基于改进聚类分析的网络流量异常检测方法

doi:10.11959/j.issn.2096-109x.2015.00009

Abstract

Abstract:

To solve the problem that traditional traffic abnormal detection methods were not accurate enough,a traf-fic anomaly detection method based on improved k-means was proposed.All kinds of network traffic data were pre-processed to make k-means algorithm can apply to enumeration data detection.Then a features selection method was pro-posed with the analysis of the distribution of network traffic data to avoid the distance useless caused by too much fea-tures.Furthermore,the clustering process of K clusters was optimized based on dichotomy,aiming to reduce the effects of initial clusters centers selection.Simulation results demonstrate the effectiveness of the algorithm.

Key words: network security, traffic abnormal detection, clustering analysis, k-means algorithm

CLC Number:

TP309.7

Hong-cheng LI,Xiao-ping WU,Hong-hai JIANG. Traffic anomaly detection method in networks based on improved clustering algorithm[J]. Chinese Journal of Network and Information Security, 2015, 1(1): 66-71.

Figures/Tables 6

References 12

[1]	唐成华, 刘鹏程, 汤申生 ,等. 基于特征选择的模糊聚类异常入侵行为检测[J]. 计算机研究与发展, 2015,52(3): 718-728.
	TANG C H , LIU P C , TANG S S ,et al. Fuzzy clustering abnormal behavior detection based on feature selection[J]. Computer Re-search and Development, 2015,52(3): 718-728.
[2]	XU J H , LIU H . Web user clustering analysis based on k-means algorithm[C]// Proceeding of the 2010 International Conference on Information,Networking and Automation (ICINA),New York. 2010: 6-9.
[3]	LI P , LIU L , GAO D ,et al. On challenges in evaluating malware clustering[C]. Recent Advances in Intrusion Detection,Ottawa. 2010: 238-255.
[4]	武小年, 彭小金, 杨宇洋 ,等. 入侵检测中基于 SVM 的两级特征选择方法[J]. 通信学报, 2015,36(4): 19-26.
	WU X N , PENG X J , YANG Y Y ,et al. Two levels of feature selec-tion methods based on SVM in intrusion detection[J]. Journal on Communication, 2015,36(4): 19-26.
[5]	郑黎明, 邹鹏, 韩伟红 ,等. 基于多维熵值分类的骨干网流量异常检测研究[J]. 计算机研究与发展, 2012,49(9): 1972-1981.
	ZHENG L M , ZOU P , HAN W H ,et al. Backone network traffic anomaly detection study based on multidimensional entropy classi-fication[J]. Computer Research and Development, 2012,49(9): 1972-1981.
[6]	SHINGO M , CHEN C , LU N N . Intrusion-detection model based on fuzzy class-association-rule mining using genetic programming network[J]. IEEE Transaction on Systems,Man,and Cybernetics, 2011,41(1): 130-139.
[7]	DASH S K , REDDY K S . Adaptive naive Bayes method for mas-querade detection[J]. Security and Communications Networks, 2011,4(4): 410-417.
[8]	张玲, 白中英, 罗守山 ,等. 基于粗糙集和人工免疫的集成入侵检测模型[J]. 通信学报, 2013,34(9): 166-176.
	ZHANG L , BAI Z Y , LUO S S ,et al. Ensemble intrusion detection model based on rough set and artificial immunity[J]. Journal on Communication, 2013,34(9): 166-176.
[9]	陆悠, 李伟, 罗军舟 ,等. 一种基于选择性协同学习的网络用户异常行为检测方法[J]. 计算机学报, 2014,37(1): 28-40.
	LU Y , LI W , LUO J Z ,et al. A method of network users abnormal behavior based on selective collaborative learning[J]. Chinese Journal of Computer, 2014,37(1): 28-40.
[10]	FLAVIO C , NILESH D , RAVI K . Correlation clustering in MapRe-duce[C]// Proceeding of the 20th ACM SIGKDD International Con-ference on Knowledge Discovery and Data Mining (KDD 2014),New York. 2014: 641-650.
[11]	钱叶魁, 陈鸣, 叶立新 ,等. 基于多尺度主成分分析的全网络异常检测方法[J]. 软件学报, 2012,23(2): 361-377.
	QIAN Y K , CHEN M , YE L X ,et al. Methods of full network anomaly detection based on multi-scale principle component analy-sis[J]. Journal of Software, 2012,23(2): 361-377.
[12]	RUBINSTEIN B , NELSON B , HUANG L ,et al. Stealthy poison-ing attacks on PCA-based anomaly detectors[C]// Proceeding of the ACM SIGMETRICS,New York. 2009.

Metrics

Recommended 0

No Suggested Reading articles found!

