Similar literature
20 similar documents found (search time: 93 ms)
1.
刘珍  王若愚 《电信科学》2016,(6):143-152
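Internet traffic classification methods based on connection graphs reflect the communication behavior between hosts and offer high classification stability, but the heuristic rules summarized from experience are limited, which makes high classification accuracy hard to achieve. This work analyzes inter-host communication behavior patterns and the BOF method, extracts host-connection-related behavioral statistical features (HCBF) from network traffic sharing the same {destination IP address, destination port number, transport-layer protocol}, and uses the C4.5 decision tree algorithm to learn classification rules based on these behavioral features, with no need to build heuristic rules by hand. On traditional Internet and mobile Internet traffic datasets, HCBF is compared with existing feature sets in terms of basic classification performance and classification stability. The experimental results show that the HCBF feature set has high inter-class discrimination and stability.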

2.
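Research on botnet detection methods based on anomalous behavior features (total citations: 1; self-citations: 0; citations by others: 1)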
杨奇  何聚厚 《电子科技》2010,23(11):109-112
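Botnet channels can be detected effectively on the basis of the anomalous behavior of botnet communication and network traffic. The paper describes a detection algorithm that analyzes anomalies in host response messages to determine whether the current IRC channel is a botnet channel. On this basis, an anomalous-behavior-based botnet channel detection model is introduced; the model classifies and extracts the host response messages of an IRC channel and reaches a conclusion by applying the detection algorithm. Experimental results verify the effectiveness of the model.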

3.
赖海光  许峰  黄皓  谢俊元 《电子学报》2006,34(11):1946-1950
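Port scanning is the act of probing the ports of a target system to determine whether they are open. It is often the first step of an attacker's intrusion. Port scan detection is an indispensable part of an intrusion detection system, yet there are currently few port scan detection methods and their accuracy is low. To improve the accuracy of scan detection, this paper uses Dempster-Shafer evidence theory to fuse the data produced by two scan detection methods: one based on port distribution features, which is simple and has a high detection rate; the other based on sequential hypothesis testing, which makes full use of the essential characteristics of port scanning. Experimental results show that, compared with using the port-distribution-based method or the sequential-hypothesis-testing method alone, the scan detection method based on Dempster-Shafer evidence theory detects port scans far more accurately.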

4.
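At present, botnets are detected mainly by analyzing network traffic, which often depends on the malicious behavior of bot hosts or requires information from external systems. In addition, traditional traffic analysis methods are computationally expensive and struggle to meet real-time requirements. This paper therefore proposes a MapReduce-based online botnet detection algorithm. The algorithm detects botnets by analyzing network traffic and extracting its intrinsic correlations, and performs the data analysis on a cloud computing platform so that data acquisition and data analysis proceed at the same time, achieving online detection. Experimental results show that the algorithm reaches a detection rate above 90% with a false positive rate below 5%, and that its speedup is close to linear for large data volumes, which verifies the feasibility of cloud computing technology for botnet detection.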

5.
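Research on port scanning and anti-scanning techniques (total citations: 2; self-citations: 0; citations by others: 2)
Port scanning of a target system is the first step by which a network intruder gets into that system. As technology has developed, more and more scanning tools have appeared that perform not only ordinary scans but also stealth scans, posing a serious threat to the security of target systems. The paper first discusses the commonly used port scanning techniques and their characteristics, and analyzes in detail the stealth port scanning method based on an idle host. Through research on port scanning and anti-scanning techniques, it proposes an improved scheme that effectively defends against idle-host scanning, together with a concrete implementation strategy and test results. The improved scheme effectively defends against not only conventional port scans but also SYN stealth scans.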

6.
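Research on a decision-tree-based botnet traffic detection method (total citations: 1; self-citations: 0; citations by others: 1)
Botnets are currently one of the security threats facing the Internet, and detecting potential botnet traffic in a network is important for improving Internet security. The paper focuses on botnets based on the IRC protocol and, taking the session characteristics between bot hosts and the chat server as its basis, proposes a decision-tree-based botnet traffic detection method. Experiments show that the method is feasible.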

7.
王晓鸽 《电子科技》2014,27(5):175-178
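Network traffic data is sampled and noise is filtered with a wavelet space transform to build an information-entropy-based network traffic matrix. The PGM-NMF algorithm is used to decompose the traffic matrix, a residual matrix based on the non-negative subspace method is constructed, and a Q chart is applied to detect network traffic anomalies. Theoretical analysis and experimental results show that, compared with the PCA method, the PGM-NMF algorithm has better detection performance in network traffic anomaly detection.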

8.
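A botnet is a new form of attack that evolved from traditional malicious code. It gives the attacker a covert, flexible and efficient one-to-many command and control channel (CC) mechanism for controlling large numbers of bot hosts to steal information, launch distributed denial-of-service attacks, send spam and so on. This paper proposes a botnet detection method that is independent of botnet structure and CC protocol and does not need to analyze the characteristic payload of packets. The method first applies pre-filtering rules to the captured traffic to remove traffic unrelated to botnets; it then computes statistics on the attributes of the filtered traffic; finally, it uses a two-step clustering algorithm based on X-means clustering to analyze and cluster the traffic attributes of the CC channel, thereby detecting botnets. Experiments show that the method distinguishes botnet traffic from other normal network traffic efficiently and accurately, meets the requirements for detecting botnets in real networks, and has a low misjudgment rate.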

9.
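Real-time anomaly detection is currently a hot research topic in network security. Based on the statistical characteristics of large-scale network traffic, a statistics-based traffic anomaly detection model is proposed. A baseline of normal network traffic is drawn from a set of network traffic metrics. Anomalies are detected against this normal traffic baseline using hypothesis testing theory. A sliding-window-based traffic update strategy and an inductive threshold control model make anomaly detection more efficient.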

10.
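A joint multifractal model of network traffic and analysis of its characteristics (total citations: 1; self-citations: 1; citations by others: 0)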
魏进武  邬江兴  陈庶樵 《电子学报》2004,32(9):1459-1463
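The discovery of scaling behavior in networks has made it possible to study network traffic characteristics with mathematical models. Based on the multiplicative cascade process and the K-distribution process, this paper proposes the joint multifractal (JMF) network traffic model, which uses the combination of the scaling function and the moment factor as its main characteristic function for studying traffic characteristics. Theoretical analysis and simulation results on measured network traffic data show that the JMF model describes both the short-term fractal behavior and the long-term self-similar behavior of network traffic fairly objectively, with low implementation complexity. The scaling function captures the effect of time scale on traffic characteristics, and the moment factor describes how traffic burstiness varies at a given time scale; together they describe the short-term behavior of network traffic well, while the statistical properties of the model capture the long-term behavior of the traffic.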

11.
By quickly detecting a port scan and blocking the culprit host from the network, it is possible to minimize the spread of the damage by infected hosts and malicious users. In the past, various Software-Defined Networking (SDN)-based methods have been proposed, whose main advantage is the lower overhead compared to traditional methods that collect and analyze all captured traffic. On the other hand, due to the polling process used in these methods, it is necessary to set a short interval (e.g., few seconds) to keep the attacks' detection as short as possible. However, when the attack frequency is very low compared to normal traffic, there is an unnecessary overhead. In this paper, we propose a port scan detection method that considers the characteristics of Packet-In messages sent from the OpenFlow (OF) switch to the controller. This allows a prompt detection and with less overhead than conventional polling methods. The evaluation was conducted using both simulated and real traffic data. Results confirm that the proposed method can detect port scans with lower overhead than existing methods.

12.
杜敏  陈兴蜀  谭骏 《中国通信》2013,10(2):89-97
Internet traffic classification plays an important role in network management. Many approaches have been proposed to classify different categories of Internet traffic. However, these approaches have specific usage contexts that restrict their ability when they are applied in the current network environment. For example, the port based approach cannot identify network applications with dynamic ports; the deep packet inspection approach is invalid for encrypted network applications; and the statistical based approach is time-consuming. In this paper, a novel technique is proposed to classify different categories of network applications. The port based, deep packet inspection based and statistical based approaches are integrated as a multistage classifier. The experimental results demonstrate that this approach has high recognition rate which is up to 98% and good performance of real-time for traffic identification.

13.
Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, port-scanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.

14.
Both high-speed packet switches and statistical multiplexers are critical elements in the ATM (asynchronous transfer mode) network. Many switch architectures have been proposed and some of them have been built, but relatively fewer statistical multiplexer architectures have been investigated to date. It has been considered that multiplexers are a special kind of switches which can be implemented with similar approaches. The main function of a statistical multiplexer, however, is to concentrate traffic from a number of input ports to a comparatively smaller number of output ports; ‘switching’ in the sense that a cell must be delivered to a specific output port is often not required. This implies that the channel grouping design principle, in which more than one path is available for each virtual circuit connection, can be applied in the multiplexer. We show that this technique reduces the required buffer memory and increases the system performance significantly. The performances of three general approaches for implementing an ATM statistical multiplexer are studied through simulations with various bursty traffic assumptions. Based on the best performing approach (sharing output channels and buffers), we propose two architecture designs to implement a scalable statistical multiplexer that is modularly decomposed into many smaller multiplexers by using a novel grouping network.

15.
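Based on the characteristics of network worm attacks, an early detection system for network worms based on failed-connection analysis is proposed. The system detects worms by analyzing, in real time, how far the distribution of failed-connection traffic deviates from the normal state, and further lowers the false positive rate of worm detection by analyzing the self-similarity of the set of failed connections. Experimental results from a prototype system show that the system can detect unknown types of network worm attacks in real time and can analyze the network transmission characteristics of worm scanning and the list of hosts in the network that may be infected. Compared with existing methods, the system is more sensitive to the early scanning behavior of worms and has a lower false positive rate.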

16.
Shared buffer switches consist of a memory pool completely shared among output ports of a switch. Shared buffer switches achieve low packet loss performance as buffer space is allocated in a flexible manner. However, this type of buffered switches suffers from high packet losses when the input traffic is imbalanced and bursty. Heavily loaded output ports dominate the usage of shared memory and lightly loaded ports cannot have access to these buffers. To regulate the lengths of very active queues and avoid performance degradations, threshold‐based dynamic buffer management policy, decay function threshold, is proposed in this paper. Decay function threshold is a per‐queue threshold scheme that uses a tailored threshold for each output port queue. This scheme suggests that buffer space occupied by an output port decays as the queue size of this port increases and/or empty buffer space decreases. Results have shown that decay function threshold policy is as good as well‐known dynamic thresholds scheme, and more robust when multicast traffic is used. The main advantage of using this policy is that besides best‐effort traffic it provides support to quality of service (QoS) traffic by using an integrated buffer management and scheduling framework. Copyright © 2006 John Wiley & Sons, Ltd.

17.
谢敏 《电子工程师》2005,31(6):43-45
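The biggest difference between dual-port RAM and conventional RAM is that dual-port RAM has two independent sets of address, data and control lines, allowing two independent CPUs or controllers to access the memory cells asynchronously at the same time; on-chip arbitration logic determines which side's CPU may access the internal RAM cells. The IDT7132 is a 2 kB standard dual-port RAM. The paper focuses on the use of dual-port RAM in a large-screen LED (light-emitting diode) display system based on a CPLD (complex programmable logic device) and designed with a top-down method, and gives the system design method and the related hardware circuits. In this design the IDT7132 dual-port RAM connects the microcontroller signal processing module and the CPLD scanning module.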

18.
An optically transparent packet network controlled by a simple medium access circuit is presented. The system, based on frequency division multiplexing and tunable transmitters, has no internal blocking and is optically self-routing. It provides internal collision-free traffic by allowing access to the network only if the addressed channel (output port) is available. A packet denied access to the network is reflected back to its input port, which is thus informed of the packet status. Therefore, the traffic is not bogged down by acknowledgments between input and output ports. To achieve this result, each input of the network is controlled by a protection-against-collision (PAC) circuit located at a central hub. The PAC circuit uses the packet for probing the energy present in the addressed channel. The resulting signal controls an optical switch connecting the input port to the network. Thus, full optical connectivity is provided between ports controlled by electrical signals derived from simple optical power measurements.

19.
Switches with input buffers are scalable due to their simplicity. In these switches, the port that sources a multicast session might easily get congested as it becomes more popular. We propose that destination ports should forward copies of multicast packets to other destination ports in a specified order. In this way, the multicast traffic load is evenly distributed over the switch ports. Packets are scheduled according to the weighted sequential greedy algorithm.

20.
An efficient dynamic multicast traffic-grooming algorithm for WDM networks (total citations: 1; self-citations: 0; citations by others: 1)
With the growth of multi-granularity multicast applications, there comes into being a huge gap between the bandwidth of a wavelength provided and a multicast traffic required in the wavelength division multiplexing (WDM) networks. The dynamic multicast traffic-grooming is an effective way for WDM networks to improve the wavelength utilization and decrease the traffic blocking probability. A novel switching node architecture with the multicast switching matrix and traffic-grooming fabric is studied in the paper. Then, an efficient dynamic multicast traffic-grooming algorithm is proposed for the architecture. According to the ratio of network available grooming port number to network transceiver number, the proposed algorithm estimates whether the traffic-grooming port is a scarce resource for input traffic and chooses the appropriate grooming strategy. If the traffic-grooming port is scarce, the minimized use grooming port strategy is designed for the coming traffic. On the contrary, the minimized use node transceiver strategy is applied for the coming traffic. Simulation results show that the proposed algorithm can groom traffic efficiently with low blocking probability and high network throughput constraint by limiting number of node transceivers and grooming ports.
