Research on security situation awareness method of Internet of things based on evidence theory

Abstract

Social Internet of things technology is developing rapidly , The security problem is becoming more and more serious , This paper studies the simple and easy-to-use security situation awareness method of the Internet of things . The current security situational awareness system of the Internet of things is lack of versatility 、 The disadvantage of relying too much on expert knowledge , A method based on improved D-S Internet of things security situational awareness method based on evidence theory . The membership matrix of vulnerability information is calculated by using fuzzy Gaussian membership function , Normalized as evidence distribution matrix ; Use to improve Topsis Methods to measure the credibility of evidence , Aggregate the local credibility between two evidences , Improve the expected positive and negative solution vector according to the situation assessment scenario , Fully suppress the credibility of conflicting evidence , Improve the credibility of mutually supportive evidence , Using the weighted average method to fuse vulnerability information, the situation assessment results are obtained ; Based on the fusion of time factor discount and high-risk vulnerability proportional discount evidence theory, the situation awareness results , Use time factor to aggregate multiple situation assessment data , Discount the situation assessment evidence at different times according to the time scale , The closer to the current moment, the smaller the discount of evidence , On the contrary, the bigger . meanwhile , Comprehensively consider the vulnerability information of the Internet of things at different times , Use the proportion information of high-risk vulnerabilities to carry out adaptive dynamic weighting , Discount high-risk information at different times into the identification framework , The risk change information of the system is concentrated in the process of evidence fusion . Experiments show that , In different quantitative evidence body fusion and 4 Common conflict evidence fusion , improvement Topsis The method has a higher fusion probability for credible propositions ; In the aspect of situation assessment , Accurately assess the current system risk ; In terms of situational awareness , Discount theory can fully predict the probability of high risk and emergency risk , Than traditional D-S Evidence theory is more effective . According to the proposed theory, a method and process of IOT security situational awareness is designed to guide engineering practice , In the future, in terms of vulnerability information utilization , Consider the relationship between vulnerabilities , Refine richer situation information between vulnerabilities , Make the result of situation assessment more accurate and reasonable , You can also learn from the idea of game theory in the attacker 、 Defenders conduct situational awareness in the process of dynamic game .

key word ： D-S Evidence theory  ;  Situational awareness  ;  Internet of things security  ;  Time evolution  ;  Common vulnerability scoring system

0 introduction

With the advent of intelligent era , The Internet of things system is developing rapidly , Various applications based on Internet of things technology are becoming more and more mature . The Internet of things is the traditional Internet in “ matter ” An extension of ,“ All things connected ” It is the wonderful vision of the Internet of things . The Internet of things is rapidly building the interaction scene between people and things , A lot of security problems have arisen . In complex network environment , The IOT system has a large number of device firmware programs , A bit careless , Will be used by hackers , Bring huge losses to society [1]. The increasingly serious security problems of the Internet of things make people have to pay attention to the research on the security situation awareness of the Internet of things . Situation awareness mainly includes the extraction of situation elements 、 Device scanning 、 Safety analysis 、 Situation assessment and situation awareness [2]. In a general way , It is necessary to carry out comprehensive and unified security data integration for the Internet of things system , Form a unified monitoring 、 Centralized analysis 、 Centralized situational awareness system [3]. The traditional information security risk research work is just a static evaluation and protection work [4], Situational awareness systems utilize time evolution , In order to carry out safety protection in the dynamic process .

