
A Probabilistic Flow Sampling Method for Traffic Anomaly Detection

Shuqin DONG,
Bin ZHANG
1. Information Engineering University, Zhengzhou 450001, China
2. Henan Key Laboratory of Information Security, Zhengzhou 450001, China
Funds: The Foundation and Frontier Technology Research Project of Henan Province (142300413201), The New Research Direction Cultivation Fund of Information Engineering University (2016604703)

Details
About the authors: Shuqin DONG, male, born 1990, PhD candidate; research interest: network security situation awareness
Bin ZHANG, male, born 1969, professor and doctoral supervisor; research interest: cyberspace security
Corresponding author: Shuqin DONG, dongshuqin377@126.com
CLC number: TP393

Publication history

Received: 2018-06-28
Revised: 2019-01-15
Published online: 2019-01-28
Issue date: 2019-06-01



Abstract

Abstract: Network traffic anomaly detection datasets built with probabilistic sampling suffer from two problems: the sampling cannot serve large flows and small flows at the same time, and flash crowds are not distinguished from traffic attacks. This paper proposes a probabilistic flow sampling method for traffic anomaly detection. Data flows are first classified by destination and source IP address; the sampling rate of each class is defined as the maximum of the sampling rates of its destination and source IP addresses, and the number of flows drawn from each class is rounded up, so that every class is sampled at least once and the sampled dataset preserves the distribution of the original traffic over large and small flows and over source and destination IP addresses. The source IP address entropy is then used to characterize the source-IP dispersion of anomalous flows, and an attack flow sampling algorithm based on a source IP address entropy threshold reduces the sampling probability of non-attack anomalous flows caused by flash crowds. Simulation results show that the method satisfies the sampling requirements of large and small flows simultaneously, samples anomalous flows effectively, captures all suspicious source and destination IP addresses associated with anomalous flows, and filters out non-attack anomalous flows during sampling.
Key words: Network traffic / Anomaly detection / Flow sampling / Probabilistic sampling
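The sampling scheme the abstract describes can be followed end to end on constructed flow records. The code below is an added illustration, not the authors' implementation or their simulation data. It keeps the two steps the abstract fixes (class rate = max of destination and source address rates, per-class sample count rounded up so each class is drawn at least once; a source-IP entropy threshold applied to anomalous destinations) and fills in what the abstract leaves open as labelled assumptions: a per-address rate equal to that address's share of all flows, a volume test for "anomalous" destinations, a threshold of 6 bits with high entropy read as attack-like spoofed sources, and a damping factor of 0.1 for flash-crowd classes. The flow list, the address ranges and every constant are constructed for the example.

```python
import math
from collections import Counter, defaultdict
from random import Random


def build_flows():
    """Constructed flow records (src_ip, dst_ip); not data from the paper."""
    flows = []
    # Spoofed-source flood on one victim: 200 distinct sources, 2 flows each.
    for i in range(200):
        flows += [(f"10.0.0.{i}", "198.51.100.1")] * 2
    # Flash crowd on a second server: 20 legitimate clients, 30 flows each.
    for j in range(20):
        flows += [(f"172.16.0.{j}", "198.51.100.2")] * 30
    # Ordinary bulk traffic (large flows): 5 clients, 10 flows each.
    for k in range(5):
        flows += [(f"192.168.1.{k}", "198.51.100.3")] * 10
    # Small flows: one flow each to five separate destinations.
    for m in range(5):
        flows.append((f"192.168.2.{m}", f"203.0.113.{m}"))
    return flows


def address_rates(flows):
    """Per-address sampling rate, assumed here to be the address's share of all flows."""
    n = len(flows)
    src_count = Counter(s for s, _ in flows)
    dst_count = Counter(d for _, d in flows)
    return ({a: c / n for a, c in src_count.items()},
            {a: c / n for a, c in dst_count.items()})


def class_sample_counts(flows, rate_scale=None):
    """Group flows into (dst, src) classes. Class rate = max(dst rate, src rate),
    sample count = ceil(rate * class size), so every class is drawn at least once.
    rate_scale: optional per-destination multiplier on the class rate (see below)."""
    src_rate, dst_rate = address_rates(flows)
    classes = defaultdict(list)
    for s, d in flows:
        classes[(d, s)].append((s, d))
    counts = {}
    for (d, s), members in classes.items():
        rate = max(dst_rate[d], src_rate[s])
        if rate_scale:
            rate *= rate_scale.get(d, 1.0)
        counts[(d, s)] = min(len(members), math.ceil(rate * len(members)))
    return classes, counts


def sample_flows(flows, rate_scale=None, seed=0):
    """Draw the rounded-up number of flows from each class without replacement."""
    rng = Random(seed)
    classes, counts = class_sample_counts(flows, rate_scale)
    sampled = []
    for key, members in classes.items():
        sampled += rng.sample(members, counts[key])
    return sampled


def source_ip_entropy(flows, dst):
    """Shannon entropy (bits) of the source-IP distribution of flows to dst."""
    srcs = Counter(s for s, d in flows if d == dst)
    total = sum(srcs.values())
    return -sum(c / total * math.log2(c / total) for c in srcs.values())


def attack_scale_factors(flows, volume_factor=2.0, entropy_threshold=6.0, damp=0.1):
    """Destinations receiving more than volume_factor x the mean flow count are
    treated as anomalous. Anomalous destinations whose source-IP entropy is at or
    below entropy_threshold are taken to be flash crowds and their class rates are
    multiplied by damp; those above it keep full attack-flow sampling.
    The threshold direction and all three constants are assumptions of this example."""
    dst_count = Counter(d for _, d in flows)
    mean = len(flows) / len(dst_count)
    scale = {}
    for d, c in dst_count.items():
        if c > volume_factor * mean and source_ip_entropy(flows, d) <= entropy_threshold:
            scale[d] = damp
    return scale


if __name__ == "__main__":
    flows = build_flows()
    scale = attack_scale_factors(flows)
    for d in sorted({d for _, d in flows}):
        print(f"{d}: H_src={source_ip_entropy(flows, d):.2f} bits, scale={scale.get(d, 1.0)}")
    print("sampled without entropy filter:", len(sample_flows(flows)))
    print("sampled with entropy filter:   ", len(sample_flows(flows, scale)))
```

On the constructed input the flood destination has source entropy log2(200) and is kept at full rate, the flash-crowd destination has entropy log2(20) and is damped, and every (dst, src) class, including the five single-flow classes, still contributes at least one sampled flow.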



Full-text PDF:

https://jeit.ac.cn/article/exportPdf?id=43b71c1f-cf64-454f-9e06-cc234a4aafb4