
Journal of Shandong University (Natural Science) ›› 2017, Vol. 52 ›› Issue (3): 68-73. doi: 10.6040/j.issn.1671-9352.1.2016.030


A time-relevant anomaly traffic detection model

ZHUANG Zheng-mao1, CHEN Xing-shu2*, SHAO Guo-lin1, YE Xiao-ming1

  1. College of Computer Science, Sichuan University, Chengdu 610065, Sichuan, China; 2. CyberSecurity Research Institute, Sichuan University, Chengdu 610065, Sichuan, China
  • Received: 2016-08-16  Online: 2017-03-20  Published: 2017-03-20
  • Corresponding author: CHEN Xing-shu (born 1968), female, PhD, professor and doctoral supervisor; research interests: cloud computing, information security and computer networks. E-mail: chenxsh@scu.edu.cn E-mail: zzm844740385@126.com
  • About the author: ZHUANG Zheng-mao (born 1992), male, master's student; research interest: network behavior analysis. E-mail: zzm844740385@126.com
  • Funding:
    National Natural Science Foundation of China (61272447)

A time-relevant network traffic anomaly detection approach

ZHUANG Zheng-mao1, CHEN Xing-shu2*, SHAO Guo-lin1, YE Xiao-ming1   

  1. College of Computer Science, Sichuan University, Chengdu 610065, Sichuan, China;
    2. CyberSecurity Research Institute, Sichuan University, Chengdu 610065, Sichuan, China
  • Received:2016-08-16 Online:2017-03-20 Published:2017-03-20

Abstract: Server behavior is dynamically correlated with time. Addressing this property, a clustering method that combines distribution ratio, cluster deviation and density is proposed, and a time-relevant server traffic anomaly detection model is built on it. Long-term observation and study of campus network server traffic show that server traffic features are dynamically correlated with time. On this basis, the server's traffic features at the current moment are extracted and combined with the time features dynamically related to that moment, and the clustering algorithm combining distribution ratio, cluster deviation and density is used to build the anomaly detection model that discovers abnormal server traffic. Experiments show that the model effectively discovers abnormal server traffic from the network traffic statistical features extracted in this paper, that it also detects anomalies effectively when applied in a real environment, and that the longer the model is applied, the stronger the algorithm's adaptability becomes.

Key words: anomaly detection, network traffic, time relevance

Abstract: Server behavior is dynamically correlated with time. Exploiting this property, a clustering method that combines distribution ratio, cluster deviation and density is proposed to construct a time-relevant server traffic anomaly detection model. Long-term observation and study of campus network server traffic found that server traffic characteristics are dynamically correlated with time. Based on this, the paper extracts the server's traffic features at the present moment, combines them with the time features dynamically associated with the current moment, and uses the K-means clustering algorithm to detect outliers in the flow characteristics and thereby find abnormal server traffic. Experimental results show that the model can effectively detect abnormal server traffic, even in a real-world environment, and that the longer the model is applied, the more adaptable the algorithm becomes.
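The abstracts above describe joining a server's current-moment traffic features with time-of-day features and clustering the result, so that a load level which is normal at one hour stands out as an outlier at another. The following added example is not the paper's code: the distribution-ratio/cluster-deviation/density algorithm is not given on this page, so plain two-cluster K-means (which the English abstract also mentions) is used on constructed hourly flow-rate samples of a hypothetical campus server, learning day and night profiles and scoring a new observation by its distance to the nearest profile relative to that profile's training radius. The time weight, flow scale and 1.2 margin are assumed values chosen for the constructed data.

```python
import math

TIME_WEIGHT = 0.5    # shrink the unit time circle so load differences dominate (assumed)
FLOW_SCALE = 300.0   # flows/min per feature unit (assumed scale for the constructed data)

def features(hour, flows_per_min):
    # current-moment traffic feature joined with a circular time-of-day feature,
    # so that 23:00 and 00:00 are neighbours rather than 23 hours apart
    ang = 2 * math.pi * hour / 24
    return (TIME_WEIGHT * math.sin(ang), TIME_WEIGHT * math.cos(ang), flows_per_min / FLOW_SCALE)

def baseline_observations():
    # constructed training set: three samples per hour, ~600 flows/min 08-18h, ~50 otherwise
    obs = []
    for hour in range(24):
        base, jitter = (600, 10) if 8 <= hour <= 18 else (50, 5)
        obs.extend(features(hour, base + d * jitter) for d in (-1, 0, 1))
    return obs

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def assign(points, centroids):
    groups = [[] for _ in centroids]
    for p in points:
        groups[min(range(len(centroids)), key=lambda i: dist(p, centroids[i]))].append(p)
    return groups

def two_means(points, rounds=20):
    # plain K-means, k=2, seeded with the first point and the point farthest from it
    centroids = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    for _ in range(rounds):
        groups = assign(points, centroids)
        new = [tuple(sum(c) / len(g) for c in zip(*g)) for g in groups]
        if new == centroids: break
        centroids = new
    return centroids, assign(points, centroids)

class TimeRelevantDetector:
    def __init__(self, observations, margin=1.2):
        self.centroids, groups = two_means(observations)
        # profile radius: farthest training member from its centroid
        self.radius = [max(dist(p, c) for p in g) for c, g in zip(self.centroids, groups)]
        self.margin = margin  # assumed tolerance beyond the training radius

    def score(self, hour, flows_per_min):
        x = features(hour, flows_per_min)
        i = min(range(2), key=lambda j: dist(x, self.centroids[j]))
        return dist(x, self.centroids[i]) / self.radius[i]
    def is_anomaly(self, hour, flows_per_min):
        return self.score(hour, flows_per_min) > self.margin
```

With this data, 600 flows/min scores as normal at 14:00 but as an anomaly at 03:00, which is the time-relevance effect the abstract relies on.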

Key words: network traffic, time-relevant, anomaly detection

CLC number:

  • TP393