KR20110041149A - Method for detecting traffic anomaly using fisher linear discriminant - Google Patents

Abstract

PURPOSE: A method for detecting an abnormal traffic is provided to determine whether an inflow traffic is belong to a normal group or an abnormal group using a fisher linear discrimination method. CONSTITUTION: If an inflow traffic is located in the lower part of a hyperplane(S50), the traffic is determined as a normal group(S60). If the traffic is located in the upper part of the hyperplane, the traffic is determined as an abnormal group(S70). It is determined whether the traffic level exceeds a predetermined update period(S80). If the traffic reaches the update period, traffic vectors which were collected earlier than other traffic vectors are abandoned. A new hyperplane is created with the newly added traffic vectors during the update period(S90).

Description

Method for detecting traffic anomaly using Fisher linear discriminant

The present invention relates to a method for detecting anomalous traffic in a sub-network, in particular, using traffic during the collection period as data, using normal groups and chi-square distribution and Fisher linear classification. After forming a hyperplane that can be classified into an abnormal group, and subsequently to the traffic traffic detection method using the Fisher linear classification method to easily determine whether the incoming traffic belongs to the normal group or the abnormal group. .

Today's telecommunications networks have become increasingly complex and diversified, with the growing popularity of Internet-based applications such as multimedia streaming, peer-to-peer, real-time voice and video communications, and network games, as well as traditional Internet applications. It is emerging.

Through these complicated and diversified networks, the occurrence of abnormal traffics and various infringement accidents is increasing, and the damages are continuously occurring. Anomalous traffic causes various attacks such as network traffic congestion, DoS attacks, and worms, and is generated in an intelligent and complex form, requiring more advanced technology to detect such anomalies early.

Therefore, many existing studies have dealt with the method for detecting abnormal traffic. Two representative methods are rule-based and measurement-based.

First, a rule-based method is to grasp an abnormal traffic pattern in advance and detect a newly generated traffic pattern by comparing the previously detected pattern.

This approach, such as pattern matching, has a high detection rate for known attacks. However, it has a relatively low detection rate for new unknown attacks, and due to the problem of comparing packets individually, it is not conjoined in a high-speed large network such as a backbone.

In order to overcome this drawback, the measurement-based method is based on the premise that the Internet backbone traffic is periodic, and predicts future traffic by modeling the traffic based on simple traffic information available on the network. Methods of sampling and modeling only useful specific information among the many traffic information have been proposed.

However, the modeling detection method has a disadvantage in that it is necessary to go through several steps to find out the kind of abnormality.

On the other hand, since the detection of abnormal traffic is an important part of traffic monitoring, it is important to define parameters that can express the characteristics of the traffic and to develop a traffic analysis system.

The present invention was devised to solve the above-mentioned problems of the prior art, and the traffic group during the collection period is used as data, and a normal group and a chi-square distribution and Fisher linear classification method are used. After forming a hyperplane that can be classified into an abnormal group, it provides a method for detecting an abnormal traffic using the Fisher linear classification method to easily determine whether the incoming traffic belongs to the normal group or the abnormal group. For that purpose.

The constituent means of the abnormal traffic detection method of the present invention proposed to solve the above problems is, after collecting the traffic in a specific period for a specific collection period from the router, traffic consisting of a plurality of components representing the characteristics of each traffic collected After generating the vectors and forming a hyperplane that can be classified into normal and abnormal groups using Fisher linear classification using the traffic vectors as data, after forming the hyperplane If the incoming traffic is located in the lower area including the plane of the hyperplane, the second step is determined as a normal group, and if it is located in the upper area of the hyperplane, the second step is determined as an abnormal group. A third step of determining whether a predetermined update cycle has been reached; When the update period is reached, the oldest traffic vectors collected for the period corresponding to the update period are discarded, the newly generated traffic vectors are included in the update period to form a new hyperplane, and then returned to the second step. It comprises a fourth step.

Here, the components of each traffic vector are characterized in that the capacity of the bandwidth (band), the capacity of the flow (flow) and the capacity of the packet (packet).

Here, the distribution during the collection period for each component of the traffic vector follows a chi-square distribution, and if at least one of each component corresponds to the top 4% to 6%, it is an abnormal group. If the dose of all the components do not correspond to the top 4% ~ 6%, characterized in that classified into a normal group.

According to the method for detecting abnormal traffic using Fischer linear classification in the sub-network of the present invention having the above-described problems and solving means, the chi-square distribution and the Fisher (Fisher) After forming a hyperplane that can be classified into a normal group and an abnormal group by using a linear classification method, if the incoming traffic falls into the lower region of the hyperplane, it is classified into a normal group, and the top of the hyperplane If the area corresponds to the abnormal group can be classified, there is an advantage that can easily determine the abnormal traffic among the incoming traffic.

In addition, since the hyperplane is periodically updated, there is an advantage that can meet the trend of changing traffic.

Hereinafter, with reference to the accompanying drawings will be described in detail a preferred embodiment of the abnormal traffic detection method using the Fischer linear classification method of the present invention having the above problems, solutions and effects.

From the point of view of the network administrator, in order to provide efficient and normal services to users, not only harmful traffic, but also malicious traffic should be detected for abnormal traffic that is problematic for the network user to receive normal services.

In addition, each abnormal traffic may be classified as normal traffic according to the characteristics of the network. For example, in some networks, if ftp traffic is causing problems with other information, the corresponding ftp traffic should be classified as abnormal, and if it can only allow a certain level of ftp traffic in terms of network efficiency, Ftp traffic can only be controlled by detecting abnormal traffic.

From this point of view, it is necessary to classify according to the characteristics of network traffic and classify which traffic group the incoming traffic belongs to.

The method proposed in the present invention defines a traffic vector, which is a set of data consisting of the characteristics of traffic observed on the network, and then groups the traffic according to the characteristics using the traffic vector and distinguishes the groups well. After discriminating, it is a method for detecting which group the incoming traffic belongs to.

Before describing the abnormal traffic detection method using the Fischer linear classification method of the present invention in detail, the entire system applied to the present invention will be briefly described with reference to FIG.

In order to implement the abnormal traffic detection method using the Fisher linear classification method of the present invention, the system shown in FIG. That is, the present invention is implemented through a system composed of traffic monitoring means 10, analysis means 20, detection means 30 and control means 40.

The traffic monitoring means 10 includes a traffic capture unit 15, a traffic sampling unit 17, and a traffic storage and monitoring unit 19. The analysis unit 20 includes a storage unit 21, And a traffic classifier 23 and a mathematical analyzer 25.

Traffic raw data may be collected by the traffic capture unit 15 through a router 13 connected on the network 11. The traffic raw data is configured in the format of Netflow v5. Netflow is basically one-way and consists of five tuples: source and destination addresses, port numbers, and protocols. In addition, it includes TOS and interface information and AS information.

The Netflow can generate and distinguish various protocol flows by applying this information as a rule. This has the advantage of fast processing speed and the flow of traffic generated by the router so that the network administrator can receive the information immediately.

The traffic raw data is stored and monitored by the traffic storage and monitoring unit 19 through a predetermined sampling process by the traffic sampling unit 17.

The traffic stored in the traffic storage and monitoring unit 19 as described above is stored in the storage unit 21 of the analysis means 20 through a predetermined process. That is, the storage unit 21 processes and stores the traffic stored in the traffic storage and monitoring unit 19 at specific cycles.

Of course, such a process is performed under the control of the control means 40, the processed traffic is stored in the storage unit 21 in the form of an Excel file every specific period. Then, the components of the traffic vector are determined according to the characteristics of the traffic collected and stored in the storage unit 21, and the traffic group is determined according to the common characteristics of each traffic vector. In the present invention, the classifier 23 creates two traffic groups (a normal group and an abnormal group) using an MS-SQL query to determine the criteria of the traffic group.

In addition, the mathematical analysis unit 25 applies the chi-square distribution in order to make an accurate criterion of the group, and forms a hyperplane through Fisher linear classification.

