
Research On The Detection Technology Of DDOS Attack Of Application Layer

Posted on: 2017-04-15, Degree: Master, Type: Thesis
Country: China, Candidate: L Ren, Full Text: PDF
GTID: 2348330488462350, Subject: Electronics and Communications Engineering
Abstract/Summary:
Since the beginning of the 21st century, the Internet has developed very rapidly and become integrated into our lives, bringing much convenience. While people enjoy the benefits of the Internet, it also causes problems. To pursue personal gain, criminals create virus software, steal passwords and individual accounts, or even attack websites directly, causing great losses to companies and individuals. Among all forms of attack, the DDOS attack is one of the most serious. DDOS attacks are large in scale and cause huge losses, because many computer users neglect computer security defense, which gives criminals more opportunities. Research on detection technologies for DDOS attacks is therefore valuable and important.

Existing research shows that much work has been done on DDOS attacks that exploit bugs in network protocols or systems and occur at the network layer or transport layer. Moreover, the detection technologies that have been developed can resist the various attacks that occur at these two layers. However, there is much less research on DDOS attacks at the application layer. Only a few detection technologies have been developed, and their detection rates are low. Taking advantage of these technical difficulties, attackers are more likely to launch attacks against the application layer. They usually use normal HTTP requests and launch attacks during burst periods. At that moment the attack traffic is similar to normal traffic, so it is hard to detect the attacks from information about the HTTP requests such as content, quantity and speed. Besides, the few detection technologies that have been improved, such as detection based on the Chi-Square method and detection of SYN Flooding, cannot achieve both detection rate and application range: as one increases, the other decreases. As a result, these detection technologies do not perform well in practice.

To improve the detection technologies, a detection method based on the feature parameters of self-similarity is put forward. Network traffic is self-similar at different time scales, and this property is unaffected by changes of time scale. The degree of self-similarity is represented by the Hurst index, H. When attack traffic increases in a short time, the autocorrelation function of the self-similar sequence varies obviously. Because the Hurst index corresponds uniquely to the autocorrelation function R of the self-similar sequence, the variation ΔR makes H vary obviously; that is, the difference value of self-similarity, ΔH, varies obviously (the variation range exceeds 0.1), while the ΔH of normal traffic varies only a little (the variation range is within 0.1). A DDOS attack can therefore be identified by comparing ΔH with a threshold. In the detection algorithm, H is estimated by the R/S method, ΔH is then obtained by processing H with a self-regression (autoregressive) model, and the threshold is estimated by maximum likelihood estimation (MLE).

Lastly, testing shows that the proposed algorithm can resist various application-layer DDOS attacks and has a wider application scope, which validates that the algorithm is feasible. Furthermore, the detection rate is about 10% higher than that of detection judged by the range of H, which validates that the algorithm improves the detection rate. In short, the new algorithm takes account of both detection rate and application scope, and the result is satisfactory.
Keywords/Search Tags: DDOS, Feature parameters of self-similarity H, R/S estimate method, Self-regression model, Maximum likelihood estimate (MLE)
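
The detection idea in the abstract, estimating H by the R/S method per traffic window and raising an alarm when ΔH exceeds 0.1, can be sketched as follows. This is an added example, not code from the thesis: it takes ΔH as the plain difference between consecutive windows instead of using the self-regression model, uses the fixed 0.1 from the abstract instead of an MLE-derived threshold, and the function names, window size and request counts are assumptions constructed for illustration.

```python
import math
import random

def hurst_rs(series, min_chunk=8):
    """Estimate the Hurst index H with rescaled-range (R/S) analysis."""
    xs, ys, size = [], [], min_chunk
    while size <= len(series) // 2:
        ratios = []
        for start in range(0, len(series) - size + 1, size):
            chunk = series[start:start + size]
            mean = sum(chunk) / size
            dev = [v - mean for v in chunk]
            sd = math.sqrt(sum(d * d for d in dev) / size)
            if sd == 0:
                continue  # a flat chunk carries no R/S information
            cum = lo = hi = 0.0
            for d in dev:  # range of the cumulative deviation from the mean
                cum += d
                lo, hi = min(lo, cum), max(hi, cum)
            ratios.append((hi - lo) / sd)
        if ratios:
            xs.append(math.log(size))
            ys.append(math.log(sum(ratios) / len(ratios)))
        size *= 2
    if len(xs) < 2:
        raise ValueError("series too short for R/S analysis")
    # H is the least-squares slope of log(R/S) against log(chunk size).
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
            / sum((x - mx) ** 2 for x in xs))

def detect(counts, window=512, threshold=0.1):
    """Return (window index, H, delta H, alarm) for consecutive windows."""
    rows, prev = [], None
    for i in range(0, len(counts) - window + 1, window):
        h = hurst_rs(counts[i:i + window])
        delta = 0.0 if prev is None else abs(h - prev)
        rows.append((i // window, h, delta, delta > threshold))
        prev = h
    return rows

def sample_counts(seed=7, window=512):
    """Constructed data: noisy requests per interval, ramp-up in window 2."""
    rng = random.Random(seed)
    counts = [100 + rng.gauss(0, 10) for _ in range(4 * window)]
    for t in range(window):
        counts[2 * window + t] += 2 * t
    return counts

if __name__ == "__main__":
    for idx, h, delta, alarm in detect(sample_counts()):
        print(f"window {idx}: H={h:.2f} dH={delta:.2f} alarm={alarm}")
```

With only 512 samples per window the R/S estimate is noisy, so a plain difference can also cross 0.1 between two normal windows.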