
Researches On The Detection Methods For Distributed Denial Of Service Attack Based On Network Flow Features

Posted on: 2011-08-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J R Cheng
Full Text: PDF
GTID: 1118360308985581
Subject: Computer Science and Technology
Abstract/Summary:
Distributed Denial of Service (DDoS) attacks, which severely threaten network availability, are among the main threats the Internet faces. DDoS attack detection is an important stage in defending against such attacks and largely determines overall defence performance. Although a great deal of prior work exists on DDoS attack detection, most of it shows obvious defects as new attack techniques continue to develop. Recently, the exploration of novel and essential methods of DDoS attack detection, aimed at improving detection quality and solving the problems met in real applications, has aroused considerable interest in the information security community. The basic idea of this thesis is to use independent detection mechanisms at different network positions. Based on the different features that attack flows and normal flows exhibit at those positions, this thesis makes a thorough study of the main essential methods of DDoS attack detection. The main contributions are as follows:

(1) We propose a DDoS attack detection method based on Address Correlation Degree (ACD). We investigated the varying features that distinguish DDoS attack flows from normal flows at the victim side. Whereas most current methods use only a single feature caused by the attack, we propose considering a combination of several attack features, such as the abrupt traffic change, flow asymmetry and the distributed source IP addresses. We propose the concept of ACD, transform the ACD time series extracted from the network flows into a parameter vector by AR (autoregressive) model parameter fitting, and then classify the resulting state-variation feature series with an SVM (Support Vector Machine) classifier to detect DDoS attacks in real time. Experiments show that ACD reflects well the different state-variation features of normal flows and attack flows, and that the ACD-based method detects DDoS attacks in real time with good accuracy.

(2) We propose a DDoS attack detection method based on attack features via the ARMA (autoregressive moving average) prediction model. Most current methods extract attack features directly from network flows and are therefore easily disturbed by normal background flows. This thesis thoroughly analyses the features of attack flows and normal flows at the key nodes near the victim. Based on multiple attack features of the attack flows, we propose the concept of the IP Flow Feature Value (FFV). To calculate FFV, we first remove some normal flows according to the address asymmetry of the attack flows, which reduces the interference of normal flows, and then extract the attack feature from the different characteristics of the attack flows. As an extension, we also propose an FFV-based ARMA prediction model for DDoS attack detection, which further reduces the interference caused by normal flows and increases detection quality. Experimental results show that our methods reduce the disturbance from normal flows, extract the features of attack flows well, and thus recognise the anomaly caused by attack flows quickly and effectively.

(3) We propose a three-state partition detection method based on flow interaction behaviour features. Near the attack sources, the attack flows generated by individual attack sources are usually small and similar to normal flows, so existing detection methods cannot effectively distinguish normal flows from attack flows, and their detection performance near the attack source is unsatisfactory. This thesis thoroughly analyses the network interaction behaviour of normal users and of attackers in DDoS attacks that use source IP address spoofing, and proposes the IP Flow Interaction Behaviour Feature (IBF). According to IBF, we define three states of network flows (Health State, Quasi-Health State and Abnormal State) and propose an IBF-based three-state model (ITSM) detection method. Experimental results show that ITSM effectively extracts the features of normal and abnormal flows and recognises anomalies within normal flows.

(4) We propose a time-series correlation pattern detection method based on multi-feature fusion. Most current methods at the attack-source side rely on the asymmetry of the attack flows. However, a single source in a DDoS attack generates only a small volume of traffic, in most cases with spoofed IP addresses, and indirect DDoS attack methods are sometimes used, so the asymmetry of attack flows is not so obvious. Based on the interaction characteristics of normal flows and DDoS attack flows, this thesis combines multiple attack features of DDoS attack flows and proposes an IP Flow Multi-feature Fusion algorithm (MFF). Based on the correlation between the context of the MFF series and the related detection results, we propose an MFF-based time-series correlation pattern detection method (MTCP). Experimental results show that MFF distinguishes normal flows from attack flows well and reflects their different features, and that MTCP detects DDoS attacks quickly and effectively while reducing false positives.

(5) We propose a change-point detection method based on a half-interaction feature series. In large-scale DDoS attacks, some key routing devices forward a large volume of converged DDoS attack traffic while also forwarding a large volume of normal traffic. As a result, current methods are strongly affected by the large volume of normal flows, which leads to high false positive and false negative rates. This thesis proposes the concept of the IP Flow Address Half Interaction Anomaly Degree (HIAD). We extract HIAD from the abnormal flows in the network, transform the HIAD time series into CSTS with an improved Cumulative Sum (CUSUM) algorithm, and propose the CSTS-based DDoS attack detection (CDAD) method. Experiments show that CDAD extracts the features of DDoS attack flows from the abnormal flows and recognises DDoS attacks rapidly and effectively.
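The pipeline shared by contributions (1) and (5) above, as an added example that is not code from the dissertation: flows are cut into fixed windows, a per-window feature is built from several attack cues at once (abrupt traffic change, flow asymmetry, dispersed source addresses), and a change-point detector runs over the resulting time series. The fused feature here is a simplified stand-in chosen for illustration; the abstract does not give the formulas for ACD, FFV or HIAD. The detector is the classic one-sided (Page) CUSUM, not the thesis's improved variant, and the `Flow` records, thresholds and addresses are all constructed for the example.

```python
"""Flow-feature time series with one-sided CUSUM change-point detection.

Added example, not code from the dissertation. The fused feature and the
constructed traffic are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    t: float        # start time in seconds
    src: str        # source IP
    dst: str        # destination IP
    packets: int    # packets sent src -> dst
    replied: bool   # True if dst sent anything back (two-way flow)


WINDOW = 1.0        # seconds per observation window
TRAIN = 10          # leading attack-free windows used as the baseline
DRIFT = 0.25        # CUSUM allowance: slack tolerated above the baseline mean
THRESHOLD = 5.0     # CUSUM decision threshold (in units of the baseline mean)


def window_features(flows: List[Flow], n_windows: int) -> List[Tuple[float, float, int]]:
    """Per window: (packet rate, one-way-flow ratio, distinct source count)."""
    buckets = defaultdict(list)
    for f in flows:
        idx = int(f.t // WINDOW)
        if 0 <= idx < n_windows:
            buckets[idx].append(f)
    feats = []
    for i in range(n_windows):
        fl = buckets[i]
        n = len(fl)
        rate = sum(f.packets for f in fl) / WINDOW
        one_way = sum(1 for f in fl if not f.replied) / n if n else 0.0
        feats.append((rate, one_way, len({f.src for f in fl})))
    return feats


def fused_score(rate: float, one_way: float, n_src: int) -> float:
    """Illustrative fusion (assumed): the score only rises when all three cues rise."""
    return rate * one_way * n_src


def cusum(series: List[float], target: float, drift: float, threshold: float):
    """One-sided (upper) Page CUSUM. Returns (statistic series, first alarm index or None)."""
    s, stats, alarm = 0.0, [], None
    for i, x in enumerate(series):
        s = max(0.0, s + (x - target - drift))  # accumulate excess over target+drift, floor at 0
        stats.append(s)
        if alarm is None and s > threshold:
            alarm = i
    return stats, alarm


def detect(flows: List[Flow], n_windows: int) -> Optional[int]:
    """Index of the first window at which CUSUM alarms, or None if no change is found."""
    feats = window_features(flows, n_windows)
    scores = [fused_score(*f) for f in feats]
    baseline = sum(scores[:TRAIN]) / TRAIN       # learned from attack-free windows
    z = [sc / baseline for sc in scores]          # 1.0 means "like the baseline"
    _, alarm = cusum(z, target=1.0, drift=DRIFT, threshold=THRESHOLD)
    return alarm


def make_flows(n_windows: int, attack_start: Optional[int] = None) -> List[Flow]:
    """Constructed traffic: 10 mostly two-way client flows per window from 8 hosts,
    plus, from attack_start on, 200 one-way flows per window from 200 distinct
    spoofed sources (a spoofed-source flood as seen at the victim)."""
    flows = []
    for i in range(n_windows):
        for k in range(10):
            flows.append(Flow(i * WINDOW + k * 0.01, f"192.0.2.{(i + k) % 8}",
                              "198.51.100.10", 10 + (i + k) % 3, (i + k) % 7 != 0))
        if attack_start is not None and i >= attack_start:
            for j in range(200):  # 7 is coprime to 256, so the first octets are distinct
                flows.append(Flow(i * WINDOW + 0.5, f"10.{(j * 7) % 256}.0.{j % 256}",
                                  "198.51.100.10", 1, False))
    return flows


if __name__ == "__main__":
    print("normal only:", detect(make_flows(20), 20))
    print("attack from window 12:", detect(make_flows(20, attack_start=12), 20))
```

In the constructed data the normalised score stays between roughly 0.7 and 1.45 in normal windows, so with an allowance of 0.25 the CUSUM statistic never accumulates far from zero and the normal-only run returns `None`; the first flood window drives the one-way ratio above 0.9 and the source count to 208, and the alarm fires in that same window. The allowance and threshold are what trade detection delay against false positives, which is the tuning problem the abstract's fifth contribution addresses for routers that also carry heavy normal traffic.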
Keywords/Search Tags: Network security, Distributed denial of service, Flow feature, Feature fusion, Time series, Alarm evaluation, Intrusion detection