
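Network Anomaly Detection Algorithm Based on the Lindeberg-Feller Theorem
Cite this article: HE Liang, WANG Yongcheng, LI Yun, CHU Yanjie, SHEN Chao. Network Anomaly Detection Algorithm Based on the Lindeberg-Feller Theorem[J]. Computer Engineering and Applications, 2019, 55(4): 41-47.
Authors: HE Liang (贺亮), WANG Yongcheng (王永程), LI Yun (李赟), CHU Yanjie (褚衍杰), SHEN Chao (沈超)
Affiliations: Key Laboratory of Blind Signal Processing, Chengdu 610041; MOE Key Laboratory for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an 710049
Funding: National Natural Science Foundation of China; National Natural Science Foundation of China
Abstract: In network operations and maintenance management, network anomalies need to be detected and flagged promptly. Anomalous events are rare compared with normal data, which makes them hard to treat as a binary classification problem. Anomalous events are also highly varied, with no uniform pattern or regularity. It is therefore necessary to model normal network data and to decide whether an anomalous event has occurred from how far the data under test deviates from the normal data. By modeling and analyzing normal data, and taking the Lindeberg-Feller central limit theorem as the basis, a suitable hypothesis-test statistic is designed; the anomaly decision is made according to whether the test statistic computed from the data under test falls in the rejection region corresponding to the confidence level. Finally, simulation experiments demonstrate the principle of the algorithm, and its detection performance is reported on public and real-world datasets; once reasonable parameters corresponding to the anomalous events are selected, the recall for anomalous events can exceed 90%.

Keywords: anomaly detection; generative adversarial networks; Lindeberg-Feller central limit theorem; hypothesis testing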

Network Anomaly Detection Algorithm Based on Lindeberg-Feller Central Limit Theorem
HE Liang, WANG Yongcheng, LI Yun, CHU Yanjie, SHEN Chao. Network Anomaly Detection Algorithm Based on Lindeberg-Feller Central Limit Theorem[J]. Computer Engineering and Applications, 2019, 55(4): 41-47.
Authors: HE Liang, WANG Yongcheng, LI Yun, CHU Yanjie, SHEN Chao
Affiliation: 1. National Key Lab of Science and Technology on Blind Signal Processing, Chengdu 610041, China; 2. MOE Key Lab for Intelligent Networks and Network Security, Xi’an Jiaotong University, Xi’an 710049, China
Abstract: In network operation and maintenance, detecting and flagging network anomalies in time attracts much attention. Anomalous events are far fewer in a dataset than normal ones, so the imbalance between data labeled normal and data labeled anomalous makes it difficult to use two-class classification for anomaly detection. Meanwhile, anomalous events take various patterns and there is little prior information about the anomalies that users are concerned with. It is therefore necessary to model the normal data and detect anomalies by comparing the received data with the normal model. Based on the Lindeberg-Feller central limit theorem, a hypothesis test is designed to decide whether the data to be tested is anomalous, according to the rejection region calculated from the confidence parameter. Finally, the principle of the algorithm is demonstrated by simulation, and its performance is tested on both public and actual datasets. When users take the correlation features of the anomalous events as the algorithm input, the recall ratio reaches 90%.
Keywords: anomaly detection; generative adversarial networks; Lindeberg-Feller central limit theorem; hypothesis test
This article is indexed in databases including VIP (维普) and Wanfang Data (万方数据).