CN117220940A - Method for sensing network situation of ThingsBoard Internet of things based on Wazuh - Google Patents


Info

Publication number: CN117220940A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202311166883.9A
Other languages: Chinese (zh)
Inventor: 王茂帅
Current assignee: Shandong New Generation Information Industry Technology Research Institute Co Ltd
Original assignee: Shandong New Generation Information Industry Technology Research Institute Co Ltd
Priority date: 2023-09-12
Filing date: 2023-09-12
Publication date: 2023-12-12


Abstract

A method for sensing the situation of a ThingsBoard Internet of things network based on Wazuh relates to the technical field of the Internet of things. It combines the open source security monitoring platform Wazuh with the open source IoT platform ThingsBoard, so that comprehensive situation awareness of the Internet of things network is realized. Through Wazuh's data acquisition and threat detection, the state of Internet of things devices and the security threats against them can be monitored comprehensively, providing comprehensive protection for network security.

Description

Method for sensing network situation of ThingsBoard Internet of things based on Wazuh
Technical Field
The invention relates to the technical field of the Internet of things, in particular to a method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh.
Background
With the rapid development of the Internet of things (IoT), various devices and objects are connected to the Internet, forming a huge Internet of things network. However, this wide connectivity also causes serious network security problems, and conventional network security methods often struggle to cope in the Internet of things environment. Internet of things devices generally have limited resources, diverse operating systems and distributed deployment, which makes traditional security solutions inflexible and inefficient.
Traditional Intrusion Detection Systems (IDS) can be used to detect abnormal behavior in network traffic, but often cannot accurately monitor anomalies inside internet of things devices. On the other hand, some specialized IoT security platforms may perform device management and access control, but lack a comprehensive awareness of network real-time status.
Disclosure of Invention
In order to overcome the defects of the technology, the invention provides the method for sensing the situation of the Internet of things network, which can more accurately identify potential threats and reduce the false alarm rate.
The technical scheme adopted for overcoming the technical problems is as follows:
a method for sensing network situation of the ThingsBoard Internet of things based on Wazuh comprises the following steps:
data generated by the Internet of things equipment are collected in real time, wherein the data comprise: log data, network traffic, system index data;
threat detection is carried out on the collected data generated by the Internet of things equipment by utilizing the rule engine of the Wazuh system, and the threat detection comprises: abnormal traffic detection, weak password detection, malicious software scanning, equipment vulnerability detection, data anomaly detection, instruction tampering detection and geographic position anomaly detection;
according to threat detection, the Wazuh system generates corresponding security events and alarms;
storing the detected security event in a database;
and visually displaying the data in the database in chart or image form through the ThingsBoard platform, and integrating the data access of the Wazuh system through the flow engine of ThingsBoard.
Preferably, log data, network traffic and system index data of the Internet of things equipment are collected in real time by deploying the Wazuh system agent.
Further, the abnormal traffic detection method comprises the following steps: the open source intrusion detection system Suricata is used in combination with a random forest algorithm to detect abnormal traffic in data generated by the Internet of things equipment.
Further, the weak password detection method comprises the following steps: a password policy check is carried out on data generated by the Internet of things equipment using OWASP Passfault to check whether the password conforms to the security policy.
Further, the method for scanning malicious software comprises the following steps: and using the ClamAV as a malicious software scanning engine to scan data generated by the Internet of things equipment, and detecting malicious software.
Further, the method for detecting equipment vulnerabilities comprises the following steps: data generated by the Internet of things equipment are scanned periodically using Nessus to detect known vulnerabilities.
Further, the method for detecting the data abnormality comprises the following steps:
constructing a model by using an Isolation Forest algorithm;
extracting frequency domain information through Fourier transformation, capturing periodicity and frequency characteristics of data generated by the Internet of things equipment, and obtaining frequency domain characteristics;
extracting the mean value, standard deviation and median of data generated by the Internet of things equipment to obtain basic statistical characteristics;
coding the type characteristics of the data generated by the Internet of things equipment to obtain coding or labeling characteristics;
combining a source IP and a target IP of data generated by the Internet of things equipment into a joint characteristic to obtain a cross characteristic;
the model randomly selects frequency domain features, basic statistical features, coding or labeling features, cross features and split points to construct a binary tree for data anomaly detection.
Further, the method for detecting the command tampering comprises the following steps: the data generated by the internet of things device is encrypted using RSA or HMAC digital signature and encryption algorithms.
Further, the method for detecting the geographic position abnormality comprises the following steps: a GPS module and an IP geographic position library are used to periodically acquire the geographic position of the Internet of things equipment, the acquired geographic position is compared with a preset range, and if the acquired geographic position is outside the preset range, an alarm is triggered.
Further, the method for generating the corresponding security event and alarm by the Wazuh system comprises the following steps:
the Wazuh system monitors data generated by the Internet of things equipment through the safety rule, and when the data are matched with the rule, the rule matching is triggered;
when rule matching occurs, the Wazuh system triggers an event which contains the ID, rule name and timestamp of the matching rule;
the triggering event is transmitted to an event processor of the Wazuh system;
the Wazuh system classifies the event into a specified threat type according to the classification of the rule and the attribute of the event;
the Wazuh system aggregates the same type of events triggered repeatedly, and when the events are aggregated or the events are events needing to be notified to an administrator, the Wazuh system generates corresponding alarms.
The beneficial effects of the invention are as follows: the open source security monitoring platform Wazuh is combined with the open source IoT platform ThingsBoard, so that comprehensive situation awareness of the Internet of things network is realized. Through Wazuh's data acquisition and threat detection, the state of Internet of things devices and the security threats against them can be monitored comprehensively, providing comprehensive protection for network security. The method has the following advantages:
real-time monitoring and response: the state of the equipment can be monitored in real time, potential threats can be responded rapidly, and network security of the Internet of things is guaranteed.
Multidimensional analysis: by comprehensively analyzing various data sources, the threat detection accuracy is improved, and the false alarm rate is reduced.
Visual display: through the visualization forms of diagrams, images and the like, a user intuitively knows the network situation and makes a decision better.
Automatic data processing: and a flow engine is introduced to realize automatic processing and distribution of data, so that the flexibility of the system is improved.
Open source platform: open source platforms are adopted, so that development and maintenance cost is reduced, and community cooperation and innovation are promoted.
Detailed Description
The present invention will be further described below.
A method for sensing network situation of the ThingsBoard Internet of things based on Wazuh comprises the following steps:
data generated by the Internet of things equipment are collected in real time, wherein the data comprise: log data, network traffic, system index data.
Threat detection is carried out on data generated by the collected Internet of things equipment by using a rule engine of the Wazuh system, the rule engine judges based on a known common mode, abnormal behaviors and the like, and the specific threat detection comprises: abnormal traffic detection, weak password detection, malware scanning, device vulnerability detection, data anomaly detection, instruction tampering detection, and geographic location anomaly detection.
Based on threat detection, the Wazuh system generates corresponding security events and alarms.
The detected security events are stored in a database for subsequent analysis, querying and backtracking. This helps build a threat intelligence library that supports security decisions.
Through the ThingsBoard platform, the data in the database are visually displayed in the form of charts or images, so that a user can intuitively understand the state of the Internet of things, threat trends and so on, and the data access of the Wazuh system is integrated through the flow engine of ThingsBoard. The flow engine can automatically process and distribute data, which improves the flexibility and expansibility of the system.
Based on the two open source platforms Wazuh and ThingsBoard, through integration and customization, real-time monitoring, threat detection, event analysis and visual display of the Internet of things equipment are realized; at the same time, a flow engine is introduced to automate data processing, which greatly improves the security and management efficiency of the Internet of things network and creates an efficient and flexible network situation awareness system for the Internet of things. The introduction of the flow engine also enhances the expandability and adaptability of the system, so the method can be applied in other fields. For example, in industrial automation, by collecting operation data and status information of industrial equipment, status monitoring and anomaly detection of the industrial equipment can be achieved with a similar method, improving the safety and efficiency of industrial production. In addition, in the intelligent traffic field, the method can be applied to the monitoring of vehicles and traffic facilities, realizing real-time traffic flow analysis and safety event detection and providing support for traffic management and planning. In conclusion, the method is of significant importance in the field of the Internet of things and has wide potential application value.
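As an added example that is not part of the patent, the following Python script shows one way to hand a Wazuh alert to ThingsBoard so that dashboards and the rule chain can consume it. It assumes the Wazuh custom-integration calling convention (the script receives the path of a file holding the alert JSON, an API key slot and a hook URL as its three arguments) and ThingsBoard's HTTP device API, which accepts telemetry at `/api/v1/<DEVICE_ACCESS_TOKEN>/telemetry`; the host, device token and alert record are constructed placeholders.

```python
import json
import sys
import urllib.request
from datetime import datetime

# Constructed sample in the shape of a record from Wazuh's alerts.json
# (field names follow the Wazuh alert format; the values are invented).
SAMPLE_ALERT = {
    "timestamp": "2023-09-12T10:15:30.123+0000",
    "rule": {"id": "100200", "level": 12,
             "description": "IoT agent: firmware integrity check failed",
             "groups": ["iot", "integrity"]},
    "agent": {"id": "007", "name": "iot-gateway-03"},
    "data": {"srcip": "192.0.2.44"},
}


def alert_to_telemetry(alert: dict) -> dict:
    """Map a Wazuh alert onto ThingsBoard's timestamped telemetry format,
    {"ts": <epoch ms>, "values": {...}}, keeping the fields a dashboard or a
    rule-chain node needs: rule id/level/description, agent and source IP."""
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    rule = alert["rule"]
    return {
        "ts": int(ts.timestamp() * 1000),
        "values": {
            "wazuh_rule_id": int(rule["id"]),
            "wazuh_rule_level": int(rule["level"]),
            "wazuh_rule_description": rule["description"],
            "wazuh_rule_groups": ",".join(rule.get("groups", [])),
            "wazuh_agent": alert["agent"]["name"],
            "src_ip": alert.get("data", {}).get("srcip", ""),
        },
    }


def telemetry_url(base_url: str, device_token: str) -> str:
    """ThingsBoard HTTP device API endpoint for posting telemetry."""
    return f"{base_url.rstrip('/')}/api/v1/{device_token}/telemetry"


def push_telemetry(base_url: str, device_token: str, alert: dict) -> int:
    """POST the mapped alert to ThingsBoard and return the HTTP status code."""
    body = json.dumps(alert_to_telemetry(alert)).encode()
    req = urllib.request.Request(
        telemetry_url(base_url, device_token), data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed invocation by Wazuh: <script> <alert_file> <api_key> <hook_url>.
    # The hook URL carries the ThingsBoard base URL; the device access token
    # is passed in the api_key slot (placeholders, not project conventions).
    if len(sys.argv) >= 4:
        with open(sys.argv[1]) as fh:
            alert = json.load(fh)
        print(push_telemetry(sys.argv[3], sys.argv[2], alert))
    else:
        print(json.dumps(alert_to_telemetry(SAMPLE_ALERT), indent=2))
```

Once the telemetry lands on the device, a ThingsBoard rule chain can branch on `wazuh_rule_level` (for example raising a ThingsBoard alarm at level 12 and above) and forward lower levels to a dashboard only.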
In one embodiment of the invention, log data, network traffic and system index data of the Internet of things equipment are collected in real time by deploying the Wazuh system agent. The Wazuh agent is used as a data collector to transmit the original data to a subsequent processing link.
In one embodiment of the present invention, the method for detecting abnormal traffic is as follows: the open source intrusion detection system Suricata is used in combination with a random forest algorithm to detect abnormal traffic in data generated by the Internet of things equipment. Communication data between devices are collected, including the source IP, target IP, port and data packet size of the communication. The following features are extracted:
Basic statistical features: basic statistics of the traffic, such as the traffic average, standard deviation, maximum and minimum, are extracted. These statistical features help capture the overall distribution of traffic.
Frequency domain features: the traffic data are converted from the time domain to the frequency domain using the Fourier transform, and frequency domain features are extracted. This helps detect periodic traffic patterns, such as DDoS attacks.
Time sequence features: time-related features, such as traffic fluctuations and time intervals, are extracted. This helps identify periodic changes in traffic and abnormal behavior.
Traffic distribution features: features are extracted by analyzing the distribution of the traffic, for example the distribution of the traffic size over different time periods. This helps find unusual traffic distributions.
Feature crossover: different features are crossed to generate new features. The source IP, target IP and ports are combined into a combined feature to capture more traffic patterns.
Data packet statistics features: features about the data packets, such as the average packet size and the number of packets, are extracted. This helps detect abnormal packet transmissions.
Autocorrelation features: the autocorrelation function of the traffic data is calculated to measure the correlation within the traffic data.
Data distribution features: features of the traffic distribution, such as kurtosis and skewness, are extracted. This helps identify unusual shapes of the traffic distribution.
Path features: for network traffic data, path-related features such as path length and path changes can be extracted.
Rate of change of traffic: features of the rate of traffic change, such as the rate of increase and the rate of decrease, are extracted.
The above method is used to extract the features, and the data are divided into a training set and a test set. The training set is used to build the random forest model, and the test set is used to evaluate the performance of the model. A random forest consists of multiple decision trees, each trained on a different subset of the data. The data in the test set are then predicted: if a data point is classified as anomalous by multiple decision trees, it may be an outlier. The random forest algorithm itself is prior art and is therefore not described in detail.
In one embodiment of the invention, the method for detecting weak passwords is as follows: a password policy check is carried out on data generated by the Internet of things equipment using OWASP Passfault, checking whether the password conforms to the security policy (such as password length and character complexity).
In one embodiment of the invention, the method of malware scanning is: and using the ClamAV as a malicious software scanning engine to scan data generated by the Internet of things equipment, and detecting malicious software.
In one embodiment of the invention, the method for detecting device vulnerabilities is as follows: data generated by the Internet of things equipment are scanned periodically using Nessus to detect known vulnerabilities.
In one embodiment of the present invention, the method for detecting data anomalies is:
the model was built using the Isolation Forest algorithm.
And extracting frequency domain information through Fourier transformation, capturing the periodicity and frequency characteristics of data generated by the Internet of things equipment, and obtaining frequency domain characteristics.
And extracting the mean value, standard deviation and median of the data generated by the Internet of things equipment to obtain basic statistical characteristics.
And encoding the type characteristics of the data generated by the Internet of things equipment to obtain encoded or labeled characteristics.
Combining a source IP and a target IP of data generated by the Internet of things equipment into a joint characteristic to obtain a cross characteristic.
The model randomly selects frequency domain features, basic statistical features, coding or labeling features, cross features and split points to construct a binary tree for data anomaly detection.
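As an added worked example that is not part of the patent, the following Python builds the feature vector described in the data anomaly detection steps above, using the same feature families the abnormal traffic embodiment also lists (frequency domain features via a discrete Fourier transform, basic statistics, a label code for the data type and a cross feature over the source/target IP pair), and scores it with a minimal Isolation Forest written from scratch (random feature, random split point, binary tree) instead of a library implementation. The sensor readings and IP addresses are constructed.

```python
import math
import random
import statistics


def frequency_domain_features(series):
    """DFT of a telemetry window: magnitude of the dominant non-DC component
    and its normalised frequency (captures periodicity of the readings)."""
    n = len(series)
    mags = []
    for k in range(1, n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(series))
        im = sum(x * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(series))
        mags.append(math.hypot(re, im))
    dominant = max(range(len(mags)), key=mags.__getitem__)
    return [mags[dominant], (dominant + 1) / n]


def featurize(record, type_codes, pair_codes):
    """Feature vector: frequency domain, basic statistics (mean, std, median),
    a label code for the data type and a cross feature for (src IP, dst IP)."""
    s = record["values"]
    stats = [statistics.mean(s), statistics.pstdev(s), statistics.median(s)]
    type_code = type_codes.setdefault(record["type"], len(type_codes))
    pair_code = pair_codes.setdefault((record["src_ip"], record["dst_ip"]), len(pair_codes))
    return frequency_domain_features(s) + stats + [type_code, pair_code]


def _c(n):
    """Average path length of an unsuccessful BST search; normalises scores."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _build_tree(rows, depth, max_depth, rng):
    """Isolation tree node: pick a random feature that still varies and a
    uniformly random split point between its min and max."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    spans = [(min(r[f] for r in rows), max(r[f] for r in rows)) for f in range(len(rows[0]))]
    candidates = [f for f, (lo, hi) in enumerate(spans) if lo < hi]
    if not candidates:
        return {"size": len(rows)}
    feat = rng.choice(candidates)
    split = rng.uniform(*spans[feat])
    return {"feat": feat, "split": split,
            "left": _build_tree([r for r in rows if r[feat] < split], depth + 1, max_depth, rng),
            "right": _build_tree([r for r in rows if r[feat] >= split], depth + 1, max_depth, rng)}


def _path_length(node, x):
    depth = 0
    while "feat" in node:
        node = node["left"] if x[node["feat"]] < node["split"] else node["right"]
        depth += 1
    return depth + _c(node["size"])


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=64, seed=0):
        self.n_trees, self.sample_size, self.seed, self.trees = n_trees, sample_size, seed, []

    def fit(self, rows):
        rng = random.Random(self.seed)
        self.sample_size = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [_build_tree(rng.sample(rows, self.sample_size), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]; near 1 means the point isolates quickly."""
        avg = statistics.mean(_path_length(t, x) for t in self.trees)
        return 2 ** (-avg / _c(self.sample_size))


def constructed_records(seed=1):
    """Constructed telemetry: 40 sensors with a clean 24-sample daily cycle,
    plus one device whose readings spike and which talks to an unseen peer."""
    rng = random.Random(seed)
    records = []
    for i in range(40):
        values = [20 + 5 * math.sin(2 * math.pi * t / 24) + rng.gauss(0, 0.5) for t in range(24)]
        records.append({"type": "temperature", "src_ip": f"10.0.0.{i % 4 + 10}",
                        "dst_ip": "10.0.0.1", "values": values})
    spiky = [20 + (500 if t % 3 == 0 else 0) + rng.gauss(0, 0.5) for t in range(24)]
    records.append({"type": "temperature", "src_ip": "10.0.0.99",
                    "dst_ip": "198.51.100.7", "values": spiky})
    return records


def run_demo():
    """Fit the forest on all records; return normal scores and the outlier's."""
    type_codes, pair_codes = {}, {}
    rows = [featurize(r, type_codes, pair_codes) for r in constructed_records()]
    forest = IsolationForest(n_trees=100, sample_size=32, seed=0).fit(rows)
    scores = [forest.score(x) for x in rows]
    return {"normal": scores[:-1], "anomaly": scores[-1]}
```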
In one embodiment of the invention, the method for detecting instruction tampering is as follows: the data generated by the Internet of things device is encrypted using RSA or HMAC digital signature and encryption algorithms. During instruction generation and transmission, the digital signature is used to protect the instruction, so that the integrity and authenticity of the instruction are ensured.
In one embodiment of the invention, the method for detecting the geographic position abnormality is as follows: a GPS module and an IP geographic position library are used to periodically acquire the geographic position of the Internet of things equipment, the acquired geographic position is compared with a preset range, and if the acquired geographic position is outside the preset range, an alarm is triggered.
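As an added example (not the patent's own code), the following Python shows the HMAC variant of the instruction protection described above: the issuer attaches an HMAC-SHA256 tag over every field of the instruction, and the device verifies the tag in constant time, rejects stale instructions and refuses replays of an already-seen nonce, returning a reason string that can be logged for the Wazuh agent to pick up. The key, device id and instruction fields are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared key; in a deployment each device receives its own key
# from a secure store, never a literal in source.
DEVICE_KEY = bytes.fromhex("8f0c" * 16)


def canonical_bytes(command: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()


def sign_command(command: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over every field of the instruction."""
    tag = hmac.new(key, canonical_bytes(command), hashlib.sha256).hexdigest()
    return {**command, "mac": tag}


class CommandVerifier:
    """Device-side check run on every received instruction; the reason string
    is what the device would write to its log for Wazuh rule matching."""

    def __init__(self, key: bytes, max_age_s: int = 30):
        self.key = key
        self.max_age_s = max_age_s
        self.seen_nonces = set()

    def verify(self, signed: dict, now: int):
        body = {k: v for k, v in signed.items() if k != "mac"}
        expected = hmac.new(self.key, canonical_bytes(body), hashlib.sha256).hexdigest()
        # Constant-time compare; a mismatch means payload or tag was altered.
        if not hmac.compare_digest(expected, str(signed.get("mac", ""))):
            return False, "tampered: mac mismatch"
        if abs(now - int(body.get("issued_at", 0))) > self.max_age_s:
            return False, "rejected: stale timestamp"
        nonce = body.get("nonce")
        if nonce in self.seen_nonces:
            return False, "rejected: replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Constructed walk-through: a genuine command, a tampered copy, a replay."""
    verifier = CommandVerifier(DEVICE_KEY)
    cmd = {"device_id": "valve-17", "action": "set_point", "value": 42,
           "issued_at": 1694513730, "nonce": "c1d2e3"}
    signed = sign_command(cmd, DEVICE_KEY)
    results = {"genuine": verifier.verify(signed, now=1694513735)}
    tampered = {**signed, "value": 99}            # field altered in transit
    results["tampered"] = verifier.verify(tampered, now=1694513735)
    results["replay"] = verifier.verify(signed, now=1694513740)
    return results
```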
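As an added example that is not from the patent, the following Python implements the geographic position check just described: it prefers a GPS fix, falls back to an IP geographic position library (a constructed prefix table stands in for the library), measures the great-circle distance to the device's preset range and returns an alarm record when the device is outside it. Coordinates, prefixes and device ids are constructed.

```python
import ipaddress
import math

# Constructed stand-in for an IP geolocation library: prefix -> (lat, lon).
IP_GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): (36.6512, 117.1201),   # constructed
    ipaddress.ip_network("198.51.100.0/24"): (39.9042, 116.4074),  # constructed
}

# Preset range per device: centre and radius in km (constructed values).
GEOFENCES = {
    "meter-01": {"lat": 36.6512, "lon": 117.1201, "radius_km": 5.0},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def locate(report):
    """Position source selection: GPS fix first, then the IP geolocation table."""
    if report.get("gps"):
        return tuple(report["gps"]), "gps"
    addr = ipaddress.ip_address(report["ip"])
    for net, coords in IP_GEO_DB.items():
        if addr in net:
            return coords, "ip"
    return None, "unknown"


def check_position(report):
    """Compare the acquired position with the device's preset range.
    Returns an alarm dict when outside the range or when no position can be
    determined, otherwise None."""
    device = report["device_id"]
    fence = GEOFENCES.get(device)
    if fence is None:
        return {"device_id": device, "reason": "no preset range configured"}
    coords, source = locate(report)
    if coords is None:
        return {"device_id": device, "reason": "position unavailable", "source": source}
    dist = haversine_km(coords[0], coords[1], fence["lat"], fence["lon"])
    if dist > fence["radius_km"]:
        return {"device_id": device, "reason": "outside preset range",
                "distance_km": round(dist, 1), "source": source}
    return None
```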
In one embodiment of the invention, the method for generating the corresponding security event and alarm by the Wazuh system comprises the following steps:
the Wazuh system monitors data generated by the Internet of things equipment through its security rules, and when the data match a rule, rule matching is triggered.
When rule matching occurs, the Wazuh system triggers an event that contains the ID, rule name and timestamp of the matching rule.
The trigger event is passed to the event handler of the Wazuh system. During the event processing phase, the Wazuh system processes and analyzes the event to determine its severity and extent of impact.
The Wazuh system classifies the event into a specified threat type according to the classification of the rule and the attributes of the event. In addition, Wazuh associates the event with other context information, such as the source IP, target IP and event type.
The Wazuh system aggregates repeatedly triggered events of the same type so as to avoid frequent alarms and redundant information, and generates corresponding alarms when events are aggregated or when an event needs to be notified to an administrator. Alarms may include details of the events, such as threat type, scope of influence and triggering rule. In an alert, Wazuh will typically provide a suggested response measure; these measures may include isolating the affected system, analyzing the details of the event and repairing the vulnerability. The Wazuh system records the generated events and alarms in a historical database for subsequent analysis, auditing and reporting, which helps track the development and evolution of threat events.
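As an added example (not the patent's code and not Wazuh's own engine), the following Python simulates the event generation pipeline described in the disclosure and in the detailed description above: rule matching yields an event carrying the rule id, rule name and timestamp; the event is classified into a threat type; repeats from the same source are aggregated inside the rule's timeframe; and an alarm is generated when the rule's frequency threshold is met, flagged for administrator notification at a high level. The rules and log lines are constructed; the thresholds 3 (alert) and 12 (notify) mirror Wazuh's documented default `log_alert_level` and `email_alert_level`, assumed here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    description: str
    pattern: str
    category: str
    frequency: int = 1    # events from one source within timeframe before alerting
    timeframe: int = 60   # seconds


# Constructed rules in the style of Wazuh's <rule id= level= frequency= timeframe=>.
RULES = [
    Rule(100100, 5, "IoT agent: SSH authentication failure",
         r"sshd.*Failed password .* from (?P<ip>\d+\.\d+\.\d+\.\d+)",
         "authentication_failed", frequency=3, timeframe=60),
    Rule(100200, 12, "IoT agent: firmware integrity check failed",
         r"fw-check: hash mismatch", "integrity"),
    Rule(100300, 2, "IoT agent: heartbeat", r"heartbeat ok", "informational"),
]

THREAT_TYPES = {"authentication_failed": "credential attack",
                "integrity": "instruction/firmware tampering",
                "informational": "none"}

# Constructed agent log lines as (epoch seconds, line).
CONSTRUCTED_LOGS = [
    (1694513700, "gw-03 sshd[812]: Failed password for root from 192.0.2.44 port 51022 ssh2"),
    (1694513705, "gw-03 heartbeat ok"),
    (1694513712, "gw-03 sshd[813]: Failed password for admin from 192.0.2.44 port 51030 ssh2"),
    (1694513720, "gw-03 sshd[814]: Failed password for pi from 192.0.2.44 port 51041 ssh2"),
    (1694513800, "gw-03 sshd[820]: Failed password for root from 198.51.100.9 port 40000 ssh2"),
    (1694513805, "gw-03 fw-check: hash mismatch for /lib/firmware/radio.bin"),
]


def match_rules(ts, line, rules):
    """Rule matching: the first rule whose pattern matches yields an event with
    the rule id, rule name, timestamp, threat type and source-IP context."""
    for rule in rules:
        m = re.search(rule.pattern, line)
        if m:
            return {"rule_id": rule.id, "rule_name": rule.description, "timestamp": ts,
                    "level": rule.level, "threat_type": THREAT_TYPES[rule.category],
                    "src_ip": m.groupdict().get("ip", "-"), "rule": rule}
    return None


def process_logs(logs, rules=RULES, alert_level=3, notify_level=12):
    """Event handler: aggregate repeats per (rule, source) inside the rule's
    timeframe and raise one alarm per burst once the frequency is reached;
    levels below alert_level never alarm, levels at notify_level and above
    are marked for administrator notification."""
    windows = defaultdict(list)
    events, alerts = [], []
    for ts, line in logs:
        ev = match_rules(ts, line, rules)
        if ev is None:
            continue
        events.append(ev)
        rule = ev["rule"]
        key = (rule.id, ev["src_ip"])
        windows[key] = [t for t in windows[key] if ts - t <= rule.timeframe] + [ts]
        count = len(windows[key])
        if rule.level >= alert_level and count >= rule.frequency:
            alerts.append({"rule_id": rule.id, "rule_name": rule.description,
                           "threat_type": ev["threat_type"], "src_ip": ev["src_ip"],
                           "first_seen": windows[key][0], "last_seen": ts,
                           "count": count, "level": rule.level,
                           "notify_admin": rule.level >= notify_level})
            windows[key] = []        # reset so one burst yields one alarm
    return events, alerts
```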
Finally, it should be noted that the foregoing description is only a preferred embodiment of the present invention, and the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may modify or replace with equivalents some of the technical features described in them. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh, characterized by comprising the following steps:
data generated by the Internet of things equipment are collected in real time, wherein the data comprise: log data, network traffic, system index data;
threat detection is carried out on the collected data generated by the Internet of things equipment by utilizing the rule engine of the Wazuh system, and the threat detection comprises: abnormal traffic detection, weak password detection, malicious software scanning, equipment vulnerability detection, data anomaly detection, instruction tampering detection and geographic position anomaly detection;
according to threat detection, the Wazuh system generates corresponding security events and alarms;
storing the detected security event in a database;
and visually displaying the data in the database in chart or image form through the ThingsBoard platform, and integrating the data access of the Wazuh system through the flow engine of ThingsBoard.
2. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, characterized in that: log data, network traffic and system index data of the Internet of things equipment are acquired in real time by deploying the Wazuh system agent.
3. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for detecting abnormal traffic is as follows: the open source intrusion detection system Suricata is used in combination with a random forest algorithm to detect abnormal traffic in data generated by the Internet of things equipment.
4. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for detecting weak passwords is as follows: a password policy check is carried out on data generated by the Internet of things equipment using OWASP Passfault to check whether the password conforms to the security policy.
5. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for scanning malicious software is as follows: ClamAV is used as the malicious software scanning engine to scan data generated by the Internet of things equipment and detect malicious software.
6. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for detecting equipment vulnerabilities is as follows: data generated by the Internet of things equipment are scanned periodically using Nessus to detect known vulnerabilities.
7. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for detecting data anomalies is as follows:
constructing a model by using an Isolation Forest algorithm;
extracting frequency domain information through Fourier transformation, capturing periodicity and frequency characteristics of data generated by the Internet of things equipment, and obtaining frequency domain characteristics;
extracting the mean value, standard deviation and median of data generated by the Internet of things equipment to obtain basic statistical characteristics;
coding the type characteristics of the data generated by the Internet of things equipment to obtain coding or labeling characteristics;
combining a source IP and a target IP of data generated by the Internet of things equipment into a joint characteristic to obtain a cross characteristic;
the model randomly selects frequency domain features, basic statistical features, coding or labeling features, cross features and split points to construct a binary tree for data anomaly detection.
8. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for detecting instruction tampering is as follows: the data generated by the Internet of things device is encrypted using RSA or HMAC digital signature and encryption algorithms.
9. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for detecting the abnormal geographic position is as follows: a GPS module and an IP geographic position library are used to periodically acquire the geographic position of the Internet of things equipment, the acquired geographic position is compared with a preset range, and if the acquired geographic position is outside the preset range, an alarm is triggered.
10. The method for sensing the network situation of the ThingsBoard Internet of things based on Wazuh according to claim 1, wherein the method for generating the corresponding security event and alarm by the Wazuh system is as follows:
the Wazuh system monitors data generated by the Internet of things equipment through the safety rule, and when the data are matched with the rule, the rule matching is triggered;
when rule matching occurs, the Wazuh system triggers an event which contains the ID, rule name and timestamp of the matching rule;
the triggering event is transmitted to an event processor of the Wazuh system;
the Wazuh system classifies the event into a specified threat type according to the classification of the rule and the attribute of the event;
the Wazuh system aggregates the same type of events triggered repeatedly, and when the events are aggregated or the events are events needing to be notified to an administrator, the Wazuh system generates corresponding alarms.

Bibliographic data

Application CN202311166883.9A, filed 2023-09-12, priority date 2023-09-12: Method for sensing network situation of ThingsBoard Internet of things based on Wazuh. Published as CN117220940A (en) on 2023-12-12; legal status: Pending. Family ID: 89041881. Country status: CN, CN117220940A (en).

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118677676A (en) * 2024-07-01 2024-09-20 深圳开鸿数字产业发展有限公司 Safety detection method, system and terminal of internet of things (IoT) equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination