CN1996888A - A detection method and detection device for exceptional network traffic - Google Patents

A detection method and detection device for exceptional network traffic

Info

Publication number: CN1996888A
Authority: CN (China)
Prior art keywords: detection, signal, detected parameters, alarm threshold, wavelet
Legal status: Granted (status assumed by Google Patents, not a legal conclusion)
Application number: CN 200610168173
Other languages: Chinese (zh)
Other versions: CN100486179C (en)
Inventors: 胡光岷, 高军, 姚兴苗, 杨松, 李宗林
Current assignee: Huawei Technologies Co Ltd; University of Electronic Science and Technology of China (list may be inaccurate)
Original assignee: Huawei Technologies Co Ltd; University of Electronic Science and Technology of China
Application filed by Huawei Technologies Co Ltd and University of Electronic Science and Technology of China
Priority application: CNB200610168173XA
Publication of application: CN1996888A; publication of granted patent: CN100486179C
Current legal status: Expired - Fee Related

Abstract

This invention relates to a network traffic anomaly detection method and device. The method analyses the anomaly signal adaptively at multiple scales according to the frequency characteristics of the anomaly signal; it uses a double-threshold decision mechanism to continue decomposing the frequency bands whose detection parameter exceeds the decomposition threshold, which improves the flexibility of detection, and it improves the reliability of detection by confirming the anomaly on the reconstructed signal. The invention also provides an adaptive window adjustment mechanism based on the frequency characteristics of the anomalous traffic.

Description

A detection method and detection device for network traffic anomalies
Technical field
The present invention relates to a detection method and detection device for network traffic anomalies, and in particular to a detection method and detection device that uses the wavelet packet transform to detect network traffic anomalies at multiple scales.
Background technology
A network traffic anomaly is a situation in which the traffic behaviour of a network departs from its normal behaviour. The causes are diverse: faulty operation of network equipment, abnormal network operations, flash crowds, network intrusions and so on. Anomalous traffic breaks out suddenly and its trend is unknown; within a short time it can do great harm to the computers on the network or to the network itself (for example the burst traffic caused by a specific attacker or a worm outbreak). Detecting anomalous traffic behaviour accurately and quickly, and responding to it sensibly, is therefore one of the prerequisites for keeping a network running effectively. Traditional network security technology focuses on the intrusion detection systems, anti-virus software and firewalls of enterprise user networks. Such safety measures usually cannot detect improper traffic and behaviour in a carrier network, and they also have difficulty detecting and identifying many of the anomalous behaviours and flows of an enterprise user network accurately. To detect anomalous traffic in the network in time and reduce or eliminate the harm users suffer from the various networks, network equipment and routing and switching equipment need the ability to detect and identify anomalous traffic and to apply certain intervention rules, such as blocking a certain port or reducing its bandwidth, so that this illegitimate traffic is suppressed or refused from a certain port address.
In general the data flow through a router, especially a backbone router, is very large and changes continuously, while the anomalous traffic is very small relative to the normal traffic, and even small relative to the variation of the normal traffic. The ultimate goal of a traffic anomaly detection algorithm is to pick out the relatively very small anomalous traffic from the relatively very large, continuously varying normal traffic (finding a needle in a haystack) while meeting real-time requirements. The design and realisation of such a system is therefore very difficult, and anomalous traffic detection has become one of the advanced topics that both academia and industry currently pay close attention to.
As an emerging technology it has received great attention from theoretical circles abroad in recent years; since 2002 in particular, a large number of articles have been published in various journals and conferences, the great majority of which discuss the detection of DDoS attacks. They can be summarised as rule-based methods [1][2], finite-state-machine methods [3][4], pattern-matching methods [5][6], statistical-analysis methods [7][8], Hurst-coefficient analysis [9][10], subspace methods [11][12][13] and wavelet-analysis methods [14]-[18][20], among others:
[1] L. Lewis and G. Dreo, "Extending trouble ticket systems to fault diagnosis," IEEE Network, vol. 7, pp. 44-51, Nov. 1993.
[2] L. Lewis, "A case based reasoning approach to the management of faults in communication networks," in Proc. IEEE INFOCOM, vol. 3, San Francisco, CA, Mar. 1993, pp. 1422-1429.
[3] I. Katzela and M. Schwarz, "Schemes for fault identification in communication networks," IEEE/ACM Trans. Networking, vol. 3, pp. 753-764, Dec. 1995.
[4] I. Rouvellou and G. Hart, "Automatic alarm correlation for fault identification," in Proc. IEEE INFOCOM, Boston, MA, Apr. 1995, pp. 553-561.
[5] F. Feather and R. Maxion, "Fault detection in an ethernet network using anomaly signature matching," in Proc. ACM SIGCOMM, vol. 23, San Francisco, CA, Sept. 1993, pp. 279-288.
[6] S. Papavassiliou, M. Pace, A. Zawadzki, and L. Ho, "Implementing enhanced network maintenance for transaction access services: Tools and applications," Proc. IEEE Int. Contr. Conf., vol. 1, pp. 211-215, 2000.
[7] Marina Thottan and Chuanyi Ji, "Anomaly Detection in IP Networks," IEEE Transactions on Signal Processing, vol. 51, no. 8, August 2003.
[8] Chen-Mou Cheng, H. T. Kung, and Koan-Sin Tan, "Use of Spectral Analysis in Defense Against DoS Attacks," Proceedings of IEEE GLOBECOM 2002.
[9] William H. Allen and Gerald A. Marin, "On the Self-similarity of Synthetic Traffic for the Evaluation of Intrusion Detection Systems," Proceedings of the 2003 Symposium on Applications and the Internet (SAINT '03).
[10] To Chongqing, "IP network QoS and Research on Security Technology," doctoral thesis, University of Electronic Science and Technology of China, 2003.
[11] A. Lakhina, M. Crovella, and C. Diot, "Diagnosing Network-Wide Traffic Anomalies," in ACM SIGCOMM, Portland, August 2004.
[12] A. Lakhina, K. Papagiannaki, M. Crovella, C. Diot, E. D. Kolaczyk, and N. Taft, "Structural Analysis of Network Traffic Flows," in ACM SIGMETRICS, New York, June 2004.
[13] A. Lakhina, M. Crovella, and C. Diot, "Characterization of Network-Wide Anomalies in Traffic Flows," Technical Report BUCS-2004-020, Boston University, 2004.
[14] V. Alarcon-Aquino and J. A. Barria, "Anomaly Detection in Communication Networks Using Wavelets," IEEE Proc.-Commun., vol. 148, no. 6, December 2001.
[15] P. Barford, J. Kline, D. Plonka, and A. Ron, "A signal analysis of network traffic anomalies," in Proceedings of the ACM SIGCOMM Internet Measurement Workshop, Marseille, France, November 2002.
[16] P. Barford and D. Plonka, "Characteristics of network traffic flow anomalies," in Internet Measurement Workshop, 2001.
[17] Seong Soo Kim and A. L. Narasimha Reddy, "Detecting Traffic Anomalies at the Source through aggregate analysis of packet header data," http://dropzone.tamu.edu/techpubs/2003/TAMU-ECE-2003-03.pdf
[18] Lan Li and Gyungho Lee, "DDoS Attack Detection and Wavelets," Computer Communications and Networks, 2003 (ICCCN 2003), Proceedings of the 12th International Conference on, 20-22 Oct. 2003, pp. 421-427.
[19] B. R. Bakshi, "Multi-scale analysis and modeling using wavelets," Journal of Chemometrics, 13(3), 1999.
[20] Anu Ramanathan, "WADeS: A Tool for Distributed Denial of Service Attack Detection," TAMU-ECE-2002-02, Master of Science Thesis, August 2002.
Almost all data from real networks are intrinsically multi-scale in character [19], and the time-varying signal of normal network traffic and that of anomalous network traffic differ in their frequency bands: background traffic is generally broadband, while the band of anomalous traffic is relatively narrow. The wavelet transform is like a mathematical microscope that can amplify the details of a signal and extract the signal's characteristics at any time and frequency, so it is well suited to detecting the transient anomalous phenomena carried within a normal signal and revealing their composition.
Among the network traffic anomaly detection methods based on wavelet analysis, V. Alarcon-Aquino et al. proposed an algorithm based on the UDWT (undecimated discrete wavelet transform) and Bayesian analysis as early as 2001 [14]. This algorithm can detect and locate weak changes in the variance and frequency of a given time series, but the scales it selects are limited and the algorithm's idea is complex. Anu Ramanathan subsequently proposed the wavelet-based WADeS (Wavelet based Attack Detection Signatures) mechanism to detect DDoS attacks [20]: the traffic signal is wavelet-transformed and the variance of the wavelet coefficients is computed directly to judge the attack point. This method has no real-time detection capability. Meanwhile P. Barford et al. proposed a method that performs multi-scale dyadic wavelet decomposition of the network traffic, reconstructs and combines it into high, medium and low frequency bands, and detects with a deviation score [15]. On the basis of the above, Seong Soo Kim et al. also proposed a technique that detects traffic anomalies by analysing the destination IP addresses of the egress traffic at a border router [17]; it can detect egress traffic offline or in real time, but because it is based on multiresolution analysis it does not have the same detection ability for anomalies at all frequencies. Another is the wavelet-based energy distribution method proposed by Lan Li to detect DDoS attacks [18], which found that the variance of the energy distribution shows an obvious "spike" when the traffic is affected by a DDoS attack.
The technical scheme recorded in document [15] is described in more detail below. It is divided into two parts:
(1) Wavelet analysis module
A certain wavelet is used to decompose the time series signal by multiresolution analysis (MRA); different scales are then selected from the result and reconstructed into high, medium and low frequency bands, and the signals of these three bands are sent to the detection module. The high, medium and low frequency parts represent anomalous traffic signals of short, medium and long duration respectively.
(2) Detection module
The detection algorithm used by the detection module is the deviation score algorithm.
First, the variances of the low, medium and high frequency bands to be detected are normalised to one. Then the variance of the data falling within a sliding window of pre-specified size is computed for the low, medium and high bands respectively, giving the deviation score of the corresponding band. The size of these sliding windows depends on the duration of the anomalies one wants to catch. If t0 denotes the duration of the anomaly and t1 the size of the sliding window, then ideally q = t0/t1 ≈ 1. If the ratio q is too small, the detected anomaly is blurred or even lost; if the ratio is too large, we may be flooded by uninteresting so-called "anomalies" and fail to find the anomalies of real interest. Therefore, when choosing t1, the ratio q should generally be made close to 1, and the sliding window sizes of the high, low and medium bands are generally different. Next, the deviation scores of the three bands computed in the previous step are combined with a weighted sum to produce a combined deviation score signal. Finally, whether an anomaly has occurred is judged by checking whether the deviation score exceeds a given threshold.
The above scheme has the following shortcomings:
(1) The algorithm is based on the multiresolution analysis of the dyadic wavelet transform and does not decompose the high-frequency (detail) part further, so it cannot detect high-frequency anomalies well.
(2) The algorithm needs to perform wavelet transforms, and the transform itself has a certain overhead, which inevitably affects the real-time performance of the detection algorithm.
(3) The method given in this algorithm for choosing the sliding window size is based on the duration of the anomalous signal, but in actual detection the duration of an anomaly cannot be known in advance, so the window-sizing method the algorithm proposes is not very practical in actual detection.
(4) The algorithm does not provide an adaptive threshold selection method; it simply uses a fixed empirical value as the decision threshold, and the threshold cannot adapt to changes in the traffic.
In general, the wavelet-transform-based anomaly detection methods of the prior art mostly have defects in the following three respects:
(1) Incomplete anomaly detection: low-frequency anomalies are detected well but high-frequency anomalies poorly. All the detection algorithms are built on multiresolution analysis, which can detect smaller high-frequency anomalies because the low-frequency component takes the larger share of network traffic, but many medium-frequency anomalies are easily missed;
(2) Insufficient reliability of anomaly detection: one anomaly may be distributed over several non-adjacent frequency bands, so the detection result at a single scale is very unreliable;
(3) The time window of anomaly detection is hard to determine: usually the same detection time window size is used at every scale, and the window is not chosen according to the characteristics of the anomalous signal itself.
Summary of the invention
The object of the invention, in view of the above deficiencies of the prior art, is to provide a detection method and detection device for network traffic anomalies that performs multi-scale wavelet packet decomposition adaptively by means of a double-threshold mechanism, so as to improve the completeness, flexibility and reliability of anomaly detection.
Another object of the invention is to provide a detection method and detection device for network traffic anomalies that further reduces the false-detection rate by means of a confirming anomaly detection mechanism.
To achieve the above objects, the invention provides a detection method for network traffic anomalies comprising the following steps:
Step 1: sample the network traffic signal to generate a flow signal;
Step 2: perform wavelet packet decomposition on the flow signal to generate wavelet packet coefficients for a plurality of frequency bands;
Step 3: use a statistical algorithm to perform initial anomaly detection on the wavelet packet coefficients of each band generated by the decomposition, generate a detection parameter, and compare the detection parameter with a predefined alarm threshold and decomposition threshold. If some detection parameter is greater than the alarm threshold, the signal is confirmed to be anomalous; if some detection parameter is less than the alarm threshold but greater than the decomposition threshold, the band corresponding to that detection parameter is decomposed one further wavelet packet level and step 3 is repeated.
In the above scheme, "if some detection parameter is greater than the alarm threshold, the signal is confirmed to be anomalous" can specifically be:
Step 4: reconstruct the wavelet packet coefficient sequence of the band whose detection parameter is greater than the alarm threshold;
Step 5: perform confirming anomaly detection on the signal generated by the reconstruction, and compare the generated detection parameter with the predefined alarm threshold; if it is greater than the alarm threshold, the signal is confirmed to be anomalous.
The invention also provides a detection device for network traffic anomalies comprising a flow signal generation module, a wavelet packet transform module and an initial anomaly detection module:
the flow signal generation module samples the network traffic signal and generates the flow signal;
the wavelet packet transform module performs wavelet packet decomposition on the flow signal from the flow signal generation module and on the anomalous wavelet packet coefficient sequences returned by the initial anomaly detection module;
the initial anomaly detection module performs initial anomaly detection on the wavelet packet coefficient sequences generated by the wavelet packet transform module, generates a detection parameter, and compares it with the predefined alarm threshold and decomposition threshold; if some detection parameter is greater than the alarm threshold, it outputs the detection result that the signal is anomalous, and if some detection parameter is less than the alarm threshold but greater than the decomposition threshold, it outputs the wavelet packet coefficient sequence corresponding to that detection parameter to the wavelet packet transform module.
The device of the invention can further include a wavelet packet reconstruction module and a confirming anomaly detection module:
the wavelet packet reconstruction module reconstructs the wavelet packet coefficient sequences that the initial anomaly detection module has detected as anomalous;
the confirming anomaly detection module performs confirming anomaly detection on the flow signal generated by the reconstruction of the wavelet packet reconstruction module, compares the generated detection parameter with the predefined alarm threshold, and if it is greater than the alarm threshold outputs the detection result that the signal is anomalous.
As can be seen from the above technical scheme, the invention has the following beneficial effects:
(1) According to the detection result for the wavelet packet coefficients of each level, the double-threshold mechanism flexibly decides whether to continue decomposing and which path the next level of wavelet packet decomposition takes, which solves the problem of adaptively choosing the decomposition scale, avoids blind wavelet packet decomposition and improves the flexibility of detection;
(2) By adaptive wavelet packet decomposition, reconstruction and detection, anomalies in every frequency band have similar detectability: long-lasting persistent anomalous traffic and short sudden-change anomalous traffic can both be detected effectively, as can the medium-frequency attack traffic that network traffic anomaly detection based on multiresolution analysis cannot detect, so that complete detection is achieved. Further confirming the anomaly improves the reliability of detection;
(3) An adaptive time-window selection method based on the wavelet centre frequency is proposed, which solves the problem of choosing the detection window for the wavelet packet coefficients at every scale of every level.
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is the flow chart of specific embodiment 1 of the detection method for network traffic anomalies of the invention;
Fig. 2 is a schematic diagram of the sliding-window deviation score algorithm of the invention;
Fig. 3 is an example of a wavelet packet decomposition tree of the invention;
Fig. 4 is structural diagram one of the detection device for network traffic anomalies of the invention;
Fig. 5 is structural diagram two of the detection device for network traffic anomalies of the invention.
Embodiments
Traditional anomaly detection methods are all single-scale. For sudden changes these methods are effective, but present attack means, in order to evade anomaly detection, can be set up very flexibly: they may attack the target with signalling traffic that changes relatively slowly and gradually, and for such slow variation the measurement effect of a single scale is relatively inconspicuous, so it may be missed. If the details of the signal are amplified to a certain degree, a slow attack signal will also become relatively obvious. Thus the idea of realising anomaly detection with the wavelet transform took shape.
Network traffic anomaly detection first samples the network traffic to generate a one-dimensional time-varying signal, called the flow signal. The anomaly is detected by using the deviation of the statistical characteristics of the anomalous signal from the normal condition, that is, the abrupt change of the flow signal. For a random signal such as the flow signal we usually characterise its statistical average spectral properties with the power spectral density (PSD). The power spectrum of normal network traffic differs from that of anomalous network traffic: in general the energy of the power spectrum of normal traffic is spread fairly evenly over the frequency bands, whereas the power spectrum of anomalous traffic concentrates its energy in some frequency range. Earlier work that uses wavelet decomposition for detection exploits exactly this difference between normal and anomalous traffic signals in the frequency domain as the basis of detection. Their detection algorithms are all built on multiresolution analysis, which can decompose a signal effectively in time and frequency, but because its scale changes dyadically its frequency resolution in the high-frequency band is poor. Yet the causes of anomalous traffic are varied, so the anomaly may be low-frequency or high-frequency. These methods therefore have the deficiency that they cannot effectively detect anomalies in all frequency bands.
The invention proposes a new mechanism that applies wavelet packet analysis to network traffic anomaly detection. Wavelet packet analysis is an improvement on multiresolution analysis: it can automatically choose different time-frequency resolutions for decomposition according to the characteristics of the signal, which makes it effective for time-frequency localisation and the extraction of small signals.
Specific embodiment 1
Referring to Fig. 1, the flow chart of specific embodiment 1 of the detection method for network traffic anomalies of the invention, the method comprises the following steps:
Step 1, detection signal generation: the number of packets passing through the router per unit time is taken as the flow signal, with the sampling interval set to T0 seconds. If f(n) denotes the value of the n-th sample point, then:
Figure A20061016817300121
Specifically, in the above sampling process f(n) is the result of counting the packets that pass through the router during the n-th unit interval of T0 seconds. This differs from "sampling" in the traditional sense, which converts a continuous analogue signal that is continuous in both time and amplitude into a discrete-time analogue signal that is still continuous in amplitude. The above sampling process is only the preferred sampling mode in the invention; the invention can also generate the flow signal with other existing sampling modes.
Step 2, wavelet packet decomposition: perform wavelet packet decomposition on the flow signal to generate wavelet packet coefficient sequences for a plurality of frequency bands. Research has found that background traffic is itself a signal of rather low frequency, while the anomalous signal is generally a higher-frequency signal; even a very weak high-frequency anomaly can be detected in the high band of normalised angular frequency (π/2, π) after wavelet packet decomposition. So it is only necessary to perform the first level of the multi-scale decomposition first and then start the wavelet packet decomposition from the band of normalised angular frequency (0, π/2). The analysis is a 2-decimated discrete wavelet packet analysis whose output is the wavelet packet coefficient sequence at each scale. As the number of wavelet packet decomposition levels grows, the number of output wavelet packet coefficients halves: if the length of the detection sequence is N, the length of the wavelet packet coefficient sequence output at level j is N/2^j. Because wavelet packet decomposition is a binary tree structure, the number of tree nodes per level grows as 2^j with the number of levels, so the number of initial decomposition levels is generally limited; later decomposition adapts to the detection results.
Step 3, initial anomaly detection: after the wavelet packet decomposition, perform initial anomaly detection on the wavelet packet coefficient sequence of each generated band, generate the detection parameter ratio, and compare the detection parameter with the predefined alarm threshold and decomposition threshold. If some detection parameter is greater than the alarm threshold, the signal can be confirmed as anomalous; but to further improve the reliability of the detection result, after detecting that the parameter is greater than the alarm threshold, step 4 can also be executed: the wavelet packet coefficient sequence of the band whose detection parameter is greater than the alarm threshold is reconstructed and a confirming anomaly detection is performed, which excludes some false detections. If some detection parameter is less than the alarm threshold but greater than the decomposition threshold, the band corresponding to that parameter is decomposed further by wavelet packet decomposition and step 3 is repeated; if all the generated detection parameters are less than the decomposition threshold, the signal is confirmed as normal.
In step 3 above, the initial anomaly detection can be carried out by deviation-score detection. The deviation score algorithm was previously used on the reconstructed signal; in the invention it is not only used to detect the reconstructed signal but also applied directly to the wavelet packet coefficients. After the signal has passed through the wavelet packet transform, what is obtained is a series of wavelet packet coefficients, and the anomaly detection algorithm actually operates on these coefficients, because a singular point of the signal corresponds in the wavelet packet transform domain to an extreme point or zero crossing of the modulus of the wavelet packet transform coefficients, and the size of the singularity corresponds to the way the extreme values of the coefficients change across scales. In other words, the statistical properties of the signal's wavelet packet coefficients after the transform can be regarded as consistent with the statistical properties of the original signal, so detection on the wavelet packet coefficients is almost equivalent to detection on the original signal.
Deviation-score detection can be realised with a sliding-window deviation score algorithm, shown in Fig. 2, the schematic diagram of the sliding-window deviation score algorithm. Two measurement windows are used: a history window HisWin based on the historical variance and a detection window DetWin. Both windows move along with time and are updated in real time. At the current time t we compute the variance V1 in the detection window (t-DetWin, t) and the variance V2 in the history window (t-HisWin, t), and let

$\mathrm{ratio} = V_1 / V_2 \qquad (3\text{-}1)$

The parameter ratio reflects to a certain extent how far the samples in the detection window depart from the historical normal data. If the signal at the current time point is anomalous, it will inevitably affect the measurement in the detection window, which is reflected in the parameter ratio as a growth in its value. In the initial anomaly detection stage at time t, wavelet packet decomposition is performed on the network traffic signal in the period (t-HisWin, t); we obtain the wavelet packet coefficients at each scale, apply the deviation score algorithm to them, and compare the generated ratio with the predefined alarm threshold T_a and decomposition threshold T_d. There are three cases:
(1) If ratio > T_a, an anomalous state is considered to have occurred and confirming anomaly detection is carried out: in the anomaly confirmation stage at time t, the wavelet packet coefficients at each scale found to be possibly anomalous are reconstructed and a further detection is performed on the reconstructed signal. If the detection result on the reconstructed signal still exceeds the alarm threshold T_a, it is determined to be an anomaly; otherwise it is regarded as a false detection, i.e. the signal is normal.
(2) If ratio < T_a and ratio > T_d, a suspected anomalous state is considered to have occurred; the band in which the suspected state appears is decomposed further by wavelet packet decomposition and the initial anomaly detection is repeated until the detection result is either that the signal is anomalous or that the signal is in the normal state.
(3) If ratio < T_d, the signal is considered normal.
Depart from mark iff dependence, will lose efficacy to long-term low-frequency anomaly so.Reason is that low-frequency anomaly just settles out when being increased to certain amplitude, when detection window is significantly smaller than unusual duration, is merely able to depart from mark and just has sudden change when beginning unusually and finishing, and the centre is departed from mark unusually stably the time and remained unchanged substantially.At this moment, long-term short unusual of two duration that unusually just has been taken as.In order to address this problem, the present invention has done second improvement to departing from the mark algorithm, has defined a mean shift mark ratio EAt current time t, calculate (t-DetWin, t) the average E of interior detection window 1, (t-HisWin, t) the average E of interior history window 2, then make the mean shift mark be
ratio E = E 1 E 2 - - - ( 3 - 2 )
It has reflected the variation of the more historical normal data of sample mean in the detection window.In general, low-frequency anomaly begin that its value of back will be more stable greater than 1, so, can accurately detect long-term low-frequency anomaly in conjunction with it.For average mark ratio E, corresponding alarm threshold is T Ea, decomposing thresholding accordingly is T Ed, concrete detection method, identical with the detection method of above-mentioned skew mark, do not giving unnecessary details at this.
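The two scores and the three-way decision described above, as an added example (not the patent's code): the variance score ratio of (3-1) catches a short burst, while the mean score ratio_E of (3-2) is what flags the middle of a long plateau that the variance score misses. Window sizes, threshold values and the packet-count series are constructed assumptions.

```python
"""Sliding-window deviation scores with dual thresholds.

Added example, not the patent's own code. It implements the variance score
ratio = V1/V2 (3-1) and the mean score ratio_E = E1/E2 (3-2) over a detection
window DetWin and a history window HisWin that both end at the current time t,
and the three-way decision against an alarm threshold T_a and a decomposition
threshold T_d (T_a > T_d). Window sizes and thresholds below are assumptions
chosen for the constructed signal, not values taken from the patent.
"""
from statistics import mean, pvariance

DET_WIN, HIS_WIN = 8, 64           # assumed window sizes (samples)
T_A, T_D = 3.0, 2.0                # assumed thresholds for the variance score
T_EA, T_ED = 1.3, 1.15             # assumed thresholds for the mean score


def deviation_scores(signal, t, det_win=DET_WIN, his_win=HIS_WIN):
    """Return (ratio, ratio_E) at time index t; both windows cover [t - win, t)."""
    if t < his_win or t > len(signal):
        raise ValueError("not enough history before t")
    det, his = signal[t - det_win:t], signal[t - his_win:t]
    v1, v2 = pvariance(det), pvariance(his)
    e1, e2 = mean(det), mean(his)
    ratio = v1 / v2 if v2 > 0 else (float("inf") if v1 > 0 else 1.0)
    ratio_e = e1 / e2 if e2 != 0 else (float("inf") if e1 != 0 else 1.0)
    return ratio, ratio_e


def classify(score, t_alarm, t_decomp):
    """The three cases of the initial detection stage."""
    if score > t_alarm:
        return "abnormal"        # case 1: reconstruct the band and re-test
    if score > t_decomp:
        return "suspected"       # case 2: decompose the band one level further
    return "normal"              # case 3


def detect_at(signal, t):
    """Combined decision: variance score for bursts, mean score for long shifts."""
    ratio, ratio_e = deviation_scores(signal, t)
    return {
        "ratio": ratio, "ratio_E": ratio_e,
        "variance_decision": classify(ratio, T_A, T_D),
        "mean_decision": classify(ratio_e, T_EA, T_ED),
    }


def constructed_signal():
    """Constructed packet-count series: level 100 with a +/-1 alternation
    (variance exactly 1), a single spike at sample 70 and a long plateau at
    level 200 over samples 200-259 (the low-frequency anomaly of the text)."""
    sig = [100 + (1 if k % 2 else -1) for k in range(300)]
    sig[70] = 150                                   # short high-frequency burst
    for k in range(200, 260):
        sig[k] += 100                               # long low-frequency anomaly
    return sig


if __name__ == "__main__":
    s = constructed_signal()
    for t in (64, 72, 230):      # normal, inside the burst, inside the plateau
        print(t, detect_at(s, t))
```

At t = 230 the detection window sits entirely inside the plateau, so V_1 is back to the baseline variance and ratio is far below T_d, while ratio_E stays above T_Ea; only the mean score reports the anomaly.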
Step 3 shows that the number of decomposition levels and the decomposition path of the wavelet packet are not fixed: whether to decompose further, and along which path the next level of wavelet packet decomposition proceeds, are decided flexibly according to the detected abnormal or suspected-abnormal state, so the procedure is fully adaptive.
Step 4, reconstruct the wavelet packet coefficient sequences of the frequency bands whose detection parameters exceed the alarm threshold. The energy of the abnormal signal is most likely distributed over the frequency bands found abnormal in step 3; reconstructing the wavelet packet coefficient sequences on these bands yields a signal in which the anomaly stands out more clearly than in the original signal.
Because abnormal signals are complex, the anomalies found in the initial detection are very likely spread over different wavelet domains. Reconstructing the wavelet packet coefficients of these domains gives a signal in which the anomaly stands out more clearly than in the original, and further detection on the reconstructed signal confirms the anomaly. In addition, by selectively reconstructing the wavelet packet coefficient sequences, the anomalies can be located more accurately in the time domain.
Step 5, confirmation anomaly detection: compare the generated detection parameter with the predefined alarm threshold; if it is greater than the alarm threshold, confirm an abnormal signal, otherwise treat it as a false detection, i.e. confirm that the signal is normal. Since the suspected anomalies found by the initial anomaly detection module may be false detections, the reconstructed signal sequence is detected once more at the end to reduce the false detection rate. Moreover, because the time-domain localisation obtained from wavelet packet analysis is fuzzy, detecting the reconstructed signal improves the accuracy of locating the anomaly in time.
In the above embodiments the window can also be determined adaptively. In general the detection window is hard to choose during anomaly detection, and an arbitrarily chosen window cannot guarantee a good detection effect. The present invention therefore proposes a method of roughly determining the window size from the centre frequency of each frequency band.
In the initial anomaly-detection stage the signal to be detected consists of the wavelet packet coefficients of each layer. After j layers of wavelet packet decomposition the traffic signal is split into a sequence of 2^j frequency bands of equal width; in each band the signal length is reduced to 1/2^j of the traffic signal and the sampling interval grows to 2^j times that of the traffic signal. If the highest frequency of the traffic signal is f, the frequency range of the 2^j bands is:
$2^{-j}(i-1)f \sim 2^{-j} i f$    (3-3)
where i = 1, 2, ..., 2^j indexes the frequency bands of the decomposed signal. The centre frequency of each band can be roughly estimated as:
$f_{c,j}^{\,i} = 2^{-(j+1)}(2i-1) f$    (3-4)
Let the sampling interval of the 0th layer (the traffic signal) be Δ; then the sampling interval of layer j is 2^j Δ. The data length corresponding to 2^j periods of the centre frequency is taken as the size of the detection window:
$DetWin_j^i = 2^j \cdot 2^{(j+1)} / [(2i-1) f \cdot 2^j \Delta] = 2^{(j+1)} / [(2i-1) f \cdot \Delta]$    (3-5)
The detection windows computed from the centre frequency thus differ for each band of each layer: the detection window is larger at low frequency and smaller at high frequency.
In confirmation anomaly detection the signal to be detected is the reconstructed signal. To ensure that anomalies in all frequency bands can be detected effectively, the detection window is set to the maximum of the detection windows of the reconstructed wavelet packet coefficient sequences.
Another improvement of the present invention is that the detection method combines online detection with sliding-window technology. As Figure 2 shows, the data intercepted by successive sliding windows overlap to some extent, and for the history window in particular the amount of redundant data is very large. At two adjacent detection instants the wavelet packet transform would compute the redundant data twice, consuming a large amount of computation time and degrading the real-time performance of the whole detector. To meet the real-time requirement, a fast wavelet packet transform algorithm based on the sliding window can be adopted in practice.
The thresholds T_a, T_d, T_Ea and T_Ed can be determined by monitoring a normal network and analysing historical network traffic data. To make the wavelet packet decomposition adaptive, a dual-threshold decision mechanism is used in the initial anomaly detection: two thresholds are set, the alarm thresholds (T_a and T_Ea) and the decomposition thresholds (T_d and T_Ed), with T_a > T_d and T_Ea > T_Ed. T_a and T_d are obtained from the score value ratio of the deviation statistical detection algorithm: historical normal traffic is detected to obtain the normal ratio of the traffic at each scale, and one takes $T_a = \overline{ratio} + 3\sigma$, $T_d = \overline{ratio} + 6\sigma$. T_Ea and T_Ed are obtained from the mean score ratio_E: historical traffic is studied to obtain the normal ratio_E of the traffic at each scale, and one takes $T_{Ea} = \overline{ratio_E} + 3\sigma$, $T_{Ed} = \overline{ratio_E} + 6\sigma$. In these formulas σ is the variance of the data in the detection window while the historical normal traffic is detected; 3σ and 6σ are empirical values, and other values can be used according to the actual situation.
The present invention is further explained with a wavelet packet decomposition tree; Figure 3 shows an example of such a tree. First the traffic signal is given a 1-layer multi-scale decomposition, then the coefficients of node [1,0] are given a 3-layer wavelet packet decomposition, and the sliding-window statistical detection algorithm is used to detect anomalies in the coefficients at each scale. If some band at some scale before layer n reaches the alarm threshold, reconstruction and detection are carried out immediately, and an alarm is raised if the result is still abnormal. If some scale of layer n reaches the decomposition threshold, it is further decomposed into layer n+1 and detected: if the wavelet packet coefficients of layer n+1 are below the decomposition threshold, they are judged non-abnormal; if they are above the decomposition threshold but below the alarm threshold, decomposition continues deeper; if they are above the alarm threshold, reconstruction is carried out directly and the reconstructed signal is judged again. The dark nodes in Figure 3 show one possible decomposition path.
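The adaptive decomposition tree described above, together with the band formulas (3-3) to (3-5), as an added example that is not the patent's code. The Haar wavelet is used so that decomposition and selective reconstruction run in pure Python (the patent fixes no wavelet), and the per-band score is the variance of the band's most recent DetWin coefficients over the variance of the whole coefficient sequence, a simplification of the sliding-window score in which the history window is the whole sequence; thresholds, the Nyquist frequency f = 0.5, Δ = 1 and the two traffic series are assumptions.

```python
"""Adaptive wavelet packet path with dual thresholds (added example, not the
patent's code). Haar wavelet so it runs in pure Python; the patent fixes no
wavelet. Implements band range (3-3), centre frequency (3-4) and detection
window (3-5), and the tree walk: alarm -> reconstruct the alarmed bands and
re-test; suspected -> split that band again; else stop. Score = variance of
the band's last DetWin coefficients over the variance of the whole sequence
(history window = whole sequence). Thresholds and signals are assumed."""
import math
from statistics import pvariance

SQRT2 = math.sqrt(2.0)

def haar_split(x):
    """One wavelet packet level: (low-pass, high-pass) coefficients, half as long."""
    pairs = [(x[k], x[k + 1]) for k in range(0, len(x) - 1, 2)]
    return [(a + b) / SQRT2 for a, b in pairs], [(a - b) / SQRT2 for a, b in pairs]

def haar_merge(low, high):
    """Inverse of haar_split (perfect reconstruction)."""
    out = []
    for a, d in zip(low, high):
        out += [(a + d) / SQRT2, (a - d) / SQRT2]
    return out

def band_info(j, i, f, delta):
    """(f_lo, f_hi, f_c, DetWin) of band i (1..2**j) at layer j; f = highest
    frequency of the traffic signal, delta = its sampling interval."""
    f_lo, f_hi = 2.0 ** -j * (i - 1) * f, 2.0 ** -j * i * f
    f_c = 2.0 ** -(j + 1) * (2 * i - 1) * f
    det_win = 2.0 ** (j + 1) / ((2 * i - 1) * f * delta)
    return f_lo, f_hi, f_c, det_win

def band_index(path):
    """Band number i for a node path (0 = low, 1 = high). Natural path order is
    assumed; the frequency reordering of wavelet packet nodes is ignored here."""
    return 1 + int("".join(map(str, path)), 2) if path else 1

def reconstruct(coeffs, path):
    """Rebuild a full-length signal from one node only (all other nodes zeroed)."""
    x = list(coeffs)
    for bit in reversed(path):
        zeros = [0.0] * len(x)
        x = haar_merge(x, zeros) if bit == 0 else haar_merge(zeros, x)
    return x

def variance_ratio(coeffs, det_win):
    """Variance of the last DetWin coefficients over the variance of all of them."""
    n = max(2, min(len(coeffs), int(round(det_win))))
    v_all = pvariance(coeffs)
    return pvariance(coeffs[-n:]) / v_all if v_all > 0 else 0.0

def adaptive_detect(signal, t_alarm, t_decomp, f=0.5, delta=1.0, max_layer=3,
                    score=variance_ratio):
    """Return (decision, visited); visited lists (path, score) of every band tested."""
    visited, alarmed, pending = [], [], [((), list(signal))]
    while pending:
        path, node = pending.pop()
        if len(path) >= max_layer or len(node) < 4:
            continue                                  # deepest layer reached
        for bit, child in zip((0, 1), haar_split(node)):
            child_path = path + (bit,)
            det_win = band_info(len(child_path), band_index(child_path), f, delta)[3]
            s = score(child, det_win)
            visited.append((child_path, s))
            if s > t_alarm:
                alarmed.append((child_path, child))   # case 1: reconstruct later
            elif s > t_decomp:
                pending.append((child_path, child))   # case 2: split further
    if not alarmed:
        return "normal", visited                      # case 3 everywhere
    # Confirmation: reconstruct only the alarmed bands and test the rebuilt signal
    # once more, using the largest detection window among those bands.
    rebuilt = [0.0] * len(signal)
    for path, coeffs in alarmed:
        for k, v in enumerate(reconstruct(coeffs, path)):
            rebuilt[k] += v
    det_win = max(band_info(len(p), band_index(p), f, delta)[3] for p, _ in alarmed)
    return ("abnormal" if score(rebuilt, det_win) > t_alarm else "false_alarm"), visited

def constructed_signals():
    """Two constructed 64-sample traffic series: a normal one (level 100 with
    +/-1 alternation) and one with a +50 burst at the most recent sample."""
    normal = [100.0 + (1 if k % 2 else -1) for k in range(64)]
    burst = [100.0] * 63 + [150.0]
    return normal, burst
```

Summing reconstruct() over every leaf of a tree gives the original signal back, which is the check a practitioner should run before trusting the selective reconstruction of step 4.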
The present invention also provides a detection device for network traffic anomalies. Figure 4 is a first structural schematic of this device, which comprises: a traffic signal generation module 11, a wavelet packet transform module 12 and an initial anomaly detection module 13;
The traffic signal generation module 11 samples the network traffic signal and generates the traffic signal;
The wavelet packet transform module 12 performs wavelet packet decomposition on the traffic signal and on the wavelet packet coefficient sequences output by the initial anomaly detection module;
The initial anomaly detection module 13 performs initial anomaly detection on the wavelet packet coefficient sequences generated by the wavelet packet transform module, generates detection parameters, and compares the detection parameters with the predefined alarm threshold and decomposition threshold. If a detection parameter exceeds the alarm threshold, it outputs the detection result that the signal is abnormal; if a detection parameter is below the alarm threshold but above the decomposition threshold, it outputs the wavelet packet coefficient sequence corresponding to that detection parameter to the wavelet packet transform module 12.
Figure 5 is a second structural schematic of the detection device of the present invention; to further improve detection reliability, a wavelet packet reconstruction module 14 and a confirmation anomaly detection module 15 are added to the device;
The wavelet packet reconstruction module 14 reconstructs the wavelet packet coefficient sequences that the initial anomaly detection module has detected as abnormal.
The confirmation anomaly detection module 15 performs confirmation anomaly detection on the traffic signal generated after reconstruction by the wavelet packet reconstruction module, compares the generated detection parameter with the predefined alarm threshold, and outputs the detection result that the signal is abnormal if the parameter exceeds the alarm threshold.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution may still be modified or replaced by equivalents, and that such modifications or equivalent replacements do not take the modified technical solution outside the spirit and scope of the technical solution of the present invention.

Claims (11)

1. A detection method for network traffic anomalies, characterised by comprising the steps of:
Step 1, sampling the network traffic to generate a traffic signal;
Step 2, performing wavelet packet decomposition on the traffic signal to generate wavelet packet coefficient sequences for a plurality of frequency bands;
Step 3, performing initial anomaly detection on the wavelet packet coefficient sequence of each frequency band generated by the decomposition to generate detection parameters, and comparing the detection parameters with a predefined alarm threshold and a predefined decomposition threshold; if a detection parameter exceeds said alarm threshold, confirming an abnormal signal; if a detection parameter is below said alarm threshold but above said decomposition threshold, performing the next layer of wavelet packet decomposition on the frequency band corresponding to that detection parameter and then repeating step 3.
2. The detection method according to claim 1, characterised in that confirming an abnormal signal when a detection parameter exceeds the alarm threshold specifically comprises:
Step 4, reconstructing the wavelet packet coefficient sequences of the frequency bands whose detection parameters exceed said alarm threshold;
Step 5, performing confirmation anomaly detection on the signal generated by the reconstruction, comparing the generated detection parameter with said predefined alarm threshold, and confirming an abnormal signal if it exceeds said alarm threshold.
3. The detection method according to claim 1 or 2, characterised in that the sampling in step 1 specifically comprises: counting the number of packets passing through a router per unit time to generate the traffic signal.
4. The detection method according to claim 1 or 2, characterised in that said initial anomaly detection and/or said confirmation anomaly detection uses deviation-score detection.
5. The detection method according to claim 4, characterised in that said deviation-score detection uses a historical variance window and a detection window that slide over the signal to perform the detection.
6. The detection method according to claim 5, characterised in that during said sliding detection said detection window slides and generates a detection window variance V1, said historical variance window slides and generates a history window variance V2, and said detection parameter is the ratio of V1 to V2.
7. The method according to claim 6, characterised in that during said sliding detection said detection window slides and generates a detection window mean E1, said historical variance window slides and generates a history window mean E2, and said detection parameter is the ratio of E1 to E2.
8. The detection method according to claim 5, 6 or 7, characterised in that the size of said detection window is determined from the centre frequency of each frequency band.
9. The detection method according to claim 1 or 2, characterised by further comprising, before said step 1: determining said alarm threshold and said decomposition threshold by monitoring a normal network and analysing historical network traffic data.
10. A detection device for network traffic anomalies, characterised by comprising: a traffic signal generation module, a wavelet packet transform module and an initial anomaly detection module;
the traffic signal generation module samples the network traffic signal and generates a traffic signal;
the wavelet packet transform module performs wavelet packet decomposition on the traffic signal output by the traffic signal generation module and on the wavelet packet coefficient sequences output by the initial anomaly detection module;
the initial anomaly detection module performs initial anomaly detection on the wavelet packet coefficient sequences generated by the wavelet packet transform module to generate detection parameters, and compares the detection parameters with a predefined alarm threshold and a predefined decomposition threshold; if a detection parameter exceeds said alarm threshold, it outputs the detection result that the signal is abnormal; if a detection parameter is below said alarm threshold but above said decomposition threshold, it outputs the wavelet packet coefficient sequence corresponding to that detection parameter to said wavelet packet transform module.
11. The detection device according to claim 10, characterised by further comprising:
a wavelet packet reconstruction module, which reconstructs the wavelet packet coefficient sequences that the initial anomaly detection module detects as abnormal signals;
a confirmation anomaly detection module, which performs confirmation anomaly detection on the traffic signal generated after reconstruction by the wavelet packet reconstruction module, compares the generated detection parameter with said predefined alarm threshold, and outputs the detection result that the signal is abnormal if the parameter exceeds said alarm threshold.
Application CNB200610168173XA, priority date 2006-12-15, filing date 2006-12-15: A detection method and detection device for exceptional network flow. Granted as CN100486179C (en); status Expired - Fee Related.

Publications (2)

Publication Number Publication Date
CN1996888A true CN1996888A (en) 2007-07-11
CN100486179C CN100486179C (en) 2009-05-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090506

Termination date: 20181215