With the advent of the post-epidemic era, people's dependence on online production and lifestyles has gradually increased. The extensive interconnection of massive numbers of heterogeneous terminals and the diversified development of network applications have brought great challenges to abnormal traffic detection. Detecting abnormal network traffic quickly, efficiently and accurately is of great significance for ensuring the security and stability of the network.

At present, network attacks often use encrypted traffic and distributed attacks, and the number and complexity of attacks continue to increase. The attacking host is not directly connected to the victim host, so abnormal traffic viewed from the perspective of a single network flow differs little from normal traffic, and abnormal behavior is difficult to find. That is to say, traditional models usually focus only on the statistical characteristics of traffic sent by a single host, so they may ignore the potential relationships among communication patterns in network traffic and cannot fully utilize the rich communication patterns existing in the network, resulting in poor performance in detecting complex attacks. At the same time, in the face of the high-dimensional and spatiotemporal characteristics of massive traffic data, existing methods seldom take into account the influence of abnormal network events on the evolution characteristics of network flow behavior, and they make insufficient use of the evolution feature information of network flow behavior. Therefore, in the face of complex and hidden attack behaviors, it is very important to select appropriate behavior characteristics in network traffic, comprehensively characterize the interaction behavior of network traffic, and achieve accurate and effective abnormal behavior detection and classification.

The graph is a powerful data structure for representing entities and the relationships between them. One of its advantages is its versatility: different network behaviors can be represented using the same structure. In addition, graph models can represent the correlation between data more comprehensively, and the techniques for analyzing and learning complex graph networks are relatively mature. Therefore, graphs have become an efficient means of detecting and analyzing network traffic behaviors. Drawing on the complex modeling ability and spatial acquisition ability of graphs, this thesis explores in depth the spatial correlation in network communication and performs abnormal traffic detection and classification tasks. Specifically, the following research contents are included:

(1) Aiming at the problem that a single packet sequence cannot fully describe the interaction behavior of network traffic, this thesis designs a network traffic interaction graph model (Traffic Interaction Graph, TIG) based on network flows. This method avoids accessing the payload of data packets and is less affected by changes in the network environment. The interaction between network flows is represented by a graph structure, which breaks through the limitations of single-flow detection and provides a basis for the research that follows. Experiments show that TIG structural features can effectively characterize the changes of network communication behaviors in different states.

(2) Aiming at the problem of low detection accuracy caused by distributed attacks, this thesis proposes an abnormal traffic detection method based on graph similarity, built on TIG. The occurrence of abnormal network events causes abnormal changes in TIG evolution characteristics. The method uses the graph similarity between contextual network graphs to measure the difference value of the network state, and uses a sliding-window adaptive threshold method to identify abnormal difference values, so as to detect abnormal attack behavior. Experiments show that this method can effectively detect abnormal DDoS traffic at different rates, with an average accuracy rate of over 90%.

(3) Aiming at the problem of the high false alarm rate of classifiers based only on flow statistical features, this thesis proposes a method for classifying abnormal traffic behavior that combines graph structure features and statistical features, considering both the statistical features of network traffic and the structural information between flows. In order to better utilize the statistical features, this thesis transforms the node and edge relationships on TIG and converts TIG into a Network traffic Interaction Attribute Graph (TIAG). Furthermore, this thesis designs a network traffic classification method based on a spatio-temporal graph neural network by combining a graph convolutional neural network, a gated recurrent unit and an attention mechanism, so as to take the spatio-temporal correlation of network traffic into comprehensive consideration. Experiments show that the proposed method, which combines the structural features of the traffic graph with the statistical features of the traffic flow, improves performance in the multi-classification task of abnormal traffic compared with focusing only on traffic features at a single level, and the average accuracy rate reaches 88.94%.

(4) Based on the above research points, this thesis designs and implements an abnormal traffic detection prototype system, which includes a data preprocessing module, an abnormal traffic detection module, an abnormal behavior classification module, and a visual display module. The system can analyze offline or online data sources, perform abnormal traffic detection and classification, and display the results.
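The detection idea in contribution (2), sketched as an added example that is not code from the thesis: one graph per time window, a difference value between consecutive graphs, and a sliding-window adaptive threshold. The host-as-node graph, the Jaccard distance on edge sets, the mean + k·std threshold and all sample data are assumptions, since the abstract does not name the similarity measure or the threshold rule.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

def build_graphs(flows):
    """Group (window, src, dst) flow records into one edge set per time window."""
    graphs = defaultdict(set)
    for window, src, dst in flows:
        graphs[window].add((src, dst))
    return [graphs[w] for w in sorted(graphs)]

def jaccard_distance(a, b):
    """Assumed difference value between two graphs: 1 - |A & B| / |A | B|."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def detect(flows, history=4, k=3.0, floor=0.05):
    """Return indices of windows whose difference from the previous window
    exceeds mean + k*std of the last `history` non-alerting difference values."""
    graphs = build_graphs(flows)
    recent = deque(maxlen=history)
    alerts = []
    for i in range(1, len(graphs)):
        d = jaccard_distance(graphs[i - 1], graphs[i])
        if len(recent) == history:
            vals = list(recent)
            # floor keeps the threshold usable when the baseline is perfectly flat
            threshold = mean(vals) + k * max(pstdev(vals), floor)
            if d > threshold:
                alerts.append(i)
                continue  # keep anomalous values out of the baseline
        recent.append(d)
    return alerts

def sample_flows():
    """Constructed sample: 9 windows of steady traffic; in window 6, 30 new sources contact s1."""
    base = [(f"c{i}", "s1" if i % 2 else "s2") for i in range(8)]
    flows = []
    for w in range(9):
        # each window drops one base edge to mimic ordinary churn
        flows += [(w, s, d) for j, (s, d) in enumerate(base) if j != w % 8]
        if w == 6:
            flows += [(w, f"x{n}", "s1") for n in range(30)]
    return flows

if __name__ == "__main__":
    print(detect(sample_flows()))
```

Because the difference value compares consecutive graphs, both the onset of the burst and the return to baseline are flagged; no single flow in the burst window looks unusual on its own.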