
Research Of Anomaly Detection Technology Based On User And Entity Behavior

Posted on: 2021-01-07
Degree: Master
Type: Thesis
Country: China
Candidate: J W Sun
Full Text: PDF
GTID: 2428330623982209
Subject: Computer technology
Abstract/Summary:
With the continuous development and wide application of network technology, the amount of data carried by the Internet is rising, and especially the amount of information in it. At the same time, applications that rely on the Internet are diversifying, and cyberattacks are becoming more varied and novel. Intrusion detection technology has improved continuously as new intrusion behaviors appeared, by formulating defense solutions for each scenario, but it is challenged by the rapid development of related technologies. At present, new types of cyberattacks have begun to use deep learning techniques to defeat existing intrusion detection systems, and wider use of encryption and tunneling improves concealment, so that attacks can easily evade existing security defenses. These developments make unknown attacks harder to detect, resulting in irreparable losses such as device data tampering or leakage of important information.

To deal with constantly emerging threats, this dissertation brings the idea of UEBA (user and entity behavior analytics) into the field of network traffic anomaly detection. Based on behavior-oriented traffic analysis, it analyzes in depth the time-related features of normal user behavior and of attack traffic, so as to depict the baseline of normal users' network traffic behavior more fully, discover changes in newly generated traffic behavior, and thus detect attacks and other abnormal behaviors. The dissertation proposes using a generative adversarial network model for baseline learning. This avoids the problem of insufficient sample size during training in this field, because the anomaly detection model is trained on plentiful normal user behavior data. The training samples are easier to collect and the model is easier to deploy: it can be deployed for any user, system, or device with an IP address. The framework detects quickly and has a certain effect on multiple attacks.

The main research work and innovations of this dissertation are as follows.

1. It analyzes the granularity at which network traffic can be divided and the advantages and disadvantages of the different division methods, and determines the flow-level division used in the study. Aiming at the high false negative rate of traditional detection, which makes unknown attacks difficult to detect, it surveys the research status of behavior-based anomaly detection. For the problem that detection models struggle to handle high-dimensional data, it surveys the current status of anomaly detection based on machine learning methods. Then, because selecting one-sided features and models usually ties detection to one specific scenario, it analyzes the framework idea of UEBA and finally settles on a deep learning-based method that is good at analyzing complex data types.

2. It analyzes the representation of network traffic and decides to use TCP/IP underlying metadata to represent upper-layer interactions. It then analyzes in depth the flow features of normal users' sessions and puts forward a basic representation of differences in user behavior. At the same time, following the attack process, it analyzes the traffic features of common attack behaviors and summarizes the salient features that identify them. In addition, existing intrusion detection data sets are analyzed and their deficiencies pointed out, which motivates training the model on long-term real user behavior data collected for this work. Combining the above analysis, a set of time-based metadata features built on bidirectional flows and substreams is proposed. The feature set is 54-dimensional and characterizes user behavior more fully and represents it more stably. Using this feature combination, features are extracted from the collected normal user traffic and from the attack traffic in the public data sets to form a data set. The final step before modeling is to analyze the advantages and disadvantages of methods for handling such unbalanced training data. Finally, a modeling algorithm that uses only one type of data is chosen.

3. An improved baseline modeling method based on a bidirectional Generative Adversarial Network (GAN) is proposed. By learning only normal samples, the model continuously optimizes and learns automatically during training to establish a baseline model for different users. The study elaborates the principle of the model, the improvement to the training part, the parameter selection, the network structure of each part, and the training process. Finally, the continuous and discrete features in the data are preprocessed into a form suitable for model learning. After training, the effectiveness of the baseline model is tested through experimental comparison, and the modeling time suitable for such users is obtained.

4. This dissertation designs and implements an abnormal behavior detection system based on user and entity behavior and tests its performance. The system is then applied to laboratory user traffic collected in real time and to seven types of attack traffic from public data sets. The experimental results show that the system produces different detection effects depending on which user behavior baseline is constructed. Detection is very fast, an excellent detection effect is produced for some attacks, and the feasibility of the method is verified.
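The abstract describes grouping packets into bidirectional flows, cutting them into substreams, and computing time-based metadata features per substream as the model's input. The following is an added illustration of that pipeline, not code from the dissertation: the packet record format, the idle timeout, and the small feature set (the thesis uses 54 dimensions) are assumptions, and the packet trace is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records (timestamp_s, src, dst, sport, dport, proto, length); assumed format, not thesis data.
PACKETS = [
    (0.00, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 120),
    (0.05, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 1400),
    (0.10, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 80),
    (0.12, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 1400),
    (5.30, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 90),  # long idle gap: new substream
    (5.35, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 600),
    (0.20, "10.0.0.5", "10.0.0.53", 40000, 53, "udp", 60),
    (0.21, "10.0.0.53", "10.0.0.5", 53, 40000, "udp", 150),
]
IDLE_TIMEOUT = 2.0  # assumed substream cut-off in seconds

def flow_key(pkt):
    """Canonical bidirectional key: both directions of one conversation map to one flow."""
    _, src, dst, sport, dport, proto, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def split_substreams(pkts, idle=IDLE_TIMEOUT):
    """Cut a flow into substreams wherever the inter-packet gap exceeds the idle timeout."""
    pkts = sorted(pkts, key=lambda p: p[0])
    subs = [[pkts[0]]]
    for prev, p in zip(pkts, pkts[1:]):
        if p[0] - prev[0] > idle:
            subs.append([])
        subs[-1].append(p)
    return subs

def substream_features(pkts):
    """Time- and direction-aware metadata features for one substream (the model's input row)."""
    initiator = (pkts[0][1], pkts[0][3])  # first sender defines the forward direction
    fwd = [p for p in pkts if (p[1], p[3]) == initiator]
    bwd = [p for p in pkts if (p[1], p[3]) != initiator]
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]  # inter-arrival times
    bytes_fwd, bytes_bwd = sum(p[6] for p in fwd), sum(p[6] for p in bwd)
    return {"duration": pkts[-1][0] - pkts[0][0], "pkts_fwd": len(fwd), "pkts_bwd": len(bwd),
            "bytes_fwd": bytes_fwd, "bytes_bwd": bytes_bwd, "bytes_ratio": bytes_fwd / max(1, bytes_bwd),
            "iat_mean": mean(gaps) if gaps else 0.0, "iat_std": pstdev(gaps) if gaps else 0.0}

def extract_features(packets):
    """Group packets into bidirectional flows, then emit one feature dict per substream."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return {k: [substream_features(s) for s in split_substreams(v)] for k, v in flows.items()}
```

Each feature dict is one row of the per-user training matrix; a baseline model trained only on normal rows then scores new substreams by how far they fall from that baseline.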
Keywords/Search Tags: Network Anomaly Detection, Behavior Analysis, Behavior Characteristic Extracting, Deep Learning