Research On Low-rate Distributed Denial-of-service (L-DDoS) Attack Detecting Algorithms Based On Data Center Networks

Posted on: 2019-08-13
Degree: Master
Type: Thesis
Country: China
Candidate: L X Wang
GTID: 2428330569996084
Subject: Computer application technology

Abstract/Summary:
Because of the latency, diversity and synchronization of their data flows, data center networks are prone to covert low-rate distributed denial-of-service (L-DDoS) attacks. Traditional L-DDoS detection algorithms have three main problems. Firstly, in collecting traffic and setting the detection period, some detection methods assume complete control over the network, an assumption that does not hold in practice, so traffic is collected incompletely and non-intelligently; and the detection period is set with little flexibility, which makes it unreasonable. Secondly, in terms of attribute statistics, most traditional machine learning algorithms use Shannon entropy to measure the attribute, but Shannon entropy has a high false positive rate in L-DDoS detection. Thirdly, in the machine learning algorithm itself, traditional methods do not consider the relevance of data packets, resulting in low accuracy; and most of these methods can detect a single type of attack but not all kinds of attacks, resulting in poor adaptability to the variety of L-DDoS attacks.

This paper studies these three problems of detecting L-DDoS attacks in data center networks. Software defined network (SDN) technology is used to control intelligent collection of detection traffic and to set a proper period. From the viewpoint of stochastic distribution, Renyi entropy is proposed to enlarge the entropy difference between normal traffic and L-DDoS traffic, which accordingly reduces the false positive rate of the attribute statistic. From the perspective of probability, a probabilistic model combining Renyi entropy and the Hidden Markov Model (HMM-R) is proposed to define a variety of states with the double stochastic processes of implicit states and observed states. The detection architecture includes four modules: data preprocessing, HMM-R model initializing, training and detecting. First, a PACKET_IN message marks the beginning of the detection process. During data preprocessing, data packets are parsed before the Renyi entropy of the source IP and destination IP is calculated. Then the HMM-R model is initialized by clustering the above data and obtaining the observation sequence of the training data. The Baum-Welch algorithm is trained on the observation sequence to optimize the HMM-R model. Finally, the Viterbi algorithm with the model parameters is used to solve for the hidden state sequence that maximizes the probability, and detection is then carried out.

This paper adopts the MIT DARPA and CAIDA 2007 data sets. In terms of the entropy gap between normal traffic and L-DDoS attack traffic, we analyze the performance of Renyi and Shannon entropy in attack attribute statistics. Then an SDN environment is built with Mininet and POX to compare the HMM-R algorithm with KNN, SVM, SOM and BP under three different forms: different windows, different rates and different orders. The experimental results show that, compared with Shannon entropy, Renyi entropy enlarges the entropy gap between normal traffic and L-DDoS attack traffic. Compared with KNN, SVM, SOM and BP, the HMM-R algorithm reduces the false positive rate by at least 2%. Compared with KNN and SVM, it improves the accuracy by about 4%. Compared with SOM and BP, it greatly reduces the detection time. Thus, this method offers a significant improvement in reducing the false positive rate, increasing the accuracy and enhancing the adaptability.
Keywords/Search Tags:data center networks, low-rate distributed denial-of-service attack, attack detection, software defined network, HMM-R
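
The entropy statistic from the preprocessing step, as an added example that is not code from the thesis: it computes per-window Shannon and Renyi entropy of destination IPs over constructed packets and compares the gap between a normal window and an attack-like window. The order alpha = 2, the 1-second window, the function names and all addresses are assumptions; the abstract does not state them.

```python
import math
from collections import Counter

def renyi_entropy(counts, alpha):
    """Renyi entropy in bits of a frequency table; alpha == 1 gives Shannon entropy."""
    counts = [c for c in counts if c > 0]
    total = sum(counts)
    probs = [c / total for c in counts]
    if alpha == 1:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1 - alpha)

def window_entropy(packets, field, window, alpha):
    """Bucket (timestamp, src, dst) packets into fixed windows; return {index: entropy}."""
    col = {"src": 1, "dst": 2}[field]
    buckets = {}
    for pkt in packets:
        buckets.setdefault(int(pkt[0] // window), Counter())[pkt[col]] += 1
    return {w: renyi_entropy(c.values(), alpha) for w, c in sorted(buckets.items())}

def entropy_gap(packets, field, window, alpha, normal_w, attack_w):
    """Entropy drop from a known-normal window to a suspected attack window."""
    h = window_entropy(packets, field, window, alpha)
    return h[normal_w] - h[attack_w]

def build_sample():
    """Constructed traffic: window 0 is evenly spread, window 1 concentrates on one host."""
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]
    pkts = [(i / 16, f"192.0.2.{i % 4 + 1}", hosts[i % 8]) for i in range(16)]
    skewed = [hosts[0]] * 9 + hosts[1:]          # 9 of 16 packets hit one destination
    pkts += [(1 + i / 16, f"198.51.100.{i + 1}", d) for i, d in enumerate(skewed)]
    return pkts

if __name__ == "__main__":
    sample = build_sample()
    for name, alpha in (("Shannon", 1), ("Renyi (alpha=2, assumed)", 2)):
        gap = entropy_gap(sample, "dst", 1.0, alpha, normal_w=0, attack_w=1)
        print(f"{name}: destination-IP entropy gap = {gap:.3f} bits")
```

Because Renyi entropy is non-increasing in alpha and equals Shannon entropy on a uniform distribution, the order-2 gap against an evenly spread baseline is never smaller than the Shannon gap.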