| With the development of cyber technology, cyber-security problems are drawing increasing attention. Traditional defense methods rely mainly on perimeter defense and on matching against a library of existing attacks, which is ineffective when new attack methods and insider threats keep emerging. Netflow data is important in cyberspace because it reflects how the network is used and the characteristics of the individuals in it. Analyzing netflow data can do much to cover the shortcomings of traditional methods when facing new threats. This paper summarizes the common methods of netflow feature analysis and network anomaly detection. Targeting intranets with a complete structure, it proposes a security analysis framework that identifies roles in the network based on netflow features and detects abnormalities in the interactions of different role groups. First, we create a feature library that profiles the characteristics of an individual's interactions based on the distribution of interaction behaviors and interaction flow, and apply a random forest to identify the roles in the network. Then, we merge individuals' netflow into group netflow based on each individual's role information, construct an anomaly detection feature set, and detect abnormalities in group interactions through time series analysis. Experiments on one real intranet illustrate that the proposed method and framework are able to mine the role information of individuals in a network and detect abnormalities of groups composed of individuals with the same role. |
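
An added sketch of the second stage described in the abstract, not code from the paper: per-host flows are merged into role-to-role group series, and each series is checked against a trailing baseline. The role map (standing in for the random-forest output), the byte-volume feature, the hourly bin and the median/MAD test are all assumptions, since the abstract does not name the paper's features or time-series method.

```python
from collections import defaultdict
from statistics import median

# Constructed role map. In the framework this would come from the
# random-forest role classifier; here it is assumed as given input.
ROLES = {"10.0.0.5": "workstation", "10.0.0.6": "workstation",
         "10.0.1.2": "server"}

def sample_flows():
    """Constructed flows (unix_ts, src, dst, bytes); hour 7 holds a bulk transfer."""
    flows = []
    for hour in range(8):
        ts = hour * 3600
        flows.append((ts + 10, "10.0.0.5", "10.0.1.2", 1000 + 20 * (hour % 3)))
        flows.append((ts + 20, "10.0.0.6", "10.0.1.2", 900 + 10 * (hour % 2)))
        flows.append((ts + 30, "10.0.1.2", "10.0.0.5", 5000))
    flows.append((7 * 3600 + 40, "10.0.0.6", "10.0.1.2", 60000))
    return flows

def group_series(flows, roles, bin_seconds=3600):
    """Merge per-host flows into byte counts per (src role, dst role) and time bin."""
    series = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        pair = (roles.get(src, "unknown"), roles.get(dst, "unknown"))
        series[pair][ts // bin_seconds] += nbytes
    return series

def detect(series, window=6, threshold=5.0):
    """Flag bins deviating from the trailing-window median by > threshold robust sigmas."""
    alerts = []
    for pair, bins in series.items():
        first, last = min(bins), max(bins)
        values = [bins.get(b, 0) for b in range(first, last + 1)]  # silent bins count as 0
        for i in range(window, len(values)):
            hist = values[i - window:i]
            med = median(hist)
            mad = median([abs(v - med) for v in hist])
            # 1.4826 * MAD approximates one sigma; the floor handles flat baselines (MAD == 0).
            scale = 1.4826 * mad or max(1.0, 0.1 * med)
            score = (values[i] - med) / scale
            if abs(score) > threshold:
                alerts.append((pair, first + i, values[i], round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in detect(group_series(sample_flows(), ROLES)):
        print(alert)
```

Scoring the merged group series rather than each host keeps the baseline stable when individual hosts are noisy, and hosts missing from the role map land in an `unknown` group instead of being dropped.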