
Threat Situational Awareness System Based On Network Traffic Anomaly Detection

Posted on: 2017-12-19
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Cao
Full Text: PDF
GTID: 2348330512956363
Subject: Computer science and technology
Abstract/Summary:
With the rapid development of Internet technology, the network has become an essential part of people's production and daily life. Network structure is increasingly complex, network environments interpenetrate one another, and network attacks take many forms. Large-scale network security events have caused huge economic losses and serious social impact, and network security has arguably become one of the most important public issues in contemporary society. Although firewalls, intrusion detection tools and intrusion prevention equipment play important roles in network security, most security instruments have limitations. For example, it is difficult to monitor a high-speed network environment accurately in real time. Meanwhile, security experts struggle to make decisions when faced with the complex detection results produced by these security products.

This paper presents a threat situational awareness system based on network traffic anomaly detection. The system tries to resolve the inherent conflict between real-time detection capability and detection accuracy, and gives administrators a way to respond quickly to complicated detection results. It describes the current network threat situation by combining multi-granularity anomaly detection analysis with real-time network data, building a practical view of network threats; with it, security experts can respond to emergencies quickly in order to alleviate or avoid the effects of network anomalies. Multi-granularity anomaly detection first applies coarse-grained, packet-based anomaly detection to identify the time slices that contain abnormal network traffic. Fine-grained, flow-based anomaly detection then reassembles the abnormal time slices into flows and extracts flow features, from which an anomaly detection algorithm determines the anomaly type. The system was tested on the KDD99 data set and on real-time network traffic data, and the paper finds that it has good real-time performance and accuracy.

The main contributions of this paper are the following six points:
1. A method combining coarse-grained and fine-grained detection is proposed to address the inherent conflict between real-time detection and detection accuracy. The method increases both the real-time capability and the accuracy of network flow anomaly detection and, more importantly, improves the efficiency and accuracy of threat situational awareness.
2. The system is developed using the B/S model and the MVC framework. This gives it a clear logical structure and reduces coupling to the lowest level, so the system has strong extensibility and usability.
3. A flow reassembly algorithm based on a Hash Map and queue structure is designed and implemented. It reassembles flows efficiently and provides the basis for subsequent flow feature extraction.
4. A feature selection algorithm combining filter and wrapper methods is designed and implemented. This hybrid algorithm markedly increases detection accuracy and the efficiency of the classification computation.
5. Several anomaly detection algorithms are combined in experiments, and their behaviour in different network environments is studied in depth. The C4.5 and Random Forest algorithms are optimized to increase efficiency without reducing accuracy.
6. The interface is designed with different user needs in mind: it provides intuitive visual icons for general users and real-time logs that network administrators can analyze in depth.

The paper finds empirically that the threat situational awareness system has good efficiency and accuracy and can adapt to large-scale threat situational awareness in the current network environment. It also has a good interactive interface and low resource utilization. Network administrators can use it to monitor the network and respond swiftly, reducing the losses caused by viruses and malicious attacks. The paper argues that the system has good market prospects now that network security has become a high-profile issue.
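As an added illustration of the two-stage pipeline the abstract describes (this is not code from the thesis), the following Python sketch flags abnormal one-second time slices from per-slice packet counts, then reassembles only the flagged slices into 5-tuple flows with a hash map of queues and extracts per-flow features for a downstream classifier. The traffic, the median/MAD threshold rule and the feature set are my own constructed assumptions; the thesis does not specify them.

```python
from collections import defaultdict, deque
from statistics import median

# Constructed traffic (not from the thesis): six quiet one-second slices of five
# packets each, then one slice carrying a burst from one host to many ports.
PACKETS = []                                   # (time_s, src, dst, sport, dport, proto, length)
for s in range(6):
    for i in range(5):
        PACKETS.append((s + i * 0.2, "10.0.0.%d" % (i + 1), "10.0.0.50", 40000 + i, 443, "tcp", 120))
for i in range(40):
    PACKETS.append((6.0 + i * 0.02, "10.0.0.99", "10.0.0.50", 51000 + i, 1 + i, "tcp", 60))

def slice_packets(packets, width=1.0):
    """Coarse granularity: bucket packets into fixed-width time slices."""
    slices = defaultdict(list)
    for p in packets:
        slices[int(p[0] // width)].append(p)
    return slices

def anomalous_slices(slices, k=3.0):
    """Flag a slice whose packet count exceeds the median by more than k MADs (assumed rule)."""
    counts = {i: len(v) for i, v in slices.items()}
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1.0
    return sorted(i for i, c in counts.items() if c - med > k * mad)

def reassemble_flows(packets):
    """Fine granularity: hash map keyed by 5-tuple, each value a queue of packets in arrival order."""
    flows = defaultdict(deque)
    for p in packets:
        flows[p[1:6]].append(p)
    return flows

def flow_features(flows):
    """Per-flow features: packets, bytes, duration, distinct dst ports touched by the flow's source."""
    ports_per_src = defaultdict(set)
    for src, _dst, _sport, dport, _proto in flows:
        ports_per_src[src].add(dport)
    return {key: {"packets": len(q), "bytes": sum(p[6] for p in q),
                  "duration": q[-1][0] - q[0][0], "src_dst_ports": len(ports_per_src[key[0]])}
            for key, q in flows.items()}

def analyse(packets):
    """Two-stage pipeline: only slices flagged at coarse granularity pay for flow reassembly."""
    slices = slice_packets(packets)
    return {i: flow_features(reassemble_flows(slices[i])) for i in anomalous_slices(slices)}

if __name__ == "__main__":
    for idx, feats in analyse(PACKETS).items():
        print("slice", idx, len(feats), "flows, max dst ports", max(f["src_dst_ports"] for f in feats.values()))
```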
Keywords/Search Tags: Threat situational awareness, Network traffic, Multigranularity, Anomaly detection