CN110855602B - Internet of things cloud platform event identification method and system - Google Patents
- Publication number
- CN110855602B (CN201810955881.0A)
- Authority
- CN
- China
- Prior art keywords
- cloud platform
- data packet
- internet
- characteristic value
- communication event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention provides an Internet of things cloud platform event identification method and system. The method comprises the following steps: acquiring uplink and/or downlink data packets at a port of an Internet of things cloud platform, and identifying the data packets layer by layer to obtain the application layer protocol corresponding to the data packets; if the application layer protocol is judged to match a target application layer protocol among at least one preset application layer protocol, writing the data packet into a preset class according to a target format corresponding to the target application layer protocol, and reading a characteristic value of the data packet from the preset class; and if the characteristic value is judged to belong to a target characteristic value database among at least one characteristic value database, confirming that the data packet belongs to the cloud platform event corresponding to the target characteristic value database. According to the embodiment of the invention, the characteristic value of a data packet at the port of the Internet of things cloud platform is extracted and the cloud platform event is determined from that characteristic value, so that Internet of things cloud platform events can be accurately identified, which provides a precondition for subsequent methods that address Internet of things security problems.
Description
Technical Field
The embodiment of the invention relates to the field of data analysis of the Internet of things, in particular to an event identification method and system of a cloud platform of the Internet of things.
Background
The internet of things is distributed in various production and living scenes in the world, such as manufacturing, energy exploration and transportation in the industrial field, automatic irrigation, temperature and humidity sensing and state monitoring in the agricultural and animal husbandry field, and various smart home devices, smart security devices, medical health devices and the like in life.
The cloud platforms provide important core nodes for the Internet of things, bear important functions of connecting the user and the Internet of things equipment, and can access the Internet of things equipment information in the intranet to the public network where the user is located. However, once the information of the internet of things is intercepted, a serious data leakage accident is caused, and meanwhile, an attacker can also enter an intranet of the internet of things equipment by using a vulnerability of the cloud platform to implement an attack, so that a serious security problem is caused.
However, as people pay more and more attention to data security, more and more data are transmitted in an encrypted manner, and information of corresponding cloud platform events cannot be directly carried in communication between a cloud platform and a terminal. In a data packet generated in the communication process, any obvious cloud platform event information is difficult to find. In this case, it is very difficult to semantically analyze the packets and identify the cloud platform events to which they correspond.
The prior art has not yet solved the above-mentioned problem. A technology capable of accurately identifying Internet of things cloud platform events is therefore urgently needed, as a precondition for methods that address Internet of things communication security problems, such as subsequent cloud platform behavior modeling, security analysis and potential network threat positioning.
Disclosure of Invention
Embodiments of the present invention provide an internet of things cloud platform event identification method and system that overcome the above problems or at least partially solve the above problems.
In a first aspect, an embodiment of the present invention provides an event identification method for an Internet of things cloud platform, including: acquiring uplink and/or downlink data packets at a port of an Internet of things cloud platform, and identifying the data packets layer by layer to obtain the application layer protocol corresponding to the data packets; if the application layer protocol is judged to match a target application layer protocol among at least one preset application layer protocol, writing the data packet into a preset class according to a target format corresponding to the target application layer protocol, and reading a characteristic value of the data packet from the preset class; and if the characteristic value is judged to belong to a target characteristic value database among at least one characteristic value database, confirming that the data packet belongs to the cloud platform event corresponding to the target characteristic value database.
In a second aspect, an embodiment of the present invention provides an event identification system for a cloud platform of an internet of things, including: the acquisition and identification module is used for acquiring data packets of the Internet of things cloud platform port uplink and/or downlink, and identifying the data packets layer by layer to obtain an application layer protocol corresponding to the data packets; the judging and matching module is used for writing the data packet into a preset class according to a target format corresponding to the target application layer protocol and reading the characteristic value of the data packet from the preset class if the application layer protocol is judged to be matched with the target application layer protocol in at least one preset application layer protocol; and the judgment confirmation module is used for confirming that the data packet belongs to the target cloud platform event corresponding to the target characteristic value database if the characteristic value is judged to belong to the target characteristic value database in at least one characteristic value database.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program that is stored in the memory and is executable on the processor, where the processor implements the steps of the internet of things cloud platform event identification method in the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the internet of things cloud platform event identification method of the first aspect.
According to the embodiment of the invention, the data packets of the cloud platform port of the Internet of things are collected, the corresponding application layer protocols of the data packets are obtained through identification layer by layer, the characteristic values of the data packets matched with the application layer protocols are extracted, and the cloud platform events corresponding to the data packets are finally determined according to the matching results of the characteristic values and the characteristic value database of the corresponding cloud platform events, so that the cloud platform events of the Internet of things can be accurately identified, and the premise guarantee is provided for the method for solving the safety problems of the communication of the Internet of things, such as subsequent cloud platform behavior modeling, safety analysis, potential network threat positioning and the like.
Drawings
Fig. 1 is a schematic flow chart of an event identification method of an internet of things cloud platform according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of collecting traffic data of an internet of things cloud platform according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of extracting feature values of a data packet according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart of an event identification method of an internet of things cloud platform according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an event recognition system of an internet of things cloud platform according to an embodiment of the present invention;
Fig. 6 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
The Internet of things extends the Internet to every corner of the world and closely links everything together. By 2017, the number of connections between Internet of things devices reached billions, a compound annual growth rate of 27% compared with 2016, and the number of connections is estimated to exceed billions in 2021; Internet of things traffic has reached more than 3 megabytes per month, a compound annual growth rate of 49% compared with 2016, and the traffic is expected to exceed 10 megabytes per month in 2021. The cloud platforms provide important core nodes for the Internet of things, bear the important function of connecting the user and the Internet of things devices, and can expose information from Internet of things devices in the intranet to the public network where the user is located. Internet of things devices are large in number, diverse in service and diverse in implementation standard, but unified behavior modeling and anomaly detection can be achieved at the cloud platform port. The first task in achieving this is to accurately identify the events or service interfaces corresponding to cloud platform traffic, such as device registration, information acquisition and data stream updating. After the event type corresponding to each piece of cloud platform data is identified, different events can be modeled, normal behavior can be traced, and attacks and anomalies can be detected. Identifying cloud platform events also reveals the characteristics of the cloud platform and the connected Internet of things devices, so that the functional requirements of the cloud platform can be analyzed in depth and its shortcomings can be improved.
Fig. 1 is a schematic flow chart of an event identification method of an internet of things cloud platform according to an embodiment of the present invention. As shown in fig. 1, the method includes:
Step 103: if the characteristic value is judged to belong to a target characteristic value database in at least one characteristic value database, confirming that the data packet belongs to the cloud platform event corresponding to the target characteristic value database.
Specifically, in step 101, the Internet of things device communicates with the Internet of things cloud platform through a port of the cloud platform, so the communication data between them can be acquired by collecting uplink and/or downlink data packets at that port. The data packet is identified layer by layer: first the Ethernet layer of the data packet is identified to obtain the payload of the Ethernet layer; then the IP layer is identified within the Ethernet payload to obtain the payload of the IP layer; and finally the TCP layer is identified within the IP payload to obtain the application layer protocol of the data packet.
In step 103, at least one characteristic value database is preset, each corresponding to a different cloud platform event. The characteristic value of the data packet is compared with the at least one characteristic value database. If the characteristic value of the data packet belongs to a target characteristic value database in the at least one characteristic value database, the data packet is confirmed to belong to the cloud platform event corresponding to the target characteristic value database. For example, if the feature value of the data packet is a and the feature value database corresponding to cloud platform event 1 is A, then if a ∈ A the data packet corresponds to cloud platform event 1.
According to the embodiment of the invention, the data packets of the cloud platform port of the Internet of things are collected, the corresponding application layer protocols of the data packets are obtained through identification layer by layer, the characteristic values of the data packets matched with the application layer protocols are extracted, and the cloud platform events corresponding to the data packets are finally determined according to the matching results of the characteristic values and the characteristic value database of the corresponding cloud platform events, so that the cloud platform events of the Internet of things can be accurately identified, and the premise guarantee is provided for the method for solving the safety problems of the communication of the Internet of things, such as subsequent cloud platform behavior modeling, safety analysis, potential network threat positioning and the like.
On the basis of the above embodiments, as an optional embodiment, collecting uplink and/or downlink data packets at an Internet of things cloud platform port includes: collecting uplink and/or downlink traffic data of the port of the Internet of things cloud platform to obtain a text file of the traffic data; and carrying out binary conversion on the text file to obtain a data packet.
Specifically, Table 1 shows the format of the raw traffic data. As shown in Table 1, the raw traffic data includes the source IP, the destination IP, other IP packet header fields, and the TCP/UDP packet. The source port and the destination port of the raw traffic data are obtained by identifying its Ethernet layer, IP layer and TCP layer in turn. The transport layer protocol of the raw traffic data is labelled as TCP and combined with the source IP and destination IP to obtain five-tuple traffic data comprising the source IP, the destination IP, the TCP protocol, the source port and the destination port. In addition, the arrival timestamp of the traffic data packet and the payload of the Ethernet layer are added to obtain the text file of the traffic data. Binary conversion is carried out on the text file of the traffic data, and the data packet is obtained by combining it with information such as the timestamp in the text file.
Table 1: Raw traffic data format
| Source IP | Destination IP | Other IP data packet header fields | TCP/UDP data packet |
According to the embodiment of the invention, the uplink and/or downlink data traffic of the port of the Internet of things cloud platform is collected in text form, and the corresponding data packets are recovered through binary conversion, which lays a foundation for the subsequent identification of cloud platform events.
On the basis of the above embodiment, as an alternative embodiment, the data packet includes a source IP and a destination IP; correspondingly, after collecting the uplink and/or downlink data packets at the port of the Internet of things cloud platform, the method further comprises: acquiring cloud platform basic information and node position information of the Internet of things cloud platform according to the source IP and the destination IP of the data packet.
Specifically, the source IP and destination IP can be obtained from the data packet, and the platform to which they belong can be identified by comparing them with the IP address databases of the Internet of things cloud platforms. For example, suppose there are $N$ Internet of things cloud platforms, the source IP is $IP_{src}$, the destination IP is $IP_{dst}$, and the IP address database corresponding to cloud platform $n$ is $IPDB_n$ ($n = 1, 2, \ldots, N$); then:

    for n = 1 to N
        if (IP_src ∈ IPDB_n || IP_dst ∈ IPDB_n)
            then IoT-Platform-flag = n

In this way the position of the Internet of things cloud platform to which the data packet belongs can be determined. After the position of the Internet of things cloud platform is determined, basic information of the corresponding cloud platform, for example the name of the cloud platform, can be obtained by querying the filing information of that platform.
After the positions of the cloud platforms of the internet of things to which the data packets belong are determined, it is known that one of a source IP and a destination IP of each data packet is a cloud platform server IP, and the other is a node IP of the cloud platform. Comparing the source IP and the destination IP of each data packet with the IP database of the cloud platform server to determine the IP of the cloud platform server, thereby determining the node IP of the cloud platform. And determining the node position information of the node IP of the cloud platform by inquiring the IP node position database, namely obtaining the node position information of the cloud platform.
According to the embodiment of the invention, the source IP and the destination IP of the data packet are analyzed to obtain the cloud platform basic information and the node position information of the Internet of things cloud platform corresponding to the data packet.
On the basis of the above embodiment, as an optional embodiment, collecting uplink and/or downlink traffic data of an Internet of things cloud platform port to obtain a text file of the traffic data includes: collecting uplink and/or downlink traffic data of the port of the Internet of things cloud platform; obtaining an IP address database of the Internet of things cloud platform through DNS (domain name system) resolution of the traffic data; and filtering the uplink and downlink traffic data by using the IP address database to obtain the text file of the traffic data.
Specifically, Fig. 2 is a schematic flow chart of collecting traffic data of an Internet of things cloud platform according to an embodiment of the present invention. As shown in Fig. 2, uplink and/or downlink traffic data of a port of the Internet of things cloud platform is acquired first, and the acquired traffic data is then filtered. The IP address database of the Internet of things cloud platform is obtained through DNS resolution and used as a filter on the acquired traffic: traffic data whose addresses do not belong to the IP address database of the Internet of things cloud platform is filtered out, and the text file of the traffic data is finally obtained. The Internet of things cloud platform address database and the filter are updated continuously.
According to the embodiment of the invention, the acquired flow data is filtered by the IP address database of the cloud platform of the Internet of things through DNS analysis of the flow data, so that the flow data meeting the conditions can be screened out.
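The DNS-derived filter and the IoT-Platform-flag loop described above can be sketched as follows. This is an added example, not code from the patent; the domain suffixes, DNS answers, addresses, the `uplink`/`downlink` labels and the handling of flows where both ends are platform servers are all constructed assumptions.

```python
import ipaddress

# Hypothetical platform domain suffixes; the key n is the IoT-Platform-flag.
PLATFORM_DOMAINS = {1: "platform-a.example", 2: "platform-b.example"}

# Constructed DNS answers (queried name, A record) as seen in captured traffic.
DNS_ANSWERS = [
    ("mqtt.platform-a.example", "203.0.113.10"),
    ("api.platform-a.example", "203.0.113.11"),
    ("broker.platform-b.example", "198.51.100.20"),
    ("notplatform-a.example", "192.0.2.50"),   # lookalike, must not match
    ("www.unrelated.example", "192.0.2.99"),
]


def build_ipdb(dns_answers, platform_domains):
    """Build IPDB_n for each platform n from DNS answers.

    Names are matched on a label boundary, so a lookalike such as
    'notplatform-a.example' is not attributed to 'platform-a.example'.
    """
    ipdb = {n: set() for n in platform_domains}
    for name, addr in dns_answers:
        name = name.rstrip(".").lower()
        for n, suffix in platform_domains.items():
            if name == suffix or name.endswith("." + suffix):
                ipdb[n].add(ipaddress.ip_address(addr))
    return ipdb


def attribute(src, dst, ipdb):
    """Return platform flag, server IP and node IP for one flow, or None.

    None means neither address is in any IPDB_n, i.e. the flow is filtered out.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n in sorted(ipdb):
        s_hit, d_hit = s in ipdb[n], d in ipdb[n]
        if not (s_hit or d_hit):
            continue
        if s_hit and d_hit:
            # Both ends are platform servers: no device node in this flow.
            return {"platform": n, "server": str(d), "node": None,
                    "direction": "internal"}
        if d_hit:   # node -> platform server
            return {"platform": n, "server": str(d), "node": str(s),
                    "direction": "uplink"}
        return {"platform": n, "server": str(s), "node": str(d),
                "direction": "downlink"}
    return None


def filter_flows(flows, ipdb):
    """Keep only flows that touch a known platform address, with attribution."""
    kept = []
    for src, dst in flows:
        info = attribute(src, dst, ipdb)
        if info is not None:
            kept.append(((src, dst), info))
    return kept


IPDB = build_ipdb(DNS_ANSWERS, PLATFORM_DOMAINS)
```

Because the filter is only as good as the DNS answers it was built from, the address database has to be rebuilt as new answers are observed, which is the continuous update the text calls for.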
On the basis of the above embodiment, as an optional embodiment, the cloud platform event includes: a cloud platform interface communication event and a cloud platform service communication event; correspondingly, if the characteristic value is judged to belong to the target characteristic value database in at least one characteristic value database, confirming that the data packet belongs to the cloud platform event corresponding to the target characteristic value database includes: if the characteristic value is judged to belong to the characteristic value database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the characteristic value is judged to belong to the characteristic value database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event.
Specifically, the cloud platform event comprises a cloud platform interface communication event and a cloud platform service communication event. The cloud platform interface communication event comprises: a device information query interface, a device information updating interface, a device information deleting interface, a device registering interface, a data flow information acquiring interface, a data flow updating interface, a data flow deleting interface, a state query interface, a state updating interface, a state deleting interface and the like. The cloud platform service communication event comprises: equipment access, equipment management, data acquisition, state management, basic information, infrastructure, intelligent gateways, data management, data analysis, fault maintenance, and the like.
And establishing at least one corresponding characteristic value database for the cloud platform interface communication event. And comparing the characteristic value of the data packet with a corresponding characteristic value database established by the cloud platform interface communication event, and if the characteristic value belongs to a target characteristic value database in at least one characteristic value database, confirming that the data packet belongs to the cloud platform interface communication event corresponding to the target characteristic value database.
Similarly, at least one corresponding characteristic value database is established for the cloud platform service communication event. The characteristic value of the data packet is compared with the characteristic value databases established for the cloud platform service communication event, and if the characteristic value belongs to a target characteristic value database in at least one characteristic value database, the data packet is confirmed to belong to the cloud platform service communication event corresponding to the target characteristic value database.
According to the embodiment of the invention, at least one corresponding characteristic value database is established for the cloud platform interface communication event and the cloud platform service communication event respectively, and the cloud platform interface communication event and the cloud platform service communication event are determined by comparing the characteristic value of the data packet with the corresponding characteristic value database.
On the basis of the above embodiment, as an alternative embodiment, the characteristic value includes: keyword and message type information; if the characteristic value is judged to belong to the characteristic value database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or, if the characteristic value is judged to belong to the characteristic value database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event, including: if the data comprises message type information, judging the message type information; if the obtained message type information is judged to belong to a message type information database of the cloud platform interface communication event, and the keyword belongs to a keyword database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the acquired message type information belongs to a message type information database of the cloud platform service communication event and the keyword belongs to a keyword database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event; if the data packet does not contain the message type information, directly judging the keywords; if the keyword is judged to belong to the keyword database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the keyword is judged to belong to the keyword database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event.
Specifically, the feature value includes a keyword stored in the form of a character string and message type information stored in the form of a character string. Fig. 3 is a schematic flowchart of a process of extracting feature values of a data packet according to an embodiment of the present invention. As shown in Fig. 3, the data packet is identified layer by layer in the order Ethernet layer, IP layer, TCP layer, and finally the application layer protocol of the data packet is identified; a data packet that matches a preset application layer protocol is written into the predefined class according to the target format corresponding to the target application layer protocol. Because the data packet in the preset class is laid out according to the target format of the target application layer protocol, the corresponding fields can be read directly from the class and stored as character strings, which yields the keyword and/or message type information. For example, for the three publish/subscribe message transmission protocols MQTT, DDS and AMQP, the key field of the corresponding data packet is read directly and stored as a character string to obtain the keyword. For the MQTT protocol, the Msgtype field of the corresponding data packet is read directly and stored as a character string to obtain the message type information.
If the data packet contains message type information, the message type information of the data packet is judged first. At least one corresponding message type information database is established for the cloud platform interface communication event. The message type information of the data packet is compared with the message type information databases established for the cloud platform interface communication event; if it belongs to a target message type information database among them, the data packet may belong to the cloud platform interface communication event corresponding to that target message type information database. The keyword of the data packet is then judged. At least one corresponding keyword database is established for the cloud platform interface communication event. The keyword of the data packet is compared with the keyword databases established for the cloud platform interface communication event; if the keyword belongs to a target keyword database among them, the data packet is determined to belong to the cloud platform interface communication event corresponding to that target keyword database. Alternatively, at least one corresponding message type information database is established for the cloud platform service communication event. The message type information of the data packet is compared with the message type information databases established for the cloud platform service communication event; if it belongs to a target message type information database among them, the data packet may belong to the cloud platform service communication event corresponding to that target message type information database. The keyword of the data packet is then judged. At least one corresponding keyword database is established for the cloud platform service communication event. The keyword of the data packet is compared with the keyword databases established for the cloud platform service communication event; if the keyword belongs to a target keyword database among them, the data packet is determined to belong to the cloud platform service communication event corresponding to that target keyword database.
If the data packet does not contain message type information, the keyword of the data packet is judged directly. At least one corresponding keyword database is established for the cloud platform interface communication event. The keyword of the data packet is compared with the keyword databases established for the cloud platform interface communication event; if the keyword belongs to a target keyword database among them, the data packet is determined to belong to the cloud platform interface communication event corresponding to that target keyword database. Alternatively, at least one corresponding keyword database is established for the cloud platform service communication event. The keyword of the data packet is compared with the keyword databases established for the cloud platform service communication event; if the keyword belongs to a target keyword database among them, the data packet is determined to belong to the cloud platform service communication event corresponding to that target keyword database.
The cloud platform event to which a data packet belongs is thus determined from the keyword and the message type information of the data packet. A data packet that carries both message type information and a keyword is first screened against the message type information database, and the keyword database is then used to judge the cloud platform event to which the data packet belongs.
On the basis of the above embodiment, as an optional embodiment, the cloud platform basic information, the node position information, the cloud platform interface communication events and the cloud platform service communication events of the Internet of things cloud platform are counted, and the cloud platform basic information, the node position information, the cloud platform interface communication events and the cloud platform service communication events are updated at regular intervals.
Specifically, the cloud platform basic information, node position information, cloud platform interface communication event and cloud platform service communication event of the Internet of things cloud platform corresponding to each data packet are attached to that data packet as labels. The number of each kind of cloud platform basic information, each kind of node position information, each kind of cloud platform interface communication event and each kind of cloud platform service communication event of the Internet of things cloud platform is then counted, for example by using Spark to compute the statistics. The counts of each kind of cloud platform basic information, node position information, cloud platform interface communication event and cloud platform service communication event of the Internet of things cloud platform are updated in batches; for example, taking one day as the unit, at 24:00 each day the counts for the preceding day, from 24:00 to 24:00, are updated in a batch.
According to the embodiment of the invention, the cloud platform basic information, the node position information, the cloud platform interface communication event and the cloud platform service communication event of the cloud platform of the Internet of things are counted and updated, so that the cloud platform event of the Internet of things and the like can be managed conveniently.
Fig. 4 is a schematic flowchart of an Internet of things cloud platform event identification method according to a specific embodiment of the present invention. As shown in Fig. 4, the data packet is analyzed to obtain its source IP and destination IP, and the source IP and destination IP are compared with the IP address database of the Internet of things cloud platform, so that the location of the platform to which the source IP and destination IP belong can be identified. After the position of the Internet of things cloud platform is determined, the basic information of the corresponding cloud platform can be obtained by querying the filing information of that Internet of things cloud platform. At the same time, after the position of the Internet of things cloud platform to which the data packet belongs is determined, the source IP and the destination IP of the data packet are compared with the IP database of the cloud platform servers to determine the IP of the cloud platform server: one of the source IP and the destination IP of the data packet is the IP of the cloud platform server, and the other is the IP of a cloud platform node. The node position information of the cloud platform is determined by querying the node position database with the node IP.
The application layer protocol of the data packet is identified, and the message type information and keyword of the data packet are extracted. If the data packet contains message type information, the message type information of the data packet is compared with the message type information database of the cloud platform interface communication event or the message type information database of the cloud platform service communication event. The keyword of the data packet is judged only when the message type information of the data packet belongs to the message type information database of the cloud platform interface communication event or to the message type information database of the cloud platform service communication event. When the keyword of the data packet then belongs to the keyword database of the cloud platform interface communication event or to the keyword database of the cloud platform service communication event, the data packet is correspondingly determined to belong to the cloud platform interface communication event or the cloud platform service communication event.
If the data packet does not contain message type information, the keyword of the data packet is judged directly. When the keyword of the data packet belongs to the keyword database of the cloud platform interface communication event or to the keyword database of the cloud platform service communication event, the data packet can be correspondingly determined to belong to the cloud platform interface communication event or the cloud platform service communication event.
The cloud platform basic information, node position information, cloud platform interface communication event and cloud platform service communication event of the Internet of things cloud platform corresponding to each data packet are attached to that data packet as labels. The number of each kind of cloud platform basic information, node position information, cloud platform interface communication event and cloud platform service communication event is counted and updated in batches at regular intervals.
According to the embodiment of the invention, the data packets of the Internet of things cloud platform port are identified layer by layer to obtain their application layer protocol, and the keyword and message type information are extracted from the data packets whose application layer protocol matches a preset application layer protocol. The cloud platform interface communication event or cloud platform service communication event corresponding to each data packet is finally determined by matching the keyword and the message type information against the keyword database and the message type information database of the corresponding cloud platform interface communication event or cloud platform service communication event. Internet of things cloud platform events can therefore be identified accurately, which provides the precondition for subsequent methods that address the security of Internet of things communication, such as cloud platform behavior modeling, security analysis and locating potential network threats.
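The flow of Figs. 3 and 4 for one protocol (layer-by-layer identification, reading the features from the preset class, then message type screening followed by keyword matching), as an added example that is not code from the patent. Assumptions: MQTT is recognised by TCP port 1883, the MQTT topic serves as the keyword, and the database contents, event labels, helper names and sample frames are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MQTT_PORT = 1883  # assumption: MQTT is recognised by its registered TCP port
MQTT_TYPES = dict(enumerate(
    "CONNECT CONNACK PUBLISH PUBACK PUBREC PUBREL PUBCOMP SUBSCRIBE SUBACK "
    "UNSUBSCRIBE UNSUBACK PINGREQ PINGRESP DISCONNECT".split(), start=1))

# Constructed characteristic value databases, one pair per cloud platform event.
MSGTYPE_DB = {"interface": {"CONNECT", "SUBSCRIBE"}, "service": {"PUBLISH"}}
KEYWORD_DB = {"interface": {"device/register"}, "service": {"sensor/temperature"}}

@dataclass
class PacketRecord:
    """Stand-in for the 'preset class': every feature is kept as a string."""
    src_ip: str
    dst_ip: str
    msgtype: Optional[str]   # None for protocols without a message type field
    keyword: Optional[str]

def remaining_length(buf, pos):
    """Decode MQTT's variable-length size field; return (value, next_pos)."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            break
        value |= (buf[pos] & 0x7F) << shift
        pos += 1
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("bad MQTT remaining length")

def parse_mqtt(payload):
    """Return (msgtype, keyword) for one MQTT 3.1.1 control packet."""
    msgtype = MQTT_TYPES.get(payload[0] >> 4) if payload else None
    if msgtype is None:
        raise ValueError("not an MQTT control packet")
    length, pos = remaining_length(payload, 1)
    body = payload[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated MQTT body")
    if msgtype == "SUBSCRIBE":
        body = body[2:]              # skip the packet identifier
    elif msgtype != "PUBLISH":
        return msgtype, None         # no topic in this packet type
    tlen = int.from_bytes(body[:2], "big")
    topic = body[2:2 + tlen]
    if len(body) < 2 or len(topic) != tlen:
        raise ValueError("truncated topic")
    return msgtype, topic.decode("utf-8", errors="replace")

def identify(frame):
    """Peel Ethernet, IPv4 and TCP in turn; return a PacketRecord or None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None                  # not IPv4 over Ethernet
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None                  # not IPv4 carrying TCP
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    if ihl < 20 or len(tcp) < 20 or (tcp[12] >> 4) * 4 < 20:
        return None                  # malformed header lengths
    sport, dport = struct.unpack("!HH", tcp[:4])
    if MQTT_PORT not in (sport, dport):
        return None                  # not a preset application layer protocol
    try:
        msgtype, keyword = parse_mqtt(tcp[(tcp[12] >> 4) * 4:])
    except ValueError:
        return None
    return PacketRecord(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                        msgtype, keyword)

def classify(rec):
    """Message type screens first (when present); the keyword then decides."""
    for event in ("interface", "service"):
        if rec.msgtype is not None and rec.msgtype not in MSGTYPE_DB[event]:
            continue
        if rec.keyword in KEYWORD_DB[event]:
            return event
    return None

def sample_frame(dport, type_code, flags, topic, packet_id=None):
    """Constructed Ethernet/IPv4/TCP frame (zero checksums) with one MQTT packet."""
    t = topic.encode()
    body = struct.pack("!H", len(t)) + t
    if packet_id is not None:        # SUBSCRIBE: packet id first, QoS byte last
        body = struct.pack("!H", packet_id) + body + b"\x00"
    mqtt = bytes([type_code << 4 | flags, len(body)]) + body   # body < 128 bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(mqtt), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return bytes(12) + b"\x08\x00" + ip + tcp + mqtt

if __name__ == "__main__":
    for args in ((3, 0, "sensor/temperature"), (8, 2, "device/register", 1)):
        rec = identify(sample_frame(1883, *args))
        print(rec, "->", classify(rec))
```

A PUBLISH that carries an interface keyword is left unclassified, because the message type database screens it out before the keyword is consulted; a record without message type information falls through to the keyword databases directly.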
Fig. 5 is a schematic structural diagram of an Internet of things cloud platform event identification system according to an embodiment of the present invention. As shown in Fig. 5, the system includes an acquisition and identification module 501, a judging and matching module 502 and a judgment and confirmation module 503. The acquisition and identification module 501 is configured to acquire uplink and/or downlink data packets of an Internet of things cloud platform port and to identify the data packets layer by layer to obtain the application layer protocol corresponding to the data packets; the judging and matching module 502 is configured to, if it is judged that the application layer protocol matches a target application layer protocol in at least one preset application layer protocol, write the data packet into a preset class according to a target format corresponding to the target application layer protocol, and read a characteristic value of the data packet from the preset class; the judgment and confirmation module 503 is configured to confirm that the data packet belongs to a target cloud platform event corresponding to the target characteristic value database if it is judged that the acquired characteristic value belongs to the target characteristic value database in the at least one characteristic value database.
Specifically, the Internet of things device communicates with the Internet of things cloud platform through the Internet of things cloud platform port, and the acquisition and identification module 501 acquires the uplink and/or downlink data packets of that port, so that the communication data between the Internet of things device and the Internet of things cloud platform can be obtained. The acquisition and identification module 501 identifies the data packet layer by layer: it first identifies the Ethernet layer of the data packet to obtain the payload of the Ethernet layer; it then identifies the IP layer in the payload of the Ethernet layer to obtain the payload of the IP layer; finally, it identifies the TCP layer in the payload of the IP layer to obtain the corresponding application layer protocol in the data packet.
At least one preset application layer protocol is set in advance, for example the Message Queuing Telemetry Transport (MQTT) protocol, the Data Distribution Service for Real-Time Systems (DDS) protocol, and the Advanced Message Queuing Protocol (AMQP). The judging and matching module 502 compares the application layer protocol of the data packet with the at least one preset application layer protocol. If the application layer protocol of the data packet matches a target preset application layer protocol in the at least one preset application layer protocol, the data packet is written into a preset class according to the target format corresponding to the target application layer protocol, such as the MQTT format. The preset class is a storage unit for storing the data packets that meet the matching condition. The judging and matching module 502 then reads the characteristic values of the stored data packets from the preset class. A characteristic value is a value in the data packet that characterizes the cloud platform event to which the data packet corresponds.
At least one characteristic value database corresponding to different cloud platform events is set in advance. The judgment and confirmation module 503 compares the characteristic value of the data packet with the at least one characteristic value database. If the characteristic value of the data packet belongs to the target characteristic value database in the at least one characteristic value database, the judgment and confirmation module 503 confirms that the data packet belongs to the cloud platform event corresponding to the target characteristic value database. For example, if the characteristic value of the data packet is a, the characteristic value database corresponding to cloud platform event 1 is A, and a belongs to A, then the data packet corresponds to cloud platform event 1.
According to the embodiment of the invention, the acquisition and identification module acquires the data packets of the Internet of things cloud platform port and identifies them layer by layer to obtain their application layer protocol; the judging and matching module extracts the characteristic values of the data packets whose application layer protocol matches a preset application layer protocol; and the judgment and confirmation module finally determines the cloud platform event corresponding to each data packet by matching the characteristic values against the characteristic value database of the corresponding cloud platform event. Internet of things cloud platform events can therefore be identified accurately, which provides the precondition for subsequent methods that address the security of Internet of things communication, such as cloud platform behavior modeling, security analysis and locating potential network threats.
On the basis of the foregoing embodiment, as an optional embodiment, the acquiring and identifying module 501 is configured to acquire data packets of an internet of things cloud platform port uplink and/or downlink, and includes: the acquisition and identification module 501 is used for acquiring uplink and/or downlink traffic data of a port of the cloud platform of the internet of things to obtain a text file of the traffic data; the acquisition and identification module 501 is configured to perform binary conversion on the text file to obtain a data packet.
On the basis of the foregoing embodiment, as an optional embodiment, the data packet includes a source IP and a destination IP, and the judgment and confirmation module 503 is configured to obtain the cloud platform basic information and the node position information of the Internet of things cloud platform according to the source IP and the destination IP of the data packet.
On the basis of the foregoing embodiment, as an optional embodiment, the acquisition and identification module 501 being configured to acquire uplink and/or downlink traffic data of an Internet of things cloud platform port and obtain a text file of the traffic data includes: the acquisition and identification module 501 is configured to acquire uplink and/or downlink traffic data of the Internet of things cloud platform port; the acquisition and identification module 501 is configured to analyze the traffic data through DNS to obtain an IP address database of the Internet of things cloud platform; the acquisition and identification module 501 is configured to filter the uplink and downlink traffic data by using the IP address database to obtain a text file of the traffic data.
On the basis of the above embodiment, as an optional embodiment, the cloud platform event includes a cloud platform interface communication event and a cloud platform service communication event. The judgment and confirmation module 503 being configured to confirm that the data packet belongs to a cloud platform event corresponding to the target characteristic value database if it is judged that the characteristic value belongs to the target characteristic value database in the at least one characteristic value database includes: the judgment and confirmation module 503 is configured to determine that the data packet belongs to the cloud platform interface communication event if it is judged that the characteristic value belongs to the characteristic value database of the cloud platform interface communication event; or, the judgment and confirmation module 503 is configured to determine that the data packet belongs to the cloud platform service communication event if it is judged that the characteristic value belongs to the characteristic value database of the cloud platform service communication event.
On the basis of the above embodiment, as an optional embodiment, the characteristic value includes a keyword and message type information. The judgment and confirmation module 503 being configured to determine that the data packet belongs to the cloud platform interface communication event if it is judged that the characteristic value belongs to the characteristic value database of the cloud platform interface communication event, or to determine that the data packet belongs to the cloud platform service communication event if it is judged that the characteristic value belongs to the characteristic value database of the cloud platform service communication event, includes: if the data packet contains the message type information, the judgment and confirmation module 503 first judges the message type information; if the acquired message type information is judged to belong to the message type information database of the cloud platform interface communication event and the keyword belongs to the keyword database of the cloud platform interface communication event, the judgment and confirmation module 503 determines that the data packet belongs to the cloud platform interface communication event; or, if the acquired message type information is judged to belong to the message type information database of the cloud platform service communication event and the keyword belongs to the keyword database of the cloud platform service communication event, the judgment and confirmation module 503 determines that the data packet belongs to the cloud platform service communication event; if the data packet does not contain the message type information, the judgment and confirmation module 503 judges the keyword directly; if the keyword is judged to belong to the keyword database of the cloud platform interface communication event, the judgment and confirmation module 503 determines that the data packet belongs to the cloud platform interface communication event; or, if the keyword is judged to belong to the keyword database of the cloud platform service communication event, the judgment and confirmation module 503 determines that the data packet belongs to the cloud platform service communication event.
On the basis of the foregoing embodiment, as an optional embodiment, the judgment and confirmation module 503 is further configured to count the cloud platform basic information, node position information, cloud platform interface communication events and cloud platform service communication events of the Internet of things cloud platform, and to update the cloud platform basic information, the node position information, the cloud platform interface communication events and the cloud platform service communication events at regular intervals.
Fig. 6 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 6, the electronic device may include: a processor 610, a communication interface 620, a memory 630 and a bus 640, wherein the processor 610, the communication interface 620 and the memory 630 communicate with each other through the bus 640. The communication interface 620 may be used for information transmission between the Internet of things cloud platform event identification system and the electronic device. The processor 610 may call logic instructions in the memory 630 to perform the following method: acquiring uplink and/or downlink data packets of an Internet of things cloud platform port, and identifying the data packets layer by layer to obtain the corresponding application layer protocol in the data packets; if the application layer protocol is judged to match a target application layer protocol in at least one preset application layer protocol, writing the data packet into a preset class according to a target format corresponding to the target application layer protocol, and reading a characteristic value of the data packet from the preset class; and if the characteristic value is judged to belong to the target characteristic value database in at least one characteristic value database, confirming that the data packet belongs to the cloud platform event corresponding to the target characteristic value database.
In addition, the logic instructions in the memory 630 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
An embodiment of the present invention provides a non-transitory computer-readable storage medium that stores computer instructions, and the computer instructions cause a computer to execute the Internet of things cloud platform event identification method provided in the foregoing embodiments, for example: acquiring uplink and/or downlink data packets of an Internet of things cloud platform port, and identifying the data packets layer by layer to obtain the corresponding application layer protocol in the data packets; if the application layer protocol is judged to match a target application layer protocol in at least one preset application layer protocol, writing the data packet into a preset class according to a target format corresponding to the target application layer protocol, and reading a characteristic value of the data packet from the preset class; and if the characteristic value is judged to belong to the target characteristic value database in at least one characteristic value database, confirming that the data packet belongs to the cloud platform event corresponding to the target characteristic value database.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (7)
1. An Internet of things cloud platform event identification method is characterized by comprising the following steps:
acquiring data packets of an Internet of things cloud platform port uplink and/or downlink, and identifying the data packets layer by layer to obtain an application layer protocol corresponding to the data packets;
if the application layer protocol is judged to be matched with a target application layer protocol in at least one preset application layer protocol, writing the data packet into a preset class according to a target format corresponding to the target application layer protocol, and reading a characteristic value of the data packet from the preset class;
if the characteristic value is judged to belong to a target characteristic value database in at least one characteristic value database, confirming that the data packet belongs to a cloud platform event corresponding to the target characteristic value database;
the data packet comprises a source IP and a destination IP;
correspondingly, after the acquiring of the uplink and/or downlink data packets of the Internet of things cloud platform port, the method further comprises: acquiring cloud platform basic information and node position information of the Internet of things cloud platform according to the source IP and the destination IP of the data packet;
the cloud platform event comprises: a cloud platform interface communication event and a cloud platform service communication event; the characteristic value comprises: a keyword and message type information;
correspondingly, if it is determined that the characteristic value belongs to a target characteristic value database in at least one characteristic value database, determining that the data packet belongs to a cloud platform event corresponding to the target characteristic value database, including:
if the data packet contains the message type information, judging the message type information; if the message type information is judged to belong to the message type information database of the cloud platform interface communication event and the keyword belongs to the keyword database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the message type information is judged to belong to the message type information database of the cloud platform service communication event and the keyword belongs to the keyword database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event;
if the data packet does not contain the message type information, directly judging the keywords; if the keyword is judged to belong to the keyword database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the keyword is judged to belong to the keyword database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event.
2. The internet of things cloud platform event identification method according to claim 1, wherein the collecting internet of things cloud platform port uplink and/or downlink data packets comprises:
collecting uplink and/or downlink flow data of a port of the cloud platform of the Internet of things to obtain a text file of the flow data;
and carrying out binary conversion on the text file to obtain the data packet.
3. The internet of things cloud platform event identification method according to claim 2, wherein the acquiring traffic data of the internet of things cloud platform port uplink and/or downlink to obtain a text file of the traffic data comprises:
collecting uplink and/or downlink flow data of the port of the cloud platform of the Internet of things;
analyzing the flow data through a DNS (domain name system) to obtain an IP (Internet protocol) address database of the cloud platform of the Internet of things;
and filtering the uplink and downlink flow data by using the IP address database to obtain a text file of the flow data.
4. The Internet of things cloud platform event identification method according to claim 1, further comprising:
and counting the cloud platform basic information, the node position information, the cloud platform interface communication event and the cloud platform service communication event of the Internet of things cloud platform, and updating the cloud platform basic information, the node position information, the cloud platform service communication event and the cloud platform service communication event at regular time.
5. An Internet of things cloud platform event identification system, characterized by comprising:
an acquisition and identification module, configured to acquire uplink and/or downlink data packets of an Internet of things cloud platform port, wherein the data packet comprises a source IP and a destination IP, to acquire cloud platform basic information and node position information of the Internet of things cloud platform according to the source IP and the destination IP of the data packet, and to identify the data packets layer by layer to obtain an application layer protocol corresponding to the data packets;
the judging and matching module is used for writing the data packet into a preset class according to a target format corresponding to the target application layer protocol and reading a characteristic value of the data packet from the preset class if the application layer protocol is judged to be matched with a target application layer protocol in at least one preset application layer protocol;
the judgment confirmation module is used for confirming that the data packet belongs to a target cloud platform event corresponding to the target characteristic value database if the characteristic value is judged to belong to a target characteristic value database in at least one characteristic value database; the cloud platform event comprises: a cloud platform interface communication event and a cloud platform service communication event; the characteristic value comprises: a keyword and message type information; if the data packet contains the message type information, judging the message type information; if the message type information is judged to belong to the message type information database of the cloud platform interface communication event and the keyword belongs to the keyword database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the message type information is judged to belong to the message type information database of the cloud platform service communication event and the keyword belongs to the keyword database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event; if the data packet does not contain the message type information, directly judging the keywords; if the keyword is judged to belong to the keyword database of the cloud platform interface communication event, determining that the data packet belongs to the cloud platform interface communication event; or if the keyword is judged to belong to the keyword database of the cloud platform service communication event, determining that the data packet belongs to the cloud platform service communication event.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps of the internet of things cloud platform event recognition method according to any one of claims 1 to 4.
7. A non-transitory computer readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the internet of things cloud platform event identification method according to any one of claims 1 to 4.
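The decision logic of the judging and matching module and the judgment confirmation module in claim 5, as an added Python example that is not code from the patent. The MQTT and HTTP parsers, the database entries and every name below are assumptions chosen for illustration; the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MQTT_TYPES = {1: "CONNECT", 3: "PUBLISH", 8: "SUBSCRIBE"}  # MQTT control packet types
# Constructed characteristic value databases; the patent does not list their entries.
EVENT_DBS = {
    "interface": {"msg_types": {"CONNECT", "SUBSCRIBE"},
                  "keywords": {"register", "/v1/devices/register"}},
    "service": {"msg_types": {"PUBLISH"}, "keywords": {"telemetry"}},
}

@dataclass
class PacketRecord:  # stands in for the "preset class" the packet is written into
    protocol: str
    msg_type: Optional[str]  # None when the protocol carries no message type
    keyword: str

def parse_mqtt(raw: bytes) -> PacketRecord:
    """Read the type nibble and, for PUBLISH, the last topic level as keyword.
    Assumes the remaining-length field fits in one byte."""
    ptype = MQTT_TYPES.get(raw[0] >> 4, "UNKNOWN") if raw else "UNKNOWN"
    if ptype != "PUBLISH" or len(raw) < 4:
        return PacketRecord("mqtt", ptype, "")
    topic_len = int.from_bytes(raw[2:4], "big")
    topic = raw[4:4 + topic_len].decode("utf-8", "replace")
    return PacketRecord("mqtt", ptype, topic.rsplit("/", 1)[-1])

def parse_http(raw: bytes) -> PacketRecord:
    """Treated here as a protocol without message type; keyword is the path."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    path = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
    return PacketRecord("http", None, path)

PARSERS = {"mqtt": parse_mqtt, "http": parse_http}  # preset application layer protocols

def classify(protocol: str, raw: bytes) -> Optional[str]:
    parser = PARSERS.get(protocol)
    if parser is None:
        return None  # protocol matches none of the preset protocols
    rec = parser(raw)
    for event, db in EVENT_DBS.items():
        if rec.keyword not in db["keywords"]:
            continue
        # With a message type present, it must fall in the same event's database.
        if rec.msg_type is None or rec.msg_type in db["msg_types"]:
            return event
    return None

def mqtt_publish(topic: str, payload: bytes) -> bytes:  # builds constructed samples
    body = len(topic).to_bytes(2, "big") + topic.encode() + payload
    return bytes([0x30, len(body)]) + body
```

A PUBLISH whose keyword sits in the interface database is left unclassified, because the claim requires message type and keyword to match the same event's databases whenever a message type is present.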
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810955881.0A CN110855602B (en) | 2018-08-21 | 2018-08-21 | Internet of things cloud platform event identification method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810955881.0A CN110855602B (en) | 2018-08-21 | 2018-08-21 | Internet of things cloud platform event identification method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110855602A (en) | 2020-02-28 |
CN110855602B (en) | 2022-02-25 |
Family
ID=69595745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810955881.0A Active CN110855602B (en) | 2018-08-21 | 2018-08-21 | Internet of things cloud platform event identification method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110855602B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109067762B (en) * | 2018-08-29 | 2020-10-27 | 深信服科技股份有限公司 | Identification method, device and equipment of Internet of things equipment |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20020049462A (en) * | 2000-12-19 | 2002-06-26 | 노병희 | A method and system for distinguishing higher layer protocols of the internet traffic |
CN103067360A (en) * | 2012-12-18 | 2013-04-24 | 北京奇虎科技有限公司 | Method and system for procedure network behavior identification |
CN104320304A (en) * | 2014-11-04 | 2015-01-28 | 武汉虹信技术服务有限责任公司 | Multimode integration core network user traffic application identification method easy to expand |
CN104348677A (en) * | 2013-08-05 | 2015-02-11 | 华为技术有限公司 | Deep packet inspection method and equipment and coprocessor |
CN105162626A (en) * | 2015-08-20 | 2015-12-16 | 西安工程大学 | Network traffic depth identification system and method based on many-core processor |
CN107181736A (en) * | 2017-04-21 | 2017-09-19 | 湖北微源卓越科技有限公司 | Based on 7 layers of network data packet classification method applied and system |
CN107888605A (en) * | 2017-11-27 | 2018-04-06 | 国家计算机网络与信息安全管理中心 | A kind of Internet of Things cloud platform traffic security analysis method and system |
Also Published As
Publication number | Publication date |
---|---|
CN110855602A (en) | 2020-02-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||