
Based On Network Flow Correlation Technologies Research Of Large Scale Network Anomaly Detection

Posted on: 2007-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: L Ye
Full Text: PDF
GTID: 2178360185985653
Subject: Computer Science and Technology
Abstract/Summary:
With the growth of networks, the traditional IDS systems used to detect anomalies are no longer suited to large-scale networks. Packet-level IDS systems built on capturing, reassembling and matching cannot meet the required efficiency, so analysis at the flow level is a more natural approach: by observing the dynamic characteristics of network flows, behavioural characteristics at a higher granularity can be derived.

This thesis focuses on the correlation between the characteristics of network flows in large-scale networks and applies it to network anomaly detection. First, characteristics that represent the state of the network are abstracted from the traffic. Second, two methods for analysing the correlation between these characteristics are put forward and verified through experiments.

After analysing the size distribution of most attack packets and the distribution of the small-packet percentage in normal datasets, an adaptive sampling method based on a small-packet threshold is proposed to improve the capture of attack packets: the sampling strategy adjusts automatically according to the variation in the proportion of small packets, so that more attack packets are captured.

The first analysis method is based on principal components analysis. It abstracts network flows and network state, defines the notion of a network flow pattern and studies the correlation between network flows. The correlation shows a significant difference between normal flows and attack flows, which offers a new way to use correlation in anomaly detection.

The second analysis method is multi-similarity analysis of network characteristics. It defines the concept of characteristic multi-similarity and its concrete computation procedure, and studies the similarity of normal and anomalous behaviour. The method can distinguish different network behaviours, which leads to an anomaly detection method based on multi-similarity.
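As an added illustration of the small-packet-threshold adaptive sampling described in the abstract (example code, not the thesis's own implementation; the 128-byte small-packet cutoff, the 40% threshold, the linear ramp rule, the systematic 1-in-k sampler and the constructed traffic windows are all assumptions), the following computes each window's small-packet fraction and raises the sampling rate when that fraction exceeds the threshold, so that a burst of small packets is captured far more completely than it would be at a fixed rate:

```python
"""Adaptive packet sampling driven by the small-packet fraction of each window.

Illustrative only: the cutoff, threshold and ramp rule below are assumptions,
not parameters taken from the thesis.
"""
from typing import List, Tuple

SMALL_PKT_BYTES = 128   # assumed: a packet at or below this size counts as "small"
BASE_RATE = 0.10        # assumed baseline sampling probability (1 packet in 10)
THRESHOLD = 0.40        # assumed small-packet fraction that triggers the ramp-up
MAX_RATE = 1.0          # capture everything when the window is almost all small packets


def small_packet_fraction(sizes: List[int]) -> float:
    """Fraction of packets in the window whose size is at or below SMALL_PKT_BYTES."""
    if not sizes:
        return 0.0
    return sum(1 for s in sizes if s <= SMALL_PKT_BYTES) / len(sizes)


def adaptive_rate(fraction: float) -> float:
    """Assumed rule: hold BASE_RATE below THRESHOLD, then ramp linearly to MAX_RATE."""
    if fraction <= THRESHOLD:
        return BASE_RATE
    excess = (fraction - THRESHOLD) / (1.0 - THRESHOLD)
    return min(MAX_RATE, BASE_RATE + (MAX_RATE - BASE_RATE) * excess)


def sample_window(sizes: List[int]) -> Tuple[float, float, List[int]]:
    """Systematic 1-in-k sampling, with k derived from the window's small-packet fraction."""
    fraction = small_packet_fraction(sizes)
    rate = adaptive_rate(fraction)
    k = max(1, int(1.0 / rate))
    return fraction, rate, [s for i, s in enumerate(sizes) if i % k == 0]


def captured_small(sizes: List[int]) -> int:
    """Number of small packets that survive sampling in this window."""
    return sum(1 for s in sample_window(sizes)[2] if s <= SMALL_PKT_BYTES)


# Constructed windows of 100 packet sizes (bytes): the first is mostly full-size
# frames, the second mimics a burst of small probe packets.
NORMAL_WINDOW = [64 if i % 5 == 0 else 1400 for i in range(100)]   # 20% small
BURST_WINDOW = [64 if i % 5 != 0 else 1400 for i in range(100)]    # 80% small

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("burst", BURST_WINDOW)):
        frac, rate, kept = sample_window(window)
        print(f"{name}: small={frac:.2f} rate={rate:.2f} kept={len(kept)} "
              f"small_kept={captured_small(window)}")
```

At the fixed base rate the burst window would yield only 10 packets; the adaptive rule keeps all 100, including all 80 small ones.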
Keywords/Search Tags:network flow, correlation, sampling, principal components analysis, multi-similarity