Improved KNN - Based 6LoWPAN Network Intrusion Detection Method

Abstract

The present invention relates to an improved KNN-based 6LoWPAN network intrusion detection method. The present invention selects quantifiable security features which can reflect a self-security state of network elements of a 6LoWPAN network for training, and establishes a 6LoWPAN network feature space. The present invention assigns the weights to the features and transfers zero points, to alleviate the bias caused by large and small impact factors and simplify calculation; realizes construction and update of a state data table of network elements by extracting the feature data of network elements in real time, thus forming a normal contour updated according to the real-time state of the network in the feature space of the 6LoWPAN network based on the clustering effect of a KNN algorithm; and the present invention improves the KNN algorithm and redefines a basis for judging the invasion, to meet the requirements for 6LoWPAN network intrusion detection.

Claims

1. An improved KNN-based 6LoWPAN network intrusion detection method, characterized in that: comprises following steps: S1: learning process: establishing a state data table of network elements, and completing networking by nodes, wherein there are m network elements in a network; setting a state data set of a plurality of network elements cached in a table as {y.sub.1, . . . , y.sub.i}, selecting q features of network elements of a 6LoWPAN network, and recording constructed feature set of the network elements as {Feature1, Feature2, Feature q}; reflecting state data of a certain network element x through the q features of network elements, and recording as y.sub.x={y.sub.x1, . . . , y.sub.xq}, wherein number of features of different network elements is q; and after a network starts operating, recording all feature data of network elements by a console; and selecting and capturing the feature data of network elements; S2: detecting process: collecting all data needed for intrusion detection, forming a state data table of network elements on the console, and conducting intrusion detection by the console; and supposing that normal data points appear in a dense neighborhood, making abnormal data points be far away from a nearest neighbor; and S3: on-line updating. characterized in that: a judge process for the intrusion detection comprises: direct judgment based on features of a certain network element and comprehensive judgment on a state data table of network elements established based on features of several network elements. characterized in that: the comprehensive judgment on the state data table of network elements established based on the features of several network elements is: in process of collecting the features of network elements, an intrusion detection system collects multiple quantifiable security features that can reflect self-security states of network elements of a 6LoWPAN network, establishes a state data table of network elements, and comprehensively judges whether intrusion exists in the network. characterized in that: the comprehensive judgment on a state data table of network elements established based on features of several network elements is specifically: selecting state data amount of network elements, thus determining a number of samples in the state data table of network elements, i.e., number of rows; constructing a feature set of network elements, thus determining the features related to 6LoWPAN intrusion detection in the state data table of network elements, and determining a dimension of the data, i.e., the number of columns; filling the state data table of network elements; and conducting data preprocessing and completing orthogonal normalization processing; a specific construction is as follows: (1) selection of the state data amount of network elements the number of sample state data in the state data table of network elements shall not be less than the number of network elements in the network, nor more than two times the total number of network elements, that is, the number of samples that can find outliers is optimal; the state set of a plurality of network elements cached in the table is set as {y.sub.1, . . . , y.sub.i}; m<i<2m is specified; three time periods of T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3 are specified; before T.sub.0, the network has started and a node joining process is completed; before T.sub.0, the network has started and the node joining process is completed; an acquisition for the state data set {y.sub.1, . . . , y.sub.m} of network elements is completed in T.sub.0.fwdarw.T.sub.1; the acquisition for the state data set {y.sub.m+1, . . . , y.sub.i} of network elements is completed in T.sub.1.fwdarw.T.sub.2; an update for the state data table of network elements is completed in T.sub.2.fwdarw.T.sub.3 (that is, a previous cache is cleared and new data are reloaded); and at this time, a state set of a plurality of network elements cached in the table is $\left\{y_1,y_2,...,y_{\frac{i}{p}}\right\},$ and p is score probability; two time periods of T.sub.0.fwdarw.T.sub.1 and T.sub.1.fwdarw.T.sub.2 will pass only when the state data table of network elements is firstly formed, and then a forming process in the table will follow a mode of a T.sub.2.fwdarw.T.sub.3 time period; in the firstly formed state data table of network elements, states y.sub.m+x and y.sub.x are the states of the same network element in different time periods; in addition, in the T.sub.2.fwdarw.T.sub.3 time period, the state of network elements in the network needs to be captured in $.Math.\frac{i}{p\times m}.Math.$ time periods; and └x┘ is a function representation for an integer part of a decimal; the parameter p is used during an updating process and is a parameter in an updating algorithm, and a value of p is specified by the console; at this time, states $y_{\left(m-1\right)+x},y_{2\left(m-1\right)+x},\mathrm{.Math.