
Research On Anomaly Detection Algorithms For Application-layer Distributed Denial Of Service Attacks

Posted on: 2014-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: J L Li
Full Text: PDF
GTID: 2268330401976859
Subject: Military information science
Abstract/Summary:
With the increasing complexity of the network environment, and the diversity and concealment of App-DDoS attacks, current anomaly detection algorithms mainly face three problems: 1) flow features designed for Net-DDoS attacks are ineffective against App-DDoS attacks, which leaves a detection blind spot on the server front-end; 2) current detection methods for App-DDoS attacks mostly consider the Web server only, which leads to a limited detection range and poor algorithm extensibility; 3) App-DDoS attacks against Web servers take multiple, concealed forms, so current algorithms cannot achieve transparent detection. To solve these problems, this paper proposes three detection algorithms and a two-level detection system called App-TDS, supported by the "Common Security and Control Framework in Tri-Network Convergence" project and based on the attack characteristics and abnormal behaviour of App-DDoS attacks. Besides eliminating the detection blind spot on the server front-end, the proposed algorithms and detection system also provide satisfactory detection extensibility and transparency. The research in the dissertation is as follows:

1. Considering the detection blind spot on the server front-end, this paper proposes a new detection algorithm based on flow analysis and Kalman filtering. After extracting effective abnormal features through flow analysis, the algorithm applies waveform smoothing and a Kalman filter to achieve attack positioning. Simulation shows that the algorithm can identify various kinds of App-DDoS attacks at a rate of more than 80% with a false alarm rate of 10%, and thus eliminates the detection blind spot.

2. Considering the poor detection range and extensibility of current detection algorithms, a new detection algorithm based on marking access and d-SVDD is proposed, which is deployed on the server. After extracting effective abnormal features through an access-marking strategy and a feature-extraction strategy, the algorithm applies SVDD and d-SVDD classification mechanisms to achieve attack detection. Owing to the ideal extensibility and detection performance of the proposed algorithm, more than 95% of the kinds of App-DDoS attacks can be identified with a false alarm rate of 10%.

3. Considering the poor transparency of current detection algorithms for Web servers, a new detection model based on maximal frequent sequential pattern mining, called ADA_MFSP, is proposed. After mining the maximal frequent sequential patterns of the training and detected WASD, the model introduces sequence-alignment abnormality, view-time abnormality and request-circulation abnormality to describe the behaviour of App-DDoS attacks, and thereby achieves attack detection. Experiments show that the ADA_MFSP model can not only detect various kinds of App-DDoS attacks against Web servers but also has good detection sensitivity.

4. Considering the R&D requirements of the "Common Security and Control Framework in Tri-Network Convergence" project, as well as the complexity of implementation, a two-level detection system called App-TDS is designed. After describing the structure of its sub-modules in detail, two test environments, for CC attack and ddnsf attack respectively, are built to evaluate the detection performance of App-TDS. Simulation results indicate that the detection rate for both CC attack and ddnsf attack can reach more than 95% when the abnormal flow ratio is moderate.
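The front-end flow-analysis step of item 1 (waveform smoothing followed by a Kalman filter that positions the attack in time), as an added illustration that is not code from the thesis: a scalar random-walk Kalman filter runs over smoothed per-second request counts and flags the seconds whose innovation exceeds a multiple of its predicted standard deviation. The random-walk model, the noise variances, the threshold and the request series are all assumptions constructed for this example, not the thesis's parameters or data.

```python
"""Added example (not from the thesis): flow-analysis anomaly detection with
waveform smoothing and a scalar Kalman filter over per-second request counts.
The random-walk model, noise variances and alarm threshold are assumptions
chosen for this illustration, not the parameters used in the thesis."""
from typing import List, Optional, Tuple


def kalman_flags(rates: List[float], window: int = 3, q: float = 4.0,
                 r: float = 25.0, k: float = 4.0) -> Tuple[List[float], List[int]]:
    """Flag seconds whose smoothed request rate deviates from the Kalman
    prediction by more than k innovation standard deviations.

    window: trailing-mean width used to smooth the raw waveform
    q: process-noise variance (how fast the legitimate baseline may drift)
    r: measurement-noise variance (per-second jitter in request counts)
    Returns (baseline estimate per second, indices flagged as anomalous).
    """
    x = rates[0]        # state: estimated baseline request rate
    p = r               # variance of that estimate
    estimates, flagged = [], []
    for i in range(len(rates)):
        # waveform smoothing: trailing mean of the last `window` samples
        z = sum(rates[max(0, i - window + 1):i + 1]) / min(window, i + 1)
        p_pred = p + q                  # random walk: mean carries over
        innovation = z - x              # measurement minus prediction
        s = p_pred + r                  # innovation variance
        if abs(innovation) > k * s ** 0.5:
            flagged.append(i)
        gain = p_pred / s
        x = x + gain * innovation       # the filter keeps adapting, so a
        p = (1.0 - gain) * p_pred       # sustained flood is flagged at onset
        estimates.append(x)
    return estimates, flagged


def attack_start(rates: List[float], **kw) -> Optional[int]:
    """Position the attack: first second whose innovation trips the alarm."""
    _, flagged = kalman_flags(rates, **kw)
    return flagged[0] if flagged else None


# Constructed sample: 32 s of jittery ~100 req/s traffic, then a flood of
# ~400 req/s beginning at second 32.
BASELINE = [100, 103, 97, 101, 99, 104, 96, 100] * 4
FLOOD = [400 + (i % 3) * 5 for i in range(10)]
REQUESTS_PER_SECOND = [float(v) for v in BASELINE + FLOOD]

if __name__ == "__main__":
    print("attack onset at second", attack_start(REQUESTS_PER_SECOND))
```

Because the filter keeps updating its baseline, only the first seconds of a flood trip the innovation alarm; a deployment would pair this onset detector with the rate-level checks the thesis describes rather than rely on it alone.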
Keywords/Search Tags: App-DDoS Attacks, Anomaly Detection, Flow Analysis, Kalman Filtering, Marking Access, d-SVDD, Frequent Sequential Pattern Mining