Netinfo Security ›› 2020, Vol. 20 ›› Issue (2): 14-21. doi: 10.3969/j.issn.1671-1122.2020.02.003


Network Intrusion Detection Based on Improved MajorClust Clustering

LUO Wenhua, XU Caidian

  1. Cyber Crime Investigation Department, Criminal Investigation Police University of China, Shenyang 110035, China
  • Received: 2019-08-15 Online: 2020-02-10 Published: 2020-05-11
  • About the authors:

    LUO Wenhua (born 1977), male, from Liaoning, professor, master's degree; main research interests: information network security and electronic data forensics. XU Caidian (born 1995), male, from Guangdong, master's student; main research interests: information network security and electronic data forensics.

  • Funding:
    National Key R&D Program of China [2018YFC0830600]; Ministry of Public Security Technology Research Program (Key) [2017JSYJA10]; Criminal Investigation Police University of China Graduate Innovation Ability Enhancement Project [2019YCYB21]

Abstract:

Supervised intrusion detection algorithms cannot train an accurate detection model for network connections that carry no class labels or whose identifying features are not distinctive. This paper therefore proposes an unsupervised intrusion detection algorithm based on an improved MajorClust clustering algorithm, which adapts dynamically to the intrinsic relationships in network intrusion behavior data and detects intrusions automatically and efficiently. The improved MajorClust algorithm takes the point with the smallest sum of unclustered adjacent edges as the initial cluster center. Based on the distribution of distances between the cluster center and the other nodes, it fits the spatial distribution curve of the points by the least squares method, uses the inflection point value of the curve as the clustering radius, and abstracts each cluster into a node for further clustering iterations, thereby achieving automatic clustering and optimization of network behavior data. The paper builds unsupervised intrusion detection models with the improved MajorClust, k-means and DBSCAN algorithms and, after optimization, uses the NSL-KDD dataset to analyze and compare their detection results. The experimental results show that the improved MajorClust algorithm has a fairly significant advantage in intrusion detection performance and stability of results.

Key words: intrusion detection, MajorClust, NSL-KDD, inflection radius
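The center selection and inflection-radius step described in the abstract, as an added example that is not the authors' code. It assumes Euclidean distance, a cubic least-squares fit over the rank-ordered distances, and a fallback to the largest distance when the fit has no inflection in range; the feature vectors are constructed, and the later step of re-clustering clusters as nodes is left out.

```python
import math

def fit_cubic(xs, ys):
    """Least-squares cubic c0 + c1*x + c2*x^2 + c3*x^3 via the normal equations."""
    m = [[sum(x ** (i + j) for x in xs) for j in range(4)]
         + [sum(y * x ** i for x, y in zip(xs, ys))] for i in range(4)]
    for col in range(4):                       # Gauss-Jordan with partial pivoting
        piv = max(range(col, 4), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(4):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [m[i][4] / m[i][i] for i in range(4)]

def inflection_radius(sorted_dists):
    """Clustering radius = fitted distance at the inflection of the rank/distance curve."""
    n = len(sorted_dists)
    if n < 4:                                  # too few points for a cubic (assumed fallback)
        return sorted_dists[-1] if n else 0.0
    xs = [2 * i / (n - 1) - 1 for i in range(n)]   # ranks rescaled to [-1, 1]
    c0, c1, c2, c3 = fit_cubic(xs, sorted_dists)
    if abs(c3) < 1e-12:                        # curve is not cubic: no inflection
        return sorted_dists[-1]
    x = -c2 / (3 * c3)                         # zero of the second derivative
    if not -1 <= x <= 1:                       # inflection outside the data range
        return sorted_dists[-1]
    return c0 + c1 * x + c2 * x ** 2 + c3 * x ** 3

def first_cluster(points):
    """Center = point with the smallest summed distance to all unclustered points;
    members = every point within the inflection radius of that center."""
    ci = min(range(len(points)),
             key=lambda i: sum(math.dist(points[i], q) for q in points))
    center = points[ci]
    dists = sorted(math.dist(center, q) for j, q in enumerate(points) if j != ci)
    radius = inflection_radius(dists)
    members = [q for q in points if math.dist(center, q) <= radius]
    return center, radius, members

# Constructed sample: two scaled features per connection, a dense group near the
# origin (ordinary traffic) and three distant connections (candidate anomalies).
SAMPLE = [(0, 0), (1, 0), (0, 2), (-3, 0), (9, 0), (0, -10), (-11, 0)]

if __name__ == "__main__":
    print(first_cluster(SAMPLE))
```

On this sample the fitted curve rises most steeply between the third and fourth nearest neighbors, so the radius falls in the gap between the dense group and the distant points.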

CLC number: