基于改进AAR模型的DIDoS攻击早期检测方法
收稿日期: 2010-05-20
修回日期: 2010-10-26
网络出版日期: 2011-04-25
基金资助
国家自然科学基金资助项目(60603062);湖南省教育厅资助科研项目(07C718);湖南省自然科学基金资助项目(06JJ3035);公安部应用创新计划(2007YYCXHNST072)
Distributed IncreasingRate DenialofService Attacks Based on an Improved AAR Model
Received date: 2010-05-20
Revised date: 2010-10-26
Online published: 2011-04-25
分布式增速拒绝服务(DIDoS)攻击采用逐步提升发包速率的方式来造成受害者资源的慢消耗,较之传统的分布式拒绝服务(DDoS)攻击更具隐蔽性,如何尽可能早地将其捕获是一个亟待研究的问题。本文针对DIDoS攻击的特点,提出了一种基于改进AAR模型的DIDoS攻击早期检测方法。为此,首先提出了一组基于条件熵的检测特征:流特征条件熵(TFCE),用以反映DIDoS攻击流速的增长变化;然后根据改进的AAR模型对TFCE值进行多步预测;最后采用经过训练的SVM分类器对预测值进行分类,以识别攻击企图。实验结果表明,在保证检测精度相当的前提下,该方法比部分现有方法能够更快检测到攻击。
关键词: 分布式增速拒绝服务攻击; 流特征条件熵; 自适应自回归; 支持向量机
刘运,殷建平,程杰仁,蔡志平 . 基于改进AAR模型的DIDoS攻击早期检测方法[J]. 计算机工程与科学, 2011 , 33(4) : 1 -7 . DOI: 10.3969/j.issn.1007130X.2011.
Distributed Increasingrate DenialofService (DIDoS) attacks gradually increase the sending rate of packets to exhaust the victim’s resources slowly, so DIDoS attacks have a higher concealment than the traditional DDoS attacks. How to detect DIDoS attacks as soon as possible is an urgent problem we should study. In view of the characteristics of DIDoS attacks, a novel approach for early detection based on an improved adaptive autoregressive (AAR) model is proposed. In this approach, a set of novel detection features based on the conditional entropy called the Traffic Feature Conditional Entropy (TFCE), are used to reflect the increase of DIDoS attack traffic rate. Then an improved AAR model is used to predict the multistep TFCE values. Finally a trained SVM classifier is adopted to identify the tendency of attacks by classifying the predicted TFCE values. The experimental results demonstrate that our approach can not only guarantee the comparative precision of detection but also detect DIDoS attacks more quickly than some existing approaches.
[1]MirRovic J,Reiher P. Taxonomy of DDoS Attack and DDoS Defense Mechanisms[J].ACM SIGCOMM Computer Communication Review, 2004,34(2):3953.
[2]Kim Y, Lau W C, Chuah M C, et al. PacketScoreA StatisticsBased Packet Filtering Scheme Against Distributed DenialofService Attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2006, 3(2):141155.
[3]孙庆东, 张德运,高鹏.基于时间序列分析的分布式拒绝服务攻击检测[J].计算机学报, 2005, 28(5):767773.
[4]周东清,张海锋,张绍武,等. 基于HMM的分布式拒绝服务攻击检测方法[J]. 计算机研究与发展,2005,42(9):15941599.
[5]Gupta K K, Nathn B, Kotagiri R. Layered Approach Using Conditional Random Fields for Intrusion Detection[J]. IEEE Transactions on Dependable and Secure Computing, 2010,7(1):3549.
[6]Haggerty J, Shi Q, Merabti M. Early Detection and Prevention of DenialofService Attacks a Novel Mechanism with Propagated TracedBack Attack Blocking[J]. IEEE Journal on Selected Areas in Communications, 2005, 23(10):19942002.
[7]Chen Y, Hwang K, Ku WS. Collaborative Detection of DDoS Attacks over Multiple Network Domains[J]. IEEE Transactions on Parallel and Distributed System,2007,18(12):16491662.
[8]Kumar K, Joshi R C, Singh K. A Distributed Approach using Entropy to Detect DDoS Attacks in ISP Domain[C]∥Proc of IEEE Int’l Conf on Signal Processing, Communications and Networking, 2007:331337.
[9]Kalman R E. A New Approach to Linear Filtering and Prediction Problems[J]. Transactions of the ASMEJournal of Basic Engineering, 1960, 82 (Series D):3545.
[10]Haykin S. Adaptive Filter Theory[M]. Englewood Cliff, NJ:PrenticeHall Inc, 1986.
[11]Su H W, Zhang L, Yu S. Shortterm Traffic Flow Prediction Based on Incremental Support Vector Regression[C]∥Proc of the 3rd Int’l Conf on Natural Computation ,2007:640645.
[12]http://www.ll.mit.edu/IST/ideval/data/1999/1999_data_index.html.
/
| 〈 |
|
〉 |