In the field of traditional information security risk assessment , The scheme of comprehensive evaluation by combining qualitative and quantitative methods occupies the mainstream [5-6]. Qualitative analysis methods mainly include Delphi method , Give a comprehensive evaluation with the knowledge and experience of the expert group , The disadvantage is that subjectivity is too strong ; Quantitative analysis methods mainly include fault tree analysis and Bayesian network analysis , Emphasize the importance of objective laws in specific scenes , But it is not suitable for complex scenes ; Qualitative and quantitative analysis methods mainly include analytic hierarchy process and fuzzy analytic hierarchy process , Subjectivity and objectivity are organically combined , Good expansibility , But the judgment matrix is still determined according to expert opinions . besides ,D-S Evidence theory is also widely used in information security risk assessment , Used to fuse multiple risk evidences [7]. In a general way ,D-S Evidence theory is combined with analytic hierarchy process or fuzzy analytic hierarchy process , Analytic hierarchy process establishes an evaluation index set for information security risk assessment under specific scenarios , When determining the weight of hierarchical factors, use D-S Evidence for multi feature fusion , Make the weight distribution of parameters more objective and reasonable . But in tradition D-S Under evidence theory, the fusion result is inconsistent with common sense when evidence conflicts , Many experts and scholars based on this problem D-S Improve evidence theory , Adapt it to more complex evidence synthesis scenarios .

The situation awareness method mainly uses the evidence network model [8]、 Markov model [9]、 Neural network model [10-11]、 Bayesian network model [12], But the structure of these models is complex , The training is difficult , Parameter explosion is easy to occur in the real scene .

For the above problems , This paper focuses on D-S Application of evidence theory in the security situational awareness model of the Internet of things .

1) In the aspect of situation assessment , This article uses improved Topsis Methods to measure the credibility of evidence , Reduces the credibility of conflict evidence , Maintain the credibility of mutually supportive evidence , Proved by experiment , In terms of different quantitative evidence bodies and common conflict evidence , After fusion, the basic probability of correct proposition is assigned higher .

2) In terms of situational awareness , This paper proposes a discount based on time discount and high-risk vulnerability proportion D-S Evidence theory , Good situation awareness results are obtained by fusing situation assessment data at multiple times .

1 D-S Evidence theory

1.1 Tradition D-S Evidence theory

In tradition D-S In evidence theory , Define the identification framework of standard variables  θ={ θ1,θ2,⋯,θn}θ={θ1,θ2,⋯,θn}, It belongs to power set 2θ The elements of A It's about variables θ Value proposition , Or Jiao yuan . About proposition A The function of is defined as the probability distribution function BPA, Commonly referred to as mass function , abbreviation m function .

m(∅)=0,∑A⊆θm(A)=1　　　　(1)m(∅)=0,∑A⊆θm(A)=1　　　　(1)

Trust function , Is defined as the probability distribution sum of a subset of propositions , Indicates the degree of trust in the proposition as true .

Bel(A)=∑B⊆Am(B), ∀A⊆θ　　　　(2)Bel(A)=∑B⊆Αm(B), ∀A⊆θ　　　　(2)

Likelihood function , It is defined as the sum of set probability distributions with empty intersection with propositions , Indicates the degree of trust in a proposition that is not false .

Pl(A)=1−Bel(¬A)=Pl(A)=1−Bel(¬Α)=

1−∑B⊆¬Anm(B)=∑B∩A=∅nm(B),∀A⊆θ　　　(3)1−∑B⊆¬Αnm(B)=∑B∩Α=∅nm(B),∀A⊆θ　　　(3)

The trust function defines the lower bound of trust for a proposition to be true , The likelihood function defines the proposition as the upper bound of non false trust , Describe uncertainty in terms of intervals . because  {¬A,A}⊆θ{¬A,A}⊆θ, Pl(A)≥Bel(A). actually ,[Bel(A),Pl(A)] Represent a proposition A The uncertainty interval of ,[0,Bel(A)] Express the right proposition A Supported evidence interval ,[0,Pl(A)] Express the right proposition A The range of plausible evidence ,[Pl(A),1] Express the right proposition A Proof of rejection interval .

When there is n A piece of evidence m1,m2,m3,⋯,mnm1,m2,m3,⋯,mn When integration is needed , The composition rule is

m(A)=(m1⊕m2⊕⋯⊕mn)A=m(A)=(m1⊕m2⊕⋯⊕mn)A=

11−K∑∩i=1nAi=A∏i=1nmi(Ai)　　　　(4)11−K∑∩i=1nAi=A∏i=1nmi(Ai)　　　　(4)

among ,K It is called conflict factor , operator ⊕ It is called fusion operator .

