
Research And Implement On Detection DDoS System Based On Network Connection Features

Posted on: 2010-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: H L Li
GTID: 2198330338976259
Subject: Computer application technology

Abstract/Summary:
Distributed Denial of Service (DDoS) evolved from Denial of Service (DoS), which prevents normal users from using services by depleting network and server resources. DDoS attacks are characterized by sudden large flows, high intensity, short duration, etc., which requires that a detection system detect attacks rapidly and effectively. The purpose of this paper is to research a fast, efficient detection method in order to protect the network and servers as much as possible.

Firstly, from the standpoint of transmitted packets, the paper analyses the relationship between packets and network connections when the network suffers DDoS attacks. Under a DDoS attack, the network carries plenty of packets that are unable to establish communication with servers. These are called One-Way Connection Packets, and their volume is reflected by the One-Way Connection density. This paper adopts the One-Way Connection Packet Density to detect DDoS attacks, and uses the updated-dropped method to calculate the One-Way Connection Packet Density in a timely manner in order to reduce detection time.

Secondly, the detection algorithm, which is based on the Nonparametric CUSUM Algorithm, can improve detection accuracy. The offset that generates a negative-mean sequence is set according to the One-Way Connection Density mean, which makes the algorithm more self-adaptive. In the alarm section, on the one hand, an evaluation of alarm reliability is introduced, which can give the administrator suggestions; on the other hand, an alarm monitor module is added, which decides when to lift the alarm according to changes in the original sequence. This can reduce the depletion of alarm resources and check the effect of resistance to the attack.

Finally, the paper designs the detection system architecture, analyses the functions and technologies of every module in detail, and implements the detection system in a Linux environment. The experimental results illustrate that the detection characteristics and algorithm are effective.
Keywords/Search Tags: Distributed Denial of Service, Intrusion Detection Technology, One Way Connection, Nonparametric CUSUM Algorithm, Alarm Reliability Assessment
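The detection idea summarized in the abstract, as an added Python sketch that is not code from the thesis: a one-way connection density per window fed to a nonparametric CUSUM whose offset follows the running density mean, with an alarm monitor that lifts the alarm from the original sequence. The density definition (packets whose source/destination pair sees no reverse packet in the window), the EWMA baseline, all parameter values and the sample series are assumptions.

```python
def owc_density(packets):
    """Share of packets in one window whose (src, dst) pair has no reverse packet.
    Assumed definition; `packets` is a list of (src, dst) tuples."""
    seen = set(packets)
    one_way = sum(1 for s, d in packets if (d, s) not in seen)
    return one_way / len(packets) if packets else 0.0


class CusumDetector:
    """Nonparametric CUSUM: y_n = max(0, y_{n-1} + x_n - beta), alarm when y_n > threshold.
    beta = running mean + margin, so (x_n - beta) has a negative mean in normal traffic."""

    def __init__(self, threshold=1.0, margin=0.15, alpha=0.1, clear_after=3):
        self.threshold, self.margin = threshold, margin
        self.alpha, self.clear_after = alpha, clear_after
        self.mean, self.y, self.alarm, self.calm = None, 0.0, False, 0

    def update(self, x):
        """Feed one density sample; return True while the alarm is raised."""
        if self.mean is None:
            self.mean = x
        beta = self.mean + self.margin
        self.y = max(0.0, self.y + x - beta)
        if self.alarm:
            # Alarm monitor: watch the original sequence, not the slow-decaying sum.
            self.calm = self.calm + 1 if x <= beta else 0
            if self.calm >= self.clear_after:
                self.alarm, self.y = False, 0.0
        elif self.y > self.threshold:
            self.alarm, self.calm = True, 0
        elif self.y == 0.0:
            # Adapt the baseline only while no evidence of change is accumulating,
            # so a ramping attack cannot drag the offset upward.
            self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        return self.alarm


def run(series):
    det = CusumDetector()
    return [det.update(x) for x in series]


# Constructed density series: normal traffic, a 4-window flood, recovery.
SAMPLE = [0.1] * 5 + [0.8] * 4 + [0.1] * 5

if __name__ == "__main__":
    for x, alarm in zip(SAMPLE, run(SAMPLE)):
        print(f"density={x:.2f} alarm={alarm}")
```

On the constructed series the alarm is raised in the second attack window and lifted three normal windows after the flood ends, whereas the cumulative sum alone would need many more windows to decay below the threshold.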