A GMM-Based Anomaly IP Detection Model from Security Logs

2021 
The intrusion prevention system (IPS) is a widely used security system that generates logs of the attacks it blocks, for management personnel to review and process further. However, most entries in real IPS logs are not attack entries, which makes it impossible to obtain the attacker's IP through simple log analysis. Traditional log analysis methods rely on the administrator to analyze the log text manually, so anomaly detection methods are needed for this analysis. Most existing log data-based automatic anomaly detection methods cannot achieve a satisfying result while also keeping computational requirements low and the model interpretable. This paper chooses the Gaussian Mixture Model (GMM) to detect abnormal IPs on the log dataset. The GMM method provides better detection results while keeping computational requirements relatively low, and it preserves the interpretability of the model. Experiments show that the GMM method's ability to detect abnormal IPs is strong and that GMM is a suitable log data-based automatic detection method for abnormal IPs.
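The pipeline the abstract describes, as an added example that is not the paper's code: per-IP features are aggregated from IPS log lines, a diagonal-covariance GMM is fitted by EM on a baseline window, and IPs in a new window whose mixture log-likelihood falls far below the baseline are reported. The log line format, the two features (event count and distinct destination ports), the threshold rule and all log lines are assumptions of this example, not the paper's.

```python
# Added example, not the paper's code: features, thresholds and all log lines are constructed assumptions.
import math
from collections import defaultdict
def ip_features(lines):                      # per source IP: [log(1 + events), distinct destination ports]
    events, ports = defaultdict(int), defaultdict(set)
    for line in lines:                       # constructed line format: "src_ip dst_port action"
        ip, port, _action = line.split()
        events[ip] += 1
        ports[ip].add(port)
    return {ip: [math.log1p(events[ip]), float(len(ports[ip]))] for ip in events}

def log_gauss(x, mu, var):                   # log N(x; mu, diag(var))
    return sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v) for xi, m, v in zip(x, mu, var))

def mixture(x, w, mus, vars_):               # log-likelihood under the mixture + per-component responsibilities
    lp = [math.log(wj) + log_gauss(x, m, v) for wj, m, v in zip(w, mus, vars_)]
    ll = max(lp) + math.log(sum(math.exp(l - max(lp)) for l in lp))
    return ll, [math.exp(l - ll) for l in lp]

def fit_gmm(X, k=2, iters=100, var_floor=1e-2):
    """EM for a k-component diagonal GMM; means start spread along the first feature."""
    n, d = len(X), len(X[0])
    order = sorted(range(n), key=lambda i: X[i][0])
    mus = [list(X[order[j * (n - 1) // (k - 1)]]) for j in range(k)]
    vars_, w = [[1.0] * d for _ in range(k)], [1.0 / k] * k
    for _ in range(iters):
        R = [mixture(x, w, mus, vars_)[1] for x in X]                       # E-step
        for j in range(k):                                                   # M-step
            nj = sum(r[j] for r in R) + 1e-12
            w[j] = nj / n
            mus[j] = [sum(r[j] * x[i] for r, x in zip(R, X)) / nj for i in range(d)]
            vars_[j] = [max(var_floor, sum(r[j] * (x[i] - mus[j][i]) ** 2   # floor: no collapse onto one point
                                           for r, x in zip(R, X)) / nj) for i in range(d)]
    return w, mus, vars_

def flag_anomalous_ips(baseline_lines, new_lines, n_sigma=3.0):
    """Fit on the baseline window; report new IPs scoring below mean - n_sigma * std of baseline scores."""
    base = ip_features(baseline_lines)
    gmm = fit_gmm(list(base.values()))
    scores = [mixture(x, *gmm)[0] for x in base.values()]
    mean = sum(scores) / len(scores)
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    return {ip: round(s, 1) for ip, x in ip_features(new_lines).items()
            if (s := mixture(x, *gmm)[0]) < mean - n_sigma * std}
BASELINE = []                                # constructed baseline: five light clients, five busy hosts
for i in range(1, 6):
    BASELINE += [f"10.0.0.{i} 443 allow"] * (i + 1) + [f"10.0.0.{i} 80 allow"] * (i % 2)
    BASELINE += [f"10.0.1.{i} 80 allow"] * (18 + 3 * i) + [f"10.0.1.{i} {p} allow" for p in (443, 8080)[:1 + i % 2]]
NEW = (["10.0.0.7 443 allow"] * 4 + ["10.0.1.7 80 allow"] * 25 + ["10.0.1.7 443 allow"] * 3
       + [f"203.0.113.9 {p} block" for p in range(1, 26)])  # constructed: a 25-port sweep from one source
```

`flag_anomalous_ips(BASELINE, NEW)` reports only `203.0.113.9`; the two normal new hosts fall inside the baseline clusters, while the port-sweeping source sits far outside them in the distinct-ports feature, which is the kind of per-IP outlier the abstract's approach is meant to surface.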