
Network Anomaly Detection System Based on Wavelet Analysis

【Author】 朱士瑞

【Supervisor】 许晓东

【Author information】 江苏大学 (Jiangsu University), Computer Application Technology, 2007, Master's thesis

【Abstract (translated from the Chinese)】 This thesis examines large-scale network traffic from a macroscopic perspective: packets are aggregated into flows at a given sampling rate and then mapped onto a discrete time axis in units of byte count, flow count or packet count. The resulting series is essentially a non-stationary time series with periodicity, trend, randomness and seasonal fluctuation. As network applications grow richer and the number of users increases, security becomes ever more important, and anomaly detection based on macroscopic traffic has become a research focus. The thesis surveys the existing models of non-stationary network traffic and the practical anomaly detection methods, summarizing the level at which each applies and their respective strengths and weaknesses. On this basis it proposes combining traditional statistics-based anomaly handling with signal processing: traffic is treated as a signal, and statistical and signal-processing methods such as wavelet analysis and scalogram analysis are used to locate and detect anomalies. It also classifies the common network anomalies and analyses how each manifests mathematically and in the signal, so that detection results can be used to categorize anomalies. Detection is considered from both a qualitative and a quantitative angle. The qualitative analysis starts from modelling network traffic and uses several parameters that describe a model's singularities, namely the Lipschitz exponent (reflecting regularity), the Hurst exponent (reflecting self-similarity) and the fractal dimensions corresponding to different Lipschitz exponents, seeking a correspondence between the trajectories of these parameters and the appearance of anomalies so that the anomalies can be detected. The quantitative analysis instead quantifies the singular phenomena without human judgement: a sequence of statistical and signal analyses, mainly energy-ratio distribution analysis, multi-level wavelet decomposition and deviation values, eventually makes the anomalies stand out, and on this basis an automatic online real-time anomaly detection system was built. The factors affecting a network are too many and too complex, even extending to fluctuations in user behaviour, so perfect detection cannot be achieved by any single method or means. The thesis therefore approaches anomaly detection from different angles with different techniques, attempting to build a complete anomaly detection framework; the two factors by which an anomaly detection system is judged, the false positive rate and the false negative rate, are the sole criteria used to evaluate our system. Four traffic segments containing anomalies are analysed, and the experimental results show that the detection and highlighting of anomalies is effective. Because both the qualitative and the quantitative detection take wavelet analysis as the basis of their algorithms, the system is in fact a network anomaly detection system based on wavelet analysis.

【Abstract】 This paper inspects the traffic of a large-scale network from a macroscopic perspective. We aggregate packets into flows at a certain sampling rate and map them onto a discrete time axis with bytes, flows or packets as the ordinate. The result is essentially a non-stationary time series with periodicity, trend, randomness, seasonal fluctuations and other characteristics. Along with the rich network applications and the increasing number of network users, security issues are becoming more and more important. Correspondingly, network anomaly detection based on flows from a macroscopic point of view has become the focus of research. This paper studies various existing models of non-stationary network traffic as well as practical methods of anomaly detection, and summarizes their applications, advantages and disadvantages. This paper regards flow aggregation as a signal and combines statistical and signal processing methods, such as wavelet analysis and scalogram analysis, to locate and detect anomalies. This paper also gives a classification of network anomalies and analyzes their manifestations in mathematics and in the signal, which can be used to classify the results of anomaly detection. This paper mainly studies anomaly detection from the qualitative and quantitative perspectives. Qualitative analysis of anomaly detection focuses on models of network traffic and their parameters, which describe the singular characteristics of traffic, such as the Lipschitz exponent, the Hurst exponent and the fractal dimension. This paper tries to identify the relationship between the changing trace of these parameters and the presence of anomalies, which can be used to detect anomalies. Quantitative analysis focuses on quantifying the singular phenomenon. Through a series of statistical analyses and signal processing steps, such as energy ratio distribution analysis, multi-level wavelet decomposition and the deviation value, this paper establishes an automatic on-line real-time anomaly detection system, which can highlight and detect anomalies without human judgment. The network is affected by too many complicated factors, even the volatility of network users. It is not possible to achieve perfect anomaly detection through only one method or one means. This paper studies the algorithms of anomaly detection from different perspectives and with different methods, trying to build a comprehensive system of anomaly detection. This system is evaluated by two factors, the false positive rate and the false negative rate, which are the only criteria. This paper experiments on four traffic flow samples that contain anomalies. The results show that the system is effective in detecting and highlighting anomalies. In this paper, both qualitative and quantitative detection of anomalies are based on wavelet analysis, so the system can be called a "Network Anomaly Detection System Based on Wavelet Analysis".
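The quantitative route the abstract names (multi-level wavelet decomposition, detail-energy ratio and a deviation value that needs no human judgement) can be illustrated on a constructed traffic series. The Python below is an added example written for this page, not code from the thesis; the packets-per-interval series, the Haar basis, the window size, the robust median/MAD scale and the threshold k are all assumptions chosen for illustration.

```python
import math
import random


def haar_dwt(x):
    """One level of the orthonormal Haar transform: (approximation, detail).
    len(x) must be even; coefficient j covers samples 2j and 2j+1."""
    a = [(x[i] + x[i + 1]) / math.sqrt(2) for i in range(0, len(x), 2)]
    d = [(x[i] - x[i + 1]) / math.sqrt(2) for i in range(0, len(x), 2)]
    return a, d


def multilevel_haar(x, levels):
    """Multi-level decomposition: returns (coarsest approximation, [d1, ..., dL])."""
    details, a = [], list(x)
    for _ in range(levels):
        a, d = haar_dwt(a)
        details.append(d)
    return a, details


def detail_energy(x, levels):
    """Energy held in the detail (high-frequency) levels of x (Parseval holds for Haar)."""
    _, details = multilevel_haar(x, levels)
    return sum(c * c for d in details for c in d)


def deviation_scores(series, window, levels):
    """Per-window detail energy turned into a deviation value
    (energy - median) / (1.4826 * MAD), robust to the anomalous window itself."""
    energies = [detail_energy(series[s:s + window], levels)
                for s in range(0, len(series) - window + 1, window)]
    med = sorted(energies)[len(energies) // 2]
    mad = sorted(abs(e - med) for e in energies)[len(energies) // 2]
    scale = 1.4826 * mad or 1.0  # assumed robust scale; guard against zero MAD
    return [(e - med) / scale for e in energies]


def highlight_anomalies(series, window=16, levels=2, k=6.0):
    """Indices of windows whose deviation value exceeds the assumed threshold k."""
    return [i for i, s in enumerate(deviation_scores(series, window, levels)) if s > k]


def constructed_traffic():
    """Constructed packets-per-interval series (not real data): a periodic baseline
    plus Gaussian noise, with a short burst injected at intervals 149..152 (window 9)."""
    rng = random.Random(7)
    x = [1000 + 300 * math.sin(2 * math.pi * t / 64) + rng.gauss(0, 20) for t in range(256)]
    for t in range(149, 153):
        x[t] += 2000
    return x


if __name__ == "__main__":
    print(highlight_anomalies(constructed_traffic()))  # expected: [9]
```

The slow periodic component lands almost entirely in the approximation, so a burst shows up as a detail-energy jump in exactly one window while the other windows stay near the median.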

  • 【Online publisher】 江苏大学 (Jiangsu University)
  • 【Online publication issue】 2007, No. 05
  • 【Classification number】 TP393.08
  • 【Citation count】 1
  • 【Download count】 247