
Automatic Clustering of Malicious IP Flow Records Using Unsupervised Learning


Abstract

Anomaly-based intrusion detection systems classify network traffic into normal and malicious categories. The intrusion detection system raises an alert when maliciousness is detected in the traffic. A security administrator inspects these alerts and takes corrective action to protect the network from intrusions and unauthorized access. Manual inspection of the alerts is also necessary because anomaly-based intrusion detection systems have a high false positive rate. The alerts can be very large in number, and their manual inspection is a challenging task. We propose an extension for anomaly-based intrusion detection systems which automatically groups malicious IP flows into different attack clusters. Our technique creates attack clusters from a training set of unlabeled IP flows using unsupervised learning. Every attack cluster consists of malicious IP flows which are similar to each other. We analyze the IP flows in every cluster and assign an attack label to them. After the clusters are created, an incoming malicious IP flow is compared with all clusters and the label of the closest cluster is assigned to the IP flow. The intrusion detection system uses the labeled flows to raise a consolidated anomaly alert for a set of similar IP flows. This approach significantly reduces the overall number of alerts and also generates a high-level map of the attack population. We use unsupervised learning techniques for automatic clustering of IP flows. Unsupervised learning is advantageous over supervised learning because the availability of a labeled training set for supervised learning is not always guaranteed. Three unsupervised learning techniques, k-means, self-organizing maps (SOM) and DBSCAN, are considered for clustering of malicious IP flows. We evaluated our technique on a flow-based dataset containing different types of malicious flows. Experimental results show that our scheme gives good performance and places the majority of the IP flows in the correct attack clusters.
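The pipeline the abstract describes (cluster unlabeled malicious flows, have an analyst label each cluster, assign new flows to the nearest cluster, raise one consolidated alert per cluster) can be followed end to end in a small self-contained example. The code below is an added illustration, not the authors' implementation: the flow records are constructed, the feature set (duration, packets, bytes, distinct destination ports), the log/min-max scaling, the pure-Python k-means with farthest-first seeding and the thresholds in describe_cluster (which stands in for the manual inspection step) are all assumptions chosen for the example. SOM and DBSCAN would slot in at the same point as kmeans.

```python
"""Cluster malicious IP flow records with k-means, label the clusters, and
consolidate per-flow alerts into one alert per attack cluster.

Added example with constructed data; not the paper's code or dataset.
"""
import math
from collections import Counter
from statistics import median

# Constructed, unlabeled training flows (the analyst has not yet seen them).
# Feature vector per flow: (duration_s, packets, bytes, distinct_dst_ports).
TRAINING_FLOWS = [
    (0.5, 40, 2400, 38), (0.7, 55, 3300, 50), (0.4, 30, 1800, 29), (0.6, 48, 2900, 45),
    (2.0, 5000, 300000, 1), (1.5, 4200, 250000, 1), (2.5, 6100, 370000, 1), (1.8, 4800, 290000, 1),
    (120.0, 600, 48000, 1), (150.0, 750, 60000, 1), (90.0, 450, 36000, 1), (130.0, 640, 51000, 1),
]

# Constructed flows arriving after the model is built (already flagged malicious).
INCOMING_FLOWS = [
    (0.5, 45, 2700, 42), (0.8, 60, 3600, 55),   # scan-like
    (2.2, 5500, 330000, 1),                     # flood-like
    (110.0, 550, 44000, 1),                     # brute-force-like
]


def make_scaler(flows):
    """log1p + min-max scaling fitted on the training flows, so that byte
    counts do not dominate the Euclidean distance used by k-means."""
    logged = [[math.log1p(v) for v in f] for f in flows]
    lo = [min(col) for col in zip(*logged)]
    hi = [max(col) for col in zip(*logged)]

    def scale(flow):
        return tuple((math.log1p(v) - l) / (h - l) if h > l else 0.0
                     for v, l, h in zip(flow, lo, hi))
    return scale


def nearest(point, centroids):
    """Index of the centroid closest to point."""
    return min(range(len(centroids)), key=lambda i: math.dist(point, centroids[i]))


def kmeans(points, k, iters=100):
    """Lloyd's k-means. Seeding is farthest-first (deterministic) rather than
    random so that runs are reproducible; k is an analyst-chosen parameter."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    for _ in range(iters):
        assign = [nearest(p, centroids) for p in points]
        new = []
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            new.append(tuple(sum(col) / len(members) for col in zip(*members))
                       if members else centroids[c])
        if new == centroids:
            break
        centroids = new
    return centroids, [nearest(p, centroids) for p in points]


def describe_cluster(members):
    """Stand-in for the analyst's manual inspection of one cluster: name it
    from the median raw features of its flows. Thresholds are hypothetical."""
    if not members:
        return "unlabeled"
    dur, pkts, _bytes, ports = (median(col) for col in zip(*members))
    if ports > 10:
        return "port-scan"
    if pkts / dur > 1000:
        return "flood"
    return "brute-force"


def build_model(flows, k=3):
    """Cluster the unlabeled training flows and attach a label to each cluster."""
    scale = make_scaler(flows)
    centroids, assign = kmeans([scale(f) for f in flows], k)
    labels = {c: describe_cluster([f for f, a in zip(flows, assign) if a == c])
              for c in range(k)}
    return scale, centroids, labels, assign


def classify(flow, scale, centroids, labels):
    """Assign an incoming malicious flow the label of its closest cluster."""
    return labels[nearest(scale(flow), centroids)]


def consolidate(flows, scale, centroids, labels):
    """One alert per attack cluster (with a flow count) instead of one per flow."""
    return Counter(classify(f, scale, centroids, labels) for f in flows)


if __name__ == "__main__":
    scale, centroids, labels, _ = build_model(TRAINING_FLOWS)
    for label, count in consolidate(INCOMING_FLOWS, scale, centroids, labels).items():
        print(f"ALERT {label}: {count} similar malicious flows")
```

The number of clusters k has to be chosen before clustering, which is exactly what DBSCAN avoids, and the quality of the result depends on the feature scaling: without the log transform, the byte counts of the flood-like flows dwarf every other feature and the scan and brute-force groups collapse into one cluster.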

Bibliographic record

  • Source
    Enterprise Security | 2015 | pp. 97-119 | 23 pages
  • Conference location: Vancouver (CA)
  • Author affiliation

    Department of Computer Science and Software Engineering, Faculty of Basic and Applied Sciences, International Islamic University, Islamabad, Pakistan

  • Original format: PDF
  • Language: English
