
Computer Engineering (计算机工程)

• Security Technology •

Abnormal Traffic Detection Method Based on ME-PGNMF (基于ME-PGNMF的异常流量检测方法)

CHEN Lulu (陈露露), GUO Wenpu (郭文普), HE Hao (何灏)

  1. Department of Information Engineering, Rocket Forces Engineering University, Xi'an 710025, China (火箭军工程大学 信息工程系)
  • Received: 2016-12-07 Online: 2018-01-15 Published: 2018-01-15
  • About the authors: CHEN Lulu (born 1993), male, master's student; main research interests: network security, communication engineering. GUO Wenpu, associate professor, Ph.D. HE Hao, master's student.

Abstract: Because some network anomalies have little visible effect on traffic volume, traffic analysis has difficulty finding them. Traditional anomalous traffic detection methods based on Principal Component Analysis (PCA) seek a globally optimal solution and extract local features insufficiently, so they are insensitive to continuous anomalies, which lowers the detection accuracy for abnormal traffic, and their physical meaning is unclear. To address these problems, an anomalous traffic detection method based on Multidimensional Entropy and Projected Gradient Non-negative Matrix Factorization (ME-PGNMF) is proposed. The traffic data is first processed into a multidimensional feature entropy matrix; Projected Gradient Non-negative Matrix Factorization (PGNMF) is then used to reconstruct the multidimensional entropy matrix and separate the normal subspace from the abnormal subspace; finally, anomalies are detected with the Q chart from multivariate statistical process control. Experimental results show that, compared with the flow-analysis-based PCA method and the traditional Non-negative Matrix Factorization (NMF) method, the proposed method detects continuous anomalies faster and more accurately, markedly improves the detection of low-rate Distributed Denial of Service (DDoS) attacks that barely change the traffic volume, and is more sensitive to worm attacks.

Key words: network traffic, multidimensional entropy, anomaly detection, Non-negative Matrix Factorization (NMF), subspace
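The pipeline the abstract describes (entropy matrix, PGNMF fit on a normal baseline, Q statistic per window), as an added example that is not the paper's own code. It assumes numpy, constructed flow records with four header fields, a fixed-step projected gradient NMF, and an upper control limit of 1.5 times the largest baseline Q as a simple stand-in for the Q-chart limit; the attack window has the same number of flows as a normal one, so only the entropy distribution changes.

```python
import math, random
from collections import Counter
import numpy as np

def entropy_vector(flows):
    """Normalised Shannon entropy (0..1) of each header field over one time window."""
    n, ents = len(flows), []
    for field in zip(*flows):                               # one column per header field
        h = -sum(c / n * math.log2(c / n) for c in Counter(field).values())
        ents.append(h / math.log2(n))                       # log2(n) = maximum for n flows
    return ents

def pgnmf(X, k, iters=300):
    """Projected-gradient NMF: X ~= W @ H with W, H >= 0 (alternating 1/Lipschitz steps)."""
    rng = np.random.default_rng(0)
    W, H = rng.random((X.shape[0], k)), rng.random((k, X.shape[1]))
    for _ in range(iters):
        W = np.maximum(W - (W @ H - X) @ H.T / (np.linalg.norm(H @ H.T, 2) + 1e-12), 0)
        H = np.maximum(H - W.T @ (W @ H - X) / (np.linalg.norm(W.T @ W, 2) + 1e-12), 0)
    return W, H

def q_statistic(x, H, iters=200):
    """Q statistic (squared residual) of x after nonnegative projection onto span(H)."""
    w, lip = np.zeros(H.shape[0]), np.linalg.norm(H @ H.T, 2) + 1e-12
    for _ in range(iters):
        w = np.maximum(w - (w @ H - x) @ H.T / lip, 0)
    return float(np.sum((x - w @ H) ** 2))

def make_window(rng, low_rate_ddos=False, n_flows=200):
    """Constructed (src_ip, dst_ip, src_port, dst_port) flows; volume is identical either way."""
    flows = []
    for _ in range(n_flows):
        if low_rate_ddos and rng.random() < 0.5:            # many sources -> one victim service
            flows.append((rng.randint(1, 5000), 1, rng.randint(1024, 65535), 80))
        else:
            flows.append((rng.randint(1, 200), rng.randint(1, 50), rng.randint(1024, 65535),
                          rng.choice((22, 53, 80, 443))))
    return flows

def run_detection(n_baseline=100, k=2):
    """Fit the normal subspace on baseline windows, then score one normal and one attack window."""
    rng = random.Random(7)
    baseline = np.array([entropy_vector(make_window(rng)) for _ in range(n_baseline)])
    _, H = pgnmf(baseline, k)
    q_train = np.array([q_statistic(x, H) for x in baseline])
    ucl = 1.5 * q_train.max()                                # upper control limit from baseline Q
    q_normal = q_statistic(np.array(entropy_vector(make_window(rng))), H)
    q_attack = q_statistic(np.array(entropy_vector(make_window(rng, low_rate_ddos=True))), H)
    return {"ucl": ucl, "q_normal": q_normal, "q_attack": q_attack,
            "alarm_normal": q_normal > ucl, "alarm_attack": q_attack > ucl}
```

Calling `run_detection()` returns the control limit and both Q values; the attack window raises the alarm on entropy alone even though its flow count equals the baseline's.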

CLC number: