
Research on Dynamic Detection Techniques for Abnormal Internet Traffic

Published: 2018-06-28 23:49

Topic of this thesis: traffic anomaly detection + cluster analysis; Reference: Qufu Normal University, master's thesis, 2017


[Abstract]: Network traffic anomaly detection is one form of intrusion detection. It collects, analyses and processes the data flows in a network in real time and, based on the observed state of the network, promptly issues anomaly warnings to network administrators; its importance has attracted the attention of researchers. In the era of big data, data arrives at high speed and in huge volume, and how network traffic anomaly detection should handle such data poses a major challenge. Cluster analysis can solve this problem well, so studying the application of cluster analysis to anomaly detection has important practical value. This thesis first gives a comprehensive, systematic summary of network anomaly detection theory, then explains the relevant concepts of cluster analysis in detail, points out the role of cluster analysis in network traffic anomaly detection, and analyses and compares hierarchical, partitioning and density-based clustering methods. In the data-processing stage, information entropy is proposed as the measure applied to the raw data, implementing the data processing that precedes detection. In the cluster-analysis stage, to address the problems of determining the value of K and selecting the initial centres in the K-means algorithm, a K-means clustering algorithm is proposed that is based on the idea of dynamic determination through small-cluster merging and on the density/maximum-distance idea. In the anomaly-detection stage, a network traffic anomaly detection model based on cluster analysis is proposed to address the handling of big-data-scale traffic. The specific research contents are as follows: (1) The use of information entropy to measure the data is studied. Based on the patterns that network data exhibits when an anomaly occurs, traffic data is extracted and analysed. Source IP address, destination IP address, source port and destination port are selected as the feature attributes for anomaly detection and are quantified with information entropy, implementing the data processing that precedes the detection stage. (2) A K-means algorithm based on the idea of dynamic determination through small-cluster merging and on the density/maximum-distance idea is proposed. The K-means clustering algorithm used in network anomaly detection has many problems. Because the algorithm cannot fix the number of clusters K before it starts iterating, the idea of dynamic determination through small-cluster merging is proposed: the optimal number of clusters K is determined through repeated iteration using a maximum cluster count and a small-cluster merging method. To address the randomness of selecting the initial cluster centres, a method based on the density and maximum-distance ideas is proposed: it first obtains two initial centres, the point of highest density and the point of lowest density, and then, over several iterations, obtains the remaining K-2 centres that are separated by large distances. The optimised algorithm is validated experimentally on an experimental data set. (3) An anomaly detection model based on cluster analysis is proposed. Three modules are built for the data-processing, cluster-analysis and anomaly-detection stages respectively, and the anomaly detection model is assembled from these three modules. The model is tested with a training data set and a simulated-attack data set; the experimental results show that the improved K-means algorithm of this thesis has clear advantages over traditional K-means in both detection rate and false alarm rate.
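The following is an added example, not code from the thesis: it quantifies windows of flow records with the entropy of the four attributes named in the abstract (source IP, destination IP, source port, destination port), seeds K-means with the densest and least dense points followed by maximum-distance picks as the abstract describes, and flags windows that fall into a small cluster. The flow records, the density radius, the window size and the "small cluster" threshold are constructed assumptions; the thesis's dynamic determination of K by small-cluster merging is not implemented here, K is passed in.

```python
# Added example, not the thesis's own code. All flow records are constructed;
# the density radius, window count and small-cluster threshold are assumptions.
import math
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")


def entropy(values):
    """Shannon entropy in bits of a sequence of discrete values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_features(flows):
    """One window of flow records -> the four-entropy feature vector."""
    return [entropy([f[k] for f in flows]) for k in FEATURES]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def initial_centres(points, k, radius):
    """Density / maximum-distance initialisation: the densest point and the
    least dense point become the first two centres; each further centre is
    the point farthest from all centres chosen so far."""
    dens = [sum(1 for q in points if dist(p, q) <= radius) for p in points]
    hi, lo = dens.index(max(dens)), dens.index(min(dens))
    if hi == lo:  # uniform density: fall back to the point farthest from hi
        lo = max(range(len(points)), key=lambda i: dist(points[i], points[hi]))
    centres = [points[hi], points[lo]]
    while len(centres) < k:
        rest = [p for p in points if p not in centres]
        centres.append(max(rest, key=lambda p: min(dist(p, c) for c in centres)))
    return centres


def kmeans(points, k, radius, iters=50):
    """Standard Lloyd iterations starting from the density / max-distance seeds."""
    centres = initial_centres(points, k, radius)
    labels = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda i: dist(p, centres[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            new.append([sum(col) / len(members) for col in zip(*members)]
                       if members else centres[i])
        if new == centres:
            break
        centres = new
    return centres, labels


def detect_anomalous_windows(windows, k=2, radius=1.0, max_fraction=0.25):
    """Flag windows whose cluster holds at most max_fraction of all windows
    (assumption: anomalous traffic forms small clusters in entropy space)."""
    points = [window_features(w) for w in windows]
    _, labels = kmeans(points, k, radius)
    sizes = Counter(labels)
    return [sizes[lab] / len(points) <= max_fraction for lab in labels]


# --- constructed sample traffic ------------------------------------------
def normal_window(seed):
    """Many talkers and varied ports (constructed)."""
    return [{"src_ip": f"10.0.0.{(seed * 7 + i) % (30 + seed)}",
             "dst_ip": f"192.0.2.{(seed * 3 + i) % 20}",
             "src_port": 40000 + (seed * 13 + i * 7) % 2000,
             "dst_port": (80, 443, 53, 22, 8080)[(seed + i) % 5]}
            for i in range(40)]


def scan_window():
    """One source sweeping consecutive ports on one host (constructed): source
    and destination entropy collapse while destination-port entropy rises."""
    return [{"src_ip": "203.0.113.9", "dst_ip": "192.0.2.5",
             "src_port": 51000, "dst_port": 1 + i} for i in range(40)]


SAMPLE_WINDOWS = [normal_window(s) for s in range(8)] + [scan_window(), scan_window()]

if __name__ == "__main__":
    for w, flag in zip(SAMPLE_WINDOWS, detect_anomalous_windows(SAMPLE_WINDOWS)):
        print([round(x, 2) for x in window_features(w)], "ANOMALY" if flag else "normal")
```

The two scan windows collapse to a feature vector of roughly (0, 0, 0, 5.3) bits, far from the eight normal windows, so they become the low-density seed and end up as a two-member cluster that the size threshold flags; in a deployment the radius and threshold would be calibrated on the training set rather than fixed as here.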
[Degree-awarding institution]: Qufu Normal University
[Degree level]: Master
[Year awarded]: 2017
[Classification number]: TP393.08



Link to this page: https://www.wllwen.com/guanlilunwen/ydhl/2079890.html

