With the rapid development of the Internet and information technology, people's lives have become more and more colorful. At the same time, the increasingly complex network environment brings challenges to network management and network security. A network anomaly is a condition in which the network cannot work normally because of network failure, network congestion or network attack. Detecting network anomalies effectively is very important for maintaining the normal operation of the network and ensuring network security. However, most existing anomaly detection and traffic classification algorithms analyze a single link or a local network and lack a grasp of global network information, so their detection and classification accuracy is not high. Therefore, this paper proposes to use graphs to explore global network traffic behavior information and to integrate network flow characteristics in order to achieve network anomaly detection and traffic classification. The main contributions of this paper are as follows:

(1) A network flow contains the source and destination IP, port and protocol information, and the traffic matrix (TM) can reflect the global network state. To obtain global network information for anomaly detection, this paper takes the traffic matrix as the research object, uses historical TMs to predict the future TM, and detects anomalies through the residual between the observed TM and the predicted TM. Accurate traffic matrix prediction is therefore very important for anomaly detection. LSTM (Long Short-Term Memory) can explore the dependence within time series and is often used for TM prediction, but the LSTM model does not consider the spatial correlation in the TM. This paper therefore designs a TM prediction model based on a spatiotemporal graph neural network: it constructs the communication graph from network flows, then combines a graph neural network (GNN) with LSTM to build a spatiotemporal graph neural network model that captures the latent temporal and spatial characteristics of the TM, so as to predict the network traffic matrix accurately. Experiments show that the performance of the proposed model is improved compared with other methods. Analysis of the experiments also shows that the efficiency of the model decreases as the network size increases, so this paper proposes a graph sampling algorithm to reduce the time consumed by model training and prediction. The experimental results show that the efficiency of the model is clearly improved without reducing TM prediction performance. Finally, this paper realizes network anomaly detection based on accurate prediction of the TM.

(2) For abnormal traffic classification, more and more network attacks are initiated by multiple hosts, which makes traditional abnormal traffic classification methods ineffective. This paper therefore proposes graph-based traffic classification. First, at the network flow level, information entropy gain is used to analyze the statistical characteristics of traffic and to select appropriate flow-level features. Second, from the graph perspective, this paper uses network flows to build a network communication interaction graph and to model the connection behavior of communicating nodes. Based on the graph structure, it first extracts shallow node features and then uses a graph representation learning algorithm to explore the deep spatial interaction behavior features of network communication nodes. The flow-level features and the graph behavior features are then combined into a mixed behavior feature. Finally, the machine learning algorithms K-Nearest Neighbor and Decision Tree are used to classify normal and abnormal traffic and to perform fine-grained multi-class classification of anomaly types. The proposed method is verified on the public dataset CICIDS-2017. The experimental results show that, in both the binary and the multi-class classification of abnormal traffic, the traffic behavior features extracted in this paper outperform features that focus on only a single level of traffic, and that they enhance and supplement simple features.

(3) Based on the above analysis, this paper designs a simple network anomaly detection simulation system built on the proposed anomaly detection model, combined with software-defined networking, the Mininet network simulation tool and the Ryu controller. Simulation of normal and abnormal traffic shows the feasibility of the proposed anomaly detection model in a real network.
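The residual-based detection described in contribution (1), as an added example that is not the paper's code: a per-entry exponentially weighted moving average stands in for the spatiotemporal GNN predictor. The host names, flow records, smoothing factor and threshold rule (median plus k times the MAD of past residuals) are assumptions constructed for illustration.

```python
from statistics import median

HOSTS = ["h1", "h2", "h3", "h4"]  # constructed host names

def sample_intervals():
    """Constructed (src, dst, bytes) flows for 10 intervals; interval 8 has a multi-source spike."""
    out = []
    for t in range(10):
        flows = [("h1", "h2", 1000 + 10 * (t % 3)), ("h2", "h3", 500 + 5 * (t % 2)),
                 ("h3", "h1", 800), ("h4", "h1", 200 + 4 * (t % 3))]
        if t == 8:
            flows += [(s, "h4", 50000) for s in ("h1", "h2", "h3")]
        out.append(flows)
    return out

def traffic_matrix(flows, hosts):
    """Aggregate flow records into an origin-destination byte matrix (the TM)."""
    idx = {h: i for i, h in enumerate(hosts)}
    tm = [[0.0] * len(hosts) for _ in hosts]
    for src, dst, nbytes in flows:
        tm[idx[src]][idx[dst]] += nbytes
    return tm

def predict_next(history, alpha=0.5):
    """Stand-in predictor (assumption): per-entry EWMA over the historical TMs."""
    pred = [row[:] for row in history[0]]
    for tm in history[1:]:
        for i, row in enumerate(tm):
            for j, v in enumerate(row):
                pred[i][j] = alpha * v + (1 - alpha) * pred[i][j]
    return pred

def residual_norm(observed, predicted):
    """Frobenius norm of the residual between observed and predicted TM."""
    return sum((o - p) ** 2 for ro, rp in zip(observed, predicted)
               for o, p in zip(ro, rp)) ** 0.5

def detect(tms, warmup=3, k=10.0):
    """Flag intervals whose residual exceeds median + k*MAD of earlier normal residuals."""
    history, residuals, alerts = list(tms[:warmup]), [], []
    for t in range(warmup, len(tms)):
        r = residual_norm(tms[t], predict_next(history))
        if len(residuals) >= 3:
            med = median(residuals)
            mad = median(abs(x - med) for x in residuals) or 1.0
            if r > med + k * mad:
                alerts.append(t)
                continue  # keep flagged intervals out of the baseline and the history
        history.append(tms[t])
        residuals.append(r)
    return alerts

if __name__ == "__main__":
    print(detect([traffic_matrix(f, HOSTS) for f in sample_intervals()]))
```

Flagged intervals are excluded from both the prediction history and the residual baseline, so a single anomalous TM does not inflate the threshold for the intervals that follow.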