
Analysis Of DDoS Malicious Behavior Based On UDP Heart Rate

Posted on: 2020-06-24
Degree: Master
Type: Thesis
Country: China
Candidate: P H Li
GTID: 2428330623459874
Subject: Cyberspace security
Abstract/Summary:
A distributed denial-of-service (DDoS) attack is a malicious network behavior. By consuming the resources of the target, the attacker prevents the target of the attack from providing services to legitimate users. DDoS attacks are generally based on puppet (zombie) hosts. When the number of hosts participating in DDoS attacks reaches a certain scale, attackers use the corresponding network technology, namely the botnet, to solve the problem of managing those hosts. A botnet needs a specific way to maintain communication, and heartbeat is a conventional one. The research work of this thesis therefore starts from heartbeat detection. First, the method of heartbeat detection is studied. Then, the relationship between heartbeat networks is studied through a self-designed heartbeat association graph. On this basis, a malicious level model of hosts based on the UDP heartbeat network is proposed and deployed on the boundary of the Nanjing main node network of CERNET.

To obtain heartbeat data from real traffic, a universal message data flow platform for global traffic, Violet, is established. The platform collects all traffic data flowing through the network boundary of the main node of CERNET in Nanjing and provides two data sources for traffic analysis: a full traffic data stream with fixed length, and a complete message data stream filtered out based on specific rules. Subsequently, the definition of a heartbeat network and the characteristics of heartbeat at the application layer are discussed. A heartbeat network is considered to have the characteristics of "small message", "low frequency", "short interval" and "continuity". On this basis, a set of detection rules is designed and implemented in a UDP heartbeat flow detection algorithm. The algorithm is deployed at the network boundary of the main node of CERNET in Nanjing, and a large number of heartbeat networks are detected.

After that, to discuss the propagation of host attributes between heartbeat networks, a set of definitions is given, including heartbeat networks, the relationship between heartbeat networks, heartbeat correlation graphs and so on. Based on these definitions, a heartbeat correlation graph construction algorithm is designed. The algorithm takes the heartbeat detection results as input and gives the relationship between heartbeat hosts in the network. Then, because the behavior of member hosts in the same heartbeat network is correlated, a host attribute propagation algorithm based on the heartbeat network is proposed on top of the heartbeat correlation graph. As an application of the heartbeat correlation graph, the basic characteristics of the host attribute propagation algorithm are discussed, including "reflexivity", "infinity", "quantitative tendency" and "quality tendency".

Finally, according to the DDoS attack information provided by an IDS, this thesis gives a definition of the malicious attributes of hosts and proposes an algorithm that evaluates the initial malicious attributes of hosts according to their DDoS attack behavior. On the basis of the PageRank algorithm, this thesis also designs an attribute propagation algorithm for the heartbeat association graph. Applying this algorithm to the heartbeat correlation graph yields malicious levels for all hosts in the graph. To evaluate the algorithm in a real environment, this thesis uses the DDoS attack detection information provided by an IDS running at the network boundary of the main node of CERNET in Nanjing, together with the UDP heartbeat detection results at the same location, as the data sources for testing the malicious level model. The experimental results show that the model can accurately find DDoS malicious hosts that are not located by the IDS.
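The propagation step described in the abstract can be sketched as follows. This is an added example, not code from the thesis: it uses standard personalized PageRank as a stand-in for the thesis's own propagation algorithm (which the abstract does not specify), treats heartbeat relations as undirected edges, and runs on constructed hosts and seed values.

```python
# Added example: personalized PageRank as a stand-in for the thesis's propagation step.
def propagate_malice(edges, seeds, damping=0.85, iters=200):
    """Spread IDS-derived seed scores over an undirected heartbeat graph."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    for host in seeds:
        adj.setdefault(host, set())
    total = sum(seeds.values())
    if total <= 0:
        return {h: 0.0 for h in adj}
    # Restart distribution: initial malicious attribute, normalised to sum to 1.
    restart = {h: seeds.get(h, 0.0) / total for h in adj}
    score = dict(restart)
    for _ in range(iters):
        nxt = {h: (1 - damping) * restart[h] for h in adj}
        for h, nbrs in adj.items():
            if nbrs:
                share = damping * score[h] / len(nbrs)
                for n in nbrs:
                    nxt[n] += share
            else:  # isolated seed host: its mass goes back to the restart set
                for k in adj:
                    nxt[k] += damping * score[h] * restart[k]
        score = nxt
    return score

def unflagged_suspects(scores, seeds):
    """Hosts the IDS did not flag but that received a non-zero malicious level."""
    found = [h for h in scores if h not in seeds and scores[h] > 0]
    return sorted(found, key=lambda h: -scores[h])

# Constructed sample data (documentation address ranges, not from the thesis).
EDGES = [  # (heartbeat peer, member host) pairs from heartbeat detection
    ("192.0.2.10", "198.51.100.1"), ("192.0.2.10", "198.51.100.2"),
    ("192.0.2.10", "198.51.100.3"),                      # heartbeat network A
    ("192.0.2.20", "198.51.100.8"), ("192.0.2.20", "198.51.100.9"),  # network B
]
IDS_SEEDS = {"198.51.100.1": 1.0, "198.51.100.2": 1.0}   # hosts seen attacking

if __name__ == "__main__":
    levels = propagate_malice(EDGES, IDS_SEEDS)
    for host in unflagged_suspects(levels, IDS_SEEDS):
        print(f"{host}  malicious level {levels[host]:.3f}")
```

Hosts in network B share no heartbeat relation with a flagged host and stay at level zero, while the common peer and the unflagged member of network A surface as candidates for review.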
Keywords/Search Tags:Network Probe, Heart Flow Detection, Attribute Propagation Algorithms, Malicious Level Evaluation of DDoS