HU Hangyu, ZHAI Xuemeng, HU Guangmin
The graph model method has unique advantages in network flow behavior analysis, because it can intuitively and completely describe the connection mode of network flows. However, current methods have many problems, such as a single composition mode, incomplete information and insufficient means of analysis. Therefore, borrowing the concept of the knowledge graph, this paper proposes a network flow behavior analysis model based on a flow knowledge graph, namely the network flow connection graph. We first build the basic model of the network flow connection relationship by collecting network flow information. Then we set the graph node level and the edge weight value based on the network flow attribute information. According to filtering rules for nodes and edges, we extract the core connection mode of the network application behavior and reduce the network scale. Finally, we adopt complex network feature analysis methods to extract the network flow feature parameters. Experimental results show that the network flow connection graph can fully utilize the available information in network flow behavior measurement data, accurately characterize the inherent characteristics of the network application flow connection relationship, and effectively detect and identify abnormal network behaviors such as DDoS attacks, worm propagation and port scanning. In addition, the network flow connection graph shows good scalability, making it suitable for the application of multiple graph mining algorithms.