With the continuous development of the Internet infrastructure and the emergence of new applications, network topology has become increasingly complex. At the same time, it faces a serious threat from cyber attacks, which tend to be distributed, large-scale and sophisticated. As the network security environment grows more complex, interest in network security situation awareness (NSSA) has increased sharply. Because network traffic contains comprehensive network information, reflects the network state in real time, and can be collected in flexible and diverse ways, NSSA based on network traffic is receiving more and more attention. However, current analysis of network traffic is carried out mainly from the perspective of data packets and session flows, with little consideration of the relationships between network nodes or of temporal information. This thesis builds an NSSA system that takes both the relationships between nodes and the temporal information of the network into account, and carries out security situation analysis and malicious node identification along these two dimensions: node relationships and node temporal information. The main work of this thesis is as follows:

Firstly, a graph database is used to construct a distribution diagram of network node relations, with the graph model describing entities and the relations between them. A graph database storage model is first designed for network traffic data; session aggregation and feature extraction of the network traffic information are then carried out according to this storage model (referred to in this thesis as primary feature extraction); finally, the processed network traffic data is stored in a Neo4j database to form the network node graph database.

Secondly, a malicious node detection method based on the graph database is proposed. Using complex network analysis methods combined with the statistical characteristics of network traffic, node out-degree, node in-degree, clustering coefficient and betweenness centrality are selected to describe the relationships between network nodes (secondary feature extraction). These features are combined with network node behaviour features, which are extracted from data packets and session flows and stored in the graph database, to form a new malicious node detection feature set of 22 features. The 22 features are used as input to train a BP neural network, which forms the malicious node detector. The proposed malicious node detection method is evaluated through experiments; the results show that the graph-database-based method outperforms similar methods in detection accuracy, recall rate and false positive rate.

This thesis also designs a node clustering method based on time series analysis. Since network traffic is often the aggregation of multiple independent components, Empirical Mode Decomposition (EMD) is first used to decompose the traffic into multiple Intrinsic Mode Functions (IMFs). Each IMF is then processed by Fourier transform to select period candidates, and the period of the IMF is determined by comparing the autocorrelation coefficients of those candidates. Finally, using the periodic characteristics of the IMFs, the distance measurement between time series is converted into a distance measurement between component periods, and a K-medoids method based on this component-period distance is used to cluster the time series. The experimental results show that the proposed node clustering method has low time complexity and high accuracy, meeting practical requirements.

Finally, the malicious node detection method based on the graph database and the node clustering method based on time series analysis are integrated, and a network security situation analysis process based on the graph database is designed. This process takes into account the behaviour attributes of network traffic, the relationships between nodes and the temporal information. A prototype network security situation analysis system based on this process is implemented with the Spring Boot framework and the Neo4j API, and its performance is verified by experiments. The experimental results show that the prototype system is reasonable and feasible.
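The secondary feature extraction step described above (node out-degree, in-degree, clustering coefficient and betweenness centrality computed over the node relationship graph), as an added Python example; this is not the thesis's code. It assumes the sessions have already been aggregated into (source, destination) pairs, which are constructed inline here rather than read back from Neo4j, treats each pair as a directed edge, computes the clustering coefficient over the undirected neighbourhood, and computes betweenness with Brandes' algorithm without normalisation; those conventions are assumptions, since the abstract does not specify them.

```python
"""Secondary feature extraction: graph-structure features of network nodes computed from
aggregated session flows (added example, not the thesis's code)."""
from collections import defaultdict, deque

# Constructed, already-aggregated sessions (src, dst), standing in for records read
# from the graph database. Node 10.0.0.3 sits on every path from {.1, .2} to {.4, .5}.
SESSIONS = [
    ("10.0.0.1", "10.0.0.2"),
    ("10.0.0.1", "10.0.0.3"),
    ("10.0.0.2", "10.0.0.3"),
    ("10.0.0.3", "10.0.0.4"),
    ("10.0.0.5", "10.0.0.4"),
    ("10.0.0.4", "10.0.0.5"),
]


def build_graph(sessions):
    """Directed graph with one edge src -> dst per distinct session pair; self-sessions ignored."""
    out_adj, in_adj = defaultdict(set), defaultdict(set)
    nodes = set()
    for src, dst in sessions:
        if src == dst:
            continue
        out_adj[src].add(dst)
        in_adj[dst].add(src)
        nodes.update((src, dst))
    return nodes, out_adj, in_adj


def clustering_coefficients(nodes, out_adj, in_adj):
    """Local clustering coefficient over the undirected neighbourhood (edge direction ignored)."""
    und = {n: out_adj[n] | in_adj[n] for n in nodes}
    coeff = {}
    for n in nodes:
        nb = list(und[n])
        k = len(nb)
        if k < 2:
            coeff[n] = 0.0
            continue
        links = sum(1 for i in range(k) for j in range(i + 1, k) if nb[j] in und[nb[i]])
        coeff[n] = links / (k * (k - 1) / 2)
    return coeff


def betweenness_centrality(nodes, out_adj):
    """Brandes' algorithm on the directed graph (unnormalised shortest-path counts)."""
    bc = {n: 0.0 for n in nodes}
    for s in nodes:
        stack, queue = [], deque([s])
        pred = {n: [] for n in nodes}      # predecessors on shortest paths from s
        sigma = {n: 0 for n in nodes}      # number of shortest paths from s
        dist = {n: -1 for n in nodes}
        sigma[s], dist[s] = 1, 0
        while queue:                        # BFS: unweighted edges
            v = queue.popleft()
            stack.append(v)
            for w in out_adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {n: 0.0 for n in nodes}    # dependency accumulation in reverse BFS order
        while stack:
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def node_features(sessions):
    """Per-node secondary features: out-degree, in-degree, clustering coefficient, betweenness."""
    nodes, out_adj, in_adj = build_graph(sessions)
    cc = clustering_coefficients(nodes, out_adj, in_adj)
    bc = betweenness_centrality(nodes, out_adj)
    return {
        n: {"out_degree": len(out_adj[n]), "in_degree": len(in_adj[n]),
            "clustering": cc[n], "betweenness": bc[n]}
        for n in sorted(nodes)
    }


if __name__ == "__main__":
    for node, feats in node_features(SESSIONS).items():
        print(node, feats)
```

The four values per node are the graph-structure part of the feature vector; in the thesis's design they would be concatenated with the packet- and session-level behaviour features stored in the graph database before training the detector. A node with a high betweenness value and a low clustering coefficient, such as 10.0.0.3 here, is a relay that every other path depends on, which is exactly the kind of structural signal a packet-level view cannot show.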
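The period-based node clustering pipeline (Fourier transform for period candidates, autocorrelation to pick each component's period, a distance between component periods, and K-medoids on that distance), as an added Python example; this is not the thesis's code. The EMD step is not implemented: each node's traffic series is represented by constructed sine components standing in for its IMFs, one of which has a period that does not divide the sample count so that the Fourier step yields several candidates and the autocorrelation comparison has to decide. The Euclidean distance between descending-sorted period vectors and the first-k seeding of K-medoids are assumptions, since the abstract defines neither.

```python
"""Period-based clustering of per-node traffic series (added example, not the thesis's code).
The EMD step is assumed done: each node's series is given as pre-decomposed components
(constructed sines standing in for IMFs)."""
import cmath
import math

N_SAMPLES = 48  # constructed: 48 samples per component


def sine(period, n=N_SAMPLES, amp=1.0):
    return [amp * math.sin(2 * math.pi * t / period) for t in range(n)]


# Constructed IMF sets per node (pretend EMD output); the true periods are in the comments.
NODE_IMFS = {
    "10.0.0.1": [sine(12), sine(4, amp=0.5)],   # periods 12, 4
    "10.0.0.2": [sine(12), sine(3, amp=0.5)],   # periods 12, 3
    "10.0.0.3": [sine(24), sine(8, amp=0.5)],   # periods 24, 8
    "10.0.0.4": [sine(24), sine(10, amp=0.5)],  # periods 24, 10 (10 does not divide 48: leakage)
}


def period_candidates(x, rel_threshold=0.2):
    """Fourier step: every bin k whose magnitude is at least rel_threshold of the strongest
    bin (DC excluded) yields the candidate period round(n / k)."""
    n = len(x)
    spectrum = []
    for k in range(1, n // 2 + 1):
        s = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spectrum.append((abs(s), k))
    peak = max(m for m, _ in spectrum)
    return sorted({round(n / k) for m, k in spectrum if m >= rel_threshold * peak})


def autocorrelation(x, lag):
    """Normalised autocorrelation coefficient at the given lag (0 when the lag is invalid)."""
    n = len(x)
    if lag <= 0 or lag >= n:
        return 0.0
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x)
    if var == 0:
        return 0.0
    return sum((x[t] - mean) * (x[t + lag] - mean) for t in range(n - lag)) / var


def imf_period(x):
    """Among the Fourier candidates, keep the period with the largest autocorrelation."""
    return max(period_candidates(x), key=lambda p: autocorrelation(x, p))


def period_vector(imfs):
    """One period per component, sorted from slowest to fastest component."""
    return sorted((imf_period(c) for c in imfs), reverse=True)


def period_distance(pa, pb):
    """Assumed distance: Euclidean distance between period vectors, zero-padded to equal length."""
    m = max(len(pa), len(pb))
    pa, pb = pa + [0] * (m - len(pa)), pb + [0] * (m - len(pb))
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(pa, pb)))


def k_medoids(names, dist, k, max_iter=50):
    """K-medoids (Voronoi iteration) on a precomputed distance table; seeds with the first k names."""
    medoids = list(names[:k])
    clusters = {}
    for _ in range(max_iter):
        clusters = {m: [] for m in medoids}
        for n in names:
            clusters[min(medoids, key=lambda m: dist[(n, m)])].append(n)
        new = [min(ms, key=lambda c: sum(dist[(c, o)] for o in ms)) for ms in clusters.values() if ms]
        if set(new) == set(medoids):
            break
        medoids = new
    return sorted(sorted(ms) for ms in clusters.values())


def cluster_nodes(node_imfs, k=2):
    names = sorted(node_imfs)
    vectors = {n: period_vector(node_imfs[n]) for n in names}
    dist = {(a, b): period_distance(vectors[a], vectors[b]) for a in names for b in names}
    return vectors, k_medoids(names, dist, k)


if __name__ == "__main__":
    vectors, clusters = cluster_nodes(NODE_IMFS)
    for node, v in vectors.items():
        print(node, v)
    print(clusters)
```

The distance table is built once from short period vectors, so the clustering cost no longer depends on the series length; that is where the low time complexity claimed for the method comes from, and it is also why the per-component period must be chosen carefully: a wrong candidate (here, 12 instead of 10 for the leaky component) would shift the whole distance table.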