CN117955754A - Abnormality detection method, device, equipment and storage medium of Internet of things equipment - Google Patents

Abnormality detection method, device, equipment and storage medium of Internet of things equipment Download PDF

Info

Publication number
CN117955754A
CN117955754A CN202410358309.1A CN202410358309A CN117955754A CN 117955754 A CN117955754 A CN 117955754A CN 202410358309 A CN202410358309 A CN 202410358309A CN 117955754 A CN117955754 A CN 117955754A
Authority
CN
China
Prior art keywords
target
abnormality detection
internet
behavior
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410358309.1A
Other languages
Chinese (zh)
Other versions
CN117955754B (en
Inventor
杨家海
林海
李城龙
胡海娜
张辉
王之梁
权晓文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University filed Critical Tsinghua University
Priority to CN202410358309.1A priority Critical patent/CN117955754B/en
Priority claimed from CN202410358309.1A external-priority patent/CN117955754B/en
Publication of CN117955754A publication Critical patent/CN117955754A/en
Application granted granted Critical
Publication of CN117955754B publication Critical patent/CN117955754B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides an anomaly detection method, an anomaly detection device and an anomaly detection storage medium for equipment of the Internet of things, and relates to the technical field of equipment anomaly detection, wherein the anomaly detection method comprises the following steps: acquiring behavior diagrams corresponding to at least two intelligent home platforms, wherein the behavior diagrams are constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms; and performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among cross-automation rules and interference abnormality detection among at least two automation rules. The invention can realize cross-platform anomaly detection and improve the comprehensiveness of anomaly detection.

Description

Abnormality detection method, device, equipment and storage medium of Internet of things equipment
Technical Field
The present invention relates to the field of equipment anomaly detection technologies, and in particular, to an anomaly detection method, apparatus, device, and storage medium for an internet of things device.
Background
In the smart home environment, automation rules define which actions are to be performed when events of certain internet of things devices trigger. The automation rule may have an abnormality after deployment, which results in failure, illegal operation or continuous operation of the corresponding internet of things device, thereby causing a series of security problems. Therefore, anomaly detection of the internet of things device is required to eliminate the potential safety hazards.
In the prior art, when the abnormality detection of the internet of things equipment is performed, due to the isomerism of different intelligent home platforms, the abnormality detection methods of the different intelligent home platforms are mutually different, the abnormality types covered by the abnormality detection methods corresponding to the intelligent home platforms are single, and the abnormality indirect results are on one side.
Disclosure of Invention
The invention provides an anomaly detection method, an anomaly detection device and a storage medium of Internet of things equipment, which are used for solving the defects of low detection comprehensiveness and universality of the anomaly detection method in the prior art, realizing cross-platform anomaly detection and improving the comprehensiveness of anomaly detection.
The invention provides an anomaly detection method of Internet of things equipment, which comprises the following steps:
Acquiring behavior diagrams corresponding to at least two intelligent home platforms, wherein the behavior diagrams are constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms;
And performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among cross-automation rules and interference abnormality detection among at least two automation rules.
According to the anomaly detection method for the internet of things equipment provided by the invention, the target anomaly detection is carried out based on the behavior diagram, and the anomaly detection result is determined, which comprises the following steps:
Determining a first abnormality detection result based on the target flow corresponding to the target internet of things device and the behavior diagram under the condition that the target abnormality detection comprises abnormality detection executed by the target automation rule; the target internet of things device is an internet of things device executing the target automation rule;
Judging whether a first sub-graph meeting the interaction abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interaction abnormality detection among the cross-automation rules, and determining a second abnormality detection result based on a first judgment result; the interaction abnormal condition is that a command with a first automation rule exists or a result generated after the command with the first automation rule is executed is the same as an event in a second automation rule;
Judging whether a second sub-graph meeting the interference abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interference abnormality detection between at least two automation rules, and determining a third abnormality detection result based on a second judgment result;
Determining the abnormality detection result based on at least two of the first abnormality detection result, the second abnormality detection result, and the third abnormality detection result.
According to the anomaly detection method for the internet of things equipment provided by the invention, the first anomaly detection result is determined based on the target flow corresponding to the target internet of things equipment and the behavior diagram, and the method comprises the following steps:
Acquiring a preset fingerprint set; the preset fingerprint set comprises a mapping relation between preset features and behaviors;
Determining an execution behavior corresponding to the target internet of things device based on the preset fingerprint set and the target flow corresponding to the target internet of things device;
constructing a target execution graph based on the execution behavior;
And matching the target execution graph with the behavior graph, and determining the first abnormality detection result.
According to the anomaly detection method of the Internet of things equipment, the preset features in the preset fingerprint set comprise preset stream level features and preset package level features;
The determining, based on the preset fingerprint set and the target flow corresponding to the target internet of things device, the execution behavior corresponding to the target internet of things device includes:
Splitting the target flow corresponding to the target internet of things equipment to obtain at least two data flows;
Determining a reason data stream and an effect data stream corresponding to the target flow based on the time stamps corresponding to the at least two data streams respectively;
Determining a first Manhattan distance between the cause data stream and each of the preset stream level features in the preset fingerprint set, and a second Manhattan distance between the cause data stream and each of the preset packet level features in the preset fingerprint set;
Determining a third Manhattan distance between the effect data stream and each of the preset stream level features in the preset fingerprint set, and a fourth Manhattan distance between the effect data stream and each of the preset packet level features in the preset fingerprint set;
Determining an execution event corresponding to the reason data stream based on the first Manhattan distance and the second Manhattan distance, and determining an execution command corresponding to the effect data stream based on the third Manhattan distance and the fourth Manhattan distance;
And determining the corresponding execution behavior of the target Internet of things equipment based on the execution event and the execution command.
According to the anomaly detection method for the internet of things equipment provided by the invention, the matching of the target execution graph and the behavior graph, and the determination of the first anomaly detection result comprise the following steps:
Positioning in the behavior graphs based on a starting node and a terminating node corresponding to the target execution graph, and determining at least one similar behavior graph;
Determining similarity scores between the target execution graph and each similar behavior graph respectively;
and determining the first abnormality detection result based on each similarity score and a first preset threshold value.
