CN105959316A - Network security authentication system - Google Patents

Publication number: CN105959316A
Application number: CN201610540807.3A
Authority: CN (China)
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventor: Not disclosed
Current assignee: Individual
Original assignee: Individual
Application filed by: Individual

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security authentication system comprising: a data capture module for capturing suspicious traffic entering and leaving the system and abnormal behavior, to form sample data; a data preprocessing module for screening the sample data, removing the noise data from it, and reducing its dimensionality; and a behavior analysis module for clustering the preprocessed sample data with an improved K-Means clustering method and performing attack behavior detection based on an artificial neural network algorithm, to identify potential unknown attacks in the network. The system can detect known and unknown network attacks. By clustering the preprocessed suspicious traffic and abnormal behavior entering and leaving the system with the improved K-Means clustering method, it can accurately separate the various types of network attack, achieving very high accuracy and a very low false alarm rate.

Description

Network security authentication system
Technical field
The present invention relates to the field of Internet technology, and in particular to a network security authentication system.
Background
In the related art, network security detection systems mostly use passive defense techniques such as firewalls and intrusion detection. Firewall technology only filters static data and cannot stop attacks that originate inside the network; intrusion detection technology not only cannot effectively detect attacks of unknown type, but may also produce missed detections and false alarms.
Summary of the invention
In view of the above problems, the present invention provides a network security authentication system.
The object of the present invention is achieved by the following technical solution:
A network security authentication system comprises a data capture module, a data preprocessing module and a behavior analysis module. The data capture module captures suspicious traffic entering and leaving the system and abnormal behavior, to form sample data. The data preprocessing module screens the sample data, removes the noise data from it, and then reduces its dimensionality. The behavior analysis module clusters the preprocessed sample data with an improved K-means clustering method and performs attack behavior detection based on an artificial neural network algorithm, to identify potential unknown attacks in the network.
Preferably, the data capture module uses a firewall to collect the suspicious traffic entering and leaving the system.
Preferably, the data capture module captures the abnormal behavior by using an intrusion detection system to monitor network transmissions in real time.
Clustering the preprocessed sample data with the improved K-means clustering method comprises:
1) Divide the sample data into n samples, vectorize the n samples, and compute the pairwise similarity between all samples with the included-angle cosine function to obtain the similarity matrix XS;
2) Sum each row of the similarity matrix XS to compute the similarity between each sample and the whole original sample set. Let $XS = [sim(a_i, a_j)]_{n \times n}$, $i, j = 1, \ldots, n$, where $sim(a_i, a_j)$ denotes the similarity between samples $a_i$ and $a_j$. The summation formula is:
$$XS_p = \sum_{j=1}^{n} sim(a_i, a_j), \quad p = 1, \ldots, n$$
3) Sort $XS_p$, $p = 1, \ldots, n$, in descending order, and let the four largest values be $XS_{max}$, $XS_{max-1}$, $XS_{max-2}$, $XS_{max-3}$. If , select the sample corresponding to the maximum $XS_{max}$ as the first initial cluster center; otherwise select the mean of the four samples corresponding to $XS_{max}$, $XS_{max-1}$, $XS_{max-2}$, $XS_{max-3}$ as the first initial cluster center;
4) Sort the elements of the row vector of the matrix corresponding to the maximum $XS_{max}$ in ascending order. Let the first k-1 smallest elements be $XS_{pq}$, $q = 1, \ldots, k-1$, and select the samples corresponding to these k-1 smallest elements $XS_{pq}$ as the remaining k-1 initial cluster centers, where the value k is the number of hidden layers, determined through repeated trials;
5) Compute the similarity between each remaining sample and each initial cluster center, and assign each remaining sample to the cluster with the highest similarity, forming the k changed clusters;
6) Compute the mean of the samples in each changed cluster and use it as the updated cluster center, replacing the cluster center before the update;
7) If the cluster centers before the update are identical to the cluster centers after the update, or the objective function has reached its minimum, stop updating. The objective function is:
$$J = \sum_{l=1}^{k} \sum_{a_x \in C_l} \left\| a_x - \overline{a_{xl}} \right\|^2$$
where $C_l$ denotes the l-th of the k clusters, $a_x$ is a sample in the l-th cluster, and $\overline{a_{xl}}$ is the center of the l-th cluster.
The set ratio value T takes values in the range [1.4, 1.8].
The beneficial effects of the invention are:
1. Known and unknown network attacks can be detected. The improved K-means clustering method performs cluster analysis on the preprocessed sample data of the suspicious network traffic and abnormal behavior entering and leaving the system, so that the various types of network attack can be accurately distinguished, achieving a very high accuracy and a very low false alarm rate;
2. An improved K-means clustering method is provided that effectively avoids the chance effects of a single run that random sampling brings, improves clustering stability, and further improves the accuracy of network security authentication.
Brief description of the drawings
The invention is further described with reference to the drawings, but the embodiments in the drawings do not limit the invention in any way; a person of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is a connection diagram of the modules of the present invention;
Fig. 2 is a schematic diagram of the operating principle of the system of the present invention.
Reference numerals:
Data capture module 1, data preprocessing module 2, behavior analysis module 3.
Detailed description
The invention is further described with reference to the following embodiments.
Embodiment 1
Referring to Fig. 1 and Fig. 2, the network security authentication system of this embodiment comprises a data capture module 1, a data preprocessing module 2 and a behavior analysis module 3. The data capture module 1 captures suspicious traffic entering and leaving the system and abnormal behavior, to form sample data. The data preprocessing module 2 screens the sample data, removes the noise data from it, and then reduces its dimensionality. The behavior analysis module 3 clusters the preprocessed sample data with the improved K-means clustering method and performs attack behavior detection based on an artificial neural network algorithm, to identify potential unknown attacks in the network.
The data capture module 1 uses a firewall to collect the suspicious traffic entering and leaving the system.
The data capture module 1 captures the abnormal behavior by using an intrusion detection system to monitor network transmissions in real time.
Clustering the preprocessed sample data with the improved K-means clustering method comprises:
1) Divide the sample data into n samples, vectorize the n samples, and compute the pairwise similarity between all samples with the included-angle cosine function to obtain the similarity matrix XS;
2) Sum each row of the similarity matrix XS to compute the similarity between each sample and the whole original sample set. Let $XS = [sim(a_i, a_j)]_{n \times n}$, $i, j = 1, \ldots, n$, where $sim(a_i, a_j)$ denotes the similarity between samples $a_i$ and $a_j$. The summation formula is:
$$XS_p = \sum_{j=1}^{n} sim(a_i, a_j), \quad p = 1, \ldots, n$$
3) Sort $XS_p$, $p = 1, \ldots, n$, in descending order, and let the four largest values be $XS_{max}$, $XS_{max-1}$, $XS_{max-2}$, $XS_{max-3}$. If , select the sample corresponding to the maximum $XS_{max}$ as the first initial cluster center; otherwise select the mean of the four samples corresponding to $XS_{max}$, $XS_{max-1}$, $XS_{max-2}$, $XS_{max-3}$ as the first initial cluster center;
4) Sort the elements of the row vector of the matrix corresponding to the maximum $XS_{max}$ in ascending order. Let the first k-1 smallest elements be $XS_{pq}$, $q = 1, \ldots, k-1$, and select the samples corresponding to these k-1 smallest elements $XS_{pq}$ as the remaining k-1 initial cluster centers, where the value k is the number of hidden layers, determined through repeated trials;
5) Compute the similarity between each remaining sample and each initial cluster center, and assign each remaining sample to the cluster with the highest similarity, forming the k changed clusters;
6) Compute the mean of the samples in each changed cluster and use it as the updated cluster center, replacing the cluster center before the update;
7) If the cluster centers before the update are identical to the cluster centers after the update, or the objective function has reached its minimum, stop updating. The objective function is:
$$J = \sum_{l=1}^{k} \sum_{a_x \in C_l} \left\| a_x - \overline{a_{xl}} \right\|^2$$
where $C_l$ denotes the l-th of the k clusters, $a_x$ is a sample in the l-th cluster, and $\overline{a_{xl}}$ is the center of the l-th cluster.
The beneficial effects of this embodiment are: known and unknown network attacks can be detected. The improved K-means clustering method performs cluster analysis on the preprocessed sample data of the suspicious network traffic and abnormal behavior entering and leaving the system, so that the various types of network attack can be accurately distinguished, achieving a very high accuracy and a very low false alarm rate. The improved K-means clustering method effectively avoids the chance effects of a single run that random sampling brings, improves clustering stability, and further improves the accuracy of network security authentication. With the ratio value T set to 1.4, the accuracy of network security authentication is improved by 2% in relative terms.
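Steps 1) to 7) of the clustering method, as an added Python example that is not part of the patent text. The condition that chooses between the two branches of step 3 is not present in this text, so the example takes that choice as the hypothetical parameter use_single_top; the function names and the three-feature traffic vectors are likewise assumptions, and the vectors are constructed sample data.

```python
import math

# Constructed sample data: (SYN ratio, distinct-port ratio, payload ratio), scaled 0..1.
# The first five rows resemble ordinary sessions, the last three resemble port sweeps.
SAMPLES = [
    (0.1, 0.1, 0.9), (0.2, 0.1, 0.8), (0.1, 0.2, 0.9), (0.2, 0.2, 0.7), (0.1, 0.1, 0.8),
    (0.9, 0.8, 0.1), (0.8, 0.9, 0.1), (0.9, 0.9, 0.2),
]

def cosine(u, v):
    """Included-angle cosine similarity; 0.0 if either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0

def mean(vectors):
    """Component-wise mean of a non-empty list of vectors."""
    return tuple(sum(col) / len(vectors) for col in zip(*vectors))

def initial_centers(samples, k, use_single_top):
    """Steps 1-4: choose k initial cluster centers from the similarity matrix."""
    n = len(samples)
    if not 1 <= k <= n:
        raise ValueError("k must be between 1 and the number of samples")
    # Step 1: pairwise cosine similarity matrix XS.
    xs = [[cosine(a, b) for b in samples] for a in samples]
    # Step 2: row sums XS_p, the similarity of each sample to the whole set.
    sums = [sum(row) for row in xs]
    # Step 3: sample indices by descending XS_p. The patent's branch condition is
    # missing from the text, so the caller decides (assumption: use_single_top).
    order = sorted(range(n), key=lambda p: sums[p], reverse=True)
    top = order[0]
    if use_single_top:
        first = tuple(samples[top])
    else:
        first = mean([samples[p] for p in order[:4]])
    # Step 4: the k-1 samples least similar to the top sample seed the other clusters.
    far = sorted((q for q in range(n) if q != top), key=lambda q: xs[top][q])[:k - 1]
    return [first] + [tuple(samples[q]) for q in far]

def objective(samples, labels, centers):
    """J: sum of squared Euclidean distances from each sample to its cluster center."""
    return sum(
        sum((a - c) ** 2 for a, c in zip(s, centers[lab]))
        for s, lab in zip(samples, labels)
    )

def improved_kmeans(samples, k, use_single_top=True, max_iter=100):
    """Steps 5-7: assign by highest similarity, update means, stop when centers repeat."""
    centers = initial_centers(samples, k, use_single_top)
    labels = []
    for _ in range(max_iter):
        # Step 5: each sample joins the cluster whose center it is most similar to.
        labels = [max(range(k), key=lambda l: cosine(s, centers[l])) for s in samples]
        # Step 6: new center = mean of members (an empty cluster keeps its old center).
        updated = []
        for l in range(k):
            members = [s for s, lab in zip(samples, labels) if lab == l]
            updated.append(mean(members) if members else centers[l])
        # Step 7: stop once the centers no longer change.
        if updated == centers:
            break
        centers = updated
    return labels, centers, objective(samples, labels, centers)

if __name__ == "__main__":
    for branch in (True, False):
        labels, centers, j = improved_kmeans(SAMPLES, 2, use_single_top=branch)
        print(branch, labels, round(j, 4))
```

Because step 4 takes the k-1 samples least similar to a single sample, for k > 2 the seeds are not guaranteed to come from different groups, so the resulting clusters should be checked against labelled traffic before use.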
Embodiment 2
The system and the improved K-means clustering method of this embodiment are the same as in Embodiment 1. The beneficial effects of this embodiment are: known and unknown network attacks can be detected. The improved K-means clustering method performs cluster analysis on the preprocessed sample data of the suspicious network traffic and abnormal behavior entering and leaving the system, so that the various types of network attack can be accurately distinguished, achieving a very high accuracy and a very low false alarm rate. The improved K-means clustering method effectively avoids the chance effects of a single run that random sampling brings, improves clustering stability, and further improves the accuracy of network security authentication. With the ratio value T set to 1.45, the accuracy of network security authentication is improved by 2.5% in relative terms.
Embodiment 3
The system and the improved K-means clustering method of this embodiment are the same as in Embodiment 1. The beneficial effects of this embodiment are: known and unknown network attacks can be detected. The improved K-means clustering method performs cluster analysis on the preprocessed sample data of the suspicious network traffic and abnormal behavior entering and leaving the system, so that the various types of network attack can be accurately distinguished, achieving a very high accuracy and a very low false alarm rate. The improved K-means clustering method effectively avoids the chance effects of a single run that random sampling brings, improves clustering stability, and further improves the accuracy of network security authentication. With the ratio value T set to 1.5, the accuracy of network security authentication is improved by 4% in relative terms.
Embodiment 4
The system and the improved K-means clustering method of this embodiment are the same as in Embodiment 1. The beneficial effects of this embodiment are: known and unknown network attacks can be detected. The improved K-means clustering method performs cluster analysis on the preprocessed sample data of the suspicious network traffic and abnormal behavior entering and leaving the system, so that the various types of network attack can be accurately distinguished, achieving a very high accuracy and a very low false alarm rate. The improved K-means clustering method effectively avoids the chance effects of a single run that random sampling brings, improves clustering stability, and further improves the accuracy of network security authentication. With the ratio value T set to 1.55, the accuracy of network security authentication is improved by 2.8% in relative terms.
Embodiment 5
The system and the improved K-means clustering method of this embodiment are the same as in Embodiment 1. The beneficial effects of this embodiment are: known and unknown network attacks can be detected. The improved K-means clustering method performs cluster analysis on the preprocessed sample data of the suspicious network traffic and abnormal behavior entering and leaving the system, so that the various types of network attack can be accurately distinguished, achieving a very high accuracy and a very low false alarm rate. The improved K-means clustering method effectively avoids the chance effects of a single run that random sampling brings, improves clustering stability, and further improves the accuracy of network security authentication. With the ratio value T set to 1.6, the accuracy of network security authentication is improved by 3.2% in relative terms.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit its scope of protection. Although the present invention has been explained in detail with reference to preferred embodiments, a person of ordinary skill in the art will understand that the technical solution of the present invention may be modified or replaced with equivalents without departing from the spirit and scope of the technical solution of the present invention.

Claims (5)

1. internet security checking system, it is characterised in that include data capture module, data preprocessing module, behavior analysis module;
Described data capture module, for capturing the suspicious traffic of turnover system and Deviant Behavior, forms sample data;
Described data preprocessing module, for sample data carries out screening pretreatment, the noise data in removal sample data, Then sample data is carried out dimension-reduction treatment;
Described behavior analysis module, for using the K-means clustering method of improvement to cluster pretreated sample data Analyze, and carry out aggressive behavior detection based on artificial neural network algorithm, identify unknown attack potential in network.
Internet security the most according to claim 1 checking system, it is characterised in that described data capture module uses fire wall Gather the suspicious traffic of turnover system.
Internet security the most according to claim 1 checking system, it is characterised in that described data capture module is entered by use Invade detecting system network transmission is monitored in real time and captures described Deviant Behavior.
The network security authentication system according to claim 1, characterized in that performing cluster analysis on the preprocessed sample data using the improved K-means clustering method comprises:
1) dividing the sample data into n samples, vectorizing the n samples, and calculating the pairwise similarity between all samples with the included-angle cosine function to obtain the similarity matrix XS;
2) summing each row of the similarity matrix XS to calculate the similarity between each sample and the whole original sample set; let $XS = [sim(a_i, a_j)]_{n \times n}$, $i, j = 1, \ldots, n$, where $sim(a_i, a_j)$ denotes the similarity between samples $a_i$ and $a_j$; the summation formula is:
$$XS_p = \sum_{j=1}^{n} sim(a_i, a_j), \quad p = 1, \ldots, n$$
3) sorting $XS_p$, $p = 1, \ldots, n$, in descending order, and letting the first four values in descending order be $XS_{max}$, $XS_{max-1}$, $XS_{max-2}$, $XS_{max-3}$. If , select the sample corresponding to the maximum $XS_{max}$ as the first initial cluster center; otherwise select the mean of the four samples corresponding to $XS_{max}$, $XS_{max-1}$, $XS_{max-2}$, $XS_{max-3}$ as the first initial cluster center;
4) sorting the elements of the row vector of the matrix corresponding to the maximum $XS_{max}$ in ascending order; assuming the first k-1 smallest elements are $XS_{pq}$, $q = 1, \ldots, k-1$, selecting the samples corresponding to these first k-1 smallest elements $XS_{pq}$ as the remaining k-1 initial cluster centers, where k is the set number of clusters;
5) calculating the similarity between the remaining samples and each initial cluster center, and assigning each remaining sample to the cluster with the highest similarity, forming the k changed clusters;
6) calculating the mean of the samples in each changed cluster and using it as the updated cluster center in place of the cluster center before the update;
7) if the cluster centers before the update are identical to the cluster centers after the update, or the objective function has reached its minimum, stopping the update, where the objective function is:
$$J = \sum_{l=1}^{k} \sum_{a_x \in C_l} \left\| a_x - \overline{a_{xl}} \right\|^2$$
where $C_l$ denotes the l-th of the k clusters, $a_x$ is a sample in the l-th cluster, and $\overline{a_{xl}}$ is the center of the l-th cluster.
The network security authentication system according to claim 1, characterized in that the value range of the set ratio value T is [1.4, 1.6].
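Steps 1) to 7) of the improved K-means claim above, as an added Python example that is not part of the patent text. The test against the ratio value T in step 3) is not given on this page, so the branch is passed in through the hypothetical `use_max_only` flag; the function names and the sample vectors are constructed for illustration.

```python
import math

# Constructed sample data: [requests/s, failed logins/s] per captured flow.
SAMPLES = [[10, 1], [10, 2], [9, 1], [10, 0], [1, 10], [2, 9]]

def cos_sim(a, b):
    # Step 1: included-angle cosine between two sample vectors.
    na, nb = math.hypot(*a), math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0

def mean(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def initial_centers(samples, k, use_max_only):
    # Steps 1-2: similarity matrix XS and its row sums XS_p, largest first.
    xs = [[cos_sim(a, b) for b in samples] for a in samples]
    order = sorted(range(len(samples)), key=lambda p: sum(xs[p]), reverse=True)
    # Step 3: the claim's test against T is not given on the page, so the
    # caller picks the branch (assumption): top sample or mean of the top 4.
    top = samples[order[0]]
    first = top if use_max_only else mean([samples[p] for p in order[:4]])
    # Step 4: the k-1 samples least similar to the XS_max sample.
    far = sorted(range(len(samples)), key=lambda q: xs[order[0]][q])[:k - 1]
    return [list(first)] + [list(samples[q]) for q in far]

def cluster(samples, k, use_max_only=True, max_iter=100):
    centers = initial_centers(samples, k, use_max_only)
    for _ in range(max_iter):
        # Step 5: assign every sample to its most similar center.
        labels = [max(range(k), key=lambda l: cos_sim(s, centers[l]))
                  for s in samples]
        # Step 6: each new center is the mean of its cluster's samples.
        new = []
        for l in range(k):
            members = [s for s, lab in zip(samples, labels) if lab == l]
            new.append(mean(members) if members else centers[l])
        # Step 7: stop once the centers no longer change.
        if new == centers:
            break
        centers = new
    return labels, centers

def objective(samples, labels, centers):
    # J: summed squared distance of each sample to its cluster center.
    return sum(sum((x - c) ** 2 for x, c in zip(s, centers[l]))
               for s, l in zip(samples, labels))
```

With k greater than 2, step 4) can pick several initial centers from the same distant group, because it ranks samples only by their dissimilarity to the $XS_{max}$ sample; checking J for the resulting partition shows when that has happened.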
CN201610540807.3A 2016-07-06 2016-07-06 Network security authentication system Withdrawn CN105959316A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610540807.3A CN105959316A (en) 2016-07-06 2016-07-06 Network security authentication system

Publications (1)

Publication Number Publication Date
CN105959316A true CN105959316A (en) 2016-09-21

Family

ID=56900544

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610540807.3A Withdrawn CN105959316A (en) 2016-07-06 2016-07-06 Network security authentication system

Country Status (1)

Country Link
CN (1) CN105959316A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548252A (en) * 2016-10-28 2017-03-29 深圳大图科创技术开发有限公司 Based on the distribution network structure constructing system for improving K means clusters
CN107895171A (en) * 2017-10-31 2018-04-10 天津大学 A kind of intrusion detection method based on K averages Yu depth confidence network
CN107896229A (en) * 2017-12-26 2018-04-10 黄河交通学院 A kind of method, system and the mobile terminal of computer network abnormality detection
CN109976709A (en) * 2017-12-28 2019-07-05 国民技术股份有限公司 Randomness detecting method, device, equipment and computer readable storage medium
CN108418841A (en) * 2018-05-18 2018-08-17 广西电网有限责任公司 Next-generation key message infrastructure network Security Situation Awareness Systems based on AI
CN108418841B (en) * 2018-05-18 2019-02-19 广西电网有限责任公司 Next-generation key message infrastructure network Security Situation Awareness Systems based on AI
CN110191085A (en) * 2019-04-09 2019-08-30 中国科学院计算机网络信息中心 Based on polytypic intrusion detection method, device and storage medium
CN110191085B (en) * 2019-04-09 2021-09-10 中国科学院计算机网络信息中心 Intrusion detection method and device based on multiple classifications and storage medium
CN110572362A (en) * 2019-08-05 2019-12-13 北京邮电大学 network attack detection method and device for multiple types of unbalanced abnormal traffic
CN111131237A (en) * 2019-12-23 2020-05-08 深圳供电局有限公司 Microgrid attack identification method based on BP neural network and grid-connected interface device
CN111131237B (en) * 2019-12-23 2020-12-29 深圳供电局有限公司 Microgrid attack identification method based on BP neural network and grid-connected interface device
CN111209563A (en) * 2019-12-27 2020-05-29 北京邮电大学 Network intrusion detection method and system
CN111209563B (en) * 2019-12-27 2022-04-08 北京邮电大学 Network intrusion detection method and system
CN112367338A (en) * 2020-11-27 2021-02-12 腾讯科技(深圳)有限公司 Malicious request detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C04 Withdrawal of patent application after publication (patent law 2001)
WW01 Invention patent application withdrawn after publication

Application publication date: 20160921