Research And Implementation Of Key Technology Of Abnormal Detection In Honeypot

Posted on: 2019-07-02
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wei
GTID: 2348330563453973
Subject: Computer application technology

Abstract/Summary:
With the continuous development of the Internet, attacks on the network are becoming more and more frequent, and the importance of network security is becoming more and more prominent. The honeypot is widely used as an active defense in network security. The essence of a honeypot is to simulate vulnerable services in order to attract attackers, so as to capture the attackers' data, analyze their behavior, and understand their intentions and motivation. Operators of production systems can then learn in a timely manner about the security threats they face and safeguard those systems through technical means. Therefore, it is extremely important to conduct anomaly analysis on honeypot data.

To accurately detect and analyze the data in the honeypot, we first need to preprocess the raw data, then select the features that clearly distinguish normal from abnormal data, and then choose an appropriate anomaly detection method for training the anomaly detection model. In response to these problems, the main work and innovations of this thesis are as follows:

(1) A feature selection algorithm that addresses the data imbalance in honeypots is proposed. Most traditional feature selection methods do not consider the imbalance between positive and negative samples, so they cannot select good features for honeypot data. This thesis puts forward a method based on maximizing AUC and minimizing redundancy. The AUC evaluation index is suitably modified so that it can be used to judge the correlation between features and categories. The minimum redundancy principle is then used to judge the redundancy between features. Experiments show that the proposed algorithm effectively reduces the feature dimension, makes the prediction results of the anomaly detection model more reliable, and improves the training speed of the anomaly detection model.

(2) An anomaly detection algorithm based on a cost-sensitive boosting tree is proposed. The method is designed around the imbalance of data samples in honeypots. Building on the AdaBoost algorithm, it considers the different costs of classification errors, introduces a cost function, and uses a decision tree as the base classifier. Experiments show that the algorithm is suitable for the traffic data in the honeypot and improves the accuracy of anomaly detection on honeypot data.

(3) Finally, taking the traffic data in the low-interaction honeypot Nepenthes as an example, a honeypot-based anomaly detection subsystem is designed and implemented. Feature selection is performed using the algorithm based on the maximum AUC and minimum redundancy principles, and the detection model is trained using the anomaly detection method based on the cost-sensitive boosting tree. The subsystem achieves higher accuracy and can adapt to the anomaly detection model.
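
The feature selection idea in contribution (1), sketched as an added example that is not code from the thesis: each feature is scored by an AUC-based relevance minus its mean redundancy with the features already chosen. The folded AUC, the absolute Pearson correlation as the redundancy measure, the greedy search, and the feature names and sample data are all assumptions made for illustration, since the abstract does not give the thesis's exact definitions.

```python
import random

def auc(values, labels):
    """AUC by rank sum (Mann-Whitney U); tied values share an average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    pos = [r for r, y in zip(ranks, labels) if y == 1]
    n_pos, n_neg = len(pos), len(labels) - len(pos)
    return (sum(pos) - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)

def relevance(col, labels):
    # Assumption: fold AUC around 0.5 so inversely related features score too.
    return 2 * abs(auc(col, labels) - 0.5)

def abs_corr(a, b):
    """Absolute Pearson correlation, used here as the redundancy measure."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return abs(cov) / (va * vb) ** 0.5 if va and vb else 0.0

def select_features(columns, labels, k):
    """Greedily add the feature with the best relevance minus mean redundancy."""
    rel = {name: relevance(col, labels) for name, col in columns.items()}
    chosen = []
    while len(chosen) < min(k, len(columns)):
        def score(name):
            red = [abs_corr(columns[name], columns[c]) for c in chosen]
            return rel[name] - (sum(red) / len(red) if red else 0.0)
        chosen.append(max((n for n in columns if n not in chosen), key=score))
    return chosen

def make_sample(n=600, anomaly_rate=0.05, seed=7):
    """Constructed flows, about 5% anomalous; feature names are hypothetical."""
    rng = random.Random(seed)
    labels = [1 if rng.random() < anomaly_rate else 0 for _ in range(n)]
    pkts = [rng.gauss(60 if y else 10, 5) for y in labels]
    return {
        "pkt_count": pkts,
        "byte_count": [p * 60 + rng.gauss(0, 5) for p in pkts],  # near duplicate
        "distinct_ports": [rng.gauss(6 if y else 3, 1.5) for y in labels],
        "noise": [rng.random() for _ in labels],
    }, labels
```

Selecting two features from the constructed sample keeps `pkt_count` and `distinct_ports`: `byte_count` separates the classes just as well as `pkt_count`, but the redundancy term rejects it as a near duplicate.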
Keywords/Search Tags: Honeypot, sample imbalance, feature selection, anomaly detection