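Authors: Yang Xiaofeng (杨晓峰)[1], Li Wei (李伟)[1,2], Sun Mingming (孙明明)[1], Hu Xuelei (胡雪蕾)[1]
Affiliations: [1] School of Computer Science and Technology, Nanjing University of Science and Technology, Nanjing, Jiangsu 210094; [2] Dana-Farber Cancer Institute, Harvard Medical School
Source: CAAI Transactions on Intelligent Systems (《智能系统学报》), 2014, No. 1, pp. 40-46 (7 pages)
Funding: National Natural Science Foundation of China (60705020); Natural Science Foundation of Jiangsu Province (BK207594)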
Abstract: Attacks against Web service applications have spread widely across the network in recent years. Existing attack detection algorithms mostly use supervised learning to determine the classification boundary between normal behavior and attack behavior; however, because a supervised detection model requires a complex learning process before detection, it often reduces the practical effectiveness of the system. Therefore, based on the real-world differences in quantity and distribution between normal access samples and attack samples, an unsupervised detection algorithm based on text clustering is proposed. The algorithm first clusters the samples with an iterative clustering process until they are merged into a single cluster; meanwhile, according to the distribution pattern of anomalous and normal samples, it selects the optimal largest cluster during the clustering process as the normal sample class and treats the rest as the anomalous sample class. The optimal scheme is chosen by the principle of minimizing the classification error. Experiments show that, compared with several classical detection methods, the method dispenses with the complex learning process, improves adaptability, and achieves a good detection rate and false positive rate.
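Keywords: network attack; network attack detection; text clustering; unsupervised detection algorithm
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]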