},y_{\left(\frac{2}{p}1\right)\left(m-1\right)+x}$ and y.sub.x are the states of the same network element in different time periods, and the data in the table are updated after these state data are screened according to the probability of p; the states of network elements in the table have been converted into the data, the console does not need to reflect time when the table is constructed, and previous states of the network elements do not need to be replaced; and the data amount of the states of network elements will be determined; (2) construction of feature set of network elements some features are time-based statistical features of network traffic, i.e., the number of feature/messages time period; and in order to avoid an influence of time period on statistical feature data, these features are uniformly represented by the “occurrence frequency of messages”; the features are as follows: Feature1: occurrence frequency of address unreachable response messages, with the weight of weight.sub.1; Feature2: the number of topology changes/establishments in a time period, with the weight of weight.sub.2; Feature3: the number of sub-network elements calculated by a parent network element item, with the weight of weight.sub.3; Feature4: differences that a proxy network element and an intrusion detection auxiliary device 1 detect a CON message, with the weight of weight.sub.4; Feature5: differences that the proxy network element and the intrusion detection auxiliary device 1 detect an ack message, with the weight of weight.sub.5; Feature6: occurrence frequency of response messages when a message is overlarge, with the weight of weight.sub.6; Feature7: the number of certain sub-network element data packets received, with the weight of weight.sub.7; Feature8: consumed energy of a certain sub-network element data packet received, with the weight of weight.sub.8; Feature9: forwarding rate of network element data packet, with the weight of weight.sub.9; the weights are assigned according to an impact factor console of each feature, satisfying Σweight=1; and the assigned weights can reduce a bias caused by distinct features; and in this table, a process that a series of features of network elements are constructed as a feature set is: since the state data of network elements in the table are captured at different times in the process of firstly forming the state data table of network elements, cases of capturing data in the T.sub.0.fwdarw.T.sub.1 and T.sub.1.fwdarw.T.sub.2 time periods will be explained in the process of constructing the following feature set; and except that the cases of capturing the data in different time periods exist in the process of firstly forming the table, the other cases are that the data are captured in a T.sub.2.fwdarw.T.sub.3 time period; a process of constructing the state data table of network elements in time sequence is that: firstly, describing a first forming process of the state data table of network elements: in a T.sub.0.fwdarw.T.sub.1 time period, 1) network element feature Feature1 capturing, by an intrusion detection auxiliary device 2, an address unreachable message that the network element sends to an upper-level network element, conducting statistical monitoring on the address unreachable message in T.sub.0.fwdarw.T.sub.1, monitoring the occurrence frequency, and recording a feature as v.sub.icmp1; and recording the network element feature of v.sub.icmp1 in the table; 2) network element features Feature2 and Feature3 a monitoring network element MN in T.sub.0.fwdarw.T.sub.1 time period: detecting any change related to a preferred parent network element in a network element DIO message of the network, taking DODAG ID changes or levels of the network element to be an infinitive, and recording the feature as Num.sub.topo; the monitoring network element MN in T.sub.0.fwdarw.T.sub.1 time period: detecting the increment of statistical sub-network elements through the parent network element; recording the feature as Num.sub.sub; recording the features of Num.sub.topo and Num.sub.sub in the table; 3) network element feature Feature4 an intrusion detection auxiliary device 1 and a proxy network element in T.sub.0.fwdarw.T.sub.1 time period: conducting statistics on network element notification messages; comparing the difference between the notification messages obtained by both; and monitoring the difference number of the messages and recording the feature as ΔCON; 4) network element feature Feature5 the intrusion detection auxiliary device 1 in T.sub.0.fwdarw.T.sub.1 time period: conducting statistics on the rate at which the gateway returns an ACK message; the proxy network element 6R in T.sub.0.fwdarw.T.sub.1: conducting statistics on the ACK message rate; comparing the difference between the ACK messages obtained by both; and monitoring the difference number of the messages and recording the feature as Δack; and recording the feature of Δack in the table; 5) network element feature Feature6 an intrusion detection auxiliary device 2 in T.sub.0.fwdarw.T.sub.1 time period: capturing an error report message returned to the network element, and conducting statistic detection on the message; monitoring the frequency of occurrence and recording the feature as v.sub.icmp2; and recording the feature of v.sub.icmp2 in the table; 6) network element energy feature FFD and 6R in T.sub.0.fwdarw.T.sub.1 time period: conducting statistics on self-energy, and processing the message obtained through the statistics, to obtain an energy feature, comprising the number Rcv.sub.Ak of data packets received by network elements, the consumed energy EnergyRcv.sub.Ak of the data packets received by the network elements, and forwarding rate Rate.sub.forward of a network element data packet; after the completion of a construction for the state data table of the network elements, a processing mode of the console for specific feature data of network elements in the state data table of network elements will be specially illustrated; (3) data preprocessing after the state data table of network elements is filled 1) denoising process: the console checks whether there are some non-numerical variables and obviously unreasonable data in the state data table of network elements, which are invalid; and after the denoising process is completed, the feature data set of network elements of the nth feature in the table is set as y.sub.|n={y.sub.1n, y.sub.2n, . . . , y.sub.in} i.e., the nth column of the state data table of network elements, and, threshold values of the y.sub.|n set are max.sub.n and min.sub.n where min.sub.n is a minimum value in the set and max.sub.n is a maximum value; and at this time, the console needs to pre-process a threshold range of each feature, and the console converts the threshold range (min.sub.i, max.sub.i) of each feature to that between (0, 1) through normalization function processing, that is, an eigenvalue is converted to $\frac{y_{\mathrm{in}}}{.Math.{\max }_n-{\min }_n.Math.};$ and in addition, the console also needs to rematch the weight of each feature according to the impact factor of the feature; 2) the console constructs q dimensional coordinate space, and takes q=10, and the feature data of the network elements in the state data table of network elements need to be located in a coordinate space; and at this time, the console introduces an echo coefficient C to transfer zero, so that the entire feature space is moved to a positive coordinate space, where the coefficient C is set to: c>|min|, min=min {min.sub.i, i=1, 2, . . . , q}.

