基于iForest和LOF的流量异常检测  被引量：8

作　　者：杭菲璐 郭威 陈何雄 张振红 易东阳 Hang Feilu;Guo Wei;Chen Hexiong;Zhang Zhenhong;Yi Dongyang(Information Center,Yunnan Power Grid Co.,Ltd.,Kunming 650034,China;Network&Data Security Key Laboratory of Sichuan Province,University of Electronic Science&Technology of China,Chengdu 610054,China)

机构地区：[1]云南电网有限责任公司信息中心,昆明650034 [2]电子科技大学网络与数据安全四川省重点实验室,成都610054

出　　处：《计算机应用研究》2022年第10期3119-3123,共5页Application Research of Computers

基　　金：国家自然科学基金资助项目(62072074,62076054,62027827,61902054,62002047);国家重点研发计划前沿科技创新专项资助项目(2019QY1405);四川省科技创新基地(平台)和人才计划资助项目(2020JDJQ0020);四川省科技支撑计划资助项目(2020YFSY0010)。

摘　　要：异常检测在现代大规模分布式系统的安全管理中起着重要作用,而网络流量异常检测则是组成异常检测系统的重要工具。网络流量异常检测的目的是找到和大多数流量数据不同的流量,并将这些离群点视为异常。由于现有的基于树分离的孤立森林(iForest)检测方法存在不能检测出局部异常的缺陷,为了克服这个缺陷,提出一种基于iForest和局部离群因子(LOF)近邻集成的无监督的流量异常检测方法。首先,改进原始的iForest与LOF算法,在提升检测精度的同时控制算法时间;然后分别使用两种改进算法进行检测,并将结果进行融合以得到最终的检测结果;最后在自制数据集上对所提方法进行有效性验证。实验结果表明,所提方法能够有效地隔离出异常,获得良好的流量异常检测效果。Network traffic anomaly detection is an important tool of anomaly detection system.The purpose of network traffic anomaly detection is to find the data different from most data in the traffic log,and treat these outliers as exceptions.The exis-ting isolation forest(iForest)method based on tree separation has a defect:which cannot detect local anomalies.In order to overcome the defect,this paper proposed an unsupervised traffic anomaly detection method based on iForest and LOF nearest neighbor integration.Firstly,it improved the original iForest and LOF algorithms to enhance the detection accuracy and control the algorithm time.Then,it used the two improved algorithms to detect,and fused the results of two algorithms to get the final detection result.Finally,this paper validated this method on the self-made dataset.Experimental results show that the proposed method can effectively isolate anomalies,and obtain good traffic anomaly detection effect.

关 键 词：流量异常检测 大规模多维数据 孤立森林 特征离群系数 局部离群因子 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]