
Research On DDOS Detection And Protection Method Based On Flow And Data Mining

Posted on: 2010-07-09 | Degree: Master | Type: Thesis
Country: China | Candidate: Y C Zhao | Full Text: PDF
GTID: 2178360272996558 | Subject: Computer application technology
Abstract/Summary:
With the astonishingly rapid adoption of network computing and its e-commerce derivatives, the Internet has penetrated every aspect of modern society. The Internet and other networks are becoming increasingly important both to commerce and to government. At the same time, the number of reported large-scale attacks has grown tremendously in recent years. Large-scale attack behaviours, especially worms and distributed denial of service (DDoS) attacks, pose severe threats to every aspect of Internet backbone security. A backbone network is characterised by high speed and huge traffic volume, and traditional intrusion detection technology fails to detect large-scale threats on it because of its inefficiency and its inability to detect novel attacks. This thesis focuses on methodologies and technologies for macroscopic network security monitoring and early-warning system construction, based on the author's practical experience in backbone network security analysis.

DDoS is an attack behaviour that threatens both the network and its nodes; it can paralyse a large network area or a single node, and because it is easy to carry out it is used by most attackers. Research on DDoS detection and protection methods is therefore very important. This thesis studies and compares several major DDoS detection and protection methods, weighing their advantages and drawbacks, and on that basis proposes a method that combines EWMA (Exponentially Weighted Moving Average) with frequent-pattern data mining, providing an integrated technical solution for DDoS protection. What is unique about the method is that it not only uses pattern matching against a sample library but also introduces data mining to extract DDoS flow characteristics dynamically. The method adds a second verification stage, which improves detection and protection accuracy dramatically.

Finally, in connection with real-world conditions, the proposed method was verified in an actual network environment using dedicated equipment, with relatively satisfactory results. An improved EWMA algorithm is proposed in this thesis that uses a dynamic weight assignment policy to weight the history series properly; each traffic value is recalculated with different weights for different components of the traffic. A no-trend seasonal Winters multiplicative method is used to model and detect anomalies in periodic service types; it has the least overhead and describes the traffic contour in finer detail. Furthermore, a two-stage risk evaluation algorithm is proposed to avoid possible false-positive alarms. Experiments show that the method can effectively detect traffic anomalies caused by large-scale attacks.

To locate suspicious victims quickly, a fast position-locating and malicious-feature extraction algorithm is put forward, based on Traffic Interestedness Relationship (TIR) modelling and a frequent pattern induction algorithm. It needs only minimal connection information from the backbone network and does not depend on any prior knowledge of the novel attack. To reduce system resource cost, a two-stage policy is proposed: first locate the address, then find the attack feature from the communications of the located IP address. Visit frequency degree, destination address dispersion degree and request-acknowledge degree are used as constraint conditions to identify suspicious worm contagion sources and DDoS victims, and an improved frequency-constrained AOI algorithm is provided to extract frequent feature patterns from the limited sample space. To further improve information collection efficiency, a new fast TIR tree construction algorithm, the 2-page Hash Table Algorithm, is introduced.

It greatly improves processing efficiency. Experiments show that the policy and algorithms can effectively locate victim positions and extract unknown attack features. The thesis also puts forward an overall design for feature-feedback detection and protection. For a network anomaly warning system it is not enough to detect a problem after an intrusion; the aim is to establish a defence system that combines pre-warning and tracking with proactive monitoring. A mechanism based on vulnerability analysis makes advance warning possible, and combining it with traffic anomaly detection lets us deal more effectively with risks as they arrive, while ensuring that if early warning fails an incident is still followed up promptly, so that a reliable, integrated security system built on prior warning is established. Macroscopic network security monitoring is a systematic project concerning many related subjects and technology fields, and the issues addressed in this thesis are still very limited. Many aspects of macroscopic network security monitoring and related technologies remain to be discussed and researched; the work of this thesis is only a preliminary attempt and further research is needed.
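As an added illustration that is not code from the thesis, the following Python sketch shows an EWMA traffic baseline combined with a two-stage confirmation of the kind the abstract describes, run over a constructed packet-rate series. The fixed smoothing factor, the consecutive-sample confirmation rule and the sample data are assumptions; they are not the thesis's actual dynamic weighting policy or risk evaluation algorithm.

```python
from statistics import mean

# Constructed packet-rate series (packets/s per interval): a stable baseline,
# one short burst (index 8) and a sustained flood from index 10 onward.
TRAFFIC = [1000, 1020, 980, 1010, 990, 1000,   # warm-up window
           1005, 995, 1500, 1000,              # normal, burst, normal
           4000, 4200, 4100, 4300]             # sustained flood


def ewma_alarms(series, alpha=0.2, k=3.0, warmup=6, confirm=3):
    """Return the indices at which a confirmed alarm is raised.

    Stage 1 (EWMA baseline): a sample is flagged when it exceeds
    mean + k * mean-absolute-deviation, both tracked as EWMAs.
    Stage 2 (risk confirmation): an alarm is raised only when `confirm`
    consecutive samples are flagged, so an isolated burst is ignored.
    Assumed simplification: flagged samples get weight 0 in the baseline
    update so that attack traffic does not raise the threshold.
    """
    if len(series) < warmup + 1:
        raise ValueError("series shorter than warm-up window")
    mu = mean(series[:warmup])
    dev = mean(abs(x - mu) for x in series[:warmup]) or 1.0
    streak, alarms = 0, []
    for i in range(warmup, len(series)):
        x = series[i]
        if x > mu + k * dev:
            streak += 1                      # stage 1: suspicious sample
            if streak == confirm:
                alarms.append(i)             # stage 2: confirmed alarm
        else:
            streak = 0
            mu = alpha * x + (1 - alpha) * mu
            dev = alpha * abs(x - mu) + (1 - alpha) * dev
    return alarms


if __name__ == "__main__":
    print("confirmed alarms at", ewma_alarms(TRAFFIC))   # [12]
```

The single burst at index 8 is flagged by stage 1 but never confirmed, while the flood is confirmed on its third consecutive sample.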
Keywords/Search Tags: Flow, Data Mining, (DDOS) Distributed Denial Of Service, (EWMA) Exponentially Weighted Moving Average