With the accelerating variation of malicious code and its concealment from strength to strength, the network anomaly detection approach based on traffic features has higher false negatives, especially when the attacker confuses the traffic characteristics. In this paper, we propose a modeling method which establishes the directed graph model of a 4-layer tree structure in the order of local hosts, local ports, remote ports and remote hosts. This model reflects the relationships of end-hosts and the relationships among the processes in end-hosts. Based on this model, a subgraph model is established for the server's client behavior and server-side behavior respectively. Due to the long-term stability of server-side behavior in subgraph structure, this paper proposes a subgraph-based server network behavior anomaly detection algorithm SNBAD. The algorithm divides the server's network traffic into several data-windows and establishes the service subgraph models for each window respectively, and characterizes the communication features of each subgraph. The algorithm detects abnormal behavior by calculating the Jaccard similarity coefficient of the continuous data window. In this paper, the flow of host infected malicious code is mixed into the real network traffic data, and the SNBAD algorithm is verified. The experimental results show that the SNBAD algorithm can detect the abnormal of the server-side behavior of server effectively.%随着恶意代码变异速度加快,隐蔽性越来越强,特别是在攻击者将流量特征进行混淆时,基于流量统计特征的网络异常检测方法漏报率变大.文章应用图分析方法,提出一种基于子图的服务器网络行为建模方法,该建模方法将本地主机流量按照本地主机、本地端口、远程端口、远程主机的顺序建立具有4层树形结构的有向图模型.该模型反映了本地主机与远程主机的通信关系以及两端进程间的通信关系.基于此模型,分别对服务器的客户端行为和服务端行为建立子图模型.由于服务端行为在子图结构上具有长期稳定性,文章提出了基于子图的服务器网络行为异常检测算法SNBAD.该算法对服务器的网络流量划分数据窗口,并对每个窗口分别建立服务子图模型,刻画每个子图的通信特征.该算法通过计算连续数据窗口服务子图的Jaccard相似系数来对异常行为进行检测.文章将主机感染恶意代码的流量混入真实网络流量数据中对SNBAD算法进行了验证,实验结果表明,SNBAD算法能够有效检测服务器服务端行为的异常.
展开▼
