
Aberrant Traffic Behavior Detection Based On NBOS System

Posted on: 2018-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Q Wu
Full Text: PDF
GTID: 2348330542951664
Subject: Computer technology
Abstract/Summary:
Aberrant traffic behavior refers to network traffic that deviates from its normal range. It is caused mainly by malicious network attacks, network configuration errors, sporadic line interruptions and sudden bursts of traffic. Such events degrade service quality and interfere with the normal operation of the network, so the detection of aberrant traffic behavior is a meaningful research task. The research in this thesis is based on the basic traffic data provided by NBOS (Network Behavior Observation System). A method for detecting aberrant traffic behavior at the network boundary is studied and then integrated into the NBOS system.

The thesis first discusses the definition of abnormal network traffic and classifies abnormal traffic according to its causes. It then studies the basic characteristics of network traffic in the normal state and the changes in the distributions of traffic features in the abnormal state, and surveys the main detection methods currently in use together with their advantages and disadvantages. Using the flow records exported by the network boundary routers, NBOS provides fine-grained data sources for anomaly detection, including bandwidth metrics broken down by peer IP address and port-distribution statistics. The thesis therefore carries out concrete research from two perspectives: one based on bandwidth data and the other based on port traffic distribution. Both were verified by experiments in the production network of the Nanjing node of CERNET.

For anomaly detection based on bandwidth metrics, the work starts with an analysis of the available detection methods. Taking the environment, operating conditions and other factors into account, two time series analysis algorithms are selected: one based on a dynamic exponential smoothing model and one based on the Holt-Winters seasonal model. After a comparison on measured data from the Nanjing node of CERNET, the latter is chosen and integrated into the NBOS system. A number of anomalous events were detected in real time over 24 hours in the production environment; the thesis selects three of them and analyzes their causes in detail. The practice shows that classical anomaly detection algorithms can be used in engineering environments that use flow records as the analysis source.

For anomaly detection based on port traffic distribution, the concept of information entropy is introduced and the thesis defines port traffic entropy with respect to a time granularity. Analysis of measured data from the Nanjing node of CERNET indicates that, in general, the port traffic entropy at the same moment of the day follows a normal distribution. On this basis, the thesis presents a port entropy anomaly detection method, which is implemented and run in the NBOS system. Over 11 days in the production network the algorithm detected port entropy anomalies in real time 29 times; after analysis these merge into 5 anomalous events, which fall into 3 categories according to their causes. The thesis selects one event from each category and presents its detailed analysis. The analysis verifies the effectiveness of the algorithm.
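As an added worked example (not code from the thesis or from NBOS), the following Python script runs both detectors the abstract describes over constructed flow records: an additive Holt-Winters model on a per-slot bandwidth series, flagging points whose one-step-ahead residual is large against the RMS of recent residuals, and a per-slot port-entropy score compared with the same slot on earlier days, which is the "same moment of the day is normally distributed" model. The slot size (one hour), seasonal period (24 slots), smoothing constants, thresholds, the `min_sigma` floor, the synthetic traffic mix and the function names are all assumptions; the thesis's own parameters, data and implementation are not on this page.

```python
"""Added example (not code from the thesis or NBOS): the two detectors the
abstract describes, run over constructed flow records. (1) Additive Holt-Winters
on a per-slot bandwidth series. (2) Port-traffic entropy per time slot, scored
against the same slot on earlier days. Slot size, period, thresholds, smoothing
constants and the traffic mix are assumptions, not the thesis's values."""
import math
import random
from collections import Counter, defaultdict

SLOTS_PER_DAY = 24   # assumed time granularity: one slot per hour
DAYS = 8             # assumed observation window
COMMON_PORTS = [80, 443, 53, 22, 25]

def make_flow_records(seed=7):
    """Constructed flow records (day, slot, dst_port, bytes) with a diurnal curve.
    Last day: slot 14 carries a port scan (many distinct ports, tiny flows),
    slot 20 a volumetric surge on a single port."""
    rng = random.Random(seed)
    records = []
    for day in range(DAYS):
        for slot in range(SLOTS_PER_DAY):
            n_flows = 200 + int(150 * math.sin(math.pi * slot / SLOTS_PER_DAY)) + rng.randint(-20, 20)
            for _ in range(n_flows):
                port = rng.choice(COMMON_PORTS) if rng.random() < 0.95 else rng.randint(1024, 65535)
                records.append((day, slot, port, rng.randint(500, 50_000)))
            if day == DAYS - 1 and slot == 14:   # scan: 3000 distinct ports, 60 B each
                records += [(day, slot, p, 60) for p in range(1, 3001)]
            if day == DAYS - 1 and slot == 20:   # surge: 400 flows of 900 kB to port 80
                records += [(day, slot, 80, 900_000)] * 400
    return records

def aggregate(records):
    """Per-slot byte totals (bandwidth metric) and per-slot dst-port flow counts."""
    bytes_per_slot, ports_per_slot = defaultdict(int), defaultdict(Counter)
    for day, slot, port, size in records:
        bytes_per_slot[(day, slot)] += size
        ports_per_slot[(day, slot)][port] += 1
    return bytes_per_slot, ports_per_slot

def holt_winters_forecasts(series, period, alpha=0.2, beta=0.05, gamma=0.2):
    """Additive Holt-Winters: forecasts[t] predicts series[t] from data before t
    (None for the first season, which only initialises the model)."""
    if len(series) < 2 * period:
        raise ValueError("need at least two full seasons")
    level = sum(series[:period]) / period
    trend = sum((series[period + i] - series[i]) / period for i in range(period)) / period
    seasonal = [x - level for x in series[:period]]
    forecasts = [None] * period
    for t in range(period, len(series)):
        s = t % period
        forecasts.append(level + trend + seasonal[s])
        x = series[t]
        new_level = alpha * (x - seasonal[s]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[s] = gamma * (x - new_level) + (1 - gamma) * seasonal[s]
        level = new_level
    return forecasts

def bandwidth_anomalies(series, period, k=4.0):
    """Flag t when |x_t - forecast_t| > k * RMS of the previous `period` residuals."""
    forecasts = holt_winters_forecasts(series, period)
    residuals = [None if f is None else x - f for x, f in zip(series, forecasts)]
    flagged = []
    for t in range(2 * period, len(series)):
        window = residuals[t - period:t]
        sigma = math.sqrt(sum(r * r for r in window) / len(window))
        if abs(residuals[t]) > k * sigma:
            flagged.append(t)
    return flagged

def port_entropy(port_counts):
    """Shannon entropy (bits) of one slot's destination-port distribution."""
    total = sum(port_counts.values())
    return -sum(c / total * math.log2(c / total) for c in port_counts.values() if c)

def entropy_anomalies(ports_per_slot, min_history=4, k=3.0, min_sigma=0.15):
    """Two-sided test of each (day, slot) entropy against the same slot on earlier
    days; min_sigma keeps a tiny std estimated from a few days from alerting."""
    H = {key: port_entropy(cnt) for key, cnt in ports_per_slot.items()}
    flagged = []
    for (day, slot), h in sorted(H.items()):
        hist = [H[(d, slot)] for d in range(day) if (d, slot) in H]
        if len(hist) < min_history:
            continue
        mu = sum(hist) / len(hist)
        sigma = max(math.sqrt(sum((v - mu) ** 2 for v in hist) / (len(hist) - 1)), min_sigma)
        if abs(h - mu) > k * sigma:
            flagged.append((day, slot))
    return flagged

def run_detectors(records):
    """Returns the (day, slot) pairs flagged by the bandwidth and entropy detectors."""
    bytes_per_slot, ports_per_slot = aggregate(records)
    series = [bytes_per_slot[(d, s)] for d in range(DAYS) for s in range(SLOTS_PER_DAY)]
    bw = [divmod(t, SLOTS_PER_DAY) for t in bandwidth_anomalies(series, SLOTS_PER_DAY)]
    return bw, entropy_anomalies(ports_per_slot)

if __name__ == "__main__":
    bw, ent = run_detectors(make_flow_records())
    print("bandwidth anomalies (day, slot):", bw)
    print("port-entropy anomalies (day, slot):", ent)
```

Two design points worth noting. The entropy test is two-sided: a port scan spreads flows over many destination ports and pushes entropy up, while a volumetric flood to a single port concentrates them and pushes entropy down, so a one-sided threshold would miss one of the two. The `min_sigma` floor and the `min_history` requirement matter because a standard deviation estimated from only a few days of the same slot can be close to zero, which would turn ordinary day-to-day variation into alerts. In a deployment the constructed `make_flow_records()` would be replaced by the boundary routers' real flow-record export, and the thresholds would be tuned against the operator's own false-positive budget.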
Keywords/Search Tags:flow record, aberrant traffic behavior, time series analysis, port traffic distribution