Research On Anomaly Behavior Detection And Recognition In Cyberspace

Posted on: 2020-06-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J F Wang
GTID: 1488306338478814
Subject: Computer application technology

Abstract/Summary:
The open, borderless domain of signals has formed the fifth domain after Land, Sea, Air and Sky, and has become a dynamic and interactive virtual space that reflects the person-to-person, thing-to-thing and person-to-thing relationships of physical space. In our country, strategic requirements have been set out to ensure the security of information and resources and to ensure the interconnection among key information infrastructures in Cyberspace. For this reason, the detection and recognition of network anomaly behavior, one of the important research topics in Cyberspace security, faces new challenges. Guided by the national Cyberspace security strategy, and from the aspects of communication information and communication structure in Cyberspace, this dissertation studies small-probability events that affect network performance and security in the process of virtual space reflecting physical space, in order to ensure the interconnection among key information infrastructures in network environments based on packet-switching technology.

First, by studying network flow interaction behavior in a packet-switching environment, an interaction model for large-scale Cyberspace flows is proposed based on complex network methods. Using the temporal locality principle to depict the interactive relationships among network flows over time series, a temporal locality-based network flow interaction model is constructed. Analysis of the statistical characteristics of the model structures of different network applications shows that the model represents the definitive behaviors of network applications well, and that weakly interacting flows tend to form small-world networks while strongly interacting flows tend to form scale-free networks. A multivariate flow similarity algorithm is designed to filter pseudo-interactive flows from high-volume traffic, and a local multivariate similarity-based network flow interaction model is constructed. After analyzing the dynamics of the model structure of anomaly flows, we found positive, negative and non-relations between model characteristics and network states (i.e. normal and abnormal), using the proposed Gaussian distribution-based method for measuring the significance of model characteristics to network states. The highest significance across all anomaly datasets is 97.06%. The results show that the model represents network anomaly flow behavior well. Together, these results show that the network flow interaction model can be used to monitor, analyze and visualize large-scale traffic on key information infrastructures.

Second, by introducing intuitionistic fuzzy sets to quantify the relationship between flow interaction model characteristics and network states, a univariate intuitionistic fuzzy set detection method (IFS-AD) and a multivariate intuitionistic fuzzy set ensemble detection method (IFSE-AD) are proposed to detect network anomaly flow behaviors. For the sequence and aggregation of model characteristics, we design a method for constructing intuitionistic fuzzy sets from model characteristics. To address the non-uniqueness between univariate clustering intervals and network states, a univariate intuitionistic fuzzy set detection method is put forward, based on a proposed probability accumulation method of intuitionistic fuzzy sets for two-state linguistic variables and rules for judging detection results over multiple linguistic variables. Experimental results on multiple anomaly datasets show good detection performance. To address the inconsistency of the multiple variables across datasets, a method for mapping clustering intervals to linguistic variables is designed, and the multivariate intuitionistic fuzzy set ensemble detection method is put forward. Experimental results show that anomaly detection accuracy is above 94.44% except on CTU-4. Compared with existing methods, the results demonstrate the superiority of IFSE-AD over state-of-the-art approaches.

Third, based on our finding that there is a significant relationship between flow interaction model characteristics and the definitive behaviors of network applications, a method for recognizing anomaly application flows in Cyberspace is proposed to classify network flows and identify anomaly applications effectively. A network flow processing approach is designed to reduce the scale of the problem and to complete network application recognition for the study goals. For massive network flows, we propose a network flow grouping method that proceeds from clustering to merging. Experimental results show that this method not only filters individual flows effectively but also aggregates flows with non-unique packet signatures and mixed-protocol flows. Across multiple network flow groups from multiple samples, a method for constructing the flow grouping set of an anomaly application is put forward. After constructing flow interaction models for multiple anomaly applications, analysis of the model characteristic sequences shows that the model characteristic distributions of anomaly applications follow interval aggregation. For the multiple characteristic sequences of multiple anomaly applications, a clustering algorithm is introduced to partition the characteristic sequences, and a random forest-based recognizer over the clustering intervals of multiple model characteristics is constructed. Experimental results show that the accuracy of anomaly application flow recognition is above 96%. In comparison with existing methods, we found that our method not only detects anomalies at an early stage and aggregates network flows, but also mines anomaly flow interaction patterns.

Finally, for the Cyberspace domain beyond geographical space, a monitoring mechanism for Cyberspace structure based on active probing is studied to measure the dynamic and catastrophic nature of network structure. Relying on our research group's program, a real-time monitoring framework for Cyberspace is designed to probe network topology with distributed, cooperating monitors. After analyzing the changes of network structure during anomaly activities, a network path changing coefficient is put forward to measure the dynamics of network structure; it effectively distinguishes network states before and after sudden changes of network structure and avoids the impact of strange nodes' links on structure measurement. For the dynamics of the Cyberspace structure system, a forward k-nearest neighbor Fibonacci steady-state domain is given to quantify the normal state of network structure. Detection rules for network structure during anomaly activities are then defined to measure the catastrophic nature of network structure. Experimental results show that the detection accuracy for Cyberspace anomaly activities is above 97.78%.

In summary, our studies of Cyberspace anomalies can analyze anomaly flows, detect anomaly behaviors, recognize anomaly application flows, and monitor and measure networks for key information infrastructures. The results show significant practical value and real-world meaning for ensuring the interconnection among key information infrastructures. Our work will also provide basic support for national Cyberspace security construction.

Keywords/Search Tags: Cyberspace security, Network flow modeling, Complex network modeling, Anomaly detection, Anomaly application recognition, Network measurement, Network structure monitoring