Research Of DDoS Attack Detection Method In The Backbone Communication Network

Posted on: 2018-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Mi
GTID: 2348330512487989
Subject: Information and Communication Engineering
Abstract/Summary:
With the rapid development of information technology, abnormal network behavior is occurring more and more frequently, with an increasingly negative impact on people's daily activities. In recent years, more and more researchers at home and abroad have turned their attention to abnormal network behavior and have done a lot of work on its analysis. Against this background, this thesis tries to detect abnormal network behaviors, focusing on Distributed Denial of Service (DDoS) attacks and taking SYN flood attacks as the main research object.

Traditional SYN flood detection algorithms are mainly based on deep packet analysis, examining the details of network data packets through message statistics. However, the backbone communication network is characterized by growing scale and large data volumes, which increases the running time of such methods, raises their cost and reduces their real-time efficiency. In addition, flash crowd behavior and DDoS attacks look similar in many respects, so existing abnormal behavior identification methods suffer from false negatives and false positives. To solve these problems, this thesis presents a SYN flood attack detection algorithm based on a Counting Bloom Filter and proposes a SYN flood attack detection algorithm based on graph mining. The main work of this thesis is as follows.

(1) A SYN flood attack detection algorithm based on a Counting Bloom Filter is proposed. Because SYN, SYN|ACK and ACK packets should be balanced during the TCP three-way handshake, the algorithm monitors the number of SYN|ACK and ACK packets in a time window and compares the difference with the number of ACK packets in the same time window. The time window is then tuned by adaptively adjusting its size, and information entropy is used to determine the target of the attack. Finally, a comparison with two other message-statistics detection algorithms verifies that the algorithm can effectively distinguish attacks from flash crowds while achieving a high detection rate.

(2) A SYN flood detection algorithm based on graph mining is proposed. According to the re-use rate of the false source IP address, SYN flood attacks are divided into two categories. Graph mining is used to match the two different kinds of DDoS attack against patterns in order to detect whether the network is abnormal. When a flash crowd occurs, the network flow behavior has many similarities with the second category of SYN flood attack, so a third-level judgment is used to distinguish the second category of DDoS attack from a flash crowd. Finally, the effectiveness of the algorithm is verified through experiments.
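The handshake-balance check from part (1), as an added example that is not code from the thesis. The flow key, the `ratio_limit` threshold, the filter dimensions and the sample traffic are assumptions; the adaptive window sizing is left out.

```python
# Assumed scheme for illustration; not the thesis's implementation.
import hashlib, math
from collections import Counter

class CountingBloomFilter:
    """Bloom filter with counters, so entries can be removed again."""
    def __init__(self, size=4096, hashes=3):
        self.size, self.hashes, self.cells = size, hashes, [0] * size
    def _slots(self, key):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size
    def add(self, key):
        for s in self._slots(key):
            self.cells[s] += 1
    def remove(self, key):
        for s in self._slots(key):
            self.cells[s] -= 1
    def __contains__(self, key):
        return all(self.cells[s] > 0 for s in self._slots(key))

def analyse_window(packets, ratio_limit=1.0):
    """packets: (flags, client, server) tuples observed in one time window."""
    cbf, pending, synack, ack = CountingBloomFilter(), Counter(), 0, 0
    for flags, client, server in packets:
        flow = f"{client}>{server}"
        if flags == "SA":                    # server answered a SYN
            cbf.add(flow); pending[server] += 1; synack += 1
        elif flags == "A" and flow in cbf:   # client completed the handshake
            cbf.remove(flow); pending[server] -= 1; ack += 1
    half_open = synack - ack
    open_counts = {s: c for s, c in pending.items() if c > 0}
    total = sum(open_counts.values())
    # Shannon entropy of half-open handshakes over servers: low = one target
    entropy = sum(c / total * math.log2(total / c) for c in open_counts.values())
    alarm = half_open > ratio_limit * max(ack, 1)
    target = max(open_counts, key=open_counts.get) if alarm else None
    return {"half_open": half_open, "alarm": alarm, "entropy": entropy, "target": target}

# Constructed sample windows (documentation address ranges, not captured traffic)
def flash_crowd():
    flows = [(f"203.0.113.{i % 250}:{40000 + i}", "192.0.2.10") for i in range(200)]
    return [(f, c, s) for c, s in flows for f in ("SA", "A")]

def syn_flood():
    legit = [(f"203.0.113.{i}:{40000 + i}", "192.0.2.20") for i in range(20)]
    spoofed = [("SA", f"198.51.100.{i % 250}:{1024 + i}", "192.0.2.10") for i in range(300)]
    return [(f, c, s) for c, s in legit for f in ("SA", "A")] + spoofed
```

The flash-crowd window carries more connections than usual but every handshake completes, so the difference stays at zero; in the flood window the spoofed clients never send the final ACK and the half-open handshakes concentrate on one server.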
Keywords/Search Tags: DDoS, Counting Bloom Filter, Graph Mining, Anomalous Behavior Detection