基于设备型号分类和BP神经网络的物联网流量异常检测

doi:10.3969/j.issn.1671-1122.2019.12.007

摘要/Abstract

摘要：

物联网的快速发展,带来的安全威胁层出不穷,尤其是攻击者利用设备漏洞事先入侵潜伏,进而发动网络攻击的例子屡见不鲜。为了有效地应对物联网安全威胁,结合物联网系统的特点,文章设计了基于设备型号的流量异常检测模型,模型采用设置阻尼时间窗口的方法提取时间统计特征并构建指纹,然后根据设备类型对指纹进行分类,最后用主成分分析法对特征进行降维并用BP神经网络算法进行异常检测的训练和识别。为进一步验证设备型号分类对异常检测效果的贡献,文章比较了随机森林、支持向量机方法在检测中的效果并对实验结果进行了评估,结果表明,基于设备型号的异常检测准确度能够提高10%左右,BP神经网络具有最好的检测效果,检出率平均达到90%以上。

关键词: 异常检测, 设备型号分类, BP神经网络, 主成分分析, 阻尼时间窗口

Abstract:

The rapid development of the Internet of Things has brought about numerous security threats. In particular, it is not uncommon for an attacker to use a device vulnerability to invade a device in advance and launch a network attack. In order to effectively deal with the security threat of the Internet of Things, combined with the characteristics of the Internet of Things system, In this paper, the traffic anomaly detection model based on the device model is designed. The model uses the method of setting the damped time window to extract the time statistical features and construct the fingerprint. Then the fingerprint is classified according to the device type. Finally, the principal component analysis method is used to reduce the features and use BP neural network algorithm for training and identification of anomaly detection. In order to further verify the contribution of equipment model classification to anomaly detection, this paper compares the effects of random forest, support vector machine in detection and evaluates the experimental results. The results show that the accuracy of anomaly detection based on equipment model can be increased by 10%. BP neural network has the best detection effect, with an average of more than 90%.

Key words: anomaly detection, device type identification, BP neural network, principal component analysis, damped time window

中图分类号:

TP309

杨威超, 郭渊博, 钟雅, 甄帅辉. 基于设备型号分类和BP神经网络的物联网流量异常检测[J]. 信息网络安全, 2019, 19(12): 53-63.

Weichao YANG, Yuanbo GUO, Ya ZHONG, Shuaihui ZHEN. IoT Traffic Anomaly Detection Based on Device Type Identification and BP Neural Network[J]. Netinfo Security, 2019, 19(12): 53-63.

