Authors: 李巍 (LI Wei) [1,2]; 狄晓晓 (DI Xiaoxiao) [1,2]; 王迪 (WANG Di); 李云春 (LI Yunchun) (School of Computer Science and Engineering, Beihang University, Beijing 100191, China; Key Lab of Beijing Network Technology, Beihang University, Beijing 100191, China; Sino-German Joint Software Institute, Beihang University, Beijing 100191, China)
Affiliations: [1] School of Computer Science and Engineering, Beihang University, Beijing 100191; [2] Key Lab of Beijing Network Technology, Beihang University, Beijing 100191; [3] Sino-German Joint Software Institute, Beihang University, Beijing 100191
Source: Netinfo Security (信息网络安全), 2018, No. 2, pp. 1-9 (9 pages)
Funding: National Natural Science Foundation of China [U1636208]
Abstract: As malicious code mutates faster and becomes more covert, network anomaly detection based on statistical traffic features suffers a rising false-negative rate, especially when attackers obfuscate the traffic characteristics. This paper applies graph analysis and proposes a subgraph-based method for modelling server network behaviour: local-host traffic is organized, in the order local host, local port, remote port, remote host, into a directed graph model with a four-layer tree structure. The model reflects the communication relationships between local and remote hosts and between the processes at the two ends. On top of this model, separate subgraph models are built for the server's client-side behaviour and its server-side behaviour. Because server-side behaviour is stable in subgraph structure over the long term, the paper proposes SNBAD, a subgraph-based server network behaviour anomaly detection algorithm. SNBAD divides the server's network traffic into data windows, builds a service subgraph model for each window, and characterizes the communication features of each subgraph; anomalies are detected by computing the Jaccard similarity coefficient between the service subgraphs of consecutive data windows. SNBAD was validated by mixing the traffic of hosts infected with malicious code into real network traffic data; the experimental results show that it effectively detects anomalies in the server's server-side behaviour.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
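The SNBAD pipeline sketched in the abstract (four-layer tree per data window, service subgraph, Jaccard similarity of consecutive windows), as an added Python example that is not code from the paper. The flow records, the initiator field used to separate server-side from client-side flows, the collapsing of the ephemeral remote-port layer when comparing subgraphs, and the 0.5 similarity threshold are all constructed assumptions, not values taken from the paper.

```python
from collections import defaultdict
# Constructed flow records: (window, local_host, local_port, remote_host, remote_port,
# initiator); initiator "remote" = a client connected to a local service (server-side).
FLOWS = [
    (1, "10.0.0.5", 443, "192.168.1.10", 51000, "remote"),
    (1, "10.0.0.5", 443, "192.168.1.11", 51004, "remote"),
    (1, "10.0.0.5", 52011, "198.51.100.2", 443, "local"),  # client-side, skipped
    (2, "10.0.0.5", 443, "192.168.1.10", 51210, "remote"),
    (2, "10.0.0.5", 443, "192.168.1.11", 51230, "remote"),
    (3, "10.0.0.5", 443, "192.168.1.10", 51333, "remote"),
    (3, "10.0.0.5", 443, "192.168.1.11", 51338, "remote"),
    (3, "10.0.0.5", 443, "192.168.1.12", 51340, "remote"),
    (4, "10.0.0.5", 443, "192.168.1.10", 51500, "remote"),
    (4, "10.0.0.5", 4444, "203.0.113.7", 40001, "remote"),  # unexpected new service
    (4, "10.0.0.5", 4444, "203.0.113.8", 40002, "remote"),
]

def build_tree(records):
    """4-layer directed tree: local host -> local port -> remote port -> remote host."""
    tree = {}
    for lh, lp, rh, rp in records:
        tree.setdefault(lh, {}).setdefault(lp, {}).setdefault(rp, set()).add(rh)
    return tree

def service_features(tree):
    """Edge set of the service subgraph; the ephemeral remote-port layer is
    collapsed (assumption) so that a returning client yields the same edge."""
    feats = set()
    for lh, ports in tree.items():
        for lp, rports in ports.items():
            feats.add(("service", lh, lp))
            for rhosts in rports.values():
                feats.update(("client", lh, lp, rh) for rh in rhosts)
    return feats

def jaccard(a, b):
    return 1.0 if not (a | b) else len(a & b) / len(a | b)

def detect(flows, threshold=0.5):
    """Jaccard of consecutive windows' service subgraphs: (prev, next, sim, anomaly, new_edges)."""
    by_win = defaultdict(list)
    for w, lh, lp, rh, rp, initiator in flows:
        if initiator == "remote":  # keep only server-side behaviour
            by_win[w].append((lh, lp, rh, rp))
    feats = {w: service_features(build_tree(r)) for w, r in by_win.items()}
    ws = sorted(feats)
    return [(p, n, round(jaccard(feats[p], feats[n]), 3),
             jaccard(feats[p], feats[n]) < threshold, feats[n] - feats[p])
            for p, n in zip(ws, ws[1:])]
```

On the constructed data the similarity stays high while the same clients return to port 443 (windows 1 to 3) and drops below the threshold in window 4, where a service port that never appeared before starts accepting connections; the returned new_edges set points the analyst at exactly that change.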