
Network Traffic Burst Detection Based On Data Streams

Posted on: 2007-04-07 | Degree: Master | Type: Thesis
Country: China | Candidate: T T Chen | Full Text: PDF
GTID: 2178360185485758 | Subject: Computer Science and Technology
Abstract/Summary:
A network traffic burst anomaly is a significant abnormal change in network traffic. Detecting such anomalies is important for locating them in time and responding to them. As network scale and speed continue to grow, designing burst anomaly detection algorithms that accurately analyze massive traffic data in real time is a real challenge.

Faced with massive, high-speed network traffic data, this paper takes a data streams approach. A new formal definition of burst is presented based on the data stream computation model. A novel digest structure, the two-layered wavelet tree, and its corresponding burst detection algorithm are proposed. We also design a network traffic burst detection system.

Based on observation of real network traffic data, we introduce the lasting factor and the abrupt factor into the definition of burst in order to better characterize bursts in real applications. The proposed two-layered wavelet tree structure can decompose the traffic data into each time scale and consumes less space than the traditional wavelet structure. An online single-pass algorithm designed to detect bursts can flexibly adjust the time scale of the targeted bursts, and its processing time is not influenced by the threshold settings. Theoretical analysis and comparison experiments on Internet Traffic Archive data sets prove the superiority of this algorithm over others in burst characterization and detection efficiency.

In network traffic burst detection, we divide the IP traffic data streams into smaller streams of specific protocols as the input data of the burst detection algorithm, in order to quickly find anomalous network behavior based on certain protocols. The network traffic burst detection prototype system can report the time range and aggregate mean value for lasting bursts, and the break time point and peak value for abrupt bursts. Experiments on NLANR traces and simulated attack traffic prove the effectiveness of this system.
Keywords/Search Tags: Traffic Anomaly, Data Streams, Burst Detection, Wavelets