A Network Anomaly Detection Method Based on Transduction Scheme

4th National Conference on Electrical, Electronics and Computer Engineering (NCEECE 2015)Anomaly Detection Approach based on Function Code Traffic by UsingCUSUM AlgorithmMing Wan a*, Wenli Shang b, Peng Zeng cShenyang Institute of Automation, Chinese Academy of Sciences, Shenyang, ChinaKey Laboratory of Networked Control System, Chinese Academy of Sciences, Shenyang, Chinaa**************,b**************,c*********Keywords: Anomaly detection; Modbus/TCP; Function code traffic; Cumulative sum;Abstract. There is an increasing consensus that it is necessary to resolve the security issues in today’s industrial control system. From this point, this paper proposes an anomaly detection approach based on function code traffic to detect abnormal Modbus/TCP communication behaviors efficiently. Furthermore, this approach analyzes the Modbus/TCP communication packets in depth, and obtains the function code in each packet. According to the function code traffic change, this approach uses the Cumulative Sum (CUSUM) algorithm for change point detection, and generates an alarm. Our simulation results show that, the proposed approach is very available and effective to provide the security for industrial control system. Besides, we also discuss some advantages and drawbacks when using this approach.IntroductionNowadays, industrial control system has become an important part in many critical infrastructures, for example power, water, oil, gas, transportation, et al. With the development of modern networking, computing and control technologies, the deep integration of industrialization and informationization has been regarded as the inevitable tendency by both academia and industry. Especially, the “Industry 4.0” revolution, defined by Germany, further emphasizes the essential role of the networking technology [1]. However, the incoming networking technology has broken the original closure in industrial control system, and has brought some security problems into industrial control system [2]. Although there are various kinds of security methods in regular IT system, the traditional security methods cannot be applied directly to networked control system [3].There are two general approaches for improving the security in industrial control system. One is the communication control or access control approach, and its typical application is industrial firewall [4]. However, due to the manual rule setting and the real-time performance, this approach has been used to a limited extent. Secondly, the intrusion detection approach in industrial control system [5,6] is effective to identify network attacks, and it can give an alarm when suffering a great destruction. As a bypass approach to monitor the abnormal behaviors, intrusion detection technology has been attracting great interests of industry and researchers. Furthermore, intrusion detection can be into two categories: misuse detection and anomaly detection, and the proposed approach in this paper falls into the latter category.Anomaly detection technology in industrial control system can be divided into three categories [7,8]: statistics-based approach, knowledge-based approach, and machine learning-based approach. By supervising the industrial communication behaviors, these three categories of approaches can detect attacks, alarm and carry out the defensive measures before suffering from kinds of attacks. In the statistics-based approaches, Reference [9] uses the sequential detection model to realize the aberrant communication behaviors in control system. References [10] and [11] use the CUSUM algorithm to implement the communication traffic statistics in industrial control system, and explore the abnormal change point. However, the above statistical analysis only aims at the common industrial communication traffic, and cannot analyze the communication packets in depth according to the industrial communication protocol specification. In this paper, we propose an anomalyapproach based on function code traffic. In accordance with the Modbus/TCP protocol specification, this approach analyzes the Modbus/TCP communication packets in depth, and utilizes the function code traffic to detect abnormal Modbus/TCP communication behaviors. According to the function code traffic change, this approach uses the Cumulative Sum (CUSUM) algorithm for change point detection, and generates an alarm.Modbus/TCP and Vulnerability AnalysisModbus/TCP, regarded as an application layer protocol, is an open industrial communication protocol, and uses a typical master-slave communication mode. Namely, one Modbus master sends a request message to one Modbus slave, and the Modbus slave responds this message in accordanceAs shown in Fig. 1, the Modbus/TCP packet format mainly consists of three parts: MBAP (Modbus Application Protocol) header, Modbus function code and data. Wherein, MBAP header is a special header which is used to identify Modbus application data unit. Function code is a flag field to perform various operations, and is used to inform the slave to operate the corresponding function. The data domain can be regards as the parameters of function code, and indicates the specific data to perform one operation.The vulnerabilities of this protocol are increasingly exposed in recent years [12,13], and can be concluded as follows: firstly, Modbus/TCP lacks the authentication, and any Modbus master can use an illegal IP address and one function code to establish a Modbus session; secondly, Modbus/TCP does not consider the authorization, and any Modbus master can perform any operation by using some invalid function codes; finally, Modbus/TCP is short of the integrity detection, and the communication data may be tampered. For example, the function code can be changed to another illegal function code by one attacker.Anomaly Detection Approach based on Function Code TrafficIt is highly necessary to study on the anomaly detection approach in industrial control system. However, the industrial communication traffic is high-dimensional, and it hard to detect the abnormal communication behaviors. Therefore, we use the function code traffic to execute the anomaly detection, because the function code traffic is simple and single dimensional, and can indirectly reflect the industrial communication behaviors. In our approach, we first capture the industrial communication packets, and extract the Modbus/TCP communication packets. After that, we analyze these Modbus/TCP packets in depth, and get the function code in each packet. From this base, we perform a statistical analysis to form the function code traffic in each specified time interval. Finally, according to the function code traffic, we use the CUSUM algorithm to detect the change point. When one change point appears, the corresponding alarm will be generated. The CUSUM algorithm can be described as follows [14]:Assume the time sequence 1x , 2x ,…,1v x − are independent identically distributed variables withthe Gaussian distribution (0,1)N , and the time sequence v x , 1v x +,…, n x are independent identicallydistributed variables with the Gaussian distribution (,1)N δ, where v (v n <) is an unknown changepoint and the value i x represents the number of function codes in the th i time interval. Suppose thereis no change point, namely v =∞, the statistical value of the log-likelihood ratio is:11max ()2n n i v n i v Z x δ≤<+=−∑ (1) Eq. (1) describes the most ordinary CUSUM statistical value. Suppose h (0h >) is a chosen threshold which may be determined empirically through experiments. If i Z h ≤, 1,2,...,i n =, the former 1n − values are under normal conditions; if n Z h >, anomaly happens and an alarm should begenerated. Similarly, the foregoing judgment also can be understood that if an existing number r satisfies 0(1)2r n i i x r h δ−=−+>∑, where 01r n ≤≤−, then the anomaly happens and an alarm should begenerated.The aforementioned equation illustrates the basic CUSUM algorithm. However, the prerequisite is that we have assumed that {n x } are independent Gaussian random variables. Of course, this is nottrue for network traffic measurements owning to seasonality, trends and time correlations [16]. Therefore, in order to remove such non-stationary behaviors, the work in [15] further improves the basic CUSUM algorithm, and n Z can be calculated by:111120[()]20n n n n n n Z Z x Z αµαµµσ+−−−− =+−− = (2) where α is an amplitude percentage parameter, which intuitively corresponds to the most probable percentage of increase of the mean rate after a change has happened. 2σ is the variance of σ. Meanwhile, the mean n µ can be calculated by using an exponentially weighted moving average(EWMA) of previous measurements:1(1)nn n x µβµβ−=+− (3) where β is the EWMA factor. Thus, the conditions to generate an alarm can be summarized as follow:1, if ;()0, otherwise.n n Z h f Z > =（4） In Eq. (4), 1 indicates that the anomaly in the detected sequence {n x } is identified and an alarm isgenerated. By contrast, 0 indicates that the detected sequence {n x } is normal.However, a disadvantage or flaw exists in the CUSUM algorithm [17]. That is, when the anomaly or attack is over, CUSUM still continues generating the false alarms for a long time. Resulting from accumulation effect of the CUSUM algorithm, the increased amount to n Z caused by the attacktraffic is much greater than the decreasing amount provided by the normal traffic. In order to resolve this issue, our approach uses the following formula to revoke an alarm.2()0, if and v i n n i f Z Z h x ϕµ−=≥< (5)where ϕ is an amplitude and 1ϕ>. Assume an anomalous behavior happens at time v , and i x is the detected mapping request traffic in the th i time interval, i v > . 2v i µ− is the traffic mean of theformer 2v i − time intervals, which can be calculated by Eq. (3). The main idea of Eq. (5) is that when the traffic i x is less than the traffic mean 2v i µ− and n Z h ≥, the alarm will be revoked. In addition, inorder to revoke an alarm more accurately, the condition 2v i i x ϕµ−< can be improved as:201{}i j v i j k j x θϕµ+−−=≥<∑ (6)where θ is a positive integer and 1k θ>>. Eq. (6) describes that when the number satisfies the condition 2v i i x ϕµ−< is larger than θ, the alarm will be revoked. At the same time, after revoking thealarm, we also reset n Z between 0 and h .Performance Evaluations In the simulation experiment, we build a small SCADA system, whose communication is based on Modbus/TCP. As shown in Fig. 2, the whole technological process can be simply depicted as follows: when the valve switches A and B are respectively turned on, materials A and B successively flow into the container through the valve switches A and B to produce material C. When material C in the container reaches the level upper point, the valve switches A and B are turned off, and then the valve switch C is turned on. When material C in the container exhausts and reaches the level lower point, the valve switch C is turned off. Besides, the above-described technological process is repeatedly performed every 5 minutes.Fig.2 Simulation experiment topologyIn order to detect the abnormal communication behaviors, we deploy a monitoring computer on industrial switch to capture the communication packets between the supervisory control layer and the control unit layer. Furthermore, we carry out two experiments: one is under normal condition, and the other is under abnormal