ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2015, Vol. 52 ›› Issue (3): 718-728. doi: 10.7544/issn1000-1239.2015.20130601

• Information Security •

Anomaly Intrusion Behavior Detection Based on Fuzzy Clustering and Features Selection

Tang Chenghua1,2, Liu Pengcheng1,2, Tang Shensheng3, Xie Yi4

  1. 1(Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin, Guangxi 541004); 2(Guangxi Experiment Center of Information Science, Guilin University of Electronic Technology, Guilin, Guangxi 541004); 3(Department of Engineering Technology, Missouri Western State University, Saint Joseph, MO 64507, USA); 4(School of Information Science and Technology, Sun Yat-sen University, Guangzhou 510275) (tch@guet.edu.cn)
  • Published: 2015-03-01
  • Online: 2015-03-01
  • Supported by: 
    the National Natural Science Foundation of China (61163057, 60970146, 61462020); the Foundation of Guangxi Key Laboratory of Trusted Software (kx201111); the Foundation of Guangxi Experiment Center of Information Science (20130329); the Guangxi Natural Science Foundation (2014GXNSFAA118375)

Abstract: Network attack connections exhibit changeable and complex behavior, so behavior-mining techniques based on traditional clustering are ill-suited to building anomaly intrusion detection models. In view of these characteristics, an anomaly intrusion detection model based on fuzzy clustering and feature selection is proposed. First, a hierarchical clustering algorithm is used to reduce the sensitivity of fuzzy C-means (FCM) clustering results to the initial cluster centers, and the global search ability of a genetic algorithm is used to overcome FCM's tendency to fall into local optima during iteration; the two are combined into an algorithm called AGFCM. Second, the feature attributes of the network attack connection data set are ranked by information gain, and the Youden index is used to prune them and thereby determine how many feature attributes to retain. Finally, the anomaly intrusion detection model is built from the resulting low-dimensional feature attribute set and the improved FCM clustering algorithm. Experimental results show that the model detects the vast majority of network attack types well, offering a feasible approach to the false alarm rate and detection rate problems of anomaly intrusion detection models.

Key words: fuzzy clustering, hierarchical clustering, features selection, fuzzy C-means, anomaly detection
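
For readers unfamiliar with the fuzzy C-means step named in the abstract, the following is a minimal sketch of plain FCM in pure Python. It is not the AGFCM algorithm of the paper: the hierarchical-clustering initialization and the genetic-algorithm search are omitted, and the initial centers are simply passed in by the caller. The function name `fcm`, its parameters, and the toy points are assumptions made for illustration only.

```python
import math

def fcm(points, centers, m=2.0, iters=100, tol=1e-6):
    """Plain fuzzy C-means (illustrative sketch, not the paper's AGFCM).

    `centers` are caller-supplied initial centers; in the scheme described
    in the abstract they would come from a hierarchical clustering pass.
    Returns the final centers and the memberships from the last update.
    """
    centers = [list(c) for c in centers]
    exponent = 2.0 / (m - 1.0)
    u = []
    for _ in range(iters):
        # Membership update: u[j][i] is how strongly point j belongs to cluster i.
        u = []
        for x in points:
            d = [math.dist(x, c) for c in centers]
            if any(di == 0.0 for di in d):
                # The point sits exactly on a center: split full membership
                # among the coinciding centers to avoid division by zero.
                hits = [1.0 if di == 0.0 else 0.0 for di in d]
                u.append([h / sum(hits) for h in hits])
            else:
                u.append([1.0 / sum((di / dk) ** exponent for dk in d) for di in d])
        # Center update: mean of all points weighted by membership ** m.
        new_centers = []
        for i in range(len(centers)):
            w = [row[i] ** m for row in u]
            total = sum(w)
            new_centers.append([
                sum(wj * x[k] for wj, x in zip(w, points)) / total
                for k in range(len(points[0]))
            ])
        shift = max(math.dist(a, b) for a, b in zip(centers, new_centers))
        centers = new_centers
        if shift < tol:
            break
    return centers, u

# Toy data (made up for illustration): two well-separated groups.
points = [(0.0, 0.0), (0.1, 0.2), (0.2, 0.0), (5.0, 5.0), (5.1, 4.9), (4.9, 5.2)]
centers, u = fcm(points, centers=[(0.0, 0.0), (5.0, 5.0)])
```

Because every membership row sums to 1, a connection record can belong partly to several clusters, which is the property that distinguishes fuzzy clustering from hard clustering such as k-means. The result still depends on the initial centers supplied, which is the sensitivity the abstract says the hierarchical-clustering step is meant to reduce.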

CLC Number:
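
The feature-selection step described in the abstract ranks attributes by information gain and uses the Youden index to decide how many to keep. The abstract does not give the exact procedure, so the sketch below shows only the two standard quantities and one plausible way to combine them: evaluate a detector on the top-k ranked features for several k and keep the k with the highest Youden index. All function names, the toy records, and the confusion counts are hypothetical.

```python
import math
from collections import Counter

def entropy(labels):
    """Shannon entropy (in bits) of a list of class labels."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())

def information_gain(column, labels):
    """H(labels) - H(labels | column) for one discrete feature column."""
    n = len(labels)
    groups = {}
    for value, label in zip(column, labels):
        groups.setdefault(value, []).append(label)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(labels) - conditional

def rank_features(rows, labels):
    """Return feature indices sorted by decreasing information gain."""
    gains = [information_gain([r[k] for r in rows], labels)
             for k in range(len(rows[0]))]
    return sorted(range(len(gains)), key=lambda k: gains[k], reverse=True)

def youden_index(tp, fn, fp, tn):
    """Youden's J = sensitivity + specificity - 1."""
    return tp / (tp + fn) + tn / (tn + fp) - 1.0

# Toy records (made up): feature 0 separates the classes, feature 1 does not.
rows = [("tcp", 0), ("tcp", 1), ("udp", 0), ("udp", 1)]
labels = ["attack", "attack", "normal", "normal"]
ranking = rank_features(rows, labels)

# Hypothetical confusion counts (tp, fn, fp, tn) measured with the top-k features.
results = {1: (80, 20, 10, 90), 2: (90, 10, 5, 95), 3: (88, 12, 9, 91)}
best_k = max(results, key=lambda k: youden_index(*results[k]))
```

Information gain as written assumes discrete feature values; continuous attributes would need to be binned first. The Youden index rewards a high detection rate and a low false alarm rate at the same time, which matches the two quantities the abstract names as the model's goals.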