WO2024120186A1 - Internet of things intrusion detection method and apparatus, device, and storage medium - Google Patents

Internet of things intrusion detection method and apparatus, device, and storage medium Download PDF

Info

Publication number
WO2024120186A1
WO2024120186A1 PCT/CN2023/133080 CN2023133080W WO2024120186A1 WO 2024120186 A1 WO2024120186 A1 WO 2024120186A1 CN 2023133080 W CN2023133080 W CN 2023133080W WO 2024120186 A1 WO2024120186 A1 WO 2024120186A1
Authority
WO
WIPO (PCT)
Prior art keywords
intrusion detection
detection data
recommendation system
internet
source domain
Prior art date
Application number
PCT/CN2023/133080
Other languages
French (fr)
Chinese (zh)
Inventor
吴嘉澍
王洋
须成忠
叶可江
Original Assignee
中国科学院深圳先进技术研究院
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国科学院深圳先进技术研究院 filed Critical 中国科学院深圳先进技术研究院
Publication of WO2024120186A1 publication Critical patent/WO2024120186A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • the present application belongs to the field of network communication technology, and in particular, relates to an Internet of Things intrusion detection method, device, equipment and storage medium.
  • IoT devices With the rapid progress and development of IoT devices, more and more IoT devices are being used in daily production and life, making more and more applications more intelligent, such as IoT-driven smart cities, IoT-driven smart medical care and elderly care, etc.
  • IoT devices themselves have some defects. For example, most IoT devices have extremely limited computing and storage capabilities, and their energy supply is also very limited. Therefore, it is not feasible to deploy a more powerful intrusion detection mechanism on IoT devices, which makes IoT devices more vulnerable to malicious intrusion attacks, thereby compromising the security of IoT devices themselves, and the safety of their applications and users is therefore difficult to guarantee.
  • an effective intrusion detection mechanism is needed to detect possible intrusion behaviors, thereby ensuring the security of IoT devices.
  • the rule-based intrusion detection method relies on a pre-established intrusion rule base. When a communication is detected to meet a certain rule in the intrusion rule base, the communication is judged as an illegal intrusion.
  • the machine learning-based intrusion detection method requires a machine learning model to be pre-trained with a fully labeled data set, and intrusion detection is performed through the trained machine learning model.
  • the present application provides an Internet of Things intrusion detection method, device, equipment and storage medium, which aims to solve at least one of the above-mentioned technical problems in the prior art to a certain extent.
  • An Internet of Things intrusion detection method comprising:
  • Step S1 inputting the Internet source domain intrusion detection data into the source domain feature mapper, and inputting the IoT target domain intrusion detection data into the target domain feature mapper;
  • Step S2 Using the Internet source domain intrusion detection data as input, a recommendation system based on source domain training is constructed;
  • Step S3 using the source domain training-based recommendation system to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data;
  • Step S4 using the IoT target domain intrusion detection data as input, building a target domain training-based recommendation system;
  • Step S5 using the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data;
  • Step S6 Calculate the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category to obtain the recommendation system matching loss;
  • Step S7 Calculate the supervision loss according to the Internet source domain intrusion detection data
  • Step S8 Optimize the supervision loss and the recommendation system matching loss and update the neural network Network parameters
  • Step S9 If the cosine similarity of the Internet source domain intrusion detection data recommended by the recommendation system for the IoT target domain is greater than the set threshold, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type; if the set threshold is not reached, a neural network classifier is used to perform intrusion detection on the IoT target domain intrusion detection data.
  • step S2 includes:
  • the Latent Semantic Indexing algorithm is used to construct a recommendation system based on source domain training with Internet source domain intrusion detection data as input; its mathematical expression is:
  • M matrix is the source domain feature matrix
  • U is the feature-latent space matrix
  • T is the latent space transformation matrix
  • V is the communication data-latent space matrix
  • R is the dimension parameter.
  • step S3 includes:
  • the recommendation system based on source domain training is used to recommend an Internet source domain intrusion detection data that is most similar to each IoT target domain intrusion detection data.
  • the intrusion category label of the recommended Internet source domain intrusion detection data is used as the recommendation system label of the IoT target domain intrusion detection data.
  • RS S (x T j ) represents the Internet source domain data recommended for the j-th IoT target domain communication data
  • PL is the recommendation system label of the j-th IoT target domain communication data
  • the mean vector is taken by class according to its recommendation system label.
  • step S5 includes:
  • All Internet source domain intrusion detection data are averaged by category, and the recommendation system based on target domain training is used to recommend the top N similar objects for the mean vector of each Internet source domain intrusion detection data.
  • the target domain intrusion detection data of the Internet of Things is obtained, and a mean vector is taken for the N similar target domain intrusion detection data of the Internet of Things.
  • step S6 includes:
  • L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
  • step S7 includes:
  • L SUP is the supervision loss of Internet source domain intrusion detection data
  • n S is the amount of Internet source domain intrusion detection data
  • L CE is the cross entropy loss function
  • C is the common classifier, which is a one-layer neural network
  • f is the feature mapper
  • x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
  • step S8 includes:
  • the supervision loss and the recommendation system matching loss are optimized by using a gradient descent optimization algorithm, and the network parameters are updated; and whether the model converges is determined: if the model converges, step S9 is executed; otherwise, step S1 is returned to.
  • an Internet of Things intrusion detection device comprising:
  • Input module used to input the Internet source domain intrusion detection data into the source domain feature mapper, and input the IoT target domain intrusion detection data into the target domain feature mapper;
  • Building module used to take Internet source domain intrusion detection data as input and build a recommendation system based on source domain training;
  • Recommendation module used to adopt the recommendation system based on source domain training for each IoT target
  • the domain intrusion detection data recommends an Internet source domain intrusion detection data that is most similar to it;
  • Building module It is also used to build a target domain training-based recommendation system using IoT target domain intrusion detection data as input;
  • Recommendation module also used to adopt the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data;
  • Matching loss calculation module used to calculate the Euclidean distance between the recommendation results of the recommendation system based on source domain training and the recommendation results of the recommendation system based on target domain training for each communication category, and obtain the matching loss of the recommendation system;
  • a supervision loss calculation module used to calculate the supervision loss according to the Internet source domain intrusion detection data
  • Update module used to optimize the supervision loss and the recommendation system matching loss and update the parameters of the neural network
  • Intrusion detection module When the cosine similarity of the Internet source domain intrusion detection data recommended by the recommendation system for the IoT target domain is greater than the set threshold, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type; when the set threshold is not reached, the neural network classifier is used to perform intrusion detection on the IoT target domain intrusion detection data.
  • a device includes a processor and a memory coupled to the processor, wherein:
  • the memory stores program instructions for implementing the Internet of Things intrusion detection method
  • the processor is used to execute the program instructions stored in the memory to control the Internet of Things intrusion detection.
  • a storage medium storing program instructions executable by a processor, wherein the program instructions are used to execute the Internet of Things intrusion detection method.
  • the beneficial effects of this application are: it involves an Internet intrusion data field, which includes intrusion detection data collected from the Internet field, such as intrusion detection data collected from network center servers, and an Internet of Things field that is completely unlabeled.
  • the detection knowledge is transferred from the Internet intrusion field to the Internet of Things intrusion field with scarce data, and the accuracy of knowledge transfer is enhanced through the recommendation system, so that the Internet of Things field with scarce data can perform more effective intrusion detection, overcoming the difficulty of scarce Internet of Things data.
  • this application has at least the following beneficial effects:
  • This application adopts a transfer learning-based approach to perform intrusion detection on IoT devices. Its advantage is that compared with traditional intrusion detection methods, this application can perform effective IoT intrusion detection in unsupervised scenarios with scarce data, and can overcome the feature heterogeneity between the Internet intrusion data source domain and the IoT intrusion data target domain.
  • This application adopts a recommendation system recommendation result matching method, so that the transfer learning method can be more refined when transferring intrusion detection knowledge.
  • the recommendation system recommendation result matching mechanism can promote a more refined matching of intrusion data between two data fields, and more refined feature matching can further enable the recommendation system to better mine intrusion information and knowledge, thus forming a virtuous cycle between recommendation system matching and feature space matching.
  • This application uses a combination of recommendation system and neural network classifier to make intrusion detection decisions.
  • the recommendation system can fully mine and learn features of different intrusion categories when well trained, thereby making more accurate intrusion detection judgments than neural networks.
  • FIG1 is a flow chart of an IoT intrusion detection method according to an embodiment of the present application.
  • FIG2 is a schematic diagram of the structure of an IoT intrusion detection device according to an embodiment of the present application.
  • FIG3 is a schematic diagram of the device structure of an embodiment of the present application.
  • FIG. 4 is a schematic diagram of the structure of a storage medium according to an embodiment of the present application.
  • FIG1 is a flow chart of an IoT intrusion detection method according to an embodiment of the present application.
  • the IoT intrusion detection method according to an embodiment of the present application comprises the following steps:
  • Step S1 inputting the Internet source domain intrusion detection data into the source domain feature mapper, and inputting the IoT target domain intrusion detection data into the target domain feature mapper.
  • the Internet source domain intrusion detection data is input into the source domain feature mapper, and the IoT target domain intrusion detection data is input into the target domain feature mapper.
  • Both the source domain feature mapper and the target domain feature mapper are two-layer fully connected neural networks with LeakyRelu as the activation function.
  • the source domain feature mapper and the target domain feature mapper map the Internet source domain intrusion detection data and the IoT target domain intrusion detection data into a common feature space.
  • Step S2 using the Internet source domain intrusion detection data as input, constructs a recommendation system based on source domain training. Specifically:
  • the Latent Semantic Indexing (LSI) algorithm is used to construct a recommendation system based on source domain training using Internet source domain intrusion detection data as input. Its mathematical expression is as follows:
  • M matrix is the source domain feature matrix
  • U is the feature-latent space matrix
  • T is the latent space transformation matrix
  • V is the communication data-latent space matrix
  • R is the dimension parameter.
  • Step S3 using the source domain training-based recommendation system, recommends the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data. Specifically:
  • the source domain training-based recommendation system is used to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data.
  • the intrusion category label of the intrusion detection data is used as the recommendation system label of the intrusion detection data of the target domain of the Internet of Things. Its mathematical expression is as follows:
  • RSS ( xTj ) represents the Internet source domain data recommended for the j-th IoT target domain communication data
  • PL is the recommendation system label of the j-th IoT target domain communication data.
  • the recommendation rule is based on the maximization of the cosine distance. After that, for all IoT target domain intrusion detection data, the mean vector is taken by class according to its recommendation system label.
  • Step S4 using the IoT target domain intrusion detection data as input, construct a recommendation system based on target domain training. Specifically:
  • the Latent Semantic Indexing (LSI) algorithm is adopted to take the intrusion detection data of the target domain of IoT as input, and a recommendation system based on target domain training is constructed.
  • step S2 The specific construction process is similar to step S2 and will not be repeated here.
  • Step S5 Using the target domain training-based recommendation system, recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data. Specifically including:
  • All Internet source domain intrusion detection data are averaged by category, and the recommendation system based on target domain training is used to recommend the top N similar Internet of Things target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data, and the mean vector of the N similar Internet of Things target domain intrusion detection data is taken.
  • Step S6 Calculate the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category, and obtain the recommendation system matching loss. Specifically:
  • L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
  • Step S7 Calculate the supervision loss based on the Internet source domain intrusion detection data. Specifically:
  • L SUP is the supervision loss of Internet source domain intrusion detection data
  • n S is the amount of Internet source domain intrusion detection data
  • L CE is the cross entropy loss function
  • C is the common classifier, which is a one-layer neural network
  • f is the feature mapper
  • x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
  • Step S8 Optimize the supervision loss and the recommendation system matching loss, and update the parameters of the neural network. Specifically:
  • the supervision loss and the recommendation system matching loss are optimized by using a gradient descent optimization algorithm to update the network parameters. Determine whether the model has converged: if the model has converged, execute step S9; otherwise, return to step S1.
  • Step S9 Perform IoT intrusion detection. Specifically:
  • the neural network classifier is used to perform intrusion detection judgment on the IoT target domain intrusion detection data.
  • FIG2 is a schematic diagram of the structure of the IoT intrusion detection device of the embodiment of the present application.
  • the IoT intrusion detection device 10 of the embodiment of the present application comprises: an input module 101, a construction module 102, a recommendation module 103, a matching loss calculation module 104, a supervision loss calculation module 105, an update module 106, and an intrusion detection module 107.
  • an input module 101 a construction module 102, a recommendation module 103, a matching loss calculation module 104, a supervision loss calculation module 105, an update module 106, and an intrusion detection module 107.
  • the input module 101 is used to input the Internet source domain intrusion detection data into the source domain feature mapper, and input the Internet of Things target domain intrusion detection data into the target domain feature mapper. Specifically:
  • the input module 101 inputs the Internet source domain intrusion detection data into the source domain feature mapper, and inputs the Internet of Things target domain intrusion detection data into the target domain feature mapper.
  • Both the source domain feature mapper and the target domain feature mapper are two-layer fully connected neural networks with LeakyRelu as the activation function.
  • the source domain feature mapper and the target domain feature mapper map the Internet source domain intrusion detection data and the Internet of Things target domain intrusion detection data into a common feature space.
  • the construction module 102 is used to construct a recommendation system based on source domain training using Internet source domain intrusion detection data as input. Specifically:
  • the construction module 102 uses the Latent Semantic Indexing (LSI) algorithm, takes the Internet source domain intrusion detection data as input, and constructs a recommendation system based on source domain training. Its mathematical expression is as follows:
  • M matrix is the source domain feature matrix
  • U is the feature-latent space matrix
  • T is the latent space transformation matrix
  • V is the communication data-latent space matrix
  • R is the dimension parameter.
  • the recommendation module 103 is used to use the recommendation system based on source domain training to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data. Specifically:
  • the recommendation module 103 uses the recommendation system based on source domain training to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data.
  • the intrusion category label of the Internet source domain intrusion detection data is used as the recommendation system label of the IoT target domain intrusion detection data. Its mathematical expression is as follows:
  • RSS ( xTj ) represents the Internet source domain data recommended for the j-th IoT target domain communication data
  • PL is the recommendation system label of the j-th IoT target domain communication data.
  • the recommendation rule is based on the maximization of the cosine distance. After that, for all IoT target domain intrusion detection data, the mean vector is taken by class according to its recommendation system label.
  • the construction module 102 is also used to construct a recommendation system based on target domain training using the IoT target domain intrusion detection data as input. Specifically:
  • the construction module 102 adopts Latent Semantic Indexing (LSI) algorithm, takes the intrusion detection data of the target domain of the Internet of Things as input, and constructs a recommendation system based on target domain training.
  • LSI Latent Semantic Indexing
  • the recommendation module 103 is also used to use the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data. Specifically including:
  • the recommendation module 103 averages all Internet source domain intrusion detection data by category, and adopts the recommendation system based on target domain training to recommend the top N similar Internet of Things target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data, and takes the mean vector of the N similar Internet of Things target domain intrusion detection data.
  • the matching loss calculation module 104 is used to calculate the Euclidean distance between the recommendation results of the recommendation system based on source domain training and the recommendation results of the recommendation system based on target domain training for each communication category, and obtain the matching loss of the recommendation system. Specifically:
  • the matching loss calculation module 104 minimizes the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category, and its mathematical expression is as follows:
  • L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
  • the supervision loss calculation module 105 is used to calculate the supervision loss based on the Internet source domain intrusion detection data. Specifically:
  • the supervision loss calculation module 105 calculates the supervision loss of Internet source domain intrusion detection data, and its mathematical expression is as follows:
  • L SUP is the supervision loss of Internet source domain intrusion detection data
  • n S is the amount of Internet source domain intrusion detection data
  • L CE is the cross entropy loss function
  • C is the common classifier, which is a one-layer neural network
  • f is the feature mapper
  • x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
  • the updating module 106 is used to optimize the supervision loss and the recommendation system matching loss and update the parameters of the neural network. Specifically:
  • the updating module 106 optimizes the supervision loss and the recommendation system matching loss using a gradient descent optimization algorithm to update network parameters.
  • the intrusion detection module 107 is used to perform intrusion detection on the Internet of Things. Specifically:
  • the intrusion detection module 107 performs intrusion detection: if the cosine similarity when the recommendation system recommends Internet source domain intrusion detection data for the IoT target domain is greater than a set threshold, such as 0.6, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type judgment; if the set threshold is not reached, a neural network classifier is used to perform intrusion detection judgment on the IoT target domain intrusion detection data.
  • a set threshold such as 0.6
  • FIG3 is a schematic diagram of the device structure of an embodiment of the present application.
  • the device 50 includes a processor 51 and a memory 52 coupled to the processor 51 .
  • the memory 52 stores program instructions for implementing the above-mentioned Internet of Things intrusion detection method.
  • the processor 51 is used to execute program instructions stored in the memory 52 to control the Internet of Things intrusion detection.
  • the processor 51 may also be referred to as a CPU (Central Processing Unit).
  • the processor 51 may be an integrated circuit chip having signal processing capabilities.
  • the processor 51 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
  • DSP digital signal processor
  • ASIC application-specific integrated circuit
  • FPGA field-programmable gate array
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor, etc.
  • FIG 4 is a schematic diagram of the structure of the storage medium of the embodiment of the present application.
  • the storage medium of the embodiment of the present application stores a program file 61 that can implement all the above methods, wherein the program file 61 can be stored in the above storage medium in the form of a software product, including a number of instructions to enable a computer device (which can be a personal computer, server, or network device, etc.) or a processor (processor) to perform all or part of the steps of the methods of each embodiment of the present invention.
  • a computer device which can be a personal computer, server, or network device, etc.
  • processor processor
  • the aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), disk or optical disk and other media that can store program codes, or computers, servers, mobile phones, tablets and other devices.
  • this application has general applicability and can be used for a variety of communication detections, such as intrusion detection, security detection, task detection, etc.
  • This application is robust to the characteristics and distribution of source domain data and target domain data.
  • This application can act on homogeneous or heterogeneous source domain data and target domain data.
  • This application can act on IoT data to be tested that has no supervisory information at all.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Molecular Biology (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

The present application relates to an Internet of Things intrusion detection method and apparatus, a device, and a storage medium. The method comprises: inputting Internet source domain intrusion detection data into a source domain feature mapper, and inputting Internet of Things target domain intrusion detection data into a target domain feature mapper; constructing a source domain training-based recommendation system; recommending to each piece of Internet of Things target domain intrusion detection data a piece of Internet source domain intrusion detection data most similar to said piece of Internet of Things target domain intrusion detection data; constructing a target domain training-based recommendation system; recommending to a mean vector of the Internet source domain intrusion detection data the top N pieces of similar Internet of Things target domain intrusion detection data; calculating an Euclidean distance between the recommendation result of the source domain training-based recommendation system and the recommendation result of the target domain training-based recommendation system to obtain a recommendation system matching loss; calculating a supervision loss; updating parameters of a neural network; and carrying out Internet of Things intrusion detection. The present application can more effectively carry out Internet of Things intrusion detection.

Description

一种物联网入侵检测方法、装置、设备以及存储介质An Internet of Things intrusion detection method, device, equipment and storage medium 技术领域Technical Field
本申请属于网络通讯技术领域,特别涉及一种物联网入侵检测方法、装置、设备以及存储介质。The present application belongs to the field of network communication technology, and in particular, relates to an Internet of Things intrusion detection method, device, equipment and storage medium.
背景技术Background technique
随着物联网设备的快速进步与发展,越来越多的物联网设备被应用在日常生产生活之中,并使得越来越多的应用变得更加智能化,如物联网驱动的智慧城市,物联网驱动的智慧医疗养老等等。然而,物联网设备自身具有一些缺陷,如,大多数的物联网设备具有极其有限的计算、存储能力,其能源供应也十分有限,因此,在物联网设备上部署较为强有力的入侵检测机制变得较为不可行,这就使得物联网设备更加容易受到恶意入侵攻击,从而使得物联网设备自身的安全性受损,其应用以及用户的安全也因此难以得到保障。With the rapid progress and development of IoT devices, more and more IoT devices are being used in daily production and life, making more and more applications more intelligent, such as IoT-driven smart cities, IoT-driven smart medical care and elderly care, etc. However, IoT devices themselves have some defects. For example, most IoT devices have extremely limited computing and storage capabilities, and their energy supply is also very limited. Therefore, it is not feasible to deploy a more powerful intrusion detection mechanism on IoT devices, which makes IoT devices more vulnerable to malicious intrusion attacks, thereby compromising the security of IoT devices themselves, and the safety of their applications and users is therefore difficult to guarantee.
为了保障物联网设备、其运行的应用以及用户的安全,需要一个有效的入侵检测机制,对可能的入侵行为进行检测,从而保障物联网设备的安全。传统的入侵检测机制主要有两种:一种是基于规则库的入侵检测方法;另一种是基于机器学习的入侵检测方法。基于规则库的入侵检测方法依赖于一个预先建立好的入侵规则库。当检测到某一次通讯符合入侵规则库中的某种规则时,判定该次通讯为非法入侵。而基于机器学习的入侵检测方法则需要用一个具有完整标记的数据集预先训练一个机器学习模型,并通过训练好的机器学习模型进行入侵检测。In order to ensure the security of IoT devices, their running applications and users, an effective intrusion detection mechanism is needed to detect possible intrusion behaviors, thereby ensuring the security of IoT devices. There are two main traditional intrusion detection mechanisms: one is the rule-based intrusion detection method; the other is the machine learning-based intrusion detection method. The rule-based intrusion detection method relies on a pre-established intrusion rule base. When a communication is detected to meet a certain rule in the intrusion rule base, the communication is judged as an illegal intrusion. The machine learning-based intrusion detection method requires a machine learning model to be pre-trained with a fully labeled data set, and intrusion detection is performed through the trained machine learning model.
然而,传统的两种入侵检测方法均具有很强的数据依赖性。基于规则库的入侵检测方法依赖于一个完备的知识库,然而构建该知识库并时常更新需要很强的专家知识。基于机器学习的入侵检测方法依赖于一个完整标记的训 练数据集,然而构建该数据集需要大量的时间与人力,成本昂贵。此外,物联网设备的一些自身限制,如较弱的存储与通讯能力,以及一些用户隐私信息的考虑使得物联网通讯数据较少被采集并获取,如此进一步使得上述两种对数据依赖性强的传统入侵检测方法在面对物联网入侵检测时效果大大受损。However, both traditional intrusion detection methods have strong data dependence. The rule-based intrusion detection method relies on a complete knowledge base, but building and updating the knowledge base requires strong expert knowledge. The machine learning-based intrusion detection method relies on a complete labeled training set. However, building this dataset requires a lot of time and manpower, which is expensive. In addition, some inherent limitations of IoT devices, such as weak storage and communication capabilities, and some user privacy considerations make IoT communication data less collected and obtained, which further makes the above two traditional intrusion detection methods that are highly dependent on data have greatly reduced effectiveness when facing IoT intrusion detection.
发明内容Summary of the invention
本申请提供了一种物联网入侵检测方法、装置、设备以及存储介质,旨在至少在一定程度上解决现有技术中的上述技术问题之一。The present application provides an Internet of Things intrusion detection method, device, equipment and storage medium, which aims to solve at least one of the above-mentioned technical problems in the prior art to a certain extent.
为了解决上述问题,本申请提供了如下技术方案:In order to solve the above problems, this application provides the following technical solutions:
一种物联网入侵检测方法,包括:An Internet of Things intrusion detection method, comprising:
步骤S1:将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器;Step S1: inputting the Internet source domain intrusion detection data into the source domain feature mapper, and inputting the IoT target domain intrusion detection data into the target domain feature mapper;
步骤S2:以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***;Step S2: Using the Internet source domain intrusion detection data as input, a recommendation system based on source domain training is constructed;
步骤S3,采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据;Step S3, using the source domain training-based recommendation system to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data;
步骤S4,以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***;Step S4, using the IoT target domain intrusion detection data as input, building a target domain training-based recommendation system;
步骤S5:采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据;Step S5: using the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data;
步骤S6:计算得到每个通讯类别之间的基于源域训练的推荐***的推荐结果与基于目标域训练的推荐***的推荐结果之间的欧式距离,得到推荐***匹配损失;Step S6: Calculate the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category to obtain the recommendation system matching loss;
步骤S7:根据所述互联网源域入侵检测数据,计算得到监督损失;Step S7: Calculate the supervision loss according to the Internet source domain intrusion detection data;
步骤S8:对所述监督损失与所述推荐***匹配损失进行优化,更新神经网 络的参数;Step S8: Optimize the supervision loss and the recommendation system matching loss and update the neural network Network parameters;
步骤S9:若推荐***为物联网目标域推荐互联网源域入侵检测数据的余弦相似度大于设定阈值,则使用推荐***所推荐的互联网源域入侵检测数据的入侵类型作为最终入侵类型;若未达到设定阈值,则使用神经网络分类器对物联网目标域入侵检测数据进行入侵检测。Step S9: If the cosine similarity of the Internet source domain intrusion detection data recommended by the recommendation system for the IoT target domain is greater than the set threshold, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type; if the set threshold is not reached, a neural network classifier is used to perform intrusion detection on the IoT target domain intrusion detection data.
本申请实施例采取的技术方案还包括:所述步骤S2包括:The technical solution adopted in the embodiment of the present application also includes: the step S2 includes:
采用Latent Semantic Indexing算法,以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***;其数学表达式为:
The Latent Semantic Indexing algorithm is used to construct a recommendation system based on source domain training with Internet source domain intrusion detection data as input; its mathematical expression is:
其中,M矩阵为源域特征矩阵,U为特征-隐空间矩阵,T为隐空间变换矩阵,V为通讯数据-隐空间矩阵,R为维度参数,为互联网源域第i条通讯数据,为物联网目标域第j条通讯数据,为物联网目标域第j条通讯数据经推荐***处理后的数据表示。Among them, M matrix is the source domain feature matrix, U is the feature-latent space matrix, T is the latent space transformation matrix, V is the communication data-latent space matrix, and R is the dimension parameter. is the ith communication data in the Internet source domain, is the jth communication data of the IoT target domain, It is the data representation of the jth communication data in the IoT target domain after being processed by the recommendation system.
本申请实施例采取的技术方案还包括:所述步骤S3包括:The technical solution adopted in the embodiment of the present application also includes: the step S3 includes:
采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据,被推荐的所述互联网源域入侵检测数据的入侵类别标签作为所述物联网目标域入侵检测数据的推荐***标签,其数学表达式如下:
The recommendation system based on source domain training is used to recommend an Internet source domain intrusion detection data that is most similar to each IoT target domain intrusion detection data. The intrusion category label of the recommended Internet source domain intrusion detection data is used as the recommendation system label of the IoT target domain intrusion detection data. The mathematical expression is as follows:
其中,RSS(xT j)表示为第j个物联网目标域通讯数据推荐的互联网源域数据,PL为第j个物联网目标域通讯数据的推荐***标签;Among them, RS S (x T j ) represents the Internet source domain data recommended for the j-th IoT target domain communication data, and PL is the recommendation system label of the j-th IoT target domain communication data;
之后,对所有物联网目标域入侵检测数据,根据其推荐***标签按类取均值向量。Afterwards, for all IoT target domain intrusion detection data, the mean vector is taken by class according to its recommendation system label.
本申请实施例采取的技术方案还包括:所述步骤S5包括:The technical solution adopted in the embodiment of the present application also includes: the step S5 includes:
对所有互联网源域入侵检测数据按类取平均,并采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物 联网目标域入侵检测数据,并对所述N个相似的物联网目标域入侵检测数据取均值向量。All Internet source domain intrusion detection data are averaged by category, and the recommendation system based on target domain training is used to recommend the top N similar objects for the mean vector of each Internet source domain intrusion detection data. The target domain intrusion detection data of the Internet of Things is obtained, and a mean vector is taken for the N similar target domain intrusion detection data of the Internet of Things.
本申请实施例采取的技术方案还包括:所述步骤S6包括:The technical solution adopted in the embodiment of the present application also includes: the step S6 includes:
最小化每个通讯类别之间的基于源域训练的推荐***的推荐结果以及基于目标域训练的推荐***的推荐结果之间的欧式距离,其数学表达式如下:
Minimize the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category. The mathematical expression is as follows:
其中,LABR为推荐***匹配损失,以及分别为基于源域训练的推荐***为物联网目标域的推荐,以及基于目标域训练的推荐***为互联网源域的推荐。Among them, L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
本申请实施例采取的技术方案还包括:所述步骤S7包括:The technical solution adopted in the embodiment of the present application also includes: the step S7 includes:
计算互联网源域入侵检测数据监督损失,其数学表达式如下:
Calculate the supervision loss of Internet source domain intrusion detection data. Its mathematical expression is as follows:
其中:LSUP为互联网源域入侵检测数据监督损失;nS为互联网源域入侵检测数据量;LCE为交叉熵损失函数;C为公共分类器,其为一个一层的神经网络;f为特征映射器;x与y分别为互联网源域入侵检测数据的特征及其对应标签。Among them: L SUP is the supervision loss of Internet source domain intrusion detection data; n S is the amount of Internet source domain intrusion detection data; L CE is the cross entropy loss function; C is the common classifier, which is a one-layer neural network; f is the feature mapper; x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
本申请实施例采取的技术方案还包括:所述步骤S8包括:The technical solution adopted in the embodiment of the present application also includes: the step S8 includes:
采用梯度下降优化算法对所述监督损失与所述推荐***匹配损失进行优化,更新网络参数;判断模型是否收敛:如果模型收敛,则执行步骤S9;否则,返回步骤S1。The supervision loss and the recommendation system matching loss are optimized by using a gradient descent optimization algorithm, and the network parameters are updated; and whether the model converges is determined: if the model converges, step S9 is executed; otherwise, step S1 is returned to.
本申请实施例采取的另一技术方案为:一种物联网入侵检测装置,包括:Another technical solution adopted by the embodiment of the present application is: an Internet of Things intrusion detection device, comprising:
输入模块:用于将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器;Input module: used to input the Internet source domain intrusion detection data into the source domain feature mapper, and input the IoT target domain intrusion detection data into the target domain feature mapper;
构建模块:用于以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***;Building module: used to take Internet source domain intrusion detection data as input and build a recommendation system based on source domain training;
推荐模块:用于采用所述基于源域训练的推荐***,为每一个物联网目标 域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据;Recommendation module: used to adopt the recommendation system based on source domain training for each IoT target The domain intrusion detection data recommends an Internet source domain intrusion detection data that is most similar to it;
构建模块:还用于以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***;Building module: It is also used to build a target domain training-based recommendation system using IoT target domain intrusion detection data as input;
推荐模块:还用于采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据;Recommendation module: also used to adopt the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data;
匹配损失计算模块:用于计算得到每个通讯类别之间的基于源域训练的推荐***的推荐结果与基于目标域训练的推荐***的推荐结果之间的欧式距离,得到推荐***匹配损失;Matching loss calculation module: used to calculate the Euclidean distance between the recommendation results of the recommendation system based on source domain training and the recommendation results of the recommendation system based on target domain training for each communication category, and obtain the matching loss of the recommendation system;
监督损失计算模块:用于根据所述互联网源域入侵检测数据,计算得到监督损失;A supervision loss calculation module: used to calculate the supervision loss according to the Internet source domain intrusion detection data;
更新模块:用于对所述监督损失与所述推荐***匹配损失进行优化,更新神经网络的参数;Update module: used to optimize the supervision loss and the recommendation system matching loss and update the parameters of the neural network;
入侵检测模块:用于当推荐***为物联网目标域推荐互联网源域入侵检测数据的余弦相似度大于设定阈值时,使用推荐***所推荐的互联网源域入侵检测数据的入侵类型作为最终入侵类型;当未达到设定阈值时,则使用神经网络分类器对物联网目标域入侵检测数据进行入侵检测。Intrusion detection module: When the cosine similarity of the Internet source domain intrusion detection data recommended by the recommendation system for the IoT target domain is greater than the set threshold, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type; when the set threshold is not reached, the neural network classifier is used to perform intrusion detection on the IoT target domain intrusion detection data.
本申请实施例采取的又一技术方案为:一种设备,所述设备包括处理器、与所述处理器耦接的存储器,其中,Another technical solution adopted by the embodiment of the present application is: a device, the device includes a processor and a memory coupled to the processor, wherein:
所述存储器存储有用于实现所述物联网入侵检测方法的程序指令;The memory stores program instructions for implementing the Internet of Things intrusion detection method;
所述处理器用于执行所述存储器存储的所述程序指令以控制物联网入侵检测。The processor is used to execute the program instructions stored in the memory to control the Internet of Things intrusion detection.
本申请实施例采取的又一技术方案为:一种存储介质,存储有处理器可运行的程序指令,所述程序指令用于执行所述物联网入侵检测方法。Another technical solution adopted by the embodiment of the present application is: a storage medium storing program instructions executable by a processor, wherein the program instructions are used to execute the Internet of Things intrusion detection method.
相对于现有技术,本申请产生的有益效果在于:涉及一个互联网入侵数据领域,其包含从互联网领域采集的入侵检测数据,如从网络中心服务器上采集的入侵检测数据,以及一个完全没有标记的物联网领域。通过将丰富的入侵检 测知识从互联网入侵领域迁移至数据稀少的物联网入侵领域,并通过推荐***增强知识迁移时的准确性,从而使得数据稀少的物联网领域可以进行更加有效的入侵检测,克服物联网数据稀少的困难。相对于现有技术,本申请至少具有以下有益效果:Compared with the prior art, the beneficial effects of this application are: it involves an Internet intrusion data field, which includes intrusion detection data collected from the Internet field, such as intrusion detection data collected from network center servers, and an Internet of Things field that is completely unlabeled. The detection knowledge is transferred from the Internet intrusion field to the Internet of Things intrusion field with scarce data, and the accuracy of knowledge transfer is enhanced through the recommendation system, so that the Internet of Things field with scarce data can perform more effective intrusion detection, overcoming the difficulty of scarce Internet of Things data. Compared with the prior art, this application has at least the following beneficial effects:
1、本申请采用了基于迁移学习的方式,对物联网设备进行入侵检测,其优势在于相较于传统的入侵检测方法而言,本申请能够在数据稀少的无监督场景下进行有效的物联网入侵检测,且能够克服互联网入侵数据源域与物联网入侵数据目标域之间的特征异构性。1. This application adopts a transfer learning-based approach to perform intrusion detection on IoT devices. Its advantage is that compared with traditional intrusion detection methods, this application can perform effective IoT intrusion detection in unsupervised scenarios with scarce data, and can overcome the feature heterogeneity between the Internet intrusion data source domain and the IoT intrusion data target domain.
2、本申请采用一种推荐***推荐结果匹配的方式,使得迁移学习方法在进行入侵检测知识迁移时可以更加细化。推荐***推荐结果匹配机制能够促使入侵数据在两个数据领域之间实现更加细化的匹配,而更加细化的特征匹配则可以进一步使得推荐***可以更好的挖掘入侵信息与知识,从而形成一个推荐***匹配与特征空间匹配之间的良性循环。2. This application adopts a recommendation system recommendation result matching method, so that the transfer learning method can be more refined when transferring intrusion detection knowledge. The recommendation system recommendation result matching mechanism can promote a more refined matching of intrusion data between two data fields, and more refined feature matching can further enable the recommendation system to better mine intrusion information and knowledge, thus forming a virtuous cycle between recommendation system matching and feature space matching.
3、本申请采用推荐***与神经网络分类器相结合的方式进行入侵检测的决断。推荐***作为一个可以有效挖掘类别兴趣的工具,其在进行良好训练的情况下可以充分的对不同入侵类别进行特征挖掘与学习,从而相较于神经网络而言做出更加准确的入侵检测判断。3. This application uses a combination of recommendation system and neural network classifier to make intrusion detection decisions. As a tool that can effectively mine category interests, the recommendation system can fully mine and learn features of different intrusion categories when well trained, thereby making more accurate intrusion detection judgments than neural networks.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1是本申请实施例的物联网入侵检测方法的流程图;FIG1 is a flow chart of an IoT intrusion detection method according to an embodiment of the present application;
图2为本申请实施例的物联网入侵检测装置结构示意图;FIG2 is a schematic diagram of the structure of an IoT intrusion detection device according to an embodiment of the present application;
图3为本申请实施例的设备结构示意图;FIG3 is a schematic diagram of the device structure of an embodiment of the present application;
图4为本申请实施例的存储介质的结构示意图。FIG. 4 is a schematic diagram of the structure of a storage medium according to an embodiment of the present application.
具体实施方式Detailed ways
为了使本申请的目的、技术方案及优点更加清楚明白,以下结合附图及实 施例,对本申请进行进一步详细说明。应当理解,此处所描述的具体实施例仅用以解释本申请,并不用于限定本申请。In order to make the purpose, technical solutions and advantages of this application more clear, the following is a It should be understood that the specific embodiments described herein are only used to explain the present application and are not used to limit the present application.
请参阅图1,是本申请实施例的物联网入侵检测方法的流程图。本申请实施例的物联网入侵检测方法包括以下步骤:Please refer to FIG1 , which is a flow chart of an IoT intrusion detection method according to an embodiment of the present application. The IoT intrusion detection method according to an embodiment of the present application comprises the following steps:
步骤S1,将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器。具体而言:Step S1, inputting the Internet source domain intrusion detection data into the source domain feature mapper, and inputting the IoT target domain intrusion detection data into the target domain feature mapper. Specifically:
