Abstract: Judging whether a SYN flood attack is under way from the SYN/TCP ratio alone has low detection efficiency, and a SYN flood attack cannot reproduce the heavy-tailed distribution that characterises normal network traffic. This paper proposes a method that combines a statistical threshold on the SYN/TCP ratio with the heavy-tail property of traffic to detect SYN flood attacks, and evaluates it on the MIT Lincoln Laboratory dataset. The experiments show that the method is simple, fast and effective.
Keywords: network traffic, SYN flood detection, statistical threshold, heavy-tail property
Abstract: Judging whether a SYN flood is happening from the ratio of SYN packets to total TCP packets alone is inefficient. Normal network traffic is heavy-tailed, and it is hard for a SYN flood attack to fabricate the same distribution as normal traffic. This paper presents a detection method that combines the ratio of SYN packets to total TCP packets with the heavy-tailed distribution of network traffic. An experiment on the MIT Lincoln Laboratory dataset shows that the method detects SYN flood attacks quickly and with higher detection efficiency.
Key words: network traffic, SYN flood detection, statistics threshold, heavy-tail property
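An added illustration of the combined test (this is not the paper's code, and the abstract does not say which quantity's distribution the authors examine): per-source packet counts in a window are assumed to be the heavy-tailed quantity, a maximum-likelihood Pareto fit is assumed as the tail statistic, and the thresholds and the three traffic windows are constructed for the example.

```python
import math
from collections import Counter

def syn_ratio(packets):
    """SYN/TCP statistic: share of TCP packets in the window that are pure SYNs."""
    syn = sum(1 for _, flags in packets if flags == "S")
    return syn / len(packets) if packets else 0.0

def pareto_alpha(values, x_min=1):
    """Maximum-likelihood Pareto tail index of the per-source packet counts (assumed
    statistic). Heavy-tailed traffic gives a small alpha (roughly 1-2); a flood in
    which thousands of spoofed sources each send one SYN piles mass at x_min and
    drives alpha up, i.e. the window no longer looks heavy-tailed."""
    xs = [x for x in values if x >= x_min]
    s = sum(math.log(x / x_min) for x in xs)
    return float("inf") if s == 0 else 1.0 + len(xs) / s

def detect_syn_flood(packets, ratio_threshold=0.5, alpha_threshold=3.0):
    """Combined test: SYN/TCP ratio above its threshold AND loss of the heavy tail.
    Returns (flagged, ratio, alpha); thresholds are constructed, not the paper's."""
    ratio = syn_ratio(packets)
    alpha = pareto_alpha(Counter(src for src, _ in packets).values())
    return (ratio > ratio_threshold and alpha > alpha_threshold), ratio, alpha

# Constructed windows (no real traffic): 40 hosts whose packet counts fall off as
# 400/i, each opening one connection (one SYN) followed by data packets.
def normal_window():
    pkts = []
    for i in range(1, 41):
        pkts.append((f"10.0.0.{i}", "S"))
        pkts.extend((f"10.0.0.{i}", "A") for _ in range(400 // i - 1))
    return pkts

def flood_window(spoofed=3000):
    # Normal traffic plus one SYN each from many spoofed addresses.
    return normal_window() + [(f"spoofed-{j}", "S") for j in range(spoofed)]

def burst_window():
    # Same 40 hosts, but every packet is a SYN (burst of short connections):
    # the ratio test alone flags this window, the combined test does not.
    return [(src, "S") for src, _ in normal_window()]

if __name__ == "__main__":
    for name, win in [("normal", normal_window()), ("flood", flood_window()),
                      ("burst", burst_window())]:
        print(name, detect_syn_flood(win))
```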
CLC number:
许晓东;杨海亮;朱士瑞. 基于重尾特性的SYN洪流检测方法[J]. 计算机工程, 2008, 34(22): 179-181.
XU Xiao-dong; YANG Hai-liang; ZHU Shi-rui. SYN Flood Detection Method Based on Heavy-tail Property[J]. Computer Engineering, 2008, 34(22): 179-181.