CN102655465B - Method for quickly detecting time-frequency domains of abnormal network traffic - Google Patents

Publication number: CN102655465B
Authority: CN (China)
Application number: CN201210142390.7A
Other languages: Chinese (zh)
Other versions: CN102655465A (en)
Inventors: 蒋定德, 姚成, 袁珍, 秦文达
Current Assignee: Northeastern University China
Original Assignee: Northeastern University China
Legal status: Expired - Fee Related
Prior art keywords: time, abnormal, stream, coefficient, frequency

Abstract

The invention discloses a fast time-frequency-domain method for detecting abnormal network traffic, which belongs to the field of network anomaly detection in large-scale network environments. The method extracts anomaly features by processing correlation coefficients, which improves detection accuracy; it then performs time-frequency analysis on those features using the short-time Fourier transform, so that anomalies are detected more accurately and their time of occurrence can be determined. The method analyses the data in the time-frequency domain; in theory, the more layers are analysed, the more accurate the frequency division and the better the final result.

Description

A fast time-frequency-domain detection method for abnormal network traffic
Technical field
The present invention belongs to the field of network anomaly detection in large-scale network environments, and in particular relates to a fast time-frequency-domain detection method for abnormal network traffic.
Background art
With the development of networks, anomalous network behaviour includes network failures, user misoperation, network attacks and the spread of network viruses. These behaviours usually cause the traffic on one or more links to deviate from normal. Although the abnormal traffic may not show obvious anomalous features on a single link or a group of links, the total abnormal traffic summed over many links in the network is large. Traffic anomalies are therefore very harmful and destructive to the network and to the devices running on it. Because traffic anomalies are highly concealed, break out suddenly and have unknown characteristics, they can do great harm to the network or to the equipment running on it in a very short time (for example, burst traffic caused by a specific network attack program or by an outbreak of a network worm can paralyse the network and interrupt communication). Detecting anomalous traffic behaviour accurately and quickly, determining its cause and promptly taking the correct response is therefore an important prerequisite for the secure and efficient operation of the network, and has become a frontier scientific problem of common concern to academia and industry at home and abroad.
With the development of information technology, network traffic anomalies are becoming more and more concealed. Detecting a relatively small amount of abnormal traffic within normal traffic that is much larger and constantly changing is like "looking for a needle in a haystack", and requires new detection techniques, methods and mechanisms.
The difficulty of traffic anomaly detection lies mainly in the time precision of the detection. Only by analysing the anomalous signal with time-frequency methods, so that the features of the anomaly points stand out, can the moment at which an anomaly appears be detected accurately.
Chen-Mou Cheng et al. proposed a spectral analysis method for identifying normal TCP flows; they found that a normal TCP flow necessarily shows periodicity related to the RTT (round-trip time) in its packet transmissions, whereas an attack flow usually does not. In 2001, V. Alarcon-Aquino et al. proposed a method based on detecting and locating faint changes in the variance and frequency of a given time series, but the scales the algorithm selects are limited and the algorithm is complicated. P. Barford et al. proposed a method that performs a multi-scale dyadic wavelet decomposition of the network traffic, reconstructs it into high, medium and low frequency bands, and detects anomalies in each band with a deviation score. This algorithm detects flash crowds and short-lived anomalies that occurred in a past period well, but it does not solve the problems of adaptively choosing the wavelet detection scale and of real-time monitoring. At present, therefore, network traffic anomaly detection still faces the problems of adaptivity, real-time detection and detection precision.
Summary of the invention
To address the deficiencies of existing methods, the present invention proposes a fast time-frequency-domain detection method for abnormal network traffic, with the aim of detecting in real time and improving detection precision.
The technical scheme of the present invention is realised as follows: a fast time-frequency-domain detection method for abnormal network traffic, comprising the following steps:
Step 1: in the network topology, capture traffic data that contains anomalies, as the time-domain signal to be analysed;
Step 2: from the time-domain signal, extract the traffic data of the OD (origin-destination) flows that share the same destination node and perform correlation analysis: for each OD flow, calculate the correlation coefficients between it and the other OD flows with the same destination node, and take the mean of these coefficients as the average correlation coefficient of that OD flow; take the sum of the average correlation coefficients of all the OD flows as the cumulative sum of the correlation coefficient;
Step 3: perform joint time-frequency analysis on the cumulative sum from step 2: apply the short-time Fourier transform to determine the time-frequency feature parameters of the time-domain signal under a given time window; change the window size and calculate the time-frequency feature parameters under different time windows; superpose the time-frequency feature parameters so calculated to obtain the accumulated time-frequency feature parameter, in which the features of the anomalous signal stand out;
Step 4: set a decision threshold; where the accumulated time-frequency feature parameter exceeds this threshold, abnormal traffic is determined to be present.
The decision threshold in step 4 is determined as follows: calculate the mean and variance of the accumulated time-frequency feature parameter, multiply the variance by a coefficient, and add the result to the mean to obtain the threshold.
The coefficient is a natural number in the range 1-10.
Advantages of the present invention: the method extracts anomaly features by processing correlation coefficients, which improves detection accuracy; it also uses the short-time Fourier transform to perform time-frequency analysis on the anomaly features, which detects anomalies more accurately and determines the moment at which they occur. The method analyses the data in the time-frequency domain; in theory, the more decomposition layers there are, the more accurate the frequency division and the better the final result.
Brief description of the drawings
Fig. 1 is the general flow chart of an embodiment of the fast time-frequency-domain detection method for abnormal network traffic of the present invention;
Fig. 2 is a schematic diagram of the sampled packets of the OD flows whose destination node is 6 in one embodiment of the present invention, where (a) to (l) represent source nodes 1 to 12 respectively;
Fig. 3 is a schematic diagram of the average correlation coefficient between each OD flow whose destination node is 6 and the other OD flows in one embodiment of the present invention, where (a) to (l) represent source nodes 1 to 12 respectively;
Fig. 4 is a schematic diagram of the cumulative sum of the average correlation coefficients of the OD flows in one embodiment of the present invention;
Fig. 5 is a schematic flow chart of the extraction of the time-frequency feature parameters in one embodiment of the present invention;
Fig. 6 is a schematic diagram of the distribution of the time-frequency feature parameters obtained with windows of different sizes in one embodiment of the present invention;
Fig. 7 is a schematic diagram of the cumulative sum of the time-frequency feature parameters obtained with windows of different sizes in one embodiment of the present invention;
Fig. 8 is a schematic diagram of the energy distribution of the cumulative sum of the feature parameters in one embodiment of the present invention;
Fig. 9 is a schematic diagram of the anomaly detection result on the cumulative sum in one embodiment of the present invention;
Fig. 10 is a schematic diagram of the result of anomaly detection on each OD flow using the deviation score method in one embodiment of the present invention, where (a) to (l) represent the OD flows whose source nodes are 1 to 12 respectively and whose destination node is 6.
Detailed description of the embodiments
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 is the general flow chart of an embodiment of the fast time-frequency-domain detection method for abnormal network traffic. The flow starts at step 101. In step 102, traffic data containing anomalies is captured in the network topology as the time-domain signal to be analysed. Under normal conditions the traffic data of the network is fairly stable; when abnormal traffic occurs, the traffic value at some place and some time deviates from the normal value, for example the traffic at certain instants suddenly increases or suddenly decreases, and it can be preliminarily judged that an anomaly may have occurred there. The present embodiment uses a similarity calculation to make the anomaly features stand out. The principle is that normal network data has a certain similarity, so a later segment of data can be estimated from an earlier segment; if the later data contains an anomaly, however, it cannot be estimated from the earlier segment. Making the anomaly features stand out through the similarity calculation makes it convenient to process the accumulated similarity with the short-time Fourier transform.
In step 103, the relation matrix between OD flows and source and destination nodes is first constructed, and the traffic data of the OD flows in the time-domain signal that share the same destination node is extracted, as follows:
Suppose the network topology has p nodes in total, so that there are p*p OD flows, and let the selected destination node be q. The source-destination node relation matrix F(OD) is constructed as follows:
$$F(OD) = \begin{pmatrix} f_1^1 & f_2^1 & \cdots & f_q^1 & \cdots & f_p^1 \\ f_1^2 & f_2^2 & \cdots & f_q^2 & \cdots & f_p^2 \\ \vdots & \vdots & & \vdots & & \vdots \\ f_1^p & f_2^p & \cdots & f_q^p & \cdots & f_p^p \end{pmatrix} \tag{1}$$
In the formula, $f_i^j$ denotes the OD flow whose source node is j and whose destination node is i, where 1≤i≤p and 1≤j≤p. For example, in the matrix of formula (1), $f_1^1$ denotes the OD flow whose source node is 1 and destination node is 1, $f_1^2$ denotes the OD flow whose source node is 2 and destination node is 1, and so on, up to $f_p^p$, the OD flow whose source node is p and destination node is p.
From formula (1), all OD flows whose destination node is q are obtained. Extracting all p of these OD flows, each of length K, gives the traffic matrix $F_q$:
$$F_q = \left(f_q^1(t), f_q^2(t), \ldots, f_q^i(t), \ldots, f_q^p(t)\right), \quad 1 \le t \le K,\ 1 \le i \le p \tag{2}$$
In the formula, $F_q$ is a p*K traffic matrix, where $f_q^1(t)$ denotes the OD flow at time t whose source node is 1 and destination node is q, and so on, up to $f_q^p(t)$, the OD flow at time t whose source node is p and destination node is q.
Next, correlation analysis is performed: for each OD flow, the correlation coefficients between it and the other OD flows with the same destination node are calculated, and their mean is taken as the average correlation coefficient of that OD flow, as follows:
Find the correlation coefficient of any two OD flows in the traffic matrix $F_q$. First compute the covariance of the traffic matrix:
$$\operatorname{cov}(f_q^i, f_q^j) = E\left[(f_q^i - \mu_i)(f_q^j - \mu_j)\right] \tag{3}$$
In the formula, E denotes mathematical expectation, and j ≠ i. From formula (3), the correlation coefficient between the OD flows $f_q^i$ and $f_q^j$ is:
$$\operatorname{corrf}(f_q^i, f_q^j) = \frac{\operatorname{cov}(f_q^i, f_q^j)}{\sqrt{\operatorname{cov}(f_q^i, f_q^i)\,\operatorname{cov}(f_q^j, f_q^j)}} \tag{4}$$
Using formula (4), calculate the average correlation coefficient between each OD flow in the traffic matrix $F_q$ and the other OD flows; the formula is as follows:
In the formula, $C_{OD}^{k}$ denotes the average correlation coefficient between the k-th OD flow and the other p-1 OD flows.
Finally, the sum of the correlation coefficients over all OD flows is taken as the cumulative sum of the correlation coefficient: the cumulative sum $C_\Sigma$ of the correlation coefficients between all OD flows is calculated as follows:
$$C_\Sigma = \sum_{j=1}^{p} C_{OD}^{j} \tag{6}$$
The cumulative sum $C_\Sigma$ in fact portrays the detailed features of the original anomalous traffic signal well, which increases the accuracy of the anomaly detection performed below with the short-time Fourier transform.
In the present embodiment the network topology has 12 nodes and 144 OD flows in total, and the selected destination node is 6. From the relation matrix constructed according to formula (1), the 12 OD flows whose destination node is 6 are obtained; the plot of each OD flow is shown in Fig. 2. Using formulas (2) and (3), the correlation coefficients between each OD flow and the other 11 OD flows are summed and averaged, giving the result shown in Fig. 3. Superposing the 12 OD flows gives the cumulative sum of the correlation coefficient, shown in Fig. 4. This cumulative sum reflects the detailed features of the anomalous data well, so the short-time Fourier transform can be used to analyse and judge these features.
In step 104, joint time-frequency analysis is performed on the cumulative sum from step 103: the short-time Fourier transform is applied to determine the time-frequency feature parameters of the time-domain signal under a given time window; the window size is changed and the time-frequency feature parameters under different time windows are calculated; the time-frequency feature parameters so calculated are superposed to obtain the accumulated time-frequency feature parameter, in which the features of the anomalous signal stand out.
The short-time Fourier transform is defined as:
$$STFT_z(t, f) = \int_{-\infty}^{+\infty} z(t')\,\eta^{*}(t' - t)\,e^{-j2\pi f t'}\,dt' \tag{7}$$
In the formula, $STFT_z(t, f)$ denotes the time-frequency feature parameter; $z(t')$ denotes the signal to be processed, which in the present embodiment is the cumulative sum $C_\Sigma$; $\eta(t)$ is a window function of very short duration, $\eta(t' - t)$ is the window function centred on $t$, and $\eta^{*}(t' - t)$ is the conjugate of $\eta(t' - t)$, where $*$ is the conjugation operator; $(t' - t)$ denotes the time delay of the window function, that is, the time period of length $(t' - t)$ centred on $t$; $f$ denotes the frequency of the signal at a given time $t$; and $z(t')\,\eta^{*}(t' - t)$ denotes the slice of the signal near the analysis time $t$. After the Fourier transform is applied to the slice, all the properties of the signal within the width of the window centred on time $t$ are expressed by the time-frequency feature parameter $STFT_z(t, f)$. It can thus be seen that the choice of window function strongly affects the performance of the short-time Fourier transform. In the present embodiment the Hanning window $\eta(t)$ is used, with the formula:
$$\eta(t) = 0.5\left(1 - \cos\left(\frac{2\pi n}{N - 1}\right)\right), \quad 0 \le n \le N \tag{8}$$
In the formula, N denotes the window size.
According to the Heisenberg uncertainty principle, the time resolution Δt and the frequency resolution Δf cannot both be arbitrarily small at the same time, and their product is bounded by the uncertainty relation; improving the time resolution therefore reduces the frequency resolution, and vice versa. In the present embodiment, different window sizes are selected for the short-time Fourier transform and, to obtain a more accurate result, the transform results obtained with the different window sizes are summed. Calculating the time-frequency feature parameter $STFT_z(t, f)$ with the Hanning window gives the following formula:
$$STFT_z(t, f) = \int_{-\infty}^{+\infty} z(t')\,0.5\left(1 - \cos\left(\frac{2\pi n}{N - 1}\right)\right)e^{-j2\pi f t'}\,dt' \tag{9}$$
Calculation then yields the time-frequency feature parameter $STFT_z(t, f)$ of the signal $z(t')$.
Each window yields one group of time-frequency feature parameters $STFT_{z,i}(t, f)$ of $z(t')$, and running all the windows yields several groups of feature parameters. The moduli of the parameters are taken and superposed to extract the accumulated time-frequency feature parameter sum_STFT, in which the features of the anomalous signal stand out, for use in anomaly detection; this improves the accuracy of the result.
In the present embodiment, the extraction of the time-frequency feature parameters is shown in Fig. 5, where the input signal is the correlation coefficient and the output is the sum of the feature parameter values at the different frequencies obtained by applying the short-time Fourier transform with windows of different sizes, as shown in Fig. 6. In the figure, different shades represent different frequency values. The moduli of the parameters at different frequencies at the same instant are taken and superposed to extract the parameter sum_STFT, in which the features of the anomalous signal stand out, for use in anomaly detection; this improves the accuracy of the detection result. The plot of sum_STFT is shown in Fig. 7.
After the short-time Fourier transform, the correlation coefficient yields a series of time-frequency feature parameter vectors. The anomaly detection method actually operates on the time-frequency feature parameters. Step 104 extracts the parameter sum_STFT, in which the features of the anomalous signal stand out, because the energy at the anomalous signal is large (the energy distribution of the correlation coefficient can be seen in Fig. 8); in the figure, the darker the colour, the greater the energy at that point.
In step 105, the present embodiment uses the traditional adaptive decision-threshold method to obtain the threshold threshold: calculate the mean and variance of the accumulated parameter, multiply the variance by a coefficient, and add the result to the mean to obtain the threshold threshold. The coefficient is a natural number in the range 1-10. The threshold is then compared with the feature parameter sum_STFT; at the instants where the value of sum_STFT exceeds the decision threshold, an abnormal traffic signal is judged to be present, as shown in Fig. 9.
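Steps 102 to 105 carried through on constructed traffic, as an added example that is not code from the patent: flows sharing a destination are reduced to the cumulative correlation C_Σ, transformed with Hanning windows of several sizes into sum_STFT, and compared with the mean-plus-coefficient-times-variance threshold. Assumptions not stated in the patent text: the correlation coefficients are taken over a sliding window (`corr_win`) so that C_Σ is a time series, sum_STFT is scaled to [0, 1] before thresholding (a variance-based threshold otherwise depends on the units of the feature), and all function names and the sample traffic are made up for the example.

```python
import cmath
import math
import random


def pearson(x, y):
    """Correlation coefficient of two equal-length samples, formulas (3)-(4)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    cxx = sum((a - mx) ** 2 for a in x)
    cyy = sum((b - my) ** 2 for b in y)
    # A constant segment has no defined correlation; treat it as uncorrelated.
    return cxy / math.sqrt(cxx * cyy) if cxx > 0 and cyy > 0 else 0.0


def cumulative_correlation(flows, corr_win):
    """C_sigma(t): sum over flows of each flow's mean correlation with the rest.

    Assumption (not in the patent text): coefficients are taken over a sliding
    window of corr_win samples so that C_sigma becomes a time series.
    """
    p = len(flows)
    series = []
    for s in range(len(flows[0]) - corr_win + 1):
        seg = [f[s:s + corr_win] for f in flows]
        pair_sum = sum(pearson(seg[i], seg[j])
                       for i in range(p) for j in range(i + 1, p))
        # Every pair contributes to two flows; each flow averages over p-1 peers.
        series.append(2.0 * pair_sum / (p - 1))
    return series


def stft_magnitude_sum(signal, n_win):
    """Sum over frequency of |STFT(t, f)| for a Hanning window of n_win samples."""
    window = [0.5 * (1 - math.cos(2 * math.pi * n / (n_win - 1)))
              for n in range(n_win)]                      # formula (8)
    half = n_win // 2
    padded = [0.0] * half + list(signal) + [0.0] * half   # zero-pad the edges
    twiddle = [cmath.exp(-2j * math.pi * k / n_win) for k in range(n_win)]
    out = []
    for t in range(len(signal)):
        frame = [padded[t + n] * window[n] for n in range(n_win)]
        out.append(sum(
            abs(sum(frame[n] * twiddle[(k * n) % n_win] for n in range(n_win)))
            for k in range(n_win)))
    return out


def detect(flows, corr_win=32, stft_wins=(8, 16, 32), coeff=2):
    """Return (alarm_times, threshold, feature) for flows sharing a destination."""
    c_sigma = cumulative_correlation(flows, corr_win)
    sum_stft = [0.0] * len(c_sigma)
    for n_win in stft_wins:                               # change the window size
        for t, v in enumerate(stft_magnitude_sum(c_sigma, n_win)):
            sum_stft[t] += v                              # superpose the moduli
    peak = max(sum_stft) or 1.0
    feature = [v / peak for v in sum_stft]                # assumption: scale to [0, 1]
    mean = sum(feature) / len(feature)
    var = sum((v - mean) ** 2 for v in feature) / len(feature)
    threshold = mean + coeff * var                        # coeff: natural number 1-10
    # Report each alarm at the last sample of its correlation window.
    alarms = [t + corr_win - 1 for t, v in enumerate(feature) if v > threshold]
    return alarms, threshold, feature


def make_sample_flows(p=8, length=400, start=250, end=290, seed=1):
    """Constructed traffic: p flows to one destination with independent noise,
    plus a surge shared by every source during [start, end)."""
    rng = random.Random(seed)
    flows = []
    for i in range(p):
        gain = 1.0 + 0.1 * i
        flow = []
        for t in range(length):
            v = 100.0 + rng.uniform(-10.0, 10.0)
            if start <= t < end:
                v += gain * (200.0 + 100.0 * math.sin(2 * math.pi * (t - start) / 8))
            flow.append(v)
        flows.append(flow)
    return flows


if __name__ == "__main__":
    alarms, threshold, _ = detect(make_sample_flows())
    print("threshold=%.3f alarms from t=%d to t=%d"
          % (threshold, alarms[0], alarms[-1]))
```

Because each alarm is reported at the end of a correlation window, alarms persist for up to `corr_win` plus half the largest STFT window after the surge ends; shorter windows tighten the time localisation at the cost of noisier correlation estimates.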
In the actual simulation, to better illustrate the advantage of this algorithm, the present embodiment also performs anomaly detection with the deviation score method for comparison. In the present embodiment the detection window size is 20 and the history window size is 30; the deviation score of the correlation coefficient obtained in step 103 is calculated, and the alarm threshold is adaptively set to 0.5. Comparison shows that the deviation scores of all 12 OD flows exceed the alarm threshold in many places, so every OD flow is judged to contain anomalies. To detect the time at which an anomaly occurs, the anomaly threshold is adaptively set to 0.9 in this embodiment of the invention: if a correlation coefficient value is higher than the anomaly threshold, it is set to 1.4; the start and stop times of each run of consecutive 1.4 values in the correlation coefficient are found, which are the start and end points of the anomaly; all the values in consecutive runs of 1.4 are then reset to 1 and the others are set to zero, as in Fig. 10, where the white dashed line represents the anomaly threshold and the black dashed line shows the anomaly detection result. It can clearly be seen from Fig. 10 that the deviation score method can only detect whether an anomaly exists and cannot detect the time at which it occurs.
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that they are only illustrations, and that various changes or modifications can be made to these embodiments without departing from the principle and essence of the present invention. The scope of the present invention is limited only by the appended claims.

Claims (3)

1. A fast time-frequency-domain detection method for abnormal network traffic, characterised in that it comprises the following steps:
Step 1: in the network topology, capture traffic data that contains anomalies, as the time-domain signal to be analysed;
Step 2: from the time-domain signal, extract the traffic data of the OD flows that share the same destination node and perform correlation analysis: for each OD flow, calculate the correlation coefficients between it and the other OD flows with the same destination node, and take the mean of these coefficients as the average correlation coefficient of that OD flow; take the sum of the average correlation coefficients of all the OD flows as the cumulative sum of the correlation coefficient;
Step 3: perform joint time-frequency analysis on the cumulative sum from step 2: apply the short-time Fourier transform to determine the time-frequency feature parameters of the time-domain signal under a given time window; change the window size and calculate the time-frequency feature parameters under different time windows; superpose the time-frequency feature parameters so calculated to obtain the accumulated time-frequency feature parameter, in which the features of the anomalous signal stand out, extracting the parameter sum_STFT for use in anomaly detection;
Step 4: set a decision threshold; if the accumulated time-frequency feature parameter exceeds this threshold, abnormal traffic is determined to be present there; the threshold is then compared with the feature parameter sum_STFT, and at the instants where the value of sum_STFT exceeds the decision threshold an abnormal traffic signal is judged to be present;
Step 5: adaptively set the anomaly threshold to 0.9; if a correlation coefficient value is higher than the anomaly threshold, set it to 1.4, and find the start and stop times of each run of consecutive 1.4 values in the correlation coefficient, which are the start and end points of the anomaly.
2. The fast time-frequency-domain detection method for abnormal network traffic according to claim 1, characterised in that the decision threshold in step 4 is determined as follows: calculate the mean and variance of the accumulated time-frequency feature parameter, multiply the variance by a coefficient, and add the result to the mean to obtain the threshold.
3. The fast time-frequency-domain detection method for abnormal network traffic according to claim 2, characterised in that the coefficient is a natural number in the range 1-10.
CN201210142390.7A 2012-05-09 2012-05-09 Method for quickly detecting time-frequency domains of abnormal network traffic Expired - Fee Related CN102655465B (en)

Publications (2)

Publication Number Publication Date
CN102655465A CN102655465A (en) 2012-09-05
CN102655465B true CN102655465B (en) 2014-12-10

Family

ID=46730992

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141210

Termination date: 20150509

EXPY Termination of patent right or utility model