Analysis Of Network Application Flow Behavior And Research On Abnormal Detection Method

Many large enterprises and institutions have their own internal network,the network in addition to carrying the general network applications,but also carry the enterprise within the private network applications.To campus network,for example,the campus network includes the financial system,scientific research management system,human management system,elective system,collaborative office systems and other applications.The stable operation of the application of the internal network of enterprises and institutions is of vital importance to the normal conduct and development of their business.The existing network management tools mainly rely on Net Flow and SNMP protocol information to monitor and analyze the status of network nodes and links,and lack an effective way to monitor and detect the running status of specific network applications.Basing on the internal network application flow connection behavior analysis and statistical feature analysis based on the application of traffic behavior anomaly detection method,this thesis analysis and dectects irregular behavior of the internal network.The innovation and main work of this thesis are as follows:(1)The information entropy and the flow connection density are used to characterize the concentration of the internal network application flow connection,and the information entropy change is found at each time point by using the information entropy and the flow density of the internal network.And then the anomalous time window is obtained,and the secondary anomaly is determined according to the ratio of the density of the flow connection density at the time points in the abnormal time window and the average fluctuation of the flow density in the time window,and the abnormality time is found at the abnormal time point IP address,destination IP address,and IP address pair.(2)According to the historical data of the server application,the Hurst coefficient empirical model is established,and the dynamic threshold setting method of the abnormal detection of the abnormal interval of the historical data of the same time slice is proposed by using the network flow self-similarity model.That achieves the accurate detection of abnormal mutation caused by abnormal application of flow behavior and the purpose of preventing normal flow mutation detection caused by normal application flow behavior.(3)Making full use of the local amplification characteristics of wavelet analysis,in view of the characteristics of the client application traffic change is not obvious.Using the wavelet analysis method to decompose the signal into high frequency and low frequency,amplificates the application flow mutation,which can not only be sensitive to the discovery of application flow anomalies,but also the ability to accurately locate the time at which an anomaly occurs for an intranet application.