Method and device for detecting multidimensional flow anomalies of distributed network

Abstract

The invention discloses a method and device for detecting multidimensional flow anomalies of a distributed network. The method comprises the following steps: extracting instantaneous parameters of each signal flow which is received by a certain node as mixed signals of a given source signal; calling an independent component analysis (ICA) algorithm to divide each signal flow into N independent signals, and taking weak Gaussianity as extraction reference to extract relative abnormal signals in the N independent signals of each signal flow, wherein N is less than or equal to the dimensionality of the mixed signals of the given source signal; dividing a data set Y constituted by the relative abnormal signals into a strongly correlated portion Z1 and a weakly correlated portion Z2 by virtue of principle component analysis (PCA); adopting timed sliding of a fixed-length time window to capture the signal sequence of the strongly correlated portion Z1, and carrying out PCA on the captured signal sequence each time so as to obtain a vector z1(t); and when the size of the vector z1(t) exceeds a normal threshold value, judging that anomalies exist. According to the invention, the ICA is utilized to separate out abnormal portions from the frequency domain and time domain of each flow signal, thus eliminating influences caused by similar characters among the normal flows.

Description

technical field [0001] The invention relates to the field of communication technology, in particular to a distributed network multi-dimensional traffic abnormality detection method and device. Background technique [0002] There are many reasons for abnormal network traffic, including malicious behavior, misconfiguration, device error, or sudden access, etc. Network managers can monitor network traffic, identify irregular changes, reveal abnormal network behaviors, and provide evidence for operators to manage networks. With the multiplication of network capacity and number of users, fast and accurate detection of traffic anomalies is of great significance to network reliability and availability. [0003] The traditional traffic anomaly detection method usually sets the traffic monitoring point between the user network and the transmission network, installs a firewall or an intrusion detection system, and conducts fine-grained analysis of the incoming and outgoing traffic. T...

AI Technical Summary

Problems solved by technology

[0013] (1) Normal network traffic usually has some regular patterns, such as similar weekly and daily behavior patterns. The PCA-based detection method divides the traffic with strong similar characteristics into normal, and judges the energy of the remaining parts. However, the same abnormal event Similar abnormal traffic may also be generated on multiple links. According to the normal division idea based on the PCA method, this part of abnormal traffic may be classified as normal, and missed detection occurs.

[0014] (2) This method only analyzes the time domain of the traffic signal, that is, it can only detect the abnormality of the traffic signal in the time domain, which is far from enough (especially for the detection of DDoS attacks)

Images