Journal of Frontiers of Computer Science and Technology ›› 2020, Vol. 14 ›› Issue (7): 1154-1163. DOI: 10.3778/j.issn.1673-9418.1908003


Intranet Anomaly Detection Method Using Flow Mining and Graph Mining

SUN Wei, ZHANG Yu   

  1. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
    2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
    3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  Online: 2020-07-01; Published: 2020-08-12

Chinese title (translated): Intranet Anomaly Detection Method Using Flow Mining and Graph Mining (利用流挖掘和图挖掘的内网异常检测方法)

SUN Wei (孙伟), ZHANG Yu (张羽)

  1. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
    2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
    3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Abstract:

Evidence of malicious activity on an intranet is often buried in large data streams, such as system logs that accumulate over months or years, and such streams are typically unbounded, continuously changing, and unlabeled. To achieve highly accurate anomaly detection under these conditions, this paper proposes an intranet anomaly detection method that integrates flow mining (data stream mining) with graph mining, combining the unsupervised advantage of graph mining with the adaptive capability of flow mining. An ensemble of classifiers is maintained and updated as the stream arrives; when concept drift occurs, the ensemble-based update keeps the ensemble consistent with the current concept, so that malicious intranet behaviour continues to be detected. Experiments show that this method is more effective than the traditional single-model approach and can effectively detect intranet anomalies that change their behaviour over time to hide malicious activity. The proposed method based on flow mining and graph mining is therefore well suited to unlabeled intranet anomaly data hidden in large data streams.
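The abstract describes the mechanism only at a high level (graph features scored without labels, an ensemble that is re-weighted and updated per stream chunk so it follows concept drift). The sketch below is an added illustration of that kind of scheme, written for this page; it is not the authors' code and does not reproduce their method. Everything concrete in it is an assumption: the connection stream is consumed in fixed windows of (src, dst) records; the graph feature is each source host's out-degree (distinct destinations); an ensemble member is the median/MAD baseline of one window; members are re-weighted on every window by how well they explain it, and the weakest is evicted when the ensemble is full. The traffic is constructed to contain a legitimate baseline shift (drift) followed by a scanning host.

```python
"""Adaptive ensemble over per-window graph features from an intranet stream.

Constructed illustration, not the paper's code. Assumptions (not from the paper):
  * the log is consumed as fixed windows of (src, dst) connection records;
  * the graph feature is each source host's out-degree (distinct destinations);
  * an ensemble member is the robust (median, MAD) baseline of one window;
  * members are re-weighted on every window and the weakest is evicted when
    the ensemble is full, which is how the ensemble follows concept drift.
"""
from collections import defaultdict
from statistics import median

MAX_MEMBERS = 3   # bounded ensemble size
ANOMALY_Z = 3.5   # robust z-score threshold for flagging a host


def out_degrees(window):
    """Graph step: number of distinct destinations contacted by each source host."""
    neighbours = defaultdict(set)
    for src, dst in window:
        neighbours[src].add(dst)
    return {host: len(dsts) for host, dsts in neighbours.items()}


def fit_member(degrees):
    """One ensemble member: median/MAD baseline, robust to a few outlier hosts."""
    vals = list(degrees.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0   # guard against MAD == 0
    return {"median": med, "mad": mad}


def robust_z(member, value):
    """Robust z-score; 0.6745 rescales the MAD to a normal-distribution sigma."""
    return 0.6745 * (value - member["median"]) / member["mad"]


def fitness(member, degrees):
    """Member weight: high when the member explains the current window well."""
    mean_abs_z = sum(abs(robust_z(member, v)) for v in degrees.values()) / len(degrees)
    return 1.0 / (1.0 + mean_abs_z)


class StreamEnsemble:
    def __init__(self, max_members=MAX_MEMBERS):
        self.max_members = max_members
        self.members = []   # list of (member, weight)

    def score(self, degrees):
        """Weighted robust z-score per host under the current ensemble."""
        if not self.members:
            return {h: 0.0 for h in degrees}
        total = sum(w for _, w in self.members)
        return {h: sum(w * robust_z(m, v) for m, w in self.members) / total
                for h, v in degrees.items()}

    def update(self, degrees):
        """Re-weight existing members on this window, add a member fitted on it,
        and evict the lowest-weight member when over capacity."""
        self.members = [(m, fitness(m, degrees)) for m, _ in self.members]
        new = fit_member(degrees)
        self.members.append((new, fitness(new, degrees)))
        while len(self.members) > self.max_members:
            worst = min(range(len(self.members)), key=lambda i: self.members[i][1])
            del self.members[worst]


def run_stream(windows, ensemble):
    """Prequential loop: score each window with the current ensemble, then learn from it."""
    flagged = []
    for window in windows:
        degrees = out_degrees(window)
        scores = ensemble.score(degrees)
        flagged.append(sorted(h for h, z in scores.items() if z > ANOMALY_Z))
        ensemble.update(degrees)
    return flagged


def make_window(base, scanner=None):
    """Constructed traffic: host h<i> contacts base + (i % 3) distinct servers."""
    window = [(f"h{i}", f"srv{j}") for i in range(8) for j in range(base + i % 3)]
    if scanner:
        window += [(scanner, f"srv{j}") for j in range(60)]   # one host sweeps 60 servers
    return window


# Three stable windows, then the legitimate baseline drifts upwards (say a new
# deployment multiplies normal fan-out), and a scanning host appears in the last window.
STREAM = [make_window(3), make_window(3), make_window(3),
          make_window(15), make_window(15), make_window(15, scanner="h_scan")]


def compare():
    """Adaptive ensemble versus a single model fitted once on the first window."""
    adaptive = run_stream(STREAM, StreamEnsemble())
    static = StreamEnsemble(max_members=1)
    static.update(out_degrees(STREAM[0]))
    static_last = sorted(h for h, z in static.score(out_degrees(STREAM[-1])).items()
                         if z > ANOMALY_Z)
    return adaptive, static_last


if __name__ == "__main__":
    adaptive, static_last = compare()
    for i, hosts in enumerate(adaptive, 1):
        print(f"window {i}: ensemble flags {hosts}")
    print(f"window 6: static model flags {static_last}")
```

Running it shows the behaviour the abstract argues for: the first drifted window raises a drift alarm (every host is flagged, because no member has seen the new concept yet), the next window is already quiet because the freshly fitted member dominates the weights, and in the last window only the scanning host is flagged. The single model fitted once on the first window flags every host in the last window, which is the false-positive flood a static baseline produces once the legitimate concept has moved.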

Key words: anomaly detection, graph computing, intranet anomaly, ensemble learning

Abstract (Chinese version, translated):

Evidence of malicious insider activity on an intranet is usually hidden in large data streams, such as system logs accumulated over months or years, yet data streams are often unbounded, continuously changing, and unlabeled. To achieve highly accurate anomaly detection, this paper proposes an intranet anomaly detection method that integrates flow mining (data stream mining) and graph mining, exploiting the unsupervised advantage of graph mining while incorporating the good adaptive capability of flow mining. An ensemble approach is adopted: through ensemble classification and updating, when concept drift occurs the ensemble is kept adapted to the current concept so that malicious intranet behaviour can still be detected. Experiments show that the ensemble-based method is more effective than the traditional single-model method and can effectively identify intranet anomalies that change their behaviour over time to hide malicious activity; for unlabeled intranet anomaly data hidden in large data streams, the proposed ensemble method based on flow mining and graph mining is highly meaningful.

Key words (Chinese version, translated): anomaly detection, graph computing, intranet anomaly, ensemble learning