Method of Detecting Application-Layer DDoS Based on the Out-Linking Behavior of Web Community

Abstract

PDF HTML阅读 XML下载 导出引用 引用提醒 一种基于Web 群体外联行为的应用层DDoS 检测方法 DOI: 10.3724/SP.J.1001.2013.04274 作者: 作者单位: 作者简介: 通讯作者: 中图分类号: 基金项目: 国家自然科学基金(60803142); 山东省科技攻关计划(2010GGX10117) Method of Detecting Application-Layer DDoS Based on the Out-Linking Behavior of Web Community Author: Affiliation: Fund Project: 摘要 | 图/表 | 访问统计 | 参考文献 | 相似文献 | 引证文献 | 资源附件 | 文章评论 摘要:由于攻击者采用各种技术手段隐藏攻击行为,DDoS 攻击变得越发难以发现,应用层DDoS 成为Web 服务器所面临的最主要威胁之一.从通信群体的层面分析Web 通信的外联行为特征的稳定性,并提出了一种应用层DDoS 检测方法.该方法用CUSUM 算法检测Web 群体外联行为参数的偏移,据此来判断DDoS 攻击行为的发生.由于外联行为模型刻画的是Web 通信群体与外界的交互,并非用户个体行为,所以攻击者难以通过模仿正常访问行为规避检测.该方法不仅能够发现用户群体访问行为的异常,而且能够有效区分突发访问和应用层DDoS 攻击.模拟实验结果表明,该方法能够有效检测针对Web 服务器的不同类型的DDoS 攻击. Abstract:Distributed denial of service (DDoS) attacks have become more and more difficult to detect due to various hiding techniques that have been adopted. Application-Layer the DDoS attack is becoming a major threat to the current network. This paper analyzes the stability of out-linking behavior on the level of Web community and proposes an approach for detecting application-layer DDoS aimed at Web server. CUSUM is used to detect the offset of out-linking parameters and determine the attack occurring. Rather than the individual behavior, out-linking parameters are about the group behavior of Web community, so it is difficult to circumvent detecting by simulating normal accesses. This approach can not only detect the anomaly of accessing behavior, but can also distinguish flash crowd and application-layer DDoS. The results of simulated experiments show that this approach can detect various types of DDoS attacks aiming at Web servers effectively. 参考文献 相似文献 引证文献