
Research On Anomaly Detection Techniques Of Network Traffic Based On Sampling Flow

Posted on: 2019-12-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Sun
GTID: 2428330545965701
Subject: Computer technology

Abstract/Summary:
The development of network technologies and the diversification of network applications have caused explosive growth of network traffic, and the problem of network security has become increasingly prominent. Some abnormal traffic generated by malicious attacks affects the normal working of network services, and serious abnormal traffic can even cause large-scale network paralysis. The economic loss caused by network security problems exceeds one hundred million every year. Anomaly detection techniques for network traffic have also improved with the development of disciplines such as network measurement and artificial intelligence. This paper addresses the anomaly detection problem for large-scale traffic: it studies flow sampling techniques and traffic anomaly detection techniques, improves the algorithm, and designs and implements a traffic anomaly detection system based on a four-layer module to judge whether network traffic is abnormal.

Firstly, in view of the scale of traffic, a fair sampling algorithm based on elephant flows and mice flows is introduced. On this basis, this paper improves the algorithm and proposes a method based on a timeout strategy to solve the problem that the original algorithm cannot distinguish new flows from old flows, which causes a large difference in the flow distribution before and after sampling. At the same time, optimizing the sampling probability function eliminates the influence of the Bloom filter structure's inherent false positive rate on flow sampling.

Secondly, for the traffic anomaly detection method, information entropy is used to describe changes in traffic characteristics. On the basis of analyzing the defects of the density peak algorithm based on the density ratio, a Fuzzy C-Means clustering algorithm based on sample growth ratio is proposed. This algorithm selects the initial cluster center by the sample growth ratio, and the effect of the neighborhood radius ratio is weakened by the constraint conditions when the initial cluster center is selected. It solves the problem that Fuzzy C-Means is sensitive to the initial clustering center and easily falls into a local optimum.

Finally, a traffic anomaly detection system is designed and implemented based on four-layer modules of flow acquisition, flow sampling, information entropy calculation, clustering and anomaly detection. The performance of each module is tested by running a real network traffic data set. The test results show that the system can reduce most of the normal traffic and increase the proportion of abnormal traffic. The system has a higher true positive rate and a lower false positive rate, and its detection performance is good on large-scale traffic.
Keywords/Search Tags: anomaly detection, flow sampling, timeout strategy, information entropy, Fuzzy C-Means
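An added illustration of the information-entropy stage described in the abstract (not code from the thesis): per-window Shannon entropy of flow fields, producing the feature vectors a clustering stage would consume. The feature set (source IP, destination IP, destination port), the 60-second window, the record layout, and the fixed threshold standing in for the Fuzzy C-Means stage are all assumptions; the flow records are constructed sample data.

```python
import math
from collections import Counter, defaultdict

FIELDS = ("src_ip", "dst_ip", "dst_port")  # assumed feature set, not stated on the page

def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())

def entropy_features(flows, window_s=60):
    """Group flow records by time window and return {window: {field: entropy}}."""
    windows = defaultdict(list)
    for flow in flows:
        windows[int(flow["ts"] // window_s)].append(flow)
    return {
        w: {f: shannon_entropy([r[f] for r in recs]) for f in FIELDS}
        for w, recs in sorted(windows.items())
    }

def shifted_features(baseline, current, threshold=1.0):
    """Fields whose entropy moved more than `threshold` bits from the baseline.
    The fixed threshold is a simple stand-in for a clustering stage."""
    return sorted(f for f in FIELDS if abs(current[f] - baseline[f]) > threshold)

def build_sample_flows():
    """Constructed records: window 0 is mixed traffic; window 1 has many
    sources converging on a single destination address and port."""
    ports = [80, 443, 53, 22]
    flows = [{"ts": i, "src_ip": f"10.0.0.{i % 8}", "dst_ip": f"192.0.2.{i % 10}",
              "dst_port": ports[i % 4]} for i in range(40)]
    flows += [{"ts": 60 + i, "src_ip": f"198.51.100.{i}", "dst_ip": "192.0.2.7",
               "dst_port": 80} for i in range(40)]
    return flows

if __name__ == "__main__":
    feats = entropy_features(build_sample_flows())
    for window, vec in feats.items():
        print(window, {k: round(v, 3) for k, v in vec.items()})
    print("shifted vs. window 0:", shifted_features(feats[0], feats[1]))
```

In the constructed data, source-IP entropy rises while destination-IP and destination-port entropy collapse to zero, the kind of joint shift that entropy-based detectors are built to surface.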