2. An improved KNN-based 6LoWPAN network intrusion detection method according to claim 1, characterized in that: an analysis mode, a selection mode, a capturing mode and an abnormal judgment and decision mode of multiple quantifiable security features that can reflect a self-security state of the 6LoWPAN network element are as follows: process 1: Address assignment and resolution connecting a gateway and a 6R to a network, and fixedly assigning an address; then, after network elements FFD and RFD are connected to the network, sending a request information RS message to directly connect the 6R to request an IPv6 address, and after the 6R receives the RS message, replying a RA message, wherein the RA is used for configuring an address prefix, the network elements use the prefix to configure an IP address, and the parameters for configuring the network comprise an MTU, a hop limit, and a life value TTL; obtaining the IP addresses for the RFD and the FFD; converting MAC addresses owned by the RFD and the FFD to an interface ID through an EUI-64, and adding a link prefix; in the above process, the selection and capturing modes of the network element features are specifically as follows: 1) occurrence frequency of address unreachable response messages capturing, by the intrusion detection auxiliary device 2, an address unreachable message returned to a network element, and detecting a message rate; and once the rate exceeds a threshold, indicating that a destination address does not exist in the network, or a malicious use exists; filtering and extracting ICMP messages in T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3 by the intrusion detection auxiliary device 2; supposing that t.sub.m (m=0, 1, 2) is the starting time and t.sub.m+1 is the end time, and t.sub.m.fwdarw.t.sub.m+1 is a fixed time period, which is a time window; a is a certain network element in t.sub.m.fwdarw.t.sub.m+1, i.e., the number of ICMP error response messages received by FFD and 6R, Timestamp.sub.1 represents a certain network element in t.sub.m.fwdarw.t.sub.m+1, i.e., a timestamp of the 1st error response message received by the FFD and the 6R, and Timestamp.sub.a represents a timestamp of the ath error response message received in t.sub.m.fwdarw.t.sub.m+1; and Timestamp.sub.x represents the time of the xth message received in t.sub.m.fwdarw.t.sub.m+1; $v_{\mathrm{icmp}1}=\frac{a}{\left({\mathrm{Timestamp}}_a-{\mathrm{Timestamp}}_1\right)}$ is the occurrence frequency of the ICMP error response messages received by the network element in t.sub.m.fwdarw.t.sub.m+1; if the network is normal and not invaded, the maximum frequency of the received error response message is V′ max; (1) if $v_{\mathrm{icmp}1}=\frac{a}{\left({\mathrm{Timestamp}}_a-{\mathrm{Timestamp}}_1\right)}>V^{\prime }\max ,$ the intrusion detection device 2 determines that the network element is injured; and (2) if $v_{\mathrm{icmp}1}=\frac{a}{\left({\mathrm{Timestamp}}_a-{\mathrm{Timestamp}}_1\right)}\le V^{\prime }\max ,$ the network element is normal; for Feature1, above features are established in this step: frequency of address unreachable message, and the weight is set as weight.sub.1; process 2: establishment of network routing an intrusion detection mechanism performs following steps of: capturing, analyzing and extracting an established routing control message in accordance with RFC6550 by monitoring the network element, wherein the information on an MN monitoring list comes from DIO and DAO messages identifying network elements; MN monitoring list: i. a network element ID and a rank thereof ii. a preferred parent network element ID of the network element and the rank thereof iii. the number of topology changes/establishments of the network element in a time period iv. an ETX value of a network element, which is obtained from a DIO message broadcast by the network element v. change of a network element as a parent network element, which comes from DAO messages of other network elements vi. the number of sub-network elements calculated by a parent network element item; it is required that the sent and received network elements along a route are obliged to check whether a rank rule is broken, and a rank-error bit is set in RPL packet information, to ensure that a rank value cannot be faked; in the above processes, an execution step of which a network element in the network and an intrusion detection auxiliary device capture feature data are as follows: each monitoring network element is responsible for monitoring features of a network element object within a monitoring scope thereof in the time periods of T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3, and when the monitoring network element hears the DIO message from the network element object for the first time, it illustrates that a topology starts setting and the state changes; and then, the monitoring network element extracts all necessary information (i.e., a monitoring list) in specific entries of the objects in a monitoring table thereof from the DIO and DAO messages, to determine control messages sent or received by monitored network element objects; in the above processes, the network element features are selected specifically as: 2) the number of DODAG ID changes (the number of topology changes/establishments in a time period) if MN detects any change related to a preferred parent network element in the DIO message, that is, the DODAG ID changes or level of the network element becomes an infinitive, and a state change is recorded; and if the state changes frequently and the number of changes exceeds the threshold, any network element behavior that results in a local repair will be recorded in the monitoring network element; and the network element that results in the local repair is abnormal; for Feature2, the above features are established in this step: the number of topology changes/establishments in a time period (i.e., the number of changes), and the weight is set as weight.sub.2; 3) the number of sub-network elements calculated by a parent network element item when MN detects that an ETX relationship between a parent network element and a sub-network element in a monitoring list is broken, that is, an ETX value of the parent network element is large and a route is invalid, and at this time, RPL starts a local repair mechanism to restore a network routing topology; and if the number of the sub-network elements calculated by the parent network element item increases beyond the threshold value, the threshold value depends on a fluctuation of a network environment and a network size, that is, when the network element broadcasts, the ETX value thereof decreases and at the same time the increase of sub-network element thereof exceeds the threshold value, showing that the sub-network element is invaded; and the network element is necessarily