Research and Implementation on Network Traffic Anomaly Detection without Guidance Learning with Spark

doi:10.3969/j.issn.1671-1122.2016.06.001

Abstract

Abstract:

In view of the massive data intrusion detection, this paper designs and implements a network traffic anomaly detection system based on Spark framework. Data preprocessing use Python and Python data, an upgraded version of the IPython implementation. Anomaly detection uses K-means predict and classify flow records represent the type of attack. In order to avoid time overhead uses traditional distributed computing framework, this paper designs and implements an anomaly K-means detection method under the framework of Spark. The method storages temporary data into memory rather than the hard drive, and improve the computational efficiency. In order to solve the problem of K value select difficult, through the Spark iterative calculation and comparison of the different K-means value of the K algorithm in the cluster center to all points in the cluster average value of all points, to achieve the best selection of K value. Finally, the performance and function of the system are tested. The test result shows that the system achieves the predetermined design requirements, and has high computational efficiency and detection accuracy.

Key words: network traffic detection, Spark, guiding learning

CLC Number:

TP309

Xiaoping WU, Zhou ZHOU, Hongcheng LI. Research and Implementation on Network Traffic Anomaly Detection without Guidance Learning with Spark[J]. Netinfo Security, 2016, 16(6): 1-7.

Figures/Tables 6

References 40

[1]	杨晓君. 入侵检测报警数据处理技术研究[D]. 哈尔滨:哈尔滨理工大学,2009.
[2]	戚名钰,刘铭,傅彦铭. 基于PCA的SVM网络入侵检测研究[J]. 信息网络安全,2015(2):15-18.
[3]	陈晓梅. 入侵检测中的数据预处理问题研究[J]. 计算机科学,2006,33(1):81-83.
[4]	王晓晔,张涛,郝亚培. 网络入侵异常检测中数据预处理的研究[J]. 天津理工大学学报,2013,29(6):31-35.
[5]	李凯,薛一波,王春露,等. 千兆网络入侵防御系统高速数据包处理的研究与实现[J]. 小型微型计算机系统,2006,27(9);1677-1681.
[6]	何鹏程,方勇. 一种基于Web日志和网站参数的入侵检测和风险评估模型的研究[J]. 信息网络安全,2015(1):61-65.
[7]	李凯. 千兆网络入侵防御系统包处理技术的研究[D]. 北京:北京邮电大学,2006.
[8]	黄俊,韩玲莉,陈光平. 基于无指导离群点检测的网络入侵检测技术[J]. 小型微型计算机系统,2007,28(11):2007-2009.
[9]	蒋盛益,李庆华. 无指导的入侵检测方法[J]. 计算机工程,2005,31(9):31-33.
[10]	肖海军. 基于SVM和无指导学习的入侵检测研究[D]. 武汉:华中科技大学,2007.
[11]	周思伟. Spark大表等值连接的优化及其在网络流量数据分析的应用研究[D]. 广州:华南理工大学,2015.
[12]	吴亚非,李新友,禄凯. 信息安全风险评估[M].北京:清华大学出版社,2007.
[13]	孙科. 基于Spark的机器学习应用框架研究与实现[D]. 上海:上海交通大学,2015.
[14]	尹绪森. Spark与MLlib:当机器学习遇见分布式系统[J]. 程序员,2014(7):112-115.
[15]	陈虹君. 基于Spark框架的聚类算法研究[J]. 电脑知识与技术,2015(2):56-57.
[16]	孟浩,王劲松,黄静耘,等. 基于TcpFlow的网络可视分析系统研究与实现[J]. 信息网络安全,2016(2):40-46.
[17]	RENUKA D S, YOGESH P.A Hybrid Approach to Counter Application Layer DDoS Attacks[J]. International Journal on Cryptography and Information Security, 2012, 2(2): 45-52.
[18]	BOLZONI D, CRISPO B, ETALLE S.ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection System[C]//USENIX. The 21st Large Installation System Administration Conference, November 11-16, 2007, Dallas, Texas. Berkeley: USENIX, 2007: 141-152.
[19]	张玲,白中英,罗守山,等. 基于粗糙集和人工免疫的集成入侵检测模型[J]. 通信学报,2013,34(9):167-176.
[20]	ISO/IEC15408 Common Criteria for Information Technology Security Evaluation[S]. Geneva: IEC, 2004.
[21]	李晓勇,左晓栋. 信息安全的等级保护体系[J]. 信息网络安全,2004(1):18-20.
[22]	GB/T 20984-2007 信息安全风险评估规范[S]. 国家质量监督检验检疫总局,2007.
[23]	李锦玲,汪斌强. 基于最大频繁序列模式挖掘的App-DDoS攻击的异常检测[J]. 电子与信息学报,2013,35(7):1739-1745.
[24]	CHANDRASEKAR A, VASUDEVAN V, YOGESH P.Evolutionary Approach for Network Anomaly Detection using Effective Classification[J]. IJCSNS Int Journal of Computer Science and Network Security, 2009, 9(1): 296-302.
[25]	陈晓,赵晶玲. 大数据处理中混合型聚类算法的研究与实现[J]. 信息网络安全,2015(4):45-49.
[26]	MABU S, CHEN Ci, LU Nannan.An Intrusion-detection Model Based on Fuzzy Class-association-rule Mining using Genetic Programming Network[J]. IEEE Transaction on Systems, Man, and Cybernetics, 2011, 41(1): 130-139.
[27]	陆悠,李伟,罗军舟,等. 一种基于选择性协同学习的网络用户异常行为检测方法[J]. 计算机学报,2014,37(1):28-40.
[28]	王秀利,王永吉. 基于命令紧密度的用户伪装入侵检测方法[J]. 电子学报,2014,42(6):1225-1229.
[29]	DASH S K, REDDY K S.Adaptive Naive Bayes Method for Masquerade Detection[J]. Security and Communications Networks, 2011, 4(4): 410-417.
[30]	钱叶魁,陈鸣,叶立新. 基于多尺度主成分分析的全网络异常检测方法[J]. 软件学报,2012,23(2):361-377.
[31]	刘大有,陈慧灵,齐红,等. 时空数据挖掘研究进展[J]. 计算机研究与发展,2013,50(2):225-239.
[32]	RINGBERG H, SOULE A, REXFORD J, et al.Sensitivity of PCA for Traffic Anomaly Detection[J]. Acm Sigmetrics Performance Evaluation Review, 2015, 35(1): 109-120.
[33]	BRAUCKHOFF D, SALAMATIAN K, MAY M.Applying PCA for Traffic Anomaly Detection: Problems and Solutions[J]. IEEE INFOCOM, 2009, 34(1):2866-2870.
[34]	RUBINSTEIN B I P, NELSON B, HUANG L, et al. Stealthy Poisoning Attacks on PCA-based Anomaly Detectors[J]. Acm Sigmetrics Performance Evaluation Review, 2009, 37(2): 73-74.
[35]	郑黎明,邹鹏,韩伟红,等. 基于多维熵值分类的骨干网流量异常检测研究[J]. 计算机研究与发展,2012, 49(9):1972-1981.
[36]	王洁松,张小飞. KDDCup99网络入侵检测数据的分析和预处理[J]. 科技信息:科学·教研,2008(15):10-17.
[37]	RYZA S, LASERSON U, OWEN S, et al. Advanced Analytics with Spark[EB/OL]. , 2016-1-22.
[38]	HARRINGTON P.Machine Learning in Action[M]. Greenwich: Manning Publications Co., 2012.
[39]	张士豪,顾益军,张俊豪. 基于用户聚类的热门微博分类研究[J]. 信息网络安全,2015(7):84-89.
[40]	William Wealey. Python for Data Analysis McKinney[EB/OL]. , 2016-1-23.