Research On Network Anomaly Detection Method Based On Multi-level Traffic Characteristic

Posted on: 2022-01-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Q Liu
GTID: 1488306536998919
Subject: Computer Science and Technology
Abstract/Summary:
The frequent occurrence of diverse attacks poses a serious threat to network security. Rapidly and accurately detecting attacks from network traffic is of great significance for protecting network security and stability. However, existing network traffic anomaly detection methods cannot effectively detect more hidden and complex attacks. In addition, redundant intermediate steps result in a large detection delay. Meanwhile, high bandwidth increases the difficulty of storing and processing network traffic. Based on the multi-level characteristics of network traffic, and combining statistical analysis, machine learning and deep learning technology, this paper studies in depth the ability of basic packet features and basic flow features to detect DDoS attacks, and further analyzes the ability of deep flow features to uncover complex attacks, so as to achieve effective detection of multiple attacks in edge and core networks.

Firstly, a low-rate DDoS attack detection method based on IP flows is proposed to address the difficulty of accurately detecting the small number of hidden IP flows in low-rate DDoS attacks. The method designs a new multi-dimensional sketch aggregation and compression structure to effectively reduce the cost of data storage in high-speed networks. A behavior divergence measurement method based on a rearranged Daub4 wavelet transform is proposed to calculate the energy proportion value of the sketch deviation. On this basis, a dynamic threshold mechanism based on an improved exponentially weighted moving average method and a traffic freezing mechanism are built to accurately discriminate the energy proportion value. This method achieves effective detection of low-rate DDoS attacks.

Secondly, a fast all-packets-based DDoS attack detection method is proposed for the edge network to address the large detection delay and low detection accuracy caused by IP flow generation with sampling technology. A new time-series network graph model based on network packets is designed, and the standard network graph set is defined. From the constructed network graphs, a network graph difference measurement model based on the directed Weisfeiler-Lehman graph kernel is constructed to measure the difference between the current network graph and the standard network graph set. Then, a dynamic network threshold is built with the improved exponentially weighted moving average method to test the graph difference value and identify DDoS attacks. This method achieves real-time detection of DDoS attacks of different types and attack rates in the edge network.

Thirdly, a lightweight DDoS attack detection method based on all packets is designed for the core network to address the large detection delay of flow-based methods, the difficulty of storing and processing massive traffic, and the difficulty of obtaining real DDoS attack traffic to construct a traditional supervised classification model. The method builds a new probabilistic storage model, called the square sketch, which has the advantages of parallelization, accumulation and re-compression. On the basis of the square sketch, an all-packets mapping model is proposed. Using the re-compression property, compression square sketches are obtained. Then, considering only the compression square sketches of the normal network, an adversarial learning model is used to construct a one-class classifier, and the DDoS attack detection model based on the adversarial one-class classifier is established. In short, a low-consumption, real-time DDoS attack detection method is achieved.

Then, a network anomaly detection method based on data balance and recursive feature selection is proposed to achieve high detection accuracy and a low false alarm rate on massive, unbalanced and high-dimensional network flows. First, a data balance algorithm based on improved KNN outlier detection is proposed to select representative data, and a recursive feature addition algorithm combined with correlation analysis is constructed to select important features. After this processing, balanced, low-dimensional network flow data is obtained. The random forest model is used as the classification model for network anomaly detection. This method achieves accurate classification and recall of network attack behaviors.

Finally, to evaluate the performance of the attack detection methods proposed in this paper, accuracy, detection rate, false alarm rate and other evaluation indicators are applied. Analysis and evaluation are carried out on several simulated and real DDoS attack datasets and benchmark network anomaly datasets. Comparison with several existing methods illustrates the effectiveness of the proposed methods.
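
An added illustration (not code from the dissertation) of the dynamic-threshold idea the abstract names: a plain EWMA mean/variance threshold over per-window deviation scores, with baseline updates frozen while an alarm is active. The abstract does not specify the "improved" EWMA or the freezing rule, so the class name, parameter values, freeze interpretation and sample scores below are all assumptions.

```python
# Added example, not the dissertation's code: a plain EWMA threshold with a freeze rule.
from dataclasses import dataclass


@dataclass
class EwmaThreshold:
    alpha: float = 0.2     # smoothing factor (assumed)
    k: float = 3.0         # alarm when score > mean + k * std (assumed)
    warmup: int = 5        # leading windows used only to learn the baseline
    min_std: float = 0.02  # floor so a very flat baseline does not alarm on noise
    freeze: bool = True    # assumed freeze rule: alarmed windows never update the baseline
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def threshold(self) -> float:
        return self.mean + self.k * max(self.var ** 0.5, self.min_std)

    def _learn(self, score: float) -> None:
        # Incremental exponentially weighted mean and variance.
        if self.seen == 0:
            self.mean = score
        else:
            diff = score - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.seen += 1

    def observe(self, score: float) -> bool:
        """Return True when this window's score exceeds the current threshold."""
        if self.seen < self.warmup:
            self._learn(score)
            return False
        alarm = score > self.threshold()
        if not (alarm and self.freeze):
            self._learn(score)
        return alarm


def alarmed_windows(scores, freeze=True):
    det = EwmaThreshold(freeze=freeze)
    return [i for i, s in enumerate(scores) if det.observe(s)]


# Constructed per-window deviation scores: quiet baseline, then a three-window burst.
SCORES = [0.10, 0.12, 0.11, 0.09, 0.10, 0.11, 0.10, 0.45, 0.50, 0.48, 0.12, 0.10]

if __name__ == "__main__":
    print("freeze on :", alarmed_windows(SCORES))
    print("freeze off:", alarmed_windows(SCORES, freeze=False))
```

With freezing on, all three burst windows are flagged; with it off, the first burst window inflates the learned mean and variance enough that the next two pass under the threshold.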
Keywords/Search Tags: Multi-level traffic characteristic, multi-rate DDoS attack, DDoS attack detection, network anomaly detection, network security