Similar literature
Found 18 similar documents; search took 187 ms
1.
王尧  康戈文  王新珩 《硅谷》2008,(2):16-17
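Network traffic prediction at key network nodes is a very important part of network measurement and network behavior research. Measuring and predicting network traffic makes it possible to obtain future traffic trends and analyze changes in user behavior, to adjust current measures and network design, and to resolve abnormal network conditions. This article applies the GM(1,1,D) model from grey sequence prediction in grey theory to build a time-series model of the main network traffic of the School of Communication at the University of Electronic Science and Technology of China, a CERNET southwest node. The results show that the method is effective and feasible.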

2.
吴冰  云晓春  陈海永 《高技术通讯》2007,17(10):1007-1012
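Based on a study of two aspects, the volume of network traffic and the shape of the traffic curve, a statistics-based network traffic model is established and an algorithm for computing the network traffic curve under normal conditions is proposed. By comparing the gap between the normal and the abnormal network traffic curves, anomalous data flows are detected automatically. Experiments show that the model can not only simulate network traffic similar to measured network data but also has a certain ability to discover anomalous traffic.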

3.
李际磊 《硅谷》2014,(23):41-42
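Current intrusion detection systems (IDS) mainly use two analysis techniques: misuse detection and anomaly detection [1-2]. The shortcoming of misuse detection is that it cannot detect unknown anomalous behavior or malicious code. Anomaly-based intrusion detection does not need to know the characteristics of intrusion behavior in advance; it assumes that when a user system is attacked or intruded upon, it exhibits behavior that differs from usual, and uses this as the basis for detection. It has high detection efficiency, does not depend on a prior knowledge base, and can detect unknown anomalies. This paper proposes a detection method that determines anomalous network behavior through statistical analysis of factors such as IP, port, traffic, period, and time. Through algorithm optimization and experimental validation, the method achieves relatively high detection accuracy for common network behaviors such as DDoS attacks, worm scanning, and Trojan data theft.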

4.
黄惠 《中国测试》2012,(6):101-106
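Concrete network testing and analysis are carried out by setting network parameters, building a performance analysis model, adopting new network testing techniques, and using the open-source network testing software Cacti. A small backbone network is built to simulate a carrier's IP bearer network. At the core of the IP network, with the troubleshooting of a specific network fault as the analysis example, Cacti is used to monitor network traffic and analyze traffic graphs, together with performance testing and network performance bottleneck analysis; finally, relevant optimization solutions are proposed.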

5.
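ANFIDS: An Adaptive Intrusion Detection System Based on Fuzzy Neural Networks   Total citations: 1, self-citations: 0, citations by others: 1
Building on a study and analysis of existing network intrusion detection techniques, an adaptive intrusion detection system based on neural networks and fuzzy inference (ANFIDS) is proposed. The system uses fuzzy theory to fuzzify security parameters, so that it can better describe the relationship between network traffic characteristics and attacks and thus capture attack behavior more precisely, while using network traffic to adjust and optimize the membership functions and fuzzy rules. Experimental results show that the trained ANFIDS system can detect anomalous network behavior and effectively reduce the false alarm rate.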

6.
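Anomaly detection for the Domain Name System (DNS) is studied. Based on a study of relative-density-based outlier detection algorithms, a relative-density-based algorithm for detecting anomalous source IPs in DNS request data streams is proposed. The algorithm computes the relative density of each source IP and uses the reciprocal of that density as its anomaly score; when computing relative density, a source IP is represented in 9 dimensions, including query count, source port entropy, and the proportion of requested invalid domain names. Test results show that this relative-density-based source IP anomaly detection method can correctly assign each source IP an anomaly score corresponding to its degree of abnormality.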

7.
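A layered network model for optical transport networks that integrates IP/WDM and IP/SDH/WDM is proposed. It divides the physical optical network based on wavelength division multiplexing (WDM) into IP, SDH, and WDM layers; the IP and SDH layers generate IP-based packet-switched services and synchronous time-division multiplexing services respectively, and the WDM layer provides channels to the IP and SDH layers at wavelength granularity. A dynamic joint routing and resource allocation (DJRRA) algorithm for this layered network model is given, which optimizes the bandwidth usage of inter-layer links and intra-layer logical links. Simulation results show that, compared with the traditional separated layer-by-layer routing and resource allocation algorithm, DJRRA effectively reduces the network blocking rate and improves network throughput.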

8.
狄传民 《硅谷》2012,(13):79-80
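To solve the problem of conflicts or broadcast storms caused by excessive network traffic during shared data transmission at the process layer of smart substations, the volume of network message traffic and the network latency of process-layer switches are analyzed, and a technical scheme using priority and VLAN hierarchical traffic control is proposed. VLAN logical partitioning is carried out based on the actual conditions of the Baodian Mine smart substation, and remarkable results were achieved in application.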

9.
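The discovery that the network transport layer can give rise to self-similarity has prompted further research on long-range-dependent network traffic models. Drawing on research progress in network traffic, this article introduces one reason why the existing network transport layer produces self-similar traffic.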

10.
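Botnets, as a highly threatening type of attack, are often used to launch large-scale network sabotage. In a botnet, to keep servers concealed and available, the IP addresses associated with a domain name need to change constantly, and traditional detection systems have clearly become ineffective against organized botnet attacks. Therefore, to effectively identify unknown, latent botnets, this paper designs a Snort-based botnet detection system and compares it with traditional detection systems. The results show that the system can monitor network traffic in real time and thus detect attack behavior quickly, with relatively high detection accuracy and good scalability and portability.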

11.
Sampling has become an essential component of scalable Internet traffic monitoring and anomaly detection. A new flow-based sampling technique that focuses on the selection of small flows, which are usually the source of malicious traffic, is introduced and analysed. The proposed approach provides a flexible framework for preferential flow sampling that can effectively balance the tradeoff between the volume of the processed information and the anomaly detection accuracy. The performance evaluation of the impact of selective flow-based sampling on the anomaly detection process is achieved through the adoption and application of a sequential non-parametric change-point anomaly detection method on realistic data that have been collected from a real operational university campus network. The corresponding numerical results demonstrate that the proposed approach improves anomaly detection effectiveness and at the same time reduces the number of selected flows.

12.
In various manufacturing applications such as steel, composites, and textile production, anomaly detection in noisy images is of special importance. Although there are several methods for image denoising and anomaly detection, most of these perform denoising and detection sequentially, which affects detection accuracy and efficiency. Additionally, the low computational speed of some of these methods is a limitation for real-time inspection. In this article, we develop a novel methodology for anomaly detection in noisy images with smooth backgrounds. The proposed method, named smooth-sparse decomposition, exploits regularized high-dimensional regression to decompose an image and separate anomalous regions by solving a large-scale optimization problem. To enable the proposed method for real-time implementation, a fast algorithm for solving the optimization model is proposed. Using simulations and a case study, we evaluate the performance of the proposed method and compare it with existing methods. Numerical results demonstrate the superiority of the proposed method in terms of the detection accuracy as well as computation time. This article has supplementary materials that include all the technical details, proofs, MATLAB codes, and simulated images used in the article.

13.
Attacks on websites and network servers are among the most critical threats in network security. Network behavior identification is one of the most effective ways to identify malicious network intrusions. Analyzing abnormal network traffic patterns and traffic classification based on labeled network traffic data are among the most effective approaches for network behavior identification. Traditional methods for network traffic classification utilize algorithms such as Naive Bayes, Decision Tree and XGBoost. However, network traffic classification, which is required for network behavior identification, generally suffers from the problem of low accuracy even with the recently proposed deep learning models. To improve network traffic classification accuracy, thus improving the network intrusion detection rate, this paper proposes a new network traffic classification model, called ArcMargin, which incorporates metric learning into a convolutional neural network (CNN) to make the CNN model more discriminative. ArcMargin maps network traffic samples from the same category more closely while samples from different categories are mapped as far apart as possible. The metric learning regularization feature is called additive angular margin loss, and it is embedded in the objective function of traditional CNN models. The proposed ArcMargin model is validated with three datasets and is compared with several other related algorithms. According to a set of classification indicators, the ArcMargin model is shown to have better performance in both network traffic classification tasks and open-set tasks. Moreover, in open-set tasks, the ArcMargin model can cluster unknown data classes that do not exist in the previous training dataset.

14.
Traditional distributed denial of service (DDoS) detection methods need a lot of computing resources, and many of them, being based on a single element, have a high missing rate and false alarm rate. In order to solve these problems, this paper proposes a DDoS attack information fusion method based on CNN for multi-element data. Firstly, according to the distribution, concentration and high traffic abruptness of DDoS attacks, this paper defines six features which are respectively obtained from the elements of source IP address, destination IP address, source port, destination port, packet size and the number of IP packets. Then, we propose a feature weight calculation algorithm based on principal component analysis to measure the importance of different features in different network environments. The weighted multi-element feature fusion algorithm proposed in this paper is used to fuse different features and obtain the multi-element fusion feature (MEFF) value. Finally, the DDoS attack information fusion classification model is established by using a convolutional neural network and a support vector machine respectively, based on the MEFF time series. Experimental results show that the proposed information fusion method can effectively fuse multi-element data, reduce the missing rate and total error rate, memory resource consumption, and running time, and improve the detection rate.

15.
Intrusion detection involves identifying unauthorized network activity and recognizing whether the data constitute an abnormal network transmission. Recent research has focused on using semi-supervised learning mechanisms to identify abnormal network traffic to deal with labeled and unlabeled data in the industry. However, real-time training and classifying network traffic pose challenges, as they can lead to the degradation of the overall dataset and difficulties preventing attacks. Additionally, existing semi-supervised learning research might need to analyze the experimental results comprehensively. This paper proposes XA-GANomaly, a novel technique for explainable adaptive semi-supervised learning using GANomaly, an image anomalous detection model that dynamically trains small subsets to these issues. First, this research introduces a deep neural network (DNN)-based GANomaly for semi-supervised learning. Second, this paper presents the proposed adaptive algorithm for the DNN-based GANomaly, which is validated with four subsets of the adaptive dataset. Finally, this study demonstrates a monitoring system that incorporates three explainable techniques—Shapley additive explanations, reconstruction error visualization, and t-distributed stochastic neighbor embedding—to respond effectively to attacks on traffic data at each feature engineering stage, semi-supervised learning, and adaptive learning. Compared to other single-class classification techniques, the proposed DNN-based GANomaly achieves higher scores for Network Security Laboratory-Knowledge Discovery in Databases and UNSW-NB15 datasets at 13% and 8% of F1 scores and 4.17% and 11.51% for accuracy, respectively. Furthermore, experiments of the proposed adaptive learning reveal mostly improved results over the initial values. An analysis and monitoring system based on the combination of the three explainable methodologies is also described. Thus, the proposed method has the potential advantages to be applied in practical industry, and future research will explore handling unbalanced real-time datasets in various scenarios.

16.
Distributed denial-of-service (DDoS) is a rapidly growing problem with the fast development of the Internet. There are a multitude of DDoS detection approaches; however, three major problems in DDoS attack detection appear in the big data environment: firstly, to shorten the response time of the DDoS attack detector; secondly, to reduce the required compute resources; lastly, to achieve a high detection rate with a low false alarm rate. In this paper, we propose an abnormal network flow feature sequence prediction approach which is suited to use as a DDoS attack detector in the big data environment and solves the aforementioned problems. We define a network flow abnormal index, PDRA, from the percentage of old IP addresses, the increment of new IP addresses, the ratio of new IP addresses to old IP addresses, and the average accessing rate of each new IP address. We design an IP address database using a sequential storage model which has constant time complexity. The autoregressive integrated moving average (ARIMA) trend prediction module is started if and only if the number of consecutive PDRA sequence values that all exceed a PDRA abnormal threshold (PAT) reaches a certain preset threshold. We then calculate the probability, that is, the percentage of forecast PDRA sequence values which exceed the PAT. Finally, we identify the DDoS attack based on the abnormal probability of the forecast PDRA sequence. Both theory and experiment show that the method we propose can effectively reduce compute resource consumption and identify a DDoS attack at its initial stage with a higher detection rate and a lower false alarm rate.

17.
Network traffic anomaly detection has gained considerable attention over the years in many areas of great importance. Traditional methods used for detecting anomalies produce quantitative results derived from multi-source information. This makes it difficult for administrators to comprehend and deal with the underlying situations. This study proposes another method to yet determine traffic anomaly (YATA), based on the cloud model. YATA adopts forward and backward cloud transformation algorithms to fuse the quantitative value of acquisitions into the qualitative concept of anomaly degree. This method achieves rapid and direct perspective of network traffic. Experimental results with standard dataset indicate that using the proposed method to detect attacking traffic could meet preferable and expected requirements.

18.
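Accurately identifying the support state of the face guard plate and determining whether the face guard plate interferes with the shearer is an important part of achieving safe coal mine production. A face guard plate anomaly detection method based on an improved YOLOv5s is proposed. A face guard plate dataset, hb_data2021, is built and the YOLOv5s model is improved. Whether the face guard plate state is abnormal is determined from the label classification of the state detection results of the improved YOLOv5s. To reduce the number of parameters of the YOLOv5s model, MobileNetV3 and the lightweight attention mechanism NAM (normalization-based attention module) are used to replace the backbone feature extraction network. To improve face guard plate detection accuracy, the loss function is changed to α-CIoU and knowledge distillation is performed. Experimental results show that the average precision of the distilled network improved by 1.0%, the parameter count decreased by 33.4%, and inference was accelerated by 34.2%. The face guard plate anomaly detection method based on the improved YOLOv5s performs well; deployed on the NVIDIA Jetson Xavier platform, it meets the requirements of real-time video detection. Porting the detection model to the embedded platform of an inspection robot enables face guard plate anomaly detection and meets the practical needs of the coal mining industry.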
