
Research On The Detection Methods For Distributed Denial Of Service Flooding Attacks

Posted on: 2012-01-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Liu
GTID: 1118330362460098
Subject: Computer Science and Technology

Abstract/Summary:
Distributed Denial-of-Service (DDoS) attacks, which aim to prevent legitimate users from accessing expected services by exhausting the victim's resources, are a class of network attacks that seriously threaten the availability of networks and network services. Therefore, the detection of DDoS attacks is an important stage in the whole security protection system, and it can provide effective support for security defense by identifying attacks quickly and accurately. In recent years, many researchers have been working on the key technologies of DDoS detection and have made notable achievements. However, with the development of attack technologies and increasingly complex network environments, the accuracy and real-time performance of attack detection technology still need further improvement to meet the urgent demands of network security. In this dissertation, according to the different characteristics shown by normal flows and attack flows, the key technologies for DDoS attack detection are studied in depth based on machine learning theory. The main contributions of this dissertation are summarized as follows:

(1) A detection method based on Traffic Feature Conditional Entropy (TFCE) is presented. In view of the distributed pattern of DDoS attacks and the resulting "N-to-one" features, the concept of TFCE is proposed based on information entropy theory to describe the corresponding relations between traffic features including source IP address, destination IP address and destination port. Then, an SVM (Support Vector Machine) classifier is used to learn the change of TFCE in attack flows and normal flows. Finally, the trained SVM classifier is used to detect DDoS attacks by classifying new traffic data. Experimental results show that the presented method can effectively distinguish DDoS attacks from normal flows, and has a higher detection rate and lower false alarm rate than similar methods.

(2) A detection method based on Behavior Profiles Deviation Degree (BPDD) is proposed. Normally, network traffic consists of a few types of packets and thereby shows obvious centrality and stability, but this can change when DDoS attacks occur. Based on this observation, the concept of BPDD is proposed to measure the deviation between real-time traffic and normal traffic in terms of statistical characteristics. Then, with BPDD as the anomaly indicator, the TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) algorithm is used to build the statistical model of normal traffic. Finally, the resulting model is used to check whether new traffic data are abnormal or not. In addition, the space complexity of the TCM-KNN algorithm is O(n). To reduce the space overhead of the detection system, an improved algorithm whose space complexity is O(nk), where k << n, is presented. Experimental results demonstrate that the proposed method can detect various kinds of attacks and has better detection performance than similar methods, even for attacks using common types of packets.

(3) A detection method based on the Conditional Random Fields (CRF) model is proposed. There are still some deficiencies in the current detection methods based on machine learning algorithms. Firstly, it is hard to make full use of contextual information. Secondly, overly strong assumptions are made about the probability distribution of multiple features. Owing to its strong capability for integrating and exploiting contextual information and multiple features, the CRF model is applied for the first time to detect DDoS attacks in order to overcome the above-mentioned problems. In this method, the combination of TFCE and BPDD is used to depict the characteristics of three types of DDoS attacks, namely TCP flooding, UDP flooding and ICMP flooding. Then, a classification model is built and trained according to CRF for each of the three types of attacks respectively. Finally, the trained CRF models are used to identify the attacks through model inference. The experimental results demonstrate that the proposed method can sufficiently exploit the advantages of CRF. The proposed method not only distinguishes between attack traffic and normal traffic accurately, but is also more robust against the disturbance of background traffic than similar methods.

(4) An early detection method for Increasing-rate DDoS (IDDoS) attacks based on the Adaptive AutoRegressive (AAR) model is presented. IDDoS attacks cause slow exhaustion of the victim's resources and prolong the detection time by increasing the packet sending rate gradually, so they are better concealed than traditional DDoS attacks. Guided by early warning, an early detection technique for IDDoS attacks is proposed. The detection system extracts the TFCE measure from traffic as an indicator of attack power. Then, the AAR model is applied to predict the TFCE values of future traffic. Lastly, a trained SVM classifier is used to find the attack intention by classifying the predicted value. The experimental results demonstrate that, without loss of accuracy, the proposed method can find attacks more quickly than some representative detection methods.
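As an added illustration (not code from the dissertation), the following computes the conditional entropy between the traffic features named in contribution (1) over two constructed flow windows, one normal and one "N-to-one" flood; the abstract does not give the exact TFCE formula, so using H(target | given) over (source IP, destination IP, destination port) tuples is an assumption, and the flow data are constructed.

```python
# Added example: conditional entropy between traffic features (TFCE-style indicator).
# The exact TFCE definition is not given in the abstract; H(target | given) is assumed.
import math
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)
SRC, DST, DPORT = 0, 1, 2


def entropy(counts: Iterable[int]) -> float:
    """Shannon entropy in bits of an empirical distribution given as counts."""
    counts = list(counts)
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def cond_entropy(flows: Sequence[Flow], given: Tuple[int, ...], target: Tuple[int, ...]) -> float:
    """H(target | given) = H(given, target) - H(given), estimated from one flow window."""
    joint = Counter(tuple(f[i] for i in given + target) for f in flows)
    marginal = Counter(tuple(f[i] for i in given) for f in flows)
    return entropy(joint.values()) - entropy(marginal.values())


def tfce_features(flows: Sequence[Flow]) -> Dict[str, float]:
    """Two directions of the source/destination relation used in the abstract."""
    return {
        "H(dst,port|src)": cond_entropy(flows, (SRC,), (DST, DPORT)),
        "H(src|dst,port)": cond_entropy(flows, (DST, DPORT), (SRC,)),
    }


# Constructed normal window: four sources, each talking to two different services.
NORMAL: list = [
    ("10.0.0.1", "192.0.2.10", 80), ("10.0.0.1", "192.0.2.11", 443),
    ("10.0.0.2", "192.0.2.10", 80), ("10.0.0.2", "192.0.2.12", 22),
    ("10.0.0.3", "192.0.2.11", 443), ("10.0.0.3", "192.0.2.12", 22),
    ("10.0.0.4", "192.0.2.10", 80), ("10.0.0.4", "192.0.2.11", 443),
]
# Constructed flood window: eight distinct sources all hitting one destination/port.
FLOOD: list = [(f"203.0.113.{i}", "192.0.2.10", 80) for i in range(1, 9)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, {k: round(v, 3) for k, v in tfce_features(window).items()})
```

In the flood window H(dst,port|src) collapses to 0 bits while H(src|dst,port) rises to its maximum, which is the "N-to-one" shift a classifier trained on TFCE values is meant to pick up.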
Keywords/Search Tags: Network Security, Intrusion Detection, Distributed Denial-of-Service, Machine Learning, Conditional Entropy, Behavior Profile, Conditional Random Fields, Early Detection