Real-time anomaly detection is currently a hot topic in network security research. In this paper, we first introduce the average length of data messages as the measure of abnormal behavior, and then propose a sampling measurement model in which a content-triggered stratified sampling algorithm selects bits in the IP packet identification field as the sampling mask, fixing the mask's length and contents. Comparing the statistical characteristics of the total message traffic with those of the samples in a large-scale network determines whether the samples are precise and efficient. Based on the statistical characteristics of the samples and on hypothesis testing theory, a real-time anomaly detection model is built. Lastly, the average length of network data packets is defined as the measure of network behavior, and with it we successfully realize real-time detection of distributed denial-of-service attacks on the network. The methods and ideas in this paper could provide useful guidance for other network security detection research.
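The pipeline the abstract describes (mask-based sampling on the IP identification field, then a hypothesis test on the mean sampled packet length), as an added Python example that is not code from the paper. The mask and pattern, the choice of a two-sided z-test with threshold 3, and the constructed traffic windows are all assumptions; the abstract names only "hypothesis testing".

```python
import math
import statistics

MASK, PATTERN = 0x000F, 0x0005   # assumed: sample when the low 4 ID bits equal 0101
Z_CRIT = 3.0                     # assumed rejection threshold for the two-sided test

def make_window(n, flood_every=0):
    """Constructed traffic: (ip_id, length) pairs; not captured data."""
    mix = [40, 1500, 576, 1500, 40]          # constructed length mix, bytes
    pkts = []
    for i in range(n):
        ip_id = (i * 40503) & 0xFFFF         # stand-in for a well-mixed ID field
        flood = flood_every and i % flood_every == 0
        pkts.append((ip_id, 40 if flood else mix[i % 5]))
    return pkts

def sample(pkts, mask=MASK, pattern=PATTERN):
    """Content-triggered sampling: keep packets whose masked ID matches."""
    return [length for ip_id, length in pkts if ip_id & mask == pattern]

def z_score(lengths, mu0, sigma0):
    """Test H0: mean sampled length equals the baseline mean mu0."""
    return (statistics.fmean(lengths) - mu0) / (sigma0 / math.sqrt(len(lengths)))

def is_anomalous(pkts, mu0, sigma0):
    """Reject H0 when the sampled mean is more than Z_CRIT standard errors off."""
    return abs(z_score(sample(pkts), mu0, sigma0)) > Z_CRIT

# Baseline statistics come from the full (unsampled) baseline traffic.
baseline = make_window(16000)
all_lengths = [length for _, length in baseline]
MU0 = statistics.fmean(all_lengths)
SIGMA0 = statistics.pstdev(all_lengths)
# Constructed window in which every third packet is a 40-byte packet.
flood_window = make_window(16000, flood_every=3)

if __name__ == "__main__":
    for name, win in (("baseline", baseline), ("flood", flood_window)):
        s = sample(win)
        print(name, len(s), round(statistics.fmean(s), 1),
              round(z_score(s, MU0, SIGMA0), 2), is_anomalous(win, MU0, SIGMA0))
```

A 4-bit mask keeps about 1/16 of the packets; the sample is only representative if the masked identification bits are independent of packet length, which is what comparing sample statistics against the total traffic checks.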