For the special requirements of anomaly detection in backbone networks, an anomaly detection method was proposed based in the summary data structure: Filter-ary-Sketch. It recorded the network traffic information in Fil-ter-are-Sketch online and detected anomalies based on multi-dimensional entropy at every circle. If an anomaly was detected, the anomaly point located according to data stream recorded in Filter-ary-Sketch. Finally, malicious traffic blocked using the source Ips recorded in Bloom filter. The method was effective in detecting a variety of network attacks; especially it could block the malicious traffic. Evaluated by the experiment, the method can detect anomaly in the backbone network with small computing and memory resource and block the IP flows that are responsible for the anomaly.%针对骨干网上异常检测的特殊要求,提出了一种基于Filter-ary-Sketch数据结构的异常检测方法.该方法通过Filter-ary-Sketch实时记录网络流量信息,然后每隔一定周期进行基于多维熵值的异常检测.如果出现异常则根据Filter-ary-Sketch记录的流量信息进行异常点定位,最后利用Bloom Filter中记录的源IP信息进行恶意流量阻断.该方法能够检测多种类型的网络攻击,且能有效地进行恶意流量阻断.利用实际骨干网流量数据,分别从效率和精度2个方法进行对比实验,取得了较好的效果.
展开▼
