
Research On DDoS Attack Detection Technology Based On Network Behavior Analysis

Posted on: 2018-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: S L Liu
GTID: 2348330512497018
Subject: Electronic and communication engineering

Abstract/Summary:
With the rapid development of the Internet in recent years, more and more application-layer services and applications, including Web services, have been developed and used. Application-layer security issues have become increasingly prominent, and application-layer security is becoming more important. Network attacks against Web servers occur frequently, and the distributed denial-of-service (DDoS) attack is one of the most difficult and destructive of them. A DDoS attack prevents users from accessing the target service by consuming the target's resources, which is a great threat to the availability of the network and of network services. Compared with traditional DDoS, application-layer DDoS attacks are better hidden and more destructive. DDoS attack detection is an important part of a security system: rapid and accurate detection and identification of attacks provides effective support for security defense. Most existing DDoS detection methods have difficulty distinguishing an attacker's abnormal requests from large volumes of normal requests. A detection method based on network behavior analysis can identify the attacker's abnormal behavior, so it is very necessary to study DDoS detection based on network behavior analysis.

In this paper, according to the way the attacker selects URLs when attacking a Web service, application-layer DDoS attacks on Web services are divided into fixed-URL attacks, random-URL attacks and traversal-URL crawler attacks, and the URL request rates are analyzed for each type of attack. URL requests are regarded as a discrete random variable; the URL request entropy is obtained and compared with the URL request entropy under normal conditions in order to find the difference in behavior under DDoS attack. On this basis, the detection results are further optimized, and a DDoS attack detection method based on a URL joint information entropy vector is proposed. The request entropy vector combines the URL request entropy with the information entropy of the residence time on the URL page. The simulation results show that the proposed algorithm can effectively distinguish Web server DDoS attacks from normal burst traffic (Flash Crowd). Finally, through research and analysis of the current mainstream DDoS attack tools, and based on the laboratory's SOA Web environment, a simulation experiment is used to test the feasibility and effectiveness of the detection method. The experimental results show that the joint entropy vector detection method based on network behavior analysis can significantly reduce the false detection rate.
Keywords/Search Tags: DDoS, Network behavior analysis, Information entropy, Flash Crowd
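The two-component entropy vector described in the abstract, as an added Python example (not code from the thesis): it computes URL request entropy and dwell-time entropy per window and compares them with a normal baseline. The dwell-time approximation (gap between a client's consecutive requests, bucketed by `bin_width`), the `classify` decision rule, the tolerances and all sample windows are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return sum(c / n * math.log2(n / c) for c in counts.values())

def entropy_vector(requests, bin_width=1.0):
    """requests: (client, timestamp_s, url) tuples from one time window.
    Returns (H_url, H_dwell). Dwell time is approximated (assumption) as the
    gap between consecutive requests of one client, bucketed by bin_width."""
    by_client = defaultdict(list)
    for client, ts, _ in requests:
        by_client[client].append(ts)
    gaps = []
    for stamps in by_client.values():
        stamps.sort()
        gaps += [int((b - a) // bin_width) for a, b in zip(stamps, stamps[1:])]
    return shannon_entropy(url for _, _, url in requests), shannon_entropy(gaps)

def classify(vec, baseline, tol):
    """Assumed rule: URL entropy off baseline with human-like dwell entropy is
    a flash crowd; both components off baseline is treated as DDoS."""
    url_dev = abs(vec[0] - baseline[0]) > tol[0]
    dwell_dev = abs(vec[1] - baseline[1]) > tol[1]
    if url_dev and dwell_dev:
        return "ddos"
    return "flash-crowd" if url_dev else "normal"

def session(client, hits):
    return [(client, t, url) for t, url in hits]

# Constructed sample windows (not measured data).
NORMAL = (session("u1", [(0, "/home"), (3, "/news"), (11, "/home"), (12, "/about")])
          + session("u2", [(1, "/home"), (6, "/shop"), (8, "/home"), (15, "/news")]))
FIXED_URL = [(b, t, "/index") for b in ("b1", "b2") for t in range(4)]
RANDOM_URL = [(b, t, f"/p{b}{t}") for b in ("b1", "b2") for t in range(4)]
FLASH_CROWD = (session("u3", [(0, "/home"), (4, "/home"), (6, "/home"), (13, "/home")])
               + session("u4", [(1, "/home"), (2, "/home"), (10, "/home"), (13, "/news")]))

BASELINE = entropy_vector(NORMAL)   # (1.75, log2(6)) for the window above
TOL = (0.75, 1.0)                   # assumed tolerances, in bits

if __name__ == "__main__":
    for name, win in [("normal", NORMAL), ("fixed-url", FIXED_URL),
                      ("random-url", RANDOM_URL), ("flash-crowd", FLASH_CROWD)]:
        print(name, entropy_vector(win), classify(entropy_vector(win), BASELINE, TOL))
```

The fixed-URL window collapses URL entropy to 0 and the random-URL window raises it to 3 bits, while both have zero dwell-time entropy; the flash-crowd window also has low URL entropy but keeps baseline-like dwell-time entropy, which is what the second component is used to separate here.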