Detection of distributed denial of service (DDoS) attacks is a research hotspot in the field of network security. This paper analyzes in detail the progress and characteristics of research on DDoS attacks and, targeting the essential features of DDoS attack flows, namely burstiness of traffic, flow asymmetry, distributed source IP addresses and concentrated destination IP addresses, proposes the concept of the address correlation value (ACV) of a network flow. To make full use of ACV and improve detection quality, a DDoS attack detection method based on ACV is proposed: by fitting the parameters of an autoregressive model, the ACV time series is transformed into a sequence of AR model parameter vectors in a multidimensional space that describe the state features of the network flow, and a support vector machine classifier is used to classify the current network flow state and identify DDoS attacks. Experimental results show that the detection method can effectively detect DDoS attacks and reduce the false positive rate.
Detecting distributed denial of service (DDoS) attacks is currently a hot topic in the network security field. The characteristics of DDoS attacks and the existing methods for detecting them are analyzed, and a novel detection scheme for DDoS attacks based on the address correlation value (ACV) is proposed. ACV is designed to reflect the essential features of DDoS attacks, such as abrupt traffic change, flow asymmetry, distributed source IP addresses and concentrated target IP addresses. To increase detection accuracy under various conditions, ACV time series are transformed into a multidimensional vector (MV) by estimating the autoregressive (AR) model parameters with the Yule-Walker method, and the MV is then used to describe the state features of network flows. Furthermore, a support vector machine (SVM) classifier, trained on the MVs of ACV time series from normal flows and attack flows, is applied to classify the state of the current network flow and identify DDoS attacks. The experimental results show that ACV time series characterize well the different state features of DDoS attack flows and normal flows; the scheme can identify the abnormal flow state caused by DDoS attack flows, detect DDoS attacks accurately, and drastically reduce false positives.
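As an added illustration of the pipeline the abstract describes (this is not code from the paper): each window of an ACV time series is fitted with an AR(p) model by the Yule-Walker equations, and the resulting parameter vectors are the features a classifier separates into normal and attack states. Assumptions: the ACV series are constructed AR(1) processes, since the page does not define how ACV is computed, and a nearest-centroid rule stands in for the paper's SVM.

```python
import numpy as np

def yule_walker(x, p):
    """Fit an AR(p) model to series x by the Yule-Walker equations and return the
    parameter vector (phi_1, ..., phi_p): the MV the abstract derives per window."""
    x = np.asarray(x, dtype=float)
    x = x - x.mean()
    n = len(x)
    # Biased sample autocorrelation r[k] for lags k = 0..p.
    r = np.array([np.dot(x[:n - k], x[k:]) / n for k in range(p + 1)])
    # Toeplitz system R * phi = (r[1], ..., r[p]).
    R = np.array([[r[abs(i - j)] for j in range(p)] for i in range(p)])
    return np.linalg.solve(R, r[1:])

def acv_windows_to_mv(acv, window, p):
    """Cut an ACV time series into non-overlapping windows; each window becomes
    its AR(p) parameter vector, the feature vector handed to the classifier."""
    return [yule_walker(acv[i:i + window], p)
            for i in range(0, len(acv) - window + 1, window)]

def train_centroids(mv_by_label):
    """Stand-in for SVM training (assumption: a nearest-centroid rule suffices to
    illustrate the pipeline): one centroid per class in MV space."""
    return {label: np.mean(vectors, axis=0) for label, vectors in mv_by_label.items()}

def classify_mv(centroids, mv):
    """Label the query parameter vector by its closest class centroid."""
    return min(centroids, key=lambda label: np.linalg.norm(mv - centroids[label]))

def make_ar1_series(phi, n, seed):
    """Constructed stand-in for a measured ACV series (the ACV computation itself
    is not defined here): an AR(1) process x_t = phi * x_{t-1} + noise."""
    rng = np.random.default_rng(seed)
    x = np.zeros(n)
    for t in range(1, n):
        x[t] = phi * x[t - 1] + rng.standard_normal()
    return x

def build_detector(window=200, p=2):
    """Train on constructed 'normal' (weakly correlated) and 'attack' (strongly
    persistent) ACV series and return the class centroids."""
    normal_mv = acv_windows_to_mv(make_ar1_series(0.2, 4000, 1), window, p)
    attack_mv = acv_windows_to_mv(make_ar1_series(0.9, 4000, 2), window, p)
    return train_centroids({"normal": normal_mv, "attack": attack_mv})

if __name__ == "__main__":
    centroids = build_detector()
    query = yule_walker(make_ar1_series(0.85, 200, 7), 2)
    print(classify_mv(centroids, query))  # prints "attack"
```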