Research on an LDoS Attack Detection Method Based on Chi-Square Distance and AEWMA
Published: 2018-10-31 15:34
[Abstract]: The attack traffic of an LDoS (Low-rate Denial of Service) attack is mixed in with legitimate traffic, is highly covert, and is hard to detect. Research on LDoS attack detection is still at an early stage: existing methods can detect some kinds of LDoS attack to some extent, but they still have many shortcomings. Exploring new, effective methods that detect LDoS attacks in real time therefore has theoretical value and practical significance for improving the security of networked systems.

This thesis summarises the forms and types of LDoS attacks, points out why they are hard to detect, and analyses the existing typical LDoS detection methods.

It then analyses the frequency distribution of legitimate TCP (Transmission Control Protocol) traffic and of other traffic, and finds that the frequency distributions of these two classes differ considerably between the no-attack and under-attack cases; a "distance" measure is introduced to capture this difference. On this basis an LDoS detection method based on chi-square distance is proposed, the corresponding detection algorithm is given, and the parameters that affect detection accuracy are discussed in detail. Simulation experiments demonstrate the effectiveness of the method.

Next, the differences in the distribution shape of legitimate TCP traffic under several conditions are analysed, the distribution characteristics of legitimate TCP traffic under each condition are summarised, and an LDoS detection method based on AEWMA (Adaptive Exponentially Weighted Moving Average) is proposed. The parameters involved in its decision criterion are discussed in depth, and simulation experiments demonstrate the method's effectiveness.

Finally, an analysis of the shortcomings of the two methods shows that they are strongly complementary, so a combined LDoS detection method that fuses the two is constructed. Simulation experiments show that, compared with either method on its own, the combined method keeps a good detection rate while achieving both a lower missed-detection (false negative) rate and a lower false-alarm (false positive) rate.
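The two detectors described in the abstract, as an added illustrative example in Python (editor's code, not the thesis's algorithm, data, or parameter values): per-interval legitimate TCP packet counts are binned into a frequency histogram and compared with a no-attack baseline by chi-square distance, an AEWMA tracks the level of the same series, and the two verdicts are fused. The 100 ms sampling interval, the bin edges, the Huber-type AEWMA score function, every threshold, and the three constructed traces (normal, periodic LDoS pulses, and a single benign dip) are assumptions of the example, not values from the thesis.

```python
"""Illustrative LDoS detection: chi-square distance over a frequency
histogram, an AEWMA level tracker, and a simple fusion of the two.
Editor's example code; NOT the thesis's algorithm or data.
Assumed (not from the page): 100 ms intervals, five fixed histogram bins,
a Huber-type AEWMA score function, and the thresholds below.
"""

BIN_WIDTH = 25          # packets per interval covered by one histogram bin (assumed)
N_BINS = 5              # bins [0,25) [25,50) [50,75) [75,100) [100,inf)
CHI2_THRESHOLD = 0.1    # assumed alarm threshold on the chi-square distance
LAMBDA = 0.2            # EWMA weight applied to small residuals (assumed)
HUBER_K = 30.0          # residual magnitude above which the AEWMA reacts almost fully
DROP_FRACTION = 0.3     # AEWMA alarms when the tracked level is 30% below baseline


def histogram(counts):
    """Normalised frequency distribution of per-interval legitimate TCP packet counts."""
    bins = [0.0] * N_BINS
    for c in counts:
        bins[min(c // BIN_WIDTH, N_BINS - 1)] += 1
    n = float(len(counts))
    return [b / n for b in bins]


def chi_square_distance(p, q):
    """d(P,Q) = sum_i (p_i - q_i)^2 / (p_i + q_i); bins with p_i + q_i = 0 are skipped."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(p, q) if a + b > 0)


def aewma_score(err, lam=LAMBDA, k=HUBER_K):
    """Huber-type score: residuals within +-k are smoothed with weight lam,
    larger residuals move the tracked level almost one-for-one, so the
    tracker is both smooth in steady state and quick on a sharp collapse."""
    if err > k:
        return err - (1 - lam) * k
    if err < -k:
        return err + (1 - lam) * k
    return lam * err


def aewma_alarms(counts, baseline_mean):
    """Indices of intervals where the AEWMA-tracked level of legitimate TCP
    traffic fell below (1 - DROP_FRACTION) * baseline_mean."""
    z = float(baseline_mean)
    limit = (1 - DROP_FRACTION) * baseline_mean
    alarms = []
    for i, x in enumerate(counts):
        z = z + aewma_score(x - z)
        if z < limit:
            alarms.append(i)
    return alarms


def detect(window, baseline_window):
    """Run both detectors over one window and fuse them: the fused alarm
    requires both the distributional (chi-square) and the temporal (AEWMA)
    detector to fire, which suppresses one-off dips that only the AEWMA sees."""
    d = chi_square_distance(histogram(baseline_window), histogram(window))
    mean0 = sum(baseline_window) / len(baseline_window)
    a = aewma_alarms(window, mean0)
    chi_alarm = d > CHI2_THRESHOLD
    aewma_alarm = len(a) > 0
    return {"chi2": d, "aewma_alarms": a, "chi2_alarm": chi_alarm,
            "aewma_alarm": aewma_alarm, "fused_alarm": chi_alarm and aewma_alarm}


# ---- constructed sample traces (synthetic, not measured data) -------------
def normal_trace(n):
    """Legitimate TCP packets per interval with mild deterministic jitter (99..101)."""
    return [100 + (i % 3) - 1 for i in range(n)]


def ldos_trace(n, period=10, pulse_len=2, floor=10):
    """Periodic LDoS pulses: every `period` intervals the legitimate flows
    collapse to `floor` packets for `pulse_len` intervals (TCP back-off)."""
    return [floor if i % period < pulse_len else 100 + (i % 3) - 1 for i in range(n)]


def transient_dip_trace(n, at=5, floor=10):
    """Normal traffic with a single one-interval dip (a benign glitch)."""
    t = normal_trace(n)
    t[at] = floor
    return t


if __name__ == "__main__":
    base = normal_trace(30)
    for name, trace in [("normal", normal_trace(30)),
                        ("ldos", ldos_trace(30)),
                        ("glitch", transient_dip_trace(30))]:
        r = detect(trace, base)
        print(f"{name:7s} chi2={r['chi2']:.4f} chi2_alarm={r['chi2_alarm']} "
              f"aewma_alarms={r['aewma_alarms']} fused={r['fused_alarm']}")
```

Running the three traces shows why the abstract calls the methods complementary: the AEWMA reacts within one interval to any collapse, so it catches every pulse but also fires on the single benign dip; the chi-square distance only moves once enough of the window's intervals have shifted bins, so it ignores the dip but lags the first pulse. Requiring both to agree keeps the periodic-pulse detection while discarding the glitch. In a deployment the bin edges, window length, and both thresholds would have to be set from the measured variance of the link's own baseline rather than the constants assumed here.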
[Degree-granting institution]: 华中科技大学 (Huazhong University of Science and Technology)
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08
Article ID: 2302718
Link: https://www.wllwen.com/guanlilunwen/ydhl/2302718.html