
Research On Network Intrusion Detection Technology Based On Graph Kernel

Posted on: 2023-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Luo
Full Text: PDF
GTID: 2568306836464244
Subject: Cyberspace security
Abstract/Summary:
Network attacks can destroy the function of an information system and perform unauthorized access to data or services, which may cause great damage to the confidentiality, integrity, and availability of data and services. Researchers have proposed many methods to detect network intrusions, such as DPI (deep packet inspection), outlier detection methods in multidimensional feature space, anomaly detection methods based on subgraph matching and graph embedding, and so on. As cyberspace data have implicit graph characteristics, and the existing anomaly detection methods have limitations in accuracy, integrity, and interpretability when capturing structural and temporal information, the research on graph-based anomaly detection methods for network intrusion detection has important theoretical significance and application value. The main work and innovations of this thesis are as follows:

1. Firstly, we analyze the research status of network intrusion detection methods based on traditional machine learning, deep learning, and graph anomaly detection theory at home and abroad. Then we discuss the limitations of existing detection methods and introduce the research background and significance of graph-based network intrusion detection methods.

2. Secondly, we propose the graph-kernel-based network intrusion detection framework. It first introduces the hosts’ network behavior graph based on subtree to extract and express the behaviors from connection records. Compared with a graph based on walks or paths, it can embed more information and support the fusion and association analysis of multiple data sources, providing more complete information for subsequent anomaly detection. It then uses a graph kernel to calculate the fine-grained attribute similarity between host behavior graphs, capturing the structure information and timing information more accurately, and combines kernel methods with ensemble learning methods so that both the efficiency of model training and the accuracy of model classification are guaranteed.

3. Thirdly, we propose a data reduction strategy based on graphs’ self-similarity. The network data contains a large amount of redundant data, but it is hard to judge which connection records in the original data are redundant. We first extract the network behavior graph of hosts, then reduce the data based on the self-similarity of graphs and keep only the non-repeated graph samples in the training set, so that the redundant connection records are indirectly reduced and the completeness of the behavior patterns of hosts is not affected.

4. Fourthly, based on the idea of TF-IDF and the idea behind the graph-kernel-based similarity calculation, we propose an improved strategy for the graph kernel, which takes into account the characteristic that the category of objects in cyberspace is more related to special patterns. It increases the similarity between samples that are more likely to be in the same category, making the calculation of graph similarity more accurate.

5. Finally, the method proposed in this thesis was verified with several experiments, and the results were analyzed and discussed. Compared with other models, the network intrusion detection framework improved the accuracy by 0.5%-8.5%, the F1 value by 0.5%-17.2% and the Recall by 2%-20%.

Aiming at solving the limitations of existing network intrusion detection methods, a new detection framework was proposed in this thesis. It can fit and adapt to the characteristics of cyberspace data, and its effectiveness was verified on three well-known botnet datasets including CTU-13, ISOT, and ISCX. As the feasibility of the framework is also considered, it has application value in network attack anomaly detection.
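The steps the abstract lists (subtree-based host behavior graphs, graph kernel similarity, data reduction by graph self-similarity, TF-IDF-style weighting), as an added example that is not the thesis's code. The Weisfeiler-Lehman subtree kernel, the smoothed IDF formula, the host/protocol/port graph layout and the sample records are all assumptions, since the abstract does not specify any of them.

```python
import math
from collections import Counter

def behavior_graph(records):
    """Assumed layout: host -> protocol -> destination-port tree from (proto, dport) records."""
    labels, adj, index = {0: "host"}, {0: set()}, {}
    def node(key, label, parent):
        i = index.setdefault(key, len(labels))  # reuse the node if this key was seen
        labels.setdefault(i, label)
        adj.setdefault(i, set()).add(parent)
        adj[parent].add(i)
        return i
    for proto, dport in records:
        node(("d", proto, dport), str(dport), node(("p", proto), proto, 0))
    return labels, adj

def wl_features(graph, rounds=1):
    """Assumed kernel: count Weisfeiler-Lehman subtree patterns (neighbour labels folded in)."""
    labels, adj = graph
    feats = Counter(labels.values())
    for _ in range(rounds):
        labels = {v: f"{labels[v]}({','.join(sorted(labels[u] for u in adj[v]))})" for v in adj}
        feats.update(labels.values())
    return feats

def deduplicate(feature_sets):
    """Data reduction: keep one sample per distinct pattern multiset (kernel value 1)."""
    return [f for i, f in enumerate(feature_sets) if f not in feature_sets[:i]]

def idf_weights(feature_sets):
    """Assumed weighting: smoothed IDF, so rare subtree patterns count for more."""
    n, df = len(feature_sets), Counter(f for feats in feature_sets for f in feats)
    return {f: math.log((1 + n) / (1 + c)) + 1 for f, c in df.items()}

def kernel(a, b, w=None):
    """Cosine-normalised subtree kernel, optionally IDF-weighted."""
    def dot(x, y):
        return sum(x[f] * y[f] * (w[f] ** 2 if w else 1) for f in x.keys() & y.keys())
    return dot(a, b) / math.sqrt(dot(a, a) * dot(b, b))

HOSTS = {  # constructed (proto, dport) records per host, not taken from any dataset
    "a": [("tcp", 80), ("tcp", 443), ("udp", 53)],
    "b": [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 80)],  # a plus a repeated record
    "c": [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 6667)],
    "d": [("tcp", 6667), ("udp", 53)],
}
FEATS = {h: wl_features(behavior_graph(r)) for h, r in HOSTS.items()}
TRAIN = deduplicate(list(FEATS.values()))  # b collapses into a
W = idf_weights(TRAIN)
```

On the constructed hosts, the repeated record in `b` yields the same graph as `a`, so three training samples remain. With `W` applied, the margin by which `d` is closer to `c` (they share the rarer port-6667 pattern) than to `a` widens compared with the unweighted kernel.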
Keywords/Search Tags: Network intrusion detection, Graph based anomaly detection, Graph kernel, Botnet detection, Ensemble learning