
Anomaly Traffic Detection Method Based on Multi-scale Feature Fusion
Cite this article: CHEN Hong-chang, CHENG Guo-zhen, YI Peng. Anomaly Traffic Detection Method Based on Multi-scale Feature Fusion [J]. Computer Science, 2012, 39(2): 42-46.
Authors: CHEN Hong-chang  CHENG Guo-zhen  YI Peng
Affiliation: National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002
Funding: National High Technology Research and Development Program; National Eleventh Five-Year Science and Technology Support Program
Abstract: Detecting anomalies quickly and accurately is an important guarantee of network security. However, because network traffic is nonlinear, nonstationary and self-similar, anomaly traffic detection suffers from high false-alarm rates, low detection rates and an inability to meet the real-time requirements of backbone networks. The proposed method combines the Hilbert-Huang Transform (HHT) with the Dempster-Shafer (D-S) evidence theory evaluation framework. The former decomposes each flow feature into Intrinsic Mode Functions (IMFs) on multiple time scales, filtering out the nonlinear and nonstationary components of the features; the latter treats the multi-scale features produced by the decomposition as evidence, fuses them and makes the final decision. Experiments on the KDD CUP 1999 Intrusion Detection System (IDS) benchmark data show that the method effectively distinguishes bursty traffic (crowd flow) from Denial of Service (DoS) attack flows and achieves an overall detection rate of 85.1% while keeping the false-alarm rate low. The method has been implemented as a sub-module of an intrusion detection system and is being trialled for anomaly detection at the ingress of a backbone network.

Keywords: Anomaly detection  Denial of service attack  Hilbert-Huang transform  D-S evidence theory

Anomaly Traffic Detection Based on Multi-resolution Feature Fusion
CHEN Hong-chang, CHENG Guo-zhen, YI Peng. Anomaly Traffic Detection Based on Multi-resolution Feature Fusion [J]. Computer Science, 2012, 39(2): 42-46.
Authors:CHEN Hong-chang  CHENG Guo-zhen  YI Peng
Affiliation: National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China
Abstract: Detecting network traffic anomalies quickly and accurately plays a significant role in guaranteeing network security. However, because network traffic is nonlinear, nonstationary and self-similar, existing detectors have high false alarm rates and low detection rates and cannot perform real-time detection in the backbone well. To address this, we propose a novel multi-resolution fusion detection method that combines the Hilbert-Huang transform (HHT) with Dempster-Shafer (D-S) theory. The former decomposes traffic features on multiple time scales into intrinsic mode functions (IMFs) and effectively filters out nonlinear and nonstationary components; the latter fuses the multi-scale elements and makes a decision. On the KDD CUP 1999 intrusion detection system evaluation data set, the detector detects 85.1% of attacks at a low false alarm rate, which is better than related methods, and distinguishes DoS attacks from burst traffic. At present, the method has been implemented as a detector and runs in a backbone network.
Keywords:Anomaly detection  DoS  HHT  D-S theory
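The fusion step described in both abstracts, in which per-scale features are treated as evidence and combined with Dempster-Shafer theory before a decision is made, is shown below as an added worked example. This is not the paper's code: the paper does not specify how an IMF-band statistic is turned into a mass function, so `mass_from_score` is a hypothetical mapping (an assumption), and all evidence values are constructed. The block implements Dempster's rule of combination over the two-hypothesis frame {attack, normal}, folds it over evidence from several time scales, and uses the conflict mass K as the diagnostic that separates a consistent DoS signal from bursty traffic on which the scales disagree.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# Frame of discernment for one traffic window: the flow is an attack or it is normal.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # the whole frame: mass here is ignorance ("either")

Mass = Dict[FrozenSet[str], float]


def combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule of combination for two mass functions on the same frame.

    Returns the normalised combined mass function and the conflict K, the total
    product mass that landed on the empty set (mutually exclusive focal sets).
    """
    unnormalised: Mass = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if not inter:
            conflict += ma * mb
        else:
            unnormalised[inter] = unnormalised.get(inter, 0.0) + ma * mb
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the evidence cannot be combined")
    norm = 1.0 - conflict
    return {k: v / norm for k, v in unnormalised.items()}, conflict


def combine_all(masses: List[Mass]) -> Tuple[Mass, float]:
    """Fold Dempster's rule over evidence from several time scales (IMF bands).

    Also returns the largest pairwise conflict seen, which is the quantity a
    defender wants to watch: high K means the scales disagree.
    """
    fused = masses[0]
    worst_conflict = 0.0
    for m in masses[1:]:
        fused, k = combine(fused, m)
        worst_conflict = max(worst_conflict, k)
    return fused, worst_conflict


def belief(m: Mass, hypothesis: FrozenSet[str]) -> float:
    """Bel(H): mass on every non-empty subset of H."""
    return sum(v for k, v in m.items() if k and k <= hypothesis)


def plausibility(m: Mass, hypothesis: FrozenSet[str]) -> float:
    """Pl(H): mass on every focal set that intersects H."""
    return sum(v for k, v in m.items() if k & hypothesis)


def mass_from_score(score: float, confidence: float) -> Mass:
    """Hypothetical mapping (an assumption, not the paper's): an anomaly score in
    [0, 1] for one IMF band becomes a mass function, and the part of the unit mass
    not backed by confidence in that band is left as ignorance on THETA."""
    if not (0.0 <= score <= 1.0 and 0.0 <= confidence <= 1.0):
        raise ValueError("score and confidence must lie in [0, 1]")
    return {ATTACK: confidence * score,
            NORMAL: confidence * (1.0 - score),
            THETA: 1.0 - confidence}


def decide(m: Mass, threshold: float = 0.7) -> str:
    """Raise an alert only when belief in a singleton hypothesis clears the threshold."""
    if belief(m, ATTACK) >= threshold:
        return "attack"
    if belief(m, NORMAL) >= threshold:
        return "normal"
    return "uncertain"


def demo_dos() -> Tuple[Mass, float, str]:
    """Constructed evidence: three scales all lean towards 'attack' (a sustained DoS-like pattern)."""
    scales = [{ATTACK: 0.6, NORMAL: 0.1, THETA: 0.3},
              {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3},
              {ATTACK: 0.4, NORMAL: 0.3, THETA: 0.3}]
    fused, k = combine_all(scales)
    return fused, k, decide(fused)


def demo_burst() -> Tuple[Mass, float, str]:
    """Constructed evidence: the fine scale looks like an attack, the coarse scale looks normal
    (a short burst). The scales conflict heavily and no confident alert is raised."""
    scales = [mass_from_score(0.875, 0.8),   # fine scale: ATTACK 0.7, NORMAL 0.1, THETA 0.2
              mass_from_score(0.125, 0.8)]   # coarse scale: ATTACK 0.1, NORMAL 0.7, THETA 0.2
    fused, k = combine_all(scales)
    return fused, k, decide(fused)


if __name__ == "__main__":
    for name, fn in (("dos", demo_dos), ("burst", demo_burst)):
        fused, k, verdict = fn()
        print(f"{name}: Bel(attack)={belief(fused, ATTACK):.3f} "
              f"Pl(attack)={plausibility(fused, ATTACK):.3f} K={k:.3f} -> {verdict}")
```

The two scenarios are the abstract's distinction in miniature: a DoS-like pattern produces agreement across scales (low K, belief in "attack" above the threshold), while a burst produces evidence that cancels out (K = 0.5 and equal belief in both hypotheses), so the detector withholds the alert rather than contributing a false alarm.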
This article is indexed in CNKI, Wanfang Data and other databases.