CN116582372A - Internet of things intrusion detection method, system, electronic equipment and storage medium - Google Patents

Publication number: CN116582372A
Authority: CN (China)
Prior art keywords: detection model, new, target detection, old, target
Legal status: Granted, active
Application number: CN202310860006.5A
Other languages: Chinese (zh)
Other versions: CN116582372B (en)
Inventors: 谭帅帅, 潘文俊, 薛润博, 唐靖豪, 黄泽楷, 陈磊
Current Assignee: Shenzhen Qianhai New Internet Switching Center Co ltd
Original Assignee: Shenzhen Qianhai New Internet Switching Center Co ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G06N3/048 Activation functions
    • G06N3/0499 Feedforward networks
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention relates to the technical field of network security, and discloses an Internet of things intrusion detection method, an Internet of things intrusion detection system, electronic equipment and a storage medium. The method comprises the steps of capturing intrusion flow data, obtaining a target network flow, carrying out feature extraction to obtain flow parameters, and inputting the flow parameters into a target detection model integrated with an incremental learning parameter updating algorithm to obtain a detection result. During training, an attack fingerprint layer of an old data set is expanded by a plurality of new sublayers to update an initial state of a target detection model into a first state, then a new output layer is added to update the first state into a second state, the target detection model is updated according to a cross distillation loss function and gradient descent, the new output layer and the old output layer are combined, old class data matched with preset features are deleted, new class data are added to update a memory, and finally the first loss function is utilized for optimization. The performance in detecting the legacy attack and the new attack can be ensured, and the network information security is improved.

Description

Internet of things intrusion detection method, system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an intrusion detection method and system for an internet of things, an electronic device, and a storage medium.
Background
With the continuous development of the internet, growing internet traffic reflects the migration of enterprise business online, the complexity of traffic sources and the diversification of the information carried. With the rapid development of the internet of things, millions of sensors and devices continuously generate data and exchange important information. Because the internet of things is a wide-ranging and highly open network, its security threats deserve greater attention.
In order to ensure network security, it is important to use intrusion detection mechanisms in the network environment. Previous work has shown that large-scale internet of things devices remain vulnerable to emerging vulnerabilities. Some internet of things scenarios, such as cyber-physical systems (CPS), are security-critical and, once compromised, can cause terrible damage to humans and the environment. To protect internet of things networks, conventional research has focused on modeling intrusions using Machine Learning (ML).
However, traditional intrusion detection models cannot be updated online and need complete access to all old training data during detection, so they are difficult to adapt to an internet of things attack environment with huge data volumes and rapid change.
Therefore, how to provide efficient intrusion detection for the rapidly changing attack environment of the internet of things is a problem to be solved.
Disclosure of Invention
To address the above technical problems, the invention provides an Internet of things intrusion detection method, an Internet of things intrusion detection system, electronic equipment and a storage medium, so as to provide efficient intrusion detection for rapidly changing Internet of things attack environments, ensure the performance of the Internet of things intrusion detection system in detecting legacy attacks and new attacks, and improve network information security.
In order to solve the above problems, an embodiment of the present invention provides an intrusion detection method for internet of things, including:
capturing the intrusion flow data of the Internet of things and obtaining a target network flow;
extracting characteristics of the target network flow to obtain flow parameters;
inputting the flow parameters into a target detection model for detection to obtain a detection result, wherein the detection result comprises a flow category;
the target detection model integrates an incremental learning parameter updating algorithm, the target detection model carries out parameter updating through the incremental learning parameter updating algorithm, and the incremental learning parameter updating algorithm is obtained through the following training:
expanding an attack fingerprint layer of an old data set with new sublayers of a plurality of neurons to update an initial state of the target detection model to a first state; the number of new sublayers of the neuron corresponds to the number of new attack categories in the new dataset;
adding a new output layer to the target detection model according to new class data to update the first state to a second state;
updating the target detection model according to the cross distillation loss function and gradient descent and combining a new output layer and an old output layer of the target detection model;
deleting old category data matched with preset features from the memory of the target detection model, and adding new category data to update the memory of the target detection model;
and optimizing the target detection model by using a first loss function.
Optionally, the initial state is:the first state is: />The method comprises the steps of carrying out a first treatment on the surface of the The second state is: />
wherein ,is a statistical feature of flow, +.>Is a neural network layer->Is a softmax layer,/->Is an attack fingerprint layer that generates probabilities for each attack traffic class and normal traffic class.
Optionally, the target detection model in the initial state is a DNN deep neural network; the predicted result of the DNN deep neural network is thatAnd the forward propagation model is +.>
wherein ,for the parameters of each level->For each level of output, ++>For the bias factor of each layer,and->,/>For inputting vectors, ++>For the number of layers of the neural network, < > >Is an activation function;
updating parameters of each level of the DNN deep neural network according to a second loss function and gradient descentThe second loss function is: />
Where n is the number of training samples, each sampleIncludes the number of the first i packets extracted +.>And true total packet count->,/>Is a super parameter that adjusts the super-long prediction penalty, < ->Is the threshold for controlling the determination of the overlength prediction,/-)>,/>Is a feature vector.
Optionally, the updating the target detection model according to the cross-distillation loss function and gradient descent and merging the new output layer and the old output layer of the target detection model includes:
according to the cross entropy loss function, gradient descent is carried out on the new data set and the old data set together so as to update the target detection model and obtain an old output layer;
gradient descent of the old data set according to the distillation loss to update the target detection model and obtain a new output layer;
the old output layer and the new output layer are merged.
Optionally, the cross-distillation loss function is:
wherein ,the method comprises the steps of carrying out a first treatment on the surface of the Distillation loss is defined as,/>Representation->Loss of distillation->Classifying the total number of layers for the old dataset, +.>Indicate->A classification layer; />,/>N is the total number of traffic samples in the new data set, T is the number of new attack categories in the new data set, S is the number of attack categories in the old data set, < > >For the real label of the sample, +.>G is a super parameter of temperature for the estimated probability of sample class.
Optionally, the deleting the old category data matched with the preset feature from the memory of the target detection model includes:
determining an average feature vector in the old category data;
obtaining a target distance between each old category data and the average feature vector;
judging whether the target distance is smaller than a preset boundary value or not;
and deleting the corresponding old category data from the memory of the target detection model when the target distance is greater than or equal to the preset boundary value.
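The memory update described in the four steps above, as an added Python example that is not code from the patent. Euclidean distance, the dictionary layout of the memory, the class labels, the feature values and the boundary value of 100 are assumptions constructed for illustration.

```python
import math

# Constructed sample memory: class label -> list of flow feature vectors
# (assumed features: mean packet length, mean inter-arrival time).
SAMPLE_MEMORY = {
    "old_attack_a": [[60.0, 0.10], [62.0, 0.12], [61.0, 0.11], [400.0, 2.0]],
    "normal": [[500.0, 0.50], [510.0, 0.55]],
}
# Constructed new category data to be added after pruning.
SAMPLE_NEW = {"new_attack_b": [[90.0, 0.01], [92.0, 0.02]]}


def mean_vector(vectors):
    """Component-wise mean of equal-length feature vectors."""
    dim = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def prune_class(vectors, boundary):
    """Split one old class into (kept, dropped) samples.

    The class mean is computed once over all stored samples; a sample is
    dropped when its distance to that mean is >= boundary, as in the text.
    """
    if not vectors:
        return [], []
    mu = mean_vector(vectors)
    kept, dropped = [], []
    for v in vectors:
        distance = math.dist(v, mu)  # Euclidean distance (assumed metric)
        (kept if distance < boundary else dropped).append(v)
    return kept, dropped


def update_memory(memory, new_class_data, boundary):
    """Prune every old class, then add the new category data.

    Returns (updated_memory, removed_counts) and leaves the inputs unchanged.
    """
    updated, removed = {}, {}
    for label, vectors in memory.items():
        kept, dropped = prune_class(vectors, boundary)
        updated[label] = kept
        removed[label] = len(dropped)
    for label, vectors in new_class_data.items():
        updated.setdefault(label, []).extend(vectors)
    return updated, removed


if __name__ == "__main__":
    updated, removed = update_memory(SAMPLE_MEMORY, SAMPLE_NEW, boundary=100.0)
    for label, vectors in updated.items():
        print(label, len(vectors), "samples kept; removed:", removed.get(label, 0))
```

Because the boundary comparison is strict, a sample lying exactly on the boundary is removed, which matches the "greater than or equal to" condition in the last step.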
Optionally, when the incremental learning parameter update algorithm is trained, after the optimizing the target detection model with the first loss function, the method further includes:
training the target detection model according to a stream length distribution algorithm, wherein the stream length distribution algorithm is as follows:
, wherein ,/>Representing different stream length intervals +.>Is a positive integer;
the method for inputting the flow parameters into the target detection model for detection to obtain a detection result specifically comprises the following steps:
and selecting a corresponding stream length section according to the actual stream length of the target network stream to detect so as to obtain a detection result.
In order to solve the above problems, the embodiment of the present invention further provides an intrusion detection system for the internet of things, the system comprising a network monitoring module, a flow processing module, an intrusion detection module and an incremental learning parameter updating module, wherein,
the network monitoring module is used for capturing the intrusion flow data of the Internet of things, obtaining a target network flow and transmitting the target network flow to the flow processing module;
the flow processing module is used for extracting the characteristics of the target network flow to obtain flow parameters and transmitting the flow parameters to the intrusion detection module;
the intrusion detection module is used for inputting the flow parameters into a target detection model for detection to obtain a detection result, wherein the detection result comprises a flow class;
the incremental learning parameter updating module is used for updating parameters of the target detection model through the incremental learning parameter updating algorithm, and the incremental learning parameter updating algorithm is obtained through the following training:
expanding an attack fingerprint layer of an old data set with new sublayers of a plurality of neurons to update an initial state of the target detection model to a first state; the number of new sublayers of the neuron corresponds to the number of new attack categories in the new dataset;
adding a new output layer to the target detection model according to new class data to update the first state to a second state;
updating the target detection model according to the cross distillation loss function and gradient descent and combining a new output layer and an old output layer of the target detection model;
deleting old category data matched with preset features from the memory of the target detection model, and adding new category data to update the memory of the target detection model;
and optimizing the target detection model by using a first loss function.
In order to solve the above problem, an embodiment of the present invention further provides an electronic device, including:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the internet of things intrusion detection method as described above.
To solve the above-mentioned problems, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program, which when executed by a processor, implements the method for intrusion detection of the internet of things as described above.
The technical scheme provided by the embodiment of the invention can comprise the following beneficial effects:
in the embodiment of the invention, the flow parameter is obtained by capturing the intrusion flow data of the Internet of things and obtaining the target network flow, then carrying out feature extraction, the flow parameter is input into a target detection model integrated with an incremental learning parameter updating algorithm, and a detection result is output. During training, expanding an attack fingerprint layer of an old data set by using new sublayers of a plurality of neurons to update the initial state of a target detection model into a first state, wherein the number of the new sublayers of the neurons corresponds to the number of new attack categories in the new data set; and adding a new output layer to the target detection model according to the new class data to update the first state to the second state, updating the target detection model according to the cross distillation loss function and gradient descent, merging the new output layer and the old output layer of the target detection model, deleting the old class data matched with the preset characteristics from the memory of the target detection model, adding the new class data to update the memory of the target detection model, and finally optimizing the target detection model by using the first loss function. 
In this way, both the parameters of the target detection model and the samples in its memory are updated, so the Internet of things intrusion detection method can keep learning new traffic while retaining its original detection accuracy on old traffic. This ensures its performance in detecting legacy attacks and new attacks and avoids the cost of retraining. It solves the problems that a traditional intrusion detection model cannot be updated online, needs complete access to all old training data during detection, and is difficult to adapt to an Internet of things attack environment with large data volumes and rapid change. The method can therefore provide efficient intrusion detection for the rapidly changing Internet of things attack environment and improve network information security.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a schematic diagram of an intrusion detection method of the internet of things according to an embodiment of the present invention.
Fig. 2 is a flow chart of an intrusion detection method of the internet of things according to an embodiment of the present invention.
Fig. 3 is a schematic flow chart of incremental learning parameter update algorithm training according to an embodiment of the present invention.
Fig. 4 is a schematic flow chart of an output layer of a merging target detection model according to an embodiment of the present invention.
Fig. 5 is a schematic flow chart of deleting old category data according to an embodiment of the present invention.
Fig. 6 is a schematic flow chart of training another incremental learning parameter update algorithm according to an embodiment of the present invention.
Fig. 7 is a functional block diagram of an intrusion detection system of the internet of things according to an embodiment of the present invention.
Fig. 8 is a functional block diagram of an incremental learning parameter update module according to an embodiment of the present invention.
Fig. 9 is a functional block diagram of a merging sub-module according to an embodiment of the present application.
Fig. 10 is a functional block diagram of a memory update sub-module according to an embodiment of the present application.
FIG. 11 is a functional block diagram of another incremental learning parameter update module according to an embodiment of the present application.
Fig. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Furthermore, in the description of the present specification and the appended claims, the terms "first" and "second" and the like are used solely to distinguish one from another, and are not to be construed as indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise.
The embodiment of the application provides an internet of things intrusion detection method. The execution subject of the method includes, but is not limited to, at least one electronic device, such as a server or a terminal, that can be configured to execute the method provided by the embodiment of the application. In other words, the internet of things intrusion detection method may be performed by software or hardware installed in a terminal device or a server device, where the software may be a blockchain platform. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. The server may be an independent server, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic diagram of an intrusion detection method of the internet of things according to an embodiment of the present invention. Fig. 2 is a flow chart of an intrusion detection method of the internet of things according to an embodiment of the present invention. The method for detecting the intrusion of the Internet of things comprises the following steps:
S101, capturing the intrusion flow data of the Internet of things and obtaining a target network flow.
S102, extracting characteristics of the target network flow to obtain flow parameters.
S103, inputting the flow parameters into a target detection model for detection to obtain a detection result, wherein the detection result comprises a flow category; the target detection model integrates an incremental learning parameter updating algorithm, and the target detection model performs parameter updating through the incremental learning parameter updating algorithm.
In the embodiment of the invention, the initial state of the target detection model is DNN deep neural network, and the DNN deep neural networkIs composed of input layer, hidden layer and output layer via network. The DNN deep neural network is defined as, wherein ,/>Is a statistical feature of flow, +.>Is a neural network layer->Is a softmax layer,/->Is an attack fingerprint layer that generates probabilities for each attack traffic class and normal traffic class.
Assume thatFor the predicted result, the forward propagation model of the DNN deep neural network is that
wherein ,for the parameters of each level->For each level of output, ++>For the bias factor of each layer, and +.>,/>For inputting vectors, ++>Is a neural netLayer number of collaterals, 10>To activate the function.
It can be appreciated that the prediction results of the forward propagation modelNamely +.>Is->
Further, in the embodiment of the present invention, parameters of each level of the DNN deep neural network may be updated according to the second loss function and gradient descent. Specifically, the second loss function is:
where n is the number of training samples, each sampleIncludes the number of the first i packets extracted +.>And true total packet count->,/>Is a super parameter that adjusts the super-long prediction penalty, < ->Is the threshold for controlling the determination of the overlength prediction,/-)>,/>Is a feature vector.
In step S101, internet of things intrusion traffic data may be captured by a honeypot system. In the embodiment of the invention, the honeypot system is an active defense technology: by deliberately exposing some vulnerabilities and setting baits, it lures attackers into attacking, so that the attack behavior can be captured and analyzed. The internet of things intrusion traffic data captured by the honeypot system is a traffic data set comprising abnormal traffic and normal traffic.
Specifically, capturing the intrusion traffic data of the internet of things and obtaining the target network flow in step S101 includes: capturing the internet of things intrusion traffic data and preprocessing it to obtain a target network flow.
More specifically, preprocessing the intrusion traffic data of the internet of things to obtain the target network flow includes: splitting the intrusion traffic data of the internet of things into individual flows and filtering noisy data packets to obtain a target network flow.
In the embodiment of the invention, the expression of the target network flow is as followsWhere n is the actual number of packets of the network flow,/->Representing an nth network flow packet.
Optionally, tools such as ppapplus or Tshark (Wireshark) may be used to split the captured intrusion traffic data of the internet of things into separate flows and filter noisy packets, so as to obtain a complete target network flow.
In step S102, the method for extracting features of the target network flow to obtain the flow parameter specifically includes: extracting a target network flowIs marked as +.>Extracted->Is a statistical feature of traffic including packet length, packet interval time, etc. Wherein->Is a feature extractor, m represents the number of feature values, and is determined by the feature values selected.
Referring to fig. 3, fig. 3 is a schematic flow chart of training an incremental learning parameter update algorithm according to an embodiment of the present invention. In the embodiment of the invention, the incremental learning parameter updating algorithm is obtained through the following training:
S11, expanding an attack fingerprint layer of an old data set by using new sublayers of a plurality of neurons so as to update an initial state of a target detection model into a first state; wherein the number of new sublayers of neurons corresponds to the number of new attack categories in the new dataset.
S12, adding a new output layer to the target detection model according to the new category data so as to update the first state to the second state.
S13, updating the target detection model according to the cross distillation loss function and gradient descent and combining the new output layer and the old output layer of the target detection model.
S14, deleting the old category data matched with the preset features from the memory of the target detection model, and adding the new category data to update the memory of the target detection model.
S15, optimizing the target detection model by using the first loss function.
It will be appreciated that the new data set contains new category data that includes both new attack categories and normal categories.
It will be appreciated that the attack fingerprint layer of the old data setNew sublayers with T neurons->And expanding to update the initial state of the target detection model to a first state, wherein T is the number of new attack categories in the new data set.
In the embodiment of the invention, S is defined as the number of attack categories in the old data set, and the input layer comprises the old data set during model updating,0≤/>S and New dataset +.>,S</>Data set +.T +.>Data set +.>Stored in Memory for use as the old data store next time.
In the embodiment of the invention, the new output layer is a new softmax layer, and the old output layer is an old softmax layer. The step S12 specifically includes: a new softmax layer is attached to the target detection model according to the new category data to update the first state to the second state. And, step S13 specifically includes: the target detection model is updated according to the cross-distillation loss function and gradient descent and the new and old softmax layers of the target detection model are combined.
In the embodiment of the invention, the initial state is as follows:. The first state is: />. The second state is:. wherein ,/>Is a statistical feature of flow, +.>Is a neural network layer->Is a softmax layer,/->Is an attack fingerprint layer that generates probabilities for each attack traffic class and normal traffic class.
It will be understood that the target detection model updated in step S13 is the target detection model updated in step S12 to the second state.
Specifically, in the embodiment of the present invention, the new softmax layer and the old softmax layer of the target detection model are combined into one softmax layer, and the specific expression is as follows:
wherein ,is an old softmax layer +.>For the new softmax layer,/>is a combined softmax layer.
Referring to fig. 4, fig. 4 is a flow chart of an output layer of a merging target detection model according to an embodiment of the invention. Specifically, the updating the target detection model according to the cross-distillation loss function and gradient descent and merging the new output layer and the old output layer of the target detection model in step S13 includes:
S131, according to the cross entropy loss function, gradient descent is carried out on the new data set and the old data set together, so that the target detection model is updated, and an old output layer is obtained.
S132, carrying out gradient descent on the old data set according to the distillation loss so as to update the target detection model and obtain a new output layer.
S133, combining the old output layer and the new output layer.
In the embodiment of the present invention, the old output layer and the new output layer are merged in step S133 by adding the vector of the old output layer to the vector of the new output layer and then averaging the result.
In the embodiment of the invention, the cross distillation loss function is:
wherein ,for cross entropy loss, define +.>. Define distillation loss as +.>,/>Representation of/>Loss of distillation- >Classifying the total number of layers for the old dataset, +.>Indicate->A classification layer; />,/>N is the total number of traffic samples in the new data set, T is the number of new attack categories in the new data set, S is the number of attack categories in the old data set, < >>For the real label of the sample, +.>G is a super parameter of temperature for the estimated probability of sample class.
Specifically, G is an empirical constant, typically taking the value 2.
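The following added example (not code from the patent) sketches a cross distillation loss of the kind described above, together with the averaging merge of step S133. It assumes the usual form of such a loss, namely cross entropy over all classes plus a temperature-softened distillation term computed on old-data samples over the old classes; the function names, the logit values and the requirement that both output vectors have equal length are assumptions.

```python
import math

G = 2.0  # temperature hyperparameter; the text gives 2 as the typical value


def softmax(logits, temperature=1.0):
    """Numerically stable softmax; temperature > 1 flattens the distribution."""
    scaled = [z / temperature for z in logits]
    peak = max(scaled)
    exps = [math.exp(z - peak) for z in scaled]
    total = sum(exps)
    return [e / total for e in exps]


def cross_entropy(logits, label):
    """Cross entropy of one sample against its true class index."""
    return -math.log(softmax(logits)[label])


def distillation(student_old_logits, teacher_logits, temperature=G):
    """Soft-target cross entropy between the previous model (teacher) and the
    updated model (student), both restricted to the old classes."""
    teacher = softmax(teacher_logits, temperature)
    student = softmax(student_old_logits, temperature)
    return -sum(t * math.log(s) for t, s in zip(teacher, student))


def cross_distillation_loss(batch, n_old):
    """batch: list of (student_logits, label, teacher_logits_or_None).

    student_logits covers old and new classes, old classes first.
    teacher_logits is given only for samples replayed from the old data set
    (assumption: new samples carry None and add no distillation term).
    """
    ce = sum(cross_entropy(logits, label) for logits, label, _ in batch)
    dist = sum(
        distillation(logits[:n_old], teacher)
        for logits, _, teacher in batch
        if teacher is not None
    )
    return (ce + dist) / len(batch)


def merge_outputs(old_probs, new_probs):
    """Step S133: add the two output vectors element-wise, then average."""
    if len(old_probs) != len(new_probs):
        raise ValueError("output vectors must have the same length")
    return [(a + b) / 2.0 for a, b in zip(old_probs, new_probs)]


# Constructed logits: classes 0 and 1 are old attack classes, class 2 is new.
TEACHER = [3.0, 1.0]              # previous model, old classes only
STUDENT_KEEP = [3.0, 1.0, 0.0]    # updated model that preserved old behaviour
STUDENT_DRIFT = [3.0, -3.0, 0.0]  # updated model that forgot class 1's profile

if __name__ == "__main__":
    for name, student in (("keep", STUDENT_KEEP), ("drift", STUDENT_DRIFT)):
        ce = cross_entropy(student, 0)
        total = cross_distillation_loss([(student, 0, TEACHER)], n_old=2)
        print(f"{name}: cross entropy={ce:.4f} total={total:.4f}")
    print(merge_outputs([0.6, 0.3, 0.1], [0.2, 0.5, 0.3]))
```

On the constructed logits the drifted model has the lower cross entropy but the higher total loss, which is the property that lets the distillation term hold detection of old attack classes in place during an update.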
In step S14, the old category data matched with the preset feature is deleted from the memory of the target detection model, and the new category data is added to update the memory of the target detection model, and the specific expression is as follows:
wherein ,representing the updated data set of Memory,/->Indicating the data set after deleting part of the old data, is->Representing the originally stored dataset,/->Representing old category data matching the preset features,representing new class data, 0.ltoreq.L ≡>≤S,S</>≤T。
In the embodiment of the invention, the representative old category data in the old data set is selected using a common distance measure such as the Euclidean distance or the Chebyshev distance. The method is specifically as follows:
Referring to fig. 5, fig. 5 is a schematic flow chart of deleting old category data according to an embodiment of the invention. Specifically, step S14 deletes old category data matching with the preset feature from the memory of the target detection model, including:
S141, determining average feature vectors in the old category data.
S142, obtaining the target distance between each old category data and the average feature vector.
S143, judging whether the target distance is smaller than a preset boundary value; if yes, go to step S144; otherwise, step S145 is performed.
S144, the old category data is reserved in the memory of the target detection model.
S145, deleting the corresponding old category data from the memory of the target detection model.
In the embodiment of the present invention, the preset boundary value is an empirical value obtained through a large number of experimental results, which is not particularly limited in the embodiment of the present invention.
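The following added example (not code from the patent) walks through steps S141 to S145 and the subsequent addition of new category data. The feature vectors, class labels and the boundary value 0.3 are constructed for illustration, and the function names are assumptions.

```python
import math


def euclidean(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def chebyshev(a, b):
    """Chebyshev distance: the largest per-feature difference."""
    return max(abs(x - y) for x, y in zip(a, b))


def mean_vector(vectors):
    """S141: average feature vector of one old category."""
    n = len(vectors)
    return [sum(column) / n for column in zip(*vectors)]


def prune_class(vectors, boundary, distance=euclidean):
    """S142-S145 for one old category.

    Returns (kept, deleted): a sample is kept when its distance to the class
    mean is smaller than the boundary value, otherwise it is deleted.
    """
    if not vectors:
        return [], []
    centre = mean_vector(vectors)
    kept, deleted = [], []
    for v in vectors:
        if distance(v, centre) < boundary:   # S143 -> S144
            kept.append(list(v))
        else:                                # S143 -> S145
            deleted.append(list(v))
    return kept, deleted


def update_memory(memory, new_data, boundary, distance=euclidean):
    """Prune every old category, then add the new category data.

    memory and new_data map a class label to a list of feature vectors.
    A label present in both (for example the normal class) is extended.
    The inputs are not modified.
    """
    updated = {}
    for label, vectors in memory.items():
        kept, _ = prune_class(vectors, boundary, distance)
        updated[label] = kept
    for label, vectors in new_data.items():
        updated.setdefault(label, []).extend(list(v) for v in vectors)
    return updated


# Constructed, already normalised two-feature samples (e.g. packet length and
# packet interval time); the last "scan" sample is an unrepresentative outlier.
OLD_MEMORY = {
    "scan": [[0.10, 0.20], [0.12, 0.22], [0.08, 0.18], [0.11, 0.19], [0.90, 0.95]],
    "bruteforce": [[0.50, 0.50], [0.52, 0.48], [0.49, 0.51]],
    "normal": [[0.31, 0.79], [0.29, 0.81]],
}
NEW_DATA = {
    "new_botnet": [[0.70, 0.10], [0.72, 0.12]],
    "normal": [[0.30, 0.80]],
}

if __name__ == "__main__":
    result = update_memory(OLD_MEMORY, NEW_DATA, boundary=0.3)
    for label, vectors in result.items():
        print(label, len(vectors), vectors)
```

Because the class mean is computed before pruning, a distant sample also pulls the mean towards itself; the boundary value has to be chosen with that in mind.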
For example, assuming that K old samples are reserved at most, the target detection model can identify class S traffic at most, the traffic space of each class isAfter training by the incremental learning parameter updating algorithm, the flow data set should be provided withThe traffic is stored in Memory for the next time as old data storage.
More specifically, the specific expression of adding new class data to update the memory of the target detection model is as follows:
The specific expression of deleting the old category data matched with the preset characteristics from the memory of the target detection model is as follows:
wherein ,is a statistical feature of flow, +.>Is->The feature vector set of this class, originally stored in Memory,/for the Memory>Is->Average value of this class,/>Sample data representing one of the S old sample categories of the old dataset.
In step S15, the first loss function is the Adam loss function. Fine-tuning the target detection model with the Adam loss function maximizes the fitting capacity of the target detection model to the training set. The specific expression is as follows:
As another alternative implementation, the first loss function may also be a mean square error loss function or a cross entropy loss function; the embodiments of the present invention are not specifically limited in this respect.
Referring to fig. 6, fig. 6 is a schematic flow chart of training another incremental learning parameter update algorithm according to an embodiment of the present invention. Further, when the incremental learning parameter updating algorithm is trained, after the target detection model is optimized by using the first loss function in step S15, the method for detecting the intrusion of the internet of things further includes:
S16, training a target detection model according to a stream length distribution algorithm.
In the embodiment of the invention, the stream length distribution algorithm is as follows:,/>is a positive integer. Wherein (1) >Representing different stream length intervals +.>Is a positive integer.
And, in step S103, the flow parameter is input to the target detection model for detection to obtain the detection result specifically as follows: the stream length interval corresponding to the actual stream length of the target network flow is selected, and detection is performed with it to obtain the detection result.
For example, training the target detection model according to the stream length distribution algorithm results in different stream length intervals,assuming that the actual flow length of one network flow is 25, call +.>The model of the flow length interval can map the flow to be detected to the corresponding classifier for classification detection, improves the response efficiency of the intrusion detection of the Internet of things,the detection precision is higher and more accurate.
In summary, in the embodiment of the invention, the target network flow is obtained by capturing the intrusion flow data of the internet of things and preprocessing, then the flow parameters are obtained by feature extraction, the flow parameters are input into the target detection model integrated with the incremental learning parameter updating algorithm, and the detection result is output. During training, the attack fingerprint layer of old data setNew sublayers with T neurons->Expanding to update the initial state of the target detection model to a first state, adding a new softmax layer to the target detection model according to new category data to update the first state to a second state, updating the target detection model according to a cross distillation loss function and gradient descent, merging the new softmax layer and the old softmax layer of the target detection model, deleting the old category data matched with the preset characteristics from the memory of the target detection model, adding the new category data to update the memory of the target detection model, and finally optimizing the target detection model by using the first loss function. 
By implementing the method, both the parameters of the target detection model and the samples in its memory are updated, so that the Internet of Things intrusion detection method can keep learning new traffic while retaining its original detection accuracy on old traffic. This preserves its performance in detecting both legacy attacks and new attacks and avoids the cost of retraining. It addresses the problems that a traditional intrusion detection model cannot be updated online, needs complete access to all old training data during detection, and is difficult to adapt to the large-data-volume, fast-changing attack environment of the Internet of Things. The method can therefore provide efficient intrusion detection for that environment and improve network information security.
In addition, by implementing the method, the target detection model can hold representative old samples, which are used to maintain the model's performance on old attack categories during updates, so that the target detection model retains efficient and good detection capability in resource-limited scenarios.
The invention also discloses an Internet of things intrusion detection system 100, as shown in fig. 7, fig. 7 is a functional block diagram of the Internet of things intrusion detection system provided by the embodiment of the invention. The internet of things intrusion detection system 100 may include a network monitoring module 101, a traffic processing module 102, an intrusion detection module 103, and an incremental learning parameter update module 104. The module of the invention, which may also be referred to as a unit, refers to a series of computer program segments, which are stored in the memory of the electronic device, capable of being executed by the processor of the electronic device and of performing a fixed function.
In the embodiment of the present invention, the functions of each module/unit are as follows:
the network monitoring module 101 is configured to capture intrusion traffic data of the internet of things, obtain a target network flow, and transmit the target network flow to the traffic processing module 102;
the flow processing module 102 is configured to perform feature extraction on the target network flow to obtain a flow parameter and transmit the flow parameter to the intrusion detection module 103;
the intrusion detection module 103 is configured to input a flow parameter to the target detection model for detection to obtain a detection result, where the detection result includes a flow class;
the incremental learning parameter updating module 104 is configured to update parameters of the target detection model through an incremental learning parameter updating algorithm.
In the embodiment of the invention, the initial state of the target detection model is a DNN deep neural network, and the DNN deep neural network consists of an input layer, a hidden layer and an output layer. The DNN deep neural network is defined as, wherein ,/>Is a statistical feature of flow, +.>Is a neural network layer->Is a softmax layer,/->Is an attack fingerprint layer that generates probabilities for each attack traffic class and normal traffic class.
Assume thatFor the predicted result, the forward propagation model of the DNN deep neural network is that
wherein ,for the parameters of each level->For each level of output, ++>For the bias factor of each layer, and +.>,/>For inputting vectors, ++>For the number of layers of the neural network, < >>To activate the function.
It can be appreciated that the prediction results of the forward propagation modelNamely +.>Is->
Further, the incremental learning parameter updating module 104 is further configured to update parameters of each level of the DNN deep neural network according to the second loss function and gradient descent . Specifically, the second loss function is: />
Where n is the number of training samples, each sampleIncludes the number of the first i packets extracted +.>And true total packet count->,/>Is a super parameter that adjusts the super-long prediction penalty, < ->Is the threshold for controlling the determination of the overlength prediction,/-)>,/>Is a feature vector.
Specifically, the network monitoring module 101 may capture the internet of things intrusion traffic data through a honeypot system.
Specifically, the network monitoring module 101 is configured to preprocess the Internet of Things intrusion traffic data to obtain a target network flow. More specifically, this preprocessing includes: splitting the Internet of Things intrusion traffic data into individual flows and filtering out noisy data packets to obtain the target network flow.
In the embodiment of the invention, the expression of the target network flow is as followsWhere n is the actual number of packets of the network flow,/->Representing an nth network flow packet.
Optionally, the network monitoring module 101 may use tools such as PcapPlusPlus or Tshark (Wireshark) to split the captured Internet of Things intrusion traffic data into separate flows and filter out noisy data packets, so as to obtain a complete target network flow.
Specifically, the flow processing module 102 performs feature extraction on the target network flow to obtain a flow parameter in a specific manner: extracting a target network flowIs marked as +.>Extracting, extractingIs a statistical feature of traffic including packet length, packet interval time, etc. Wherein->Is a feature extractor, m represents the number of feature values, and is determined by the feature values selected.
Referring to fig. 8, fig. 8 is a functional block diagram of an incremental learning parameter update module according to an embodiment of the present invention. As shown in fig. 8, the incremental learning parameter update module 104 includes:
A first updating sub-module 1041, configured to extend an attack fingerprint layer of an old data set with new sub-layers of a plurality of neurons, so as to update an initial state of the target detection model to a first state; wherein the number of new sublayers of neurons corresponds to the number of new attack categories in the new dataset.
The second updating sub-module 1042 is used for adding a new output layer to the target detection model according to the new class data to update the first state to the second state.
A merging sub-module 1043, configured to update the target detection model according to the cross distillation loss function and the gradient descent and merge the new output layer and the old output layer of the target detection model.
The memory updating sub-module 1044 is configured to delete old category data matching with the preset feature from the memory of the target detection model, and add new category data to update the memory of the target detection model.
An optimization submodule 1045 is configured to optimize the target detection model with the first loss function.
It will be appreciated that the new data set contains new category data that includes both new attack categories and normal categories.
It will be appreciated that the first update sub-module 1041 will attack the fingerprint layer of the old data setNew sublayers with T neurons->And expanding to update the initial state of the target detection model to a first state, wherein T is the number of new attack categories in the new data set.
In the embodiment of the invention, S is defined as the number of attack categories in the old data set, and the input layer comprises the old data set during model updating,0≤/>S and New dataset +.>,S</>Data set +.T +.>Data set +.>Stored in Memory for use as the old data store next time.
In the embodiment of the invention, the new output layer is a new softmax layer, and the old output layer is an old softmax layer. The second updating sub-module 1042 is specifically configured to attach a new softmax layer to the target detection model according to the new category data to update the first state to the second state. And, a merge sub-module 1043 is specifically configured to update the target detection model according to the cross-distillation loss function and gradient descent and merge the new and old softmax layers of the target detection model.
In the embodiment of the invention, the initial state is as follows:. The first state is: />. The second state is:. wherein ,/>Is a statistical feature of flow, +.>Is a neural network layer->Is a softmax layer,/->Is to generate each attack traffic class andattack fingerprint layer of normal traffic class probability.
It will be appreciated that the target detection model updated by the merging sub-module 1043 is the target detection model updated by the second updating sub-module 1042 to the second state.
Specifically, in an embodiment of the present invention, the merge submodule 1043 merges the new and old softmax layers of the target detection model into one softmax layer, as follows:
wherein ,is an old softmax layer +.>For the new softmax layer,/>is a combined softmax layer.
Referring to fig. 9, fig. 9 is a functional block diagram of a merging sub-module according to an embodiment of the invention. As shown in fig. 9, the merging sub-module 1043 includes:
A first updating unit 10431, configured to perform gradient descent on the new data set and the old data set together according to the cross entropy loss function, so as to update the target detection model and obtain an old output layer.
A second updating unit 10432, configured to gradient down the old data set according to the distillation loss, so as to update the target detection model and obtain a new output layer.
A merging subunit 10433, configured to merge the old output layer and the new output layer.
In the embodiment of the present invention, the merging subunit 10433 merges the old output layer and the new output layer by adding the vector of the old output layer to the vector of the new output layer and then averaging the result.
In the embodiment of the invention, the cross distillation loss function is as follows:
wherein ,for cross entropy loss, define +.>. Define distillation loss as +.>,/>Representation of/>Loss of distillation->Classifying the total number of layers for the old dataset, +.>Indicate->A classification layer;
,/>n is the total number of traffic samples in the new data set, T is the number of new attack categories in the new data set, S is the number of attack categories in the old data set, < >>For the real label of the sample, +.>G is a super parameter of temperature for the estimated probability of sample class.
Specifically, G is an empirical constant, typically taking the value 2.
Specifically, the memory updating sub-module 1044 deletes old category data matching with the preset feature from the memory of the target detection model, and adds new category data to update the memory of the target detection model, where the specific expression is as follows:
wherein ,representing the updated data set of Memory,/- >Indicating the data set after deleting part of the old data, is->Representing the originally stored dataset,/->Representing old category data matching the preset features,representing new class data, 0.ltoreq.L ≡>≤S,S</>≤T。
In the embodiment of the invention, the representative old category data in the old data set is selected using a common distance measure such as the Euclidean distance or the Chebyshev distance. The method is specifically as follows:
Referring to fig. 10, fig. 10 is a functional block diagram of a memory update sub-module according to an embodiment of the present invention. As shown in fig. 10, the memory update submodule 1044 includes:
a determining subunit 10441, configured to determine an average feature vector in the old category data.
An acquiring subunit 10442 is configured to acquire a target distance between each old category data and the average feature vector.
The judging subunit 10443 is configured to judge whether the target distance is smaller than a preset boundary value.
A retaining subunit 10444, configured to retain the old category data in the memory of the target detection model when the judging subunit 10443 judges that the target distance is smaller than the preset boundary value.
And a deleting subunit 10445, configured to delete the corresponding old category data from the memory of the target detection model when the determining subunit 10443 determines that the target distance is greater than or equal to the preset boundary value.
In the embodiment of the present invention, the preset boundary value is an empirical value obtained through a large number of experimental results, which is not particularly limited in the embodiment of the present invention.
Further, the memory update sub-module 1044 further includes an adding sub-unit 10446, and the adding sub-unit 10446 is configured to add new class data to update the memory of the target detection model.
For example, assuming that K old samples are reserved at most, the target detection model can identify class S traffic at most, the traffic space of each class isAfter training by the incremental learning parameter updating algorithm, the flow data set should be provided withThe traffic is stored in Memory for the next time as old data storage.
More specifically, the specific expression of adding new class data to update the memory of the target detection model is as follows:
The specific expression of deleting the old category data matched with the preset characteristics from the memory of the target detection model is as follows:
wherein ,is a statistical feature of flow, +.>Is->The feature vector set of this class, originally stored in Memory,/for the Memory>Is->Average value of this class,/>Sample data representing one of the S old sample categories of the old dataset.
Specifically, the first loss function is the Adam loss function. By fine-tuning the target detection model with the Adam loss function, the optimization sub-module 1045 maximizes the fitting capacity of the target detection model to the training set. The specific expression is as follows:
As another alternative implementation manner, the optimization submodule 1045 may also optimize the target detection model by using a mean square error loss function or a cross entropy loss function, which is not limited in particular by the embodiment of the present invention.
Further, referring to fig. 11, fig. 11 is a functional block diagram of another incremental learning parameter update module according to an embodiment of the present invention. As shown in fig. 11, the incremental learning parameter update module 104 may further include a stream length training submodule 1046, where the stream length training submodule 1046 is configured to train the target detection model according to a stream length distribution algorithm after the optimization submodule 1045 optimizes the target detection model with the first loss function.
In the embodiment of the invention, the stream length distribution algorithm is as follows:,/>is a positive integer. Wherein (1)>Representing different stream length intervals +.>Is a positive integer.
And, the intrusion detection module 103 inputs the flow parameter to the target detection model for detection to obtain the detection result specifically as follows: the stream length interval corresponding to the actual stream length of the target network flow is selected, and detection is performed with it to obtain the detection result.
In detail, each module in the internet of things intrusion detection system 100 in the embodiment of the present invention adopts the same technical means as the internet of things intrusion detection method described in fig. 2-6 and can produce the same technical effects when in use, and will not be described in detail herein.
The invention also discloses an electronic device 1, please refer to fig. 12, fig. 12 is a schematic structural diagram of the electronic device according to the embodiment of the invention.
The electronic device 1 may comprise at least one processor 10; and a memory 11 communicatively coupled to the at least one processor 10. Wherein the memory 11 stores a computer program executable by the at least one processor 10, the computer program being executable by the at least one processor 10 to enable the at least one processor 10 to perform the internet of things intrusion detection method as described above.
The processor 10 may in some embodiments be formed by an integrated circuit, for example a single packaged integrated circuit, or by a plurality of packaged integrated circuits with the same function or different functions, including one or more central processing units (Central Processing Unit, CPU), microprocessors, digital processing chips, graphics processors, combinations of various control chips, and so on. The processor 10 is the control core (control unit) of the electronic device 1; it connects the respective components of the entire electronic device 1 using various interfaces and lines, runs or executes programs or modules stored in the memory 11 (for example, an Internet of Things intrusion detection program), and invokes data stored in the memory 11 to perform various functions of the electronic device 1 and process the data.
Further, the modules/units integrated in the electronic device 1 may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as separate products. The computer readable storage medium may be volatile or nonvolatile. For example, the computer-readable storage medium may include: any entity or device capable of carrying the computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM).
The present invention also provides a computer readable storage medium comprising a computer program executable by the processor 10 to perform the Internet of Things intrusion detection method described above.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
The present embodiments are, therefore, to be considered as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
It should be understood that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and that although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. An intrusion detection method for the internet of things, which is characterized by comprising the following steps:
capturing the intrusion flow data of the Internet of things and obtaining a target network flow;
extracting characteristics of the target network flow to obtain flow parameters;
inputting the flow parameters into a target detection model for detection to obtain a detection result, wherein the detection result comprises a flow category;
the target detection model integrates an incremental learning parameter updating algorithm, the target detection model carries out parameter updating through the incremental learning parameter updating algorithm, and the incremental learning parameter updating algorithm is obtained through the following training:
expanding an attack fingerprint layer of an old data set with new sublayers of a plurality of neurons to update an initial state of the target detection model to a first state; the number of new sublayers of the neuron corresponds to the number of new attack categories in the new dataset;
Adding a new output layer to the target detection model according to new class data to update the first state to a second state;
updating the target detection model according to the cross distillation loss function and gradient descent and combining a new output layer and an old output layer of the target detection model;
deleting old category data matched with preset features from the memory of the target detection model, and adding new category data to update the memory of the target detection model;
and optimizing the target detection model by using a first loss function.
2. The internet of things intrusion detection method of claim 1, wherein: the initial state is as follows:the first state is:the method comprises the steps of carrying out a first treatment on the surface of the The second state is:
wherein ,is a statistical feature of flow, +.>Is a neural network layer->Is a softmax layer,/->Is an attack fingerprint layer that generates probabilities for each attack traffic class and normal traffic class.
3. The internet of things intrusion detection method of claim 2, wherein: the target detection model in the initial state is a DNN deep neural network; the predicted result of the DNN deep neural network is thatAnd the forward propagation model is
wherein ,for the parameters of each level->For each level of output, ++>For the bias factor of each layer, and +.>,/>For inputting vectors, ++>For the number of layers of the neural network, < >>Is an activation function;
updating parameters of each level of the DNN deep neural network according to a second loss function and gradient descentThe second loss function is: />
Where n is the number of training samples, each sampleIncludes the number of the first i packets extracted +.>And true total packet count->,/>Is a super parameter that adjusts the super-long prediction penalty, < ->Is the threshold for controlling the determination of the overlength prediction,/-)>,/>Is a feature vector.
4. The internet of things intrusion detection method of claim 1, wherein: the updating the target detection model according to the cross distillation loss function and gradient descent and combining the new output layer and the old output layer of the target detection model comprises the following steps:
according to the cross entropy loss function, gradient descent is carried out on the new data set and the old data set together so as to update the target detection model and obtain an old output layer;
gradient descent of the old data set according to the distillation loss to update the target detection model and obtain a new output layer;
the old output layer and the new output layer are merged.
5. The internet of things intrusion detection method of claim 4, wherein: the cross distillation loss function is:
wherein ,the method comprises the steps of carrying out a first treatment on the surface of the Distillation loss is defined as,/>Representation->Loss of distillation->Classifying the total number of layers for the old dataset, +.>Indicate->A classification layer; />,/>N is the total number of traffic samples in the new data set, T is the number of new attack categories in the new data set, S is the number of attack categories in the old data set, < >>For the real label of the sample, +.>G is a super parameter of temperature for the estimated probability of sample class.
6. The internet of things intrusion detection method of claim 1, wherein: the deleting the old category data matched with the preset characteristics from the memory of the target detection model comprises the following steps:
determining an average feature vector in the old category data;
obtaining a target distance between each item of old category data and the average feature vector;
determining whether the target distance is smaller than a preset boundary value;
and deleting the corresponding old category data from the memory of the target detection model when the target distance is greater than or equal to the preset boundary value.
7. The internet of things intrusion detection method of claim 1, wherein: during training of the incremental learning parameter update algorithm, after the optimizing the target detection model using the first loss function, the method further includes:
training the target detection model according to a stream length distribution algorithm, wherein the stream length distribution algorithm is as follows:
, wherein ,/>Representing different stream length intervals +.>Is a positive integer;
the inputting of the flow parameters into the target detection model for detection to obtain a detection result specifically comprises:
selecting the stream length interval corresponding to the actual stream length of the target network stream and performing detection on it to obtain the detection result.
8. An Internet of things intrusion detection system, characterized by comprising a network monitoring module, a flow processing module, an intrusion detection module and an incremental learning parameter updating module, wherein:
the network monitoring module is used for capturing the intrusion flow data of the Internet of things, obtaining a target network flow and transmitting the target network flow to the flow processing module;
the flow processing module is used for extracting the characteristics of the target network flow to obtain flow parameters and transmitting the flow parameters to the intrusion detection module;
the intrusion detection module is used for inputting the flow parameters into a target detection model for detection to obtain a detection result, wherein the detection result comprises a flow class;
the incremental learning parameter updating module is used for updating parameters of the target detection model through the incremental learning parameter updating algorithm, and the incremental learning parameter updating algorithm is obtained through the following training:
expanding an attack fingerprint layer of an old data set with new sublayers of a plurality of neurons to update an initial state of the target detection model to a first state; the number of new sublayers of the neuron corresponds to the number of new attack categories in the new dataset;
adding a new output layer to the target detection model according to new class data to update the first state to a second state;
updating the target detection model according to the cross distillation loss function and gradient descent and combining a new output layer and an old output layer of the target detection model;
deleting old category data matched with preset features from the memory of the target detection model, and adding new category data to update the memory of the target detection model;
and optimizing the target detection model by using a first loss function.
9. An electronic device, the electronic device comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the internet of things intrusion detection method according to any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the internet of things intrusion detection method according to any one of claims 1 to 7.
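An added example (not code from the patent) of the loss described in claims 4 and 5 and the memory pruning in claim 6. The claim formulas are missing from this page, so the loss uses the common cross-distilled form (cross entropy plus a temperature-softened distillation term over the old-class outputs); that form, the Euclidean metric, averaging over the batch size and all function names are assumptions, with `temperature` standing for G and `num_old` for S.

```python
import math

def softmax(logits, temperature=1.0):
    """Stable softmax; a temperature above 1 flattens the distribution."""
    scaled = [z / temperature for z in logits]
    peak = max(scaled)
    exps = [math.exp(z - peak) for z in scaled]
    total = sum(exps)
    return [e / total for e in exps]

def cross_entropy(target, predicted, eps=1e-12):
    """Cross entropy between a target distribution and a prediction."""
    return -sum(t * math.log(max(p, eps)) for t, p in zip(target, predicted))

def cross_distilled_loss(new_logits, old_logits, labels, num_old, temperature=2.0):
    """Return (classification, distillation, total) averaged over the batch.
    new_logits: updated model outputs over old + new classes, per sample.
    old_logits: frozen previous model outputs over the old classes, or None
                for a sample that takes no part in distillation (assumption).
    """
    n = len(labels)
    ce = dist = 0.0
    for z_new, z_old, y in zip(new_logits, old_logits, labels):
        one_hot = [1.0 if k == y else 0.0 for k in range(len(z_new))]
        ce += cross_entropy(one_hot, softmax(z_new))
        if z_old is not None:
            # Soften both old-class outputs with the same temperature.
            dist += cross_entropy(softmax(z_old, temperature),
                                  softmax(z_new[:num_old], temperature))
    return ce / n, dist / n, (ce + dist) / n

def prune_memory(samples, boundary):
    """Split one old class's stored feature vectors into (kept, removed).
    A vector is removed when its Euclidean distance (assumed metric) to the
    class mean is greater than or equal to the boundary, as in claim 6.
    """
    if not samples:
        return [], []
    mean = [sum(col) / len(samples) for col in zip(*samples)]
    kept, removed = [], []
    for vec in samples:
        (kept if math.dist(vec, mean) < boundary else removed).append(vec)
    return kept, removed

if __name__ == "__main__":
    # Constructed batch: 2 old classes, 1 new class, one replayed old sample.
    print(cross_distilled_loss([[2.0, 0.5, 0.1]], [[2.0, 0.5]], [0], num_old=2))
    # Constructed exemplars: the last vector is an outlier and gets removed.
    print(prune_memory([[0.0, 0.0], [0.2, 0.0], [0.0, 0.2], [4.0, 4.0]], 2.0))
```

A boundary that is too tight removes every stored vector of a class, which leaves the model with no replay data for that attack category; check the size of `kept` before committing the new memory.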
CN202310860006.5A 2023-07-13 2023-07-13 Internet of things intrusion detection method, system, electronic equipment and storage medium Active CN116582372B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310860006.5A CN116582372B (en) 2023-07-13 2023-07-13 Internet of things intrusion detection method, system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310860006.5A CN116582372B (en) 2023-07-13 2023-07-13 Internet of things intrusion detection method, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116582372A (en) 2023-08-11
CN116582372B (en) 2023-09-26

Family

ID=87536433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310860006.5A Active CN116582372B (en) 2023-07-13 2023-07-13 Internet of things intrusion detection method, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116582372B (en)

Also Published As

Publication number Publication date
CN116582372B (en) 2023-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant