Abstract
In information security, detecting anomalous behaviour of information assets is a relatively hard problem, and locating previously unknown anomalous behaviour in unlabelled data sets is harder still. It requires extracting from historical data the content that can serve as a behavioural baseline for the asset, so that a reliable reference is formed; the data under inspection is then summarised and compared against that reference to analyse unknown threats that may be present. This paper applies the spectral clustering algorithm from machine learning to the historical network communication data of the information assets concerned, extracts features with a similarity-based method and builds a behavioural baseline from them. The data to be inspected is compared with the baseline, and a deviation beyond a set degree is treated as a behavioural anomaly. The proposed method can identify the unknown threats that are widespread in cyberspace, compensating for the gaps left by traditional signature-based detection.
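The pipeline the abstract describes (similarity-based features from historical traffic, spectral clustering to form baseline clusters, deviation scoring of new observations) is shown below as an added, self-contained example. It is illustrative code written for this page, not the authors' implementation: the feature set (log bytes sent, distinct destination ports, distinct destination IPs per asset and hour), the Gaussian kernel width `sigma`, the number of clusters `k`, the radius definition and the deviation threshold are all assumptions, and the history rows are constructed. The spectral step is the Ng-Jordan-Weiss form (normalised Laplacian, k smallest eigenvectors, row normalisation, k-means), with a pure-Python Jacobi eigen-solver so no third-party library is needed.

```python
"""Behaviour baseline from spectral clustering, then deviation scoring (illustrative).

Each row is a constructed per-asset, per-hour traffic summary:
  [log10(bytes sent), distinct destination ports, distinct destination IPs]
Feature choice, kernel width, k and the deviation threshold are assumptions, not the paper's.
"""
import math

# Constructed history: four workstation-like and four server-like observations.
HISTORY = [
    [5.1, 3, 4], [5.3, 2, 5], [4.9, 3, 3], [5.0, 4, 4],       # workstations
    [8.2, 1, 40], [8.0, 1, 45], [8.4, 2, 38], [8.1, 1, 42],   # servers
]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def zscore(rows):
    """Scale each feature to zero mean / unit variance so IP counts do not swamp the rest."""
    cols = list(zip(*rows))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, mu)]
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows], mu, sd


def jacobi_eigh(a, sweeps=100, tol=1e-12):
    """Eigen-decomposition of a symmetric matrix by Jacobi rotations (pure Python).
    Returns (eigenvalues, V) with the eigenvectors in the columns of V."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for m in (a, v):                      # columns p, q of A and V: M <- M P
                    for k in range(n):
                        mkp, mkq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mkp - s * mkq, s * mkp + c * mkq
                for k in range(n):                    # rows p, q of A: A <- P^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)], v


def spectral_embedding(x, k, sigma):
    """Gaussian similarity graph -> normalised Laplacian -> k smallest eigenvectors, row-normalised."""
    n = len(x)
    w = [[math.exp(-dist(x[i], x[j]) ** 2 / (2 * sigma ** 2)) for j in range(n)] for i in range(n)]
    d = [sum(row) for row in w]
    lap = [[float(i == j) - w[i][j] / math.sqrt(d[i] * d[j]) for j in range(n)] for i in range(n)]
    vals, vecs = jacobi_eigh(lap)
    keep = sorted(range(n), key=vals.__getitem__)[:k]
    rows = [[vecs[i][j] for j in keep] for i in range(n)]
    return [[c / (math.sqrt(sum(v * v for v in r)) or 1.0) for c in r] for r in rows]


def kmeans(pts, k, iters=100):
    """Lloyd's algorithm with deterministic farthest-point seeding (no RNG, so runs repeat exactly)."""
    cents = [pts[0]]
    while len(cents) < k:
        cents.append(max(pts, key=lambda p: min(dist(p, c) for c in cents)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist(p, cents[j])) for p in pts]
        new = []
        for j in range(k):
            members = [p for p, l in zip(pts, labels) if l == j] or [cents[j]]
            new.append([sum(col) / len(members) for col in zip(*members)])
        if new == cents:
            break
        cents = new
    return labels


def build_baseline(history, k=2, sigma=1.0, threshold=3.0):
    """Cluster the scaled history; each cluster becomes a (centre, radius) reference in feature space."""
    scaled, mu, sd = zscore(history)
    labels = kmeans(spectral_embedding(scaled, k, sigma), k)
    clusters = []
    for j in range(k):
        members = [p for p, l in zip(scaled, labels) if l == j]
        if not members:
            continue
        centre = [sum(col) / len(members) for col in zip(*members)]
        spread = [dist(p, centre) for p in members]
        m = sum(spread) / len(spread)
        s = math.sqrt(sum((v - m) ** 2 for v in spread) / len(spread))
        clusters.append((centre, max(m + s, 1e-9)))   # radius = mean member distance + 1 sd (assumed)
    return {"mu": mu, "sd": sd, "labels": labels, "clusters": clusters, "threshold": threshold}


def deviation(baseline, sample):
    """Distance to the nearest baseline cluster, in units of that cluster's radius."""
    x = [(v - m) / s for v, m, s in zip(sample, baseline["mu"], baseline["sd"])]
    return min(dist(x, c) / r for c, r in baseline["clusters"])


def is_anomalous(baseline, sample):
    return deviation(baseline, sample) > baseline["threshold"]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("cluster labels:", base["labels"])
    for name, sample in [("workstation, usual hour", [5.2, 3, 4]),
                         ("workstation that started scanning", [5.4, 25, 30])]:
        print(f"{name}: deviation={deviation(base, sample):.2f} anomalous={is_anomalous(base, sample)}")
```

Two practical points the abstract glosses over show up here: features must be scaled before the similarity kernel is applied, or the destination-IP count alone decides the graph; and the baseline is only as good as the history, so a scanning host that was already present during the baseline window would be absorbed into a cluster rather than flagged. In production the threshold and radius would be tuned against labelled incidents, and the baseline rebuilt periodically with known incidents excluded.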
Authors
Meng Qingjie (孟庆杰); Yao Haichang (尧海昌)
School of Computer and Software, Nanjing Vocational University of Industry Technology, Nanjing 210023, China; Industrial Software Engineering Technology Research and Development Center of Jiangsu Education Department, Nanjing Vocational University of Industry Technology, Nanjing 210023, China; School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Source
Journal of Nanjing University of Science and Technology (《南京理工大学学报》)
Indexed in: EI, CAS, CSCD, Peking University Core Journals
2021, No. 2, pp. 205-213 (9 pages)
Funding
Jiangsu Provincial Key Research and Development Program (BE2017166).
Keywords
spectral clustering algorithm
information asset
behaviour anomaly detection
unidentified threat