计算机应用 (Journal of Computer Applications) ›› 2009, Vol. 29 ›› Issue (11): 2952-2956.

• Information and Network Security •

A global anomaly correlation detection method for DDoS attacks

LI Zong-lin (李宗林)1, HU Guang-min (胡光岷)1, YANG Dan (杨丹)1, YAO Xing-miao (姚兴苗)2

  1. Key Laboratory of Broadband Optical Fiber Transmission and Communication Networks, Ministry of Education, University of Electronic Science and Technology of China
  2. Key Laboratory of Broadband Optical Fiber Transmission and Communication Networks, Ministry of Education, University of Electronic Science and Technology of China
  • Received: 2009-05-25 Revised: 2009-07-14 Online: 2009-11-26 Published: 2009-11-01
  • Corresponding author: LI Zong-lin
  • Funding:
    National 973 Program of China; Program for New Century Excellent Talents in University, Ministry of Education

Global abnormal correlation analysis method for DDoS attack detection

Zong-lin LI, Guang-min HU, Dan YANG, Xing-miao YAO

  • Received: 2009-05-25 Revised: 2009-07-14 Online: 2009-11-26 Published: 2009-11-01
  • Contact: Zong-lin LI

Abstract: DDoS attacks in backbone networks are hard to detect effectively, because the background traffic is enormous and the multiple attack flows distributed toward the victim have not yet converged. To address this problem, a detection method based on global traffic anomaly correlation analysis is proposed. Building on the change in correlation between traffic flows that attack flows cause, principal component analysis is used to extract the correlation between the potentially anomalous parts of multiple traffic flows, and the degree of change in that correlation is used as the attack detection measure. Experimental results confirm the usability of this measure: it overcomes the difficulty that DDoS attack flows in backbone networks have relatively low amplitude and are hard to detect, and compared with existing global traffic detection methods, the proposed method achieves a higher detection rate.

Key words: network security, correlation analysis, principal component analysis

Abstract: DDoS attacks are hard to detect in a backbone network, because the attack flows are distributed across multiple links and are easily masked by the tremendous volume of background traffic. To solve this problem, a detection method based on global abnormal correlation analysis is proposed. The change in correlation between traffic flows caused by attack flows is exploited for attack detection: the correlation between the potentially anomalous parts of the traffic is extracted by principal component analysis, and the degree of its change is used as the attack indicator. Evaluation shows the effectiveness of the proposed method and confirms that it overcomes the difficulty of detecting relatively low-volume DDoS attack traffic transiting a backbone network. Compared with the existing network-wide detection method, it achieves a higher detection rate.

Key words: network security, correlation analysis, Principal Component Analysis (PCA)
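The following is an added worked example, not code from the paper or its authors, that illustrates the detection idea summarized in the abstract: extract the potentially anomalous part of several links' traffic with PCA, measure the correlation among those parts, and use the change of that correlation against an attack-free reference as the detection measure. Two choices here are our own assumptions, not details given by the paper: the "potentially anomalous part" is taken as the residual after removing the top-k principal components of a window, and the measure is the mean absolute change of the off-diagonal residual correlations. The six-link traffic matrix is constructed inline; it is not measurement data.

```python
# Added example (not the paper's code). Assumptions, ours not the paper's:
# anomalous part = residual after removing the top-k principal components;
# detection measure = mean |change| of off-diagonal residual correlations
# relative to an attack-free reference window.
import math
import random


def center_columns(x):
    """Subtract each link's mean so PCA works on fluctuations."""
    n = len(x)
    means = [sum(col) / n for col in zip(*x)]
    return [[v - means[j] for j, v in enumerate(row)] for row in x]


def covariance(xc):
    n, l = len(xc), len(xc[0])
    cov = [[0.0] * l for _ in range(l)]
    for row in xc:
        for i in range(l):
            for j in range(l):
                cov[i][j] += row[i] * row[j] / (n - 1)
    return cov


def top_components(cov, k, iters=200):
    """Leading k eigenvectors of cov via power iteration with deflation."""
    l = len(cov)
    a = [r[:] for r in cov]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(l)] * l
        for _ in range(iters):
            w = [sum(a[i][j] * v[j] for j in range(l)) for i in range(l)]
            norm = math.sqrt(sum(c * c for c in w)) or 1.0
            v = [c / norm for c in w]
        lam = sum(v[i] * sum(a[i][j] * v[j] for j in range(l)) for i in range(l))
        comps.append(v)
        for i in range(l):
            for j in range(l):
                a[i][j] -= lam * v[i] * v[j]
    return comps


def residuals(xc, comps):
    """Strip the principal subspace; what is left is the anomalous part."""
    out = []
    for row in xc:
        r = row[:]
        for v in comps:
            s = sum(row[j] * v[j] for j in range(len(row)))
            r = [r[j] - s * v[j] for j in range(len(row))]
        out.append(r)
    return out


def correlation(xc):
    cov = covariance(xc)
    sd = [math.sqrt(cov[i][i]) or 1.0 for i in range(len(cov))]
    return [[cov[i][j] / (sd[i] * sd[j]) for j in range(len(cov))]
            for i in range(len(cov))]


def correlation_change(ref_corr, cur_corr):
    """Detection measure: mean |change| of the off-diagonal correlations."""
    l = len(ref_corr)
    diffs = [abs(cur_corr[i][j] - ref_corr[i][j])
             for i in range(l) for j in range(l) if i != j]
    return sum(diffs) / len(diffs)


def residual_correlation(traffic, k=1):
    xc = center_columns(traffic)
    comps = top_components(covariance(xc), k)
    return correlation(residuals(xc, comps))


def make_traffic(n_steps, attacked=(), attack_scale=0.0, seed=0):
    """Constructed sample (not real data): six backbone links sharing a
    diurnal pattern; attacked links also carry one small series that is
    synchronized across them (the not-yet-converged attack flows)."""
    rng = random.Random(seed)
    bases = [1200.0, 800.0, 1500.0, 950.0, 1100.0, 700.0]  # Mb/s, made up
    rows = []
    for t in range(n_steps):
        diurnal = 1.0 + 0.3 * math.sin(2 * math.pi * t / n_steps)
        burst = rng.gauss(0.0, 1.0)
        row = []
        for i, b in enumerate(bases):
            v = b * diurnal + rng.gauss(0.0, 0.02 * b)
            if i in attacked:
                v += attack_scale * b * burst  # a few percent of the link's own load
            row.append(v)
        rows.append(row)
    return rows


def demo():
    """(score of a second normal window, score of an attack window),
    both measured against the same attack-free reference window."""
    ref = residual_correlation(make_traffic(300, seed=1))
    normal = correlation_change(ref, residual_correlation(make_traffic(300, seed=2)))
    attack = correlation_change(ref, residual_correlation(
        make_traffic(300, attacked=(1, 5), attack_scale=0.05, seed=3)))
    return normal, attack


if __name__ == "__main__":
    n, a = demo()
    print(f"normal window score={n:.3f}  attack window score={a:.3f}")
```

The attack component on each affected link is only a few percent of that link's own load, well inside its normal fluctuation, so a per-link volume threshold would not see it; the synchronized residuals across links are what raise the score. Note that the measure is defined as a change against a reference window rather than as an absolute correlation level: projecting out the principal subspace itself induces correlations among the residuals of an attack-free window, so the baseline residual correlation is not zero and must be learned from clean traffic.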