基于多尺度特征的网络流量异常检测方法

doi:10.11959/j.issn.1000-436x.2022195

通信学报 ›› 2022, Vol. 43 ›› Issue (10): 65-76.doi: 10.11959/j.issn.1000-436x.2022195

基于多尺度特征的网络流量异常检测方法

段雪源¹^,²^,³, 付钰¹, 王坤¹^,⁴, 刘涛涛¹, 李彬¹

¹ 海军工程大学信息安全系，湖北武汉 430033
² 信阳师范学院计算机与信息技术学院，河南信阳 464000
³ 信阳师范学院河南省教育大数据分析与应用重点实验室，河南信阳 464000
⁴ 信阳职业技术学院数学与信息工程学院，河南信阳 464000

修回日期:2022-09-27 出版日期:2022-10-25 发布日期:2022-10-01
作者简介:段雪源（1981− ），男，河南开封人，海军工程大学博士生，主要研究方向为人工智能、信息处理、网络安全
付钰（1982− ），女，湖北武汉人，博士，海军工程大学教授、博士生导师，主要研究方向为信息安全、人工智能
王坤（1981− ），女，河南信阳人，海军工程大学博士生，主要研究方向为信息安全
刘涛涛（1996− ），男，江西吉水人，海军工程大学博士生，主要研究方向为网络安全、网络信息对抗
李彬（1998− ），男，湖南娄底人，海军工程大学硕士生，主要研究方向为信息安全、人工智能
基金资助:
国家重点研发计划基金资助项目(2018YFB0804104)

Network traffic anomaly detection method based on multi-scale characteristic

Xueyuan DUAN¹^,²^,³, Yu FU¹, Kun WANG¹^,⁴, Taotao LIU¹, Bin LI¹

¹ Department of Information Security, Naval University of Engineering, Wuhan 430033, China
² College of Computer and Information Technology, Xinyang Normal University, Xinyang 464000, China
³ Henan Key Laboratory of Analysis and Applications of Education Big Data, Xinyang Normal University, Xinyang 464000, China
⁴ School of Mathematics and Information Engineering, Xinyang Vocational and Technical College, Xinyang 464000, China

Revised:2022-09-27 Online:2022-10-25 Published:2022-10-01
Supported by:
The National Key Research and Development Program of China(2018YFB0804104)

摘要/Abstract

摘要：

摘要：针对传统的网络流量异常检测方法大都只关注流量数据的细粒度特征，对多尺度特征信息利用不充分，可能导致异常检测结果准确率不高的问题，提出了一种基于多尺度特征的网络流量异常检测方法。使用多个不同尺度的滑动窗口将原始流量划分为多个观察跨度的子序列，利用小波变换技术重构各个子序列的多层级序列，链式 SAE 通过特征空间映射生成多层级重构序列，各层级的分类器根据重构序列的误差进行异常的初步判定，采用加权投票策略对各层级的初步判定结果进行汇总，形成最终结果判定。实验结果表明，所提方法可有效挖掘网络流量的多尺度特征信息，对异常流量的检测性能较传统方法有明显提升。

关键词: 网络流量, 异常检测, 多尺度特征, 小波变换

Abstract:

Aiming at the problem that most of the traditional network traffic anomaly detection methods only pay attention to the fine-grained features of traffic data, and make insufficient use of multi-scale feature information, which may lead to low accuracy of anomaly detection results, a network traffic anomaly detection method based on multi-scale features was proposed.The original traffic was divided into sub-sequences with multiple observation spans by using multiple sliding windows of different scales, and the multi-level sequences of each sub-sequence were reconstructed by wavelet transform technology.Multi-level reconstructed sequences were generated by Chain SAE through feature space mapping, and a preliminary judgment of abnormality was made by the classifiers of each level according to the errors of the reconstructed sequences.The weighted voting strategy was adopted to summarize the preliminary judgment results of each level to form the final result judgment.Experimental results show that the proposed method can effectively mine the multi-scale feature information of network traffic, and the detection performance of abnormal traffic is obviously improved compared with traditional methods.

Key words: network traffic, anomaly detection, multi-scale characteristic, wavelet transformation

中图分类号:

TP391

段雪源, 付钰, 王坤, 刘涛涛, 李彬. 基于多尺度特征的网络流量异常检测方法[J]. 通信学报, 2022, 43(10): 65-76.

Xueyuan DUAN, Yu FU, Kun WANG, Taotao LIU, Bin LI. Network traffic anomaly detection method based on multi-scale characteristic[J]. Journal on Communications, 2022, 43(10): 65-76.

图/表 13

图1

图2

图3

图4

表1

表2

表3

表4

表5

图5

图6

表6

表7

参考文献 31

[1]	YUAN X Y , HE P , ZHU Q L ,et al. Adversarial examples:attacks and defenses for deep learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,30(9): 2805-2824.
[2]	张成磊, 付玉龙, 李晖 ,等. 6G 网络安全场景分析及安全模型研究[J]. 网络与信息安全学报, 2021,7(1): 28-45.
	ZHANG C L , FU Y L , LI H ,et al. Research on security scenarios and security models for 6G networking[J]. Chinese Journal of Network and Information Security, 2021,7(1): 28-45.
[3]	AL-SANJARY O I , ROSLAN M A B , HELMI R A A ,et al. Comparison and detection analysis of network traffic datasets using K-means clustering algorithm[J]. Journal of Information ＆ Knowledge Management, 2020,19(3): 2050026.
[4]	PARMAR N , SHARMA A , JAIN H ,et al. Email spam detection using nave Bayes and particle swarm optimization[J]. 2020,6(10): 367-373.
[5]	李洪成, 吴晓平, 姜洪海 . 基于改进聚类分析的网络流量异常检测方法[J]. 网络与信息安全学报, 2015,1(1): 66-71.
	LI H C , WU X P , JIANG H H . Traffic anomaly detection method in networks based on improved clustering algorithm[J]. Chinese Journal of Network and Information Security, 2015,1(1): 66-71.
[6]	VIJAYANAND R , DEVARAJ D , KANNAPIRAN B . Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid[C]// Proceedings of 4th International Conference on Advanced Computing and Communication Systems. Piscataway:IEEE Press, 2017: 1-7.
[7]	DA T , QU Y R , PRASANNA V K . Accelerating decision tree based traffic classification on FPGA and multicore platforms[J]. IEEE Transactions on Parallel and Distributed Systems, 2017,28(11): 3046-3059.
[8]	JAIN M , KAUR G , SAXENA V . A K-Means clustering and SVM based hybrid concept drift detection technique for network anomaly detection[J]. Expert Systems with Applications, 2022,193:116510.
[9]	KHAN M , WANG H Z , RIAZ A ,et al. Bidirectional LSTM-RNNbased hybrid deep learning frameworks for univariate time series classification[J]. The Journal of Supercomputing, 2021,77(7): 7021-7045.
[10]	GOODFELLOW I , BENGIO Y , et al . Deep learning[M]. Cambridge: MIT Press, 2016.
[11]	GOODFELLOW I J , POUGET-ABADIE J , MIRZA M ,et al. Generative adversarial nets[C]// Proceedings of the 27th International Conference on Neural Information Processing Systems. Massachusetts:MIT Press, 2014: 2672-2680.
[12]	KINGMA D P , WELLING M . Auto-encoding variational Bayes[J]. Statistics, 2014,10: 1-14.
[13]	BRYNIELSSON J , SHARMA R . Detectability of low-rate HTTP server DoS attacks using spectral analysis[C]// Proceedings of IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining. Piscataway:IEEE Press, 2015: 954-961.
[14]	何炎祥, 曹强, 刘陶 ,等. 一种基于小波特征提取的低速率DoS检测方法[J]. 软件学报, 2009,20(4): 930-941.
	HE Y X , CAO Q , LIU T ,et al. A low-rate DoS detection method based on feature extraction using wavelet transform[J]. Journal of Software, 2009,20(4): 930-941.
[15]	CHENG M , LI Q , LV J M ,et al. Multi-scale LSTM model for BGP anomaly classification[J]. IEEE Transactions on Services Computing, 2021,14(3): 765-778.
[16]	WANG J Y , WANG Z , LI J F ,et al. Multilevel wavelet decomposition network for interpretable time series analysis[C]// Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery ＆ Data Mining. New York:ACM Press, 2018: 2437-2446.
[17]	FOULADI R F , ERMI? O , ANARIM E . A DDoS attack detection and countermeasure scheme based on DWT and auto-encoder neural network for SDN[J]. Computer Networks, 2022,214:109140.
[18]	ALBAHAR M A . Recurrent neural network model based on a new regularization technique for real-time intrusion detection in SDN environments[J]. Security and Communication Networks, 2019,2019: 1-9.
[19]	PEI J M , ZHONG K Y , JAN M A ,et al. Personalized federated learning framework for network traffic anomaly detection[J]. Computer Networks, 2022,209:108906.
[20]	ZONG B , SONG Q , MIN M R ,et al. Deep autoencoding gaussian mixture model for unsupervised anomaly detection[C]// Proceedings of International Conference on Learning Representations. Vancouver:ICLR Press, 2018: 1-19.
[21]	YANG D H , HWANG M . Unsupervised and ensemble-based anomaly detection method for network security[C]// Proceedings of14th International Conference on Knowledge and Smart Technology. Piscataway:IEEE Press, 2022: 75-79.
[22]	GEIGER A , LIU D Y , ALNEGHEIMISH S ,et al. TadGAN:time series anomaly detection using generative adversarial networks[C]// Proceedings of IEEE International Conference on Big Data (Big Data). Piscataway:IEEE Press, 2020: 33-43.
[23]	PATIL R , BIRADAR R , RAVI V ,et al. Network traffic anomaly detection using PCA and BiGAN[J]. Internet Technology Letters, 2022,5(1): e235.
[24]	邹福泰, 谭越, 王林 ,等. 基于生成对抗网络的僵尸网络检测[J]. 通信学报, 2021,42(7): 95-106.
	ZOU F T , TAN Y , WANG L ,et al. Botnet detection based on generative adversarial network[J]. Journal on Communications, 2021,42(7): 95-106.
[25]	CHEN X H , DENG L W , HUANG F T ,et al. DAEMON:unsupervised anomaly detection and interpretation for multivariate time series[C]// Proceedings of IEEE 37th International Conference on Data Engineering. Piscataway:IEEE Press, 2021: 2225-2230.
[26]	麻文刚, 张亚东, 郭进 . 基于LSTM与改进残差网络优化的异常流量检测方法[J]. 通信学报, 2021,42(5): 23-40.
	MA W G , ZHANG Y D , GUO J . Abnormal traffic detection method based on LSTM and improved residual neural network optimization[J]. Journal on Communications, 2021,42(5): 23-40.
[27]	CHOUHAN N , KHAN A , KHAN H U R . Network anomaly detection using channel boosted and residual learning based deep convolutional neural network[J]. Applied Soft Computing, 2019,83:105612.
[28]	YANG S , . Anomaly traffic detection based on LSTM[C]// Proceedings of IEEE 10th Joint International Information Technology and Artificial Intelligence Conference. Piscataway:IEEE Press, 2022: 667-670.
[29]	ULLAH I , MAHMOUD Q H . Design and development of RNN anomaly detection model for IoT networks[J]. IEEE Access, 2022,10: 62722-62750.
[30]	SUGIARTAWAN P , PULUNGAN R , KARTIKA A . Prediction by a hybrid of wavelet transform and long-short-term-memory neural network[J]. International Journal of Advanced Computer Science and Applications, 2017,8(2): 326-332.
[31]	CHEN J L , LI Z P , PAN J ,et al. Wavelet transform based on inner product in fault diagnosis of rotating machinery:a review[J]. Mechanical Systems and Signal Processing, 2016,70/71: 1-35.

真实分类结果	预测为正	预测为负
真实为正	TP	FN
真实为负	FP	TN

数据集	数据子集	样本总数/个	正常样本数/个	异常样本数/个	特征数/个
KDD99	10_percent_corrected	494 021	97 278	396 743	41
	corrected	253 727	26 053	227 674	41
NSL-KDD	NSL-KDD-Train+	25 191	13 448	11 743	41
	NSL-KDD-Test+	22 543	9 711	12 832	41
UNSW-NB15	NB15_training-set	82 332	37 000	45 332	49
	NB15_testing-set	175 341	56 000	119 341	49
CIC-IDS2018	CIC-IDS2018-train	198 675	142 822	55 853	79
	CIC-IDS2018-test	132 425	95 215	37 210	79

数据集	数据子集	样本总数/个	正常样本数/个	异常样本数/个
	训练集	49 332	49 332	—
KDD99	验证集	433 742	36 999	396 743
	测试集	264 672	36 998	227 674
	训练集	9 264	9 264	—
NSL-KDD	验证集	18 691	6 948	117 43
	测试集	19 780	6 948	12 832
	训练集	37 200	37 200	—
UNSW-NB15	验证集	73 233	27 901	45 332
	测试集	147 241	27 900	119 341
	训练集	95 215	95 215	—
CIC-IDS2018	验证集	127 264	71 411	55 853
	测试集	108 621	71 411	37 210

自编码器	输入尺寸	输出尺寸
编码器层1	150	110
编码器层2	110	90
编码器层3	90	64
解码器层1	64	90
解码器层2	90	110
解码器层3	110	150

测试序号	准确率	精确率	召回率	误报率	F1值
1	0.900 6	0.915 0	0.948 9	0.049 2	0.931 6
2	0.902 1	0.918 0	0.948 1	0.050 3	0.932 8
3	0.908 5	0.932 2	0.943 5	0.055 8	0.937 8
4	0.919 7	0.942 3	0.948 9	0.050 8	0.945 6
5	0.919 4	0.942 4	0.948 4	0.051 3	0.945 4
平均	0.910 1	0.929 9	0.947 6	0.051 5	0.938 6

基于多尺度特征的网络流量异常检测方法

Network traffic anomaly detection method based on multi-scale characteristic

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 31

相关文章 15

Metrics

推荐阅读 0

模型	数据集	精确率	召回率	F1值
	KDD99	0.788 5	0.778 6	0.783 5
	NSL-KDD	0.834 3	0.887 1	0.859 9
Tad-GAN	UNSW-NB15	0.868 1	0.899 1	0.883 3
	CIC-IDS2018	0.838 9	0.822 1	0.830 4
	平均	0.832 5	0.846 7	0.839 3
	KDD99	0.929 7	0.944 2	0.936 9
	NSL-KDD	0.864 2	0.855 3	0.859 7
DAGMM	UNSW-NB15	0.856 7	0.836 9	0.846 7
	CIC-IDS2018	0.840 3	0.846 4	0.843 3
	平均	0.858 9	0.857 4	0.858 1
	KDD99	0.847 9	0.823 7	0.835 6
	NSL-KDD	0.894 3	0.896 1	0.895 2
CBR-CNN	UNSW-NB15	0.888 9	0.902 3	0.895 5
	CIC-IDS2018	0.778 4	0.800 8	0.789 4
	平均	0.852 4	0.855 7	0.854 0
	KDD99	0.922 3	0.948 9	0.935 4
	NSL-KDD	0.946 1	0.950 6	0.948 3
MFC	UNSW-NB15	0.890 3	0.906 8	0.898 5
	CIC-IDS2018	0.849 2	0.865 4	0.857 2
	平均	0.879 5	0.904 3	0.891 6

[1]	魏德宾, 潘成胜, 杨力, 颜佐任. 基于网络流量水平等级预测的自适应随机早期检测算法[J]. 通信学报, 2023, 44(6): 154-166.
[2]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊, 周永良, 马佳利. 基于对比增量学习的细粒度恶意流量分类方法[J]. 通信学报, 2023, 44(3): 1-11.
[3]	霍纬纲, 梁锐, 李永华. 基于随机Transformer的多维时间序列异常检测模型[J]. 通信学报, 2023, 44(2): 94-103.
[4]	廖建新, 付霄元, 戚琦, 王敬宇, 孙海峰. 6G-ADM：基于知识空间的6G网络管控体系[J]. 通信学报, 2022, 43(6): 3-15.
[5]	段雪源, 付钰, 王坤. 基于VAE-WGAN的多维时间序列异常检测方法[J]. 通信学报, 2022, 43(3): 1-13.
[6]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[7]	孙海丽, 龙翔, 韩兰胜, 黄炎, 李清波. 工业物联网异常检测技术综述[J]. 通信学报, 2022, 43(3): 196-210.
[8]	龙华, 黄张衡, 邵玉斌, 杜庆治, 苏树盟. 基于改进CFCC特征提取的语种识别算法研究[J]. 通信学报, 2022, 43(12): 211-221.
[9]	陈卓, 朱淼, 杜军威. 基于多视角图神经网络的欺诈检测算法[J]. 通信学报, 2022, 43(11): 225-232.
[10]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊. 基于对比学习的细粒度未知恶意流量分类方法[J]. 通信学报, 2022, 43(10): 12-25.
[11]	朱会娟, 陈锦富, 李致远, 殷尚男. 基于多特征自适应融合的区块链异常交易检测方法[J]. 通信学报, 2021, 42(5): 41-50.
[12]	胡永进,郭渊博,马骏,张晗,毛秀青. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020, 41(9): 59-70.
[13]	陈铁明,金成强,吕明琪,朱添田. 基于样本增强的网络恶意流量智能检测方法[J]. 通信学报, 2020, 41(6): 128-138.
[14]	戚琦,申润业,王敬宇. GAD：基于拓扑感知的时间序列异常检测[J]. 通信学报, 2020, 41(6): 152-160.
[15]	魏德宾,沈婷,杨力,戚耀文. 基于自相似流量水平分级预测的网络队列调度算法[J]. 通信学报, 2020, 41(4): 182-189.