
Research On DDoS Detection Method Based On HMM Of Traffic Flow Principal Component

Posted on: 2016-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
GTID: 2308330479984820
Subject: Computer software and theory
Abstract/Summary:
DDoS attacks are among the most serious threats to network security and network quality of service. The principle is simple, the attack forms are varied and the effect is obvious, so they have become a focus of research. At the same time, the diversity of attack characteristics makes detection more difficult. The goal of this thesis is to extract characteristic information about DDoS traffic from the large and complicated set of network flow indicators, and to use that information to detect DDoS traffic flows.

The main work of this thesis is as follows.

First, principal component analysis is used to reduce the dimensionality of the complex network traffic parameters. The goal of principal component analysis is to reduce the number of variables under study: it assigns weights to the multidimensional flow parameters of network traffic and yields a few new, uncorrelated principal component variables. This retains as much of the information in the original variables as possible while greatly reducing the data-processing workload. The characteristics of the network traffic variables are analyzed comprehensively. Eight traffic characteristics are extracted by comparing the statistical and interactive characteristics of normal traffic and DDoS traffic. Principal component analysis of these original traffic characteristics yields three principal component characteristics.

Second, the principal components of the original network traffic are analyzed using principal component analysis. The principal components are mapped to 3D coordinates to observe the distribution of normal traffic and DDoS attack traffic, and are then clustered with the DBSCAN algorithm; different clusters represent different observation states.

Third, taking advantage of these statistical characteristics, a Hidden Markov Model is used as the theoretical basis: a Hidden Markov Model of the network traffic principal components is created and used to detect DDoS attack traffic. The state transition process is initialized using the clustering results, and the model is then trained and evaluated on the dataset. This achieves comprehensive and accurate detection of DDoS attacks.

The method is analyzed and validated on public data sets. The principal components of the traffic flow are obtained from these data sets, and the initial model is constructed according to the distribution characteristics of the principal components and the clustering results. The model is then trained on the experimental data to obtain the complete detection model. Compared with other detection methods in terms of accuracy and time delay, our method is more effective at detecting mixed DDoS attack traffic.
Keywords/Search Tags:DDoS detection, network flow characteristics, principal component analysis, DBSCAN cluster algorithm, Hidden Markov Model
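
The third step of the abstract (an HMM whose observations are DBSCAN cluster ids, initialized from labelled data and then used for detection) can be sketched as follows. This is an added example, not code from the thesis: the two hidden states, the three cluster ids, the training windows, the count-based initialization and the use of Viterbi decoding as the detection step are all assumptions, and the PCA and DBSCAN stages are taken as already done.

```python
import math

# Constructed training data, not from the thesis: each item is one monitoring
# window as (hidden_state, cluster_id). Assumed states: 0 = normal, 1 = attack.
# Assumed observation symbols: ids 0..2 of the DBSCAN clusters.
TRAIN = [
    [(0, 0), (0, 1), (0, 0), (0, 0), (1, 2), (1, 2), (1, 2), (0, 1)],
    [(0, 1), (0, 0), (1, 2), (1, 2), (1, 1), (1, 2), (0, 0), (0, 0)],
]

def estimate(labelled, n_states=2, n_obs=3):
    """Initial pi, A, B by counting, with add-one smoothing."""
    pi = [1.0] * n_states
    A = [[1.0] * n_states for _ in range(n_states)]
    B = [[1.0] * n_obs for _ in range(n_states)]
    for seq in labelled:
        pi[seq[0][0]] += 1
        for s, o in seq:
            B[s][o] += 1
        for (s, _), (t, _) in zip(seq, seq[1:]):
            A[s][t] += 1
    def norm(row):
        return [v / sum(row) for v in row]
    return norm(pi), [norm(r) for r in A], [norm(r) for r in B]

def viterbi(obs, pi, A, B):
    """Most likely hidden-state path for a sequence of cluster ids (log space)."""
    n = len(pi)
    score = [math.log(pi[s] * B[s][obs[0]]) for s in range(n)]
    back = []
    for o in obs[1:]:
        prev = [max(range(n), key=lambda p: score[p] + math.log(A[p][s]))
                for s in range(n)]
        score = [score[prev[s]] + math.log(A[prev[s]][s] * B[s][o])
                 for s in range(n)]
        back.append(prev)
    path = [max(range(n), key=lambda s: score[s])]
    for prev in reversed(back):      # follow back-pointers from the last window
        path.append(prev[path[-1]])
    return path[::-1]

if __name__ == "__main__":
    pi, A, B = estimate(TRAIN)
    # Constructed cluster-id sequence for ten consecutive windows.
    print(viterbi([0, 1, 0, 2, 2, 2, 1, 2, 0, 0], pi, A, B))
```

In the constructed sequence the seventh window falls in cluster 1, which is mostly seen in normal traffic, yet it is decoded as attack because the windows on either side are; that dependence on context is what the sequence model adds over classifying each cluster id alone.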