1.
As network attacks become more complex, automated and intelligent, new attack types keep emerging, which poses a serious challenge to signature-based attack detection and timely response. To identify anomalous traffic more effectively and accurately, this paper proposes a network traffic anomaly detection algorithm based on a multi-feature-extraction autoencoder. The algorithm defines its own autoencoder model, whose encoder consists of five different Encoder modules and whose decoder consists of one Decoder module, so that spatial and temporal features of the traffic are extracted at the same time while degradation is avoided, giving effective detection of anomalous traffic. A custom SMOTE-based new-sample oversampling method addresses class imbalance, and analysis of variance is used for feature selection, which optimises the data, reduces model complexity, substantially shortens detection time and improves the real-time performance of the algorithm. Experimental results show that the proposed algorithm improves accuracy on network traffic anomaly detection by 1% over the current best algorithm of its kind and reduces the detection time on one million flow records by 4.22 s.
2.
Research on a NetFlow-based worm attack detection method. Cited by: 1 (self-citations: 1, citations by others: 0)
Based on an analysis of how NetFlow works and of the behavioural characteristics of worm attacks, this paper proposes a NetFlow-based worm detection method. The traffic-anomaly and signature-anomaly detection modules of the detection algorithm were implemented in code and a corresponding experimental environment was built. By simulating the network behaviour of a Code Red worm outbreak, the experiments show that the method detects common worms quickly and accurately and can also extract signatures of, and raise early warnings for, new worms.
3.
Because the data obtained in BGP anomaly detection are highly variable, small-sample and high-dimensional, this paper proposes an SVM-based method for detecting anomalous BGP traffic. Experimental results on BGP data show that applying the SVM algorithm to BGP anomalous traffic detection is feasible and effective.
5.
A multivariate online anomaly detection method based on singular value decomposition updating. Cited by: 1 (self-citations: 0, citations by others: 1)
Network anomaly detection is essential to keeping a network running stably and efficiently. Network-wide anomaly detection algorithms based on principal component analysis perform well but cannot meet the requirements of online detection. To address this, the paper introduces the traffic matrix model and proposes a multivariate online anomaly detection algorithm based on singular value decomposition updating, MOADA-SVDU, which builds the normal subspace and the anomalous subspace incrementally and detects network traffic anomalies online. Theoretical analysis shows that the algorithm has lower storage and computational overhead than the principal component analysis algorithm. Analysis of traffic matrix datasets measured on the Internet and of simulation data shows that the algorithm not only detects network anomalies online but also achieves good detection performance.
8.
Anomalous traffic detection in the communication network of a digital substation tends to get stuck in local optima, which makes the detection results imprecise. To address this, a Wolf-based anomalous traffic detection system for digital substation communication networks is proposed. The overall structure of the system is built and the frequency-domain characteristics of anomalous traffic in the communication network are analysed. The anomalous-traffic acquisition module parses the destination physical address, and an inspection component provides the system with its information-exchange engine. The Wolf algorithm maps a chaotic sequence into the multidimensional phase space of anomalous traffic in the substation communication network, and a convergence control factor is set so that the detection result does not get stuck in a local optimum. The entropy of the anomalous-traffic feature values is computed to determine the type of traffic anomaly. Experimental results show that the system's detection results for primary equipment match the actual data, and those for secondary equipment deviate from the actual data by at most 2 Mb/s, indicating that the designed system gives precise detection results.
10.
To improve the comprehensive perception of generalisable features of mixed attack traffic at the blockchain network layer and to strengthen anomalous traffic detection, this paper proposes a multi-classifier ensemble method for detecting anomalous traffic at the blockchain network layer that supports a comprehensive decision mechanism for anomalous data and has strong generalisation ability. First, to increase the diversity of the input feature subsets of the base classifiers, a feature subset selection algorithm based on discriminative power and redundant information content is proposed; during feature screening it promotes highly discriminative subset items while suppressing the generation of redundant information. Second, the stochastic variance reduced gradient (SVRG) algorithm is introduced into the Bagging ensemble to dynamically adjust the voting weights of the base models, improving generalisation in the detection of mixed attack traffic. Finally, to map the low-dimensional numeric vectors output by the ensemble into a higher-dimensional space, a local outlier factor algorithm based on the concept of data fields is proposed; it uses the potential difference between data points to amplify differences in the spatial density distribution of sample points, which raises the recall of anomalous data points. Experimental results show that, compared with ensemble methods built from a single type of classifier, the proposed method raises anomaly detection accuracy and recall by 1.57% and 2.71% on average, respectively.
12.
This paper presents a systematic method for DDoS attack detection. A DDoS attack can be considered a system anomaly or misuse that imposes abnormal behavior on network traffic, so attack detection can be performed by identifying that abnormal behavior, and characterizing network traffic with a behavior model is a good basis for it. Aggregated traffic has been found to be strongly bursty across a wide range of time scales, and wavelet analysis is able to capture complex temporal correlation across multiple time scales with very low computational complexity. We therefore use the energy distribution obtained from wavelet analysis to detect DDoS attack traffic. The energy distribution over time has limited variation if the traffic keeps its behavior over time (i.e. in an attack-free situation), while the introduction of attack traffic into the network elicits a significant deviation of the energy distribution within a short time period. Our experimental results with a typical Internet traffic trace show that the variance of the energy distribution changes markedly, producing a spike, when traffic behavior is affected by a DDoS attack, whereas normal traffic exhibits a remarkably stationary energy distribution. In addition, this spike in the energy-distribution variance can be captured in the early stages of an attack, far ahead of congestion build-up, making it an effective means of detecting the attack.
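Added example, not code from the paper above: a minimal version of the scheme the abstract describes. An orthonormal Haar transform gives, for each sliding window of a packet-count series, the fraction of detail energy at each scale; every window is then scored by the L2 distance of that distribution from a reference averaged over the first few windows, which are assumed attack-free. The paper tracks the variance of the energy distribution; scoring by distance from a reference distribution is a simplification of the same idea. The window size, the 0.3 threshold and the constructed trace (steady background, flood starting at sample 600) are assumptions for illustration, not values from the paper.

```python
import math
import random


def haar_energy_distribution(samples):
    """Orthonormal Haar decomposition of a window whose length is a power of two.

    Returns the fraction of total detail-coefficient energy at each scale,
    finest scale first. For white noise the fractions fall off roughly
    geometrically (1/2, 1/4, ...); a sudden level shift inside the window
    pushes energy towards the coarse scales.
    """
    n = len(samples)
    if n < 2 or n & (n - 1):
        raise ValueError("window length must be a power of two >= 2")
    approx = [float(x) for x in samples]
    energies = []
    while len(approx) > 1:
        nxt, detail_energy = [], 0.0
        for a, b in zip(approx[0::2], approx[1::2]):
            nxt.append((a + b) / math.sqrt(2))
            d = (a - b) / math.sqrt(2)
            detail_energy += d * d
        energies.append(detail_energy)
        approx = nxt
    total = sum(energies) or 1.0
    return [e / total for e in energies]


def energy_deviation(series, window=256, step=32, train_windows=4):
    """Score each sliding window by the L2 distance between its energy
    distribution and a reference averaged over the first `train_windows`
    windows, which are assumed attack-free (an assumption, not from the paper).
    Returns a list of (window start index, deviation)."""
    starts = range(0, len(series) - window + 1, step)
    dists = [haar_energy_distribution(series[s:s + window]) for s in starts]
    levels = len(dists[0])
    ref = [sum(d[j] for d in dists[:train_windows]) / train_windows
           for j in range(levels)]
    return [(s, math.sqrt(sum((x - r) ** 2 for x, r in zip(d, ref))))
            for s, d in zip(starts, dists)]


def first_alarm(scores, threshold=0.3):
    """Start index of the first window whose deviation exceeds the (assumed)
    threshold, or None if no window does."""
    for start, dev in scores:
        if dev > threshold:
            return start
    return None


def constructed_trace(length=1024, onset=600, seed=7):
    """Constructed packet-count series, not a real trace: a steady background
    of about 100 packets per bin plus a flood of about 500 extra packets per
    bin from `onset` onwards."""
    rng = random.Random(seed)
    series = []
    for t in range(length):
        value = 100 + rng.uniform(-10, 10)
        if t >= onset:
            value += 500 + rng.uniform(-50, 50)
        series.append(value)
    return series


if __name__ == "__main__":
    scores = energy_deviation(constructed_trace())
    for start, dev in scores:
        print(f"window {start:4d}: deviation {dev:.3f}")
    print("first alarm at window starting", first_alarm(scores))
```

The first alarm fires on the first window that contains the onset at all, when only eight flood samples have arrived, because even a level shift near the end of a window moves energy out of the finest scales. Windows that lie entirely inside the flood score low again, since the flood itself is stationary; the spike sits at the onset, which is the early-stage signal the abstract refers to.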
13.
Velusamy Rajakumareswaran, Subramaniam Nithiyanandam. International Journal of Communication Systems, 2019, 32(7)
The Domain Name System (DNS) maintains and resolves the IP addresses of all the domains on the Internet: when a client requests a domain name, a server responds with the corresponding IP address. DNS can be attacked by returning a fake IP address to clients, which redirects all incoming traffic to a fake server. In this work, a novel method is employed to detect DNS attacks using box-counting method (BCM)-based multifractal analysis. A set of network features is selected, rules are created using Cisco's Flowspec model, and those features are analysed with the BCM technique to find the attack in the network traffic. To the best of our knowledge, this is the first work that implements Flowspec-based monitoring of DNS attacks using fractal analysis.
14.
In recent years, defending against advanced persistent threats (APT) in complex environments has become a focus of network security. APT attacks are highly covert, and the harm is smaller when they are discovered early. The method proposed here is based on deep mining of DNS logs: starting from functional dimensions such as intelligent detection of DGA domains and intelligent detection of APT tunnels, it offers a new approach to APT defence from the perspective of DNS logs, integrating detection, monitoring and tracing. The paper proposes a fused Transformer neural network and GRU algorithm to detect malicious DGA domains, and uses statistical machine learning to detect the DNS tunnels that APT attacks use for command-and-control communication, extending early network security warning to the DNS layer and making up for both the insufficient attention that security measures pay to algorithmically generated domains and the vulnerability of DNS to being exploited by dormant APT actors. In-depth tests in an experimental environment show that the method copes well with the increasingly severe APT threat on the Internet.
15.
Routing protocols in a MANET work on the presumption that nodes will collaborate in transmitting data. This presumption is a limitation of the routing protocol that gives attackers an opportunity to undermine the security of devices and data in the network. It is therefore vital to develop methods and systems that ensure the safety, integrity and confidentiality of data in such devices and systems. Although existing IDSs are able to detect various types of attack, some misbehaviour goes undetected and can potentially damage the network. A collusion attack is one such misbehaviour, in which nodes act maliciously in collaboration with neighbouring nodes without being detected. In this work an intrusion detection algorithm is proposed that can effectively detect colluding nodes and isolate them from the network so that these malicious nodes do not affect network performance. The proposed detection algorithm uses in/out traffic information and the overhearing statistics of nodes to identify colluding attackers, and works with the DSR routing protocol. Experimental results in NS-2 show that the proposed algorithm reduces packet drops and consequently improves network throughput in the presence of a collusion attack.
18.
As a core component of Internet infrastructure, the DNS (domain name system) carries data that firewalls and other network security devices generally do not block. Covert channels carried over the DNS protocol are highly penetrating and stealthy and have become a routine means of command and control and data exfiltration for attackers. Existing research lacks techniques or methods for detecting the DNS covert channels used in real APT (advanced persistent threat) attacks, and the features it extracts are not comprehensive enough. To analyse attack traffic and behaviour in depth, this paper models DNS covert communication in real APT attacks with a finite state machine. It dissects how DNS covert channels are built in APT scenarios and describes their data exchange in detail; by summarising and analysing DNS covert communication mechanisms it builds a communication model on a finite state machine, proposing seven states in the communication process, including closed, connected, command query and command transfer, where the transmission of different message types, such as control messages and data messages, triggers the state transitions. The leaked Glimpse tool is used to simulate DNS covert communication under a real APT attack, and experiments with malicious samples such as Helminth verify the applicability and soundness of the model, providing a solid basis for manual feature extraction.
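Added example, not code from the entry-14 or entry-18 papers, of the statistical side of DNS-tunnel detection that both abstracts rely on: it parses constructed DNS query log lines, groups them per client and registered domain, computes the kind of per-domain features a manual feature-extraction step would produce (query count, fraction of unique subdomains, mean subdomain length, mean Shannon entropy of the subdomain labels, share of TXT/NULL queries), and applies a heuristic rule. The log format, the "last two labels" notion of registered domain and every threshold are assumptions; the Transformer/GRU model of entry 14 and the seven-state model of entry 18 are not reproduced here.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. A real
    deployment would consult the Public Suffix List so that names under
    co.uk and similar suffixes are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(lines):
    """Parse 'timestamp client qname qtype' lines (an assumed log format)."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        ts, client, qname, qtype = parts
        yield float(ts), client, qname, qtype.upper()


def profile_domains(records):
    """Per (client, registered domain) statistics of the kind a manual
    feature-extraction step for tunnel detection would produce."""
    groups = defaultdict(list)
    for _ts, client, qname, qtype in records:
        sub, reg = split_name(qname)
        groups[(client, reg)].append((sub, qtype))
    profiles = {}
    for key, items in groups.items():
        subs = [sub for sub, _ in items]
        n = len(items)
        profiles[key] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_sub_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "txt_null_ratio": sum(1 for _, q in items if q in ("TXT", "NULL")) / n,
        }
    return profiles


def flag_tunnels(profiles, min_queries=20):
    """Heuristic rule: many queries, nearly all with distinct, long,
    high-entropy subdomains. The thresholds are assumptions for illustration."""
    flagged = []
    for key, p in profiles.items():
        if (p["queries"] >= min_queries and p["unique_ratio"] > 0.9
                and p["mean_sub_len"] >= 30 and p["mean_entropy"] >= 3.5):
            flagged.append(key)
    return sorted(flagged)


def detect(lines):
    return flag_tunnels(profile_domains(parse_log(lines)))


def constructed_log():
    """Constructed log, not real traffic: one client browsing example.com,
    one client pushing hex-encoded chunks through TXT queries to tunnel-example.org."""
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
    for i in range(40):
        lines.append(f"{1000 + i} 10.0.0.5 {normal[i % 4]} A")
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        label = chunk[:24] + "." + chunk[24:]  # encoded payload split into two labels
        lines.append(f"{1000 + i} 10.0.0.9 {label}.c2.tunnel-example.org TXT")
    return lines


if __name__ == "__main__":
    for key, p in profile_domains(parse_log(constructed_log())).items():
        print(key, {k: round(v, 2) for k, v in p.items()})
    print("flagged:", detect(constructed_log()))
```

The browsing client repeats the same four subdomains, so its unique-subdomain ratio is 0.1 and it is never considered; the tunnelling client produces a fresh, high-entropy subdomain on every query, which is the behaviour a data-transfer state in the entry-18 model implies. Per-client grouping matters: the same registered domain can look benign from one host and tunnelled from another.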
19.
Paweł Foremski, Christian Callegari, Michele Pagano. International Journal of Network Management, 2014, 24(4): 272-288
Nowadays we see tremendous growth of the Internet, especially in terms of the amount of data being transmitted and the new network protocols being introduced. This poses a challenge for network administrators, who need adequate tools for network management. Recent findings show that DNS can contribute valuable information on IP flows and improve traffic visibility in a computer network. In this paper, we apply these findings on DNS to propose a novel traffic classification algorithm with interesting features. We experimentally show that the information carried in domain names and port numbers is sufficient for immediate classification of a highly significant portion of the traffic. We present DNS‐Class: an innovative, fast and reliable flow-based traffic classification algorithm, which on average yields 99.8% true positives and < 0.1% false positives on real traffic traces. The algorithm can work as a major element of a modular system in a cascade architecture. Additionally, we provide an analysis of how various network protocols depend on DNS in terms of flows, packets and bytes. We release the complete source code implementing the presented system as open source. Copyright © 2014 John Wiley & Sons, Ltd.
20.
DDoS attacks in a backbone network are hard to detect effectively, because the background traffic is huge and the multiple attack flows directed at the victim from distributed sources have not yet converged. To solve this problem, this paper proposes a detection method based on correlation analysis of global traffic anomalies: since attack flows change the correlation among traffic flows, principal component analysis is used to extract the correlation among the latent anomalous parts of multiple flows, and the degree of change in that correlation serves as the attack detection measure. Experimental results confirm the usefulness of the measure, which overcomes the difficulty that DDoS attack flows in a backbone have relatively low amplitude and are hard to detect; compared with existing global traffic detection methods, the method achieves a higher detection rate.
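Added example, not the code of either paper, of the subspace method that entries 5 and 20 build on: a traffic matrix (rows = time bins, columns = links) is centred, the leading principal components fitted on an assumed-clean training period span the normal subspace, and each time bin is scored by the squared norm of its projection onto the residual (anomalous) subspace. Power iteration with deflation stands in for both the batch PCA of entry 20 and the incremental SVD update of entry 5. The 200 x 6 matrix, its two latent daily patterns, the training length of 120 bins and the injected volume anomaly at bin 150 are constructed data and assumed parameters.

```python
import math
import random


def column_means(rows):
    n = len(rows)
    return [sum(col) / n for col in zip(*rows)]


def covariance(rows, means):
    """Sample covariance of the rows after subtracting `means`."""
    n, f = len(rows), len(means)
    cov = [[0.0] * f for _ in range(f)]
    for r in rows:
        c = [x - m for x, m in zip(r, means)]
        for i in range(f):
            for j in range(f):
                cov[i][j] += c[i] * c[j]
    return [[x / (n - 1) for x in row] for row in cov]


def top_components(cov, k, iters=300):
    """Leading k eigenvectors of a symmetric matrix by power iteration with
    deflation (stands in for the incremental SVD of entry 5)."""
    f = len(cov)
    comps = []
    work = [row[:] for row in cov]
    for _ in range(k):
        v = [1.0 / (i + 1) for i in range(f)]  # generic start vector
        for _ in range(iters):
            w = [sum(work[i][j] * v[j] for j in range(f)) for i in range(f)]
            for c in comps:  # stay orthogonal to components already found
                dot = sum(a * b for a, b in zip(w, c))
                w = [a - dot * b for a, b in zip(w, c)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(work[i][j] * v[j] for j in range(f)) for i in range(f))
        comps.append(v)
        for i in range(f):  # deflate: remove the component just found
            for j in range(f):
                work[i][j] -= lam * v[i] * v[j]
    return comps


def residual_energy(row, means, comps):
    """Squared prediction error: energy of a time bin outside the normal subspace."""
    r = [x - m for x, m in zip(row, means)]
    for c in comps:
        dot = sum(a * b for a, b in zip(r, c))
        r = [a - dot * b for a, b in zip(r, c)]
    return sum(x * x for x in r)


def score_traffic_matrix(rows, train=120, k=2):
    """Fit the normal subspace on the first `train` bins (assumed clean) and
    score every bin; large values mark bins whose link correlations break."""
    means = column_means(rows[:train])
    comps = top_components(covariance(rows[:train], means), k)
    return [residual_energy(r, means, comps) for r in rows]


def constructed_matrix(t_len=200, anomaly_at=150, seed=3):
    """Constructed 200 x 6 traffic matrix, not measured data: six links driven
    by two shared periodic patterns plus noise, with a volume anomaly added to
    links 2 and 3 at one bin."""
    rng = random.Random(seed)
    a = [3, 1, 2, 0, 2, 1]      # loading of pattern 1 on each link
    b = [1, 2, 0, 3, 1, 2]      # loading of pattern 2 on each link
    base = [50, 40, 60, 30, 45, 35]
    rows = []
    for t in range(t_len):
        f1 = math.sin(2 * math.pi * t / 50)
        f2 = math.cos(2 * math.pi * t / 80)
        row = [base[i] + a[i] * f1 + b[i] * f2 + rng.uniform(-0.5, 0.5) for i in range(6)]
        if t == anomaly_at:
            row[2] += 20
            row[3] += 20
        rows.append(row)
    return rows


if __name__ == "__main__":
    spe = score_traffic_matrix(constructed_matrix())
    worst = max(range(len(spe)), key=spe.__getitem__)
    print(f"highest residual energy {spe[worst]:.1f} at bin {worst}")
```

Normal bins keep a residual of well under 2 because their variation lies inside the two-dimensional normal subspace; the anomalous bin keeps only the part of its +20/+20 shift that the normal correlations cannot explain, which is what lets a low-amplitude attack show up against a large background, as entry 20 argues. In production the reference must be refitted as traffic evolves, which is the motivation for the incremental update in entry 5.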