基于特征属性信息熵的网络异常流量检测方法

doi:10.3969/j.issn.1671-1122.2021.02.010

信息网络安全 ›› 2021, Vol. 21 ›› Issue (2): 78-86.doi: 10.3969/j.issn.1671-1122.2021.02.010

基于特征属性信息熵的网络异常流量检测方法

刘奕¹(), 李建华¹, 张一瑫², 孟涛¹

1.空军工程大学信息与导航学院,西安 710077
2.空军工程大学职业教育中心,西安 710038

收稿日期:2020-09-01 出版日期:2021-02-10 发布日期:2021-02-23
通讯作者: 刘奕 E-mail:sonys16@163.com
作者简介:刘奕（1983—）,女,江苏,博士研究生,主要研究方向为网络安全|李建华（1965—）,男,陕西,教授,博士,主要研究方向为空天信息网络系统规划建设|张一瑫（1983—）,男,陕西,讲师,硕士,主要研究方向为无线电通信与导航|孟涛（1967—）,女,江苏,副教授,硕士,主要研究方向为通信对抗技术
基金资助:
国家自然科学基金(61871396)

Network Abnormal Flow Detection Method Based on Feature Attribute Information Entropy

LIU Yi¹(), LI Jianhua¹, ZHANG Yitao², MENG Tao¹

1. Information and Navigation College, Air Force Engineering University, Xi’an 710077, China
2. Vocational Education Center of Air Force Engineering University, Xi’an 710038, China

Received:2020-09-01 Online:2021-02-10 Published:2021-02-23
Contact: LIU Yi E-mail:sonys16@163.com

摘要/Abstract

摘要：

针对网络异常流量检测问题,文章提出一种基于网络流量特征属性信息熵的异常流量检测方法。该方法首先计算描述网络流量特征变化的源端口号、目的端口号、源IP地址和目的IP地址这4种特征属性信息熵,并进行归一化处理,降低异常样本数据对分类性能的影响;然后利用自适应遗传算法对支持向量机分类器的惩罚参数和核函数参数进行优化,提高分类器泛化能力,同时改进遗传算法的交叉算子和变异算子,减少支持向量机分类器的训练时间;最后通过训练好的支持向量机分类器识别4种流量特征属性信息熵的变化以实现网络异常流量检测。仿真实验表明,该方法提取的4种流量特征属性信息熵能够有效表征异常流量变化,在多种异常流量类型条件下,具有较高的异常流量识别率和较低的误判率,且检测方法的鲁棒性较好。

关键词: 信息熵, 异常流量检测, 支持向量机, 参数优化

Abstract:

Aiming at the problem of network abnormal flow detection, this paper proposes an abnormal flow detection method based on network flow feature attribute information entropy. This method firstly calculates the four feature attribute information entropies of source port number, destination port number, source IP address and destination IP address which describe the change of network flow feature. At the same time, normalization is performed to reduce the impact of abnormal sample data on classification performance. Then, the adaptive genetic algorithm is used to optimize the penalty parameters and kernel function parameters of the support vector machine classifier to improve the generalization ability of the classifier. At the same time, the crossover operator and mutation operator of the genetic algorithm are improved to reduce the training time of the support vector machine classifier. Finally, the trained support vector machine classifier is used to recognize the change of the four flow feature attribute information entropies to realize the network abnormal flow detection. Simulation experiments show that the four flow feature attribute information entropies extracted by the method can effectively characterize abnormal flow change. Under a variety of abnormal flow types, the method has a high abnormal flow recognition rate and a low false positive rate, and the robustness of the detection method is better.

Key words: information entropy, abnormal flow detection, support vector machine, parameter optimization

中图分类号:

TP309

刘奕, 李建华, 张一瑫, 孟涛. 基于特征属性信息熵的网络异常流量检测方法[J]. 信息网络安全, 2021, 21(2): 78-86.

LIU Yi, LI Jianhua, ZHANG Yitao, MENG Tao. Network Abnormal Flow Detection Method Based on Feature Attribute Information Entropy[J]. Netinfo Security, 2021, 21(2): 78-86.

