
Research On DDoS Attack Detection And Response Technology

Posted on: 2013-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: J P Zhang
Full Text: PDF
GTID: 2248330392954725
Subject: Computer application technology
Abstract/Summary:
The development of network technology has profoundly changed people's lifestyles. Because the various unsafe factors in the network have led to many kinds of network attack events, the use of network services has been seriously affected. Among all kinds of attacks, the DDoS attack, which derives from the DoS attack, is considered one of the most serious threats that the network faces at present. Research on the DDoS attack is therefore a hot spot in academia. In this paper, the main research content is DDoS attack detection and response technology.

Firstly, the research background, purpose, significance and status of the subject were summarized. Furthermore, the DDoS attack principle and classification, and some attack anomaly detection, filtering and defense technologies, were introduced.

Secondly, the DDoS attack detection method based on the self-similarity of network traffic was analyzed. On that basis, some improvement was made to its high false positive rate, and a detection algorithm, WAIE, was proposed. The new algorithm used wavelet analysis to calculate the Hurst value from the packet arrival times and introduced information entropy from information theory to measure the degree of dispersion of source IP addresses. According to the Hurst and entropy values of the early phase, the thresholds can be set self-adaptively to detect the occurrence of an attack.

Thirdly, the feature extraction method based on statistical analysis, which is one of the DDoS attack filtering mechanisms, was analyzed. On that basis, some improvement was made to its ineffective protection of legitimate flows, and a response mechanism, RSPF, was put forward. The new mechanism identified legal source IP and destination IP address pairs by analyzing packet header attributes. A storage method was also put forward to store the IP addresses of legitimate users that had communicated with the servers. When the flow exceeded the set threshold or an attack was detected, the new mechanism can set the filtering probability, start to filter, and preferentially forward the packets that had legal IP addresses.

Lastly, on the MATLAB and Wireshark platforms, comparison experiments between the detection algorithm WAIE and the traditional self-similarity method were carried out using two datasets released by the MIT Lincoln Laboratory and one dataset captured in the laboratory environment. The experimental results showed that the WAIE algorithm can detect the occurrence of an attack more accurately.
Keywords/Search Tags: DDoS attack detection, the self-similarity of network traffic, information entropy, response strategy, filtering
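
The entropy half of the detection idea summarized in the abstract, as an added example that is not code from the thesis: per-window Shannon entropy of source IP addresses, compared against a threshold derived from earlier normal windows. The wavelet-based Hurst estimate is not shown. The two-sided mean ± k·σ rule, the parameters `baseline_n`, `k` and `min_sigma`, and the sample traffic are assumptions of this example.

```python
import math
import random
from collections import Counter
from statistics import mean, pstdev

def source_ip_entropy(src_ips):
    """Shannon entropy (bits) of the source-IP distribution in one window."""
    counts = Counter(src_ips)
    total = len(src_ips)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def detect(windows, baseline_n=5, k=3.0, min_sigma=0.05):
    """Flag windows whose entropy leaves mean +/- k*sigma of recent normal windows.

    baseline_n, k and min_sigma are assumptions, not values from the thesis.
    Returns a list of (window_index, entropy, is_anomalous).
    """
    history, results = [], []
    for i, ips in enumerate(windows):
        h = source_ip_entropy(ips)
        anomalous = False
        if len(history) >= baseline_n:
            mu = mean(history)
            sigma = max(pstdev(history), min_sigma)  # floor keeps the band from collapsing
            anomalous = abs(h - mu) > k * sigma
        if not anomalous:
            # Only normal windows feed the baseline, so a sustained attack
            # cannot drag the adaptive threshold toward itself.
            history = (history + [h])[-baseline_n:]
        results.append((i, h, anomalous))
    return results

def make_constructed_windows(seed=7):
    """Constructed sample traffic: 8 normal windows, then 3 with many random sources."""
    rng = random.Random(seed)
    clients = [f"10.0.0.{n}" for n in range(1, 21)]  # 20 regular clients
    normal = [[rng.choice(clients) for _ in range(500)] for _ in range(8)]
    flood = [[rng.choice(clients) for _ in range(500)] +
             [f"172.16.{rng.randrange(256)}.{rng.randrange(256)}" for _ in range(4000)]
             for _ in range(3)]
    return normal + flood

if __name__ == "__main__":
    for idx, h, flag in detect(make_constructed_windows()):
        print(f"window {idx:2d}  entropy={h:5.2f} bits  {'ANOMALY' if flag else 'normal'}")
```

The rule is two-sided because source-address entropy rises when a flood uses many spoofed sources and falls when a few hosts dominate the window.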