Cite this article
  • Luo Wen. Research on a TR-SAGE Traffic Anomaly Detection Method for Network Sessions [J]. Journal of Cyber Security (信息安全学报), accepted
  • luowen. Research on TR-SAGE Anomaly Detection of Network Sessions [J]. Journal of Cyber Security, accepted
Research on a TR-SAGE Traffic Anomaly Detection Method for Network Sessions
Luo Wen
(Nanjing University of Science and Technology)
Abstract:
Because the interaction relationships in network traffic are inherently sparse and complex, traditional network traffic anomaly detection methods have difficulty making effective use of the temporal features and topological information in the traffic, and when detecting anomalies in complex and diverse traffic they often suffer from insufficient accuracy and poor adaptability. To address these key problems, this paper builds on the graph neural network E-GraphSAGE and proposes TR-SAGE, an integrated detection method that combines session features with a random walk with restart algorithm. By using session-level traffic features together with the topological information of the graph, the method significantly strengthens the detection of network traffic anomalies. Session feature extraction captures the dynamic changes and statistical properties over a session's lifecycle, exposing hidden traffic patterns and relationships that traditional methods may overlook. Graph topology optimization gives the random walk with restart algorithm a more effective sampling basis. By improving the quality of model sampling, the method distinguishes normal from anomalous traffic patterns more effectively, even on highly complex datasets. Experiments on three general-purpose network traffic anomaly detection datasets show that TR-SAGE performs well on recall, precision, F1 score and the other evaluation metrics, and in particular that it can effectively identify multiple kinds of anomaly patterns in complex, dynamically changing traffic. On the ISCXTor2016 dataset it not only achieves the best values on all evaluation metrics but also improves recall, precision and F1 score by 19%, 17% and 18% over the SOTA graph neural network model. The experimental results demonstrate the effectiveness and robustness of the proposed method for network traffic anomaly detection. The method is markedly effective in addressing network security and traffic analysis challenges and offers a promising solution for network traffic anomaly detection.
Keywords: network traffic, anomaly detection, session features, time series, graph representation, topology optimization
DOI:
Received: 2024-09-02    Revised: 2025-01-27
Funding:
Research on TR-SAGE Anomaly Detection of Network Sessions
luowen
(Nanjing University of Science and Technology)
Abstract:
Because network traffic interactions are highly sparse and complex, traditional network traffic anomaly detection methods struggle to make effective use of the temporal features and topological information in the traffic. When applied to complex and diverse traffic, they often suffer from insufficient accuracy and poor adaptability. To address these key issues, this paper proposes TR-SAGE, an integrated detection method that combines session features with a random walk with restart algorithm on top of the graph neural network E-GraphSAGE. By using session-level traffic features together with the graph's topological information, the method significantly strengthens the detection of network traffic anomalies. Session feature extraction captures the dynamic changes and statistical properties within a session's lifecycle in order to discover hidden traffic patterns and relationships that traditional methods may miss. In addition, graph topology optimization gives the random walk with restart algorithm a more effective sampling basis. By improving the quality of model sampling, the method distinguishes normal from anomalous traffic patterns more effectively, even on highly complex datasets. We conduct experiments on three common network traffic anomaly detection datasets. TR-SAGE performs well on evaluation metrics such as recall, precision and F1 score, and in particular it can effectively identify a variety of anomaly patterns in complex, dynamically changing traffic. For example, on the ISCXTor2016 dataset the evaluation metrics not only reach the state of the art, but recall, precision and F1 score also improve by 19%, 17% and 18% over the SOTA graph neural network model. The experimental results demonstrate the effectiveness and robustness of the proposed method for network traffic anomaly detection tasks.
The proposed method is markedly effective in addressing network security and traffic analysis challenges and offers a promising solution for network traffic anomaly detection.
Key words: network traffic, anomaly detection, session features, time series, graph representation, topology optimization
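Both abstracts describe the same pipeline: extract per-session statistics from flow records, place them on the edges of a host graph (as E-GraphSAGE does with flow features), sample each host's neighbourhood with a random walk with restart instead of a uniform neighbour sample, and aggregate the sampled neighbourhood GraphSAGE-style. The following Python is an added illustration of that pipeline, not the paper's code (no TR-SAGE implementation appears on this page). The flow records are constructed, and the feature set, the host-level graph, the restart probability, the visit-count ranking and the unweighted mean aggregator are all assumptions of this example; the paper's graph topology optimization step and its trained classifier are not modelled.

```python
import random
import statistics
from collections import defaultdict

# Constructed flow records for the example (not from any dataset):
# (timestamp_s, src_host, dst_host, dst_port, bytes, packets).
# h1/h2 look like ordinary clients, h3 touches five ports with tiny flows
# (a scan-like pattern), h4<->h5 is an unrelated component.
FLOWS = [
    (0.0, "h1", "srv", 443, 1200, 10),
    (1.5, "h1", "srv", 443,  900,  8),
    (3.0, "h1", "srv", 443, 1500, 12),
    (0.2, "h2", "srv",  80,  500,  4),
    (9.0, "h2", "srv",  80,  700,  6),
    (0.1, "h3", "srv",  22,   60,  1),
    (0.2, "h3", "srv",  23,   60,  1),
    (0.3, "h3", "srv",  25,   60,  1),
    (0.4, "h3", "srv",  80,   60,  1),
    (0.5, "h3", "srv", 443,   60,  1),
    (2.0, "h4", "h5", 8080, 3000, 20),
]

# Assumed session feature set; the paper's exact features are not on the page.
FEATURE_NAMES = ["flow_count", "total_bytes", "duration",
                 "mean_iat", "distinct_dports", "mean_pkts"]


def session_features(flows):
    """Group flows into (src, dst) sessions and summarise each session's
    lifecycle: volume, duration, inter-arrival timing and port spread."""
    sessions = defaultdict(list)
    for ts, src, dst, dport, nbytes, pkts in flows:
        sessions[(src, dst)].append((ts, dport, nbytes, pkts))
    feats = {}
    for key, recs in sessions.items():
        recs.sort()
        ts = [r[0] for r in recs]
        iats = [b - a for a, b in zip(ts, ts[1:])]
        feats[key] = [
            float(len(recs)),
            float(sum(r[2] for r in recs)),
            ts[-1] - ts[0],
            statistics.fmean(iats) if iats else 0.0,
            float(len({r[1] for r in recs})),
            statistics.fmean([r[3] for r in recs]),
        ]
    return feats


def build_graph(feats):
    """Hosts are nodes; each session becomes an undirected edge carrying
    its feature vector (edge features, in the E-GraphSAGE style)."""
    adj = defaultdict(list)
    for (src, dst), vec in feats.items():
        adj[src].append((dst, vec))
        adj[dst].append((src, vec))
    return dict(adj)


def rwr_sample(adj, start, steps=500, restart=0.3, k=3, seed=0):
    """Random walk with restart from `start`: at each step jump back to `start`
    with probability `restart`, otherwise move to a uniformly chosen neighbour.
    Visited nodes are ranked by visit count and the top-k form the sampled
    neighbourhood, so hosts close to `start` are preferred over a uniform sample."""
    rng = random.Random(seed)
    visits = defaultdict(int)
    cur = start
    for _ in range(steps):
        if rng.random() < restart or not adj.get(cur):
            cur = start
            continue
        cur = rng.choice(adj[cur])[0]
        if cur != start:
            visits[cur] += 1
    ranked = sorted(visits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [node for node, _ in ranked[:k]]


def node_feature(adj, node):
    """A host's own feature: the mean of the session vectors on its edges."""
    vecs = [vec for _, vec in adj.get(node, [])]
    if not vecs:
        return [0.0] * len(FEATURE_NAMES)
    return [statistics.fmean(col) for col in zip(*vecs)]


def embed(adj, node, sampled):
    """One GraphSAGE-style layer: concatenate the host's own feature with the
    mean of the sampled neighbourhood's features (no learned weights here)."""
    own = node_feature(adj, node)
    if not sampled:
        return own + [0.0] * len(own)
    nbr = [node_feature(adj, n) for n in sampled]
    return own + [statistics.fmean(col) for col in zip(*nbr)]


if __name__ == "__main__":
    feats = session_features(FLOWS)
    adj = build_graph(feats)
    for key, vec in feats.items():
        print(key, dict(zip(FEATURE_NAMES, vec)))
    sampled = rwr_sample(adj, "srv", seed=1)
    print("RWR neighbourhood of srv:", sampled)
    print("embedding of srv:", embed(adj, "srv", sampled))
```

The h3 session stands out in the feature space (five distinct ports, near-zero inter-arrival time, one packet per flow) even though each of its flows is unremarkable on its own, which is the point of session-level features. The restart probability controls locality: with `restart=1.0` the walk never leaves `start` and the sampled neighbourhood is empty, while the disconnected h4/h5 component is never reached from `srv` at any setting, so the sampled neighbourhood reflects graph topology rather than a random subset of all hosts.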