
Traffic Anomaly Detection And Optimal Probe Deployment For Data Center Networks

Posted on: 2022-08-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J W Mao
Full Text: PDF
GTID: 1488306479977429
Subject: Computer application technology
Abstract/Summary:
Network security is an important part of national security. As infrastructure that carries large amounts of data from important national departments and key enterprises, data center networks have become the main targets of cyber attacks. Every year, a large number of attacks against enterprise networks or data center networks occur around the world, causing many information leaks, economic losses and even political problems. Attack traffic against data center networks has many characteristics: strong uncertainty, strong concealment, and a wide attack range. Existing network intrusion detection methods often use only a single flow feature, which makes it difficult to accurately identify attacks in large-scale network traffic in real time and easily produces false positives. At the same time, large-scale attack traffic places a heavy detection burden on centralized network intrusion detection systems, resulting in low detection efficiency. Therefore, how to quickly and accurately identify abnormal traffic in the data center network has become a key issue in data center network security, and also a key issue that needs to be resolved in environment sensing for network security situational awareness. It has important research value and needs to be addressed.

This paper aims at these problems and proposes a data center network anomaly detection technique that combines multiple feature combinations with software and hardware. It studies the features of network traffic data, the real-time detection of abnormal traffic, and the deployment of distributed network probes. The main contributions of this article can be summarized in the following three points:

1. This paper proposes and implements a network traffic feature selection mechanism based on a clustering technique and an information gain filter. The proposed mechanism first defines the distance between feature vectors based on correlation coefficients and clusters the feature vectors by these distances. It then merges feature subsets by the information gain and the information gain ratio. On different network traffic data sets, the proposed algorithm is compared with commonly used feature selection techniques. The comparison results show that the proposed technique can effectively reduce the feature dimension of the network traffic data set. On different network traffic data sets, the feature subset generated by the proposed method shortens the training time of the classifier and improves the cost-performance of the classifier for abnormal traffic detection.

2. This paper proposes and implements a real-time detection algorithm for DDoS attacks based on multi-dimensional joint entropy. The proposed method considers the joint effect of different feature combinations, and finds the feature combinations that characterize a specific DDoS attack by calculating the variation of the joint entropy of each combination. Real-time DDoS attack detection experiments are conducted in a software-defined network environment. The experimental results show that the proposed DDoS attack detection algorithm detects the attack faster than a detection algorithm using single-feature information entropy, while improving the detection accuracy rate and reducing the false alarm rate. Besides, this paper also leverages the advantages of control-forwarding decoupling and dynamic network management in SDN, and proposes a DDoS attack mitigation method based on a fuse-and-recovery technique. The method can determine the access behavior towards the data center server and block the attack traffic of the malicious host without affecting normal access to the server. The experimental results show that the proposed mitigation method can effectively block the attack traffic, and when the zombie host returns to normal, the proposed method allows its normal access behavior again.

3. This paper proposes and implements a network probe deployment algorithm based on anomaly rate range and cross-entropy optimization. First, this article uses the minimum covariance determinant algorithm to obtain the historical anomaly rate of every server in the network from the historical traffic data of the data center servers, which is collected by the above-mentioned real-time attack detection algorithm. Then the algorithm optimizes the deployment locations through the cross-entropy optimization algorithm to minimize the aggregate anomaly rate. The experimental results show that, compared with the benchmark algorithm, the algorithm proposed in this paper places each probe closer to the servers with a high historical anomaly rate. At the same time, when a new anomaly occurs, the average number of servers that each probe needs to check is lower, which effectively improves the detection efficiency.

The proposed data center network abnormal traffic detection technology with multi-feature and software-hardware combination can better improve the efficiency and accuracy of data center network abnormal traffic detection, and help improve cyberspace security situational awareness.
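The core of contribution 2 is comparing the joint entropy of feature combinations between a baseline window and the current window. The example below is added here to illustrate that idea and is not code from the dissertation; the flow records, the field names (src, dst, dport) and the 1.5-bit alarm threshold are constructed assumptions, not values from the thesis.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample flow summaries (not from the dissertation). Baseline:
# eight distinct clients spread over four servers and two service ports.
BASELINE = [
    {"src": f"10.0.0.{i}", "dst": f"10.1.0.{i % 4}", "dport": 80 if i < 4 else 443}
    for i in range(8)
]
# Flood window: many distinct sources all converging on one server and port,
# so per-source entropy stays high while (dst, dport) entropy collapses.
ATTACK = [{"src": f"203.0.113.{i}", "dst": "10.1.0.0", "dport": 80} for i in range(8)]


def entropy(counts):
    """Shannon entropy in bits of a Counter of symbol frequencies."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def joint_entropy(flows, fields):
    """Joint entropy of the tuple formed by the given flow fields."""
    return entropy(Counter(tuple(f[k] for k in fields) for f in flows))


def entropy_drops(baseline, window, fields=("src", "dst", "dport")):
    """Entropy variation (baseline minus current window) for every non-empty
    combination of fields, sorted with the largest drop first."""
    drops = {}
    for r in range(1, len(fields) + 1):
        for combo in combinations(fields, r):
            drops[combo] = joint_entropy(baseline, combo) - joint_entropy(window, combo)
    return sorted(drops.items(), key=lambda kv: kv[1], reverse=True)


def detect_ddos(baseline, window, threshold=1.5):
    """Feature combinations whose joint entropy fell by at least `threshold`
    bits (assumed threshold); an empty list means no alarm."""
    return [c for c, drop in entropy_drops(baseline, window) if drop >= threshold]


if __name__ == "__main__":
    for combo, drop in entropy_drops(BASELINE, ATTACK):
        print(f"{'+'.join(combo):16s} drop = {drop:.2f} bits")
    print("alarm on:", detect_ddos(BASELINE, ATTACK))
```

In this constructed case the (dst, dport) combination loses 3 bits while dst alone loses only 2, which is why ranking combinations, rather than a single feature, gives the sharper signal the thesis describes.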
Keywords/Search Tags: Data center network, Network traffic anomaly detection, Information theory, Machine learning, Cross-Entropy Optimization