
Cluster Anomaly Detection Algorithm Based on Multi-windows Mechanism (cited by: 6)
Abstract: This paper analyzes the shortcomings of single-window cluster anomaly detection algorithms and uses the concepts of weight, similarity and local density to perform affiliation search and anomaly merging on the potential anomalies detected within a single window, yielding a data stream anomaly detection algorithm based on a multi-window mechanism. The algorithm first applies an improved K-means clustering algorithm to the preprocessed data stream within each window for preliminary cluster detection, dividing each window's clustering result into a set of normal clusters and a set of potential anomalies. It then makes a second judgment on the single-window results. For the potential anomalies detected in a single window, the similarity principle is used to search for a normal cluster they belong to, eliminating false anomaly judgments; local density and related concepts are then used to merge the remaining potential anomalies, again excluding points that may be normal. Finally, time weights are used to combine the detection results of multiple data stream windows into the final set of anomalous data. Simulation experiments show that, compared with single-window data stream anomaly detection algorithms, this algorithm raises the anomaly detection rate for data streams and reduces false anomaly judgments, giving it an advantage in both detection rate and false alarm rate.
Source: Netinfo Security (《信息网络安全》), 2016, No. 11, pp. 33-39 (7 pages)
Funding: Natural Science Foundation of Hubei Province [2015CF867]
Keywords: single window; multi-windows; data flow; anomaly detection