CN112583808B - Abnormal flow detection method for Internet of things equipment - Google Patents
- Publication number: CN112583808B (application CN202011423222.6A)
- Authority
- CN
- China
- Prior art keywords
- internet
- flow
- things
- information entropy
- sliding window
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an abnormal flow detection method for Internet of things equipment, comprising the steps of: collecting flow data of the Internet of things equipment; classifying the flow data according to service type and destination port; obtaining the periodic pattern of the network communication flow of the equipment by discretizing the flow data of each service and calculating the time period of the packet sending rate with a Fourier transform; taking that time period as the sliding window size and calculating the information entropy value of the network flow in each sliding window; and comparing the information entropy value in each sliding window with a set threshold value to detect abnormal flow of the Internet of things equipment. The method detects abnormal flow by acquiring the flow data of the equipment, setting the sliding window size according to that data, and detecting sudden changes of the flow information entropy within the sliding window; it can locate the time range of the abnormal flow, and has the advantages of high reliability, a wide application range and good effectiveness.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an abnormal flow detection method for Internet of things equipment.
Background
With the development of economic technology and the arrival of the intelligent era, the Internet of things is widely applied in people's production and daily life and brings them great convenience. But with the popularization of the Internet of things, attacks against it are becoming more and more frequent. As people pay more and more attention to security, the security of the Internet of things urgently needs to be improved.
However, manufacturers of Internet of things devices currently tend to implement lightweight protocols in order to improve the user experience, so that the security of the devices is sacrificed. In recent years, attacks against Internet of things devices have been unending.
At present, mainstream intrusion detection technology has difficulty keeping up with the rapid growth of Internet of things equipment, and it is stretched even further when facing novel Internet of things devices or novel attack methods.
Disclosure of Invention
The invention aims to provide an abnormal flow detection method for Internet of things equipment, which is high in reliability, wide in application range and good in effectiveness.
The invention provides an abnormal flow detection method for equipment of the Internet of things, which comprises the following steps:
S1, collecting flow data of the Internet of things equipment;
S2, classifying the flow data obtained in step S1 according to the service type and the destination port;
S3, obtaining the periodic data of the network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of the packet sending rate by Fourier transform;
S4, taking the time period obtained in step S3 as the sliding window value, and calculating the information entropy value of the network flow in each sliding window;
S5, according to the information entropy value obtained in step S4, judging the size relation between the information entropy value and a set threshold value within the sliding window, thereby achieving abnormal flow detection of the Internet of things equipment.
The collection of flow data of the Internet of things equipment in step S1 is specifically the collection of that flow data through tcpdump.
In step S3, after the flow data of the service is discretized, the time period of the packet sending rate is calculated by Fourier transform; specifically, the flow data of a specific service is discretized into a binary time sequence with one sample value per second, and the time period of the packet sending rate is then calculated by Fourier transform.
The time period of the packet sending rate is specifically obtained by converting the sequence into the frequency domain X_k using the following formula:
In the formula, x_n is the original binary time sequence with one sample per second and D is the number of sample values in the sequence; the maximum value X_max in the frequency domain is then obtained, and the time period T is calculated from it by the corresponding formula.
In step S4, the information entropy value of the network flow in each sliding window is calculated specifically by taking a group of characteristics of the data packet sequence of the flow in the window as a random variable and calculating the information entropy value of that random variable.
The information entropy value of the random variable is calculated by the following formula:
In the formula, p(x_i) is the probability that the random event X takes the value x_i; n is the number of distinct values of the random event X; the characteristic selected for calculating the information entropy is the packet (group) size; calculating the information entropy value of each sliding window yields, for the flow captured from each device, a sequence of information entropy values describing the distribution of the time-series data.
In step S5, the size relation between the information entropy value and the set threshold value is judged within the sliding window so as to detect abnormal flow of the Internet of things equipment; specifically, if within a sliding window the information entropy exceeds the set threshold, it is determined that abnormal Internet of things flow exists in that sliding window.
According to the abnormal flow detection method for the equipment of the Internet of things, the abnormal flow detection of the equipment of the Internet of things is realized by acquiring the flow data of the equipment of the Internet of things, setting the size of the sliding window value according to the flow data and detecting the sudden change of the flow information entropy in the sliding window; the method of the invention not only can position the time range of abnormal flow, but also has high reliability, wide application range and good effectiveness.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
FIG. 2 is a schematic diagram of an information entropy curve of an embodiment of the method of the present invention.
Detailed Description
FIG. 1 is a schematic flow chart of the method of the present invention: the invention provides an abnormal flow detection method for equipment of the Internet of things, which comprises the following steps:
S1, collecting flow data of the Internet of things equipment; specifically, the flow data of the Internet of things equipment is collected through tcpdump;
S2, classifying the flow data obtained in step S1 according to the service type and the destination port;
S3, obtaining the periodic data of the network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of the packet sending rate by Fourier transform; specifically, the flow data of a specific service is discretized into a binary time sequence with one sample value per second, and the time period of the packet sending rate is then calculated by Fourier transform;
in specific implementation, the following formula is adopted to convert the time domain into the frequency domain X_k:
In the formula, x_n is the original binary time sequence with one sample per second and D is the number of sample values in the sequence; the maximum value X_max in the frequency domain is then obtained, and the time period T is calculated from it by the corresponding formula;
S4, taking the time period obtained in step S3 as the sliding window value, and calculating the information entropy value of the network flow in each sliding window; a group of characteristics of the data packet sequence of the flow in the window is taken as a random variable, and the information entropy value of that random variable is calculated;
in specific implementation, the information entropy value H(X) is calculated by the following formula:
In the formula, p(x_i) is the probability that the random event X takes the value x_i; n is the number of distinct values of the random event X;
the characteristic selected for calculating the information entropy is the packet (group) size; calculating the information entropy value of each sliding window yields, for the flow captured from each device, a sequence of information entropy values describing the distribution of the time-series data;
S5, according to the information entropy value obtained in step S4, judging the size relation between the information entropy value and a set threshold value within the sliding window, thereby achieving abnormal flow detection of the Internet of things equipment; specifically, if within a sliding window the information entropy exceeds the set threshold, it is determined that abnormal Internet of things flow exists in that sliding window.
The method of the invention is further illustrated below with reference to one embodiment:
first, an anomaly detection model is deployed on each local security gateway, and the traffic sent by a device to the security gateway is captured by running a tcpdump command on the gateway;
then, the unidirectional streams sent by the TP-Link camera device are classified by destination port, i.e. by service type; because the destination ports of Internet of things devices are fixed by the manufacturer, or the devices send traffic for fixed services, traffic to any other port can be treated directly as malicious abnormal traffic and filtered out in this step;
next, exploiting the fact that Internet of things devices have periodic communication flow, for each service flow (destination port) every 1-second time window is marked 1 if a data packet was captured in it and 0 otherwise, so that a binary 0-1 time sequence with one sample per second is constructed; the Fourier transform formula is used to convert the time domain into the frequency domain, the maximum value X_max in the frequency domain is obtained, and the period is then calculated from it;
then, the calculated time period is taken as the size of the sliding window, and the information entropy value of the network flow in each sliding window is calculated, using a set of characteristics of the packet sequence of the flow in the window as the random variable whose information entropy is computed as in step S4;
finally, the obtained information entropy sequence is plotted as a curve. Abnormal flow in a particular sliding window shows up as a sudden change of the entropy; when the relative difference of a sliding window exceeds the set threshold γ, abnormal Internet of things flow exists in that window, as shown in FIG. 2, and abnormal flow is judged to exist.
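Steps S1 to S5 and the embodiment above, carried out end to end in Python as an added example (this is not the patentee's code). Because the patent's formulas are not reproduced in this page, the example assumes the standard discrete Fourier transform with T = D / k_max for the period, and the Shannon form of the information entropy over packet sizes; the tcpdump capture of step S1 is replaced by constructed packet records (timestamp, destination port, size), and the service port 443, the 10-second heartbeat and the anomaly sizes are all constructed sample values.

```python
"""Added example: periodic-window entropy detector for one IoT service flow.

Implements steps S2-S5 of the patent's procedure on a constructed capture.
Assumptions (the page does not reproduce the patent's formulas): standard DFT
with period T = D / k_max, Shannon entropy over packet sizes. All packet
records, ports and sizes below are constructed sample data.
"""
import cmath
import math
from collections import Counter

SERVICE_PORT = 443  # constructed: the one destination port we analyse (step S2)
HEARTBEAT = 10      # constructed: the device reports to its service every 10 s


def constructed_capture(duration, with_anomaly):
    """Return (timestamp_s, dst_port, size) records covering `duration` seconds."""
    pkts = [(t, SERVICE_PORT, 64) for t in range(0, duration, HEARTBEAT)]
    pkts.append((5, 8080, 40))  # stray packet to another port, dropped in S2
    if with_anomaly:
        # Seconds 80-99: one extra packet per second with varying sizes.
        sizes = [128, 256, 512, 1024, 1500]
        pkts += [(t, SERVICE_PORT, sizes[(t - 80) % 5]) for t in range(80, 100)]
    return sorted(pkts)


def select_service(pkts, dst_port):
    """Step S2: keep only the flow towards one destination port (service)."""
    return [p for p in pkts if p[1] == dst_port]


def binary_series(pkts, duration):
    """Step S3: x_n = 1 if any packet was seen in second n, else 0."""
    seen = {int(t) for t, _, _ in pkts}
    return [1 if n in seen else 0 for n in range(duration)]


def dominant_period(series):
    """Step S3: DFT of x_n, strongest non-DC bin k_max, period T = D / k_max."""
    D = len(series)
    best_k, best_mag = 1, -1.0
    for k in range(1, D // 2 + 1):
        X_k = sum(x * cmath.exp(-2j * math.pi * k * n / D) for n, x in enumerate(series))
        mag = round(abs(X_k), 6)  # rounding keeps harmonic ties deterministic
        if mag > best_mag:        # first (lowest) bin wins a tie: the fundamental
            best_k, best_mag = k, mag
    return D // best_k            # assumption: T = D / k_max seconds


def shannon_entropy(values):
    """H(X) = -sum p(x_i) log2 p(x_i) over the distinct values x_i."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_entropies(pkts, T, duration):
    """Step S4: entropy of the packet-size distribution in each window of T seconds."""
    out = []
    for start in range(0, duration, T):
        sizes = [s for t, _, s in pkts if start <= t < start + T]
        out.append(shannon_entropy(sizes) if sizes else 0.0)
    return out


def detect(entropies, threshold):
    """Step S5: indices of windows whose entropy exceeds the set threshold."""
    return [i for i, h in enumerate(entropies) if h > threshold]


def run(duration=120, threshold=1.0):
    # The period is learned from a clean baseline capture; a burst in the live
    # capture would otherwise dominate the spectrum and distort the window size.
    baseline = select_service(constructed_capture(duration, False), SERVICE_PORT)
    T = dominant_period(binary_series(baseline, duration))
    live = select_service(constructed_capture(duration, True), SERVICE_PORT)
    H = window_entropies(live, T, duration)
    return T, H, detect(H, threshold)


if __name__ == "__main__":
    T, H, flagged = run()
    print(f"period T={T}s, flagged windows={flagged}")
    for i, h in enumerate(H):
        print(f"window {i:2d} [{i * T:3d}-{(i + 1) * T - 1:3d}s] H={h:.3f} bits")
```

With the constructed data the heartbeat-only windows have an entropy of 0 bits (a single packet size), while the two windows covering seconds 80 to 99 jump to about 2.55 bits and are flagged. The embodiment's variant, flagging a window when its relative difference to the previous window exceeds γ, can be built on the same entropy sequence; whichever rule is used, the window size T should come from a known-good baseline, since the step S3 spectrum of a capture that already contains a burst no longer reflects the device's normal period.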
Claims (4)
1. An abnormal traffic detection method for Internet of things equipment, comprising the following steps:
S1, collecting flow data of the Internet of things equipment;
S2, classifying the flow data obtained in step S1 according to the service type and the destination port;
S3, obtaining the periodic data of the network communication flow of the Internet of things equipment, discretizing the flow data of the service, and calculating the time period of the packet sending rate by Fourier transform;
S4, taking the time period obtained in step S3 as the sliding window value, and calculating the information entropy value of the network flow in each sliding window; taking a group of characteristics of the data packet sequence of the flow in the window as a random variable, and calculating the information entropy value of that random variable; the information entropy value H(X) is calculated by the following formula:
In the formula, p(x_i) is the probability that the random event X takes the value x_i; n is the number of distinct values of the random event X; the characteristic selected for calculating the information entropy is the packet (group) size; calculating the information entropy value of each sliding window yields, for the flow captured from each device, a sequence of information entropy values describing the distribution of the time-series data;
S5, according to the information entropy value obtained in step S4, judging the size relation between the information entropy value and a set threshold value within the sliding window, thereby achieving abnormal flow detection of the Internet of things equipment; specifically, if within a sliding window the information entropy exceeds the set threshold, it is determined that abnormal Internet of things flow exists in that sliding window.
2. The abnormal traffic detection method for Internet of things equipment according to claim 1, wherein the collection of flow data of the Internet of things equipment in step S1 is specifically the collection of that flow data through tcpdump.
3. The abnormal traffic detection method for Internet of things equipment according to claim 1 or 2, wherein in step S3, after the flow data of the service is discretized, the time period of the packet sending rate is calculated by Fourier transform; specifically, the flow data of a specific service is discretized into a binary time sequence with one sample value per second, and the time period of the packet sending rate is then calculated by Fourier transform.
4. The abnormal traffic detection method for Internet of things equipment according to claim 3, wherein the time period of the packet sending rate is specifically obtained by converting the time domain into the frequency domain X_k using the following equation:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011423222.6A CN112583808B (en) | 2020-12-08 | 2020-12-08 | Abnormal flow detection method for Internet of things equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011423222.6A CN112583808B (en) | 2020-12-08 | 2020-12-08 | Abnormal flow detection method for Internet of things equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112583808A CN112583808A (en) | 2021-03-30 |
CN112583808B true CN112583808B (en) | 2022-01-07 |
Family
ID=75127707
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011423222.6A Active CN112583808B (en) | 2020-12-08 | 2020-12-08 | Abnormal flow detection method for Internet of things equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112583808B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113765896B (en) * | 2021-08-18 | 2023-06-30 | 广东三水合肥工业大学研究院 | Internet of things realization system and method based on artificial intelligence |
CN113904812B (en) * | 2021-09-18 | 2022-10-21 | 中标慧安信息技术股份有限公司 | Internet of things intrusion detection method based on isolated forest |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103618651A (en) * | 2013-12-11 | 2014-03-05 | 上海电机学院 | Network abnormality detection method and system based on information entropy and sliding window |
CN105357228A (en) * | 2015-12-19 | 2016-02-24 | 中国人民解放军信息工程大学 | Burst traffic detection method based on dynamic threshold |
US9729693B1 (en) * | 2016-06-07 | 2017-08-08 | Huami Inc. | Determining measurement confidence for data collected from sensors of a wearable device |
CN109818793A (en) * | 2019-01-30 | 2019-05-28 | 基本立子(北京)科技发展有限公司 | For the device type identification of Internet of Things and network inbreak detection method |
CN109951491A (en) * | 2019-03-28 | 2019-06-28 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, equipment and storage medium |
CN110275508A (en) * | 2019-05-08 | 2019-09-24 | 西安电子科技大学 | Vehicle-mounted CAN bus network method for detecting abnormality and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10454828B2 (en) * | 2016-12-21 | 2019-10-22 | Cisco Technology, Inc. | Machine learning-derived entropy path graph from in-situ OAM (iOAM) data |
2020
- 2020-12-08 CN CN202011423222.6A patent/CN112583808B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN112583808A (en) | 2021-03-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101686235B (en) | Device and method for analyzing abnormal network flow | |
CN107231384B (en) | DDoS attack detection and defense method and system for 5g network slices | |
Siaterlis et al. | Towards multisensor data fusion for DoS detection | |
US8503302B2 (en) | Method of detecting anomalies in a communication system using numerical packet features | |
CN112583808B (en) | Abnormal flow detection method for Internet of things equipment | |
KR101409563B1 (en) | Method and apparatus for identifying application protocol | |
CN108632224B (en) | APT attack detection method and device | |
CN104618377A (en) | NetFlow based botnet network detection system and detection method | |
CN102271068A (en) | Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack | |
US7903657B2 (en) | Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor | |
CN112788062A (en) | ET-EDR-based LDoS attack detection and mitigation method in SDN | |
Buragohain et al. | Anomaly based DDoS attack detection | |
Ashfaq et al. | A comparative evaluation of anomaly detectors under portscan attacks | |
Bereziński et al. | Entropy-based internet traffic anomaly detection: A case study | |
CN102801719B (en) | Method for detecting botnet based on similarity measurement of host flow power spectrum | |
Siaterlis et al. | One step ahead to multisensor data fusion for DDoS detection | |
US20210194850A1 (en) | Smart network switching systems and related methods | |
KR20110107880A (en) | Ddos detection method using fast information entropy and adaptive moving average window detector | |
CN115474219A (en) | 5G/B5G power communication network flow analysis method based on multi-time-series data mining | |
CN112367292B (en) | Encrypted flow anomaly detection method based on deep dictionary learning | |
Matoušek et al. | Security monitoring of iot communication using flows | |
Siaterlis et al. | A novel approach for a Distributed Denial of Service Detection Engine | |
Martalò et al. | Low-Complexity Classification of Unencrypted IoT Traffic Based on Skewness and Protocol Information | |
Kulandaivel et al. | A novel sensitive DDoS attacks against statistical test in network traffic fusion | |
CN115865401B (en) | APTS-based slow DoS attack real-time mitigation scheme |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||