Network Abnormal Behavior Detection Technologies Based on Traffic-feature Modeling
黄河; 邓浩江; 陈君
Abstract:
Network abnormal behavior detection techniques based on traffic-feature modeling perform feature matching and pattern recognition on network traffic in order to detect potentially malicious, intrusive traffic, and are an effective means of detecting abnormal network behavior. According to the source of the detection data, traditional detection methods fall into three classes: those based on transport-layer information, on payload information, and on host behavior features. Deep learning methods, which have emerged in recent years, have begun to be applied to all three kinds of data and can also combine them. This paper surveys the above technical approaches in terms of their principles and characteristics, experimental methods and results achieved, and analyzes the main open problems and development trends.
Keywords: network abnormal behavior; anomaly detection; pattern recognition; traffic-feature modeling; deep learning
Foundation: Chinese Academy of Sciences Pioneer Initiative project: Research on End-to-End Key Technologies and System Development (No. SXJH201609)
Authors: 黄河; 邓浩江; 陈君
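As an added illustration of the three data sources the abstract distinguishes (example code written for this page, not code from the paper or its authors), the following Python builds one feature vector per flow from transport-layer fields, payload bytes and per-host behaviour, fits a per-feature baseline on constructed benign flows, and scores new flows by their distance from that baseline. All flow records, hosts, ports and the threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample flows (not from the paper): transport-layer fields, the
# first payload bytes and the source host, i.e. the survey's three data sources.
HTTP = "{} HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
def flow(fid, src, dst, dport, pkts, nbytes, dur, payload):
    return dict(id=fid, src=src, dst=dst, dport=dport, pkts=pkts, bytes=nbytes, dur=dur, payload=payload)
TRAIN = [  # assumed-benign baseline traffic from two hosts
    flow("t1", "10.0.0.5", "10.0.0.20", 80, 20, 8000, 1.0, HTTP.format("GET /").encode()),
    flow("t2", "10.0.0.5", "10.0.0.21", 8080, 35, 15000, 1.8, HTTP.format("GET /index.html").encode()),
    flow("t3", "10.0.0.5", "10.0.0.20", 80, 50, 22000, 2.5, HTTP.format("POST /login").encode() + b"user=alice"),
    flow("t4", "10.0.0.6", "10.0.0.20", 80, 28, 11000, 1.2, HTTP.format("GET /style.css").encode()),
    flow("t5", "10.0.0.6", "10.0.0.20", 80, 42, 18500, 2.0, HTTP.format("GET /app.js").encode()),
    flow("t6", "10.0.0.6", "10.0.0.20", 80, 60, 27000, 3.1, HTTP.format("GET /logo.png").encode()),
]
TEST = [  # one benign flow, one high-entropy blob on port 80, four tiny probe flows
    flow("ok", "10.0.0.6", "10.0.0.20", 80, 33, 14000, 1.5, HTTP.format("GET /about.html").encode()),
    flow("blob", "10.0.0.6", "10.0.0.20", 80, 45, 20000, 2.2, bytes(range(256))),
] + [flow(f"probe{i}", "10.0.0.99", f"10.0.0.{30 + i}", p, 2, 120, 0.01, b"\x00\x01\x02\x03")
     for i, p in enumerate((22, 23, 445, 3389))]
def entropy(data):  # payload feature: byte-level Shannon entropy in bits (0..8)
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
def host_profiles(flows):  # host-behaviour feature: distinct destinations and ports per source
    dsts, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        dsts[f["src"]].add(f["dst"])
        ports[f["src"]].add(f["dport"])
    return {h: (len(dsts[h]), len(ports[h])) for h in dsts}
def features(f, profiles):
    p, (fanout, nports) = f["payload"], profiles[f["src"]]
    return [math.log1p(f["pkts"]), math.log1p(f["bytes"]), f["bytes"] / f["pkts"], f["dur"],  # transport layer
            entropy(p), sum(32 <= b < 127 for b in p) / (len(p) or 1),                      # payload
            fanout, nports]                                                                 # host behaviour
def fit_baseline(vectors):
    """Per-feature mean/std of benign traffic. The std is floored so that a feature that
    is almost constant in the baseline cannot turn every tiny deviation into an alert."""
    n, dim = len(vectors), len(vectors[0])
    mean = [sum(v[i] for v in vectors) / n for i in range(dim)]
    std = [max(math.sqrt(sum((v[i] - m) ** 2 for v in vectors) / n), 0.05 * abs(m), 1e-3)
           for i, m in enumerate(mean)]
    return mean, std
def detect(train, test, threshold=2.5):
    """Mean absolute z-score of each test flow against the benign model; returns flows above threshold."""
    profiles = host_profiles(train + test)
    mean, std = fit_baseline([features(f, profiles) for f in train])
    scores = {f["id"]: sum(abs((x - m) / s) for x, m, s in zip(features(f, profiles), mean, std)) / len(mean)
              for f in test}
    return {fid: round(s, 2) for fid, s in scores.items() if s > threshold}
```

The probe flows are caught mainly by the transport and host-behaviour features, the blob only by the payload features, which is why the survey's point about combining all three sources matters in practice.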