Identification and Management of Abnormal Campus Network Traffic Based on OpenFlow
Published: 2019-03-27 18:32
[Abstract]: With the rapid development of Internet technology, network traffic is becoming increasingly diverse, and the requirements for reliability, real-time performance and security of network transmission keep rising. The abnormal-traffic attacks that have come with this growth pose a serious potential threat to people's lives and affect the normal operation of the Internet. The harm abnormal traffic does to a network shows mainly in two respects: first, it consumes large amounts of network resources, including switches and other network devices; second, it causes network congestion, which increases packet delay, causes packet loss, and can even leave the network paralyzed and unusable. The detection and identification of abnormal network traffic has therefore become a key research topic.

This thesis uses OpenFlow, currently the most popular network model, to identify and manage abnormal traffic in a campus network environment. Building on earlier work on the detection and identification of abnormal traffic, it implements an abnormal-traffic identification and management system on the OpenFlow platform. The system handles abnormal traffic with three modules: a traffic collection and sampling module, an abnormal-traffic identification module, and an abnormal-traffic control module.

(1) The traffic sampling module samples traffic on the OpenFlow platform. Traffic collection nodes are installed on the OpenFlow switches, and an adaptive dynamic sampling algorithm captures and counts the packets that have passed the flow-table lookup, with basic filtering and protocol analysis. The collected data serve as the training data set: the data are split into flows for preprocessing, clustered by network protocol, and grouped into corresponding IP groups. A training sample data set is generated at the same time, attribute analysis is performed on it, clustered data are produced from the training samples, and the clustered data are labeled.

(2) The abnormal-traffic detection and identification module takes the collected data set as its analysis granularity. It applies data mining techniques and algorithms to partition the data records and to find the relationships among them and the implicit, useful patterns and rules, separating a normal behavior library from an abnormal behavior library. It then performs pattern analysis on the abnormal behavior library. Filtering rules are set in the OpenFlow controller, and abnormal traffic is identified by matching the abnormal behavior library against these filtering rules. The data mining algorithm is K-means, which is scalable and efficient for large traffic volumes and can reach a local optimum.

(3) The abnormal-traffic control module mainly covers how to customize filtering rules and generate a decision tree, the classification and handling of abnormal packets, the analysis of protocol structure, and information feedback.

Finally, an experimental simulation platform is built with Mininet and Floodlight, and the correctness and feasibility of the model designed in this thesis are verified by simulating the sending and receiving of traffic and by simulating network attacks.
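[Degree-granting institution]: Dalian University of Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.18
Article ID: 2448444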
Article link: http://www.sikaile.net/guanlilunwen/ydhl/2448444.html