After the hyperplane is formed, traffic flows that can be classified as normal or abnormal. Then, the detection means 30 determines whether the incoming traffic is included in the normal group or the abnormal group by using the hyperplane, and detects the abnormal traffic.

On the other hand, since the traffic is constantly changing, the mathematical analysis unit 25 updates the hyperplane periodically under the control of the control means 40 to reflect the newly generated traffic. In other words, when the update period is P, the traffic of the oldest P period is replaced with new traffic during the P period, thereby forming a new hyperplane.

Through such a system, the abnormal traffic detection method using the Fisher linear classification method of the present invention is implemented.

The following describes Fischer linear classification and chi-square distribution that are important in the present invention.

Fischer linear classification is a linear function that can classify groups and is a technique for classifying groups by projecting multidimensional data into the normal vectors of the hyperplane ([A. Shashua, "On the Relationship Between the Support Vector Machine for Classification and Sparsified"). Fisher's Linear Discriminant, "Neural Processing Letters, vol. 9, pp. 129-139, April 1999.], R. Johnson, and D. Wichern, Applied Multivariate Statistical Analysis, 6th ed., Prentice-Hall, 2007, pp 576-593, 623-633.).

를 n개의 성분으로 이루어진 벡터 로 구성된 데이터 집합이라 하자. 이 데이터 집합은 m 종류의 데이터로 그룹으로 분류된다고 가정하고, j 그룹의 데이터 집합을 Y_j로 표기한다.

Let be a data set consisting of a vector of n components. This data set is assumed to be classified into groups of m kinds of data, and the data set of the j group is denoted by Y _j .

를 만족하는 X의 디스조인트(disjoint) 서브셋(subset)이다. 여기서 ｜Y_j｜는 Y_j 집합의 원소의 개수를 나타낸다. u와 uj는 각각 X와 Yj의 평균이라 하자. 여기서 u=(u₁,....u_n)^t와 u_j=(u_j1,....u_jn)^t의 성분은 각각

와

로 주어진다. 여기서 t는 행렬의 전치(transpose)를 나타낸 것이다.That is, Y = {Y _j } ^m _{j = 1}

Is a disjoint subset of X that satisfies. Where | Y _j | represents the number of elements of the Y _j set. Let u and uj be the mean of X and Yj, respectively. Where u = (u ₁ , .... u _n ) ^t and u _j = (u _j1 , .... u _jn ) ^t are the components of

Wow

Is given by Where t is the transpose of the matrix.

(여기서

이고, d는 원점으로부터 하이퍼플레인까지의 거리)과 수직인 법선 벡터 w를 찾는 것이 목적이다.We now introduce a direction vector and define a scatter matrix in the data group and a scatter matrix between the groups. In the present invention, when the average u _j of each group is projected to a normal vector w, a hyperplane that has a maximum variance so that each group can be separated well.

(here

And d is the distance from the origin to the hyperplane).

와

_inter로 나타낸다. 이 행렬들을 정의하기 위하여

를 집합 j의 산란 행렬로 다음과 같이 정의한 다.Each of the scattering matrices within the group and

Wow

_Represented by _inter . To define these matrices

Is defined as the scattering matrix of set j as

수식 (1)

Formula (1)

와

_inter는 다음과 같이 정의한다.Using this

Wow

_inter is defined as follows.

,

_inter

,

_inter

Therefore, the sum of normalized variances between the projected elements of each group from the projected center of each group is expressed as

,

수식 (2)

,

Formula (2)

을 계산하면

이 된다.Where wh stands at the Euclidean norm and

If you calculate

Becomes

In order to separate groups well, the data within the group should be as much as possible and the data between groups should be as far apart as possible. In other words, the large value of Equation (2) means that the distinction between groups is clear. Therefore, using the equations (1) and (2), the classical Fisher criterion function through the optimization formulation can be defined as follows.

이다.here

to be.

Since the solution of the optimization formula (OPT) can be obtained by minimizing the denominator and maximizing the numerator, the traffic in each group should be composed of the same characteristics, and the traffic between groups should be able to exhibit different characteristics. The optimization formulation is equivalent to the eigenvalue problem:

수식 (3)

Formula (3)

In addition, the eigenvector corresponding to the maximum eigenvalue of Equation (3) is the normal vector w ([A. Shashua, "On the Relationship Between the Support Vector Machine for Classification and Sparsified Fisher's Linear Discriminant," Neural Processing Letters, vol. 9, pp. 129-139, April 1999.].

On the other hand, as will be described later, since the amount of daily traffic collected in the present invention was largely observed to follow a normal distribution, traffic data collected for 30 days or more according to the following the square distribution according to the following theorem Assuming that there is no big problem. The following theorem shows the relationship between the standard normal distribution and the chi-square distribution.

Theorem 1: If the random variables Z1, ..... Zk follow the standard normal distribution N (0,1) and are independent of each other, then Z ² ₁ + Z ² ₂ + ..... + Z ² _k is degrees of freedom of freedom) follows a square distribution of k. This is represented by Z ² ₁ + Z ² ₂ + .... + Z ² _k to χ ² (k) (Z. Zhang and H. Shen "Online Training of SVMs for Real-time Intrusion Detection," in Proc. AINA 2004, pp. 568-573, March 2004.], T. Hamada, K. Chujo, T. Chujo, and X. Yang, "Peer-to-peer traffic in metro networks: analysis, modeling, and policies, "in Proc. IEEE / IETF NOMS 2004, pp. 425-438, April 2004.])

The method for detecting abnormal traffic based on the Fisher linear classification method and the chisquare distribution described above and the system described with reference to FIG. 1 will be described with reference to FIG. 2.

In order to detect abnormal traffic, the present invention forms a hyperplane, which is a reference plane for easily determining whether incoming traffic is normal traffic or abnormal traffic, by using the chisquare distribution and Fisher linear classification.

In order to form a hyperplane as described above, traffic used as raw data is collected through a router (S10). Traffic used as raw data from the router is collected for a specific collection period. As will be described later, embodiments of the present invention collect traffic for 30 days.

The collected traffic is collected at some specific period. For example, traffic is collected and stored every five minutes. Thus, the collected traffic is collected at a specific period for a specific collection period. For example, traffic is collected and stored every 5 minutes for 30 days.

A traffic vector having specific information is generated using the collected traffic (S20). That is, after collecting the traffic, traffic vectors consisting of a plurality of components representing the characteristics of each collected traffic are generated.

The components of each traffic vector include a capacity of bandwidth, a capacity of flow and a capacity of packet. That is, each traffic vector represents a bandwidth capacity, a flow capacity, and a packet capacity, which are information on the corresponding traffic.

When the traffic vectors are generated as described above, the traffic vectors are used as data to form a traffic group and form a hyperplane (S30). That is, using the traffic vectors as data, a hyperplane that can be classified into a normal group and an abnormal group using a Fisher linear classification method is formed.

According to the present invention, the distribution of the capacity of the bandwidth, the capacity of the flow and the capacity of the packet, which is a component of each of the traffic vectors, follows the square distribution.

That is, the distribution during each collection period (eg, for 30 days) for each component of the traffic vector follows a chi square distribution. Here, a criterion for determining whether the traffic vector corresponds to normal traffic or abnormal traffic is determined.

In the present invention, a range with a relatively large capacity for each component is regarded as an abnormal range. Specifically, if the capacity of the bandwidth in the chi-square distribution during the collection period falls within the upper specific range, it corresponds to abnormal traffic, and if the capacity of the flow in the chi-square distribution during the collection period belongs to the upper specific range, If the capacity of the packet falls within the upper specific range in the chi-square distribution during the collection period, it is determined to correspond to abnormal traffic.

That is, if any capacity of each component of the traffic vector falls within the upper distribution range, it is classified as abnormal traffic. If the capacity of all components does not fall into the upper distribution range, it is classified as normal traffic.

In the present invention, the upper distribution range is between 4% and 6%. Experimentally, since the hyperplane is formed based on the above range, the detection accuracy is high when detecting normal / abnormal traffic.

Traffic groups classified as normal traffics are classified into normal groups, and traffic groups classified as abnormal traffic are classified into abnormal groups. Specifically, if any of the capacity of each component of the traffic vector corresponds to the top 4% to 6%, it is classified as an abnormal group, and if the capacity of all the components does not correspond to the top 4% to 6% Classify as a normal group.

The reference plane of the above normal or abnormal group is a hyperplane formed by Fisher linear classification. The hyperplane can be formed by obtaining a normal vector w using the aforementioned Fischer linear classification method, and finding a plane perpendicular to the normal vector and passing through an average point indicated in space by the overall average value for each component.

As described above, when the hyperplane is formed, the normal group region and the abnormal group region are divided. That is, the lower region including the plane of the hyperplane is the normal group region, and the upper region of the hyperplane is the region of the abnormal group.

Thus far, the reference planes (hyperplanes) that can be classified as normal or abnormal traffic have been formed. Then, from now on, it is possible to determine whether the traffic flowing through the actual router is normal traffic or abnormal traffic.

Therefore, the traffic is introduced through the router (S40). Then, for the incoming traffic, a traffic vector representing three components (a bandwidth capacity, a flow capacity, and a packet capacity) is generated, and the positions indicated by these three components are generated. It is determined whether is located in the upper region of the hyperplane (S50). That is, it is determined whether the incoming traffic is located in the upper region of the hyperplane. Of course, it can also be determined whether it is located in the lower region including the plane of the hyperplane.

As a result of the determination, when the incoming traffic is located in the lower region including the plane of the hyperplane, it is determined as a normal group (traffic) (S60), and when it is located in the upper region of the hyperplane, it is determined as an abnormal group (S70). ).

Through this method, it is easy to classify whether the incoming traffic is normal traffic or abnormal traffic.

On the other hand, since the trend of traffic is constantly changing, it is necessary to reflect this. Therefore, in the present invention, the process of updating the hyperplane which is a reference plane for determining whether the incoming traffic is normal or abnormal.

Therefore, the update period is set in advance, and when the update value that increases over time reaches the update period, the process of updating the hyperplane is performed. For example, when the update period is 1 hour and the timer provided in the system reaches 1 hour, the update of the hyperplane is performed and the timer is reset.

As described above, when the update period has been reached and determined, when the update period has been reached, the existing traffic vectors are discarded and newly introduced traffic vectors are included to form a new hyperplane. Specifically, when the update period is reached, the oldest traffic vectors collected for the period corresponding to the update period are discarded, and a new hyperplane is formed by including the newly generated traffic vectors during the update period (S80 to S90).

For example, assuming that the update period is 10 minutes, traffic vectors introduced for 10 minutes to determine whether it is normal / abnormal traffic are used to form a new hyperplane, and are previously collected and used. The oldest traffic vectors collected for 10 minutes are discarded.

Through such an execution process, since the hyperplane is periodically updated, it can easily cope with the variable traffic trend. When a new hyperplane is formed, new traffic is introduced again, and the procedure (S40 to S70) of determining whether it is normal or abnormal is repeated.

According to the method described above, the abnormal traffic can be easily detected with respect to the traffic on the sub-network, and can effectively cope with the variable traffic trend.

Hereinafter, specific examples to which the present invention is actually applied will be described in detail.

First, a traffic vector and a traffic group, which are terms applied to the present invention, are specifically defined.

는 트래픽 정보를 성분으로 갖는 벡터인데, 이 벡터를 트래픽 벡터라 정의하고,

중에서 동일한 특성을 갖는 트래픽 벡터들의 집합을 트래픽 그룹이라 정의한다.

Is a vector containing traffic information as a component, and this vector is defined as a traffic vector.

A set of traffic vectors having the same characteristic among the traffic groups is defined.

The traffic vector contains the measurable items that can represent the characteristics of each traffic group, and the components may be the source IP, the destination IP, the source port, the destination port, the protocol, and the flow of information observed from the router. . A traffic group may also be referred to as a collection of traffic vectors having these same characteristics.

Traffic groups can be classified into normal groups, abnormal groups, worm groups, traffic congestion groups, etc. In particular, abnormal groups can be specifically divided into network malfunction groups, flash crowd abnormal groups, and network abuse groups. (P. Barford and D. Plonkz, "Characteristics of Network Traffic Flow Anomalies," in Proc. ACM SIGCOMM 2001, pp. 69-73, August 2001.).

In this embodiment, the traffic collected through the backbone router of Korea University was analyzed. Traffic was collected every 30 minutes starting at midnight on May 14, 2008 until 23:55 on June 12, 2008. The total traffic set from 288 observations per day is 8640.

The traffic vector has three components, which are defined as the capacity of bandwidth (b), the capacity of flow (f), and the capacity of packet (p). We also consider normal and abnormal groups to separate groups. FIG. 3 shows a trend for the capacity of the bandwidth of the traffic collected over 30 days and part of the daily traffic.

It should be noted from FIG. 3 that there is a very small amount of traffic from 11 pm to 6 am, which is the result of the school library being closed during this time. 3 shows only the capacity of the bandwidth, the trend for the capacity of the flow and the capacity of the packet also has a similar pattern to the trend for the capacity of the bandwidth.

Observe the distribution of the collected traffic to create a criterion for separating the two groups from the collected set of traffic. 4 is a distribution of bandwidth capacity of daily data, and FIG. 5 is a distribution of bandwidth amounts of data collected for 30 days. 4, although not continuous, it can be seen that the distribution of daily traffic except 0 to 20Mbps follows the standard normal distribution.

The reason for excluding 0 to 20 Mbps is that a very small amount of data from 11 pm to 6 am is not included in the abnormal criteria. As shown in FIG. 5, it can be seen that the traffic collected for 30 days follows a Kaisquare distribution having a long tail shape to the left and a right.

Since the daily data follow the standard normal distribution and the squared sum of the graphs follow the Kai Square distribution, it can be assumed that the data for 30 days follow the Kai Square distribution with 30 degrees of freedom.

의 결과를 얻었다.Here, assuming that about 5% of the data is in the abnormal range of the total traffic, the criteria for grouping were created. See Table C.5, K. Trivedi, Probability and Statistics with Reliability, Queuing, and Computer Science Applications, 2nd ed., John Wiley and Sons, 2002, pp. 658-664. So

Result was obtained.

This means that traffic having a bandwidth capacity of 437.730 Mbps or more belongs to an abnormal range. According to this criterion, it can be seen that 8468 traffics of the 8640 traffics belong to the normal, and the remaining 172 traffics belong to the abnormal group. As a result of applying the flow capacity and the packet capacity in the same manner, it was found that 8617 and 8263 belonged to the normal group, respectively.

In addition, the OR condition is applied to the MS-SQL query to define the criterion that if any one of the three traffic vectors is abnormal, it belongs to the abnormal group. According to this criterion, the normal and abnormal groups were | Y _n | = 8241 and | Y _an | = 399, respectively.

Where Y _n | is the number of traffic belonging to the normal group, and Y _an | is the number of traffic belonging to the abnormal group.

Next, using the results as described above, the process of obtaining a hyperplane using the Fisher linear classification method is as follows.

의 값을 각각 계산한다. 트래픽에 관한 각각의 평균은 표 1에 나타나 있다.First, find both the mean and the total mean of each group to find the normal vector w,

Calculate the value of. Each average for the traffic is shown in Table 1.

Table 1

을 이용한다. 이 특성 방정식으로부터 3개의 다른 고유값과 그에 대응하는 고유벡터를 구하면 다음과 같다.Characteristic equation of the eigenvalue problem given by equation (1) to find w

Use Three different eigenvalues and corresponding eigenvectors are obtained from this characteristic equation:

λ ₁ = 0.1882e ⁰⁰² , λ ₂ = -0.1083e ^-14 , λ3 = 0.7932 ^-008

w ₁ = (-28.6341, -0.9995e ^-002 , -0.4927) ^t

w ₂ = (0.2597e ^-003 , -0.3358e ^-002 , 9.8352) ^t

w ₃ = (9995.6493, -0.1654e ^-002 , -0.1577e ^-001 ) ^t

The eigenvector corresponding to the largest value among the eigenvalues thus obtained becomes the normal vector w. Therefore, w ₁ = (-28.6341, -0.9995e ^-002 , -0.4927) ^t corresponding to lambda ₁ = 0.1882e ⁰⁰² becomes a normal vector.

