
Research On Flood Attack Detection Method Based On Euclidean Distance

Posted on: 2012-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Z G Peng
GTID: 2218330362456474
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of computer networks, network security problems have become increasingly acute and prominent, and a variety of attack methods have emerged. The SYN flood attack is a distributed denial-of-service attack that is relatively common and difficult to detect and defend against. Existing detection methods for SYN flood attacks are generally not ideal in terms of either accuracy or real-time performance. It is therefore of theoretical significance and practical value to research and design a new SYN flood attack detection method that can detect attacks online in real time, with higher detection accuracy and a lower false alarm rate.

This paper discusses the quantitative relationships among three types of TCP segments associated with TCP connections (SYN, FIN and RST segments) under three conditions: ideal, actual without attack, and SYN flood attack. Based on the changes in these quantitative relationships, a SYN flood attack detection method and the corresponding detection algorithm are proposed, using Euclidean distance and the moving average. The detection algorithm's time complexity is O(N) and its space complexity is O(1).

To evaluate and validate the Euclidean-distance-based detection method, simulation experiments for both direct SYN flood attacks and reflection SYN flood attacks are designed on public data sets. The effects of the algorithm's main parameters (detection time length, step size, alarm threshold and data point weighting) on the detection results are analyzed.

The simulation results show that the method can detect SYN flood attacks effectively, with high accuracy, a low false alarm rate and high data processing capability. Moreover, it can be deployed on routers in large and medium-sized backbone networks to detect SYN flood attacks online in real time.
Keywords/Search Tags:Denial of service, SYN flood attack, Attack detection, Euclidean distance, Moving average
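
The abstract does not give the algorithm's details, so the following Python example is an added illustration, not the thesis's own code: one way to combine Euclidean distance with a moving average over per-interval SYN, FIN and RST counts using O(1) state. The share normalisation, threshold, weighting, warm-up length and sample counts are all assumptions constructed for this example.

```python
import math

class SynFloodDetector:
    """Streaming detector: O(1) state, one pass over the intervals."""

    def __init__(self, threshold=0.25, alpha=0.2, warmup=3):
        self.threshold = threshold   # alarm threshold on the distance (assumed value)
        self.alpha = alpha           # weight of the newest data point in the moving average
        self.warmup = warmup         # intervals used only to learn the baseline
        self.baseline = None         # moving average of the (SYN, FIN, RST) shares
        self.seen = 0

    @staticmethod
    def shares(syn, fin, rst):
        total = syn + fin + rst
        if total == 0:               # idle interval: nothing to compare
            return None
        return (syn / total, fin / total, rst / total)

    def observe(self, syn, fin, rst):
        """Return (distance, alarm) for one counting interval."""
        point = self.shares(syn, fin, rst)
        if point is None:
            return 0.0, False
        if self.baseline is None:    # first non-idle interval seeds the baseline
            self.baseline, self.seen = point, 1
            return 0.0, False
        distance = math.dist(point, self.baseline)
        alarm = self.seen >= self.warmup and distance > self.threshold
        if not alarm:                # do not let attack traffic drag the baseline
            self.baseline = tuple((1 - self.alpha) * b + self.alpha * p
                                  for b, p in zip(self.baseline, point))
            self.seen += 1
        return distance, alarm

# Constructed per-interval counts (SYN, FIN, RST); not taken from any data set.
SAMPLE = [(100, 95, 6), (120, 110, 8), (90, 88, 5), (110, 104, 7),
          (0, 0, 0), (105, 100, 6), (900, 98, 7), (1500, 102, 40), (115, 108, 7)]

def run(intervals):
    det = SynFloodDetector()
    return [det.observe(*counts)[1] for counts in intervals]

if __name__ == "__main__":
    print(run(SAMPLE))
```

Freezing the baseline while an alarm is active keeps a sustained flood from becoming the new normal, at the cost of needing a manual or timed reset if legitimate traffic genuinely changes shape.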