
CN107135093B - Internet of things intrusion detection method and detection system based on finite automaton - Google Patents


Info

Publication number: CN107135093B
Application number: CN201710158735.0A
Authority: CN (China)
Prior art keywords: event, data, label, abnormal, conversion
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN107135093A
Inventors: 付玉龙, 闫峥, 李晖
Original and current assignee: Xidian University
Events: application filed by Xidian University; priority to CN201710158735.0A; publication of CN107135093A; application granted; publication of CN107135093B; current legal status active

Classifications

    • H04L41/14 Network analysis or design (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities (under H04L63/00)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00 Network architectures or network communication protocols for network security)

All of the above fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention relates to an Internet of Things intrusion detection method and detection system based on finite automata. Finite automata theory is used to model the general protocol group of the networked terminals; at the same time, the actions performed by the IoT terminals during interaction are monitored and modelled in real time and matched against the normal interaction behaviour predicted by the finite automaton model, so that abnormal attack behaviour can be identified. The invention can represent a complex IoT system with a compact composable labelled transition model, which greatly reduces the storage space required by the IDS. The complexity of the comparison algorithm is determined by the depth of the Glued-IOLTS (composable labelled transition model) graph of the protocol run by the corresponding IoT device, so this detection method based on finite automaton traversal can be applied in IoT systems. The invention is small, consumes few resources, executes efficiently, is convenient to use and has low deployment cost.

Description

Internet of things intrusion detection method and detection system based on finite automaton
Technical Field
The invention belongs to the technical field of Internet of things mobile communication network security, and particularly relates to an Internet of things intrusion detection method based on a finite automaton.
Background
The Internet of Things is a main trend of future network development and, because it greatly expands the network boundary of the Internet, a main direction of future 5G network development; research and investment in the Internet of Things has gradually become a consensus among high-tech companies. On the one hand, most IoT terminal devices have low performance and insufficient single-point computing capability; they are widely distributed and easily captured by an adversary; and their network topology is flexible, so attacks are easily launched from inside the network. The traditional security protocol design approach based on algorithmic complexity is therefore no longer suitable for protecting IoT devices. On the other hand, an intrusion detection system is an a posteriori security protection method, and one that is widely approved by academia and industry.
A traditional intrusion detection system can pre-judge network communication behaviour suspected of being an attack according to the characteristics of known attacks, such as traffic, behaviour and statistical rules, and thereby protect network devices and users to a certain extent. A conventional intrusion detection system (IDS) analyses system behaviour data with intrusion detection techniques to detect intrusive behaviour, i.e. it is a combination of hardware and software for intrusion detection. Although intrusion detection systems have developed into many different categories, their basic process is consistent and is broadly divided into the modules of information collection, information analysis and result processing (as shown in fig. 1). Different intrusion detection systems differ in the data sources they use and in their information analysis and detection methods. In summary, the intrusion detection system, as the second line of active defence, plays a critical role in computer and network security.
The concept of intrusion detection was first proposed by Anderson in 1980, which started research on intrusion detection systems. Denning introduced the first IDS expert system in 1988, and Heberlein developed NSM, the first intrusion detection system suitable for network systems, in 1990. Research on intrusion detection systems then gradually progressed towards distributed, large-scale detection. In recent years, with the development of technologies such as the mobile Internet of Things, intelligent hardware and virtual reality, intrusion detection for the Internet of Things has become a mainstream direction of technology development, but research on intrusion identification systems for the Internet of Things as a whole is still at an early stage. Researchers have mostly approached IoT intrusion detection from the individual technical areas that the IoT (Internet of Things) comprises. Hichem et al. proposed a dynamic intrusion detection method for IoT networks that uses game theory to combine signature-based and anomaly-based detection: a game-theoretic method is introduced at the intrusion judgement stage, game models of the intruder and of a normal user are established to compute the optimal Nash equilibrium (NE) value, and the NE value determines when to start the anomaly detection method. Chen et al. proposed a real-time pattern matching system for IoT devices using Complex Event Processing (CEP) technology; its advantage is that it uses the characteristics of the event stream to make judgements, which reduces the false alarm rate of traditional intrusion detection methods. Although this approach increases the consumption of system computing resources to some extent, it significantly reduces the feedback latency of the IDS.
Nadeem and Howarth surveyed intrusion detection systems for MANETs, a common network structure in the Internet of Things, and analysed MANET-oriented intrusion detection frameworks such as CRADs and GIDPs by comparing attack methods and detection algorithms against the characteristics of MANETs. Yan et al. also proposed a method for detecting and defending against undesirable data in MANETs based on a distributed trust management mechanism. Modia et al. studied intrusion threats and detection methods for the back-end cloud service systems of the Internet of Things and summarised recent methods and principles of cloud intrusion detection and defence, but gave no recommendations for the future development of cloud intrusion detection and defence. Although the existing methods and systems solve certain problems of IoT intrusion detection at different levels, they still cannot provide a corresponding evaluation for the IoT system as a whole, i.e. they cannot solve the problem of consistent evaluation standards for data and models across all parts of the Internet of Things. As the survey of existing IoT intrusion detection methods by Audrey et al. indicates, research on IoT-oriented intrusion detection systems mainly needs to address a "standardized variable evaluation system with high interaction capability" and "more underlying real data modeling".
In the Internet of Things, large numbers of sensing devices with only simple computing and storage capabilities are used, such as sensors, RFID (radio frequency identification) tag devices and CCTV (closed circuit television) network cameras; they greatly expand the network boundary of the current Internet and provide information acquisition and information services for the future network. However, these sensing devices may operate in an insecure environment and, because of their limited computing capability, cannot protect themselves with complex cryptographic mechanisms; they are easily interfered with, captured, decoded, and even tampered with and implanted with malicious attack programs by adversaries, leading to attacks on other devices and on the core network of the Internet of Things. To address this security risk in the Internet of Things, a lightweight active defence mechanism is needed to protect the IoT system.
Disclosure of Invention
To solve the problems of the prior art that IoT terminal devices have low performance and, because of insufficient single-point computing capability, cannot use complex cryptographic algorithms and authentication protocols, the invention provides an Internet of Things intrusion detection method and detection system based on finite automata. At the same time, the system state-machine model is easy to understand, convenient to use and low in deployment cost. The technical problem to be solved by the invention is achieved by the following technical scheme:
an Internet of things intrusion detection method based on finite automata comprises the following steps:
step 1, establishing a combinable label conversion model for carrying out standardized representation on channels among label conversion models by adopting a general protocol group of the terminal of the Internet of things through a finite automata theory, wherein the combinable label conversion model represents a plurality of label conversion models which are mutually connected through media, and is defined as a quadruple
Figure BDA0001247897700000021
Figure BDA0001247897700000031
Wherein S isglu=<S1∪S2∪…∪Sn∪SM>,
Lglu=<L1∪L2∪…∪Ln>,
Figure BDA0001247897700000032
Figure BDA0001247897700000033
Figure BDA0001247897700000034
Figure BDA0001247897700000035
slRepresenting a low-level state of the composable label transition model; m represents a medium for which the number of bits is equal to,
Figure BDA0001247897700000036
i.e. representing a transition within the medium M, wherein
Figure BDA0001247897700000037
Indicating a state siLow level representation of (a); sMRepresenting the state of the medium, i, j and m all represent natural numbers and 1 < i < m, α represents the label in the label conversion model;
Figure BDA0001247897700000039
representing a plurality of label conversion models, wherein S is a set of all states of the depicted equipment, L is a set of main behavior abstract representation of the equipment, and T is the state transition of the label conversion models caused by one or more behaviors in L; s0Is an initial state of the finite automaton, and LISet of input actions for causing a state transition of the tag transition model, LOTo set the output behavior that causes the state transition of the tag transition model, and to make LI∪LoIs equal to L and
Figure BDA0001247897700000038
Step 2. Establish an event database on the cloud server; the data in the event database comprise standard-protocol data, possible operation flows and abnormal action flows, and the event database is accessed directly by the IDS event analyzer.
The standard-protocol data are the descriptions of the standard protocols by the composable labelled transition model;
a possible operation flow is data created from the standard-protocol data by running through the standard protocol;
an abnormal action flow is the data of a known abnormal intrusion event.
Step 3. Collect control-flow data on the Internet of Things through an event monitor, repackage the control-flow data into required packed data according to requirements, and send the required packed data to the event database and to the IDS event analyzer.
Step 41. The IDS event analyzer receives the required packed data and analyses its information, identifies the IoT devices among the network devices, generates a network topology view, and then records the ID information of the identified IoT devices.
Step 42. The IDS event analyzer first groups the required packed data according to the network topology view and the ID information; the specific grouping step is: packets with the same session ID are grouped together, and the packets with the same session ID are sorted by protocol type in time order to produce the grouped data.
The IDS event analyzer then converts each group of grouped data into a converted event stream through the composable labelled transition model; the specific steps are: the protocol type of the message sequence in each group is obtained from the protocol type in the packets with the same session ID; the protocol type of the message sequence is compared with the standard-protocol data to obtain the basic formalized action primitives of that protocol type; and the action primitives are combined with the information in each group so that the grouped data are expressed as automaton primitives, i.e. each group of grouped data is converted into a converted event stream.
Step 43. The IDS event analyzer compares the converted event stream with the abnormal action flows and performs signature-based intrusion detection:
if the converted event stream contains an event signature identical to an intrusion event signature in the abnormal action flows, the converted event stream is judged to be an abnormal intrusion event and the abnormal result is output to the response unit;
if the converted event stream contains no event signature identical to a known intrusion event signature in the abnormal action flows, the converted event stream is further compared with the data in the possible operation flows to judge whether it is an abnormal intrusion event; if it is judged to be an abnormal intrusion event, the abnormal intrusion event is recorded and a judgement request is sent to the user;
if the user judges that the event is an abnormal intrusion event, the abnormal result is output to the response unit, and the characteristics of the abnormal intrusion event are extracted and stored in the abnormal action flow data of the event database.
Step 5. The response unit generates an intrusion risk warning report after receiving the abnormal result.
Further, in step 43, the specific method of further comparing the converted event stream with the data in the possible operation flows and determining whether the converted event stream is an abnormal intrusion event is as follows:
the labels of the converted event stream are compared with the labels in the possible operation flow, and each label of the converted event stream that matches a label in the possible operation flow is stored in an intermediate variable as the comparison proceeds;
when every label in the converted event stream has a matching label in the possible operation flow: if the end-point state reached in the possible operation flow is an end state of the possible operation flow, the stream is judged to be safe behaviour; otherwise it is judged to be a blocking abnormal intrusion event;
when a label of the converted event stream has no matching label in the possible operation flow: the first item of the converted event stream that causes the difference is examined; if that item is already in the intermediate variable, the converted event stream is judged to be a replay abnormal intrusion event; otherwise it is judged to be a fake abnormal intrusion event.
Further, the required packed data in step 3 comprise source IP data, destination IP data, port number data, timestamp data and protocol type data.
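The event-analyzer pipeline of steps 3 and 41 to 43 together with the safe / blocking / replay / fake classification above, as an added example that is not the patent's own code. It assumes a single device protocol modelled as a flat IOLTS (a toy join handshake with constructed labels), a session ID as the grouping key of step 42, known signatures expressed as label sequences, and the constructed packet records at the bottom; none of these come from the patent. The normal model is walked once per session, so the cost of a comparison is bounded by the number of labels in the stream, never more than the depth of the model graph before a mismatch or an end state is reached.

```python
"""Added example (not the patent's code): IDS event analyzer for a
finite-automaton IoT intrusion detection method.

Assumptions (not from the patent): one device protocol modelled as an
IOLTS, a session ID as grouping key, '?' labels = inputs (L_I),
'!' labels = outputs (L_O), and the constructed packets below."""
from collections import defaultdict

# Standard-protocol library (step 2): IOLTS <s0, S, L, T> of a toy join
# handshake.  T maps (state, label) -> next state.
JOIN_IOLTS = {
    "s0": "idle",
    "T": {
        ("idle", "?join_req"): "auth",
        ("auth", "!challenge"): "wait",
        ("wait", "?response"): "verify",
        ("verify", "!accept"): "joined",
        ("verify", "!reject"): "idle",
    },
    "end": {"joined", "idle"},          # end states of the protocol
}

# Abnormal-action library (step 2): known intrusion signatures as label
# sequences (constructed for this example).
ABNORMAL_SIGNATURES = {
    "join_flood": ("?join_req", "?join_req", "?join_req"),
}


def pack(src, dst, port, ts, proto, session, label):
    """Step 3: required packed data (fields listed in the patent) plus the
    session ID and the protocol primitive the event monitor extracted."""
    return {"src": src, "dst": dst, "port": port, "ts": ts,
            "proto": proto, "session": session, "label": label}


def group_sessions(packets):
    """Step 42: group packets by session ID, each group in time order."""
    groups = defaultdict(list)
    for p in packets:
        groups[p["session"]].append(p)
    return {sid: sorted(g, key=lambda p: p["ts"]) for sid, g in groups.items()}


def to_event_stream(group):
    """Step 42: express the group as automaton primitives (its labels)."""
    return tuple(p["label"] for p in group)


def has_signature(stream, signatures):
    """Step 43, signature-based check: any signature that occurs as a
    contiguous sub-sequence of the stream.  Returns its name or None."""
    for name, sig in signatures.items():
        n = len(sig)
        if any(stream[i:i + n] == sig for i in range(len(stream) - n + 1)):
            return name
    return None


def classify(stream, model):
    """Step 43 / 'Further': walk the normal model.
    safe     : every label matched and the walk ends in an end state
    blocking : every label matched but the walk stopped short of an end state
    replay   : first unmatched label was already stored in the matched prefix
    fake     : first unmatched label never occurred before"""
    state = model["s0"]
    matched = []                       # the patent's 'intermediate variable'
    for label in stream:
        nxt = model["T"].get((state, label))
        if nxt is None:
            return "replay" if label in matched else "fake"
        matched.append(label)
        state = nxt
    return "safe" if state in model["end"] else "blocking"


def analyze(packets, model=JOIN_IOLTS, signatures=ABNORMAL_SIGNATURES):
    """Return {session_id: verdict}; signatures are checked before the
    model walk, as in step 43."""
    verdicts = {}
    for sid, group in group_sessions(packets).items():
        stream = to_event_stream(group)
        sig = has_signature(stream, signatures)
        verdicts[sid] = f"signature:{sig}" if sig else classify(stream, model)
    return verdicts


# Constructed sample capture (not real traffic); ts is an event counter.
SAMPLE = [
    pack("10.0.0.5", "10.0.0.1", 5683, 1, "coap", "A", "?join_req"),
    pack("10.0.0.1", "10.0.0.5", 5683, 2, "coap", "A", "!challenge"),
    pack("10.0.0.5", "10.0.0.1", 5683, 3, "coap", "A", "?response"),
    pack("10.0.0.1", "10.0.0.5", 5683, 4, "coap", "A", "!accept"),
    # B: a second copy of the response is injected (replay, fig. 5)
    pack("10.0.0.9", "10.0.0.1", 5683, 10, "coap", "B", "?join_req"),
    pack("10.0.0.1", "10.0.0.9", 5683, 11, "coap", "B", "!challenge"),
    pack("10.0.0.9", "10.0.0.1", 5683, 12, "coap", "B", "?response"),
    pack("10.0.0.9", "10.0.0.1", 5683, 13, "coap", "B", "?response"),
    # C: the handshake never completes (blocking, fig. 6)
    pack("10.0.0.7", "10.0.0.1", 5683, 20, "coap", "C", "?join_req"),
    pack("10.0.0.1", "10.0.0.7", 5683, 21, "coap", "C", "!challenge"),
    # D: a captured device emits a primitive the protocol never uses (fake, fig. 7)
    pack("10.0.0.8", "10.0.0.1", 5683, 30, "coap", "D", "?join_req"),
    pack("10.0.0.8", "10.0.0.1", 5683, 31, "coap", "D", "!firmware_push"),
    # E: matches a known signature from the abnormal-action library
    pack("10.0.0.6", "10.0.0.1", 5683, 40, "coap", "E", "?join_req"),
    pack("10.0.0.6", "10.0.0.1", 5683, 41, "coap", "E", "?join_req"),
    pack("10.0.0.6", "10.0.0.1", 5683, 42, "coap", "E", "?join_req"),
]

if __name__ == "__main__":
    for sid, verdict in sorted(analyze(SAMPLE).items()):
        print(sid, verdict)
```

Session A completes the handshake and is safe; B repeats a label already in the matched prefix (replay); C stops in a non-end state (blocking); D presents a label the protocol never defines (fake); E is caught by the signature check before the model is consulted. Note that the replay/fake distinction rests only on whether the offending label occurred earlier in the same session, so a label legitimately reused by a protocol must be disambiguated by the monitor (for example by including a nonce or sequence number in the primitive) before this rule is trustworthy.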
A detection system for the Internet of Things intrusion detection method based on finite automata comprises:
a modelling unit for establishing the composable labelled transition model;
an event database for storing the standard-protocol data, possible operation flows and abnormal action flows, accessed directly by the IDS event analyzer;
the event database comprises:
a standard protocol library for storing the standard-protocol data described by the composable labelled transition model;
a normal action library for storing the possible operation action flows created from the standard-protocol data;
an abnormal action library for storing the abnormal action flows of known abnormal intrusion events;
an event monitor for collecting control-flow data on the Internet of Things, repackaging the control-flow data into required packed data according to requirements and sending the required packed data to the event database and the IDS event analyzer;
an IDS event analyzer for converting the packed data into converted event streams through the composable labelled transition model and judging whether a converted event stream is an abnormal intrusion event;
the IDS event analyzer comprises:
a network structure learning module for receiving the required packed data, analysing its information, identifying the IoT devices among the network devices, generating a network topology view, recording the ID information of the identified IoT devices and sending the ID information to the action flow abstraction module;
an action flow abstraction module for receiving the network topology view and the ID information, first grouping the required packed data according to the network topology view and the ID information, and then converting each group into a converted event stream through the composable labelled transition model;
an intrusion detection module for detecting abnormal intrusion events in the converted event streams and outputting the abnormal result;
and a response unit for generating an intrusion risk warning report after receiving the abnormal result.
Further, the intrusion detection module comprises a detection analysis sub-module configured to compare the labels of the converted event stream with the labels in the possible operation flow and to store each label of the converted event stream that matches a label in the possible operation flow in an intermediate variable as the comparison proceeds;
when every label in the converted event stream has a matching label in the possible operation flow: if the end-point state reached in the possible operation flow is an end state of the possible operation flow, the stream is judged to be safe behaviour; otherwise it is judged to be a blocking abnormal intrusion event;
when a label of the converted event stream has no matching label in the possible operation flow: the first item of the converted event stream that causes the difference is examined; if that item is already in the intermediate variable, the converted event stream is judged to be a replay abnormal intrusion event; otherwise it is judged to be a fake abnormal intrusion event.
The invention has the following beneficial effects:
The invention is an intrusion detection method and detection system designed specifically for IoT systems on the basis of automata theory. Because a formal method is applied, a complex IoT system can be represented with a compact composable labelled transition model, which greatly reduces the storage space required by the IDS (intrusion detection system). At the same time, the complexity of the comparison algorithm is determined by the depth of the Glued-IOLTS (composable labelled transition model) graph of the protocol run by the corresponding IoT device; since IoT devices cannot run particularly complex programs because of their limited resources, this detection method based on finite automaton traversal can be applied in IoT systems. For these reasons, compared with traditional intrusion detection systems, the invention is small, consumes few resources and executes efficiently. In addition, the system state-machine model is easy to understand, convenient to use and low in deployment cost.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
FIG. 1 is a schematic diagram of a conventional intrusion detection system;
FIG. 2 is a schematic diagram of an IEEE 802.15.4 star topology;
FIG. 3 is a schematic diagram of an IEEE 802.15.4 mesh topology;
FIG. 4 is a schematic diagram of an IEEE 802.15.4 cluster-tree topology;
FIG. 5 is a schematic diagram of the form of network attack of a replay abnormal intrusion event;
FIG. 6 is a schematic diagram of the form of network attack of a blocking abnormal intrusion event;
FIG. 7 is a schematic diagram of the form of network attack of a fake abnormal intrusion event;
FIG. 8 is a finite automaton diagram of the NSPK-based symmetric key protocol for securely connecting two devices according to the present invention;
FIG. 9 is a schematic diagram of the IoT system reference architecture of the present invention;
FIG. 10 is a schematic diagram of the intrusion detection system architecture of the present invention;
FIG. 11 is a schematic diagram of the request packet process of the present invention;
FIG. 12 is a diagram of the hardware architecture of an embodiment of the present invention;
FIG. 13 is a diagram of the method of packing data on demand in an embodiment of the present invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the following detailed description of the embodiments, structural features and effects of the present invention will be made with reference to the accompanying drawings and examples.
(1) Reference model of the Internet of Things
The Internet of Things is a comprehensive heterogeneous network that may include multiple network types such as WSN, MANET and Zigbee, so it is difficult for research on IoT security to obtain a uniform representation. Generally speaking, however, an IoT system needs three basic properties: unique identification, the ability of objects to communicate, and the ability to perceive the external environment. Under the current TCP/IP architecture, the unique identity is the IP address. As is well known, however, in the IPv4 mechanism commonly used today the IP address has become a scarce resource, and uniquely identifying a network participant by IP address is essentially impossible. Although IPv6 expands the number of usable addresses, the view taken here is that IPv6 addressing alone still cannot meet the requirements of future massively connected IoT devices. Therefore, in currently accepted IoT networking methods, an IoT gateway becomes essential; for example, in IEEE 802.15.4 the network is formed through a PAN (personal area network) coordinator. On this basis, we believe that the network structure of the future Internet of Things will generally be centralized, and its topology can follow the arrangements of IEEE 802.15.4. As shown in figs. 2 to 4, R denotes an RFD (reduced-function device) and F denotes an FFD (full-function device).
(2) Attack types
In view of the network characteristics of the Internet of Things, the following three attack scenarios are considered likely to occur and difficult to defend against on IoT devices with traditional cryptographic mechanisms:
Attack scenario 1: replay abnormal intrusion event (replay attack)
As shown in fig. 5, this is a relatively traditional form of network attack: an attacker User2 attacks the IoT system by eavesdropping on the communication between User1 and the IoT system, for instance with a forged-signature attack or a replay attack. Defending against such attacks traditionally requires an identity authentication mechanism, which consumes considerable resources on IoT devices.
Attack scenario 2: blocking abnormal intrusion event (blocking attack, jam attack)
As shown in fig. 6, because of the openness of the IoT system, a device controlled by an attacker may also apply to join the Internet of Things. Such attacker devices may have greater computing power and resources, may obtain information about the IoT by monitoring broadcasts and the like, and may launch DoS/DDoS and other types of attack on the network.
Attack scenario 3: fake abnormal intrusion event (fake attack)
As shown in fig. 7, because of the dynamic network structure of the IoT system, an authorized device may be captured by an attacker and injected with software such as trojans and viruses, forming a threat to the whole IoT system. Since such a device is itself an authorized device, it can rejoin the network, so attacks can be launched on the system from inside the network. This type of attack is difficult to protect against with traditional key-based methods.
For these three types of IoT attack scenario, the concept of intrusion detection from traditional networks needs to be introduced, and an a posteriori active security protection method suitable for IoT devices needs to be provided. In existing research, however, although corresponding detection methods have been proposed at the different network-structure levels related to the Internet of Things (such as MANET, WSN and Zigbee networks), no intrusion detection method with a standardized evaluation system for the IoT system as a whole has yet been proposed.
The technical scheme for realising the invention is as follows. In view of the characteristics that IoT devices have low performance, usually provide only specific and simple interaction functions, and have relatively fixed transmission and interaction patterns, finite automata theory is used to model the general protocol group of the networked terminals; at the same time, the actions performed by the IoT terminals during interaction are monitored and modelled in real time and matched against the normal interaction behaviour predicted by the finite automaton model, so that abnormal attack behaviour is identified. The specific definitions and steps are as follows:
combined label switching system (blue-IOLTS)
According to the IoT alliance proposed IoT-a (Internet of Things-Architecture) Architecture and Hannelore et al proposed Internet of Things hierarchical reference Architecture (RILA), a typical Internet of Things system will accomplish aggregation and management of multiple layers around the Internet of Things devices (Things), and the key to the implementation of the Internet of Things system is how to achieve standardization between different Things.
To achieve this, the currently popular approach is an extension of the Context Toolkit framework proposed by Anind K. Dey: the context conditions under which the system is currently operating and the goals of the system are analyzed in order to decide the next action. The problem with this method is that not every context can be expressed in a standardized way; in the Context Toolkit framework, the context elements that cannot immediately be standardized are called high-level contexts, and these are generally difficult to process. To solve this standardization problem, we first propose the concept of the combinable label conversion model by extending the system automaton model.
The traditional finite automaton model can effectively model and analyze a computer system using set theory and graph theory. In a finite automaton, we usually define the system as a triple $\langle S, L, T\rangle$, where S is the set of all states of the device being characterized, L is the set of abstract representations of the device's main behaviors, and T is the set of state transitions of the system caused by one or more behaviors in L. If, in a finite automaton, the initial state $s_0$ of the device can be specified, and the behaviors causing state transitions are divided into an input behavior set $L_I$ and an output behavior set $L_O$ with $L_I \cup L_O = L$ and
Figure BDA0001247897700000081
then the quadruple $\langle s_0, S, L, T\rangle$ corresponding to the system is called a label conversion model (IOLTS, an input/output labelled transition system). In practice, each IOLTS can represent a separate system; in a network environment, however, the systems we look at are usually interrelated. To represent such interrelated systems in one system state machine, we extend the label conversion model and propose the combinable label conversion model, Glued-IOLTS. Glued-IOLTS is built on IOLTS and, in order to realize communication and transitions between different systems, further divides the system states into two classes: high-level states ($s_u$) and low-level states ($s_l$). High-level states connect and transition with the internal states of the same system, while low-level states represent state and information transfer between IOLTS systems. With this simple classification, the channels between different IOLTS systems can themselves be represented by a label conversion model.
Definition: a combinable label conversion model (Glued-IOLTS) represents a series of label conversion models (IOLTS)
Figure BDA0001247897700000098
and a medium (M) connecting these systems, and can be defined as the quadruple
Figure BDA0001247897700000091
where $S_{glu} = \langle S_1 \cup S_2 \cup \dots \cup S_n \cup S_M \rangle$,
$L_{glu} = \langle L_1 \cup L_2 \cup \dots \cup L_n \rangle$,
Figure BDA0001247897700000092
Figure BDA0001247897700000093
Figure BDA0001247897700000094
Figure BDA0001247897700000095
Note that
Figure BDA0001247897700000096
i.e. a transition within the connecting medium M, where
Figure BDA0001247897700000097
denotes the low-level representation of state $s_i$. i, j and m are natural numbers with $1 < i < m$, the ordinal of a state in the set S; $s_i$ and $s_j$ are states of the model, and α is any input or output event, i.e. a label in the IOLTS.
With Glued-IOLTS, a connected system can be represented conveniently; for example, two devices that establish a secure connection with the Needham-Schroeder (NSPK) protocol can simply be represented by the system state machine shown in fig. 8.
Using the combinable label conversion model, the "Context information + Goals = Actions" model used in IoT-A can be expressed through the state transition $T_M$. At the same time, because the model uses highly abstract formal statements, the standardization problem of expression is solved at the definition level, so the method disclosed in the invention overcomes the standardization problem of the traditional Context Toolkit framework.
Secondly, implementing security detection in the internet of things environment:
The method we provide discovers potential abnormal behavior by acquiring and standardizing the control flow data of the internet of things devices in real time and comparing it with the behavior prediction model (execution and specification) supplied when the corresponding device was registered. To achieve this detection goal, the internet of things system must be deployed around the IoT-A architecture and the RILA reference model; the recommended architecture is shown in fig. 9.
In actual execution, the functions of the different layers are implemented on different interactive devices. Under the reference model, the control flow information of the internet of things devices is analyzed and managed by the data management layer device, so our data acquisition components can be deployed on the data management layer device; the acquired data are uploaded to a cloud server, whose computing power is used for analysis, and the result is finally fed back to the data management layer device as the basis for handling insecure data. The architecture of our security detection system is shown in fig. 10:
the specific process of safety detection and management is divided into the following steps:
an Internet of things intrusion detection method based on finite automata comprises the following steps:
step 1, using finite automaton theory, establishing for the general protocol group of the internet of things terminals a combinable label conversion model that gives a standardized representation of the channels between label conversion models; the combinable label conversion model represents a plurality of label conversion models connected to one another through a medium and is defined as the quadruple
Figure BDA0001247897700000101
Figure BDA0001247897700000102
where $S_{glu} = \langle S_1 \cup S_2 \cup \dots \cup S_n \cup S_M \rangle$,
$L_{glu} = \langle L_1 \cup L_2 \cup \dots \cup L_n \rangle$,
Figure BDA0001247897700000103
Figure BDA0001247897700000104
Figure BDA0001247897700000105
$s_u$ denotes a high-level state of the combinable label conversion model and $s_l$ a low-level state; M denotes the medium, and
Figure BDA0001247897700000106
i.e. a transition within the medium M, where
Figure BDA0001247897700000107
denotes the low-level representation of state $s_i$; $S_M$ denotes the states of the medium;
Figure BDA0001247897700000108
denotes the plurality of label conversion models, where S is the set of all states of the depicted device, L is the set of abstract representations of the device's main behaviors, and T is the state transition of the label conversion model caused by one or more behaviors in L; $s_0$ is the initial state of the finite automaton, $L_I$ is the set of input behaviors causing state transitions of the label conversion model, $L_O$ is the set of output behaviors causing such transitions, with $L_I \cup L_O = L$ and
Figure BDA0001247897700000109
step 2, establishing an event database on the cloud server, the data in the event database comprising standard protocol data, possible operation flows and abnormal action flows, the event database being directly accessible to the IDS event analyzer. In our approach, network events are described as abstract action streams, and such network actions can be described with the proposed Glued-IOLTS model.
The data of the standard protocol is the description of the standard protocol through the combinable label conversion model;
the possible operation flows are data derived from the standard protocol data;
the abnormal action flow is data of known abnormal intrusion events;
the event database includes a standard protocol library storing the standard protocol data described by the combinable label conversion model, a normal action library storing the possible operation flows created from the standard protocol data, and an abnormal action library storing the abnormal action flows of known intrusion events. These three libraries are stored on the cloud and are directly accessible to the event analyzer.
Step 3, collecting control flow data on the Internet of things through an event monitor, repackaging the control flow data into requirement packaged data according to requirements, and sending the requirement packaged data to an event database and an IDS event analyzer; the requirement packed data comprises source IP data, destination IP data, port number data, timestamp data and protocol type data.
Steps 41-43 are performed by the IDS event analyzer. Wherein step 41 is performed by the network structure learning module, step 42 is performed by the action flow abstraction module, and step 43 is performed by the intrusion detection module.
And step 41, the IDS event analyzer receives the requirement packed data and analyzes the information of the requirement packed data, identifies the Internet of things equipment in the network equipment, generates a network topology view, and then records the ID information of the identified Internet of things equipment.
Step 41 first sends the collected requirement packaged data to the network structure learning module so that the IDS obtains a general view of the network topology. Because internet of things devices can be distinguished by a unique ID, they can be separated from other devices by analyzing the collected packet information: source IP, destination IP, port number, timestamp, protocol type and so on. For example, because internet of things devices are usually attached to the same internet of things gateway, the first three octets of their IPv4 addresses will usually follow a pattern; by counting the frequency of each IPv4 octet value we can therefore identify the IP segment of the internet of things devices. (A single busy host such as the gateway or a cloud endpoint appears in almost every packet, so in practice the count should be over distinct hosts per prefix rather than over raw packets.) The unique IDs of the internet of things devices are recorded and sent to the action flow abstraction module.
Step 42, the IDS event analyzer firstly groups the required packed data according to the network topology view and ID information, and the specific grouping step is: grouping the data packets with the same session ID into a group, and sorting the data packets with the same session ID according to the protocol type in a time sequence to generate grouped data;
then, the IDS event analyzer converts each group of grouped data into a conversion event stream through the combinable label conversion model, and the specific steps are as follows: acquiring the protocol type of the message sequence in each group of grouped data according to the protocol type in the data packet with the same session ID, comparing the protocol type of the message sequence with the data of the standard protocol to acquire a basic formalized action primitive of the protocol type of the message sequence, combining the action primitive with the information in each group of grouped data and expressing the grouped data as an automaton primitive, namely converting each group of grouped data into a conversion event stream;
As shown in fig. 11, the requirement packaged data collected from the IoT also has to be sent to the action flow abstraction module. In this module, packets are assigned on the basis of device attributes, session IDs, timestamps and protocol types identified with the help of the network structure learning module and the standard protocol library. With this information the network traffic can be divided into message sequences, which then have to be converted into an abstract action flow. For this the standard protocol library is needed: from the message assignment, together with the protocol type of each packet, we know the main protocol type of the selected message; we then look up the basic formalized action primitives of that protocol in the standard protocol library, and by comparing them with each packet we represent the packet as an automaton primitive. One network action corresponds to one label, and a network action flow, i.e. a message sequence, is a sequence of such actions and hence a sequence of labels.
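Steps 41 and 42 above, together with the time-window slicing described later in section A of the test description, as an added runnable Python example; this is not the patent's own program. The packet records, the (protocol, message) table standing in for the standard protocol library, and the decision to rank /24 prefixes by the number of distinct hosts rather than by raw packet count are assumptions of the example.

```python
"""Steps 41-42 of the page as runnable code: learn the IoT address segment,
group the requirement packaged data by session ID, order it in time, slice
it into time windows (section A) and turn each session into a label sequence
using a small stand-in for the standard protocol library.
Added example, not the patent's program; every record below is constructed."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed requirement packaged data: one record per captured packet.
# The IoT segment is 192.168.10.0/24 (two devices); 10.0.0.5 is a cloud server
# and 172.16.0.9 an unrelated laptop.
PACKETS = [
    {"ts": 1.0, "src": "192.168.10.21", "dst": "10.0.0.5", "sport": 5683, "dport": 5683,
     "proto": "CoAP", "msg": "CON GET", "sid": "A"},
    {"ts": 1.2, "src": "10.0.0.5", "dst": "192.168.10.21", "sport": 5683, "dport": 5683,
     "proto": "CoAP", "msg": "ACK 2.05", "sid": "A"},
    {"ts": 2.0, "src": "192.168.10.22", "dst": "10.0.0.5", "sport": 49152, "dport": 1883,
     "proto": "MQTT", "msg": "CONNECT", "sid": "B"},
    {"ts": 2.1, "src": "10.0.0.5", "dst": "192.168.10.22", "sport": 1883, "dport": 49152,
     "proto": "MQTT", "msg": "CONNACK", "sid": "B"},
    {"ts": 2.5, "src": "192.168.10.22", "dst": "10.0.0.5", "sport": 49152, "dport": 1883,
     "proto": "MQTT", "msg": "PUBLISH", "sid": "B"},
    {"ts": 0.5, "src": "172.16.0.9", "dst": "10.0.0.5", "sport": 40000, "dport": 80,
     "proto": "HTTP", "msg": "GET /", "sid": "C"},
]

# Stand-in for the standard protocol library: (protocol type, message) -> action primitive.
PROTOCOL_LIBRARY = {
    ("CoAP", "CON GET"): "coap_get",
    ("CoAP", "ACK 2.05"): "coap_content",
    ("MQTT", "CONNECT"): "mqtt_connect",
    ("MQTT", "CONNACK"): "mqtt_connack",
    ("MQTT", "PUBLISH"): "mqtt_publish",
}


def prefix24(addr):
    """The first three IPv4 octets, the field the page counts."""
    if ip_address(addr).version != 4:
        raise ValueError("IPv4 address expected: %r" % addr)
    return ".".join(addr.split(".")[:3])


def learn_iot_prefix(packets):
    """Step 41: the /24 with the most distinct hosts is taken as the IoT segment.
    Assumption: distinct hosts are counted rather than raw packets, because a
    single gateway or cloud endpoint appears in almost every packet and would
    otherwise outvote the device segment."""
    hosts = defaultdict(set)
    for p in packets:
        for addr in (p["src"], p["dst"]):
            hosts[prefix24(addr)].add(addr)
    return max(hosts, key=lambda k: len(hosts[k]))


def iot_devices(packets):
    """The unique IDs (addresses here) of the devices in the learned segment."""
    pre = learn_iot_prefix(packets)
    return {a for p in packets for a in (p["src"], p["dst"]) if prefix24(a) == pre}


def group_sessions(packets):
    """Step 42, grouping: same session ID together, ordered by timestamp."""
    groups = defaultdict(list)
    for p in packets:
        groups[p["sid"]].append(p)
    return {sid: sorted(g, key=lambda p: p["ts"]) for sid, g in groups.items()}


def slice_windows(session, n):
    """Section A: cut an ordered session into consecutive slices of length n seconds."""
    if not session:
        return []
    start = session[0]["ts"]
    windows = defaultdict(list)
    for p in session:
        windows[int((p["ts"] - start) / n)].append(p)
    return [windows[k] for k in sorted(windows)]


def to_label_streams(packets):
    """Step 42, conversion: every session touching an IoT device becomes a label
    sequence. '!' marks an output of the IoT device, '?' an input to it (IOLTS
    convention). A message the library does not know is kept as 'unknown:<proto>'
    so the detection stage sees the unexpected message instead of losing it."""
    devs = iot_devices(packets)
    streams = {}
    for sid, session in group_sessions(packets).items():
        if not any(p["src"] in devs or p["dst"] in devs for p in session):
            continue  # traffic that never involves an IoT device is not modeled here
        labels = []
        for p in session:
            primitive = PROTOCOL_LIBRARY.get((p["proto"], p["msg"]), "unknown:" + p["proto"])
            labels.append(("!" if p["src"] in devs else "?") + primitive)
        streams[sid] = labels
    return streams


if __name__ == "__main__":
    print("IoT segment:", learn_iot_prefix(PACKETS))
    for sid, labels in sorted(to_label_streams(PACKETS).items()):
        print(sid, labels)
```

The session "C" between the laptop and the server never touches a device in the learned segment and is dropped; the two IoT sessions come out as label sequences that the intrusion detection module can walk over the corresponding protocol automaton.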
Step 43, the IDS event analyzer compares the transformed event stream with the abnormal action stream, and performs intrusion detection based on signature;
if the conversion event stream contains an event signature which is the same as the intrusion event signature in the abnormal action stream, judging the conversion event stream to be an abnormal intrusion event, and outputting an abnormal result to a response unit;
if the conversion event stream does not contain the event signature which is the same as the known intrusion event signature in the abnormal action stream, the conversion event stream is continuously compared with the data in the possible operation stream to judge whether the conversion event stream is an abnormal intrusion event, if the conversion event stream is judged to be the abnormal intrusion event, the abnormal intrusion event is recorded, and meanwhile, a judgment request is sent to a user;
and if the user judges the abnormal intrusion event, outputting an abnormal result to a response unit, and extracting and storing the characteristics of the abnormal intrusion event into the abnormal action flow.
After the conversion event stream (transition trace) has been obtained, a two-stage intrusion detection phase follows. In the first stage, the event stream, now expressed in automaton primitives, is compared with the data in the abnormal action library for signature-based intrusion detection. If an event stream contains no known intrusion event segment (signature), it enters the second stage, where it is compared with the possible operation flows in the normal action library to determine whether it is abnormal. If the result is abnormal, the intrusion system records the event and submits it for manual judgment. If the event is manually confirmed as abnormal, the abnormal result is output as feedback and the characteristics of the event are extracted and stored in the abnormal action library. The second-stage judgment proceeds as follows:
when the conversion event stream has a matching walk in the combinable label conversion model graph: if the end state of that walk is an end state of the model, the conversion event stream is judged secure; otherwise it is judged a blocking (jam) intrusion event;
when the conversion event stream has no matching walk in the graph and its walk has already terminated: the walk that caused the loop to terminate is compared with the walks of the possible operation flows; if the same walk exists among the possible operation flows, it is judged a replay intrusion event; if not, it is judged a forgery (fake) intrusion event.
The automatic discrimination algorithm for the second-stage intrusion judgment of a system represented by our Glued-IOLTS is as follows:
Figure BDA0001247897700000131
Figure BDA0001247897700000141
Explanation of the code: the algorithm is written in a Java-like language. Its inputs are an array $l_{ids}$ of type Label and an array $T_{sys}$ of type Transition, where Label represents $L_{glu}$ of the combinable label conversion model, i.e. the set of labels, and Transition represents $T_{glu}$ of the combinable label conversion model. $l_{ids}$ is the data collected at the acquisition end (converted into a sequence of transition labels); $T_{sys}$ is the corresponding protocol system (possible operation flow) stored in the normal behavior library, which can be represented as a finite automaton. The output is the verdict for the $l_{ids}$ under examination: secure, fake-attack, jam-attack or replay-attack.
The algorithm proceeds as follows:
Arrays t_temp and t_next of type Transition are defined as intermediate variables, together with result of type String and flag of type int, with flag initialized to 0.
When the program runs, it first searches $T_{sys}$ for the transitions whose label equals the first label stored in $l_{ids}$ and saves them in t_temp. Then, for each transition $t_i$ in t_temp, it compares the label of the transition following $t_i$ in $T_{sys}$ with the corresponding next label in $l_{ids}$; if they differ, $t_i$ is removed from t_temp; if they agree, the successor of $t_i$ is recorded in t_temp and the contents of t_temp are backed up in t_temp_bac. This comparison is repeated until $l_{ids}$ has been traversed or t_temp is empty. During this process, the labels of $l_{ids}$ that have been matched are recorded as $l_{pass}$.
When the segment ends, if all labels of $l_{ids}$ were found in $T_{sys}$, the end state in $T_{sys}$ of the last matched transition must be examined further. If that end state is exactly an end state of $T_{sys}$, $l_{ids}$ is judged secure and the program returns "secure". Otherwise, the corresponding $l_{ids}$ may contain a jam attack and the program returns "jam-attack".
If the program stops at label $l_n$ of $l_{ids}$ because t_temp is empty, then for every transition $t_j$ in t_temp_bac it compares the label following $t_j$ with the label $l_i$ following it in $l_{pass}$. If they are the same, $t_j$ is recorded in t_temp and t_temp_bac is updated. Then $l_n$ is searched for in t_temp; if $l_n$ is found, it is recorded in $l_{pass}$. If, after all labels in $l_{pass}$ have been examined, no matching $l_n$ can be found, the corresponding $l_{ids}$ must contain a modification, and the program returns "fake-attack". If instead $l_{pass}$ contains $l_n$, such an $l_{ids}$ may be replaying an earlier segment and is therefore a possible replay attack; the program returns "replay-attack".
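The two-stage detection of step 43 and the second-stage automaton walk explained above, as an added Python example that is not the patent's listing. The four-message protocol T_SYS, its single accepting state, the one signature in the abnormal action library and the traces are constructed. The walk carries the set of reachable states along instead of the t_temp/t_temp_bac bookkeeping of the Java-like listing, and, as the explanation states, treats an unmatched label that already occurs in $l_{pass}$ as a replay and any other unmatched label as a forgery.

```python
"""Step 43 and the second-stage walk of the page as runnable code: a converted
event stream (a list of IOLTS labels) is first matched against the signatures
of the abnormal action library, then replayed on the Glued-IOLTS transitions
of the expected protocol (the possible operation flow from the normal action
library). Added example, not the patent's listing; T_SYS, END_STATES and
SIGNATURES are constructed."""

# T_sys: (start state, label, end state) of a constructed device/gateway exchange.
# '!' = output of the IoT device, '?' = input to it. s3 -> s2 is a loop, so any
# number of data/data_ack rounds is a legitimate walk.
T_SYS = [
    ("s0", "!join_req", "s1"),
    ("s1", "?join_ack", "s2"),
    ("s2", "!data", "s3"),
    ("s3", "?data_ack", "s2"),
    ("s2", "!leave", "s4"),
]
START_STATE = "s0"
END_STATES = {"s4"}  # assumption: the accepting states of T_sys are listed explicitly

# Abnormal action library: label segments (signatures) of known intrusion events.
SIGNATURES = {
    "join-flood": ["!join_req", "!join_req", "!join_req"],
}


def contains_segment(trace, segment):
    """True if `segment` occurs contiguously inside `trace`."""
    k = len(segment)
    return k > 0 and any(trace[i:i + k] == segment for i in range(len(trace) - k + 1))


def signature_match(trace, signatures=SIGNATURES):
    """Stage 1, signature-based detection: name of the first matching signature or None."""
    for name, segment in signatures.items():
        if contains_segment(trace, segment):
            return name
    return None


def walk(l_ids, t_sys=T_SYS, start=START_STATE, ends=END_STATES):
    """Stage 2: replay l_ids on the automaton and return one of the four verdicts.
    The set of reachable states is carried along, so a non-deterministic T_sys
    (two transitions with the same label from one state) needs no backtracking."""
    current = {start}
    l_pass = []  # labels of l_ids matched so far
    for label in l_ids:
        nxt = {end for (frm, lab, end) in t_sys if frm in current and lab == label}
        if not nxt:
            # No transition continues the walk. If the label was already matched
            # earlier, an old segment is being re-sent: replay. Otherwise the
            # message has the right shape but the wrong content: forgery.
            return "replay-attack" if label in l_pass else "fake-attack"
        current = nxt
        l_pass.append(label)
    # The whole trace was consumed: secure only if the walk ends in an end state;
    # a session left hanging before the protocol finishes is the jam case.
    return "secure" if current & ends else "jam-attack"


def detect(trace):
    """Both stages in order; returns (stage, verdict)."""
    sig = signature_match(trace)
    if sig is not None:
        return ("signature", sig)
    return ("automaton", walk(trace))


if __name__ == "__main__":
    for trace in (["!join_req", "?join_ack", "!data", "?data_ack", "!leave"],
                  ["!join_req", "?join_ack", "!data"],
                  ["!join_req", "?join_ack", "?join_ack"],
                  ["!join_req", "?join_ack", "!bogus"],
                  ["!join_req", "!join_req", "!join_req"]):
        print(trace, "->", detect(trace))
```

Note the ordering: a triple join request is caught by the signature in stage 1, whereas the automaton alone would only report it as a replay of "!join_req" once the second request cannot be matched.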
Step 5, after the response unit receives the abnormal result, it generates an intrusion risk warning report to alert the internet of things system of the intrusion risk. In the report, three types of attack are identified by analyzing the abnormal context, corresponding to the attack scenarios described earlier.
A detection system implementing the finite-automaton-based internet of things intrusion detection method comprises: a modeling unit for establishing the combinable label conversion model;
an event database for storing data of standard protocols, possible operation flows and abnormal action flows, and directly accessing the IDS event analyzer;
the event database includes:
the standard protocol library, for storing the standard protocol data described by the combinable label conversion model;
the normal action library is used for storing possible operation action flows created by data of a standard protocol;
the abnormal action library is used for storing an abnormal action flow of a known abnormal intrusion event;
the event monitor is used for collecting control flow data on the Internet of things, repackaging the control flow data into requirement packaged data according to requirements and sending the requirement packaged data to the event database and the IDS event analyzer;
an IDS event analyzer for converting the packed data into converted event flow through the combinable label conversion model and judging whether the converted event flow is abnormal invasion event;
the IDS event analyzer comprises:
the network structure learning module is used for receiving the requirement packaging data, analyzing the information of the requirement packaging data, identifying the Internet of things equipment in the network equipment, generating a network topology view, recording the ID information of the identified Internet of things equipment and sending the ID information to the action flow abstraction module;
the action flow abstraction module is used for receiving the network topology view and the ID information, firstly grouping the required packed data according to the network topology view and the ID information, and then converting each group into a conversion event flow through the combinable label conversion model;
the intrusion detection module is used for detecting the abnormal intrusion event of the conversion event stream and outputting an abnormal result;
the intrusion detection module comprises a detection analysis submodule, which judges: when the conversion event stream has a matching walk in the combinable label conversion model graph, if the end state of that walk is an end state of the model, the behavior is judged secure, otherwise it is judged a blocking (jam) intrusion event;
when the conversion event stream has no matching walk in the combinable label conversion model graph and its walk has already terminated, the walk that caused the loop to terminate is compared with the walks of the possible operation flows; if the same walk exists among the possible operation flows, it is judged a replay intrusion event, and if not, a forgery (fake) intrusion event;
and the response unit is used for generating an intrusion risk warning report after receiving the abnormal result.
The invention is an intrusion detection method designed specifically for internet of things systems on the basis of automata theory. Because a formal method is applied, a complex internet of things system can be represented by a simple label transition system, which greatly reduces the storage space the IDS requires. At the same time, the complexity of our comparison algorithm is determined by the depth of the Glued-IOLTS graph of the operating protocol of the corresponding internet of things device; given the resource limits of such devices, they do not run particularly complex programs, so a detection method based on traversing a finite automaton is applicable to internet of things systems. For these reasons, the invention is small, uses few resources and executes efficiently compared with traditional intrusion detection systems. The system state machine model is also easy to understand, convenient to use and cheap to deploy. An easy-to-use interactive GUI management interface has been developed for the method, so that the state of the internet of things system and its comparison with the standard prediction model can be inspected visually, which facilitates deployment and use.
In a test environment we implemented the invention; the design of the test platform is shown in fig. 12.
In the test, two Raspberry Pi 3 boards are used as RFDs (reduced-function devices), one Android phone as the FFD (full-function device), and a router with a port-mirroring function as the PAN (personal area network) device; the wireless port of the router is mirrored to the port connected to the server so that the data can be monitored. Although the test environment simplifies the traffic volume of a real internet of things deployment, it is readily extensible and typical.
A. The concrete implementation method of data acquisition and modeling comprises the following steps:
Network traffic monitoring and analysis software such as Wireshark, Snort or tcpdump can be installed on the server to acquire and monitor network data. In this example we install Wireshark on the server and configure it to analyze packets on the network interface connected to the PAN. Wireshark parses the packet headers and so yields the protocol type used in the transmission, so in this step the protocol format of the acquired data is readily obtained. From that protocol format, the standardized form of the currently acquired data can be predicted, which realizes the conversion of streamed data into the standardized representation via the combinable label conversion model.
For the network data obtained above, a preliminary aggregation of related data can be carried out according to certain (standardized) characteristics of the data, such as the session ID, port number and time. For example, data with the same source IP and adjacent time segments can be linked together in time order and considered as a unit. It is assumed here that the timestamps of all acquired data are distinct, i.e. that packets can be told apart in the time dimension. After the aggregated data set is obtained, a time window N is chosen and used to cut the current data set, giving data sets for successive time slices of length N. For example, in fig. 13, for the TCP packets of an internet of things system the corresponding behavior stream is obtained by slicing in time. In this way the interaction traffic on different internet of things device terminals can be obtained.
B. The standard library, the abnormal action library and the normal action library are realized by the following methods:
For the database, MySQL is installed on the corresponding server and three tables are created, storing the standard protocols, the abnormal action flows and the possible operation flows respectively. In the standard library, since a network event can be represented as a transition of the Glued-IOLTS, we only need to record the start point (state), the end point (state), the label and the protocol type. The standard protocol library has to be built up manually so that common protocols are covered. The normal action library is obtained by generalizing the standard library: the transitions in the standard protocol library are varied using fuzzing and robustness-building methods of the corresponding system. The abnormal action library is generated automatically by training on data from actual operation. Its record structure differs slightly from that of the normal action library because it has to record context: a pre-condition (pre-con), a post-condition (after-con) and a keyword (key-word).
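The three tables of section B as an added example that uses Python's sqlite3 module in place of MySQL; it is not the patent's own implementation. The table and column names, the whitelist of table names (a table name cannot be bound as a query parameter, so it must not come from untrusted input) and the sample rows are assumptions. The fuzzing-based generalization of the standard library into the normal action library is not reproduced; the normal_action table is only filled explicitly.

```python
"""Section B of the page as runnable code, with sqlite3 standing in for MySQL.
Three tables hold the standard protocol library, the normal action library and
the abnormal action library; the columns follow the page (start state, end
state, label, protocol type; pre-condition, post-condition, keyword).
Added example; table and column names and the sample rows are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE standard_protocol (
    id INTEGER PRIMARY KEY, proto_type TEXT NOT NULL,
    start_state TEXT NOT NULL, label TEXT NOT NULL, end_state TEXT NOT NULL);
CREATE TABLE normal_action (
    id INTEGER PRIMARY KEY, proto_type TEXT NOT NULL,
    start_state TEXT NOT NULL, label TEXT NOT NULL, end_state TEXT NOT NULL);
CREATE TABLE abnormal_action (
    id INTEGER PRIMARY KEY, pre_con TEXT NOT NULL,
    after_con TEXT NOT NULL, key_word TEXT NOT NULL);
"""
TRANSITION_TABLES = ("standard_protocol", "normal_action")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _table(name):
    # Identifiers cannot be bound as parameters; only the two known tables are allowed.
    if name not in TRANSITION_TABLES:
        raise ValueError("unknown transition table: %r" % name)
    return name


def add_transitions(conn, table, proto, transitions):
    """Store (start_state, label, end_state) rows for one protocol type."""
    conn.executemany(
        "INSERT INTO %s (proto_type, start_state, label, end_state) VALUES (?, ?, ?, ?)"
        % _table(table),
        [(proto, s, l, e) for (s, l, e) in transitions])
    conn.commit()


def load_transitions(conn, table, proto):
    """Return the T_sys of one protocol in insertion order, ready for the automaton walk."""
    return conn.execute(
        "SELECT start_state, label, end_state FROM %s WHERE proto_type = ? ORDER BY id"
        % _table(table),
        (proto,)).fetchall()


def record_abnormal(conn, pre_con, after_con, key_word):
    """Store the context of a confirmed intrusion event (pre-con, after-con, key-word)."""
    conn.execute("INSERT INTO abnormal_action (pre_con, after_con, key_word) VALUES (?, ?, ?)",
                 (pre_con, after_con, key_word))
    conn.commit()


def lookup_abnormal(conn, key_word):
    """Context (pre-condition, post-condition) of every known event with this keyword."""
    return conn.execute("SELECT pre_con, after_con FROM abnormal_action WHERE key_word = ?",
                        (key_word,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    add_transitions(db, "standard_protocol", "mqtt",
                    [("s0", "!connect", "s1"), ("s1", "?connack", "s2")])
    record_abnormal(db, "s1", "s1", "?connack ?connack")
    print(load_transitions(db, "standard_protocol", "mqtt"))
    print(lookup_abnormal(db, "?connack ?connack"))
```

The rows returned by load_transitions have exactly the (start state, label, end state) shape that the second-stage walk over T_sys consumes, so the library can be loaded per protocol type when a session of that type is analyzed.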
C. Method for realizing safety detection
Security detection is the process of comparing the collected data stream, expressed in the standardized form, with the predicted behavior obtained from the standard action library, to determine whether the current behavior is normal and which attacks may be present. In the present invention we classify possible attacks into three categories: forgery attacks, replay attacks and blocking attacks. A blocking attack means that an attacker adopts an unknown behavior to issue requests to the corresponding system, with the aim of exhausting its communication and computing resources. Many attacks, such as DoS and DDoS attacks, derive from this; once a possible blocking attack has been determined on a device, the device must be monitored further to decide whether a DoS/DDoS attack is taking place. A forgery attack means that the attacker roughly knows the message types required by the communication protocol and fabricates messages with the same format but mismatched content, sending them to the attacked party. Many common network attacks have the character of forgery, for example IP spoofing floods, in which the attacker floods the victim with packets carrying forged IP addresses. A replay attack is one in which the attacker records normal behavior used earlier (by itself or by other users) and plays it back to the attacked device. Such attacks can also underlie DoS/DDoS attacks and can be the building block of more complex composite attacks, such as zero-day attacks.
A corresponding graphical user interface was designed for the scheme to reveal the whole comparison process. With the algorithm and program we designed, the event stream acquired in real time can be compared, possible abnormal events judged and reported to the internet of things administrator, who can later use our software to re-check the alarm and determine whether it is correct. This greatly reduces the false alarm rate of the invention.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (5)

1. An Internet of Things intrusion detection method based on finite automata, characterized in that it comprises the following steps:

Step 1: using finite automata theory, establish, for the general protocol group of Internet of Things terminals, a composable label transition model that gives a standardized representation of the channels between label transition models. The composable label transition model represents a plurality of label transition models interconnected through a medium, and is defined as the quadruple

Figure FDA0002292482100000011

where S_glu = <S_1 ∪ S_2 ∪ ... ∪ S_n ∪ S_M>, L_glu = <L_1 ∪ L_2 ∪ ... ∪ L_n>,

Figure FDA0002292482100000012

Figure FDA0002292482100000013

Figure FDA0002292482100000014

Figure FDA0002292482100000015

s^l denotes a low-level state of the composable label transition model; M denotes the medium, and

Figure FDA0002292482100000016

denotes a transition inside the medium M, where

Figure FDA0002292482100000017

denotes the low-level representation of state s_i; S_M denotes the states of the medium; i, j and m are natural numbers with 1 < i < m; d denotes a label in a label transition model;

Figure FDA0002292482100000018

denotes a plurality of label transition models, where S is the set of all states of the device being described, L is the set of abstract representations of the device's main behaviours, and T is the set of state transitions of the label transition model caused by one or more behaviours in L; s_0 is the initial state of the finite automaton, L_I is the set of input behaviours that cause state transitions of the label transition model, and L_O is the set of output behaviours that cause state transitions of the label transition model, such that L_I ∪ L_O = L and

Figure FDA0002292482100000019

Figure FDA00022924821000000110

s'_i denotes another state in the set S that is connected to s_i; S_i denotes the set S of the i-th label transition model, and T_i denotes the set T of the i-th label transition model; μ denotes an internal behaviour of a label transition model itself, that is, a behaviour that produces no input or output visible to the other label transition models but does change the model's own state;

Figure FDA0002292482100000021

denotes the set of all output labels of the first state of the i-th label transition model;

Figure FDA0002292482100000022

denotes the set of all input labels of the first state of the j-th label transition model;

Figure FDA0002292482100000023

denotes the initial states of the n label transition models, that is,

Figure FDA0002292482100000024

denotes s_0 of the first label transition model and

Figure FDA0002292482100000025

denotes s_0 of the n-th label transition model;

S_1, S_2, ..., S_n in S_1 ∪ S_2 ∪ ... ∪ S_n ∪ S_M denote the state sets of the i-th to n-th label transition models;

Step 2: establish an event database on the cloud server; the data in the event database comprises standard-protocol data, possible operation flows and abnormal action flows, and the event database directly accesses the IDS event analyzer;
the standard-protocol data are the descriptions of the standard protocols by means of the composable label transition model;
the possible operation flows are data created from the standard-protocol data;
the abnormal action flows are data of known abnormal intrusion events;

Step 3: collect control-flow data on the Internet of Things through the event monitor, repackage the control-flow data according to requirements into requirement-packaged data, and send it to the event database and the IDS event analyzer;

Step 41: the IDS event analyzer receives the requirement-packaged data, analyzes its information, identifies the IoT devices among the network devices, generates a network topology view, and then records the ID information of the identified IoT devices;

Step 42: the IDS event analyzer first groups the requirement-packaged data according to the network topology view and the ID information; the grouping step is: data packets with the same session ID are placed in one group, and the packets with the same session ID are ordered chronologically according to protocol type, producing grouped data; then the IDS event analyzer converts each group of grouped data into a transition event stream through the composable label transition model; the specific steps are: obtain the protocol type of the message sequence in each group from the protocol type of the packets with the same session ID, compare the protocol type of the message sequence with the standard-protocol data to obtain the basic formalized action primitives of that protocol type, combine the action primitives with the information in each group of grouped data and represent the grouped data as automaton primitives, that is, convert each group of grouped data into a transition event stream;

Step 43: the IDS event analyzer compares the transition event stream with the abnormal action flows and performs signature-based intrusion detection;
if the transition event stream contains an event signature identical to an intrusion event signature in the abnormal action flows, it is judged to be an abnormal intrusion event and the abnormal result is output to the response unit;
if the transition event stream contains no event signature identical to a known intrusion event signature in the abnormal action flows, the transition event stream is further compared with the data in the possible operation flows to judge whether it is an abnormal intrusion event; if it is judged to be an abnormal intrusion event, the abnormal intrusion event is recorded and at the same time a judgment request is sent to the user; if the user judges it to be an abnormal intrusion event, the abnormal result is output to the response unit and the features of the abnormal intrusion event are extracted and stored in the abnormal action flow data of the event database;

Step 5: after receiving the abnormal result, the response unit generates a warning intrusion risk report.

2. The Internet of Things intrusion detection method based on finite automata according to claim 1, characterized in that in step 43 the specific method by which the transition event stream is further compared with the data in the possible operation flows to judge whether it is an abnormal intrusion event is:
compare the labels of the transition event stream with the labels in the possible operation flows, and after the comparison store in an intermediate variable the transition events whose labels are identical to labels in the possible operation flows;
when every label in the transition event stream has an identical label in the possible operation flows: if the end-point state corresponding to that label in the possible operation flow is the termination state of the corresponding label in the possible operation flow, the behaviour is judged to be safe; otherwise it is judged to be a blocking abnormal intrusion event;
when the labels of the transition event stream differ from the labels in the possible operation flows, examine the first item in the transition event stream that causes the difference; if that item is an item in the intermediate variable, the transition event stream is judged to be a replay abnormal intrusion event; otherwise it is judged to be a forged abnormal intrusion event.

3. The Internet of Things intrusion detection method based on finite automata according to claim 1 or 2, characterized in that the requirement-packaged data in step 3 comprises source IP data, destination IP data, port number data, timestamp data and protocol type data.

4. A detection system for the Internet of Things intrusion detection method based on finite automata according to claim 3, characterized in that it comprises:
a modeling unit for establishing the composable label transition model;
an event database for storing the standard-protocol data, the possible operation flows and the abnormal action flows, which directly accesses the IDS event analyzer; the event database comprises:
a standard protocol library for storing the standard-protocol data, that is, the descriptions of the standard protocols by means of the composable label transition model;
a normal action library for storing the possible operation flows created from the standard-protocol data;
an abnormal action library for storing the abnormal action flows of known abnormal intrusion events;
an event monitor for collecting control-flow data on the Internet of Things, repackaging the control-flow data according to requirements into requirement-packaged data, and sending it to the event database and the IDS event analyzer;
an IDS event analyzer for converting the requirement-packaged data into a transition event stream through the composable label transition model and judging whether that transition event stream is an abnormal intrusion event; the IDS event analyzer comprises:
a network structure learning module for receiving the requirement-packaged data, analyzing its information, identifying the IoT devices among the network devices, generating a network topology view, and then recording the ID information of the identified IoT devices and sending it to the action flow abstraction module;
an action flow abstraction module for receiving the network topology view and the ID information, first grouping the requirement-packaged data according to the network topology view and the ID information, and then converting each group into a transition event stream through the composable label transition model;
an intrusion detection module for detecting abnormal intrusion events in the transition event stream and outputting the abnormal result;
a response unit for generating a warning intrusion risk report after receiving the abnormal result.

5. The detection system for the Internet of Things intrusion detection method based on finite automata according to claim 4, characterized in that the intrusion detection module comprises a detection and analysis sub-module for comparing the labels of the transition event stream with the labels in the possible operation flows and, after the comparison, storing in an intermediate variable the transition events whose labels are identical to labels in the possible operation flows;
when every label in the transition event stream has an identical label in the possible operation flows: if the end-point state corresponding to that label in the possible operation flow is the termination state of the corresponding label in the possible operation flow, the behaviour is judged to be safe; otherwise it is judged to be a blocking abnormal intrusion event;
when the labels of the transition event stream differ from the labels in the possible operation flows, examine the first item in the transition event stream that causes the difference; if that item is an item in the intermediate variable, the transition event stream is judged to be a replay abnormal intrusion event; otherwise it is judged to be a forged abnormal intrusion event.
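The following is an added worked example, not code from the patent, showing the session grouping of step 42 followed by the four-way judgment of claims 2 and 5 (safe, blocking, replay, forged) over a constructed toy device-control protocol. The label comparison is read here as a walk through the possible-operation-flow automaton; the protocol, state names, packet fields and sessions are all constructed assumptions.

```python
"""Constructed example of the claimed analysis: group packets by session ID
(step 42), then classify each transition event stream (claim 2 / claim 5).
Added illustration, not the patent's code; protocol, labels and packets are
constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class OperationFlow:
    """A possible operation flow as a label transition model: (state, label)
    pairs map to the next state; `terminal` holds the termination states."""
    initial: str
    transitions: dict
    terminal: frozenset

    def labels(self) -> frozenset:
        return frozenset(label for _, label in self.transitions)


# Constructed possible operation flow for a toy device-control session.
TOY_FLOW = OperationFlow(
    initial="idle",
    transitions={
        ("idle", "connect"): "connected",
        ("connected", "auth_ok"): "authed",
        ("authed", "set_state"): "pending",
        ("pending", "ack"): "authed",
        ("authed", "disconnect"): "idle",
    },
    terminal=frozenset({"idle"}),
)


def group_by_session(packets: list) -> dict:
    """Step 42: packets with the same session ID form one group, ordered by
    timestamp; each group becomes a transition event stream (list of labels).
    The label each packet carries is assumed to have been assigned already
    by the action-flow abstraction."""
    groups = defaultdict(list)
    for p in packets:
        groups[p["session_id"]].append(p)
    return {sid: [p["label"] for p in sorted(pkts, key=lambda p: p["ts"])]
            for sid, pkts in groups.items()}


def judge(stream: list, flow: OperationFlow) -> tuple:
    """Claim-2 judgment. Returns (verdict, index of first difference or None).
    Events whose label exists in the flow go into the intermediate variable.
    If the walk consumes the whole stream: 'safe' when the end point is a
    termination state, else 'blocking'. At the first item that departs from
    the flow: 'replay' when that item is in the intermediate variable (a known
    label out of sequence), 'forged' otherwise (a label the flow never defines)."""
    intermediate = [ev for ev in stream if ev in flow.labels()]
    state = flow.initial
    for idx, label in enumerate(stream):
        nxt = flow.transitions.get((state, label))
        if nxt is None:  # first item that causes a difference
            return ("replay" if label in intermediate else "forged"), idx
        state = nxt
    return ("safe" if state in flow.terminal else "blocking"), None


def pkt(sid, ts, label):
    """Constructed packet record with only the fields this example needs."""
    return {"session_id": sid, "ts": ts, "proto": "toy", "label": label}


# Constructed capture: one session per verdict; s3's timestamps arrive out of
# order to show the chronological sort, and its 4th event repeats set_state.
PACKETS = [
    pkt("s1", 1, "connect"), pkt("s1", 2, "auth_ok"), pkt("s1", 3, "set_state"),
    pkt("s1", 4, "ack"), pkt("s1", 5, "disconnect"),
    pkt("s2", 1, "connect"), pkt("s2", 2, "auth_ok"), pkt("s2", 3, "set_state"),
    pkt("s3", 4, "set_state"), pkt("s3", 1, "connect"), pkt("s3", 2, "auth_ok"),
    pkt("s3", 3, "set_state"),
    pkt("s4", 1, "connect"), pkt("s4", 2, "firmware_flash"),
]


def analyse(packets: list, flow: OperationFlow = TOY_FLOW) -> dict:
    """Grouping followed by judgment: {session_id: (verdict, index)}."""
    return {sid: judge(stream, flow)
            for sid, stream in group_by_session(packets).items()}
```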
CN201710158735.0A 2017-03-17 2017-03-17 Internet of things intrusion detection method and detection system based on finite automaton Active CN107135093B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710158735.0A CN107135093B (en) 2017-03-17 2017-03-17 Internet of things intrusion detection method and detection system based on finite automaton

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710158735.0A CN107135093B (en) 2017-03-17 2017-03-17 Internet of things intrusion detection method and detection system based on finite automaton

Publications (2)

Publication Number Publication Date
CN107135093A CN107135093A (en) 2017-09-05
CN107135093B true CN107135093B (en) 2020-05-05

Family

ID=59721154

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710158735.0A Active CN107135093B (en) 2017-03-17 2017-03-17 Internet of things intrusion detection method and detection system based on finite automaton

Country Status (1)

Country Link
CN (1) CN107135093B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12438774B2 (en) 2018-12-31 2025-10-07 Palo Alto Networks, Inc. Multi-layered policy management

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9774604B2 (en) 2015-01-16 2017-09-26 Zingbox, Ltd. Private cloud control
US10212178B2 (en) 2015-04-07 2019-02-19 Zingbox, Ltd. Packet analysis based IoT management
US10380348B2 (en) 2016-11-21 2019-08-13 ZingBox, Inc. IoT device risk assessment
US11070568B2 (en) 2017-09-27 2021-07-20 Palo Alto Networks, Inc. IoT device management visualization
US11082296B2 (en) 2017-10-27 2021-08-03 Palo Alto Networks, Inc. IoT device grouping and labeling
US11443230B2 (en) 2018-01-26 2022-09-13 Cisco Technology, Inc. Intrusion detection model for an internet-of-things operations environment
CN110166409B (en) * 2018-02-13 2021-12-28 华为技术有限公司 Device access method, related platform and computer storage medium
CN112640381B (en) * 2018-06-18 2024-03-08 帕洛阿尔托网络公司 Methods and systems for detecting undesirable behavior of Internet of Things devices
CN109067763B (en) 2018-08-29 2020-05-29 阿里巴巴集团控股有限公司 Safety detection method, equipment and device
US12294482B2 (en) 2018-09-04 2025-05-06 Palo Alto Networks, Inc. IoT application learning
EP3867756A4 (en) 2018-10-15 2022-07-06 Palo Alto Networks, Inc. MULTIDIMENSIONAL PERIODICITY DETECTION OF IOT DEVICE BEHAVIOR
US11451571B2 (en) 2018-12-12 2022-09-20 Palo Alto Networks, Inc. IoT device risk assessment and scoring
CN109818793A (en) * 2019-01-30 2019-05-28 基本立子(北京)科技发展有限公司 For the device type identification of Internet of Things and network inbreak detection method
CN109947835B (en) * 2019-03-12 2023-05-23 东华大学 Printing and dyeing quotation structured demand data extraction method based on finite state automaton
CN111447115B (en) * 2020-03-25 2021-08-27 北京奥陌科技有限公司 State monitoring method for entity of Internet of things
US11115799B1 (en) 2020-06-01 2021-09-07 Palo Alto Networks, Inc. IoT device discovery and identification
US12302451B2 (en) 2020-06-01 2025-05-13 Palo Alto Networks, Inc. IoT security policy on a firewall
US20220174076A1 (en) * 2020-11-30 2022-06-02 Microsoft Technology Licensing, Llc Methods and systems for recognizing video stream hijacking on edge devices
CN112737865B (en) * 2021-01-18 2022-05-03 清华大学 Internet of things equipment flow modeling and detecting method and device based on automaton
CN113158184B (en) * 2021-03-03 2023-05-19 中国人民解放军战略支援部队信息工程大学 Attack script generation method and related device based on finite state automata
US11552975B1 (en) 2021-10-26 2023-01-10 Palo Alto Networks, Inc. IoT device identification with packet flow behavior machine learning model
US12301600B2 (en) 2022-01-18 2025-05-13 Palo Alto Networks, Inc. IoT device identification by machine learning with time series behavioral and statistical features
CN118316736B (en) * 2024-06-07 2024-08-06 中国电子科技网络信息安全有限公司 Network threat active defense system and method based on large model

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7356663B2 (en) * 2004-11-08 2008-04-08 Intruguard Devices, Inc. Layered memory architecture for deterministic finite automaton based string matching useful in network intrusion detection and prevention systems and apparatuses
CN101976313A (en) * 2010-09-19 2011-02-16 四川大学 Frequent subgraph mining based abnormal intrusion detection method
CN102184197A (en) * 2011-04-22 2011-09-14 湖南亿谷信息科技发展有限公司 Regular expression matching method based on smart finite automaton (SFA)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10009372B2 (en) * 2014-07-23 2018-06-26 Petabi, Inc. Method for compressing matching automata through common prefixes in regular expressions
US20160381076A1 (en) * 2015-06-23 2016-12-29 Avocado Systems Inc. Service level agreements and application defined security policies for application and data security registration

Also Published As

Publication number Publication date
CN107135093A (en) 2017-09-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant