
Research And Implementation Of Network Attack Anomaly Detection Technology Based On Unknown Protocol Feature Extraction And Modeling

Posted on: 2022-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Song
Full Text: PDF
GTID: 2518306338466864
Subject: Cyberspace security
Abstract/Summary:
With the advancement of the Internet and a new generation of information technology, many enterprises and communication networks run a large number of user-defined, internal unknown protocols, and they place high requirements on communication security. In today's network environment, current attack detection systems have three main problems:

1. At this stage, attack detection technology mainly consists of misuse detection and anomaly detection. The accuracy of misuse detection is high, but unknown attacks cannot be detected, and the false alarm rate is high; anomaly detection can identify unknown attacks, but has a higher false alarm rate and fewer practical applications.
2. At present, most attack detection systems are aimed at general-purpose environments and are cost-effective. However, for private networks with high security requirements, current attack detection systems cannot achieve ultra-high attack recognition accuracy.
3. For known communication protocols whose format information is public, recognition technology is very mature. But for protocols that are completely unknown to the detection system, current attack detection systems are powerless.

Based on the above background, this article focuses on using an anomaly detection system, with flow-based feature extraction and modeling, in a specific environment containing a large number of unknown protocols, in order to accurately identify network attacks in an environment with high security requirements. The work of this paper can be summarized as follows:

1. A multi-dimensional unknown protocol feature extraction method is proposed. This paper extracts and models the features of the unknown protocol along three dimensions: statistical features, format features, and behavior features. The statistical features of the flow are extracted mainly from two categories: the basic characteristics of the flow and the information characteristics of the flow. The format features of the flow mainly infer the format of the unknown protocol. The behavior features of the flow are mainly divided into the topological characteristics of the flow and the attack characteristics of the flow.
2. A multi-dimensional attack detection method is proposed. A corresponding detection method is designed for each of the three feature extraction dimensions. For the statistical features, a detection method that combines basic features and related parameters is proposed; for the format features, a detection method based on the protocol message format is proposed; for the topological features, a detection method based on information entropy is proposed.
3. An anomaly detection system based on unknown protocols is designed. It uses the multi-dimensional feature extraction and attack detection methods for unknown protocols, and adds a high-speed packet capture module, a massive data storage module, a known/unknown traffic classification module, and an interactive alarm and display module to form a complete anomaly detection system.

In the testing phase, this paper uses known protocols as the unknown protocols to test the detection accuracy of the entire system. In the test, the system can accurately model each protocol separately, distinguish each traffic model with a high success rate, and identify common attacks, which has a certain value in the field of unknown protocol traffic detection.
Keywords/Search Tags: Network security, anomaly detection, unknown protocol, feature extraction algorithm