abnormal; thus, two features such as the ETX value of the network element and the increment number of the sub-network elements are known to jointly judge the security state of the network element; and the increment number of the sub-network elements is the quantity of state, which cannot be recorded in the state data table of network elements, therefore, “the number of the sub-network elements calculated by the parent network element item” is recorded in the state data table of network elements, and the ETX value of the network element cooperates with this feature of “the number of the sub-network elements calculated by the parent network element item”, and when the ETX value of the network element decreases, this feature of “the number of the sub-network elements calculated by the parent network element item” is recorded; and if the ETX value of the network element does not decrease, this feature has no influence, and both the eigenvalue and the weight thereof are set to 0; and a feature of the number of the sub-network elements calculated by the parent network element item is taken as a factor, and the weight is set as Feature3; process 3: acquisition of network resource state An application layer of a network architecture adopts a CoAP protocol subscriber pattern to collect information, and execution action steps of each unit in the network and an execution step of which a network element in a network and the intrusion detection auxiliary device 1 capture feature data are as follows: when the data changes, sending a notification to a client as a request response by a network element to which each proxy client subscribes, wherein the notification is a CON message; and capturing the CON message sent to 6R and calculating the notification rate from each network element statistically by the intrusion detection auxiliary device 1; 4) differences that a proxy network element and an intrusion detection auxiliary device 1 detect a CON message each proxy network element, that is, does not collect the information, and network elements for only forwarding need to statistically monitor the number of the CON messages from different network elements in T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3; once a certain network element is detected to send notifications too frequently, exceeding the threshold value, it illustrates that the network is abnormal, and at this time, it is impossible to determine whether the proxy network element is abnormal or a network element (i.e., a server) in a sub-network is abnormal, therefore, the statistical information by the intrusion detection auxiliary device 1 and the proxy network element is compared. CON.sub.proxy is an occurrence frequency of CON messages captured by the proxy network element; CON.sub.IDS is the occurrence frequency of CON messages captured by the intrusion detection auxiliary device; Supposing that ΔCON=|CON.sub.proxy−CON.sub.IDS| if ΔCON is overlarge, the console further compares CON.sub.proxy−CON.sub.IDS if CON.sub.proxy−CON.sub.IDS>0, the proxy network element is abnormal; and if CON.sub.proxy−CON.sub.IDS<0, the server is abnormal; the notification is the CON message, 6R and the proxy network element need ACK to respond to the CON message, and if the ACK response is not received for a long time, the client will automatically cancel the subscription to the server network element; 5) differences that a proxy network element and an intrusion detection device detect an ACK message the intrusion detection auxiliary device 1 needs to statistically monitor the occurrence frequency at which the gateway returns the ACK message in T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3; and the proxy also needs to statistically monitor the occurrence frequency of the ACK message in T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3; if an occurrence frequency of ACK messages is significantly lower than that of CON messages, it illustrates that the gateway or the proxy network element is abnormal; at this time, the occurrence frequency of statistical ACK messages by the gateway and the proxy network element is compared to further judge the abnormity; and the judgment for the CON message is similar. ack.sub.proxy is an occurrence frequency of CON messages captured by the proxy network element; ack.sub.IDS is the occurrence frequency of CON messages captured by the intrusion detection auxiliary device 1; in the above features, the occurrence frequencies of ACK messages captured respectively by the proxy network element and the intrusion detection auxiliary device are related; the establishments of Feature4 and Feature5 are completed; Feature4: ΔCON=|CON.sub.proxy−CON.sub.IDS|, with the weight of weight.sub.4; Feature5: Δack=|ack.sub.proxy−ack.sub.IDS|, with the weight of weight.sub.5; 6) occurrence frequency of response messages when a message is overlarge during a data packet uploading process, if a data packet exceeds a current network element MTU, the data packet will be discarded and an ICMP error report message will be returned; an intrusion detection auxiliary device 2 filters and extracts ICMP messages in T.sub.0.fwdarw.T.sub.1, T.sub.1>T.sub.2 and T.sub.2.fwdarw.T.sub.3; supposing that t.sub.m (m=0, 1, 2) is the starting time and t.sub.m+1 is the end time, and t.sub.m.fwdarw.t.sub.m+1 is a fixed time period, which is a time window; b is the number of ICMP error response message received in t.sub.m.fwdarw.t.sub.m+1, Timestamp.sub.1′ represents a timestamp of the 1st error response message received in t.sub.m.fwdarw.t.sub.m+1, and Timestamp.sub.b′ represents a timestamp of the bth error response message received in t.sub.m.fwdarw.t.sub.m+1; and Timestamp.sub.x′ is the time of xth message received in t.sub.m.fwdarw.t.sub.m+1; $v_{\mathrm{icmp}2}=\frac{b}{\left({\mathrm{Timestamp}}_{b^{\prime }}-\mathrm{Time}s{\mathrm{tamp}}_{1^{\prime }}\right)}$ is the occurrence frequency of the error response message received by the injured network element in t.sub.m.fwdarw.t.sub.m+1; if the network is normal and not invaded, the maximum frequency of the received error response message is V.sub.max (3) if $v_{\mathrm{icmp}2}=\frac{b}{\left({\mathrm{Timestamp}}_{b^{\prime }}-\mathrm{Time}s{\mathrm{tamp}}_{1^{\prime }}\right)}>V_{\max },$ the network element is injured; and (4) if $v_{\mathrm{icmp}2}=\frac{b}{\left({\mathrm{Timestamp}}_{b^{\prime }}-\mathrm{Time}s{\mathrm{tamp}}_{1^{\prime }}\right)}\le V_{\max },$ the network element is normal; the establishment of Feature6 is completed; Feature6: $v_{\mathrm{icmp}2}=\frac{b}{\left({\mathrm{Timestamp}}_{b^{\prime }}-\mathrm{Time}s{\mathrm{tamp}}_{1^{\prime }}\right)},$ with the weight of weight.sub.6; 7) energy feature in addition, during a normal operation of the network, an FFD and a 6R need to conduct energy statistics. The specific measures are as follows: the FFD