According to the anomaly detection method of the Internet of things equipment, the behavior diagram is constructed based on the following steps:
acquiring all automation rules and device states corresponding to at least two pieces of Internet of things equipment corresponding to the automation rules;
For each automation rule, determining nodes in the behavior graph based on the device states of the at least two internet of things devices corresponding to the automation rule, determining event edges in the behavior graph based on events corresponding to the automation rule, and determining command edges in the behavior graph based on commands corresponding to the automation rule to construct the behavior graph.
According to the anomaly detection method of the Internet of things equipment, the interference anomaly conditions comprise an action conflict condition, an action repetition condition, an action re-lifting condition and an action circulation condition.
The invention also provides an abnormality detection device of the Internet of things equipment, which comprises:
The system comprises an acquisition module, a control module and a control module, wherein the acquisition module is used for acquiring a behavior diagram corresponding to at least two intelligent home platforms, the behavior diagram is constructed based on an automation rule corresponding to each of the at least two intelligent home platforms, and the automation rule is a corresponding relation between an event and a command and Internet of things equipment corresponding to the at least two intelligent home platforms;
The abnormality detection module is used for carrying out target abnormality detection based on the behavior diagram and determining an abnormality detection result, and the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among the cross-automation rules and interference abnormality detection among at least two automation rules.
The invention also provides electronic equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the abnormality detection method of the Internet of things equipment according to any one of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the anomaly detection method of the internet of things device as described in any one of the above.
According to the anomaly detection method, the anomaly detection device, the anomaly detection equipment and the storage medium of the Internet of things equipment, after the behavior patterns constructed according to the corresponding automation rules of at least two intelligent home platforms are obtained, a more complete anomaly exploration space is provided through the cross-platform behavior patterns, at least two of anomaly detection executed by the target automation rules, interaction anomaly detection among the cross-automation rules and interference anomaly detection among the at least two automation rules are carried out, so that more kinds of potential safety hazards are mined, the integrity and the comprehensiveness of anomaly detection results are improved, and the safe operation of the Internet of things equipment in a user home is guaranteed to the greatest extent.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an anomaly detection method of an internet of things device according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a flow chart for constructing a behavior diagram according to an embodiment of the present invention;
FIG. 3 is a second schematic diagram of a flow chart for constructing a behavior diagram according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a target execution diagram according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an abnormality detection device of an internet of things device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Aiming at the problem of low detection comprehensiveness and universality of the anomaly detection method in the prior art, the embodiment of the invention provides the anomaly detection method of the Internet of things equipment, and fig. 1 is a schematic flow chart of the anomaly detection method of the Internet of things equipment, as shown in fig. 1, comprising the following steps:
Step 110, obtaining a behavior diagram corresponding to at least two intelligent home platforms, wherein the behavior diagram is constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms.
Optionally, the behavior diagram is a benign diagram compatible with all automation rules corresponding to each intelligent home platform, can adapt to the difference of different intelligent home platforms, and provides a complete anomaly exploration space for anomaly detection of subsequent internet of things equipment.
Optionally, the smart home platform may include Amazon (Amazon Alexa), samsung (Samsung SmartThings), apple (Apple Homekit), millet (Xiaomi Home), and the like, which is not limited by the embodiment of the present invention.
Optionally, for each intelligent home platform, description sentences corresponding to the automation rules are extracted from automation rule description interfaces and automation rule configuration interfaces with different granularities in apps (Application programs) corresponding to the intelligent home platforms, and the description sentences are analyzed by a natural language processing method to extract the corresponding automation rules.
By way of example, taking "When you return home, turn on LIGHTS AND AIR conditioning and close the curtains" as an example of a description sentence corresponding to the automation rule description interface, the step of extracting the automation rule includes the following steps:
1) The description statement is converted using natural language processing (Natural Language Processing, NLP) techniques into a dependency tree, which is a graphical structure representing the relationships between words in the description statement. The dependency tree is tagged and segmented, and the segmented result is "white" you (human pronoun) return (verb) home (noun), turn (verb) on (small word) lights and (connective) air (noun) and (connective) close (verb) curtains (noun) ". Analyzing the result after the word segmentation, for example, both and are connective words, so that lights and air conditioning are in parallel relationship, and the verb turn on can be shared, and therefore, the result after the word segmentation can be converted into: "When you return home, turn on lights, turn on air conditioning, close the curtains". And analyzing the causal relationship corresponding to the conversion result, dividing the conversion result into an event part and a command part, wherein the event part is used for representing a trigger condition, and the command part is used for representing an executed action. The event part corresponding to the description sentence is "When you return home", and the command part corresponding to the description sentence is "turn on lights, turn on air conditioning, close the curtains".
2) And acquiring a configuration file of the App corresponding to the intelligent home platform, and extracting all equipment attributes in the configuration file.
3) The event part, the command part and all the device attributes are input into a BERT (Bidirectional Encoder Representations from Transformers, bi-directional encoder representation from Transformers) model, the device attribute with the highest association score is determined as the target event device attribute matched with the event part by calculating the association score of the event part corresponding to each device attribute, namely, the target event device attribute is an Arrival Sensor (presence), meanwhile, the target command device attribute matched with the command part is determined by calculating the association score of the command part corresponding to each device attribute, and the determined target command device attribute comprises: SMART LIGHT Bulb (switch. On), fan Light (switch. On), AC (switch. On), CUR (curtain. Down).
4) Combining according to the target event equipment attribute and the target command equipment attribute to obtain two automation rules, wherein the two automation rules are respectively as follows:
wherein LT1 represents SMART LIGHT Bulb (Intelligent Bulb), LT2 represents Fan Light (atmosphere lamp), Representing events in two automation rules,/>、/>And/>Respectively representing three commands in the first automation rule,/>Representing the actions switch. On,/>, performed by the smart light bulbRepresenting the actions switch. On,/>, performed by an alternating current deviceRepresenting the action curtain. Down performed by the curtain; /(I)、/>And/>Respectively representing three commands in the second automation rule,/>The other two commands are identical to those in the first automation rule, indicating the action switch. On performed by the atmosphere lamp.
5) In order to improve the accuracy of the subsequent anomaly detection, make up for the defect of ambiguous description sentences in the automation rule description interface, an event part is "If time to 20:16" and a command part is "Send notification to members, shower" can be extracted from the automation rule configuration interface, and the steps 2) to 3) are repeated to obtain a complementary automation rule as follows: The SD represents a message sending device, which may be a terminal, a tablet computer, or the like, where the APP is installed, which is not limited in the embodiment of the present invention. The acquired automation rules can be more comprehensive through the supplement of the automation rule configuration interface.
6) Repeating the steps 1) to 5) for each intelligent home platform to obtain all automation rules corresponding to all intelligent home platforms.
Further, the behavior diagram is constructed based on the following steps:
acquiring all automation rules and device states corresponding to at least two pieces of Internet of things equipment corresponding to the automation rules;
For each automation rule, determining nodes in the behavior graph based on the device states of the at least two internet of things devices corresponding to the automation rule, determining event edges in the behavior graph based on events corresponding to the automation rule, and determining command edges in the behavior graph based on commands corresponding to the automation rule to construct the behavior graph.
Specifically, after all the automation rules are determined, the device states corresponding to at least two pieces of internet of things devices corresponding to each automation rule can be obtained, and taking the internet of things device as a water heater as an example, the two device states of the water heater are switch.on and switch.off respectively. When the behavior diagram is built according to the automation rules, at least two pieces of equipment of the Internet of things related to each automation rule can be built into equipment nodes, the equipment state is used as a state node, and then, as the equipment state change of the equipment of the Internet of things is accompanied with the generation of an event, an event edge is built among the nodes of different states of the same equipment of the Internet of things, and a command edge between at least two pieces of equipment of the Internet of things is built according to commands in the automation rules.
For example, fig. 2 is one of the schematic flow diagrams for constructing the behavior diagram provided in the embodiment of the present invention, as shown in fig. 2, taking an example that an automation rule R1 includes an event and a command and two devices of the internet of things are involved, first, respectively determining the device states corresponding to the devices D 1 of the internet of thingsAnd device status/>And device state/>, corresponding to the internet of things device D 2 And device status/>And respectively constructing device state representations of two pieces of Internet of things devices shown in fig. 2, wherein the Internet of things device D 1 and the device states/>, respectivelyAnd device status/>The edge of (1) represents the behavior of the user actively controlling the internet of things device D 1, and the internet of things device D 2 and the device state/>, respectivelyAnd device status/>The edge of (a) represents the behavior of the user actively controlling the internet of things device D 2. Second, connect device status/>And device status/>Simultaneously connect device state/>And device status/>An event edge representation as shown in fig. 2 is constructed. Thereafter, in event edge representation, device state/>, is connected according to the commands in the automation rule R1And device status/>And constructing a command edge to obtain a rule integration representation. Finally, the device states/>, which are involved in the automation rule R1, are determined from the events and commands in the automation rule R1Device status/>Device statusAnd combining the event side E1 and the command side C1 to obtain a behavior subgraph corresponding to the automation rule R1 and shown in fig. 2.
For example, fig. 3 is a second schematic diagram of a construction flow of a behavior diagram provided in an embodiment of the present invention, as shown in fig. 3, taking an example that an automation rule R2 includes two events and one command and three devices of the internet of things are involved, first, device states corresponding to devices D 1 of the internet of things are respectively determinedAnd device status/>Device state/>, corresponding to the internet of things device D 2 And device status/>And device state/>, corresponding to the internet of things device D 3 And device status/>And respectively constructing device state representations of three internet of things devices as shown in fig. 3. Second, connect device status/>And device status/>Connected device state/>And device status/>Connected device state/>And device status/>An event edge representation as shown in fig. 3 is constructed. Then, in the event edge representation, since the two events are triggered simultaneously and then the command is executed, a Union (Union) node U1 is introduced, and the Union node is used for judging whether the two events are triggered simultaneously, and can be used as an intermediate state of three internet of things devices. Thereafter, the federation node U1 and device state/>, are connected according to the commands in the automation rule R2A command edge is constructed and the device state/>, is connected according to two events in the automation rule R2And federation node U1, and device state/>And the alliance node U1, obtaining a rule integration representation. Finally, the device states/>, which are involved in the automation rule R2, are determined from the events and commands in the automation rule R2Device status/>Device status/>Device status/>Federation node U1 and device state/>And combining the event edge E6, the event edge E8 and the command edge C2 to obtain a behavior subgraph corresponding to the automation rule R2 and shown in fig. 3.
And determining the behavior graphs corresponding to all the automation rules according to the behavior subgraphs corresponding to all the automation rules. If the number of the intelligent home platforms is increased or decreased, the behavior diagram can be updated, and the accuracy of subsequent abnormality detection is ensured.
And 120, performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among the automation rules and interference abnormality detection among at least two automation rules.
Specifically, after the behavior diagram is obtained, at least two of abnormality detection executed by the target automation rule, interaction abnormality detection among the cross-automation rules and interference abnormality detection among at least two automation rules can be performed according to the behavior diagram, so that an abnormality detection result is determined, the abnormality detection is more comprehensive, and the provided system defense is more comprehensive. The abnormal detection executed by the target automation rule can be understood as the difference between the equipment state corresponding to the internet of things equipment and the labeling in the behavior diagram when the single automation rule is executed; cross-automation rule interaction anomaly detection can be understood as an event in which a command of one of two automation rules affects the other automation rule; the detection of interference anomalies between at least two automation rules may be understood as the existence of interference anomalies such as collisions, repetitions, re-lifting, or loops, etc. of at least two automation rules when executed.
Further, the target abnormality detection based on the behavior diagram, and determining an abnormality detection result, includes:
Determining a first abnormality detection result based on the target flow corresponding to the target internet of things device and the behavior diagram under the condition that the target abnormality detection comprises abnormality detection executed by the target automation rule; the target internet of things device is an internet of things device executing the target automation rule.
Judging whether a first sub-graph meeting the interaction abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interaction abnormality detection among the cross-automation rules, and determining a second abnormality detection result based on a first judgment result; the interaction abnormal condition is that a command of a first automation rule exists or a result generated after the command of the first automation rule is executed is the same as an event in a second automation rule.
Judging whether a second sub-graph meeting the interference abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interference abnormality detection between at least two automation rules, and determining a third abnormality detection result based on a second judgment result;
Determining the abnormality detection result based on at least two of the first abnormality detection result, the second abnormality detection result, and the third abnormality detection result.
Specifically, when the target anomaly detection is the anomaly detection executed by the target automation rule, the execution behavior of the target internet of things device when executing the target automation rule can be identified according to the target flow of the target internet of things device, and the first anomaly detection result is determined by matching the execution behavior with each benign behavior in the behavior diagram, namely, whether the target internet of things device is abnormal when executing the target automation rule is determined. When the target abnormality detection is inter-automation rule interaction abnormality detection, whether a first sub-graph corresponding to two automation rules exists is mined from the behavior graph, wherein a command of the first automation rule influences an event of the second automation rule, if so, the fact that the interaction abnormality exists between the two automation rules is indicated, and then a second abnormality detection result is determined. When the target abnormality detection comprises interference abnormality detection between at least two automation rules, whether two automation rule interference abnormality conditions exist is mined from the behavior diagram, and then a third abnormality detection result is determined. According to at least two of the first abnormality detection result, the second abnormality detection result and the third abnormality detection result, a comprehensive abnormality detection result can be obtained, namely, potential safety hazards existing on an automation rule deployed in the intelligent home platform by a user can be detected, and the potential safety hazards can cause the failure, illegal work or continuous work of the functions of the Internet of things equipment, so that the safety problems such as fire, flood and the like are caused. Through the behavior diagram, more kinds of potential safety hazards can be mined, and safe operation of all Internet of things equipment in the intelligent home platform can be guaranteed to the greatest extent.
Further, the determining, based on the target flow and the behavior diagram corresponding to the target internet of things device, a first anomaly detection result includes:
Acquiring a preset fingerprint set; the preset fingerprint set comprises a mapping relation between preset features and behaviors;
Determining an execution behavior corresponding to the target internet of things device based on the preset fingerprint set and the target flow corresponding to the target internet of things device;
constructing a target execution graph based on the execution behavior;
And matching the target execution graph with the behavior graph, and determining the first abnormality detection result.
Specifically, when the target anomaly detection is performed by the target automation rule, firstly, sequentially matching the characteristics in the target flow with each preset characteristic in the preset fingerprint set, and determining the behavior corresponding to the preset characteristics matched with the characteristics in the target flow as the execution behavior corresponding to the target flow, namely, the behavior generated when the target automation rule is performed by the target internet of things equipment, constructing a target execution diagram corresponding to the target internet of things equipment through the execution behavior, and determining whether the target internet of things equipment is abnormal in the execution of the target automation rule or not through matching the target execution diagram with the behavior diagram, namely, determining a first anomaly detection result.
Further, the preset features in the preset fingerprint set comprise preset stream level features and preset package level features;
The determining, based on the preset fingerprint set and the target flow corresponding to the target internet of things device, the execution behavior corresponding to the target internet of things device includes:
Splitting the target flow corresponding to the target internet of things equipment to obtain at least two data flows;
Determining a reason data stream and an effect data stream corresponding to the target flow based on the time stamps corresponding to the at least two data streams respectively;
Determining a first Manhattan distance between the cause data stream and each of the preset stream level features in the preset fingerprint set, and a second Manhattan distance between the cause data stream and each of the preset packet level features in the preset fingerprint set;
Determining a third Manhattan distance between the effect data stream and each of the preset stream level features in the preset fingerprint set, and a fourth Manhattan distance between the effect data stream and each of the preset packet level features in the preset fingerprint set;
Determining an execution event corresponding to the reason data stream based on the first Manhattan distance and the second Manhattan distance, and determining an execution command corresponding to the effect data stream based on the third Manhattan distance and the fourth Manhattan distance;
And determining the corresponding execution behavior of the target Internet of things equipment based on the execution event and the execution command.
Specifically, after the target flow is obtained, the target flow can be split according to router/hub addresses corresponding to different internet of things device types, so as to obtain different data flows, which can be expressed asWherein P represents a target flow rate,/>And (3) representing the ith data flow obtained after splitting, Q representing the number of data flows obtained by splitting the target flow, and N representing the number of data packets included in the target flow. Each data stream represents one or more events. And comparing the time stamp corresponding to each data stream with a time threshold value to determine the category corresponding to each data stream, if the time stamp of the data stream is larger than the time threshold value, determining that the data stream belongs to the effect data stream, and if the time stamp of the data stream is smaller than or equal to the time threshold value, determining that the data stream belongs to the reason data stream. Then, the reason data stream and the effect data stream are split to obtain tuples, and each tuple only comprises one action, wherein the action comprises an event or a command. For each tuple in the reason data stream, matching the stream level feature of the tuple with each preset stream level feature in the preset fingerprint set, namely, calculating a first Manhattan distance between the stream level feature of the tuple and each preset stream level feature, and matching the packet level feature of the tuple with each preset packet level feature in the preset fingerprint set, namely, calculating a second Manhattan distance between the packet level feature of the tuple and each preset packet level feature. And then, calculating a weighted sum between each first Manhattan distance and each second Manhattan distance, and determining an event corresponding to the calculated minimum distance sum value as an execution event corresponding to the reason data stream. Similarly, for each tuple in the effect data stream, matching the stream level feature of the tuple with each preset stream level feature in the preset fingerprint set, i.e., calculating a third manhattan distance between the stream level feature of the tuple and each preset stream level feature, and matching the packet level feature of the tuple with each preset packet level feature in the preset fingerprint set, i.e., calculating a fourth manhattan distance between the packet level feature of the tuple and each preset packet level feature. And then, calculating a weighted sum between each third Manhattan distance and each fourth Manhattan distance, and determining a command corresponding to the calculated minimum distance sum value as an execution command corresponding to the effect data stream. According to the execution event and the execution command, the execution behavior corresponding to the target internet of things device can be determined, namely, after the execution event is triggered, the action corresponding to the execution command is executed.
