没有合适的资源？快使用搜索试试~ 我知道了~

首页"MINOS: 无监督的大型网络攻击检测与时间分析"

"MINOS: 无监督的大型网络攻击检测与时间分析"

网络

毕业设计

需积分: 5 0 下载量 44 浏览量更新于2024-03-12 收藏 1.33MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

试读

100页

The task of monitoring malicious activities in large-scale networks has become increasingly challenging. The sheer volume and heterogeneity of network traffic hinder the manual definition of IDS signatures and deep packet inspection. In this thesis, the author presents MINOS, a novel, completely unsupervised method for generating anomaly scores for each host, enabling high-precision classification of infected (host generating malicious activity), attacked (host under attack), or clean (no infection) hosts. The hourly scores generated can detect the time range of host being infected or attacked without any prior knowledge. MINOS automatically creates personalized traffic behavior models for each host, without the need for any prior knowledge of existing or unknown attacks. Experimental evaluations on real large-scale academic networks data spanning over a year show that MINOS achieves very high accuracy even with just two weeks of data analysis. The author demonstrates that MINOS is also more effective and faster than state-of-the-art unsupervised anomaly detection methods for traffic data. The thesis "MINOS: Unsupervised Netflow-Based Detection of Infected and Attacked Hosts, and Attack Time in Large Networks" by Mousume Bhowmick, submitted for the degree of Master of Science in Computer Science at Boise State University in August 2019, presents a significant contribution to the field of network security, offering a promising approach to addressing the challenges of monitoring and detecting malicious activities in large-scale networks.

资源详情

资源推荐

CHAPTER ONE: INTRODUCTION

1.1 Motivation

The Internet is a widespread system in continuous evolution, where the

number of attacks, Internet traffic, and line speed continues to grow [32]. Nowadays,

it is common to use an access speed of 1 - 10 Gbps. Since bandwidth for wired

connections is available, high-bandwidth services are being offered to users. For

example, a university network reaches traffic averages in the order of hundreds of

Mbps, including high activity peaks in the order of Gbps [53, 58, 59]. On backbone

networks, the throughput will even be higher. Also, it is conventional for Internet

users to have been a victim of an attack because of attackers’ constant assaults into

networked systems. For example, a hacked machine can send out sensitive data to an

unauthorized host; in this case, the cost of these attacks would be billions of U.S.

dollars [15]. Therefore, it becomes significant to detect and prevent these intrusions as

early as possible. Therefore, Network Intrusion Detection Systems (NIDS) need to

handle the rising number of attacks, the growth of Internet traffic as well as the

increase in line speed.

The most popular systems such as Bro [46], SNORT

, and Suricata

demonstrate high resource consumption, when confronted with the vast amount of data

found in today’s high-speed networks [14]. Additionally, those systems are doing an in-

depth analysis of the packets. If the packet’s data is encrypted, then it poses a new

challenge to payload-based systems. Moreover, researchers assess that the payload-

based NIDS processing capability lies between 100 Mbps and 200 Mbps [17, 34],

which is inconvenient to this era. In contrast, the flowbased NIDS looks at aggregated

information of related packets in the form of flow, so the amount of analyzing data is

reduced [1, 51, 53]. In this context, flow-based approaches might be a promising

candidate for Intrusion Detection research [59].

Traffic networks of large organizations are challenging to protect and monitor,

due to the increasing amount of communications and heterogeneity of user behaviors

and devices. Misuse-based systems (e.g., IDS [46]) require a priori knowledge on

attacks and standard definitions of signatures by security analysts. Therefore,

researchers focused on building statistical anomaly-based systems [9]. In this context,

proposed supervised models often train on traffic datasets that contain artifacts (e.g.,

DARPA datasets [37]). As a result, those models do not generalize well when

deployed in the real world. Moreover, obtaining reliable labels for traffic events is

challenging [56]. For these reasons, the focus of this thesis is an entirely unsupervised

setting (without any training labels).

An open-source network intrusion prevention and detection system, at <www.snort.org>

Suricata is a free and open-source, mature, fast and robust network threat detection engine, at

<https://suricata-ids.org/>

Existing research on unsupervised traffic anomaly detection is affected by some

critical limitations: existing works either make strong assumptions to identify specific

threats (e.g., similar communication patterns for botnet identification [21]), or require

unencrypted traffic (e.g., [5, 36]). Other methods that work even in the presence of

encrypted traffic either assume specific threats (e.g., data exfiltration [39]) or do not

scale to large networks (e.g., IoT traffic of surveillance cameras [41]).

