In recent years, with the continuous expansion of network scale, malicious network flow attacks have become more and more frequent, posing a severe challenge to network security. Attack behavior is carried in the data streams of cyberspace and is often hidden by means such as encryption, fragmentation, obfuscation and camouflage. Attack detection and traceability over network flows have therefore become a fundamental problem in securing cyberspace defense. The emergence of weak-cooperation and non-cooperation scenarios adds new challenges to the detection and traceability of network flow attacks. Weak-cooperation and non-cooperation scenarios refer to uncontrollable networks such as the Internet: the network is either not controllable at all or only a small part of it is, higher privileges for in-depth analysis cannot be obtained, and only some nodes can be observed to collect information for auxiliary analysis. In such scenarios, analysis of the network flow itself is the most direct approach and the mainstream method for detection tasks. Confrontation and defense in a non-cooperative scenario proceed with little knowledge of the state of the vast cyberspace. For example, during end-to-end transmission of data across the network, an attacker may compromise a gateway or router through which the packets pass, leading to data leakage; because the network is uncontrollable, the compromised node cannot be found in time and the security of the transmission cannot be guaranteed. For Internet nodes that require high security and privacy, this dissertation focuses on detecting attacks promptly and identifying the attacking nodes accurately. When a node discovers a threat, the goal is to trace the attack back to its source node and take defensive, countermeasure and other actions to prevent multiple attack sources from attacking again.

However, in weak-cooperation and non-cooperation scenarios, the communication content of individual devices and nodes cannot be obtained directly. Only a few controllable edge nodes can detect and analyze the network flow on the path, and part of the network topology is unknown, so the path information of the other nodes can only be inferred from the flow analysis results at those controllable edge nodes in order to trace the source of network flow attacks. Threat detection is the foundation, and its primary task is to determine whether the current node is under attack; threat tracing is the means of cutting the attack off completely at its source. For threat detection, current attack detection methods for network flows are mainly based on machine learning and deep learning models, which suffer from low analysis efficiency, low accuracy and high false alarm rates and therefore struggle to meet the needs of national network defense. In addition, network flow attack detection models are deployed at nodes at all levels of cyberspace, while most existing detection methods have high complexity and cannot be deployed at scale. For threat traceability, traditional network flow attack traceability methods mostly rely on topology information and are therefore not universal; under current weak-cooperation and non-cooperation network conditions, it is impossible to trace a network flow path from partial topology information alone to achieve point-to-point network traffic monitoring. Starting from threat detection and threat traceability, this dissertation therefore proposes two accurate and lightweight attack detection models for network flows to address the low accuracy and high complexity of existing threat detection methods and to meet the needs of various detection tasks; and, in view of the poor effectiveness of existing threat traceability methods, it combines a node comprehensive evaluation model with a label embedding technique that marks and locates important controllable nodes, so as to carry out threat discovery and traceability. The main work and innovations of this dissertation are as follows:

(1) Research on lightweight flow detection model technology based on neural architecture search. To address the large demand for computing resources and the low degree of model lightweighting in network architecture search, a model architecture search algorithm for network flow attack detection is proposed. Neural architecture search (NAS) is introduced to find a lightweight network flow attack detection architecture with better detection performance. The performance of each candidate architecture is predicted by a surrogate model, and operation blocks from the image domain are introduced to derive a corresponding operation set suited to network flow data, so that the searched architecture performs better. A corresponding training strategy is designed to reduce the number of samples required to train the surrogate model, which effectively reduces training cost.

(2) Research on accurate flow detection model technology based on deep reinforcement learning. To address the poor transferability and low accuracy of network flow attack detection models, a portable and adaptive network intrusion detection model based on deep reinforcement learning is proposed. Transferability is improved by unifying the features of the data set in the state observed from the environment, so that the trained model achieves better detection accuracy on different data sets. An interactive reward mechanism is designed to improve the model's adaptability to the environment: an agent is built to interact with the environment and obtain effective information, so that the agent has more interaction information with the environment, which makes few-shot learning possible.

(3) Research on attack traceability analysis technology for network flows based on topology information inference. To address the high complexity and high cost of existing threat traceability technologies, a node comprehensive evaluation model and an attack traceability analysis technique for network flows based on topology inference are proposed. The node comprehensive evaluation model evaluates the importance of a network flow according to the attack detection results and node security, and the traceability technique is deployed accordingly. The attack traceability analysis technique embeds labels at nodes at all levels of the multi-layer network structure and, through label identification, achieves the positioning, traceability, handling and containment of network threats.
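The label-based traceability in (3) is described only at a high level, so the following is an added illustrative example, not the dissertation's method or code: controllable nodes stamp a hop-indexed label onto a flow record, and the victim orders the labels and fills the unobserved hops from whatever partial topology it knows. The label format, topology, controllable node set and true path are all constructed assumptions.

```python
"""Illustrative label-based traceback over a partially observable path.

Added example, not the dissertation's code: controllable nodes stamp a
(hop, node) label onto a flow; the victim orders the labels and fills the
unobserved gaps from the topology it knows. All data below is constructed.
"""
from collections import deque

# Constructed partial topology: only the links the defender knows about.
KNOWN_LINKS = {
    "A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"},
    "D": {"C", "E"}, "E": {"D", "V"}, "V": {"E"},
}
CONTROLLABLE = {"A", "C", "E"}  # constructed: nodes the defender controls
TRUE_PATH = ["A", "B", "C", "D", "E", "V"]  # constructed; hidden from defender


def forward(path, controllable):
    """Simulate the flow crossing the path; controllable nodes append a label."""
    return [(hop, node) for hop, node in enumerate(path) if node in controllable]


def shortest_path(links, src, dst):
    """BFS over known links; returns the node list or None if unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in links.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def trace_back(labels, victim, links):
    """Order labels by hop; infer unobserved hops between consecutive labels."""
    if not labels:
        return None, [victim]  # nothing observed: origin cannot be inferred
    ordered = [node for _, node in sorted(labels)]
    path = []
    for src, dst in zip(ordered, ordered[1:] + [victim]):
        segment = shortest_path(links, src, dst) or [src, dst]  # unknown gap kept
        path.extend(segment[:-1])
    return ordered[0], path + [victim]  # (inferred origin, inferred full path)
```

When a gap between two labelled nodes is not covered by the known topology, the inferred path simply joins them directly, so the result degrades to the set of observed hops rather than failing.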