Journal of Tsinghua University (Science and Technology)  2022, Vol. 62 Issue (5): 819-824    DOI: 10.16511/j.cnki.qhdxxb.2021.21.045
Special Section: Vulnerability Analysis and Risk Assessment
Unsupervised network traffic anomaly detection based on score iterations
PING Guolou, ZENG Tingyu, YE Xiaojun
School of Software, Tsinghua University, Beijing 100084, China
Abstract: Network traffic anomaly detection is limited by the lack of annotation information in the traffic. This paper presents an unsupervised anomaly detection method based on score iterations that overcomes this limitation. An autoencoder-based anomaly score iteration process was designed to learn generic anomaly features to determine an initial anomaly score. A deep ordinal regression model-based anomaly score iteration process was then designed to learn discriminative anomaly features to further improve the anomaly score accuracy. Deep models, multi-view features and ensemble learning are also used to improve the detection accuracy. Tests on several datasets show that this method has significant advantages over other methods in the absence of annotation information and can be effectively applied to network traffic anomaly detection.
Key words: computer networks; anomaly scores; unsupervised; autoencoder; deep ordinal regression model; ensemble learning
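Received: 2021-09-03      Published: 2022-04-26
Funding: Supported by the National Key Research and Development Program of China (20201250027)
Corresponding author: YE Xiaojun, Professor, E-mail: yexj@tsinghua.edu.cn
About the author: PING Guolou (born 1992), male, Ph.D. candidate.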
Cite this article:
PING Guolou, ZENG Tingyu, YE Xiaojun. Unsupervised network traffic anomaly detection based on score iterations. Journal of Tsinghua University (Science and Technology), 2022, 62(5): 819-824.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2021.21.045  or  http://jst.tsinghuajournals.com/CN/Y2022/V62/I5/819