
Research On DDOS Attacks Detection Technology

Posted on: 2014-02-27
Degree: Master
Type: Thesis
Country: China
Candidate: S C Yu
Full Text: PDF
GTID: 2248330398971029
Subject: Communication and Information System
Abstract/Summary:
With the growth of the Internet, network crime has become more frequent and security incidents of all kinds are reported regularly. Among all threats to network security, the distributed denial of service (DDoS) attack is the foremost hazard, and in recent years DDoS attacks have gradually shifted to the top layer of the TCP/IP protocol stack, the application layer, where they are more destructive and more difficult to detect. The rise of application layer DDoS attacks is a serious threat to network security: it disturbs the normal economic order and harms the interests of enterprises and ordinary customers. The network urgently needs an effective way to detect and defend against application layer DDoS attacks.

First, the author analyses a large body of recent material on application layer DDoS attacks, such as security reports, white papers and academic literature. The author summarizes the trends in application layer DDoS attacks and the corresponding detection technology, with particular emphasis on Web-targeted application layer DDoS attacks and their detection. After that, the author studies clustering technology and anomaly detection technology.

Next, the author analyses the access behavior of normal users and attack users respectively. To characterize normal users' access behavior, the author carried out a large amount of data analysis and statistical work, analysing the log files of five real sites. User access frequency, the distribution of pages visited by users and the distribution of users' request intervals are analysed, and the mean values of the related parameters are obtained. The distance between attack users and the distance between normal and attack users are also studied.

Then, based on the above work, the author proposes DBDD, a detection algorithm for Web-targeted application layer DDoS attacks. The algorithm is based on anomaly detection theory; taking the requirements of application layer DDoS attack detection into account, the author modifies the classical density clustering algorithm DBSCAN to detect and defend against application layer DDoS attacks. In this way the theory and methods of data mining are applied to network attack detection.

Finally, the author designs and builds a scheme and platform for testing the Web-targeted application layer DDoS attack detection algorithm, and validates the algorithm. DDoS attack records are generated by a C++ program and then combined with real web log records to form the source data used to test the algorithm's performance. The experimental results show that the DBDD algorithm has a high detection rate and a low false alarm rate.
Keywords/Search Tags: DDoS, clustering, application layer, user behavior