Similar literature
 20 similar documents found; search took 0 ms
1.
In response to the HTTP malicious traffic detection problem, a preprocessing method based on a cutting mechanism and statistical association was proposed to perform statistical information correlation as well as normalization processing of traffic. Then, a hybrid neural network was proposed based on the combination of raw data and empirical feature engineering. It combined a convolutional neural network (CNN) and a multilayer perceptron (MLP) to process text and statistical information. The effect of the model was significantly improved compared with traditional machine learning algorithms (e.g., SVM). The F1 value reached 99.38% and had a lower time complexity. At the same time, a data set consisting of more than 450 000 malicious traffic and more than 20 million non-malicious traffic was created. In addition, a prototype system based on the model was designed with detection precision of 98.1%~99.99% and recall rate of 97.2%~99.5%. The application is excellent in real network environment.

2.
To address the problem that the existing methods of network traffic anomaly detection not only need a large number of training sets, but also have poor generalization ability, an intelligent detection method on network malicious traffic based on sample enhancement was proposed. The key words were extracted from the training set and the sample of the training set was enhanced based on the strategy of key word avoidance, and the ability for the method to extract the text features from the training set was improved. The experimental results show that, the accuracy of network traffic anomaly detection model and cross dataset can be significantly improved by small training set. Compared with other methods, the proposed method can reduce the computational complexity and achieve better detection ability.

3.
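Tu Zhe, Zhou Huachun, Li Kun, Wang Weilin. Telecommunications Science (《电信科学》), 2020, 36(10): 37-45
"Endogenous security" gives information networks the ability to learn and grow on their own, and is an indispensable part of building trusted intelligent communication networks. Aimed at endogenous security for information networks, an endogenous malicious behavior detection framework is proposed that turns passive defense into active interception. The five key components of the framework are modeled and analyzed, and the self-learning, self-growing malicious behavior detection mechanism is described. Finally, a prototype system is built and tested, and the experimental results demonstrate the feasibility and effectiveness of the detection framework.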

4.
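To address the large number of false positives produced by machine-learning-based detection of malicious encrypted traffic, secure two-party computation is used to compare character segments between network traffic content and intrusion detection signatures without revealing the actual data content. Based on the character-segment comparison results, an intrusion detection signature matching method is designed to achieve exact keyword matching. To ensure that the proposed method executes effectively, a random verification strategy for user terminal input is proposed, making it difficult for a malicious user terminal to take part in the secure two-party computation with arbitrary data...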

5.
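Guo Hongyu, Leng Bing, Deng Yonghui. Information Technology (《信息技术》), 2020, (1): 111-115, 120
In recent years, as malicious code detection techniques have improved, network attackers have begun to favor building malicious code that can rewrite and reorder itself in order to evade detection by security software. Traditional machine learning methods identify malicious code from feature vectors hand-designed by security personnel and lack the ability to detect this new type of malicious code. This paper therefore proposes a new detection model based on the temporal behavior of code, and optimizes the neural network using an echo state network, max pooling and a half-frame structure. Compared with traditional detection models, the improved model achieves a substantially higher detection rate for malicious code.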

6.
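With the rapid development of computer technology and related applications, more and more information systems are used in people's daily lives; at the same time, the spread of IPv6 has driven explosive growth in the number of Internet of Things devices. However, attacks against information systems and IoT devices keep emerging and already seriously threaten the secure operation of everyday information systems. Security detection of malicious traffic therefore plays a vital role in network security. This paper proposes a malicious traffic detection algorithm based on multi-grained scanning and a BP neural network; computation and simulation on experimental data show that the algorithm achieves good accuracy, demonstrating its effectiveness.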

7.
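Detection of small, weak targets in sea clutter has important application value in both military and civilian fields. Target detection methods based on radial basis function neural networks can detect small, weak targets in sea clutter, but the choice of training samples directly affects detection performance. To reduce the influence of training samples on detection performance, a method based on a neural network ensemble is proposed for detecting small, weak targets in sea clutter. According to how each sub-network performs on the validation set, sub-networks with greater diversity are given larger weights, and the weighted average of the sub-networks gives the ensemble output. Tests on measured data from the McMaster University IPIX radar show that the method reduces the influence of training sample selection on target detection performance and improves detection capability.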

8.
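A new method for detecting anomalous network traffic based on activity entropy is proposed. The monitored target network is treated as a single system, the NetFlow records formed by the network data flows entering and leaving the system are analyzed, the activity of each direction is counted separately, and their activity entropy is calculated. When computing the activity entropy, different scales are chosen according to traffic volume to reduce the false positive rate, so that anomalies in network traffic are detected more effectively. Simulation experiments in a real network environment show that, compared with traditional detection schemes, the activity-entropy-based method detects anomalous network traffic with random characteristics more effectively.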

9.
10.
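Zhao Li, Ling Xiang. Electronic Design Engineering (《电子设计工程》), 2015, 23(5): 25-27, 30
To protect web pages from having malicious code embedded in them, a malicious code detection system based on classified detection of web page file code is proposed, and the software is designed and developed. The system is developed with J2EE technology; it performs classified code scanning of web page files and handles them according to the different scan results. Practical use shows that classified code detection identifies many kinds of malicious code with a high detection rate and a low false positive rate, meeting the design requirements.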

11.
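Because a single classification method classifies small-sample network flows poorly when training samples are insufficient, the Adaptive Boosting (AdaBoost) algorithm is used for traffic classification. The algorithm first uses the CFS (Correlation-based Feature Selection) method to extract a small number of efficient classification features from a large set of network flow features; on this basis, AdaBoost combines 5 single classification methods, including decision trees, association rules and Bayes, to classify traffic. Tests on real network traffic data show that the AdaBoost-based combined classification method has the highest accuracy among the selected algorithms, reaching 98192%, and that, compared with single classification algorithms, the combined traffic classification method clearly improves classification of small-sample network flows.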

12.
Aiming at the problem that some information causing harm to the network environment was transmitted through the mirror website so as to bypass the detection, an identification method of malicious mirror website for high-speed network traffic was proposed. At first, fragmented data from the traffic was extracted, and the source code of the webpage was restored. Next, a standardized processing module was utilized to improve the accuracy. Additionally, the source code of the webpage was divided into blocks, and the hash value of each block was calculated by the simhash algorithm. Therefore, the simhash value of the webpage source codes was obtained, and the similarity between the webpage source codes was calculated by the Hamming distance. The page snapshot was then taken and SIFT feature points were extracted. The perceptual hash value was obtained by clustering analysis and mapping processing. Finally, the similarity of webpages was calculated by the perceptual hash values. Experiments under real traffic show that the accuracy of the method is 93.42%, the recall rate is 90.20%, the F value is 0.92, and the processing delay is 20 μs. Through the proposed method, malicious mirror website can be effectively detected in the high-speed network traffic environment.

13.
The wide availability of cheap and effective commodity PC hardware has driven the development of versatile traffic monitoring software such as protocol analyzers, traffic characterizers and intrusion detection systems. Most of them are designed to run on general purpose architectures and are based on the well‐known libpcap API, which has rapidly become a de facto standard. Although many improvements have been applied to packet capturing software, it still suffers from several performance flaws, mainly due to the underlying hardware bottlenecks. To overcome these issues, this paper proposes a system architecture, which combines the high performance of a Network Processor card with the flexibility of software‐based solutions. It allows for removing most part of the hardware limitations exhibited by a purely PC‐based architecture, while preserving the full compliance to any software applications based on libpcap. In addition, the proposed system enables the use of monitoring applications at the wire speed, with the possibility of on‐the‐fly data processing. The system performance has been thoroughly assessed: the results show that it clearly outperforms the previous PC‐based solutions in terms of packet capturing power, while the timestamping accuracy is as good as that achieved by DAG cards. Copyright © 2009 John Wiley & Sons, Ltd.

14.
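In recent years, with the rapid worldwide growth of the broadband Internet and the quick spread of related applications, the broadband Internet has become an indispensable information carrier in people's daily work and life. However, alongside users' normal application traffic, all kinds of anomalous traffic have appeared on broadband networks, affecting normal network operation and threatening the security and normal use of user hosts. Drawing on practical experience in day-to-day network management, this paper gives a comprehensive introduction to Internet traffic analysis, focusing on how to use the mainstream traffic analysis technology, NETFLOW, to analyze and handle anomalous traffic.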

15.
Network traffic classification aims at identifying the application types of network packets. It is important for Internet service providers (ISPs) to manage bandwidth resources and ensure the quality of service for different network applications. However, most classification techniques using machine learning only focus on high flow accuracy and ignore byte accuracy. The classifier would obtain low classification performance for elephant flows because of the imbalance between elephant flows and mice flows on the Internet. The elephant flows, however, consume much more bandwidth than mice flows. When the classifier is deployed for traffic policing, the network management system cannot penalize elephant flows and avoid network congestion effectively. This article explores the factors related to low byte accuracy, and secondly, it presents a new traffic classification method to improve byte accuracy with the aid of data cleaning. Experiments are carried out on three groups of real-world traffic datasets, and the method is compared with existing work on the performance of improving byte accuracy. Experiment shows that byte accuracy increased by about 22.31% on average. The method outperforms the existing one in most cases.

16.
In wireless sensor networks, sensor nodes are usually fixed to their locations after deployment. However, an attacker who compromises a subset of the nodes does not need to abide by the same limitation. If the attacker moves his compromised nodes to multiple locations in the network, such as by employing simple robotic platforms or moving the nodes by hand, he can evade schemes that attempt to use location to find the source of attacks. In performing DDoS and false data injection attacks, he takes advantage of diversifying the attack paths with mobile malicious nodes to prevent network-level defenses. For attacks that disrupt or undermine network protocols like routing and clustering, moving the misbehaving nodes prevents them from being easily identified and blocked. Thus, mobile malicious node attacks are very dangerous and need to be detected as soon as possible to minimize the damage they can cause. In this paper, we are the first to identify the problem of mobile malicious node attacks, and we describe the limitations of various naive measures that might be used to stop them. To overcome these limitations, we propose a scheme for distributed detection of mobile malicious node attacks in static sensor networks. The key idea of this scheme is to apply sequential hypothesis testing to discover nodes that are silent for unusually many time periods—such nodes are likely to be moving—and block them from communicating. By performing all detection and blocking locally, we keep energy consumption overhead to a minimum and keep the cost of false positives low. Through analysis and simulation, we show that our proposed scheme achieves fast, effective, and robust mobile malicious node detection capability with reasonable overhead.

17.
The aim of wireless sensor networks (WSNs) is to gather sensor data from a monitored environment. However, the collected or reported information might be falsified by faults or malicious nodes. Hence, identifying malicious nodes in an effective and timely manner is essential for the network to function properly and reliably. Maliciously behaving nodes are usually detected and isolated by reputation and trust‐based schemes before they can damage the network. In this paper, we propose an efficient weighted trust‐based malicious node detection (WT‐MND) scheme that can detect malicious nodes in a clustered WSN. The node behaviors are realistically treated by accounting for false‐positive and false‐negative instances. The simulation results confirm the timely identification and isolation of maliciously behaving nodes by the WT‐MND scheme. The effectiveness of the proposed scheme is afforded by the adaptive trust‐update process, which implicitly performs trust recovery of temporarily malfunctioning nodes and computes a different trust‐update factor for each node depending on its behavior. The proposed scheme is more effective and scalable than the related schemes in the literature, as evidenced by its higher detection ratio (DR) and lower misdetection ratio (MDR), which only slightly vary with the network's size. Moreover, the scheme sustains its efficient characteristics without significant power consumption overheads.

18.
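Clustering the nodes of a wireless sensor network is an effective way to achieve efficient, energy-saving management and application of the network. Among network security problems, malicious nodes are especially prominent: they disrupt the normal working rules of the network system and affect the network's efficiency and overall lifetime. To improve the overall performance of the network, it is desirable to identify and remove disruptive malicious nodes in time during the clustering phase. Following the hierarchical network communication approach of LEACH, a LEACH-algorithm-based key pre...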

19.
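With the rapid development of P2P networks, they are widely used in many fields. However, because of the openness and anonymity of P2P networks, many deceptive, colluding and strategic malicious nodes exist in them, affecting their effectiveness and availability. Many existing trust models each offer methods for suppressing various kinds of malicious nodes; starting from the malicious nodes themselves, this paper summarizes the main methods used by typical trust models to suppress them.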

20.
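To further optimize the energy savings of street lamp monitoring systems, an energy-saving street lamp monitoring system based on RFID, ZigBee and the GPRS network is built. The system uses a three-tier monitoring structure of monitoring center, monitoring substations and monitoring terminals, and a two-tier networking scheme combining GPRS and ZigBee. The monitoring center switches all of the city's street lamps on and off together according to illuminance information. Once the lamps are on, the monitoring substations use RFID to detect traffic flow information in real time and adjust lamp power (brightness) based on traffic flow forecasts. The system is technically advanced, of high practical value and saves energy well, and has broad application prospects in urban street lamp monitoring and highway street lamp monitoring.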
