Netinfo Security, 2016, Vol. 16, Issue (11): 33-39. doi: 10.3969/j.issn.1671-1122.2016.11.006

• Original Article

Cluster Anomaly Detection Algorithm Based on Multi-windows Mechanism

Mingliang HE1, Zemao CHEN1, Jin ZUO2

  1. Information Security Department, Naval University of Engineering, Wuhan Hubei 430033, China
  2. 91428 Troops of PLA, Ningbo Zhejiang 315000, China
  • Received: 2016-07-01 Online: 2016-11-20 Published: 2020-05-13

Abstract:

This paper analyses the weaknesses of the single-window cluster anomaly detection algorithm and uses weight values, similarity, local density and other concepts to perform affiliation search and abnormal merging on the potential abnormal points obtained by the single-window algorithm. A dataflow anomaly detection algorithm based on a multi-window mechanism is then designed. The algorithm first performs primary cluster detection on the preprocessed dataflow with an improved K-means clustering algorithm in a single window, and then makes a second judgment on the results. For the potential abnormal points detected by the single-window algorithm, the similarity principle is used to search for an affiliated normal cluster so as to exclude misjudgments; other concepts such as local density are then used to perform abnormal merging on the remaining potential abnormal points, excluding normal points again. Lastly, time weight values are used to obtain the final abnormal data comprehensively from the detection results of several dataflow windows. The simulation shows that this algorithm outperforms the single-window cluster anomaly detection algorithm in detection rate and misjudgment rate.

Key words: single window, multi-windows, data flow, anomaly detection
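
The pipeline outlined in the abstract, as an added sketch that is not the authors' code: plain K-means stands in for the paper's improved variant, and the 1-D data, all thresholds (`min_size`, `sim`, `eps`, `min_pts`), the window layout and the linear time weights are assumptions, since the abstract gives none of them.

```python
from statistics import mean

# Constructed sample stream (e.g. request sizes); list index = arrival time.
STREAM = [9, 10, 10, 9, 11, 12, 16, 10, 50, 10, 95, 9, 51, 11, 49, 10]

def kmeans_1d(xs, k=3, iters=10):
    """Plain 1-D K-means; centroids start evenly spread between min and max."""
    lo, hi = min(xs), max(xs)
    cents = [lo + (hi - lo) * j / (k - 1) for j in range(k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for i, x in enumerate(xs):
            groups[min(range(k), key=lambda j: abs(x - cents[j]))].append(i)
        cents = [mean(xs[i] for i in g) if g else c for g, c in zip(groups, cents)]
    return cents, groups

def judge_window(xs, min_size=4, sim=8, eps=3, min_pts=3):
    """Return local indexes still judged abnormal after the second judgment."""
    cents, groups = kmeans_1d(xs)
    normal = [c for c, g in zip(cents, groups) if len(g) >= min_size]
    cand = [i for g in groups if len(g) < min_size for i in g]  # small clusters
    # Affiliation search: a candidate close to a normal centroid was misjudged.
    cand = [i for i in cand if all(abs(xs[i] - c) > sim for c in normal)]
    # Abnormal merging: candidates that form a dense group are a new normal cluster.
    dense = lambda i: sum(abs(xs[i] - xs[j]) <= eps for j in cand) >= min_pts
    return {i for i in cand if not dense(i)}

def detect(stream, size=8, step=4, threshold=0.5):
    """Fuse per-window verdicts; newer windows carry a larger time weight."""
    score, total = {}, {}
    for w, start in enumerate(range(0, len(stream) - size + 1, step)):
        flagged = judge_window(stream[start:start + size])
        for local in range(size):
            t = start + local
            total[t] = total.get(t, 0) + (w + 1)
            score[t] = score.get(t, 0) + (w + 1) * (local in flagged)
    return sorted(t for t in total if score[t] / total[t] > threshold)

if __name__ == "__main__":
    print(detect(STREAM))  # stream indexes of the final abnormal points
```

On this sample the middle window alone flags both the lone 50 and the 95; the later window merges 50 with its neighbours 49 and 51, so only the 95 survives the weighted fusion.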
