CN118473730A - Electric power internet of things terminal network risk behavior identification method, equipment and medium - Google Patents
- Publication number: CN118473730A (application CN202410559551.5A)
- Authority: CN (China)
- Prior art keywords: behavior, network, risk, network access, information
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Description
Technical Field
The present invention relates to the technical field of the electric power Internet of Things (IoT), and in particular to a method, device and medium for identifying network risk behavior of electric power IoT terminals.
Background Art
With the growth of the Internet of Things in the power industry and the rising number of smart terminals, the operating state of grid equipment can be monitored in real time, so that energy dispatch and allocation can be carried out more precisely; at the same time, users' electricity consumption behavior can be monitored and analyzed in real time, so that more personalized and intelligent electricity services can be offered.
Through the various kinds of smart power IoT devices, remote control, intelligent connection and comprehensive sensing can be achieved, so that electric energy is managed more efficiently and precisely, the efficiency of energy use improves, and users receive better power services.
However, while the smart power IoT brings intelligent convenience, the security problems and risks that come with it, such as network security and data security, also become prominent. On the network security side, DDoS attacks, brute-force cracking and malicious access are widely used attack techniques, so malicious access behavior needs to be detected and blocked at the network access level to stop attackers. On the data security side, as more and more IoT smart terminals take part in the business, a large amount of sensitive data, such as customers' electricity usage information from smart meters, is stored on the terminals and transmitted over the network.
Summary of the Invention
The present invention provides a method, device and medium for identifying network risk behavior of electric power IoT terminals, so as to detect network attack events in real time.
According to a first aspect of the present invention, a method for identifying network risk behavior of electric power IoT terminals is provided, comprising:
obtaining the network access traffic of associated electric power IoT terminals;
forming a multi-threaded consumer message queue from the network access traffic of each associated electric power IoT terminal, and determining the risk feature values of the network behaviors in the multi-threaded consumer message queue;
clustering the feature values according to each risk feature value and a preset weight set, and identifying the attack feature behaviors in the multi-threaded consumer message queue.
According to another aspect of the present invention, a device for identifying network risk behavior of electric power IoT terminals is provided, comprising:
a traffic acquisition module, configured to obtain the network access traffic of associated electric power IoT terminals;
a feature value determination module, configured to form a multi-threaded consumer message queue from the network access traffic of each associated electric power IoT terminal, and to determine the risk feature values of the network behaviors in the multi-threaded consumer message queue;
a behavior determination module, configured to cluster the feature values according to each risk feature value and a preset weight set, and to identify the attack feature behaviors in the multi-threaded consumer message queue.
According to another aspect of the present invention, an electronic device is provided, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor so that the at least one processor can perform the method for identifying network risk behavior of electric power IoT terminals described in any embodiment of the present invention.
According to another aspect of the present invention, a computer-readable storage medium is provided, which stores computer instructions that, when executed by a processor, cause the processor to implement the method for identifying network risk behavior of electric power IoT terminals described in any embodiment of the present invention.
The technical solution of the embodiments of the present invention obtains the network access traffic of associated electric power IoT terminals; forms a multi-threaded consumer message queue from the network access traffic of each associated terminal and determines the risk feature values of the network behaviors in that queue; and clusters the feature values according to each risk feature value and a preset weight set to identify the attack feature behaviors in the queue. By collecting the sent and received network access traffic in real time, determining the corresponding risk feature values and clustering them together with the preset weight set, the network risk attack behaviors among them are identified. This achieves real-time detection of network risk behavior so that it can be handled promptly afterwards, which raises the level of security protection for data transmission and ensures the security of the associated electric power IoT terminals.
It should be understood that the content described in this section is not intended to identify key or important features of the embodiments of the present invention, nor to limit the scope of the present invention. Other features of the present invention will become easy to understand from the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a method for identifying network risk behavior of electric power IoT terminals provided by a first embodiment of the present invention;
FIG. 2 is a flow chart of a method for identifying network risk behavior of electric power IoT terminals provided by a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a device for identifying network risk behavior of electric power IoT terminals provided by a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device implementing an embodiment of the present invention.
DETAILED DESCRIPTION
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used can be interchanged where appropriate, so that the embodiments of the present invention described here can be implemented in an order other than that illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
It will be understood that, before the technical solutions disclosed in the embodiments of the present disclosure are used, the user should be informed, in an appropriate manner and in accordance with the relevant laws and regulations, of the types, scope of use and usage scenarios of the personal information and network access traffic involved in the present disclosure, and the user's authorization should be obtained.
Embodiment 1
FIG. 1 is a flow chart of a method for identifying network risk behavior of electric power IoT terminals provided by a first embodiment of the present invention. This embodiment applies to risk identification for terminal devices, edge computing devices and cloud applications. The method can be performed by a device for identifying network risk behavior of electric power IoT terminals, which can be implemented in hardware and/or software and configured in an electronic device.
By way of example, the present invention can be applied to the smart Internet of Things of the power industry (the power IoT for short), which connects to all kinds of related smart power terminal devices. The number of such terminal devices is growing and their types are diversifying; they include smart meters, temperature sensors, humidity sensors and power distribution devices. As for data transmission, the smart IoT sends the data of each distribution network and substation to the data center, data centers exchange data with each other, and the data is also sent to the cloud platform, where the control center monitors and controls the grid in real time through analysis of massive data. Network security problems arise during network transmission, and the present invention can be used to identify network risk behavior in that transmission. The processor can be deployed in the power IoT and connected to each smart power terminal device through it.
As shown in FIG. 1, the method includes:
S110: obtaining the network access traffic of the associated electric power IoT terminals.
In this embodiment, the associated electric power IoT terminals can be understood as the already connected terminals, edge computing devices and cloud application ends used for sending and receiving; examples include smart meters, temperature sensors, humidity sensors and power distribution devices. Network access traffic can be understood as the data transmitted over the network.
Specifically, the processor can be connected in advance to the associated electric power IoT terminals associated with it, and the processor can collect the network access traffic sent by, or sent to, those terminals.
As more associated electric power IoT terminals are connected, some of them hold user information, and their data processing involves the collection, transmission, sharing and storage of data. An imperfect data encryption mechanism brings considerable security risk to the information communication security of the IoT system: an intruder can obtain and even use users' sensitive data without permission, so the terminals face the risk of personal privacy and data leakage, and effective protective measures are needed to keep IoT communication secure. The main approach is lightweight encryption with protection from the source and end-to-end encrypted transmission: data is encrypted at the sensors, collectors and edge computing centers, and is encrypted and decrypted end to end along the transmission link, so that data is secure in transit.
This lightweight encryption combines AES and RSA; by improving the encryption method, encryption security is maintained without affecting IoT network resources or terminal performance.
AES encryption is a symmetric Advanced Encryption Standard that uses a block cipher mode of operation. It includes five modes: ECB, CBC, OFB, CTR and CFB, and supports key lengths of 128, 192 and 256 bits. This kind of encryption runs fast and uses little memory, which makes it suitable for encrypting IoT data in transit.
RSA encryption is an asymmetric encryption with a pair of public and private keys. RSA keys are 1024 bits or longer, so security is strong, but encrypting large volumes of data with it consumes considerable resources. In the present method, RSA is mainly used to transmit the symmetric key, combining security with efficiency and ensuring that the key is transmitted securely.
During data transmission, the processor can use AES-256 encryption by default, with a dynamic key for encryption and decryption. When the receiving end obtains the encrypted data, it decrypts the AES key with its RSA private key, obtains the symmetric key and then uses that key to decrypt the data, thereby keeping terminal data confidential during collection, transmission, use and storage and preventing the leakage of important information.
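The AES-256 plus RSA key-transport scheme described above, as an added Go example that is not part of the patent: the sender generates a fresh (dynamic) AES-256 key per message, encrypts the payload with it, and wraps that key under the receiver's RSA public key; the receiver unwraps the key with its private key and then decrypts the payload. The use of AES-GCM (an authenticated mode, which is not among the five modes the text lists), RSA-OAEP with SHA-256, a 2048-bit RSA key, the Envelope layout and the sample meter reading are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the wire format a sending terminal produces: the per-message
// AES-256 key wrapped with the receiver's RSA public key, plus the nonce and
// ciphertext of the payload. (Constructed layout, not the patent's.)
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(receiverPub, aesKey)
	Nonce      []byte // 12-byte GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM(aesKey, payload), tag appended
}

// Seal encrypts payload with a freshly generated AES-256 key and wraps that
// key for the receiver with RSA-OAEP. The symmetric key is never reused.
func Seal(receiverPub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // 256-bit symmetric key
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open is the receiver side: unwrap the AES key with the RSA private key,
// then decrypt and authenticate the payload. A modified ciphertext or nonce
// makes gcm.Open return an error instead of silently yielding garbage.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("payload authentication failed: %w", err)
	}
	return pt, nil
}

// RoundTrip generates a receiver key pair, seals a constructed meter reading,
// opens it, and then checks that a flipped ciphertext byte is rejected.
// It returns the recovered plaintext and whether the tampering was detected.
func RoundTrip() (string, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	reading := []byte(`{"meter":"SM-0001","kwh":1234.5}`) // constructed sample payload
	env, err := Seal(&priv.PublicKey, reading)
	if err != nil {
		return "", false, err
	}
	pt, err := Open(priv, env)
	if err != nil {
		return "", false, err
	}
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, tamperErr := Open(priv, &tampered)
	return string(pt), tamperErr != nil, nil
}

func main() {
	fmt.Println(RoundTrip())
}
```

The reason for choosing GCM over the listed modes is visible in `RoundTrip`: with CBC, OFB, CTR or CFB a flipped ciphertext bit would decrypt to corrupted data without any error, whereas the GCM authentication tag turns it into an explicit failure that the receiver can log and act on.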
S120: forming a multi-threaded consumer message queue from the network access traffic of each associated electric power IoT terminal, and determining the risk feature values of the network behaviors in the multi-threaded consumer message queue.
In this embodiment, the multi-threaded consumer message queue can be understood as a queue made up of multi-threaded, highly concurrent network access traffic. A network behavior can be understood as a behavior used to access the network, such as an API access or a terminal account login. A risk feature value can be understood as a feature value that characterizes the attack risk carried by a network behavior; it may include the source address, the accessed destination address, the destination port, the network access User-Agent and the event type.
Specifically, the processor can perform traffic analysis on the network access traffic of each associated electric power IoT terminal: it receives the network access traffic information in a multi-threaded, highly concurrent manner, cleans invalid traffic data, converts traffic data and enriches it to form analyzed traffic data; it then performs keyword parsing on the analyzed traffic data to obtain the data content it contains, extracts access attributes from the network logs, obtains the information characterizing risk from the access attributes and the data content, and encapsulates it in a specific format to form the risk feature value corresponding to each network behavior.
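The clean, convert, enrich and encapsulate step of S120, as an added Go example that is not the patent's own code: constructed access-log lines are parsed, malformed records are dropped and counted rather than aborting the batch, the port is converted to an integer, the event type is derived from a path keyword and the HTTP status, and each behavior is encapsulated as a feature record carrying the attributes the text names, then aggregated per source and event. The line format ("src dst port user-agent status path"), the field names and the event labels are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Feature is the risk feature record one network behavior is encapsulated
// into: the attributes named in the text plus a derived event type.
type Feature struct {
	Src, Dst string
	Port     int
	UA       string
	Event    string // "login_fail", "login_ok" or "url_access" (constructed labels)
}

// sampleLog is a constructed slice of mirrored access-log lines in the form
// "src dst port user-agent status path"; the format is an assumption.
const sampleLog = `10.0.0.5 10.0.1.10 443 meter-fw/2.1 200 /api/v1/readings
10.0.0.6 10.0.1.10 443 meter-fw/2.1 200 /login
203.0.113.4 10.0.1.10 443 ssh-scan/0.1 401 /login
203.0.113.4 10.0.1.10 443 ssh-scan/0.1 401 /login
garbage line without enough fields
198.51.100.9 10.0.1.10 abc curl/8.0 200 /api/v1/readings
203.0.113.4 10.0.1.10 443 ssh-scan/0.1 401 /login`

// ParseFeatures cleans, converts and enriches raw lines into Feature records.
// Invalid lines are dropped and counted so a consumer thread keeps draining
// its queue instead of stalling on one bad record.
func ParseFeatures(raw string) (feats []Feature, dropped int) {
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 6 { // cleaning: wrong field count
			dropped++
			continue
		}
		port, err := strconv.Atoi(f[2]) // conversion: port text to integer
		if err != nil || port < 1 || port > 65535 {
			dropped++
			continue
		}
		// enrichment: derive the event type from the path keyword and status
		event := "url_access"
		if strings.HasPrefix(f[5], "/login") {
			if f[4] == "200" {
				event = "login_ok"
			} else {
				event = "login_fail"
			}
		}
		feats = append(feats, Feature{Src: f[0], Dst: f[1], Port: port, UA: f[3], Event: event})
	}
	return feats, dropped
}

// CountBySourceEvent aggregates one unit-time window into "src event"
// counts, the shape the later clustering step consumes.
func CountBySourceEvent(feats []Feature) map[string]int {
	counts := map[string]int{}
	for _, ft := range feats {
		counts[ft.Src+" "+ft.Event]++
	}
	return counts
}

func main() {
	feats, dropped := ParseFeatures(sampleLog)
	counts := CountBySourceEvent(feats)
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Println(k, counts[k])
	}
	fmt.Println("dropped:", dropped)
}
```

Counting dropped lines matters operationally: a sudden rise in the dropped count for one mirror port is itself a signal that the capture or the parser is out of step with the traffic, and would otherwise hide behaviors from the clustering step.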
S130: clustering the feature values according to each risk feature value and a preset weight set, and identifying the attack feature behaviors in the multi-threaded consumer message queue.
In this embodiment, the preset weight set can be understood as the set of weights corresponding to the risk feature values of different network behaviors. For example, if the risk feature value contains four parameters A, B, C and D, the preset weights corresponding to the risk feature value (A, B, C, D) of network behavior A can be (a, b, c, d). An attack feature behavior can be understood as a behavior that endangers network security.
Specifically, after the risk feature values are obtained, the network access behaviors received within a unit of time need to be aggregated in order to discover access spikes within that unit of time. For example, abnormal URL access behavior initiated within a unit of time is defined as a DDoS attack, in which the attacker continuously sends packet streams from compromised, distributed edge devices to the target server, exhausting the server's hardware resources so that it can no longer handle any legitimate request in time; repeated login attempts against one account that fail within a unit of time are defined as an account brute-force attack, in which the attacker brute-forces the IoT terminal device, which may lead to data leakage from the device, compromise of privileged accounts and similar problems. To protect against such risks, the processor can use a risk feature value clustering algorithm together with the preset weight set: it determines the Euclidean distance from each object to each cluster center, uses those distances to determine the final cluster centers and clusters, determines the number of network access behaviors from the cluster centers and clusters, decides from that number and a tolerable threshold whether a network access behavior is an attack feature behavior, and thereby identifies which of the network access behaviors in the multi-threaded consumer message queue are attack feature behaviors.
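The weighted clustering and threshold check of S130, as an added Go example that is not the patent's code: each source's behaviors in one unit-time window are reduced to a vector [URL accesses, failed logins], a weighted Euclidean distance applies the preset weight set, a deterministic k-means (farthest-point seeding, k = 3) finds the cluster centers and clusters, and every cluster whose center carries more behaviors than the tolerable threshold marks its members as attack feature behaviors, labelled brute-force or DDoS-like by the dominant feature. The weights, k, the threshold, the reading of "number of network access behaviors" as the per-window count at the cluster center, and the sample vectors are assumptions made here.

```go
package main

import (
	"fmt"
	"math"
)

// Vec holds one source's behavior counts in a unit-time window:
// [URL accesses, failed logins].
type Vec [2]float64

// Weights is the preset weight set, one weight per dimension (constructed
// values; the patent does not publish its weights).
var Weights = Vec{1.0, 2.0}

// wdist is the weighted Euclidean distance used by the clustering.
func wdist(a, b Vec) float64 {
	s := 0.0
	for i := range a {
		s += Weights[i] * (a[i] - b[i]) * (a[i] - b[i])
	}
	return math.Sqrt(s)
}

// nearest returns the index of, and the distance to, the closest center.
func nearest(v Vec, centers []Vec) (int, float64) {
	bi, bd := 0, math.Inf(1)
	for j, c := range centers {
		if d := wdist(v, c); d < bd {
			bi, bd = j, d
		}
	}
	return bi, bd
}

// Cluster is weighted k-means. Seeding takes the first vector, then
// repeatedly the vector farthest from all centers chosen so far, so the
// result is deterministic for a given input order.
func Cluster(vecs []Vec, k int) (assign []int, centers []Vec) {
	centers = []Vec{vecs[0]}
	for len(centers) < k {
		best, bestD := 0, -1.0
		for i, v := range vecs {
			if _, d := nearest(v, centers); d > bestD {
				best, bestD = i, d
			}
		}
		centers = append(centers, vecs[best])
	}
	assign = make([]int, len(vecs))
	for iter := 0; iter < 20; iter++ { // a few Lloyd iterations converge here
		for i, v := range vecs {
			assign[i], _ = nearest(v, centers)
		}
		sum, n := make([]Vec, k), make([]float64, k)
		for i, v := range vecs { // move each center to the mean of its members
			sum[assign[i]][0] += v[0]
			sum[assign[i]][1] += v[1]
			n[assign[i]]++
		}
		for j := range centers {
			if n[j] > 0 {
				centers[j] = Vec{sum[j][0] / n[j], sum[j][1] / n[j]}
			}
		}
	}
	return assign, centers
}

// Detect flags each source whose cluster center carries more behaviors per
// window than the tolerable threshold, labelled by its dominant feature.
func Detect(srcs []string, vecs []Vec, threshold float64) map[string]string {
	assign, centers := Cluster(vecs, 3)
	flagged := map[string]string{}
	for i, s := range srcs {
		if c := centers[assign[i]]; c[0]+c[1] > threshold {
			flagged[s] = "ddos_like"
			if vecs[i][1] >= vecs[i][0] {
				flagged[s] = "brute_force"
			}
		}
	}
	return flagged
}

// Constructed window: three quiet meters, one source hammering a URL and
// one source failing logins repeatedly.
var (
	SampleSrcs = []string{"10.0.0.5", "10.0.0.6", "10.0.0.7", "198.51.100.9", "203.0.113.4"}
	SampleVecs = []Vec{{2, 0}, {1, 0}, {1, 0}, {60, 0}, {0, 25}}
)

func main() {
	fmt.Println(Detect(SampleSrcs, SampleVecs, 20))
}
```

With these inputs the seeding picks the quiet meter at index 0, then the URL burst source (farthest from it), then the failed-login source, so the three clusters separate baseline traffic from the two spike patterns and only the two spike centers exceed the threshold of 20 behaviors per window. The weight of 2.0 on failed logins is what lets 25 failures stand as far from the baseline as a much larger count of plain URL hits.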
The technical solution of the embodiments of the present invention obtains the network access traffic of associated electric power IoT terminals; forms a multi-threaded consumer message queue from the network access traffic of each associated terminal and determines the risk feature values of the network behaviors in that queue; and clusters the feature values according to each risk feature value and a preset weight set to identify the attack feature behaviors in the queue. By collecting the sent and received network access traffic in real time, determining the corresponding risk feature values and clustering them together with the preset weight set, the network risk attack behaviors among them are identified. This achieves real-time detection of network risk behavior so that it can be handled promptly afterwards, which raises the level of security protection for data transmission and ensures the security of the associated electric power IoT terminals.
As a first optional embodiment of Embodiment 1, after the attack feature behaviors in the multi-threaded consumer message queue are identified according to each risk feature value and the preset weight set, the method further includes:
blocking the attack feature behaviors, and archiving the risk handling information of the attack feature behaviors.
In this embodiment, the risk handling information can be understood as the information corresponding to the handling of the risk.
Specifically, once the processor finds an attack feature behavior, on the one hand the attack event needs to be blocked: by interfacing with network protection devices, event handling is issued quickly, for example the WAF is instructed to ban the network access IP of the attack behavior promptly, the firewall device is instructed to ban such IPs, and the IPS device is instructed to ban the IP and the UA, so that the attack is blocked in time and the edge computing devices and terminal devices are protected. On the other hand, the processor can collect detailed information on the attack feature behavior, such as the attack event name, attack description, scope of impact and handling suggestions, and notify the security operations staff and the responsible person on the business side promptly by email or enterprise messaging software, protecting the overall network security of the smart IoT system. For attack feature behaviors that have already been handled, the processor can collect the event type, level, scope of impact and similar information of the corresponding network security events, together with the risk description and handling measures of such events; it organizes and classifies this information into risk handling information, archives it, extracts features from recurring security events (for example, feeding access thresholds back into the algorithm library), and regularly updates and maintains the archived risk handling information to keep it accurate and current.
With this arrangement, the first optional embodiment of Embodiment 1 handles and blocks attacks effectively and promptly, reducing network security risk and improving transmission security; the archive also provides a basis for improving subsequent risk identification.
Because IoT terminal devices sit in complex and varied environments, and most of them are deployed where no one monitors them, they face multiple security problems: a terminal device may be impersonated, forged or cloned, or broken into. To address these problems, terminal devices must be authenticated so that only trusted devices are admitted.
As a second optional embodiment of Embodiment 1, on the basis of the above embodiments, the method further includes:
when an access request from a device requesting access is received, decrypting the access request with a preset private key to obtain decrypted authentication information, and performing access authentication of the device requesting access on the basis of the decrypted authentication information.
In this embodiment, the device requesting access can be understood as a terminal device that needs to transmit data with the processor. The access request can be understood as a request to establish a data transmission relationship between the device requesting access and the processor. The decrypted authentication information can be understood as the decrypted information used to authenticate the device requesting access; it may include a time parameter and the device serial code.
Specifically, identity authentication and information authentication are applied when a device requesting access applies to join. When it connects to the processor, it can initiate an access request in which the time parameter and the device serial code are encrypted with the asymmetric public key. After receiving the access request, the processor decrypts the received request information with the private key. If the time parameter and device serial code cannot be recovered after decryption, this shows that the device did not assemble the agreed parameters when encrypting with the public key; authentication fails, and the device is an impostor. When the decrypted authentication information formed by the time parameter and the device serial code is recovered through private-key decryption, the processor can check the device serial code to determine whether it is correct; if it is correct and legitimate, access authentication is complete and the processor admits the device, otherwise authentication fails. If authentication fails, the processor intercepts the device, adds it to a blacklist and sends a warning to the relevant platform, so that malicious intrusion into the system is prevented in time.
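The access authentication exchange just described, as an added Go example that is not the patent's code: the device assembles the time parameter and its serial code and encrypts them under the processor's public key; the processor decrypts with its private key, rejects the request if the agreed parameters cannot be recovered, checks the serial code against the provisioned set, and blacklists the peer on any failure. RSA-OAEP with SHA-256, the JSON layout of the request, the provisioned serial list, the peer addresses and the freshness window on the time parameter (the text only says the parameter must be present) are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// accessRequest is the plaintext a device assembles before public-key
// encryption: the time parameter and the device serial code named in the
// text. The JSON layout is an assumption made for this example.
type accessRequest struct {
	Time   int64  `json:"t"`  // Unix seconds on the device clock
	Serial string `json:"sn"` // device serial code
}

// Gateway is the processor side: its key pair, the serial codes provisioned
// as legitimate, and the blacklist built from failed attempts.
type Gateway struct {
	priv      *rsa.PrivateKey
	known     map[string]bool
	Blacklist map[string]bool // keyed by the peer address a request came from
	Window    time.Duration   // tolerated clock skew (assumption, see lead-in)
}

func NewGateway(serials ...string) (*Gateway, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	g := &Gateway{priv: priv, known: map[string]bool{}, Blacklist: map[string]bool{}, Window: 5 * time.Minute}
	for _, s := range serials {
		g.known[s] = true
	}
	return g, nil
}

// PublicKey is the key a device is provisioned with.
func (g *Gateway) PublicKey() *rsa.PublicKey { return &g.priv.PublicKey }

// BuildRequest is the device side: assemble the agreed parameters and
// encrypt them under the gateway's public key (RSA-OAEP with SHA-256 here).
func BuildRequest(pub *rsa.PublicKey, serial string, now time.Time) ([]byte, error) {
	pt, err := json.Marshal(accessRequest{Time: now.Unix(), Serial: serial})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

// Authenticate decrypts with the private key and checks, in order, that the
// agreed parameters are present, that the serial code is provisioned and
// that the time parameter is fresh. Every failure blacklists the peer.
func (g *Gateway) Authenticate(peer string, req []byte, now time.Time) (bool, string) {
	reject := func(why string) (bool, string) {
		g.Blacklist[peer] = true
		return false, why
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, g.priv, req, nil)
	var ar accessRequest
	if err != nil || json.Unmarshal(pt, &ar) != nil || ar.Serial == "" || ar.Time == 0 {
		return reject("request not assembled with the agreed parameters")
	}
	if !g.known[ar.Serial] {
		return reject("unknown serial code")
	}
	if skew := now.Sub(time.Unix(ar.Time, 0)); skew > g.Window || skew < -g.Window {
		return reject("stale time parameter")
	}
	return true, "ok"
}

// Scenario runs four attempts against one gateway: a provisioned device, an
// unprovisioned serial, a request encrypted under some other public key
// (what a device without the agreed parameters produces), and a replay of
// the first request well outside the freshness window.
func Scenario() (results []bool, blacklisted int, err error) {
	g, err := NewGateway("SM-0001", "SM-0002")
	if err != nil {
		return nil, 0, err
	}
	now := time.Unix(1700000000, 0) // fixed clock so the run is reproducible
	good, _ := BuildRequest(g.PublicKey(), "SM-0001", now)
	unknown, _ := BuildRequest(g.PublicKey(), "SM-9999", now)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := BuildRequest(&other.PublicKey, "SM-0001", now)
	attempts := []struct {
		req []byte
		at  time.Time
	}{{good, now.Add(30 * time.Second)}, {unknown, now}, {forged, now}, {good, now.Add(10 * time.Minute)}}
	for i, a := range attempts {
		ok, _ := g.Authenticate(fmt.Sprintf("10.0.0.%d", i+1), a.req, a.at)
		results = append(results, ok)
	}
	return results, len(g.Blacklist), nil
}

func main() {
	fmt.Println(Scenario())
}
```

The fourth attempt shows why the time parameter earns a freshness check rather than a presence check: a captured, valid request would otherwise authenticate again whenever it is resent, since the serial code inside it is genuine.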
本实施例一的第二可选实施例,通过这样的设置,防止待接入设备冒名顶替以及伪造复制等安全风险,采用身份认证及信息认证方式、数字签名加密、串码认证确保物联终端可信的接入。The second optional embodiment of the first embodiment of the present invention, through such a setting, prevents security risks such as impersonation and forgery and copying of the device to be connected, and adopts identity authentication and information authentication methods, digital signature encryption, and serial code authentication to ensure reliable access of the Internet of Things terminal.
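The exchange described above, as an added example that is not part of the patent: the terminal encrypts "time|serial" with the processor's public key; the processor decrypts, checks that both agreed parameters are present, bounds the time parameter against its own clock (assumed here to be a replay guard, which the page does not state), checks the serial against a registry, and blacklists the source and records an alert on any failure. The wire format, the skew window and the registry are assumptions. The asymmetric cipher is a textbook-RSA toy built on two hard-coded Mersenne primes so that the block runs with the standard library only; a deployment would use an OAEP implementation from a real library. One caveat the text leaves implicit: anyone holding the public key can produce a well-formed request, so the serial code is the only credential in this exchange and has to be handled as a secret; the digital signature the page mentions is not modelled here.

```python
"""Access-authentication exchange from the passage above (added example).

Assumptions not in the page: the plaintext layout "<unix_time>|<serial>",
the freshness window, the serial registry, and the textbook-RSA toy used
in place of a real RSA/OAEP library.
"""

# --- toy asymmetric cipher (assumption: stand-in for a real RSA/OAEP library) ---
# Two Mersenne primes give a ~216-bit modulus, enough for a 22-byte plaintext.
# Textbook RSA is deterministic and malleable; never use it unpadded in production.
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def pk_encrypt(plaintext: bytes) -> int:
    m = int.from_bytes(plaintext, "big")
    assert m < N, "plaintext too long for the toy modulus"
    return pow(m, E, N)


def sk_decrypt(ciphertext: int) -> bytes:
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- terminal side -----------------------------------------------------------
def build_access_request(serial: str, now: int) -> int:
    """Assemble the agreed parameters (time|serial) and encrypt with the public key."""
    return pk_encrypt(f"{now}|{serial}".encode())


# --- processor side ----------------------------------------------------------
class Processor:
    def __init__(self, registry, max_skew_s=60):
        self.registry = set(registry)   # constructed whitelist of legitimate serials
        self.blacklist = set()          # sources blocked after a failed attempt
        self.alerts = []                # (source, reason) sent to the platform
        self.max_skew_s = max_skew_s    # assumption: bound on the time parameter

    def authenticate(self, ciphertext: int, src: str, now: int) -> bool:
        if src in self.blacklist:
            self._fail(src, "blacklisted source")
            return False
        try:
            ts_str, serial = sk_decrypt(ciphertext).decode().split("|", 1)
            ts = int(ts_str)
        except ValueError:
            # Agreed parameters not recovered: treated as impersonation.
            self._fail(src, "malformed authentication information")
            return False
        if abs(now - ts) > self.max_skew_s:
            self._fail(src, "stale time parameter")
            return False
        if serial not in self.registry:
            self._fail(src, f"unknown serial {serial}")
            return False
        return True

    def _fail(self, src: str, reason: str) -> None:
        self.blacklist.add(src)
        self.alerts.append((src, reason))
```

`UnicodeDecodeError` is a subclass of `ValueError`, so undecodable plaintext, a missing separator and a non-numeric time parameter all take the same failure branch.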
Embodiment 2
FIG. 2 is a flow chart of a method for identifying network risk behavior of power IoT terminals according to Embodiment 2 of the present invention. This embodiment further refines the embodiment above. As shown in FIG. 2, the method includes:
S201. Obtain the network access traffic of the associated power IoT terminals.
S202. Mirror the network access traffic of each associated power IoT terminal to obtain mirrored traffic.
In this embodiment, mirrored traffic is the traffic obtained by copying the network access traffic.
Specifically, the processor obtains mirrored traffic by mirroring the network access traffic at a network switch port; the mirrored copy has no effect on the business traffic itself. After obtaining the mirrored traffic, the processor asynchronously transmits the raw logs of the network access traffic to a back-end structured, tiered data cluster for storage.
S203. Transmit each mirrored traffic stream to the consumption queue of the corresponding thread in the message queue cluster, forming multi-threaded message consumption queues.
In this embodiment, the message queue cluster is a cluster made up of the consumption queues of multiple threads.
Specifically, the processor copies each mirrored traffic stream and transmits it synchronously to the consumption queue of the corresponding thread in the message queue cluster, for example with a separate consumption queue for each type of business, so that each forms its own multi-threaded message consumption queue ready for content analysis of the traffic.
S204. Determine, from each multi-threaded message consumption queue, the risk feature values of the network behavior that satisfies a preset time condition.
In this embodiment, the preset time condition is the time window used to judge attack events. For example, a unit time is set and the preset time condition is that unit time, such as within 10 minutes.
Specifically, the processor cleans invalid traffic data out of the network access traffic contained in each multi-threaded message consumption queue, converts the traffic data, and enriches it; it then parses the processed network access traffic according to the preset time condition and extracts risk feature values from the parsed data.
Further, on the basis of the above embodiment, the step of determining the risk feature values of the network behavior that satisfies the preset time condition from each multi-threaded message consumption queue may be refined as follows:
a1. Read, from each multi-threaded message consumption queue, the pending traffic data that satisfies a preset read condition.
In this embodiment, the preset read condition is the condition used to decide whether network traffic data in a multi-threaded message consumption queue may be read, for example that the message Topic is IoT_net_flow. Pending traffic data is the data that is ready to be processed.
Specifically, a multi-threaded approach first processes the network traffic data messages in the multi-threaded message consumption queues with high concurrency, reading the network traffic data that satisfies the preset read condition from each queue as pending traffic data, for example the messages whose Topic is IoT_net_flow. Once read, a pending traffic data message is marked as consumed, which guarantees the consistency of data processing.
b1. Clean and format-standardize the pending traffic data to obtain intermediate traffic data.
In this embodiment, intermediate traffic data is the traffic data after cleaning and standardization.
Specifically, because the pending traffic data that has been read arrives in varied, non-uniform forms, the processor cleans it again. This processing includes removing invalid data, erroneous data, and expired data so that the data remains atomic. Because some common attribute parameters of the collected network traffic data differ in format, such as the time parameter format and the source parameter format, the processor standardizes these common attributes of the cleaned data to form uniform, highly recognizable data records.
c1. Process the intermediate traffic data on the basis of the collected common parameter information to obtain target traffic data.
In this embodiment, common parameter information means the parameters that every interface call needs, such as the collected data source, the collection time, and the storage time. Target traffic data is the traffic data after enrichment with the common parameter information.
Specifically, the intermediate traffic data is already highly recognizable but may lack the common parameter information needed later, such as the collected data source, the collection time, and the storage time. The processor therefore enriches the data with this common parameter information to obtain the target traffic data, which makes the data easier to trace and gives it a unified, standardized format.
d1. Parse the target traffic data and determine the risk feature value of the network behavior to which the target traffic data corresponds.
Specifically, the processor parses the target traffic data, determines the parsed content, and extracts the corresponding risk feature value from it.
On the basis of the above embodiment, the step of parsing the target traffic data and determining the risk feature value of the corresponding network behavior may be refined as follows:
Parse the target traffic data to obtain parsed data in a target format; perform network behavior analysis on the access attributes in the network log corresponding to the target traffic data to determine the behavior feature information of the target traffic data; and obtain the risk feature value of the network behavior corresponding to the target traffic data from the behavior feature information together with the target information extracted from the parsed data.
In this embodiment, the target format is a set format, for example JSON. Parsed data is the content obtained by parsing. A network log is the record of an individual's or user's activity on the network. Access attributes are the attributes that characterize network access behavior. Behavior feature information is information that characterizes the behavior patterns and attack characteristics of network users.
Specifically, the processor parses the target traffic data to obtain parsed data in the target format, for example JSON. The parsed data includes the network access host information, content length, Agent, connection status, source address, network access destination address, destination port, network access type, and the User-Agent of the network access. Network attacks on the IoT are often hidden within normal network access behavior; to discover such attack behaviors and attack events within normal access, the processor first extracts the access attributes from the network log, infers the behavior patterns and attack characteristics of network users through network behavior analysis, and so obtains the behavior feature information corresponding to the target traffic data. The processor then reads the source address, destination address, destination port, User-Agent, and event type from the parsed data by key-value lookup, assembles this information into a risk feature value in string (Str) form, and places it in a cache, which provides the input for the subsequent clustering of risk feature values.
S205. Classify the risk behavior features and determine the candidate feature information under identical strings.
In this embodiment, candidate feature information is the classified risk feature values.
Specifically, once the processor has obtained the risk feature values, it aggregates the network access behavior received within the preset time condition in order to find access spikes within that window. For example, abnormal URL access initiated within the preset time condition is defined as a DDoS attack, in which the attacker continuously sends network access traffic from compromised distributed edge devices to the target server, exhausting its hardware resources so that it can no longer handle legitimate requests in time; repeated login attempts to an account that all fail within the unit time are defined as an account brute-force attack, in which the attacker brute-forces the IoT terminal device and may cause data leakage from the device, compromise of privileged accounts, and similar problems. To defend against such risks, a risk feature value clustering algorithm identifies which network access behaviors carry attack characteristics. The processor first obtains the risk feature value: source address, destination address, destination port, User-Agent, and event type; it then caches the string (Str) form of the feature value to obtain the candidate feature information. During this process, identical Str strings are merged into the same candidate feature information.
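Steps a1 to d1 and S205 run end to end on constructed log records, as an added example that is not code from the patent. The raw record layout, the two timestamp formats, the 10-minute expiry used for cleaning, the enrichment fields and the "|" separator of the Str feature key are all assumptions; the page names the attributes but fixes none of these details. The records are constructed, not captured traffic, and include one expired, one erroneous and one invalid record so that each cleaning rule is exercised.

```python
"""Steps a1-d1 and S205 on constructed log records (added example).

Assumptions not in the page: the raw record layout, the two timestamp
formats, the 10-minute expiry used for cleaning, the enrichment fields
and the "|" separator of the Str feature key.
"""
import ipaddress
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

REQUIRED = ("time", "src", "dst", "dport", "ua", "event")
EXPIRY = timedelta(minutes=10)   # assumption: matches the 10-minute preset time condition


def parse_time(value):
    """Normalize the timestamp formats seen in the constructed input to aware UTC."""
    if isinstance(value, (int, float)) or str(value).isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    for fmt in ("%Y-%m-%d %H:%M:%S", "%d/%m/%Y %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparsable time: {value!r}")


def clean_and_standardize(raw, now):
    """b1: drop invalid, erroneous and expired records; unify time/source/port formats."""
    out = []
    for rec in raw:
        if any(k not in rec or rec[k] in (None, "") for k in REQUIRED):
            continue                     # invalid: a common attribute is missing
        try:
            ts = parse_time(rec["time"])
            src = str(ipaddress.ip_address(rec["src"].strip()))
            dport = int(rec["dport"])
        except ValueError:
            continue                     # erroneous: bad time, address or port
        if now - ts > EXPIRY:
            continue                     # expired: outside the preset time condition
        out.append({**rec, "time": ts.isoformat(), "src": src, "dport": dport})
    return out


def enrich(intermediate, source, now):
    """c1: add the common parameters that later interfaces need (assumed field names)."""
    stamp = now.isoformat()
    return [{**rec, "data_source": source, "collect_time": stamp, "store_time": stamp}
            for rec in intermediate]


def to_feature_str(target_json):
    """d1: parse the JSON target format and assemble the Str risk feature value."""
    rec = json.loads(target_json)
    return "|".join(str(rec[k]) for k in ("src", "dst", "dport", "ua", "event"))


def candidate_features(raw, now, source="switch-mirror-01"):
    """Whole pipeline: {feature_str: count}; identical strings are merged (S205)."""
    target = enrich(clean_and_standardize(raw, now), source, now)
    return Counter(to_feature_str(json.dumps(rec)) for rec in target)


# Constructed sample records, not captured traffic.
NOW = datetime(2024, 5, 6, 10, 10, 0, tzinfo=timezone.utc)
RAW = [
    {"time": "2024-05-06 10:00:01", "src": "10.1.1.7", "dst": "10.9.9.1", "dport": 8443,
     "ua": "curl/8.4", "event": "login_fail"},
    {"time": "1714989602", "src": " 10.1.1.7 ", "dst": "10.9.9.1", "dport": "8443",
     "ua": "curl/8.4", "event": "login_fail"},                       # same key, other formats
    {"time": "06/05/2024 10:00:03", "src": "10.1.1.8", "dst": "10.9.9.1", "dport": 8443,
     "ua": "curl/8.4", "event": "login_fail"},
    {"time": "2024-05-06 09:30:00", "src": "10.1.1.9", "dst": "10.9.9.1", "dport": 8443,
     "ua": "curl/8.4", "event": "login_fail"},                       # expired
    {"time": "not a time", "src": "10.1.1.7", "dst": "10.9.9.1", "dport": 8443,
     "ua": "curl/8.4", "event": "login_fail"},                       # erroneous
    {"time": "2024-05-06 10:05:00", "src": "10.1.2.3", "dst": "10.9.9.2", "dport": 80,
     "ua": "python-requests/2.31", "event": "api_fail"},
    {"time": "2024-05-06 10:05:00", "src": "", "dst": "10.9.9.2", "dport": 80,
     "ua": "x", "event": "api_fail"},                                # invalid
]
```

Calling `candidate_features(RAW, NOW)` yields three candidate feature strings; the two `10.1.1.7` login records collapse into one key with count 2 even though their time, source and port fields arrived in different formats, which is exactly what the standardization step is for.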
S206. Cluster the feature values according to each candidate feature information and a preset weight set, and determine the final cluster centers and the cluster type information.
In this embodiment, the final cluster centers are the cluster center categories finally determined. The cluster type information is the number of clusters finally determined.
Specifically, following the time order of the preset time condition, the processor clusters the feature values according to each candidate feature information and the preset weight set in turn, obtaining the weighted Euclidean distance from each object to each cluster center. Once the cluster centers no longer change, the risk feature values obtained in a further set time period are used to compute their Euclidean distances to each cluster center and to update the centers, after which the final cluster centers and the cluster type information are output.
Further, on the basis of the above embodiment, the step of clustering the feature values according to each candidate feature information and the preset weight set and determining the final cluster centers and cluster type information may be refined as follows:
Initialize a set number of initial cluster centers from the candidate feature information that satisfies a preset initial time condition; from the candidate feature information, determine the target feature information string that satisfies a first time condition and, with the preset weight set, determine the Euclidean distance from each object in the target feature information string to each initial cluster center; update the initial cluster centers according to these Euclidean distances to obtain intermediate cluster centers; when each intermediate cluster center satisfies a center stability condition, determine the final cluster centers and the cluster type information from the feature information string that satisfies a second time condition and the intermediate cluster centers; when the intermediate cluster centers do not satisfy the center stability condition, take the intermediate cluster centers as the updated initial cluster centers and return to the step of determining the Euclidean distances.
In this embodiment, the preset initial time condition is the time range whose candidate feature information is used to set the cluster centers; it is shorter than the preset time condition, for example 5 s when the preset time condition is 13 s. The first time condition is the time condition used to partition the clustering objects, for example every risk feature value within 2 minutes is taken as one object. The Euclidean distance is the distance from each object to each cluster center. The target feature information string is the string formed by all candidate feature information within the first time condition, in chronological order. The initial cluster centers are the cluster centers obtained by initialization. The intermediate cluster centers are the updated cluster centers. The center stability condition is the condition used to judge whether the change of the cluster centers has become stable. The second time condition is the time condition used to determine the final cluster centers and the cluster type information, for example 3 minutes.
Specifically, in step a the processor first initializes a set number of initial cluster centers from the candidate feature information that satisfies the preset initial time condition, for example k initial cluster centers: each network behavior C has 5 candidate feature values, i.e. the attributes of C = {source address, destination address, destination port, User-Agent, event type}, and the k cluster centers = {C1, C2, C3, C4, C5, ..., Ck}. In step b the processor then computes the Euclidean distance from each object to each cluster center: on the basis of the previous step, it determines from the candidate feature information the target feature information string that satisfies the first time condition, for example the target feature information string from the IoT access behavior in the next 2 minutes, takes each entry as an object, and, combined with the preset weight set, determines the Euclidean distance from each object in the target feature information string to each initial cluster center. For example, the Euclidean distance dis(Xi, Cj) may be determined by the following formula:
where Wt is the weight of the t-th attribute: t=1 is the weight of the source address, t=2 the weight of the destination address, t=3 the weight of the destination port, and t=4 the weight of the visitor's User-Agent. Xi is the i-th object, Cj is the j-th cluster center, Xit is the t-th attribute of the i-th object, and Cjt is the t-th attribute of the j-th cluster center.
The weights of the four attributes above are assigned by event type, and the weights for every event type are recorded in the preset weight set. For example, for brute-force cracking the weights are Wt = {0.2, 0.4, 0.3, 0.1}, meaning that accesses from different source addresses or different UAs to similar ports of the same destination address are considered close in Euclidean distance; for API traversal the weights are Wt = {0.3, 0.2, 0.3, 0.2}, meaning that accesses from similar source addresses or similar UAs to the same port of different destination addresses are considered close in Euclidean distance.
In step c the processor then updates each cluster center with the sample mean of its cluster, i.e. it recomputes the k cluster centers from the objects of step b to obtain the intermediate cluster centers.
Step d: repeat steps b and c until the intermediate cluster centers satisfy the center stability condition and no longer change; then determine the final cluster centers and the cluster type information from the feature information string that satisfies the second time condition and the intermediate cluster centers. That is, network access behavior in the IoT continues to be collected for the next 3 minutes, the risk feature values in this behavior are taken as objects, their Euclidean distances to the k cluster centers are computed, the clusters are updated once more, and the final cluster centers and the cluster type information, i.e. the partition into k clusters, are output.
S207. Determine the network access behavior count information from the final cluster centers and the cluster type information.
In this embodiment, the network access behavior count information is the number that characterizes each type of network access behavior.
Specifically, the processor obtains the network access behavior within a unit time (for example 10 minutes) and, through K-means aggregation using the final cluster centers and the cluster type information, obtains the network access behavior count, i.e. AC = Bi/Ti, where AC is the number of network access behaviors aggregated in the unit time, Bi is all the clustered behavior within the unit time, and Ti is the unit time.
S208. Determine the network access behavior category corresponding to the network access behavior count information from the target risk feature value of the target network access traffic to which the count information belongs.
In this embodiment, the network access behavior category is the access type of the network access behavior, such as terminal account login.
Specifically, because the network access behavior count information is computed from the risk feature values corresponding to the network access traffic, the processor can look up the target network access traffic to which the count information belongs, determine the corresponding target risk feature value, and then take the category item in that target risk feature value as the network access behavior category corresponding to the count information.
S209. Judge, from the network access behavior count information, the network access behavior category, and a preset tolerance threshold list, whether the network access behavior corresponding to the target network access traffic is attack feature behavior, obtaining the identification result for the network access behavior.
In this embodiment, the preset tolerance threshold list holds the thresholds tolerated for the different types of network attack behavior. The identification result indicates whether the network access behavior is attack behavior.
Specifically, the processor looks up the network access behavior category in the preset tolerance threshold list to determine the tolerance threshold for that category, then compares the network access behavior count information with that threshold. When the count is greater than or equal to the tolerance threshold, the network access behavior corresponding to the target network access traffic is judged to be attack feature behavior and the identification result is the category of the corresponding network attack; otherwise it is not.
For example, if AC is 1000, the network access behavior category is terminal account login, and the login response is a failure status, while the tolerable threshold for such login behavior per unit time is 10, it can be inferred that this network access behavior is an account brute-force attack against a particular terminal device. If AC is 1500, the network access behavior type is API access, and a large number of the APIs return a failure status, while the tolerable value for such API access per unit time is 100, it can be inferred that this network access behavior is an API traversal attack against the edge computing system.
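Steps S206 to S209 carried through on constructed S205 output, as an added example that is not code from the patent. The page gives the weight rows and the tolerance values but not the distance formula itself nor how addresses, ports and User-Agents become numbers, so the following are assumptions: the weighted Euclidean form sqrt(sum_t Wt (Xit - Cjt)^2), IPv4 addresses and ports scaled to [0, 1], a User-Agent family code, the stability epsilon, and keying the weight set by the event label (login_fail for brute force, api_fail for API traversal). Initial centers are taken from the first k distinct candidate strings of the initial window; the three windows of feature strings are constructed, not captured. Note that Euclidean distance over address integers only measures numeric adjacency, which is a weak proxy for "similar source"; the encoding is kept simple here to show the mechanics.

```python
"""Steps S206-S209 on constructed Str feature values (added example).

Assumptions not in the page: the numeric encoding of the four attributes,
the weighted-Euclidean formula, the stability epsilon, the weight set keyed
by event label, and the threshold values' unit.
"""
import ipaddress
import math

# Preset weight set (rows from the page; keying by event label is an assumption):
# login_fail = account brute force, api_fail = API traversal.
WEIGHTS = {"login_fail": (0.2, 0.4, 0.3, 0.1), "api_fail": (0.3, 0.2, 0.3, 0.2)}
# Preset tolerance threshold list per behavior category (values from the page).
TOLERANCE = {"login_fail": 10, "api_fail": 100}
# User-Agent family codes (assumption; a real system would learn a vocabulary).
UA_CODE = {"curl": 0.1, "Mozilla": 0.3, "python-requests": 0.9}


def encode(feature_str):
    """'src|dst|dport|ua|event' -> (4 scaled attributes in [0, 1], event label)."""
    src, dst, dport, ua, event = feature_str.split("|")
    ua_code = next((v for k, v in UA_CODE.items() if ua.startswith(k)), 0.5)
    vec = (int(ipaddress.ip_address(src)) / 2**32,
           int(ipaddress.ip_address(dst)) / 2**32,
           int(dport) / 65535,
           ua_code)
    return vec, event


def expand(counts):
    """{Str: count} from S205 -> one (vec, event) object per occurrence."""
    return [encode(s) for s, n in counts.items() for _ in range(n)]


def dist(x, c, w):
    """Weighted Euclidean distance dis(Xi, Cj) with attribute weights Wt."""
    return math.sqrt(sum(w[t] * (x[t] - c[t]) ** 2 for t in range(4)))


def assign(objects, centers):
    """Index of the nearest center; the weight row follows the object's event type."""
    return [min(range(len(centers)), key=lambda j: dist(v, centers[j], WEIGHTS[e]))
            for v, e in objects]


def update(objects, labels, centers):
    """Step c: each center becomes the sample mean of its cluster (kept if empty)."""
    new = []
    for j, c in enumerate(centers):
        members = [v for (v, _), l in zip(objects, labels) if l == j]
        new.append(tuple(sum(m[t] for m in members) / len(members) for t in range(4))
                   if members else c)
    return new


def weighted_kmeans(init_counts, first_counts, second_counts, k, eps=1e-12, max_iter=100):
    """Steps a-d: returns (final centers, members of each cluster in the second window)."""
    centers = [encode(s)[0] for s in list(init_counts)[:k]]   # step a: k distinct strings
    first = expand(first_counts)                                # first time condition
    for _ in range(max_iter):
        labels = assign(first, centers)                         # step b
        new = update(first, labels, centers)                    # step c
        moved = max(dist(a, b, (1, 1, 1, 1)) for a, b in zip(centers, new))
        centers = new
        if moved < eps:                                         # center stability condition
            break
    second = expand(second_counts)                              # second time condition
    labels = assign(second, centers)                            # step d
    clusters = [[o for o, l in zip(second, labels) if l == j] for j in range(k)]
    return centers, clusters


def identify(clusters, unit_time=1.0):
    """S207-S209: AC = Bi/Ti per cluster, category from the event item, threshold test.
    Returns [(category, AC, attack category or None)] for each non-empty cluster."""
    results = []
    for members in clusters:
        if not members:
            continue
        events = [e for _, e in members]
        category = max(set(events), key=events.count)
        ac = len(members) / unit_time
        results.append((category, ac, category if ac >= TOLERANCE[category] else None))
    return results


# Constructed S205 output for three consecutive windows, not captured traffic.
INIT = {"10.1.1.7|10.9.9.1|8443|curl/8.4|login_fail": 1,
        "10.1.2.3|10.9.9.2|80|python-requests/2.31|api_fail": 1}
FIRST = {"10.1.1.7|10.9.9.1|8443|curl/8.4|login_fail": 6,
         "10.1.1.8|10.9.9.1|8443|curl/8.4|login_fail": 5,
         "10.1.2.3|10.9.9.2|80|python-requests/2.31|api_fail": 3}
SECOND = {"10.1.1.7|10.9.9.1|8443|curl/8.4|login_fail": 9,
          "10.1.1.9|10.9.9.1|8443|Mozilla/5.0|login_fail": 6,
          "10.1.2.3|10.9.9.2|80|python-requests/2.31|api_fail": 5}


def run_example():
    """k=2: one cluster gathers the failed logins, the other the failed API calls."""
    _, clusters = weighted_kmeans(INIT, FIRST, SECOND, k=2)
    return identify(clusters)
```

In the second window the login attempts from a third address with a different User-Agent still land in the login cluster, because the brute-force weight row puts most of the weight on destination address and port; the cluster of 15 failed logins exceeds the tolerance of 10 and is reported as the brute-force category, while the 5 failed API calls stay under the tolerance of 100 and are not flagged.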
S210. Determine the attack feature behavior in the multi-threaded consumption message queues from the identification results.
Specifically, the processor takes each identification result as the attack feature behavior in the multi-threaded consumption message queues.
The technical solution of this embodiment obtains the network access traffic of the associated power IoT terminals and generates multi-threaded message consumption queues from it; the pending traffic data that satisfies the preset read condition is cleaned, format-standardized, and enriched with common parameter information to obtain target traffic data with a unified, standardized format and high recognizability; the target traffic data is parsed to extract parsed data in the target format, network behavior analysis of the access attributes in the network log yields behavior feature information, and risk feature values are generated from the behavior feature information and the target information extracted from the parsed data. The risk feature values provide the input for feature value clustering. The preset weight set corrects the weight carried by the risk feature values of different categories, and the Euclidean distance is determined from the preset weight set and the risk feature values; the cluster centers are updated by Euclidean distance to obtain intermediate cluster centers, from which the final cluster centers and the cluster type information are determined; the network access behavior count information is determined from the final cluster centers and the cluster type information; and whether the network access behavior is attack feature behavior is judged from the network access behavior count information, the corresponding network access behavior category, and the preset tolerance threshold list, giving the identification result. This achieves real-time detection of network risk behavior, improves the accuracy of identification and identifies the category of the network attack behavior, so that the risk behavior can be handled promptly, which raises the level of security protection for data transmission and guarantees the security of the associated power IoT terminals.
Embodiment 3
FIG. 3 is a schematic structural diagram of a device for identifying network risk behavior of power IoT terminals according to Embodiment 3 of the present invention. As shown in FIG. 3, the device includes a traffic acquisition module 31, a feature value determination module 32, and a behavior determination module 33.
The traffic acquisition module 31 is configured to obtain the network access traffic of the associated power IoT terminals;
The feature value determination module 32 is configured to form multi-threaded consumption message queues from the network access traffic of each associated power IoT terminal and to determine the risk feature values of the network behavior in the multi-threaded consumption message queues;
The behavior determination module 33 is configured to cluster the feature values according to each risk feature value and a preset weight set, and to identify the attack feature behavior in the multi-threaded consumption message queues.
The technical solution of this embodiment obtains the network access traffic of the associated power IoT terminals; forms multi-threaded consumption message queues from the network access traffic of each terminal and determines the risk feature values of the network behavior in those queues; and clusters the feature values according to each risk feature value and the preset weight set to identify the attack feature behavior in the queues. By collecting the sent and received network access traffic in real time, determining the corresponding risk feature values, and clustering them together with the preset weight set, the network risk attack behavior among them is identified. This achieves real-time detection of network risk behavior so that it can be handled promptly, which raises the level of security protection for data transmission and guarantees the security of the associated power IoT terminals.
Further, the feature value determination module 32 includes:
A traffic mirroring unit, configured to mirror the network access traffic of each of the associated power IoT terminals to obtain mirrored traffic;
A queue forming unit, configured to transmit each mirrored traffic stream to the consumption queue of the corresponding thread in a message queue cluster, forming a multi-threaded message consumption queue;
A feature value determination unit, configured to determine, according to each of the multi-threaded message consumption queues, the risk feature values of the network behavior that satisfies a preset time condition.
Further, the feature value determination unit includes:
A data reading subunit, configured to read, from each of the multi-threaded message consumption queues, traffic data to be processed that satisfies a preset reading condition;
A first processing subunit, configured to perform data cleaning and format standardization on the traffic data to be processed, obtaining intermediate traffic data;
A second processing subunit, configured to process the intermediate traffic data on the basis of collected public parameter information, obtaining target traffic data;
A determination subunit, configured to parse the target traffic data and determine the risk feature value of the network behavior corresponding to the target traffic data.
The determination subunit is specifically configured to:
parse the target traffic data to obtain parsed data in a target format;
perform network behavior analysis on the access attributes in the network log corresponding to the target traffic data, determining behavior feature information of the target traffic data; and
obtain, from the behavior feature information and the target information extracted from the parsed data, the risk feature value of the network behavior corresponding to the target traffic data.
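As an added illustration (not code from the patent or its applicant), the following Python sketch implements the reading, cleaning, public-parameter enrichment and feature-determination steps of the feature value determination unit as per-thread consumers over in-process queues. The JSON record layout, the field names, the public-parameter table (a terminal inventory with the protocol ports each terminal is expected to use), the preset reading condition (a batch size cap) and the three feature dimensions are all assumptions; the traffic records are constructed, not captured.

```python
"""Per-thread consumption pipeline from mirrored terminal traffic to risk
feature values.  Added example; record layout, field names and the public
parameter table are assumptions, and the traffic records are constructed."""
import json
import queue
import threading
import zlib
from datetime import datetime, timezone

# Constructed mirrored-traffic records (one JSON object per flow), not captured data.
MIRRORED_TRAFFIC = [
    '{"ts":"2024-05-08T10:00:01Z","src":"10.1.2.3","dst":"10.1.0.10","dport":502,"bytes":128,"status":"ok"}',
    '{"ts":"2024-05-08T10:00:02Z","src":"10.1.2.3","dst":"10.1.0.10","dport":502,"bytes":130,"status":"ok"}',
    '{"ts":"2024-05-08T10:00:03Z","src":"10.1.2.4","dst":"10.1.0.10","dport":23,"bytes":64,"status":"fail"}',
    '{"ts":"2024-05-08T10:00:04Z","src":"10.1.2.4","dst":"10.1.0.10","dport":22,"bytes":64,"status":"fail"}',
    '{"ts":"2024-05-08T10:00:05Z","src":"10.1.2.4","dst":"10.1.0.10","dport":502,"bytes":64,"status":"OK"}',
    'garbled line from the mirror port',  # dropped by cleaning
    '{"ts":"2024-05-08T11:00:00Z","src":"10.1.2.4","dst":"10.1.0.10","dport":23,"bytes":64,"status":"fail"}',
]
# Assumed "public parameter information": terminal inventory and expected protocol ports.
PUBLIC_PARAMS = {
    "10.1.2.3": {"terminal_id": "meter-001", "allowed_ports": {502}},
    "10.1.2.4": {"terminal_id": "meter-002", "allowed_ports": {502}},
}
# Preset time condition for this run: the window [WINDOW_START, WINDOW_END).
WINDOW_START = datetime(2024, 5, 8, 10, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 8, 10, 5, tzinfo=timezone.utc)


def routing_key(raw):
    """Source address of a record, so one terminal's flows share a thread."""
    try:
        return str(json.loads(raw).get("src", ""))
    except (ValueError, AttributeError):
        return ""


def mirror_to_queues(records, n_threads):
    """Queue forming unit: copy each mirrored record into the queue of the
    thread chosen by hashing its routing key."""
    queues = [queue.Queue() for _ in range(n_threads)]
    for raw in records:
        queues[zlib.crc32(routing_key(raw).encode()) % n_threads].put(raw)
    return queues


def read_batch(q, max_records):
    """Data reading subunit; the preset reading condition is a batch size cap."""
    batch = []
    while len(batch) < max_records:
        try:
            batch.append(q.get_nowait())
        except queue.Empty:
            break
    return batch


def clean_and_normalize(batch):
    """First processing subunit: drop malformed records, coerce field types and
    normalise timestamps to aware UTC datetimes (intermediate traffic data)."""
    out = []
    for raw in batch:
        try:
            rec = json.loads(raw)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
            rec["status"] = str(rec["status"]).lower()
            out.append(rec)
        except (ValueError, KeyError, TypeError):
            continue
    return out


def enrich(intermediate, params):
    """Second processing subunit: attach public parameters; unknown sources are
    tagged rather than dropped so they still produce a feature value."""
    for rec in intermediate:
        p = params.get(rec["src"], {"terminal_id": "unknown:" + rec["src"], "allowed_ports": set()})
        rec["terminal_id"] = p["terminal_id"]
        rec["port_expected"] = rec["dport"] in p["allowed_ports"]
    return intermediate


def risk_features(target, start, end):
    """Determination subunit: per-terminal risk feature values over [start, end):
    (flow count, failure ratio, ratio of flows to unexpected ports)."""
    agg = {}
    for rec in target:
        if not (start <= rec["ts"] < end):
            continue
        a = agg.setdefault(rec["terminal_id"], [0, 0, 0])
        a[0] += 1
        a[1] += int(rec["status"] != "ok")
        a[2] += int(not rec["port_expected"])
    return {t: (n, fail / n, unexp / n) for t, (n, fail, unexp) in agg.items()}


def run_pipeline(records, n_threads, start, end):
    """One window: every thread consumes its own queue and reports features."""
    queues = mirror_to_queues(records, n_threads)
    results, lock = {}, threading.Lock()

    def worker(q):
        feats = risk_features(enrich(clean_and_normalize(read_batch(q, 1000)), PUBLIC_PARAMS), start, end)
        with lock:
            results.update(feats)  # terminal ids are disjoint across threads (routing by source)

    threads = [threading.Thread(target=worker, args=(q,)) for q in queues]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    for terminal, feats in sorted(run_pipeline(MIRRORED_TRAFFIC, 2, WINDOW_START, WINDOW_END).items()):
        print(terminal, feats)
```

Routing by source address keeps all of a terminal's flows in one thread's queue, so the per-terminal aggregates need no cross-thread merge; in a deployment the in-process queues would be replaced by the topic partitions of the message queue cluster, and the malformed-record path matters because mirrored traffic from a span port regularly contains truncated or non-UTF-8 payloads.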
Further, the behavior determination module 33 includes:
A first determination unit, configured to classify each of the risk behavior features and determine the candidate feature information under the same character string;
A second determination unit, configured to perform feature value clustering according to each of the candidate feature information and the preset weight set, determining final cluster centers and cluster type information;
A third determination unit, configured to determine network access behavior count information according to the final cluster centers and the cluster type information;
A fourth determination unit, configured to determine the network access behavior category corresponding to the network access behavior count information according to the target risk feature value of the target network access traffic to which the network access behavior count information belongs;
A fifth determination unit, configured to judge, according to the network access behavior count information, the network access behavior category and a preset tolerance threshold list, whether the network access behavior corresponding to the target network access traffic is attack characteristic behavior, obtaining an identification result for the network access behavior;
A behavior determination unit, configured to determine the attack characteristic behavior in the multi-threaded consumption message queue according to each of the identification results.
The second determination unit is specifically configured to:
initialize a set number of initial cluster centers according to the candidate feature information that satisfies a preset initial time condition;
determine, according to the target feature information string in the candidate feature information that satisfies a first time condition and the preset weight set, the Euclidean distance from each object in the target feature information string to each of the initial cluster centers;
update the initial cluster centers according to each of the Euclidean distances, obtaining intermediate cluster centers;
when each of the intermediate cluster centers satisfies a center stability condition, determine the final cluster centers and the cluster type information according to the feature information string that satisfies a second time condition and the intermediate cluster centers; and
when the intermediate cluster centers do not satisfy the center stability condition, take the intermediate cluster centers as the updated initial cluster centers and return to the step of determining the Euclidean distances.
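As an added worked example (not the patent's own code), the weighted Euclidean k-means of the second determination unit followed by the count, category and tolerance-threshold decision of the third to fifth units, in Python. The feature layout, the preset weight set, the risk-score bands used as the category rule, the tolerance threshold list and the candidate vectors are assumptions; the "preset initial time condition" is taken to mean the earliest k candidates, and the center stability condition is taken to be a maximum center shift below a tolerance.

```python
"""Weighted k-means over risk feature vectors and the tolerance-threshold
decision.  Added example; feature layout, weights, category bands, tolerance
list and candidate vectors are assumptions, and the vectors are constructed."""
import math

# Assumed feature layout: (flows per window, failure ratio, unexpected-port ratio).
WEIGHTS = (0.2, 1.0, 1.0)  # preset weight set, one weight per dimension
# Assumed category rule: bands on the weighted norm of a cluster centre.
CATEGORY_BANDS = (("baseline", 3.0), ("suspicious", 10.0), ("high_risk", math.inf))
# Assumed preset tolerance threshold list: how many access behaviors of a
# category may occur in a window before the cluster is treated as attack behavior.
TOLERANCE = {"baseline": math.inf, "suspicious": 3, "high_risk": 0}

# Constructed candidate feature information, one vector per terminal, in
# arrival order (the earliest ones satisfy the preset initial time condition).
CANDIDATES = {
    "meter-001": (2.0, 0.00, 0.00),
    "meter-002": (3.0, 0.67, 0.67),
    "meter-003": (2.5, 0.00, 0.00),
    "meter-004": (40.0, 0.90, 0.80),
    "meter-005": (2.2, 0.10, 0.00),
    "meter-006": (38.0, 0.95, 0.90),
}


def weighted_distance(x, c, weights):
    """Weighted Euclidean distance between an object x and a centre c."""
    return math.sqrt(sum(w * (xi - ci) ** 2 for xi, ci, w in zip(x, c, weights)))


def kmeans(vectors, k, weights, tol=1e-9, max_iter=100):
    """Second determination unit: initialise k centres from the earliest k
    candidates, assign every object to its nearest centre, update the centres
    and repeat until the largest centre shift is below tol (the centre
    stability condition).  Returns (final centres, cluster index per object)."""
    centers = [tuple(v) for v in vectors[:k]]
    for _ in range(max_iter):
        assign = [min(range(k), key=lambda i: weighted_distance(v, centers[i], weights)) for v in vectors]
        new_centers = []
        for i in range(k):
            members = [v for v, a in zip(vectors, assign) if a == i]
            # an emptied cluster keeps its previous centre
            new_centers.append(tuple(sum(col) / len(members) for col in zip(*members)) if members else centers[i])
        shift = max(weighted_distance(c, n, weights) for c, n in zip(centers, new_centers))
        centers = new_centers
        if shift < tol:
            break
    assign = [min(range(k), key=lambda i: weighted_distance(v, centers[i], weights)) for v in vectors]
    return centers, assign


def category_of(center):
    """Fourth determination unit: category from the cluster's risk feature value."""
    score = math.sqrt(sum(w * x * x for x, w in zip(center, WEIGHTS)))
    for name, upper in CATEGORY_BANDS:
        if score < upper:
            return name
    return CATEGORY_BANDS[-1][0]


def identify_attacks(candidates, k=2):
    """Third to fifth units: count behaviors per cluster, categorise each cluster
    and flag those whose count exceeds the category's tolerance.  Returns
    {terminal: (category, is_attack)}."""
    names, vectors = list(candidates), list(candidates.values())
    centers, assign = kmeans(vectors, k, WEIGHTS)
    counts = [assign.count(i) for i in range(k)]  # network access behavior count information
    categories = [category_of(c) for c in centers]
    flagged = {i for i in range(k) if counts[i] > TOLERANCE[categories[i]]}
    return {n: (categories[a], a in flagged) for n, a in zip(names, assign)}


if __name__ == "__main__":
    for terminal, (category, attack) in identify_attacks(CANDIDATES).items():
        print(terminal, category, "ATTACK" if attack else "ok")
```

The weight set matters more than it looks: with the flow-count dimension weighted at 0.2, two high-rate terminals with many failed connections to unexpected ports form their own cluster and are flagged, while a terminal with a single noisy window (meter-002) stays in the baseline cluster. The tolerance list is what prevents a single anomalous but low-risk cluster from producing an alert, so it should be tuned per category against the false-positive rate observed on the site's own traffic.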
Optionally, the device further includes:
An information archiving module, configured to, after the attack characteristic behavior in the multi-threaded consumption message queue has been identified according to each of the risk feature values and the preset weight set, block the attack characteristic behavior and archive the risk handling information of the attack characteristic behavior.
Optionally, the device further includes:
An authentication module, configured to, upon receiving an access request from a device to be connected, decrypt the access request with a preset private key to obtain decrypted authentication information, and perform access authentication of the device to be connected on the basis of the decrypted authentication information.
The device for identifying network risk behavior of power IoT terminals provided in this embodiment of the present invention can execute the method for identifying network risk behavior of power IoT terminals provided in any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to the executed method.
Embodiment 4
FIG. 4 shows a schematic structural diagram of an electronic device 40 that can be used to implement embodiments of the present invention. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (such as helmets, glasses and watches) and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely examples and are not intended to limit the implementations of the invention described and/or claimed herein.
As shown in FIG. 4, the electronic device 40 includes at least one processor 41 and a memory communicatively connected to the at least one processor 41, such as a read-only memory (ROM) 42 and a random access memory (RAM) 43, where the memory stores a computer program executable by the at least one processor; the processor 41 can perform various appropriate actions and processing according to the computer program stored in the ROM 42 or the computer program loaded from the storage unit 48 into the RAM 43. The RAM 43 may also store various programs and data required for the operation of the electronic device 40. The processor 41, the ROM 42 and the RAM 43 are connected to each other through a bus 44. An input/output (I/O) interface 45 is also connected to the bus 44.
A number of components in the electronic device 40 are connected to the I/O interface 45, including: an input unit 46, such as a keyboard or mouse; an output unit 47, such as various types of displays and speakers; a storage unit 48, such as a magnetic disk or optical disc; and a communication unit 49, such as a network card, modem or wireless transceiver. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices through a computer network such as the Internet and/or various telecommunication networks.
The processor 41 may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Examples of the processor 41 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various processors that run machine learning model algorithms, digital signal processors (DSPs), and any appropriate processor, controller, microcontroller and the like. The processor 41 executes the methods and processing described above, such as the method for identifying network risk behavior of power IoT terminals.
In some embodiments, the method for identifying network risk behavior of power IoT terminals may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into the RAM 43 and executed by the processor 41, one or more steps of the method for identifying network risk behavior of power IoT terminals described above may be performed. Alternatively, in other embodiments, the processor 41 may be configured by any other appropriate means (for example, by means of firmware) to execute the method for identifying network risk behavior of power IoT terminals.
The various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuitry, field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor that can receive data and instructions from a storage system, at least one input device and at least one output device, and transmit data and instructions to the storage system, the at least one input device and the at least one output device.
Computer programs for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to the processor of a general-purpose computer, a special-purpose computer or other programmable data processing device, so that when executed by the processor they cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. A computer program may execute entirely on a machine, partly on a machine, partly on a machine and partly on a remote machine as a stand-alone software package, or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain or store a computer program for use by, or in connection with, an instruction execution system, apparatus or device. The computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. Alternatively, the computer-readable storage medium may be a machine-readable signal medium. More specific examples of a machine-readable storage medium include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide interaction with a user, the systems and techniques described herein may be implemented on an electronic device having: a display device (for example, a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and a pointing device (for example, a mouse or trackball) through which the user can provide input to the electronic device. Other kinds of devices may also be used to provide interaction with the user; for example, feedback provided to the user may be any form of sensory feedback (for example, visual, auditory or tactile feedback), and input from the user may be received in any form (including acoustic, voice or tactile input).
The systems and techniques described herein may be implemented in a computing system that includes a back-end component (for example, as a data server), or a computing system that includes a middleware component (for example, an application server), or a computing system that includes a front-end component (for example, a user computer with a graphical user interface or a web browser through which the user can interact with an implementation of the systems and techniques described herein), or a computing system that includes any combination of such back-end, middleware or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (for example, a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), a blockchain network and the Internet.
A computing system may include clients and servers. A client and a server are generally remote from each other and usually interact through a communication network. The client-server relationship arises from computer programs running on the respective computers and having a client-server relationship with each other. The server may be a cloud server, also known as a cloud computing server or cloud host, which is a host product in the cloud computing service system that addresses the difficult management and weak business scalability of traditional physical hosts and VPS services.
It should be understood that the various forms of flows shown above may be used, with steps reordered, added or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially or in a different order, as long as the desired result of the technical solution of the present invention can be achieved, and no limitation is imposed herein.
The specific implementations described above do not limit the protection scope of the present invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations and substitutions may be made according to design requirements and other factors. Any modification, equivalent substitution and improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410559551.5A CN118473730A (en) | 2024-05-08 | 2024-05-08 | Electric power internet of things terminal network risk behavior identification method, equipment and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410559551.5A CN118473730A (en) | 2024-05-08 | 2024-05-08 | Electric power internet of things terminal network risk behavior identification method, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118473730A true CN118473730A (en) | 2024-08-09 |
Family
ID=92155075
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410559551.5A Pending CN118473730A (en) | 2024-05-08 | 2024-05-08 | Electric power internet of things terminal network risk behavior identification method, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118473730A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118900207A (en) * | 2024-09-30 | 2024-11-05 | 国网北京市电力公司 | Power Internet of Things traffic filtering method, device, storage medium and electronic equipment |
CN120338438A (en) * | 2025-06-16 | 2025-07-18 | 国能信控技术股份有限公司 | Robotic team collaborative management method and system for high-risk operations in power plants |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||