Journal of Information Security Research ›› 2017, Vol. 3 ›› Issue (5): 469-476.


Analysis of Host Anomaly Behavior Based on Stream Data Feature Matching

Mei-Rong WEI

  • Received: 2017-05-16 Online: 2017-05-16 Published: 2017-05-16
  • Contact: Mei-Rong WEI

Research on Analysis of Host Anomaly Behavior Based on Stream Data Feature Matching

WEI Mei-rong

  1. Beijing Information Science and Technology University
  • Corresponding author: WEI Mei-rong
  • Author biography: master's student; main research interest is network security.

Abstract: Network traffic is an important factor in analyzing the network state of a host. On the basis of analyzing the traffic characteristics of a host in its normal and abnormal states, the flow characteristics of abnormal network behavior are stored in a matching library. Based on the analysis and comparison of the two states, a multilevel host flow analysis method based on feature matching of stream data is designed. To provide early warning for host users, we design a host flow statistical analysis system. First, host traffic is classified by a method based on process application type, with reference to host traffic characteristics and common attack types. Through simulated attack experiments, the abnormal flow characteristics of the host are stored in the matching library. The experimental results show that the multilevel host flow statistical analysis system based on feature matching of stream data can effectively give early warning of Trojan and DDoS attacks.

Key words: host network traffic, network behavior, flow characteristics, feature matching, simulated attack
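The three levels the abstract describes (group flows by process, derive per-process flow features, match the features against a library of abnormal patterns) are sketched below as an added illustration; this is not the paper's code, and the flow records, process names, feature definitions and thresholds are constructed assumptions for the example only.

```python
"""Multilevel host flow analysis with a feature matching library (illustrative sketch)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (process, start_time_s, dst_ip, dst_port, bytes_out, bytes_in).
FLOWS = [
    ("browser", 0.0, "203.0.113.10", 443, 1200, 85000),
    ("browser", 3.1, "203.0.113.11", 443, 900, 42000),
    ("browser", 7.4, "203.0.113.12", 80, 600, 15000),
    # hypothetical implant: small, evenly spaced outbound flows to one host, little data back
    *[("updater", 60.0 * i, "198.51.100.7", 8080, 300, 120) for i in range(6)],
    # hypothetical flood tool: hundreds of tiny flows per second to one target, no replies
    *[("floodtool", 0.01 * i, "192.0.2.5", 80, 60, 0) for i in range(300)],
]

def level1_group_by_process(flows):
    """Level 1: classify traffic by the process that generated it."""
    groups = defaultdict(list)
    for f in flows:
        groups[f[0]].append(f)
    return groups

def level2_features(flows):
    """Level 2: derive statistical flow features for one process."""
    starts = sorted(f[1] for f in flows)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    out_b, in_b = sum(f[4] for f in flows), sum(f[5] for f in flows)
    span = starts[-1] - starts[0]
    return {
        "flows": len(flows),
        "distinct_dst": len({f[2] for f in flows}),
        "in_out_ratio": in_b / out_b if out_b else 0.0,
        "flows_per_sec": len(flows) / span if span > 0 else 0.0,
        # low relative spread of inter-flow gaps means periodic (beacon-like) activity
        "gap_cv": pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None,
    }

# Level 3: matching library of abnormal flow patterns (constructed thresholds).
MATCH_LIBRARY = {
    "trojan_like_beacon": lambda s: s["distinct_dst"] == 1 and s["flows"] >= 5
        and s["flows_per_sec"] < 1.0 and s["in_out_ratio"] < 1.0
        and s["gap_cv"] is not None and s["gap_cv"] < 0.1,
    "ddos_like_flood": lambda s: s["distinct_dst"] == 1
        and s["flows_per_sec"] > 50 and s["in_out_ratio"] == 0.0,
}

def level3_match(features):
    return [name for name, pred in MATCH_LIBRARY.items() if pred(features)]

def analyze(flows):
    """Return, per process, the names of matched abnormal patterns (empty list = no warning)."""
    return {p: level3_match(level2_features(fs)) for p, fs in level1_group_by_process(flows).items()}
```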

Abstract: Network traffic is an important factor in analyzing the network state of a host. On the basis of analyzing the traffic characteristics of a host in normal and abnormal states, the results of analyzing the traffic characteristics of normal and abnormal network behavior are stored in a matching library. Based on the analysis and comparison of the two states, a multilevel host traffic analysis method based on stream data feature matching is designed, and a host traffic statistical analysis system is designed and implemented to provide early warning for host users. First, with reference to host traffic characteristics and common attack types, host traffic is classified using a method based on process application type. Through simulated attack experiments, the abnormal traffic characteristics of the host are stored in the matching library. Experimental results show that the multilevel host traffic statistical analysis system based on stream data feature matching can effectively give early warning of attacks such as Trojans and DDoS.

Key words: host network traffic, network behavior, traffic characteristics, feature matching, simulated attack