condition. Under normal condition, we run the simulation for 120 minutes. Fig. 3(a) shows the communication traffic captured by the monitoring computer per 1 minute, and Fig. 3(b) shows the corresponding function code traffic. From these two figures we can see that, the communication traffic is complex and changed, but the function code traffic varies periodically and can reflect every technological process. Under abnormal condition, we perform two attacks at 30th minute and at 80th minute respectively. Here, the attacker sends 50 Modbus/TCP packets whose function code is to write a coil at 30th minute, and sends the same 30 packets at 80th minute. Besides, we apply our anomaly detection approach to the corresponding function code traffic. Fig. 4(a) plots the communication traffic after the attacks. From this figure we can conclude that the attack traffic is hidden into the normal communication traffic, and we cannot identify the attack behaviors only from the communication traffic. Similarly, Fig. 4(b) plots the alarm points in the function code traffic after the attacks. From this figure we find that the proposed approach can detect the abnormal behaviors and generate alarms when the attacks happen. To sum up the above arguments, our approach is available and effective to identify and diagnose some network anomalies in industrial control system. In other words, compared with the anomaly detection using the communication traffic, our approach is more advantage.Fig.4 Under normal conditionConclusionThis paper aims to propose an anomaly detection approach based on function code traffic, and the basic idea behind the proposed approach is very simple. That is, identifying and detecting the anomalous communication behaviors in industrial control system by judging the function code traffic anomaly. In this paper, we first analyze Modbus/TCP protocol and its vulnerabilities, and then we present the detailed design of our approach, including the CUSUM algorithm. At last, we evaluate our approach in detail by simulation experiment. We show that, our approach is very available and effective to provide the security for industrial control system. Besides, we also discuss some drawbacks of our approach for our future research.AcknowledgementsThis work is supported by the National Natural Science Foundation of China (Grant No. 61501447) and Independent project of Key Laboratory of Networked Control System Chinese Academy of Sciences: Research on abnormal behavior modeling, online intrusion detection and self-learning method in industrial control network.References[1] H. Kagermann, W. Wahlster, J. Helbig, Recommendations for implementing the strategic initiative INDUSTRIE 4.0, Final Report, http://www.plattform-i40.de/finalreport2013, 2013.[2] B. Genge, C. Siaterlis, I. N. Fovino, et al., A cyber-physical experimentation environment for the security analysis of networked industrial control systems, Computer and Electrical Engineering, 38(5) (2012) 1146-1161.[3] C. Shao, L. G. Zhong, An information security solution scheme of industrial control system based on trusted computing, Information and Control, 44(5) (2015) 628-633.[4] S. S. Zhang, W. L. Shang, M. Wan, et al., Security defense module of Modbus TCP communication based on region/enclave rules, Computer Engineering and Design, 35(11) (2014) 3701-3707.[5] A. Carcano, A. Coletta, M. Guglielmi, et al., A multidimensional critical state analysis for detecting intrusions in SCADA systems, IEEE Transactions on Industrial Informatics, 7(2) (2011) 179-186.[6] A. Anoop, M. S. Sreeja, New genetic algorithm based intrusion detection system for SCADA, International Journal of Electronics Communication and Computer Engineering, , 2(2) (2013) 171-175.[7] S. M. Papa, V. S. S. Nair, A behavioral intrusion detection system for SCADA systems, Southern Methodist University, 2013.[8] B. Zhu, S. Sastry, SCADA-specific intrusion detection/prevention systems: a survey and taxonomy, The 1st Workshop on Secure Control Systems (SCS), 2010.[9] A. A. Cardenas, S. Amin, Z. S. Lin, Attacks against process control systems: risk assessment, detection, and response, The 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, 2011, pp.355-366.[10] Y. G. Zhang, H. Zhao, L. N. Wang, A non-parametric CUSUM intrusion detection method based on industrial control model, Journal of Southeast University(Natual Science Edition), A01 (2012) 55-59.[11] M. Wei, K. Kim, Intrusion detection scheme using traffic prediction for wireless industrial networks, Journal of Communications and Networks, 14(3) (2012) 310-318.[12] N. Goldenberg, A. Wool, Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems, International Journal of Critical Infrastructure Protection, 6(2) (2013) 63-75.[13] T. H. Kobayashi, A. B. Batista, A. M. Brito, et al., Using a packet manipulation tool for security analysis of industrial network protocols, IEEE Conference on Emerging Technologies and Factory Automation. Patras, 2007, pp.744-747.[14] M. Wan, H. K. Zhang, T. Y. Wu, et al., Anomaly detection and response approach based on mapping requests, Security and Communication Networks, 7 (2014) 2277-2292.[15] V. A. Siris, F. Papagalou, Application of anomaly detection algorithms for detecting SYN flooding attacks, 2004 IEEE Global Telecommunications Conference GLOBECOM’04, Dallas, 2004, pp.2050-2054.[16] J. L. Hellerstein, F. Zhang, P. Shahabuddin, A statistical approach to predictive detection, International Journal of Computer and Telecommunications Networking, 35(1) (2001) 77-95. [17] H. H. Takada, U. Hofmann, Application and analyses of cumulative sum to detect highly distributed denial of service attacks using different attack traffic patterns, /dissemination/newsletter7.pdf, 2004.。