K=∑∩i=1nAi=∅m1(A1)m2(A2)⋯mn(An)=K=∑∩i=1nAi=∅m1(A1)m2(A2)⋯mn(An)=

∑∩i=1nAi=∅∏i=1nmi(Ai)=1−∑∩i=1nAi≠∅∏i=1nmi(Ai)　　　　(5)∑∩i=1nAi=∅∏i=1nmi(Ai)=1−∑∩i=1nAi≠∅∏i=1nmi(Ai)　　　　(5)

Tradition D-S Evidence theory satisfies commutative law and associative law on fusion operator . The exchange law is m1⊕m2=m2⊕m1m1⊕m2=m2⊕m1, The law of association is m1⊕(m2⊕m3)=(m1⊕m2)⊕m3m1⊕(m2⊕m3)=(m1⊕m2)⊕m3.

Tradition D-S Evidence theory is on the rule of composition , The product term is used for fusion , Then normalize to get the final fusion result , When the basic probability of evidence to proposition is 0 when , After evidence fusion, the result is still 0, Even if other evidence confirms the proposition with high probability . except “0 Confidence conflict ”, Tradition D-S Evidence theory and “1 Confidence conflict ”“ Complete conflict ”“ High conflict ” And so on , Here 4 In the case of paradox , The traditional rule of evidence synthesis is no longer applicable [13].

To the traditional D-S The improvement of evidence theory is mainly reflected in two directions , Improve the composition rules or improve the distribution of evidence [13]. Improve the synthesis rules of evidence , Think cause 4 The root of the paradox lies in the imperfection of the rule of evidence synthesis , Most of the improved schemes are weighted sum improvements based on the original product terms . Improve the distribution of evidence , It is considered that the synthesis rule is generally applicable , It is the unreasonable distribution of evidence that produces 4 The problem with this paradox , Fully measure the conflict between evidences , And transfer the conflict between evidences .

1.2 Based on improvement Topsis Method evidence credibility measure

Topsis The method is generally used in multi-objective comprehensive evaluation scenarios [14], Based on the distance between the evaluation target and the expected positive and negative solution in the evaluation index, the optimal target scheme is determined . In a general way , The expected positive solution is the vector composed of the maximum value of each evaluation index , The expected negative solution is the vector composed of the minimum value of each evaluation index , It is often necessary to standardize and forward the initial data before evaluation .

Suppose there is n Evaluation objectives 、m Evaluation indicators ,zij Indicates the evaluation objective i In the evaluation index j The score in the game , Because different evaluation indicators have different dimensions , So avoid “ Large numbers take decimals ” The situation of , It needs to be standardized , as follows .

zij˜=zij∑i=1nz2ij√,i=1,2,⋯,n,j=1,2,⋯,m　　　　(6)zij˜=zij∑i=1nzij2,i=1,2,⋯,n,j=1,2,⋯,m　　　　(6)

Define the expected positive solution as the vector composed of the maximum value of each evaluation index as follows .

Z+=[z+1,z+2,⋯,z+m]=[max(z11˜,z21˜,⋯,zn1˜),⋯,Z+=[z1+,z2+,⋯,zm+]=[max(z11˜,z21˜,⋯,zn1˜),⋯,

max(z1m˜,z2m˜,⋯,znm˜)]　　　　(7)max(z1m˜,z2m˜,⋯,znm˜)]　　　　(7)

Define the expected negative solution as the vector composed of the minimum value of each evaluation index as follows .

Z−=[z−1,z−2,⋯,z−m]=[min(z11˜,z21˜,⋯,zn1˜),⋯,Z−=[z1−,z2−,⋯,zm−]=[min(z11˜,z21˜,⋯,zn1˜),⋯,

min(z1m˜,z2m˜,⋯,znm˜)]　　　　(8)min(z1m˜,z2m˜,⋯,znm˜)]　　　　(8)

Define evaluation objectives i The distance of the expected positive solution is

D+i=∑j=1m(zij˜−z+j) 2−−−−−−−−−−−−⎷　　　　(9)Di+=∑j=1m(zij˜−zj+) 2　　　　(9)

Define evaluation objectives i The distance of the expected negative solution is

D−i=∑j=1m(zij˜−z−j) 2−−−−−−−−−−−−⎷　　　　(10)Di−=∑j=1m(zij˜−zj−) 2　　　　(10)

Define evaluation objectives i The non normalized score is

S+i=D−iD+i+D−i　　　　(11)Si+=Di−Di++Di−　　　　(11)

Topsis Methods by calculating the relative closeness between the evaluation goal and the positive solution, the advantages and disadvantages of the goals are measured , If the distance from the positive solution is closer , It shows that the distribution of the evaluation objective on the evaluation index is more similar to the positive solution , The closer the value of the evaluation target on the evaluation index is to the maximum value , Even equal to the maximum .

In this scenario , The credibility between evidences needs to be fully evaluated , Reduce the credibility of conflict evidence , Improve the credibility of mutually supportive evidence . After analysis, we found that , There is a big gap between conflicting evidence propositions , It's not evenly distributed , Often the basic probability distribution on a single proposition is close to 1, The basic probability distribution of other propositions is 0, Therefore, when evaluating the conflict of evidence , The closer the evidence is to the maximum vector , The more likely it is to be judged as evidence of conflict , The lower the credibility score , This paper adopts the formula (12) Measure the credibility of evidence .

S−i=D+iD+i+D−i　　　　(12)Si−=Di+Di++Di−　　　　(12)

In this scenario , First calculate the credibility support between two pieces of evidence , Then sum to determine the overall support of the evidence , And take the sum result after normalization as the final credibility measurement basis of evidence .

The credibility support matrix of evidence body is

S−=⎡⎣⎢⎢⎢⎢⎢⎢s−11s−21⋮s−n1s−12s−22⋮s−n2......⋱...s−1ns−2n⋮s−nn⎤⎦⎥⎥⎥⎥⎥⎥　　　　(13)S−=[s11−s12−...s1n−s21−s22−...s2n−⋮⋮⋱⋮sn1−sn2−...snn−]　　　　(13)

s−ij=⎧⎩⎨⎪⎪⎪⎪⎪⎪0,i=j1,i≠j,mi=mjDj+iDj+i+Dj−i,i≠j,mi≠mj　　　(14)sij−={0,i=j1,i≠j,mi=mjDij+Dij++Dij−,i≠j,mi≠mj　　　(14)

among , Based on the body of evidence mi and mj When evaluating ,Dj−iDij− Indicates the body of evidence mi Distance from the expected negative solution ;Dj+iDij+ Indicates the body of evidence mi Distance from the expected positive solution ;s−ijsij− Indicates the body of evidence mj To the body of evidence mi Degree of support .

Definition mi The support obtained by the body of evidence is Sup(mi).

Sup(mi)=∑j=1ns−ij　　　　(15)Sup(mi)=∑j=1nsij−　　　　(15)

After normalization, the confidence measure between evidences is

Be(mi)=Sup(mi)∑j=1nSup(mj),∑i=1nBe(mi)=1　　　　(16)Be(mi)=Sup(mi)∑j=1nSup(mj),∑i=1nBe(mi)=1　　　　(16)

The results of the fusion of different quantitative evidence bodies are as follows surface 1 The BOLD data shown represents the basic probability distribution of the correct proposition after fusion . The literature [15] The proposed method uses Jousselme The formula measures the distance between evidences and determines the formula for calculating the credibility between evidences , The weighted average evidence is obtained by weighting the evidence distribution with credibility , Then perform iterative fusion , according to surface 1 It turns out that , The method of this paper is the identification of correct propositions and Literature [15] Agreement , In line with expectations , And the fusion result of the correct proposition of this method is higher than that of the literature [15] Method .

