Enterprise Network Abnormal Behavior Detection and Defense Strategy Based on LOF

Peng Wang
Yan Qi
Bin Pu

Abstract

In response to the problem that existing methods are insensitive to local anomalies in enterprise network environments, this article analyzes local anomalies in traffic using the Local Outlier Factor (LOF) algorithm to improve the detection efficiency of network attacks. The K-Means clustering algorithm is used to fill in missing values with the corresponding attribute values of the cluster center; the LOF algorithm then performs local density analysis on the traffic data to identify abnormal connections that do not match the normal pattern. At the same time, Isolation Forest (iForest) is combined with LOF to construct a random tree model that improves the accuracy of anomaly detection, yielding an LOF-iForest network abnormal behavior detection model; by integrating firewalls and building network anomaly security defense strategies, real-time blocking of abnormal traffic is achieved. Experiments on the CICIDS 2017 (Canadian Institute for Cybersecurity Intrusion Detection Systems 2017) dataset show that when dealing with viral infections, LOF-iForest takes only 0.68 seconds, with an average false detection rate of only 2.87%; the defense response time is 2 seconds, and the response level to unknown threats is excellent. The adopted method effectively improves the detection accuracy and speed of abnormal behavior detection in enterprise networks, providing strong network security guarantees for the development of enterprises.
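The detection pipeline the abstract outlines (K-Means cluster centers used to impute missing flow attributes, followed by LOF local-density scoring) is sketched below as an added example; it is not code from the paper, and it leaves out the paper's iForest fusion and firewall integration. The flow records, the feature layout [duration_s, fwd_bytes, bwd_bytes, packets], the number of clusters, the neighbourhood size k and the LOF alert threshold are all constructed assumptions for illustration.

```python
import math
from typing import List, Optional

Row = List[Optional[float]]

# Constructed sample flows (not from the paper): [duration_s, fwd_bytes, bwd_bytes, packets].
# None marks a missing attribute value that K-Means imputation must fill in.
FLOWS: List[Row] = [
    [1.0, 500.0, 800.0, 10.0],      # small interactive sessions
    [1.2, 520.0, 790.0, 11.0],
    [0.9, 480.0, 810.0, 9.0],
    [1.1, 510.0, 805.0, 10.0],
    [1.0, None, 795.0, 10.0],       # missing fwd_bytes, otherwise an interactive session
    [30.0, 20000.0, 50.0, 400.0],   # legitimate bulk uploads
    [31.0, 21000.0, 55.0, 410.0],
    [29.0, 19500.0, 60.0, 395.0],
    [30.5, 20500.0, 52.0, 405.0],
    [30.0, 20200.0, None, 402.0],   # missing bwd_bytes, otherwise a bulk upload
    [5.0, 90000.0, 40.0, 4000.0],   # isolated flood-like flow that fits neither pattern
]


def euclid(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(rows: List[List[float]], k: int, iters: int = 50) -> List[List[float]]:
    """Lloyd's K-Means with deterministic farthest-point initialisation."""
    centers = [rows[0]]
    while len(centers) < k:
        centers.append(max(rows, key=lambda r: min(euclid(r, c) for c in centers)))
    for _ in range(iters):
        groups: List[List[List[float]]] = [[] for _ in range(k)]
        for r in rows:
            groups[min(range(k), key=lambda i: euclid(r, centers[i]))].append(r)
        new = [[sum(col) / len(col) for col in zip(*g)] if g else centers[i]
               for i, g in enumerate(groups)]
        if new == centers:          # assignments stable -> converged
            break
        centers = new
    return centers


def impute_with_centers(rows: List[Row], centers: List[List[float]]) -> List[List[float]]:
    """Fill each None with the same attribute of the nearest cluster center,
    measuring nearness only over the attributes the row actually has."""
    out = []
    for r in rows:
        if None not in r:
            out.append([float(v) for v in r])  # type: ignore[arg-type]
            continue
        dims = [i for i, v in enumerate(r) if v is not None]
        best = min(centers, key=lambda c: math.sqrt(sum((r[i] - c[i]) ** 2 for i in dims)))
        out.append([best[i] if v is None else v for i, v in enumerate(r)])
    return out


def lof_scores(points: List[List[float]], k: int) -> List[float]:
    """Local Outlier Factor: ratio of the neighbours' local reachability
    density to the point's own. Roughly 1 inside a cluster, >> 1 for a point
    whose neighbourhood is much sparser than its neighbours' neighbourhoods."""
    n = len(points)
    dist = [[euclid(points[i], points[j]) for j in range(n)] for i in range(n)]
    neigh, kdist = [], []
    for i in range(n):
        order = sorted((j for j in range(n) if j != i), key=lambda j: dist[i][j])
        neigh.append(order[:k])              # k nearest neighbours (ties cut at k)
        kdist.append(dist[i][order[k - 1]])  # k-distance of point i

    def reach(i: int, j: int) -> float:      # reachability distance of i from j
        return max(kdist[j], dist[i][j])

    lrd = []
    for i in range(n):
        total = sum(reach(i, j) for j in neigh[i])
        lrd.append(float("inf") if total == 0 else len(neigh[i]) / total)  # duplicate points
    return [sum(lrd[j] for j in neigh[i]) / len(neigh[i]) / lrd[i] for i in range(n)]


def detect_abnormal_flows(flows: List[Row], k_clusters: int = 3, k_neighbors: int = 3,
                          threshold: float = 2.0):
    """Returns (imputed rows, LOF score per row, indices of flows above threshold)."""
    complete = [[float(v) for v in r] for r in flows if None not in r]  # type: ignore[arg-type]
    centers = kmeans(complete, k_clusters)
    imputed = impute_with_centers(flows, centers)
    scores = lof_scores(imputed, k_neighbors)
    flagged = [i for i, s in enumerate(scores) if s > threshold]
    return imputed, scores, flagged


if __name__ == "__main__":
    rows, scores, flagged = detect_abnormal_flows(FLOWS)
    for i, (row, s) in enumerate(zip(rows, scores)):
        print(f"flow {i:2d} {row} LOF={s:8.2f} {'ABNORMAL' if i in flagged else ''}")
```

With the constructed rows, the two imputed flows land inside their respective clusters (the missing fwd_bytes is filled with the interactive-session center, the missing bwd_bytes with the bulk-upload center), both clusters score near 1, and only the flood-like flow scores far above the threshold. Because LOF compares densities locally, a point sitting beside a dense cluster and one sitting beside a sparse cluster are judged by their own neighbourhoods, which is the local-anomaly sensitivity the abstract is after; the threshold is a tuning choice that trades false alarms against missed detections.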
