
Detecting DDoS Attacks Based On Network Traffic Correlation

Posted on: 2009-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: X M Zhang
Full Text: PDF
GTID: 2178360242497738
Subject: Computer application technology
Abstract/Summary:
Distributed denial of service (DDoS) attacks exploit weaknesses of the TCP/IP protocol suite as deployed in today's IPv4 networks: source IP addresses are easy to forge, and the origin of an attack is hard to trace. Because the attack is launched from many sources at once, the traffic it produces is chaotic and legitimate requests are hard to separate from malicious connections, which makes DDoS attacks harder still to defend against. Research shows that, short of revising the entire TCP/IP protocol suite, today's connectionless, stateless packet-switched networks cannot eliminate DDoS attacks completely; they can only be detected and mitigated, and their damage reduced, by macroscopic methods.

This thesis systematically introduces the basic principles, types and features of DDoS attacks. After studying how DDoS attacks affect the correlation of macroscopic network traffic, it proposes a method for detecting DDoS attacks based on network traffic correlation. Correlation analysis is carried out on two attributes of the traffic, traffic volume and IP address, and each analysis is verified experimentally.

The first method is based on variance analysis of the Hurst exponent. It studies how DDoS attacks affect the correlation of traffic volume, examines how the Hurst exponent behaves under attack, and defines the rate of change of the Hurst exponent as the detection measure. A decision criterion for DDoS attacks is then derived from extensive tests on the MIT Lincoln Laboratory DARPA data sets. The experiments show that this method separates normal traffic from DDoS attack traffic well, but it also has a high false-positive rate. The study found that the statistical similarity between burst traffic and DDoS attack traffic strongly interferes with this detection method.

The second method is based on the degree of similarity of IP addresses. It studies the degree of similarity between burst traffic and DDoS attack traffic, and defines the concept of degree of similarity and how to compute it. Experiments confirm that this method distinguishes DDoS attacks from burst traffic effectively and resolves the problem found with the method based on variance analysis of the Hurst exponent.

The results show that detecting DDoS attacks by network traffic correlation, combining the correlation analysis of traffic volume with that of IP addresses, can distinguish DDoS attack traffic from both normal traffic and burst traffic, improving detection effectiveness.
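The two signals the abstract combines, written out as an added example (this is not code from the thesis and the thesis's own definitions and thresholds are not given on this page): the Hurst exponent of a per-second packet-count series is estimated with the aggregated-variance method, its relative change from a baseline window is the first method's statistic, and a source-IP similarity measure decides between a flash crowd and a flood. The similarity measure used here (share of a window's distinct source addresses already seen in the baseline), the client pool, the synthetic traffic and the thresholds are all constructed assumptions for illustration; the DARPA data sets are not used.

```python
"""Added example (not the thesis's code): combine Hurst-exponent drift in
the packet-count series with source-IP similarity to separate a DDoS flood
from a legitimate burst. The traffic, the similarity measure and the
thresholds are constructed assumptions for illustration."""
import math
import random

BLOCK_SIZES = (1, 2, 4, 8, 16, 32)


def aggregated_variance_hurst(series, block_sizes=BLOCK_SIZES):
    """Aggregated-variance estimate of the Hurst exponent H.

    For a self-similar process Var(X^(m)) ~ m^(2H-2), where X^(m) is the
    series averaged over non-overlapping blocks of m samples, so H is
    1 + slope/2 of the least-squares line of log Var against log m."""
    pts = []
    for m in block_sizes:
        n = len(series) // m
        if n < 2:
            continue
        means = [sum(series[i * m:(i + 1) * m]) / m for i in range(n)]
        mu = sum(means) / n
        var = sum((x - mu) ** 2 for x in means) / (n - 1)
        if var > 0:
            pts.append((math.log(m), math.log(var)))
    if len(pts) < 2:
        raise ValueError("series too short or constant for a Hurst estimate")
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    slope = (sum((x - mx) * (y - my) for x, y in pts)
             / sum((x - mx) ** 2 for x, _ in pts))
    return 1.0 + slope / 2.0


def hurst_change_rate(baseline_series, window_series):
    """Relative change of H from a reference window to the current window;
    a sudden flood or flash crowd shifts the long-range dependence and
    pushes this up, which is the first method's detection statistic."""
    h0 = aggregated_variance_hurst(baseline_series)
    h1 = aggregated_variance_hurst(window_series)
    return abs(h1 - h0) / abs(h0)


def ip_similarity(baseline_ips, window_ips):
    """Assumed similarity measure: share of the window's distinct source
    addresses that already appeared in the baseline. A flash crowd comes
    mostly from known clients, a spoofed or botnet flood from new ones."""
    current = set(window_ips)
    if not current:
        return 1.0
    return len(current & set(baseline_ips)) / len(current)


def classify(h_rate, similarity, h_threshold=0.5, sim_threshold=0.5):
    """Hurst drift alone raises the alarm for both floods and bursts (the
    false positives the abstract reports); IP similarity then decides."""
    if h_rate < h_threshold:
        return "normal"
    return "burst" if similarity >= sim_threshold else "ddos"


def synth_window(rng, pool, phases):
    """Constructed traffic: phases are (seconds, packets/s from the regular
    client pool, never-seen spoofed addresses/s). Returns the per-second
    packet-count series and the list of observed source IPs."""
    counts, ips = [], []
    for seconds, rate, spoofed in phases:
        for _ in range(seconds):
            n = max(0, int(rng.gauss(rate, 0.3 * rate)))
            src = [rng.choice(pool) for _ in range(n)]
            src += ["10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                      rng.randrange(256)) for _ in range(spoofed)]
            counts.append(len(src))
            ips.extend(src)
    return counts, ips


def demo(seed=7):
    """Baseline, then three 512-second windows whose second half is normal,
    a 10x flash crowd from the same clients, or a spoofed flood."""
    rng = random.Random(seed)
    pool = ["198.51.100.%d" % i for i in range(1, 201)]  # constructed client pool
    base_counts, base_ips = synth_window(rng, pool, [(512, 40, 0)])
    windows = {
        "normal": synth_window(rng, pool, [(512, 40, 0)]),
        "burst": synth_window(rng, pool, [(256, 40, 0), (256, 400, 0)]),
        "flood": synth_window(rng, pool, [(256, 40, 0), (256, 40, 400)]),
    }
    results = {}
    for name, (counts, ips) in windows.items():
        h_rate = hurst_change_rate(base_counts, counts)
        sim = ip_similarity(base_ips, ips)
        verdict = classify(h_rate, sim)
        results[name] = (round(h_rate, 3), round(sim, 3), verdict)
        print(f"{name:6s} H-change={h_rate:.3f} ip-similarity={sim:.3f} -> {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Running the block shows the false-positive problem the abstract describes: the step in volume pushes the Hurst estimate of both the burst and the flood window toward 1, so the Hurst-change statistic fires for both, and only the source-address similarity (near 1 for the flash crowd, near 0 for the spoofed flood) tells them apart. Real traffic is long-range dependent rather than the white noise constructed here, so the baseline H and the thresholds would have to be calibrated on a trace, as the thesis does with the DARPA data.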
Keywords/Search Tags:DDoS, Network self-similarity, Burst traffic, Degree of similarity