Zhaoli Liu,Xiaohong Guan,Shancang Li,Tao Qin,Chao He

DOI: https://doi.org/10.1109/access.2018.2882812

IF: 3.9

2018-01-01

IEEE Access

Abstract:The widespread use of social media, cloud computing, and Internet of Things generates massive behavior data recorded by system logs, and how to utilize these data to improve the stability and security of these systems becomes more and more difficult due to the increasing number of users and amount of data. In this paper, we propose a novel model named behavior rhythm (BR) to characterize and visualize the user's behaviors from the massive logs and apply it to the system security management. Based on the BR model, we conduct the clustering analysis to mine the user clusters. Different management and access control policies can be applied to different clusters to improve the management efficiency. Then, we apply the non-negative matrix factorization method to analyze the BRs and perform abnormal detection, and employ the BR similarity calculation to perform fast potential anomaly tracking. The detection and tracing results can help the administrators to control the threats efficiently. Experimental results based on the datasets collected from the campus network center of Xi'an Jiaotong University verify the accuracy and efficiency of our method in user behavior profiling and security management, which lay a solid foundation for improving system stability and quality of service.

Chris Muelder,Biao Zhu,Wei Chen,Hongxin Zhang,Kwan-Liu Ma

DOI: https://doi.org/10.1109/tvcg.2016.2534558

IF: 5.2

2016-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Cloud computing is an essential technology to Big Data analytics and services. A cloud computing system is often comprised of a large number of parallel computing and storage devices. Monitoring the usage and performance of such a system is important for efficient operations, maintenance, and security. Tracing every application on a large cloud system is untenable due to scale and privacy issues. But profile data can be collected relatively efficiently by regularly sampling the state of the system, including properties such as CPU load, memory usage, network usage, and others, creating a set of multivariate time series for each system. Adequate tools for studying such large-scale, multidimensional data are lacking. In this paper, we present a visual based analysis approach to understanding and analyzing the performance and behavior of cloud computing systems. Our design is based on similarity measures and a layout method to portray the behavior of each compute node over time. When visualizing a large number of behavioral lines together, distinct patterns often appear suggesting particular types of performance bottleneck. The resulting system provides multiple linked views, which allow the user to interactively explore the data by examining the data or a selected subset at different levels of detail. Our case studies, which use datasets collected from two different cloud systems, show that this visual based approach is effective in identifying trends and anomalies of the systems.

Sixi Chen,Ning An,Lian Li,Yongwei Wu,Weimin Zheng,Lin Sun

DOI: https://doi.org/10.1007/978-3-642-38562-9_6

2013-01-01

Abstract:Researchers have used the Web to better observe, monitor and reason various aspects of human behaviors. In the growing popularity of Cloud Computing environments, however, this important topic has yet to be carefully investigated. In this paper, we analyze 5-month logs detailing the access history to MeePo system that is a private cloud storage service deployed at Hefei University of Technology providing storage services to its college students. We find interesting activity patterns both for individual users and entire population. In particular, we find that the real world phenomena can be reflected closely in MeePo system.

Chunye ZHAO,Shanshan TU,Haoyu CHEN,Yongfeng HUANG

DOI: https://doi.org/10.16652/j.issn.1004-373x.2017.02.001

2017-01-01

Abstract:Cloud Storage provides data storage service for external by combing and coordinating different types of storage devices in the network,so that they can collectively work together. However it always exists a trust game relationship between users and service providers,therefore it is important to build a healthy,fair and secure cloud data service environment for the security auditing on the state of cloud data and operation processes. A cloud security?auditing scheme based on analysis of user behavior(UB)log data from cloud servers is proposed in this paper. The system log information analysis based on UB is realized functionally by description rules of UB. And the existing association rule mining algorithm is improved simultaneously,which is proposed for dealing with the Long Sequence Frequent Pattern(LSFP)to extract UB. The experiment result indicates that the so?lution can implement the tracking and evidence taking of data leakage efficiently for the cloud security auditing.

Wei Chen,Yan Tong,Jian Zhang,Tao Qin

DOI: https://doi.org/10.22323/1.299.0061

2017-01-01

Abstract:With the fast development of Web 2.0, users can obtain everything that they want from the Web. and their access behaviours are recorded by the access log. Based on mining the frequent access sequence, we can deeply understand their access interests. In turn, it can improve the efficiency of network management. In this paper, we firstly present the methods for log pre-processing and extract the features. Secondly, we employ the PrefixSpan algorithm to achieve the goal of frequent sequences mining. In order to process the massive log data in network today, we also combined the proposed methods with Spark. Finally, experimental results based on the log data collected from the campus network of Xi’an Jiaotong University verify the efficiency of the developed methods, which are useful for the understanding and management of the user’s behaviour.

Tao Qin,Wei Li,Chenxu Wang,Xingjun Zhang

DOI: https://doi.org/10.1587/transcom.e97.b.730

2014-01-01

IEICE Transactions on Communications

Abstract:With the ever-growing prevalence of web 2.0, users can access information and resources easily and ubiquitously. It becomes increasingly important to understand the characteristics of user's complex behavior for efficient network management and security monitoring. In this paper, we develop a novel method to visualize and measure user's web-communication-behavior character in large-scale networks. First, we employ the active and passive monitoring methods to collect more than 20,000 IP addresses providing web services, which are divided into 12 types according to the content they provide, e.g. News, music, movie and etc, and then the IP address library is established with elements as (service(type), IPaddress). User's behaviors are complex as they stay in multiple service types during any specific time period, we propose the behavior spectrum to model this kind of behavior characteristics in an easily understandable way. Secondly, two kinds of user's behavior characters are analyzed: the character at particular time instants and the dynamic changing characters among continuous time points. We then employ Renyi cross entropy to classify the users into different groups with the expectation that users in the same groups have similar behavior profiles. Finally, we demonstrated the application of behavior spectrum in profiling network traffic patterns and finding illegal users. The efficiency and correctness of the proposed methods are verified by the experimental results using the actual traffic traces collected from the Northwest Regional Center of China Education and Research Network (CERNET).

Chunye Zhao,Shanshan Tu,Haoyu Chen,Yongfeng Huang

DOI: https://doi.org/10.1109/icoacs.2016.7563067

2016-01-01

Abstract:Cloud Storage provides external data storage service by combing and coordinating different types of storage devices in the network, so that they can collectively work together. However it always exists a trust game relationship between users and service providers, therefore building a healthy, fair and secure cloud data service environment is necessary, especially for the security auditing on the state of cloud data and operation processes. This paper proposes user behavior (UB)-based scheme, by analyzing log data from cloud servers. Firstly, we present the description rules of UB for operating system logs. Then we put forward an association rule mining algorithm based on the Long Sequence Frequent Pattern (LSFP) to extract UB. At last, the result of experiment proves that our solution can implement the track and forensic of data leakage efficiently for the cloud security auditing.

Tao Qin,Xiaohong Guan,Yi Long,Wei Li

DOI: https://doi.org/10.1109/icis.2009.104

2009-01-01

Abstract:Users' character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify the users' behaviors into different security levels and control their behaviors with corresponding strategies. Firstly, Dflow model and several traffic features, including the number of packets, number of flows, flow durations, etc., are proposed to capture the users' characters. They are obtained from different layers of the OSI communication model, such as the network layer and transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, and different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, the users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous levels. Finally, the mid (high)-dangerous users' behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent". We quarantine a user whenever its behavior is classified into the mid (high)-dangerous levels by blocking its traffic. Then the quarantine is released after a short time, even if the users have not been inspected by security managers yet. In this way, we can remove the potential threats from the monitoring network without interfering the users' normal activities severely. The experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and of high accuracy, which can be used for real-time enterprise network monitoring and management.

Jia Zhanpei,Shen Chao,Yi Xiao,Chen Yufei,Yu Tianwen,Guan Xiaohong

DOI: https://doi.org/10.1109/coase.2017.8256257

2017-01-01

CASE

Abstract:Log data are important audit basis to record routine events occurring on computer or network system, which are also critical data source for detecting system anomalies. By analyzing the data from multi-source logs, it is helpful to detect abnormal system behaviors and discover intruder attacks in real time. In this paper, a Spark-based log data security platform is designed and built to analyze the large-scale log data and detect abnormal network behaviors. By integrating data mining, machine learning, and statistical analysis technologies, our proposed framework can quickly analyze large-scale multi-source log data and accurately discriminate the abnormal behaviors. Furthermore, the association analysis is applied to detect abnormal behaviors or potential threats in the system. Under a real-world network environment, extensive experiments are conducted to evaluate the system performance, which can achieve a fast and accurate detection for abnormal network behaviors, and significantly improve the accuracies under various types of network attack scenarios.

Zhaoli Liu,Tao Qin,Xiaohong Guan,Hezhi Jiang,Chenxu Wang

DOI: https://doi.org/10.1109/ACCESS.2018.2843336

IF: 3.9

2018-01-01

IEEE Access

Abstract:Logs are generated by systems to record the detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect the new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the data set into different clusters. Then, the obvious normal events which usually present as highly coherent clusters are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method, we constructed a log collection and anomaly detection platform in the campus network center of Xi'an Jiaotong University. The experimental results based on the data sets collected from the platform show our method has high detection accuracy and low computational complexity.

Long Zhao,Yanyan Wang,Wenbin Fan,DeXuan Wang,Yuan Zhou,Yekun Fang,Enhong Chen

DOI: https://doi.org/10.1007/978-3-031-20738-9_111

2023-01-01

Abstract:The rapid increase of data has made data security a major problem that enterprises need to explore urgently. At present, data leakage is mainly divided into external attacks and internal leakage. This paper is focused on internal data leakage. Aiming at the quantifiable problem of abnormal behaviors, we propose a model based on data mining algorithms and time series to discover a criterion of normal behaviors. Via those criteria (called baseline), calculating anomaly scores and sorting the importance of those abnormal behaviors are possible. The purpose of our works is to discover possible data security risks efficiently and quickly and intuitively display their priority by quantifying their anomaly scores.

Tao Qin,Wei Li,Xiaohong Guan,Zhaoli Liu

DOI: https://doi.org/10.1109/glocom.2012.6503237

2012-01-01

Abstract:With the number of Internet users and applications continues to grow, it becomes increasingly important to understand the users' behavior character for efficient network management and security monitoring. Web is one of the most popular applications, which can help users to obtain anything they want. In this paper, we propose a new framework to measure and monitor users' web access behavior character. Firstly, web services are divided into 12 types according to the content they provide. As user like to access different web services at different time instants, we proposed the behavior spectrum to describe the users' access character in an easily understandable way. Secondly, we employ three traffic features (number of connections, number of packets and number of bytes) to measure the intensity of users' access behavior. Based on the spectrums and features obtained, two kinds of user's access characters are analyzed: the characters at a particular time instant and the dynamic changing characters at continuous time points. Finally, we employ the Renyi entropy to cluster the users into different groups based on the spectrum and find the results are useful for network management. To verify the method, several actual traffic traces are collected from the Northwest Regional Center of CERNET (China Education and Research Network) and the experimental results prove the efficiency of the proposed methods.

Tingzhong Wang,Nanjie Li,Hailong Wang,Junhong Xian,Jiayi Guo

DOI: https://doi.org/10.1155/2022/4291978

2022-05-05

Advances in Multimedia

Abstract:With the continuous development of internet economy and e-commerce, the scale of data produced by users on e-commerce platform is increasing explosively. Mining the behavior of individual users and group users from massive user behavior data and analyzing the value and law behind the data are of great significance to the development of e-commerce. Taking the user behavior log data of an e-commerce website as the data source, this paper, firstly, processes and analyzes the original dataset through the data filtering and storage module, and it uses the combination of Kafka and Flume to store the user behavior log with reasonable structure and complete fields in HDFS. Secondly, a hierarchical system of data warehouse is constructed in Hive, and each layer of log data is effectively mined and multidimensionally analyzed with the help of log mining technology. Finally, based on the big data framework and Bi tools, a data warehouse system is designed and implemented, which could store and analyze massive data and visually display the results. The system uses dimensional modeling to build a data warehouse hierarchical system to mine and analyze user behavior data through log mining algorithm deeply. The K-means clustering algorithm and RFM model are used to divide the user behavior characteristics in detail, and AARRR funnel model is used to analyze the logs in a modular way. Through the effective mining and multidimensional visual analysis of user behavior data, the behavior analysis of group users and individual users, as well as the analysis of commodity sales flow and sales linkage are realized, which provides support for internal decision-making and precision marketing.

Qiang Ren

DOI: https://doi.org/10.1088/1742-6596/1533/2/022092

2020-04-01

Journal of Physics: Conference Series

Abstract:Abstract With the rapid development of mobile Internet, operators are facing more and more fierce competition, traffic management is imperative. Accurate marketing based on user behavior analysis is an important means. However, in the era of big data, with the rapid growth of mobile Internet services and the increase in the number of users, the traditional architecture is difficult to adapt to the needs of mass data mining. The purpose of this paper is to make the Internet operators in China face a new development opportunity, start to move towards the road of traffic management to traffic management, and conduct an in-depth analysis of users’ behavior rules, to explore the real needs of the market and the majority of users. This paper proposes a cloud-based mobile Internet big data user behavior analysis engine solution, including the design of the overall system architecture, big data warehousing and preprocessing components, big data user behavior analysis model and other key modules, and finally analyzes the system test results.

Jingquan Jin,Xin Lin

DOI: https://doi.org/10.1155/2022/8485014

IF: 3.12

2022-08-27

Computational Intelligence and Neuroscience

Abstract:Web content mining describes the classification, clustering, and attribute analysis of a large number of text documents and multimedia files on the web. Special tasks include retrieval of data from the Internet search engine tool W; structured processing and analysis of web data. Today's blog analysis has security concerns. We do experiments to investigate its safety. Through experiments, we draw the following conclusions: (1) Web log extraction can use efficient data mining algorithms to systematically extract logs from web servers, then determine the main access types or interests of users, and then to a certain extent, based on the discovered user patterns, analyze the user's access settings and behavior. (2) No matter in the test set or the mixed test set, the curve value of deep mining is very stable, the curve value has been kept at 0.95, and the curve value of fuzzy statistics method and quantitative statistics method is stable within the interval of 0.90–095. The results also show that the data mining method has the highest identification accuracy and the best security performance. (3) Web usage analysis requires data abstraction for pattern discovery. This data abstraction can be achieved through data preprocessing, which introduces different formats of web server log files and how web server log data is preprocessed for web usage analysis. One of the most critical parts of the web mining field is web log mining. Web log mining can use powerful data mining algorithms to systematically mine the logs in the web server and then learn the user's access or preferred interests and then conduct a certain degree of user preferences and behavior patterns according to the discovered user patterns. Based on the above analysis, the current web log analysis is faced with security problems. We conduct experiments to study to verify the security performance of web logs and draw conclusions through experiments.

mathematical & computational biology,neurosciences

Xiaodong Zang,Jian Gong,Maoli Wang,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.jnca.2023.103603

IF: 7.574

2023-04-01

Journal of Network and Computer Applications

Abstract:Discovering and describing IP traffic behavior is becoming more and more significant for efficient network management and security monitoring. Recently, many modeling techniques have been proposed, most of which focused on properties of a single dimension, such as volume-based or spatial-based. Characterizing IP traffic behavior with individual dimension features is often insufficient as they are spatiotemporally correlated. In this paper, we demonstrate that IP traffic behavior can be profiled from the perspective of end users’ access relationship. We find that groups of IPs have similar behavior traits, and with insights from the identified behavior profiles, we can discover malicious traffic behavior in the overwhelming measurement data. To this end, firstly, we extract a collection of features to profile traffic behavior from the dimension of temporal, spatial, category, and intensity. Then, we characterize and model the rhythmic behavior, the cyclical behavior, the access stable behavior, the service diversity behavior, and the hotspot behavior. Finally, we use the open-source dataset, synthetic data, and the real Internet Netflow data collected from the China Education Research Network backbone (CERNET) to empirically validate our proposal. Extensive results demonstrate that the applications of derived traffic patterns can achieve fine-grained traffic monitoring.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Zhijun Zhao,Chen Xu,Bo Li

DOI: https://doi.org/10.1007/s11265-021-01644-4

2021-02-05

Journal of Signal Processing Systems

Abstract:Abstract Security devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Ruijuan Zheng,Jing Chen,Mingchuan Zhang,Qingtao Wu,Junlong Zhu,Huiqiang Wang

DOI: https://doi.org/10.1016/j.future.2018.01.028

IF: 7.307

2018-06-01

Future Generation Computer Systems

Abstract:It is the foundation of accessing and controlling cloud environment to establish the mutual trust relationship between users and clouds. How to identify the credible degree of the user identity and its behaviors have become the core problems. Combining with the abnormal recognition and misuse recognition, this paper proposes a collaborative analysis method of user abnormal behavior based on reputation voting. Firstly, the under-sampling and pruning technique are used to construct training samples to avoid high overhead for identifying all data, meanwhile it has solved the problem of unbalanced data learning. Moreover, reputation computing model combining with semi-supervised learning constructs ensemble classifier, and 2-level Chord is used to store reputation to realize its bidirectional query. On this basis, the base classifier is used to vote user behaviors by reputation in order to improve the speed of identifying abnormal behavior. The experimental results show that the scheme could improve the detection speed and clustering accuracy obviously in big data of the mobile user environment, and it has better effect for larger dataset with unbalanced rate especially.

Ye Tao,Shuaitong Guo,Cao Shi,Dianhui Chu

DOI: https://doi.org/10.1109/access.2019.2961769

IF: 3.9

2020-01-01

IEEE Access

Abstract:Modern mass customization production allows user interaction activities to be distributed in the full product life cycle via multiple information systems. Investigating user behaviors across the boundaries of different domains helps to deeply integrate isolated fragmental profiles into a comprehensive one, and therefore can provide multi-dimensional, high-quality and valuable services. However, traditional user behavior analysis models are based on individual user profile information derived from separate domains, such as requirement analysis, design, supply chain, logistics, marketing, etc., which have not considered the whole complexity of mass customization manufacturing. In this paper, we introduce the concept of multi-dimensional semantic activity space, where user behavior features are merged and represented as combined vectors. User behavior patterns are discovered by mining action data extracted from log files in different subsystems in the corresponding domains. We also identify distinct categories of user behaviors in various modules and subsystems in the context of an intelligent manufacturing environment. Experiment results show a strong indication that the proposed approach can be applied to reveal variations in typical behavioral aspects of cross-domain participants, in terms of patterns in resource access, operation tasks, performance assessment, etc.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chen Baogang,Xu Yong,Hu Jinlong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.05.064

2008-01-01

Abstract:Although P2P system is continually increasing popularity among people and augmenting traffic percentage on internet, we still do not have a clear understanding of the users' behaviors characteristics, the traffic patterns and the potential performance problems of the recent P2P system. In this study, we present an investigation of behavior characteristics of Maze P2P system based on log data recorded users' behaviors from central servers in Maze system. Our results show that uploading bandwidth, downloading bandwidth, uploading rile traffic and downloading file traffic of users' can be modeled by mixtures of two lognormal distributions while total downloaded size of each rile and downloading file size in one request are modeled by mixtures of three lognormal distributions.