A network traffic anomaly detection method and device based on infigarch model

Abstract

The embodiment of the invention relates to the field of network security and provides a network traffic anomaly detection method based on an INFIGARCH (integer-valued fractional integrated generalized autoregressive conditional heteroscedastic) model. Specifically, the method comprises the following steps of S1, determining a modeled moving window time gap value m; S2, determining a time interval value corresponding to each data point after data aggregation; S3, determining a model updating time gap T <gap >; S4, aggregating traffic data; S5, obtaining undetermined parameters and moreover, recording the time T<est> corresponding to the lastly utilized data point; S6, wherein each predication value corresponds to one prediction moment according to the parameters obtained in the S5; S7, aggregating newcome traffic and recording the moment and the corresponding aggregation traffic; S8, comparing the aggregation traffic with a traffic upper bound threshold value; S9, if the difference between the aggregation traffic and the traffic upper bound threshold value is greater than the T <gap >, returning to the step S4, updating a model, otherwise, performing the step S10; and S10, adding the aggregated data to a time sequence queue and moving a time window. The mode of the method has the excellent characteristic that the stability and tendency following capability are regarded equally important.

Description

technical field [0001] The invention relates to the field of network security, in particular to a method and equipment for detecting network traffic anomalies based on the INFIGARCH model. Background technique [0002] With the deepening of the network into people's daily production and life, the problem of network attacks is also becoming more and more serious. Since the network data stream contains timestamps, it is naturally a time series. Therefore, based on the time series model, network anomaly detection is a common method. Traditionally, time series network traffic anomaly detection methods mainly consider network traffic as real numbers or transform them into real numbers, and then model them as real number time series. At the same time, the existing time series-based models are often based on traditional ARIMA models or statistical tests. These methods generally ignore the right-biased distribution of network traffic data, heteroscedasticity and long memory among ...

AI Technical Summary

Problems solved by technology

[0035] In order to solve the shortcomings of existing methods that approximate integers with real numbers and ignore long memory and heteroscedasticity characteristics, the present invention proposes a network traffic anomaly detection method based on integer fractional difference generalized autoregressive conditional heteroscedasticity model (INFIGARCH)

Images