|
| 基于内存增强特征提取与时序预测的网络流异常检测 |
| Network Traffic Anomaly Detection based on Memory-Augmented Feature Extraction with Temporal Prediction |
| 投稿时间:2024-08-29 修订日期:2024-11-11 |
| DOI: |
| 中文关键词: 网络流异常检测 基于Transformer特征提取 内存网络 时间依赖性预测 |
| 英文关键词:network traffic anomaly detection Transformer-based feature extraction memory networks temporal-dependencies prediction |
| 基金项目: |
|
| 摘要点击次数: 0 |
| 全文下载次数: 0 |
| 中文摘要: |
| 异常检测在网络安全等领域中至关重要,但在网络流异常检测中面临诸多挑战。网络流数据中的异常数据量少且标记成本高,监督学习方法难以应用,无监督方法更为适用。现有的无监督异常检测模型基于重构和预测方法,但它们在泛化能力和处理时间依赖性方面存在不足,并且缺乏有效的异常识别能力。为了应对泛化能力弱的问题,需引入内存模块,但是实时检测中的内存模块面临内存污染问题。针对这些问题,提出了一种新的无监督网络流异常检测模型MDTN。该模型结合了基于Transformer的特征提取模块、内存模块和基于预测的时间依赖性提取网络。内存模块采用FIFO(first in first out)内存替换和KNN(k-Nearest Neighbor)策略,增强了模型的泛化能力和对内存中毒的鲁棒性。异常评分方法融合重构和预测误差,扩大了正常和异常数据之间的差异。在四个真实网络流数据集上的评估结果显示,MDTN在AUC-ROC和AUC-PR上优于主流基线方法。 |
| 英文摘要: |
| Anomaly detection is crucial in network security, but it faces many challenges in network traffic anomaly detection. Unsupervised methods are more suitable since supervised learning methods are difficult to apply due to the small amount of anomalies in network traffic data and the high cost of labeling. The existing unsupervised anomaly detection models are based on reconstruction and prediction methods. However, they are deficient in generalization ability and processing temporal dependencies, and lack effective anomaly identification. The memory module is introduced to cope with the problem of weak generalization ability. In the real-time detection, however, it faces the problem of memory contamination. To address these issues, a new unsupervised network traffic anomaly detection model MDTN is proposed, which combines a Transformer-based feature extraction module, a memory module, and a prediction-based temporal-dependencies extraction network. The memory module employs FIFO (first in first out) memory replacement and KNN (k-Nearest Neighbor) strategy to enhance the generalization ability of the model and robustness to memory poisoning. The anomaly scoring method fuses reconstruction error and prediction error, and it enlarges the gap between normal and abnormal data. Evaluation results on four real network traffic datasets show MDTN over existing state-of-the-art baseline methods on AUC-ROC and AUC-PR. |
| 查看/发表评论 下载PDF阅读器 |
| 关闭 |