In this thesis, we propose MINOS

, a fully unsupervised approach that produces

an anomaly score for each internal host of an organization. That anomaly score can

prioritize and classify (in an unsupervised manner) each host into one of three

categories: clean, under attack, and infected. Also, it can recognize the attack time of

an infected or under attack host. The inputs of MINOS are network communications

between the internal hosts of an organization and the Internet, where no ground truth

is required. To address the heterogeneity of network communications, MINOS

automatically creates a behavioral traffic profile for each host independently by

clustering network flows. We remark that MINOS is a fully unsupervised approach

followed by a parallel procedure over multiple hosts. We experimented MINOS over

1,000 hosts and one year of network traffic at Boise State University. We then

evaluated how the anomaly score of MINOS prioritizes and differentiates three classes

of hosts effectively. We also show that MINOS has better accuracy and execution time

In Dante Alighieri’s Divine Comedy, MINOS is depicted as a man with a serpent tail in charge of judging

evil souls to determine which circle of Hell they deserve to be in. The circle is determined by the number

of wraps of MINOS’s tail on the evil soul.

than Kitsune [41], a state of the art approach for unsupervised traffic anomaly

detection.

1.2 Contributions

In summary, this work makes the following main contributions:

• We propose a novel fully unsupervised large-scale traffic

analysis approach, called MINOS, that is able to classify internal hosts into

one of three classes: clean, malicious, and under attack and also identify

the time frame of being attacked. This is different from most prior research

that distinguished just between benign and malicious activities. We

evaluate MINOS on one year of real data collected for 1,000 hosts of Boise

State University (a large academic network).

• In addition to offline analysis of one year of traffic data, we

show that MINOS retains high performance in classifying hosts even when

applied on reduced time windows (e.g., two weeks).

• We show that MINOS outperforms Kitsune [41] (a state-of-the-

art approach for unsupervised traffic anomaly detection) both in accuracy

and in execution times.

Our results show that MINOS is a viable solution towards identifying risky hosts in

large networks in the absence of label supervision.

1.3 Outlines

In Chapter 2, we provide the relevant background of Intrusion Detection

Systems, machine learning in supervised and unsupervised contexts, neural networks,

commonly used standard novelty detection algorithms, and present the literature

review of previous research works related to this thesis.

In Chapter 3, we discuss the size and shape of the raw dataset, experimental

machine selection, network flows collection, and feature selection procedure. Also,

we present the problem statements of this thesis.

In Chapter 4, we describe the methodology and implementation of feature vector

extraction and novelty detection algorithms, i.e. identifying host status and time frame

of existing attacks.

In Chapter 5, we extend our discussion on the experimental setup, variants of

experimental instances and statistical relevance.

Finally, in Chapter 6, we discuss a summary of the proposed methodology, the

future research direction and conclude this thesis.

剩余99页未读，继续阅读

复制用Lingo求一企业的工厂生产3种产品，A、B和C，每个月的市场需求量分别为8000个、6000个和4000个。工厂有3条生产线，生产线1每月能生产5000个A、3000个B和2000个C，生产线2每月能生产4000个A、4000个B和1000个C，生产线3每月能生产2000个A、4000个B和3000个C。生产A的成本为10元/个，生产B的成本为8元/个，生产C的成本为6元/个。每个月的库存成本为每个A、B和C分别为1元/个、2元/个和1.5元/个。如何安排生产计划，以最小化总成本？的最有解model: x11 = x21 = x31 = 0 x41 = x12 = x22 = 0 x32 = x42 = x13 = 0 x23= x33 = x43 = 0 min z = 10x11 + 8x21 + 6x31 + 1x41 + 10x12 + 8x22 + 6x32 + 2x42 +10x13 + 8x23 + 6x33 + 1.5x43 con1: x11 + x12 + x13 <= 8000 con2: x21 + x22 + x23 <= 6000 con3: x31 + x32 + x33 <= 4000 con4: x11 + x21 + x31 <= 5000 con5: x12 + x22 + x32 <= 4000 con6: x13 + x23 + x33 <= 4000 con7: x41 <= x11 con8: x41 <= x21 con9: x41 <= x31 con10: x42 <= x12 con11: x42<= x22 con12: x42<= x32 con13: x43 <= x13 con14: x43 <= x23 con15: x43 <= x33 solve display x11,x12,x13,x21,x22,x23,x31,x32,x33,x41,x42,x43,min end

MINOS 5.51: optimal solution found. 12 iterations, objective = 1.4500000000e+05 x11 = 5000 x12 = 1000 x13 = 0 x21 = 3000 x22 = 3000 x23 = 0 x31 = 0 x32 = 1000 x33 = 3000 x41 = 5000 x42 = 0 x43 = 1000 ...

