
Research On DDoS Intrusion Detection Method Based On Multidimensional Entropy

Posted on: 2019-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: N Wang
Full Text: PDF
GTID: 2428330542998915
Subject: Computer system architecture

Abstract/Summary:
With the development of society, computers and Internet technologies are spreading rapidly, accompanied by an endless stream of information and network security issues. The Distributed Denial of Service (DDoS) attack evolved from the original DoS attack. It is a large-scale, cooperative attack and one of the most prevalent malicious attacks on the Internet. DDoS attackers exploit weaknesses of the TCP/IP protocol suite to exhaust the victim's service resources and computing power through a large number of malicious accesses, so that the victim can no longer provide normal service to legitimate users [1]. The DDoS attacker aims to block users' normal access and connections by destroying the availability of the destination server, so that it cannot provide normal service. Whether the target is network bandwidth, the server's CPU computing resources, the server's memory, or the connectivity of a target port, a DDoS attack must send a large number of connection requests to the target within a short time, consuming the destination server's resources so that the target host cannot provide service normally. According to statistics from the Gibson Research Group, part of the International Communication Network Security Committee [2], the scale of "botnets" worldwide has expanded continuously over the past decade and spread over more than 100 countries and regions. At the same time, DDoS attacks have also increased significantly. According to Gibson, the frequency of DDoS attacks worldwide has reached more than 4,000 per week, and the direct and indirect economic losses caused by DDoS attacks on the Internet are as high as trillions of yuan each year. However, what makes defense against DDoS attacks difficult at this stage is that the attacker first takes control of intermediary hosts, and those hosts in turn control the botnet that attacks the target host or server. Because the attacker does not participate directly in the attack but controls the "botnet" through these intermediaries, tracking a DDoS attack and tracing it back to the attacker is very difficult compared with other intrusion methods.

Detection techniques for DDoS attacks are mostly end-based. However, existing network security systems, including firewalls, IDS, IPS and DDoS tracking technologies, are isolated from the detection function and can only fight known attacks. Moreover, they cannot accurately and promptly distinguish legitimate users from malicious attackers. Such an externally attached, passive defense method is therefore unable to deal with DDoS attacks that are diverse, random, concealed and ambiguous [3]. At this stage, DDoS intrusion detection methods mostly build a detection model around the anomaly of a single attribute of network traffic. These methods may detect a specific DDoS attack well. In reality, however, attackers often use several DDoS attack tools and hybrid attacks; they do not adopt a single attack method, and they even use low-volume traffic and IP spoofing to bypass firewalls and intrusion detection systems.

Based on the above analysis, this paper proposes for the first time a DDoS detection method based on multidimensional entropy. The method analyzes the concept and characteristics of DDoS network attacks, combines them with network traffic attributes, and then combines common DDoS network attacks with detection techniques. On this basis, a DDoS intrusion detection method is proposed that integrates multiple network traffic attributes. The method chooses the three most important features to build a DDoS intrusion detection model with good discrimination. Different detection methods are adopted for different features, a comprehensive analysis is performed to detect the various attributes of network traffic, and the final results are analyzed using a multi-window continuous hypothesis test. Finally, the method is tested on the DARPA 99 data set published by MIT Lincoln Laboratory in 1999 [4] and the DARPA 2000 data set published in 2000. A comparative test is designed, and the verification shows that the method detects DDoS attacks well and can meet the needs of DDoS detection. Moreover, the method also has good scalability and a certain detection effect against new DDoS attacks.
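The following sketch is an added example, not code from the thesis, of the detection pipeline the abstract outlines: per-window entropy of several traffic attributes, a baseline learned from attack-free windows, and a multi-window test that alarms only when several recent windows are anomalous. The three features (source IP, destination port, packet length), the z-score threshold, the k-of-m rule and the sample traffic are all assumptions made for the example.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Attributes whose per-window entropy is tracked. The thesis does not name its
# three features, so these three are an assumption made for this example.
FEATURES = ("src_ip", "dst_port", "pkt_len")

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def entropy_vector(window):
    """One entropy value per feature for a window (a list of packet dicts)."""
    return {f: shannon_entropy([p[f] for p in window]) for f in FEATURES}

def fit_baseline(clean_windows):
    """Per-feature mean and std of entropy over attack-free training windows."""
    vecs = [entropy_vector(w) for w in clean_windows]
    return {f: (mean(v[f] for v in vecs), pstdev(v[f] for v in vecs)) for f in FEATURES}

def window_is_anomalous(window, baseline, z=3.0, min_features=2):
    """A window is suspect when at least min_features entropies leave mean +/- z*std."""
    vec = entropy_vector(window)
    # the std floor keeps a feature that was constant in training from being unusable
    hits = sum(abs(vec[f] - mu) > z * max(sd, 1e-3) for f, (mu, sd) in baseline.items())
    return hits >= min_features

def detect(windows, baseline, k=3, m=4):
    """Multi-window continuous test: alarm only when k of the last m windows are
    suspect, so one bursty but benign window does not raise an alert on its own."""
    flags = [window_is_anomalous(w, baseline) for w in windows]
    return [sum(flags[max(0, i - m + 1):i + 1]) >= k for i in range(len(flags))]

# --- constructed sample traffic (not taken from the DARPA data sets) ---
def benign_window(seed):
    """120 packets from 18-22 hosts, spread evenly over 4 ports and 3 sizes."""
    hosts = 18 + seed % 5
    return [{"src_ip": f"10.0.0.{(j + seed) % hosts}",
             "dst_port": (80, 443, 53, 22)[j % 4],
             "pkt_len": (64, 512, 1500)[(j + seed) % 3]} for j in range(120)]

def attack_window():
    """Flood from 100 spoofed sources to one port with one size: source entropy
    jumps while destination-port and packet-size entropy collapse to zero."""
    return [{"src_ip": f"203.0.113.{j}", "dst_port": 80, "pkt_len": 64} for j in range(100)]

def run_demo():
    # train on six clean windows, then score four clean windows and five attack windows
    baseline = fit_baseline([benign_window(s) for s in range(6)])
    stream = [benign_window(s) for s in range(6, 10)] + [attack_window()] * 5
    return detect(stream, baseline)  # returns [False]*6 + [True]*3
```

The alarm only fires at the third consecutive attack window, which is the trade-off the multi-window test makes: a little added latency in exchange for fewer alerts on isolated benign bursts.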
Keywords/Search Tags: Distributed Denial of Service, Information Entropy, Intrusion Detection