CN104618175A - Network abnormity detection method - Google Patents
- Publication number
- CN104618175A (application CN201410810860.1A)
- Authority
- CN
- China
- Prior art keywords
- cluster
- detection method
- anomaly detection
- network
- mib data
- Prior art date
- Legal status: Pending (the status shown is an assumption made by Google, not a legal conclusion)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network anomaly detection method comprising the following steps: (1) determining, according to the network to be detected, the attributes of the MIB (Management Information Base) data to be clustered and generating an attribute vector X; (2) sampling the MIB data over a predetermined time; (3) performing cluster analysis on the collected MIB data; (4) performing outlier detection on the cluster analysis result. In step (4), a cluster whose number of members in the cluster analysis result is smaller than a specified threshold is judged to be an isolated event, and a network anomaly is judged to have occurred at the time corresponding to that isolated event.
Description
Technical field
The present invention relates to the field of network communication and, more particularly, to a network anomaly detection method based on clustering and outlier detection. It uses the management information base (MIB) produced by a router to find network anomaly points, and can be widely applied to network fault discovery, intrusion detection and the like.
Background technology
In 1980, James P. Anderson classified computer threats and set out the concept of network anomaly detection for the first time. From 1984 to 1985, Denning and colleagues developed the first real-time intrusion detection model, IDES (Intrusion Detection Expert System); it was the first system to apply both statistical and rule-based techniques and remains the most influential system in intrusion detection. In 1990, MIDAS (Multics Intrusion Detection and Alerting System) was developed as a real-time anomaly detection system for the network host of the National Computer Security Center; although it was built mainly with P-BEST, it also drew on the idea of statistics-based anomaly detection.
Current anomaly detection methods are mainly statistics-based and fall into the following five kinds. 1) Threshold detection, for example detecting the number of wrong passwords entered within a short time. 2) Mean and standard deviation models: the mean and standard deviation of a parameter are computed to set a confidence interval, and a measured value that falls outside the confidence interval indicates an anomaly. 3) Multivariate models, which detect anomalies through correlation analysis of two or more parameters. 4) Markov models: each type of audit event is treated as a state variable, a state transition matrix describes the state changes, and a state transition of low probability may indicate an anomaly. 5) Time-series models, which detect anomalies by considering the order, arrival time and value of a series of observations.
Each of these methods has a drawback. The model of the first method is rather simple and cannot detect many types of abnormal behaviour. In the second method the confidence interval has to be set manually from experience, so many failures and much experience are needed before a credible confidence interval is obtained. The third method has a complex model, and its results vary considerably as the parameters change. The fourth method suits the case where the variable is a continuous parameter and gives no effective result when the samples are discrete values. The result of the fifth method depends on the size of the chosen time window.
Summary of the invention
The technical problem to be solved by the invention is the above-mentioned defect of the prior art. The invention provides a network anomaly detection method that introduces MIB data analysis into cluster analysis and outlier detection and can therefore find network anomalies quickly. The method simplifies the model to a certain extent and finds network anomalies fast.
To achieve the above purpose, the invention provides a network anomaly detection method comprising: a first step of determining, according to the network to be detected, the attributes of the MIB data to be clustered and generating an attribute vector X; a second step of sampling the MIB data within a predetermined time; a third step of performing cluster analysis on the collected MIB data; and a fourth step of performing outlier detection on the cluster analysis result.
Preferably, in the fourth step, a cluster whose number of members in the cluster analysis result is less than a specified threshold is judged to be an isolated case, and a network anomaly is judged to have occurred at the time corresponding to that isolated case.
Preferably, the MIB data are MIB data produced by a router.
Preferably, the specified threshold is 3 to 10.
Preferably, the specified threshold is 5.
Preferably, in the third step the K-MEANS algorithm is used to perform the cluster analysis on the collected MIB data.
Preferably, the cluster analysis of the collected MIB data in the third step comprises the following sub-steps:
First sub-step: randomly set n clusters and the cluster centre X_i (i = 1, 2, ..., n) of each cluster.
Second sub-step: for each time point, calculate the norm distance from the attribute vector value to each cluster centre and assign the attribute vector to the cluster whose centre is nearest, thereby obtaining the cluster to which each time point belongs.
Third sub-step: recalculate each cluster centre, and calculate the change p(X) of the attribute variable X at the predetermined instant relative to it.
Fourth sub-step: judge whether p(X) is greater than the specified threshold.
If the rate of change p(X) is greater than the specified threshold, reclassify the attribute variable X and return to the second sub-step.
Preferably, each component of the attribute vector is an attribute variable in the MIB.
The invention introduces cluster analysis and outlier detection theory into the network anomaly detection problem, exploits the strength of cluster analysis in finding regularities in a system, and solves the problem of detecting network anomalies within the detection period. Moreover, because the invention works on the management information base (MIB) produced by a router, the model can be computed easily and the candidate anomaly points obtained, which saves time and improves detection efficiency. The invention is broadly applicable, including to network intrusion detection, network fault discovery and other aspects of network anomalies.
Accompanying drawing explanation
With reference to the accompanying drawings and the detailed description below, the invention and its attendant advantages and features will be more readily and completely understood, wherein:
Fig. 1 schematically shows the network anomaly detection method based on clustering and outlier detection according to the preferred embodiment of the invention.
Fig. 2 schematically shows the cluster analysis process of the network anomaly detection method based on clustering and outlier detection according to the preferred embodiment of the invention.
Fig. 3 schematically shows the three-dimensional result obtained by intrusion detection based on the ant colony algorithm.
It should be noted that the drawings illustrate the invention and do not limit it. Drawings representing structures are not necessarily drawn to scale. Further, identical or similar elements are indicated by identical or similar reference signs across the drawings.
Embodiment
In order to make the content of the invention clear and understandable, it is described in detail below with reference to specific embodiments and the drawings.
Fig. 1 schematically shows the network anomaly detection method based on clustering and outlier detection according to the preferred embodiment of the invention.
Specifically, as shown in Fig. 1, the network anomaly detection method based on clustering and outlier detection according to the preferred embodiment of the invention comprises:
A first step S1 of determining, according to the network to be detected, the attributes of the MIB (Management Information Base) data to be clustered and generating an attribute vector X; for example, each component of the attribute vector is an attribute variable in the MIB.
A second step S2 of sampling the MIB data within a predetermined time; in particular, the MIB data are, for example, MIB data produced by a router.
A third step S3 of performing cluster analysis on the collected MIB data.
A fourth step S4 of performing outlier detection on the cluster analysis result, wherein a cluster whose number of members in the cluster analysis result is less than a specified threshold (for example 3 to 10, such as 5) is judged to be an isolated case, and a network anomaly is judged to have occurred at the time corresponding to that isolated case.
In a particular embodiment, the cluster analysis of the collected MIB data in the third step S3 may use the K-MEANS algorithm and may, for example, comprise the following sub-steps:
First sub-step S10: randomly set n clusters and the cluster centre X_i (i = 1, 2, ..., n) of each cluster.
Second sub-step S20: for each time point, calculate the norm distance from the attribute vector value to each cluster centre and assign the attribute vector to the cluster whose centre is nearest, thereby obtaining the cluster to which each time point belongs.
Third sub-step S30: recalculate each cluster centre, and calculate the change p(X) of the attribute variable X at the predetermined instant relative to it.
Fourth sub-step S40: judge whether p(X) is greater than the specified threshold.
If the rate of change p(X) is greater than the specified threshold, reclassify the attribute variable X and return to the second sub-step S20.
When no point has a rate of change p(X) greater than the specified threshold, clustering ends.
Fig. 3 is the three-dimensional result of intrusion detection based on the ant colony algorithm; the three variables examined are the change in the router's inbound octets (ifInOctets), the change in its outbound octets (ifOutOctets) and the change in its discarded outbound packets (ifOutDiscards). As can be seen from Fig. 3, the rightmost cluster contains only one member, so that cluster can be judged to be an isolated point and a network anomaly considered to have occurred at the corresponding moment.
This method approaches network anomaly detection from a new angle: by sampling MIB variables, it brings cluster analysis and outlier detection techniques to the network anomaly detection problem. With a reasonably chosen computation time window, cluster analysis can then be used to detect candidate network anomaly points.
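The four steps of the summary and the S1 to S40 embodiment above describe one procedure. The following Python block is an added worked example of that procedure and is not code from the patent. It constructs 31 cumulative router ifTable counter readings (30 polling intervals of ifInOctets, ifOutOctets and ifOutDiscards, the three variables used in Fig. 3, with one injected anomaly at interval 17), turns them into per-interval attribute vectors, clusters them with K-means and flags every interval whose cluster has fewer than 5 members. Everything below that the patent does not specify is an assumption of this example: per-attribute z-score scaling before clustering, k-means++ seeding with several restarts, Counter32 wrap-around handling via modular subtraction, and reading p(X) as the movement of a point's cluster centre between iterations.

```python
"""Added example (not from the patent): K-means over router MIB counter
deltas with small-cluster outlier detection, following steps 1-4 / S1-S40."""
import math
import random
from typing import Dict, List, Sequence, Tuple

COUNTER32_MOD = 2 ** 32  # SNMP Counter32 wraps at 2^32
ATTRIBUTES = ("ifInOctets", "ifOutOctets", "ifOutDiscards")


def make_sample_counters(seed: int = 7) -> List[Dict[str, int]]:
    """Constructed data: 31 cumulative ifTable readings (30 polling intervals)
    with a busy regime, a quiet regime and one anomalous interval (index 17).
    Both octet counters start near 2^32 so the series exercises wrap-around."""
    rng = random.Random(seed)
    deltas = []
    for t in range(30):
        if t == 17:  # injected anomaly: inbound flood plus output discards
            d = (9_000_000, 100_000, 400)
        elif t < 14:  # busy regime
            d = (1_200_000 + rng.randint(-50_000, 50_000),
                 900_000 + rng.randint(-50_000, 50_000), rng.randint(0, 2))
        else:  # quiet regime
            d = (400_000 + rng.randint(-50_000, 50_000),
                 300_000 + rng.randint(-50_000, 50_000), rng.randint(0, 1))
        deltas.append(d)
    counters = [COUNTER32_MOD - 5_000_000, COUNTER32_MOD - 1_000_000, 0]
    readings = [dict(zip(ATTRIBUTES, counters))]
    for d in deltas:
        counters = [(c + x) % COUNTER32_MOD for c, x in zip(counters, d)]
        readings.append(dict(zip(ATTRIBUTES, counters)))
    return readings


def attribute_vectors(readings: Sequence[Dict[str, int]]) -> List[Tuple[float, ...]]:
    """Steps 1-2: one attribute vector X per polling interval, built from the
    per-interval counter deltas; modular subtraction absorbs Counter32 wrap."""
    return [tuple(float((cur[a] - prev[a]) % COUNTER32_MOD) for a in ATTRIBUTES)
            for prev, cur in zip(readings, readings[1:])]


def zscore(vecs: List[Tuple[float, ...]]) -> List[Tuple[float, ...]]:
    """Per-attribute standardisation (an assumption added here: octet and
    discard counters differ by orders of magnitude, so on raw values
    ifInOctets alone would decide the clustering)."""
    dims = range(len(vecs[0]))
    means = [sum(v[j] for v in vecs) / len(vecs) for j in dims]
    stds = [math.sqrt(sum((v[j] - means[j]) ** 2 for v in vecs) / len(vecs)) or 1.0
            for j in dims]
    return [tuple((v[j] - means[j]) / stds[j] for j in dims) for v in vecs]


def dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, n_clusters: int, rng: random.Random, tol: float = 1e-6,
           max_iter: int = 100):
    """Sub-steps S10-S40: random initial centres (k-means++ seeding), assign
    each point to the nearest centre by Euclidean norm, recompute the centres,
    and repeat while any point's own centre moved by more than tol (our
    reading of the rate of change p(X)). Returns (labels, SSE)."""
    centres = [rng.choice(points)]
    while len(centres) < n_clusters:
        d2 = [min(dist(p, c) for c in centres) ** 2 for p in points]
        centres.append(rng.choices(points, weights=d2, k=1)[0])
    labels = [0] * len(points)
    for _ in range(max_iter):
        labels = [min(range(n_clusters), key=lambda i: dist(p, centres[i]))
                  for p in points]
        new_centres = []
        for i in range(n_clusters):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if not members:  # empty cluster: keep the old centre
                new_centres.append(centres[i])
            else:
                new_centres.append(tuple(sum(m[j] for m in members) / len(members)
                                         for j in range(len(members[0]))))
        shift = [dist(c, n) for c, n in zip(centres, new_centres)]
        centres = new_centres
        if max(shift[lab] for lab in labels) <= tol:
            break
    sse = sum(dist(p, centres[lab]) ** 2 for p, lab in zip(points, labels))
    return labels, sse


def detect_anomalies(readings, n_clusters: int = 3, min_members: int = 5,
                     restarts: int = 10, seed: int = 1) -> List[int]:
    """Steps 3-4: cluster the interval vectors (best SSE over several random
    restarts), then return every interval index whose cluster has fewer than
    min_members members (the patent's threshold: 3-10, preferably 5)."""
    points = zscore(attribute_vectors(readings))
    rng = random.Random(seed)
    labels, _ = min((kmeans(points, n_clusters, rng) for _ in range(restarts)),
                    key=lambda r: r[1])
    sizes = {i: labels.count(i) for i in range(n_clusters)}
    return sorted(t for t, lab in enumerate(labels) if sizes[lab] < min_members)


if __name__ == "__main__":
    data = make_sample_counters()
    print("anomalous intervals:", detect_anomalies(data))
```

The wrap handling matters in practice: a plain `cur - prev` on a Counter32 that rolled over produces a huge negative delta that would itself be flagged as an outlier. Note also that K-means will just as readily isolate a legitimate but rare traffic regime (a short nightly backup window) into a small cluster, so the member-count threshold should be checked against known-good history before it is used to raise alerts.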
In addition, unless otherwise stated or indicated, the terms "first", "second", "third" and so on in the specification serve only to distinguish components, elements, steps and the like, and do not express a logical or ordinal relationship between them.
It will be understood that, although the invention has been disclosed above by way of preferred embodiments, those embodiments do not limit the invention. Any person of ordinary skill in the art may, without departing from the scope of the technical solution of the invention, use the disclosed technical content to make many possible variations and modifications to the technical solution, or revise it into equivalent embodiments of equivalent variation. Therefore, any simple modification, equivalent variation or modification of the above embodiments made according to the technical essence of the invention, without departing from the content of the technical solution, still falls within the scope of protection of the technical solution of the invention.
Claims (8)
1. A network anomaly detection method, characterised in that it comprises:
a first step of determining, according to the network to be detected, the attributes of the MIB data to be clustered and generating an attribute vector;
a second step of sampling the MIB data within a predetermined time;
a third step of performing cluster analysis on the collected MIB data; and
a fourth step of performing outlier detection on the cluster analysis result.
2. The network anomaly detection method according to claim 1, characterised in that, in the fourth step, a cluster whose number of members in the cluster analysis result is less than a specified threshold is judged to be an isolated case, and a network anomaly is judged to have occurred at the time corresponding to that isolated case.
3. The network anomaly detection method according to claim 1 or 2, characterised in that the MIB data are MIB data produced by a router.
4. The network anomaly detection method according to claim 1 or 2, characterised in that the specified threshold is 3 to 10.
5. The network anomaly detection method according to claim 1 or 2, characterised in that the specified threshold is 5.
6. The network anomaly detection method according to claim 1 or 2, characterised in that, in the third step, the K-MEANS algorithm is used to perform the cluster analysis on the collected MIB data.
7. The network anomaly detection method according to claim 1 or 2, characterised in that the cluster analysis of the collected MIB data in the third step comprises the following sub-steps:
a first sub-step of randomly setting n clusters and the cluster centre X_i (i = 1, 2, ..., n) of each cluster;
a second sub-step of calculating, for each time point, the norm distance from the attribute vector value to each cluster centre and assigning the attribute vector to the cluster whose centre is nearest, thereby obtaining the cluster to which each time point belongs;
a third sub-step of recalculating each cluster centre and calculating the change p(X) of the attribute variable X at the predetermined instant relative to it;
a fourth sub-step of judging whether p(X) is greater than the specified threshold;
wherein, if the rate of change p(X) is greater than the specified threshold, the attribute variable X is reclassified and the method returns to the second sub-step.
8. The network anomaly detection method according to claim 1 or 2, characterised in that each component of the attribute vector is an attribute variable in the MIB.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410810860.1A CN104618175A (en) | 2014-12-19 | 2014-12-19 | Network abnormity detection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410810860.1A CN104618175A (en) | 2014-12-19 | 2014-12-19 | Network abnormity detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104618175A true CN104618175A (en) | 2015-05-13 |
Family
ID=53152466
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410810860.1A Pending CN104618175A (en) | 2014-12-19 | 2014-12-19 | Network abnormity detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104618175A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102184208A (en) * | 2011-04-29 | 2011-09-14 | 武汉慧人信息科技有限公司 | Junk web page detection method based on multi-dimensional data abnormal cluster mining |
CN103618651A (en) * | 2013-12-11 | 2014-03-05 | 上海电机学院 | Network abnormality detection method and system based on information entropy and sliding window |
Non-Patent Citations (2)
Title |
---|
向继 et al., "聚类算法在网络入侵检测中的应用" (Application of clustering algorithms in network intrusion detection), 《计算机工程》 (Computer Engineering) * |
朱文婷, "基于MIB的大规模网络异常节点检测" (MIB-based detection of abnormal nodes in large-scale networks), 《中国优秀硕士学位论文全文数据库 信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018076571A1 (en) * | 2016-10-28 | 2018-05-03 | 南京华苏科技有限公司 | Method and system for detecting abnormal value in lte network |
US11057788B2 (en) | 2016-10-28 | 2021-07-06 | Nanjing Howso Technology Co., Ltd | Method and system for abnormal value detection in LTE network |
CN109801175A (en) * | 2019-01-21 | 2019-05-24 | 北京邮电大学 | A kind of medical insurance fraudulent act detection method and device |
WO2020258505A1 (en) * | 2019-06-28 | 2020-12-30 | 平安科技(深圳)有限公司 | Network access security determination method and apparatus |
CN111178380A (en) * | 2019-11-15 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Data classification method and device and electronic equipment |
CN111178380B (en) * | 2019-11-15 | 2023-07-04 | 腾讯科技(深圳)有限公司 | Data classification method and device and electronic equipment |
CN111425932A (en) * | 2020-03-30 | 2020-07-17 | 瑞纳智能设备股份有限公司 | Heat supply network operation monitoring and warning system and method based on F L INK |
CN111425932B (en) * | 2020-03-30 | 2022-01-14 | 瑞纳智能设备股份有限公司 | Heat supply network operation monitoring and warning system and method based on FLINK |
CN114531335A (en) * | 2020-11-23 | 2022-05-24 | 大唐移动通信设备有限公司 | Method, equipment and device for detecting management information base data |
CN114531335B (en) * | 2020-11-23 | 2023-04-11 | 大唐移动通信设备有限公司 | Method, equipment and device for detecting management information base data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10735446B2 (en) | Cognitive information security using a behavioral recognition system | |
EP3206368B1 (en) | Telemetry analysis system for physical process anomaly detection | |
CN104618175A (en) | Network abnormity detection method | |
US11699278B2 (en) | Mapper component for a neuro-linguistic behavior recognition system | |
EP3465515B1 (en) | Classifying transactions at network accessible storage | |
WO2019160641A1 (en) | Unsupervised spoofing detection from traffic data in mobile networks | |
CN107003992B (en) | Perceptual associative memory for neural language behavior recognition systems | |
US11847413B2 (en) | Lexical analyzer for a neuro-linguistic behavior recognition system | |
CN113313280B (en) | Cloud platform inspection method, electronic equipment and nonvolatile storage medium | |
WO2021197806A1 (en) | Network anomaly detection | |
CN110943974B (en) | DDoS (distributed denial of service) anomaly detection method and cloud platform host | |
de Souza et al. | Performance and accuracy trade-off analysis of techniques for anomaly detection in IoT sensors | |
CN105069158A (en) | Data mining method and system | |
Hu et al. | Classification of abnormal traffic in smart grids based on GACNN and data statistical analysis | |
Ksibi et al. | IoMT Security Model based on Machine Learning and Risk Assessment Techniques | |
Minot et al. | Separation of interleaved markov chains | |
CN103795710A (en) | Method for constructing intrusion detection system based on Cloud Stack | |
Sengupta et al. | Comparison of supervised learning and reinforcement learning in intrusion domain | |
Mwitondi et al. | An ensemble method for intrusion detection with conformity to data variability | |
Aishwarya et al. | Efficient intrusion alert reduction mechanism using fuzzy artmap [j] | |
Wei et al. | Research of IOT intrusion detection system based on hidden Markov model | |
Lv et al. | Information security monitoring system based on data mining | |
Wang et al. | A Practical Intrusion Visualization Analyzer based on Self-organizing Map | |
CN117811780A (en) | Federal network intrusion detection method, system, electronic equipment and medium | |
CN116438524A (en) | Anomaly detection using embedded spatial representation of system state |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 2015-05-13