
Research on DDoS Attack Detection Techniques Based on Spectrum Analysis and Statistical Machine Learning

Research of DDoS Attacks Detection Methods Based on Spectrum Analysis and Statistical Machine Learning

【Author】 陈世文 (Chen Shiwen)

【Supervisor】 邬江兴 (Wu Jiangxing)

【Author information】 解放军信息工程大学 (PLA Information Engineering University), Communication and Information Systems, 2013, Doctoral thesis

【Abstract】 Driven by the research needs of the National 863 Program projects "High-Trust Network Service Management and Control System" and "Unified Security Management and Control Network for Tri-Network Convergence", and following the overall approach of "distributed detection, hierarchical blocking and centralized situational awareness", this thesis studies DDoS attack detection from two angles: macro-level sensing of attack flows and micro-level detection methods. It proposes sensing methods for flooding attacks and low-rate denial of service (LDoS) attacks based on spectrum analysis of IP flow sequences. Once an attack has been sensed, DDoS detection is cast as a binary classification problem in machine learning, and three models, the hidden Markov model, the twin support vector machine and conditional random fields, are used to implement probability-point detection, classification-hyperplane detection, and a conditional random field detection method that exploits the joint processing of multiple features.

For the macro-level sensing problem, a flooding DDoS sensing method is proposed that estimates the Hurst exponent with a fast fractional Fourier transform. It exploits the effect of DDoS attacks on the self-similarity of network traffic and decides whether an attack is present by monitoring whether the change in the Hurst exponent crosses a threshold. Compared with wavelet analysis and similar methods, it has low computational complexity and high estimation accuracy for the Hurst exponent. For the more covert low-rate denial of service (LDoS) attacks, a sensing method based on Bartlett power spectrum estimation is proposed; compared with the rectangular-window and triangular-window methods, the Bartlett estimate is more consistent and gives a higher LDoS detection rate.

For the micro-level problem of detecting specific attack features, three statistical machine learning detection strategies are proposed, based on the hidden Markov model, the twin support vector machine and conditional random fields respectively. First, from the angle of probability-point discrimination, a DDoS detection method based on a multi-feature parallel hidden Markov model (MFP-HMM) is proposed. Using the correspondence between the HMM hidden-state sequence and the feature observation sequence, it converts the multi-dimensional feature anomalies caused by an attack into discrete random variables and uses probability computation to characterize how far the current sliding-window sequence deviates from the normal behaviour profile. The MFP-HMM architecture processes multi-dimensional features in parallel, which makes it easy to add new feature modules; the feature sequences pass through a sliding window to form the observation sequences fed to the HMM, which can be accelerated with a multi-stage hardware pipeline and provides the basis for reconfigurable design and distributed deployment. Experimental results show that the MFP-HMM method outperforms the standard HMM and other machine learning methods, with high detection accuracy and a low false alarm rate. Second, from the angle of classification-hyperplane discrimination, a DDoS detection method based on the least squares twin support vector machine (LSTSVM) is proposed. It solves the learning problem with optimization methods, exploits the good non-linear processing and generalization ability of support vector machines, and uses IP packet five-tuple entropy, IP identification, TCP header flags, packet rate and similar quantities as the multi-dimensional feature vector of the LSTSVM model, so as to capture the flow-distribution characteristics of DDoS attacks. Experiments on the DARPA 2000 dataset and a dataset captured from TFN2K attacks show that the method outperforms the standard support vector machine (SVM) and other machine learning methods, with higher detection accuracy and a lower false alarm rate when separating normal burst traffic from DDoS attack traffic. Finally, a conditional random field DDoS detection method that fuses several discrimination rules is proposed. It does not require the individual features to be independent and identically distributed; building on the ability of conditional random fields to process multiple features jointly, it unifies feature-matching and anomaly-detection approaches and achieves a high detection rate with a low false alarm rate. Experiments on the DARPA 2000 dataset show that the conditional random field method outperforms traditional SVM and other methods, with accuracy above 99.5% and a false positive rate (FPR) below 0.6%, and that it is robust and resists background noise well.

【Abstract】 According to the fundamental technique research tasks of the "New Generation Network with High Trustability" and "Common Security and Control Framework in Tri-Network Convergence" projects of the National High-Tech Research and Development Program of China (863 Program), this thesis studies DDoS attack detection methods under the unitary scheme of "Distributed Detection, Hierarchical Defence, and Centralized Situational Awareness". From the angles of macrocosmic attack awareness and microcosmic specific detection methods, this thesis proposes spectrum-analysis-based sensing methods for flooding attacks and low-rate attacks using the IP packet sequence. At the same time, DDoS attack detection is transformed into a binary classification problem in machine learning, and DDoS attack detection methods are implemented with the Hidden Markov Model, the Twin Support Vector Machine and Conditional Random Fields.

For macrocosmic awareness, this thesis proposes a flooding DDoS attack detection method based on Hurst parameter estimation with the fast fractional Fourier transform (FFrFT). Because DDoS attacks influence the self-similarity characteristic of network traffic, DDoS attacks can be detected by monitoring whether the change of the Hurst parameter crosses a threshold. The FFrFT-based Hurst parameter estimation method, with low computational complexity and high estimation accuracy, outperforms other well-known methods such as R/S and wavelet analysis. Meanwhile, this thesis proposes a detection method based on the estimation of the Bartlett power spectrum for low-rate DoS attacks. Our experiments reveal that the consistency and true positive rate of the Bartlett power spectrum method are better than those of the rectangular-window and triangular-window based methods.

For the specific detection of DDoS attacks, three detection strategies based on statistical machine learning models are proposed separately. The machine learning models are the Hidden Markov Model, the Twin Support Vector Machine and Conditional Random Fields. Firstly, based on the multi-feature parallel Hidden Markov Model (MFP-HMM), a DDoS attack detection method is proposed according to probability point discrimination. Using the relationship between the HMM hidden-state sequence and the observed feature sequence, the multi-dimensional feature changes caused by DDoS attacks are translated into discrete random variables. Then, the deviation between the current sliding-window sequence and the normal behavior profile is characterized by calculating the probability of the sequence. The MFP-HMM architecture uses a parallel processing mode for multi-dimensional features, which is conducive to the addition of new processing modules. Meanwhile, the observation sequence, translated from the feature sequence by passing it through the sliding window, can be accelerated by a multi-level hardware pipeline, which establishes the foundation for reconfigurable design and distributed deployment. Our experiments reveal that the MFP-HMM based method, with higher detection accuracy and a lower false positive rate, is better than the standard HMM. Secondly, based on the Least Squares Twin Support Vector Machine (LSTSVM), a DDoS attack detection method with classification hyperplane discrimination is proposed. With the help of optimization methods for solving the machine learning problem, this method improves the detection rate and reduces the false positive rate. The dispersion of source IPs and the concentration of destination IPs under DDoS attacks are reflected by features such as the IP flow entropy, the IP identification, the TCP header flags and the packet rate. On the DARPA 2000 datasets and the TFN2K-attack collection datasets, the experiments reveal that this method, with high detection accuracy and a low false positive rate, is better than the Naive Bayes algorithm, K-nearest neighbors, the standard SVM and other methods at distinguishing normal burst traffic from DDoS attacks. Finally, a Conditional Random Fields based method is proposed. It makes full use of multi-feature fusion while not strictly requiring the features to be independent, so it combines the pattern-matching based methods and the anomaly-detection based approach effectively. The detection rate and the false positive rate are both improved under conditional random fields. The concept of IP flow five-tuple entropy is put forward as the multi-feature vector for DDoS attack detection. Our experiments reveal that the CRF-based method has higher detection accuracy and a lower false positive rate, as well as a strong ability to resist background noise and good robustness.
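Both abstracts describe sensing low-rate DoS attacks with a Bartlett power spectrum estimate but do not show the computation. The following is an added illustration, not code from the thesis: it implements the Bartlett estimator (average of the periodograms of K non-overlapping segments) with a direct DFT so it runs without NumPy, builds a constructed packet-rate series (Gaussian background at 100 samples per second, optionally with a 200 ms pulse every second as a stand-in for an RTO-synchronised LDoS pulse train), scores each series by its strongest non-DC bin relative to a noise floor learned from normal traffic, and compares the spread of the noise bins under a single rectangular-window periodogram versus the Bartlett average. The sampling rate, pulse shape, threshold and scoring rule are all assumptions for the example; the thesis does not specify them.

```python
import cmath
import math
import random
from typing import Dict, List, Optional, Tuple

# Constructed sampling setup (assumption): packet counts in 10 ms bins, 100 per second.
SAMPLE_HZ = 100


def periodogram(x: List[float]) -> List[float]:
    """Rectangular-window periodogram |X(k)|^2 / M for bins k = 0..M//2.

    The segment mean is removed first so the DC bin does not dominate.
    A direct O(M^2) DFT keeps the example dependency-free.
    """
    m = len(x)
    mean = sum(x) / m
    centred = [v - mean for v in x]
    psd = []
    for k in range(m // 2 + 1):
        acc = sum(centred[n] * cmath.exp(-2j * math.pi * k * n / m) for n in range(m))
        psd.append(abs(acc) ** 2 / m)
    return psd


def bartlett_psd(x: List[float], seg_len: int) -> List[float]:
    """Bartlett estimate: average the periodograms of K non-overlapping segments.

    Averaging K periodograms divides the variance of each bin by about K,
    at the cost of coarser frequency resolution (SAMPLE_HZ / seg_len).
    """
    k_segments = len(x) // seg_len
    if k_segments < 1:
        raise ValueError("series shorter than one segment")
    acc = [0.0] * (seg_len // 2 + 1)
    for i in range(k_segments):
        for b, p in enumerate(periodogram(x[i * seg_len:(i + 1) * seg_len])):
            acc[b] += p
    return [p / k_segments for p in acc]


def noise_floor(psd: List[float]) -> float:
    """Mean power of the non-DC bins, learned from a normal-traffic profile."""
    return sum(psd[1:]) / (len(psd) - 1)


def ldos_score(psd: List[float], floor: float) -> Tuple[int, float]:
    """Strongest non-DC bin and its power relative to the normal floor.

    A periodic pulse train concentrates power at its repetition frequency
    (and harmonics), so this ratio rises by orders of magnitude.
    """
    k_peak = max(range(1, len(psd)), key=psd.__getitem__)
    return k_peak, psd[k_peak] / floor


def rel_std(values: List[float]) -> float:
    """Standard deviation divided by mean: a simple measure of estimator consistency."""
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return math.sqrt(var) / mean


def make_traffic(n: int, seed: int, pulse_period: Optional[int] = None,
                 pulse_width: int = 20, pulse_height: float = 200.0) -> List[float]:
    """Constructed packet-rate series: Gaussian background plus optional periodic pulses.

    pulse_period=100 at SAMPLE_HZ=100 means one 200 ms burst every second (assumption).
    """
    rng = random.Random(seed)
    x = [50.0 + rng.gauss(0.0, 5.0) for _ in range(n)]
    if pulse_period:
        for t in range(n):
            if t % pulse_period < pulse_width:
                x[t] += pulse_height
    return x


def demo(n: int = 800, seg_len: int = 100) -> Dict[str, float]:
    """Score a normal and a pulsed series, and compare estimator spread."""
    normal = make_traffic(n, seed=7)
    attack = make_traffic(n, seed=7, pulse_period=100)
    normal_psd = bartlett_psd(normal, seg_len)
    floor = noise_floor(normal_psd)
    k_norm, s_norm = ldos_score(normal_psd, floor)
    k_att, s_att = ldos_score(bartlett_psd(attack, seg_len), floor)
    return {
        "normal_bin": k_norm, "normal_score": s_norm,
        "attack_bin": k_att, "attack_score": s_att,
        "attack_hz": k_att * SAMPLE_HZ / seg_len,
        # spread of the noise bins: one periodogram over the whole record (K=1)
        # versus the Bartlett average over n // seg_len segments
        "single_rel_std": rel_std(periodogram(normal)[1:]),
        "bartlett_rel_std": rel_std(normal_psd[1:]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>17}: {value:.3f}")
```

On the constructed data the pulsed series peaks at bin 1 (1 Hz, the pulse repetition rate) at several hundred times the normal floor, while the normal series stays within a few times the floor; the relative spread of the noise bins under the Bartlett average is roughly 1/sqrt(K) of that of the single periodogram, which is the consistency advantage the abstract refers to. The trade-off, visible in `bartlett_psd`, is that resolution drops to SAMPLE_HZ / seg_len, so the segment length must be chosen long enough to resolve the pulse period of interest.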
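Both abstracts list IP flow (five-tuple) entropy, TCP header flags and packet rate as the feature vector for the LSTSVM classifier, and motivate them by the dispersion of source IPs and concentration of destination IPs under attack, but neither shows how the features are computed. The following is an added example, not the thesis's own code: it defines a packet record, computes normalised Shannon entropies of the individual header fields and of the full five-tuple over a window, adds a SYN ratio and a packet rate, and slides a fixed-size window over a packet list to produce one feature vector per step. The two traffic samples are constructed (twenty clients with a few long-lived flows to five servers versus a SYN flood with a distinct spoofed source per packet), and the window size, the log2(n) normalisation and the feature names are assumptions for the example; the thesis does not specify them. No classifier is included; the vectors returned are what such a classifier would be trained on.

```python
import math
import random
from collections import Counter
from typing import Callable, Dict, Iterator, List, NamedTuple


class Packet(NamedTuple):
    ts: float        # seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    flags: str       # TCP flags as a short string, e.g. "S", "A", "PA"


def shannon_entropy(counts: Counter) -> float:
    """Shannon entropy in bits of an empirical distribution given as counts."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(window: List[Packet]) -> Dict[str, float]:
    """Feature vector for one window of packets.

    Entropies are divided by log2(n) (assumption) so that 0 means every packet
    shares one value and 1 means every packet has a distinct value, whatever n is.
    """
    n = len(window)
    norm = math.log2(n) if n > 1 else 1.0

    def h(key: Callable[[Packet], object]) -> float:
        return shannon_entropy(Counter(key(p) for p in window)) / norm

    span = window[-1].ts - window[0].ts
    return {
        "h_src": h(lambda p: p.src),          # rises with spoofed/dispersed sources
        "h_dst": h(lambda p: p.dst),          # falls when traffic converges on one target
        "h_sport": h(lambda p: p.sport),
        "h_dport": h(lambda p: p.dport),
        "h_5tuple": h(lambda p: (p.src, p.dst, p.sport, p.dport, p.proto)),
        "syn_ratio": sum(1 for p in window if p.flags == "S") / n,
        "pkt_rate": n / span if span > 0 else float("inf"),
    }


def feature_stream(packets: List[Packet], size: int, step: int) -> Iterator[Dict[str, float]]:
    """Slide a fixed-size window over the packet list, one feature vector per step."""
    for start in range(0, len(packets) - size + 1, step):
        yield window_features(packets[start:start + size])


def make_normal(n: int = 200, seed: int = 1) -> List[Packet]:
    """Constructed benign traffic: 20 clients, 5 servers, 2 long-lived flows per client."""
    rng = random.Random(seed)
    servers = [f"192.0.2.{i}" for i in range(10, 15)]
    flows = []
    for c in range(20):
        client = f"198.51.100.{c + 1}"
        for _ in range(2):
            flows.append((client, rng.choice(servers), rng.randint(1024, 65535),
                          rng.choice([80, 443])))
    packets = []
    for i in range(n):
        src, dst, sport, dport = rng.choice(flows)
        flags = rng.choice(["A", "A", "A", "PA", "PA", "S", "SA", "FA"])
        packets.append(Packet(i * 0.005, src, dst, sport, dport, "tcp", flags))
    return packets


def make_flood(n: int = 200, seed: int = 2) -> List[Packet]:
    """Constructed SYN flood: a distinct spoofed source per packet, one target, 10x the rate."""
    rng = random.Random(seed)
    packets = []
    for i in range(n):
        src = f"10.{i // 256}.{i % 256}.{rng.randint(1, 254)}"   # unique per packet
        packets.append(Packet(5.0 + i * 0.0005, src, "192.0.2.10",
                              rng.randint(1024, 65535), 80, "tcp", "S"))
    return packets


def demo() -> Dict[str, Dict[str, float]]:
    """Feature vectors for one benign window and one flood window."""
    return {"normal": window_features(make_normal()),
            "flood": window_features(make_flood())}


if __name__ == "__main__":
    for label, feats in demo().items():
        print(label, {k: round(v, 3) for k, v in feats.items()})
```

On the constructed windows the flood shows source entropy near 1, destination entropy 0, SYN ratio 1 and roughly ten times the packet rate, while the benign window keeps source entropy well under 0.6 (twenty clients), a non-zero destination entropy and a small SYN ratio. Using `feature_stream` on a live capture turns this into the per-window feature sequence the abstract describes; the normalisation by log2(n) keeps the entropy features comparable across window sizes, which matters when the same model is deployed on sensors with different traffic volumes.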
