

# Device-side metrics
<a name="detect-device-side-metrics"></a>

When you create a Security Profile, you specify the expected behavior of your IoT devices by configuring behaviors and thresholds for the metrics they generate. The following are the device-side metrics, that is, the metrics reported by the agent you install on your devices.

## Bytes out (`aws:all-bytes-out`)
<a name="detect-all-bytes-out"></a>

The number of outbound bytes sent from a device during a given time period.

Use this metric to specify the maximum or minimum amount of outbound traffic, in bytes, that a device should send in a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: bytes

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

**Example**  

```
{
  "name": "TCP outbound traffic",
  "metric": "aws:all-bytes-out",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 4096
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "TCP outbound traffic",
  "metric": "aws:all-bytes-out",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p50"
    },
    "durationSeconds": 900,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Outbound traffic ML behavior",
  "metric": "aws:all-bytes-out",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```

## Bytes in (`aws:all-bytes-in`)
<a name="detect-all-bytes-in"></a>

The number of inbound bytes received by a device during a given time period.

Use this metric to specify the maximum or minimum amount of inbound traffic, in bytes, that a device should receive in a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: bytes

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

**Example**  

```
{
  "name": "TCP inbound traffic",
  "metric": "aws:all-bytes-in",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 4096
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "TCP inbound traffic",
  "metric": "aws:all-bytes-in",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p90"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Inbound traffic ML behavior",
  "metric": "aws:all-bytes-in",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```

## Listening TCP port count (`aws:num-listening-tcp-ports`)
<a name="detect-num-listening-tcp-ports"></a>

The number of TCP ports the device is listening on.

Use this metric to specify the maximum number of TCP ports each device should monitor.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: failures

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

**Example**  

```
{
  "name": "Max TCP Ports",
  "metric": "aws:num-listening-tcp-ports",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 5
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "Max TCP Ports",
  "metric": "aws:num-listening-tcp-ports",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p50"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Max TCP Port ML behavior",
  "metric": "aws:num-listening-tcp-ports",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```

## Listening UDP port count (`aws:num-listening-udp-ports`)
<a name="detect-num-listening-udp-ports"></a>

The number of UDP ports the device is listening on.

Use this metric to specify the maximum number of UDP ports each device should listen on.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: failures

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

**Example**  

```
{
  "name": "Max UDP Ports",
  "metric": "aws:num-listening-udp-ports",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 5
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "Max UDP Ports",
  "metric": "aws:num-listening-udp-ports",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p50"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Max UDP Port ML behavior",
  "metric": "aws:num-listening-udp-ports",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```

## Packets out (`aws:all-packets-out`)
<a name="detect-all-packets-out"></a>

The number of outbound packets sent from a device during a given time period.

Use this metric to specify the maximum or minimum amount of total outbound traffic, in packets, that a device should send in a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: packets

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

**Example**  

```
{
  "name": "TCP outbound traffic",
  "metric": "aws:all-packets-out",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 100
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "TCP outbound traffic",
  "metric": "aws:all-packets-out",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p90"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Outbound sent ML behavior",
  "metric": "aws:all-packets-out",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```

## Packets in (`aws:all-packets-in`)
<a name="detect-all-packets-in"></a>

The number of inbound packets received by a device during a given time period.

Use this metric to specify the maximum or minimum amount of total inbound traffic, in packets, that a device should receive in a given time period.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: packets

Duration: a non-negative integer. Valid values are 300, 600, 900, 1800, or 3600 seconds.

**Example**  

```
{
  "name": "TCP inbound traffic",
  "metric": "aws:all-packets-in",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 100
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "TCP inbound traffic",
  "metric": "aws:all-packets-in",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p90"
    },
    "durationSeconds": 300,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Inbound sent ML behavior",
  "metric": "aws:all-packets-in",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```

## Destination IPs (`aws:destination-ip-addresses`)
<a name="detect-destination-ip-addresses"></a>

A set of destination IP addresses.

Use this metric to specify a set of allowed (formerly referred to as whitelisted) or denied (formerly referred to as blacklisted) Classless Inter-Domain Routing (CIDR) ranges through which each device must or must not connect to AWS IoT.

Compatible with: Rules Detect

Operators: in-cidr-set | not-in-cidr-set

Value: a list of CIDRs

Units: n/a

**Example**  

```
{
  "name": "Denied source IPs",
  "metric": "aws:destination-ip-addresses",
  "criteria": {
    "comparisonOperator": "not-in-cidr-set",
    "value": {
      "cidrs": [ "12.8.0.0/16", "15.102.16.0/24" ]
    }
  },
  "suppressAlerts": true
}
```

## Listening TCP ports (`aws:listening-tcp-ports`)
<a name="detect-listening-tcp-ports"></a>

The TCP ports the device is listening on.

Use this metric to specify a set of allowed (formerly referred to as whitelisted) or denied (formerly referred to as blacklisted) TCP ports on which each device must or must not listen.

Compatible with: Rules Detect

Operators: in-port-set | not-in-port-set

Value: a list of ports

Units: n/a

**Example**  

```
{
  "name": "Listening TCP Ports",
  "metric": "aws:listening-tcp-ports",
  "criteria": {
    "comparisonOperator": "in-port-set",
    "value": {
      "ports": [ 443, 80 ]
    }
  },
  "suppressAlerts": true
}
```

## Listening UDP ports (`aws:listening-udp-ports`)
<a name="detect-listening-udp-ports"></a>

The UDP ports the device is listening on.

Use this metric to specify a set of allowed (formerly referred to as whitelisted) or denied (formerly referred to as blacklisted) UDP ports on which each device must or must not listen.

Compatible with: Rules Detect

Operators: in-port-set | not-in-port-set

Value: a list of ports

Units: n/a

**Example**  

```
{
  "name": "Listening UDP Ports",
  "metric": "aws:listening-udp-ports",
  "criteria": {
    "comparisonOperator": "in-port-set",
    "value": {
      "ports": [ 1025, 2000 ]
    }
  }
}
```

## Established TCP connections count (`aws:num-established-tcp-connections`)
<a name="detect-num-established-tcp-connections"></a>

The number of TCP connections for a device.

Use this metric to specify the maximum or minimum number of active TCP connections (in all TCP states) each device should have.

Compatible with: Rules Detect | ML Detect

Operators: less-than | less-than-equals | greater-than | greater-than-equals

Value: a non-negative integer

Units: connections

**Example**  

```
{
  "name": "TCP Connection Count",
  "metric": "aws:num-established-tcp-connections",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "value": {
      "count": 3
    },
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using `statisticalThreshold`**  

```
{
  "name": "TCP Connection Count",
  "metric": "aws:num-established-tcp-connections",
  "criteria": {
    "comparisonOperator": "less-than-equals",
    "statisticalThreshold": {
      "statistic": "p90"
    },
    "durationSeconds": 900,
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1
  },
  "suppressAlerts": true
}
```

**Example using ML Detect**  

```
{
  "name": "Connection count ML behavior",
  "metric": "aws:num-established-tcp-connections",
  "criteria": {
    "consecutiveDatapointsToAlarm": 1,
    "consecutiveDatapointsToClear": 1,
    "mlDetectionConfig": {
      "confidenceLevel": "HIGH"
    }
  },
  "suppressAlerts": true
}
```
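The behavior definitions above follow a small set of rules: each metric admits specific comparison operators, a specific key under `value` (`count`, `ports` or `cidrs`), a fixed set of `durationSeconds` values, and ML Detect only for the numeric metrics. The following Python script is an added example, not AWS code and not part of the original page; it encodes those rules so a Security Profile's behaviors can be linted offline before they are submitted. The `LOW`/`MEDIUM`/`HIGH` confidence levels, the 1..65535 port range and the function names are the example's own assumptions (the page shows only `HIGH`).

```python
"""Added example (not AWS code): lint Device Defender behaviors against the
constraints documented above for the device-side metrics, so a Security
Profile can be checked offline before it is sent to the service."""
import ipaddress
import json

VALID_DURATIONS = {300, 600, 900, 1800, 3600}
NUMERIC_OPS = {"less-than", "less-than-equals", "greater-than", "greater-than-equals"}
CIDR_OPS = {"in-cidr-set", "not-in-cidr-set"}
PORT_OPS = {"in-port-set", "not-in-port-set"}
CONFIDENCE_LEVELS = {"LOW", "MEDIUM", "HIGH"}  # assumption: page shows HIGH only

# metric -> (allowed operators, key expected under "value", ML Detect supported)
METRIC_SPEC = {
    "aws:all-bytes-out": (NUMERIC_OPS, "count", True),
    "aws:all-bytes-in": (NUMERIC_OPS, "count", True),
    "aws:all-packets-out": (NUMERIC_OPS, "count", True),
    "aws:all-packets-in": (NUMERIC_OPS, "count", True),
    "aws:num-listening-tcp-ports": (NUMERIC_OPS, "count", True),
    "aws:num-listening-udp-ports": (NUMERIC_OPS, "count", True),
    "aws:num-established-tcp-connections": (NUMERIC_OPS, "count", True),
    "aws:destination-ip-addresses": (CIDR_OPS, "cidrs", False),
    "aws:listening-tcp-ports": (PORT_OPS, "ports", False),
    "aws:listening-udp-ports": (PORT_OPS, "ports", False),
}

def _check_value(metric, key, value):
    """Validate the shape of criteria.value for one metric; returns problems."""
    if key not in value:
        return [f"{metric}: value must use the key {key!r}"]
    v = value[key]
    if key == "count":
        if not isinstance(v, int) or v < 0:
            return [f"{metric}: count must be a non-negative integer"]
    elif key == "ports":
        if not isinstance(v, list) or any(
                not isinstance(p, int) or not 0 < p <= 65535 for p in v):
            return [f"{metric}: ports must be integers in 1..65535"]
    elif key == "cidrs":
        try:
            for c in v:
                ipaddress.ip_network(c)  # rejects malformed CIDRs such as 10.0.0.0/33
        except (TypeError, ValueError) as exc:
            return [f"{metric}: invalid CIDR ({exc})"]
    return []

def validate_behavior(behavior):
    """Return the list of problems found in one behavior; empty means it passes."""
    metric = behavior.get("metric")
    if metric not in METRIC_SPEC:
        return [f"unknown device-side metric {metric!r}"]
    ops, value_key, ml_supported = METRIC_SPEC[metric]
    criteria = behavior.get("criteria", {})
    problems = []
    if "mlDetectionConfig" in criteria:
        # ML Detect behaviors carry only mlDetectionConfig plus the datapoint counts.
        if not ml_supported:
            problems.append(f"{metric}: Rules Detect only, mlDetectionConfig not supported")
        for forbidden in ("comparisonOperator", "value", "statisticalThreshold"):
            if forbidden in criteria:
                problems.append(f"{metric}: {forbidden} is not used with mlDetectionConfig")
        if criteria["mlDetectionConfig"].get("confidenceLevel") not in CONFIDENCE_LEVELS:
            problems.append(f"{metric}: confidenceLevel must be one of {sorted(CONFIDENCE_LEVELS)}")
    else:
        op = criteria.get("comparisonOperator")
        if op not in ops:
            problems.append(f"{metric}: operator {op!r} not valid (allowed: {sorted(ops)})")
        has_value = "value" in criteria
        has_stat = "statisticalThreshold" in criteria
        if has_value == has_stat:
            problems.append(f"{metric}: exactly one of value or statisticalThreshold is required")
        if has_value:
            problems.extend(_check_value(metric, value_key, criteria["value"]))
        if has_stat and value_key != "count":
            problems.append(f"{metric}: statisticalThreshold applies only to numeric metrics")
    duration = criteria.get("durationSeconds")
    if duration is not None and duration not in VALID_DURATIONS:
        problems.append(f"{metric}: durationSeconds must be one of {sorted(VALID_DURATIONS)}")
    return problems

def validate_behaviors_json(text):
    """Parse a JSON list of behaviors and map each behavior name to its problems."""
    report, seen = {}, set()
    for b in json.loads(text):
        name = b.get("name", "<unnamed>")
        problems = validate_behavior(b)
        if name in seen:
            problems.append("duplicate behavior name")
        seen.add(name)
        report[name] = problems
    return report
```

Run `validate_behaviors_json` over the `behaviors` array of a profile before calling the API; a non-empty list for any name is a definition error the service would otherwise reject or, worse, accept with an unintended meaning (for example, a `durationSeconds` outside the valid set).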

## Device metrics document specification
<a name="DetectMetricsMessagesSpec"></a>


**Overall structure**  

|  Long name  |  Short name  |  Required  |  Type  |  Constraints  |  Notes  | 
| --- | --- | --- | --- | --- | --- | 
|  header  |  hed  |  Y  |  Object  |    |  Complete block required for well-formed reports.  | 
|  metrics  |  met  |  Y  |  Object  |    |  A report can contain both, but must contain at least one of the `metrics` or `custom_metrics` blocks.  | 
|  custom_metrics  |  cmet  |  Y  |  Object  |    |  A report can contain both, but must contain at least one of the `metrics` or `custom_metrics` blocks.  | 


**Header block**  

|  Long name  |  Short name  |  Required  |  Type  |  Constraints  |  Notes  | 
| --- | --- | --- | --- | --- | --- | 
|  report_id  |  rid  |  Y  |  Integer  |    |  Monotonically increasing value. An epoch timestamp is recommended.  | 
|  version  |  v  |  Y  |  String  |  Major.Minor  |  Minor increments when a field is added. Major increments if metrics are removed.  | 

**Metrics block:**


**TCP connections**  

|  Long name  |  Short name  |  Parent element  |  Required  |  Type  |  Constraints  |  Notes  | 
| --- | --- | --- | --- | --- | --- | --- | 
|  tcp_connections  |  tc  |  metrics  |  N  |  Object  |    |    | 
|  established_connections  |  ec  |  tcp_connections  |  N  |  Object  |    |  Established TCP state  | 
|  connections  |  cs  |  established_connections  |  N  |  List<Object>  |    |    | 
|  remote_addr  |  rad  |  connections  |  Y  |  Number  |  ip:port  |  The IP can be IPv6 or IPv4  | 
|  local_port  |  lp  |  connections  |  N  |  Number  |  >= 0  |    | 
|  local_interface  |  li  |  connections  |  N  |  String  |    |  Interface name  | 
|  total  |  t  |  established_connections  |  N  |  Number  |  >= 0  |  Number of established connections  | 


**Listening TCP ports**  

|  Long name  |  Short name  |  Parent element  |  Required  |  Type  |  Constraints  |  Notes  | 
| --- | --- | --- | --- | --- | --- | --- | 
|  listening_tcp_ports  |  tp  |  metrics  |  N  |  Object  |    |    | 
|  ports  |  pts  |  listening_tcp_ports  |  N  |  List<Object>  |  > 0  |    | 
|  port  |  pt  |  ports  |  N  |  Number  |  > 0  |  The port must be a number greater than 0  | 
|  interface  |  if  |  ports  |  N  |  String  |    |  Interface name  | 
|  total  |  t  |  listening_tcp_ports  |  N  |  Number  |  >= 0  |    | 


**Listening UDP ports**  

|  Long name  |  Short name  |  Parent element  |  Required  |  Type  |  Constraints  |  Notes  | 
| --- | --- | --- | --- | --- | --- | --- | 
|  listening_udp_ports  |  up  |  metrics  |  N  |  Object  |    |    | 
|  ports  |  pts  |  listening_udp_ports  |  N  |  List<Port>  |  > 0  |    | 
|  port  |  pt  |  ports  |  N  |  Number  |  > 0  |  The port must be a number greater than 0  | 
|  interface  |  if  |  ports  |  N  |  String  |    |  Interface name  | 
|  total  |  t  |  listening_udp_ports  |  N  |  Number  |  >= 0  |    | 


**Network stats**  

|  Long name  |  Short name  |  Parent element  |  Required  |  Type  |  Constraints  |  Notes  | 
| --- | --- | --- | --- | --- | --- | --- | 
|  network_stats  |  ns  |  metrics  |  N  |  Object  |    |    | 
|  bytes_in  |  bi  |  network_stats  |  N  |  Number  |  Delta metric, >= 0  |    | 
|  bytes_out  |  bo  |  network_stats  |  N  |  Number  |  Delta metric, >= 0  |    | 
|  packets_in  |  pi  |  network_stats  |  N  |  Number  |  Delta metric, >= 0  |    | 
|  packets_out  |  po  |  network_stats  |  N  |  Number  |  Delta metric, >= 0  |    | 

**Example**  
The following JSON structure uses long names.  

```
{
  "header": {
    "report_id": 1530304554,
    "version": "1.0"
  },
  "metrics": {
    "listening_tcp_ports": {
      "ports": [
        {
          "interface": "eth0",
          "port": 24800
        },
        {
          "interface": "eth0",
          "port": 22
        },
        {
          "interface": "eth0",
          "port": 53
        }
      ],
      "total": 3
    },
    "listening_udp_ports": {
      "ports": [
        {
          "interface": "eth0",
          "port": 5353
        },
        {
          "interface": "eth0",
          "port": 67
        }
      ],
      "total": 2
    },
    "network_stats": {
      "bytes_in": 29358693495,
      "bytes_out": 26485035,
      "packets_in": 10013573555,
      "packets_out": 11382615
    },
    "tcp_connections": {
      "established_connections": {
        "connections": [
          {
            "local_interface": "eth0",
            "local_port": 80,
            "remote_addr": "192.168.0.1:8000"
          },
          {
            "local_interface": "eth0",
            "local_port": 80,
            "remote_addr": "192.168.0.1:8000"
          }
        ],
        "total": 2
      }
    }
  },
  "custom_metrics": {
    "MyMetricOfType_Number": [
      {
        "number": 1
      }
    ],
    "MyMetricOfType_NumberList": [
      {
        "number_list": [
          1,
          2,
          3
        ]
      }
    ],
    "MyMetricOfType_StringList": [
      {
        "string_list": [
          "value_1",
          "value_2"
        ]
      }
    ],
    "MyMetricOfType_IpList": [
      {
        "ip_list": [
          "172.0.0.0",
          "172.0.0.10"
        ]
      }
    ]
  }
}
```

**Example JSON structure using short names**  

```
{
  "hed": {
    "rid": 1530305228,
    "v": "1.0"
  },
  "met": {
    "tp": {
      "pts": [
        {
          "if": "eth0",
          "pt": 24800
        },
        {
          "if": "eth0",
          "pt": 22
        },
        {
          "if": "eth0",
          "pt": 53
        }
      ],
      "t": 3
    },
    "up": {
      "pts": [
        {
          "if": "eth0",
          "pt": 5353
        },
        {
          "if": "eth0",
          "pt": 67
        }
      ],
      "t": 2
    },
    "ns": {
      "bi": 29359307173,
      "bo": 26490711,
      "pi": 10014614051,
      "po": 11387620
    },
    "tc": {
      "ec": {
        "cs": [
          {
            "li": "eth0",
            "lp": 80,
            "rad": "192.168.0.1:8000"
          },
          {
            "li": "eth0",
            "lp": 80,
            "rad": "192.168.0.1:8000"
          }
        ],
        "t": 2
      }
    }
  },
  "cmet": {
    "MyMetricOfType_Number": [
      {
        "number": 1
      }
    ],
    "MyMetricOfType_NumberList": [
      {
        "number_list": [
          1,
          2,
          3
        ]
      }
    ],
    "MyMetricOfType_StringList": [
      {
        "string_list": [
          "value_1",
          "value_2"
        ]
      }
    ],
    "MyMetricOfType_IpList": [
      {
        "ip_list": [
          "172.0.0.0",
          "172.0.0.10"
        ]
      }
    ]
  }
}
```
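The two report examples above are the same document in long and short names; the spec tables fix the mapping, the required header, the `port > 0` and `>= 0` constraints, and the fact that `network_stats` are delta metrics. The following Python script is an added example and not AWS agent code: it builds a long-name report from constructed inputs, checks it against the spec tables, rewrites it to short names, and derives the publish topic. Its assumptions are marked in the code: "delta metric" is taken to mean the change since the previous report (computed from two snapshots of cumulative counters, with a counter that went backwards treated as reset), the `total` fields are required to equal the number of listed entries (stricter than the spec's `>= 0`), and the topic is the reserved `$aws/things/<thingName>/defender/metrics/json` topic from the reserved-topics page this section links to.

```python
"""Added example, not AWS agent code: assemble a device metrics report in the
long-name format specified above, check it against the spec tables, shorten it
to the short names, and derive the publish topic. Assumptions are marked."""
import json

# Long name -> short name, taken from the spec tables above.
SHORT_NAMES = {
    "header": "hed", "report_id": "rid", "version": "v",
    "metrics": "met", "custom_metrics": "cmet",
    "tcp_connections": "tc", "established_connections": "ec", "connections": "cs",
    "remote_addr": "rad", "local_port": "lp", "local_interface": "li", "total": "t",
    "listening_tcp_ports": "tp", "listening_udp_ports": "up", "ports": "pts",
    "port": "pt", "interface": "if", "network_stats": "ns",
    "bytes_in": "bi", "bytes_out": "bo", "packets_in": "pi", "packets_out": "po",
}
COUNTERS = ("bytes_in", "bytes_out", "packets_in", "packets_out")

def network_stats_delta(previous, current):
    """network_stats are delta metrics: report the change since the previous
    report, computed from two snapshots of cumulative interface counters.
    Assumption: a counter that went backwards was reset (e.g. a reboot), so the
    current value is reported as the delta."""
    return {k: current[k] - previous.get(k, 0) if current[k] >= previous.get(k, 0)
            else current[k] for k in COUNTERS}

def build_report(report_id, listening_tcp, listening_udp, connections, net_delta,
                 custom_metrics=None):
    """Build the long-name report. Ports are (interface, port) tuples; connections
    are (local_interface, local_port, remote_addr) tuples."""
    def port_block(ports):
        return {"ports": [{"interface": i, "port": p} for i, p in ports],
                "total": len(ports)}
    report = {
        "header": {"report_id": report_id, "version": "1.0"},
        "metrics": {
            "listening_tcp_ports": port_block(listening_tcp),
            "listening_udp_ports": port_block(listening_udp),
            "network_stats": dict(net_delta),
            "tcp_connections": {"established_connections": {
                "connections": [{"local_interface": li, "local_port": lp, "remote_addr": ra}
                                for li, lp, ra in connections],
                "total": len(connections)}},
        },
    }
    if custom_metrics:
        report["custom_metrics"] = custom_metrics
    return report

def check_report(report, previous_report_id=None):
    """Check the constraints from the spec tables plus one stricter rule of this
    example (assumption): total must equal the number of listed entries."""
    problems = []
    hed = report.get("header")
    if not (isinstance(hed, dict) and isinstance(hed.get("report_id"), int)
            and isinstance(hed.get("version"), str)):
        problems.append("header with integer report_id and string version is required")
    elif previous_report_id is not None and hed["report_id"] <= previous_report_id:
        problems.append("report_id must be monotonically increasing")
    if "metrics" not in report and "custom_metrics" not in report:
        problems.append("at least one of metrics or custom_metrics is required")
    met = report.get("metrics", {})
    for key in ("listening_tcp_ports", "listening_udp_ports"):
        block = met.get(key, {})
        ports = block.get("ports", [])
        if any(not isinstance(p.get("port"), int) or p["port"] <= 0 for p in ports):
            problems.append(f"{key}: port must be a number > 0")
        if block.get("total", len(ports)) != len(ports):
            problems.append(f"{key}: total does not match the listed ports")
    ec = met.get("tcp_connections", {}).get("established_connections", {})
    if any("remote_addr" not in c for c in ec.get("connections", [])):
        problems.append("established_connections: remote_addr is required")
    for k, v in met.get("network_stats", {}).items():
        if k not in COUNTERS or not isinstance(v, int) or v < 0:
            problems.append(f"network_stats.{k}: must be a known counter >= 0")
    return problems

def to_short_names(node):
    """Rewrite long names to short names. User-defined custom metric names and
    their contents are kept verbatim, as in the page's short-name example."""
    if isinstance(node, dict):
        return {SHORT_NAMES.get(k, k): (v if k == "custom_metrics" else to_short_names(v))
                for k, v in node.items()}
    if isinstance(node, list):
        return [to_short_names(x) for x in node]
    return node

def payload_bytes(report):
    """Compact JSON bytes as published; short names shrink the payload."""
    return json.dumps(report, separators=(",", ":")).encode()

def metrics_topic(thing_name):
    """Reserved topic for JSON-format Device Defender metrics (see the linked
    reserved-topics page)."""
    return f"$aws/things/{thing_name}/defender/metrics/json"
```

Run `check_report` on every report before it leaves the device: a malformed report is dropped by the service rather than flagged, so a device that silently emits bad reports also silently stops being monitored.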

## Sending metrics from devices
<a name="DetectMetricsMessages"></a>

AWS IoT Device Defender Detect can collect, aggregate, and monitor metrics data generated by AWS IoT devices to identify devices that exhibit abnormal behavior. This section shows how to send metrics from a device to AWS IoT Device Defender.

You must securely deploy AWS IoT SDK version two on your AWS IoT connected devices or device gateways to collect device-side metrics. See the full list of SDKs [here](https://docs.aws.amazon.com/iot/latest/developerguide/iot-sdks.html).

You can use the AWS IoT Device Client to publish metrics, as it provides a single agent that covers features present in both AWS IoT Device Defender and AWS IoT Device Management. These features include jobs, secure tunneling, AWS IoT Device Defender metrics publishing, and more.

You publish device-side metrics to the [reserved topic](https://docs.aws.amazon.com//iot/latest/developerguide/reserved-topics.html#reserved-topics-device-defender) in AWS IoT for AWS IoT Device Defender to collect and evaluate.

### Publishing metrics using the AWS IoT Device Client
<a name="UsingAWSIoTDeviceClient"></a>

To install the AWS IoT Device Client, you can download it from [Github](https://github.com/awslabs/aws-iot-device-client). After you have installed the AWS IoT Device Client on the device whose device-side data you want to collect, you must configure it to send device-side metrics to AWS IoT Device Defender. Verify that the AWS IoT Device Client [configuration file](https://github.com/awslabs/aws-iot-device-client/blob/main/config-template.json) has the following parameters set in the `device-defender` section:

```
  "device-defender": {
    "enabled": true,
    "interval-in-seconds": 300
  }
```

**Warning**  
The interval should be set to a minimum of 300 seconds. If you set the interval to less than 300 seconds, your metrics data might be throttled.

After you update the configuration, you can create security profiles and behaviors in the AWS IoT Device Defender console to monitor the metrics your devices publish to the cloud. You can find the published metrics in the AWS IoT Core console by choosing Defend, then Detect, and then Metrics.