将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器。源域特征映射器与目标域特征映射器均为两层的全连接神经网络,以LeakyRelu作为激活函数。源域特征映射器与目标域特征映射器将互联网源域入侵检测数据以及物联网目标域入侵检测数据映射至一个公共特征空间中。The Internet source domain intrusion detection data is input into the source domain feature mapper, and the IoT target domain intrusion detection data is input into the target domain feature mapper. Both the source domain feature mapper and the target domain feature mapper are two-layer fully connected neural networks with LeakyRelu as the activation function. The source domain feature mapper and the target domain feature mapper map the Internet source domain intrusion detection data and the IoT target domain intrusion detection data into a common feature space.
步骤S2,以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***。具体而言:Step S2, using the Internet source domain intrusion detection data as input, constructs a recommendation system based on source domain training. Specifically:
采用Latent Semantic Indexing(潜在语义索引,LSI)算法,以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***。其数学表达式如下:
The Latent Semantic Indexing (LSI) algorithm is used to construct a recommendation system based on source domain training using Internet source domain intrusion detection data as input. Its mathematical expression is as follows:
其中,M矩阵为源域特征矩阵,U为特征-隐空间矩阵,T为隐空间变换矩阵,V为通讯数据-隐空间矩阵,R为维度参数,为互联网源域第i条通讯数据,为物联网目标域第j条通讯数据,为物联网目标域第j条通讯数据经推荐***处理后的数据表示。Among them, M matrix is the source domain feature matrix, U is the feature-latent space matrix, T is the latent space transformation matrix, V is the communication data-latent space matrix, and R is the dimension parameter. is the ith communication data in the Internet source domain, is the jth communication data of the IoT target domain, It is the data representation of the jth communication data in the IoT target domain after being processed by the recommendation system.
步骤S3,采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据。具体而言:Step S3, using the source domain training-based recommendation system, recommends the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data. Specifically:
采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据。被推荐的所述互联网源域入 侵检测数据的入侵类别标签作为所述物联网目标域入侵检测数据的推荐***标签。其数学表达式如下:
The source domain training-based recommendation system is used to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data. The intrusion category label of the intrusion detection data is used as the recommendation system label of the intrusion detection data of the target domain of the Internet of Things. Its mathematical expression is as follows:
其中,RSS(xT j)表示为第j个物联网目标域通讯数据推荐的互联网源域数据,PL为第j个物联网目标域通讯数据的推荐***标签。Among them, RSS ( xTj ) represents the Internet source domain data recommended for the j-th IoT target domain communication data, and PL is the recommendation system label of the j-th IoT target domain communication data.
推荐规则基于余弦距离的最大化。之后,对所有物联网目标域入侵检测数据,根据其推荐***标签按类取均值向量。The recommendation rule is based on the maximization of the cosine distance. After that, for all IoT target domain intrusion detection data, the mean vector is taken by class according to its recommendation system label.
步骤S4,以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***。具体而言:Step S4, using the IoT target domain intrusion detection data as input, construct a recommendation system based on target domain training. Specifically:
采用Latent Semantic Indexing(潜在语义索引,LSI)算法,以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***。The Latent Semantic Indexing (LSI) algorithm is adopted to take the intrusion detection data of the target domain of IoT as input, and a recommendation system based on target domain training is constructed.
具体构建过程与步骤S2类似,此处不再赘述。The specific construction process is similar to step S2 and will not be repeated here.
步骤S5:采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据。具体包括:Step S5: Using the target domain training-based recommendation system, recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data. Specifically including:
对所有互联网源域入侵检测数据按类取平均,并采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据,并对所述N个相似的物联网目标域入侵检测数据取均值向量。All Internet source domain intrusion detection data are averaged by category, and the recommendation system based on target domain training is used to recommend the top N similar Internet of Things target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data, and the mean vector of the N similar Internet of Things target domain intrusion detection data is taken.
步骤S6:计算得到每个通讯类别之间的基于源域训练的推荐***的推荐结果与基于目标域训练的推荐***的推荐结果之间的欧式距离,得到推荐***匹配损失。具体而言:Step S6: Calculate the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category, and obtain the recommendation system matching loss. Specifically:
最小化每个通讯类别之间的基于源域训练的推荐***的推荐结果以及基于目标域训练的推荐***的推荐结果之间的欧式距离,其数学表达式如下:
Minimize the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category. The mathematical expression is as follows:
其中,LABR为推荐***匹配损失,以及分别为基于源域训练的推荐***为物联网目标域的推荐,以及基于目标域训练的推荐***为互联网源域的推荐。Among them, L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
步骤S7:根据所述互联网源域入侵检测数据,计算得到监督损失。具体而言:Step S7: Calculate the supervision loss based on the Internet source domain intrusion detection data. Specifically:
计算互联网源域入侵检测数据监督损失,其数学表达式如下:
Calculate the supervision loss of Internet source domain intrusion detection data. The mathematical expression is as follows:
其中:LSUP为互联网源域入侵检测数据监督损失;nS为互联网源域入侵检测数据量;LCE为交叉熵损失函数;C为公共分类器,其为一个一层的神经网络;f为特征映射器;x与y分别为互联网源域入侵检测数据的特征及其对应标签。Among them: L SUP is the supervision loss of Internet source domain intrusion detection data; n S is the amount of Internet source domain intrusion detection data; L CE is the cross entropy loss function; C is the common classifier, which is a one-layer neural network; f is the feature mapper; x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
步骤S8:对所述监督损失与所述推荐***匹配损失进行优化,更新神经网络的参数。具体而言:Step S8: Optimize the supervision loss and the recommendation system matching loss, and update the parameters of the neural network. Specifically:
采用梯度下降优化算法对所述监督损失与所述推荐***匹配损失进行优化,更新网络参数。判断模型是否收敛:如果模型收敛,则执行步骤S9;否则,返回步骤S1。The supervision loss and the recommendation system matching loss are optimized by using a gradient descent optimization algorithm to update the network parameters. Determine whether the model has converged: if the model has converged, execute step S9; otherwise, return to step S1.
步骤S9:进行物联网入侵检测。具体而言:Step S9: Perform IoT intrusion detection. Specifically:
进行入侵检测:若推荐***为物联网目标域推荐互联网源域入侵检测数据时的余弦相似度大于设定阈值,如0.6,则使用推荐***所推荐的互联网源域入侵检测数据的入侵类型作为最终入侵类型判断;若未达到设定阈值,则使用神经网络分类器对物联网目标域入侵检测数据进行入侵检测判断。 Perform intrusion detection: If the cosine similarity when the recommendation system recommends Internet source domain intrusion detection data for the IoT target domain is greater than the set threshold, such as 0.6, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type judgment; if the set threshold is not reached, the neural network classifier is used to perform intrusion detection judgment on the IoT target domain intrusion detection data.
请参阅图2,为本申请实施例的物联网入侵检测装置结构示意图。本申请实施例的物联网入侵检测装置10包括:输入模块101、构建模块102、推荐模块103、匹配损失计算模块104、监督损失计算模块105、更新模块106、入侵检测模块107。其中:Please refer to FIG2 , which is a schematic diagram of the structure of the IoT intrusion detection device of the embodiment of the present application. The IoT intrusion detection device 10 of the embodiment of the present application comprises: an input module 101, a construction module 102, a recommendation module 103, a matching loss calculation module 104, a supervision loss calculation module 105, an update module 106, and an intrusion detection module 107. Among them:
所述输入模块101用于将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器。具体而言:The input module 101 is used to input the Internet source domain intrusion detection data into the source domain feature mapper, and input the Internet of Things target domain intrusion detection data into the target domain feature mapper. Specifically:
所述输入模块101将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器。源域特征映射器与目标域特征映射器均为两层的全连接神经网络,以LeakyRelu作为激活函数。源域特征映射器与目标域特征映射器将互联网源域入侵检测数据以及物联网目标域入侵检测数据映射至一个公共特征空间中。The input module 101 inputs the Internet source domain intrusion detection data into the source domain feature mapper, and inputs the Internet of Things target domain intrusion detection data into the target domain feature mapper. Both the source domain feature mapper and the target domain feature mapper are two-layer fully connected neural networks with LeakyRelu as the activation function. The source domain feature mapper and the target domain feature mapper map the Internet source domain intrusion detection data and the Internet of Things target domain intrusion detection data into a common feature space.
所述构建模块102用于以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***。具体而言:The construction module 102 is used to construct a recommendation system based on source domain training using Internet source domain intrusion detection data as input. Specifically:
所述构建模块102采用Latent Semantic Indexing(潜在语义索引,LSI)算法,以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***。其数学表达式如下:
The construction module 102 uses the Latent Semantic Indexing (LSI) algorithm, takes the Internet source domain intrusion detection data as input, and constructs a recommendation system based on source domain training. Its mathematical expression is as follows:
