Research on DDoS Attack Detection Methods for Backbone Communication Networks
Topic of this thesis: DDoS + Counting. Source: University of Electronic Science and Technology of China (電子科技大學), 2017 master's thesis
[Abstract]: With the rapid development of information technology, abnormal network behaviour events break out ever more frequently, and their negative impact on people's daily lives grows increasingly significant. In recent years more and more researchers at home and abroad have turned their attention to abnormal network behaviour and carried out much research on its analysis. Against this background, this thesis targets distributed denial-of-service (DDoS) attacks among abnormal network behaviours, taking SYN flood attacks as the main object of study. Traditional SYN flood detection algorithms are mostly based on deep packet analysis, parsing network flow packets in detail by means of packet statistics. However, the backbone communication network is characterised by continually growing scale and extremely large data volumes, which multiplies the running time of traditional detection methods, increases their cost, and reduces their real-time efficiency. Moreover, because burst access (flash-crowd) behaviour and DDoS attacks look alike in many respects, existing anomaly identification methods suffer from considerable false-detection and misidentification rates. To address these problems, this thesis proposes, on the basis of a flow connection graph, a SYN flood attack detection algorithm based on the Counting Bloom Filter, and also proposes a SYN flood attack detection algorithm based on graph mining. The main work of this thesis is as follows: (1) A SYN flood attack detection algorithm based on the Counting Bloom Filter is proposed. Exploiting the property that in the TCP three-way handshake the numbers of SYN, SYN|ACK and ACK packets are roughly equal, the algorithm monitors whether the numbers of SYN|ACK and ACK packets within a time slice are balanced, comparing their difference against the number of ACK packets in the time window. It then adaptively adjusts the size of the time window to detect the network state in real time, and uses an information-entropy-based method to determine the suspected attack target. Finally, comparison with two other packet-statistics detection algorithms verifies that the proposed algorithm maintains a high detection rate while effectively distinguishing attacks from burst access. (2) A SYN flood detection algorithm based on graph mining is proposed. SYN flood attacks are divided into two classes according to how heavily they reuse spoofed source IP addresses. Graph mining is used to build graphs for the two classes of SYN flood attack and perform pattern matching, thereby detecting whether an anomaly has occurred in the network. When burst access occurs, its network behaviour resembles the second class of SYN flood attack in many respects, so a third-level judgement is used to distinguish the second class of SYN flood attack from burst access. Finally, experiments verify the effectiveness of the algorithm.
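The handshake-balance check described in point (1), as an added illustration rather than the thesis's own code: a Counting Bloom Filter keyed by (server, client) is incremented by each SYN|ACK and decremented by the matching ACK, so what remains is the set of half-open handshakes; if the SYN|ACK/ACK difference exceeds a fraction of the ACK count, the entropy over half-open servers points at the suspected target. The packet sample, the threshold of 0.5, the SHA-256-based hashing and the omission of the adaptive window are all assumptions made here.

```python
import hashlib
import math
from collections import Counter

class CountingBloomFilter:
    """Counting Bloom Filter: k counters per key, so keys can be removed again."""
    def __init__(self, size=4096, k=3):
        self.size, self.k, self.counts = size, k, [0] * size
    def _slots(self, key):  # k hash positions from salted SHA-256 (toy choice)
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.size
    def add(self, key):
        for s in self._slots(key):
            self.counts[s] += 1
    def remove(self, key):
        if self.count(key) > 0:  # never drive a counter below zero
            for s in self._slots(key):
                self.counts[s] -= 1
    def count(self, key):
        return min(self.counts[s] for s in self._slots(key))

def analyse_window(packets, ratio_threshold=0.5):
    """packets: (type, src, dst) tuples from one time window. A SYN|ACK inserts the
    (server, client) pair, the client's ACK removes it, so the filter holds the
    half-open handshakes. Returns (synack, ack, suspected_target_or_None, entropy)."""
    cbf, synack, ack, pending = CountingBloomFilter(), 0, 0, Counter()
    for kind, src, dst in packets:
        if kind == "SYN|ACK":
            cbf.add((src, dst)); synack += 1; pending[src] += 1
        elif kind == "ACK" and cbf.count((dst, src)) > 0:
            cbf.remove((dst, src)); ack += 1; pending[dst] -= 1
    if synack - ack <= ratio_threshold * max(ack, 1):  # balanced window: no alarm
        return synack, ack, None, 0.0
    # Imbalance: low entropy over half-open servers means load concentrates on one victim
    total = sum(v for v in pending.values() if v > 0)
    probs = [v / total for v in pending.values() if v > 0]
    entropy = -sum(p * math.log2(p) for p in probs)
    return synack, ack, max(pending, key=pending.get), entropy

def sample_window():
    """Constructed sample: 3 normal handshakes to 192.0.2.10, then 20 spoofed SYNs at 192.0.2.20 never ACKed."""
    pkts = []
    for i in range(3):
        c = f"10.0.0.{i + 1}"
        pkts += [("SYN", c, "192.0.2.10"), ("SYN|ACK", "192.0.2.10", c), ("ACK", c, "192.0.2.10")]
    for i in range(20):
        c = f"198.51.100.{i + 1}"
        pkts += [("SYN", c, "192.0.2.20"), ("SYN|ACK", "192.0.2.20", c)]
    return pkts
```

The first nine packets of the sample form a balanced window and raise no alarm; the full sample yields 23 SYN|ACKs against 3 ACKs and singles out 192.0.2.20 with entropy 0.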
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year of degree]: 2017
[Classification number]: TP393.08
Article number: 1952288
Article link: http://sikaile.net/guanlilunwen/ydhl/1952288.html