A distributed denial of service (DDoS) attack can generate a huge volume of packets in a short time and exhaust the resources of the target host or network. Research has found that, within a given time window, these forged packets exhibit function-related characteristics that legitimate packets do not have. This paper therefore proposes a behavior distribution model: once suspicious flows arrive at a server, the differences in their behavior distributions are computed; if the difference is smaller than a preset threshold, a DDoS attack is judged to be taking place, otherwise the flows are treated as legitimate accesses. NS-3 simulation experiments show that the model can effectively distinguish DDoS attack flows from legitimate accesses, which is significant for controlling a DDoS attack before it takes hold.
A distributed denial of service (DDoS) attack is a common network attack and is difficult to prevent. A DDoS attack usually generates a huge number of packets in a very short time and exhausts the resources of the attacked host and network. Consequently, a DDoS attack is a great threat to the stability of high-speed networks. Many studies have shown that the attack packets are generated by one or several functions. Therefore, the attack packets always share some features that valid packets do not have. This paper introduces the concept of behavior distribution. When suspicious flows arrive at a server, the software calculates the differences in their behavior distribution. If the difference is lower than the threshold, it is deemed a DDoS attack. Otherwise, it is a valid access. The NS-3 experimental results indicate that this method can effectively distinguish a DDoS attack from a valid access and thus contain an attack as soon as possible.
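The detection rule described above, as an added illustration that is not the paper's own code: each suspicious flow is reduced to a histogram over packet features, the mean pairwise distance between those histograms is computed, and a mean below the threshold marks the flows as a DDoS attack. The feature choice (packet size and inter-arrival time), the bucket edges, the total-variation distance, the threshold value and the sample flows are all assumptions made for this example.

```python
from collections import Counter
from itertools import combinations

# Assumed feature bucketing (not from the paper): packet size in 256-byte
# bins, inter-arrival time in decades of milliseconds.
def bucket(pkt):
    size, gap_ms = pkt
    gap_bin = 0 if gap_ms < 1 else 1 if gap_ms < 10 else 2 if gap_ms < 100 else 3
    return (size // 256, gap_bin)

def behavior_distribution(flow):
    """Normalised histogram of bucketed packet features for one flow."""
    counts = Counter(bucket(p) for p in flow)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

def total_variation(p, q):
    """Distance in [0, 1] between two distributions; 0 means identical behaviour."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)

def mean_behavior_difference(flows):
    """Average pairwise distance between the behavior distributions of the flows."""
    dists = [behavior_distribution(f) for f in flows]
    pairs = list(combinations(dists, 2))
    return sum(total_variation(a, b) for a, b in pairs) / len(pairs)

THRESHOLD = 0.2  # assumed value; the abstract does not state the paper's threshold

def is_ddos(flows, threshold=THRESHOLD):
    """Flows whose behaviour is too uniform are judged to be a DDoS attack."""
    return mean_behavior_difference(flows) < threshold

# Constructed sample flows: lists of (packet_size_bytes, inter_arrival_ms).
# Attack flows come from the same generating function, so they look alike.
ATTACK_FLOWS = [
    [(64, 0.5)] * 20,
    [(64, 0.5)] * 20,
    [(64, 0.5)] * 18 + [(64, 5.0)] * 2,
    [(60, 0.7)] * 20,
]
# Legitimate flows come from different users and applications, so they differ.
LEGIT_FLOWS = [
    [(1400, 2.0)] * 10 + [(64, 30.0)] * 10,
    [(512, 0.5)] * 20,
    [(1400, 150.0)] * 5 + [(300, 15.0)] * 5 + [(64, 0.5)] * 10,
    [(512, 0.5)] * 10 + [(1400, 0.5)] * 10,
]

if __name__ == "__main__":
    print("attack flows flagged:", is_ddos(ATTACK_FLOWS))   # True
    print("legit flows flagged:", is_ddos(LEGIT_FLOWS))     # False
```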