CN108696521A - A kind of cyberspace intrusion detection method
- Publication number: CN108696521A (application CN201810450340.2A)
- Authority: CN (China)
- Prior art keywords: network packet, intrusion detection, cyberspace, data object, distance
- Legal status (as listed by the patent office, not a legal conclusion): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/232—Non-hierarchical techniques
- G06F18/2321—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
- G06F18/23213—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
Abstract
The present invention provides a cyberspace intrusion detection method that can improve the detection efficiency and detection performance of an intrusion detection system. The method includes: obtaining network packets; determining the isolated points in the network packets and deleting them, obtaining new network packets; clustering the new network packets, obtaining several sub-clusters; and determining an optimal-cluster-number validity index, where the number of current sub-clusters at which the validity index is minimal is the optimal cluster number, the optimal clustering result is determined according to that optimal cluster number, and intrusion detection is performed according to the optimal clustering result. The present invention is suitable for cyberspace intrusion detection.
Description
Technical field
The present invention relates to the field of network security, and in particular to a cyberspace intrusion detection method.
Background technology
With the continuous development and growing influence of the internet, enormous changes have taken place in how people in contemporary society live, study and work. The "Internet Plus" strategy in particular has pushed internet applications to a new stage: every trade and profession is linked to the internet, and traditional industries have been filled with completely new elements. Because the internet is now closely tied to people's lives, internet information security has attracted worldwide attention; the security of information acquisition, transmission, processing and storage, and of the information itself, has become an important component of the internet. People's consumption patterns have also changed, shifting from traditional physical money to electronic money such as virtual currency and mobile payment. This requires us to strengthen the protection of network security and the safety of cyberspace.
As a proactive security technology, intrusion detection compensates for the deficiencies of conventional security technologies. An intrusion detection system (IDS) monitors computers and networks in real time and analyses them to find suspicious events, so that malicious attacks on systems and networks can be discovered quickly. IDSs fall into two types: host-based IDS (HIDS) and network-based IDS (NIDS).
The analysis object of a HIDS is the host audit log, so software must be installed on the host; different systems and different versions need different host engines, installation and configuration are relatively complex, and the operation and stability of the system can be affected.
The analysis object of a NIDS is the network data stream; it only needs to be attached to a listening port of the network and has no effect on the operation of the network. If a firewall is compared to a gate guard, an IDS is a camera running continuously in the network. An IDS collects network data continuously by bypass monitoring, without affecting the operation or performance of the network, and at the same time judges whether the data contains an attack attempt and alerts the administrator by various means. It can discover not only attacks from outside but also internal malicious behaviour. An IDS is therefore the second gate of network security and a necessary complement to the firewall; together they form a complete network security solution. An IDS can respond promptly after discovering an intrusion, including cutting off the network connection, recording the event and raising an alarm. Once intrusion behaviour is detected, the system takes appropriate measures (such as notifying the administrator or cutting off the network connection) to eliminate in time the harm to system security. As an important component of system security technology, intrusion detection receives increasing attention from governments and scholars.
In the prior art, however, cyberspace intrusion detection uses the ordinary k-means algorithm, which results in low detection efficiency and poor detection performance.
Invention content
The technical problem to be solved by the present invention is to provide a cyberspace intrusion detection method that solves the low detection efficiency and poor detection performance of the prior art.
To solve the above technical problem, an embodiment of the present invention provides a cyberspace intrusion detection method, including:
obtaining network packets;
determining the isolated points in the network packets and deleting them, obtaining new network packets;
clustering the obtained new network packets, obtaining several sub-clusters;
determining an optimal-cluster-number validity index, where the number of current sub-clusters at which the validity index is minimal is the optimal cluster number; determining the optimal clustering result according to the optimal cluster number; and performing intrusion detection according to the optimal clustering result.
Further, determining the isolated points in the network packets and deleting them, obtaining new network packets, includes:
calculating, for each data object x_i in the network packet set X, the sum of squared distances SumDist(x_i) to the data objects of X, and the mean avg(X) of these sums of squared distances, where x_i denotes the i-th data object in X;
for each data object in X, comparing its SumDist(x_i) with avg(X); if SumDist(x_i) > avg(X), the data object is judged to be an isolated point and is deleted from X, obtaining the new network packet set X'.
Further, SumDist(x_i) is expressed as:
where x_i denotes the i-th data object in X, x_j denotes the j-th data object in X, and N denotes the number of data objects in X.
Further, avg(X) is expressed as:
Further, clustering the obtained new network packets, obtaining several sub-clusters, includes:
generating a minimum spanning tree from the network packet set X', sorting its branches by weight in descending order and deleting k-1 branches, obtaining k sub-clusters, where k denotes the number of sub-clusters;
calculating the arithmetic mean of each sub-cluster as the initial cluster centre of that one of the k sub-clusters.
Further, determining the optimal-cluster-number validity index includes:
determining the within-class distance of the data objects;
determining the between-class distance of the data objects;
determining the optimal-cluster-number validity index according to the distance sum of the determined within-class distance and between-class distance of the data objects.
Further, let the obtained new network packet set be X' = {x_1, x_2, x_3, ..., x_n}, of which p data objects are clustered into the class S_i, S_i = {s_1, s_2, ..., s_k}; the within-class distance is
Further, the between-class distance Wit(S_i, S_j) is the distance from the class S_i to another class S_j,
Further, the optimal-cluster-number validity index is
where m is a shorthand parameter,
The above technical solution of the present invention has the following beneficial effects:
In the above solution, network packets are obtained; the isolated points in the network packets are determined and deleted, that is, abnormal network data are deleted, obtaining new network packets; the new network packets are clustered to obtain several sub-clusters; an optimal-cluster-number validity index is determined, the number of current sub-clusters at which the validity index is minimal being the optimal cluster number; the optimal clustering result is determined according to that optimal cluster number, and intrusion detection is performed according to the optimal clustering result. Applying the cyberspace intrusion detection method of this embodiment to an intrusion detection system can improve the detection efficiency and detection performance of the intrusion detection system.
Description of the drawings
Fig. 1 is a flow diagram of the cyberspace intrusion detection method provided in an embodiment of the present invention.
Specific implementation mode
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawing and specific embodiments.
The present invention provides a cyberspace intrusion detection method for the problem of low detection efficiency and poor detection performance in the prior art.
As shown in Fig. 1, the cyberspace intrusion detection method provided in an embodiment of the present invention includes:
S101: obtaining network packets;
S102: determining the isolated points in the network packets and deleting them, obtaining new network packets;
S103: clustering the obtained new network packets, obtaining several sub-clusters;
S104: determining an optimal-cluster-number validity index, where the number of current sub-clusters at which the validity index is minimal is the optimal cluster number; determining the optimal clustering result according to the optimal cluster number; and performing intrusion detection according to the optimal clustering result.
The cyberspace intrusion detection method of the embodiment of the present invention obtains network packets; determines and deletes the isolated points in the network packets, that is, deletes abnormal network data, obtaining new network packets; clusters the obtained new network packets to obtain several sub-clusters; determines an optimal-cluster-number validity index, the number of current sub-clusters at which the validity index is minimal being the optimal cluster number; determines the optimal clustering result according to that optimal cluster number; and performs intrusion detection according to the optimal clustering result. Applying the cyberspace intrusion detection method of this embodiment to an intrusion detection system can improve the detection efficiency and detection performance of the intrusion detection system.
In a specific implementation of the aforementioned cyberspace intrusion detection method, further, determining the isolated points in the network packets and deleting them, obtaining new network packets, includes:
calculating, for each data object x_i in the network packet set X, the sum of squared distances SumDist(x_i) to the data objects of X, and the mean avg(X) of these sums of squared distances, where x_i denotes the i-th data object in X;
for each data object in X, comparing its SumDist(x_i) with avg(X); if SumDist(x_i) > avg(X), the data object is judged to be an isolated point and is deleted from X, obtaining the new network packet set X'.
In this embodiment, the objects of intrusion detection are mainly packets coming from the network; most of the data in them are normal and only a small fraction are abnormal. In order to obtain a library of normal data patterns quickly, abnormal network data need to be removed first.
In this embodiment, abnormal network data are removed quickly by way of an optimised isolated-point method, whose steps may include:
calculating the Euclidean distances between the data objects in the network packet set X to obtain a Euclidean distance matrix, and then, from that matrix, calculating the sum of squared distances SumDist(x_i) for each data object and the mean avg(X) of those sums;
removing every data object x_i whose sum of squared distances SumDist(x_i) exceeds the mean avg(X), which removes isolated points (and also noise points), obtaining a new network packet set X'.
In this embodiment, removing the influence of isolated points and noise points by the optimised isolated-point method can improve the clustering performance of the clustering algorithm that follows, reduce the number of clustering iterations, and help obtain a better partition clustering result.
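As an added example (not code from the patent), the isolated-point removal described above, implemented in Python on a constructed set of ten two-dimensional packet feature vectors; it also adds an O(N) centroid-based form of the same rule, which is an observation of this example rather than something the patent states.

```python
import math
from typing import List, Tuple

Point = Tuple[float, ...]

# Constructed sample (not from the patent): eight packets with similar scaled
# features such as duration and byte count, plus two that lie far from the rest.
PACKETS: List[Point] = [
    (1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.3),
    (0.9, 0.7), (1.3, 1.2), (0.7, 0.8), (1.0, 1.4),
    (50.0, 50.0), (60.0, -40.0),
]


def sqdist(a: Point, b: Point) -> float:
    return sum((p - q) ** 2 for p, q in zip(a, b))


def distance_matrix(points: List[Point]) -> List[List[float]]:
    """Pairwise Euclidean distances: the matrix the method computes first."""
    return [[math.sqrt(sqdist(a, b)) for b in points] for a in points]


def sum_dist(dist: List[List[float]]) -> List[float]:
    """SumDist(x_i): sum over j of the squared distance between x_i and x_j."""
    return [sum(d * d for d in row) for row in dist]


def avg(sum_dists: List[float]) -> float:
    """avg(X): mean of SumDist over the N data objects."""
    return sum(sum_dists) / len(sum_dists)


def remove_isolated_points(points: List[Point]):
    """One pass, as the method describes: every object with SumDist(x_i) > avg(X)
    is an isolated point and is deleted. Returns (X', deleted points)."""
    s = sum_dist(distance_matrix(points))
    threshold = avg(s)
    kept = [p for p, v in zip(points, s) if v <= threshold]
    dropped = [p for p, v in zip(points, s) if v > threshold]
    return kept, dropped


def isolated_by_centroid(points: List[Point]) -> List[Point]:
    """O(N) form of the same rule (an observation added here, not from the patent).
    With centroid mu, SumDist(x_i) = N*|x_i-mu|^2 + sum_j |x_j-mu|^2 and
    avg(X) = 2*sum_j |x_j-mu|^2, so SumDist(x_i) > avg(X) holds exactly when
    |x_i-mu|^2 exceeds the mean squared distance of all objects from mu."""
    n = len(points)
    mu = tuple(sum(c) / n for c in zip(*points))
    dev = [sqdist(p, mu) for p in points]
    mean_dev = sum(dev) / n
    return [p for p, v in zip(points, dev) if v > mean_dev]
```

Because the threshold is the mean of SumDist, the pass removes every object whose squared distance from the centroid is above average, which on data without far outliers can be a large share of the set; it is meant to run once, before clustering, not repeatedly.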
In a specific implementation of the aforementioned cyberspace intrusion detection method, further, SumDist(x_i) is expressed as:
where x_i denotes the i-th data object in X, x_j denotes the j-th data object in X, and N denotes the number of data objects in X.
In a specific implementation of the aforementioned cyberspace intrusion detection method, further, avg(X) is expressed as:
In this embodiment, to obtain the library of normal data patterns, the obtained new network packets need to be clustered and partitioned to obtain several sub-clusters, and the optimal-cluster-number validity index is determined; the number of current sub-clusters at which the validity index is minimal is the optimal cluster number, from which the optimal clustering result is obtained, and intrusion detection is performed according to the optimal clustering result.
In a specific implementation of the aforementioned cyberspace intrusion detection method, further, clustering the obtained new network packets, obtaining several sub-clusters, includes:
generating a minimum spanning tree from the network packet set X', sorting its branches by weight in descending order and deleting k-1 branches, obtaining k sub-clusters, where k denotes the number of sub-clusters;
calculating the arithmetic mean of each sub-cluster as the initial cluster centre of that one of the k sub-clusters.
In this embodiment, an optimal-cluster-number (K value) validity index is defined to improve the assessment of the clustering result and, in turn, the efficiency and performance of intrusion detection. Specifically, a within-class distance and a between-class distance are set, and the validity index is defined through the distance sum of the within-class distance and the between-class distance.
In this embodiment, let the obtained new network packet set be X' = {x_1, x_2, x_3, ..., x_n}, of which p data objects are clustered into the class S_i, S_i = {s_1, s_2, ..., s_k}; the within-class distance Bet(S_i) is defined as the sum of the squared distances between any two data objects x, y in the class S_i:
In this embodiment, let the obtained new network packet set be X' = {x_1, x_2, x_3, ..., x_n}, of which p data objects are clustered into the class S_i, S_i = {s_1, s_2, ..., s_k}; the between-class distance Wit(S_i, S_j) is defined as the distance from the class S_i to another class S_j:
In this embodiment, BW is defined as the validity index:
where m is a shorthand parameter,
In summary, the K-value validity index reflects the compactness within the classes and the separation between the classes of the cluster structure: for the classes to be compact, the within-class distance should be as small as possible; for the classes to be separated, the between-class distance should be as large as possible. A linear combination is used to balance the two. When BW is minimal, a balance between compactness within classes and separation between classes is reached; this corresponds to the optimal clustering result, and the k value at that point is the optimal cluster number K.
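As an added example (not the patent's code), the clustering step of claim 5 and the validity-index selection described above, in Python on a constructed set of twelve feature vectors in three groups: Kruskal's minimum spanning tree, deletion of the k-1 heaviest branches, arithmetic means as initial centres, k-means refinement, and the choice of the k at which BW is minimal. Because the page does not reproduce its formulas, Wit(S_i,S_j) is assumed here to be the distance between class centroids and the between-class term of BW is assumed to be the closest pair of centres; `kmeans`, `select_k` and the value `m = 2.0` are this example's choices.

```python
import math
from itertools import combinations

# Constructed sample (not from the patent): three tight groups of four packet
# feature vectors each, at least 19 units apart, so the true cluster count is 3.
POINTS = [(x + dx, y + dy) for x, y in ((0.0, 0.0), (20.0, 0.0), (0.0, 20.0))
          for dx in (0.0, 1.0) for dy in (0.0, 1.0)]

def sqdist(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))

def centroid(members):
    return tuple(sum(c) / len(members) for c in zip(*members))

class DisjointSet:
    """Union-find, used by Kruskal's MST and to read off the forest's components."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, u):
        while self.parent[u] != u:
            self.parent[u] = self.parent[self.parent[u]]
            u = self.parent[u]
        return u

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True

def mst_edges(points):
    """Kruskal: minimum spanning tree of the complete Euclidean graph, as (weight, i, j)."""
    ds = DisjointSet(len(points))
    edges = sorted((math.sqrt(sqdist(points[i], points[j])), i, j)
                   for i, j in combinations(range(len(points)), 2))
    return [e for e in edges if ds.union(e[1], e[2])]

def mst_initial_centers(points, k):
    """Sort branches by weight descending, delete the k-1 heaviest, and take the
    arithmetic mean of each of the k remaining components as an initial centre."""
    forest = sorted(mst_edges(points), reverse=True)[k - 1:]
    ds = DisjointSet(len(points))
    for _, i, j in forest:
        ds.union(i, j)
    groups = {}
    for idx, p in enumerate(points):
        groups.setdefault(ds.find(idx), []).append(p)
    return [centroid(g) for g in groups.values()]

def kmeans(points, centers, max_iter=50):
    """Plain k-means refinement starting from the MST-derived centres."""
    for _ in range(max_iter):
        labels = [min(range(len(centers)), key=lambda c: sqdist(p, centers[c])) for p in points]
        new = []
        for c, old in enumerate(centers):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append(centroid(members) if members else old)  # keep an emptied centre
        if new == centers:
            break
        centers = new
    return labels, centers

def bet(members):
    """Within-class distance Bet(S_i): sum of squared distances over all pairs in S_i."""
    return sum(sqdist(x, y) for x, y in combinations(members, 2))

def bw(points, labels, centers, m):
    """Validity index BW = sum_i Bet(S_i) - m * separation. Assumed forms: Wit(S_i,S_j) is
    the distance between centroids and separation is the closest pair of centres."""
    within = sum(bet([p for p, l in zip(points, labels) if l == c]) for c in range(len(centers)))
    seps = [math.sqrt(sqdist(a, b)) for a, b in combinations(centers, 2)]
    return within - m * (min(seps) if seps else 0.0)

def select_k(points, k_max, m):
    """Optimal cluster number K: the k in 1..k_max at which BW is minimal."""
    scores = {}
    for k in range(1, k_max + 1):
        labels, centers = kmeans(points, mst_initial_centers(points, k))
        scores[k] = bw(points, labels, centers, m)
    return min(scores, key=scores.get)
```

With the closest-pair form, splitting one tight group for k = 4 or more collapses the between-class term, so BW rises again after k = 3; the value of m sets how strongly separation is weighed against compactness.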
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations.
The above are preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.
Claims (9)
1. A cyberspace intrusion detection method, characterised in that it includes:
obtaining network packets;
determining the isolated points in the network packets and deleting them, obtaining new network packets;
clustering the obtained new network packets, obtaining several sub-clusters;
determining an optimal-cluster-number validity index, where the number of current sub-clusters at which the validity index is minimal is the optimal cluster number; determining the optimal clustering result according to the optimal cluster number; and performing intrusion detection according to the optimal clustering result.
2. The cyberspace intrusion detection method according to claim 1, characterised in that determining the isolated points in the network packets and deleting them, obtaining new network packets, includes:
calculating, for each data object x_i in the network packet set X, the sum of squared distances SumDist(x_i) to the data objects of X, and the mean avg(X) of these sums of squared distances, where x_i denotes the i-th data object in X;
for each data object in X, comparing its SumDist(x_i) with avg(X); if SumDist(x_i) > avg(X), the data object is judged to be an isolated point and is deleted from X, obtaining the new network packet set X'.
3. The cyberspace intrusion detection method according to claim 2, characterised in that SumDist(x_i) is expressed as:
where x_i denotes the i-th data object in X, x_j denotes the j-th data object in X, and N denotes the number of data objects in X.
4. The cyberspace intrusion detection method according to claim 3, characterised in that avg(X) is expressed as:
5. The cyberspace intrusion detection method according to claim 1, characterised in that clustering the obtained new network packets, obtaining several sub-clusters, includes:
generating a minimum spanning tree from the network packet set X', sorting its branches by weight in descending order and deleting k-1 branches, obtaining k sub-clusters, where k denotes the number of sub-clusters;
calculating the arithmetic mean of each sub-cluster as the initial cluster centre of that one of the k sub-clusters.
6. The cyberspace intrusion detection method according to claim 1, characterised in that determining the optimal-cluster-number validity index includes:
determining the within-class distance of the data objects;
determining the between-class distance of the data objects;
determining the optimal-cluster-number validity index according to the distance sum of the determined within-class distance and between-class distance of the data objects.
7. The cyberspace intrusion detection method according to claim 6, characterised in that the obtained new network packet set is X' = {x_1, x_2, x_3, ..., x_n}, of which p data objects are clustered into the class S_i, S_i = {s_1, s_2, ..., s_k}, and the within-class distance is
8. The cyberspace intrusion detection method according to claim 7, characterised in that the between-class distance Wit(S_i, S_j) is the distance from the class S_i to another class S_j,
9. The cyberspace intrusion detection method according to claim 8, characterised in that the optimal-cluster-number validity index is
where m is a shorthand parameter,
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810450340.2A CN108696521A (en) | 2018-05-11 | 2018-05-11 | A kind of cyberspace intrusion detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108696521A true CN108696521A (en) | 2018-10-23 |
Family ID: 63846278
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101859383A (en) * | 2010-06-08 | 2010-10-13 | 河海大学 | Hyperspectral remote sensing image band selection method based on time sequence important point analysis |
CN103714154A (en) * | 2013-12-26 | 2014-04-09 | 西安理工大学 | Method for determining optimum cluster number |
CN106021361A (en) * | 2016-05-10 | 2016-10-12 | 中国空间技术研究院 | Sequence alignment-based self-adaptive application layer network protocol message clustering method |
US20180041521A1 (en) * | 2013-02-26 | 2018-02-08 | Palo Alto Networks, Inc. | Malware domain detection using passive dns |
Non-Patent Citations (2)
Title |
---|
李红岩: "Research on a method for determining the optimal number of clusters based on K-means", 《电脑知识与技术》 * |
秦振涛: "A new method for determining the optimal number of clusters", 《计算机技术与应用》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181023 |