Multi-layer anomaly detection method based on network traffic

An anomaly detection and network traffic technology, applied in the field of network security, can solve the problem that the detection effect of the anomaly detection classifier cannot be well satisfied, the attack behavior of small traffic cannot be well identified, and the attack behavior cannot be detected well and other problems, to achieve the effect of improving classification accuracy, compact data, and reasonable selection of parameters

Active Publication Date: 2018-10-09
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

[0008] However, most existing research on intrusion detection is carried out on the KDD99 data set or the NSL_KDD data set. That data set was collected in 1998, and the network environment and attack methods of that time are outdated. An anomaly detection classifier trained on it cannot adequately model the modern network, nor can it detect current attack behavior well.
Moreover, existing intrusion detection methods cannot be migrated well to different data sets and are not general.
In detecting attack behavior, they can effectively identify high-traffic attacks such as DoS attacks, but cannot identify low-traffic attack behavior such as worms, U2R and R2L attacks.


Embodiment Construction

[0038] The present invention will be described in detail below with reference to the accompanying drawings and examples.

[0039] The invention provides a multi-layer anomaly detection method based on network traffic. The method combines linear discriminant analysis (LDA), a genetic algorithm, a KNN outlier detection algorithm and a random forest algorithm into a fused, self-adaptive method.

[0040] The invention is based on the benchmark data set KDD99, its improved version NSL_KDD, and the NUSW_NB15 data set, which better matches the modern network. NUSW_NB15 is a network anomaly detection data set released in 2015 that includes 9 new attack types, so it better reflects the traffic characteristics and attack methods of current networks.

[0041] The method of the invention can be divided into two aspects: data processing and anomaly detection. Data processing mainly uses LDA, genetic algorithm and KNN outlier det...


Abstract

The invention discloses a multi-layer anomaly detection method based on network traffic. The invention can detect low-traffic attack behavior well with high detection accuracy, and may adapt to different data sets. The invention comprises: first, in the data preprocessing stage, adopting a binary representation of symbolic attributes to eliminate the negative influence that the conventional numerical encoding has on classification, and raising the attribute set of the data set to a relatively high dimension, so that subsequent classification is more accurate; then using a dimension reduction method to extract features and reduce the amount of data, so that the subsequent steps run faster with lower memory consumption; subsequently, using a combination of the KNN outlier detection method and a genetic algorithm for data selection, so that the different classes of data are more balanced, each class is separated as far as possible, and the classification result is fairer; finally, using the constructed multi-layer classifier, thereby enabling more accurate identification of both high-traffic and low-traffic attacks.
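The data-processing stage described in the abstract, as an added Python illustration that is not the patent's own code: it interprets the "binary representation of symbolic attributes" as one-hot encoding, min-max scales the numeric attributes, scores each record by its mean distance to its k nearest neighbours (the KNN outlier step), and then selects data per class. The genetic-algorithm selection and the LDA dimension-reduction step are not reproduced; the per-class cap that keeps the least isolated records is a simplified stand-in and an assumption of this example. Field names and every sample row are constructed, loosely modelled on KDD99-style flow records.

```python
"""Data-processing stage of a multi-layer anomaly detector (added example).

Pure standard library: one-hot encoding of symbolic flow attributes, min-max
scaling of numeric ones, KNN outlier scoring, and outlier-guided per-class
data selection. Not the patent's implementation; see the lead-in for what is
assumed.
"""
from collections import defaultdict
from math import sqrt

SYMBOLIC = ("proto", "service", "flag")        # assumed symbolic attribute names
NUMERIC = ("src_bytes", "dst_bytes", "count")  # assumed numeric attribute names

# Constructed sample records (not real traffic). Two DoS rows are exact
# duplicates on purpose, to show that they collapse during selection.
RECORDS = [
    {"proto": "tcp",  "service": "http",   "flag": "SF", "src_bytes": 230,  "dst_bytes": 4800, "count": 5,   "label": "normal"},
    {"proto": "tcp",  "service": "http",   "flag": "SF", "src_bytes": 240,  "dst_bytes": 5100, "count": 4,   "label": "normal"},
    {"proto": "tcp",  "service": "http",   "flag": "SF", "src_bytes": 250,  "dst_bytes": 5000, "count": 6,   "label": "normal"},
    {"proto": "udp",  "service": "domain", "flag": "SF", "src_bytes": 45,   "dst_bytes": 120,  "count": 2,   "label": "normal"},
    {"proto": "icmp", "service": "ecr_i",  "flag": "SF", "src_bytes": 1032, "dst_bytes": 0,    "count": 511, "label": "dos"},
    {"proto": "icmp", "service": "ecr_i",  "flag": "SF", "src_bytes": 1032, "dst_bytes": 0,    "count": 511, "label": "dos"},
    {"proto": "icmp", "service": "ecr_i",  "flag": "SF", "src_bytes": 1032, "dst_bytes": 0,    "count": 510, "label": "dos"},
    {"proto": "icmp", "service": "ecr_i",  "flag": "SF", "src_bytes": 1032, "dst_bytes": 0,    "count": 509, "label": "dos"},
    {"proto": "tcp",  "service": "ftp",    "flag": "SF", "src_bytes": 300,  "dst_bytes": 900,  "count": 1,   "label": "r2l"},
    {"proto": "tcp",  "service": "telnet", "flag": "SF", "src_bytes": 120,  "dst_bytes": 2000, "count": 1,   "label": "u2r"},
]


def build_vocab(records, keys):
    """Sorted category list per symbolic attribute, so the encoding is deterministic."""
    return {k: sorted({r[k] for r in records}) for k in keys}


def numeric_ranges(records, keys):
    """(min, max) per numeric attribute, used for min-max scaling."""
    return {k: (min(r[k] for r in records), max(r[k] for r in records)) for k in keys}


def encode(record, vocab, ranges):
    """One-hot the symbolic attributes, min-max scale the numeric ones.

    One-hot removes the false ordering that integer codes (tcp=0, udp=1,
    icmp=2) would impose on any distance-based method downstream; this is the
    'binary representation' of the abstract, interpreted as one-hot.
    """
    vec = []
    for k in SYMBOLIC:
        vec.extend(1.0 if record[k] == cat else 0.0 for cat in vocab[k])
    for k in NUMERIC:
        lo, hi = ranges[k]
        vec.append(0.0 if hi == lo else (record[k] - lo) / (hi - lo))
    return vec


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def dedupe(records, vectors):
    """Drop records whose encoded vector was already seen (compacts the data)."""
    seen, out = set(), []
    for r, v in zip(records, vectors):
        key = tuple(v)
        if key not in seen:
            seen.add(key)
            out.append((r, v))
    return out


def knn_outlier_scores(vectors, k):
    """Score = mean distance to the k nearest other points; larger = more isolated."""
    scores = []
    for i, v in enumerate(vectors):
        dists = sorted(euclid(v, w) for j, w in enumerate(vectors) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores


def select_balanced(records, scores, cap):
    """Keep at most `cap` records per class, preferring the least isolated ones.

    Assumption of this example: a simple stand-in for the patent's genetic
    algorithm selection. Over-represented classes are thinned to their most
    representative rows; rare classes (here r2l, u2r) are kept whole, which is
    the balancing effect the abstract aims for.
    """
    by_class = defaultdict(list)
    for r, s in zip(records, scores):
        by_class[r["label"]].append((s, r))
    kept = []
    for items in by_class.values():
        items.sort(key=lambda t: t[0])
        kept.extend(r for _, r in items[:cap])
    return kept


def process(records, k=2, cap=2):
    """Run encode -> dedupe -> KNN outlier scoring -> per-class selection."""
    vocab = build_vocab(records, SYMBOLIC)
    ranges = numeric_ranges(records, NUMERIC)
    uniq = dedupe(records, [encode(r, vocab, ranges) for r in records])
    recs = [r for r, _ in uniq]
    vecs = [v for _, v in uniq]
    scores = knn_outlier_scores(vecs, k)
    return recs, vecs, scores, select_balanced(recs, scores, cap)


if __name__ == "__main__":
    recs, vecs, scores, kept = process(RECORDS)
    for r, s in zip(recs, scores):
        print(f"{r['label']:7s} {r['proto']:5s} {r['service']:7s} outlier={s:.3f}")
    print("kept per class:", {lbl: sum(1 for r in kept if r["label"] == lbl) for lbl in sorted({r["label"] for r in kept})})
```

With the constructed rows the encoded vector has 12 dimensions (3 protocols + 5 services + 1 flag + 3 numerics), the duplicated DoS row disappears, the tightly clustered DoS rows score near zero while the lone U2R row scores high because its unique service alone puts it at one-hot distance sqrt(2) from everything else, and the selection keeps two normal, two DoS and both rare-class rows.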

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a multi-layer anomaly detection method based on network traffic.

Background technique

[0002] The continuous development of network technology, produced by the combination of computer technology and communication technology, has had a great impact on people's study and lifestyle. While the growth of the network brings convenience, it also brings great threats. Various attacks (0-day attacks, worms, network viruses, etc.) continue to occur, causing huge economic losses to the country and its people. Network security is therefore an important problem that must be solved urgently. Network intrusion detection technology judges whether network behavior is abnormal based on network traffic, and is an important detection technology in the field of network security. Currently, intrusion detection techniques are mainly divided into t...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1416
Inventor: 胡昌振, 任家东, 王倩, 刘新倩, 单纯, 赵小林
Owner: BEIJING INSTITUTE OF TECHNOLOGY