基于核密度估计的轻量级物联网异常流量检测方法

Kernel Density Estimation-based Lightweight IoT Anomaly Traffic Detection Method

为了有效应对僵尸网络对家庭和个人物联网的安全威胁,尤其针对家用环境中用于异常检测的资源不足的客观问题,提出了一种基于核密度估计的轻量级物联网异常流量检测(Kernel Density Estimation-based Lightweight IoT Anomaly Traffic Detection,KDE-LIATD)方法。首先,KDE-LIATD方法使用高斯核密度估计方法估计了训练集中正常样本每一维特征的特征值概率密度函数以及对应的概率密度;然后,提出了基于核密度估计的特征选择算法(Kernel Density Estimation-based Feature Selection Algorithm,KDE-FS),获得了对异常检测贡献突出的特征,从而在提升异常检测准确率的同时降低了特征维度;最后,通过三次样条插值方法计算测试样本的异常评估值并进行异常检测,这一策略极大地减少了使用核密度估计方法计算测试样本异常评估值时所需要的计算开销与存储开销。仿真实验结果表明,提出的KDE-LIATD方法在面向异构的物联网设备的异常流量检测方面具有比较强的鲁棒性和兼容性,能够有效地对家庭和个人物联网僵尸网络的异常流量进行检测。

In order to effectively deal with the security threats of home and personal Internet of Things(IoT)bot nets,especially for the objective problem of insufficient resources for anomaly detection in the home environment,a kernel density estimation-based lightweight IoT anomaly traffic detection(KDE-LIATD)method is proposed.Firstly,the KDE-LIATD method uses a Gaussian kernel density estimation method to estimate the probability density function and corresponding probability density of each dimension feature value of thenormal samples in the training set.Then,a kernel density estimation-based feature selection algorithm(KDE-FS)is proposed to obtain features that contribute significantly to anomaly detection,thereby reducing the feature dimension while improving the accuracy of anomaly detection.Finally,the cubic spline interpolation method is used to calculate the anomaly evaluation value of the test sample and perform anomaly detection.This strategy greatly reduces the computational overhead and storage overhead required to calculate the anomaly evaluation value of the test sample using the kernel density estimation method.Simulation experiment results show that the KDE-LIATD method has strong robustness and strong compatibility for anomaly traffic detection of heterogeneous IoT devices,and can effectively detect abnormal traffic in home and personal IoT bot nets.