Network Security Detection Method Based on Abnormal Traffic Detection

To discover potential risks and vulnerabilities in a network in time and keep it operating safely, a network security detection method based on abnormal traffic detection is studied. A network security detection architecture is built from a front-end interface module, a control center module, a network status extraction module, an anomaly detection module, an alarm module and a database module. NetFlow is used to capture network traffic in the form of flows, and the KNN algorithm in the traffic filtering submodule filters the captured packets and removes duplicate traffic data. The filtered traffic is passed to the feature selection submodule, where the PCA-TS algorithm reduces the dimension of the traffic data and selects traffic features, which are then fed to an SVM classifier. An improved SVM multi-classification algorithm separates normal from abnormal traffic, completing abnormal traffic detection and thus network security detection. Experimental results show that feature selection with this method takes no more than 3.0 s and that the G score during detection stays above 0.70, indicating strong network security detection capability.


INTRODUCTION
Network security detection refers to a comprehensive security assessment and inspection of a computer network system that finds potential security risks and vulnerabilities and takes corresponding measures to protect the security and integrity of the system [1]. Its significance lies in preventing potential threats, protecting important data, maintaining business continuity, improving user trust and complying with regulatory requirements. Vulnerabilities and weaknesses in the network system can be found and repaired in time, so that attacks are avoided [2], and security incidents such as intrusion, data leakage and malware infection can be prevented by finding and solving security problems early [3]. Network security detection helps enterprises and individuals protect important business and personal data: confidentiality is preserved by detecting vulnerabilities and risks in the system [4]. It also keeps the network running normally, reduces business interruption and loss caused by vulnerabilities and attacks, and ensures the continuity and stability of the business [5]. When network security is improved through detection, users can rely on online services without worrying about leakage of personal information or theft of accounts [6]. Network security detection is therefore of great significance.
With the spread of computer network applications and services, the number of Internet users keeps increasing and the demand for information sharing keeps expanding [7]. The threat of network attacks has become more serious, and network anomaly detection has become an increasingly important task in network security research [8]. Network anomalies have many causes, such as network overload, worm intrusion, routing policy changes, and distributed denial of service attacks. Traffic anomalies are the most common kind of network anomaly. Abnormal traffic can slow down the backbone or even paralyse the network, causing serious damage to the network environment [9]. The harm caused by abnormal traffic generally shows up as bandwidth exhaustion, network blocking, failure to deliver normal messages on time, packet loss, and so on [10]. On computer systems, servers and clients it shows up as large amounts of memory being consumed and as servers returning abnormal responses to normal requests [11]. Many scholars have studied network security detection methods to counter these threats and provide timely hazard warnings.
Wozniak M et al. [12] studied a recurrent neural network model for threat detection in the Internet of Things and network malware. The method classifies information in the network with the recurrent network to detect malicious threat information, but it cannot raise a security alarm during detection, and its results for multiple attacks are not clear enough. Steno P et al. [13] used deep learning to detect threat objects in security screening. The method uses a deep network with a cross-entropy loss to screen risks among network objects, but it cannot detect the degree of traffic fluctuation in the network, so its detection range is small. Gaber T et al. [14] studied an injection attack detection method for intelligent Internet of Things applications using machine learning. The method detects attack traffic in smart cities, performs feature selection with constant removal and recursive feature elimination, and classifies attack traffic with machine learning classifiers. Although its accuracy reaches 99%, it needs a great deal of time for feature extraction and detection.
The abnormal traffic detection method identifies anomalies that are inconsistent with normal network traffic behaviour by analysing changes in the traffic. Such detection helps find abnormal activity in the network, such as attacks, malware propagation and data leakage, and so protects the network's security and stability [15]. There are many ways to detect abnormal traffic, such as traffic analysis methods and machine learning methods. Traffic analysis captures and parses packets and examines their source address, destination address, protocol type and other header information, together with characteristics such as packet size and frequency, to decide whether the traffic is abnormal. For example, an anomaly may exist if one IP address sends many packets in a short time or one port receives an abnormally large volume of traffic. Machine learning methods model network traffic with algorithms to identify abnormal traffic; by learning the characteristics of normal behaviour they can automatically recognise abnormal packet sizes, abnormal connection behaviour, and so on [16]. This paper therefore proposes an abnormal traffic detection method based on the support vector machine (SVM). Its innovation is a network security detection architecture that captures traffic with NetFlow and removes duplicate data with the KNN algorithm; in the feature selection submodule the PCA-TS algorithm reduces the dimensionality of the traffic and selects features; and an improved SVM multi-classification algorithm separates normal from abnormal traffic, achieving efficient abnormal traffic detection and network security detection.

A. Construction of Network Security Detection Architecture
To improve network security and operating status, this paper designs the network security detection architecture shown in Fig. 1. The architecture is divided into a front-end interface, a control center, network status extraction, anomaly detection, alarm, and database modules. The feature selection and anomaly detection modules are its main parts.
The specific contents of the network security detection architecture are as follows:
1) Front-end interface: The main functions of the front-end interface module are network topology node display, user information display and user login, system working status display, log information display, and abnormal traffic alarm display. Its purpose is to give users a clear interface and good interaction. The topology node display shows the working nodes and the topology of the current network; the alarm display makes the attacked node visible at a glance; the log display shows the system log, including user login information and the running status records of the architecture.
2) Control center: The main functions of the control center module are user authority management, configuration, alarm, and task allocation. Authority management ensures that privileges are not abused: only super users hold administrator authority to modify sensitive content such as network configuration information. The alarm function feeds back quickly to the front-end interface when the detection architecture finds an anomaly, and can also locate the attacked node in time. Task allocation switches between the network status extraction function, the normal detection state, and the log viewing function.
3) Feature selection module: This module captures network traffic through its data collection function and selects features from the captured traffic to achieve feature extraction. In safe working mode it saves the extracted feature information to the database; in normal working mode it passes the extracted features to the abnormal traffic detection module, which judges whether the traffic is abnormal; in update mode it updates the extracted features in the database. The feature selection module is one of the most important functional modules and contains four submodules: traffic capture, traffic filtering, feature selection, and network status update.
The traffic capture submodule captures each node's packets and places them in a packet queue. The traffic filtering submodule removes redundant and duplicate content from the captured packets before they are handed to the feature selection submodule. The feature selection submodule is the core of the architecture: it receives the packets from the filtering submodule, selects their features, and saves the extracted state information to the database. The status update submodule refreshes the recorded standard (baseline) state information.

4) Anomaly detection module:
The anomaly detection module judges whether the network is under attack by abnormal traffic and passes the result to the alarm module. The result is also saved in the database as a log record so that historical information can be reviewed. The module is implemented by the improved SVM multi-classification algorithm described in Section E. It is one of the most important functional modules and is the final judge of whether an intrusion has occurred.

5) Alarm module:
The main function of the alarm module is to alert the user when the abnormal traffic detection module judges that an intrusion has occurred. The alarm module receives the result of the abnormal traffic detection module; if the result is true, the alarm information is written to the database and sent to the control center at the same time. The alarm can be an audible tone or a pop-up window or indicator on the front-end interface.
6) Database module: The main function of the database module is to record various types of information, including log information, user information records, alarm information records, etc.The database module is the information center of the entire architecture.All data extraction, information exchange and record-keeping between modules are completed in this module.The database module requires the physical support of the database software, or it can be deployed to an independent server separately.

B. Network Traffic Capture
The traffic capture submodule under the feature selection module captures network traffic in the form of flows using NetFlow. A NetFlow V9 exporter acts as the sniffer or probe in the network and sends its flow records to a collector at a specified IP address. The output packet format of NetFlow V9 is shown in Fig. 2. A FlowSet is a collection of records: the Template FlowSet in Fig. 2 describes the field layout of the records, and the Data FlowSets that follow carry the flow records in that layout, so the collector can only decode a Data FlowSet after it has received the matching template. The exporter encapsulates the flow records in UDP packets and sends them to the collector, which keeps the transmission of a large number of records efficient. Because NetFlow export itself generates a large amount of data and can cause congestion, the architecture uses a dedicated link from the exporter to the collector in congestion-sensitive networks. When the collector cannot be placed at the router's next hop, or the transmission link cannot be reserved for NetFlow alone, the link must still be provisioned for the volume of data that NetFlow generates.
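As an added example (not code from the paper), the following Python script builds one constructed NetFlow V9 export packet containing a Template FlowSet and a Data FlowSet, and then decodes it the way a collector must: templates are cached per (source id, template id) and a Data FlowSet is only decoded once its template is known. The field numbers follow RFC 3954; the addresses, ports and counters are constructed sample values, and the bounds checks on FlowSet lengths are there because a collector parses untrusted UDP input from any host that can reach it (NetFlow V9 carries no authentication, so a collector should also accept packets only from configured exporter addresses).

```python
import socket
import struct

# NetFlow v9 field type numbers used here (RFC 3954, section 8)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
TEMPLATE_FLOWSET_ID = 0

# Field layout of the constructed template 256: (type, length in bytes)
SAMPLE_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
# Constructed flow records (not captured traffic): src, dst, sport, dport, proto, bytes, packets
SAMPLE_FLOWS = [("10.0.0.5", "192.0.2.10", 51514, 80, 6, 1200, 9),
                ("10.0.0.7", "192.0.2.10", 40000, 53, 17, 64, 1)]


def build_v9_packet(template_id=256):
    """Build one export packet: header, a Template FlowSet (id 0) and a Data FlowSet."""
    tmpl = struct.pack("!HH", template_id, len(SAMPLE_TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in SAMPLE_TEMPLATE)
    template_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl)) + tmpl
    body = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, pr, nb, np_)
                    for s, d, sp, dp, pr, nb, np_ in SAMPLE_FLOWS)
    pad = (-(4 + len(body))) % 4          # FlowSet length is padded to a 32-bit boundary
    data_fs = struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad
    # Header: version, record count (template + data records), sysuptime, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, 1 + len(SAMPLE_FLOWS), 123456, 1700000000, 1, 0)
    return header + template_fs + data_fs


def parse_v9(packet, templates=None):
    """Decode a v9 packet; templates are cached per (source id, template id) across packets."""
    templates = {} if templates is None else templates
    if len(packet) < 20:
        raise ValueError("truncated NetFlow header")
    version, count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")   # also prevents an infinite loop on fs_len == 0
        body = packet[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("template record overruns FlowSet")
                templates[(source_id, tid)] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                               for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:
            spec = templates.get((source_id, fs_id))
            if spec is not None:                       # data for an unknown template is dropped
                rec_len = sum(l for _, l in spec)
                p = 0
                while rec_len and p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in spec:
                        raw = body[p:p + flen]
                        p += flen
                        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                        rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 \
                            else int.from_bytes(raw, "big")
                    flows.append(rec)
        off += fs_len
    return flows
```

Passing the same `templates` dictionary to successive `parse_v9` calls reproduces collector behaviour: a template learnt from one packet decodes the data-only packets that follow it, and data arriving before its template is silently dropped rather than misparsed.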

C. Traffic Filtering of KNN Classification Algorithm
After capturing the network traffic data, due to the huge amount of network traffic data [17], and some botnet traffic and duplicate content, effective measures must be taken to filter the traffic.Through reasonable filtering means, the traffic data can be more conducive to subsequent network security detection [18].This paper uses the KNN algorithm to filter traffic in the traffic filtering sub-module under the feature selection module.

1) Filtering analysis:
The KNN algorithm classifies a sample by measuring the distance between feature values, and this classification is what produces the filtering effect. If most of the k most similar samples belong to one class, the sample is assigned to that class. "Most similar" means nearest in the feature space, and k is an integer no greater than 20. In the KNN algorithm the k most similar samples already carry correct class labels [19], so the class of a new sample is decided by the classes of its nearest one or several neighbours. Fig. 3 shows how the algorithm operates. With the smaller value of k in Fig. 3 the grey filled circle is assigned to the hollow-triangle class, while with the larger value of k it is assigned to the hollow-square class. The choice of k therefore affects the filtering result, and the optimal k gives the best filtering effect.
2) Flow filtration: Because attack traffic differs greatly from normal traffic, the external parameters of the abnormal traffic can be separated from those of the mixed traffic (normal plus abnormal) with the KNN method, which makes traffic processing faster [20]. The implementation is as follows. The labelled data (packet length, URL length) and the unlabelled data (packet length, URL length) are treated as vectors and their Euclidean distance is calculated by Formula (1):

d(x, y) = \sqrt{\sum_{i=1}^{n} (x_i - y_i)^2}   (1)

In Formula (1), d(x, y) is the Euclidean distance between the labelled vector x and the unlabelled vector y; x_i and y_i are their i-th components; n is the number of components of a traffic record (two here: packet length and URL length). This formula measures the absolute distance between points in a multidimensional space.
3) The k labelled samples closest to the unlabelled sample are found, and the label that occurs most often among them is assigned to the unlabelled sample. This yields a batch of labelled data large enough to support the subsequent work.
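The filtering submodule described in steps 2) and 3) above, as an added example written for this edit rather than code from the paper. The labelled flows are constructed (packet length in bytes, URL length in characters); the function removes exact duplicate vectors first and then labels each remaining vector by majority vote among its k nearest labelled neighbours using Formula (1). The last two assertions in the usage note below reproduce the Fig. 3 effect: the same sample is labelled differently for k = 1 and k = 3.

```python
import math
from collections import Counter

# Constructed labelled flows: ((packet length in bytes, URL length in characters), label)
LABELED = [((512, 18), "normal"), ((600, 22), "normal"), ((450, 15), "normal"),
           ((700, 40), "abnormal"),
           ((1400, 310), "abnormal"), ((1350, 280), "abnormal"), ((1500, 350), "abnormal")]


def euclidean(x, y):
    """Formula (1): straight-line distance between two feature vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def knn_label(sample, labeled, k=3):
    """Label an unlabelled vector by majority vote among its k nearest labelled vectors."""
    if not 1 <= k <= 20:
        raise ValueError("k must be in 1..20")
    nearest = sorted(labeled, key=lambda item: euclidean(sample, item[0]))[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]


def filter_traffic(unlabeled, labeled, k=3):
    """Drop exact duplicate vectors, then label every remaining vector by KNN."""
    seen, kept = set(), []
    for vec in unlabeled:
        if vec in seen:
            continue
        seen.add(vec)
        kept.append((vec, knn_label(vec, labeled, k)))
    return kept
```

Use an odd k so that two-class votes cannot tie; with the constructed data, `knn_label((680, 35), LABELED, k=1)` returns "abnormal" because the single nearest neighbour is the small abnormal flow at (700, 40), while k = 3 returns "normal" because the next two neighbours are normal flows.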

D. Design of Network Traffic Feature Selection Method
Real network traffic has many feature attributes, and existing anomaly detection methods based on feature analysis cannot meet the real-time requirements of high-dimensional feature analysis [21], [22]. Therefore, after the traffic data has been filtered by the KNN algorithm, the feature selection submodule applies a traffic feature selection algorithm based on principal component analysis (PCA) and tabu search (TS): PCA-TS reduces the high-dimensional features and selects a near-optimal feature subset, providing reliable feature data for the subsequent abnormal traffic detection.

1) Dimension reduction of traffic data:
The dimensionality of the traffic data filtered by the KNN algorithm is reduced to facilitate the subsequent feature selection [23].Principal component analysis is an effective method of analyzing data in statistics, mainly used for feature extraction and data dimension reduction.The idea is to reduce the dimension of a data set with high dimension and correlation by using the feature space transformation of statistical properties of the data set [24].PCA transforms the original space into a new principal component space, and the principal components are unrelated.
Assume the network traffic data set contains N samples X = \{x_1, x_2, \ldots, x_N\}, x_i \in \mathbb{R}^d, where \mathbb{R}^d is the feature space and d the feature dimension. Find a new variable space Y = \{y_1, y_2, \ldots, y_N\}, y_i \in \mathbb{R}^m with m < d, such that the new variables carry most of the information of the original variables through the transformation in Formula (2):

y_i = W^{T}(x_i - \bar{x}), \quad W^{T}W = I   (2)

In Formula (2), W is a d \times m orthogonal matrix whose columns are eigenvectors of the covariance matrix C of the data samples, C = \frac{1}{N}\sum_{i=1}^{N}(x_i - \bar{x})(x_i - \bar{x})^{T}, where \bar{x} = \frac{1}{N}\sum_{i=1}^{N} x_i. The problem is therefore transformed into the eigenproblem of Formula (3):

C w = \lambda w   (3)

In Formula (3), \lambda is an eigenvalue of C and w the corresponding eigenvector. Principal component analysis keeps the eigenvectors whose eigenvalues have the highest contribution rate as principal components, which achieves the dimension reduction. The contribution rate of the first m components is given by Formula (4):

\frac{\sum_{i=1}^{m}\lambda_i}{\sum_{i=1}^{d}\lambda_i} \ge \theta, \quad \lambda_1 \ge \lambda_2 \ge \cdots \ge \lambda_d   (4)

In Formula (4), \theta is the threshold of the feature contribution rate; the reduced dimension m is the smallest value satisfying the inequality, and \theta is generally chosen between 85% and 95%. When PCA is applied, the variables in the data often have different units, so the dispersion of their values differs widely and the calculation is distorted. To remove the effect of different units, the variables are standardized first, and only then is the dimension reduced with PCA.
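The dimension reduction of Formulas (2) to (4), carried out in pure Python as an added example (not the paper's code): the rows are standardized, the covariance (here the correlation) matrix is decomposed with cyclic Jacobi rotations, and the smallest m whose contribution rate reaches the threshold is kept. The four flow records are constructed so that the packets column is exactly bytes/100, a redundant feature that PCA folds into one component; the Jacobi routine is an assumption of this example only, chosen so nothing outside the standard library is needed.

```python
import math

# Constructed flow records (not captured traffic): bytes, packets, duration in seconds.
# packets is exactly bytes/100, i.e. a redundant feature that PCA should fold into one component.
SAMPLE_ROWS = [[100, 1, 5], [200, 2, 7], [300, 3, 7], [400, 4, 5]]


def standardize(rows):
    """Zero-mean, unit-variance columns, so features with different units get equal weight."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0 for j in range(d)]
    return [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]


def covariance(rows):
    """Covariance matrix of already-centred rows (the correlation matrix after standardize)."""
    n, d = len(rows), len(rows[0])
    return [[sum(r[i] * r[j] for r in rows) / n for j in range(d)] for i in range(d)]


def jacobi_eigen(a, sweeps=50):
    """Eigenvalues/eigenvectors of a symmetric matrix by cyclic Jacobi rotations.
    Returns (eigenvalues, V) with the eigenvectors in the columns of V."""
    d = len(a)
    a = [row[:] for row in a]
    v = [[1.0 if i == j else 0.0 for j in range(d)] for i in range(d)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(d) for j in range(d) if i != j) < 1e-18:
            break
        for p in range(d):
            for q in range(p + 1, d):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = (1 if theta >= 0 else -1) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for k in range(d):                       # A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(d):                       # A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(d):                       # V <- V J
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(d)], v


def pca_reduce(rows, threshold=0.9):
    """Formulas (2)-(4): keep the fewest principal components whose contribution rate
    reaches `threshold`; returns (projected rows, m, contribution rate of each component)."""
    z = standardize(rows)
    vals, vecs = jacobi_eigen(covariance(z))
    order = sorted(range(len(vals)), key=lambda i: -vals[i])
    total = sum(vals)
    rates = [vals[i] / total for i in order]
    m, acc = 0, 0.0
    while acc < threshold - 1e-12:
        acc += rates[m]
        m += 1
    comps = [[vecs[k][order[i]] for k in range(len(vals))] for i in range(m)]
    projected = [[sum(r[k] * w[k] for k in range(len(r))) for w in comps] for r in z]
    return projected, m, rates
```

With the constructed rows the eigenvalues of the correlation matrix are 2, 1 and 0, so the first component explains two thirds of the variance; a threshold of 0.9 keeps m = 2 components and a threshold of 0.6 keeps only one.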

2) Feature selection based on the tabu search algorithm:
After the traffic data has been reduced by PCA, feature selection can proceed. Tabu Search (TS) is a heuristic global optimization method that approaches the global optimum by marking the local optima it has already visited and avoiding repeated searches of them during the iteration [25]. The main idea is to start from an initial feasible solution, define a neighbourhood N(s) for every solution s, generate several candidate solutions from the neighbourhood of the current solution, and move to the best candidate; this selection is the search step. To keep the search from cycling, TS builds a tabu list and defines stopping rules. The tabu list records the most recent moves, up to the tabu length, and forbids them for that many iterations so the search cannot fall back to a solution it has just left, which improves its coverage of the solution space; the stopping rule ends the algorithm when the best solution has not improved within a given number of iterations. The neighbourhood, tabu list, tabu length, amnesty (aspiration) rule and initial solution all directly affect the quality of the result.
Feature selection by tabu search is an optimization problem constrained by an objective function, and a suitable objective function improves the quality of the search and of the selected features. A good feature solution should retain as much classification information as possible with the smallest number of features. In information theory, the larger the information gain of an attribute, the more information it carries [26], so information gain is an effective measure of the classification information in a feature vector. This paper therefore uses information gain in the objective function, defined in Formula (5), which combines, over the n samples, an indicator of whether each sample is correctly classified with the information gain of the selected features. Formula (5) rewards the maximum classification information obtained from a small number of features, which keeps the tabu search fast and avoids overfitting.
The choice of the initial solution strongly affects the result of tabu search. In other optimal feature selection algorithms, the large feature dimension of real network traffic lowers efficiency, and feature redundancy also hurts the selection of the optimal feature set. The initial solution of the tabu search therefore matters for both search efficiency and search quality.
Generally, the larger the feature set, the higher the analysis accuracy. In practice, however, too large a feature space causes two problems: (1) a huge feature space needs more storage and increases the measurement time, which is unsuitable for real-time traffic analysis; (2) in applications such as anomaly detection and service classification, different network services are characterised by different feature attribute vectors, so using all features to represent every service flow both reduces the learning effect and increases the learning time. Feature selection therefore mines the best feature set for describing network traffic, and tabu search provides a near-optimal solution.

3) Feature selection design based on PCA-TS algorithm:
The statistical characteristics of network traffic are attributes extracted from packets or flows, such as ports and protocols, message length, arrival interval, number of messages, flow duration, and number of messages in the flow. A feature vector represents these statistics: for a network flow f, its flow-based description can be written as f = \{f_1, f_2, \ldots, f_n\}, where f_i is the value of the i-th feature. The feature set of a flow may contain hundreds of features, so finding a small optimal feature subset to describe the flow is important for learning efficiency.
Therefore, this paper makes full use of the feature that PCA can perform fast and effective feature reduction on highdimensional data, and improves the efficiency of solving the optimal solution of the tabu search method by eliminating feature redundancy and reducing the dimension space.To this end, this paper selects network traffic characteristics by combining PCA and TS algorithms.The flow chart of the PCA-TS feature selection method is shown in Fig. 4.
In Fig. 4, the specific implementation steps of the PCA-TS algorithm are as follows:
1) The tabu list is empty, and the parameters are initialized: tabu length, maximum number of iterations, and maximum number of iterations without improvement.
2) Use PCA to reduce the original network traffic features and obtain the reduced feature collection \{f_1, f_2, \ldots, f_m\}, where m is the number of features after reduction.
3) Encode the reduced feature set in binary to obtain the initial solution.
4) Set the termination conditions: the search stops when the maximum number of iterations is reached, or when the best solution has not improved within the maximum number of iterations without improvement.
5) Judge whether the termination conditions are met. If so, end and output the optimal flow feature subset; otherwise go to the next step.
6) Bring the current solution into the neighbourhood structure to compute the neighbourhood solutions, and select the best candidate solution with the objective function.
7) Judge whether the candidate solution meets the amnesty rule. If yes, update the optimal solution and the tabu list and go to step (4); otherwise go to the next step.
8) Compute the tabu attribute of the candidate solution, take the best non-tabu candidate as the new current solution, replace the object that entered the tabu list earliest, and go to step (4).
9) End, and output the optimal flow feature subset.

Fig. 4. Flow chart of the PCA-TS feature selection method.
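The tabu search of steps 1) to 9) over a binary-coded feature subset, as an added example that is not the paper's code. The rows are constructed, already reduced and discretised feature values: f0 and f1 both separate the two classes perfectly (so they are redundant with each other), f2 is constant and f3 is independent of the label. Because Formula (5) is not reproduced on the page, the objective here is an assumption: the information gain of the selected features taken jointly, minus a per-feature cost, which still expresses "maximum classification information from the fewest features". The neighbourhood flips one bit, the tabu list holds the most recently flipped feature indices, the amnesty rule admits a tabu move only if it beats the best solution so far, and the search stops on the iteration budget or after a run of non-improving iterations.

```python
import math
from collections import Counter

# Constructed, already PCA-reduced and discretised flow features (rows) with class labels.
# f0 and f1 both separate the classes perfectly (redundant), f2 is constant, f3 is label-independent noise.
ROWS = [[0, 0, 0, 0], [0, 0, 0, 1], [0, 0, 0, 0], [0, 0, 0, 1],
        [1, 1, 0, 0], [1, 1, 0, 1], [1, 1, 0, 0], [1, 1, 0, 1]]
LABELS = ["normal"] * 4 + ["abnormal"] * 4
LAMBDA = 0.1   # cost per selected feature (assumed weighting; the paper's Formula (5) is not reproduced here)


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def info_gain(subset, rows=ROWS, labels=LABELS):
    """Information gain of the selected columns taken jointly: H(Y) - H(Y | X_S)."""
    if not subset:
        return 0.0
    groups = {}
    for row, y in zip(rows, labels):
        groups.setdefault(tuple(row[j] for j in subset), []).append(y)
    conditional = sum(len(g) / len(labels) * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def objective(subset):
    """Most classification information with the fewest features."""
    return info_gain(subset) - LAMBDA * len(subset)


def tabu_search(n_features, tabu_len=2, max_iter=100, max_no_improve=10):
    """Binary-coded feature subset search: neighbourhood = flip one bit, tabu list of
    recently flipped features, amnesty rule, stop on max_iter or max_no_improve."""
    current = frozenset(range(n_features))            # initial solution: every reduced feature selected
    best, best_val = current, objective(current)
    tabu, stale = [], 0
    for _ in range(max_iter):
        candidates = []
        for j in range(n_features):
            neighbour = current ^ {j}
            if not neighbour:
                continue
            val = objective(neighbour)
            if j in tabu and val <= best_val:         # tabu move, and the amnesty rule does not apply
                continue
            candidates.append((val, -j, neighbour))
        if not candidates:
            break
        val, neg_j, current = max(candidates)         # best candidate, lowest index on ties
        tabu.append(-neg_j)
        if len(tabu) > tabu_len:                      # the object that entered earliest leaves
            tabu.pop(0)
        if val > best_val + 1e-12:
            best, best_val, stale = current, val, 0
        else:
            stale += 1
            if stale >= max_no_improve:
                break
    return sorted(best), best_val
```

Starting from all four features (objective 0.6), the search drops one feature per step until it reaches a single perfectly separating feature (objective 0.9); the joint information gain is what lets it see that f0 and f1 together carry no more information than either alone, so the redundant copy is discarded.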

E. Abnormal Flow Detection
After the network traffic features have been selected, the abnormal traffic detection module of the architecture uses them to detect abnormal traffic, with the aims of higher detection efficiency and higher detection accuracy. This paper uses the SVM algorithm. Suppose there are k classes of samples; then k two-class classifiers are constructed, each separating one class from the rest. During training, one class is taken as positive and the remaining k - 1 classes as negative. At decision time a test sample x is passed through all k classifiers, whose outputs are f_1(x), \ldots, f_k(x) with f_i(x) = \operatorname{sgn}(g_i(x)), where g_i is the decision function of the i-th classifier. If exactly one output is +1, the sample belongs to the positive class of that classifier. If more than one output is +1 (classification overlap), the decision values g_i(x) of the classifiers that output +1 are compared, and the positive class of the classifier with the largest value is taken as the class of the sample. If every output is -1, the sample is considered inseparable.
This paper therefore proposes an improved SVM multi-classification algorithm that uses the class-distance idea from cluster analysis to order the two-class classifiers in the detection model. For the k classes of traffic feature samples, the centre distance from each class to every other class is calculated, then the average distance from each class to the others. The class with the largest average distance is the most distinctive, and it is taken as the positive class of the first two-class classifier. The distances are defined as follows.
Definition 1: Centre distance. The centre distance between the traffic feature samples of class i and class j is the Euclidean distance, in the feature space, between the centre of the sphere that contains all samples of class i and the centre of the sphere that contains all samples of class j, denoted d_{ij}.
Definition 2: Average distance. The average distance D_i between the traffic feature samples of class i and the remaining classes is the mean of the centre distances from class i to every other class:

D_i = \frac{1}{k-1}\sum_{j \ne i} d_{ij}

The specific implementation steps are as follows:
1) Calculate the centre distance d_{ij} between each class of traffic feature samples and every other class according to Definition 1.
2) Calculate the average distance D_i from each class to the other classes according to Definition 2.
3) Compare the D_i from step 2 and number the classes in descending order of D_i.
4) Construct the two-class classifiers one by one in the order obtained in step 3: the first-numbered class is the positive class of the first classifier, the second-numbered class is the positive class of the second classifier, and so on.
During abnormal traffic detection the sample to be tested is passed through the two-class classifiers in turn. If a classifier outputs +1, the sample is assigned to that classifier's positive class and its detection stops. If every classifier in turn outputs -1, the sample is judged to be unknown traffic, added to the set to be verified, and held for retraining. The sample decision process is shown in Fig. 5.
The distance-first SVM multi-classification algorithm improves detection accuracy. Although k two-class classifiers are still built for the model set, the judgement stops as soon as one classifier outputs +1, which shortens the detection time per sample.
Following the procedure above, abnormal traffic detection is realized in the following steps: 1) NetFlow captures the network traffic in the form of flows.
2) The captured data packets are used in the KNN algorithm to filter traffic and eliminate duplicate traffic packets.
3) After data filtering, the traffic packets are input into the PCA-TS algorithm for data dimensionality reduction and feature selection.

Fig. 5. Sample decision process (the sample passes through classifiers 1 to k in turn; the resulting category is checked against the list of abnormal categories, an abnormal category triggers the corresponding alarm, and otherwise the verdict is normal traffic).

5) The improved SVM multi-classification method takes the feature samples of the traffic under test as input to the SVM multi-class classifier. If a two-class classifier recognises the feature sample, traffic of the corresponding category has been detected: if it is normal, continue; if it is abnormal, send an alarm. Repeat step (5). If the sample is judged to be unknown traffic, perform step (6).
6) Add unknown traffic to the collection to be verified.If the traffic in the set to be verified can be clustered and is significantly different from the normal traffic, it can be considered that a new anomaly has occurred.
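The sequential decision described above and in steps (5) and (6), as an added example that is not part of the paper: each two-class classifier is consulted in turn, the first +1 decides the category and raises an alarm for abnormal classes, and samples rejected by every classifier are parked in a set to be verified. The linear classifiers, the 2-D features (packets/s, distinct destination ports) and the clustering criterion for declaring a new anomaly are constructed stand-ins, not the paper's trained SVMs or its clustering test.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, List, Sequence, Tuple

Classifier = Callable[[Sequence[float]], int]  # answers +1 or -1
def linear_classifier(weights: Sequence[float], bias: float) -> Classifier:
    """sign(w.x + b), the shape of an SVM decision function (stand-in, not a trained SVM)."""
    def decide(x: Sequence[float]) -> int:
        return 1 if sum(w * xi for w, xi in zip(weights, x)) + bias > 0 else -1
    return decide
def centroid(points: Sequence[Sequence[float]]) -> Tuple[float, ...]:
    return tuple(sum(col) / len(points) for col in zip(*points))
def dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

@dataclass
class CascadeDetector:
    # classifiers[i] decides category labels[i]; the list is walked in order,
    # so it must already be in the order the distance-first construction gives.
    labels: List[str]
    classifiers: List[Classifier]
    to_verify: List[Tuple[float, ...]] = field(default_factory=list)
    def classify(self, x: Sequence[float]) -> str:
        """Step 5: stop at the first classifier answering +1; if all answer -1
        the sample is unknown flow and goes to the set to be verified (step 6)."""
        for label, clf in zip(self.labels, self.classifiers):
            if clf(x) == 1:
                return label
        self.to_verify.append(tuple(x))
        return "unknown"
    def detect(self, x: Sequence[float]) -> Tuple[str, bool]:
        """(category, alarm): alarm for any known abnormal class, not for normal or unknown."""
        label = self.classify(x)
        return label, label not in ("normal", "unknown")
    def new_anomaly_found(self, normal: Sequence[Sequence[float]],
                          min_size: int = 3, sep: float = 2.0) -> bool:
        """Step 6 check (constructed criterion): the pending samples cluster
        tightly and their centroid lies far from the normal-traffic centroid."""
        if len(self.to_verify) < min_size:
            return False
        c_unk, c_norm = centroid(self.to_verify), centroid(normal)
        spread = max(dist(c_unk, s) for s in self.to_verify)
        return dist(c_unk, c_norm) > sep * max(spread, 1e-9)

def demo_detector() -> CascadeDetector:
    """Constructed 2-D features (packets/s, distinct destination ports) and classifiers."""
    return CascadeDetector(["normal", "udp_flood", "icmp_flood"], [
        linear_classifier((-1, 0), 5),     # +1 when rate < 5
        linear_classifier((0, 1), -10),    # +1 when ports > 10
        linear_classifier((1, -1), -20)])  # +1 when rate - ports > 20
```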

III. EXPERIMENTAL ANALYSES
To verify the effectiveness of the network security detection method in this paper, a simulation experiment is constructed on the NS2 simulation platform; the network topology is shown in Fig. 6.
In Fig. 6, R1, R2 and R3 are routers, of which R2 is the "key router". The link between R2 and R3 is the bottleneck link, with a bandwidth of 10Mbps and a delay of 30ms. All other links have a bandwidth of 100Mbps and a delay of 15ms. The network contains 25 legitimate TCP connections, 10 of which are background traffic.
Meanwhile, the attack parameters are designed as follows: the attack cycle is 1s, the attack pulse duration is 150ms, 200ms or 250ms, and the attack pulse intensity is 30Mbps or 40Mbps. The observation time window WS lasts 90s, and the attack packet types are UDP, ICMP and invalid TCP.
The experimental data set is the Honeynet Challenges data set provided by the HoneyPot Project. The HoneyPot Project is a non-profit network security research organization committed to studying the latest network attacks and developing open-source security tools to improve the network environment. The organization has volunteers from all over the world, and many of the open-source security tools it develops are published on its official website. Table I shows some of the network traffic attributes used in the experiment.
The abnormal feature selection ability of this method is analyzed before abnormal flow detection, together with the time required to select different abnormal flow features. The analysis results are shown in Table II. According to Table II, this method can effectively select multiple features during feature selection and thereby provide reliable data for subsequent network security detection. At the same time, the time this method needs to complete feature selection does not exceed 3.0s. Therefore, this method has a strong feature selection ability, which provides a reliable guarantee for subsequent abnormal traffic detection.
This paper uses the G score to evaluate the abnormal traffic detection effect of this method. The G score is defined as: √ In Formula (6), the two terms indicate the accuracy rate and the recall rate in turn. The higher the G score, the stronger the method's ability to detect abnormal traffic. The G scores for different numbers of packets under attacks of different traffic types are tested, and the experimental results are shown in Fig. 7.
As shown in Fig. 7, as the number of test packets increases, the G scores obtained by this method begin to decline under attacks of the different data types. Among them, under UDP attack the G score obtained is the lowest of the three attack types, but it is not less than 0.70. This shows that the method maintains high performance during detection. For ICMP and invalid TCP attacks, this method obtains higher G scores. It can therefore be seen that this detection method can effectively detect multiple types of attacks.
This study selected three scenarios for verifying abnormal traffic detection. In scenario B1, there are no attacks in the network, or the attacks present have no direct impact on TCP data traffic. In scenario B2, the attacks present directly impact TCP data traffic, but there are no serious attacks. In scenario C3, there are serious attacks in the network. The detection effectiveness of the method is verified by analyzing the degree of traffic fluctuation in each scenario; the analysis results are shown in Fig. 8. According to Fig. 8, when there is no attack in the network or the attack has no direct impact on TCP data traffic, the traffic always fluctuates below five packets/second, a small degree of fluctuation. When attacks in the network directly impact TCP data traffic, the fluctuation of network traffic increases. When serious attacks exist in the network, the traffic fluctuation amplitude exceeds 20 packets/second. From this analysis it can be seen that the method can effectively detect flow fluctuation.
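The scenario analysis above and the G score evaluation, as an added example that is not part of the paper: per-second packet rates are cut into windows of WS = 90s, each window is labelled B1, B2 or C3 from the 5 and 20 packets/second fluctuation levels the text reads from Fig. 8, and a G score is computed over the attack/no-attack decisions. Assumptions: fluctuation is measured as the peak-to-trough amplitude within a window, Formula (6) is taken to be the geometric mean of precision and recall, and the sawtooth traces are constructed.

```python
import math
from typing import List, Sequence

WS = 90        # observation window length in seconds, as in the experiment setup
B1_MAX = 5.0   # packets/s: fluctuation stays below this when no attack touches TCP
C3_MIN = 20.0  # packets/s: fluctuation amplitude beyond this marks a serious attack

def fluctuation(window: Sequence[float]) -> float:
    """Peak-to-trough amplitude of the packets/s trace inside one window (assumed measure)."""
    return max(window) - min(window)

def label_window(window: Sequence[float]) -> str:
    """Map one window to the paper's scenarios using the thresholds read from Fig. 8."""
    amp = fluctuation(window)
    if amp < B1_MAX:
        return "B1"          # no attack, or none that affects TCP traffic
    if amp > C3_MIN:
        return "C3"          # serious attack
    return "B2"              # attack affects TCP traffic, but not serious

def split_windows(rates: Sequence[float], ws: int = WS) -> List[List[float]]:
    """Cut a per-second trace into consecutive full windows of ws seconds."""
    return [list(rates[i:i + ws]) for i in range(0, len(rates) - ws + 1, ws)]

def g_score(predicted: Sequence[bool], actual: Sequence[bool]) -> float:
    """Assumed form of Formula (6): sqrt(precision * recall) over attack/no-attack labels."""
    tp = sum(1 for p, a in zip(predicted, actual) if p and a)
    fp = sum(1 for p, a in zip(predicted, actual) if p and not a)
    fn = sum(1 for p, a in zip(predicted, actual) if not p and a)
    if tp == 0:
        return 0.0
    return math.sqrt((tp / (tp + fp)) * (tp / (tp + fn)))

def synth_window(base: float, step: float, ws: int = WS) -> List[float]:
    """Constructed packets/s trace: a sawtooth between base and base + 3*step."""
    return [base + (i % 4) * step for i in range(ws)]

def evaluate(trace: Sequence[float], attack_windows: Sequence[bool]):
    """Label every window, then score 'attack present' (label != B1) against the truth."""
    labels = [label_window(w) for w in split_windows(trace)]
    predicted = [lbl != "B1" for lbl in labels]
    return labels, g_score(predicted, attack_windows)

# Constructed trace: quiet, moderate, severe, then a mild attack that stays under B1_MAX
# and is therefore missed, which is what pulls the G score below 1.0.
DEMO_TRACE = synth_window(2, 1) + synth_window(8, 4) + synth_window(5, 10) + synth_window(3, 1)
DEMO_TRUTH = [False, True, True, True]
```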
Attack traffic is injected at different times, namely 400s, 800s and 1200s, and the changes in the number of received and forwarded packets detected by the method proposed in this paper, the method of reference [12] and the method of reference [14] are analyzed. The analysis results are shown in Fig. 9.
As shown in Fig. 9, after applying the method proposed in this paper, the number of received packets is approximately equal to the number of forwarded packets under normal circumstances. After an attack is injected, the method restricts the forwarding of abnormal packets, so the number of forwarded packets falls below the number of received packets and shows a significant decrease. Under a persistent attack, the number of packets forwarded by the port gradually decreases until the normal number of forwards is restored. From this it can be seen that the method proposed in this paper has a strong ability to detect abnormal traffic and can achieve network security detection. Comparing the methods of reference [12] and reference [14], although the overall trend of both is similar to that of the method in this paper, both show abnormal increases or decreases, indicating that the two comparison methods are affected by the attacks and exhibit misidentification.

This paper studies a network security detection method based on abnormal traffic detection and applies it to the experimental detection process. Experiments show that the method has a good detection effect on common abnormal traffic and attacks in the network. Given the shortcomings of the current research, the following aspects can be improved in future work:
1) Find or build appropriate data sets. The existing real data sets have some shortcomings and lack real attack data. Most researchers use traditional network data sets for experiments; however, due to the limitations of the network environment, the simulation data cannot fully reflect real network conditions.
2) Accurately identify the types of network attacks and devise reasonable solutions. At present, this method can only achieve the detection and early warning of abnormal traffic and cannot handle the abnormal traffic itself. In the future, effective abnormal traffic handling methods can be designed to improve network security.
4) After obtaining the traffic features, a sample set of traffic is constructed, including normal traffic and abnormal flow, with obvious differences in the distribution features of the three kinds of flow.

7) Add the new anomalies to the training samples of step (1) for retraining to obtain a new model set, and repeat step (5) to achieve network security detection.

Fig. 2. Analysis of the output package format of NetFlowV9.
Fig. 4. Process of feature selection method based on PCA-TS.
Fig. 9. Analysis of changes in the number of packets during injection attacks.