Research on Dynamic Detection Techniques for Abnormal Internet Traffic
Published: 2018-06-28 23:49
Topic of this thesis: traffic anomaly detection + cluster analysis; source: 曲阜師范大學 (Qufu Normal University), master's thesis, 2017
【Abstract】: Network traffic anomaly detection is one form of intrusion detection. It collects, analyzes and processes the data flowing through a network in real time and, based on the observed operating state of the network, issues timely anomaly alerts to the network administrator; its importance has drawn the attention of researchers. In the big-data era, data arrive at high speed and in huge volumes, and handling such data poses a major challenge for network traffic anomaly detection. Cluster analysis is well suited to this problem, so studying its application to anomaly detection has considerable practical value. This thesis first gives a systematic summary of network anomaly detection theory, then sets out the concepts of cluster analysis in detail, identifies the role of cluster analysis in network traffic anomaly detection, and analyzes and compares hierarchical, partitioning and density-based clustering methods. In the data-processing stage, information entropy is proposed as the measure applied to the raw data, completing the data processing carried out before detection. In the cluster-analysis stage, to address the choice of K and of the initial center points in the K-means algorithm, a K-means algorithm is proposed that determines K dynamically by merging small clusters and seeds the centers by a density and maximum-distance criterion. In the anomaly-detection stage, a cluster-analysis-based network traffic anomaly detection model is proposed to handle large traffic volumes. The specific research contents are as follows:

(1) Measuring the data with information entropy. Traffic data are extracted and analyzed according to the patterns that network data exhibit when an anomaly occurs. Source IP address, destination IP address, source port and destination port are selected as the feature attributes for anomaly detection and are quantified with information entropy; this constitutes the data processing performed before the detection stage.

(2) A K-means algorithm based on dynamic determination of K by merging small clusters and on a density / maximum-distance criterion. The K-means clustering algorithm used in network anomaly detection has a number of problems. Because the algorithm cannot fix the number of clusters K before iteration begins, a dynamic small-cluster-merging scheme is proposed: starting from a maximum cluster count and merging small clusters over several iterations yields the optimal number of clusters K. To address the randomness of initial center selection, a density and maximum-distance scheme is proposed: the first step takes the points of highest and lowest density as two initial centers, and after several iterations the remaining K-2 centers are taken as the points with the largest separation. The optimized algorithm is validated experimentally on a test data set.

(3) A cluster-analysis-based anomaly detection model. One module is built for each of the data-processing, cluster-analysis and anomaly-detection stages, and the three modules are assembled into the anomaly detection model, which is then evaluated on a training data set and a simulated-attack data set. The experimental results show that the improved K-means algorithm proposed here has a clear advantage over traditional K-means in both detection rate and false-alarm rate.
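As an added illustration of two of the stages the abstract describes (entropy over the four header fields per traffic window, and the density / maximum-distance seeding of K-means centers), the following Python is not the thesis's own code; it assumes that "density" means the number of points within a fixed radius, uses constructed flow windows, and leaves out the small-cluster-merging step that selects K.

```python
import math
from collections import Counter


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of one feature."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def entropy_vector(flows):
    """Per-window feature vector: H(src IP), H(dst IP), H(src port), H(dst port)."""
    return tuple(entropy([f[i] for f in flows]) for i in range(4))


def init_centers(points, k, radius):
    """Density / maximum-distance seeding: take the densest and the sparsest
    points first, then repeatedly the point farthest from every chosen center.
    Assumption: density = number of points within `radius` (the abstract does
    not specify the density measure)."""
    idx = range(len(points))
    density = [sum(1 for q in points if math.dist(p, q) <= radius) for p in points]
    hi = max(idx, key=density.__getitem__)
    lo = min((i for i in idx if i != hi), key=density.__getitem__)
    centers = [points[hi], points[lo]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(math.dist(p, c) for c in centers)))
    return centers


def is_anomalous(vec, centers, threshold):
    """Flag a window whose entropy vector lies farther than `threshold` from
    every center learned from normal traffic."""
    return min(math.dist(vec, c) for c in centers) > threshold


# Constructed sample windows of (src_ip, dst_ip, src_port, dst_port) records.
NORMAL = [(f"10.0.0.{i}", f"203.0.113.{i % 4}", 40000 + i, (80, 443)[i % 2]) for i in range(8)]
# One source talking to one host on many ports: low IP entropy, high dst-port entropy.
SCAN_LIKE = [("10.0.0.9", "203.0.113.1", 51000, 1000 + p) for p in range(8)]

if __name__ == "__main__":
    print(entropy_vector(NORMAL))     # (3.0, 2.0, 3.0, 1.0)
    print(entropy_vector(SCAN_LIKE))  # (0.0, 0.0, 0.0, 3.0)
    print(is_anomalous(entropy_vector(SCAN_LIKE), [entropy_vector(NORMAL)], 1.0))  # True
```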
【Degree-granting institution】: 曲阜師范大學 (Qufu Normal University)
【Degree level】: Master's
【Year degree awarded】: 2017
【Classification number】: TP393.08
Article ID: 2079890
Article link: http://sikaile.net/guanlilunwen/ydhl/2079890.html