基于深度神经网络的异常流量检测算法

doi:10.3969/j.issn.1671-1122.2019.06.009

摘要/Abstract

摘要：

随着计算机网络和应用程序的规模呈指数级增长,攻击造成的潜在损害显著增加且越来越明显。传统异常流量检测方法已经不能满足当今互联网安全的需要,因此基于机器学习的算法成为针对复杂且不断增长的网络攻击的有效方法之一。文章提出基于深度神经网络的异常流量检测算法。通过对当前经典数据集进行对比,选择包含更多种攻击和协议类型的ISCX数据集进行实验分析。实验结果表明,与朴素贝叶斯算法对比,文章算法在提高准确率和降低误报率方面有了较大改善,是可用于异常流量检测的高效算法。

关键词: 异常流量检测, 机器学习算法, 网络攻击, 神经网络算法, ISCX数据集

Abstract:

As the scale of computer networks and applications grows exponentially, the potential damage caused by attacks increases significantly and becomes more apparent. Traditional abnormal traffic detection methods can no longer meet the needs of Internet security, so machine learning-based algorithm has become one of the effective methods for complex and growing network attacks. This paper presents an abnormal traffic detection algorithm based on deep neural network. By comparing the current classical data sets, this paper chooses ISCX data set which contains more attack and protocol types for experimental analysis. The experimental results show that compared with naive Bayesian algorithm, the proposed algorithm greatly improves the accuracy and reduces the false alarm rate. It is an efficient algorithm for abnormal traffic detection.

Key words: abnormal traffic detection, machine learning algorithm, network attack, neural network algorithm, ISCX data set

中图分类号:

TP309

陈冠衡, 苏金树. 基于深度神经网络的异常流量检测算法[J]. 信息网络安全, 2019, 19(6): 68-75.

Guanheng CHEN, Jinshu SU. Abnormal Traffic Detection Algorithm Based on Deep Neural Network[J]. Netinfo Security, 2019, 19(6): 68-75.

