Research On IoT Device Identification And Anomaly Detection Techniques

Posted on: 2024-08-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Y Liu
GTID: 1528307301489654
Subject: Cyberspace security law enforcement technology
Abstract/Summary:
With the rapid development of Internet of Things (IoT) technology, the types and number of smart devices connected through the IoT are increasing day by day. The software and hardware ecosystem of IoT devices is extremely varied, which makes it difficult to implement unified defense measures, and an important prerequisite for security detection and defense across a huge population of IoT devices is identifying those devices. For this reason, IoT device identification and anomaly detection have gradually become a research hotspot in network security. This research is of great significance for improving network security management capabilities and protecting the security of the IoT environment. The thesis addresses two aspects: IoT device identification and anomaly detection. Device identification is studied in two scenarios, LAN and WAN; anomaly detection is studied for IoT devices in a LAN environment. The research results obtained are as follows:

In the local area network environment, to address the widespread over-reliance on manually selected features in current IoT device identification methods, this thesis proposes a feature extraction method based on the packet length sequence. The method includes an algorithm based on local entropy for identifying packet headers of non-public protocols. It relies on the automatic feature extraction of the convolutional layers of a one-dimensional convolutional neural network, feeding the packet length sequence directly to the network as the device fingerprint input. This automates feature extraction, overcomes the large time and effort cost of manual feature engineering, and improves the generalization ability of feature extraction. A series of experiments on different data sets also demonstrates that this method improves the recognition accuracy of IoT device identification without manual feature engineering, proving the feasibility, rationality and effectiveness of the proposed algorithm.

In the wide area network environment, network data seen after network address translation contains relatively little IoT device data, so device identification suffers from a data imbalance problem. To address this, a wide area network device identification method based on a gradient boosting tree and the focal loss function is proposed. This method combines the LightGBM gradient boosting tree model with the focal loss function: the LightGBM model handles structured data well, and the focal loss function counters the impact of imbalanced data distribution on recognition. The method overcomes the data imbalance in IoT device traffic after network address translation and improves the identification of IoT devices in home networks from the perspective of network operators. A series of experiments on public data sets shows that, compared with other methods in the same field, the AUC and AUPRC recognition performance indicators of the proposed method have been improved to a certain extent, verifying the effectiveness of the algorithm.

To address the high acquisition cost and scarcity of labeled abnormal data samples for IoT device anomaly detection in a local area network environment, an IoT traffic anomaly detection method based on semi-supervised learning and deep autoencoders is proposed. This method applies a semi-supervised learning architecture to anomaly detection for LAN IoT devices, uses public malware samples to collect malicious traffic, and trains the model with deep semi-supervised learning. It overcomes, to a certain extent, the scarcity of labeled abnormal samples in IoT traffic anomaly detection, and still obtains good detection results when using only a small number of labeled samples. The deep autoencoders represent traffic characteristics better and help the semi-supervised learning method distinguish the traffic characteristics of different IoT devices. Experiments on a real IoT traffic data set show that when only 4% of labeled data samples are used, the overall anomaly detection performance index AUC of this method is improved compared to other methods in the same field, proving the effectiveness of this method.
Keywords/Search Tags:Internet of Things, Device Identification, Anomaly Detection, Cybersecurity
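
The abstract's WAN method pairs a gradient boosting tree with the focal loss to cope with class imbalance. The following is an added illustration, not code from the dissertation: the standard binary focal loss written as a per-sample gradient and Hessian over raw scores, which is what a boosting library asks of a custom objective. The alpha and gamma values, the function names and the sample batch are assumptions chosen for illustration.

```python
import math

def _pt(z, y):
    """Probability assigned to the true class, clamped so log() stays finite."""
    p = 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))
    return min(max(p if y == 1 else 1.0 - p, 1e-12), 1.0 - 1e-12)

def focal_loss(z, y, alpha=0.25, gamma=2.0):
    """FL = -alpha_t * (1 - p_t)^gamma * log(p_t) for raw score z and label y."""
    pt = _pt(z, y)
    at = alpha if y == 1 else 1.0 - alpha
    return -at * (1.0 - pt) ** gamma * math.log(pt)

def focal_grad_hess(z, y, alpha=0.25, gamma=2.0):
    """First and second derivative of focal_loss with respect to the raw score z."""
    pt = _pt(z, y)
    q = 1.0 - pt                        # how wrong the model is on this sample
    at = alpha if y == 1 else 1.0 - alpha
    s = 1.0 if y == 1 else -1.0         # dp_t/dz = s * p_t * (1 - p_t)
    log_pt = math.log(pt)
    grad = s * at * (gamma * pt * q ** gamma * log_pt - q ** (gamma + 1))
    hess = at * pt * (q ** (gamma + 1) * (gamma * log_pt + 2 * gamma + 1)
                      - gamma ** 2 * pt * q ** gamma * log_pt)
    return grad, hess

def focal_objective(y_true, raw_score, alpha=0.25, gamma=2.0):
    """Per-sample (grad, hess) lists, the shape a boosting custom objective returns."""
    pairs = [focal_grad_hess(z, int(y), alpha, gamma)
             for y, z in zip(y_true, raw_score)]
    return [g for g, _ in pairs], [h for _, h in pairs]

def minority_gradient_share(y_true, raw_score, alpha, gamma):
    """Fraction of the total gradient magnitude contributed by the positive class."""
    grad, _ = focal_objective(y_true, raw_score, alpha, gamma)
    pos = sum(abs(g) for g, y in zip(grad, y_true) if y == 1)
    return pos / sum(abs(g) for g in grad)

# Constructed batch (not thesis data): 995 majority-class flows the model already
# scores confidently, and 5 rare positive (IoT) flows it still scores too low.
Y = [0] * 995 + [1] * 5
Z = [-4.0] * 995 + [-2.0] * 5

if __name__ == "__main__":
    # gamma=0, alpha=0.5 is ordinary log loss scaled by one half
    print("log loss  :", round(minority_gradient_share(Y, Z, 0.5, 0.0), 3))
    print("focal loss:", round(minority_gradient_share(Y, Z, 0.25, 2.0), 3))
```

With gamma set to 0 the easy majority samples supply most of the gradient in this batch; with gamma set to 2 nearly all of it comes from the five hard minority samples.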