CN110602041A - White list-based Internet of things equipment identification method and device and network architecture - Google Patents

Info

Publication number
CN110602041A
Authority
CN
China
Prior art keywords
equipment
model
internet
things
white list
Legal status
Pending
Application number
CN201910717616.3A
Other languages
Chinese (zh)
Inventor
郭渊博
杨威超
甄帅辉
钟雅
琚安康
张瑞杰
李涛
方晨
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN201910717616.3A
Publication of CN110602041A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of network security and relates to a white list-based Internet of Things device identification method, a device identification apparatus and a network architecture. The method comprises the following steps: capturing data packets in the network, acquiring communication traffic data of different device models and extracting traffic communication features; performing data modelling on the traffic communication features to obtain fingerprint models of the different device models, and constructing a feature fingerprint library from those fingerprint models, the library storing the traffic communication features of white list devices collected in advance; constructing a device identification model from the fingerprint models and periodically training it on the feature fingerprint library; and identifying access devices in real time with the trained device identification model. The method and apparatus allow security management measures to be applied separately and in a targeted way to white list and non-white list devices, improve the efficiency of Internet of Things device identification, are convenient to develop and apply in practical analysis, and have a good application prospect.

Description

White list-based Internet of things equipment identification method and device and network architecture
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a white list-based Internet of things equipment identification method and device and a network architecture.
Background
The number of Internet of Things (IoT) devices is growing rapidly. According to recent forecasts, the number of IoT devices is increasing exponentially with market demand and will reach 125 billion by 2030. New IoT application scenarios keep emerging, such as smart grids, smart cities, intelligent buildings, smart healthcare and intelligent transportation, and these systems are large-scale, distributed, complex and heterogeneous. The devices in such systems are diverse; taking a smart home as an example, a future home will be equipped with cameras, smart door locks, smart televisions, smart refrigerators, smart lighting and a variety of smart sensors. Massive numbers of IoT devices and the spread of their applications have made life more convenient, but the heterogeneity of services, technologies, devices and protocols (wireless, cable, satellite, cellular, Bluetooth and so on) has made IoT management increasingly complex. Since many manufacturers of smart devices are traditional household-appliance makers without network security expertise, many devices ship with vulnerabilities. A vulnerable device that an attacker can reach becomes a foothold in the target network from which attacks are launched at will, so the target network faces a serious security threat.
Within a large company or organisation, access control and internal security management for potentially compromised devices are particularly important. Employees connect large numbers of IoT devices to their home networks, and 25-50% of employees report that at least one of these IoT devices has also been connected to the enterprise network. Devices that employees connect to the home or enterprise intranet become the point from which an attacker launches an attack. For example, on a smart television installed in a conference room, an attacker may use the Skype application to escalate privileges, then capture the desired images and leak them to a remote FTP server. In another type of attack the display is switched off, but embedded malware is still able to capture ambient sound and transmit it illegally to a third party over WiFi. In the face of such complex attacks with diverse paths, the internal networks of organisations should reconsider whether these devices may connect to the network so easily, and how the devices connected to the internal network are managed. Conventional device identification techniques are widely used in wireless communication; early wireless fingerprinting mainly identified hardware- and driver-based device characteristics. IoT device identification techniques mainly rely on sensor-related characteristics to identify a device uniquely. Because the internal drivers and hardware used by large numbers of cheap IoT devices are roughly the same, and not every device carries sensors, the existing methods cannot accurately identify the model of an IoT device.
Disclosure of Invention
Therefore, the invention provides a white list-based Internet of Things device identification method, a device identification apparatus and a network architecture.
According to the design provided by the invention, the white list-based Internet of Things device identification method comprises the following steps:
capturing data packets in the network, acquiring communication traffic data of different device models and extracting traffic communication features;
performing data modelling on the traffic communication features to obtain fingerprint models of the different device models, and constructing a feature fingerprint library from those fingerprint models, the library storing the traffic communication features of white list devices collected in advance;
constructing a device identification model from the fingerprint models and periodically training it on the feature fingerprint library;
and identifying access devices in real time with the trained device identification model.
The extracted traffic communication features include at least: protocol type, packet size, change of IP address, and port number.
The device identification model is periodically trained with a random forest algorithm as follows: the data in the feature fingerprint library are divided into several training sample sets, each of which trains its own classifier; the classification results of the individual classifiers are then combined by voting to determine the output of the device identification model.
In the device identification model above, whether an IoT device belongs to the white list is judged from its traffic communication features; if not, the connection between the device and the intranet is blocked, and if so, the security measures for that device inside the intranet are deployed according to the configured security management model.
The security management model performs persistent traffic anomaly monitoring of the white list IoT devices and, from the monitoring results, constructs a threat perception model used to deploy security measures.
The threat perception model is an IoT security ontology model, built with an ontology modelling method, that contains assets, vulnerabilities, alarms, threats, security mechanisms and the relationships between them.
Further, the invention provides a white list-based Internet of Things device identification apparatus comprising a traffic acquisition module, a fingerprint construction module, a model training module and a device identification module, wherein
the traffic acquisition module captures data packets in the network, acquires communication traffic data of different device models and extracts traffic communication features;
the fingerprint construction module performs data modelling on the traffic communication features to obtain fingerprint models of the different device models, and constructs a feature fingerprint library from those fingerprint models, the library storing the traffic communication features of white list devices collected in advance;
the model training module constructs a device identification model from the fingerprint models and periodically trains it on the feature fingerprint library;
and the device identification module identifies access devices in real time with the trained device identification model.
Furthermore, the invention provides a distributed network architecture built on the IoT device identification apparatus, comprising a security gateway that analyses and processes the traffic of the IoT devices and a security server that trains and tests the model on the traffic features of the IoT devices, the IoT devices being connected to the security server through the security gateway; the traffic acquisition module and the fingerprint construction module are placed on the security gateway, and the model training module and the device identification module on the security server.
In the network architecture, the security server further holds a threat perception model used to deploy the corresponding security measures against potential threats to, or threats that have already occurred on, the IoT devices.
In the network architecture, the threat perception model is an IoT security ontology model, built with an ontology modelling method, that contains assets, vulnerabilities, alarms, threats, security mechanisms and the relationships between them.
The invention has the following beneficial effects:
the method takes the device traffic communication features as its main parameters, analyses the fingerprint differences between unknown devices and white list devices, constructs fingerprints from the device traffic features with machine learning and trains a classifier to identify devices, and on the basis of the identified device model applies the corresponding security management measures separately and in a targeted way to white list and non-white list devices. Non-white list devices are thus detected by the random forest method, while effective communication restrictions and other security measures can be deployed for devices inside the white list, providing stronger protection for the intranet.
Against the low efficiency of existing threat detection techniques in detecting targeted attacks, the invention adopts a "two-step" approach: access control for non-white list devices, and internal security measures for white list devices. A targeted attack therefore finds it difficult to reach the internal network at all, and even if it does, it faces continuous traffic monitoring and the corresponding security controls. In addition, because the model uses the traffic communication fingerprint captured during the device setup stage, it is lightweight and fast to detect, and convenient to deploy in an IoT environment. Finally, because an ontology threat modelling framework is adopted and linked to a device vulnerability database in the cloud, the model can also efficiently discover vulnerability threats for different device models, helping security staff respond quickly and deploy security measures, and has a good application prospect.
Description of the drawings:
fig. 1 is the first flowchart of the Internet of Things device identification method in the embodiment;
FIG. 2 is a schematic diagram of the construction of the feature fingerprint library in the embodiment;
FIG. 3 is the second flowchart of the device identification method in the embodiment;
FIG. 4 is a diagram of the random forest algorithm in the embodiment;
FIG. 5 is a schematic diagram of the threat perception model in the embodiment;
FIG. 6 is a schematic diagram of the device identification apparatus in the embodiment;
fig. 7 is a schematic diagram of the distributed network architecture in the embodiment.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
Given that conventional device identification techniques achieve high identification accuracy only in wireless communication and are otherwise limited in application, an embodiment of the present invention, referring to fig. 1, provides a white list-based Internet of Things device identification method comprising the following:
S101) capturing data packets in the network, acquiring communication traffic data of different device models and extracting traffic communication features;
S102) performing data modelling on the traffic communication features to obtain fingerprint models of the different device models, and constructing a feature fingerprint library from those fingerprint models, the library storing the traffic communication features of white list devices collected in advance;
S103) constructing a device identification model from the fingerprint models and periodically training it on the feature fingerprint library;
S104) identifying access devices in real time with the trained device identification model.
The method constructs fingerprints from device traffic features with machine learning, trains a classifier to identify devices, and applies the corresponding security management measures separately and in a targeted way to white list and non-white list devices based on the identified device model, so that IoT devices are identified efficiently while identification accuracy is maintained, which is convenient for development and application in practical analysis.
When traffic communication features are extracted from devices, it is assumed that all devices at that time are normal devices not yet compromised by an attacker, i.e. the feature fingerprint library contains the communication fingerprints of normal devices only. Further, in the embodiment of the invention, the extracted traffic communication features include at least: protocol type, packet size, change of IP address, and port number. Referring to fig. 2, there are no infected devices in learning mode. From the extracted feature information, a numerical model of the features is derived by mathematical modelling, and these numerical models are combined to build the fingerprint library based on communication traffic features.
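The following Python program is an added example, not code from the patent, showing what the feature extraction and library construction of S101 and S102 look like on packet records. It assumes packets have already been captured (for instance with Wireshark or tcpdump) and decoded into the simple per-packet record below; the field names, the use of the source MAC as the device key during learning, and the exact statistics are assumptions chosen to cover the four feature kinds the text names (protocol type, packet size, change of IP address, port number). The capture at the bottom is constructed.

```python
"""Traffic-fingerprint feature extraction for white list device identification.

Added example, not code from the patent. Packets are assumed to have been
captured already and decoded into the per-packet record below; the field
names, the device key (source MAC) and the statistics are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src_mac: str    # identifies the device during learning (assumption)
    dst_ip: str
    proto: str      # "TCP", "UDP", "ICMP", ...
    dst_port: int
    length: int     # bytes on the wire


PROTOCOLS = ("TCP", "UDP", "ICMP", "OTHER")


def extract_features(packets):
    """Summarise one device's packets into a fixed-length feature vector:
    [share of TCP, UDP, ICMP, other; mean length; length std-dev;
     distinct destination IPs; share of well-known (<1024) ports; mean port]."""
    if not packets:
        raise ValueError("no packets for device")
    n = len(packets)
    proto = Counter(p.proto if p.proto in PROTOCOLS else "OTHER" for p in packets)
    lengths = [p.length for p in packets]
    ports = [p.dst_port for p in packets]
    return [
        *(proto[name] / n for name in PROTOCOLS),
        mean(lengths),
        pstdev(lengths),
        len({p.dst_ip for p in packets}),          # how many peers the device talks to
        sum(1 for port in ports if port < 1024) / n,
        mean(ports),
    ]


def group_by_device(packets):
    groups = defaultdict(list)
    for p in packets:
        groups[p.src_mac].append(p)
    return groups


def build_fingerprint_library(packets, whitelist):
    """Learning mode: the capture is assumed free of compromised devices, and
    only devices on the white list (MAC -> model name) enter the library."""
    library = {}
    for mac, pkts in group_by_device(packets).items():
        if mac in whitelist:
            library[mac] = (whitelist[mac], extract_features(pkts))
    return library


# Constructed capture: a camera streaming to one cloud endpoint, a smart plug
# doing discovery and DNS, and a laptop that is not on the white list.
CAMERA, PLUG, LAPTOP = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
WHITELIST = {CAMERA: "camera_model_a", PLUG: "plug_model_b"}
SAMPLE_PACKETS = [
    Packet(CAMERA, "203.0.113.5", "TCP", 443, 1400),
    Packet(CAMERA, "203.0.113.5", "TCP", 443, 1400),
    Packet(CAMERA, "203.0.113.5", "TCP", 443, 1400),
    Packet(CAMERA, "203.0.113.5", "TCP", 443, 1200),
    Packet(PLUG, "192.168.1.255", "UDP", 1900, 120),
    Packet(PLUG, "192.168.1.1", "UDP", 53, 64),
    Packet(LAPTOP, "198.51.100.7", "TCP", 22, 96),
]

if __name__ == "__main__":
    for mac, (model, vector) in build_fingerprint_library(SAMPLE_PACKETS, WHITELIST).items():
        print(mac, model, [round(v, 2) for v in vector])
```

Two points for anyone deploying this. The clean-capture assumption in learning mode is trust-on-first-use: a device already compromised before enrolment has its malicious traffic baked into the library as "normal", so the learning capture should be taken on an isolated segment with freshly provisioned devices. The MAC is only a label for grouping packets during learning; it is trivially spoofed, which is exactly why the identification at run time is done on the traffic fingerprint rather than on the address.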
Once the feature fingerprints have been built, the fingerprint library holds the communication fingerprints of the devices on the white list. Further, in the embodiment of the invention, the device identification model is periodically trained with a random forest algorithm as follows: the data in the feature fingerprint library are divided into several training sample sets, each of which trains its own classifier; the classification results of the individual classifiers are then combined by voting to determine the output of the device identification model.
Referring to fig. 3, packets are captured in real time with the Wireshark packet-capture tool on a Linux system, giving the communication traffic of different device models. Under a distributed traffic acquisition and monitoring model, the device model is detected by analysing the device's communication traffic data, and an access-control and internal device security management system based on the device model is built. The procedure is: capture raw traffic packets and extract traffic communication features; mathematically model the feature information to build the feature fingerprint library; periodically train the detection model with a random forest algorithm and detect devices; judge from the identification result whether a device belongs to the white list; apply access control to non-white list devices; apply continuous traffic anomaly detection and ontology threat modelling to devices inside the white list; and deploy the corresponding security management measures according to the modelling result.
In machine learning, a random forest is a classifier made up of several decision trees whose output class is the mode of the classes output by the individual trees. The random forest algorithm is designed as follows. Let N be the number of training cases (samples) and M the number of features. A number m of features is used to determine the decision at each node of a tree, where m should be much smaller than M. From the N training cases, N are drawn with replacement to form a training set (bootstrap sampling), and the cases not drawn are used to estimate the prediction error (the out-of-bag error). At each node, m features are selected at random, the decision at that node is made on those features, and the optimal split over the m features is computed. Each tree is grown fully without pruning (pruning may be applied after a normal tree classifier is built). Referring to fig. 4, the fingerprint models of the different device models are trained with the random forest algorithm, which learns quickly and efficiently and effectively improves the identification of IoT access devices.
Further, in the embodiment of the invention, during device identification, whether an IoT device belongs to the white list is judged from its traffic communication features; if not, the connection between the device and the intranet is blocked, and if so, the security measures for the device inside the intranet are deployed according to the configured security management model. Based on the white list judgement, the traffic of devices inside the white list is continuously monitored for anomalies, ontology threat modelling is performed according to the device model, and finally device-model-based security management measures are deployed according to the threat modelling result.
Further, in the embodiment of the invention, the security management model performs persistent traffic anomaly monitoring of the white list IoT devices and constructs, from the monitoring results, the threat perception model used to deploy security measures. The device identification model is responsible for judging whether an access device is a device inside the white list, so that different control strategies are applied: access control for non-white list devices, and for devices inside the white list continuous traffic anomaly detection, construction of a device-model-based threat model and deployment of the corresponding security measures.
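The following Python program is an added example, not the patent's code, that implements the random forest design described above (bootstrap samples of the N training cases, m much smaller than M random features per node, unpruned trees, majority vote, out-of-bag error) together with the white list judgement that follows it, covering both the summary's training paragraph and the embodiment's description. Two things are assumptions not stated in the text: the fingerprint library also holds a "non_whitelist" class captured from devices that are not approved, and a device is blocked when the winning vote share falls below a threshold. The fingerprint vectors are constructed.

```python
"""Random-forest device identification with a white list decision.

Added example, not code from the patent. Plain-Python forest following the
design in the text; the "non_whitelist" training class and the vote
threshold are assumptions.
"""
import random
from collections import Counter

NON_WHITELIST = "non_whitelist"


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(X, y, features):
    """Exhaustive threshold search over the m candidate features.
    Returns (weighted child impurity, feature, threshold), or None when
    none of the candidate features takes two distinct values."""
    best = None
    for f in features:
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [y[i] for i, row in enumerate(X) if row[f] <= t]
            right = [y[i] for i, row in enumerate(X) if row[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, t)
    return best


def grow_tree(X, y, m, rng):
    """Grow one tree to purity (no pruning); each node looks at m random features."""
    if len(set(y)) == 1:
        return y[0]                                   # pure leaf
    split = best_split(X, y, rng.sample(range(len(X[0])), m))
    if split is None or split[0] >= gini(y):          # no impurity reduction available
        return Counter(y).most_common(1)[0][0]
    _, f, t = split
    left = [i for i, row in enumerate(X) if row[f] <= t]
    right = [i for i, row in enumerate(X) if row[f] > t]
    return (f, t,
            grow_tree([X[i] for i in left], [y[i] for i in left], m, rng),
            grow_tree([X[i] for i in right], [y[i] for i in right], m, rng))


def predict_tree(node, x):
    while isinstance(node, tuple):                    # (feature, threshold, left, right)
        f, t, left, right = node
        node = left if x[f] <= t else right
    return node


class RandomForest:
    def __init__(self, n_trees=25, m=None, seed=0):
        self.n_trees, self.m, self.rng = n_trees, m, random.Random(seed)
        self.trees, self.oob_error = [], None

    def fit(self, X, y):
        N, M = len(X), len(X[0])
        m = self.m or max(1, int(M ** 0.5))           # m much smaller than M
        oob_votes = [[] for _ in range(N)]
        for _ in range(self.n_trees):
            boot = [self.rng.randrange(N) for _ in range(N)]   # N draws with replacement
            self.trees.append(grow_tree([X[i] for i in boot], [y[i] for i in boot], m, self.rng))
            for i in set(range(N)) - set(boot):       # cases not drawn estimate the error
                oob_votes[i].append(predict_tree(self.trees[-1], X[i]))
        scored = [(votes, y[i]) for i, votes in enumerate(oob_votes) if votes]
        wrong = sum(Counter(v).most_common(1)[0][0] != truth for v, truth in scored)
        self.oob_error = wrong / max(1, len(scored))
        return self

    def vote(self, x):
        """Mode of the per-tree outputs and the share of trees that agreed."""
        label, n = Counter(predict_tree(t, x) for t in self.trees).most_common(1)[0]
        return label, n / len(self.trees)


def classify_access_device(forest, x, threshold=0.8):
    """White list judgement: block unknown devices, monitor recognised ones."""
    label, confidence = forest.vote(x)
    if label == NON_WHITELIST or confidence < threshold:
        return {"model": None, "action": "block"}
    return {"model": label, "action": "monitor"}


# Constructed fingerprint vectors: [TCP share, mean packet length,
# distinct destination IPs, mean destination port]; centres and spreads are made up.
CENTRES = {
    "camera": ([1.0, 1300, 1, 443], [0.02, 50, 0, 0]),
    "plug": ([0.0, 90, 2, 1000], [0.02, 10, 0, 20]),
    NON_WHITELIST: ([0.5, 600, 20, 30000], [0.05, 50, 2, 2000]),
}


def train_demo_forest(seed=7, per_class=8):
    rng = random.Random(seed)
    X, y = [], []
    for label, (centre, spread) in CENTRES.items():
        for _ in range(per_class):
            X.append([c + rng.uniform(-s, s) for c, s in zip(centre, spread)])
            y.append(label)
    return RandomForest(n_trees=25, seed=seed).fit(X, y)


if __name__ == "__main__":
    forest = train_demo_forest()
    print("out-of-bag error:", forest.oob_error)
    for x in ([1.0, 1300, 1, 443], [0.0, 90, 2, 1000], [0.5, 600, 20, 30000]):
        print(x, classify_access_device(forest, x))
```

The caveat that matters for the "non-white list devices are detected by the random forest" claim: a forest trained only on white list models is a closed-set classifier and will hand every device, however strange its traffic, some white list label, often with a unanimous vote. Rejection therefore needs either negative training examples (the "non_whitelist" class assumed here) or an explicit outlier test against the fingerprint library in addition to the vote share; the threshold alone is not sufficient.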
Further, in the embodiment of the invention, the threat perception model is an IoT security ontology model, built with an ontology modelling method, that contains assets, vulnerabilities, alarms, threats, security mechanisms and the relationships between them. Referring to fig. 5, an asset is an abstract concept in the ontology that covers the physical assets, i.e. the devices, the software on the devices, and the communication modes the devices use (WiFi, Ethernet and so on); an asset must satisfy security attributes such as availability, confidentiality and integrity to be considered secure. Each threat may affect one or more of the security attributes that a security mechanism can satisfy. Vulnerabilities are defects in devices or software; once discovered, an ordinary supplier may issue a patch, but IoT devices are often patched late, so a security mechanism is needed to prevent an attacker from exploiting a discovered vulnerability. Security mechanisms describe tools and methods for protecting against known vulnerabilities; the choice of mechanism depends above all on the value of the asset, with appropriate protection implemented on the basis of cost, and mechanisms are generally detective, preventive, corrective, restorative or responsive. Threats represent attacks that can be launched using the vulnerabilities of devices, software and so on, typically using one or more vulnerabilities, and the threat level represents the degree of damage to the asset, such as data leakage or data corruption. An alarm represents a threat type perceived by the anomaly detection model; when a device's communication shows abnormal behaviour, the security mechanism responds, for example by raising the protection level or limiting the device's communication.
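The following Python program is an added example, not the patent's code, that turns the ontology just described into a small in-memory knowledge graph and walks the chain the text lays out: an alarm names a threat type, the threat is only real if every vulnerability it uses is an unpatched defect in one of the device's assets, and the security mechanisms covering it are ranked by protected asset value against cost. The concept classes and relations follow the description of fig. 5; the concrete instances, the vulnerability and mechanism identifiers and the ranking rule are constructed for the demo.

```python
"""Threat-perception ontology as a small in-memory knowledge graph.

Added example, not code from the patent. Concept classes follow the text;
instances, identifiers and the ranking rule are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str            # "device", "software" or "communication"
    value: int           # importance of the asset, 1 (low) .. 3 (high)


@dataclass
class Vulnerability:
    vid: str
    asset: str           # the asset in which the defect exists
    patched: bool = False


@dataclass
class Threat:
    name: str
    uses: list           # vulnerability ids the attack relies on
    affects: set         # security attributes violated
    level: int           # degree of damage, 1 .. 3


@dataclass
class Mechanism:
    name: str
    category: str        # detective, preventive, corrective, restorative, responsive
    mitigates: list      # threat names it protects against
    cost: int


@dataclass
class Alarm:
    device: str
    threat_type: str     # threat perceived by the anomaly detection model


class Ontology:
    def __init__(self, assets, vulns, threats, mechanisms, composed_of):
        self.assets = {a.name: a for a in assets}
        self.vulns = {v.vid: v for v in vulns}
        self.threats = {t.name: t for t in threats}
        self.mechanisms = {m.name: m for m in mechanisms}
        self.composed_of = composed_of          # device -> its software and link assets

    def parts(self, device):
        return {device, *self.composed_of.get(device, [])}

    def exposed_threats(self, device):
        """Threats currently launchable against a device: every vulnerability
        they use is an unpatched defect in one of the device's assets."""
        parts = self.parts(device)
        live = {v.vid for v in self.vulns.values() if v.asset in parts and not v.patched}
        return [t for t in self.threats.values() if t.uses and set(t.uses) <= live]

    def respond(self, alarm):
        """Select security mechanisms for an alarm, ranked by protected value per cost."""
        matching = [t for t in self.exposed_threats(alarm.device) if t.name == alarm.threat_type]
        asset_value = max(self.assets[a].value for a in self.parts(alarm.device))
        ranked = []
        for m in self.mechanisms.values():
            covered = [t for t in matching if t.name in m.mitigates]
            if covered:
                benefit = asset_value * max(t.level for t in covered)
                ranked.append((benefit / m.cost, m.name))
        ranked.sort(reverse=True)
        return {"device": alarm.device,
                "threats": [t.name for t in matching],
                "measures": [name for _, name in ranked]}


def build_demo_ontology():
    """Constructed instances: one camera with a default-credential defect, a
    patched update defect, and an unrelated smart-lock defect."""
    return Ontology(
        assets=[Asset("ip_camera_x", "device", 3), Asset("camera_firmware", "software", 2),
                Asset("wifi_link", "communication", 2), Asset("lock_firmware", "software", 3)],
        vulns=[Vulnerability("fw-default-credentials", "camera_firmware"),
               Vulnerability("fw-unsigned-update", "camera_firmware", patched=True),
               Vulnerability("lock-replay", "lock_firmware")],
        threats=[Threat("unauthorised_video_access", ["fw-default-credentials"], {"confidentiality"}, 3),
                 Threat("firmware_tamper", ["fw-default-credentials", "fw-unsigned-update"], {"integrity"}, 3),
                 Threat("lock_relay_spoof", ["lock-replay"], {"integrity"}, 2)],
        mechanisms=[Mechanism("restrict_outbound_ftp", "responsive", ["unauthorised_video_access"], 1),
                    Mechanism("isolate_device_vlan", "preventive",
                              ["unauthorised_video_access", "firmware_tamper"], 2),
                    Mechanism("signed_firmware_check", "preventive", ["firmware_tamper"], 3)],
        composed_of={"ip_camera_x": ["camera_firmware", "wifi_link"]},
    )


if __name__ == "__main__":
    ont = build_demo_ontology()
    print(ont.respond(Alarm("ip_camera_x", "unauthorised_video_access")))
```

The patched-vulnerability rule is the part worth keeping when this is wired to the cloud vulnerability database mentioned in the beneficial effects: an alarm whose threat depends on an already patched defect should not trigger measures, and a device whose firmware version is unknown should be treated as unpatched rather than silently dropping the threat.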
Based on the foregoing method, an embodiment of the present invention provides a white list-based Internet of Things device identification apparatus, shown in fig. 6, comprising a traffic acquisition module 101, a fingerprint construction module 102, a model training module 103 and a device identification module 104, wherein
the traffic acquisition module 101 captures data packets in the network, acquires communication traffic data of different device models and extracts traffic communication features;
the fingerprint construction module 102 performs data modelling on the traffic communication features to obtain fingerprint models of the different device models, and constructs a feature fingerprint library from those fingerprint models, the library storing the traffic communication features of white list devices collected in advance;
the model training module 103 constructs a device identification model from the fingerprint models and periodically trains it on the feature fingerprint library;
and the device identification module 104 identifies access devices in real time with the trained device identification model.
Furthermore, based on the method and apparatus, an embodiment of the present invention also provides a distributed network architecture comprising a security gateway that analyses and processes the traffic of the IoT devices and a security server that trains and tests the model on the traffic features of the IoT devices, the IoT devices being connected to the security server through the security gateway; the traffic acquisition module and the fingerprint construction module are placed on the security gateway, and the model training module and the device identification module on the security server.
Referring to fig. 7, in the security management system model of the distributed network architecture, the IoT devices connect to the security server through the security gateway, and the security gateway takes on the traffic analysis work, relieving the security server of the pressure of processing the huge volume of data generated by a large number of devices. The security gateway and the security server assist and complement each other in the model: the IoT gateway monitors and collects device traffic, builds device fingerprints, performs device identification and anomaly detection, and feeds the results of identification and anomaly detection back to the security server; the IoT security server trains the device identification model and the device-model-based anomaly detection model, constructs the threat perception model from the gateway's feedback, and deploys the corresponding security measures against potential threats to, or threats that have already occurred on, the internal devices. The device identification model is responsible for judging whether an access device is a device inside the white list, so that different control strategies are applied: access control for non-white list devices, and for devices inside the white list continuous traffic anomaly detection, construction of a device-model-based threat model and deployment of the corresponding security measures, which is the foundation of the security management model.
In the network architecture, the security server further holds a threat perception model used to deploy the corresponding security measures against potential threats to, or threats that have already occurred on, the IoT devices.
In the network architecture, the threat perception model is an IoT security ontology model, built with an ontology modelling method, that contains assets, vulnerabilities, alarms, threats, security mechanisms and the relationships between them.
In the preferred embodiment of the invention, raw traffic packets are captured and the communication features in the traffic are extracted; the feature information is then mathematically modelled to build the feature fingerprint library; a detection model is then periodically trained with a random forest algorithm and used to detect devices; finally, whether a device belongs to the white list is judged from the identification result, access control is applied to non-white list devices, continuous traffic monitoring and ontology threat modelling are applied to devices inside the white list, and the corresponding security measures are deployed according to the modelling result. By constructing the white list-based IoT device identification model, illegitimate devices can be detected and discovered effectively, providing strong protection for the network security of the devices inside the IoT network.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for the sake of brevity, where the device embodiments do not mention a detail, reference may be made to the corresponding contents of the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate the technical solutions of the present invention and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, easily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A white list-based Internet of things equipment identification method is characterized by comprising the following steps:
capturing a data packet in a network, acquiring communication flow data of different equipment models and extracting flow communication characteristics;
carrying out data modeling on the flow communication characteristics to obtain fingerprint identification models of different equipment models, and constructing a characteristic fingerprint library based on the flow communication characteristics according to the fingerprint identification models, wherein the flow communication characteristics of white list equipment acquired in advance are stored in the characteristic fingerprint library;
constructing an equipment identification model according to the fingerprint identification model, and periodically training the equipment identification model through a characteristic fingerprint library;
and identifying the access equipment in real time through the trained equipment identification model.
2. The white list-based internet of things device identification method according to claim 1, wherein the extracted traffic communication features at least include: protocol type, packet size, IP address change, and port number size.
3. The white list-based internet of things equipment identification method according to claim 1, wherein the equipment identification model is periodically trained by using a random forest algorithm, and the method comprises the following steps: dividing data in the characteristic fingerprint database into a plurality of training sample sets, and performing classification training on each training sample set through the classifier of that training sample set; and performing comprehensive voting on the classification results of the classifiers to determine the output of the equipment identification model.
4. The white list-based Internet of things equipment identification method according to claim 1 or 3, wherein in equipment identification model training, whether the Internet of things equipment belongs to the white list or not is judged according to flow communication characteristics, if not, the connection between the Internet of things equipment and the intranet is blocked, and if yes, safety measures of the Internet of things equipment in the intranet are deployed according to a set safety management model.
5. The white-list-based Internet of things equipment identification method as claimed in claim 4, wherein the security management model is used for carrying out persistent flow anomaly monitoring on the Internet of things equipment in the white list and constructing a threat perception model for deploying security measures according to monitoring results.
6. The whitelist-based internet of things device identification method of claim 5, wherein the threat awareness model is an internet of things security ontology model including assets, vulnerabilities, alerts, threats, security mechanisms, and relationships, constructed using an ontology modeling method.
7. A white list-based Internet of things equipment identification device, characterized by comprising: a flow acquisition module, a model construction module, a model training module and an equipment identification module, wherein,
the flow acquisition module is used for capturing data packets in a network, acquiring communication flow data of different equipment models and extracting flow communication characteristics;
the fingerprint construction module is used for carrying out data modeling on the flow communication characteristics to obtain fingerprint identification models of different equipment models, and constructing a characteristic fingerprint library based on the flow communication characteristics according to the fingerprint identification models, wherein the flow communication characteristics of the white list equipment which is acquired in advance are stored in the characteristic fingerprint library;
the model training module is used for constructing an equipment identification model according to the fingerprint identification model and periodically training the equipment identification model through a characteristic fingerprint library;
and the equipment identification module is used for identifying the access equipment in real time through the trained equipment identification model.
8. A distributed network architecture, characterized in that it is implemented on the basis of the Internet of things equipment identification device of claim 5, and comprises a security gateway for analyzing and processing Internet of things equipment traffic and a security server for training and testing Internet of things equipment traffic characteristics through a model, wherein the Internet of things equipment is connected with the security server through the security gateway; the traffic acquisition module and the fingerprint construction module are arranged on the security gateway, and the model training module and the equipment identification module are arranged on the security server.
9. The distributed network architecture of claim 8, wherein a threat perception model is further provided in the security server for deploying corresponding security measures against potential or already-occurring threats to Internet of things devices.
10. The distributed network architecture of claim 9, wherein the threat awareness model is an internet of things security ontology model constructed using an ontology modeling approach that includes assets, vulnerabilities, alarms, threats, security mechanisms, and relationships.
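The pipeline of the preferred embodiment and of claims 1 to 4 (capture packets, extract the claim-2 features, build a feature fingerprint library, train a random forest periodically, vote, then apply the white list decision), sketched as an added Python example that is not part of the patent. The device profiles, the constructed packet captures, the per-model min/max envelope check in identify() and every name in the block are assumptions of this example.

```python
import random
from collections import Counter, namedtuple
Packet = namedtuple("Packet", "proto size dst_ip dst_port")

# Constructed white-list device profiles (assumed, not from the patent): proto, size band, dst IPs, dst port.
PROFILES = {
    "ipcam-A":  ("TCP", (1000, 1400), ["10.0.0.5"], 554),
    "sensor-B": ("UDP", (40, 88), ["10.0.0.7", "10.0.0.8"], 5683),
}

def make_session(profile, rng, size=None, n=10):
    """Constructed capture of n packets from one device; size=None draws from the band."""
    proto, (lo, hi), ips, port = profile
    return [Packet(proto, size if size is not None else rng.randint(lo, hi),
                   ips[i % len(ips)], port) for i in range(n)]

def extract_features(pkts):
    """Claim-2 features: protocol type share, packet size, IP-address change, port number size."""
    return [sum(p.proto == "TCP" for p in pkts) / len(pkts),
            sum(p.size for p in pkts) / len(pkts),
            len({p.dst_ip for p in pkts}),
            sum(p.dst_port for p in pkts) / len(pkts)]

def build_library(seed=7, per_model=20):
    """Feature fingerprint library: rows per white-list model plus each model's min/max envelope."""
    rng, X, y, library = random.Random(seed), [], [], {}
    for name, prof in PROFILES.items():
        sizes = list(prof[1]) + [None] * (per_model - 2)   # both band edges first: exact envelope
        rows = [extract_features(make_session(prof, rng, size=s)) for s in sizes]
        X += rows
        y += [name] * len(rows)
        library[name] = ([min(c) for c in zip(*rows)], [max(c) for c in zip(*rows)])
    return X, y, library

def gini(labels):
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values())

def build_tree(X, y, rng, depth=0):
    """Gini-split tree over a random 2-feature subset; a leaf is the majority label."""
    if depth == 3 or len(set(y)) == 1:
        return Counter(y).most_common(1)[0][0]
    best = None
    for f in rng.sample(range(len(X[0])), 2):
        for thr in sorted({x[f] for x in X}):
            left = [i for i, x in enumerate(X) if x[f] <= thr]
            right = [i for i, x in enumerate(X) if x[f] > thr]
            if not left or not right:
                continue
            score = sum(len(p) * gini([y[i] for i in p]) for p in (left, right)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, thr, left, right)
    if best is None:
        return Counter(y).most_common(1)[0][0]
    _, f, thr, left, right = best
    sub = [build_tree([X[i] for i in p], [y[i] for i in p], rng, depth + 1) for p in (left, right)]
    return (f, thr, sub[0], sub[1])

def predict_tree(node, x):
    while isinstance(node, tuple):
        f, thr, left, right = node
        node = left if x[f] <= thr else right
    return node

def train_forest(X, y, n_trees=15, seed=1):
    """Random forest (claim 3): each tree is fitted on a bootstrap resample of the library."""
    rng = random.Random(seed)
    boots = [[rng.randrange(len(X)) for _ in X] for _ in range(n_trees)]
    return [build_tree([X[i] for i in b], [y[i] for i in b], rng) for b in boots]

def predict_forest(forest, x):
    return Counter(predict_tree(t, x) for t in forest).most_common(1)[0][0]  # majority vote

def identify(forest, library, pkts):
    """Label the device, then require its features to lie inside that model's stored envelope (claim 4 decision)."""
    x = extract_features(pkts)
    model = predict_forest(forest, x)
    lo, hi = library[model]
    inside = all(l <= v <= h for v, l, h in zip(x, lo, hi))
    return (model, "allow_and_monitor") if inside else (None, "block")
```

Retraining is just a fresh call to build_library() and train_forest() on the current library, which is what the periodic training of claim 1 amounts to here.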
CN201910717616.3A 2019-08-05 2019-08-05 White list-based Internet of things equipment identification method and device and network architecture Pending CN110602041A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910717616.3A CN110602041A (en) 2019-08-05 2019-08-05 White list-based Internet of things equipment identification method and device and network architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910717616.3A CN110602041A (en) 2019-08-05 2019-08-05 White list-based Internet of things equipment identification method and device and network architecture

Publications (1)

Publication Number Publication Date
CN110602041A true CN110602041A (en) 2019-12-20

Family

ID=68853445

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910717616.3A Pending CN110602041A (en) 2019-08-05 2019-08-05 White list-based Internet of things equipment identification method and device and network architecture

Country Status (1)

Country Link
CN (1) CN110602041A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111757378A (en) * 2020-06-03 2020-10-09 湃方科技(北京)有限责任公司 Equipment identification method and device in wireless network
CN112068926A (en) * 2020-07-31 2020-12-11 中国科学院信息工程研究所 Method for identifying virtual machine in local area network
CN112073988A (en) * 2020-07-31 2020-12-11 中国科学院信息工程研究所 Detection method for hidden camera in local area network
CN112464295A (en) * 2020-12-14 2021-03-09 国网辽宁省电力有限公司抚顺供电公司 Communication maintenance safety device based on electric power edge gateway equipment
CN112769623A (en) * 2021-01-19 2021-05-07 河北大学 Internet of things equipment identification method under edge environment
CN112953961A (en) * 2021-03-14 2021-06-11 国网浙江省电力有限公司电力科学研究院 Equipment type identification method in power distribution room Internet of things
CN113079052A (en) * 2021-04-29 2021-07-06 恒安嘉新(北京)科技股份公司 Model training method, device, equipment and storage medium, and method and device for identifying data of Internet of things
CN113420791A (en) * 2021-06-02 2021-09-21 国网河北省电力有限公司信息通信分公司 Access control method and device for edge network equipment and terminal equipment
CN113765891A (en) * 2021-08-13 2021-12-07 深圳番多拉信息科技有限公司 Equipment fingerprint identification method and device
CN113839941A (en) * 2021-09-22 2021-12-24 国网湖北省电力有限公司检修公司 Internet of things equipment access detection method and system based on SMOTE and parallel random forest
CN113904795A (en) * 2021-08-27 2022-01-07 北京工业大学 Rapid and accurate flow detection method based on network security probe
WO2022083345A1 (en) * 2020-10-20 2022-04-28 华为技术有限公司 Method for detecting video monitoring device, and electronic device
CN115085274A (en) * 2022-07-27 2022-09-20 北京智芯微电子科技有限公司 Automatic identification method and device for new energy equipment access, electronic equipment and medium
CN115668878A (en) * 2020-05-28 2023-01-31 西门子加拿大有限公司 Artificial intelligence-based device identification
CN115834190A (en) * 2022-11-22 2023-03-21 中国联合网络通信集团有限公司 Host management and control method, device, equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899586A (en) * 2017-02-21 2017-06-27 上海交通大学 A kind of dns server software fingerprinting identifying system and method based on machine learning
CN106936667A (en) * 2017-04-17 2017-07-07 东南大学 A kind of main frame real-time identification method based on application rs traffic distributed analysis
WO2018044282A1 (en) * 2016-08-30 2018-03-08 Visa International Service Association Biometric identification and verification among iot devices and applications
CN109033471A (en) * 2018-09-05 2018-12-18 中国信息安全测评中心 A kind of information assets recognition methods and device
CN109063745A (en) * 2018-07-11 2018-12-21 南京邮电大学 A kind of types of network equipment recognition methods and system based on decision tree
CN109151880A (en) * 2018-11-08 2019-01-04 中国人民解放军国防科技大学 Mobile application flow identification method based on multilayer classifier
CN109600317A (en) * 2018-11-25 2019-04-09 北京亚鸿世纪科技发展有限公司 A kind of automatic identification flow simultaneously extracts method and device using rule
CN109818793A (en) * 2019-01-30 2019-05-28 基本立子(北京)科技发展有限公司 For the device type identification of Internet of Things and network inbreak detection method

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018044282A1 (en) * 2016-08-30 2018-03-08 Visa International Service Association Biometric identification and verification among iot devices and applications
CN106899586A (en) * 2017-02-21 2017-06-27 上海交通大学 A kind of dns server software fingerprinting identifying system and method based on machine learning
CN106936667A (en) * 2017-04-17 2017-07-07 东南大学 A kind of main frame real-time identification method based on application rs traffic distributed analysis
CN109063745A (en) * 2018-07-11 2018-12-21 南京邮电大学 A kind of types of network equipment recognition methods and system based on decision tree
CN109033471A (en) * 2018-09-05 2018-12-18 中国信息安全测评中心 A kind of information assets recognition methods and device
CN109151880A (en) * 2018-11-08 2019-01-04 中国人民解放军国防科技大学 Mobile application flow identification method based on multilayer classifier
CN109600317A (en) * 2018-11-25 2019-04-09 北京亚鸿世纪科技发展有限公司 A kind of automatic identification flow simultaneously extracts method and device using rule
CN109818793A (en) * 2019-01-30 2019-05-28 基本立子(北京)科技发展有限公司 For the device type identification of Internet of Things and network inbreak detection method

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115668878A (en) * 2020-05-28 2023-01-31 西门子加拿大有限公司 Artificial intelligence-based device identification
CN111757378B (en) * 2020-06-03 2024-04-02 中科时代(深圳)计算机***有限公司 Method and device for identifying equipment in wireless network
CN111757378A (en) * 2020-06-03 2020-10-09 湃方科技(北京)有限责任公司 Equipment identification method and device in wireless network
CN112068926A (en) * 2020-07-31 2020-12-11 中国科学院信息工程研究所 Method for identifying virtual machine in local area network
CN112073988A (en) * 2020-07-31 2020-12-11 中国科学院信息工程研究所 Detection method for hidden camera in local area network
CN114448530B (en) * 2020-10-20 2023-06-20 华为技术有限公司 Method for detecting video monitoring equipment and electronic equipment
WO2022083345A1 (en) * 2020-10-20 2022-04-28 华为技术有限公司 Method for detecting video monitoring device, and electronic device
CN114448530A (en) * 2020-10-20 2022-05-06 华为技术有限公司 Method for detecting video monitoring equipment and electronic equipment
CN112464295A (en) * 2020-12-14 2021-03-09 国网辽宁省电力有限公司抚顺供电公司 Communication maintenance safety device based on electric power edge gateway equipment
CN112464295B (en) * 2020-12-14 2023-06-30 国网辽宁省电力有限公司抚顺供电公司 Maintenance communication safety device based on electric power edge gateway equipment
CN112769623A (en) * 2021-01-19 2021-05-07 河北大学 Internet of things equipment identification method under edge environment
CN112953961A (en) * 2021-03-14 2021-06-11 国网浙江省电力有限公司电力科学研究院 Equipment type identification method in power distribution room Internet of things
CN113079052A (en) * 2021-04-29 2021-07-06 恒安嘉新(北京)科技股份公司 Model training method, device, equipment and storage medium, and method and device for identifying data of Internet of things
CN113079052B (en) * 2021-04-29 2023-04-07 恒安嘉新(北京)科技股份公司 Model training method, device, equipment and storage medium, and method and device for identifying data of Internet of things
CN113420791A (en) * 2021-06-02 2021-09-21 国网河北省电力有限公司信息通信分公司 Access control method and device for edge network equipment and terminal equipment
CN113420791B (en) * 2021-06-02 2022-08-30 国网河北省电力有限公司信息通信分公司 Access control method and device for edge network equipment and terminal equipment
CN113765891A (en) * 2021-08-13 2021-12-07 深圳番多拉信息科技有限公司 Equipment fingerprint identification method and device
CN113765891B (en) * 2021-08-13 2024-04-09 深圳番多拉信息科技有限公司 Equipment fingerprint identification method and device
CN113904795A (en) * 2021-08-27 2022-01-07 北京工业大学 Rapid and accurate flow detection method based on network security probe
CN113904795B (en) * 2021-08-27 2024-06-04 北京工业大学 Flow rapid and accurate detection method based on network security probe
CN113839941B (en) * 2021-09-22 2023-08-29 国网湖北省电力有限公司检修公司 Internet of things equipment access detection method and system based on SMOTE and parallel random forest
CN113839941A (en) * 2021-09-22 2021-12-24 国网湖北省电力有限公司检修公司 Internet of things equipment access detection method and system based on SMOTE and parallel random forest
CN115085274A (en) * 2022-07-27 2022-09-20 北京智芯微电子科技有限公司 Automatic identification method and device for new energy equipment access, electronic equipment and medium
CN115834190A (en) * 2022-11-22 2023-03-21 中国联合网络通信集团有限公司 Host management and control method, device, equipment and storage medium
CN115834190B (en) * 2022-11-22 2024-04-09 中国联合网络通信集团有限公司 Host management and control method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN110602041A (en) White list-based Internet of things equipment identification method and device and network architecture
Kalech Cyber-attack detection in SCADA systems using temporal pattern recognition techniques
Banerjee et al. A blockchain future for internet of things security: a position paper
Tuptuk et al. Security of smart manufacturing systems
US10812499B2 (en) Detection of adversary lateral movement in multi-domain IIOT environments
US11316891B2 (en) Automated real-time multi-dimensional cybersecurity threat modeling
US9661003B2 (en) System and method for forensic cyber adversary profiling, attribution and attack identification
CN112637220B (en) Industrial control system safety protection method and device
US20220188634A1 (en) Artificial Intelligence with Cyber Security
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN109639634B (en) Self-adaptive safety protection method and system for Internet of things
Lee et al. A review on honeypot-based botnet detection models for smart factory
Herrero et al. A neural-visualization IDS for honeynet data
US11777961B2 (en) Asset remediation trend map generation and utilization for threat mitigation
CN116781430B (en) Network information security system and method for gas pipe network
US11762991B2 (en) Attack kill chain generation and utilization for threat analysis
KR101692982B1 (en) Automatic access control system of detecting threat using log analysis and automatic feature learning
Mubarak et al. Anomaly Detection in ICS Datasets with Machine Learning Algorithms.
Sen et al. On using contextual correlation to detect multi-stage cyber attacks in smart grids
CN112565278A (en) Attack capturing method and honeypot system
CN117527412A (en) Data security monitoring method and device
Anton et al. The global state of security in industrial control systems: An empirical analysis of vulnerabilities around the world
CN117056951A (en) Data security management method for digital platform
Pappaterra Implementing Bayesian Networks for online threat detection
Robles Durazno Industrial control systems cybersecurity analysis and countermeasures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191220