
Journal of Shandong University (Natural Science) ›› 2018, Vol. 53 ›› Issue (1): 83-88. doi: 10.6040/j.issn.1671-9352.2.2017.082


Method for mining potentially threatening users based on traffic statistical features

LI Yang1, CHENG Xiong1, TONG Yan1, CHEN Wei1, QIN Tao2, ZHANG Jian1, XU Ming-di1

  1. Wuhan Digital Engineering Institute, Wuhan 430070, Hubei, China; 2. School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, Shaanxi, China
  • Received: 2017-08-28 Online: 2018-01-20 Published: 2018-01-19
  • About the first author: LI Yang (born 1976), female, senior engineer, master's degree; research interests are system simulation and information system security. E-mail: lily050911@163.com
  • Funding:
    National Natural Science Foundation of China (61502438, 61672026); Natural Science Foundation of Shaanxi Province (2016JM6040); National Defense Basic Research Program (B0820132036)

Method for threaten users mining based on traffic statistic characteristics

LI Yang1, CHENG Xiong1, TONG Yan1, CHEN Wei1, QIN Tao2, ZHANG Jian1, XU Ming-di1   

  1. Wuhan Digital Engineering Institute, Wuhan 430074, Hubei, China;
  2. School of Electronic and Information Engineering, Xian Jiaotong University, Xian 710049, Shaanxi, China
  • Received:2017-08-28 Online:2018-01-20 Published:2018-01-19

Abstract: To mine potentially threatening users from the network effectively, an abnormal-user mining method based on statistical features of network traffic is proposed. By analysing users' network traffic, 13 feature attributes that characterise a set of network flows are derived, including network flow size, packet size, packet duration and packet symmetry. On this basis, the entropy weight decision method is used to select an appropriate weight for each feature, and a behaviour threat degree is computed for each user; according to the threat degree and predefined thresholds, users are assigned to different threat classification levels. Experimental results on real network traffic show that the proposed method accurately mines potential threats.

Keywords: network user management, abnormal user behaviour mining, statistical features of network traffic, network security monitoring

Abstract: With the rapid development and widespread use of computer networks, mining potential threats becomes more and more important. To mine potential threats and address the limitations of signature-matching methods, an abnormal-behaviour mining method based on statistical characteristics of network traffic is proposed. First, 13 attributes are extracted to characterise the traffic precisely, including network flow size, packet size, packet duration, packet symmetry and so on. Second, the entropy weight method is used to select an appropriate weight for each attribute. Finally, a behaviour threat degree is obtained for each user, and users are divided into different groups according to their threat degree. Experimental results on actual network traffic verify that the proposed method achieves the goal of potential threat mining.

Key words: abnormal user behavior mining, network security monitoring, statistical characteristics of network traffic, network user management
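As an added illustration that is not code from the paper, the following Python carries the abstract's pipeline through on constructed per-user statistics for four of the 13 attributes: min-max normalisation, the entropy weight method for attribute weights, a weighted threat degree per user, and thresholding into levels. The attribute directions, sample values and thresholds are assumptions made for this example, not values from the paper.

```python
import math
# Constructed sample (not the paper's data): four users on four of the paper's
# 13 attributes: flow size, packet size, packet duration, packet symmetry.
# Direction per attribute is assumed: True = larger is more suspicious.
HIGHER_IS_WORSE = [True, False, True, False]
USERS = {
    "u1": [120.0, 480.0, 0.8, 0.9],
    "u2": [980.0, 60.0, 12.0, 0.1],
    "u3": [150.0, 500.0, 1.1, 0.85],
    "u4": [640.0, 90.0, 6.0, 0.2],
}
# Assumed predefined thresholds on the threat degree, checked top-down.
THRESHOLDS = [(0.8, "high"), (0.4, "medium"), (0.0, "low")]

def normalize(rows, higher_is_worse=HIGHER_IS_WORSE):
    """Min-max scale each column to [0, 1] so that 1 means 'most suspicious'."""
    cols, out = list(zip(*rows)), []
    for row in rows:
        norm = []
        for j, v in enumerate(row):
            lo, hi = min(cols[j]), max(cols[j])
            if hi == lo:  # a constant column carries no information
                norm.append(0.0)
            else:
                norm.append((v - lo) / (hi - lo) if higher_is_worse[j] else (hi - v) / (hi - lo))
        out.append(norm)
    return out

def entropy_weights(norm_rows):
    """Entropy weight method: a column whose values are spread unevenly across
    users has low entropy, discriminates between them, and gets more weight."""
    n = len(norm_rows)
    k = 1.0 / math.log(n) if n > 1 else 0.0
    diversity = []
    for col in zip(*norm_rows):
        total = sum(col)
        probs = [v / total for v in col if v > 0] if total > 0 else []
        diversity.append(1.0 + k * sum(p * math.log(p) for p in probs))  # 1 - entropy
    s = sum(diversity)
    return [d / s for d in diversity] if s > 0 else [1.0 / len(diversity)] * len(diversity)

def threat_degrees(users=USERS):
    """Weighted sum of normalised attributes per user; lies in [0, 1]."""
    names = list(users)
    norm = normalize([users[u] for u in names])
    weights = entropy_weights(norm)
    return {u: sum(w * x for w, x in zip(weights, row)) for u, row in zip(names, norm)}

def classify(degree, thresholds=THRESHOLDS):
    return next(label for bound, label in thresholds if degree >= bound)
```

With this sample, u2 (large, long, one-sided flows of small packets) scores 1.0 and is classed high, u4 lands in the medium band, and u1 and u3 stay low.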

CLC number: TP393.2