
    A Distributed Denial of Service Attack Detection Method Based on HMM

    A DDoS Attack Detection Method Based on Hidden Markov Model

    • Abstract (Chinese original, translated): During a distributed denial of service (DDoS) attack, the statistical characteristics of packets in the network show anomalies. Detecting such anomalies is an important task. Some detection methods rest on an assumption about packet rates, but in some situations this assumption is unreasonable. Other methods rely on the statistical characteristics of IP addresses and datagram lengths, but their detection rate drops sharply under IP address spoofing attacks. This paper proposes a DDoS anomaly detection method based on hidden Markov models (HMMs). The method integrates four different detection models to counter different types of attacks. Attribute information such as TCP flag bits, UDP ports, and ICMP type and code is extracted from packets to build the corresponding TCP, UDP and ICMP hidden Markov models, which describe the statistical characteristics of network packet sequences under normal conditions. These models are then used to examine network packet sequences and decide whether a DDoS attack is present. Experimental results show that, compared with other methods of the same kind, this method has better generality and a higher detection rate.


      Abstract: The statistical characteristics of the selected data packets show anomalies under distributed denial of service (DDoS) attacks. The detection of these anomalies is an important task. Some detection methods are based on a hypothesis about data packet rates. This hypothesis, however, is unreasonable in some situations. Other detection methods are based on the statistics of IP addresses and the length of data packets, but their detection accuracy declines rapidly under IP spoofing attacks. In this paper, an HMM-based detection method for DDoS attacks is presented. The method integrates four different detection models against different types of attacks. The models are established from selected attributes of normal network data packets: the flag bits of TCP packets, the ports of UDP packets, and the type and code of ICMP packets. These packets are taken from normal audit data. The models simulate the statistical characteristics of normal network data packets. The models are then used to detect DDoS attacks by processing selected target audit data packets. Experimental results show that this method outperforms other reported DDoS detection methods in adaptability and detection accuracy.
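As an added illustration of the TCP detection model described in the abstract (this is example code written for this page, not the paper's implementation), the block below scores a window of TCP flag symbols against a small hidden Markov model with the forward algorithm and flags windows whose per-packet log-likelihood falls well below that of normal traffic. The three-state model, its parameters, the threshold margin, and the sample windows are all constructed assumptions; the paper estimates its models from normal audit data, and the estimation step (e.g. Baum-Welch) is not shown here. The same mechanism applies to the UDP port and ICMP type/code models with a different symbol alphabet.

```python
import math

# Constructed 3-state HMM over TCP flag symbols (assumed parameters, not fitted ones).
SYMBOLS = ["S", "SA", "A", "PA", "FA", "R"]   # SYN, SYN-ACK, ACK, PSH-ACK, FIN-ACK, RST
STATES = ["syn", "reply", "data"]             # hidden phases of a connection
PI = [0.6, 0.1, 0.3]                          # initial state distribution
TRANS = [                                     # TRANS[i][j] = P(next state j | state i)
    [0.10, 0.85, 0.05],
    [0.05, 0.35, 0.60],
    [0.15, 0.05, 0.80],
]
EMIT = [                                      # EMIT[i][k] = P(symbol k | state i)
    [0.85, 0.02, 0.05, 0.02, 0.02, 0.04],
    [0.03, 0.47, 0.40, 0.04, 0.03, 0.03],
    [0.02, 0.02, 0.30, 0.40, 0.18, 0.08],
]

def log_likelihood(seq):
    """Forward algorithm with per-step scaling; returns log P(seq | model)."""
    if not seq:
        raise ValueError("empty window")
    idx = [SYMBOLS.index(s) for s in seq]     # unknown symbols raise ValueError
    n = len(STATES)
    alpha = [PI[i] * EMIT[i][idx[0]] for i in range(n)]
    total = sum(alpha)
    logp = math.log(total)
    alpha = [a / total for a in alpha]        # rescale to avoid underflow
    for k in idx[1:]:
        alpha = [sum(alpha[i] * TRANS[i][j] for i in range(n)) * EMIT[j][k]
                 for j in range(n)]
        total = sum(alpha)
        logp += math.log(total)
        alpha = [a / total for a in alpha]
    return logp

def score(seq):
    """Length-normalised log-likelihood (nats per packet), comparable across windows."""
    return log_likelihood(seq) / len(seq)

def is_ddos(window, baseline, margin=0.5):
    """Flag a window scoring more than `margin` nats per packet below the normal
    baseline. The margin is a constructed choice; a deployment would tune it."""
    return score(window) < baseline - margin

# Constructed sample windows: three normal connections, and a SYN flood of equal length.
NORMAL = ["S", "SA", "A", "PA", "A", "PA", "FA", "A"] * 3
SYN_FLOOD = ["S"] * 24

if __name__ == "__main__":
    base = score(NORMAL)                      # stands in for the normal-audit baseline
    for name, win in [("normal", NORMAL), ("syn flood", SYN_FLOOD)]:
        print(f"{name:10s} score={score(win):.2f} ddos={is_ddos(win, base)}")
```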

