Research And Implementation Of Malicious Traffic Detection And Association Backtracking Technology In Internet Of Things

Posted on: 2022-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: L He
GTID: 2518306320955749
Subject: Electronics and Communications Engineering

Abstract/Summary:
The Internet of Things is gradually entering public life. However, compared with the Internet, the Internet of Things has more potential security problems, and its traffic faces greater security risks. It is therefore necessary to detect malicious traffic in the Internet of Things. At the same time, the diversity of Internet of Things traffic makes the backtracking of attacks more complicated. Research on malicious traffic detection and association backtracking technology in the Internet of Things is therefore of great significance. This thesis mainly studies the following:

(1) A malicious traffic detection method for common Internet of Things application layer protocols. This thesis studies security-related reports on the Internet of Things and discusses its security threats. The communication mechanisms and security of four common Internet of Things protocols are analyzed: Message Queuing Telemetry Transport (MQTT), Advanced Message Queuing Protocol (AMQP), Data Distribution Service (DDS) and Hyper Text Transfer Protocol (HTTP). The thesis summarizes the trends of malicious traffic behavior in the Internet of Things, selects combined traffic characteristics from the size chain, time chain and direction chain, combines the deep flow detection points and the deep packet detection points, and derives a combined coarse-grained and fine-grained malicious traffic detection method for the Internet of Things. Malicious traffic is detected using characteristic code matching, regular expressions and other judgment mechanisms, together with a flow control policy database and a fingerprint rule database.

(2) Association backtracking analysis technology. Taking the threat alarm data produced by malicious traffic detection as input, an adaptive weight coefficient is set for the Apriori algorithm in order to calculate the correlation degree of threat behaviors, form correlated attack events, and determine the bidirectional nature of association rules. The traffic data is analyzed by association, and a link chain of user elements, event elements and metadata elements is constructed to address the problems of high false positives, insufficient evidence chains and incomplete traceability of security incidents brought about by traditional threat information.

(3) Design and implementation of a prototype system for malicious traffic detection and association backtracking in the Internet of Things. A prototype system is designed according to actual requirements and implemented on the basis of the Moloch framework and the Suricata framework. The system modules include a data acquisition module, a protocol identification module, a malicious traffic detection module, a correlation and backtracking module, and a visual rendering module. The system can present detected attack behavior, traffic data and related information.

To verify the actual effect of the prototype system, a variety of open data sets, model data reproduced from attacks, and derived malicious traffic were used as the test set. The test results show that each module works normally and stably. The accuracy rate of the malicious traffic detection module is high and its false detection rate is low. The correlation and backtracking module can obtain the correlation degree of related malicious attack events and can associate the detected threat data with historical traffic and interact with it. The visual presentation module can display threat alarm information, traffic backtracking information and associated attack events on the interface. In summary, the research results of this thesis on malicious traffic detection and association backtracking in the Internet of Things have a positive effect on detecting malicious traffic attacks in the Internet of Things and on protecting its healthy development.
Keywords/Search Tags: Internet of Things, Malicious traffic detection, Apriori algorithm, Association backtracking