
DDoS Global Detection Methods

Posted on: 2008-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: H Luo
GTID: 2208360212999938
Subject: Communication and Information System

Abstract/Summary:
DDoS attacks have a history of nearly 10 years. They are known for taking up bandwidth and consuming CPU and memory resources so that legitimate users cannot get normal service. Most well-known websites have been attacked at some point, and according to statistics the 13 root servers have been attacked several times. Nevertheless, there is currently no good way to detect DDoS attacks. The victim's network is well placed for detection but poorly placed for defending against and filtering attack packets; the attacker's network is well placed for defense and filtering but poorly placed for detection. Distributed defense is currently considered an effective approach against DDoS, but existing detection methods are based on part of the network or on a single link, so they have low accuracy and are ineffective for upstream filtering. This thesis focuses on these problems of the distributed defense mechanism; by studying network-wide DDoS detection methods and techniques, we obtained the following results.

Unlike traditional methods, we take the traffic matrix as the object of detection and exploit the time-domain correlation among attack traffic to detect an attack. Because both attack traffic and background traffic are strongly correlated, the correlation of the traffic matrix cannot be analyzed directly to detect an attack. We therefore first divide the high-dimensional traffic matrix into a normal space and an anomaly space using the PCA transform, which removes the correlation in the background traffic, and then analyze the correlation of the anomaly space to detect the attack. The simulation shows that this method can detect DDoS attacks effectively.

Time-domain detection requires a large volume of attack traffic. Research shows that the frequency characteristics of DDoS anomaly traffic are clearly different from those of normal traffic, so we move traffic-signal detection from the time domain to the frequency domain. The energy of attack traffic and normal traffic differs across frequency bands; the higher the proportion of attack-traffic energy to total energy, the easier the anomaly is to detect. The method first transforms the anomaly space into instantaneous frequency and then detects attacks by computing the correlation of the instantaneous frequency. Once the anomaly-space data is obtained, we use the Hilbert transform to obtain the analytic signal of the anomaly space and compute the instantaneous frequency over a sliding window. The simulation shows that this method works for noise signals as well as for regular signals.

A good detection method needs to be complemented by a good defense mechanism. Building on our network-wide detection method, we propose a new distributed network-wide defense mechanism based on two levels of detection, local and network-wide. Local nodes collect link traffic; while running local detection, they send link traffic and routing information to the central node, which uses this information for network-wide detection. Once a local node detects suspicious traffic, it notifies the central node to run network-wide detection. To keep attack detection real-time and reliable, we back up and protect the central node. The method we provide complements traditional filtering and traceback methods to form a DDoS defense system.
Keywords/Search Tags: Distributed Denial of Service, Traffic Matrix, Principal Component Analysis, Network-Wide Detection
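
The PCA split into normal space and anomaly space described in the abstract can be sketched as follows; this is an added example, not code from the thesis, and it runs on a constructed six-flow traffic matrix in which two flows receive a synchronized surge. The traffic shapes, the one-component normal space and the 10x-median threshold are assumptions, and the residual-sign check is a simple stand-in for the thesis's correlation analysis, which the abstract does not detail.

```python
import math

def traffic_matrix(bins=200, attack=range(120, 140), targets=(1, 4), rate=30.0):
    """Constructed sample: 6 flows share one periodic load; two get a synchronized surge."""
    amp = [40, 30, 50, 35, 45, 25]
    X = []
    for t in range(bins):
        s = math.sin(2 * math.pi * t / 50)
        row = [200 + a * s + 0.5 * math.sin(0.7 * (j + 1) * t + j)
               for j, a in enumerate(amp)]
        if t in attack:
            for j in targets:
                row[j] += rate
        X.append(row)
    return X

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def top_component(Xc, iters=100):
    """Leading principal axis of the centered matrix, by power iteration on X^T X."""
    m = len(Xc[0])
    v = [1 / math.sqrt(m)] * m
    for _ in range(iters):
        scores = [dot(row, v) for row in Xc]
        w = [sum(s * row[j] for s, row in zip(scores, Xc)) for j in range(m)]
        norm = math.sqrt(dot(w, w))
        v = [x / norm for x in w]
    return v

def detect(X, factor=10.0):
    """Return (alarmed time bins, flows whose residual rises during the alarms)."""
    means = [sum(col) / len(X) for col in zip(*X)]
    Xc = [[x - mu for x, mu in zip(row, means)] for row in X]
    v = top_component(Xc)  # normal space: one component (assumption)
    # Anomaly space: what is left after removing the normal-space projection.
    R = [[x - dot(row, v) * vj for x, vj in zip(row, v)] for row in Xc]
    spe = [dot(r, r) for r in R]  # squared residual energy per time bin
    threshold = factor * sorted(spe)[len(spe) // 2]  # crude robust cut-off (assumption)
    alarms = [t for t, e in enumerate(spe) if e > threshold]
    flows = [j for j in range(len(v)) if alarms and sum(R[t][j] for t in alarms) > 0]
    return alarms, flows

if __name__ == "__main__":
    alarms, flows = detect(traffic_matrix())
    print("alarmed bins:", alarms[0], "-", alarms[-1], "suspect flows:", flows)
```

The surge is far smaller than the shared periodic load, so it only stands out once the normal-space projection has been removed.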