自注意力的多特征网络流量异常检测与分类

doi:10.3969/j.issn.1000-5641.2021.06.016

摘要/Abstract

摘要：

基于特征选择的网络流量异常检测引起了人们广泛的研究兴趣. 现有的方案大多通过简单降低流量数据的维度来检测异常, 却忽略了数据特征之间的相关性, 导致异常流量检测效率低下. 为了有效识别各种类型的攻击, 首先提出了一种自注意力机制模型来学习网络流量数据多个特征之间的相关性. 然后, 设计了一种新型的多特征异常流量检测和分类模型, 该模型分析了异常流量数据中多特征之间的相关性, 达到检测与识别异常网络流量的目的. 实验结果表明, 与两种基准方法相比, 所提出的技术将异常检测和分类的准确率提高了1.65%, 并将误报率降低了1.1%.

关键词: 网络异常检测, 网络异常分类, 自注意力, 特征选择, 多特征相关性

Abstract:

Network traffic anomaly detection based on feature selection has attracted great research interest. Most existing schemes detect anomalies by reducing the dimensionality of traffic data, but ignore the correlation between data features; this results in inefficient detection of anomaly traffic. In order to effectively identify various types of attacks, a model based on a self-attentive mechanism is proposed to learn the correlation between multiple features of network traffic data. Then, a novel multi-feature anomalous traffic detection and classification model is designed, which analyzes the correlation between multiple features of the anomalous traffic data and subsequently identifies anomalous network traffic. Experimental results show that, compared to two benchmark methods, the proposed technique increased the accuracy of anomaly detection and classification by a maximum of 1.65% and reduced the false alarm rate by 1.1%.

Key words: network anomaly detection, network anomaly classification, self-attention, feature selection, multi-feature correlation

中图分类号:

TP393

皇甫雨婷, 李丽颖, 王海洲, 沈富可, 魏同权. 自注意力的多特征网络流量异常检测与分类[J]. 华东师范大学学报（自然科学版）, 2021, 2021(6): 161-173.

Yuting HUANGFU, Liying LI, Haizhou WANG, Fuke SHEN, Tongquan WEI. Enabling self-attention based multi-feature anomaly detection and classification of network traffic[J]. Journal of East China Normal University(Natural Science), 2021, 2021(6): 161-173.

图/表 11

图1

图2

图3

表1

表2

图4

图5

图6

表3

图7

图8

参考文献 23

1	CHANDOLA V, BANERJEE A, KUMAR V. Anomaly detection: A survey. ACM Computing Surveys, 2009, 41 (3): 15.
2	GARG S, SINGH A, BATRA S, et al. EnClass: Ensemble-based classification model for network anomaly detection in massive datasets [C]// 2017 IEEE Global Communications Conference. IEEE, 2017. DOI: 10.1109/GLOCOM.2017.8255025.
3	LIMTHONG K, TAWSOOK T. Network traffic anomaly detection using machine learning approaches [C]// Network Operations and Management Symposium. IEEE, 2012: 542-545.
4	PACHECO F, EXPOSITO E, GINESTE M, et al. Towards the deployment of machine learning solutions in network traffic classification: A aystematic survey. IEEE Communications Surveys and Tutorials, 2019, 21 (2): 1988- 2014. doi: 10.1109/COMST.2018.2883147
5	SHEEN S, RAJESH R. Network intrusion detection using feature selection and decision tree classifier [C]// 2008 IEEE Region 10 Conference. IEEE, 2008. DOI: 10.1109/TENCON.2008.4766847.
6	KUANG F, XU W, ZHANG S. A novel hybrid KPCA and SVM with GA model for intrusion detection. Applied Soft Computing Archive, 2014, (18): 178- 184.
7	FARNAAZ N, JABBAR M A. Random forest modeling for network intrusion detection system. Procedia Computer Science, 2016, (89): 213- 217.
8	WU G, ZHAO Z, FU G, et al. A fast kNN-based approach for time sensitive anomaly detection over data streams [C]// International Conference on Computational Science. 2019: 59-74.
9	GUMUSBAS D, YILDIRIM T, GENOVESE A, et al. A comprehensive survey of databases and deep learning methods for cybersecurity and intrusion detection systems. IEEE Systems Journal, 2021, 15 (2): 1717- 1731. doi: 10.1109/JSYST.2020.2992966
10	WANG W, ZHU M, WANG J, et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks [C]// 2017 IEEE International Conference on Intelligence and Security Informatics. IEEE, 2017: 43-48.
11	NGUYEN T T T, ARMITAGE G. A survey of techniques for internet traffic classification using machine learning [C]// IEEE Communications Surveys and Tutorials. IEEE, 2008: 56-76.
12	YIN C, ZHU Y, FEI J, et al. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access, 2017, (5): 21954- 21961.
13	HOCHREITER S. The vanishing gradient problem during learning recurrent neural nets and problem solutions. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 1998, 6 (2): 107- 116. doi: 10.1142/S0218488598000094
14	ZENG Y, GU H, WEI W, et al. Deep-full-range: A deep learning based network encrypted traffic classification and intrusion detection framework. IEEE Access, 2019, (7): 45182- 45190.
15	WANG S, XIA C, WANG T. A novel intrusion detector based on deep learning hybrid methods [C]// 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). IEEE, 2019: 300-305.
16	KIM T, SUH S C, KIM H, et al. An encoding technique for CNN-based network anomaly detection [C]// 2018 IEEE International Conference on Big Data. IEEE, 2018: 2960-2965.
17	SMAGULOVA K, JAMES A P. A survey on LSTM memristive neural network architectures and applications [J]. The European Physical Journal Special Topics, 2019, 228(10): 2313–2324.
18	RUI T, ZOU J, ZHOU Y, et al. Convolutional neural network simplification based on feature maps selection [C]// 2016 IEEE 22nd International Conference on Parallel and Distributed Systems. IEEE, 2016: 1207-1210.
19	SINDAGI V A, PATEL V M. A survey of recent advances in CNN-based single image crowd counting and density estimation. Pattern Recognition Letters, 2018, 107 (1): 3- 16.
20	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need [C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 5998-6008.
21	WU X, CAI Y, LI Q, et al. Combining contextual information by self-attention mechanism in convolutional neural networks for text classification [C]// International Conference on Web Information Systems Engineering. 2018: 453-467.
22	CAI N, MA C, WANG W, et al. Effective self-attention modeling for aspect based sentiment analysis [C]// International Conference on Computational Science. 2019: 3-14.
23	ZHU M, YE K, WANG Y, et al. A deep learning approach for network anomaly detection based on AMF-LSTM [C]// IFIP International Conference on Network and Parallel Computing. 2018: 137-141.

标签	原始数量/万	在原始数据集中所占百分比/%	采样后数量/万	采样后在数据集中所占百分比/%
BENIGN	80.00	59.25	1.00	16.67
Botnet	0.19	0.13	0.50	8.33
WebAttack	0.21	0.16	0.50	8.33
DDoS	12.00	8.88	1.00	16.67
DoS	25.00	18.51	1.00	16.67
Patator	1.30	0.96	1.00	16.67
PortScan	15.00	11.11	1.00	16.67

真实预测	true	false
positive	TP	FP
negative	FN	TN

数据集	精确率/%		召回率/%		$ {F}_{1} $ 值		准确率/%
数据集	LSTM	Proposed	LSTM	Proposed	LSTM	Proposed	LSTM	Proposed
$ {S}_{1} $	73.68	98.97	75.54	97.83	74.62	98.15	75.96	98.73
$ {S}_{2} $	73.18	98.62	74.23	97.36	74.12	97.95	73.18	98.35
$ {S}_{3} $	76.16	98.43	76.72	98.35	75.82	98.39	76.23	98.37
$ {S}_{4} $	68.34	98.13	70.39	97.53	69.03	97.91	78.42	98.45
$ {S}_{5} $	56.31	98.21	59.73	98.68	58.28	98.42	74.73	98.69
$ {S}_{6} $	65.29	98.87	68.62	97.83	67.19	98.91	70.25	98.65

[1]	黄奇文, 李丽颖, 沈富可, 魏同权. 基于集成特征选择的网络异常流量检测[J]. 华东师范大学学报（自然科学版）, 2021, 2021(6): 100-111.
[2]	傅裕, 李优, 林煜明, 周娅. 基于自注意力机制的冗长商品名称精简方法[J]. 华东师范大学学报(自然科学版), 2019, 2019(5): 113-122,167.