
Research And Implementation Of DDoS Attack Detection And Cluster Discovery Algorithm For HTTP Traffic Behavior

Posted on: 2023-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: F G Liu
Full Text: PDF
GTID: 2558306914956349
Subject: Computer Science and Technology
Abstract/Summary:

Botnets are used by hackers to launch DDoS attacks on targets. DDoS attacks not only cause large economic losses, but are also difficult to trace back to the source. How to discover DDoS attacks quickly and accurately, and how to cluster DDoS attack traffic by similarity so that security management personnel can trace it back to the source, has therefore become an urgent problem. To address these problems, this thesis carries out the relevant research and experiments, with the following results:

1. A feature selection algorithm, DDoSFSBC, is proposed to reduce feature dimensions while putting accuracy first. The algorithm consists of data collection, data preprocessing, feature importance ranking and feature correlation screening. The first two stages aim to increase data diversity and process the data. Feature importance ranking determines the contribution of each feature to model accuracy. Feature correlation screening further filters the features according to the correlation between them. Experiments show that accuracy and recall reach 99.5% on average, and that the time cost can be reduced by 30% in individual machine learning models.

2. This thesis proposes DDoSCluster, a cluster discovery algorithm for DDoS attacks. First, a heterogeneous information network is constructed by meta-path to fix the information needed for comparison. The heterogeneous information network is divided into two corresponding relationships, which are represented and stored as adjacency matrices. At the same time, the path weights in the heterogeneous information network are redistributed. Matrix segmentation is adopted for the subsequent calculation, and the IP addresses whose similarity is greater than the threshold are placed in one cluster as the final output. Experiments show that the algorithm can completely cover the target cluster, and that accuracy increases as the threshold increases.

3. A complete DDoS attack detection and cluster discovery system is designed based on the DDoSFSBC algorithm model and the DDoSCluster algorithm model. The system consists of four modules: a traffic capture module, a traffic processing module, a DDoS attack detection module and an attack cluster discovery module. After the system is deployed, it can automatically capture network traffic, detect DDoS attack traffic, and persist the cluster division results.
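
The threshold clustering step described in item 2, as an added example that is not code from the thesis. Assumptions: the two relationships are taken to be IP to User-Agent and IP to URL, PathSim stands in for the similarity measure the abstract does not name, and the equal path weights and the sample requests are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (source IP, User-Agent, requested URL). Not data from the thesis.
REQUESTS = [
    ("10.0.0.1", "bot/1.0", "/login"), ("10.0.0.1", "bot/1.0", "/search?q=a"),
    ("10.0.0.2", "bot/1.0", "/login"), ("10.0.0.2", "bot/1.0", "/search?q=a"),
    ("10.0.0.3", "bot/1.0", "/login"),
    ("10.0.0.8", "Mozilla/5.0", "/index.html"), ("10.0.0.8", "Mozilla/5.0", "/about"),
    ("10.0.0.9", "curl/8.0", "/index.html"),
]

def adjacency(records, col):
    """IP -> {attribute value: request count}: sparse rows of one adjacency matrix A."""
    adj = defaultdict(lambda: defaultdict(int))
    for rec in records:
        adj[rec[0]][rec[col]] += 1
    return adj

def pathsim(adj, x, y):
    """PathSim on the meta-path IP-attr-IP: 2*M[x][y] / (M[x][x] + M[y][y]), M = A * A^T."""
    dot = lambda a, b: sum(v * b.get(k, 0) for k, v in a.items())
    return 2 * dot(adj[x], adj[y]) / (dot(adj[x], adj[x]) + dot(adj[y], adj[y]))

def cluster_ips(records, threshold, weights=(0.5, 0.5)):
    """Group IPs whose weighted meta-path similarity is greater than the threshold."""
    relations = [adjacency(records, 1), adjacency(records, 2)]  # IP-UA, IP-URL (assumed)
    ips = sorted({r[0] for r in records})
    parent = {ip: ip for ip in ips}  # union-find forest over IPs

    def find(ip):
        while parent[ip] != ip:
            parent[ip] = parent[parent[ip]]
            ip = parent[ip]
        return ip

    for x, y in combinations(ips, 2):
        sim = sum(w * pathsim(adj, x, y) for w, adj in zip(weights, relations))
        if sim > threshold:
            parent[find(y)] = find(x)
    groups = defaultdict(list)
    for ip in ips:
        groups[find(ip)].append(ip)
    return sorted(g for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for t in (0.3, 0.7, 0.8):
        print(t, cluster_ips(REQUESTS, t))
```

On this sample, raising the threshold first drops the loosely related pair of ordinary clients and then the partially matching bot address, leaving only the addresses with identical request profiles.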
Keywords/Search Tags: HTTP traffic, DDoS attack, Attack detection, Attack cluster discovery