
Research on a Composite DDoS Attack Detection and Defense Model

A Complex Model of DDoS Attack Detection and Defense

【Author】 母军臣

【Supervisor】 申石磊

【Author information】 Henan University, Computer Applied Technology, 2007, Master's thesis

【Abstract (translated from Chinese)】 In recent years, distributed denial-of-service (DDoS) attacks have seriously affected Internet security and greatly harmed the application and development of the Internet. At present, the self-similarity of network traffic, time series analysis and IP packet filtering have become important strategies and techniques for DDoS attack detection and defense. However, when these strategies and techniques are used individually, the detection and defense results are not ideal. The reason is that traffic self-similarity and time series analysis can only detect DDoS attacks; their results suffer from delayed detection, false alarms and missed alarms, and even a detected attack cannot be defended against. IP packet filtering can defend against DDoS attacks fairly well, but it handles very large amounts of data, and querying and updating that data consumes substantial system resources (such as CPU and memory), increasing system overhead; moreover, IP packet filtering alone cannot detect DDoS attacks. First, the thesis classifies DDoS attacks by network traffic and by TCP/IP protocol and briefly analyzes the attack types under both classifications. It also analyzes the detection and defense strategies for each attack type under the traffic-based classification and compares those strategies. Then, combining the advantages of time series analysis and IP packet filtering and improving both techniques, the thesis proposes a composite DDoS attack detection and defense model. The detection module is based on time series analysis: it defines a time series PDD (Port to Port Data Density) and tests the stationarity of PDD with a non-parametric test. Based on the test result, the thesis processes PDD with the non-stationary time series AAR model, which has strong online analysis capability and low computational cost. The non-parametric CUSUM algorithm then detects DDoS attacks on the AAR-processed series; to handle the false and missed alarms that may appear in the detection results, the thesis proposes a detection revising algorithm that corrects the CUSUM output. The defense module defends against DDoS attacks using an improved dynamic IP packet filtering technique, which to some extent addresses the drawbacks of large data volume and the heavy system resource use of querying and updating. To assist dynamic IP packet filtering, the defense module adds a pre-detection technique for DDoS attacks (or network congestion). In addition, since network noise affects the detection results, the model introduces wavelet filtering to remove part of the noise. Finally, in a Linux environment with the NS2 network simulator as the test platform, the thesis tests the functions of some modules of the model and analyzes the test results.

【Abstract】 In recent years, distributed denial of service (DDoS) attacks have done great harm to the application and development of the Internet. Currently, the self-similarity of network traffic, time series analysis and IP packet filtering are important strategies and technologies for DDoS attack detection and defense. When these strategies and technologies are used individually, however, the results of DDoS detection and defense are not ideal. The reason is that self-similarity of network traffic and time series analysis can only detect DDoS attacks but cannot defend against them, and their detection results contain delayed detection, false alarms and missed alarms. Although traditional IP packet filtering can defend against DDoS attacks well, it works on a great volume of data, querying and updating that data requires many system resources such as CPU and memory, and IP packet filtering used alone cannot detect DDoS attacks.

First, in this thesis, DDoS attacks are classified based on network traffic and on TCP/IP protocols, and the types of DDoS attacks are analyzed briefly. In addition, the strategies for DDoS attack detection and defense are analyzed and compared. Secondly, a complex model of DDoS attack detection and defense is proposed, based on the advantages of time series analysis and IP packet filtering. A time series PDD (Port to Port Data Density) is defined, and the stationarity of PDD is tested by a non-parametric test. According to the test results, we process the time series PDD with the non-stationary time series AAR (additive autoregressive) model, whose online analysis capability is good and whose computational cost is small. The time series produced by the AAR model is used to detect DDoS attacks with the non-parametric CUSUM algorithm. Because of the false alarms and missed alarms in detection, a revising algorithm is proposed to revise the detection results.

The defense module of the model defends against DDoS attacks based on dynamic IP packet filtering, and the problems of a great volume of data and of querying and updating data requiring many system resources are solved. To assist dynamic IP packet filtering in defending against DDoS attacks or avoiding network congestion, a pre-detection algorithm is proposed. In addition, since network noise affects the detection results, we introduce wavelet filtering into the model to remove part of the noise. Finally, we test the functions of some modules in NS2 running on Linux (Red Hat 9.0), and analyze the test results.
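The abstract names a non-parametric CUSUM detector over the PDD series but gives neither the PDD definition nor its parameters. The block below is an added illustration, not the thesis's code: it runs the standard non-parametric CUSUM update y_n = max(0, y_{n-1} + (x_n - baseline) - beta) over a constructed PDD-style series, and the baseline, drift beta, threshold and sample values are all assumed here, as is the omission of the AAR pre-processing and the revising algorithm the thesis adds on top.

```python
"""Non-parametric CUSUM over a constructed PDD-style time series (added example,
not the thesis's own code; PDD definition, AAR step and revising algorithm are
not on the page, so the detector below is the plain non-parametric CUSUM form)."""
from typing import List, Optional

# Constructed data: 10 windows of normal density around 1.0, then 6 windows of
# rising density that stand in for a flood beginning at index 10.
NORMAL_PDD = [1.0, 1.2, 0.8, 1.1, 0.9, 1.0, 1.3, 0.7, 1.0, 1.1]
FLOOD_PDD = [3.0, 3.5, 4.0, 4.2, 4.5, 4.4]
CONSTRUCTED_PDD = NORMAL_PDD + FLOOD_PDD
FLOOD_ONSET = len(NORMAL_PDD)


def cusum_statistics(series: List[float], baseline: float, beta: float) -> List[float]:
    """Return the CUSUM statistic y_n for every window in `series`.

    Samples are centred on the normal-traffic baseline; `beta` is a drift term
    chosen above the normal fluctuation, so y_n is pinned at 0 under normal
    traffic and accumulates only when the density rises persistently.
    """
    stats, y = [], 0.0
    for v in series:
        y = max(0.0, y + (v - baseline) - beta)
        stats.append(y)
    return stats


def first_alarm(series: List[float], baseline: float, beta: float,
                threshold: float) -> Optional[int]:
    """Index of the first window whose statistic exceeds `threshold`, or None."""
    for n, y in enumerate(cusum_statistics(series, baseline, beta)):
        if y > threshold:
            return n
    return None


def detection_delay(series: List[float], onset: int, baseline: float = 1.0,
                    beta: float = 0.5, threshold: float = 5.0) -> Optional[int]:
    """Windows between the true onset and the alarm; None if never alarmed.

    The delay is the trade-off the abstract describes: a higher threshold
    suppresses false alarms but postpones detection of a real flood.
    """
    n = first_alarm(series, baseline, beta, threshold)
    return None if n is None else n - onset


if __name__ == "__main__":
    print(cusum_statistics(CONSTRUCTED_PDD, 1.0, 0.5))
    print(first_alarm(CONSTRUCTED_PDD, 1.0, 0.5, 5.0))             # 12
    print(detection_delay(CONSTRUCTED_PDD, FLOOD_ONSET))           # 2
```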

  • 【Online publication contributor】 Henan University
  • 【Online publication year and issue】 2007, Issue 05
  • 【CLC number】 TP393.08
  • 【Cited by】 2
  • 【Downloads】 152