
Research Of DDOS Detection Method Based On I/O Traffic And Features Likeness

Posted on: 2010-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: S C Zhan
GTID: 2178360275953742
Subject: Computer Science and Technology
Abstract/Summary:
The network is a double-edged sword: along with the convenience it brings to people, it also produces many problems, such as frequent network attacks and a ceaseless stream of new attack methods. DDOS, which takes advantage of protocol loopholes, is one of the most destructive attacks, and so far no good way to eradicate it has been found. How to detect the attack and reduce the damage it causes has therefore become a topic of network security research throughout the world.

This paper analyzes some of the existing DDOS attack detection methods, divides them into hardware detection and software detection, and summarizes their respective advantages and disadvantages. It then compares several software detection methods and explains their detection principles and suitable environments. Building on these detection methods, and taking the campus network as a particular large-scale LAN environment, a large number of normal-traffic and DDOS attack experiments found that features such as I/O traffic, protocol statistics, packet data statistics and port statistics change sharply. This led to the research of a DDOS detection method based on I/O traffic and feature likeness.

The main detection process is as follows. First, through multi-batch, large-sample statistics, the samples are compared and analyzed to find a suitable sample, which is assumed to be normal. A confidence interval is set up from this sample and used to judge abnormal flow behaviour. If the traffic is found to be abnormal, likeness is computed for the protocol, packet and port distributions: the top N data of each feature within the sampling time are listed, and the likenesses of adjacent sampling times are weighted and mixed into a new weighted value. Finally, the likeness of adjacent sampling times is analyzed and the anomaly is detected according to a threshold.

DDOS attack experiments and long-term observation of the campus network show that campus network anomalies can be found according to the confidence interval, and that calculating the DDOS feature likeness once abnormal flow is found gives a better judgment of a DDOS attack. This method is efficient compared with traditional ways.
Keywords/Search Tags:DDOS, I/O traffic, Confidence interval, Likeness, Threshold
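The two-stage procedure described in the abstract, as an added Python sketch that is not code from the thesis: a confidence-interval check on per-window I/O traffic, followed by a weighted likeness of the top-N protocol, packet-size and port distributions of adjacent windows. The cosine measure, the 95% level, the weights, the threshold and the direction of its test (low likeness flags an attack), the field names and all sample data are assumptions, since the abstract specifies none of them.

```python
import math
from collections import Counter
from statistics import mean, stdev

# All four values are assumptions; the abstract gives no numbers.
Z = 1.96          # 95% confidence level, treating the baseline as normally distributed
TOP_N = 3         # entries kept per feature in each sampling window
WEIGHTS = {"proto": 0.3, "size": 0.3, "port": 0.4}
THRESHOLD = 0.8   # weighted likeness below this marks a DDOS suspect

def confidence_interval(baseline_rates):
    """Stage 1 bounds: mean +/- Z * stdev of baseline per-window traffic."""
    m, s = mean(baseline_rates), stdev(baseline_rates)
    return m - Z * s, m + Z * s

def likeness(a, b):
    """Cosine similarity between two top-N count tables (assumed measure)."""
    a, b = dict(Counter(a).most_common(TOP_N)), dict(Counter(b).most_common(TOP_N))
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    norm = math.hypot(*a.values()) * math.hypot(*b.values())
    return dot / norm if norm else 0.0

def weighted_likeness(prev, cur):
    return sum(w * likeness(prev[f], cur[f]) for f, w in WEIGHTS.items())

def detect(baseline_rates, windows):
    """Label each window 'normal', 'abnormal' (volume only) or 'ddos'."""
    lo, hi = confidence_interval(baseline_rates)
    verdicts = []
    for prev, cur in zip([None] + windows, windows):
        if lo <= cur["rate"] <= hi:
            verdicts.append("normal")
        elif prev is not None and weighted_likeness(prev, cur) < THRESHOLD:
            verdicts.append("ddos")      # volume anomaly and the feature mix shifted
        else:
            verdicts.append("abnormal")  # volume anomaly, feature mix unchanged
    return verdicts

# Constructed sample data: packets per window, then per-feature packet counts.
BASELINE = [980, 1010, 1005, 990, 1020, 995, 1000, 1015]
WINDOWS = [
    {"rate": 1002, "proto": {"tcp": 800, "udp": 180, "icmp": 22},
     "size": {1500: 500, 64: 300, 576: 202}, "port": {443: 600, 80: 300, 53: 102, 22: 5}},
    {"rate": 1400, "proto": {"tcp": 1120, "udp": 250, "icmp": 30},   # busier, same mix
     "size": {1500: 700, 64: 420, 576: 280}, "port": {443: 840, 80: 420, 53: 140}},
    {"rate": 9000, "proto": {"udp": 8500, "tcp": 450, "icmp": 50},   # flood-like shift
     "size": {64: 8600, 1500: 300, 576: 100}, "port": {53: 8400, 443: 400, 80: 200}},
]
print(detect(BASELINE, WINDOWS))
```

The second window shows why the likeness stage matters: its volume falls outside the interval, but the feature mix matches the previous window, so it is reported as a volume anomaly only.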