
Network Traffic Anomaly Detection Method And Simulation Platform Developed

Posted on: 2009-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: D Yang
GTID: 2208360245960980
Subject: Communication and Information System

Abstract/Summary:
As networks grow in scale, they have become more and more important in daily life. With the extensive application of networks, traffic anomalies affect network performance more often. Detecting anomalies rapidly and accurately, and responding to them correctly, is one of the preconditions for efficient network operation, so the detection of anomalous traffic is becoming a topic of concern.

Network traffic anomaly detection can be classified into local and network-wide anomaly detection. Local anomaly detection is based on the hypothesis that an anomaly shows up clearly on a single node or link of the network, so the traffic can be treated as a one-dimensional signal and signal processing methods can be used to detect the anomaly. However, some anomalies, such as DDoS attacks and worms, may not show up clearly on a single node or link, so this kind of anomaly must be detected from the data of the whole network. This paper studies both local and network-wide anomaly detection.

For local anomaly detection, this paper proposes a novel multi-resolution network traffic anomaly detection approach based on the S transform with adaptive scale, which makes detection more targeted and more precise. By introducing the S transform, the network traffic signal is decomposed into a group of sub-bands of different frequencies according to the characteristics of the traffic signal, so that the decomposition matches the characteristics of the anomaly. The reconstructed signal is then used to further identify traffic anomalies, which helps improve the robustness of the proposed approach.

For network-wide anomaly detection, this paper proposes a network-wide multi-traffic, multi-parameter correlative anomaly detection method. The method relies on the fact that the anomaly signals that a single anomaly produces on different links or OD flows are similar in frequency, in the way their amplitude changes, and so on, and it uses this similarity as the evidence for anomaly detection. First, several parameters of one link or OD flow are obtained. Then these parameters are processed by ICA to obtain the feature variable of the anomalous behavior of this flow. Finally, traffic anomalies are detected by global correlation analysis across several flows using the K-L transform.

In practice, a network-wide anomaly detection system must be a distributed system. To also improve the efficiency of detection, this paper proposes a distributed network traffic anomaly detection mechanism and, based on it, develops a distributed network traffic anomaly detection emulation system. Introducing a 2-level detection mechanism decreases the computational burden on the central detection node, and separating the anomaly detection part from the network parameter collection part makes the system universal.

The algorithms put forward in this paper are simulated with Matlab and NS2 on the Windows platform. The simulation results of these anomaly detection methods are satisfactory, which verifies the validity of the algorithms. These detection algorithms and mechanisms can be regarded as components of an overall network security solution, working together with other security devices to solve network security problems.
Keywords/Search Tags: network traffic anomaly, the adaptive scale, network-wide anomaly detection, independent component analysis, simulation platform