CN110995721A - Malicious node physical layer detection method and system based on automatic labeling and learning - Google Patents


Publication number
CN110995721A
Authority
CN
China
Prior art keywords
access node
node
identity
channel information
legal
Legal status
Pending
Application number
CN201911260379.9A
Other languages
Chinese (zh)
Inventor
刘威
李重杭
陈松林
文红
代尚林
Current Assignee
Shenzhen Power Supply Co ltd
University of Electronic Science and Technology of China
Original Assignee
Shenzhen Power Supply Co ltd
University of Electronic Science and Technology of China
Application filed by Shenzhen Power Supply Co ltd, University of Electronic Science and Technology of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of communication security, and discloses a malicious node physical layer detection method and detection system based on automatic labeling and learning. The detection method identifies the type of each access node in the network using a physical layer authentication strategy based on channel difference, and can simultaneously detect malicious nodes that initiate clone attacks and Sybil attacks. Corresponding labels are automatically injected according to the type of the access node, which removes the need to inject attack labels manually and overcomes the lack of attack-labeled samples when a supervised machine learning algorithm is used for channel authentication. By exploiting physical layer channel difference, attack-labeled samples are injected automatically through a threshold setting method, providing an offline labeled sample set for the machine learning algorithm, so that automatic label injection and learning are realized and the malicious node detection rate for access nodes is improved. The method can effectively solve the problem of malicious node detection of the edge computing node on various industrial wireless devices in the asymmetric scenario of the industrial edge computing Internet of Things.

Description

Malicious node physical layer detection method and system based on automatic labeling and learning
Technical Field
The invention relates to the technical field of communication security, in particular to a malicious node physical layer detection method based on automatic labeling and learning, a malicious node physical layer detection system based on automatic labeling and learning and a malicious node physical layer detection device based on automatic labeling and learning.
Background
A large number of attacks exist in the edge computing industrial scenario, and once the system is attacked, the effect is not obvious. For example, an attacker launches a clone node attack in an unattended industrial wireless scenario: the attacker first captures a legitimate node, steals its ID, key and data, then deploys a large number of clone nodes at different positions in the industrial network and uses the clone nodes to capture all information of the legitimate node. Cloning is detrimental to almost all network operations, such as routing, data collection and key distribution, and leaves the network susceptible to concurrent internal attacks, such as DoS attacks, leading to the breakdown of industrial wireless networks. Sybil attacks also occur in industrial networks: an attacker deploys malicious nodes in the network and impersonates or spoofs multiple IDs through them, fooling the edge computing control center into thinking that there are multiple legitimate nodes at multiple different locations in the network. The Sybil attack consumes a large amount of network resources, resulting in increased network delay; a large amount of industrial automation equipment cannot be scheduled properly, and equipment may even go out of control. How to detect the various attacks in an industrial wireless network in time, and to expel and guard against attacking nodes, is an important problem that urgently needs to be solved.
Physical layer authentication is based on generalized channel responses with space-time variability, taking into account correlations in the time, frequency and spatial domains. Attack detection methods based on channel information difference have been proposed on the basis of physical layer authentication, but when both DoS attacks and Sybil attacks occur, the detection rate of malicious nodes is very low. To further improve the detection rate, spoofing attack detection strategies combined with machine learning algorithms have been proposed, but they require that samples with attack labels be provided to the machine learning algorithm in the offline training stage in order to optimize it. At present, existing machine-learning-based physical layer authentication methods need attack-labeled samples to be injected manually, and obtaining attack samples in advance is very difficult.
Disclosure of Invention
The invention aims to provide a malicious node physical layer detection method and system based on automatic labeling and learning, so as to solve the problems of label injection of machine learning offline sample sets in attack detection and low malicious node detection rate.
In order to achieve the above object, a first aspect of the present invention provides a malicious node physical layer detection method based on automatic labeling and learning, where the method includes:
S1) acquiring the channel information and the identity information of the legitimate access node;
S2) performing identity authentication on the requesting access node according to the identity information of the legitimate access node, and acquiring the channel information of the requesting access node;
S3) comparing the channel information of the requesting access node with the channel information of the legitimate access node, and judging the type of the requesting access node in combination with the identity authentication information of the requesting access node;
S4) injecting the corresponding label into the requesting access node according to its type, and combining the legitimate access node data and the requesting access node data into a training set;
S5) performing off-line training on the training set using a channel-based machine learning classification algorithm to generate a model;
S6) authenticating the node to be accessed using the model, so as to detect malicious nodes.
Further, step S2) performs identity authentication on the requesting access node according to the identity information of the legitimate access node, including: and comparing the identity ID of the request access node with the identity ID of the legal access node, and judging whether the identity ID of the request access node is consistent with the identity ID of the legal access node.
Further, step S3) compares the channel information of the requesting access node with the channel information of the legitimate access node, and determines the type of the requesting access node by combining the identity authentication information of the requesting access node, including:
if the channel information of the request access node is consistent with the channel information of the legal access node, and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
and if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, or the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a malicious node.
Further, if the channel information of the requesting access node is consistent with the channel information of the legitimate access node and the identity ID of the requesting access node is inconsistent with the identity ID of the legitimate access node, or the channel information of the requesting access node is inconsistent with the channel information of the legitimate access node and the identity ID of the requesting access node is consistent with the identity ID of the legitimate access node, determining that the requesting access node is a malicious node, including:
if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is a Sybil node;
and if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a clone node.
Further, step S3) compares the channel information of the requesting access node with the channel information of the legitimate access node, and determines the type of the requesting access node by combining the identity authentication information of the requesting access node, including:
the following binary hypotheses are formed:
Figure BDA0002311449520000041
Figure BDA0002311449520000042
wherein,
Figure BDA0002311449520000043
channel information indicating a legitimate access node,
Figure BDA0002311449520000044
channel information representing a requesting access node;
the null hypothesis $H_0$ represents: the channel information of the requesting access node is consistent with that of the legitimate access node, and the requesting access node and the legitimate access node are located at the same physical position;
the alternative hypothesis $H_1$ represents: the channel information of the requesting access node is inconsistent with that of the legitimate access node, and the requesting access node and the legitimate access node are located at different physical positions;
the above hypotheses are converted, by normalizing the statistic, into:
Figure BDA0002311449520000045
wherein T is a normalized statistic, i and j respectively represent different nodes, η represents a threshold value, and diff is a method for calculating the degree of correlation of the channel information.
When $ID_i = ID_j$ and $T > \eta_1$, the IDs of node i and node j are consistent but the two nodes are located at different physical locations, and node j is a clone node; here $\eta_1$ is the optimal clone threshold within a local range, obtained by manual traversal;
when $ID_i = ID_j$ and $T < \eta_1$, the IDs of node i and node j are consistent and the two nodes are located at the same physical position, and node j is a legitimate access node;
when $ID_i \neq ID_j$ and $T > \eta_2$, the IDs of node i and node j are inconsistent but the two nodes are located at the same physical location, and node j is a Sybil node; $\eta_2$ is the optimal Sybil threshold within a local range, obtained by manual traversal;
when $ID_i \neq ID_j$ and $T < \eta_2$, the IDs of node i and node j are inconsistent and the two nodes are located at different physical positions, and node j is a legitimate access node.
Further, step S6) authenticates the node to be accessed by using the model to implement detection of a malicious node, including: receiving an information packet of a node to be accessed, and using the model to judge whether the information packet comes from a malicious node, so as to detect malicious nodes.
The second aspect of the present invention provides a malicious node physical layer detection system based on automatic labeling and learning, the system comprising:
the acquisition module is used for acquiring the channel information and the identity information of a legal access node and acquiring the channel information of the request access node;
the authentication module is used for authenticating the identity of the request access node according to the identity information of the legal access node, comparing the channel information of the request access node with the channel information of the legal access node, and judging the type of the request access node by combining the identity authentication information of the request access node;
a label injection module for injecting a corresponding label to the request access node according to the type of the request access node, and combining the legal access node data and the request access node data into a training set;
the training module is used for performing off-line training according to the training set by adopting a machine learning classification algorithm based on a channel to generate a model;
the authentication module is also used for authenticating the node to be accessed by utilizing the model so as to realize the detection of the malicious node.
Further, the performing identity authentication on the requesting access node according to the identity information of the legitimate access node, comparing the channel information of the requesting access node with the channel information of the legitimate access node, and determining the type of the requesting access node by combining the identity authentication information of the requesting access node includes:
comparing the identity ID of the request access node with the identity ID of the legal access node, and judging whether the identity ID of the request access node is consistent with the identity ID of the legal access node;
if the channel information of the request access node is consistent with the channel information of the legal access node, and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
and if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, or the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a malicious node.
Further, the machine learning classification algorithm comprises a neural network algorithm, a SVM algorithm or a clustering algorithm.
The third aspect of the present invention provides a malicious node physical layer detection apparatus based on automatic labeling and learning, the apparatus comprising: a memory and a processor;
the memory to store program instructions;
the processor is used for calling the program instructions stored in the memory to realize the malicious node physical layer detection method based on automatic labeling and learning.
The technical scheme of the invention identifies the type of the access node in the network through the physical layer authentication strategy based on the channel difference, and can simultaneously detect the malicious node which initiates the clone attack and the Sybil attack; corresponding labels are automatically injected according to the types of the access nodes, so that the problem of manually injecting attack labels is solved, and the difficulty that attack label samples are lacked when a supervision type machine learning algorithm is used for channel authentication is solved; by utilizing physical layer channel difference, the attack tag sample is automatically injected by a threshold setting method, and an offline tagged sample set is provided for a machine learning algorithm, so that automatic tag injection and learning are realized, and the malicious node detection rate of an access node is improved. The malicious node physical layer detection system based on automatic labeling and learning can effectively solve the problem of malicious node detection of edge computing nodes on various industrial wireless devices in an asymmetric scene of an industrial edge computing Internet of things, and improve the accuracy of attack detection.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention without limiting the embodiments of the invention. In the drawings:
fig. 1 is a flowchart of a malicious node physical layer detection method based on automatic labeling and learning according to an embodiment of the present invention;
fig. 2 is a block diagram of a malicious node physical layer detection system based on automatic labeling and learning according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
Fig. 1 is a flowchart of a malicious node physical layer detection method based on automatic labeling and learning according to an embodiment of the present invention. As shown in fig. 1, the malicious node physical layer detection method based on automatic labeling and learning according to the embodiment of the present invention includes the following steps:
S1) acquiring channel information and identity information of a legitimate access node.
For example, a legal access node in the network performs upper layer authentication with an edge control device R and extracts channel information, the edge control device R stores identity declaration information sent from the legal access node, and the format of the identity declaration information is as follows:
Figure BDA0002311449520000071
wherein $ID_i$ is the identity number of the node, and
Figure BDA0002311449520000072
denotes the channel information extracted from node i, and k is the number of frames. The channel information of consecutive frames is similar, and because channel information is unique in space and time, it cannot be cloned.
In addition, the edge control device R performs channel estimation on the requesting access node through the pilot signal, and the channel estimation method includes, for example, an LS channel estimation method and an MMSE channel estimation method.
S2) according to the identity information of the legal access node, the identity authentication is carried out on the request access node, and the channel information of the request access node is obtained.
Authenticating the identity of the requesting access node, comprising: and comparing the identity ID of the request access node with the identity ID of the legal access node, and judging whether the identity ID of the request access node is consistent with the identity ID of the legal access node.
For example, the edge control device R performs identity authentication on the requesting access node and extracts channel information of the requesting access node, and determines whether the IDs of the requesting access node and the legitimate access node are consistent.
If $ID_i = ID_j$, the extracted nodes i and j claim the same ID, and a clone attack is possible;
if $ID_i \neq ID_j$, the extracted nodes i and j claim different IDs, and a Sybil attack is possible.
Here node i refers to the stored information of a legitimate node, and node j refers to the information of the node under test.
S3) comparing the channel information of the request access node with the channel information of the legal access node, and judging the type of the request access node by combining the identity authentication information of the request access node.
If the channel information of the request access node is consistent with the channel information of the legal access node, and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
and if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, or the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a malicious node. If the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is a Sybil node; and if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a clone node.
Step S3), a physical layer authentication strategy based on a channel threshold is adopted to compare whether the channel information (CSI) of the i node and the j node are consistent, and the following implementation mode is specifically adopted:
the following binary hypotheses are formed:
Figure BDA0002311449520000091
Figure BDA0002311449520000092
wherein,
Figure BDA0002311449520000093
channel information indicating a legitimate access node,
Figure BDA0002311449520000094
channel information representing a requesting access node;
the null hypothesis $H_0$ represents: the channel information of the requesting access node is consistent with that of the legitimate access node, and the requesting access node and the legitimate access node are located at the same physical position;
the alternative hypothesis $H_1$ represents: the channel information of the requesting access node is inconsistent with that of the legitimate access node, and the requesting access node and the legitimate access node are located at different physical positions.
The above hypotheses are converted into:
Figure BDA0002311449520000095
where T is a normalized statistic, i and j represent different nodes, η represents a threshold, and diff is a method of calculating the degree of correlation of channel information. For example, the method of the present embodiment uses a test statistic Ta based on amplitude, a test statistic Tb based on the combination of amplitude and phase, and a test statistic Tc based on corrected phase shift; the normalized statistic is not limited to the three statistics Ta, Tb and Tc.
When $ID_i = ID_j$ and $T > \eta_1$, the claimed IDs of node i and node j are consistent but the two nodes are located at different physical positions, and node j is a clone node; $\eta_1$ is the optimal clone threshold within a local range, obtained by manual traversal;
when $ID_i = ID_j$ and $T < \eta_1$, the claimed IDs of node i and node j are consistent and the two nodes are located at the same physical position, and node j is a legitimate access node;
when $ID_i \neq ID_j$ and $T > \eta_2$, the null hypothesis $H_0$ holds: the claimed IDs of node i and node j are inconsistent but the two nodes are at the same physical location, and node j is a Sybil node; $\eta_2$ is the optimal Sybil threshold within a local range, obtained by manual traversal;
when $ID_i \neq ID_j$ and $T < \eta_2$, the claimed IDs of node i and node j are inconsistent and the two nodes are located at different physical positions, and node j is a legitimate access node.
Through the physical layer authentication strategy based on the channel difference, malicious nodes which initiate clone attacks and Sybil attacks can be identified at the same time.
S4) according to the type of the request access node, injecting corresponding label to the request access node, and combining the legal access node data and the request access node data into a training set.
For example, the edge control device R extracts the node data
Figure BDA0002311449520000101
and
Figure BDA0002311449520000102
adds the corresponding label according to the type of the requesting access node (the label of a legitimate access node is +1 and the label of a malicious node is -1), and combines the data into a training set SSS:
Figure BDA0002311449520000103
Based on the channel-difference physical layer authentication strategy of step S3), step S4) uses the channel-difference threshold method to automatically provide an offline labeled sample set for the supervised machine learning algorithm.
S5) performing off-line training on the training set using a channel-based machine learning classification algorithm to generate a model. The edge control device R obtains, through repeated training, a model whose recognition rate reaches the standard.
The machine learning classification algorithm may adopt a supervised machine learning algorithm, such as a neural network algorithm, an SVM algorithm, a clustering algorithm, and the like.
S6) authenticating the node to be accessed by utilizing the model so as to realize the detection of the malicious node.
The edge control device R receives the information packet of the node to be accessed
Figure BDA0002311449520000111
and uses the model whose recognition rate reaches the standard to judge whether the information packet comes from a malicious node, so as to detect malicious nodes. Since the learning in the embodiment of the present invention is supervised learning, the node to be accessed needs to be a trained user, that is, the channel information of the node to be accessed has been collected and stored.
According to the malicious node physical layer detection method based on automatic labeling and learning, the type of the access node in the network is identified through a physical layer authentication strategy based on channel difference, and malicious nodes which initiate clone attack and Sybil attack can be detected at the same time; corresponding labels are automatically injected according to the types of the access nodes, namely, an offline labeled sample set is automatically provided for a supervised machine learning algorithm by using a channel difference threshold method, the labels do not need to be manually generated, and the malicious node detection rate of the wireless access nodes is improved.
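The labeling steps S1) to S4) described above, as an added example that is not part of the patent text: it applies the four-case rule of S3) to requesting nodes and injects the +1 / -1 labels of S4). The page does not reproduce the formula for T, so a normalized squared difference is assumed, with "consistent" taken to mean T at or below the threshold; the function names, threshold values and channel vectors are constructed for illustration.

```python
"""Threshold-based automatic labeling for steps S1-S4 (added example).

Assumptions, not taken from the patent text: T is a normalized squared
difference between channel vectors, a channel is "consistent" when T is at
or below the threshold, and every channel value below is constructed.
"""

LEGIT, CLONE, SYBIL = "legitimate", "clone", "sybil"


def channel_stat(h_ref, h_new):
    """T = ||h_new - h_ref||^2 / ||h_ref||^2 (assumed form of the statistic)."""
    if len(h_ref) != len(h_new):
        raise ValueError("channel vectors must have the same length")
    num = sum(abs(a - b) ** 2 for a, b in zip(h_new, h_ref))
    den = sum(abs(b) ** 2 for b in h_ref)
    return num / den


def classify_request(registry, claimed_id, h_new, eta1, eta2):
    """S3: return (node_type, T) for one requesting node."""
    if not registry:
        raise ValueError("no legitimate access node has been registered (S1)")
    if claimed_id in registry:
        # ID consistent: consistent channel -> legitimate, otherwise clone.
        t = channel_stat(registry[claimed_id], h_new)
        return (CLONE if t > eta1 else LEGIT), t
    # ID inconsistent with every stored node: test against the closest channel.
    t = min(channel_stat(h_ref, h_new) for h_ref in registry.values())
    # Consistent channel under a different ID -> Sybil, otherwise legitimate.
    return (SYBIL if t <= eta2 else LEGIT), t


def build_training_set(registry, requests, eta1, eta2):
    """S4: inject labels (+1 legitimate, -1 malicious) and merge both data sets."""
    samples = [(node_id, h, +1) for node_id, h in registry.items()]
    for claimed_id, h_new in requests:
        node_type, _ = classify_request(registry, claimed_id, h_new, eta1, eta2)
        samples.append((claimed_id, h_new, +1 if node_type == LEGIT else -1))
    return samples


def drift(h, eps):
    """Constructed helper: scale every tap by (1 + eps) to mimic frame-to-frame change."""
    return [x * (1 + eps) for x in h]


# Constructed channel vectors, one per physical location.
H_A = [1 + 0j, 0.5 + 0.5j, -0.3 + 0.8j, 0.2 - 0.6j]
H_B = [-0.7 + 0.2j, 0.9 - 0.1j, 0.4 + 0.4j, -0.5 - 0.5j]
H_C = [0.1 - 0.9j, -0.6 + 0.3j, 0.8 + 0.1j, 0.3 + 0.7j]
H_D = [0.6 + 0.6j, -0.2 - 0.9j, -0.8 + 0.3j, 0.7 - 0.1j]

# S1: stored identity and channel information of the legitimate nodes.
REGISTRY = {"node-1": H_A, "node-2": H_B}

# S2: (claimed ID, estimated channel) of each requesting node, constructed.
REQUESTS = [
    ("node-1", drift(H_A, 0.05)),   # known ID, same location
    ("node-1", H_C),                # known ID, different location
    ("node-9", drift(H_B, -0.03)),  # unknown ID, location of node-2
    ("node-7", H_D),                # unknown ID, new location
]

ETA1 = ETA2 = 0.1  # constructed thresholds; the page obtains them by manual traversal


def demo():
    """Run S3 and S4 on the constructed data; return (node types, training set)."""
    types = [classify_request(REGISTRY, i, h, ETA1, ETA2)[0] for i, h in REQUESTS]
    return types, build_training_set(REGISTRY, REQUESTS, ETA1, ETA2)


if __name__ == "__main__":
    node_types, training_set = demo()
    for (claimed_id, _), node_type in zip(REQUESTS, node_types):
        print(claimed_id, node_type)
    print([label for _, _, label in training_set])
```

The resulting list of (ID, channel, label) tuples is the labeled sample set that step S5) would train on.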
Fig. 2 is a block diagram of a malicious node physical layer detection system based on automatic labeling and learning according to an embodiment of the present invention. As shown in fig. 2, the malicious node physical layer detection system based on automatic labeling and learning according to an embodiment of the present invention includes: the system comprises an acquisition module, an authentication module, a label injection module and a training module.
The acquisition module is used for acquiring the channel information and the identity information of the legal access node and acquiring the channel information of the request access node.
The authentication module is used for authenticating the identity of the request access node according to the identity information of the legal access node, comparing the channel information of the request access node with the channel information of the legal access node, and judging the type of the request access node by combining the identity authentication information of the request access node. Specifically, the identity ID of the request access node is compared with the identity ID of the legal access node to judge whether the two are consistent. If the channel information of the request access node is consistent with the channel information of the legal access node and the identity IDs are consistent, the request access node is judged to be a legal access node. If the channel information is inconsistent and the identity IDs are also inconsistent, the request access node is likewise judged to be a legal access node. If the channel information is consistent but the identity IDs are inconsistent, or the channel information is inconsistent but the identity IDs are consistent, the request access node is judged to be a malicious node.
The label injection module is used for injecting corresponding labels into the request access nodes according to the types of the request access nodes, and combining the legal access node data and the request access node data into a training set.
The training module is used for performing off-line training on the training set using a channel-based machine learning classification algorithm to generate a model. The machine learning classification algorithm may employ a neural network algorithm, an SVM algorithm, or a clustering algorithm.
The authentication module is also used for authenticating the node to be accessed by utilizing the model so as to realize the detection of the malicious node.
The malicious node physical layer detection system based on automatic labeling and learning provided by the embodiment of the invention can effectively solve the problem of malicious node detection of edge computing nodes on various industrial wireless devices in an asymmetric scene of an industrial edge computing Internet of things, and improve the accuracy of attack detection.
The embodiment of the invention also provides a malicious node physical layer detection device based on automatic labeling and learning, which comprises a memory and a processor; the memory is used for storing program instructions; the processor is used for calling the program instructions stored in the memory to implement the malicious node physical layer detection method based on automatic labeling and learning.
Those skilled in the art will appreciate that all or part of the steps of the method in the above embodiments may be implemented by a program, which is stored in a storage medium and includes several instructions that enable a single-chip microcomputer, a chip, or a processor to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
While the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the details of the above embodiments, and various simple modifications can be made to the technical solution of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and the simple modifications are within the scope of the embodiments of the present invention. In addition, any combination of the various embodiments of the present invention is also possible, and the same should be considered as disclosed in the embodiments of the present invention as long as it does not depart from the spirit of the embodiments of the present invention.

Claims (10)

1. A malicious node physical layer detection method based on automatic labeling and learning is characterized by comprising the following steps:
S1) acquiring the channel information and the identity information of the legal access node;
S2) according to the identity information of the legal access node, the identity authentication is carried out on the request access node, and the channel information of the request access node is obtained;
S3) comparing the channel information of the request access node with the channel information of the legal access node, and judging the type of the request access node by combining the identity authentication information of the request access node;
S4) injecting corresponding labels to the request access nodes according to the types of the request access nodes, and combining the legal access node data and the request access node data into a training set;
S5) performing off-line training according to the training set by adopting a machine learning classification algorithm based on a channel to generate a model;
S6) authenticating the node to be accessed by utilizing the model so as to realize the detection of the malicious node.
2. The method for detecting the physical layer of the malicious node based on automatic labeling and learning of claim 1, wherein the step S2) of authenticating the identity of the requesting access node according to the identity information of the legitimate access node comprises:
and comparing the identity ID of the request access node with the identity ID of the legal access node, and judging whether the identity ID of the request access node is consistent with the identity ID of the legal access node.
3. The method for detecting the physical layer of the malicious node based on automatic tagging and learning of claim 2, wherein the step S3) compares the channel information of the requesting access node with the channel information of the legitimate access node, and determines the type of the requesting access node by combining the identity authentication information of the requesting access node, and comprises:
if the channel information of the request access node is consistent with the channel information of the legal access node, and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
and if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, or the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a malicious node.
4. The method as claimed in claim 3, wherein if the channel information of the requesting access node is consistent with the channel information of the legitimate access node and the identity ID of the requesting access node is inconsistent with the identity ID of the legitimate access node, or the channel information of the requesting access node is inconsistent with the channel information of the legitimate access node and the identity ID of the requesting access node is consistent with the identity ID of the legitimate access node, determining that the requesting access node is a malicious node comprises:
if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is a Sybil node;
and if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a clone node.
5. The malicious node physical layer detection method based on automatic tagging and learning of claim 4, wherein the step S3) of comparing the channel information of the requesting access node with the channel information of the legitimate access node, and determining the type of the requesting access node by combining the identity authentication information of the requesting access node comprises:
the following hypotheses are established using a binary hypothesis test:
Figure FDA0002311449510000031
Figure FDA0002311449510000032
wherein,
Figure FDA0002311449510000033
channel information indicating a legitimate access node,
Figure FDA0002311449510000034
channel information representing a requesting access node;
the null hypothesis $H_0$ represents: the channel information of the request access node is consistent with that of the legal access node, and the request access node and the legal access node are located at the same physical location;
the alternative hypothesis $H_1$ represents: the channel information of the request access node is inconsistent with the channel information of the legal access node, and the request access node and the legal access node are located at different physical positions;
by normalizing the statistic, the above hypothesis formulas are converted to:
Figure FDA0002311449510000035
wherein T is a normalized statistic, i and j respectively represent different nodes, η represents a threshold value, and diff is a method for calculating the correlation degree of the channel information.
when $ID_i = ID_j$ and $T > \eta_1$, the IDs of node i and node j are consistent but the two nodes are located at different physical locations, and node j is a clone node; here $\eta_1$ is the optimal clone threshold within a local range, obtained by a manual traversal method;
when $ID_i = ID_j$ and $T < \eta_1$, the IDs of node i and node j are consistent and the two nodes are located at the same physical position, and node j is a legal access node;
when $ID_i \neq ID_j$ and $T > \eta_2$, the IDs of node i and node j are inconsistent but the two nodes are located at the same physical location, and node j is a Sybil node; here $\eta_2$ is the optimal Sybil threshold within a local range, obtained by a manual traversal method;
when $ID_i \neq ID_j$ and $T < \eta_2$, the IDs of node i and node j are inconsistent and the two nodes are located at different physical positions, and node j is a legal access node.
6. The method for detecting the physical layer of the malicious node based on automatic labeling and learning of claim 1, wherein step S6) authenticates the node to be accessed by using the model to detect the malicious node, which comprises:
and receiving an information packet of a node to be accessed, and judging, by using the model, whether the information packet comes from a malicious node, so as to realize the detection of the malicious node.
7. A malicious node physical layer detection system based on automatic labeling and learning, which is characterized by comprising:
the acquisition module is used for acquiring the channel information and the identity information of a legal access node and acquiring the channel information of the request access node;
the authentication module is used for authenticating the identity of the request access node according to the identity information of the legal access node, comparing the channel information of the request access node with the channel information of the legal access node, and judging the type of the request access node by combining the identity authentication information of the request access node;
a label injection module for injecting a corresponding label to the request access node according to the type of the request access node, and combining the legal access node data and the request access node data into a training set;
the training module is used for performing off-line training according to the training set by adopting a machine learning classification algorithm based on a channel to generate a model;
the authentication module is also used for authenticating the node to be accessed by utilizing the model so as to realize the detection of the malicious node.
8. The system of claim 7, wherein the automatically labeling and learning based malicious node physical layer detection system performs identity authentication on a requesting access node according to the identity information of the legitimate access node, compares the channel information of the requesting access node with the channel information of the legitimate access node, and determines the type of the requesting access node by combining the identity authentication information of the requesting access node, and comprises:
comparing the identity ID of the request access node with the identity ID of the legal access node, and judging whether the identity ID of the request access node is consistent with the identity ID of the legal access node;
if the channel information of the request access node is consistent with the channel information of the legal access node, and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
if the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, judging that the request access node is the legal access node;
and if the channel information of the request access node is consistent with the channel information of the legal access node and the identity ID of the request access node is inconsistent with the identity ID of the legal access node, or the channel information of the request access node is inconsistent with the channel information of the legal access node and the identity ID of the request access node is consistent with the identity ID of the legal access node, judging that the request access node is a malicious node.
9. The automatic labeling and learning-based malicious node physical layer detection system according to claim 7, wherein the machine learning classification algorithm comprises a neural network algorithm, an SVM algorithm or a clustering algorithm.
10. A malicious node physical layer detection device based on automatic labeling and learning, the device comprising: a memory and a processor;
the memory, configured to store program instructions;
the processor, configured to invoke the program instructions stored in the memory to implement the automatic tagging and learning based malicious node physical layer detection method of any one of claims 1-6.
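The labeling rule of claims 3 and 4, which the description also gives for the authentication and label injection modules, is exercised below as an added example; it is not code from the patent. The statistic `normalized_diff`, the single threshold `eta` picked by `sweep_threshold`, and all node names, channel vectors and calibration pairs are assumptions constructed for illustration, because the patent's own formula for T survives on this page only as figure references.

```python
# Added example: automatic labeling of request access nodes (not patent code).
# All data below is constructed; the statistic and threshold are assumptions.

LEGAL_NODES = {  # step S1: identity ID -> reference channel vector
    "node-A": [0.90, 0.40, 0.75, 0.20],
    "node-B": [0.15, 0.80, 0.30, 0.95],
}

REQUESTS = [  # (claimed identity ID, measured channel vector)
    ("node-A", [0.88, 0.42, 0.77, 0.19]),  # known ID, same location
    ("node-A", [0.30, 0.10, 0.20, 0.85]),  # known ID, different location
    ("node-X", [0.16, 0.79, 0.31, 0.93]),  # new ID, location of node-B
    ("node-Y", [0.55, 0.05, 0.10, 0.50]),  # new ID, new location
]

# Constructed calibration pairs: (statistic value, measured at same location?)
CALIBRATION = [(0.0008, True), (0.0004, True), (0.02, True),
               (0.30, False), (0.48, False), (0.75, False)]


def normalized_diff(h_req, h_ref):
    """Assumed statistic: squared distance divided by reference energy."""
    if len(h_req) != len(h_ref) or not h_ref:
        raise ValueError("channel vectors must be non-empty and equal length")
    energy = sum(b * b for b in h_ref)
    if energy == 0:
        raise ValueError("reference channel has zero energy")
    return sum((a - b) ** 2 for a, b in zip(h_req, h_ref)) / energy


def sweep_threshold(pairs, candidates):
    """Traverse candidate thresholds and keep the first with fewest errors."""
    def errors(eta):
        return sum((t < eta) != same for t, same in pairs)
    return min(candidates, key=errors)


def label_request(claimed_id, h_req, legal_nodes, eta):
    """Return 'legal', 'clone' or 'sybil' from ID and channel consistency."""
    if claimed_id in legal_nodes:
        # ID consistent: compare against the claimed identity's own reference.
        same_place = normalized_diff(h_req, legal_nodes[claimed_id]) < eta
        return "legal" if same_place else "clone"
    # ID inconsistent: a channel matching any legal node means that location
    # is presenting a second identity.
    same_place = any(normalized_diff(h_req, h) < eta
                     for h in legal_nodes.values())
    return "sybil" if same_place else "legal"


def build_training_set(legal_nodes, requests, eta):
    """Step S4: merge legal-node data with auto-labelled request data."""
    rows = [{"id": i, "channel": h, "label": "legal"}
            for i, h in legal_nodes.items()]
    for claimed_id, h_req in requests:
        label = label_request(claimed_id, h_req, legal_nodes, eta)
        rows.append({"id": claimed_id, "channel": h_req, "label": label})
    return rows


if __name__ == "__main__":
    eta = sweep_threshold(CALIBRATION, [0.001, 0.01, 0.05, 0.1, 0.5])
    for row in build_training_set(LEGAL_NODES, REQUESTS, eta):
        print(row["id"], row["label"])
```

The resulting rows are the input a step S5 classifier would be trained on; the choice of features passed to that classifier is left open here, as it is in the claims.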
CN201911260379.9A 2019-12-10 2019-12-10 Malicious node physical layer detection method and system based on automatic labeling and learning Pending CN110995721A (en)


Publications (1)

Publication Number Publication Date
CN110995721A true CN110995721A (en) 2020-04-10

Family

ID=70092033


Country Status (1)

Country Link
CN (1) CN110995721A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200410
