Router Anomaly Traffic Detection Based on Modified-CUSUM Algorithms

The paper aims at the change of core routers ports’ ingress and egress traffic, employing a modified CUSUM (cumulative sum) algorithm to trace their statistics characteristic in real time and detect network flow abnormity. According to the characteristics of multi-ports in a router, the paper puts forward a matrix-based, multi-statistics modified CUSUM algorithm (M-CUSUM). M-CUSUM presents an adjustable parameter setup system to increase detecting accuracy. M-CUSUM algorithm can monitor changes of the equal value in real time through calculating the ratio between the subtracting and plus absolute value among ingress and egress ports traffic. Simulation experiments indicate that the algorithm has the higher detecting speed and accuracy to DOS/DDOS attacks, and spends less system resources. The algorithm has been used successfully in software routers.