Cite this article
  • Chen Hong, Lu Jianbo, Jin Haibo, Wu Cong, Cheng Mingjia. A Traffic Anomaly Detection Method Based on NNOA and EWOA [J]. Journal of Cyber Security (信息安全学报), accepted.
A Traffic Anomaly Detection Method Based on NNOA and EWOA
Chen Hong1, Lu Jianbo1, Jin Haibo1, Wu Cong2, Cheng Mingjia1
(1. School of Software, Liaoning Technical University; 2. Institute of Science and Technology, Liaoning Technical University)
Abstract:
Traffic anomaly detection can identify potential attack behaviour in network traffic and is an important topic in network security research. In recent years, machine learning has been widely applied to traffic anomaly detection, but existing machine learning algorithms for traffic anomaly detection have two problems: first, imbalanced traffic data leads to a low detection rate for minority classes; second, heavy feature redundancy leads to low detection accuracy and poor timeliness. To improve the detection rate of minority classes, and to raise accuracy and detection speed while reducing feature redundancy, this paper proposes a traffic anomaly detection method that combines an Oversampling Algorithm With Natural Neighbors (NNOA) and an Enhanced Whale Optimization Algorithm (EWOA). First, an NNOA-based oversampling algorithm is designed: the natural neighbors of each minority-class sample are determined with the Natural Neighbors (NN) algorithm, and new samples are synthesized from the random difference between a base sample and one of its natural neighbors, alleviating the data imbalance problem. Second, an EWOA-based feature selection algorithm is designed, which strengthens the search capability of the algorithm with two strategies in order to obtain a high-quality feature subset. The first is an adaptive search-for-prey strategy: alternating between single-dimension and full-dimension updates enriches population diversity and thus improves global search capability. The second is a dual guidance strategy: weighted guidance is introduced on top of best-solution guidance, reducing each individual's dependence on the current best solution and thus improving local search capability. Finally, the optimal feature subset is used to train a Decision Tree (DT) classifier to distinguish normal traffic from the various attack classes. Experimental results on the NSL-KDD and UNSW-NB15 datasets show that the proposed method not only improves the detection rate of minority classes but also significantly reduces feature redundancy and processing time. Compared with other research methods, the proposed method achieves higher accuracy, detection rate and F1-score.
Keywords: traffic anomaly detection; machine learning; natural neighbors algorithm; whale optimization algorithm
DOI:
Submitted: 2023-07-29; Revised: 2024-01-23
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
A Traffic Anomaly Detection Method Based on NNOA and EWOA
Chen Hong1, Lu Jianbo1, Jin Haibo1, Wu Cong2, Cheng Mingjia1
(1.Department of Software,Liaoning Technical University;2.Institute of Science and Technology,Liaoning Technical University)
Abstract:
An essential component of network security research is traffic anomaly detection, which can spot potential assaults in network traffic. Machine learning technology has become widely applied in the field of traffic anomaly detection in recent years. The current machine learning-based algorithms for traffic anomaly detection struggle with two issues: the first is the low detection rate of minority classes, which is brought on by the imbalance in traffic data, and the second is the low detection accuracy and poor timeliness, which is brought on by the significant redundancy of data characteristics. A traffic anomaly detection method combining Oversampling Algorithm with Natural Neighbors (NNOA) and Enhanced Whale Optimization Algorithm (EWOA) has been developed in order to increase the detection rate of minority classes, improve accuracy, and increase detection speed on the premise of minimizing feature redundancy. Firstly, we create an oversampling technique based on NNOA and employ the natural neighbors (NN) algorithm to calculate the natural neighbors of minority samples. To address the issue of data imbalance, new samples are created based on the random differences between a chosen base sample and one of its natural neighbors. Then, in order to produce a high-quality feature subset, a feature selection algorithm based on EWOA is devised, and the search ability of the algorithm is improved by two strategies. One is the adaptive search prey method, which promotes global search capability while enriching population diversity by alternately using single-dimensional update and full-dimensional update. The second is the dual guidance technique, which introduces weighted guidance on top of optimum guidance to lessen an individual's reliance on the present optimal solution and enhance local search capabilities. Lastly, in order to discriminate between normal traffic and different threats, the decision tree (DT) classifier is trained using the best feature subset.
On the NSL-KDD and UNSW-NB15 datasets, we conducted anomaly detection experiments. The findings show that the suggested method not only increases the detection rate of minority classes but also noticeably decreases feature redundancy and processing time. In addition, our proposed method can achieve higher accuracy, detection rate, and F1 score when compared to other research methodologies.
Key words: traffic anomaly detection; machine learning; natural neighbors; whale optimization algorithm
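The NNOA oversampling step described in the abstract, as an added illustration that is not the paper's own code: the Natural Neighbors search grows k until every point has a reverse nearest neighbour (or the number of neighbourless points stops changing, which leaves isolated outliers without natural neighbours), and new minority samples are then interpolated between a base sample and one of its natural neighbours. The stopping rule, the function names and the toy minority class are assumptions of this example, not details taken from the paper.

```python
import numpy as np

def natural_neighbors(X):
    """Natural Neighbors (NN) search over a feature matrix X of shape (n, d).
    k grows one step at a time until every point has at least one reverse
    nearest neighbour, or until the count of points with no reverse neighbour
    stops shrinking (assumed stopping rule; those points are outliers).
    i and j are natural neighbours when each is in the other's k-NN set.
    Returns (dict index -> set of natural-neighbour indices, final k)."""
    n = len(X)
    # Full pairwise distance matrix: acceptable for a minority class (O(n^2)).
    dist = np.linalg.norm(X[:, None, :] - X[None, :, :], axis=2)
    # Stable sort breaks ties deterministically; column 0 is the point itself.
    order = np.argsort(dist, axis=1, kind="stable")[:, 1:]
    rnn_count = np.zeros(n, dtype=int)   # how many points list i among their k-NN
    prev_zero, k = n, 0
    while k < n - 1:
        k += 1
        for i in range(n):
            rnn_count[order[i, k - 1]] += 1
        zero = int((rnn_count == 0).sum())
        if zero == 0 or zero == prev_zero:
            break
        prev_zero = zero
    knn = [set(order[i, :k].tolist()) for i in range(n)]
    nan = {i: {j for j in knn[i] if i in knn[j]} for i in range(n)}
    return nan, k

def nnoa_oversample(X_min, n_new, seed=0):
    """Synthesize n_new minority samples NNOA-style: pick a base sample that
    has natural neighbours, pick one of them, and add a random fraction of
    the difference between the two to the base sample."""
    rng = np.random.default_rng(seed)
    nan, _ = natural_neighbors(X_min)
    bases = [i for i in range(len(X_min)) if nan[i]]   # outliers never serve as bases
    if not bases:
        raise ValueError("no sample has a natural neighbour")
    out = np.empty((n_new, X_min.shape[1]))
    for r in range(n_new):
        i = rng.choice(bases)
        j = rng.choice(sorted(nan[i]))
        out[r] = X_min[i] + rng.random() * (X_min[j] - X_min[i])
    return out

# Constructed toy minority class: two tight clusters plus one isolated outlier.
X_MIN = np.array([[0, 0], [0, 1], [1, 0], [1, 1],
                  [10, 10], [10, 11], [11, 10], [11, 11],
                  [50, 50]], dtype=float)
```

On the toy data the search stops at k = 3, the outlier at index 8 ends up with no natural neighbours, and every synthetic sample lies inside the cluster its base sample came from.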