所属攻击大类	在10%训练集中出现的攻击类型	只在测试集中出现的攻击类型
DoS	back、land、neptune、pod、smurf、teardrop	apache2 mailbomb processtable udpstorm
R2L	ftp_write guess_passwd imap multihop phf warezmaster、 spy、warezclient	named sendmail snmpgetattack snmpguess worm xlock、 xsnoop
U2R	buffer_overflow、loadmodule、perl、rootkit	httptunnel、ps、sqlattack、xterm
Probing	ipsweep、nmap、portsweep、satan	mscan、saint

类型	在10%训练集中的数量/个	在10%训练集中占的比例/%	在测试集中的数量/个	在测试集中占的比例/%
DoS	391 458	79.24	229 851	73.90
R2L	1 126	0.23	16 311	5.24
U2R	52	0.01	104	0.03
Probing	4 107	0.83	4 166	1.34
Normal	97 278	19.69	60 593	19.48
Overall	494 021	100.00	311 025	100.00

序号	特征名称	特征含义
2	protocol_type	网络协议的类型
3	service	网络流目的主机的服务类别
4	flag	连接正常则为1，错误为0
10	hot	网络流访问密级较高资源的次数
12	logged_in	是否成功登录的状态
22	is_guest_login	是否为guest登录的状态
23	count	两秒时间里，与该网络连接目的主机一致的连接数目
28	srv_rerror_rate	两秒时间里，标记“REJ”错误的网络连接占与该网络连接服务类型一致的网络连接的比例
32	dst_host_count	在此前100个网络连接里与该网络连接目的主机一致的网络连接数目
33	dst_host_srv_count	在此前100个网络连接里，与该网络连接目的主机和服务类型均一致的网络连接数目
3437	dst_host_same_srv_ratedst_host_srv_diff_host_rate	在此前100个网络连接里，与该网络连接目的主机和服务类型均一致的网络连接占的比例在此前100个网络连接里，在与该网络连接目的主机和服务类型均一致的网络连接中，与该网络连接源主机不一致的网络连接所占比例
39	dst_host_srv_serror_rate	在此前100个网络连接里，在与该网络连接目的主机和服务类型均一致的网络连接中，标记“SYN”错误的网络连接所占比例

类型	基本k-means的检测率/%	基本k-means的误报率/%	本文算法的检测率/%	本文算法的误报率/%
DoS	82.08	17.92	87.01	12.99
R2L	83.44	16.56	88.45	11.55
U2R	85.07	14.93	90.17	9.83
Probing	80.20	19.80	85.01	14.99

[1]	Heli WANG, Qiao YAN. Selfish mining detection scheme based on the characters of transactions [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 104-114.
[2]	Dong LI, Yanni HAO, Shenghui PENG, Ruijie ZI, Ximeng LIU. Network security of the National Natural Science Foundation of China: today and prospects [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 92-101.
[3]	Fukang XING, Zheng ZHANG, Ran SUI, Sheng QU, Xinsheng JI. Qualitative modeling and analysis of attack surface for process multi-variant execution software system [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 121-128.
[4]	Zenan WANG, Jiahao LI, Chaohong TAN, Dechang PI. Design and analysis of intelligent service chain system for network security resource pool [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 175-181.
[5]	Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.
[6]	Yang WANG, Guangming TANG, Shuo WANG, Jiang CHU. Defense mechanism of SDN application layer against DDoS attack based on API call management [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 73-87.
[7]	Tao WANG, Hongchang CHEN. Multi-objective optimization placement strategy for SDN security controller considering Byzantine attributes [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 72-84.
[8]	Chenglei ZHANG, Yulong FU, Hui LI, Jin CAO. Research on security scenarios and security models for 6G networking [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 28-45.
[9]	QIN Yuhai,LIU Luyuan,GAO Haohang,LIU Shengqiao,DONG Han. Innovative professional skills competition to create a police practice talents [J]. Chinese Journal of Network and Information Security, 2019, 5(3): 75-80.
[10]	Hao HU, Yuling LIU, Yuchen ZHANG, Hongqi ZHANG. Survey of attack graph based network security metric [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 1-16.
[11]	Juntai HU,Zhenyu WU,Xiao FU,Yichao WANG. Game model based security strategy of heterogeneous controllers in the cloud [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 52-59.
[12]	Binghao YAN,Guodong HAN. Combinatorial intrusion detection model based on deep recurrent neural network and improved SMOTE algorithm [J]. Chinese Journal of Network and Information Security, 2018, 4(7): 48-59.
[13]	Wenyan LIU,Shumin HUO,Qing TONG,Miao ZHANG,Chao QI. Research on models of network security evaluation and analysis [J]. Chinese Journal of Network and Information Security, 2018, 4(4): 1-11.
[14]	Haocheng ZHANG,Xiaojie WU,Xiang TANG,Runxuan SHU,Tianchen DING,Xiaoju DONG. System detecting network anomaly with visualization techniques [J]. Chinese Journal of Network and Information Security, 2018, 4(2): 40-54.
[15]	Jialin WANG, Jiqiang LIU, Di ZHAO, Yingdi WANG, Yingxiao XIANG, Tong CHEN, Endong TONG, Wenjia NIU. Intrusion detection model based on non-symmetric convolution auto-encode and support vector machine [J]. Chinese Journal of Network and Information Security, 2018, 4(11): 57-68.

Traffic anomaly detection method in networks based on improved clustering algorithm

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 12

Related Articles 15

Metrics

Recommended 0