Research on DDoS Attack Detection Technology Based on Network Behavior Analysis
[Abstract]: With the rapid development of the Internet in recent years, more and more application-layer services and applications, including Web services, have been developed and deployed. Application-layer security problems are becoming more prominent and more important, and network attacks against Web servers occur frequently. Distributed denial-of-service (DDoS) attacks are among the most difficult and destructive attacks. A DDoS attack prevents users from accessing the target service by consuming the target's resources, and it poses a great threat to the availability of networks and network services. Compared with traditional DDoS, application-layer DDoS attacks are better concealed and more destructive. DDoS attack detection is an important part of the overall security defense system: accurate detection and identification of attacks provides effective support for security defense. Most existing DDoS detection methods have difficulty distinguishing an attacker's behavior from the normal request behavior of a sudden surge of heavy traffic. Detection based on network behavior analysis can better identify an attacker's abnormal behavior, so it is necessary to study DDoS detection methods based on network behavior analysis. According to how the attacker selects URLs when launching a DDoS attack on a Web server, this paper divides application-layer DDoS attacks against Web services into three types: fixed-URL attacks, random-URL attacks, and crawler-style attacks that traverse URLs. The URL request rate in each attack type is analyzed; the requested URL is treated as a discrete random variable, and the URL request entropy under attack is computed and compared with the URL request entropy of normal traffic, in order to find how the behavior of a DDoS attack differs.
On this basis, the detection results are further analyzed and optimized, and a DDoS attack detection method based on a joint information entropy vector of URLs is proposed. The method combines the URL request entropy with the page residence time entropy in a joint vector. Simulation results show that the proposed method can effectively distinguish DDoS attacks from Flash Crowd access, that is, normal bursts of heavy traffic. Finally, after studying and analyzing current mainstream DDoS attack tools, the feasibility and effectiveness of the detection method are tested by simulation experiments on the laboratory's Web system, which is built on a service-oriented architecture. The experimental results show that the joint information entropy vector detection method based on network behavior analysis can significantly reduce the false detection rate of DDoS detection.
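The following sketch is an added example, not code from the thesis: it computes the (URL request entropy, page residence time entropy) vector for constructed traffic windows and compares a URL-entropy-only alarm with a joint alarm. The bin width, tolerance, the "both components deviate" rule and all sample windows are assumptions made for illustration.

```python
import math
from collections import Counter

def entropy(symbols):
    """Shannon entropy in bits of the empirical distribution of symbols."""
    counts = Counter(symbols)
    n = sum(counts.values())
    return sum(-c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def entropy_vector(window, bin_s=5.0):
    """window: [(url, residence_time_s)] observed in one time window.
    Returns (URL request entropy, residence time entropy);
    residence times are bucketed into bin_s-second bins (assumed width)."""
    return (entropy(u for u, _ in window),
            entropy(int(t // bin_s) for _, t in window))

def url_only_alarm(vec, base, tol=1.0):
    """Alarm when URL request entropy alone leaves the baseline band."""
    return abs(vec[0] - base[0]) > tol

def joint_alarm(vec, base, tol=1.0):
    """Assumed joint rule: alarm only when both components leave the band."""
    return all(abs(v - b) > tol for v, b in zip(vec, base))

# Constructed windows of 16 requests each (illustrative, not measured traffic).
PAGES = [f"/p{i}" for i in range(16)]
HUMAN = [2, 7, 12, 17] * 4   # varied residence times in seconds
BOT = [0.1] * 16             # scripted, near-constant residence time
WINDOWS = {
    "normal":      list(zip(["/p0"] * 8 + ["/p1"] * 4 + ["/p2"] * 2 + ["/p3"] * 2, HUMAN)),
    "flash_crowd": list(zip(["/p0"] * 15 + ["/p1"], HUMAN)),  # many users, one hot page
    "fixed_url":   list(zip(["/p0"] * 16, BOT)),
    "random_url":  list(zip(PAGES[5:] + PAGES[:5], BOT)),     # uniform over all pages
    "traversal":   list(zip(PAGES, BOT)),                     # crawler-style walk
}

def evaluate():
    """Map window name -> (url_only_alarm, joint_alarm), baseline = normal window."""
    base = entropy_vector(WINDOWS["normal"])
    return {name: (url_only_alarm(v, base), joint_alarm(v, base))
            for name, w in WINDOWS.items() for v in [entropy_vector(w)]}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:12s} vector={entropy_vector(WINDOWS[name])} alarms={verdict}")
```

On these constructed windows the URL-only alarm fires on the flash crowd as well as on the three attack types, while the joint alarm fires only on the attacks.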
[Degree-granting institution]: Shenyang Ligong University
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.08