Abstract
To detect the communications of an Advanced Persistent Threat (APT), this paper presents a detection method for server-side and host-side log data. It builds an IP address database and uses the DBSCAN clustering algorithm to collect and process massive log data and obtain the abnormal communication logs. The abnormal communication logs are then examined with a Latent Dirichlet Allocation (LDA) model built on 14 APT communication features. Experimental results show that, compared with Latent Semantic Analysis (LSA) and Probabilistic Latent Semantic Analysis (PLSA) detection models, LDA modeling improves both the efficiency and the accuracy of APT communication detection.
Source
Computer Engineering (计算机工程), 2017, No. 2, pp. 194-200 and 205 (8 pages in total)
Indexed in: CAS, CSCD, Peking University Core Journals
Keywords
Advanced Persistent Threat (APT); big data processing; IP specification; DBSCAN algorithm; characteristic description