CN112583808B - Abnormal flow detection method for Internet of things equipment - Google Patents

Info

Publication number
CN112583808B
Authority
CN
China
Prior art keywords
internet
flow
things
information entropy
sliding window
Legal status
Active
Application number
CN202011423222.6A
Other languages
Chinese (zh)
Other versions
CN112583808A (en)
Inventor
孙毅臻
高隽
曹琳婧
张士庚
余建疆
田峥
田建伟
陈中伟
封靖川
魏如意
Current Assignee
State Grid Corp of China SGCC
State Grid Hunan Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Hunan Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd
Priority date
2020-12-08
Filing date
2020-12-08
Publication date
2022-01-07

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an abnormal traffic detection method for Internet of Things devices. The method collects the traffic data of the Internet of Things device; classifies the traffic data according to service type and destination port; obtains the periodicity of the device's network communication traffic by discretising the traffic data of a service and calculating the period of the packet sending rate with a Fourier transform; uses that period as the sliding window size and calculates the information entropy of the network traffic in each sliding window; and compares the information entropy in each sliding window with a set threshold to detect abnormal traffic from the Internet of Things device. By collecting the device's traffic data, setting the sliding window size from that data and detecting sudden changes of the traffic information entropy within the sliding window, the method detects abnormal traffic and locates its time range, with high reliability, a wide application range and good effectiveness.

Description

Abnormal flow detection method for Internet of things equipment
Technical Field
The invention belongs to the technical field of network security and in particular relates to an abnormal traffic detection method for Internet of Things devices.
Background
With economic and technological development and the arrival of the intelligent era, the Internet of Things is widely used in production and daily life and brings great convenience to both. But as the Internet of Things spreads, attacks against it become more and more frequent, and as people pay more attention to security, the security of the Internet of Things urgently needs to be improved.
However, manufacturers of Internet of Things devices currently tend to implement lightweight protocols to improve the user experience, sacrificing device security. In recent years, attacks on Internet of Things devices have been incessant.
At present, mainstream intrusion detection techniques struggle to keep up with the rapid growth of Internet of Things devices, and are particularly inadequate against novel Internet of Things devices or novel attack methods.
Disclosure of Invention
The invention aims to provide an abnormal traffic detection method for Internet of Things devices that is highly reliable, widely applicable and effective.
The invention provides an abnormal traffic detection method for Internet of Things devices comprising the following steps:
S1, collecting traffic data of the Internet of Things device;
S2, classifying the traffic data obtained in step S1 according to service type and destination port;
S3, obtaining the periodicity of the device's network communication traffic: discretising the traffic data of a service and calculating the period of the packet sending rate with a Fourier transform;
S4, taking the period obtained in step S3 as the sliding window size and calculating the information entropy of the network traffic in each sliding window;
S5, comparing the information entropy obtained in step S4 with a set threshold within the sliding window, thereby detecting abnormal traffic of the Internet of Things device.
Collecting the traffic data of the Internet of Things device in step S1 specifically means capturing the device's traffic with tcpdump.
Discretising the traffic data of the service and calculating the period of the packet sending rate with a Fourier transform in step S3 specifically means discretising the traffic data of a given service into a binary time sequence with one sample per second and then calculating the period of the packet sending rate with a Fourier transform.
Specifically, the binary time sequence is converted from the time domain into the frequency domain X_k by the following formula:
[formula image not reproduced]
where x_n is the original binary time sequence with one sample per second and d is the number of samples in the sequence; the maximum value X_max in the frequency domain is then found, and the period T is calculated from it by the formula
[formula image not reproduced]
Calculating the information entropy of the network traffic in each sliding window in step S4 specifically means taking a feature of the packet sequence of the traffic in the window as a random variable and calculating the information entropy of that random variable.
The information entropy of the random variable is calculated by the following formula:
[formula image not reproduced]
where p(x_i) is the probability that the random event X takes the value x_i and n is the number of different values of the random event X; the feature selected for calculating the information entropy is the packet size; calculating the information entropy of every sliding window yields, for the traffic captured from each device, a sequence of entropy values describing the distribution of the time-series data.
Comparing the information entropy with the set threshold within the sliding window in step S5, thereby detecting abnormal traffic of the Internet of Things device, specifically means that if the information entropy in a sliding window exceeds the set threshold, abnormal Internet of Things traffic is judged to exist in that sliding window.
By collecting the traffic data of the Internet of Things device, setting the sliding window size from that data and detecting sudden changes of the traffic information entropy within the sliding window, the abnormal traffic detection method of the invention not only locates the time range of the abnormal traffic but is also highly reliable, widely applicable and effective.
Drawings
FIG. 1 is a schematic flow chart of the method of the invention.
FIG. 2 is a schematic diagram of the information entropy curve of an embodiment of the method of the invention.
Detailed Description
FIG. 1 is a schematic flow chart of the method of the invention. The invention provides an abnormal traffic detection method for Internet of Things devices comprising the following steps:
S1, collecting traffic data of the Internet of Things device, specifically by capturing the device's traffic with tcpdump;
S2, classifying the traffic data obtained in step S1 according to service type and destination port;
S3, obtaining the periodicity of the device's network communication traffic by discretising the traffic data of a service and calculating the period of the packet sending rate with a Fourier transform; specifically, the traffic data of a given service is discretised into a binary time sequence with one sample per second, and the period of the packet sending rate is then calculated with a Fourier transform;
in a specific implementation, the time domain is converted into the frequency domain X_k by the following formula:
[formula image not reproduced]
where x_n is the original binary time sequence with one sample per second and d is the number of samples in the sequence; the maximum value X_max in the frequency domain is then found, and the period T is calculated by the formula
[formula image not reproduced]
S4, taking the period obtained in step S3 as the sliding window size and calculating the information entropy of the network traffic in each sliding window: a feature of the packet sequence of the traffic in the window is taken as a random variable and the information entropy of that random variable is calculated;
in a specific implementation, the information entropy H(X) is calculated by the following formula:
[formula image not reproduced]
where p(x_i) is the probability that the random event X takes the value x_i and n is the number of different values of the random event X;
the feature selected for calculating the information entropy is the packet size; calculating the information entropy of every sliding window yields, for the traffic captured from each device, a sequence of entropy values describing the distribution of the time-series data;
S5, comparing the information entropy obtained in step S4 with a set threshold within the sliding window, thereby detecting abnormal traffic of the Internet of Things device; specifically, if the information entropy in a sliding window exceeds the set threshold, abnormal Internet of Things traffic is judged to exist in that sliding window.
The method of the invention is further illustrated below with reference to an example:
first, an anomaly detection model is deployed on each local security gateway, and the traffic sent by a device to the security gateway is captured by running a tcpdump command on the gateway;
then, the unidirectional flows sent by a TP-Link camera device are classified by destination port, i.e. by service type; because the destination ports of an Internet of Things device are fixed by the manufacturer, or its traffic is sent by fixed services, traffic to any other port can be excluded directly as malicious abnormal traffic in this step;
next, exploiting the periodic communication pattern of Internet of Things devices, for each service flow (destination port) every 1-second time window is marked 1 if a packet was captured in it and 0 otherwise, giving a binary 0-1 time sequence with one sample per second, and the Fourier transform formula converts it from the time domain into the frequency domain
[formula image not reproduced]
then the maximum value X_max in the frequency domain is found, and the period is calculated by
[formula image not reproduced]
then, the calculated period is used as the sliding window size and the information entropy of the network traffic in each sliding window is calculated, taking a feature of the packet sequence of the traffic in the window as a random variable and computing its information entropy by
[formula image not reproduced]
finally, the resulting sequence of information entropy values is plotted as a curve; abnormal traffic in a sliding window shows up as a sudden change of the entropy, and when the relative difference of a sliding window exceeds the set threshold γ, abnormal Internet of Things traffic is judged to exist in that window, as shown in FIG. 2.
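As an added illustration, not code from the patent or its assignees, the following Python sketch runs steps S3 to S5 of the example above on a constructed single-port capture: a 10-second heartbeat with a burst of varied-size packets injected around t = 150 s. All names are hypothetical; the discrete Fourier transform, T = d / k_max and the Shannon entropy of the packet-size distribution stand in for the formula images not reproduced on this page, and both the claimed fixed-threshold test and the example's relative-change test are shown.

```python
import math
from collections import Counter

# Constructed capture for ONE device and ONE service (destination port), as the
# method would see it after steps S1-S2: (timestamp in seconds, packet size in bytes).
# Normal behaviour: a 64-byte request at t and a 128-byte reply at t+1 every 10 s.
# Injected anomaly: 100 packets of varying size between t=150 and t=160.
def build_capture(duration=240, period=10):
    pkts = []
    for t in range(0, duration, period):
        pkts += [(t, 64), (t + 1, 128)]
    for i in range(100):
        pkts.append((150 + i * 0.1, 200 + (i * 37) % 1300))
    return sorted(pkts)

def binarize(packets, duration):
    """S3: discretise to one sample per second: 1 if any packet was seen, else 0."""
    seq = [0] * duration
    for t, _ in packets:
        seq[int(t)] = 1
    return seq

def dominant_period(seq):
    """S3: DFT of the 0/1 sequence x_n (d samples); the bin k_max with the
    largest magnitude (DC excluded, lowest k wins ties) gives T = d / k_max."""
    d = len(seq)
    best_k, best_mag = None, -1.0
    for k in range(1, d // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * n / d) for n, x in enumerate(seq))
        im = sum(-x * math.sin(2 * math.pi * k * n / d) for n, x in enumerate(seq))
        mag = math.hypot(re, im)
        if mag > best_mag + 1e-9:
            best_k, best_mag = k, mag
    return round(d / best_k)

def entropy(values):
    """S4: Shannon entropy (bits) of the empirical distribution of a feature."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def window_entropies(packets, period, duration):
    """S4: entropy of the packet-size distribution in each window of length T."""
    result = []
    for start in range(0, duration, period):
        sizes = [size for t, size in packets if start <= t < start + period]
        result.append(entropy(sizes) if sizes else 0.0)
    return result

def flag_by_threshold(entropies, gamma):
    """S5 as claimed: windows whose entropy exceeds the fixed threshold gamma."""
    return [i for i, h in enumerate(entropies) if h > gamma]

def flag_by_jump(entropies, gamma):
    """S5 as in the worked example: relative change versus the previous window
    exceeds gamma, i.e. a sudden change in the entropy curve."""
    flagged = []
    for i in range(1, len(entropies)):
        prev = entropies[i - 1]
        if prev > 0 and abs(entropies[i] - prev) / prev > gamma:
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    pkts = build_capture()
    T = dominant_period(binarize(pkts, 240))   # recovers the 10 s heartbeat period
    H = window_entropies(pkts, T, 240)
    print("period T =", T, "s; flagged windows:", flag_by_threshold(H, 2.0))
```

Normal windows contain only the two heartbeat sizes (entropy 1 bit); the window starting at 150 s holds 102 distinct sizes and is the only one flagged by either test.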

Claims (4)

1. An abnormal traffic detection method for Internet of Things devices, comprising the following steps:
S1, collecting traffic data of the Internet of Things device;
S2, classifying the traffic data obtained in step S1 according to service type and destination port;
S3, obtaining the periodicity of the device's network communication traffic by discretising the traffic data of a service and calculating the period of the packet sending rate with a Fourier transform;
S4, taking the period obtained in step S3 as the sliding window size and calculating the information entropy of the network traffic in each sliding window; taking a feature of the packet sequence of the traffic in the window as a random variable and calculating the information entropy of that random variable; the information entropy H(X) being calculated by the following formula:
[formula image not reproduced]
where p(x_i) is the probability that the random event X takes the value x_i and n is the number of different values of the random event X; the feature selected for calculating the information entropy is the packet size; calculating the information entropy of every sliding window yields, for the traffic captured from each device, a sequence of entropy values describing the distribution of the time-series data;
S5, comparing the information entropy obtained in step S4 with a set threshold within the sliding window, thereby detecting abnormal traffic of the Internet of Things device; specifically, if the information entropy in a sliding window exceeds the set threshold, abnormal Internet of Things traffic is judged to exist in that sliding window.
2. The abnormal traffic detection method for Internet of Things devices according to claim 1, wherein collecting the traffic data of the Internet of Things device in step S1 specifically means capturing the device's traffic with tcpdump.
3. The abnormal traffic detection method for Internet of Things devices according to claim 1 or 2, wherein in step S3 the traffic data of a given service is discretised into a binary time sequence with one sample per second and the period of the packet sending rate is then calculated with a Fourier transform.
4. The abnormal traffic detection method for Internet of Things devices according to claim 3, wherein the period of the packet sending rate is obtained by converting the time domain into the frequency domain X_k with the following formula:
[formula image not reproduced]
where x_n is the original binary time sequence with one sample per second and d is the number of samples in the sequence; the maximum value X_max in the frequency domain is then found, and the period T is calculated by the formula
[formula image not reproduced]

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011423222.6A CN112583808B (en) 2020-12-08 2020-12-08 Abnormal flow detection method for Internet of things equipment

Publications (2)

Publication Number Publication Date
CN112583808A CN112583808A (en) 2021-03-30
CN112583808B true CN112583808B (en) 2022-01-07

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765896B (en) * 2021-08-18 2023-06-30 广东三水合肥工业大学研究院 Internet of things realization system and method based on artificial intelligence
CN113904812B (en) * 2021-09-18 2022-10-21 中标慧安信息技术股份有限公司 Internet of things intrusion detection method based on isolated forest

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618651A (en) * 2013-12-11 2014-03-05 上海电机学院 Network abnormality detection method and system based on information entropy and sliding window
CN105357228A (en) * 2015-12-19 2016-02-24 中国人民解放军信息工程大学 Burst traffic detection method based on dynamic threshold
US9729693B1 (en) * 2016-06-07 2017-08-08 Huami Inc. Determining measurement confidence for data collected from sensors of a wearable device
CN109818793A (en) * 2019-01-30 2019-05-28 基本立子(北京)科技发展有限公司 For the device type identification of Internet of Things and network inbreak detection method
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110275508A (en) * 2019-05-08 2019-09-24 西安电子科技大学 Vehicle-mounted CAN bus network method for detecting abnormality and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10454828B2 (en) * 2016-12-21 2019-10-22 Cisco Technology, Inc. Machine learning-derived entropy path graph from in-situ OAM (iOAM) data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant