KDD 99 dataset
As is well known, KDD is short for Knowledge Discovery and Data Mining, and KDD CUP is the ACM's annual competition. KDD 99 is the dataset used by that competition in 1999. It originates from Lincoln Laboratory, which built a network environment simulating a US Air Force LAN and collected nine weeks of network connection and system audit data, simulating various user types, many kinds of network traffic and a range of attack techniques.
Dataset layout: the first 41 fields of each record are features, the 42nd is the label
The 41 features fall into 4 categories:
- basic features of the TCP connection
- content features of the TCP connection
- time-based network traffic statistics
- host-based network traffic statistics
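The four categories occupy fixed column positions in every KDD 99 record, and the three detectors on this page select features by hand-counted 1-based column ranges. The following is an added example, not code from the original page: it lists the 41 feature names by category so that features can be selected by name, verifies the column ranges, and parses records the way the page's loaders do. The three sample lines are constructed in the KDD 99 layout for illustration only; their values are not taken from the dataset, and all function names are this example's own.

```python
import csv
import io

# Added example (not from the original page). KDD 99 feature names grouped
# into the four categories, in file order; column numbers are 1-based as in
# the text, and the label is column 42.
KDD99_CATEGORIES = {
    # columns 1-9: basic features of the TCP connection
    "basic": ["duration", "protocol_type", "service", "flag", "src_bytes",
              "dst_bytes", "land", "wrong_fragment", "urgent"],
    # columns 10-22: content features of the TCP connection
    "content": ["hot", "num_failed_logins", "logged_in", "num_compromised",
                "root_shell", "su_attempted", "num_root", "num_file_creations",
                "num_shells", "num_access_files", "num_outbound_cmds",
                "is_host_login", "is_guest_login"],
    # columns 23-31: time-based traffic statistics
    "time": ["count", "srv_count", "serror_rate", "srv_serror_rate",
             "rerror_rate", "srv_rerror_rate", "same_srv_rate",
             "diff_srv_rate", "srv_diff_host_rate"],
    # columns 32-41: host-based traffic statistics
    "host": ["dst_host_count", "dst_host_srv_count", "dst_host_same_srv_rate",
             "dst_host_diff_srv_rate", "dst_host_same_src_port_rate",
             "dst_host_srv_diff_host_rate", "dst_host_serror_rate",
             "dst_host_srv_serror_rate", "dst_host_rerror_rate",
             "dst_host_srv_rerror_rate"],
}
CATEGORY_ORDER = ("basic", "content", "time", "host")
FEATURE_NAMES = [n for c in CATEGORY_ORDER for n in KDD99_CATEGORIES[c]]
# The three symbolic columns are kept as strings, everything else is float
SYMBOLIC = {"protocol_type", "service", "flag"}


def column_range(category):
    """1-based inclusive (first, last) column numbers of a category."""
    names = KDD99_CATEGORIES[category]
    first = FEATURE_NAMES.index(names[0]) + 1
    return first, first + len(names) - 1


def parse_record(line):
    """Split one KDD 99 line into ({feature: value}, label); the trailing
    dot of the label ('normal.') is removed."""
    fields = next(csv.reader(io.StringIO(line.strip())))
    if len(fields) != 42:
        raise ValueError("expected 42 fields, got %d" % len(fields))
    feats = {}
    for name, value in zip(FEATURE_NAMES, fields[:41]):
        feats[name] = value if name in SYMBOLIC else float(value)
    return feats, fields[41].rstrip(".")


def select(feats, categories, extra=()):
    """Numeric feature vector: the named extra columns first, then every
    non-symbolic column of each category, in file order."""
    names = list(extra)
    for category in categories:
        names += [n for n in KDD99_CATEGORIES[category] if n not in SYMBOLIC]
    return [feats[n] for n in names]


def load_kdd99_text(text, services=(), labels=()):
    """Parse a whole file's text; optionally keep only the given services
    and labels (labels given without the trailing dot)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        feats, label = parse_record(line)
        if services and feats["service"] not in services:
            continue
        if labels and label not in labels:
            continue
        records.append((feats, label))
    return records


# Constructed sample lines in the KDD 99 layout (illustrative values,
# not taken from the dataset).
SAMPLE = """\
0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.
0,tcp,http,S0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,123,6,1.00,1.00,0.00,0.00,0.05,0.07,0.00,255,26,0.10,0.05,0.00,0.00,1.00,1.00,0.00,0.00,apache2.
12,tcp,telnet,SF,1500,4600,0,0,0,2,0,1,1,1,1,2,1,1,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,1,1,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,rootkit.
"""

if __name__ == "__main__":
    for category in CATEGORY_ORDER:
        print(category, column_range(category))
    # The Rootkit detector's selection: telnet records, content features only
    for feats, label in load_kdd99_text(SAMPLE, services=("telnet",)):
        print(label, select(feats, ["content"]))
```

Selecting by name also makes the slice arithmetic explicit: Python slices exclude their end index, so "columns 10 to 22" is `fields[9:22]`, not `fields[9:21]`.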
Code 1: detecting Rootkit with the k-nearest neighbours algorithm
KDD 99 contains 39 kinds of attack; when we concentrate on detecting one of them, the feature set has to be tailored to it. From the 41 features of each record we select the ones relevant to Rootkit, which are mainly the content features of the TCP connection. The code keeps only records labelled rootkit or normal whose service is telnet.
Looking at KDD 99, the TCP connection content features are columns 10 to 22 (1-based).
# -*- coding:utf-8 -*-
from sklearn.model_selection import cross_val_score
from sklearn.neighbors import KNeighborsClassifier

# Load the KDD 99 dataset: one comma-separated record per line, 41 features
# followed by the label (labels carry a trailing dot, e.g. "normal.")
def load_kdd99(filename):
    x = []
    with open(filename) as f:
        for line in f:
            line = line.strip('\n')
            line = line.split(',')
            x.append(line)
    return x

def get_rootkit2andNormal(x):
    v = []
    w = []
    y = []
    # Keep only records labelled rootkit or normal whose service is telnet
    for x1 in x:
        if (x1[41] in ['rootkit.', 'normal.']) and (x1[2] == 'telnet'):
            if x1[41] == 'rootkit.':
                y.append(1)
            else:
                y.append(0)
            # Pick the Rootkit-related features: the TCP connection content
            # features, columns 10 to 22 (slices exclude the end index,
            # so that is x1[9:22])
            x1 = x1[9:22]
            v.append(x1)
    # Convert the selected string fields to floats
    for x1 in v:
        v1 = []
        for x2 in x1:
            v1.append(float(x2))
        w.append(v1)
    return w, y

if __name__ == '__main__':
    v = load_kdd99("/用户/zhanglipeng/资源库/Python/3.7/lib/python/Data/kdd99_corrected")
    x, y = get_rootkit2andNormal(v)
    clf = KNeighborsClassifier(n_neighbors=3)
    # 10-fold cross-validation; the default score for a classifier is accuracy
    print(cross_val_score(clf, x, y, n_jobs=-1, cv=10))
Run result:
[0.95652174 0.95652174 0.95652174 1. 0.95652174 1.
1. 1. 1. 1. ]
Code 2: detecting POP3 brute force with a decision tree
POP3 brute force is what we usually call password guessing; in KDD 99 it is the label guess_passwd, and the code keeps records labelled guess_passwd or normal whose service is pop_3. The relevant features are column 1 (duration), columns 5 to 9 (src_bytes, dst_bytes, land, wrong_fragment, urgent) and columns 23 to 31 (the time-based network traffic statistics).
# -*- coding:utf-8 -*-
from sklearn.model_selection import cross_val_score
from sklearn import tree
import pydotplus

# Load the KDD 99 dataset: one comma-separated record per line, 41 features
# followed by the label
def load_kdd99(filename):
    x = []
    with open(filename) as f:
        for line in f:
            line = line.strip('\n')
            line = line.split(',')
            x.append(line)
    return x

def get_guess_passwdandNormal(x):
    v = []
    w = []
    y = []
    # Keep only records labelled guess_passwd or normal whose service is pop_3
    for x1 in x:
        if (x1[41] in ['guess_passwd.', 'normal.']) and (x1[2] == 'pop_3'):
            if x1[41] == 'guess_passwd.':
                y.append(1)
            else:
                y.append(0)
            # Column 1 (duration), columns 5 to 9 (src_bytes .. urgent) and
            # columns 23 to 31 (time-based traffic statistics); slices
            # exclude the end index
            x1 = [x1[0]] + x1[4:9] + x1[22:31]
            v.append(x1)
    # Convert the selected string fields to floats
    for x1 in v:
        v1 = []
        for x2 in x1:
            v1.append(float(x2))
        w.append(v1)
    return w, y

if __name__ == '__main__':
    v = load_kdd99("../data/kddcup99/corrected")
    x, y = get_guess_passwdandNormal(v)
    clf = tree.DecisionTreeClassifier()
    print(cross_val_score(clf, x, y, n_jobs=-1, cv=10))
    # Fit on the whole subset and render the tree to PDF (needs Graphviz installed)
    clf = clf.fit(x, y)
    dot_data = tree.export_graphviz(clf, out_file=None)
    graph = pydotplus.graph_from_dot_data(dot_data)
    graph.write_pdf("../photo/6/iris-dt.pdf")
Code 3: detecting DDoS attacks against Apache
In KDD 99 the label apache2 is a denial-of-service attack against the Apache web server, so the code keeps records labelled apache2 or normal whose service is http. The DDoS-related features are mainly the basic connection features and the time-based and host-based traffic statistics:
Basic connection features: column 1 (duration) and columns 5 to 9 (src_bytes, dst_bytes, land, wrong_fragment, urgent)
Time-based traffic statistics: columns 23 to 31
Host-based traffic statistics: columns 32 to 41
# -*- coding:utf-8 -*-
from sklearn.model_selection import cross_val_score
from sklearn.naive_bayes import GaussianNB

# Load the KDD 99 dataset: one comma-separated record per line, 41 features
# followed by the label
def load_kdd99(filename):
    x = []
    with open(filename) as f:
        for line in f:
            line = line.strip('\n')
            line = line.split(',')
            x.append(line)
    return x

def get_apache2andNormal(x):
    v = []
    w = []
    y = []
    # Keep only records labelled apache2 or normal whose service is http
    for x1 in x:
        if (x1[41] in ['apache2.', 'normal.']) and (x1[2] == 'http'):
            if x1[41] == 'apache2.':
                y.append(1)
            else:
                y.append(0)
            # Column 1 (duration), columns 5 to 9 (src_bytes .. urgent),
            # columns 23 to 31 (time-based) and 32 to 41 (host-based);
            # slices exclude the end index
            x1 = [x1[0]] + x1[4:9] + x1[22:31] + x1[31:41]
            # x1 = x1[4:9]   # alternative: src_bytes .. urgent only
            v.append(x1)
    # Convert the selected string fields to floats
    for x1 in v:
        v1 = []
        for x2 in x1:
            v1.append(float(x2))
        w.append(v1)
    return w, y

if __name__ == '__main__':
    v = load_kdd99("/Users/zhanglipeng/Data/kddcup99/corrected")
    x, y = get_apache2andNormal(v)
    clf = GaussianNB()
    print(cross_val_score(clf, x, y, n_jobs=-1, cv=10))
Run result:
[0.99925094 0.99875156 0.99950062 0.99950062 0.996004 0.9995005
0.997003 0.98975768 0.99975019 0.99925056]
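All three runs above print the per-fold values of cross_val_score, which for a classifier is plain accuracy over stratified folds. In each of these subsets the attack label is rare next to normal traffic, so a score near 1.0 says little about how many attacks were actually caught. The following added example (not code from the original page) computes the majority-class baseline, precision and recall for the attack class, and compares a sequential fold split with a stratified one on constructed labels; the label vector and the two prediction vectors are made up for illustration and the function names are this example's own.

```python
from collections import Counter

# Added example (not from the original page): scoring a KDD 99 detector on
# its attack class instead of on overall accuracy.


def confusion(y_true, y_pred, positive=1):
    """(tp, fp, fn, tn) with respect to the positive (attack) label."""
    tp = fp = fn = tn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive and truth == positive:
            tp += 1
        elif pred == positive:
            fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def scores(y_true, y_pred, positive=1):
    """Accuracy plus precision, recall and F1 of the attack class."""
    tp, fp, fn, tn = confusion(y_true, y_pred, positive)
    total = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / total, "precision": precision,
            "recall": recall, "f1": f1}


def majority_baseline(y_true):
    """Accuracy of a 'detector' that always answers with the most common label."""
    label, count = Counter(y_true).most_common(1)[0]
    return label, count / len(y_true)


def sequential_folds(n, k):
    """Plain K-fold over record order: k contiguous index blocks."""
    size = n // k
    return [list(range(i * size, (i + 1) * size if i < k - 1 else n))
            for i in range(k)]


def stratified_folds(y, k):
    """K folds that each keep the class ratio (what cross_val_score uses for
    a classifier when cv is an integer)."""
    folds = [[] for _ in range(k)]
    for label in sorted(set(y)):
        members = [i for i, v in enumerate(y) if v == label]
        for j, i in enumerate(members):
            folds[j % k].append(i)
    return [sorted(f) for f in folds]


def attacks_per_fold(y, folds):
    """How many positive-label records land in each fold."""
    return [sum(y[i] for i in fold) for fold in folds]


# Constructed labels: 10 attack records (1) stored in front of 990 normal
# ones (0), as a label-sorted file would have them.
Y_TRUE = [1] * 10 + [0] * 990
# A detector that never alerts
PRED_SILENT = [0] * 1000
# A detector that catches 7 of the 10 attacks and raises 5 false alarms
PRED_USEFUL = [1] * 7 + [0] * 3 + [1] * 5 + [0] * 985

if __name__ == "__main__":
    print("majority baseline", majority_baseline(Y_TRUE))
    print("silent detector  ", scores(Y_TRUE, PRED_SILENT))
    print("useful detector  ", scores(Y_TRUE, PRED_USEFUL))
    print("attacks per sequential fold",
          attacks_per_fold(Y_TRUE, sequential_folds(len(Y_TRUE), 10)))
    print("attacks per stratified fold",
          attacks_per_fold(Y_TRUE, stratified_folds(Y_TRUE, 10)))
```

The silent detector scores 0.99 accuracy with zero recall, the same accuracy as simply guessing "normal"; the useful detector scores 0.992, a difference the fold arrays above would hide. With scikit-learn the equivalent is `cross_val_score(..., scoring="recall")` or `scoring="f1"` on the attack label.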