Journal of Computer Applications ›› 2013, Vol. 33 ›› Issue (08): 2228-2231.

• Information Security •

Detection of application-layer DDoS attack based on time series analysis

GU Xiaoqing, WANG Hongyuan, NI Tongguang, DING Hui

  1. College of Information Science and Engineering, Changzhou University, Changzhou Jiangsu 213164, China
  • Received: 2013-03-01 Revised: 2013-04-16 Online: 2013-09-11 Published: 2013-08-01
  • Contact: GU Xiaoqing
  • About the authors: GU Xiaoqing (born 1981), female, from Changzhou, Jiangsu; lecturer, M.S.; research interests: network security and pattern recognition.
    WANG Hongyuan (born 1962), male, from Zhangjiagang, Jiangsu; professor, Ph.D.; research interest: pattern recognition.
    NI Tongguang (born 1978), male, from Xingtai, Hebei; lecturer, Ph.D. candidate; research interest: pattern recognition.
    DING Hui (born 1978), female, from Yangzhou, Jiangsu; lecturer, M.S.; research interest: network security.
  • Supported by: Zhejiang Provincial Youth Science Foundation project

Abstract: Based on the differences in access behavior between normal users and attackers, a method for detecting application-layer Distributed Denial of Service (DDoS) attacks was proposed, using time series analysis of IP Service Request Entropy (SRE). By fitting an Adaptive AutoRegressive (AAR) model to the SRE time series, the method obtains a multidimensional parameter vector that describes the current users' access behavior, and a Support Vector Machine (SVM) classifier is then applied to the parameter vectors to identify attacks. Simulation results show that the method accurately distinguishes normal traffic from DDoS attack traffic and is suitable for detecting DDoS attacks in which, against a background of heavy traffic, the attack traffic does not cause a significant change in the overall network traffic.

Key words: application-layer, Distributed Denial of Service (DDoS), time series, Adaptive AutoRegressive (AAR) model, Support Vector Machine (SVM)
