Research On Real-time Attack Detection Technologies Based On Network Flow Features

Posted on: 2022-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: J Yang
Full Text: PDF
GTID: 2518306332967369
Subject: Cyberspace security

Abstract/Summary:
Cyberspace security has recently received more and more attention from society, and establishing effective defensive measures against the various types of network attacks, so as to ensure the security of network devices and information, has become a highly important issue. With the growth of network traffic scale, traditional attack detection systems can hardly meet the real-time and accuracy requirements of high-speed network traffic scenarios, and high-speed traffic collection has become their main performance bottleneck. In addition, how to extract network traffic features quickly and effectively in high-speed traffic scenarios is still an open research topic. This thesis therefore studies the high-speed network traffic collection framework and the attack detection dataset, combines them with practical application scenarios, and proposes and implements a prototype system for real-time attack detection based on network flow features. The main work and innovation points are as follows:

1) A real-time collection and analysis processing method for high-speed network traffic based on DPDK (Data Plane Development Kit) is proposed. By studying and analysing the basic principles of the traffic collection technology used by current attack detection systems, and addressing the high missed-alarm rate caused by low traffic collection performance in high-speed network scenarios, a DPDK-based real-time collection and analysis processing method for high-speed traffic is proposed. The method integrates traffic filtering, multi-core binding and load balancing, which effectively reduces the packet loss rate and improves detection performance.

2) A real-time network flow feature processing method is proposed. By studying and analysing the features of the CICIDS2017 and KDD CUP 99 datasets, the problems of redundant features and low detection efficiency in CICIDS2017, and the inapplicability to practical scenarios and low data volume of KDD CUP 99, are addressed, and an attack detection dataset based on network flow features is generated. The dataset includes time-window-based network traffic statistics features and time-window-based host-related statistics features, which effectively reduce detection time and improve the detection rate.

3) Real-time attack detection based on network flow features is verified experimentally, and a prototype system for real-time attack detection based on network flow features is implemented. The system combines the proposed high-speed traffic real-time collection and analysis processing method with the real-time network flow feature processing method, and performs real-time attack detection in high-speed traffic scenarios through the stages of high-speed traffic real-time collection and analysis, real-time feature processing, attack detection and attack response.

The experimental results show that, with 64-byte packets, a 10 Gbps sending rate and simultaneous packet processing, the proposed real-time traffic collection and analysis processing method reduces the packet loss rate to 12% and improves collection efficiency; using the same machine learning algorithm and raw traffic data, the dataset generated by the proposed real-time network flow feature processing method has a 48% lower average training and detection time and 7% higher accuracy than the CICIDS2017 dataset; and in a simulation scenario with a maximum traffic sending rate of 6 Gbps, the prototype system is able to identify abnormal traffic and achieve an average detection accuracy of 89% within 2 seconds.
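The abstract describes time-window-based traffic statistics features and host-related statistics features without defining them. The following is an added illustration of what such a feature extractor can look like; it is not the thesis's code, and the specific features, thresholds and the `Packet` record are assumptions. Per-flow features (packet count, byte count, mean length) and per-source-host features (packets, distinct destination hosts and ports, SYN ratio) are computed over a sliding time window of constructed packet records, and a hypothetical threshold rule shows how a host feature feeds a detector.

```python
"""Time-window flow and host statistics features (added example, not thesis code).

For a window (t_end - window, t_end], compute per-flow and per-source-host
statistics from packet records. The packet records below are constructed,
not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds (assumed field)
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    length: int     # bytes on the wire
    syn: bool       # TCP SYN flag set (new-connection attempt)


def in_window(packets, window, t_end):
    """Packets whose timestamp lies in (t_end - window, t_end]."""
    return [p for p in packets if t_end - window < p.ts <= t_end]


def flow_features(packets, window, t_end):
    """Per-flow statistics keyed by (src, dst, dport)."""
    flows = defaultdict(list)
    for p in in_window(packets, window, t_end):
        flows[(p.src, p.dst, p.dport)].append(p)
    return {
        key: {
            "pkts": len(ps),
            "bytes": sum(p.length for p in ps),
            "mean_len": sum(p.length for p in ps) / len(ps),
        }
        for key, ps in flows.items()
    }


def host_features(packets, window, t_end):
    """Per-source-host statistics over the same window."""
    hosts = defaultdict(lambda: {"pkts": 0, "dst_hosts": set(),
                                 "dst_ports": set(), "syn": 0})
    for p in in_window(packets, window, t_end):
        h = hosts[p.src]
        h["pkts"] += 1
        h["dst_hosts"].add(p.dst)
        h["dst_ports"].add(p.dport)
        h["syn"] += int(p.syn)
    return {
        src: {
            "pkts": h["pkts"],
            "distinct_dst_hosts": len(h["dst_hosts"]),
            "distinct_dst_ports": len(h["dst_ports"]),
            "syn_ratio": h["syn"] / h["pkts"],
        }
        for src, h in hosts.items()
    }


def flag_hosts(host_feats, min_ports=20, min_syn_ratio=0.9):
    """Hypothetical rule: a source touching many ports with almost only SYNs
    in one window is reported for the detector / response stage."""
    return sorted(src for src, f in host_feats.items()
                  if f["distinct_dst_ports"] >= min_ports
                  and f["syn_ratio"] >= min_syn_ratio)


# Constructed sample traffic: one ordinary HTTPS client, one source that
# opens connections to 50 different ports, and one packet outside the window.
SAMPLE = [Packet(0.5 + 0.1 * i, "10.0.0.5", "10.0.0.9", 443, 1400, False)
          for i in range(10)]
SAMPLE += [Packet(1.0 + 0.01 * i, "10.0.0.7", "10.0.0.9", 1000 + i, 60, True)
           for i in range(50)]
SAMPLE += [Packet(5.0, "10.0.0.5", "10.0.0.9", 443, 1400, False)]

if __name__ == "__main__":
    feats = host_features(SAMPLE, window=2.0, t_end=2.0)
    for src, f in feats.items():
        print(src, f)
    print("flagged:", flag_hosts(feats))
```

In a real pipeline the window would slide with the packet clock and the feature rows would be handed to the trained model rather than to a fixed threshold; the point here is only that each row is a small, fixed-size summary of one window, which is what makes per-window training and detection cheaper than per-packet processing.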
Keywords/Search Tags:high-speed networks, network traffic capture, DPDK, feature engineering, attack detection