Identifying Anomalous Traffic using Dynamic Programming based Differential Analysis Method

摘要

This paper proposes an identification method of anomalous traffic such as DDoS attacks to protect network or server resources. Identification results are used as ACL rules at routers and represented as a set of aggregated flows; such as source/destination IP address ranges (prefixes), source/destination port numbers and protocols. Requirements for the identification can be summarized as the following three conditions; 1) covering the anomalous traffic, 2) avoiding to cover normal traffic, 3) with small number of aggregated flows. To accomplish these requirements, we identify the anomalous traffic by comparing traffic before the anomaly and that after the anomaly and analyzing the difference between them. Then, we assume the difference as anomalous traffic, traffic before anomaly as normal traffic, and generate a set of aggregate flow that meets the above three requirements and achieves the highest score representing the requirements. Here, searching the set of above flow is combinatorial optimization, and cause computing explosion. In this paper, we adopt dynamic programming to reduce the computing time. We evaluate our algorithm by using actual DDoS traffic data and show that computation time does not exponentially increase as the conventional method does.