
Key Technologies Research On Detection Of Large-scale DDoS Attacks

Posted on: 2016-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: H Jiang
Full Text: PDF
GTID: 2308330482476812
Subject: Information and Communication Engineering

Abstract/Summary:
With the growth of network scale and link bandwidth, distributed denial-of-service (DDoS) attacks have become large-scale, which complicates both detection and handling. The key problem in detecting large-scale DDoS attacks is to restrain the aggregation of attack traffic. The problem can be divided into three aspects: (1) current feature-based early-warning methods are easily evaded by attackers and cannot keep up with the changing DDoS threat; (2) flash crowds generated by legitimate users cause false alarms; (3) classification-based DDoS detection methods cannot meet the demand for real-time detection.

To solve these problems, this thesis, supported by the sub-project on attack characteristics and abnormal behavior of large-scale DDoS attacks under the National Key Technologies R&D Program (Some Key Technologies Research on Cyberspace), analyzes the detection requirements in depth and proposes, respectively, a superpoint-based DDoS detection method, a flow-fingerprint-based DDoS detection approach, and a lightweight DDoS detection approach based on the GAIG algorithm. Together these methods warn of attacks effectively, distinguish DDoS attacks from flash crowds accurately, and classify DDoS attack packets quickly. The specific research work is as follows:

1. For the early warning of DDoS attacks, after analyzing the defects of present early-warning methods and the uncertainty of the threat, a new early-warning method is proposed. It uses the many-to-one mapping between source IP addresses and destination IP addresses as the warning strategy, and the polymerization (aggregation) degree of destination superpoints as the threat metric. It applies superpoints and superpoint detection from network measurement to give early warning of DDoS attacks and to protect the potential victims.

2. Current detection methods have difficulty separating attacks from flash crowds. To address this, a detection approach based on flow fingerprints is proposed. First, a generalized discrimination strategy is introduced by analyzing the many-to-one mapping of superpoints in attacks and the platform dependence of botnets (bots driven by one attack platform generate similar flows, whereas the users in a flash crowd do not). Based on this strategy, flow fingerprints of flooding behaviors and flooding attacks are built by combining superpoints with flow similarity. Flooding behaviors are located by the polymerization degree of destination superpoints within a moving time window, which yields the suspicious flows; a sliding-discrimination algorithm then measures the similarity of the suspicious flows to distinguish flooding attacks from flash crowds. Simulation results indicate that the approach detects DDoS attacks efficiently and that Total Variation Distance (TVD) is the most suitable similarity metric for discriminating DDoS attack flows from flash crowds. The approach reaches a detection rate of up to 98%, 6% higher than general classification models.

3. To improve the real-time performance of classification-based DDoS detection, lightweight intrusion detection is introduced. First, a filter algorithm for feature selection, GAIG, is proposed, combining a genetic algorithm as the search strategy with information gain as the evaluation function. GAIG extracts a minimum feature subset with high classification performance; simulation results show that real-time performance improves without reducing classification accuracy. Among the classifiers compared, Random Tree has relatively better classification performance, so a lightweight detection system is built on Random Tree. With a strong ability to detect unknown attacks, this approach reaches a detection rate of up to 85%, 5% higher than general classification models.
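The superpoint early warning of item 1 and the flow-fingerprint discrimination of item 2, as an added worked example (not the thesis's code): destinations whose distinct-source count in a sliding window crosses a threshold are flagged as destination superpoints, and the mean pairwise Total Variation Distance between per-source packet-length histograms decides flooding attack versus flash crowd. The window length, thresholds, histogram binning and the sample traffic are assumptions constructed here; the abstract does not give the thesis's exact polymerization-degree definition or flow features.

```python
"""Added example: superpoint early warning plus a flow-fingerprint (TVD) check
that separates a flooding attack from a flash crowd. Not the thesis's code;
window, thresholds, binning and the sample traffic below are assumptions."""
from collections import defaultdict
from itertools import combinations
import random

WINDOW_S = 10               # sliding window length in seconds (assumed)
STEP_S = 5                  # window step in seconds (assumed)
SUPERPOINT_MIN_SRCS = 100   # distinct sources per destination per window (assumed)
SIMILARITY_MAX_TVD = 0.5    # mean pairwise TVD below this => one tool, many bots (assumed)
LEN_BINS = 8                # packet-length histogram bins over 0..1500 bytes (assumed)


def make_flows(seed=7):
    """Constructed sample traffic: records of (time_s, src_ip, dst_ip, packet_len)."""
    rng = random.Random(seed)
    flows = []
    # Background: a few dozen clients talking to three servers.
    for t in range(60):
        for _ in range(3):
            src = f"10.0.{rng.randint(0, 3)}.{rng.randint(1, 50)}"
            flows.append((t, src, f"192.0.2.{rng.randint(1, 3)}", rng.randint(60, 1500)))
    crowd = [f"172.16.{i // 254}.{i % 254 + 1}" for i in range(300)]
    bots = [f"198.51.{100 + i // 254}.{i % 254 + 1}" for i in range(300)]
    for t in range(20, 40):
        # Flash crowd on 192.0.2.10: many real users with heterogeneous packet sizes.
        for src in rng.sample(crowd, 40):
            flows.append((t, src, "192.0.2.10", rng.randint(60, 1500)))
        # Flooding attack on 192.0.2.20: many bots running one tool, near-identical sizes.
        for src in rng.sample(bots, 40):
            flows.append((t, src, "192.0.2.20", 64 if rng.random() < 0.9 else 576))
    return flows


def window_flows(flows, t0):
    return [f for f in flows if t0 <= f[0] < t0 + WINDOW_S]


def destination_superpoints(wflows):
    """Many-to-one mapping: distinct source IPs per destination in one window.
    Destinations with at least SUPERPOINT_MIN_SRCS sources are destination superpoints."""
    srcs = defaultdict(set)
    for _, src, dst, _ in wflows:
        srcs[dst].add(src)
    return {dst: s for dst, s in srcs.items() if len(s) >= SUPERPOINT_MIN_SRCS}


def length_histogram(lengths):
    """Normalised packet-length histogram of one source's traffic to the victim."""
    counts = [0] * LEN_BINS
    for ln in lengths:
        counts[min(ln * LEN_BINS // 1501, LEN_BINS - 1)] += 1
    return tuple(c / len(lengths) for c in counts)


def tvd(p, q):
    """Total Variation Distance between two discrete distributions, in [0, 1]."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def fingerprint_dissimilarity(wflows, dst):
    """Mean pairwise TVD between the per-source histograms aimed at dst.
    Bots driven by one flooding tool look alike (low TVD); a flash crowd is diverse."""
    per_src = defaultdict(list)
    for _, src, d, ln in wflows:
        if d == dst:
            per_src[src].append(ln)
    hists = [length_histogram(v) for v in per_src.values()]
    pairs = list(combinations(hists, 2))
    return sum(tvd(p, q) for p, q in pairs) / len(pairs) if pairs else 0.0


def classify(flows):
    """Slide the window over the trace; yield (t0, dst, n_srcs, mean_tvd, verdict)."""
    alerts = []
    t_end = max(f[0] for f in flows)
    for t0 in range(0, t_end + 1, STEP_S):
        wf = window_flows(flows, t0)
        for dst, srcs in destination_superpoints(wf).items():
            d = fingerprint_dissimilarity(wf, dst)
            verdict = "flooding attack" if d < SIMILARITY_MAX_TVD else "flash crowd"
            alerts.append((t0, dst, len(srcs), round(d, 3), verdict))
    return alerts


def verdicts_by_destination(flows):
    """Collapse per-window alerts into the set of verdicts seen per destination."""
    out = defaultdict(set)
    for _, dst, _, _, verdict in classify(flows):
        out[dst].add(verdict)
    return dict(out)


if __name__ == "__main__":
    for alert in classify(make_flows()):
        print(*alert)
```

Only the two destinations hit by hundreds of sources in a window become superpoints; the background servers never do, so the (costlier) pairwise similarity step runs only on suspicious flows, which is the point of ordering superpoint detection before fingerprinting.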
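The GAIG filter of item 3, as an added example (not the thesis's code): a genetic algorithm searches bit-mask feature subsets and scores each by the information gain of the selected features about the attack label, with a small per-feature penalty so the minimum adequate subset wins. The constructed dataset, feature encoding, penalty and GA parameters are assumptions, and the abstract does not give the thesis's exact fitness function; the Random Tree classifier stage is not shown.

```python
"""Added example: GAIG-style feature selection, a genetic algorithm with
information gain as the evaluation function. Not the thesis's code; the
dataset, encoding, size penalty and GA parameters are assumptions."""
import math
import random
from collections import Counter, defaultdict

N_FEATURES = 6
SIZE_PENALTY = 0.05   # fitness cost per selected feature; favours the minimum subset (assumed)


def make_dataset(seed=3, n=400):
    """Constructed, already-discretised per-flow feature vectors with labels.
    f0 (packet-rate bucket) is informative, f1 is a noisy copy of f0, f2..f5 are noise."""
    rng = random.Random(seed)
    records, labels = [], []
    for i in range(n):
        attack = i % 2 == 1
        f0 = (2 if rng.random() < 0.95 else 1) if attack else rng.randint(0, 1)
        f1 = f0 if rng.random() < 0.9 else rng.randint(0, 2)
        noise = [rng.randint(0, 2) for _ in range(N_FEATURES - 2)]
        records.append((f0, f1, *noise))
        labels.append(1 if attack else 0)
    return records, labels


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(records, labels, subset):
    """IG(Y; X_S) = H(Y) - H(Y | X_S), where X_S is the tuple of selected features."""
    groups = defaultdict(list)
    for rec, y in zip(records, labels):
        groups[tuple(rec[i] for i in subset)].append(y)
    n = len(labels)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def fitness(mask, records, labels):
    """Filter criterion: joint information gain of the subset minus a size penalty."""
    subset = [i for i, bit in enumerate(mask) if bit]
    return information_gain(records, labels, subset) - SIZE_PENALTY * len(subset)


def gaig_select(records, labels, pop_size=24, generations=40, mutation=0.1, seed=11):
    """Genetic search over bit-mask chromosomes; returns the best feature index list."""
    rng = random.Random(seed)
    n_feat = len(records[0])
    pop = [[rng.randint(0, 1) for _ in range(n_feat)] for _ in range(pop_size)]

    def score(mask):
        return fitness(mask, records, labels)

    for _ in range(generations):
        pop.sort(key=score, reverse=True)
        nxt = pop[:2]                                   # elitism: keep the two best
        while len(nxt) < pop_size:
            a = max(rng.sample(pop, 3), key=score)      # tournament selection
            b = max(rng.sample(pop, 3), key=score)
            child = [x if rng.random() < 0.5 else y for x, y in zip(a, b)]  # uniform crossover
            child = [1 - bit if rng.random() < mutation else bit for bit in child]  # mutation
            nxt.append(child)
        pop = nxt
    best = max(pop, key=score)
    return [i for i, bit in enumerate(best) if bit]


if __name__ == "__main__":
    recs, labs = make_dataset()
    chosen = gaig_select(recs, labs)
    print("selected features:", chosen)
    print("IG of selection:", round(information_gain(recs, labs, chosen), 3))
```

Because the criterion is a filter (it never trains the classifier), the whole search costs only entropy computations over the training set; the redundant copy f1 is dropped because its extra joint gain over f0 is smaller than the per-feature penalty, which is what keeps the subset minimal and the downstream classifier fast.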
Keywords/Search Tags: DDoS attacks, early-warning, superpoints, flash crowds, flow similarity, lightweight intrusion detection