Abstract
When traditional Rescaled Range Analysis (R/S) is used to detect whether Software Defined Network (SDN) traffic is abnormal, the traffic series of a node can contain small constant-value intervals whose subsequences are all zero, which causes a computation error because the standard deviation is zero. To solve this problem, the paper proposes an Improved Rescaled Range Analysis (IR/S) method. The algorithm uses the microelement analysis method to determine a set of usable parameters and introduces them into the calculation of the Hurst exponent of the traffic series. The traffic series to be analyzed is divided into equal parts, with the series length required to be an integer power of 2; the R/S values are calculated separately, and a fit over them is used to judge whether abnormal traffic is present. The improved method satisfies the requirement of dividing the series evenly into subsequences without computing the factors of the series length, which simplifies the calculation. It avoids the failure to converge caused by too few fitting points when a series length has too few factors or is prime, and it reduces the error introduced by the precision of the calculated results. The algorithm was tested in a virtual SDN simulation in a Mininet environment. The experimental results show that the method distinguishes normal from abnormal traffic fairly clearly and detects anomalies with low delay.
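The zero-standard-deviation failure and the power-of-two halving described in the abstract can be reproduced with a classical R/S estimator. This is an added example, not the paper's IR/S code: the function names, the sample counts and the `skip_constant` guard (dropping constant blocks) are assumptions standing in for the paper's parameters, which this page does not give.

```python
import math
import random

def rs_value(block):
    """Classical R/S of one block; raises ZeroDivisionError when S == 0."""
    n = len(block)
    mean = sum(block) / n
    cum = lo = hi = sq = 0.0
    for x in block:
        d = x - mean
        cum += d                      # running sum of deviations from the mean
        lo, hi = min(lo, cum), max(hi, cum)
        sq += d * d
    return (hi - lo) / math.sqrt(sq / n)

def hurst_dyadic(series, min_block=8, skip_constant=False):
    """Hurst estimate from equal blocks of size N, N/2, ..., min_block."""
    n = len(series)
    if n < 2 * min_block or n & (n - 1):
        raise ValueError("length must be a power of two, at least 2*min_block")
    xs, ys = [], []
    size = n
    while size >= min_block:
        vals = []
        for i in range(0, n, size):
            block = series[i:i + size]
            if skip_constant and max(block) == min(block):
                continue  # assumption: drop blocks where S would be 0
            vals.append(rs_value(block))
        if vals:
            xs.append(math.log2(size))
            ys.append(math.log2(sum(vals) / len(vals)))
        size //= 2
    # least-squares slope of log2(R/S) against log2(block size)
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return num / sum((x - mx) ** 2 for x in xs)

# Constructed sample: 256 per-interval packet counts, then the same series
# with a 32-sample run of zeros (a node reporting no traffic) injected.
rng = random.Random(7)
normal = [rng.randint(50, 150) for _ in range(256)]
silent = normal[:64] + [0] * 32 + normal[96:]

if __name__ == "__main__":
    print("normal H =", round(hurst_dyadic(normal), 3))
    print("silent H =", round(hurst_dyadic(silent, skip_constant=True), 3))
```

Calling `hurst_dyadic(silent)` without the guard fails at block size 32, where one block is entirely zero and its standard deviation is 0.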
Authors
Lan Haiyan (兰海燕)
Sun Heling (孙鹤玲)
Pan Yuchen (潘昱辰)
College of Computer Science and Technology, Harbin Engineering University, Harbin, Heilongjiang 150001
Source
Cyberspace Security (《网络空间安全》)
2020, Issue 5, pp. 38-44 (7 pages in total)