
Research On DDoS Attack Detection Based On Wavelet Analysis

Posted on: 2009-09-30    Degree: Master    Type: Thesis
Country: China    Candidate: D Q Pei    Full Text: PDF
GTID: 2178360242476828    Subject: Communication and Information System
Abstract/Summary:
DDoS (Distributed Denial of Service) is a distributed, coordinated attack: the attacker controls a large number of hosts and directs them to send millions of packets at the target system, exhausting its resources so that legitimate users cannot obtain service. DDoS has caused heavy losses on the network, but because of its stealth and its distributed nature it is hard to detect and prevent. In recent years the detection and prevention of DDoS attacks has become an active research topic. This thesis builds on the self-similarity of network traffic and studies the detection and prevention of DDoS attacks using wavelet analysis.

The thesis first describes the current state, the principles and the methods of intrusion detection, then surveys the research on DDoS. Wavelet analysis has become a popular method in both theory and engineering; its multi-scale analytical capability allows a more accurate analysis of a signal. Both published results and our own experiments show that network traffic exhibits self-similarity. We therefore give an algorithm for estimating the self-similarity of network traffic by the wavelet method, which is the theoretical basis of the thesis.

Secondly, we describe how DoS attacks are carried out and analyze their mechanism, in particular the mechanism of low-rate DoS attacks from the viewpoint of TCP congestion control. We design a DDoS detection and prevention model. The model extracts traffic information from IP packet headers, calculates the Hurst parameter and decides whether the traffic is in a normal state. The reference Hurst parameter is adapted automatically in the manner of a digital filter in signal processing. When an attack is detected, the model uses the concept of a connection trust domain to protect the target system. Experiments show that the model detects both high-rate and low-rate DoS attacks, and that the target system can still provide service to legitimate users to some extent even while under attack.

In this model, traffic capture and information extraction are the performance-critical parts. We develop two traffic capture methods on Linux and show that traffic information extraction performs better when certain optimizations are applied. Finally, we investigate the potential deployment environments of the DDoS detection and prevention model. Since the trend in information security is for different security modules to interact with one another, we investigate how our model interacts with a firewall system and a security audit system.
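The abstract names the three moving parts of the detector (a wavelet estimate of the Hurst parameter per traffic window, a reference value that tracks slowly like a digital filter, and a normal/attack decision) but not the wavelet basis, window size, filter or threshold. The following is an added illustration written for this page, not the thesis's own code: it uses the Haar wavelet and an Abry-Veitch style fit of log2 detail energy against scale, an EWMA (first-order IIR low-pass) as the "digital filter" reference, and constants chosen by us. The ON/OFF traffic generator and the flood model are constructed sample input, not the thesis's data.

```python
"""Wavelet Hurst estimation with an adaptive reference (added example, not the
thesis's code).  Haar wavelet, Abry-Veitch style fit, EWMA reference; all
window sizes, thresholds and sample traffic below are our own assumptions."""
import math
import random


def haar_detail_energies(x, levels):
    """Mean squared Haar detail coefficient per scale j = 1..levels.

    Orthonormal Haar step: detail d = (x[2i] - x[2i+1]) / sqrt(2) and
    approximation a = (x[2i] + x[2i+1]) / sqrt(2); the next level is taken
    from the approximation.  Stops early once a level would have fewer than
    8 coefficients, since its energy estimate would be too noisy to fit."""
    energies, a = [], [float(v) for v in x]
    for _ in range(levels):
        pairs = len(a) // 2
        if pairs < 8:
            break
        details = [(a[2 * i] - a[2 * i + 1]) / math.sqrt(2) for i in range(pairs)]
        a = [(a[2 * i] + a[2 * i + 1]) / math.sqrt(2) for i in range(pairs)]
        energies.append(sum(d * d for d in details) / pairs)
    return energies


def hurst_from_energies(energies):
    """Least-squares fit of log2(S_j) against j.  For long-range dependent
    traffic E[S_j] ~ 2^(j (2H - 1)), so H = (slope + 1) / 2.  A flat window
    has zero detail energy; it is floored so the log stays finite."""
    if len(energies) < 2:
        raise ValueError("need at least two scales to fit a slope")
    js = list(range(1, len(energies) + 1))
    ys = [math.log2(max(e, 1e-12)) for e in energies]
    mj, my = sum(js) / len(js), sum(ys) / len(ys)
    sxx = sum((j - mj) ** 2 for j in js)
    sxy = sum((j - mj) * (y - my) for j, y in zip(js, ys))
    return (sxy / sxx + 1) / 2


def estimate_hurst(x, levels=6):
    return hurst_from_energies(haar_detail_energies(x, levels))


class HurstDetector:
    """Flag a window whose H deviates from a slowly tracking reference.

    The reference is an EWMA, i.e. a first-order IIR low-pass, which is our
    reading of the abstract's "like a digital filter".  Only windows judged
    normal update it, so an attack cannot drag the reference toward itself."""

    def __init__(self, h_ref=0.75, alpha=0.1, delta=0.15):
        self.h_ref, self.alpha, self.delta = h_ref, alpha, delta

    def update(self, h):
        attack = abs(h - self.h_ref) > self.delta
        if not attack:
            self.h_ref = (1 - self.alpha) * self.h_ref + self.alpha * h
        return attack


def onoff_traffic(rng, n, sources=32, alpha=1.4):
    """Constructed 'normal' traffic: packets per slot from superposed ON/OFF
    sources with Pareto-tailed periods (shape alpha in (1, 2)).  Aggregates of
    such sources are the classic model of self-similar traffic, H = (3 - alpha)/2."""
    counts = [0] * n
    for _ in range(sources):
        t, on = 0, rng.random() < 0.5
        while t < n:
            length = min(int(1.0 / (1.0 - rng.random()) ** (1.0 / alpha)), n - t)
            if on:
                for k in range(t, t + length):
                    counts[k] += 1
            t, on = t + length, not on
    return counts


def flood_traffic(rng, base):
    """Constructed attack window: normal traffic plus a botnet flood with a
    roughly steady per-slot rate (uniform jitter), which pushes the aggregate
    toward white noise and hence H toward 0.5."""
    return [c + rng.randrange(40, 61) for c in base]


def white_noise_hurst(n=4096, seed=1):
    """Sanity check: iid Gaussian samples have no long memory, so H ~ 0.5."""
    rng = random.Random(seed)
    return estimate_hurst([rng.gauss(0, 1) for _ in range(n)])


def run_demo(window=1024, seed=7):
    """(H, attack?) per window over 8 normal windows followed by 2 flood windows."""
    rng = random.Random(seed)
    series = onoff_traffic(rng, 8 * window)
    series += flood_traffic(rng, onoff_traffic(rng, 2 * window))
    hs = [estimate_hurst(series[s:s + window], levels=5)
          for s in range(0, len(series), window)]
    det = HurstDetector(h_ref=hs[0], alpha=0.2, delta=0.15)  # calibrate on a clean window
    return [(round(h, 3), det.update(h)) for h in hs]


if __name__ == "__main__":
    print("white noise H =", round(white_noise_hurst(), 3))
    for i, (h, attack) in enumerate(run_demo()):
        print(f"window {i}: H={h:.3f} {'ATTACK' if attack else 'normal'}")
```

The two things to take from the example are the scaling relation (a doubling of detail energy per level corresponds to H = 1, flat energy to H = 0.5) and the reason the reference is only fed from windows judged normal: an EWMA that also averages attack windows would slowly accept the attack as the new baseline, which is exactly the failure mode a low-rate attacker relies on.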
Keywords/Search Tags: Intrusion Detection, Distributed Denial of Service, Wavelet Analysis, Self-similarity, Connection Trust Domain