
Application Layer DDoS Attack Detection Based On Spark

Posted on: 2019-09-10
Degree: Master
Type: Thesis
Country: China
Candidate: J F Mi
GTID: 2428330545978710
Subject: Information confrontation

Abstract/Summary:
Distributed denial of service (DDoS) has become one of the most serious threats to internet security because of its low technical threshold and strong destructiveness. However, with the in-depth study of DDoS attack detection technology, traditional DDoS attacks based on the transport layer or network layer now struggle to produce a good attack effect. Meanwhile, as network services have moved to the Web, the shift of DDoS attacks to the application layer has accelerated. Application layer DDoS attacks usually use real IP addresses, and each single request is a legitimate request, so they can perfectly avoid network protection systems, which places higher requirements on network security protection. The author did extensive research on application layer DDoS attack detection and found that most current application layer DDoS detection methods require advanced modeling or historical data collection. Although this kind of detection method has good detection accuracy, the engineering effort is generally large, and the methods lack real-time detection and universality.

For this reason, the author analyzes in depth the attack principle and characteristics of application layer DDoS and finds that its essence is: using a large number of botnet nodes with the same IP to initiate high-frequency requests to the target server in a short time. To verify this assertion, the author compares and analyzes the access behavior of normal users and attackers. The author finds that, viewed along the time dimension and using statistical analysis, there are two distinct features during an application layer DDoS attack: first, the distribution of requesting IP addresses is relatively fixed; second, the request frequency is higher than in other, normal time periods. Therefore, the author proposes to use IP request entropy to combine these two characteristics and to use it as the basis for judging application layer DDoS attacks.

On the basis of IP request entropy, the author uses a time series prediction model to predict the IP request entropy at a future time. The author compares the prediction result with the actual value at that moment to get the offset, and compares this offset with three times the variance of the selected time series. The result of this comparison determines whether an application layer DDoS attack is under way. The time series prediction model takes into consideration not only a set of historical data adjacent to the prediction point (the horizontal timeline) but also the corresponding historical data from different periods of the prediction point (the vertical timeline). In the time series prediction model, the horizontal and vertical timelines are predicted using the ARIMA prediction model and the quadratic exponential smoothing prediction model respectively. The weighted sum of the two prediction results then gives the final prediction result. Experiments show that the prediction effect under this model is better than the traditional one.

In terms of detection, the author uses Spark's fast log information acquisition and real-time computing capabilities to quickly obtain the IP request entropy. This provides the precondition for constructing the IP request entropy time series. The Spark time slicing mechanism is then used to dynamically update the time series data set, forming an application layer DDoS detection solution that is both real-time and general. Finally, the proposed model is validated by experiments. The results show that the model has a good detection effect.
Keywords/Search Tags:Spark, Application layer DDoS, time series, double time line prediction model, IP request entropy, real-time
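
The detection step described in the abstract, as an added Python example that is not code from the thesis: it computes an entropy value for one time window, predicts it from a horizontal and a vertical timeline, and flags the window when the offset exceeds three times the variance. Assumptions: IP request entropy is taken to be the Shannon entropy of the per-window source-IP distribution, "quadratic exponential smoothing" is taken to be Brown's double exponential smoothing and stands in for ARIMA on the horizontal timeline as well, and the weight of 0.5, the Spark-free setup and all sample data are constructed.

```python
import math
from collections import Counter
from statistics import pvariance

def ip_request_entropy(ips):
    """Shannon entropy (bits) of the source-IP distribution in one window.
    Assumed definition; the abstract does not give the formula."""
    counts = Counter(ips)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def brown_forecast(series, alpha=0.5):
    """One-step-ahead forecast by Brown's double exponential smoothing."""
    s1 = s2 = series[0]
    for x in series[1:]:
        s1 = alpha * x + (1 - alpha) * s1    # first smoothing pass
        s2 = alpha * s1 + (1 - alpha) * s2   # second pass over the first
    level = 2 * s1 - s2
    trend = alpha / (1 - alpha) * (s1 - s2)
    return level + trend

def detect(window_ips, horizontal, vertical, weight=0.5):
    """Return (flagged, actual, predicted) for one time window.
    horizontal: entropies of the windows just before the prediction point.
    vertical:   entropies of the same slot in earlier periods.
    Stand-in: the abstract uses ARIMA for the horizontal timeline; Brown's
    smoothing is used for both here. weight=0.5 is an assumed value."""
    predicted = (weight * brown_forecast(horizontal)
                 + (1 - weight) * brown_forecast(vertical))
    actual = ip_request_entropy(window_ips)
    offset = abs(actual - predicted)
    # Threshold as stated in the abstract: three times the variance of the
    # selected time series (the horizontal one is selected here).
    return offset > 3 * pvariance(horizontal), actual, predicted

# Constructed sample data (documentation address ranges, not real traffic).
HORIZONTAL = [4.2, 4.6, 5.0, 5.6, 6.0, 5.7, 5.2, 5.4]
VERTICAL = [5.3, 5.1, 5.4, 5.2, 5.3]
NORMAL = [f"198.51.100.{i}" for i in range(1, 41)] * 2          # 40 clients, 2 requests each
ATTACK = NORMAL + [f"203.0.113.{i}" for i in (7, 8, 9)] * 400   # 3 nodes, 400 requests each

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("attack", ATTACK)):
        flagged, actual, predicted = detect(window, HORIZONTAL, VERTICAL)
        print(f"{name}: entropy={actual:.3f} predicted={predicted:.3f} flagged={flagged}")
```

In the constructed attack window a few addresses dominate the request count, so the entropy falls well below the prediction and the offset crosses the threshold.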