
Research on Low-Rate DDoS Attack Detection Based on Weighted Entropy

Published: 2018-05-13 19:21

  Topic: low-rate DDoS + weighted entropy; Reference: Wuhan Polytechnic University, 2014 master's thesis


[Abstract]: With the development of Internet technology, the Internet has come to play a pivotal role in every industry. However, because the Internet forwards packets (malicious or not) on a best-effort basis with the least possible processing, servers on the network are vulnerable to DDoS attacks, which cause heavy losses to service providers and legitimate users. Network security is therefore especially important when providing network services. This thesis centers on a weighted-entropy detection algorithm for low-rate distributed denial-of-service (low-rate DDoS) attacks and focuses on several problems in low-rate DDoS attack detection: (1) the model and principle of low-rate DDoS attacks; (2) the difference in packet-size distribution between low-rate DDoS attack flows and normal flows; (3) unified modeling of data flows by packet size, proposing for the first time an entropy weight mechanism based on packet size; (4) qualitative and quantitative analysis of how the packet-size-based entropy weights vary in normal flows and attack flows.

First, the thesis analyzes the organization and classification of low-rate DDoS attacks and the other key issues involved in the attack process, analyzes the principle of low-rate DDoS attacks at the application layer in detail, and reviews current research on low-rate DDoS attack detection.

Second, it reviews the state of the art and research results on low-rate DDoS attack flow detection in China and abroad, concentrating on two classes of detection methods, feature-value-based metric detection and anomaly-based metric detection, and applies aggregate link traffic features to anomaly-based metric detection.

Third, it analyzes how, when a low-rate DDoS attack occurs, information entropy can be used as a metric to distinguish the traffic characteristics of normal flows from those of attack flows. As an anomaly detection mechanism for aggregate link traffic monitoring, entropy detection can be applied not only to detection at the victim end but can also be extended to detection along the attack path, which plays a key role in attack traceback.

Fourth, it proposes a new entropy weight determination mechanism based on packet size and applies it to normal flows and attack flows: the packet-size-based entropy weights are used as the weights, and weighted entropy is computed for normal flows and attack flows. The experimental results show that, compared with the Shannon entropy metric detection mechanism, the false alarm rate is reduced by 23.10%.
[Degree-granting institution]: Wuhan Polytechnic University
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08