and the 6R store neighbor information in a routing registry; and a neighbor table and DODAG are as follows: four network elements k1, k2, A, B are supposed k1, k2 forwards data to A, and A forwards the data to B; Supposing that Rcv.sub.Ak1 is the number of data packets that A receives k1, Rcv.sub.Ak2 is the number of the data packets that A receives k2, Rcv.sub.Ak is the number of the data packets that A receives all next-level network elements k1 and k2, and Sent.sub.A is the number of the data packets that A forwards to an upper-level network element B; a network element i needs to attach a timestamp to the data packets received and sent thereby, so as to conduct periodic energy statistics, and a statistical energy is used as key security information on abnormal detection; for the energy statistics, the statistics on the energy of a received packet and a sent packet is conducted; a Kbit data packet is sent within a distance d, which is represented as ETx(k,d), and the Kbit data packet is received, which is represented as ERx(k,d), and a distance between neighboring nodes is set within the distance d; if the network is invaded, there are two abnormal network elements: one is an attacked network element, and the other is a captured and controlled puppet network element; there are three attack scenarios: 1) intermediator forwarding attack: the network element loses the packet seriously, and just sends the data packet symbolically; 2) DoS attack: the puppet network element constantly sends the data packet, which consumes the network energy and seriously even causes the network paralysis; 3) Death of ping attack: the puppet network element constantly sends small data packet, which causes the injured network element to have no time to process other data packets; when the network is not invaded, the network element A receives a minimum of n data packets from each next-level network element in t.sub.m.fwdarw.t.sub.m+1, receives the total energy of the data packets from each next-level network element in t.sub.m.fwdarw.t.sub.m+1, with the minimum of Energymin, and receives the total energy of the data packets from each next-level network element in t.sub.m.fwdarw.t.sub.m+1, with the maximum of Energymax; it specifies that when the network is not invaded, a minimum rate of a forwarded packet is V.sub.min; supposing that the forwarding rate is Rate.sub.forward and $Rat{e}_{\mathrm{fowar}d}=\frac{En\mathrm{ergySen}t}{\mathrm{EnergyTotalRcv}};$ 1) intermediator forwarding attack (1). if Rcv.sub.Ak1<n, a network element k1 loses the packet seriously, which is judged as a malicious node; (2). if Rcv.sub.Ak2<n, a network element k2 loses the packet seriously, which is judged as the malicious node; (3). if Rate.sub.forward<V it is judged that a network element A is a malicious intermediator node; (4). if Rate.sub.forward>V min, an abnormity is not founded in the network; the features captured by the network element i are illustrated and specially processed: although the features Rcv.sub.Ak1 and Rcv.sub.Ak2 are captured by the network element A, the features are actually the feature attributes of next-level network elements, i.e., k1 and k2; 2) Death of ping attack 3) DoS attack when Rcv.sub.Ak1>n, there are following conditions: (5) Energy min>EnergyRcv.sub.Ak1, the network element k1 is abnormal, judging that the network element A is under death of ping attack; (6) Energy min>EnergyRcv.sub.Ak2, the network element k2 is abnormal, judging that the network element A is under death of ping attack; (7) Energy min<EnergyRcv.sub.Ak1<Energy max, the abnormity is not founded in the network; (8) Energy min<EnergyRcv.sub.Ak2<Energy max, the abnormity is not founded in the network; (9) Energy max>EnergyRcv.sub.Ak1, the network k1 is abnormal, and the network element A is under DoS attack; and (10) Energy max>EnergyRcv.sub.Ak2, the network k2 is abnormal, and the network element A is under DoS attack; features captured by the network element A are illustrated and specially processed: although the features EnergyRcv.sub.Ak1 and EnergyRcv.sub.Ak2 are captured by the network element A, the features are actually the feature attributes of the next-level network elements, i.e., k1 and k2; a network element A finally needs to send the information on Rate.sub.forward, EnergySent, Rcv.sub.Ak1, Rcv.sub.Ak2, EnergyRcv.sub.Ak1, EnergyRcv.sub.Aka and EnergyRcv to the gateway; these information on Rcv.sub.Ak1, Rcv.sub.Ak2, EnergyRcv.sub.Ak1 and EnergyRcv.sub.Ak2 are respectively feature data of k1 and k2, and homogeneous feature data of the network element A is statistically calculated by the upper-level network element B of the network element A and recorded as Rcv.sub.m; the establishment of Feature {7, 8, 9} is completed; Feature7: Rcv.sub.Ak, with the weight of weight.sub.7; Feature8: EnergyRcv.sub.Ak, with the weight of weight.sub.8; although the features Rcv.sub.Ak and EnergyRcv.sub.Ak are captured by the network element A, the features are actually the feature attributes of the next-level network elements, i.e., k1 and k2; above two feature data do not belong to the network element A; and the captured information is added to the feature attributes of k1 and k2; Feature9: Rate.sub.forward, with the weight of weight.sub.9; a learning process is summarized as follows: the features are selected as follows: Feature1: $v_{\mathrm{icmp}1}=\frac{a}{\left({\mathrm{Timestamp}}_a-{\mathrm{Timestamp}}_1\right)},$ with the weight of weight.sub.1; Feature2: Num.sub.topo (the number of topology changes/establishments in a time period), with the weight of weight.sub.2; Feature3: Num.sub.sub (the number of sub-network elements calculated by a parent network element), with the weight of weight.sub.3; Feature4: ΔCON=|CON.sub.proxy−CON.sub.IDS|, with the weight of weight.sub.4; Feature5: Δack=|ack.sub.proxy−ack.sub.IDS|, with the weight of weight.sub.5; Feature6: $v_{\mathrm{icmp}2}=\frac{b}{\left({\mathrm{Timestamp}}_{b^{\prime }}-\mathrm{Time}s{\mathrm{tamp}}_{1^{\prime }}\right)},$ with the weight of weight.sub.6; Feature7: Rcv.sub.Ak, with the weight of weight.sub.7; Feature8: EnergyRcv.sub.Ak, with the weight of weight.sub.8; Feature9: Rate.sub.forward, with the weight of weight.sub.9; weights assigned to each feature by the console are multiplied by corresponding feature data, and a result of adding all feature data assigned to the weights can effectively reflect the state of the network element; at this point, the feature data of the network elements has been quantitatively analyzed in terms of features and typical attacks of the 6LoWPAN network, a qualitative analysis on a selection of the features, states of the network elements and specific indicators of an action execution of the network elements in the network, and a quantitative analysis on feature data of the network elements have been completed.

