CN115038088A - Intelligent network security detection early warning system and method - Google Patents


Info

Publication number: CN115038088A
Authority: CN (China)
Prior art keywords: data, abnormal, nodes, node, network
Legal status: Granted, currently active (the legal status and priority date shown are Google's assumptions, not legal conclusions)
Application number: CN202210955318.XA
Other languages: Chinese (zh)
Other versions: CN115038088B (en)
Inventors: 顾建龙, 周荣建, 赵磊, 柏晓雷, 尤为刚
Current assignee: Lanswon Technologies Co ltd
Original assignee: Lanswon Technologies Co ltd
Events: application filed by Lanswon Technologies Co ltd; priority to CN202210955318.XA; publication of CN115038088A; application granted; publication of CN115038088B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/60 Context-dependent security
                        • H04W 12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles
                • H04W 24/00 Supervisory, monitoring or testing arrangements
                    • H04W 24/04 Arrangements for maintaining operational condition
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/06 Management of faults, events, alarms or notifications
                        • H04L 41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
                            • H04L 41/0609 Filtering based on severity or priority
                        • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
                    • H04L 41/14 Network analysis or design
                        • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
                        • H04L 41/147 Network analysis or design for predicting network behaviour

Abstract

The invention discloses an intelligent network security detection and early-warning system and method. Internet of Things (IoT) node devices periodically collect data and receive information transmitted by other node devices, process it and perform anomaly analysis, and report the processed anomaly information data or anomaly indication information to the next node or to an edge server. The edge server receives the anomaly information data or anomaly indication information reported by all nodes, calculates from the reported anomaly information data whether the anomaly entropy of the current system exceeds a threshold and, if so, further determines the anomaly level of the system and reports it to an early-warning back end. Because each IoT node device first judges anomalies with its built-in network anomaly judgment model and transmits only the processed data to the server, network transmission pressure is reduced; the edge server analyses the anomaly data reported by all nodes in the system to obtain the network security level of the system, so that early-warning triggering is reliable.

Description

Intelligent network security detection early warning system and method
Technical Field
The invention belongs to the technical field of computer internet of things, and particularly relates to an intelligent network security detection early warning system and method.
Background
With the increase in the number of devices that 5G technology can support, large numbers of Internet of Things (IoT) devices access the 5G network for data transmission, and the network security problems of these large-scale IoT deployments need to be solved, including network security faults caused by illegal access and traffic overload within the IoT. At the same time, as the amount of data transmitted over the network grows, server-based computation generally leads to excessive server load and excessive transmission pressure on the mobile network, so that potential network security hazards cannot be reported in time, with further serious consequences.
The processing capacity of artificial intelligence algorithm chips keeps increasing and can now support local AI analysis and computation.
Therefore, given the characteristics of the upgrade and application scenarios of existing networks and devices, an intelligent network security early-warning system with low delay, high reliability and high utilisation of system resources is needed.
Disclosure of Invention
To address the defects of the prior art, the invention provides an intelligent network security detection and early-warning system comprising the following. IoT node devices periodically collect data and receive information transmitted by other node devices; they process the collected data and the data received from other nodes and analyse them for anomalies; when the analysis result is abnormal, they report the processed collected data and the processed data received from other nodes to the next node or to an edge server as anomaly information data, and when the analysis result is abnormal they report anomaly indication information to the next node or the edge server. After receiving the anomaly information data or anomaly indication information, the edge server calculates from the anomaly information data reported by each node whether the anomaly entropy of the current system exceeds a threshold; if so, it determines the anomaly level of the system and reports it to the early-warning back end. The early-warning back end issues an early warning according to the received anomaly level of the system.
The anomaly analysis that the IoT node device performs on the collected data and the data received from other nodes uses a network anomaly judgment model built into the node device. After the edge server calculates that the anomaly entropy of the current system exceeds the threshold, the anomaly level of the system is judged by the following steps (the symbols and formulas in these steps are rendered as images in the original and are not reproduced here; only the definitions of the quantities survive):
Step one: the edge server calculates the anomaly entropy of a single node. The quantities entering the formula are:
    • the anomaly entropy of the single node, i.e. of a given IoT node device that reported network anomaly information to the edge server in the cycle;
    • the number of hops between that node and the edge server;
    • the number of data streams the node received from all other nodes in the cycle;
    • the number of packets contained in those data streams;
    • the size of those packets;
    • the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes;
    • the number of other nodes from which the single node receives data;
    • the data size of the collected information obtained by the node in the cycle;
    • the normal data volume for the part of the cycle allocated to data collection;
    • the number of mismatched pairs of network-layer address and data-link-layer address detected in the data sent by each other node;
    • the number of mismatched pairs of network-layer address and port number detected in the data sent by each other node;
    • the number of mismatched pairs of data-link-layer address and port number detected in the data sent by each other node.
Step two: the edge server calculates the anomaly entropy of the current system, where the additional quantity in the formula is the number of anomaly information reports from node devices received by the edge server.
Step three: the edge server judges whether the anomaly entropy of the current system is greater than the threshold.
Step four: when it is, the edge server computes a further quantity from it (given as an image in the original).
Step five: that quantity is compared with the anomaly level intervals to determine the current anomaly level of the system.
The IoT node device periodically collects data and receives information transmitted by other node devices: data is collected in a first time period of the cycle, and information transmitted by other node devices is received in the remaining time periods of the cycle.
When the IoT node device processes the collected data and the data received from other nodes, it obtains the following quantities for the cycle (their symbols are images in the original):
    • the number of data streams received from all other nodes;
    • the number of data packets contained in those data streams;
    • the size of the data packets;
    • the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes;
    • the number of other nodes from which the single node receives data;
    • the data size of the collected information obtained in the node's cycle;
    • the normal data volume for the part of the cycle allocated to data collection;
    • the number of mismatched pairs of network-layer address and data-link-layer address detected in the data sent by each other node;
    • the number of mismatched pairs of network-layer address and port number detected in the data sent by each other node;
    • the number of mismatched pairs of data-link-layer address and port number detected in the data sent by each other node.
The anomaly analysis that the IoT node device performs on the collected data and the data received from other nodes uses its built-in network anomaly judgment model. This model is trained on historical network data of at least each device in the system; the historical network data is stored separately for the data collected and the data received in each device's historical cycles and is used as the input data for training a KNN model, yielding a network anomaly judgment model for the single device.
The network anomaly judgment model comprises two KNN models, one corresponding to the data collected in the first time period of the cycle and one corresponding to the data received in the other time periods of the cycle; the two models are combined to judge anomalies.
The threshold is set according to the mean system anomaly entropy in the system's historical data when a system network anomaly occurred and the mean system anomaly entropy in the historical data when no system network anomaly occurred (the symbols are images in the original).
Specifically, the threshold is set by a formula (an image in the original) in which two weights are applied, respectively, to the mean system anomaly entropy with a system network anomaly in the historical data and to the mean system anomaly entropy without a system network anomaly; the two weights satisfy a quantitative relationship that is given as an image in the original.
The invention also provides a network security detection and early-warning method based on the above system, comprising the following. IoT node devices periodically collect data and receive information transmitted by other node devices; the node device processes the collected data and the data received from other nodes and analyses them for anomalies; when the analysis result is abnormal, the processed collected data and the processed data received from other nodes are reported to the next node or to an edge server as anomaly information data, and when the analysis result is abnormal, anomaly indication information is reported to the next node or the edge server. After the edge server receives the anomaly information data or anomaly indication information reported by all nodes, it calculates from the anomaly information data reported by all nodes whether the anomaly entropy of the current system exceeds a threshold; if so, the anomaly level of the system is determined and reported to an early-warning back end. The early-warning back end issues an early warning according to the received anomaly level of the system.
The IoT node device periodically collects data and receives information transmitted by other node devices: data is collected in a first time period of the cycle, and information transmitted by other node devices is received in the remaining time periods of the cycle.
When an IoT node device transmits data to another IoT node device, the transmission uses the time-frequency resources allocated to the device in advance by the access network.
In the invention, the IoT node device judges the anomaly condition with its built-in network anomaly judgment model before uploading the processed data to the server, which reduces the load on network transmission, reduces network delay and increases the number of IoT node devices that can be connected.
In the invention, the edge server analyses the anomaly data reported by all nodes in the system to obtain the overall network security level of the system, and the dual anomaly analysis at the nodes and at the server makes early-warning triggering reliable.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description, which proceeds with reference to the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
Fig. 1 is a schematic diagram of the intelligent network security early-warning method according to an embodiment of the invention.
Fig. 2 is a diagram illustrating the calculation of anomaly entropy according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a plurality" typically includes at least two.
It should be understood that although the terms first, second, third, etc. may be used to describe … … in embodiments of the present invention, these … … should not be limited to these terms. These terms are used only to distinguish … …. For example, the first … … can also be referred to as the second … … and similarly the second … … can also be referred to as the first … … without departing from the scope of embodiments of the present invention.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The words "if", as used herein, may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (a stated condition or event)" may be interpreted as "upon determining" or "in response to determining" or "upon detecting (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of additional like elements in the article or device in which the element is contained.
Alternative embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The first embodiment, shown in Fig. 1, discloses a network security detection and early-warning method based on the above system. IoT node devices periodically collect data and receive information transmitted by other node devices; the node device processes the collected data and the data received from other nodes and analyses them for anomalies; when the analysis result is abnormal, the processed collected data and the processed data received from other nodes are reported to the next node or to an edge server as anomaly information data, and when the analysis result is abnormal, anomaly indication information is reported to the next node or the edge server. After the edge server receives the anomaly information data or anomaly indication information reported by all nodes, it calculates from the anomaly information data reported by all nodes whether the anomaly entropy of the current system exceeds a threshold; if so, the anomaly level of the system is determined and reported to an early-warning back end. The early-warning back end issues an early warning according to the received anomaly level of the system.
Optionally, to keep the data structure used for training and inference of the generative model uniform, the periodic collection and reception by the IoT node device consists of collecting data in a first time period of the cycle and receiving information transmitted by other node devices in the other time periods of the cycle, where the length and position of the first time period are fixed in every cycle.
Optionally, when the IoT node device transmits data to another IoT node device, the transmission takes place on the time-frequency resources allocated to the device in advance by the access network. The transmission may use the measurement link SL established through D2D; the measurement link SL may be configured by the access device, and the transmission period may be negotiated among the devices in advance or allocated to each device in advance by the base station through scheduling.
In the invention, the IoT node device judges the anomaly condition before uploading the processed data to the server, which reduces the load on network transmission, reduces network delay and increases the number of IoT node devices that can be connected.
In the invention, the edge server analyses the anomaly data reported by all nodes in the system to obtain the overall network security level of the system, and the dual anomaly analysis at the nodes and at the server makes early-warning triggering reliable.
The second embodiment discloses an intelligent network security early-warning system comprising the following network units and their functions. IoT node devices periodically collect data and receive information transmitted by other node devices, process the collected data and the data received from other nodes and analyse them for anomalies; when the analysis result is abnormal, they report the processed collected data and the processed data received from other nodes to the next node or to an edge server as anomaly information data, and when the analysis result is abnormal they report anomaly indication information to the next node or the edge server. After the edge server receives the anomaly information data or anomaly indication information reported by all nodes, it calculates from the anomaly information data reported by all nodes whether the anomaly entropy of the current system exceeds a threshold; if so, the anomaly level of the system is determined and reported to the early-warning back end. The early-warning back end issues an early warning according to the received anomaly level of the system.
The anomaly analysis that the IoT node device performs on the collected data and the data received from other nodes uses a network anomaly judgment model built into the node device.
As shown in Fig. 2, after calculating that the anomaly entropy of the current system exceeds the threshold, the edge server determines the anomaly level of the system by the following steps (the symbols and formulas are images in the original and are not reproduced here):
Step one: the edge server calculates the anomaly entropy of a single node. The quantities entering the formula are:
    • the anomaly entropy of the single node, i.e. of a given IoT node device that reported network anomaly information to the edge server in the cycle;
    • the number of hops between that node and the edge server;
    • the number of data streams the node received from all other nodes in the cycle;
    • the number of packets contained in those data streams;
    • the size of those packets;
    • the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes;
    • the number of other nodes from which the single node receives data;
    • the data size of the collected information obtained by the node in the cycle;
    • the normal data volume for the part of the cycle allocated to data collection;
    • the number of mismatched pairs of network-layer address and data-link-layer address detected in the data sent by each other node;
    • the number of mismatched pairs of network-layer address and port number detected in the data sent by each other node;
    • the number of mismatched pairs of data-link-layer address and port number detected in the data sent by each other node.
Step two: the edge server calculates the anomaly entropy of the current system, where the additional quantity in the formula is the number of anomaly information reports from node devices received by the edge server.
Step three: the edge server judges whether the anomaly entropy of the current system is greater than the threshold.
Step four: when it is, the edge server computes a further quantity from it (given as an image in the original).
Step five: that quantity is compared with the anomaly level intervals to determine the current anomaly level of the system.
Optionally, to keep the data structure used for training and inference of the generative model uniform, the periodic collection and reception by the IoT node device consists of collecting data in a first time period of the cycle and receiving information transmitted by other node devices in the other time periods of the cycle, where the length and position of the first time period are fixed in every cycle.
When the IoT node device processes the collected data and the data received from other nodes, it obtains the following quantities for its cycle (their symbols are images in the original):
    • the number of data streams received from all other nodes;
    • the number of data packets contained in those data streams;
    • the size of the data packets;
    • the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes;
    • the number of other nodes from which the single node receives data;
    • the data size of the collected information obtained in the node's cycle;
    • the normal data volume for the part of the cycle allocated to data collection;
    • the number of mismatched pairs of network-layer address and data-link-layer address detected in the data sent by each other node;
    • the number of mismatched pairs of network-layer address and port number detected in the data sent by each other node;
    • the number of mismatched pairs of data-link-layer address and port number detected in the data sent by each other node.
The IoT node device sends the processed data directly or indirectly to the edge server. After the edge server has received all the anomaly data or anomaly indications, it calculates the system anomaly entropy according to the system anomaly entropy calculation method and compares it with the threshold to determine the anomaly level.
In a certain embodiment, the node device of the internet of things performs anomaly analysis on the collected data and the data received from other nodes, including that the node device of the internet of things performs anomaly analysis on the collected data and the data received from other nodes according to a built-in network anomaly judgment model, the network anomaly judgment model is trained according to historical network data of each device at least including the system, the historical network data is respectively stored according to the data collected and received in the historical period of each device, and the historical network data is used as input data of a KNN model to be trained so as to obtain a network anomaly judgment model of a single device.
In one embodiment, the network anomaly judgment model includes two KNN models, one for the data collected in the first time period of the cycle and one for the data received from other nodes outside that first time period, and the two are combined to determine an anomaly.
In a certain embodiment, the threshold value
Figure 401342DEST_PATH_IMAGE019
is set according to the mean value of the system abnormal entropy when a system network abnormality occurs in the system historical data,
Figure 976680DEST_PATH_IMAGE027
, and the mean value of the system abnormal entropy when no system network abnormality occurs in the system historical data,
Figure 312983DEST_PATH_IMAGE028
.
In a certain embodiment, the threshold value
Figure 507335DEST_PATH_IMAGE019
is set as
Figure 612695DEST_PATH_IMAGE029
where
Figure 358934DEST_PATH_IMAGE030
and
Figure 916954DEST_PATH_IMAGE031
are the weights corresponding to the mean value of the system abnormal entropy when a system network abnormality occurs in the system historical data,
Figure 914997DEST_PATH_IMAGE027
, and the mean value of the system abnormal entropy when no system network abnormality occurs in the system historical data,
Figure 874863DEST_PATH_IMAGE028
, respectively;
Figure 792003DEST_PATH_IMAGE030
and
Figure 102899DEST_PATH_IMAGE031
satisfy the quantitative relationship
Figure DEST_PATH_IMAGE035
. For example,
Figure 639054DEST_PATH_IMAGE030
and
Figure 719005DEST_PATH_IMAGE031
may be set to 0.6 and 0.4, respectively. The network manager can also set different weights for different edge server management areas, so that the differing security requirements of different systems are met.
In one embodiment, the anomaly level interval may be determined according to historical system anomaly entropy for which the level has been determined.
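The node-side address-pair mismatch counting and the edge-server threshold and grade steps described in the embodiments above (and restated as steps one to five of claim 1 below), as an added worked example in Python. This is not code from the patent or its applicant: the patent's per-node and system abnormal entropy formulas are images that are not reproduced on this page, so `node_score()` and `system_entropy()` are assumed stand-ins built only from the variables the text names; the expected address bindings, the traffic, the historical entropies, the grade history and the requirement that the two threshold weights sum to 1 are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

# Constructed bindings a node is assumed to hold for its peers (the patent does
# not say how the expected address pairs are learned).
EXPECTED_MAC: Dict[str, str] = {"10.0.0.2": "aa:bb:cc:00:00:02",
                                "10.0.0.3": "aa:bb:cc:00:00:03"}
EXPECTED_PORT_BY_IP: Dict[str, int] = {"10.0.0.2": 5683, "10.0.0.3": 5683}
EXPECTED_PORT_BY_MAC: Dict[str, int] = {"aa:bb:cc:00:00:02": 5683,
                                        "aa:bb:cc:00:00:03": 5683}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    src_port: int
    size: int

def count_mismatches(packets: List[Packet]) -> Tuple[int, int, int]:
    """The three counters a node reports: packets whose (IP, MAC), (IP, port)
    and (MAC, port) pairs do not match the expected bindings."""
    ip_mac = ip_port = mac_port = 0
    for p in packets:
        ip_mac += int(EXPECTED_MAC.get(p.src_ip) != p.src_mac)
        ip_port += int(EXPECTED_PORT_BY_IP.get(p.src_ip) != p.src_port)
        mac_port += int(EXPECTED_PORT_BY_MAC.get(p.src_mac) != p.src_port)
    return ip_mac, ip_port, mac_port

@dataclass(frozen=True)
class NodeReport:
    """Abnormal information data one node sends to the edge server."""
    node_id: str
    streams: int             # data streams received from other nodes in the cycle
    packets_per_stream: int
    packet_size: int         # bytes
    max_receivable: int      # bytes receivable in the receive slot of the cycle
    collected: int           # bytes collected in the collection slot
    normal_collected: int    # normal collection volume for that slot
    mismatches: Tuple[int, int, int]

def node_score(r: NodeReport) -> float:
    """Assumed stand-in for the per-node abnormal entropy (not the patent's
    formula): receive overload ratio + collection deviation + mismatch rate."""
    received = r.streams * r.packets_per_stream * r.packet_size
    overload = max(0, received - r.max_receivable) / r.max_receivable
    collect_dev = abs(r.collected - r.normal_collected) / r.normal_collected
    packets = max(1, r.streams * r.packets_per_stream)
    return overload + collect_dev + sum(r.mismatches) / packets

def system_entropy(reports: List[NodeReport]) -> float:
    """Assumed stand-in for step two: mean score over the nodes that reported
    abnormal information (nodes that only sent an indication contribute nothing)."""
    return mean(node_score(r) for r in reports) if reports else 0.0

def threshold(abnormal_hist: List[float], normal_hist: List[float],
              w_abnormal: float = 0.6, w_normal: float = 0.4) -> float:
    """Weighted combination of the two historical means. 0.6/0.4 are the example
    weights the text gives; that the weights sum to 1 is our assumption."""
    if abs(w_abnormal + w_normal - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return w_abnormal * mean(abnormal_hist) + w_normal * mean(normal_hist)

def grade_intervals(history: List[Tuple[float, int]]) -> List[Tuple[float, int]]:
    """Derive (lower bound, grade) pairs from historical system entropies whose
    grade was already decided: each grade starts at its smallest seen value."""
    low: Dict[int, float] = {}
    for value, grade in history:
        low[grade] = min(value, low.get(grade, value))
    return sorted((v, g) for g, v in low.items())

def classify(h: float, th: float, intervals: List[Tuple[float, int]]) -> int:
    """Steps three to five: 0 when h does not exceed the threshold (no warning),
    otherwise the highest grade whose lower bound h reaches (at least the lowest)."""
    if h <= th:
        return 0
    grade = intervals[0][1]
    for lower, g in intervals:
        if h >= lower:
            grade = g
    return grade

def demo() -> Tuple[float, float, int]:
    """Constructed cycle: peer .2 is clean; two of the five packets from peer .3
    carry a MAC that is not the one bound to that IP."""
    clean = [Packet("10.0.0.2", "aa:bb:cc:00:00:02", 5683, 100)] * 5
    peer3 = ([Packet("10.0.0.3", "aa:bb:cc:00:00:03", 5683, 100)] * 3
             + [Packet("10.0.0.3", "de:ad:be:ef:00:01", 5683, 100)] * 2)
    a = NodeReport("A", 2, 5, 100, 800, 120, 100, count_mismatches(clean + peer3))
    b = NodeReport("B", 1, 4, 100, 800, 150, 100, (1, 0, 0))
    th = threshold([0.9, 1.1, 1.0], [0.1, 0.3, 0.2])  # 0.68
    intervals = grade_intervals([(0.7, 1), (0.8, 1), (1.0, 2), (1.2, 2), (1.5, 3)])
    h = system_entropy([a, b])  # 0.8
    return h, th, classify(h, th, intervals)  # grade 1

if __name__ == "__main__":
    print(demo())
```

The three counters returned by `count_mismatches()` are the per-peer quantities the claims name (network layer address versus data link layer address, network layer address versus port, data link layer address versus port); a node that sees none of them and no volume deviation would send only an indication and not appear in `system_entropy()`. The weights passed to `threshold()` are the knob the text says a network manager tunes per edge server management area.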
The disclosed embodiments provide a plurality of network elements including a communication node, a server, and a background, where each network element includes a non-volatile computer storage medium, where the computer storage medium stores computer-executable instructions that may perform the method steps described in the above embodiments.
In the invention, after the node equipment of the Internet of things judges the abnormal condition, the processed data is uploaded to the server, so that the load pressure of network transmission is reduced, the network delay is reduced, and the number of the node equipment of the Internet of things which can be accessed is increased.
In the invention, the edge server analyzes the abnormal data reported by all the nodes in the system to obtain the overall network security level of the system, and reliable early warning triggering is realized through dual abnormal analysis of the nodes and the server.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Wherein the name of an element does not in some cases constitute a limitation on the element itself.
The foregoing describes preferred embodiments of the present invention, and is intended to make the spirit and scope of the present invention clear and understandable, but not to limit the present invention, and modifications, substitutions and improvements made within the spirit and principle of the present invention are included in the scope of the present invention as outlined by the appended claims.

Claims (10)

1. An intelligent network security detection early warning system, the system comprising:
the node equipment of the Internet of things periodically collects data and receives information transmitted by other node equipment, processes and analyzes the collected data and the data received from other nodes, reports the processed collected data information and the processed data received from other nodes to a next node or an edge server as abnormal information data when the analysis result is abnormal, and reports abnormal indication information to the next node or the edge server when the analysis result is not abnormal; the edge server, after receiving the abnormal information data or the abnormal indication information, calculates whether the abnormal entropy of the current system exceeds a threshold value according to the abnormal information data reported by each node, and if so determines the abnormal grade of the system and reports it to the early warning background; the early warning background carries out early warning according to the received abnormal grade of the system; the anomaly analysis performed by the node equipment of the Internet of things on the acquired data and the data received from other nodes includes performing that analysis with a network anomaly judgment model built into the node equipment of the Internet of things; and the edge server, after calculating that the abnormal entropy of the current system exceeds the threshold value, judges the abnormal level of the system by the following steps:
step one, the edge server calculates the abnormal entropy of a single node
Figure 682263DEST_PATH_IMAGE001
:
Figure 699897DEST_PATH_IMAGE002
where
Figure 787939DEST_PATH_IMAGE001
is the abnormal entropy of the
Figure 54972DEST_PATH_IMAGE003
-th node device of the Internet of things that reported network abnormal information to the edge server in the cycle,
Figure 706402DEST_PATH_IMAGE004
for the number of hops the single node is away from the edge server,
Figure 640860DEST_PATH_IMAGE005
the number of data streams received from all other nodes in a cycle,
Figure 837486DEST_PATH_IMAGE006
the number of packets included in the data stream,
Figure 857395DEST_PATH_IMAGE007
for the size of the data packet as described above,
Figure 797669DEST_PATH_IMAGE008
the maximum amount of data that can be received in the period allocated to receive data from other nodes within the cycle,
Figure 586634DEST_PATH_IMAGE009
the number of other nodes received for a single node,
Figure 485319DEST_PATH_IMAGE010
the data size of the acquired information obtained in a single node period,
Figure 179475DEST_PATH_IMAGE011
the size of the normal data volume allocated to the period of time during which data is collected within a cycle,
Figure 720178DEST_PATH_IMAGE012
to be aligned with
Figure 566911DEST_PATH_IMAGE013
The number of unmatched address pairs of the network layer address and the data link layer address detected by the data transmitted by other nodes,
Figure 167657DEST_PATH_IMAGE014
to be aligned with
Figure 99840DEST_PATH_IMAGE013
the number of unmatched network layer addresses and port numbers detected in the data transmitted by other nodes,
Figure 444234DEST_PATH_IMAGE015
to be aligned with
Figure 145474DEST_PATH_IMAGE013
The number of unmatched data link layer addresses and port numbers detected by the data sent by other nodes;
step two, the edge server calculates the abnormal entropy of the current system
Figure 182700DEST_PATH_IMAGE016
Figure 585868DEST_PATH_IMAGE017
where
Figure 937215DEST_PATH_IMAGE018
the number of abnormal information reported by the node equipment received by the edge server;
step three, the edge server judges whether the abnormal entropy of the current system
Figure 555278DEST_PATH_IMAGE016
is greater than the threshold
Figure 701089DEST_PATH_IMAGE019
;
Step four, when
Figure 404603DEST_PATH_IMAGE020
the edge server computes
Figure 28482DEST_PATH_IMAGE021
step five, comparing
Figure 766631DEST_PATH_IMAGE022
with the abnormal grade interval to determine the current abnormal grade of the system.
2. The intelligent network security detection and early warning system of claim 1, wherein the node devices of the internet of things periodically collect data and receive information transmitted by other node devices, including collecting data in a first time period of the period and receiving information transmitted by other node devices in other time periods outside the first time period of the period.
3. The intelligent network security detection and early warning system as claimed in claim 1, wherein the processing of the data collected by the node device of the internet of things and the data received from other nodes includes obtaining the number of data streams received from all other nodes in the period of the node device of the internet of things
Figure 598190DEST_PATH_IMAGE005
The number of data packets contained in said data stream
Figure 726683DEST_PATH_IMAGE006
Size of the data packet
Figure 216570DEST_PATH_IMAGE007
Maximum amount of data that can be received in a period allocated to receiving data from other nodes within a cycle
Figure 278067DEST_PATH_IMAGE008
Number of other nodes received by a single node
Figure 765680DEST_PATH_IMAGE009
Data size of acquisition information obtained in a single node cycle
Figure 443786DEST_PATH_IMAGE010
Normal data size of the period of time allocated to the data acquisition within a cycle
Figure 675047DEST_PATH_IMAGE011
for the
Figure 122209DEST_PATH_IMAGE023
Number of unmatched address pairs of network layer address and data link layer address detected and discovered by data transmitted by other nodes
Figure 764412DEST_PATH_IMAGE024
for the
Figure 929814DEST_PATH_IMAGE023
the number of unmatched network layer addresses and port numbers detected in the data sent by other nodes
Figure 699187DEST_PATH_IMAGE014
Figure 266434DEST_PATH_IMAGE025
for the
Figure 830271DEST_PATH_IMAGE023
the number of unmatched data link layer addresses and port numbers detected in the data transmitted by other nodes.
4. The intelligent network security detection and early warning system according to claim 1, wherein the abnormality analysis of the collected data and the data received from other nodes by the node device of the internet of things comprises the abnormality analysis of the collected data and the data received from other nodes by the node device of the internet of things according to a built-in network abnormality judgment model, the network abnormality judgment model is trained according to historical network data of at least each device of the system, the historical network data is stored according to the data collected and received in each device historical period, and the historical network data is trained as input data of a KNN model to obtain a network abnormality judgment model of a single device.
5. The intelligent network security detection and early warning system of claim 1, wherein the network anomaly judgment model comprises two KNN models, one for the data collected in the first time period of the cycle and one for the data received from other nodes outside that first time period, and an anomaly is judged by combining the two models.
6. The intelligent network security detection and early warning system of claim 1, wherein the threshold value
Figure 482969DEST_PATH_IMAGE019
is set according to the mean value of the system abnormal entropy when a system network abnormality occurs in the system historical data,
Figure 56033DEST_PATH_IMAGE026
, and the mean value of the system abnormal entropy when no system network abnormality occurs in the system historical data,
Figure 212208DEST_PATH_IMAGE027
.
7. The intelligent network security detection and early warning system of claim 6, wherein the threshold value
Figure 461792DEST_PATH_IMAGE019
is set as
Figure 336207DEST_PATH_IMAGE028
where
Figure 712962DEST_PATH_IMAGE029
and
Figure 989223DEST_PATH_IMAGE030
are the weights corresponding to the mean value of the system abnormal entropy when a system network abnormality occurs in the system historical data,
Figure 426020DEST_PATH_IMAGE026
, and the mean value of the system abnormal entropy when no system network abnormality occurs in the system historical data,
Figure 725415DEST_PATH_IMAGE027
, respectively;
Figure 702598DEST_PATH_IMAGE029
and
Figure 20316DEST_PATH_IMAGE030
satisfy the quantitative relationship
Figure 424752DEST_PATH_IMAGE031
.
8. The network security detection and early warning method of the intelligent security detection and early warning system of any one of claims 1 to 7, the method comprising: the node equipment of the Internet of things periodically collects data and receives information transmitted by other node equipment, the node equipment of the Internet of things processes and analyzes the collected data and the data received from other nodes abnormally, when the analysis result is abnormal, the processed collected data information and the processed data received from other nodes are reported to a next node or an edge server as abnormal information data, and when the analysis result is abnormal, abnormal indication information is reported to the next node or the edge server; after the edge server receives abnormal information data or abnormal indication information reported by all nodes, the edge server calculates whether the abnormal entropy of the current system exceeds a threshold value according to the abnormal information data reported by all nodes, if so, the abnormal grade of the system is determined, and the abnormal grade of the system is reported to an early warning background; and the early warning background carries out early warning according to the received abnormal grade of the system.
9. The network security detection and early warning method of the intelligent security detection and early warning system according to any one of claims 1 to 7, wherein the node devices of the internet of things periodically collect data and receive information transmitted by other node devices, including collecting data in a first time period of the period and receiving information transmitted by other node devices in other time periods except the first time period of the period.
10. The network security detection and early warning method of the intelligent security detection and early warning system of any one of claims 1 to 7, wherein when the node device of the internet of things transmits data to another node device of the internet of things, the access network transmits data on the time-frequency resources allocated to the device pairs in advance.
CN202210955318.XA 2022-08-10 2022-08-10 Intelligent network security detection early warning system and method Active CN115038088B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210955318.XA CN115038088B (en) 2022-08-10 2022-08-10 Intelligent network security detection early warning system and method

Publications (2)

Publication Number Publication Date
CN115038088A true CN115038088A (en) 2022-09-09
CN115038088B CN115038088B (en) 2022-11-08

Family

ID=83130530

Country Status (1)

Country Link
CN (1) CN115038088B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100150008A1 (en) * 2007-03-08 2010-06-17 Seon Gyoung Sohn Apparatus and method for displaying state of network
US20150341376A1 (en) * 2014-05-26 2015-11-26 Solana Networks Inc. Detection of anomaly in network flow data
CN104660464A (en) * 2015-01-22 2015-05-27 贵州电网公司信息通信分公司 Network anomaly detection method based on non-extensive entropy
CN109951420A (en) * 2017-12-20 2019-06-28 广东电网有限责任公司电力调度控制中心 A kind of multistage flow method for detecting abnormality based on entropy and dynamic linear relationship
CN111935172A (en) * 2020-08-25 2020-11-13 珠海市一知安全科技有限公司 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
CN112788066A (en) * 2021-02-26 2021-05-11 中南大学 Abnormal flow detection method and system for Internet of things equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GUAN WU 等: "Gyro anomaly detection method based on information entropy", 《2021 GLOBAL RELIABILITY AND PROGNOSTICS AND HEALTH MANAGEMENT (PHM-NANJING)》 *
孙海丽 等: "工业物联网异常检测技术综述", 《通信学报》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115695032A (en) * 2022-11-07 2023-02-03 广东网安科技有限公司 Network security detection system
CN115695032B (en) * 2022-11-07 2023-05-30 广东网安科技有限公司 Network security detection system
CN116614319A (en) * 2023-07-20 2023-08-18 河北神玥软件科技股份有限公司 Network security control method based on big data and artificial intelligence
CN116614319B (en) * 2023-07-20 2023-10-03 河北神玥软件科技股份有限公司 Network security control method based on big data and artificial intelligence

Also Published As

Publication number Publication date
CN115038088B (en) 2022-11-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant