基于IP监控和非高斯统计的网络异常流量检测

为保障网络和信息系统安全,需要对网络实施有效的监控,确保能及时检测出网络异常(蠕虫爆发、DDoS攻击等)等流量,进而为后续的动态量化风险评估、主动防御提供有力支持。为此,本文提出了一种基于IP监控和非高斯统计的网络异常流量检测方法(IPM-NGSD)。该方法包括两个关键部分:常用IP地址库FIPD和非高斯统计建模。前者,通过利用Bloomfilter技术和FIPD,将网络流量快速分流为常见和非常见IP网络流量:S0和S1;后者,在不同聚合层次上,提取S0和S1的非高斯边缘分布的轮廓值Porfile0和Porfile1,并通过计算Porfile0和Porfile1之间的统计距离,来检测是否存在异常。通过理论分析和两组统计实验验证了该方法的有效性:在缺少有关目标流量先验知识的前提下,该方法能快速、准确地发现短期突发攻击流量和长期低密度攻击流量。

Network Anomaly Traffic Detection Based on IP Monitoring and Non-Gaussian Statistics

To ensure the security of network and information systems,it is necessary to monitor the network continually and detect the network anomaly (worm outbreaks,DDoS,…) traffic in time,and then effectively support the dynamic,quantitative risk assessment and active defence.Therefore,this paper presents a network anomaly traffic detection method (IPM-NGSD) using IP monitoring and non-Gaussian statistics.This method contains two key segments: frequent IP DB (FIPD) and non-Gaussian statistics modeling.The first segment promptly diffluences the network traffic into frequent and infrequent IP traffic:S0 and S1,by using the Bloom filter technique and FIPD.The second segment first extracts the profile values of non-Gaussian distribution at different aggregation levels for S0 and S1:Porfile0 and Porfile1,and then computes the statistical distance between them to detect anomalies. By a theoretical analysis and two statistical experiments,we confirm the validity of IPM-NGSD:it can prompt and accurately detect both short-lived burst and long-lasting low-intensity network attack traffic,without any prior knowledge of the targeted traffic.