多维多层次网络流量异常检测研究
Anomaly Detection Using Multi-Level and Multi-Dimensional Analyzing of Network Traffic
-
摘要: 随着网络攻击种类和数量的增加以及网络带宽的不断增大,网络流量异常检测系统面临着误报率高和漏报率高的问题.针对该问题,首先对采集到的网络流量数据进行多维多层次在线联机分析,通过构建检测立方体数据结构并在检测立方体上针对异常检测的应用特征提出了一系列优化策略,采用最小生成树对多维度上的多查询进行优化,采用异常驱动的方法动态设定聚集的层次,来有效降低在线联机分析的时间和空间复杂度;然后在联机分析计算结果的基础上采用熵对多维多层次流量数据分布特征进行度量,获得流量数据在各个维度上的熵值序列;最后采用一类支持向量机对多维熵值序列进行分类,达到高效准确检测异常的目的.在大量实际网络流量数据集上对所提方法进行了验证并和已有方法进行了对比实验,取得了较好的实验效果.Abstract: With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. Firstly, we use multi-level and multi-dimensional online OLAP method to analyse traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Secondly, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multi-dimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.