
DDoS攻击的检测及网络安全可视化研究

Research on DDoS Attacks Detection and Related Network Security Visualization Techniques

【Author】 吕良福

【Advisor】 何丕廉

【Author information】 Tianjin University, Computer Application Technology, 2008, PhD dissertation

【Abstract (translated from Chinese)】 Network security visualization has been a hot research area abroad in recent years. Unlike traditional methods of analyzing log data, visualization technology brings a change in the research methods of network security. It can not only process massive volumes of data effectively, but also help network administrators quickly identify potential attacks and anomalous events by analyzing graphical patterns, and can even discover new attack types and predict security events. This dissertation focuses on network security visualization for DDoS attacks. Detecting DDoS attacks by estimating the Hurst parameter with wavelet analysis yields imprecise parameter values, which easily causes missed and false alarms; in addition, wavelet analysis requires a large sample size and is computationally slow, so it cannot identify weak DDoS attacks accurately and quickly. To address this, an improved wavelet-based DDoS detection technique is proposed: principal component analysis is first used to reduce the dimensionality of the network data, and wavelet analysis is then applied to the reduced data to estimate the self-similarity parameter (the Hurst parameter). An improved principal component analysis algorithm for dimensionality reduction of large-scale network data is also proposed. The new algorithm greatly increases detection speed and estimates the Hurst parameter accurately. Experimental results are presented numerically and graphically, demonstrating the effectiveness of the new algorithm from several perspectives. Following the information visualization pipeline, this dissertation studies the data sources, visual structures and interactive functions that a DDoS visual detection system should adopt, analyzes the strengths and weaknesses of existing foreign network security visualization techniques for DDoS attacks, and proposes a new DDoS detection technique. Starting from the early characteristics of a DDoS attack as it forms, network data are extracted, analyzed and aggregated, and the attributes of graphical elements are computed and displayed according to a set of algorithmic rules. Finally, DDoSViewer, a display tool dedicated to DDoS attacks, is designed and implemented; experiments show that the new system has good display and interaction functions and can detect DDoS attacks effectively. Current network security visualization techniques for port scanning usually take time as the most important parameter and therefore detect only relatively fast scans; they perform poorly on port-related security events that are highly dynamic, random and stealthy, such as DDoS, worms and Trojans. This dissertation therefore proposes a network security information visualization method for slow and stealthy scans: by analyzing network packets and applying information visualization techniques, the visual port scan detection system ScanViewer is designed and developed. It can discover attack patterns in large volumes of fuzzy data and effectively detects slow scans, distributed scans and various types of TCP stealth scans.
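The abstract's first contribution rests on estimating the traffic self-similarity (Hurst) parameter with wavelet analysis and watching it for changes. The following added example (not code from the dissertation) shows the standard wavelet estimator in pure Python: a Haar decomposition, a log2(energy)-versus-scale regression of the Abry-Veitch kind, and a per-window detector that flags windows whose H leaves an assumed baseline band. The PCA pre-processing step and the dissertation's improved algorithm are not reproduced; the traffic series, the 2048-sample window and the 0.35..0.65 band are constructed assumptions.

```python
"""Haar-wavelet Hurst estimation and a window-based self-similarity shift detector.

Added example, not the dissertation's own code: an Abry-Veitch-style log-scale
regression on Haar detail energies. The sample traffic is constructed; the PCA
dimensionality-reduction step described in the abstract is omitted here.
"""
import math
import random


def haar_detail_energies(x):
    """Return [(mean detail energy, coefficient count)] per scale, scale 1 = finest."""
    approx = list(x)
    energies = []
    while len(approx) >= 2:
        n = len(approx) // 2
        detail = [(approx[2 * i] - approx[2 * i + 1]) / math.sqrt(2) for i in range(n)]
        approx = [(approx[2 * i] + approx[2 * i + 1]) / math.sqrt(2) for i in range(n)]
        energies.append((sum(d * d for d in detail) / n, n))
    return energies


def hurst_wavelet(x, min_coeffs=16):
    """Estimate H from the slope of log2(E_j) against scale j.

    For a process with stationary self-similar increments E_j ~ 2^(j(2H-1)),
    so H = (slope + 1) / 2. Scales with fewer than min_coeffs coefficients are
    dropped and the fit is weighted by coefficient count (assumed weighting).
    """
    pts = [(j + 1, math.log2(e), n)
           for j, (e, n) in enumerate(haar_detail_energies(x))
           if n >= min_coeffs and e > 0]
    if len(pts) < 2:
        raise ValueError("series too short for a wavelet Hurst estimate")
    w = sum(n for _, _, n in pts)
    jm = sum(j * n for j, _, n in pts) / w
    ym = sum(y * n for _, y, n in pts) / w
    slope = (sum(n * (j - jm) * (y - ym) for j, y, n in pts)
             / sum(n * (j - jm) ** 2 for j, _, n in pts))
    return (slope + 1) / 2


def constructed_traffic(n_baseline=2, window=2048, seed=7):
    """Constructed packet-rate series: white-noise baseline windows (H near 0.5)
    followed by a strongly autocorrelated AR(1) window standing in for a change
    in traffic self-similarity. Not captured traffic."""
    rng = random.Random(seed)
    series = [100 + rng.gauss(0, 10) for _ in range(n_baseline * window)]
    x = 0.0
    for _ in range(window):
        x = 0.9 * x + rng.gauss(0, 10)
        series.append(100 + x)
    return series


def detect_hurst_shift(series, window=2048, h_low=0.35, h_high=0.65):
    """Estimate H per window; flag windows outside the assumed baseline band.
    Returns [(window index, H rounded to 3 places, flagged)]."""
    out = []
    for k in range(len(series) // window):
        h = hurst_wavelet(series[k * window:(k + 1) * window])
        out.append((k, round(h, 3), not (h_low <= h <= h_high)))
    return out


if __name__ == "__main__":
    for k, h, flagged in detect_hurst_shift(constructed_traffic()):
        print(f"window {k}: H={h:.3f} {'SHIFT' if flagged else 'baseline'}")
```

The baseline band must be learned from the monitored link's own quiet periods rather than taken from this example; the abstract's point about sample size applies directly, since the regression uses only scales that still have enough coefficients, so short windows yield fewer scales and a noisier H.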

【Abstract】 Network security visualization has become a hot research field in recent years. Unlike the traditional methods of analyzing log data, visualization technology changes the research methods of network security greatly. It can not only deal with large volumes of data effectively, but also help network administrators detect anomalies by analyzing patterns in the graphs, and can even discover new types of attacks and forecast the trend of events.

Though some researchers have proposed solving the self-similarity parameter of network traffic by wavelet analysis, the resulting value is imprecise. The volume of training data used in solving the self-similarity parameter is very large; this makes the whole process very slow, and the method cannot detect weak DDoS attacks in time. So an improved DDoS detection algorithm based on wavelet analysis is proposed in this paper. Principal component analysis is first used to reduce the dimension of the network data, and the new low-dimensional data are then used to solve the self-similarity parameter. An improved principal component analysis algorithm for dimension reduction of large amounts of data is proposed in this paper too. The algorithm increases the speed of detection greatly. From the numerical and graphic results we can see that the new algorithms are very effective.

According to the information visualization process, the data sources, visual structures and interactive functions of visualization techniques specifically for DDoS detection are studied in this paper. The advantages and disadvantages of existing network security visualization techniques for DDoS detection are analyzed too. The early characteristics of DDoS attacks are studied, and a novel visualization technique for DDoS detection named DDoSViewer is proposed. The extraction and analysis of network data and the calculation and display of graphic elements' attributes are included in the new visualization technique. The results show that the new system can detect DDoS attacks effectively.

Time is always used as the most important parameter in current network security visualization techniques for port scans. This makes slow scans, dynamic or random scans, concealed scans and spoofed scans hard to detect, and the detection results for related security anomalies such as DDoS, worms and Trojans are poor too. Therefore, a novel network security visualization method for slow scans, concealed scans etc. is proposed in this paper. Through analysis of the network data packets and information visualization techniques, a new visual system for port scan detection named ScanViewer is designed. Many interactive functions are developed in the new system too. The results show that attack patterns can be easily found in large amounts of fuzzy data, and that slow scans, distributed scans and various types of TCP concealed scans can be effectively detected with ScanViewer.
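The abstract's second point is that time-centred scan detection misses slow, distributed and concealed (NULL/FIN/Xmas) scans. The added example below (not ScanViewer's own code or data model) shows the defender-side aggregation such a tool needs before anything is drawn: it indexes constructed SYN records by source and by destination, measures the slow scanner's probe rate to show why a per-minute threshold would not trigger, and then flags sources by distinct-port coverage over any time span, targets whose port space is covered jointly by many low-volume sources, and stealth flag combinations. The record format, the RFC 5737 documentation addresses and all thresholds are assumptions.

```python
"""Slow, distributed and stealth TCP port-scan detection on constructed packet records.

Added example, not ScanViewer's own code: the record format, sample traffic
(RFC 5737 documentation addresses) and thresholds are all assumptions.
"""
from collections import defaultdict

# TCP flag combinations characteristic of stealth scans (assumed flag letters).
STEALTH_FLAGS = {
    frozenset(): "NULL",
    frozenset("F"): "FIN",
    frozenset("FPU"): "XMAS",
}


def parse_record(line):
    """Parse one constructed record: '<seconds> <src> <dst> <dport> <flags>' ('-' = no flags)."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "flags": frozenset() if flags == "-" else frozenset(flags)}


def build_sample_records():
    """Constructed traffic, not a capture: one ordinary client, one slow scanner,
    six hosts splitting a port list between them, and one stealth prober."""
    lines = [f"{t} 10.0.0.7 192.0.2.10 443 S" for t in (0, 30, 60)]  # normal client
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    # one SYN every 10 minutes: far below any per-minute rate threshold
    lines += [f"{600 * i} 10.0.0.5 192.0.2.10 {p} S" for i, p in enumerate(probe_ports)]
    for k in range(6):  # six sources, two ports each, against one target
        src = f"198.51.100.{k + 1}"
        lines += [f"{100 + k} {src} 192.0.2.20 {p} S" for p in probe_ports[2 * k:2 * k + 2]]
    lines += [f"{200 + i} 203.0.113.9 192.0.2.10 {p} F" for i, p in enumerate((80, 443, 8080))]
    lines.append("210 203.0.113.9 192.0.2.10 22 -")  # NULL probe
    return lines


def summarize(records):
    """Index packets by source (ports touched, time span, stealth flag counts)
    and by destination host (source -> set of probed ports)."""
    by_src = defaultdict(lambda: {"ports": set(), "first": float("inf"),
                                  "last": float("-inf"), "stealth": defaultdict(int)})
    by_dst = defaultdict(lambda: defaultdict(set))
    for line in records:
        r = parse_record(line)
        s = by_src[r["src"]]
        s["ports"].add((r["dst"], r["dport"]))
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
        kind = STEALTH_FLAGS.get(r["flags"])
        if kind:
            s["stealth"][kind] += 1
        by_dst[r["dst"]][r["src"]].add(r["dport"])
    return by_src, by_dst


def ports_per_minute(entry):
    """Probe rate a time-based detector would see for one source."""
    span = max(entry["last"] - entry["first"], 1.0)
    return len(entry["ports"]) * 60.0 / span


def find_slow_scans(by_src, min_ports=10, min_span=600.0):
    """Sources touching many distinct (host, port) pairs, however slowly."""
    return sorted(src for src, s in by_src.items()
                  if len(s["ports"]) >= min_ports and s["last"] - s["first"] >= min_span)


def find_distributed_scans(by_dst, min_sources=5, min_ports=10, max_ports_per_source=3):
    """Targets whose port space is covered by many sources that each probe only a few ports."""
    hits = []
    for dst, srcs in by_dst.items():
        covered = set().union(*srcs.values())
        if (len(srcs) >= min_sources and len(covered) >= min_ports
                and max(len(p) for p in srcs.values()) <= max_ports_per_source):
            hits.append(dst)
    return sorted(hits)


def find_stealth_probes(by_src):
    """Sources that sent NULL/FIN/Xmas-flagged segments, with counts per kind."""
    return {src: dict(s["stealth"]) for src, s in by_src.items() if s["stealth"]}


if __name__ == "__main__":
    by_src, by_dst = summarize(build_sample_records())
    print("slow scanners:", find_slow_scans(by_src))
    print("distributed-scan targets:", find_distributed_scans(by_dst))
    print("stealth probes:", find_stealth_probes(by_src))
    print("10.0.0.5 rate (ports/min):", round(ports_per_minute(by_src["10.0.0.5"]), 3))
```

The per-source state must be retained across the whole observation horizon for this to work, which is the memory cost a slow-scan detector trades against the time-windowed approach the abstract criticises.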

  • 【Online publication submitter】 Tianjin University
  • 【Online publication issue】 2009, No. 07