
Research on DDoS Intrusion Detection Based on Wavelet Analysis (title translated from the Chinese)

Research on DDOS Attack Detection Based on Wavelet Analysis (original English title)

【Author】 裴大权

【Supervisor】 陆松年

【Author details】 Shanghai Jiao Tong University, Communication and Information Systems, 2008, Master's degree

【Abstract (translated from the Chinese)】 DDoS (Distributed Denial of Service) is a distributed, coordinated, large-scale form of attack. By jointly using or controlling a number of hosts on the network to launch a DoS attack simultaneously, it produces millions of packets that flow toward the intended target and heavily consume the target system's resources, so that legitimate users cannot obtain service. DDoS attacks do great harm to normal network operation; they are covert and distributed and therefore hard to detect and defend against, which has made the detection and prevention of DDoS attacks a research hotspot in the intrusion detection field in recent years. This thesis uses wavelet methods, starting from the self-similarity of traffic, to study the detection and prevention of DDoS attacks. It first surveys the state of research on intrusion detection and the general principles and methods in use, and analyses domestic and international progress on DDoS with reference to a large body of literature. Second, it briefly introduces a method widely adopted in recent years by both theorists and engineers, the wavelet transform, whose multi-scale analysis property allows a signal to be analysed more accurately. Both published results and the measured data in this thesis show that network traffic is self-similar. Wavelet methods analyse self-similarity well, and the thesis derives a wavelet-based method for analysing network traffic as its theoretical foundation. Third, the thesis describes the general steps of a DoS attack and analyses its mechanism, studying the mechanism of low-rate DoS attacks in some depth in connection with the TCP congestion control mechanism. A low-rate DoS attack does not generate a large total traffic volume and is therefore hard to curb with conventional traffic control measures. To detect low-rate DoS attacks reliably, the thesis designs a DDoS detection and prevention model. The model collects IP packet headers to obtain traffic information; it computes the Hurst parameter of the traffic by a wavelet method and judges whether a DoS attack is under way by whether the parameter exceeds a threshold; the reference Hurst parameter used for the decision is adapted to different network conditions by a digital-filtering scheme; and once an attack is judged to be in progress, the response is made in combination with a connection trust domain. Experiments show that the model can detect low-rate DoS attacks. In implementing the DDoS detection model, the two performance-critical techniques are traffic capture and traffic analysis. The thesis reviews existing traffic capture techniques, then designs and applies two Linux-based traffic capture schemes; in traffic analysis, several techniques are used to improve efficiency. To validate the model, the experiments use the authoritative MIT Lincoln Laboratory DDoS attack data set. Finally, the thesis discusses the application environment of the DDoS detection model: it describes the network environments in which the model might be deployed and, considering that the trend in information security is for the various security modules to interoperate, discusses the interoperation of the DoS detection model with a firewall system and with a security audit system.

【Abstract】 DDoS (Distributed Denial of Service) is a distributed and cooperative form of attack. It coordinates and controls a large number of hosts to commit a DoS attack, producing millions of packets aimed at the target system and exhausting its resources, which leaves legitimate users unable to obtain service. DDoS has caused disastrous losses to networks, but because of its covertness and distributed nature it is hard to detect and prevent; in recent years the detection and prevention of DDoS attacks has become a research hotspot. In this thesis we start from the self-similarity of network traffic and study the detection and prevention of DDoS attacks using wavelet analysis. We first describe the status, principles and methods of intrusion detection, then analyse the state of research on DDoS. Wavelet analysis has become a popular method in both theory and engineering; its multi-scale analytical capability allows more accurate analysis of a signal. Furthermore, both published research results and our own experimental results show that network traffic satisfies the self-similarity property, so we give an algorithm for evaluating the self-similarity of network traffic by the wavelet method, which is the theoretical basis of this thesis. Second, we describe the routine of a DoS attack and analyse its mechanism, especially the mechanism of the low-rate DoS attack from the point of view of TCP congestion control. We design a DDoS detection and prevention model to deal with DDoS. The model obtains traffic information from the IP packet header, calculates the Hurst parameter and decides whether the traffic is in a normal state or not. The reference Hurst parameter is self-adapted in a manner similar to a digital filter in signal processing. When an attack is detected, the model uses the connection-domain concept to protect the target system. As shown in the experiments, the model can detect both high-rate and low-rate DoS attacks; moreover, the target system can still provide service to legitimate users to some extent even while under DoS attack. In the model, traffic capture and information extraction are the most efficiency-critical parts. We develop two methods of traffic capture based on Linux; in traffic information extraction, better performance can be achieved if some tricks are used. Finally, we investigate the potential application environment of the DDoS detection and prevention model. Considering that the trend in information security is for different security modules to interact with each other, we investigate how our model can interact with a firewall system and a security audit system.
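
As an added example of the detection model the abstract describes (not code from the thesis): a Haar-wavelet estimate of the Hurst parameter over a window of packet counts, and a detector whose reference H is adapted by first-order exponential smoothing. The smoothing rule, the thresholds and the constructed traffic windows are assumptions, not the thesis's values.

```python
"""Wavelet (Haar) Hurst estimate for a traffic count series plus a detector with an
adaptively smoothed reference H. Added example; the filter form and thresholds are assumed."""
import math
import random


def haar_energies(x, levels):
    """Mean squared Haar detail coefficient at scales j = 1..levels.
    For self-similar traffic, log2(E_j) grows linearly in j with slope 2H-1."""
    approx = list(x)
    energies = []
    for _ in range(levels):
        n = len(approx) // 2
        detail = [(approx[2 * k] - approx[2 * k + 1]) / math.sqrt(2) for k in range(n)]
        approx = [(approx[2 * k] + approx[2 * k + 1]) / math.sqrt(2) for k in range(n)]
        energies.append(sum(d * d for d in detail) / n)
    return energies


def hurst_wavelet(x, levels=5):
    """Abry-Veitch style estimator: least-squares slope of log2(E_j) vs j, H = (slope+1)/2."""
    ys = [math.log2(max(e, 1e-300)) for e in haar_energies(x, levels)]  # floor guards a flat window
    js = range(1, levels + 1)
    jm, ym = sum(js) / levels, sum(ys) / levels
    slope = sum((j - jm) * (y - ym) for j, y in zip(js, ys)) / sum((j - jm) ** 2 for j in js)
    return (slope + 1) / 2


def white_noise(n, seed=7):
    """Constructed uncorrelated sample (H close to 0.5) for testing the estimator."""
    rng = random.Random(seed)
    return [rng.gauss(0, 1) for _ in range(n)]


class HurstDetector:
    """Flags a window whose H departs from a reference that tracks normal traffic.
    The reference is updated by first-order exponential smoothing, a simple digital
    filter standing in for the thesis's adaptation scheme (assumed, not the thesis's)."""

    def __init__(self, h0=0.5, alpha=0.1, delta=0.15):
        self.h_ref, self.alpha, self.delta = h0, alpha, delta

    def observe(self, window):
        h = hurst_wavelet(window)
        alarm = abs(h - self.h_ref) > self.delta
        if not alarm:  # adapt the baseline only on windows judged normal
            self.h_ref += self.alpha * (h - self.h_ref)
        return h, alarm


if __name__ == "__main__":
    det = HurstDetector()
    normal = [[100 + 10 * v for v in white_noise(2048, seed=s)] for s in range(3)]  # constructed
    flood = [100 + 5 * i for i in range(2048)]  # constructed: counts ramp up steadily
    for w in normal + [flood]:
        print(det.observe(w))
```

A window of a pure linear trend drives the estimate to 2, outside the (0.5, 1) range of self-similar traffic, so the alarm fires on it; in practice the decision threshold delta should be tuned on the site's own traffic.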

  • 【CLC classification number】TP393.08
  • 【Downloads】249