Monitoring network data streams in real time to detect security events is becoming more and more important with the rapid growth of Internet applications. Detection typically treats the traffic as a collection of flows that must be examined for significant changes in traffic pattern (e.g., volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is either too expensive or too slow. We propose building compact summaries of the traffic data using the notion of sketches. In this paper, we propose a timely network anomaly detection method with IP address traceability based on this summary data structure. In this method, the network traffic information is recorded online into a sketch in every cycle, and that sketch is used to detect anomalies. An EWMA forecasting model produces a forecast value for each cycle; the method computes the error sketch between the recorded value and the forecast value and detects heavy network traffic changes by applying a mean-standard deviation criterion to the error sketch. The method is effective in detecting DDoS attacks and scan attacks, and it can trace the IP address of the victim host. Experimental evaluation shows that this method consumes little computing and memory resource and is suitable for anomaly detection under high-speed network traffic.
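The sketch, EWMA forecast, error sketch and mean-standard deviation threshold described in the abstract, as an added example that is not the paper's own code. The sketch dimensions, the salted SHA-256 hash family, the smoothing factor, the 3-sigma threshold and the trace-back rule (a destination is named only when its cell is flagged in every row) are all assumptions for this illustration; the traffic records are constructed.

```python
import hashlib
import statistics

ROWS, COLS = 4, 64     # sketch dimensions (assumed, not the paper's)
ALPHA = 0.5            # EWMA smoothing factor (assumed)
K_SIGMA = 3.0          # flag error cells above mean + K_SIGMA * std (assumed)

def _cell(row, key):
    """Column of `key` in `row`: a salted SHA-256 stands in for the paper's hash family."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % COLS

def build_sketch(records):
    """Record one cycle's (dst_ip, packet_count) pairs into a fresh count sketch."""
    sketch = [[0] * COLS for _ in range(ROWS)]
    for dst, count in records:
        for r in range(ROWS):
            sketch[r][_cell(r, dst)] += count
    return sketch

def detect(cycles):
    """Forecast each cycle's sketch with EWMA, build the error sketch
    (observed - forecast) and flag cells above mean + K_SIGMA * std.
    Returns the destination IPs of the last cycle whose cell is flagged in
    every row (the trace-back step, an assumption about how victims are named)."""
    forecast, flagged = None, set()
    for records in cycles:
        observed = build_sketch(records)
        if forecast is None:               # first cycle only seeds the forecast
            forecast = observed
            continue
        error = [[observed[r][c] - forecast[r][c] for c in range(COLS)]
                 for r in range(ROWS)]
        flat = [e for row in error for e in row]
        threshold = statistics.mean(flat) + K_SIGMA * statistics.pstdev(flat)
        hot = [{c for c in range(COLS) if error[r][c] > threshold} for r in range(ROWS)]
        flagged = {dst for dst, _ in records
                   if all(_cell(r, dst) in hot[r] for r in range(ROWS))}
        forecast = [[ALPHA * observed[r][c] + (1 - ALPHA) * forecast[r][c]
                     for c in range(COLS)] for r in range(ROWS)]
    return flagged

def demo():
    """Constructed traffic: three steady cycles, then a surge toward one host."""
    steady = [(f"10.0.0.{i}", 100) for i in range(1, 21)]
    surge = steady + [("10.0.0.7", 5000)]
    return detect([steady, steady, steady, surge])   # -> {'10.0.0.7'}
```

With steady traffic the error sketch is all zeros and nothing is flagged; the surge lifts only the victim's cells far above the mean-plus-3-sigma threshold, so the trace-back names that single host.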
Li, Aiping; Han, Yi; Zhou, Bin; Han, Weihong; and Jia, Yan, "Detecting Hidden Anomalies Using Sketch for High-speed Network Data Stream Monitoring,"
Applied Mathematics & Information Sciences: Vol. 06: 3, Article 49.
Available at: https://digitalcommons.aaru.edu.jo/amis/vol06/iss3/49