
Study On Detecting Network Anomaly And Tracing Back Abnormal TCP Packets

Posted on: 2010-10-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: N Chen
Full Text: PDF
GTID: 1118360302971127
Subject: Computer application technology
Abstract/Summary:
Network anomalies are usually caused by malicious behaviour such as distributed denial-of-service (DDoS) attacks and network scanning, and they severely disrupt network operations. Researchers have proposed many ways to detect and block them, including threshold-based, feature-based and statistics-based approaches. Most of these methods, however, ignore the digital forensics questions that matter in a network crime: when the attack took place, what kind of attack it was, and which host launched it. An effective detection and trace-back method therefore has theoretical significance and practical value for network tracing, network forensics and the fight against network crime.

Building on the self-similarity of network traffic at large time scales, and on the relationship at small time scales between abnormal traffic, the wavelet-transform modulus maxima and the Lipschitz exponent, we present a wavelet-based method for detecting and locating network traffic anomalies. Detection is based on changes in the Hurst parameter, which is estimated with the variance-of-wavelet-coefficients method. Once an anomaly is detected, the method uses the relationship between signal singularities and the Lipschitz exponent, computes the Lipschitz exponent quickly with the wavelet transform, and locates the time of the traffic anomaly from the change in the exponent.

About 90% of network traffic consists of TCP (Transmission Control Protocol) flows, so TCP dominates the traffic. Therefore, after detecting a traffic anomaly and locating its time, we concentrate on the TCP protocol and on TCP flows, and give an anomaly detection and analysis method based on the correlation coefficient matrix.
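The wavelet step described above, as an added example rather than the dissertation's own code: an undecimated (translation-invariant) Haar transform, a Hurst estimate from the scale-wise variance of the coefficients, and singularity location plus a Lipschitz-exponent estimate from the wavelet modulus maxima. The input is a per-bin traffic volume series (for example packets per 10 ms); the series used here is constructed Gaussian noise with a level shift (a flood switching on) and a single-bin spike, not real traffic, and the scale ranges and the use of the Haar wavelet are this example's choices, not necessarily the dissertation's.

```python
"""Wavelet tools for detecting and locating a traffic anomaly (added example).
Uses an undecimated Haar transform so that a singularity produces a coefficient
chain at every scale regardless of where it sits relative to dyadic blocks."""
import math
import random


def haar_undecimated(x, j):
    """Translation-invariant Haar coefficients at scale j (support 2**j samples):
    W_j[n] = 2**(-j/2) * (sum of the 2**(j-1) samples before n
                         - sum of the 2**(j-1) samples from n on).
    Returns W_j[n] for n = h .. len(x)-h with h = 2**(j-1); list index i is n = i + h."""
    h = 1 << (j - 1)
    prefix = [0.0]
    for v in x:
        prefix.append(prefix[-1] + v)
    norm = 2.0 ** (-j / 2)
    return [norm * ((prefix[n] - prefix[n - h]) - (prefix[n + h] - prefix[n]))
            for n in range(h, len(x) - h + 1)]


def _slope(xs, ys):
    """Least-squares slope of ys against xs."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return (sum((a - mx) * (b - my) for a, b in zip(xs, ys))
            / sum((a - mx) ** 2 for a in xs))


def hurst_estimate(x, j_min=1, j_max=None):
    """Variance-of-wavelet-coefficients estimator.  For a self-similar (fGn-like)
    series with Hurst parameter H, Var(W_j) ~ 2**(j*(2H-1)), so
    H = (slope of log2 Var(W_j) against j + 1) / 2.  White noise gives H ~ 0.5,
    long-range-dependent traffic H > 0.5."""
    if j_max is None:
        j_max = int(math.log2(len(x))) - 5   # keep >= 32 windows at the coarsest scale
    js, logvars = [], []
    for j in range(j_min, j_max + 1):
        w = haar_undecimated(x, j)
        js.append(j)
        logvars.append(math.log2(sum(v * v for v in w) / len(w)))
    return (_slope(js, logvars) + 1) / 2


def locate_singularity(x, j=1):
    """Position n of the largest |W_j[n]|: the wavelet modulus maximum marks the
    bin where the traffic changes abruptly."""
    h = 1 << (j - 1)
    w = haar_undecimated(x, j)
    return max(range(len(w)), key=lambda i: abs(w[i])) + h


def lipschitz_exponent(x, n0, j_max=6):
    """Lipschitz exponent alpha at position n0 from the decay of the modulus
    maxima across scales: inside the cone of influence of n0,
    max |W_j| ~ 2**(j*(alpha + 1/2)), so alpha = slope - 1/2.
    alpha ~ 0 for a step, ~ -1 for an isolated spike, >= 1 where the signal is smooth."""
    js, logmax = [], []
    for j in range(1, j_max + 1):
        h = 1 << (j - 1)
        w = haar_undecimated(x, j)
        lo, hi = max(0, n0 - 2 * h), min(len(w), n0 + 1)   # n in [n0-h, n0+h] -> i = n-h
        js.append(j)
        logmax.append(math.log2(max(abs(v) for v in w[lo:hi])))
    return _slope(js, logmax) - 0.5


def constructed_series(n=8192, flood_at=5000, flood_height=50.0,
                       spike_at=2000, spike_height=200.0, seed=7):
    """Constructed test data, not measurements: unit Gaussian noise as the
    'normal' series, the same noise plus a level shift starting at flood_at,
    and the same noise plus a single-bin spike."""
    rng = random.Random(seed)
    base = [rng.gauss(0.0, 1.0) for _ in range(n)]
    flood = [v + (flood_height if i >= flood_at else 0.0) for i, v in enumerate(base)]
    spike = list(base)
    spike[spike_at] += spike_height
    return base, flood, spike


if __name__ == "__main__":
    base, flood, spike = constructed_series()
    print("H of white noise        : %.2f" % hurst_estimate(base))
    print("flood located at bin    : %d" % locate_singularity(flood))
    print("alpha at the flood onset: %.2f" % lipschitz_exponent(flood, 5000))
    print("alpha at the spike      : %.2f" % lipschitz_exponent(spike, 2000))
```

The exponent tells the two singularity types apart: a flood that switches on is a step (alpha near 0), while a single burst bin is spike-like (alpha near -1); a Hurst estimate that drifts away from the value established on quiet traffic is the trigger for running the localisation at all.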
The method relies on the packet integrity of TCP connection establishment and teardown: it exploits the quantitative correlation between the different packet types in TCP flows and estimates the health of the flows with a correlation coefficient matrix, without maintaining detailed state for each TCP connection. By choosing a suitable statistical time granularity, sample count and set of observed TCP packet types, we obtain the quantitative relationship between packet types in each time unit as a correlation coefficient matrix; changes in the correlation coefficients between the observed packet types reveal anomalous behaviour in the TCP flows and its type, which gives us network health checking together with anomaly detection and analysis.

Having found the traffic anomaly, located its time and identified the abnormal packets and behaviour, we turn to the requirement of tracing abnormal transport-layer packets back to their source, and give a method for tracing back abnormal TCP packets. The method stores and analyses clustering information about the five-tuple with an improved Bloom filter, the IHBF (Independent Hash Bloom Filter). After mining the clustering information of the five-tuple and its principal components from the data stream, and combining it with the characteristics of the known anomalous behaviour, we can finally trace the abnormal TCP packets to their source.

This research on network anomaly detection and trace-back has produced a series of academic results, and it contributes to improving network security and fighting network crime.
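The correlation-matrix check, as an added example that is not the dissertation's code. Per time unit it counts the TCP packet types whose numbers are tied together by the handshake and teardown (every accepted SYN is answered by a SYN/ACK, every completed connection ends with FIN segments), then computes the Pearson correlation matrix of those counts over a window of time units and reads the anomaly type off the pairs whose correlation has broken. The packet types observed, the 0.8 threshold, the two anomaly signatures and the per-unit counts are all assumptions constructed for this example, not values from the dissertation.

```python
"""Correlation-coefficient-matrix health check for TCP flows (added example)."""
import random

TYPES = ("SYN", "SYNACK", "FIN", "RST")
HEALTHY_MIN_CORR = 0.8   # assumed threshold; calibrate on quiet traffic


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length count series."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0            # a constant series carries no correlation information
    return cov / (va * vb) ** 0.5


def correlation_matrix(counts):
    """counts: {packet type: [count per time unit]}.  Returns {t1: {t2: r}}."""
    return {t1: {t2: pearson(counts[t1], counts[t2]) for t2 in TYPES} for t1 in TYPES}


def assess(counts):
    """Classify a window of per-time-unit counts from its correlation structure.
    Healthy traffic keeps SYN, SYN/ACK and FIN counts moving together; which
    pair breaks, and which type still tracks the SYNs, names the anomaly."""
    r = correlation_matrix(counts)
    if r["SYN"]["FIN"] >= HEALTHY_MIN_CORR and r["SYN"]["SYNACK"] >= HEALTHY_MIN_CORR:
        return "healthy"
    if r["SYN"]["RST"] >= HEALTHY_MIN_CORR:
        return "SYN scan"      # SYNs answered mostly by RSTs, few connections complete
    if r["SYN"]["SYNACK"] >= HEALTHY_MIN_CORR:
        return "SYN flood"     # handshakes opened and answered, never torn down
    return "anomalous (unclassified)"


def constructed_window(units=30, attack=None, seed=3):
    """Constructed per-time-unit counts (not a capture).  attack: None, 'flood' or 'scan'."""
    rng = random.Random(seed)
    counts = {t: [] for t in TYPES}
    for _ in range(units):
        c = rng.randint(80, 120)                        # completed connections this unit
        syn, synack, fin, rst = c, c, 2 * c, rng.randint(0, 5)
        if attack == "flood":
            f = rng.randint(500, 1500)                  # spoofed SYNs; the server still answers
            syn += f
            synack += f
        elif attack == "scan":
            s = rng.randint(200, 600)                   # probes: most ports closed -> RST
            syn += s
            rst += int(0.9 * s)
            synack += int(0.05 * s)
        for t, v in zip(TYPES, (syn, synack, fin, rst)):
            counts[t].append(v + rng.randint(-3, 3))    # retransmissions, timing jitter
    return counts


if __name__ == "__main__":
    for kind in (None, "flood", "scan"):
        window = constructed_window(attack=kind)
        r = correlation_matrix(window)
        print(kind or "normal", "->", assess(window),
              "r(SYN,FIN)=%.2f r(SYN,SYNACK)=%.2f r(SYN,RST)=%.2f"
              % (r["SYN"]["FIN"], r["SYN"]["SYNACK"], r["SYN"]["RST"]))
```

Nothing here keeps per-connection state: the matrix is recomputed from a few counters per time unit, which is what makes the check cheap enough for a backbone link. The time granularity and window length trade sensitivity against false alarms, so both must be chosen from quiet traffic before the thresholds mean anything.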
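The trace-back step, as an added example that is not the dissertation's IHBF: each router keeps, per time window, a Bloom filter of the five-tuples it forwarded, built from k independently keyed hash functions (blake2b with a different key per function) rather than from two hashes combined, which is what makes the bit positions independent. Given the anomaly time window found earlier and the five-tuple of an abnormal packet, trace-back walks upstream through the routers whose filter for that window contains the tuple. The topology, window id, filter size, hash count and five-tuples are constructed for this example; the clustering and principal-component analysis of the tuple fields that the abstract mentions is not reproduced here.

```python
"""Per-window Bloom-filter packet digests and trace-back of a five-tuple (added example)."""
import hashlib
import math


def five_tuple_key(src, dst, proto, sport, dport):
    """Canonical byte encoding of the transport five-tuple."""
    return f"{src}|{dst}|{proto}|{sport}|{dport}".encode()


class IndependentHashBloom:
    """Bloom filter whose k hash functions are k independently keyed hashes."""

    def __init__(self, m_bits=1 << 16, k=7):
        self.m, self.k, self.n = m_bits, k, 0
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key):
        # same input, k distinct MAC keys -> k independent bit positions
        for i in range(self.k):
            digest = hashlib.blake2b(key, digest_size=8, key=b"ihbf-%d" % i).digest()
            yield int.from_bytes(digest, "big") % self.m

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def __contains__(self, key):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))

    def false_positive_rate(self):
        """Expected false-positive probability after n insertions: (1 - e^(-kn/m))^k."""
        return (1.0 - math.exp(-self.k * self.n / self.m)) ** self.k


class Router:
    def __init__(self, name, upstream=()):
        self.name, self.upstream, self.windows = name, list(upstream), {}

    def record(self, window, key):
        """Digest a forwarded packet into this window's filter."""
        self.windows.setdefault(window, IndependentHashBloom()).add(key)

    def saw(self, window, key):
        f = self.windows.get(window)
        return f is not None and key in f


def trace_back(router, window, key):
    """All upstream paths along which `key` was forwarded during `window`, starting
    at `router` (the one nearest the victim).  Each path ends at the router beyond
    which no upstream neighbour holds a matching digest: the apparent ingress point."""
    if not router.saw(window, key):
        return []
    nxt = [r for r in router.upstream if r.saw(window, key)]
    if not nxt:
        return [[router.name]]
    return [[router.name] + path for r in nxt for path in trace_back(r, window, key)]


def build_example():
    """Constructed topology: the victim sits behind R3; R3 has upstream R2 and R4,
    R2 is fed by R1, R4 by R5.  Window 17 is the anomaly time found earlier."""
    r1, r5 = Router("R1"), Router("R5")
    r2, r4 = Router("R2", [r1]), Router("R4", [r5])
    r3 = Router("R3", [r2, r4])
    attack = five_tuple_key("203.0.113.9", "198.51.100.20", 6, 40001, 80)
    legit = five_tuple_key("192.0.2.77", "198.51.100.20", 6, 51234, 443)
    for r in (r1, r2, r3):
        r.record(17, attack)          # abnormal packets entered the network at R1
    for r in (r5, r4, r3):
        r.record(17, legit)           # a legitimate flow entered at R5
    return r3, attack, legit


if __name__ == "__main__":
    r3, attack, legit = build_example()
    print("abnormal packet :", trace_back(r3, 17, attack))
    print("legitimate flow :", trace_back(r3, 17, legit))
    print("wrong window    :", trace_back(r3, 18, attack))
```

Because the filter never stores the tuple itself, a router holds only a few kilobytes per window whatever the packet rate, and the source address in the packet is irrelevant to the walk, so spoofing does not defeat it. The cost is false positives: a path can acquire a spurious branch with probability given by `false_positive_rate()`, which is why `trace_back` returns every matching path rather than stopping at the first.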
Keywords/Search Tags: Network anomaly behavior, Anomaly detection and analysis, Trace back, Wavelet transform, Correlation coefficient matrix, Clustering