Nginx 1.24.0 是 Nginx 开源项目发布的一个重要更新版本，该版本在性能优化、功能增强以及安全性提升方面带来了诸多改进。当您下载 Nginx 1.24.0 的压缩包时，您将获得一个包含 Nginx 源代码的压缩文件，通常命名为 nginx-1.24.0.tar.gz（对于 GNU/Linux 和 macOS 系统）或类似的格式，具体取决于发布平台。这个压缩包包含了编译 Nginx 服务器所需的所有源代码文件、配置文件模板（如 nginx.conf）、模块源码以及构建和安装说明。通过解压这个压缩包，您可以在支持 C 语言编译器的操作系统上编译并安装 Nginx 1.24.0。 Nginx 1.24.0 引入了一系列新特性和优化，可能包括但不限于对 HTTP/2 和 HTTP/3 协议的进一步支持、性能提升、新的模块或模块更新，以及对已知安全漏洞的修复。这使得 Nginx 能够在保持其作为高性能 HTTP 和反向代理服务器的声誉的同时，继续满足不断发展的网络需求。

智能化病虫害标注系统前端.zip

图像识别技术在病虫害检测中的应用是一个快速发展的领域，它结合了计算机视觉和机器学习算法来自动识别和分类植物上的病虫害。以下是这一技术的一些关键步骤和组成部分： 1. **数据收集**：首先需要收集大量的植物图像数据，这些数据包括健康植物的图像以及受不同病虫害影响的植物图像。 2. **图像预处理**：对收集到的图像进行处理，以提高后续分析的准确性。这可能包括调整亮度、对比度、去噪、裁剪、缩放等。 3. **特征提取**：从图像中提取有助于识别病虫害的特征。这些特征可能包括颜色、纹理、形状、边缘等。 4. **模型训练**：使用机器学习算法（如支持向量机、随机森林、卷积神经网络等）来训练模型。训练过程中，算法会学习如何根据提取的特征来识别不同的病虫害。 5. **模型验证和测试**：在独立的测试集上验证模型的性能，以确保其准确性和泛化能力。 6. **部署和应用**：将训练好的模型部署到实际的病虫害检测系统中，可以是移动应用、网页服务或集成到智能农业设备中。 7. **实时监测**：在实际应用中，系统可以实时接收植物图像，并快速给出病虫害的检测结果。 8. **持续学习**：随着时间的推移，系统可以不断学习新的病虫害样本，以提高其识别能力。 9. **用户界面**：为了方便用户使用，通常会有一个用户友好的界面，显示检测结果，并提供进一步的指导或建议。这项技术的优势在于它可以快速、准确地识别出病虫害，甚至在早期阶段就能发现问题，从而及时采取措施。此外，它还可以减少对化学农药的依赖，支持可持续农业发展。随着技术的不断进步，图像识别在病虫害检测中的应用将越来越广泛。

本压缩包内含Kubernetes（简称k8s）1.31版本的完整镜像集合，专为高效部署与升级Kubernetes集群而精心准备。Kubernetes作为业界领先的容器编排平台，1.31版本在稳定性、性能优化、新特性引入及安全性增强方面均实现了显著提升。该镜像压缩包集成了所有必要的Kubernetes组件镜像，包括但不限于kube-apiserver、kube-controller-manager、kube-scheduler、etcd、kubelet及kube-proxy等核心组件，确保用户能够一键部署或无缝升级至最新版本的Kubernetes集群，极大地简化了部署流程，降低了运维复杂度。此外，本镜像包还经过严格测试，确保与主流操作系统及云环境兼容，无论是裸机部署、虚拟机环境还是云服务商提供的Kubernetes服务，都能轻松集成使用。同时，我们优化了镜像体积，减少了不必要的空间占用，加快了下载与部署速度，让用户能够更快地享受到Kubernetes 1.31版本带来的技术红利。总之，k8s1.31版本镜像压缩包是构建或升级现代云原生应用基础设施的理想选择。

小兔子平安

粉丝: 243
资源: 1940

上传资源快速赚钱

我的内容管理展开

我的资源快来上传第一个资源

我的收益

登录查看自己的收益

我的积分登录查看自己的积分

我的C币登录后查看C币余额

我的收藏

我的下载

下载帮助

"MINOS: 无监督的大型网络攻击检测与时间分析"

论文研究-基于Netflow的网络安全态势感知系统研究.pdf

论文研究-基于NetFlow时间序列的网络异常检测.pdf

计算机网络第八版教案

kemono roster - minos

批处理copy

批处理筛选重复内容

vbs自动登录

批处理判断ip

批处理打开控制面板

批处理打开IP设置

nginx-1.24.0.tar

智能化病虫害标注系统前端.zip

Python 小游戏 （贪吃蛇、五子棋、扫雷、俄罗斯方块）

MATLAB/simulink 电力系统之变压器仿真-变压器空载运行仿真，磁通饱和+励磁电流

超级好的电赛习题分享.zip

8051Proteus仿真c源码串口通讯计算器

算法部署-基于ONNX+MNN+Cpp部署语音识别模型-附项目源码-优质项目实战.zip

全球与中国聚烯烃弹性体 （POE）市场现状及未来发展趋势（2024版）.docx

k8s1.31-images.tar

最新资源

Python 小游戏（贪吃蛇、五子棋、扫雷、俄罗斯方块）

全球与中国聚烯烃弹性体（POE）市场现状及未来发展趋势（2024版）.docx