Detection And Prediction Of Network Traffic Anomaly

Posted on: 2004-10-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B X Zou
GTID: 1118360185495656
Subject: Computer architecture

Abstract/Summary:
As computer network technology develops and networks grow, network topology becomes more intricate, network devices become more complicated, and the number of services provided by the network increases. All of this leads to more faults and performance problems in the network. To detect network anomalies in time, alarms must be generated when the network behaves anomalously so that the manager can keep the network in good order. Networks must therefore be monitored continuously. Network anomaly detection is a key part of network monitoring, and whether anomalies are detected accurately is very important for improving network availability and reliability.

This thesis presents some new methods to detect network anomalies. To improve the ability to detect network anomalies and identify their causes, we also present a method to predict traffic anomaly (overload) so that an alarm can be raised before the problem happens. The main innovations of this thesis lie in the following three aspects.

The first is the Residual Ratio detection method, a new method that aims at detecting abrupt changes in network traffic. Because the ARMA model is well suited to describing and analyzing anomalous behavior in time series, the ARMA model and the likelihood ratio test are used to derive a new detection method for network traffic anomalies, namely the residual ratio detection method. Experiments show that this method can detect abrupt traffic changes in networks (see figures 4.11-4.12 and 4.15-4.18). The traffic observations are sampled at 15-second intervals, so that some subtle changes may be detected. The computation of this method is simple, which is an advantage in practice.

The second is prediction of network traffic. Prediction of network traffic is applied not only to network management, optimization and admission control, but also to network monitoring. A traffic overload means that the traffic at a network node exceeds a given threshold. Traffic overload can be considered a kind of anomalous network behavior. During network monitoring, an alarm can be generated in advance if a traffic overload is predicted, which gives the manager more time to analyze and solve the problem. This changes the management style from reactive to proactive. The traffic model used for the predictive method is the...
Keywords/Search Tags: network anomaly, anomaly detection, traffic overload prediction, stabilize