[0012] The specific embodiments of the present invention will be described in detail below with reference to the drawings and specific conditions.
[0013] In the specific implementation of the present invention, firstly, the packet-based coarse-grained abnormality detection is used to analyze the time slices containing abnormal network traffic; and then the flow-based fine-grained abnormality detection is performed to reorganize and extract the network traffic of the abnormal time slices. Flow feature attributes, use the flow feature anomaly detection algorithm to determine the attack type; finally, for the detected threat events, quantitatively evaluate the severity of the current network threat, which is implemented by the following steps:
[0014] 1. Package-based coarse-grained anomaly detection:
[0015] 1. Online monitoring of the data traffic in the real-time network environment, storage according to a time window of 1 minute, and use WinPcap to extract the serial number, time, source IP, destination IP, source port, destination port, protocol type and length attributes while storing. , Use "," to divide between attributes;
[0016] 2. Data packet attribute statistics, extract source IP attribute, destination IP attribute, source port attribute, destination port attribute, byte count attribute, protocol type attribute for each data packet, namely Packet={sIP,dIP,sPort,dPort ,bytes,protocol}, use the summary data structure to record the statistical information (or summary information) of these six attributes in each time window;
[0017] 3. Feature extraction. In the time window T, according to the recorded statistical information, use the non-extensive entropy to extract the features of the network flow data in the time window, and use the feature vector L T ={l T1 ,l T2 ,...,l Tn } Means that n is a natural positive integer;
[0018] 4. Anomaly detection, using the random forest algorithm to quickly detect the characteristics of the packet, and get the abnormal types R2L, U2R, PROBE and DOS;
[0019] 5. Record the inspection results, record the time slice name of the data packet that may have problems in the coarse-grained detection in the file and the threat situation awareness database for subsequent fine-grained detection of group flow;
[0020] After passing the packet-based coarse-grained anomaly detection module, the time slice is divided into normal time slice and abnormal time slice, and flow-based fine-grained anomaly detection is performed on the abnormal time slice;
[0021] 2. Flow-based fine-grained anomaly detection
[0022] 1. Stream reorganization, according to the result of coarse-grained anomaly detection, select the data packets in the current time slice and the adjacent time slice, and perform stream reorganization on the packets involved in the abnormal time slice to ensure that the complete stream data is combined together. Stream feature extraction;
[0023] 2. Flow feature extraction. For the flow involved in the abnormal time slice, perform attribute analysis and feature attribute extraction to form a flow feature file for anomaly detection. The flow feature attribute is selected by the flow feature selection module through the flow feature selection, from the original feature set The optimal feature subset selected for attack flow classification;
[0024] 3. Fine-grained anomaly detection, through the C4.5 decision tree algorithm (that is, the conventional algorithm) to detect and judge the flow feature files, determine whether each flow is abnormal, and write the log file and detection results into the threat situation awareness database;
[0025] The C4.5 decision tree algorithm is an algorithm that uses supervised learning. Given a data set, a set of attribute values is used to describe each tuple. Each tuple belongs to a category in a mutually exclusive category set. Through C4. 5 The algorithm can find a mapping relationship from attribute value to category, and this mapping relationship can be used to classify new tuples. Anomaly detection based on C4.5 decision tree algorithm mainly includes four steps: generating training set, training detection model, generating abnormal time slice stream feature file, and detecting abnormal stream. details as follows:
[0026] A) Extract stream features from the original training set, and generate a stream feature training file with anomalous categories as the training set of the C4.5 decision tree;
[0027] B) Call the C4.5 training function to train and learn to obtain a detection model based on flow features.
[0028] C) Perform flow feature extraction on the flow involved in the abnormal time slice, and generate a flow feature file to be detected.
[0029] D) Call the C4.5 detection function to classify the abnormality of the flow in the flow characteristic file to be detected, and determine the abnormal type of each flow;
[0030] 4. The detection results are merged and stored in the database. Since different network flows may belong to the same attack, the C4.5 decision tree algorithm detection results must be merged according to the attack fusion strategy to obtain accurate and reliable network abnormal conditions, and save the results to the log file And threat situation awareness database for threat situation assessment and visualization;
[0031] 3. Threat situation assessment:
[0032] According to the attack situation of the network during a period of time, due to one evaluation cycle, which includes multiple anomaly detection time slices, the severity of network threats in the current time period is evaluated. First, the threat situation awareness database is counted. Fine-grained anomaly detection results; then, calculate the threat situation assessment indicators; finally get the threat value of the network during the period of time, the larger the value, the more serious the threat to the network is currently suffered;
[0033] The calculation of the cyber threat value includes:
[0034] 1. The types of attacks that occurred, that is, the types of attacks that occurred during this period of time accounted for several of the four types of attacks. Multiple types of attacks in the same period of time pose a greater threat to the network than a single type of attack;
[0035] 2. The number of occurrences of each type of attack, that is, how many times each type of attack occurred during the time period.
[0036] 3. ProbX, the probability of occurrence of each attack type up to the current time window, that is, from the start of detection to the current time window, the total number of occurrences of each attack type as a percentage of the total number of records detected, the calculation formula of ProbX is as follows:
[0037] Pr o b X = s u m N o o f X s u m Formula 1)
[0038] Where X={dos,u2r,r21,probe}, sumNoofX is the total number of occurrences of an abnormality up to the current time window. sum is the total number of detections in the current time window, that is, the sum of the number of various attacks;
[0039] The specific calculation formula of the cyber threat value is as follows:
[0040] t h r e a t v a l u e ( t ) = α X X e A X ( m a r k X X ( 1 + Pr o b X ) X ω e + ( 1 - α ) X t h r e a t v a l u e ( t - 1 ) ) Formula (2)
[0041] Among them, markX marks whether this kind of abnormality occurs within the time window, the occurrence mark is "1", and the non-occurrence mark is "0"; e Represents the threat weight corresponding to each attack type; α is the proportion of the past attack events detected in the future when the threat situation value changes.
[0042] It can be seen from the above that the present invention proposes and implements a threat assessment method based on network traffic. This method uses multi-granularity anomaly detection technology based on network data packets and network flows to detect threats to the network in real time with high accuracy. , Designed an effective network threat situation assessment system, which can describe the severity of the current network threats, and the results will help network managers grasp the current network security threats in time, so as to take effective emergency response measures and mitigate Or avoid serious damage to the network, ensure network security and use effects, and have achieved very good beneficial technical effects through field applications and tests. The relevant information is as follows:
[0043] In order to verify the effectiveness of the method, experiments were performed on the multi-granularity anomaly detection algorithm and the threat value calculation method in the present invention.
[0044] Experimental test environment such as figure 2 As shown, a local area network is built, and after the server starts a threat situation assessment system based on the present invention, the attacker starts to replay the set attack traffic to the host and observe the detection result. The relevant equipment parameters are: 6 laptops (memory 4GB, hard disk 500GB, processor Inteli4-2450M, operating system windows7 home regular version), a network switch (TP-LINK-WR842N).
[0045] Test data: Select DARPA99, a well-known public experimental data set in the field of intrusion detection, as the experimental data. This data set has the original data flow in pcap format, which is convenient for replaying the flow experiment, and has corresponding flow description documents, which can be used to compare the detected data Attack events and actual attack events in the traffic.
[0046] Experimental results of the coarse-grained detection algorithm: the precision rate (Pre) and recall rate (Rec) of the coarse-grained detection algorithm are shown in Table 1. It takes 170 seconds to detect 200,000 time slices. It can be seen that the present invention has multiple granularities. The network threat assessment method of anomaly detection is highly accurate and fast. See the table below for details.
[0047] Table 1 Accuracy and recall rate of coarse-grained detection algorithm
[0048]
[0049] Experimental results of the fine-grained detection algorithm: The effectiveness of the fine-grained detection algorithm is mainly reflected in the correct type, source and purpose of the specific attack event detected. Fine-grained detected attack event information. By comparing the description of specific attack events in the DARPA99 document, the detection results are basically correct.
[0050] Parameter setting: The role of threat weight is to quantify the severity of the damage caused by attacks of different threat levels, and its size can reasonably reflect the level of threat level. During the experiment, the threat level is set in sequence from low to high, as shown in Table 2. Show; α is the degree of influence of the current situation by the threat state of the previous detection window during the change of the threat situation value. The degree of influence depends on the proportion of the attack events detected in the previous detection window in the future attack events detected Proportion, considering that the attack event that occurred in the previous detection window does not occur within the continuous detection window and the possibility of occurrence is equivalent, so in the experiment, α=50%.
[0051] Table 2 Threat weights corresponding to attack types
[0052] Event type
[0053] The experimental results of threat situation assessment: The current threat situation value of the network in each assessment cycle is given. The larger the value, the more serious the current threat to the network. The time distribution of the high threat value obtained from the experimental results is basically the same as the attack scenario described in the Darpa99 documentation; and the specific attack event type given by the pie chart in the floating window is also basically the same as the attack type given in the Darpa99 documentation It is proved that the method of the present invention is stable and reliable, easy to operate, accurate in evaluation, effective in evaluating network threats, and ensuring safe use of the network. It is a major innovation in network security and has huge economic and social benefits.
