
Computer Engineering ›› 2011, Vol. 37 ›› Issue (10): 134-136. doi: 10.3969/j.issn.1000-3428.2011.10.045

• Security Technology •

DDoS Attack Detection Based on Correlation of Macro Network Flow

XU Xiao-dong, FAN Yan-hua, ZHU Shi-rui

  1. (Network Center, Jiangsu University, Zhenjiang 212013, China)
  • Online: 2011-05-20 Published: 2011-05-20
  • About the authors: XU Xiao-dong (born 1964), male, associate professor; main research interests: network management, systems integration. FAN Yan-hua and ZHU Shi-rui, master's students.
  • Funding:
    Supported by the University Scientific Research Fund of the Jiangsu Provincial Department of Education (03KJD520073)

Abstract: Existing Distributed Denial of Service (DDoS) attack detection methods suffer from low detection efficiency and a narrow scope of application. Based on an analysis of how DDoS attacks affect the correlation of traffic size and of IP addresses, this paper proposes a DDoS attack detection method based on the correlation of network flow. Correlation analysis is applied to traffic size, and the rate of change of the variance of the Hurst exponent is defined as the measure that distinguishes normal traffic from abnormal traffic that causes a significant change in traffic volume. The correlation of IP addresses is then studied, and the degree of similarity of IP addresses is defined and computed as the measure that distinguishes burst (flash) traffic from DDoS attacks. Experimental results show that correlation analysis of these two attributes of network flow, traffic size and IP address, accurately distinguishes normal traffic, burst traffic and DDoS attacks in the network, and so raises DDoS attack detection efficiency.

Key words: Distributed Denial of Service (DDoS) attack, self-similarity, burst traffic, degree of similarity
