随着计算机网络规模和应用不断扩大，网络中的各种攻击在对网络稳定运行带来冲击的同时，也造成网络用户经济损失和信息泄露等问题。由于网络异常流量检测系统能够感知并识别网络中的攻击行为，近年来成为保障网络安全的热门研究课题。论文以深度学习方法为研究基础，网络异常流量检测为研究目标，采用了关键特征提取与网络异常流量检测模型相结合的思路展开研究。论文主要研究工作和创新如下：

（1）针对网络流量高维含噪数据难以提取有效特征的问题，论文提出了一种递归式信息相关（Recursive Information Correlation, RIC）的特征选择算法。该算法通过最大信息相关方法和递归特征消除法来降低特征冗余度，可以更高效的选择出最优特征子集。实验结果表明，论文提出的RIC特征选择算法不仅大幅度缩短了模型的训练时间，而且还提高了分类模型的准确率，同时经过特征选择改善了同一分类模型对于小样本网络流量类型数据的分类性能。

（2）针对卷积神经网络模型在网络异常流量检测中精度不高的问题，提出了跳级连接的反卷积神经网络（Skip Connection Based Deconvolutional Neural Network, SC-DeCN）模型。该模型可以减少汇聚操作中的信息损失，从而提高模型的检测精度。首先通过CNN模块提取网络流量特征；其次结合反卷积网络重构输入信号，将浅层的卷积神经网络信息与深层的反卷积神经网络信息相融合，构建SC-DeCN模型；最后为了缩短模型训练时间，将RIC算法与SC-DeCN模型相结合进行网络异常流量检测。实验结果表明，SC-DeCN模型相较于另外五种对比模型具有更好的检测性能，同时对于小样本数据的分类性能有所提升。此外，在融合RIC特征选择算法之后，大幅度缩短了模型的训练时间。

（3）为了能够及时有效的检测出网络中的异常流量，在分析用户实际需求的基础上，设计并实现了一个网络异常流量检测系统。该系统包含网络流量数据、数据预处理、异常检测和系统管理4个主要功能模块。系统基于Springboot框架，采用Java语言实现界面交互，使用Python语言实现异常检测算法模块。通过实际部署，结果表明该系统能够有效并可靠的检测到网络中的异常流量，具备了一定的实用价值。

With the continuous expansion of the scale and application of computer networks, various attacks in the network not only impact the stable operation of the network, but also cause economic losses to network users and information leakage. Because the network abnormal traffic detection system can perceive and identify the attack behavior in the network, it has become a hot research topic in ensuring network security in recent years. The paper takes the deep learning method as the research basis and the network abnormal traffic detection as the research goal, and adopts the idea of combining key feature extraction and network abnormal traffic detection model to carry out the research. The main research work and innovations of the paper are as follows:

Aiming at the problem that it is difficult to extract effective features from high-dimensional noisy data of network traffic, this paper proposes a feature selection algorithm based on recursive information correlation (RIC). The algorithm reduces the feature redundancy through the maximum information correlation method and the recursive feature elimination method, and can select the optimal feature subset more efficiently. The experimental results show that the RIC feature selection algorithm proposed in this paper not only greatly shortens the training time of the model, but also improves the accuracy of the classification model, and also improves the classification performance of the same classification model for small sample network traffic data types.

Aiming at the low accuracy of the convolutional neural network model in the detection of abnormal network traffic, a skip connection based deconvolutional neural network model (SC-DeCN) was improved for the detection of abnormal network traffic. The model can reduce the loss of information in the pooling operation and extract richer feature information, thereby improving the detection accuracy of the model.Firstly, the network traffic features are automatically extracted by the CNN module; secondly, the original input signal is reconstructed with the deconvolution network, and the information in the shallow convolutional neural network is fused with the information in the deep deconvolutional neural network to construct the SC-DeCN model. Finally, in order to shorten the model training time, the RIC algorithm is combined with the SC-DeCN model for network abnormal traffic detection. the experimental results show that compared with the other five comparison models, the SC-DeCN model has better detection performance while improving the classification performance on small sample data. In addition, after adding the RIC feature selection algorithm, the training time of the model is greatly reduced.

In order to detect the abnormal traffic in the network timely and effectively, on the basis of analyzing the actual needs of users, a network abnormal traffic detection system is designed and implemented. The system includes four main functional modules: network traffic data, data preprocessing, anomaly detection and system management. The system is based on the Springboot framework, uses Java language to implement interface interaction, and uses Python language to implement anomaly detection algorithm modules. Through practical deployment, the results show that the system can effectively and reliably detect abnormal traffic in the network, and has certain practical value.

