Research and Implementation of Clustering Algorithms for Mobile Phone Virus Intrusion Detection
Abstract (translated from the Chinese)
With the development of information and communication technology and the growth of user demand, the mobile phone has evolved from a simple communication tool into an intelligent terminal that combines entertainment, office work and communication. A smartphone runs an independent operating system on which third-party software can be installed and used, so the phone no longer provides only simple voice and text services: it now integrates short-range wireless transmission, multimedia messaging, mobile Internet access, mobile office, audio and video entertainment and simple image processing, and has effectively become a mobile PC. While users enjoy the convenience and enjoyment this intelligence brings to daily life, virus intrusions and destructive behaviour aimed at smartphones are also increasing, with a strongly negative effect on users' communication security and user experience. Anti-virus technology for mobile phones lags behind the pace at which viruses evolve, so there is an urgent need to bring the experience and technical accumulation of computer anti-virus work into the field of mobile phone virus research. The research and implementation of intrusion detection technology for mobile phone viruses presented in this thesis was proposed against this background.
     This thesis first describes the characteristics and operating principles of mobile phone viruses in detail and analyses the feasibility of applying clustering algorithms to intrusion detection. It then proposes, for the characteristics of mobile phone viruses, an incremental hierarchical clustering algorithm based on learning from abnormal data. The algorithm is an agglomerative hierarchical clustering algorithm that represents the actual data of each cluster by a specified set of representative points, and uses a shrinkage factor to control the distribution of those representative points; this represents irregular data distributions effectively and also adapts well to outlying data points. The innovation of the algorithm is that newly added abnormal data can be used to correct the clusters produced in the earlier modelling stage, which gives the algorithm a self-learning capability: building on the earlier modelling results, it adds the latest virus feature data to the virus feature library. This also overcomes the weakness of hierarchical clustering that, once a merge step has been completed, the data in the resulting clusters cannot be changed.
     For the application requirements of mobile phone virus intrusion detection, and by studying and improving earlier work, this thesis proposes the "incremental hierarchical clustering algorithm based on learning abnormal data" (ICLAD for short). The algorithm meets the needs of mobile phone virus detection well, and its ideas guided the design and development of an intrusion detection system for mobile phone viruses. The system is deployed on the core-network side of the mobile communication system: it models and learns from the massive volume of mobile phone communication data obtained from the network, derives feature libraries for normal and virus data from it, and then uses these attribute feature libraries to examine network data and discover abnormal data, so as to give users a secure and reliable communication environment. System test results show that the system can effectively derive rules from unlabelled data, and that testing data against these rules achieves good detection results.
Abstract (original English version)
With the development of ICT and the growth of user application demand, mobile phones have gradually moved from the traditional "da ge da", which could only make and receive calls, towards intelligent devices. A smartphone supports a separate operating system on which third-party software can be installed and used. This changed the phone from a device that could only provide simple voice and text message services into one that integrates short-range wireless transmission, multimedia messaging, mobile Internet, mobile office, audio and video entertainment and simple image processing functions, becoming a mobile PC. While users enjoy the easier and more enjoyable life that intelligent devices bring, viruses and vandalism aimed at smartphones are also increasing, causing great harm to users' communication security and user experience. Mobile phone anti-virus technology is lagging behind virus updates, so we urgently need to apply the experience and accumulated techniques of computer anti-virus work to the mobile phone field. The research and implementation of intrusion detection technology against mobile phone viruses is put forward on this basis.
     This paper describes the characteristics and operating principles of mobile phone viruses in detail and analyses the feasibility of applying clustering algorithms to intrusion detection. It then proposes, for the characteristics of such viruses, an incremental hierarchical clustering algorithm based on the study of abnormal incremental data. This is an agglomerative hierarchical clustering algorithm that uses designated representative points of each cluster to represent the actual data, and at the same time uses a shrinkage factor to control the distribution of the representative points. The method represents irregular data distributions effectively and adapts well to anomalous data points. The innovation of the algorithm is that it can use incremental abnormal data to correct the clusters modelled earlier, so that the algorithm has a self-learning ability: building on the earlier modelling results, it adds the latest virus signature data to the virus signature database. This also overcomes the shortcoming that, once all merge steps are done, the data in the resulting clusters cannot be changed.
     This paper designed and developed an intrusion detection system against mobile phone viruses according to the "incremental hierarchical clustering algorithm based on abnormal data study" and the characteristics of mobile phone viruses. The system models the vast amount of data obtained from the network, obtains normal and virus signature data, and then examines network data using these signatures. System test results show that the system can effectively derive rules from unlabelled data and achieve good detection results by testing with those rules.
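The algorithm sketched in both abstracts (agglomerative hierarchical clustering in which each cluster is summarised by a few representative points shrunk toward the centroid, with newly observed abnormal records folded back into the model instead of being frozen out) is illustrated by the following added example. It is not the thesis's code and does not reproduce ICLAD; the representative-point selection and shrink rule follow the CURE scheme, the incremental step and the size-based "normal versus abnormal" labelling are this editor's reading of the abstract and are marked as assumptions, and the per-handset feature vectors are constructed, not real traffic.

```python
"""Added example (not the thesis's code): CURE-style agglomerative clustering with
shrunken representative points, plus an incremental update step in the spirit of
ICLAD. Feature vectors, thresholds and labelling rule are constructed/assumed."""
import math
from itertools import combinations


def dist(a, b):
    return math.dist(a, b)


def centroid(points):
    n, dim = len(points), len(points[0])
    return tuple(sum(p[i] for p in points) / n for i in range(dim))


def representatives(points, c=3, alpha=0.3):
    """Pick up to c well-scattered points (farthest-first, as in CURE) and shrink
    each toward the cluster centroid by the factor alpha. Shrinking pulls the
    representatives away from outlying members, so one stray record does not
    drag the cluster boundary with it."""
    cen = centroid(points)
    reps, cand = [], list(points)
    while cand and len(reps) < c:
        if not reps:
            p = max(cand, key=lambda q: dist(q, cen))
        else:
            p = max(cand, key=lambda q: min(dist(q, r) for r in reps))
        reps.append(p)
        cand.remove(p)
    return [tuple(r[i] + alpha * (cen[i] - r[i]) for i in range(len(cen))) for r in reps]


def make_cluster(points, c=3, alpha=0.3):
    return {"points": list(points), "reps": representatives(points, c, alpha)}


def cluster_distance(a, b):
    # distance between two clusters = closest pair of representative points
    return min(dist(r, s) for r in a["reps"] for s in b["reps"])


def hierarchical_cluster(points, k, c=3, alpha=0.3):
    """Agglomerative clustering: one cluster per record, then repeatedly merge
    the two closest clusters (recomputing representatives) until k remain."""
    clusters = [make_cluster([p], c, alpha) for p in points]
    while len(clusters) > k:
        i, j = min(combinations(range(len(clusters)), 2),
                   key=lambda ij: cluster_distance(clusters[ij[0]], clusters[ij[1]]))
        merged = make_cluster(clusters[i]["points"] + clusters[j]["points"], c, alpha)
        clusters = [cl for idx, cl in enumerate(clusters) if idx not in (i, j)] + [merged]
    return clusters


def label_clusters(clusters, min_normal_size):
    """Assumption (usual in unlabelled-data IDS work): large clusters describe
    normal behaviour, small ones form the virus/abnormal feature library."""
    for cl in clusters:
        cl["label"] = "normal" if len(cl["points"]) >= min_normal_size else "abnormal"
    return clusters


def nearest(clusters, record):
    best = min(clusters, key=lambda cl: min(dist(record, r) for r in cl["reps"]))
    return best, min(dist(record, r) for r in best["reps"])


def detect(clusters, record, threshold):
    """Classify a record by its nearest representative point; a record farther
    than threshold from every library matches nothing known."""
    cl, d = nearest(clusters, record)
    return cl["label"] if d <= threshold else "unknown"


def incremental_update(clusters, record, threshold, c=3, alpha=0.3):
    """ICLAD-style step (assumed reading of the abstract): a new record joins its
    nearest cluster and that cluster's representatives are recomputed, so the
    earlier modelling output is corrected rather than frozen; a record abnormal
    with respect to every cluster seeds a new abnormal cluster, i.e. a new entry
    in the virus feature library. Returns (cluster, created_new_cluster)."""
    cl, d = nearest(clusters, record)
    if d <= threshold:
        cl["points"].append(record)
        cl["reps"] = representatives(cl["points"], c, alpha)
        return cl, False
    new = make_cluster([record], c, alpha)
    new["label"] = "abnormal"
    clusters.append(new)
    return new, True


# Constructed sample: per-handset features already scaled to [0, 1],
# e.g. (message send rate, short-range connection rate). Not real traffic.
NORMAL = [(0.10, 0.10), (0.15, 0.12), (0.12, 0.08), (0.20, 0.15), (0.08, 0.20), (0.18, 0.05)]
WORMLIKE = [(0.90, 0.85), (0.85, 0.90), (0.95, 0.80)]


def build_model():
    clusters = hierarchical_cluster(NORMAL + WORMLIKE, k=2)
    return label_clusters(clusters, min_normal_size=5)


if __name__ == "__main__":
    model = build_model()
    print([(cl["label"], len(cl["points"])) for cl in model])
    print(detect(model, (0.88, 0.87), threshold=0.25))   # matches the virus library
    print(detect(model, (0.50, 0.50), threshold=0.25))   # unknown, so learn it
    incremental_update(model, (0.50, 0.50), threshold=0.25)
    print(detect(model, (0.52, 0.48), threshold=0.25))   # now recognised as abnormal
```

The threshold and the shrink factor are the two knobs a deployment would tune: a small shrink factor keeps the representatives near the cluster edge and widens what counts as "known", while a large one makes every cluster tighter and pushes more traffic into the "unknown" bucket that the incremental step then turns into new abnormal clusters.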