
Network Security Situation Analysis Research And Application Based On Network Flow

Posted on: 2022-10-14
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Li
GTID: 2518306524992389
Subject: Master of Engineering

Abstract/Summary:
A network flow contains all the information of a network session. By analysing network flows, the current network status can be obtained and attack behaviours can be found in a timely and accurate manner, while the cost of system deployment stays relatively low. At present, flow-based attack detection systems mostly identify and classify the characteristics of individual flows, and do not make full use of the hierarchical structure of network flow data or of the staged character of network attack events. In order to improve the efficiency of analysis and effectively discover the behavioural characteristics of APT attack events, this thesis first extracts network flow characteristics based on a three-level flow entity representation structure; it then identifies and classifies flows intelligently with a dual-engine flow identification technique based on pattern matching and deep learning. Based on the attack chain theoretical model, complete network attack chains are mined through spatio-temporal association and causal association, attack scenarios are reconstructed, and the complete attack event is deduced. Finally, a flow-based network situation analysis system is designed, which realizes the complete function of real-time network situation awareness and attack warning, from raw traffic collection, analysis and identification through to the end-user interface. The main contents of this thesis are as follows:

(1) A multi-level network flow entity representation architecture is proposed. Drawing on the three-level representation of words, sentences and paragraphs in natural language processing, and in order to make full use of the spatio-temporal relationships between packets within a flow and between flows, as well as certain semantic characteristics, this thesis proposes a three-level architecture: network packet, network flow and network flow group. The network flow entity representation structure and the specific feature attribute extraction technique provide a basis for subsequent stream extraction, trend behaviour identification and attack event identification.

(2) An intelligent comprehensive traffic identification method combining pattern matching and deep learning is proposed. Pattern matching and deep learning are used as dual engines to identify traffic. First, known attack traffic is quickly classified using prior expert knowledge encoded as matching rules; then abnormal traffic is identified using an intelligent baseline model; finally, a CNN model is used to further classify attack types. This method combines the rapid detection capability of pattern matching for known traffic, the ability of the baseline model to identify abnormal traffic without a large number of training samples, and the high classification accuracy of the CNN deep learning model, thus improving the timeliness and accuracy of traffic detection.

(3) A method for discovering network attack events based on attack chains is proposed. Based on the theoretical attack chain model, detected attack flows are first aggregated into network flow groups, each representing a single-step attack behaviour; the complete attack chain is then mined using spatio-temporal correlation and causal correlation, and the attack events that have occurred are reconstructed in order to alert on the current attack behaviour.

(4) A flow-based network situation analysis system is designed and implemented. Based on the above methods and designs, a flow-based network situation analysis system is designed and implemented. The system comprises three modules, collection, analysis and presentation, which realize the collection, analysis and identification of raw flow data.
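The following is an added illustration, not code from the thesis, of the three-level representation (packet, flow, flow group) and the attack-chain mining step described in points (1) and (3). The packet records and per-flow stage verdicts are constructed sample data; the verdicts stand in for the output of the rule / baseline / CNN engines, and the stage names, grouping window and correlation rules are simplifying assumptions.

```python
PACKETS = [  # constructed sample packets: (time_s, src, dst, sport, dport, proto)
    (1.0, "10.0.0.5", "10.0.0.9", 40001, 22, "tcp"), (1.1, "10.0.0.9", "10.0.0.5", 22, 40001, "tcp"),
    (1.3, "10.0.0.5", "10.0.0.9", 40002, 80, "tcp"), (1.4, "10.0.0.5", "10.0.0.9", 40003, 443, "tcp"),
    (5.0, "10.0.0.6", "10.0.0.9", 40500, 80, "tcp"),  # benign flow with no verdict: never grouped
    (9.0, "10.0.0.5", "10.0.0.9", 40010, 22, "tcp"), (9.2, "10.0.0.9", "10.0.0.5", 22, 40010, "tcp"),
    (30.0, "10.0.0.9", "203.0.113.7", 51000, 8443, "tcp"), (31.0, "10.0.0.9", "203.0.113.7", 51000, 8443, "tcp"),
]
# Constructed per-flow stage verdicts standing in for the rule / baseline / CNN identification engines.
VERDICTS = {
    ("10.0.0.5", "10.0.0.9", 40001, 22, "tcp"): "recon", ("10.0.0.5", "10.0.0.9", 40002, 80, "tcp"): "recon",
    ("10.0.0.5", "10.0.0.9", 40003, 443, "tcp"): "recon", ("10.0.0.5", "10.0.0.9", 40010, 22, "tcp"): "intrusion",
    ("10.0.0.9", "203.0.113.7", 51000, 8443, "tcp"): "exfiltration",
}
STAGE_ORDER = ["recon", "intrusion", "exfiltration"]  # assumed, simplified attack chain stages
def build_flows(packets):
    """Level 2: fold packets into bidirectional flows keyed by the initiating 5-tuple."""
    flows = {}
    for t, src, dst, sp, dp, proto in sorted(packets):
        key, rkey = (src, dst, sp, dp, proto), (dst, src, dp, sp, proto)
        f = flows.setdefault(rkey if rkey in flows else key, {"start": t, "end": t, "pkts": 0})
        f["end"], f["pkts"] = max(f["end"], t), f["pkts"] + 1
    return flows
def build_flow_groups(flows, verdicts, window=5.0):
    """Level 3: merge attack flows sharing source host and stage within `window` seconds into one group."""
    groups = []
    for key in sorted(flows, key=lambda k: flows[k]["start"]):
        stage, f, src, dst = verdicts.get(key), flows[key], key[0], key[1]
        if stage is None:
            continue
        for g in groups:
            if g["src"] == src and g["stage"] == stage and f["start"] - g["end"] <= window:
                g["end"], g["flows"] = max(g["end"], f["end"]), g["flows"] + 1
                g["targets"].add(dst)
                break
        else:
            groups.append({"src": src, "stage": stage, "start": f["start"], "end": f["end"], "targets": {dst}, "flows": 1})
    return groups
def mine_attack_chain(groups, order=STAGE_ORDER):
    """Chain groups by spatio-temporal and causal correlation: each step is a later stage, starts after
    the previous step ends, and comes from that step's source or from a host that step targeted."""
    chain = []
    for g in sorted(groups, key=lambda g: g["start"]):
        if not chain:
            chain += [g] if g["stage"] == order[0] else []
            continue
        prev = chain[-1]
        later = order.index(g["stage"]) > order.index(prev["stage"])
        causal = g["src"] == prev["src"] or g["src"] in prev["targets"]
        if later and g["start"] >= prev["end"] and causal:
            chain.append(g)
    return [g["stage"] for g in chain]
```

On the constructed data the three scanning flows collapse into one reconnaissance group, and the chain links that group to the later intrusion from the same source and to the exfiltration launched from the host that intrusion targeted.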
Keywords/Search Tags: network situation, network flow identification, pattern matching, deep learning, attack chain