| With the rapid development of the global Internet, network security has already become a problem that needs to solute urgently. Among many threats of network security, DDoS is of great important because of its easy implementation, great destroy and difficult to detect.In recent years, the extensive study results show that the actual network traffic has significant scale characteristics, namely it is self-similar (mono-fractal) in large time scale and multi-fractal in small time scale. Based on the analysis of characteristics of network traffic , DDoS attack detection is studied using the fractal characteristics of the network traffic.Firstly, the thesis elaborates the principles of DoS attacks and DDoS attacks, analyzes the common types of DDoS attacks, studies DDoS attacks tools and sums up the common DDoS attacks detection method.Secondly, the FGN model used to generate self-similar trace in our thesis is introduced.Seven kinds of Hurst estimation algorithm usualy used are studied.The self-similar and multi-fractal characteristics of typical DDoS attacks traffic are analyzed. The relationship between the Hurst parameter of the traffic flow and that of the sub-flow when twoself-similar sub-flow are synthezed is studied.The thesis focuses on the detecttion of DDoS attacks based on the Hurst parameter and the Holder index of network traffic. In the DDoS attachs detection scheme, the background traffic is use to simulate the case of no attack, and the attack traffic is added to the background traffic to similate the traffic change of the network attack. Then a certain period of network traffic is aggregated to form a that represent the behalf of the network traffic. The Hurst parameter of this non-negative time series in some time points is computed using R/S algorithm and the change plot of the Hurst parameter of the time series is drawed. The analysis results show that DDoS attacks can be detected efficiently based on Hurst parameter. But this method has the problems of large detection delay and low detection sensitivity because of the inherent characteristic of mono-fractal. To solve these problems, the multi-fractal characteristic of the network traffic is used to detect the DDoS attacks. In the thesis, we use the Holder index of the network traffic to detect the DDoS attacks. The variance of Holder index of the network traffic with DDoS attacks in small time scale is studied. The results show that compare to the normal traffic, the Holder index of the network traffic with DDoS attackd is quite different. Because the Holder index in small time scale reflects a local singularity, one can use the variance of the Holder index to detect the DDoS attacks. This method has not the problems of large detection delay and low detection senditivity and better effect can be obtained. |
PDF Full Text Request