基于概要數據結構的全網絡持續流檢測方法

周愛平 朱琛剛

摘 要：持續流是隱蔽的網絡攻擊過程中顯現的一種重要特征，它不產生大量流量且在較長周期內有規律地發生，給傳統的檢測方法帶來極大挑戰。針對網絡攻擊的隱蔽性、單監測點的重負荷和信息有限的問題，提出全網絡持續流檢測方法。首先，設計一種概要數據結構，并將其部署在每個監測點;其次，當網絡流到達監測點時，提取流的概要信息并更新概要數據結構的一位;然后，在測量周期結束時，主監測點將來自其他監測點的概要信息進行綜合;最后，提出流持續性的近似估計，通過一些簡單計算為每個流構建一個位向量，利用概率統計方法估計流持續性，使用修正后的持續性估計檢測持續流。通過真實的網絡流量進行實驗，結果表明，與長持續時間流檢測算法（TLF）相比，所提方法的準確性提高了50%，誤報率和漏報率分別降低了22%和20%，說明全網絡持續流檢測方法能夠有效監測高速網絡流量。

關鍵詞：網絡測量;持續流檢測;網絡攻擊;概要數據結構;概率統計方法

中圖分類號：?TP393.08

文獻標志碼：A

Detection method for network-wide persistent flow based on sketch data structure

ZHOU Aiping1，2*， ZHU Chengang3

1.School of Computer Science and Technology， Taizhou University， Taizhou Jiangsu 225300， China ;

2.Key Laboratory of Computer Network and Information Integration of Ministry of Education （Southeast University）， Nanjing Jiangsu 211189， China ;

3.School of Computer Science and Engineering， Southeast University， Nanjing Jiangsu 211189， China

Abstract：?Persistent flow is an important feature of hidden network attack. It does not generate a large amount of traffic and it occurs regularly in a long period， so that it brings a large challenge for traditional detection methods. Network attacks have invisibility， single monitors have heavy load and limited information. Aiming at the above problems， a method to detect network-wide persistent flows was proposed. Firstly， a sketch data structure was designed and was deployed on each monitor. Secondly， when the network flow arrived at a monitor， the summary information was extracted from network data stream and one bit in the sketch data structure was updated. Thirdly， at the end of measurement period， the summary information from other monitors was synthesized by the main monitor. Finally， the approximate estimation of flow persistence was presented. A bit vector was constructed for each flow by some simple computing， flow persistence was estimated by using probability statistical method， and the persistent flows were detected based on revised persistence estimation. The experiments were conducted on real network traffic， and their results show that compared with the algorithm of Tracing Long Duration flows （TLF）， the proposed method increases the accuracy by 50% and reduces the false positive rate， false negative rate by 22%， 20% respectively. The results illustrate that the method of detecting network-wide persistent flows can effectively monitor network traffic in high-speed networks.

Key words：?network measurement; persistent flow detection; network attack; sketch data structure; probabilistic statistical method

0 引言

網絡流量測量是流量工程、異常檢測、用戶行為分析等的基礎。大流挖掘[1]、超點識別[2]和持續流檢測[3-4]一直是網絡流量測量的三個重要問題。大流挖掘指在測量周期內從海量網絡流量中挖掘流長超過一定閾值的流，大流也稱為heavy hitters、elephant flows、frequent items等，如流量計費。超點識別指在測量周期內識別連接數超過一定閾值的節點，如分布式拒絕服務（Distributed Denial of Service，DDoS）攻擊檢測。……