4 The fusion results of common evidence conflicts are as follows surface 2  Shown , Bold data represents the basic probability distribution of the correct proposition after fusion . For the previously mentioned 4 A paradox , The correct proposition that is more in line with common sense is {AACA}, It can be seen that the identification results of the two methods are consistent with common sense , The recognition probability of correct proposition in this method is higher than that in literature [15] Method , The identification effect is obvious .

1.3 Based on dynamic discount rate D-S Evidence theory

In the research method of improving the distribution of evidence , There is a discount theory , The discount degree is introduced to discount the original evidence distribution , Usually, evidence with high conflict is highly discounted , The conflict between evidences is allocated to uncertainty by discount .

W={ w1,w2,⋯,wn},∑i=1nwi=1　　　　(17)W={w1,w2,⋯,wn},∑i=1nwi=1　　　　(17)

m′i(A)={ wimi(A),A≠θwimi(θ)+1−wi,A=θ　　　(18)m′i(A)={wimi(A),A≠θwimi(θ)+1−wi,A=θ　　　(18)

W For a standardized set of evidence discounts , According to expert opinions , It can also be calculated objectively based on the evidence distribution matrix . The above discount theory is a static discount theory , Without considering the evolution of evidence in time , The result of fusion is still static .

surface 1    Fusion results of different quantitative evidences Table 1 Fusion result of different numbers of evidence

surface 2   4 Common evidence conflict fusion results Table 2 Fusion result of four conflicted evidence

This paper focuses on the evolution process of the security situation of the Internet of things , Use static situation assessment data at multiple times for dynamic situation awareness . After analysis, we found that , Evidence from multiple moments has different roles in the process of time evolution , The longer the evidence is from the current moment, the lower the support of the perceived results , The stronger the discount ; The closer the evidence is to the current moment, the higher the support of the perceived result , The weaker the discount [7]. Let's say that there is k Evidence of a moment , m1,m2,m3,…,mk, The perception result after fusion is Rk(m1,m2, m 3,…,mk), The fusion process between evidences is as follows .

R2(m1,m2)=M(mw(t2−t1)1,m2)R2(m1,m2)=M(m1w(t2−t1),m2)

R3(m1,m2,m3)=M(R2(m1,m2) w(t3−t2),m3)　　　　...R3(m1,m2,m3)=M(R2(m1,m2) w(t3−t2),m3)　　　　...

Rk(m1,⋯,mk)=Rk(m1,⋯,mk)=

M(Rk−1(m1,m2,⋯,mk−1) w(tk−tk−1),mk)　　　　(19)M(Rk−1(m1,m2,⋯,mk−1) w(tk−tk−1),mk)　　　　(19)

M Represents the fusion function between two evidences ,W()t Represents the discount rate on the time scale . Tradition D-S Evidence theory has exchangeability in the fusion of multiple evidences , Considering the evolution of time , There is the following formula .

M(mw(t3−t2)w(t2−t1)1,m3)=M(mw(t3−t1)1,m3)　　　　(20)M(m1w(t3−t2)w(t2−t1),m3)=M(m1w(t3−t1),m3)　　　　(20)

therefore , You can choose the characteristic function w(t)=e-αt,α≥0, This function is a decreasing function in time .

