Abnormal Event Identification Based On Communication Network Flow Connection Behavior Analysis

Posted on: 2017-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: H N Zhang
GTID: 2308330485488101
Subject: Electronic and communication engineering

Abstract/Summary:
With the substantial development of Internet technology and the wide popularity of network applications, people's lives and work depend more and more on the Internet. At the same time, the security, reliability and efficiency of network communications have become a focus of concern. In recent years, researchers at home and abroad have done a great deal of work on network abnormal event detection and have made breakthrough progress. The traditional method of detecting abnormal events is mainly Deep Packet Inspection. However, because traffic in the backbone communication network is very large and a huge number of applications and users are involved, it is difficult to use Deep Packet Inspection for real-time feature extraction and analysis.

Network flow connection behavior analysis studies the relationships between different network flows and pays attention to how the flow connection relationships change dynamically. Network flow connection behavior contains a wealth of dynamic information about the network. Extracting network flow connection behavior characteristics does not involve users' private information and does not require a large amount of computation or memory, yet offers very high real-time performance. Therefore, this thesis studies methods for abnormal event detection and identification based on network flow connection behavior. The specific work is as follows:

Firstly, acquisition and pre-processing of backbone network flow data. Backbone network communication involves a large number of users and produces a large amount of interaction data all the time, so it is not feasible to study it from the perspective of a single user or to do Deep Packet Inspection. Therefore, this thesis introduces a more detailed analysis that divides the network flows by protocol field and control field in order to focus on the connection behavior of different kinds of network flow. Shannon entropy and the Network Flow Connection Graph are introduced to characterize the information and structural parameters of network flow connection behavior. This thesis then constructs a sequence of entropy values as the foundation for the subsequent detection of network anomalies.

Secondly, an abnormal event identification method based on the Z-Score of network flow connection behavior characteristic parameters. The method solves the threshold determination problem of current anomaly detection methods based on statistical analysis by selecting an appropriate time window. It calculates the Z-Score of the entropy sequence and the structural parameter sequence over the selected time window, and then finds the outliers in the entropy and structural parameter sequences. Finally, the meaning of each entropy and its corresponding changes are combined to identify the abnormal events.

Finally, an abnormal event identification method based on Markov clustering. The method addresses the problem that traditional methods cannot distinguish normal from abnormal behavior in the relationships between network nodes. It uses the core idea of Markov clustering, high similarity within a cluster and high difference between clusters, to divide normal and abnormal behavior into different clusters. In this method, an adjacency matrix is used to represent the network flow connection behavior. Markov clustering is then applied to the adjacency matrix to study how the number of sub-core structure faulty nodes in the cluster and the number of communication structures vary. Finally, the parameters of the network flow connection diagram of fully connected cluster nodes are combined to identify anomalies.
Keywords/Search Tags: Flow connection behavior, Anomaly Detection, Measure the relative position, Markov Clustering, Network flow connection diagram
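
The entropy-sequence and Z-Score steps described in the abstract, as an added example that is not taken from the thesis. The flow fields (`src`, `dst`), the trailing window of 6 bins, the threshold of 3 and the sample traffic are all assumptions constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def entropy_sequence(flows, field):
    """Per-time-bin entropy of one flow field; each flow is a dict with a 'bin' key."""
    bins = {}
    for f in flows:
        bins.setdefault(f["bin"], []).append(f[field])
    return [shannon_entropy(bins[b]) for b in sorted(bins)]

def zscore_outliers(seq, window, threshold=3.0):
    """Return (index, z) for points that deviate from the preceding `window` points."""
    hits = []
    for i in range(window, len(seq)):
        ref = seq[i - window:i]
        mu, sigma = mean(ref), pstdev(ref)
        if sigma == 0:
            # Flat baseline: no change scores 0, any change scores +/- infinity.
            z = 0.0 if seq[i] == mu else math.copysign(math.inf, seq[i] - mu)
        else:
            z = (seq[i] - mu) / sigma
        if abs(z) > threshold:
            hits.append((i, z))
    return hits

def make_constructed_flows():
    """Constructed sample: 12 bins of ordinary traffic; bin 8 adds a one-to-many burst."""
    flows = []
    for b in range(12):
        for k in range(40):
            # Ordinary traffic: 8 sources, 4 or 5 destinations depending on the bin.
            flows.append({"bin": b, "src": f"10.0.0.{k % 8}", "dst": f"10.0.1.{k % (4 + b % 2)}"})
        if b == 8:
            # One source contacting 200 distinct destinations in a single bin.
            flows += [{"bin": b, "src": "10.0.0.99", "dst": f"10.0.2.{d}"} for d in range(200)]
    return flows

if __name__ == "__main__":
    flows = make_constructed_flows()
    for field in ("src", "dst"):
        print(field, zscore_outliers(entropy_sequence(flows, field), window=6))
```

In the constructed data the same bin is flagged in both sequences with opposite signs: destination entropy rises while source entropy falls, which is the kind of combined reading of entropy changes the abstract uses to identify an event.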