A Distributed Detection Scheme Based on Weighted CAT against DDoS

Cited by: 2
Abstract: To address the heavy victim-end overhead and low detection rate of the DCD (distributed change-point detection) scheme, a detection scheme based on weighted CAT (change aggregation trees) is proposed. A multi-tier distributed architecture spreads the detection task across the source end, the intermediate network, and the victim end of the Internet, so that attacks are detected early. Exploiting the sensitivity of the CUSUM algorithm to slight changes, the source-end hosts and the routers of the intermediate network perform detection based on the number of packets sent to a destination and on changes in super stream aggregation; the victim end performs detection based on the weight of the domain (AS) tree. Experiments and analysis show that the detection rate for UDP attacks rises from at most 0.72 in DCD to 0.94 in CAT, and the detection rate for TCP attacks also improves slightly; the network communication overhead and the victim-end storage overhead fall from o(mnk) to o(mk), and the victim-end computation overhead falls from o(mn) to o(m). While performing detection, the system also obtains the attack path and the exact location of the attack (the host, router or domain where the anomaly is observed), which enables distributed traceback of DDoS attacks.
Source: Journal of Wuhan University (Natural Science Edition); indexed in CAS, CSCD and the Peking University Core Journals list; 2008, No. 5, pp. 626-630 (5 pages)
Funding: National Natural Science Foundation of China (60673156); Key Science and Technology Project of the Ministry of Education (105129)
Keywords: DDoS (distributed denial of service) attacks; distributed detection; CAT (change aggregation trees); CUSUM algorithm; collaborative detection