[1]中国互联网络信息中心(CNNIC). 第48次中国互联网络发展状况统计报告[R]. 北京中国互联网络信息中心, 2021.

[2]王伟. 基于深度学习的网络流量分类及异常检测方法研究[D]. 合肥:中国科学技术大学, 2018.

[3]王小群, 丁丽, 严寒冰, 等. 2020年我国互联网网络安全态势综述[J]. 保密科学技术, 2021, (5): 3-10.

[4]黄婷. 基于机器学习的网络异常流量分析检测系统的研究与设计[J]. 网络安全技术与应用, 2021, (2): 46-48.

[5]胡天宇, 刘嵩. 基于卡方检验和LDOF算法的入侵检测技术研究[J]. 齐鲁工业大学学报, 2019, 33(03): 62-69.

[6]Hoz E, Ortiz A, et al. Feature selection by multi-objective optimisation: Application to network anomaly detection by hierarchical self-organising maps[J]. Knowledge-Based Systems, 2014, 71(nov.):322-338.

[7]Sindhu S, Geetha S, Kannan A. Decision tree based light weight intrusion detection using a wrapper approach[J]. Expert Systems with Applications, 2012, 39(1):129-141.

[8]Patra M R . Discriminative multinomial Naïve Bayes for network intrusion detection[C]// Sixth International Conference on Information Assurance & Security. IEEE, 2010.

[9]冉金也. 网络异常流量信息分析方法研究[D].成都:电子科技大学,2020.

[10]David J , Thomas C . Efficient DDoS Flood Attack Detection using Dynamic Thresholding on Flow-Based Network Traffic[J]. Computers & Security, 2019, 82(MAY):284-295.

[11]Chen Y , Ma X , Wu X . DDoS Detection Algorithm Based on Preprocessing Network Traffic Predicted Method and Chaos Theory[J]. IEEE Communications Letters, 2013, 17(5):1052-1054.

[12]孙知信, 唐益慰, 程媛. 基于改进CUSUM算法的路由器异常流量检测[J]. 软件学报, 2005, 16(12): 93-99.

[13]韩晓燕. 基于加权朴素贝叶斯的网络异常检测系统设计与实现[D]. 山东师范大学, 2016.

[14]李振刚 甘泉. 改进蚁群算法优化SVM参数的网络入侵检测模型研究[J]. 重庆邮电大学学报：自然科学版, 2014, 26(6):5.

[15]顾兆军, 李冰, 刘涛. 基于ELM-KNN算法的网络入侵检测模型[J]. 计算机工程与设计, 2018, 39(8):6.

[16]王海忠. 基于决策树的网络流量分类系统的设计与实现[D]. 北京:中国科学院大学, 2014.

[17]刘慕娴, 陈文迪, 刘桂华. 一种基于K-means算法的网络流量异常检测模型研究[J].无线互联科技, 2019, 16(18): 25-27.

[18]李胥蝰. 基于自动编码器的入侵检测系统研究与实现[D]. 南京:南京邮电大学, 2020.

[19]逯玉婧. 基于深度信念网络的入侵检测算法研究[D]. 石家庄, 河北师范大学, 2015.

[20]顾兆军, 郝锦涛, 周景贤. 基于改进双线性卷积神经网络的恶意网络流量分类算法[J]. 信息网络安全, 2020, 20(10): 67-74.

[21]Yang J, Deng J, Li S, et al. Improved traffic detection with support vector machine based on restricted Boltzmann machine[J]. Soft Computing,2017,21(11):3101-3112.

[22]董宁, 程晓荣. 基于深度学习的入侵检测系统[J]. 网络安全技术与应用, 2020, (10): 30-32.

[23]张蕾,崔勇,刘静,江勇,吴建平.机器学习在网络空间安全研究中的应用[J].计算机学报,2018,41(09):1943-1975.

[24]唐灿. 基于无监督学习的网络流量异常检测研究[D]. 绵阳:西南科技大学, 2020.

[25]Ma W. Analysis of anomaly detection method for Internet of things based on deep learning[J]. Transactions on Emerging Telecommunications Technologies, 2020, 31(12): e3893.

[26]Zhang Z, Li J, Manikopoulos C N, et al. HIDE: a hierarchical network intrusion detection system using statistical preprocessing and neural network classification[C]//Proc. IEEE Workshop on Information Assurance and Security. 2001, 85: 90.

