基于一致性预测算法的内网日志检测模型

doi:10.3969/j.issn.1671-1122.2020.03.006

信息网络安全 ›› 2020, Vol. 20 ›› Issue (3): 45-50.doi: 10.3969/j.issn.1671-1122.2020.03.006

基于一致性预测算法的内网日志检测模型

顾兆军¹, 任怡彤^1,²(), 刘春波¹, 王志³

1.中国民航大学信息安全测评中心,天津 300300
2.中国民航大学计算机科学与技术学院,天津 300300
3.南开大学人工智能学院,天津 300071

收稿日期:2019-09-25 出版日期:2020-03-10 发布日期:2020-05-11
作者简介:
作者简介：顾兆军（1966—）,男,山东,教授,博士,主要研究方向为网络与信息安全、民航信息系统;任怡彤（1995—）,女,天津,硕士研究生,主要研究方向为网络与信息安全;刘春波（1976—）,男,天津,讲师,硕士,主要研究方向为计算机技术与网络安全;王志（1982—）,男,河北,副教授,博士,主要研究方向为大数据与网络安全。
基金资助:
国家自然科学基金[61601467,U1533104];民航科技项目[MHRD20140205,MHRD20150233];民航安全能力建设项目[PESA170003,PDSA2018079]

Intranet Log Anomaly Detection Model Based on Conformal Prediction

GU Zhaojun¹, REN Yitong^1,²(), LIU Chunbo¹, WANG Zhi³

1. Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China, Tianjin 00300, China
2. Institute of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
3. Collage of Artificial Intelligence, Nankai University, Tianjin 300071, China

Received:2019-09-25 Online:2020-03-10 Published:2020-05-11

摘要/Abstract

摘要：

机器学习是网络安全威胁检测系统的薄弱环节。不断进化的网络攻击利用数据的概念漂移躲避机器学习检测,导致检测模型随时间不断退化。文章通过一致性度量的统计学习方法,缓解基于日志分析的内网安全威胁检测模型的退化问题。相比于基于静态阈值的检测方法,一致性度量的统计学习方法可以动态适应不断进化的安全攻击,感知底层数据的概念漂移,缓解模型退化问题。文章实现了一个基于日志分析的内网安全检测模型,在HDFS数据集上有效发现了概念漂移趋势,缓解了模型退化。

关键词: HDFS, 异常检测, 一致性预测, 混淆矩阵

Abstract:

Machine learning is the weakest link in cybersecurity threat detection systems. Evolving cybersecurity attacks exploit the conceptual drift of data to evade machine learning detection, causing detection models to degrade over time. In this paper, the statistical learning method of consistency metrics is used to alleviate the degradation problem of intranet security threat detection model based on log analysis. Compared with the static threshold-based detection method, the statistical learning method of consistency metric can dynamically adapt to the evolving security attack, perceive the conceptual drift of the underlying data, and alleviate the model degradation problem. This paper implements an internal network security detection model based on log analysis, effectively discovering the concept drift trend on the HDFS data set and alleviating the model degradation.

Key words: HDFS, anomly detection, conformal prediction, confusion matrix

中图分类号:

TP309

顾兆军, 任怡彤, 刘春波, 王志. 基于一致性预测算法的内网日志检测模型[J]. 信息网络安全, 2020, 20(3): 45-50.

GU Zhaojun, REN Yitong, LIU Chunbo, WANG Zhi. Intranet Log Anomaly Detection Model Based on Conformal Prediction[J]. Netinfo Security, 2020, 20(3): 45-50.

