With the rapid extension of the Internet from the virtual economy into the real economy, network traffic data has become an important information medium. At the same time, because cyberspace security incidents are extremely costly, network traffic has become an important object of analysis and protection in the field of data security. Network intrusion detection strategies are divided into misuse detection and anomaly detection. In actual research and deployment, misuse detection methods have largely remained at rule matching, while anomaly detection methods, which mostly rely on machine learning, have not realised the potential of that technology in intrusion detection: they pay insufficient attention to the relationship between features and intrusion behaviour, and they analyse the diversity of normal traffic inadequately. The two strategies need to complement each other to improve the effectiveness of network intrusion detection. This thesis focuses on the practical differences between data scenarios under the two strategy ideas and conducts targeted research on intrusion detection techniques based on network traffic analysis. The main contributions of this thesis are as follows:

(1) A traffic classification method based on multi-level feature fusion is proposed. This part of the research works on full traffic data. A multi-level feature fusion method is proposed to address the problems that existing intrusion detection techniques do not analyse the data sufficiently and neglect feature analysis while over-relying on model performance. Segment-level features are introduced to mine fine-grained data patterns, an autoencoder is used to encode segment-level application-layer information, and statistical feature clustering is combined with it to obtain an embedded representation of segment-level data. Finally, a classification algorithm performs multi-level feature fusion classification. The experimental results show that the proposed method outperforms the comparison models in classification effectiveness.

(2) A memory-based traffic anomaly detection method is proposed. This part of the research works on traffic metadata. Because metadata features are sparse, metadata-based network traffic anomaly detection still has room for improvement. At the same time, since network traffic carries many kinds of daily behaviour, traffic anomaly detection methods generally suffer from volatility in the features of the data itself, i.e. data drift, which leads to unsatisfactory model results. To address these issues, a traffic anomaly detection method based on a memory module is proposed. First, multi-angle feature expansion is carried out by combining the ideas of anomaly detection and misuse detection; then a streaming, adaptive anomaly detection model is built from a combination of an autoencoder and a memory module. A self-learning update mechanism enables effective anomaly detection and mitigates the performance degradation caused by data drift.

(3) A traffic intrusion detection system for the smart grid is built. A smart grid scenario is selected to build a traffic intrusion detection system from an application perspective. Combining the misuse and anomaly detection strategies, the Suricata intrusion detection engine is combined with the proposed model to implement a visualisation platform for traffic analysis and detection, and to validate the practical utility of the proposed approach.
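The memory-based, streaming anomaly detector of contribution (2) is described only at the architecture level above. The following is an added, deliberately simplified illustration of that idea, not the thesis's own code or model: a memory of prototype feature vectors scores each flow by its distance to the nearest prototype, flows judged normal update that prototype (the self-learning step that follows gradual data drift), and flagged flows never update the memory, so an attack cannot poison it. The feature expansion mixes statistical features with a misuse-style signature-hit count, in the spirit of the multi-angle expansion mentioned above. The autoencoder is omitted; the flow records, feature names, threshold and learning rate are all constructed for this example.

```python
"""Added example: memory-module anomaly detection over streaming flow metadata.

Simplified stand-in for the thesis's autoencoder + memory design (hypothetical):
nearest-prototype distance as the anomaly score, EMA update of the matched
prototype on normal flows only. All flow records below are constructed.
"""
import math
from typing import Dict, List, Sequence

Vector = List[float]


def expand_features(flow: Dict[str, float]) -> Vector:
    """Multi-angle expansion: log-scaled statistical features plus a
    misuse-style feature (number of signature hits on the flow)."""
    return [
        math.log1p(flow["bytes"]),
        math.log1p(flow["packets"]),
        math.log1p(flow["duration_ms"]),
        float(flow["sig_hits"]),
    ]


class MemoryAnomalyDetector:
    """Memory of prototype vectors with a self-learning update rule."""

    def __init__(self, prototypes: Sequence[Vector], threshold: float, alpha: float):
        self.memory = [list(p) for p in prototypes]  # copy: detectors must not share slots
        self.threshold = threshold  # distance above which a flow is anomalous
        self.alpha = alpha          # EMA rate for updating the matched prototype

    @staticmethod
    def _dist(a: Vector, b: Vector) -> float:
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def score(self, x: Vector):
        """Return (anomaly score, index of nearest prototype)."""
        d = [self._dist(x, m) for m in self.memory]
        i = min(range(len(d)), key=d.__getitem__)
        return d[i], i

    def observe(self, x: Vector, update: bool = True) -> bool:
        """Score one flow; adapt the nearest prototype only if the flow is normal.
        Anomalous flows never touch the memory, so they cannot poison it."""
        s, i = self.score(x)
        anomalous = s > self.threshold
        if update and not anomalous:
            self.memory[i] = [m + self.alpha * (xi - m) for m, xi in zip(self.memory[i], x)]
        return anomalous


def make_stream(n: int = 200, start_bytes: float = 1000.0, end_bytes: float = 4000.0):
    """Constructed normal traffic whose flow size drifts linearly upward."""
    flows = []
    for t in range(n):
        b = start_bytes + (end_bytes - start_bytes) * t / (n - 1)
        flows.append({"bytes": b, "packets": 10, "duration_ms": 500, "sig_hits": 0})
    return flows


def run_demo() -> Dict[str, object]:
    flows = make_stream()
    proto = [expand_features(flows[0])]  # memory seeded from the first normal flow
    adaptive = MemoryAnomalyDetector(proto, threshold=0.5, alpha=0.2)
    frozen = MemoryAnomalyDetector(proto, threshold=0.5, alpha=0.2)

    # Same drifting stream: the frozen memory starts flagging normal flows,
    # the self-updating memory follows the drift and raises no false positives.
    adaptive_fp = sum(adaptive.observe(expand_features(f)) for f in flows)
    frozen_fp = sum(frozen.observe(expand_features(f), update=False) for f in flows)

    # Two constructed attacks against the adapted memory: a bulk transfer far from
    # any prototype, and a normal-sized flow that tripped a signature.
    exfil = expand_features({"bytes": 5_000_000, "packets": 4000, "duration_ms": 500, "sig_hits": 0})
    sig_hit = expand_features({"bytes": 4000, "packets": 10, "duration_ms": 500, "sig_hits": 1})
    before = [list(m) for m in adaptive.memory]
    exfil_flagged = adaptive.observe(exfil)
    sig_flagged = adaptive.observe(sig_hit)
    return {
        "adaptive_fp": adaptive_fp,
        "frozen_fp": frozen_fp,
        "exfil_flagged": exfil_flagged,
        "sig_flagged": sig_flagged,
        "memory_poisoned": adaptive.memory != before,
    }


if __name__ == "__main__":
    print(run_demo())
```

The threshold and EMA rate are arbitrary here; in practice they would be calibrated on a held-out normal period, and a real deployment would keep several prototypes (one per behaviour cluster) rather than the single slot used in this demo. The point the demo isolates is the update asymmetry: normal flows move the memory, flagged flows do not, which is what lets the memory absorb drift without learning the attacks.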