其中,M矩阵为源域特征矩阵,U为特征-隐空间矩阵,T为隐空间变换矩阵,V为通讯数据-隐空间矩阵,R为维度参数,为互联网源域第i条通讯数据,为物联网目标域第j条通讯数据,为物联网目标域第j条通讯数据经推荐***处理后的数据表示。Among them, M matrix is the source domain feature matrix, U is the feature-latent space matrix, T is the latent space transformation matrix, V is the communication data-latent space matrix, and R is the dimension parameter. is the ith communication data in the Internet source domain, is the jth communication data of the IoT target domain, It is the data representation of the jth communication data in the IoT target domain after being processed by the recommendation system.
所述推荐模块103用于采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据。具体而言:The recommendation module 103 is used to use the recommendation system based on source domain training to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data. Specifically:
所述推荐模块103采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据。被推荐的所 述互联网源域入侵检测数据的入侵类别标签作为所述物联网目标域入侵检测数据的推荐***标签。其数学表达式如下:
The recommendation module 103 uses the recommendation system based on source domain training to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data. The intrusion category label of the Internet source domain intrusion detection data is used as the recommendation system label of the IoT target domain intrusion detection data. Its mathematical expression is as follows:
其中,RSS(xT j)表示为第j个物联网目标域通讯数据推荐的互联网源域数据,PL为第j个物联网目标域通讯数据的推荐***标签。Among them, RSS ( xTj ) represents the Internet source domain data recommended for the j-th IoT target domain communication data, and PL is the recommendation system label of the j-th IoT target domain communication data.
推荐规则基于余弦距离的最大化。之后,对所有物联网目标域入侵检测数据,根据其推荐***标签按类取均值向量。The recommendation rule is based on the maximization of the cosine distance. After that, for all IoT target domain intrusion detection data, the mean vector is taken by class according to its recommendation system label.
所述构建模块102还用于以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***。具体而言:The construction module 102 is also used to construct a recommendation system based on target domain training using the IoT target domain intrusion detection data as input. Specifically:
所述构建模块102采用Latent Semantic Indexing(潜在语义索引,LSI)算法,以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***。The construction module 102 adopts Latent Semantic Indexing (LSI) algorithm, takes the intrusion detection data of the target domain of the Internet of Things as input, and constructs a recommendation system based on target domain training.
所述推荐模块103还用于采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据。具体包括:The recommendation module 103 is also used to use the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data. Specifically including:
所述推荐模块103对所有互联网源域入侵检测数据按类取平均,并采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据,并对所述N个相似的物联网目标域入侵检测数据取均值向量。The recommendation module 103 averages all Internet source domain intrusion detection data by category, and adopts the recommendation system based on target domain training to recommend the top N similar Internet of Things target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data, and takes the mean vector of the N similar Internet of Things target domain intrusion detection data.
所述匹配损失计算模块104用于计算得到每个通讯类别之间的基于源域训练的推荐***的推荐结果与基于目标域训练的推荐***的推荐结果之间的欧式距离,得到推荐***匹配损失。具体而言:The matching loss calculation module 104 is used to calculate the Euclidean distance between the recommendation results of the recommendation system based on source domain training and the recommendation results of the recommendation system based on target domain training for each communication category, and obtain the matching loss of the recommendation system. Specifically:
所述匹配损失计算模块104最小化每个通讯类别之间的基于源域训练的推荐***的推荐结果以及基于目标域训练的推荐***的推荐结果之间的欧式距离,其数学表达式如下:
The matching loss calculation module 104 minimizes the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category, and its mathematical expression is as follows:
其中,LABR为推荐***匹配损失,以及分别为基于源域训练的推荐***为物联网目标域的推荐,以及基于目标域训练的推荐***为互联网源域的推荐。Among them, L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
所述监督损失计算模块105用于根据所述互联网源域入侵检测数据,计算得到监督损失。具体而言:The supervision loss calculation module 105 is used to calculate the supervision loss based on the Internet source domain intrusion detection data. Specifically:
所述监督损失计算模块105计算互联网源域入侵检测数据监督损失,其数学表达式如下:
The supervision loss calculation module 105 calculates the supervision loss of Internet source domain intrusion detection data, and its mathematical expression is as follows:
其中:LSUP为互联网源域入侵检测数据监督损失;nS为互联网源域入侵检测数据量;LCE为交叉熵损失函数;C为公共分类器,其为一个一层的神经网络;f为特征映射器;x与y分别为互联网源域入侵检测数据的特征及其对应标签。Among them: L SUP is the supervision loss of Internet source domain intrusion detection data; n S is the amount of Internet source domain intrusion detection data; L CE is the cross entropy loss function; C is the common classifier, which is a one-layer neural network; f is the feature mapper; x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
所述更新模块106用于对所述监督损失与所述推荐***匹配损失进行优化,更新神经网络的参数。具体而言:The updating module 106 is used to optimize the supervision loss and the recommendation system matching loss and update the parameters of the neural network. Specifically:
所述更新模块106采用梯度下降优化算法对所述监督损失与所述推荐***匹配损失进行优化,更新网络参数。The updating module 106 optimizes the supervision loss and the recommendation system matching loss using a gradient descent optimization algorithm to update network parameters.
所述入侵检测模块107用于进行物联网入侵检测。具体而言:The intrusion detection module 107 is used to perform intrusion detection on the Internet of Things. Specifically:
所述入侵检测模块107进行入侵检测:若推荐***为物联网目标域推荐互联网源域入侵检测数据时的余弦相似度大于设定阈值,如0.6,则使用推荐***所推荐的互联网源域入侵检测数据的入侵类型作为最终入侵类型判断;若未达到设定阈值,则使用神经网络分类器对物联网目标域入侵检测数据进行入侵检测判断。The intrusion detection module 107 performs intrusion detection: if the cosine similarity when the recommendation system recommends Internet source domain intrusion detection data for the IoT target domain is greater than a set threshold, such as 0.6, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type judgment; if the set threshold is not reached, a neural network classifier is used to perform intrusion detection judgment on the IoT target domain intrusion detection data.
请参阅图3,为本申请实施例的设备结构示意图。该设备50包括处理器51、与处理器51耦接的存储器52。 Please refer to FIG3 , which is a schematic diagram of the device structure of an embodiment of the present application. The device 50 includes a processor 51 and a memory 52 coupled to the processor 51 .
存储器52存储有用于实现上述物联网入侵检测方法的程序指令。The memory 52 stores program instructions for implementing the above-mentioned Internet of Things intrusion detection method.
处理器51用于执行存储器52存储的程序指令以控制物联网入侵检测。The processor 51 is used to execute program instructions stored in the memory 52 to control the Internet of Things intrusion detection.
其中,处理器51还可以称为CPU(Central Processing Unit,中央处理单元)。处理器51可能是一种集成电路芯片,具有信号的处理能力。处理器51还可以是通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。The processor 51 may also be referred to as a CPU (Central Processing Unit). The processor 51 may be an integrated circuit chip having signal processing capabilities. The processor 51 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. The general-purpose processor may be a microprocessor or the processor may also be any conventional processor, etc.
请参阅图4,为本申请实施例的存储介质的结构示意图。本申请实施例的存储介质存储有能够实现上述所有方法的程序文件61,其中,该程序文件61可以以软件产品的形式存储在上述存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器(processor)执行本发明各个实施方式方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质,或者是计算机、服务器、手机、平板等设备。Please refer to Figure 4, which is a schematic diagram of the structure of the storage medium of the embodiment of the present application. The storage medium of the embodiment of the present application stores a program file 61 that can implement all the above methods, wherein the program file 61 can be stored in the above storage medium in the form of a software product, including a number of instructions to enable a computer device (which can be a personal computer, server, or network device, etc.) or a processor (processor) to perform all or part of the steps of the methods of each embodiment of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), disk or optical disk and other media that can store program codes, or computers, servers, mobile phones, tablets and other devices.
需要说明的是:本申请具有普遍适用性,可以用于进行多种多样的通讯检测,如入侵检测、安全检测、任务检测等等。本申请对于源域数据与目标域数据的特征与分布具有鲁棒性。本申请可以作用于同构或是异构的源域数据与目标域数据上。本申请可以作用于完全没有监督信息的物联网待测数据上。It should be noted that: this application has general applicability and can be used for a variety of communication detections, such as intrusion detection, security detection, task detection, etc. This application is robust to the characteristics and distribution of source domain data and target domain data. This application can act on homogeneous or heterogeneous source domain data and target domain data. This application can act on IoT data to be tested that has no supervisory information at all.
对所公开的实施例的上述说明,使本领域专业技术人员能够实现或使用本申请。对这些实施例的多种修改对本领域的专业技术人员来说将是显而易见的,本申请中所定义的一般原理可以在不脱离本申请的精神或范围的情况下,在其它实施例中实现。因此,本申请将不会被限制于本申请所示的这些实施例,而是要符合与本申请所公开的原理和新颖特点相一致的最宽的范围。 The above description of the disclosed embodiments enables professionals and technicians in the field to implement or use the present application. Various modifications to these embodiments will be apparent to professionals and technicians in the field, and the general principles defined in this application can be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application will not be limited to the embodiments shown in the present application, but will conform to the widest scope consistent with the principles and novel features disclosed in the present application.

