CN115038088A - Intelligent network security detection early warning system and method - Google Patents
- Publication number: CN115038088A (application number CN202210955318.XA)
- Authority: CN (China)
- Prior art keywords: data, abnormal, nodes, node, network
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H04W12/67—Risk-dependent, e.g. selecting a security level depending on risk profiles
- H04L41/0609—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time based on severity or priority
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L41/147—Network analysis or design for predicting network behaviour
- H04W24/04—Arrangements for maintaining operational condition
Abstract
The invention discloses an intelligent network security detection early warning system and method. IoT node devices periodically collect data and receive information transmitted by other node devices, process it and perform anomaly analysis; the processed abnormal information data, or an abnormal indication, is reported to the next node or to an edge server. The edge server receives the abnormal information data or abnormal indications reported by all nodes, calculates from the reported abnormal information data whether the abnormal entropy of the current system exceeds a threshold and, if so, further determines the abnormal level of the system and reports it to an early warning background. Because each IoT node device first judges its data with a built-in network anomaly judgment model and only then transmits the processed data to the server, network transmission pressure is reduced; the edge server analyses the abnormal data reported by all nodes in the system to obtain the network security level of the system, achieving reliable early-warning triggering.
Description
Technical Field
The invention belongs to the technical field of computer internet of things, and particularly relates to an intelligent network security detection early warning system and method.
Background
With the growth in the number of connectable devices supported by 5G, large numbers of IoT devices access the 5G network for data transmission, and the network security problems of these devices have to be solved, including network security faults caused by illegal access and traffic overload in the IoT. At the same time, as the volume of data carried by the network grows, performing the computation on the server generally overloads the server and puts excessive transmission pressure on the mobile network, so that potential network security hazards cannot be reported in time, with serious consequences.
Meanwhile, the processing capacity of AI accelerator chips keeps increasing and can now support local (on-device) AI analysis and computation.
Therefore, given the characteristics of the upgraded networks and devices and their application scenarios, an intelligent network security early warning system with low delay, high reliability and high utilisation of system resources is needed.
Disclosure of Invention
To address the defects of the prior art, the invention provides an intelligent network security detection early warning system comprising: IoT node devices, which periodically collect data and receive information transmitted by other node devices, process and analyse the collected data and the data received from other nodes, report the processed collected data and the processed data received from other nodes to the next node or to an edge server as abnormal information data when the analysis result is abnormal, and report only an abnormal indication to the next node or the edge server when the analysis result is not abnormal; an edge server, which, after receiving the abnormal information data or abnormal indications, calculates from the abnormal information data reported by each node whether the abnormal entropy of the current system exceeds a threshold and, if so, determines the abnormal level of the system and reports it to the early warning background; and an early warning background, which issues an early warning according to the received abnormal level of the system.
The anomaly analysis that the IoT node device performs on the acquired data and the data received from other nodes uses a network anomaly judgment model built into the node device. After the edge server calculates that the abnormal entropy of the current system exceeds the threshold, it judges the abnormal level of the system by the following steps:
Wherein the quantities are: the IoT node device that reports network abnormal information to the edge server in the period; the number of hops from that single node to the edge server; the number of data streams received from all other nodes in the cycle; the number of data packets contained in the data stream; the size of the data packet; the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes; the number of other nodes a single node receives from; the data size of the information acquired by a single node in the cycle; the normal data volume of the part of the cycle allocated to data collection; the number of unmatched (network layer address, data link layer address) pairs detected in the data transmitted by a given other node; the number of unmatched (network layer address, port number) pairs detected in the data transmitted by a given other node; and the number of unmatched (data link layer address, port number) pairs detected in the data transmitted by a given other node;
Step two: the edge server calculates the abnormal entropy of the current system, where the count entering the calculation is the number of abnormal information reports the edge server has received from the node devices;
Step three: the edge server judges whether the abnormal entropy of the current system is greater than the threshold;
Step five: compare the result with the abnormal level intervals to determine the current abnormal level of the system.
The IoT node device periodically collects data and receives information transmitted by other node devices: its own data is collected in a first time period of the cycle, and information from other node devices is received in the remaining time periods of the cycle.
Processing of the collected data and of the data received from other nodes by the IoT node device yields the following quantities: the number of data streams received from all other nodes in the cycle; the number of data packets contained in each data stream; the size of the data packets; the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes; the number of other nodes a single node receives from; the data size of the information collected by a single node in the cycle; the normal data volume of the part of the cycle allocated to data collection; and, for the data transmitted by a given other node, the number of unmatched (network layer address, data link layer address) pairs, the number of unmatched (network layer address, port number) pairs and the number of unmatched (data link layer address, port number) pairs detected.
The anomaly analysis the IoT node device performs on the collected data and the data received from other nodes uses a built-in network anomaly judgment model. That model is trained on historical network data covering at least every device in the system; the historical data are stored per device and per historical cycle, separately for the data collected and the data received, and are used as the training input of a KNN model to obtain the network anomaly judgment model of a single device.
The network anomaly judgment model comprises two KNN models: one for the data collected in the first time period of the cycle and one for the data received in the remaining time periods of the cycle; the abnormal condition is judged by combining the two.
The threshold is set according to the mean system abnormal entropy over historical cycles in which a system network anomaly occurred and the mean system abnormal entropy over historical cycles in which none occurred.
Specifically, the threshold is set as a weighted combination of these two means, one weight applying to the mean abnormal entropy of cycles with a system network anomaly and the other to the mean of cycles without one, the two weights satisfying a fixed quantitative relationship.
The invention also provides a network security detection early warning method based on the above system, comprising the following steps: the IoT node device periodically collects data and receives information transmitted by other node devices, processes the collected data and the data received from other nodes and performs anomaly analysis on them; when the analysis result is abnormal, the processed collected data and the processed data received from other nodes are reported to the next node or to an edge server as abnormal information data, and when the analysis result is not abnormal, only an abnormal indication is reported to the next node or the edge server; after the edge server has received the abnormal information data or abnormal indications reported by all nodes, it calculates from the abnormal information data reported by all nodes whether the abnormal entropy of the current system exceeds a threshold and, if so, determines the abnormal level of the system and reports it to an early warning background; and the early warning background issues an early warning according to the received abnormal level of the system.
The IoT node device periodically collects data and receives information transmitted by other node devices: its own data is collected in a first time period of the cycle, and information from other node devices is received in the remaining time periods of the cycle.
When an IoT node device transmits data to another IoT node device, the transmission takes place on the time-frequency resources allocated to the device in advance by the access network.
In the invention, the IoT node device judges the abnormal condition with its built-in network anomaly judgment model before uploading the processed data to the server, which reduces the load on network transmission, lowers network delay, and increases the number of IoT node devices that can be connected.
In the invention, the edge server analyses the abnormal data reported by all nodes in the system to obtain the overall network security level of the system; the two-stage anomaly analysis, at the nodes and at the server, yields reliable early-warning triggering.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description, which proceeds with reference to the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
fig. 1 is a schematic diagram illustrating a method for intelligent network security early warning according to an embodiment of the present invention.
Fig. 2 is a diagram illustrating calculation of abnormal entropy according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a plurality" typically includes at least two.
It should be understood that although the terms first, second, third, etc. may be used to describe … … in embodiments of the present invention, these … … should not be limited to these terms. These terms are used only to distinguish … …. For example, the first … … can also be referred to as the second … … and similarly the second … … can also be referred to as the first … … without departing from the scope of embodiments of the present invention.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The words "if", as used herein, may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (a stated condition or event)" may be interpreted as "upon determining" or "in response to determining" or "upon detecting (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of additional like elements in the article or device in which the element is contained.
Alternative embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The first embodiment, shown in fig. 1, discloses a network security detection early warning method based on the above system. The IoT node device periodically collects data and receives information transmitted by other node devices, processes the collected data and the data received from other nodes and performs anomaly analysis on them; when the analysis result is abnormal, the processed collected data and the processed data received from other nodes are reported to the next node or to an edge server as abnormal information data, and when the analysis result is not abnormal, only an abnormal indication is reported to the next node or the edge server. After the edge server has received the abnormal information data or abnormal indications reported by all nodes, it calculates from the abnormal information data reported by all nodes whether the abnormal entropy of the current system exceeds a threshold and, if so, determines the abnormal level of the system and reports it to an early warning background. The early warning background issues an early warning according to the received abnormal level of the system.
Optionally, to unify the data structure used for model generation, training and judgment, the IoT node device's periodic collection of data and reception of information from other node devices is arranged so that data is collected in a first time period of the cycle and information from other node devices is received in the remaining time periods of the cycle, with the length and position of the first time period fixed in every cycle.
Optionally, when an IoT node device transmits data to another IoT node device, the transmission takes place on the time-frequency resources allocated to the device in advance by the access network. The transmission may run over a sidelink (SL) established by device-to-device (D2D) communication; the sidelink may be configured by the access network device, and the transmission period may be negotiated among the devices in advance or allocated to each device in advance by the base station through scheduling.
In the invention, the IoT node device judges the abnormal condition before uploading the processed data to the server, which reduces the load on network transmission, lowers network delay, and increases the number of IoT node devices that can be connected.
In the invention, the edge server analyses the abnormal data reported by all nodes in the system to obtain the overall network security level of the system; the two-stage anomaly analysis, at the nodes and at the server, yields reliable early-warning triggering.
The second embodiment discloses an intelligent network security early warning system comprising the following network units and their functions. The IoT node device periodically collects data and receives information transmitted by other node devices, processes and analyses the collected data and the data received from other nodes, reports the processed collected data and the processed data received from other nodes to the next node or to an edge server as abnormal information data when the analysis result is abnormal, and reports only an abnormal indication to the next node or the edge server when the analysis result is not abnormal. After the edge server has received the abnormal information data or abnormal indications reported by all nodes, it calculates from the abnormal information data reported by all nodes whether the abnormal entropy of the current system exceeds a threshold and, if so, determines the abnormal level of the system and reports it to the early warning background. The early warning background issues an early warning according to the received abnormal level of the system.
The anomaly analysis that the IoT node device performs on the acquired data and the data received from other nodes uses a network anomaly judgment model built into the node device.
As shown in fig. 2, after calculating that the abnormal entropy of the current system exceeds the threshold, the edge server determines the abnormal level of the system by the following steps:
Wherein the quantities are: the IoT node device that reports network abnormal information to the edge server in the period; the number of hops from that single node to the edge server; the number of data streams received from all other nodes in the cycle; the number of data packets contained in the data stream; the size of the data packet; the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes; the number of other nodes a single node receives from; the data size of the information acquired by a single node in the cycle; the normal data volume of the part of the cycle allocated to data collection; the number of unmatched (network layer address, data link layer address) pairs detected in the data transmitted by a given other node; the number of unmatched (network layer address, port number) pairs detected in the data transmitted by a given other node; and the number of unmatched (data link layer address, port number) pairs detected in the data transmitted by a given other node;
Step two: the edge server calculates the abnormal entropy of the current system, where the count entering the calculation is the number of abnormal information reports the edge server has received from the node devices;
Step three: the edge server judges whether the abnormal entropy of the current system is greater than the threshold;
Step five: compare the result with the abnormal level intervals to determine the current abnormal level of the system.
Optionally, to unify the data structure used for model generation, training and judgment, the IoT node device's periodic collection of data and reception of information from other node devices is arranged so that data is collected in a first time period of the cycle and information from other node devices is received in the remaining time periods of the cycle, with the length and position of the first time period fixed in every cycle.
Processing of the collected data and of the data received from other nodes by the IoT node device yields the following quantities: the number of data streams received from all other nodes in the node's cycle; the number of data packets contained in each data stream; the size of the data packets; the maximum amount of data that can be received in the part of the cycle allocated to receiving data from other nodes; the number of other nodes a single node receives from; the data size of the information collected by a single node in the cycle; the normal data volume of the part of the cycle allocated to data collection; and, for the data transmitted by a given other node, the number of unmatched (network layer address, data link layer address) pairs, the number of unmatched (network layer address, port number) pairs and the number of unmatched (data link layer address, port number) pairs detected. The IoT node device sends the processed data to the edge server directly or via intermediate nodes; once the edge server has received all abnormal data or abnormal indications, it calculates the system abnormal entropy according to the system abnormal entropy calculation method and compares it with the threshold to determine the abnormal level.
In a certain embodiment, the anomaly analysis the IoT node device performs on the collected data and the data received from other nodes uses a built-in network anomaly judgment model. That model is trained on historical network data covering at least every device in the system; the historical data are stored per device and per historical cycle, separately for the data collected and the data received, and are used as the training input of a KNN model to obtain the network anomaly judgment model of a single device.
In one embodiment, the network anomaly judgment model comprises two KNN models: one for the data collected in the first time period of the cycle and one for the data received in the remaining time periods of the cycle; the two are combined to judge the abnormal condition.
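As an added illustration (not the patent's own code), the following Python sketches the node side of the two-model scheme described above: it derives the per-cycle quantities listed in the description (stream count, packet count, received volume against the allowed maximum, number of peers, and the three address-consistency mismatch counts for the reception periods; collected volume against the normal volume for the first time period), trains one plain k-nearest-neighbour classifier on each kind of feature from constructed historical cycles, and builds the report sent towards the edge server: the processed quantities when a model flags the cycle, otherwise only an indication. The binding table of expected IP/MAC/port per peer, the feature layout, the ratio features, the training cycles and the OR rule for combining the two models are assumptions of this example, not details from the page.

```python
"""Node side of the scheme: per-cycle quantities, two KNN models, the report.
Added example, not the patent's code. The peer binding table, the feature layout,
the constructed training cycles, the ratio features and the OR rule are assumptions."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:  # one packet received from a peer during the reception periods
    src_ip: str
    src_mac: str
    src_port: int
    size: int


# Assumed bindings: the IP address, MAC address and port each peer is expected to use.
EXPECTED = {"10.0.0.2": ("aa:aa:aa:aa:aa:02", 5002),
            "10.0.0.3": ("aa:aa:aa:aa:aa:03", 5003),
            "10.0.0.4": ("aa:aa:aa:aa:aa:04", 5004)}
MAC_TO_PORT = {mac: port for mac, port in EXPECTED.values()}
MAX_RECV_BYTES = 10_000   # allowed volume in the reception periods of a cycle
NORMAL_BYTES = 1_000      # normal volume of the collection period of a cycle


def mismatch_counts(packets):
    """The three consistency counts from the description: distinct (IP, MAC),
    (IP, port) and (MAC, port) pairs that disagree with the bindings."""
    ip_mac, ip_port, mac_port = set(), set(), set()
    for p in packets:
        exp = EXPECTED.get(p.src_ip)
        if exp is not None:
            if exp[0] != p.src_mac:
                ip_mac.add((p.src_ip, p.src_mac))
            if exp[1] != p.src_port:
                ip_port.add((p.src_ip, p.src_port))
        port = MAC_TO_PORT.get(p.src_mac)
        if port is not None and port != p.src_port:
            mac_port.add((p.src_mac, p.src_port))
    return len(ip_mac), len(ip_port), len(mac_port)


def receive_features(packets):
    """Reception periods: stream count, packet count, received bytes relative
    to the allowed maximum, number of peers, and the three mismatch counts."""
    streams = {(p.src_ip, p.src_mac, p.src_port) for p in packets}
    load = sum(p.size for p in packets) / MAX_RECV_BYTES
    peers = {p.src_ip for p in packets}
    return [len(streams), len(packets), load, len(peers), *mismatch_counts(packets)]


def collect_features(collected_bytes):
    """Collection period: collected volume relative to the normal volume."""
    return [collected_bytes / NORMAL_BYTES]


class Knn:
    """Plain k-nearest-neighbour majority vote on min-max scaled features."""
    def __init__(self, samples, k=3):
        self.k = k
        self.scaler = [(min(c), max(c)) for c in zip(*(f for f, _ in samples))]
        self.samples = [(self.scale(f), y) for f, y in samples]

    def scale(self, x):
        return [(v - lo) / (hi - lo) if hi > lo else 0.0
                for v, (lo, hi) in zip(x, self.scaler)]

    def predict(self, x):
        x = self.scale(x)
        nearest = sorted(self.samples, key=lambda s: math.dist(s[0], x))[:self.k]
        return int(2 * sum(y for _, y in nearest) > self.k)


# Constructed history of one node (label 1 = abnormal): floods, spoofing, odd collection volumes.
RECEIVE_HISTORY = [
    ([3, 30, 0.30, 3, 0, 0, 0], 0), ([3, 28, 0.28, 3, 0, 0, 0], 0),
    ([3, 33, 0.35, 3, 0, 0, 0], 0), ([2, 20, 0.20, 2, 0, 0, 0], 0),
    ([6, 120, 0.95, 3, 0, 0, 0], 1), ([4, 100, 0.95, 3, 0, 0, 0], 1),
    ([3, 80, 0.85, 3, 0, 0, 0], 1), ([4, 40, 0.40, 3, 1, 1, 0], 1),
    ([4, 36, 0.36, 3, 1, 0, 0], 1), ([3, 32, 0.32, 3, 1, 0, 0], 1),
    ([3, 30, 0.30, 3, 0, 1, 1], 1), ([5, 90, 0.90, 4, 2, 0, 2], 1)]
COLLECT_HISTORY = [([0.95], 0), ([1.0], 0), ([1.05], 0), ([0.98], 0),
                   ([1.9], 1), ([2.4], 1), ([0.2], 1), ([3.0], 1)]
MODELS = {"collect": Knn(COLLECT_HISTORY), "receive": Knn(RECEIVE_HISTORY)}


def analyse(node_id, hops, collected_bytes, packets):
    """Built-in judgment model: report the processed quantities to the next hop or
    the edge server when either KNN flags the cycle (assumed OR), else only an indication."""
    c, r = collect_features(collected_bytes), receive_features(packets)
    abnormal = bool(MODELS["collect"].predict(c) or MODELS["receive"].predict(r))
    report = {"node": node_id, "hops": hops, "abnormal": abnormal}
    if abnormal:
        report.update(collect=c, receive=r)
    return report


def peer_traffic(n, size=100):  # constructed well-formed traffic from every bound peer
    return [Packet(ip, m, p, size) for ip, (m, p) in EXPECTED.items() for _ in range(n)]
```

With these constants, `analyse("node-7", 2, 1_000, peer_traffic(10))` yields a bare indication, while adding five packets that claim 10.0.0.2 from an unbound MAC, flooding the reception periods with `peer_traffic(32)`, or collecting 2_500 bytes instead of the normal 1_000 all produce a full report. The mismatch counts are per distinct address pair rather than per packet, so a single spoofing peer contributes one unit however many packets it sends; whether that or a per-packet count fits the deployment is a modelling choice the page leaves open.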
In a certain embodiment, the threshold is set according to the mean system abnormal entropy over historical cycles in which a system network anomaly occurred and the mean system abnormal entropy over historical cycles in which none occurred.
In a certain embodiment, the threshold is set as a weighted combination of these two means, one weight applying to the mean abnormal entropy of cycles with a system network anomaly and the other to the mean of cycles without one, the two weights satisfying a fixed quantitative relationship. For example, the two weights can be set to 0.6 and 0.4 respectively. The network administrator can also set different weights for different edge-server management areas, to meet the differing security requirements of different systems.
In one embodiment, the abnormal level intervals may be determined from historical system abnormal entropies whose levels have already been determined.
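The edge-server side, again as an added example rather than the patent's code: the threshold is the weighted combination of the two historical means using the 0.6/0.4 weights given above, the level boundaries are derived from historical cycles whose level is already known, and the server evaluates a cycle only once every registered node has delivered either abnormal data or an indication. The per-cycle abnormal entropy value is an input to `evaluate` (its computation is outside this example); the history, the node reports, the midpoint construction of the intervals and the requirement that the two weights sum to 1 are assumptions.

```python
"""Edge-server side: threshold from the two historical means, level intervals
from graded history, grading of the current cycle. Added example, not the
patent's code; the history, the node reports, the midpoint construction of the
intervals and the weights-sum-to-1 rule are assumed; 0.6/0.4 are the page's values."""
from bisect import bisect_right
from statistics import mean

# Constructed history of past cycles: (abnormal entropy, whether a system
# network anomaly actually occurred, level assigned to that cycle; 0 = none).
HISTORY = [(0.8, False, 0), (1.1, False, 0), (0.9, False, 0), (1.2, False, 0),
           (2.0, True, 1), (2.4, True, 1), (3.1, True, 2), (3.5, True, 2),
           (4.6, True, 3), (5.4, True, 3)]


def set_threshold(history, w_abnormal=0.6, w_normal=0.4):
    """Threshold = w_abnormal * mean entropy of cycles with a network anomaly
    + w_normal * mean entropy of cycles without one (assumed: weights sum to 1)."""
    if abs(w_abnormal + w_normal - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    with_anomaly = [e for e, had_anomaly, _ in history if had_anomaly]
    without = [e for e, had_anomaly, _ in history if not had_anomaly]
    return w_abnormal * mean(with_anomaly) + w_normal * mean(without)


def level_intervals(history):
    """Level boundaries from cycles whose level is already known: the boundary
    between consecutive levels is the midpoint between the highest entropy graded
    at the lower level and the lowest graded at the upper one (assumed construction).
    Overlapping levels in the history are a data error, not something to guess over."""
    by_level = {}
    for e, had_anomaly, level in history:
        if had_anomaly:
            by_level.setdefault(level, []).append(e)
    levels = sorted(by_level)
    bounds = []
    for lower, upper in zip(levels, levels[1:]):
        top, bottom = max(by_level[lower]), min(by_level[upper])
        if top >= bottom:
            raise ValueError(f"levels {lower} and {upper} overlap in history")
        bounds.append((top + bottom) / 2)
    return levels, bounds


def grade(entropy, levels, bounds):
    """Map an entropy above the threshold to the level whose interval contains it."""
    return levels[bisect_right(bounds, entropy)]


class EdgeServer:
    def __init__(self, node_ids, history):
        self.node_ids = set(node_ids)
        self.threshold = set_threshold(history)
        self.levels, self.bounds = level_intervals(history)
        self.reports = {}

    def receive(self, report):
        """Keep the latest report per node: full abnormal data or a bare indication."""
        self.reports[report["node"]] = report

    def evaluate(self, entropy):
        """Run once every node has reported; returns the message for the
        early-warning background, or None while reports are still missing.
        A deployment would add a timeout so that a node that never reports
        counts as abnormal instead of stalling the whole cycle."""
        if self.node_ids - set(self.reports):
            return None
        n_abnormal = sum(1 for r in self.reports.values() if r["abnormal"])
        self.reports = {}
        message = {"entropy": entropy, "abnormal_reports": n_abnormal,
                   "alert": entropy > self.threshold}
        if message["alert"]:
            message["level"] = grade(entropy, self.levels, self.bounds)
        return message


if __name__ == "__main__":
    server = EdgeServer(["n1", "n2", "n3"], HISTORY)
    print(server.threshold)                     # 0.6 * 3.5 + 0.4 * 1.0 = 2.5
    for rep in ({"node": "n1", "hops": 1, "abnormal": False},
                {"node": "n2", "hops": 2, "abnormal": True, "collect": [1.0],
                 "receive": [4, 35, 0.35, 3, 1, 0, 0]},
                {"node": "n3", "hops": 1, "abnormal": False}):
        server.receive(rep)
    print(server.evaluate(3.0))                 # alert with level 2
```

With the constructed history the threshold comes out at 2.5 and the level boundaries at 2.75 and 4.05, so an entropy of 3.0 is reported to the background as level 2 and an entropy of 2.0 produces no alert. Raising the 0.6 weight moves the threshold towards the anomalous mean and makes the server less sensitive, which is the knob the description leaves to the administrator per management area.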
The disclosed embodiments provide a plurality of network elements including a communication node, a server, and a background, where each network element includes a non-volatile computer storage medium, where the computer storage medium stores computer-executable instructions that may perform the method steps described in the above embodiments.
In the invention, the IoT node device judges the abnormal condition before uploading the processed data to the server, which reduces the load on network transmission, lowers network delay, and increases the number of IoT node devices that can be connected.
In the invention, the edge server analyses the abnormal data reported by all nodes in the system to obtain the overall network security level of the system; the two-stage anomaly analysis, at the nodes and at the server, yields reliable early-warning triggering.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The name of a unit does not, in some cases, constitute a limitation on the unit itself.
The foregoing describes preferred embodiments of the present invention, and is intended to make the spirit and scope of the present invention clear and understandable, but not to limit the present invention, and modifications, substitutions and improvements made within the spirit and principle of the present invention are included in the scope of the present invention as outlined by the appended claims.
Claims (10)
1. An intelligent network security detection early warning system, the system comprising:
the node equipment of the Internet of things periodically collects data and receives information transmitted by other node equipment, processes and analyzes the collected data and the data received from other nodes, reports the processed collected data information and the processed data received from other nodes to a next node or an edge server as abnormal information data when an analysis result is abnormal, and reports abnormal indication information to the next node or the edge server when the analysis result is abnormal; the edge server calculates whether the abnormal entropy of the current system exceeds a threshold value according to the abnormal information data reported by each node after receiving the abnormal information data or the abnormal indication information, if so, the edge server determines the abnormal grade of the system and reports the abnormal grade of the system to the early warning background; the early warning background carries out early warning according to the received abnormal grade of the system; the node equipment of the Internet of things performs anomaly analysis on the acquired data and the data received from other nodes, and the anomaly analysis includes that a network anomaly judgment model is built in the node equipment of the Internet of things to perform anomaly analysis on the acquired data and the data received from other nodes; the method comprises the following steps that after the edge server calculates that the abnormal entropy of the current system exceeds a threshold value, the abnormal level of the system is judged, and the method comprises the following steps:
wherein the symbols denote, in order: the node device of the Internet of Things that reports network abnormal information to the edge server in the period; the number of hops from the single node to the edge server; the number of data streams received from all other nodes in a cycle; the number of data packets contained in a data stream; the size of a data packet; the maximum amount of data that can be received in the time period of the cycle allocated to receiving data from other nodes; the number of other nodes received by a single node; the data size of the acquired information obtained in a single node cycle; the normal data size for the time period of the cycle allocated to data acquisition; the number of unmatched address pairs of network layer address and data link layer address detected in the data transmitted by a given other node; the number of unmatched pairs of network layer address and port number detected in the data transmitted by that other node; and the number of unmatched pairs of data link layer address and port number detected in the data transmitted by that other node;
step two: the edge server calculates the abnormal entropy of the current system, wherein the further symbol denotes the number of pieces of abnormal information reported by the node devices and received by the edge server;
step three: the edge server judges whether the abnormal entropy of the current system is greater than the threshold value.
2. The intelligent network security detection and early warning system of claim 1, wherein the node devices of the internet of things periodically collect data and receive information transmitted by other node devices, including collecting data in a first time period of the period and receiving information transmitted by other node devices in other time periods outside the first time period of the period.
3. The intelligent network security detection and early warning system as claimed in claim 1, wherein the processing, by the node device of the Internet of Things, of the collected data and the data received from other nodes includes obtaining: the number of data streams received by the node device of the Internet of Things from all other nodes in the period; the number of data packets contained in said data stream; the size of the data packet; the maximum amount of data that can be received in the time period of the cycle allocated to receiving data from other nodes; the number of other nodes received by a single node; the data size of the acquisition information obtained in a single node cycle; the normal data size for the time period of the cycle allocated to data acquisition; the number of unmatched address pairs of network layer address and data link layer address detected in the data transmitted by a given other node; the number of unmatched pairs of network layer address and port number detected in the data transmitted by that other node; and the number of unmatched pairs of data link layer address and port number detected in the data transmitted by that other node.
4. The intelligent network security detection and early warning system according to claim 1, wherein the abnormality analysis of the collected data and the data received from other nodes by the node device of the internet of things comprises the abnormality analysis of the collected data and the data received from other nodes by the node device of the internet of things according to a built-in network abnormality judgment model, the network abnormality judgment model is trained according to historical network data of at least each device of the system, the historical network data is stored according to the data collected and received in each device historical period, and the historical network data is trained as input data of a KNN model to obtain a network abnormality judgment model of a single device.
5. The intelligent network security detection and early warning system of claim 1, wherein the network anomaly judgment model comprises two KNN models, which respectively correspond to the KNN model for the first time period of data acquisition and the KNN model for the data received in the first time period of the cycle, and the abnormal conditions are judged by using the combination of the two models.
6. The intelligent network security detection and pre-warning system of claim 1, wherein the threshold value is set according to the mean value of the system abnormal entropy when a system network abnormality occurred in the system historical data and the mean value of the system abnormal entropy when no system network abnormality occurred in the system historical data.
7. The intelligent network security detection and pre-warning system of claim 6, wherein the threshold value is set by a formula in which two weights correspond respectively to the mean value of the system abnormal entropy with a system network abnormality in the system historical data and to the mean value of the system abnormal entropy without a system network abnormality in the system historical data, and the two weights satisfy a quantitative relationship.
8. The network security detection and early warning method of the intelligent security detection and early warning system of any one of claims 1 to 7, the method comprising: the node devices of the Internet of Things periodically collect data and receive information transmitted by other node devices, process the collected data and the data received from other nodes and analyze them for abnormality, report the processed collected data information and the processed data received from other nodes to a next node or an edge server as abnormal information data when the analysis result is abnormal, and report abnormal indication information to the next node or the edge server when the analysis result is abnormal; after the edge server receives the abnormal information data or the abnormal indication information reported by all nodes, the edge server calculates, according to the abnormal information data reported by all nodes, whether the abnormal entropy of the current system exceeds a threshold value and, if so, determines the abnormal level of the system and reports the abnormal level of the system to an early warning background; and the early warning background issues an early warning according to the received abnormal level of the system.
9. The network security detection and early warning method of the intelligent security detection and early warning system according to any one of claims 1 to 7, wherein the node devices of the internet of things periodically collect data and receive information transmitted by other node devices, including collecting data in a first time period of the period and receiving information transmitted by other node devices in other time periods except the first time period of the period.
10. The network security detection and early warning method of the intelligent security detection and early warning system of any one of claims 1 to 7, wherein when the node device of the internet of things transmits data to another node device of the internet of things, the access network transmits data on the time-frequency resources allocated to the device pairs in advance.
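The two-tier flow of claims 1 to 7 (node-side KNN judgment on claim-3 style features, edge-side abnormal entropy compared against a threshold built from historical means, then a system level for the early warning background) as an added example in Python; this is not the patent's own code. The page does not carry the step-one formula, the entropy definition, the weight relationship or the level grading, so those parts, the KNN radius, the feature scaling and all sample data are assumptions marked in the comments.

```python
import math
from collections import defaultdict
def node_features(records):
    """Claim-3 style features for one cycle of data received from other nodes.
    A record is (stream_id, n_packets, pkt_size, net_addr, link_addr, port); the
    mismatch counters flag bindings that differ from the first one seen in the cycle."""
    streams, packets, nbytes = set(), 0, 0
    seen = {"net_link": {}, "net_port": {}, "link_port": {}}
    mismatch = dict.fromkeys(seen, 0)
    for sid, n_pkts, size, net, link, port in records:
        streams.add(sid)
        packets, nbytes = packets + n_pkts, nbytes + n_pkts * size
        for key, a, b in (("net_link", net, link), ("net_port", net, port),
                          ("link_port", link, port)):
            if seen[key].setdefault(a, b) != b:  # e.g. one IP from two MACs
                mismatch[key] += 1
    return [len(streams), packets, nbytes, mismatch["net_link"],
            mismatch["net_port"], mismatch["link_port"]]

def knn_abnormal(history, x, k=2, radius=1.5):
    """Assumed form of the node's KNN model: x is abnormal when its k-th nearest
    historical vector lies beyond `radius` (dimensions scaled by their history mean)."""
    scale = [max(sum(h[d] for h in history) / len(history), 1.0) for d in range(len(x))]
    xs = [v / s for v, s in zip(x, scale)]
    dists = sorted(math.dist([v / s for v, s in zip(h, scale)], xs) for h in history)
    return dists[min(k, len(dists)) - 1] > radius

def abnormal_entropy(reports):
    """Assumed system abnormal entropy: Shannon entropy (bits) of how the cycle's
    abnormal reports spread over nodes, each weighted by 1/hops; 0.0 if none."""
    weight = defaultdict(float)
    for node_id, hops in reports:
        weight[node_id] += 1.0 / hops
    total = sum(weight.values())
    if not total:
        return 0.0
    return -sum(w / total * math.log2(w / total) for w in weight.values())

def threshold(mean_abnormal, mean_normal, w_abnormal=0.5):
    """Claim 6/7 style threshold; the two weights summing to 1 is an assumption."""
    return w_abnormal * mean_abnormal + (1.0 - w_abnormal) * mean_normal

def system_level(entropy, thr):
    """Assumed grading: 0 = no warning, else 1..3 by excess (bits) over threshold."""
    return 0 if entropy <= thr else min(3, 1 + int((entropy - thr) / 0.5))

def run_cycle(node_cycles, history, hops, mean_abnormal, mean_normal):
    """Nodes judge locally and report only abnormal cycles; the edge server grades."""
    reports = [(nid, hops[nid]) for nid, recs in node_cycles.items()
               if knn_abnormal(history, node_features(recs))]
    h = abnormal_entropy(reports)
    return reports, h, system_level(h, threshold(mean_abnormal, mean_normal))

# Constructed sample data: four normal history cycles, one clean cycle, and one
# cycle in which 10.0.0.7 suddenly arrives from a second link-layer address.
HISTORY = [[3, 30, 6000, 0, 0, 0], [4, 32, 6400, 0, 0, 0],
           [3, 28, 5600, 0, 0, 0], [4, 34, 6800, 0, 0, 0]]
NORMAL_CYCLE = [("s1", 10, 200, "10.0.0.5", "aa:01", 5683),
                ("s2", 11, 200, "10.0.0.7", "aa:02", 5683),
                ("s3", 9, 200, "10.0.0.9", "aa:03", 5683)]
SPOOFED_CYCLE = [("s1", 10, 200, "10.0.0.5", "aa:01", 5683),
                 ("s2", 12, 200, "10.0.0.7", "aa:02", 5683),
                 ("s3", 11, 200, "10.0.0.7", "bb:99", 5683),
                 ("s4", 9, 200, "10.0.0.7", "bb:99", 9999)]
```

With four of five nodes fed the spoofed cycle and historical means of 2.0 and 0.4 bits, `run_cycle` reports the four nodes, an entropy of about 1.92 bits and level 2.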
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210955318.XA CN115038088B (en) | 2022-08-10 | 2022-08-10 | Intelligent network security detection early warning system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115038088A true CN115038088A (en) | 2022-09-09 |
CN115038088B CN115038088B (en) | 2022-11-08 |
Family
ID=83130530
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210955318.XA Active CN115038088B (en) | 2022-08-10 | 2022-08-10 | Intelligent network security detection early warning system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115038088B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100150008A1 (en) * | 2007-03-08 | 2010-06-17 | Seon Gyoung Sohn | Apparatus and method for displaying state of network |
US20150341376A1 (en) * | 2014-05-26 | 2015-11-26 | Solana Networks Inc. | Detection of anomaly in network flow data |
CN104660464A (en) * | 2015-01-22 | 2015-05-27 | 贵州电网公司信息通信分公司 | Network anomaly detection method based on non-extensive entropy |
CN109951420A (en) * | 2017-12-20 | 2019-06-28 | 广东电网有限责任公司电力调度控制中心 | A kind of multistage flow method for detecting abnormality based on entropy and dynamic linear relationship |
CN111935172A (en) * | 2020-08-25 | 2020-11-13 | 珠海市一知安全科技有限公司 | Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium |
CN112788066A (en) * | 2021-02-26 | 2021-05-11 | 中南大学 | Abnormal flow detection method and system for Internet of things equipment and storage medium |
Non-Patent Citations (2)
Title |
---|
GUAN WU et al.: "Gyro anomaly detection method based on information entropy", 2021 Global Reliability and Prognostics and Health Management (PHM-Nanjing) * |
孙海丽 et al.: "A survey of anomaly detection techniques for the Industrial Internet of Things", Journal on Communications * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115695032A (en) * | 2022-11-07 | 2023-02-03 | 广东网安科技有限公司 | Network security detection system |
CN115695032B (en) * | 2022-11-07 | 2023-05-30 | 广东网安科技有限公司 | Network security detection system |
CN116614319A (en) * | 2023-07-20 | 2023-08-18 | 河北神玥软件科技股份有限公司 | Network security control method based on big data and artificial intelligence |
CN116614319B (en) * | 2023-07-20 | 2023-10-03 | 河北神玥软件科技股份有限公司 | Network security control method based on big data and artificial intelligence |
Also Published As
Publication number | Publication date |
---|---|
CN115038088B (en) | 2022-11-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |