Zhengmin Xia,Songnian Lu,Jianhua Li,Aixin Zhang

DOI: https://doi.org/10.1007/978-3-642-11145-7_22

2009-01-01

Abstract:Abnormal traffic detection is a difficult problem in network management and network security. This paper proposed an abnormal traffic detection method based on LoSS (loss of self-similarity) through comparing the difference of Hurst parameter distribution under the network normal and abnormal traffic time series conditions. This method adopted wavelet analysis to estimate the Hurst parameter of network traffic in large time-scale, and the detection threshold could self-adjusted according to the extent of network traffic self-similarity under normal conditions. The test results on data set from Lincoln Lab of MIT demonstrate that the new detection method has the characteristics of dynamic self-adaptive and higher detection rate, and the detection speed is also improved by one time segment.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Cheng XU,Zhaowei QU,Pengfei TAO,Sheng JIN

DOI: https://doi.org/10.11990/jheu.201503045

2016-01-01

Abstract:Because of the large quantity of absence and abnormity of original traffic data in the real detector, by an?alyzing the influence of inner relationship of data acquisition interval and three traffic flow parameters and other fac?tors, this paper designed a four?step data sieving method, including preliminary screening, threshold filtering, the?oretical screening of traffic flow and quality control sieving. Then four data reconstruction methods used in different conditions were also proposed based on time series, historical data, spatial location and spatial?temporal correla?tion, lastly on the basis of this, the data preprocessing process was set up. Using the field data on the city express?way in Beijing, it indicates the algorithm can effectively remove abnormal data and the abnormal data reconstruction accuracy is less than 10%. These methods have been proven to have good real?time performance and stability, and can be used in engineering projects.

Dingde Jiang,Peng Zhang,Zhengzheng Xu,Cheng Yao,Wenda Qin

DOI: https://doi.org/10.1109/CIS.2011.222

2011-01-01

Abstract:Anomaly traffic often breaks out without any omen and brings a breakdown to networks in a short time, and thus the adaptive detection of anomalies in network traffic is an important and challenging task. In this paper, we propose a wavelet-based adaptive approach to detect anomalies in network traffic. We can use wavelet packet transform and continuous wavelet transform to perform the adaptive detect anomaly. First, wavelet packet transform is exploited to extract the anomaly characteristics on the different scales. Then continue wavelet transform is exploited to obtain the further anomaly information about network traffic. Simulation results show that our method is effective and feasible.

ding de jiang,cheng yao,zheng zheng xu,peng zhang,zhen yuan,wen da qin

DOI: https://doi.org/10.4028/www.scientific.net/AMM.130-134.2098

2012-01-01

Applied Mechanics and Materials

Abstract:Anomalous traffic often has a significant impact on network activities and lead to the severe damage to our networks because they usually are involved with network faults and network attacks. How to detect effectively network traffic anomalies is a challenge for network operators and researchers. This paper proposes a novel method for detecting traffic anomalies in a network, based on continuous wavelet transform. Firstly, continuous wavelet transforms are performed for network traffic in several scales. We then use multi-scale analysis theory to extract traffic characteristics. And these characteristics in different scales are further analyzed and an appropriate detection threshold can be obtained. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and feasible.

Ming Li,Shengquan Wang,Wei Zhao

DOI: https://doi.org/10.1007/11839569_53

2006-01-01

Abstract:Abnormal variations of traffic are conventionally considered to occur under the condition that traffic rate is abnormally high in the cases, such as traffic congestions or traffic under distributed denial-of-service (DDOS) flood attacks. Various methods in detecting traffic variations at abnormally high rate have been reported. We note that a recent paper by Kuzmanovic and Knightly, which explains a type of DDOS attacks that may result in abnormally low traffic rate. Such a type of abnormal variations of traffic, therefore, can easily evade from detection systems based on abnormally high traffic rate. This paper presents a real-time and reliable detection approach to detect traffic variations at both abnormally high and low rates. The formulas in terms of detection probabilities, miss probabilities, classification criterion, and detection thre-sholds are proposed.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Xing Jian Qi,Hu Guang-min,Dan Yang,Li Zong-lin

DOI: https://doi.org/10.1109/ICCIS.2008.4670902

2008-01-01

Abstract:Identifying network traffic anomalies accurately and rapidly is very critical to efficient operation of computer network. In this paper, to improve the existing anomaly detection, we propose a novel multi-resolution network traffic anomaly detection approach based on S Transform with self- adjusting scale. By introducing S Transform, we can decompose network traffic signal into a group of different frequency sub- bands according to the traffic signal's characteristics. By means of self-adjusting reconstruction of the signal from different frequency sub-bands, our method is able to confirm the anomaly characteristics and enhances the reliability of detection. By means of self-adaptive window selection, we are able to determine the length of detection window according to the spectrum characteristics of the corresponding signal. The simulation results prove that the method can detect the network traffic anomaly efficiently and rapidly, and excels the existing multi-resolution anomaly detection methods. © 2008 IEEE.

zhi yong guo,jian ping li,jian ming liao,xiao feng gu,si yu zhan

DOI: https://doi.org/10.1142/9789812772763_0135

2006-01-01

Abstract:We don't consider the burst of the traffic stream in traditional network, it is short-range dependence. The recent research has shown the existence of self-similarity and long-range dependence in real network traffic. First of all, we give several familiar definitions of self-similarity (also called long-range dependence), describing the stochastic process's characteristics in mathematics and physics, and then we will discuss how to identify a sequence is self-similarity (long-dependence) or not and how to identify its magnitude in quantity. In this paper, we produce the traffic source with the Pareto distribution (one of the heavy-trail distribution) by the ON/OFF model. Subsequently, we estimate the H parameter using V-T and wavelet methods. As the V-T method, we emphasize on the exactness and the operation time. As the Wavelet method, we analyze the effect that the parameters of wavelet method put on the result and introduce the optimal scheme for choosing the parameters. Base on the optimal scheme, we gain very good result. The result of simulation shows that the estimated parameters correctly describe the characteristics of self-similar traffic stream. Whether exactness or the operation time, Wavelet method performs better. At the same time, we study the effect that the vanishing moment of wavelet put on the result by simulation. We gain the applicable scope of wavelet method.

Jun Lv,Xing Li,Tong Li

DOI: https://doi.org/10.1109/iciw.2007.72

2007-01-01

Abstract:Network traffic anomaly detection is a difficult problem in network management. This paper presents a Wavelet Generalized Likelihood Ratio (WGLR) algorithm and an Error Performance Detection (EPD) algorithm to solve this problem. WGLR algorithm combines Generalized Likelihood Ratio (GLR) algorithm and wavelet transform method, and captures the failure point in real time. Error performance Detection (EPD) algorithm is based on the prediction error of the traffic model and regards the error as the statistical variable, comparing with the threshold, which will detect the anomalous change in the signal without test window delay. Simulation and network traffic experiment has demonstrated that the algorithm has the better performance in fault detection

Dingde Jiang,Cheng Yao,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1002/ett.2619

IF: 3.6

2013-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abnormal network traffic has an important impact on network activities and leads to the severe damage to our networks because they are usually related with network faults and network attacks. How to detect effectively network traffic anomalies is an open issue for network researchers. This paper proposes a novel method for detecting traffic anomalies in high‐speed backbone networks, based on multi‐scale analysis. Firstly, the continuous wavelet transforms are performed for network traffic in multiple continuous scales. We then use the principal component analysis for the continuous wavelet transforms in the different scales and extract the nature of the anomalous network traffic. And the new mapping function is constructed to detect the abnormal traffic. Finally, we use the traffic data from the real network to validate our method. Simulation results show that our approach is more promising than the previous method.Copyright © 2013 John Wiley & Sons, Ltd.

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Zonglin Li,Guangmin Hu,Ruqiang Zhou

DOI: https://doi.org/10.1142/9789812799524_0363

2008-01-01

Abstract:Traffic modeling as one of the ways to describe the normal behavior of network traffic is used to detect anomaly. Due to the self-similar model and multi-fractal model are inherently unable to capture the nature of traffic data in all time scales, we propose a novel anomaly detection method based on IDC model analysis to describe the characteristic of traffic data more accurately. By studying the influences of anomalous traffic on the estimation of IDC model through wavelet transform modulus maxima, a cumulative deviation is defined to estimate abnormal behavior. The simulation results show that our method is more sensitive to small anomalous traffic than detection methods based on H parameter analysis, and can accurately detect the anomalies which would not cause the Hurst parameter change evidently. Therefore, it is suite for the early stage detection of anomaly traffic.

