Li Bainan, Qian Yekui, Luo Xingguo. Network anomaly detection method based on RTT matrix subspace[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2015, 39(02): 215-224.

Network anomaly detection method based on RTT matrix subspace

Journal of Nanjing University of Science and Technology (Natural Science Edition) [ISSN: 1005-9830 / CN: 32-1397/N]

Volume:
39
Issue:
2015, No. 02
Pages:
215-224
Column:
Publication date:
2015-04-30

Article Information

Title:
Network anomaly detection method based on RTT matrix subspace
Author(s):
Li Bainan 1,2, Qian Yekui 2, Luo Xingguo 1
1. Laboratory of System on Chip Design Technology Research, National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, Henan, China; 2. Department of Command and Control, Air Defence Forces Academy of PLA, Zhengzhou 450052, Henan, China
Keywords:
anomaly detection; principal component analysis; subspace; round-trip time; matrix
CLC number:
TP393
Abstract:
Earlier network anomaly detection methods either look only at the anomalous behaviour of a single link or path, or depend on sophisticated monitoring techniques built on the traffic matrix. To address this, the paper constructs a round-trip time (RTT) matrix model, introduces the concept of an RTT matrix subspace, and proposes an analysis method based on the RTT matrix subspace (ARMS). Analysis of the real Abilene measurement data set shows that ARMS fully satisfies the two preconditions for anomaly detection. Simulation experiments designed on NS2 show that ARMS detects network anomalies more accurately than traditional time-series analysis methods, that detection improves when the anomalous traffic is larger or more widely distributed, and that the algorithm's complexity does not deteriorate sharply as the network topology grows.

References:

