Research On Key Technologies Of Multi-link Honey Network System

Posted on: 2020-07-15
Degree: Master
Type: Thesis
Country: China
Candidate: H H Wang
GTID: 2428330575461971
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid popularization of the Internet, many researchers have devoted themselves to Internet-related work and brought more applications into people's lives, but this development has also caused many network security problems. To improve the situation, a variety of security defenses have been adopted, such as firewalls, access control, encrypted transmission and intrusion detection systems. However, most of these traditional defense methods are passive and lack initiative, which makes it difficult for them to detect new intrusion methods and tools. The emergence of honeynet technology is expected to improve this problem. It can monitor and record the behavior of an attacker on the honeypot, so as to obtain information about the attacker's tools, methods and motivation. This thesis is mainly about the key technologies of a multi-link honeynet system.

Firstly, aiming at the distributed deployment of abnormal traffic capture nodes and at multiple types of attacks, this thesis studies methods of abnormal traffic aggregation and proposes a multi-node abnormal traffic aggregation technology based on data characteristics. Through in-depth analysis of various types of attack traffic (for example port scanning, SQL injection, XSS attacks, information disclosure and DDoS) and feature extraction from the traffic along multiple dimensions, such as IP address, port, application-layer content and real-time flow, an abnormal traffic hijacking model based on multidimensional feature detection is constructed, together with its load balancing mechanism. Experiments show that this method has a higher detection rate and a lower false alarm rate.

Secondly, aiming at the complex and changeable nature of the attacker's behavior after the intrusion, this thesis studies methods of data analysis and proposes a network penetration identification technology based on interactive behavior analysis. Sebek is first used to capture the attacker's keystroke records; the features of the records are then analyzed and the relationships between them are mined; after that, the keystroke sequence is modeled according to time. Finally, an attack recognition method based on Recurrent Neural Networks is proposed, and the penetration attack recognition model is constructed with Long Short-Term Memory, which is specially designed to solve the gradient disappearance, gradient explosion and long-term memory deficit problems of common Recurrent Neural Networks. Experiments show that the model is accurate in recognizing network penetration.
Keywords/Search Tags:honeynet system, flow hijacking, anomaly detection, attack recognition, recurrent neural network, LSTM