基于IR/S的軟件定義網絡流量異常檢測算法

蘭海燕　孫鶴玲　潘昱辰

摘? ?要：傳統重標極差分析法（Rescaled Range Analysis，R/S）檢測軟件定義網絡（SDN，Software Defined Network）流量是否存在異常時，某節點的網絡流量序列存在恒定值小區間內子序列全為零值，造成標準差為零的運算錯誤，為了解決這個問題，文章提出了一種改進的重標極差法（Improvement Rescaled Range Analysis， IR/S）。算法利用微元法分析法，確定一組可用的參數，將參數引入計算數據流量序列Hurst指數，并將待計算的數據流量序列等分，同時規定序列長度為2的整數次冪，分別計算R/S值，通過擬合來判斷是否存在異常流量情況。改進后的方法能夠達到均分子序列的要求，無需計算序列的因數，使計算過程更加簡化，避免了某些長度序列因數過少、素數長度導致的擬合點過少無法收斂的現象，減少了由計算結果精確度帶來的誤差。將算法在Mininet環境下進行虛擬SDN仿真測試，實驗結果表明，文章中的方法能夠較顯著區分正常與異常流量，并且在探測異常時延遲較低。

關鍵詞：Hurst指數;重標極差法;軟件定義網絡;拒絕服務攻擊;分形學

中圖分類號： TP393? ? ? ? ? 文獻標識碼：A

Abstract： When traditional Rescaled Range Analysis （R/S） detects whether software defined network （SDN） traffic is abnormal， subsequences are all zero in the constant value interval existing in the network traffic series of several nodes， which causes some operation error with a standard deviation of zero. An Improved Rescaled Range Analysis （IR/S） method is proposed to solve this problem. The algorithm uses the micro-element analysis method to determine a set of available parameters which is introduced into the calculated data flow sequence Hurst exponent， and divides the data flow sequence to be calculated into equal parts. At the same time， the length of the sequence is specified as an integer power of 2， and calculate R / S values separately， to determine if there is an abnormal flow condition by fitting. The improved method can meet the requirements of homogeneous molecular sequences without calculating the sequence factors. The calculation process is more simplified， avoiding inability to converge due to too few factors of some length sequence or even too few fit points which is caused by prime length， and reducing the accuracy of the calculation results. A virtual SDN simulation test of the algorithm in Mininet environment is set up， and the experimental results show that the method can distinguish between normal and abnormal traffic significantly， and detect anomalies with a lower delay.

Key words： Hurst exponent; rescaled range analysis; software defined network; denial of service attack; fractal

1 引言

網絡流量與時間序列具有分形學的自相似性，正常狀態下網絡產生的流量與異常狀態下網絡產生的流量自相似性不同，利用這一特點，可以通過直接分析網絡所產生的流量序列分形特征進行相互對比，從而判斷某一狀態下的網絡與正常狀態的區別。由于研究序列的分形特征不太依賴對系統基礎性的假設，故針對各種時間序列都具有較為廣泛的適用性。……