
Research On DDoS Detection Technology Based On Multi-Core CPU

Posted on: 2011-07-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Zhu
Full Text: PDF
GTID: 2248330395458278
Subject: Computer system architecture
Abstract/Summary:
A Distributed Denial of Service (DDoS) attack is a simple and effective network intrusion method. The intruder controls a large number of systems and uses them to send packets to the victims. The packets used by DDoS attackers differ little from normal packets. DDoS attacks can cause huge damage and are hard to detect. The development of network technology has increased network speeds quickly, so DDoS detection systems must handle more information. To detect attacks in real time, it is necessary to research detection technology for high-speed networks with large data flows and to improve the detection speed of DDoS detection systems.

Based on research into DDoS attacks, this thesis proposes a DDoS detection system based on multi-core CPUs. Traditional detection systems need to check the contents of packets to detect attacks, but this method is not efficient. To improve efficiency, the detection system analyzes the attributes of IP flows. In this way, only the packet headers are checked instead of the contents. The characteristics of IP flows under DDoS attack are analyzed and five features are summarized. Furthermore, the features of normal traffic and of traffic under DDoS attack are compared. Artificial neural networks are capable of classification and identification, so this thesis studies the structure and learning algorithm of the BP neural network and applies it to analyze the IP flows of every interval. The BP neural network uses the five IP flow features to classify IP flows into normal traffic and attack traffic.

WinPcap is used to capture packets from the network in the attack detection system. The IP flow statistics module parses the captured packets and creates flows in order to compute the IP flow features of every interval. The calculation of IP flow attributes is designed to execute in parallel, so the advantages of the multi-core CPU can be fully used. In the IP flow analysis module, a BP neural network classifier that applies the LM algorithm to adjust parameters is designed to classify IP flows. The neural network code is improved for multi-core CPUs with OpenMP.

Experimental results show that the detection system has a low false positive rate and a low false negative rate and works well at detecting attacks. The system runs faster on machines with multi-core CPUs.
Keywords/Search Tags: DDoS Detection, Multi-Core CPU, IP flow, neural network