Research On Anomaly Network Traffic Detection Technology Of Similarity Feature Recognition Problem

Posted on: 2022-10-08 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: X Yue | Full Text: PDF
GTID: 1488306479476224 | Subject: Computer Science and Technology
Abstract/Summary:
Network traffic anomaly detection is an important part of network intrusion detection. Most existing network traffic anomaly detection methods rely on network traffic feature extraction and use traditional machine learning or deep learning methods to select features for anomalous traffic detection. With the rapid development of the information age, network traffic has increased dramatically. Most network traffic feature extraction depends on network equipment for automatic feature extraction, and the extracted feature dimensions are limited. At the same time, manual feature extraction requires sufficient professional knowledge, and the extraction process is complex and time-consuming. Anomalous attacks in network traffic are usually hidden, destructive and uncertain. In this case, the extracted feature dimension is usually small and the classification of network traffic features is not obvious. When all normal and anomalous attack traffic is mixed together, it is difficult to detect anomalous attacks accurately. In this situation, records can have exactly the same features while their labels are completely different. We name this situation the similarity feature recognition problem, which is the focus of this dissertation. The main problems and innovations of the research are as follows:

First, to solve the similarity feature recognition problem in network traffic anomaly detection, we propose a time-dependent anomaly detection method which consists of time-dependent adaptive feature integration and a label redefinition method. This dissertation fully mines the potential features in the network and uses the time characteristics that cannot be used directly in network traffic. We integrate the classification features and redefine the corresponding classification labels. Then we use the new model to train on the data, and the classification results are transformed back into the original data labels for comparison. The previously indistinguishable individuals with similar characteristics are transformed into time-dependent combinations with different characteristics. Thus, the detection is proved to be effective. This method can effectively reduce the feature dimension and the resource consumption with high classification accuracy.

Second, to solve the problem of constructing the detection model for time-dependent anomaly traffic detection methods, we reconstruct the time-dependent anomaly detection method with the traditional DNN and CNN methods in deep learning. We construct the TIDNN and HFICNN models to deal with the similarity feature recognition problem in network traffic anomaly detection. Through the integration of multiple time-related data features, the DNN feature extraction module is reconstructed, and the TIDNN model is constructed by combining it with the binary coded label redefinition method. HFICNN is a further improved model of TIDNN. Its convolution feature extraction module is constructed by integrating multiple data features. The binary label redefinition method is extended to the function mapping label redefinition method. We also introduce a fuzzy classification method to construct the model. The fuzzy convolution anomaly detection model (HFICNN) is constructed to make the model more applicable and more effective. The experiments are run on the standard data set. The test results are higher than those of the traditional machine learning and deep learning methods. The models are simple and efficient.

Third, to solve the imbalanced data distribution problem that arises after redefining labels, we propose a combinatorial time-dependent SVM anomaly detection model (CTSVM). By testing the TIDNN and HFICNN models, the experimental results are analyzed in depth. It is found that the label redefinition method can deal well with the similarity feature recognition problem, but it causes an imbalanced distribution of the redefined labels. What's more, this problem strongly influences the deep learning results. Therefore, we continue to improve the model by selecting a combination of SVM methods. Because the SVM classification boundary is independent of the number of internal data points, we construct the CTSVM and improve the detection effect greatly. The three models are gradually optimized to solve the similarity feature recognition problem, in which different labels of the same features cannot be recognized in reality.
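
The feature integration and binary coded label redefinition described above, and the label skew it produces, as an added Python sketch that is not code from the dissertation. The window size `k`, the non-overlapping windows, the feature names and the constructed records are all assumptions made here; the abstract does not specify them.

```python
from collections import Counter, defaultdict

# Constructed flow records in time order: (features, label); 1 = anomalous.
# The features (protocol, size bucket) are hypothetical. ("tcp", 1) occurs
# with both labels, which is the similarity feature recognition problem.
RECORDS = [
    (("tcp", 1), 0), (("udp", 2), 0), (("tcp", 1), 0), (("udp", 2), 0),
    (("tcp", 3), 1), (("tcp", 1), 1), (("tcp", 1), 0), (("udp", 2), 0),
    (("tcp", 3), 1), (("tcp", 1), 1), (("tcp", 1), 0), (("udp", 2), 0),
]

def best_accuracy(samples):
    """Upper bound for any classifier that sees only the features: for each
    distinct feature vector it can at best predict the majority label."""
    by_feat = defaultdict(Counter)
    for feat, label in samples:
        by_feat[feat][label] += 1
    return sum(max(c.values()) for c in by_feat.values()) / len(samples)

def integrate(records, k):
    """Merge k consecutive records into one sample; the redefined label is
    the binary code of the k original labels (oldest record = highest bit)."""
    out = []
    for i in range(0, len(records) - k + 1, k):
        window = records[i:i + k]
        code = 0
        for _, label in window:
            code = (code << 1) | label
        out.append((tuple(f for f, _ in window), code))
    return out

def decode(code, k):
    """Map a redefined label back to the k original per-record labels."""
    return [(code >> (k - 1 - j)) & 1 for j in range(k)]

def demo(k=2):
    """Compare single records with integrated windows on RECORDS."""
    windows = integrate(RECORDS, k)
    restored = [b for _, code in windows for b in decode(code, k)]
    return {
        "single": best_accuracy(RECORDS),      # capped by the label conflicts
        "windowed": best_accuracy(windows),    # conflicts resolved by context
        "codes": Counter(c for _, c in windows),  # skewed redefined labels
        "round_trip": restored == [label for _, label in RECORDS],
    }

if __name__ == "__main__":
    print(demo())
```

On this constructed data two of the four possible codes never occur, which is the imbalanced distribution of redefined labels that the third contribution addresses.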
Keywords/Search Tags:Network anomaly traffic detection, Similarity feature recognition, Adaptive feature integration, Label redefinition