
Detecting And Implementing DDoS Attacks Based On IP Address Correlation

Posted on: 2011-12-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Fan
GTID: 2198330332472249
Subject: Computer application technology
Abstract/Summary:
Existing DDoS attack detection methods suffer from problems such as a low detection rate, a narrow range of application, and weakness in distinguishing burst traffic from DDoS attacks. This thesis proposes a DDoS attack detection method based on an analysis of how DDoS attacks relate to network traffic size and IP addresses.

First, the thesis analyzes traffic flow features and defines the rate of variance of the Hurst exponent as the measure for distinguishing traffic changes caused by normal traffic from those caused by abnormal traffic. Then it analyzes IP address correlation, defines IP address similarity as the measure for distinguishing burst traffic from DDoS attacks, and calculates that similarity. The results show that a method based on traffic flow size and IP address features can distinguish DDoS attack traffic from both normal traffic and burst traffic, raising detection efficiency.

Using the improved algorithm, the thesis designs and partially implements a detection system model based on IP address correlation anomalies. The model is made up of a flow data acquisition module, a flow information statistics module, an anomaly detection module and an alarm information presentation module. The flow data acquisition module first examines the collected per-flow information and filters out single flows whose anomalies are more obvious, then stores the collected flow information in a database. The statistics module aggregates the collected flow information according to certain rules and stores the resulting data in the database, and the information presentation module displays the statistics that users are interested in. The anomaly detection module applies the new anomaly detection mechanism in the system. It can not only find traffic anomalies but also warn in time, which makes the monitoring system more practical.
Keywords/Search Tags:DDoS, self-similarity, burst traffic, detecting attacks