图/表 11

图1

图2

图3

图4

图5

表1

图6

图7

图8

图9

表2

参考文献 30

[1]	HORNG S J, SU Mingyang, CHEN Y H, et al.A Novel Intrusion Detection System Based on Hierarchical Clustering and Support Vector Machines[J]. Expert Systems with Applications, 2011, 38(1): 306-313.
[2]	BOSER B E, GUYON I M, VAPNIK V N.A Training Algorithm for Optimal Margin Classiﬁers[C]//ACM. The 5th Annual ACM Workshop on Computational Learning Theory, July 27-29, Pittsburgh, Pennsylvania, USA. New York: ACM, 1992: 144-152.
[3]	ALAZAB A, HOBBS M, ABAWAJY J, et al.Using Response Action with Intelligent Intrusion Detection and Prevention System against Web Application Malware[J]. Information Management & Computer Security, 2014, 22(5): 431-449.
[4]	AVCI E, COTELI R.A New Automatic Target Recognition System Based on Wavelet Extreme Learning Machine[J]. Expert Systems with Applications, 2012, 39(16): 12340-12348.
[5]	BUCZAK A L, GUVEN E.A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection[J]. IEEE Communications Surveys & Tutorials, 2016, 18(2): 1153-1176.
[6]	LAI Haiguang, CAI Shengwen, HUANG Hao, et al.A Parallel Intrusion Detection System for High-speed Networks[M]//Springer. Applied Cryptography and Network Security. Heidelberg: Springer, Berlin, Heidelberg, 2004: 439-451.
[7]	FENG Yong, WU Zhongfu, WU Kaigui, et al.An Unsupervised Anomaly Intrusion Detection Algorithm Based on Swarm Intelligence[C]//IEEE. 2005 International Conference on Machine Learning and Cybernetics, August 18-21, 2005 , Guangzhou, China.NJ: IEEE, 2005: 3965-3969.
[8]	LEE S W, VERRI A.Pattern Recognition with Support Vector Machines[M]. Berlin : Springer-Verlag, Berlin, 2002.
[9]	MASUD M, GAO J, KHAN L, et al.Mining Concept-drifting Data Stream to Detect Peer-to-peer Botnet Traffic[C]// IEEE. 2008 International Conference on Intelligence and Security Informatics, June 17-20, 2008, Taipei, China. NJ: IEEE, 2008: 29-30.
[10]	YU Xiaocong, DONG Xiaomei, YU Ge, et al.Online Botnet Detection Based on Incremental Discrete Fourier Transform[J]. Journal of Networks, 2010, 5(5): 568-576.
[11]	FEILY M, SHAHRESTANI A, RAMADASS S.A Survey of Botnet and Botnet Detection[C]//IEEE. The Third International Conference on Emerging Security Information, Systems and Technologies, June 18-23, 2009, Athens, Glyfada, Greece. NJ: IEEE, 2009: 268-73.
[12]	SUN Yongjia, YUAN Ye, WANG G.An On-line Sequential Learning Method in Social Networks for Node Classification[J]. Neurocomputing, 2015, 149: 207-214.
[13]	CHENG Chi, TAY W P, HUANG Guangbin.Extreme Learning Machines for Intrusion Detection[C]//IEEE. The 2012 International Joint Conference on Neural Networks, June 10-15, 2012, Brisbane, QLD, Australia. NJ: IEEE, 2012: 1-8.
[14]	MCHUGH J.Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory[J]. ACM Transactions on Information and System Security , 2000, 3(4): 262-294.
[15]	BROWN C, COWPERTHWAITE A, HIJAZI A, Analysis of the 1999 DARPA/Lincoln Laboratory IDS Evaluation Data with NetADHICT[C]//IEEE. 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, July 8-10, 2009 , Ottawa, ON, Canada . NJ: IEEE, 2009: 1-7.
[16]	KDD Cup 1999 Data [EB/OL]. , 2019-3-15.
[17]	TAVALLAEE M, BAGHERI E, LU Wei, et al. A Detailed Analysis of the KDD CUP 99 Data Set[C]//IEEE.2019 IEEE Symposium on Computational Intelligence for Security and Defense Applications, July 8-10, 2009, Ottawa, ON, Canada. NJ: IEEE: 1-6.
[18]	CAIDA. The CAIDA Anonymized Internet Traces Dataset 2008- Ongoing [EB/OL]. , 2019-3-15.
[19]	CAIDA. CAIDA DDoS Attack Dataset[EB/OL]. , 2019-3-15.
[20]	CAIDA. CAIDA Anonymized Internet Traces 2016 Dataset [EB/OL]. ,2019-3-15.
[21]	SONG J, TAKAKURA H, OKABE Y, et al.Statistical Analysis of Honeypot Data and Building of Kyoto 2006+ Dataset for NIDS Evaluation[C]//ACM. The First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, April 10 , 2011 , Salzburg, Austria . New York: ACM, 2011: 29-36.
[22]	SATO M, YAMAKI H, TAKAKURA H.Unknown Attacks Detection Using Feature Extraction from Anomaly-based IDS Alerts[C]//IEEE. 2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet, July 16-20 , 2012, Izmir, Turkey. NJ: IEEE, 2012: 273-277.
[23]	CHITRAKAR R, HUANG Chuanhe.Anomaly Based Intrusion Detection Using Hybrid Learning Approach of Combining k-Medoids Clustering and Naive Bayes Classification[C]//IEEE. 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing, September 21-23, 2012, Shanghai, China. NJ: IEEE, 2012: 1-5.
[24]	CREECH G, HU Jianhun.Generation of a New IDS Test Dataset: Time to Retire the KDD Collection[C]//IEEE. 2013 IEEE Wireless Communications and Networking Conference, April 7-10, 2013, Shanghai, China. NJ: IEEE, 2013: 4487-4492.
[25]	XIE Miao, HU Jiankun.Evaluating Host-based Anomaly Detection Systems: A Preliminary Analysis of ADFA-LD[C]//IEEE. 2013 6th International Congress on Image and Signal Processing, December 16-18, 2013, Hangzhou, China. NJ: IEEE, 2013: 1711-1716.
[26]	XIE Miao, HU Jiankun, SLAY J.Evaluating Host-based Anomaly Detection Systems: Application of the One-class SVM Algorithm to ADFA-LD[C]//IEEE. 2014 11th International Conference on Fuzzy Systems and Knowledge Discovery, August 19-21, 2014 , Xiamen, China. NJ: IEEE, 2014: 978-982.
[27]	HE Xiang, LIU Sheng, JIANG Jiguo.Comparative Study of Intrusion Detection Methods Based on Machine Learning[J]. Netinfo Security, 2018, 18(5): 1-11.
	和湘,刘晟,姜吉国.基于机器学习的入侵检测方法对比研究[J].信息网络安全,2018,18(5):1-11.
[28]	UNB. Intrusion Detection Evaluation Dataset (ISCXIDS2012) [EB/OL]. , 2019-3-15.
[29]	YASSIN W, UDZIR1 N I, MUDA Z, et al. Anormaly-based Intrusion Detection through K-Means Clustering and Naivesbayes Classification[C]// ICOCI. The 4th International Conference on Computing and Informatics, August 28-30, 2013 , Sarawak, Malaysia. Universiti Utara Malaysia, 2013: 298-303.
[30]	CHEN Hongsong, WANG Gang, SONG Jianlin.Research on Anomaly Behavior Classification Algorithm of Internal Network User Based on Cloud Computing Intrusion Detection Data Set[J]. Netinfo Security, 2018, 18(3): 1-7.
	陈红松,王钢,宋建林.基于云计算入侵检测数据集的内网用户异常行为分类算法研究[J].信息网络安全,2018,18(3):1-7.

		DARPA	KDD99	CAIDA	kyoto	ADFA2013	ISCX2012
网络配置的完整性		完整	完整	完整	完整	完整	完整
流量完整性		不完整	不完整	完整	不完整	完整	完整
数据集标记		是	是	否	是	是	是
交互完整性		完整	完整	不完整	完整	完整	完整
捕获完整性		完整	完整	不完整	完整	完整	完整
可用协议类型	HTTP	可用	可用	-	可用	可用	可用
	HTTPS	不可用	不可用	-	可用	不可用	可用
	SSH	可用	可用	-	可用	可用	可用
	FTP	可用	可用	-	可用	可用	可用
	E-mail	可用	可用	-	可用	可用	可用
攻击类型多样性	Browser	不包含	不包含	不包含	包含	包含	包含
	Bforce	包含	包含	不包含	包含	包含	包含
	DoS	包含	包含	包含	包含	不包含	包含
	Scan	包含	包含	包含	包含	不包含	包含
	Bdoor	不包含	不包含	不包含	包含	包含	包含
	DNS	不包含	不包含	包含	包含	不包含	不包含
	其他	包含	包含	包含	包含	包含	包含
异构型		不具有	不具有	不具有	不具有	-	具有

实验方法	训练数据		测试数据
实验方法	准确率/%	误报率/%	准确率/%	误报率/%
朴素贝叶斯分类	82.8	17.6	88.2	33.7
深度神经网络	97.52	39.09	99.73	4.34