
Research on DDoS Attack Traffic and Its Adaptive Detection Algorithms at Source-end Networks

Study of DDoS Traffic and Its Adaptive Detection at Source-end Networks

【Author】 于明

【Supervisor】 周希元

【Author information】 Xidian University (西安电子科技大学), Communication and Information Systems, 2007, PhD

【Abstract (Chinese original, translated)】 Centred on adaptive detection algorithms for constant-rate DDoS attack traffic at source-end networks, this thesis focuses on five problems related to source-end DDoS countermeasures: (ⅰ) DDoS attack and defence techniques; (ⅱ) behavioural modelling of TCP DDoS attack traffic; (ⅲ) the design of adaptive source-end detection algorithms for constant-rate DDoS attack traffic; (ⅳ) the destructiveness of DDoS attack traffic under different transmission modes; and (ⅴ) the detectability, in source-end networks, of DDoS attack traffic under different transmission modes. First, the classification, organisational forms and typical methods of DDoS attacks, together with other key issues involved in the attack process, are analysed systematically; the thesis argues that "source-end networks will become the focus of future DDoS attack-defence confrontation" and reviews current DDoS defence techniques along the line of victim-end defence, intermediate-network defence and source-end defence within a centralised defence architecture. Second, a new attack traffic transmission mode, grouped pulsing transmission, is proposed. Taking the two typical scheduling mechanisms FCFS and SFQ as examples, the attack performance of DDoS traffic under constant-rate, burst-pulsing and grouped-pulsing transmission is discussed, with emphasis on how the choice and configuration of the scheduling mechanism in the target network affects the destructiveness of attack traffic under each transmission mode. Simulation results show that, among the three transmission modes, grouped pulsing attack traffic is not only highly destructive but can also counteract the suppressing effect of the target network's scheduling mechanism through flexible attack configuration. Third, a mathematical model describing the destructive behaviour of TCP DDoS attack traffic is established. With the same number of attack sources and the same per-source sending rate, the model explains the behavioural differences between constant-rate, burst-pulsing and grouped-pulsing attack traffic as follows. (ⅰ) The network resource occupation of constant-rate traffic and of grouped pulsing traffic is independent of time, but the link bandwidth occupation ratio and the value of the resource occupation function of grouped pulsing traffic are both lower than those of constant-rate traffic. (ⅱ) For burst-pulsing attack traffic, the link bandwidth occupation ratio, the resource occupation function and the network resource occupation gain function all depend on time, but its occupation of network resources during a burst is close to that of constant-rate traffic. Fourth, the state of the art and latest results of domestic and international research on source-end detection of DDoS attack traffic are analysed, focusing on three classes of detection methods: detection based on attack signature matching, detection based on the self-similarity of network traffic, and detection based on the two-way packet ratio. A method is proposed for constructing, in a unified way, a source-end detection statistic for TCP/UDP DDoS attack traffic from the two-way packet ratio, and a corresponding mathematical model is established. Fifth, an adaptive EWMA algorithm based on the normal distribution assumption, the A-EWMA algorithm, is proposed, and its detection performance is analysed theoretically in terms of the false alarm probability, the miss probability during an attack, the detection probability and the detection delay. Compared with the traditional EWMA algorithm, A-EWMA has three distinguishing features: (ⅰ) anomaly detection is based on online estimates of the statistical properties of the detection statistic sequence; (ⅱ) the detection threshold is adjusted automatically according to the detection result, improving the algorithm's adaptivity to network traffic conditions; (ⅲ) a consecutive cumulative detection method reduces the interference of transient network anomalies with detection performance. Simulation results for SYN flooding and UDP flooding attacks show that (ⅰ) under the same valid-detection confirmation criteria, A-EWMA detects both SYN flooding and UDP flooding better than the fixed-threshold method; (ⅱ) compared with the results reported in the existing literature for the same kinds of attacks, A-EWMA also has a considerable advantage in detection performance; (ⅲ) A-EWMA detects SYN flooding better than UDP flooding, but the gap between its SYN flooding and UDP flooding results is smaller than the corresponding gap for fixed-threshold detection. Sixth, a nonparametric adaptive CUSUM algorithm, the A-CUSUM algorithm, is proposed. Based on the Chebyshev inequality, it solves the problem that the detection threshold of the traditional CUSUM algorithm cannot be set adaptively, and it adds the ability to keep monitoring for the end of the anomaly after an alarm has been raised. Its false alarm probability, miss probability during an anomaly, and attack start/end detection delays are derived theoretically and the corresponding expressions are given. The simulation results of A-CUSUM and A-EWMA for SYN flooding and UDP flooding attacks are compared, and it is suggested that the two algorithms be run in parallel on network traffic to further improve the defence system's ability to detect weak DDoS attack traffic. Finally, the detectability of constant-rate, burst-pulsing and grouped-pulsing attack traffic in source-end networks is examined and compared in a way independent of any specific detection algorithm. Simulation results show that, among the three transmission modes, grouped pulsing attack traffic has lower detectability than the other two.

【Abstract】 Five problems on source-end defense against DDoS attacks are discussed. Respectively, they are (ⅰ) DDoS attacks and defense, (ⅱ) TCP DDoS traffic modeling, (ⅲ) adaptive algorithms for source-end detection of constant rate DDoS traffic, (ⅳ) disruption caused by different DDoS traffic, and (ⅴ) detectability of different DDoS traffic. Firstly, DDoS attacks are systematically discussed, including their classification, organization, some typical attacks and other problems involved in an attack. We conclude that countermeasures against DDoS attacks will be focused on their source-end networks. Analysis of current DDoS defense mechanisms is made following a line of victim-end defense, intermediate defense and source-end defense. Secondly, a new kind of traffic transmitting policy named grouped pulsing transmission is proposed. Taking two typical scheduling mechanisms, FCFS (First Come First Served) and SFQ (Start-time Fair Queuing), as examples, the disruption caused by constant rate traffic, pulsing traffic and grouped pulsing traffic is discussed, with emphasis on the influence of the scheduling mechanisms on these different kinds of DDoS traffic. Simulation results show that grouped pulsing traffic with flexible configurations can not only result in heavy disruption at the victims, but also decrease the efficacy of scheduling mechanisms in suppressing DDoS traffic. Thirdly, a model is proposed for describing the behavior of different TCP DDoS traffic. According to this model, the behavioral diversity of constant rate traffic, pulsing traffic and grouped pulsing traffic when the number of attacking machines and the transmission rate are equally configured is explained as follows. (ⅰ) Occupation of network resources by constant rate traffic and grouped pulsing traffic is independent of time. However, grouped pulsing traffic results in a lower link bandwidth occupation ratio and less resource occupation than constant rate traffic. (ⅱ) As far as pulsing traffic is concerned, the link bandwidth occupation ratio, the resource occupation function and the resource occupation gain function all depend on time. However, the resource occupation by pulsing traffic during its pulsing time is similar to that of constant rate traffic. Fourthly, the development of source-end detection of DDoS traffic is analyzed, with emphasis on three detection methods, namely signature matching, detection based on self-similarity of the traffic, and detection based on the two-way packet ratio. A generic detection statistic based on the two-way packet ratio is constructed for source-end detection of TCP/UDP DDoS traffic, and a model is established for it. Fifthly, an adaptive algorithm named A-EWMA is proposed based on the assumption of a normal distribution. Performance analysis is made in terms of the probability of false alarms, the probability of a miss during an attack, the probability of detection, and the detection delay. Compared with the traditional EWMA algorithm, A-EWMA has three distinct characteristics: (ⅰ) it forms on-line estimates of the statistical characteristics of the detection statistic, (ⅱ) it adjusts its detection threshold according to the variations of network traffic and the latest detection result, and (ⅲ) it reduces the disturbance caused by random abnormalities in normal network traffic by requiring consecutive cumulative threshold violations. Simulation results on source-end detection of SYN flooding and UDP flooding show that (ⅰ) A-EWMA outperforms methods with a fixed threshold under the same valid detection confirmation rules, (ⅱ) A-EWMA outperforms the existing source-end detection algorithms in detecting the same kinds of attacks, and (ⅲ) A-EWMA works better in detecting SYN flooding than in detecting UDP flooding; however, the discrepancy between its SYN flooding and UDP flooding results is smaller than that of methods with a fixed threshold. Sixthly, a nonparametric adaptive CUSUM algorithm named A-CUSUM is proposed. In the traditional CUSUM algorithm the detection threshold cannot be set adaptively; A-CUSUM solves this using the Chebyshev inequality. In addition, a distinct function is added which continues monitoring the anomaly for its possible end after an alarm is raised. Analytical results on the probability of false alarms, the probability of a miss during an attack, the probability of detection, and the detection delay are derived. By comparing the simulation results of A-CUSUM and A-EWMA in detecting SYN flooding and UDP flooding, we suggest adopting both algorithms in parallel for anomaly detection of network traffic so as to further improve the detection of subtle DDoS traffic. Lastly, the detectability of constant rate traffic, pulsing traffic and grouped pulsing traffic in their source-end networks is compared in a way independent of any detection algorithm. Simulation results show that grouped pulsing traffic is harder to detect than the other two.
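The abstract only summarises the two-way packet ratio statistic and the A-EWMA and A-CUSUM detectors. The Python program below is an added example written for this page, not code from the thesis or its author; it implements the three ideas in the simplest form that matches the description, and every concrete choice is an assumption: the statistic is outgoing SYNs over incoming SYN/ACKs per window (the thesis does not say which two packet directions it uses), the EWMA detector uses a normal-assumption threshold of mean + k·sigma, excludes violating samples from its baseline and confirms an alarm only after several consecutive violations, and the CUSUM detector learns its baseline nonparametrically, derives its threshold from the Chebyshev bound P(|X − μ| ≥ kσ) ≤ 1/k², and keeps running after an alarm so that the end of the anomaly can be reported. The update rules, constants and the 100 traffic windows are constructed for the example.

```python
from math import sqrt


def two_way_ratio(out_syn: int, in_synack: int) -> float:
    """Detection statistic for one window (assumed form): outgoing SYNs per
    incoming SYN/ACK. Near 1 while handshakes complete; it climbs when hosts
    in the monitored network flood a victim that can no longer answer.
    max(..., 1) guards against an empty reply direction."""
    return out_syn / max(in_synack, 1)


class AdaptiveEWMA:
    """A-EWMA-style detector (assumed update rules, not the thesis' formulas).
    EWMA mean/variance of the statistic; threshold = mean + k*sigma under a
    normality assumption. Violating samples are kept out of the baseline so
    attack traffic cannot drag the threshold up, and an alarm needs
    `consecutive` violations in a row."""

    def __init__(self, alpha=0.1, k=3.0, consecutive=3, warmup=10):
        self.alpha, self.k = alpha, k
        self.consecutive, self.warmup = consecutive, warmup
        self.mean, self.var, self.n, self.streak = None, 0.0, 0, 0
        self.alarm = False

    def threshold(self) -> float:
        return self.mean + self.k * sqrt(self.var)

    def update(self, x: float) -> bool:
        """Feed one window's statistic; returns True while in alarm state."""
        self.n += 1
        if self.mean is None:            # first sample seeds the baseline
            self.mean = x
            return False
        if self.n > self.warmup and x > self.threshold():
            self.streak += 1
            self.alarm = self.streak >= self.consecutive
            return self.alarm            # suspect sample skips the baseline
        self.streak, self.alarm = 0, False
        d = x - self.mean
        self.mean += self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        return False


class AdaptiveCUSUM:
    """A-CUSUM-style one-sided nonparametric CUSUM (assumed construction).
    Baseline mean/sigma come from `warmup` normal windows. Threshold
    h = k*sigma with k = 1/sqrt(p_fa) follows from Chebyshev's bound
    P(|X - mu| >= k*sigma) <= 1/k^2, so no distribution is assumed. After an
    alarm the score keeps running (capped at h to bound latency) and the end
    of the anomaly is reported once it drains back to zero."""

    def __init__(self, p_fa=0.01, allowance=0.5, warmup=20):
        self.k = 1.0 / sqrt(p_fa)        # Chebyshev: false alarm prob <= p_fa
        self.allowance, self.warmup = allowance, warmup
        self.mean, self.m2, self.n = 0.0, 0.0, 0   # Welford running moments
        self.score, self.alarm = 0.0, False

    def update(self, x: float) -> str:
        """Returns 'learning', 'normal', 'alarm' or 'ended' for this window."""
        if self.n < self.warmup:
            self.n += 1
            d = x - self.mean
            self.mean += d / self.n
            self.m2 += d * (x - self.mean)
            return "learning"
        sigma = sqrt(self.m2 / (self.n - 1))
        h = self.k * sigma
        drift = self.allowance * sigma   # slack before evidence accumulates
        self.score = max(0.0, self.score + (x - self.mean - drift))
        if self.alarm:
            if self.score == 0.0:
                self.alarm = False
                return "ended"
            self.score = min(self.score, h)
            return "alarm"
        if self.score > h:
            self.alarm, self.score = True, h
            return "alarm"
        return "normal"


# Constructed sample: 100 windows of (outgoing SYN, incoming SYN/ACK) counts.
# Windows 40..69 model a SYN flood from inside the source-end network: SYNs
# triple while replies stay flat. All numbers are made up for this example.
NORMAL_RATIOS = [1.0, 0.96, 1.04, 0.92, 1.08]


def build_samples() -> list:
    samples = []
    for i in range(100):
        if 40 <= i < 70:
            out_syn, in_synack = 3000, 1000
        else:
            out_syn, in_synack = round(NORMAL_RATIOS[i % 5] * 1000), 1000
        samples.append(two_way_ratio(out_syn, in_synack))
    return samples


def run_detectors(samples: list) -> dict:
    """Run both detectors in parallel; record the window index of each
    detector's first alarm and of its first reported end of the anomaly."""
    ewma, cusum = AdaptiveEWMA(), AdaptiveCUSUM()
    events = {"ewma_alarm": None, "ewma_end": None,
              "cusum_alarm": None, "cusum_end": None}
    was_alarm = False
    for i, x in enumerate(samples):
        now_alarm = ewma.update(x)
        if now_alarm and not was_alarm and events["ewma_alarm"] is None:
            events["ewma_alarm"] = i
        if was_alarm and not now_alarm and events["ewma_end"] is None:
            events["ewma_end"] = i
        was_alarm = now_alarm
        state = cusum.update(x)
        if state == "alarm" and events["cusum_alarm"] is None:
            events["cusum_alarm"] = i
        if state == "ended" and events["cusum_end"] is None:
            events["cusum_end"] = i
    return events


if __name__ == "__main__":
    print(run_detectors(build_samples()))
```

On the constructed data the CUSUM fires on the first attack window (index 40) because a single large jump already exceeds its Chebyshev threshold, while the EWMA detector, which demands three consecutive violations, fires at index 42; the EWMA clears at the first normal window (70), whereas the CUSUM reports the end only once its capped score has drained, some windows later. That is the trade-off behind the thesis's suggestion to run both in parallel: the consecutive-violation rule buys robustness against transient spikes at the cost of delay, and the Chebyshev threshold buys a distribution-free false alarm bound at the cost of being looser than a normal-assumption threshold for the same p_fa.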
