
Research Of Network Traffic Anomaly Detection Method Based On Multiple Attribute

Posted on: 2017-08-12
Degree: Master
Type: Thesis
Country: China
Candidate: Q Wu
GTID: 2348330533950277
Subject: Information and Communication Engineering
Abstract/Summary:
“Internet plus” has brought great convenience to users and accelerated the integration of information infrastructure with the Internet. At the same time, more and more security threats and anomalies are appearing in the network. Network traffic anomaly detection technology makes a significant contribution to detecting these security threats and satisfying users' security requirements. To ensure the anomaly detection rate, traditional network anomaly detection techniques always set strict decision rules, which increases the false alarm rate. It is also difficult for them to detect anomalous information hidden across multiple attributes. Accordingly, the problems to be solved urgently are how to improve the detection rate and how to detect anomalies hidden in high-dimensional traffic. To address these problems, this thesis carries out a thorough study and analysis of network traffic anomaly detection. The details are as follows:

1. This thesis proposes a multi-level network traffic anomaly detection strategy to improve the detection performance of traditional network traffic anomaly detection methods. First, the strategy applies differential preprocessing to the original traffic to obtain a differential sequence. Second, it predicts the differential sequence with the Exponentially Weighted Moving Average model, sets a dynamic threshold interval and establishes the normal traffic model, after which the first threshold detection can be executed. Finally, traffic that has been judged anomalous undergoes a further detection step. The experimental results indicate that this multiple detection and judgment efficiently increases the detection rate and decreases the false alarm rate.

2. To detect anomalies across multiple attributes, this thesis proposes a network traffic anomaly detection method based on attribute reduction. First, the method applies attribute reduction to the original traffic to obtain a sub-dataset, using two attribute selection methods: a comprehensive attribute selection method based on the Waikato Environment for Knowledge Analysis, and an attribute reduction method based on rough sets and information entropy. Second, from the sub-dataset it constructs a sampled traffic matrix and analyzes it with principal component analysis based on data normalization, so that the original traffic can be described by relatively low-dimensional principal components. Finally, the traffic is reconstructed from the principal components, the standard Euclidean distance between the reconstructed traffic and the original traffic is calculated, and the normal traffic model is established. The experiments show that this method can detect anomalies in complex traffic and performs stably.
Keywords/Search Tags: anomaly detection, information entropy, rough set, attribute reduction, principal component analysis
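
The multi-level strategy in item 1, sketched as an added example (not code from the thesis). The abstract gives no parameters and does not say what the further detection step is, so the smoothing factor, the band width `k`, the EWMA of absolute error used for the dynamic interval, and the second stage (comparing the raw level with the median of recent normal samples) are all assumptions, and the traffic series is constructed.

```python
from statistics import median

# Constructed per-interval traffic volumes: a spike at index 9, a small bump at 14.
SAMPLE = [100, 102, 101, 103, 102, 104, 103, 105, 104,
          180, 106, 105, 107, 106, 112, 107]

def multilevel_detect(traffic, alpha=0.5, k=3.0, warmup=4, window=5, ratio=0.2):
    """Return (suspects, confirmed) as indices into traffic.

    All parameters are assumptions; the abstract specifies none of them.
    """
    # Step 1: differential preprocessing.
    diffs = [b - a for a, b in zip(traffic, traffic[1:])]
    pred, dev = diffs[0], 0.0            # EWMA prediction, EWMA of |error|
    normal = list(traffic[:2])           # raw samples accepted as normal
    suspects, confirmed = [], []
    for i in range(1, len(diffs)):
        t = i + 1                        # diffs[i] is the step into traffic[t]
        err = diffs[i] - pred
        # Step 2: dynamic threshold interval pred +/- k*dev (first detection).
        if i >= warmup and abs(err) > k * dev:
            suspects.append(t)
            # Step 3 (assumed form): confirm on the raw level, so the drop
            # back to baseline after a spike is not reported as an anomaly.
            base = median(normal[-window:])
            if abs(traffic[t] - base) > ratio * base:
                confirmed.append(t)
            else:
                normal.append(traffic[t])
            continue                     # suspects never update the model
        pred += alpha * err
        dev += alpha * (abs(err) - dev)
        normal.append(traffic[t])
    return suspects, confirmed

if __name__ == "__main__":
    suspects, confirmed = multilevel_detect(SAMPLE)
    print("first-stage suspects:", suspects)
    print("confirmed anomalies: ", confirmed)
```

On the sample, the first stage flags the spike, the return to baseline that follows it, and the small bump; only the spike survives the second stage, which is the false-alarm reduction the abstract attributes to multiple detection.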