
Non-authorized Traffic Identification Of Hotspot Hosts Based On Flow Records

Posted on: 2017-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: L F Zhang
Full Text: PDF
GTID: 2358330491464082
Subject: Computer Science and Technology
Abstract/Summary:
The rapid development of the Internet has made it an essential part of everyday life. However, the growing volume of unwanted traffic produced by network threats such as scanning and DDoS attacks has a significant impact on network stability, performance and security, so it is urgent to identify and filter unwanted traffic out of large-scale network traffic. From the perspective of hosts, unwanted traffic can sharply change the behavior of senders or receivers, making them consume more network resources; that is, it turns them into hot hosts. This thesis therefore detects unwanted traffic from the viewpoint of hot hosts, and the whole study is based on IP flows.

First, the thesis discusses the definition of unwanted traffic and then proposes two methodologies for detecting unwanted traffic from hot hosts, one using the activity of the hosts' IP addresses and the other using behavior profiles; both work on flows.

IP address activity divides the hot hosts into two spaces, the active and the inactive hot-host space. The detection rule based on address activity is that all traffic of an inactive hot host is unwanted. To obtain an accurate inactive IP space, a flow-based method for detecting the activity of an IP address is put forward; its core idea is that an IP address with two-way communication traffic is active. The thesis further discusses the impact of flow sampling and of spoofed traffic on this method. Experiments validate both the accuracy and the efficiency of the method.

For the active hot hosts, the thesis uses a method based on behavior profiles to detect unwanted traffic. For hosts whose role is known (here, only DNS servers), it describes the normal traffic profile and derives a rule for detecting anomalies. For the remaining hosts, a host classification method is proposed: each hot host is labeled according to its communication pattern, and the labeling process naturally divides the hosts into behavior classes. The semantics of a behavior class express the role and application information of the hosts in it. Through in-depth analysis of the properties of the behavior classes and of the behavior dynamics of individual hot hosts, rules for detecting unwanted traffic are proposed.

Finally, hot-host unwanted traffic detection is implemented on the NBOS platform. The existing unwanted traffic detection function is improved to ensure that its results are unique. The thesis then designs and implements a hot-host unwanted traffic detection algorithm based on the rule set from the two methodologies above, and practical experiments verify the effectiveness of the algorithm.
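The following is an added example, not code from the thesis, of the address-activity rule applied to flow records: hot hosts are those above a flow-count threshold, an address counts as active when it has a flow in each direction with at least one peer, and every flow of an inactive hot host is reported as unwanted. The per-host communication-pattern features at the end are the kind of input a labeling step in the behavior-profile method would consume. The flow records, the hot-host threshold of five flows, the feature names and the single-peer reading of "two-way communication" are all constructed assumptions.

```python
"""Address-activity detection of unwanted traffic over flow records.

Added example, not the thesis's own code. The rule follows the abstract:
a hot host without two-way communication is inactive, and all of its
traffic is unwanted. Thresholds, field names and sample flows are assumed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (a NetFlow-style subset of the 5-tuple)."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


def _session(client, server, dport, c_pkts, c_octs, s_pkts, s_octs, sport=51000):
    """Two flows, one per direction, as any responding peer produces."""
    return [Flow(client, server, dport, c_pkts, c_octs),
            Flow(server, client, sport, s_pkts, s_octs)]


# Constructed sample (not measured data): four clients talk to a web server,
# six spoofed sources hit the same server and get an answer (so they look
# two-way), and one address probes ten hosts on 22/tcp that never reply.
SAMPLE_FLOWS = []
for i in range(1, 5):
    SAMPLE_FLOWS += _session(f"198.51.100.{i}", "192.0.2.10", 443, 12, 1800, 10, 9000)
for i in range(1, 7):
    SAMPLE_FLOWS += _session(f"100.64.0.{i}", "192.0.2.10", 443, 1, 60, 1, 60)
for i in range(20, 30):
    SAMPLE_FLOWS.append(Flow("203.0.113.7", f"192.0.2.{i}", 22, 1, 60))


def hot_hosts(flows, min_flows=5):
    """Addresses that send or receive at least min_flows flows (threshold assumed)."""
    load = Counter()
    for f in flows:
        load[f.src] += 1
        load[f.dst] += 1
    return {ip for ip, n in load.items() if n >= min_flows}


def active_addresses(flows):
    """Two-way rule: an address is active if some peer has flows in both
    directions with it. A sampled exporter may drop the reverse flow of a
    genuinely active address, and a victim that answers spoofed packets
    creates a reverse flow for a source that never sent anything, so the
    rule is sensitive to exactly the two effects the thesis discusses."""
    pairs = {(f.src, f.dst) for f in flows}
    return {a for a, b in pairs if (b, a) in pairs}


def unwanted_flows(flows, min_flows=5):
    """Apply the rule: every flow of an inactive hot host is unwanted.

    Returns (inactive hot hosts, the flagged flows)."""
    inactive_hot = hot_hosts(flows, min_flows) - active_addresses(flows)
    return inactive_hot, [f for f in flows
                          if f.src in inactive_hot or f.dst in inactive_hot]


def communication_pattern(flows, host):
    """Per-host features a labeling step could use (feature set assumed):
    fan-out, fan-in, destination-port spread, byte volume per direction."""
    out_peers, in_peers, dports = set(), set(), set()
    octets_out = octets_in = 0
    for f in flows:
        if f.src == host:
            out_peers.add(f.dst)
            dports.add(f.dport)
            octets_out += f.octets
        elif f.dst == host:
            in_peers.add(f.src)
            octets_in += f.octets
    return {"out_peers": len(out_peers), "in_peers": len(in_peers),
            "dst_ports": len(dports), "octets_out": octets_out,
            "octets_in": octets_in, "two_way_peers": len(out_peers & in_peers)}


if __name__ == "__main__":
    inactive, flagged = unwanted_flows(SAMPLE_FLOWS)
    print("inactive hot hosts:", sorted(inactive))
    print("unwanted flows:", len(flagged))
    for h in sorted(hot_hosts(SAMPLE_FLOWS)):
        print(h, communication_pattern(SAMPLE_FLOWS, h))
```

On the sample, the probing address is hot and has no reverse flow with any target, so all ten of its flows are flagged; the web server is hot but active, so the address-activity rule says nothing about it and it falls to the behavior-profile method. The six spoofed sources become "active" only because the server answered them, which is the spoofing caveat: a single reply from any target would likewise make the prober active under the strict single-peer reading, so a deployment should consider requiring more than one responding peer or weighting by reverse-flow volume.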
Keywords/Search Tags: flows, unwanted traffic, hot host, IP address activity, behavior profile