding quintuple into an abnormal behavior database; the quintuple comprises a source IP, a destination IP, a source port, a destination port and a corresponding Internet of things protocol. It should be noted that by writing the abnormal behavior into the abnormal behavior database, it is available for subsequent display, tracing and searching.
In addition, a newly added internet of things protocol can register its own message detection handle, behavior analysis handle and abnormal behavior record handle in the initialization stage, so the whole system is easily extended.
In an optional embodiment, after obtaining the behavior analysis result output by the behavior analysis model, the method includes: and determining whether to report an abnormal behavior log according to the behavior analysis result.
More specifically, determining whether to report an abnormal behavior log according to the behavior analysis result further includes: determining whether to report an abnormal behavior log or not based on the behavior analysis result and a preset abnormal behavior grade distribution rule, and executing a corresponding action based on user pre-configuration; wherein the action comprises at least one of dropping, blocking, passing, limiting the number of user accesses, and probing the source IP availability.
It should be added that the abnormal behavior grade assignment rule includes: weak password (Weak Password) corresponding to a high risk level, and denial of service (DDOS), missing authentication (Miss Authentication), invalid transmission (Invalid Message), cleartext transmission (No Encryption), amplification attack (Packet Amplification), IP address spoofing (IP Address Spoofing), repeated attempts (Repeated Attempts), and setting sensitive information (Sensitive Data Set) each corresponding to the application risk level.
It should be noted that weak passwords include, but are not limited to, default passwords, cleartext passwords, anonymous users, and hits in the weak password library. Different internet of things protocols detect DDOS differently, for example when the rate of access packets sent from a source IP exceeds a threshold, when the rate of connection creation exceeds a threshold, when the rate of connection authentication exceeds a threshold, or when the rate of access to a resource exceeds a threshold; the behavior calculation accumulates multiple DDOS attacks of different categories. Setting sensitive information includes, but is not limited to, setting or changing the Admin password and setting port forwarding.
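The abnormal behavior record handle and the reporting decision described in the preceding paragraphs, as an added example that is not the patent's or Webray's code: a per-protocol record handle writes the offending message together with its quintuple (source IP, destination IP, source port, destination port, protocol) into an abnormal behavior database, and the reporting step maps the detected characteristics to a grade and then to the action the user pre-configured for that grade. sqlite3 in memory stands in for the patent's database; the grade of every characteristic other than Weak Password (which the page names as high risk), the three-level grade scale, the shape of the analysis result record, and the sample message are assumptions or constructed values.

```python
import json
import sqlite3

RECORD_HANDLES = {}   # protocol name -> abnormal behaviour record handle

# Abnormal behaviour grade assignment rule. The page names Weak Password as high risk and
# refers the others to the application's risk level; the grades below are assumptions.
GRADE = {
    "Weak Password": "high", "DDOS": "high", "Miss Authentication": "medium",
    "Invalid Message": "low", "No Encryption": "medium", "Packet Amplification": "high",
    "IP Address Spoofing": "high", "Repeated Attempts": "medium", "Sensitive Data Set": "high",
}
GRADE_ORDER = ("low", "medium", "high")
ACTIONS = {"drop", "block", "pass", "limit", "probe"}   # the five actions the page lists


def open_abnormal_db():
    """In-memory abnormal behaviour database (sqlite3 stands in for the patent's store)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE abnormal_behavior (
        id INTEGER PRIMARY KEY, src_ip TEXT, dst_ip TEXT, src_port INTEGER,
        dst_port INTEGER, protocol TEXT, features TEXT, message BLOB)""")
    return db


def register_record_handle(protocol):
    """A protocol registers its record handle at initialization, like its other handles."""
    def wrap(fn):
        RECORD_HANDLES[protocol] = fn
        return fn
    return wrap


@register_record_handle("MQTT")
def record_mqtt(db, msg, result):
    """Write the offending message and its quintuple so it can be displayed and traced later."""
    db.execute(
        "INSERT INTO abnormal_behavior (src_ip, dst_ip, src_port, dst_port, protocol,"
        " features, message) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (msg["src_ip"], msg["dst_ip"], msg["src_port"], msg["dst_port"], "MQTT",
         json.dumps(sorted(result["features"])), msg["payload"]),
    )
    db.commit()


def record_abnormal(db, msg, result):
    """Call the record handle registered for the message's protocol; True if a row was written."""
    handle = RECORD_HANDLES.get(result["protocol"])
    if not result["abnormal"] or handle is None:
        return False
    handle(db, msg, result)
    return True


def lookup_by_source(db, src_ip):
    """Search step: every recorded abnormal behaviour from one source IP."""
    rows = db.execute("SELECT dst_ip, dst_port, protocol, features FROM abnormal_behavior"
                      " WHERE src_ip = ?", (src_ip,)).fetchall()
    return [(dst, port, proto, json.loads(feats)) for dst, port, proto, feats in rows]


def decide(result, user_config):
    """Reporting decision: the highest grade among the detected characteristics selects
    the action the user pre-configured for that grade; the configuration is validated
    against the five known actions before it is trusted."""
    for grade, action in user_config.items():
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} configured for grade {grade}")
    if not result["abnormal"]:
        return {"report": False, "grade": None, "action": "pass"}
    grades = [GRADE[k] for k in result["features"]]
    grade = max(grades, key=GRADE_ORDER.index) if grades else "low"
    return {"report": True, "grade": grade, "action": user_config[grade]}


if __name__ == "__main__":
    db = open_abnormal_db()
    msg = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "src_port": 40001, "dst_port": 1883,
           "payload": b"\x10\x00"}   # constructed placeholder payload
    result = {"protocol": "MQTT", "features": {"Weak Password", "No Encryption"}, "abnormal": True}
    record_abnormal(db, msg, result)
    print(lookup_by_source(db, "10.0.0.5"))
    print(decide(result, {"high": "block", "medium": "limit", "low": "pass"}))
```

Validating the user configuration up front matters operationally: a typo in the pre-configured action would otherwise only surface at the moment an abnormal message needs handling, which is exactly when a silent fallback to "pass" is least acceptable.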
In summary, in the embodiments of the present invention, the message inspected by the transport layer is obtained from the network layer, and the behavior analysis model performs behavior analysis based on the internet of things protocol and the weight labels to obtain the behavior analysis result, so customized behavior analysis is performed for different internet of things protocols, the accuracy of risk behavior detection for internet of things applications is improved, and the false alarm rate is reduced. In addition, the risk analysis brings the different behavior analysis results into a unified computing framework, so that the potential risks of the various dangerous behaviors are considered together, the correlation among different behaviors is fully taken into account, a quantifiable risk evaluation result is finally obtained, and the accuracy of risk behavior detection is further improved.
The internet of things behavior analysis system based on deep packet inspection provided by the invention is described below; the system described below and the method described above correspond to each other and may be read together.
Fig. 3 shows a schematic structural diagram of an internet of things behavior analysis system based on deep packet inspection, where the system includes:
the message acquisition module 31 receives a message sent by a transport layer, wherein the message is obtained by detecting the transport layer based on information sent by a network layer;
the behavior analysis module 32 is used for inputting the message into the behavior analysis model to obtain a behavior analysis result output by the behavior analysis model; the behavior analysis model is used for analyzing abnormal behaviors based on the messages and the behavior characteristics obtained by the Internet of things protocol and the weight labels corresponding to the messages.
Specifically, the message acquisition module 31 includes a data acquisition unit, which receives the message sent by the transport layer, wherein the message is obtained by the transport layer inspecting information passed up by the network layer. It should be noted that the message includes an internet of things protocol message; specifically, it may include at least one of an XMPP message, an MQTT message, an ONVIF message, a CoAP message, and a UPnP message, and the following text takes only XMPP and MQTT as examples. XMPP (Extensible Messaging and Presence Protocol) is an extensible messaging and presence protocol, a network instant messaging protocol produced by an open-source organization; MQTT (Message Queuing Telemetry Transport) is a message queue telemetry transport, an instant messaging protocol developed by IBM.
A behavior analysis module 32 comprising: the data input unit inputs the message into the behavior analysis model, and the behavior analysis model unit performs behavior analysis based on the input message to obtain a behavior analysis result; the behavior analysis model is used for analyzing abnormal behaviors based on the messages and the behavior characteristics obtained by the Internet of things protocol and the weight labels corresponding to the messages; and the data output unit is used for outputting the behavior analysis result obtained by the behavior analysis model unit.
Still further, the behavior analysis model unit includes: a deep packet inspection engine subunit, which selects the message detection handle corresponding to the internet of things protocol of the input message and analyzes the message with it to obtain a message analysis result; and a behavior analysis engine subunit, which analyzes the message analysis result in combination with the corresponding internet of things protocol and the corresponding weight labels to obtain a behavior analysis result.
It should be noted that the behavior analysis module 32 further includes a message detection handle configuration unit, which configures the deep packet inspection engine based on the internet of things protocols, that is, configures the message detection handles. For example, if the message types to be detected include XMPP messages and MQTT messages, an XMPP message detection handle and an MQTT message detection handle are configured accordingly; when the input message is an XMPP message, only the XMPP message detection handle can correctly parse the message content, so the message is identified as an XMPP message and the message analysis result is sent to the behavior analysis engine.
The behavior analysis engine subunit comprises: behavior analysis handle sub-subunits, which correspond one-to-one to the message detection handles and perform behavior analysis according to the corresponding internet of things protocol and the message analysis result output by the corresponding message detection handle to obtain behavior characteristics; and a behavior characteristic classification analysis unit, which obtains a behavior summary result from the behavior characteristics and their corresponding weight labels, and judges against a preset threshold whether the behavior summary result constitutes abnormal behavior, giving the behavior analysis result.
In an alternative embodiment, the behavior analysis model unit further includes: and the behavior analysis configuration subunit is used for configuring a behavior analysis engine based on the Internet of things protocol, namely configuring a behavior analysis handle. For example, if the message types to be detected include an XMPP message and an MQTT message, an XMPP behavior analysis handle and an MQTT behavior analysis handle are configured correspondingly, and after a message analysis result is obtained based on the XMPP message detection handle, the message analysis result is sent to the XMPP behavior analysis handle for behavior analysis.
In an alternative embodiment, the message comprises an XMPP message, and the behavior characteristics obtained according to the Internet of Things protocol corresponding to the message comprise at least one of: whether a secure transport layer protocol is adopted, whether the password field is encrypted, whether weak password detection succeeds, whether the access rate of the target IP exceeds a preset access threshold, and whether the authentication rate of the XMPP entity ID exceeds a preset authentication threshold.
In addition, the behavior characteristics include weak password (Weak Password), denial of service (DDOS), missing authentication (Miss Authentication), invalid transmission (Invalid Message), cleartext transmission (No Encryption), amplification attack (Packet Authentication), IP address spoofing (IP Address Spoofing), repeated attempts (Reproduced Attacks), and setting of sensitive information (Sensitive Data Set).
In an alternative embodiment, the behavior analysis model unit further includes an abnormal behavior data writing subunit, which, based on the behavior analysis result, calls the abnormal behavior record handle corresponding to the Internet of Things protocol and writes the message judged to be abnormal behavior, together with its corresponding quintuple, into an abnormal behavior database; the quintuple comprises the source IP, destination IP, source port, destination port and corresponding Internet of Things protocol. It should be noted that, by writing the abnormal behavior into the abnormal behavior database, it becomes available for subsequent display, tracing and searching.
In addition, a newly added Internet of Things protocol can register its own message detection handle, behavior analysis handle and abnormal behavior record handle in the initialization stage, so the whole system has good expandability.
In an alternative embodiment, the behavior analysis model unit further includes a log reporting subunit, which determines whether to report an abnormal behavior log according to the behavior analysis result.
More specifically, the log reporting subunit includes a log reporting grandchild unit, which determines whether to report the abnormal behavior log based on the behavior analysis result and a preset abnormal behavior grade distribution rule; and an action execution grandchild unit, which executes the corresponding action based on the user's pre-configuration, where the action comprises at least one of dropping, blocking, passing, limiting the number of user accesses, and probing source IP availability.
In summary, in the embodiment of the present invention, the message acquisition module acquires the message detected by the transmission layer based on the network layer, and the behavior analysis module uses the behavior analysis model to perform behavior analysis based on the Internet of Things protocol and the weight labels to obtain the behavior analysis result, so that customized behavior analysis is performed for different Internet of Things protocols, the accuracy of detecting risky behavior in Internet of Things applications is improved, and the false alarm rate is reduced. In addition, the risk analysis brings the different behavior analysis results into a unified computing framework, so that the potential risks of various dangerous behaviors are considered comprehensively and the correlation among different behaviors is fully taken into account, finally yielding a quantifiable risk evaluation result and further improving the accuracy of risk behavior detection.
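The pipeline described in the preceding paragraphs (handle registration at initialization, protocol-specific detection and behavior analysis handles, weighted summarizing against a preset threshold, the five-tuple abnormal behavior record, and a graded action), as an added Python example that is not the patent's own code. The protocol names and feature labels come from the description; the weight values, threshold, weak-password list, grade rule, handle implementations and sample messages are constructed assumptions.

```python
# Added example, not the patent's own code: a minimal Python model of the pipeline described
# above; handles, weight labels, threshold, weak-password list, grade rule and samples are assumed.
import base64
import re
from collections import namedtuple

Message = namedtuple("Message", "src_ip dst_ip src_port dst_port tls payload")
DETECT, ANALYZE, ABNORMAL_DB = {}, {}, []   # handles keyed by protocol; abnormal behavior database
WEIGHTS = {"No Encryption": 30, "Weak Password": 50, "Miss Authentication": 60}  # assumed weight labels
THRESHOLD = 80                              # assumed preset threshold on the behavior summarizing result
WEAK_PASSWORDS = {"123456", "admin", "password"}                                # constructed list

def register(proto, detect, analyze):
    """Initialization stage: a protocol registers its own handles (the extensibility point)."""
    DETECT[proto], ANALYZE[proto] = detect, analyze

def xmpp_detect(m):
    """XMPP message detection handle: only an XMPP SASL <auth> stanza parses here."""
    text = m.payload.decode(errors="ignore")
    if 'xmlns="urn:ietf:params:xml:ns:xmpp-sasl"' not in text:
        return None                                   # not XMPP: another handle may claim it
    plain = re.search(r'mechanism="PLAIN"[^>]*>([^<]*)</auth>', text)   # body: authzid\0authcid\0passwd
    password = base64.b64decode(plain.group(1)).split(b"\0")[-1].decode(errors="ignore") if plain else None
    return {"tls": m.tls, "password": password}

def xmpp_analyze(p):
    """XMPP behavior analysis handle: two of the checks listed above, mapped to feature labels."""
    feats = [] if p["tls"] else ["No Encryption"]    # no secure transport layer protocol adopted
    if p["password"] in WEAK_PASSWORDS:
        feats.append("Weak Password")                # weak password detection succeeded
    return feats

def mqtt_detect(m):
    """MQTT message detection handle: parse a CONNECT packet (remaining length assumed < 128)."""
    p = m.payload
    if len(p) < 12 or p[0] >> 4 != 1 or p[2:8] != b"\x00\x04MQTT":
        return None
    return {"tls": m.tls, "has_credentials": bool(p[9] & 0xC0)}   # connect flags: bit7 user, bit6 pass

def mqtt_analyze(p):
    feats = [] if p["tls"] else ["No Encryption"]
    if not p["has_credentials"]:
        feats.append("Miss Authentication")          # CONNECT without username or password
    return feats

def action_for(score):
    """Assumed abnormal behavior grade distribution rule mapped to pre-configured actions."""
    return "block" if score >= 90 else "limit" if score >= THRESHOLD else "pass"

def analyze(m):
    """Behavior analysis model: detection handle -> behavior handle -> classification layer."""
    for proto, detect in DETECT.items():
        parsed = detect(m)
        if parsed is None:
            continue                                 # this handle did not recognise the message
        feats = ANALYZE[proto](parsed)
        score = sum(WEIGHTS.get(f, 0) for f in feats)    # behavior summarizing result
        abnormal = score >= THRESHOLD
        if abnormal:                                 # abnormal behavior record handle: five-tuple
            ABNORMAL_DB.append(((m.src_ip, m.dst_ip, m.src_port, m.dst_port, proto), tuple(feats)))
        return {"protocol": proto, "features": feats, "score": score,
                "abnormal": abnormal, "action": action_for(score)}
    return None                                      # no registered protocol claimed the message

register("XMPP", xmpp_detect, xmpp_analyze)
register("MQTT", mqtt_detect, mqtt_analyze)
# Constructed samples: an XMPP PLAIN login with a weak password (over plain TCP, then over TLS),
# and an MQTT CONNECT (level 4, clean session, client id "sensor") carrying no credentials.
XMPP_PLAIN = ('<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">'
              + base64.b64encode(b"\0admin\0" + b"123456").decode() + "</auth>").encode()
MQTT_CONNECT = b"\x10\x12\x00\x04MQTT\x04\x02\x00\x3c\x00\x06sensor"
SAMPLES = [Message("10.0.0.5", "10.0.0.1", 40001, 5222, False, XMPP_PLAIN),
           Message("10.0.0.6", "10.0.0.1", 40002, 1883, False, MQTT_CONNECT),
           Message("10.0.0.7", "10.0.0.1", 40003, 5223, True, XMPP_PLAIN)]
```

The third sample shows the weighting at work: the same weak password over TLS scores below the threshold and is passed, while the cleartext login and the unauthenticated CONNECT are recorded with their five-tuples.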
Fig. 4 illustrates a physical structure diagram of an electronic device, which, as shown in Fig. 4, may include a processor 41, a communication interface 42, a memory 43 and a communication bus 44, where the processor 41, the communication interface 42 and the memory 43 communicate with each other through the communication bus 44. The processor 41 may call logic instructions in the memory 43 to execute the method for analyzing Internet of Things behavior based on deep packet inspection, where the method includes: receiving a message sent by the transmission layer, where the message is obtained by the transmission layer's detection based on information sent by the network layer; and inputting the message into a behavior analysis model to obtain the behavior analysis result output by the behavior analysis model, where the behavior analysis model analyzes abnormal behavior based on the message, the behavior characteristics obtained according to the Internet of Things protocol, and the weight labels corresponding to the message.
Furthermore, the logic instructions in the memory 43 may be implemented in the form of software functional units and, when sold or used as independent products, stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method for analyzing Internet of Things behavior based on deep packet inspection provided by the foregoing methods, where the method includes: receiving a message sent by the transmission layer, where the message is obtained by the transmission layer's detection based on information sent by the network layer; and inputting the message into a behavior analysis model to obtain the behavior analysis result output by the behavior analysis model, where the behavior analysis model analyzes abnormal behavior based on the message, the behavior characteristics obtained according to the Internet of Things protocol, and the weight labels corresponding to the message.
The above-described apparatus embodiments are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment, which one of ordinary skill in the art can understand and implement without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. An Internet of Things behavior analysis method based on deep packet inspection, characterized by comprising the following steps:
receiving a message sent by a transmission layer, wherein the message is obtained by detecting the transmission layer based on information sent by a network layer;
inputting the message into a behavior analysis model to obtain a behavior analysis result output by the behavior analysis model; the behavior analysis model is used for analyzing abnormal behaviors based on the behavior characteristics obtained by the messages and the Internet of things protocol and the weight labels corresponding to the messages;
the behavior analysis model comprises:
the deep message detection engine selects a corresponding message detection handle for analysis based on an Internet of things protocol corresponding to an input message to obtain a message analysis result;
the behavior analysis engine is used for analyzing in combination with the corresponding Internet of things protocol and the corresponding weight label based on the message analysis result to obtain a behavior analysis result;
the behavior analysis engine comprises:
behavior analysis handles which correspond to the message detection handles one by one, and perform behavior analysis according to the corresponding Internet of things protocol and the message analysis result output by the corresponding message detection handles to obtain behavior characteristics;
and the behavior characteristic classification analysis layer is used for obtaining a behavior summarizing result based on the behavior characteristics and the corresponding weight labels thereof, and judging whether the behavior summarizing result belongs to abnormal behaviors or not based on a preset threshold value to obtain a behavior analysis result.
2. The Internet of Things behavior analysis method based on deep packet inspection according to claim 1, wherein the message comprises an Internet of Things protocol message.
3. The internet of things behavior analysis method based on deep packet inspection according to claim 1, wherein the behavior analysis model comprises:
based on the behavior analysis result, calling an abnormal behavior record handle corresponding to the Internet of things protocol, and writing the message judged to be abnormal behavior and the corresponding quintuple into an abnormal behavior database; the quintuple comprises a source IP, a destination IP, a source port, a destination port and a corresponding Internet of things protocol.
4. The Internet of Things behavior analysis method based on deep packet inspection according to claim 1, wherein after obtaining the behavior analysis result output by the behavior analysis model, the method further comprises:
and determining whether to report an abnormal behavior log according to the analysis result.
5. The internet of things behavior analysis method based on deep packet inspection according to claim 4, wherein the determining whether to report the abnormal behavior log according to the analysis result further comprises:
determining whether to report an abnormal behavior log or not based on the behavior summarizing result and a preset abnormal behavior grade distribution rule, and executing a corresponding action based on user pre-configuration; wherein the action comprises at least one of dropping, blocking, passing, limiting the number of user accesses, and probing source IP availability.
6. An Internet of Things behavior analysis system based on deep packet inspection, characterized by comprising:
a message acquisition module, used for receiving a message sent by a transmission layer, wherein the message is obtained by detecting the transmission layer based on information sent by a network layer;
the behavior analysis module is used for inputting the message into a behavior analysis model to obtain a behavior analysis result output by the behavior analysis model; the behavior analysis model is used for analyzing abnormal behaviors based on the behavior characteristics obtained by the messages and the Internet of things protocol and the weight labels corresponding to the messages;
the behavior analysis model comprises:
the deep message detection engine subunit selects a corresponding message detection handle to analyze based on an Internet of things protocol corresponding to the input message to obtain a message analysis result;
the behavior analysis engine subunit is used for analyzing in combination with the corresponding Internet of things protocol and the corresponding weight label based on the message analysis result to obtain a behavior analysis result;
the behavior analysis engine subunit comprises:
the behavior analysis handle grandchild unit corresponds to the message detection handles one by one, and performs behavior analysis according to the corresponding Internet of things protocol and the message analysis result output by the corresponding message detection handles to obtain behavior characteristics;
and the behavior feature classification analysis unit obtains a behavior summarizing result based on the behavior features and the corresponding weight labels thereof, and judges whether the behavior summarizing result belongs to abnormal behaviors or not based on a preset threshold value to obtain a behavior analysis result.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method for analyzing behavior of the internet of things based on deep packet inspection according to any one of claims 1 to 5 when executing the program.
8. A non-transitory computer readable storage medium, on which a computer program is stored, wherein the computer program, when being executed by a processor, implements the steps of the method for analyzing behavior of the internet of things based on deep packet inspection according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210401399.9A CN114513369B (en) 2022-04-18 2022-04-18 Deep packet inspection-based internet of things behavior analysis method and system

Publications (2)

Publication Number Publication Date
CN114513369A CN114513369A (en) 2022-05-17
CN114513369B true CN114513369B (en) 2022-07-08

Family

ID=81555184

Country Status (1)

Country Link
CN (1) CN114513369B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant