
The Abnormal Behavior Of The IP Network Based On Catastrophe Theory, Detection And Control Mechanism

Posted on: 2011-04-18 | Degree: Master | Type: Thesis
Country: China | Candidate: W S Hu
GTID: 2208360308466757 | Subject: Communication and Information System
Abstract/Summary:
Detecting network anomalies is a primary step in ensuring network security and survivability, and it plays a very important role in network security defense systems. Research on anomaly detection in IP networks is therefore attracting more and more attention. Current network anomaly detection techniques consist of misuse detection and anomaly detection based on normal behavior. Misuse detection matches observed data against known anomaly signatures. It has a high detection rate for known anomalies and a 100 percent false negative rate, because the mechanism is built on a database of known anomaly patterns. Anomaly detection based on normal behavior establishes a profile of normal behavior and detects behavior that deviates from it. This mechanism can detect unknown anomalies, overcoming the false negatives of misuse detection. However, the profile cannot include all normal behaviors, which results in a high false positive rate for normal behavior. So is there an anomaly detection technique that can detect both known and unknown anomalies without a high false positive rate for normal behavior?

To resolve this problem, an anomaly detection mechanism based on a catastrophe model for IP networks (ADMCM) is proposed, which detects catastrophe anomaly behaviors. The main idea is to preprocess network data with synthesis standardization, to validate the catastrophe character of anomalous behavior with t-hypothesis testing, and to use a clustering algorithm, least-squares data fitting and confidence estimation to establish a cusp catastrophe model describing network anomaly behavior. Based on the resulting model, a clustering algorithm yields anomaly thresholds for network throughput, abnormal network flow and network load, and the detection mechanism is built on a logical combination of the relations among these anomaly variables. Finally, ADMCM is evaluated on the KDD CUP 99 dataset; the results show that, by comparison, the mechanism improves the detection rate and decreases the false negative rate for DoS attacks and so on. Although ADMCM can effectively detect anomalous behavior, it cannot prevent anomalous network behavior from occurring.

To resolve this problem, an anomaly behavior avoidance scheme based on the cusp catastrophe for IP networks (BASCC) is proposed, which prevents anomalous behavior from occurring. First, the features of catastrophe theory are analyzed. Then the catastrophes and the tracks of dynamic behavior displayed when control parameters (such as the forwarding rate of a router and the number of operation requests) and state parameters (such as time delay and throughput) are abnormal are used to establish a cusp catastrophe model describing the dynamic behavior, and a bifurcation set describing the boundary of anomalous behavior. Anomalies are avoided by controlling changes in the controllable parameters (e.g. u, v) so that they do not cross the boundary of dynamic anomalous behavior, and by keeping the bifurcation set of anomalous behavior far from the range of normal behavior. Two specific schemes are proposed for realizing the anomaly control mechanism in IP networks. Finally, simulation demonstrates that this mechanism protects the network from the influence of anomalous behavior.

In summary, the primary contributions are:
1. Establish a concrete anomaly detection mechanism, ADMCM, to detect catastrophe anomaly behaviors.
2. Propose an anomaly avoidance mechanism, BASCC, to avoid the influence of catastrophe anomaly behaviors on network performance, and thereby improve the survivability and security of the network.
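The bifurcation-set boundary that BASCC keeps the control parameters u, v from crossing can be illustrated with the canonical cusp catastrophe. This is an added example, not code from the thesis: it assumes the textbook normal form V(x) = x^4/4 + u*x^2/2 + v*x and a constructed control path, not the thesis's fitted network model, and all function names are hypothetical.

```python
import math

def discriminant(u, v):
    """4u^3 + 27v^2; zero exactly on the cusp bifurcation set."""
    return 4 * u**3 + 27 * v**2

def equilibria(u, v):
    """Real roots of dV/dx = x^3 + u*x + v (assumed canonical cusp form)."""
    d = discriminant(u, v)
    if d > 0:                                  # one equilibrium (Cardano)
        s = math.sqrt(d / 108)
        cbrt = lambda t: math.copysign(abs(t) ** (1 / 3), t)
        return [cbrt(-v / 2 + s) + cbrt(-v / 2 - s)]
    if u == 0:                                 # cusp point u = v = 0
        return [0.0]
    m = 2 * math.sqrt(-u / 3)                  # three equilibria (trig form)
    c = max(-1.0, min(1.0, 3 * v / (u * m)))
    return sorted(m * math.cos(math.acos(c) / 3 - 2 * math.pi * k / 3)
                  for k in range(3))

def track(path):
    """Follow the state along a control path: it stays on the nearest
    equilibrium until that branch disappears, then lands on another."""
    x = equilibria(*path[0])[0]
    states = []
    for u, v in path:
        x = min(equilibria(u, v), key=lambda r: abs(r - x))
        states.append(x)
    return states

def jumps(path, threshold=1.0):
    """Indices where the state moves more than `threshold` in one step."""
    xs = track(path)
    return [i for i in range(1, len(xs)) if abs(xs[i] - xs[i - 1]) > threshold]

def first_boundary_crossing(path):
    """Index of the first control point on the other side of the bifurcation
    set from the start (the step an avoidance guard would refuse), or None."""
    start = discriminant(*path[0]) > 0
    for i, (u, v) in enumerate(path):
        if (discriminant(u, v) > 0) != start:
            return i
    return None

# Constructed control path: u held at -3, v swept from -3 to 3 in steps of 0.25.
PATH = [(-3.0, -3 + 0.25 * i) for i in range(25)]

if __name__ == "__main__":
    print("boundary first crossed at index", first_boundary_crossing(PATH))
    print("state jumps at indices", jumps(PATH))
```

On this path the discriminant changes sign at index 4, on entering the bistable region, while the state only jumps at index 21, on leaving it. A guard keyed to the bifurcation set therefore acts well before the sudden change.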
Keywords/Search Tags:anomaly detection, catastrophe theory, cusp catastrophe, anomaly avoidance, KDD CUP99