CN104618175A - Network abnormity detection method - Google Patents


Info

Publication number
CN104618175A
Authority
CN
China
Prior art keywords
cluster
detection method
anomaly detection
network
mib data
Prior art date
Legal status
Pending
Application number
CN201410810860.1A
Other languages
Chinese (zh)
Inventor
赵雷
Current Assignee
Shanghai Dianji University
Original Assignee
Shanghai Dianji University
Priority date
2014-12-19
Filing date
2014-12-19
Publication date
2015-05-13

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network anomaly detection method. The method comprises the following steps: (1) determining, according to the network to be examined, the attributes of the MIB (Management Information Base) data to be clustered, and generating an attribute vector X; (2) sampling the MIB data within a predetermined time; (3) performing cluster analysis on the collected MIB data; (4) performing outlier detection on the cluster analysis result, wherein in step (4) a cluster whose number of members in the cluster analysis result is smaller than a specified threshold is judged to be an isolated event, and a network anomaly is judged to have occurred at the time corresponding to that isolated event.

Description

Network anomaly detection method
Technical field
The present invention relates to the field of network communication and, more particularly, to a network anomaly detection method based on cluster analysis and outlier detection, which uses the management information base produced by routers to find network anomaly points and can be widely applied to network fault discovery, intrusion detection and the like.
Background technology
In 1980, James P. Anderson classified cyber threats and for the first time set out the concept of network anomaly detection. From 1984 to 1985, Denning and others at George London University developed the first real-time intrusion detection model, IDES (Intrusion Detection Expert System); it was the first system to apply both statistical and rule-based techniques and is also the most influential system in intrusion detection. In 1990, MIDAS (Multics Intrusion Detection and Alerting System) was developed as a real-time anomaly detection system supplied to a network host of the national security computer center; although it was mainly developed with P-BEST, it also made use of the idea of statistics-based anomaly detection.
Current anomaly detection methods are mainly statistical and chiefly comprise the following: 1) Threshold detection, for example detecting the number of wrong passwords entered within a short time. 2) Mean and standard deviation models: the mean and standard deviation of a parameter are computed to set a confidence interval, and an anomaly is indicated when the measured value falls outside that interval. 3) Multivariate models, which detect anomalies by correlation analysis of two or more parameters. 4) Markov models: each type of audit event is treated as a state variable, a state transition matrix describes the changes of state, and a state transition of low probability may be the point at which an anomaly occurs. 5) Time series models, which detect anomalies by considering the order, arrival times and values of a series of observations.
However, for the above methods: the model of the first method is relatively simple and cannot detect many types of abnormal behaviour; in the second method the confidence interval has to be set manually from experience, so producing a credible confidence interval requires many failures and much experience; in the third, the model is complex and the result varies greatly with the parameters; the fourth method applies when the variable is a continuous parameter and cannot give an effective result when the samples are discrete values; and the result of the fifth method depends on the size of the chosen time window.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the above defects in the prior art, to provide a network anomaly detection method that introduces MIB data analysis into cluster analysis and outlier detection and can therefore find network anomalies quickly. This network anomaly detection method simplifies the model to a certain extent and can find network anomalies fast.
To achieve the above technical purpose, according to the present invention a network anomaly detection method is provided, comprising: a first step of determining, according to the network to be detected, the attributes of the MIB data to be clustered and generating an attribute vector X; a second step of sampling the MIB data within a scheduled time; a third step of performing cluster analysis on the collected MIB data; and a fourth step of performing outlier detection on the cluster analysis result.
Preferably, in the fourth step, a cluster whose number of members in the cluster analysis result is less than a specified threshold is judged to be an isolated case, and a network anomaly is judged to have occurred at the time corresponding to the isolated case.
Preferably, the MIB data are MIB data produced by a router.
Preferably, the specified threshold is 3 to 10.
Preferably, the specified threshold is 5.
Preferably, the K-MEANS algorithm is used in the third step to perform cluster analysis on the collected MIB data.
Preferably, performing cluster analysis on the collected MIB data in the third step comprises the following steps:
First sub-step: randomly set n clusters and the cluster centre $X_i$ ($i = 1, 2, \ldots, n$) of each cluster;
Second sub-step: compute the norm distance from the attribute vector value of each time point to each cluster centre, assign the attribute vector to the cluster whose centre is nearest, and so obtain the cluster to which each time point belongs;
Third sub-step: recompute each cluster centre and compute the rate of change of the attribute variable X at the predetermined instant relative to $\bar{X}$, $p(X) = \frac{|X - \bar{X}|}{\bar{X}}$;
Fourth sub-step: judge whether p(X) is greater than the specified threshold;
if the rate of change p(X) is greater than the specified threshold, classify the attribute variable X again, returning to the second sub-step.
Preferably, each component of the attribute vector is an attribute variable in the MIB.
The present invention introduces the theory of cluster analysis and outlier detection into the network anomaly detection problem, exploits the advantage of cluster analysis in detecting regularities in a system, and solves the problem of finding network anomalies within the detection time period. Moreover, because the present invention works on the management information base (MIB) produced by routers, the model can be computed easily, possible anomaly points can be found, time is saved and detection efficiency is improved. The invention has a relatively wide range of application and can be used in network intrusion detection, network fault discovery and other aspects related to network anomalies.
Accompanying drawing explanation
With reference to the accompanying drawings and to the detailed description below, a more complete understanding of the present invention and of its attendant advantages and features will be more easily obtained, in which:
Fig. 1 schematically shows the network anomaly detection method based on cluster analysis and outlier detection according to the preferred embodiment of the invention.
Fig. 2 schematically shows the cluster analysis process of the network anomaly detection method based on cluster analysis and outlier detection according to the preferred embodiment of the invention.
Fig. 3 schematically shows the three-dimensional result obtained by the intrusion detection based on the ant colony algorithm.
It should be noted that the drawings are intended to illustrate the present invention and not to limit it. Note that drawings representing structures are not necessarily drawn to scale. Further, in the drawings, identical or similar elements are marked with identical or similar reference labels.
Embodiment
To make the content of the present invention clearer and more understandable, it is described in detail below in conjunction with specific embodiments and the drawings.
Fig. 1 schematically shows the network anomaly detection method based on cluster analysis and outlier detection according to the preferred embodiment of the invention.
Specifically, as shown in Figure 1, the network anomaly detection method based on cluster analysis and outlier detection according to the preferred embodiment of the invention comprises:
First step S1: determining, according to the network to be detected, the attributes of the MIB (Management Information Base) data to be clustered and generating an attribute vector X; for example, each component of the attribute vector is an attribute variable in the MIB.
Second step S2: sampling the MIB data within a scheduled time; in particular, for example, the MIB data are MIB data produced by a router.
Third step S3: performing cluster analysis on the collected MIB data.
Fourth step S4: performing outlier detection on the cluster analysis result, wherein a cluster whose number of members in the cluster analysis result is less than a specified threshold (for example, the specified threshold is 3 to 10, such as 5) is judged to be an isolated case, and a network anomaly is judged to have occurred at the time corresponding to the isolated case.
In a particular embodiment, the cluster analysis performed on the collected MIB data in the third step S3 can use the K-MEANS algorithm and can, for example, comprise the following steps:
First sub-step S10: randomly set n clusters and the cluster centre $X_i$ ($i = 1, 2, \ldots, n$) of each cluster;
Second sub-step S20: compute the norm distance from the attribute vector value of each time point to each cluster centre, assign the attribute vector to the cluster whose centre is nearest, and so obtain the cluster to which each time point belongs;
Third sub-step S30: recompute each cluster centre and compute the rate of change of the attribute variable X at the predetermined instant relative to $\bar{X}$, $p(X) = \frac{|X - \bar{X}|}{\bar{X}}$;
Fourth sub-step S40: judge whether p(X) is greater than the specified threshold;
if the rate of change p(X) is greater than the specified threshold, classify the attribute variable X again, returning to the second sub-step S20.
When no point has a rate of change p(X) greater than the specified threshold, the clustering terminates.
Fig. 3 shows the three-dimensional result obtained by the intrusion detection based on the ant colony algorithm (the three variables examined are the change in router incoming octets ifInOctets, the change in router outgoing octets ifOutOctets and the change in router packet discards ifOutDiscards). As can be seen from Figure 3, the rightmost cluster contains only one variable member, so that cluster can be judged to be an isolated point and the moment corresponding to it can be considered one at which a network anomaly occurred.
This method analyses network anomaly detection from a new angle: by sampling MIB variables, it introduces cluster analysis and outlier detection techniques into the network anomaly detection problem. With this method, by setting the calculation time window reasonably, cluster analysis can be used to detect possible network anomaly points.
In addition, it should be noted that, unless otherwise stated or indicated, the terms "first", "second", "third" and so on in the specification are used only to distinguish the components, elements, steps and the like described in the specification, and not to represent logical or ordinal relationships between them.
It will be understood that although the present invention has been disclosed above by way of preferred embodiments, the above embodiments are not intended to limit the present invention. Any person of ordinary skill in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make many possible variations and modifications to the technical solution of the present invention, or revise it into equivalent embodiments of equivalent variation. Therefore, any simple modification, equivalent variation or modification made to the above embodiments according to the technical spirit of the present invention, without departing from the content of the technical solution of the present invention, still falls within the scope of protection of the technical solution of the present invention.
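The procedure of steps S1 to S4 and sub-steps S10 to S40 above (and the equivalent list in the summary) can be worked through end to end on sampled counter data. The following is an added example, not code from the patent or its applicant: the MIB counter deltas are a constructed sample, the stop threshold for p(X), the fallback for a zero mean in p(X), and the seeded restarts with lowest-inertia selection are assumptions made here and are not specified by the patent.

```python
# Added example (not the patent's own code): K-means clustering of sampled
# router MIB counter deltas, followed by the patent's small-cluster outlier
# rule. The data, thresholds and helper names below are constructed/assumed.
import random
from typing import List, Sequence, Tuple

Vector = Sequence[float]

# Constructed sample (not measured data): per-interval deltas of three router
# MIB counters, (ifInOctets, ifOutOctets, ifOutDiscards), one row per sampling
# instant. Instants 0-9 mimic daytime traffic, 10-19 night-time traffic, and
# instant 20 is a constructed burst with heavy discards.
SAMPLES: List[Tuple[float, float, float]] = (
    [(1000.0 + 30 * (i % 4), 900.0 + 25 * (i % 3), float(i % 2)) for i in range(10)]
    + [(100.0 + 5 * (i % 3), 90.0 + 4 * (i % 2), 0.0) for i in range(10)]
    + [(50000.0, 300.0, 400.0)]
)


def distance(a: Vector, b: Vector) -> float:
    """Euclidean (2-norm) distance, used as the 'norm distance' of sub-step S20."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def rate_of_change(new: float, old: float) -> float:
    """p(X) = |X - X_bar| / X_bar from sub-step S30. The patent's formula does
    not cover X_bar = 0 (common for ifOutDiscards); falling back to the
    absolute change there is our assumption, not the patent's."""
    if old == 0.0:
        return abs(new - old)
    return abs(new - old) / abs(old)


def kmeans(points: Sequence[Vector], n: int, change_threshold: float = 0.01,
           seed: int = 0, max_iter: int = 100):
    """Sub-steps S10-S40: random centres, nearest-centre assignment, centre
    update, and stop once no centre component changes by more than
    change_threshold (an assumed value) in relative terms."""
    rng = random.Random(seed)
    centres = [list(p) for p in rng.sample(list(points), n)]      # S10
    labels = [0] * len(points)
    for _ in range(max_iter):
        # S20: assign every sampling instant to its nearest centre.
        labels = [min(range(n), key=lambda k: distance(p, centres[k])) for p in points]
        # S30: recompute each centre as the mean of its members.
        new_centres = []
        for k in range(n):
            members = [p for p, lab in zip(points, labels) if lab == k]
            if not members:                  # an empty cluster keeps its centre
                new_centres.append(centres[k])
                continue
            new_centres.append([sum(col) / len(members) for col in zip(*members)])
        # S40: if any component still moved by more than the threshold, re-classify.
        moved = any(rate_of_change(nc, oc) > change_threshold
                    for new_c, old_c in zip(new_centres, centres)
                    for nc, oc in zip(new_c, old_c))
        centres = new_centres
        if not moved:
            break
    return centres, labels


def inertia(points: Sequence[Vector], centres, labels) -> float:
    """Sum of squared distances of every point to its own centre."""
    return sum(distance(p, centres[lab]) ** 2 for p, lab in zip(points, labels))


def best_kmeans(points: Sequence[Vector], n: int, restarts: int = 10):
    """Several seeded runs, keeping the lowest-inertia partition. Restarts are
    standard k-means practice added here; the patent describes a single run."""
    best = None
    for seed in range(restarts):
        centres, labels = kmeans(points, n, seed=seed)
        score = inertia(points, centres, labels)
        if best is None or score < best[0]:
            best = (score, centres, labels)
    return best[1], best[2]


def detect_anomalies(points: Sequence[Vector], n: int = 3,
                     member_threshold: int = 5) -> List[int]:
    """Steps S3 and S4: cluster, then report every sampling instant that falls
    in a cluster with fewer than member_threshold members (the patent's
    preferred threshold is 5, within a 3-10 range)."""
    _, labels = best_kmeans(points, n)
    sizes = [labels.count(k) for k in range(n)]
    return sorted(i for i, lab in enumerate(labels) if sizes[lab] < member_threshold)


if __name__ == "__main__":
    print("anomalous sampling instants:", detect_anomalies(SAMPLES))
```

On the constructed sample the day and night modes each form a ten-member cluster and the burst at instant 20 ends up alone, so the member-count rule flags only that instant. Two practical points the patent leaves open are visible in the code: the rate-of-change test needs a rule for a zero mean (discard counters are frequently zero), and because octet counters are orders of magnitude larger than discard counters, raw Euclidean distance is dominated by the octet attributes unless the attribute vector is scaled first.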

Claims (8)

1. A network anomaly detection method, characterised in that it comprises:
a first step of determining, according to the network to be detected, the attributes of the MIB data to be clustered and generating an attribute vector;
a second step of sampling the MIB data within a scheduled time;
a third step of performing cluster analysis on the collected MIB data;
a fourth step of performing outlier detection on the cluster analysis result.
2. The network anomaly detection method according to claim 1, characterised in that, in the fourth step, a cluster whose number of members in the cluster analysis result is less than a specified threshold is judged to be an isolated case, and a network anomaly is judged to have occurred at the time corresponding to the isolated case.
3. The network anomaly detection method according to claim 1 or 2, characterised in that the MIB data are MIB data produced by a router.
4. The network anomaly detection method according to claim 1 or 2, characterised in that the specified threshold is 3 to 10.
5. The network anomaly detection method according to claim 1 or 2, characterised in that the specified threshold is 5.
6. The network anomaly detection method according to claim 1 or 2, characterised in that the K-MEANS algorithm is used in the third step to perform cluster analysis on the collected MIB data.
7. The network anomaly detection method according to claim 1 or 2, characterised in that performing cluster analysis on the collected MIB data in the third step comprises the following steps:
First sub-step: randomly set n clusters and the cluster centre $X_i$ ($i = 1, 2, \ldots, n$) of each cluster;
Second sub-step: compute the norm distance from the attribute vector value of each time point to each cluster centre, assign the attribute vector to the cluster whose centre is nearest, and so obtain the cluster to which each time point belongs;
Third sub-step: recompute each cluster centre and compute the rate of change of the attribute variable X at the predetermined instant relative to $\bar{X}$, $p(X) = \frac{|X - \bar{X}|}{\bar{X}}$;
Fourth sub-step: judge whether p(X) is greater than the specified threshold;
if the rate of change p(X) is greater than the specified threshold, classify the attribute variable X again, returning to the second sub-step.
8. The network anomaly detection method according to claim 1 or 2, characterised in that each component of the attribute vector is an attribute variable in the MIB.
Application CN201410810860.1A (Network abnormity detection method), priority date and filing date 2014-12-19, published as CN104618175A on 2015-05-13; legal status pending. Family ID 53152466; one family application and one country (CN).

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018076571A1 (en) * 2016-10-28 2018-05-03 南京华苏科技有限公司 Method and system for detecting abnormal value in lte network
CN109801175A (en) * 2019-01-21 2019-05-24 北京邮电大学 A kind of medical insurance fraudulent act detection method and device
CN111178380A (en) * 2019-11-15 2020-05-19 腾讯科技(深圳)有限公司 Data classification method and device and electronic equipment
CN111425932A (en) * 2020-03-30 2020-07-17 瑞纳智能设备股份有限公司 Heat supply network operation monitoring and warning system and method based on FLINK
WO2020258505A1 (en) * 2019-06-28 2020-12-30 平安科技(深圳)有限公司 Network access security determination method and apparatus
CN114531335A (en) * 2020-11-23 2022-05-24 大唐移动通信设备有限公司 Method, equipment and device for detecting management information base data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102184208A (en) * 2011-04-29 2011-09-14 武汉慧人信息科技有限公司 Junk web page detection method based on multi-dimensional data abnormal cluster mining
CN103618651A (en) * 2013-12-11 2014-03-05 上海电机学院 Network abnormality detection method and system based on information entropy and sliding window


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
向继 et al., "Application of clustering algorithms in network intrusion detection", Computer Engineering *
朱文婷, "MIB-based detection of anomalous nodes in large-scale networks", China Master's Theses Full-text Database, Information Science and Technology series *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150513