Attack Behavior Detection System Design Based On Network Traffic Analysis

Posted on: 2016-12-12
Degree: Master
Type: Thesis
Country: China
Candidate: C Cao
GTID: 2348330488974390
Subject: Engineering

Abstract/Summary:
With the rapid development of Internet technology, new online applications such as e-mail, online shopping, online chat and online games have become an important part of how people work and entertain themselves. These applications bring great convenience, but because they require users to upload private information such as bank card numbers and ID card numbers, they also bring serious security risks. Criminals often exploit vulnerabilities in protocols and operating systems for illegal financial gain, so network security has become a problem that affects people's daily lives. Within network security, attack detection based on traffic anomalies is an active research area. Its advantages are that it is fast and that it can detect unknown attacks to some extent.

The main idea of traditional traffic anomaly detection is to exploit the differences between normal traffic behavior and attack traffic behavior. Its disadvantages are that it depends on a model of normal behavior and that the choice of anomaly threshold can affect the detection results. This paper proposes a traffic anomaly detection method based on self-similarity theory. The method follows three steps. First, the traffic sequence is segmented into sub-sequences. Second, an iterative method is used to calculate the Hurst index of each sub-sequence. Finally, the value of the Hurst index is used to determine whether the traffic is abnormal. The advantage of this method is that it does not need a model of normal behavior: it uses a basic characteristic of network traffic, its self-similarity, to determine whether the traffic is abnormal. The method is faster and more flexible than existing methods. We tested the method in a simulation environment. The false warning rate is 0.05% and the missing report rate is 0.05%, which shows that the method has a certain detection capability.

Based on the proposed method, this paper designs an attack behavior detection system based on network traffic analysis. The system uses the low-level network access tool Winpcap to implement the traffic statistics module, uses the self-similarity of network traffic to implement the detection module, and uses the Qt interface development framework to build the user interface. Finally, the paper tests the system's performance in a real traffic environment. The false warning rate is 5.7% and the missing report rate is 13.3%. Both rates are within acceptable limits, which shows that the system is usable for attack behavior detection.
Keywords/Search Tags: self-similarity theory, Hurst index, traffic anomaly detection, attack behavior detection system design
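The three steps in the abstract (segment, estimate the Hurst index per segment, decide from its value) can be sketched as follows. This is an added example, not code from the thesis: the abstract does not name its iterative estimator, so the aggregated-variance estimator stands in for it, and the window size, decision band and traffic counts are constructed assumptions.

```python
import math
import random
import statistics

def hurst_aggregated_variance(x, min_blocks=16):
    """Estimate H from the slope of log Var(block means) vs log block size m.
    For a self-similar series Var ~ m^(2H-2), so H = 1 + slope / 2."""
    pts = []
    m = 1
    while len(x) // m >= min_blocks:
        k = len(x) // m
        means = [sum(x[i * m:(i + 1) * m]) / m for i in range(k)]
        var = statistics.pvariance(means)
        if var > 0:                      # constant (e.g. idle) data has no slope
            pts.append((math.log(m), math.log(var)))
        m *= 2
    if len(pts) < 3:
        return None                      # too short or degenerate window
    mx = sum(p[0] for p in pts) / len(pts)
    my = sum(p[1] for p in pts) / len(pts)
    slope = (sum((px - mx) * (py - my) for px, py in pts)
             / sum((px - mx) ** 2 for px, _ in pts))
    return 1 + slope / 2

def scan(series, window=1024, band=(0.3, 0.75)):
    """Step 1: segment; step 2: H per segment; step 3: flag H outside band.
    The band is an assumed value for this constructed data, not the thesis's."""
    out = []
    for start in range(0, len(series) - window + 1, window):
        h = hurst_aggregated_variance(series[start:start + window])
        out.append((start, h, h is None or not band[0] <= h <= band[1]))
    return out

def constructed_traffic(seed=7, window=1024):
    """Constructed packets-per-interval counts: three uncorrelated-noise
    windows, then one window with a flood ramping up to +400 per interval."""
    rng = random.Random(seed)
    base = [100 + rng.gauss(0, 10) for _ in range(4 * window)]
    for t in range(window):
        base[3 * window + t] += 400 * t / window
    return base

if __name__ == "__main__":
    for start, h, flagged in scan(constructed_traffic()):
        print(start, None if h is None else round(h, 3), "ANOMALY" if flagged else "ok")
```

The constructed baseline is uncorrelated noise, so its H sits near 0.5; real traffic is self-similar with H between 0.5 and 1, so the band has to be calibrated on the monitored link before the flags mean anything.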