CN102457525A - Load-based anomaly intrusion detection method and system - Google Patents

Load-based anomaly intrusion detection method and system

Info

Publication number: CN102457525A
Application number: CN2011104246134A
Authority: CN (China)
Prior art keywords: feature, packet, payload (load), chunk, cluster
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventors: 李继国, 刘杭州, 张亦辰
Original assignee: Hohai University (HHU)
Current assignee: Hohai University (HHU)
Priority date: 2011-12-19
Filing date: 2011-12-19
Publication date: 2012-05-16

Abstract

The invention discloses a payload-based anomaly intrusion detection method in the field of computer network security. During anomaly intrusion detection the payload of the packet to be checked is partitioned into chunks with the CPP algorithm and features are extracted from only the first N chunks, which reduces the amount of data processed, increases detection speed and makes the method better suited to monitoring high-speed networks. The normal traffic profile is built with a multiple classifier system, which improves detection accuracy. The invention also discloses a payload-based anomaly intrusion detection system comprising a CPP-based payload chunking module, a feature extraction module, a detection module and a response module. Compared with the prior art, the method can quickly detect anomalous intrusions in a high-speed network.

Description

A payload-based anomaly intrusion detection method and system
Technical field
The present invention relates to an anomaly intrusion detection method, and in particular to a payload-based anomaly intrusion detection method and system, in the field of computer network security.
Background
In recent years, with the continued development of computer technology and the growth of network scale, intrusions have become an increasingly serious threat to the security of computer systems and networks. An intrusion is a deliberate attempt to access information without authorization, to tamper with information, or to make a system unreliable or unusable. Because intrusion methods keep diversifying and their means keep becoming more sophisticated, traditional static security technologies such as firewalls and data encryption can no longer meet the security requirements of systems and networks.
Intrusion detection, as an important dynamic security technology, compensates well for the deficiencies of static security technology. It falls into two classes: misuse detection and anomaly intrusion detection. Misuse detection detects intrusions using the known attack patterns against vulnerabilities in systems and application software. Because it relies mainly on known system defects and known intrusions, it can detect known intrusions accurately but cannot detect attacks unknown to the system. Anomaly intrusion detection detects intrusions from abnormal behaviour and abnormal use of computer resources: it tries to describe acceptable behaviour quantitatively in order to distinguish it from abnormal, potentially intrusive behaviour. It can detect unknown intrusions, but because the description of acceptable behaviour may deviate considerably from reality, detection accuracy may be low.
Research shows that an excessive false alarm rate is the real limiting factor of anomaly intrusion detection. Payload-based anomaly intrusion detection systems can accurately detect network attacks whose malicious data is carried in the packet payload, but when the packet payload is used for anomaly detection a problem is often faced: the payload of a network packet is sometimes very large, for example on port 21 and port 80. If 100% of the packet payload is used for modelling, the resulting anomaly intrusion detection system has difficulty keeping up with a high-speed network.
Payload-based anomaly intrusion detection is a recently developed intrusion detection method and has already made some progress. Wang and Stolfo proposed the payload-based network anomaly intrusion detection system PAYL. PAYL uses the occurrence frequency in the payload of 1-grams (n-grams, i.e. n consecutive bytes, with n = 1) as the feature and builds a normal traffic profile for packets of each distinct length. The PAYL profile consists of the mean and standard deviation of the 1-gram occurrence frequencies; at detection time a packet is judged anomalous if its simplified Mahalanobis distance from the profile exceeds a threshold. PAYL detects many kinds of attack effectively. Perdisci, Lee et al. proposed McPAD, a scheme that raises the detection rate of payload-based anomaly detection with a multiple classifier system (MCS): several one-class classifiers together build the normal traffic profile, which improves detection accuracy. At detection time, feature extraction yields descriptions of the same packet in different feature spaces; each description is given as input to the one-class classifier that represents the normal profile in that feature space, the packet is classified, and finally the outputs of the one-class classifiers are fused into the final decision on whether the packet is anomalous. Experiments show that McPAD achieves a very high detection rate at a relatively low false alarm rate for attacks that carry malicious data in the packet payload, and also a higher detection rate at a relatively low false alarm rate against advanced attacks such as polymorphic blending attacks. Zhang et al. proposed improving PAYL and McPAD with a noise-against fuzzy support vector machine, mainly to address the relatively low accuracy of McPAD and similar systems against polymorphic blending attacks, obtaining better detection results. However, none of the above payload-based anomaly detection systems can detect effectively when monitoring high-speed, high-bandwidth networks in which packet payloads are large.
Summary of the invention
The technical problem to be solved by the invention is to overcome the shortcoming that existing payload-based anomaly intrusion detection methods are difficult to apply to fast detection of packets in a high-speed network, by providing a payload-based anomaly intrusion detection method that can quickly check packets in a high-speed network while guaranteeing detection accuracy.
The invention solves the above technical problem with the following technical scheme:
A payload-based anomaly intrusion detection method, comprising the following steps:
Step A, train in advance to obtain a normal traffic profile;
Step B, extract features from the packet to be checked;
Step C, using the normal traffic profile, classify the packet according to the extracted features and decide whether it is an anomalous packet;
When training the normal traffic profile, the training packets are first chunked with the CPP algorithm; features are then extracted only from the first N chunks; the normal traffic profile is then trained from the extracted feature samples;
Before features are extracted from a packet to be checked, that packet is first chunked with the CPP algorithm, and features are extracted only from its first N chunks;
where N is an integer smaller than the total number of chunks of the packet.
Further, feature extraction uses the 2ν-gram method, namely: for a set of different integer values ν, the occurrence frequency in the packet payload of pairs of bytes that are ν bytes apart is computed, which gives the packet's features in several feature spaces, one feature space per ν value. The normal traffic profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each one-class classifier being trained in the feature space that corresponds to it.
Further, each one-class classifier is trained as follows: the feature samples extracted in the feature space of the one-class classifier are first clustered; in each cluster the samples nearer to the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained.
Preferably, the samples nearer to the cluster centre are selected in each cluster as follows: check whether the number of samples in the cluster exceeds a preset threshold; if so, select the larger preset number of samples nearest to the centre; if not, select the smaller preset number of samples nearest to the centre; both numbers are preset integers, the one used for large clusters being the larger.
A payload-based anomaly intrusion detection system can also be obtained according to the invention, comprising:
a CPP-based payload chunking module, which chunks the packet to be checked with the CPP algorithm and hands its first N chunks to the feature extraction module, where N is an integer smaller than the total number of chunks of the packet;
a feature extraction module, which extracts features from the first N chunks of the chunked packet and sends the extracted features to the detection module; feature extraction uses the 2ν-gram method, namely: for a set of different integer values ν, the occurrence frequency in the packet payload of pairs of bytes ν bytes apart is computed, giving the packet's features in several feature spaces, one feature space per ν value;
a detection module, which classifies the packet with the pre-trained normal traffic profile according to the features extracted by the feature extraction module; if the packet is classified as anomalous it is passed to the response module, otherwise detection of the next packet proceeds; the normal traffic profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space; each one-class classifier is trained as follows: the feature samples extracted in its feature space are first clustered; in each cluster the samples nearer to the cluster centre are selected; the selected samples form the training set on which the one-class classifier is trained;
a response module, which responds to packets the detection module has judged anomalous by recording the packet's information and raising an alarm.
Compared with the prior art, the invention has the following advantages:
Because the packet is chunked with the CPP algorithm and only part of the payload is used for detection, the amount of data processed is reduced and detection speed increases, which gives better adaptability to the monitoring of high-speed networks; at the same time, because the normal traffic profile is built with a multiple classifier system, detection accuracy is improved.
Brief description of the drawings
Fig. 1 is a structural diagram of the anomaly intrusion detection system of the invention;
Fig. 2 is the flowchart of the CPP algorithm;
Fig. 3 is a structural diagram of the normal traffic profile in the invention;
Fig. 4 is the flowchart of the improved ISUC algorithm.
Embodiment
The technical scheme of the invention is described in detail below with reference to the drawings.
The payload-based anomaly intrusion detection system of the invention, as shown in Fig. 1, comprises:
a CPP-based payload chunking module, which chunks the packet to be checked with the CPP algorithm and hands its first N chunks to the feature extraction module, where N is an integer smaller than the total number of chunks of the packet;
a feature extraction module, which extracts features from the first N chunks of the chunked packet and sends the extracted features to the detection module; feature extraction uses the 2ν-gram method, namely: for a set of different integer values ν, the occurrence frequency in the packet payload of pairs of bytes ν bytes apart is computed, giving the packet's features in several feature spaces, one feature space per ν value;
a detection module, which classifies the packet with the pre-trained normal traffic profile according to the features extracted by the feature extraction module; if the packet is classified as anomalous it is passed to the response module, otherwise detection of the next packet proceeds; the normal traffic profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space; each one-class classifier is trained as follows: the feature samples extracted in its feature space are first clustered; in each cluster the samples nearer to the cluster centre are selected; the selected samples form the training set on which the one-class classifier is trained;
a response module, which responds to packets the detection module has judged anomalous by recording the packet's information and raising an alarm.
The anomaly detection method of the invention is described further with reference to the system above.
CPP-based payload chunking module: the purpose of chunking is to reduce the amount of data handled in the feature extraction phase; once the payload has been chunked, features can be extracted from only some of the chunks. The invention chunks packets with the CPP algorithm. CPP is prior art; for details see Athicha Muthitacharoen, Benjie Chen and David Mazières, "A low-bandwidth network file system", Symposium on Operating Systems Principles, 2001, pp. 174-187; its flow is shown in Fig. 2. CPP determines chunk boundaries from the content of the payload and uses Rabin fingerprinting to decide where a chunk ends. Over a sliding window of fixed length, CPP computes a sequence of Rabin fingerprints: it starts with the first window-length bytes of the payload and then slides the window one byte at a time toward the end of the payload, computing the next fingerprint each time. When the fingerprint equals the preset stop criterion, the current chunk is judged to end and computation of the next chunk begins. The process can be described as follows: given a byte sequence, the Rabin fingerprint of any subsequence of window length is computed by formula (1):
                   (1)
(formula (1) is an image in the original and is not reproduced here)
The two parameters in (1) are constants. The length of the sliding window has to be found by experiment; in the method of the invention a window length of 32 gives good experimental results. When the fingerprint value falls in the range 550 to 600 (the chosen stop criterion), the current chunk is ended and a new chunk is started; otherwise the current byte is appended to the current chunk and the window slides one byte further to compute a new Rabin fingerprint.
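The CPP chunking step just described, as an added example in Python (this is not code from the patent or from the LBFS paper it cites). The 32-byte window and the 550 to 600 stop range come from the description; the polynomial base P, the modulus M, the handling of the tail after the last boundary and the sample payload are my assumptions, because the constants of formula (1) are not given on the page.

```python
# Added example (not the patent's code): content-defined payload chunking in the CPP/LBFS
# style, with a rolling Rabin-type polynomial fingerprint over a fixed window.
# Assumptions: W = 32 as the patent reports; P and M are mine (formula (1)'s constants are
# not on the page). With M = 2**13 - 1 every fingerprint lies in [0, 8191), so the stop
# range 550..600 fires on roughly one window position in 160 and chunks average about
# 160 bytes, i.e. a full-size packet payload yields a handful of chunks.
import random

W = 32                        # sliding window length in bytes (patent: 32 works well)
P = 257                       # polynomial base (assumption)
M = 8191                      # modulus (assumption); fingerprints lie in [0, M)
STOP_LO, STOP_HI = 550, 600   # stop criterion: a window whose fingerprint falls in this
                              # range ends the current chunk
P_TOP = pow(P, W - 1, M)      # P**(W-1) mod M: weight of the byte leaving the window


def rabin_window(window: bytes) -> int:
    """Fingerprint of one window: (sum of b_i * P**(len-1-i)) mod M."""
    fp = 0
    for b in window:
        fp = (fp * P + b) % M
    return fp


def cpp_chunks(payload: bytes) -> list:
    """Split a payload into content-defined chunks.

    The window starts on the first W bytes and slides one byte at a time toward the
    end of the payload. Whenever its fingerprint falls in the stop range, the current
    chunk ends at the window's last byte and a new chunk begins. Whatever remains after
    the last boundary (possibly the whole payload) is emitted as the final chunk.
    """
    if len(payload) <= W:
        return [payload] if payload else []
    chunks, start = [], 0
    fp = rabin_window(payload[:W])
    i = W                     # invariant: the window covers payload[i - W:i]
    while True:
        if STOP_LO <= fp <= STOP_HI:
            chunks.append(payload[start:i])
            start = i
        if i == len(payload):
            break
        # roll the window one byte: drop payload[i - W], take in payload[i]
        fp = ((fp - payload[i - W] * P_TOP) * P + payload[i]) % M
        i += 1
    if start < len(payload):
        chunks.append(payload[start:])
    return chunks


def chunk_ends(chunks) -> list:
    """Cumulative end offsets of the chunks, i.e. the boundary positions."""
    ends, acc = [], 0
    for c in chunks:
        acc += len(c)
        ends.append(acc)
    return ends


def first_n_chunks(payload: bytes, n: int) -> bytes:
    """The bytes that actually reach feature extraction: only the first n chunks."""
    return b"".join(cpp_chunks(payload)[:n])


# Constructed sample payload: 1500 pseudo-random bytes from a fixed seed, standing in for
# a full-size packet payload; deterministic, so the boundaries are reproducible.
SAMPLE_PAYLOAD = bytes(random.Random(7).getrandbits(8) for _ in range(1500))
```

Two practical points follow from the construction. A boundary depends only on the 32 bytes under the window, so inserting or deleting bytes early in a payload moves the earlier boundaries but leaves the later chunks unchanged (easy to check by chunking a payload with and without a short prefix); that stability is what makes "the first N chunks" a meaningful unit to model. Conversely, only those N chunks reach the classifier, so bytes after them are never inspected, and the boundary positions are a deterministic function of bytes the sender controls; the choice of N therefore needs to be validated against the payload lengths actually seen on the monitored ports rather than fixed once.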
Feature extraction module: after the first N chunks of a packet are received from the CPP-based payload chunking module, features are extracted from them with the 2ν-gram method. The 2ν-gram method computes the occurrence frequency in the payload of pairs of bytes that are ν bytes apart (ν = 0, 1, 2, ...). The distributions obtained under different ν values give different structural information about a packet; by combining the information extracted with different ν values, one can reconstruct, or partially reconstruct, the information that the n-gram technique would extract directly. For a fixed ν, the 2ν-gram method counts occurrences with a sliding window of length ν + 2, but ignores the ν bytes between the first and the last byte of the window, treating them as blanks. Suppose a packet payload is a sequence of bytes indexed by position; then the occurrence frequency in the payload of a byte pair ν bytes apart is given by formula (2):
                        (2)
(formula (2) is an image in the original and is not reproduced here)
that is, the number of occurrences of the pair, counted with the sliding window, divided by the total number of positions the window takes over the payload, which can be regarded as an estimate of the probability of finding that pair in the payload. The 2ν-gram occurrence frequency can then also be computed by formula (3):
                    (3)
(formula (3) is an image in the original and is not reproduced here)
Formula (3) can be explained as follows: the occurrence frequency in the payload of a byte pair ν bytes apart is the sum of the occurrence frequencies of all (ν + 2)-grams that begin with the first byte of the pair and end with the second. Each different ν value yields a description of the packet in a different feature space; if there are k different ν values, k descriptions of the packet, that is, features in k feature spaces, are obtained.
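The 2ν-gram extraction above, as an added example in Python (not code from the patent or from McPAD). The input would be the bytes of the first N chunks; here a constructed request line stands in for them. The mapping of the functions to formulas (2) and (3) follows my reading of the description, and the relation checked in `pairs_from_ngrams` is the one formula (3) states.

```python
# Added example (not the patent's or McPAD's code): 2ν-gram feature extraction as the
# description defines it. For a chosen ν the payload is scanned with a window of ν + 2
# bytes and only the window's first and last byte form the pair; the ν bytes in between
# are skipped. A full feature vector has one entry per possible byte pair (256 * 256 =
# 65536 entries); it is kept as a sparse dict here because almost all entries are 0.
from collections import Counter


def two_nu_gram_counts(payload: bytes, nu: int) -> Counter:
    """Number of window positions at which the pair (payload[i], payload[i + nu + 1]) occurs."""
    span = nu + 1
    counts: Counter = Counter()
    for i in range(len(payload) - span):
        counts[(payload[i], payload[i + span])] += 1
    return counts


def two_nu_gram_frequencies(payload: bytes, nu: int) -> dict:
    """Relative frequency of each pair: its count divided by the number of window
    positions, len(payload) - nu - 1 (formula (2) in the description)."""
    positions = len(payload) - nu - 1
    if positions <= 0:          # payload too short for this ν: empty feature vector
        return {}
    return {pair: c / positions for pair, c in two_nu_gram_counts(payload, nu).items()}


def feature_spaces(payload: bytes, nus=(0, 1, 2)) -> dict:
    """One feature vector per ν; each ν value defines its own feature space."""
    return {nu: two_nu_gram_frequencies(payload, nu) for nu in nus}


def ngram_counts(payload: bytes, n: int) -> Counter:
    """Plain n-gram counts, used only to check the relation of formula (3)."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def pairs_from_ngrams(payload: bytes, nu: int) -> Counter:
    """Formula (3): the 2ν-gram count of a pair equals the summed count of every
    (ν + 2)-gram that starts with the pair's first byte and ends with its second."""
    marginal: Counter = Counter()
    for gram, c in ngram_counts(payload, nu + 2).items():
        marginal[(gram[0], gram[-1])] += c
    return marginal


# Constructed sample: a short HTTP-like request standing in for the first N chunks.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"
```

The counts for ν = 0 are ordinary byte bigrams; each larger ν adds a view of longer-range structure at the same 65536-entry cost, which is why the method can approximate higher-order n-grams without the exponential growth in feature dimension that a direct (ν + 2)-gram model would have.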
Detection module: according to the features extracted by the feature extraction module, the packet to be checked is classified with the pre-trained normal traffic profile; if it is classified as anomalous it is passed to the response module, otherwise detection proceeds to the next packet. The normal traffic profile of the invention uses a multiple classifier system. When the classifiers being fused are "diverse", the multiple classifier system gains accuracy. One way to create diversity is to base each classifier of the system on a description of the pattern in a different feature space. In the invention the descriptions of a packet in different feature spaces, i.e. feature extraction, are obtained by the 2ν-gram method. After 2ν-gram feature extraction, the different ν values (suppose there are k of them) give k different feature spaces in which the same packet is described. A one-class classifier is trained in each feature space; in this embodiment a support vector machine (SVM) is used, so k normal traffic profiles described in different feature spaces are obtained, as shown in Fig. 3. Each one-class classifier of the multiple classifier is trained with the improved ISUC algorithm. The invention improves the ISUC algorithm (see Li Xiaoli, Liu Jimin, Shi Zhongzhi, "A Chinese web page classifier based on support vector machine and unsupervised clustering", Chinese Journal of Computers, 2001, 24(1): 62-68) in two main respects: (1) detection with two classifiers is abandoned and the normal traffic profile is built with a one-class SVM only, because a higher false alarm rate is unacceptable in anomaly intrusion detection, so the less accurate UC classification is dropped; (2) the training samples are clustered with a clustering algorithm such as k-means, CURE or fuzzy k-means (this embodiment clusters with the UC algorithm), and the training samples are then selected using the cluster centres: in each cluster, the samples nearer to the cluster centre are selected to train the one-class SVM. The selection rule is as follows:
Samples nearer to the cluster centre are selected for training, while the size of the cluster is also taken into account: the number of samples picked from each cluster is adjusted according to its size, so that a larger cluster contributes more samples and a smaller cluster fewer. Specifically, the samples nearer to the cluster centre are selected in each cluster as follows: check whether the number of samples in the cluster exceeds a preset threshold; if so, select the larger preset number of samples nearest to the centre; if not, select the smaller preset number of samples nearest to the centre; both numbers are preset integers, the one used for large clusters being the larger. Of course, a simpler rule that ignores cluster size and selects the same number of samples nearest to the centre from every cluster can also be used. As shown in Fig. 4, the improved ISUC algorithm of the invention proceeds as follows:
Step 1. Start from the first cluster with an empty set of selected samples.
Step 2. If every cluster has been processed (the cluster index exceeds the number of cluster centres obtained by clustering), go to Step 6.
Step 3. In the current cluster, find all samples nearer to its centre. If the number of samples in the cluster exceeds the preset threshold (the criterion for a larger cluster), "nearer" means the larger preset number of samples nearest to the centre; otherwise it means the smaller preset number.
Step 4. Add the samples found to the set of selected samples.
Step 5. Move on to the next cluster and go to Step 2.
Step 6. Train the final one-class SVM on the set of selected samples.
The detection process itself is: the features extracted in the feature space of each ν value are given to the corresponding one-class SVM of the normal traffic profile (the profile trained in that feature space) for classification; finally the classification results of the multiple one-class classifiers are fused into the final decision on whether the packet is anomalous.
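The training-side pipeline of Steps 1 to 6 together with the fused detection decision, as an added example in Python (not the patent's code). Several substitutions are made so the block runs without a machine-learning library, and each is an assumption: k-means with farthest-first seeding stands in for the clustering step (the patent names k-means, CURE, fuzzy k-means and UC as options); a nearest-centre model with one ball per cluster, whose radius is the largest distance of a selected sample to its centre, stands in for the one-class SVM; majority vote stands in for the fusion rule, which the patent does not specify. The 2-D points are stand-ins for 2ν-gram frequency vectors; the cluster-size threshold and the two selection counts are illustrative values.

```python
# Added example (not the patent's code): cluster, prune to near-centre samples with the
# size-dependent rule of Steps 1-6, fit one one-class model per ν feature space, and fuse
# the per-space verdicts. Substitutions (all assumptions): farthest-first k-means for the
# clustering step, a union-of-balls nearest-centre model for the one-class SVM, majority
# vote for the fusion rule. Points are 2-D stand-ins for 2ν-gram feature vectors.
import math


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points):
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))


def kmeans(points, k, iters=50):
    """Lloyd's k-means; farthest-first seeding keeps the example deterministic."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist(p, c) for c in centers)))
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda j: dist(p, centers[j]))].append(p)
        new = [centroid(cl) if cl else centers[j] for j, cl in enumerate(clusters)]
        if new == centers:
            break
        centers = new
    return centers, clusters


def select_near_center(cluster, center, big_threshold, n_big, n_small):
    """Step 3: the n_big samples nearest the centre if the cluster holds more than
    big_threshold samples, otherwise the n_small nearest (n_big > n_small)."""
    n = n_big if len(cluster) > big_threshold else n_small
    return sorted(cluster, key=lambda p: dist(p, center))[:n]


def train_one_class(samples, k, big_threshold=20, n_big=10, n_small=4):
    """Steps 1-6 for one feature space: cluster, select, fit one ball per cluster."""
    centers, clusters = kmeans(samples, k)
    balls = []
    for c, cl in zip(centers, clusters):
        if not cl:
            continue
        chosen = select_near_center(cl, c, big_threshold, n_big, n_small)
        balls.append((c, max(dist(p, c) for p in chosen)))
    return balls


def is_normal(balls, x):
    """One-class verdict: x is normal if it lies inside any cluster's ball."""
    return any(dist(x, c) <= r + 1e-12 for c, r in balls)


def train_profile(samples_by_nu, k):
    """Normal traffic profile: one one-class model per ν feature space."""
    return {nu: train_one_class(s, k) for nu, s in samples_by_nu.items()}


def is_anomalous(profile, features_by_nu):
    """MCS fusion: anomalous if more than half of the per-space models reject (assumption)."""
    votes = sum(not is_normal(profile[nu], features_by_nu[nu]) for nu in profile)
    return votes * 2 > len(profile)


# Constructed training data: a large grid of 49 points around (0, 0) and a small grid of
# 9 points around (5, 5), reused as the "normal" samples of every ν feature space.
GRID_A = [(x / 10, y / 10) for x in range(-3, 4) for y in range(-3, 4)]
GRID_B = [(5 + x / 10, 5 + y / 10) for x in range(-1, 2) for y in range(-1, 2)]
TRAIN = {nu: GRID_A + GRID_B for nu in (0, 1, 2)}
PROFILE = train_profile(TRAIN, k=2)
```

With these values the large cluster contributes its 10 innermost points and the small one its 4, so the fitted radii (0.2 and 0.1) are tighter than the clusters themselves: a genuine training point such as (0.3, 0.3) is rejected by every space. That is the trade-off the selection rule introduces, faster training against a profile that under-covers normal traffic, and it is why the false alarm rate of the selected-sample profile has to be measured on held-out normal traffic before the two selection counts are fixed.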
Response module: responds to packets the detection module has judged anomalous by recording the packet's information and raising an alarm.

Claims (6)

1. A payload-based anomaly intrusion detection method, comprising the following steps: Step A, train in advance to obtain a normal traffic profile; Step B, extract features from the packet to be checked; Step C, using the normal traffic profile, classify the packet according to the extracted features and decide whether it is an anomalous packet; characterised in that,
when training the normal traffic profile, the training packets are first chunked with the CPP algorithm; features are then extracted only from the first N chunks; the normal traffic profile is then trained from the extracted feature samples;
before features are extracted from a packet to be checked, that packet is first chunked with the CPP algorithm, and features are extracted only from its first N chunks;
where N is an integer smaller than the total number of chunks of the packet.
2. The payload-based anomaly intrusion detection method of claim 1, characterised in that feature extraction uses the 2ν-gram method, namely: for a set of different integer values ν, the occurrence frequency in the packet payload of pairs of bytes ν bytes apart is computed, giving the packet's features in several feature spaces, one feature space per ν value; the normal traffic profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each one-class classifier being trained in the feature space that corresponds to it.
3. The payload-based anomaly intrusion detection method of claim 2, characterised in that each one-class classifier is trained as follows: the feature samples extracted in the feature space of the one-class classifier are first clustered; in each cluster the samples nearer to the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained.
4. The payload-based anomaly intrusion detection method of claim 3, characterised in that the samples nearer to the cluster centre are selected in each cluster as follows: check whether the number of samples in the cluster exceeds a preset threshold; if so, select the larger preset number of samples nearest to the centre; if not, select the smaller preset number of samples nearest to the centre; both numbers are preset integers, the one used for large clusters being the larger.
5. The payload-based anomaly intrusion detection method of any one of claims 1 to 4, characterised in that when packets are chunked with the CPP algorithm the length of the sliding window is 32.
6. A payload-based anomaly intrusion detection system, characterised in that the system comprises:
a CPP-based payload chunking module, which chunks the packet to be checked with the CPP algorithm and hands its first N chunks to the feature extraction module, where N is an integer smaller than the total number of chunks of the packet;
a feature extraction module, which extracts features from the first N chunks of the chunked packet and sends the extracted features to the detection module; feature extraction uses the 2ν-gram method, namely: for a set of different integer values ν, the occurrence frequency in the packet payload of pairs of bytes ν bytes apart is computed, giving the packet's features in several feature spaces, one feature space per ν value;
a detection module, which classifies the packet with the pre-trained normal traffic profile according to the features extracted by the feature extraction module; if the packet is classified as anomalous it is passed to the response module, otherwise detection of the next packet proceeds; the normal traffic profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space; each one-class classifier is trained as follows: the feature samples extracted in its feature space are first clustered; in each cluster the samples nearer to the cluster centre are selected; the selected samples form the training set on which the one-class classifier is trained;
a response module, which responds to packets the detection module has judged anomalous by recording the packet's information and raising an alarm.
CN2011104246134A 2011-12-19 2011-12-19 Load-based anomaly intrusion detection method and system Withdrawn CN102457525A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011104246134A CN102457525A (en) 2011-12-19 2011-12-19 Load-based anomaly intrusion detection method and system

Publications (1)

Publication Number Publication Date
CN102457525A true CN102457525A (en) 2012-05-16

Family

ID=46040181

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101789885A (en) * 2009-01-23 2010-07-28 英业达股份有限公司 Network intrusion detection system
CN102201948A (en) * 2011-05-27 2011-09-28 北方工业大学 Quick matching method for network intrusion detection system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ATHICHA MUTHITACHAROEN et al.: "A Low-bandwidth Network File System", SOSP '01 Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, 31 December 2001 (2001-12-31), pages 174-187 *
ROBERTO PERDISCI et al.: "McPAD: A multiple classifier system for accurate payload-based anomaly detection", Computer Networks, vol. 53, no. 6, 31 December 2009 (2009-12-31), pages 864-881 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103490992A (en) * 2013-10-10 2014-01-01 沈阳航空航天大学 Instant messaging worm detection method
CN103490992B (en) * 2013-10-10 2016-10-19 沈阳航空航天大学 Instant messaging Worm detection method
CN106452829A (en) * 2016-01-21 2017-02-22 华南师范大学 Intelligent operation and maintenance method and system for cloud computation center based on BCC-KNN
CN106452829B (en) * 2016-01-21 2019-07-19 华南师范大学 A kind of cloud computing center intelligence O&M method and system based on BCC-KNN
CN110351220A (en) * 2018-04-02 2019-10-18 蓝盾信息安全技术有限公司 One kind realizing gateway efficient data scanning technique based on packet filtering
CN111294362A (en) * 2020-03-16 2020-06-16 湖南大学 LDoS attack real-time detection method based on fractal residual error
CN113037553A (en) * 2021-03-11 2021-06-25 湖南大学 IEC102 protocol communication behavior abnormity detection method and system based on IA-SVM
CN113516162A (en) * 2021-04-26 2021-10-19 湖南大学 OCSVM and K-means algorithm based industrial control system flow abnormity detection method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20120516