基于流量矩阵和Kalman滤波的DDoS攻击检测方法

计算机科学 ›› 2014, Vol. 41 ›› Issue (3): 176-180.

基于流量矩阵和Kalman滤波的DDoS攻击检测方法

颜若愚

河南财经政法大学计算机与信息工程学院郑州450002

出版日期:2018-11-14 发布日期:2018-11-14
基金资助:
本文受国家自然科学基金项目(61101211,5),湖南省自然科学基金项目(11JJ9010),河南省自然科学基金项目(132300410337),河南省教育厅项目(13B520901)资助

DDoS Attacks Detection Method Based on Traffic Matrix and Kalman Filter

YAN Ruo-yu

Online:2018-11-14 Published:2018-11-14

摘要/Abstract

摘要： 针对分布式拒绝服务(DDoS)攻击产生的流量往往对路由器造成难以承受的负担的问题,提出一种既能减轻路由器负荷又能快速准确检测DDoS攻击的方法。该方法首先在路由器中构造端口对之间的流量矩阵来准确描述DDoS攻击的流量汇聚特性,然后利用Kalman滤波对流量矩阵进行估计,接着使用GLR统计测试进行异常检测,进而判断路由器端口是否受到DDoS攻击。最后,基于实际数据进行了仿真实验,结果表明,所提方法相比主成分分析(PCA)方法具有更高的检测率、更低的误检率和更小的检测延迟。

关键词: 分布式拒绝服务,卡尔曼滤波,异常检测,流量分析,流量矩阵中图法分类号TP393.08文献标识码A

Abstract: Distributed Denial of Service (DDoS) attack traffic often is an unbearable burden on router,so a new DDoS attack detection method was proposed to release the burden and to detect the attack fast and accurately．In this method,traffic matrix between ports on the router is first constructed to precisely describe DDoS attack traffic aggregation cha-racteristics．Then Generalized Likelihood Ratio (GLR) statistical test is used to detect traffic anomaly after Kalman filter is applied to estimate traffic matrix．After that whether each router port is attacked by DDoS is judged．Finally,a simulation experiment with actual data was conducted to compare the method with PCA method,which shows that the proposed method has higher detection rate,lower false alarm rate and smaller detection lag time．

Key words: Distributed denial of service,Kalman filter,Anomaly detection,Traffic analysis,Traffic matrix

颜若愚. 基于流量矩阵和Kalman滤波的DDoS攻击检测方法[J]. 计算机科学, 2014, 41(3): 176-180. https://doi.org/

YAN Ruo-yu. DDoS Attacks Detection Method Based on Traffic Matrix and Kalman Filter[J]. Computer Science, 2014, 41(3): 176-180. https://doi.org/

参考文献

[1] Peng T,Leckie C,Rramaohanarao K．Protection from distributed denial of service attacks using history-based IP filtering[C]∥Proceedings of the International Conference on Communication (ICC).Anchorage:IEEE,2003:482-486
[2] Pu S．Choosing parameters for detecting DDoS attack[C]∥Proceedings of the International Conference on Wavelet Active Media Technology and Information Processing．Chengdu:IEEE Computer Society,2012:239-242
[3] Chen Y H,Wang K,Ku W S．Collaborative detection of DDoS attacks over multiple network domains[J]．IEEE transactions on parallel and distributed systems,2007,18(12):1649-1662
[4] 莫家庆,胡忠望,林瑜华.非参数PCUSUM算法DDoS攻击检测[J].计算机工程与应用,2011,7(22):96-98
[5] 任勋益,王汝传,王海艳．基于自相似检测 DDoS 攻击的小波分析方法[J]．通信学报,2006,7(5):6-11
[6] Thapngam T,Yu S,Zhou W L．DDoS discrimination by linear discriminant analysis (LDA)[C]∥Proceedings of the 2012International Conference on Computing,Networking and Communications (ICNC)．Maui:IEEE Computer Society,2012:532-536
[7] Xia Z M,Lu S N,Li J H．DDoS flood attack detection based on fractal parameters[C]∥Proceedings of the 8th International Conference on Wireless Communications,Networking and Mobile Computing．Shanghai,IEEE,2012:1-5
[8] Lakhina A,Papagiannaki K,Crovella M,et al.Structural analysis of network traffic flow[C]∥Proceedings of the SIGMETRICS/Performance．New York:ACM,2004:61-72
[9] Lakhina A,Crovella M,Diot C．Diagnosing network-wide traffic anomalies[C]∥Proceedings of the SIGCOMM’04．Portland:ACM,2004:219-230
[10] Ringberg H,Soule A,Rexford J P,et al.Sensitivity of PCA for traffic anomaly detection[C]∥Proceedings of the SIGMETRICS’07．San Diego:ACM,2007:109-120
[11] Soule A,Salamatian K,Taft N．Combining filtering and statistical methods for anomaly detection[C]∥Proceedings of the USENIX Internet Measurement Conference．Philadelphia:ACM,2005:331-344
[12] Cisco IOS NetFlow White Papers [EB/OL]． http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html,2006-08-21
[13] Cisco NetFlow Performance Analysis White Papers [EB/OL].http://www.cisco.com/en/US/technologies/tk543/tk812/tech-nologies_white_paper0900aecd802a0eb9_ps6601_Products_White_Paper.html,2007-06-15
[14] Hawkinds D M,Qin P H,Kang C W．The changepoint model forstatistical process control [J]．Journal of Quality Technology,2003,35(4):355-366
[15] Moore D,Voelker G M,Savge S．Inferring internet Denial-of-Service activity [J]．ACM Transactions on Computer Systems,2006,24(2):115-139

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed