基于深度学习的网络流量异常检测  被引量：11

作　　者：杨月麟 毕宗泽 YANG Yue-lin;BI Zong-ze(School of Software Engineering,University of Science and Technology of China,Hefei 230022,China)

机构地区：[1]中国科学技术大学软件学院,合肥230022

出　　处：《计算机科学》2021年第S02期540-546,共7页Computer Science

摘　　要：为了解决网络流量数据的远程依赖性及数据集样本不平衡导致的长尾效应等问题,文中基于视觉Transformer提出一种网络流量异常检测模型,将多头自注意力引入残差网络,通过Feature Embedding将输入的稀疏高维度特征转化为稠密低维度特征,并加入二维相对位置编码,实现对流量数据位置全局感知,解决网络流量数据的远程依赖性。视觉Transformer模块包括编码器与解码器,编码器由N个相同的层堆叠组成,每层包括一个多头卷积自注意力层和一个二维卷积前馈网络,解码器在每层中插入一个查询自注意力的附加层,得到合成的流量特征图。同时提出深度自适应特征学习算法,通过半监督学习缓解数据分布不平衡导致的长尾效应问题,根据模型对无标签数据中尾部类别数据识别精确率高的特点,在无标签数据中挑选预测类别为尾部类别的样本加入到已标记集合,通过引入尾部类别样本缓解类别不平衡问题。使用CIC-IDS-2017网络入侵检测数据集进行实验评估。通过对比实验证明,模型的尾部样本检测准确率高于其他深度学习模型在提高检测性能的同时减少了检测时间,在网络流量异常检测领域具备实际应用价值。This paper proposes a novel and general end-to-end convolutional transformer network for modeling the long-range spatial and temporal dependence on network anomaly detection.The core ingredient of the proposed model is the feature embedding module by just replacing the spatial convolutions with proposed global self-attention in the final three bottleneck blocks of a ResNet,and the multi-head convolutional self-attention layer in encoder and decoder,which learns the sequential dependence of network traffic data.Our model uses an encoder,built upon multi-head convolutional self-attention layers,to map the input sequence to a feature map sequence,and then another deep networks,incorporating multi-head convolutional self-attention layers,decode the target synthesized feature map from the feature maps sequence.We also present a class-rebalancing self-training framework to alleviate the long tail effect caused by the imbalance of data distribution through semi-supervised learning,which is motivated by the observation that existing SSL algorithms produce high precision pseudo-labels on minority classes.The algorithm iteratively retrains a baseline SSL model with a labeled set expanded by adding pseudo-labeled samples from an unlabeled set,where pseudo-labeled samples from minority classes are selected more frequently according to an estimated class distribution.In this paper,CIC-IDS-2017 datasets is used for experimental evaluation.The experiments shows that the accuracy of our model is higher than that of other deep learning models,which improves detection performance while reducing detection time,and has practical application value in the field of network traffic anomaly detection.

关 键 词：深度学习 异常检测 注意力 类别再平衡 残差网络 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]