ISSN 1000-1239 CN 11-1777/TP

• Paper •

### A Mechanism for Detecting and Identifying Network-Wide Anomalous Traffic Clusters

1 School of Software & Microelectronics, Peking University, Beijing 102600; 2 School of Communications Engineering, Xidian University, Xi'an 710071 (yhyang@ss.pku.edu.cn)
• Publication date: 2009-11-15

### Identification of Anomalous Traffic Clusters for Network-Wide Anomaly Analysis

Yang Yahui (1) and Du Keming (2)

1 School of Software & Microelectronics, Peking University, Beijing 102600; 2 School of Communications Engineering, Xidian University, Xi'an 710071
• Online: 2009-11-15

Abstract: In the field of network security management, a number of recent studies have been dedicated to network-wide anomaly detection, but little attention has been paid to further identifying the anomalous traffic clusters involved in an anomaly. Automatic identification of anomalous traffic clusters helps ISPs analyze and locate network anomalies for network and security management. The authors propose a method to detect and identify anomalous traffic clusters based on filtered NetFlow data. The problems to be solved are described and defined formally; the Trie-based solution for detecting heavy hitters in a multi-dimensional tree is adapted and improved; practical and flexible methods are proposed to calculate the threshold used for detecting specific heavy hitters and the splitting value used to guide the construction of the trees, improving the accuracy of the algorithm; the operation of trimming branches of the trees is integrated with the reconstruction of traffic volume to reduce the size of the trees and so speed up the search for heavy hitters; and methods to identify anomalous traffic clusters based on the specific heavy hitters are presented. Experiments show that the proposed methods are feasible for network-wide anomaly diagnosis.
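The Trie-based heavy-hitter search the abstract describes, reduced to a single dimension (source address) as an added illustration that is not the paper's code: flows are aggregated into a binary prefix trie, subtrees whose reconstructed volume falls below the threshold are trimmed, and the surviving prefixes whose residual volume (traffic not explained by a more specific heavy hitter) still exceeds the threshold are reported as candidate anomalous clusters. The flow records, the threshold as a fraction of total volume, and the `Node`, `trim` and `anomalous_clusters` names are constructed assumptions.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# Constructed NetFlow-like records (source address, bytes); not real data.
FLOWS = [("10.1.2.3", 120), ("10.1.2.4", 110), ("10.1.2.5", 100), ("10.1.2.6", 90),
         ("10.1.9.7", 20), ("192.168.5.1", 40), ("192.168.5.2", 30),
         ("172.16.0.1", 10), ("203.0.113.9", 400)]

class Node:
    """Binary trie node; volume is the reconstructed traffic of the whole subtree."""
    def __init__(self) -> None:
        self.volume = 0
        self.children: Dict[int, "Node"] = {}

def build_trie(flows: List[Tuple[str, int]]) -> Node:
    """Insert each flow along its 32 source-address bits, accumulating volume per prefix."""
    root = Node()
    for ip, vol in flows:
        bits, node = int(IPv4Address(ip)), root
        node.volume += vol
        for i in range(32):
            node = node.children.setdefault((bits >> (31 - i)) & 1, Node())
            node.volume += vol
    return root

def trim(node: Node, threshold: float) -> bool:
    """Cut every subtree below the threshold: it cannot hold a heavy hitter and its
    traffic is already folded into the ancestors' volumes. Returns True if node survives."""
    node.children = {b: c for b, c in node.children.items() if trim(c, threshold)}
    return node.volume >= threshold

def _collect(node: Node, prefix: int, plen: int, threshold: float,
             out: List[Tuple[str, int]]) -> int:
    """Post-order walk; returns the volume already attributed to heavy hitters below."""
    covered = sum(_collect(c, (prefix << 1) | b, plen + 1, threshold, out)
                  for b, c in node.children.items())
    residual = node.volume - covered
    if residual >= threshold:  # traffic not explained by any more specific cluster
        out.append((str(IPv4Network((prefix << (32 - plen), plen))), residual))
        return node.volume
    return covered

def anomalous_clusters(flows: List[Tuple[str, int]], fraction: float = 0.25) -> List[Tuple[str, int]]:
    """Return (prefix, residual bytes) for clusters carrying at least `fraction` of all traffic."""
    root = build_trie(flows)
    threshold = fraction * root.volume  # threshold derived from total observed volume
    trim(root, threshold)
    out: List[Tuple[str, int]] = []
    _collect(root, 0, 0, threshold, out)
    return sorted(out)
```

Raising `fraction` coarsens the reported clusters (the /30 above widens to its /29 parent at 0.4), which is the effect the threshold choice has on the granularity of the identified cluster.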