
Research On DDoS Attack Detection Method

Posted on: 2020-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: G Z Ye
Full Text: PDF
GTID: 2428330575961923
Subject: Computer Science and Technology

Abstract/Summary:
Nowadays, people's work and life are inseparable from the Internet. As an information-sharing platform, the Internet's openness and sharing facilitate people's lives, but they also make it difficult to supervise, resulting in increasing security risks. In a distributed denial of service (DDoS) attack, an attacker controls a large number of zombie hosts on the network and uses them to send a large number of invalid requests to a target host, so that the system or network resources of the target host are exhausted and the system can eventually no longer serve legitimate users. Because the attack method is straightforward and simple, it can be effective against any type of network infrastructure. This type of attack will remain one of the main threats to network security for a long time. Researchers in the field of network security have done a lot of work on DDoS, but some problems remain; for example, the accuracy of detection and the real-time nature of detection cannot be well balanced. In view of this, this paper aims to propose a detection method that combines popular statistical analysis and cluster analysis techniques in order to detect DDoS attacks accurately and in real time.

To address the real-time problem of DDoS attack detection, this paper proposes an early attack detection scheme based on an optimized Cumulative Sum (CUSUM) algorithm. The theoretical basis of the CUSUM control chart is the sequential probability ratio test from sequential analysis. The algorithm is simplified to improve its computational efficiency without changing the characteristics of the original CUSUM algorithm. For dynamic models such as network traffic, it is difficult to pre-estimate parameters such as thresholds. On the other hand, the overhead of maintaining a large number of network traffic feature values for a long time is also very large. This paper therefore proposes an optimization scheme that adaptively adjusts the threshold based on a time window, to better adapt to actual network conditions. The CUSUM algorithm with a two-sided test used in this paper can effectively deal with attacks of different attack rates. The final detection result is determined by combining multi-dimensional features, which improves the accuracy of the preliminary detection stage to some extent.

The CUSUM algorithm is efficient and fast, but it is difficult to ensure highly accurate detection results in the face of complex network traffic. This paper therefore further proposes a depth detection model based on the Affinity Propagation (AP) clustering algorithm. Compared with other classical clustering algorithms, the AP clustering algorithm has many advantages, but its training time complexity is too high, or training is even impossible, in the face of large sample sets. In response to this problem, the paper first compresses the data volume of the training set using the Minimum Enclosing Ball (MEB) algorithm. After the cluster centers are initially determined, the remaining data points are associated directly by comparing their distance to the temporary cluster centers, and the clusters are adaptively adjusted according to the results of the association. This optimizes the clustering results and greatly improves training efficiency while ensuring the accuracy of the final trained clusters.

In summary, this paper proposes a joint DDoS attack detection scheme that combines preliminary detection and depth detection. The coarse-grained detection algorithm based on statistical analysis is combined with the fine-grained detection model based on a clustering algorithm so as to play to the strengths of each and avoid their weaknesses, improving detection efficiency and the accuracy of the final detection results.
Keywords/Search Tags: DDoS attack, intrusion detection, CUSUM algorithm, Affinity Propagation algorithm
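
The preliminary detection stage described in the abstract, sketched as an added example that is not code from the thesis: a textbook two-sided CUSUM whose slack and threshold are re-estimated once per time window, not the thesis's optimized variant. The window length, the 0.5σ slack, the 5σ threshold and the packet-rate samples are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def cusum_alarms(rates, window=20, k_sigma=0.5, h_sigma=5.0):
    """Two-sided CUSUM over per-interval packet rates.

    Returns [(index, "up" | "down"), ...]. The baseline mean and deviation,
    and therefore the slack k and threshold h, are re-estimated at the end of
    each time window, but only from windows in which no alarm fired, so
    traffic already flagged as anomalous does not become the new baseline.
    """
    mu = sigma = None                 # no baseline until the first window ends
    buf, tainted = [], False
    s_hi = s_lo = 0.0                 # upward / downward cumulative sums
    alarms = []
    for i, x in enumerate(rates):
        if mu is not None:
            k, h = k_sigma * sigma, h_sigma * sigma
            s_hi = max(0.0, s_hi + (x - mu) - k)   # evidence of a rate increase
            s_lo = max(0.0, s_lo + (mu - x) - k)   # evidence of a rate decrease
            if s_hi > h or s_lo > h:
                alarms.append((i, "up" if s_hi > h else "down"))
                s_hi = s_lo = 0.0                  # restart the test
                tainted = True
        buf.append(x)
        if len(buf) == window:                     # end of the time window
            if not tainted:
                mu, sigma = mean(buf), max(pstdev(buf), 1e-9)
            buf, tainted = [], False
    return alarms

# Constructed sample data: packets per interval, not measurements.
NORMAL = [100, 104, 97, 101, 99, 103, 96, 102, 98, 100] * 4
LOW_RATE = NORMAL + [x + 3 for x in NORMAL[:20]]   # small sustained increase
FLOOD = NORMAL + [160] * 10                        # abrupt high-rate flood

if __name__ == "__main__":
    print("normal   :", cusum_alarms(NORMAL))
    print("low rate :", cusum_alarms(LOW_RATE)[0])
    print("flood    :", cusum_alarms(FLOOD)[0])
```

In the low-rate series no single sample exceeds the baseline mean plus three standard deviations, yet the accumulated deviation crosses the threshold six intervals after the shift begins, while the flood is flagged on its first interval.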