
Research On Distributed Stealthy Traffic Anomaly Detection Methods In Backbone Network

Posted on: 2011-07-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z L Li
GTID: 1118360308965903
Subject: Communication and Information System

Abstract/Summary:
With the rapid development of network communication technology, backbone network bandwidth continues to grow, the information carried by the network becomes more and more diverse, and the network management problems caused by anomalous traffic become more and more complex. A distributed network traffic anomaly is abnormal traffic behavior caused by the same source on many links of the network, e.g. DDoS (Distributed Denial of Service), worm propagation, flash crowds and network failures. Usually a distributed traffic anomaly shows no obvious anomalous features on any single link: compared with the background traffic in a backbone network, the anomalous traffic may be stealthy and hard to detect. However, the sum of the anomalous traffic over many links can be dominant, seriously affecting network performance and harming normal operation. Accurate detection of distributed stealthy traffic anomalies is the groundwork of network security and is of great significance for enhancing the emergency response capability of communication network systems; it is also a cutting-edge scientific issue of common concern to the network security field in both academia and industry.

In this thesis, we first systematically review existing traffic anomaly detection methods, then develop several detection methods from different points of view by exploiting the temporal and spatial characteristics of distributed stealthy traffic anomalies, using statistical analysis and signal processing techniques. The innovative achievements of this thesis are as follows:

1. A network traffic anomaly temporal detection method based on the cascade model is proposed

By studying the influence of anomalous traffic on the estimation of the cascade model through wavelet transform modulus maxima, a quantitative scheme is devised to measure the impact of an anomaly on the cascade model of normal behavior. This method is more sensitive to small anomalous traffic and can accurately detect anomalies that do not change the Hurst parameter evidently; it is therefore advantageous for early-stage detection. Compared with methods based on the self-similar model, our method is capable of detecting anomalies with lower volume.

2. A network-wide correlation analysis method against distributed stealthy traffic anomaly is proposed

A fast sliding-window algorithm for instantaneous parameters is proposed to speed up the computation of the instantaneous frequency and instantaneous amplitude of the traffic signal. Estimates of the instantaneous parameters are obtained by time series model prediction, the anomalous space is taken as the difference between the observations and the estimates of the instantaneous parameters, and correlation analysis among the anomalous spaces is then performed to reveal stealthy anomalies distributed over different links. Evaluation demonstrates that this method has higher statistical detection performance and is more sensitive to a small anomaly on a single link, and that it overcomes the limitation of network-wide PCA (Principal Component Analysis), which fails to detect anomalies with strong correlations.

3. A multi-scale spatial detection method for distributed stealthy traffic anomaly based on information from a single node is proposed

It first performs multi-scale wavelet packet analysis separately on the multiple links of a single node, to obtain the abnormal frequency ranges in different time sections and reconstruct signals with anomalous features. Points in a high-dimensional space are then formed from the anomalous features of different links at the same time, and the degree of deviation of the high-dimensional vectors composed of the reconstructions is evaluated by kernel density estimation. Simulation results show that our method can detect a small anomaly on an individual link and performs better than the existing distributed detection method.

4. A direct detection method against distributed stealthy traffic anomaly using link measurement is proposed

Traditional OD (Origin-Destination) based detection methods usually involve two steps: first, OD flows are inferred from link measurements; then network-level characteristic parameters are computed from the OD inference. In contrast, a direct detection method against distributed stealthy traffic anomaly is proposed, which uses a recurrent multilayer perceptron neural network to obtain OD-level characteristic parameters directly from link traffic. The benefit of this method is that it avoids the inference error that OD-based methods incur during traffic matrix estimation. In simulation, we compare detection results based on existing direct and indirect measurement methods with ours, and show that our method allows distributed traffic anomaly detection with directly available measurements and solves the problem of inference error in OD-based methods.
Keywords/Search Tags: Distributed Stealthy Traffic Anomaly, Traffic Modeling, Spatial Detection, Anomaly Correlation, Multi-scale Analysis
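
The cross-link correlation step of contribution 2, as an added Python example (not code from the thesis): each link's residual between observation and prediction is correlated with the other links' residuals over a sliding window. It simplifies the thesis's method by using raw traffic volume and a moving-average predictor in place of instantaneous frequency/amplitude and a time series model; the Walsh-wave traffic, the anomaly interval, the 0.2 threshold and all function names are constructed for illustration.

```python
from itertools import combinations
from math import sqrt

PERIOD, WINDOW, LINKS = 8, 16, 6
ATTACK = range(96, 160)  # constructed: samples that carry the shared anomaly

def walsh(i, t):
    """+1/-1 square wave; rows 1..7 are zero-mean and mutually orthogonal."""
    return -1 if bin(i & (t % PERIOD)).count("1") % 2 else 1

def make_links(n=256):
    """Constructed data: base +/-50 background per link, plus a shared pulsed 0/60 anomaly."""
    def sample(i, t):
        extra = 30 * (1 + walsh(7, t)) if t in ATTACK else 0
        return 1000 + 100 * i + 50 * walsh(i, t) + extra
    return [[sample(i, t) for t in range(n)] for i in range(1, LINKS + 1)]

def residuals(series):
    """Observation minus prediction (assumed predictor: mean of last PERIOD samples)."""
    return [series[t] - sum(series[t - PERIOD:t]) / PERIOD
            for t in range(PERIOD, len(series))]

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / sqrt(va * vb) if va and vb else 0.0

def per_link_peak_z(res, train=56):
    """Largest single-link |residual| in units of that link's clean-period RMS."""
    return max(max(abs(x) for x in r) / sqrt(sum(x * x for x in r[:train]) / train)
               for r in res)

def correlated_windows(res, threshold=0.2):
    """Sample indices whose trailing WINDOW of residuals has a mean pairwise
    cross-link correlation above the threshold."""
    alarms = []
    for end in range(WINDOW, len(res[0]) + 1):
        rho = [pearson(a[end - WINDOW:end], b[end - WINDOW:end])
               for a, b in combinations(res, 2)]
        if sum(rho) / len(rho) > threshold:
            alarms.append(end - 1 + PERIOD)  # residual index -> sample index
    return alarms

if __name__ == "__main__":
    res = [residuals(s) for s in make_links()]
    print("peak per-link z:", round(per_link_peak_z(res), 2))
    print("alarm samples:", correlated_windows(res))
```

On this constructed data the largest single-link deviation is 2.2 standard deviations, below a 3-sigma per-link alarm, while the mean cross-link correlation rises from 0 to about 0.26 for windows inside the anomaly.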