Network Security Situation Analysis System Based On Flow Analysis

Posted on: 2020-10-21
Degree: Master
Type: Thesis
Country: China
Candidate: G Y Li
GTID: 2428330596476790
Subject: Engineering

Abstract/Summary:
According to the "China Internet Development Report", the network equipment that was attacked in 2018 involved all aspects. The "DDoS Attack Situation Report" points out that DDoS attacks are numerous, occur especially frequently, and carry huge attack traffic, which causes great social impact. Network security situational awareness has emerged in response to these threats. By analyzing the network operating environment, it senses the macroscopic situation of network security and provides a basis for network administrators to maintain network security. When a DDoS attack or network scan occurs, abnormal network flows are generated. Network flows contain comprehensive network information, so analyzing them can accurately discover security threats in the network in real time and facilitate timely defensive measures. In this paper, network flow is taken as the object of analysis and, combined with existing network security situational awareness theory, a network security situation analysis system is designed to conduct a comprehensive situation analysis. It includes a network flow data acquisition and storage module, a data analysis module, a situation assessment module and a situation display module. The main work of this paper is as follows:

(1) A three-dimensional situation indicator model is proposed. To analyze the network security situation comprehensively, the factors influencing the situation are analyzed and, following the principles for building network security situation indicators, a three-dimensional index model for network security situation analysis is proposed. It includes basic statistical information indicators, information entropy indicators and attack information indicators, which are used to describe the network operating situation, the unknown attack situation and known attacks.

(2) An unknown attack detection method based on information entropy is proposed. Based on the principle that certain IPs, ports and protocols in the network flow change when certain attacks occur, unknown attacks are detected by analyzing the trend of the information entropy of traffic characteristics.

(3) An IDS model based on CNN is designed. For several known attacks, the IDS model was built using a CNN, and the validity of the model was verified using the KDD CUP 1999 data set; it achieved good results in identifying some attacks.

(4) A macro network security situation assessment method is proposed. The information entropy indicators and attack information indicators are combined to construct the network security situation assessment vector. An RBF neural network is used to classify the evaluation indicators and the situation levels, and the macro network security situation assessment level is obtained.

(5) A network security situation analysis system is designed and implemented. Following the network security situation analysis method above, a pypcap-based traffic collection module, a data storage module, a three-dimensional situation index analysis module, a macro situation assessment module and a network security situation visualization module are designed and implemented, achieving the goal of sensing the network security posture based on network flow analysis.
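The entropy-trend idea in item (2), as an added example rather than the thesis's own code: it computes the Shannon entropy of source IP, destination IP and destination port per time window and flags windows that depart from a trailing baseline. The choice of fields, the flow records (constructed, using documentation address ranges) and the `history`, `k` and `min_std` values are assumptions, since the abstract does not give them.

```python
import math
from collections import Counter
from statistics import mean, pstdev

FEATURES = ("src", "dst", "dport")  # flow fields tracked (assumed selection)

def entropy(values):
    """Shannon entropy in bits of a sequence of categorical values."""
    n = len(values)
    return sum(c / n * math.log2(n / c) for c in Counter(values).values())

def window_entropy(flows):
    """Map each tracked feature to its entropy over one time window."""
    return {f: entropy([fl[f] for fl in flows]) for f in FEATURES}

def detect(windows, history=5, k=3.0, min_std=0.1):
    """Return {window_index: {feature: "rise" or "drop"}} for windows whose
    entropy departs from the trailing baseline by more than k deviations.
    Flagged windows stay out of the baseline so an attack cannot become the
    new normal. history, k and min_std are assumed tuning values."""
    baseline, alerts = [], {}
    for i, flows in enumerate(windows):
        h = window_entropy(flows)
        if len(baseline) >= history:
            hits = {}
            for f in FEATURES:
                past = [b[f] for b in baseline[-history:]]
                mu, sd = mean(past), max(pstdev(past), min_std)
                if abs(h[f] - mu) > k * sd:
                    hits[f] = "rise" if h[f] > mu else "drop"
            if hits:
                alerts[i] = hits
                continue
        baseline.append(h)
    return alerts

def flow(src, dst, dport):
    return {"src": src, "dst": dst, "dport": dport}

def normal(i):  # constructed benign window: 25 clients, 4 servers, 3 services
    return [flow(f"10.0.0.{(7 * j + i) % 25}", f"192.0.2.{j % 4}", (80, 443, 53)[j % 3])
            for j in range(40 + i % 3)]

# Constructed sample traffic: windows 0-7 benign, 8 flood-like, 9 benign, 10 scan-like.
flood = [flow(f"198.51.100.{j}", "192.0.2.1", 80) for j in range(200)]
scan = [flow("203.0.113.9", "192.0.2.2", 1000 + j) for j in range(200)]
WINDOWS = [normal(i) for i in range(8)] + [flood, normal(9), scan]

if __name__ == "__main__":
    for idx, hits in detect(WINDOWS).items():
        print(idx, hits)
```

The direction of each change is what separates the two constructed anomalies: many sources converging on one service raise source entropy and collapse destination entropy, while one source sweeping many ports does the reverse on source and port.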
Keywords/Search Tags: network security, network attack, network flow analysis, network security situational awareness