
Identifying Application Layer DDoS Attacks Based On Request Rhythm Matrix

Posted on: 2020-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: H Lin
GTID: 2428330572983893
Subject: Computer technology
Abstract/Summary:
Since DDoS attacks were first discovered, their destructive power has made them a main research topic for practitioners in the field of network security. With the advancement of technology, the styles and types of DDoS attacks have changed greatly in recent years. While many traditional attack methods such as SYN flood, ICMP, and UDP flooding remain prevalent, more and more application layer DDoS attack traffic is being discovered, over protocols such as HTTP, HTTPS, and DNS. Here, we collectively refer to this type of attack as an application layer DDoS attack (application layer distributed denial of service attack). In the current network environment, the barrier to launching an attack keeps getting lower, and a large number of free, easy-to-use application layer DDoS attack generation tools have appeared on the network. At the same time, because the number of Internet users keeps growing and security issues receive too little attention, more and more botnets and downtime incidents have emerged, and zombie hosts are even rented out for profit. Because these tools are simple and the public is largely unaware of the damage such attacks cause, many lawbreakers see a business opportunity, and anyone with a motive can easily launch an attack. The target may be an individual, a company, or even a government agency.

Since we have no way to prevent the emergence of criminals or the spread of attack tools on the network, an efficient and accurate application layer DDoS attack detection system becomes very necessary. A DDoS attack can be roughly divided into three phases: generation, propagation, and attack. We cannot stop an attack from being launched or block it outright, so a server cannot be immune to the possibility of DDoS attacks. What we can do is detect the attack accurately as soon as it begins, so that a series of countermeasures can be taken to minimize its impact. Because application layer DDoS attacks take many forms, our system selects only application layer DDoS flooding attacks as its main research object.

The attack detection method we use is based on the request rhythm matrix. The construction of the request rhythm matrix draws on the way musicians record the rhythm of music. From the traffic data we extract characteristics of each packet, such as the size of the packet and its inter-arrival time. By linearly transforming these two features, the features of three adjacent packets in the redefined data stream are integrated to obtain a pair of eigenvalues. Each pair of feature values we obtain is mapped to our initialized matrix, and we define that matrix as the request rhythm matrix. The request rhythm matrix records the overall characteristics of the data traffic within a data window. By observing the request rhythm matrices constructed from different traffic data, we find a significant difference between the request rhythm matrix of attack traffic and that of normal traffic. Therefore, we define an abnormality degree for each request rhythm matrix. The abnormality degree is defined relative to the request rhythm matrix in the normal state and represents the difference between a given request rhythm matrix and the normal one. From statistics of the request rhythm matrices built for normal traffic, we define a threshold for the abnormality degree. Once the abnormality degree of the request rhythm matrix generated by a data window exceeds the threshold, we conclude that an application layer DDoS attack has occurred within that data window. After detecting the attack, our algorithm can also identify the IPs of the accessing hosts in subsequent data windows and mark the attack host IPs.
Keywords/Search Tags:Application Layer DDOS Attack, Request Rhythm Matrix, Abnormality Degree, Attack Host IP Identify
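
The detection pipeline described in the abstract, as an added sketch that is not code from the thesis. The abstract does not give the linear transform, how three adjacent packets are combined, the abnormality metric, or the threshold rule, so the binning, the averaging, the total variation distance, and the mean-plus-three-standard-deviations rule below are all assumptions, and the traffic is constructed.

```python
import random
import statistics

N = 8            # matrix is N x N (assumed resolution)
MAX_SIZE = 1500  # bytes mapped onto the row axis (assumed)
MAX_GAP = 1.0    # seconds mapped onto the column axis (assumed)

def _bin(value, upper):
    # Linear transform of a feature onto a matrix index, clipped to the grid.
    return min(N - 1, max(0, int(value / upper * N)))

def rhythm_matrix(packets):
    """packets: list of (arrival_time, size) for one data window."""
    m = [[0.0] * N for _ in range(N)]
    triples = list(zip(packets, packets[1:], packets[2:]))
    for (t0, s0), (t1, s1), (t2, s2) in triples:
        # Assumed integration step: three adjacent packets -> one (row, col) pair.
        row = _bin((s0 + s1 + s2) / 3, MAX_SIZE)   # mean packet size
        col = _bin((t2 - t0) / 2, MAX_GAP)         # mean inter-arrival time
        m[row][col] += 1 / len(triples)            # cells hold frequencies
    return m

def abnormality(m, normal):
    # Assumed metric: total variation distance, 0 = identical, 1 = disjoint.
    return sum(abs(a - b) for ra, rb in zip(m, normal) for a, b in zip(ra, rb)) / 2

def mean_matrix(mats):
    return [[sum(m[i][j] for m in mats) / len(mats) for j in range(N)] for i in range(N)]

def make_window(rng, n, size_range, gap_range):
    # Constructed traffic: uniform random sizes and inter-arrival gaps.
    t, out = 0.0, []
    for _ in range(n):
        t += rng.uniform(*gap_range)
        out.append((t, rng.randint(*size_range)))
    return out

rng = random.Random(7)
normal_mats = [rhythm_matrix(make_window(rng, 300, (200, 1400), (0.05, 0.9))) for _ in range(8)]
NORMAL = mean_matrix(normal_mats)                  # normal-state rhythm matrix
normal_scores = [abnormality(m, NORMAL) for m in normal_mats]
# Assumed threshold rule: mean + 3 standard deviations of the normal scores.
THRESHOLD = statistics.mean(normal_scores) + 3 * statistics.stdev(normal_scores)

flood = make_window(rng, 300, (60, 60), (0.001, 0.002))  # constructed flood window
FLOOD_SCORE = abnormality(rhythm_matrix(flood), NORMAL)

if __name__ == "__main__":
    print(f"threshold={THRESHOLD:.3f} flood={FLOOD_SCORE:.3f} attack={FLOOD_SCORE > THRESHOLD}")
```

The constructed flood window concentrates all of its mass in a single cell that normal traffic never occupies, which is the kind of visible difference between attack and normal matrices that the abstract reports.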