This paper not only considers the role of time discount , Also consider the impact of vulnerability risk at the previous moment on future perceived results , If a large number of high-risk and emergency risk vulnerabilities are detected at a certain time , It shows that there are great loopholes in the overall security measures of the system at that time , It has a great impact on future situational awareness , High discount , Keep this high-risk impact in the uncertainty , therefore , The final discount factor is the combined result of time discount and then high-risk vulnerability proportion discount . stay mk The fusion  Rk−1(m1,m2,m3,⋯,mk−1)Rk−1(m1,m2,m3,⋯,mk−1)  when , Keep the original multiplication synthesis rules , Considering the average evidence support between propositions , Introduce weighted average evidence , Make the fusion result of evidence more comprehensive .

m(A)=(m1⊕m2)A=m(A)=(m1⊕m2)A=

∑A1∩A2=Am1(A1)m2(A2)+K∑i=12Be(mi)mi(Ai)　　　　(21)∑A1∩A2=Am1(A1)m2(A2)+K∑i=12Be(mi)mi(Ai)　　　　(21)

among ,Be(mi) For the credibility of evidence ,K It's a conflict factor .

2 IOT security situational awareness model

2.1 IOT security situational awareness method process

The method and process of IOT security situational awareness are as follows chart 1 Shown . First, determine the vulnerability according to the firmware security analysis results , Use the general vulnerability scoring system to obtain vulnerability scores ; Secondly, Gaussian membership function is used to determine the membership matrix , The normalized membership matrix is the evidence distribution matrix ; Then use improvement Topsis Methods to determine the new evidence distribution , Conduct static situation assessment ; Finally, use the situation assessment results at multiple times , Based on dynamic discount rate D-S Evidence theory gets the result of situational awareness , Guide safety personnel to carry out post protection work .

chart 1

chart 1    IOT security situational awareness method process Figure 1 Process of IoT security situational awareness method

2.2 Determine the membership matrix

In the security situational awareness model of the Internet of things designed in this paper , Set identification framework （ Comments collection ）θ by { No risk N, Low risk L, Medium risk M, High risk H, Emergency risks C}, Based on the Gaussian membership function CVSS Score the membership of each risk comment in the identification framework , Normalize the membership matrix and act as D-S Evidence theory BPA Distribution . Gaussian membership function

y=e−(x−μ) 22δ2　　　　(22)y=e−(x−μ) 22δ2　　　　(22)

among ,x For input , The scheme in this paper is vulnerable CVSS score ,μ Is the center of the function ,δ Width , Use the method of fuzzy mathematics to improve CVSS Generalization ability in single vulnerability evaluation , On multi vulnerability information fusion D-S Evidence theory can get more objective evaluation results . reference CVSS, Definition 5 The membership center of comments is 1.0、2.0、5.5、8.0、9.5.

In the field of traditional risk assessment ,δ The setting is subjective , In a general way , The evaluation value is given by experts x, At the same time, the measurement range of the evaluation uncertainty is given , Lack of persuasion , And in many fuzzy comprehensive evaluation methods , The consideration of comment sets always believes that comments do not affect each other , Not compatible with each other , Are independent of each other , The progressive relationship between comments is not taken into account . Semantically , this 5 Comments indicate that the vulnerability is increasingly dangerous , Vulnerabilities at higher risk have lower risk semantic basis and scoring basis by default , When calculating high-risk vulnerabilities, we cannot only deliberately improve the membership of the corresponding risks , Membership degree of restraining other risks , It should be considered comprehensively , Reflect that the membership of high-risk vulnerabilities to low-risk comments is enhanced rather than reduced , At the same time, ensure that the membership degree of the vulnerability with lower risk is still low at the place with higher risk comments . In order to characterize this enhanced relationship , This article attempts to use δ Describe relevance ,δ The larger the Gaussian function curve, the lower the width , The membership degree of higher risk vulnerabilities in the calculation of lower risk comments will be enhanced ,δ The smaller the Gaussian function curve, the higher the narrow , Lower risk vulnerabilities will reduce the membership of higher risk comments , combination CVSS Vulnerability rating division interval ,5 The membership function of the comments is

y=e−(x−1.0) 2210√2　　　　(23)y=e−(x−1.0) 22102　　　　(23)

y=e−(x−2.0) 22×62　　　　(24)y=e−(x−2.0) 22×62　　　　(24)

y=e−(x−5.5) 22×52　　　　(25)y=e−(x−5.5) 22×52　　　　(25)

y=e−(x−8.0) 22×42　　　　(26)y=e−(x−8.0) 22×42　　　　(26)

y=e−(x−9.5) 22×32　　　　(27)y=e−(x−9.5) 22×32　　　　(27)

After analyzing the firmware security module of the Internet of things, we get the security test report in the system , Security issues in positioning systems , utilize CVSS Calculate the score of each safety problem , Calculate the membership matrix through the membership function , The normalized membership matrix is used as D-S Evidence theory BPA Distribution .

