A Novel Network Traffic Anomaly Detection Model Based On Superstatistics Theory

Posted on: 2011-08-06; Degree: Doctor; Type: Dissertation
Country: China; Candidate: Y Yang
GTID: 1118330362455232; Subject: Information security
Abstract/Summary:
With the rapid increase in network connections, intrusion detection is becoming more and more important. Although Internet services provide useful information because of their openness, the number of network intrusions is also increasing faster than before, which causes users a great deal of inconvenience.

Network traffic anomaly detection is usually divided into two basic categories. One is based on a statistical model (it first predicts and then detects using the statistical model or the distribution); the other is based directly on characteristic quantities of the network. Because of the high randomness and enormous volume of network traffic, detecting on the network traffic directly usually has a higher false reject rate and needs a longer computing time. The main advantage of anomaly detection based on characteristic quantities is that the number of characteristic quantities is far lower than the volume of the original network flow, so detection takes less time. In fact, the effectiveness of detection depends directly on the selected characteristic quantities, and with poorly chosen characteristic quantities the result is even worse than detecting on the original network flow directly. By contrast, anomaly detection based on a statistical model first establishes the statistical model with comprehensive consideration of all properties of the network traffic, then predicts the network flow according to the model, and finally detects on the basis of the difference between the predicted and the actual results. The advantage of this kind of method is that it takes the network characteristics into account, but it needs a large amount of data and has very high computational complexity in posterior prediction.
This paper mainly focuses on the statistical-model method. Before establishing the statistical model or the distribution, the stationarity of the series should be considered first; a wide-sense stationary process is needed, at the least, as the basis for a feasibility study.

The experimental results in this paper show that abnormal traffic flow is a complicated, changing process that is non-stationary, random and abrupt. It is therefore invalid to handle the non-stationarity simply by applying a differential transform, as is proved in this paper. Because of these basic characteristics, network traffic anomaly detection faces many unavoidable problems. To address these complicated problems effectively, superstatistics theory, which is suited to changing statistical parameters, is applied to network flow. We propose a more complex method, built on the concept of 'statistics of statistics' (that is, 'superstatistics', SS), to model network traffic. Superstatistics is a frontier area of today's physics that can overcome the disadvantages of ordinary statistical methods. It is used for non-equilibrium systems with complex dynamics in stationary states with large fluctuations of intensive quantities on long time scales.

After the non-stationary series is transformed into a stationary series, the corresponding statistical model can be determined on the basis of the statistical characteristics. According to infinitesimal calculus theory, segmentation can be performed under the premise of wide-sense stationarity, which can effectively reduce the significance and complexity of the segments.
Superstatistics theory mainly describes the variation of the parameters of the distribution model; to a certain degree, abnormal changes in the network flow can be found through changes in these parameters. Network traffic anomaly detection can therefore be carried out effectively by studying the decisive distribution parameters, which are named slow parameters, together with an adaptive detection method.

On the whole, the method is more visual than ever before, and it has achieved very good results in a large number of experiments. The study of complex network flow is focused on a few decisive parameter series. The method not only makes up for those shortcomings but also avoids the computational complexity of the traditional statistical model.
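
The segment-then-track-the-slow-parameter idea described above, as an added sketch that is not code from the dissertation. It assumes the slow parameter is the inverse local variance (a common choice in the superstatistics literature), a fixed window length, and a median/MAD threshold as the adaptive rule; all names and the traffic series are constructed for illustration.

```python
import math
import random
import statistics

def windows(series, size):
    """Non-overlapping segments, each treated as wide-sense stationary."""
    return [series[i:i + size] for i in range(0, len(series) - size + 1, size)]

def kurtosis(seg):
    """Fourth standardized moment; about 3 for Gaussian data."""
    mu = statistics.fmean(seg)
    var = statistics.pvariance(seg, mu)
    return statistics.fmean([(x - mu) ** 4 for x in seg]) / var ** 2

def mean_local_kurtosis(series, size):
    """Average per-window kurtosis; near 3 means the windows are locally Gaussian."""
    return statistics.fmean([kurtosis(w) for w in windows(series, size)])

def slow_parameter(series, size):
    """beta_k = 1 / variance of window k (assumed form of the slow parameter)."""
    return [1.0 / max(statistics.pvariance(w), 1e-12) for w in windows(series, size)]

def flag_windows(betas, k=5.0):
    """Indices whose log(beta) lies more than k robust sigmas from the median."""
    logs = [math.log(b) for b in betas]
    med = statistics.median(logs)
    mad = statistics.median([abs(x - med) for x in logs]) or 1e-9
    return [i for i, x in enumerate(logs) if abs(x - med) > k * 1.4826 * mad]

def constructed_traffic(n_windows=30, size=100, burst=(20, 21), seed=7):
    """Constructed packets-per-interval series: sigma drifts slowly, then jumps."""
    rng = random.Random(seed)
    series = []
    for k in range(n_windows):
        sigma = 400.0 if k in burst else 20.0 * math.exp(0.15 * math.sin(k / 3.0))
        series += [rng.gauss(5000.0, sigma) for _ in range(size)]
    return series

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("mean local kurtosis:", round(mean_local_kurtosis(traffic, 100), 2))
    print("global kurtosis:", round(kurtosis(traffic), 2))
    print("anomalous windows:", flag_windows(slow_parameter(traffic, 100)))
```

The whole series is heavy-tailed while each window stays close to Gaussian, so the anomaly shows up in the per-window parameter series rather than in any single traffic sample.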
Keywords/Search Tags: Superstatistics, Distribution Model, Network traffic, Anomaly Detection