Research And Application Of Network Anomaly Detection

Posted on: 2020-11-27 | Degree: Master | Type: Thesis
Country: China | Candidate: G Zhang
GTID: 2428330575956457 | Subject: Information and Communication Engineering
Abstract/Summary:
As IT architectures grow more complex and new applications keep emerging, the boundaries between networks and applications are becoming increasingly blurred. This makes it difficult for traditional security devices, which are built around single boundaries and control points, to grasp the security status of the entire network. On the one hand, the characteristics of cyber attacks, such as universality, concealment, persistence, complexity, and diversity, make it difficult for traditional network attack detection techniques to cope effectively. On the other hand, with the development of technologies such as mobile Internet and cloud computing, there is more and more threat intelligence information in the network. Therefore, efficiently and intelligently integrating and processing large amounts of external and internal unstructured data, together with effective association, retrieval and intelligence tracking of multi-source data, is the key to the development of network security.

In recent years, with the continuous development of network anomaly detection technology, the emergence of software-defined security architecture, and the development of big data technology, the problems caused by the above security challenges have gradually been alleviated. This paper selects botnets and web attacks, which are the most common and most ubiquitous network threats, and studies botnet C&C server detection and HTTP anomaly detection. At the same time, the anomaly detection algorithms are encapsulated as an anomaly detection module and integrated with a security data platform under a software-defined security architecture, so that data-driven security business orchestration can be realized. The specific research contents of this paper are as follows:

1. Using the multi-source heterogeneous data that widely exists in the network, and drawing on new ideas in the security field such as security threat intelligence and user and entity behavior analysis (UEBA), network anomaly detection is studied on the basis of statistical analysis, machine learning, and deep learning. The research includes:
(1) C&C server detection based on sampled Netflow from a metro network
(2) Anomaly detection based on HTTP portraits, following the UEBA idea
(3) HTTP anomaly detection based on a Long Short Term Memory (LSTM) neural network

2. This paper designs a scheme to integrate the network anomaly detection module with the security data platform. The scheme realizes real-time online anomaly detection of network data, automatically selects a protection strategy based on the anomaly detection result, and delivers it under the software-defined security architecture, in order to achieve data-driven security service orchestration and improve security protection efficiency.
Keywords/Search Tags:network anomaly detection, C&C server detection, HTTP anomaly detection, software defined security, data-driven business orchestration