∀v∈V,∑θi∈θmv(θi)=1,V={ v1,v2,⋯,vn}　　　(28)∀v∈V,∑θi∈θmv(θi)=1,V={v1,v2,⋯,vn}　　　(28)

among ,V Represents the discovered vulnerability set ,mv(θi) Indicates a vulnerability v In comments θi Basic probability distribution on .

2.3 Use matrix analysis to determine the conflict value K

Suppose there is n A piece of evidence ,m¯¯¯m¯ It's a proposition , Find the conflict value in the traditional method K The time complexity required is O(m¯¯¯n)O(m¯n), Use matrix analysis to find the conflict value K The time complexity required is O(nm¯¯¯2)O(nm¯2), The time complexity is reduced from the original exponential level to polynomial level [16].

Suppose the distribution of evidence is

M=⎡⎣⎢⎢M1⋮Mn⎤⎦⎥⎥=⎡⎣⎢⎢⎢⎢⎢m11m21⋮mn1m12m22⋮mn2⋯⋯⋱⋯m1m¯¯¯m2m¯¯¯⋮mnm¯¯¯⎤⎦⎥⎥⎥⎥⎥　　　　(29)M=[M1⋮Mn]=[m11m12⋯m1m¯m21m22⋯m2m¯⋮⋮⋱⋮mn1mn2⋯mnm¯]　　　　(29)

M1M1 The body of evidence is transposed into a column vector sum M2M2 The line vectors of the evidence body are multiplied to get a m¯¯¯m¯¯¯m¯m¯ matrix .

Φ=MT1M2=Φ=M1TM2=

[m11⋯m1m¯¯¯]T[m21⋯m2m¯¯¯]=[m11⋯m1m¯]T[m21⋯m2m¯]=

⎡⎣⎢⎢⎢⎢⎢m11m21m12m21⋮m1m¯¯¯m21m11m22m12m22⋮m1m¯¯¯m22⋯⋯⋱⋯m11m2m¯¯¯m12m2m¯¯¯⋮m1m¯¯¯m2m¯¯¯⎤⎦⎥⎥⎥⎥⎥　　　　(30)[m11m21m11m22⋯m11m2m¯m12m21m12m22⋯m12m2m¯⋮⋮⋱⋮m1m¯m21m1m¯m22⋯m1m¯m2m¯]　　　　(30)

Diagonal element is the fusion product term of two evidence bodies for the same proposition , If only two bodies of evidence fuse , Then the sum of non diagonal elements is the conflict factor K, combination D-S The law of combination of evidence theory , take ΦΦ Diagonal elements of a matrix （ Form a column vector ） And M3M3 The row vectors of the evidence body are multiplied to obtain a new matrix .

Φ=⎡⎣⎢⎢⎢⎢⎢m11m21m31⋯⋮⋯⋯m12m22m32⋮⋯⋯⋯⋱⋯⋯⋯⋮m1m¯¯¯m2m¯¯¯m3m¯¯¯⎤⎦⎥⎥⎥⎥⎥　　(31)Φ=[m11m21m31⋯⋯⋯⋯m12m22m32⋯⋯⋮⋮⋱⋮⋯⋯⋯m1m¯m2m¯m3m¯]　　(31)

The new matrix takes out diagonal elements and multiplies them with each remaining evidence body in turn , Until integration MnMn, Diagonal elements are n The fusion result of the product of evidence on the same proposition , The conflict factor can be obtained by adding the non diagonal elements of all the result matrices K.