专利名称：Network anomaly detection发明人：James Peroulas,Poojita Thukral,DuttKalapatapu,Andreas Terzis,Krishna Sayana申请号：US16397082申请日：20190429公开号：US10891546B2公开日：20210112专利内容由知识产权出版社提供专利附图：摘要：A method for detecting network anomalies includes receiving a controlmessage from a cellular network and extracting one or more features from the control message. The method also includes predicting a potential label for the control messageusing a predictive model configured to receive the one or more extracted features from the control message as feature inputs. Here, the predictive model is trained on a set of training control messages where each training control message includes one or more corresponding features and an actual label. The method further includes determining that a probability of the potential label satisfies a confidence threshold. The method also includes analyzing the control message to determine whether the control message corresponds to a respective network performance issue. When the control message impacts network performance, the method includes communicating the network performance issue to a network entity responsible for the network performance issue.申请人：Google LLC地址：Mountain View CA US国籍：US代理机构：Honigman LLP代理人：Brett A. Krueger更多信息请下载全文后查看。

基于多分辨率网格的异常检测方法刘文芬1，穆晓东1，黄月华1，21.桂林电子科技大学广西密码学与信息安全重点实验室，广西桂林5410042.桂林航天工业学院计算机科学与工程学院，广西桂林541004摘要：作为一种重要的数据挖掘手段，异常检测在数据分析领域有着广泛的应用。

然而现有的异常检测算法针对不同的数据，往往需要调整不同的参数才能达到相应的检测效果，在面对大型数据时，现有算法检测的时间效率也不尽如人意。

基于网格的异常检测技术，可以很好地解决低维数据异常检测的时间效率问题，然而检测精度严重依赖于网格的划分尺度和密度阈值参数，该参数鲁棒性较差，不能很好地推广到不同类型数据集上。

基于上述问题，提出了一种基于多分辨率网格的异常检测方法，该方法引入一个鲁棒性较好的子矩阵划分参数，将高维数据划分到多个低维的子空间，使异常检测算法在子空间上进行，从而保证了高维数据的适用性；通过从稀疏到密集的多分辨率网格划分，综合权衡了数据点在不同尺度网格下的局部异常因子，最终输出全局异常值的得分排序。

实验结果表明，新引入的子矩阵划分参数具有较好的鲁棒性，该方法能较好地适应高维数据，并在多个公开数据集上都能得到良好的检测效果，为解决高维数据异常检测的相关问题提供了一种高效的解决方案。

关键词：异常检测；多分辨率网格；高维数据；子空间；数据挖掘文献标志码：A中图分类号：TP311.13doi：10.3778/j.issn.1002-8331.1908-0188刘文芬，穆晓东，黄月华.基于多分辨率网格的异常检测方法.计算机工程与应用，2020，56（17）：78-85.LIU Wenfen,MU Xiaodong,HUANG Yuehua.Anomaly detection method based on multi-resolution puter Engi-neering and Applications,2020,56（17）：78-85.Anomaly Detection Method Based on Multi-resolution GridLIU Wenfen1,MU Xiaodong1,HUANG Yuehua1，21.Guangxi Key Laboratory of Cryptography and Information Security,Guilin University of Electronic Technology,Guilin, Guangxi541004,China2.College of Computer Science and Engineering,Guilin University of Aerospace Technology,Guilin,Guangxi541004,ChinaAbstract：As an important means of data mining,anomaly detection is widely used in the field of data analysis.However, existing anomaly detection algorithms often need to adjust different parameters for different data to achieve the corre-sponding detection effect.In the face of big data,the detection time efficiency of existing algorithms is not satisfactory. The anomaly detection technology based on grid can well solve the problem of time efficiency of low-dimensional data anomaly detection.However,the detection accuracy depends heavily on the grid partition scale and density threshold parameters,which have poor robustness and cannot be well extended to different types of data sets.Based on the above problems,the proposed method firstly introduces a submatrix partition parameter with good robustness,divides high-dimensional data into several low-dimensional subspaces,and makes the anomaly detection algorithm carry out on the⦾大数据与云计算⦾基金项目：国家自然科学基金（No.61862011）；广西自然科学基金（No.2018GXNSFAA138116）；广西密码学与信息安全重点实验室研究课题（No.GCIS201704）；桂林电子科技大学硕士研究生创新项目（No.2019YCXS052）。

专利名称：ANOMALY DETECTION METHOD ANDSYSTEM AND MAINTENANCE METHOD ANDSYSTEM发明人：Yasuhiko Matsunaga,JunichiTakeuchi,Takayuki Nakata申请号：US11914156申请日：20060602公开号：US20090052330A1公开日：20090226专利内容由知识产权出版社提供专利附图：摘要：A network management apparatus in a mobile communication network holds acommunication quality index in a normal operation and periodically receives input of a communication quality measurement result from a radio base station control apparatus. When a connection failure count f with respect to a connection request count a of each radio cell is obtained as a measurement result, letting pbe the call loss rate in the normal operation, an upper probability B of a binomial distribution representing the connection failure count becomes larger than f is obtained (step ). The negative logarithm of the upper probability B is obtained as the score of the degree of abnormality (step ). Anomaly of communication is detected when the score of the degree of abnormality exceeds a predetermined threshold value (steps and ). After that, maintenance control is executed in accordance with the calculated score of the degree of abnormality, thereby appropriately avoiding a fault of the communication system. This allows to calculate the degree of abnormality from the measurement result of the communication quality index in the mobile communication network in consideration of the statistical reliability and execute maintenance corresponding to the degree of abnormality.申请人：Yasuhiko Matsunaga,Junichi Takeuchi,Takayuki Nakata地址：Tokyo JP,Tokyo JP,Tokyo JP国籍：JP,JP,JP更多信息请下载全文后查看。

