Authors: Luo Wenhua [1], Zhang Yan (LUO Wen-hua; ZHANG Yan, Cyber Crime Investigation Department, Criminal Investigation Police University of China, Shenyang 110035, China)
Affiliation: [1] Cyber Crime Investigation Department, Criminal Investigation Police University of China
Source: Journal of Chinese Computer Systems (小型微型计算机系统), 2019, No. 11, pp. 2374-2379 (6 pages)
Funding: Key Project of the Ministry of Public Security Technology Research Program (2017JSYJA10); Ministry of Public Security Theoretical and Soft Science Research Program project (2018LLYJXJXY016); Liaoning Provincial Social Science Fund project (L18BFX009); Criminal Investigation Police University of China Graduate Innovation Capability Enhancement Project (2018YCZD04)
Abstract: Traditional intrusion detection techniques have difficulty detecting anomalous intrusions while also meeting the judicial requirement of precisely locating core evidence and clues. The MajorClust algorithm avoids the drawback of traditional clustering algorithms, which require the number of clusters to be specified in advance, and its emphasis on the properties of the graph itself offers a new approach to behaviour detection. However, when applied to the discovery of behavioural evidence, the pattern of anomalous behaviour obtained from a single pass of MajorClust is not distinct enough, and the key anomalous points cannot be located accurately. The improved MajorClust algorithm, building on a correlation-degree calculation, sorts out the relationships between records more precisely through multiple iterations of abstraction, and locates the core anomalous behaviour within massive record sets by choosing cluster core points appropriately from among three types of nodes: those with the highest frequency, those with the highest arrival rate, and those with the largest sum of adjacent edge weights. Instead of following the traditional approach of detecting anomalies on a single anomalous parameter, it makes a comprehensive judgement based on the correlation between behaviours, taking the second-highest anomalous parameters into account as well; the core-node information of different clusters corroborates each other, which improves the credibility of the detection results.
Keywords: anomaly detection; clustering; MajorClust; similarity; information localization
Classification: TP393 [Automation and Computer Technology: Computer Application Technology]