
CN-121985009-A - Internet of things-oriented training exercise scene simulation method


Abstract

The invention discloses an Internet of Things-oriented training exercise scene simulation method, relating to the technical field of cyberspace security and Internet of Things system simulation. Events are processed in parallel in partitions keyed by terminal identifier, so that events from the same terminal stay in order while events from different terminals advance in parallel, and downsampling or deferred processing is applied when a queue backlog is triggered. The exercise system can therefore maintain continuity of event processing and instruction processing under a sudden load increase, and the accumulated lag of state synchronization relative to the attack tempo is reduced. High-risk response instructions are scheduled first through the preemption mechanism of the priority queue and an asynchronous issuing channel. When acknowledgment times out, the method branches on the running state of the terminal to choose between retrying and degrading to an alarm, which avoids introducing extra disturbance through repeated actions in a critical state. At the same time, the timeout event is fed back as a new event that takes part in subsequent detection and recording, forming a traceable response closed loop.

Inventors

  • YIN WENJI
  • LIN BING
  • HE QIN

Assignees

  • 上海势炎信息科技有限公司

Dates

Publication Date
20260505
Application Date
20260313

Claims (10)

  1. An Internet of Things-oriented training exercise scene simulation method, characterized by comprising the following steps: Step S1, receiving concurrent event data streams reported by a plurality of terminal simulators; Step S2, performing partitioned parallel processing on the event data stream according to terminal identifier to obtain an event sequence; Step S3, parsing the event sequence and generating a semantic embedding vector sequence; Step S4, inputting the semantic embedding vector sequence into an online anomaly detection model to output an anomaly score; Step S5, determining a dynamic threshold based on the anomaly score, and, when the anomaly score meets an over-threshold condition, constructing a dynamic event relation graph within a sliding time window and performing attack meta-graph pattern matching; Step S6, when the matching succeeds, generating a defense response instruction and issuing it to a target terminal simulator or a defense execution agent according to a priority queue; Step S7, updating the running state of the terminal simulator according to the defense response instruction or an injected event, and feeding the updated state back into the event data stream as a new event to form an exercise closed loop.
  2. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein each event of the concurrent event data stream comprises at least two of: a terminal identifier, a timestamp, an event type, key-value pairs of key fields, and network session metadata.
  3. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein the partitioning according to the terminal identifier comprises: when a queue backlog exceeding a preset threshold is detected, downsampling or deferring low-priority events, the missed events taking part in subsequent detection either by carrying over the state corresponding to the last sliding time window or by being marked as being in a missed-detection state.
  4. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein parsing and generating the semantic embedding vector sequence comprises: generating fixed-dimension embeddings according to a field-to-vector mapping table, and concatenating the embeddings of the same terminal within a window, in time order, into the semantic embedding vector sequence.
  5. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein the online anomaly detection model outputs the anomaly score based on reconstruction error; the dynamic threshold is adaptively determined from the statistical distribution of the anomaly scores of the latest N sliding time windows; and the over-threshold condition is that the anomaly score is greater than or equal to the dynamic threshold in K consecutive sliding time windows, or is greater than or equal to the dynamic threshold in a single window while the terminal criticality level is high.
  6. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein constructing the dynamic event relation graph comprises: taking the events in the window as nodes, taking temporal relations or session association relations as directed edges, and attaching time-interval and event-type labels to the nodes and edges.
  7. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein the attack meta-graph pattern is a directed acyclic graph whose nodes represent attack-stage event types and whose edges represent temporal constraints; the pattern matching comprises synonym-mapping matching of event types and tolerance-interval matching of time intervals, and outputs a matching confidence; and the matching is judged to have failed when the matching confidence is less than a confidence threshold.
  8. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein the defense response instruction comprises at least a target identifier, an action type, action parameters and an effective duration; and a combined priority of at least three tiers is determined from the terminal criticality level, the matching confidence and the scope of impact through segmentation rules, and different sets of action types are triggered according to the tier.
  9. The Internet of Things-oriented training exercise scene simulation method according to claim 1, wherein the priority queue has a preemption mechanism: when a high-tier instruction arrives, low-tier instructions are stopped or deferred; instructions are distributed to the terminal simulator or the defense execution agent over an asynchronous communication channel; and, when acknowledgment times out, retries are performed up to an upper limit on the number of retries or the instruction is degraded to alarm output. The preemption mechanism comprises cancel-type preemption and suspend-resume-type preemption, wherein, when a high-tier instruction arrives, cancel-type or suspend-resume-type preemption is applied to a low-tier instruction that conflicts with it; cancel-type preemption sets the low-tier instruction to a canceled state and terminates its subsequent issuing; suspend-resume-type preemption sets the low-tier instruction to a suspended state and resumes issuing from a rollback point after the high-tier instruction completes. The handling of an acknowledgment timeout is bound to the running state of the target terminal simulator: when the target terminal simulator is in a critical state, an action-type instruction whose acknowledgment times out is not retried and is degraded to alarm output; when the target terminal simulator is in a non-critical state, the action-type instruction is retried within the upper limit on the number of retries and is degraded to alarm output once that limit is exceeded; wherein an action-type instruction is an instruction whose action type triggers a terminal state change or the execution of a defense action, and the instruction corresponding to alarm output is an alarm-type instruction.
  10. The Internet of Things-oriented training exercise scene simulation method according to claim 1, characterized in that a sample pool records at least window events, anomaly scores, matching confidences, executed actions and results; when the sample pool meets a sample-size threshold and is in a non-alarm-suppression state, periodic parameter updates are performed on the semantic embedding generation model or the online anomaly detection model, and the model rolls back to the previous version's parameters when an update fails; wherein the semantic embedding generation model is the model that performs the semantic embedding mapping in step S3.
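The over-threshold test of claim 5 can be sketched as follows. This is an added example, not code from the patent. The class and parameter names, the "mean plus z standard deviations" statistic, the margin floor, the warm-up length, the choice to keep over-threshold windows out of the baseline, and the sample scores are all assumptions; the patent only says the threshold adapts to the score distribution of the latest N windows.

```python
from collections import deque
from statistics import mean, pstdev

class OverThresholdDetector:
    """Per-terminal over-threshold test (one instance per terminal partition)."""

    def __init__(self, n=20, k=3, z=3.0, min_margin=0.05, warmup=5):
        self.scores = deque(maxlen=n)   # anomaly scores of the latest N windows
        self.k = k                      # consecutive windows required (K)
        self.z = z                      # assumed statistic: mean + z * std
        self.min_margin = min_margin    # floor so a flat baseline cannot give thr == mean
        self.warmup = warmup            # windows needed before any decision
        self.run = 0                    # current streak of windows >= threshold

    def threshold(self):
        if len(self.scores) < self.warmup:
            return None
        spread = max(self.z * pstdev(self.scores), self.min_margin)
        return mean(self.scores) + spread

    def update(self, score, criticality_high=False):
        """Feed one window's score; return True when graph matching should run."""
        thr = self.threshold()
        hit = thr is not None and score >= thr
        self.run = self.run + 1 if hit else 0
        if not hit:
            # Design choice (assumption): windows at or above the threshold stay
            # out of the baseline, so a sustained attack cannot raise its own bar.
            self.scores.append(score)
        return hit and (criticality_high or self.run >= self.k)

# Constructed scores: five quiet windows used as the warm-up baseline.
BASELINE = [0.10, 0.12, 0.11, 0.09, 0.10]

def replay(scores, criticality_high=False):
    det = OverThresholdDetector()
    return [det.update(s, criticality_high) for s in scores]
```

Feeding anomalous windows back into the baseline would let a slow, sustained attack lift the threshold it is measured against, which is why they are excluded here.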

Description

Internet of things-oriented training exercise scene simulation method

Technical Field

The invention relates to the technical field of cyberspace security and Internet of Things system simulation, and in particular to an Internet of Things-oriented training exercise scene simulation method.

Background

As the number of Internet of Things terminals grows and attack techniques evolve, security training and adversarial exercises covering large numbers of terminals must simultaneously meet requirements such as high-concurrency configuration, anomaly detection and real-time response evaluation. In the prior art, a cyber range or training range generally builds a controlled environment by virtualization or simulation, providing securely isolated and repeatable scenarios for exercises. Existing approaches include mirror modeling of terminal groups and network behavior with digital twin or high-fidelity models, together with attack injection; introducing immersive visual interaction such as XR (extended reality) to assist topology understanding and operation; and executing malicious code in a sandbox to observe sample behavior and generate analysis results. Sandboxed execution can run untrusted code and observe its behavior in an isolated environment, but may still be limited with respect to adversarial evasion and large-scale resource consumption.
However, when an exercise targets massive numbers of terminals and requires low-latency response, existing schemes still have the following shortcomings. First, under large-scale concurrent event injection or frequent state changes, if the platform uses a centralized orchestration and state synchronization mechanism, state updates tend to lag because of synchronization and scheduling overhead, which affects the time consistency and operational effectiveness of the exercise. Second, in sustained adversarial and unknown-attack scenarios, if the detection and response chain relies mainly on static signatures or rules, or on fixed response scripts, coverage of novel or zero-day attacks is limited and false alarms may increase, which affects the exercise closed loop and the accuracy of evaluation.

Disclosure of Invention

The present invention has been made in view of the above problems in the prior art. The invention provides an Internet of Things-oriented training exercise scene simulation method that addresses two problems: existing Internet of Things (IoT) exercises tend to lag under massive concurrency, and static detection has difficulty covering unknown slow attacks.
To solve the above technical problems, the invention provides the following technical solution. An embodiment of the invention provides an Internet of Things-oriented training exercise scene simulation method comprising the following steps:

Step S1, receiving concurrent event data streams reported by a plurality of terminal simulators;
Step S2, performing partitioned parallel processing on the event data stream according to terminal identifier to obtain an event sequence;
Step S3, parsing the event sequence and generating a semantic embedding vector sequence;
Step S4, inputting the semantic embedding vector sequence into an online anomaly detection model to output an anomaly score;
Step S5, determining a dynamic threshold based on the anomaly score, and, when the anomaly score meets an over-threshold condition, constructing a dynamic event relation graph within a sliding time window and performing attack meta-graph pattern matching;
Step S6, when the matching succeeds, generating a defense response instruction and issuing it to a target terminal simulator or a defense execution agent according to a priority queue;
Step S7, updating the running state of the terminal simulator according to the defense response instruction or an injected event, and feeding the updated state back into the event data stream as a new event to form an exercise closed loop.

As a preferred scheme of the Internet of Things-oriented training exercise scene simulation method, each event of the concurrent event data stream comprises at least two of: a terminal identifier, a timestamp, an event type, key-value pairs of key fields, and network session metadata.
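The issuing side of steps S6 and S7, with the preemption and timeout rules that claim 9 spells out, can be modelled as below. This is an added example, not code from the patent. The names, the "same target means conflict" rule, the retry limit of 2, the feedback event fields, and resuming every suspended instruction for a target when any instruction on it completes are all assumptions.

```python
from dataclasses import dataclass

MAX_RETRIES = 2  # assumed upper limit on retries

@dataclass
class Instruction:
    target: str               # terminal simulator or defense agent identifier
    kind: str                 # "action" changes terminal state; "alarm" only reports
    level: int                # 0 is the highest priority level
    status: str = "pending"   # pending | suspended | canceled | done | degraded
    retries: int = 0

def preempt(queue, incoming, mode):
    """Cancel or suspend pending lower-priority instructions that conflict
    with `incoming` (assumed conflict rule: same target), then enqueue it."""
    for ins in queue:
        if (ins.status == "pending" and ins.target == incoming.target
                and ins.level > incoming.level):
            ins.status = "canceled" if mode == "cancel" else "suspended"
    queue.append(incoming)

def complete(queue, finished):
    """Mark an instruction done and resume instructions suspended for its target."""
    finished.status = "done"
    for ins in queue:
        if ins.status == "suspended" and ins.target == finished.target:
            ins.status = "pending"   # issuing resumes from the rollback point

def on_timeout(ins, terminal_critical):
    """Handle a missing acknowledgment; return (decision, feedback_event)."""
    if (ins.kind == "action" and not terminal_critical
            and ins.retries < MAX_RETRIES):
        ins.retries += 1
        decision = "retry"
    else:
        # Critical terminal or retries exhausted: never repeat the action,
        # degrade to an alarm-type instruction instead.
        ins.kind, ins.status = "alarm", "degraded"
        decision = "alarm"
    # The timeout re-enters the event stream so detection and audit see it.
    event = {"terminal_id": ins.target, "event_type": "ack_timeout",
             "decision": decision, "retries": ins.retries}
    return decision, event
```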
As a preferred scheme of the Internet of Things-oriented training exercise scene simulation method, the method comprises: when a queue backlog exceeding a preset threshold is detected, downsampling or deferring low-priority events, the missed events taking part in subsequent detection either by carrying over the state corresponding to the last sliding time window or by being marked as being in a missed-detection state. The invention discloses a preferable scheme of a training scene simulation method oriented to the Intern