Research On Detection Method Of Network Abnormal Behavior Based On Traffic

Posted on: 2020-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: S B Xue
GTID: 2428330575461923
Subject: Computer Science and Technology
Abstract/Summary:
Network traffic anomaly detection is a key part of an intrusion detection system and is very important for maintaining the security and stability of the network. In today's large and complex network environments, there is an urgent need for a simple and efficient anomaly detection method. Detection based on information entropy is sensitive to the distribution of feature values and has the advantage of being simple to compute, which has made it a research hotspot in the field of anomaly detection. However, many existing methods treat each traffic feature separately during anomaly detection and ignore the related information between features, so the detection results are less than ideal and there is still much room for improvement. After analyzing and researching the existing network traffic anomaly detection methods, it is found that mining traffic information in depth is the basis for improving the detection success rate. Firstly, this thesis studies the port scanning attack and proposes a joint feature entropy detection method. By analyzing the behavior characteristics of horizontal scanning and vertical scanning, the relationship between features is found, joint features are constructed, and information entropy is used to judge the distribution of the related features, which achieves accurate detection. Secondly, in order to apply joint feature information entropy to anomaly detection as a whole, an association rule mining algorithm is proposed to automate the extraction of associated features. Through the mining of frequent item sets and scattered item sets, joint features are constructed that accurately identify many of the anomalies that occur in traffic. Finally, a network anomaly behavior detection system is designed around the joint feature information entropy detection method. The algorithm is tested on the CIDDS dataset. The results show that the overall detection rate is over 99%, the false alarm rate is controlled below 1%, and the system execution speed can reach the level of seconds, which basically meets the requirements of real-time detection. Fitting anomalous behavior through associated features makes it possible to refine the traffic content and takes anomaly detection to a deeper level. The joint feature information entropy detection method can be run in a distributed system after classification and preprocessing, which helps improve detection speed. Through analysis and verification, the proposed algorithm is shown to be feasible and effective.
Keywords/Search Tags:Network traffic, anomaly detection, information entropy, association analysis, joint feature
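
The joint feature entropy idea for horizontal and vertical scans can be sketched as follows. This is an added example, not code from the thesis. Its construction of joint features (grouping flows by source and destination port, and by source and destination host), the 3-bit threshold, and the sample flows are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def detect_scans(flows, threshold_bits=3.0):
    """flows: iterable of (src_ip, dst_ip, dst_port) seen in one time window.
    Returns {(kind, src_ip, fixed_value): entropy} for flagged joint features.
    threshold_bits is an assumed value, not one taken from the thesis."""
    by_src_port = defaultdict(list)  # (src, dst_port) -> destination hosts
    by_src_host = defaultdict(list)  # (src, dst_ip)   -> destination ports
    for src, dst, port in flows:
        by_src_port[(src, port)].append(dst)
        by_src_host[(src, dst)].append(port)
    alerts = {}
    # Horizontal scan: one source, one port, destinations spread over many hosts.
    for (src, port), dsts in by_src_port.items():
        h = shannon_entropy(dsts)
        if h >= threshold_bits:
            alerts[("horizontal", src, port)] = h
    # Vertical scan: one source, one host, destinations spread over many ports.
    for (src, dst), ports in by_src_host.items():
        h = shannon_entropy(ports)
        if h >= threshold_bits:
            alerts[("vertical", src, dst)] = h
    return alerts

def sample_window():
    """Constructed flows: ordinary web traffic plus one scan of each kind."""
    flows = [(f"10.0.0.{5 + i % 3}", f"192.168.1.{10 + i % 3}",
              443 if i % 2 else 80) for i in range(30)]
    flows += [("10.0.0.66", f"192.168.1.{h}", 22) for h in range(100, 132)]
    flows += [("10.0.0.77", "192.168.1.10", p) for p in range(1, 33)]
    return flows

if __name__ == "__main__":
    for key, h in sorted(detect_scans(sample_window()).items()):
        print(key, f"{h:.2f} bits")
```

Conditioning one feature on the others keeps each scan's spread from being diluted by the rest of the window's traffic, which is the relationship between features that single-feature entropy does not capture.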