
Anomaly Detection Based On The Modeling Of Network Traffic Flow

Posted on: 2008-07-31
Degree: Master
Type: Thesis
Country: China
Candidate: R Q Zhou
GTID: 2208360212499846
Subject: Communication and Information System
Abstract/Summary:
A network traffic anomaly is, broadly, a situation in which traffic behavior deviates from normal behavior. Network traffic anomalies arise from many causes, such as malfunctioning network devices, network overload, malicious DDoS attacks and network intrusions. Anomalous traffic characteristically breaks out without any warning and can disrupt networks and computers within a short time (for instance, the burst traffic caused by specific attack programs or a worm outbreak). Detecting traffic anomalies rapidly and accurately is therefore one of the preconditions for efficient network operation, and anomalous traffic detection has become an attractive and valuable research direction in both academic and industrial circles.

This thesis studies traffic anomaly detection based on traffic models: it investigates the effect of anomalous traffic on the self-similarity of the ambient traffic; it investigates the effect of anomalous traffic on the cascade characteristics of the ambient traffic in order to realize detection based on the infinitely divisible cascades (IDC) model; and, to address the shortcomings of existing single-link and network-wide traffic anomaly detection, it realizes network-wide multi-traffic correlation anomaly detection. The main contributions are as follows.

(1) After introducing the basic concepts of network traffic anomaly detection, the thesis reviews current traffic anomaly detection methods and classifies them into three classes. For the flaws of these methods, it points out some directions for improving their performance.

(2) The thesis systematically reviews traffic modeling theory, including the self-similar model, the multi-fractal model, infinitely divisible cascades and the ARMA time-series model.

(3) The thesis investigates the effect of anomalous traffic on the self-similarity of the ambient traffic. We propose that the effectiveness of traffic anomaly detection based on the self-similarity index depends on a significant difference between the self-similarity of the anomalous traffic and that of the ambient traffic. When the two are close to each other, detecting the variation of the self-similarity index H is not sufficient to discriminate anomalous traffic from normal traffic.

(4) The thesis proposes a network traffic anomaly detection method based on the infinitely divisible cascades (IDC) model. Because the IDC model gives a complete description of the scaling nature of traffic, the method is built on its identification criterion: it computes an anomaly identification statistic by estimating the cumulative deviation of the least-squares fitted curve, and uses that statistic to identify the anomaly. Simulation results show that the proposed method can successfully detect a simulated DDoS attack; however, its real-time performance and anomaly localization still need improvement.

(5) To address the shortcomings of existing single-link and network-wide traffic anomaly detection, the thesis proposes a network-wide multi-traffic correlation anomaly detection method. First, the traffic on every OD flow or link is forecast from its previous data with an ARMA model. Then the forecast error traffic is obtained by subtracting the real traffic from the forecast traffic. Finally, traffic anomalies are detected by network-wide correlation analysis over all of the forecast error traffic. Simulation results show that this method can detect anomalies that some network-wide traffic anomaly detection methods cannot.
Keywords/Search Tags:anomaly detection, self-similar model, infinitely divisible cascades model, ARMA model, network-wide correlation analysis