Summary of the invention
The object of the invention is to overcome the poor adaptability and high false-alarm rate of existing distributed denial-of-service (DDoS) attack detection methods, which rely on a single detection feature, and thereby to provide an attack detection method with higher adaptability and higher detection accuracy.
To achieve this, the invention provides a method for detecting distributed denial-of-service attacks, comprising:
Step 1) receiving network packets and extracting from them the detection features that are relevant to DDoS attack detection and serve as evidence that a DDoS attack exists;
Step 2) treating the detection features as evidence in a naive certainty factor model and computing the evidence certainty factors; the naive certainty factor model adds to the certainty factor model the assumption that the evidence in a piece of knowledge always supports the conclusion being true;
Step 3) creating knowledge in the naive certainty factor model from the detection features and computing the certainty factor of that knowledge; in the knowledge of the naive certainty factor model, each independent detection feature corresponds to its own piece of knowledge, and correlated detection features are placed in the same piece of knowledge;
Step 4) substituting the evidence certainty factors and the knowledge certainty factors into the certainty factor computing formulas of the naive certainty factor model and computing the certainty factors of the conclusion events relevant to DDoS attacks.
In the above scheme, in step 1), the detection features that are relevant to DDoS attack detection and serve as evidence of a DDoS attack comprise at least two of the following: global data traffic; global packet rate; global data traffic range; global packet rate range; global source IP distribution scale; global source IP distribution regularity; global destination IP distribution regularity; destination IP traffic; destination IP packet rate; destination IP traffic range; destination IP packet rate range; traffic of the source IPs corresponding to a destination IP; packet rate of the source IPs corresponding to a destination IP; traffic range of the source IPs corresponding to a destination IP; packet rate range of the source IPs corresponding to a destination IP; source IP distribution scale of a destination IP; source IP distribution scale range of a destination IP; source IP distribution regularity of a destination IP; single-packet source IP distribution scale of a destination IP; packet rate uniformity of the source IPs corresponding to a destination IP; traffic uniformity of the source IPs corresponding to a destination IP; packet length uniformity of the source IPs corresponding to a destination IP.
In the above scheme, step 2) comprises:
Step 2-1) examining the global data and the destination IPs of packets of every type together with their corresponding source IPs, and judging whether the relevant detection feature is anomalous; if it is, proceeding to the next step, otherwise going to step 2-3);
Step 2-2) normalising the degree of anomaly of the detection feature, computing the certainty factor of the detection feature as evidence from the normalised result, and continuing with the next packet;
Step 2-3) setting the certainty factor of the detection feature as evidence to 0 and continuing with the next packet.
In the above scheme, the normalisation in step 2-2) uses a normalisation formula in which P_i denotes the statistical value of a detection feature, thrsh_i the threshold of that feature, c_i the allowed fluctuation ratio, and CF(E_i) the certainty factor of evidence E_i.
In the above scheme, in step 3), the knowledge obtained from the 22 detection features comprises:
K_1: E_1 ∨ E_2 → H, CF_1(H,E)
K_2: E_3 ∨ E_4 → H, CF_2(H,E)
K_3: (E_5 ∨ E_6) ∧ E_7 → H, CF_3(H,E)
K_4: E_8 ∨ E_9 → H, CF_4(H,E)
K_5: E_10 ∨ E_11 → H, CF_5(H,E)
K_6: E_12 ∨ E_13 → S, CF_6(S,E)
K_7: E_14 ∨ E_15 → S, CF_7(S,E)
K_8: E_16 → H, CF_8(H,E)
K_9: E_17 → H, CF_9(H,E)
K_10: E_18 → H, CF_10(H,E)
K_11: (E_16 ∨ E_18) ∧ E_19 → F, CF_11(F,E)
K_12: E_20 ∨ E_21 ∨ E_22 → S, CF_12(S,E)
where E_1 denotes the evidence obtained from the global data traffic feature; E_2 the evidence from the global packet rate feature; E_3 the evidence from the global data traffic range feature; E_4 the evidence from the global packet rate range feature; E_5 the evidence from the global source IP distribution scale feature; E_6 the evidence from the global source IP distribution regularity feature; E_7 the evidence from the global destination IP distribution regularity feature; E_8 the evidence from the destination IP traffic feature; E_9 the evidence from the destination IP packet rate feature; E_10 the evidence from the destination IP traffic range feature; E_11 the evidence from the destination IP packet rate range feature; E_12 the evidence from the traffic feature of the source IPs corresponding to a destination IP; E_13 the evidence from the packet rate feature of those source IPs; E_14 the evidence from the traffic range feature of those source IPs; E_15 the evidence from the packet rate range feature of those source IPs; E_16 the evidence from the source IP distribution scale feature of a destination IP; E_17 the evidence from the source IP distribution scale range feature of a destination IP; E_18 the evidence from the source IP distribution regularity feature of a destination IP; E_19 the evidence from the single-packet source IP distribution scale feature of a destination IP; E_20 the evidence from the packet rate uniformity feature of the source IPs corresponding to a destination IP; E_21 the evidence from the traffic uniformity feature of those source IPs; E_22 the evidence from the packet length uniformity feature of those source IPs; H denotes the conclusion event "a DDoS attack exists and the attack target is determined"; S denotes the conclusion event "the attack source is determined"; F denotes the conclusion event "a DDoS attack with randomly spoofed source IPs exists"; and CF_i (i = 1 to 12) denotes the certainty factor of knowledge K_i.
In the above scheme, in step 4), the conclusion events relevant to DDoS attacks comprise the conclusion event H in the knowledge, which expresses "a DDoS attack exists and the attack target is determined".
In the above scheme, in step 4), the conclusion events relevant to DDoS attacks also comprise the conclusion event S in the knowledge, which expresses "the attack source is determined", and the conclusion event F, which expresses "a DDoS attack with randomly spoofed source IPs exists".
In the above scheme, in step 4), the certainty factor computing formulas comprise compound evidence certainty factor formulas and conclusion certainty factor formulas, wherein
the compound evidence certainty factor formulas comprise:
when the evidence is a conjunction event, expressed as E = E_1 ∧ … ∧ E_n, its certainty factor is
CF(E) = CF(E_1 ∧ … ∧ E_n) = min{CF(E_1), …, CF(E_n)}  (1)
when the evidence is a disjunction event, expressed as E = E_1 ∨ … ∨ E_n, its certainty factor is
CF(E) = CF(E_1 ∨ … ∨ E_n) = max{CF(E_1), …, CF(E_n)}  (2)
when the evidence is a compound event containing both conjunction and disjunction events, it is decomposed into its conjunction and disjunction events and formulas (1) and (2) are applied to each;
the conclusion certainty factor formulas comprise the conclusion certainty factor formula for one piece of knowledge and the synthesis formula for the same conclusion drawn from several pieces of knowledge, wherein
the conclusion certainty factor formula for one piece of knowledge is
CF(H) = CF(H,E) × CF(E)  (3)
where CF(H) denotes the conclusion certainty factor, CF(E) the evidence certainty factor and CF(H,E) the knowledge certainty factor;
the synthesis formula for the same conclusion drawn from several pieces of knowledge is
CF(H) = CF_1(H) + CF_2(H) − CF_1(H) × CF_2(H)  (4)
where CF_1(H) denotes the certainty factor of conclusion H from one piece of knowledge and CF_2(H) the certainty factor of conclusion H from another piece of knowledge.
The present invention also provides a DDoS attack detection system comprising a detection feature extraction module, an evidence certainty factor computing module, a knowledge creating module and a DDoS attack detection module, wherein
the detection feature extraction module receives network packets and extracts from them the detection features that are relevant to DDoS attack detection and serve as evidence that a DDoS attack exists;
the evidence certainty factor computing module treats the detection features as evidence in the naive certainty factor model and computes the evidence certainty factors; the naive certainty factor model adds to the certainty factor model the assumption that the evidence in a piece of knowledge always supports the conclusion being true;
the knowledge creating module creates knowledge in the naive certainty factor model from the detection features and computes the certainty factor of that knowledge;
the DDoS attack detection module substitutes the evidence certainty factors and the knowledge certainty factors into the certainty factor computing formulas of the naive certainty factor model and computes the certainty factors of the conclusion events relevant to DDoS attacks.
The advantages of the invention are stronger detection capability, higher detection accuracy and, at the same time, good processing performance.
Embodiment
The invention is explained below with reference to the drawings and specific embodiments.
Uncertain reasoning is an important part of artificial intelligence research; it provides a solid theoretical basis and effective methods for application problems in which the required knowledge is insufficient or inaccurate, or in which many causes lead to the same conclusion. In 1975, Shortliffe and Buchanan (E. H. Shortliffe and B. G. Buchanan, "A Model of Inexact Reasoning in Medicine," Mathematical Biosciences, vol. 23, pp. 351-379, 1975) proposed a certainty factor model (CF model) for uncertain reasoning and applied it successfully in the medical consultation system MYCIN. Scientific practice shows that a DDoS attack often presents several different network behaviour anomalies during the attack, and at the same time the DDoS detection problem has the characteristic that the known expert knowledge is incomplete and inaccurate; the present invention therefore adopts the CF model to solve the DDoS detection problem. For ease of practical application of the CF model, the present invention adds one assumption to it, namely that the evidence in a piece of knowledge always supports the conclusion being true, and thereby proposes a naive certainty factor model (Naive Certainty Factor model, abbreviated N-CF model). The N-CF model is simple, intuitive and practical. For ease of understanding, the concept and concrete content of the naive certainty factor model are explained first.
Definition 1: knowledge (Knowledge, abbreviated K). Knowledge is a rule by which a conclusion is inferred to be true from evidence; it is usually expressed as a production rule of the general form:
K: E → H
where E is the evidence and H is the conclusion. Evidence is a simple event or a compound event formed by conjunction and/or disjunction; a conclusion is one or more events, and the conclusion of one piece of knowledge may also serve as evidence for another piece of knowledge.
Definition 2: certainty factor (Certainty Factor, abbreviated CF). The certainty factor expresses the degree of belief that the object event is true; it comprises the evidence certainty factor CF(E), the knowledge certainty factor CF(H,E) and the conclusion certainty factor CF(H). Its magnitude is usually expressed as a fuzzy number in [0,1]; a certainty factor of 0 means that the object event is false or irrelevant.
The formulas for computing certainty factors in the N-CF model are given below.
1. Computing the certainty factor of compound evidence
If the evidence is a conjunction event, written E = E_1 ∧ … ∧ E_n, its certainty factor is:
CF(E) = CF(E_1 ∧ … ∧ E_n) = min{CF(E_1), …, CF(E_n)}  (1)
If the evidence is a disjunction event, written E = E_1 ∨ … ∨ E_n, its certainty factor is:
CF(E) = CF(E_1 ∨ … ∨ E_n) = max{CF(E_1), …, CF(E_n)}  (2)
If the evidence is a compound event, it is decomposed into conjunction and disjunction events and formulas (1) and (2) are applied to each.
2. Computing the certainty factor of knowledge
The knowledge certainty factor is usually given directly by domain experts with rich professional knowledge and practical experience, or computed from objective historical data by learning or training. Its principle is: the higher the support that the appearance of the evidence gives to the conclusion being true, the larger the value of the knowledge certainty factor.
3. Computing the certainty factor of a conclusion
a. Conclusion certainty factor of one piece of knowledge
The conclusion certainty factor of one piece of knowledge is:
CF(H) = CF(H,E) × CF(E)  (3)
b. Synthesis of the same conclusion from several pieces of knowledge
If two pieces of knowledge K_1 and K_2 can infer the same conclusion H, and the evidence E_1 of K_1 and the evidence E_2 of K_2 are independent of each other, the comprehensive certainty factor of the conclusion drawn by the two pieces of knowledge can be computed by a synthesis operation, whose formula is:
CF(H) = CF_1(H) + CF_2(H) − CF_1(H) × CF_2(H)  (4)
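The four N-CF formulas above (and the same formulas (1) to (4) in the summary) can be written as plain functions. The following is an added example, not code from the patent: it evaluates simple or nested conjunction/disjunction evidence with (1) and (2), applies (3) per rule and (4) across rules, and shows that repeated pairwise synthesis with (4) is order-independent. The evidence values and the two rules for H are constructed for the demonstration.

```python
# Added example (not from the patent): the four N-CF formulas as plain Python,
# with a small evaluator for nested conjunction/disjunction evidence.
from functools import reduce
from typing import Dict, Sequence, Tuple, Union

# An evidence expression is an evidence name, or ("and", [...]) / ("or", [...]);
# the lists may nest, which is how a compound event is decomposed.
Expr = Union[str, Tuple[str, list]]

def check_cf(x: float) -> float:
    """Certainty factors in this model are fuzzy numbers in [0, 1]."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"certainty factor {x} outside [0, 1]")
    return x

def cf_conjunction(cfs: Sequence[float]) -> float:
    """Formula (1): CF(E_1 ∧ … ∧ E_n) = min{CF(E_1), …, CF(E_n)}."""
    return min(cfs)

def cf_disjunction(cfs: Sequence[float]) -> float:
    """Formula (2): CF(E_1 ∨ … ∨ E_n) = max{CF(E_1), …, CF(E_n)}."""
    return max(cfs)

def cf_evidence(expr: Expr, cf: Dict[str, float]) -> float:
    """Certainty factor of simple or compound evidence: decompose into
    conjunctions and disjunctions and apply (1) and (2) recursively."""
    if isinstance(expr, str):
        return check_cf(cf.get(expr, 0.0))   # absent evidence counts as 0
    op, parts = expr
    vals = [cf_evidence(p, cf) for p in parts]
    if op == "and":
        return cf_conjunction(vals)
    if op == "or":
        return cf_disjunction(vals)
    raise ValueError(f"unknown operator {op!r}")

def cf_conclusion(cf_rule: float, cf_e: float) -> float:
    """Formula (3): CF(H) = CF(H,E) × CF(E)."""
    return check_cf(cf_rule) * check_cf(cf_e)

def cf_combine(a: float, b: float) -> float:
    """Formula (4): synthesis of two independent supports for the same conclusion."""
    return a + b - a * b

def cf_combine_all(values: Sequence[float]) -> float:
    """Apply (4) pairwise over any number of rules. Because (4) equals
    1 − (1−a)(1−b), the result is the same in any order, and a rule that
    contributes 0 leaves the total unchanged."""
    return reduce(cf_combine, values, 0.0)

def infer(rules: Sequence[Tuple[Expr, float]], cf: Dict[str, float]) -> float:
    """Comprehensive certainty factor of one conclusion H supported by several
    rules given as (evidence expression, CF(H,E)): (3) per rule, then (4)."""
    return cf_combine_all([cf_conclusion(r, cf_evidence(e, cf)) for e, r in rules])

# Constructed evidence certainty factors and two assumed rules for one conclusion H.
EVIDENCE = {"E1": 0.6, "E2": 0.3, "E3": 0.9}
RULES_H = [
    (("or", ["E1", "E2"]), 0.8),                   # K1: E1 ∨ E2 → H, CF(H,E) = 0.8
    (("and", ["E3", ("or", ["E1", "E2"])]), 0.5),  # K2: E3 ∧ (E1 ∨ E2) → H, CF(H,E) = 0.5
]

if __name__ == "__main__":
    print(f"CF(H) = {infer(RULES_H, EVIDENCE):.3f}")   # 0.636
```

With the constructed values, K1 yields 0.8 × max(0.6, 0.3) = 0.48 and K2 yields 0.5 × min(0.9, 0.6) = 0.30; formula (4) synthesises them to 0.48 + 0.30 − 0.144 = 0.636. The range check in check_cf matters in practice: a normalisation step that returns a value outside [0, 1] would otherwise silently distort every conclusion built on it.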
The above is an explanation of the naive certainty factor model used in the present invention; on the basis of this model, detection of whether a network is subject to a DDoS attack can be realised. The DDoS detection method of the present invention receives network packets within a predetermined time interval, extracts from them the detection features relevant to DDoS attacks, computes the certainty factors of the evidence formed by these features, then creates the knowledge of the naive certainty factor model from the detection features, and finally computes the certainty factors of the conclusions in the knowledge from the certainty factors of the evidence and of the knowledge, thereby concluding whether a DDoS attack exists in the network. For ease of understanding, the DDoS detection method of the present invention is explained below with reference to Fig. 1 and a specific embodiment.
Referring to Fig. 1, before concrete DDoS detection operations are performed, the parameters relevant to detection are first initialised; for example, the timer T is set to 0 and the detection time is set to T_0.
After the parameters have been initialised, network packets can be received and protocol-decoded to obtain the network-layer and transport-layer header information of each packet. In the present embodiment the protocol decoding is TCP/IP decoding, and the header information obtained includes source IP, destination IP, source port, destination port, protocol, packet length, TCP flags, etc.
After the network-layer and transport-layer header information has been obtained by protocol decoding, the packet type is determined from this information, and the relevant detection features are then accumulated per packet type. In the present embodiment many packet types can be detected, including but not limited to ICMP packets, ICMP Echo packets (ICMP packets with Type 8), ICMP Reply packets (ICMP packets with Type 0), ICMP Unreachable packets (ICMP packets with Type 3), TCP packets, TCP Syn packets (TCP packets with the Syn flag), TCP Rst packets (TCP packets with the Rst flag), UDP packets, DNS packets, HTTP packets, etc. Packet types correspond to DDoS attack types, so the number of packet types that can be detected represents the detection capability of the method with respect to DDoS attack types. In the present embodiment the detection features are the network traffic features and/or behavioural features presented when a DDoS attack occurs, and through them the existence of a DDoS attack in the network can be discovered. The kinds and number of detection features can be chosen as required by those skilled in the art; in the present embodiment 22 detection features in 5 classes are selected, the statistics of the different detection features are stored separately, and the detailed content of these features is explained below.
After the detection features of the packet have been obtained, it is judged whether the counter T has exceeded the detection time interval T_0: if not, packet reception continues; if so, the certainty factors of the evidence formed by these detection features are computed. The certainty factor of evidence can be measured by the degree of anomaly of the detection feature. The details of computing the evidence certainty factors are explained below in conjunction with the 22 features.
After the certainty factors of the evidence generated from the detection features have been obtained, the relevant knowledge is created for the naive certainty factor model according to the detection features, the evidence certainty factors are substituted into the model, the certainty factors of the relevant conclusions in the knowledge are computed with the certainty factor computing formulas of the model, and the result of whether a DDoS attack exists in the network is obtained.
The above is a rough description of the implementation of the DDoS detection method of the present invention in one embodiment. Some concrete technical details of the method are discussed further below.
I. The 22 detection features in 5 classes
Class 1: global traffic features of all collected packets. Since flooding-type DDoS attacks often present anomalies in the overall network traffic during the attack, global traffic features need to be extracted. This class comprises:
a. global data traffic (unit: bps, bits per second);
b. global packet rate (unit: pps, packets per second);
c. global data traffic range;
d. global packet rate range.
The range in features c and d is the difference between the maximum and the minimum of the object within the detection time interval.
Class 2: global IP distribution features of all collected packets. Since non-flooding DDoS attacks often present anomalies in the overall distribution of IP addresses during the attack, global IP distribution features need to be extracted. This class comprises:
e. global source IP distribution scale;
f. global source IP distribution regularity;
g. global destination IP distribution regularity.
The distribution scale is the number of distinct values of the object within the detection time interval; the distribution regularity is the numerical distribution characteristic of the object within the detection time interval and can be computed with publicly known techniques and methods, for example the global source IP distribution regularity with relative entropy and the global destination IP distribution regularity with absolute entropy.
Class 3: traffic features of the packets corresponding to each destination IP. Since flooding-type DDoS attacks often present anomalies in the data traffic flowing towards the victim IP address during the attack, the traffic features of each destination IP need to be extracted. This class comprises:
h. destination IP traffic;
i. destination IP packet rate;
j. destination IP traffic range;
k. destination IP packet rate range;
l. source IP traffic;
m. source IP packet rate;
n. source IP traffic range;
o. source IP packet rate range.
Class 4: source IP distribution features of the packets corresponding to each destination IP. Since non-flooding DDoS attacks often present anomalies in the distribution of source IP addresses within the traffic flowing towards the victim IP address during the attack, the source IP distribution features of each destination IP need to be extracted. This class comprises:
p. source IP distribution scale;
q. source IP distribution scale range;
r. source IP distribution regularity;
s. single-packet source IP distribution scale.
A single-packet source IP is a source IP that sends only one or a few packets to the destination IP. The single-packet source IP distribution scale is one of the bases for detecting DDoS attacks with randomly spoofed source IPs.
Class 5: uniformity features of the packets corresponding to each source IP. Since the packets sent by each attack source during a DDoS attack often present similarity or uniformity, the packet uniformity features of each source IP need to be extracted. This class comprises:
t. packet rate uniformity;
u. traffic uniformity;
v. packet length uniformity.
In the present invention, the detection features relevant to DDoS detection that can be extracted are not limited to the 22 features in 5 classes mentioned in this embodiment; other embodiments may also use other detection features, for example the ratio of TCP Syn packets to TCP Ack/Syn packets, the ratio of outgoing traffic to incoming traffic, and IP address, port, protocol type and data payload features.
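To make the five feature classes concrete, the following added example (not the patent's own code) computes a representative subset of them over a detection interval from constructed packet records: global traffic and packet rate with their ranges (class 1), source and destination IP distribution scale and regularity (class 2), per-destination traffic, source scale and single-packet source count (classes 3 and 4), and per-source packet length uniformity (class 5). Where the text does not fix a definition, the choice made here is an assumption and is marked as such: relative entropy is taken as entropy normalised by the log of the number of distinct values, the range is sampled in 1-second bins, a single-packet source sends at most one packet, and length uniformity is the share of packets carrying the modal length.

```python
# Added example (not the patent's own code): computing interval statistics of
# the kind listed above from constructed packet records.
import math
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

Packet = Tuple[float, str, str, int]   # (timestamp_s, src_ip, dst_ip, length_bytes)

# Constructed sample, not captured traffic: three sources send identical 60-byte
# packets to 10.0.0.1 every 0.1 s, one source sends a single packet to it, and a
# small normal flow goes to 10.0.0.2. The detection interval T0 is 3 seconds.
T0 = 3.0
PACKETS: List[Packet] = [(i * 0.1, f"192.0.2.{1 + i % 3}", "10.0.0.1", 60) for i in range(30)]
PACKETS += [(0.5, "198.51.100.7", "10.0.0.2", 1200),
            (1.5, "198.51.100.7", "10.0.0.2", 400),
            (2.5, "198.51.100.9", "10.0.0.2", 800),
            (1.0, "203.0.113.5", "10.0.0.1", 60)]

def shannon_entropy(counts: Dict[str, int]) -> float:
    """Absolute entropy (bits) of a value distribution given as value -> count."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def normalized_entropy(counts: Dict[str, int]) -> float:
    """Entropy divided by log2 of the number of distinct values, so 1.0 means a
    perfectly even spread. Assumption: this stands in for the 'relative entropy'
    the text names for the source IP distribution regularity."""
    n = len(counts)
    return shannon_entropy(counts) / math.log2(n) if n > 1 else 0.0

def per_second_bins(packets: List[Packet], weight: Callable[[Packet], float]) -> Dict[int, float]:
    """Sum weight(pkt) per 1-second bin; the 1 s step is an assumed sampling
    interval for the range (max minus min) features."""
    bins: Dict[int, float] = defaultdict(float)
    for p in packets:
        bins[int(p[0])] += weight(p)
    return bins

def global_features(packets: List[Packet], t0: float) -> Dict[str, float]:
    """Classes 1 and 2: global traffic and global IP distribution features."""
    bps_bins = per_second_bins(packets, lambda p: p[3] * 8)
    pps_bins = per_second_bins(packets, lambda p: 1)
    src = Counter(p[1] for p in packets)
    dst = Counter(p[2] for p in packets)
    return {
        "bps": sum(p[3] for p in packets) * 8 / t0,
        "pps": len(packets) / t0,
        "bps_range": max(bps_bins.values()) - min(bps_bins.values()),
        "pps_range": max(pps_bins.values()) - min(pps_bins.values()),
        "src_scale": len(src),                         # distinct source IPs
        "src_regularity": normalized_entropy(src),     # relative entropy (assumed form)
        "dst_regularity": shannon_entropy(dst),        # absolute entropy
    }

def destination_features(packets: List[Packet], t0: float, single_pkt_max: int = 1) -> Dict[str, Dict[str, float]]:
    """Classes 3 and 4 per destination IP. Assumption: a 'single-packet source IP'
    is one that sent at most single_pkt_max packets to that destination."""
    by_dst: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        by_dst[p[2]].append(p)
    out = {}
    for d, pk in by_dst.items():
        src = Counter(p[1] for p in pk)
        out[d] = {
            "bps": sum(p[3] for p in pk) * 8 / t0,
            "pps": len(pk) / t0,
            "src_scale": len(src),
            "src_regularity": normalized_entropy(src),
            "single_pkt_src_scale": sum(1 for c in src.values() if c <= single_pkt_max),
        }
    return out

def source_length_uniformity(packets: List[Packet]) -> Dict[str, float]:
    """Class 5 per source IP: share of its packets carrying the most common
    length (1.0 = every packet the same size). Assumption: this is how the
    'packet length uniformity' feature is measured."""
    by_src: Dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        by_src[p[1]][p[3]] += 1
    return {s: max(c.values()) / sum(c.values()) for s, c in by_src.items()}

if __name__ == "__main__":
    print(global_features(PACKETS, T0))
    print(destination_features(PACKETS, T0))
    print(source_length_uniformity(PACKETS))
```

On the constructed sample the global rate is 11360 bps and 34/3 pps, 10.0.0.1 sees four distinct sources of which one is a single-packet source, and every flooding source has a length uniformity of 1.0 while the normal source scores 0.5. In a real deployment these counters would be kept per packet type as the text describes, and the per-source dictionaries are the place where memory use must be bounded, since a spoofed-source flood creates one entry per forged address.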
II. Computing the evidence certainty factors of the detection features
The certainty factor of the evidence formed by a detection feature can be measured by the degree of anomaly of the feature, and its magnitude is usually expressed as a fuzzy number in [0,1]. The evidence certainty factors of the 22 detection features are computed in a similar way: the global data and the destination IPs of packets of every type together with their source IPs are examined, and it is judged whether the relevant detection feature is anomalous; if so, the degree of anomaly is normalised and the evidence certainty factor is computed; if not, the certainty factor of the corresponding evidence is set to 0; then the next data is processed. This is repeated until the global data and the destination and source IPs of all packet types have been processed. The judgement of whether a detection feature is anomalous is generally made by comparing the statistic of the feature with its corresponding threshold. The thresholds may be set separately for each feature from practical experience and the application environment; for example, the traffic and traffic range thresholds can be set to 1 Mbps and 300 Kbps respectively, the packet rate and packet rate range thresholds to 500 pps and 200 pps respectively, the distribution scale and distribution scale range thresholds to 1024 and 256 respectively, the distribution regularity threshold to 0.5, and the uniformity threshold to 0.95. The thresholds may also be set by training in advance on network data of the application environment using publicly known techniques and methods. Normalisation of the degree of anomaly can use methods disclosed in the prior art that map the degree of anomaly to a fuzzy number in [0,1], such as the linear normalisation y = (x − Min)/(Max − Min), x ∈ [Min, Max], y ∈ [0,1]. For ease of understanding, a mapping formula for mapping the degree of anomaly to a fuzzy number is expressed in the following symbols: P_i denotes the statistical value of the feature, thrsh_i the threshold of the feature, c_i the allowed fluctuation ratio, and CF(E_i) the certainty factor of evidence E_i.
Since the related techniques for computing the evidence certainty factors of the detection features can be realised with existing techniques, only a brief description is given here.
III. Using the naive certainty factor model to compute the certainty factors of conclusions
In the naive certainty factor model, the knowledge can change with the scenario to which the model is applied (mainly the content of the detection features). Therefore, before the computations of the naive certainty factor model are carried out, the knowledge must be constructed from the detection features; when constructing it, each independent detection feature should correspond to its own piece of knowledge, and correlated detection features should be placed in the same piece of knowledge. Taking the 22 features in 5 classes of the present embodiment as the basis, an example knowledge base for DDoS detection is given below:
K_1: E_1 ∨ E_2 → H, CF_1(H,E)
K_2: E_3 ∨ E_4 → H, CF_2(H,E)
K_3: (E_5 ∨ E_6) ∧ E_7 → H, CF_3(H,E)
K_4: E_8 ∨ E_9 → H, CF_4(H,E)
K_5: E_10 ∨ E_11 → H, CF_5(H,E)
K_6: E_12 ∨ E_13 → S, CF_6(S,E)
K_7: E_14 ∨ E_15 → S, CF_7(S,E)
K_8: E_16 → H, CF_8(H,E)
K_9: E_17 → H, CF_9(H,E)
K_10: E_18 → H, CF_10(H,E)
K_11: (E_16 ∨ E_18) ∧ E_19 → F, CF_11(F,E)
K_12: E_20 ∨ E_21 ∨ E_22 → S, CF_12(S,E)
where E_i (i = 1 to 22) denotes in turn the evidence corresponding to the 22 features described above; specifically, E_1 denotes the evidence obtained from the global data traffic feature; E_2 the evidence from the global packet rate feature; E_3 the evidence from the global data traffic range feature; E_4 the evidence from the global packet rate range feature; E_5 the evidence from the global source IP distribution scale feature; E_6 the evidence from the global source IP distribution regularity feature; E_7 the evidence from the global destination IP distribution regularity feature; E_8 the evidence from the destination IP traffic feature; E_9 the evidence from the destination IP packet rate feature; E_10 the evidence from the destination IP traffic range feature; E_11 the evidence from the destination IP packet rate range feature; E_12 the evidence from the traffic feature of the source IPs corresponding to a destination IP; E_13 the evidence from the packet rate feature of those source IPs; E_14 the evidence from the traffic range feature of those source IPs; E_15 the evidence from the packet rate range feature of those source IPs; E_16 the evidence from the source IP distribution scale feature of a destination IP; E_17 the evidence from the source IP distribution scale range feature of a destination IP; E_18 the evidence from the source IP distribution regularity feature of a destination IP; E_19 the evidence from the single-packet source IP distribution scale feature of a destination IP; E_20 the evidence from the packet rate uniformity feature of the source IPs corresponding to a destination IP; E_21 the evidence from the traffic uniformity feature of those source IPs; E_22 the evidence from the packet length uniformity feature of those source IPs; H denotes the conclusion event "a DDoS attack exists and the attack target is determined"; S denotes the conclusion event "the attack source is determined"; F denotes the conclusion event "a DDoS attack with randomly spoofed source IPs exists"; and CF_i (i = 1 to 12) denotes the certainty factor of knowledge K_i. The certainty factor of each piece of knowledge is given directly by domain experts, or computed from objective historical data by learning or training; its measurement principle should ensure that the higher the support that the appearance of the evidence gives to the conclusion being true, the larger the value of the knowledge certainty factor. The knowledge base above is given only to illustrate the detection method of this specific embodiment of the present invention; concrete applications are not limited to its content.
Once the knowledge above is in place, the confidence levels of the three conclusion events H, S and F contained in the knowledge are computed with reference to Figure 2 and formulas (1)-(4) given in the description above. In the computation, a detection threshold on the confidence level is first set for each of the H, S and F events, based on practical experience or experimental results. The destination IPs of the global data and of each packet type, together with their corresponding source IPs, are then examined in turn. For each one, starting from the confidence levels of the 22 pieces of evidence above, formula (1) or (2) is applied to each knowledge entry in the knowledge base to compute the evidence confidence of the conjunctive and/or disjunctive events in its premise; formula (3) gives the conclusion confidence of each knowledge entry; formula (4) is then applied repeatedly to combine, pairwise, the confidence levels that all knowledge entries assign to the same conclusion, yielding the comprehensive confidence level of that conclusion event; finally the comprehensive confidence level of the conclusion event is judged against its threshold. If the comprehensive confidence of the H event exceeds its detection threshold, a DDoS attack is judged to exist, and its target is the destination IP currently under examination. If the confidence of the F event also exceeds its detection threshold, the attack is further judged to be a randomly spoofed source IP attack, and all single-packet source IPs are at the same time confirmed as attack sources. Further, if the comprehensive confidence of the S event for a source IP corresponding to this destination IP exceeds its detection threshold, that source IP is determined to be an attack source, an alert event is generated and written to the attack database. If the comprehensive confidence of the H event does not exceed its detection threshold, there is no need to consider whether the confidence of the S and F events has exceeded their thresholds: no DDoS attack is deemed present and processing moves on to the next data. This process is repeated until the destination IPs of the global data and of all packet types, and their corresponding source IPs, have all been processed.
It should be noted that although the knowledge base above contains the three conclusion events H, S and F, a practical application is not required to compute the confidence levels of all of them; computing the confidence level of conclusion event H alone is sufficient, although obtaining the results for all three conclusion events at once gives a better result.
The present invention also provides a detection system for distributed denial of service attacks, comprising a detection feature extraction module, an evidence confidence computation module, a knowledge creation module and a distributed denial of service attack detection module; wherein,
the detection feature extraction module receives network packets and extracts from them the detection features that are relevant to distributed denial of service attack detection and serve to prove the existence of a distributed denial of service attack;
the evidence confidence computation module takes the detection features as the evidence of the naive credibility model and computes the evidence confidence levels;
the knowledge creation module creates the knowledge of the naive credibility model from the detection features and computes the confidence level of that knowledge;
the distributed denial of service attack detection module substitutes the evidence confidence levels and the knowledge confidence levels into the confidence computation formulas of the naive credibility model and computes the confidence levels of the conclusion events relevant to distributed denial of service attacks.
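The detection procedure described above (evidence confidence, knowledge entries with conjunctive or disjunctive premises, pairwise combination into a comprehensive confidence, and the H-then-F-then-S threshold decisions) and the four-module system just listed, worked through in code. This is an added illustration, not code from the patent. Formulas (1)-(4) are referenced but not reproduced in this section, so the code assumes the standard MYCIN-style certainty-factor operations (minimum for conjunctive evidence, maximum for disjunctive evidence, knowledge confidence times premise confidence for a rule's conclusion, and CF1 + CF2 - CF1*CF2 for two supports of the same conclusion), restricted to non-negative values because the naive credibility model assumes evidence always supports its conclusion being true. The feature names, the linear mapping from a measured feature to its evidence confidence, the seven rules and their confidence values, the thresholds and the three traffic scenarios are all constructed for the example; they are not the patent's 12 knowledge entries nor the thresholds of Table 1.

```python
# Added example, not the patent's code. Formulas (1)-(4) are ASSUMED to be the standard
# MYCIN-style certainty-factor operations restricted to non-negative values; all rules,
# feature names, thresholds and traffic figures below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List
Evidence = Dict[str, float]  # feature name -> evidence confidence in [0, 1]

@dataclass(frozen=True)
class FeatureSpec:           # steps 1 and 2: detection feature -> evidence confidence
    threshold: float         # at or below this the feature is no evidence (CF = 0)
    saturation: float        # at or above this the evidence is taken as certain (CF = 1)

def evidence_cf(value: float, spec: FeatureSpec) -> float:
    """Linear ramp between threshold and saturation (an assumption; the patent only says
    the evidence confidence is computed from the detected feature)."""
    if value <= spec.threshold:
        return 0.0
    if value >= spec.saturation:
        return 1.0
    return (value - spec.threshold) / (spec.saturation - spec.threshold)

def evidence_from(meas: Dict[str, float], specs: Dict[str, FeatureSpec]) -> Evidence:
    return {name: evidence_cf(meas.get(name, 0.0), spec) for name, spec in specs.items()}

def cf_and(*cfs: float) -> float: return min(cfs)  # formula (1) analogue: conjunctive evidence
def cf_or(*cfs: float) -> float: return max(cfs)   # formula (2) analogue: disjunctive evidence

@dataclass(frozen=True)
class Rule:                               # step 3: one knowledge entry
    conclusion: str                       # "H" attack exists, "F" random spoofing, "S" source attacks
    cf_rule: float                        # knowledge confidence CF_i, expert-given or learned
    premise: Callable[[Evidence], float]  # evidence confidence of the premise

def rule_conclusion_cf(rule: Rule, ev: Evidence) -> float:
    """Formula (3) analogue: the rule supports its conclusion with CF_rule * CF(premise)."""
    return rule.cf_rule * max(0.0, rule.premise(ev))

def combine(cf1: float, cf2: float) -> float:
    """Formula (4) analogue for two non-negative supports of one conclusion; commutative
    and associative, so folding pairwise over the rules in any order gives one result."""
    return cf1 + cf2 - cf1 * cf2

def comprehensive_cf(conclusion: str, rules: List[Rule], ev: Evidence) -> float:
    total = 0.0
    for r in rules:
        if r.conclusion == conclusion:
            total = combine(total, rule_conclusion_cf(r, ev))
    return total

def detect_for_destination(dst_ip, dst_ev, per_source_ev, single_packet_sources, rules, thr) -> dict:
    """Step 4: threshold decisions for one destination IP."""
    h = comprehensive_cf("H", rules, dst_ev)
    verdict = {"target": dst_ip, "cf_H": h, "attack": h > thr["H"],
               "random_spoofed": False, "attack_sources": []}
    if not verdict["attack"]:
        return verdict  # H below threshold: S and F are not evaluated at all
    verdict["random_spoofed"] = comprehensive_cf("F", rules, dst_ev) > thr["F"]
    sources = set(single_packet_sources) if verdict["random_spoofed"] else set()
    for src, src_ev in per_source_ev.items():  # each source judged together with the destination's evidence
        if comprehensive_cf("S", rules, {**dst_ev, **src_ev}) > thr["S"]:
            sources.add(src)
    verdict["attack_sources"] = sorted(sources)
    return verdict

# Constructed knowledge base and thresholds (not the patent's 12 entries or Table 1).
DST_SPECS = {"dst_pps": FeatureSpec(20_000, 100_000), "dst_mbps": FeatureSpec(80, 400),
             "dst_pps_range": FeatureSpec(10_000, 50_000), "src_scale": FeatureSpec(500, 5_000),
             "single_pkt_src_scale": FeatureSpec(200, 2_000)}
SRC_SPECS = {"src_pps": FeatureSpec(1_000, 10_000), "src_mbps": FeatureSpec(20, 100),
             "src_len_uniformity": FeatureSpec(0.5, 1.0)}
RULES = [
    Rule("H", 0.8, lambda e: cf_and(e["dst_pps"], e["dst_mbps"])),
    Rule("H", 0.6, lambda e: e["dst_pps_range"]),
    Rule("H", 0.6, lambda e: e["src_scale"]),
    Rule("F", 0.7, lambda e: e["single_pkt_src_scale"]),
    Rule("F", 0.5, lambda e: cf_and(e["src_scale"], e["single_pkt_src_scale"])),
    Rule("S", 0.6, lambda e: cf_or(e["src_pps"], e["src_mbps"])),
    Rule("S", 0.5, lambda e: cf_and(e["src_pps"], e["src_len_uniformity"])),
]
THRESHOLDS = {"H": 0.5, "S": 0.5, "F": 0.5}

def run_scenario(dst_meas, src_meas, single_packet_sources) -> dict:
    per_src = {ip: evidence_from(m, SRC_SPECS) for ip, m in src_meas.items()}
    return detect_for_destination("198.51.100.10", evidence_from(dst_meas, DST_SPECS),
                                  per_src, single_packet_sources, RULES, THRESHOLDS)

def scenario_two_big_sources() -> dict:  # like Experiment 1: two real high-volume sources
    return run_scenario(
        {"dst_pps": 60_000, "dst_mbps": 240, "dst_pps_range": 30_000, "src_scale": 3},
        {"10.0.0.1": {"src_pps": 50_000, "src_mbps": 200, "src_len_uniformity": 1.0},
         "10.0.0.2": {"src_pps": 9_100, "src_mbps": 36, "src_len_uniformity": 0.9},
         "192.0.2.7": {"src_pps": 900, "src_mbps": 4, "src_len_uniformity": 0.3}}, [])

def scenario_low_rate_spoofed() -> dict:  # like Experiment 2: destination rate never crosses dst_pps 20 000
    return run_scenario(
        {"dst_pps": 18_000, "dst_mbps": 60, "dst_pps_range": 8_000,
         "src_scale": 5_000, "single_pkt_src_scale": 4_700},
        {"203.0.113.5": {"src_pps": 1, "src_mbps": 0.001, "src_len_uniformity": 1.0}},
        ["203.0.113.5", "203.0.113.77", "198.51.100.9"])  # single-packet sources (list truncated)

def scenario_benign() -> dict:  # busy but legitimate: H stays under threshold, S and F are skipped
    return run_scenario(
        {"dst_pps": 25_000, "dst_mbps": 90, "dst_pps_range": 12_000, "src_scale": 300},
        {"10.0.0.1": {"src_pps": 3_000, "src_mbps": 30, "src_len_uniformity": 0.6}}, [])
```

In the first scenario the H confidence reaches 0.58 from the destination rate and volume rules alone, both flooding sources pass the S threshold and the legitimate client does not. In the second the destination packet rate stays below the single-feature threshold, so a conventional rate check sees nothing, yet the source-distribution features push H to 0.6 and F to 0.85, and the single-packet sources are reported as attack sources. Because the combination step is commutative and associative, the comprehensive confidence of a conclusion equals 1 minus the product of (1 minus each rule's support), which makes the repeated pairwise combination in the text independent of the order in which knowledge entries are visited.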
In the process of detecting DDoS attacks, the detection method and detection system of the present invention use the naive credibility model to fuse 22 network traffic and behavioral features in 5 classes: global traffic features, global IP distribution features, destination IP traffic features, source IP distribution features for the destination IP, and source IP packet uniformity features. Compared with existing methods that use a single feature in isolation, both detection accuracy and adaptability are improved. In addition, since the method relies mainly on feature statistics and threshold comparison, it is simple, has good real-time performance and practicality, and is suited to DDoS detection in large-scale, high-speed network environments. Furthermore, compared with existing methods, the method of the present invention not only judges whether a DDoS attack exists but, more importantly, further determines the attack target, the attack sources and whether the source IPs are randomly spoofed, providing useful information for the further filtering, mitigation and defense of DDoS attacks.
To further demonstrate the validity of the method of the invention, a set of UDP Flood detection experiments is used as an example to compare the method of the invention with a conventional method that uses traffic features in isolation.
The experimental environment was as follows:
(1) Hardware: a Dawning server with 4 CPUs (Dual-Core AMD Opteron, 2211 MHz, 64-bit) and 4 GB of memory, running the 64-bit CentOS Linux 5.2 operating system. Only one CPU was used for data processing in this experiment.
(2) Background traffic: full packet traces collected in October 2008 at the international gateway of a telecommunications carrier, with an average packet rate of 22496 pps and an average traffic rate of 91.2 Mbps. This traffic was used as the background throughout the experiments.
To ensure the fairness of the experiments, both methods were given the same traffic threshold parameters; the specific threshold settings are shown in Table 1 below:
Table 1
Here the destination IP traffic volume and destination IP packet rate thresholds are also the thresholds used by the conventional detection method. The knowledge confidence levels CF_i (i = 1 to 12) used by the method of the invention were set to 0.2, 0.1, 0.3, 0.5, 0.4, 0.5, 0.4, 0.4, 0.5, 0.4, 1.0 and 0.3 respectively, the detection threshold for the conclusion events was 0.5, and all other thresholds were obtained with published learning methods.
Two experiments were designed for two attack scenarios with the same target IP address:
Experiment 1: detection of a high-volume (relative to the background traffic) UDP Flood attack from 2 real attack sources;
Experiment 2: detection of a low-volume UDP Flood attack from randomly spoofed attack sources.
The experimental results are shown in Table 2 below:
Table 2
In the results above, "√" indicates that the corresponding detection method works and "×" that it does not. The results show that the conventional method lacks the ability to detect low-rate, slow attacks, whereas the method of the invention, which fuses multiple behavioral features, has stronger detection capability and higher detection accuracy, while also offering good processing performance.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions of the technical solution of the present invention that do not depart from its spirit and scope all fall within the scope of the claims of the present invention.