Optionally, the minimum distance and the value are determined as shown in formula (1), where formula (1) is:
Wherein, Representing the minimum distance sum,/>Representing a first Manhattan distance or a third Manhattan distance,/>Representing preset stream level features in the fingerprint of an event Ei or command Ci,/>Stream level features in a fingerprint representing the jth data stream when an automation rule is executed,/>Representing a weight factor corresponding to the first manhattan distance or the third manhattan distance,Representing a second Manhattan distance or a fourth Manhattan distance,/>Preset packet-level features in fingerprints representing events Ei or commands Ci,/>Packet-level features in fingerprints representing jth data stream when an automation rule is executed,/>Weight factor corresponding to the second Manhattan distance or the fourth Manhattan distance is expressed by/>,/>,/>Representing a distance threshold.
It should be noted that, the fingerprint corresponding to each event/command may be obtained by executing each device action multiple times in advance, so as to construct a preset fingerprint set of all devices, for example, after executing each device action 100 times, obtaining the fingerprint corresponding to each event/command through Kmeans clustering, where the preset fingerprint set includes a mapping relationship between preset features and behaviors. The fingerprint comprises a preset stream level characteristic and a preset packet level characteristic, wherein:
1) The preset stream level characteristics may be expressed as Wherein/>Represents the average packet interval of the jth data stream,/>Indicating the packet sequence length of the j-th data stream.
2) The preset package level feature may be expressed asWherein/>The data packet size in the data packet sequence of different events is changed, which represents the size of the kth data packet; /(I)The protocol corresponding to the kth data packet is represented, when s2=0, the protocol is represented as a WiFi protocol, when s2=1, the protocol is represented as a ZWave protocol, when s2=2, the protocol is represented as a Zigbee protocol, and when s2=3, the protocol is represented as a Bluetooth protocol; /(I)The direction corresponding to the kth data packet is indicated, when s3=0, the direction is transmitted from the internet of things device to the router, and when s3=1, the direction is transmitted from the router to the internet of things device.
It should be noted that if the data streams corresponding to the same type of the internet of things device exist in the target traffic, it may be determined whether the interval between the state termination packet and the state start packet exceeds a second preset threshold, and if so, two different data streams may be split from the target traffic.
Fig. 4 is a schematic flow chart of construction of a target execution diagram according to an embodiment of the present invention, as shown in fig. 4, after a target flow is obtained, the target flow may be split to obtain a data stream 1, a data stream 2, and a data stream 3 corresponding to different internet of things devices, where time stamps of initial data packets corresponding to the data stream 1, the data stream 2, and the data stream 3 are different. Each time stamp is compared with a time threshold T1, and data stream 1 is determined as the cause data stream, and data stream 2 and data stream 3 are both determined as the effect data streams. Respectively matching each preset characteristic in the data stream 1, the data stream 2 and the data stream 3 with preset fingerprints to obtain an execution event E1 matched with the data stream 1, an execution command C1 matched with the data stream 2 and an execution command C2 matched with the data stream 3, and constructing two causal sequences according to the causal relationship between the execution event and the two execution commands, wherein the two causal sequences are respectively as follows:
1) and/>
2)
Then, the two cause and effect sequences are respectively converted into respective corresponding target execution charts as shown in fig. 4.
Further, the matching the target execution graph with the behavior graph, and determining the first anomaly detection result includes:
Positioning in the behavior graphs based on a starting node and a terminating node corresponding to the target execution graph, and determining at least one similar behavior graph;
Determining similarity scores between the target execution graph and each similar behavior graph respectively;
and determining the first abnormality detection result based on each similarity score and a first preset threshold value.
Specifically, after the target execution graph is built, matching can be performed according to a start node and a stop node corresponding to the target execution graph, at least one similar behavior graph similar to the behavior graph is found, then graph matching is performed on each similar behavior graph and the target execution graph by using GRAPHSAGE, the similarity score between the target execution graph and each similar behavior graph is determined by calculating the edge attribute and the node attribute, if the similarity score is equal to a first preset threshold, it can be determined that the target execution graph is at least identical to one similar behavior graph in the behavior graph, and at this moment, it is indicated that the execution of the target automation rule is not abnormal. If all the similarity scores are smaller than the first preset threshold, it can be determined that the target execution graph is not identical to any one of the similar behavior graphs, and at this time, it indicates that the execution of the target automation rule is abnormal, and then a first abnormality detection result is determined.
It should be noted that the first preset threshold may be 1, which is used to indicate that the target execution graph is identical to the similar behavior graph.
Optionally, the interaction abnormal condition includes a network interaction condition and a physical interaction condition, wherein:
1) The network interaction condition is that the command of the first automation rule is identical to the event of the second automation rule under the condition that the device attribute, the system attribute and the function attribute of the two automation rules are identical. And if a first sub-graph meeting the network interaction condition exists in the behavior graph, indicating that the network interaction abnormality exists in the first automation rule and the second automation rule.
2) Under the condition that the equipment attribute, the system attribute and the function attribute of the two automation rules are not identical, the result generated after the command of the first automation rule is executed is identical to the event of the second automation rule, namely, the change of the external environment is caused after the command of the first automation rule is executed, and the change of the external environment triggers the execution of the second automation rule. When the physical interaction exists in the mining behavior diagram, calculating the association degree score of each automation rule and each physical channel through the BERT model, if the association degree score exceeds a third preset threshold value, indicating that the automation rule is associated with the physical channel, then, for any two automation rules associated with the same physical channel, judging whether a result generated after executing a command of one automation rule is the same as an event of the other automation rule, if so, indicating that the physical interaction between the two automation rules is abnormal. For example, taking an event of the first automation rule as a temperature lower, a command of the first automation rule as an on heater, an event of the second automation rule as an event of the temperature higher, a command of the second automation rule as an event of the second automation rule, and the first automation rule and the second automation rule are both associated with a temperature physical channel as examples, after the command of the first automation rule is executed, the temperature is raised, and the same result as the event of the second automation rule is generated along with the rise of the temperature, and the second automation rule is triggered, so that a physical interaction abnormality exists between the first automation rule and the second automation rule, therefore, a physical interaction edge can be constructed by connecting a subsequent node of the command of the first automation rule with a previous node of the event of the second automation rule, and the physical interaction edge is named by the physical channel, namely, the physical interaction edge is named as "temperature".
