| Existing Internet of Things (IoT) devices are accessed remotely over the Internet, which exposes them to the security risks of device counterfeiting and remote control. Identifying the legitimacy of IoT devices has therefore become a research hotspot in IoT security. However, identifying the legitimacy of IoT device identities faces several challenges: 1) IoT devices come from many manufacturers and are deployed in smart homes, Industry 4.0, energy, transportation and other fields, and the hardware structure and functional implementation of devices differ greatly between fields; 2) to keep deployment costs down, most IoT devices have limited computing capacity and storage resources and a simple structure, which makes complex identity authentication functions difficult to implement; 3) for deployed devices that lack a reliable identity authentication mechanism, security functions cannot be upgraded through remote firmware updates. In view of these challenges, this paper studies network traffic fingerprinting and achieves unified, cross-platform and non-invasive identification and anomaly detection by extracting fingerprint information related to device type from network traffic, without changing the existing hardware and software structure of the IoT. Because network protocols are layered, physical information about the underlying IoT devices cannot be obtained directly from network traffic. The difficulty addressed in this paper is therefore how to obtain hardware-related features from packet contents above the network layer to serve as device fingerprints. The work is carried out in three areas: 1) feature extraction; 2) device identification; 3) anomaly detection. The main work and innovations of this paper are as follows:
(1) For feature extraction, this paper proposes a device type identification method that combines active and passive fingerprints, to address the problem that the traffic characteristics of similar devices are difficult to distinguish. For active fingerprint extraction, the device under test is abstracted as a linear time-invariant signal response system, with the inquiry frame and the response frame treated as the excitation signal and the response signal, and a hardware fingerprint extraction method based on time-domain information of the response signal is proposed to improve the recognition rate for similar devices. In addition, a feature selection algorithm based on information entropy feature offset is proposed to select feature sets that are insensitive to time span, improving the robustness of the recognition model. Experimental results show that the recognition rate of the classification model for similar devices improves from 83% to 90.9%, and stability improves by nearly 60%. (2) For classification, adding a new device requires retraining the classification model, which increases the amount of computation. To address this, this paper proposes a modular classification model based on clustering optimized with locality-sensitive hashing. The model performs cluster learning separately on the attributes of each type of IoT device, so the classification models are independent of each other and there is no need to relearn all the sample data when the device types change. The proposed algorithm is based on the K-prototypes algorithm and uses locality-sensitive hashing during cluster center initialization to group similar data into the same cluster, which solves the problem of unstable clustering results caused by random selection of the initial cluster centers. Locality-sensitive hashing ensures that the initial clusters differ from one another, and in the iterative cluster update stage a local search strategy searches for the cluster center in the nearest-neighbor domain, reassigning data objects and speeding up the algorithm's iterative updates. Experimental results show that clustering speed improves by 26.7% and the average device recognition accuracy reaches 94.14%.
(3) For anomaly monitoring, existing methods cannot effectively distinguish anomalies caused by occasional events from anomalies caused by network attacks. To address this, this paper proposes a behavior anomaly detection method for IoT devices based on discriminating the consistency of classification results. To monitor device behavior continuously over a long time span, a consistency score index for device classification and recognition is proposed. The index adjusts dynamically according to the output of the device classification model, enabling dynamic monitoring of abnormal device behavior. Experiments show that the index can distinguish occasional anomalies from network attack anomalies. |