CN102238047A - Distributed denial-of-service attack detection method based on external connection behaviors of Web communication group - Google Patents


Info

Publication number
CN102238047A
Authority
CN
China
Prior art keywords
attack
address
web
delta
communication group
Prior art date
Legal status
Granted
Application number
CN2011101990630A
Other languages
Chinese (zh)
Other versions
CN102238047B (en)
Inventor
王风宇
郭山清
林丰波
龚斌
胡毅
Current Assignee
Shandong University
Original Assignee
Shandong University
Priority date
Filing date
Publication date

Abstract

The invention discloses a distributed denial-of-service attack detection method based on the external connection behaviors of a Web communication group. The method comprises the following steps: 1) setting up a port mirror on a network device, and copying and transmitting all network messages passing through the device to an attack detection front-end processor; 2) using the attack detection front-end processor to extract the communication group of a given Web server and the external connection behaviors of that group, and transmitting them to an attack detection server; 3) using the attack detection server to count the external connection behavior parameters, namely the number CN_MLN of clients connected to multi-external-connection nodes and the total client number CN of the Web communication group, and to monitor the offset of the ratio of the two parameters with an improved cumulative sum (CUSUM) algorithm, judging from that offset whether an application-layer distributed denial-of-service (DDoS) attack has occurred; and 4) reporting to a network monitoring terminal, at the end of each time period, whether an application-layer DDoS attack against the given Web server has occurred.

Description

Denial-of-service attack detection method based on the external connection behavior of a Web communication group
Technical field
The present invention relates to network security technology, and in particular to a denial-of-service attack detection method based on the external connection behavior of a Web communication group.
Background technology
Web services are the most widely used type of application on the Internet, yet because of their social and commercial value, Web servers have also become the foremost attack targets on the Internet. Distributed denial-of-service (DDoS) attacks are among the most serious threats a Web server faces: the attacker uses puppet hosts to consume the computational resources of the target so that it can no longer provide service to legitimate users. The consumed resource may be CPU, memory, bandwidth, a database server, and so on. In recent years DDoS attacks have emerged in an endless stream [1-5]; well-known domestic and foreign websites such as Amazon, eBay, Yahoo, Sina and Baidu have all suffered DDoS attacks, causing great economic losses.
A great deal of research has been carried out on detecting and controlling DDoS attacks [6]. Yet, to evade the continually improving detection and control techniques and still achieve the desired effect, attackers keep updating their attack techniques. DDoS attacks are varied; Mirkovic et al. [6] classify them exhaustively according to attributes such as the address validity of the attack packets and the attack rate. The present invention follows the classification of Xie [7] and Xiao Jun et al. [8] and divides DDoS attacks into two broad classes. Network-layer DDoS attacks send large numbers of junk packets to consume the victim host's processor resources and block its inbound link, as in SYN flooding. Application-layer DDoS attacks establish normal connections and submit large numbers of legitimate service requests to the target server to consume its computational resources, as in HTTP flooding and CyberSlam [9]. At present the means of detecting and controlling network-layer DDoS attacks are comparatively mature, so this class of attack is contained more effectively; when a network-layer DDoS attack cannot achieve the desired result, the attacker tends to adopt an application-layer DDoS attack to evade detection.
In an application-layer DDoS attack, the attacking ends establish TCP connections with the target and send requests that are legitimate on the surface, so traditional network-layer DDoS detection methods no longer apply. Although an application-layer DDoS attack makes traffic rise rapidly, a Flash Crowd produced by a large number of users accessing the site concurrently has similar traffic characteristics, and the two are hard to distinguish. Some researchers have studied the detection and filtering of application-layer DDoS attacks, but most of these methods are suited to deployment at the attacked end and cannot avoid the impact of the attack on the underlying network bandwidth. If the attack data stream could be detected and filtered at the attacked end's border router or on a trunk link, the damage caused by the attack could be reduced effectively.
Summary of the invention
The purpose of the present invention is to remedy the deficiencies of the prior art by providing a denial-of-service attack detection method based on the external connection behavior of a Web communication group. The method regards a Web server together with its clients as a whole (called a communication group in the present invention); by analysing the interaction between this communication group and the outside world, it discovers anomalies in the number of external connection clients and detects the occurrence of an application-layer DDoS attack on that basis. The method does not need to analyse message payloads, has low computational complexity, and is suited to deployment in a backbone network.
To achieve the above object, the present invention adopts the following technical scheme:
In the denial-of-service attack detection method based on the external connection behavior of a Web communication group, the detection steps are as follows:
Step 1: A port mirror is set up on a network device; all network messages passing through the network device are copied and sent to the network monitoring front-end processor, which extracts the communication group of a particular Web server and its external connection behavior and sends them to the detection server;
Step 2: In the detection server, the external connection features of the Web server communication group described in Step 1 are extracted: the number of clients CN and the number CN_MLN of clients connected to multi-external-connection nodes. Let the sequence {x_n} denote, for each time period, the ratio of the number of clients accessing multi-external-connection nodes to the total number of clients, and {y_n} the ratio of the total number of clients to the number of clients accessing multi-external-connection nodes; let {C_n} denote the total number of clients and {M_n} the number of clients accessing multi-external-connection nodes. The values x_n and y_n of the sequences {x_n} and {y_n} in the n-th interval Δt are calculated as:
$$x_n = \frac{M_n}{C_n}, \qquad y_n = \frac{C_n}{M_n}, \qquad n = 1, 2, 3, \ldots$$
Step 3: In the detection server, the improved CUSUM algorithm is used to analyse the external connection features of the Web group and judge whether an attack has occurred. The n-th detection values $Z_n^x$ and $Z_n^y$ of {x_n} and {y_n} are computed by the recursions
$$Z_n^x = \max\{0,\; Z_{n-1}^x + x_n - \delta_n^x - d^x\}, \qquad n = 1, 2, 3, \ldots$$
$$Z_n^y = \max\{0,\; Z_{n-1}^y + y_n - \delta_n^y - d^y\}, \qquad n = 1, 2, 3, \ldots$$
where $\delta_n^x$ and $\delta_n^y$ are the exponentially weighted moving averages (EWMA) of {x_n} and {y_n}; $d^x$ and $d^y$ are offset values chosen so that, under normal conditions, the quantity inside the max stays below 0 and $Z_n^x$, $Z_n^y$ do not accumulate; $Z_{n-1}^x$ is the (n-1)-th detection value of the sequence {x_n} and $Z_{n-1}^y$ the (n-1)-th detection value of {y_n}; $Z_n^x$ is the n-th detection value of {x_n} and is used to detect attacks that involve external connection access behavior; $Z_n^y$ is the n-th detection value of {y_n} and is used to detect DDoS attacks without external connection access;
Step 4: $Z_n^x$ and $Z_n^y$ are compared with their respective thresholds $h^x$ and $h^y$ to judge whether a DDoS attack has occurred;
Step 5: At the end of each time period, whether an application-layer DDoS attack against the specified Web server has occurred is reported to the network monitoring terminal.
In Step 1, the communication group refers to a set of hosts that communicate closely with one another and share the same load characteristics.
In Step 2, the communication group is extracted as follows:
A. Monitor the network link; when a new message is found, extract its source IP address, destination IP address and destination port;
B. Judge whether the destination address is the specified Web server address and the message is a SYN message to destination port 80; if so, go to step C, otherwise go to step E;
C. Judge whether the source IP address is already in the client records; if so, return to step A, otherwise add a client record for this Web server and then return to step A;
D. Judge whether the source IP address or the destination IP address is a client address; if so, go to step E, otherwise return to step A;
E. Judge whether the pair of source IP address and destination IP address already appears in the external connection edge records; if not, add a record, then return to A.
In Step 3, δ_n and d are calculated as follows:
$$\delta_n^x = (1-\alpha)\,\delta_{n-1}^x + \alpha x_n, \qquad \delta_0^x = x_0, \qquad d^x = \mu\,\delta_n^x,$$
$$\delta_n^y = (1-\alpha)\,\delta_{n-1}^y + \alpha y_n, \qquad \delta_0^y = y_0, \qquad d^y = \mu\,\delta_n^y,$$
where $\delta_0^x$ and $\delta_0^y$ are the initial values of the weighted moving averages, $x_0$ and $y_0$ are the initial values of the sequences {x_n} and {y_n}, α is the exponentially weighted moving average (EWMA) coefficient, whose range is 0.01~0.03, and the parameter μ is obtained from statistics of real data.
In Step 4, the decision process is as follows. Let $h^x$ and $h^y$ be the thresholds corresponding to $Z_n^x$ and $Z_n^y$:
(1) if $Z_n^x \le h^x$ and $Z_n^y \le h^y$, the CUSUM accumulation of the first n detection values has not shifted and the detected object is in a normal state;
(2) if $Z_n^x > h^x$ or $Z_n^y > h^y$, the detected object has become abnormal at the n-th detection value, that is, an application-layer DDoS attack has occurred.
Beneficial effects of the present invention: taking the external connection features of the Web communication group as the basis and using the CUSUM method to detect anomalous changes in the external connection feature parameters, the method not only judges the occurrence of abnormal behavior but also accurately distinguishes Flash Crowds from DDoS attacks, and has quite good detection performance for both network-layer and application-layer DDoS attacks. At the same time, the present invention analyses the blind spot of an algorithm that grades by the proportion of external connection messages, and gives an effective solution, namely detecting several multi-external-connection nodes together as a single point. The advantage of the method is that it does not need to analyse message payloads and only needs to construct the connectivity graph of the Web group. The method is suited to detection in the backbone network or in the attacked end's border network, can contain attacks more effectively, and reduces the impact of attacks on the underlying network.
Description of drawings
Fig. 1 is the application scenario diagram;
Fig. 2 is the schematic connectivity diagram of a Web communication group;
Fig. 3 is the flow chart for gathering the communication features of the Web group in the present invention;
Fig. 4 is the flow chart of the detection method of the present invention.
In the figures: 1. router; 2. network monitoring front-end processor; 3. server; 4. monitor terminal.
Embodiment
The invention is further described below in conjunction with the drawings and embodiments:
To counter application-layer DDoS attacks more effectively, an application-layer DDoS attack detection method deployed in the backbone network is designed. The application scenario of this detection method is shown in Fig. 1: a port mirror is set up on a network device such as router 1 or a switch, and all network messages passing through the device are copied and sent to network monitoring front-end processor 2; the front-end processor constructs the Web communication group from the correspondence and sends it to detection server 3; server 3 extracts the external connection behavior features of the Web group, detects shifts in the external connection behavior parameters, judges whether an application-layer DDoS attack is occurring, and reports the occurrence of the attack to network monitoring terminal 4.
Detecting application-layer DDoS attacks in a backbone network faces two challenges. On one hand, it is infeasible to invest large computational resources in parsing the application-layer data of Web communications; on the other hand, the Internet uses dynamic routing, so the same user's access data may travel over different paths, and a single monitoring point cannot observe the complete communication data. Fine-grained DDoS detection methods that analyse user communication in depth are therefore unsuited to deployment in the backbone network, and the present invention detects application-layer DDoS attacks from a higher level, the communication group.
(1) Measuring the Web communication group
A communication group is a set of hosts that communicate closely with one another and share the same load characteristics. A Web server and the clients accessing it together constitute a Web communication group. Some clients, while accessing the Web server, inevitably also communicate with host nodes outside the Web communication group; the present invention calls these outside host nodes external connection nodes, and a connection between a client and an external connection node an external connection. The present invention further divides external connection nodes into multi-external-connection nodes and single-external-connection nodes. If several Web clients connect to a given external connection node, that node is a multi-external-connection node; such nodes generally consist of other servers of the same website or other closely related websites. If only one Web client connects to a given external connection node, that node is a single-external-connection node, usually produced by a user's individual access behavior. The number of nodes communicating with a given node (Web server, client or external connection node) is called the degree of connection of that node.
Fig. 2 is the connectivity diagram of a small Web communication group. The connectivity graph of a Web communication group is an undirected graph: the core node with the most connections is the Web server, the dots are clients connected to the Web server, and the rings are hosts that the clients connect to externally; a host with the same IP address is not repeated in the figure. As Fig. 2 shows, when a computer accesses the Web server it may simultaneously generate traffic to other computers; the present invention calls this communication external connection communication.
The volume of Web communication data in a backbone network is large, and the communication group of the specified Web server must be extracted from it. The concrete steps (see the flow chart in Fig. 3) are:
A. Monitor the network link; when a new message is found, extract its source IP address, destination IP address and destination port;
B. Judge whether the destination address is the specified Web server address and the message is a SYN message to destination port 80; if so, go to step C, otherwise go to step E;
C. Judge whether the source IP address is already in the client records; if so, return to step A, otherwise add a client record for this Web server and then return to step A;
D. Judge whether the source IP address or the destination IP address is a client address; if so, go to step E, otherwise return to step A;
E. Judge whether <source IP address, destination IP address> already appears in the external connection edge records; if not, add a record, then return to A.
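The following is an added example (not the patent's own code) that replays steps A to E over a constructed list of mirrored packets and then derives the group's external connection features CN and CN_MLN. It assumes packets arrive as already extracted (src, dst, dport, syn) tuples, that a message which is not a SYN to the server's port 80 passes the client check of step D before an edge is recorded in step E, and that neither the Web server itself nor another client counts as an external connection node.

```python
"""Communication group extraction (steps A to E) and CN / CN_MLN feature extraction.

Added example, not the patent's own code. Assumptions are stated in the comments.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Packet = Tuple[str, str, int, bool]   # (source IP, destination IP, destination port, SYN flag)


class CommunicationGroup:
    """Client records and external connection edge records for one Web server."""

    def __init__(self, server_ip: str, port: int = 80) -> None:
        self.server = server_ip
        self.port = port
        self.clients: Set[str] = set()               # client records (step C)
        self.edges: Set[Tuple[str, str]] = set()     # <src, dst> edge records (step E)

    def observe(self, src: str, dst: str, dport: int, syn: bool) -> None:
        """Step A supplies the fields of one new message; steps B to E decide what to record."""
        # Step B: a SYN to the specified server on port 80 identifies a client.
        if dst == self.server and dport == self.port and syn:
            # Step C: a set adds the client record only if the source is not already known.
            self.clients.add(src)
            return
        # Step D (assumed to precede E): only messages with a known client at either end matter.
        if src in self.clients or dst in self.clients:
            # Step E: record the <src, dst> external connection edge once.
            self.edges.add((src, dst))

    def external_nodes(self) -> Dict[str, Set[str]]:
        """Map each external connection node to the set of clients connected to it.
        Assumption: the server and other clients are not external connection nodes."""
        peers: Dict[str, Set[str]] = defaultdict(set)
        for src, dst in self.edges:
            for client, peer in ((src, dst), (dst, src)):
                if client in self.clients and peer != self.server and peer not in self.clients:
                    peers[peer].add(client)
        return dict(peers)

    def multi_external_nodes(self) -> Set[str]:
        """External nodes reached by more than one client (multi-external-connection nodes)."""
        return {node for node, cs in self.external_nodes().items() if len(cs) >= 2}

    def features(self) -> Tuple[int, int]:
        """(CN, CN_MLN): total clients, and clients attached to at least one multi node."""
        nodes = self.external_nodes()
        multi_clients: Set[str] = set()
        for node in self.multi_external_nodes():
            multi_clients |= nodes[node]
        return len(self.clients), len(multi_clients)


def build_group(packets: Iterable[Packet], server_ip: str) -> CommunicationGroup:
    """Replay mirrored packets in arrival order through steps A to E."""
    group = CommunicationGroup(server_ip)
    for src, dst, dport, syn in packets:
        group.observe(src, dst, dport, syn)
    return group


# Constructed sample using documentation address ranges; not captured traffic.
WEB_SERVER = "203.0.113.10"
CDN_NODE = "198.51.100.7"      # reached by three clients: a multi-external-connection node
SINGLE_NODE = "198.51.100.8"   # reached by one client: a single-external-connection node
SAMPLE_PACKETS: List[Packet] = [
    ("192.0.2.1", WEB_SERVER, 80, True),     # step B/C: new client record
    ("192.0.2.2", WEB_SERVER, 80, True),
    ("192.0.2.1", WEB_SERVER, 80, True),     # repeated SYN: step C adds nothing
    ("192.0.2.3", WEB_SERVER, 80, True),
    ("192.0.2.4", WEB_SERVER, 80, True),
    ("192.0.2.5", WEB_SERVER, 80, True),
    ("192.0.2.1", WEB_SERVER, 80, False),    # data to the server: edge recorded, not external
    ("192.0.2.1", CDN_NODE, 443, False),     # external connections of the clients
    (CDN_NODE, "192.0.2.1", 51234, False),   # reply direction, recorded as its own edge
    ("192.0.2.2", CDN_NODE, 443, False),
    ("192.0.2.3", CDN_NODE, 443, False),
    ("192.0.2.4", SINGLE_NODE, 443, False),
    ("198.51.100.9", CDN_NODE, 443, False),  # neither end is a client: step D drops it
    ("192.0.2.1", CDN_NODE, 443, False),     # duplicate edge: step E adds nothing
]

if __name__ == "__main__":
    g = build_group(SAMPLE_PACKETS, WEB_SERVER)
    cn, cn_mln = g.features()
    print(f"CN={cn} CN_MLN={cn_mln} x_n={cn_mln / cn:.2f} multi nodes={g.multi_external_nodes()}")
```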
(2) Extracting the external connection features of the Web group
To detect a DDoS attack, feature parameters that distinguish normal access from abnormal access must be extracted. The communication data of a DDoS puppet host during an attack consists of two parts: the attack messages sent to the target host, and the individual access behavior of the puppet host's actual user. A user's individual access behavior usually forms single-external-connection nodes and seldom forms multi-external-connection nodes of the Web group. When an attack occurs, the number of clients of the Web group rises sharply, the number of clients connected to single-external-connection nodes rises roughly in proportion, and the number of clients connected to multi-external-connection nodes does not rise substantially. Let the sequence {x_n} denote, for each time period, the ratio of the number of clients accessing multi-external-connection nodes to the total number of clients, {C_n} the total number of clients, and {M_n} the number of clients accessing multi-external-connection nodes. Suppose an attack begins at moment n+1 (n has the same meaning throughout the present invention: n is a natural number, n = 1, 2, 3, ...), the number of attack ends is A, and the number of normal clients is R_{n+1}. Then
$$x_n = \frac{M_n}{C_n}$$
$$x_{n+1} = \frac{M_{n+1}}{C_{n+1}} = \frac{M_{n+1}}{R_{n+1} + A}$$
It cannot be ruled out that, to hide the attack better, some attackers keep a small number of external connection access requests mixed in among the request messages. Besides markedly increasing the number of clients of the Web group, this access behavior also markedly increases the number of clients accessing multi-external-connection nodes. Let L_{n+1} denote the number of attack ends accessing multi-external-connection nodes; then
$$x_{n+1} = \frac{L_{n+1} + M_A}{R_{n+1} + A}$$
In this case the change in the ratio of the number of clients accessing multi-external-connection nodes to the total number of clients is uncertain, being influenced by factors such as how often the external connection access behavior occurs and the measurement time interval. When M_A/A is greater than L_{n+1}/R_{n+1} the sequence shifts upward; when M_A/A is less than L_{n+1}/R_{n+1} it shifts downward.
Combining the above analysis, the present invention detects upward shifts in the sequences
$$x_n = \frac{M_n}{C_n} \quad \text{and} \quad y_n = \frac{C_n}{M_n}, \qquad n = 1, 2, 3, \ldots$$
respectively: an upward shift of {x_n} indicates an attack that involves external connection access behavior, and an upward shift of {y_n} indicates a DDoS attack without external connections.
(3) Anomaly detection with the improved CUSUM algorithm
The CUSUM algorithm is a sequential method among the change-point detection methods and can detect a change in the mean of a statistical process. For a particular Web communication group, the ratio sequences {x_n = M_n/C_n} and {y_n = C_n/M_n} of the number of clients M connected to multi-external-connection nodes and the total number of clients C serve as the basis for DDoS attack detection in the present invention. For ease of computation and to reduce the overhead of online detection, the present invention uses the recursive form of the non-parametric CUSUM algorithm (with an indefinite parameter k replacing δ/2):
$$Z_n = \max\{0,\; Z_{n-1} + X_n - k\}, \qquad n = 1, 2, 3, \ldots$$
If a threshold h > 0 is chosen in advance, $Z_{n-1} \le h$ means that the mean of the first n-1 detection values has not shifted and the detected object is in a normal state; if some $Z_n > h$, the detected object has become abnormal.
In the non-parametric CUSUM algorithm, the balance between the false alarm rate and the detection time is achieved by choosing the parameters k and h. The larger k is, the smaller the chance of positive values appearing in {Z_n}, and hence the smaller the chance of accumulating to a large value and discovering an attack. h is the attack threshold; the larger h is, the lower the false alarm rate, but the longer the detection time. To adapt better to the complexity and dynamics of the network environment, the present invention improves the CUSUM algorithm; the recursion for an upward shift is
$$Z_n = \max\{0,\; Z_{n-1} + X_n - \delta_n - d\}, \qquad n = 1, 2, 3, \ldots$$
where δ_n is the exponentially weighted moving average (EWMA) of {x_n} and d is an offset value that keeps the quantity inside the max below 0 under normal conditions, so that Z_n does not accumulate. δ_n is calculated as
$$\delta_n = (1-\alpha)\,\delta_{n-1} + \alpha X_n, \qquad \delta_0 = X_0$$
To adapt to the dynamic changes of the network without raising the missed-alarm rate, the EWMA factor α is small, in the range 0.01~0.03. According to the jitter of {x_n} and {y_n} caused by attacks, one can set d = μδ_n and h = λδ_n, where the parameter μ is obtained from statistics of real data. The choice of the parameter λ depends on the user's tolerance of false alarms and the detection time the user expects; its range may be 1~10. For example, with λ = 2, an attack whose shift reaches 50% of the mean is detected in no more than 4 time intervals, and an attack whose shift reaches 10% of the mean in no more than 20 time slots.
The processing steps of the anomaly detection method (see the flow chart in Fig. 4) are:
1) A port mirror is set up on the network device, and all network messages passing through the device are copied and sent to the attack detection front-end processor;
2) The attack detection front-end processor extracts the communication group of the particular Web server and its external connection behavior and sends them to the attack detection server;
3) The attack detection server counts the external connection behavior parameters of the Web communication group, namely the number CN_MLN of clients connected to multi-external-connection nodes and the total number of clients CN, monitors the shift of the ratio of the two parameters with the improved CUSUM algorithm, and judges on that basis whether an application-layer DDoS attack has occurred;
4) At the end of each time period, whether an application-layer DDoS attack against the specified Web server has occurred is reported to the network monitoring terminal.
In step 3), the process of monitoring the shift of the ratio of the two parameters with the improved CUSUM algorithm and judging on that basis whether an application-layer DDoS attack has occurred is as follows. The n-th detection values $Z_n^x$ and $Z_n^y$ of {x_n} and {y_n} are computed by the recursions
$$Z_n^x = \max\{0,\; Z_{n-1}^x + x_n - \delta_n^x - d^x\}, \qquad n = 1, 2, 3, \ldots$$
$$Z_n^y = \max\{0,\; Z_{n-1}^y + y_n - \delta_n^y - d^y\}, \qquad n = 1, 2, 3, \ldots$$
$Z_n^x$ and $Z_n^y$ are compared with their respective thresholds $h^x$ and $h^y$:
(1) if $Z_n^x \le h^x$ and $Z_n^y \le h^y$, the CUSUM accumulation of the first n detection values has not shifted, the detected object is in a normal state, and detection continues;
(2) if $Z_n^x > h^x$ or $Z_n^y > h^y$, the detected object has become abnormal at the n-th detection value, that is, a DDoS attack has occurred.
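The following is an added example (not the patent's own code) that runs the improved CUSUM of section (3) and of step 3) above on both ratio sequences and applies the two decision rules, using constructed per-period client counts. It assumes α = 0.02, λ = 2 and μ = 0.5 (the page gives α in 0.01~0.03, λ in 1~10 and μ from measured data), Z_0 = 0, and treats a period with no clients attached to multi-external-connection nodes as having one so that y_n stays defined.

```python
"""Improved CUSUM detector over x_n = M_n/C_n and y_n = C_n/M_n.

Added example, not the patent's own code. Assumed demo parameters: alpha = 0.02,
mu = 0.5, lambda = 2; Z_0 = 0.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CusumChannel:
    """One-sided improved CUSUM over one ratio sequence:
    Z_n = max{0, Z_{n-1} + X_n - delta_n - d} with d = mu*delta_n and h = lambda*delta_n."""
    alpha: float                     # EWMA coefficient
    mu: float                        # offset factor, d = mu * delta_n
    lam: float                       # threshold factor, h = lambda * delta_n
    delta: Optional[float] = None    # EWMA delta_n; delta_0 = first observation X_0
    z: float = 0.0                   # accumulated statistic Z_n (Z_0 = 0, assumed)

    def update(self, value: float) -> Tuple[float, float, bool]:
        """Feed X_n; return (Z_n, h_n, alarm) where alarm means Z_n > h_n."""
        if self.delta is None:
            self.delta = value       # delta_0 = X_0: the first sample seeds the EWMA
        else:
            self.delta = (1.0 - self.alpha) * self.delta + self.alpha * value
        d = self.mu * self.delta
        h = self.lam * self.delta
        self.z = max(0.0, self.z + value - self.delta - d)
        return self.z, h, self.z > h


class GroupDetector:
    """One channel on {x_n} (attack with external access) and one on {y_n}
    (attack without external access); one observation per time period."""

    def __init__(self, alpha: float = 0.02, mu: float = 0.5, lam: float = 2.0) -> None:
        self.x_chan = CusumChannel(alpha, mu, lam)
        self.y_chan = CusumChannel(alpha, mu, lam)
        self.n = 0

    def observe(self, cn: int, cn_mln: int) -> Dict[str, object]:
        """cn = total clients CN, cn_mln = clients on multi-external-connection nodes CN_MLN,
        both counted over one period. Returns this period's statistics and verdict."""
        self.n += 1
        # Assumption: a count of 0 is treated as 1 so both ratios stay defined
        # (the page does not cover an empty period).
        c = max(cn, 1)
        m = max(cn_mln, 1)
        x, y = m / c, c / m
        zx, hx, x_alarm = self.x_chan.update(x)
        zy, hy, y_alarm = self.y_chan.update(y)
        if x_alarm and y_alarm:
            verdict = "attack"
        elif x_alarm:
            verdict = "attack_with_external_access"
        elif y_alarm:
            verdict = "attack_without_external_access"
        else:
            verdict = "normal"
        return {"n": self.n, "x": x, "y": y, "zx": zx, "hx": hx,
                "zy": zy, "hy": hy, "verdict": verdict}


def run_detector(intervals: List[Tuple[int, int]], **params) -> List[Dict[str, object]]:
    """Replay per-period (CN, CN_MLN) counts through a fresh detector."""
    det = GroupDetector(**params)
    return [det.observe(cn, cn_mln) for cn, cn_mln in intervals]


def first_alarm(results: List[Dict[str, object]]) -> Optional[Tuple[int, str]]:
    """(period index, verdict) of the first non-normal period, or None."""
    for r in results:
        if r["verdict"] != "normal":
            return int(str(r["n"])), str(r["verdict"])
    return None


# Constructed per-period counts, not measured data: 20 quiet periods with about 100
# clients of which about 20 touch multi-external-connection nodes (x ~ 0.2, y ~ 5).
NORMAL_PERIODS = [(100, 20), (104, 21), (97, 19), (101, 20), (99, 20),
                  (103, 21), (96, 19), (100, 20), (102, 20), (98, 20)] * 2
# Bots that never touch multi nodes: CN jumps, CN_MLN does not, so y_n shifts upward.
FLOOD_NO_EXTERNAL = NORMAL_PERIODS + [(1000, 20)] * 5
# Bots that mix in accesses to multi nodes: CN_MLN grows faster than CN, so x_n shifts upward.
FLOOD_WITH_EXTERNAL = NORMAL_PERIODS + [(1000, 600)] * 5

if __name__ == "__main__":
    for name, data in (("quiet", NORMAL_PERIODS), ("flood, no external", FLOOD_NO_EXTERNAL),
                       ("flood, external mixed in", FLOOD_WITH_EXTERNAL)):
        print(f"{name:26s} first alarm: {first_alarm(run_detector(data))}")
```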
References used herein:
[1] Wortham, Jenna; Kramer, Andrew E. Professor Main Target of Assault on Twitter, New York Times, 2009-08-07;
[2] Garda inquiry under way into alleged attacks on CAO website, The Irish Times, 2010-08-28;
[3] Shachtman, Noah. Activists Launch Hack Attacks on Tehran Regime, Wired, 2009-06-15;
[4] Factsheet - Root server attack on 6 February 2007. ICANN. 2007-03-01. Retrieved 2009-08-01;
[5] http://net.chinabyte.com/519DNS/
[6] J. Mirkovic, P. Reiher. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communication Review, 2004, 34(2):39-54;
[7] Y. Xie and S. Yu. A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors. IEEE/ACM Transactions on Networking, 17(1):54-65, 2009;
[8] Xiao Jun, Yun Xiaochun, Zhang Yongzheng. Application-layer distributed denial of service attack filtering based on a session anomaly-degree model, Chinese Journal of Computers, 2010, 33(9);
[9] S. Kandula, D. Katabi, M. Jacob, and A. W. Berger. Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds, MIT, Tech. Rep. TR-969, 2004 [Online]. Available: http://www.usenix.org/events/nsdi05/tech/kandula/kandula.pdf

Claims (5)

1. A denial-of-service attack detection method based on the external connection behavior of a Web communication group, characterized in that the detection steps of the method are as follows:
Step 1: A port mirror is set up on a network device; all network messages passing through the network device are copied and sent to the network monitoring front-end processor, which extracts the communication group of the Web server and its external connection behavior and sends them to the detection server;
Step 2: In the detection server, the external connection features of the Web server communication group described in Step 1 are extracted: the number of clients CN and the number CN_MLN of clients connected to multi-external-connection nodes. Let the sequence {x_n} denote, for each time period, the ratio of the number of clients accessing multi-external-connection nodes to the total number of clients, and {y_n} the ratio of the total number of clients to the number of clients accessing multi-external-connection nodes; let {C_n} denote the total number of clients and {M_n} the number of clients accessing multi-external-connection nodes. The values x_n and y_n of the sequences {x_n} and {y_n} in the n-th interval Δt are calculated as:
$$x_n = \frac{M_n}{C_n}, \qquad y_n = \frac{C_n}{M_n}, \qquad n = 1, 2, 3, \ldots$$
Step 3: In the detection server, the improved CUSUM algorithm is used to analyse the external connection features of the Web group and judge whether an attack has occurred. The n-th detection values $Z_n^x$ and $Z_n^y$ of {x_n} and {y_n} are computed by the recursions
$$Z_n^x = \max\{0,\; Z_{n-1}^x + x_n - \delta_n^x - d^x\}, \qquad n = 1, 2, 3, \ldots$$
$$Z_n^y = \max\{0,\; Z_{n-1}^y + y_n - \delta_n^y - d^y\}, \qquad n = 1, 2, 3, \ldots$$
where $\delta_n^x$ and $\delta_n^y$ are the exponentially weighted moving averages (EWMA) of {x_n} and {y_n}; $d^x$ and $d^y$ are offset values chosen so that, under normal conditions, the quantity inside the max stays below 0 and $Z_n^x$, $Z_n^y$ do not accumulate; $Z_{n-1}^x$ is the (n-1)-th detection value of the sequence {x_n} and $Z_{n-1}^y$ the (n-1)-th detection value of {y_n}; $Z_n^x$ is the n-th detection value of {x_n} and is used to detect attacks that involve external connection access behavior; $Z_n^y$ is the n-th detection value of {y_n} and is used to detect DDoS attacks without external connection access;
Step 4: $Z_n^x$ and $Z_n^y$ are compared with their respective thresholds $h^x$ and $h^y$ to judge whether a DDoS attack has occurred;
Step 5: At the end of each time period, whether an application-layer DDoS attack against the specified Web server has occurred is reported to the network monitoring terminal.
2. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step 1, the communication group refers to a set of hosts that communicate closely with one another and share the same load characteristics.
3. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step 2, the communication group is extracted as follows:
A. Monitor the network link; when a new message is found, extract its source IP address, destination IP address and destination port;
B. Judge whether the destination address is the specified Web server address and the message is a SYN message to destination port 80; if so, go to step C, otherwise go to step E;
C. Judge whether the source IP address is already in the client records; if so, return to step A, otherwise add a client record for this Web server and then return to step A;
D. Judge whether the source IP address or the destination IP address is a client address; if so, go to step E, otherwise return to step A;
E. Judge whether the pair of source IP address and destination IP address already appears in the external connection edge records; if not, add a record, then return to A.
4. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step 3, δ_n and d are calculated as follows:
$$\delta_n^x = (1-\alpha)\,\delta_{n-1}^x + \alpha x_n, \qquad \delta_0^x = x_0, \qquad d^x = \mu\,\delta_n^x,$$
$$\delta_n^y = (1-\alpha)\,\delta_{n-1}^y + \alpha y_n, \qquad \delta_0^y = y_0, \qquad d^y = \mu\,\delta_n^y,$$
where $\delta_0^x$ and $\delta_0^y$ are the initial values of the weighted moving averages, $x_0$ and $y_0$ are the initial values of the sequences {x_n} and {y_n}, α is the exponentially weighted moving average (EWMA) coefficient, whose range is 0.01~0.03, and the parameter μ is obtained from statistics of real data.
5. The denial-of-service attack detection method based on the external connection behaviour of a Web communication group according to claim 1, characterized in that in said Step 4 the decision process is as follows: for $Z_n^x$ and $Z_n^y$ the corresponding threshold values are [two threshold expressions given as formula images in the original, not reproduced here];
(1) if [condition on $Z_n^x$ against its threshold, formula image] and [condition on $Z_n^y$ against its threshold, formula image], the CUSUM accumulation of the first n detected values has not shifted, and the detected object is in a normal state;
(2) if [condition on $Z_n^x$ against its threshold, formula image] or [condition on $Z_n^y$ against its threshold, formula image], the detected object has become abnormal at the n-th detected value, that is, an application-layer DDoS attack has occurred.
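Claims 4 and 5 together describe an adaptive threshold $d = \mu\,\delta_n$ derived from an EWMA baseline and a two-statistic decision rule. The block below is an added example, not the patent's or the applicant's code, that implements both over constructed series. The CUSUM recursion that produces $Z_n^x$ and $Z_n^y$ is not reproduced on this page, so the standard one-sided form $Z_n = \max(0,\,Z_{n-1} + x_n - d)$ is assumed; the value of $\mu$, the thresholds $h_x$ and $h_y$, and the input series are all constructed, while $\alpha$ is taken from the claim's 0.01~0.03 range.

```python
"""Added example (not the patent's own code): the EWMA baseline of claim 4
feeding the two-series threshold decision of claim 5.

Assumption: the CUSUM recursion is not reproduced on this page, so the
standard one-sided form Z_n = max(0, Z_{n-1} + x_n - d) is used here, with
d = mu * delta_n taken from claim 4. The input series, mu and the
thresholds h_x, h_y are all constructed values."""
from typing import List, Optional, Sequence, Tuple

ALPHA = 0.02  # EWMA coefficient, inside the 0.01~0.03 range of claim 4
MU = 1.3      # constructed; the claim fits mu from statistics of real data


def ewma_baseline(series: Sequence[float], alpha: float = ALPHA, mu: float = MU) -> List[float]:
    """d_n = mu * delta_n, with delta_n = (1-alpha)*delta_{n-1} + alpha*x_n and delta_0 = x_0."""
    delta = series[0]
    ds = [mu * delta]
    for x in series[1:]:
        delta = (1 - alpha) * delta + alpha * x
        ds.append(mu * delta)
    return ds


def cusum(series: Sequence[float], ds: Sequence[float]) -> List[float]:
    """One-sided CUSUM statistic Z_n accumulating the excess of x_n over d_n (assumed form)."""
    z = 0.0
    zs: List[float] = []
    for x, d in zip(series, ds):
        z = max(0.0, z + (x - d))
        zs.append(z)
    return zs


def decisions(xs: Sequence[float], ys: Sequence[float], h_x: float, h_y: float) -> List[bool]:
    """Claim 5 rule for each n: both statistics within threshold -> normal (False);
    either statistic above its threshold -> application-layer DDoS attack (True)."""
    z_x = cusum(xs, ewma_baseline(xs))
    z_y = cusum(ys, ewma_baseline(ys))
    return [zx > h_x or zy > h_y for zx, zy in zip(z_x, z_y)]


def first_alarm(xs: Sequence[float], ys: Sequence[float], h_x: float, h_y: float) -> Optional[int]:
    """Index n of the first detected value flagged as an attack, or None if never flagged."""
    return next((n for n, flag in enumerate(decisions(xs, ys, h_x, h_y)) if flag), None)


def constructed_series() -> Tuple[List[float], List[float]]:
    """Constructed input: 20 normal samples with small deterministic jitter,
    then 10 samples in which x jumps to 3.0 while y stays normal."""
    jitter = [0.1 * (((i * 7) % 5) - 2) / 2 for i in range(30)]
    xs = [1.0 + jitter[i] if i < 20 else 3.0 for i in range(30)]
    ys = [2.0 + jitter[i] for i in range(30)]
    return xs, ys


if __name__ == "__main__":
    xs, ys = constructed_series()
    print("first alarm at n =", first_alarm(xs, ys, 4.0, 4.0))
```

With these values the x statistic stays at zero through the normal phase, starts accumulating at n = 20 and crosses the threshold of 4.0 at n = 22, while the y statistic never leaves zero; the alarm therefore comes from the "or" branch of claim 5. Two design points follow from the formulas: a small $\alpha$ makes $\delta_n$ lag a sudden change, which is what lets $Z_n$ grow, but because $\delta_n$ keeps absorbing the attack samples the threshold $d$ eventually rises to meet them, so a slow, gradual shift in the monitored ratio can be absorbed into the baseline rather than detected. The thresholds on $Z_n^x$ and $Z_n^y$ are the knob that trades detection delay against false alarms, and the claim leaves their derivation to the formula images not reproduced here.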

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110199063 CN102238047B (en) 2011-07-15 2011-07-15 Denial-of-service attack detection method based on external connection behaviors of Web communication group

Publications (2)

Publication Number Publication Date
CN102238047A true CN102238047A (en) 2011-11-09
CN102238047B CN102238047B (en) 2013-10-16

Family

ID=44888292

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110199063 Expired - Fee Related CN102238047B (en) 2011-07-15 2011-07-15 Denial-of-service attack detection method based on external connection behaviors of Web communication group

Country Status (1)

Country Link
CN (1) CN102238047B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
WO2009140878A1 (en) * 2008-05-23 2009-11-26 成都市华为赛门铁克科技有限公司 Method, network apparatus and network system for defending distributed denial of service ddos attack
CN101980506A (en) * 2010-10-29 2011-02-23 北京航空航天大学 Flow characteristic analysis-based distributed intrusion detection method
CN102123136A (en) * 2010-12-26 2011-07-13 广州大学 Method for identifying DDoS (distributed denial of service) attack flow

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张永铮 (Zhang Yongzheng) et al.: "DDoS攻击检测和控制" (DDoS attack detection and control), 《软件学报》 (Journal of Software), 2012-05-21 *
王风宇 (Wang Fengyu) et al.: "多时间尺度同步的网络异常检测方法" (A network anomaly detection method with multi-time-scale synchronization), 《通信学报》 (Journal on Communications), 2007-12-25, pp. 21-27 *
肖军 (Xiao Jun) et al.: "基于会话异常模型的应用层分布式拒绝服务攻击过滤" (Application-layer distributed denial-of-service attack filtering based on a session anomaly model), 《计算机学报》 (Chinese Journal of Computers), 2010-09-15, vol. 33, no. 9, pp. 1713-1724 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device
CN106027577B (en) * 2016-08-04 2019-04-30 四川无声信息技术有限公司 A kind of abnormal access behavioral value method and device
CN108337254A (en) * 2018-01-30 2018-07-27 杭州迪普科技股份有限公司 A kind of method and apparatus of protection mixed type ddos attack
CN108337254B (en) * 2018-01-30 2020-12-29 杭州迪普科技股份有限公司 Method and device for protecting hybrid DDoS attack
CN109257384A (en) * 2018-11-14 2019-01-22 济南百纳瑞信息技术有限公司 Application layer ddos attack recognition methods based on access rhythm matrix
CN109257384B (en) * 2018-11-14 2020-12-04 济南百纳瑞信息技术有限公司 Application layer DDoS attack identification method based on access rhythm matrix

Also Published As

Publication number Publication date
CN102238047B (en) 2013-10-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131016

Termination date: 20140715

EXPY Termination of patent right or utility model