
Communications English Literature and Translation.doc


Appendix

I. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared, and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and that 50% of all the users joined in 2009 in Korea [1]. According to IDC, the number of VoIP users in the US is expected to increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5].

So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. In particular, most current SIP/RTP-based VoIP services supply only the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in wireless LANs could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe packets which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept. In [8], they presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration Δt. The testing data set collected traffic next to the training data set in the same period. If the HD is close to '1', this testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect anomaly traffic other than flooding.

On the other hand, [11] proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented.

For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, this paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.

We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection methods based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in wireless LANs. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information from wireless LAN packets. Furthermore, we have shown real experiment results from the commercial VoIP network.

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is not usually encrypted, attackers could extract the fields necessary to reproduce a forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack in the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent normal call establishment when a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail.

We have generated faked SIP CANCEL messages using a sniffed SIP INVITE message. Fields in the SIP header of this CANCEL message are the same as those of a normal SIP CANCEL message, because the attacker can obtain the SIP header fields from unencrypted normal SIP messages in the wireless LAN environment. Since it is therefore impossible to detect the CANCEL DoS anomaly traffic using SIP headers, we use the different values of the wireless LAN frame. That is, the sequence number in the frame will tell the difference between a victim host and an attacker.

We look into the source MAC address and sequence number in the MAC frame including a SIP CANCEL message, as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow is changed, it will be highly probable that the CANCEL packet is generated by an unknown user. However, the source MAC address could be spoofed. Regarding source spoofing detection, we employ the method in [12] that uses sequence numbers of frames. We calculate the gap between the n-th and (n-1)-th frames. As the sequence number field in a MAC header uses 12 bits, it varies from 0 to 4095. When we find that the sequence number gap within a single SIP flow is greater than the threshold value of N, which will be set from the experiments, we determine that the SIP host address has been spoofed for the anomaly traffic.
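The check described in this subsection, sketched as an added example (not code from the paper or its Algorithm 1). The record layout, the verdict strings and the threshold value of 50 are assumptions made for illustration; the sample frames are constructed.

```python
from dataclasses import dataclass

SEQ_MOD = 4096  # the 802.11 sequence number field is 12 bits (0..4095)


@dataclass
class SipFrame:
    method: str    # "INVITE" or "CANCEL"
    call_id: str   # SIP Call-ID, used here as the flow key
    src_mac: str   # source MAC address of the frame carrying the SIP message
    wlan_seq: int  # sequence number from the MAC header


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur, allowing for wraparound at 4095."""
    return (cur - prev) % SEQ_MOD


def check_cancels(frames, gap_threshold):
    """Return {call_id: verdict} for every CANCEL in a time-ordered frame list."""
    flows = {}     # call_id -> (source MAC saved from the INVITE, its sequence number)
    verdicts = {}
    for f in frames:
        if f.method == "INVITE":
            flows[f.call_id] = (f.src_mac, f.wlan_seq)
            continue
        if f.method != "CANCEL":
            continue
        saved = flows.get(f.call_id)
        if saved is None:
            verdicts[f.call_id] = "no-invite-seen"
        elif f.src_mac != saved[0]:
            verdicts[f.call_id] = "mac-changed"      # CANCEL came from another station
        elif seq_gap(saved[1], f.wlan_seq) > gap_threshold:
            verdicts[f.call_id] = "mac-spoofed"      # same MAC, but a different counter
        else:
            verdicts[f.call_id] = "normal"
    return verdicts


# Constructed sample frames (not captured traffic); MACs are locally administered.
SAMPLE_FRAMES = [
    SipFrame("INVITE", "call-a", "02:00:00:00:00:01", 100),
    SipFrame("CANCEL", "call-a", "02:00:00:00:00:01", 104),   # same station, gap 4
    SipFrame("INVITE", "call-b", "02:00:00:00:00:01", 4094),
    SipFrame("CANCEL", "call-b", "02:00:00:00:00:01", 3),     # wraps 4095 -> 0, gap 5
    SipFrame("INVITE", "call-c", "02:00:00:00:00:01", 200),
    SipFrame("CANCEL", "call-c", "02:00:00:00:00:02", 201),   # different source MAC
    SipFrame("INVITE", "call-d", "02:00:00:00:00:01", 300),
    SipFrame("CANCEL", "call-d", "02:00:00:00:00:01", 2871),  # cloned MAC, gap 2571
]

GAP_THRESHOLD = 50  # hypothetical; the paper sets N from experiments and gives no value
```

Taking the gap modulo 4096 keeps a legitimate wrap from 4095 to 0 below the threshold, while a cloned MAC whose counter runs behind the victim's produces a gap close to 4096 and is still flagged.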

B. BYE DoS Anomaly Traffic Detection

In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message for security and accounting purposes. However, attackers can reproduce BYE DoS packets through sniffing normal SIP INVITE packets in wireless LANs. The faked SIP BYE message is the same as the normal SIP BYE. Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP header information. After sniffing a SIP INVITE message, the attacker at the same or a different subnet could terminate the normal in-progress call, because it could succeed in generating a BYE message to the SIP proxy server.

In the SIP BYE attack, it is difficult to distinguish the attack from the normal call termination procedure. That is why we apply the timestamp of RTP traffic for detecting the SIP BYE attack. Generally, after normal call termination, the bi-directional RTP flow is terminated in a brief space of time. However, if the call termination procedure is anomalous, we can observe that one directional RTP media flow is still ongoing, whereas the attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we decide that we watch a directional RTP flow for a long time threshold of N sec after the SIP BYE message. The threshold of N is also set from the experiments.

Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients with INVITE and OK messages including the same Call-ID and 4-tuple (source/destination IP address and port number) of the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason why we use the captured timestamp is that a few RTP packets are observed under second. If RTP traffic is observed after the time threshold, this will be considered as a BYE DoS attack, because the VoIP session will be terminated with normal BYE messages.

C. RTP Anomaly Traffic Detection

Algorithm 3 describes an RTP flooding detection method that uses the SSRC and sequence numbers of the RTP header. During a single RTP session, typically, the same SSRC value is maintained. If the SSRC is changed, it is highly probable that an anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we determine that anomaly RTP traffic has happened. As inspecting every sequence number for a packet is difficult, we calculate the sequence number gap using the first, last, maximum and minimum sequence numbers. In the RTP header, the sequence number field uses 16 bits, from 0 to 65535. When we observe a wide sequence number gap in our algorithm, we consider it as an RTP flooding attack.
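One way to evaluate the SSRC and sequence number check of subsection C on a per-flow record, as an added example (not the paper's Algorithm 3). How the first, last, minimum and maximum values are combined into a gap, the handling of the 65535 to 0 wrap, and the threshold of 100 are assumptions; the packet lists are constructed.

```python
from dataclasses import dataclass, field

SEQ_MOD = 1 << 16  # the RTP sequence number field is 16 bits (0..65535)


@dataclass
class RtpFlow:
    """Per-flow summary a flow exporter could keep instead of every packet."""
    ssrcs: set = field(default_factory=set)
    first_seq: int = -1
    last_seq: int = -1
    min_seq: int = SEQ_MOD
    max_seq: int = -1
    packets: int = 0

    def add(self, ssrc: int, seq: int) -> None:
        if self.packets == 0:
            self.first_seq = seq
        self.last_seq = seq
        self.min_seq = min(self.min_seq, seq)
        self.max_seq = max(self.max_seq, seq)
        self.ssrcs.add(ssrc)
        self.packets += 1


def build_flow(packets):
    """Fold a list of (ssrc, sequence number) pairs into one flow record."""
    flow = RtpFlow()
    for ssrc, seq in packets:
        flow.add(ssrc, seq)
    return flow


def rtp_verdict(flow: RtpFlow, gap_threshold: int) -> str:
    if len(flow.ssrcs) > 1:
        return "ssrc-changed"
    progress = (flow.last_seq - flow.first_seq) % SEQ_MOD
    if flow.last_seq >= flow.first_seq:
        # No wrap: a clean stream has min == first and max == last.
        excess = (flow.first_seq - flow.min_seq) + (flow.max_seq - flow.last_seq)
    else:
        # A 65535 -> 0 wrap saturates min/max; compare progress with packet count.
        excess = progress - (flow.packets - 1)
    return "seq-gap" if excess > gap_threshold else "normal"


# Constructed packet lists (ssrc, seq); not captured traffic.
CLEAN = [(0x1111, s) for s in range(1000, 1020)]
WRAPPED = [(0x1111, s % SEQ_MOD) for s in range(65530, 65542)]
NEW_SSRC = CLEAN + [(0x2222, 1020)]
FAR_SEQ = [(0x1111, s) for s in (1000, 1001, 40000, 1002, 40001, 1003)]
OVERLAP = [(0x1111, s) for s in (1000, 1001, 1001, 1002, 1002, 1003)]

GAP_THRESHOLD = 100  # hypothetical value; the paper does not state one
```

`OVERLAP` carries extra packets whose SSRC and sequence numbers sit inside the legitimate range, so the four summary values are unchanged and the record is classified as normal.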

IV. PERFORMANCE EVALUATION

A. Experiment Environment

In order to detect VoIP anomaly traffic, we established an experimental environment as shown in Figure 1. In this environment, we employed two VoIP phones with wireless LANs, one attacker, a wireless access router and an IPFIX flow collector. For a realistic performance evaluation, we directly used one of the working VoIP networks deployed in Korea, where an 11-digit telephone number (070-XXXX-XXXX) has been assigned to a SIP phone. With wireless SIP phones supporting , we could make calls to/from the PSTN or cellular phones. In the wireless access router, we used two wireless LAN cards: one is to support the AP service, and the other is to monitor packets. Moreover, in order to observe VoIP packets in the wireless access router, we modified nProbe [16], which is an open IPFIX flow generator, to create and export IPFIX flows related to SIP, RTP, and information. As the IPFIX collector, we have modified libipfix so that it could provide the IPFIX flow decoding function for SIP, RTP, and templates. We used MySQL for the flow DB.

B. Experimental Results

In order to evaluate our proposed algorithms, we generated 1,946 VoIP calls with two commercial SIP phones and a VoIP anomaly traffic generator. Table I shows our experimental results with precision, recall, and F-score, which is the harmonic mean of precision and recall. In CANCEL DoS anomaly traffic detection, our algorithm showed a few false-negative cases, which were related to the gap threshold of the sequence number in the MAC header. The average of the F-score value for detecting the SIP CANCEL anomaly is %.

For BYE anomaly tests, we generated 755 BYE messages including 118 BYE DoS anomalies in the experiment. The proposed BYE DoS anomaly traffic detection algorithm found 112 anomalies with the F-score of %. If an RTP flow is terminated before the threshold, we regard the anomaly flow as a normal one. In this algorithm, we extract RTP session information from INVITE and OK or session description messages using the same Call-ID as the BYE message. It is possible not to capture those packets, resulting in a few false-negative cases.

The RTP flooding anomaly traffic detection experiment for 810 RTP sessions resulted in the F-score of 98%. The reason for false-positive cases was related to the sequence number in the RTP header. If the sequence number of anomaly traffic overlaps with the range of the normal traffic, our algorithm will consider it as normal traffic.
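The BYE DoS check from Section III-B together with the two false-negative cases described above (the remaining RTP flow ending before the threshold, and missing INVITE/OK session information), as an added example that is not the paper's Algorithm 2. The table layouts, verdict strings and N = 3 seconds are assumptions; addresses come from documentation ranges and all timestamps are constructed.

```python
def both_directions(ip_a, port_a, ip_b, port_b):
    """The two RTP 4-tuples (src ip, src port, dst ip, dst port) of one call."""
    return [(ip_a, port_a, ip_b, port_b), (ip_b, port_b, ip_a, port_a)]


def check_byes(sessions, byes, rtp_last_seen, n_sec):
    """
    sessions:      Call-ID -> RTP 4-tuples learned from INVITE/OK messages
    byes:          list of (Call-ID, capture timestamp of the BYE)
    rtp_last_seen: RTP 4-tuple -> capture timestamp of the flow's last packet
    Returns Call-ID -> (verdict, flows still carrying RTP after the threshold).
    """
    results = {}
    for call_id, bye_ts in byes:
        flows = sessions.get(call_id)
        if flows is None:
            # INVITE/OK were not captured, so there is nothing to watch.
            results[call_id] = ("no-session-info", [])
            continue
        deadline = bye_ts + n_sec  # time threshold = BYE timestamp + N sec
        late = [f for f in flows
                if rtp_last_seen.get(f, float("-inf")) > deadline]
        results[call_id] = ("bye-dos" if late else "normal", late)
    return results


# Constructed sample data; timestamps are seconds on the capture clock.
SESSIONS = {
    "call-normal": both_directions("192.0.2.10", 40000, "198.51.100.20", 50000),
    "call-attacked": both_directions("192.0.2.10", 40002, "198.51.100.20", 50002),
    "call-short": both_directions("192.0.2.10", 40004, "198.51.100.20", 50004),
}
BYES = [
    ("call-normal", 100.0),
    ("call-attacked", 200.0),
    ("call-short", 300.0),    # forged BYE, but the other party hangs up quickly
    ("call-unseen", 400.0),   # BYE for a call whose INVITE/OK were never captured
]
RTP_LAST_SEEN = {
    ("192.0.2.10", 40000, "198.51.100.20", 50000): 100.2,
    ("198.51.100.20", 50000, "192.0.2.10", 40000): 100.4,
    ("192.0.2.10", 40002, "198.51.100.20", 50002): 200.1,   # attacked direction stops
    ("198.51.100.20", 50002, "192.0.2.10", 40002): 231.5,   # other side keeps sending
    ("192.0.2.10", 40004, "198.51.100.20", 50004): 300.1,
    ("198.51.100.20", 50004, "192.0.2.10", 40004): 302.0,   # ends before 303.0
}
N_SEC = 3.0  # hypothetical threshold; the paper sets N from experiments
```

The flow returned with a `bye-dos` verdict identifies the direction that is still sending, which is the endpoint that has not learned the call was torn down.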

V. CONCLUSIONS

We have proposed a flow-based anomaly traffic detection method against SIP and RTP-based anomaly traffic in this paper. We presented VoIP anomaly traffic detection methods with flow data on the wireless access router. We used the IETF IPFIX standard to monitor SIP/RTP flows passing through wireless access routers, because its template architecture is easily extensible to several protocols. For this purpose, we defined two new IPFIX templates for SIP and RTP traffic and four new IPFIX fields for traffic. Using these IPFIX flow templates, we proposed CANCEL/BYE DoS and RTP flooding traffic detection algorithms. From experimental results on the working VoIP network in Korea, we showed that our method is able to detect three representative VoIP attacks on SIP phones. In the CANCEL/BYE DoS anomaly traffic detection method, we employed threshold values about time and sequence number gap for classification of normal and abnormal VoIP packets. This paper has not mentioned the test results about suitable threshold values. For future work, we will show the experimental results about the evaluation of the threshold values for our detection method.
