
Research On Internet Abnormal Traffic Dynamic Detection Technology

Posted on: 2018-09-08
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Song
Full Text: PDF
GTID: 2358330518959676
Subject: Computer Science and Technology
Abstract/Summary:
Network traffic anomaly detection is a method of intrusion detection. It collects, analyzes and processes the data flows in a network in real time and, based on the real-time operation of the network, sends warnings to the network administrator; its importance has attracted the attention of researchers. In the era of big data, the data to be detected is characterized by high speed and large volume, so processing abnormal network traffic data faces a huge challenge. Clustering analysis, however, can solve this problem well and has important practical value in anomaly detection. This thesis summarizes the theory of network anomaly detection and analyzes data mining, machine learning and other big data technologies. It points out the role of clustering analysis in network traffic anomaly detection, and then analyzes and compares the related concepts of clustering analysis in detail. In the data processing stage, we propose using information entropy to quantify the source data flow, which realizes the data processing before detection. In the cluster analysis stage, to address the problem of determining the K value of the K-means algorithm, an improved clustering algorithm based on the idea of merging small classes and dynamic determination is proposed. For the problem of selecting the algorithm's initial centers, a method based on density and maximum distance is proposed. In the cluster analysis stage, a network traffic anomaly detection model based on clustering analysis is proposed to solve the problem of large data traffic. The specific research contents are as follows:

(1) Quantitative measurement of data using information entropy is proposed. The traffic data is extracted according to the regularities that network data displays when the network is abnormal. The source IP address, destination IP address, source port and destination port are selected as the feature attributes for anomaly detection and are quantified using information entropy, which realizes the data processing before the detection stage.

(2) An improved K-means algorithm based on the idea of combining dynamic determination with density and maximum distance is proposed. In network anomaly detection, the K-means algorithm used for clustering analysis has many problems; in particular, the number of clusters K cannot be determined before the iterative process. To deal with this problem, the idea of class merging with dynamic determination is proposed: the optimal number of clusters K is determined through the maximum number of clusters and class merging over several iterations. To address the randomness of initial cluster center selection, a method is put forward that first obtains the maximum-density and minimum-density points as two initial centers and then, after several iterations, obtains the remaining K-2 centers according to the distance gap. Experimental data sets are used to verify the algorithm.

(3) An anomaly detection model based on clustering analysis is proposed. Three modules are constructed: data processing, cluster analysis and anomaly detection. The anomaly detection model is tested with the training data set and the simulated attack data set. The experimental results show that the improved K-means algorithm in this thesis has obvious advantages over traditional K-means in detection rate and false alarm rate.
Keywords/Search Tags: Traffic anomaly detection, Clustering analysis, Feature attributes, K-means algorithm
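The entropy quantification in item (1), as an added example that is not code from the thesis: it turns flow records into one entropy vector per time window over the four feature attributes, the kind of vector a clustering stage could take as input. The record layout, the 60-second window, the scaling by log2(n) and the sample flows are assumptions constructed for illustration.

```python
import math
from collections import Counter

# The four feature attributes named in the abstract.
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    counts = Counter(values)
    return sum((c / n) * math.log2(n / c) for c in counts.values())

def normalized_entropy(values):
    """Entropy divided by log2(n) (assumed scaling) so windows of different size compare."""
    n = len(values)
    return shannon_entropy(values) / math.log2(n) if n > 1 else 0.0

def entropy_vectors(flows, window_seconds=60):
    """Map window index -> {feature: normalized entropy}.

    flows: iterable of (timestamp, src_ip, dst_ip, src_port, dst_port).
    """
    windows = {}
    for ts, *attrs in flows:
        windows.setdefault(int(ts // window_seconds), []).append(attrs)
    vectors = {}
    for idx in sorted(windows):
        columns = zip(*windows[idx])
        vectors[idx] = {name: normalized_entropy(col)
                        for name, col in zip(FEATURES, columns)}
    return vectors

# Constructed sample data (documentation address ranges), not from the thesis.
# Window 0: four clients, two servers, mostly port 443.
NORMAL = [(t, f"10.0.0.{1 + t % 4}", f"192.0.2.{10 * (1 + t % 2)}",
           50000 + t, 80 if t % 4 == 0 else 443) for t in range(8)]
# Window 1: one source, one destination, every flow on a different destination port.
CONCENTRATED = [(60 + i, "10.0.0.9", "192.0.2.10", 51000 + i, 20 + i)
                for i in range(8)]

if __name__ == "__main__":
    for idx, vec in entropy_vectors(NORMAL + CONCENTRATED).items():
        print(idx, {k: round(v, 3) for k, v in vec.items()})
```

In the second window the address entropies collapse to 0 while the destination-port entropy rises to 1, so the two windows land far apart in the four-dimensional feature space.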