
Research On Detection Of Application Layer DDoS Attacks

Posted on: 2016-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: J Sun
Full Text: PDF
GTID: 2308330464461748
Subject: Computer application technology
Abstract/Summary:
Since the birth of the Internet, distributed denial of service (DDoS) attacks have been a major threat to Internet security. Traditional DDoS attacks take place mainly at the network and transport layers of the OSI model, and are defended against by mature network security products such as firewalls and intrusion detection and prevention systems. Recently, however, changes in the computing model have moved more services into Web-based interaction, which has accelerated the shift of DDoS attacks to the application layer. Because application-layer DDoS attacks are more devastating, use more subtle means, and show no significant difference from normal user traffic, application-layer DDoS (AL-DDoS) has become the main form of DDoS attack used by hackers.

We first study the principles of DDoS attacks from every angle. Traditional DDoS attacks exploit design flaws in the TCP/IP protocol suite: they establish a large number of half-open connections in order to consume system resources rapidly. This paper focuses on application-layer DDoS attacks. We first list several common forms of application-layer DDoS attack, and then show that application-layer DDoS attacks are built on complete TCP/IP connections, which is the essential difference from traditional DDoS attacks. We then analyze requests based on the HTTP GET method and propose our research approach. In addition, because of the asymmetric nature of application-layer attacks, most attackers choose the service that exhausts system resources fastest. This requires a large number of bots opening many half-open connections to the target server at the same time. The server then refuses normal users because the number of connections has exceeded the capacity of the target server's connection cache, which is exactly what the attackers want.

Based on the above findings, this paper presents a detection model for application-layer DDoS attacks based on information-entropy clustering. The model first preprocesses the data set to compute a request information-entropy matrix, from which a sequence similarity matrix is built as input; the MEAP (multi-exemplar affinity propagation) algorithm is then trained on the similarity matrix to obtain the cluster centers. Next, we compute the Euclidean distance between each request sequence arriving at the detection system and each cluster center or super-cluster center, and decide whether the request is an attack request by setting a threshold. Finally, we add a window mechanism that updates each cluster center at irregular intervals, which keeps the centers correct over a period of time. Experimental results show that the detection method in this paper can effectively cluster unknown data, quickly determine whether the data is an attack, and thus achieve online real-time detection.

On the basis of information entropy, the paper then studies an application-layer DDoS attack detection model based on user browsing behavior. The model computes the information entropy of each user's request sequence, trains an AR (autoregressive) model on it, uses a Kalman filter to remove noise from the network traffic, and applies a fixed-lag smoothing algorithm. Finally, it decides whether a request is an attack by setting a threshold. Experiments show that this detection model achieves good detection results.
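As an added illustration, not code from the thesis: a toy version of the entropy-distance check described above, in Python. The MEAP clustering step is replaced by a plain centroid of a few constructed normal sessions, and the threshold rule (largest training distance plus a margin), the IP addresses and the request paths are all assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample request sequences (one path per request), not real data.
# Normal sessions browse varied pages; the flood client repeats one costly query.
NORMAL_SESSIONS = {
    "10.0.0.1": ["/", "/login", "/", "/img/logo.png", "/cart", "/checkout", "/cart", "/help"],
    "10.0.0.2": ["/", "/search?q=a", "/item/1", "/item/2", "/img/1.png", "/cart", "/", "/logout"],
    "10.0.0.3": ["/news", "/news/1", "/news/2", "/news", "/", "/about", "/news/3", "/contact"],
}
INCOMING_SESSIONS = {
    "10.0.0.9": ["/search?q=zzz"] * 8,  # same expensive request hammered 8 times
    "10.0.0.4": ["/", "/item/5", "/item/6", "/css/main.css", "/", "/cart", "/checkout", "/thanks"],
}
WINDOW = 4  # requests per entropy window

def entropy(items):
    """Shannon entropy (bits) of the value distribution in items."""
    counts, n = Counter(items), len(items)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def entropy_vector(paths, window=WINDOW):
    """Entropy of each consecutive window of a request sequence -> feature vector."""
    return [entropy(paths[i:i + window]) for i in range(0, len(paths) - window + 1, window)]

def centroid(vectors):
    """Mean vector; a stand-in for a MEAP exemplar (assumption, see lead-in)."""
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0]))]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def is_attack(paths, centre, threshold):
    """Flag a request sequence whose entropy vector lies beyond threshold from the centre."""
    return euclidean(entropy_vector(paths), centre) > threshold

def run():
    """Train on the normal sessions, then classify each incoming session."""
    train = [entropy_vector(p) for p in NORMAL_SESSIONS.values()]
    centre = centroid(train)
    # Threshold: largest training distance plus a margin (assumed rule, not the thesis's).
    threshold = max(euclidean(v, centre) for v in train) + 0.5
    return {ip: is_attack(p, centre, threshold) for ip, p in INCOMING_SESSIONS.items()}

if __name__ == "__main__":
    print(run())  # {'10.0.0.9': True, '10.0.0.4': False}
```

The repeated-request client has zero entropy in every window and lands far from the centre, while the varied-browsing client stays within the learned distance.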
Keywords/Search Tags: DDoS, application layer, clustering algorithm, intrusion detection system