融合密度聚类与集成学习的数据库异常检测  被引量：6

作　　者：李勃 寿增 刘昕禹 高明慧 马力 徐剑[4] LI Bo;SHOU Zeng;LIU Xin-yu;GAO Ming-hui;MA Li;XU Jian(China NARI Group Corporation(State Grid Electronic Power Research Institute),Nanjing 210061,China;Beijing Kedong Electric Power Control System Co.,Ltd.,Beijing 100192,China;State Grid Liaoning Electric Power Supply Co.Ltd.,Shenyang 110003,China;Software College,Northeastern University,Shenyang 110169,China)

机构地区：[1]南瑞集团有限公司(国网电力科学研究院有限公司),南京210061 [2]北京科东电力控制系统有限责任公司,北京100192 [3]国网辽宁省电力有限公司,沈阳110003 [4]东北大学软件学院,沈阳110169

出　　处：《小型微型计算机系统》2021年第3期666-672,共7页Journal of Chinese Computer Systems

基　　金：国家自然科学基金项目(61872069)资助;中央高校基本科研业务费专项资金项目(N2017012)资助。

摘　　要：目前,针对数据库系统内部攻击与威胁的检测方法较少,且已有的数据库异常检测方案存在代价开销高、检测准确率低等问题.为此,将密度聚类和集成学习融合,提出一种基于密度聚类和集成学习的数据库异常检测方法.利用OPTICS(Ordering Points To Identify the Clustering Structure)密度聚类算法对用户产生的数据库SQL操作日志进行聚类,通过对SQL语句中的各属性进行分析,提取用户的异常行为,形成先验知识;将Bagging、Boosting和Stacking进行组合,形成集成学习模型,以OPTICS聚类形成的先验知识为基础,并利用该集成学习模型对用户行为作进一步分析,并创建用户行为特征库.基于用户形成特征库,对用户行为进行检测.给出了方案的详细构建过程,包括数据预处理、训练、学习模型建立以及异常检测;利用相关实验数据进行测试,结果表明本方案能以较高的效率检测出数据库异常行为,并且在准确率方面优于同类方案.At present,there are fewer detection methods for internal attacks and threats in database systems,and most existing database anomaly detection schemes have problems such as high cost and low accuracy.Therefore,we proposed a database anomaly detection scheme based on OPTICS and ensemble learning.Use OPTICS to cluster the database SQL operation log generated by the user,and analyze the attributes of the SQL statement to extract the abnormal behavior.Finally,use ensemble learning model composed of Bagging,Boosting and Stacking to further analyze user behavior and create a feature database.Detect user behavior based on the feature database.The detailed construction process of the scheme is given including data preprocessing,training,learning model construction and anomaly detection.The performance of the proposed scheme are evaluated and compared on different metrics.The results show that the scheme can detect abnormal database user behavior with high efficiency and accuracy.

关 键 词：异常检测 数据库系统 用户行为 密度聚类 集成学习 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]