Claims (10)

  1. 一种物联网入侵检测方法,其特征在于,包括:An Internet of Things intrusion detection method, characterized by comprising:
    步骤S1:将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器;Step S1: inputting the Internet source domain intrusion detection data into the source domain feature mapper, and inputting the IoT target domain intrusion detection data into the target domain feature mapper;
    步骤S2:以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***;Step S2: Using the Internet source domain intrusion detection data as input, a recommendation system based on source domain training is constructed;
    步骤S3,采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据;Step S3, using the source domain training-based recommendation system to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data;
    步骤S4,以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***;Step S4, using the IoT target domain intrusion detection data as input, building a target domain training-based recommendation system;
    步骤S5:采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据;Step S5: using the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data;
    步骤S6:计算得到每个通讯类别之间的基于源域训练的推荐***的推荐结果与基于目标域训练的推荐***的推荐结果之间的欧式距离,得到推荐***匹配损失;Step S6: Calculate the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category to obtain the recommendation system matching loss;
    步骤S7:根据所述互联网源域入侵检测数据,计算得到监督损失;Step S7: Calculate the supervision loss according to the Internet source domain intrusion detection data;
    步骤S8:对所述监督损失与所述推荐***匹配损失进行优化,更新神经网络的参数;Step S8: Optimizing the supervision loss and the recommendation system matching loss, and updating the parameters of the neural network;
    步骤S9:若推荐***为物联网目标域推荐互联网源域入侵检测数据的余弦相似度大于设定阈值,则使用推荐***所推荐的互联网源域入侵检测数据的入侵类型作为最终入侵类型;若未达到设定阈值,则使用神经网络分类器对物联网目标域入侵检测数据进行入侵检测。Step S9: If the cosine similarity of the Internet source domain intrusion detection data recommended by the recommendation system for the IoT target domain is greater than the set threshold, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type; if the set threshold is not reached, a neural network classifier is used to perform intrusion detection on the IoT target domain intrusion detection data.
  2. 根据权利要求1所述的物联网入侵检测方法,其特征在于,所述步骤S2包括:The IoT intrusion detection method according to claim 1, wherein step S2 comprises:
    采用Latent Semantic Indexing算法,以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***;其数学表达式为:
    The Latent Semantic Indexing algorithm is used to construct a recommendation system based on source domain training with Internet source domain intrusion detection data as input; its mathematical expression is:
    其中,M矩阵为源域特征矩阵,U为特征-隐空间矩阵,T为隐空间变换矩阵,V为通讯数据-隐空间矩阵,R为维度参数,为互联网源域第i条通讯数据,为物联网目标域第j条通讯数据,为物联网目标域第j条通讯数据经推荐***处理后的数据表示。Among them, M matrix is the source domain feature matrix, U is the feature-latent space matrix, T is the latent space transformation matrix, V is the communication data-latent space matrix, and R is the dimension parameter. is the ith communication data in the Internet source domain, is the jth communication data of the IoT target domain, It is the data representation of the jth communication data in the IoT target domain after being processed by the recommendation system.
  3. 根据权利要求2所述的物联网入侵检测方法,其特征在于,所述步骤S3包括:The IoT intrusion detection method according to claim 2, wherein step S3 comprises:
    采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据,被推荐的所述互联网源域入侵检测数据的入侵类别标签作为所述物联网目标域入侵检测数据的推荐***标签,其数学表达式如下:
    The recommendation system based on source domain training is used to recommend an Internet source domain intrusion detection data that is most similar to each IoT target domain intrusion detection data. The intrusion category label of the recommended Internet source domain intrusion detection data is used as the recommendation system label of the IoT target domain intrusion detection data. The mathematical expression is as follows:
    其中,RSS(xT j)表示为第j个物联网目标域通讯数据推荐的互联网源域数据,PL为第j个物联网目标域通讯数据的推荐***标签;Among them, RS S (x T j ) represents the Internet source domain data recommended for the j-th IoT target domain communication data, and PL is the recommendation system label of the j-th IoT target domain communication data;
    之后,对所有物联网目标域入侵检测数据,根据其推荐***标签按类取均值向量。Afterwards, for all IoT target domain intrusion detection data, the mean vector is taken by class according to its recommendation system label.
  4. 根据权利要求3所述的物联网入侵检测方法,其特征在于,所述步骤S5包括:The IoT intrusion detection method according to claim 3, wherein step S5 comprises:
    对所有互联网源域入侵检测数据按类取平均,并采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据,并对所述N个相似的物联网目标域入侵检测数据取均值向量。All Internet source domain intrusion detection data are averaged by category, and the recommendation system based on target domain training is used to recommend the top N similar Internet of Things target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data, and the mean vector of the N similar Internet of Things target domain intrusion detection data is taken.
  5. 根据权利要求4所述的物联网入侵检测方法,其特征在于,所述步骤S6包括: The IoT intrusion detection method according to claim 4, wherein step S6 comprises:
    最小化每个通讯类别之间的基于源域训练的推荐***的推荐结果以及基于目标域训练的推荐***的推荐结果之间的欧式距离,其数学表达式如下:
    Minimize the Euclidean distance between the recommendation results of the recommendation system based on the source domain training and the recommendation results of the recommendation system based on the target domain training for each communication category. The mathematical expression is as follows:
    其中,LABR为推荐***匹配损失,以及分别为基于源域训练的推荐***为物联网目标域的推荐,以及基于目标域训练的推荐***为互联网源域的推荐。Among them, L ABR is the matching loss of the recommendation system, as well as They are respectively the recommendation system based on source domain training for the IoT target domain and the recommendation system based on target domain training for the Internet source domain.
  6. 根据权利要求5所述的物联网入侵检测方法,其特征在于,所述步骤S7包括:The IoT intrusion detection method according to claim 5, wherein step S7 comprises:
    计算互联网源域入侵检测数据监督损失,其数学表达式如下:
    Calculate the supervision loss of Internet source domain intrusion detection data. The mathematical expression is as follows:
    其中:LSUP为互联网源域入侵检测数据监督损失;nS为互联网源域入侵检测数据量;LCE为交叉熵损失函数;C为公共分类器,其为一个一层的神经网络;f为特征映射器;x与y分别为互联网源域入侵检测数据的特征及其对应标签。Among them: L SUP is the supervision loss of Internet source domain intrusion detection data; n S is the amount of Internet source domain intrusion detection data; L CE is the cross entropy loss function; C is the common classifier, which is a one-layer neural network; f is the feature mapper; x and y are the features of Internet source domain intrusion detection data and their corresponding labels, respectively.
  7. 根据权利要求6所述的物联网入侵检测方法,其特征在于,所述步骤S8包括:The IoT intrusion detection method according to claim 6, wherein step S8 comprises:
    采用梯度下降优化算法对所述监督损失与所述推荐***匹配损失进行优化,更新网络参数;判断模型是否收敛:如果模型收敛,则执行步骤S9;否则,返回步骤S1。The supervision loss and the recommendation system matching loss are optimized by using a gradient descent optimization algorithm, and the network parameters are updated; and whether the model converges is determined: if the model converges, step S9 is executed; otherwise, step S1 is returned.
  8. 一种物联网入侵检测装置,其特征在于,包括:An Internet of Things intrusion detection device, characterized by comprising:
    输入模块:用于将互联网源域入侵检测数据输入至源域特征映射器,将物联网目标域入侵检测数据输入至目标域特征映射器;Input module: used to input the Internet source domain intrusion detection data into the source domain feature mapper, and input the IoT target domain intrusion detection data into the target domain feature mapper;
    构建模块:用于以互联网源域入侵检测数据作为输入,构建基于源域训练的推荐***;Building module: used to take Internet source domain intrusion detection data as input and build a recommendation system based on source domain training;
    推荐模块:用于采用所述基于源域训练的推荐***,为每一个物联网目标域入侵检测数据推荐一个与其最相似的互联网源域入侵检测数据; Recommendation module: used to use the recommendation system based on source domain training to recommend the most similar Internet source domain intrusion detection data to each IoT target domain intrusion detection data;
    构建模块:还用于以物联网目标域入侵检测数据作为输入,构建基于目标域训练的推荐***;Building module: It is also used to build a target domain training-based recommendation system using IoT target domain intrusion detection data as input;
    推荐模块:还用于采用所述基于目标域训练的推荐***,为每个互联网源域入侵检测数据的均值向量推荐前N个相似的物联网目标域入侵检测数据;Recommendation module: also used to adopt the target domain training-based recommendation system to recommend the top N similar IoT target domain intrusion detection data for the mean vector of each Internet source domain intrusion detection data;
    匹配损失计算模块:用于计算得到每个通讯类别之间的基于源域训练的推荐***的推荐结果与基于目标域训练的推荐***的推荐结果之间的欧式距离,得到推荐***匹配损失;Matching loss calculation module: used to calculate the Euclidean distance between the recommendation results of the recommendation system based on source domain training and the recommendation results of the recommendation system based on target domain training for each communication category, and obtain the matching loss of the recommendation system;
    监督损失计算模块:用于根据所述互联网源域入侵检测数据,计算得到监督损失;A supervision loss calculation module: used to calculate the supervision loss according to the Internet source domain intrusion detection data;
    更新模块:用于对所述监督损失与所述推荐***匹配损失进行优化,更新神经网络的参数;Update module: used to optimize the supervision loss and the recommendation system matching loss and update the parameters of the neural network;
    入侵检测模块:用于当推荐***为物联网目标域推荐互联网源域入侵检测数据的余弦相似度大于设定阈值时,使用推荐***所推荐的互联网源域入侵检测数据的入侵类型作为最终入侵类型;当未达到设定阈值时,则使用神经网络分类器对物联网目标域入侵检测数据进行入侵检测。Intrusion detection module: When the cosine similarity of the Internet source domain intrusion detection data recommended by the recommendation system for the IoT target domain is greater than the set threshold, the intrusion type of the Internet source domain intrusion detection data recommended by the recommendation system is used as the final intrusion type; when the set threshold is not reached, the neural network classifier is used to perform intrusion detection on the IoT target domain intrusion detection data.
  9. 一种设备,其特征在于,所述设备包括处理器、与所述处理器耦接的存储器,其中,A device, characterized in that the device comprises a processor and a memory coupled to the processor, wherein:
    所述存储器存储有用于实现权利要求1-7任一项所述的物联网入侵检测方法的程序指令;The memory stores program instructions for implementing the Internet of Things intrusion detection method according to any one of claims 1 to 7;
    所述处理器用于执行所述存储器存储的所述程序指令以控制物联网入侵检测。The processor is used to execute the program instructions stored in the memory to control the Internet of Things intrusion detection.
  10. 一种存储介质,其特征在于,存储有处理器可运行的程序指令,所述程序指令用于执行权利要求1至7任一项所述物联网入侵检测方法。 A storage medium, characterized in that it stores program instructions executable by a processor, wherein the program instructions are used to execute the Internet of Things intrusion detection method described in any one of claims 1 to 7.
PCT/CN2023/133080 2022-12-07 2023-11-21 Internet of things intrusion detection method and apparatus, device, and storage medium WO2024120186A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211561759.8 2022-12-07
CN202211561759.8A CN115955336A (en) 2022-12-07 2022-12-07 Internet of things intrusion detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2024120186A1 true WO2024120186A1 (en) 2024-06-13

