hooglsub.blogg.se

Awstats vulnerability

Logs are generated by systems to record detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the dataset into different clusters. Then, the obvious normal events, which usually present as highly coherent clusters, are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method we proposed, we constructed a log collection and anomaly detection platform in the campus network center of Xi’an Jiaotong University.

Over the past years, botnets have gained the attention of researchers worldwide. A lot of effort has been put into detecting the presence of a botnet. Many researchers focus on developing systems and comparing detection methods to detect botnet activity. Identifying an appropriate threshold value is essential in order to differentiate between normal and abnormal network traffic. A suitable threshold value can minimize the false positive rate for botnet activity. Therefore, in this paper, we identify the appropriate static value of the threshold for detecting HTTP botnets. The likelihood ratio test and the classification table are the two tests used to assess the fit of the model. A comparative analysis with another researcher has also been conducted. The results showed that about 95% of the data are declared as an attack when the data sample is compared with the threshold value. Thus, the threshold value gives acceptable discrimination for detecting HTTP botnet activity.

Observing network traffic flow for anomalies is a common method in intrusion detection. Considerable effort has gone into using data mining and machine learning algorithms to construct anomaly-based intrusion detection systems, but the dependency on learned models built from earlier network behaviour still exists, which restricts those methods in detecting new or unknown intrusions. Consequently, this investigation proposes a framework to identify a wide variety of anomalies by analysing heterogeneous logs, without using either a trained model of system transactions or the attributes of anomalies. To accomplish this, an existing component (clustering) has been used and a few new components (filtering, aggregating and feature analysis) have been introduced. Several logs from multiple sources are used as input, and this data is processed by all the modules of the framework. As each component is designed for a particular task towards the overall objective, the contribution of each component to anomaly detection is measured with various performance metrics. Ultimately, the framework is able to detect a broad range of intrusions that exist in the logs without using either attack knowledge or traffic behavioural models. The result achieved shows a pathway to designing anomaly detectors that can use raw traffic logs collected from heterogeneous sources on the monitored network and correlate events across the logs to detect intrusions.














