Computer Engineering and Applications (计算机工程与应用) ›› 2007, Vol. 43 ›› Issue (29): 146-149.

• Network, Communication and Security •

Feature analysis and detection of distributed denial of service attacks

徐图 (Xu Tu), 何大可 (He Dake), 邓子健 (Deng Zijian)

  1. School of Information Science and Technology, Southwest Jiaotong University, Chengdu 610031
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-10-11 Published: 2007-10-11
  • Corresponding author: 徐图 (Xu Tu)

Features analysis and detection of DDoS attack

XU Tu, HE Da-ke, DENG Zi-jian

  1. School of Information Science and Technology, Southwest Jiaotong University, Chengdu 610031, China
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-10-11 Published: 2007-10-11
  • Contact: XU Tu

Abstract (translated from the Chinese): The key to detecting distributed denial of service (DDoS) attacks is to find features that reflect the essential difference between attack traffic and normal traffic, and to identify those features online with a simple, efficient algorithm; this makes online DDoS detection possible at a low false-alarm rate and a low missed-alarm rate. Based on the characteristics of DDoS attack packets, the concept of One-Way Connection Density (OWCD) is proposed, and, guided by the principle of using a "distance measure" for DDoS identification, an algorithm that identifies DDoS attacks from the OWCD sequence is proposed. Experiments show that this detection method overcomes the drawbacks of two-class classification methods for DDoS identification and gives good detection results for DDoS attacks of different intensities.

Keywords: distributed denial of service attack, one-way connection density, distance measure

Abstract: It is a challenge to detect DDoS attacks with low false positive and false negative rates. The key is to find the essential difference between the normal stream and the attack stream and to identify it with a simple algorithm. In terms of the features of DDoS attacks, a new concept, One-Way Connection Density (OWCD), is presented. Meanwhile, a DDoS detection algorithm based on a distance measure is described. A cumulative Euclidean distance is computed to indicate the degree of deviation caused by the DDoS attack. As shown in the experiments, OWCD marks DDoS attacks more clearly than another concept, Flow Connection Density (FCD). This detection measure also overcomes the shortcomings of two-class classification detection methods and identifies DDoS attacks of various intensities efficiently and simply.

Key words: distributed denial of service attack, one-way connection density, distance measure
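The abstract describes the detector only in outline: a per-window OWCD sequence, compared against a normal profile by a cumulative Euclidean distance. The following is an added example, not code from the paper, that carries that outline through on constructed flow records; it assumes a "one-way connection" is a connection whose destination never answered, and that OWCD is the fraction of such connections in a time window (the paper's exact definition, window size and threshold are not on the page).

```python
from math import sqrt

# Constructed flow records, not the paper's data: (window, src, dst, replied).
# Assumption of this example: a connection is "one-way" when replied is False.

def make_flows(window, two_way, one_way):
    """Build `two_way` answered and `one_way` unanswered connections for one window."""
    flows = [(window, f"10.0.0.{i}", "192.0.2.10", True) for i in range(two_way)]
    flows += [(window, f"198.51.100.{i}", "192.0.2.10", False) for i in range(one_way)]
    return flows

def owcd_sequence(flows, n_windows):
    """Per-window One-Way Connection Density: one-way connections / all connections."""
    total = [0] * n_windows
    one_way = [0] * n_windows
    for window, _src, _dst, replied in flows:
        total[window] += 1
        if not replied:
            one_way[window] += 1
    return [one_way[w] / total[w] if total[w] else 0.0 for w in range(n_windows)]

def cumulative_distances(observed, baseline):
    """Running Euclidean distance of the observed OWCD sequence from the normal profile."""
    acc, out = 0.0, []
    for o, b in zip(observed, baseline):
        acc += (o - b) ** 2
        out.append(sqrt(acc))
    return out

def first_alert_window(distances, threshold):
    """Index of the first window whose cumulative deviation exceeds the threshold, or None."""
    for w, d in enumerate(distances):
        if d > threshold:
            return w
    return None

# Constructed scenario: three normal windows, then three windows of unanswered-connection flood.
N_WINDOWS = 6
FLOWS = []
for w in range(3):
    FLOWS += make_flows(w, two_way=9, one_way=1)
for w in range(3, 6):
    FLOWS += make_flows(w, two_way=2, one_way=8)
BASELINE = [0.1] * N_WINDOWS  # assumed normal profile learned from attack-free traffic
OBSERVED = owcd_sequence(FLOWS, N_WINDOWS)
DISTANCES = cumulative_distances(OBSERVED, BASELINE)
ALERT_THRESHOLD = 0.5  # assumed; the paper's threshold is not given on this page

if __name__ == "__main__":
    print(list(zip(OBSERVED, DISTANCES)), first_alert_window(DISTANCES, ALERT_THRESHOLD))
```

Because the distance accumulates, a single noisy window barely moves it, while a sustained rise in OWCD drives it past the threshold within one or two windows of the flood starting.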