CN114760104A - Distributed abnormal flow detection method in Internet of things environment - Google Patents


Publication number
CN114760104A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210276715.4A
Other languages
Chinese (zh)
Inventor
李晋国
丁庆丰
孙哲
张凯
温蜜
王亮亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Electric Power University
Original Assignee
Shanghai Electric Power University
Application filed by Shanghai Electric Power University
Priority to CN202210276715.4A
Publication of CN114760104A


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G06F18/241: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00: Economic sectors
    • G16Y10/75: Information technology; Communication
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00: IoT characterised by the purpose of the information processing
    • G16Y40/10: Detection; Monitoring
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00: IoT characterised by the purpose of the information processing
    • G16Y40/50: Safety; Security of things, users, data or systems
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection


Abstract

The invention provides a distributed abnormal traffic detection method for an Internet of Things environment. The model is deployed on the Internet of Things devices under test; the devices and the structure among them serve as the nodes and edges of a graph structure, respectively, and a distributed architecture localizes traffic anomaly detection on that graph structure. This replaces traditional detection methods that run on a virtual server or in the cloud and reduces detection delay and time overhead. Because an improved graph neural network is used for feature extraction, the model can learn the complex communication patterns between the network structure and the node devices and explicitly capture the structural features and relationships in the data flow, so that more covert, novel attack methods can be detected and detection efficiency is further improved.

Description

Distributed abnormal flow detection method in Internet of things environment
Technical Field
The invention belongs to the technical field of Internet of Things security, and in particular relates to a distributed abnormal traffic detection method for an Internet of Things environment based on a graph neural network.
Background
As the Internet of Things ecosystem matures, large numbers of intelligent terminal devices are widely deployed across many Internet of Things application fields, such as smart homes, smart healthcare, smart transportation and Industry 4.0. The sharp increase in the number of devices at the Internet of Things edge brings many serious security risks, and in a complex network environment the data generated by Internet of Things devices is easily leaked, attacked or interrupted. On the one hand, Internet of Things terminal devices are often constrained in resources such as computation, memory and bandwidth, and these limitations pose a more demanding security challenge for the Internet of Things. On the other hand, Internet of Things devices are closely interrelated, so once a device is compromised, the result can be leakage of user privacy data, abnormal operation of network infrastructure, and network congestion or paralysis; it can even cause huge economic and social losses and threaten the security of enterprises and countries.
In the past few years, the rise and development of machine learning and deep learning have advanced research in the security field, and various types of neural networks (such as the convolutional neural network CNN, long short-term memory LSTM, and the autoencoder AE) have been widely applied to Internet of Things intrusion detection. Most previous machine learning and deep learning methods apply to Euclidean space, where the neighbors of a node are fixed. In real Internet of Things scenarios, however, large numbers of edge devices and sensors are connected in complex, nonlinear ways, forming a non-Euclidean space in which neighboring nodes are not fixed. Traditional methods are mostly shallow learning: they analyze anomalies in the traffic data of a single node only from a statistical perspective and do not explicitly learn the relationships or structure among variables, so the performance of conventional deep learning methods on non-Euclidean data remains unsatisfactory. Some sophisticated intruders launch attacks with low-intensity, highly targeted anomalous traffic that closely resembles legitimate traffic and does not cause the statistically significant changes in network traffic that intensity-based attacks do; such novel attacks are often difficult to detect with conventional methods.
Disclosure of Invention
To solve these problems, the invention provides a distributed abnormal traffic detection method that is suited to the Internet of Things environment and improves detection precision and speed. It adopts the following technical scheme:
The invention provides a distributed abnormal traffic detection method in an Internet of Things environment, used for detecting abnormal traffic of Internet of Things devices, characterized by comprising the following steps:
step S1, improving the graph convolutional neural network;
step S2, introducing a distributed abnormal traffic detection module based on the improved graph convolutional neural network, thereby obtaining a distributed abnormal traffic detection model;
step S3, deploying the distributed abnormal traffic detection model to a plurality of Internet of Things devices under test;
step S4, collecting data from the plurality of Internet of Things devices under test and applying graph structure preprocessing to the collected data to generate a graph structure;
step S5, inputting the graph structure into the distributed abnormal traffic detection model for detection, and outputting an abnormal traffic detection result for the Internet of Things devices under test,
wherein the graph structure comprises nodes and edges, the nodes correspond to the Internet of Things devices under test, and the edges correspond to the relationship structures among the Internet of Things devices under test.
The distributed abnormal traffic detection method in an Internet of Things environment provided by the invention may further have the technical feature that the improvement in step S1 is as follows: the message-passing module of the graph convolutional neural network is removed, adjacency information is introduced implicitly when the loss function is calculated and is combined with a multilayer perceptron for training, and a neighborhood contrastive loss function is used, so that the multilayer-perceptron-based graph convolutional neural network can learn the connection features of graph nodes without an explicit message-passing module.
The distributed abnormal traffic detection method in an Internet of Things environment provided by the invention may further have the technical feature that the distributed anomaly detection module comprises an edge detection unit and a node detection unit, wherein the edge detection unit consists of an edge GMLP and is used to classify the states of nodes and edges based on features and to predict the anomaly probability of adjacent nodes, and the node detection unit consists of a node GMLP and is used to update the features of nodes and to detect the probability that a node is in an abnormal state.
The distributed abnormal traffic detection method in an Internet of Things environment provided by the invention may further have the technical feature that the Internet of Things devices under test comprise at least terminal devices and SDN edge forwarders, and that deployment is on the terminal device side or on the SDN edge forwarder, replacing detection in the cloud or on a virtual server.
The distributed abnormal traffic detection method in an Internet of Things environment provided by the invention may further have the technical feature that each unit of the distributed abnormal traffic detection module is also provided with an attention mechanism module; the graph multilayer perceptron has an input layer, an output layer, a hidden layer, a fully connected layer and a SoftMax classifier, and the attention mechanism module is placed before the SoftMax classifier. When each node updates the output of the hidden layer, different weights are assigned to each adjacent node by calculating the attention of the adjacent nodes, and nodes with higher weights become the focus of the distributed abnormal traffic detection model.
The distributed abnormal traffic detection method in an Internet of Things environment provided by the invention may further have the technical feature that the abnormal traffic detection process comprises the following steps: step S5-1, the edge detection unit and the node detection unit train on the input graph structure and extract features from it; step S5-2, the extracted features of any node or edge are passed through the shared information exchange neighborhood and then input to the edge detection unit and the node detection unit in the area adjacent to that node or edge; step S5-3, steps S5-1 to S5-2 are repeated until the features of all subgraphs in the graph structure are obtained; and step S5-4, the features of each subgraph are input into the fully connected layer in the attention module, thereby obtaining the abnormal traffic detection result.
Effects of the invention
According to the distributed abnormal traffic detection method in an Internet of Things environment provided by the invention, a distributed abnormal traffic detection model is constructed from a graph neural network that incorporates a multilayer perceptron and a distributed abnormal traffic detection module that incorporates a multilayer perceptron, and the model is used to detect abnormal Internet of Things traffic. The model is deployed on the Internet of Things devices under test, the devices and the structural relationships among them serve as the nodes and edges of a graph structure, and the distributed architecture localizes traffic anomaly detection on the graph structure, that is, on the Internet of Things devices themselves. This replaces traditional detection methods that run on a virtual server or in the cloud and reduces detection delay and time overhead. Because the improved graph neural network is used for feature extraction, the network can also learn the complex communication patterns between the network structure and the node devices and capture the structural features and relationships in the data flow, so that more covert, novel attack methods can be detected and detection efficiency is further improved.
In summary, the invention provides a distributed abnormal traffic detection method suited to the Internet of Things environment that addresses its detection requirements: complex device nodes, low latency and high precision. The method both improves detection precision and reduces the time overhead of network communication, thereby speeding up detection.
Drawings
FIG. 1 is a flowchart of a distributed abnormal traffic detection method in an Internet of Things environment according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a multilayer perceptron according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a distributed anomaly detection module according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a deployment architecture in an embodiment of the invention;
FIG. 5 is a pseudocode diagram of an algorithm in an embodiment of the invention.
Detailed Description
The invention provides a distributed abnormal traffic detection scheme for an Internet of Things environment. It aims to overcome the shortcomings of the prior art, better capture the structural features of Internet of Things traffic data, and cope with the propagation and infection of novel network attacks.
To make the technical means, inventive features, objectives and effects of the invention easy to understand, the distributed abnormal traffic detection method in an Internet of Things environment is described in detail below with reference to the embodiment and the accompanying drawings.
< example >
FIG. 1 is a flowchart of a distributed abnormal traffic detection method in an Internet of Things environment in an embodiment of the present invention.
As shown in FIG. 1, the distributed abnormal traffic detection method in an Internet of Things environment includes the following steps:
Step S1, a graph convolutional neural network (GCN) is improved so that it learns the spatiotemporal relationships between network flows.
The graph convolutional neural network can learn the internal relationships of a static network, including how the nodes in the network interact under normal behavior patterns and how traffic is communicated to and from the stations.
In this embodiment, the message-passing module of the graph convolutional neural network is removed, and adjacency information is introduced implicitly when the loss function is calculated and combined with the multilayer perceptron for training. The multilayer perceptron has an input layer, an output layer, a hidden layer, a fully connected layer and a SoftMax classifier. A neighborhood contrastive loss function is also used, so that the multilayer-perceptron-based graph convolutional neural network can learn the connection features of graph nodes without an explicit message-passing module. Specifically:
Given a graph $G = (V, E)$, where $V$ is the set of all vertices and $E \in \mathbb{R}^{|V| \times |V|}$ is the adjacency matrix whose elements represent the relationships of the individual vertices to each other. Frequency-domain convolution on the graph is realized mainly through the graph Fourier transform and can be defined as the product of an input signal $x \in \mathbb{R}^{N}$ with the filter $g = \mathrm{diag}(\theta)$ in the Fourier domain, as shown by the following equation:
$$g * x = U\big((U^{T} g) \odot (U^{T} x)\big) = U(\Lambda)U^{T} x$$
where $U$ is the matrix composed of the eigenvectors of the normalized Laplacian matrix, given by:
Figure BDA0003556309610000071
In the formula, $I_N$ is a matrix of size $N \times N$, $A$ is the adjacency matrix, and the degree matrix is defined as $D_{ij} = \sum_{i} A_{ij}$.
To reduce computational cost, some researchers have adopted a $K$-th order truncated approximation using the Chebyshev polynomials $T_k(x)$:
Figure BDA0003556309610000072
This simplifies the computation of $g * x$ using Chebyshev polynomials, as shown in the following equation:
Figure BDA0003556309610000073
Through the above derivation, the final formula of the graph convolutional neural network (single layer) in this embodiment is:
Figure BDA0003556309610000074
where the layer features are $X^{(l+1)} \in \mathbb{R}^{N \times D}$, $N$ is the number of nodes, each node is represented by a $D$-dimensional feature vector, $W^{(l)}$ is the weight of the $l$-th single linear layer to be trained, $\sigma$ is the activation function, and the normalization matrix
Figure BDA0003556309610000075
is used to pass information between neighboring nodes:
Figure BDA0003556309610000076
Step S2, constructing the distributed abnormal traffic detection model: a distributed anomaly detection module consisting of two graph multilayer perceptrons, Graph-MLP (shown in FIG. 2), is introduced on the basis of the improved graph convolutional neural network. The module classifies the states of nodes and edges, and the results are used to update the attributes of the nodes and the corresponding edges.
In this embodiment, to better integrate the convolutional neural network into Internet of Things intrusion detection, feature processing is performed at the bottom layer of the model. The original node features $X$ pass through a set of classical neural network processing modules (linear layer, activation function, layer normalization, Dropout) to obtain a preprocessed node feature representation
Figure BDA0003556309610000081
Subsequently,
Figure BDA0003556309610000082
is used in two parts to compute the loss functions of the model:
Figure BDA0003556309610000083
A feature representation $Z$ is obtained through one linear transformation and is used to calculate the Ncontrast (neighbor contrastive) loss; $Z$ then passes through another linear transformation to obtain a feature representation $Y$ (here the model output layer, whose dimension equals the number of classes), which is used to calculate the CE (cross-entropy) loss. The resulting distributed abnormal traffic detection model can be expressed as:
$$X^{(1)} = \mathrm{Dropout}\big(\mathrm{LN}(\sigma(X W_0))\big)$$
$$Z = X^{(1)} W_1$$
$$Y = Z W_2$$
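An added illustration, not code from the patent, of the model expressed above: the forward pass X → X⁽¹⁾ → Z → Y never touches the adjacency matrix, which enters only through the neighbor contrastive loss. The loss follows the published Graph-MLP formulation (powers of the normalized adjacency as positive-pair weights, cosine similarity, temperature `tau`); ReLU as σ, the hop count `r`, the six-device topology and all feature values are assumptions constructed for the example.

```python
import math
import random

def normalized_adjacency(n, links):
    """A_hat = D^-1/2 (A + I) D^-1/2 for an undirected device graph."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for i, j in links:
        a[i][j] = a[j][i] = 1.0
    deg = [sum(row) for row in a]
    return [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)]
            for i in range(n)]

def matmul(p, q):
    cols = list(zip(*q))
    return [[sum(x * y for x, y in zip(row, col)) for col in cols] for row in p]

def layer_norm(row, eps=1e-5):
    mu = sum(row) / len(row)
    var = sum((v - mu) ** 2 for v in row) / len(row)
    return [(v - mu) / math.sqrt(var + eps) for v in row]

def forward(x, w0, w1, w2):
    """X1 = LN(sigma(X W0)), Z = X1 W1, Y = Z W2.
    Dropout is the identity at inference time. No adjacency is used here."""
    x1 = [layer_norm([max(0.0, v) for v in row]) for row in matmul(x, w0)]
    z = matmul(x1, w1)
    return z, matmul(z, w2)

def softmax(row):
    m = max(row)
    e = [math.exp(v - m) for v in row]
    s = sum(e)
    return [v / s for v in e]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv + 1e-12)

def ncontrast_loss(z, a_hat, r=2, tau=1.0):
    """Neighbor contrastive loss: nodes within r hops are positive pairs,
    weighted by gamma = A_hat^r; every other node acts as a negative."""
    gamma = a_hat
    for _ in range(r - 1):
        gamma = matmul(gamma, a_hat)
    n, losses = len(z), []
    for i in range(n):
        e = [0.0 if k == i else math.exp(cosine(z[i], z[k]) / tau)
             for k in range(n)]
        pos = sum(gamma[i][j] * e[j] for j in range(n))
        if pos > 0:  # isolated devices have no positive pairs; skip them
            losses.append(-math.log(pos / sum(e)))
    return sum(losses) / len(losses) if losses else 0.0

def demo():
    # Constructed topology: two clusters of three devices joined by link (2, 3).
    links = [(0, 1), (0, 2), (1, 2), (2, 3), (3, 4), (3, 5), (4, 5)]
    a_hat = normalized_adjacency(6, links)
    rng = random.Random(0)
    rand = lambda rows, cols: [[rng.uniform(-1, 1) for _ in range(cols)]
                               for _ in range(rows)]
    x = rand(6, 5)                       # 5 node attributes per device (constructed)
    z, y = forward(x, rand(5, 4), rand(4, 3), rand(3, 2))
    probs = [softmax(row) for row in y]  # per-device [normal, abnormal] scores
    # Embeddings that agree with the topology versus ones that ignore it.
    aligned = [[1.0, 0.0]] * 3 + [[0.0, 1.0]] * 3
    shuffled = [[1.0, 0.0], [0.0, 1.0]] * 3
    return {"a_hat": a_hat, "z": z, "probs": probs,
            "loss_aligned": ncontrast_loss(aligned, a_hat),
            "loss_shuffled": ncontrast_loss(shuffled, a_hat)}

if __name__ == "__main__":
    out = demo()
    print(out["loss_aligned"], out["loss_shuffled"])
```

The aligned embeddings give the lower loss, which is how training pulls the representations of connected devices together even though inference needs only each device's own features.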
FIG. 3 is a schematic structural diagram of a distributed anomaly detection module in the embodiment of the present invention.
As shown in FIG. 3, in this embodiment the distributed anomaly detection module includes an edge detection unit and a node detection unit. The edge detection unit consists of an edge GMLP and is used to classify the states of nodes and edges based on features and to predict the anomaly probability of adjacent nodes; the node detection unit consists of a node GMLP and is used to update the features of nodes and to detect the probability that a node is in an abnormal state.
Step S3, deploying the distributed abnormal traffic detection model to a plurality of Internet of Things devices under test.
FIG. 4 is a schematic diagram of a deployment architecture in an embodiment of the invention.
In this embodiment, the Internet of Things devices under test include terminal devices (the edge devices in FIG. 4), SDN edge forwarders, and core forwarders.
As shown in FIG. 4, to better capture the structural features of Internet of Things traffic data, in this embodiment the distributed abnormal traffic detection model, that is, the distributed anomaly detection module, is deployed on the terminal device side of the Internet of Things under test or on an SDN edge forwarder, replacing earlier detection methods that run on a virtual server or in the cloud. These detection modules are implemented by low-power AI processors on the edge forwarders.
Each distributed detection module focuses on a subset of the data transmission services and detects the module information and abnormal states of its neighbor nodes, so that traffic anomaly detection is ultimately localized.
Step S4, collecting data from the plurality of Internet of Things devices under test and applying graph structure preprocessing to the collected data to generate a graph structure, wherein the graph structure comprises nodes and edges, the nodes correspond to the Internet of Things devices under test, and the edges correspond to the relationship structures and behaviors among the Internet of Things devices under test.
To reduce resource overhead and improve detection, in this embodiment the network formed by the Internet of Things devices under test is regarded as a graph made up of the node devices and the communication channels between them. The structure and behavior of the network are analogous to the edges of each node in the graph, abnormal behavior in the network can be regarded as an abnormal node or an abnormal edge, and the graph neural network can process graph-structured data directly. This makes it possible to extract many of the structural features present in the network and use them to classify nodes. Each SDN edge forwarder and each core forwarder is treated as a node of the graph, each node has a label describing its behavior, and the underlying connections among the nodes are treated as edges, so the task of abnormal traffic detection becomes one of detecting abnormal nodes or abnormal edges in the graph.
Step S5, performing abnormal traffic detection with the graph structure as the model input:
First, the distributed anomaly detection module trains on the graph structure and extracts features from it. Second, the extracted features of any node or edge are passed through the shared information exchange neighborhood and then input to the detection modules in the adjacent area. This is repeated until the features of all subgraphs in the graph structure are obtained. Finally, the features of each subgraph are input into the fully connected layer in the attention module, thereby obtaining the corresponding abnormal traffic detection result.
Unlike conventional graph neural network model operations, this embodiment implements a communication channel in which an information exchange neighborhood is established to combine the information of the edge GMLP and the node GMLP. The inputs to the model represent 3 attributes of edge features and 5 attributes of node features, respectively, with each neuron connected by a unidirectional link. Specifically:
Define the inputs and outputs: suppose there is a node j with neighboring nodes i = 1, 2, 3, …, N. The edge input consists of the edge feature vector corresponding to the neighbor (at time t-1, this is
Figure BDA0003556309610000101
), the information of the node itself
Figure BDA0003556309610000102
and the edge feature vector corresponding to the neighbor
Figure BDA0003556309610000103
The edge feature vector of the data is then updated through the output of the fully connected layer. Meanwhile, the edge detection unit updates the feature representation of the node according to the collected information; the updated edge feature vector is then concatenated with the feature of the i-th node as the input of the SoftMax classifier, and classification finally yields the anomaly probability of node j.
Compared with other centralized IDSs (intrusion detection systems), this mode of information exchange needs no explicit message passing, which effectively reduces resource consumption.
In addition, during forward propagation in the graph neural network, node information that plays an important role needs attention, while node information that plays a secondary role should be ignored. To further improve detection accuracy, in this embodiment an attention mechanism module is added before the final classifier layer. Its basic principle is that when each node updates the output of the hidden layer, different weights are assigned to each adjacent node by calculating the attention of the adjacent nodes, and nodes with higher weights become the focus of the neural network. Introducing the attention mechanism reduces the computational burden of processing high-dimensional data, lets the detection system concentrate on finding the significant, relevant and useful information in the data, and improves output quality.
In summary, this embodiment provides a distributed abnormal traffic detection method suited to the Internet of Things environment. Starting from the complex communication patterns between the network structure and the node devices, it first improves a graph neural network for the Internet of Things environment and uses the improved graph network to identify the complex graph-structured relationships between nodes. Second, detection models are deployed on the Internet of Things devices, the forwarders and the fog nodes, and a distributed detection architecture localizes traffic anomaly detection, reducing detection delay and time overhead. An attention module is also introduced to strengthen the extraction of key features, enhance model interpretability and further improve detection precision. The pseudocode of the distributed abnormal traffic detection algorithm is shown in FIG. 5.
Effects of the embodiment
According to the distributed abnormal traffic detection method in an Internet of Things environment provided by this embodiment, and in view of the detection requirements of the Internet of Things environment (complex device nodes, low latency and high precision), a distributed abnormal traffic detection model suited to the Internet of Things environment is constructed from a graph neural network that incorporates a multilayer perceptron and a distributed abnormal traffic detection module that incorporates a multilayer perceptron, and the model is used to detect abnormal Internet of Things traffic. Compared with other existing detection technologies, the detection method of this embodiment can explicitly capture the implicit structure and relationships in traffic data, cope better with the propagation and infection of novel network attacks, and reduce the time overhead of network communication, thereby effectively improving the accuracy and efficiency of abnormal network traffic detection.
In the embodiment, because the improved graph neural network is used for feature extraction, the network can learn the complex communication patterns between the network structure and the node devices and capture the structural features and relationships in the data flow, so that more covert, novel attack methods can be detected and detection efficiency is further improved.
In the embodiment, the model is deployed on the Internet of Things devices under test, the devices and the structural relationships among them serve as the nodes and edges of the graph structure, respectively, and the distributed architecture localizes traffic anomaly detection on the graph structure, that is, on the Internet of Things devices themselves. This replaces traditional detection methods that run on a virtual server or in the cloud and reduces detection delay and time overhead.
In addition, an attention mechanism is added to each detection unit of the distributed anomaly detection module, and the extraction of key features is strengthened through weight optimization, which avoids the loss of attention between adjacent nodes and effectively improves detection precision.
The above embodiment merely illustrates a specific implementation of the present invention, and the present invention is not limited to the scope described in the above embodiment.

Claims (6)

1. A distributed abnormal flow detection method in an Internet of things environment, used for detecting abnormal flow of Internet of things devices, characterized by comprising the following steps:
step S1, improving the graph convolution neural network;
step S2, a distributed abnormal flow detection module composed of two graph multilayer perceptrons is introduced based on the improved graph convolution neural network, so as to obtain a distributed abnormal flow detection model;
step S3, deploying the distributed abnormal traffic detection model to a plurality of Internet of things devices to be detected;
step S4, collecting data based on the Internet of things equipment to be detected, and carrying out graph structure preprocessing on the collected data so as to generate a graph structure;
step S5, inputting the graph structure into the distributed abnormal traffic detection model for detection, thereby outputting an abnormal traffic detection result corresponding to the Internet of things devices to be detected,
wherein the graph structure comprises nodes and edges, the nodes correspond to the Internet of things devices to be detected, and the edges correspond to the relationship structures among the Internet of things devices to be detected.
2. The distributed abnormal traffic detection method in the environment of the internet of things according to claim 1, characterized in that:
wherein the improvement in step S1 is:
removing the message transfer module of the graph convolution neural network; implicitly introducing adjacency information, in combination with training of a multilayer perceptron, when calculating the loss function; and using the domain contrast loss function so that the multilayer-perceptron-based graph convolution neural network learns the connection features of the graph nodes without an explicit message transfer module.
3. The distributed abnormal traffic detection method in the environment of the internet of things according to claim 2, characterized in that:
wherein the distributed anomaly detection module comprises an edge detection unit and a node detection unit,
the edge detection unit is composed of an edge GMLP and is used for classifying the states of the nodes and the edges based on features and predicting the probability of an anomaly on adjacent nodes,
the node detection unit is composed of a node GMLP and is used for updating the features of the nodes and detecting the probability of causing an abnormal state of the nodes.
4. The distributed abnormal traffic detection method in the environment of the internet of things according to claim 3, wherein:
wherein the Internet of things devices to be detected at least comprise terminal devices and an SDN edge forwarder,
the deployment is either on the terminal device side or on the SDN edge forwarder, replacing detection in the cloud or on a virtual server.
5. The distributed abnormal traffic detection method in the environment of the internet of things according to claim 4, wherein:
wherein each unit of the distributed anomaly detection module is also provided with an attention mechanism module,
the graph multilayer perceptron has an input layer, an output layer, a hidden layer, a fully connected layer and a SoftMax classifier,
the attention mechanism module is arranged before the SoftMax classifier, when each node updates the output of the hidden layer, different weights are distributed to each adjacent node by calculating the attention of the adjacent nodes, and the node with the higher weight is used as the focus of the distributed abnormal traffic detection model.
6. The distributed abnormal traffic detection method in the environment of the internet of things according to claim 5, wherein:
wherein the detection process of the abnormal flow comprises the following steps:
step S5-1, the edge detection unit and the node detection unit train and extract the features of the input graph structure;
step S5-2, after the extracted features of any node or edge are transferred through the public information exchange field, inputting those features into the edge detection unit and the node detection unit in the adjacent area of that node or edge;
step S5-3, repeating the step S5-1 to the step S5-2 until the characteristics of all sub-graphs of the graph structure are obtained;
and step S5-4, inputting the characteristics of each sub-graph into a full connection layer in the attention module, thereby obtaining the abnormal flow detection result.
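
As an added illustration (not code from the patent), the Python sketch below builds the graph of step S4 from constructed flow records and evaluates a neighbourhood contrastive loss of the kind claim 2 describes, where adjacency appears only in the loss and never in a forward pass. Reading the claim's "domain contrast loss" as a Graph-MLP-style neighbourhood contrastive loss is an assumption, as are the one-hop unweighted adjacency, the device names and the two-dimensional embeddings.

```python
import math

# Constructed flow records (source device, destination device); not patent data.
FLOWS = [("cam1", "gw"), ("cam2", "gw"), ("gw", "cam1"),
         ("plc1", "hmi"), ("hmi", "plc1"), ("plc2", "hmi")]

def build_graph(flows):
    """Step S4 sketch: devices become nodes, observed communication becomes edges."""
    nodes = sorted({dev for flow in flows for dev in flow})
    index = {name: i for i, name in enumerate(nodes)}
    adj = [[0.0] * len(nodes) for _ in nodes]
    for src, dst in flows:
        if src != dst:  # ignore self-loops
            adj[index[src]][index[dst]] = adj[index[dst]][index[src]] = 1.0
    return nodes, adj

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def neighbor_contrast_loss(emb, adj, tau=1.0):
    """Mean over nodes of -log(sum over neighbours / sum over all other nodes)
    of exp(cosine / tau). Adjacency enters only here (assumed loss form)."""
    losses = []
    for i, zi in enumerate(emb):
        pos = total = 0.0
        for j, zj in enumerate(emb):
            if i == j:
                continue
            weight = math.exp(cosine(zi, zj) / tau)
            pos += adj[i][j] * weight
            total += weight
        if pos > 0:  # isolated nodes contribute no term
            losses.append(-math.log(pos / total))
    return sum(losses) / len(losses) if losses else 0.0

def demo():
    nodes, adj = build_graph(FLOWS)  # cam1, cam2, gw, hmi, plc1, plc2
    a, b = [1.0, 0.0], [0.0, 1.0]
    aligned = [a, a, a, b, b, b]   # devices that talk to each other embed alike
    mixed = [a, a, b, a, b, b]     # every linked pair embeds apart
    return nodes, neighbor_contrast_loss(aligned, adj), neighbor_contrast_loss(mixed, adj)

if __name__ == "__main__":
    print(demo())
```

The loss is lower when linked devices have similar embeddings, which is how an MLP trained against it can pick up connection features without a message transfer module.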

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210276715.4A CN114760104A (en) 2022-03-21 2022-03-21 Distributed abnormal flow detection method in Internet of things environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210276715.4A CN114760104A (en) 2022-03-21 2022-03-21 Distributed abnormal flow detection method in Internet of things environment

Publications (1)

Publication Number Publication Date
CN114760104A true CN114760104A (en) 2022-07-15

Family

ID=82326547

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210276715.4A Pending CN114760104A (en) 2022-03-21 2022-03-21 Distributed abnormal flow detection method in Internet of things environment

Country Status (1)

Country Link
CN (1) CN114760104A (en)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
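Ding Qingfeng (丁庆丰) et al.: "A distributed abnormal traffic detection scheme in the Internet of things environment", Computer Engineering (online-first paper), 26 February 2022 (2022-02-26) *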

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116488943A (en) * 2023-06-19 2023-07-25 杭州海康威视数字技术股份有限公司 Multimedia data leakage tracing detection method, device and equipment
CN116488943B (en) * 2023-06-19 2023-08-25 杭州海康威视数字技术股份有限公司 Multimedia data leakage tracing detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination