朴素贝叶斯算法是应用最为广泛的分类算法之一。简称NB算法。可以用来检测异常操作,检测DGA域名,检测针对Apache的DDos攻击,检测基于MNIST数据集的验证码。
朴素贝叶斯算法包括以下算法
高斯朴素贝叶斯算法
多项式朴素贝叶斯算法
伯努利朴素贝叶斯
1.hellobeiyesi
# coding: utf-8
from sklearn import datasets
iris = datasets.load_iris()
from sklearn.naive_bayes import GaussianNB
gnb = GaussianNB()
y_pred = gnb.fit(iris.data,iris.target).predict(iris.data)#训练并预测数据
print ("Number of mislabeled points out of total %d points : %d" % (iris.data.shape[0],(iris.target != y_pred).sum()))
2.检测异常操作
操作思路:
1.数据的搜集与清洗
2.特征化
3.训练模型
4.效果验证
检测异常操作:
# -*- coding:utf-8 -*-
import sys
import urllib
import urlparse
import re
from hmmlearn import hmm
import numpy as np
from sklearn.externals import joblib
import HTMLParser
import nltk#用来分词
import csv
import matplotlib.pyplot as plt
from nltk.probability import FreqDist
from sklearn.feature_extraction.text import CountVectorizer
from sklearn.neighbors import KNeighborsClassifier
from sklearn.naive_bayes import GaussianNB
N = 90
def load_user_cmd_new(filename):
cmd_list=[]
dist = []
with open(filename) as f:
i=0
x=[]
for line in f:
line = line.strip('\n')
x.append(line)
dist.append(line)
i+=1
if i == 100:
cmd_list.append(x)
x=[]
i=0
fdist=FreqDist(dist).keys()
return cmd_list,fdist
def load_user_cmd(filename):
cmd_list=[]
dist_max=[]
dist_min=[]
dist=[]
with open(filename) as f:
i=0
x=[]
for line in f:
line=line.strip('\n')
x.append(line)
dist.append(line)
i+=1
if i == 100:
cmd_list.append(x)
x=[]
i=0
fdist = FreqDist(dist).keys()
dist_max = set(fdist[0:50])
dist_min = set(fdist[-50:])
return cmd_list,dist_max,dist_min
#以下是提取特征
def get_user_cmd_feature(user_cmd_list,dist_max,dist_min):
user_cmd_feature=[]
for cmd_block in user_cmd_list:
f1=len(set(cmd_block))
fdist = FreqDist(cmd_block).keys()
f2 = fdist[0:10]
f3 = fdist[-10:]
f2 = len(set(f2) & set(dist_max))
f3 = len(set(f3)&set(dist_min))
x = [f1,f2,f3]
user_cmd_feature.append(x)
return user_cmd_feature
def get_user_cmd_feature_new(user_cmd_list,dist):
user_cmd_feature=[]
for cmd_list in user_cmd_list:
v=[0]*len(dist)
for i in range(0,len(dist)):
if dist[i] in cmd_list:
v[i]+=1
user_cmd_feature.append(v)
return user_cmd_feature
def get_label(filename,index=0):
x=[]
with open(filename) as f:
for line in f:
line=line.strip('\n')
x.append(int(line.split()[index]))
return x
if __name__ == '__main__':
user_cmd_list,dist=load_user_cmd_new("/home/qin/code/python/web-ml/1book-master/data/MasqueradeDat/User3")
user_cmd_feature=get_user_cmd_feature_new(user_cmd_list,dist)
labels=get_label("/home/qin/code/python/web-ml/1book-master/data/MasqueradeDat/label.txt",2)
y=[0]*50+labels
x_train=user_cmd_feature[0:N]
y_train=y[0:N]
x_test = user_cmd_feature[N:150]
y_test = y[N:150]
neigh = KNeighborsClassifier(n_neighbors=3)
neigh.fit(x_train,y_train)
y_predict_knn=neigh.predict(x_test)
print y_train
clf = GaussianNB().fit(x_train,y_train)
y_predict_nb=clf.predict(x_test)
score=np.mean(y_test==y_predict_knn)*100
print "KNN %d " % score
score=np.mean(y_test==y_predict_nb)*100