[27]孙知信, 唐益慰, 程媛. 基于改进CUSUM算法的路由器异常流量检测[J]. 软件学报, 2005, 16(12): 93-99.

[28]Ambusaidi M A, Tan Z, He X, et al. Intrusion detection method based on nonlinear correlation measure[J]. International Journal of Internet Protocol Technology,2014,8(2-3): 77-86.

[29]Z. Tan, A. Jamdagni, X. He, et al. A system for denial-of-service attack detection based on multi-variate correlation analysis[J]. IEEE transactions on parallel and distributed systems,2013,25(2):447-456.

[30]Jianliang M, Haikun S, Ling B. The application on intrusion detection based on k-means cluster algorithm[C]//2009 International Forum on Information Technology and Applications. IEEE, 2009,1:150-152.

[31]Mazel J, Casas P, Fontugne R, et al. Hunting attacks in the dark: clustering and correlation analysis for unsupervised anomaly detection[J]. International Journal of Network Management, 2015, 25(5):283-305.

[32]刘璐璐. 基于多分类支持向量机的网络异常流量检测方法[D]. 秦皇岛:燕山大学, 2021.

[33]徐洪平,马泽文,易航,张龙飞.基于卷积循环神经网络的网络流量异常检测技术[J].信息网络安全,2021,21(07):54-62.

[34]Estévez P A, Tesmer M, Perez C A, et al. Normalized mutual information feature selection[J]. IEEE Transactions on neural networks, 2009, 20(2): 189-201.

[35]张俐, 王枞, 郭文明. 利用近似马尔科夫毯的最大相关最小冗余特征选择算法[J].西安交通大学学报, 2018, 52(10): 147-151.

[36]HE Hongyan, HUANG Guoyan, ZHANG Bing, et al. Intrusion Detection Model Based on Extra Trees-recursive Feature Elimination and LightGBM[J]. Netinfo Security, 2022, 22(1): 64-71.

[37]张戈, 王建林. 基于混合ABC和CRO的高维特征选择方法[J]. 计算机工程与应用, 2019, 55(11):93-101.

[38]Setiono R, Liu H. Neural-network feature selector[J]. IEEE transactions on neural networks, 1997,8(3):654-662.

[39]Xu P, Lin S. Internet traffic classification using C4.5 decision tree. Journal of Software, 2009,20(10): 2692−2704.

[40]LeCun Y, Bengio Y. The handbook of brain theory and neural networks. chapter Convolutional Networks for Images, Speech, and Time Series[J]. MIT Press, Cambridge, MA, USA, 1998, 3: 255-258.

[41]刘金来. 深度学习模型在网络流量分类中的应用研究[D]. 哈尔滨:哈尔滨理工大学, 2018.

[42]Javed A R, Usman M, Rehman S U, et al. Anomaly detection in automated vehicles using multistage attention-based convolutional neural network[J]. IEEE Transactions on Intelligent Transportation Systems,2020, 22(7):4291-4300.

[43]Lotfollahi Mohammad, Siavoshanimahdi J, Zaderamin S H, et al. Deep packet: a novel approach for encrypted traffic classification using deep learning[J]. Soft Computing, 2019,24(3):1999-2012.

[44]王勇, 周慧怡, 俸皓, 等.基于深度卷积神经网络的网络流量分类方法[J]. 通信学报, 2018, 39(1): 14-23.

[45]LIU Yuefeng, WANG Cheng, ZHANG Yabin, et al. Multiscale convolutional CNN model for network intrusion detection[J] Computer Engineering and Applications, 2019,55(3):90-95.

[46]田伟宏, 李喜旺, 司志坚. 基于长短期记忆网络的工控网络异常流量检测[J]. 计算机系统应用, 2020, 29(09): 266-271.

[47]Kim T Y, Cho S B. Web traffic anomaly detection using C-LSTM neural networks[J]. Expert Systems with Applications, 2018, 106: 66-76.

[48]杭梦鑫, 陈伟, 张仁杰. 基于改进的一维卷积神经网络的异常流量检测[J]. 计算机应用, 2021, 41(2): 433-441.

[49]Zhang Y, Chen X, Guo D, et al. PCCN: parallel cross convolutional neural network for abnormal network traffic flows detection in multi-class imbalanced network traffic flows[J]. IEEE Access, 2019, 7: 119904-11991.