基于奇异值分解更新的多元在线异常检测方法

钱叶魁; 陈鸣

doi:10.3724/SP.J.1146.2009.01342

基于奇异值分解更新的多元在线异常检测方法

doi: 10.3724/SP.J.1146.2009.01342

钱叶魁^{①② 陈鸣,},
陈鸣

基金项目:

国家自然科学基金重大研究计划(90304016)，国家863计划项目(2007AA01Z418)和江苏省自然科学基金(BK2009058)资助课题

计量
- 文章访问数: 3634
- HTML全文浏览量: 92
- PDF下载量: 1403
- 被引次数: 0
出版历程
- 收稿日期: 2009-10-15
- 修回日期: 2010-02-16
- 刊出日期: 2010-10-19

A Multivariate Online Anomaly Detection Algorithm Based on SVD Updating

Qian Ye-Kui^{①② 陈鸣
,},
Chen Ming

摘要

摘要: 网络异常检测对于保证网络稳定高效运行极为重要。基于主成分分析的全网络异常检测算法虽然具有很好的检测性能，但无法满足在线检测的要求。为了解决此问题，该文引入流量矩阵模型，提出了一种基于奇异值分解更新的多元在线异常检测算法MOADA-SVDU，该算法以增量的方式构建正常子空间和异常子空间，并实现网络流量异常的在线检测。理论分析表明与主成分分析算法相比，该算法具有更低的存储和计算开销。因特网实测的流量矩阵数据集以及模拟试验数据分析表明，该算法不仅实现了网络异常的在线检测，而且取得了很好的检测性能。
- 网络异常检测 /
- 在线算法 /
- 奇异值分解 /
- 多元分析 /
- 增量学习
Abstract: Network anomaly detection is critical to guarantee stabilized and effective network operation. Although PCA-based network-wide anomaly detection algorithm has good detection performance, it can not satisfy demands of online detection. In order to solve the problem, the traffic matrix model is introduced and a Multivariate Online Anomaly Detection Algorithm based on Singular Value Decomposition Updating named MOADA-SVDU is proposed. The algorithm constructs normal subspace and abnormal subspace incrementally and implements online detection of network traffic anomalies. Theoretic analysis shows that MOADA-SVDU has lower storage and less computing overhead compared with PCA. Analyses for traffic matrix datasets from Internet and simulation experiments show that MOADA-SVDU algorithm not only achieves online detection of network anomaly but also has very good detection performance.
- Network anomaly detection /
- Online algorithm /
- Singular Value Decomposition (SVD) /
- Multivariate analysis /
- Incremental learning

HTML全文

参考文献(1)

[1] Lakhina A, Crovella M, and Diot C. Diagnosing network-wide traffic anomalies[C]. SIGCOMM, Portland, Oregon, USA, 2004: 224-235. [2] Lakhina A, Crovella M, and Diot C. Mining anomalies using traffic feature distributions[C]. SIGCOMM, Philadelphia, Pennsylvania, USA, 2005: 164-175. [3] Jin Y, Sharafuddin E, and Zhang Z L. Unveiling core network-wide communication patterns through application traffic activity graph decomposition[C]. SIGMETRICS, Seattle, WA, USA, 2009: 86-91. Torres R, Hajjat M, and Rao S G, et al.. Inferring undesirable behavior from P2P traffic analysis[C]. SIGMETRICS, Seattle, WA, USA, 2009: 156-167. [4] Logg C, Cottrell L, and Navratil J. Experiences in traceroute and available bandwidth change analysis[C]. SIGCOMM Workshop, Portland, Oregon, USA, 2004: 81-90. [5] 吴志军, 张东. 低速率DDoS攻击的仿真和特征提取[J].通信学报.2008, 29(1):71-76 Wu Z J and Zhang D. Attack simulation and signature extraction of low-rate DDoS[J]. Journal on Communications, 2008, 29(1): 71-76. [6] 谢逸, 余顺争. 基于Web用户浏览行为的统计异常检测[J].软件学报.2007, 18(4):967-977 Xie Y and Yu S Z. Anomaly detection based on web users browsing behaviors[J].Journal of Software.2007, 18(4):967-977 [7] Zhao H, Yuen P C, and Kwok J T. A novel incremental principal component analysis and its application for face recognition[J].IEEE Transactions on Systems, Man, and Cybernetics-Part B: Cybernetics.2006, 36(3):873-886 [8] Ahmed T, Coates M, and Lakhina A. Multivariate online anomaly detection using kernel recursive least squares[C]. INFOCOM, Los Angeles, USA, 2007: 387-396. [9] Lakhina A, Papagiannaki K, and Crovella M, et al.. Structural analysis of network traffic flows[C]. SIGMETRICS, New York, NY, USA, 2004: 156-167. [10] Soule A, Salamatian K, and Taft N. Combining filtering and statistical methods for anomaly detection[C]. IMC, Boston, USA, 2005: 168-179. [11] Rubinstein B, Nelson B, and Huang L. Stealthy poisoning attacks on PCA-based anomaly detectors[C]. SIGMETRICS, Seattle, WA, USA, 2009: 168-179. Zhang Y, Roughan M, and Willinger W, et al.. Spatio-temporal compressive sensing and Internet traffic matrices[C]. SIGCOMM, Barcelona, Spain, 2009: 110-121.

施引文献

资源附件(0)

访问统计