Research Of A DDoS Detection Method Based On Multi-feature Likeness

Posted on: 2008-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: B Yu
Full Text: PDF
GTID: 2178360242472548
Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet in recent years, network attacks occur frequently and new attack methods keep appearing. The DDoS attack is one of the most destructive. How to detect this attack and reduce the damage it causes has therefore become a topic of network security research throughout the world.

To address this problem, the thesis studies DDoS detection in the setting of a campus LAN. The main work is divided into four parts.

First, a study of DDoS detection methods. The thesis analyses the current detection methods and detection models for DDoS attacks and summarises the merits and flaws of the misuse detection method and the anomaly detection method. It then describes the principle of realization of the current detection models and the circumstances each is suited to. Based on this study, the thesis chooses the anomaly detection method.

Second, a DDoS detection method based on multi-feature likeness is proposed, after analysing the distribution of traffic into the inner network and the changes in network features when there is an attack. The chosen features are traffic distribution, packet size distribution and network protocol distribution, and attacks are detected from the statistical data.

Third, a framework for an anomaly detection system for DDoS attacks is constructed. The system is divided into a data collection module, an attack detection module and a tracking module. The process has three steps: first, it collects the traffic data flowing into the inner network, sorts the data according to the three features, and lists the top N entries of each feature within the sampling time; then it calculates the likenesses between adjacent sampling times and combines them into a new likeness using a dynamic weight method; finally, it analyses the likeness of adjacent sampling times and detects an anomaly according to the threshold. If there is an anomaly, it calls the tracking module to detect attacks.

Finally, the results of the simulation experiment are analysed. This part simulates the system and validates the availability of the proposed detection method. A great number of experiments show that the detection method based on multi-feature likeness can detect DDoS attacks against large-scale network traffic; to some extent, the method can decrease the false positive rate and false negative rate, can obtain a good detection effect before the DDoS attacks the Internet, and can be applied to detect unknown types of DDoS attacks.
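The three-step process described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the abstract does not define the likeness measure or the dynamic weighting, so cosine similarity and deviation-proportional weights are assumptions here, as are the threshold value, the packet fields and the constructed sample traffic.

```python
from collections import Counter
from math import sqrt

# Traffic distribution, packet-size distribution, protocol distribution
FEATURES = ("dst", "size_bucket", "proto")

def top_n(packets, feature, n=5):
    """Top-N histogram of one feature within a sampling window."""
    counts = Counter(p["size"] // 256 if feature == "size_bucket" else p[feature]
                     for p in packets)
    return dict(counts.most_common(n))

def likeness(a, b):
    """Cosine similarity of two top-N histograms (assumed likeness measure)."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def combined_likeness(prev, cur, n=5):
    """Mix per-feature likenesses with dynamic weights (assumed scheme:
    a feature that changed more between windows gets a larger weight)."""
    sims = [likeness(top_n(prev, f, n), top_n(cur, f, n)) for f in FEATURES]
    devs = [1.0 - s for s in sims]
    total = sum(devs)
    if total > 1e-12:
        weights = [d / total for d in devs]
    else:  # nothing changed: fall back to equal weights
        weights = [1.0 / len(sims)] * len(sims)
    return sum(w * s for w, s in zip(weights, sims))

def detect(windows, threshold=0.6, n=5):
    """Indexes of windows whose likeness to the previous window is below threshold."""
    return [i for i in range(1, len(windows))
            if combined_likeness(windows[i - 1], windows[i], n) < threshold]

# Constructed sample traffic: three inner hosts with a stable TCP/UDP mix.
def _normal():
    pkts = []
    for host, count in (("10.0.0.5", 40), ("10.0.0.6", 35), ("10.0.0.7", 25)):
        pkts += [{"dst": host, "size": 1200, "proto": "TCP"}] * (count * 7 // 10)
        pkts += [{"dst": host, "size": 300, "proto": "UDP"}] * (count * 3 // 10)
    return pkts

# Constructed flood window: many small UDP packets toward one inner host.
def _flood():
    return _normal() + [{"dst": "10.0.0.9", "size": 64, "proto": "UDP"}] * 2000

WINDOWS = [_normal(), _normal(), _flood(), _flood()]
```

Because only adjacent sampling windows are compared, `detect(WINDOWS)` flags the onset window and not the second flood window, which resembles the first. A sustained attack therefore relies on the follow-up step (the tracking module in the thesis) rather than on repeated likeness alarms.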
Keywords/Search Tags: DDoS, Likeness, Multi-feature, Threshold