Jun Lv,Tong Li,Xing Li

DOI: https://doi.org/10.1109/iscc.2007.4381634

2007-01-01

Abstract:Network traffic anomaly detection is a difficult problem in network management. This paper proposed the wavelet generalized likelihood ratio WGLR) algorithm and the error performance detection (EPD) algorithm to solve this problem. The WGLR algorithm combines the generalized likelihood ratio (CLR) algorithm and the Wavelet transform method, and has an advantage of less computation cost. The EPD algorithm, which is based on the prediction error of the traffic model, will detect the anomalous change in the signal without test window delay. Simulating and network traffic experimental results show that the new algorithm has the better performance in network traffic anomaly detection.

Yangrui HU,Xingshu CHEN,Junfeng WANG,Xiaoming YE

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.008

2016-01-01

Abstract:Real network environment lack of labeled data set, so traditional anomaly traffic detection method based on labeled data set is unsuitable for actual large-scale network. To resolve this, the paper proposes an improved k-means anomaly traffic detection method for unlabeled data sets. Firstly, collect the Sichuan University network outlet lfow and store in the distributed ifle system;secondly, construct user behavior feature set on the basis of network lfow analysis, and extract relevant characteristics by Spark big data processing platform. Referenced principles of group to define the normal behavior of clusters in the actual flow, construct normal flow behavior model on improved K-means++cosine clustering method;Finally, the cosine distance between the normal behavior model and user actual flow behavior is calculated to detected anomaly flow behavior. The feasibility and validity of the method are verified by attacking experiment. The experimental results show that the normal lfow behavior model for anomaly lfow detection has higher accuracy.

Zheng-min Xia,Song-nian Lu,Jian-hua Li,Ling Tie

DOI: https://doi.org/10.1007/s12204-010-9515-6

2010-01-01

Journal of Shanghai Jiaotong University (Science)

Abstract:Modeling of network traffic is a fundamental building block of computer science. Measurements of network traffic demonstrate that self-similarity is one of the basic properties of the network traffic possess at large time-scale. This paper investigates the change of non-stationary self-similarity of network traffic over time, and proposes a method of combining the discrete wavelet transform (DWT) and Schwarz information criterion (SIC) to detect change points of self-similarity in network traffic. The traffic is segmented into pieces around changing points with homogenous characteristics for the Hurst parameter, named local Hurst parameter, and then each piece of network traffic is modeled using fractional Gaussian noise (FGN) model with the local Hurst parameter. The presented experimental performance on data set from the Internet Traffic Archive (ITA) demonstrates that the method is more accurate in describing the non-stationary self-similarity of network traffic.

Jun Gao,Hu Guangmin,Xingmiao Yao,Rocky K. C. Chang

DOI: https://doi.org/10.1109/APCC.2006.255840

2006-01-01

Abstract:The rapid and accurate detection of network traffic anomaly is one of the preconditions to guarantee the effective work of the network. Aiming at the deficiency of present methods of network traffic anomaly detection, we propose a scale-adaptive method based on wavelet packet. By means of wavelet packet decomposition, our method can adjust the decomposition process adaptively, has the same detective ability to the anomaly of various frequency, especially the middle and high frequency ones which can not be checked out by the multi-resolution analysis. By means of adaptive reconstruction of the wavelet packet coefficient of different wavelet domains which anomaly, our method is able to confirm the characteristics of anomaly and enhance the reliability of detection. The simulation results prove that the method can detect the network traffic anomaly efficiently

Zhenping Shi,Jie Li,Chentao Wu,Jinyuan Li

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00335

2019-01-01

Abstract:With the explosion of network traffic volume, high efficient and large-scale network traffic anomaly detection methods becomes necessary. However, existing methods often fail to take into account both the detection delay and the detection accuracy. We propose a novel method, focusing on period-wise detection. We use Long Short-Term Memory (LSTM) to establish abnormal traffic detection model. Besides, We use some big data processing frameworks for online network traffic collection and preprocessing. Performance evaluation shows that our online anomaly detection model outperforms other anomaly detection methods based on traditional anomaly detection methodologies.

颜若愚,郑庆华,牛国林

DOI: https://doi.org/10.3321/j.issn:0253-987x.2009.12.001

2009-01-01

Abstract:A network traffic anomaly detection method based on adaptive filter is proposed to detect all kinds of network traffic attacks.Multiple network traffic indicators are predicted by recursive least square and the allowable statistical range based on the prediction errors are used to detect anomaly.Detection results are finally normalized.The method has the following traits: no training from any historical data,reducing the number of alarms,remarkably,and highlighting the severity of alarms.Testing results on DARPA intrusion detection data sets show that the proposed method is more suitable to detect denial of service attacks,and has a higher detection rate,faster speed and lower alarm rate than similar existing methods with same dimension of weight vectors.