The Internet plays an extremely important role in today's society and pervades the production and daily life of human society. At the same time, more and more malicious behavior in the network has seriously disrupted normal network order, and network security has gradually become a problem that urgently needs to be solved. Faced with an endless stream of cyber attacks, early defense methods have been stretched thin, and network security situational awareness technology based on big data is becoming an effective means of network management and security assurance.

This thesis is based on the task requirements of network security situational awareness. By monitoring the flow record data exchanged between the Jiangsu Provincial Network and the CERNET backbone network, it first finds the IP addresses that need to be supervised, namely server IPs, and then characterizes the service intention of those servers. By grouping servers with similar traffic behavior into classes, we can obtain a general understanding of the nature of the various servers in the managed network and realize perception of the overall status of servers in the managed network.

First, by analyzing the characteristics of the communication traffic of different nodes in the network, the thesis designs and implements a server identification algorithm based on IP flow records. The algorithm can effectively eliminate the interference of scanning traffic and P2P traffic, achieve high-efficiency and high-precision identification of server IPs and ports, and lay the foundation for subsequent service intent classification and identification. The thesis also explores the completeness and rationality of the algorithm and proves its feasibility.

Second, a feature set that can characterize the service intent of the identified servers is constructed. Starting from the dimensions of time, space, category and intensity, the thesis selects a total of 17 measures to describe a server's service activity intentions, including not only simple statistical measures such as SDrt (average service duration) and SNobj (number of clients), but also complex computational measures such as SDisp (service dispersion) and SRhy (service rhythm). By designing reasonable measurement methods for these measures, the server feature set is constructed, and some of the features are analyzed statistically.

Third, based on the constructed service intent feature set and from the perspective of service intent semantic analysis, the thesis designs and implements a multi-layer server classification model. From the semantic perspective of whether a server provides services actively, whom it provides services to and what types of services it provides, the model classifies servers at multiple levels: classification based on service initiative, classification based on domain names and ports, classification based on service objects, and classification based on service type. It realizes the discovery of similar servers and a semantic description of the service intent of each category.

Finally, the thesis designs a server security situational awareness system. The system applies the server identification and classification algorithms described above and provides continuous server discovery, server feature set construction, server classification, and query of detection results. It achieves long-term continuous monitoring of servers in the managed network with high fault tolerance and robustness.
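The following Python example is added here to illustrate, on constructed flow records, the kind of pipeline the abstract describes: filtering out scanning and P2P-like traffic, identifying server (IP, port) endpoints, and computing two of the simple measures it names. It is not the thesis's code or algorithm; the abstract gives neither the identification heuristics nor the definitions of its 17 measures, so the thresholds (SCAN_PORT_THRESHOLD, MIN_CLIENTS), the scan and P2P filters, and the definitions used for SDrt (mean flow duration) and SNobj (distinct client IPs) are all assumptions made for illustration, and the sample flows are constructed, not real data.

```python
"""
Illustrative server identification and feature extraction over IP flow records.
Added example: NOT the thesis's algorithm. Thresholds, filters and the measure
definitions are assumptions chosen for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: float  # seconds
    end: float    # seconds


# Assumed thresholds (not from the thesis).
SCAN_PORT_THRESHOLD = 8  # one source touching this many ports on one host is treated as a scan
MIN_CLIENTS = 3          # distinct clients needed before an (ip, port) counts as a server


def drop_scan_flows(flows):
    """Remove flows from sources that fan out across many ports on a single host.
    A vertical port scan yields many (src -> dst) flows with distinct dst ports; left in,
    each scanner would be counted as a 'client' of every port it probed."""
    ports_per_pair = defaultdict(set)
    for f in flows:
        ports_per_pair[(f.src_ip, f.dst_ip)].add(f.dst_port)
    scanners = {pair for pair, ports in ports_per_pair.items()
                if len(ports) >= SCAN_PORT_THRESHOLD}
    return [f for f in flows if (f.src_ip, f.dst_ip) not in scanners]


def identify_servers(flows):
    """Return {(ip, port): [flows]} for endpoints that look like servers: they receive
    flows from at least MIN_CLIENTS distinct clients and do not themselves initiate
    flows from the same port toward many peers (assumed P2P filter)."""
    by_endpoint = defaultdict(list)      # (dst_ip, dst_port) -> inbound flows
    initiated_from = defaultdict(set)    # (src_ip, src_port) -> peers it contacted
    for f in flows:
        by_endpoint[(f.dst_ip, f.dst_port)].append(f)
        initiated_from[(f.src_ip, f.src_port)].add(f.dst_ip)
    servers = {}
    for ep, fl in by_endpoint.items():
        clients = {f.src_ip for f in fl}
        if len(clients) < MIN_CLIENTS:
            continue
        # A pure server rarely opens outbound flows from its own service port;
        # a P2P node accepting and initiating on the same port does.
        if len(initiated_from.get(ep, ())) >= MIN_CLIENTS:
            continue
        servers[ep] = fl
    return servers


def server_features(server_flows):
    """Two of the simple measures named in the abstract, with assumed definitions:
    SDrt = mean flow duration in seconds, SNobj = number of distinct client IPs."""
    return {
        "SDrt": mean(f.end - f.start for f in server_flows),
        "SNobj": len({f.src_ip for f in server_flows}),
    }


def analyze(flows):
    """Full pipeline: scan filtering, server identification, feature extraction."""
    clean = drop_scan_flows(flows)
    return {ep: server_features(fl) for ep, fl in identify_servers(clean).items()}


# Constructed sample data (not real traffic): one web server, one P2P node, three scanners.
SCANNERS = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
SAMPLE_FLOWS = [
    # four clients of web server 10.0.0.5:443, durations 2, 4, 6 and 8 seconds
    Flow("192.0.2.1", 50123, "10.0.0.5", 443, 0.0, 2.0),
    Flow("192.0.2.2", 50234, "10.0.0.5", 443, 1.0, 5.0),
    Flow("192.0.2.3", 50345, "10.0.0.5", 443, 2.0, 8.0),
    Flow("192.0.2.4", 50456, "10.0.0.5", 443, 3.0, 11.0),
    # P2P node 10.0.0.9:6881 accepts from three peers and initiates to three more on that port
    Flow("198.51.100.1", 6881, "10.0.0.9", 6881, 0.0, 10.0),
    Flow("198.51.100.2", 6881, "10.0.0.9", 6881, 0.0, 10.0),
    Flow("198.51.100.3", 6881, "10.0.0.9", 6881, 0.0, 10.0),
    Flow("10.0.0.9", 6881, "198.51.100.4", 6881, 0.0, 10.0),
    Flow("10.0.0.9", 6881, "198.51.100.5", 6881, 0.0, 10.0),
    Flow("10.0.0.9", 6881, "198.51.100.6", 6881, 0.0, 10.0),
] + [
    # each scanner sweeps ports 20..29 and 8080 on 10.0.0.5; without scan filtering the
    # three scanners would make 10.0.0.5:8080 look like a server with three clients
    Flow(s, 40000 + p, "10.0.0.5", p, 0.0, 0.1)
    for s in SCANNERS for p in list(range(20, 30)) + [8080]
]


if __name__ == "__main__":
    for ep, feats in analyze(SAMPLE_FLOWS).items():
        print(ep, feats)
```

Running the block reports only 10.0.0.5:443 as a server, with SDrt 5.0 and SNobj 4: the P2P node is dropped because it initiates as often as it accepts on its port, and the scanners' probes are removed before client counting so that 10.0.0.5:8080 does not surface as a phantom service. The thesis's actual filters and its remaining measures (SDisp, SRhy and the rest) are not described on this page and are not modelled here.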