Research And Application Of Application Layer Denial Of Service Attack Detection Method

Posted on: 2020-11-26, Degree: Master, Type: Thesis
Country: China, Candidate: H F Jing, Full Text: PDF
GTID: 2438330623964246, Subject: Computer technology
Abstract/Summary:
A Denial of Service (DoS) attack keeps the server from responding, which prevents legitimate users from accessing normal network resources. Traditional DoS attacks mainly target the transport layer and the network layer. Flooding attacks are common, such as TCP Flood and SYN Flood. These attacks are called Distributed Denial of Service (DDoS). With the rapid development of the Internet, application layer denial of service attacks began to appear. Compared with traditional DoS, application layer DoS consumes server resources or network bandwidth by establishing legitimate web requests, which is more concealed and causes greater harm. This paper focuses on the CC (Challenge Collapsar) attack and the slow HTTP (HyperText Transfer Protocol) attack among application layer denial of service attacks. Based on the characteristics of the two attacks, this paper proposes methods to effectively detect them, and conducts experimental analysis and verification. In addition, current big data framework technology is combined with the two detection methods to implement a Spark-based application layer denial of service attack detection system. The specific research content of this paper is as follows:

(1) Existing CC attack detection methods suffer from problems such as a high false positive rate or low execution efficiency. This paper uses existing HTTP traffic data and DNS (Domain Name System) resolution data to propose an abnormal traffic collection method: domain names that may be under CC attack are extracted, and abnormal HTTP traffic is obtained based on these domain names. Using three effective features, namely packet rate, URL (Uniform Resource Locator) information entropy and URL conditional entropy, a BP (Back Propagation) neural network is trained as a binary classification model to classify the abnormal traffic, which finally realizes CC attack detection. Experiments show that the CC attack detection method based on entropy and a neural network has a higher detection rate than existing methods, and that the method is better suited to analysis and detection in a big data environment.

(2) The application layer slow HTTP attack has appeared in recent years; domestic research on it is still relatively rare and the detection rate is not high. This paper first elaborates on the principle of the slow HTTP attack and shows the specific attack form through simulation experiments. Intercepting and observing the attack packets and comparing them with real traffic shows a significant difference in the HTTP packet type distribution at attack time. This paper proposes a slow HTTP attack detection method based on JS (Jensen-Shannon) divergence for the Slow Header and Slow Body modes of slow HTTP attacks. For each unit time window, the method calculates the similarity between the HTTP packet type probability distribution at normal time and at attack time, and sets a threshold by observing how the JS divergence varies. If this measure is greater than a certain threshold, the period is determined to have an attack feature; otherwise, it is determined to be a normal period. Finally, the effectiveness of the method is verified by simulation experiments and compared with other methods. Experiments show that this method has a higher detection rate for both single-machine and distributed slow HTTP attacks in Slow Header and Slow Body mode.

(3) Because network traffic data is large, and the two methods proposed in this paper are easy to implement in a big data environment, a big data system based on the Spark platform is designed and the two algorithms are ported to it. The advantages of HDFS (Hadoop Distributed File System) distributed storage and Spark distributed computing are used to improve the computational efficiency of the detection algorithms in the big data environment.
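The JS-divergence check described in item (2) can be sketched as follows. This is an added example, not code from the thesis; the packet-type categories, the sample windows and the threshold value are constructed assumptions, since the abstract does not give them.

```python
import math
from collections import Counter

# Assumed packet-type categories; the abstract does not list the thesis's own.
TYPES = ("GET", "POST", "RESP_2xx", "RESP_4xx", "CONTINUATION")

def distribution(packets):
    """Probability of each packet type in one time window (None if empty)."""
    counts = Counter(p for p in packets if p in TYPES)
    total = sum(counts.values())
    return [counts[t] / total for t in TYPES] if total else None

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical, 1 for disjoint."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x, y):
        # Zero-probability terms contribute 0; y_i > 0 wherever x_i > 0.
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def detect(baseline_packets, windows, threshold):
    """Compare each window with the baseline; return (index, jsd, flagged)."""
    base = distribution(baseline_packets)
    if base is None:
        raise ValueError("baseline window is empty")
    results = []
    for i, window in enumerate(windows):
        dist = distribution(window)
        if dist is None:          # no HTTP packets seen: nothing to compare
            results.append((i, None, False))
            continue
        jsd = js_divergence(base, dist)
        results.append((i, jsd, jsd > threshold))
    return results

def make_window(get, post, ok, err, cont):
    """Build a constructed window from per-type packet counts."""
    return (["GET"] * get + ["POST"] * post + ["RESP_2xx"] * ok
            + ["RESP_4xx"] * err + ["CONTINUATION"] * cont)

# Constructed sample data, not taken from the thesis.
BASELINE = make_window(60, 10, 65, 5, 10)
WINDOWS = [make_window(55, 12, 62, 6, 15),   # close to the baseline mix
           make_window(40, 2, 8, 0, 100),    # heavily skewed type mix
           []]                               # empty window
THRESHOLD = 0.1  # assumed; the abstract says it is set by observing JSD variation

if __name__ == "__main__":
    for idx, jsd, flagged in detect(BASELINE, WINDOWS, THRESHOLD):
        print(idx, "n/a" if jsd is None else f"{jsd:.4f}", "flagged" if flagged else "normal")
```

In practice the baseline would be built from several known-normal windows and the threshold tuned against the observed spread of divergence values in normal traffic.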
Keywords/Search Tags:Application layer denial of service, Challenge Collapsar Attack, Slow HTTP Attack, Big data