Adaptive and augmented active anomaly detection on dynamic network traffic streams  

作　　者：Bin LI Yijie WANG Li CHENG 

机构地区：[1]National Key Laboratory of Parallel and Distributed Computing,College of Computer,National University of Defense Technology,Changsha 410073,China [2]College of System Engineering,National University of Defense Technology,Changsha 410073,China

出　　处：《Frontiers of Information Technology & Electronic Engineering》2024年第3期446-460,共15页信息与电子工程前沿（英文版）

基　　金：Project supported by the National Science and Technology Major Project(No.2022ZD0115302);the National Natural Science Foundation of China(No.61379052);the Science Foundation of Ministry of Education of China(No.2018A02002);the Natural Science Foundation for Distinguished Young Scholars of Hunan Province,China(No.14JJ1026)。

摘　　要：Active anomaly detection queries labels of sampled instances and uses them to incrementally update the detection model,and has been widely adopted in detecting network attacks.However,existing methods cannot achieve desirable performance on dynamic network traffic streams because(1)their query strategies cannot sample informative instances to make the detection model adapt to the evolving stream and(2)their model updating relies on limited query instances only and fails to leverage the enormous unlabeled instances on streams.To address these issues,we propose an active tree based model,adaptive and augmented active prior-knowledge forest(A3PF),for anomaly detection on network trafic streams.A prior-knowledge forest is constructed using prior knowledge of network attacks to find feature subspaces that better distinguish network anomalies from normal traffic.On one hand,to make the model adapt to the evolving stream,a novel adaptive query strategy is designed to sample informative instances from two aspects:the changes in dynamic data distribution and the uncertainty of anomalies.On the other hand,based on the similarity of instances in the neighborhood,we devise an augmented update method to generate pseudo labels for the unlabeled neighbors of query instances,which enables usage of the enormous unlabeled instances during model updating.Extensive experiments on two benchmarks,CIC-IDS2017 and UNSW-NB15,demonstrate that A3PF achieves significant improvements over previous active methods in terms of the area under the receiver operating characteristic curve(AUC-ROC)(20.9%and 21.5%)and the area under the precision-recall curve(AUC-PR)(44.6%and 64.1%).

关 键 词：Active anomaly detection Network traffic streams Pseudo labels Prior knowledge of network attacks 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]