
CN119094216B - An Internet of Things network intrusion detection method, device, medium and product - Google Patents

Info

Publication number
CN119094216B
Authority
CN
China
Prior art keywords
network
bytes
per
data
internet
Prior art date
Legal status (assumed by Google, not a legal conclusion)
Active
Application number
CN202411282290.3A
Other languages
Chinese (zh)
Other versions
CN119094216A (en)
Inventor
陶醉
聂来森
袁奇恩东
范瑞鹏
张俊
Current Assignee (listed assignees may be inaccurate)
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University
Application filed by Northwestern Polytechnical University
Priority to CN202411282290.3A
Publication of CN119094216A
Application granted
Publication of CN119094216B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses an Internet of Things network intrusion detection method, device, medium and product, which relate to the field of network intrusion detection technology. The method introduces digital twin technology to perceive and predict network traffic data, combines network traffic feature data to construct a training data set, and then uses the K clustering algorithm to mark the difficult-to-distinguish samples in the training data set. Finally, by controlling the reward value of the deep learning network model, the detection accuracy of the difficult-to-distinguish samples is improved, thereby achieving high-precision intrusion detection as a whole.

Description

Internet of things network intrusion detection method, equipment, medium and product
Technical Field
The application relates to the technical field of network intrusion detection, in particular to an Internet of things network intrusion detection method, equipment, medium and product based on deep reinforcement learning and K clustering.
Background
The Internet of Things connects various objects (sensors, intelligent equipment and so on) through the Internet, so that changes in the state of these objects can be sensed and processed at any moment and a series of automated operations such as intelligent management and monitoring of the objects can finally be realised. The continuous expansion of the Internet of Things makes its network security problems increasingly prominent. How to secure the Internet of Things, guarantee its rapid development and further provide safe, reliable, intelligent and efficient services to people is a problem that needs to be solved at present. Intrusion detection is an active defence means: by actively monitoring the current environment in real time, raising alarms on malicious behaviour in it and then taking corresponding measures, it plays a vital role in improving the network and information security of the Internet of Things and has become a current research hotspot.
In the field of IoT network intrusion detection, researchers have carried out a great deal of work and achieved certain results, and IDS efficiency has further increased with the development of artificial intelligence technology. A wide range of AI techniques is applicable to network intrusion detection: machine learning methods such as random forests, principal component analysis and support vector machines are widely used to detect abnormal behaviour patterns in a network. However, traditional machine learning suffers from a high false alarm rate, a low detection rate and difficulty in handling large data volumes.
In addition, the Internet of Things is applied in a very wide range of fields, and such a wide range of application scenarios means that IoT network architectures and communication processes are more complex; with the development of network technology and artificial intelligence, network attack techniques also keep advancing. In a complex IoT network environment, facing attack techniques that are continuously updated and iterated, achieving high accuracy is one of the main challenges for intrusion detection technology in current IoT networks.
Disclosure of Invention
The application aims to provide an Internet of things network intrusion detection method, equipment, medium and product, which can effectively improve the accuracy of Internet of things network intrusion detection and the intrusion detection performance.
In order to achieve the above object, the present application provides the following solutions:
in a first aspect, the present application provides a method for detecting network intrusion of the internet of things, including:
Constructing a training data set according to network flow characteristic data and a network flow predicted value, wherein the network flow characteristic data is obtained by extracting characteristics of network communication data of the Internet of things, and the network flow predicted value is obtained by processing the network flow characteristic data by utilizing a digital twin technology;
Processing the training data set by adopting a K clustering algorithm to obtain a difficult-to-separate sample set;
Selecting a current moment state from the training data set, and selecting a current moment action corresponding to the current moment state by using a greedy strategy, wherein the current moment state represents the network flow characteristic data and the network flow predicted value at the current moment, and the current moment action represents that the Internet of things is invaded at the current moment or the Internet of things is normal at the current moment;
Calculating a current time reward obtained after executing the current time action, and obtaining a next time state, wherein the current time reward is determined according to a reward coefficient, the reward coefficient is determined according to a first judgment result, and the first judgment result indicates whether the network flow characteristic data and the network flow predicted value at the current time belong to the difficult-to-separate sample set or not;
Constructing a state transition quadruple according to the current time state, the current time action, the current time rewards and the next time state, and storing the state transition quadruple into an experience playback pool;
selecting a plurality of state transition quadruples from the experience playback pool as training samples, and training a deep learning network model;
and predicting whether the Internet of things is invaded according to the trained deep learning network model.
Optionally, the network traffic characteristic data includes:
  • the number of network flows per second;
  • the number of data packets per second;
  • the total, average and standard deviation of data packet header bytes per second;
  • the total, average and standard deviation of data packet payload bytes per second;
  • the number of forward transmitted data packets per second;
  • the total, average and standard deviation of forward transmitted packet header bytes per second;
  • the total, average and standard deviation of forward transmitted packet payload bytes per second;
  • the number of reverse transmitted data packets per second;
  • the total, average and standard deviation of reverse transmitted packet header bytes per second;
  • the number of TCP data packets per second;
  • the total and standard deviation of TCP packet header bytes per second;
  • the number of UDP data packets per second;
  • the total, average and standard deviation of UDP packet header bytes per second;
  • the average and standard deviation of the data packet time interval;
  • the average and standard deviation of the forward data packet time interval;
  • the number of ACK flags.
Optionally, before performing the step of constructing a training data set according to the network traffic characteristic data and the network traffic predicted value, the internet of things network intrusion detection method further includes:
And carrying out normalization processing on the network flow characteristic data and the network flow predicted value.
Optionally, a K clustering algorithm is adopted to process the training data set to obtain a difficult-to-separate sample set, which specifically comprises:
Randomly selecting a sample from the training data set as an initial cluster center;
Calculating a first distance between all samples in the training data set and the initial clustering center;
Calculating the probability of each sample being selected as a cluster center according to the first distance;
selecting a plurality of new initial clustering centers according to the probability to serve as first clustering centers;
Calculating a second distance between each sample and each first cluster center;
Dividing the sample into corresponding clusters according to the second distance;
calculating the average value of all sample points in each cluster, taking the average value as a new first cluster center, and returning to the step of calculating the second distance between each sample and each first cluster center;
when the preset iteration condition is met, a clustering result is obtained;
determining an attack sample set and a benign sample set according to the clustering result;
the difficult-to-separate sample set is determined from the attack sample set and the benign sample set.
Optionally, the current time reward is expressed as a function $r_t(s_t,a_t)$, where $s_t$ is the state at the current time $t$, $a_t$ is the action at the current time $t$, $\lambda(t)$ is the reward coefficient at the current time $t$, $r$ is the base reward, $H_I$ is the difficult-to-separate sample set, and $v$ is the difficult-to-separate sample reward coefficient.
Optionally, the deep learning network model is a DQN network.
Optionally, the loss function of the deep learning network model is:
$$L(\theta)=\mathbb{E}\left[\left(r_t+\gamma\max_{a_{t+1}}Q(s_{t+1},a_{t+1};\theta')-Q(s_t,a_t;\theta)\right)^2\right];$$
where $r_t$ is the reward at the current time $t$, $\gamma$ is the reward decay factor, $Q(s_{t+1},a_{t+1};\theta')$ is the Q value computed by the target network of the DQN after performing an action in the state $s_{t+1}$ at time $t+1$, $\theta'$ is the target network parameter, $Q(s_t,a_t;\theta)$ is the Q value computed by the Q network of the DQN after performing the action $a_t$ in the current state $s_t$, and $\theta$ is the Q network parameter.
In a second aspect, the application provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the computer program to implement a method of intrusion detection for the internet of things according to any one of the first aspects.
In a third aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method for intrusion detection of the internet of things network according to any one of the first aspects above.
In a fourth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements a method for intrusion detection of an internet of things network according to any one of the first aspects above.
According to the specific embodiment provided by the application, the application discloses the following technical effects:
The application provides a network intrusion detection method, equipment, medium and product of the Internet of things, which are characterized in that network flow data are perceived and predicted by introducing a digital twin technology, a training data set is constructed by combining network flow characteristic data, difficult-to-separate samples in the training data set are marked by using a K clustering algorithm, and finally the detection accuracy of the difficult-to-separate samples is improved by controlling the reward value of a deep learning network model, so that high-precision intrusion detection is realized on the whole.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application environment diagram of an intrusion detection method for an internet of things network in embodiment 1 of the present application;
fig. 2 is a flow chart of an intrusion detection method for an internet of things according to embodiment 1 of the present application;
FIG. 3 is a schematic diagram of an intrusion detection procedure based on DQN in embodiment 1 of the present application;
Fig. 4 is a schematic structural diagram of a computer device according to embodiment 2 of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The foregoing objects, features, and advantages of the application will be more readily apparent from the following detailed description of the application when taken in conjunction with the accompanying drawings and detailed description.
Example 1
The Internet of Things network intrusion detection method provided by the embodiment of the application can be applied to the application environment shown in Fig. 1, in which the terminal 102 communicates with the server 104 via a network. The data storage system may store the data that the server 104 needs to process; it may be provided separately, integrated on the server 104, or placed on a cloud or other server. The terminal 102 can send original IoT network communication data to the server 104. After receiving it, the server 104 performs feature extraction on the network communication data to obtain network traffic feature data, processes the feature data with a digital twin technology to obtain a network traffic predicted value, processes the training data set comprising the feature data and the predicted value with a K clustering algorithm to obtain the difficult-to-separate sample set, and then constructs a deep learning network model. It selects a current time state from the training data set, selects the corresponding current time action with a greedy strategy, calculates the current time reward obtained after executing that action, obtains the next time state, forms a state transition quadruple, trains the deep learning network model with a plurality of such quadruples and, when training is complete, outputs the detection result, namely whether the Internet of Things is invaded. The server 104 may feed the detection result back to the terminal 102.
In addition, in some embodiments, the method for detecting the network intrusion of the internet of things may be implemented by the server 104 or the terminal 102 alone, for example, the terminal 102 may directly detect the network communication data by using the method for detecting the network intrusion of the internet of things, or the server 104 may acquire the network communication data from the data storage system and detect the network communication data by using the method for detecting the network intrusion of the internet of things.
The terminal 102 may be, but not limited to, various desktop computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or a server cluster composed of a plurality of servers, or may be a cloud server.
In an exemplary embodiment, as shown in fig. 2, the present embodiment provides a method for detecting network intrusion of the internet of things, where the method is executed by a computer device, specifically, may be executed by a computer device such as a terminal or a server, or may be executed by the terminal and the server together, and in an embodiment of the present application, the method is applied to the server 104 in fig. 1 and is described as an example, and includes the following steps 1) to 3). Wherein:
1) Building a training data set:
Step 201, extracting features of the network communication data and processing the network communication data by utilizing a digital twin technology to obtain network flow feature data and a network flow predicted value.
The collected original network communication data is preprocessed in the network management center with the CICFlowMeter flow feature extraction tool, which generates network flow feature data from the communication data between every source IP and destination IP over a period of time.
And processing the network flow characteristic data by a digital twin technology to obtain a network flow predicted value.
The network traffic characteristic data and the network traffic prediction values are combined to form 40 data characteristic types as used in the present embodiment shown in table 1.
Table 1 simulation verification of features used
Step 202, normalizing the obtained network flow characteristic data and the network flow predicted value in the network management center, the mathematical expression being:
$$X'=\frac{X-X_{\min}}{X_{\max}-X_{\min}}$$
where $X'$ represents the normalized result of the selected feature, $X$ the attribute value of the selected feature, $X_{\max}$ the maximum value of the feature and $X_{\min}$ the minimum value of the feature.
And 203, constructing a training data set according to the normalized network flow characteristic data and the network flow predicted value.
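As an added example (not the patent's own code, and not CICFlowMeter), the following Python computes a subset of the per-second statistics from the disclosure's feature list over a constructed packet trace and then applies the min-max normalisation of step 202. The record layout, the one-second bucketing and the handling of a constant feature are this example's assumptions; the digital twin prediction value is not modelled here.

```python
"""Added example, not the patent's own code: a subset of the per-second flow
statistics listed in the disclosure, computed from a constructed packet trace,
followed by the min-max normalisation of step 202."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records for illustration (not captured traffic):
# (timestamp_s, flow_id, direction, protocol, header_bytes, payload_bytes, ack_flag)
# direction "fwd" = client to server, "bwd" = server to client.
PACKETS = [
    (0.05, "A", "fwd", "TCP", 40, 0, True),
    (0.10, "A", "bwd", "TCP", 40, 0, True),
    (0.20, "A", "fwd", "TCP", 32, 512, True),
    (0.45, "B", "fwd", "UDP", 8, 100, False),
    (0.80, "A", "bwd", "TCP", 32, 1400, True),
    (1.10, "B", "bwd", "UDP", 8, 60, False),
    (1.30, "C", "fwd", "TCP", 40, 0, False),
    (1.75, "C", "fwd", "TCP", 32, 300, True),
]


def _stats(values):
    """(total, mean, population std) of a list of byte counts; zeros for an empty window."""
    if not values:
        return 0, 0.0, 0.0
    return sum(values), mean(values), pstdev(values)


def _iat(timestamps):
    """Mean and population std of the inter-arrival gaps of a sorted timestamp list."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return (mean(gaps), pstdev(gaps)) if gaps else (0.0, 0.0)


def per_second_features(packets):
    """Bucket packets into one-second windows (the 'per second' of the feature list)
    and compute, per window: flows/s, packets/s, header and payload byte totals,
    means and stds, the same header statistics per direction and per protocol,
    packet and forward inter-arrival time statistics, and the ACK flag count."""
    windows = defaultdict(list)
    for p in sorted(packets):
        windows[int(p[0])].append(p)
    rows = {}
    for sec, pk in sorted(windows.items()):
        f = {"flows_per_s": len({p[1] for p in pk}), "pkts_per_s": len(pk)}
        f["hdr_total"], f["hdr_mean"], f["hdr_std"] = _stats([p[4] for p in pk])
        f["pay_total"], f["pay_mean"], f["pay_std"] = _stats([p[5] for p in pk])
        for d in ("fwd", "bwd"):
            sub = [p for p in pk if p[2] == d]
            f[d + "_pkts"] = len(sub)
            f[d + "_hdr_total"], f[d + "_hdr_mean"], f[d + "_hdr_std"] = _stats([p[4] for p in sub])
        for proto in ("TCP", "UDP"):
            sub = [p for p in pk if p[3] == proto]
            f[proto + "_pkts"] = len(sub)
            f[proto + "_hdr_total"], f[proto + "_hdr_mean"], f[proto + "_hdr_std"] = _stats([p[4] for p in sub])
        f["iat_mean"], f["iat_std"] = _iat([p[0] for p in pk])
        f["fwd_iat_mean"], f["fwd_iat_std"] = _iat([p[0] for p in pk if p[2] == "fwd"])
        f["ack_count"] = sum(1 for p in pk if p[6])
        rows[sec] = f
    return rows


def min_max_normalize(rows):
    """Step 202: X' = (X - X_min) / (X_max - X_min) per feature across all windows.
    A feature that is constant over the data is mapped to 0.0 (avoids a zero divisor;
    this choice is the example's, the page does not state one)."""
    keys = next(iter(rows.values())).keys()
    out = {sec: {} for sec in rows}
    for k in keys:
        lo = min(r[k] for r in rows.values())
        hi = max(r[k] for r in rows.values())
        for sec, r in rows.items():
            out[sec][k] = 0.0 if hi == lo else (r[k] - lo) / (hi - lo)
    return out


if __name__ == "__main__":
    for sec, f in min_max_normalize(per_second_features(PACKETS)).items():
        print(sec, {k: round(v, 3) for k, v in f.items()})
```

Normalising per feature across windows is what makes the later distance-based clustering meaningful: without it, byte totals in the thousands would dominate packet counts and time intervals in the K-Means distances.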
2) Difficult-to-separate sample marking based on K clustering algorithm:
And 204, processing the training data set by adopting a K clustering algorithm to obtain a difficult-to-separate sample set, wherein the K-Means algorithm is preferably adopted in the embodiment.
The specific process of step 204 includes:
Step 204-1, in the network management center, randomly selecting one sample from the preprocessed training data set $X$ as the initial cluster center $c_1$.
Step 204-2, calculating the first distance $d_j$, $j\in X$, from every sample in $X$ to the initial cluster center $c_1$.
Step 204-3, calculating from the first distances the probability $p_j$ that each sample is selected as a cluster center.
Step 204-4, selecting $K$ new initial cluster centers $c_i$, $i=1,\dots,K$, according to the probability, as the first cluster centers.
Step 204-5, calculating the second distance $d_{ji}=\|x_j-c_i\|^2$ between each sample $x_j$ of the training data set $X$ and each cluster center $c_i$.
Step 204-6, determining the partition of sample $x_j$ from the second distances, $\lambda_j=\arg\min_{i=1,\dots,K} d_{ji}$, and placing the sample in the corresponding cluster, $C_{\lambda_j}=C_{\lambda_j}\cup\{x_j\}$.
Step 204-7, calculating the mean of all sample points in each cluster, taking it as the new first cluster center, and returning to step 204-5.
Step 204-8, obtaining the clustering result $\{C_1,C_2,\dots,C_K\}$ once the preset iteration condition is met.
Step 204-9, obtaining the attack sample set $A_k$ and the benign sample set $N_k$ within every cluster of $\{C_1,C_2,\dots,C_K\}$.
Step 204-10, obtaining the difficult-to-separate sample set from the attack sample sets and the benign sample sets:
$$H_I=A_i\cup N_j,\qquad i=\arg\min_{k=1,\dots,K}|A_k|,\qquad j=\arg\min_{k=1,\dots,K}|N_k|.$$
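The seeding, iteration and difficult-sample selection of steps 204-1 to 204-10, as an added example in Python (not the patent's own code). The seeding probability is assumed proportional to the squared distance to the nearest centre already chosen (k-means++), since the page's formula for $p_j$ is not reproduced; clusters that contain no attack (or no benign) members are skipped when taking the arg min, which the page does not specify; and the 2-D sample set is constructed.

```python
"""Added example (not the patent's own code): K-Means with the seeding of steps
204-1 to 204-4, the iteration of steps 204-5 to 204-8 and the difficult-to-separate
sample selection of steps 204-9 and 204-10, in pure Python."""
import random


def _sq_dist(a, b):
    """Squared Euclidean distance ||a - b||^2 between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def seed_centers(X, K, rng):
    """Steps 204-1..204-4: one random initial centre c_1, then further centres drawn
    with probability p_j proportional to the squared distance d_j to the nearest
    centre already chosen (k-means++; the exact formula for p_j is this example's
    assumption, the page does not reproduce it)."""
    centers = [X[rng.randrange(len(X))]]
    while len(centers) < K:
        d = [min(_sq_dist(x, c) for c in centers) for x in X]
        total = sum(d)
        if total == 0.0:  # every sample coincides with a chosen centre
            centers.append(X[rng.randrange(len(X))])
            continue
        r, acc = rng.random() * total, 0.0
        for x, dj in zip(X, d):
            acc += dj
            if acc >= r:
                centers.append(x)
                break
    return centers


def kmeans(X, K, rng, max_iter=100, tol=1e-12):
    """Steps 204-5..204-8: assign x_j to the centre with the smallest second distance
    d_ji (lambda_j = argmin_i d_ji), recompute each centre as its cluster mean, and
    stop when no centre moves more than tol (the preset iteration condition)."""
    centers = seed_centers(X, K, rng)
    assign = [0] * len(X)
    for _ in range(max_iter):
        assign = [min(range(K), key=lambda i: _sq_dist(x, centers[i])) for x in X]
        new_centers = []
        for i in range(K):
            members = [x for x, a in zip(X, assign) if a == i]
            if members:
                new_centers.append(tuple(sum(col) / len(members) for col in zip(*members)))
            else:
                new_centers.append(centers[i])  # keep an emptied cluster's old centre
        shift = max(_sq_dist(c, n) for c, n in zip(centers, new_centers))
        centers = new_centers
        if shift < tol:
            break
    return centers, assign


def hard_sample_set(X, y, K, seed=0):
    """Steps 204-9/204-10: split each cluster into attack members A_k (y == 1) and
    benign members N_k (y == 0); H_I = A_i U N_j with i = argmin |A_k|, j = argmin |N_k|.
    Clusters with no members of a class are skipped in the argmin (example's choice)."""
    rng = random.Random(seed)
    _, assign = kmeans(X, K, rng)
    A = {k: [n for n, (c, lab) in enumerate(zip(assign, y)) if c == k and lab == 1] for k in range(K)}
    N = {k: [n for n, (c, lab) in enumerate(zip(assign, y)) if c == k and lab == 0] for k in range(K)}
    i = min((k for k in A if A[k]), key=lambda k: len(A[k]))
    j = min((k for k in N if N[k]), key=lambda k: len(N[k]))
    return sorted(set(A[i]) | set(N[j]))


# Constructed 2-D sample set: a benign cluster near the origin, an attack cluster
# near (20, 20), two attacks that sit among the benign traffic and one benign sample
# that sits among the attacks. Indices 11, 12 and 13 are the expected H_I.
X = [(0.0, 0.1), (0.2, 0.0), (0.1, 0.3), (0.3, 0.2), (0.0, 0.4), (0.4, 0.1),
     (20.0, 20.1), (20.2, 19.9), (19.8, 20.3), (20.3, 20.2), (19.9, 19.7),
     (0.5, 0.5), (0.6, 0.2), (19.5, 19.6)]
Y = [0] * 6 + [1] * 5 + [1, 1, 0]

if __name__ == "__main__":
    print(hard_sample_set(X, Y, K=2))
```

The selection rule picks the attack samples of the cluster where attacks are rarest and the benign samples of the cluster where benign traffic is rarest, i.e. exactly the samples that fall on the "wrong" side of the clustering and that a detector is most likely to misclassify; these are the ones the reward coefficient later up-weights.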
3) Intrusion detection based on deep learning network model:
Step 205, selecting a current time state from the training data set and selecting the current time action corresponding to it using a greedy strategy, where the current time state represents the network flow characteristic data and the network flow predicted value at the current time, and the current time action represents either that the Internet of Things is invaded at the current time or that it is normal at the current time; in this embodiment the ε-greedy strategy is preferred.
Step 206, calculating the current time reward obtained after executing the current time action and obtaining the next time state, where the current time reward is determined according to a reward coefficient, the reward coefficient is determined according to a first judgment result, and the first judgment result indicates whether the network flow characteristic data and the network flow predicted value at the current time belong to the difficult-to-separate sample set or not.
And step 207, constructing a state transition quadruple according to the current time state, the current time action, the current time rewards and the next time state, and storing the state transition quadruple into an experience playback pool.
Step 208, selecting a plurality of state transition quadruples from the experience playback pool as training samples and training the deep learning network model.
And step 209, predicting whether the Internet of things is invaded according to the trained deep learning network model.
The deep learning network model in this embodiment may be a convolutional neural network, a generating countermeasure network, a self-encoder, or the like.
Although this detection method can improve the accuracy and performance of IoT network intrusion detection, the inventors also found that, owing to the characteristics of the Internet of Things, a great variety of nodes are deployed in it, their number and scale are far larger than those of the Internet, and the ubiquitous terminal devices and application processes generate massive data flows. An excellent network intrusion detection technique must be able to process the massive data of the Internet of Things effectively. Secondly, because of the limited storage and computing resources of IoT network nodes, traditional intrusion detection techniques are not suited to IoT networks: a complex network behaviour modelling process and model training that needs more computing resources place a heavy burden on a node and affect its normal operation.
Therefore, in order to further realize efficient network behavior modeling and lightweight intrusion detection on the basis of being capable of improving the accuracy of network intrusion detection of the internet of things, the DQN network model is preferably used as a deep learning network model in the embodiment.
To make the present embodiment more clear to a person skilled in the art, the intrusion detection process based on the DQN network model is specifically explained in connection with fig. 3.
(1) Intrusion detection is performed with DQN in the network management center on the labelled data set (that is, the training data set which, after processing with the K clustering algorithm, contains the difficult-to-separate sample set); a target network with parameters $\theta'$, an online Q network with parameters $\theta$ and an experience replay pool $R$ are established.
(2) The current state $s_t=\{X'(t),F(t)\}$ is obtained, where $X'(t)$ denotes the network traffic predicted value and $F(t)$ the network traffic feature.
(3) An $\varepsilon$-greedy strategy is adopted: the exploration rate is set to $\varepsilon_i=\varepsilon$; with probability $\varepsilon_i$ a random action $a_t$ is selected, otherwise $a_t=\arg\max_a Q(s_t,a;\theta)$. The environment feeds back a reward value $r_t$ for action $a_t$ and transfers to the next state $s_{t+1}$, and the state transition tuple $(s_t,a_t,r_t,s_{t+1})$ is stored in $R$. In the reward value formula, $\lambda(t)$ denotes the reward coefficient at time $t$ and $r$ the base reward; in the expression for $\lambda(t)$, $H_I$ denotes the difficult-to-separate sample set and $v$ the difficult-to-separate sample reward coefficient.
(4) A batch of tuples is randomly sampled from $R$ and the Q network parameters $\theta$ are updated according to the loss function
$$L(\theta)=\mathbb{E}\left[\left(r_t+\gamma\max_{a_{t+1}}Q(s_{t+1},a_{t+1};\theta')-Q(s_t,a_t;\theta)\right)^2\right],$$
where $Q(s_{t+1},a_{t+1};\theta')$ is the Q value computed by the target network for the action taken in the state at time $t+1$ and $Q(s_t,a_t;\theta)$ is the Q value computed by the Q network for the action taken in the state at time $t$.
Every $e$ learning steps, the target network parameters are updated, $\theta'\leftarrow\theta$, and the local exploration rate $\varepsilon_i$ is lowered by the exploration step-down step; here $\gamma$ is the reward decay factor.
(5) The next state is set as the current state, and steps (2) to (5) are repeated $M$ times.
(6) The trained Q network is output.
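Steps (1) to (6), as an added example in Python that is not the patent's code. A Q-table over binned feature values stands in for the DQN's neural network so that the block runs without a deep-learning library; the training loop is what the passage describes: ε-greedy action choice, the difficult-sample reward coefficient λ(t) (assumed here to equal v on H_I and 1 elsewhere, with a ±r base reward for a correct or incorrect action), a replay pool, target synchronisation every e updates with an ε step-down, and evaluation with the accuracy, precision, recall, false alarm rate and F1 metrics defined further down. The states, labels and the set H_I are constructed.

```python
"""Added example (not the patent's own code): the DQN-style training loop of steps
(1) to (6) with the difficult-sample reward coefficient, an experience replay pool, a
target copy synchronised every e updates and an epsilon step-down. A Q-table over
binned features replaces the neural network so the block runs without a DL library."""
import random

# Constructed, already normalised two-feature states with labels (1 = attack, 0 = normal).
STATES = [(0.05, 0.10), (0.10, 0.05), (0.20, 0.15), (0.15, 0.25),   # clear benign
          (0.90, 0.85), (0.85, 0.95), (0.80, 0.90), (0.95, 0.80),   # clear attack
          (0.50, 0.45),                                             # hard attack
          (0.40, 0.45)]                                             # hard benign
LABELS = [0, 0, 0, 0, 1, 1, 1, 1, 1, 0]
HARD = {8, 9}        # indices in the difficult-to-separate set H_I (output of the K-Means step)
ACTIONS = (0, 1)     # 0 = "the IoT is normal", 1 = "the IoT is invaded"


def reward(t, a, base_r=1.0, v=3.0):
    """r_t = lambda(t) * r. Assumed here: lambda(t) = v if sample t is in H_I else 1,
    and the base reward r is +base_r for a correct action, -base_r otherwise."""
    lam = v if t in HARD else 1.0
    return lam * (base_r if a == LABELS[t] else -base_r)


def bin_state(s, bins=10):
    """Discretise a normalised state so a table can index it (stands in for the DQN)."""
    return tuple(min(int(x * bins), bins - 1) for x in s)


class TabularQ:
    def __init__(self):
        self.q = {}

    def get(self, s, a):
        return self.q.get((bin_state(s), a), 0.0)

    def set(self, s, a, val):
        self.q[(bin_state(s), a)] = val

    def best(self, s):
        """a = argmax_a Q(s, a); ties resolve to the first action."""
        return max(ACTIONS, key=lambda a: self.get(s, a))

    def copy(self):
        c = TabularQ()
        c.q = dict(self.q)
        return c


def train(steps=2000, gamma=0.9, lr=0.2, batch=8, eps=1.0, eps_min=0.05,
          eps_step=0.05, sync_every=50, seed=0):
    """Steps (1)-(6): online table, target table, replay pool R; epsilon-greedy action,
    reward and next state stored as (s_t, a_t, r_t, s_t+1); minibatch updates toward
    r_t + gamma * max_a Q_target(s_t+1, a); every sync_every updates copy the target
    and lower epsilon by eps_step (not below eps_min)."""
    rng = random.Random(seed)
    online, target, replay = TabularQ(), TabularQ(), []
    t = rng.randrange(len(STATES))
    for step in range(1, steps + 1):
        s = STATES[t]
        a = rng.choice(ACTIONS) if rng.random() < eps else online.best(s)
        r = reward(t, a)
        t_next = (t + 1) % len(STATES)          # the following sample is the next state
        replay.append((s, a, r, STATES[t_next]))
        t = t_next
        for bs, ba, br, bs2 in rng.sample(replay, min(batch, len(replay))):
            y = br + gamma * max(target.get(bs2, a2) for a2 in ACTIONS)
            online.set(bs, ba, online.get(bs, ba) + lr * (y - online.get(bs, ba)))
        if step % sync_every == 0:
            target = online.copy()
            eps = max(eps_min, eps - eps_step)
    return online


def evaluate(q, states=STATES, labels=LABELS):
    """Accuracy, precision, recall, false alarm rate and F1 from TP/TN/FP/FN."""
    tp = tn = fp = fn = 0
    for s, lab in zip(states, labels):
        pred = q.best(s)
        tp += int(pred == 1 and lab == 1)
        tn += int(pred == 0 and lab == 0)
        fp += int(pred == 1 and lab == 0)
        fn += int(pred == 0 and lab == 1)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"accuracy": (tp + tn) / len(states),
            "precision": prec, "recall": rec,
            "false_alarm": fp / (fp + tn) if fp + tn else 0.0,
            "f1": 2 * prec * rec / (prec + rec) if prec + rec else 0.0}


if __name__ == "__main__":
    print(evaluate(train()))
```

Because the next state is the next sample rather than a consequence of the action, the bootstrap term is identical for both actions at a given state, so the Q values of the two actions differ by 2λ(t)·r regardless of γ; the coefficient v therefore widens the margin on the difficult samples, which is the mechanism the embodiment relies on for their detection accuracy.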
According to this embodiment, network traffic data is perceived and predicted by introducing a digital twin technology; on that basis the difficult-to-separate samples in the network traffic data are marked with K-Means, and finally the accuracy of detecting those samples is improved by controlling the reward value of a Deep Q Network (DQN), so that lightweight and high-precision intrusion detection is realised as a whole.
The performance of the proposed intrusion detection method is evaluated with five performance indexes, namely Accuracy, Precision, Recall, False alarm rate and F value (F measure, F1), defined as follows:
$$\text{Accuracy}=\frac{TP+TN}{TP+TN+FP+FN},\quad \text{Precision}=\frac{TP}{TP+FP},\quad \text{Recall}=\frac{TP}{TP+FN},\quad \text{False alarm}=\frac{FP}{FP+TN},\quad F_1=\frac{2\cdot\text{Precision}\cdot\text{Recall}}{\text{Precision}+\text{Recall}}.$$
In the formulas, TP is the number of attack samples the agent correctly detects as attacks, TN the number of normal (benign) samples correctly detected as normal, FP the number of normal samples wrongly detected as attacks, and FN the number of attack samples wrongly detected as normal.
To verify the effectiveness of the proposed intrusion detection method (the DQN network model of this embodiment), this embodiment introduces existing intrusion detection methods for comparison: the Stacked Contractive Auto-Encoder and Support Vector Machine (SCAE+SVM) method, the Stacked Non-symmetric Deep Auto-Encoders (S-NDAE) method and the Vector Convolutional Deep Learning (VCDL) method.
The SCAE+SVM method extracts features with a stacked contractive auto-encoder, converting high-dimensional raw feature data into lower-dimensional data, and then classifies with a support vector machine. The S-NDAE method combines stacked non-symmetric deep auto-encoders with a random forest for efficient feature extraction and intrusion detection. The VCDL method extracts features with a convolutional neural network and performs intrusion detection by constructing a VCDL model.
Meanwhile, in order to verify the effectiveness of the proposed intrusion detection method based on K-Means and DQN combined with digital twin, the present embodiment also compares the intrusion detection method based on K-Means and DQN combined with digital twin data with the DQN based method combined with digital twin data.
The key parameters used to train the model on the CSE-CIC-IDS2018 and CIC-DDoS2019 data sets are listed in Tables 2 and 3.
TABLE 2 Training parameters on the CSE-CIC-IDS2018 data set
TABLE 3 Training parameters on the CIC-DDoS2019 data set
The experimental results are shown in Tables 4 and 5.
TABLE 4 Evaluation of intrusion detection results on CSE-CIC-IDS2018
TABLE 5 Evaluation of intrusion detection results on CIC-DDoS2019
As shown in Table 4, the method of this embodiment has the highest accuracy, precision and F value of all compared methods. Its recall is slightly lower than that of the DQN-only intrusion detection method, which shows that the K-means hard-sample marking raises accuracy, precision, false alarm rate and F1 value on CSE-CIC-IDS2018 at the cost of a slight drop in recall. Compared with SCAE+SVM, the proposed method is better in accuracy, precision, false alarm rate and F1 value, although SCAE+SVM also keeps a very low false alarm rate. The VCDL and S-NDAE methods perform poorly on CSE-CIC-IDS2018 and do not achieve effective intrusion detection. Finally, the comparison with the K-means and DQN method without digital twinning shows clearly that, once the traffic predicted by the digital twin is added as a feature, all five evaluation indexes improve markedly, which means that the traffic prediction result is a feature with a pronounced effect on detection performance for the CSE-CIC-IDS2018 data set.
According to Table 5, the method of this embodiment is highest in accuracy, recall, false alarm rate and F value, but slightly lower in precision than the three prior-art methods. Unlike on CSE-CIC-IDS2018, VCDL and S-NDAE perform well on CIC-DDoS2019: the three existing methods all exceed 97% precision, but their false alarm rates are poor, above 10%, whereas the false alarm rate of the proposed method is only 3.13%. The comparison with the K-means and DQN method without digital twinning shows that the traffic prediction feature and the K-means hard-sample marking proposed in this embodiment effectively improve intrusion detection performance on the CIC-DDoS2019 data set as well.
Tables 4 and 5 together show that the proposed method detects intrusions more accurately than the existing methods, and that K-means hard-sample marking combined with the digital twin's traffic prediction feature effectively improves detection performance. The variant without the traffic prediction feature also scores lower than the variant without hard-sample marking, which indirectly confirms that the traffic prediction feature is one of the important features for high-precision intrusion detection.
The intrusion detection method of this embodiment extracts features from the collected raw network communication data, predicts traffic with digital twin technology, merges the two kinds of feature data (the network traffic feature data and the network traffic prediction values), preprocesses them into a training data set, marks the training data set with the proposed K-means hard-sample marking method, and finally performs intrusion detection on the marked data with the proposed DQN-based method, thereby achieving high-precision, lightweight intrusion detection for the Internet of Things.
The application also provides an application scenario for the Internet of Things network intrusion detection method: industrial Internet of Things security protection. In an industrial environment, Internet of Things devices monitor and control factory equipment, sensors, robots and the like; by applying the method of this embodiment, the intrusion detection system accurately detects malicious attacks or unauthorized access attempts against the industrial control system, improving the safety and reliability of the production process.
Example 2
The present embodiment provides a computer device, which may be a server or a terminal, and an internal structure diagram thereof may be as shown in fig. 4. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer equipment is used for storing required data and a final detection result in the Internet of things network intrusion detection method. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method for intrusion detection in the internet of things network in embodiment 1.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 4 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
Example 3
The embodiment provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements a method for detecting network intrusion of the internet of things in embodiment 1 when executing the computer program.
Example 4
The present embodiment provides a computer-readable storage medium storing a computer program that when executed by a processor implements a network intrusion detection method for the internet of things in embodiment 1.
Example 5
The present embodiment provides a computer program product, including a computer program, which when executed by a processor implements a method for detecting network intrusion of the internet of things in embodiment 1.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are both information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to meet the related regulations.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may carry out the steps of the method embodiments described above. Any reference to memory, database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take various forms such as static random access memory (SRAM) or dynamic random access memory (DRAM).
The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily; for brevity, not all possible combinations are described, but as long as a combination of technical features contains no contradiction it should be considered within the scope of this description.
The principles and embodiments of the present application have been described with reference to specific examples, which are intended to aid understanding of the principles and concepts of the application; persons of ordinary skill in the art may vary the specific implementation and scope of application based on the teachings herein. In view of the foregoing, this description should not be construed as limiting the application.

Claims (9)

1. An Internet of Things network intrusion detection method, characterized in that the method comprises:
constructing a training data set from network traffic feature data and network traffic prediction values, wherein the network traffic feature data is obtained by feature extraction from the network communication data of the Internet of Things, and the network traffic prediction values are obtained by processing the network traffic feature data with digital twin technology;
processing the training data set with a K-clustering (K-means) algorithm to obtain a hard-to-classify sample set;
selecting a current-moment state from the training data set and selecting, with a greedy strategy, the current-moment action corresponding to that state, wherein the current-moment state represents the network traffic feature data and the network traffic prediction value at the current moment, and the current-moment action represents either that the Internet of Things is under intrusion at the current moment or that it is normal at the current moment;
randomly selecting the current-moment action according to an exploration rate, computing the current-moment reward obtained after executing that action, and obtaining the next-moment state, wherein the current-moment reward is determined by a reward coefficient, the reward coefficient is determined by a first judgment result, and the first judgment result indicates either that the network traffic feature data and network traffic prediction value at the current moment belong to the hard-to-classify sample set or that they do not; the current-moment reward r_t(s_t, a_t) is expressed in terms of s_t, the state at the current moment t; a_t, the action at the current moment t; λ(t), the reward coefficient at the current moment t; r, the base reward; H_I, the hard-to-classify sample set; and υ, the hard-sample reward coefficient;
constructing a state-transition quadruple from the current-moment state, the current-moment action, the current-moment reward and the next-moment state, and storing the quadruple in an experience replay pool;
selecting a number of the state-transition quadruples from the experience replay pool as training samples to train a deep learning network model;
predicting, with the trained deep learning network model, whether the Internet of Things has been intruded.
2. The Internet of Things network intrusion detection method according to claim 1, characterized in that the network traffic feature data comprises: the number of network flows per second; the number of packets transmitted per second; the total, mean and standard deviation of packet header bytes transmitted per second; the total, mean and standard deviation of packet payload bytes transmitted per second; the number of forward packets per second; the total, mean and standard deviation of forward packet header bytes per second; the total, mean and standard deviation of forward packet payload bytes per second; the number of reverse packets per second; the total, mean and standard deviation of reverse packet header bytes per second; the total, mean and standard deviation of reverse packet payload bytes per second; the number of TCP packets per second; the total, mean and standard deviation of TCP packet header bytes per second; the total, mean and standard deviation of TCP packet payload bytes per second; the number of UDP packets per second; the total UDP packet header bytes per second; the total, mean and standard deviation of UDP packet payload bytes per second; the mean and standard deviation of the inter-packet time interval; the mean and standard deviation of the forward inter-packet time interval; and the number of ACK flags.
3. The Internet of Things network intrusion detection method according to claim 1, characterized in that, before the step of constructing the training data set from the network traffic feature data and the network traffic prediction values, the method further comprises: normalizing the network traffic feature data and the network traffic prediction values.
4. The Internet of Things network intrusion detection method according to claim 1, characterized in that processing the training data set with the K-clustering algorithm to obtain the hard-to-classify sample set specifically comprises:
randomly selecting one sample from the training data set as an initial cluster centre;
computing a first distance from every sample in the training data set to the initial cluster centre;
computing, from the first distance, the probability of each sample being selected as a cluster centre;
selecting a number of new initial cluster centres according to that probability as first cluster centres;
computing a second distance between each sample and each first cluster centre;
dividing the samples into the corresponding clusters according to the second distance;
computing the mean of all sample points in each cluster, taking the mean as the new first cluster centre, and returning to the step of computing the second distance between each sample and each first cluster centre;
obtaining the clustering result once the preset iteration condition is met;
determining an attack sample set and a benign sample set from the clustering result;
determining the hard-to-classify sample set from the attack sample set and the benign sample set.
5. The Internet of Things network intrusion detection method according to claim 1, characterized in that the deep learning network model is a DQN network.
6. The Internet of Things network intrusion detection method according to claim 5, characterized in that the loss function of the deep learning network model is:
L(θ) = E[(r_t + γ max Q(s_{t+1}, a_{t+1}, θ′) − Q(s_t, a_t, θ))²];
where r_t is the reward at the current moment t; γ is the reward decay factor; Q(s_{t+1}, a_{t+1}, θ′) is the Q value computed by the target network of the DQN after performing the action in the state at moment t+1; s_{t+1} is the state at moment t+1; θ′ are the target network parameters; Q(s_t, a_t, θ) is the Q value computed by the Q network of the DQN after performing the action in the state at the current moment t; s_t is the state at the current moment t; a_t is the action at the current moment t; θ are the Q network parameters.
7. A computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor executes the computer program to implement the Internet of Things network intrusion detection method according to any one of claims 1 to 6.
8. A computer-readable storage medium having a computer program stored thereon, characterized in that, when executed by a processor, the computer program implements the Internet of Things network intrusion detection method according to any one of claims 1 to 6.
9. A computer program product comprising a computer program, characterized in that, when executed by a processor, the computer program implements the Internet of Things network intrusion detection method according to any one of claims 1 to 6.
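The hard-sample marking of claim 4, as an added example that is not the patent's own code. The page states the K-means steps but not how the hard-to-classify set is derived from the attack and benign sets, so two assumptions are made here and marked in the code: the probability of picking further initial centres is proportional to the squared distance to the nearest centre already chosen (the usual K-means++ weighting), each cluster is named attack or benign by the majority label of its members, and a sample is hard when its own label disagrees with its cluster's label. The two-feature dataset is constructed for the example.

```python
"""Added example (not the patent's code): K-means++-style clustering and
hard-sample marking on a constructed two-feature traffic dataset."""
import random


def sq_dist(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))


def init_centres(points, k, rng):
    """First centre: a random sample. Further centres: drawn with probability
    proportional to squared distance to the nearest chosen centre (assumption)."""
    centres = [list(rng.choice(points))]
    while len(centres) < k:
        d2 = [min(sq_dist(p, c) for c in centres) for p in points]
        total = sum(d2)
        if total == 0.0:                         # all points coincide with a centre
            centres.append(list(rng.choice(points)))
            continue
        u, acc = rng.random() * total, 0.0
        for p, d in zip(points, d2):
            acc += d
            if acc >= u:
                centres.append(list(p))
                break
    return centres


def kmeans(points, k, rng, max_iter=100, tol=1e-9):
    """Lloyd iterations: assign by nearest centre, recompute centres as cluster means,
    stop when the centres stop moving or max_iter is reached."""
    centres = init_centres(points, k, rng)
    assign = [0] * len(points)
    for _ in range(max_iter):
        assign = [min(range(k), key=lambda j: sq_dist(p, centres[j])) for p in points]
        new_centres = []
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                new_centres.append([sum(col) / len(members) for col in zip(*members)])
            else:
                new_centres.append(centres[j])   # keep the centre of an empty cluster
        shift = sum(sq_dist(c, n) for c, n in zip(centres, new_centres))
        centres = new_centres
        if shift < tol:
            break
    return assign, centres


def mark_hard_samples(points, labels, k=2, seed=0):
    """Returns (attack_idx, benign_idx, hard_idx) as sets of sample indices.
    A cluster is 'attack' if at least half its members carry label 1 (assumption);
    a sample is hard when its label disagrees with its cluster's label (assumption)."""
    rng = random.Random(seed)
    assign, _ = kmeans(points, k, rng)
    cluster_label = {}
    for j in range(k):
        member_labels = [l for l, a in zip(labels, assign) if a == j]
        cluster_label[j] = 1 if member_labels and 2 * sum(member_labels) >= len(member_labels) else 0
    attack = {i for i, a in enumerate(assign) if cluster_label[a] == 1}
    benign = {i for i, a in enumerate(assign) if cluster_label[a] == 0}
    hard = {i for i, a in enumerate(assign) if cluster_label[a] != labels[i]}
    return attack, benign, hard


def constructed_dataset(seed=1):
    """Constructed sample: 40 benign flows near (0.2, 0.2), 40 attack flows near
    (0.8, 0.8), plus two attack flows whose features look benign (indices 80, 81)."""
    rng = random.Random(seed)
    pts = [[0.2 + rng.gauss(0, 0.05), 0.2 + rng.gauss(0, 0.05)] for _ in range(40)]
    pts += [[0.8 + rng.gauss(0, 0.05), 0.8 + rng.gauss(0, 0.05)] for _ in range(40)]
    pts += [[0.22, 0.18], [0.25, 0.21]]
    labels = [0] * 40 + [1] * 40 + [1, 1]
    return pts, labels


if __name__ == "__main__":
    pts, labels = constructed_dataset()
    attack, benign, hard = mark_hard_samples(pts, labels)
    print("attack:", len(attack), "benign:", len(benign), "hard:", sorted(hard))
```

The two disguised attacks land in the benign cluster and are therefore the only members of the hard set; in the reward function of claim 1 these are exactly the records whose λ(t) becomes υ, so the DQN is pushed hardest on the samples the clustering could not separate.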
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411282290.3A CN119094216B (en) 2024-09-13 2024-09-13 An Internet of Things network intrusion detection method, device, medium and product

Publications (2)

Publication Number Publication Date
CN119094216A CN119094216A (en) 2024-12-06
CN119094216B true CN119094216B (en) 2025-10-03

Family

ID=93698778

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411282290.3A Active CN119094216B (en) 2024-09-13 2024-09-13 An Internet of Things network intrusion detection method, device, medium and product

Country Status (1)

Country Link
CN (1) CN119094216B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3246875A2 (en) * 2016-05-18 2017-11-22 Siemens Healthcare GmbH Method and system for image registration using an intelligent artificial agent
CN111741002A (en) * 2020-06-23 2020-10-02 广东工业大学 A method and device for training a network intrusion detection model

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633639B (en) * 2023-05-30 2024-04-12 北京交通大学 Network intrusion detection method based on unsupervised and supervised fusion reinforcement learning
CN117336034A (en) * 2023-09-22 2024-01-02 国网江苏省电力有限公司苏州供电分公司 Network intrusion detection method for power information system

Similar Documents

Publication Publication Date Title
Agrawal et al. NovelADS: A novel anomaly detection system for intra-vehicular networks
Li et al. LNNLS‐KH: A Feature Selection Method for Network Intrusion Detection
CN119449445B (en) Anomaly detection method and system based on dynamic traceability graph
CN116095100B (en) Internal intrusion detection method for Internet of Vehicles based on abnormal behavior discovery
CN115273372A (en) Park equipment alarm method, system, device and storage medium
CN110677437A (en) User camouflage attack detection method and system based on latent space adversarial clustering
Huang Network Intrusion Detection Based on an Improved Long‐Short‐Term Memory Model in Combination with Multiple Spatiotemporal Structures
CN119254507B (en) Cyberspace counter-mapping method, device, computer equipment and storage medium
CN116614859A (en) Method and system for identifying key nodes in Ad Hoc network
CN120498762A (en) Method, device, equipment, storage medium and program product for controlling network attack of digital power grid
CN117061254B (en) Abnormal traffic detection method, device and computer equipment
CN114896591B (en) A real-time APT detection and analysis method based on heterogeneous graph
CN119094216B (en) An Internet of Things network intrusion detection method, device, medium and product
CN112468487A (en) Method and device for realizing model training and method and device for realizing node detection
CN116633695B (en) Security rule base management method, device, computer equipment and storage medium
CN112651422A (en) Time-space sensing network flow abnormal behavior detection method and electronic device
CN116866060A (en) Multi-step sustainable attack detection method based on multi-source logs
Zhao et al. Transferable watermarking to self-supervised pre-trained graph encoders by trigger embeddings
CN118171184A (en) A graph node classification method, device and medium based on security policy
CN119740256B (en) Privacy protection record linking method, device, electronic equipment and storage medium
CN118611946B (en) Method and device for detecting malicious program, storage medium and computer equipment
CN117216660B (en) A method and apparatus for detecting anomalies and clusters in time-series network traffic
CN119397417B (en) Model backdoor reprogramming defense method, device, computer equipment and medium
CN119484167B (en) Sensor attack detection method, device, medium and product in Internet of vehicles
Liu et al. Unsupervised Intrusion Detection Based on Asymmetric Auto-Encoder Feature Extraction

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant