Method for detecting anomaly traffic based on feature selection and density peak clustering

Abstract

The invention discloses a method for detecting network traffic anomaly based on feature selection and density peak clustering. The method comprises the following stages: a stage of acquiring the traffic: monitoring a network through a network analysis tool, and acquiring monitored data packets in the local; a stage of extracting features: extracting the data packets belonging to the same stream from the data packets, performing feature extraction of the data packets, and normalizing the extracted features; a stage of selecting the features: evaluating the importance of each feature on classification decision by utilizing a maximal information coefficient, simply clustering the features according to the redundancy among the features, selecting one feature having the highest importance, and adding the feature having the highest importance into a feature sub-set; and a stage of clustering and analyzing: clustering the features by adopting an improved clustering method based on a density peak so as to obtain clusters in a plurality of traffic types, performing little sampling of the cluster in each traffic type, performing class detection, and covering the traffic types of the clusters in the whole traffic types by utilizing the modal classified traffic types in a sampled sample, such that the anomaly traffic can be detected.

Description

Technical field [0001] The invention belongs to the cross field of data mining and abnormal detection, and particularly relates to an abnormal flow detection method based on feature selection and density peak clustering. Background technique [0002] When malicious behaviors such as snooping and intrusion occur, certain characteristics of the traffic transmitted on the network, such as the size of the traffic, the length of the data packet, and the content of the specific area of ​​the data packet, will show differences from the normal traffic. If it can be detected as soon as possible With these abnormal traffic, actions can be taken in advance to protect network security. The study of detecting and locating abnormal hosts caused by abnormal traffic, and then processing abnormal hosts, is of great significance to avoid network congestion, ensure network performance, avoid abuse of network resources, and protect network information security. [0003] The ease of use and automation...

AI Technical Summary

Problems solved by technology

[0004] 1. Due to the large amount of data, the extracted feature dimensions are high and there are irrelevant features, which makes abnormal traffic detection occupy high computing resources and take a long time to analyze. Therefore, effective methods are needed to extract the most suitable features

[0005] 2. The current supervised classification method requires a large amount of manual labeling of unknown traffic, which obviously cannot be applied to large-scale data volumes. Although some unsupervised clustering methods do not require labeling, the clustering accuracy and the required Time is sensitive to some parameters, such as the number of cluster centers, and it is difficult to achieve satisfactory results

An existing clustering method, the clustering algorithm based on the density peak, although it combines the advantages of the distance-based and density-based clustering methods, but in the selection stage of its cluster centers, it is necessary to establish a two-dimensional Matrix, in order to record the distance between the two, on a single machine, the data that can be processed is very limited

Images