ISSN 1000-1239 CN 11-1777/TP


A Detection and Identification Mechanism for Network-Wide Anomalous Traffic Clusters (Chinese title, translated)

Yang Yahui1, Du Keming2

  1 School of Software & Microelectronics, Peking University, Beijing 102600; 2 School of Communications Engineering, Xidian University, Xi'an 710071 (yhyang@ss.pku.edu.cn)
  • Publication date: 2009-11-15

Identification of Anomalous Traffic Clusters for Network-Wide Anomaly Analysis

Yang Yahui1 and Du Keming2   

  1 School of Software & Microelectronics, Peking University, Beijing 102600; 2 School of Communications Engineering, Xidian University, Xi’an 710071
  • Online: 2009-11-15

Abstract (translated from the Chinese): In network security management, automatically identifying anomalous traffic clusters gives an ISP an effective means of analyzing and locating network-wide traffic anomalies. This paper proposes a mechanism for detecting and identifying network-wide anomalous traffic clusters from filtered network flow data. The problem is described and defined formally; the multidimensional-tree-based method for detecting heavy-hitter (large-volume) traffic clusters is extended and improved, and flexible ways of computing the "detection threshold" and the "splitting value" are proposed to raise the detection accuracy for heavy-hitter clusters; a pruning algorithm reduces the size of the tree and so makes the search for heavy-hitter clusters more efficient; and a method for identifying anomalous traffic clusters from the heavy-hitter clusters is given. Experiments show that the method is feasible and can be applied to network-wide anomaly diagnosis.

Keywords (translated): anomaly detection, anomalous traffic clusters, network flow, detection threshold

Abstract: In the field of network security management, a number of recent studies have been devoted to network-wide anomaly detection, but little attention has been paid to going one step further and identifying the anomalous traffic clusters involved in an anomaly. Automatic identification of anomalous traffic clusters helps ISPs analyze and locate network anomalies for network and security management. The authors propose a method to detect and identify anomalous traffic clusters based on filtered netflow data. The problems to be solved are described and defined formally; the trie-based solution for detecting heavy hitters in a multidimensional tree is adapted and improved; practical and flexible methods are proposed to calculate the threshold used for detecting specific heavy hitters and the splitting value used to guide the construction of the trees, improving the accuracy of the algorithm; trimming of tree branches is integrated with reconstruction of traffic volume to reduce the size of the trees and speed up the search for heavy hitters; and methods to identify anomalous traffic clusters based on specific heavy hitters are presented. Experiments show that the proposed methods are feasible for network-wide anomaly diagnosis.
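The trie-based heavy-hitter search, pruning and cluster identification that the abstract describes, as an added Python illustration (not the paper's code or data): it builds a binary trie over source addresses from constructed flow records, takes the detection threshold as a fraction of the window's total volume, prunes subtrees below that threshold, reports the pruned trie's leaves as heavy-hitter clusters, and flags a cluster as anomalous when its volume exceeds a multiple of what the same prefix carried in a baseline window. The one-dimensional trie, the fraction-based threshold, the leaf-based cluster definition, the baseline-ratio rule and all sample addresses and byte counts are this example's assumptions; the paper's multidimensional tree, its detection-threshold and splitting-value formulas and its own identification method are not reproduced.

```python
"""Trie-based heavy-hitter clusters over NetFlow-like records, with pruning and a
baseline comparison to flag anomalous clusters.

Added illustration, not the paper's code. Single dimension only (source address);
the paper's multidimensional tree, its detection-threshold and splitting-value
formulas and its cluster definition are not reproduced here.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

Flow = Tuple[str, int]  # (source IP, bytes)

# Constructed sample flow records; not the paper's data.
BASELINE_FLOWS: List[Flow] = (
    [(f"10.1.0.{h}", 1000) for h in range(8)]             # a steady /29 of servers
    + [("10.2.0.9", 1500), ("10.2.0.10", 1000), ("192.168.5.1", 1500),
       ("172.16.3.3", 1000), ("172.16.3.4", 1000)]         # scattered background
)
# Current window: same background plus a constructed burst from 16 new hosts in one /28.
CURRENT_FLOWS: List[Flow] = BASELINE_FLOWS + [(f"10.9.7.{h}", 600) for h in range(16)]


class Node:
    """One prefix of a binary trie over 32-bit source addresses."""
    __slots__ = ("prefix", "plen", "volume", "children")

    def __init__(self, prefix: int, plen: int) -> None:
        self.prefix, self.plen, self.volume = prefix, plen, 0
        self.children: Dict[int, "Node"] = {}

    def network(self) -> str:
        return str(IPv4Network((self.prefix, self.plen)))


def build_trie(flows: List[Flow]) -> Node:
    """Each flow adds its bytes to every prefix (/0 .. /32) that covers its source."""
    root = Node(0, 0)
    for ip, nbytes in flows:
        addr = int(IPv4Address(ip))
        node = root
        node.volume += nbytes
        for plen in range(1, 33):
            shift = 32 - plen
            bit = (addr >> shift) & 1
            child = node.children.get(bit)
            if child is None:
                child = node.children[bit] = Node((addr >> shift) << shift, plen)
            child.volume += nbytes
            node = child
    return root


def count_nodes(node: Node) -> int:
    return 1 + sum(count_nodes(c) for c in node.children.values())


def prune(node: Node, threshold: int) -> None:
    """Drop every subtree whose total volume is below the threshold. Volume is additive,
    so nothing under such a node can reach the threshold: the tree shrinks without
    losing any heavy hitter."""
    node.children = {b: c for b, c in node.children.items() if c.volume >= threshold}
    for child in node.children.values():
        prune(child, threshold)


def heavy_hitter_clusters(flows: List[Flow], frac: float) -> List[Tuple[str, int]]:
    """Detection threshold = frac of the window's total volume (a simple choice made for
    this example). After pruning, the trie's leaves are the most specific prefixes that
    still carry at least the threshold; these are reported as heavy-hitter clusters."""
    root = build_trie(flows)
    prune(root, int(frac * root.volume))
    clusters: List[Tuple[str, int]] = []

    def collect_leaves(node: Node) -> None:
        if not node.children:
            clusters.append((node.network(), node.volume))
        for child in node.children.values():
            collect_leaves(child)

    collect_leaves(root)
    return sorted(clusters)


def trie_size(flows: List[Flow], frac: float) -> Tuple[int, int]:
    """Node count of the full trie and of the pruned trie, to show the reduction."""
    root = build_trie(flows)
    full = count_nodes(root)
    prune(root, int(frac * root.volume))
    return full, count_nodes(root)


def volume_of(root: Node, network: str) -> int:
    """Bytes recorded under an exact prefix in an unpruned trie (0 if the path is absent)."""
    net = IPv4Network(network)
    addr, node = int(net.network_address), root
    for plen in range(1, net.prefixlen + 1):
        node = node.children.get((addr >> (32 - plen)) & 1)
        if node is None:
            return 0
    return node.volume


def anomalous_clusters(baseline: List[Flow], current: List[Flow],
                       frac: float = 0.3, ratio: float = 3.0) -> List[Tuple[str, int, int]]:
    """Flag a current heavy-hitter cluster as anomalous when its volume exceeds `ratio`
    times what the same prefix carried in the baseline window (a prefix absent from the
    baseline has volume 0 and is always flagged). Returns (prefix, baseline, current)."""
    base_root = build_trie(baseline)
    flagged = []
    for net, vol in heavy_hitter_clusters(current, frac):
        base = volume_of(base_root, net)
        if vol > ratio * base:
            flagged.append((net, base, vol))
    return flagged


if __name__ == "__main__":
    print("baseline clusters:", heavy_hitter_clusters(BASELINE_FLOWS, 0.3))
    print("current clusters: ", heavy_hitter_clusters(CURRENT_FLOWS, 0.3))
    print("trie nodes (full, pruned):", trie_size(CURRENT_FLOWS, 0.3))
    print("anomalous clusters:", anomalous_clusters(BASELINE_FLOWS, CURRENT_FLOWS))
```

On the constructed data the baseline yields the single cluster 10.1.0.0/29, the current window yields 10.1.0.0/29 and the new 10.9.7.0/28, and only the latter is flagged. One caveat worth keeping in mind with a purely relative threshold: because it is a fraction of the window's total, a large enough burst raises the threshold and can push a steady cluster below it, so in practice the threshold is usually floored or anchored to the baseline rather than recomputed from the current window alone.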

Key words: anomaly detection, anomalous traffic clusters, netflow, detection threshold