
Research On Network Traffic Analysis And Abnormal Detection Based On Fractal Theory

Posted on: 2013-09-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z M Xia
GTID: 1228330392451873
Subject: Communication and Information System

Abstract/Summary:
Network traffic analysis is an advanced and active topic in theoretical research on computer and network foundations, and it has significant scientific meaning and application value for understanding network behavior, improving network performance, and protecting network security. The computer network is a typical giant complex system. It presents many large-scale nonlinear dynamic behaviors (including chaos and fractal phenomena), social interactions (including competition, cooperation, deception, and fighting), and generalized metabolism behaviors (involving software, hardware, applications, etc.). The massive number of communication entities and the short-range nonlinear interactions between them make network traffic more and more complicated. So far, there is no mathematical model that describes network traffic behavior effectively. A linear superposition of traditional micro-based anomaly detection methods often does not agree with the complex behavior of the network. According to Gilder's law, as network bandwidth expands rapidly, the real-time and no-state-retention requirements of large networks will cause existing detection methods to suffer a high false alarm rate and a high missed alarm rate. It is therefore necessary to analyze network traffic characteristics accurately, objectively, and in real time, and to propose a new anomaly detection method to keep the network secure.

With the development of fractal theory, research on network traffic has advanced further. A large number of traffic monitoring results show that the self-similarity of network traffic exists widely in computer networks at any time, in any place, and in any network environment, and that this property is almost independent of network type, network scale, network topology, data transfer protocol, and network service. An anomaly detection method based on fractal analysis of network traffic will therefore have a higher detection rate, a lower false alarm rate, and the widest applicability. This thesis carries out further research in these areas, focusing mainly on the fractal character of network traffic and on anomaly detection technology, proposes some efficient solutions, and obtains several research achievements. The main achievements are as follows:

1. A non-stationary self-similar network traffic model is proposed, based on the non-stationarity and self-similarity of network traffic. Existing works assume that network traffic is stationary when modeling it, but traffic is not always stationary. We therefore first segment the non-stationary traffic at the positions where its self-similarity changes, then estimate the self-similarity parameter of each traffic piece, and then model each piece with a self-similar model from the traffic model library. The proposed traffic model overcomes the influence of non-stationarity when modeling self-similar traffic.

2. A DDoS attack detection method based on the variation of the Hurst parameter is proposed. When the variation between the real Hurst parameter and the estimated one exceeds the detection threshold, a DDoS attack is assumed to be happening. We also propose two methods to determine the detection threshold that indicates the occurrence of DDoS attacks. The detection rate associated with one method and the false alarm rate for the other method are also derived. The proposed detection method uses the Hurst parameter as the detection argument and needs no further analysis of the traffic data, only statistical analysis of the traffic length, so it has the merit of fast detection. In addition, the method is independent of any specific protocol or platform, so it has strong portability.

3. After further analysis of the Generalized Cauchy (GC) model, especially the change pattern of the fractal parameter D and the Hurst parameter H under DDoS attack, we propose a DDoS attack detection method and derive its detection principle. We also propose a method that enhances detection performance by fusing the results of the D detector and the H detector based on Dempster-Shafer fusion theory. By detecting with two arguments simultaneously, the proposed method is more efficient in detecting DDoS attacks, especially those of low and moderate intensity.

4. Taking advantage of fuzzy logic in decision making, we propose a DDoS attack detection and intensity determination method based on fuzzy logic. In this method, we first estimate the Hurst parameter before and after the DDoS attack and obtain the self-similarity variation HC. We then infer whether an attack exists, and its intensity, from the fuzzy decision rules. The proposed method can not only infer in real time whether an attack exists, but can also determine the attack time and intensity intelligently.
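The Hurst-variation detection idea from the abstract, as an added Python example that is not code from the thesis. The aggregated-variance estimator, the synthetic AR(1)-mixture baseline, the uniform flood model, the window length and the 0.15 threshold are all assumptions made here; the page does not show the thesis's own estimator or its threshold derivation.

```python
import math
import random

def hurst_aggvar(series, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Aggregated-variance estimate of H, using Var(block mean) ~ m^(2H-2)."""
    pts = []
    for m in block_sizes:
        means = [sum(series[i:i + m]) / m
                 for i in range(0, len(series) - m + 1, m)]
        mu = sum(means) / len(means)
        var = sum((x - mu) ** 2 for x in means) / (len(means) - 1)
        pts.append((math.log(m), math.log(var)))
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    slope = (sum((x - mx) * (y - my) for x, y in pts)
             / sum((x - mx) ** 2 for x, _ in pts))
    return 1 + slope / 2  # least-squares slope is 2H - 2

def baseline_traffic(n, rng):
    """Constructed per-interval byte counts with long memory:
    unit-variance AR(1) components at three time scales."""
    phis = (0.5, 0.9, 0.99)
    state = [rng.gauss(0, 1) for _ in phis]
    out = []
    for _ in range(n):
        state = [p * s + math.sqrt(1 - p * p) * rng.gauss(0, 1)
                 for p, s in zip(phis, state)]
        out.append(1000 + 50 * sum(state))
    return out

def with_flood(series, rng, peak=4000):
    """Constructed flood: uncorrelated extra load in every interval."""
    return [x + rng.uniform(0, peak) for x in series]

def detect(windows, h_ref, threshold=0.15):
    """Return (H, alarm) per window; alarm when |H - h_ref| > threshold."""
    hs = [hurst_aggvar(w) for w in windows]
    return [(round(h, 3), abs(h - h_ref) > threshold) for h in hs]

def demo(seed=7):
    rng = random.Random(seed)
    h_ref = hurst_aggvar(baseline_traffic(8192, rng))  # attack-free reference
    clean = baseline_traffic(8192, rng)
    attack = with_flood(baseline_traffic(8192, rng), rng)
    return h_ref, detect([clean, attack], h_ref)

if __name__ == "__main__":
    print(demo())
```

The detector compares the absolute change in H because this page does not state in which direction H moves under attack; in the constructed data the uncorrelated flood pulls H toward 0.5.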
Keywords/Search Tags: Network traffic, fractal, self-similarity, Hurst parameter, discrete wavelet transform, Schwarz information criterion, abnormal detection, Generalized Cauchy model, fuzzy logic