
The Detection And Tracing Of DDoS Attack Based On The Analysis Of Self-similarity Behaviors

Posted on: 2015-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhan
GTID: 2298330434954071
Subject: Information and Communication Engineering
Abstract/Summary:
A DDoS attack targets a specific host in a network and forces it to fail to provide normal network service. Because DDoS attack tools have appeared, launching a DDoS attack has become simple and effective, and the number of network security incidents caused by DDoS attacks keeps growing. As DDoS attack methods and tools are continually upgraded, the harm they cause grows, and DDoS attacks have become one of the major threats to today's Internet security.

This paper proposes an analysis method, derived from the characteristics of DDoS attacks, that is based on users' self-similarity behaviors. It studies the entropy values of specific fields, such as socket fields and TCP identifier fields, during DDoS attacks, borrows some characteristics of protein-protein interaction networks from bioinformatics, and then uses the variation in these feature entropy values to establish a target protein-protein interaction network for each type of DDoS attack.

To trace and locate the source of a DDoS attack, this paper uses the characteristics of active networks and designs an overall method to detect and trace DDoS attacks. The method is based on time-sharing statistics and creates an RTCT field for each packet. The server side classifies the packets and generates individuals according to their RTCT values, then uses the same feature entropy values to establish a protein-protein interaction network for each individual. Finally, the server compares each individual's protein-protein interaction network with the target protein-protein interaction network to decide whether that individual carried out a DDoS attack. If an attack exists, the server decomposes the individual's RTCT value to locate the attack source and restore the attack path.

The experimental results show that the method is more sensitive to DDoS attacks, can detect or forecast DDoS attacks, and can point out the type of DDoS attack exactly. The method can also locate the attack source and restore the attack path correctly in a complex network topology.
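
The time-sliced field-entropy statistic mentioned in the abstract can be illustrated as follows. This is an added example, not code from the thesis: the packet records are constructed, TCP flags stand in for the "TCP identifier fields", and the 10-second window, two-window baseline and 1-bit threshold are assumptions. The protein-protein interaction network comparison and RTCT tracing are not reproduced, because the abstract does not specify them.

```python
import math
from collections import Counter, defaultdict

FIELDS = {"src_ip": 1, "src_port": 2, "dst_port": 3, "tcp_flags": 4}  # tuple indexes

def make_sample():
    """Constructed records: (time_s, src_ip, src_port, dst_port, tcp_flags)."""
    pkts = []
    for w in (0, 1):  # two ordinary windows: 5 clients, mixed flags
        for i in range(40):
            flags = ("SYN", "ACK", "PSH-ACK", "FIN-ACK")[i % 4]
            pkts.append((w * 10 + i * 0.25, f"10.0.0.{i % 5 + 1}", 40000 + i % 8, 80, flags))
    for i in range(200):  # third window: SYN-only burst from 200 distinct sources
        pkts.append((20 + i * 0.05, f"198.51.100.{i + 1}", 1024 + i, 80, "SYN"))
    return pkts

def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    n = sum(counts.values())
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())

def window_entropies(pkts, width=10.0):
    """Per-field entropy for each time slice of `width` seconds."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p[0] // width)].append(p)
    return {w: {f: entropy(p[i] for p in ps) for f, i in FIELDS.items()}
            for w, ps in sorted(buckets.items())}

def flag_windows(ents, baseline=2, threshold=1.0):
    """Windows whose entropy moved >= threshold bits from the baseline mean."""
    base = {f: sum(ents[w][f] for w in range(baseline)) / baseline for f in FIELDS}
    flagged = {}
    for w, e in ents.items():
        delta = {f: round(e[f] - base[f], 2) for f in FIELDS}
        if w >= baseline and any(abs(d) >= threshold for d in delta.values()):
            flagged[w] = delta
    return flagged

if __name__ == "__main__":
    for w, delta in flag_windows(window_entropies(make_sample())).items():
        print(w, delta)
```

In the constructed burst window, source address and port entropy rise sharply while TCP flag entropy collapses to zero, which is the kind of per-field change a detector built on these statistics compares against its baseline.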
Keywords/Search Tags: DDoS attacks, self-similarity behaviors, feature entropy values, protein-protein interaction networks, time-sharing statistics, RTCT value