Further, the interference abnormal condition includes an action conflict condition, an action repetition condition, an action re-extraction condition, and an action cycle condition.
Specifically, four types of interferometric exception conditions are shown in Table 1. As can be seen from table 1, the action conflict condition indicates that, in any two automation rules, the internet of things device corresponding to the command of the first automation rule and the command of the second automation rule are the same, but the executed actions are different, for example, the commands of the two automation rules are all to operate the heater, the command of the first automation rule is to turn on the heater, and the command of the second automation rule is to turn off the heater, if the two automation rules are executed simultaneously, the action conflict condition is satisfied, that is, the action conflict exception exists. The action repetition condition indicates that the two commands of the automation rule are identical, for example, the two commands of the automation rule are both heater-on, and at this time, the action repetition condition is satisfied, that is, there is an action repetition abnormality. The action re-providing condition indicates that n automation rules with interaction abnormality exist, and the first automation rule and the n automation rules have action conflict abnormality. The action cycle condition indicates that n automation rules with interaction abnormality are cyclically executed, that is, a first automation rule triggers a second automation rule … … and an nth automation rule triggers the first automation rule. When the second sub-graph meeting the conditions is mined in the behavior graph, if the action conflict condition or the action repetition condition is met, two automation rules can be mined on the behavior graph, and if the action re-lifting condition or the action circulation condition is met, at least two automation rules can be mined on the behavior graph.
TABLE 1
Wherein,Representing automation rules/>Command set of/>Representing command set/>One command or one command edge,/>Representing command edges/>Successor node of/>Representing successor node,/>Attribute name representing successor node,/>Representing attribute values of successor nodes,/>Automated rule pair set representing presence of network interactions,/>Automated rule pair set representing the existence of physical interactions,/>Representing automation rules/>And Automation rules/>There is network interaction abnormality or physical interaction abnormality between the two,/>
According to the anomaly detection method for the Internet of things equipment, after the behavior patterns constructed according to the corresponding automation rules of at least two intelligent home platforms are obtained, a more complete anomaly exploration space is provided through the cross-platform behavior patterns, at least two of anomaly detection executed by the target automation rules, interaction anomaly detection among the cross-automation rules and interference anomaly detection among the at least two automation rules are carried out, so that more kinds of potential safety hazards are mined, the integrity and the comprehensiveness of anomaly detection results are improved, and the safe operation of the Internet of things equipment in a user home is guaranteed to the greatest extent.
The abnormality detection device of the internet of things equipment provided by the invention is described below, and the abnormality detection device of the internet of things equipment described below and the abnormality detection method of the internet of things equipment described above can be correspondingly referred to each other.
The embodiment of the invention also provides an abnormality detection device for an internet of things device, and fig. 5 is a schematic structural diagram of the abnormality detection device for an internet of things device provided by the embodiment of the invention, as shown in fig. 5, an abnormality detection device 500 for an internet of things device includes: an acquisition module 510 and an anomaly detection module 520, wherein:
The obtaining module 510 is configured to obtain a behavior diagram corresponding to at least two smart home platforms, where the behavior diagram is constructed based on an automation rule corresponding to each of the at least two smart home platforms, and the automation rule is a correspondence between an event, a command, and an internet of things device corresponding to the at least two smart home platforms;
the anomaly detection module 520 is configured to perform target anomaly detection based on the behavior diagram, and determine an anomaly detection result, where the target anomaly detection includes at least two of anomaly detection performed by a target automation rule, interactive anomaly detection across automation rules, and interference anomaly detection between at least two automation rules.
According to the abnormality detection device for the Internet of things equipment, after the behavior patterns constructed according to the corresponding automation rules of at least two intelligent home platforms are obtained, a more complete abnormality exploration space is provided through the cross-platform behavior patterns, at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among the cross-automation rules and interference abnormality detection among at least two automation rules are carried out, so that more kinds of potential safety hazards are mined, the integrity and the comprehensiveness of abnormality detection results are improved, and the safe operation of the Internet of things equipment in a user home is guaranteed to the greatest extent.
Optionally, the anomaly detection module 520 is specifically configured to:
Determining a first abnormality detection result based on the target flow corresponding to the target internet of things device and the behavior diagram under the condition that the target abnormality detection comprises abnormality detection executed by the target automation rule; the target internet of things device is an internet of things device executing the target automation rule;
Judging whether a first sub-graph meeting the interaction abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interaction abnormality detection among the cross-automation rules, and determining a second abnormality detection result based on a first judgment result; the interaction abnormal condition is that a command with a first automation rule exists or a result generated after the command with the first automation rule is executed is the same as an event in a second automation rule;
Judging whether a second sub-graph meeting the interference abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interference abnormality detection between at least two automation rules, and determining a third abnormality detection result based on a second judgment result;
Determining the abnormality detection result based on at least two of the first abnormality detection result, the second abnormality detection result, and the third abnormality detection result.
Optionally, the anomaly detection module 520 is specifically configured to:
Acquiring a preset fingerprint set; the preset fingerprint set comprises a mapping relation between preset features and behaviors;
Determining an execution behavior corresponding to the target internet of things device based on the preset fingerprint set and the target flow corresponding to the target internet of things device;
constructing a target execution graph based on the execution behavior;
And matching the target execution graph with the behavior graph, and determining the first abnormality detection result.
Optionally, the preset features in the preset fingerprint set include preset stream level features and preset packet level features.
Optionally, the anomaly detection module 520 is specifically configured to:
Splitting the target flow corresponding to the target internet of things equipment to obtain at least two data flows;
Determining a reason data stream and an effect data stream corresponding to the target flow based on the time stamps corresponding to the at least two data streams respectively;
Determining a first Manhattan distance between the cause data stream and each of the preset stream level features in the preset fingerprint set, and a second Manhattan distance between the cause data stream and each of the preset packet level features in the preset fingerprint set;
Determining a third Manhattan distance between the effect data stream and each of the preset stream level features in the preset fingerprint set, and a fourth Manhattan distance between the effect data stream and each of the preset packet level features in the preset fingerprint set;
Determining an execution event corresponding to the reason data stream based on the first Manhattan distance and the second Manhattan distance, and determining an execution command corresponding to the effect data stream based on the third Manhattan distance and the fourth Manhattan distance;
And determining the corresponding execution behavior of the target Internet of things equipment based on the execution event and the execution command.
