
Research on Network Anomaly Detection Technology Based on Adaptive Flow Sampling Measurement (original title: 基于自适应流抽样测量的网络异常检测技术研究)

【Author】 Guo Tong (郭通)

【Supervisor】 Lan Julong (兰巨龙)

【Author information】 PLA Information Engineering University (解放军信息工程大学), Military Information Science, 2013, PhD

【Abstract (translated from the Chinese)】 In recent years, with the continued growth in the number of Internet users and the rapid deployment of new network applications, traffic-based attacks against networks have become an increasingly serious threat: distributed denial-of-service (DDoS) attacks, botnets and worms occur frequently and severely disrupt normal network operation. Sensing abnormal network behavior promptly and handling it quickly in high-speed network environments is therefore important for keeping networks running effectively and for making service delivery more robust. This dissertation is supported by the major National 973 Program project "Research on Reconfigurable Information Communication Basic Network System"; in line with that project's need for accurate sensing of abnormal events, it takes data obtained by sampling measurement on high-speed networks as its basis and focuses on techniques for detecting and identifying anomalous traffic. Since traffic prediction models can infer the dynamic trend of network traffic behavior reasonably and accurately on different time scales, the dissertation combines traffic prediction with machine learning: coarse detection of anomalous traffic is first performed by prediction on multiple time scales, and the traffic that coarse detection judges normal is then re-examined by machine-learning-based fine detection, so that abnormal behavior is sensed accurately. The main contributions are as follows.

1. Existing sampling methods concentrate on preserving flow statistics and neglect traffic feature information. A feature-aware adaptive flow sampling (AFS) algorithm is proposed that combines adaptive sampling with late (post-hoc) sampling so that sampling probabilities can be corrected to minimize distortion of the traffic feature distribution. Flows are selected according to the magnitude of their feature moments, so redundant large flows can be ignored while small flows, which matter most for anomaly detection, are retained. Compared with random flow sampling, AFS reduces the information loss introduced by sampling and improves the system's anomaly detection capability.

2. By analyzing the statistical properties of normal and anomalous traffic in the fractional Fourier transform (FrFT) domain, it is shown that real network traffic is self-similar in the FrFT domain. For the "time-domain" and "frequency-domain" expansions of traffic in the FrFT domain, a Hurst exponent estimator based on modified ensemble empirical mode decomposition with detrended fluctuation analysis (MEEMD-DFA) and an adaptive Hurst estimator based on one-dimensional weighted least-squares regression (WLSR) are given and applied to fractional Gaussian noise and real traffic data. Simulation results show that MEEMD-DFA is more accurate than existing estimators but computationally expensive, whereas the FrFT adaptive estimator is more robust and cheaper, so it can serve as a real-time online Hurst exponent estimator for real traffic data.

3. For the self-similarity that traffic exhibits on large time scales, a prediction model based on MEEMD and a radial basis function neural network trained by adaptive fractional-order particle swarm optimization (AFOPSO-RBFNN) is proposed. The traffic sequence is first decomposed by MEEMD, each resulting intrinsic mode function component is predicted by the AFOPSO-RBF network, and the component predictions are combined to give the final forecast. Results on real traffic show lower computational complexity and higher prediction accuracy than EMD with autoregressive moving average (ARMA), EMD with support vector machines (SVM), and EEMD with artificial neural networks (ANN).

4. For the high-dimensional nonlinearity of traffic on small time scales, a quantum neural network (QNN) model built from quantum bits, universal quantum gates and quantum weights is proposed. To speed up convergence and avoid local optima, a learning algorithm based on a modified Polak-Ribière-Polyak conjugate gradient (MPRPCG) method is given and its global convergence is proved. Prediction results on small-time-scale traffic show higher accuracy and lower complexity than local support vector machine regression (LSVMR) and the flexible neural tree (FNT), and better convergence speed and robustness than BP networks and the quantum weighted neural network.

5. Because the feature subset used for anomaly detection in a machine-learning task is hard to determine, an anomaly detection model based on normalized mutual information feature selection (NMIFS) and a quantum wavelet neural network (QWNN) is proposed. NMIFS first selects the best feature combination from the given sample feature set, reducing the dimensionality of high-dimensional feature data; in the training phase the selected feature vectors are passed to the QWNN classifier to build the detection model, and in the detection phase data is fed into that model, which outputs the detection result. To balance empirical risk and confidence risk, the QWNN classifier is trained with a structural-risk-minimization extreme learning machine (SRM-ELM) algorithm. Experiments on real anomaly data show that NMIFS-QWNN has higher detection accuracy and a lower false-negative rate than commonly used detection methods, with low algorithmic complexity; its detection accuracy reaches 95.8%.

Finally, an anomaly detection scheme combining prediction-based coarse detection with machine-learning-based fine detection is proposed and validated on synthetic data and on real backbone traffic; the detection accuracy of the proposed scheme reaches 96.9%.

【Abstract】 Network anomaly detection, which builds a model of normal network traffic behavior in order to detect abnormal behavior, is an important means of intrusion detection. In recent years, with the continued growth of the number of Internet users and the rapid deployment of new network applications, the threat of attacks against network traffic has become increasingly serious: distributed denial of service (DDoS) attacks, botnets and worm attacks occur frequently and cause great harm to the normal operation of the network. Timely perception and fast handling of anomalous network behavior in high-speed network environments is therefore of great significance for ensuring effective network operation and improving the robustness of service provision. Combined with the fundamental research task of accurately identifying abnormal events in the project "Research on Reconfigurable Information Communication Basic Network System" of the National Priority Basic Research and Development Program of China (973 Program), this dissertation primarily discusses how to better detect network traffic anomalies from measurements on high-speed backbone links. Since a traffic prediction model can make reasonably accurate inferences about the dynamic trend of network traffic behavior on different time scales, the dissertation achieves accurate perception of abnormal behavior by combining traffic prediction with machine learning. First, coarse detection of traffic anomalies is performed through prediction on multiple time scales. Then, to catch anomalies that the coarse stage passes as normal, machine learning is used for fine detection of the traffic judged normal by the coarse detection module. The main research contents are as follows.

1. Aiming at the deficiencies of existing common sampling methods, a feature-aware adaptive flow sampling (AFS) algorithm is proposed. By combining adaptive sampling with late sampling, the algorithm corrects the sampling probability to minimize distortion of the traffic feature distribution. Flows are selected according to the size of their feature moments, so the algorithm can ignore redundant flows and focus on the small flows that play an important role in anomaly detection. Compared with random flow sampling, AFS reduces the information loss caused by sampling and improves the anomaly detection capability of the system.

2. The statistical characteristics of network traffic data in the fractional Fourier transform (FrFT) domain are analyzed and shown to exhibit self-similarity. Hurst parameter estimation methods based on modified ensemble empirical mode decomposition with detrended fluctuation analysis (MEEMD-DFA) and on an adaptive estimator with weighted least squares regression (WLSR) are then presented, aimed respectively at the "time" and "frequency" representations of traffic in the FrFT domain. Experimental results demonstrate that MEEMD-DFA estimates more accurately, but at higher computational complexity, than existing common methods, while the adaptive estimator is more robust than the other six methods in simulation and has lower computational complexity, so it can be used as a real-time online Hurst parameter estimator for traffic data.

3. Aiming at the self-similarity of network traffic on large time scales, a traffic forecasting model based on modified ensemble empirical mode decomposition (MEEMD) and a radial basis function neural network trained by adaptive fractional particle swarm optimization (AFOPSO-RBFNN) is presented. The MEEMD method first decomposes the traffic sequence into intrinsic mode function (IMF) components; the AFOPSO-RBFNN then forecasts each IMF component; finally, the prediction value is obtained by combining the predictions of all components. Forecast results on real network traffic show lower computational complexity and higher prediction accuracy than EMD with autoregressive moving average (ARMA), EMD with support vector machines (SVM), and EEMD with artificial neural networks (ANN).

4. Aiming at the high-dimensional nonlinear behavior of network traffic on small time scales, a novel quantum neural network (QNN) model composed of quantum bits, universal quantum gates and quantum weights is presented. To accelerate convergence and prevent the algorithm from falling into local optima, a learning algorithm based on a modified descent Polak-Ribière-Polyak conjugate gradient (MPRPCG) method is given, and its global convergence is proved. Forecasting results on real small-time-scale traffic demonstrate lower computational complexity and higher prediction precision than the flexible neural tree (FNT) and local support vector machine regression (LSVMR); compared with the BP neural network and the quantum weighted neural network, the convergence and robustness of the proposed method are also superior.

5. Aiming at the difficulty of determining the feature subset used to detect anomalies in a machine learning task, an anomaly detection model based on normalized mutual information feature selection (NMIFS) and a quantum wavelet neural network (QWNN) is presented. To reduce the dimensionality of high-dimensional feature data, NMIFS first selects the best feature combination from a given set of sample features. In the training phase, the selected feature vectors are passed to the QWNN classifier for learning, yielding the anomaly detection model; in the detection phase, data is fed into the established model, which outputs the detection result. Considering empirical risk and confidence risk together, the QWNN classifier uses the structural risk minimization extreme learning machine (SRM-ELM) learning algorithm. Experimental results on real anomaly data demonstrate that NMIFS-QWNN has higher detection accuracy and a lower false negative rate than existing common anomaly detection methods; the complexity of the algorithm is low and its detection accuracy reaches 95.8%.

Finally, an anomaly detection scheme consisting of coarse detection based on traffic prediction and fine detection based on machine learning is proposed. Experimental results on synthetic data and real backbone traffic data show that the detection accuracy of the proposed scheme reaches more than 96.9%.
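Both abstracts rest on the Hurst exponent as the measure of traffic self-similarity (contribution 2) and describe MEEMD-DFA and a WLSR-based estimator for it. The following is an added example, not code from the dissertation: it implements the plain detrended fluctuation analysis (DFA) step that MEEMD-DFA builds on, without the EMD decomposition or the FrFT, which are left out here by assumption, and checks it on two constructed series whose exponents are known in advance, white noise (alpha = H = 0.5) and its cumulative sum (alpha = 1.5). Function names, the box-size range and the constructed inputs are this example's own choices.

```python
import math
import random


def _linear_fit(xs, ys):
    """Ordinary least-squares fit y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def dfa_fluctuation(series, box_size):
    """Root-mean-square fluctuation F(n) of the integrated (cumulative,
    mean-removed) series after subtracting a linear trend from each
    non-overlapping box of length n."""
    mean = sum(series) / len(series)
    profile, acc = [], 0.0
    for v in series:
        acc += v - mean
        profile.append(acc)
    n_boxes = len(profile) // box_size
    xs = list(range(box_size))
    total = 0.0
    for k in range(n_boxes):
        seg = profile[k * box_size:(k + 1) * box_size]
        a, b = _linear_fit(xs, seg)
        total += sum((y - (a + b * x)) ** 2 for x, y in zip(xs, seg))
    return math.sqrt(total / (n_boxes * box_size))


def dfa_exponent(series, box_sizes=(8, 16, 32, 64, 128, 256)):
    """DFA scaling exponent alpha: slope of log F(n) against log n.
    For fractional Gaussian noise alpha equals the Hurst exponent H;
    for its integral (fractional Brownian motion) alpha = H + 1."""
    logs_n = [math.log(n) for n in box_sizes]
    logs_f = [math.log(dfa_fluctuation(series, n)) for n in box_sizes]
    _, slope = _linear_fit(logs_n, logs_f)
    return slope


def white_noise(length=8192, seed=1):
    """Constructed sample input: i.i.d. Gaussian samples (H = 0.5)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(length)]


def random_walk(length=8192, seed=1):
    """Constructed sample input: cumulative sum of white noise (alpha = 1.5)."""
    out, acc = [], 0.0
    for v in white_noise(length, seed):
        acc += v
        out.append(acc)
    return out


if __name__ == "__main__":
    print("white noise alpha =", round(dfa_exponent(white_noise()), 3))
    print("random walk alpha =", round(dfa_exponent(random_walk()), 3))
```

The exponent depends on the box-size range used for the log-log fit, so any H reported for a traffic trace should state that range; the dissertation's MEEMD step exists precisely to remove trends that would otherwise bias this slope.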
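Contribution 3 and the final scheme describe coarse detection as prediction followed by a check of how far observed traffic departs from the prediction. The block below is an added illustration of that stage, not the dissertation's own code: a least-squares AR(2) predictor stands in for the MEEMD and AFOPSO-RBFNN model (an assumption made to keep the example self-contained), one-step residuals are thresholded with a median/MAD band fitted on a clean training window, and the indices the stage passes as normal are returned separately because they are exactly what the fine stage would inspect. The traffic series is constructed, with a flood-like surge injected at minutes 450 to 459; all names and parameters are the example's own.

```python
import math
import random
import statistics


def fit_ar2(series):
    """Least-squares AR(2) fit on a mean-centred series. Returns (mean, a, b)
    so that x[t] ~ mean + a*(x[t-1]-mean) + b*(x[t-2]-mean)."""
    mean = sum(series) / len(series)
    y = [v - mean for v in series]
    s11 = s12 = s22 = s1y = s2y = 0.0
    for t in range(2, len(y)):
        s11 += y[t - 1] ** 2
        s22 += y[t - 2] ** 2
        s12 += y[t - 1] * y[t - 2]
        s1y += y[t - 1] * y[t]
        s2y += y[t - 2] * y[t]
    det = s11 * s22 - s12 ** 2
    a = (s1y * s22 - s2y * s12) / det
    b = (s11 * s2y - s12 * s1y) / det
    return mean, a, b


def residuals(series, model, start):
    """One-step-ahead prediction residuals, keyed by time index, for t >= start."""
    mean, a, b = model
    out = {}
    for t in range(max(start, 2), len(series)):
        pred = mean + a * (series[t - 1] - mean) + b * (series[t - 2] - mean)
        out[t] = series[t] - pred
    return out


def mad_threshold(values, k=5.0):
    """Robust band: median of the residuals and k scaled-MAD units around it."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return med, k * 1.4826 * mad


def coarse_detect(series, train_len, k=5.0):
    """Stage 1: fit the predictor on the first train_len samples, then flag
    later samples whose residual leaves the robust band. Returns (flagged,
    passed): flagged indices go to the operator, passed indices are what the
    fine stage would examine next."""
    model = fit_ar2(series[:train_len])
    train_res = list(residuals(series[:train_len], model, 2).values())
    med, band = mad_threshold(train_res, k)
    flagged, passed = [], []
    for t, r in residuals(series, model, train_len).items():
        (flagged if abs(r - med) > band else passed).append(t)
    return flagged, passed


def make_traffic(length=600, surge=(450, 460), seed=3):
    """Constructed sample input: per-minute byte counts with a 240-minute
    cycle, Gaussian jitter, and a flood-like surge over [surge[0], surge[1])."""
    rng = random.Random(seed)
    series = []
    for t in range(length):
        v = 1000.0 + 300.0 * math.sin(2 * math.pi * t / 240) + rng.gauss(0.0, 20.0)
        if surge[0] <= t < surge[1]:
            v += 1500.0
        series.append(v)
    return series


if __name__ == "__main__":
    flagged, passed = coarse_detect(make_traffic(), train_len=400)
    print("flagged minutes:", flagged)
    print("passed to fine stage:", len(passed), "minutes")
```

One-step residuals react to a change in level, so a sustained flood is flagged at its onset and at its end while the plateau in between is predicted well from its own recent values and passes. The passed set is therefore not a clean bill of health, which is the gap the machine-learning fine stage in the abstract is there to close.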
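Contribution 5 reduces the flow-feature set with normalized mutual information feature selection before the classifier is trained. The following is an added example rather than the dissertation's implementation: it applies the greedy NMIFS criterion as commonly stated in the feature-selection literature, relevance I(C; f) minus the mean normalized mutual information between f and the features already chosen, with normalization by the smaller of the two entropies; that the dissertation uses exactly this form is an assumption. The flow table is constructed so that one feature is an exact copy of another in different units, which is the redundancy the criterion is meant to reject; feature names and the data generator are the example's own.

```python
import math
import random
from collections import Counter


def entropy(values):
    """Shannon entropy in bits of a discrete sample."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def mutual_information(xs, ys):
    """I(X;Y) = H(X) + H(Y) - H(X,Y) over paired discrete samples."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))


def normalized_mi(xs, ys):
    """NI(X;Y) = I(X;Y) / min(H(X), H(Y)) in [0, 1]; 1 means one feature
    is a function of the other, i.e. fully redundant."""
    denom = min(entropy(xs), entropy(ys))
    return mutual_information(xs, ys) / denom if denom > 0 else 0.0


def nmifs(rows, features, label, k):
    """Greedy NMIFS: repeatedly add the feature maximizing
    I(C;f) - mean over selected s of NI(f;s)."""
    def column(name):
        return [r[name] for r in rows]

    labels = column(label)
    relevance = {f: mutual_information(column(f), labels) for f in features}
    selected, remaining = [], list(features)
    while remaining and len(selected) < k:
        best, best_score = None, None
        for f in remaining:
            redundancy = 0.0
            if selected:
                redundancy = sum(normalized_mi(column(f), column(s))
                                 for s in selected) / len(selected)
            score = relevance[f] - redundancy
            if best_score is None or score > best_score:  # first maximum wins ties
                best, best_score = f, score
        selected.append(best)
        remaining.remove(best)
    return selected


FEATURES = ["syn_only", "pkts_bucket", "bytes_bucket", "dst_port", "noise"]


def make_flows(n=600, seed=7):
    """Constructed sample input: discretized per-flow features with a label.
    Anomalous flows are mostly short SYN-only flows; bytes_bucket is a copy of
    pkts_bucket (same bucketing), i.e. a fully redundant feature; noise is
    independent of the label."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        anomalous = rng.random() < 0.3
        if anomalous:
            pkts = rng.choice(["small", "small", "small", "small", "medium"])
            syn_only = int(rng.random() < 0.9)
            port = rng.choice(["80", "80", "443", "other"])
        else:
            pkts = rng.choice(["small", "medium", "large"])
            syn_only = int(rng.random() < 0.1)
            port = rng.choice(["80", "443", "other", "other"])
        rows.append({"syn_only": syn_only, "pkts_bucket": pkts,
                     "bytes_bucket": pkts, "dst_port": port,
                     "noise": rng.randrange(4), "label": int(anomalous)})
    return rows


if __name__ == "__main__":
    print(nmifs(make_flows(), FEATURES, "label", k=3))
```

Plain mutual-information ranking would list pkts_bucket and bytes_bucket back to back because each is equally informative about the label; the redundancy term is what pushes the duplicate below an independent, weaker feature such as dst_port. Mutual information on finite samples is biased upward, so on real flow records the features should be discretized coarsely and the selection checked on a held-out split.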
