With the frequent occurrence of network security incidents, the vulnerability of network systems themselves has become increasingly obvious, and the perception of network threats has therefore become a hot research topic in the field of network security. Currently, threat perception technology is mainly implemented in software. The methods mainly include entropy-based perception, machine learning-based perception, and deep learning-based perception. These methods mostly focus on software-side implementation and, while pursuing real-time performance and accuracy, largely ignore the resources occupied by threat perception. The most difficult point in improving threat perception methods is therefore to ensure that accuracy, availability, and efficiency coexist while reducing equipment resource consumption. In response to these problems, this paper proposes a threat perception method oriented to network flow feature entropy from the perspective of combining software and hardware. It mainly includes the following research contents:

(1) To address the problem that existing methods focus on software implementation and occupy too many resources, a method of attribute extraction and entropy calculation oriented to network flow characteristics is proposed from the perspective of combining software and hardware. Using the programmable network device Open Box, the hardware pipeline is reconstructed according to the feature extraction method. The refactored hardware pipeline includes three parts: the packet analysis module (PPM), the attribute extraction module (AER), and the output engine module (GOE). The architecture uses the FPGA to extract attribute features during message forwarding and reports them to the software layer through message encapsulation, without affecting the forwarding of the original message. The new pipeline realizes a software-side entropy calculation method based on multi-core alternation. Through multi-core alternating processing on the device and statistical calculation in the database, the analysis and entropy calculation of the reported attribute vector messages are completed. The method completes the attribute extraction and feature preprocessing for threat perception and provides input for the multi-classifier threat perception method MCEL. The experimental results show that the method proposed in this paper can correctly extract features and calculate the entropy value with small equipment resource occupancy.

(2) A multi-classifier threat perception method, MCEL, based on ensemble learning is proposed. To address the problem that multi-class classifiers are prone to overfitting, the method realizes threat perception and classification through multiple two-class classifiers. Feature selection for the classifiers is carried out with a method based on correlation and on the model, which accelerates the training of the classifier models and improves classification efficiency. By using multiple classifiers that identify specific threats to refine the classification problem, the method effectively improves classification accuracy. To address the difficulty of predicting traffic changes in the network, the method designs a classifier update strategy based on threshold parameters to maintain the accuracy of the classifiers. Experimental results show that the MCEL method can perceive and classify threats quickly and accurately. Compared with a single machine learning method and a deep learning method, it has more stable and reliable performance.

(3) Based on the above methods, the thesis designs and implements a prototype system for the threat perception method oriented to network flow feature entropy, and designs the overall framework of the system. The design and implementation of the system are described in three parts: the threat perception classification server module, the display control module, and the support service module. The system provides a user-friendly interactive interface. Users can intuitively see the current network topology and threat information from a visual perspective, and can also adjust the parameter configuration of the threat perception system through page interaction.
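
The software-side step described in (1), turning reported attribute vectors into per-window entropy features for the classifiers, can be sketched as follows. This is an added example, not code from the thesis. It assumes Shannon entropy normalized by log2 of the window's record count, a 10-second window, and the hypothetical attribute names `src_ip`, `dst_ip` and `dst_port`; the sample records are constructed.

```python
import math
from collections import Counter, defaultdict

ATTRS = ("src_ip", "dst_ip", "dst_port")  # assumed attribute set, not from the thesis

def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1] by log2(n)."""
    n = len(values)
    if n < 2:
        return 0.0  # a single record has no distribution to measure
    counts = Counter(values)
    h = sum((c / n) * math.log2(n / c) for c in counts.values())
    return h / math.log2(n)

def entropy_features(records, window_s=10):
    """Group attribute vectors into fixed time windows and return
    {window_index: {attribute: normalized entropy}}."""
    windows = defaultdict(list)
    for rec in records:
        windows[int(rec["ts"] // window_s)].append(rec)
    return {
        w: {a: round(normalized_entropy([r[a] for r in recs]), 3) for a in ATTRS}
        for w, recs in sorted(windows.items())
    }

def make_records():
    """Constructed sample: window 0 is mixed traffic; window 1 has many
    sources converging on one destination address and port."""
    recs = []
    for i in range(8):  # window 0: 4 sources, 4 destinations, 2 ports
        recs.append({"ts": i, "src_ip": f"10.0.0.{i % 4}",
                     "dst_ip": f"192.0.2.{i % 4}", "dst_port": (80, 443)[i % 2]})
    for i in range(8):  # window 1: 8 distinct sources, 1 destination, 1 port
        recs.append({"ts": 10 + i, "src_ip": f"198.51.100.{i}",
                     "dst_ip": "192.0.2.1", "dst_port": 80})
    return recs

if __name__ == "__main__":
    for window, feats in entropy_features(make_records()).items():
        print(window, feats)
```

In the constructed second window the source-address entropy rises to its maximum while the destination address and port entropies collapse to zero, which is the kind of shift a per-threat two-class classifier can learn from these feature vectors.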