print "NB %d" % score
结果:
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]
KNN 83
NB 83
2.检测WebShell
# -*- coding:utf-8 -*-
import os
from sklearn.feature_extraction.text import CountVectorizer
import sys
import numpy as np
from sklearn import cross_validation
from sklearn.naive_bayes import GaussianNB
def load_file(file_path):
t=""
with open(file_path) as f:
for line in f:
line=line.strip('\n')
t+=line
return t
def load_files(path):
files_list=[]
for r,d,files in os.walk(path):
for file in files:
if file.endswith('.php'):
file_path=path+file
print "Load %s" % file_path
t=load_file(file_path)
files_list.append(t)
return files_list
if __name__=='__main__':
webshell_bigram_vectorizer=CountVectorizer(ngram_range=(2,2),decode_error="ignore",token_pattern= r'\b\w+\b',min_df=1)
#ngram_range表明基于2-gram,ignore表示忽略异常字符的影响,token_pattern表示按单词切分
webshell_files_list=load_files("/home/qin/code/python/web-ml/1book-master/data/PHP-WEBSHELL/xiaoma/")
x1=webshell_bigram_vectorizer.fit_transform(webshell_files_list).toarray()
y1=[1]*len(x1)
vocabulary=webshell_bigram_vectorizer.vocabulary_
wp_bigram_vectorizer = CountVectorizer(ngram_range=(2,2),decode_error="ignore",token_pattern=r"\b\w+\b",min_df=1,vocabulary=vocabulary)
wp_files_list=load_files("/home/qin/code/python/web-ml/1book-master/data/wordpress/")
x2=wp_bigram_vectorizer.fit_transform(wp_files_list).toarray()
y2=[0]*len(x2)
x=np.concatenate((x1,x2))
y=np.concatenate((y1,y2))
clf = GaussianNB()
print cross_validation.cross_val_score(clf,x,y,n_jobs=-1,cv=3)
3.shell2
import os
from sklearn.feature_extraction.text import CountVectorizer
import sys
import numpy as np
from sklearn import cross_validation
from sklearn.naive_bayes import GaussianNB
r_token_pattern=r'\b\w+\b\(|\'w+\''
def load_file(file_path):
t=""
with open(file_path) as f:
for line in f:
line=line.strip('\n')
t+=line
return t
def load_files(path):
files_list=[]
for r, d, files in os.walk(path):
for file in files:
if file.endswith('.php'):
file_path=path+file
#print "Load %s" % file_path
t=load_file(file_path)
files_list.append(t)
return files_list
if __name__ == '__main__':
webshell_bigram_vectorizer = CountVectorizer(ngram_range=(1, 1), decode_error="ignore",
token_pattern = r_token_pattern,min_df=1)
webshell_files_list=load_files("/home/qin/code/python/web-ml/1book-master/data/PHP-WEBSHELL/xiaoma")
x1=webshell_bigram_vectorizer.fit_transform(webshell_files_list).toarray()
y1=[1]*len(x1)
vocabulary=webshell_bigram_vectorizer.vocabulary_
wp_bigram_vectorizer = CountVectorizer(ngram_range=(1, 1), decode_error="ignore",
token_pattern = r_token_pattern,min_df=1,vocabulary=vocabulary)
wp_files_list=load_files("/home/qin/code/python/web-ml/1book-master/data/wordpress/")
x2=wp_bigram_vectorizer.transform(wp_files_list).toarray()
y2=[0]*len(x2)
x=np.concatenate((x1,x2))
y=np.concatenate((y1, y2))
clf = GaussianNB()
print vocabulary
print cross_validation.cross_val_score(clf,x,y,n_jobs=-1,cv=3)
