Unknown Malicious Traffic Detection Based on Integrated SVM and Bagging
Citation: ZHAO Jing, LI Jun, LONG Chun, DU Guan-Yao, WAN Wei, WEI Jin-Xia. Unknown Malicious Traffic Detection Based on Integrated SVM and Bagging [J]. Computer Systems & Applications (计算机系统应用), 2022, 31(10): 51-59.
Authors: ZHAO Jing (赵静), LI Jun (李俊), LONG Chun (龙春), DU Guan-Yao (杜冠瑶), WAN Wei (万巍), WEI Jin-Xia (魏金侠)
Affiliation: Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China
Funding: National Natural Science Foundation of China (61672490)
Abstract: Detecting unknown malicious network traffic is one of the core open problems in anomaly detection. Traffic captured from high-speed network streams is typically class-imbalanced and highly variable in distribution. Although much work exists on feature processing and detection methods for malicious traffic, existing approaches fall short when data imbalance and distribution variability must be handled at the same time without sacrificing detection performance. This paper therefore proposes an unknown malicious traffic detection model that combines an ensemble of SVMs with Bagging. First, to counter class imbalance, a traffic processing method based on Multi-SMOTE oversampling is proposed to improve the quality of the resulting features. Second, to cope with the diversity of traffic distributions, an unknown traffic screening method based on semi-supervised spectral clustering is proposed, which separates unknown traffic from mixed traffic with diverse distributions. Finally, following the Bagging approach, an ensemble SVM detector for unknown malicious traffic is trained. Experiments show that the proposed model for detecting unknown traffic attack types outperforms current comparable unknown malicious traffic detection methods on the combined metric (F1 score) and generalizes well across different data sets.
Keywords: unknown malicious traffic detection; Multi-SMOTE oversampling; semi-supervised spectral clustering; ensemble learning (Bagging); support vector machine (SVM)
Received: 4 January 2022
Revised: 29 January 2022
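The abstract names the three stages of the pipeline (rebalancing the minority attack class, screening unknown flows, and a bagged SVM ensemble scored by F1) but shows none of them. The block below is an added illustration, not the authors' code: it implements the two stages that can be shown compactly in pure Python, classic SMOTE oversampling of the minority class and a Bagging ensemble of linear SVMs trained with Pegasos-style SGD, and reports F1 on a held-out set. The flow features (packets per second, mean packet size, SYN ratio) and every flow record are constructed; the paper's Multi-SMOTE variant and its semi-supervised spectral clustering stage are not reproduced.

```python
# Added illustration (pure Python), not the paper's code: SMOTE rebalancing plus a
# Bagging ensemble of linear SVMs. All flow records below are constructed.
import random


def smote(minority, n_new, k=3, rng=None):
    """Classic SMOTE: each synthetic point lies on the segment between a
    minority seed and one of its k nearest minority neighbours."""
    rng = rng or random.Random(0)
    if n_new <= 0 or len(minority) < 2:
        return []
    out = []
    for i in range(n_new):
        seed = minority[i % len(minority)]  # cycle through the seeds
        others = [s for s in minority if s is not seed]
        others.sort(key=lambda s: sum((a - b) ** 2 for a, b in zip(seed, s)))
        nb = rng.choice(others[:k])
        gap = rng.random()  # position along the seed -> neighbour segment
        out.append([a + gap * (b - a) for a, b in zip(seed, nb)])
    return out


def minmax_fit(X):
    """Per-feature [0, 1] scaling bounds; fit on the training split only."""
    return [min(c) for c in zip(*X)], [max(c) for c in zip(*X)]


def minmax_apply(x, bounds):
    return [(v - lo) / (hi - lo) if hi > lo else 0.0
            for v, lo, hi in zip(x, *bounds)]


def train_linear_svm(X, y, lam=0.01, epochs=30, rng=None):
    """Linear SVM by Pegasos SGD on the hinge loss, y in {-1, +1}.
    The bias is carried as a constant 1.0 feature appended to every x."""
    rng = rng or random.Random(0)
    w, order, t = [0.0] * (len(X[0]) + 1), list(range(len(X))), 0
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            xi = X[i] + [1.0]
            violated = y[i] * sum(a * b for a, b in zip(w, xi)) < 1.0
            w = [(1.0 - eta * lam) * a for a in w]  # regularisation shrink
            if violated:  # hinge-loss subgradient step
                w = [a + eta * y[i] * b for a, b in zip(w, xi)]
    return w


class BaggedSvmDetector:
    """Bagging: B bootstrap resamples, one linear SVM each, majority vote."""

    def __init__(self, n_models=9, seed=0):
        self.n_models, self.rng = n_models, random.Random(seed)
        self.bounds, self.models = None, []

    def fit(self, X_raw, y):
        self.bounds = minmax_fit(X_raw)
        X = [minmax_apply(x, self.bounds) for x in X_raw]
        pos = [x for x, lab in zip(X, y) if lab == 1]
        neg = [x for x, lab in zip(X, y) if lab == -1]
        # Rebalance the training split only: oversampling before the split would
        # leak near-copies of the attack flows into the test set and inflate F1.
        pos = pos + smote(pos, len(neg) - len(pos), rng=self.rng)
        Xb, yb = pos + neg, [1] * len(pos) + [-1] * len(neg)
        for _ in range(self.n_models):
            boot = [self.rng.randrange(len(Xb)) for _ in Xb]  # sample with replacement
            self.models.append(train_linear_svm([Xb[i] for i in boot],
                                                [yb[i] for i in boot], rng=self.rng))
        return self

    def predict(self, x_raw):
        x = minmax_apply(x_raw, self.bounds) + [1.0]
        votes = sum(1 if sum(a * b for a, b in zip(w, x)) > 0 else -1
                    for w in self.models)
        return 1 if votes > 0 else -1


def f1_score(y_true, y_pred):
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == -1 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == -1 for t, p in zip(y_true, y_pred))
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def make_flows(n_benign, n_scan, seed):
    """Constructed flows as [packets/s, mean packet bytes, SYN ratio]:
    ordinary sessions versus a SYN-scan-like attack class."""
    rng = random.Random(seed)
    X = [[rng.uniform(2, 20), rng.uniform(300, 1200), rng.uniform(0.02, 0.15)]
         for _ in range(n_benign)]
    X += [[rng.uniform(200, 800), rng.uniform(40, 80), rng.uniform(0.8, 1.0)]
          for _ in range(n_scan)]
    return X, [-1] * n_benign + [1] * n_scan


def run_demo():
    X_train, y_train = make_flows(40, 5, seed=1)  # 8:1 imbalance, as in live captures
    X_test, y_test = make_flows(20, 20, seed=2)
    det = BaggedSvmDetector(n_models=9, seed=0).fit(X_train, y_train)
    return det, f1_score(y_test, [det.predict(x) for x in X_test])


if __name__ == "__main__":
    print(f"held-out F1: {run_demo()[1]:.3f}")
```

Two checks a practitioner would keep from this: the scaler and the oversampler are fitted inside `fit`, after the train/test split, because synthetic points interpolated from attack flows that also appear in the test set make F1 meaningless; and F1 rather than accuracy is the metric, since on an 8:1 split a detector that flags nothing still reaches roughly 89% accuracy. In the paper's pipeline, flows that the semi-supervised spectral clustering stage screens out as unknown are what feed a detector of this shape; that stage is not part of this example.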