
Research On Anomaly Detection Techniques Based On Netflow Network Traffic

Posted on: 2015-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhao
GTID: 2298330422970343
Subject: Master of Engineering
Abstract/Summary:
With the rapid development of the Internet, networks have spread widely into various fields. Today the network is everywhere, and our lives have become inseparable from it, whether for office work or entertainment; it has become part of people's daily work and life. The rapid development of network technology has also brought a series of network security problems, for example network attacks, Trojan attacks, and the spread of viruses. People have started to attach importance to this question, and traditional intrusion detection systems have been unable to meet the needs of the current high-speed network environment. Against this background, this paper carries out its research work.

Firstly, this paper studies methods of acquiring network traffic and describes the basic principles of the SNMP, network probe, and NetFlow collection methods. We then analyze the advantages and disadvantages of these techniques and, based on the results of that analysis, study the NetFlow collection method in depth. Secondly, we choose NetFlow as the collection method and put forward an anomaly detection algorithm based on a clustering algorithm. By analyzing the inter-related characteristics of abnormal traffic priorities, we design the clustering-based anomaly detection around those characteristics. Its evaluation criteria are similarity and connectivity, and the quality of the clustering algorithm is improved by combining these two classes of criteria with a high standard. Thirdly, the paper designs and implements a model of a network traffic anomaly detection system. The model includes a data acquisition module, an information statistics module, an anomaly detection module, and an alarm and information presentation module.

The data acquisition module takes the NetFlow data exported from routers for testing and data processing, and stores the processed data in the database. The information statistics module aggregates and processes the collected statistics, stores them in the database, and presents the resulting statistical information to the user. The anomaly detection module mainly performs traffic anomaly detection; it can detect and locate the host with anomalous traffic. Through testing and simulation of the system, we can explore and detect network traffic anomalies and locate the abnormal host.
Keywords/Search Tags:Network Traffic, Anomaly Detection, NetFlow Clustering Algorithm, Traffic Analysis