CN113935438B - Internet of things equipment anomaly detection method, system and device based on equipment roles - Google Patents


Info

Publication number: CN113935438B
Application number: CN202111523646.4A
Authority: CN (China)
Prior art keywords: dns, internet, things, category, target
Legal status: Active (assumed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113935438A
Inventors: 张峰, 王滨, 郭明, 刘松, 赵海涛, 李超豪, 闫琛
Current assignee: Hangzhou Hikvision Digital Technology Co Ltd (listed assignees may be inaccurate)
Original assignee: Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 18/00 Pattern recognition › G06F 18/20 Analysing › G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation › G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 18/00 Pattern recognition › G06F 18/20 Analysing › G06F 18/24 Classification techniques › G06F 18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches


Abstract

The application provides a method, system and device for detecting anomalies in Internet of things devices based on device roles. In this embodiment, detection is based on the behaviour that an Internet of things device initiates, in its device role (DNS request role, which initiates DNS requests; DNS response role, which answers received DNS requests; DNS server, which performs domain name resolution), during DNS resolution within a certain period of time: initiating DNS requests, responding to DNS requests, resolving domain names and so on. A feature vector for the Internet of things device is constructed from that behaviour (as observed in the DNS packets passing through the Internet of things core switch), and the class to which the device belongs is determined from the distance between its feature vector and the central feature vector corresponding to each class label in the trained detection model, without depending on a rule base or rule table.

Description

Internet of things equipment anomaly detection method, system and device based on equipment roles
Technical Field
The application relates to the Internet of things, in particular to a method, a system and a device for detecting abnormality of equipment of the Internet of things based on equipment roles.
Background
At present, Domain Name System (DNS) anomaly analysis is realized by means of a rule base or rule table, for example: a malicious domain name or a suspicious IP address is identified through the rule base or rule table and is then treated as an anomaly. However, in this rule-based approach an anomaly such as an attacked device cannot be found in time because of the delay in configuring the rule base or rule table, and configuring the rule base or rule table increases the workload.
Disclosure of Invention
The embodiment of the application provides a role-based Internet of things device detection method, system and device, so that Internet of things device detection is performed on the basis of the device role and the technical problems of the existing rule-base or rule-table anomaly analysis are avoided.
The embodiment of the application provides an Internet of things device detection method based on device roles, applied to an electronic device, which comprises the following steps:
obtaining the Domain Name System (DNS) messages passing through an Internet of things core switch in a first specified time period, the DNS messages comprising DNS requests and DNS responses;
determining a target feature vector of at least one target Internet of things device from the DNS messages obtained in the first specified time period, the target feature vector including at least: the DNS request number (number of DNS requests initiated by the target Internet of things device), the DNS response number (number of DNS responses sent to the target Internet of things device) and DNS resolution success information, which describes whether the domain names in the DNS requests initiated by the target Internet of things device were successfully resolved;
calculating the distance between the target feature vector of the target Internet of things device and the central feature vector corresponding to each class label in the trained detection model;
determining the target category to which the target Internet of things device belongs according to those distances, where the target category is either the category of one class label in the detection model or an unknown anomaly, and the class labels in the detection model at least comprise: a normal service device label, a DNS server label and an abnormal service device label.
The embodiment of the application also provides a role-based Internet of things device anomaly detection system, which comprises:
an Internet of things core switch and an electronic device for executing the method;
the electronic device is deployed as a bypass of the Internet of things core switch or is independent of the Internet of things core switch.
The embodiment of the application also provides the electronic equipment. The electronic device includes: a processor and a machine-readable storage medium;
the machine-readable storage medium stores machine-executable instructions executable by the processor;
the processor is configured to execute machine-executable instructions to implement the steps of the above-disclosed method.
As can be seen from the above technical solutions, in this embodiment the feature vector of an Internet of things device is constructed from the behaviour it initiates, in its device role (DNS request role, which initiates DNS requests; DNS response role, which responds to received DNS requests; DNS server, which performs domain name resolution), during DNS resolution within a certain period of time, namely initiating DNS requests, responding to DNS requests, resolving domain names and so on, as observed in the DNS packets passing through the Internet of things core switch. The class to which the device belongs is then determined from the distance between this feature vector and the central feature vector corresponding to each class label in the trained detection model, so that device-role-based detection is achieved without depending on a rule base or rule table.
Further, in this embodiment, device detection relies only on the device role that the Internet of things device takes in DNS resolution within a certain time period (the DNS request role, the DNS response role or the DNS server, as reflected in the DNS packets that pass through the Internet of things core switch). It no longer relies on basic information of the device such as process, memory or network information, and therefore causes no influence on or interference with the Internet of things device.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart of a method provided by an embodiment of the present application;
FIG. 2 is a flow chart of training a detection model according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of determining category labels in step 203 provided by an embodiment of the present application;
FIG. 4 is a flowchart of an implementation of step 104 provided by an embodiment of the present application;
FIG. 5 is a system configuration diagram provided in an embodiment of the present application;
FIG. 6 is a block diagram of an apparatus according to an embodiment of the present disclosure;
FIG. 7 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects such as the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In Internet of things applications, domain name resolution has the following characteristics: a resolution request is initiated through a DNS request, and the DNS server's resolution result is received through a DNS response. Normally every DNS request has a DNS response. Accordingly, domain name resolution may involve three device roles: the DNS request role (initiating DNS requests), the DNS response role (responding to received DNS requests) and the DNS server (performing domain name resolution). Under normal circumstances the DNS server takes the DNS response role, but under some attacks the DNS server often no longer behaves according to the DNS response role.
In a specific application, the three device roles involved in domain name resolution have the following characteristics:
the DNS server receives a large number of DNS requests and sends a large number of DNS responses, but usually does not initiate DNS requests itself;
for the DNS request role, if the service device (so called in contrast with the DNS server; a service device is a device running an Internet of things related service, such as a terminal or a server) in the DNS request role is normal, the number of DNS requests it initiates is small and, accordingly, the number of DNS responses it receives is small; if a service device in the DNS request role is abnormal, for example because it has been attacked, the number of DNS requests it initiates is large, the number of DNS responses it receives is large, or none of the DNS requests it initiates obtains a normal response. Optionally, in this embodiment the service device may be a security device such as an Internet Protocol Camera (IPC), a Digital Video Recorder (DVR) or a Network Video Recorder (NVR); this embodiment is not particularly limited in this respect.
Based on the characteristics of the domain name resolution and the characteristics of the role of the Internet of things equipment involved in the domain name resolution process, the application provides the method for detecting the abnormality of the Internet of things equipment based on the role of the equipment. In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart of a method provided in an embodiment of the present application. In one example, the method may be applied to an electronic device.
Optionally, as an embodiment, the electronic device may be deployed on an internet of things core switch (specifically, as one of logic modules of the internet of things core switch). Or, as another embodiment, the electronic device may also be independent of the core switch of the internet of things, for example, a bypass disposed in the core switch of the internet of things, and the embodiment is not particularly limited.
As shown in fig. 1, the process may include the following steps:
step 101, obtaining a DNS message passing through an internet of things core switch within a first specified time period.
In this embodiment, the first designated time period may be set according to actual requirements, for example, the first designated time period may be a past time period, such as a last week, a last day, and the like, and may further be a future time period, such as a day, a week, and the like, which is not particularly limited in this embodiment.
Optionally, as an embodiment, when the electronic device is deployed on the Internet of things core switch, once a DNS packet reaches the core switch, the core switch copies the DNS packet and passes the copy to the electronic device without affecting the forwarding of the original packet. The electronic device thereby obtains the DNS message.
Optionally, as another embodiment, when the electronic device is independent of the core switch of the internet of things, once the DNS packet reaches the core switch of the internet of things, the core switch of the internet of things copies the DNS packet in a mirror image manner and forwards the DNS packet to the electronic device on the premise that forwarding of the DNS packet is not affected. That is, the electronic device finally obtains the DNS message.
In this embodiment, the DNS message includes a DNS request and a DNS response. Here, the DNS request and the DNS response are a request message and a response message defined by the DNS protocol, respectively.
Step 102, determining a target feature vector of at least one target Internet of things device from the DNS messages obtained in the first specified time period.
In this embodiment, after obtaining the DNS message, the electronic device may identify whether the DNS message is a DNS request or a DNS response. Based on the DNS protocol, when a message is a DNS request, the message carries a request identifier for indicating the DNS request. Similarly, when a message is a DNS response, the message carries a response identifier indicating the DNS response. Based on this, if the DNS message carries the request identifier, it is determined that the DNS message is a DNS request, and if the DNS message carries the response identifier, it is determined that the DNS message is a DNS response.
As an embodiment, within the first specified time period, when an obtained DNS message is a DNS request, the DNS request number of the Internet of things device at the source IP address of the request is increased by a set value, and the DNS response number of the Internet of things device at the destination IP address of the request is increased by a set value; both devices are thereby marked as target Internet of things devices of the first specified time period.
Similarly, when an obtained DNS message is a DNS response, the DNS response number of the device at the source IP address of the response is increased by a set value, the DNS request number of the device at the destination IP address of the response is increased by a set value, and the DNS resolution result carried in the response is examined: when it contains an identifier indicating that DNS resolution succeeded, the DNS resolution success number of the device at the destination IP address of the response is also increased by a set value. Each device involved is likewise marked as a target Internet of things device of the first specified time period.
Optionally, the set value here may be set according to an actual situation, for example, the value is 1, and the present embodiment is not particularly limited.
It should be noted that, in this embodiment, for any one of the target internet of things devices, before a DNS request is first initiated or a DNS response is first received within the first specified time period, the DNS request number, the DNS response number, and the DNS resolution success number of the target internet of things device are preset values, such as 0 or other values, and this embodiment is not particularly limited.
Then, after the first specified time period ends, for each target Internet of things device the DNS resolution success information is determined from its DNS resolution success number, and the DNS resolution success information, the DNS request number and the DNS response number of the target device are taken together as its target feature vector. This completes the determination of the target feature vector of each target Internet of things device in the first specified time period in step 102.
In one example, the DNS resolution success information of the target Internet of things device may be a DNS resolution success ratio, specifically the DNS resolution success number of the device divided by its DNS request number.
Step 103, calculating the distance between the target feature vector of the target Internet of things device and the central feature vector corresponding to each class label in the trained detection model.
Optionally, in this embodiment, before executing step 103, a normalization process may be performed on the target feature vectors of each target internet of things device, so as to ensure that the difference between values at the same position in each target feature vector is relatively small (for example, within the same preset range), and eliminate an influence on a subsequent determination category caused by the relatively large difference between values at the same position in each target feature vector.
In this embodiment, the trained detection model supports at least one class label, which has a corresponding central feature vector for each class label. The central feature vector corresponding to the category label will be described below, and will not be described here.
Step 104, determining the target category of the target Internet of things device according to the distance between its target feature vector and the central feature vector corresponding to each class label in the detection model.
Optionally, in this embodiment, the target category is either the category corresponding to a class label in the detection model (i.e. a class label supported by the detection model) or an unknown anomaly.
As an embodiment, the class labels of the detection model (i.e. the class labels supported by the detection model) at least comprise: a normal service device label, a DNS server label and an abnormal service device label. The class labels of the detection model are described in detail below and are not repeated here for brevity.
Finally, through the steps 101 to 104, the feature vectors of the internet of things devices are determined based on the roles of the internet of things devices (the DNS request role, the DNS response role, the DNS server) to determine the class of the internet of things devices, and the detection based on the roles of the internet of things devices (the DNS request role, the DNS response role, the DNS server) is realized.
Thus, the flow shown in fig. 1 is completed.
As the flow in FIG. 1 shows, this embodiment constructs the feature vector of an Internet of things device from the behaviour it initiates in its device role (DNS request role, DNS response role or DNS server) during DNS resolution within a certain period of time, as observed in the DNS packets passing through the Internet of things core switch, and determines the class of the device from the distance between that feature vector and the central feature vector corresponding to each class label in the trained detection model. Detection based on the device role is thus achieved without depending on a rule base or rule table.
Further, the detection relies only on the device role in DNS resolution within that time period and not on basic information of the Internet of things device such as process, memory or network information, so it neither influences nor interferes with the Internet of things device.
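To make steps 101 to 104 concrete, here is an added Python example that is not code from the patent: it builds the (DNS request number, DNS response number, DNS resolution success ratio) vector per IP address from a constructed batch of mirrored DNS messages using the counting rule of step 102, then assigns each device to the nearest central feature vector or to "unknown anomaly". The sample addresses, the centroid values, the Euclidean distance and the distance threshold are assumptions: the page gives neither trained centroid values nor the unknown-anomaly rule of step 104 (FIG. 4 is not on this page), and the optional normalization of step 103 is left out, so the centroids here are in raw counting units.

```python
"""Device-role feature vectors from DNS messages (steps 101-102) and
nearest-centroid classification (steps 103-104). Added example, not patent code."""
import math
from collections import defaultdict


def _exchange(client, server, rcode):
    """One request from client plus the server's answer carrying the given rcode."""
    return [("request", client, server, None), ("response", server, client, rcode)]


# Constructed DNS messages as they would be mirrored from the core switch (not real
# traffic). Each entry is (kind, src_ip, dst_ip, rcode); rcode is the DNS response
# code of a response (0 = NOERROR, 3 = NXDOMAIN) and None for a request.
SAMPLE_MESSAGES = (
    _exchange("10.0.0.11", "10.0.0.53", 0) * 3            # camera: 3 answered lookups
    + _exchange("10.0.0.12", "10.0.0.53", 3) * 8          # camera: 8 lookups, all NXDOMAIN
    + [("request", "10.0.0.99", "10.0.0.54", None)] * 40  # 40 requests never answered
)

# Assumed centroids (raw units) and distance threshold; the patent obtains centroids by
# training and leaves the unknown-anomaly decision to step 104.
CENTROIDS = {
    "normal service device": (4.0, 0.0, 0.5),
    "DNS server": (0.0, 20.0, 0.0),
    "abnormal service device": (14.0, 0.0, 0.05),
}
UNKNOWN_THRESHOLD = 6.0


def build_feature_vectors(messages, step=1):
    """Count per IP exactly as step 102 describes: a request raises the source's request
    number and the destination's response number; a response raises the source's response
    number and the destination's request number, plus the destination's success number
    when the rcode signals success. Returns ip -> (requests, responses, success_ratio)."""
    counts = defaultdict(lambda: [0, 0, 0])  # [request number, response number, successes]
    for kind, src, dst, rcode in messages:
        if kind == "request":
            counts[src][0] += step
            counts[dst][1] += step
        elif kind == "response":
            counts[src][1] += step
            counts[dst][0] += step
            if rcode == 0:
                counts[dst][2] += step
    vectors = {}
    for ip, (req, resp, ok) in counts.items():
        ratio = ok / req if req else 0.0  # DNS resolution success ratio (successes / requests)
        vectors[ip] = (req, resp, ratio)
    return vectors


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(vector, centroids, threshold):
    """Nearest centroid wins; a device farther than the threshold from every centroid is
    reported as an unknown anomaly instead of being forced into a known class."""
    label, dist = min(((lbl, euclidean(vector, c)) for lbl, c in centroids.items()),
                      key=lambda pair: pair[1])
    return (label, dist) if dist <= threshold else ("unknown anomaly", dist)


def detect(messages, centroids=CENTROIDS, threshold=UNKNOWN_THRESHOLD):
    """Run the whole flow of FIG. 1 over one observation window: ip -> class."""
    return {ip: classify(vec, centroids, threshold)[0]
            for ip, vec in build_feature_vectors(messages).items()}


if __name__ == "__main__":
    vectors = build_feature_vectors(SAMPLE_MESSAGES)
    for ip, label in detect(SAMPLE_MESSAGES).items():
        print(f"{ip:<10} features={vectors[ip]} -> {label}")
```

Note that the step 102 counting rule credits a requester once for its request and once more for the answer it receives, so a device with three answered lookups ends up with a request number of 6 and a success ratio of 0.5; the assumed centroids are chosen in those same units. The host at 10.0.0.54, which silently absorbs 40 requests, lands far from every centroid and is reported as an unknown anomaly rather than as a DNS server.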
The training of the detection model is described below with reference to fig. 2:
referring to fig. 2, fig. 2 is a flowchart of training a detection model according to an embodiment of the present disclosure. As shown in fig. 2, the process may include the following steps:
step 201, determining a sample feature vector of the sample internet of things device based on the DNS message passing through the core switch of the internet of things in the second specified time period.
Here, the second specified time period differs from the first specified time period described above and may be a time period that has already elapsed before the first specified time period.
Similar to the step 102, in this embodiment, when the DNS message passing through the core switch of the internet of things in the second specified time period is a DNS request, a set value is added to the DNS request number of the internet of things device (denoted as a sample internet of things device for detecting model training in the second specified time period) corresponding to the source IP address in the DNS request, and a set value is added to the DNS response number of the internet of things device (denoted as a sample internet of things device for detecting model training in the second specified time period) corresponding to the destination IP address in the DNS request.
Similarly, when a DNS message passing through the Internet of things core switch in the second specified time period is a DNS response, a set value is added to the DNS response number of the Internet of things device (marked as a sample Internet of things device for detection model training in the second specified time period) corresponding to the source IP address in the DNS response, a set value is added to the DNS request number of the Internet of things device (likewise marked as a sample device) corresponding to the destination IP address in the DNS response, and the DNS resolution result carried by the DNS response is examined; when the result indicates that DNS resolution succeeded, a set value is also added to the DNS resolution success number of the Internet of things device corresponding to the destination IP address in the DNS response.
As described above, the setting value here may be set according to actual requirements, such as set to 1 or other values, and the present embodiment is not particularly limited.
When the second specified time period ends, the DNS resolution success information of each sample Internet of things device is determined from its DNS resolution success number. In one example, this may be a DNS resolution success ratio, namely the DNS resolution success number of the sample device divided by its DNS request number.
Then, as an embodiment, the DNS resolution success information, the DNS request number and the DNS response number of the sample Internet of things device may be taken as its sample feature vector. That is, the sample feature vector at least includes: the DNS request number (number of DNS requests initiated by the sample Internet of things device), the DNS response number (number of DNS responses sent to the sample Internet of things device) and the DNS resolution success information.
Step 202, classifying each sample internet of things device according to the sample feature vector of each sample internet of things device.
Optionally, in this embodiment, before classifying each sample internet of things device, a normalization process may be performed on the sample feature vector of each sample internet of things device to ensure that a difference between values at the same position in each sample feature vector is relatively small (for example, within the same preset range), and eliminate an influence on subsequent clustering caused by a relatively large difference between values at the same position in each sample feature vector.
Optionally, in this embodiment the classification in step 202 may be performed with the K-means algorithm, a typical non-hierarchical clustering algorithm that uses the distance between the sample feature vectors of the sample Internet of things devices as the classification criterion.
Finally, through step 202, the sample internet of things devices can be classified, and each sample internet of things device only belongs to one category.
Step 203, determining a class label corresponding to each class, and training according to each class label and a central feature vector corresponding to the class label to obtain the detection model, wherein the central feature vector corresponding to the class label is determined based on the sample feature vector of each sample internet of things device in the class corresponding to the class label.
In this embodiment, the class label determined to correspond to each class in step 203 may be determined according to a DNS attack characteristic, and an implementation manner of determining the class label corresponding to each class is described below by way of example in fig. 3, which is not described herein for the sake of brevity.
In this embodiment, the central feature vector corresponding to the category label is determined based on the sample feature vector of each sample internet of things device in the category corresponding to the category label, for example, for each category, a sample feature vector at the center may be determined from the sample feature vectors of each sample internet of things device in the category, and the sample feature vector at the center is determined as the central feature vector corresponding to the category (that is, the category label corresponding to the category). The central feature vector corresponding to the category label is described herein by way of example only and is not intended to be limiting.
Finally, the training of the detection model is realized through the process shown in fig. 2. Finally, the trained detection model has the above-mentioned each class label and the central feature vector corresponding to each class label.
The following describes, by way of example, the category label determined to correspond to each category in step 203:
referring to fig. 3, fig. 3 is a flowchart of determining a category label in step 203 provided in this embodiment of the present application. As shown in fig. 3, the process may include the following steps:
step 301, for each category, determining category label analysis parameters corresponding to the category according to the sample feature vectors of the sample internet of things devices in the category, where the category label analysis parameters at least include: the total number of DNS messages; the total number of the DNS messages is determined according to the DNS request number and the DNS response number of each sample Internet of things device in the category.
Optionally, the total number of DNS messages may be a sum of the DNS request number and the DNS response number of each sample internet of things device in the category.
Step 302, selecting a first category with the largest value of the total number of DNS messages from all categories, determining that a category label corresponding to the first category is a DNS server category label, and determining, for each category other than the first category, a category label corresponding to the category according to the DNS request number, DNS response number, and DNS resolution success information of the sample internet of things device in the category.
In DNS resolution, the DNS server receives the most DNS requests and initiates the most DNS responses, so the category label corresponding to the category with the largest total number of DNS messages is the DNS server category label. For the other categories, the category label corresponding to each category needs to be determined according to the DNS request number, DNS response number, and DNS resolution success information of the sample internet of things devices in that category.
Optionally, in this embodiment, the determining, according to the DNS request number, the DNS response number, and the DNS resolution success information of the sample internet of things device in the category, the category label corresponding to the category includes:
step a1, for each category except the first category, determining the average number of DNS requests, the average number of DNS responses, and the average percentage of DNS resolution success corresponding to the category.
Here, the DNS request average number is determined according to the DNS request number of each sample internet of things device in the category and the total number of devices of the sample internet of things devices in the category, for example, a result obtained by dividing the sum of the DNS request numbers of each sample internet of things device in the category by the total number of devices of the sample internet of things devices in the category.
The DNS response average is determined according to the DNS response number of each sample internet of things device in the category and the total number of devices of the sample internet of things devices in the category, for example, the DNS response average may be a result obtained by dividing the sum of the DNS response numbers of each sample internet of things device in the category by the total number of devices of the sample internet of things devices in the category.
The DNS resolution success average ratio is determined according to the DNS resolution success information of each sample internet of things device in the category and the total number of sample internet of things devices in the category. Taking as an example the case where the DNS resolution success information of each sample internet of things device includes the DNS resolution success ratio of that device, the DNS resolution success average ratio may be the result of dividing the sum of the DNS resolution success ratios of the sample internet of things devices in the category by the total number of sample internet of things devices in the category.
Step a2, determining the category label corresponding to the category according to the DNS request average number, DNS response average number, and DNS resolution success average ratio corresponding to the category.
For example, for each category except the first category, a ratio between the average number of DNS requests and the average number of DNS responses corresponding to the category is calculated;
if the ratio is smaller than a first set threshold, determining that the class label corresponding to the class is a first abnormal service equipment class label, wherein the first abnormal service equipment class label is used for indicating a DNS reflection attack;
if the ratio is greater than a second set threshold, determining that the class label corresponding to the class is a second abnormal service equipment class label, wherein the second abnormal service equipment class label is used for indicating a DNS flooding attack;
if the DNS resolution success average ratio is smaller than a third set threshold, determining that the category label corresponding to the category is a third abnormal service equipment category label, wherein the third abnormal service equipment category label is used for indicating a malicious program;
and if the ratio is between the first set threshold and the second set threshold and the DNS resolution success average ratio is greater than the third set threshold, determining that the class label corresponding to the class is the normal service equipment class label.
In this embodiment, the first set threshold, the second set threshold, and the third set threshold may be set according to actual requirements, but the second set threshold must be greater than the first set threshold; the third set threshold is not constrained in this way and may be equal to either the first set threshold or the second set threshold. For example, the first set threshold is 0.1, the second set threshold is 10, and the third set threshold is 0.1.
In this way, the category label corresponding to each category is determined.
How to determine the target class to which the target internet of things device belongs according to the distance between the target feature vector of each target internet of things device and the center feature vector corresponding to each class label in the detection model in the step 104 is described as follows:
Referring to fig. 4, fig. 4 is a flowchart of step 104 implemented by an embodiment of the present application. As shown in fig. 4, the process may include:
Step 401, for each target internet of things device, if the distances between the target feature vector of the target internet of things device and the center feature vectors corresponding to all class labels in the detection model are greater than the maximum distance MAX, determining that the target class to which the target internet of things device belongs is unknown anomaly; otherwise, executing step 402.
In this embodiment, the detection model further has the following parameter: a sample distance corresponding to each class label. Optionally, the sample distance corresponding to each class label may be determined as follows: for each class label, obtaining the sample feature vector of each sample internet of things device in the class corresponding to the class label, calculating the distance between each obtained sample feature vector and the central feature vector corresponding to the class label, and selecting the maximum of the calculated distances as the sample distance corresponding to the class label.
In this regard, in this embodiment, the maximum distance MAX is a maximum value among sample distances corresponding to the respective class labels in the detection model. That is, the maximum distance MAX is a distance with a maximum value selected from the sample distances corresponding to the category labels.
The above-described manner of determining the maximum distance MAX is merely an example, and is not intended to be limiting.
If the distances between the target feature vector of the target internet of things device and the center feature vectors corresponding to all class labels in the detection model are greater than the maximum distance MAX, this indicates that the target class to which the target internet of things device belongs is not any class corresponding to a class label in the detection model, and the target class of the target internet of things device may be determined as unknown anomaly for the time being.
If the distances between the target feature vector of the target internet of things device and the center feature vectors corresponding to the class labels in the detection model are not all greater than the maximum distance MAX, this indicates that the target class to which the target internet of things device belongs is one of the classes corresponding to the class labels in the detection model; which class it is needs to be determined further in the following step 402.
Step 402, determining a target class label from the class labels of the detection model, wherein the distance between the central feature vector corresponding to the target class label and the target feature vector of the target internet of things equipment meets a specified distance condition, and determining the target class to which the target internet of things equipment belongs as the target class label.
Optionally, in this embodiment, the specified distance condition may be that the distance is the minimum, that is, the distance between the center feature vector corresponding to the finally selected target category label and the target feature vector of the target internet of things device is smaller than the distance between the center feature vector corresponding to any other category label in the detection model and the target feature vector of the target internet of things device.
Finally, how to determine the target class to which the target internet of things device belongs according to the distance between the target feature vector of each target internet of things device and the center feature vector corresponding to each class of label in the detection model is described by way of example in fig. 4.
Optionally, in this embodiment, after the target class to which the target internet of things device belongs is determined, when the target class is a class corresponding to the abnormal service device class label, exception processing may be further performed, for example, when the target class to which the target internet of things device belongs is determined to be a class corresponding to a first abnormal device class label used for indicating DNS reflection attack, the DNS response times for each target internet of things device in the class are limited on the domain name DNS server, for example, the DNS server is limited to respond only 10 times per minute for the target internet of things device in the class.
For another example, when the target class to which the target internet of things device belongs is determined to be the class corresponding to the second abnormal device class label used for indicating a DNS flooding attack, a basic configuration check and/or security scanning is performed on each target internet of things device in the class; for example, a basic configuration check is performed first on each target internet of things device in the class to prevent DNS flooding caused by a basic configuration error, and then security scanning is performed on each target internet of things device in the class so that possible virus files are detected and removed.
For another example, when it is determined that the target category to which the target internet-of-things device belongs is a category corresponding to a third abnormal device category tag used for indicating a malicious program, the configured security device, such as a firewall, is linked to perform security reinforcement on each target internet-of-things device in the category, for example, the security device, such as the firewall, is linked to perform security check and virus killing reinforcement on each target internet-of-things device in the category.
In addition, in this embodiment, since the environment in the network may change, the detection model needs to be further updated to cope with the change.
Optionally, in this embodiment, when a model update event is detected, the detection model may be retrained and updated.
As an embodiment, the model update event here includes at least: the model update time arriving, or the target class of a target internet of things device being detected as unknown anomaly.
So far, the description of the method provided by the embodiment of the present application is completed. The following describes a system and an apparatus provided in an embodiment of the present application:
Referring to fig. 5, fig. 5 is a system structure diagram provided in the embodiment of the present application. As shown in fig. 5, the system includes an internet of things core switch and an electronic device.
Optionally, the electronic device is deployed as a bypass of the internet of things core switch or independently of the internet of things core switch. In this embodiment, the electronic device is configured to execute the flow shown in fig. 1.
The following describes the software structure of the electronic device:
referring to fig. 6, fig. 6 is a structural diagram of an apparatus according to an embodiment of the present disclosure. The apparatus corresponds to the process shown in fig. 1, and may include:
the device comprises an obtaining unit, a processing unit and a sending unit, wherein the obtaining unit is used for obtaining a domain name system DNS message passing through a core switch of the Internet of things in a first specified time period; the DNS message comprises a DNS request and a DNS response;
the determining unit is used for determining a target feature vector of at least one target internet of things device according to the DNS messages obtained in the first specified time period; the target feature vector includes at least: the DNS request number of DNS requests initiated by the target internet of things device, the DNS response number of DNS responses sent to the target internet of things device, and DNS resolution success information; the DNS resolution success information refers to information that a domain name in a DNS request initiated by the target internet of things device is successfully resolved;
the calculation unit is used for calculating the distance between the target characteristic vector of each target Internet of things device and the central characteristic vector corresponding to each class of label in the trained detection model respectively aiming at each target Internet of things device;
a processing unit, configured to determine a target class to which the target internet of things device belongs according to a distance between a target feature vector of each target internet of things device and a center feature vector corresponding to each class of tag in the detection model, where the target class is a class corresponding to one class tag in the detection model or is an unknown anomaly, and the class tag in the detection model at least includes: normal business equipment category labels, DNS server category labels and abnormal business equipment category labels.
Optionally, the determining, by the determining unit, according to the obtained DNS packet in the first specified time period, determining the internet of things device feature vector corresponding to at least one internet of things device includes:
when the DNS message is a DNS request, increasing the DNS request number of the target internet of things device corresponding to the source IP address in the DNS request by a set value, and increasing the DNS response number of the target internet of things device corresponding to the destination IP address in the DNS request by a set value;
when the DNS message is a DNS response, increasing the DNS response number of the target internet of things device corresponding to the source IP address in the DNS response by a set value, increasing the DNS request number of the target internet of things device corresponding to the destination IP address in the DNS response by a set value, identifying the DNS resolution result carried in the DNS response, and increasing the DNS resolution success number of the target internet of things device corresponding to the destination IP address in the DNS response by a set value when the DNS resolution result contains an identifier indicating that the DNS resolution succeeded;
and when the first specified time period ends, determining the DNS resolution success information of each target internet of things device according to the DNS resolution success number of that device, and determining the DNS request number, the DNS response number and the DNS resolution success information of the target internet of things device as the feature vector of the target internet of things device.
Optionally, the detection model is trained by:
determining a sample feature vector of a sample internet of things device based on the DNS messages passing through the internet of things core switch in a second specified time period, wherein the sample feature vector at least comprises: the DNS request number of DNS requests initiated by the sample internet of things device, the DNS response number of DNS responses sent to the sample internet of things device, and DNS resolution success information; the DNS resolution success information refers to information that a domain name in a DNS request initiated by the sample internet of things device is successfully resolved; the second specified time period is different from the first specified time period;
classifying the sample Internet of things equipment according to the sample feature vectors of the sample Internet of things equipment;
determining a class label corresponding to each class, and training according to each class label and a central feature vector corresponding to the class label to obtain the detection model, wherein the central feature vector corresponding to the class label is determined based on the sample feature vector of each sample Internet of things device in the class corresponding to the class label.
Wherein the determining a sample feature vector of a sample internet of things device based on the DNS packet via the core switch of the internet of things within a second specified time period comprises:
when a DNS message passing through the internet of things core switch in the second specified time period is a DNS request, increasing the DNS request number of the sample internet of things device corresponding to the source IP address in the DNS request by a set value, and increasing the DNS response number of the sample internet of things device corresponding to the destination IP address in the DNS request by a set value;
when a DNS message passing through the internet of things core switch in the second specified time period is a DNS response, increasing the DNS response number of the sample internet of things device corresponding to the source IP address in the DNS response by a set value, increasing the DNS request number of the sample internet of things device corresponding to the destination IP address in the DNS response by a set value, identifying the DNS resolution result carried by the DNS response, and increasing the DNS resolution success number of the sample internet of things device corresponding to the destination IP address in the DNS response by a set value when the DNS resolution result contains a DNS resolution success identifier;
and when the second specified time period ends, for each sample internet of things device, determining the DNS resolution success information of the sample internet of things device according to its DNS resolution success number, and determining the DNS resolution success information, the DNS request number and the DNS response number of the sample internet of things device as the sample feature vector of the sample internet of things device.
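The following is an added worked example, not code from the patent or its assignee, of the per-device counting rules just listed; the same rules are given earlier for the target feature vectors of the first specified time period, so one example serves both. It assumes the set value is 1, that a DNS response carries the resolution-success identifier when its response code (rcode) is 0, and that the DNS resolution success information is expressed as the ratio of the DNS resolution success number to the DNS request number; the message records, IP addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SET_VALUE = 1  # the "set value" added to each counter; assumed to be 1


@dataclass(frozen=True)
class DnsMessage:
    """Minimal view of a DNS message seen at the core switch (constructed for this example)."""
    src_ip: str
    dst_ip: str
    is_response: bool
    rcode: int = 0  # response code; 0 (NOERROR) is treated as the "resolution success" identifier


@dataclass
class Counters:
    requests: int = 0   # DNS request number
    responses: int = 0  # DNS response number
    successes: int = 0  # DNS resolution success number


def build_feature_vectors(messages):
    """Apply the counting rules of the description to every message of the specified time
    period and return {device IP: (DNS request number, DNS response number,
    DNS resolution success ratio)}."""
    counters = defaultdict(Counters)
    for m in messages:
        if not m.is_response:
            # DNS request: the source's request number and the destination's response number go up
            counters[m.src_ip].requests += SET_VALUE
            counters[m.dst_ip].responses += SET_VALUE
        else:
            # DNS response: the source's response number and the destination's request number go up,
            # plus the destination's success number when the response reports success
            counters[m.src_ip].responses += SET_VALUE
            counters[m.dst_ip].requests += SET_VALUE
            if m.rcode == 0:
                counters[m.dst_ip].successes += SET_VALUE
    vectors = {}
    for ip, c in counters.items():
        # Resolution success information expressed as a ratio (assumption: successes / requests)
        success_ratio = c.successes / c.requests if c.requests else 0.0
        vectors[ip] = (c.requests, c.responses, success_ratio)
    return vectors


# Constructed traffic: client 10.0.0.2 resolves two names (the second is NXDOMAIN, rcode 3),
# client 10.0.0.3 sends one query that is never answered; 10.0.0.53 is the resolver.
SAMPLE_MESSAGES = [
    DnsMessage("10.0.0.2", "10.0.0.53", False),
    DnsMessage("10.0.0.53", "10.0.0.2", True, rcode=0),
    DnsMessage("10.0.0.2", "10.0.0.53", False),
    DnsMessage("10.0.0.53", "10.0.0.2", True, rcode=3),
    DnsMessage("10.0.0.3", "10.0.0.53", False),
]

if __name__ == "__main__":
    for ip, vec in build_feature_vectors(SAMPLE_MESSAGES).items():
        print(ip, vec)
```

Note that these rules credit a requester's DNS request number once when its request passes the switch and again when the response to it passes, so under the success-ratio assumption above a device whose every query succeeds scores 0.5 rather than 1.0; the third set threshold applied later must be chosen against whichever definition of the success information is actually used.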
Wherein the determining the category label corresponding to each category comprises:
for each category, determining category label analysis parameters corresponding to the category according to the sample feature vectors of the sample internet of things devices in the category, wherein the category label analysis parameters at least comprise: the total number of DNS messages; the total number of the DNS messages is determined according to the DNS request number and the DNS response number of each sample Internet of things device in the category;
selecting a first category with the largest total number of DNS messages from all categories, determining that the category label corresponding to the first category is the DNS server category label, and determining, for each category other than the first category, the category label corresponding to the category according to the DNS request number, the DNS response number and the DNS resolution success information of the sample internet of things devices in the category.
Determining the category label corresponding to the category according to the DNS request number, the DNS response number and the DNS resolution success information of the sample internet of things devices in the category includes the following steps:
for each category other than the first category,
determining the DNS request average number, the DNS response average number and the DNS resolution success average ratio corresponding to the category; the DNS request average number is determined according to the DNS request number of each sample internet of things device in the category and the total number of sample internet of things devices in the category, the DNS response average number is determined according to the DNS response number of each sample internet of things device in the category and the total number of sample internet of things devices in the category, and the DNS resolution success average ratio is determined according to the DNS resolution success information of each sample internet of things device in the category and the total number of sample internet of things devices in the category;
and determining the category label corresponding to the category according to the DNS request average number, the DNS response average number and the DNS resolution success average ratio corresponding to the category.
Optionally, the determining the category label corresponding to the category according to the DNS request average number, the DNS response average number, and the DNS resolution success average ratio corresponding to the category includes:
for each category other than the first category,
calculating the ratio of the DNS request average number corresponding to the category to the DNS response average number;
if the ratio is smaller than a first set threshold, determining that the class label corresponding to the class is a first abnormal service equipment class label, wherein the first abnormal service equipment class label is used for indicating DNS reflection attack;
if the ratio is larger than a second set threshold, determining that the class label corresponding to the class is a second abnormal service equipment class label, wherein the second abnormal service equipment class label is used for indicating DNS flooding attack; wherein the second set threshold is greater than the first set threshold;
if the DNS resolution success average ratio is smaller than a third set threshold, determining that the category label corresponding to the category is a third abnormal service equipment category label, wherein the third abnormal service equipment category label is used for indicating a malicious program;
and if the ratio is between the first set threshold and the second set threshold and the DNS resolution success average ratio is greater than the third set threshold, determining that the class label corresponding to the class is a normal service equipment class label.
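As an added example (not the patent's own code), the category labelling rules just listed, which are the same rules given earlier for step 302 and steps a1 and a2, applied to constructed sample feature vectors of the form (DNS request number, DNS response number, DNS resolution success ratio). The thresholds default to the example values 0.1, 10 and 0.1 given in the description; the function name, the label strings and the handling of a category whose average response number is zero are assumptions.

```python
from statistics import mean

# Assumed label strings for the category labels named in the description.
DNS_SERVER_LABEL = "DNS server"
REFLECTION_LABEL = "abnormal service device (DNS reflection attack)"
FLOODING_LABEL = "abnormal service device (DNS flooding attack)"
MALWARE_LABEL = "abnormal service device (malicious program)"
NORMAL_LABEL = "normal service device"


def label_categories(categories, first_threshold=0.1, second_threshold=10.0, third_threshold=0.1):
    """categories: dict category name -> list of sample feature vectors
    (DNS request number, DNS response number, DNS resolution success ratio).
    Returns dict category name -> category label."""
    if second_threshold <= first_threshold:
        raise ValueError("the second set threshold must be greater than the first set threshold")

    # Step 301: category label analysis parameter = total number of DNS messages per category.
    totals = {name: sum(req + resp for req, resp, _ in vectors)
              for name, vectors in categories.items()}
    # Step 302: the category with the largest total is the DNS server category.
    first_category = max(totals, key=totals.get)
    labels = {first_category: DNS_SERVER_LABEL}

    for name, vectors in categories.items():
        if name == first_category:
            continue
        # Step a1: per-category averages.
        avg_requests = mean(v[0] for v in vectors)
        avg_responses = mean(v[1] for v in vectors)
        avg_success = mean(v[2] for v in vectors)
        # Step a2: ratio of average requests to average responses. A category that never
        # responds is treated as an infinite ratio (assumption; the description leaves it open).
        ratio = avg_requests / avg_responses if avg_responses else float("inf")
        # The rules are applied in the order the description lists them, so a category with
        # a very low ratio takes the reflection label even if its success ratio is also low.
        if ratio < first_threshold:
            labels[name] = REFLECTION_LABEL
        elif ratio > second_threshold:
            labels[name] = FLOODING_LABEL
        elif avg_success < third_threshold:
            labels[name] = MALWARE_LABEL
        else:
            labels[name] = NORMAL_LABEL
    return labels


# Constructed categories, as the clustering step of fig. 2 might produce them.
SAMPLE_CATEGORIES = {
    "c0": [(0, 5000, 0.0)],                        # the resolver: by far the most messages
    "c1": [(20, 20, 0.95), (30, 25, 0.90)],        # ordinary clients
    "c2": [(2, 100, 0.5), (4, 200, 0.5)],          # far more responses than requests
    "c3": [(500, 10, 0.3), (700, 20, 0.2)],        # far more requests than responses
    "c4": [(30, 30, 0.02), (40, 30, 0.05)],        # balanced, but almost nothing resolves
}

if __name__ == "__main__":
    for name, label in label_categories(SAMPLE_CATEGORIES).items():
        print(name, "->", label)
```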
In this embodiment, the determining, by the processing unit, the target class to which the target internet of things device belongs according to the distance between the target feature vector of each target internet of things device and the center feature vector corresponding to each class of tag in the detection model includes:
for each target internet of things device, if the distance between the target feature vector of the target internet of things device and the center feature vector corresponding to each class label in the detection model is greater than the maximum distance MAX, determining that the class of the target to which the target internet of things device belongs is unknown abnormal, otherwise,
and determining a target class label from the class labels of the detection model, wherein the distance between the central feature vector corresponding to the target class label and the target feature vector of the target Internet of things equipment meets a specified distance condition, and determining the target class of the target Internet of things equipment as the class corresponding to the target class label.
Optionally, a sample distance corresponding to each class label also exists in the detection model, and the sample distance corresponding to each class label is the maximum value in the distances between the sample feature vector of each sample internet of things device in the class corresponding to the class label and the center feature vector corresponding to the class label;
the maximum distance MAX is a maximum value among sample distances corresponding to the labels of each category in the detection model.
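Added example (not from the patent) of the distance-based assignment just described, which is the same procedure given earlier as steps 401 and 402: it builds the central feature vector, the sample distance of each class label and the maximum distance MAX from constructed labelled sample vectors, then assigns target feature vectors. The central feature vector is taken to be the sample vector nearest the class mean (the description only says "a sample feature vector at the center"), Euclidean distance is assumed, and the function names and label strings are mine.

```python
import math

UNKNOWN_ANOMALY = "unknown anomaly"  # assumed label string for the unknown-anomaly outcome


def euclidean(a, b):
    """Euclidean distance between two equal-length feature vectors (assumed metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train_detection_model(labelled_samples):
    """labelled_samples: dict class label -> list of sample feature vectors.
    Returns (centres, sample_distances, max_distance):
      centres[label]           central feature vector of the class (the sample vector closest
                               to the class mean; an assumption about "at the center")
      sample_distances[label]  largest distance from any sample in the class to its centre
      max_distance             MAX, the largest of all sample distances
    """
    centres, sample_distances = {}, {}
    for label, vectors in labelled_samples.items():
        mean_vec = tuple(sum(col) / len(vectors) for col in zip(*vectors))
        centre = min(vectors, key=lambda v: euclidean(v, mean_vec))
        centres[label] = centre
        sample_distances[label] = max(euclidean(v, centre) for v in vectors)
    max_distance = max(sample_distances.values())
    return centres, sample_distances, max_distance


def classify_target(target_vector, centres, max_distance):
    """Steps 401 and 402: return (class label or UNKNOWN_ANOMALY, distance to the chosen centre).
    A target farther than MAX from every centre is an unknown anomaly; otherwise the class
    whose centre is nearest (the specified distance condition) is chosen."""
    distances = {label: euclidean(target_vector, c) for label, c in centres.items()}
    if all(d > max_distance for d in distances.values()):
        return UNKNOWN_ANOMALY, None
    best = min(distances, key=distances.get)
    return best, distances[best]


# Constructed samples: two classes already labelled by the earlier procedure, vectors of the
# form (DNS request number, DNS response number, DNS resolution success ratio).
SAMPLES = {
    "normal service device": [(20, 20, 0.9), (22, 20, 0.9), (24, 20, 0.9)],
    "abnormal service device (DNS flooding)": [(600, 15, 0.3), (620, 15, 0.3), (640, 15, 0.3)],
}

if __name__ == "__main__":
    centres, sample_distances, max_distance = train_detection_model(SAMPLES)
    print("MAX =", max_distance)
    for target in [(23, 20, 0.9), (630, 15, 0.3), (300, 15, 0.3)]:
        print(target, "->", classify_target(target, centres, max_distance))
```

The third target lies far from both centres and is reported as unknown anomaly, which is also the condition the description names as a model update event. Because the request and response counts are orders of magnitude larger than the success ratio, the distance here is dominated by the counts; scaling the features before computing distances is a practical consideration the description does not address.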
In this embodiment, the processing unit further limits, on the DNS server, the number of DNS responses for each target internet of things device in the category when it determines that the target category to which the target internet of things device belongs is the category corresponding to the first abnormal device category label used for indicating a DNS reflection attack; performs a basic configuration check and/or security scanning on each target internet of things device in the category when it determines that the target category is the category corresponding to the second abnormal device category label used for indicating a DNS flooding attack; and links the configured security device to perform security reinforcement on each target internet of things device in the category when it determines that the target category is the category corresponding to the third abnormal device category label used for indicating a malicious program.
In this embodiment, the processing unit further retrains and updates the detection model when it detects a model update event; the model update event includes at least: the model update time arriving, or the class of a target internet of things device being detected as unknown anomaly.
Thus, the description of the device structure shown in fig. 6 is completed.
The embodiment of the application also provides a hardware structure of the electronic equipment. Referring to fig. 7, fig. 7 is a hardware structure diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 7, the hardware structure may include: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the methods disclosed in the above examples of the present application.
Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where several computer instructions are stored, and when the computer instructions are executed by a processor, the method disclosed in the above example of the present application can be implemented.
The machine-readable storage medium may be, for example, any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk or DVD), a similar storage medium, or a combination thereof.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (13)

1. An Internet of things device anomaly detection method based on device roles, applied to an electronic device, comprising the following steps:
obtaining a domain name system DNS message passing through an Internet of things core switch in a first specified time period; the DNS message comprises a DNS request and a DNS response;
determining a target feature vector of the target Internet of things device based on the Internet of things device roles related to the target Internet of things device according to the DNS messages obtained in the first specified time period; the Internet of things device roles related to the target Internet of things device comprise: a DNS request role for initiating DNS requests, a DNS response role for responding to received DNS requests, and a DNS server role for domain name resolution; the target feature vector at least comprises: the DNS request number of DNS requests initiated by the target Internet of things device, the DNS response number of DNS responses sent to the target Internet of things device, and DNS resolution success information; the DNS resolution success information refers to information on whether the domain names in DNS requests initiated by the target Internet of things device are successfully resolved;
calculating the distance between the target feature vector of the target Internet of things device and the central feature vector corresponding to each category label in the trained detection model;
determining the target category to which the target Internet of things device belongs according to the distance between the target feature vector of the target Internet of things device and the central feature vector corresponding to each category label in the detection model, wherein the target category is either the category corresponding to one category label in the detection model or an unknown anomaly, and the category labels in the detection model at least comprise: a normal service device label, a DNS server label and an abnormal service device label, the normal service device label at least indicating that the target Internet of things device behaves normally in the DNS request role or normally in the DNS response role.
2. The method according to claim 1, wherein determining, according to the DNS messages obtained in the first specified time period, the target feature vector of the target Internet of things device based on the Internet of things device roles related to the target Internet of things device comprises:
when the DNS message is a DNS request, increasing the DNS request number of the target Internet of things device corresponding to the source IP address in the DNS request by a set value, and increasing the DNS response number of the target Internet of things device corresponding to the destination IP address in the DNS request by a set value;
when the DNS message is a DNS response, increasing the DNS response number of the target Internet of things device corresponding to the source IP address in the DNS response by a set value, increasing the DNS request number of the target Internet of things device corresponding to the destination IP address in the DNS response by a set value, identifying the DNS resolution result carried in the DNS response, and, when the DNS resolution result contains an identifier indicating that the DNS resolution succeeded, increasing the DNS resolution success number of the target Internet of things device corresponding to the destination IP address in the DNS response by a set value;
and when the first specified time period ends, determining the DNS resolution success information of each target Internet of things device according to the DNS resolution success number of that device, and determining the DNS request number, the DNS response number and the DNS resolution success information of the target Internet of things device as the feature vector of the target Internet of things device.
3. The method of claim 1, wherein the detection model is trained by:
determining a sample feature vector of a sample Internet of things device based on the DNS messages passing through the Internet of things core switch in a second specified time period, wherein the sample feature vector at least comprises: the DNS request number of DNS requests initiated by the sample Internet of things device, the DNS response number of DNS responses sent to the sample Internet of things device, and DNS resolution success information; the DNS resolution success information refers to information on whether the domain names in DNS requests initiated by the sample Internet of things device are successfully resolved; the second specified time period is different from the first specified time period;
classifying the sample Internet of things equipment according to the sample feature vectors of the sample Internet of things equipment;
determining a class label corresponding to each class, and training according to each class label and a central feature vector corresponding to the class label to obtain the detection model, wherein the central feature vector corresponding to the class label is determined based on the sample feature vector of each sample Internet of things device in the class corresponding to the class label.
4. The method of claim 3, wherein determining the sample feature vector of the sample Internet of things device based on the DNS messages passing through the Internet of things core switch in the second specified time period comprises:
when a DNS message passing through the Internet of things core switch in the second specified time period is a DNS request, increasing the DNS request number of the sample Internet of things device corresponding to the source IP address in the DNS request by a set value, and increasing the DNS response number of the sample Internet of things device corresponding to the destination IP address in the DNS request by a set value;
when a DNS message passing through the Internet of things core switch in the second specified time period is a DNS response, increasing the DNS response number of the sample Internet of things device corresponding to the source IP address in the DNS response by a set value, increasing the DNS request number of the sample Internet of things device corresponding to the destination IP address in the DNS response by a set value, identifying the DNS resolution result carried in the DNS response, and, when the DNS resolution result contains a DNS resolution success identifier, increasing the DNS resolution success number of the sample Internet of things device corresponding to the destination IP address in the DNS response by a set value;
and when the second specified time period ends, for each sample Internet of things device, determining the DNS resolution success information of the sample Internet of things device according to its DNS resolution success number, and determining the DNS resolution success information, the DNS request number and the DNS response number of the sample Internet of things device as the sample feature vector of the sample Internet of things device.
5. The method of claim 3, wherein the determining the class label corresponding to each class comprises:
for each category, determining category label analysis parameters corresponding to the category according to the sample feature vectors of the sample internet of things devices in the category, wherein the category label analysis parameters at least comprise: the total number of DNS messages; the total number of the DNS messages is determined according to the DNS request number and the DNS response number of each sample Internet of things device in the category;
selecting, from all categories, the first category with the largest total number of DNS messages, determining that the category label corresponding to the first category is the DNS server category label, and determining the category label corresponding to each category other than the first category according to the DNS request numbers, the DNS response numbers and the DNS resolution success information of the sample Internet of things devices in that category.
6. The method of claim 5, wherein the determining the class label corresponding to the class according to the DNS request number, the DNS response number and the DNS resolution success information of the sample Internet of things device in the class comprises:
for each category other than the first category,
determining the average DNS request number, the average DNS response number and the average DNS resolution success ratio corresponding to the category; the average DNS request number is determined from the DNS request number of each sample Internet of things device in the category and the total number of sample Internet of things devices in the category, and the average DNS response number is determined from the DNS response number of each sample Internet of things device in the category and the total number of sample Internet of things devices in the category; the average DNS resolution success ratio is determined from the DNS resolution success information of each sample Internet of things device in the category and the total number of sample Internet of things devices in the category;
and determining the category label corresponding to the category according to the average DNS request number, the average DNS response number and the average DNS resolution success ratio corresponding to the category.
7. The method according to claim 6, wherein determining the category label corresponding to the category according to the average DNS request number, the average DNS response number and the average DNS resolution success ratio comprises:
for each category other than the first category,
calculating the ratio of the average DNS request number corresponding to the category to the average DNS response number;
if the ratio is smaller than a first set threshold, determining that the class label corresponding to the class is a first abnormal service equipment class label, wherein the first abnormal service equipment class label is used for indicating DNS reflection attack;
if the ratio is larger than a second set threshold, determining that the class label corresponding to the class is a second abnormal service equipment class label, wherein the second abnormal service equipment class label is used for indicating DNS flooding attack; wherein the second set threshold is greater than the first set threshold;
if the average DNS resolution success ratio is smaller than a third set threshold, determining that the category label corresponding to the category is a third abnormal service device category label, wherein the third abnormal service device category label is used for indicating a malicious program;
and if the ratio is between the first set threshold and the second set threshold and the average DNS resolution success ratio is greater than the third set threshold, determining that the category label corresponding to the category is the normal service device category label.
8. The method of claim 1, wherein the determining the target class to which the target internet of things device belongs according to the distance between the target feature vector of each target internet of things device and the center feature vector corresponding to each class label in the detection model comprises:
for each target Internet of things device, if the distances between the target feature vector of the target Internet of things device and the central feature vectors corresponding to all category labels in the detection model are all greater than the maximum distance MAX, determining that the target category to which the target Internet of things device belongs is an unknown anomaly; otherwise,
and determining a target class label from the class labels of the detection model, wherein the distance between the central feature vector corresponding to the target class label and the target feature vector of the target Internet of things equipment meets a specified distance condition, and determining the target class of the target Internet of things equipment as the class corresponding to the target class label.
9. The method according to claim 8, wherein the detection model further has a sample distance corresponding to each category label, and the sample distance corresponding to a category label is the maximum value among the distances between the sample feature vector of each sample Internet of things device in the category corresponding to that category label and the central feature vector corresponding to that category label;
the maximum distance MAX is the maximum value among the sample distances corresponding to all category labels in the detection model.
10. The method of any one of claims 1 to 9, further comprising:
when the target category to which the target Internet of things device belongs is determined to be the category corresponding to the first abnormal service device category label indicating a DNS reflection attack, limiting, on the DNS server, the number of DNS responses for each target Internet of things device in that category;
when the target category to which the target Internet of things device belongs is determined to be the category corresponding to the second abnormal service device category label indicating a DNS flooding attack, performing a basic configuration check and/or a security scan on each target Internet of things device in that category;
and when the target category to which the target Internet of things device belongs is determined to be the category corresponding to the third abnormal service device category label indicating a malicious program, linking with the configured security device to perform security hardening on each target Internet of things device in that category.
11. The method of claim 1, further comprising:
retraining and updating the detection model when a model update event is detected; the model update event at least comprises: the model update time arriving, or the category of a target Internet of things device being detected as an unknown anomaly.
12. A role-based Internet of things equipment anomaly detection system is characterized by comprising:
an Internet of things core switch, and an electronic device for performing the method of any one of claims 1 to 11; the electronic device is deployed on a bypass of the Internet of things core switch or is independent of the Internet of things core switch.
13. An electronic device, comprising: a processor and a machine-readable storage medium;
the machine-readable storage medium stores machine-executable instructions executable by the processor;
the processor is configured to execute machine executable instructions to perform the method steps of any of claims 1-11.
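As an added illustration (not the patent's own code), the following Python carries the claims through end to end: the role-based feature counting of claims 2 and 4, the cluster labelling of claims 5 to 7, the centre-vector model with MAX distance of claim 9, and the classification of claim 8, run on constructed traffic and constructed clusters. The message format, the definition of the success ratio, the label names, the rule order and the thresholds are assumptions, and the clustering step of claim 3 is taken as already done.

```python
from collections import Counter
from math import dist

# Feature vector per device, as in the claims: (DNS request number, DNS response number,
# DNS resolution success ratio). Messages are constructed dicts {"type", "src", "dst", "rcode"};
# success ratio = successful answers / answers received (assumption; the claims leave its form open).
def count_features(messages):
    req, resp, answered, ok = Counter(), Counter(), Counter(), Counter()
    for m in messages:
        if m["type"] == "request":
            req[m["src"]] += 1       # source acts in the DNS request role
            resp[m["dst"]] += 1      # destination acts in the DNS response role
        elif m["type"] == "response":
            resp[m["src"]] += 1
            req[m["dst"]] += 1
            answered[m["dst"]] += 1
            if m.get("rcode") == 0:  # RCODE 0 (NOERROR) marks a successful resolution
                ok[m["dst"]] += 1
    return {d: (req[d], resp[d], ok[d] / answered[d] if answered[d] else 0.0)
            for d in set(req) | set(resp)}

def label_categories(clusters, t1, t2, t3):
    """Claims 5 to 7: the busiest cluster is the DNS server; every other cluster is labelled
    reflection (ratio < t1), flooding (ratio > t2), malicious program (success < t3) or normal.
    The ratio rules are checked before the success rule (the claims fix no order: assumption)."""
    totals = {c: sum(v[0] + v[1] for v in vecs) for c, vecs in clusters.items()}
    server = max(totals, key=totals.get)
    labels = {server: "dns_server"}
    for c, vecs in clusters.items():
        if c == server:
            continue
        avg_req, avg_resp, avg_ok = (sum(v[i] for v in vecs) / len(vecs) for i in range(3))
        ratio = avg_req / avg_resp if avg_resp else float("inf")
        labels[c] = ("reflection_attack" if ratio < t1 else "flooding_attack" if ratio > t2
                     else "malicious_program" if avg_ok < t3 else "normal")
    return labels

def train_model(clusters):
    """Centre vector per cluster plus MAX, the largest member-to-centre distance (claim 9)."""
    centers, max_dist = {}, 0.0
    for c, vecs in clusters.items():
        centers[c] = tuple(sum(x) / len(vecs) for x in zip(*vecs))
        max_dist = max(max_dist, max(dist(centers[c], v) for v in vecs))
    return centers, max_dist

def classify(vec, centers, labels, max_dist):
    """Claim 8: the nearest centre decides, unless every centre is farther away than MAX."""
    dists = {c: dist(vec, center) for c, center in centers.items()}
    nearest = min(dists, key=dists.get)
    return "unknown_anomaly" if dists[nearest] > max_dist else labels[nearest]

# Constructed sample traffic: one client, one resolver, one lookup succeeds and one fails.
SAMPLE_MESSAGES = [
    {"type": "request", "src": "10.0.0.5", "dst": "10.0.0.1"},
    {"type": "response", "src": "10.0.0.1", "dst": "10.0.0.5", "rcode": 0},
    {"type": "request", "src": "10.0.0.5", "dst": "10.0.0.1"},
    {"type": "response", "src": "10.0.0.1", "dst": "10.0.0.5", "rcode": 3},
]
# Constructed training clusters of (request, response, success ratio) sample vectors.
TRAINING_CLUSTERS = {
    "A": [(0, 400, 0.0), (0, 380, 0.0)],                 # responds only: the resolver
    "B": [(20, 20, 0.95), (24, 24, 1.0), (18, 18, 0.9)],
    "C": [(4, 60, 1.0), (6, 80, 1.0)],
    "D": [(300, 40, 0.8), (320, 30, 0.8)],
    "E": [(30, 30, 0.1), (34, 34, 0.05)],
}
LABELS = label_categories(TRAINING_CLUSTERS, t1=0.5, t2=2.0, t3=0.5)
CENTERS, MAX_DIST = train_model(TRAINING_CLUSTERS)
```

Note that with the claims' counting rule a device's request number grows both when it sends a request and when it receives a response, so a fully answered client shows equal request and response numbers and the resolver shows responses only.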
CN202111523646.4A 2021-12-14 2021-12-14 Internet of things equipment anomaly detection method, system and device based on equipment roles Active CN113935438B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111523646.4A CN113935438B (en) 2021-12-14 2021-12-14 Internet of things equipment anomaly detection method, system and device based on equipment roles

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111523646.4A CN113935438B (en) 2021-12-14 2021-12-14 Internet of things equipment anomaly detection method, system and device based on equipment roles

Publications (2)

Publication Number Publication Date
CN113935438A CN113935438A (en) 2022-01-14
CN113935438B true CN113935438B (en) 2022-04-26

Family

ID=79288895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111523646.4A Active CN113935438B (en) 2021-12-14 2021-12-14 Internet of things equipment anomaly detection method, system and device based on equipment roles

Country Status (1)

Country Link
CN (1) CN113935438B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679386B (en) * 2022-05-25 2022-08-05 杭州海康威视数字技术股份有限公司 Cloud-edge cooperative Internet of things device role judgment and management method, system and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200054A (en) * 2017-12-29 2018-06-22 北京奇安信科技有限公司 Malicious domain name detection method and device based on DNS resolution
CN110933156A (en) * 2019-11-26 2020-03-27 杭州迪普科技股份有限公司 Domain name resolution method and device
CN112600792A (en) * 2020-11-23 2021-04-02 国网山东省电力公司青岛供电公司 Abnormal behavior detection method and system for Internet of things equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11005871B2 (en) * 2018-01-10 2021-05-11 AVAST Software s.r.o. Cloud-based anomalous traffic detection and protection in a remote network via DNS properties

Also Published As

Publication number Publication date
CN113935438A (en) 2022-01-14

Similar Documents

Publication Publication Date Title
US10148690B2 (en) Accurate real-time identification of malicious BGP hijacks
CN109861985B (en) IP wind control method, device, equipment and storage medium based on risk grade division
US9171151B2 (en) Reputation-based in-network filtering of client event information
EP3507960B1 (en) Clustering approach for detecting ddos botnets on the cloud from ipfix data
EP3178011B1 (en) Method and system for facilitating terminal identifiers
EP3264312A1 (en) Model-based computer attack analytics orchestration
CN110011932B (en) Network traffic classification method capable of identifying unknown traffic and terminal equipment
US10601847B2 (en) Detecting user behavior activities of interest in a network
CN111625841B (en) Virus processing method, device and equipment
CN112118249B (en) Security protection method and device based on log and firewall
US20180139142A1 (en) Network traffic pattern based machine readable instruction identification
CN113935438B (en) Internet of things equipment anomaly detection method, system and device based on equipment roles
CN113486339A (en) Data processing method, device, equipment and machine-readable storage medium
CN113328994A (en) Malicious domain name processing method, device, equipment and machine readable storage medium
CN111510434A (en) Network intrusion detection method, system and related equipment
CN112583827B (en) Data leakage detection method and device
CN111010362B (en) Monitoring method and device for abnormal host
CN108650274B (en) Network intrusion detection method and system
CN110752996A (en) Message forwarding method and device
CN108259214B (en) Configuration command management method, device and machine-readable storage medium
CN112491820B (en) Abnormity detection method, device and equipment
CN115955333A (en) C2 server identification method and device, electronic equipment and readable storage medium
CN115314319A (en) Network asset identification method and device, electronic equipment and storage medium
CN111079144B (en) Virus propagation behavior detection method and device
CN111615124B (en) Service detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant