
Research On High-effective Local Anomaly Detection For Distributed Denial Of Service Attack

Posted on: 2016-06-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y K Liu
Full Text: PDF
GTID: 2348330509460586
Subject: Computer science and technology
Abstract/Summary:
A Distributed Denial-of-Service (DDoS) attack is generally defined as an attack in which the attacker controls a large number of hosts in the network to send fake messages to the victim machine. DDoS consumes the resources of the victim machine and makes it unable to provide service for normal requests. This thesis studies single-point detection technology in depth, and designs and implements a new attack detection prototype system.

Most single-point detection technologies capture network packets with a single thread or process. The drawback of this method is that it cannot collect the network's packets fully and effectively, which reduces the timeliness and accuracy of the detection system. This thesis designs and implements a highly efficient local anomaly detection prototype system. First, multiple threads capture packets in parallel from different interfaces at the single point and store them in shared memory. Then, the destination IP address is extracted, compressed and stored in the Sketch to form the general matrix information; the information entropy of the current general matrix and the dynamic threshold of the queue matrix are calculated, and the entropy is compared with the dynamic threshold to determine whether a DDoS attack is present. Finally, the calculated current general matrix information is stored at the queue head, the current general matrix information is accumulated with the network anomaly information, and the suspicious general matrix information is obtained through a reverse algorithm.

To display the attack results visually for users, this thesis applies the low-coupling MVC method to implement the front-end display software, which can fully show the attack information detected by the back end. Experimental results show that, compared with the traditional single-point detection method, the detection system detects attack information in a more timely and accurate manner, reducing the degree of damage to the victim machine; users can also visually analyze and judge the attack situation through the front-end display software.
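
The entropy-versus-dynamic-threshold step described above, as an added Python example that is not code from the thesis. The hash choice, sketch size, queue length, the `mean - K * std` threshold rule, queuing entropies rather than whole matrices, and treating a drop in destination-IP entropy as the attack signal are all assumptions of this example; the traffic is constructed.

```python
import hashlib, math, random
from collections import deque
from statistics import mean, pstdev

ROWS, COLS = 4, 64     # sketch size (assumed)
HISTORY = 8            # windows kept in the queue (assumed)
K, MIN_STD = 3.0, 0.1  # threshold = mean - K * max(std, MIN_STD) (assumed rule)

def sketch_of(dst_ips):
    """Compress one window of destination IPs into a ROWS x COLS counter matrix."""
    m = [[0] * COLS for _ in range(ROWS)]
    for ip in dst_ips:
        for r in range(ROWS):
            d = hashlib.blake2b(ip.encode(), digest_size=4, salt=bytes([r])).digest()
            m[r][int.from_bytes(d, "big") % COLS] += 1
    return m

def matrix_entropy(m):
    """Mean Shannon entropy in bits over the rows of the sketch."""
    def row_entropy(row):
        n = sum(row)
        return -sum(c / n * math.log2(c / n) for c in row if c) if n else 0.0
    return sum(row_entropy(row) for row in m) / len(m)

class Detector:
    def __init__(self):
        self.queue = deque(maxlen=HISTORY)  # head = most recent window

    def observe(self, dst_ips):
        """Return (is_attack, entropy, threshold) for one window."""
        h = matrix_entropy(sketch_of(dst_ips))
        if len(self.queue) < HISTORY:       # warm-up: no threshold yet
            self.queue.appendleft(h)
            return False, h, None
        threshold = mean(self.queue) - K * max(pstdev(self.queue), MIN_STD)
        attack = h < threshold              # traffic concentrating on few destinations
        if not attack:                      # assumption: keep attack windows out of the baseline
            self.queue.appendleft(h)
        return attack, h, threshold

def constructed_window(rng, victim=None):
    """Constructed sample traffic: 2000 packets to 200 hosts, plus an optional flood."""
    ips = [f"10.0.{rng.randrange(200)}.1" for _ in range(2000)]
    return ips + [victim] * 8000 if victim else ips

if __name__ == "__main__":
    rng, det = random.Random(1), Detector()
    for i in range(12):
        print(i, det.observe(constructed_window(rng)))
    print("flood", det.observe(constructed_window(rng, victim="10.0.7.1")))
```

The example stops at the detection decision; the accumulation with network anomaly information and the reverse algorithm that recovers the suspicious matrix are not modelled.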
Keywords/Search Tags:DDoS attack, parallel-detection threads, matrix of Sketch, CUSUM, information entropy, dynamic threshold, MVC