We can now define the hyperplane we are looking for by finding a plane that is perpendicular to the normal vector and passes through the mean point. The equation of the hyperplane thus obtained is as follows.

-28.6341 (x-103,709,872.7)-

0.9995e ^-002 (y-5,247,040)-0.4927 (z-18,336,008) = 0

6 shows each traffic and w, hyperplane, two separate groups. In order to simplify the drawing, the normal vector, the hyperplane, and the normalized and abnormal traffic are represented by only one tenth of the normal and abnormal traffic.

By applying this hyperplane to newly introduced traffic, it is possible to determine whether the traffic belongs to the normal group in the lower region or the abnormal group in the upper region. This hyperplane can be detected in real time with a constantly varying average value and hyperplane to reflect the trend of traffic to be detected.

On the other hand, in order to prove the reliability of the obtained hyperplane, we experimented by applying the data of July 2, 2008, which is the data of a specific day, to this hyperplane. This day was the day when the traffic of the school portal system was very crowded due to the university's first semester grades, and it was proved to be the day when the traffic was abnormally high due to the traffic observed in the school computer center.

Figure 7 shows a part of the table showing the abnormality collected from the monitoring server. 7, the type of traffic, the time of occurrence, and the pattern thereof can be known. During this particular day, there were a lot of jump traffic and profile traffic which seemed to be abnormally congested, and the frequency of the abnormal traffic was long and frequent.

It also updates new incoming traffic every five minutes to delete the oldest five minutes of traffic and inserts new five minutes of traffic to create an updated hyperplane.

The reason why we update the hyperplane every five minutes is to block influential attacks, such as the slammer worm, which causes intrusions very quickly, unlike conventional viruses or attacks (D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy Magazine 1 (4), pp. 33-39, July / Aug. 2003. ]).

The slammer worm spreads rapidly as it emerged, taking advantage of Microsoft SQL database software. It traveled and replicated itself over the network, doubling every 8.5 seconds, infecting 90% of vulnerable hosts in just 10 minutes. At about three minutes after the peak of the airspeed, it was found that 55 million times per second location search request was sent through the Internet network.

8 is a diagram of a hyperplane obtained by deleting existing traffic collected from May 14 to May 20, 2008 and replacing it with a new set of collected traffic for a week from June 13 to June 19, 2008. Show you The trend of the newly formed hyperplane also shows a similar appearance with only a slight change in slope.

When we look at the change of hyperplane in 5 minutes, it is almost similar, so we can't see the change with the naked eye. 8, it can be seen that the tendency of the newly formed hyperplane is also changed to only a slight inclination, which is almost similar.

Next, the performance of the present invention is evaluated. The term is defined here for performance evaluation.

In fact, the case of belonging to the normal group and judged correctly as the normal group is called true positive, and the case of the case of belonging to the abnormal group and judged right to the abnormal group is referred to as true negative, and in fact, to belong to the normal group but belonged to the abnormal group. The case is called a false positive and the case in which it is actually determined to belong to an abnormal group but is incorrectly regarded as a normal group is called a false negative.

Now, to determine how accurate the detection is based on the results obtained, we define the correct detection probability and miss detection probability as follows.

Here, | FP |, | FN |, | TP |, and | TN | represent false positive, false negative, true positive, and true negative, respectively. By applying the detection process to 288 traffics on a specific day, the results are shown in Table 2.

Table 2

When looking through the school computer server providing the information of abnormal traffic, it was found that there were 108 normal traffics and 180 abnormal traffics on July 2, which is a specific day considered in the present invention. On the other hand, when this traffic was applied to the hyperplane obtained in the present invention, 103 normal traffics and 185 abnormal traffics were detected.

Table 2 shows the results of the detection rate and the false detection rate. As shown in Table 2, a false detection rate of 3% occurred, and this false detection rate was considered to be an error in dividing traffic groups due to a very small difference in flow volume.

In order to examine the performance of the detection scheme proposed by the present invention, a technique (1) (KH Ramah, H. Ayari, and F. Kamoun, "Traffic Anomaly Detection and Characterization in the Tunisian National University Network) , "in Proc. NETWORKING 2006, LNCS 3976, pp. 136-147, May 2006.].

Although the experimental data does not completely match, the technique (1) detected abnormal traffic using the Tunisian National University Network (TNUN). To this end, the technique (1) collected data from the campus network periodically for 45 days and developed Anomaly Detection System (ADS).

Collects network traffic traces through the Management Information Base (MIB) from the central firewall of TNUN. The collected results are used to calculate inter-anomaly time distribution and anomaly duration distribution to detect abnormal traffic within 5 minutes. Although not the same experimental data, the traffic of TNUN used experimental data almost similar to the experimental data used in the present invention.

As a result of the experiment, it can be seen that the detection rate of about 90% under the same detection situation considered in the present invention. That is, when compared with this result, it can be seen that the technique in the present invention is about 7% superior.

As described above, in the present invention, the traffic vector and the traffic group are defined, and when the new traffic data is generated using the optimized hyperplane obtained by the Fisher linear classification method, it is determined which group the data belongs to. The method proposed in the present invention was able to detect the traffic abnormality more simply and accurately in real time than the conventional method.

In addition, by periodically reflecting the traffic trends, new ideal phenomena could be detected.

FIG. 1 is a system diagram for implementing an abnormal traffic detection method using the inventor's linear classification method.

2 is a flowchart of a method for detecting abnormal traffic using the linear classification method according to the present invention.

3 is a characteristic graph of bandwidth capacity applied in the present invention.

Figure 4 is a daily data distribution of the bandwidth capacity applied to the present invention.

5 is a distribution diagram of bandwidth capacity of data collected for 30 days according to the present invention.

6 is a graph showing a hyperplane applied to the present invention.

7 is an exemplary diagram of abnormal traffic observed by the monitoring server according to an embodiment of the present invention.

8 is a comparison of an existing hyperplane with an updated hyperplane.

Claims (5)

After collecting traffic from a router at a specific period for a specific collection period, traffic vectors consisting of a plurality of components representing the characteristics of each collected traffic are generated, and the traffic vectors are used as data to obtain a normal using Fisher linear classification. A first step of forming a hyperplane that can be classified into a group and an abnormal group; A second step of, after forming the hyperplane, determining that the incoming traffic is a normal group if the incoming traffic is located in the lower area including the plane of the hyperplane, and determining the abnormal group if the incoming traffic is located in the upper area of the hyperplane; A third step of determining whether a preset update period has been reached after the determination; As a result of the determination, when the update period is reached, the oldest traffic vectors collected during the period corresponding to the update period are discarded, new traffic planes are formed by including the newly generated traffic vectors during the update period, and then the second hyperplane is generated. The abnormal traffic detection method using the fischer linear classification method comprising the step of returning to the step. The method according to claim 1, The component of each traffic vector is an abnormal traffic detection method using the fischer linear classification method, characterized in that the capacity of the bandwidth (flow), the capacity of the flow (flow) and the capacity of the packet (packet). The method according to claim 2, The distribution during the collection period for each component of the traffic vector follows a chi-square distribution, and if at least one of each component corresponds to the top 4% to 6%, it is classified into an abnormal group. , If the capacity of all the components do not fall in the top 4% to 6% abnormal traffic detection method using the Fisher linear classification method characterized in that the classification to the normal group. The method of claim 3, The chisquare distribution is abnormal traffic detection method using the Fischer linear classification, characterized in that the collection period. The method according to claim 1, And the hyperplane is a plane perpendicular to a normal vector and passing through a total average point including the normal group and the abnormal group.

Images