Abstract: Abstract: Distributed Denial of Service (DDoS) attack is a major threat to the availability of Web service. The inherent presence of self-similarity in Web traffic motivates the applicability of time series analysis in the study of the burst feature of DDoS attack. This paper presents a method of detecting DDoS attacks against Web server by analyzing the abrupt change of time series data obtained from Web traffic. Time series data are specified in reference sliding window and test sliding window, and the abrupt change is modeled using Auto-Regressive (AR) process. By comparing two adjacent non-overlapping windows of the time series, the attack traffic could be detected at a time point. Combined with alarm correlation and location correlation, not only the presence of DDoS attack, but also its occurring time and location can be determined. The experimental results in a test environment are illustrated to justify our method.

Key words: Distributed Denial of Service, Auto-Regressive Model, Time Series, Web Server

摘要： 摘要: 分布式拒绝服务攻击(Distributed Denial of Service, DDoS)的目标是破坏网络服务的有效性，是当前Web服务安全的主要威胁之一。本文提出了一种基于时间序列分析的DDoS攻击检测方法。该方法利用网络流量的自相似性，建立Web流量时间序列变化的自回归模型，通过动态分析Web流量的突变来检测针对Web服务器的DDoS攻击。在此基础上，通过对报警数据的关联分析，获得攻击的时间和位置信息。实验结果表明：该方法能有效检测针对Web服务器的DDoS攻击。

关键词: 分布式拒绝服务攻击, 自回归模型, 时间序列, Web服务器