
Research On DDoS Detection Algorithm At Application Layer

Posted on: 2019-05-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z P Lu
GTID: 2438330545469997
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology, Web application services have become more complex and diverse. As the number of Web services has grown, hackers increasingly direct network attacks at application-layer services. Of all application-layer attacks, DDoS attacks are undoubtedly the most harmful. Compared with network-layer DDoS attacks, application-layer attacks are characterized by low data traffic, strong concealment, and difficulty of detection, and they pose a great threat to the security of application-layer services. According to the "Perception of Global Threat Landscape Report for the First Quarter of 2017" published by Imperva, network-layer DDoS attacks have been on a downward trend for the fourth consecutive quarter, and application-layer DDoS attacks have reached nearly 1,100 per week. How to effectively prevent application-layer DDoS attacks has become a hot research issue in maintaining network security. This paper studies detection methods for application-layer DDoS attacks. The main tasks are as follows:

(1) The principle of application-layer DDoS attacks is analyzed and compared with traditional network-layer DDoS attacks. The differences between DDoS attacks at different network layers are summarized, and the characteristics of application-layer DDoS attacks are highlighted. The paper then analyzes the HTTP protocol, which is widely used at the application layer, and two typical DDoS attack methods based on it.

(2) Application-layer DDoS attacks are usually directed by hackers at a target, and their behavior differs greatly from normal users' access behavior. In order to effectively identify the attack behavior, the paper combines principal component analysis with an improved K-means algorithm and proposes a DDoS attack anomaly detection algorithm based on k-means and principal component analysis (referred to as the KMPCAD algorithm in this article). First, according to the difference between normal users' and hackers' access behavior, the algorithm statistically analyzes the web logs and extracts features that reflect the user's access behavior, then uses the improved K-means algorithm to cluster the statistical feature dataset. The resulting K data classes are used to determine the category of a real-time session. Finally, PCA is used to calculate the reconstruction error of the session, which is compared with a set threshold to determine its legitimacy.

(3) The DDoS anomaly detection method based on the time-series autoregressive model is only effective for distinguishing HTTP flood attacks from flash crowds and cannot reasonably detect application-layer slow attacks. In order to detect mixed application-layer DDoS attacks that combine HTTP-Flood and slow connection attacks, an improved application-layer DDoS detection algorithm based on the autoregressive model is proposed. The algorithm applies packet size information entropy to the detection model, thereby separating attack behavior from normal access behavior.
Keywords/Search Tags: Application layer DDoS, HTTP-Flood, Application layer slow attack, detection algorithm, Auto-Regression model
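The idea in item (3), feeding packet-size information entropy into an autoregressive detection model, can be sketched as follows. This is an added example, not code from the thesis: the AR(1) order, the 50-byte size bins, the 3-sigma threshold with its floor, and the constructed traffic windows are all assumptions made for illustration.

```python
import math
from collections import Counter

def size_entropy(sizes, bucket=50):
    """Shannon entropy (bits) of packet sizes in one window, binned by `bucket` bytes."""
    counts = Counter(s // bucket for s in sizes)
    n = len(sizes)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def fit_ar1(series):
    """Least-squares AR(1) fit x[t] = c + phi*x[t-1]; returns (c, phi, residual std)."""
    x, y = series[:-1], series[1:]
    mx, my = sum(x) / len(x), sum(y) / len(y)
    var = sum((a - mx) ** 2 for a in x)
    phi = sum((a - mx) * (b - my) for a, b in zip(x, y)) / var if var else 0.0
    c = my - phi * mx
    resid = [b - (c + phi * a) for a, b in zip(x, y)]
    return c, phi, math.sqrt(sum(r * r for r in resid) / len(resid))

def detect(baseline, live, k=3.0, floor=0.05):
    """Flag live windows whose entropy misses the AR(1) forecast by more than k*std."""
    history = [size_entropy(w) for w in baseline]
    c, phi, std = fit_ar1(history)
    limit = k * max(std, floor)   # floor avoids a zero-width band on a flat baseline
    prev, flags = history[-1], []
    for window in live:
        h = size_entropy(window)
        anomalous = abs(h - (c + phi * prev)) > limit
        flags.append(anomalous)
        if not anomalous:         # flagged windows never become the reference value
            prev = h
    return flags

# Constructed traffic (not thesis data): benign windows mix 20-24 size classes.
def normal_window(i, n=200):
    return [60 + 50 * ((37 * j) % (20 + i % 5)) for j in range(n)]

FLOOD = [420] * 200                      # identical requests repeated
SLOW = [1 + j % 10 for j in range(200)]  # connections trickling a few bytes
MIXED = FLOOD[:100] + SLOW[:100]         # both behaviours in one window

def demo():
    baseline = [normal_window(i) for i in range(20)]
    live = [normal_window(20), FLOOD, normal_window(21), SLOW, MIXED, normal_window(22)]
    return detect(baseline, live)

if __name__ == "__main__":
    print(demo())
```

In this constructed data the flood, slow and mixed windows all collapse the size distribution to one or two bins, so their entropy falls far below the forecast, while benign windows stay inside the band.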