Behavior monitoring method focusing on the security of Internet of Things entities
Technical Field
The invention belongs to the field of information technology and in particular relates to a behavior monitoring method concerned with the security of Internet of Things (IoT) entities.
Background
The Internet of Things is a network built on information carriers such as the Internet and traditional telecommunication networks that interconnects ordinary objects capable of performing independent functions. Like a computer information system, it has entity security requirements. To ensure the security of IoT entities, behavior monitoring is usually performed on them.
In the existing solution, the monitor first has to collect and clean the network data related to IoT entities from the communication network data. This involves deriving the network behavior characteristics of IoT entities deployed in different industries from IoT entity voice data, short message service (SMS) communication data, IoT entity Internet access data, IoT entity basic attribute data, location data and the like; then, based on those characteristics, selecting a suitable algorithm for abnormal-behavior analysis, finding outliers and building an analysis model; and finally applying and evaluating the model.
The prior scheme has the following main problems. First, the volume of data to be collected is large and noisy, and a great deal of time is spent on analysis and cleaning. Second, IoT entity behavior has no universal pattern; network behavior characteristics are highly individual, and uniform processing is difficult. Third, the accuracy of the abnormal-behavior analysis algorithms is not high: existing schemes generally find IoT entities with abnormal behavior by searching for outliers, and the algorithms used all depend on large amounts of reliable sample data, so the implementation process carries some uncertainty.
Disclosure of Invention
In view of the above, the invention provides a behavior monitoring method concerned with the security of IoT entities, which effectively saves the time spent on data acquisition, analysis and cleaning, and avoids the individual differences in network behavior characteristics between IoT entities of different types.
The behavior monitoring method concerned with the security of IoT entities provided by the invention comprises the following steps:
Step 1: monitor the online operational behavior of IoT entities, acquire the state messages and event messages they send, and retain the normal messages among them according to preset conditions. When the monitoring time reaches a threshold, perform association analysis on the normal messages to obtain the transition relations between the states of each IoT entity, forming a transition relation set; perform cluster analysis on that set to form several transition relation subsets, one per type of IoT entity; and in each subset select the optimal transition relation as the behavior model for that type of IoT entity.
Step 2: use the behavior model to monitor the online operational behavior of the IoT entities, and respond when an abnormal IoT entity message that does not conform to the behavior model is found.
Further, in step 1 the transition relation between the states of each IoT entity is represented by a path, constructed with the normal messages as nodes, the time intervals between normal messages as distances, and the events carried in the normal messages as conditions.
Further, the optimal transition relation is an optimal path.
Further, the optimal path may be the longest path, the average path, or the shortest path.
Further, an abnormal IoT entity message is judged as follows: during behavior monitoring, the messages of an IoT entity and the time intervals between the sending times of adjacent messages are recorded to form the entity's current behavior path; the current behavior path is compared against the behavior models of the various IoT entity types, and if it does not exist in any of those behavior models, the most recently received IoT entity message is the abnormal IoT entity message.
Further, when the set usage-time threshold of the behavior model is reached, step 1 is executed again to update the behavior model; at the n-th update, the (n-1)-th behavior model is used as one of the inputs to the clustering operation.
Further, the response is to notify a system administrator.
Further, the preset condition is a preset forbidden behavior list for the IoT entity while no behavior model has yet been formed; otherwise, the preset condition is the behavior model that has been obtained.
Beneficial effects:
1. The method clusters the network behavior characteristics of IoT entities from the messages the entities send within a time threshold and forms a behavior model of the IoT entity, so massive data need not be extracted from the communication network; this effectively saves the time spent on data acquisition, analysis and cleaning, and avoids the individual differences in network behavior characteristics between different types of IoT entities. Based on the established behavior model, it can be determined whether the current IoT entity message is abnormal, which effectively avoids the uncertainty introduced by the machine learning methods of the prior art;
2. The invention clusters the continuously acquired IoT entity messages together with the behavior model already formed, so that the behavior model is updated; this ensures continuous optimization and improvement of the behavior model, further improves the accuracy of suspicious message identification, and protects IoT entities from attack by malicious messages.
Detailed Description
The present invention is described in detail below with reference to examples.
The basic idea of the behavior monitoring method concerned with the security of IoT entities provided by the invention is as follows: a behavior model of an IoT entity is generated automatically by monitoring the entity's behavior during online operation, and behavior monitoring of the IoT entity is then carried out on the basis of that behavior model.
The behavior monitoring method concerned with the security of IoT entities provided by the invention specifically comprises the following steps:
Step 1: for the IoT devices connected to the network, establish a behavior model of the devices.
The behavior of the IoT entity during online operation is monitored for a period of time to obtain the state messages and event messages it sends; the normal messages are filtered out of these according to preset conditions; association analysis is performed on the normal messages to obtain the transition relations between the states of the IoT entity, that is, the state transitions triggered when a certain event occurs, forming a transition relation set; cluster analysis is performed on the transition relation set to form transition relation subsets for IoT entities of different types; and the optimal transition relation in each subset is then selected as the behavior model for that type of IoT entity.
A state message carries the state of the IoT entity at the corresponding timestamp, and an event message carries the event that occurred to the IoT entity in its current state. When no behavior model has been formed, whether a message sent by the IoT entity is normal can be judged using a preset forbidden behavior list for the IoT entity; otherwise, the judgment can use the behavior model or a new forbidden behavior list for the IoT entity.
If the transition relations of an IoT entity are represented by paths, the behavior model is established by the invention as follows:
monitor the operation of the IoT entities, filter the normal state messages and event messages using the preset forbidden behavior list of IoT entities, and record the normal messages sent by each IoT entity together with the time intervals between the sending times of adjacent normal messages (because the model is learned from observed traffic, this forbidden list is what keeps messages already known to be malicious from being absorbed into the baseline during the recording period);
when the set recording-time threshold is reached, perform association analysis on the normal messages to form the behavior path of each IoT entity, where the behavior path takes the normal messages as nodes, the time intervals between the normal messages as distances and the events contained in the normal messages as conditions; gather the behavior paths of all IoT entities into a behavior path set; perform cluster analysis on the behavior path set to form behavior path sets for the different types of IoT entities; and select the optimal path from each type's behavior path set as the behavior model for that type of IoT entity.
The optimal path can be chosen according to actual needs. In general, each path is in fact a vector; for all paths in a path set a mean vector is calculated, and this mean vector represents the class to which the set belongs, so the average path can be used as the behavior model of the IoT entity. Where higher security is required, the longest path can be selected as the behavior model; where looser (fuzzier) monitoring is acceptable, the shortest path can be selected as the behavior model.
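The step 1 procedure above, from filtering by the forbidden behavior list through path construction, cluster analysis and selection of the longest, shortest or average path, as an added worked example in Python (this is not code from the patent). The message tuple format, the sample message log, the forbidden-event list, the greedy Jaccard clustering rule and its threshold, and the reading of "longest path" as the path with the most transitions are all constructed assumptions for illustration.

```python
"""Added example: building IoT entity behavior models from a recording window
(step 1). Everything below is constructed for illustration, not the patent's code."""
from collections import defaultdict
from statistics import mean

# Constructed sample log: (entity_id, timestamp_seconds, kind, value).
# kind is "state" or "event". L1/L2 are door locks, T1/T2 are thermostats.
MESSAGES = [
    ("L1", 0, "state", "closed"), ("L1", 5, "event", "unlock"), ("L1", 6, "state", "open"),
    ("L1", 30, "event", "lock"), ("L1", 31, "state", "closed"),
    ("L2", 0, "state", "closed"), ("L2", 8, "event", "unlock"), ("L2", 9, "state", "open"),
    ("L2", 50, "event", "lock"), ("L2", 52, "state", "closed"),
    ("L2", 90, "event", "unlock"), ("L2", 91, "state", "open"),
    ("T1", 0, "state", "idle"), ("T1", 10, "event", "setpoint"), ("T1", 12, "state", "heating"),
    ("T1", 100, "event", "reached"), ("T1", 101, "state", "idle"),
    ("T2", 0, "state", "idle"), ("T2", 7, "event", "setpoint"), ("T2", 9, "state", "heating"),
]

FORBIDDEN_EVENTS = {"factory_reset"}  # preset forbidden behavior list (constructed)


def build_paths(messages, forbidden=FORBIDDEN_EVENTS):
    """Association analysis: turn each entity's normal messages into a behavior path,
    a list of transitions (from_state, event, to_state, interval). The event is the
    condition; the interval (event message -> following state message) is the distance."""
    per_entity = defaultdict(list)
    for entity, ts, kind, value in sorted(messages, key=lambda m: (m[0], m[1])):
        if kind == "event" and value in forbidden:
            continue  # not a normal message: never enters the model
        per_entity[entity].append((ts, kind, value))
    paths = {}
    for entity, msgs in per_entity.items():
        path, state, pending = [], None, None
        for ts, kind, value in msgs:
            if kind == "event" and state is not None:
                pending = (value, ts)  # wait for the state this event leads to
            elif kind == "state":
                if pending is not None:
                    event, ev_ts = pending
                    path.append((state, event, value, ts - ev_ts))
                    pending = None
                state = value
        paths[entity] = path
    return paths


def signature(path):
    """The set of (from_state, event, to_state) triples a path exercises."""
    return {(f, e, t) for f, e, t, _ in path}


def cluster_paths(paths, threshold=0.5):
    """Cluster analysis: greedy grouping by Jaccard similarity of transition
    signatures, so entities sharing a state machine land in one subset (one
    cluster per entity type). The threshold is an assumption."""
    clusters = []  # list of (union_signature, {entity: path})
    for entity, path in paths.items():
        sig = signature(path)
        for union, members in clusters:
            jaccard = len(sig & union) / len(sig | union) if sig | union else 0.0
            if jaccard >= threshold:
                union.update(sig)
                members[entity] = path
                break
        else:
            clusters.append((set(sig), {entity: path}))
    return [members for _, members in clusters]


def select_model(cluster, strategy="average"):
    """Optimal path of a cluster -> behavior model {(from_state, event): (to_state, interval)}.
    longest  = path with the most transitions (ties: largest total distance), strictest
    shortest = path with the fewest transitions, loosest
    average  = mean vector: every transition seen in the cluster with its mean interval
    Duplicate transitions in the chosen path are merged by mean interval; if one
    (state, event) led to different states, the last one wins (simplification)."""
    members = list(cluster.values())
    total = lambda p: (len(p), sum(dt for *_, dt in p))
    if strategy == "longest":
        chosen = max(members, key=total)
    elif strategy == "shortest":
        chosen = min(members, key=total)
    elif strategy == "average":
        chosen = [tr for path in members for tr in path]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    intervals = defaultdict(list)
    for f, e, t, dt in chosen:
        intervals[(f, e, t)].append(dt)
    return {(f, e): (t, mean(dts)) for (f, e, t), dts in intervals.items()}


def build_models(messages, strategy="average"):
    """Step 1 end to end: one behavior model per entity type found by clustering."""
    return [select_model(c, strategy) for c in cluster_paths(build_paths(messages))]


if __name__ == "__main__":
    for i, model in enumerate(build_models(MESSAGES)):
        print(f"type {i}: {model}")
```

With the constructed log the two locks and the two thermostats fall into separate clusters; the lock type's average model records that `lock` moves `open` to `closed` in 1.5 s on average, while the longest-path choice (L2, three transitions) pins that interval at 2 s and the shortest-path choice (L1) at 1 s.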
Step 2: monitor the IoT entities according to the established behavior model, and respond when an abnormal IoT entity message not conforming to the behavior model is found.
The behavior model of the IoT entity established by the invention standardizes the states of the IoT entity and the events required for transitions between those states. The online operational behavior of the IoT entities is monitored; when the behavior of an IoT entity deviates too far from the behavior model, that is, its behavior differs from the behavior specified by the model, the IoT entity is determined to be abnormal, the IoT entity message received at that moment is an abnormal IoT entity message, and a response is made to that message, for example by notifying an administrator.
In general, a blacklist mechanism can also be used to determine an abnormal IoT entity message: when an IoT entity message is on an IoT message blacklist, it is considered abnormal. During behavior monitoring of an IoT entity, its messages and the time intervals between the sending times of adjacent messages are recorded to form the entity's current behavior path, and the current behavior path is compared and analyzed against the behavior models of the various IoT entity types.
For example, the behavior model of a smart door lock specifies two states, open and closed, and the event that triggers the transition from the open state to the closed state is a locking action. If the smart door lock sends a locking event message but the state message it then sends shows that it is still in the open state, the smart door lock is abnormal: either the locking event itself was spoofed or the lock has failed. In short, when behavior not conforming to the behavior model appears, an abnormality of the IoT entity is detected.
In addition, the behavior model established by the invention can be updated automatically. When the set usage-time threshold of the behavior model is reached, step 1 is executed again, and the current behavior model is added as an input when the cluster analysis of the behavior path set in step 1 is performed; that is, at the n-th update the (n-1)-th behavior model is one of the inputs to the clustering operation. In this way the behavior model is continuously improved, suspicious IoT entity messages and malicious IoT entities are better identified, and IoT entities are effectively protected from interoperating with malicious entities.
In summary, the above is only a preferred embodiment of the present invention and is not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
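Step 2 monitoring (including the smart door lock case, where a locking event is followed by a state message that still says open) and the model update that feeds the previous model back into the next clustering input, as an added Python example; this is not the patent's code. The model dict format `{(from_state, event): (to_state, interval)}`, the interval tolerance, the lock message stream, and the use of the average path (mean vector over the previous model plus the new window's paths) for the update are constructed assumptions consistent with the description.

```python
"""Added example: online behavior monitoring against a behavior model (step 2)
and the model update with the previous model as an input. Constructed, not the
patent's code."""

# Behavior model of the smart door lock type (constructed):
# {(from_state, event): (to_state, expected_interval_seconds)}
LOCK_MODEL = {
    ("closed", "unlock"): ("open", 1.0),
    ("open", "lock"): ("closed", 1.5),
}
INTERVAL_TOLERANCE = 2.0  # assumption: allowed slack on the path distance


class EntityMonitor:
    """Records an entity's messages as its current behavior path and checks every
    completed transition against the model. The message that completes a transition
    the model does not contain is reported as the abnormal message; the response
    here is to collect an alert (in deployment: notify the administrator)."""

    def __init__(self, model, tolerance=INTERVAL_TOLERANCE):
        self.model = model
        self.tolerance = tolerance
        self.state = None    # last state the entity reported
        self.pending = None  # (event, timestamp) awaiting the resulting state message
        self.path = []       # current behavior path: (from, event, to, interval)
        self.alerts = []

    def observe(self, ts, kind, value):
        """Feed one message; returns an alert string, or None if it fits the model."""
        alert = None
        if kind == "event":
            if self.state is not None and (self.state, value) not in self.model:
                alert = f"event {value!r} is not allowed in state {self.state!r} at t={ts}"
            self.pending = (value, ts)
        elif kind == "state":
            if self.pending is not None and self.state is not None:
                event, ev_ts = self.pending
                interval = ts - ev_ts
                self.path.append((self.state, event, value, interval))
                expected = self.model.get((self.state, event))
                if expected is not None and expected[0] != value:
                    # the door lock case: 'lock' was sent, but the state is still 'open'
                    alert = (f"event {event!r} should move {self.state!r} -> {expected[0]!r}, "
                             f"but the state message reports {value!r} at t={ts}")
                elif expected is not None and interval > expected[1] + self.tolerance:
                    alert = f"{event!r} -> {value!r} took {interval}s, expected about {expected[1]}s"
                self.pending = None
            self.state = value
        if alert:
            self.alerts.append(alert)
        return alert


def update_model(previous_model, new_paths):
    """Model update: the previous model is converted back into a path and placed in
    the input set together with the paths recorded in the new window (here all are
    assumed to belong to this entity type's cluster); the average path over that set
    becomes the new model, so earlier transitions are kept with refreshed intervals."""
    model_path = [(f, e, t, dt) for (f, e), (t, dt) in previous_model.items()]
    merged = {}
    for path in [model_path] + list(new_paths):
        for f, e, t, dt in path:
            merged.setdefault((f, e, t), []).append(dt)
    return {(f, e): (t, sum(d) / len(d)) for (f, e, t), d in merged.items()}


def run_lock_scenario():
    """Constructed stream: a normal unlock/lock cycle, then a 'lock' event after
    which the lock still reports 'open' (spoofed event or failed actuator)."""
    stream = [(0, "state", "closed"), (5, "event", "unlock"), (6, "state", "open"),
              (30, "event", "lock"), (31, "state", "closed"),
              (60, "event", "unlock"), (61, "state", "open"),
              (90, "event", "lock"), (91, "state", "open")]
    monitor = EntityMonitor(LOCK_MODEL)
    for msg in stream:
        monitor.observe(*msg)
    return monitor


if __name__ == "__main__":
    m = run_lock_scenario()
    print("\n".join(m.alerts))
    print(update_model(LOCK_MODEL, [m.path]))
```

Only the last state message of the scenario raises an alert: the first three transitions match the model, while the fourth claims `lock` yet reports `open`. Feeding the recorded path and the old model into `update_model` keeps both transitions and re-averages their intervals, which is the point of using the previous model as a clustering input: nothing learned earlier is dropped just because the new window did not exercise it.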