CAJ | 학술논문

提出一种基于sketch概要数据结构的异常检测方法.该方法实时记录网络数据流信息到sketch数据结构,然后每隔一定周期进行异常检测.采用EWMA(exponentially weighted moving average)预测模型预测每一周期的预测值,计算观测值与预测值之间的差异sketch,然后基于差异sketch采用均值均方差模型建立网络流量变化参考.该方法能够检测DDoS、扫描等攻击行为,并能追溯异常的IP地址.通过模拟实验验证,该方法占用很少的计算和存储资源,能够检测骨干网络流量中的异常IP地址.
제출일충기우sketch개요수거결구적이상검측방법.해방법실시기록망락수거류신식도sketch수거결구,연후매격일정주기진행이상검측.채용EWMA(exponentially weighted moving average)예측모형예측매일주기적예측치,계산관측치여예측치지간적차이sketch,연후기우차이sketch채용균치균방차모형건립망락류량변화삼고.해방법능구검측DDoS、소묘등공격행위,병능추소이상적IP지지.통과모의실험험증,해방법점용흔소적계산화존저자원,능구검측골간망락류량중적이상IP지지.
In this paper, an anomaly detection method is proposed based on the summary data structure-sketch. It records the network traffic information in sketch online and detects anomalies at every circle. After using EWMA forecasting model to get each circle's forecast sketch, this paper computes the errors between the recoded sketch and forecast sketch. Then, the network traffic change reference is constructed by establishing the Mean-Standard deviation model on the error sketch. The method is effective in detecting DDOS attack, scan attack and so on. Particularly, it can track the IP address of anomaly. Evaluated by the experiment, this method can detect anomaly in the backbone network with small computing and memory resource.