CN116389131A - Internet of things flow auditing method and device suitable for white list policy - Google Patents


Info

Publication number: CN116389131A
Application number: CN202310385573.XA
Authority: CN (China)
Prior art keywords: monitoring, flow, internet, vector, things
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 徐思尧, 李妍, 彭明洋, 占聪聪, 张子瑛, 周刚, 张凯, 倪进超, 佘钰章
Current assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority to CN202310385573.XA
Publication of CN116389131A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses an Internet of things (IoT) traffic auditing method and device suitable for a whitelist policy. The method comprises the following steps: collecting traffic data at an IoT aggregation switch and identifying the instruction type in the traffic data; establishing a standard vector from the instruction types in the first traffic data; establishing a monitoring vector from the second traffic data; calculating the cosine of the angle between the standard vector and the monitoring vector to obtain a monitoring sequence, and generating a reference function corresponding to the monitoring sequence; and issuing a traffic anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function exceeds a preset value. In embodiments of the invention the standard function serves as the whitelist, and building the standard vector and the monitoring vector does not depend on understanding the individual instructions; in addition, comparing the deviation amplitude between the monitoring sequence and the reference function identifies changes in the instruction sequence quickly, so that IoT traffic security is judged in real time.

Description

Internet of things flow auditing method and device suitable for white list policy
Technical Field
The invention relates to the technical field of network security management, in particular to an Internet of things (IoT) traffic auditing method and device suitable for a whitelist policy.
Background
In an IoT environment, particularly a large-scale IoT with a high security level, the core backbone is a TCP/IP network; WiFi, Bluetooth, RFID and the like are only access-network technologies, and nearby gateways convert them to TCP/IP so that communication continues. The IoT traffic environment resembles an industrial control scenario: the terminal devices are simple and have a limited instruction set, they handle abnormal instructions poorly, and their protocols offer weak security, so it is very easy to introduce an attacking device that, for example, performs a man-in-the-middle attack or directly sends malicious instructions, causing a terminal in the IoT environment to execute wrong instructions and throwing the entire IoT service and control process into disorder. To address these problems in the industrial control field, the prior art mainly uses two technical means. The first is the whitelist traffic audit product: it analyses industrial control traffic and sets up alarm policies for instruction sequences and instruction parameter thresholds; once an instruction inconsistent with the original expectation is found, the device is considered to have exhibited abnormal behaviour, operations and maintenance staff are directed to intervene, and the subnetwork is thereby monitored. The second is the traditional network intrusion monitoring product and traditional anti-virus product; these must be connected to the Internet so that the manufacturer's technical support is available and the product's malicious-code behaviour library can be updated promptly, which makes traffic auditing and judgement more accurate.
Auditing oriented to instruction sequences and thresholds uses a whitelist mode: authentication of trusted behaviour is completed simply by learning the existing scenario; during monitoring, only behaviour outside the trusted set needs to be alarmed uniformly; and the mode of operation is set once, used for life and needs no Internet connection, which is widely accepted in the industrial control field. In engineering practice, however, relying only on a whitelist formed by manual configuration or by recording all of the traffic, a whitelist comprising a process instruction sequence and instruction thresholds, cannot deliver a real whitelist effect. The main reasons are that the plant does not really understand the instruction sequence in the traffic, and that in actual engineering the instruction sequence is not constant, so a simple instruction-sequence whitelist has no practical engineering significance.
Disclosure of Invention
The invention provides an IoT traffic auditing method and device suitable for a whitelist policy, to solve the technical problem that, when the whitelist policy of existing auditing systems is applied to an operating-condition scenario, the instruction sequence in the traffic and its changes are difficult to grasp, so that real-time judgement of IoT traffic security is hard to achieve.
To solve this technical problem, an embodiment of the invention provides an IoT traffic auditing method applicable to a whitelist policy, comprising:
collecting traffic data at an IoT aggregation switch and identifying the instruction type in the traffic data, where the traffic data comprises first traffic data collected during a first preset time period and second traffic data collected at preset time intervals;
establishing a standard vector from the instruction types in the first traffic data, and establishing a monitoring vector from the second traffic data;
calculating the cosine of the angle between the standard vector and the monitoring vector to obtain a monitoring sequence, and generating a reference function corresponding to the monitoring sequence;
and issuing a traffic anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function exceeds a preset value.
The communication pattern of IoT traffic is relatively fixed over a period of time. The invention therefore establishes a standard vector from the first traffic data of the first preset time period, then gradually collects second traffic data at the preset time interval to form monitoring vectors, and computes the cosine of the angle between them to form the monitoring sequence and the reference function needed for traffic auditing. The standard function serves as the whitelist, and building the standard vector and the monitoring vector does not depend on mastering or understanding each instruction, which avoids the problem that the instruction sequence in the traffic is hard to grasp under existing whitelist policies. In addition, comparing the deviation amplitude between the monitoring sequence and the reference function identifies changes in the instruction sequence quickly without relying on a specific understanding of each instruction, so IoT traffic security is judged in real time.
Further, collecting the traffic data at the IoT aggregation switch and identifying the instruction type in the traffic data specifically comprises:
connecting to the IoT aggregation switch in bypass (out-of-band) mode to obtain the traffic data of the aggregation switch;
and performing protocol parsing and data stripping on the traffic data to obtain the source address, source port, destination address, destination port, protocol type, variable parameters and the instruction type.
The IoT aggregation switch is accessed in bypass mode to obtain the traffic data, and protocol parsing and data stripping yield the instruction types needed to form the monitoring sequence and the reference function.
Further, calculating the cosine of the angle between the standard vector and the monitoring vector to obtain a monitoring sequence and generating the reference function corresponding to the monitoring sequence specifically comprises:
calculating, step by step at each preset time interval, the cosine of the angle between the standard vector and the current monitoring vector, to obtain the monitoring sequence containing a plurality of cosine values;
and inputting the monitoring sequence into a generative adversarial neural network and performing generative simulation with a genetic algorithm, to obtain the reference function corresponding to the monitoring sequence.
The method obtains the monitoring sequence used to judge the traffic security condition by calculating the cosine between the standard vector and each of a plurality of monitoring vectors at preset time intervals, and obtains the reference function that serves as the whitelist through generative simulation by a generative adversarial network and a genetic algorithm. Changes in the instruction sequence are then identified in real time by comparing the degree of deviation between the monitoring sequence and the reference function, so IoT traffic security is judged in real time without a specific understanding of the instruction sequence.
Further, after issuing the traffic anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function exceeds the preset value, the method comprises the following step:
when more than a preset number of cosine values in the monitoring sequence deviate from the reference function by more than the preset value, prompting maintenance personnel to intervene, so that they replace the problem device and carry out a security inspection of it.
By setting the preset number, the method identifies the abnormal situation of a local mutation in the instruction sequence, and the timely alarm prompts maintenance personnel to replace the problem device, inspect it and so on, which further realises real-time judgement of IoT traffic security.
Further, after issuing the traffic anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function exceeds the preset value, the method comprises the following steps:
when the cosine values over the whole period of the monitoring sequence deviate from the reference function by more than the preset value, saving the reference function and collecting the traffic data at the IoT aggregation switch again;
and calculating a new reference function from the re-collected traffic data.
The method identifies the abnormal situation of a full-segment mutation in the instruction sequence, so that when the whole process-control activity of the operating scenario changes, the change in the instruction sequence is recognised promptly and the reference function serving as the whitelist is updated, ensuring real-time judgement of IoT traffic security. In addition, the old reference function is stored, so that it can be compared as a historical reference at the next abnormal situation, which improves judgement accuracy and reduces false alarms.
Further, after calculating the cosine between the standard vector and the monitoring vector to obtain the monitoring sequence and generating the corresponding reference function, the method comprises the following step:
when the deviation amplitude between the monitoring sequence as a whole and the reference function is smaller than the preset value but the deviation of one particular cosine value from the reference function is larger than the preset value, recording that cosine value and its corresponding traffic data as an anomaly.
The method also judges the case of a single-value mutation when the monitoring sequence is not recognised as abnormal: when one cosine value of the monitoring sequence mutates and the sequence then returns to the original reference function curve, the event has no attack significance for traffic security, but the single-value mutation is recorded so that maintenance personnel can conveniently keep track of the real-time state of IoT traffic security.
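The three post-alarm cases above (local mutation with more than a preset number of deviating points, full-segment mutation over the whole period, and a single-value mutation that is only recorded) can be turned into one decision procedure over a monitoring sequence. The following is an added example, not the patent's own code: it takes a monitoring sequence of cosine values and a reference function and returns which case applies and what action it triggers. Two things are assumptions because the page does not define them: the reference function is represented by a single constant value, and the deviation amplitude of a point is its relative deviation from that value, with the sequence-level deviation taken as the mean of the point deviations. The sequences at the bottom are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List


@dataclass
class Verdict:
    kind: str            # normal | single_value | alarm | local_mutation | full_segment
    alarm: bool          # whether the step-104 traffic anomaly alarm fires
    action: str          # what the operator-facing follow-up is
    exceeded: List[int]  # indexes of cosine values whose deviation > preset


@dataclass
class ReferenceAuditor:
    """Holds the current reference function (ASSUMPTION: one constant value)
    and the history of saved references kept for later comparison."""
    reference: float
    preset: float = 0.05        # the embodiment's preset value of 5%
    preset_count: int = 3       # preset number of deviating points for a local mutation
    saved_references: List[float] = field(default_factory=list)
    recorded: List[int] = field(default_factory=list)  # single-value mutations, logged only

    def deviation(self, m: float) -> float:
        # ASSUMPTION: deviation amplitude = |m - reference| / reference
        return abs(m - self.reference) / self.reference

    def judge(self, sequence: List[float]) -> Verdict:
        devs = [self.deviation(m) for m in sequence]
        exceeded = [i for i, d in enumerate(devs) if d > self.preset]
        # Full-segment mutation: every point of the period deviates. Save the old
        # reference so the next anomaly can be compared against history, then the
        # caller re-collects traffic and calls relearn().
        if exceeded and len(exceeded) == len(sequence):
            self.saved_references.append(self.reference)
            return Verdict("full_segment", True,
                           "save reference, re-collect traffic, form new reference", exceeded)
        # Local mutation: more than the preset number of points deviate.
        if len(exceeded) > self.preset_count:
            return Verdict("local_mutation", True,
                           "prompt maintenance: replace and inspect the problem device", exceeded)
        # Plain alarm: the sequence as a whole deviates beyond the preset value.
        if mean(devs) > self.preset:
            return Verdict("alarm", True, "traffic anomaly alarm", exceeded)
        # Single-value mutation: the sequence is fine overall, one point is not.
        if exceeded:
            self.recorded.extend(exceeded)
            return Verdict("single_value", False, "record cosine and its traffic; no alarm", exceeded)
        return Verdict("normal", False, "none", exceeded)

    def relearn(self, new_sequence: List[float]) -> float:
        """New reference after re-collection (ASSUMPTION: mean of the new sequence)."""
        self.reference = mean(new_sequence)
        return self.reference


# Constructed sample monitoring sequences against a learned reference of 0.99.
QUIET = [0.99, 0.985, 0.995, 0.98, 0.99]
ONE_DIP = [0.99] * 9 + [0.70]
FOUR_DIPS = [0.70] * 4 + [0.99] * 6
ALL_SHIFTED = [0.70] * 10


def run_demo() -> List[str]:
    auditor = ReferenceAuditor(reference=0.99)
    kinds = [auditor.judge(s).kind for s in (QUIET, ONE_DIP, FOUR_DIPS, ALL_SHIFTED)]
    auditor.relearn(ALL_SHIFTED)   # the process has changed; adopt the new baseline
    return kinds


if __name__ == "__main__":
    for kind in run_demo():
        print(kind)
```

The ordering of the checks matters: a full-segment mutation also satisfies the local-mutation count, so it is tested first, and a single-value mutation is only reported when the sequence-level deviation stays under the preset value, matching the case described above.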
Further, the standard vector and the monitoring vector comprise the various instruction types and the count corresponding to each instruction type.
Further, the standard vector and the monitoring vector also contain weights for the various instruction types; the weights are obtained by weighting the instruction types.
The invention establishes the standard vector and the monitoring vector by attaching to each instruction type its count, or by combining this with the weight of each instruction type, thereby avoiding the need to grasp the specific meaning of each instruction sequence.
In another aspect, an embodiment of the invention also provides an IoT traffic auditing device suitable for a whitelist policy, comprising a data acquisition module, a vector establishment module, a deep learning engine module and an alarm module;
the data acquisition module is used to collect traffic data at the IoT aggregation switch and identify the instruction type in the traffic data, where the traffic data comprises first traffic data collected during a first preset time period and second traffic data collected at preset time intervals;
the vector establishment module is used to establish a standard vector from the instruction types in the first traffic data and a monitoring vector from the second traffic data;
the deep learning engine module is used to calculate the cosine of the angle between the standard vector and the monitoring vector to obtain a monitoring sequence and to generate the reference function corresponding to the monitoring sequence;
and the alarm module is used to issue a traffic anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function exceeds a preset value.
The communication pattern of IoT traffic is relatively fixed over a period of time. The invention therefore establishes a standard vector from the first traffic data of the first preset time period, then gradually collects second traffic data at the preset time interval to form monitoring vectors, and computes the cosine of the angle between them to form the monitoring sequence and the reference function needed for traffic auditing. The standard function serves as the whitelist, and building the standard vector and the monitoring vector does not depend on mastering or understanding each instruction, which avoids the problem that the instruction sequence in the traffic is hard to grasp under existing whitelist policies. In addition, comparing the deviation amplitude between the monitoring sequence and the reference function identifies changes in the instruction sequence quickly without relying on a specific understanding of each instruction, so IoT traffic security is judged in real time.
Further, the deep learning engine module comprises a monitoring sequence establishment unit and a reference function generation unit;
the monitoring sequence establishment unit is used to calculate, step by step, the cosine of the angle between the standard vector and the monitoring vector of each preset time interval, to obtain the monitoring sequence containing a plurality of cosine values;
the reference function generation unit is used to input the monitoring sequence into a generative adversarial neural network and perform generative simulation with a genetic algorithm, to obtain the reference function corresponding to the monitoring sequence.
The device obtains the monitoring sequence used to judge the traffic security condition by calculating the cosine between the standard vector and each of a plurality of monitoring vectors at preset time intervals, and obtains the reference function that serves as the whitelist through generative simulation by a generative adversarial network and a genetic algorithm. Changes in the instruction sequence are then identified in real time by comparing the degree of deviation between the monitoring sequence and the reference function, so IoT traffic security is judged in real time without a specific understanding of the instruction sequence.
Drawings
Fig. 1 is a schematic flow chart of an embodiment of the IoT traffic auditing method applicable to a whitelist policy provided by the invention;
Fig. 2 is a schematic structural diagram of an embodiment of the IoT traffic audit system provided by the invention;
Fig. 3 is a schematic flow chart of another embodiment of the IoT traffic auditing method applicable to a whitelist policy provided by the invention;
Fig. 4 is a schematic flow chart of still another embodiment of the IoT traffic auditing method applicable to a whitelist policy provided by the invention;
Fig. 5 is a schematic structural diagram of an embodiment of the IoT traffic auditing device applicable to a whitelist policy provided by the invention;
Fig. 6 is a schematic structural diagram of another embodiment of the IoT traffic auditing device applicable to a whitelist policy.
Detailed Description
The following description of embodiments of the invention is made clearly and completely with reference to the accompanying drawings; evidently the embodiments described are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from these embodiments without inventive effort fall within the scope of the invention.
Existing traffic auditing products mainly comprise traffic probes and industrial control traffic auditing products.
A traffic probe, as a traditional network intrusion monitoring and anti-virus product, uses a blacklist mode, needs Internet access, and periodically fetches the latest malicious-behaviour library from the manufacturer. Its main working modes are as follows. a) The attack process is divided into steps such as scanning, information gathering, vulnerability exploitation, launching the attack and erasing traces; the network pattern of each step is abstracted into a protection policy, and an alarm is raised once similar behaviour is found. b) Virus interception: the traffic is analysed and matched against virus signatures, and an alarm is raised on a successful match. c) Intelligent sandbox (APT): files in the traffic are extracted and placed in a virtual operating-system environment that exposes only the operating system's important interfaces; the analysed file is run under a time accelerator, and an alarm is raised once the file calls an important operating-system interface. The problem with such products is that their model of attacker behaviour is too rigid. Modern intrusions have clearer objectives and more complex processes, are carried out through social engineering and phishing, and are made to resemble normal operation; modern malware is no longer a simplified stand-alone object but is written directly in the form of an application program. Taking ransomware and its related variants as an example, the functions above are difficult to prevent effectively at the network monitoring level.
Industrial control traffic audit systems mainly use a whitelist policy: trusted behaviour is built into the policy, and everything not matching a trusted policy raises an alarm. Trusted behaviour on the network includes a peer-to-peer communication model, a peer-to-peer communication protocol family, a peer-to-peer instruction sequence and the like. The advantages of the whitelist are that it is strictly restrictive, needs no Internet connection, can update its behaviour library, and suits industrial control networks isolated from the Internet. The problem with such products is that the trusted policy is hard to formulate. On the one hand, a plant's control system is delivered as a turnkey project: the design institute, integrator and product manufacturer build it to the owner's requirements, and after construction the owner is only responsible for production control; the operating principles and working details of the system are not handed over to the owner, who also lacks the capability to master the network communication details. On the other hand, the production process is not constant and often changes slightly with materials, environment and production personnel. Whitelist formulation is therefore unsuccessful in practical applications. To solve the whitelist policy problem, the invention provides an IoT traffic auditing method and device suitable for a whitelist policy, with the specific embodiments as follows:
example 1
Referring to Fig. 1, the flow chart of an embodiment of the IoT traffic auditing method for a whitelist policy according to the invention mainly comprises steps 101 to 104, as follows:
Step 101: collect traffic data at the IoT aggregation switch and identify the instruction type in the traffic data; the traffic data comprises first traffic data within a first preset time period and second traffic data collected at preset time intervals.
In this embodiment, collecting the traffic data at the IoT aggregation switch and identifying the instruction type specifically comprises: connecting to the IoT aggregation switch in bypass mode to obtain its traffic data; and performing protocol parsing and data stripping on the traffic data to obtain the source address, source port, destination address, destination port, protocol type, variable parameters and the instruction type.
In this embodiment, the variable parameters comprise a variable name and a variable value. The protocol type is the application protocol carried in the application data segment of the TCP/IP packet.
In this embodiment, protocol parsing means using a protocol parsing library to parse the TCP/IP communication packet according to the protocol identification header of the traffic data and the industrial control protocol. The protocol parsing library includes MODBUS, PROFINET, the IEC105 power protocol, EIP and so on. Data stripping means calling the identification module corresponding to the protocol type and resolving the source address, source port, destination address, destination port, protocol type, instruction type, variable name and variable value from the communication packet of the traffic data.
In this embodiment, obtaining the traffic data of the IoT aggregation switch specifically comprises receiving, through a physical interface, the communication packets delivered by the bypass traffic, and filtering out packets of lower-layer protocols such as ARP.
In this embodiment, the IoT traffic auditing method applicable to the whitelist policy may be applied in an IoT traffic audit system. Referring to Fig. 2, the schematic structural diagram of an embodiment of the IoT traffic audit system provided by the invention, the IoT traffic audit system is connected to the aggregation switch in bypass mode, and the aggregation switch aggregates the Bluetooth, ZigBee, WiFi or 4G/5G LTE base stations of the base layer. The gateways of these terminal networks perform protocol conversion at the base layer and ultimately communicate using the TCP/IP-based industrial network protocol. The IoT traffic audit system can thus obtain all of the exchanged traffic at the aggregation switch layer for bypass auditing.
In this embodiment, the traffic data produced by protocol parsing is placed in a data cache buffer, where it waits to be processed by the learning engine. The data cache uses memory preferentially, according to the traffic volume and memory condition, and spills to disk when memory is insufficient, so that the traffic rate and the speed of the learning engine are kept consistent.
In this embodiment, all of the processes of network interface filtering, protocol parsing, data cache reading and writing, and learning engine computation may also be recorded in a computation process log for subsequent tracing analysis.
The IoT aggregation switch is accessed in bypass mode to obtain the traffic data, and protocol parsing and data stripping yield the instruction types needed to form the monitoring sequence and the reference function.
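Step 101, and the same step in the disclosure section, describe filtering out lower-layer frames such as ARP, then parsing an industrial protocol and stripping out the source address, source port, destination address, destination port, protocol type, instruction type, variable name and variable value. The following added example (not the patent's code, and not the protocol parsing library it refers to) does this for MODBUS, one of the protocols the page lists: the Modbus/TCP function code becomes the instruction type, the register or coil address the variable name, and the written value or requested quantity the variable value. The capture at the bottom is constructed with placeholder addresses; only client-to-server requests on port 502 are decoded, since Modbus responses carry a different PDU layout.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800   # frames with any other EtherType (ARP is 0x0806) are filtered out
MODBUS_TCP_PORT = 502

# Modbus function codes decoded here; the function code is the "instruction type".
FUNCTION_NAMES = {
    0x01: "ReadCoils",
    0x03: "ReadHoldingRegisters",
    0x05: "WriteSingleCoil",
    0x06: "WriteSingleRegister",
    0x10: "WriteMultipleRegisters",
}


@dataclass(frozen=True)
class StrippedRecord:
    """One row of stripped data: the fields named in step 101."""
    src: str
    sport: int
    dst: str
    dport: int
    protocol: str
    instruction: str
    variable_name: Optional[str]
    variable_value: Optional[int]


def parse_modbus_request(payload: bytes) -> Tuple[int, Optional[str], Optional[int]]:
    """Protocol parsing: 7-byte MBAP header followed by the request PDU.

    Returns (function code, variable name, variable value). The register or
    coil address is the variable name; the value written, or the quantity
    requested, is the variable value.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"not Modbus: protocol id {proto_id}")
    if length != len(payload) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match the frame")
    fc, data = payload[7], payload[8:]
    if fc in (0x01, 0x03):                  # read requests: start address, quantity
        start, qty = struct.unpack("!HH", data[:4])
        return fc, f"addr{start}", qty
    if fc in (0x05, 0x06):                  # single writes: address, value
        addr, value = struct.unpack("!HH", data[:4])
        return fc, f"addr{addr}", value
    if fc == 0x10:                          # multiple-register write: start, quantity, ...
        start, qty = struct.unpack("!HH", data[:4])
        return fc, f"addr{start}", qty
    return fc, None, None                   # valid framing, function not decoded here


def strip_segment(ethertype: int, src: str, sport: int, dst: str, dport: int,
                  payload: bytes) -> Optional[StrippedRecord]:
    """Filtering plus data stripping for one captured segment.

    Returns None for frames that are filtered (non-IPv4, e.g. ARP) or that are
    not Modbus/TCP requests.
    """
    if ethertype != ETHERTYPE_IPV4 or dport != MODBUS_TCP_PORT:
        return None
    fc, name, value = parse_modbus_request(payload)
    instruction = FUNCTION_NAMES.get(fc, f"fc0x{fc:02x}")
    return StrippedRecord(src, sport, dst, dport, "Modbus/TCP", instruction, name, value)


def build_request(tid: int, unit: int, fc: int, *fields: int) -> bytes:
    """Helper used only to construct the sample frames below."""
    pdu = bytes([fc]) + struct.pack("!" + "H" * len(fields), *fields)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture (placeholder addresses): an ARP frame, a
# ReadHoldingRegisters request, a WriteSingleRegister request, and the
# server's response to the write (same PDU echoed back, so it is skipped).
SAMPLE_SEGMENTS = [
    (0x0806, "10.0.0.9", 0, "10.0.0.255", 0, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    (0x0800, "10.0.0.20", 50211, "10.0.0.5", 502, build_request(1, 1, 0x03, 0x0000, 10)),
    (0x0800, "10.0.0.20", 50211, "10.0.0.5", 502, build_request(2, 1, 0x06, 0x0010, 0x1234)),
    (0x0800, "10.0.0.5", 502, "10.0.0.20", 50211, build_request(2, 1, 0x06, 0x0010, 0x1234)),
]


def strip_all(segments=SAMPLE_SEGMENTS) -> List[StrippedRecord]:
    """Run filtering and stripping over a capture; the result feeds the vector stage."""
    records = []
    for seg in segments:
        rec = strip_segment(*seg)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for r in strip_all():
        print(r)
```

The length check against the MBAP header is what keeps a truncated or padded frame from being silently mis-stripped into a wrong instruction type, which matters because everything downstream counts those types.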
Step 102: establish a standard vector from the instruction types in the first traffic data, and establish a monitoring vector from the second traffic data.
In this embodiment, the preset time intervals begin after the first preset time period; that is, collection of the second traffic data starts after the first traffic data required to establish the standard vector has been collected, and then proceeds step by step at the preset time interval.
In this embodiment, the preset time interval is 1 minute.
Step 103: calculate the cosine of the angle between the standard vector and the monitoring vector to obtain a monitoring sequence, and generate the reference function corresponding to the monitoring sequence.
In this embodiment, step 103 may be performed in a deep learning framework within the IoT traffic audit system: the traffic data collected in step 101 may be classified by consistent source address, source port, destination address, destination port and protocol type, and each class of traffic data is pushed to a corresponding learning engine to calculate the cosine of the angle.
In this embodiment, the learning engine pool that executes step 103 consists of a plurality of learning engines and is configured according to the hardware available. Each learning engine obtains data from the data cache, constructs the vector, computes the cosine and the length, compares them with the standard vector and the threshold, and determines whether the current vector conforms to the monitoring policy.
Step 104: issue a traffic anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function exceeds a preset value.
In this embodiment, the preset value is 5%; that is, when the deviation amplitude between the monitoring sequence and the reference function exceeds 5%, the monitoring sequence is judged abnormal and an alarm is issued.
In this embodiment, traffic may be collected and monitored in different time periods for different operating conditions. For example, where day and night differ clearly, as with peak and off-peak electricity in a substation, two monitoring periods are defined, from 08:00 to 22:00 and from 22:00 to 08:00 the next day; for petrochemical plants or similar conditions, monitoring may be continuous over 24 hours; for a process-type environment such as warehouse picking, the period may be triggered by instruction type, for example receipt of the picking instruction marks the start of the period and completion of the picking instruction marks its end.
In practice, given the IoT control process, generation of the reference function can essentially be completed within 1 to 2 days, and after one week of monitoring and learning the reference function essentially covers more than 90% of the normal conditions of the annual process; the details of the process control are then mastered progressively as monitoring continues.
Referring to fig. 3, a flow chart of another embodiment of the Internet of Things flow auditing method applicable to the whitelist policy provided by the present invention is shown. The main difference between fig. 3 and fig. 1 is that fig. 3 includes steps 201-202, as follows:
In this embodiment, step 103 specifically includes steps 201 to 202.
Step 201: at each preset time interval, calculate the included-angle cosine value between the standard vector and the current monitoring vector, so as to obtain a monitoring sequence made up of a plurality of included-angle cosine values.
Step 202: input the monitoring sequence into a generative adversarial network and perform generative simulation with a genetic algorithm, so as to obtain the reference function corresponding to the monitoring sequence.
By calculating the cosine values between the standard vector and a series of monitoring vectors at preset time intervals, the method obtains a monitoring sequence from which the flow security condition is judged, and by generative simulation with a generative adversarial network and a genetic algorithm it obtains a reference function that serves as the whitelist. Comparing the degree of deviation between the monitoring sequence and the reference function then identifies changes in the instruction sequence in real time and judges the flow security of the Internet of Things in real time, without requiring a specific understanding of the instruction sequence.
Referring to fig. 4, a flow chart of still another embodiment of the Internet of Things flow auditing method applicable to the whitelist policy provided by the present invention is shown. The main difference between fig. 4 and fig. 3 is that fig. 4 includes steps 301-304, as follows:
In this embodiment, step 301 is performed after step 104.
Step 301: when more than a preset number of included-angle cosine values in the monitoring sequence deviate from the reference function by more than the preset value, prompt maintenance personnel to intervene, so that they replace the problem equipment and carry out a security inspection of it.
By setting the preset number, the method identifies local mutations in the instruction sequence, and through a timely alarm prompts maintenance personnel to replace the problem equipment, perform a security inspection and take other actions, further realising real-time judgment of the flow security of the Internet of Things.
In this embodiment, step 302 is also performed after step 104, and step 303 is performed after step 302.
Step 302: when the included-angle cosine values over the whole period of the monitoring sequence deviate from the reference function by more than the preset value, save the reference function and collect the flow data in the Internet of Things aggregation switch again.
Step 303: calculate and form a new reference function from the re-collected flow data.
The method thereby identifies full-segment mutations in the instruction sequence, so that when the whole process-control activity of a working-condition scenario changes, the change in the instruction sequence is identified in time and the reference function that serves as the whitelist is updated, preserving real-time judgment of the flow security of the Internet of Things. In addition, because the old reference function is stored, it can be used as a historical reference function for comparison against the next abnormal situation, improving judgment accuracy and reducing false alarms.
In this embodiment, step 304 is performed after step 103.
Step 304: when the deviation amplitude between the monitoring sequence and the reference function is smaller than the preset value but the deviation amplitude between a particular included-angle cosine value and the reference function is larger than the preset value, record that cosine value and its corresponding flow data as an anomaly.
The method and system thus also judge single-value mutations in the case where the monitoring sequence as a whole is not recognised as abnormal. When a single included-angle cosine value of the monitoring sequence mutates and the sequence then returns to the original reference function curve, this has no attack significance for flow security, but the single-value mutation is still recorded so that maintenance personnel can keep track of the real-time flow security situation of the Internet of Things.
Further, the standard vector and the monitoring vector contain the various instruction types and the number of occurrences of each instruction type.
Further, the standard vector and the monitoring vector may also contain weights for the various instruction types; the weights are obtained by weighting the instruction types.
The invention establishes the standard vector and the monitoring vector from the instruction types together with their counts, optionally combined with per-type weights, and thereby avoids having to grasp the specific meaning of each instruction sequence.
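The vector construction from instruction-type counts and weights, the cosine monitoring sequence of step 201, the 5% deviation alarm of step 104 and the three follow-up outcomes of steps 301, 302 and 304 can be illustrated together in code. The block below is an added example written for this page; it is not code from the patent or its applicants. The instruction-type catalogue, the two five-tuples, the record counts and the preset number of 3 are constructed, and the reference function is simplified to a constant mean baseline learned from a few intervals, standing in for the generative adversarial network and genetic algorithm the patent uses to generate it.

```python
from collections import Counter
from math import sqrt

# Instruction types the protocol parser is assumed to emit (constructed for this
# example; the patent's parser yields an instruction type but fixes no catalogue).
INSTRUCTION_TYPES = ("read_coils", "read_registers", "write_register", "write_coils")


def flow_key(rec):
    """Five-tuple by which flow data is routed to a learning engine (step 103)."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def group_by_flow(records):
    """Split stripped flow records into per-five-tuple groups."""
    groups = {}
    for rec in records:
        groups.setdefault(flow_key(rec), []).append(rec)
    return groups


def build_vector(records, weights=None):
    """Count of each instruction type, optionally multiplied by a per-type weight."""
    counts = Counter(rec["instr"] for rec in records)
    weights = weights or {}
    return [counts.get(t, 0) * weights.get(t, 1.0) for t in INSTRUCTION_TYPES]


def cosine(a, b):
    """Cosine of the included angle between two vectors; 0.0 if either is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    na = sqrt(sum(x * x for x in a))
    nb = sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def monitoring_sequence(standard, windows, weights=None):
    """One cosine value per preset time interval (step 201)."""
    return [cosine(standard, build_vector(w, weights)) for w in windows]


def constant_reference(learning_sequence, length):
    """Simplified reference function (assumption): the mean cosine over a learning
    period, repeated for every interval. The patent derives the reference function
    with a generative adversarial network and a genetic algorithm instead."""
    mean = sum(learning_sequence) / len(learning_sequence)
    return [mean] * length


def classify(sequence, reference, preset=0.05, preset_count=3):
    """Map the sequence/reference comparison to the patent's outcomes:
    'full'         every interval deviates by more than preset (step 302: relearn),
    'local'        more than preset_count intervals deviate (step 301: maintenance),
    'alarm'        the sequence as a whole deviates (step 104: flow anomaly alarm),
    'single_value' isolated intervals deviate while the whole stays within preset
                   (step 304: record only),
    'normal'       otherwise."""
    devs = [abs(s - r) / abs(r) if r else abs(s - r) for s, r in zip(sequence, reference)]
    exceeding = sum(1 for d in devs if d > preset)
    whole = sum(devs) / len(devs)   # deviation amplitude of the whole sequence
    if exceeding == len(devs):
        return "full"
    if exceeding > preset_count:
        return "local"
    if whole > preset:
        return "alarm"
    if exceeding:
        return "single_value"
    return "normal"


# --- constructed sample data: two flows seen on the aggregation switch ----------
PLC = {"src": "10.1.1.20", "sport": 50231, "dst": "10.1.1.5", "dport": 502, "proto": "tcp"}
HMI = {"src": "10.1.1.21", "sport": 50112, "dst": "10.1.1.5", "dport": 502, "proto": "tcp"}


def synth(flow, **counts):
    """Expand {instr: n} into n stripped records on the given flow (constructed)."""
    return [dict(flow, instr=t) for t, n in counts.items() for _ in range(n)]


def demo():
    """Standard vector from first flow data, then eight monitoring intervals, the
    last of which carries a burst of write_coils; returns (sequence, outcome)."""
    first = (synth(PLC, read_coils=10, read_registers=20, write_register=2, write_coils=1)
             + synth(HMI, read_registers=5))
    standards = {k: build_vector(recs) for k, recs in group_by_flow(first).items()}
    plc_std = standards[flow_key(PLC)]          # [10, 20, 2, 1]
    normal = synth(PLC, read_coils=10, read_registers=20, write_register=2, write_coils=1)
    burst = synth(PLC, read_coils=10, read_registers=20, write_register=2, write_coils=20)
    windows = [normal] * 7 + [burst]
    seq = monitoring_sequence(plc_std, windows)
    ref = constant_reference(monitoring_sequence(plc_std, windows[:3]), len(seq))
    return seq, classify(seq, ref)


if __name__ == "__main__":
    print(demo())
```

The burst interval drops the cosine to about 0.78, a deviation of roughly 22% against the baseline of 1.0, but averaged over the eight intervals the sequence as a whole deviates by under 3%, so the outcome is the step 304 case: the value and its flow data are recorded without raising the step 104 alarm. Because the vectors only carry counts per instruction type, the same code works for any protocol whose parser emits an instruction type, which is the property the passage above attributes to the method.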
Referring to fig. 5, a schematic structural diagram of an embodiment of the Internet of Things flow audit device applicable to a whitelist policy according to the present invention is shown; it mainly includes a data acquisition module 401, a vector establishing module 402, a deep learning engine module 403 and an alarm module 404.
In this embodiment, the data acquisition module 401 is configured to collect flow data in an aggregation switch of the Internet of Things and identify the instruction type in the flow data, the flow data including first flow data within a first preset time period and second flow data acquired at preset time intervals.
The vector establishing module 402 is configured to establish a standard vector according to the instruction type of the first flow data, and to establish a monitoring vector according to the second flow data.
The deep learning engine module 403 is configured to calculate the included-angle cosine value between the standard vector and the monitoring vector to obtain a monitoring sequence, and to generate a reference function corresponding to the monitoring sequence.
The alarm module 404 is configured to issue a flow anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function is larger than a preset value.
Referring to fig. 6, a schematic structural diagram of another embodiment of the Internet of Things flow audit device applicable to a whitelist policy according to the present invention is shown. The main difference between fig. 6 and fig. 5 is that fig. 6 includes a monitoring sequence establishing unit 501 and a reference function generating unit 502.
In this embodiment, the deep learning engine module 403 specifically includes the monitoring sequence establishing unit 501 and the reference function generating unit 502.
In this embodiment, the monitoring sequence establishing unit 501 is configured to calculate, at each preset time interval, the included-angle cosine value between the standard vector and the monitoring vector, so as to obtain a monitoring sequence made up of a plurality of included-angle cosine values.
The reference function generating unit 502 is configured to input the monitoring sequence into a generative adversarial network and perform generative simulation with a genetic algorithm, so as to obtain the reference function corresponding to the monitoring sequence.
Compared with the prior art, the scheme has the following advantages:
1) A high degree of automation: the method introduces supervised machine learning, which makes the previously complex task of building a whitelist simple and feasible. Staff only need to judge and confirm alarm events; the system adjusts the standard vector and the threshold itself, and a workable supervision method is established after a period of use. Even if a security event occurs later, the flow at that time can be traced back and the policy adjusted automatically, so as to achieve the effect of preventing the security event.
2) Strong universality: the method also supports the establishment of a wide-area monitoring system. Because flow monitoring is built on a general vector model, the method can be extended across an industry: a security event occurring at certain sites of certain factories can also be used as training flow for all factories, all regions and even all industries, improving the defensive capability of other products.
3) Broad application prospects: because the vectors are standardised, the security product of the invention can be applied across the whole Internet of Things industry and is not tied to any particular industry.
According to the invention, the communication pattern of Internet of Things flow data is relatively fixed over a period of time. A standard vector is established from the first flow data within a first preset time period, second flow data are then collected at preset time intervals to form monitoring vectors, and the monitoring sequence and reference function required for flow auditing are formed by calculating included-angle cosine values. The reference function serves as the whitelist, and establishing the standard vector and the monitoring vectors does not depend on mastering or understanding each instruction, which avoids the difficulty existing whitelist policies have in mastering the instruction sequence in the flow. In addition, by comparing the deviation amplitude between the monitoring sequence and the reference function, changes in the instruction sequence can be identified rapidly without relying on a specific understanding of each instruction, realising real-time judgment of the flow security of the Internet of Things.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention, and are not to be construed as limiting the scope of the invention. It should be noted that any modifications, equivalent substitutions, improvements, etc. made by those skilled in the art without departing from the spirit and principles of the present invention are intended to be included in the scope of the present invention.

Claims (10)

1. An Internet of Things flow auditing method suitable for a whitelist policy, characterised by comprising the following steps:
collecting flow data in an aggregation switch of the Internet of Things and identifying the instruction type in the flow data, the flow data including first flow data in a first preset time period and second flow data acquired at preset time intervals;
establishing a standard vector according to the instruction type of the first flow data, and establishing a monitoring vector according to the second flow data;
calculating an included-angle cosine value between the standard vector and the monitoring vector to obtain a monitoring sequence, and generating a reference function corresponding to the monitoring sequence;
and when the deviation amplitude between the monitoring sequence and the reference function is larger than a preset value, issuing a flow anomaly alarm.
2. The Internet of Things flow auditing method suitable for a whitelist policy according to claim 1, characterised in that collecting flow data in the aggregation switch of the Internet of Things and identifying the instruction type in the flow data specifically comprises:
accessing the Internet of Things aggregation switch in bypass mode to acquire the flow data of the aggregation switch;
and performing protocol analysis and data stripping on the flow data to obtain the source address, source port, destination address, destination port, protocol type, variable parameters and the instruction type.
3. The Internet of Things flow auditing method suitable for a whitelist policy according to claim 1, characterised in that calculating the included-angle cosine value between the standard vector and the monitoring vector to obtain a monitoring sequence and generating a reference function corresponding to the monitoring sequence specifically comprises:
at each preset time interval, calculating the included-angle cosine value between the standard vector and the monitoring vector, so as to obtain the monitoring sequence made up of a plurality of included-angle cosine values;
and inputting the monitoring sequence into a generative adversarial network and performing generative simulation with a genetic algorithm, so as to obtain the reference function corresponding to the monitoring sequence.
4. The Internet of Things flow auditing method suitable for a whitelist policy according to claim 1, characterised in that after the step of issuing a flow anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function is larger than a preset value, the method comprises:
when more than a preset number of included-angle cosine values in the monitoring sequence deviate from the reference function by more than the preset value, prompting maintenance personnel to intervene, so that the maintenance personnel replace the problem equipment and carry out a security inspection of the problem equipment.
5. The Internet of Things flow auditing method suitable for a whitelist policy according to claim 1, characterised in that after the step of issuing a flow anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function is larger than a preset value, the method comprises:
when the included-angle cosine values over the whole period of the monitoring sequence deviate from the reference function by more than the preset value, saving the reference function and collecting the flow data in the aggregation switch of the Internet of Things again;
and calculating and forming a new reference function from the re-collected flow data.
6. The Internet of Things flow auditing method according to any one of claims 1-5, characterised in that after calculating the included-angle cosine value between the standard vector and the monitoring vector to obtain a monitoring sequence and generating a reference function corresponding to the monitoring sequence, the method comprises:
when the deviation amplitude between the monitoring sequence and the reference function is smaller than the preset value but the deviation amplitude between a particular included-angle cosine value and the reference function is larger than the preset value, recording that included-angle cosine value and its corresponding flow data as an anomaly.
7. The Internet of Things flow auditing method according to any one of claims 1-5, characterised in that the standard vector and the monitoring vector contain the various instruction types and the numbers corresponding to the various instruction types.
8. The Internet of Things flow auditing method according to claim 7, characterised in that the standard vector and the monitoring vector further contain weights for the various instruction types, the weights being obtained by weighting the various instruction types.
9. An Internet of Things flow audit device suitable for a whitelist policy, characterised by comprising a data acquisition module, a vector establishing module, a deep learning engine module and an alarm module;
the data acquisition module being configured to collect flow data in the aggregation switch of the Internet of Things and identify the instruction type in the flow data, the flow data including first flow data in a first preset time period and second flow data acquired at preset time intervals;
the vector establishing module being configured to establish a standard vector according to the instruction type of the first flow data, and to establish a monitoring vector according to the second flow data;
the deep learning engine module being configured to calculate an included-angle cosine value between the standard vector and the monitoring vector to obtain a monitoring sequence, and to generate a reference function corresponding to the monitoring sequence;
and the alarm module being configured to issue a flow anomaly alarm when the deviation amplitude between the monitoring sequence and the reference function is larger than a preset value.
10. The Internet of Things flow audit device suitable for a whitelist policy according to claim 9, characterised in that the deep learning engine module comprises a monitoring sequence establishing unit and a reference function generating unit;
the monitoring sequence establishing unit being configured to calculate, at each preset time interval, the included-angle cosine value between the standard vector and the monitoring vector, so as to obtain the monitoring sequence made up of a plurality of included-angle cosine values;
and the reference function generating unit being configured to input the monitoring sequence into a generative adversarial network and perform generative simulation with a genetic algorithm, so as to obtain the reference function corresponding to the monitoring sequence.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN202310385573.XA | 2023-04-11 | 2023-04-11 | Internet of things flow auditing method and device suitable for white list policy | Pending

Publications (1)

Publication Number | Publication Date
CN116389131A | 2023-07-04

Family

ID=86974799

Country Status (1)

Country | Link
CN | CN116389131A (en)
Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination