ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (4): 822-833.doi: 10.7544/issn1000-1239.2021.20200183

• 信息安全 • 上一篇    下一篇

云环境下一种基于信任的加密流量DDoS发现方法

潘雨婷,林莉   

  1. (北京工业大学信息学部计算机学院 北京 100124) (可信计算北京市重点实验室(北京工业大学) 北京 100124) (panyt_aurora@foxmail.com)
  • 出版日期: 2021-04-01
  • 基金资助: 
    国家自然科学基金项目(61502017);北京市教委科技计划一般项目(KM201710005024)

A Trust-Based DDoS Discovery Approach for Encrypted Traffic in Cloud Environment

Pan Yuting, Lin Li   

  1. (College of Computer Science,Faculty of Information Technology,Beijing University of Technology,Beijing 100124) (Beijing Key Laboratory of Trusted Computing(Beijing University of Technology),Beijing 100124)
  • Online: 2021-04-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61502017) and the Scientific Research Common Program of Beijing Municipal Commission of Education (KM201710005024).

摘要: 针对云环境下分布式拒绝服务(distributed denial-of-service, DDoS)攻击加密攻击流量隐蔽性更强、更容易发起、规模更大的问题,提出了一种云环境下基于信任的加密流量DDoS发现方法TruCTCloud.该方法在现有基于机器学习的DDoS攻击检测中引入信任的思想,结合云服务自身的安全认证,融入基于签名和环境因素的信任评估机制过滤合法租户的显然非攻击流量,在无需对加密流量解密的前提下保障合法租户流量中包含的敏感信息.其后,对于其他加密流量和非加密流量,引入流包数中位值、流字节数中位值、对流比、端口增速、源IP增速这5种特征,基于特征构建Ball-tree并提出基于k近邻(k-nearest neighbors, kNN)的流量分类算法.最后,在OpenStack云环境下检测了提出方法的效果,实验表明TruCTCloud方法能快速发现异常流量和识别DDoS攻击的早期流量,同时,能够有效保护合法用户的敏感流量信息.

关键词: 云环境, DDoS攻击发现, 信任过滤, 加密流量检测, k近邻算法

Abstract: In the cloud environment, DDoS(distributed denial of service) attacks may be more covert, easier to launch and potentially larger because data flow can be encrypted. A trust-based DDoS attack discovery approach for the encrypted traffic in the cloud environment called TruCTCloud is proposed. Firstly, a trust evaluation mechanism is introduced to filter the non-attack traffic of legitimate tenants by exploiting signature of the cloud service itself with the other environmental factors, and then the sensitive information contained in legitimate tenants’ traffic is guaranteed. Secondly, a traffic classification algorithm based on the kNN(k-nearest neighbors) is proposed to detect and identify for the filtered encrypted traffic and other unencrypted traffic, where five kinds of characteristics including flow median of packets per flow, flow median of bytes per flow, percentage of correlative flow, port growth rate and source IP growth rate are introduced to construct a Ball-tree data structure of characteristics. Finally, some experiments are conducted to evaluate the proposed method in the OpenStack cloud platform. The results suggest that our method can quickly detect the abnormal traffic or early traffic of DDoS attack and effectively protect the sensitive traffic information of legitimate users from the DDoS attack.

Key words: cloud environment, DDoS attack discovery, trust-based filtering, encrypted flow detection, kNN algorithm

中图分类号: