
Research And Implementation Of Flood Attack Detection And Defense Method Based On Abnormal Behavior Of Network Flow

Posted on: 2021-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Chen
GTID: 2428330611956205
Subject: Software engineering
Abstract/Summary:
With the rapid development of big data technology, Internet flooding attacks (IFA) occur more frequently and cause serious harm. The explosive growth of network traffic and the high complexity of big data pose serious challenges for IFA detection and defense. This paper proposes an Autoregressive Integrated Moving Average (ARIMA) time series flooding attack detection model based on the Network Abnormal Feature Value (NAFV), and a two-stage clustering algorithm (TCA) based on Density-Based Spatial Clustering of Applications with Noise (DBSCAN). Based on these algorithms, a flood attack detection and defense system is established. The main research work is as follows:

1. This paper first conducted an in-depth investigation of detection and defense methods for flood attacks, and summarized the deficiencies of current methods based on the domestic and foreign research status. Starting from the principle of flood attacks and drawing on classic cases, the characteristics of flood attack traffic are summarized.

2. In view of the shortcomings of existing flood attack detection methods in the big data environment, such as a high false alarm rate and prolonged detection time, this paper proposed a flood attack detection method based on abnormal behavior of network flow. A database called IPD that can quickly access and compare IP addresses was established. The IPD uses consecutive bits to store and mark IP addresses, reducing the time complexity of querying IP addresses. Then, through statistics and analysis of the changes in the number of new and old IPs, NAFV is defined to divide the network status into three categories: normal network status, flooding attack and network congestion. Finally, an ARIMA time series model based on the fused eigenvalues of abnormal behavior of network flow is established to predict the anomalies caused by flooding attacks.

3. In view of the problem that clustering input parameters and clustering noise have a great influence on the results of existing clustering methods, this paper proposed an algorithm called TCA based on DBSCAN. This method uses the similarity of the clustering data to perform clustering from two aspects: cluster morphology and density. Experimental results show that the method can distinguish clusters of different shapes and densities, that is, it can distinguish normal network traffic from abnormal network traffic.

4. Finally, this paper implemented a flood attack detection and defense system. The system includes an abnormal network flow capture module, a traffic monitoring module, an attacked end analysis module, and an abnormal network flow blocking module. Functional and performance testing show that the system achieves real-time monitoring and defense against abnormal network traffic. The system visualizes abnormal network traffic and records attack logs. It can analyze the types and characteristics of attacks received by the victim, which is of great significance for actively defending against flood attacks.

Theoretical analysis and experimental results show that the proposed flood attack detection and defense method has the advantages of short delay and high efficiency, and is of great significance for responding to flood attacks in a big data environment. The flood attack detection and defense system proposed in this paper applies the above two models to realize real-time monitoring and blocking of abnormal network flows, ensuring the normal communication security of the attacked end, and has broad application prospects in the field of defense against flood attacks.
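The IPD idea from item 2, sketched as an added example that is not code from the thesis: a bitmap with one bit per IPv4 address gives constant-time "seen before?" lookups, and per-window counts of new and old source IPs follow from it. The lazy /16 paging, the names `IPBitmap` and `window_stats`, the `new_ratio` field and the sample windows are assumptions; the abstract does not give the NAFV formula, so it is not reproduced here.

```python
import ipaddress

PAGE_BYTES = (1 << 16) // 8  # assumption: one lazily allocated 8 KiB page per /16


class IPBitmap:
    """One bit per IPv4 address; a set bit means the address was seen before."""

    def __init__(self):
        self.pages = {}  # high 16 bits of the address -> bytearray page

    def test_and_set(self, ip):
        """Mark ip as seen; return True if it was already marked (an 'old' IP)."""
        n = int(ipaddress.IPv4Address(ip))
        page = self.pages.get(n >> 16)
        if page is None:
            page = self.pages[n >> 16] = bytearray(PAGE_BYTES)
        low = n & 0xFFFF
        byte, mask = low >> 3, 1 << (low & 7)
        seen = bool(page[byte] & mask)
        page[byte] |= mask
        return seen


def window_stats(windows):
    """Count distinct new and old source IPs in each consecutive time window."""
    known = IPBitmap()
    stats = []
    for window in windows:
        new = old = 0
        for ip in set(window):  # count each source once per window
            if known.test_and_set(ip):
                old += 1
            else:
                new += 1
        # new_ratio is an illustrative signal, not the thesis's NAFV definition
        stats.append({"new": new, "old": old, "new_ratio": new / max(new + old, 1)})
    return stats


# Constructed sample: documentation-range addresses, three time windows.
SAMPLE_WINDOWS = [
    ["192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.8"],  # warm-up
    ["192.0.2.10", "192.0.2.11", "198.51.100.7", "192.0.2.12"],    # steady state
    ["192.0.2.10", "198.51.100.7"] + [f"203.0.113.{i}" for i in range(1, 201)],
]

if __name__ == "__main__":
    for i, s in enumerate(window_stats(SAMPLE_WINDOWS)):
        print(i, s)
```

The first window is all "new" only because the bitmap starts empty; the third, dominated by previously unseen sources, shows the kind of shift in new and old IP counts that the abstract says NAFV is defined from.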
Keywords/Search Tags: flood attack, abnormal behavior of network flow, ARIMA, big data