Research on DDoS Attack Detection Methods for Backbone Communication Networks
Published: 2018-05-29 20:29
Topic of this paper: DDoS + Counting ; Source: Master's thesis, University of Electronic Science and Technology of China (电子科技大学), 2017
[Abstract]: With the rapid development of information technology, anomalous network behaviour events break out ever more frequently, and their negative impact on people's daily lives grows increasingly significant. In recent years, more and more researchers at home and abroad have turned their attention to anomalous network behaviour and carried out extensive research on analysing it. Against this background, this thesis targets distributed denial-of-service (DDoS) attacks among anomalous network behaviours, taking SYN flood attacks as the main object of study. Traditional SYN flood detection algorithms are mostly based on deep packet analysis, parsing network flow packets in detail by means of packet statistics. However, backbone communication networks are characterised by continuously growing scale and extremely large data volumes, which causes the running time of traditional detection methods to multiply, their cost overhead to rise and their real-time efficiency to fall. Moreover, because burst access (flash crowds) and distributed denial-of-service attacks share many similarities in their outward form, existing anomaly identification methods suffer considerable false-alarm and misidentification rates. To address these problems, this thesis proposes, on the basis of a flow connection graph, a SYN flood detection algorithm based on a Counting Bloom Filter, and also proposes a SYN flood detection algorithm based on graph mining. The main work of this thesis is as follows: (1) A SYN flood detection algorithm based on a Counting Bloom Filter is proposed. Using the property that the numbers of SYN, SYN|ACK and ACK packets in the TCP three-way handshake are roughly equal, it monitors whether the numbers of SYN|ACK and ACK packets within a time slice are balanced, comparing their difference against the number of ACK packets in the time window. It then adaptively adjusts the size of the time window to detect the network state in real time, and uses an information-entropy-based method to determine the suspected attacked targets. Finally, comparison with two other packet-statistics-based detection algorithms verifies that the proposed algorithm maintains a high detection rate while effectively distinguishing attacks from burst access. (2) A SYN flood detection algorithm based on graph mining is proposed. SYN flood attacks are divided into two classes according to how heavily they reuse spoofed source IP addresses. Using graph mining techniques, the graphs constructed for the two classes of SYN flood attack are pattern-matched to detect whether an anomaly has occurred in the network. When burst access occurs, its network behaviour closely resembles the second class of SYN flood attack, so a third-level judgement is used to distinguish the second class of SYN flood attack from burst access. Finally, experiments verify the effectiveness of the algorithm.
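The following is an added example, not code from the thesis: one plausible realisation of the first method described above, written here for illustration. It assumes (as the abstract does not spell out) that the Counting Bloom Filter is keyed on the (client, server) pair, incremented on each SYN|ACK and decremented when the handshake ACK for that pair arrives, so that the residual counts are the unanswered SYN|ACKs; that the difference SYN|ACK minus ACK is compared against the ACK count of the window as a ratio with an assumed threshold; that the suspected target is found from the entropy of the servers holding unanswered SYN|ACKs; and that the window halves after an alarm and doubles while traffic is balanced. The `handshake`, `flash_crowd` and `syn_flood` traffic samples are constructed, with a step label in place of parsed TCP flags, and the IP addresses are documentation ranges. The flash-crowd sample stays balanced (many completed handshakes), while the flood sample trips the alarm and names the single server carrying the unanswered SYN|ACKs.

```python
# Added example (not the thesis's code): window-based SYN|ACK vs ACK balance
# detector on a Counting Bloom Filter, with an entropy check over the servers
# holding unanswered SYN|ACKs and an adaptive window.  Samples are constructed.
import hashlib
import math
from collections import Counter


class CountingBloomFilter:
    """Counting Bloom Filter: k salted hashes over m counters; supports remove()."""

    def __init__(self, m=4096, k=4):
        self.m, self.k = m, k
        self.counters = [0] * m

    def _indexes(self, key):
        # k positions from salted SHA-256 digests (an assumed choice of hash family)
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, key):
        for idx in self._indexes(key):
            self.counters[idx] += 1

    def count(self, key):
        # min over the k counters: never below the true count, may overshoot on collisions
        return min(self.counters[idx] for idx in self._indexes(key))

    def remove(self, key):
        if self.count(key) == 0:
            return False  # no SYN|ACK outstanding for this key (up to Bloom false positives)
        for idx in self._indexes(key):
            self.counters[idx] -= 1
        return True


def entropy(counter):
    """Shannon entropy in bits of the distribution held in a Counter."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def analyse_window(packets, threshold=0.5, entropy_max=1.0):
    """packets: iterable of (src, dst, step), step in {"SYN", "SYN|ACK", "ACK"}.
    Compares (SYN|ACK - ACK) with the ACK count of the window; an imbalance that is
    concentrated on few servers (low entropy) raises an alarm and names the target."""
    cbf = CountingBloomFilter()
    pending = Counter()  # server -> SYN|ACKs not yet answered by a handshake ACK
    synack = ack = 0
    for src, dst, step in packets:
        if step == "SYN|ACK":           # server -> client: key is (client, server)
            cbf.add((dst, src))
            pending[src] += 1
            synack += 1
        elif step == "ACK":             # client -> server: counts only if it answers a SYN|ACK
            if cbf.remove((src, dst)):
                pending[dst] -= 1
                ack += 1
    unmatched = +pending                # keep only servers with outstanding SYN|ACKs
    ratio = (synack - ack) / max(ack, 1)
    h = entropy(unmatched)
    alarm = ratio > threshold and h <= entropy_max
    target = unmatched.most_common(1)[0][0] if alarm else None
    return {"synack": synack, "ack": ack, "ratio": ratio,
            "entropy": h, "alarm": alarm, "target": target}


def run_detector(stream, window=2.0, min_w=0.5, max_w=8.0):
    """stream: list of (t, src, dst, step) sorted by t.  The window halves after an
    alarm (finer localisation in time) and doubles while traffic stays balanced."""
    results, i = [], 0
    start = stream[0][0] if stream else 0.0
    while i < len(stream):
        batch = []
        while i < len(stream) and stream[i][0] < start + window:
            batch.append(stream[i][1:])
            i += 1
        r = analyse_window(batch)
        r["window"] = window
        results.append(r)
        start += window
        window = max(min_w, window / 2) if r["alarm"] else min(max_w, window * 2)
    return results


def handshake(t, client, server):
    """Constructed: the three handshake packets of one completed connection."""
    return [(t, client, server, "SYN"), (t, server, client, "SYN|ACK"), (t, client, server, "ACK")]


def flash_crowd(server="10.0.0.1", n=50):
    """Constructed burst access: n distinct clients each complete the handshake."""
    pkts = []
    for c in range(n):
        pkts += handshake(0.1 + c * 0.01, f"192.0.2.{c + 1}", server)
    return pkts


def syn_flood(server="10.0.0.1", n=200):
    """Constructed flood: n spoofed sources send SYN, the server answers SYN|ACK and
    no ACK ever returns, while five legitimate clients complete their handshakes."""
    pkts = []
    for s in range(n):
        t, src = 0.1 + s * 0.005, f"203.0.113.{s + 1}"
        pkts += [(t, src, server, "SYN"), (t, server, src, "SYN|ACK")]
    for c in range(5):
        pkts += handshake(0.5 + c * 0.01, f"198.51.100.{c + 1}", server)
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    print("flash crowd:", run_detector(flash_crowd())[0])
    print("SYN flood:  ", run_detector(syn_flood())[0])
```

Two design points worth noting. Because an ACK only counts when it removes an outstanding SYN|ACK for the same (client, server) key, later data-carrying ACKs on an established connection are not double-counted, which is what keeps the flash-crowd window balanced. The filter's false positives work in the safe direction for this use: a collision can at worst let a stray ACK decrement unrelated counters, which slightly understates the imbalance, and with 4096 counters for a few hundred outstanding keys that probability is negligible.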
[Degree-granting institution]: University of Electronic Science and Technology of China (电子科技大学)
[Degree level]: Master
[Year of degree conferral]: 2017
[Classification number]: TP393.08
Article ID: 1952288
Link: https://www.wllwen.com/guanlilunwen/ydhl/1952288.html