3. An improved KNN-based 6LoWPAN network intrusion detection method according to claim 1, characterized in that: the direct judgment method based on the feature of a certain network element is that: in the process of acquiring the feature of the network element, directly judging, by the intrusion detection system, whether the intrusion exists by one of the acquired features of network elements, wherein selection and capturing modes of the features of network elements are specifically that: 1) RA address prefix each time a 6R network element sends a RA message, an intrusion detection auxiliary device 1 is close to the 6R network element, captures the RA message in the T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3 time periods respectively, and parses and compares the RA message contents; and captures different messages from the 6R, wherein the address prefixes are respectively: prefix.sub.1, prefix.sub.2, . . . , prefix.sub.n the intrusion detection auxiliary device 1 sends this message to the console, which parses the message and extracts an address prefix, and performs an XOR operation on the address prefix; if prefix.sub.1⊕prefix.sub.2⊕ . . . ⊕prefix.sub.n=1, the console directly judges that the 6R network element is abnormal; if prefix.sub.1⊕prefix.sub.2⊕ . . . ⊕prefix.sub.n=0, the 6R network element is normal; 2) RA message frequency in addition, the intrusion detection auxiliary device 1 statistically monitors the frequency of the RA message that the 6R network element occurs in T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3 time periods, which is expressed as v.sub.na: supposing that the 6R network element is under normal condition, the occurrence frequency of the RA message is v.sub.limit-na, if v.sub.limit-na>v.sub.na, the 6R network element is normal; and if v.sub.limit-na<v.sub.na, the console directly judges that the 6R network element is abnormal; 3) NS message frequency the intrusion detection auxiliary device 2 monitors NS messages of subnet intranet elements in T.sub.0.fwdarw.T.sub.1, T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3 time periods respectively, which is expressed as v.sub.s.once any network element receives NS frequency exceeding the limit, the subnet intranet elements are actively detected, that is, the subnet intranet elements send NS messages in reverse; and if NA is not returned, or NA messages from other MAC addresses are received, a behavior is proved to be abnormal, ND table entries are not updated, and the behavior is reported to the console; supposing that the network element is under normal condition, the frequency limit of the received NS message is v.sub.limit-ns, and supposing that a source IP address of the received NS message is Address0, the source IP address of the returned NA message is Address1; if v.sub.ns>v.sub.limit-ns, the NS message is sent in reverse; step 1: if the NA message is not returned, the network element is directly judged to be abnormal; and step 2: if the NA message is returned, the IP address is compared; Address0⊕Address1=1, the console directly judges that the network element is abnormal; Address0⊕Address1=0, the network element is normal; and if v.sub.ns<v.sub.limit-ns the network element is normal; 4) occurrence frequency of get messages when a customer 6R needs data and sends get messages, the intrusion detection device 1 needs to statistically monitor the get messages captured from 6R in T.sub.0.fwdarw.T.sub.1 T.sub.1.fwdarw.T.sub.2 and T.sub.2.fwdarw.T.sub.3 and calculate the occurrence frequency of the get messages, and once the frequency exceeds the limit threshold, the 6R network element is directly judged to be abnormal; 5) rank-error bit in RPL packet information an MN receives level information during DIO check, and if the monitoring network element detects any child/parent relationship that breaks a rank rule, the network element with changed rank is abnormal; and this feature means that once the rank value changes, the sent or received network elements along a route check that the rank rule is broken, and the rank-error bit in RPL packet information becomes 1, then it can be directly judged that the network element is directly judged to be abnormal; and this feature means the rank value change is directly judged to be abnormal.

