信息网络安全 (Netinfo Security) ›› 2018, Vol. 18 ›› Issue (2): 1-9. doi: 10.3969/j.issn.1671-1122.2018.02.001


Subgraph-based Network Behavior Models and Anomaly Detection for Server

Wei LI (1,2), Xiaoxiao DI (1,2), Di WANG (1,2), Yunchun LI (1,3)

  1. School of Computer Science and Engineering, Beihang University, Beijing 100191, China
  2. Key Lab of Beijing Network Technology, Beihang University, Beijing 100191, China
  3. Sino-German Joint Software Institute, Beihang University, Beijing 100191, China
  • Received: 2017-11-30 Online: 2018-02-20 Published: 2020-05-11
  • About the authors:

    Wei LI (李巍, born 1970), female, Beijing, associate professor, PhD; main research interests: network security, network measurement and performance analysis, distributed application measurement and performance analysis. Xiaoxiao DI (狄晓晓, born 1993), female, Shandong, master's student; main research interest: network security. Di WANG (王迪, born 1993), male, Hubei, master's student; main research interests: network security, distributed application measurement and performance analysis. Yunchun LI (李云春, born 1972), male, Beijing, research professor, PhD; main research interests: parallel computing, computer networks, network security, educational informatization.

  • Funding:
    National Natural Science Foundation of China [U1636208]


Abstract (translated from the Chinese):

As malicious code mutates faster and becomes increasingly covert, network anomaly detection methods based on statistical traffic features suffer a rising false-negative rate, especially when attackers obfuscate the traffic characteristics. This paper applies graph analysis and proposes a subgraph-based method for modeling server network behavior. The method builds, from the local host's traffic, a directed graph model with a 4-layer tree structure ordered as local host, local port, remote port, remote host. The model reflects the communication relationship between the local host and remote hosts as well as the communication relationship between the processes at the two ends. On this model, subgraph models are built separately for the server's client-side behavior and its server-side behavior. Because server-side behavior is stable over the long term in its subgraph structure, the paper proposes SNBAD, a subgraph-based server network behavior anomaly detection algorithm. The algorithm divides the server's network traffic into data windows, builds a service subgraph model for each window, and characterizes the communication features of each subgraph. It detects anomalous behavior by computing the Jaccard similarity coefficient between the service subgraphs of consecutive data windows. SNBAD was validated by mixing the traffic of hosts infected with malicious code into real network traffic data; the experimental results show that SNBAD can effectively detect anomalies in the server's server-side behavior.

Keywords (translated from the Chinese): subgraph model, network behavior, anomaly detection

Abstract:

With the accelerating mutation of malicious code and its growing concealment, network anomaly detection approaches based on traffic features have a higher false-negative rate, especially when the attacker obfuscates the traffic characteristics. In this paper, we propose a modeling method that establishes a directed graph model with a 4-layer tree structure in the order of local hosts, local ports, remote ports and remote hosts. This model reflects the relationships between end-hosts and the relationships among the processes on those end-hosts. Based on this model, subgraph models are established for the server's client behavior and server-side behavior respectively. Owing to the long-term stability of the server-side behavior's subgraph structure, this paper proposes a subgraph-based server network behavior anomaly detection algorithm, SNBAD. The algorithm divides the server's network traffic into several data windows, establishes a service subgraph model for each window, and characterizes the communication features of each subgraph. It detects abnormal behavior by calculating the Jaccard similarity coefficient between the service subgraphs of consecutive data windows. To verify the SNBAD algorithm, the traffic of hosts infected with malicious code is mixed into real network traffic data. The experimental results show that SNBAD can effectively detect anomalies in the server-side behavior of a server.

Key words: subgraph model, network behavior, anomaly detection

CLC number (中图分类号):