Journal of Computer Applications ›› 2013, Vol. 33 ›› Issue (10): 2846-2850.
• Information security •
YE Xiaolong,LAN Julong,GUO Tong
冶晓隆,兰巨龙,郭通
Abstract: Real network traffic contains a large number of features, and anomaly detection methods based on feature analysis are not suitable for classifying high-dimensional features. An anomaly detection method based on Principal Component Analysis and Tabu Search (PCA-TS) combined with decision tree classification was proposed. The method reduced the high-dimensional features and selected an optimal feature subset suitable for classification through the PCA-TS algorithm; a decision tree, with its higher detection rate and lower false rate, was then used for classification and detection based on semi-supervised learning. The experiment shows that the approach has higher detection accuracy and a lower false rate than traditional anomaly detection methods, that its detection performance is less affected by sample size, and that it is suitable for real-time detection of unknown anomalies.
Key words: anomaly detection, decision tree, feature selection, Principal Component Analysis (PCA), Tabu Search (TS)
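Abstract (translated from the Chinese): Real network traffic includes a large number of feature attributes, and existing anomalous-traffic detection methods based on feature analysis cannot meet the requirements of high-dimensional feature analysis. An anomalous-traffic detection method is proposed that combines a traffic feature selection algorithm based on principal component analysis and tabu search (PCA-TS) with decision tree classification. PCA-TS performs feature reduction and near-optimal feature subset selection on the high-dimensional features, providing effective low-dimensional feature attributes for the decision tree classifier; combined with the decision tree's advantages of high classification accuracy and processing efficiency, semi-supervised learning is used to detect anomalous traffic in real time. Experiments show that, compared with traditional anomaly detection methods, this method has higher detection accuracy and a lower false detection rate, its detection performance is little affected by sample size, and it can effectively detect unknown anomalies.
Key words (translated from the Chinese): anomaly detection, decision tree, feature selection, principal component analysis, tabu search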
CLC Number: TP393.08
YE Xiaolong, LAN Julong, GUO Tong. Network anomaly detection method based on principle component analysis and tabu search and decision tree classification[J]. Journal of Computer Applications, 2013, 33(10): 2846-2850.
冶晓隆 兰巨龙 郭通. 基于主成分分析禁忌搜索和决策树分类的异常流量检测方法[J]. 计算机应用, 2013, 33(10): 2846-2850.
URL: https://www.joca.cn/EN/
https://www.joca.cn/EN/Y2013/V33/I10/2846