1引言自1987年Denning[1]首次提出异常检测的概念之后，异常检测很快成为入侵检测领域研究的热点。

已经有很多学者使用不同方法（如数据挖掘，人工智能等）从不同方面（如系统日志，进程调度顺序，网络流量等）对异常检测进行了研究，但是将贝叶斯网应用到网络异常检测的却很少。

Sebyala等人[2]将贝叶斯网应用到proxylet的异常检测中，根据CPU和内存利用率构建了一个仅有3个变量的贝叶斯网作为proxylet分类模型，他们的贝叶斯网过于简单，而且没有给出具体的检测方法和检测结果。

张琨等人[3]用贝叶斯网作为分类器，并用这些分类器作为入侵检测的分布式代理来构造大型网络的入侵检测系统，但测试结果表明他们的方法并不理想。

由于现有的贝叶斯网异常检测模型和方法不理想，所以本文提出一种新的基于贝叶斯网的网络异常检测方法。

2相关定义和引理2.1数据定义1，随机变量简称变量，是定义在样本空间上的函数，通常用大写字母表示，如X，Y，Z。

随机变量的取值通常用小写字母表示，如x，y，z。

随机变量X的所有可能取值的集合称为它的值域，也称状态空间，记为ΩX。

状态空间是离散的随机变量称为离散随机变量，状态空间是连续的随机变量称为连续随机变量。

如未特别说明，本文中所说的变量均指离散随机变量。

离散随机变量的状态空间ΩX的大小即其包含的可能值的个数，记为|ΩX|。

若Θ=｛X1，…，X n｝为一组离散随机变量，变量X i的第i个取值为x ij，变量X i的状态空间为ΩXi，简记为Ωi，则Ωi=｛x i1，…，x im｝。

Ωi的大小为|Ωi|，且|Ωi|=m。

对于任意两个变量X i和X j，i≠j，|Ωi|不一定等于|Ωj|。

定义2，设Θ=｛X1，…，X n｝为一组离散随机变量。

由Θ中所有或部分变量的状态所构成的向量称为数据样本（data sample）或数据向量（data vector），简称样本（或向量），记为d。

数据样本d的大小即其包含的变量的个数，记为|d|。

基于机器学习的网络异常检测与防范研究Chapter 1: IntroductionWith the rapid development of the Internet, network security has become a significant concern for individuals, organizations, and governments. The increasing number of cyber-attacks has highlighted the necessity for proactive measures to detect and prevent network anomalies. In recent years, machine learning techniques have shown great potential in addressing this issue. This research aims to explore the application of machine learning in detecting and preventing network anomalies.Chapter 2: Network Anomalies2.1 Definition and Types of Network AnomaliesNetwork anomalies refer to abnormal patterns or behaviors that deviate from the expected normal state of a network. They can be categorized into various types, such as network intrusion, denial of service (DoS) attacks, network traffic anomalies, and network-based malware.2.2 Challenges in Network Anomaly DetectionDetecting network anomalies poses several challenges due to the increasing complexity and diversity of cyber-attacks. These challenges include the high volume and velocity of network data, the presence ofunknown and evolving anomalies, and the necessity for real-time detection without affecting network performance.Chapter 3: Machine Learning Techniques for Network Anomaly Detection3.1 Supervised LearningSupervised learning algorithms utilize labeled training data to train a model that can classify network traffic as normal or anomalous. Popular techniques include support vector machines (SVM), random forests, and neural networks. These algorithms can achieve high accuracy but heavily rely on labeled data, which can be costly and time-consuming to obtain.3.2 Unsupervised LearningUnsupervised learning algorithms aim to detect anomalies without prior knowledge of normal and abnormal instances. Clustering algorithms, such as k-means and DBSCAN, can group similar instances together and identify outliers as potential anomalies. However, they may generate false positives and struggle to differentiate between different types of anomalies.3.3 Reinforcement LearningReinforcement learning algorithms learn from interactions with an environment to make informed decisions. In the context of network anomaly detection, reinforcement learning can be applied to createadaptive and evolving models that can dynamically update anomaly detection strategies to handle new and evolving network attacks.Chapter 4: Feature Selection and Extraction4.1 Network Data RepresentationNetwork data can be represented in various formats, such as raw packet-level data or aggregated flow-level data. Feature selection is critical to extract relevant information from the data and reduce dimensionality. Techniques like principal component analysis (PCA), information gain, and genetic algorithms can be used to select informative features.4.2 Feature EngineeringFeature engineering involves transforming and creating new features that better represent the underlying patterns of network traffic. Statistical measures, domain knowledge, and expert insights are leveraged to engineer features that capture the characteristics of normal and abnormal network behavior.Chapter 5: Evaluation Metrics and Performance Analysis5.1 Evaluation MetricsTo assess the performance of network anomaly detection systems, various evaluation metrics are employed, including accuracy, precision, recall, and F1 score. A comprehensive evaluation framework helpsresearchers and practitioners compare different approaches and select the most suitable one for specific network environments.5.2 Performance AnalysisReal-world network datasets are used to evaluate the performance of machine learning algorithms for network anomaly detection. Comparative analysis and statistical methods are employed to analyze the results, identify limitations, and propose improvements for future research.Chapter 6: Network Anomaly PreventionWhile detection is crucial, prevention plays an equally important role in network security. This chapter explores different preventive measures, including access control, firewalls, intrusion prevention systems, and network segmentation. Machine learning techniques can be integrated into these preventive measures to enhance their effectiveness and adaptability in detecting and responding to emerging threats.Chapter 7: ConclusionIn conclusion, machine learning offers promising solutions for network anomaly detection and prevention. The combination of supervised, unsupervised, and reinforcement learning techniques, along with effective feature selection and engineering, can significantly improve the accuracy and efficiency of detecting network anomalies. However, continuous research and development are needed to addressthe evolving nature of network attacks and enhance the overall resilience of network security systems.。

装备环境工程第20卷第9期·152·EQUIPMENT ENVIRONMENTAL ENGINEERING2023年9月基于实船结构监测数据的异常检测及处理方法孙梦丹，汪雪良，吴国庆，姚骥，蒋镇涛（中国船舶科学研究中心, 江苏 无锡 214082）摘要：目的获得高质量实船结构监测数据，减少数据因外界干扰造成的异常现象，现开发一套面向真实海况的实船结构监测数据的异常处理方法。

方法将统计学中的Z-score异常检测方法与数据处理中常用的平均值计算法相结合，实现对船舶结构应力数据的异常处理。

基于正常信号创建含有异常现象的验证数据，对新的异常处理方法进行精度验证。

结果相比Hampel滤波法、Smooth平滑函数等传统的信号处理方法，Z-score异常检测及平均值计算方法的异常处理精度最高，且以此为基础计算的结构信号统计值准确度较好。

结论 Z-score异常检测及平均值计算方法可实现真实海况下的实船结构监测数据的异常处理，并在结构应力数据的价值挖掘上可提供有力支撑。

关键词：实船结构监测数据；Z-score异常值检测；平均值法；误差分析；精度验证；统计值计算中图分类号：TP39 文献标识码：A 文章编号：1672-9242(2023)09-0152-08DOI：10.7643/ issn.1672-9242.2023.09.017Anomaly Detection and Processing Method Based on Real ShipStructure Monitoring DataSUN Meng-dan, WANG Xue-liang, WU Guo-qing, YAO Ji, JIANG Zhen-tao(China Ship Scientific Research Center, Jiangsu Wuxi 214082, China)ABSTRACT: To obtain high-quality real ship structure monitoring data and reduce signal errors caused by external factors, the work aims to develop a set of fast and accurate anomaly processing methods to preprocess the real ship structure monitoring data. The method combined the Z-score anomaly detection method in statistics with the commonly used average calculation method in data processing to achieve high-precision and fast anomaly processing of ship monitoring data. Based on normal sig-nals, validation data containing abnormal phenomena was created to verify the accuracy of the new anomaly processing method.Finally, the validation data that had undergone anomaly processing were subject to structural statistical value calculations in-cluding signal filtering, signal component extraction, and signal feature value calculation, and the calculation errors were com-pared. Compared with traditional signal processing methods such as Hampel filter and Smooth smoothing function, the Z-score anomaly detection and average value calculation method had the highest accuracy in anomaly processing, and the structural sig-nal statistical values calculated based on this were the most accurate, with an average calculation error of less than 10%. In con-clusion, the Z-score anomaly detection and average value calculation method is suitable for anomaly handling of real ship struc-ture monitoring data and plays an important role in mining the value of structure data.KEY WORDS: real ship structure monitoring data; Z-score anomaly detection; average method; error analysis; accuracy veri-fication; calculation of statistical values收稿日期：2023-07-19；修订日期：2023-09-06Received：2023-07-19；Revised：2023-09-06引文格式：孙梦丹, 汪雪良, 吴国庆, 等. 基于实船结构监测数据的异常检测及处理方法[J]. 装备环境工程, 2023, 20(9): 152-159.SUN Meng-dan, WANG Xue-liang, WU Guo-qing, et al. Anomaly Detection and Processing Method Based on Real Ship Structure Monitoring Data[J]. Equipment Environmental Engineering, 2023, 20(9): 152-159.第20卷第9期孙梦丹，等：基于实船结构监测数据的异常检测及处理方法·153·为适应世界海运发展，加强海洋资源开发，船舶技术发展尤为重要。

通信网络技术ＤＯＩ：１０．１９３９９／ｊ．ｃｎｋｉ．ｔｐｔ．２０２３．０２．０５７基于机器学习的网络入侵检测方法研究孙玉坤1，韩聿彪2（1.中化学交通建设集团运营管理（山东）有限公司，山东济南250014；2.山东省信息技术产业发展研究院，山东济南250014）摘要：考虑到传统方法在检测网络入侵数据时存在准确率、检测率和F1分数低的问题，提出了基于机器学习的网络入侵检测方法。

根据网络入侵数据传输量的变化情况，估计出网络入侵数据的传输量，通过初始化机器学习算法的参数，获得网络入侵数据提取结果的概率矩阵，将网络入侵数据检测的特征向量作为机器学习算法的输入，构建网络入侵检测模型，实现了网路入侵的检测。

实验结果表明，所提方法在检测网络入侵数据的过程中可以有效提高检测的检测率和F1分数，具有更好的检测性能。

关键词：机器学习算法；网络入侵；特征提取；传输量；检测方法；观测向量Research on Network Intrusion Detection Method Based on Machine LearningSUN Yukun1, HAN Yubiao2（1.Sinochem Transportation Construction Group Operation Management (Shandong) Co., Ltd., Jinan 250014, China;2.Shandong Electronic Information Products Inspection Institute，Jinan 250014, China）Abstract: Considering the low accuracy, detection rate and F1 score of traditional methods in detecting network intrusion data, a network intrusion detection method based on machine learning is proposed. According to the change of network intrusion data transmission, the transmission amount of network intrusion data is estimated. By initializing the parameters of machine learning algorithm, the probability matrix of network intrusion data extraction results is obtained.The feature vector of network intrusion data detection is used as the input of machine learning algorithm to build a network intrusion detection model, and network intrusion detection is realized. The experimental results show that the method in this paper can effectively improve the detection rate and F1 score in the process of detecting network intrusion data, and has better detection performance.Keywords: machine learning algorithm; network intrusion; feature extraction; transmission quantity; detection method; observation vector0 引 言互联网技术不断发展的过程中，经常会遭到网络入侵，因此对网络入侵数据和行为进行检测，可以保证网络的安全性[1-3]。

第36卷第3期计算机仿真2019年3月文章编号:1006-9348 (2〇19 )03-〇289-〇5基于随机映射与聚类的网络流量异常检测刘雅婷1，王永程2，强延飞1，谷源涛1(1.清华大学电子工程系，北京1〇〇〇84;2.西南电子电信技术研究所，四川成都610041)摘要:研究网络安全领域的网络流量异常检测问题。

针对传统异常检测算法实时性差、对数据分布特性要求高、正确识别率 低且误判率高等问题，采用滑动窗口、多次随机映射以及无监督聚类算法相组合的新型方法。

利用随机映射进行网络数据 包的汇聚获取待测对象的时间序列;对各滑动窗口内的流量序列进行KmeanS++聚类检测得到多个待定异常集;对多个待定 异常集进行交集操作，从而得出最终异常对象集。

通过仿真得出结论，改进算法具有高准确率和低误判率，能够实时检测网 络中的异常数据。

关键词：网络流量异常检测；随机映射;聚类;时间序列;交集中图分类号:TP393.08 文献标识码：BNetwork Traffic Anomaly Detection Based onRandom Projection and ClusteringLIU Ya—ting1，WANG Yong-cheng2, JIANG Yan-fei1，GU Yuan—tao1(1. Department of Electronic Engineering, Tsinghua University, Beijing 100084, China；2. Southwest Electronics and Telecommunication Technology Research Institute, Chengdu CSichuan 610041 , China))A B S T R A C T：In t h i s paper, network t r a f f i c anomaly detection of security was researched.To solve the problems in­cluding poor r e a l time, high requirement f o r data distribution, low true positive r a t e and high fal s e positive r a t e of t r a­d itional anomaly detection methods,a new combination method i s adopted, which integrates sliding time window,multiple random projections and unsupervised clustering algorithm.W e f i r s t aggregated network t r a f f i c by using ran-dom projection t o get time s e ries of object.Then, Kmeans + + clustering detection was applied with t r a f f i c series of sliding windows t o get multiple alarm sets.W e next exploited the intersection operation t o determine f i n a l anomaly st, based on M A W I L A B we experimented with dataset and obtained the conclusion t hat the new detection method has higher true positive r a t i o and lower fal s e positive r a t i o and can detect anomaly of network in r e a l time.K E Y W O R D S：Network t r a f f i c anomaly detection；Random projection；Clustering；Time series；Intersectioni引言随着互联网技术的快速发展与普及，网络安全问题变得 曰益突出，大量的威胁与安全隐患例如木马程序、蠕虫病毒、D D0S攻击等扰乱了社会的正常运转与经济的持续发展。

