
Network Security Monitoring System Based On Security Object And Behavior Analysis

Posted on: 2021-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: T Xiao
Full Text: PDF
GTID: 2518306476453044
Subject: Cyberspace security
Abstract/Summary:
The development of computer and network technology has improved the efficiency of people's lives and accelerated social development. At the same time, it has brought the problem of network attacks. As the means of network attack become more diverse and complex, network security attracts more and more attention. This thesis focuses on the actual situation of the northeast China network center of CERNET (China Education and Research Network) and conducts an in-depth analysis of how to monitor the security objects in an actual network environment. By analyzing the security objects and their behaviors at three levels (network, hosts and users), this thesis designs and implements a network security monitoring system that supports network managers in conducting security monitoring within the network.

For network security monitoring, this thesis designs and implements a network topology discovery algorithm based on the SNMP protocol and, using the device information collected by the topology discovery algorithm, implements monitoring of the network topology and network devices. The algorithm uses multi-threaded concurrency to speed up discovery and keep the results real-time. In addition, according to the actual network environment, this thesis designs separate algorithms for the wired network and the wireless network to ensure the integrity and accuracy of the topology information.

For host security monitoring, this thesis compares and analyzes common anomaly detection algorithms in detail. Based on the anomaly detection model, it designs and implements an anomaly detection algorithm based on host system resource data. The host system resource data is used as the data source, an OCSVM classifier is used to construct the host system resource usage pattern, and the host system resource data is judged within a time window, thereby performing host anomaly detection.

For user security monitoring, targeting users' actual use of the internal server of the network center, this thesis first designs and implements an anomaly detection algorithm for users' login behavior, which monitors abnormal users and login behavior by extracting information about users' logins. In addition, the shell command sequences generated by users on the server are extracted as the basis for detecting user identity anomalies, and the HMM algorithm is used to detect user identity theft.

After the design and implementation of the security monitoring system, experiments and analysis were conducted on each module of the system. The experimental results show that the network security monitoring system designed and implemented in this thesis can effectively monitor the security objects in the actual internal environment of the network center, and that it is timely and accurate.
Keywords/Search Tags: Topology Discovery, Anomaly Detection, One-class SVM, Hidden Markov Model