
CN-122027357-A - Network security risk dynamic assessment and early warning method applying Internet of things equipment


Abstract

The invention discloses a network security risk dynamic assessment and early warning method applying Internet of things equipment, relates to the technical field of Internet of things equipment security, and aims to solve the problem that blind areas exist in the monitoring of hidden malicious processes in Internet of things equipment. It does so by comprehensively assessing the offset and the coupling factor with a weight assessment model, identifying hidden malicious processes that run only locally, constructing a time prediction model with a long short-term memory network, dynamically adjusting the weight coefficients according to consistency comparison results, constructing a joint monitoring record by means of timestamp alignment, and constructing a reference database containing multiple working modes.

Inventors

  • AN DERONG
  • JIANG HONGLIANG
  • ZHOU DONGXU
  • LI ZHENG

Assignees

  • 山东舜云信息科技有限公司

Dates

Publication Date
20260512
Application Date
20260410

Claims (9)

  1. The network security risk dynamic assessment and early warning method using the Internet of things equipment is characterized in that: acquiring an operation record of the Internet of things equipment, and performing feature extraction on power data in the operation process of the Internet of things equipment to obtain an energy consumption feature vector of the transient operation state of the Internet of things equipment; extracting communication flow data of the target Internet of things equipment in a corresponding sampling period, extracting communication flow data characteristics, constructing a flow characteristic vector of external communication behavior of the Internet of things equipment, performing clock alignment on the energy consumption characteristic vector and the flow characteristic vector through a unified time stamp, and establishing a joint monitoring record; acquiring operation data of the Internet of things equipment in at least two working modes, calculating characteristic values of energy consumption data and flow data in each working mode in a safe environment, and constructing a working mode reference database; establishing an energy consumption flow coupling factor through a proportional relation between the offset of the energy consumption characteristic vector deviating from the reference value and the actual communication load change in the flow characteristic vector; matching the currently acquired energy consumption feature vector in the working mode reference database, calculating the offset of the real-time energy consumption feature from the corresponding working mode reference value, evaluating the offset and the energy consumption flow coupling factor through a weight evaluation model, identifying a hidden malicious process which only runs locally on the Internet of things equipment and does not generate outgoing flow, and feeding back the moment of finding the hidden malicious process; obtaining records confirming the existence of hidden malicious processes, training a time prediction model for finding the hidden malicious processes from the fed-back time sequence of finding moments, comparing the prediction result of the time prediction model with the real-time evaluation result of the weight evaluation model, and if the manual confirmation result is inconsistent with the weight evaluation model, generating an error signal to trigger weight updating logic based on gradient descent.
  2. The method for dynamically evaluating and early warning network security risk by using Internet of things equipment according to claim 1, wherein the method for obtaining the energy consumption characteristic vector of the transient operation state of the Internet of things equipment comprises the following steps: setting a fixed sampling frequency and collecting power data from a power supply loop of the Internet of things equipment, wherein the power data comprises power data and voltage data; acquiring operation records of the Internet of things equipment, recording the data change characteristics of the power data when an internal processor of the Internet of things equipment executes an instruction, and splicing the data change characteristics to obtain the energy consumption characteristic vector.
  3. The method for dynamically evaluating and early warning network security risk by using Internet of things equipment according to claim 1, wherein the method for extracting communication traffic data features and constructing a joint monitoring record comprises the following steps: counting state transition probabilities among data packets transmitted by the Internet of things equipment in a unit period, constructing a transition probability matrix, calculating the maximum eigenvalue of the transition probability matrix, and extracting the corresponding normalized eigenvector as the flow characteristic vector; and aligning the energy consumption characteristic vector and the flow characteristic vector on a time axis according to their acquisition times, so as to obtain a joint monitoring record.
  4. The method for dynamically evaluating and early warning network security risk by using Internet of things equipment according to claim 1, wherein the method for constructing the working mode reference database comprises the following steps: the working modes comprise a deep sleep mode, a stable operation mode, a burst uplink mode and a high load processing mode; the joint monitoring records of all the working modes are collected and grouped by working mode to obtain the working mode reference database.
  5. The method for dynamically evaluating and early warning network security risk by using Internet of things equipment according to claim 4, wherein the method for judging the working mode comprises the following steps: the Internet of things equipment is judged to be in the deep sleep mode when its average power consumption value in a unit period is smaller than a preset low power consumption threshold value; in the stable operation mode when it shows periodic current pulses and the pulse width is within a preset width range; in the burst uplink mode when the current amplitude is larger than the current amplitude threshold value and the increasing rate of the data packet transmission quantity is larger than the increasing rate threshold value; and in the high load processing mode when its average power consumption value in the unit period is larger than a preset high power consumption threshold value.
  6. The method for dynamically evaluating and pre-warning network security risk by using Internet of things equipment according to claim 1, wherein the method for establishing the energy consumption flow coupling factor comprises the following steps: calculating the flow change quantity between the total communication load byte number in the sampling period and a reference flow load value, wherein the energy consumption expected value represents the modulus of the average value of the energy consumption characteristic vectors in the working mode, and the reference flow load value represents the average value of the communication load byte number in the working mode; and carrying out deviation standardization on the energy consumption offset and the flow variation respectively, taking their ratio as the energy consumption flow coupling factor once the dimensional characteristics have been eliminated, with a division-by-zero protection constant included in the denominator when the ratio is calculated.
  7. The method for dynamically evaluating and pre-warning network security risks by using Internet of things equipment according to claim 1, wherein the method for identifying hidden malicious processes comprises the following steps: inputting the currently acquired energy consumption characteristic vector into the working mode reference database and matching to obtain the current working mode; obtaining a normalized value E of the current energy consumption offset and a normalized value C of the energy consumption flow coupling factor, and carrying out weighted summation on E and C through a first weight coefficient and a second weight coefficient respectively to obtain a risk assessment coefficient; and comparing the risk assessment coefficient with a risk threshold, and triggering a hidden malicious process alarm when the risk assessment coefficient exceeds the risk threshold.
  8. The method for dynamically evaluating and pre-warning cyber-security risks by using the Internet of things device according to claim 1, wherein the method for adjusting the weight coefficients in the weight evaluation model comprises the following steps: taking the joint monitoring records within a preset history duration as an input sequence, and adopting a long short-term memory network structure to construct a time prediction model for finding hidden malicious processes, which learns the periodic rule and task scheduling mode of equipment operation; introducing an attention mechanism in the weight adjustment process to automatically identify the time point data that are decisive for the predicted future state, calculating an association score of each data point in the history time sequence with the current time state, and distributing the attention weights through a normalized exponential function; and, if the real-time evaluation result shows abnormal fluctuation outside a normal high energy consumption window marked by the attention mechanism, updating the weights with an adaptive adjustment strategy based on gradient descent.
  9. The method for dynamically evaluating and pre-warning cyber-security risks using Internet of things equipment according to claim 8, wherein the method for executing the gradient descent-based adaptive adjustment strategy comprises the following steps: taking the sum of squares of the difference between a predicted finding moment and an actual identifying moment as a loss function, calculating partial derivatives of the loss function with respect to the first weight coefficient and the second weight coefficient through a back propagation algorithm, and iteratively updating the first weight coefficient and the second weight coefficient according to a preset learning step length.
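
The coupling factor of claim 6 and the risk assessment coefficient of claim 7, worked through as an added example (not code from the patent). The reference values, spans, weights, threshold, protection constant and the squashing of the ratio into [0, 1) are all assumptions, and the monitoring records are constructed; scaling each deviation by a per-mode span stands in for the deviation standardization step.

```python
import math

EPS = 0.05  # denominator protection constant, in normalised units (assumed value)

# Constructed reference entries for two of the four working modes.
# e_ref: expected modulus of the energy vector; b_ref: mean payload bytes;
# e_span / b_span: assumed normal ranges used to scale each deviation into [0, 1].
REFERENCE = {
    "deep_sleep":   {"e_ref": 0.8,  "e_span": 0.4,  "b_ref": 0.0,    "b_span": 64.0},
    "burst_uplink": {"e_ref": 42.0, "e_span": 10.0, "b_ref": 4096.0, "b_span": 2048.0},
}

def coupling(energy_vec, payload_bytes, mode):
    """Return (E, C): normalised energy offset and normalised coupling factor."""
    ref = REFERENCE[mode]
    modulus = math.sqrt(sum(x * x for x in energy_vec))
    e_off = min(abs(modulus - ref["e_ref"]) / ref["e_span"], 1.0)
    t_chg = min(abs(payload_bytes - ref["b_ref"]) / ref["b_span"], 1.0)
    ratio = e_off / (t_chg + EPS)        # energy drift per unit of traffic change
    return e_off, ratio / (1.0 + ratio)  # assumed squash of the ratio into [0, 1)

def assess(energy_vec, payload_bytes, mode, w1=0.3, w2=0.7, threshold=0.6):
    """Weighted sum of E and C compared with the risk threshold."""
    e, c = coupling(energy_vec, payload_bytes, mode)
    score = w1 * e + w2 * c
    return round(score, 3), score > threshold

# Constructed joint monitoring records: (label, energy vector, payload bytes, mode).
SAMPLES = [
    ("quiet sleep",        [0.5, 0.5, 0.4], 0,    "deep_sleep"),
    ("legitimate uplink",  [28.2, 37.6],    5500, "burst_uplink"),
    ("local-only process", [2.0, 1.5, 1.0], 0,    "deep_sleep"),
]

def run_samples():
    return {label: assess(vec, nbytes, mode) for label, vec, nbytes, mode in SAMPLES}

if __name__ == "__main__":
    for label, (score, alarm) in run_samples().items():
        print(f"{label:20s} score={score:.3f} alarm={alarm}")
```

Energy that rises together with traffic keeps the ratio low, while the same rise with flat traffic drives C toward 1, which is the local-only case the claims target. The protection constant also sets how strongly a small energy drift with zero traffic change is scored, so it needs tuning per device.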

Description

Network security risk dynamic assessment and early warning method applying Internet of things equipment

Technical Field

The invention relates to the technical field of Internet of things equipment security, and in particular to a method for dynamic assessment and early warning of network security risk for Internet of things equipment.

Background

Dynamic assessment and early warning of network security risk for Internet of things equipment is a key means of monitoring terminal state in real time and preventing malicious attacks. Because a large number of Internet of things devices adopt a low-power design, their communication behavior is markedly discontinuous and has high delay, so existing monitoring means have obvious security blind areas when a device is in a dormant or semi-dormant state. At the same time, Internet of things terminals lack computing power, which makes it difficult to deploy complex protection software on the equipment; as a result the risk perception dimension is single, the recognition precision is insufficient, and real-time, accurate early warning of a hidden malicious process cannot be realized. Therefore, a network security risk dynamic assessment and early warning method applying Internet of things equipment is needed.

Disclosure of Invention

The invention aims to provide a network security risk dynamic assessment and early warning method applying Internet of things equipment, so as to solve the problems in the prior art.
To achieve this purpose, the invention provides the following technical scheme: a method for dynamically evaluating and early warning network security risk by using Internet of things equipment, comprising the following specific steps.

Step 1: acquire an operation record of the Internet of things equipment, that is, perform feature extraction on the power data in the operation process of the Internet of things equipment to obtain an energy consumption feature vector of the transient operation state of the equipment. Power data, comprising current data and voltage data, are collected from a power supply loop of the Internet of things equipment at a preset sampling frequency. An operation record of the equipment is acquired, the data change characteristics of the power data when the internal processor of the equipment executes instructions are recorded, and the data change characteristics are spliced to obtain the energy consumption characteristic vector.

Step 2: extract communication flow data of the target Internet of things equipment in the corresponding sampling period, that is, extract communication flow data characteristics, construct a flow characteristic vector of the external communication behavior of the equipment, perform clock alignment on the energy consumption characteristic vector and the flow characteristic vector through a uniform time stamp, and establish a joint monitoring record. A transition probability matrix is constructed by counting the state transition probabilities among data packets transmitted by the Internet of things equipment in a unit period, and eigenvalues of the transition probability matrix are extracted as flow eigenvectors.
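
The flow characteristic vector of step 2, as an added example (not code from the patent). For a row-stochastic transition matrix the largest eigenvalue is always 1, so the example assumes the feature is the matching left eigenvector (the stationary distribution); the packet-state encoding and the sample window are constructed.

```python
from collections import Counter

def transition_matrix(states, n):
    """Row-stochastic matrix of transition probabilities between n packet states."""
    counts = Counter(zip(states, states[1:]))
    matrix = []
    for i in range(n):
        total = sum(counts[(i, j)] for j in range(n))
        # A state with no outgoing transition in the window gets a uniform row,
        # so every row still sums to 1.
        matrix.append([counts[(i, j)] / total if total else 1.0 / n
                       for j in range(n)])
    return matrix

def flow_feature(matrix, iters=1000, tol=1e-12):
    """Left eigenvector for eigenvalue 1, normalised to sum to 1."""
    n = len(matrix)
    v = [1.0 / n] * n
    for _ in range(iters):
        step = [sum(v[i] * matrix[i][j] for i in range(n)) for j in range(n)]
        # Averaging with the previous vector keeps the same fixed point but
        # converges even when the packet pattern is strictly periodic.
        nxt = [0.5 * a + 0.5 * b for a, b in zip(v, step)]
        if max(abs(a - b) for a, b in zip(nxt, v)) < tol:
            return nxt
        v = nxt
    return v

# Constructed packet-state sequence for one unit period.
# Assumed states: 0 = keepalive, 1 = telemetry report, 2 = bulk upload.
WINDOW = [0, 0, 1, 0, 0, 1, 0, 0, 2, 0, 0, 1, 0, 0, 1, 0]

def window_feature():
    return flow_feature(transition_matrix(WINDOW, 3))

if __name__ == "__main__":
    print([round(x, 4) for x in window_feature()])
```

The right eigenvector for eigenvalue 1 of such a matrix is the all-ones vector and carries no information about the traffic, which is why the left eigenvector is used here.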
The energy consumption characteristic vector and the flow characteristic vector are aligned on a time axis according to their acquisition times, so as to obtain a joint monitoring record.

Step 3: construct a working mode reference database, that is, acquire operation data of the Internet of things equipment in various working modes. In a safe environment, the characteristic values of the energy consumption data and the flow data in each working mode are calculated. The working modes comprise a deep sleep mode, a steady operation mode, a burst uplink mode and a high load processing mode. The joint monitoring records of all the working modes are collected and grouped by working mode to obtain the working mode reference database.

Step 4: establish an energy consumption flow coupling factor, that is, establish the energy consumption flow coupling factor through a proportional relation between the offset of the energy consumption characteristic vector deviating from the reference value and the actual communication load change in the flow characteristic vector. The method comprises the steps of calculating the energy consumption offset between the modulus of the energy consumption characteristic vector and the energy consumption expected value of the corresponding mode in the working mode reference database, calculating the flow variation between the total communication