Behavior-Analysis-Based Traffic Anomaly Detection and Correlation Analysis in Communication Networks
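Abstract
With the continuous development and wide application of information and communication technologies, the data traffic carried by communication networks keeps growing, and network structures and applications are becoming increasingly complex. To keep communication networks running safely and efficiently, network operation must be analyzed and monitored accurately and in real time so that the root cause of abnormal events can be determined. Traffic anomaly detection can effectively detect abnormal events in the network, and correlation analysis can reveal the root cause of an anomaly; both are important for improving the emergency response capability of communication network systems, and this is a frontier research area of shared interest to academia and industry worldwide.
     Building on network traffic behavior analysis, this thesis examines the different characteristics that traffic behavior exhibits in time and space and, combining data mining and signal processing methods, studies traffic anomaly detection and correlation analysis in communication networks. The main results are as follows:
     1. Extraction of behavior characteristic parameters of communication network traffic
     A method for extracting traffic behavior characteristic parameters based on sub-flow decomposition is proposed. Compared with existing traffic behavior characteristic parameters, those extracted on sub-flows describe the details of traffic behavior more finely while still meeting the real-time requirement.
     2. Single-PoP-based detection of abnormal traffic behavior in communication networks
     (1) A detection method for abnormal traffic behavior based on time-series graph mining is proposed. By mining time-series graphs, the method quantifies the relationships among the multiple time series used for abnormal traffic behavior detection and can effectively detect abnormal traffic behavior.
     (2) A DoS/DDoS attack detection method based on the information entropy of traffic behavior characteristics is studied. It analyzes the traffic data in the communication network by combining coarse and fine granularity, accurately extracting the network traffic related to a DoS/DDoS attack while keeping detection real-time.
     3. Distributed abnormal traffic behavior detection in communication networks
     (1) A distributed abnormal traffic behavior detection method based on time-series graph mining is proposed. It uses graphs to describe behavior characteristic parameters and the relationships among them, and reveals through graph mining the latent connections between behavior characteristics on multiple links, effectively improving the accuracy of abnormal behavior detection compared with existing methods.
     (2) A distributed abnormal traffic behavior detection system based on traffic characteristic analysis is designed. It uses a series of data mining techniques to analyze traffic behavior characteristics and how their anomalies appear in the logical topology, and thereby models and detects distributed abnormal traffic behavior. Compared with existing techniques, the system can distinguish distributed abnormal traffic behaviors caused by the same underlying cause from independent abnormal traffic behaviors.
     (3) A distributed abnormal traffic behavior detection method based on spatio-temporal series analysis is studied. It detects distributed abnormal traffic behavior by analyzing the multiple time series formed by the traffic data on multiple links as it changes over time. The method reduces the interference of background traffic in abnormal behavior detection, and obtaining link traffic requires neither estimating the global traffic matrix nor consuming large amounts of network resources for communication between PoPs.
     4. Correlation analysis and identification of abnormal traffic behavior in communication networks
     (1) An abnormal traffic behavior identification algorithm based on characteristic correlation analysis is proposed. It uses the correlation between each sub-flow's volume-based behavior characteristics and entropy-based behavior characteristics to ensure the efficiency of correlating abnormal traffic behavior with its characteristics, so that abnormal behavior can be identified effectively.
     (2) A method for identifying abnormal behavior in the communication support network of the smart grid, based on correlation analysis of user behavior, is studied. Its advantage in identifying abnormal behavior is that it uses the temporal correlation of similar electricity usage behavior among electricity consumers. Compared with existing methods, all measurements it needs can be obtained directly from ordinary smart meters, and it does not need to guarantee the reliability of any basic set of measurements.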
While information technology and telecommunication technology are continuously improved and widely adopted, the data traffic carried on communication networks keeps increasing, and the structure and applications of communication networks are increasingly complex. To guarantee the safe and efficient operation of communication networks, it is necessary to capture the root cause of abnormal events by analyzing and detecting the network operating condition in a real-time, accurate manner. Traffic anomaly detection effectively discovers abnormal network events, and correlation analysis unveils their root causes. The research is important for improving the emergency response ability of communication networks. It is also a frontier area of current interest to both academia and industry.
     Based on network traffic behavior analysis, this thesis analyzes the different characteristics of network traffic behaviors in space and time. Combining data mining and signal processing techniques, it studies traffic anomaly detection and correlation analysis in communication networks. The achievements are as follows:
     1. Behavior characteristic parameter extraction for communication network traffic
     A characteristic parameter extraction method based on traffic decomposition for communication network traffic behaviors is proposed. Compared with existing network traffic behavior characteristic parameters, the characteristics extracted on the subsets of traffic can describe more details of the traffic behavior while still satisfying the real-time requirement.
     2. Single PoP based communication network abnormal traffic behavior detection
     (1) A detection method based on the mining of time-series graphs is proposed. The method can effectively detect abnormal traffic behaviors by quantifying the relationships between the multiple time series used in abnormal traffic behavior detection.
     (2) A method based on the entropy of traffic behavior characteristics to detect DoS and DDoS attacks is presented. By using both coarse and fine-grained characteristic parameters to analyze the traffic data, the proposed method can accurately extract the flows which are related to the attack, while the real-time requirement of detection is guaranteed.
     3. Distributed abnormal traffic behavior detection in communication networks
     (1) A method based on time-series graph mining is proposed for detecting distributed abnormal traffic behaviors in communication networks. The proposed method uses graphs to describe behavior characteristic parameters and their relationships, and mines the graphs to reveal the underlying relationships between the behavior characteristics on multiple links. It effectively improves on the accuracy of existing methods for abnormal behavior detection.
     (2) A system based on traffic characteristic analysis for distributed abnormal traffic behavior detection is designed. In the system, a series of data mining techniques are used for analyzing traffic behavior characteristics and their abnormal representations in the logical topology. The purpose of using data mining techniques is to model and detect distributed abnormal traffic behaviors. Compared with existing methods, the system can differentiate independent abnormal traffic behaviors from correlated abnormal traffic behaviors.
     (3) A method based on multi-time series analysis for distributed abnormal traffic behavior detection is presented. By analyzing the time series formed by the changes of traffic data over time on multiple links, this method reduces the interference of background traffic in abnormal behavior detection. Also, it does not need an estimation of the global traffic matrix, nor does it consume a large amount of network resources for communication between PoPs.
     4. Correlation analysis and recognition for abnormal traffic behaviors in communication networks
     (1) An algorithm based on characteristic correlation analysis for detecting abnormal traffic behavior is proposed. By using the correlation between the volume-based behavior characteristics and the entropy-based behavior characteristics in the subsets of traffic, the validity of the correlation between abnormal traffic behaviors and their characteristics is guaranteed, and the abnormal behavior is thus effectively recognized.
     (2) A method based on the correlation analysis of user behaviors to detect abnormal behaviors in a smart grid is presented. The advantage of the method is that it utilizes the correlation in time of the similar behaviors of different electricity consumers. Compared with existing methods, the measurements needed for this method can be obtained directly from normal smart meters, without the need to guarantee a set of reliable measurements.
