
Traffic anomaly detection method based on fundamental point classification by factor space background basis

To address the problems that machine-learning-based traffic anomaly detection relies on experience for feature selection and is poorly robust because it is easily affected by outliers, a fundamental point classification method for traffic anomaly detection is proposed, based on the "background relation-background distribution-background basis" system of factor space theory. First, in the data preprocessing stage, the KNN outlier detection algorithm is used to remove outliers from the data, reducing their influence on the subsequent background basis extraction. Second, the mRMR algorithm is used to rank the data features, and the features most influential for classification are marked as class-distinguishing features. Then, the background basis extraction algorithm is optimized on the theoretical basis of the interior point discriminant method, the background bases of the different classes in the training data are extracted, and the unit cognition package of each class is obtained. Finally, a fundamental point classification algorithm (FPCA) is constructed around the unit cognition packages to achieve accurate binary classification of anomalous traffic. In binary classification experiments on the NSL-KDD dataset, the proposed method reaches an accuracy of 92.48% and an F1-score of 92.18%, and its detection performance is better than that of other machine learning methods of the same type. Tests on the CICIDS2017 scenario dataset further verify the feasibility of the proposed method in practical applications.

Keywords: factor space; background basis; fundamental point classification; anomaly detection

Chen Wanzhi (陈万志), Ren Pengjiang (任鹏江), Wang Tianyuan (王天元)


School of Software, Liaoning Technical University, Huludao 125105

State Grid Liaoning Electric Power Co., Ltd., Yingkou 115005


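National Key Research and Development Program of China (2018YFB1403303); Scientific Research Fund for Universities of the Liaoning Provincial Department of Education (2021LJKZ0327)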

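Journal of Electronic Measurement and Instrumentation (电子测量与仪器学报)
Chinese Institute of Electronics

Indexed in: CSTPCD, Peking University Core Journals
Impact factor: 2.52
ISSN: 1000-7105
Year, volume (issue): 2024, 38(6)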