Research On Anomaly Detection Algorithm Based On SDN Network Traffic

Posted on: 2022-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: J J Qin
Full Text: PDF
GTID: 2518306557468454
Subject: Computer software and theory
Abstract/Summary:
The Software Defined Network (SDN) architecture overcomes the high difficulty and poor extensibility of traditional network management and enables flexible management of the network. However, SDN technology is still not mature enough, and its potential security problems are becoming increasingly prominent. Since network traffic intuitively reflects the network status, abnormal traffic detection can support the defense against network attacks. In existing research on anomaly detection of network traffic, although methods based on machine learning are more effective, problems remain, such as low anomaly detection performance caused by the high feature dimension of network traffic, and anomaly detection performance in the testing phase being lower than in the training phase. Therefore, this thesis improves the performance of anomaly detection from two perspectives: feature selection and optimal flow representation. The main work of this thesis is as follows:

(1) At present, when anomaly detection is carried out on network traffic data, the high dimension of the traffic features and the large volume of traffic data significantly lower detection efficiency. In this thesis, a network traffic Feature Selection algorithm based on Correlation and Influence (FSCI) is proposed. First, according to a correlation judgment, traffic features that have low correlation with the category ("label") and features that are redundant within the set are removed to obtain a feature subset. Then, the feature subset is optimized according to the influence degree factor to obtain the optimal feature set. Finally, the FSCI algorithm is compared with other feature selection algorithms on the accuracy of anomaly detection. The experimental results show that the FSCI algorithm optimizes the traffic feature set and improves anomaly detection accuracy.

(2) When the anomaly detection model performs detection, the joint distribution of features and categories in the test set deviates from that in the training set. In addition, an anomaly detection model built on decision trees has too many branches and high complexity. This thesis presents an Anomaly Detection algorithm based on Traffic Representation Optimization (ADTRO). The ADTRO algorithm has two main parts. First, the histogram data of the semantic characteristics of network traffic and the histogram data of the feature similarity matrix are combined to obtain a more accurate representation of network traffic. Second, the number of leaf nodes is introduced to generate a new spanning tree evaluation basis. If the evaluation bases of two features are similar, the two features are combined into a new feature. Anomaly detection is performed on the data before and after representation optimization, and the detection accuracy of ADTRO is compared with that of other anomaly detection algorithms. The experiments show that the algorithm proposed in this thesis describes different types of traffic data more accurately, achieving more accurate and more stable anomaly detection.

(3) Based on the SDN network architecture, a prototype system is designed and implemented. It includes traffic collection and feature extraction, feature selection, representation optimization, anomaly detection, and exception handling. To test and evaluate the performance of the system, a fat-tree network topology is built with Mininet, and normal traffic and attack traffic are simulated separately. Finally, the SDN anomaly detection prototype system periodically collects SDN traffic data, constructs the vector to be detected according to the optimal feature subset, and carries out the other processing steps. If abnormal traffic exists, the system updates the feature selection and anomaly detection modules and filters the data from the abnormal source.
Keywords/Search Tags: SDN, Traffic Representation Optimization, Feature Selection, Anomaly Detection