
Anomalous Data Flow Detection System Based On Neural Network

Posted on: 2018-10-03
Degree: Master
Type: Thesis
Country: China
Candidate: B Niu
Full Text: PDF
GTID: 2428330569475159
Subject: Cyberspace security
Abstract/Summary:
The anomalous data flow detection system is used to prevent users inside the network from leaking an enterprise's confidential information. Most traditional solutions rely on content identification to detect leaked confidential information, but this method cannot detect encrypted files. Other work uses information flow analysis to prevent confidential information from flowing to a user's external storage device or to the network, but this requires modifying application source code or support from the underlying hardware, so it does not apply to existing systems. In general, current detection methods have poor applicability, and a risk of data leakage remains. LSTM-based Anomalous Data Flow Detection (LADFD) uses a Long Short-Term Memory (LSTM) artificial neural network to identify the sequential relationships between a user's network operations and abnormal behavior patterns in order to prevent the leakage of confidential information, and it achieves a high detection rate and a low false alarm rate. LADFD is divided into two phases, the learning phase and the probing phase. During the learning phase, LADFD saves the user's application layer data as a historical traffic library and organizes it in a doubly linked list to facilitate adding and deleting historical traffic. During the probing phase, LADFD obtains application layer data by building an application layer proxy for the HTTP, SMTP, and POP3 protocols, and by using man-in-the-middle interception to handle SSL-encrypted connections. The feature vector of the application layer data is then extracted based on the historical traffic library and passed to the LSTM artificial neural network for detection, to discover data leakage behavior by users. The LADFD system was tested for functionality and performance. In terms of functionality, the LADFD system can efficiently intercept application layer data, including data encrypted with SSL, and can correctly block connections that leak data. In detection tests on the HTTP traffic and SMTP traffic of the CERT data set, LADFD reached detection rates of 87.27% and 84.81%, with false positives of 12.37% and 1.87%, respectively. In terms of performance, access to the historical traffic library under multi-threading becomes a bottleneck, which results in a large performance loss.
Keywords/Search Tags: Information security, Anomalous data flow detection, Long-Short Term Memory