
Computer Engineering ›› 2012, Vol. 38 ›› Issue (12): 105-109. doi: 10.3969/j.issn.1000-3428.2012.12.031

• Networks and Communications •

Anomalous Attack Traffic Detection Based on Stratified Sampling Algorithm

WANG Su-nan, LI Yin-hai, LUO Xing-guo   

  1. (National Digital Switching System Engineering & Technology R&D Center, Zhengzhou 450002, China)
  • Received: 2012-03-27 Online: 2012-06-20 Published: 2012-06-20

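  • About the authors: WANG Su-nan (born 1984), male, Ph.D. candidate, main research interests: network architecture, and analysis and detection of network traffic characteristics; LI Yin-hai, professor; LUO Xing-guo, professor and doctoral supervisor
  • Funding:
    Supported by the National "863" Program project "Research and Industrial Application of Key Technologies for Large-Scale Access Aggregation Routers for Converged Networks" (2011BAH19B00)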

Abstract: In high-speed Internet applications, massive volumes of data cannot be inspected packet by packet, and anomalous attack traffic is hard to identify. To address this problem, the classic Poisson Pareto Burst Process (PPBP) traffic model is used to analyze the self-similarity of network traffic. Traffic is divided into long flows and short flows, and stratified sampling is performed according to a sampling-ratio increment based on flow arrival time, so that anomalous attack traffic can be detected. The method is applied to a Snort-based anomaly intrusion detection system that performs packet-level detection, and simulation results show that it effectively narrows the range of anomalous attack data and detects attacks quickly and precisely.

Key words: anomalous traffic, traffic sampling technology, Poisson Pareto Burst Process (PPBP), sandwich sampling, stratified sampling, anomalous attack detection

