
Distributed Denial-of-Service Attack Detection Based On Traffic

Posted on: 2011-01-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M H Li
GTID: 1118360305499868
Subject: Computer application technology

Abstract/Summary:
Distributed Denial of Service (DDoS) attacks remain one of the most difficult problems in network security because they are widely distributed and involve many participants. Research on DDoS attacks focuses mainly on detection, and traffic-based detection, that is, network-based detection, is an important direction in the field. Many difficulties in DDoS detection remain unsolved; three of them are as follows. First, methods for distinguishing normal burst traffic from abnormal attack flow are lacking, which lowers the attack detection rate. Second, attackers are difficult to trace because the source addresses of their attack packets are forged. Third, it is unclear how to protect a server adaptively so that it can respond quickly to the requests of legitimate users under severe attack.

This thesis focuses on traffic-based attack detection methods, in order to solve the problem of recognizing normal abrupt traffic among abnormal flow, and proposes an approach that can control network traffic adaptively under severe attack. First, the research background on DDoS attack detection, attack classification and current detection techniques is briefly reviewed with respect to the main issues of the thesis. Second, because traffic-based detection methods require an understanding of traffic features, these features are studied first. By analysing the traffic impurity rate, the composition of traffic is studied, and it is concluded that the ratio of the number of normal users to the number of other users is almost constant. Using probability theory, it is shown that traffic has the characteristics of a normal distribution and of periodicity. These features are the foundation on which the detection models are built. In addition, since the impurity rate of traffic is almost constant, the thesis attempts to reveal the relation between the traffic impurity rate and traffic self-similarity.

Based on the study and analysis of traffic features, a new measure that can be used for attack detection is proposed. The measure is proved to be independent of the normal traffic volume and the number of normal users, while being influenced by attack traffic. On this basis, the problem that normal abrupt traffic is difficult to distinguish from abnormal flow can be solved. Tested on real data, the algorithm that uses this measure achieves a higher detection rate. To minimise the influence of random traffic, the wavelet technique is used in the detection algorithm. During detection, the monitored traffic is decomposed into many levels by the wavelet transform. The decomposed data show that attack characteristics are mainly concealed in the mid-to-high level data, which makes it possible to choose level data that are little influenced by normal abrupt traffic and can be used in the detection algorithm. Tested with these level data, the algorithm is robust against normal traffic jumps and achieves a better attack detection rate. To improve the run-time detection capability of the algorithm, a recursive algorithm and a restore method for traffic statistics are proposed.

Detecting attacks is only the first step in preventing them; another important step is how to respond to the detection result. To protect a server and keep it providing good service to its normal users under severe attack, a model of an adaptive traffic detection and control system is proposed. The model consists of two parts, one for detecting attacks and the other for controlling traffic. To detect attacks and control traffic automatically, a control formula is given, and based on its stability analysis the criterion for traffic control is provided. Because router capability is limited, an application server is added to the adaptive system; it can send attack messages to its upstream routers in time in every case. Because methods for identifying attackers are lacking, the system first protects the interests of the majority of legitimate server users under attack. On this basis, an algorithm for automatic attack detection and traffic control is proposed. Owing to its complexity, the algorithm is decomposed into three parts: the first runs on the server (the victim), the second on the application server and the third on the router. Simulation of the system shows that the algorithm meets the design requirements.
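The wavelet step described in the abstract, as an added illustration that is not the thesis's own algorithm or data: a Haar decomposition of a constructed packets-per-second series, comparing per-level detail energy for a smooth legitimate burst (flash crowd) against a ragged flood. The choice of the finest level as the detection band, the 20x threshold and the synthetic traffic shapes are all assumptions made here.

```python
import math

def haar_decompose(series, levels):
    """Apply the Haar transform `levels` times. Returns (approximation,
    details); details[0] is the finest (highest-frequency) band."""
    approx = list(series)
    details = []
    for _ in range(levels):
        if len(approx) % 2:                      # drop a trailing odd sample
            approx = approx[:-1]
        if len(approx) < 2:
            break
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(a - b) / math.sqrt(2) for a, b in pairs])
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return approx, details

def detail_energy(series, levels):
    """Mean squared detail coefficient per level (index 0 = finest)."""
    _, details = haar_decompose(series, levels)
    return [sum(c * c for c in d) / len(d) for d in details]

def energy_ratio(window, baseline, levels):
    """Per-level energy of `window` relative to an attack-free `baseline`."""
    w, b = detail_energy(window, levels), detail_energy(baseline, levels)
    return [wi / bi for wi, bi in zip(w, b)]

def flag_attack(window, baseline, level=0, levels=4, threshold=20.0):
    """Flag when the chosen detail level carries `threshold` times the
    baseline energy. Level 0 (finest) is an assumed stand-in for the
    thesis's chosen levels; the threshold is an assumption too."""
    return energy_ratio(window, baseline, levels)[level] > threshold

def traffic(n=256, flood=None, flash=None):
    """Constructed series: periodic baseline plus deterministic jitter,
    optionally with a ragged flood or a smooth legitimate burst (flash
    crowd) over the given [start, end) tick ranges."""
    out = []
    for t in range(n):
        v = 1000 + 200 * math.sin(2 * math.pi * t / 64)
        v += 30 * math.sin(2.3 * t) * math.cos(0.7 * t)
        if flood and flood[0] <= t < flood[1]:
            v += 3000 + 800 * ((t * 37) % 5 - 2)  # varies every tick
        if flash and flash[0] <= t < flash[1]:
            up = min(1.0, (t - flash[0]) / 32)    # 32-tick ramps
            down = min(1.0, (flash[1] - t) / 32)
            v += 3000 * min(up, down)
        out.append(v)
    return out
```

The smooth burst puts its energy into the coarser levels, so the finest-level ratio stays low, while the tick-to-tick variation of the flood dominates the finest level.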
Keywords/Search Tags: Distributed denial-of-service, detection, adaptive control, traffic, algorithm