基于流量结构稳定性的服务器网络行为描述:建模与系统

针对现有基于异常特征库匹配的流量检测方法难以适应日趋复杂的网络环境需要的问题，对服务器网络流量进行了大量观测和研究，综合正常流量在某些属性上的固有稳定性及特定服务在流量层面表现出的稳定性，提取相应的流量特征，同时提出了流量结构稳定性的概念，并基于此对服务器的正常网络行为轮廓进行刻画，依据当前流量结构偏离正常轮廓的程度对服务器网络异常行为进行检测。针对流量结构差异性的定量刻画问题，提出了一种基于Spie Chart的可视化度量方法，并基于一台邮件服务器流量实现了系统，通过实验验证了系统对常见网络攻击及未知网络异常的检测效果。

Profiling Structure-Stability-Based Server Traffic: Behavior Models and System

Server as an important part of the institutions or organizations usually carries a particular network service, for the security protection, it usually adopts rule-based approaches to detecting attacks according to the specific characters. However, due to the new network attacks emerge in endlessly and network anomaly is difficult to define, anomaly-feature-based detection is more and more difficult to meet the needs of the increasingly complex network environment. To cope with it, we propose the concept of traffic structure stability based on both the inherent stability of normal traffic attributes and the stability of a specific service, and profile the normal network behavior model for the server to detect traffic abnormality. To describe the difference between current traffic structure and the normal profile, we propose a novel visualization measurement method based on Spie Chart. Finally, we implement the system on a mail server and confirm the validity of the model by experiments.