Traffic Anomaly Detection Using Multi-Dimensional Entropy Classification in Backbone Network (Chinese title: 基于多维熵值分类的骨干网流量异常检测研究)
Cite as: Zheng Liming, Zou Peng, Han Weihong, Li Aiping, Jia Yan. 基于多维熵值分类的骨干网流量异常检测研究 [J]. 计算机研究与发展 (Journal of Computer Research and Development), 2012, 49(9): 1972-1981.
Authors: Zheng Liming, Zou Peng, Han Weihong, Li Aiping, Jia Yan
Affiliations: 1. College of Computer, National University of Defense Technology, Changsha 410073
2. Academy of Equipment Command and Technology, Beijing 100029
Funding: National High Technology Research and Development Program of China (863 Program), National Natural Science Foundation of China, National Key Technology R&D Program, National "242" Information Security Program
Abstract (translated from the Chinese): Anomaly detection on high-speed backbone networks demands both high detection efficiency and a low false-positive rate. To meet this demand, a classification method based on the entropy values of multi-dimensional traffic data is proposed. Entropy is used to measure the distribution of traffic data over several different dimensions, and a multi-dimensional efficient entropy computation algorithm is proposed that substantially reduces the time and space complexity of computing the entropy values. In each time window the entropy values of the different dimensions are arranged into a detection vector, which is classified with a one-class support vector machine. Because the classification step of the support vector machine can produce false positives, a multi-window correlation detection algorithm is proposed: anomalous vectors are correlated across several consecutive time windows before the final decision on whether an anomaly has occurred is made. Two comparative experiments on real network traffic data sets show that the time and space overhead of the algorithm grows relatively slowly as network traffic and attack traffic increase, and that it also achieves satisfactory detection accuracy.

Keywords: anomaly detection, time series, one-class support vector machine, multi-window correlation detection

Traffic Anomaly Detection Using Multi-Dimensional Entropy Classification in Backbone Network
Zheng Liming, Zou Peng, Han Weihong, Li Aiping, Jia Yan. Traffic Anomaly Detection Using Multi-Dimensional Entropy Classification in Backbone Network[J]. Journal of Computer Research and Development, 2012, 49(9): 1972-1981.
Authors: Zheng Liming, Zou Peng, Han Weihong, Li Aiping, Jia Yan
Affiliation: 1. College of Computer, National University of Defense Technology, Changsha 410073; 2. Academy of Equipment Command and Technology, Beijing 100029
Abstract: Traffic anomaly detection in high-speed backbone networks requires not only a high detection rate but also a low false-alarm rate. A multi-dimensional entropy classification method is proposed to satisfy this demand; it uses entropy to measure the distribution of traffic across several traffic dimensions. An efficient algorithm is introduced to estimate entropy with low computational and space complexity. The entropy values of all dimensions are collected to form a detection vector in each sliding window, and all detection vectors are then classified into two groups, abnormal vectors and normal vectors, by a one-class support vector machine. To improve accuracy and reduce the false-positive rate, a multi-window correlation algorithm computes a comprehensive anomaly score over a sequence of windows. Real-world traces are used to validate and evaluate the effectiveness and accuracy of the detection system in two experiments. The first experiment demonstrates the effectiveness of the detection system and shows that its time and space overhead grow relatively slowly as traffic volume and attack traffic increase. In the second experiment the system is compared with existing systems and is the most accurate of the methods compared.
Keywords: traffic anomaly detection, entropy, time series, one-class support vector machine, multi-window correlation
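The pipeline the abstract describes (per-window entropy over several traffic dimensions, a detection vector per window, one-class classification, then multi-window correlation to suppress isolated hits) is illustrated below. This is an added example, not code from the paper or its authors. The four dimensions (src_ip, dst_ip, src_port, dst_port) and the flow records are constructed for the example; the paper's one-class SVM and its efficient entropy algorithm are not reproduced here, and are replaced by exact Shannon entropy from counters and a simple standardized-deviation rule fitted on normal windows so that the example runs with the standard library alone.

```python
"""Multi-dimensional entropy detection vectors with multi-window correlation.

Added example (not the paper's code). Flow records are constructed; the
paper's one-class SVM is stood in for by a per-dimension z-score rule.
"""
import math
import random
from collections import Counter

# Assumed traffic dimensions; the paper's exact feature set is not given on this page.
DIMENSIONS = ("src_ip", "dst_ip", "src_port", "dst_port")


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def detection_vector(flows):
    """One window's detection vector: entropy of every dimension, in DIMENSIONS order."""
    return tuple(shannon_entropy([f[d] for f in flows]) for d in DIMENSIONS)


class BaselineClassifier:
    """Stand-in for the one-class SVM: a window is anomalous if any dimension's
    entropy lies more than `k` standard deviations from the training mean
    (threshold rule is an assumption of this example)."""

    def __init__(self, k=5.0):
        self.k, self.mean, self.std = k, None, None

    def fit(self, vectors):
        n, dims = len(vectors), len(DIMENSIONS)
        self.mean = [sum(v[i] for v in vectors) / n for i in range(dims)]
        # Floor the std so a constant dimension cannot produce division by zero.
        self.std = [max(math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / n), 1e-6)
                    for i in range(dims)]
        return self

    def is_anomalous(self, vector):
        return any(abs(vector[i] - self.mean[i]) / self.std[i] > self.k
                   for i in range(len(DIMENSIONS)))


def multi_window_correlation(flags, m=3, need=2):
    """Raise an alarm at window t only if at least `need` of the last `m` windows
    (t-m+1 .. t) were flagged; an isolated single-window hit is suppressed."""
    return [sum(flags[max(0, t - m + 1):t + 1]) >= need for t in range(len(flags))]


def make_normal_window(rng, n=500):
    """Constructed background traffic: many internal sources, a /26 of servers, common ports."""
    return [{"src_ip": f"10.0.{rng.randint(0, 3)}.{rng.randint(1, 200)}",
             "dst_ip": f"203.0.113.{rng.randint(1, 50)}",
             "src_port": rng.randint(1024, 65535),
             "dst_port": rng.choice([80, 443, 53, 22, 25])} for _ in range(n)]


def make_flood_window(rng, n=500):
    """Constructed flood: spoofed sources spread across the address space, one victim, one port.
    Source-IP entropy rises; destination-IP and destination-port entropy collapse."""
    return [{"src_ip": ".".join(str(rng.randint(1, 223)) for _ in range(4)),
             "dst_ip": "203.0.113.7",
             "src_port": rng.randint(1024, 65535),
             "dst_port": 80} for _ in range(n)]


def run_demo(seed=1):
    """Train on normal windows, then score a stream: 5 normal, 1 isolated flood,
    2 normal, 4 sustained flood. Returns per-window flags and correlated alarms."""
    rng = random.Random(seed)
    clf = BaselineClassifier().fit([detection_vector(make_normal_window(rng)) for _ in range(40)])
    stream = ([make_normal_window(rng) for _ in range(5)] + [make_flood_window(rng)]
              + [make_normal_window(rng) for _ in range(2)] + [make_flood_window(rng) for _ in range(4)])
    flags = [clf.is_anomalous(detection_vector(w)) for w in stream]
    return {"flags": flags, "alarms": multi_window_correlation(flags, m=3, need=2)}


if __name__ == "__main__":
    result = run_demo()
    for t, (f, a) in enumerate(zip(result["flags"], result["alarms"])):
        print(f"window {t:2d}: flagged={f!s:5} alarm={a}")
```

With m=3 and need=2 the isolated flood at window 5 is flagged by the classifier but never becomes an alarm, while the sustained flood starting at window 8 raises alarms from window 9 onward; the one-window delay is the price of the correlation step, and m and need set the trade-off between false positives and detection latency.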
Indexed in CNKI, Wanfang Data and other databases.