The Research On The Anomaly Detection Of Network Traffic Based On The Temporal Subgraph Pattern

Posted on: 2020-10-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X L Sun
GTID: 1488306548491704
Subject: Computer Science and Technology

Abstract/Summary:
The arrival of the internet era has made life more convenient, but it has also brought new challenges. The network security situation remains grim: the techniques behind network security threats are constantly being upgraded and new threats keep emerging, which makes threat detection and security defense harder. As networks grow in scale, the volume of network traffic data increases, which poses great challenges for the storage, analysis and detection of network traffic. Finding abnormal behavior in the traffic of a large-scale network accurately and in real time, and so ensuring that the network operates normally and effectively, is important for improving the availability and reliability of the network. To address these challenges, we study the design of a network traffic anomaly detection framework, offline analysis of network traffic, and anomaly detection of network traffic based on temporal subgraphs. First, we summarize network traffic anomaly detection and graph anomaly detection. Our contributions are as follows:

1) According to the characteristics of network traffic, a network traffic anomaly detection framework based on temporal subgraph patterns is designed. The framework consists of five parts: a data collection layer, a data storage layer, a graph model building layer, an anomaly detection layer and a data display layer. The technology used in each layer of the framework is then introduced. Finally, three components are emphasized: offline analysis of network traffic based on frequent temporal subgraphs, online anomaly detection based on temporal subgraph pattern counting, and online anomaly detection based on temporal subgraph continuous query.

2) An offline analysis method for network traffic based on frequent temporal subgraphs is proposed. Frequent temporal subgraphs are used to describe the frequent interaction patterns in different scenes. However, because they lack time information, current frequent subgraph mining algorithms have difficulty mining frequent interaction patterns in network traffic. We study and design a frequent temporal subgraph mining algorithm based on time first search (TFS), which constructs a canonical labeling system based on TFS to reduce the search space and improve the efficiency of the algorithm. Finally, the algorithm is used to mine frequent temporal subgraphs in network traffic. The experimental results show that TM-Miner can effectively mine the communication patterns of network traffic.

3) A method of network traffic anomaly detection based on temporal subgraph pattern counting is proposed. In this method, the network traffic is divided by time and constructed into temporal graphs, and the temporal subgraph counts are used as the features for anomaly detection. The multivariate covariance matrix method is then used to detect anomalies in the network traffic. To construct the temporal subgraph count features in real time, an exact counting algorithm and an estimation counting algorithm based on TFS are proposed, both of which use time information to improve efficiency. Experimental results show that the exact algorithm counts temporal subgraphs accurately and quickly, and that the estimation algorithm improves efficiency while maintaining accuracy.

4) A method of network traffic anomaly detection based on temporal subgraph pattern continuous query is proposed. A graph stream is used to describe the network traffic. Some network anomalies have a fixed attack pattern, which can be represented by a temporal subgraph. Network traffic anomaly detection can therefore be modeled as the problem of continuously detecting temporal subgraphs in a graph stream. To solve this problem, we design a temporal subgraph continuous detection algorithm based on the connection cache tree for single-timeline patterns, and a temporal subgraph continuous detection algorithm based on the Hasse for multi-timeline patterns. These two algorithms match time information and topology structure simultaneously to improve efficiency. Experiments show that the two algorithms are highly efficient and can detect network traffic anomalies in real time.

To address the problems of current graph-based anomaly detection frameworks, we study the key technologies of network traffic anomaly detection based on temporal subgraph patterns. The experimental results show that the framework can monitor network traffic and identify traffic anomalies in real time. The framework is suitable not only for anomaly detection of network traffic, but also for anomaly detection of dynamic graphs such as social networks.
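The continuous-query formulation in contribution 4, as an added example that is not code from the dissertation: it keeps a flat list of partial matches instead of the connection cache tree, and checks the time bound before the topology on every incoming flow. The three-host loop pattern, the 10-second bound and the flow records are all constructed assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "t src dst")

# Hypothetical single-timeline pattern: the edges must appear in this order.
# A, B and C are variables that bind to three distinct hosts.
PATTERN = [("A", "B"), ("B", "C"), ("C", "A")]
DELTA = 10  # assumed limit in seconds between first and last edge of a match

# Constructed sample stream, ordered by time (not real traffic).
SAMPLE = [
    Flow(1, "10.0.0.5", "10.0.0.9"),
    Flow(2, "10.0.0.7", "10.0.0.8"),
    Flow(4, "10.0.0.9", "10.0.0.12"),
    Flow(6, "10.0.0.12", "10.0.0.5"),   # closes the loop within DELTA
    Flow(20, "10.0.0.1", "10.0.0.2"),
    Flow(25, "10.0.0.2", "10.0.0.3"),
    Flow(40, "10.0.0.3", "10.0.0.1"),   # right topology, but too late
]


def extend(binding, edge_vars, flow):
    """Return the binding grown by this flow, or None if the flow does not fit."""
    new = dict(binding)
    for var, host in zip(edge_vars, (flow.src, flow.dst)):
        if var in new:
            if new[var] != host:
                return None
        elif host in new.values():  # distinct variables need distinct hosts
            return None
        else:
            new[var] = host
    return new


def continuous_query(stream, pattern=PATTERN, delta=DELTA):
    """Scan a time-ordered stream once and return (start, end, binding) matches."""
    partial, matches = [], []  # partial entries: (start_time, edges_matched, binding)
    for flow in stream:
        # Time check first: drop partial matches that can no longer finish in delta.
        partial = [p for p in partial if flow.t - p[0] <= delta]
        grown = []
        for start, k, binding in partial + [(flow.t, 0, {})]:
            new = extend(binding, pattern[k], flow)
            if new is not None and k + 1 == len(pattern):
                matches.append((start, flow.t, new))
            elif new is not None:
                grown.append((start, k + 1, new))
        partial.extend(grown)
    return matches
```

On the sample stream only the loop that completes between t=1 and t=6 is reported; the second loop has the same topology but spans 20 seconds, so its partial match is evicted before the closing flow arrives.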
Keywords/Search Tags: Network Traffic Anomaly Detection, Graph Anomaly Detection, Frequent Temporal Subgraph, Temporal Subgraph Counting, Temporal Subgraph Query