关键词: 异常检测, 异常流量簇, 网络流, 检测阈值

Abstract: In the field of network security management, a number of recent researches have been dedicated to network-wide anomaly detection. But little attention has been paid to further identifying the anomalous traffic clusters which have been involved in the anomaly. Automatic identification of anomalous traffic clusters helps ISP providers to analyze and locate network anomalies for network and security management. The authors propose a method to detect and identify anomalous traffic clusters based on the filtered netflow data. The problems to be solved are described and defined formally; The Trie-based solution for detecting heavy hitters in a multi-dimensional tree is adapted and improved; the practical and flexible methods are proposed to calculate the threshold used for detecting specific heavy hitters and splitting value used for guiding the construction of trees to improve the accuracy of the algorithm; The operation for trimming off branches of the trees is integrated with reconstruction of traffic volume to decrease the size of trees to improve the efficiency for searching for heavy hitters; The methods to identify anomalous traffic clusters based on specific heavy hitters are presented. Experiments show that the methods proposed are feasible for network-wide anomaly diagnosis.

Key words: anomaly detection, anomalous traffic clusters, netflow, detection threshold