CN115119209A - Real-time intelligent attack method based on integration strategy for RPL network - Google Patents


Publication number
CN115119209A
Authority
CN
China
Prior art keywords
attack
network
rpl
real
attacks
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210754200.0A
Other languages
Chinese (zh)
Inventor
周瀚阁
马慧
宿浩
张赟
张静
李婉青
姜雪娜
闫雅彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ocean University of China
Original Assignee
Ocean University of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/06 Testing, supervising or monitoring using simulated traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a real-time intelligent attack method based on an integration strategy for RPL networks, comprising the following steps: first, a model is trained offline using a Bi-LSTM combined with an attention mechanism; second, the trained model is deployed to an online real-time RPL network environment, where network traffic is continuously sniffed as model input; third, the model outputs weights for nine attacks and one non-attack behavior, and whether to attack at the current moment is decided according to the weights; fourth, if attack is selected, the attack is carried out based on a time window, and after it finishes the method returns to sniffing and starts a new iteration. The attack model designed by the invention shows a stronger attack effect both when the network is undefended and when it is defended, and shows resistance to intrusion detection systems: the attack effect remains close to 70% under three defense mechanisms.

Description

Real-time intelligent attack method based on integration strategy for RPL network
Technical Field
The invention belongs to the technical field of intelligent Internet of things, and particularly relates to a real-time intelligent attack method based on an integration strategy for an RPL network.
Background
Internet of Things (IoT) security has become a key research area in recent years. Because IoT devices are resource-constrained and IoT networks are heterogeneous, the IoT faces a series of security risks and attacks. For example, in the 2016 Mirai attack, a hacker used IoT devices such as network surveillance cameras, home routers and smart refrigerators to launch a large distributed denial-of-service (DDoS) attack, and 600,000 vulnerable IoT devices were affected.
In the IoT field, networks are built on a number of network protocols. Among them, the Routing Protocol for Low-Power and Lossy Networks (RPL) is a protocol based on 802.15.4 that is designed specifically for communication in resource-constrained wireless sensor networks and is widely used in the Internet of Things. Because of the functional complexity of its control messages and the vulnerability of the DODAG network topology it builds, the RPL protocol exposes RPL networks to a series of attacks. These include not only traditional attacks inherited from Wireless Sensor Networks, such as the blackhole attack and the wormhole attack, but also attacks that specifically target weaknesses of the RPL protocol, such as the rank attack and the version number attack.
In a blackhole attack, a malicious node discards all the data packets it receives instead of forwarding them, so the packets disappear as if into a black hole. In a wormhole attack, attackers communicate with each other through a tunnel over an out-of-band channel: attacker A passes the data packets sent by its surrounding neighbors directly through the tunnel to a distant attacker B, so that the neighbors of attacker A and the neighbors of attacker B mistakenly believe they are close to each other and update their routing tables with wrong information. The rank attack exploits the structure of an RPL network, in which a node with a smaller rank value is always closer to the root node, and data packets sent by child nodes with larger rank values are forwarded by parent nodes with smaller rank values. An attacker can therefore forge its own rank value and set it very small, so that a large number of child nodes below select it as their parent; the packets it collects can then be tampered with or discarded, which harms the network's end-to-end delay, network load and packet delivery. The version number attack exploits another RPL mechanism, global repair: when the network topology needs to change, or a new node needs to join and the topology has to be rebuilt, the root node increments the network version number by one, places the new version number in a control message and broadcasts it; after receiving the new version number, all child nodes reset their state, that is, they take part in building the network topology again.
Generally, attacks against RPL can be classified into three categories according to the attack target: attacks against network traffic, attacks against network topology and attacks against network resources, as shown in fig. 1. These attacks are called single-target attacks because each damages only one characteristic of the network. Although some of them can be integrated into a hybrid attack, the number of single attacks that current hybrid attacks integrate is limited, and both the integration method and the choice of single-target attacks rest on the attacker's experience and do not take the real-time state of the RPL network into account. The attack effect is therefore not prominent, and, like single-target attacks, hybrid attacks are easily detected by an Intrusion Detection System (IDS).
Meanwhile, current RPL defense mechanisms fall into two major categories: defense mechanisms embedded in the protocol, and specially developed external defense architectures. The RPL protocol itself specifies some security methods, such as error-correcting coding at the data link layer, a timeout retransmission mechanism, and three modes provided by RPL: unsecured mode (Unsecured Mode), preinstalled mode (Preinstalled Mode) and authenticated mode (Authenticated Mode). The preinstalled mode provides a symmetric key for encrypted data communication, and the authenticated mode uses a more complex encryption scheme. To prevent replay attacks in the network, the RPL protocol also provides a Consistency Check (CC) mechanism; however, the CC mechanism is not enabled by default, because it requires extra information in the packet header and so increases network load. By default, implementations of the RPL protocol do not enable the latter two secure modes and work only in the unsecured mode, because the RSA encryption algorithm, the SHA-256 algorithm and the data signatures that those two modes rely on consume a large amount of device resources, which does not suit the devices with limited computing power and storage found in RPL networks. As for specially deployed external defense architectures, the current mainstream architectures are distributed, hybrid and centralized-decision types. Defense mechanisms such as SVELTE and INTI each detect and defend against specific attacks and severely reduce the effect of those attacks, but these mechanisms still have a serious problem: their generalization capability is weak. Each defense architecture defends against only one or a few specific attacks, and generalization to other attacks or to attacks with novel characteristics is not considered.
Although current defenses such as SVELTE, INTI and Real-Time IDS claim in their papers to generalize to defending against other attacks, no specific experimental proof is given. Thus, as in most security domains, attack and defense in RPL networks have evolved together through constant confrontation.
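The rank and version number behaviors described in this Background imply two invariants a monitor can check: only the root announces a new version number, and a node's rank is larger than its parent's. The following added example (not part of the patent) applies both checks to constructed per-node reports; the `Report` record, the node names and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Report:
    """One observation a monitor holds about a node (constructed record, assumption)."""
    t: float               # observation time in seconds
    node: str              # reporting node id
    version: int           # DODAG version number the node advertises
    rank: int              # rank the node advertises
    parent: Optional[str]  # preferred parent, None for the root


def check_reports(reports, root="root"):
    """Return (time, node, finding) tuples for reports that break the two invariants.

    Assumption: version numbers are compared as plain integers, so counter
    wrap-around is not handled in this short observation period.
    """
    root_version = None  # highest version the root itself has announced
    trusted_rank = {}    # node -> last advertised rank that passed the checks
    alerts = []
    for r in sorted(reports, key=lambda x: x.t):
        findings = []
        if r.node == root:
            if root_version is None or r.version > root_version:
                root_version = r.version
        else:
            # Only the root may move the network to a new version.
            if root_version is not None and r.version > root_version:
                findings.append("version_ahead_of_root")
            # A child must advertise a larger rank than its preferred parent.
            parent_rank = trusted_rank.get(r.parent)
            if parent_rank is not None and r.rank <= parent_rank:
                findings.append("rank_not_above_parent")
        if findings:
            alerts.extend((r.t, r.node, f) for f in findings)
        else:
            trusted_rank[r.node] = r.rank  # learn state only from clean reports
    return alerts


# Constructed sample: a four-node chain, then two inconsistent reports,
# then a legitimate version increase announced by the root.
SAMPLE = [
    Report(0.0, "root", 1, 256, None),
    Report(1.0, "n1", 1, 512, "root"),
    Report(2.0, "n2", 1, 768, "n1"),
    Report(3.0, "n3", 1, 1024, "n2"),
    Report(10.0, "n3", 1, 300, "n2"),   # rank below its parent's rank
    Report(12.0, "n2", 2, 768, "n1"),   # new version not announced by the root
    Report(20.0, "root", 2, 256, None),
    Report(21.0, "n1", 2, 512, "root"),
]

if __name__ == "__main__":
    for alert in check_reports(SAMPLE):
        print(alert)
```
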
Disclosure of Invention
The invention aims to provide a real-time intelligent attack method based on an integration strategy for RPL networks. It uses network transaction data collected under nine kinds of attacks and under an IDS to train, offline, a model based on a Bi-LSTM framework and an Attention mechanism. After the model is deployed in an online real-time RPL network environment, its main task is to decide, from the current traffic, whether to attack and what weight each kind of attack receives; when an attack finishes, iteration continues, so that in each time period a specific attack is generated according to the state of the network at that time.
To solve the problems in the prior art, the invention adopts the following technical scheme:
A real-time intelligent attack method based on an integration strategy for an RPL network comprises the following steps:
S1: Data collection: collect network transaction data of the RPL network under nine attacks and network transaction data when the network deploys intrusion detection defense, preprocess the data, and then select, through feature engineering, the features that are highly related to the network state;
S2: Model training: considering the time-series characteristics of network data, construct a training model by combining a bidirectional LSTM framework with an Attention mechanism, and input the preprocessed data into the model for training;
S3: Building the network environment: an RPL network simulation environment is built on ContikiOS 3.0 and the Cooja simulation software. Simulated nodes use the MSPsim tool to emulate real sensor hardware and run the same binary code as the real hardware. The Z1 node in Cooja is used as the wireless sensor node for communication; it provides an ultra-low-power controller based on the MSP430 architecture and a CC2420 radio transceiver operating at 2.4 GHz. The Cooja plug-in Powertrace is used to help track and analyze the energy consumption of the devices;
S4: Attack flow: the trained model is deployed into the simulation environment and takes sniffed real-time network traffic as input, which passes through a Bi-LSTM layer, an attention layer and a fully connected layer. The model finally outputs, as weights, the classification probabilities of nine kinds of attack and one non-attack choice, where the weights are transformed by Softmax:
Figure BDA0003719196650000051
Therefore, when the non-attack weight is greater than or equal to 0.5, an IDS defense may exist in the current network environment and attacking is not suitable; otherwise, when the sum of the weights of the nine attacks is greater than 0.5, the attack is carried out based on the time window, and iteration continues after the attack finishes until the attack succeeds. The time-window-based attack is expressed as follows:
Figure BDA0003719196650000052
where window_size is set to 100 seconds by default and $w_i$ is the weight of each attack output by the model; that is, the final attack duration is the size of one time window, and the attack strategies within the window are launched in descending order of their allocated attack time;
S5: Attack effect evaluation: the attack strategy is compared with other single-target attacks and with three mixed attacks, both when the RPL network is undefended and when it is defended, and the damage the attacks cause to the network is measured in four respects: packet delivery rate, average end-to-end delay, network load and network energy consumption.
The Attention mechanism in step S2 is calculated in the additive manner, specifically as follows:
Figure BDA0003719196650000053
Figure BDA0003719196650000054
In step S2, after the model is constructed it needs to be evaluated; the model evaluation uses accuracy and F1-score:
Figure BDA0003719196650000061
Figure BDA0003719196650000062
In step S4, when performing model simulation, the current traffic input must be given:
Figure BDA0003719196650000063
The encoder learns a mapping function $h_t = F(h_{t-1}, x_t)$, where the function $F$ is an LSTM unit. Each LSTM unit records the state $s_t$ at the current time $t$ and has three gating functions: the input gate $i_t$, the output gate $o_t$ and the forget gate $f_t$. The principle of each gating unit is as follows:
$$f_t = \sigma(W_f[h_{t-1}; x_t] + b_f)$$
$$i_t = \sigma(W_i[h_{t-1}; x_t] + b_i)$$
$$o_t = \sigma(W_o[h_{t-1}; x_t] + b_o)$$
$$s_t = f_t \odot s_{t-1} + i_t \odot \tanh(W_s[h_{t-1}; x_t] + b_s)$$
$$h_t = o_t \odot \tanh(s_t)$$
Whether the attack in step S4 has succeeded is determined as follows: the current network state is judged; if the network is detected to be paralyzed because the RPL network load is too heavy, the overall goal has been achieved and the attack stops; otherwise the malicious characteristics are hidden and sniffing continues while waiting for a suitable attack opportunity.
In step S5, the packet delivery rate is calculated by the ratio of all packets received by the root node to the total amount of packets sent by all other N child nodes, and the specific calculation formula is as follows:
Figure BDA0003719196650000064
The calculation formula of the average end-to-end delay in step S5 is as follows:
Figure BDA0003719196650000071
wherein
Figure BDA0003719196650000076
and N is the total number of data packets received by the root node from the child nodes.
The calculation formula of the network load in step S5 is as follows:
Figure BDA0003719196650000072
where
Figure BDA0003719196650000073
is the control data packet sent by the ith node, and N is the number of all nodes in the network.
The calculation formula of the network energy consumption in step S5 is as follows:
Figure BDA0003719196650000074
where
Figure BDA0003719196650000075
represent the energy consumed by node i in data transmission, listening and reception, CPU mode and low-power mode, respectively.
Compared with the prior art, the invention has the following beneficial effects:
1) Unlike a single-target attack, the method uses deep learning to take the real-time state of the network into account and generates a specific integrated attack according to the current condition of the RPL network, which gives it stronger adaptability.
2) The invention integrates nine kinds of single attacks, generates a multi-target attack mode based on weights and a time window, and degrades network performance in three respects: network resources, network traffic and network topology.
3) The performance of the method is examined with no defense and under three defense mechanisms. Compared with various other single attacks and three mixed attacks, the attack provided by the invention has a stronger attack effect; when facing IDS defense, its loss of attack effect is the smallest, and it shows a certain resistance to defense and ability to bypass defense.
Drawings
Fig. 1 is a schematic diagram of the RPL network attack category according to the present invention.
FIG. 2 is a schematic diagram of a Bi-LSTM and attention mechanism based training model of the present invention.
FIG. 3 is a schematic diagram of the model training process of the present invention.
Fig. 4 is a schematic diagram of the real-time attack flow of the present invention.
Fig. 5 is a schematic diagram of the RPL network attack architecture of the present invention.
FIG. 6 is a graph comparing the attack effect of the present invention and Sink-Clone, Rank-work and Copycat-VN attacks in an unprotected state.
Fig. 7 is a comparison graph of the present invention and five single attacks and three mixed attacks under an intrusion detection system.
Detailed Description
The invention is further elucidated with reference to the drawings and reference numerals.
In order that the above objects, features and advantages of the present invention can be more clearly understood, a detailed description of the present invention will be given below with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
As shown in fig. 1, the real-time intelligent attack method based on an integration policy for an RPL network according to the present invention specifically includes the following contents:
1) Data collection. Network transaction data of the RPL network under nine attacks, and network transaction data when the network deploys intrusion detection defense, are collected. The data sources are the relevant open-source datasets WSN-DS and RPL-NIDDS. As shown in fig. 1, approximately fifty thousand records of each type of data are sampled separately, and for each type the network transaction data is sampled from a malicious state and a benign state. For attack-type data, the malicious state is the network traffic data while the attack is being launched, and the benign state is the network traffic data immediately before the attack (the attack has not yet been launched). For non-attack-type data, the malicious state refers to the network transaction data in the scenario where an attack has been defended against by the IDS, and the benign state refers to the network transaction data when there is no attack and the IDS is enabled. The training data is preprocessed, including dirty-data cleaning, data conversion and normalization, and then 20 features highly related to the network state are selected through feature engineering.
2) Model training. Considering the time-series characteristics of network data, an LSTM framework is applied to the attack model; as shown in fig. 2, a bidirectional LSTM is used together with an attention mechanism. Sniffed real-time network traffic is the input, which passes through a Bi-LSTM layer, an attention layer and a fully connected layer. The model finally outputs, as weights, the classification probabilities of nine kinds of attack and one non-attack choice, and the weights are transformed by Softmax:
Figure BDA0003719196650000091
Therefore, when the non-attack weight is greater than or equal to 0.5, an IDS defense may exist in the current network environment and attacking is not suitable; otherwise, when the sum of the weights of the nine attacks is greater than 0.5, the attack is carried out based on the time window (the window size defaults to 100 seconds). Given the current traffic input:
Figure BDA0003719196650000092
The encoder learns a mapping function $h_t = F(h_{t-1}, x_t)$, where the function $F$ is an LSTM unit. Each LSTM unit records the state $s_t$ at the current time $t$ and has three gating functions: the input gate $i_t$, the output gate $o_t$ and the forget gate $f_t$. The principle of each gating unit is as follows:
$$f_t = \sigma(W_f[h_{t-1}; x_t] + b_f)$$
$$i_t = \sigma(W_i[h_{t-1}; x_t] + b_i)$$
$$o_t = \sigma(W_o[h_{t-1}; x_t] + b_o)$$
$$s_t = f_t \odot s_{t-1} + i_t \odot \tanh(W_s[h_{t-1}; x_t] + b_s)$$
$$h_t = o_t \odot \tanh(s_t)$$
Another advantage of using the LSTM as the training model is that it deals effectively with the vanishing gradient problem. The attention mechanism, in turn, captures long-term dependencies more effectively and so preserves the temporal order of the network traffic data. The attention mechanism of the invention is calculated in the additive manner:
Figure BDA0003719196650000101
Figure BDA0003719196650000102
The model is evaluated offline using precision and F1-score:
Figure BDA0003719196650000103
Figure BDA0003719196650000104
The whole model training and deployment process is shown in fig. 3. After offline training, the model is deployed in an online simulation environment, where the real-time traffic data generated by the network is processed and classified; attack selection and judgment are then performed according to the model output, and iteration continues after each attack finishes until the attack succeeds, that is, until the RPL network is paralyzed by excessive load.
3) Attack flow. As shown in fig. 4, the attacker first uses nodes inside the RPL network as a springboard for network sniffing, and the sniffed network traffic data is processed and input into the model. From the current network traffic, the trained model outputs the classification probabilities, that is, the weights, of nine kinds of attack and one non-attack behavior. When the sum of the weights of all attack behaviors is larger than the non-attack weight, the attack is carried out based on a time window. If the non-attack weight is larger, an IDS defense system may exist in the current network, or the network may already be overloaded and have crashed, so the current network state is judged further: if network paralysis is detected, the attack goal has been reached and the attack stops; otherwise the malicious characteristics are hidden and sniffing continues while waiting for a suitable attack opportunity. The time-window-based attack is expressed as follows:
Figure BDA0003719196650000111
where window_size is set to 100 seconds by default and $w_i$ is the weight of each attack output by the model; that is, the final attack duration is the size of one time window, and the attack strategies within the window are launched in descending order of their allocated attack time.
4) Building the network environment. The invention builds the RPL network on ContikiOS 3.0 and the Cooja simulation software, a simulation environment adopted by most current research work. Simulated nodes use the MSPsim tool to emulate real sensor hardware and run the same binary code as the real hardware. The Z1 node in Cooja is used as the wireless sensor node for communication; it provides an ultra-low-power controller based on the MSP430 architecture and a CC2420 radio transceiver operating at 2.4 GHz. The Cooja plug-in Powertrace is used to help track and analyze the energy consumption of the devices. To compare the effects of the various attacks, the invention adopts four network state evaluation indexes: Packet Delivery Rate (PDR), average end-to-end delay (AE2ED), network load (network overhead) and network energy consumption (AEC):
The packet delivery rate is the ratio of all the data packets received by the root node to the total number of data packets sent by all the other N child nodes, and is calculated as follows:
Figure BDA0003719196650000112
The average end-to-end delay is calculated as follows:
Figure BDA0003719196650000121
wherein
Figure BDA0003719196650000122
and N is the total number of data packets received by the root node from the child nodes.
The network load calculation formula is as follows:
Figure BDA0003719196650000123
where
Figure BDA0003719196650000124
is the control data packet sent by the ith node, and N is the number of all nodes in the network.
The network energy consumption calculation formula is as follows:
Figure BDA0003719196650000125
where
Figure BDA0003719196650000126
represent the energy consumed by node i in data transmission (TX), listening and reception (RX), CPU mode and Low Power Mode (LPM), respectively. After the simulation environment required by the experimental network is built, the computation and storage costs of the intelligent attack model have to be considered: the model cannot be deployed on the resource-limited nodes in the simulation environment, so the model runs on a host, the simulation environment runs in a virtual machine, and information is exchanged between them over the network. In addition, most traditional attack strategies are launched from a node inside the RPL network, and the invention likewise assumes that one or more internal nodes of the network are controlled by an attacker, which is highly likely in IoT deployments whose defense mechanisms are incomplete. As shown in fig. 5, a malicious node inside the RPL network performs network sniffing and sends the current network state information to the intelligent model on the host as input; the model outputs the decision weights, and the internal malicious node then receives the decision and performs attack judgment and selection.
5) Attack effect evaluation. In this step, the attack strategy designed by the invention is compared with other single-target attacks and with three mixed attacks, both when the RPL network is undefended and when it is defended, and the damage the attacks cause to the network is measured in four respects: packet loss rate, average end-to-end delay, network load and network energy consumption. For the fairness and accuracy of the comparison experiments, the network evaluation environment is kept as consistent as possible across all attack types, 20 simulation runs are executed for each type of attack, and the experimental results are averaged.
6) Fig. 6 shows the attack effect of the present invention and of three mixed attacks, namely Sink-Clone, Rank-work and Copycat-VN, when no defense mechanism is deployed in the RPL network. In the experimental results, the invention causes the largest packet loss rate while consuming less energy and load, and we consider that the smaller network load can help this attack avoid detection by the IDS.
7) Fig. 7 shows the attack effect of the present invention, five single attacks and three mixed attacks. The attack effect of the five single attacks is severely reduced and the network returns to its no-attack state, which shows that these five attacks are detected and defended against by the IDS. The three mixed attacks show some resistance, but still show a large loss of performance between the undefended and defended cases. After the RPL network deploys a defense mechanism, the invention shows the best attack effect in packet loss rate, end-to-end delay, network load and network energy consumption. When facing an IDS, the invention can still cause a network packet loss rate of about 50% and a network delay 35 times the normal value.
In general, the invention can still maintain about 70% of its attack effect when facing a defense mechanism. We attribute this to the combination of the intelligent model's real-time judgment and its option not to attack, which together achieve a certain degree of defense bypass. This also shows that a defense strategy with stronger generalization capability needs to be proposed for current RPL networks.
The invention is not limited to the above alternative embodiments; anyone may derive other products in various forms in light of the present invention, but whatever changes are made in shape or structure, all of them fall within the scope of protection of the present invention.
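From the monitoring side, three of the evaluation indexes the description uses to measure damage (packet delivery rate, average end-to-end delay and control-packet load) can be tracked per time window and compared with a known-good baseline. The following is an added example, not part of the patent: the log format, event names and thresholds are assumptions, and because the formula images are missing from this page the metric definitions follow the surrounding prose.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample log (not Cooja's own output format): time_s,node,event,packet_id
SAMPLE_LOG = """\
0.0,n1,DATA_TX,1
0.25,root,DATA_RX,1
5.0,root,CTRL_TX,-
6.0,n1,CTRL_TX,-
7.0,n2,CTRL_TX,-
8.0,n3,CTRL_TX,-
10.0,n2,DATA_TX,2
10.25,root,DATA_RX,2
20.0,n3,DATA_TX,3
20.25,root,DATA_RX,3
30.0,n1,DATA_TX,4
30.25,root,DATA_RX,4
100.0,n1,DATA_TX,5
101.0,root,DATA_RX,5
110.0,n2,DATA_TX,6
120.0,n3,DATA_TX,7
121.5,root,DATA_RX,7
130.0,n1,DATA_TX,8
140.0,n1,CTRL_TX,-
141.0,n2,CTRL_TX,-
142.0,n3,CTRL_TX,-
143.0,n1,CTRL_TX,-
144.0,n2,CTRL_TX,-
145.0,n3,CTRL_TX,-
146.0,n1,CTRL_TX,-
147.0,n2,CTRL_TX,-
148.0,n3,CTRL_TX,-
149.0,root,CTRL_TX,-
"""


def window_metrics(log_text, window_s=100.0, root="root"):
    """Compute PDR, mean end-to-end delay and control-packet count per window.

    A data packet belongs to the window in which it was sent.
    """
    sent, received = {}, {}
    control = defaultdict(int)
    for line in log_text.strip().splitlines():
        t, node, event, pkt = line.split(",")
        t = float(t)
        if event == "DATA_TX":
            sent[pkt] = t
        elif event == "DATA_RX" and node == root:
            received[pkt] = t
        elif event == "CTRL_TX":
            control[int(t // window_s)] += 1
    sent_count, delays = defaultdict(int), defaultdict(list)
    for pkt, t_sent in sent.items():
        w = int(t_sent // window_s)
        sent_count[w] += 1
        if pkt in received:
            delays[w].append(received[pkt] - t_sent)
    metrics = {}
    for w in sorted(set(sent_count) | set(control)):
        n_sent, d = sent_count.get(w, 0), delays.get(w, [])
        metrics[w] = {
            "pdr": len(d) / n_sent if n_sent else None,  # delivered / sent
            "delay": mean(d) if d else None,             # averaged over delivered packets
            "overhead": control.get(w, 0),               # control packets sent by all nodes
        }
    return metrics


def flag_window(baseline, current, pdr_drop=0.2, delay_factor=3.0, overhead_factor=2.0):
    """Compare one window with the baseline; the thresholds are illustrative assumptions."""
    findings = []
    if None not in (baseline["pdr"], current["pdr"]) and \
            baseline["pdr"] - current["pdr"] > pdr_drop:
        findings.append("pdr_drop")
    if None not in (baseline["delay"], current["delay"]) and \
            current["delay"] > delay_factor * baseline["delay"]:
        findings.append("delay_increase")
    if current["overhead"] > overhead_factor * baseline["overhead"]:
        findings.append("control_overhead_increase")
    return findings


if __name__ == "__main__":
    m = window_metrics(SAMPLE_LOG)
    print(m)
    print(flag_window(m[0], m[1]))
```
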

Claims (9)

1. A real-time intelligent attack method based on an integration strategy for an RPL network, characterized by comprising the following steps:
S1: Data collection: collect network transaction data of the RPL under nine attacks and network transaction data when intrusion detection defense is deployed in the network, preprocess the data, and select, through feature engineering, the features that are highly related to the network state;
S2: Model training: considering the time-series characteristics of network data, construct a training model by combining a bidirectional LSTM framework with an Attention mechanism, and input the preprocessed data into the model for training;
S3: Building the network environment: an RPL network simulation environment is built on ContikiOS 3.0 and the Cooja simulation software. Simulated nodes use the MSPsim tool to emulate real sensor hardware and run the same binary code as the real hardware. The Z1 node in Cooja is used as the wireless sensor node for communication; it provides an ultra-low-power controller based on the MSP430 architecture and a CC2420 radio transceiver operating at 2.4 GHz. The Cooja plug-in Powertrace is used to help track and analyze the energy consumption of the devices;
S4: Attack flow: the trained model is deployed into the simulation environment and takes sniffed real-time network traffic as input, which passes through a Bi-LSTM layer, an attention layer and a fully connected layer. The model finally outputs, as weights, the classification probabilities of nine kinds of attack and one non-attack choice, where the weights are transformed by Softmax:
Figure FDA0003719196640000011
therefore, when the non-attack weight is greater than or equal to 0.5, an IDS defense may exist in the current network environment and attacking is not suitable; otherwise, when the sum of the weights of the nine attacks is greater than 0.5, the attacks are carried out based on a time window, and iteration continues after the attacks finish until the attack succeeds, the time-window-based attack expression being as follows:
Figure FDA0003719196640000021
wherein window_size is set to 100 seconds by default and $w_i$ is the weight of each attack output by the model; that is, the final attack duration equals the size of the time window, and the attack strategies within the window are launched in descending order of their allocated attack time;
S5: Attack effect evaluation: the attack strategy is compared with other single-target attacks and with three mixed attacks, both when the RPL network is undefended and when it is defended, and the damage the attacks cause to the network is measured from four aspects: packet delivery rate, average end-to-end delay, network load and network energy consumption.
2. The real-time intelligent attack method based on the integrated strategy for the RPL network as claimed in claim 1, wherein: the calculation of the Attention mechanism in step S2 adopts an addition method, which is specifically as follows:
Figure FDA0003719196640000022
Figure FDA0003719196640000023
3. The real-time intelligent attack method based on the integrated strategy for the RPL network as claimed in claim 1, wherein: in step S2, after the model is constructed it needs to be evaluated, and the model evaluation uses accuracy and F1-score:
Figure FDA0003719196640000024
Figure FDA0003719196640000031
4. The real-time intelligent attack method based on the integrated strategy for the RPL network as claimed in claim 1, wherein: in step S4, when performing model simulation, the current flow input must be given:
Figure FDA0003719196640000033
the encoder learns a mapping function $h_t = F(h_{t-1}, x_t)$, wherein the function $F$ is one LSTM unit, and each LSTM unit records the state $s_t$ at the current time $t$ and three gating functions: the input gate $i_t$, the output gate $o_t$ and the forget gate $f_t$; the principle of each gating unit is specifically as follows:
$f_t = \sigma(W_f [h_{t-1}; x_t] + b_f)$
$c_t = \sigma(W_i [h_{t-1}; x_t] + b_i)$
$o_t = \sigma(W_o [h_{t-1}; x_t] + b_o)$
$s_t = f_t \odot s_{t-1} + i_t \odot \tanh(W_s [h_{t-1}; x_t] + b_s)$
$h_t = o_t \odot \tanh(s_t)$.
5. The method for real-time intelligent attack on an RPL network based on an integrated policy according to claim 1, wherein the method for determining the success of the attack in step S4 is: judging the current network state; if it is detected that the RPL network is overloaded so that the network is paralyzed, the overall target has been achieved and the attack is stopped; otherwise the malicious characteristics are hidden and sniffing continues while waiting for a suitable attack opportunity.
6. The method according to claim 1, wherein the packet delivery rate in step S5 is calculated as a ratio of all packets received by the root node to a total amount of packets sent by all other N child nodes, and the specific calculation formula is as follows:
Figure FDA0003719196640000032
7. The method for real-time intelligent attack based on integrated policy on RPL network according to claim 1, wherein the calculation formula of the average end-to-end delay in step S5 is as follows:
Figure FDA0003719196640000041
wherein
Figure FDA0003719196640000046
and N is the total number of data packets received by the root node from the child nodes.
8. The method for real-time intelligent attack on RPL network based on integrated strategy according to claim 1, wherein the calculation formula of the network load in step S5 is as follows:
Figure FDA0003719196640000042
wherein
Figure FDA0003719196640000043
is the control data packet sent by the ith node, and N is the number of all nodes in the network.
9. The method for real-time intelligent attack based on integrated policy on RPL network as claimed in claim 1, wherein the calculation formula of network energy consumption in step S5 is as follows:
Figure FDA0003719196640000044
wherein
Figure FDA0003719196640000045
respectively represent the energy consumed by node i when transmitting data, when listening and receiving, in CPU mode and in low-power mode.
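The gate equations of claim 4, written out as an added example (not code from the patent): one LSTM step and the encoder recurrence $h_t = F(h_{t-1}, x_t)$ over a window of feature vectors. The helper `constant_params`, the feature values and the dimensions are assumptions made for illustration.

```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def affine(W, v, b):
    """W·v + b, with W given as a list of rows."""
    return [sum(w * x for w, x in zip(row, v)) + bk for row, bk in zip(W, b)]

def lstm_step(p, h_prev, s_prev, x_t):
    """One application of h_t = F(h_{t-1}, x_t) from claim 4."""
    z = h_prev + x_t                                   # [h_{t-1}; x_t]
    f = [sigmoid(a) for a in affine(p["W_f"], z, p["b_f"])]    # forget gate f_t
    # Input gate: the claim prints this equation as c_t but uses it as i_t.
    i = [sigmoid(a) for a in affine(p["W_i"], z, p["b_i"])]
    o = [sigmoid(a) for a in affine(p["W_o"], z, p["b_o"])]    # output gate o_t
    g = [math.tanh(a) for a in affine(p["W_s"], z, p["b_s"])]  # candidate state
    s_t = [fk * sk + ik * gk for fk, sk, ik, gk in zip(f, s_prev, i, g)]
    h_t = [ok * math.tanh(sk) for ok, sk in zip(o, s_t)]
    return h_t, s_t

def encode(p, xs, hidden):
    """Run the cell over a whole window, starting from zero state."""
    h, s = [0.0] * hidden, [0.0] * hidden
    states = []
    for x_t in xs:
        h, s = lstm_step(p, h, s, x_t)
        states.append(h)
    return states

def constant_params(hidden, n_in, w=0.0, b_s=0.0):
    """Hypothetical helper: every weight = w, gate biases 0, state bias b_s."""
    W = [[w] * (hidden + n_in) for _ in range(hidden)]
    zero = [0.0] * hidden
    return {"W_f": W, "b_f": zero, "W_i": W, "b_i": zero,
            "W_o": W, "b_o": zero, "W_s": W, "b_s": [b_s] * hidden}

# Constructed sample: three time steps of two already-normalised features.
SAMPLE_WINDOW = [[0.2, 0.1], [0.4, 0.3], [0.9, 0.8]]

if __name__ == "__main__":
    for t, h in enumerate(encode(constant_params(2, 2, w=0.5), SAMPLE_WINDOW, 2), 1):
        print(t, [round(v, 4) for v in h])
```

With all weights at zero every gate evaluates to 0.5, which makes the state recurrence easy to check by hand against the equations.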
CN202210754200.0A 2022-06-28 2022-06-28 Real-time intelligent attack method based on integration strategy for RPL network Pending CN115119209A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210754200.0A CN115119209A (en) 2022-06-28 2022-06-28 Real-time intelligent attack method based on integration strategy for RPL network

Publications (1)

Publication Number Publication Date
CN115119209A true CN115119209A (en) 2022-09-27

Family

ID=83330385

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210754200.0A Pending CN115119209A (en) 2022-06-28 2022-06-28 Real-time intelligent attack method based on integration strategy for RPL network

Country Status (1)

Country Link
CN (1) CN115119209A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115622820A (en) * 2022-12-20 2023-01-17 东南大学 Internet of things intrusion detection method based on statistical analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination