信息网络安全 (Netinfo Security), 2022, Vol. 22, Issue (1): 72-79. doi: 10.3969/j.issn.1671-1122.2022.01.009

• Technical Research •

Attack Detection Method Based on Flow Behavior Graph

ZHANG Dongxin1,2, LANG Bo1, YAN Hanbing1,2

  1. School of Computer Science and Engineering, Beihang University, Beijing 100191, China
  2. National Internet Emergency Center, Beijing 100029, China
  • Received: 2021-06-29 Online: 2022-01-10 Published: 2022-02-16
  • Contact: YAN Hanbing E-mail: yhb@cert.org.cn
  • About the authors: ZHANG Dongxin (born 1996), male, Hebei, master's student; research interest: network security. LANG Bo (born 1969), female, Beijing, professor, Ph.D.; research interests: machine-learning-based big data analysis and management, information security. YAN Hanbing (born 1975), male, Jiangxi, professor-level senior engineer, Ph.D.; research interests: network security, computer graphics.
  • Funding: National Natural Science Foundation of China (U1736218); National Key R&D Program of China (2018YFB0804701)

Abstract:

Traditional flow-based attack detection cannot fully capture network communication patterns, which makes it difficult to detect attack events in the network effectively, whereas the information contained in a flow behavior graph can reflect the real behavior of hosts. Aiming at the detection of multiple types of network attacks, this article proposes and implements an attack detection method based on the flow behavior graph. The method is based on clustering and a generative learning model and consists of two stages: the first stage uses a clustering algorithm to filter out benign nodes as far as possible, and the second stage applies a generative learning model to detect a variety of different attack events. Experimental results on a public dataset show that the proposed method can effectively detect multiple different attack events in the network. In addition, the system uses a distributed processing framework based on Apache Spark and can therefore process large-scale data effectively.

Key words: flow behavior graph, clustering, generative learning, attack detection, Spark
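As an added illustration (not code from the paper, whose exact graph features and clustering algorithm are not given in the abstract), the following builds a host-level flow behavior graph from constructed flow records, derives per-node features from the graph, and runs the first stage of the described pipeline: a 2-means clustering that discards the largest (assumed benign) cluster so that only the remaining nodes are handed to a second-stage model.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records (src, dst, dst_port, bytes); not taken from the paper's dataset.
FLOWS = [
    ("10.0.0.5", "10.0.0.9", 443, 5200), ("10.0.0.5", "10.0.0.9", 443, 4800),
    ("10.0.0.6", "10.0.0.9", 443, 5100), ("10.0.0.6", "10.0.0.10", 443, 6100),
    ("10.0.0.7", "10.0.0.9", 80, 3000), ("10.0.0.7", "10.0.0.10", 80, 2900),
    ("10.0.0.8", "10.0.0.10", 443, 5600), ("10.0.0.8", "10.0.0.9", 443, 5300),
    # one host talking to many destinations on many ports with tiny flows
    ("10.0.0.66", "10.0.0.1", 22, 60), ("10.0.0.66", "10.0.0.2", 23, 60),
    ("10.0.0.66", "10.0.0.3", 445, 60), ("10.0.0.66", "10.0.0.4", 3389, 60),
    ("10.0.0.66", "10.0.0.9", 8080, 60), ("10.0.0.66", "10.0.0.10", 21, 60),
]

def build_graph(flows):
    """Directed host graph: graph[src][dst] aggregates every flow between that pair."""
    graph = defaultdict(lambda: defaultdict(lambda: {"ports": set(), "bytes": []}))
    for src, dst, port, nbytes in flows:
        graph[src][dst]["ports"].add(port)
        graph[src][dst]["bytes"].append(nbytes)
    return graph
def node_features(graph):
    """Per source node: (out-degree, distinct destination ports, mean bytes per flow)."""
    feats = {}
    for src, edges in graph.items():
        ports = set().union(*(e["ports"] for e in edges.values()))
        sizes = [b for e in edges.values() for b in e["bytes"]]
        feats[src] = (len(edges), len(ports), mean(sizes))
    return feats
def _d2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))
def kmeans2(points, iters=20):
    """Plain 2-means on min-max scaled feature vectors; returns {node: cluster id}."""
    names = list(points)
    cols = list(zip(*points.values()))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    sc = {n: [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(points[n], lo, hi)] for n in names}
    # seed the centroids with the two most distant nodes
    a, b = max(((x, y) for x in names for y in names if x < y), key=lambda p: _d2(sc[p[0]], sc[p[1]]))
    cents = [sc[a], sc[b]]
    for _ in range(iters):
        labels = {n: min((0, 1), key=lambda k: _d2(sc[n], cents[k])) for n in names}
        for k in (0, 1):
            members = [sc[n] for n in names if labels[n] == k]
            if members:
                cents[k] = [sum(c) / len(c) for c in zip(*members)]
    return labels
def filter_benign(flows):
    """Stage 1: drop the largest cluster (assumed benign); survivors go to stage 2."""
    labels = kmeans2(node_features(build_graph(flows)))
    big = max((0, 1), key=lambda k: sum(1 for v in labels.values() if v == k))
    return sorted(n for n, k in labels.items() if k != big)
```

On the constructed records only 10.0.0.66 survives the first stage; in the paper's design these survivors would be scored by the generative model in the second stage.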

CLC number: