Research On Feature Extraction Method Of Exploit Attack In Network Traffic Based On Honeypot

Posted on: 2022-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: L L Zhao
GTID: 2518306506963329
Subject: Software engineering

Abstract/Summary:
As the scale of networks grows, security vulnerabilities are inevitable. Once attackers find such a vulnerability, they use it to launch attacks, causing great harm to network security. Faced with these threats, more and more security personnel have strengthened their research on the security of network traffic, using machine learning algorithms to build malicious-traffic identification models that recognize network attacks and uncover potential risks in network traffic. However, for such a model to achieve more accurate recognition, the result depends not only on the performance of the classification algorithm but also, closely, on the quality of the feature set used to train the classification model. This research therefore takes exploit attack behavior as its object of study and an efficient feature extraction method as its objective, and carries out a series of studies. Because the existing anomalous-attack data sets, and the data collected through traffic acquisition tools, suffer from class imbalance (the anomalous traffic is far smaller than the normal traffic), the recognition performance of the detection model is affected to some degree. This study therefore uses honeypot technology based on an active defense strategy to collect network traffic. Through in-depth research and analysis of exploit attack feature extraction techniques, this study proposes a series of methods that extract features of attack behavior efficiently, and conducts extensive empirical research. Groups of experiments verify the effectiveness of the proposed methods and compare them with the feature extraction methods widely used in the field. At the same time, in order to automate the workflow, an exploit attack feature extraction and identification system is designed and implemented. The main research contents and contributions of this thesis are summarized as follows:

1. For the Kernel Principal Component Analysis (KPCA) method among shallow learning methods, which neglects category (label) information and the mean-value behavior of feature attributes, this thesis proposes a KPCA-based quadratic feature extraction approach, L-KPCA (linear discriminant-kernel principal component analysis). The approach first uses KPCA to project the original, linearly inseparable data samples into a high-dimensional linearly separable space and deletes redundant and irrelevant features. Then, in the new feature space, linear discriminant analysis (LDA) is used for secondary feature extraction to obtain more accurate feature attributes. This processing not only preserves the treatment of non-linear data in network traffic, but also effectively compensates for the problem that KPCA analyzes features only from the angle of variance and ignores how they behave in the mean. Because the approach considers both the mean and the variance of the samples, features are analyzed more comprehensively. In addition, L-KPCA makes use of category information and can extract the feature combinations that are useful for classification, so a classification model subsequently trained on these features achieves a better recognition effect. To verify the effectiveness of the proposed approach, this thesis also proposes a malicious attack identification model, L-KPCA-SVM, built on it, which classifies and identifies exploit attack traffic in network traffic. Comparative experiments show that the proposed approach makes the classification model perform better in recognition precision and recall.

2. For the convolutional autoencoder (CAE) method in the field of deep learning, considering that the processing of data samples into features is completed in the encoding stage, this thesis proposes an asymmetric deep convolutional autoencoder (ADCAE) feature extraction model. The model combines the advantages of the autoencoder and the convolutional neural network: only the encoding process of the CAE is retained, and multiple hidden layers are set up to construct an asymmetric deep convolutional autoencoder; an appropriate number of encoder hidden layers is also chosen through experiments, so that the model obtains the best hidden-layer output, that is, the features. Similarly, a malicious traffic identification model, ADCAE-SVM, is constructed on this model, combined with the SVM algorithm to detect and classify exploit attacks in network traffic. Observation and comparison of the experimental results show that the model proposed in this thesis effectively improves the recognition effect compared with existing models, and has high stability and accuracy in sample detection.

3. Because a large amount of experimental data and repetitive labor are generated when computing the results of the algorithms during experiments, and manual processing introduces error, this thesis designs and implements an exploit attack traffic identification system, EATIS, which integrates, in a modular manner, the whole workflow for traffic samples from data preprocessing, feature extraction and classification model training to final data analysis. The system is highly automated, which effectively reduces manual intervention. Testing verified the feasibility and effectiveness of the prototype system.
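The two-stage L-KPCA extraction of contribution 1, as an added example that is not code from the thesis: a numpy-only KPCA with an RBF kernel (stage 1, including the drop of negligible-variance directions), followed by a two-class Fisher LDA (stage 2), run on a constructed, imbalanced two-class "traffic" sample that is not linearly separable. The thesis pairs the extracted features with an SVM; here the classifier is assumed to be a midpoint threshold on the LDA projection, and the kernel width, component count, ring-shaped sample data and the raw-LDA baseline are all assumptions made for the example.

```python
"""Added example (not the thesis's code): numpy-only sketch of the
two-stage L-KPCA feature extraction (KPCA, then LDA) on constructed data."""
import numpy as np


def rbf_kernel(A, B, gamma):
    """Gaussian kernel matrix K[i, j] = exp(-gamma * ||a_i - b_j||^2)."""
    sq = (A ** 2).sum(1)[:, None] + (B ** 2).sum(1)[None, :] - 2.0 * A @ B.T
    return np.exp(-gamma * np.maximum(sq, 0.0))


class KernelPCA:
    """Stage 1: map samples into the RBF feature space and keep the leading
    principal directions. Directions whose eigenvalue is negligible next to
    the largest are dropped (the 'delete redundant features' step)."""

    def __init__(self, n_components, gamma, rel_tol=1e-3):
        self.n_components, self.gamma, self.rel_tol = n_components, gamma, rel_tol

    def fit(self, X):
        self.X = X
        K = rbf_kernel(X, X, self.gamma)
        n = len(X)
        J = np.full((n, n), 1.0 / n)
        Kc = K - J @ K - K @ J + J @ K @ J              # centre in feature space
        vals, vecs = np.linalg.eigh(Kc)
        order = np.argsort(vals)[::-1][: self.n_components]
        vals, vecs = vals[order], vecs[:, order]
        keep = vals > self.rel_tol * vals[0]
        self.alphas = vecs[:, keep] / np.sqrt(vals[keep])  # unit-norm directions
        self.col_mean, self.all_mean = K.mean(0), K.mean()  # stats for test centring
        return self

    def transform(self, Y):
        """Project new samples; centring reuses the training kernel statistics."""
        K = rbf_kernel(Y, self.X, self.gamma)
        Kc = K - K.mean(1)[:, None] - self.col_mean[None, :] + self.all_mean
        return Kc @ self.alphas


class FisherLDA:
    """Stage 2: two-class Fisher discriminant. It uses the labels and the
    class means, the information KPCA alone ignores."""

    def __init__(self, reg=1e-6):
        self.reg = reg

    def fit(self, Z, y):
        z0, z1 = Z[y == 0], Z[y == 1]
        m0, m1 = z0.mean(0), z1.mean(0)
        Sw = (z0 - m0).T @ (z0 - m0) + (z1 - m1).T @ (z1 - m1)
        Sw += self.reg * np.eye(Z.shape[1])          # keep Sw invertible
        self.w = np.linalg.solve(Sw, m1 - m0)         # Fisher direction
        self.w /= np.linalg.norm(self.w)
        # assumed classifier: threshold half-way between the projected class means
        self.thresh = 0.5 * (m0 + m1) @ self.w
        return self

    def transform(self, Z):
        return Z @ self.w                             # 1-D discriminant feature

    def predict(self, Z):
        return (self.transform(Z) > self.thresh).astype(int)


def make_ring_traffic(n_normal, n_attack, rng):
    """Constructed sample: 'normal' sessions lie on an inner ring and
    'exploit' sessions on an outer ring of two scaled flow statistics, so the
    classes are not linearly separable and are deliberately imbalanced."""
    def ring(n, radius):
        theta = rng.uniform(0, 2 * np.pi, n)
        r = radius + rng.normal(0, 0.1, n)
        return np.c_[r * np.cos(theta), r * np.sin(theta)]
    X = np.vstack([ring(n_normal, 1.0), ring(n_attack, 3.0)])
    y = np.r_[np.zeros(n_normal, dtype=int), np.ones(n_attack, dtype=int)]
    return X, y


def precision_recall(y_true, y_pred):
    """Precision and recall of the attack class (label 1)."""
    tp = int(((y_pred == 1) & (y_true == 1)).sum())
    fp = int(((y_pred == 1) & (y_true == 0)).sum())
    fn = int(((y_pred == 0) & (y_true == 1)).sum())
    return tp / max(tp + fp, 1), tp / max(tp + fn, 1)


def run_l_kpca(seed=0, n_components=10, gamma=0.5):
    """Train KPCA -> LDA on an imbalanced ring sample and score held-out data;
    a plain LDA on the raw 2-D features serves as the baseline."""
    rng = np.random.default_rng(seed)
    Xtr, ytr = make_ring_traffic(200, 20, rng)
    Xte, yte = make_ring_traffic(200, 40, rng)
    kpca = KernelPCA(n_components, gamma).fit(Xtr)
    Ztr = kpca.transform(Xtr)
    lda = FisherLDA().fit(Ztr, ytr)
    two_stage = precision_recall(yte, lda.predict(kpca.transform(Xte)))
    raw = precision_recall(yte, FisherLDA().fit(Xtr, ytr).predict(Xte))
    return {"l_kpca": two_stage, "raw_lda": raw,
            "n_kept": int(kpca.alphas.shape[1]),
            "train_mean_abs": float(np.abs(Ztr.mean(0)).max())}


if __name__ == "__main__":
    print(run_l_kpca())
```

The raw-feature baseline cannot separate the rings because both classes share the same mean, which is exactly the case the kernel stage exists for; once KPCA has unfolded the rings, LDA finds a single discriminant direction that separates them, and the projected training features have zero mean, confirming that the test-time centring formula matches the training centring.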
Keywords/Search Tags: Exploits attack, Feature extraction, Kernel principal component analysis, Autoencoder, Anomaly detection