Abstract
Under distributed denial of service (DDoS) attacks, the statistical characteristics of packets in the network show anomalies, and detecting these anomalies is an important task. Some detection methods rest on an assumption about packet rates, but that assumption is unreasonable in some situations. Other methods rest on the statistical characteristics of IP addresses and datagram lengths, but their detection rate drops sharply under IP address spoofing attacks. This paper proposes a DDoS anomaly detection method based on hidden Markov models (HMMs). The method integrates four different detection models to cope with different types of attacks. Attribute information such as TCP flag bits, UDP ports, and ICMP type and code is extracted from packets to build corresponding TCP, UDP and ICMP hidden Markov models, which describe the statistical characteristics of network packet sequences under normal conditions. These models are then used to examine network packet sequences and judge whether a DDoS attack is present. Experimental results show that, compared with other methods of the same kind, this method has better generality and a higher detection rate.
The statistical characteristics of the selected data packets show anomalies under distributed denial of service (DDoS) attacks, and detecting these anomalies is an important task. Some detection methods are based on a hypothesis about data packet rates; this hypothesis, however, is unreasonable in some situations. Other detection methods are based on statistics of IP addresses and data packet lengths, but their detection accuracy declines rapidly under IP spoofing attacks. In this paper, an HMM-based method for detecting DDoS attacks is presented. The method integrates four different detection models against different types of attacks. The models are built from selected attributes of normal network data packets: the flag bits of TCP packets, the ports of UDP packets, and the type and code of ICMP packets, all taken from normal audit data. The models capture the statistical characteristics of normal network data packets and are then used to detect DDoS attacks by processing selected packets from the target audit data. Experimental results show that this method outperforms other reported DDoS detection methods in adaptability and detection accuracy.
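As an added illustration of the detection step the abstract describes (example code, not from the paper): a three-state HMM over TCP flag symbols is scored with the scaled forward algorithm, a threshold is taken from the scores of normal sequences, and a target sequence is flagged when its per-packet log-likelihood falls below it. The symbol alphabet, the model parameters and the "normal audit data" sequences are constructed assumptions, not the paper's own feature coding or trained models.

```python
import math

# Observation alphabet: the TCP flag combination carried by each packet
# (a constructed alphabet; the paper's exact feature coding is not given here).
SYMBOLS = ["SYN", "SYN_ACK", "ACK", "PSH_ACK", "FIN_ACK", "RST"]
IDX = {s: i for i, s in enumerate(SYMBOLS)}

# Hidden states 0..2: handshake, data transfer, teardown.  Hand-constructed
# (hypothetical) parameters that mimic normal TCP behaviour; the paper estimates
# its models from normal audit data instead.
PI = [0.9, 0.05, 0.05]                               # initial state distribution
A = [[0.20, 0.75, 0.05],                             # state transition matrix
     [0.05, 0.80, 0.15],
     [0.30, 0.10, 0.60]]
B = [[0.45, 0.45, 0.08, 0.005, 0.005, 0.01],         # emissions: handshake
     [0.01, 0.01, 0.48, 0.480, 0.010, 0.01],         # emissions: data transfer
     [0.02, 0.02, 0.30, 0.020, 0.500, 0.14]]         # emissions: teardown

def avg_log_likelihood(seq):
    """Scaled forward algorithm: mean log P(sequence | model) per packet."""
    n, obs = len(PI), [IDX[s] for s in seq]
    alpha = [PI[i] * B[i][obs[0]] for i in range(n)]
    total = 0.0
    for t in range(len(obs)):
        if t:
            alpha = [sum(alpha[j] * A[j][i] for j in range(n)) * B[i][obs[t]]
                     for i in range(n)]
        scale = sum(alpha)           # P(o_t | o_1..o_{t-1}); > 0 since every B entry > 0
        total += math.log(scale)
        alpha = [a / scale for a in alpha]
    return total / len(obs)

# Constructed "normal audit data": flag sequences of ordinary TCP connections.
NORMAL = [
    ["SYN", "SYN_ACK", "ACK", "PSH_ACK", "ACK", "PSH_ACK", "ACK", "FIN_ACK", "ACK"],
    ["SYN", "SYN_ACK", "ACK", "PSH_ACK", "PSH_ACK", "ACK", "FIN_ACK", "FIN_ACK", "ACK"],
    ["SYN", "SYN_ACK", "ACK", "ACK", "PSH_ACK", "ACK", "RST"],
]

def threshold_from_normal(normal_seqs, margin=0.2):
    """Lowest per-packet score observed on normal data, minus a tolerance margin."""
    return min(avg_log_likelihood(s) for s in normal_seqs) - margin

def is_anomalous(seq, threshold):
    """Flag a target packet sequence whose per-packet likelihood is below threshold."""
    return avg_log_likelihood(seq) < threshold
```

A window consisting only of SYN packets, as a monitor would see during a SYN flood, scores well below the threshold learned from the normal sequences, while each normal sequence stays above it.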
Source
《计算机研究与发展》 (Journal of Computer Research and Development)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
2005, No. 9, pp. 1594-1599 (6 pages)
Funding
National Natural Science Foundation of China, Key Project (70031020)
Natural Science Foundation of Liaoning Province (2001101074)
Keywords
distributed denial of service; hidden Markov model; anomaly detection