A Recognition Mechanism Of User Abnormal Behavior Based On Traffic Detection

Posted on: 2020-09-08 | Degree: Master | Type: Thesis
Country: China | Candidate: X Zhang | Full Text: PDF
GTID: 2428330572973673 | Subject: Computer Science and Technology
Abstract/Summary:
With the development and popularization of computer network technology, more and more governments, enterprises and organizations have deployed LANs. At the same time, network attackers are constantly improving their attack techniques, and their behavior causes abnormal network phenomena. To maintain the security and stability of the LAN, abnormal phenomena and their types must be discovered in time. Because the aggregation node of a LAN connects the internal network and the external network, it is one of the important path nodes for communication. The traffic collected at this node contains rich user behavior information, which is of great value in the study of network anomalies. In addition, the running speed of the aggregation node affects the service speed of the intranet, and the amount of real-time traffic and the number of users involved at the aggregation node are very large. Therefore, a user abnormal behavior recognition mechanism deployed at the aggregation node must be highly efficient and accurate. There are many abnormal behavior recognition methods, but these methods cannot meet the requirements of accuracy, real-time performance or judging the abnormal type. Therefore, the identification mechanisms deployed on the aggregation node of the LAN are not perfect.

This thesis designs a recognition mechanism of user abnormal behavior based on traffic detection. The mechanism can identify abnormal users and the types of abnormal behavior in the LAN, timely and accurately. User abnormal behavior recognition first needs to detect traffic anomalies and find the time points of the anomalous behavior. To detect the abnormal time accurately, a two-level traffic anomaly detection algorithm based on entropy and linear relationship is designed. To improve accuracy, a two-level dynamic threshold is set on the time series. To ensure real-time performance, the method based on linear relationship runs only when the entropy change falls between the first-level threshold and the second-level threshold. The abnormal type can then be identified by this method. The simulation results show that the method proposed in this thesis outperforms the existing methods in terms of accuracy and real-time performance.

On the basis of traffic anomaly detection, in order to accurately identify users who have abnormal behavior, this thesis designs a user abnormal behavior recognition algorithm based on behavior similarity. Based on the relevance of the port numbers used in the traffic of different users, a similarity calculation formula for user behavior is proposed. A k-similarity clustering algorithm is then proposed based on the similarity of user behavior. To improve the accuracy of the clustering results, the algorithm takes outliers into account. The experimental results show that the method is superior to the existing methods in terms of the recognition rate of abnormal users and the misjudgment rate of normal users.
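The two-level gating described in the abstract can be sketched as follows; this is an added example, not code from the thesis. The abstract does not give the feature, the threshold formula or the linear-relationship test, so the destination-port entropy, the mean ± k·σ thresholds, the least-squares line between flow count and distinct-port count, and every name and constant here are assumptions.

```python
import math
from collections import Counter
from statistics import mean, pstdev

def entropy(items):
    """Shannon entropy in bits of the empirical distribution of items."""
    counts = Counter(items)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def line_residual(xs, ys, x, y):
    """Assumed second stage: how far (x, y) lies from the least-squares line
    fitted to history, in residual standard deviations (floored at 1 port)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((a - mx) ** 2 for a in xs)
    slope = sum((a - mx) * (b - my) for a, b in zip(xs, ys)) / sxx if sxx else 0.0
    resid = [b - (my + slope * (a - mx)) for a, b in zip(xs, ys)]
    return abs(y - (my + slope * (x - mx))) / max(pstdev(resid), 1.0)

def detect(windows, k1=2.0, k2=4.0, k_lin=3.0, warmup=5):
    """windows: list of per-interval flow lists [(src_ip, dst_port), ...].
    Returns 'normal', 'anomaly' or 'anomaly(stage2)' for each window."""
    hist_h, hist_x, hist_y, labels = [], [], [], []
    for flows in windows:
        ports = [port for _, port in flows]
        h, x, y = entropy(ports), len(ports), len(set(ports))
        label = "normal"
        if len(hist_h) >= warmup:
            # Dynamic thresholds: recomputed from windows judged normal so far.
            mu, sd = mean(hist_h), max(pstdev(hist_h), 1e-9)
            dev = abs(h - mu)
            if dev > k2 * sd:            # beyond second level: anomalous outright
                label = "anomaly"
            elif dev > k1 * sd:          # between levels: run the costlier check
                if line_residual(hist_x, hist_y, x, y) > k_lin:
                    label = "anomaly(stage2)"
        if label == "normal":            # only normal windows update the baseline
            hist_h.append(h); hist_x.append(x); hist_y.append(y)
        labels.append(label)
    return labels

def win(n_ports, per_port):
    """Constructed sample window: n_ports ports, per_port flows to each."""
    return [("10.0.0.5", 1000 + i) for i in range(n_ports) for _ in range(per_port)]

# Constructed traffic: five baseline windows, a busier but proportional window,
# a window with few flows spread over many ports, and a wide port sweep.
SAMPLE = [win(8, 2), win(9, 2), win(8, 2), win(7, 2), win(8, 2),
          win(10, 2), win(12, 1), win(64, 1)]
```

On the constructed sample, the sixth window lands between the two thresholds but is cleared by the second stage, the seventh lands there and is flagged by it, and the eighth exceeds the second-level threshold without the second stage running.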
Keywords/Search Tags: traffic abnormal detection, user abnormal behavior recognition, entropy, clustering algorithms