Behavior Analysis Based Traffic Anomaly Detection And Correlation Analysis For Communication Networks

Posted on: 2014-07-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y J Zhou
Full Text: PDF
GTID: 1268330401467853
Subject: Communication and Information System
Abstract/Summary:
As information technology and telecommunication technology are continuously improved and widely adopted, the data traffic carried on communication networks keeps increasing, and the structure and applications of communication networks are increasingly complex. To guarantee the safe and efficient operation of communication networks, it is necessary to capture the root cause of abnormal events by analyzing and detecting the network operation condition in a real-time, accurate manner. Traffic anomaly detection effectively discovers abnormal network events, and correlation analysis unveils their root causes. The research is important for improving the emergency response ability of communication networks. It is also a frontier area of current concern to both academia and industry.

Based on network traffic behavior analysis, this thesis analyzes the different characteristics of network traffic behaviors in space and time. Combining data mining and signal processing techniques, the thesis studies traffic anomaly detection and correlation analysis in communication networks. The achievements are as follows:

1. Behavior characteristic parameter extraction for communication network traffic

A characteristic parameter extraction method based on traffic decomposition for communication network traffic behaviors is proposed. Compared with existing network traffic behavior characteristic parameters, the characteristics extracted on the subsets of traffic can describe more details of the traffic behavior while still satisfying the real-time requirement.

2. Single PoP based communication network abnormal traffic behavior detection

(1) A detection method based on the mining of time-series graphs is proposed. The method can effectively detect abnormal traffic behaviors by quantizing the relationships between the multiple time series used in abnormal traffic behavior detection.

(2) A method based on the entropy of traffic behavior characteristics to detect DoS and DDoS attacks is presented. By using both coarse and fine-grained characteristic parameters to analyze the traffic data, the proposed method can accurately extract the flows related to the attack, while the real-time requirement of detection is guaranteed.

3. Distributed abnormal traffic behavior detection in communication networks

(1) A method based on time-series graph mining is proposed for detecting distributed abnormal traffic behaviors in communication networks. The proposed method uses graphs to describe behavior characteristic parameters and their relationships, and mines the graphs to reveal the underlying relationships between the behavior characteristics on multiple links. It effectively improves on the accuracy of existing methods for abnormal behavior detection.

(2) A system based on traffic characteristic analysis for distributed abnormal traffic behavior detection is designed. In the system, a series of data mining techniques are used to analyze traffic behavior characteristics and their abnormal representations in the logical topology. The purpose of using data mining techniques is to model and detect distributed abnormal traffic behaviors. Compared with existing methods, the system can differentiate independent abnormal traffic behaviors from correlated abnormal traffic behaviors.

(3) A method based on multi-time series analysis for distributed abnormal traffic behavior detection is presented. By analyzing the time series formed by the changes of traffic data over time on multiple links, this method reduces the interference of background traffic in abnormal behavior detection. Also, it does not need an estimation of the global traffic matrix, nor does it consume a large amount of network resources for communication between PoPs.

4. Correlation analysis and recognition for abnormal traffic behaviors in communication networks

(1) An algorithm based on characteristic correlation analysis for detecting abnormal traffic behavior is proposed. By using the correlation between the volume-based behavior characteristics and the entropy-based behavior characteristics in the subsets of traffic, the validity of the correlation between abnormal traffic behaviors and their characteristics is guaranteed, and the abnormal behavior is thus effectively recognized.

(2) A method based on the correlation analysis of user behaviors to detect abnormal behaviors in a smart grid is presented. The advantage of the method is that it utilizes the correlation in time of the similar behaviors of different electricity consumers. Compared with existing methods, the measurements needed for this method can be obtained directly from normal smart meters, without the need to guarantee a set of reliable measurements.
Keywords/Search Tags: network anomaly detection, correlation analysis, behavior analysis, traffic behavior characteristic extracting, time-series graph mining