CN116743507B - Intrusion detection method and system based on intelligent door lock - Google Patents


Info

Publication number
CN116743507B
Authority
CN
China
Prior art keywords
network traffic
traffic data
intrusion detection
door lock
intelligent door
Legal status
Active
Application number
CN202311020708.9A
Other languages
Chinese (zh)
Other versions
CN116743507A (en)
Inventor
付艳庆
陈磊
刘佳琪
Current Assignee
Beijing Gw Delight Communication Technology Co ltd
Gw Delight Technology Co ltd
Beijing Gw Technologies Co ltd
Original Assignee
Beijing Gw Delight Communication Technology Co ltd
Gw Delight Technology Co ltd
Beijing Gw Technologies Co ltd
Application events
Application filed by Beijing Gw Delight Communication Technology Co ltd, Gw Delight Technology Co ltd and Beijing Gw Technologies Co ltd
Priority to CN202311020708.9A
Publication of CN116743507A
Application granted
Publication of CN116743507B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F 18/24 Classification techniques
    • G06F 18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F 18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines

Abstract

The application relates to the technical field of intrusion detection, in particular to an intrusion detection method and system based on an intelligent door lock. The intrusion detection method based on the intelligent door lock comprises the following steps: acquiring network traffic data from the network environment of an intelligent door lock; preprocessing the network traffic data and marking the normal network traffic data in the preprocessed data by using a label classification model; training an intrusion detection model on a data subset of the normal network traffic data; and using the trained intrusion detection model together with the label classification model to monitor network traffic data in the network environment of the intelligent door lock in real time, generating and executing a corresponding response mechanism through a response mechanism model. The method provides comprehensive network security protection for the intelligent door lock, so that it can cope with increasingly complex and diversified network threats, bringing users a better experience and stronger security protection.

Description

Intrusion detection method and system based on intelligent door lock
Technical Field
The application relates to the technical field of intrusion detection, in particular to an intrusion detection method and system based on an intelligent door lock.
Background
Intelligent door locks are now widely deployed as important security devices in homes and businesses. However, once an intelligent door lock is connected to a network, it is exposed to a number of potential threats from that network. A network attacker may attempt to gain illegal access rights, tamper with door lock settings or data, or carry out other malicious activities through the data transmitted over the network.
In terms of home security, the intelligent door lock allows a family member to remotely control the door lock by using a mobile phone application by connecting with a home Wi-Fi network, thereby authorizing a legal user to enter home. However, network attacks may exploit vulnerabilities in the home Wi-Fi network in an attempt to gain unauthorized access rights into the home, thereby posing a threat to home properties and privacy.
In business and enterprise locations, intelligent door locks are often used to control access to areas such as offices, conference rooms, and warehouses. These areas may contain sensitive information, valuable equipment or confidential documents, and therefore the security requirements for the door lock are particularly stringent. A malicious attacker may attempt to hack the intelligent door lock, gain unauthorized access rights, steal or damage valuable assets, and even steal business secrets, posing a threat to enterprise security.
Therefore, in order to protect the smart door lock from these threats, an efficient intrusion detection method needs to be applied to ensure the security and privacy of the home and business.
Disclosure of Invention
Aiming at the defects in the prior art and the demands of practical application, the application provides an intrusion detection method based on an intelligent door lock, which detects and responds to intrusion behaviour by monitoring and analysing network traffic in the network environment of the intelligent door lock, thereby ensuring the security of that network environment. The method comprises the following steps: acquiring network traffic data from the network environment of an intelligent door lock; preprocessing the network traffic data and marking the preprocessed data with a label classification model to obtain a network traffic data set, which comprises a normal network traffic data set; dividing the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset, and training an intrusion detection model with these two subsets; combining the trained intrusion detection model with the label classification model to monitor network traffic data in the network environment of the intelligent door lock in real time; and generating and executing a corresponding response mechanism through the response mechanism model according to the real-time monitoring result. The method first labels the preprocessed network traffic data with the label classification model, then divides the normal network traffic data set into a normal subset and a risk subset, and trains the intrusion detection model on both, so as to achieve fine-grained monitoring of network traffic and detection of abnormal behaviour.
Furthermore, by combining the intrusion detection module, the label classification module and the response mechanism module, the network environment of the intelligent door lock can be monitored in real time, and corresponding response measures are generated and executed by the response mechanism module according to the monitoring result, so that system security is improved in all respects and both the user's information and the stable operation of the intelligent door lock are protected.
Optionally, acquiring network traffic data from the network environment of the intelligent door lock includes the following steps: installing network monitoring equipment in the network environment and acquiring network traffic data with it; or installing packet capturing software in the network environment and acquiring network traffic data with it; or reading the network log records in the network environment and acquiring the network traffic data from them. This option provides three modes (network monitoring equipment, packet capturing software and network log records) for acquiring network traffic data from the network environment of the intelligent door lock, increases the flexibility and adaptability of data acquisition, allows a suitable acquisition mode to be chosen according to actual conditions, and improves the efficiency and accuracy of data collection.
Optionally, labeling the preprocessed network traffic data with the label classification model includes the following steps: selecting one or more features in the preprocessed network traffic data; setting an abnormal boundary for each feature and constructing a label classification model from the abnormal boundaries; using the label classification model to linearly classify the preprocessed network traffic data; and generating a normal network traffic data set and an abnormal network traffic data set according to the linear classification result. By setting abnormal boundaries and building the label classification model, this option makes the labeling of network traffic data more flexible and efficient, can accurately separate normal from abnormal data, and provides effective data labels for the subsequent intrusion detection.
Optionally, the label classification model is F(x) = f_1(x_1) OR f_2(x_2) OR ... OR f_N(x_N), wherein x = (x_1, ..., x_N) represents a feature vector consisting of a plurality of features, x_n represents the nth feature in the feature vector, N represents the number of features in the feature vector x, f_n(x_n) represents the judgment function set from the abnormal boundary of the nth feature (f_n(x_n) = 1 when the abnormal boundary of the nth feature is satisfied and f_n(x_n) = 0 when it is not), OR represents OR logic, and F(x) represents the judgment function of the feature vector x: when F(x) = 1 the network traffic data characterized by x is abnormal network traffic data, and when F(x) = 0 it is normal network traffic data.
Optionally, dividing the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset includes the following steps: building a risk coefficient evaluation model from a plurality of features in the normal network traffic data set; evaluating the risk coefficient of each piece of network traffic data in the normal network traffic data set with the risk coefficient evaluation model; setting a risk coefficient threshold and comparing it with the risk coefficients to divide the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset. With this option, the risk coefficient of the network traffic data is evaluated from multiple features in the normal network traffic data set, the data set is further refined, abnormal behaviour patterns can be captured better, and the accuracy of the intrusion detection model is improved.
Optionally, the risk coefficient evaluation model satisfies the following formula [formula not reproduced in the extracted text], wherein the risk coefficient of the feature vector of the i-th sample in the normal network traffic data set is computed from the risk coefficients of its M features; the risk coefficient of the mth feature of the i-th sample's feature vector is one term; M represents the number of features in the feature vector of the i-th sample; the number of times the mth feature of the i-th sample's feature vector appears in the whole normal network traffic data set enters the model, together with the risk specific gravity (weight) of the mth feature of the i-th sample's feature vector.
Optionally, the real-time monitoring of the network traffic data in the network environment of the intelligent door lock by using the trained intrusion detection model in combination with the tag classification model includes the following steps: respectively deploying a network traffic acquisition model, a label classification model and an intrusion detection model in the network environment; performing preliminary classification on the real-time network traffic data captured by the network traffic acquisition model by using the label classification model; and detecting the preliminary classification result again by using the intrusion detection model so as to determine risk network traffic data.
Optionally, the intrusion detection model includes a classifier based on the SVM principle, which divides the network traffic data in the normal network traffic data set obtained after preliminary classification into normal network traffic data and risk network traffic data. The classifier based on the SVM principle adopted by this option can effectively separate normal network traffic from potentially risky network traffic, has higher accuracy and stability, and can effectively identify intrusion behaviour.
Optionally, generating and executing the corresponding response mechanism through the response mechanism model according to the real-time monitoring result includes the following steps: setting a response mechanism model, wherein the response mechanism model comprises a response rule base; and executing the corresponding response rule according to the real-time monitoring result through the response mechanism model. This option combines the response rule base with the real-time monitoring results to generate and execute corresponding response actions according to the intrusion detection results, improving the system's ability to cope with abnormal events and its level of automated handling.
In a second aspect, in order to better execute the intrusion detection method based on the intelligent door lock, the application further provides an intrusion detection system based on the intelligent door lock. The system includes one or more processors, one or more input devices, one or more output devices and a memory, wherein the processor, the input device, the output device and the memory are connected through a bus, the memory is used for storing a computer program comprising program instructions, and the processor is configured to call the program instructions to execute the intrusion detection method based on the intelligent door lock provided by the first aspect of the application. The intrusion detection system based on the intelligent door lock provided by the application can greatly improve the security, real-time performance, accuracy, self-adaptation and flexibility of the intelligent door lock on the basis of the intrusion detection method, so that various security threats and intrusion behaviours can be dealt with better and more reliable intelligent door lock services can be provided to users.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. Like elements or portions are generally identified by like reference numerals throughout the several figures. In the drawings, elements or portions thereof are not necessarily drawn to scale.
Fig. 1 is a flowchart of an intrusion detection method based on an intelligent door lock according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an intrusion detection system based on an intelligent door lock according to an embodiment of the present application.
Detailed Description
Embodiments of the technical scheme of the present application will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and thus are merely examples, and are not intended to limit the scope of the present application.
It is noted that unless otherwise indicated, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs.
In an alternative embodiment, please refer to fig. 1, fig. 1 is a flowchart of an intrusion detection method based on an intelligent door lock according to an embodiment of the present application. As shown in fig. 1, the intrusion detection method based on the intelligent door lock provided by the application comprises the following steps:
S01, acquiring network traffic data from the network environment of the intelligent door lock.
It should be understood that the network environment described in step S01 refers to the network environment in which the smart door lock is connected to the internet or a local area network. Smart door locks are typically connected to the network via Wi-Fi, Ethernet, or another communication protocol, allowing a user to control the door lock, authorize access or obtain the door lock status, etc. via a mobile phone application, a remote server, or another device.
The network traffic data refers to data traffic generated when the smart door lock communicates with other devices, servers, or users. The data traffic may be various forms of network traffic packets that contain information exchanged and transmitted between the communicating parties, such as control instructions, user authentication information, status data, etc.
In particular, the network traffic data includes, but is not limited to, the following information (the specific fields depend on the packet type and protocol): the source IP address (the IP address of the device sending the packet), the destination IP address (the IP address of the device the packet is sent to), the source port number (identifying the application or service sending the packet), the destination port number (identifying the application or service the packet is sent to), the protocol type (the network protocol used by the packet), the packet content (depending on the protocol and communication content, the packet may carry control instructions, authentication information, sensor data, etc.), and the timestamp (the time at which the packet was sent or received).
Further, step S01 of obtaining the network traffic data from the network environment of the intelligent door lock may be implemented by means of a network monitoring device, packet capturing software, reading of network log records, and the like. For example, in the network environment where the smart door lock is located, a network monitoring device or sensor capable of intercepting and recording data packets transmitted over the network, such as a network traffic analyzer, is deployed. Or packet capturing software such as Wireshark is installed on network equipment (such as home routers and switches) connected with the intelligent door lock so as to monitor network traffic in real time and record the content of data packets. Or the network logging function is enabled on network equipment connected with the intelligent door lock to record network traffic entering and leaving the intelligent door lock, including information such as the source and destination addresses and ports of data packets.
S02, preprocessing the network traffic data, and marking the preprocessed network traffic data by using a label classification model to obtain a network traffic data set, wherein the network traffic data set comprises a normal network traffic data set.
In this embodiment, the preprocessing the network traffic data includes, but is not limited to, performing operations such as feature extraction, data conversion, and data cleaning on the acquired network traffic data.
Specifically, feature extraction refers to extracting useful features from the network traffic data, such as the source IP address, destination IP address, port number, protocol type, packet size, and the like. Data conversion refers to converting the extracted features into a numerical form for subsequent processing, for example converting categorical features into binary vectors using encoding techniques such as One-Hot Encoding, or scaling numerical features into the same numerical range using normalization. Data cleaning means handling missing values, abnormal values and duplicate data, ensuring that the quality of the input network traffic data is good.
In an optional embodiment, to label that abnormal network traffic data exists in the network traffic data, the preprocessing of the network traffic data in step S02 and the data labeling of the preprocessed network traffic data by using a label classification model include the following steps:
S021, selecting one or more features in the preprocessed network traffic data.
It should be appreciated that when preprocessing network traffic data, a number of useful features may be extracted to aid in data tagging and subsequent intrusion detection model training, such as: source IP address, destination IP address, source port number, destination port number, protocol type, packet size, timestamp, etc.
Further, the features selected in step S021 may be all features in the preprocessing process or may be part of features in the preprocessing process.
In this embodiment, a feature having a higher differentiation for distinguishing normal network traffic from abnormal network traffic is selected. These features should be able to present a large difference between normal traffic and attack traffic so that the classification model can better distinguish them.
In other one or some embodiments, the availability of features and computational cost may also be considered in selecting features. Features should be easily available in practical systems and computationally inexpensive to ensure real-time and efficient label classification models.
S022, setting an abnormal boundary of the feature, and constructing a label classification model by utilizing the abnormal boundary.
An anomaly boundary is a threshold value used to divide normal and anomalous data, such as a packet size exceeding a certain value, a source IP address not being within a particular range, etc.
Further, according to the set abnormal boundary, the constructed label classification model refers to a classifier for distinguishing normal network traffic from abnormal network traffic. The classifier classifies data into two categories based on the characteristics selected from the preprocessed network traffic data according to the set abnormal boundary: normal network traffic and abnormal network traffic.
In this embodiment, the label classification model built from the abnormal boundaries is F(x) = f_1(x_1) OR f_2(x_2) OR ... OR f_N(x_N), wherein F(x) represents the judgment function of the feature vector x, x = (x_1, ..., x_N) represents a feature vector consisting of a plurality of features, x_n represents the nth feature in the feature vector, n = 1, ..., N, N represents a positive integer (the number of features), f_n(x_n) represents the judgment function set from the abnormal boundary of the nth feature (f_n(x_n) = 1 when the abnormal boundary of the nth feature is satisfied and f_n(x_n) = 0 when it is not), and OR represents OR logic. Further, when F(x) = 1 the network traffic data characterized by the feature vector x is abnormal network traffic data, and when F(x) = 0 it is normal network traffic data.
The label classification model proposed in the present embodiment is an abnormality classification based on a feature having a higher degree of distinction, and specifically, data is marked as abnormal as long as an abnormality boundary condition of a feature having a higher degree of distinction is not satisfied. Such a label classification model can quickly determine whether network traffic data is abnormal by focusing only on features with high discrimination, without requiring excessive complicated calculation and analysis. Therefore, such a model provides an effective pre-screening step for subsequent intrusion detection models, allowing the subsequent models to learn more detailed and complex anomaly classification criteria more intensively.
S023, utilizing the label classification model to conduct linear classification on the preprocessed network flow data.
Further, step S023 uses the label classification model constructed above to perform linear classification on the preprocessed network traffic data.
In this embodiment, the label classification model is constructed based on the feature with higher distinction and the set abnormal boundary, and further the preprocessed network traffic data may be linearly classified into normal network traffic data or abnormal network traffic data.
S024, generating a normal network flow data set and an abnormal network flow data set according to the linear classification result.
Step S024 classifies the preprocessed network traffic data into two different categories according to the linear classification result: a normal network traffic data set and an abnormal network traffic data set.
Further, the normal network traffic data set contains network traffic data determined to be normal by the tag classification model. These data are identified as data without abnormal behavior in the preprocessing stage, without obvious abnormal features, but contain some potentially risky data, i.e. some unusual malicious network behavior may exist. The abnormal network traffic data set contains network traffic data determined to be abnormal by the tag classification model. These anomaly data are those network traffic that have significant anomalies in the selected features.
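The label classification stage of steps S021 to S024, as an added example that is not part of the patent: each judgment function f_n returns 1 when its feature violates the abnormal boundary (the 0/1 convention, the boundary values, the trusted address range and the allowed ports are all assumptions for a home LAN deployment), and the label model is the OR of those functions over a constructed set of preprocessed flow records.

```python
"""Label classification stage (steps S021-S024).

F(x) = f_1(x) OR ... OR f_N(x); a record is abnormal as soon as any one
per-feature abnormal boundary fires. Convention (assumed): f_n(x) = 1 means
feature n violates its boundary.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

Flow = dict

# Constructed, preprocessed flow records (not real capture data). Fields follow
# the features the description lists: address, port, protocol, size, rate.
FLOWS: List[Flow] = [
    {"id": 1, "src_ip": "192.168.1.20", "dst_port": 443,  "proto": "TCP", "size": 512,  "req_per_min": 4},
    {"id": 2, "src_ip": "192.168.1.21", "dst_port": 443,  "proto": "TCP", "size": 9800, "req_per_min": 5},
    {"id": 3, "src_ip": "203.0.113.7",  "dst_port": 443,  "proto": "TCP", "size": 600,  "req_per_min": 3},
    {"id": 4, "src_ip": "192.168.1.22", "dst_port": 23,   "proto": "TCP", "size": 300,  "req_per_min": 2},
    {"id": 5, "src_ip": "192.168.1.23", "dst_port": 443,  "proto": "TCP", "size": 700,  "req_per_min": 90},
    {"id": 6, "src_ip": "192.168.1.24", "dst_port": 8883, "proto": "TCP", "size": 450,  "req_per_min": 6},
]

# Abnormal boundaries (assumed values for a home LAN deployment).
TRUSTED_NET = ip_network("192.168.1.0/24")   # the lock should only see LAN peers
ALLOWED_PORTS = {443, 8883}                   # HTTPS and MQTT over TLS
MAX_PACKET_SIZE = 4096                        # bytes
MAX_REQ_PER_MIN = 60                          # requests per minute


def f_size(flow: Flow) -> int:
    """Judgment function for packet size: 1 when the size boundary is exceeded."""
    return int(flow["size"] > MAX_PACKET_SIZE)


def f_src(flow: Flow) -> int:
    """Judgment function for source address: 1 when outside the trusted range."""
    return int(ip_address(flow["src_ip"]) not in TRUSTED_NET)


def f_port(flow: Flow) -> int:
    """Judgment function for destination port: 1 when not an allowed service port."""
    return int(flow["dst_port"] not in ALLOWED_PORTS)


def f_rate(flow: Flow) -> int:
    """Judgment function for request rate: 1 when the rate boundary is exceeded."""
    return int(flow["req_per_min"] > MAX_REQ_PER_MIN)


JUDGMENTS: Dict[str, Callable[[Flow], int]] = {
    "size": f_size, "src_ip": f_src, "dst_port": f_port, "rate": f_rate,
}


def label_model(flow: Flow) -> int:
    """F(x): OR over all f_n(x); 1 marks abnormal traffic, 0 normal traffic."""
    return int(any(f(flow) for f in JUDGMENTS.values()))


def fired_boundaries(flow: Flow) -> List[str]:
    """Names of the per-feature boundaries that fired, for explaining a label."""
    return [name for name, f in JUDGMENTS.items() if f(flow)]


def split_by_label(flows: List[Flow]) -> Tuple[List[int], List[int]]:
    """Step S024: (normal ids, abnormal ids) from the linear classification."""
    normal, abnormal = [], []
    for flow in flows:
        (abnormal if label_model(flow) else normal).append(flow["id"])
    return normal, abnormal


if __name__ == "__main__":
    normal_ids, abnormal_ids = split_by_label(FLOWS)
    print("normal set:", normal_ids)      # flows that go on to the risk split
    print("abnormal set:", abnormal_ids)  # flows already labelled abnormal
    for flow in FLOWS:
        if label_model(flow):
            print(f"flow {flow['id']}: fired {fired_boundaries(flow)}")
```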
S03, dividing the normal network flow data set into a normal network flow data subset and a risk network flow data subset, and training an intrusion detection model by using the normal network flow data subset and the risk network flow data subset.
The purpose of dividing the normal network traffic data set into the normal network traffic data subset and the risk network traffic data subset in step S03 is to further refine the data set, and a part of the data is labeled as potential risk data, so that the intrusion detection model can learn a more detailed and complex abnormal behavior pattern.
In an alternative embodiment, the dividing the normal network traffic data set into the normal network traffic data subset and the risk network traffic data subset in step S03 includes the following steps:
S031, constructing a risk coefficient evaluation model from a plurality of features in the normal network traffic data set.
In this embodiment, for any piece of network traffic data in the normal network traffic data set, the risk coefficient evaluation model satisfies the following formula [formula not reproduced in the extracted text], wherein the risk coefficient of the feature vector of the i-th sample in the normal network traffic data set measures the degree to which the data belongs to potential risk network traffic; its value range is [0,1], and a value closer to 1 indicates a more likely potential risk. The risk coefficient of the mth feature of the i-th sample's feature vector measures the importance of that feature for judging potential risk; each feature has a corresponding risk coefficient. M represents the number of features in the feature vector of the i-th sample. The number of times the mth feature of the i-th sample's feature vector appears in the whole normal network traffic data set is used to calculate the frequency of the feature so as to measure its prevalence. The remaining term is the risk specific gravity (weight) of the mth feature of the i-th sample's feature vector.
Further, the risk coefficient evaluation model proposed in the present embodiment performs a risk evaluation of a feature on each piece of data in the normal network traffic data set, and calculates a risk coefficient of each feature. Wherein the risk factor of a feature is affected by the prevalence of the feature throughout the normal network traffic dataset and the degree of importance in the piece of data.
S032, evaluating risk coefficients of all pieces of network traffic data in the normal network traffic data set by using the risk coefficient evaluation model.
In this embodiment, step S032 utilizes the risk coefficient evaluation model in step S031 to perform potential risk evaluation on each piece of network traffic data in the normal network traffic data set, and obtains a corresponding risk coefficient.
S033, setting a risk coefficient threshold value, and comparing the risk coefficient threshold value with the risk coefficient to divide the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset.
It should be appreciated that the risk coefficient threshold may be determined based on the particular scenario and requirements. Further, in the present embodiment, the risk coefficient threshold is set to T, and the risk coefficient of each piece of data in the normal network traffic data set is compared with it: when the risk coefficient of a piece of data is above the threshold T, the piece of data is placed in the risk network traffic data subset, as it is considered to have a higher risk and may be potentially anomalous data; when the risk coefficient of a piece of data is less than or equal to the threshold T, the piece of data is placed in the normal network traffic data subset, because it is considered less risky and more likely to be typical normal network traffic data.
Further, the intrusion detection model in step S03 is used to identify and detect abnormal behaviour that may exist in the normal network traffic data, so as to distinguish normal network traffic from risk network traffic (i.e., network traffic in which abnormal behaviour may exist). Further, a suitable intrusion detection model, such as a deep learning model or a decision tree model, can be selected according to specific requirements and data characteristics so as to obtain a more accurate and reliable intrusion detection effect.
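The risk split of steps S031 to S033, as an added example that is not part of the patent: the description names the ingredients (a per-feature risk coefficient, the count of a feature value across the whole normal set, the feature's risk specific gravity, M features, a result in [0,1]) but the extracted text does not carry the combining formula, so the instantiation used here is an assumption: r_m = 1 - c_m/N (rarer feature values are riskier) and R = sum over m of w_m * r_m with weights summing to 1. The records, weights and threshold T are constructed.

```python
"""Risk coefficient split of the normal set (steps S031-S033).

Assumed instantiation of the described model:
  c_m  = how often this record's value of feature m occurs in the normal set
  r_m  = 1 - c_m / N            per-feature risk coefficient, in [0,1]
  R    = sum_m w_m * r_m        weights w_m ("risk specific gravity") sum to 1
Records with R > T form the risk subset, the rest the normal subset.
"""
from collections import Counter
from typing import Dict, List, Tuple

Record = dict

# Constructed records that passed the label classification stage.
NORMAL_SET: List[Record] = [
    {"id": 1, "dst_port": 443,  "proto": "TCP", "time_bucket": "day"},
    {"id": 2, "dst_port": 443,  "proto": "TCP", "time_bucket": "day"},
    {"id": 3, "dst_port": 443,  "proto": "TCP", "time_bucket": "night"},
    {"id": 4, "dst_port": 8883, "proto": "TCP", "time_bucket": "day"},
    {"id": 5, "dst_port": 443,  "proto": "UDP", "time_bucket": "night"},
    {"id": 6, "dst_port": 443,  "proto": "TCP", "time_bucket": "day"},
]

# Risk specific gravity (weight) of each of the M = 3 features; assumed values.
RISK_WEIGHTS: Dict[str, float] = {"dst_port": 0.5, "proto": 0.3, "time_bucket": 0.2}
THRESHOLD_T = 0.4  # risk coefficient threshold T, chosen per deployment


def feature_counts(records: List[Record], features: List[str]) -> Dict[str, Counter]:
    """c_m: occurrence count of every value of feature m over the whole normal set."""
    return {f: Counter(r[f] for r in records) for f in features}


def risk_coefficient(record: Record, counts: Dict[str, Counter],
                     n_records: int, weights: Dict[str, float]) -> float:
    """R_i for one record: weighted sum of per-feature rarity terms, in [0,1]."""
    total = 0.0
    for feature, weight in weights.items():
        c_m = counts[feature][record[feature]]
        r_m = 1.0 - c_m / n_records          # common value -> low risk, rare -> high
        total += weight * r_m
    return total


def split_by_risk(records: List[Record], weights: Dict[str, float],
                  threshold: float) -> Tuple[List[Tuple[int, float]], List[Tuple[int, float]]]:
    """Step S033: (normal subset, risk subset) as (id, R) pairs; R > T is risk."""
    counts = feature_counts(records, list(weights))
    n = len(records)
    normal, risk = [], []
    for r in records:
        R = risk_coefficient(r, counts, n, weights)
        (risk if R > threshold else normal).append((r["id"], round(R, 3)))
    return normal, risk


if __name__ == "__main__":
    normal_subset, risk_subset = split_by_risk(NORMAL_SET, RISK_WEIGHTS, THRESHOLD_T)
    print("normal subset:", normal_subset)
    print("risk subset:", risk_subset)   # records 4 (rare port) and 5 (rare protocol)
```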
In an alternative embodiment, the intrusion detection model provided in step S03 is an intrusion detection model based on SVM principles. SVM (Support Vector Machine) is a supervised learning algorithm whose goal is to find a hyperplane (linear or nonlinear), correctly separating data points of different categories so that the separation between the two categories is maximized.
Further, the intrusion detection model based on the SVM principle provided in this embodiment, after training on the normal network traffic data subset and the risk network traffic data subset, uses a decision function satisfying

$$f(x)=\operatorname{sign}\Big(\sum_{i}\alpha_i\,y_i\,K(x_i,x)+b\Big),$$

wherein $f(x)$ represents the decision output of the intrusion detection model for the network traffic data sample $x$ to be predicted; $f(x)=+1$ indicates that $x$ is normal network traffic data and $f(x)=-1$ indicates that $x$ is risk network traffic data; $\operatorname{sign}(\cdot)$ is the sign function, which outputs $+1$ if the value in the brackets is greater than or equal to 0 and $-1$ otherwise; $x_i$ represents the i-th training sample, a known network traffic data sample used to construct the intrusion detection model; $y_i$ represents the label value of the i-th training sample, corresponding to the category of $x_i$; $\alpha_i$ represents the Lagrange multiplier of $x_i$, a parameter obtained during SVM training; $K(x_i,x)$ represents the kernel function, which measures the similarity between the known sample $x_i$ and the sample $x$ to be predicted; and $b$ represents the hyperplane bias term, also a parameter obtained during SVM training.
It should be appreciated that the decision function is the core function by which the intrusion detection model assigns a category to the network traffic data sample x to be predicted. Specifically, for a new sample x, the kernel function is computed between x and each training sample in turn, each similarity is weighted by the corresponding label and Lagrange multiplier, and the weighted values are accumulated together with the bias term. Finally, the sign function is applied to the accumulated value to determine the category (normal network traffic data or risk network traffic data) of the sample x.
And S04, combining the trained intrusion detection model with the tag classification model, and monitoring network flow data in the network environment of the intelligent door lock in real time.
In an optional embodiment, the monitoring of the network traffic data in the network environment of the intelligent door lock in real time by using the trained intrusion detection model in combination with the tag classification model in step S04 includes the following steps:
S041, deploying a network traffic acquisition model, a label classification model and an intrusion detection model in the network environment.
It should be appreciated that the network traffic acquisition model is a component for capturing real-time network traffic data from a network environment of the smart door lock. It can monitor network traffic, capture packets transmitted through the intelligent door lock, and convert those packets into a format for subsequent processing. The model is used for providing real-time network traffic data and providing a basis for subsequent data analysis and intrusion detection.
Further, the label classification model is the classifier used in the steps above to separate normal network traffic from abnormal network traffic, and the intrusion detection model is the classifier trained on the normal network traffic data subset and the risk network traffic data subset, which further divides the network traffic data that the preliminary classification placed in the normal network traffic data set into normal network traffic data and risk network traffic data.
S042, performing preliminary classification on the real-time network traffic data captured by the network traffic acquisition model by using the label classification model.
When step S042 is performed, the real-time network traffic data is input into the tag classification model, and classified as normal network traffic or abnormal network traffic. The preliminary classification process can quickly divide real-time network traffic data into two types, namely normal and abnormal, so that a subsequent intrusion detection model can focus on network traffic data with potential risks in the normal network traffic data more intensively, thereby improving the accuracy and efficiency of intrusion detection.
S043, detecting the preliminary classification result again by using the intrusion detection model so as to determine risk network flow data.
Because the intrusion detection model is trained using the normal network traffic data subset and the risk network traffic data subset, the intrusion detection model has learned the characteristics and patterns of normal network traffic and potentially risk network traffic during the training phase, and can further detect data that may present a security risk from the network traffic data that is otherwise considered to be normal.
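The two-stage check of steps S042 and S043, together with the SVM decision function described above, is illustrated by the following added example. It is not code from the patent: the three flow features, their scales, the stage-1 abnormal boundaries, the support vectors, multipliers and bias of the SVM, and the sample flows are all constructed for this illustration, and the kernel is assumed to be an RBF kernel (the patent does not fix a kernel). A real deployment would load the parameters from a model trained as in step S03.

```python
import math
from dataclasses import dataclass

# Constructed feature layout for one flow record (assumption, not from the patent):
#   index 0: packets per second from the source
#   index 1: mean payload size in bytes
#   index 2: number of distinct destination ports touched on the lock
FEATURE_SCALE = (500.0, 1400.0, 20.0)  # assumed per-feature scale used for normalisation


def normalise(x, scale=FEATURE_SCALE):
    """Scale raw features to roughly [0, 1] so the RBF kernel is not dominated by one feature."""
    return tuple(v / s for v, s in zip(x, scale))


# Stage 1 (label classification model): one abnormal boundary per feature, combined with OR.
# The thresholds are assumed values chosen for this example.
ABNORMAL_BOUNDARIES = {
    0: lambda v: v > 500.0,    # flooding: more than 500 packets/s
    1: lambda v: v > 1400.0,   # payload larger than a typical MTU-sized frame
    2: lambda v: v > 20,       # port sweep: more than 20 distinct destination ports
}


def label_classify(x):
    """OR over the per-feature judgments: 'abnormal' if any boundary fires, else 'normal'."""
    return "abnormal" if any(pred(x[k]) for k, pred in ABNORMAL_BOUNDARIES.items()) else "normal"


def rbf_kernel(a, b, gamma):
    """K(a, b) = exp(-gamma * ||a - b||^2), the similarity used inside the decision function."""
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))


@dataclass
class SVMModel:
    """Parameters a trained SVM produces: support vectors x_i, labels y_i, multipliers alpha_i, bias b."""
    support_vectors: list
    labels: list          # +1 = normal traffic, -1 = risk traffic
    alphas: list
    bias: float
    gamma: float

    def decision_value(self, x):
        """sum_i alpha_i * y_i * K(x_i, x) + b, evaluated on the normalised sample."""
        xs = normalise(x)
        return sum(a * y * rbf_kernel(sv, xs, self.gamma)
                   for sv, y, a in zip(self.support_vectors, self.labels, self.alphas)) + self.bias

    def predict(self, x):
        """f(x) = sign(decision value): +1 normal, -1 risk."""
        return 1 if self.decision_value(x) >= 0 else -1


# Constructed support vectors (already normalised) standing in for a trained model.
MODEL = SVMModel(
    support_vectors=[(0.02, 0.10, 0.05), (0.05, 0.20, 0.10),   # typical lock traffic
                     (0.60, 0.05, 0.80), (0.80, 0.10, 0.90)],  # low-rate probing below stage-1 limits
    labels=[1, 1, -1, -1],
    alphas=[1.0, 1.0, 1.0, 1.0],
    bias=0.0,
    gamma=2.0,
)


def monitor(flows, model=MODEL):
    """Two-stage check: stage 1 filters abnormal flows, stage 2 re-examines the ones passed as normal."""
    verdicts = []
    for flow_id, x in flows:
        if label_classify(x) == "abnormal":
            verdicts.append((flow_id, "abnormal"))
            continue
        verdicts.append((flow_id, "normal" if model.predict(x) == 1 else "risk"))
    return verdicts


# Constructed real-time flow records: (id, (pps, mean payload bytes, distinct dst ports)).
SAMPLE_FLOWS = [
    ("flow-1", (15.0, 200.0, 2)),     # an app unlocking the door
    ("flow-2", (350.0, 100.0, 15)),   # probing that stays under every stage-1 boundary
    ("flow-3", (2000.0, 60.0, 40)),   # flood plus port sweep
]

if __name__ == "__main__":
    for flow_id, verdict in monitor(SAMPLE_FLOWS):
        print(flow_id, verdict)
```

The point of the second stage shows in flow-2: every feature stays under its stage-1 boundary, so the label classification model passes it as normal, but its kernel similarity to the risk support vectors outweighs its similarity to the normal ones and the decision function returns -1. Note that with an RBF kernel the feature scaling matters as much as the support vectors; unscaled packet rates would swamp the port-count feature.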
S05, generating and executing a corresponding response mechanism through a response mechanism model according to the real-time monitoring result.
In an alternative embodiment, the generating and executing the corresponding response mechanism according to the real-time monitoring result in step S05 through the response mechanism model includes the following steps:
S051, setting a response mechanism model, wherein the response mechanism model comprises a response rule base.
It should be appreciated that the response mechanism model is a set of predefined rules and behaviors for automatically deciding what actions to take to respond to a potential network threat based on intrusion detection results and network traffic monitoring conditions.
In this embodiment, a response rule base is provided; part of the response rules in the response rule base are shown in the following table:
The rule descriptions and corresponding response measures in the table are only part of the rules in the response rule base; in a specific implementation, the rules can be adjusted and extended according to the specific functions and security requirements of the intelligent door lock.
S052, executing a corresponding response rule according to the real-time monitoring result through the response mechanism model.
In this embodiment, step S052 executes the corresponding response rule through the configured response mechanism model according to the network traffic data monitored in real time and the intrusion detection result. That is, when risk network traffic data (or traffic marked as abnormal network traffic) is detected in step S043, the response mechanism model executes the corresponding response measures according to the matching rule.
For example, assume that during real-time monitoring a certain IP address is found to initiate connection requests frequently within a short time, and that the intrusion detection model marks its traffic as risk network traffic data. The response mechanism model immediately intercepts the IP address according to the configured response rule base and prevents it from further accessing the intelligent door lock, so as to avoid a potential attack.
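The response mechanism of steps S051 and S052, including the connection-burst example just given, is illustrated by the following added example. It is not the patent's code and the patent's rule table is not reproduced here: the rule names, the 10-second window, the five-attempt burst threshold, the first-match rule ordering and the sample events (using documentation IP ranges) are all assumptions made for this illustration.

```python
from collections import defaultdict, deque


class ResponseMechanism:
    """Response rule base: each rule is (name, condition, action); the first matching rule is applied."""

    def __init__(self, window_seconds=10.0, burst_threshold=5):
        self.window = window_seconds            # assumed meaning of "a short time"
        self.burst_threshold = burst_threshold  # assumed number of attempts that counts as "frequent"
        self.attempts = defaultdict(deque)      # src_ip -> timestamps of attempts inside the window
        self.blocked = set()                    # intercepted source addresses
        self.alerts = []                        # notifications for the administrator or user
        self.rules = [
            ("block-abnormal-source", self._is_abnormal, self._block),
            ("block-risky-burst", self._is_risky_burst, self._block),
            ("alert-risky-flow", self._is_risk, self._alert),
        ]

    def _count_recent(self, event):
        """Sliding-window count of connection attempts from the event's source address."""
        q = self.attempts[event["src_ip"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.window:
            q.popleft()
        return len(q)

    # rule conditions: (event, attempts in window) -> bool
    @staticmethod
    def _is_abnormal(event, count):
        return event["verdict"] == "abnormal"

    def _is_risky_burst(self, event, count):
        return event["verdict"] == "risk" and count >= self.burst_threshold

    @staticmethod
    def _is_risk(event, count):
        return event["verdict"] == "risk"

    # rule actions: (event, rule name) -> None
    def _block(self, event, rule):
        self.blocked.add(event["src_ip"])
        self.alerts.append((rule, event["src_ip"], "blocked"))

    def _alert(self, event, rule):
        self.alerts.append((rule, event["src_ip"], "alert"))

    def handle(self, event):
        """Apply the first matching rule to one monitoring result; returns the rule name or 'allow'."""
        if event["src_ip"] in self.blocked:
            return "dropped"   # already intercepted: no further processing for this source
        count = self._count_recent(event)
        for name, condition, action in self.rules:
            if condition(event, count):
                action(event, name)
                return name
        return "allow"


# Constructed monitoring results (documentation address ranges, not real hosts):
# six risk-labelled connection attempts from one source one second apart, then an
# abnormal flow from a second source and a normal flow from a third.
SAMPLE_EVENTS = (
    [{"ts": 100.0 + i, "src_ip": "203.0.113.7", "verdict": "risk"} for i in range(6)]
    + [{"ts": 105.0, "src_ip": "198.51.100.9", "verdict": "abnormal"},
       {"ts": 106.0, "src_ip": "192.0.2.10", "verdict": "normal"}]
)


def run(events):
    """Feed events through the rule base; returns the mechanism state and the per-event outcomes."""
    mech = ResponseMechanism()
    outcomes = [mech.handle(e) for e in events]
    return mech, outcomes


if __name__ == "__main__":
    mech, outcomes = run(SAMPLE_EVENTS)
    for e, o in zip(SAMPLE_EVENTS, outcomes):
        print(e["src_ip"], e["verdict"], "->", o)
    print("blocked:", sorted(mech.blocked))
```

The first four risk verdicts from 203.0.113.7 only raise alerts; the fifth attempt inside the window trips the burst rule and the address is intercepted, so the sixth attempt is dropped without evaluation. The abnormal verdict is blocked on the first hit, because rules are checked in order of severity and the abnormal rule comes first.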
According to the intelligent door lock-based intrusion detection method, the network flow data of the intelligent door lock is monitored in real time, and the attack flow is identified and intercepted by using the trained intrusion detection model, so that the safety of the intelligent door lock is effectively improved; corresponding measures are automatically triggered according to the intrusion detection result through the response mechanism model, and actions can be immediately taken when an attack occurs.
Furthermore, the application combines artificial intelligence and machine learning technology to make the intrusion detection process automatic and intelligent, i.e. the intrusion detection model provided by the application can learn and adapt to new attack modes and threats, reduces the dependence on manual intervention, and improves the accuracy and efficiency of intrusion detection. Meanwhile, the intrusion detection model provided by the application can be continuously optimized and updated, and is suitable for continuously changing attack means. This enables the intelligent door lock to continuously improve its ability to detect new attacks, maintaining its competitive advantage in a continuously changing network security environment.
In an alternative embodiment, in order to better perform the above intrusion detection method based on the intelligent door lock, the embodiment further provides an intrusion detection system based on the intelligent door lock, please refer to fig. 2, fig. 2 is a schematic structural diagram of the intrusion detection system based on the intelligent door lock according to the embodiment of the present application.
As shown in fig. 2, the intelligent door lock based intrusion detection system includes one or more processors; one or more input devices; one or more output devices; and a memory, wherein the processor, the input devices, the output devices and the memory are connected through a bus, the memory is used for storing a computer program, the computer program comprises program instructions, and the processor is configured to call the program instructions to execute the intelligent door lock-based intrusion detection method described above.
In this embodiment, the processor is configured to invoke a computer program provided in the smart door lock based intrusion detection method, i.e. the intrusion detection algorithm and the corresponding data processing program. The input device may be a network traffic acquisition device for capturing network traffic data of the smart door lock and transmitting it to the processor for further processing and analysis. The output device may be an alarm notification device for sending an alarm notification to an administrator or user prompting possible intrusion behavior or cyber security risks. Program instructions required by the intelligent door lock-based intrusion detection method are stored in the memory, and the program instructions comprise an intrusion detection algorithm, a data processing program, a trained intrusion detection model and a trained tag classification model. The processor, the input device, the output device and the memory are connected together through a bus to realize data transmission and communication.
The intrusion detection system based on the intelligent door lock provided by the application is based on the intrusion detection method, and analyzes and classifies network flow data by utilizing a trained intrusion detection model and a label classification model while monitoring the network flow data of the intelligent door lock in real time; based on the analysis and classification results, the system generates and executes corresponding response measures according to a preset response mechanism model. The intelligent door lock-based intrusion detection system can greatly improve the safety, instantaneity, accuracy, self-adaption and flexibility of the intelligent door lock, so that various security threats and intrusion behaviors can be better dealt with, and more reliable intelligent door lock service can be provided for users.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application, and are intended to be included within the scope of the appended claims and description.

Claims (10)

1. The intelligent door lock-based intrusion detection method is characterized by comprising the following steps of:
acquiring network flow data from a network environment of an intelligent door lock;
preprocessing the network traffic data, and marking the preprocessed network traffic data by using a label classification model to obtain a network traffic data set, wherein the network traffic data set comprises a normal network traffic data set;
dividing the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset, and training an intrusion detection model by utilizing the normal network traffic data subset and the risk network traffic data subset;
the trained intrusion detection model is combined with the tag classification model, and network flow data in the network environment of the intelligent door lock are monitored in real time;
and generating and executing a corresponding response mechanism through the response mechanism model according to the real-time monitoring result.
2. The intelligent door lock-based intrusion detection method according to claim 1, wherein the acquiring network traffic data from the network environment of the intelligent door lock comprises the steps of:
installing network monitoring equipment in the network environment, and acquiring network traffic data with the network monitoring equipment; or
installing packet capture software in the network environment, and acquiring network traffic data with the packet capture software; or
reading network log records in the network environment, and acquiring network traffic data from the network log records.
3. The intelligent door lock-based intrusion detection method according to claim 1, wherein the data labeling of the preprocessed network traffic data by using a tag classification model comprises the following steps:
selecting one or more characteristics in the preprocessed network flow data;
setting an abnormal boundary of the feature, and constructing a label classification model by utilizing the abnormal boundary;
utilizing the label classification model to carry out linear classification on the preprocessed network flow data;
and generating a normal network traffic data set and an abnormal network traffic data set according to the linear classification result.
4. The intelligent door lock-based intrusion detection method according to claim 3, wherein the tag classification model comprises the following model:

$$G(\mathbf{x}) = g_1(x_1)\ \mathrm{OR}\ g_2(x_2)\ \mathrm{OR}\ \cdots\ \mathrm{OR}\ g_n(x_n),$$

wherein $\mathbf{x}=(x_1, x_2, \ldots, x_n)$ represents a feature vector consisting of a plurality of features, $x_n$ represents the n-th feature in the feature vector, n represents the number of features in the feature vector $\mathbf{x}$, $g_n(x_n)$ represents the judgment function set by the abnormal boundary of the n-th feature, with $g_n(x_n)=1$ when the abnormal boundary of the n-th feature is satisfied and $g_n(x_n)=0$ when it is not satisfied, OR represents OR logic, $G(\mathbf{x})$ represents the judgment function of the feature vector $\mathbf{x}$, $G(\mathbf{x})=1$ indicates that the network traffic data characterized by $\mathbf{x}$ is abnormal network traffic data, and $G(\mathbf{x})=0$ indicates that the network traffic data characterized by $\mathbf{x}$ is normal network traffic data.
5. The intelligent door lock based intrusion detection method according to claim 1, wherein the dividing the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset comprises the steps of:
building a risk coefficient evaluation model according to a plurality of characteristics in the normal network flow data set;
evaluating risk coefficients of each piece of network traffic data in the normal network traffic data set by using the risk coefficient evaluation model;
setting a risk coefficient threshold value, and comparing the risk coefficient threshold value with the risk coefficient to divide the normal network traffic data set into a normal network traffic data subset and a risk network traffic data subset.
6. The intelligent door lock-based intrusion detection method according to claim 5, wherein the risk coefficient evaluation model satisfies a formula defined over the following terms: the risk coefficient of the feature vector of the i-th sample in the normal network traffic data set; the risk coefficient of the m-th feature of that feature vector; M, the number of features in the feature vector of the i-th sample; the number of times the m-th feature of that feature vector appears in the whole normal network traffic data set; and the risk specific gravity of the m-th feature of that feature vector.
7. The intelligent door lock-based intrusion detection method according to claim 1, wherein the real-time monitoring of network traffic data in a network environment of the intelligent door lock by using the trained intrusion detection model in combination with the tag classification model comprises the steps of:
respectively deploying a network traffic acquisition model, a label classification model and an intrusion detection model in the network environment;
performing preliminary classification on the real-time network traffic data captured by the network traffic acquisition model by using the label classification model;
and detecting the preliminary classification result again by using the intrusion detection model so as to determine risk network traffic data.
8. The intelligent door lock-based intrusion detection method according to claim 7, wherein the intrusion detection model comprises an SVM principle-based classifier for dividing network traffic data in a normal network traffic data set obtained after preliminary classification into normal network traffic data and risk network traffic data.
9. The intelligent door lock-based intrusion detection method according to claim 1, wherein the generating and executing the corresponding response mechanism through the response mechanism model according to the real-time monitoring result comprises the following steps:
setting a response mechanism model, wherein the response mechanism model comprises a response rule base;
and executing a corresponding response rule according to the real-time monitoring result through the response mechanism model.
10. An intelligent door lock-based intrusion detection system, comprising one or more processors; one or more input devices; one or more output devices and a memory, the processor, the input device, the output device and the memory being connected by a bus, the memory being for storing a computer program, the computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the smart door lock-based intrusion detection method according to any one of claims 1-9.
CN202311020708.9A 2023-08-15 2023-08-15 Intrusion detection method and system based on intelligent door lock Active CN116743507B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311020708.9A CN116743507B (en) 2023-08-15 2023-08-15 Intrusion detection method and system based on intelligent door lock

Publications (2)

Publication Number Publication Date
CN116743507A CN116743507A (en) 2023-09-12
CN116743507B CN116743507B (en) 2023-10-10

Family

ID=87904765

Country Status (1)

Country Link
CN (1) CN116743507B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112255928A (en) * 2020-10-30 2021-01-22 北京金山云网络技术有限公司 Smart home control method, device and system and electronic equipment
CN116563986A (en) * 2023-04-21 2023-08-08 苏州青宥信息科技有限公司 Intelligent building access control system and method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018124672A1 (en) * 2016-12-28 2018-07-05 Samsung Electronics Co., Ltd. Apparatus for detecting anomaly and operating method for the same
KR20210054796A (en) * 2019-11-06 2021-05-14 엘지전자 주식회사 Door open monitoring for the intelligent device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant