Abstract
Large-scale, high-speed networks generate massive traffic data, and anomaly detection on them suffers from a low detection rate. To address both problems, the concept of a "community" is introduced into traffic anomaly detection, and a detection method combining three-level wavelet decomposition with a deviation score is applied. Experiments show that community-based detection achieves more accurate and more efficient results than network-based detection. Using the community as the observation scope prevents an attack on one community from being masked by unrelated network activity in other communities, and it also allows the traffic data to be split among communities. The paper further studies the feature set used for community-based detection: starting from a summary of the existing features derived from NetFlow records, a correlation-based method removes strongly correlated features and selects a feature set suited to community detection, avoiding the information redundancy caused by the arbitrary feature choices made in current NetFlow-based anomaly detection.
Source
《电子测量与仪器学报》
CSCD
2010, No. 4, pp. 365-370 (6 pages)
Journal of Electronic Measurement and Instrumentation
Funding
National Natural Science Foundation of China (Grant No. 60903157)
National Information Security Program (Grant No. 2006C27)
Keywords
community
anomaly detection
wavelet analysis
feature selection