
Journal of Shandong University (Natural Science) ›› 2018, Vol. 53 ›› Issue (9): 1-11. doi: 10.6040/j.issn.1671-9352.2.2017.169


Anomaly detection model of host group based on graph-evolution events

YE Xiao-ming1, CHEN Xing-shu2*, YANG Li3, WANG Wen-xian2, ZHU Yi1, SHAO Guo-lin1, LIANG Gang2

  1. College of Computer Science, Sichuan University, Chengdu 610065, Sichuan, China;
  2. College of Cybersecurity, Sichuan University, Chengdu 610065, Sichuan, China;
  3. School of Economics and Management, Southwest Jiao Tong University, Chengdu 610031, Sichuan, China
  • Received: 2017-08-28 Online: 2018-09-20 Published: 2018-09-10
  • Author biography: YE Xiao-ming (b. 1981), female, PhD candidate, lecturer; research interests: information security, big data analytics. E-mail: yexm.edu@gmail.com
    *Corresponding author: CHEN Xing-shu (b. 1968), female, PhD, professor, doctoral supervisor; research interests: cloud computing, information security, computer networks. E-mail: chenxsh@scu.edu.cn
  • Funding:
    National Natural Science Foundation of China (61272447); Science and Technology Support Program of the Sichuan Provincial Department of Science and Technology (2016GZ0042, 16ZHSF0483, 2017GZ0168); Key Research Projects of the Sichuan Provincial Department of Education (17ZA0238, 17ZA0200)


Abstract: Communication in today's networks increasingly aggregates around services, and new collaborative attack patterns, of which distributed attacks are the typical case, are carried out by groups of hosts acting together. To address both, this paper proposes an anomaly detection model for host groups based on graph-evolution events. The model analyses the latent social relations among communicating hosts, the clustering of hosts into groups, and the dynamics of group behaviour over time; it is parameter-free and scales with the volume of data. Graph dynamic-evolution events and a corresponding detection algorithm are defined to identify anomalous host groups. The model is implemented and deployed on Spark and validated on data collected from a real computer and network environment. Experimental results show that the model effectively characterises group behaviour, exposes the important graph-evolution events, and accurately locates the host groups in which anomalies occur, with a detection rate of 95.09% for the member hosts of those groups.

Key words: graph-evolution event, host group, group behavior, anomaly detection
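The abstract describes the mechanism only at a high level: hosts are grouped by their communication structure in each time window, the groups are tracked across consecutive windows, and the evolution events between windows reveal anomalous groups. The Python below is an added illustration of that pipeline; it is not the paper's code and not its Spark implementation. Connected components stand in for the community detection the paper builds on, the event taxonomy (form, continue, grow, shrink, merge, split, dissolve) is the common one for evolving graphs and is assumed rather than taken from the paper, and the overlap threshold, growth factor, host names and flow records are all constructed for the example (the paper's own model is parameter-free). The example flags a host group whose membership more than doubles in one window, the many-hosts-converging-on-one-service pattern that the abstract associates with distributed attacks.

```python
"""Host-group evolution events over time windows of communication logs.

Added example; not the paper's algorithm or its Spark code. Assumptions:
connected components replace community detection, the event labels follow
the usual evolving-graph taxonomy, and all thresholds and data are made up.
"""
from collections import defaultdict, deque

# Constructed sample flows: (time window, source host, destination host).
FLOWS = [
    (0, "h1", "srv-a"), (0, "h2", "srv-a"), (0, "h3", "srv-a"),
    (0, "h4", "srv-b"), (0, "h5", "srv-b"),
    (1, "h1", "srv-a"), (1, "h2", "srv-a"), (1, "h3", "srv-a"),
    (1, "h4", "srv-b"), (1, "h5", "srv-b"),
    # window 2: five hosts that never talked to srv-b before all converge on it
    (2, "h1", "srv-a"), (2, "h2", "srv-a"), (2, "h3", "srv-a"),
    (2, "h4", "srv-b"), (2, "h5", "srv-b"), (2, "h6", "srv-b"),
    (2, "h7", "srv-b"), (2, "h8", "srv-b"), (2, "h9", "srv-b"), (2, "h10", "srv-b"),
]


def build_graphs(flows):
    """One undirected communication graph per window: {window: {host: set(peers)}}."""
    graphs = defaultdict(lambda: defaultdict(set))
    for window, src, dst in flows:
        graphs[window][src].add(dst)
        graphs[window][dst].add(src)
    return graphs


def host_groups(adj):
    """Connected components (assumed stand-in for community detection) as frozensets."""
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in comp:
                continue
            comp.add(node)
            queue.extend(adj[node] - comp)
        seen |= comp
        groups.append(frozenset(comp))
    return groups


def jaccard(a, b):
    return len(a & b) / len(a | b)


def evolution_events(prev_groups, cur_groups, min_overlap=0.3):
    """Label each current group by its overlap with the previous window's groups.

    Returns (kind, group, related_groups) tuples. min_overlap is an assumed
    matching threshold; the paper's model needs no such parameter.
    """
    events = []
    for g in cur_groups:
        preds = [p for p in prev_groups if jaccard(p, g) >= min_overlap]
        if not preds:
            kind = "form"
        elif len(preds) > 1:
            kind = "merge"
        elif len(g) > len(preds[0]):
            kind = "grow"
        elif len(g) < len(preds[0]):
            kind = "shrink"
        else:
            kind = "continue"  # same size (identical or member turnover)
        events.append((kind, g, preds))
    for p in prev_groups:
        succ = [g for g in cur_groups if jaccard(p, g) >= min_overlap]
        if not succ:
            events.append(("dissolve", p, []))
        elif len(succ) > 1:
            events.append(("split", p, succ))
    return events


def detect(flows, min_overlap=0.3, growth_factor=2.0):
    """Return ({window: events}, alerts) where an alert is a group that grew
    or merged to at least growth_factor times its largest predecessor."""
    graphs = build_graphs(flows)
    windows = sorted(graphs)
    groups = {w: host_groups(graphs[w]) for w in windows}
    events, alerts = {}, []
    for prev_w, cur_w in zip(windows, windows[1:]):
        events[cur_w] = evolution_events(groups[prev_w], groups[cur_w], min_overlap)
        for kind, g, related in events[cur_w]:
            if kind not in ("grow", "merge"):
                continue
            biggest_pred = max(len(p) for p in related)
            if len(g) >= growth_factor * biggest_pred:
                alerts.append({
                    "window": cur_w, "kind": kind, "group": g,
                    "new_members": set(g) - set().union(*related),
                    "factor": len(g) / biggest_pred,
                })
    return events, alerts


if __name__ == "__main__":
    found_events, found_alerts = detect(FLOWS)
    for w, evs in found_events.items():
        print(w, [(kind, sorted(g)) for kind, g, _ in evs])
    for a in found_alerts:
        print("ALERT window", a["window"], a["kind"], sorted(a["new_members"]))
```

On the constructed data the two service groups are labelled "continue" from window 0 to 1, and in window 2 the srv-b group jumps from three members to eight, a "grow" event whose five new members (h6 to h10) are exactly the hosts a responder would want listed; the srv-a group is untouched. A real deployment would replace the components with a proper community algorithm and the flat thresholds with the paper's parameter-free criteria.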

CLC number: TN915.08