
Research On Key Technologies Of Network Security Based On Machine Learning

Posted on: 2021-02-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Q Liu
Full Text: PDF
GTID: 1368330611955041
Subject: Information security
Abstract/Summary:
In recent years, benefiting from the application of communication, big data and cloud computing technologies, "Internet+" has made significant progress in people's livelihood, the economy, government affairs and other areas. At the same time, the development of information technology, with countless network devices and applications and an explosive growth of network data, has made the Internet increasingly complex, which poses great dangers to network security. Faced with massive, diversified and dynamically changing data, traditional security technologies are becoming powerless, which raises new requirements for network security research in terms of performance, adaptability and generalization, so research into new network security technology is important. Machine learning-based network security research has made considerable progress, showing strong capabilities in data processing, detection and adaptive learning and providing new ways to solve current security problems. However, machine learning methods rely on publicly labelled data sets and empirical knowledge, and face difficulties in real-network data collection, feature extraction and detection-model construction, which makes it hard to deploy the existing research in actual networks.

Therefore, this dissertation first reviews existing research on machine learning-based network security, including its research categories, research methods and related work; it then analyses the main problems of the existing research and their causes, to support the follow-up study; next it focuses on three key techniques: actual information collection, unknown-protocol feature extraction and adaptive incremental model construction, which overcome the limitations of existing research and better realize the application of machine learning-based network security in actual networks. The key techniques are as follows.

1. A security information acquisition model is proposed. First, the security data generated by heterogeneous security devices in the actual network are collected and encapsulated in a standard format; then a filtering-integration algorithm is used to filter erroneous and redundant content from the original information; next, a correlation method based on the Bayes algorithm is utilized to gather similar information; finally, event management is studied. The experimental results show that the model can collect security information from the actual network through information collection, processing and correlation, and achieves good performance.

2. In order to extract features without prior knowledge, an unknown-protocol reversing method, Rebuilder, is proposed. First, an unknown-protocol message model based on a hidden semi-Markov model is constructed to describe the evolution within a protocol field and the transitions between fields; then a parameter-training method based on the maximum likelihood criterion is proposed, and the lengths of keywords and fields are estimated; finally, several experiments show that the message formats and fields of both text and binary protocols can be well restored without prior knowledge, which provides useful information for extracting features of unknown-protocol messages.

3. Aiming at the problem in item 2, which relies on the general laws of message structure to construct the unknown-protocol message model, an unknown-protocol reversing method based on pattern discovery, Resight, is proposed. First, the protocol parsing process is analysed from the perspective of information theory, and a measure of pattern discovery and reconstruction rules are proposed; then the reconstruction algorithm of the ? machine is utilized to mine the message format; finally, Resight is used to reverse the format of binary messages without prior knowledge, which provides useful information for extracting features of unknown-protocol messages.

4. A network intrusion detection system based on the Gaussian Mixture Model, ENID, is constructed. First, a feature selection method based on rough set theory is utilized to generate the optimal feature subset; then an adaptive clustering algorithm based on the Gaussian Mixture Model is proposed, which automatically determines the optimal number of clusters according to the similarity-separation principle and learns the features of normal and abnormal network data; next, an incremental method is proposed, which uses the original results together with incremental samples for incremental clustering and mines frequent features to renew the feature database; finally, ENID is tested to verify its detection performance against the high-dimensional, complex and fast-changing data of an actual network.

Finally, a hybrid detection system, MixID, is designed, and a simulated network topology is built to test MixID and verify each key technology. Comparison of the experimental results shows that MixID has some advantages over existing standards and has made good progress in performance, adaptability and generalization. However, considering the limitations of the current work, there are still issues worth further study, such as large-scale network flow attacks and encrypted-traffic attacks.
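As an added illustration of item 4 (example code, not from the dissertation), the following Python sketch fits a one-dimensional Gaussian mixture to a constructed bytes-per-flow sample, picks the number of clusters automatically and flags the samples that fall outside the dominant cluster. BIC stands in for the thesis's similarity-separation criterion, which the abstract does not define, and treating the heaviest component as normal traffic is likewise an assumption.

```python
import math

def gauss_pdf(x, mu, var):
    """Density of the 1-D Gaussian N(mu, var) at x."""
    return math.exp(-(x - mu) ** 2 / (2 * var)) / math.sqrt(2 * math.pi * var)

def fit_gmm(xs, k, iters=60, var_floor=1.0):
    """EM for a 1-D mixture of k Gaussians; returns (weights, means, variances, loglik)."""
    n, srt = len(xs), sorted(xs)
    mean = sum(xs) / n
    var0 = max(var_floor, sum((x - mean) ** 2 for x in xs) / n)
    # Means start at evenly spaced order statistics, variances at the sample variance.
    mus = [srt[i * (n - 1) // (k - 1)] for i in range(k)] if k > 1 else [mean]
    vars_, ws = [var0] * k, [1.0 / k] * k
    for _ in range(iters):
        # E-step: responsibility of every component for every sample
        resp = []
        for x in xs:
            p = [ws[j] * gauss_pdf(x, mus[j], vars_[j]) for j in range(k)]
            s = sum(p) or 1e-300
            resp.append([pj / s for pj in p])
        # M-step: re-estimate weights, means and (floored) variances
        for j in range(k):
            nj = sum(r[j] for r in resp)
            if nj < 1e-12:
                continue
            mus[j] = sum(r[j] * x for r, x in zip(resp, xs)) / nj
            vars_[j] = max(var_floor, sum(r[j] * (x - mus[j]) ** 2 for r, x in zip(resp, xs)) / nj)
            ws[j] = nj / n
    ll = sum(math.log(sum(ws[j] * gauss_pdf(x, mus[j], vars_[j]) for j in range(k)) + 1e-300) for x in xs)
    return ws, mus, vars_, ll

def select_model(xs, k_max=4):
    """Choose the cluster count by BIC (assumed stand-in for the similarity-separation principle)."""
    best = None
    for k in range(1, k_max + 1):
        ws, mus, vars_, ll = fit_gmm(xs, k)
        bic = -2 * ll + (3 * k - 1) * math.log(len(xs))  # 3k-1 free parameters
        if best is None or bic < best[0]:
            best = (bic, k, ws, mus, vars_)
    return best[1:]

def flag_anomalies(xs, model):
    """Assumption: the heaviest component is 'normal'; samples most likely under any other are flagged."""
    k, ws, mus, vars_ = model
    normal = max(range(k), key=lambda j: ws[j])
    return [x for x in xs if max(range(k), key=lambda j: ws[j] * gauss_pdf(x, mus[j], vars_[j])) != normal]

# Constructed sample: bytes per flow for 40 benign connections and 8 flood connections.
BENIGN = list(range(400, 600, 5))
FLOOD = list(range(4800, 5200, 50))
MODEL = select_model(BENIGN + FLOOD)
```

The incremental step described in item 4 would warm-start `fit_gmm` from the previous parameters when a new batch arrives instead of refitting from order statistics.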
Keywords/Search Tags:network security, machine learning, data collection, unknown protocol reverse, network intrusion detection