
Study Found Netflow-based Network Anomaly Flow

Posted on: 2011-12-02
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Du
Full Text: PDF
GTID: 2208360308966261
Subject: Information and Communication Engineering
Abstract/Summary:
Today, IP networks are the mainstream. With the development of networks and the promotion of business, most business has been migrated to IP networks. At the same time, more and more anomalies have emerged, and anomaly detection has become a focus for network operators. By detecting anomalous traffic, we can take corresponding measures to ensure the normal operation of the network. As networks expand, network traffic increases exponentially, and techniques based on packets or bytes have become overwhelmed. In this context, flow-based techniques were proposed. Netflow, the technology proposed by Cisco, which uses the flow as the basis of statistics and provides multi-granularity analysis, has attracted many people's attention.

Firstly, the indicators and algorithms selected by past Netflow-based anomaly detection techniques were analyzed, and the Netflow data of the campus network was studied over a long period at different granularities and from different angles. Then integration-indicators and the Time Window Comparison Algorithm were introduced. Integration-indicators, which remove the non-stationary factors, reflect the characteristics of network traffic apart from those factors. The integration-indicator based Time Window Comparison Algorithm is divided into vertical and horizontal comparison: vertical comparison analyzes the long-term trends of the integration-indicators, and horizontal comparison analyzes their short-term trends.

Secondly, an anomaly detection system based on integration-indicators and the Time Window Comparison Algorithm was produced. The whole system is divided into three parts: data collection, data processing, and anomaly detection. The data collection module is responsible for collecting Netflow data and optimizing the database. The second part trims the Netflow data to retain only the fields that anomaly detection requires. The last part comprises two sub-modules: indicator extraction and the Time Window Comparison Algorithm. The main classes of the three parts of the system are described, and each module was tested, achieving the desired results. Finally, the conclusions of this dissertation and some future work are briefly introduced.
Keywords/Search Tags: anomaly detection, Netflow, traffic analysis, integration-indicator based Time Window Comparison Algorithms