Unsupervised packet-based anomaly detection in virtual networks
Computer Networks (IF 5.6), Pub Date: 2021-03-18, DOI: 10.1016/j.comnet.2021.108017
Daniel Spiekermann, Jörg Keller

The enormous number of network packets transferred in modern networks, together with the high transmission speeds, hampers the implementation of effective IT security mechanisms. In addition, virtual networks create highly dynamic and flexible environments which differ widely from the well-known infrastructures of the past decade. Network forensic investigation aimed at detecting covert channels, malware usage or anomalies faces new problems and is therefore a time-consuming, error-prone and complex process. Machine learning provides advanced techniques to perform this work faster, more precisely and, at the same time, with fewer errors. Depending on the learning technique, algorithms operate almost without any human interaction to detect relevant events in the transferred network packets. Current algorithms work well in static environments, but the highly dynamic environments of virtual networks generate additional events which can confuse anomaly detection algorithms. This paper analyzes highly flexible networks and their inherent on-demand changes, such as the migration of virtual machines, SDN programmability or user customization, and the resulting effect on the detection rate of anomalies in the environment. Our research shows the need for adapted pre-processing of the network data and improved cooperation between IT security and IT administration departments.
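The effect described in the abstract, as an added example that is not part of the paper: a frequency-based unsupervised detector learns per-VM traffic keys in a baseline window; after a VM migration every packet carries a new hypervisor-port attribute (an assumed field name), so the naive detector flags all of it, whereas a pre-processing step that strips infrastructure-bound attributes flags only the one genuinely new connection. All packet records are constructed sample data.

```python
"""Added illustration (not the paper's code): a VM migration inflates the
false positives of a simple unsupervised, packet-based detector, and
stripping infrastructure-dependent attributes in pre-processing avoids it."""
from collections import Counter
from typing import Callable, Iterable, List, Tuple

Packet = Tuple[str, str, int, str]          # (src_ip, dst_ip, dst_port, hypervisor_port)
KeyFn = Callable[[Packet], tuple]

# Constructed baseline window: one VM talking HTTPS and DNS via hypervisor 1.
BASELINE: List[Packet] = [("10.0.0.5", "10.0.1.9", 443, "hv1-eth0")] * 40 + \
                         [("10.0.0.5", "10.0.1.20", 53, "hv1-eth0")] * 10
# Constructed post-migration window: the same behaviour now leaves via
# hypervisor 2, plus one genuinely new event (telnet to an unseen host).
AFTER_MIGRATION: List[Packet] = [("10.0.0.5", "10.0.1.9", 443, "hv2-eth3")] * 20 + \
                                [("10.0.0.5", "10.0.1.20", 53, "hv2-eth3")] * 5 + \
                                [("10.0.0.5", "10.0.1.77", 23, "hv2-eth3")]


def naive_key(p: Packet) -> tuple:
    """Use every attribute, including where in the virtual fabric the packet was seen."""
    return p


def preprocessed_key(p: Packet) -> tuple:
    """Drop the hypervisor port: it describes the infrastructure, not the VM's behaviour."""
    return p[:3]


class FrequencyDetector:
    """Unsupervised detector: count each key in the baseline window and flag
    packets whose key was seen fewer than `min_support` times."""

    def __init__(self, key_fn: KeyFn, min_support: int = 3) -> None:
        self.key_fn, self.min_support = key_fn, min_support
        self.counts: Counter = Counter()

    def fit(self, packets: Iterable[Packet]) -> None:
        self.counts.update(self.key_fn(p) for p in packets)

    def flag(self, packets: Iterable[Packet]) -> List[Packet]:
        return [p for p in packets if self.counts[self.key_fn(p)] < self.min_support]


def alerts_after_migration(key_fn: KeyFn) -> List[Packet]:
    """Train on the baseline, then score the post-migration window."""
    det = FrequencyDetector(key_fn)
    det.fit(BASELINE)
    return det.flag(AFTER_MIGRATION)


if __name__ == "__main__":
    print("naive alerts:", len(alerts_after_migration(naive_key)))                  # 26
    print("pre-processed alerts:", len(alerts_after_migration(preprocessed_key)))   # 1
```

Without the pre-processing step every migrated packet is reported, so the single real event (the telnet connection) is buried among 25 false positives caused purely by the migration.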




Updated: 2021-04-09