
Title: Research on Distributed Stealthy Traffic Anomaly Detection Methods in Backbone Network

Author: 李宗林 (Li Zonglin)

Advisor: 胡光岷 (Hu Guangmin)

Author details: University of Electronic Science and Technology of China (电子科技大学), Communication and Information Systems, 2010, PhD

Abstract (translated from the Chinese original): With the rapid development of network communication technology, the bandwidth of backbone communication networks keeps increasing and the information they carry grows ever more diverse, so the network management problems caused by anomalous traffic become more and more complex. Distributed traffic anomalies are anomalous flows that arise from a common cause and are present on multiple links at the same time, such as distributed denial-of-service attacks, worm propagation, flash crowds and abnormal network operations. On any single link such traffic is hidden beneath the enormous background traffic of the backbone network and is hard to detect, yet the aggregate over many links is striking and can cause a sharp drop in network performance, seriously disrupting normal operation. Detecting distributed stealthy traffic anomalies is foundational work for securing communication networks, is of great importance for improving the emergency response capability of communication network systems, and is a frontier scientific problem that both academia and industry in the global network security field are concerned with. Building on a systematic analysis of existing traffic anomaly detection methods, this thesis takes full account of the distinct temporal and spatial characteristics of distributed stealthy traffic anomalies, combines statistical analysis, signal processing and other techniques, and proposes several detection methods from different perspectives. The main research results are as follows:

1. A single-link traffic anomaly detection method based on a cascade model. The model parameters are estimated with the wavelet transform, and a quantitative scheme is designed to measure the influence of anomalous traffic on the model estimate. The method effectively detects weak anomalous flows and flows that do not noticeably change the self-similarity Hurst parameter, and is especially effective in the early stage of an anomaly. Compared with detection methods based on self-similar models, it detects weak anomalies of lower amplitude.

2. A network-wide correlation detection method for distributed stealthy traffic anomalies. A fast sliding-window algorithm for instantaneous parameters is first proposed to obtain the instantaneous frequency and instantaneous amplitude of the traffic signal quickly; estimates of the instantaneous parameters are obtained by time-series model prediction, and the difference between the observed and estimated instantaneous parameters is defined as the anomaly space; finally, stealthy anomalies distributed over different links are detected from the correlation among anomaly spaces. The method has higher statistical detection performance than existing methods, is more sensitive to low-amplitude distributed anomalies, and avoids the shortcoming of existing network-wide principal component analysis, which cannot detect correlated anomalies.

3. A multi-scale detection method for distributed stealthy traffic anomalies based on single-node information. For the different links of a single node, multi-scale analysis first adaptively detects the frequency bands of the traffic signal that may contain anomalies; those bands are reconstructed to generate a per-link anomaly feature signal. The anomaly feature values of multiple links at the same instant are then treated as a point in a high-dimensional space, and the degree of anomaly is evaluated by kernel density estimation. Detection results on simulated data show that the method can detect very small anomalous traffic on a single link and outperforms existing methods.

4. A method that detects distributed stealthy traffic anomalies directly from link traffic data. Instead of the two-step scheme of traditional OD-flow-based methods, which first infer OD flows from link traffic and then compute network-level characteristic parameters from the OD flows, a recurrent multilayer perceptron neural network computes OD-flow-level characteristic parameters directly from link traffic. This avoids the error that traditional methods introduce when inverting link traffic into OD flows; compared with detection methods in the literature based on direct and indirect measurements respectively, the proposed method achieves better detection results.

Abstract (original English version): With the rapid development of network communication technology, bandwidth in backbone networks continues to grow, the information carried by the network becomes more and more diverse, and the network management problems caused by anomalous traffic become more and more complex. A distributed network traffic anomaly is abnormal traffic behaviour caused by the same source on many links of the network, e.g. DDoS (Distributed Denial of Service), worm propagation, flash crowds and network failures. Usually a distributed traffic anomaly shows no obvious features on any single link: compared with the background traffic of a backbone network the anomalous traffic may be stealthy and hard to detect, whereas the sum of the anomalous traffic over many links can be overwhelming, seriously degrading network performance and harming normal operation. Accurate detection of distributed stealthy traffic anomalies is the groundwork of network security and of great significance for enhancing the emergency response capability of communication network systems; it is also a cutting-edge scientific issue of common concern to the network security field in both academia and industry.

In this thesis we first review existing traffic anomaly detection methods systematically, then develop several detection methods from different points of view by exploiting the temporal and spatial characteristics of distributed stealthy traffic anomalies together with statistical analysis and signal processing techniques. The innovative contributions of this thesis are as follows:

1. A temporal detection method for network traffic anomalies based on a cascade model. By studying the influence of anomalous traffic on the estimation of the cascade model through wavelet transform modulus maxima, a quantitative scheme is devised to measure the impact of an anomaly on the cascade model of normal behaviour. The method is more sensitive to small anomalous traffic and can accurately detect anomalies that do not change the Hurst parameter noticeably, which makes it advantageous for early-stage detection. Compared with methods based on self-similar models, our method can detect anomalies of lower volume.

2. A network-wide correlation analysis method against distributed stealthy traffic anomalies. A fast sliding-window algorithm for instantaneous parameters is proposed to speed up the computation of the instantaneous frequency and instantaneous amplitude of the traffic signal. Estimates of the instantaneous parameters are obtained by time-series model prediction, the anomalous space is defined as the difference between the observed and estimated instantaneous parameters, and correlation analysis among the anomalous spaces then reveals stealthy anomalies distributed over different links. Evaluation demonstrates that this method has higher statistical detection performance, is more sensitive to small anomalies on a single link, and overcomes the limitation of network-wide PCA (Principal Component Analysis), which fails to detect strongly correlated anomalies.

3. A multi-scale spatial detection method for distributed stealthy traffic anomalies based on information from a single node. It first performs multi-scale wavelet packet analysis separately on the multiple links of a single node to find the abnormal frequency ranges in different time sections and reconstruct signals carrying the anomalous features. Points in a high-dimensional space are then formed from the anomalous features of the different links at the same instant, and the deviation of these vectors of reconstructed features is evaluated by kernel density estimation. Simulation results show that our method can detect small anomalies on an individual link and performs better than existing distributed detection methods.

4. A direct detection method against distributed stealthy traffic anomalies using link measurements. Unlike traditional OD (Origin-Destination) based detection methods, which usually involve two steps, first inferring OD flows from link measurements and then computing network-level characteristic parameters from the inferred OD flows, the proposed direct method uses a recurrent multilayer perceptron neural network to obtain OD-level characteristic parameters directly from link traffic. The benefit is that the inference error incurred by OD-based methods during traffic matrix estimation is avoided. In simulation we compare detection results from existing direct- and indirect-measurement methods with ours, and show that our method allows distributed traffic anomaly detection from directly available measurements and solves the inference-error problem of OD-based methods.
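The following is an added toy illustration of items 2 and 3 of the abstract (a per-link "anomaly space" of prediction residuals, and the joint scoring of all links' features at one instant by kernel density estimation); it is not code from the thesis. The wavelet and instantaneous-parameter steps are omitted, a median-of-window baseline stands in for the thesis's time-series predictor, and the four-link traffic data are constructed so that a small surge shared by all links stays inside each link's normal residual range.

```python
"""Added toy example, not from the thesis: per-link prediction residuals
("anomaly space") scored jointly across links with a Gaussian kernel density
estimate (KDE). All traffic data below are constructed."""
import math
from statistics import median, pstdev

LINKS, WINDOW, HORIZON = 4, 8, 32
ANOMALY_T, ANOMALY_AMP = 28, 0.8   # one small surge at ANOMALY_T, same on every link
# Background jitter: cyclic shifts of (1,-1,0,0) and its negation, so each link
# wobbles by +-1 while a link-wide surge points where normal data never goes.
_BASE = [(1, -1, 0, 0), (-1, 1, 0, 0)]

def _jitter(t, k):
    return _BASE[(t // 4) % 2][(k - t) % 4]

def build_links():
    """Per-link volumes (arbitrary units) with a coordinated surge injected."""
    links = []
    for k in range(LINKS):
        series = [100.0 + _jitter(t, k) for t in range(HORIZON)]
        series[ANOMALY_T] += ANOMALY_AMP
        links.append(series)
    return links

def anomaly_space(links, t):
    """Residual vector at instant t: observation minus a baseline prediction (the
    median of the previous WINDOW samples stands in for a time-series model)."""
    return [s[t] - median(s[t - WINDOW:t]) for s in links]

def kde_density(point, samples, bandwidth=1.0):
    """Gaussian-kernel density of `point` from `samples`, up to the kernel constant."""
    h2 = 2.0 * bandwidth ** 2
    return sum(math.exp(-sum((p - q) ** 2 for p, q in zip(point, s)) / h2)
               for s in samples) / len(samples)

def detect(links, train_end=ANOMALY_T - 4):
    """Return (single-link alarms, network-wide alarms); [WINDOW, train_end) trains both."""
    feats = {t: anomaly_space(links, t) for t in range(WINDOW, HORIZON)}
    train = [feats[t] for t in range(WINDOW, train_end)]
    # Single-link rule: residual beyond 3 sigma of that link's training residuals.
    sigma = [pstdev([v[k] for v in train]) for k in range(LINKS)]
    single = [t for t, v in feats.items() if t >= train_end
              and any(abs(v[k]) > 3 * sigma[k] for k in range(LINKS))]
    # Network-wide rule: joint density below the lowest leave-one-out density of
    # any training point, i.e. the point lies where normal operation never did.
    floor = min(kde_density(v, train[:i] + train[i + 1:]) for i, v in enumerate(train))
    joint = [t for t, v in feats.items() if t >= train_end
             and kde_density(v, train) < floor]
    return single, joint   # constructed case yields ([], [28])
```

Per link the surge leaves every residual below the 3-sigma threshold, so the single-link rule stays silent; jointly, the residual vector lands in a region of R^4 that the training data never occupied, so the KDE rule flags instant 28.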