设计应用K-Means的网络异常检测徐翔（广东海洋大学教育信息中心，广东湛江海量网络数据流量检测可以发现网络中的异常行为，如Probe确定聚类中心具有较大的随机性，聚类结果不够精准，针对这一问题提出一种基于改进K-Means聚类算法，分布式执行网络数据聚类任务，节省聚类时间开销，再算法的聚类中心，提高网络异常数据聚类的精准度。

实验结果显示该方法检测率保持左右，具有较高的实际应用价值。

模型；最小生成树；聚类中心；异常检测Network Anomaly Detection Based on Improved K-MeansXU XiangGuangdong Ocean UniversityMassive network data traffic detection can find abnormal behavior in the networketc.The determination of clustering center by traditional K-Means algorithm has great randomness法聚类结果，求取各个对象与聚类中心之间的距离，函数将结果按照类别进行划分，相同类别数据归类为一个簇，算法获取网络异常样本数据聚类函数迭代运算的输。

此过程中，一致的数据，求取累K-Means算法新的聚类中心，以此类推进行迭代运算，最终输出结果算法的网络异常数据聚类算法以原型目标函数为基础进行硬聚类，在此类聚类算法中极具代表性，具体方式是确定原始聚类中心，通过数学方法运算原始聚类中心与聚类对象样本，从而得到新的聚类中心，完成精准的数据样K-Means挖掘算此外，用的聚类中心。

一幅完全图的最小连通子图即为最小生成树，完全图的全部点均包含在最小生成树算法之内据此定义确定聚类中心，需要将网络异常流量数据视为完全图的连接点，由此建立的带权完全图表达为：式中，H即连接点之间的长度；基于上述公式原理，通过生成树，由此确定到网络异常流量聚类结果。

基于时间序列分析的网络流量异常检测李彦【摘要】A network traffic anomaly detection model based on time series analysis is proposed to detect the network traffic anomaly accurately and ensure the network normal operation. The wavelet analysis is used to decompose the network traffic ac-cording to the similarity of the network traffic data, so as to divide it into the components with smaller scale. And then the gray model and Markov model of the time series analysis method are used to perform the network traffic anomaly detection for the high-frequency component and low frequency component respectively, their results are fused with the wavelet analysis, and analyzed with the simulation experiment of the network traffic anomaly. The results show that the time series analysis model has simple working process, increased the detection rate of the network traffic anomaly, its false alarm rate is lower than that of other net-work traffic anomaly detection models, and can obtain better real-time performance of the network traffic anomaly detection.%为了准确检测出网络流量的异常现象,保证网络的正常工作,提出基于时间序列分析的网络流量异常检测模型.根据网络流量数据间的相似性,采用小波分析对网络流量进行分解,划分为更小尺度的分量,然后采用时间序列分析法——灰色模型和马尔可夫模型分别对高频分量和低频分量进行网络流量异常检测,并采用小波分析对它们的检测结果进行融合,最后采用网络流量异常仿真实验进行分析.结果表明,时间序列分析模型的工作过程简单,提高了网络流量异常检测率,误检率要低于其他网络流量异常检测模型,获得更优的网络流量异常检测实时性.【期刊名称】《现代电子技术》【年(卷),期】2017(040)007【总页数】4页(P85-87,91)【关键词】网络系统;流量异常检测;灰色模型;小波分析【作者】李彦【作者单位】景德镇陶瓷大学信息工程学院,江西景德镇 333403【正文语种】中文【中图分类】TN915.07-34;TP391随着计算机技术的不断发展和成熟，网络上的业务种类越来越多，如视频，图像等，网络成为了一种主要的通信载体[1]。

磁探测定位系统噪声抑制技术研究发布时间：2022-12-12T06:33:46.544Z 来源：《科学与技术》2022年16期作者：官业欣，赵文纯[导读] 本文通过基于磁偶极子理论，运用BAS算法，建立磁探测定位系统的噪声抑制模型，针对水下运动平台不同的噪声来源建立数学模型，并运用添加随机噪声的虚拟仿真验证算法，验证了噪声抑制技术的可行性。

官业欣，赵文纯（1、中国船舶集团第七一〇研究所，湖北宜昌443000；2、磁学研究中心，湖北宜昌443000）Abstract：In this paper, the noise suppression model of magnetic detection and positioning system is established by using BAS algorithm based on magnetic dipole theory, establishing mathematical models for different noise sources of underwater motion platforms, and verifying the feasibility of noise suppression technology by using virtual simulation of adding random noise to verify the algorithm. The noise suppression technique proposed in this paper has a good application value in the noise suppression of underwater motion platform, and is of great significance to the development of underwater non-acoustic detection technology in China.摘要：本文通过基于磁偶极子理论，运用BAS算法，建立磁探测定位系统的噪声抑制模型，针对水下运动平台不同的噪声来源建立数学模型，并运用添加随机噪声的虚拟仿真验证算法，验证了噪声抑制技术的可行性。