图/表 8

图1

表1

图2

图3

表2

表3

表4

表5

参考文献 18

[1]	VAARANDI R.A Data Clustering Algorithm for Mining Patterns from Event Logs[C]//IEEE. 3rd IEEE Workshop on IP Operations & Management, October 3, 2003, Kansas City, MO, USA. New Jersey: IEEE, 2003: 119-126.
[2]	VAARANDI R, PIHELGAS M.LogCluster-A Data Clustering and Pattern Mining Algorithm for Event Logs[C]//IEEE. 11th International Conference on Network and Service Management, November 9-13, 2015, Barcelona, Spain. New Jersey: IEEE, 2015: 1-7.
[3]	NAGAPPAN M, VOUK M A.Abstracting Log Lines to Log Event Types for Mining Software System Logs[C]//IEEE. 7th IEEE Working Conference on Mining Software Repositories, May 2-3 2010, Cape Town, South Africa. New Jersey: 2010: 114-117.
[4]	LIANG Tang, LI Tao, PERNG C S.LogSig: Generating System Events from Raw Textual Logs[C]//ACM. 20th ACM International Conference on Information and Knowledge Management, October 24-28, 2011, Glasgow, Scotland, UK. New York: ACM, 2011: 785-794.
[5]	HAMOONI H, DEBNATH B, XU J, et al.LogMine: Fast Pattern Recognition for Log Analytics[C]//ACM. 25th ACM International on Conference on Information and Knowledge Management, October 24-28, 2016, Indianapolis, IN, USA. ACM: New York: 2016: 1573-1582.
[6]	JIANG Zhenming, HASSAN A E, FLORA P, et al.Abstracting Execution Logs to Execution Events for Enterprise Applications(Short Paper)[C]//IEEE. 8th International Conference on Quality Software, August 12-13, 2008, Oxford, UK. New Jersey: IEEE, 2008: 181-186.
[7]	MAKANJU A, ZINCIRHEYWOOD A N, MILIOS E E.A Lightweight Algorithm for Message Type Extraction in System Application Logs[J]. IEEE Transactions on Knowledge and Data Engineering, 2012, 11(24): 1921-1936.
[8]	ZONG B, Song Qi, Min M R, et al. Deep Autoencoding Gaussian Mixture Model for Unsupervised Anomaly Detection[EB/OL]. , 2019-5-11.
[9]	ANGIULLI F, PIZZUTI C.Fast Outlier Detection in High Dimensional Spaces[C]//ACM. 6th European Conference on Principles of Data Mining and Knowledge Discovery, August 19-23, 2002, Helsinki, Finland. New York: ACM, 2002: 15-27.
[10]	ZIMEK A, SCHUBERT E, KRIEGEL H P.A Survey on Unsupervised Outlier Detection in High-dimensional Numerical Data[J]. Statistical Analysis and Data Mining: The ASA Data Science Journal, 2012, 5(5): 363-387.
[11]	PANG Guangsong, CAO Longbing, CHEN Ling, et al.Learning Representations of Ultrahigh-dimensional Data for Random Distance-based Outlier Detection[C]//ACM. 24th ACM SIGKDD International Conference on Knowledge Discovery and Data mining, August 19-23, 2018, London, UK. New York: ACM, 2018: 2041-2050.
[12]	BREUNIG M M, KRIEGEL H P, NG R T, et al.LOF: Identifying Density-based Local Outliers[C]//ACM. 2000 ACM SIGMOD International Conference on Management of Data, May 16-18, 2000, Dallas, Texas, USA. New York: ACM, 2000: 93-104.
[13]	RAMASWAMY S, RASTOGI R, SHIM K.Efficient Algorithms for Mining Outliers from Large Data Sets[J]. ACM SIGMOD Record, 2000, 29(2): 427-438.
[14]	DU Min, LI Feifei, ZHENG Guineng, et al.DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning[C]//ACM. 2017 ACM SIGSAC Conference, October 30-November 3, 2017, Dallas, TX, USA. New York: ACM, 2017: 1285-1298.
[15]	GAMA J, ŽLIOBAITĖ I, BIFET A, et al.A Survey on Concept Drift Adaptation[J]. ACM Computing Surveys, 2014, 46(4): 1-37.
[16]	KANTCHELIAN A, AFROZ S, HUANG L, et al.Approaches to Adversarial Drift[C]//ACM. ACM Workshop on Artificial Intelligence & Security, November 4, 2013, New York, USA. New York: ACM, 2013: 99-110.
[17]	THOMAS K, GRIER C, MA J, et al.Design and Evaluation of a Real-time URL Spam Filtering Service[C]//IEEE. 32nd IEEE Symposium on Security and Privacy, May 22-25, 2011, Berkeley, California, USA. New Jersey: IEEE, 2011: 447-462.
[18]	VOVK V, GAMMERMAN A, SHAFER, G. Algorithmic Learning in a Random World[EB/OL]. , 2019-6-12.

文本日志	结构化日志	block_id	事件id
PacketResponder 1 for block blk_16 terminating	PacketResponder <> for block <> terminating	16	E1
Verification succeeded for blk_490	Verification succeeded for <*>	490	E2
Verification succeeded for blk_16	Verification succeeded for <*>	16	E2

方法	基于阈值	基于p值
TP	113094	113151
TN	1616	1616
FP	59	59
FN	134	77

方法	基于阈值	基于p值
Accuracy	0.998	0.999
Precision	0.923	0.955
Recall	0.965	0.965
F1	0.944	0.960

方法	基于阈值	基于p值
TP	113228	113228
TN	1606	1664
FP	69	11
FN	0	0

方法	基于阈值	基于p值
Accuracy	0.999	1.0
Precision	1.0	1.0
Recall	0.959	0.993
F1	0.979	0.997

基于一致性预测算法的内网日志检测模型

Intranet Log Anomaly Detection Model Based on Conformal Prediction

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 18

相关文章 15

编辑推荐

Metrics

本文评价

[1]	陆佳丽. 基于改进时间序列模型的日志异常检测方法[J]. 信息网络安全, 2020, 20(9): 1-5.
[2]	黄娜, 何泾沙, 吴亚飚, 李建国. 基于LSTM回归模型的内部威胁检测方法[J]. 信息网络安全, 2020, 20(9): 17-21.
[3]	王伟, 沈旭东. 基于实例的迁移时间序列异常检测算法研究[J]. 信息网络安全, 2019, 19(3): 11-18.
[4]	杨威超, 郭渊博, 钟雅, 甄帅辉. 基于设备型号分类和BP神经网络的物联网流量异常检测[J]. 信息网络安全, 2019, 19(12): 53-63.
[5]	朱海麒, 姜峰. 人工智能时代面向运维数据的异常检测技术研究与分析[J]. 信息网络安全, 2019, 19(11): 24-35.
[6]	邓海莲, 刘宇靖, 葛一漩, 苏金树. 域间路由异常检测技术研究[J]. 信息网络安全, 2019, 19(11): 63-70.
[7]	李巍, 狄晓晓, 王迪, 李云春. 基于子图的服务器网络行为建模及异常检测方法研究[J]. 信息网络安全, 2018, 18(2): 1-9.
[8]	何利, 姚元辉. 基于上下文聚类的云虚拟机异常检测与识别策略[J]. 信息网络安全, 2018, 18(12): 54-65.
[9]	赵刚, 姚兴仁. 基于用户画像的异常行为检测模型[J]. 信息网络安全, 2017, 17(7): 18-24.
[10]	吴鑫, 严岳松, 刘晓然. 基于改进HMM的程序行为异常检测方法[J]. 信息网络安全, 2016, 16(9): 108-112.
[11]	杨连群, 温晋英, 刘树发, 王峰. 一种改进的图分割算法在用户行为异常检测中的应用[J]. 信息网络安全, 2016, 16(6): 35-40.
[12]	何明亮, 陈泽茂, 左进. 基于多窗口机制的聚类异常检测算法[J]. 信息网络安全, 2016, 16(11): 33-39.
[13]	刘汝隽, 辛阳. 网络安全数据可视分析系统的设计与实现[J]. 信息网络安全, 2016, 16(11): 40-44.
[14]	汤健, 孙春来, 毛克峰, 贾美英. 基于主元分析和互信息维数约简策略的网络入侵异常检测[J]. 信息网络安全, 2015, 15(9): 78-83.
[15]	李凌云, 敖吉, 乔治, 李剑. 基于微博的安全事件实时监测框架研究[J]. 信息网络安全, 2015, 15(1): 16-23.