[1] Thottan M, Ji Chuanyi. Anomaly detection in IP networks[J]. IEEE Transactions on Signal Processing, 2003, 51(8): 2191-2204.
[2] Barford P, Kline J, Plonka D, et al. A signal analysis of network traffic anomalies[A]. Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (IMW)[C]. Marseille, France: ACM, 2002: 71-82.
[3] Brutlag J D. Aberrant behavior detection in time series for network monitoring[A]. Proceedings of the 14th USENIX Conference on System Administration (LISA)[C]. Berkeley, US: USENIX Association, 2000: 139-146.
[4] McGregor A J, Braun H W. Automated event detection for active measurement systems[A]. Proceedings of Passive and Active Measurement (PAM)[C]. Amsterdam, Netherlands: PAM, 2001: 23-32.
[5] Logg C, Cottrell L. Experiences in traceroute and available bandwidth change analysis[A]. SIGCOMM Workshop[C]. Portland, US: ACM Press, 2004: 247-252.
[6] Lakhina A, Crovella M, Diot C. Mining anomalies using traffic feature distributions[A]. SIGCOMM[C]. Philadelphia, US: ACM Press, 2005: 217-228.
[7] Mardani M. Robust network traffic estimation via sparsity and low rank[A]. Acoustics, Speech and Signal Processing (ICASSP)[C]. Vancouver, Canada: IEEE, 2013: 4529-4533.
[8] Novakov S, Lung Chunghorng, Lambadaris I, et al. Studies in applying PCA and wavelet algorithms for network traffic anomaly detection[A]. High Performance Switching and Routing (HPSR)[C]. Taipei, China: IEEE, 2013: 185-190.
[9] Zhang Runchu. Multivariate Statistical Analysis[M]. Beijing: Science Press, 2006: 213-246.
[10] Zhou Jingjing, Yang Jiahai, Yang Yang, et al. Research on traffic matrix estimation[J]. Journal of Software, 2007, 18(11): 2669-2682.
[11] Soule A, Salamatian K, Taft N. Combining filtering and statistical methods for anomaly detection[A]. Internet Measurement Conference 2005[C]. Berkeley, US: USENIX Association, 2005: 331-344.
[12] Simmross-Wattenberg F, Asensio-Perez J I, Casaseca-de-la-Higuera P, et al. Anomaly detection in network traffic based on statistical inference and alpha-stable modeling[J]. IEEE Transactions on Dependable and Secure Computing, 2011, 8(4): 494-509.
[13] Qian Yekui, Chen Ming. A multivariate online anomaly detection algorithm based on SVD updating[J]. Journal of Electronics & Information Technology, 2010, 32(10): 2404-2409.
[14] Qian Yekui, Chen Ming. On the manifold structure of Internet traffic matrix[J]. Journal of Electronics & Information Technology, 2010, 32(12): 2982-2986.
[15] Qian Yekui, Chen Ming, Hao Qiang, et al. ODC: a method for online detecting and classifying network-wide traffic anomalies[J]. Journal on Communications, 2011, 32(1): 111-120.
[16] Qian Yekui, Chen Ming. Poison attack and defense strategies on PCA-based anomaly detector[J]. Acta Electronica Sinica, 2011, 39(3): 543-548.
[17] Qian Yekui, Chen Ming. MOADA-SVR: a multivariate online anomaly detection algorithm based on SVR[J]. Journal on Communications, 2011, 32(12): 106-113.
[18] Barford P, Duffield N, Ron A, et al. Network performance anomaly detection and localization[A]. INFOCOM[C]. Rio de Janeiro, Brazil: IEEE, 2009: 1377-1385.
[19] Choffnes D R, Bustamante F E, Ge Zihui. Crowdsourcing service-level network event monitoring[A]. SIGCOMM[C]. New Delhi, India: ACM, 2010: 387-398.
[20] Huang Yiyi, Feamster N, Lakhina A, et al. Diagnosing network disruptions with network-wide analysis[A]. SIGMETRICS[C]. San Diego, US: ACM, 2007: 61-72.
[21] Gangam S, Sharma P, Fahmy S. Pegasus: precision hunting for icebergs and anomalies in network flows[A]. IEEE INFOCOM[C]. Turin, Italy: IEEE, 2013: 654-662.
[22] Qian Yekui, Chen Ming, Ye Lixin, et al. Network-wide anomaly detection method based on multiscale principal component analysis[J]. Journal of Software, 2012, 23(2): 361-377.
[23] Pascoal C, de Oliveira M R, Valadas R, et al. Robust feature selection and robust PCA for Internet traffic anomaly detection[A]. IEEE INFOCOM[C]. Orlando, US: IEEE, 2012: 1231-1239.
[24] Yeung D Y, Ding Yuxin. Host-based intrusion detection using dynamic and static behavioral models[J]. Pattern Recognition, 2003, 36(1): 229-243.
[25] Yan He, Flavel A, Ge Zihui, et al. Argus: end-to-end service anomaly detection and localization from an ISP's point of view[A]. IEEE INFOCOM[C]. Orlando, US: IEEE, 2012: 982-1000.
[26] Wang Yufeng, Nakao Akihiro. Heterogeneity playing key role: modeling and analyzing the dynamics of incentive mechanisms in autonomous networks[J]. ACM Transactions on Autonomous and Adaptive Systems, 2012, 7(1): 31.
[27] Horn R A, Johnson C R. Matrix Analysis[M]. Zhang Mingyao, Zhang Fan, trans. Beijing: China Machine Press, 2005.
[28] Abilene. The Abilene Observatory data collections[EB/OL]. http://abilene.internet2.edu/observatory/data-collections.html, 2012.
[29] McCanne S, Floyd S, Fall K. The network simulator: ns-2[EB/OL]. http://www.isi.edu/nsnam/ns/, 2014.
[30] Medina A, Lakhina A, Matta I, et al. BRITE: universal topology generation from a user's perspective[A]. Proceedings of the 9th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS)[C]. Cincinnati, US: IEEE, 2001: 346-356.
[31] Lakhina A, Papagiannaki K, Crovella M, et al. Structural analysis of network traffic flows[A]. ACM SIGMETRICS[C]. New York, US: ACM, 2004: 61-72.

Related Articles:

[1] Zhong Xiaofang, Han Zhijun. Multi-response optimization design using principal component analysis[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2003, (03): 301.
[2] Xu Jie, Xu Xiuhong, Liu Yue, et al. Analysis of the effect of inocula on microbial community metabolic profiles during composting using the Biolog method[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2014, 38(01): 181.
[3] Wang Xin. Decentralized quickest change detection based on cluster analysis[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2014, 38(02): 276.
[4] Huang Wei, Chen Hao, Guo Yajuan. Network anomaly detection approach using domain knowledge[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2016, 40(02): 229. [doi:10.14177/j.cnki.32-1397n.2016.40.02.016]
[5] Hu Bo. Dual negative algorithm for black hole coverage of anomaly detection[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2018, 42(05): 604. [doi:10.14177/j.cnki.32-1397n.2018.42.05.015]

Memo:
Received: 2014-06-21; Revised: 2014-07-27
Funding: National Natural Science Foundation of China (61070173); National High-Tech R&D Program of China (863 Program) (2007AA01Z418); Natural Science Foundation of Jiangsu Province (BK2009058)
Author biography: Li Bainan (1978-), male, PhD candidate and teaching assistant; research interest: computer networks. E-mail: libainan.cfa@gmail.com
Citation: Li Bainan, Qian Yekui, Luo Xingguo. Network anomaly detection method based on RTT matrix subspace[J]. Journal of Nanjing University of Science and Technology, 2015, 39(2): 215-224.
Submission site: http://zrxuebao.njust.edu.cn
Last update: 2015-04-30