Research on Network Anomaly Detection and Traceback Methods
Study on Detecting Network Anomaly and Tracing Back Abnormal TCP Packets
【Author】 Chen Ning;
【Author information】 Huazhong University of Science and Technology, Computer Application Technology, 2009, Doctoral dissertation
【Abstract (translated from the Chinese)】 Today's networks contain many anomalous behaviours whose purpose is network intrusion or sabotage, such as network scanning and denial-of-service attacks, and they seriously affect normal network operation. Although network anomaly detection methods based on threshold filtering, signature matching and statistical detection already exist, they concentrate on discovering anomalies and implementing protection, and pay little attention to the digital evidence relevant to network crime, such as the time of the attack, its type, and the address of the host that launched it. Exploring effective methods for detecting network anomalies and tracing them back therefore has important theoretical and practical significance for network tracing, network forensics and the fight against network crime. Based on the self-similarity of network traffic on large time scales, and on the relationship among anomalous traffic, wavelet-transform modulus maxima and Lipschitz regularity on small time scales, a wavelet-transform-based method for detecting and locating network traffic anomalies is proposed. The method estimates the Hurst exponent by the wavelet-coefficient variance method and judges whether current traffic is normal from changes in that exponent. Once an anomaly is found, it uses the relationship between signal singularity and the Lipschitz exponent to compute the Lipschitz exponent of the traffic quickly via the wavelet transform, and locates the moment the anomaly occurred from changes in that exponent. Research has also found that about 90% of network traffic consists of TCP (Transmission Control Protocol) flows, so it is easy to see that any small change in TCP flows can have a large effect on the whole network. Therefore, after an anomaly has been detected and its time located, a method for detecting and analysing anomalous network behaviour based on a correlation coefficient matrix is proposed for TCP flows, grounded in the TCP protocol. Starting from the completeness of TCP connection-establishment and connection-teardown packets, the method uses the quantitative correlation between different packet types in a TCP flow to assess the health of the flow at a macroscopic level with a correlation coefficient matrix, without maintaining the state of each individual TCP connection. By choosing an appropriate statistical time granularity and sample size, five types of packets involved in TCP connection establishment and teardown are selected as observed packets; from changes in the correlation between their counts, combined with the effect that common TCP anomalies have on the computed correlation coefficients, the packet type responsible for the anomaly is revealed, and from it the cause of the anomalous network behaviour is uncovered. After an anomaly has been found and its time period, anomalous packets and behaviour type have been identified, a method for tracing back anomalous transport-layer packets is proposed to meet the traceback requirements of that layer. The method stores the TCP five-tuples of the anomalous packets and clusters them using an improvement on the standard Bloom filter, the Independent Hash Bloom Filter (IHBF). After mining the most active five-tuples in the anomalous packets and the frequent items of their principal-component clusters, it combines these with the clustering characteristics of common TCP anomalies and, through comprehensive analysis, obtains the information needed to trace back the anomalous packets, thereby achieving transport-layer traceback. This research into network anomaly detection and traceback methods has produced a series of theoretical results and contributes to improving network security and combating network crime.
【Abstract】 Network anomalies are usually caused by malicious behaviours such as distributed denial-of-service (DDoS) attacks and network scanning, and they severely disturb network operation. Researchers have looked for various ways to detect and prevent them, including threshold-based, feature-based and statistics-based approaches. However, most of these methods ignore the digital forensic evidence related to network crime, such as the attack time, attack type and attacking host. Exploring an effective detection and traceback method therefore has important theoretical significance and practical value for network tracing, network forensics and fighting network crime. According to the self-similarity of network traffic on large time scales, and the relationship among abnormal traffic, wavelet-transform modulus maxima and the Lipschitz exponent on small time scales, we present a network traffic anomaly detection and localisation method based on the wavelet transform. Detection is based on changes in the Hurst parameter, which is calculated by the wavelet-coefficient variance method. When an anomaly is detected, the method uses the relationship between signal singularity and the Lipschitz exponent, calculates the Lipschitz exponent quickly by wavelet transform, and locates the time of the traffic anomaly by the change in the Lipschitz exponent. It has been found that about 90% of network traffic consists of TCP (Transmission Control Protocol) flows, which therefore dominate the traffic. After detecting a traffic anomaly and locating its time, we therefore build on the TCP protocol, focus on TCP flows, and give an anomaly detection and analysis method based on a correlation coefficient matrix.
This method is based on the integrity of the packets that establish and tear down TCP connections; it uses the quantitative correlation between different packet types in TCP flows and estimates the health of the flows by a correlation coefficient matrix, without maintaining detailed state for each TCP connection. By choosing the right statistical time granularity, sample number and observed TCP packet types, we obtain the quantitative relationship between the different packet types in each time unit from the correlation coefficient matrix, discover anomalous behaviours in the TCP flows and their types from the variation of the correlation coefficients between observed packets, and thereby implement network health checking and anomalous behaviour detection and analysis. After finding a traffic anomaly, locating its time, and identifying the abnormal packets and the anomalous behaviour, we address the requirement of tracing back anomalous transport-layer packets and give a method for tracing back abnormal TCP packets. This method stores and analyses clustering information about the five-tuples using an improved Bloom filter, the Independent Hash Bloom Filter (IHBF). After mining the clustering information of the five-tuples and their principal components in the data stream, together with the characteristics of common anomalous behaviours, we can finally trace the source of the abnormal TCP packets. Through this research on network anomaly detection and traceback methods, we obtained a series of academic results that contribute to improving network security and fighting network crime.
【Key words】 Network anomaly behavior; Anomaly detection and analysis; Trace back; Wavelet transform; Correlation coefficient matrix; Clustering;
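The correlation-coefficient-matrix health check on TCP packet-type counts described in both abstracts, as an added Python example that is not part of the thesis. The five observed packet types, the one-second windows and both traffic samples are constructed assumptions; the thesis does not name its five types.

```python
from math import sqrt

# Assumption: the thesis observes "five packet types involved in TCP connection
# establishment and teardown" without naming them; these are the natural choice.
TYPES = ["SYN", "SYN_ACK", "ACK", "FIN", "RST"]

def pearson(x, y):
    """Pearson correlation coefficient of two equally long count series."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:          # a constant series carries no correlation
        return 0.0
    return cov / sqrt(vx * vy)

def correlation_matrix(windows):
    """windows: one {packet_type: count} dict per statistical time unit."""
    series = {t: [w[t] for w in windows] for t in TYPES}
    return {a: {b: pearson(series[a], series[b]) for b in TYPES} for a in TYPES}

# In healthy traffic every handshake contributes one SYN, one SYN-ACK and one
# ACK, so their per-window counts rise and fall together (correlation near 1).
HANDSHAKE_PAIRS = [("SYN", "SYN_ACK"), ("SYN_ACK", "ACK"), ("SYN", "ACK")]

def flag_anomalies(matrix, threshold=0.5):
    """Handshake pairs whose correlation has collapsed below the threshold."""
    return [(a, b) for a, b in HANDSHAKE_PAIRS if matrix[a][b] < threshold]

def make_windows(**counts):
    n = len(counts["SYN"])
    return [{t: counts[t][i] for t in TYPES} for i in range(n)]

# Constructed sample: ten one-second windows of ordinary traffic.
NORMAL = make_windows(
    SYN=[100, 120, 90, 130, 110, 95, 125, 105, 115, 100],
    SYN_ACK=[98, 118, 88, 127, 108, 93, 122, 103, 112, 98],
    ACK=[97, 116, 87, 125, 107, 92, 120, 101, 111, 97],
    FIN=[90, 110, 82, 118, 100, 85, 114, 96, 104, 91],
    RST=[3, 4, 2, 5, 3, 3, 4, 3, 4, 3])
# Constructed sample: windows 4, 5 and 9 carry a spoofed-source SYN flood. The
# server still sends SYN-ACKs, but third-step ACKs vanish as the backlog fills.
SYN_FLOOD = make_windows(
    SYN=[100, 120, 90, 800, 1200, 95, 125, 105, 1500, 100],
    SYN_ACK=[98, 118, 88, 780, 1170, 93, 122, 103, 1460, 98],
    ACK=[97, 116, 87, 60, 40, 92, 120, 101, 30, 97],
    FIN=[90, 110, 82, 55, 35, 85, 114, 96, 25, 91],
    RST=[3, 4, 2, 5, 3, 3, 4, 3, 4, 3])
```

On the flood sample the SYN/SYN-ACK pair stays correlated while both pairs involving ACK collapse, which points at the missing third handshake packet as the anomalous type, exactly the per-type diagnosis the abstract describes.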