Research On Intrusion Detection Based On Network Traffic And IP Traceback Scheme

As the "Internet +" time arrival, the connection between the Internet and our life became more and more closely. The development of science and technology brings us convenience, but also brings more hidden danger to our information security. In recent years, a variety of network security incidents occurs frequently, especially the large-scale incidents such as DDOS (Distributed Denial of Service), which affect the legitimate users using the Internet, and also making the enormous economic losses. In response to network intrusion, detection and real-time tracking are the two main parts. However, the major drawback of existing method is that detection rate and misjudgment rate are difficult to balance. Except that,the existing tracking technology has a huge cost and poor robustness.Aiming at these problems, the main improvements of this thesis are described as follow:(1) Based on the single argument self-similar traffic model, a binary self-similar traffic model is proposed, which is based on packet and bytes time series statistics, and uses the branch - and - bound process to optimize the model parameters. Through a series of comparative experiments,it is verified that the proposed model is better than the single argument self-similar traffic model.(2) Combining the binary self-similar traffic model with the deep learning model, the thesis proposed a hybrid intrusion detection method.The proposed method consists of two major steps: the traffic anomaly determination and the abnormal flow classification. Due to the strong learning ability of deep learning model, the proposed method could achieve a better performance than the existing method. The experimental results show that the accuracy is up to 93%.(3) In order to make an effective response after detecting intrusion in time,this thesis presents a novel IP traceback scheme based on ant colony algorithm. This scheme achieves a good tracking effect in the limited amount of package and time, and can deal with the situation of spoofed IP without the full cooperation of the Internet service provider and the excessive resource consumption.