3 case analysis

The experimental environment built in this paper is as follows chart 2 Shown , Use virtual machines and common IOT devices to build an IOT scene for situational awareness , Common IOT devices are used in this scenario , Such as Bluetooth Bracelet 、 wireless router 、Zigbee Equipment etc. , The bracelet mainly tests the security of Bluetooth module , Wireless routers are mainly for testing Wi-Fi Module security ,Zigbee The equipment is mainly for testing Zigbee Security on the Protocol .

chart 2

chart 2    Experimental environment Figure 2 Experimental environment

The security test report of each firmware is obtained through the firmware security analysis module of the Internet of things . selection T Conduct situation assessment on the security situation at any time , The distribution of vulnerabilities is as follows surface 3 Shown .

surface 3    Vulnerability distribution Table 3 Vulnerabilities distribution

At present, most of them are medium risk items , At the same time, there are high-risk items and emergency risk items to a certain extent , The situation assessment results obtained through the above theoretical fusion are as follows surface 4 Shown , You can see the system with 64% The probability of is at the medium risk level , That is, the system risk assessment level at this time is medium risk , The probability on the high risk level is close to 12%, In line with the real situation at that moment .

surface 4   T Moment situation assessment results Table 4 T time situation assessment result

about chart 2 The built Internet of things environment is continuously monitored , Test different versions of the same firmware , Collect for a period of time 8 Conduct situational awareness tasks based on the situation assessment results at three times , Collected 8 The situation assessment results at each moment are as follows surface 5 Shown , It can be seen that , There are two moments when the system presents a high risk level , The rest of the time is at medium risk .

surface 5   T1～T8 Moment situation assessment results Table 5 T1～T8 time situation assessment result

The situation awareness results are as follows surface 6 Shown . from surface 6 It can be seen that , During this time period, the system approaches 49% The probability of is at the medium risk level , suffer T7 The influence of time , The probability of high risk level is 20% about , In the future, we need to pay attention to strengthening safety protection measures . Tradition D-S The fusion result of evidence theory shows that the probability of medium risk level is about 99%, But the basic probability distribution is almost close 1, Ignore perceptions of other risks , The method in this paper has a reasonable basic probability distribution on each risk level , It is in line with expectations , It can also point out the possibility of high risk and emergency risk , More instructive .

surface 6    Situation awareness results Table 6 Situation awareness result

In order to quantitatively describe the situation awareness results , Draw situation awareness curve , The scheme of this paper is right 5 Quantitative value allocation of comments [17]{2,4,6, 8,10}, Define the situation value as

T=∑θi∈θe(θi)m(θi)　　　　(32)T=∑θi∈θe(θi)m(θi)　　　　(32)

among ,e(θi)e(θi) yes θi The score of the comment ,m(θi)m(θi) It's a fusion θi Comment on the basic probability distribution value .

Yes T1-T8 Always draw the trend curve of IOT security situational awareness , The result is as follows chart 3 Shown , From the curve trend , The trend is on the rise , It means higher risks in the future , Protective measures need to be strengthened .

chart 3

chart 3    IOT security situational awareness trend curve Figure 3 IoT security situational awareness trend curve

4 Conclusion

Through in-depth research on the current situation of the situation awareness system of the Internet of things , Based on the improvement D-S Situation assessment and situation awareness methods of evidence theory , After experimental comparison , The main conclusions are as follows .

1) Use improved Topsis Methods to measure the credibility of evidence , It can accurately and quickly identify conflict evidence , Reduce the credibility of conflict evidence , And ensure the high reliability of mutually supporting evidence . The basic probability distribution of the correct proposition is high when the evidence of different quantities is fused and the evidence of common conflicts is fused .

2) Based on time discount and high-risk vulnerability proportion discount D-S Evidence theory , In the process of situational awareness , The probability of high risk and emergency risk is fully predicted , And get the situation awareness curve , It has good guiding significance for future safety protection .