
Research On Key Technologies Of Internal Network Surveying And Mapping

Posted on: 2022-02-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Sun
Full Text: PDF
GTID: 1488306560985259
Subject: Information security
Abstract/Summary:
Internal networks are ubiquitous in cyberspace and are physically or logically isolated from the Internet. They have been integrated into many fields of social governance and social activity, and they carry high-value private data that has come to be regarded as an "information rich mine". Although these internal networks are under the protection of laws and national systems, network attacks still linger on: internal networks are always the key targets of internal network attacks and APT attacks, and protecting them has become a pressing issue in network security. The problem should be solved, and active defence capability promoted, by detecting internal network vulnerabilities in a timely manner, accurately distinguishing network attacks, and effectively judging abnormal network behaviour.

By introducing the concept of network surveying and mapping, this dissertation focuses on network surveying and mapping technology and on security detection methods based on stream mining and graph mining, so as to improve the security and defence capability of the internal network. The main contents of the study are: a targeted measurement method that moves from passive reply to active guiding; an equipment identification method based on the communication atlas; an anomaly detection technique using stream mining and graph mining; and a network attack detection method based on time-space coordination. The main innovations are as follows:

1. A model of targeted measurement from passive reply to active guiding is proposed. It supports the transfer of traditional mapping methods to the internal network and addresses problems including, but not limited to, sparse IP address distribution and limited network load. In this model the active measurement strategy is guided by passive measurement: tuple data is obtained from the traffic, and an IP address data set, a port data set and a general connection relation set are established for different time periods. Under the guidance of this model, component measurement is taken as the example: the traffic data is processed on the basis of source forgery, the tuple data is filtered and extracted by regular matching, and the importance of each IP address and port is assessed with a difference calculation model. The results of the initial traversal measurement, incremental measurement and real-time measurement are then used for targeted active detection. Without reducing the comprehensiveness of the measurement, the targeted measurement method produces significantly fewer detection packets than the traditional traversal measurement method and effectively reduces network load. At the same time the sparsity of IP address distribution is overcome, incremental and real-time measurement become possible, and measurement efficiency is improved.

2. An internal network equipment identification method based on stream mining and graph mining is proposed. It covers the blind spots of active detection and addresses problems including, but not limited to, the low recall rate of active detection packets and the limited depth of traffic analysis imposed by internal network conditions. Taking the IP address as the node and the IP link as the edge, the method calculates the correlation degree, neighbourhood average degree and fortress index of each node from the IP address connection graph, and uses them to determine whether an IP address belongs to server equipment or to a terminal device. On this basis the DBSCAN algorithm is applied again for secondary clustering, and terminal devices are judged to be host devices or NAT devices from communication frequency, number of packets, total amount of data, and so on. Finally, expert knowledge and the communication atlas are used to distinguish whether there is a server behind a NAT device. The results show that the passive measurement method based on the DBSCAN algorithm is very effective at identifying internal network components, compensates for the blind spots of active measurement, and improves the comprehensiveness of measurement. By tuning parameters such as Eps, MinPts and the threshold, equipment identification accuracy can be improved and false positives reduced.

3. An optimisation method for integrated detection by graph mining and stream mining is proposed. It improves the detection of abnormal behaviour and addresses the isolation of detection models and strategies. The method takes advantage of the unsupervised nature of graph mining, integrates the good adaptive ability of stream mining, and uses an ensemble approach to classify and update the K model. Under concept drift the K model evolves so that the current ensemble remains adapted to the data. On this basis, and using the known log data stream of the Lincoln dataset, experimental evaluation of the K model, the number of normalised substructures q, the fading factor ?, and so on, improves the measurement effect. Finally, stream mining and graph mining are carried out and the detection method is further optimised by introducing the surveying and mapping results and expert knowledge. The results show that the integrated detection method has stronger analytical capability and can effectively identify the lateral movement stage of an APT attack under the guidance of surveying and mapping.

4. Faced with the difficulty of fusing massive alarm information and the excessive false alarms in restricted internal networks, this dissertation proposes an abnormal detection method based on the correlation of time-space events, which improves the information fusion of attack events in joint time-space scenes. Based on subject-object analysis and causal analysis, scattered attack scenes are constructed and a multi-dimensional representation of attack events in time series and space series is formed. Using the surveying and mapping results, the internal network attack detection method for time-space association fuses the time-space attack events. The results show that DDoS reflection amplification attacks can be distinguished and identified effectively by the time-space correlation analysis model under the guidance of surveying and mapping. Compared with the traditional expert system algorithm and the classic BP neural network model, the time-space correlation analysis model has higher accuracy, a lower false positive rate and a lower false negative rate.

There are 56 pictures, 16 tables and 154 references in this dissertation.
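The two-stage equipment identification of innovation 2, as an added illustration that is not the dissertation's own code: IP addresses become graph nodes, degree against neighbourhood average degree splits servers from terminals (an assumed decision rule; the abstract's "correlation degree" and "fortress index" are not defined on the page and are left out), and a minimal DBSCAN over per-terminal communication frequency, packet count and data volume separates hosts from NAT candidates. The flow tuples, Eps and MinPts values are constructed for the example.

```python
# Added example (not the dissertation's code): graph-based server/terminal split, then DBSCAN
# over terminal traffic features; cluster outliers are flagged as NAT candidates.
from collections import defaultdict
import math

# Constructed flow tuples, not real traffic: (src_ip, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("10.0.0.11", "10.0.0.5", 443, 40, 30000), ("10.0.0.11", "10.0.0.6", 53, 10, 2000),
    ("10.0.0.12", "10.0.0.5", 443, 35, 28000), ("10.0.0.12", "10.0.0.6", 53, 12, 2400),
    ("10.0.0.13", "10.0.0.5", 443, 50, 41000), ("10.0.0.13", "10.0.0.6", 53, 9, 1800),
    ("10.0.0.14", "10.0.0.5", 443, 20, 15000), ("10.0.0.14", "10.0.0.6", 53, 11, 2200),
    ("10.0.0.20", "10.0.0.5", 443, 900, 700000), ("10.0.0.20", "10.0.0.6", 53, 400, 80000),
]

def classify_roles(flows):
    """IP = node, IP link = edge; degree above neighbourhood average degree => server (assumed rule)."""
    adj = defaultdict(set)
    for src, dst, *_ in flows:
        adj[src].add(dst); adj[dst].add(src)
    roles = {}
    for n, nb in adj.items():
        nad = sum(len(adj[m]) for m in nb) / len(nb)   # neighbourhood average degree
        roles[n] = "server" if len(nb) > nad else "terminal"
    return roles
def terminal_features(flows, roles):
    """Per-terminal (flow count, packets, bytes), log10-scaled so distances stay comparable."""
    agg = defaultdict(lambda: [0, 0, 0])
    for src, _, _, pkts, nbytes in flows:
        if roles.get(src) == "terminal":
            agg[src][0] += 1; agg[src][1] += pkts; agg[src][2] += nbytes
    return {ip: tuple(math.log10(v + 1) for v in vals) for ip, vals in agg.items()}
def dbscan(points, eps, min_pts):
    """Minimal DBSCAN (Eps and MinPts as named in the abstract): cluster id per key, -1 = noise."""
    region = lambda p: [q for q in points if math.dist(points[p], points[q]) <= eps]
    labels, cid = {}, 0
    for p in points:
        if p in labels or len(region(p)) < min_pts:
            labels.setdefault(p, -1); continue   # noise unless a core point later absorbs it
        cid += 1; labels[p] = cid; queue = region(p)
        while queue:                             # grow the cluster from every core point
            q = queue.pop()
            if labels.get(q, -1) != -1: continue
            is_new = q not in labels; labels[q] = cid
            if is_new and len(region(q)) >= min_pts:
                queue += [r for r in region(q) if r not in labels]
    return labels
def identify_devices(flows, eps=0.6, min_pts=3):
    """Secondary clustering of terminals: dense cluster => host, outlier => NAT candidate."""
    roles = classify_roles(flows)
    for ip, lab in dbscan(terminal_features(flows, roles), eps, min_pts).items():
        roles[ip] = "nat_candidate" if lab == -1 else "host"
    return roles
```

With the constructed flows the four workstations cluster together while 10.0.0.20, which carries an order of magnitude more packets and bytes over the same two links, falls out as noise; on real traffic the Eps, MinPts and threshold tuning the abstract describes is what keeps busy hosts from being mislabelled.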
Keywords/Search Tags: Internal network, Network surveying and mapping, Time-space information fusion, Stream mining, Graph mining