CN106657065A - Network abnormality detection method based on data mining - Google Patents

Info

Publication number: CN106657065A
Authority: CN (China)
Prior art keywords: data, cpp, cluster, detection, call
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201611202992.1A
Other languages: Chinese (zh)
Inventor: 陈涛
Current assignee: Shaanxi University of Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shaanxi University of Technology
Priority date: 2016-12-23 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2016-12-23
Publication date: 2017-05-10
Application filed by Shaanxi University of Technology; priority to CN201611202992.1A; publication of CN106657065A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F 16/284 Relational databases
    • G06F 16/285 Clustering or classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/12 Computing arrangements based on biological models using genetic models
    • G06N 3/126 Evolutionary algorithms, e.g. genetic algorithms or genetic programming

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Biophysics (AREA)
  • Evolutionary Biology (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Artificial Intelligence (AREA)
  • Genetics & Genomics (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Computational Linguistics (AREA)
  • Physiology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network abnormality detection method based on data mining. The method uses the system standard input/output library stdio, the system standard library stdlib and the system mathematical function library math, and comprises the following steps: first, start the master program file detection.cpp, read in the data to be detected and preprocess it; call the cluster analysis and generation module clust.cpp, using the individual obtained in the previous step as the initial center point of the cluster partitioning method, and let that module partition the data and generate the clusters; call the data readability conversion module trap.cpp to mark the generated clusters and determine which are normal data and which are abnormal data; and let the alert module alert.cpp output the information on normal and abnormal data to the console. The method applies data mining technology effectively to intrusion detection. An intrusion-detection application needs to improve the original cluster analysis algorithm so that it suits the environment and data types of intrusion detection, fulfils the aim of intrusion detection, improves the detection rate and reduces the false alarm rate.

Description

A network anomaly detection method based on data mining
Technical field
The invention belongs to the field of computer application technology and, more specifically, relates to a network anomaly detection method based on data mining.
Background technology
Data mining is the process of extracting interesting knowledge from the mass of data stored in databases, data warehouses or other information repositories. According to certain rules, it digs important information and valuable knowledge out of large volumes of fuzzy, noisy raw data. Data mining is a cross-disciplinary technology that touches intrusion detection, intelligent databases, machine learning and several other fields, and it has become a popular research topic. Applying data mining technology to intrusion detection can improve detection efficiency and enhance the adaptivity and extensibility of the system. An intrusion detection system based on data mining can protect the security of a computer network system well and has high research value and practical significance.
The information services of the 21st century have brought earth-shaking change to human society and have changed the way information is exchanged across the whole world. With the development of computer and communication technology, networks have become a key factor in the development of today's world. In recent years computer networks have developed extremely rapidly, and information networks now reach into numerous areas of the state such as government, military affairs, culture and education. Every major government decision, commercial secret, bank capital flow, energy statistic and scientific data set involves a substantial flow of information; information networks have become an important guarantee of social development and a symbol of national comprehensive strength. With the networking and globalization of computing, every field of society has made a qualitative leap in the network era: people's study, work and life are all integrated into the network, and people share resources through it.
Through decades of development the network environment has changed greatly: structures have gone from simple to complex and applications from single-purpose to diverse, so maintaining the normal and stable operation of networks has become an extremely important problem. Network technologies keep extending in time and space, the number of users and devices keeps increasing, and attacks occur frequently; these destabilizing factors in networks increase the difficulty of network management. Criminal activity that exploits networks is increasingly serious, so ensuring the security of computer network systems cannot be delayed, and network security has become a major problem of national security. Only with computer network security can the informatization of society develop normally, can national information be safe, and can the online life of the people be protected from encroachment. Research on network security technology therefore has important social effect and practical significance.
At present there are many insecure factors in network applications, mainly information leakage, information tampering, illegal use of network resources and infiltration of illegal information, so the security and protection of network information appear more and more important. Computer network security has many hidden dangers, maintenance is difficult, and attack means are becoming diverse, complex and intelligent, so it is necessary to establish a safe and effective protection system to guarantee the healthy and stable operation of the network.
Traditional network security technologies mainly include encryption technology, identity discrimination and authentication technology, access control technology, firewall technology and so on. In the early stage of the evolution of computer networks these security technologies had a certain effect and ensured normal network operation and information exchange. Faced with today's complicated network environment, traditional security protection technology mainly has the following problems:
1. These technologies belong to the category of static security technology and cannot actively trace an intruder; at the same time, the security strategy of static defence sacrifices some of the user's rights, which conflicts with the openness and sharing of the network;
2. They cannot prevent attacks from inside the system and are helpless when an authorized user abuses the computer and its resources;
3. Because of performance restrictions, they cannot provide real-time monitoring.
Therefore the research emphasis of computer network security is gradually turning from static security technology to the dynamic security technology of active tracing and active detection.
Content of the invention
The purpose of the invention is to solve the shortcomings of the prior art by proposing a network anomaly detection method based on data mining.
To achieve the above object, the present invention provides the following technical scheme:
A network anomaly detection method based on data mining, comprising:
System standard input/output: stdio;
System standard library: stdlib;
System mathematical function library: math;
System standard input/output stream: iostream;
and specifically comprising the following steps:
S1: first, start the master program file detection.cpp, read in the data to be detected and preprocess it;
S2: call the numerization program num.epp and the data normalization program format.cpp in turn to preprocess the data, which improves the running efficiency of the subsequent algorithm;
S3: call the individual fitness calculation program fitcal.cpp to compute the fitness of each individual, which the roulette-wheel selection in the selection operator uses;
S4: call the genetic operator program genetic.cpp;
S5: call the cluster analysis and generation module clust.cpp, taking the individual obtained in the previous step as the initial center points of the clustering method; this module partitions the data and generates the clusters;
S6: call the data readability conversion module trap.cpp to mark the generated clusters and determine which are of the normal data type and which of the abnormal data type;
S7: the alarm module alert.cpp outputs the information on normal and abnormal data to the console.
Preferably, calling the genetic operator program genetic.cpp in S4 comprises the following steps:
a. first, call the selection operator to select the individuals with higher fitness;
b. then, call the crossover operator to cross the individuals moderately, improving global search ability;
c. finally, call the mutation operator to mutate the individuals moderately, improving local search ability; the three operators are iterated 4 times in total.
Preferably, in S5 the specific clustering method is as follows:
Input: a density radius r and a data set A of n records; Output: k clusters; the steps are:
A. scan the data set A once, reading each data point i of the sample set A;
B. compute the point density of each data point, the distance sum D of each data point, and the distance sum H;
C. if the density of a data object is less than the density threshold Q and D > H, the object is regarded as an isolated point (t isolated points in total);
D. remove the isolated points from A to obtain a new data set A', record the number of samples in A' as m = n - t, and output the isolated points;
E. run the evolutionary algorithm for obtaining initial cluster centers, obtaining k initial cluster centers;
F. cluster the point set U, forming k clusters U_k.
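As an added example that is not part of the patent or its detection.cpp, genetic.cpp and clust.cpp modules, the following Python works through the genetic operator steps a to c (4 iterations) and the clustering steps A to F described above, with a size-based marking rule standing in for what trap.cpp does in S6; the same steps are repeated in the embodiments and claims below. The sample records, the radius r, the threshold Q, the choice of H as the mean distance sum, the squared-error fitness function and the marking rule are all constructed assumptions that the patent text does not fix.

```python
"""Added example, not the patent's .cpp modules: isolated-point removal (A-D),
GA-chosen initial centers (E, operators a-c) and k-means partitioning (F)."""
import math
import random

# Constructed sample: 12 normal records, 4 records of one anomalous pattern and
# one isolated record; each is (normalized duration, normalized byte count).
SAMPLE_RECORDS = [
    (0.18, 0.20), (0.20, 0.22), (0.22, 0.19), (0.19, 0.23), (0.21, 0.18), (0.23, 0.21),
    (0.17, 0.18), (0.20, 0.20), (0.24, 0.23), (0.16, 0.22), (0.22, 0.24), (0.18, 0.16),
    (0.80, 0.82), (0.82, 0.79), (0.78, 0.81), (0.81, 0.83),
    (0.95, 0.10),
]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def remove_isolated_points(A, r, Q):
    """Steps A-D. Density = neighbours within radius r; D = distance sum of a point;
    H = mean distance sum (assumed). density < Q and D > H marks an isolated point."""
    n = len(A)
    density = [sum(1 for j in range(n) if j != i and dist(A[i], A[j]) <= r)
               for i in range(n)]
    D = [sum(dist(p, q) for q in A) for p in A]
    H = sum(D) / n
    isolated = {i for i in range(n) if density[i] < Q and D[i] > H}
    return ([A[i] for i in range(n) if i not in isolated],   # A', m = n - t records
            [A[i] for i in sorted(isolated)])                 # the t isolated points

def fitness(data, individual):
    """fitcal.cpp analogue: individual = k indices into A'; inverse clustering error."""
    centers = [data[i] for i in individual]
    return 1.0 / (1.0 + sum(min(dist(p, c) ** 2 for c in centers) for p in data))

def roulette_select(pop, fits, rng):
    pick, acc = rng.uniform(0, sum(fits)), 0.0
    for ind, f in zip(pop, fits):
        acc += f
        if acc >= pick:
            return ind
    return pop[-1]

def genetic_initial_centers(data, k, rng, pop_size=20, generations=4):
    """Step E / genetic.cpp: a. roulette selection, b. one-point crossover,
    c. mutation, iterated 4 times; returns the fittest k centers found."""
    n = len(data)
    pop = [rng.sample(range(n), k) for _ in range(pop_size)]
    for _ in range(generations):
        fits = [fitness(data, ind) for ind in pop]
        new_pop = [pop[fits.index(max(fits))]]           # elitism: keep the best
        while len(new_pop) < pop_size:
            p1, p2 = roulette_select(pop, fits, rng), roulette_select(pop, fits, rng)
            cut = rng.randrange(1, k) if k > 1 else 0
            child = (p1[:cut] + [g for g in p2 if g not in p1[:cut]])[:k]
            while len(child) < k:                         # repair duplicate genes
                g = rng.randrange(n)
                if g not in child:
                    child.append(g)
            if rng.random() < 0.2:                        # mutation
                g = rng.randrange(n)
                if g not in child:
                    child[rng.randrange(k)] = g
            new_pop.append(child)
        pop = new_pop
    fits = [fitness(data, ind) for ind in pop]
    return [data[i] for i in pop[fits.index(max(fits))]]

def kmeans(data, centers, iters=50):
    """Step F: partition A' into k clusters around the GA-chosen centers."""
    centers = [list(c) for c in centers]
    for _ in range(iters):
        clusters = [[] for _ in centers]
        for p in data:
            clusters[min(range(len(centers)), key=lambda c: dist(p, centers[c]))].append(p)
        new = [[sum(v) / len(cl) for v in zip(*cl)] if cl else centers[i]
               for i, cl in enumerate(clusters)]
        if new == centers:
            break
        centers = new
    return clusters

def detect(A, r, Q, k, seed=7, normal_fraction=0.3):
    """S5-S6 pipeline. Assumed marking rule: a cluster holding at least
    normal_fraction of A' is normal, smaller clusters are abnormal."""
    A_prime, isolated = remove_isolated_points(A, r, Q)
    clusters = kmeans(A_prime, genetic_initial_centers(A_prime, k, random.Random(seed)))
    labels = ["normal" if len(c) >= normal_fraction * len(A_prime) else "abnormal"
              for c in clusters]
    return {"isolated": isolated, "clusters": clusters, "labels": labels}
```

Calling `detect(SAMPLE_RECORDS, r=0.1, Q=2, k=2)` reports the single isolated record, one 12-record cluster marked normal and one 4-record cluster marked abnormal; the isolated points are reported separately, as step D requires.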
Anomaly detection judges whether an intrusion has occurred from how far the behavior of a user or the usage of a resource departs from normal, and it can detect new attack behaviors. It mainly detects anomalous phenomena in communications rather than known intrusion behaviors. Anomaly detection assumes that all intrusion behavior is anomalous, for example external break-ins and internal misuse or attacks. On this assumption, historical data on the system's normal behavior is collected and a feature database of normal behavior is built for the system by quantitative methods, so that in theory any behavior or operation that differs from the normal features can be regarded as an intrusion. Anomaly detection judges how system resources are used and monitors the behavior of users in the system by running a monitoring program that compares the features of current activity with the features of normal behavior; if the degree of difference exceeds the set threshold, the activity is judged an intrusion and an alarm is raised. For anomaly detection, the key to the method is the setting of the anomaly threshold and the selection of the normal features.
Technical effects and advantages of the invention: compared with conventional technology, the network anomaly detection method based on data mining provided by the invention applies data mining technology effectively to intrusion detection. An intrusion-detection application needs to improve the original clustering algorithm so that it suits the environment and data types of intrusion detection, achieves the purpose of intrusion detection, improves the detection rate and reduces the false alarm rate. At the same time, the invention introduces a genetic algorithm to overcome the defect that clustering algorithms converge to a locally optimal solution, which further improves the detection rate of intrusion detection and reduces the false alarm rate.
Specific embodiments
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is further elaborated below in conjunction with specific embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it. Based on the embodiments of the invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the invention.
A network anomaly detection method based on data mining, comprising:
System standard input/output: stdio;
System standard library: stdlib;
System mathematical function library: math;
System standard input/output stream: iostream;
and specifically comprising the following steps:
S1: first, start the master program file detection.cpp, read in the data to be detected and preprocess it;
S2: call the numerization program num.epp and the data normalization program format.cpp in turn to preprocess the data, which improves the running efficiency of the subsequent algorithm;
S3: call the individual fitness calculation program fitcal.cpp to compute the fitness of each individual, which the roulette-wheel selection in the selection operator uses;
S4: call the genetic operator program genetic.cpp;
S5: call the cluster analysis and generation module clust.cpp, taking the individual obtained in the previous step as the initial center points of the clustering method; this module partitions the data and generates the clusters;
S6: call the data readability conversion module trap.cpp to mark the generated clusters and determine which are of the normal data type and which of the abnormal data type;
S7: the alarm module alert.cpp outputs the information on normal and abnormal data to the console.
Specifically, calling the genetic operator program genetic.cpp in S4 comprises the following steps:
a. first, call the selection operator to select the individuals with higher fitness;
b. then, call the crossover operator to cross the individuals moderately, improving global search ability;
c. finally, call the mutation operator to mutate the individuals moderately, improving local search ability; the three operators are iterated 4 times in total.
Specifically, in S5 the specific clustering method is as follows:
Input: a density radius r and a data set A of n records; Output: k clusters; the steps are:
A. scan the data set A once, reading each data point i of the sample set A;
B. compute the point density of each data point, the distance sum D of each data point, and the distance sum H;
C. if the density of a data object is less than the density threshold Q and D > H, the object is regarded as an isolated point (t isolated points in total);
D. remove the isolated points from A to obtain a new data set A', record the number of samples in A' as m = n - t, and output the isolated points;
E. run the evolutionary algorithm for obtaining initial cluster centers, obtaining k initial cluster centers;
F. cluster the point set U, forming k clusters U_k.
In summary: methods based on misuse detection cannot effectively detect attacks of unknown type, whereas anomaly-based intrusion detection does not rely on an intrusion feature database and can detect attacks of unknown type, so effective anomaly detection methods must be researched. The present invention adopts data mining technology and improves the intrusion detection system with a data mining algorithm that can be applied effectively to intrusion detection, further improving the detection rate and reducing the false alarm rate. When an attack on the system occurs, the system can detect it and alert the network administrator in time, achieving the purpose of intrusion detection.
Finally it should be noted that the foregoing are only preferred embodiments of the present invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical schemes described in the foregoing embodiments or make equivalent substitutions for some of their technical features. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (3)

1. A network anomaly detection method based on data mining, comprising:
System standard input/output: stdio;
System standard library: stdlib;
System mathematical function library: math;
System standard input/output stream: iostream;
characterized in that it specifically comprises the following steps:
S1: first, start the master program file detection.cpp, read in the data to be detected and preprocess it;
S2: call the numerization program num.epp and the data normalization program format.cpp in turn to preprocess the data, which improves the running efficiency of the subsequent algorithm;
S3: call the individual fitness calculation program fitcal.cpp to compute the fitness of each individual, which the roulette-wheel selection in the selection operator uses;
S4: call the genetic operator program genetic.cpp;
S5: call the cluster analysis and generation module clust.cpp, taking the individual obtained in the previous step as the initial center points of the clustering method; this module partitions the data and generates the clusters;
S6: call the data readability conversion module trap.cpp to mark the generated clusters and determine which are of the normal data type and which of the abnormal data type;
S7: the alarm module alert.cpp outputs the information on normal and abnormal data to the console.
2. The network anomaly detection method based on data mining according to claim 1, characterized in that calling the genetic operator program genetic.cpp in S4 comprises the following steps:
a. first, call the selection operator to select the individuals with higher fitness;
b. then, call the crossover operator to cross the individuals moderately, improving global search ability;
c. finally, call the mutation operator to mutate the individuals moderately, improving local search ability; the three operators are iterated 4 times in total.
3. The network anomaly detection method based on data mining according to claim 1, characterized in that in S5 the specific clustering method is as follows:
Input: a density radius r and a data set A of n records; Output: k clusters; the steps are:
A. scan the data set A once, reading each data point i of the sample set A;
B. compute the point density of each data point, the distance sum D of each data point, and the distance sum H;
C. if the density of a data object is less than the density threshold Q and D > H, the object is regarded as an isolated point (t isolated points in total);
D. remove the isolated points from A to obtain a new data set A', record the number of samples in A' as m = n - t, and output the isolated points;
E. run the evolutionary algorithm for obtaining initial cluster centers, obtaining k initial cluster centers;
F. cluster the point set U, forming k clusters U_k.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611202992.1A CN106657065A (en) 2016-12-23 2016-12-23 Network abnormality detection method based on data mining

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611202992.1A CN106657065A (en) 2016-12-23 2016-12-23 Network abnormality detection method based on data mining

Publications (1)

Publication Number Publication Date
CN106657065A true CN106657065A (en) 2017-05-10

Family

ID=58826561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611202992.1A Pending CN106657065A (en) 2016-12-23 2016-12-23 Network abnormality detection method based on data mining

Country Status (1)

Country Link
CN (1) CN106657065A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753920A (en) * 2015-03-01 2015-07-01 江西科技学院 Quantum genetic algorithm based intrusion detection method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
宋先强等: "基于数据挖掘的网络异常检测方法的研究" (Research on a network anomaly detection method based on data mining), 《电子技术研发》 (Electronic Technology R&D) *
杨种学: "一种基于动态聚类的异常入侵检测方法" (An anomaly intrusion detection method based on dynamic clustering), 《计算机工程与设计》 (Computer Engineering and Design) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107341239A (en) * 2017-07-05 2017-11-10 广东工业大学 A cluster data analysis method and device
CN107341239B (en) * 2017-07-05 2020-08-07 广东工业大学 Cluster data analysis method and device
CN108737406A (en) * 2018-05-10 2018-11-02 北京邮电大学 A detection method and system for abnormal flow data
CN108737406B (en) * 2018-05-10 2020-08-04 北京邮电大学 Method and system for detecting abnormal flow data
CN109978070A (en) * 2019-04-03 2019-07-05 北京市天元网络技术股份有限公司 An improved K-means outlier detection method and device
CN111460246A (en) * 2019-12-19 2020-07-28 南京柏跃软件有限公司 Real-time activity abnormal person discovery method based on data mining and density detection
CN111460246B (en) * 2019-12-19 2020-12-08 南京柏跃软件有限公司 Real-time activity abnormal person discovery method based on data mining and density detection
CN113869455A (en) * 2021-10-13 2021-12-31 平安科技(深圳)有限公司 Unsupervised clustering method and device, electronic equipment and medium

Similar Documents

Publication Publication Date Title
CN108566364B (en) Intrusion detection method based on neural network
Khan et al. Malicious insider attack detection in IoTs using data analytics
CN106657065A (en) Network abnormality detection method based on data mining
Zhu et al. Data mining for network intrusion detection: a comparison of alternative methods
CN108681966A (en) A kind of information monitoring method and device based on block chain
Murali et al. A survey on intrusion detection approaches
WO2004097601A1 (en) System and method for determining a computer user profile from a motion-based input device
CN111600905A (en) Anomaly detection method based on Internet of things
CN115883213B (en) APT detection method and system based on continuous time dynamic heterogeneous graph neural network
CN116957049B (en) Unsupervised internal threat detection method based on countermeasure self-encoder
CN105262715A (en) Abnormal user detection method based on fuzzy sequential association pattern
CN114598551A (en) Information network security early warning system for dealing with continuous threat attack
Tundis et al. Challenges and available solutions against organized cyber-crime and terrorist networks
Choksi et al. Intrusion detection system using self organizing map: a survey
Mehmood et al. Privilege escalation attack detection and mitigation in cloud using machine learning
CN117478403A (en) Whole scene network security threat association analysis method and system
CN109871711B (en) Ocean big data sharing and distributing risk control model and method
US20230164162A1 (en) Valuable alert screening method efficiently detecting malicious threat
Zhao et al. A closed-loop hybrid supervision framework of cryptocurrency transactions for data trading in IoT
Zhang Analysis of Network Security Countermeasures From the Perspective of Improved FS Algorithm and ICT Convergence
Xie et al. Application of Big Data in Public Security Governance: Dilemma, Risk and Optimization Path
Azanguezet Quimatio et al. HOrBAC Optimization Based on Suspicious Behavior Detection Using Information Theory
Wei et al. Extracting novel attack strategies for industrial cyber-physical systems based on cyber range
Sahifa Implementation of intrusion detection systems to detect phishing in the banking industry
López et al. CGAPP: A continuous group authentication privacy-preserving platform for industrial scene

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170510