
The Study And Design Of Network Defense Model Based On Honeypot

Posted on: 2019-05-20
Degree: Master
Type: Thesis
Country: China
Candidate: X Wang
GTID: 2348330542998710
Subject: Information security

Abstract/Summary:
With the rapid development of network technology and the wide use of the Internet, new methods of attack continue to emerge, and network security problems occur frequently. As an active defense technology, the honeypot has been widely used in the field of network security. In addition to trapping an attacker, a honeypot can record the information and behavior of an attack in detail, which helps analyze the intruder's behavior and improve defenses. Because the data captured by a honeypot is both voluminous and noisy, data mining algorithms can be used to mine hidden relationships in it. The traditional K-means algorithm is sensitive to noisy data and has low stability. When it is used to analyze data captured by a honeypot, it easily produces a locally optimal solution, which leads to inaccurate analysis results. This paper therefore proposes a honeypot-based network defense model, and designs and implements it. The specific work is as follows:

1. This paper proposes the GDK-means algorithm, based on the characteristics of the data captured by a honeypot and the deficiencies of the K-means algorithm. The algorithm uses the advantages of grid partitioning (meshing) and the DBSCAN algorithm to filter noise points and reduce noisy data. At the same time, it determines the K value and the initial cluster centers for K-means, addressing the tendency of traditional K-means, in practical use, to reach a locally optimal clustering result because of its own instability.

2. Using the GDK-means algorithm, a honeypot-based network defense model is designed. The model includes four parts: data control, data capture, data analysis and rule extraction. Data analysis is the focus of the model. This module uses the improved K-means algorithm to cluster the data captured by the honeypot into normal clusters and abnormal clusters, and then uses the association rule algorithm Apriori to extract strong rules for abnormal behavior. Finally, the generated strong rules are converted into Snort rules according to the Snort rule format.

3. The functions of the model's four main modules (data control, data capture, data analysis and rule extraction) were implemented. A honeypot-based network defense model was set up, and its functions were tested and analyzed. Experimental results show that each module achieved the desired results. The model can therefore detect unknown attacks and reduce the false alarm rate and false negative rate to some extent.

In summary, the network defense model designed in this paper can detect unknown attacks in the network and implement active defense.
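The noise filtering and seeding idea in item 1, sketched as an added example; it is not the thesis's GDK-means implementation, whose details the abstract does not give. Assumptions made here: two numeric features per session, the cell size, the density threshold, 8-connected merging of dense cells, and all function names.

```python
from collections import defaultdict, deque
from math import dist

def mean(pts):
    return tuple(sum(v) / len(pts) for v in zip(*pts))

def grid_density_seed(points, cell=2.0, min_pts=3):
    """Filter noise with a density grid; return (clean, noise, initial_centers)."""
    cells = defaultdict(list)
    for p in points:
        cells[(int(p[0] // cell), int(p[1] // cell))].append(p)
    dense = {c for c, pts in cells.items() if len(pts) >= min_pts}
    noise = [p for c, pts in cells.items() if c not in dense for p in pts]
    seen, regions = set(), []
    for start in sorted(dense):          # merge 8-connected dense cells (DBSCAN-like)
        if start in seen:
            continue
        seen.add(start)
        queue, members = deque([start]), []
        while queue:
            cx, cy = queue.popleft()
            members.extend(cells[(cx, cy)])
            for n in ((cx + dx, cy + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1)):
                if n in dense and n not in seen:
                    seen.add(n)
                    queue.append(n)
        regions.append(members)
    clean = [p for r in regions for p in r]
    return clean, noise, [mean(r) for r in regions]   # K = number of dense regions

def kmeans(points, centers, iters=20):
    groups = []
    for _ in range(iters):               # plain Lloyd iterations from the given seeds
        groups = [[] for _ in centers]
        for p in points:
            groups[min(range(len(centers)), key=lambda i: dist(p, centers[i]))].append(p)
        new = [mean(g) if g else c for g, c in zip(groups, centers)]
        if new == centers:
            break
        centers = new
    return centers, groups

# Constructed sample: (connections per minute, distinct ports) per honeypot session.
SAMPLE = [(1.0, 1.2), (1.3, 1.1), (1.6, 1.7), (1.2, 1.8),
          (8.1, 8.2), (8.5, 8.4), (8.7, 8.9), (9.1, 8.3), (9.4, 8.6),
          (4.5, 15.0), (15.2, 0.4)]               # last two are isolated outliers

if __name__ == "__main__":
    clean, noise, seeds = grid_density_seed(SAMPLE)
    print("noise:", noise, "centers:", kmeans(clean, seeds)[0])
```

Because K and the starting centers come from the dense regions rather than random draws, repeated runs on the same data give the same clusters, and the two outliers never pull a centroid.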
Keywords/Search Tags: network security, intrusion detection, honeypot, data mining