CN-122001642-A - Intelligent linkage method for user security equipment based on Internet of things
Abstract
The invention belongs to the technical field of the Internet of things, and particularly relates to an intelligent linkage method of user security equipment based on the Internet of things. The method comprises the steps of dynamically generating high-simulation virtual equipment at a home fog node to trap an attacker, capturing the attacker's interaction behaviors and generating a standardized log, identifying attack intention through a pre-trained multi-layer perceptron model, isolating the real equipment and broadcasting attack characteristics to a community security network when the confidence level exceeds a threshold value, constructing an isolation sandbox in cooperation with neighbor nodes, and redirecting the attack traffic and injecting false information to consume the attacker's resources. According to the technical scheme, active trapping, intelligent identification and group collaborative reaction are realized, the early warning and defending capability of the home Internet of things against zero-day attacks is remarkably improved, and high-value threat information is generated.
Inventors
- CAI ZHIPENG
- ZHAO HAOKE
- Xu Tengxiao
- YANG HUIYONG
- Pu Dongfang
- DU SONGFENG
Assignees
- 洛阳新奥华油燃气有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260129
Claims (10)
- 1. The intelligent linkage method of the user security equipment based on the Internet of things is characterized by comprising the following steps of: dynamically generating high-simulation virtual equipment on a fog computing node of a home network, wherein the high-simulation virtual equipment is constructed in real time based on the current network topology structure, the deployed real equipment types and a public vulnerability database, comprises false service ports and simulated vulnerability characteristics, and is registered in a local service discovery protocol; capturing and recording interaction behaviors between an attacker and the high-simulation virtual equipment, completely recording the communication protocol, payload content, time stamp, source address and session sequence, and packaging them into a standardized behavior log; inputting the standardized behavior log into a pre-trained multi-layer perceptron classifier, wherein the multi-layer perceptron classifier is obtained by training on historical attack samples and is used for judging whether the current interaction constitutes malicious attack behavior and outputting a confidence score; when the confidence score is larger than a preset threshold value, automatically isolating the threatened real equipment and broadcasting an attack characteristic abstract to a community security collaboration network; after receiving a response instruction from the community security collaboration network, redirecting the subsequent traffic of the attack source to an isolated sandbox network constructed by at least 3 neighbor nodes, simulating real equipment responses in the isolated sandbox, and simultaneously injecting false geographic position information and invalid credentials.
- 2. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, wherein the generation strategy of the high-simulation virtual equipment is dynamically adjusted according to real-time threat information, the real-time threat information comprises the latest home Internet of things equipment vulnerability list acquired from a national information security vulnerability sharing platform, and a local equipment fingerprint library is combined so that the service types, response delays and version identifications of the high-simulation virtual equipment are kept highly consistent with those of real equipment.
- 3. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, wherein the collection of the standardized behavior log adopts full protocol stack mirroring, covering the complete interaction process from the transport layer to the application layer, the log format conforms to a unified security event log standard, and the log format comprises an event unique identifier, a high-simulation virtual equipment instance identifier, a source address, a target address, a protocol type, a timestamp, the number of data packets, the number of uplink and downlink bytes and the raw payload encoding.
- 4. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, wherein the input feature vector of the multi-layer perceptron classifier comprises request frequency, protocol anomaly, payload entropy, session duration, port scanning mode and the matching result of known attack tool feature codes, the model training adopts a transfer learning method, and the initial weights are derived from attack samples of an enterprise-level honeypot system and then fine-tuned on home scenarios.
- 5. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, wherein the community security collaboration network is composed of a plurality of geographically adjacent home fog nodes, each node verifies the authenticity of an attack characteristic abstract through a lightweight blockchain consensus mechanism, and the number of nodes required for consensus is not less than 2/3 of the total number of nodes.
- 6. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, wherein the isolation sandbox network adopts containerized isolation technology, independent container instances are started on each participating node, a logically closed trapping environment is formed among the containers through virtual private network interconnection, and attack traffic is bandwidth-limited in the sandbox and its response delay is forcibly prolonged.
- 7. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 6, wherein the false information injected into the isolation sandbox network comprises fake global positioning system coordinates, whose longitude and latitude are randomly perturbed by no more than 500 meters from the real position, together with false equipment manufacturer information and firmware version numbers.
- 8. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, further comprising a threat intelligence feedback mechanism, wherein the attackers' tool chain features, command and control server addresses and lateral movement attempt records are continuously collected during operation of the sandbox, and desensitized structured intelligence is uploaded to a regional security operation center for updating the global high-simulation virtual equipment templates and machine learning model parameters.
- 9. The intelligent linkage method of the user security equipment based on the Internet of things according to claim 1, wherein the resource scheduling module of the fog computing node dynamically allocates the number of high-simulation virtual equipment instances according to the idle memory and central processing unit load of the equipment, and automatically reduces non-key virtual service instances when the system load is greater than a preset resource usage threshold value, so that the running performance of the real security equipment is guaranteed first.
- 10. The intelligent linkage method of the user security equipment based on the Internet of things, which is characterized by supporting multi-level linkage response: besides the community-level sandbox, it can initiate a linkage request to an upper-level community gateway or a city-level security platform, and implement IP address blocking, traffic cleaning or reverse tracing over a wider range, forming a three-level active defense system from home to community to city.
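As an added example (not the patent's own code or trained model), the following Python sketches the pipeline of claims 3 to 5: constructed claim-3 style log records are turned into the claim-4 feature vector, scored by a hand-weighted logistic stand-in for the pre-trained multi-layer perceptron, gated by the preset threshold, and handed to the community sandbox only when at least 2/3 of the nodes have acknowledged. Field names, addresses, the tool signature, the weights and the threshold are assumptions.

```python
import math
from collections import Counter
# Constructed claim-3 style standardized behaviour log (one attacker session against one decoy
# device). Field names, addresses, the tool signature, weights and threshold are assumptions.
def rec(i, port, ts, pkts, up, down, payload=b""):
    return {"event_id": f"evt-{i}", "decoy_id": "vcam-01", "src": "203.0.113.7",
            "dst": "192.168.1.40", "port": port, "proto": "tcp", "ts": ts,
            "pkts": pkts, "up": up, "down": down, "payload": payload}

LOG = [rec(1, 23, 1000.0, 2, 60, 0), rec(2, 80, 1000.4, 2, 60, 0),
       rec(3, 8080, 1000.9, 3, 90, 0, b"\x16\x03\x01\x00\x05"),  # TLS record on a plaintext port
       rec(4, 80, 1002.0, 6, 410, 1200,
           b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: DemoScanner/1.0\r\n\r\n")]
HTTP_PORTS = {80, 8080}
TOOL_SIGNATURES = [b"DemoScanner/"]  # constructed "known attack tool feature code" list
THRESHOLD = 0.8                       # preset confidence threshold (assumed value)

def shannon_entropy(data: bytes) -> float:
    """Payload entropy in bits per byte (0 for an empty payload)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_features(log):
    """Claim-4 input vector computed from the standardized log of one source address."""
    duration = log[-1]["ts"] - log[0]["ts"]
    payload = b"".join(e["payload"] for e in log)
    anomalies = sum(1 for e in log if e["port"] in HTTP_PORTS and e["payload"]
                    and not e["payload"].startswith((b"GET ", b"POST ", b"HEAD ")))
    return {"request_rate": len(log) / max(duration, 1.0),  # events per second (1 s floor)
            "proto_anomaly": anomalies / len(log),           # share of protocol-inconsistent events
            "load_entropy": shannon_entropy(payload),
            "session_duration": duration,
            "port_scan": 1.0 if len({e["port"] for e in log}) >= 3 else 0.0,
            "tool_match": 1.0 if any(s in payload for s in TOOL_SIGNATURES) else 0.0}

def confidence(f):
    # Stand-in for the pre-trained MLP (not on the page): a single logistic unit with hand-set
    # weights, only to show the threshold gating; a deployment would load the trained model.
    z = (0.5 * f["request_rate"] + 3.0 * f["proto_anomaly"] + 0.3 * f["load_entropy"]
         + 1.5 * f["port_scan"] + 4.0 * f["tool_match"] - 5.0)
    return 1.0 / (1.0 + math.exp(-z))

def decide(log, acks=0, nodes=1):
    """Isolate on confidence > threshold; the community sandbox needs >= 2/3 node acks (claim 5)."""
    c = confidence(extract_features(log))
    isolate = c > THRESHOLD
    return {"confidence": c, "isolate": isolate, "sandbox": isolate and 3 * acks >= 2 * nodes}
```

A benign single request on port 80 scores well below the threshold, so the real device stays untouched and no abstract is broadcast.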
Description
Intelligent linkage method for user security equipment based on Internet of things
Technical Field
The invention belongs to the technical field of the Internet of things, and particularly relates to an intelligent linkage method of user security equipment based on the Internet of things.
Background
With the wide application of Internet of things technology, smart home and home security systems are gradually evolving towards high interconnection and automation. A large number of intelligent terminal devices, such as cameras, door locks and sensors, are deployed in a modern home network; while they improve the convenience of life, these devices also expose a huge attack surface. Traditional security systems mainly rely on static defense mechanisms such as firewalls and intrusion detection, can only identify and alarm after an attack has occurred, lack active trapping and deep perception capability for attack behaviors, and have difficulty dealing with increasingly intelligent and automated network threats. Active security policies based on deception defense are becoming a research hotspot. Under such a strategy, confusing false targets are deployed in the network and the attacker is induced to expose their behavioral characteristics, so that early warning and attack tracing are realized. Existing schemes are concentrated in enterprise-level network environments, have complex architectures and high resource consumption, and are difficult to adapt to home fog nodes with limited computing and storage capacity. Current honeypot technology generally adopts static configuration and cannot dynamically generate targeted virtual equipment according to the real-time threat situation, so the deception effect is limited.
Even if the attack behavior is successfully captured, most systems only execute local isolation, lack cross-equipment and cross-network collaborative countering capability, and cannot effectively consume attacker resources or generate high-value threat information. Therefore, what is needed is an intelligent linkage method for user security equipment based on the Internet of things, which can dynamically construct high-simulation virtual equipment in a home fog computing environment, realize accurate recognition of attack intention by combining behavior analysis and machine learning, and cooperatively complete traffic diversion, sandbox isolation and reverse interference through community-level security nodes, so as to construct a new-generation home network security system with active defense, intelligent response and group cooperation capability.
Disclosure of Invention
The invention provides an intelligent linkage method of user security equipment based on the Internet of things, which can effectively solve the problems in the background art.
An intelligent linkage method of user security equipment based on the Internet of things comprises the following specific steps:
- Dynamically generating high-simulation virtual equipment on a fog computing node of a home network, namely constructing in real time a high-simulation virtual equipment instance containing false service ports and simulated vulnerability characteristics, based on the current network topology structure, the deployed real equipment types and a public vulnerability database, and registering the instance in a local service discovery protocol to induce potential attackers to interact with it;
- Capturing and recording interaction behaviors between an attacker and the virtual equipment, namely when external network traffic attempts to connect to the high-simulation virtual equipment, the system completely records the communication protocol, payload content, time stamp, source address and session sequence, and packages the interaction data into a standardized behavior log;
- Inputting the standardized behavior log into a pre-trained multi-layer perceptron classifier, which is obtained by training on historical attack samples and is used for judging whether the current interaction constitutes malicious attack behavior and outputting a confidence score;
- Triggering a cross-node cooperative countering mechanism, wherein when the confidence score is larger than a preset threshold value the system automatically isolates the threatened real equipment and broadcasts an attack characteristic abstract to the community security cooperative network;
- Executing traffic diversion and sandbox countering, namely after receiving a response instruction from the cooperative network, redirecting the subsequent traffic of the attack source to an isolated sandbox network jointly constructed by at least 3 neighbor nodes, simulating real equipment responses in the isolated sandbox, and simultaneously injecting false geographic position information and invalid credentials to consume attacker co