4. An improved KNN-based 6LoWPAN network intrusion detection method according to claim 1, characterized in that: the step S2 is specifically: 1) constructing a hypercube feature space with continuous fixed size, supposing the hypercube is C.sub.u1, . . . , uq and its diagonal is $\frac{d}{2};$ 2) global contour forming process: when feature data of the network elements in the state data table of network elements are filled, calculating a position of a hypercube C.sub.u1, . . . , uq by a console, and calculating the frequency of each hypercube position, i.e., the number of the data in the hypercube, thereby forming a global normal contour; 3) after the global normal contour is formed, performing online detection by the console, k is the parameter in the intrusion detection mechanism, which is specified by the user, wherein if state data of network elements in the hypercube where the state data of network elements are located are greater than k, the states of network elements are normal; or detecting the state data of network elements in a detection area being replaced, wherein if the data are greater than k, the states of network elements are normal; positioning the state data of network elements in the hypercube feature space and calculating whether the state data of network elements fall into the normal profile by the console.

5. An improved KNN-based 6LoWPAN network intrusion detection method according to claim 1, characterized in that: the step S3 is specifically: first, forming a part of state data table of network elements in the console; when the state data of network elements fill in the state data table of network elements at the console end, forming a normal profile in a feature space constructed by the console; after the state data table of network elements are filled for the first time in the T.sub.0.fwdarw.T.sub.1 and T.sub.1.fwdarw.T.sub.2 time periods, conducting the first round of detection; conducting the first round of detection, at the same time, continuing to fill in the state data table of the next round of network elements; when the state data amount of the network element saved by the console in T.sub.2.fwdarw.T.sub.3 reaches $\frac{i}{p},$ randomly selecting, by the console, the state data of network elements saved in T.sub.2.fwdarw.T.sub.3 time period at the probability p, filling the state data of the selected network elements into the state data table of network elements, and discarding remaining data; and when the state data table of network elements is completely replaced by new data, sending, by the network element, a request to update the state data table of network elements, and relearning and updating the normal profile; Specifying that T.sub.2.fwdarw.T.sub.3 is a period for updating the state data table of network elements, and the period is fixed; and the 6LoWPAN network adopts a distributed mode of real-time operation; an operation of the distributed mode requires all sensor nodes to participate in an internal calculation of the network, and the collection of network features needs the cooperation of each network element in the network, instead of being captured by the intrusion detection auxiliary device; in addition to being captured of the auxiliary device, the feature data of an IPv6 wireless sensor network also has the cooperation of the network elements in the subnet, and following points need to be considered for the scheduling of network resources: 1) monitoring network element (MN) will monitor the communications from the neighbor thereof, comprising parent network element and child network element thereof; 2) the network element is actively detected, that is, the network element sends the NS message in reverse, and passes through a temporarily applied GTS time slot; 3) finally, the network element A simply sends the Rate.sub.forward, EnergySent, Rcv.sub.Ak, EnergyRcv.sub.Ak and EnergyTotalRcv information to the gateway; 4) a detection module of each network element performs the local normal profiledetection, and finally uploads an abstract to a cluster-head network element; 5) the cluster-head network element also needs to send the global normal profile to each network element; 6) each proxy network element RFD detects the CON/get/ACK message rate; in addition, above 6 points that need to be considered occur in parallel, and tasks of some network elements are multiple, and the above 6 points need to be considered simultaneously in time slot allocation, so that communication resources can be reasonably configured.

