An Abnormal Traffic Detection Method Based on Feature Selection and Density Peak Clustering

Abstract

The invention discloses a method for detecting network traffic anomaly based on feature selection and density peak clustering. The method comprises the following stages: a stage of acquiring the traffic: monitoring a network through a network analysis tool, and acquiring monitored data packets in the local; a stage of extracting features: extracting the data packets belonging to the same stream from the data packets, performing feature extraction of the data packets, and normalizing the extracted features; a stage of selecting the features: evaluating the importance of each feature on classification decision by utilizing a maximal information coefficient, simply clustering the features according to the redundancy among the features, selecting one feature having the highest importance, and adding the feature having the highest importance into a feature sub-set; and a stage of clustering and analyzing: clustering the features by adopting an improved clustering method based on a density peak so as to obtain clusters in a plurality of traffic types, performing little sampling of the cluster in each traffic type, performing class detection, and covering the traffic types of the clusters in the whole traffic types by utilizing the modal classified traffic types in a sampled sample, such that the anomaly traffic can be detected.

Description

technical field [0001] The invention belongs to the intersecting fields of data mining and abnormality detection, and in particular relates to an abnormal flow detection method based on feature selection and density peak clustering. Background technique [0002] When malicious behaviors such as snooping and intrusion occur, certain characteristics of the traffic transmitted on the network, such as traffic size, data packet length, and the content of a specific area of ​​the data packet, will show dissimilarity from normal traffic. If it can be detected as early as possible With these abnormal traffic, actions can be taken in advance to protect network security. It is of great significance to study the detection of these abnormal traffic, locate the abnormal host, and then deal with the abnormal host to avoid network congestion, ensure network performance, avoid abuse of network resources and protect network information security. [0003] The ease of use and automation of da...

AI Technical Summary

Problems solved by technology

[0004] 1. Due to the large amount of data, the extracted feature dimensions are high and there are irrelevant features, which makes abnormal traffic detection occupy high computing resources and take a long time to analyze. Therefore, effective methods are needed to extract the most suitable features

[0005] 2. The current supervised classification method requires a large amount of manual labeling of unknown traffic, which obviously cannot be applied to large-scale data volumes. Although some unsupervised clustering methods do not require labeling, the clustering accuracy and the required Time is sensitive to some parameters, such as the number of cluster centers, and it is difficult to achieve satisfactory results

An existing clustering method, the clustering algorithm based on the density peak, although it combines the advantages of the distance-based and density-based clustering methods, but in the selection stage of its cluster centers, it is necessary to establish a two-dimensional Matrix, in order to record the distance between the two, on a single machine, the data that can be processed is very limited

Images