Research On Key Technology Of Application Layer DDoS Detection And Evaluation

Posted on: 2019-05-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Liu
GTID: 2428330566470979
Subject: Control Science and Engineering

Abstract/Summary:
Distributed denial of service (DDoS) attacks often disrupt and destroy network information systems and are a great threat to network security. Depending on the layer the attack exploits, DDoS attacks can be divided into network layer, transport layer and application layer DDoS attacks (App-DDoS). Because of its strong concealment and its similarity to a flash crowd, an App-DDoS attack can effectively evade the defenses of the network and transport layers, so App-DDoS is one of the most important and difficult issues at present. This paper studies the problems of single detection type, tedious training process, difficult updating operation and subjective evaluation method in App-DDoS detection and evaluation methods. The main work and innovations are as follows.

1. Because existing flow-based App-DDoS detection methods ignore the detection of ramp-up and pulsing types of application layer DDoS attacks, an effective detection method for multi-type App-DDoS was proposed, which can be deployed at key network nodes. Firstly, in order to quickly count the number of HTTP GET requests per user and to support the calculation of the feature parameters used by the detection method, indexes of source IP addresses in multiple time windows were constructed using a hash function. Then we hierarchically trained the feature parameters by combining SVM classifiers in a partial binary tree structure, and proposed an App-DDoS detection method based on binary tree traversal and feedback learning to distinguish non-burst normal flow, burst normal flow and multi-type App-DDoS flows. The experimental results show that, compared with the conventional SVM-based and naïve-Bayes-based detection methods, the proposed method has better detection performance and can distinguish specific App-DDoS types by subdividing attack types and training the detection model layer by layer.

2. Because training samples is complicated and updating models is difficult in behavior-based application layer DDoS detection methods, an adaptive App-DDoS detection method based on an improved affinity propagation (IAP) algorithm was proposed, which can be deployed at the attacked host. Firstly, to optimize the affinity propagation algorithm, we divided the dataset into several parts in advance using the limited prior knowledge, and merged similar clusters to enhance the ability to process large amounts of data. In addition, an abnormal cluster cleaning mechanism was introduced to keep abnormal clusters from interfering with the detection results. Secondly, several user behavior attributes were defined to represent behavior features, and the improved AP algorithm was applied to cluster these attributes efficiently, improving the detection rate for abnormal users. Then, by evaluating the quality of clusters with the Silhouette index in real time, a self-updating learning mechanism was put forward to support resistance to analysis of the distribution of normal users' attributes, which further reduced the false positive rate and increased the detection rate. The experimental results on a real dataset show that the proposed method is more effective and more accurate than the conventional AP algorithm and the KMPCA algorithm, and that it can update clusters by itself during detection.

3. Because it is difficult to select evaluation indexes, and evaluating the threat situation of App-DDoS attacks with the analytic hierarchy process is subjective, a hierarchical network threat situation assessment method for App-DDoS attacks based on D-S evidence theory was proposed. Firstly, we introduced a transition function to convert the usage rate indexes of host and network into consumption degree indexes of host and network based on historical data. Then the consumption degree indexes were combined with service quality indexes to describe the elements of the impact of App-DDoS on attacked hosts. Next, to avoid evaluating the device threat value with subjective index weights, we analyzed the relations between indexes using D-S evidence theory, and obtained the degree of threat that App-DDoS poses to devices. Furthermore, we combined the importance of service and location to determine device importance, which was weighted by the device threat value to evaluate the network threat situation for App-DDoS attacks. The experimental results show that the proposed method can effectively evaluate the threat situation caused by App-DDoS attacks.

4. Because it is difficult to deal with the increasing amount of information to be handled, an App-DDoS detection and evaluation solution on the distributed stream processing platform Storm was designed based on the proposed detection and evaluation methods. It is divided into offline training, online detection and online evaluation. In offline training, to train the multi-type and multi-period features at the same time, we adopted the multi-spout mechanism with its distributed characteristic, so as to improve training efficiency. In addition, to reduce detection delay, the Slot BasedExtract mechanism with its stream processing characteristic was designed to extract online features using a circular queue and periodic sending of cached data. The experimental results show that the proposed detection and evaluation methods can be effectively implemented on the Storm platform to detect and evaluate App-DDoS attacks in real time.
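
As an illustration of the counting step in contributions 1 and 4 (a hash index of source IPs holding per-user HTTP GET counts over multiple time windows, kept in a circular queue of slots), the following is an added example and not code from the thesis. The class name, the 1-second slot, the 5/30/60-slot windows and the sample events are assumptions; the thesis's actual feature parameters are not given on this page.

```python
class MultiWindowGetCounter:
    """Hash-indexed per-source-IP GET counts over several time windows."""

    def __init__(self, slot_seconds=1, windows=(5, 30, 60)):
        self.slot_seconds = slot_seconds
        self.windows = tuple(sorted(windows))   # window lengths, in slots
        self.size = self.windows[-1]            # ring covers the longest window
        self.index = {}                         # hash index: ip -> [ring, newest_slot]

    def _advance(self, entry, slot):
        # Zero every slot skipped since the last update so stale counts expire.
        gap = min(slot - entry[1], self.size)
        for s in range(slot - gap + 1, slot + 1):
            entry[0][s % self.size] = 0
        entry[1] = slot

    def record_get(self, ip, ts):
        """Count one GET; returns False when ts is older than the ring holds."""
        slot = int(ts // self.slot_seconds)
        entry = self.index.setdefault(ip, [[0] * self.size, slot])
        if slot > entry[1]:
            self._advance(entry, slot)
        elif entry[1] - slot >= self.size:
            return False
        entry[0][slot % self.size] += 1
        return True

    def counts(self, ip, now):
        """Return {window_slots: GET count} for windows ending at `now`."""
        entry = self.index.get(ip)
        if entry is None:
            return {w: 0 for w in self.windows}
        slot = max(int(now // self.slot_seconds), entry[1])  # never query backwards
        if slot > entry[1]:
            self._advance(entry, slot)
        return {w: sum(entry[0][(slot - i) % self.size] for i in range(w))
                for w in self.windows}


def constructed_events():
    """Constructed sample: a steady client and a pulsing one (not real traffic)."""
    steady = [(t, "192.0.2.10") for t in range(0, 60, 10)]
    pulsing = [(t, "198.51.100.7") for t in (*range(25, 30), *range(55, 60))
               for _ in range(4)]
    return sorted(steady + pulsing)


def replay(events):
    counter = MultiWindowGetCounter()
    for ts, ip in events:
        counter.record_get(ip, ts)
    return counter
```

Comparing the short and long windows for one source separates the pulsing client (20 GETs in the last 5 s, 40 in 60 s) from the steady one (0 and 6), which a single long window would blur.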
Keywords/Search Tags: App-DDoS attack detection, App-DDoS attack evaluation, IAP algorithm, PBT-SVM algorithm, hierarchical D-S evidence theory, Storm platform