With the rapid development of Internet and communication network technology, people's daily lives have become more convenient. At the same time, network security problems have become more prominent: more and more means of network attack are appearing, and the normal operation of the network environment faces great challenges. Traditional "shell"-based security measures such as firewalls and anti-virus software cannot effectively resist malicious network attacks. In this thesis, by imitating the risk prevention mechanism of biological systems, we discover and locate risk with the node as the unit, and carry out research on network anomaly detection for endogenous security. The artificial intelligence "brain" continuously learns network patterns to acquire the "resistance" needed to deal with risks. By learning the normal pattern of the network, it improves its ability to discover unknown attacks, and it integrates the content features and structural features of the network through a graph neural network to further locate threat nodes. The main work and innovations of this thesis are as follows:

(1) The biological immune mechanism and the theory of traditional intrusion detection are studied. The thesis analyzes the correlation between biological immunity and intrusion detection, and summarizes and analyzes the problems in existing network security systems. Drawing on the mechanism of biological immunity, it looks for "non-self" behavior in the network and puts forward a new idea for network anomaly detection.

(2) Drawing on the mechanism that distinguishes "self" from "non-self" in biological immunity, and imitating the principle of the negative selection algorithm, the artificial intelligence "brain" detects "non-self" data in the network by learning the normal data in the network. To address the large volume of network data, the high feature dimensionality, and the heavy dependence of traditional machine learning algorithms on data labels, an unsupervised intrusion detection method, RF-DAGMM, based on random forest and the deep auto-encoding Gaussian mixture model, is proposed. This method enables the artificial intelligence "brain" to select, through the feature selection network, the feature subsets that matter most to the result, eliminating the interference of irrelevant features with the detection result, and to feed the selected data into the deep auto-encoding Gaussian mixture model. The KDDCUP99, UNSW-NB15, and CICIDS2017 datasets are used to evaluate the method. The experimental results show that RF-DAGMM outperforms the comparison algorithm on many indicators and reduces training time and computational cost.

(3) By imitating the mechanism by which biological systems prevent risk, the risk is located by node after it is found, and a non-self positioning method is proposed. Because traditional network anomaly detection algorithms pay attention only to the content features in the network, a graph neural network anomaly detection method, NADGNN, that integrates structural features is proposed. While considering the characteristics of network content, the artificial intelligence "brain" integrates graph-based structural features into the model, and the two together serve as the basis for network anomaly detection. The unsupervised representation process in this method takes into account the structural and attribute information of network nodes and edges by maximizing mutual information, and obtains node embeddings that include the global structural features of the graph, so that the algorithm can extract the structural and attribute features of the network at the same time and mine network anomalies more accurately. The experimental results on the CICIDS2017, Digg, and Reddit datasets show that the method has some advantages and that its experimental accuracy is higher than that of the comparison method.