
Research Of DDoS Attacks Detection Methods Based On Spectrum Analysis And Statistical Machine Learning

Posted on: 2014-08-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S W Chen
Full Text: PDF
GTID: 1268330401476889
Subject: Communication and Information System

Abstract/Summary:
Following the fundamental technique research tasks of the "New Generation Network with High Trustability" and "Common Security and Control Framework in Tri-Network Convergence" projects of the National High-Tech Research and Development Program of China (863 Program), this thesis studies DDoS attack detection methods under the unified scheme of "Distributed Detection, Hierarchical Defence, and Centralized Situational Awareness". At the macroscopic level of attack awareness and the microscopic level of specific detection methods, the thesis proposes spectrum-analysis-based sensing methods for flooding attacks and low-rate attacks that operate on the IP packet sequence. At the same time, DDoS attack detection is transformed into a binary classification problem in machine learning, and detection methods built on the Hidden Markov Model, the Twin Support Vector Machine and Conditional Random Fields are implemented.

For macroscopic awareness, the thesis proposes a flooding DDoS attack detection method based on Hurst parameter estimation with the fast fractional Fourier transform (FFrFT). Because DDoS attacks influence the self-similarity characteristic of network traffic, attacks can be detected by monitoring the change of the Hurst parameter against a threshold. The FFrFT-based Hurst parameter estimation method, with low computational complexity and high estimation accuracy, outperforms other well-known methods such as R/S and wavelet analysis. The thesis also proposes a detection method for low-rate DoS attacks based on Bartlett power spectrum estimation; experiments show that the consistency and true positive rate of the Bartlett power spectrum method are better than those of the rectangular-window and triangular-window methods.

For the specific detection methods of DDoS attacks, three detection strategies based on statistical machine learning models are proposed separately. The machine learning models are the Hidden Markov Model, the Twin Support Vector Machine and Conditional Random Fields.

Firstly, based on the multi-feature parallel Hidden Markov Model (MFP-HMM), a DDoS attack detection method using probability-point discrimination is proposed. Using the relationship between the HMM hidden-state sequence and the observed characteristic sequence, the multi-dimensional feature changes caused by DDoS attacks are translated into discrete random variables. The deviation between the current sliding-window sequence and the normal behaviour profile is then characterized by computing the probability of the sequence. The MFP-HMM architecture processes the multi-dimensional characteristics in parallel, which makes it easy to add new processing modules; the translation of characteristic sequences into observation sequences through the sliding window can be accelerated by a multi-level hardware pipeline, which lays the foundation for reconfigurable design and distributed deployment. Experiments show that the MFP-HMM-based method achieves higher detection accuracy and a lower false positive rate than the standard HMM.

Secondly, based on the Least Squares Twin Support Vector Machine (LSTSVM), a DDoS attack detection method using hyperplane classification is proposed. With the help of the optimization methods used in solving machine learning problems, this method improves the detection rate and reduces the false positive rate. The dispersion of source IP addresses and the concentration of destination IP addresses under DDoS attacks are captured by features such as IP flow entropy, IP identification, TCP header flags and packet rate. On the DARPA 2000 datasets and the TFN2K attack datasets, experiments show that this method, with high detection accuracy and a low false positive rate, outperforms the Naive Bayes algorithm, K-nearest neighbours, the standard SVM and other methods in distinguishing normal burst traffic from DDoS attacks.

Finally, a Conditional Random Fields based method is proposed. It makes full use of multi-feature fusion without requiring the features to be strictly independent, so it can effectively combine pattern-matching-based methods with the anomaly-detection-based approach. Both the detection rate and the false positive rate are improved under Conditional Random Fields. The concept of IP flow quintuple entropy is put forward as the multi-feature vector for DDoS attack detection. Experiments show that the CRF-based method has higher detection accuracy and a lower false positive rate, as well as strong resistance to background noise and good robustness.
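As an added illustration, not code from the thesis or this record, the following computes the sliding-window IP entropy features the abstract relies on (source dispersion rising, destination concentration falling under a flood) over a constructed packet trace. The window size, the threshold rule and the trace itself are assumptions standing in for the thesis's learned classifiers and datasets.

```python
"""Sliding-window source/destination IP entropy features (constructed example)."""
from collections import Counter
import math


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def window_features(packets, window):
    """Return (H(src), H(dst)) for each consecutive non-overlapping window of
    `window` packets; each packet is a (src_ip, dst_ip) tuple."""
    feats = []
    for i in range(0, len(packets) - window + 1, window):
        w = packets[i:i + window]
        feats.append((shannon_entropy([p[0] for p in w]),
                      shannon_entropy([p[1] for p in w])))
    return feats


def flag_windows(feats, baseline_windows, k=1.0):
    """Flag a window when source entropy rises by more than `k` bits above the
    baseline mean AND destination entropy falls by more than `k` bits below it.
    The baseline is the first `baseline_windows` windows, assumed normal.
    This fixed-threshold rule is an assumption; the thesis uses LSTSVM/CRF."""
    base = feats[:baseline_windows]
    src_mean = sum(f[0] for f in base) / len(base)
    dst_mean = sum(f[1] for f in base) / len(base)
    return [f[0] > src_mean + k and f[1] < dst_mean - k for f in feats]


def build_trace():
    """Constructed trace: 160 normal packets (8 sources, 5 destinations),
    then 160 flood packets (40 distinct sources, one destination)."""
    normal = [(f"10.0.0.{1 + i % 8}", f"192.0.2.{1 + i % 5}") for i in range(160)]
    flood = [(f"198.51.100.{1 + i % 40}", "192.0.2.9") for i in range(160)]
    return normal + flood


if __name__ == "__main__":
    feats = window_features(build_trace(), 40)
    for (hs, hd), flagged in zip(feats, flag_windows(feats, 4)):
        print(f"H(src)={hs:.2f} H(dst)={hd:.2f} flagged={flagged}")
```

With 40-packet windows the four normal windows sit at H(src)=3.00, H(dst)=2.32 and the four flood windows at H(src)=5.32, H(dst)=0.00, so only the flood windows are flagged.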
Keywords/Search Tags: DDoS attacks, Self-similarity, Fractional Fourier Transform, Bartlett Spectrum Estimate, Hidden Markov Model, Twin Support Vector Machine, Conditional Random Fields