
CN1996888A - A detection method and detection device for exceptional network traffic - Google Patents


Info

Publication number
CN1996888A
Authority
CN
China
Prior art keywords
detection
wavelet packet
signal
module
alarm threshold
Prior art date
Legal status
Granted
Application number
CN 200610168173
Other languages
Chinese (zh)
Other versions
CN100486179C (en)
Inventor
胡光岷
高军
姚兴苗
杨松
李宗林
Current Assignee
Huawei Technologies Co Ltd
University of Electronic Science and Technology of China
Original Assignee
Huawei Technologies Co Ltd
University of Electronic Science and Technology of China
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd and University of Electronic Science and Technology of China
Priority to CNB200610168173XA
Publication of CN1996888A
Application granted
Publication of CN100486179C
Legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a detection method and a detection device for network traffic anomalies. The proposed detection method takes into account the multi-scale nature of traffic anomaly signals and decomposes the signal adaptively according to the frequency characteristics of the anomaly itself. A double-threshold decision mechanism is used: only frequency bands whose detection parameter lies below the alarm threshold but above the decomposition threshold are decomposed further, which improves the flexibility of detection. In addition, bands found to be anomalous can be adaptively reconstructed and subjected to a confirmation anomaly detection, which improves the reliability of detection. The invention also proposes an adaptive window adjustment mechanism based on the frequency characteristics of the anomalous traffic, which overcomes the blindness of traditional methods that choose the time window size from empirical statistics. The proposed detection device comprises a wavelet packet transform module and an initial anomaly detection module, and may further comprise a wavelet packet reconstruction module and a confirmation anomaly detection module. The invention has the same detection capability for anomalies in every frequency band and thus achieves comprehensive and accurate detection.

Description

A detection method and detection device for network traffic anomalies

Technical field

The present invention relates to a detection method and a detection device for network traffic anomalies, and in particular to a method and device that use the wavelet packet transform for multi-scale detection of network traffic anomalies.

Background

A network traffic anomaly is a situation in which the traffic behaviour of a network deviates from its normal behaviour. The causes are varied: malfunctioning network equipment, abnormal network operations, flash crowds, network intrusions and so on. Anomalous traffic starts suddenly, has no known precursor, and can do great harm to the network or to the computers on it within a short time (for example the burst traffic caused by a specific attack program or a worm outbreak). Detecting anomalous traffic behaviour accurately and quickly, and responding to it sensibly, is therefore one of the prerequisites for keeping a network running effectively. Traditional network security technology concentrates on host intrusion detection, anti-virus software or firewalls for enterprise networks. Such measures usually cannot detect abnormal traffic and behaviour in an operator's network, and even within an enterprise network many kinds of abnormal behaviour and traffic are hard to detect and identify accurately. To detect anomalous traffic in time and to reduce or eliminate the harm suffered by users, network, routing and switching equipment needs to be able to detect and identify anomalous traffic and to apply intervention rules, such as blocking the traffic on certain ports or reducing the bandwidth available to a given port or address, so that the illegitimate traffic is throttled or dropped.

Usually the data traffic through a router, and in particular a backbone router, is very large and constantly changing, while anomalous traffic is very small relative to the normal traffic, and often small even relative to the variation of the normal traffic. The ultimate goal of a traffic anomaly detection algorithm is to find this relatively small anomalous traffic inside relatively large and constantly changing normal traffic (a needle in a haystack) while meeting real-time requirements. The design and implementation of such a system is therefore very difficult, which is why anomalous traffic detection has become a frontier topic of common interest to academia and industry.

As an emerging technology it has received a great deal of attention from researchers abroad in recent years; since 2002 in particular a large number of articles have appeared in journals and at conferences, the great majority of them dealing with the detection of DDoS attacks. They can be grouped into rule-based methods (see literature [1], L. Lewis and G. Dreo, "Extending trouble ticket systems to fault diagnosis," IEEE Network, vol. 7, pp. 44-51, Nov. 1993; literature [2], L. Lewis, "A case based reasoning approach to the management of faults in communication networks," in Proc. IEEE INFOCOM, vol. 3, San Francisco, CA, Mar. 1993, pp. 1422-1429), finite state machine methods (see literature [3], I. Katzela and M. Schwarz, "Schemes for fault identification in communication networks," IEEE/ACM Trans. Networking, vol. 3, pp. 753-764, Dec. 1995; literature [4], I. Rouvellou and G. Hart, "Automatic alarm correlation for fault identification," in Proc. IEEE INFOCOM, Boston, MA, Apr. 1995, pp. 553-561), pattern matching methods (see literature [5], F. Feather and R. Maxion, "Fault detection in an ethernet network using anomaly signature matching," in Proc. ACM SIGCOMM, vol. 23, San Francisco, CA, Sept. 1993, pp. 279-288; literature [6], S. Papavassiliou, M. Pace, A. Zawadzki, and L. Ho, "Implementing enhanced network maintenance for transaction access services: Tools and applications," Proc. IEEE Int. Contr. Conf., vol. 1, pp. 211-215, 2000), statistical analysis methods (see literature [7], Marina Thottan and Chuanyi Ji, "Anomaly Detection in IP Networks," IEEE Transactions on Signal Processing, vol. 51, no. 8, August 2003; literature [8], Chen-Mou Cheng, H. T. Kung, Koan-Sin Tan, "Use of Spectral Analysis in Defense Against DoS Attacks," Proceedings of IEEE GLOBECOM 2002), Hurst coefficient analysis methods (see literature [9], William H. Allen and Gerald A. Marin, "On the Self-similarity of Synthetic Traffic for the Evaluation of Intrusion Detection Systems," Proceedings of the 2003 Symposium on Applications and the Internet (SAINT'03); literature [10], Xiang Yu, "Research on IP Network QoS and Security Technology," doctoral dissertation, University of Electronic Science and Technology of China, 2003), subspace methods (see literature [11], A. Lakhina, M. Crovella, and C. Diot, "Diagnosing Network-Wide Traffic Anomalies," in ACM SIGCOMM, Portland, August 2004; literature [12], A. Lakhina, K. Papagiannaki, M. Crovella, C. Diot, E. D. Kolaczyk, and N. Taft, "Structural Analysis of Network Traffic Flows," in ACM SIGMETRICS, New York, June 2004; literature [13], A. Lakhina, M. Crovella, and C. Diot, "Characterization of Network-Wide Anomalies in Traffic Flows," Technical Report BUCS-2004-020, Boston University, 2004) and wavelet analysis methods (see literature [14], V. Alarcon-Aquino and J. A. Barria, "Anomaly Detection in Communication Networks Using Wavelets," IEEE Proc. Commun., vol. 148, no. 6, December 2001; literature [15], P. Barford, J. Kline, D. Plonka, and A. Ron, "A signal analysis of network traffic anomalies," in Proceedings of the ACM SIGCOMM Internet Measurement Workshop, Marseille, France, November 2002; literature [16], P. Barford and D. Plonka, "Characteristics of network traffic flow anomalies," in Internet Measurement Workshop, 2001; literature [17], Seong Soo Kim and A. L. Narasimha Reddy, "Detecting Traffic Anomalies at the Source through aggregate analysis of packet header data," http://dropzone.tamu.edu/techpubs/2003/TAMU-ECE-2003-03.pdf; literature [18], Lan Li and Gyungho Lee, "DDoS Attack Detection and Wavelets," Computer Communications and Networks, 2003, ICCCN 2003, Proceedings of the 12th International Conference on, 20-22 Oct. 2003, pages 421-427; literature [20], Anu Ramanathan, "WADeS: A Tool for Distributed Denial of Service Attack Detection," TAMU-ECE-2002-02, Master of Science Thesis, August 2002). Almost all data from real networks is inherently multi-scale (see literature [19], B. R. Bakshi, "Multi-scale analysis and modeling using wavelets," Journal of Chemometrics, 13(3), 1999), and the time-varying signal of normal network traffic and that of anomalous traffic necessarily occupy different frequency ranges: background traffic is generally wide-band, whereas anomalous traffic occupies a comparatively narrow band. The wavelet transform acts like a mathematical microscope: it magnifies the details of a signal and extracts signal features at any time and frequency, so it is well suited to detecting transient anomalies embedded in a normal signal and exposing their components.

Among anomalous traffic detection methods based on wavelet analysis, V. Alarcon-Aquino et al. proposed in 2001 an algorithm based on the UDWT (undecimated discrete wavelet transform) and Bayesian analysis (see literature [14]). That algorithm can detect and locate slight changes in the variance and frequency of a given time series, but the scales it selects are limited and the algorithm is complicated. Anu Ramanathan then proposed the wavelet-based WADeS (Wavelet based Attack Detection Signatures) mechanism (see literature [20]) for detecting DDoS attacks: the traffic signal is wavelet-transformed and the variance of the wavelet coefficients is computed directly to locate the attack point. This method has no real-time detection capability. At the same time, P. Barford et al. proposed decomposing the network traffic with a multi-scale dyadic wavelet, reconstructing it into high, medium and low frequency bands, and checking each band with a deviation score (see literature [15]). Building on the previous two, Seong Soo Kim et al. proposed a technique that detects traffic anomalies by analysing the destination IP addresses of the egress traffic at a border router (see literature [17]); it can examine egress traffic offline or in real time, but because it is based on multi-resolution analysis it does not have the same detection capability for anomalies at all frequencies. Others include a wavelet-based energy distribution method proposed by Lan Li (see literature [18]) for detecting DDoS attacks; that study found that the variance of the energy distribution shows obvious "spikes" when the traffic is affected by a DDoS attack.

The technical scheme described in literature [15] is introduced in more detail below; it consists of two parts:

(1) Wavelet analysis module

A chosen wavelet is used to decompose the time series signal by multi-resolution analysis (MRA); different scales are then selected and reconstructed into three bands, high, medium and low frequency, and the signals of these three bands are passed to the detection module. The high, medium and low frequency parts represent anomalous traffic signals of short, medium and long duration respectively.

(2) Detection module

The detection algorithm used by the detection module is the deviation score algorithm.

First, the variance of each of the low, medium and high frequency bands to be examined is normalized to one. Then the variance of the data of each band falling within a sliding window of a predetermined size is computed, giving the deviation score of that band. The size of these sliding windows depends on the time scale of the anomalies one wants to capture. If t0 denotes the duration of the anomaly and t1 the size of the sliding window, then ideally q = t0/t1 ≈ 1. If the ratio q is too small, the detected anomaly becomes blurred or is even lost; if it is too large, one may be swamped by so-called "anomalies" that are of no interest and fail to find the ones that really matter. When choosing t1, therefore, the ratio q should generally be brought close to 1, and the sliding window sizes of the high, low and medium frequency bands are generally different. Next, the deviation scores of the three bands computed in the previous step are combined with a weighted sum to produce a combined deviation score signal. Finally, whether an anomaly has occurred is decided by checking whether the combined deviation score exceeds a given threshold.
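The prior-art scheme just described (MRA into three bands, per-band deviation score in a sliding window, weighted sum, fixed threshold), as an added example that is not code from the patent or from literature [15]. A Haar wavelet is assumed for the multi-resolution analysis; the high, medium and low bands are taken from detail levels 1-2, 3-4 and the level-4 approximation; the window sizes, weights, threshold and the packets-per-interval series are constructed for illustration only.

```python
# Added example (not part of the patent): the prior-art detection scheme of
# literature [15] as described above, with a Haar wavelet assumed for the MRA.
import math
import statistics

SQRT2 = math.sqrt(2.0)


def haar_split(x):
    """One Haar analysis step: (approximation, detail), each half the length of x.
    len(x) must be even."""
    approx = [(x[i] + x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    return approx, detail


def haar_merge(approx, detail):
    """Exact inverse of haar_split."""
    out = []
    for a, d in zip(approx, detail):
        out.extend([(a + d) / SQRT2, (a - d) / SQRT2])
    return out


def mra(signal, levels):
    """Dyadic multi-resolution analysis: only the approximation is split again at
    each level. Returns (approximation at the last level, [d1, ..., dJ])."""
    approx, details = list(signal), []
    for _ in range(levels):
        approx, d = haar_split(approx)
        details.append(d)
    return approx, details


def reconstruct_band(approx, details, keep_levels, keep_approx=False):
    """Rebuild a time-domain band from a subset of detail levels (1-based);
    every other coefficient is zeroed before the inverse transform."""
    cur = list(approx) if keep_approx else [0.0] * len(approx)
    for level in range(len(details), 0, -1):
        d = details[level - 1]
        cur = haar_merge(cur, d if level in keep_levels else [0.0] * len(d))
    return cur


def deviation_score(band, window):
    """Normalize the band to unit variance, then take the variance inside a
    trailing sliding window of the given size (the per-band deviation score)."""
    sd = statistics.pstdev(band)
    if sd == 0:
        return [0.0] * len(band)
    norm = [v / sd for v in band]
    return [statistics.pvariance(norm[max(0, i - window + 1):i + 1])
            for i in range(len(norm))]


def combined_score(signal, levels=4, windows=(8, 16, 32), weights=(1.0, 1.0, 1.0)):
    """Weighted sum of the high (levels 1-2), mid (levels 3-4) and low
    (approximation) band scores; the band/window split is this example's choice."""
    approx, details = mra(signal, levels)
    bands = (reconstruct_band(approx, details, {1, 2}),
             reconstruct_band(approx, details, {3, 4}),
             reconstruct_band(approx, details, set(), keep_approx=True))
    scores = [deviation_score(b, w) for b, w in zip(bands, windows)]
    return [sum(w * s[i] for w, s in zip(weights, scores)) for i in range(len(signal))]


def detect(signal, threshold):
    """Indices whose combined deviation score exceeds the fixed threshold."""
    return [i for i, s in enumerate(combined_score(signal)) if s > threshold]


def constructed_signal(burst=True):
    """Constructed packets-per-interval series (256 intervals): about 100 with a
    small ripple, plus a +200 burst over intervals 163..178 when burst=True."""
    x = [100.0 + 5.0 * math.sin(2 * math.pi * n / 7) for n in range(256)]
    if burst:
        for n in range(163, 179):
            x[n] += 200.0
    return x


if __name__ == "__main__":
    hits = detect(constructed_signal(), threshold=6.0)
    print("flagged intervals:", hits[:5], "...", hits[-5:])
```

Because every band is normalized to unit variance before the windowed variance is taken, a band whose energy is spread evenly scores about 1 everywhere, while a burst concentrated in one window scores far higher; the fixed threshold is exactly the weakness listed under disadvantage (4) below, since it has to be retuned whenever the traffic mix changes.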

The above technical scheme has the following disadvantages:

(1) The algorithm is based on multi-resolution analysis with the dyadic wavelet transform and does not further decompose the high-frequency detail part, so high-frequency anomalies cannot be detected well.

(2) The algorithm requires a wavelet transform, and the transform itself costs system resources, which inevitably affects the real-time performance of the detection algorithm.

(3) The method given for choosing the sliding window size is based on the duration of the anomalous signal, but in practice the duration of an anomaly cannot be known in advance, so the proposed way of choosing the window size is not very practical in real detection.

(4) The algorithm offers no adaptive way of choosing the threshold; it uses a fixed empirical value as the decision threshold, which cannot adapt as the traffic changes.

In general, most of the wavelet-based anomaly detection methods in the prior art suffer from the following three defects:

(1) Anomaly detection is not comprehensive: it works well for low-frequency anomalies and poorly for high-frequency ones. All the detection algorithms are built on multi-resolution analysis, which can pick out small high-frequency anomalies because the low-frequency components make up the larger share of network traffic, but many medium-frequency anomalies are easily missed;

(2) Anomaly detection is not reliable enough: an anomaly may be spread over several non-adjacent frequency bands, so the result obtained at a single scale is not very reliable;

(3) The detection time window is hard to determine: usually the same window size is used at every scale, and the window is not chosen according to the characteristics of the anomalous signal itself.

Summary of the invention

The purpose of the present invention is to address the above deficiencies of the prior art by providing a detection method and detection device for network traffic anomalies that perform multi-scale wavelet packet decomposition adaptively through a double-threshold mechanism, so as to improve the comprehensiveness, flexibility and reliability of anomaly detection.

A further object of the present invention is to provide a detection method and detection device for network traffic anomalies that further reduce the false detection rate through a confirmation anomaly detection mechanism.

To achieve the above objects, the present invention provides a method for detecting network traffic anomalies, comprising the following steps:

Step 1. Sample the network traffic to generate a traffic signal;

Step 2. Perform wavelet packet decomposition on the traffic signal to generate wavelet packet coefficients for multiple frequency bands;

Step 3. Use a statistical algorithm to perform initial anomaly detection on the wavelet packet coefficients of each band produced by the decomposition and generate detection parameters, then compare the detection parameters with a preset alarm threshold and a preset decomposition threshold. If any detection parameter is greater than the alarm threshold, the signal is confirmed as anomalous; if any detection parameter is less than the alarm threshold but greater than the decomposition threshold, the band corresponding to that detection parameter is decomposed one more wavelet packet level and step 3 is repeated.

In the above scheme, confirming the signal as anomalous when a detection parameter exceeds the alarm threshold may specifically consist of:

Step 4. Reconstruct the wavelet packet coefficient sequence of the band whose detection parameter exceeds the alarm threshold;

Step 5. Perform confirmation anomaly detection on the reconstructed signal and compare the resulting detection parameter with the preset alarm threshold; if it exceeds the alarm threshold, the signal is confirmed as anomalous.
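Steps 2 to 5 above carried through on a sampled traffic signal, as an added example that is not the patent's own code. A Haar wavelet is assumed for the wavelet packet transform, the detection parameter is a deviation-score style statistic (largest sliding-window variance of the unit-variance band), both children of a band are examined at every level (the patent itself starts the packet decomposition from the (0, π/2) band), and the window rule, both thresholds, the maximum depth and the packets-per-interval series are constructed for illustration only.

```python
# Added example (not the patent's own code): the double-threshold wavelet packet
# method of steps 1-5, with a Haar wavelet assumed and both children of a band
# examined at every level.
import math
import statistics

SQRT2 = math.sqrt(2.0)


def haar_split(x):
    """One Haar step: (low band, high band), each half the length of x (len even)."""
    approx = [(x[i] + x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    return approx, detail


def haar_merge(approx, detail):
    """Inverse of haar_split."""
    out = []
    for a, d in zip(approx, detail):
        out.extend([(a + d) / SQRT2, (a - d) / SQRT2])
    return out


def window_for(n):
    """Detection window for a coefficient sequence of length n. The patent ties the
    window to the wavelet centre frequency; this example simply shrinks it with
    the sequence, which halves at every level (assumption)."""
    return max(4, n // 16)


def detection_parameter(coeffs):
    """Deviation-score statistic: normalize to unit variance and return the largest
    variance found in any full sliding window. Evenly spread energy gives about 1;
    energy concentrated in one window gives up to len(coeffs) / window."""
    sd = statistics.pstdev(coeffs)
    if sd == 0:
        return 0.0
    norm = [c / sd for c in coeffs]
    w = window_for(len(norm))
    if len(norm) <= w:
        return statistics.pvariance(norm)
    return max(statistics.pvariance(norm[i - w + 1:i + 1]) for i in range(w - 1, len(norm)))


def analyse(coeffs, path, alarm_thr, decomp_thr, max_level, alarms):
    """Step 3: compare the band's parameter with both thresholds. Above the alarm
    threshold the band is recorded; between the thresholds it is split once more
    and both children are analysed; below the decomposition threshold it is dropped."""
    param = detection_parameter(coeffs)
    if param > alarm_thr:
        alarms.append((path, coeffs, param))
    elif param > decomp_thr and len(path) < max_level:
        low, high = haar_split(coeffs)
        analyse(low, path + "a", alarm_thr, decomp_thr, max_level, alarms)
        analyse(high, path + "d", alarm_thr, decomp_thr, max_level, alarms)


def reconstruct_band(coeffs, path):
    """Step 4: inverse-transform one packet node back to the time domain, zeroing its
    sibling at every level. path is the node's root-to-leaf label ('a' low, 'd' high)."""
    cur = list(coeffs)
    for node in reversed(path):
        zeros = [0.0] * len(cur)
        cur = haar_merge(cur, zeros) if node == "a" else haar_merge(zeros, cur)
    return cur


def detect_anomalies(signal, alarm_thr=4.5, decomp_thr=2.0, max_level=4):
    """Steps 2-5 for one sampled traffic signal f(n); returns the confirmed bands."""
    alarms = []
    low, high = haar_split(signal)                      # step 2: first level
    analyse(low, "a", alarm_thr, decomp_thr, max_level, alarms)
    analyse(high, "d", alarm_thr, decomp_thr, max_level, alarms)
    confirmed = []
    for path, coeffs, param in alarms:
        rebuilt = reconstruct_band(coeffs, path)        # step 4
        confirm = detection_parameter(rebuilt)          # step 5: same test, time domain
        if confirm > alarm_thr:
            peak = max(range(len(rebuilt)), key=lambda i: abs(rebuilt[i]))
            confirmed.append({"path": path, "level": len(path), "initial": round(param, 2),
                              "confirmed": round(confirm, 2), "peak_index": peak})
    return confirmed


def constructed_signal(burst=True):
    """Constructed packets-per-interval series (256 intervals): about 100 with a small
    ripple, plus a +200 burst over intervals 163..178 when burst=True."""
    x = [100.0 + 5.0 * math.sin(2 * math.pi * n / 7) for n in range(256)]
    if burst:
        for n in range(163, 179):
            x[n] += 200.0
    return x


if __name__ == "__main__":
    for band in detect_anomalies(constructed_signal()):
        print(band)
    print("quiet signal:", detect_anomalies(constructed_signal(burst=False)))
```

The two thresholds do different jobs: the decomposition threshold decides which nodes of the packet tree are worth splitting further (so the tree is only grown where the coefficients look suspicious), and the alarm threshold decides which nodes are reported; the confirmation pass then repeats the same test on the reconstructed time-domain band, so a node whose alarm was an artefact of a short coefficient sequence is not reported. The `peak_index` field localises the confirmed anomaly in the original sampling grid.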

The present invention also provides a detection device for network traffic anomalies, comprising a traffic signal generation module, a wavelet packet transform module and an initial anomaly detection module;

the traffic signal generation module is used to sample the network traffic and generate a traffic signal;

the wavelet packet transform module is used to perform wavelet packet decomposition on the traffic signal from the traffic signal generation module and on the wavelet packet coefficient sequences that show initial anomalies;

the initial anomaly detection module is used to perform initial anomaly detection on the wavelet packet coefficient sequences generated by the wavelet packet transform module, generate detection parameters and compare them with the preset alarm threshold and decomposition threshold; if any detection parameter is greater than the alarm threshold, it outputs a detection result that the signal is anomalous, and if any detection parameter is less than the alarm threshold but greater than the decomposition threshold, it outputs the wavelet packet coefficient sequence corresponding to that detection parameter to the wavelet packet transform module.

The device of the present invention may further comprise a wavelet packet reconstruction module and a confirmation anomaly detection module:

the wavelet packet reconstruction module is used to reconstruct the wavelet packet coefficient sequences that the initial anomaly detection module has detected as anomalous;

the confirmation anomaly detection module is used to perform confirmation anomaly detection on the traffic signal produced by the wavelet packet reconstruction module and to compare the resulting detection parameter with the preset alarm threshold; if it exceeds the alarm threshold, the module outputs a detection result that the signal is anomalous.

It can be seen from the above technical scheme that the present invention has the following beneficial effects:

(1) According to the detection result for the wavelet packet coefficients of each level, the double-threshold mechanism flexibly decides whether to continue decomposing and along which path the next level of wavelet packet decomposition proceeds, which solves the problem of adaptively choosing the decomposition scale, avoids blind wavelet packet decomposition and improves the flexibility of detection;

(2) Through adaptive wavelet packet decomposition, reconstruction and detection, the invention has the same detection capability for anomalies in every frequency band. It can effectively detect both long-lasting persistent anomalous traffic and short abrupt anomalous traffic, and also the medium-frequency attack traffic that anomaly detection based on multi-resolution analysis cannot detect, thus achieving comprehensive detection. Anomalies are further confirmed, which improves the reliability of detection;

(3) By proposing an adaptive time window selection method based on the wavelet centre frequency, the invention solves the problem of choosing the detection window for the wavelet packet coefficients at each scale of each level.

The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.

Brief description of the drawings

Fig. 1 is a flow chart of embodiment 1 of the method for detecting network traffic anomalies according to the present invention;

Fig. 2 is a schematic diagram of the sliding time window deviation score algorithm of the present invention;

Fig. 3 is an example of a wavelet packet decomposition tree of the present invention;

Fig. 4 is a first structural diagram of the device for detecting network traffic anomalies according to the present invention;

Fig. 5 is a second structural diagram of the device for detecting network traffic anomalies according to the present invention.

Detailed description

Traditional anomaly detection methods are all single-scale. They are effective against sudden changes, but present-day attacks are organised very flexibly so as to evade anomaly detection: they may target a system with traffic that changes slowly and gradually, and because such seemingly slow changes are not very conspicuous at a single scale of measurement they may be missed. If the details of the signal could be magnified to some extent, such slow attack signals would become relatively obvious. This is the origin of the idea of using the wavelet transform for anomaly detection.

For network traffic anomaly detection, the network traffic is first sampled to produce a one-dimensional time-varying signal called the traffic signal. Anomalies are detected from the deviation of the statistical characteristics of the anomalous signal from the normal case, that is, from an abrupt change in the traffic signal. For a random signal such as the traffic signal, the statistically averaged spectral characteristics are usually described by the power spectral density (PSD). The power spectrum of normal network traffic differs from that of anomalous traffic: generally the power spectrum of normal traffic has fairly uniform energy across all frequency bands, while the power spectrum of anomalous traffic has its energy concentrated in certain bands. Earlier work using wavelet decomposition for detection relies on exactly this difference between normal and anomalous traffic in the frequency domain. Those detection algorithms are all built on multi-resolution analysis, which decomposes the signal effectively in time and frequency; but because its scales change dyadically, its frequency resolution in the high-frequency bands is poor. The causes of anomalous traffic are varied, however, so an anomaly may be low-frequency or high-frequency, and these methods therefore cannot effectively detect anomalies in all frequency bands.

本明提出了一个将小波包分析用于网络流量异常检测的新机制。小波包分析是多分辨分析的改进,它可以根据信号的特性,自动选取不同的时频分辨率进行分解。利用它能有效地进行时-频定位和微弱信号提取。Benming proposes a new mechanism using wavelet packet analysis for network traffic anomaly detection. Wavelet packet analysis is an improvement of multi-resolution analysis, which can automatically select different time-frequency resolutions for decomposition according to the characteristics of the signal. Using it can effectively carry out time-frequency positioning and weak signal extraction.

Specific embodiment 1

Referring to Fig. 1, which is the flow chart of specific embodiment 1 of the method for detecting network traffic anomalies of the present invention, the method comprises the following steps:

Step 1, detection signal generation: the number of packets passing through the router per unit time is used as the traffic signal, with the sampling interval set to T_0 seconds. If f(n) is the value of the n-th sample, then:

Figure A20061016817300121

Specifically, in the sampling process above, f(n) is the count of packets passing through the router during the n-th unit interval of T_0 seconds. This differs from "sampling" in the traditional sense, which converts an analogue signal continuous in both time and amplitude into a discrete-time signal that is still continuous in amplitude. The sampling process above is only the preferred sampling method of the invention; the present invention may also use other existing sampling methods to generate the traffic signal.

Step 2, wavelet packet decomposition: perform wavelet packet decomposition on the traffic signal to generate wavelet packet coefficient sequences for a number of frequency bands. It has been found that the background traffic itself is a predominantly low-frequency signal while anomalous signals are generally high-frequency, so that even a very weak high-frequency anomaly can be detected, after wavelet packet decomposition, in the high-frequency part whose normalised angular frequency lies in (π/2, π). It is therefore sufficient to perform a one-level multi-scale decomposition first and then to begin the wavelet packet decomposition from the band whose normalised angular frequency lies in (0, π/2). Through 2-decimated discrete wavelet packet analysis, the output is the wavelet packet coefficient sequence at each scale. With each additional decomposition level the number of output wavelet packet coefficients halves: if the detection sequence has length N, the wavelet packet coefficient sequence output at level j has length N/2^j. Because the wavelet packet decomposition has a binary tree structure, the number of tree nodes grows as 2^j with the level j, so the number of initial decomposition levels is generally limited; further decomposition then proceeds adaptively according to the detection results.

Step 3, initial anomaly detection: after the wavelet packet decomposition, perform initial anomaly detection on the wavelet packet coefficient sequence of each generated frequency band, generate a detection parameter ratio, and compare the detection parameters with the preset alarm threshold and decomposition threshold. If some detection parameter exceeds the alarm threshold, the signal can be confirmed as anomalous; however, to further improve the reliability of the result, step 4 may also be executed once a detection parameter is found to exceed the alarm threshold: the wavelet packet coefficient sequences of the bands whose detection parameters exceed the alarm threshold are reconstructed and an anomaly confirmation detection is performed, which eliminates some false detections. If some detection parameter is below the alarm threshold but above the decomposition threshold, the band corresponding to that detection parameter is further wavelet-packet decomposed and step 3 is repeated. If all generated detection parameters are below the decomposition threshold, the signal is confirmed as normal.

In step 3 above, the initial anomaly detection may use deviation score detection. The deviation score algorithm was originally applied to the reconstructed signal; in the present invention it is applied not only to the reconstructed signal but also directly to the wavelet packet coefficients. After the wavelet packet transform the signal is represented by a series of wavelet packet coefficients, and the anomaly detection algorithm actually operates on these coefficients, because an abrupt change in the signal usually corresponds, in the wavelet packet transform domain, to an extremum or zero-crossing of the modulus of the wavelet packet coefficients, and the magnitude of the signal singularity corresponds to the way the extrema of the wavelet packet coefficients vary with scale. In other words, the statistical properties of the wavelet packet coefficients of the transformed signal can be taken to agree with those of the original signal, so that detection on the wavelet packet coefficients is almost equivalent to detection on the original signal.

Deviation score detection can be implemented with a deviation score algorithm based on sliding time windows, as shown in Fig. 2, the schematic diagram of the sliding-window deviation score algorithm. Two measurement windows are used: a window HisWin based on the historical variance, and a detection window DetWin. Both windows move forward with time and are updated in real time. At the current time t, we compute the variance V_1 over the detection window (t-DetWin, t) and the variance V_2 over the history window (t-HisWin, t). Let

$\mathrm{ratio} = \dfrac{V_1}{V_2}$    (3-1)

The parameter ratio reflects, to a certain extent, the deviation of the samples in the detection window from the historical normal data: if the signal is anomalous at the current instant, this necessarily affects the measurement over the detection window and shows up in the parameter ratio as an increase in magnitude. In the initial anomaly detection stage at time t, the network traffic signal over the period (t-HisWin, t) is wavelet-packet decomposed, the wavelet packet coefficients at each scale are obtained and checked with the deviation score algorithm, and the resulting ratio is compared with the preset alarm threshold T_a and decomposition threshold T_d. Three cases arise:

1. If ratio > T_a, an anomalous state is assumed and anomaly confirmation detection is carried out: in the anomaly confirmation stage at time t, the wavelet packet coefficients at the scales where a possible anomaly was found are reconstructed, and the detection is run once more on the reconstructed signal. If the detection result on the reconstructed signal still exceeds the alarm threshold T_a, the anomaly is confirmed; otherwise it is treated as a false detection, i.e. the signal is normal.

2. If T_d < ratio < T_a, a suspected anomalous state is assumed: the band in which the suspected state appears is further wavelet-packet decomposed and the initial anomaly detection is repeated until the result is that the signal is anomalous or that it is normal.

3. If ratio < T_d, the signal is considered normal.

If one relies on the deviation score alone, the method fails for long-lasting low-frequency anomalies. The reason is that a low-frequency anomaly stabilises once it has grown to a certain magnitude; when the detection window is much shorter than the duration of the anomaly, the deviation score jumps only at the beginning and at the end of the anomaly and stays essentially unchanged while the anomaly is steady in between. A single long anomaly is then treated as two short ones. To solve this problem, the present invention makes a second improvement to the deviation score algorithm and defines a mean shift score ratio_E. At the current time t, compute the mean E_1 over the detection window (t-DetWin, t) and the mean E_2 over the history window (t-HisWin, t); the mean shift score is then

$\mathrm{ratio}_E = \dfrac{E_1}{E_2}$    (3-2)

It reflects the change of the sample mean in the detection window relative to the historical normal data. In general its value stays steadily above 1 once a low-frequency anomaly has started, so that, used together with ratio, long-lasting low-frequency anomalies can be detected accurately. For the mean score ratio_E the corresponding alarm threshold is T_Ea and the corresponding decomposition threshold is T_Ed; the detection procedure is the same as that described above for the deviation score and is not repeated here.

It can be seen from step 3 that neither the number of wavelet packet decomposition levels nor the decomposition path is fixed: whether to decompose further, and along which path at the next level, is decided flexibly from the detected anomalous or suspected-anomalous state, so the process is fully adaptive.

Step 4, reconstruct the wavelet packet coefficient sequences of the bands whose detection parameters exceed the alarm threshold. The energy of the anomalous signal is distributed roughly over the bands found to be anomalous in step 3, so reconstructing the wavelet packet coefficient sequences of these bands yields a signal in which the anomaly stands out from the original signal to a greater extent.

Because of the complexity of signal anomalies, the anomalies found in the initial detection may well be spread across different wavelet domains; reconstructing the wavelet packet coefficients of these domains gives a signal in which the anomaly stands out more clearly than in the original signal. Further detection on the reconstructed signal confirms the anomaly. In addition, by selectively reconstructing the wavelet packet coefficient sequences, these anomalies can be located more accurately in the time domain.

Step 5, anomaly confirmation: compare the generated detection parameter with the preset alarm threshold; if it exceeds the alarm threshold the signal is confirmed as anomalous, otherwise the initial result is treated as a false detection, i.e. the signal is confirmed as normal. Since a suspected anomaly found by the initial anomaly detection module may be a false detection, the reconstructed signal sequence is finally checked again to reduce the false detection rate. Moreover, 2-decimated wavelet packet analysis blurs localisation in the time domain, and detection on the reconstructed signal improves the accuracy with which an anomaly is located in time.

In addition, in the embodiment above the detection window may also be determined adaptively. In general the detection window for anomaly detection is hard to choose, and an arbitrarily chosen window gives no guarantee of good detection. The present invention therefore proposes a method for determining the window approximately from the centre frequency of each frequency band.

In the initial anomaly detection the signals to be checked are the wavelet packet coefficients of each level. After the traffic signal has been wavelet-packet decomposed to level j there are 2^j frequency band sequences of equal bandwidth; the length of the signal in each band falls to 1/2^j of the traffic signal and the sampling interval grows to 2^j times that of the traffic signal. If the highest frequency of the traffic signal is f, the frequency range of the 2^j bands is:

$2^{-j}(i-1)f \sim 2^{-j} i f$    (3-3)

where i = 1, 2, …, 2^j indexes the band sequences of the decomposed signal. The centre frequency of each band can be estimated roughly as:

$f_{cj}^{\,i} = 2^{-(j+1)}(2i-1)f$    (3-4)

If the sampling interval at level 0 (the traffic signal) is Δ, the sampling interval at level j is 2^j Δ. We take the data length corresponding to 2^j periods as the size of the detection window:

$\mathrm{DetWin}_j^{\,i} = 2^{j} \cdot 2^{(j+1)} / \left[(2i-1)f \cdot 2^{j}\Delta\right] = 2^{(j+1)} / \left[(2i-1)f \cdot \Delta\right]$    (3-5)

It can be seen that the detection window computed from the centre frequency has a different size for each band at each level: the window is larger at low frequencies and smaller at high frequencies.

In anomaly confirmation the signal to be checked is the reconstructed signal. To make sure that anomalies in every frequency range are detected effectively, the detection window is set to the largest of the detection windows of the wavelet packet coefficient sequences that were reconstructed.

A further improvement of the present invention is that its detection method combines online detection with the sliding-window technique. As Fig. 2 clearly shows, the data cut out by successive sliding windows partly overlap, and for the history window in particular the amount of redundant data is very large. At two adjacent detection instants the wavelet packet transform would be computed twice over the redundant data, costing a great deal of computation time and degrading the real-time performance of the detector as a whole. To meet real-time detection requirements, a fast algorithm for the sliding-window wavelet packet transform can be used in practical applications.

In addition, the thresholds T_a, T_d, T_Ea and T_Ed can be determined by monitoring the normal network and analysing historical network traffic data. To make the wavelet packet decomposition adaptive, the initial anomaly detection uses a double-threshold decision: there are two thresholds, the alarm threshold (T_a and T_Ea) and the decomposition threshold (T_d and T_Ed), with T_a > T_d and T_Ea > T_Ed. The thresholds T_a and T_d can be obtained from the deviation score ratio of the statistical detection algorithm: by running the detection over historical normal traffic, the threshold values of ratio for normal traffic at each scale are obtained, taking $T_a = \overline{\mathrm{ratio}} + 3\sigma$, $T_d = \overline{\mathrm{ratio}} + 6\sigma$. The thresholds T_Ea and T_Ed can be obtained from the mean score ratio_E: by studying historical traffic, the threshold values of ratio_E for normal traffic at each scale are obtained, taking $T_{Ea} = \overline{\mathrm{ratio}_E} + 3\sigma$, $T_{Ed} = \overline{\mathrm{ratio}_E} + 6\sigma$. In these formulas σ is the variance of the data within the detection window measured over historical normal traffic; 3σ and 6σ are empirical values, and other values may be taken according to the actual situation.

The present invention is further explained below with the wavelet packet decomposition tree. Fig. 3 shows an example decomposition tree of the present invention. First a one-level multi-scale decomposition of the traffic signal is performed; then the coefficients of node [1,0] are wavelet-packet decomposed down to level 3, and the sliding-window statistical detection algorithm checks the coefficients at each scale for anomalies. If some band of some scale within the first n levels reaches the alarm threshold, reconstruction and detection are carried out immediately, and an alarm is raised if the result is still anomalous. If some scale at level n reaches the decomposition threshold, it is decomposed further to level n+1 and checked: if the wavelet packet coefficients at level n+1 are below the decomposition threshold the node is judged non-anomalous; if they are above the decomposition threshold but below the alarm threshold the decomposition continues deeper; if they exceed the alarm threshold, reconstruction is performed directly and the reconstructed signal is judged. The dark nodes in Fig. 3 show one possible decomposition path.
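As an added illustration of steps 2 to 5 and of the decomposition-tree walk above (example code written for this page, not the patent's own implementation), the following pure-Python detector uses the Haar wavelet packet, the sliding-window scores ratio and ratio_E of equations (3-1) and (3-2), and the double-threshold decision. The traffic series, the window sizes and the thresholds T_a = 4 and T_d = 2 are constructed values; nodes are labelled by tuples of 'L'/'H' branches rather than the [j, i] notation of Fig. 3, and windows are simply halved per level instead of being sized by equation (3-5).

```python
"""Added example (not the patent's code): adaptive Haar wavelet packet anomaly
detection with the sliding-window deviation score and double thresholds."""
import math
from statistics import mean, pvariance

SQRT2 = math.sqrt(2.0)


def haar_split(x):
    """One level of 2-decimated Haar wavelet packet analysis -> (low, high)."""
    pairs = [(x[i], x[i + 1]) for i in range(0, len(x) - 1, 2)]
    low = [(a + b) / SQRT2 for a, b in pairs]
    high = [(a - b) / SQRT2 for a, b in pairs]
    return low, high


def haar_merge(low, high):
    """Exact inverse of haar_split."""
    out = []
    for a, d in zip(low, high):
        out.extend(((a + d) / SQRT2, (a - d) / SQRT2))
    return out


def reconstruct_node(path, coeffs):
    """Lift one packet node (path of 'L'/'H' branches from the root) back to the
    signal domain with every other node zeroed."""
    for branch in reversed(path):
        zeros = [0.0] * len(coeffs)
        coeffs = haar_merge(coeffs, zeros) if branch == "L" else haar_merge(zeros, coeffs)
    return coeffs


def deviation_ratio(x, det_win, his_win):
    """Eq. (3-1): ratio = V1 / V2 for the detection and history windows ending at t."""
    v1, v2 = pvariance(x[-det_win:]), pvariance(x[-his_win:])
    if v2 == 0.0:
        return math.inf if v1 > 0.0 else 1.0
    return v1 / v2


def mean_shift_ratio(x, det_win, his_win):
    """Eq. (3-2): ratio_E = E1 / E2 for the same two windows."""
    e2 = mean(x[-his_win:])
    return mean(x[-det_win:]) / e2 if e2 != 0.0 else math.inf


def classify(ratio, t_a, t_d):
    """Double-threshold decision of step 3 (requires t_a > t_d)."""
    if ratio > t_a:
        return "alarm"
    return "suspect" if ratio > t_d else "normal"


def detect(signal, det_win, his_win, t_a, t_d, max_level=4):
    """Steps 2-5: split once, score every packet node, descend only into suspect
    nodes, then reconstruct the alarmed nodes and confirm on that signal.
    Windows are given in original samples and halve with each level."""
    low, high = haar_split(signal)
    pending = [(("H",), high), (("L",), low)]   # (path from root, coefficients)
    trace, flagged = {}, []
    while pending:
        path, coeffs = pending.pop()
        level = len(path)
        dw, hw = det_win >> level, his_win >> level
        if len(coeffs) < hw or dw < 2:
            continue                              # too few coefficients to score
        verdict = classify(deviation_ratio(coeffs, dw, hw), t_a, t_d)
        trace[path] = verdict
        if verdict == "alarm":
            flagged.append((path, coeffs))
        elif verdict == "suspect" and level < max_level:
            lo, hi = haar_split(coeffs)           # adaptive: one layer deeper
            pending.extend([(path + ("H",), hi), (path + ("L",), lo)])
    if not flagged:
        return {"verdict": "normal", "trace": trace, "flagged": []}
    recon = [0.0] * len(signal)
    for path, coeffs in flagged:
        recon = [r + c for r, c in zip(recon, reconstruct_node(path, coeffs))]
    confirmed = deviation_ratio(recon, det_win, his_win) > t_a   # step 5
    return {"verdict": "alarm" if confirmed else "normal",
            "trace": trace, "flagged": [p for p, _ in flagged]}


def traffic_signal(n_samples=512, anomaly=True):
    """Constructed packets-per-interval series: baseline, slow swing, deterministic
    ripple; the last 64 samples optionally carry a small period-8 burst that the
    Haar packet tree concentrates in node ('L', 'H')."""
    burst = (1, 1, -1, -1, -1, -1, 1, 1)
    sig = []
    for n in range(n_samples):
        x = 1000.0 + 30.0 * math.sin(2 * math.pi * n / 64) + float((7 * n) % 23)
        if anomaly and n >= n_samples - 64:
            x += 40.0 * burst[n % 8]
        sig.append(x)
    return sig


if __name__ == "__main__":
    print(detect(traffic_signal(), det_win=64, his_win=512, t_a=4.0, t_d=2.0))
```

On the constructed series the level-1 low band is only "suspect", one more packet level isolates the burst in node ('L', 'H'), and reconstructing that node alone confirms the alarm; a constant step in traffic, by contrast, gives a zero deviation ratio inside the step but a clear mean shift score, which is the case the text makes for ratio_E.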

The present invention also provides a device for detecting network traffic anomalies. Fig. 4 is the first structural diagram of the network traffic anomaly detection device of the present invention, which comprises a traffic signal generation module 11, a wavelet packet transform module 12 and an initial anomaly detection module 13:

the traffic signal generation module 11 samples the network traffic to generate the traffic signal;

the wavelet packet transform module 12 performs wavelet packet decomposition on the traffic signal and on the wavelet packet coefficient sequences output by the initial anomaly detection module;

the initial anomaly detection module 13 performs initial anomaly detection on the wavelet packet coefficient sequences generated by the wavelet packet transform module, generates detection parameters and compares them with the preset alarm threshold and decomposition threshold; if some detection parameter exceeds the alarm threshold it outputs the detection result that the signal is anomalous, and if some detection parameter is below the alarm threshold but above the decomposition threshold it outputs the wavelet packet coefficient sequence corresponding to that detection parameter to the wavelet packet transform module 12.

In addition, Fig. 5 is the second structural diagram of the network traffic anomaly detection device of the present invention; to further improve the reliability of detection, a wavelet packet reconstruction module 14 and an anomaly confirmation module 15 are added to the device:

the wavelet packet reconstruction module 14 reconstructs the wavelet packet coefficient sequences that the initial anomaly detection module has detected as anomalous;

the anomaly confirmation module 15 performs anomaly confirmation detection on the traffic signal generated by the wavelet packet reconstruction module, compares the generated detection parameter with the preset alarm threshold, and outputs the detection result that the signal is anomalous if it exceeds the alarm threshold.

Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the technical solution of the present invention, and that such modifications or equivalent substitutions do not take the modified technical solution outside the spirit and scope of the technical solution of the present invention.

Claims (11)

1. A method for detecting network traffic anomalies, characterised by comprising the steps of:
Step 1, sampling the network traffic to generate a traffic signal;
Step 2, performing wavelet packet decomposition on the traffic signal to generate wavelet packet coefficient sequences for a plurality of frequency bands;
Step 3, performing initial anomaly detection on the wavelet packet coefficient sequence of each frequency band generated by the decomposition to generate detection parameters, and comparing the detection parameters with a preset alarm threshold and a preset decomposition threshold; if some detection parameter exceeds said alarm threshold, confirming the signal as anomalous; if some detection parameter is below said alarm threshold but above said decomposition threshold, performing the next level of wavelet packet decomposition on the frequency band corresponding to that detection parameter and then repeating step 3.
2. The detection method according to claim 1, characterised in that confirming the signal as anomalous when some detection parameter exceeds the alarm threshold specifically comprises:
Step 4, reconstructing the wavelet packet coefficient sequences of the frequency bands whose detection parameters exceed said alarm threshold;
Step 5, performing anomaly confirmation detection on the signal generated by the reconstruction, and comparing the generated detection parameter with said preset alarm threshold; if it exceeds said alarm threshold, confirming the signal as anomalous.
3. The detection method according to claim 1 or 2, characterised in that the sampling in step 1 specifically comprises counting the packets passing through a router per unit time to generate the traffic signal.
4. The detection method according to claim 1 or 2, characterised in that said initial anomaly detection and/or said anomaly confirmation detection uses deviation score detection.
5. The detection method according to claim 4, characterised in that said deviation score detection uses a historical variance window and a detection window that slide over the signal.
6. The detection method according to claim 5, characterised in that, in said sliding detection, said detection window yields a detection-window variance V1, said historical variance window yields a history-window variance V2, and said detection parameter is the ratio of V1 to V2.
7. The method according to claim 6, characterised in that, in said sliding detection, said detection window yields a detection-window mean E1, said historical variance window yields a history-window mean E2, and said detection parameter is the ratio of E1 to E2.
8. The detection method according to claim 5, 6 or 7, characterised in that the size of said detection window is determined from the centre frequency of each frequency band.
9. The detection method according to claim 1 or 2, characterised in that, before said step 1, the method further comprises determining said alarm threshold and said decomposition threshold by monitoring the normal network and analysing historical network traffic data.
10. A device for detecting network traffic anomalies, characterised by comprising a traffic signal generation module, a wavelet packet transform module and an initial anomaly detection module, wherein:
the traffic signal generation module samples the network traffic signal to generate a traffic signal;
the wavelet packet transform module performs wavelet packet decomposition on the traffic signal and on the wavelet packet coefficient sequences output by the initial anomaly detection module;
the initial anomaly detection module performs initial anomaly detection on the wavelet packet coefficient sequences generated by the wavelet packet transform module to generate detection parameters, and compares the detection parameters with a preset alarm threshold and a preset decomposition threshold; if some detection parameter exceeds said alarm threshold it outputs the detection result that the signal is anomalous, and if some detection parameter is below said alarm threshold but above said decomposition threshold it outputs the wavelet packet coefficient sequence corresponding to that detection parameter to said wavelet packet transform module.
11. The detection device according to claim 10, characterised by further comprising:
a wavelet packet reconstruction module, which reconstructs the wavelet packet coefficient sequences detected as anomalous by the initial anomaly detection module;
an anomaly confirmation module, which performs anomaly confirmation detection on the traffic signal generated after reconstruction by the wavelet packet reconstruction module, compares the generated detection parameter with said preset alarm threshold, and outputs the detection result that the signal is anomalous if it exceeds said alarm threshold.
CNB200610168173XA 2006-12-15 2006-12-15 A detection method and detection device for exceptional network flow Expired - Fee Related CN100486179C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200610168173XA CN100486179C (en) 2006-12-15 2006-12-15 A detection method and detection device for exceptional network flow


Publications (2)

Publication Number Publication Date
CN1996888A true CN1996888A (en) 2007-07-11
CN100486179C CN100486179C (en) 2009-05-06

Family

ID=38251836

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200610168173XA Expired - Fee Related CN100486179C (en) 2006-12-15 2006-12-15 A detection method and detection device for exceptional network flow

Country Status (1)

Country Link
CN (1) CN100486179C (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895420A (en) * 2010-07-12 2010-11-24 西北工业大学 Fast network traffic anomaly detection method
CN102083087A (en) * 2011-01-25 2011-06-01 南京金思科技有限公司 Telephone traffic abnormality detection method combining subjective mode and objective mode
CN102111312A (en) * 2011-03-28 2011-06-29 钱叶魁 Multi-scale principle component analysis-based network abnormity detection method
CN101388885B (en) * 2008-07-23 2012-04-25 成都市华为赛门铁克科技有限公司 Detection method and system for distributed denial of service
WO2014194495A1 (en) * 2013-06-05 2014-12-11 Beijing Blue I.T. Technologies Co., Ltd Method and apparatus for detecting attack on server
CN104268222A (en) * 2014-09-25 2015-01-07 北京国双科技有限公司 Monitoring method and device for promoted account operation events
WO2015172657A1 (en) * 2014-05-15 2015-11-19 Huawei Technologies Co., Ltd. System and method for anomaly detection
CN105515888A (en) * 2015-06-30 2016-04-20 国家电网公司 Intelligent substation communication network anomaly detection method based on multi-dimensional entropy sequence classification
CN105933157A (en) * 2016-06-01 2016-09-07 国网辽宁省电力有限公司葫芦岛供电公司 Fault detection method for electric power data communication network
CN103927392B (en) * 2014-05-04 2017-03-22 苏州大学 Deep layer network data source abnormal point detection method and system
CN108900476A (en) * 2018-06-07 2018-11-27 桂林电子科技大学 Parallel network traffic anomaly detection method based on Spark and isolation forest
CN110839016A (en) * 2019-10-18 2020-02-25 平安科技(深圳)有限公司 Abnormal flow monitoring method, device, equipment and storage medium
CN112188534A (en) * 2019-07-05 2021-01-05 中兴通讯股份有限公司 Anomaly detection method and device
CN112272100A (en) * 2020-08-04 2021-01-26 淘宝(中国)软件有限公司 A high-availability traffic control method and device for local business requirements of an online platform

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10447713B2 (en) 2017-04-26 2019-10-15 At&T Intellectual Property I, L.P. Internet traffic classification via time-frequency analysis

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388885B (en) * 2008-07-23 2012-04-25 成都市华为赛门铁克科技有限公司 Detection method and system for distributed denial of service
CN101895420A (en) * 2010-07-12 2010-11-24 西北工业大学 Fast network traffic anomaly detection method
CN102083087A (en) * 2011-01-25 2011-06-01 南京金思科技有限公司 Telephone traffic abnormality detection method combining subjective mode and objective mode
CN102111312A (en) * 2011-03-28 2011-06-29 钱叶魁 Multi-scale principle component analysis-based network abnormity detection method
CN102111312B (en) * 2011-03-28 2013-05-01 钱叶魁 Multi-scale principle component analysis-based network abnormity detection method
WO2014194495A1 (en) * 2013-06-05 2014-12-11 Beijing Blue I.T. Technologies Co., Ltd Method and apparatus for detecting attack on server
US9398044B2 (en) 2013-06-05 2016-07-19 Beijing Blue I.T. Technologies Co., Ltd. Method and apparatus for detecting attack on server
CN103927392B (en) * 2014-05-04 2017-03-22 苏州大学 Deep layer network data source abnormal point detection method and system
WO2015172657A1 (en) * 2014-05-15 2015-11-19 Huawei Technologies Co., Ltd. System and method for anomaly detection
CN104268222B (en) * 2014-09-25 2018-04-03 北京国双科技有限公司 Monitoring method and device for promoted account operation events
CN104268222A (en) * 2014-09-25 2015-01-07 北京国双科技有限公司 Monitoring method and device for promoted account operation events
CN105515888A (en) * 2015-06-30 2016-04-20 国家电网公司 Intelligent substation communication network anomaly detection method based on multi-dimensional entropy sequence classification
CN105933157A (en) * 2016-06-01 2016-09-07 国网辽宁省电力有限公司葫芦岛供电公司 Fault detection method for electric power data communication network
CN108900476A (en) * 2018-06-07 2018-11-27 桂林电子科技大学 Parallel network traffic anomaly detection method based on Spark and isolation forest
CN108900476B (en) * 2018-06-07 2021-05-11 桂林电子科技大学 A Parallel Network Traffic Anomaly Detection Method Based on Spark and Isolation Forest
CN112188534A (en) * 2019-07-05 2021-01-05 中兴通讯股份有限公司 Anomaly detection method and device
WO2021004161A1 (en) * 2019-07-05 2021-01-14 中兴通讯股份有限公司 Anomaly detection method and apparatus
US11777824B2 (en) 2019-07-05 2023-10-03 Zte Corporation Anomaly detection method and apparatus
CN112188534B (en) * 2019-07-05 2023-11-03 中兴通讯股份有限公司 Anomaly detection method and device
CN110839016A (en) * 2019-10-18 2020-02-25 平安科技(深圳)有限公司 Abnormal flow monitoring method, device, equipment and storage medium
CN112272100A (en) * 2020-08-04 2021-01-26 淘宝(中国)软件有限公司 A high-availability traffic control method and device for local business requirements of an online platform

Also Published As

Publication number Publication date
CN100486179C (en) 2009-05-06

Similar Documents

Publication Publication Date Title
CN100486179C (en) A detection method and detection device for exceptional network flow
Mai et al. Is sampled data sufficient for anomaly detection?
Hellemons et al. SSHCure: a flow-based SSH intrusion detection system
Siris et al. Application of anomaly detection algorithms for detecting SYN flooding attacks
CA2499938C (en) Network bandwidth anomaly detector apparatus and method for detecting network attacks using correlation function
Arshadi et al. Benford's law behavior of Internet traffic
Tellenbach et al. Beyond shannon: Characterizing internet traffic with generalized entropy metrics
Aizuddin et al. DNS amplification attack detection and mitigation via sFlow with security-centric SDN
Dainotti et al. Worm traffic analysis and characterization
CN112804250B (en) LDoS attack detection and mitigation method based on ensemble learning and peak-seeking algorithm
Dainotti et al. A cascade architecture for DoS attacks detection based on the wavelet transform
Carl et al. Wavelet based denial-of-service detection
Kim et al. Detecting traffic anomalies using discrete wavelet transform
Brauckhoff et al. A signal processing view on packet sampling and anomaly detection
Ali et al. On mitigating sampling-induced accuracy loss in traffic anomaly detection systems
Celenk et al. Anomaly prediction in network traffic using adaptive Wiener filtering and ARMA modeling
US20050240780A1 (en) Self-propagating program detector apparatus, method, signals and medium
Thatte et al. Detection of low-rate attacks in computer networks
Qin et al. Monitoring abnormal network traffic based on blind source separation approach
Kaur et al. A novel multi scale approach for detecting high bandwidth aggregates in network traffic
Bu et al. Design and evaluation of a fast and robust worm detection algorithm
Yu et al. On detecting camouflaging worm
Wang et al. An on-line anomaly detection method based on a new stationary metric-entropy-ratio
Nguyen et al. Suspicious traffic detection based on edge gateway sampling method
Arshadi et al. Entropy based SYN flooding detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090506

Termination date: 20181215