图/表 16

图1

图2

图3

图4

表1

表2

图5

表3

表4

表5

图6

表6

图7

图8

图9

图10

参考文献 20

[1]	HOWELL J. Number of Connected IoT Devices will Surge to 125 Billion by 2030[EB/OL]. , 2018-11-7/2019-7-15.
[2]	CALERO. 3 Ways the Internet of Things will Impact Enterprise Security[EB/OL]. , 2018-6-17/2019-7-15.
[3]	STANKOVIC J A.Research Directions for the Internet of Things[J]. IEEE Internet of Things Journal, 2014, 3(1): 3-9.
[4]	KOLIAS C, KAMBOURAKIS G, STAVROU A, et al.DDoS in the IoT: Mirai and Other Botnets[J]. Computer, 2017, 50(7): 80-84.
[5]	HOQUE N, BHATTACHARYYA D K, KALITA J K, et al.Botnet in DDoS Attacks: Trends and Challenges[J]. IEEE Communications Surveys & Tutorials, 2015, 17(4): 2242-2270.
[6]	AHMED M, MAHMOOD A N, HU J,et al.A Survey of Network Anomaly Detection Techniques[J]. Journal of Network and Computer Applications, 2016, 60(5): 19-31.
[7]	NGUYEN T D, MARCHAL S, MIETTINEN M, et al.Diot: A Crowdsourced Self-learning Approach for Detecting Compromised IoT Devices[J]. arXiv preprint, 2018, 18(4): 13-19.
[8]	APTHORPE N, REISMAN D, FEAMSTER N.A Smart Home is no Castle: Privacy Vulnerabilities of Encrypted IoT Traffic[J]. arXiv preprint, 2017, 17(5): 6-11.
[9]	DOSHI R, APTHORPE N, FEAMSTER N.Machine Learning DDoS Detection for Consumer Internet of Things Devices[C]//IEEE. 2018 IEEE Security and Privacy Workshops(SPW), Auguest 11-15, 2018, Los Angeles, USA. New York: IEEE, 2018: 29-35.
[10]	HAFEEZ I, ANTIKAINEN M, DING A Y, et al.IoT-KEEPER: Securing IoT Communications in Edge Networks[J]. arXiv preprint, 2018, 18(10): 84-95.
[11]	MCMAHAN H B, MOORE E, RAMAGE D, et al.Communication-efficient Learning of Deep Networks from Decentralized Data[J]. preprint, 2016, 16(2): 16-29.
[12]	MIRSKY Y, DOITSHMAN T, ELOVICI Y, et al.Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection[J]. arXiv preprint, 2018, 18(2): 90-99.
[13]	MO Yun.Research on Location Fingerprint Indoor Location Method Based on Spatial Partitioning and Dimensionality Reduction Technology[D]. Harbin: Harbin Institute of Technology, 2016.
	莫云. 基于空间分区与降维技术的位置指纹室内定位方法研究[D].哈尔滨:哈尔滨工业大学,2016.
[14]	WANG Tao, ZHANG Lisha, GAO Yan.Diagnosis of the Abnormal State of Long-span Arch Bridge Based on BP Neural Network Improved Novel Detection Technology[J]. Journal of Beijing Institute of Technology, 2016, 36(2): 157-162.
	王涛,张丽莎,高岩.基于BP神经网络的改进型新奇检测技术诊断大跨度拱桥异常状态[J].北京理工大学学报,2016,36(2):157-162.
[15]	BREIMAN L.Random Forests[J]. Machine Learning, 2001, 45(1): 5-32.
[16]	GAO S, ZHANG H, ZHENG X, et al.Improving SVM Classifiers with Link Structure for Web Spam Detection[J]. Journal of Computational Information Systems, 2014, 10(6): 2435-2443.
[17]	MEIDAN Y, BOHADANA M, MATHOV Y, et al.N-BaIoT—Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders[J]. IEEE Pervasive Computing, 2018, 17(3): 12-22.
[18]	SHI W, CAO J, ZHANG Q, et al.Edge Computing: Vision and Challenges[J]. IEEE Internet of Things Journal, 2016, 3(5): 637-646.
[19]	JOLLIFFE I T, CADIMA J.Principal Component Analysis: A Review and Recent Developments[J]. Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, 2016, 374(5): 29-37.
[20]	APTHORPE N, REISMAN D, SUNDARESAN S, et al.Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic[J]. arXiv preprint, 2017, 17(8): 44-50.

参数	值
输入层节点数	90
输出层节点数	2
隐含层节点数	13
激活函数	Sigmoid函数[S(x)=1/(1+e^-^x)]
学习率	0.01
迭代次数	100

设备类别	攻击数据	正常数据
Provision_PT_737E_Security_Camera	5000	5000
Provision_PT_838_Security_Camera	5000	5000
SimpleHome_XCS7_1002_WHT_Security_Camera	5000	5000
SimpleHome_XCS7_1003_WHT_Security_Camera	5000	5000
Ecobee_Thermostat	5000	5000
Danmini_Doorbell	5000	5000
Ennio_Doorbell	5000	5000
Samsung_SNH_1011_N_Webcam	5000	5000
Philips_B120Na0_Baby_Monitor	5000	5000

	预测为正例	预测为负例
实际为正例	真正例（TP）	假正例（FP）
实际为负例	假负例（FN）	真负例（TN）