An App-DDoS Defense Model Based on User Loyalty
Published: 2018-04-08 21:38
Topic: application layer  Entry point: DDoS  Source: Tianjin University, 2014 master's thesis
[Abstract]: Distributed Denial of Service (DDoS) attacks are among the most serious security problems facing the Internet today. In recent years, as Web services have proliferated, DDoS attacks have begun to shift from the traditional transport and network layers to the application layer, and application-layer DDoS (Application DDoS, App-DDoS) attacks are occurring more and more frequently, with growing impact. In an App-DDoS attack, every request the attacker sends is a legitimate request and also appears legitimate at the lower layers, so traditional DDoS defenses cannot effectively defend against App-DDoS attacks. At the application layer, a client can make the server perform a large amount of computation by sending only a few messages, consuming its various resources; App-DDoS attacks are therefore more damaging. In summary, finding effective App-DDoS defenses is all the more urgent. In an App-DDoS attack, the main difference between an attacker and a normal user lies in the purpose of access. To achieve the goal of consuming server resources, an attacker's behavioral characteristics differ greatly from those of a normal user. This thesis therefore detects App-DDoS attacks by analyzing users' behavioral characteristics. First, based on the characteristics of application-layer DDoS attacks, it extracts two user behavior features, request rate and load-request ratio, to examine user behavior. Second, it proposes the concept of loyalty as a comprehensive evaluation of a user's behavioral characteristics, and proposes an effective loyalty evaluation method. The loyalty evaluation considers not only the user's behavior during the current visit but also the user's historical behavior, so user behavior can be evaluated more accurately. The loyalty calculation also uses two mechanisms, a low initial value and slow increase with fast decrease, to ensure that attacking users tend to have low loyalty values and normal users have high loyalty values, which effectively raises the attack detection rate and lowers the false positive rate. Third, to better record users' historical behavior, it proposes a client-based detection and filtering approach. In this approach, cookies are used to identify the client, turning the detection of attacking users into evaluating whether a host is an attacking host. This prevents attackers from easily discarding an old identity and allows the host's historical behavior to be recorded better. Finally, for App-DDoS attacks, the thesis implements a defense model based on user loyalty, ULDM (User Loyalty Defense Model). The model uses the loyalty calculation to evaluate whether a host is an attacking host. Experiments show that the defense model can effectively detect and filter App-DDoS attacks, with a high detection rate and a low false positive rate.
[Degree-granting institution]: Tianjin University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1723442
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1723442.html
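The abstract names the ingredients of the loyalty score (request rate, load-request ratio, a low initial value, slow increase with fast decrease, cookie-identified clients) but gives no formula. The following is an added sketch of how those pieces can fit together; it is not the thesis's ULDM code, and every threshold, the additive/multiplicative update rule, and the reading of "load-request ratio" as the share of costly requests are assumptions.

```python
from dataclasses import dataclass, field

# All constants are illustrative assumptions; the abstract gives no values.
INITIAL_LOYALTY = 0.2   # low initial value for a client never seen before
BLOCK_THRESHOLD = 0.1   # clients below this loyalty are filtered
MAX_RATE = 5.0          # requests per second treated as normal
MAX_HEAVY_RATIO = 0.3   # share of costly requests treated as normal
REWARD = 0.05           # slow increase: added per well-behaved window
PENALTY = 0.5           # fast decrease: multiplier per abusive window


@dataclass
class Client:
    loyalty: float = INITIAL_LOYALTY
    history: list = field(default_factory=list)  # (rate, heavy_ratio, loyalty)


clients = {}  # server-side state keyed by the identifier carried in the cookie


def observe_window(cookie_id, requests, heavy_requests, seconds):
    """Score one observation window for a client and return its new loyalty."""
    c = clients.setdefault(cookie_id, Client())
    rate = requests / seconds
    heavy_ratio = heavy_requests / requests if requests else 0.0
    if rate > MAX_RATE or heavy_ratio > MAX_HEAVY_RATIO:
        c.loyalty *= PENALTY                      # misbehaviour is costly
    else:
        c.loyalty = min(1.0, c.loyalty + REWARD)  # trust is earned slowly
    c.history.append((rate, heavy_ratio, c.loyalty))
    return c.loyalty


def is_blocked(cookie_id):
    """A client is filtered once its accumulated loyalty falls under the threshold."""
    c = clients.get(cookie_id)
    return c is not None and c.loyalty < BLOCK_THRESHOLD


if __name__ == "__main__":
    # Constructed traffic: (cookie, requests, heavy requests, window seconds).
    for cookie, n, heavy, secs in [("user", 20, 2, 10)] * 10 + [("bot", 200, 150, 10)] * 2:
        observe_window(cookie, n, heavy, secs)
    for cookie in ("user", "bot"):
        print(cookie, round(clients[cookie].loyalty, 3), is_blocked(cookie))
```

With these assumed values, a client that discards its cookie restarts at the low initial loyalty and is filtered after two abusive windows, while a client with ten clean windows of history survives a single burst.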