CN117439916A - Network security test evaluation system and method - Google Patents

Publication number
CN117439916A
Authority
CN
China
Prior art keywords
equipment
data
network
network security
test evaluation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202311600802.1A
Other languages
Chinese (zh)
Inventor
钱晓寒
肖亮
温世伶
吴明波
吴涛
李学红
禹跃美
祖立辉
张宏
朱立新
安永发
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huaneng Lancang River Hydropower Co Ltd
Original Assignee
Huaneng Lancang River Hydropower Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huaneng Lancang River Hydropower Co Ltd
Priority to CN202311600802.1A
Publication of CN117439916A
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2803 Home automation networks
    • H04L12/2823 Reporting information sensed by appliance or service execution status of appliance services in a home automation network
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security test evaluation system and method, relating to the technical field of network security testing. The network security test evaluation method comprises the following steps: collecting various data in a target network system; and establishing a network security test evaluation model, wherein the model comprises a classifier of normal and abnormal behaviors and a cluster analysis algorithm. By establishing a classifier of normal and abnormal behavior, network traffic and user behavior are monitored and analyzed in real time, and abnormal behavior and malicious attacks are found and prevented in time. By analyzing the parameters, data quantity and electricity consumption of the intelligent household equipment, it can be judged whether the equipment has a problem with its own running state, which avoids misjudgment of the network security detection result caused by such a problem. By sending a no-operation instruction to the intelligent home terminal at a fixed frequency, an abnormal state of the equipment can be found in time, so that the accuracy and timeliness of network security test evaluation are improved.

Description

Network security test evaluation system and method
Technical Field
The invention relates to the technical field of network security testing, in particular to a network security testing evaluation system and a network security testing evaluation method.
Background
With the rapid development of smart home technology, more and more families begin to use smart home devices to improve the quality of life. However, the network security problem is also increasing, and the traditional network security testing and evaluating method mainly depends on manual operation, and is low in efficiency and easy to miss some minor potential safety hazards. Therefore, a system capable of monitoring and evaluating the security of an intelligent home network in real time is urgently needed.
Chinese patent application publication No. CN115378744A discloses a network security test evaluation system and method, wherein the evaluation method comprises the following steps: S100, setting an evaluation period, and acquiring initial information to be processed of a target network; S200, setting a test model, and performing network intrusion detection on the target network to obtain test data; S300, carrying out external security risk assessment and internal security risk assessment on the initial information to be processed and the test data to obtain an external factor assessment score and an internal factor assessment score; S400, calculating a comprehensive score according to the exogenous evaluation score and the endogenous evaluation score to obtain a comprehensive evaluation grade; S500, outputting the comprehensive evaluation result and the corresponding advice.
In combination with the above, it can be found that the prior art has the following disadvantages:
1. network security cannot be detected and evaluated in real time; when the equipment is invaded, the invasion cannot be found in time, and the loss already caused by the time it is found cannot be recovered;
2. faults are judged by acquiring the messages of each fault type from the history log information; when the network is invaded or the log is tampered with, the specific condition of the equipment cannot be judged from the log, and judging the network state of the equipment from its instantaneously acquired running state easily causes misjudgment;
3. the control of the device is not further verified; when the device data is abnormal, no further control and verification is performed on the device to determine whether it has been intruded.
Disclosure of Invention
(I) Technical problems to be solved
To address the defects of the prior art, the invention provides a network security test evaluation system and a network security test evaluation method. By establishing a classifier of normal and abnormal behaviors, network traffic and user behavior can be monitored and analyzed in real time, and abnormal behaviors and malicious attacks can be discovered and prevented in time. By analyzing the parameters, data quantity and electricity consumption of the intelligent household equipment, it can be judged whether the equipment has a problem with its own running state, which avoids misjudgment of the network security detection result caused by such a problem. By sending a no-operation instruction to the intelligent home terminal at a fixed frequency, abnormalities of the equipment can be discovered in time and the running of the equipment can be controlled and checked. This solves the problems mentioned in the background art and improves the accuracy and timeliness of network security test evaluation.
(II) technical scheme
In order to achieve the above purpose, the invention is realized by the following technical scheme: a network security test evaluation method comprises the following steps:
collecting various data in a target network system, including equipment information, communication records and user operation records, preprocessing the collected original data to reduce interference and redundant information, and extracting characteristics related to network security from the data, including abnormal operation, malicious attack and equipment loopholes;
further, the preprocessing work includes the following steps:
data cleansing, which aims at turning dirty data into clean data and includes deleting duplicate data, processing missing values, and identifying and processing outliers:
deleting duplicate data: duplicate data is deleted by using the DISTINCT keyword or a GROUP BY statement;
processing missing values: missing data may be filled (i.e., the missing value is replaced with a specific value), rows or columns containing the missing value may be deleted, or the value may be filled using interpolation methods, etc.;
identifying and processing outliers: outliers can be identified and processed by statistical methods (e.g., mean, median, mode, etc.).
Data deduplication: after data cleansing, duplicate or redundant data is deleted, which generally comprises two types:
deletion of duplicate data: the data are identical, and the deletion operation can be carried out directly;
deletion of similar duplicate data: although the data differ in content, they are similar in nature; a method such as cluster analysis is needed to judge the similarity, and the data with higher similarity are then deleted.
Data integration: the data from the plurality of data sources are integrated, for example in time order or in logical order;
data format conversion: the data are converted into a unified format, such as converting text data into digital data, etc.;
data storage: the cleaned and integrated data is stored in a designated database or data warehouse for subsequent analysis and processing.
According to known attack modes and network security risks, a network security test evaluation model is established, wherein the network security test evaluation model comprises a classifier and a cluster analysis algorithm of normal behaviors and abnormal behaviors, historical data are used for training the model, so that the model can accurately identify the normal behaviors and the abnormal behaviors, the trained model is applied to real-time data monitoring, and abnormal behaviors are found by continuously analyzing and comparing the differences between the data and the normal model;
acquiring and analyzing the operation state data of the intelligent household equipment, calculating the operation external state index OES of the equipment according to the temperature, the humidity and the brightness of the equipment, calculating the operation internal state index ISI of the equipment according to the data flow and the electricity consumption, further generating the operation state index OSI of the equipment, comparing the operation state index OSI with a preset operation state threshold value, and making corresponding measures according to different comparison results;
the method comprises the steps that a sending end sends a section of no-operation instruction to an intelligent home terminal at fixed frequency, after receiving the section of no-operation instruction, intelligent home equipment encrypts the section of no-operation instruction by using an SHA-256 encryption algorithm to generate a section of ciphertext, and returns the section of ciphertext to the sending end;
the sending end compares the encrypted ciphertext with the received ciphertext, and makes corresponding measures according to different comparison results.
Further, the temperature, humidity and brightness parameters of the intelligent household equipment are obtained through a temperature sensor, a humidity sensor and a light sensor which are arranged in the intelligent household equipment, and the data flow and the electricity consumption are obtained through an intelligent household cloud platform.
Further, the operation external state index OES of the device is calculated from the temperature, humidity and brightness after dimensionless processing, and the calculation formula is as follows:
wherein i is the index of the different time points, n is the total number of time points, T_i indicates the temperature of the device at time point i, H_i indicates the humidity of the device at time point i, and L_i indicates the brightness of the device at time point i.
Further, the operation internal state index ISI of the device is calculated from the data flow and the electricity consumption after dimensionless processing, and the calculation formula is as follows:
wherein t is the index of the different time periods, m is the total number of time periods, dat_t is the data traffic in time period t, and Poc_t is the power consumption in time period t.
Further, the operation external state index OES and the operation internal state index ISI of the device are synthesized to generate the operation state index OSI of the device, and the calculation formula is as follows:
OSI=α*OES+β*ISI
wherein α, β are weight coefficients, 0< α <1,0< β <1, and α+β=1.
Further, an operation state threshold value is preset, when the equipment operation state index is smaller than the operation state threshold value, the current operation state of the intelligent household equipment is indicated to be problematic, and abnormal data are uploaded to the intelligent household cloud platform;
when the equipment running state index is greater than or equal to the running state threshold, the abnormal condition of the current intelligent household equipment is indicated, early warning is sent out, and abnormal data are uploaded to the intelligent household cloud platform.
Further, the transmitting end transmits a section of no-operation instruction to the intelligent home terminal at a fixed frequency; after receiving the no-operation instruction, the intelligent home equipment encrypts it by using an SHA-256 encryption algorithm to generate a section of ciphertext; the intelligent home equipment returns the encrypted ciphertext to the transmitting end; after receiving the ciphertext, the sending end encrypts the original no-operation instruction it sent by using the same SHA-256 encryption algorithm to generate a section of ciphertext.
Further, the sending end compares the ciphertext generated by encryption with the received ciphertext, if the ciphertext is matched with the received ciphertext, the instruction is not tampered, and the instruction source is legal; if the sending end finds that the received ciphertext is not matched with the expected ciphertext, the sending end indicates that the instruction is tampered or damaged in the transmission process, or the instruction source is illegal, and corresponding measures are taken, including sending an alarm or suspending the operation of the intelligent household equipment, and uploading the exception to the intelligent household cloud platform.
A network security test evaluation system, comprising: the system comprises a data acquisition module, a data analysis module, a normal behavior classification module, an abnormal behavior clustering module and a security policy adjustment module; wherein,
the data acquisition module is used for collecting various data in the target network system, carrying out pretreatment work of cleaning, de-duplication and integration on the collected original data, and extracting characteristics related to network safety from the data;
the data analysis module is used for analyzing the operation state data of the intelligent household equipment, calculating the operation external state index OES of the equipment according to the temperature, the humidity and the brightness of the equipment, calculating the operation internal state index ISI of the equipment according to the data flow and the electricity consumption, and further generating the operation state index OSI of the equipment;
the normal behavior classification module is used for learning and identifying normal household network behaviors so as to distinguish the normal network behaviors from abnormal behaviors, the classifier is trained by adopting a naive Bayesian classifier, and classification and prediction are carried out by receiving various data of the household network, including but not limited to network traffic, equipment state and user behaviors;
the abnormal behavior clustering module is used for finding and early warning abnormal network behaviors, the algorithm adopts a K-means clustering algorithm to perform clustering analysis on the network behaviors, the abnormal network behaviors are classified into the same category, and early warning is performed;
the security policy adjustment module is used for adjusting the security policy of the home network, and the security policy of the home network is automatically adjusted according to the early warning information and the equipment state information, and comprises the steps of limiting the network access of specific equipment and isolating abnormal behaviors.
(III) beneficial effects
The invention provides a network security test evaluation system and a network security test evaluation method, which have the following beneficial effects:
(1) By establishing the classifier of normal behavior and abnormal behavior, the network traffic and the user behavior can be monitored and analyzed in real time, abnormal behavior and malicious attack can be found and prevented in time, the overall security of the network is improved, a large amount of network security data can be automatically processed and analyzed, the workload of security personnel is reduced, and the working efficiency is improved.
(2) By analyzing the parameters, the data quantity and the electricity consumption of the intelligent home equipment, whether the equipment has a problem with its own running state can be judged, which avoids misjudgment of the network security detection result caused by such a problem, keeps it from affecting the result of the intelligent home network security test evaluation, and improves the accuracy of the evaluation result.
(3) By sending the no-operation instruction to the intelligent home terminal at a fixed frequency, the abnormality of the terminal can be timely found, more loss caused by time lag is avoided, and the encrypted ciphertext is unique, so that even if a hacker intercepts the ciphertext and tries to send the ciphertext again, the hacker can be identified because the same ciphertext cannot be generated again, and the hacker can be prevented from operating the intelligent home device through replay attack.
(4) By comparing the ciphertext and taking corresponding measures according to the comparison result, the intelligent household equipment can be ensured to correctly execute the instruction of the transmitting end, so that the reliability and the safe operation of the intelligent household are realized, the safety and the reliability of the intelligent household system can be further improved, malicious attackers are prevented from operating the intelligent household equipment by utilizing loopholes, and the safety and the privacy of the household are protected.
Drawings
FIG. 1 is a flow chart of a network security test evaluation method according to the present invention;
FIG. 2 is a schematic diagram of a network security test evaluation system according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, the present invention provides a network security test evaluation method, in this application, taking an intelligent home network as an example, for performing test evaluation on network security, the specific evaluation method includes the following steps:
step one: collecting various data in a target network system, including equipment information, communication records, user operation records and the like, performing preprocessing work such as cleaning, de-duplication, integration and the like on the collected original data to reduce interference and redundant information, and extracting characteristics related to network security, including abnormal operation, malicious attack, equipment loopholes and the like, from the data;
the first step specifically comprises the following steps:
step 101: collecting various data in the intelligent home network system from the intelligent home cloud platform, the log file and the equipment interface, wherein the data comprise equipment information, communication records, user operation records and the like;
step 102: the preprocessing work such as cleaning, de-duplication, integration and the like is carried out on the collected original data;
step 103: features related to network security, including abnormal operations, malicious attacks, device vulnerabilities, etc., are extracted from the preprocessed data.
It should be noted that smart home devices of different brands and models may have different interfaces, log file formats, and communication protocols, so corresponding tools and interface documents need to be provided for specific devices and vendors to collect and integrate data. At the same time, relevant privacy policies and laws must be followed, ensuring compliance with the relevant legal requirements when collecting and using user data.
Combining the contents of steps 101 to 103:
by preprocessing the collected data, interference and redundant information in the data can be reduced, the accuracy of data analysis is improved, abnormal operation and malicious attack can be found by extracting features of the data, system vulnerabilities can be identified by analyzing communication records and user operation records, and appropriate measures are taken to repair the vulnerabilities, so that the safety of the system is improved.
Step two: according to known attack modes and network security risks, a network security test evaluation model is established, wherein the network security test evaluation model comprises a classifier, a cluster analysis algorithm and the like for normal behaviors and abnormal behaviors, historical data are used for training the model, so that the model can accurately identify the normal behaviors and the abnormal behaviors, the trained model is applied to real-time data monitoring, and abnormal behaviors are found through continuously analyzing and comparing the differences between the data and the normal model;
the second step specifically comprises the following steps:
step 201: extracting characteristics related to an attack mode and network security risk from the characteristic data, wherein the characteristics comprise a specific network traffic mode, abnormal log information, abnormal equipment states and the like;
step 202: for normal behavior and abnormal behavior, a classifier model is designed, and is established by using a naive Bayesian classifier, wherein the establishment process is as follows:
step 2021: data preparation: dividing the collected data into a training set and a testing set, training a classifier model by using the training set, and testing the accuracy and effect of the model by using the testing set;
step 2022: feature selection: selecting features related to attack modes and network security risks, and defining a probability distribution for each feature;
step 2023: model training: training a classifier model using the training set data, calculating probability distributions for each feature, and using the probability distributions to make classification predictions;
step 2024: model evaluation: and testing the accuracy and effect of the classifier model by using the test set data, and calculating indexes such as the accuracy, recall rate and the like of the model.
Step 203: aiming at abnormal behaviors, a cluster analysis algorithm is designed, a K-means clustering algorithm is used for building a model, and the specific building process is as follows:
step 2031: data preparation: dividing the collected data into a training set and a testing set, training a clustering model by using the training set, and testing the accuracy and effect of the model by using the testing set;
step 2032: determining the number of clusters: determining the number of abnormal behavior categories to be clustered, for example, the abnormal behavior categories can be clustered into categories such as malicious attack, illegal access and the like;
step 2033: feature selection: selecting characteristics related to attack modes and network security risks, and defining a clustering center for each characteristic;
step 2034: model training: training a clustering model by using training set data, calculating coordinates of each clustering center, and performing clustering prediction by using the clustering centers;
step 2035: model evaluation: and testing the accuracy and effect of the clustering model by using the test set data, and calculating indexes such as the accuracy, recall rate and the like of the model.
Step 204: the designed classifier model and the cluster analysis algorithm are deployed into a network security test evaluation system for real-time monitoring and early warning;
step 205: and uploading the abnormal data to the intelligent home cloud platform according to the output result of the model.
It should be noted that, the classifier model may be established using a variety of machine learning algorithms, for example, a naive bayes classifier, a Support Vector Machine (SVM) classifier, a decision tree classifier, etc., and may be established using a variety of clustering algorithms, for example, a K-means clustering algorithm, a hierarchical clustering algorithm, a DBSCAN clustering algorithm, etc., and may be selected according to the specific situation.
Combining the contents of steps 201 to 205:
by establishing the classifier of normal behavior and abnormal behavior, the network traffic and the user behavior can be monitored and analyzed in real time, abnormal behavior and malicious attack can be found and prevented in time, the overall security of the network is improved, a large amount of network security data can be automatically processed and analyzed, the workload of security personnel is reduced, and the working efficiency is improved.
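Steps 202 to 205 as one pipeline, in an added example that is not from the patent: a Gaussian naive Bayes classifier separates normal from abnormal windows, and K-means then groups the abnormal ones for early warning. The three features, all sample values, the Gaussian likelihoods, the farthest-first initialisation and every function name are assumptions made for illustration.

```python
import math

# Constructed samples, one row per device time window:
# (packets per minute, distinct destinations, failed logins).
NORMAL = [(40, 3, 0), (55, 4, 0), (48, 2, 1), (60, 5, 0), (52, 3, 0), (45, 4, 1)]
ABNORMAL = [(900, 60, 0), (950, 70, 1), (870, 55, 0),   # high-volume fan-out
            (50, 3, 30), (58, 4, 42), (47, 2, 35)]      # repeated failed logins
# Constructed "real-time" windows to be triaged.
LIVE = [(51, 3, 0), (910, 62, 0), (49, 3, 33), (57, 4, 1), (880, 58, 1), (55, 2, 40)]


def fit_gaussian_nb(samples_by_label):
    """Step 2023: per class, estimate a prior and a Gaussian for each feature."""
    total = sum(len(rows) for rows in samples_by_label.values())
    model = {}
    for label, rows in samples_by_label.items():
        cols = list(zip(*rows))
        means = [sum(c) / len(c) for c in cols]
        # Variance floor: a near-constant feature must not yield a zero variance.
        variances = [max(sum((x - m) ** 2 for x in c) / len(c), 1.0)
                     for c, m in zip(cols, means)]
        model[label] = (math.log(len(rows) / total), means, variances)
    return model


def predict(model, row):
    """Return the label with the highest log posterior for one window."""
    def log_posterior(label):
        log_prior, means, variances = model[label]
        return log_prior + sum(
            -0.5 * math.log(2 * math.pi * v) - (x - m) ** 2 / (2 * v)
            for x, m, v in zip(row, means, variances))
    return max(model, key=log_posterior)


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(rows, k, iterations=20):
    """Steps 2032 to 2034: K-means with deterministic farthest-first seeding.

    Raw features are clustered here; on real data, scale each feature first
    so that packet counts do not dominate the distance.
    """
    centers = [rows[0]]
    while len(centers) < k:
        centers.append(max(rows, key=lambda r: min(dist2(r, c) for c in centers)))
    groups = [[] for _ in range(k)]
    for _ in range(iterations):
        groups = [[] for _ in range(k)]
        for r in rows:
            groups[min(range(k), key=lambda j: dist2(r, centers[j]))].append(r)
        new_centers = [tuple(sum(col) / len(g) for col in zip(*g)) if g else centers[j]
                       for j, g in enumerate(groups)]
        if new_centers == centers:
            break
        centers = new_centers
    return centers, groups


def triage(model, rows, k=2):
    """Classify each window, then cluster the abnormal ones into k categories."""
    abnormal = [r for r in rows if predict(model, r) == "abnormal"]
    normal = [r for r in rows if r not in abnormal]
    groups = kmeans(abnormal, k)[1] if len(abnormal) >= k else [abnormal]
    return normal, groups


MODEL = fit_gaussian_nb({"normal": NORMAL, "abnormal": ABNORMAL})

if __name__ == "__main__":
    normal, groups = triage(MODEL, LIVE)
    print("normal windows:", normal)
    for n, group in enumerate(groups):
        print("abnormal category", n, "->", group)
```

The abnormal class here is deliberately bimodal, which is why the classifier only flags a window and the clustering stage is what separates the two kinds of anomaly.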
Step three: acquiring and analyzing the operation state data of the intelligent household equipment, calculating the operation external state index OES of the equipment according to the temperature, the humidity and the brightness of the equipment, calculating the operation internal state index ISI of the equipment according to the data flow and the electricity consumption, further generating the operation state index OSI of the equipment, comparing the operation state index OSI with a preset operation state threshold value, and making corresponding measures according to different comparison results;
the third step specifically comprises the following steps:
step 301: acquiring parameters such as temperature, humidity, brightness and the like of the equipment through a temperature sensor, a humidity sensor, a light sensor and the like which are arranged in the intelligent household equipment;
step 302: the external state index of the operation of the equipment is calculated through temperature, humidity and brightness, and the calculation formula is as follows:
wherein i is the index of the different time points, n is the total number of time points, T_i indicates the temperature of the device at time point i, H_i indicates the humidity of the device at time point i, and L_i represents the brightness of the device at time point i;
step 303: the internal state index of the operation of the equipment is calculated through the data flow and the electricity consumption, and the calculation formula is as follows:
wherein t is the index of the different time periods, m is the total number of time periods, dat_t is the data traffic in time period t, and Poc_t is the electricity consumption in time period t;
step 304: the operation external state index OES and the operation internal state index ISI of the equipment are synthesized to generate the equipment operation state index OSI, and the calculation formula is as follows:
OSI=α*OES+β*ISI
wherein α, β are weight coefficients, 0< α <1,0< β <1, and α+β=1;
step 305: presetting an operation state threshold, when the equipment operation state index is smaller than the operation state threshold, indicating that the current intelligent household equipment has a problem in the operation state, and uploading abnormal data to the intelligent household cloud platform;
when the equipment running state index is greater than or equal to the running state threshold, the abnormal condition of the current intelligent household equipment is indicated, early warning is sent out, and abnormal data are uploaded to the intelligent household cloud platform.
It should be noted that when the parameters of the device, including temperature, humidity and brightness, are zero and the power consumption is zero, there is a high probability that the running state of the device itself is problematic. The lower the temperature, humidity and brightness of the device, the lower its operation external state index; the lower the data flow and power consumption of the device, the lower its operation internal state index, and the higher the probability that the running state of the device is problematic; conversely, the probability is lower.
Combining the contents of steps 301 to 305:
by analyzing the parameters, data volume and electricity consumption of the smart home device, it can be determined whether the device has an operating state problem. This avoids misjudging the network security detection result because of a device operating state problem, which would affect the evaluation result of the smart home network security test, and so improves the accuracy of the evaluation result.
Step four: the sending end sends a no-operation instruction to the smart home terminal at a fixed frequency; after receiving the no-operation instruction, the smart home device encrypts it using the SHA-256 encryption algorithm to generate a ciphertext and returns the ciphertext to the sending end;
step four specifically comprises the following:
step 401: the sending end sends a no-operation instruction to the smart home terminal at a fixed frequency, for example once every 10 seconds;
step 402: after receiving the no-operation instruction, the smart home device encrypts it using the SHA-256 encryption algorithm to generate a ciphertext;
step 403: the smart home device returns the encrypted ciphertext to the sending end;
step 404: after receiving the ciphertext, the sending end encrypts the original no-operation instruction it sent using the same SHA-256 encryption algorithm to generate a ciphertext.
It should be noted that, because the encryption key is private, only a sending end that holds the key can generate the correct ciphertext. If the ciphertext does not match the ciphertext the sending end expects, the instruction may have been tampered with or damaged in transmission. Therefore, verifying the correctness of the ciphertext verifies whether the received instruction comes from a legitimate sending end.
Combining the contents of steps 401 to 403:
by sending the no-operation instruction to the smart home terminal at a fixed frequency, an abnormality of the terminal can be found in time, avoiding further loss caused by delay. Because the encrypted ciphertext is unique, even if a hacker intercepts the ciphertext and tries to send it again, the hacker is identified because the same ciphertext cannot be generated again, which prevents the hacker from operating the smart home device through a replay attack.
Step five: the sending end compares the ciphertext it generated with the received ciphertext and takes corresponding measures according to the comparison result.
Step five specifically comprises the following:
step 501: the sending end compares the ciphertext it generated with the received ciphertext; if they match, the instruction has not been tampered with and the instruction source is legitimate;
step 502: if the sending end finds that the received ciphertext does not match the expected ciphertext, this may indicate that the instruction was tampered with or damaged in transmission, or that the instruction source is illegitimate. In this case, the sending end may take corresponding measures, such as issuing an alarm or suspending the operation of the smart home device, and upload the abnormal data to the smart home cloud platform.
It should be noted that, to ensure the security of the smart home device, other measures are also required, such as periodically updating device software and firmware and protecting the device with a strong password. To further improve security, a higher-level encryption algorithm or other security mechanisms may be considered.
Combining the contents of steps 501 to 502:
by comparing the ciphertexts and taking corresponding measures according to the comparison result, it can be ensured that the smart home device correctly executes the instructions of the sending end, achieving reliable and secure operation of the smart home. This further improves the security and reliability of the smart home system, prevents malicious attackers from exploiting vulnerabilities to operate smart home devices, and protects the security and privacy of the household.
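The heartbeat check of steps four and five, as an added example that is not code from the patent. SHA-256 on its own is an unkeyed hash, so the example assumes HMAC-SHA-256 with a pre-shared key and a fresh nonce per heartbeat to obtain the private-key and non-replayable properties the text describes; `NOOP`, `Sender`, `device_response` and the nonce field are hypothetical names and assumptions.

```python
import hashlib
import hmac
import secrets

NOOP = b"NOOP"  # constructed no-operation instruction (hypothetical encoding)


def plain_digest(instruction: bytes) -> bytes:
    """Unkeyed SHA-256 of the instruction: identical on every heartbeat,
    so anyone can compute it and a captured value can be replayed."""
    return hashlib.sha256(instruction).digest()


def device_response(key: bytes, instruction: bytes, nonce: bytes) -> bytes:
    """Device side (steps 402-403): keyed tag over the sender's nonce and the
    instruction. The nonce has a fixed length, so concatenation is unambiguous."""
    return hmac.new(key, nonce + instruction, hashlib.sha256).digest()


class Sender:
    """Sending end (steps 401, 404, 501 and 502)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # nonce of the heartbeat awaiting a response

    def challenge(self):
        """Step 401: issue the no-op instruction with a fresh 16-byte nonce."""
        self.pending = secrets.token_bytes(16)
        return NOOP, self.pending

    def verify(self, response: bytes) -> str:
        """Steps 404 and 501-502: recompute the expected value and compare."""
        if self.pending is None:
            return "alarm"  # response without an outstanding heartbeat
        expected = device_response(self.key, NOOP, self.pending)
        self.pending = None  # each nonce is accepted at most once
        # Constant-time comparison avoids leaking how many bytes matched.
        return "ok" if hmac.compare_digest(expected, response) else "alarm"


def run_demo():
    key = secrets.token_bytes(32)  # pre-shared key (assumed already provisioned)
    sender = Sender(key)
    results = {}

    instruction, nonce = sender.challenge()
    captured = device_response(key, instruction, nonce)
    results["honest"] = sender.verify(captured)

    sender.challenge()  # next heartbeat carries a new nonce
    results["replayed"] = sender.verify(captured)

    instruction, nonce = sender.challenge()
    wrong = device_response(secrets.token_bytes(32), instruction, nonce)
    results["wrong_key"] = sender.verify(wrong)

    # Without key and nonce the response never changes between heartbeats.
    results["plain_sha256_repeats"] = plain_digest(NOOP) == plain_digest(NOOP)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The "alarm" result is where the measures of step 502 (alert, suspend the device, upload to the cloud platform) would be triggered.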
Referring to fig. 2, the invention further provides a smart home network security test evaluation system, which comprises: a data acquisition module, a data analysis module, a normal behavior classification module, an abnormal behavior clustering module and a security policy adjustment module; wherein,
the data acquisition module is used for collecting various data in the target network system, preprocessing the collected raw data (cleaning, de-duplication, integration and the like), and extracting features related to network security from the data;
the data analysis module is used for analyzing the operating state data of the smart home device, calculating the external operating state index OES of the device from its temperature, humidity and brightness, calculating the internal operating state index ISI of the device from the data traffic and electricity consumption, and then generating the device operating state index OSI;
the normal behavior classification module is used for learning and identifying normal home network behaviors so as to distinguish normal network behaviors from abnormal behaviors. The classifier is a naive Bayesian classifier; it is trained on, and classifies and predicts from, the various data it receives from the home network, including but not limited to network traffic, device state and user behavior;
the abnormal behavior clustering module is used for finding and giving early warning of abnormal network behaviors. It uses the K-means clustering algorithm to perform cluster analysis on network behaviors, groups abnormal network behaviors into the same category, and issues an early warning. The algorithm can also adjust the number of clusters and the feature selection as required to adapt to different network environments and security requirements;
the security policy adjustment module is used for adjusting the security policy of the home network. It can automatically adjust the security policy according to information such as the early warning information and the device state, for example by limiting the network access of specific devices or isolating abnormal behaviors, thereby improving the overall security of the home network.
The above formulas are all dimensionless numerical calculations; they were obtained by collecting a large amount of data and running software simulation to find the formula closest to the real situation, and the preset parameters in the formulas are set by those skilled in the art according to the actual situation.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application.

Claims (9)

1. A network security test evaluation method, characterized by comprising the following steps:
collecting various data in a target network system, including device information, communication records and user operation records; preprocessing the collected raw data, and extracting features related to network security from the preprocessed data, wherein the features comprise abnormal operations, malicious attacks and device vulnerabilities;
establishing a network security test evaluation model according to known attack modes and network security risks, wherein the model comprises a classifier for normal and abnormal behaviors and a cluster analysis algorithm; training the model with historical data so that it can accurately identify normal and abnormal behaviors; and applying the trained model to real-time data monitoring, where abnormal behaviors are found by continuously analyzing and comparing the differences between the data and the normal model;
acquiring and analyzing operating state data of the smart home device, calculating the external operating state index OES of the device from its temperature, humidity and brightness, calculating the internal operating state index ISI of the device from the data traffic and electricity consumption, and then generating the device operating state index OSI;
sending, by a sending end, a no-operation instruction to the smart home terminal at a fixed frequency; after receiving the no-operation instruction, the smart home device encrypts it using the SHA-256 encryption algorithm to generate a ciphertext and returns the ciphertext to the sending end; the sending end compares the ciphertext it generated with the received ciphertext and takes corresponding measures according to the comparison result.
2. A network security test evaluation method according to claim 1 wherein,
the temperature, humidity and brightness parameters of the smart home device are acquired through a temperature sensor, a humidity sensor and a light sensor built into the smart home device, and the data traffic and electricity consumption are acquired through the smart home cloud platform.
3. A network security test evaluation method according to claim 1 wherein,
the external operating state index of the device is calculated from the temperature, humidity and brightness after dimensionless processing, and the calculation formula is as follows:
where i indexes the time points, n is the total number of time points, T_i is the temperature of the device at time point i, H_i is the humidity of the device at time point i, and L_i is the brightness of the device at time point i.
4. A network security test evaluation method according to claim 1 wherein,
the internal operating state index of the device is calculated from the data traffic and electricity consumption after dimensionless processing, and the calculation formula is as follows:
where t indexes the time periods, m is the total number of time periods, dat_t is the data traffic in time period t, and Poc_t is the electricity consumption in time period t.
5. A network security test evaluation method according to claim 1 wherein,
the external operating state index OES and the internal operating state index ISI of the device are combined to generate the device operating state index OSI, and the calculation formula is as follows:
OSI=α*OES+β*ISI
wherein α, β are weight coefficients, 0< α <1,0< β <1, and α+β=1.
6. The network security test evaluation method of claim 5, wherein,
an operating state threshold is preset, and when the device operating state index is smaller than the operating state threshold, the abnormal data is uploaded to the smart home cloud platform; when the device operating state index is greater than or equal to the operating state threshold, an early warning is issued and the abnormal data is uploaded to the smart home cloud platform.
7. A network security test evaluation method according to claim 1 wherein,
the sending end sends a no-operation instruction to the smart home terminal at a fixed frequency; after receiving the no-operation instruction, the smart home device encrypts it using the SHA-256 encryption algorithm to generate a ciphertext; the smart home device returns the encrypted ciphertext to the sending end; after receiving the ciphertext, the sending end encrypts the original no-operation instruction it sent using the same SHA-256 encryption algorithm to generate a ciphertext.
8. The network security test evaluation method of claim 7, wherein,
the sending end compares the ciphertext it generated with the received ciphertext; if they match, the instruction has not been tampered with and the instruction source is legitimate; if the sending end finds that the received ciphertext does not match the expected ciphertext, this indicates that the instruction was tampered with or damaged in transmission, or that the instruction source is illegitimate, and corresponding measures are taken, including issuing an alarm or suspending the operation of the smart home device, and uploading the anomaly to the smart home cloud platform.
9. A network security test evaluation system for implementing the method of any one of claims 1 to 8, comprising: a data acquisition module, a data analysis module, a normal behavior classification module, an abnormal behavior clustering module and a security policy adjustment module; wherein,
the data acquisition module is used for collecting various data in the target network system, preprocessing the collected raw data by cleaning, de-duplication and integration, and extracting features related to network security from the data;
the data analysis module is used for analyzing the operating state data of the smart home device, calculating the external operating state index OES of the device from its temperature, humidity and brightness, calculating the internal operating state index ISI of the device from the data traffic and electricity consumption, and then generating the device operating state index OSI;
the normal behavior classification module is used for learning and identifying normal home network behaviors so as to distinguish normal network behaviors from abnormal behaviors; the classifier is a naive Bayesian classifier, which is trained on, and classifies and predicts from, the various data it receives from the home network, including but not limited to network traffic, device state and user behavior;
the abnormal behavior clustering module is used for finding and giving early warning of abnormal network behaviors; it uses the K-means clustering algorithm to perform cluster analysis on network behaviors, groups abnormal network behaviors into the same category, and issues an early warning;
the security policy adjustment module is used for adjusting the security policy of the home network; the security policy is automatically adjusted according to the early warning information and the device state information, including limiting the network access of specific devices and isolating abnormal behaviors.
CN202311600802.1A 2023-11-28 2023-11-28 Network security test evaluation system and method Withdrawn CN117439916A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311600802.1A CN117439916A (en) 2023-11-28 2023-11-28 Network security test evaluation system and method

Publications (1)

Publication Number Publication Date
CN117439916A true CN117439916A (en) 2024-01-23

Family

ID=89549885

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117834311A (en) * 2024-03-06 2024-04-05 成都工业职业技术学院 Malicious behavior identification system for network security
CN117834311B (en) * 2024-03-06 2024-05-14 成都工业职业技术学院 Malicious behavior identification system for network security
CN118018325A (en) * 2024-04-08 2024-05-10 山东捷瑞信息技术产业研究院有限公司 DDoS attack prevention method and system based on artificial intelligence
CN118018325B (en) * 2024-04-08 2024-07-09 山东捷瑞信息技术产业研究院有限公司 DDoS attack prevention method and system based on artificial intelligence
CN118393909A (en) * 2024-04-22 2024-07-26 中国标准化研究院 Intelligent household safety control method and system based on Bayesian algorithm
CN118590321A (en) * 2024-08-05 2024-09-03 网思科技股份有限公司 Network security dynamic test and monitoring method, system and medium in cloud environment
CN118590321B (en) * 2024-08-05 2024-10-11 网思科技股份有限公司 Network security dynamic test and monitoring method, system and medium in cloud environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20240123
