Research on Detection Methods for Distributed Stealthy Traffic Anomalies in Backbone Communication Networks
Abstract
With the rapid development of network communication technology, the bandwidth of backbone communication networks keeps increasing, the information they carry grows more diverse, and the network management problems caused by anomalous traffic become increasingly complex. A distributed traffic anomaly is anomalous traffic that arises from the same cause and is present on several links at the same time, such as distributed denial-of-service attacks, worm propagation, flash crowds and network operation failures. On any single link this traffic is hidden beneath the huge background traffic of the backbone network and is hard to detect, yet the aggregate over many links can be enormous, potentially causing a sharp drop in network performance and seriously disrupting normal operation. Detecting distributed stealthy traffic anomalies is basic groundwork for securing communication networks, is of great significance for improving the emergency response capability of communication network systems, and is a frontier scientific problem of shared concern to academia and industry in the global network security field.
On the basis of a systematic analysis of existing traffic anomaly detection methods, and taking full account of the distinct temporal and spatial characteristics of distributed stealthy traffic anomalies, this thesis combines statistical analysis, signal processing and related techniques to propose several detection methods from different perspectives. The main research results are as follows:
1. A single-link traffic anomaly detection method based on a cascade model
The wavelet transform is used to estimate the model parameters, and a quantitative scheme is designed to measure the influence of anomalous traffic on the model estimate. The method can effectively detect weak anomalous flows as well as anomalies that do not noticeably change the self-similarity Hurst parameter, and it performs well in the early stage of an anomaly. Compared with detection methods based on a self-similar model, it detects weak anomalies of lower amplitude.
2. A network-wide correlation method for detecting distributed stealthy traffic anomalies
First, a fast sliding-time-window algorithm for instantaneous parameters is proposed, which quickly yields the instantaneous frequency and instantaneous amplitude of the traffic signal; a time-series model then predicts estimates of these instantaneous parameters, and the difference between the observed and estimated values is defined as the anomaly space; finally, correlation among the anomaly spaces is used to detect stealthy anomalies distributed across different links. This method has higher statistical detection performance than existing methods, is more sensitive to low-amplitude distributed traffic anomalies, and avoids the inability of existing network-wide principal component analysis methods to detect correlated anomalies.
3. A multi-scale method for detecting distributed stealthy traffic anomalies using information from a single node
First, for the different links of a single node, multi-scale analysis adaptively identifies the frequency bands of the traffic signal that may contain anomalies, and those bands are reconstructed to produce an anomaly feature signal for each link; then the anomaly feature values of multiple links at the same time instant are treated as a point in a high-dimensional space, and the degree of anomaly is evaluated by kernel density estimation. Detection results on simulated data show that the method can detect very small anomalous traffic on a single link and outperforms existing methods.
4. A method for detecting distributed stealthy traffic anomalies directly from link traffic data
Instead of the two-step pattern of traditional OD-flow-based methods, which first infer OD flows from link traffic and then compute network-level characteristic parameters from the OD flows, a multilayer recurrent perceptron neural network is used to compute OD-flow-level characteristic parameters directly from link traffic. The advantage is that the error introduced by inverting link traffic into OD flows in traditional methods is avoided; compared with detection methods in the existing literature based on direct and on indirect measurement data respectively, the proposed method achieves better detection results.
With the rapid development of network communication technology, the bandwidth of backbone networks continues to increase, the information carried by the network becomes more and more diverse, and the resulting network management problems caused by anomalous traffic become more and more complex. A distributed network traffic anomaly refers to abnormal traffic behaviour caused by the same source on many links of the network, e.g. DDoS (Distributed Denial of Service) attacks, worm propagation, flash crowds and network failures. Usually a distributed traffic anomaly shows no obvious feature on any single link: compared with the background traffic of the backbone network the anomalous traffic can be stealthy and hard to detect, while the sum of the anomalous traffic over many links can be prevailing, seriously impacting network performance and harming its normal operation. Accurate detection of distributed stealthy traffic anomalies is the groundwork of network security and of great significance for enhancing the emergency response capability of communication network systems; it is also a cutting-edge scientific issue of common concern to the network security field in both academia and industry.
In this thesis, we first review existing traffic anomaly detection methods systematically, then develop several detection methods from different points of view by exploiting the temporal and spatial characteristics of distributed stealthy traffic anomalies and using statistical analysis and signal processing technologies. The innovative achievements of this thesis are as follows:
1. A temporal network traffic anomaly detection method based on a cascade model
By studying the influence of anomalous traffic on the estimation of the cascade model through wavelet transform modulus maxima, a quantitative scheme is devised to measure the impact of an anomaly on the cascade model of normal behaviour. This method is more sensitive to small anomalous traffic and can accurately detect anomalies that do not evidently change the Hurst parameter; it is therefore advantageous for early-stage detection. Compared with methods based on a self-similar model, our method can detect anomalies of lower volume.
2. A network-wide correlation analysis method against distributed stealthy traffic anomalies
A fast sliding-window algorithm for instantaneous parameters is proposed to speed up the computation of the instantaneous frequency and instantaneous amplitude of the traffic signal. Estimates of the instantaneous parameters are obtained by time series model prediction, the anomalous space is defined as the difference between the observations and the estimates of the instantaneous parameters, and correlation analysis among the anomalous spaces is then performed to reveal stealthy anomalies distributed over different links. Evaluation demonstrates that this method has higher statistical detection performance, is more sensitive to small anomalies in a single link, and overcomes the limitation of network-wide PCA (Principal Component Analysis) in failing to detect strongly correlated anomalies.
3. A multi-scale spatial detection method for distributed stealthy traffic anomalies based on information from a single node
It first performs multi-scale wavelet packet analysis separately on the multiple links of a single node to find abnormal frequency ranges in different time sections and to reconstruct signals carrying the anomalous features. Points in a high-dimensional space are then formed from the anomalous features of different links at the same time, and the deviation degree of these high-dimensional vectors of reconstructions is evaluated by kernel density estimation. Detection results on simulations show that our method can detect small anomalies in an individual link and performs better than the existing distributed detection method.
4. A direct detection method against distributed stealthy traffic anomalies using link measurements
Unlike traditional OD (Origin-Destination) based detection methods, which usually involve two steps, first inferring OD flows from link measurements and then computing network-level characteristic parameters from the inferred OD flows, a direct detection method against distributed stealthy traffic anomalies is proposed: a recurrent multilayer perceptron neural network obtains OD-level characteristic parameters directly from link traffic. The benefit of this method is that it avoids the inference error of OD-based methods during traffic matrix estimation. In simulation we compare the detection results of existing direct and indirect measurement methods with ours, and show that our method allows distributed traffic anomaly detection with the directly available measurements and solves the problem of inference error in OD-based methods.
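As an added illustration that is not code from the thesis, the following Python sketch shows the two ideas shared by methods 2 and 3 above on constructed link series: a per-link anomaly space (observation minus forecast) whose cross-link correlation exposes an anomaly present on several links at once, and a kernel density score over the per-instant vector of all links' residuals. It substitutes a moving-average forecast on raw link volume for the thesis's instantaneous-parameter estimator and time-series model; the link names, bump sizes, window and bandwidth are assumptions.

```python
import math
import random

# Constructed parameters for the example (not values from the thesis).
BASE = 1000.0      # mean link volume per interval
NOISE_SD = 5.0     # background noise
WINDOW = 8         # history used by the one-step forecast
BUMP = 30.0        # low-amplitude anomaly: 3% of the background
BUMP_LEN = 10      # intervals the anomaly lasts
N = 120            # intervals per link


def make_link(rng, n=N, bump_at=None, bump=BUMP, bump_len=BUMP_LEN):
    """Constructed volume series for one link: constant background plus
    Gaussian noise, optionally with a small rectangular bump."""
    series = []
    for t in range(n):
        v = BASE + rng.gauss(0.0, NOISE_SD)
        if bump_at is not None and bump_at <= t < bump_at + bump_len:
            v += bump
        series.append(v)
    return series


def anomaly_space(series, window=WINDOW):
    """Anomaly space of one link: observation minus a one-step forecast.
    A moving-average forecast over the previous `window` samples stands in for
    the time-series model of the thesis; the first `window` residuals are 0."""
    resid = [0.0] * len(series)
    for t in range(window, len(series)):
        forecast = sum(series[t - window:t]) / window
        resid[t] = series[t] - forecast
    return resid


def pearson(a, b):
    """Pearson correlation of two equally long residual series."""
    ma = sum(a) / len(a)
    mb = sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0


def kde_density(vectors, bandwidth=2.0):
    """Leave-one-out Gaussian kernel density of each time-instant vector after
    standardising every dimension (link).  Low density = unusual instant.
    The fixed bandwidth is an assumption and must be tuned on real data."""
    n, dims = len(vectors), len(vectors[0])
    scales = []
    for d in range(dims):
        col = [v[d] for v in vectors]
        mean = sum(col) / n
        sd = math.sqrt(sum((x - mean) ** 2 for x in col) / n) or 1.0
        scales.append((mean, sd))
    z = [[(v[d] - scales[d][0]) / scales[d][1] for d in range(dims)] for v in vectors]
    dens = []
    for i in range(n):
        total = 0.0
        for j in range(n):
            if i != j:
                d2 = sum((z[i][k] - z[j][k]) ** 2 for k in range(dims))
                total += math.exp(-d2 / (2.0 * bandwidth ** 2))
        dens.append(total / (n - 1))
    return dens


def run_demo(seed=7):
    """Four constructed links: A and B carry the same bump at t=60 (one cause,
    two links), C is clean, D carries an unrelated bump at t=20."""
    rng = random.Random(seed)
    links = {
        "A": make_link(rng, bump_at=60),
        "B": make_link(rng, bump_at=60),
        "C": make_link(rng),
        "D": make_link(rng, bump_at=20),
    }
    resid = {name: anomaly_space(s) for name, s in links.items()}
    names = list(links)
    # Method 2 idea: correlate the anomaly spaces of different links.
    corr = {(a, b): pearson(resid[a], resid[b]) for a in names for b in names if a < b}
    # Method 3 idea: one high-dimensional point per instant, one coordinate per link.
    vectors = [[resid[name][t] for name in names] for t in range(N)]
    dens = kde_density(vectors)
    ranked = sorted(range(N), key=lambda t: dens[t])   # least dense first
    return {"corr": corr, "lowest_density_time": ranked[0], "ranked": ranked}


if __name__ == "__main__":
    result = run_demo()
    for pair, c in sorted(result["corr"].items()):
        print("corr%s = %.2f" % (pair, c))
    print("least dense instants:", result["ranked"][:5])
```

The synchronised bump on A and B yields a clearly positive residual correlation while pairs involving C or D stay near zero, and the least dense instants fall at the onset and end of that shared bump, where both coordinates move together.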