Netinfo Security (信息网络安全) ›› 2020, Vol. 20 ›› Issue (3): 45-50. doi: 10.3969/j.issn.1671-1122.2020.03.006

• Technical Research •

Intranet Log Detection Model Based on the Conformal Prediction Algorithm

GU Zhaojun1, REN Yitong1,2, LIU Chunbo1, WANG Zhi3

  1. Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China, Tianjin 300300, China
    2. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
    3. College of Artificial Intelligence, Nankai University, Tianjin 300071, China
  • Received: 2019-09-25 Online: 2020-03-10 Published: 2020-05-11
  • About the authors:

    GU Zhaojun (born 1966), male, from Shandong, professor, Ph.D.; main research interests: network and information security, civil aviation information systems. REN Yitong (born 1995), female, from Tianjin, master's student; main research interest: network and information security. LIU Chunbo (born 1976), male, from Tianjin, lecturer, M.Sc.; main research interests: computer technology and network security. WANG Zhi (born 1982), male, from Hebei, associate professor, Ph.D.; main research interests: big data and network security.

  • Funding:
    National Natural Science Foundation of China [61601467, U1533104]; Civil Aviation Science and Technology Project [MHRD20140205, MHRD20150233]; Civil Aviation Safety Capacity Building Project [PESA170003, PDSA2018079]

Intranet Log Anomaly Detection Model Based on Conformal Prediction

GU Zhaojun1, REN Yitong1,2, LIU Chunbo1, WANG Zhi3

  1. Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China, Tianjin 300300, China
    2. Institute of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
    3. College of Artificial Intelligence, Nankai University, Tianjin 300071, China
  • Received: 2019-09-25 Online: 2020-03-10 Published: 2020-05-11

Abstract (Chinese version):

Machine learning is the weak link of cyber security threat detection systems. Continuously evolving network attacks exploit concept drift in the data to evade machine learning detection, so detection models degrade over time. This paper uses a statistical learning method based on conformal measures to mitigate the degradation of an intranet security threat detection model built on log analysis. Compared with detection methods based on static thresholds, the conformal statistical learning method can adapt dynamically to evolving attacks, perceive concept drift in the underlying data, and mitigate model degradation. The paper implements a log-analysis-based intranet security detection model which effectively detects the concept drift trend on the HDFS dataset and mitigates model degradation.

Keywords (Chinese version): HDFS, anomaly detection, conformal prediction, confusion matrix

Abstract (English version):

Machine learning is the weakest link in cybersecurity threat detection systems. Evolving cyber attacks exploit concept drift in the data to evade machine learning detection, causing detection models to degrade over time. In this paper, a statistical learning method based on conformal measures is used to alleviate the degradation problem of an intranet security threat detection model based on log analysis. Compared with static threshold-based detection methods, the conformal statistical learning method can dynamically adapt to evolving security attacks, perceive concept drift in the underlying data, and alleviate the model degradation problem. This paper implements an intranet security detection model based on log analysis, effectively discovering the concept drift trend on the HDFS data set and alleviating model degradation.

Key words: HDFS, anomaly detection, conformal prediction, confusion matrix
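The abstract contrasts a static score threshold with conformal prediction, whose p-values are calibrated against held-out normal data and therefore expose concept drift as a rising alarm rate. The following is an added illustration of that mechanism, not code from the paper: the abstract does not disclose the authors' nonconformity measure or feature layout, so the k-nearest-neighbour distance measure, the four event-count features per HDFS block session and the synthetic session data are assumptions made for the demo.

```python
"""
Inductive conformal anomaly detection over per-session event-count vectors,
with a concept-drift check on the resulting p-values.

Added illustration, not the paper's code. Assumptions: nonconformity is the
mean distance to the k nearest training sessions; each session is a vector of
four event-type counts; all data below are constructed synthetically.
"""
import math
import random
from typing import Dict, List, Sequence

Vector = Sequence[float]


def euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nonconformity(x: Vector, reference: List[Vector], k: int = 3) -> float:
    """Nonconformity score of x: mean distance to its k nearest reference
    vectors. The larger the score, the less x resembles normal sessions."""
    nearest = sorted(euclid(x, r) for r in reference)[:k]
    return sum(nearest) / len(nearest)


class ConformalDetector:
    """Inductive conformal predictor: the training set defines the measure,
    a disjoint calibration set defines the reference score distribution."""

    def __init__(self, train: List[Vector], calib: List[Vector], k: int = 3):
        self.train = list(train)
        self.k = k
        self.calib_scores = [nonconformity(c, self.train, k) for c in calib]

    def p_value(self, x: Vector) -> float:
        # Share of calibration scores at least as extreme as x's score, with x
        # itself counted. Under exchangeability (no drift) this is uniform on
        # (0, 1], so the decision needs a significance level, not a score cut-off.
        alpha = nonconformity(x, self.train, self.k)
        at_least = sum(1 for s in self.calib_scores if s >= alpha)
        return (at_least + 1) / (len(self.calib_scores) + 1)

    def is_anomaly(self, x: Vector, epsilon: float = 0.05) -> bool:
        return self.p_value(x) < epsilon


def alarm_rate(p_values: List[float], epsilon: float = 0.05) -> float:
    """Fraction of a window flagged at significance epsilon. Without drift it
    stays near epsilon; a rate far above it means incoming sessions no longer
    follow the calibration distribution, i.e. concept drift, and the model
    should be recalibrated instead of trusted further."""
    return sum(1 for p in p_values if p < epsilon) / len(p_values)


def make_sessions(n: int, center: Vector, spread: float,
                  rng: random.Random) -> List[Vector]:
    """Constructed event-count vectors scattered around a profile (synthetic)."""
    return [[rng.gauss(c, spread) for c in center] for _ in range(n)]


def run_demo(epsilon: float = 0.05) -> Dict[str, object]:
    rng = random.Random(7)
    normal_profile = [10.0, 5.0, 2.0, 1.0]   # hypothetical per-session event counts
    drifted_profile = [10.0, 5.0, 2.0, 9.0]  # one event type becomes far more frequent

    train = make_sessions(200, normal_profile, 1.0, rng)
    calib = make_sessions(100, normal_profile, 1.0, rng)
    det = ConformalDetector(train, calib)

    # Window 1: same distribution as calibration -> alarm rate close to epsilon.
    steady = [det.p_value(x) for x in make_sessions(100, normal_profile, 1.0, rng)]
    # Window 2: drifted distribution -> p-values collapse, alarm rate jumps.
    drifted = [det.p_value(x) for x in make_sessions(100, drifted_profile, 1.0, rng)]

    return {
        "steady_alarm_rate": alarm_rate(steady, epsilon),
        "drifted_alarm_rate": alarm_rate(drifted, epsilon),
        "drift_detected": alarm_rate(drifted, epsilon) > 4 * epsilon,
        "center_is_anomaly": det.is_anomaly(normal_profile, epsilon),
        "outlier_is_anomaly": det.is_anomaly([40.0, 0.0, 0.0, 0.0], epsilon),
    }


if __name__ == "__main__":
    print(run_demo())
```

The drift signal here is deliberately simple (the windowed alarm rate compared with the chosen significance level); the same p-values can feed any test for departure from uniformity, and a sustained departure is the cue to refresh the calibration set rather than to keep applying a threshold fitted to stale data.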

CLC number: