
The Study Of P2P And Anomaly Traffic Identification Technology Based On Behavior Analysis

Posted on: 2009-06-05
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Wang
GTID: 1118360278965430
Subject: Signal and Information Processing

Abstract/Summary:
With the rapid development of Internet technology and P2P applications, network management and control have become increasingly important, and traffic identification has become an important research subject. At present, most traffic identification methods remain at the theoretical stage and cannot be applied in practice. Building on previous studies, this thesis focuses on P2P traffic identification and anomaly detection and optimizes payload-based identification methods. It also thoroughly analyzes the behavior characteristics of node-based traffic, of the flows that make up the majority of total traffic, and of denial-of-service behavior in anomaly traffic. The main work and contributions of the thesis are as follows:

(1) On payload-based identification, to make up for the limitations of existing methods in identification speed and accuracy, a heuristic traffic identification method based on a trusted list is proposed. The method first analyzes packet payload characteristics, then adds each identified connection to a trusted list, and finally uses an active parameter to optimize and control the list. This parameter records how often a session has been visited, so that a record with a high visit frequency in the trusted list is identified with high priority, which reduces the system cost of searching the list. A method that uses the sequence numbers of TCP packets to accelerate identification is also proposed. In addition, extensive work on protocol characteristics was carried out: mistakes in old signatures were corrected and new regular expressions for popular applications were introduced. The experimental results show that the method overcomes the drawbacks of the original algorithm and effectively improves identification accuracy.

(2) To overcome the inability of payload-based methods to identify "unknown" applications and encrypted packets, a diffused traffic identification method based on node behavior analysis (NBTI for short) is proposed. NBTI focuses on the node connection characteristics produced by a single P2P application, as well as the total number of connections in a given period, and builds an identification model from the analysis results. Because NBTI does not rely on packet payload characteristics, it can identify encrypted traffic and "unknown" applications, which often exhibit recognizable behavior, and it avoids the privacy issues of inspecting packet contents. A UDP-packet-based heuristic further improves the performance of NBTI. Combined with node-based characteristics, NBTI is suitable for network environments with large traffic volumes.

(3) Because most of the total bytes are carried by a small fraction of flows, a behavior-based majority traffic identification method (BMTI for short) is proposed. BMTI focuses on five types of heavy-traffic applications: P2P streaming, P2P file sharing, denial of service (DoS), worms and scanning. It analyzes the similarities and differences between these applications in the proportion of communicating nodes, the operating principles of the applications and other behavioral aspects, from which distinct features for identifying each application are obtained. Two strategies improve identification efficiency: thresholds on packet count and byte count restrict the identification list, and the TCP-packet-based acceleration method and the UDP-packet-based heuristic improve efficiency and accuracy.

(4) Since denial of service is one of the major sources of anomaly traffic, a DoS attack identification method based on behavior analysis is proposed. The method analyzes the packet connections, the packet length distribution and the distribution of remote nodes and port numbers caused by DoS attacks, and summarizes seven distinct features. Based on these results, five factors are proposed for identifying DoS attacks: packet length range, variation in the number of nodes and ports, the ratio of uploaded to downloaded bytes, the packet interval and the similarity of packets. A hybrid experiment with P2P, FTP and denial-of-service traffic demonstrates the effectiveness of the algorithm.

Taken together, the proposed behavior-analysis-based traffic identification methods have simple models and are easy for engineers to understand. They deserve further theoretical research and also have good application value in engineering.
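As an added illustration of contribution (1), not code from the thesis, the following Python sketch shows the trusted-list mechanism: a payload regex scan runs only when a session is not yet in the list, every hit on the list bumps the session's active counter, and when the list is full the least-visited record is evicted so frequently seen sessions keep priority. The signature regular expressions, the flow trace and the tiny capacity are constructed for this example; the relative-sequence-offset cutoff is one possible reading of the TCP-sequence-number acceleration and is an assumption, since the abstract does not describe it.

```python
import re
from collections import namedtuple

FlowKey = namedtuple("FlowKey", "src sport dst dport proto")

# Payload signatures (constructed for this example; a deployment keeps a
# larger, maintained set). They are tried only when the trusted list misses.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-[12]\.\d+-")),
]

# Assumption: signatures sit at the start of a stream, so payload beyond this
# relative TCP sequence offset is not scanned at all.
MAX_INSPECT_OFFSET = 1024


def canonical(key):
    """Direction-independent session key: both halves of a TCP session share
    one trusted-list record."""
    lo, hi = sorted([(key.src, key.sport), (key.dst, key.dport)])
    return (lo, hi, key.proto)


class TrustedList:
    """Bounded list of identified sessions. 'active' counts visits; on
    overflow the least-visited record is evicted."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}  # canonical key -> [label, active]
        self.stats = {"list_hits": 0, "regex_scans": 0, "evictions": 0}

    def lookup(self, key):
        entry = self.entries.get(key)
        if entry is None:
            return None
        entry[1] += 1
        self.stats["list_hits"] += 1
        return entry[0]

    def add(self, key, label):
        if key in self.entries:
            return
        if len(self.entries) >= self.capacity:
            victim = min(self.entries, key=lambda k: self.entries[k][1])
            del self.entries[victim]
            self.stats["evictions"] += 1
        self.entries[key] = [label, 1]

    def by_priority(self):
        """Records ordered by the active parameter, most visited first."""
        return sorted(self.entries.items(), key=lambda kv: kv[1][1], reverse=True)


def identify(tl, key, payload, seq_offset=0):
    """Trusted-list hit first; regex scan only on a miss near stream start."""
    ckey = canonical(key)
    label = tl.lookup(ckey)
    if label is not None:
        return label
    if seq_offset > MAX_INSPECT_OFFSET:
        return "unknown"
    tl.stats["regex_scans"] += 1
    for label, pattern in SIGNATURES:
        if pattern.match(payload):
            tl.add(ckey, label)
            return label
    return "unknown"


# Constructed trace: (flow key, payload, relative TCP sequence offset).
TRACE = [
    (FlowKey("10.0.0.5", 51000, "203.0.113.9", 6881, "tcp"),
     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"P" * 20, 0),
    (FlowKey("10.0.0.5", 51001, "203.0.113.10", 80, "tcp"),
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", 0),
    (FlowKey("203.0.113.9", 6881, "10.0.0.5", 51000, "tcp"),  # reverse direction
     b"\x00\x00\x00\x05\x04\x00\x00\x00\x07", 68),
    (FlowKey("10.0.0.5", 51000, "203.0.113.9", 6881, "tcp"),
     b"\x00\x00\x00\x0d\x06\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x40\x00", 68),
    (FlowKey("10.0.0.5", 51002, "203.0.113.11", 22, "tcp"),
     b"SSH-2.0-OpenSSH_9.6\r\n", 0),
    (FlowKey("10.0.0.5", 51003, "203.0.113.12", 443, "tcp"),  # TLS: no signature
     b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03", 0),
    (FlowKey("10.0.0.5", 51003, "203.0.113.12", 443, "tcp"),  # deep in stream
     b"\x17\x03\x03\x00\x45", 4000),
]


def run_demo(capacity=2):
    """Capacity 2 is deliberately small so that one eviction is visible."""
    tl = TrustedList(capacity)
    labels = [identify(tl, key, payload, off) for key, payload, off in TRACE]
    return labels, tl


if __name__ == "__main__":
    labels, tl = run_demo()
    print(labels, tl.stats, [(lbl, a) for _, (lbl, a) in tl.by_priority()])
```

With the trace above the BitTorrent session is scanned once and then served from the list in both directions, so when the SSH session arrives and the list is full, the HTTP record (visited once) is evicted rather than the BitTorrent record (visited three times); the TLS packet at offset 4000 is never scanned. Real signatures of this kind must be maintained continuously, which is exactly the protocol-characteristics work the abstract describes.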
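As an added illustration of contribution (4), and again not the thesis's own code, the following Python computes the five DoS factors named in the abstract (packet length range, node and port variation, upload-to-download byte ratio, packet interval, packet similarity) over one host's traffic window and counts how many of them look flood-like. The two packet windows are constructed, and the thresholds are hypothetical values chosen for the example; the thesis does not publish its thresholds, so a deployment has to calibrate them against its own baseline traffic.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float         # capture time in seconds
    direction: str    # "out": sent by the monitored host, "in": received by it
    remote_ip: str
    remote_port: int
    length: int       # on-wire size in bytes
    payload: bytes


def behavior_factors(packets):
    """The five DoS factors for one host over one window, computed on the
    host's outbound packets (inbound bytes feed the upload/download ratio)."""
    out = [p for p in packets if p.direction == "out"]
    inbound = [p for p in packets if p.direction == "in"]
    if not out:
        raise ValueError("no outbound packets in window")
    lengths = [p.length for p in out]
    gaps = [b.ts - a.ts for a, b in zip(out, out[1:])]
    most_common = Counter(p.payload for p in out).most_common(1)[0][1]
    remote_nodes = len({p.remote_ip for p in out})
    return {
        "length_range": max(lengths) - min(lengths),      # packet length range
        "remote_nodes": remote_nodes,                     # node/port variation
        "remote_ports": len({p.remote_port for p in out}),
        "packets_per_node": len(out) / remote_nodes,
        "up_down_ratio": sum(lengths) / max(sum(p.length for p in inbound), 1),
        "mean_interval": sum(gaps) / len(gaps) if gaps else float("inf"),
        "payload_similarity": most_common / len(out),     # share of identical payloads
    }


# Hypothetical thresholds chosen for this example only.
THRESHOLDS = {
    "length_range": 16,       # near-constant packet size
    "packets_per_node": 20,   # traffic piled onto very few remote nodes
    "up_down_ratio": 20,      # almost nothing comes back
    "mean_interval": 0.010,   # seconds between consecutive outbound packets
    "payload_similarity": 0.9,
}


def dos_score(f):
    """Number of the five factors that look like a flood (0..5)."""
    return sum([
        f["length_range"] <= THRESHOLDS["length_range"],
        f["packets_per_node"] >= THRESHOLDS["packets_per_node"],
        f["up_down_ratio"] >= THRESHOLDS["up_down_ratio"],
        f["mean_interval"] <= THRESHOLDS["mean_interval"],
        f["payload_similarity"] >= THRESHOLDS["payload_similarity"],
    ])


def is_dos(packets, min_factors=4):
    return dos_score(behavior_factors(packets)) >= min_factors


# Constructed windows. Payloads are abbreviated; 'length' carries the wire size.
def make_flood(n=50):
    """One host firing identical 512-byte datagrams at one target, 1 ms apart,
    with nothing coming back."""
    return [Packet(0.001 * i, "out", "198.51.100.7", 53, 512, b"\x00" * 64)
            for i in range(n)]


def make_p2p():
    """A few peers, mixed packet sizes, both directions, distinct payloads."""
    peers = ["203.0.113.%d" % i for i in range(1, 7)]
    pkts, t = [], 0.0
    for i in range(24):
        t += 0.05 + 0.03 * (i % 4)
        length = 64 + 97 * (i % 13)
        direction = "out" if i % 3 else "in"
        pkts.append(Packet(t, direction, peers[i % 6], 6881 + i % 5,
                           length, bytes([i]) * (length % 16 + 1)))
    return pkts


if __name__ == "__main__":
    for name, window in (("flood", make_flood()), ("p2p", make_p2p())):
        f = behavior_factors(window)
        print(name, dos_score(f), is_dos(window), f)
```

The flood window trips all five factors while the P2P window trips none, which is the separation the abstract's hybrid P2P/FTP/DoS experiment relies on. A SYN flood with spoofed sources would instead drive the node and port counts up rather than down, so in practice the node/port factor is evaluated as variation against the host's own baseline rather than as a single fixed direction.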
Keywords/Search Tags: P2P, traffic identification, behavior analysis, majority network traffic, network anomaly, denial of service