Research On Classification Of Burst Anomalous Traffic Based On Aggregated Flow

Posted on: 2021-11-16
Degree: Master
Type: Thesis
Country: China
Candidate: Q F Zhang
GTID: 2518306476953079
Subject: Cyberspace security

Abstract/Summary:
The behavior of traffic on an Internet backbone link has a certain regularity, which can be broken by burst anomalous network traffic. Detecting changes in the regularity of traffic behavior can therefore be used to locate burst anomalous network traffic, which is mainly caused by malicious network attack behavior, scan activity, sudden massive flows and so on. Detecting and responding to burst anomalous network traffic in time is of great significance for network management. Based on the flow records of large-scale network boundaries, this thesis studies the detection and classification of burst anomalous network traffic, tested and verified on the boundary of the Nanjing main node network of CERNET. The research work in this thesis mainly focuses on the following aspects:

1) Machine-learning-based anomalous traffic classification is difficult to apply in an actual network environment because of the problem of constructing a standard dataset. Therefore, the classification target for burst anomalous network traffic and the appropriate classification method are discussed first, and the classification measures for the classification target are constructed. Then, a scheme for classifying burst anomalous network traffic is designed on the basis of a supervised learning method. The scheme can effectively use the unlabeled anomalous traffic data in the actual network environment to construct the standard dataset, and so construct a classifier that classifies burst anomalous network traffic with high confidence.

2) The core algorithm of the detection module for detecting burst anomalous network traffic based on port traffic distribution, which is deployed on the boundary of the Nanjing main node network of CERNET, is improved and extended. The improvement optimizes the normal distribution model of the original detection module and increases the scalability of the model. The effectiveness and availability of the improved model are verified by comparison experiments. In addition, the extended model can effectively detect anomalous traffic and extract abnormal flows during the test.

3) A two-stage algorithm is designed and implemented to construct a high-confidence dataset of burst anomalous network traffic for the classification target. The algorithm consists of a strong rule matching stage and a semi-supervised learning model (TTSLM) expansion stage. It takes the unlabeled anomalous traffic data in the actual network environment as input and, after processing in the two stages, outputs the high-confidence standard dataset of burst anomalous network traffic for the classification target.

4) A classification-target-oriented training process for the burst anomalous network traffic classifier is designed, which can overcome the multi-label problem. The optimal classifier of burst anomalous network traffic is then trained successfully using the standard dataset constructed by the two-stage algorithm; it can classify detected burst anomalous network traffic based on the analysis of flow records. Finally, the classifier is deployed on the boundary of the Nanjing main node network of CERNET to classify burst anomalous network traffic in a timely manner in a high-speed network environment. The test in the real network environment shows that the classifier could accomplish the task.
Keywords/Search Tags: network management, anomaly detection, burst anomalous network traffic, machine learning