CN118337539B - Internet of things-based network security communication control method and system - Google Patents

Internet of things-based network security communication control method and system

Publication number
CN118337539B
Authority
CN
China
Prior art keywords
time
data
network
representing
space
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410772977.9A
Other languages
Chinese (zh)
Other versions
CN118337539A (en)
Inventor
刘翠华
蔡勇
汪洋
刘靖
卫明生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiaxing Guanwen Digital Technology Co ltd
Original Assignee
Jiaxing Guanwen Digital Technology Co ltd
Application filed by Jiaxing Guanwen Digital Technology Co ltd
Priority to CN202410772977.9A
Publication of CN118337539A
Application granted
Publication of CN118337539B
Abstract

The invention discloses a network security communication control method and system based on the Internet of Things, relating to the technical field of network security. The method comprises acquiring network data and preprocessing it, and extracting the timestamps and geographic location information of device interactions from the network data. The method constructs a space-time sequence data set and uses time series analysis and spatial clustering to integrate space-time features, improving the analysis dimensions and the anomaly detection accuracy of the data. The constructed space-time baseline model combines historical learning with dynamic updating, predicts baseline values accurately, and enables real-time monitoring of network behavior. Real-time data processing and model input ensure timely model prediction and quick identification of network state changes. Combined with an anomaly score algorithm, the system automatically detects deviating behavior, immediately triggers an early warning and takes isolation measures, carries out in-depth investigation and repair, and dynamically adjusts the security policy, significantly enhancing network security monitoring efficiency and anomaly response capability in an Internet of Things environment.

Description

Internet of things-based network security communication control method and system
Technical Field
The invention relates to the technical field of network security, in particular to a network security communication control method and system based on the Internet of things.
Background
In recent years, the rapid development of Internet of Things technology has given rise to a large number of new scenarios for data interaction and device interconnection, but network security problems have become increasingly serious. Traditional protective measures struggle to cope with the breadth and dynamics of the Internet of Things; in particular, their shortcomings in space-time feature analysis and dynamic behavior learning make it difficult to deal effectively with complex and changing security threats.
In view of this situation, the method innovatively combines time series analysis with spatial clustering and builds a space-time baseline model to achieve fine-grained processing and real-time monitoring of network data. Through deep mining of interaction data and model prediction, it can accurately identify abnormal behavior and rapidly adjust communication strategies, significantly enhancing network security protection capability and response efficiency in an Internet of Things environment.
Disclosure of Invention
The present invention has been made in view of the above-described problems occurring in the prior art.
Therefore, the invention provides a network security communication control method and system based on the Internet of Things, which solve the problem that traditional protective measures struggle to cope with the breadth and dynamics of the Internet of Things and, in particular, have shortcomings in space-time feature analysis and dynamic behavior learning that make it difficult to deal effectively with complex and changing security threats.
In order to solve the technical problems, the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides a network security communication control method based on the Internet of Things, which comprises: acquiring network data, adding a timestamp to the network data, and then preprocessing the network data;
based on the preprocessed network data, extracting the timestamps and geographic location information of device interactions, constructing a space-time sequence data set, and performing time series analysis and spatial clustering;
based on the results of the time series analysis and spatial clustering, constructing and training a space-time baseline model, and calculating a predicted baseline value to obtain a standard baseline value;
applying the same preprocessing to network data collected in real time and inputting it into the trained space-time baseline model to obtain a real-time baseline value;
computing an anomaly score from the real-time baseline value and the standard baseline value, and judging whether the behavior deviates;
when the behavior deviates, immediately triggering an early warning, then collecting the abnormal behavior data and adjusting the network security communication control method.
As a preferred scheme of the network security communication control method based on the Internet of Things according to the invention, the network data includes: network traffic data, inter-device communication records, device status update information, geographic location information, and log records;
the preprocessing comprises data cleaning and data normalization.
As a preferred scheme of the network security communication control method based on the Internet of Things according to the invention, adding the timestamp to the network data and then preprocessing specifically comprises the following:
the addition timestamp expression is:
In the method, in the process of the invention,Representing network data with a time stamp, T representing a time stamp value of a current time, and D representing the network data;
Using data cleansing, time-stamped network dataRemoving repeated and invalid data, and normalizing the data to obtain preprocessed network data
As a preferred scheme of the network security communication control method based on the Internet of Things according to the invention, extracting the timestamps and geographic location information of device interactions from the preprocessed network data, constructing the space-time sequence data set, and performing time series analysis and spatial clustering is specifically as follows:
The preprocessed network data is represented asWhere n represents the total number of data,Representing a record in the preprocessed network data,=1, 2,.. Each record contains a time stampAnd geographic location coordinatesAndAnd respectively extracting the longitude and latitude coordinates of the record to obtain the following data, wherein the expression is as follows: Wherein n represents the total number of data;
screening and integrating based on the extracted data, wherein the expression is as follows:
In the method, in the process of the invention,Representing a filtered and potentially spatio-temporal sequence candidate set including hours of time stamp aggregationAnd corresponding average geographic location coordinatesIs an identifier of one hour, conditionRepresenting screening dataIs provided with a record of all the records in the database,Determining a time stampThe time is converted into hours and then matched to the hoursIndicating a specific flow threshold condition set,Representing geographic coordinates must be well-defined;
Constructing a space-time sequence data set S, wherein the expression is as follows:
Wherein each ofRepresenting a time stamp in the spatio-temporal sequence data set SRepresenting geographical location coordinates under these timestamps, i=1, 2,..m, m representing the total number of data after screening, m being smaller than n;
And applying time sequence analysis and spatial clustering to the space-time sequence data set S, wherein the formula is as follows:
In the method, in the process of the invention,Representing the predicted target variable value at time point t,The intercept term of the model is represented,Representing p time points in the pastThe value of the sum of the values,Represents the autoregressive coefficients, where p is the order of the autoregressive term,Represents a running average coefficient, where q is the order of the running average term,Representing the random error term of the model at time t,Representing past q error values;
In the method, in the process of the invention,Representing the j-th cluster of clusters,Representing one data point in the data set,Representing data pointsAnd cluster withA core point of (a)The distance between the two plates is set to be equal,Representing the radius of the neighborhood,Representing data pointsIs a number of points in the neighborhood of (a),Representing a minimum neighborhood point threshold.
As a preferred scheme of the network security communication control method based on the Internet of Things according to the invention, constructing and training the space-time baseline model based on the results of the time series analysis and spatial clustering, and calculating the predicted baseline value, is specifically as follows:
Constructing a space-time baseline model, wherein the expression of a predicted baseline value is as follows:
In the method, in the process of the invention,Representing the predicted baseline value at time t,Is a normalization factor that is used to normalize the data,Representing the dynamic update factor(s),The number of clusters is represented and,The attenuation rate is indicated as a function of the attenuation rate,The function of the distance is represented as such,Representing the center of the j-th cluster,The feature vector representing the prediction is presented as a result of the prediction,Representing the predicted target variable value at time point t,The weight of the j-th cluster is represented,Representing the j-th cluster of clusters,Representing the predicted value of the space-time baseline model of the last time step t-1,Representing the center of the kth cluster, exp representing an exponential function;
The model is trained on historical data to learn the features and patterns of normal behavior, yielding the standard baseline B.
As a preferred scheme of the network security communication control method based on the Internet of Things according to the invention, applying the same preprocessing to network data collected in real time and inputting it into the trained space-time baseline model to obtain the real-time baseline value comprises the following steps:
Instant accurate time stamping of each piece of data collected at tForming a real-time data streamNext, the process willThe preprocessing step and the extraction step are carried out to obtain a real-time space-time sequence data set
Based on real-time spatio-temporal sequence data setsExtractingAnd calculates a predictive feature vectorInputting the model to obtain real-time baseline value
As a preferred scheme of the network security communication control method based on the Internet of Things according to the invention, computing an anomaly score from the real-time baseline value and the standard baseline value, judging whether the behavior deviates, immediately triggering an early warning when the behavior deviates, then collecting the abnormal behavior data and adjusting the network security communication control method is specifically as follows:
will be the real-time baseline valueCombining with standard baseline value B into feature vectorThe anomaly score expression is:
In the method, in the process of the invention,Representing feature vectors for a point in time tE represents the expected value,Representation pair functionAt all ofThe average value over the value is the value,Indicating the desired path length, z indicating the number of samples,Representing the depth of the tree, wherein an anomaly scoreThe value range of (2) is [0,1];
When abnormality scoresWhen the value is=0, the network is safe and does not operate;
When abnormality scoresWhen the system is in the abnormal behavior when the system is in the range of the abnormal behavior, the network abnormality is indicated, the early warning is immediately triggered, then abnormal behavior data are collected, the network isolation is carried out on equipment and service with the abnormal behavior, the abnormal behavior is prevented from being spread, the deep inspection is carried out on the isolated equipment or system, once the loopholes or the weaknesses are confirmed, the repairing measures are immediately taken, the safety risk is eliminated, and the network safety strategy is revised and perfected according to the nature of the abnormal behavior, so that the network safety communication control method is adjusted.
In a second aspect, the invention provides a network security communication control system based on the Internet of Things, which comprises a data preprocessing module, responsible for receiving and preprocessing the raw network data;
The space-time data construction module is used for extracting a time stamp and geographic position information based on the preprocessed data, constructing a space-time sequence data set S and carrying out time sequence analysis and spatial clustering;
The space-time base line model construction module is used for constructing a space-time base line model based on the results of time sequence analysis and spatial clustering and adoptsCalculating a predicted baseline value;
The real-time baseline calculation module is used for continuously receiving real-time network data, performing the same data processing flow as the preprocessing module, and inputting a trained space-time baseline model to obtain a real-time baseline value;
The anomaly detection module is used for computing an anomaly score from the real-time baseline value and the standard baseline value and judging whether the behavior deviates;
And the strategy adjustment module is used for immediately executing a series of response measures after an anomaly warning is received, including network isolation of the abnormal devices, in-depth security checks to identify vulnerabilities and weaknesses and repair security risks, and revising and improving the network security policy according to the nature of the abnormal behavior.
In a third aspect, embodiments of the present invention provide a computer apparatus comprising a memory and a processor, the memory storing a computer program, wherein: the computer program when executed by a processor implements any step of the network security communication control method based on the internet of things according to the first aspect of the present invention.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having a computer program stored thereon, wherein: the computer program when executed by a processor implements any step of the network security communication control method based on the internet of things according to the first aspect of the present invention.
The beneficial effects of the invention are as follows: by extracting and analyzing the timestamps and geographic location information of the network data, the invention constructs a space-time sequence data set and uses time series analysis and spatial clustering to integrate space-time features, improving the analysis dimensions and the anomaly detection accuracy of the data. The constructed space-time baseline model combines historical learning with dynamic updating, predicts baseline values accurately, and enables real-time monitoring of network behavior. Real-time data processing and model input ensure timely model prediction and quick identification of network state changes. Combined with an anomaly score algorithm, the system automatically detects deviating behavior, immediately triggers an early warning and takes isolation measures, carries out in-depth investigation and repair, and dynamically adjusts the security policy, significantly enhancing network security monitoring efficiency and anomaly response capability in an Internet of Things environment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network security communication control method based on the internet of things in embodiment 1.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to fig. 1, in a first embodiment of the present invention, the embodiment provides a network security communication control method based on the internet of things, including the following steps:
S1, acquiring network data, adding a time stamp to the network data, and preprocessing;
based on the preprocessed network data, extracting the timestamps and geographic location information of device interactions, constructing a space-time sequence data set, and performing time series analysis and spatial clustering;
based on the results of the time series analysis and spatial clustering, constructing and training a space-time baseline model, and calculating a predicted baseline value to obtain a standard baseline value;
applying the same preprocessing to network data collected in real time and inputting it into the trained space-time baseline model to obtain a real-time baseline value;
computing an anomaly score from the real-time baseline value and the standard baseline value, and judging whether the behavior deviates;
when the behavior deviates, immediately triggering an early warning, then collecting the abnormal behavior data and adjusting the network security communication control method.
The network data includes: network traffic data, inter-device communication records, device status update information, geographic location information, and log records;
the preprocessing comprises data cleaning and data normalization.
Adding the timestamp to the network data and then preprocessing specifically comprises the following:
the addition timestamp expression is:
In the method, in the process of the invention,Representing network data with a time stamp, T representing a time stamp value of a current time, and D representing the network data;
Using data cleansing, time-stamped network dataRemoving repeated and invalid data, and normalizing the data to obtain preprocessed network data
S2, based on the preprocessed network data, extracting the timestamps and geographic location information of device interactions, constructing a space-time sequence data set, and performing time series analysis and spatial clustering, specifically as follows:
The preprocessed network data is represented asWhere n represents the total number of data,Representing a record in the preprocessed network data,=1, 2,.. Each record contains a time stampAnd geographic location coordinatesAndAnd respectively extracting the longitude and latitude coordinates of the record to obtain the following data, wherein the expression is as follows: Wherein n represents the total number of data;
screening and integrating based on the extracted data, wherein the expression is as follows:
In the method, in the process of the invention,Representing a filtered and potentially spatio-temporal sequence candidate set including hours of time stamp aggregationAnd corresponding average geographic location coordinatesIs an identifier of one hour, conditionRepresenting screening dataIs provided with a record of all the records in the database,Determining a time stampThe time is converted into hours and then matched to the hoursIndicating a specific flow threshold condition set,Representing geographic coordinates must be well-defined;
Constructing a space-time sequence data set S, wherein the expression is as follows:
Wherein each ofRepresenting a time stamp in the spatio-temporal sequence data set SRepresenting geographical location coordinates under these timestamps, i=1, 2,..m, m representing the total number of data after screening, m being smaller than n;
And applying time sequence analysis and spatial clustering to the space-time sequence data set S, wherein the formula is as follows:
In the method, in the process of the invention,Representing the predicted target variable value at time point t,The intercept term of the model is represented,Representing p time points in the pastThe value of the sum of the values,Represents the autoregressive coefficients, where p is the order of the autoregressive term,Represents a running average coefficient, where q is the order of the running average term,Representing the random error term of the model at time t,Representing past q error values;
In the method, in the process of the invention,Representing the j-th cluster of clusters,Representing one data point in the data set,Representing data pointsAnd cluster withA core point of (a)The distance between the two plates is set to be equal,Representing the radius of the neighborhood,Representing data pointsIs a number of points in the neighborhood of (a),Representing a minimum neighborhood point threshold;
It should be noted that screening and integrating the space-time information and constructing a space-time sequence data set gives a comprehensive picture of the spatial distribution and temporal dynamics of network activity and provides an intuitive, information-rich basis for subsequent analysis. Time series analysis reveals how the data changes over time and its trends, while spatial clustering finds patterns in geographic location; combining the two captures the space-time characteristics of network behavior more accurately and provides strong support for anomaly detection.
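As an added illustration of step S2 (not code from the patent), the sketch below screens records, aggregates them per hour with mean coordinates, and groups the hourly locations with the standard DBSCAN procedure, whose parameters match the core point, neighborhood radius and minimum neighborhood point threshold described above. The record layout, the sample values, the direction of the traffic threshold and the use of plain Euclidean distance on degrees are assumptions, because the patent's own expressions are missing from this page.

```python
from collections import defaultdict
from math import hypot, isfinite

T0 = 1718150400  # constructed, hour-aligned epoch timestamp in seconds

# Constructed records (not from the patent): (timestamp, longitude, latitude, bytes).
RECORDS = [
    (T0 + 10, 120.5, 30.5, 900), (T0 + 1800, 120.75, 30.75, 1200),
    (T0 + 3600 + 5, 120.75, 30.5, 800),
    (T0 + 7200 + 60, 120.5, 30.75, 700),
    (T0 + 3 * 3600 + 1, 121.5, 31.25, 1000),
    (T0 + 4 * 3600 + 1, 121.25, 31.25, 1000),
    (T0 + 5 * 3600 + 1, 121.5, 31.0, 1000),
    (T0 + 6 * 3600 + 1, 2.25, 48.75, 5000),  # hour far away from every other hour
    (T0 + 20, None, 30.5, 900),              # coordinate missing: screened out
    (T0 + 3600 + 30, 121.0, 31.0, 10),       # below traffic threshold: screened out
    (T0 + 7200 + 5, 999.0, 30.0, 900),       # longitude out of range: screened out
]


def well_defined(lon, lat):
    """Coordinates must be present, finite and inside the valid lon/lat range."""
    if lon is None or lat is None:
        return False
    return isfinite(lon) and isfinite(lat) and abs(lon) <= 180 and abs(lat) <= 90


def build_space_time_dataset(records, min_bytes):
    """Return [(hour_start, mean_lon, mean_lat)] for records that pass screening.

    Assumption: the traffic threshold keeps records with at least min_bytes.
    """
    buckets = defaultdict(list)
    for ts, lon, lat, nbytes in records:
        if not well_defined(lon, lat) or nbytes < min_bytes:
            continue
        buckets[ts - ts % 3600].append((lon, lat))  # timestamp -> hour identifier
    dataset = []
    for hour in sorted(buckets):
        pts = buckets[hour]
        dataset.append((hour,
                        sum(p[0] for p in pts) / len(pts),
                        sum(p[1] for p in pts) / len(pts)))
    return dataset


def cluster_locations(dataset, eps, min_pts):
    """DBSCAN over the hourly mean locations; label -1 marks noise."""
    points = [(lon, lat) for _, lon, lat in dataset]
    labels = [None] * len(points)

    def neighbours(i):
        # Euclidean distance in degrees: adequate for a small region only.
        return [j for j, q in enumerate(points)
                if hypot(points[i][0] - q[0], points[i][1] - q[1]) <= eps]

    cluster = -1
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:
            labels[i] = -1            # not a core point; may become a border point
            continue
        cluster += 1
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster   # noise reachable from a core point: border
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nbj = neighbours(j)
            if len(nbj) >= min_pts:   # j is itself a core point: keep expanding
                queue.extend(nbj)
    return labels


if __name__ == "__main__":
    S = build_space_time_dataset(RECORDS, min_bytes=100)
    for row, label in zip(S, cluster_locations(S, eps=0.4, min_pts=3)):
        print(row, "cluster", label)
```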
S3, based on the results of the time series analysis and spatial clustering, constructing and training a space-time baseline model and calculating a predicted baseline value, specifically as follows:
Constructing a space-time baseline model, wherein the expression of a predicted baseline value is as follows:
In the method, in the process of the invention,Representing the predicted baseline value at time t,Is a normalization factor that is used to normalize the data,Representing the dynamic update factor(s),The number of clusters is represented and,The attenuation rate is indicated as a function of the attenuation rate,The function of the distance is represented as such,Representing the center of the j-th cluster,The feature vector representing the prediction is presented as a result of the prediction,Representing the predicted target variable value at time point t,The weight of the j-th cluster is represented,Representing the j-th cluster of clusters,Representing the predicted value of the space-time baseline model of the last time step t-1,Representing the center of the kth cluster, exp representing an exponential function;
The model is trained on historical data to learn the features and patterns of normal behavior, yielding the standard baseline B;
It should be noted that constructing the space-time baseline model allows the pattern of normal network behavior to be learned from historical data and the baseline value under normal conditions to be predicted, providing a reference for real-time monitoring. During training, optimizing the parameters lets the model fit the historical data better, which improves prediction accuracy. Introducing the dynamic update factor and the normalization factor lets the model adapt flexibly to new data while keeping predictions timely and accurate.
S4, applying the same preprocessing to network data collected in real time and inputting it into the trained space-time baseline model to obtain a real-time baseline value, specifically as follows:
Instant accurate time stamping of each piece of data collected at tForming a real-time data streamNext, the process willThe preprocessing step and the extraction step are carried out to obtain a real-time space-time sequence data set
Based on real-time spatio-temporal sequence data setsExtractingAnd calculates a predictive feature vectorInputting the model to obtain real-time baseline value
It should be noted that processing network data in real time and feeding it to the model yields the baseline prediction for current behavior in real time, so the system can monitor the network state in real time and respond quickly to any abnormal change. Timeliness is key to network security monitoring: discovering and handling threats promptly reduces losses and improves the security and reliability of the system.
S5, computing an anomaly score from the real-time baseline value and the standard baseline value and judging whether the behavior deviates; when the behavior deviates, immediately triggering an early warning, then collecting the abnormal behavior data and adjusting the network security communication control method, specifically as follows:
will be the real-time baseline valueCombining with standard baseline value B into feature vectorThe anomaly score expression is:
In the method, in the process of the invention,Representing feature vectors for a point in time tE represents the expected value,Representation pair functionAt all ofThe average value over the value is the value,Indicating the desired path length, z indicating the number of samples,Representing the depth of the tree, wherein an anomaly scoreThe value range of (2) is [0,1];
When abnormality scoresWhen the value is=0, the network is safe and does not operate;
When abnormality scoresWhen=1, the network is abnormal, which is indicated by abnormal behavior;
When network behavior is detected to deviate significantly from the normal baseline, the system immediately triggers the early warning mechanism and starts the emergency response flow. First, data related to the abnormal behavior is collected automatically, so that the full picture of the abnormal event is recorded and a foundation is laid for subsequent analysis. Network isolation is then applied to the devices or services confirmed to show the abnormal behavior; this rapid isolation is intended to contain the anomaly, prevent the potential threat from spreading to other parts of the network, and protect the security of the whole system;
Subsequently, an in-depth security check is performed on the isolated devices and services. This is a careful inspection aimed at identifying the root cause of the abnormal behavior, whether a software vulnerability, a configuration error or an external attack. Once the check confirms a specific vulnerability or system weakness, the response team immediately carries out repair measures, including patching, closing unsafe ports and adjusting the configuration, to quickly eliminate the identified security risk and restore the security of the affected part;
On this basis, the characteristics of the abnormal behavior are analyzed in depth and the original network security policy is revised with respect to the vulnerabilities found; targeted policy adjustments strengthen the weak links and improve the flexibility and defensive strength of network communication control. Through this ordered series of responses and policy adjustments, the system can better adapt to newly emerging security challenges and ensure long-term network security and communication stability;
It should be noted that computing the anomaly score to judge behavioral deviation identifies potential threats efficiently and triggers the early warning mechanism, which is a key step of active defense. Collecting the anomaly data and adjusting the control strategy both addresses the current problem in a targeted way and optimizes the long-term network security policy so that similar problems do not recur. Isolation, inspection, repair and policy adjustment form a closed loop, ensuring effective management and continuous improvement of network security events and improving overall defense capability.
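The symbols described for the anomaly score in step S5 (expected path length, number of samples z, tree depth, range [0,1]) match the standard isolation forest score s = 2^(-E[h(x)]/c(z)); the following added example, which is not the patent's own code, assumes that form and applies it to feature vectors of (real-time baseline value, standard baseline value). The window values, tree count, seed and the 0.7 alert threshold are constructed for illustration.

```python
import math
import random

EULER_GAMMA = 0.5772156649


def c(n):
    """Average path length of an unsuccessful binary-search-tree lookup over n points."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0  # convention used by common implementations for two points
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(points, depth, limit, rng):
    """Recursively split on a random attribute at a random value (one isolation tree)."""
    dims = [d for d in range(len(points[0]))
            if min(p[d] for p in points) < max(p[d] for p in points)]
    if depth >= limit or len(points) <= 1 or not dims:
        return ("leaf", len(points))
    d = dims[int(rng.random() * len(dims))]
    lo = min(p[d] for p in points)
    hi = max(p[d] for p in points)
    split = lo + rng.random() * (hi - lo)
    left = [p for p in points if p[d] <= split]
    right = [p for p in points if p[d] > split]
    if not left or not right:      # guards against floating-point rounding of split
        return ("leaf", len(points))
    return ("node", d, split,
            build_tree(left, depth + 1, limit, rng),
            build_tree(right, depth + 1, limit, rng))


def path_length(tree, x):
    """Edges traversed to reach x's leaf, plus c(size) for points left unseparated."""
    depth = 0
    while tree[0] == "node":
        _, d, split, left, right = tree
        tree = left if x[d] <= split else right
        depth += 1
    return depth + c(tree[1])


def anomaly_scores(features, n_trees=200, seed=7):
    """Score every feature vector in the window; values near 1 mean easy to isolate."""
    z = len(features)
    if z < 2:
        raise ValueError("need at least two feature vectors")
    rng = random.Random(seed)
    limit = math.ceil(math.log2(z))          # height limit of each tree
    trees = [build_tree(features, 0, limit, rng) for _ in range(n_trees)]
    scores = []
    for x in features:
        mean_h = sum(path_length(t, x) for t in trees) / n_trees  # E[h(x)]
        scores.append(2.0 ** (-mean_h / c(z)))
    return scores


def deviating_steps(scores, threshold=0.7):
    """Indices whose score reaches the alert threshold (threshold is an assumption)."""
    return [i for i, s in enumerate(scores) if s >= threshold]


def constructed_window():
    """64 constructed steps where the real-time value tracks the standard baseline,
    followed by one step that deviates strongly."""
    window = []
    for i in range(64):
        standard = 100.0 + (i % 8)
        realtime = standard + ((i * 3) % 5 - 2) * 0.5
        window.append((realtime, standard))
    window.append((400.0, 103.0))            # deviating step, index 64
    return window


if __name__ == "__main__":
    scores = anomaly_scores(constructed_window())
    print("deviating steps:", deviating_steps(scores))
    print("score of last step: %.3f" % scores[-1])
```

Scoring the window that contains the current step matters here: a point that was not among the samples used to grow the trees is only routed to the nearest edge leaf and scores much closer to ordinary boundary points.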
The embodiment also provides a network security communication control system based on the Internet of Things, which comprises a data preprocessing module, responsible for receiving and preprocessing the raw network data;
The space-time data construction module is used for extracting a time stamp and geographic position information based on the preprocessed data, constructing a space-time sequence data set S and carrying out time sequence analysis and spatial clustering;
The space-time base line model construction module is used for constructing a space-time base line model based on the results of time sequence analysis and spatial clustering and adoptsCalculating a predicted baseline value;
The real-time baseline calculation module is used for continuously receiving real-time network data, performing the same data processing flow as the preprocessing module, and inputting the result into the trained space-time baseline model to obtain a real-time baseline value;
The anomaly detection module is used for comparing the real-time baseline value with the standard baseline value by calculating an anomaly score, and judging whether the behavior deviates;
The strategy adjustment module is used for immediately executing a series of response measures after an anomaly early warning is received, including network isolation of abnormal devices, deep security checks to identify vulnerabilities and weaknesses and repair security risks, and revising and improving network security policies according to the nature of the abnormal behavior.
The embodiment also provides a computer device, which is applicable to the network security communication control method based on the Internet of things and comprises a memory and a processor; the memory is used for storing computer executable instructions, and the processor is used for executing the computer executable instructions to realize the network security communication control method based on the Internet of things according to the embodiment.
The computer device may be a terminal comprising a processor, a memory, a communication interface, a display screen and input means connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
The present embodiment also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the network security communication control method based on the Internet of things set forth in the above embodiment; the storage medium may be implemented by any type or combination of volatile or nonvolatile memory devices, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
In summary, the beneficial effects of the specific steps of the invention are analyzed as follows:
Preprocessing after adding a timestamp to the network data: adding accurate timestamps to the network data ensures the time order and timeliness of the data and facilitates the subsequent time sequence analysis. Cleaning and standardizing the data removes useless information and abnormal values, making the analysis result more accurate and reliable. Standardization allows data of different dimensions to be compared on the same scale and avoids deviation caused by inconsistent dimensions.
Constructing a space-time sequence data set, and carrying out time sequence analysis and spatial clustering: screening and integrating the space-time information into a space-time sequence data set comprehensively depicts the spatial distribution and temporal dynamics of network activities and provides an intuitive, rich information basis for subsequent analysis. Time sequence analysis reveals how the data changes and trends over time, while spatial cluster analysis finds patterns in geographic position; combining the two captures the space-time characteristics of network behavior more accurately and provides strong support for anomaly detection.
Building a space-time baseline model and training: the space-time baseline model predicts the baseline value under normal conditions from the patterns of normal network behavior in the historical data, providing a reference standard for real-time monitoring. During training, optimizing the parameters lets the model fit the historical data better and improves prediction accuracy. Introducing the dynamic update factor and the normalization factor lets the model adapt flexibly to new data and maintain the timeliness and accuracy of prediction.
Calculating a real-time baseline value: the network data is processed in real time and input into the model, so the baseline predicted value of the current behavior is obtained in real time. The system can therefore monitor the network state in real time and respond quickly to any abnormal change. Real-time performance is the key to network security monitoring: threats can be found and handled in time, losses are reduced, and the security and reliability of the system are improved.
Judging whether the behavior deviates by calculating an anomaly score, so as to adjust the network security communication control method: determining behavior deviation by calculating the anomaly score makes it possible to identify potential threats efficiently and trigger the early warning mechanism, which is a key step of active defense. Collecting anomaly data and adjusting the control strategy solves the current problem in a targeted way, optimizes the long-term network security strategy and prevents similar problems from recurring. The measures of isolation, inspection, repair and strategy adjustment form a closed loop, ensuring effective management and continuous improvement of network security events and improving the overall defense capability.
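As an added illustration (not code from the patent), the sketch below shows one way the baseline prediction, anomaly score and isolation decision summarised above could fit together. The patent's formulas are not reproduced on this page, so the kernel-weighted baseline, the relative-deviation score, the threshold, and all names and sample values are assumptions.

```python
import math

# Constructed clusters from a hypothetical spatial clustering step.
# center = (hour_of_day / 24, latitude, longitude); level = typical packets/min.
CLUSTERS = [
    {"center": (0.375, 30.75, 120.75), "level": 400.0},  # daytime, site A
    {"center": (0.125, 30.75, 120.75), "level": 50.0},   # night, site A
    {"center": (0.375, 31.25, 121.50), "level": 900.0},  # daytime, site B
]
DECAY = 20.0      # attenuation rate (assumed value)
ALPHA = 0.5       # dynamic update factor (assumed value)
THRESHOLD = 0.5   # anomaly score above this triggers isolation (assumed)


def predict_baseline(x, prev_baseline, clusters=CLUSTERS):
    """Blend a distance-weighted cluster estimate with the previous baseline."""
    kernels = [math.exp(-DECAY * math.dist(x, c["center"])) for c in clusters]
    z = sum(kernels)  # normalization factor over all cluster centers
    if z == 0.0:      # far from every known cluster: keep the previous value
        return prev_baseline
    spatial = sum(k / z * c["level"] for k, c in zip(kernels, clusters))
    return ALPHA * spatial + (1 - ALPHA) * prev_baseline


def anomaly_score(observed, baseline):
    """Relative deviation of the observed value from the baseline."""
    return abs(observed - baseline) / max(baseline, 1e-9)


def monitor(events, baselines):
    """Score each event and return (device, baseline, score, action) tuples."""
    decisions = []
    for device, x, observed in events:
        baseline = predict_baseline(x, baselines[device])
        score = anomaly_score(observed, baseline)
        action = "isolate" if score > THRESHOLD else "allow"
        if action == "allow":
            baselines[device] = baseline  # isolated devices keep their last state
        decisions.append((device, round(baseline, 2), round(score, 2), action))
    return decisions


# Constructed events: (device id, feature vector, observed packets/min).
EVENTS = [
    ("cam-01", (0.375, 30.75, 120.75), 410.0),   # normal daytime traffic
    ("cam-02", (0.125, 30.75, 120.75), 2400.0),  # night-time burst
]

if __name__ == "__main__":
    for row in monitor(EVENTS, {"cam-01": 400.0, "cam-02": 50.0}):
        print(row)
```

In a deployment the "isolate" decision would feed the inspection, repair and policy-revision steps that close the loop; the threshold has to be tuned against historical data to keep false isolations acceptable.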
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.

Claims (7)

In the method, in the process of the invention,Representing the predicted baseline value at time t,Is a normalization factor that is used to normalize the data,Representing the dynamic update factor(s),The number of clusters is represented and,The attenuation rate is indicated as a function of the attenuation rate,The function of the distance is represented as such,Representing the center of the j-th cluster,The feature vector representing the prediction is presented as a result of the prediction,Representing the predicted target variable value at time point t,The weight of the j-th cluster is represented,Representing the j-th cluster of clusters,Representing the predicted value of the space-time baseline model of the last time step t-1,Representing the center of the kth cluster, exp representing an exponential function;
Application CN202410772977.9A (priority date 2024-06-17, filing date 2024-06-17): Internet of things-based network security communication control method and system. Status: Active. Publication: CN118337539B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202410772977.9A (CN118337539B (en)) | 2024-06-17 | 2024-06-17 | Internet of things-based network security communication control method and system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202410772977.9A (CN118337539B (en)) | 2024-06-17 | 2024-06-17 | Internet of things-based network security communication control method and system

Publications (2)

Publication Number | Publication Date
CN118337539A (en) | 2024-07-12
CN118337539B (en) | 2024-08-16

Family

ID=91766340

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202410772977.9A | Active | CN118337539B (en) | 2024-06-17 | 2024-06-17 | Internet of things-based network security communication control method and system

Country Status (1)

Country | Link
CN (1) | CN118337539B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
