CN116595503A - A Fingerprint Recognition Method for Industrial Internet of Things Devices Based on System Call Behavior - Google Patents

Info

Publication number
CN116595503A
Authority
CN
China
Prior art keywords
system call
behavior
string
res
unknown
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310522837.1A
Other languages
Chinese (zh)
Inventor
宋永立
李昕
程驰
程彦彦
陈怡瑾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Computer Technology and Applications
Priority to CN202310522837.1A
Publication of CN116595503A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/12Fingerprints or palmprints

Abstract

The invention discloses a fingerprint identification method for industrial Internet of Things devices based on system call behavior, comprising the following steps: the server sends a security request to an unknown device; after receiving the security request, the unknown device generates a system call string; a device fingerprint of the unknown device is generated from the system call string; the unknown device sends the device fingerprint to the server; after receiving the device fingerprint, the server calculates a correlation value between it and a pre-stored device fingerprint and judges from the calculated correlation value whether the device's behavior has changed. The method can effectively improve the accuracy of fingerprint identification while protecting device privacy.

Description

A Fingerprint Recognition Method for Industrial Internet of Things Devices Based on System Call Behavior

Technical field

The invention belongs to the technical field of industrial information security defense, and in particular relates to a fingerprint identification method for industrial Internet of Things devices based on system call behavior.

Background art

The Industrial Internet of Things (IIoT) may use a variety of devices to collect sensitive data, communicate with other systems and monitor key processes in critical infrastructure applications. In an IIoT ecosystem, however, unauthorized or spoofed devices can compromise or impair the performance and security of critical infrastructure and, more seriously, can cause great harm to personal safety. A severe challenge facing the Industrial Internet of Things is therefore how to guarantee the security of its devices.

To this end, researchers have proposed identifying devices by a device behavior fingerprint based on system calls: a trusted server (SERVER) verifies the security state of a device (DEVICE) by collecting its fingerprint. More specifically, SERVER sends a challenge that requires DEVICE to return a response fingerprint derived from its system calls and device performance. SERVER then verifies the received response fingerprint by computing its correlation with the fingerprints already in the database, evaluates the security state of DEVICE, and thereby judges whether DEVICE is safe. When an unsafe industrial IoT device is found, an alarm is raised, which achieves the goal of guaranteeing device security.

Existing device fingerprinting schemes still have some defects, however: 1) when extracting a device's system call fingerprint they ignore the position information of the system calls, which can make the extracted fingerprint insufficiently accurate; 2) existing device system call fingerprints are based on the names of the system call functions, which hinders cross-platform use of the fingerprinting scheme and may leak some of the device's private information when it is used across platforms.

How to improve the accuracy of fingerprint identification, protect device privacy and guarantee the security of devices in the Industrial Internet of Things has therefore become a key problem of current research.

Summary of the invention

In view of the above problems, the present invention provides a fingerprint identification method for industrial Internet of Things devices based on system call behavior that solves at least some of the technical problems described above.

An embodiment of the present invention provides a fingerprint identification method for industrial Internet of Things devices based on system call behavior, comprising the following steps:

S1. The server sends a security request to an unknown device;

S2. After receiving the security request, the unknown device generates a system call string;

S3. A device fingerprint of the unknown device is generated from the system call string;

S4. The unknown device sends the device fingerprint to the server;

S5. After receiving the device fingerprint, the server calculates a correlation value between it and a pre-stored device fingerprint and judges from the calculated correlation value whether the device's behavior has changed.

Further, the security request comprises an encrypted packet, a digital signature and a timestamp.

Further, step S2 specifically comprises: after receiving the security request, the unknown device extracts its system call list using the LD_PRELOAD method and the ptrace method, and generates the system call string from that system call list.

Further, the system call string is obtained from the target functions close, free, malloc, memcpy, mprotect, signal and usleep.

Further, step S3 specifically comprises:

S31. Obtaining a system call n-gram string from the system call string;

S32. Obtaining a system call frequency string from the system call n-gram string;

S33. Generating the device fingerprint of the unknown device from the system call frequency string.

Further, the attributes of the device fingerprint comprise the maximum, mean, standard deviation, kurtosis, entropy, skewness and quartiles of the system call frequency string.

Further, the correlation value is calculated with the following formula:

where resXi is the i-th number in the pre-stored device fingerprint resX; resYi is the i-th number in the unknown device fingerprint resY; the remaining terms are the mean of the numbers in resX, the mean of the numbers in resY, the standard deviation of the numbers in resX and the standard deviation of the numbers in resY; and n is the dimension of resX or resY.

Further, in step S5, a correlation value below the threshold indicates that the device's behavior has changed, and the server then raises an alarm.

Further, in step S5, a correlation value greater than or equal to the threshold indicates that the device is behaving normally, and the pre-stored device fingerprint in the server-side database is then updated.

Compared with the prior art, the fingerprint identification method for industrial Internet of Things devices based on system call behavior described in the present invention has the following beneficial effects:

The invention collects behavior fingerprints of the system calls of industrial control devices and uses a correlation algorithm to judge the security of those devices, distinguishing genuine devices from unauthorized and untrusted ones. On the one hand, the platform-independent system call extraction method supports cross-platform use of the method while protecting device privacy; on the other hand, part of the position information of the system calls is retained, which improves the accuracy of fingerprint identification.

By extracting system calls, the invention studies the behavior and performance of industrial control devices at the hardware and kernel level, and combines system and function call tracing, signal processing and hardware performance analysis into a device class identification solution based on a security challenge/response, which provides a high level of security;

The invention requires no extensive network traffic monitoring, imposes no significant overhead on the computing resources of industrial control devices, and is low-cost and easy to implement.

Other features and advantages of the invention will be set forth in the description that follows and will in part become apparent from the description or be learned by practicing the invention. The objectives and other advantages of the invention may be realized and attained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.

The technical solution of the invention is described in further detail below with reference to the accompanying drawings and embodiments.

Description of the drawings

The accompanying drawings provide a further understanding of the invention and form part of the description; together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:

Fig. 1 is a schematic diagram of the system model corresponding to the fingerprint identification method for industrial Internet of Things devices based on system call behavior provided by an embodiment of the present invention.

Fig. 2 is a schematic flowchart of the fingerprint identification method for industrial Internet of Things devices based on system call behavior provided by an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed fully to those skilled in the art.

An embodiment of the present invention provides a fingerprint identification method for industrial Internet of Things devices based on system call behavior. The system model corresponding to the method is shown in Fig. 1 and contains two kinds of entities: the unknown industrial control device (DEVICE) and the server (SERVER). SERVER is a trusted entity with massive storage space and strong computing power; besides computing fingerprint correlations, in this embodiment the server also stores the fingerprints already obtained from known devices. DEVICE is an unknown entity; in this embodiment DEVICE interacts with SERVER by collecting its own fingerprints and sending them to SERVER, which uses them to judge whether the unknown DEVICE entity is trustworthy.

Most industrial control devices are resource-constrained, with limited energy, computing power and storage, and at the same time industrial control deployments are generally large in scale and highly complex. Attackers may use spoofed devices whose software and hardware architecture closely resembles that of genuine devices in order to improve their chances of hiding malicious operations. Furthermore, devices with unauthorized components can usually support most CPS operations but tend to underperform and fail when given more demanding and critical tasks. In these scenarios, device fingerprinting is suited to identifying original devices and distinguishing them from unauthorized and untrusted ones. In this embodiment, the industrial control devices are assumed to include both resource-constrained and resource-unconstrained devices.

An embodiment of the present invention provides a fingerprint identification method for industrial Internet of Things devices based on system call behavior. The specific implementation steps, shown in Fig. 2, are:

S1. The server sends a security request to an unknown device;

S2. After receiving the security request, the unknown device generates a system call string;

S3. A device fingerprint of the unknown device is generated from the system call string;

S4. The unknown device sends the device fingerprint to the server;

S5. After receiving the device fingerprint, the server calculates a correlation value between it and a pre-stored device fingerprint and judges from the calculated correlation value whether the device's behavior has changed.

The method collects behavior fingerprints of the system calls of industrial control devices and uses a correlation algorithm to judge the security of those devices, distinguishing genuine devices from unauthorized and untrusted ones. On the one hand, the platform-independent system call extraction method supports cross-platform use of the method while protecting device privacy; on the other hand, part of the position information of the system calls is retained, which improves the accuracy of fingerprint identification.

Steps S1-S4 above are given for convenience of description only and do not limit the specific execution of the method; each of the steps is described in detail below.

In step S1, a scheduler running on the server sends the unknown industrial control device a security request containing a secret challenge. The challenge comprises an encrypted packet, a digital signature and a timestamp: the encrypted packet prevents an eavesdropper from learning the structure and content of the security request, the digital signature guarantees the integrity of the request, and the timestamp prevents an attacker from reusing an old security request, which defends against replay attacks.

In step S2, after receiving the security request the unknown device activates its local feature extraction module. This module extracts the device's system call list using the LD_PRELOAD method and the ptrace method and generates the system call string from that list. The system call string is built from the extracted calls to the following target functions: close, free, malloc, memcpy, mprotect, signal and usleep (see Table 1 below). While extracting calls, the feature extraction module also monitors the performance of the unknown device in terms of CPU utilization and memory utilization.

LD_PRELOAD lets the user force the loading of a proxy library containing one or more specified detour functions. When the target process calls a target function, it uses the detour function defined in the proxy library instead of the original function defined in the system library. The proxy library is injected into the target process to extract its function calls with the following command: LD_PRELOAD=[library name] ./[target executable]. Ptrace is a Linux facility for observing and altering the system calls of another process. With the PTRACE_PEEKUSER request the parent process can examine the arguments of a system call executed in the child process; PTRACE_POKEUSER lets the parent process change the system call arguments; PTRACE_DETACH stops tracing a process the parent has attached to; PTRACE_SINGLESTEP stops the tracee after every instruction.

In the present invention, the list of specific function calls extracted with LD_PRELOAD and ptrace as described above is first used to obtain the original call index string (ocs). From the ocs, the n-gram strings are obtained; an n-gram is represented by the characters of n consecutive system calls in the original call index string. Finally the call frequency sequence (cfs) is calculated; it consists of the occurrence frequency of each value in the n-gram string, and is used to generate the device fingerprint file. The figure below shows the whole process from the original call index string (ocs) to successful feature extraction.

Table 1 Target functions and their roles

In step S3, the corresponding system call n-gram strings are obtained from the system call string (with n taking the values n = 1, 2, 3). The corresponding system call frequency strings are then calculated from the three n-gram strings; a system call frequency string consists of the number of occurrences of each value in the n-gram string. Finally, the feature extraction module uses the system call frequency strings to calculate the device fingerprint of the unknown device. See Tables 2 and 3 below for details.

Table 2 System call frequency string generation algorithm

Table 3 Device fingerprint generation algorithm

As Table 3 shows, the attributes of the device fingerprint are {Max_Fi, Mean_Fi, Std_Fi, Kurtosis_Fi, Entropy_Fi, skewness_Fi, Q1_Fi, Q2_Fi, Q3_Fi}. Their meanings are as follows. Max_Fi is the maximum value in the system call frequency string Fi; Mean_Fi is the mean of Fi; Std_Fi is the standard deviation of Fi, which reflects how dispersed the data set is; Kurtosis_Fi is the kurtosis of Fi, which describes whether the data distribution is peaked or flat; Entropy_Fi is the entropy of Fi, a measure of the uncertainty of the values in the data; skewness_Fi is the skewness of Fi, which describes the symmetry of the data distribution (a normal distribution has skewness 0); Q1_Fi is the first quartile of Fi; Q2_Fi is the second quartile of Fi; Q3_Fi is the third quartile of Fi. The quartiles all serve to preserve information about the position of a given call within the system call string.

In step S4, the unknown device sends the collected device fingerprint information to the server and waits for the server to carry out the next stage of data processing.

In step S5, the server retrieves the genuine pre-stored device fingerprint that already exists in its database and calculates the correlation value between the received device fingerprint and the pre-stored one. The correlation value calculation is shown in Table 4 below.

Table 4 Correlation value calculation

The correlation value is calculated with the following formula:

where resXi is the i-th number in the pre-stored device fingerprint resX; resYi is the i-th number in the unknown device fingerprint resY; the remaining terms are the mean of the numbers in resX, the mean of the numbers in resY, the standard deviation of the numbers in resX and the standard deviation of the numbers in resY; and n is the dimension of resX or resY.

A correlation value below the threshold u indicates that the device's behavior has changed, i.e. the unknown device is untrustworthy, and the server raises an alarm. On receiving the alarm from the server, the operator judges whether the observed change in system call behavior is legitimate: if it is judged legitimate, the operator may choose to update the server's fingerprint database; if it is judged illegitimate, effective countermeasures can be taken against the device concerned.

A correlation value greater than or equal to the threshold u indicates that the device is behaving normally, i.e. the unknown device is trustworthy. The pre-stored device fingerprint in the server-side database is then updated directly, that is, the unknown device's fingerprint is stored in the server's database.
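The following Python is an added, constructed walk-through of steps S2 to S5 and is not code from the patent: it turns a trace of the Table 1 target functions into the ocs, the n-gram strings for n = 1, 2, 3, the frequency strings, the nine Table 3 attributes per string, and the server-side threshold decision. Two points are assumptions: the frequency string keeps one count per n-gram position (so the quartiles carry position information, as the text says), and the correlation value is the Pearson coefficient, since the formula itself did not survive on the page and only its term list (means, standard deviations, n) did.

```python
import math
from collections import Counter
from statistics import mean, pstdev, quantiles

# Table 1 names the functions the feature extractor hooks via LD_PRELOAD/ptrace.
# The numeric index assigned to each is an assumption of this example; the
# fingerprint never carries the function names themselves.
TARGET_FUNCS = ["close", "free", "malloc", "memcpy", "mprotect", "signal", "usleep"]
FUNC_INDEX = {name: i for i, name in enumerate(TARGET_FUNCS)}


def to_ocs(trace):
    """Original call index string (ocs): hooked calls mapped to indices, others dropped."""
    return [FUNC_INDEX[name] for name in trace if name in FUNC_INDEX]


def ngram_string(ocs, n):
    """Every window of n consecutive calls in the ocs (the patent uses n = 1, 2, 3)."""
    return [tuple(ocs[i:i + n]) for i in range(len(ocs) - n + 1)]


def frequency_string(ocs, n):
    """cfs: each n-gram replaced by its occurrence count over the whole n-gram string.
    Positions are kept (assumption) so the quartiles retain location information."""
    grams = ngram_string(ocs, n)
    counts = Counter(grams)
    return [counts[g] for g in grams]


def _central_moment(values, k, mu):
    return sum((v - mu) ** k for v in values) / len(values)


def fingerprint_attributes(f):
    """The nine Table 3 attributes of one frequency string Fi:
    max, mean, std, kurtosis, entropy, skewness, Q1, Q2, Q3."""
    mu = mean(f)
    m2 = _central_moment(f, 2, mu)
    kurtosis = _central_moment(f, 4, mu) / m2 ** 2 if m2 else 0.0
    skewness = _central_moment(f, 3, mu) / m2 ** 1.5 if m2 else 0.0
    probs = [c / len(f) for c in Counter(f).values()]
    entropy = -sum(p * math.log2(p) for p in probs)
    q1, q2, q3 = quantiles(f, n=4)  # needs at least two values in f
    return [max(f), mu, pstdev(f), kurtosis, entropy, skewness, q1, q2, q3]


def device_fingerprint(trace):
    """Step S3: concatenate the attributes of F1, F2 and F3 into one 27-value vector."""
    ocs = to_ocs(trace)
    fp = []
    for n in (1, 2, 3):
        fp.extend(fingerprint_attributes(frequency_string(ocs, n)))
    return fp


def correlation(res_x, res_y):
    """Correlation between a stored fingerprint res_X and a received one res_Y.
    Pearson coefficient (assumed): covariance over n * std_X * std_Y."""
    n = len(res_x)
    mx, my = mean(res_x), mean(res_y)
    sx, sy = pstdev(res_x), pstdev(res_y)
    if sx == 0 or sy == 0:
        return 0.0  # a constant fingerprint carries no correlatable signal
    return sum((x - mx) * (y - my) for x, y in zip(res_x, res_y)) / (n * sx * sy)


def server_decision(stored_fp, received_fp, threshold):
    """Step S5: below threshold u the behaviour changed and an alarm is raised
    (stored fingerprint kept); otherwise the device is trusted and the received
    fingerprint replaces the stored one. Returns (verdict, value, fingerprint_to_store)."""
    r = correlation(stored_fp, received_fp)
    if r < threshold:
        return "alarm", r, stored_fp
    return "trusted", r, received_fp


# Constructed traces, not captured from any real device.
KNOWN_TRACE = ["malloc", "memcpy", "free", "malloc", "memcpy", "free",
               "mprotect", "signal", "usleep", "close", "malloc", "free"]
SPOOFED_TRACE = ["signal", "signal", "usleep", "close", "close", "mprotect",
                 "mprotect", "malloc", "free", "free", "usleep", "signal"]

if __name__ == "__main__":
    stored = device_fingerprint(KNOWN_TRACE)
    for label, trace in (("same device", KNOWN_TRACE), ("spoofed device", SPOOFED_TRACE)):
        verdict, r, _ = server_decision(stored, device_fingerprint(trace), threshold=0.9)
        print(f"{label}: correlation={r:.3f} -> {verdict}")
```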

In summary, the embodiment of the present invention provides a fingerprint identification method for industrial Internet of Things devices based on system call behavior, which achieves secure and efficient fingerprint identification of unknown industrial control devices by observing changes in their system call behavior. High adaptability is achieved by extracting features that are independent of the system call names. In addition, the method provided by the embodiment is easy to implement, adds little extra overhead on industrial control devices, and is low-cost.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (8)

1. A method for fingerprint identification of industrial Internet of Things devices based on system call behavior, characterized in that it comprises the following steps:
S1. the server sends a security request to an unknown device;
S2. after receiving the security request, the unknown device generates a system call string;
S3. a device fingerprint of the unknown device is generated from the system call string;
S4. the unknown device sends the device fingerprint to the server;
S5. after receiving the device fingerprint, the server calculates a correlation value between it and a pre-stored device fingerprint, and judges from the calculated correlation value whether the device behavior has changed.

2. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 1, characterized in that the security request comprises an encrypted package, a digital signature and a timestamp.

3. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 1, characterized in that step S2 specifically comprises: after receiving the security request, the unknown device extracts its system call list using the LD_PRELOAD method and the ptrace method, and generates the system call string from the system call list.

4. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 1, characterized in that step S3 specifically comprises:
S31. obtaining a system call n-gram string from the system call string;
S32. obtaining a system call frequency string from the system call n-gram string;
S33. generating the device fingerprint of the unknown device from the system call frequency string.

5. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 4, characterized in that the attributes of the device fingerprint comprise the maximum value, mean, standard deviation, number of peaks, entropy, skewness and quartiles of the system call frequency string.

6. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 1, characterized in that the correlation value is calculated by the following formula:
where resXi denotes the i-th number of the preset device resX; resYi denotes the i-th number of the unknown device resY; the further terms of the formula denote the mean of the numbers in the preset device resX, the mean of the numbers in the unknown device resY, the standard deviation of the numbers in resX and the standard deviation of the numbers in resY; and n denotes the data dimension of resX or resY.

7. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 1, characterized in that, in step S5, when the correlation value is less than a threshold, the device behavior has changed and the server raises an alarm.

8. The method for fingerprint identification of industrial Internet of Things devices based on system call behavior according to claim 1, characterized in that, in step S5, when the correlation value is greater than or equal to the threshold, the device behavior is normal and the preset device fingerprint in the server-side database is updated.
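The following is an added worked example of the pipeline in claims 3 to 8 (steps S2, S31 to S33 and S5); it is not code from patent CN116595503A or its applicant. The claims name the fingerprint attributes and the terms of the correlation formula but fix no parameters, so this example assumes: bigrams (n = 2) for the n-gram string, the population standard deviation, a peak counted as a strict local maximum, base-2 entropy, linearly interpolated quartiles Q1/Q2/Q3, and Pearson's coefficient for the correlation of claim 6 (consistent with the means, standard deviations and dimension n that claim 6 defines, but an assumption, since the formula image is not reproduced on this page). The two system call lists and the threshold of 0.9 are constructed sample data.

```python
"""Added example (not the patent's code): device-side fingerprint (claims 3-5)
and server-side correlation check (claims 6-8) over a recorded system call list.
Assumed choices: bigrams, population std, local-maximum peaks, base-2 entropy,
interpolated quartiles, Pearson correlation, threshold 0.9."""
from collections import Counter
import math

# Constructed sample: a system call list as ptrace/LD_PRELOAD tracing would record it.
BASELINE_CALLS = ["open", "read", "write", "close", "open", "read", "write", "close",
                  "socket", "connect", "send", "recv", "close"]
# Constructed sample: the same device after its behaviour changed (new execve/fork activity).
CHANGED_CALLS = ["open", "read", "execve", "fork", "execve", "fork", "open",
                 "socket", "connect", "send", "execve", "fork", "close"]


def syscall_string(calls):
    """S2: join the extracted system call list into one system call string."""
    return " ".join(calls)


def ngram_string(call_string, n=2):
    """S31: slide a window of length n over the call string and emit the n-grams."""
    calls = call_string.split()
    return [" ".join(calls[i:i + n]) for i in range(len(calls) - n + 1)]


def frequency_string(ngrams):
    """S32: count each distinct n-gram; sorted key order makes the vector deterministic."""
    counts = Counter(ngrams)
    return [counts[k] for k in sorted(counts)]


def _entropy(values):
    total = sum(values)
    return -sum((v / total) * math.log2(v / total) for v in values if v)


def _skewness(values, mean, std):
    if std == 0:
        return 0.0
    return sum(((v - mean) / std) ** 3 for v in values) / len(values)


def _peaks(values):
    """Number of strict local maxima in the frequency string (assumed peak definition)."""
    return sum(1 for i in range(1, len(values) - 1)
               if values[i] > values[i - 1] and values[i] > values[i + 1])


def _quartile(sorted_values, q):
    """Linear-interpolation quantile of an already sorted list."""
    pos = q * (len(sorted_values) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (pos - lo)


def fingerprint(freq):
    """S33 / claim 5: attribute vector [max, mean, std, peaks, entropy, skewness, Q1, Q2, Q3]."""
    n = len(freq)
    mean = sum(freq) / n
    std = math.sqrt(sum((v - mean) ** 2 for v in freq) / n)
    s = sorted(freq)
    return [max(freq), mean, std, _peaks(freq), _entropy(freq),
            _skewness(freq, mean, std),
            _quartile(s, 0.25), _quartile(s, 0.5), _quartile(s, 0.75)]


def device_fingerprint(calls, n=2):
    """Whole device side: call list -> call string -> n-grams -> frequencies -> fingerprint."""
    return fingerprint(frequency_string(ngram_string(syscall_string(calls), n)))


def correlation(res_x, res_y):
    """Claim 6 terms: element values, means, standard deviations and dimension n of the
    stored fingerprint res_x and the received fingerprint res_y (Pearson assumed)."""
    n = len(res_x)
    mx, my = sum(res_x) / n, sum(res_y) / n
    sx = math.sqrt(sum((v - mx) ** 2 for v in res_x) / n)
    sy = math.sqrt(sum((v - my) ** 2 for v in res_y) / n)
    if sx == 0 or sy == 0:
        return 0.0  # a constant fingerprint carries no correlation information
    return sum((x - mx) * (y - my) for x, y in zip(res_x, res_y)) / (n * sx * sy)


def server_check(stored, received, threshold=0.9):
    """S5 / claims 7-8: below the threshold raise an alarm and keep the stored print;
    otherwise accept the device and replace the stored print with the received one."""
    r = correlation(stored, received)
    if r < threshold:
        return "alarm", stored, r
    return "ok", received, r


if __name__ == "__main__":
    base = device_fingerprint(BASELINE_CALLS)
    print("baseline fingerprint:", [round(v, 3) for v in base])
    for name, calls in (("same device", BASELINE_CALLS), ("changed device", CHANGED_CALLS)):
        status, _, r = server_check(base, device_fingerprint(calls))
        print(f"{name}: r={r:.3f} -> {status}")
```

Two points worth noting for anyone reproducing the scheme: the correlation is computed over the fixed-length attribute vector of claim 5, not over the raw frequency strings, so two traces with different sets of n-grams (and therefore frequency strings of different length) still compare; and the threshold has to be calibrated per device class, because benign workload variation already moves attributes such as the maximum and the peak count. On the collection side, LD_PRELOAD only sees libc wrappers in dynamically linked programs, which is why claim 3 pairs it with ptrace.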

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310522837.1A CN116595503A (en) 2023-05-10 2023-05-10 A Fingerprint Recognition Method for Industrial Internet of Things Devices Based on System Call Behavior


Publications (1)

Publication Number Publication Date
CN116595503A true CN116595503A (en) 2023-08-15

Family

ID=87605678

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310522837.1A Pending CN116595503A (en) 2023-05-10 2023-05-10 A Fingerprint Recognition Method for Industrial Internet of Things Devices Based on System Call Behavior

Country Status (1)

Country Link
CN (1) CN116595503A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6651169B1 (en) * 1997-05-28 2003-11-18 Fujitsu Siemens Computers Protection of software using a challenge-response protocol embedded in the software
US10027697B1 (en) * 2017-04-28 2018-07-17 The Florida International University Board Of Trustees Detection of counterfeit and compromised devices using system and function call tracing techniques
US20220150245A1 (en) * 2020-11-11 2022-05-12 Bank Of America Corporation Network device authentication for information security
CN115168159A (en) * 2022-09-06 2022-10-11 北京达佳互联信息技术有限公司 Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN115801430A (en) * 2022-11-29 2023-03-14 南京理工大学 A fingerprint recognition method for persistent industrial Internet of Things devices based on traffic behavior



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination