
Research On User Behavior Analysis Based On High Flow And Large Capacity Network

Posted on: 2012-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: T Zhao
Full Text: PDF
GTID: 2218330338497756
Subject: Computer system architecture

Abstract/Summary:
With the development of computer networks, not only has the application area of networks become far wider, but the number of different kinds of viruses and Trojans is also growing. Unfortunately, the availability of multipurpose network attack mechanisms and attack tools has made the computer network field obscure and fragile by exposing it to certain threats. The constantly growing number of network users, together with other limitations such as bandwidth management, efficient storage, handling massive amounts of data, detecting and mitigating threats, and making effective decisions, has become the focus of research in the field of network security.

The traditional intrusion detection system adopts the idea of passive defense: detecting abnormal data and intrusions in the network. However, the accelerated growth in network bandwidth and in the number of data packets processed per unit time has raised severe security problems for intrusion detection systems, such as low detection speed and a high false alarm rate in data collection and analysis. Keeping the shortcomings of current intrusion detection technology in mind, in this paper we analyze the principles of large-flow data capture, clustering and anomaly detection. We have conducted in-depth research as follows:

① For data collection, a high-speed flow acquisition environment is set up combining FreeBSD and tcpdump, and the network card is modified for the FreeBSD system. The test results show that network outlet flow capture and the packet loss rate are within acceptable limits when applied at Chongqing University. At the same time, the environment is also able to analyze the captured packets in real time.

② Based on analysis of the existing intrusion detection systems and data mining technology, a data capture and intrusion detection system based on IP flow clustering, called Cluster Package CAP (CPCAP), is proposed in this paper.

③ To address problems such as the high false alarm rate when an intrusion detection system catches exceptions, and the failure of the CP algorithm when processing massive data, an algorithm based on IP flow clustering, K-means with CP (the KCP algorithm), is adopted for detecting abnormal network data. The improved algorithm advances on the CP algorithm with respect to time, complexity and proper analysis of the intrusion detection data. After discovering abnormal data, the algorithm can determine the attackers and destination hosts according to the improved KCP algorithm.

④ The CPCAP system is deployed in the campus network of Chongqing University, where it detects abnormal data and cyber attacks effectively.

The last part of this paper summarizes our discussion and prospects for future work. Though the designed system and the improved algorithm improve the detection of abnormal network data, a number of problems remain unsolved, such as active network fault and performance measurement, so further work will be required to continue the related research and analysis.
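The abstract describes clustering IP flows with K-means and then reading the attacker and destination hosts off the flows that fall outside the normal clusters. The following is an added illustration of that idea, not the thesis's CPCAP or KCP code: it assumes flows have already been aggregated from a packet capture into per-flow feature records (packet count, byte count, duration, distinct destination ports), standardizes the features so byte counts do not swamp port counts, runs a deterministic K-means (farthest-first seeding, Lloyd iterations), and treats flows that land in clusters below a minimum size as anomalous. All flow records, addresses and the small-cluster rule are constructed for the example; the actual KCP algorithm is not on the page.

```python
"""K-means clustering of aggregated IP flow records to surface anomalous flows.

Added example, not the thesis's CPCAP/KCP implementation. Assumes flows are
already aggregated from a capture into per-flow features; every record below
is constructed.
"""
import math
from collections import Counter

# Constructed flow records: (src, dst, packets, bytes, duration_s, distinct_dst_ports).
FLOWS = [
    ("10.0.1.10", "10.0.2.5", 120, 96000, 30.0, 1),
    ("10.0.1.11", "10.0.2.5", 150, 120000, 35.0, 1),
    ("10.0.1.12", "10.0.2.6", 90, 72000, 25.0, 1),
    ("10.0.1.13", "10.0.2.7", 200, 160000, 40.0, 2),
    ("10.0.1.14", "10.0.2.5", 110, 88000, 28.0, 1),
    ("10.0.1.15", "10.0.2.8", 130, 104000, 32.0, 1),
    ("10.0.1.16", "10.0.2.6", 100, 80000, 27.0, 1),
    ("10.0.1.17", "10.0.2.7", 170, 136000, 38.0, 1),
    # constructed scan-like flow: many small packets touching many destination ports
    ("203.0.113.9", "10.0.2.5", 5000, 300000, 12.0, 1024),
    # constructed flood-like flow: packet and byte counts far above the rest
    ("198.51.100.4", "10.0.2.6", 200000, 150000000, 60.0, 1),
]


def zscore(rows):
    """Standardise each feature column (mean 0, std 1); constant columns are left as-is."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points, k):
    """Farthest-first seeding: deterministic, and it tends to isolate outlying points."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(list(far))
    return centroids


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm; returns (cluster label per point, centroids)."""
    centroids = init_centroids(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:  # assignments stable: converged
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = [sum(col) / len(col) for col in zip(*members)]
    return labels, centroids


def detect_anomalous_flows(flows, k=3, min_cluster_size=2):
    """Cluster the numeric features and report (src, dst, cluster) for flows
    whose cluster holds fewer than min_cluster_size members (constructed rule)."""
    points = zscore([list(f[2:]) for f in flows])
    labels, _ = kmeans(points, k)
    sizes = Counter(labels)
    return [(f[0], f[1], lab) for f, lab in zip(flows, labels) if sizes[lab] < min_cluster_size]


if __name__ == "__main__":
    for src, dst, cluster in detect_anomalous_flows(FLOWS):
        print(f"anomalous flow: {src} -> {dst} (cluster {cluster})")
```

With the constructed records the eight ordinary flows form one cluster while the scan-like and flood-like flows each end up alone, so the source and destination of both are reported; on real traffic the cluster count, the minimum cluster size and the feature set would need tuning against the false alarm rate the abstract is concerned with.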
Keywords/Search Tags: Data Capture, Intrusion Detection System, Hierarchical Clustering, K-means