US 12,069,481 B2
KNN-based 6LoWPAN network intrusion detection method
Min Wei, Chongqing (CN); Yuan Zhuang, Chongqing (CN); Tao Yang, Chongqing (CN); and Ping Wang, Chongqing (CN)
Assigned to Chongqing University of Posts and Telecommunications, Chongqing (CN)
Appl. No. 17/261,872
Filed by CHONGQING UNIVERSITY OF POSTS AND TELECOMMUNICATIONS, Chongqing (CN)
PCT Filed Jun. 5, 2019, PCT No. PCT/CN2019/090137
§ 371(c)(1), (2) Date Jan. 21, 2021,
PCT Pub. No. WO2020/042702, PCT Pub. Date Mar. 5, 2020.
Claims priority of application No. 201810994988.6 (CN), filed on Aug. 29, 2018.
Prior Publication US 2021/0266748 A1, Aug. 26, 2021
Int. Cl. H04W 12/122 (2021.01); H04L 9/40 (2022.01); H04L 29/06 (2006.01); H04L 29/12 (2006.01); H04W 4/80 (2018.01); H04W 12/69 (2021.01); H04W 24/08 (2009.01); H04L 101/659 (2022.01); H04W 84/18 (2009.01)
CPC H04W 12/122 (2021.01) [H04L 63/1425 (2013.01); H04W 4/80 (2018.02); H04W 12/69 (2021.01); H04W 24/08 (2013.01); H04L 2101/659 (2022.05); H04W 84/18 (2013.01)]
5 Claims
1. An improved KNN (K-Nearest Neighbor)-based 6LoWPAN (IPv6 over Low-power Wireless Personal Area Networks) network intrusion detection method, characterized in that: comprises following steps:
S1: learning process:
establishing a state data table of network elements, and completing networking by nodes, wherein there are m network elements in a network; setting a state data set of a plurality of network elements cached in a table as {y1, . . . , yi}, selecting q features of network elements of a 6LoWPAN network, and recording constructed feature set of the network elements as {Feature1, Feature2, . . . , Featureq};
reflecting state data of a certain network element x through the q features of network elements, and recording as yx={yx1, . . . , yxq}, wherein number of features of different network elements is q; and after a network starts operating, recording all feature data of network elements by a console; and
selecting and capturing the feature data of network elements;
S2: detecting process: collecting all data needed for intrusion detection, forming a state data table of network elements on the console, and conducting intrusion detection by the console; and supposing that normal data points appear in a dense neighborhood, making abnormal data points be far away from a nearest neighbor; and
S3: on-line updating,
characterized in that: a judge process for the intrusion detection comprises: direct judgment based on features of a certain network element and comprehensive judgment on a state data table of network elements established based on features of several network elements,
characterized in that: the comprehensive judgment on the state data table of network elements established based on the features of several network elements is: in process of collecting the features of network elements, an intrusion detection system collects multiple quantifiable security features that can reflect self-security states of network elements of a 6LoWPAN network, establishes a state data table of network elements, and comprehensively judges whether intrusion exists in the network,
characterized in that: the comprehensive judgment on a state data table of network elements established based on features of several network elements is specifically:
selecting state data amount of network elements, thus determining a number of samples in the state data table of network elements, i.e., number of rows;
constructing a feature set of network elements, thus determining the features related to 6LoWPAN intrusion detection in the state data table of network elements, and determining a dimension of the data, i.e., the number of columns;
filling the state data table of network elements; and
conducting data preprocessing and completing orthogonal normalization processing;
a specific construction is as follows:
(1) selection of the state data amount of network elements
the number of sample state data in the state data table of network elements shall not be less than the number of network elements in the network, nor more than two times the total number of network elements, that is, the number of samples that can find outliers is optimal;
the state set of a plurality of network elements cached in the table is set as {y1, . . . , yi};
m<i<2m is specified; three time periods of T0→T1, T1→T2 and T2→T3 are specified; before T0, the network has started and a node joining process is completed; before T0, the network has started and the node joining process is completed; an acquisition for the state data set {y1, . . . , ym} of network elements is completed in T0→T1; the acquisition for the state data set {ym+1, . . . , yi} of network elements is completed in T1→T2; an update for the state data table of network elements is completed in T2→T3 (that is, a previous cache is cleared and new data are reloaded); and at this time, a state set of a plurality of network elements cached in the table is

OG Complex Work Unit Math
and p is score probability;
two time periods of T0→T1, and T1→T2 will pass only when the state data table of network elements is firstly formed, and then a forming process in the table will follow a mode of a T2→T3 time period;
in the firstly formed state data table of network elements, states ym+x and yx are the states of the same network element in different time periods;
in addition, in the T2→T3 time period, the state of network elements in the network needs to be captured in

OG Complex Work Unit Math
time periods; and └x┘ is a function representation for an integer part of a decimal;
the parameter p is used during an updating process and is a parameter in an updating algorithm, and a value of p is specified by the console;
at this time, states y(m−1)+x, y2(m−1)+x, . . . ,

OG Complex Work Unit Math
and yx are the states of the same network element in different time periods, and the data in the table are updated after these state data are screened according to the probability of p;
the states of network elements in the table have been converted into the data, the console does not need to reflect time when the table is constructed, and previous states of the network elements do not need to be replaced; and
the data amount of the states of network elements will be determined;
(2) construction of feature set of network elements
some features are time-based statistical features of network traffic, i.e.,

OG Complex Work Unit Math
and in order to avoid an influence of
time period on statistical feature data, these features are uniformly represented by the “occurrence frequency of messages”;
the features are as follows:
Feature1: occurrence frequency of address unreachable response messages, with the weight of weight1;
Feature2: the number of topology changes/establishments in a time period, with the weight of weight2;
Feature3: the number of sub-network elements calculated by a parent network element item, with the weight of weight3;
Feature4: differences that a proxy network element and an intrusion detection auxiliary device 1 detect a CON (confirm) message, with the weight of weight4;
Feature5: differences that the proxy network element and the intrusion detection auxiliary device 1 detect an ACK (acknowledge) message, with the weight of weight5;
Feature6: occurrence frequency of response messages when a message is overlarge, with the weight of weight6;
Feature7: the number of certain sub-network element data packets received, with the weight of weight7;
Feature8: consumed energy of a certain sub-network element data packet received, with the weight of weight8;
Feature9: forwarding rate of network element data packet, with the weight of weight9; the weights are assigned according to an impact factor console of each feature, satisfying Σweight=1; and the assigned weights can reduce a bias caused by distinct features; and
in this table, a process that a series of features of network elements are constructed as a feature set is:
since the state data of network elements in the table are captured at different times in the process of firstly forming the state data table of network elements, cases of capturing data in the T0→T1 and T1→T2 time periods will be explained in the process of constructing the following feature set; and except that the cases of capturing the data in different time periods exist in the process of firstly forming the table, the other cases are that the data are captured in a T2→T3 time period;
a process of constructing the state data table of network elements in time sequence is that:
firstly, describing a first forming process of the state data table of network elements:
in a T0→T1 time period,
1) Network element feature Feature1
capturing, by an intrusion detection auxiliary device 2, an address unreachable message that the network element sends to an upper-level network element, conducting statistical monitoring on the address unreachable message in T0→T1, monitoring the occurrence frequency, and recording a feature as vicmp1; and recording the network element feature of vicmp1 in the table;
2) Network element features Feature2 and Feature3
a MN (monitoring network element) in T0→T1 time period: detecting any change related to a preferred parent network element in a network element DIO (DODAG information object) message of the network, taking DODAG ID (Destination-Oriented Directed Acyclic Graph Identification) changes or levels of the network element to be an infinitive, and recording the feature as Numtopo;
the monitoring network element MN in T0→T1 time period: detecting the increment of statistical sub-network elements through the parent network element; recording the feature as Numsub; recording the features of Numtopo and Numsub in the table;
3) Network element feature Feature4
an intrusion detection auxiliary device 1 and a proxy network element in T0→T1 time period: conducting statistics on network element notification messages; comparing the difference between the notification messages obtained by both; and monitoring the difference number of the messages and recording the feature as ΔCON;
4) Network element feature Feature5
the intrusion detection auxiliary device 1 in T0→T1 time period: conducting statistics on the rate at which the gateway returns an ACK message; the proxy network element 6R in T0→T1: conducting statistics on the ACK message rate; comparing the difference between the ACK messages obtained by both; and monitoring the difference number of the messages and recording the feature as Δack; and recording the feature of Δack in the table;
5) network element feature Feature6
an intrusion detection auxiliary device 2 in T0→T1 time period: capturing an error report message returned to the network element, and conducting statistic detection on the message; monitoring the frequency of occurrence and recording the feature as vicmp2; and recording the feature of vicmp2 in the table;
6) Network element energy feature
FFD (full function device) and 6R in T0→T1 time period: conducting statistics on self-energy, and processing the message obtained through the statistics, to obtain an energy feature, comprising the number RcvAk of data packets received by network elements, the consumed energy EnergyRcvAk of the data packets received by the network elements, and forwarding rate Rateforward of a network element data packet;
after the completion of a construction for the state data table of the network elements, a processing mode of the console for specific feature data of network elements in the state data table of network elements will be specially illustrated;
(3) data preprocessing after the state data table of network elements is filled
1) Denoising process:
the console checks whether there are some non-numerical variables and obviously unreasonable data in the state data table of network elements, which are invalid; and after the denoising process is completed, the feature data set of network elements of the nth feature in the table is set as y|n={y1n, y2n, . . . , yin}, i.e., the nth column of the state data table of network elements, and threshold values of the y|n set are maxn and minn, where minn is a minimum value in the set and maxn is a maximum value; and
at this time, the console needs to pre-process a threshold range of each feature, and the console converts the threshold range (mini, maxi) of each feature to that between (0,1) through normalization function processing, that is, an eigenvalue is converted to

OG Complex Work Unit Math
and in addition, the console also needs to rematch the weight of each feature according to the impact factor of the feature;
2) The console constructs q dimensional coordinate space, and takes q=10, and the feature data of the network elements in the state data table of network elements need to be located in a coordinate space; and at this time, the console introduces an echo coefficient c to transfer zero, so that the entire feature space is moved to a positive coordinate space, where the coefficient c is set to:
c>|min|,min=min{mini, i=1, 2, . . . , q}.
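
The preprocessing and detection steps described in the claim, sketched as an added example that is not part of the patent text: denoise the state data table, scale each feature column to (0,1), apply the feature weights, shift by a coefficient c>|min|, then score each row by its distance to its k-th nearest neighbor. Assumptions: the normalization formula is not reproduced on this page, so standard min-max scaling is used; the weights, k=3, the 3x-median decision threshold, the m=5 sizing and all table values are constructed for illustration; the nine listed features are used as columns.

```python
import math
from statistics import median

# Assumed weights for Feature1..Feature9 (the claim only requires that they sum to 1).
WEIGHTS = [0.15, 0.15, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10]

# Constructed state data table for m = 5 network elements (m < i < 2m rows).
# Columns: v_icmp1, Num_topo, Num_sub, dCON, dACK, v_icmp2, RcvAk, EnergyRcvAk, Rate_forward
TABLE = [
    [0.02, 1, 3, 0, 1, 0.01, 120, 2.4, 0.97],
    [0.03, 1, 3, 1, 0, 0.02, 118, 2.3, 0.96],
    [0.02, 2, 3, -1, 1, 0.01, 125, 2.5, 0.98],
    [0.04, 1, 4, 0, 0, 0.02, 122, 2.4, 0.97],
    [0.03, 1, 3, 1, 1, 0.01, 119, 2.4, 0.95],
    [0.02, 2, 4, 0, 0, 0.02, 121, 2.5, 0.96],
    [0.03, 1, 3, 0, 1, 0.01, 123, 2.4, 0.97],
    [0.45, 9, 11, 7, 8, 0.30, 410, 9.8, 0.31],     # constructed anomalous state
    [0.02, "n/a", 3, 0, 1, 0.01, 120, 2.4, 0.97],  # constructed noise: non-numerical value
]

def denoise(table):
    """Drop rows that hold non-numerical or non-finite values."""
    def valid(v):
        return (isinstance(v, (int, float)) and not isinstance(v, bool)
                and math.isfinite(v))
    return [[float(v) for v in row] for row in table if all(valid(v) for v in row)]

def preprocess(table, weights):
    """Min-max scale each column to [0, 1], weight it, then shift by c > |min|."""
    cols = list(zip(*table))
    lo, hi = [min(col) for col in cols], [max(col) for col in cols]
    c = abs(min(lo)) + 1.0  # any c > |min| works; a translation keeps distances unchanged
    return [[w * ((v - a) / (b - a) if b > a else 0.0) + c
             for v, a, b, w in zip(row, lo, hi, weights)] for row in table]

def knn_scores(points, k=3):
    """Score each row by the Euclidean distance to its k-th nearest neighbor."""
    scores = []
    for i, p in enumerate(points):
        dists = sorted(math.dist(p, q) for j, q in enumerate(points) if j != i)
        scores.append(dists[k - 1])
    return scores

def detect(table, weights=WEIGHTS, k=3, factor=3.0):
    """Return row indices (after denoising) whose score exceeds factor * median."""
    scores = knn_scores(preprocess(denoise(table), weights), k)
    limit = factor * median(scores)  # assumed decision rule, not from the claim
    return [i for i, s in enumerate(scores) if s > limit]

if __name__ == "__main__":
    print(detect(TABLE))
```

Because min-max scaling uses the column extremes, a single extreme state compresses the normal rows toward one end of each axis, so the score threshold should be chosen relative to the score distribution rather than as a fixed distance.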