In recent years, with the rapid development of Internet of Things technology, network security issues have gradually emerged. To meet the communication requirements of different scenarios, a large number of communication protocols for data interaction between devices have appeared in the network, including private protocols whose specifications are not disclosed. In this case it is difficult to obtain a description of the protocol, which greatly hinders protocol security analysis and network intrusion detection. Therefore, this thesis adopts a protocol reverse engineering method to infer the state machine of an unknown protocol from network traffic, and analyzes protocol behavior characteristics based on the protocol state machine to detect intrusion behavior. The main research contents are as follows:

Firstly, in order to analyze the behavior information of unknown protocols in the Internet of Things, this thesis proposes a state machine inference method for unknown binary protocols based on the state field. To solve the problem of inaccurate identification of protocol messages, a message identification method based on the state field is adopted. Considering that protocol packets in network traffic are transmitted bidirectionally, some association between the packets a protocol entity receives and the packets it sends should be established in a given state. This correlation is reflected in the state-related fields that represent the protocol message types, so the state-related fields can be extracted based on conditional entropy. To improve the accuracy of message identification, the analysis is performed in units of half bytes (nibbles) and bytes respectively, and a corresponding field combination method is designed. In terms of protocol state machine construction, the current construction process produces too many state nodes, which affects efficiency. To address this, a parallel scheme for state machine construction and update based on equivalent states is proposed. Finally, in tests on the MQTT and RFID protocols, the protocol state field is extracted effectively and a more accurate protocol state machine is inferred.

Then, building on the reversed state machine of the unknown Internet of Things protocol, a network intrusion detection method based on the protocol state machine is proposed. Firstly, the characteristics of protocol behavior in network traffic are analyzed, and a probabilistic model of protocol behavior is established based on the previously inferred protocol state machine. Then the abnormal characteristics of attack behavior in the Internet of Things are analyzed within this probabilistic model of protocol behavior. To detect abnormal behaviors in the Internet of Things, a two-stage intrusion detection scheme is proposed, which implements distributed attack detection and session-based attack detection respectively. Finally, an experiment is carried out on Internet of Things traffic based on MQTT communication, and the attack behaviors in the traffic are accurately detected.

Finally, on the basis of the previous two studies, a prototype network intrusion detection system for unknown Internet of Things protocols is designed and implemented. The system is built upon the Django framework, and all functions are deployed on the server; users log in and use it through the Web. The system is mainly divided into two modules, namely the protocol state machine inference module and the state-machine-based intrusion detection module. In this system, users can infer the protocol state machine from unknown Internet of Things traffic and detect abnormal traffic based on the inferred state machine.
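The following is an added, constructed walk-through of the two stages the abstract describes; it is not code from the thesis or its prototype system. It pairs each client message with the broker message that follows it, scores every position in the first four header bytes by conditional entropy at nibble and byte granularity, keeps the position whose value is predictable from the request yet varies across responses, builds a probabilistic state machine over the message types read from that field, and scores a session by the transitions the normal traffic never produced. The MQTT-shaped byte strings, the adjacency-based pairing, the START/END pseudo-states, the "prefer the narrower field on a tie" combination rule and the "unseen transition" anomaly criterion are all assumptions of this example; the distributed (cross-session) detection stage is not shown.

```python
import math
from collections import Counter, defaultdict

# Constructed MQTT-3.1.1-shaped traffic: (direction, raw bytes); "C" = client->broker, "S" = broker->client.
CONNECT_A = b"\x10\x0e\x00\x04MQTT\x04\x02\x00\x3c\x00\x02c1"
CONNECT_B = b"\x10\x0f\x00\x04MQTT\x04\x02\x00\x3c\x00\x03cli"
CONNECT_C = b"\x10\x0e\x00\x04MQTT\x04\x02\x00\x3c\x00\x02c2"
CONNACK = b"\x20\x02\x00\x00"
PINGREQ, PINGRESP, DISCONNECT = b"\xc0\x00", b"\xd0\x00", b"\xe0\x00"

NORMAL_SESSIONS = [
    [("C", CONNECT_A), ("S", CONNACK),
     ("C", b"\x82\x08\x00\x01\x00\x03a/b\x00"), ("S", b"\x90\x03\x00\x01\x00"),   # SUBSCRIBE / SUBACK
     ("C", b"\x32\x09\x00\x03a/b\x00\x02hi"), ("S", b"\x40\x02\x00\x02"),       # PUBLISH QoS1 / PUBACK
     ("C", PINGREQ), ("S", PINGRESP), ("C", DISCONNECT)],
    [("C", CONNECT_B), ("S", CONNACK),
     ("C", b"\x32\x08\x00\x03a/b\x00\x05x"), ("S", b"\x40\x02\x00\x05"),
     ("C", b"\x32\x0b\x00\x03a/b\x00\x06bye!"), ("S", b"\x40\x02\x00\x06"),
     ("C", PINGREQ), ("S", PINGRESP), ("C", DISCONNECT)],
    [("C", CONNECT_C), ("S", CONNACK),
     ("C", b"\x82\x08\x00\x02\x00\x03a/b\x00"), ("S", b"\x90\x03\x00\x02\x00"),
     ("C", PINGREQ), ("S", PINGRESP), ("C", DISCONNECT)],
]
# Constructed abnormal session: a client that publishes repeatedly without ever connecting.
ATTACK_SESSION = [("C", b"\x32\x09\x00\x03a/b\x00\x07hi")] * 3


def request_response_pairs(sessions):
    """Assumed pairing rule: a client message and the broker message directly after it form a pair."""
    return [(m1, m2) for s in sessions for (d1, m1), (d2, m2) in zip(s, s[1:]) if d1 == "C" and d2 == "S"]


def field_value(msg, pos, unit):
    """Value of candidate field `pos`; unit "byte" = 8-bit units, "nibble" = 4-bit units. None if msg is too short."""
    if unit == "byte":
        return msg[pos] if pos < len(msg) else None
    byte_index, low = divmod(pos, 2)          # nibble 2k = high half of byte k, 2k+1 = low half
    if byte_index >= len(msg):
        return None
    return (msg[byte_index] & 0x0F) if low else (msg[byte_index] >> 4)


def entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def conditional_entropy(xs, ys):
    """H(Y | X) = sum over x of P(x) * H(Y | X = x)."""
    by_x = defaultdict(list)
    for x, y in zip(xs, ys):
        by_x[x].append(y)
    return sum(len(group) / len(xs) * entropy(group) for group in by_x.values())


def rank_state_fields(pairs, unit, width_bytes=4):
    """Score positions in the first `width_bytes` bytes. A state-related field must vary across responses
    (H(Y) > 0) yet be predictable from the request (low H(Y|X)). Returns [(pos, H(Y|X), H(Y)), ...], best first."""
    ranked = []
    for pos in range(width_bytes * (2 if unit == "nibble" else 1)):
        xs, ys = [], []
        for req, resp in pairs:
            x, y = field_value(req, pos, unit), field_value(resp, pos, unit)
            if x is not None and y is not None:
                xs.append(x), ys.append(y)
        if not ys or entropy(ys) == 0.0:
            continue                          # constant in every response: carries no state information
        ranked.append((conditional_entropy(xs, ys), -entropy(ys), pos))
    ranked.sort()                             # lowest H(Y|X) first, then highest H(Y)
    return [(pos, h_cond, -neg_h) for h_cond, neg_h, pos in ranked]


def select_state_field(pairs):
    """Assumed combination rule: keep the byte only if it is strictly more predictable than the best nibble."""
    best_nib, best_byte = rank_state_fields(pairs, "nibble")[0], rank_state_fields(pairs, "byte")[0]
    return ("byte", best_byte[0]) if best_byte[1] < best_nib[1] else ("nibble", best_nib[0])


def message_type(msg, field):
    unit, pos = field
    return field_value(msg, pos, unit)


def build_state_machine(sessions, field):
    """Probabilistic state machine: states are message types read from the state field plus START/END;
    transition probabilities are relative counts over the normal sessions."""
    counts = defaultdict(Counter)
    for session in sessions:
        seq = ["START"] + [message_type(m, field) for _, m in session] + ["END"]
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: c / sum(nxt.values()) for b, c in nxt.items()} for a, nxt in counts.items()}


def score_session(model, session, field):
    """Session-based detection: transitions absent from the model are the anomaly signal; the summed
    negative log-likelihood of the seen transitions ranks otherwise-valid but unusual sessions."""
    seq = ["START"] + [message_type(m, field) for _, m in session] + ["END"]
    unseen, nll = [], 0.0
    for a, b in zip(seq, seq[1:]):
        p = model.get(a, {}).get(b, 0.0)
        if p == 0.0:
            unseen.append((a, b))
        else:
            nll -= math.log2(p)
    return {"unseen": unseen, "nll": nll}


if __name__ == "__main__":
    pairs = request_response_pairs(NORMAL_SESSIONS)
    for unit in ("nibble", "byte"):
        print(unit, rank_state_fields(pairs, unit)[:3])
    field = select_state_field(pairs)
    model = build_state_machine(NORMAL_SESSIONS, field)
    print("state field:", field)
    print("normal session:", score_session(model, NORMAL_SESSIONS[0], field))
    print("attack session:", score_session(model, ATTACK_SESSION, field))
```

On this traffic the high nibble of byte 0 (the MQTT packet type) is the only position with zero conditional entropy and non-zero response entropy; the remaining-length byte is nearly as predictable but not quite, because the constructed SUBSCRIBE and one PUBLISH share a remaining length of 8 and draw different response lengths. The attack session then produces four transitions (START to PUBLISH, PUBLISH to PUBLISH twice, PUBLISH to END) that no normal session ever exhibited, which is exactly the signal a session-based detector keys on.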