
Research on a Data-Mining-Based Network Traffic Anomaly Detection System

Research of Anomaly Detection System of Network Traffic Based on Data Mining

[Author] 毛敬玉 (Mao Jingyu)

[Supervisors] 管会生 (Guan Huisheng); 杨阳 (Yang Yang)

[Author information] 兰州大学 (Lanzhou University), Computer Technology, 2007, Master's degree

[Abstract (Chinese)] As the scale and application fields of computer networks grow, network complexity and heterogeneity keep increasing, and viruses and deliberate sabotage spread over the network are becoming more frequent, seriously disturbing normal network operation. Under these circumstances, detecting anomalies in network traffic accurately and quickly and responding to them reasonably has become one of the key issues in guaranteeing effective network operation. To solve this problem, this thesis designs an anomaly detection system capable of analysing network traffic in real time. To guarantee a high detection rate and a low false alarm rate, data mining techniques are used to derive rule bases of normal and abnormal behavior from historical network audit data; real-time network traffic data are compared against them to identify abnormal behavior in the traffic. When unrecognizable data appear, manual intervention is used to update the rule base and strengthen the ability to recognize unknown data. To avoid misjudgments caused by large behavioral differences between hosts, the thesis takes historical network audit data as its data source, computes each host's access volume per unit time, clusters hosts by access volume with a clustering algorithm to build IP groups that guide the splitting of the audit data, and builds separate rule bases from the split audit data. The thesis describes in detail the architecture of the whole detection system and the function and implementation of each of its components. Finally, we deployed the implemented prototype system at the egress node of the campus network to monitor traffic entering and leaving the campus network in real time. By simulating network attacks, we found that the prototype system can effectively identify data of known attack types and has good recognition ability for unknown data, realizing real-time detection of abnormal network traffic.

[Abstract] With the scale of computer networks and their application fields growing, the network has become an important part of daily life and work. However, as network complexity and heterogeneity increase, the number of Internet viruses and acts of human sabotage spread over the network keeps rising, which degrades the function of the Internet and seriously disturbs the normal operation of the network. Under such circumstances, accurate and rapid detection of abnormal network traffic, together with a rational response, is one of the key issues in ensuring the effective functioning of the network. To solve the above problem, this paper designs an anomaly detection system that analyses network traffic correctly. To guarantee a higher detection rate and a lower false alarm rate, we use data mining technology: from historical network audit data we derive a rule base of normal and abnormal behavior, and by comparing real-time network traffic data against it we discriminate abnormal behavior in the traffic. If data are found that fail to be recognized, we use manual intervention to update the rule base and enhance the ability to identify unknown data. To avoid misjudgment caused by large differences in behavior between hosts, the paper takes historical network audit data as its data source, counts the number of visits per unit time for each host in the network, and uses a clustering algorithm to group hosts by visit volume into IP groups that guide the splitting of the network audit data; rule bases are then built separately from the split audit data. The paper gives a detailed description of the whole detection system and of the functions and realization of its various components. In the experiment, we install the implemented prototype system at the outlet of the campus network and monitor the traffic entering and leaving the campus network in real time.
Then we launch several network attacks against a server in the campus network, and find that the prototype system is effective in identifying data of known attack types, has good recognition ability for unknown data, and realizes real-time anomaly detection of network traffic.

  • [Submitting institution] 兰州大学 (Lanzhou University)
  • [Online publication year/issue] 2008, Issue 05
  • [Classification number] TP393.06
  • [Citation count] 3
  • [Download count] 217