The Research On A Hybrid DDoS Intrusion Detection Method

Posted on: 2009-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: H L Yang
Full Text: PDF
GTID: 2178360275950858
Subject: Computer application technology
Abstract/Summary:
In recent years, distributed denial of service (DDoS) attacks have done great harm to the application and development of the Internet. Currently, the self-similarity of network traffic and time series analysis are important strategies and technologies for DDoS attack detection. However, these strategies and technologies are used individually, and the detection results are not ideal. This thesis systematically introduces the basic principles, types and features of DDoS attacks and, after studying the impact of DDoS attacks on the One-Way Connection Density and the heavy-tail property of macro-network traffic, proposes a method for detecting DDoS attacks based on the One-Way Connection Density and the heavy-tail property of network traffic. First, a new concept that reflects anomalies in network flow and can detect DDoS attacks, One-Way Connection Density (OWCD), is proposed. To understand the characteristics of the OWCD series, the OWCD time series is studied: its properties, namely typical value, variance, autocorrelation coefficient and power spectral density, are analysed for normal and abnormal flows, and these properties are used to judge flows as normal or abnormal. Some flows, however, remain unconfirmed. Then, if the four property values of an unidentified flow match the characteristics of an RoQ abnormal flow, the flow is either a burst flow or an RoQ abnormal flow, because burst flows and RoQ abnormal flows have similar property values.
Burst flows and RoQ abnormal flows are therefore discriminated by determining whether the network flow has the heavy-tail property, based on the fact that burst flows have the heavy-tail property while abnormal ones do not. Finally, to better defend against and study DDoS attacks, we determine the intensity of an attack by calculating the cumulative Euclidean distance of the OWCD time series. The results show that the method based on network One-Way Connection Density and the heavy-tail property can distinguish DDoS attack traffic from normal traffic and burst traffic, raising detection efficiency.
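
The stages named in the abstract, as an added Python sketch that is not code from the thesis. Assumptions, since the abstract gives no formulas: OWCD is taken as the share of host pairs in a sampling window that carry packets in one direction only, the heavy-tail check is a Hill estimate of the tail index of flow sizes with values below 2 counted as heavy-tailed, and attack intensity is the running sum of the distance between the OWCD series and a normal baseline. The power spectrum property is left out, and all sample data is constructed.

```python
import math
from collections import defaultdict

# Constructed sample: (time_s, src, dst). Window 0 is mostly two-way traffic;
# window 1 adds three sources that send to "victim" and never get a reply.
PACKETS = [(0.1, "a", "b"), (0.2, "b", "a"), (0.3, "c", "d"), (0.4, "d", "c"),
           (0.5, "e", "f"),
           (1.1, "a", "b"), (1.2, "b", "a"), (1.3, "x1", "victim"),
           (1.4, "x2", "victim"), (1.5, "x3", "victim")]

def owcd_series(packets, window):
    """Assumed OWCD: per window, share of host pairs seen in one direction only."""
    seen = defaultdict(lambda: defaultdict(set))
    for t, src, dst in packets:
        seen[int(t // window)][frozenset((src, dst))].add((src, dst))
    return [sum(len(dirs) == 1 for dirs in seen[w].values()) / len(seen[w])
            for w in sorted(seen)]

def series_stats(x):
    """Mean, variance and lag-1 autocorrelation coefficient of the series."""
    n, mean = len(x), sum(x) / len(x)
    var = sum((v - mean) ** 2 for v in x) / n
    if var == 0:
        return mean, 0.0, 0.0
    cov1 = sum((x[i] - mean) * (x[i + 1] - mean) for i in range(n - 1)) / n
    return mean, var, cov1 / var

def hill_tail_index(samples, k):
    """Hill estimator of the tail index from the k largest samples (needs > k)."""
    top = sorted(samples, reverse=True)[:k + 1]
    log_sum = sum(math.log(v / top[k]) for v in top[:k])
    return k / log_sum if log_sum > 0 else math.inf

def label_unconfirmed(flow_sizes, k, alpha_max=2.0):
    """Assumed rule: tail index below alpha_max means heavy-tailed, so burst."""
    return "burst" if hill_tail_index(flow_sizes, k) < alpha_max else "RoQ"

def cumulative_distance(series, baseline):
    """Running sum of |x_t - baseline|, the Euclidean distance in one dimension."""
    out, total = [], 0.0
    for v in series:
        total += abs(v - baseline)
        out.append(total)
    return out

if __name__ == "__main__":
    series = owcd_series(PACKETS, 1.0)
    print(series, series_stats(series), cumulative_distance(series, series[0]))
    print(label_unconfirmed([1, 2, 4, 8, 16], 4), label_unconfirmed([10, 11, 12, 13, 14], 4))
```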
Keywords/Search Tags: DDoS, Network self-similarity, One-Way Connection Density, Burst traffic, Heavy-tail property