
Detecting DDoS Attacks Based On Multi-stream Combined HMM In Source-end Network

Posted on: 2008-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2178360212996005
Subject: Computer system architecture
Abstract/Summary:
Distributed Denial of Service (DDoS) attacks have posed an immense threat to the Internet in recent years, so detection of and defence against DDoS attacks have become a focus of network security research. Researchers constantly advance network security systems, while attackers in turn improve their tools to survive the new security systems. Both the variety and the sophistication of DDoS attack tools are growing rapidly. Therefore an abstract, formalized description and taxonomy is necessary for DDoS detection, DDoS defence, and forecasting the trends of DDoS attacks. There is related work on this question, but all of it describes attacks in natural language and classifies them according to some of their specific properties. An abstract, formalized description and taxonomy is therefore needed to identify and classify existing attack tools and their later editions, and the taxonomy should be scalable to deal with new attacks.

In addition, according to the position where the detection system is deployed, there are three types of detection method: detection deployed in victim networks, detection in intermediate networks (normally deployed on Internet core routers), and detection in source-end networks. Compared with the other two, DDoS detection systems deployed in source-end networks are superior: first, they can perceive and throttle attacks before the attack flows enter the Internet; second, trace-back is faster and easier because the system is near the attack sources, so it costs less than other ways of detection; third, compared with core routers, routers deployed in source-end networks can provide more resources for detection. Source-end detection of DDoS attacks is therefore important for improving the QoS of the whole Internet and for strengthening its resistance to malicious attacks.

However, source-end detection faces some difficulties. First, highly dispersed attacks with low per-source attack rates have become the trend in DDoS attacks. The attack flow in a source-end network is so dispersed that traditional detection algorithms have trouble distinguishing attack flows from normal flows, which leads to high false-positive and false-negative rates. Second, there are a large number of source-end networks, and they are distributed separately; to protect the whole Internet, a large number of source-end detection systems would have to be deployed. Third, administrators of source-end networks usually pay little attention to defending against DDoS attacks, because DDoS attacks usually have no heavy impact on the source-end network itself, and this gives attackers a good chance to build their attack network, for example by scanning for zombies. Existing detection systems are based on a single feature extracted from the source-end network, so they cannot synthesize multiple factors. Although single-feature detection algorithms have been improved, their precision is limited: a single feature cannot describe the complex variation in a source-end network. Thus the key to raising the precision and sensitivity of source-end DDoS detection is how to synthesize multiple factors.

This paper analyzes the mechanisms of DDoS attacks and focuses on a formalized taxonomy and on source-end detection of DDoS attacks. The main work is as follows:

1. Having analyzed popular DDoS attack tools and attack mechanisms, this paper proposes four typical topologies of DDoS attack networks (the Agent-Zombie (A-Z) Model, the Agent-Master-Zombie (A-M-Z) Model, the Agent-Master-Reflector-Zombie (A-M-R-Z) Model, and the Agent-IRC-Zombie (A-IRC-Z) Model) and several attack methods. It also enumerates several typical DDoS attack tools and forecasts the development trends of DDoS attacks in the coming period.

2. Having analyzed existing taxonomies of DDoS attacks, this paper proposes a novel, abstract method for describing DDoS attacks with a characteristic tree and a three-tuple, and introduces an original formalized taxonomy based on similarity and hierarchical clustering. The taxonomy was evaluated by classifying 12 real DDoS attack tools. The results show that it classifies complicated attack samples accurately and can also handle the classification of new attacks by expanding the feature set. The taxonomy is also useful for developing realistic models for DDoS simulation and for performing attack detection and analysis as a plug-in, and it can be packaged as an automated tool to aid rapid response to DDoS attacks.

3. After analyzing the characteristics and difficulties of source-end detection of DDoS attacks, we propose a novel approach using a Multi-stream Combined Hidden Markov Model (MC-HMM) to integrate multiple features simultaneously, and describe both the Hidden Markov Model (HMM) and the MC-HMM. The features include the S-D-P feature, the TCP header flags, and the IP header ID field. In addition, we use the Kaufman algorithm to adjust and update the threshold value dynamically. Our experiments show that the approach effectively reduces both the false-positive and the false-negative rate, and that the detection precision of the MC-HMM based on multiple detection features is clearly better than that of the other main algorithms based on a single feature. The MC-HMM method can detect DDoS attacks early and can adapt to a more complex network detection environment.

Finally, the contents of the paper are summarized and future work is proposed.
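As an added illustration (not the thesis's code) of how a multi-stream combined HMM scores several per-window feature streams at once, here is a small Python model: one shared hidden-state chain emits three discrete streams (the S-D-P count, the TCP flag mix and the IP ID regularity, binned into constructed symbols), the forward algorithm gives a window sequence's likelihood under a normal-traffic model, and an adaptive threshold flags sequences whose anomaly score is too high. All parameters, the symbol bins, and the EWMA threshold update standing in for the Kaufman algorithm are assumptions.

```python
import math
# Two latent regimes of normal traffic (0 idle, 1 busy); an attack shows as low likelihood.
STATES = (0, 1)
INITIAL = [0.7, 0.3]
TRANSITION = [[0.9, 0.1], [0.3, 0.7]]
# Per-stream emission tables indexed [state][symbol]; symbols are constructed bins:
#   sdp:   0/1/2 = low/medium/high count of distinct (src, dst, port) triples per window
#   flags: 0 = balanced TCP flag mix, 1 = SYN-dominated
#   ipid:  0 = IP ID fields increment per host as usual, 1 = irregular IP ID pattern
EMISSION = {
    "sdp":   [[0.80, 0.15, 0.05], [0.30, 0.50, 0.20]],
    "flags": [[0.90, 0.10],       [0.80, 0.20]],
    "ipid":  [[0.95, 0.05],       [0.90, 0.10]],
}
WEIGHT = {"sdp": 1.0, "flags": 1.0, "ipid": 1.0}   # stream weights (all equal here)
NORMAL_WINDOW = {"sdp": 0, "flags": 0, "ipid": 0}   # constructed observation
ATTACK_WINDOW = {"sdp": 2, "flags": 1, "ipid": 1}   # constructed observation

def combined_emission(state, obs):
    """Multi-stream emission: product of per-stream probabilities raised to stream weights."""
    return math.prod(EMISSION[s][state][obs[s]] ** WEIGHT[s] for s in obs)

def log_likelihood(seq):
    """Scaled forward algorithm over the shared state chain; returns log P(seq | model)."""
    alpha, logp = list(INITIAL), 0.0
    for t, obs in enumerate(seq):
        if t:  # propagate through the transition matrix after the first window
            alpha = [sum(alpha[i] * TRANSITION[i][j] for i in STATES) for j in STATES]
        alpha = [alpha[j] * combined_emission(j, obs) for j in STATES]
        scale = sum(alpha)
        logp += math.log(scale)
        alpha = [a / scale for a in alpha]
    return logp

def likelihood(seq):
    return math.exp(log_likelihood(seq))

def anomaly_score(seq):
    return -log_likelihood(seq) / len(seq)  # per-window NLL: larger = less like normal

class AdaptiveThreshold:
    """EWMA stand-in for the page's undescribed Kaufman update: flag score > mean + k * dev."""
    def __init__(self, k=3.0, decay=0.1, mean=0.6, dev=0.1):
        self.k, self.decay, self.mean, self.dev = k, decay, mean, dev
    def flag(self, score):
        if score > self.mean + self.k * self.dev:
            return True  # flagged windows do not update the normal baseline
        self.dev += self.decay * (abs(score - self.mean) - self.dev)
        self.mean += self.decay * (score - self.mean)
        return False
```

The per-stream tables can be fitted separately from training data while the state chain stays shared, which is what lets the combined model weigh the three features jointly instead of thresholding each one alone.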
Keywords/Search Tags: Multi-stream