基于tf - idf的端口访问统计分析捕获异常流量行为

2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI) Pub Date : 2021-10-15 DOI:10.1109/CCCI52664.2021.9583212

K. Shima

{"title":"基于tf - idf的端口访问统计分析捕获异常流量行为","authors":"K. Shima","doi":"10.1109/CCCI52664.2021.9583212","DOIUrl":null,"url":null,"abstract":"Detecting the anomalous behavior of traffic is one of the important actions for network operators. In this study, we applied term frequency – inverse document frequency (TF–IDF), which is a popular method used in natural language processing, to detect unusual behavior from network access logs. We mapped the term and document concept to the port number and daily access history, respectively, and calculated the TF–IDF. With this approach, we could obtain ports frequently observed in fewer days compared to other port access activities. Such access behaviors are not always malicious activities; however, such information is a good indicator for starting a deeper analysis of traffic behavior. Using a real-life dataset, we could detect two bot-oriented accesses and one unique UDP traffic.","PeriodicalId":136382,"journal":{"name":"2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2021-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Catching Unusual Traffic Behavior using TF–IDF-based Port Access Statistics Analysis\",\"authors\":\"K. Shima\",\"doi\":\"10.1109/CCCI52664.2021.9583212\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Detecting the anomalous behavior of traffic is one of the important actions for network operators. In this study, we applied term frequency – inverse document frequency (TF–IDF), which is a popular method used in natural language processing, to detect unusual behavior from network access logs. We mapped the term and document concept to the port number and daily access history, respectively, and calculated the TF–IDF. With this approach, we could obtain ports frequently observed in fewer days compared to other port access activities. Such access behaviors are not always malicious activities; however, such information is a good indicator for starting a deeper analysis of traffic behavior. Using a real-life dataset, we could detect two bot-oriented accesses and one unique UDP traffic.\",\"PeriodicalId\":136382,\"journal\":{\"name\":\"2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI)\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-10-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CCCI52664.2021.9583212\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CCCI52664.2021.9583212","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

检测流量异常行为是网络运营商的重要工作之一。在这项研究中，我们应用术语频率-逆文档频率(TF-IDF)，这是自然语言处理中常用的一种方法，从网络访问日志中检测异常行为。我们将术语和文档概念分别映射到端口号和每日访问历史，并计算TF-IDF。使用这种方法，与其他端口访问活动相比，我们可以在更短的时间内获得经常观察的端口。这种访问行为并不总是恶意活动;然而，这些信息是开始对交通行为进行更深入分析的一个很好的指标。使用真实的数据集，我们可以检测到两个面向机器人的访问和一个唯一的UDP流量。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Catching Unusual Traffic Behavior using TF–IDF-based Port Access Statistics Analysis

Detecting the anomalous behavior of traffic is one of the important actions for network operators. In this study, we applied term frequency – inverse document frequency (TF–IDF), which is a popular method used in natural language processing, to detect unusual behavior from network access logs. We mapped the term and document concept to the port number and daily access history, respectively, and calculated the TF–IDF. With this approach, we could obtain ports frequently observed in fewer days compared to other port access activities. Such access behaviors are not always malicious activities; however, such information is a good indicator for starting a deeper analysis of traffic behavior. Using a real-life dataset, we could detect two bot-oriented accesses and one unique UDP traffic.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI)

自引率

0.00%

发文量