
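Anomaly detection model of host group based on graph-evolution events
Cite this article: YE Xiao-ming, CHEN Xing-shu, YANG Li, WANG Wen-xian, ZHU Yi, SHAO Guo-lin, LIANG Gang. Anomaly detection model of host group based on graph-evolution events[J]. Journal of Shandong University (Natural Science), 2018, 53(9): 1-11.
Authors: YE Xiao-ming  CHEN Xing-shu  YANG Li  WANG Wen-xian  ZHU Yi  SHAO Guo-lin  LIANG Gang
Affiliations: 1. College of Computer Science, Sichuan University, Chengdu 610065, Sichuan; 2. College of Cybersecurity, Sichuan University, Chengdu 610065, Sichuan; 3. School of Economics and Management, Southwest Jiaotong University, Chengdu 610031, Sichuan
Funding: National Natural Science Foundation of China (61272447); Science and Technology Support Program of the Sichuan Provincial Department of Science and Technology (2016GZ0042, 16ZHSF0483, 2017GZ0168); Key Scientific Research Project funded by the Sichuan Provincial Department of Education (17ZA0238, 17ZA0200)
Abstract: To address the service-aggregated communication behavior and the new coordinated attack patterns, typified by distributed attacks, that appear in network environments, a host-group anomaly detection model based on graph-evolution events is proposed. The potential social relationships among actors, the host groups that form by clustering, and the dynamic characteristics of their group behavior are analyzed; the model is parameter-free and scales with data volume. Dynamic graph-evolution events and a detection algorithm are defined and proposed to detect anomalous host groups. The model is implemented and deployed on Spark, and data extracted from real computer and network environments are used for analysis and validation. The experimental results show that the model effectively characterizes group behavior, reveals important graph-evolution events, and accurately locates the host groups in which anomalies occur, with a detection rate of 95.09% for group member hosts.

Keywords: graph-evolution event  host group  group behavior  anomaly detection
Received: 2017-08-28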

Anomaly detection model of host group based on graph-evolution events
YE Xiao-ming, CHEN Xing-shu, YANG Li, WANG Wen-xian, ZHU Yi, SHAO Guo-lin, LIANG Gang. Anomaly detection model of host group based on graph-evolution events[J]. Journal of Shandong University, 2018, 53(9): 1-11.
Authors: YE Xiao-ming  CHEN Xing-shu  YANG Li  WANG Wen-xian  ZHU Yi  SHAO Guo-lin  LIANG Gang
Institution: 1. College of Computer Science, Sichuan University, Chengdu 610065, Sichuan, China; 2. College of Cybersecurity, Sichuan University, Chengdu 610065, Sichuan, China; 3. School of Economics and Management, Southwest Jiao Tong University, Chengdu 610031, Sichuan, China
Abstract: To address communication behavior aggregated around services and the new collaborative attack mode typified by distributed attacks in the network environment, an anomaly detection model of host groups based on graph-evolution events is proposed. It analyzes the potential social relationships of actors, the clustering of hosts into host groups, and the dynamics of their group behavior. The model is parameter-free and scales with data volume. Dynamic graph-evolution events and a detection algorithm are defined to detect abnormal host groups. The model is implemented and deployed on Spark, and data extracted from real computer and network environments are used for analysis and verification. The experimental results show that the model effectively describes group behavior, exposes important graph-evolution events, and accurately locates the host groups in which anomalies occur. The detection rate of group member hosts is 95.09%.
Keywords: graph-evolution event  host group  group behavior  anomaly detection
This article is indexed in CNKI and other databases.