Description

DESCRIPTION OF DRAWINGS

[0243] To enable the purpose, the technical solution and the beneficial effects of the present invention to be more clear, the present invention provides the following drawings for explanation:

[0244] FIG. 1 is an intrusion detection architecture of a 6LoWPAN network;

[0245] FIG. 2 is a sequence diagram of data capturing;

[0246] FIG. 3 is an action in T0 to T1;

[0247] FIG. 4 shows that (a) is an action in T0 to T1; and (b) is an action in T2 to T3;

[0248] FIG. 5 is the occurrence time for first detection;

[0249] FIG. 6 is a sequence diagram of an intrusion detection process; and

[0250] FIG. 7 is a 6LoWPAN heterogeneous network in an embodiment.

DETAILED DESCRIPTION

[0251] Preferred embodiments of the present invention will be described below in detail in combination with drawings.

[0252] The embodiment mainly illustrates the process of intrusion detection after 6LoWPAN heterogeneous network attack, describes a logical process of intrusion detection, and illustrates the effect after detection.

[0253] A 6LoWPAN heterogeneous network in an embodiment is shown in FIG. 7 below:

[0254] The role description has been illustrated in FIG. 1 of the present invention.

[0255] Simulated Attack Implementation:

[0256] The attack is an attack against the 6LoWPAN network, so an attacker needs to attack within the wireless coverage range (within 30 meters) of a vulnerable network element.

[0257] The 6LoWPAN is a wireless communication specification constructed based on IEEE 802.15.4, which allows the forwarding of the IPv6 packet through low-power Personal Area Networks (PAN).

[0258] In order to monitor and inject 6LoWPAN traffic, a peripheral device based on an IEEE 802.15.4 specification is needed. The device is installed with an ATMEL AVR Raven of a Contiki 6LoWPAN firmware image, and provides a standard network interface, which can monitor and inject the network traffic into the 6LoWPAN network. The network traffic is monitored and injected into the 6LoWPAN network through the network interface.

[0259] Through an incoming process of a new node and by monitoring the data packet captured from the 6LoWPAN network simultaneously, the network protocol thereof is parsed, and the message is constructed, to control the network element and send any data packet.

Embodiment

[0260] Attack results: Suppose the node 10 implemented by attacking is captured. That is, the node 10 is a puppet network element.

[0261] Intrusiondetection implementation: [0262] 1) Constructing a state data table of the network elements;

[0263] There are nodes in the network, with the total of 12 network elements. wherein, a 6R network element exists.

[0264] Therefore, the state data amount of network elements is 20.

[0265] The network starts running, each network element captures the data in T.sub.0.fwdarw.T.sub.1 and T.sub.1.fwdarw.T.sub.2, and the state data table of the network elements is firstly formed on the console.

[0266] The algorithm to firstly form the state data table of network elements is as follows:

TABLE-US-00021 Algorithm(1): Produce-ST(state table) Input: featuredata //feature data Output: motestate // state set of network elements, i.e., state data table of network elements Do: 1:  ST produce-ST 2: if T0<t<T2 else Update-ST 3:  for i=1,...20 4:  for q=1,...10 5: 6: the data is suffered in ST 7:  return 8:  motestate = ST 9:  End

[0267] 2) Detection process: constructing feature space, and establishing normal contour.

TABLE-US-00022 Algorithm(2): Detection Input: y.sub.i,k,c,h // state data of network elements, and detection algorithm parameters Output: label // detection results Do: 1:label=detection 2: mote state y.sub.i arrives in 3:for i =1,...,20 [00026]$4\text{:}{u}_i=\frac{y_i\text{+}c}{h}\text{,}\mathrm{pos}\text{=}.Math.u_i.Math.$ 5: Index=find-index(ST,pos) 6: if ST[index].count≥k label=normal; return 7: for i =1,...,20 [00027]$8\text{:}\mathrm{if}{u}_i-.Math.u_i.Math.>\frac{1}{2}{e}_i\text{=}1\text{,}\mathrm{else}{e}_i\text{=}\mathrm{–1}$ 9: count=0 10: for v.sub.1=u.sub.1, u.sub.1+e.sub.1,..., v.sub.19=u.sub.19, u.sub.19+ e.sub.19 11: v.sub.20= u.sub.20,pos=0 12: for i=1,...20 13: pos=└v.sub.i┘ 14: count=ST(pos).count+ST(pos+e.sub.20).count 15: if count < k label=anomaly,else label=normal 16: End

[0268] Intrusiondetection results:

[0269] See parameter k=1/12*20≈2

[0270] In the process of intrusion detection, the data points in a hypercube where node 10 is located are less than K, so the node 10 is judged to be abnormal.

[0271] 3) Updating process

TABLE-US-00023 Algorithm(3): Update-ST(state table) Input: p,feature data // probability, and feature data Output: motestate // state set of network elements, i.e., state data table of network elements Do:  1:  ST Update-ST  2: assume p=1/3  3: if t>T2  4: for i=1,...60  5: for q=1,...10  6:  7: the data is suffered in ST  8:  return  9:  mot estate = randomlyselect20datainST 10: End

[0272] Finally, it should be noted that the above preferred embodiments are only used for describing, rather than limiting the technical solution of the present invention. Although the present invention is already described in detail through the above preferred embodiments, those skilled in the art shall understand that various changes in form and detail can be made to the present invention without departing from the scope defined by claims of the present invention.