Optionally, the anomaly detection module 520 is specifically configured to:
Positioning in the behavior graphs based on a starting node and a terminating node corresponding to the target execution graph, and determining at least one similar behavior graph;
Determining similarity scores between the target execution graph and each similar behavior graph respectively;
and determining the first abnormality detection result based on each similarity score and a first preset threshold value.
Optionally, the abnormality detection apparatus 500 of the internet of things device further includes a construction module, where the construction module is specifically configured to:
acquiring all automation rules and device states corresponding to at least two pieces of Internet of things equipment corresponding to the automation rules;
For each automation rule, determining nodes in the behavior graph based on the device states of the at least two internet of things devices corresponding to the automation rule, determining event edges in the behavior graph based on events corresponding to the automation rule, and determining command edges in the behavior graph based on commands corresponding to the automation rule to construct the behavior graph.
Optionally, the interference abnormal condition includes an action conflict condition, an action repetition condition, an action re-extraction condition and an action cycle condition.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, as shown in fig. 6, the electronic device may include: processor 610, communication interface (Communications Interface) 620, memory 630, and communication bus 640, wherein processor 610, communication interface 620, memory 630 communicate with each other via communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform an anomaly detection method for an internet of things device, the method comprising:
Acquiring behavior diagrams corresponding to at least two intelligent home platforms, wherein the behavior diagrams are constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms;
And performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among cross-automation rules and interference abnormality detection among at least two automation rules.
Further, the logic instructions in the memory 630 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, where the computer program may be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer is capable of executing the anomaly detection method of the internet of things device provided by the above methods, and the method includes:
Acquiring behavior diagrams corresponding to at least two intelligent home platforms, wherein the behavior diagrams are constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms;
And performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among cross-automation rules and interference abnormality detection among at least two automation rules.
In still another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, is implemented to perform the anomaly detection method of the internet of things device provided by the above methods, the method comprising:
Acquiring behavior diagrams corresponding to at least two intelligent home platforms, wherein the behavior diagrams are constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms;
And performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among cross-automation rules and interference abnormality detection among at least two automation rules.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. The abnormality detection method for the Internet of things equipment is characterized by comprising the following steps of:
Acquiring behavior diagrams corresponding to at least two intelligent home platforms, wherein the behavior diagrams are constructed based on automation rules corresponding to the at least two intelligent home platforms, and the automation rules are corresponding relations between events and commands and Internet of things equipment corresponding to the at least two intelligent home platforms;
And performing target abnormality detection based on the behavior diagram, and determining an abnormality detection result, wherein the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among cross-automation rules and interference abnormality detection among at least two automation rules.
2. The anomaly detection method for the internet of things device according to claim 1, wherein the performing target anomaly detection based on the behavior diagram, determining an anomaly detection result, includes:
Determining a first abnormality detection result based on the target flow corresponding to the target internet of things device and the behavior diagram under the condition that the target abnormality detection comprises abnormality detection executed by the target automation rule; the target internet of things device is an internet of things device executing the target automation rule;
Judging whether a first sub-graph meeting the interaction abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interaction abnormality detection among the cross-automation rules, and determining a second abnormality detection result based on a first judgment result; the interaction abnormal condition is that a command with a first automation rule exists or a result generated after the command with the first automation rule is executed is the same as an event in a second automation rule;
Judging whether a second sub-graph meeting the interference abnormal condition exists in the behavior graph or not under the condition that the target abnormality detection comprises interference abnormality detection between at least two automation rules, and determining a third abnormality detection result based on a second judgment result;
Determining the abnormality detection result based on at least two of the first abnormality detection result, the second abnormality detection result, and the third abnormality detection result.
3. The anomaly detection method for the internet of things device according to claim 2, wherein the determining the first anomaly detection result based on the target flow rate corresponding to the target internet of things device and the behavior diagram includes:
Acquiring a preset fingerprint set; the preset fingerprint set comprises a mapping relation between preset features and behaviors;
Determining an execution behavior corresponding to the target internet of things device based on the preset fingerprint set and the target flow corresponding to the target internet of things device;
constructing a target execution graph based on the execution behavior;
And matching the target execution graph with the behavior graph, and determining the first abnormality detection result.
4. The anomaly detection method of internet of things equipment according to claim 3, wherein the preset features in the preset fingerprint set comprise preset stream level features and preset packet level features;
The determining, based on the preset fingerprint set and the target flow corresponding to the target internet of things device, the execution behavior corresponding to the target internet of things device includes:
Splitting the target flow corresponding to the target internet of things equipment to obtain at least two data flows;
Determining a reason data stream and an effect data stream corresponding to the target flow based on the time stamps corresponding to the at least two data streams respectively;
Determining a first Manhattan distance between the cause data stream and each of the preset stream level features in the preset fingerprint set, and a second Manhattan distance between the cause data stream and each of the preset packet level features in the preset fingerprint set;
Determining a third Manhattan distance between the effect data stream and each of the preset stream level features in the preset fingerprint set, and a fourth Manhattan distance between the effect data stream and each of the preset packet level features in the preset fingerprint set;
Determining an execution event corresponding to the reason data stream based on the first Manhattan distance and the second Manhattan distance, and determining an execution command corresponding to the effect data stream based on the third Manhattan distance and the fourth Manhattan distance;
And determining the corresponding execution behavior of the target Internet of things equipment based on the execution event and the execution command.
5. The method for detecting an anomaly of an internet of things device according to claim 3, wherein the matching the target execution graph with the behavior graph, and determining the first anomaly detection result, comprises:
Positioning in the behavior graphs based on a starting node and a terminating node corresponding to the target execution graph, and determining at least one similar behavior graph;
Determining similarity scores between the target execution graph and each similar behavior graph respectively;
and determining the first abnormality detection result based on each similarity score and a first preset threshold value.
6. The abnormality detection method of an internet of things device according to any one of claims 1 to 5, wherein the behavior diagram is constructed based on:
acquiring all automation rules and device states corresponding to at least two pieces of Internet of things equipment corresponding to the automation rules;
For each automation rule, determining nodes in the behavior graph based on the device states of the at least two internet of things devices corresponding to the automation rule, determining event edges in the behavior graph based on events corresponding to the automation rule, and determining command edges in the behavior graph based on commands corresponding to the automation rule to construct the behavior graph.
7. The method of any of claims 2-5, wherein the interferometric anomaly condition comprises an action conflict condition, an action repetition condition, an action re-qualification condition, and an action cycle condition.
8. An anomaly detection device of an internet of things device, comprising:
The system comprises an acquisition module, a control module and a control module, wherein the acquisition module is used for acquiring a behavior diagram corresponding to at least two intelligent home platforms, the behavior diagram is constructed based on an automation rule corresponding to each of the at least two intelligent home platforms, and the automation rule is a corresponding relation between an event and a command and Internet of things equipment corresponding to the at least two intelligent home platforms;
The abnormality detection module is used for carrying out target abnormality detection based on the behavior diagram and determining an abnormality detection result, and the target abnormality detection comprises at least two of abnormality detection executed by a target automation rule, interaction abnormality detection among the cross-automation rules and interference abnormality detection among at least two automation rules.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the anomaly detection method for an internet of things device according to any one of claims 1-7 when the program is executed by the processor.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the anomaly detection method of the internet of things device of any one of claims 1-7.
CN202410358309.1A 2024-03-27 Abnormality detection method, device, equipment and storage medium of Internet of things equipment Active CN117955754B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410358309.1A CN117955754B (en) 2024-03-27 Abnormality detection method, device, equipment and storage medium of Internet of things equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410358309.1A CN117955754B (en) 2024-03-27 Abnormality detection method, device, equipment and storage medium of Internet of things equipment

Publications (2)

Publication Number Publication Date
CN117955754A true CN117955754A (en) 2024-04-30
CN117955754B CN117955754B (en) 2024-06-25

Family

ID=

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104238466A (en) * 2013-06-08 2014-12-24 华北电力大学(保定) Smart power and energy using system platform based on Cloud of Things
CN108983625A (en) * 2018-07-20 2018-12-11 山东大学深圳研究院 A kind of smart home system and service creation method
KR20210001170A (en) * 2019-06-27 2021-01-06 유니트론 주식회사 Learning based life pattern recognition and monitoring of living alone method and system with IoT network
US20220043703A1 (en) * 2020-07-28 2022-02-10 Electronics And Telecommunications Research Institute Method and apparatus for intelligent operation management of infrastructure
CN116956192A (en) * 2023-07-19 2023-10-27 中国电信股份有限公司技术创新中心 Abnormal data detection method, device, medium and equipment
CN117061569A (en) * 2023-10-11 2023-11-14 工福(北京)科技发展有限公司 Internet of things-based industrial and social interaction digital information monitoring system
CN117131379A (en) * 2023-09-19 2023-11-28 广东财经大学 Neural network-based intelligent household abnormity monitoring method and system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104238466A (en) * 2013-06-08 2014-12-24 华北电力大学(保定) Smart power and energy using system platform based on Cloud of Things
CN108983625A (en) * 2018-07-20 2018-12-11 山东大学深圳研究院 A kind of smart home system and service creation method
KR20210001170A (en) * 2019-06-27 2021-01-06 유니트론 주식회사 Learning based life pattern recognition and monitoring of living alone method and system with IoT network
US20220043703A1 (en) * 2020-07-28 2022-02-10 Electronics And Telecommunications Research Institute Method and apparatus for intelligent operation management of infrastructure
CN116956192A (en) * 2023-07-19 2023-10-27 中国电信股份有限公司技术创新中心 Abnormal data detection method, device, medium and equipment
CN117131379A (en) * 2023-09-19 2023-11-28 广东财经大学 Neural network-based intelligent household abnormity monitoring method and system
CN117061569A (en) * 2023-10-11 2023-11-14 工福(北京)科技发展有限公司 Internet of things-based industrial and social interaction digital information monitoring system

Similar Documents

Publication Publication Date Title
Ma et al. Detect rumors in microblog posts using propagation structure via kernel learning
CN107885999B (en) Vulnerability detection method and system based on deep learning
CN106709345B (en) Method, system and equipment for deducing malicious code rules based on deep learning method
US10218716B2 (en) Technologies for analyzing uniform resource locators
KR102291869B1 (en) Method and apparatus for anomaly detection of traffic pattern
Wu et al. Intelligent smoke alarm system with wireless sensor network using ZigBee
WO2023045417A1 (en) Fault knowledge graph construction method and apparatus
CN112579469A (en) Source code defect detection method and device
CN106295346B (en) Application vulnerability detection method and device and computing equipment
US20180309648A1 (en) Ultra-Fast Pattern Generation Algorithm for the Heterogeneous Logs
WO2021051955A1 (en) Method and apparatus for controlling electrical appliance, and computer-readable storage medium
CN107273294A (en) A kind of duplicated code detection method based on neutral net language model
TW201631502A (en) Systems and methods for pattern matching and relationship discovery
US20210027167A1 (en) Model structure extraction for analyzing unstructured text data
WO2018090580A1 (en) Method and apparatus for sensing optical access network service stream and computer storage medium
CN107111609A (en) Lexical analyzer for neural language performance identifying system
CN113157385A (en) Intelligent contract vulnerability automatic detection method based on graph neural network
CN109688112A (en) Industrial Internet of Things unusual checking device
CN106446341A (en) Process algebra-based real-time protocol analysis and verification system
CN117955754B (en) Abnormality detection method, device, equipment and storage medium of Internet of things equipment
CN117955754A (en) Abnormality detection method, device, equipment and storage medium of Internet of things equipment
Chen et al. Multi-platform application interaction extraction for iot devices
CN113837302A (en) City safety management monitoring method and system based on Internet of things and electronic equipment
CN117134958A (en) Information processing method and system for network technology service
CN111967003A (en) Automatic wind control rule generation system and method based on black box model and decision tree

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant