Anomalous Traffic Detection Based on Traffic Behavior Characteristics

doi:10.3969/j.issn.1671-1122.2016.11.008

Abstract

Abstract:

Real network environment lack of labeled data set, so traditional anomaly traffic detection method based on labeled data set is unsuitable for actual large-scale network. To resolve this, the paper proposes an improved k-means anomaly traffic detection method for unlabeled data sets. Firstly, collect the Sichuan University network outlet flow and store in the distributed file system; secondly, construct user behavior feature set on the basis of network flow analysis, and extract relevant characteristics by Spark big data processing platform. Referenced principles of group to define the normal behavior of clusters in the actual flow, construct normal flow behavior model on improved K-means++ cosine clustering method; Finally, the cosine distance between the normal behavior model and user actual flow behavior is calculated to detected anomaly flow behavior. The feasibility and validity of the method are verified by attacking experiment. The experimental results show that the normal flow behavior model for anomaly flow detection has higher accuracy.

Key words: big data, anomaly traffic detection, k-means

CLC Number:

TP391

Yangrui HU, Xingshu CHEN, Junfeng WANG, Xiaoming YE. Anomalous Traffic Detection Based on Traffic Behavior Characteristics[J]. Netinfo Security, 2016, 16(11): 45-51.

Figures/Tables 9

References 28

[1]	BHUYAN M H, BHATTACHAYYA D K, KALITA J K.Network Anomaly Detection: Methods, Systems and Tools[J]. Communications Surveys & Tutorials, 2014, 16(1): 303-336.
[2]	HE G, TAN C, YU D, et al.A Real-Time Network Traffic Anomaly Detection System Based on Storm[C]//IEEE. IEEE 7th IHMSC Conference on Intelligent Human-Machine Systems and Cybernetics (IHMSC), August 26 - 27, 2015, Hangzhou, China. New York:IEEE, 2015, 1: 153-156.
[3]	HUANG H, ALAZZAWI H, BRANI H. Network Traffic Anomaly Detection[EB/OL]. ,2016-6-1.
[4]	王苏南. 高速复杂网络环境下异常流量检测技术研究[D]. 郑州:解放军信息工程大学,2012.
[5]	许晓东,杨燕,李刚. 基于K-means 聚类的网络流量异常检测[J]. 无线通信技术,2013,4(1): 21-26.
[6]	FORREST S, PERELSON A S, ALLEN L, et al. Self-nonself Discrimination in a Computer[EB/OL]. , 2016-6-1.
[7]	GHOSH A K, MICHAEL C, SCHATZ M. A Real-time Intrusion Detection System Based on Learning Program Behavior[EB/OL]. , 2016-6-1.
[8]	LEE W, STOLFO S J, MOK K W.A Data Mining Framework for Building Intrusion Detection Models[C]//IEEE. IEEE Conference on Security and Privacy, May 9-12, 1999. Oakland, California, USA. New York:IEEE, 1999: 120-132.
[9]	隋新,杨喜权,陈棉书,等. 入侵检测系统的研究[J]. 科学技术与工程,2012,12(33):8971-8979.
[10]	HAI T N, PETROVIC S, FRANKE K.A Comparison of Feature-Selection Methods for Intrusion Detection[J]. Department of Computer & Information Science, 2010, 6258(19) :242-255.
[11]	边肇祺. 模式识别[M]. 北京:清华大学出版社,2000.
[12]	LUNT T T, TAMARU A, GILLHAM F. A Real-time Intrusion-detection Expert System (IDES)[EB/OL].,2016-6-1.
[13]	VALDES A, SKINNER K. Adaptive, Model-based Monitoring for Cyber Attack Detection[EB/OL]. , 2016-6-1.
[14]	TENG H S, CHEN K, LU S C. Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns[EB/OL]. , 2016-6-1.
[15]	KUMAR S.Classification and Detection of Computer Intrusions[D]. USA:Purdue University, 1995.
[16]	黄学宇,魏娜,陶建锋. 基于人工免疫聚类的异常检测算法[J]. 计算机工程,2010,36(1):166-169.
[17]	QIN T, GUAN X, LONG Y, et al.Users' Behavior Character Analysis and Classification Approaches in Enterprise Networks[C]//IEEE. Eighth IEEE/ACIS International Conference on Computer and Information Science, June 1-3, 2009, Shanghai, China. New York: IEEE, 2009: 323-328.
[18]	董富强. 网络用户行为分析研究及其应用[D]. 西安:西安电子科技大学,2005.
[19]	杨铮. 基于流量识别的网络用户行为分析[D]. 重庆:重庆大学,2009.
[20]	GU L, LI H.Memory or Time: Performance Evaluation for Iterative Operation on Hadoop and Spark[C]//IEEE. High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing (HPCC_EUC), November 13 - 15, 2013, Zhangjiajie, China. New York: IEEE, 2013: 721-727.
[21]	吴夙慧,成颖,郑彦宁,等. K-means 算法研究综述[J]. 现代图书情报技术,2011,27(5): 28-35.
[22]	穆筝,吴进,许书娟. 高速网络下P2P流量识别研究[J]. 信息网络安全,2015(5):69-76.
[23]	沈昌祥,张焕国,冯登, 等. 信息安全综述[J]. 中国科学:E辑, 2007(2):129-150.
[24]	肖梅,辛阳. 基于朴素贝叶斯算法的VoIP流量识别技术研究[J]. 信息网络安全,2015(10):74-79.
[25]	TIBSHIRANI R, WALTHER G, HASTIE T.Estimating the Number of Clusters in a Data Set via the Gap Statistic[J]. Journal of the Royal Statistical Society: Series B (Statistical Methodology), 2001, 63(2): 411-423.
[26]	ARTHUR D, VASSILVITSKII S. k-means++: The Advantages of Careful Seeding[C]//ACM. Proceedings of the eighteenth annual ACM-SIAM symposium on Discrete algorithms, January 7-9, 2007, New Orleans, Louisiana, USA. Philadelphia: Society for Industrial and Applied Mathematics, 2007: 1027-1035.
[27]	翟东海,鱼江,高飞,等. 最大距离法选取初始簇中心的 K-means 文本聚类算法的研究[J]. 计算机应用研究,2014,31(3): 713-715.
[28]	雷小锋,谢昆青, 林帆,等.一种基于K-Means局部最优性的高效聚类算法[J].软件学报, 2008,19(7):1683-1692.