Similar literature
 20 similar documents found; search took 15 ms
1.
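With the continuous growth of network speeds and the increasing number of network applications, network supervision has become far more difficult. This work implements NTAS (Network Traffic Analysis System), a real-time monitoring system for high-speed network traffic. It captures network traffic through a low-level PF_RING packet capture module, performs complete session management on that traffic and, on that basis, finite automaton (DFA)-based protocol identification, which addresses the insufficient performance and low protocol identification rate of comparable systems. Finally, comparative tests of NTAS against comparable systems are presented. The test results show that NTAS is capable of real-time analysis and processing of network traffic in high-speed network environments.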

2.
姜腊林  杨嘉佳  姜磊  唐球 《计算机应用》2014,34(11):3201-3205
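To address the inability of software-based network flow collection systems to process high-speed network traffic efficiently, and the need to collect multiple kinds of network flows simultaneously in order to improve collection efficiency, a high-speed network flow collection framework combining software and hardware is proposed, and the implementation of a high-speed network flow collection system on the NetFPGA-10G platform, called HSNTCS, is explored. In hardware, the system uses an exact string matching engine or a regular expression matching engine to filter and classify the required kinds of network flows, passes them to the corresponding data buffers in the kernel driver layer, and then copies them directly to user space and stores them in the corresponding database. In experimental tests with exact string matching, the hardware implementation of the high-speed network flow collection system reached a throughput of 1.2 Gb/s for both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), about 3 times that of the software implementation; with regular expression matching, the hardware implementation reached a UDP and TCP throughput of 640 Mb/s, about 3 times that of the software implementation. The results show that the hardware implementation has higher collection performance than the software implementation.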

3.
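Network traffic monitoring and analysis is an important part of network management and network security. This article introduces RT-TMA, a real-time network traffic collection and analysis system based on deep packet inspection, and gives its design framework and the implementation of its key techniques. Test results show that the system runs stably and accurately and achieves the expected results.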

4.
林荣强  李鸥  李青  李林林 《计算机应用》2014,34(11):3206-3209
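To address the sample-labeling bottleneck in network traffic feature selection, and the inability of existing semi-supervised methods to select strongly relevant features, a multi-class semi-supervised feature selection algorithm based on class-label extension (SFSEL) is proposed. Starting from a small number of labeled samples, the algorithm first extends class labels to the unlabeled samples using the K-means algorithm; it then combines this with the doubly regularized support vector machine (MDrSVM) algorithm to perform feature selection on multi-class data. In comparative experiments on the Moore dataset against the semi-supervised feature selection algorithms Spectral, PCFRSC and SEFR, SFSEL achieved clearly higher classification accuracy and recall than the other algorithms, and it selected clearly fewer features. The experimental results show that the SFSEL algorithm can effectively improve the relevance of the selected features and achieve better network traffic classification performance.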

5.
A major goal of honeypot research is to improve our knowledge of blackhats from two perspectives: technical and ethnological. For the former we want new ways to discover rootkits, Trojans, and potential zero-day exploits. For the latter, we want a better understanding of the areas of interest and hidden links between blackhat teams. One way to achieve these goals is to increase the verbosity of our honeypot logs and traces so that we learn every single action the intruder made. The most common tools for doing this are Sebek for system events and Snort for network activity. Unfortunately, there is no easy way to correlate information from these sources, which complicates honeypot forensics. Although computer forensics focuses on analyzing a system once we suspect it has been compromised, we expect honeypots to be compromised. Thus, honeypot forensics focuses on understanding the blackhat's techniques and tools, before and after its intrusion on the honeypot. The article looks at: network activity analysis; building the network timeline; and tools and techniques.

6.
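Image inpainting is a common means of image tampering, and deep-learning-based image inpainting methods can generate more complex structures and even new objects, which makes image inpainting forensics more challenging. Therefore, an end-to-end U-shaped feature pyramid network (FPN) for image inpainting forensics is proposed. First, multi-scale features are extracted by a top-down VGG16 module, and the fused feature maps are upsampled by a bottom-up feature pyramid architecture, so that the overall pipeline forms a U-shaped structure; then, global and local attention mechanisms are combined to highlight inpainting traces; finally, a fusion loss function is used to improve the prediction rate of inpainted regions. Experimental results show that the proposed method achieves an average F1 score and IoU of 0.7919 and 0.7472, respectively, on multiple deep inpainting datasets; compared with the existing localization of diffusion-based digital image inpainting (LDI), patch-based deep inpainting forensics (Patch-CNN) and high-pass fully convolutional network (HP-FCN) methods, the proposed method generalizes better and is also robust to JPEG compression.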

7.
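A WSDM-based campus network traffic monitoring system is designed. With the campus network as the experimental environment, a prototype of the traffic monitoring system is designed and implemented. Analysis of the test results shows that, compared with traditional traffic monitoring systems, the system offers more traffic collection methods and looser coupling and is easier to extend and to manage as a service; it is a useful reference for the development and design of network management system models based on distributed computing.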

8.
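To address the lack of supervision information in network traffic feature selection, a semi-supervised network traffic feature selection algorithm based on pairwise constraint extension is proposed. The algorithm considers both a small number of pairwise constraints and a large number of unlabeled samples, and uses the correlation and autocorrelation between sample sets to extend the pairwise constraint set to the unlabeled samples, generating more, highly reliable pairwise constraints that reveal the spatial distribution of the samples. Finally, the extended pairwise constraint set is used for feature selection. Experiments show that, compared with the algorithm without pairwise constraint extension, this algorithm achieves better classification performance with a small number of initial pairwise constraints.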

9.
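Design and Implementation of an Internet-Oriented Document Management System   Total citations: 3, self-citations: 0, citations by others: 3
This paper describes the design and implementation of a new type of document management system for the Internet environment. To address the shortcomings of traditional document management systems in extensibility, scalability and Web interfaces, it implements WebDAV, the IETF protocol for distributed document authoring and version control, on the Java 2 Enterprise Edition application server platform, and provides an architecture and platform for a document management system that is distributed, multi-tier, component-based and easy to extend.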

10.
Network forensics supports capabilities such as attacker identification and attack reconstruction, which complement the traditional intrusion detection and perimeter defense techniques in building a robust security mechanism. Attacker identification pinpoints attack origin to deter future attackers, while attack reconstruction reveals attack causality and network vulnerabilities. In this paper, we discuss the problem and feasibility of back tracking the origin of a self-propagating stealth attack when given a network traffic trace for a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in the identification of the attack origin. We further develop a data reduction method to filter out attack-irrelevant data and only retain evidence relevant to potential attacks for a post-mortem investigation. Using real-world trace driven experiments, we evaluate the performance of the proposed mechanism and show that we can trim down up to 97% of attack-irrelevant network traffic and successfully identify attack origin.

11.
12.
Salman Ola, Elhajj Imad H., Kayssi Ayman, Chehab Ali 《Multimedia Tools and Applications》2021,80(11):16951-16977
Multimedia Tools and Applications - It has been well established that the Internet of Things will bring an expansion in traffic volume and types. This will bring new challenges in terms of Quality...

13.
《Computer Networks》2007,51(16):4617-4633
Autonomic networking has been proposed as an approach to reduce cost and complexity of managing communication functions. An autonomic system is self-configuring, self-optimizing, self-healing and self-protecting. Such a system requires the minimum of administration, primarily involving policy-level management and AI-cognitive models. On the other hand, numerous Active Queue Management (AQM) algorithms have been proposed in the literature to address the problem of congestion in the Internet. Their performance is highly dependent on parameters’ setting and tuning. Besides that, most of the AQM algorithms focus on throughput optimization and fail to provide bounded transmission delay while providing high link utilization to popular TCP-based radio/video streaming applications. Tackling the aforementioned concerns, in this paper we propose and evaluate a novel self-configuring AQM algorithm based on fuzzy logic. The proposed approach simplifies significantly the deployment and management of such complex QoS control mechanisms in the Internet providing at the same time a good tradeoff between link utilization and queuing latency. The introduced algorithm is compared with the most efficient adaptive AQM algorithms proposed to date such as ARED, REM, BLUE, PID and LRED. The performance analysis demonstrates that the proposed “Fast and Autonomic Fuzzy Controller” (FAFC): (1) minimizes queue fluctuation, (2) optimizes the throughput regardless of the traffic load variation and the presence of unresponsive UDP/RTP based voice and video communications, and (3) suggests the best compromise between link utilization and queuing delay.

14.
Internet traffic classification plays an important role in the field of network security and management. Past research works utilize flow-level statistical features for accurate and efficient classification, such as the nearest-neighbor based supervised classifier. However, classification accuracy of supervised approaches is significantly affected if the size of the training set is small. More importantly, the model built using a static training set will not be able to adapt to the non-static nature of Internet traffic. With the drastic evolution of the Internet, network traffic cannot be assumed to be static. In this paper, we develop the concept of ‘self-learning’ to deal with these two challenges. We propose, design and develop a new classifier called Self-Learning Intelligent Classifier (SLIC). SLIC starts with a small number of training instances, self-learns and rebuilds the classification model dynamically, with the aim of achieving high accuracy in classifying non-static traffic flows. We carry out performance evaluations using two real-world traffic traces, and demonstrate the effectiveness of SLIC. The results show that SLIC achieves significant improvement in accuracy compared to the state-of-the-art approach.

15.
Most research on class imbalance to date has focused on the two-class problem. Multi-class imbalance is so complicated that one has little knowledge and experience of it in Internet traffic classification. In this paper we study the challenges posed by Internet traffic classification using machine learning with multi-class unbalanced data and the ability of some adjusting methods, including resampling (random under-sampling, random over-sampling) and cost-sensitive learning. Then we empirically compare the effectiveness of these methods for Internet traffic classification and determine which produces the better overall classifier and under what circumstances. The main contributions are as follows. (1) Cost-sensitive learning is deduced with MetaCost, which incorporates the misclassification costs into the learning algorithm for improving multi-class imbalance based on flow ratio. (2) A new resampling model is presented, including under-sampling and over-sampling, to make the multi-class training data more balanced. (3) A solution is presented to compare the three methods with one another or with the original case. Experimental results on sixteen datasets show that flow g-mean and byte g-mean are statistically increased by 8.6 % and 3.7 %; 4.4 % and 2.8 %; 11.1 % and 8.2 % when the three methods are compared with the original case. Cost-sensitive learning is the first choice when the sample size is sufficient, but resampling is more practical otherwise.

16.
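In view of the characteristics and technical challenges of traditional network forensics, the properties of the Bloom filter are analyzed and a Bloom filter-based network forensics system is designed. Exploiting the characteristics of the Bloom filter data structure, the system can collect, compress and store raw network data in real time, effectively saves storage space, and supports efficient post-event analysis and querying for network forensics. Finally, directions for further research are pointed out.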

17.
Multi-Agent-Based Dynamic Forensics for Network Intrusion   Total citations: 2, self-citations: 0, citations by others: 2
张基温  蒋中云 《计算机工程与设计》2006,27(11):2051-2053,2056
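Based on an analysis of the basic principles of dynamic computer forensics and the characteristics of Multi-Agent systems, Multi-Agent technology is applied to computer forensics and a Multi-Agent-based architecture for a dynamic network intrusion forensics system is proposed. With multiple kinds of agents working cooperatively, the system can collect intrusion evidence in real time, accurately and comprehensively, and reconstruct the intrusion process, thereby overcoming the poor timeliness and the difficulty of evidence collection that affect static forensics.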

18.
Multimedia Tools and Applications - National critical infrastructure networks, such as banks and industrial control systems (ICSs), can be seriously damaged in the event of a security incident....

19.
《Computer Networks》2008,52(11):2237-2258
In this paper, a novel distributed dynamic traffic engineering (Dynamic TE) mechanism is proposed. The mechanism periodically updates bandwidth reservation and selects the optimum path (resizing and rerouting) for each TE-LSP according to its computed traffic load, leading to path reoptimization and better network utilization. Different resizing policies are investigated and their effect on QoS is analyzed. Detailed performance analysis is then undertaken using simulations on conditions similar to an international transit network. A mixed load of voice and data traffic originating in different timezones is used on a realistic network where all the links have an independent probability of failure. The simulation results show significant performance improvement using Dynamic TE for several metrics of interest and give insight into several scenarios that could benefit from its deployment.

20.
Accurate and timely traffic classification is critical in network security monitoring and traffic engineering. Traditional methods based on port numbers and protocols have proven to be ineffective in terms of dynamic port allocation and packet encapsulation. The signature matching methods, on the other hand, require a known signature set and processing of packet payload, and can only handle the signatures of a limited number of IP packets in real-time. A machine learning method based on SVM (support vector machine) is proposed in this paper for accurate Internet traffic classification. The method classifies the Internet traffic into broad application categories according to the network flow parameters obtained from the packet headers. An optimized feature set is obtained via multiple classifier selection methods. Experimental results using traffic from a campus backbone show that an accuracy of 99.42% is achieved with the regular biased training and testing samples. An accuracy of 97.17% is achieved when un-biased training and testing samples are used with the same feature set. Furthermore, as all the feature parameters are computable from the packet headers, the proposed method is also applicable to encrypted network traffic.
