CN108696521A - A kind of cyberspace intrusion detection method - Google Patents

A kind of cyberspace intrusion detection method

Info

Publication number
CN108696521A
Authority
CN
China
Prior art keywords
network packet
intrusion detection
cyberspace
data object
distance
Prior art date
Legal status
Pending
Application number
CN201810450340.2A
Other languages
Chinese (zh)
Inventor
周贤德
Current Assignee
Ryan Friend Data Technology Nanjing Co Ltd
Original Assignee
Ryan Friend Data Technology Nanjing Co Ltd
Priority date
2018-05-11
Filing date
2018-05-11
Publication date
2018-10-23
Application filed by Ryan Friend Data Technology Nanjing Co Ltd
Priority to CN201810450340.2A
Publication of CN108696521A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/23 Clustering techniques
    • G06F 18/232 Non-hierarchical techniques
    • G06F 18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F 18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions, with fixed number of clusters, e.g. K-means clustering

Abstract

The present invention provides a cyberspace intrusion detection method that can improve the detection efficiency and detection performance of an intrusion detection system. The method includes: obtaining network packets; determining and deleting the isolated points among the network packets to obtain a new set of network packets; clustering the new set of network packets to obtain several sub-clusters; and determining a validity index for the optimal cluster number, such that the number of sub-clusters at which the validity index is minimal is the optimal cluster number, determining the optimal clustering result from that optimal cluster number, and performing intrusion detection according to the optimal clustering result. The present invention is suitable for cyberspace intrusion detection.

Description

A kind of cyberspace intrusion detection method
Technical field
The present invention relates to the field of network security, and in particular to a cyberspace intrusion detection method.
Background technology
With the continuous development and influence of the Internet, enormous changes have taken place in the way people live, study and work. The "Internet+" strategy in particular has pushed Internet applications to a new stage: every industry is linked to the Internet, and traditional industries are infused with new elements. Since the Internet is now closely bound to daily life, Internet information security has attracted worldwide attention, and the security of information acquisition, transmission, processing and storage has become an important component of the Internet. Consumption patterns have also changed, shifting from traditional physical money to virtual currencies and payment by mobile device. This requires stronger protection of network security and of the security of cyberspace.
Intrusion detection, as a proactive security technology, compensates for the shortcomings of conventional security technologies. An intrusion detection system (IDS) monitors computers and networks in real time and analyses them to find suspicious events, making it possible to quickly discover malicious attacks on systems and networks. IDSs fall into two types: host-based IDS (HIDS) and network-based IDS (NIDS).
The object analysed by a HIDS is the host's audit log, so software must be installed on the host; different systems and versions require different host agents, installation and configuration are relatively complex, and the agent can affect the operation and stability of the system.
The object analysed by a NIDS is the network data flow; it only needs to be attached to a listening (mirror) port of the network and has no effect on the operation of the network. If a firewall is compared to a doorkeeper, an IDS is a camera that never stops recording in the network. An IDS collects network data continuously by monitoring in bypass mode, with no impact on the operation or performance of the network, and at the same time judges whether the data contains attack attempts and alerts the administrator by various means. It can discover not only external attacks but also internal malicious behaviour. The IDS is therefore the second gate of network security and a necessary complement to the firewall; together they form a complete network security solution. Once an intrusion is detected, the system can respond promptly, for example by notifying the administrator, cutting off the network connection, recording the event and raising an alarm, so as to eliminate the harm to system security in time. As an important component of system security technology, intrusion detection receives increasing attention from governments and scholars.
However, in the prior art cyberspace intrusion detection is performed with the ordinary k-means algorithm, which results in low detection efficiency and poor detection performance. (Ordinary k-means requires the number of clusters k to be fixed in advance, and its result depends on the initial cluster centres and on outliers in the data; the method below addresses each of these points.)
Invention content
The technical problem to be solved by the present invention is to provide a cyberspace intrusion detection method that overcomes the low detection efficiency and poor detection performance of the prior art.
To solve the above technical problem, an embodiment of the present invention provides a cyberspace intrusion detection method, including:
obtaining network packets;
determining and deleting the isolated points among the network packets to obtain a new set of network packets;
clustering the new set of network packets to obtain several sub-clusters;
determining a validity index for the optimal cluster number, where the number of sub-clusters at which the validity index is minimal is the optimal cluster number; determining the optimal clustering result from the optimal cluster number; and performing intrusion detection according to the optimal clustering result.
Further, determining and deleting the isolated points among the network packets to obtain a new set of network packets includes:
computing, for each data object x_i in the packet set X, the sum of squared distances to the other data objects, SumDist(x_i), and the mean of these sums, avg(X), where x_i denotes the i-th data object in X;
comparing SumDist(x_i) with avg(X) for each data object in X; if SumDist(x_i) > avg(X), the data object is judged to be an isolated point and is deleted from X, giving the new packet set X'.
Further, SumDist(x_i) is expressed as:
where x_i denotes the i-th data object in X, x_j denotes the j-th data object in X, and N denotes the number of data objects in X.
Further, avg(X) is expressed as:
Further, clustering the new set of network packets to obtain several sub-clusters includes:
generating a minimum spanning tree from the packet set X', sorting its edges by weight in descending order and deleting the k-1 heaviest edges, so that k sub-clusters are obtained, where k denotes the number of sub-clusters;
computing the arithmetic mean of each sub-cluster and using it as the initial cluster centre of that sub-cluster among the k sub-clusters.
Further, determining the validity index for the optimal cluster number includes:
determining the intra-class distance of the data objects;
determining the inter-class distance of the data objects;
determining the validity index for the optimal cluster number from the determined intra-class distance and inter-class distance.
Further, let the new packet set be X' = {x_1, x_2, x_3, ..., x_n}, with p data objects clustered into classes S_i, S_i = {s_1, s_2, ..., s_k}; the intra-class distance
Further, the inter-class distance Wit(S_i, S_j) is the distance from class S_i to the other classes S_j,
Further, the validity index for the optimal cluster number
where m is a simplifying parameter,
The above-mentioned technical proposal of the present invention has the beneficial effect that:
In the above scheme, network packets are obtained; the isolated points among them, i.e. the abnormal network data, are determined and deleted to obtain a new set of network packets; the new set is clustered into several sub-clusters; a validity index for the optimal cluster number is determined, the number of sub-clusters at which the index is minimal being the optimal cluster number; the optimal clustering result is determined from that number, and intrusion detection is performed according to it. Applying the cyberspace intrusion detection method of this embodiment to an intrusion detection system improves the system's detection efficiency and detection performance.
Description of the drawings
Fig. 1 is a flow diagram of the cyberspace intrusion detection method provided by an embodiment of the present invention.
Specific implementation mode
To make the technical problem, technical solution and advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawing and specific embodiments.
The present invention provides a cyberspace intrusion detection method for the problem that existing detection has low efficiency and poor performance.
As shown in Fig. 1, the cyberspace intrusion detection method provided by an embodiment of the present invention includes:
S101: obtaining network packets;
S102: determining and deleting the isolated points among the network packets to obtain a new set of network packets;
S103: clustering the new set of network packets to obtain several sub-clusters;
S104: determining a validity index for the optimal cluster number, where the number of sub-clusters at which the validity index is minimal is the optimal cluster number; determining the optimal clustering result from the optimal cluster number; and performing intrusion detection according to the optimal clustering result.
The cyberspace intrusion detection method of this embodiment obtains network packets; determines and deletes the isolated points among them, i.e. the abnormal network data, to obtain a new set of network packets; clusters the new set into several sub-clusters; determines a validity index for the optimal cluster number, the number of sub-clusters at which the index is minimal being the optimal cluster number; determines the optimal clustering result from that number; and performs intrusion detection according to it. Applying this method to an intrusion detection system improves the system's detection efficiency and detection performance.
In a specific embodiment of the above method, determining and deleting the isolated points among the network packets to obtain a new set of network packets further includes:
computing, for each data object x_i in the packet set X, the sum of squared distances to the other data objects, SumDist(x_i), and the mean of these sums, avg(X), where x_i denotes the i-th data object in X;
comparing SumDist(x_i) with avg(X) for each data object in X; if SumDist(x_i) > avg(X), the data object is judged to be an isolated point and is deleted from X, giving the new packet set X'.
In this embodiment, the objects of intrusion detection are mainly the packets coming from the network. Most of them are normal and only a small fraction are abnormal; in order to obtain a library of normal data patterns quickly, the abnormal network data must first be rejected.
In this embodiment the abnormal network data are rejected quickly by an optimised isolated-point method, whose steps may include:
computing the Euclidean distances between the data objects in the packet set X to obtain a Euclidean distance matrix, and from this matrix computing the sum of squared distances SumDist(x_i) for each object and the mean avg(X) of these sums;
removing every data object x_i whose sum of squared distances SumDist(x_i) exceeds the mean avg(X), as an isolated point (this also removes noise points), to obtain a new packet set X'.
In this embodiment, rejecting the influence of isolated points and noise points by the optimised isolated-point method can improve the performance of the subsequent clustering algorithm, reduce the number of clustering iterations, and help obtain a better partition.
In a specific embodiment of the above method, SumDist(x_i) is further expressed as:
where x_i denotes the i-th data object in the packet set X, x_j denotes the j-th data object in X, and N denotes the number of data objects in X.
In a specific embodiment of the above method, avg(X) is further expressed as:
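The isolated-point step S102 with the SumDist(x_i) > avg(X) rule of the claims, as an added example in Python that is not code from the patent. The packet "data objects" are constructed 2-D feature vectors (the page does not say which packet fields are used, so that is an assumption), and the function names are this example's own:

```python
"""Isolated-point removal by the SumDist(x_i) > avg(X) rule.
Added example, not code from the patent. The packet "data objects" are
constructed 2-D feature vectors; which packet fields feed them is an assumption."""
import math

# Constructed sample: five data objects forming one tight group plus two
# far-away objects that should be treated as isolated points.
SAMPLE_X = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0), (0.5, 0.5),
            (10.0, 10.0), (-9.0, -9.0)]
# The same tight group on its own, with no outliers at all.
CLEAN_X = SAMPLE_X[:5]


def sq_euclid(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((p - q) ** 2 for p, q in zip(a, b))


def sum_dist(X):
    """SumDist(x_i) = sum over j of d(x_i, x_j)^2, read off the pairwise distance matrix."""
    D = [[sq_euclid(a, b) for b in X] for a in X]
    return [sum(row) for row in D]


def remove_isolated_points(X):
    """Delete every x_i with SumDist(x_i) > avg(X); return (kept, removed, avg)."""
    sums = sum_dist(X)
    avg = sum(sums) / len(X)
    kept = [x for x, s in zip(X, sums) if s <= avg]
    removed = [x for x, s in zip(X, sums) if s > avg]
    return kept, removed, avg


def centroid_rule_removed(X):
    """Equivalent test: SumDist(x_i) > avg(X) holds exactly when the squared
    distance of x_i to the centroid exceeds the mean squared distance to the
    centroid (expand each SumDist(x_i) around the centroid to see this)."""
    n, dim = len(X), len(X[0])
    c = tuple(sum(x[d] for x in X) / n for d in range(dim))
    r2 = [sq_euclid(x, c) for x in X]
    mean_r2 = sum(r2) / n
    return [x for x, r in zip(X, r2) if r > mean_r2]


if __name__ == "__main__":
    kept, removed, avg = remove_isolated_points(SAMPLE_X)
    print("avg(X) =", avg, "removed:", removed)
    kept2, removed2, _ = remove_isolated_points(CLEAN_X)
    print("clean data: kept", len(kept2), "removed", len(removed2))
```

On SAMPLE_X the rule deletes exactly the two distant objects. On CLEAN_X, which contains no outliers, it deletes four of the five objects, because avg(X) is a mean and not a robust bound: as centroid_rule_removed shows, the rule is equivalent to flagging every point whose squared distance to the centroid is above the average, which for any roughly symmetric cluster is a sizeable share of the normal data. Before using this step on real traffic a practitioner would calibrate the threshold (a multiple of the mean, or a high percentile of SumDist) rather than take the mean itself.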
In this embodiment, in order to obtain the library of normal data patterns, the new set of network packets must be clustered into several sub-clusters, and a validity index for the optimal cluster number is determined; the number of sub-clusters at which the index is minimal is the optimal cluster number, which gives the optimal clustering result, and intrusion detection is performed according to that result.
In a specific embodiment of the above method, clustering the new set of network packets to obtain several sub-clusters further includes:
generating a minimum spanning tree from the packet set X', sorting its edges by weight in descending order and deleting the k-1 heaviest edges to obtain k sub-clusters, where k denotes the number of sub-clusters;
computing the arithmetic mean of each sub-cluster as the initial cluster centre of that sub-cluster among the k sub-clusters.
In this embodiment a validity index for the optimal cluster number (the K value) is defined to improve the assessment of clustering results and, in turn, the efficiency and performance of intrusion detection. Specifically, an intra-class distance and an inter-class distance are set, and the validity index is defined from the two distances.
In this embodiment, let the new packet set be X' = {x_1, x_2, x_3, ..., x_n}, with p data objects clustered into classes S_i, S_i = {s_1, s_2, ..., s_k}; the intra-class distance Bet(S_i) is defined as the sum of the squared distances between any two data objects x, y in class S_i:
In this embodiment, with X' = {x_1, x_2, x_3, ..., x_n} and the classes S_i = {s_1, s_2, ..., s_k} as above, the inter-class distance Wit(S_i, S_j) is defined as the distance from class S_i to the other classes S_j:
In this embodiment BW is defined as the validity index, where m is a simplifying parameter:
In summary, the K-value validity index reflects the compactness within the clusters and the separation between them: for compact classes the intra-class distance should be as small as possible, and for well-separated classes the inter-class distance should be as large as possible. A linear combination balances the two; when BW is minimal, intra-class compactness and inter-class separation reach an equilibrium, the corresponding clustering is the optimal result, and the k at that point is the optimal cluster number K.
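Steps S103 and S104 (minimum-spanning-tree seeding of k-means and choice of k by the validity index), as an added example in Python that is not code from the patent. The page gives only verbal definitions, so the following are this example's assumptions: Bet(S_i) is the sum of squared distances over all unordered pairs in S_i; Wit(S_i, S_j) is the Euclidean distance between the class means; the inter-class term of a partition is the smallest Wit over all pairs of classes; BW = (sum of Bet over classes) - m * (smallest Wit), with m = 1; and the sample feature vectors are constructed.

```python
"""MST-seeded k-means and a within/between validity index for choosing k.
Added example, not code from the patent; see the lead-in for the assumptions."""
import math
from itertools import combinations

# Constructed sample: three tight groups of four feature vectors each, assumed
# to be already cleaned of isolated points (i.e. this is X').
SAMPLE_X = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0),
            (20.0, 0.0), (21.0, 0.0), (20.0, 1.0), (21.0, 1.0),
            (0.0, 20.0), (1.0, 20.0), (0.0, 21.0), (1.0, 21.0)]


def sq_dist(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))


def mean_point(points):
    return tuple(sum(p[d] for p in points) / len(points) for d in range(len(points[0])))


class UnionFind:
    """Disjoint sets, used both to build the MST and to read off its components."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]
            i = self.parent[i]
        return i

    def union(self, i, j):
        ri, rj = self.find(i), self.find(j)
        if ri == rj:
            return False
        self.parent[ri] = rj
        return True


def minimum_spanning_tree(X):
    """Kruskal's algorithm on the complete Euclidean graph; returns (weight, i, j) edges."""
    uf, tree = UnionFind(len(X)), []
    for w, i, j in sorted((math.sqrt(sq_dist(X[i], X[j])), i, j)
                          for i, j in combinations(range(len(X)), 2)):
        if uf.union(i, j):
            tree.append((w, i, j))
    return tree


def mst_initial_centers(X, k):
    """S103: sort MST edges by weight descending, delete the k-1 heaviest, and take
    the arithmetic mean of each of the k remaining components as an initial centre."""
    remaining = sorted(minimum_spanning_tree(X), reverse=True)[k - 1:]
    uf = UnionFind(len(X))
    for _, i, j in remaining:
        uf.union(i, j)
    groups = {}
    for idx, x in enumerate(X):
        groups.setdefault(uf.find(idx), []).append(x)
    return [mean_point(g) for g in groups.values()]


def kmeans(X, centers, max_iter=100):
    """Plain Lloyd iterations from the given initial centres; an empty cluster keeps its centre."""
    centers = list(centers)
    for _ in range(max_iter):
        clusters = [[] for _ in centers]
        for x in X:
            nearest = min(range(len(centers)), key=lambda c: sq_dist(x, centers[c]))
            clusters[nearest].append(x)
        updated = [mean_point(c) if c else centers[i] for i, c in enumerate(clusters)]
        if updated == centers:
            break
        centers = updated
    return clusters, centers


def bet(cluster):
    """Bet(S_i): sum of squared distances over all pairs of objects in S_i."""
    return sum(sq_dist(x, y) for x, y in combinations(cluster, 2))


def wit(center_i, center_j):
    """Wit(S_i, S_j): assumed here to be the distance between the class means."""
    return math.sqrt(sq_dist(center_i, center_j))


def bw_index(clusters, centers, m=1.0):
    """BW = within - m * between (assumed linear form); smaller is better."""
    within = sum(bet(c) for c in clusters)
    between = min(wit(a, b) for a, b in combinations(centers, 2))
    return within - m * between


def best_cluster_number(X, k_values, m=1.0):
    """S104: run MST-seeded k-means for each candidate k and return the k minimising BW."""
    scores = {}
    for k in k_values:
        clusters, centers = kmeans(X, mst_initial_centers(X, k))
        scores[k] = bw_index(clusters, centers, m)
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = best_cluster_number(SAMPLE_X, range(2, 6))
    print({k: round(v, 3) for k, v in scores.items()}, "-> optimal K =", best)
```

On the sample, deleting the two heaviest MST edges yields the three groups directly, k-means converges in one pass, and BW is minimal at k = 3. Two things to note when adapting this: because the within term shrinks and the between term changes scale as k grows, the value of m sets the trade-off and must be tuned to the feature scale (with m = 1 here, BW(3) = 24 - 20 = 4 while BW(4) is about 17 and BW(2) is several thousand); and the page does not say how the optimal clustering is turned into a per-packet verdict, so any scoring of a new feature vector against the resulting centres (for example by distance to the nearest centre) is an addition to, not part of, the patent's method.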
It should be noted that relational terms such as "first" and "second" are used here only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations.
The above are preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (9)

1. A cyberspace intrusion detection method, characterised in that it includes:
obtaining network packets;
determining and deleting the isolated points among the network packets to obtain a new set of network packets;
clustering the new set of network packets to obtain several sub-clusters;
determining a validity index for the optimal cluster number, where the number of sub-clusters at which the validity index is minimal is the optimal cluster number; determining the optimal clustering result from the optimal cluster number; and performing intrusion detection according to the optimal clustering result.
2. The cyberspace intrusion detection method according to claim 1, characterised in that determining and deleting the isolated points among the network packets to obtain a new set of network packets includes:
computing, for each data object x_i in the packet set X, the sum of squared distances to the other data objects, SumDist(x_i), and the mean of these sums, avg(X), where x_i denotes the i-th data object in X;
comparing SumDist(x_i) with avg(X) for each data object in X; if SumDist(x_i) > avg(X), the data object is judged to be an isolated point and is deleted from X, giving the new packet set X'.
3. The cyberspace intrusion detection method according to claim 2, characterised in that SumDist(x_i) is expressed as:
where x_i denotes the i-th data object in X, x_j denotes the j-th data object in X, and N denotes the number of data objects in X.
4. The cyberspace intrusion detection method according to claim 3, characterised in that avg(X) is expressed as:
5. The cyberspace intrusion detection method according to claim 1, characterised in that clustering the new set of network packets to obtain several sub-clusters includes:
generating a minimum spanning tree from the packet set X', sorting its edges by weight in descending order and deleting the k-1 heaviest edges to obtain k sub-clusters, where k denotes the number of sub-clusters;
computing the arithmetic mean of each sub-cluster as the initial cluster centre of that sub-cluster among the k sub-clusters.
6. The cyberspace intrusion detection method according to claim 1, characterised in that determining the validity index for the optimal cluster number includes:
determining the intra-class distance of the data objects;
determining the inter-class distance of the data objects;
determining the validity index for the optimal cluster number from the determined intra-class distance and inter-class distance.
7. The cyberspace intrusion detection method according to claim 6, characterised in that the new packet set is X' = {x_1, x_2, x_3, ..., x_n}, with p data objects clustered into classes S_i, S_i = {s_1, s_2, ..., s_k}, and the intra-class distance
8. The cyberspace intrusion detection method according to claim 7, characterised in that the inter-class distance Wit(S_i, S_j) is the distance from class S_i to the other classes S_j,
9. The cyberspace intrusion detection method according to claim 8, characterised in that the validity index for the optimal cluster number
where m is a simplifying parameter,

Priority Applications (1)

Application Number: CN201810450340.2A
Priority Date: 2018-05-11
Filing Date: 2018-05-11
Title: A kind of cyberspace intrusion detection method

Publications (1)

Publication Number: CN108696521A
Publication Date: 2018-10-23

Family

ID=63846278

Country Status (1)

CN: CN108696521A (A)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number, Priority date, Publication date, Assignee, Title
CN101859383A *, 2010-06-08, 2010-10-13, 河海大学 (Hohai University), Hyperspectral remote sensing image band selection method based on time sequence important point analysis
CN103714154A *, 2013-12-26, 2014-04-09, 西安理工大学 (Xi'an University of Technology), Method for determining optimum cluster number
CN106021361A *, 2016-05-10, 2016-10-12, 中国空间技术研究院 (China Academy of Space Technology), Sequence alignment-based self-adaptive application layer network protocol message clustering method
US20180041521A1 *, 2013-02-26, 2018-02-08, Palo Alto Networks, Inc., Malware domain detection using passive dns

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李红岩: "基于K-means的最佳聚类数确定方法研究" (Research on a method for determining the optimal number of clusters based on K-means), 《电脑知识与技术》 (Computer Knowledge and Technology) *
秦振涛: "一种新的最佳聚类数确定方法" (A new method for determining the optimal number of clusters), 《计算机技术与应用》 (Computer Technology and Application) *


Legal Events

Code, Title, Description
PB01, Publication, application publication date: 2018-10-23
SE01, Entry into force of request for substantive examination
RJ01, Rejection of invention patent application after publication