[1]杨晓峰,李伟,孙明明,等.基于文本聚类的网络攻击检测方法[J].智能系统学报,2014,9(1):40-46.[doi:10.3969/j.issn.1673-4785.201108007]
 YANG Xiaofeng,LI Wei,SUN Mingming,et al.Web attack detection method on the basis of text clustering[J].CAAI Transactions on Intelligent Systems,2014,9(1):40-46.[doi:10.3969/j.issn.1673-4785.201108007]
点击复制

基于文本聚类的网络攻击检测方法

《智能系统学报》[ISSN 1673-4785/CN 23-1538/TP] 卷: 9 期数: 2014年第1期 页码: 40-46 栏目: 学术论文—自然语言处理与理解 出版日期: 2014-02-25
Title:
Web attack detection method on the basis of text clustering
作者:
杨晓峰1, 李伟1,2, 孙明明1, 胡雪蕾1
1. 南京理工大学 计算机科学与技术学院, 江苏 南京 210094;
2. 哈佛医学院 Dana-Farber癌症研究所, 波士顿 马萨诸塞州 02115, 美国
Author(s):
YANG Xiaofeng1, LI Wei1,2, SUN Mingming1, HU Xuelei1
1. School of Computer Science and Technology, Nanjing University of Science and Technology, Nanjing 210094, China;
2. Dana-Farber Cancer Institute, Harvard Medical School, Boston, Massachusetts 02115, USA
关键词:
网络攻击网络攻击检测文本聚类非监督检测算法
Keywords:
Web attackWeb attack detectiontext clusteringunsupervised detection algorithm
分类号:
TP393
DOI:
10.3969/j.issn.1673-4785.201108007
摘要:
针对Web服务应用的攻击是近年来网络上广泛传播的攻击方式, 现有的攻击检测算法多采用监督学习的方法确定正常行为和攻击行为的分类边界;但由于监督检测模型在检测之前需要复杂的学习过程, 往往会降低系统的实用效果。因此, 根据现实中正常访问样本和攻击样本在数量和分布上的差异, 提出了一种基于文本聚类的非监督检测算法。算法首先采用迭代聚类过程聚类样本, 直至聚为一类;同时根据异常与正常样本的分布规律, 在聚类过程中选择最优的最大类别作为正常样本类, 将其余的作为异常样本类。最优方案的选择采用了使得分类误差最小的原则确定。实验表明, 与多种经典检测方法相比, 该方法省去了复杂的学习过程, 增强了方法的适应性, 具有较好的检测率和误报率。
Abstract:
The attacks aiming at Web service applications within the past several years have become more widely-propagated, and the present attack detection algorithms mostly use the supervision study to determine the border between normal the behavior and attack behavior; however, for the supervision and detection model, before the detection, a complex studying process is necessary, this will lower the practical effects of the system. Therefore, on the basis of the realistic difference between the normal visit specimen and the attack specimen on the aspects of quantity and distribution, an unsupervised detection algorithm based on text clustering is proposed. In the algorithm, firstly, the iteratively clustered process is applied to cluster specimens, until reaching a category; in addition, according to the distribution law of the abnormal and normal specimens, in the clustering process, the optimal maximum category is considered as the normal specimen category and the others are considered as an abnormal specimen category. The optimal scheme is determined on the basis of the principle of the minimum classification error. The experiment shows that, in comparison with many traditional detection methods, the method used in this paper omits complex study processes and improves adaptability; the detection rate and the false positive rate are excellent.
参考文献/References:
[1] CHRISTEY S, MARTIN R A. Vulnerability type distributions in CVE [EB/OL]. [2011-08-20]. http://cwe.mitre.org/documents/vuln-trends.html.
[2] FIELDING R, GETTYS J, MOGUL J, et al. RFC-2616: hypertext transfer protocol-HTTP/1.1[S]. Montreal: Internet Engineering Task Force (IETF), 1999.
[3] INGHAM K L, SOMAYAJIB A, BURGEA J, et al. Learning DFA representations of HTTP for protecting web applications[J]. Computer Networks, 2007, 51(5): 1239-1255.
[4] CORONA I, ARIU D, GIACINTO G. HMM-Web: a framework for the detection of attacks against web applications[C]//IEEE International Conference on Communications. Dresden, Germany, 2009: 1-6.
[5] DURY A, HALLAL H H, PETRENKO A. Inferring behavioural models from traces of business applications[C]//IEEE International Conference on Web Services. Los Angeles, USA, 2009: 791-798.
[6] BACE R. Intrusion detection[M]. [S.l.]: Macmillan Publishing Co. Inc., 2000: 1-4.
[7] ROESCH M. Snort-lightweight intrusion detection for networks[C]//Proceedings of the 13th USENIX Conference on System Administration. Seattle, USA, 1999: 229-238.
[8] CHANDOLA V, BANERJEE A, KUMAR V. Anomaly detection: a survey[J]. ACM Computing Surveys, 2009, 41(3): artical no. 15.
[9] KRUEGEL C, VIGNA G. Anomaly detection of web-based attacks[C]//Proceedings of the 10th ACM Conference on Computer and Communications Security. Washington, DC, USA: ACM, 2003: 251-261.
[10] KRUEGEL C, VIGNA G, ROBERTSON W. A multi-model approach to the detection of web-based attacks[J]. Computer Networks, 2005, 48(5): 717-738.
[11] PORTNOY L, ESKIN E, STOLFO S. Intrusion detection with unlabeled data using clustering[C]//Proceedings of ACM CSS Workshop on Data Mining Applied to Security. Philadelphia, USA, 2001: 5-8.
[12] MAHONEY M V, CHAN P K. Learning nonstationary models of normal network traffic for detecting novel attacks[C]//Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York, USA: ACM, 2002: 376-385.
[13] WARRENDER C, FORREST S, PEARLMUTTER B. Detecting intrusions using system calls: alternative data models[C]//Proceedings of IEEE Symposium on Security and Privacy. Oakland, USA, 1999: 133-145.
[14] SENGAR H, WIJESEKERA D, WANG H, et al. VoIP intrusion detection through interacting protocol state machines[C]//Proceedings of International Conference on Dependable Systems and Networks. Philadelphia, USA: IEEE/IFIP, 2006: 393-402.
[15] 周东清,张海锋,张绍武,等.基于HMM的分布式拒绝服务攻击检测方法[J].计算机研究与发展, 2005, 42(9): 1594-1599.ZHOU Qingdong, ZHANG Haifeng, ZHANG Shaowu, et al. A DDos attack detection method based on hidden Markov model[J]. Journal of Computer Research and Development, 2005, 42(9): 1594-1599.
[16] INGHAM K L, INOUE H. Comparing anomaly detection techniques for HTTP[C]//Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection. Gold Goast, Australia, 2007: 42-62.
[17] JULISCH K. Clustering intrusion detection alarms to support root cause analysis[J]. ACM Transactions on Information and System Security, 2003, 6(4): 443-471.
[18] HAINES J W, LIPPMANN R P, FRIED D J, et al. 1999 DARPA intrusion detection system evaluation: design and procedures, TR-1062[R]. Lexington, USA: Lincoln Laboratory, Massachusetts Institute of Technology, 2001.
[19] LIPPMANN R P, HAINES J W, FRIED D J, et al. The 1999 DARPA off-line intrusion detection evaluation[J]. Computer Networks, 2000, 34(4): 579-595.
[20] The UCI KDD Archive. KDD Cup 1999 data[EB/OL]. (1999-10-28)[2011-08-20]. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
相似文献/References:
[1]常利伟,田晓雄,张宇青,等.基于多源异构数据融合的网络安全态势评估体系[J].智能系统学报,2021,16(1):38.[doi:10.11992/tis.202006053]
 CHANG Liwei,TIAN Xiaoxiong,ZHANG Yuqing,et al.Network security situation assessment architecture based on multi-source heterogeneous data fusion[J].CAAI Transactions on Intelligent Systems,2021,16():38.[doi:10.11992/tis.202006053]

备注/Memo

收稿日期:2011-08-29。
基金项目:国家自然科学基金资助项目(60705020);江苏省自然科学基金资助项目(BK207594).
作者简介:杨晓峰,男,1982年生,博士研究生,主要研究方向为网络安全、机器学习;孙明明,男,1981年生,讲师,主要研究方向为模式识别、机器学习。
通讯作者:李伟,男,1978年生,博士,主要研究方向为复杂网络、模式识别、机器学习.E-mail:liweinust@hotmail.com.

更新日期/Last Update: 1900-01-01
Copyright © 《 智能系统学报》 编辑部
地址:(150001)黑龙江省哈尔滨市南岗区南通大街145-1号楼 电话:0451- 82534001、82518134 邮箱:tis@vip.sina.com