图/表 10

图1

表1

图2

图3

图4

图5

图6

图7

图8

表2

参考文献 16

[1]	HONG C O, ALIH E. A Control Chart Based on Cluster-regression Adjustment for Retrospective Monitoring of Individual Characteristics[EB/OL]. https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0125835, 2015-04-29.
[2]	MARKOU M, SINGH S. Novelty Detection: A Review—part 2: Neural Network-based Approaches[J]. Signal Processing, 2003,83(12): 2499-2521.
[3]	WAGH S K, KOLHE S R. Effective Semi-supervised Approach Towards Intrusion Detection System Using Machine Learning Techniques[J]. International Journal of Electronic Security & Digital Forensics, 2015,7(3): 290-304.
[4]	TANG T A, MHAMDI L, MCLERNON D, et al. Deep Rrecurrent neural Network for Intrusion Detection in SDN-based Networks[C]//IEEE. The 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), June 25-29, 2018, Montreal, QC, Canada. NJ: IEEE, 2018: 202-206.
[5]	YAN Qiao, GONG Qingxiang, DENG F A. Detection of DDoS Attacks Against Wireless SDN Controllers Based on the Fuzzy Synthetic Evaluation Decision-making Model[J]. Ad Hoc & Sensor Wireless Networks, 2016,33(1): 275-299.
[6]	XIAO Linying, WANG Huaibin. Traffic Anomaly Detection Based on Hidden Markov Model and Conditional Entropy[J]. Journal of Tianjin University of Technology, 2019,35(5): 18-22, 28.
	肖林英, 王怀彬. 基于隐马尔可夫模型和条件熵的异常流量检测方法研究[J]. 天津理工大学学报, 2019,35(5): 18-22,28.
[7]	TIAN Zhongda, LI Shujiang, WANG Yanhong, et al. Network Traffic Prediction Based on Gaussian Process RegressionCompensation Arima[J]. Journal of Beijing University of Posts and Telecommunications, 2017,40(6): 65-73.
	田中大, 李树江, 王艳红, 等. 高斯过程回归补偿ARIMA的网络流量预测[J]. 北京邮电大学学报, 2017,40(6): 65-73.
[8]	MENG Yongwei, QIN Tao, ZHAO Liang, et al. Network Abnormal Traffic Detection Method Based on Residual Analysis[J]. Journal of Xi'an Jiaotong University, 2020,1(54): 42-48.
	孟永伟, 秦涛, 赵亮, 等. 利用残差分析的网络异常流量检测方法[J]. 西安交通大学学报, 2020,1(54): 42-48.
[9]	LIU Yating, WANG Yongcheng, QIANG Yanfei, et al. Network Traffic Anomaly Detection Based on Random Mapping and Clustering[J]. Computer Integrated Manufacturing Systems, 2019,3(36): 289-293.
	刘雅婷, 王永程, 强延飞, 等. 基于随机映射与聚类的网络流量异常检测[J]. 计算机仿真, 2019,3(36): 289-293.
[10]	PENG Huijun, SUN Zhe, ZHAO Xuejian, et al. A Detection Method for Anomaly Flow in Software Defined Network[J]. IEEE Access, 2018,6(5): 27809-27817.
[11]	LATAH M, TOKER L. Towards an Efficient Anomaly-based Intrusion Detection for Software-defined Networks[J]. Iet Networks, 2018,7(6): 453-459.
[12]	DONG Shuqin, ZHANG Bin. Network Traffic Anomaly Detection Method Based on Deep Feature Learning[J]. Journal of Electronics & Information Technology, 2020,42(3): 695-702.
	董书琴, 张斌. 基于深度特征学习的网络流量异常检测方法[J]. 电子与信息学报, 2020,42(3): 695-702.
[13]	LAKHINA A, CROVELLA M, DIOT C. Mining Anomalies Using Traffic Feature Distributions[J]. Computer Communication Review, 2005,35(4): 217-228.
[14]	HESTERMAN J Y, CAUCCI L, KUPINSKI M A, et al. Maximum-likelihood Estimation With a Contracting-grid Search Algorithm[J]. IEEE Transactions on Nuclear Science, 2010,57(3): 1077-1084. doi: 10.1109/TNS.2010.2045898 URL pmid: 20824155
[15]	LÜ Zhaoming, ZHANG Yingjiang. Abnormal Traffic Identification Based on Improved GOA-SVM Algorithm[J]. Journal of Hunan University of Science & Technology(Natural Science Edition), 2019,34(4): 90-96.
	吕赵明, 张颖江 .基于改进 GOA-SVM算法的异常流量识别[J]. 湖南科技大学学报(自然科学版), 2019,34(4): 90-96.
[16]	JIN Bo. Research and Improvement of Network Abnormal Traffic Detection Algorithm[J]. Computer & Digital Engineering, 2020,48(6): 1440-1449.
	金波. 关于网络异常流量检测算法的研究与改进[J]. 计算机与数字工程, 2020,48(6): 1440-1449.

异常流量类型	源IP信息熵	目的IP 信息熵	源端口信息熵	目的端口信息熵
Single Scan	减小	增大	增大	减小
Multiple Scan	增大	增大	增大	减小
Port Scan	减小	减小	增大	增大
DDoS	增大	减小	增大	减小
Alpha Flows	增大	增大	增大	增大

	平均检测率/%	误报率/%
AGA-SVM	94.7	0.024
GOA-SVM	89.5	0.076
PCA	88.3	0.081

基于特征属性信息熵的网络异常流量检测方法

Network Abnormal Flow Detection Method Based on Feature Attribute Information Entropy

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 16

相关文章 15

编辑推荐

Metrics

本文评价

[1]	张浩, 陈龙, 魏志强. 基于数据增强和模型更新的异常流量检测技术[J]. 信息网络安全, 2020, 20(2): 66-74.
[2]	陈冠衡, 苏金树. 基于深度神经网络的异常流量检测算法[J]. 信息网络安全, 2019, 19(6): 68-75.
[3]	胡建伟, 赵伟, 闫峥, 章芮. 基于机器学习的SQL注入漏洞挖掘技术的分析与实现[J]. 信息网络安全, 2019, 19(11): 36-42.
[4]	和湘, 刘晟, 姜吉国. 基于机器学习的入侵检测方法对比研究[J]. 信息网络安全, 2018, 18(5): 1-11.
[5]	宋金伟, 杨进, 李涛. 基于加权支持向量机的Domain Flux僵尸网络域名检测方法研究[J]. 信息网络安全, 2018, 18(12): 66-71.
[6]	苏静, 路文玲, 赵毅强, 史艳翠. 基于支持向量机的硬件木马检测建模与优化[J]. 信息网络安全, 2017, 17(8): 33-38.
[7]	张谦, 高章敏, 刘嘉勇. 基于Word2vec的微博短文本分类研究[J]. 信息网络安全, 2017, 17(1): 57-62.
[8]	宋伟, 杨培, 于京, 姜薇. 基于视觉语义概念的暴恐视频检测[J]. 信息网络安全, 2016, 16(9): 12-17.
[9]	尹心明, 胡正梁, 陈国梁, 黄海晔. 基于设备指纹决策树分类的IP视频专网入网检测方案研究[J]. 信息网络安全, 2016, 16(12): 68-73.
[10]	胡洋瑞, 陈兴蜀, 王俊峰, 叶晓鸣. 基于流量行为特征的异常流量检测[J]. 信息网络安全, 2016, 16(11): 45-51.
[11]	张晓惠, 林柏钢. 基于平衡二叉决策树SVM算法的物联网安全研究[J]. 信息网络安全, 2015, 15(8): 20-25.
[12]	戚名钰, 刘铭, 傅彦铭. 基于PCA的SVM网络入侵检测研究[J]. 信息网络安全, 2015, 15(2): 15-18.
[13]	沈长达，尤俊生，钱镜洁. TrueCrypt加密容器快速检测技术[J]. 信息网络安全, 2014, 14(9): 220-222.
[14]	严承华;程晋;樊攀星. 基于信息熵的网络流量信息结构特征研究[J]. , 2014, 14(3): 0-0.
[15]	. 基于信息熵的网络流量信息结构特征研究[J]. , 2014, 14(3): 28-.