Modeling And Detection Of Network Behavior Traffic Based On Time-frequency Features

Modeling and detection of network behavior traffic is a technique that aimed at identifying and predicting various network behaviors in the network environment by measuring and statistically analyzing the resulting network traffic,to achieve situational awareness of the security status in the current network environment.Measurement methods include statistical algorithms in low-speed networks and sampling methods,sketch algorithms and hardware acceleration methods such as in high-speed networks.Modeling and analysis methods use mathematical models such as time series and Markov models to describe statistical features of network traffic,and then use statistical analysis,data mining,or deep learning methods to complete detection tasks.With the rapid advances of high-speed network in the last decade,both infrastructures and applications have been ushered toward a new era.Emerging network behaviors progressively appear with more diversification and complexity than ever before.Traditional measurement methods for network behaviors in low-speed and low Qo S network environments are gradually becoming ineffective.On one hand,the computational capabilities of measurement algorithms and platforms based on software and hardware platforms are subjectively limited to handle the massive data volume in high-speed networks.On the other hand,network infrastructure improvements have brought about more diverse network behaviors,complex behavior patterns,and dynamic traffic characteristics.Therefore,the method for characterizing and modeling more complex new network behavior traffic in new network environments has become a key issue in current network behavior traffic measurement.To address this issue,this thesis conducts research on modeling and detection methods for network behavior traffic based on time-frequency domain analysis and machine learning methods in digital signal processing:(1)In the case of raw network behavior traffic with mixed network behaviors,i.e.,without five-tuple flow gathering,network traffic is considered as signals.Based on this,a modeling and coarse-grained classification recognition algorithm,NBATF is designed.Two improved algorithms are proposed to solve the problems encountered in the modeling process,and their mathematical methods are demonstrated.The experimental results on a typical laboratory network behavior traffic dataset demonstrate that this method can achieve satisfactory performance in coarse-grained network behavior recognition,and the two improved algorithms have significant improvement in identification performance.(2)The NBTFA modeling method is applied to the detection of virtual currency mining behavior traffic,and a hierarchical detection architecture is designed based on the traffic characteristics of virtual currency network behavior.This architecture first designs a matching and reasoning method for mining domain name request traffic,and then uses a sketch data flow method based on high-speed network measurement to screen out non-mining traffic,greatly reducing the non-equilibrium rate of sample distribution.Finally,the NBATF method proposed in this thesis is used to model and construct a machine learning model for identification.Experimental results show that the NBATF method has a significant effect on the detection of mining behavior traffic,and the hierarchical detection structure has a great improvement on the final machine learning model detection performance.In summary,the methods proposed in this thesis have certain theoretical innovation significance and practical application value for the measurement,modeling,and analysis of network behavior traffic,and directly affect the field of situational awareness of network security status.