Analysis and Detection of Anomalous Traffic Based on Data Mining
[Abstract]: With the rapid development of the Internet, both the scale of the network and the variety of services it carries grow daily. This growth brings great convenience, but it also raises the likelihood of network anomalies. Detecting anomalous traffic accurately and quickly, and responding to it in a timely and reasonable way, therefore has considerable practical significance and application value. In recent years researchers have proposed anomalous traffic detection based on data mining, which automatically extracts hidden, useful knowledge from massive data and turns it into detection rules; this area has been studied extensively. This thesis first surveys the technical development and current state of anomalous traffic detection and analysis in China and abroad. It then summarizes the definition and classification of anomalous traffic and the methods of anomaly detection, and analyzes and compares the main traffic measurement and anomalous traffic detection techniques in detail, explaining the advantages and disadvantages of each in terms of its principle. Second, the thesis studies clustering algorithms from data mining and uses the density-based DBSCAN algorithm to detect anomalous traffic. An improved grid-based DBSCAN clustering method is trained and tested on offline data sets to obtain the trend of anomalous traffic characteristics and to distinguish normal from anomalous behaviour. The method finds clusters of arbitrary shape and size, identifies boundary points effectively and removes noise points, so the clustering results are more accurate and execution is more efficient. Third, the thesis studies the classification of anomalous traffic. Cross-entropy is used to measure the distribution of traffic characteristics: when anomalous behaviour occurs, the cross-entropy between two consecutive observation points rises sharply.
The cross-entropy of eight characteristic attributes (source IP address, destination IP address, source port, destination port, flow size, in-degree, out-degree and number of packets) is used to classify anomalous network traffic. Attribute profiles are defined for five kinds of anomalous traffic (worms, DoS attacks, DDoS attacks, port scans and anomalous P2P traffic), and the Euclidean distance to these profiles determines the attack type. Classifying by the characteristics of the anomalous traffic in this way improves the accuracy of the classification results. Finally, an anomalous traffic monitoring model is built from the offline KDD Cup 99 data set, the grid-based DBSCAN algorithm and cross-entropy theory, with NetFlow used to collect traffic data. Detection and analysis of simulated real-time traffic provide a basis for quickly detecting network anomalies, finding their causes and proposing solutions.
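The cross-entropy test described in the abstract, as an added example that is not the thesis's code: the script below builds constructed NetFlow-like flow records, compares the distribution of each attribute between consecutive observation windows, and flags the attributes whose cross-entropy jumps relative to a reference pair of normal windows. The record fields, the additive-smoothing constant, the window size of 200 flows, the 1.5 ratio threshold and the scanning host 10.0.0.99 are assumptions chosen for illustration; the thesis's full eight-attribute feature set, its attack profiles and its DBSCAN stage are not reproduced here.

```python
"""Cross-entropy of flow attribute distributions between consecutive windows.

Added example, not the thesis's code. The flow records are constructed, and
the smoothing constant, window size and ratio threshold are assumptions.
"""
import math
import random
from collections import Counter

# Four of the thesis's eight attributes are enough to show the effect.
ATTRIBUTES = ("src_ip", "dst_ip", "src_port", "dst_port")


def smoothed_distribution(flows, attr, support, alpha=1e-3):
    """Empirical distribution of one attribute over a fixed support.

    Additive smoothing keeps every value of the support strictly positive, so
    the cross-entropy stays finite for values seen in only one of the windows.
    """
    counts = Counter(flow[attr] for flow in flows)
    total = len(flows) + alpha * len(support)
    return {v: (counts.get(v, 0) + alpha) / total for v in support}


def cross_entropy(p, q):
    """H(p, q) = -sum_x p(x) log2 q(x), in bits."""
    return -sum(p[v] * math.log2(q[v]) for v in p)


def window_cross_entropy(prev, cur, attr):
    """How surprising the current window's attribute values are under the
    previous window's distribution (p = current, q = previous)."""
    support = {f[attr] for f in prev} | {f[attr] for f in cur}
    p = smoothed_distribution(cur, attr, support)
    q = smoothed_distribution(prev, attr, support)
    return cross_entropy(p, q)


def flag_attributes(reference, prev, cur, ratio=1.5):
    """Attributes whose cross-entropy between prev and cur exceeds `ratio`
    times the cross-entropy between a reference window and prev.

    Returns {attr: (baseline_bits, current_bits)} for the flagged attributes.
    A ratio rather than an absolute threshold is used because attributes
    with a large support (ephemeral source ports) always score high.
    """
    flagged = {}
    for attr in ATTRIBUTES:
        baseline = window_cross_entropy(reference, prev, attr)
        current = window_cross_entropy(prev, cur, attr)
        if current > ratio * baseline:
            flagged[attr] = (round(baseline, 2), round(current, 2))
    return flagged


# Constructed network: 20 clients talking to 5 servers on 4 service ports.
CLIENTS = [f"10.0.0.{i}" for i in range(1, 21)]
SERVERS = [f"10.0.1.{i}" for i in range(1, 6)]
SERVICE_PORTS = (22, 53, 80, 443)


def normal_window(rng, n=200):
    """One observation window of constructed normal flows."""
    return [
        {"src_ip": rng.choice(CLIENTS), "dst_ip": rng.choice(SERVERS),
         "src_port": rng.randint(49152, 65535),
         "dst_port": rng.choice(SERVICE_PORTS)}
        for _ in range(n)
    ]


def scan_window(rng, n=200):
    """Half normal traffic, half a sequential port scan from one new host
    (10.0.0.99 is an assumed attacker address) against one existing server."""
    flows = normal_window(rng, n // 2)
    flows += [
        {"src_ip": "10.0.0.99", "dst_ip": "10.0.1.5",
         "src_port": rng.randint(49152, 65535), "dst_port": port}
        for port in range(1, n // 2 + 1)
    ]
    return flows


def demo(seed=0):
    """Return (flags for a normal->normal transition, flags for normal->scan)."""
    rng = random.Random(seed)
    w0, w1, w2 = normal_window(rng), normal_window(rng), normal_window(rng)
    w3 = scan_window(rng)
    quiet = flag_attributes(w0, w1, w2)
    scan = flag_attributes(w1, w2, w3)
    return quiet, scan


if __name__ == "__main__":
    quiet, scan = demo()
    print("normal -> normal:", quiet)
    print("normal -> scan:  ", scan)
```

In the scan window the destination-port and source-address distributions jump (the scanner hits roughly a hundred ports never seen in the previous window, from an address never seen before), while the destination-address distribution barely moves because the scan targets an already busy server. Two details matter in practice: the cross-entropy is directional, and using the previous window as the model q is what makes newly appearing values expensive; and source ports, being ephemeral, score around 17 bits in every window, so an absolute threshold would fire on them constantly, which is why the check compares against a reference pair of normal windows.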
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year conferred]: 2016
[CLC number]: TP311.13; TP393.06
Article ID: 2263878
Link: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/2263878.html