Family

ID=87297462

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/133080 WO2024120186A1 (en) 2022-12-07 2023-11-21 Internet of things intrusion detection method and apparatus, device, and storage medium

Country Status (2)

Country Link
CN (1) CN115955336A (en)
WO (1) WO2024120186A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115955336A (en) * 2022-12-07 2023-04-11 中国科学院深圳先进技术研究院 Internet of things intrusion detection method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170220951A1 (en) * 2016-02-02 2017-08-03 Xerox Corporation Adapting multiple source classifiers in a target domain
CN110224987A (en) * 2019-05-08 2019-09-10 西安电子科技大学 The construction method of Internet Intrusion Detection Model based on transfer learning, detection system
CN113191478A (en) * 2020-01-14 2021-07-30 阿里巴巴集团控股有限公司 Training method, device and system of neural network model
CN115374843A (en) * 2022-08-04 2022-11-22 中国科学院深圳先进技术研究院 Internet of things intrusion detection model training method, device, equipment and storage medium
CN115955336A (en) * 2022-12-07 2023-04-11 中国科学院深圳先进技术研究院 Internet of things intrusion detection method, device, equipment and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170220951A1 (en) * 2016-02-02 2017-08-03 Xerox Corporation Adapting multiple source classifiers in a target domain
CN110224987A (en) * 2019-05-08 2019-09-10 西安电子科技大学 The construction method of Internet Intrusion Detection Model based on transfer learning, detection system
CN113191478A (en) * 2020-01-14 2021-07-30 阿里巴巴集团控股有限公司 Training method, device and system of neural network model
CN115374843A (en) * 2022-08-04 2022-11-22 中国科学院深圳先进技术研究院 Internet of things intrusion detection model training method, device, equipment and storage medium
CN115955336A (en) * 2022-12-07 2023-04-11 中国科学院深圳先进技术研究院 Internet of things intrusion detection method, device, equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Master’s Theses", 12 June 2021, BEIJING UNIVERSITY OF POSTS AND TELECOMMUNICATIONS, China, article NIU, JIE: " Research on Network Intrusion Detection Technology Based on Artificial Intelligence", pages: 1 - 64, XP009555251 *

Also Published As

Publication number Publication date
CN115955336A (en) 2023-04-11

Similar Documents

Publication Publication Date Title
Sarker Machine learning: Algorithms, real-world applications and research directions
Ali et al. Hybrid intelligent phishing website prediction using deep neural networks with genetic algorithm‐based feature selection and weighting
Wang et al. HAST-IDS: Learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection
Yan et al. Learning URL embedding for malicious website detection
WO2022104540A1 (en) Cross-modal hash retrieval method, terminal device, and storage medium
Imran et al. An intelligent and efficient network intrusion detection system using deep learning
US11995155B2 (en) Adversarial image generation method, computer device, and computer-readable storage medium
Zhao et al. A malware detection method of code texture visualization based on an improved faster RCNN combining transfer learning
WO2024120186A1 (en) Internet of things intrusion detection method and apparatus, device, and storage medium
Liang et al. Survey of graph neural networks and applications
Qiu et al. An adaptive social spammer detection model with semi-supervised broad learning
Xiao et al. Addressing Overfitting Problem in Deep Learning‐Based Solutions for Next Generation Data‐Driven Networks
Lu et al. An efficient communication intrusion detection scheme in AMI combining feature dimensionality reduction and improved LSTM
Huang Network Intrusion Detection Based on an Improved Long‐Short‐Term Memory Model in Combination with Multiple Spatiotemporal Structures
Duan et al. A Survey of Few‐Shot Learning: An Effective Method for Intrusion Detection
Chen et al. Survey on AI sustainability: emerging trends on learning algorithms and research challenges
Yin et al. Intrusion detection for capsule networks based on dual routing mechanism
Xu et al. I2DS: interpretable intrusion detection system using autoencoder and additive tree
Amara et al. Cross-network representation learning for anchor users on multiplex heterogeneous social network
Song et al. Intrusion detection model using gene expression programming to optimize parameters of convolutional neural network for energy internet
Ding et al. User identification across multiple social networks based on naive Bayes model
Sharma et al. Windows and IoT malware visualization and classification with deep CNN and Xception CNN using Markov images
Wang et al. Intrusion detection algorithm based on image enhanced convolutional neural network
Wu et al. Heterogeneous representation learning and matching for few-shot relation prediction
Lu et al. A Few-Shot-Based Model-Agnostic Meta-Learning for Intrusion Detection in Security of Internet of Things