Hierarchical Method for Anomaly Detection and Attack Identification in High-speed Network

Traffic anomaly detection and attack identification are research focus in the network security community. In the paper, a hierarchical system framework is proposed to detect and identify traffic anomaly in high-speed network. At first, multiple basic detectors developed under authors' previous research work are represented roughly. Then an alerts fusion method combining these basic detectors is used to improve on the anomaly detection ability. Experiments in real high-speed network demonstrate that the method has higher detection performance than basic detectors and majority voting method. To further identify attack type accurately, seven traffic features are used to characterize three types of attack (port scan, network scan and DoS attack) and traffic distribution change for each traffic feature is measured by cross entropy. Then Exponentially Weighted Moving Average (EWMA) control chart method based on cross entropy is proposed to classify attacks. The experimental results on traffic in backbone router have shown that the method has strong ability to detect and identify attacks.