
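Research on DDoS Attack Detection Methods for Backbone Communication Networks

Published: 2018-05-29 20:29

  Topic: DDoS + Counting; Reference: University of Electronic Science and Technology of China, 2017 master's thesis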


[Abstract]: With the rapid development of information technology, network anomaly incidents occur more and more frequently, and their negative impact on daily life is increasingly significant. In recent years, a growing number of researchers in China and abroad have turned their attention to anomalous network behavior and have carried out a great deal of research on its analysis. Against this background, this thesis addresses distributed denial-of-service (DDoS) attacks among network anomalies, with SYN flood attacks as the main object of study.

Most traditional SYN flood detection algorithms rely on deep packet analysis, parsing the packets of network flows in detail by means of packet statistics. However, backbone communication networks are characterized by continuously growing scale and very large data volumes, which multiplies the running time of traditional detection methods, raises their cost, and lowers their real-time efficiency. In addition, because burst access behavior resembles a distributed denial-of-service attack in many respects, existing anomaly identification methods all suffer from considerable false detection and misidentification rates. To solve these problems, this thesis proposes, on the basis of flow connection graphs, a SYN flood attack detection algorithm based on the Counting Bloom Filter, and also a SYN flood attack detection algorithm based on graph mining. The main work of this thesis is as follows:

(1) A SYN flood attack detection algorithm based on the Counting Bloom Filter is proposed. Based on the property that the numbers of SYN, SYN|ACK, and ACK packets in the TCP three-way handshake are roughly equal, the algorithm monitors whether the numbers of SYN|ACK and ACK packets within a time slice are balanced, comparing their difference with the number of ACK packets in the time window. It then adaptively adjusts the size of the time window to detect the network state in real time, and uses an information-entropy-based method to determine the suspected attack target. Finally, comparison with two other packet-statistics detection algorithms verifies that the proposed algorithm maintains a high detection rate while effectively distinguishing attacks from burst access.

(2) A SYN flood detection algorithm based on graph mining is proposed. SYN flood attacks are divided into two classes according to how often they reuse spoofed source IP addresses. Using graph mining, the graphs constructed for the two classes of SYN flood attack are pattern-matched to detect whether the network is behaving anomalously. When burst access occurs, its network behavior resembles the second class of SYN flood attack in many respects, so a third-level judgment is used to distinguish the second class of SYN flood attack from burst access. Finally, experiments verify the effectiveness of the algorithm.
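The balance check and entropy step of contribution (1), as an added sketch that is not code from the thesis. The abstract does not say how the Counting Bloom Filter is keyed, so keying it by server address, the fixed `ratio_threshold`, the single fixed time slice (no adaptive window), and all sample packets are assumptions made here.

```python
import hashlib
import math

class CountingBloomFilter:
    """Counter array; each key maps to k slots, so keys can be added and removed."""
    def __init__(self, size=1024, k=3):
        self.size, self.k, self.counters = size, k, [0] * size

    def _slots(self, key):  # distinct slot indexes for this key
        return {int.from_bytes(hashlib.sha256(f"{i}:{key}".encode()).digest()[:8], "big")
                % self.size for i in range(self.k)}

    def add(self, key):
        for s in self._slots(key):
            self.counters[s] += 1

    def remove(self, key):
        if self.estimate(key) > 0:  # ignore an ACK with no pending SYN|ACK
            for s in self._slots(key):
                self.counters[s] -= 1

    def estimate(self, key):
        return min(self.counters[s] for s in self._slots(key))

def analyze_slice(packets, ratio_threshold=1.0):  # threshold value is an assumption
    """packets: (src, dst, flags) handshake packets of one slice; SA = SYN|ACK, A = ACK."""
    cbf, synack, ack, servers = CountingBloomFilter(), 0, 0, set()
    for src, dst, flags in packets:
        if flags == "SA":       # server (src) answered a SYN
            synack += 1
            cbf.add(src)
            servers.add(src)
        elif flags == "A":      # client completed the handshake with server (dst)
            ack += 1
            cbf.remove(dst)
    ratio = (synack - ack) / max(ack, 1)    # imbalance relative to the ACK count
    pending = {s: cbf.estimate(s) for s in servers if cbf.estimate(s) > 0}
    total = sum(pending.values())
    # Shannon entropy of unanswered SYN|ACKs across servers: low means one concentrated target
    entropy = sum(c / total * math.log2(total / c) for c in pending.values())
    target = max(pending, key=pending.get) if pending else None
    return {"alarm": ratio > ratio_threshold, "ratio": ratio, "entropy": entropy, "target": target}

def handshakes(server, n, net):  # constructed traffic: n completed handshakes
    return [p for i in range(n) for p in ((server, f"{net}.{i}", "SA"), (f"{net}.{i}", server, "A"))]

# Constructed sample slices using documentation address ranges, not captured traffic
NORMAL = handshakes("192.0.2.10", 20, "203.0.113") + handshakes("192.0.2.20", 20, "203.0.113")
BURST = NORMAL + handshakes("192.0.2.10", 200, "198.51.100")   # flash crowd: ACKs do arrive
FLOOD = NORMAL + [("192.0.2.10", f"198.51.100.{i}", "SA") for i in range(200)]  # no ACKs
```

`analyze_slice(FLOOD)` raises the alarm and names 192.0.2.10, while `analyze_slice(BURST)`, which carries even more packets, stays balanced and does not.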
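[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.08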



