基于多维时间序列分析的网络异常检测

针对实际网络异常检测要求高检测率、低误报率的问题，提出了一种基于多维时间序列的检测方法。首先，通过对实际网络流量进行长期观测，提取多维特征对网络流量进行描述；然后，利用时间序列分析方法对多维特征进行预测，计算预测值与真实值的时间序列偏离度，并且实时更新偏离度，适应多变的网络环境；最后，利用支持向量机（SVM）算法对偏离度向量进行分类判别，判断是否发生异常。目前该方法已应用于校园网关键服务器的实时监测与防护工作中，实际服务器流量的预测、告警结果表明，该方法可以有效检测网络中的异常流量。

Network Anomaly Detector Based on Multiple Time Series Analysis

The anomaly detection of network traffic in practice requires both high detection rate and low false alarm rate.To address this problem,a detection approach based on multidimensional time series analysis was proposed.Firstly,the network traffic was observed in a long time,and multiple network features were chosen for building the network behavior model.Subsequently,multiple features were predicted by the method of time series analysis.Then the degree of deviation between the predict value and the real value was calculated and updated.Finally,the state of whether the network flow is normal was determined by using support vector machine to classify the degree of deviation in time series.This method has been applied to real-time monitoring and protection on a campus key server.The results showed that it can detect anomalies effectively in network traffic.