
Research Of Campus Network Intrusion Detection And Defense Based On Clustering

Posted on: 2021-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: M X Zheng
Full Text: PDF
GTID: 2428330614467679
Subject: Engineering
Abstract/Summary:
With the rapid development of information technology, the network environment is becoming increasingly complex, and traditional network security technology can no longer guarantee the security of the network. To cope with today's large-scale, complex and covert network attacks, it is of great theoretical and practical significance to study efficient intrusion detection and defense techniques and to build a secure detection and defense system. With the deep integration of information technology and education, university informatization has matured and the interaction between students and the school's environment and resources has been optimized. At the same time, students place higher demands on the sustainability of the campus network.

This thesis studies intrusion detection and defense for a campus network based on clustering algorithms, with the aim of detecting attacks in unlabeled campus network traffic and defending against attack traffic in the campus network.

First, a campus network traffic collection system and a web application attack collection system are built to collect and analyze data on the main web site of a university, and traffic collection and attack simulation are carried out for web application attacks. To identify and analyze user behavior accurately, feature extraction, clustering and cluster analysis are performed on the campus network traffic according to the partitioning rule of a single abnormal user, and the composition of the campus network traffic is preliminarily determined through cluster analysis. The web application attack simulation gives a further understanding of the attack patterns and attack characteristics, which lays the foundation for the subsequent intrusion detection experiments.

Secondly, to detect attack behavior effectively in unlabeled campus network traffic, a genetic algorithm and a clustering algorithm are combined to build a campus network intrusion detection model. Because the detection rate on an unlabeled dataset is difficult to measure when a clustering algorithm is applied directly, labeled external attacks are added to the dataset so that normal clusters and abnormal clusters can be distinguished after clustering. The model extracts traffic features from the campus network traffic and from the external attacks, and an optimal weight selection method based on a genetic algorithm is proposed to obtain the optimal weight of each feature. Cluster analysis is then carried out on the dataset, and the detection rate is calculated as the share of campus network attack traffic that falls into abnormal clusters. The results show that the model reaches a detection rate of 99.09% on the campus network dataset, that is, it detects attack behavior in unlabeled data well. The model was also verified on the CSIC 2010 dataset, where the detection rate is 99.25%, 2.69% higher than that reported in the related literature.

Thirdly, an alarm mining model based on association analysis and a clustering algorithm is proposed to classify, filter and prioritize alarms. Alarms are split into path items and behavior items and then clustered according to the string similarity between their behavior items. The optimal number of clusters is determined by the detection rate of false alarms in the false-alarm cluster, and classification and filtering are carried out with that number of clusters. The filtered alarms are then ranked by cluster size and average cluster frequency, so that high-threat alarms can be handled more promptly and effectively. The model is tested on the CSIC alarm set and on the campus network alarm set, where the false-alarm detection rates are 99.13% and 97.63% respectively; this filters out most false alarms while limiting the loss of true alarms. In addition, the ranking step of the model can measure alarm frequency on a dataset without timestamps, which gives it better applicability than the related literature.
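As an added illustration of the second step (example code, not the thesis' own implementation), the following Python script clusters a small constructed set of campus flows together with two labelled external attack samples, marks every cluster that receives a labelled attack as abnormal, and scores the detection rate as the share of malicious campus flows that land in abnormal clusters. The campus labels are used only for scoring, never for clustering. The feature vectors, the choice of k = 2, the minimal deterministic k-means and the two weight vectors are assumptions; the hand-set weights stand in for the weights the thesis selects with its genetic algorithm, and comparing them shows what that search has to optimise.

```python
"""Label clusters of unlabelled traffic by injecting labelled external attacks.

Added example, not code from the thesis.  Campus flows carry a ground-truth
label that is used ONLY to score the result; the clustering never sees it.
"""

# Constructed feature vectors (assumed features): request length / 1000,
# share of non-alphanumeric bytes, number of parameters / 10.
CAMPUS_FLOWS = [
    ((0.10, 0.02, 0.1), "normal"),
    ((0.12, 0.03, 0.2), "normal"),
    ((0.08, 0.01, 0.1), "normal"),
    ((0.15, 0.04, 0.2), "normal"),
    ((0.11, 0.02, 0.3), "normal"),
    ((0.09, 0.03, 0.1), "normal"),
    ((0.60, 0.35, 0.4), "attack"),   # injection-like: long and symbol-heavy
    ((0.55, 0.30, 0.5), "attack"),
    ((0.20, 0.10, 0.9), "attack"),   # parameter flooding: only feature 3 stands out
]
# Labelled attacks taken from an external corpus (constructed values).
EXTERNAL_ATTACKS = [(0.65, 0.40, 0.4), (0.58, 0.33, 0.6)]


def wdist(a, b, w):
    """Weighted squared Euclidean distance; w is what the thesis' GA tunes."""
    return sum(wi * (ai - bi) ** 2 for ai, bi, wi in zip(a, b, w))


def kmeans(points, k, w, max_iter=100):
    """Minimal deterministic k-means: farthest-point initialisation from
    points[0], then assign/update until the assignment stops changing."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(wdist(p, c, w) for c in centroids)))
    assign = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: wdist(p, centroids[j], w)) for p in points]
        if new == assign:
            break
        assign = new
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return assign


def detect(campus, external, k, w):
    """Cluster campus + external flows together.  Every cluster that holds a
    labelled external attack is abnormal.  Returns (detection rate on the
    campus attacks, set of abnormal cluster ids)."""
    points = [f for f, _ in campus] + list(external)
    assign = kmeans(points, k, w)
    abnormal = {assign[i] for i in range(len(campus), len(points))}
    attacks = [i for i, (_, lab) in enumerate(campus) if lab == "attack"]
    caught = sum(1 for i in attacks if assign[i] in abnormal)
    return caught / len(attacks), abnormal


if __name__ == "__main__":
    # Down-weighting the parameter-count feature hides the flooding attack;
    # up-weighting it pulls that flow into the abnormal cluster.
    for w in [(1.0, 1.0, 0.1), (1.0, 1.0, 2.0)]:
        rate, abn = detect(CAMPUS_FLOWS, EXTERNAL_ATTACKS, 2, w)
        print(f"weights={w}: detection rate {rate:.2%}, abnormal clusters {sorted(abn)}")
```

With the first weight vector the parameter-flooding flow is absorbed into the normal cluster and the detection rate is 2/3; with the second it joins the cluster that holds the external attacks and all three campus attacks are caught. That sensitivity is exactly why the thesis searches the weight space rather than fixing it by hand.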
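As an added, runnable sketch of the third step (example code, not the thesis' implementation), the following Python script splits constructed WAF-style alarms into a path item and a behavior item, clusters them by average-link agglomerative clustering on the token Jaccard similarity of the behavior items (an assumed measure; the thesis says only "string similarity"), picks the number of clusters on a labelled alarm set by the false-alarm detection rate of the false-alarm cluster minus the share of true alarms that cluster swallows (the penalty term is an assumption), filters the false-alarm cluster identified from a small set of alarms known to be false, and ranks the remaining clusters by size and average frequency. Because the alarms carry no timestamps, frequency is approximated as members per arrival position spanned, which is also an assumption.

```python
"""Alarm mining: split, cluster by behavior similarity, filter, rank.

Added example, not code from the thesis.  ALARMS is a constructed list in
arrival order with no timestamps; the label is ground truth for the labelled
evaluation set and would be absent on production alarms.
"""
import re
from itertools import combinations

ALARMS = [
    ("/search.php?q=<script>alert(1)</script>", "true"),
    ("/search.php?q=<script>alert(document.cookie)</script>", "true"),
    ("/login.php?user=admin' OR '1'='1", "true"),
    ("/login.php?user=admin' OR 1=1--", "true"),
    ("/search.php?q=select a course for spring", "false"),
    ("/search.php?q=select courses by department", "false"),
    ("/search.php?q=how to select a dorm room", "false"),
    ("/search.php?q=select elective union college", "false"),
    ("/upload.php?file=../../etc/passwd", "true"),
    ("/upload.php?file=../../../etc/shadow", "true"),
    ("/search.php?q=<img src=x onerror=alert(1)>", "true"),
    ("/search.php?q=select tutorial union and intersection", "false"),
]


def split_alarm(request):
    """Path item = URL path; behavior item = query string carrying the payload."""
    path, _, behavior = request.partition("?")
    return path, behavior


def similarity(a, b):
    """Jaccard similarity of lower-cased alphanumeric tokens (assumed measure)."""
    ta = set(re.findall(r"[a-z0-9]+", a.lower()))
    tb = set(re.findall(r"[a-z0-9]+", b.lower()))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def cluster(behaviors, k):
    """Average-link agglomerative clustering stopped at k clusters.
    Returns clusters as sorted lists of alarm indices (arrival positions)."""
    sim = [[similarity(a, b) for b in behaviors] for a in behaviors]
    clusters = [[i] for i in range(len(behaviors))]
    while len(clusters) > k:
        best, pair = -1.0, None
        for x, y in combinations(range(len(clusters)), 2):
            links = [sim[i][j] for i in clusters[x] for j in clusters[y]]
            avg = sum(links) / len(links)
            if avg > best:          # strict: earlier pair wins ties, deterministic
                best, pair = avg, (x, y)
        merged = sorted(clusters[pair[0]] + clusters[pair[1]])
        clusters = [c for i, c in enumerate(clusters) if i not in pair] + [merged]
    return sorted(clusters)


def false_alarm_cluster(clusters, known_false):
    """The cluster that holds the most alarms already known to be false."""
    return max(clusters, key=lambda c: len(set(c) & known_false))


def choose_k(alarms):
    """On a labelled alarm set, pick k maximising the false-alarm detection
    rate of the false-alarm cluster minus the share of true alarms it swallows
    (the penalty keeps k = 1, which trivially catches every false alarm, out)."""
    behaviors = [split_alarm(r)[1] for r, _ in alarms]
    false_idx = {i for i, (_, lab) in enumerate(alarms) if lab == "false"}
    true_idx = set(range(len(alarms))) - false_idx
    best = None
    for k in range(1, len(alarms) + 1):
        fa = false_alarm_cluster(cluster(behaviors, k), false_idx)
        fa_rate = len(set(fa) & false_idx) / len(false_idx)
        loss = len(set(fa) & true_idx) / len(true_idx)
        if best is None or fa_rate - loss > best[0]:
            best = (fa_rate - loss, k, fa_rate, loss)
    return best


def avg_frequency(c):
    """Members per arrival position spanned: a timestamp-free frequency."""
    return len(c) / (c[-1] - c[0] + 1)


def prioritize(alarms, k, known_false):
    """Drop the false-alarm cluster, then rank by size, frequency, first arrival."""
    behaviors = [split_alarm(r)[1] for r, _ in alarms]
    clusters = cluster(behaviors, k)
    fa = false_alarm_cluster(clusters, known_false)
    kept = [c for c in clusters if c != fa]
    return sorted(kept, key=lambda c: (-len(c), -avg_frequency(c), c[0]))


if __name__ == "__main__":
    score, k, fa_rate, loss = choose_k(ALARMS)
    print(f"k={k}: false-alarm detection {fa_rate:.0%}, true alarms lost {loss:.0%}")
    for c in prioritize(ALARMS, k, known_false={4, 5}):
        paths = sorted({split_alarm(ALARMS[i][0])[0] for i in c})
        print(len(c), f"{avg_frequency(c):.2f}", paths, c)
```

On this input the search settles on four clusters (XSS, SQL injection, path traversal, and benign searches containing the word "select"), the benign cluster is filtered out by the two alarms known to be false, and the XSS cluster ranks first by size while the two two-member clusters tie on size and frequency. Swapping in a different string measure (edit distance, n-gram overlap) only changes `similarity`; the filter-and-rank logic stays the same.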
Keywords/Search Tags:Network Security, Intrusion Detection, Alarm Mining, Clustering Algorithm, Association Analysis