Network Security Anomaly Detection Based On Time Series Analysis

As the information collected during network working,network behavior characteristics(NBC)are an important information source for network management and security detection,which is represented as a high-dimensional time-series.The current state of a network can be evaluated through the analysis of NBC,which has practical significance for network security.But the current research is difficult to adapt to the highdimensional and complex NBC,mainly in two aspects:(1)the existing public datasets often have short periods and insufficient samples;and(2)most of the research focuses on multi-dimensional features,but the research on time-series composed by complex signals is insufficient.This thesis analyzes NBC as a high-dimensional time-series,proposes a feature selection method and data enhancement method for time-series in the preprocessing link,and combines signal decomposition technology with generalized likelihood ratio test(GLRT)to detect anomalies in NBC.This method consists of three parts: data preprocessing technology,data argumentation,and time-series analysis technology.This thesis proposes a feature selection algorithm based on Light GBM and cross-validation,which could improve the applicability and accuracy of these models by sorting the importance of features.And then,this thesis proposes a data argumentation based on Generative Adversarial Networks(GAN)to generate artificial training data to improve detection ability.In terms of analysis technology,this work uses Improved Complete Ensemble Empirical Mode Decomposition with Adaptive Noise(ICEEMDAN)to decompose the enhanced timeseries into different time scales and computes GLRT to detect anomalies.This thesis proposed a multi-scale time-series analysis method to effectively combine the spatiotemporal correlations of time-series data in different channels,alleviate the imbalance of time-series data distribution,and effectively extract time-series features.This work used three time-series sets under different network environments and proved our method has a lower false alarm rate and is more accurate than comparative experiments.