轻量级主机数据采集与实时异常事件检测方法研究  被引量：6

作　　者：张剑[1] 童言[1] 徐明迪[2] 秦涛[3] ZHANG Jian;TONG Yan;XU Mingdi;QIN Tao(System Research Department, Wuhan Digital Engineering Institute, Wuhan 430074, China;System Software Department, Wuhan Digital Engineering Institute, Wuhan 430074, China;School of Electronic and Information Engineering, Xi＇an Jiaotong University, Xi＇an 710049, China)

机构地区：[1]武汉数字工程研究所系统科研部,武汉430070 [2]武汉数字工程研究所系统软件部,武汉430070 [3]西安交通大学电子与信息工程学院,西安710049

出　　处：《西安交通大学学报》2017年第4期97-102,共6页Journal of Xi'an Jiaotong University

基　　金：国家自然科学基金资助项目(61502438;61672026);陕西省自然科学基金资助项目(2016JM6040);国防预研基金资助项目(B0820132036)

摘　　要：针对特征值匹配方法不能检测未知异常的缺点以及常驻采集代理占用大量系统资源的问题,提出一种主机数据采集和异常检测方法。采用智能化的移动代理实现主机数据采集,大幅度降低系统中数据采集代理的数量;结合实时异常检测的需求,采用主成分分析方法对所收集的主机信息进行维度约减,并采用聚类方法对降维后的数据进行聚类分析,挖掘其中的异常点;为消除随机异常点对检测结果的影响,采用基于连续时间窗口的主机异常检测方法实现主机异常的准确检测。实验结果表明:与传统方法相比,数据规模相当的情况下,所提方法的时间复杂度减少了50%以上,检测准确率达到了95%以上,适用于主机异常的实时检测。A new method for data collection and anomaly detection of hosts is proposed to focus on the problems that the methods based on signature matching cannot detect unknown anomaly and data collection agents occupy too many host resources.Intelligent mobile agents are employed to perform data collection so that the number of collection agents is greatly reduced.In order to achieve the goal of online anomaly detection,the principal component analysis method is employed to reduce the dimension of the data,and the clustering method is used to mine the abnormal events.The host anomaly detection method based on continuous time windows is adopted to eliminate the influence of random outliers.Experimental results show that the proposed method has lower computational complexity and higher detection accuracy,and for same number of records the time complexity is reduced by more than 50%and the detection accuracy is above 95%,compared with conventional method.It is concluded that the method is suitable for real-time detection of host anomaly.

关 键 词：异常检测 移动代理 主成分分析 数据聚类 

分 类 号：TP393.2[自动化与计算机技术—计算机应用技术]