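A PCA-Based Traffic Anomaly Detection Method
Published: 2018-03-16 01:39
Topic: LDoS attack model. Entry point: attack traffic analysis. Source: Civil Aviation University of China, 2015 master's thesis. Document type: degree thesis.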
[Abstract]: Traffic anomaly detection is one of the important measures for ensuring network security. This thesis proposes a traffic anomaly detection method based on the principal component analysis (PCA) algorithm and uses it to detect the network traffic anomalies caused by low-rate denial of service (LDoS) attacks. It first studies a general LDoS attack model and then, from the perspective of two different attack forms, studies the LDoS attack models that exploit the TCP timeout retransmission mechanism and the router RED mechanism respectively. An experimental network topology is built; simulated LDoS attack traffic is generated with the NS2 tool and real LDoS attack traffic with an LDoS attack flow generation tool; the generated traffic is collected and the LDoS attack traffic is analyzed at the packet level. Network traffic data is high-dimensional, so modeling traffic requires solving the dimensionality problem, which is why this thesis proposes a detection method based on PCA. Choosing a different principal component contribution rate in PCA changes which data features are retained after processing. The experiments use three contribution rates, 90%, 50% and 10%, to verify the model's detection efficiency under different contribution rates. The T² control limit obtained when PCA processes the traffic sample data serves as the model's decision threshold: traffic samples under test that exceed the T² control limit are judged anomalous, and the rest normal. Models are built from three different kinds of traffic samples (mixed normal and anomalous traffic, purely anomalous traffic, and purely normal traffic), and the detection results show that the higher the principal component contribution rate, the higher the model's detection rate.
[Degree-granting institution]: Civil Aviation University of China
[Degree level]: Master's
[Year degree granted]: 2015
[Classification number]: TP393.08
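The T² decision rule and the effect of the retained contribution rate described in the abstract, as an added example that is not code from the thesis. Assumptions: the five per-window features and all data are constructed, eigenvectors come from plain power iteration, and the control limit is the largest training T² times a headroom factor, because the page does not say how the thesis computes its limit.

```python
import math

def fit_pca(X, contribution):
    """Keep the fewest components whose cumulative variance share reaches `contribution`."""
    n, d = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / n for j in range(d)]
    Z = [[r[j] - mean[j] for j in range(d)] for r in X]
    C = [[sum(z[a] * z[b] for z in Z) / (n - 1) for b in range(d)] for a in range(d)]
    total, cum, comps = sum(C[j][j] for j in range(d)), 0.0, []
    while cum / total < contribution and len(comps) < d:
        v = [1.0] * d
        for _ in range(500):  # power iteration for the leading eigenvector
            w = [sum(C[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[a] * C[a][b] * v[b] for a in range(d) for b in range(d))
        comps.append((lam, v))
        cum += lam
        # Deflate so the next pass finds the next component.
        C = [[C[a][b] - lam * v[a] * v[b] for b in range(d)] for a in range(d)]
    return mean, comps

def t2(x, mean, comps):
    """Hotelling T^2 of one sample over the retained components."""
    z = [xi - m for xi, m in zip(x, mean)]
    return sum(sum(zi * vi for zi, vi in zip(z, v)) ** 2 / lam for lam, v in comps)

# Constructed data: 5 hypothetical per-window traffic features, variances 5:4:3:2:1.
N, AMP = 200, [math.sqrt(2 * v) for v in (5, 4, 3, 2, 1)]
def window(i, shift=0.0):
    x = [100 + a * math.sin(2 * math.pi * (f + 1) * i / N) for f, a in enumerate(AMP)]
    x[3] += shift  # constructed attack: displaces only one low-variance feature
    return x

def evaluate(contribution, headroom=1.1):
    """Return (components kept, attack detection rate, false-alarm rate)."""
    train = [window(i) for i in range(N)]  # model built from pure normal traffic
    mean, comps = fit_pca(train, contribution)
    # Assumption: limit = largest training T^2 times headroom, not the thesis's value.
    limit = headroom * max(t2(x, mean, comps) for x in train)
    normal = [window(i + 0.5) for i in range(0, N, 10)]
    attack = [window(i + 0.5, shift=8.0) for i in range(0, N, 10)]
    hit = sum(t2(x, mean, comps) > limit for x in attack) / len(attack)
    fa = sum(t2(x, mean, comps) > limit for x in normal) / len(normal)
    return len(comps), hit, fa

if __name__ == "__main__":
    for rate in (0.90, 0.50, 0.10):
        print(rate, evaluate(rate))
```

On this constructed data the 90% model keeps four components and flags every attack window, while the 50% and 10% models discard the component that carries the deviation and flag none.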