Research On Detection Method Of DDoS Attack Based On Behavior Characteristics

Posted on: 2019-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y N Chen
GTID: 2428330566982924
Subject: Control engineering
Abstract/Summary:
The network security situation is increasingly serious, and Distributed Denial of Service (DDoS) attacks are among the most difficult and destructive attacks. Recent statistics show that attackers increasingly favor application-layer DDoS attacks. Application-layer DDoS attacks are highly stealthy and can quickly achieve the purpose of the attack, which poses a great challenge for DDoS attack detection and defense. The traditional approach of detecting DDoS attacks at the network layer, by counting packets of the underlying protocols and similar methods, has certain limitations against changeable application-layer DDoS attacks. An analysis of current application-layer DDoS attack detection methods shows that most of them start from the user's behavior characteristics and detect attacks by calculating the deviation between normal and abnormal user behavior. The complexity of the algorithms, the large amount of data and other factors lead to low detection efficiency and a high false detection rate. Aiming at rapid detection and fewer false detections, this paper proposes an application-layer DDoS attack detection method based on user characteristics. The main work and innovations are as follows:

In terms of feature analysis, the characteristics of application-layer DDoS attacks and of normal users are analyzed and compared. Application-layer DDoS attacks differ significantly from normal users in three aspects: request frequency, traffic size, and page popularity. Mining these three characteristics from massive log data enables accurate application-layer DDoS attack detection with a lower false detection rate than previous detection methods.

In terms of algorithms, a detection tree model is constructed using the improved decision tree classification algorithm C4.5. A decision tree has a simple structure, easily understood generation rules, high classification accuracy, and a high detection rate. Since the attribute values used in this paper are continuous, the improved C4.5 algorithm is used to build the decision tree in order to improve the efficiency of the algorithm.

In terms of modeling, the model first cleans the data collected from the web log, identifies sessions, and identifies each user's access process, treating each user as an instance. It then calculates numerical characteristics for each user, such as access frequency, average flow size, and page popularity. Finally, a decision tree model is built from the processed training data samples, and the model is tested with the test data set to evaluate its detection rate and false alarm rate. The experimental results show that the decision tree constructed from these three characteristics has a higher detection rate for application-layer distributed denial of service attacks and can also accurately distinguish between normal user access and DDoS attacks under large traffic bursts; detecting asymmetric attacks reduces the false detection rate.
Keywords/Search Tags:Application Layer, DDoS Attack, User Behavior Feature, Decision Tree, Attack Detection
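
The preprocessing stage described in the abstract (clean the web log, group entries per user, compute request frequency, average traffic size and page popularity) can be sketched as follows. This is an added example, not code from the thesis. It assumes Common Log Format input, one instance per client IP in place of full session identification, and its own feature definitions, since the abstract does not give them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Common Log Format (not data from the thesis).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2019:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [18/Sep/2019:10:00:20 +0000] "GET /news.html HTTP/1.1" 200 7300
10.0.0.6 - - [18/Sep/2019:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.6 - - [18/Sep/2019:10:01:40 +0000] "GET /news.html HTTP/1.1" 200 7300
10.0.0.9 - - [18/Sep/2019:10:00:01 +0000] "GET /report.pdf HTTP/1.1" 200 90000
10.0.0.9 - - [18/Sep/2019:10:00:01 +0000] "GET /report.pdf HTTP/1.1" 200 90000
10.0.0.9 - - [18/Sep/2019:10:00:02 +0000] "GET /report.pdf HTTP/1.1" 200 90000
truncated entry that the cleaning step must drop
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} (\d+)$')

def parse(log_text):
    """Cleaning step: keep well-formed entries, drop everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, size = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, path.split("?")[0], int(size)

def extract_features(log_text):
    """One instance per client IP (assumed stand-in for session identification)."""
    by_user, visitors = defaultdict(list), defaultdict(set)
    for ip, when, path, size in parse(log_text):
        by_user[ip].append((when, path, size))
        visitors[path].add(ip)
    # Assumed definition: popularity of a page = share of users who requested it.
    popularity = {p: len(ips) / len(by_user) for p, ips in visitors.items()}
    features = {}
    for ip, hits in by_user.items():
        times = [h[0] for h in hits]
        span = max((max(times) - min(times)).total_seconds(), 1.0)  # avoid /0
        features[ip] = {
            "req_per_sec": len(hits) / span,
            "avg_bytes": sum(h[2] for h in hits) / len(hits),
            "avg_popularity": sum(popularity[h[1]] for h in hits) / len(hits),
        }
    return features

if __name__ == "__main__":
    print(extract_features(SAMPLE_LOG))
```

Each resulting row is a vector of three continuous attributes, the kind of instance a decision tree learner such as C4.5 takes as training input once labels are attached.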