CN102238047B - Denial-of-service attack detection method based on external connection behaviors of Web communication group

Info

Publication number: CN102238047B
Authority: CN (China)
Prior art keywords: attack, address, web, communication group, outreaches
Legal status: Expired - Fee Related
Application number: CN 201110199063
Other languages: Chinese (zh)
Other versions: CN102238047A (en)
Inventors: 王风宇, 郭山清, 林丰波, 龚斌, 胡毅
Current assignee: Shandong University
Original assignee: Shandong University
Priority date: 2011-07-15
Filing date: 2011-07-15
Publication date: 2011-11-09 (CN102238047A), 2013-10-16 (CN102238047B)

Abstract

The invention discloses a distributed denial-of-service attack detection method based on the external connection behaviors of a Web communication group. The method comprises the following steps: 1) setting up port mirroring on a network device and copying all network packets passing through the device to an attack detection front-end processor; 2) using the attack detection front-end processor to extract the communication group of a given Web server together with the external connection behaviors of that group, and transmitting both to an attack detection server; 3) using the attack detection server to count the external connection behavior parameters, namely the number CN_MLN of clients connected to multi-external-connection nodes and the total number CN of clients of the Web communication group, and monitoring the offset of the ratio of these two parameters with an improved cumulative sum (CUSUM) algorithm in order to judge from the offset whether an application-layer distributed denial-of-service (DDoS) attack is occurring; and 4) reporting to a network monitoring terminal, at the end of each time period, whether an application-layer DDoS attack on the given Web server has occurred.

Description

Denial-of-service attack detection method based on the external connection behavior of a Web communication group
Technical field
The present invention relates to network security technology, and in particular to a denial-of-service attack detection method based on the external connection behavior of a Web communication group.
Background technology
Web services are the most widely used type of application on the Internet, yet because of their social and commercial importance, Web servers have also become the primary attack targets on the Internet. Distributed denial-of-service (DDoS) attacks are one of the most serious threats facing Web servers. In a DDoS attack the attacker uses puppet hosts to consume the computational resources of the target and prevent it from providing service to legitimate users. The consumed resources may be CPU, memory, bandwidth, database servers and so on. In recent years DDoS attacks have emerged in an endless stream [1-5]; well-known websites at home and abroad such as Amazon, eBay, Yahoo, Sina and Baidu have all suffered DDoS attacks, causing great economic losses.
A large amount of research has been carried out on DDoS detection and control [6]. However, to evade continually improving DDoS detection and control techniques and still achieve the desired attack effect, attackers keep updating their attack techniques. DDoS attacks are varied; Mirkovic et al. [6] classified them exhaustively according to attributes such as the address validity of the attack packets and the attack rate. The present invention follows the classification of Xie [7] and Xiao Jun et al. [8] and divides DDoS attacks into two broad classes: network-layer DDoS attacks, which send large numbers of junk packets to consume the victim host's processor resources and block its inbound link, such as SYN flooding; and application-layer DDoS attacks, which establish normal connections and submit large numbers of legitimate service requests to the target server to consume its computational resources, such as HTTP flooding and CyberSlam [9]. At present the means for detecting and controlling network-layer DDoS attacks are relatively mature, so this class of attack has been contained more effectively. When a network-layer DDoS attack cannot obtain the desired result, attackers tend to turn to application-layer DDoS attacks to evade detection.
In an application-layer DDoS attack the attacking hosts establish TCP connections with the target and send requests that are legitimate on the surface, so traditional network-layer DDoS detection methods no longer apply. Although an application-layer DDoS attack makes traffic increase rapidly, a Flash Crowd caused by a large number of users accessing the server at the same time has similar traffic characteristics, and the two are difficult to distinguish. Researchers have already carried out some work on detecting and filtering application-layer DDoS attacks, but most of these methods are suited to deployment at the attacked end and cannot prevent the attack from affecting the underlying network bandwidth. If the attack data stream could be detected and filtered at the border router of the attacking end or on a trunk link, the damage caused by the attack could be reduced effectively.
Summary of the invention
The purpose of the present invention is to remedy the deficiencies of the prior art by providing a denial-of-service attack detection method based on the external connection behavior of a Web communication group. The method treats the Web server and its clients as a whole (called the communication group in the present invention), analyzes the interaction between this communication group and the outside world in order to discover anomalies in the number of external connections (outreaches), and detects the occurrence of application-layer DDoS attacks accordingly. The method does not need to analyze packet payloads, has low computational complexity and is suitable for deployment in the backbone network.
To achieve the above object, the present invention adopts the following technical scheme:
In the denial-of-service attack detection method based on the external connection behavior of a Web communication group, the detection steps are as follows:
Step1: port mirroring is set up on a network device; all network packets flowing through the device are copied and sent to the network monitoring front-end processor, which extracts the communication group of the specified Web server and its outreach behavior and sends them to the detection server;
Step2: in the detection server, the outreach features of the Web server communication group of Step1 are extracted: the number of clients CN_MLN connected to multi-outreach nodes and the total number of clients CN. The sequence {x_n} denotes, in each time period, the ratio of the number of clients accessing multi-outreach nodes to the total number of clients, and {y_n} denotes the ratio of the total number of clients to the number of clients accessing multi-outreach nodes; {C_n} denotes the total number of clients and {M_n} the number of clients accessing multi-outreach nodes. The values x_n and y_n of the sequences {x_n} and {y_n} in the n-th interval Δt are calculated as:
$$x_n = \frac{M_n}{C_n},\quad y_n = \frac{C_n}{M_n},\quad n = 1, 2, 3, \dots$$
Step3: in the detection server, the improved CUSUM algorithm is used to analyze the outreach features of the Web group and judge whether an attack has occurred; the n-th detection values Z_n^x and Z_n^y corresponding to {x_n} and {y_n} are calculated with the following recurrences:
$$Z_n^x = \max\{0,\; Z_{n-1}^x + x_n - \delta_n^x - d_x\},\quad n = 1, 2, 3, \dots$$
$$Z_n^y = \max\{0,\; Z_{n-1}^y + y_n - \delta_n^y - d_y\},\quad n = 1, 2, 3, \dots$$
where δ_n^x and δ_n^y are the exponentially weighted moving averages (EWMA) of {x_n} and {y_n} respectively; d_x and d_y are offset values that make Z_n^x and Z_n^y respectively less than 0 under normal conditions, so that the statistics do not accumulate; Z_{n-1}^x is the (n-1)-th detection value of the sequence {x_n} and Z_{n-1}^y the (n-1)-th detection value of the sequence {y_n}; Z_n^x is the n-th detection value of {x_n} and is used to detect attacks that include outreach access behavior; Z_n^y is the n-th detection value of {y_n} and is used to detect DDoS attacks without outreach access;
Step4: Z_n^x and Z_n^y are compared with their corresponding thresholds h^x and h^y respectively to judge whether a DDoS attack has occurred;
Step5: at the end of each time period, whether an application-layer DDoS attack on the specified Web server has occurred is reported to the network monitoring terminal.
In Step1, the communication group refers to a set of hosts that communicate closely with each other and have the same load characteristics.
In Step2, the process of extracting the communication group is as follows:
A. monitor the network link; when a new packet is found, extract its source IP address, destination IP address and destination port;
B. judge whether the packet is a SYN packet whose destination address is the specified Web server address and whose destination port is port 80; if so, go to step C, otherwise go to step D;
C. judge whether its source IP address is already in the client records; if so, return to step A, otherwise add a client record for this Web server and then return to step A;
D. judge whether its source IP address or destination IP address is a client address; if so, go to step E, otherwise return to step A;
E. judge whether the source IP address and destination IP address already appear in the outreach edge records; if not, add a record; return to step A.
In Step3, δ_n and d are calculated as follows:
$$\delta_n^x = (1-\alpha)\,\delta_{n-1}^x + \alpha x_n,\quad \delta_0^x = x_0,\quad d_x = \mu\,\delta_n^x,$$
$$\delta_n^y = (1-\alpha)\,\delta_{n-1}^y + \alpha y_n,\quad \delta_0^y = y_0,\quad d_y = \mu\,\delta_n^y,$$
where δ_0^x and δ_0^y are the initial values of the weighted moving averages, x_0 and y_0 are the initial values of the sequences {x_n} and {y_n}, α is the exponentially weighted moving average (EWMA) coefficient, in the range 0.01~0.03, and the parameter μ is obtained from statistics of real data.
In Step4, the decision process is as follows: for Z_n^x and Z_n^y with corresponding thresholds h^x and h^y,
(1) if Z_n^x ≤ h^x and Z_n^y ≤ h^y, the CUSUM accumulated up to the n-th detection value has not shifted and the detected object is in a normal state;
(2) if Z_n^x > h^x or Z_n^y > h^y, the detected object has become anomalous at the n-th detection value, that is, an application-layer DDoS attack has occurred.
Beneficial effects of the present invention: taking the outreach features of the Web communication group as the basis, the CUSUM method is used to detect anomalous variation of the outreach feature parameters. This not only judges the occurrence of abnormal behavior but also accurately distinguishes a Flash Crowd from a DDoS attack, and gives good detection results for both network-layer and application-layer DDoS attacks. At the same time, by converting the outreach packet proportion, the present invention analyzes the blind spot of the existing algorithm and gives an effective solution, namely performing single-point detection on multiple outreach nodes simultaneously. The advantage of this detection method is that it does not need to analyze packet payloads; it only needs to construct the connectivity graph of the Web group. The method is suitable for detection in the backbone network or in the border network at the attacking end, can contain attacks more effectively, and reduces the impact of attacks on the underlying network.
Description of drawings
Fig. 1 is the application scenario diagram;
Fig. 2 is the connectivity schematic diagram of a Web communication group;
Fig. 3 is the flow chart for counting the communication features of the Web group in the present invention;
Fig. 4 is the flow chart of the detection method of the present invention.
In the figures: 1. router, 2. network monitoring front-end processor, 3. server, 4. monitoring terminal.
Embodiment
The invention is further described below with reference to the drawings and the embodiment:
To counter application-layer DDoS attacks more effectively, an application-layer DDoS attack detection method deployed in the backbone network was designed. The application scenario of this detection method is shown in Fig. 1: port mirroring is set up on a network device such as router 1 or a switch, and all network packets flowing through the device are copied and sent to the network monitoring front-end processor 2; the front-end processor constructs the Web communication group from the correspondence relations and sends it to the detection server 3; server 3 extracts the outreach behavior features of the Web group, detects offsets of the outreach behavior parameters, judges whether an application-layer DDoS attack is occurring, and reports the occurrence of an attack to the network monitoring terminal 4.
Detecting application-layer DDoS attacks in the backbone network faces two challenges. On the one hand, investing large amounts of computational resources to parse the application-layer data of Web communications is infeasible; on the other hand, the Internet uses dynamic routing, so the access data of the same user may travel over different paths, and a single monitoring point cannot observe the complete communication data. Therefore, fine-grained DDoS detection methods that analyze user communications in depth are not suited to deployment in the backbone network, and the present invention detects application-layer DDoS attacks from a higher level, the communication group.
(1) Measuring the Web communication group
A communication group refers to a set of hosts that communicate closely with each other and have the same load characteristics. A Web server and the clients that access it together form a Web communication group. While accessing the Web server, some clients inevitably also communicate with hosts outside the Web communication group; the present invention calls these external hosts outreach nodes, and the connections between clients and outreach nodes are called outreaches. The present invention further divides outreach nodes into multi-outreach nodes and single-outreach nodes: if several Web clients connect to an outreach node, that node is a multi-outreach node, and such nodes generally consist of other servers of the same website or of closely related websites; if only one Web client connects to an outreach node, that node is a single-outreach node, usually produced by the user's individual access behavior. The number of nodes communicating with a given node (Web server, client or outreach node) is called the connection degree of that node.
Fig. 2 is the connectivity diagram of a small Web communication group. The connectivity graph of a Web communication group is an undirected graph; the core node with the most connections is the Web server, dots represent clients connected to the Web server, rings represent the hosts that clients reach out to, and a host with a given IP address does not appear twice in the graph. As can be seen from Fig. 2, when a computer accesses the Web server it may at the same time generate traffic with other computers; the present invention calls this outreach communication.
The volume of Web communication data in the backbone network is large, and the communication group of the specified Web server must be extracted from it. The concrete steps (see flow chart Fig. 3) are:
A. monitor the network link; when a new packet is found, extract its source IP address, destination IP address and destination port;
B. judge whether the packet is a SYN packet whose destination address is the specified Web server address and whose destination port is port 80; if so, go to step C, otherwise go to step D;
C. judge whether its source IP address is already in the client records; if so, return to step A, otherwise add a client record for this Web server and then return to step A;
D. judge whether its source IP address or destination IP address is a client address; if so, go to step E, otherwise return to step A;
E. judge whether the pair <source IP address, destination IP address> already appears in the outreach edge records; if not, add a record; return to step A.
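As an added illustration (this is not code from the patent), the following Python builds the communication group of one Web server from a constructed packet trace by following steps A to E above, and then derives the two counts CN and CN_MLN that the detector consumes. The server and client addresses, the packet list, the SYN flag field, and the rule that the server itself and other clients are never counted as outreach nodes are assumptions of the example.

```python
# Added example (not from the patent): communication-group extraction (steps A-E)
# and the CN / CN_MLN outreach features. Addresses and packets are constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Header fields extracted in step A, plus the SYN flag needed by step B."""
    src: str
    dst: str
    dport: int
    syn: bool = False


@dataclass
class CommunicationGroup:
    server: str                                   # the monitored Web server address
    clients: set = field(default_factory=set)     # client records (step C)
    edges: set = field(default_factory=set)       # <src, dst> outreach edge records (step E)

    def process(self, pkt: Packet) -> None:
        """Run one packet through steps B-E of the extraction procedure."""
        # Step B: a SYN to the server on port 80 identifies a (possibly new) client.
        if pkt.dst == self.server and pkt.dport == 80 and pkt.syn:
            self.clients.add(pkt.src)             # Step C: set semantics = add if absent
            return
        # Step D: does either endpoint belong to a known client?
        if pkt.src in self.clients or pkt.dst in self.clients:
            self.edges.add((pkt.src, pkt.dst))    # Step E: record the edge once

    def outreach_nodes(self) -> dict:
        """Map each outreach node to the set of clients connected to it.

        Assumption (not stated on the page): the server and other clients are
        members of the group, so they are not counted as outreach nodes.
        """
        connected = defaultdict(set)
        for src, dst in self.edges:
            for client, other in ((src, dst), (dst, src)):
                if client in self.clients and other != self.server and other not in self.clients:
                    connected[other].add(client)
        return connected

    def features(self) -> tuple:
        """Return (CN, CN_MLN): total clients, and clients on multi-outreach nodes."""
        connected = self.outreach_nodes()
        multi = [cs for cs in connected.values() if len(cs) > 1]  # multi-outreach nodes
        cn = len(self.clients)
        cn_mln = len(set().union(*multi)) if multi else 0
        return cn, cn_mln


SERVER = "10.0.0.1"   # constructed: the monitored Web server

# Constructed packet trace for one time interval Δt.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", SERVER, 80, syn=True),
    Packet("192.0.2.11", SERVER, 80, syn=True),
    Packet("192.0.2.12", SERVER, 80, syn=True),
    Packet("192.0.2.13", SERVER, 80, syn=True),
    Packet("192.0.2.11", SERVER, 80, syn=False),  # data to the server: not an outreach node
    Packet("192.0.2.14", SERVER, 443, syn=True),   # port 443: not a Web client record
    Packet("192.0.2.10", "198.51.100.5", 443),     # three clients share this node ...
    Packet("192.0.2.11", "198.51.100.5", 443),
    Packet("198.51.100.5", "192.0.2.12", 443),     # ... one of them seen as a reply
    Packet("192.0.2.13", "203.0.113.7", 80),       # single-outreach node
    Packet("192.0.2.10", "203.0.113.8", 53),       # single-outreach node
    Packet("192.0.2.99", "198.51.100.5", 443),     # not a client: dropped at step D
]


def build_sample_group() -> CommunicationGroup:
    group = CommunicationGroup(SERVER)
    for pkt in SAMPLE_PACKETS:
        group.process(pkt)
    return group


if __name__ == "__main__":
    g = build_sample_group()
    cn, cn_mln = g.features()
    print(f"CN={cn} CN_MLN={cn_mln} x_n={cn_mln / cn:.2f} y_n={cn / cn_mln:.2f}")
```

With the constructed trace, 198.51.100.5 is reached by three distinct clients and is therefore the only multi-outreach node, giving CN = 4 and CN_MLN = 3. Hosts that only ever appear as the non-client side of an edge (198.51.100.5 sending to 192.0.2.12) are still attributed correctly because step D checks both endpoints; sets make step C and step E idempotent, which is what "a host with a given IP address does not appear twice" requires.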
(2) Extracting the outreach features of the Web group
Detecting a DDoS attack requires extracting feature parameters that can distinguish normal access from abnormal access. The communication data of a DDoS puppet host during the attack consists of two parts: the attack packets sent to the target host, and the individual access behavior of the puppet host's actual user. The user's individual access behavior usually forms single-outreach nodes and rarely constitutes multi-outreach nodes of the Web group. When an attack occurs, the number of clients of the Web group increases sharply and the number of clients connected to single-outreach nodes increases in a similar proportion, but the number of clients connected to multi-outreach nodes essentially does not increase. Let the sequence {x_n} denote the ratio, in each time period, of the number of clients accessing multi-outreach nodes to the total number of clients, {C_n} the total number of clients and {M_n} the number of clients accessing multi-outreach nodes. Suppose an attack begins at moment n+1 (all n in the present invention have the same meaning, n being a natural number, n = 1, 2, 3, ...), the number of attack terminals is A and the number of normal clients is R_{n+1}; then
$$x_n = \frac{M_n}{C_n}$$
$$x_{n+1} = \frac{M_{n+1}}{C_{n+1}} = \frac{M_{n+1}}{R_{n+1} + A}$$
Of course, it cannot be ruled out that some attackers, in order to hide the attack behavior better, also keep a small number of outreach access requests mixed among the request packets. Besides greatly increasing the number of clients of the Web group, such access behavior can also significantly increase the number of clients accessing multi-outreach nodes. Let M_A denote the number of attack terminals accessing multi-outreach nodes and L_{n+1} the corresponding number among the R_{n+1} normal clients; then
$$x_{n+1} = \frac{L_{n+1} + M_A}{R_{n+1} + A}$$
In this case the change of the ratio of the number of clients accessing multi-outreach nodes to the total number of clients is uncertain; it is affected by factors such as the frequency of the outreach access behavior and the measurement time interval. When M_A/A is greater than L_{n+1}/R_{n+1} the sequence shifts upward, and when M_A/A is less than L_{n+1}/R_{n+1} it shifts downward.
Combining the above analysis, the present invention separately detects upward shifts of the sequences
$$x_n = \frac{M_n}{C_n}\quad\text{and}\quad y_n = \frac{C_n}{M_n},\quad n = 1, 2, 3, \dots$$
An upward shift of {x_n} indicates an attack that includes outreach access behavior; an upward shift of {y_n} indicates a DDoS attack without outreaches.
(3) Anomaly detection with the improved CUSUM algorithm
The CUSUM algorithm is a sequential detection method among the change-point detection methods and can detect a change in the mean of a statistical process. In a particular Web communication group, the sequences of ratios {x_n = M_n/C_n} and {y_n = C_n/M_n} between the number M of clients connected to multi-outreach nodes and the total number C of clients serve as the basis on which the present invention detects DDoS attacks. For ease of computation and to reduce the overhead of online detection, the present invention uses the recurrence form of the non-parametric CUSUM algorithm (replacing δ/2 with the undetermined parameter k):
$$Z_n = \max\{0,\; Z_{n-1} + X_n - k\},\quad n = 1, 2, 3, \dots$$
If a threshold h > 0 is selected in advance, Z_{n-1} ≤ h indicates that the mean of the first n-1 detection values has not shifted and the detected object is in a normal state. If some Z_n > h, the detected object has become anomalous.
In the non-parametric CUSUM algorithm the balance between the false alarm rate and the detection time is achieved by selecting the parameters k and h. The larger k is, the smaller the probability of positive values appearing in {Z_n}, and thus the smaller the probability of accumulating to a large value and finding an attack. h is the attack threshold: the larger h is, the lower the false alarm rate, but the longer the detection time. To adapt better to the complexity and dynamics of the network environment, the present invention improves the CUSUM algorithm; the recurrence for an upward shift is:
$$Z_n = \max\{0,\; Z_{n-1} + X_n - \delta_n - d\},\quad n = 1, 2, 3, \dots$$
where δ_n is the exponentially weighted moving average (EWMA) of {x_n} and d is an offset value that makes Z_n less than 0 under normal conditions; δ_n is computed as
$$\delta_n = (1-\alpha)\,\delta_{n-1} + \alpha X_n,\quad \delta_0 = X_0$$
To adapt to the dynamic changes of the network without raising the missed-detection rate, the value of the EWMA coefficient α is small, in the range 0.01~0.03. According to the jitter of {x_n} and {y_n} caused by attacks, one can set d = μδ_n and h = λδ_n, where the parameter μ can be obtained from statistics of real data. The value of the parameter λ depends on the user's tolerance of false alarms and on the detection time the user expects; its range may be 1~10. For example, with λ = 2, an attack whose offset reaches 50% of the mean can be detected within no more than 4 time intervals, and an attack whose offset reaches 10% of the mean within no more than 20 time slots.
The processing steps of the anomaly detection method (see flow chart Fig. 4):
1) port mirroring is set up on the network device, and all network packets flowing through the device are copied and sent to the attack detection front-end processor;
2) the attack detection front-end processor extracts the communication group of the particular Web server and its outreach behavior and sends them to the attack detection server;
3) the attack detection server counts the outreach behavior parameters of the Web communication group, namely the number CN_MLN of clients connected to multi-outreach nodes and the total number CN of clients, monitors the offset of the ratio of the two parameters with the improved CUSUM algorithm, and judges accordingly whether application-layer DDoS attack behavior is occurring;
4) at the end of each time period, whether an application-layer DDoS attack on the specified Web server has occurred is reported to the network monitoring terminal.
In step 3), the process of monitoring the offset of the ratio of the two parameters with the improved CUSUM algorithm and judging accordingly whether application-layer DDoS attack behavior has occurred is as follows: the n-th detection values Z_n^x and Z_n^y of {x_n} and {y_n} are calculated respectively with the recurrences
$$Z_n^x = \max\{0,\; Z_{n-1}^x + x_n - \delta_n^x - d_x\},\quad n = 1, 2, 3, \dots$$
$$Z_n^y = \max\{0,\; Z_{n-1}^y + y_n - \delta_n^y - d_y\},\quad n = 1, 2, 3, \dots$$
Z_n^x and Z_n^y are compared with their corresponding thresholds h^x and h^y respectively:
(1) if Z_n^x ≤ h^x and Z_n^y ≤ h^y, the CUSUM accumulated up to the n-th detection value has not shifted, the detected object is in a normal state, and detection continues;
(2) if Z_n^x > h^x or Z_n^y > h^y, the detected object has become anomalous at the n-th detection value, that is, a DDoS attack has occurred.
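The improved CUSUM procedure of section (3) and of steps 1) to 4) above, worked through as an added example that is not the patent's own code: the offset d = μδ_n and the threshold h = λδ_n are recomputed from the EWMA at every interval, and the x and y detectors run side by side over the two ratio sequences. The parameter values α = 0.02, μ = 0.1 and λ = 2, the count sequences, and the decision to skip an interval in which CN_MLN is 0 (where y_n is undefined and the page gives no rule) are assumptions of the example.

```python
# Added example (not from the patent): the improved CUSUM detector with
# d = mu * delta_n and h = lam * delta_n, run over x_n = M_n/C_n and y_n = C_n/M_n.
# Parameter values and count sequences are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ImprovedCusum:
    alpha: float = 0.02             # EWMA coefficient; the page gives the range 0.01~0.03
    mu: float = 0.1                 # d = mu * delta_n (page: mu comes from real-data statistics)
    lam: float = 2.0                # h = lam * delta_n (page: lambda in the range 1~10)
    delta: Optional[float] = None   # delta_n, the EWMA of the observed sequence
    z: float = 0.0                  # Z_n, the accumulated CUSUM statistic

    def update(self, value: float) -> bool:
        """Feed one observation X_n; return True when Z_n exceeds the threshold h."""
        if self.delta is None:
            self.delta = value        # delta_0 = X_0
            return False
        # delta_n = (1 - alpha) * delta_{n-1} + alpha * X_n
        self.delta = (1 - self.alpha) * self.delta + self.alpha * value
        d = self.mu * self.delta
        h = self.lam * self.delta
        # Z_n = max{0, Z_{n-1} + X_n - delta_n - d}
        self.z = max(0.0, self.z + value - self.delta - d)
        return self.z > h


def run_detection(cn: list, cn_mln: list, **params) -> list:
    """Return [(n, "x" | "y"), ...] for every interval n in which a detector fires.

    "x" fires on attacks that include outreach access, "y" on attacks without it.
    Intervals with CN_MLN == 0 (or CN == 0) are skipped: y_n is undefined there,
    and the page does not specify this case, so skipping is an assumption.
    """
    det_x, det_y = ImprovedCusum(**params), ImprovedCusum(**params)
    alarms = []
    for n, (c, m) in enumerate(zip(cn, cn_mln)):
        if m == 0 or c == 0:
            continue
        if det_x.update(m / c):       # x_n = M_n / C_n
            alarms.append((n, "x"))
        if det_y.update(c / m):       # y_n = C_n / M_n
            alarms.append((n, "y"))
    return alarms


def attack_scenario() -> list:
    """Constructed: 20 normal intervals, then 5 intervals of an application-layer flood.

    Roughly 900 puppet clients join but never touch multi-outreach nodes, so CN
    jumps while CN_MLN stays flat and y_n = CN/CN_MLN shifts upward.
    """
    cn = [98, 102] * 10 + [1000] * 5       # small normal jitter, then the flood
    cn_mln = [40] * 20 + [40] * 5
    return run_detection(cn, cn_mln)


def flash_crowd_scenario() -> list:
    """Constructed: a Flash Crowd in which real users scale CN and CN_MLN together.

    Both ratios stay at their normal level, so neither detector fires.
    """
    cn = [98, 102] * 10 + [1000] * 5
    cn_mln = [40] * 20 + [400] * 5
    return run_detection(cn, cn_mln)


if __name__ == "__main__":
    print("attack      :", attack_scenario())
    print("flash crowd :", flash_crowd_scenario())
```

In the flood scenario y_n jumps from about 2.5 to 25 while δ_n^y, with α = 0.02, only creeps up, so Z_n^y clears h = 2δ_n^y in the very first attack interval and keeps firing; x_n falls instead of rising, so the x detector stays at 0. In the Flash Crowd scenario both counts grow in proportion, both ratios are unchanged, and nothing fires, which is the distinction between a Flash Crowd and a DDoS attack that section (2) argues for. Because h scales with δ_n, the same λ works for sequences of very different magnitude (x_n below 1, y_n in the tens).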
References used herein:
[1] Wortham, Jenna; Kramer, Andrew E. Professor Main Target of Assault on Twitter, New York Times, 2009-08-07;
[2] Garda inquiry under way into alleged attacks on CAO website, The Irish Times, 2010-08-28;
[3] Shachtman, Norah, Activists Launch Hack Attacks on Tehran Regime, Wired, 2009-06-15;
[4] Factsheet - Root server attack on 6 February 2007. ICANN. 2007-03-01. Retrieved 2009-08-01;
[5] http://net.chinabyte.com/519DNS/
[6] J. Mirkovic, P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communication Review, 2004, 34(2):39-54;
[7] Y. Xie and S. Yu. A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors. IEEE/ACM Transactions on Networking, 17(1):54-65, 2009;
[8] Xiao Jun, Yun Xiaochun, Zhang Yongzheng, Application-layer distributed denial of service attack filtering based on a session abnormality degree model, Chinese Journal of Computers, 2010, 33(9);
[9] S. Kandula, D. Katabi, M. Jacob, and A. W. Berger, Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds, MIT, Tech. Rep. TR-969, 2004 [Online]. Available: http://www.usenix.org/events/nsdi05/tech/kandula/kandula.pdf

Claims (5)

1. A denial-of-service attack detection method based on the external connection behavior of a Web communication group, characterized in that the detection steps of the method are as follows:
Step1: port mirroring is set up on a network device; all network packets flowing through the device are copied and sent to the network monitoring front-end processor, which extracts the communication group of the Web server and its outreach behavior and sends them to the detection server;
Step2: in the detection server, the outreach features of the Web server communication group of Step1 are extracted: the number of clients CN_MLN connected to multi-outreach nodes and the total number of clients CN. The sequence {x_n} denotes, in each time period, the ratio of the number of clients accessing multi-outreach nodes to the total number of clients, and {y_n} denotes the ratio of the total number of clients to the number of clients accessing multi-outreach nodes; {C_n} denotes the total number of clients and {M_n} the number of clients accessing multi-outreach nodes. The values x_n and y_n of the sequences {x_n} and {y_n} in the n-th interval Δt are calculated as:
$$x_n = \frac{M_n}{C_n},\quad y_n = \frac{C_n}{M_n},\quad n = 1, 2, 3, \dots$$
Step3: in the detection server, the improved CUSUM algorithm is used to analyze the outreach features of the Web group and judge whether an attack has occurred;
the n-th detection values Z_n^x and Z_n^y of {x_n} and {y_n} are calculated respectively with the following recurrences:
$$Z_n^x = \max\{0,\; Z_{n-1}^x + x_n - \delta_n^x - d_x\},\quad n = 1, 2, 3, \dots$$
$$Z_n^y = \max\{0,\; Z_{n-1}^y + y_n - \delta_n^y - d_y\},\quad n = 1, 2, 3, \dots$$
where δ_n^x and δ_n^y are the exponentially weighted moving averages (EWMA) of {x_n} and {y_n} respectively; d_x and d_y are offset values that make Z_n^x and Z_n^y respectively less than 0 under normal conditions; Z_{n-1}^x is the (n-1)-th detection value of the sequence {x_n} and Z_{n-1}^y the (n-1)-th detection value of the sequence {y_n}; Z_n^x is the n-th detection value of {x_n} and is used to detect attacks that include outreach access behavior; Z_n^y is the n-th detection value of {y_n} and is used to detect DDoS attacks without outreach access;
Step4: Z_n^x and Z_n^y are compared with their corresponding thresholds h^x and h^y respectively to judge whether a DDoS attack has occurred;
Step5: at the end of each time period, whether an application-layer DDoS attack on the specified Web server has occurred is reported to the network monitoring terminal.
2. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step1, the communication group refers to a set of hosts that communicate closely with each other and have the same load characteristics.
3. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step2, the process of extracting the communication group is as follows:
A. monitor the network link; when a new packet is found, extract its source IP address, destination IP address and destination port;
B. judge whether the packet is a SYN packet whose destination address is the specified Web server address and whose destination port is port 80; if so, go to step C, otherwise go to step D;
C. judge whether its source IP address is already in the client records; if so, return to step A, otherwise add a client record for this Web server and then return to step A;
D. judge whether its source IP address or destination IP address is a client address; if so, go to step E, otherwise return to step A;
E. judge whether the source IP address and destination IP address already appear in the outreach edge records; if not, add a record; return to step A.
4. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step3, δ_n^x, δ_n^y and d_x, d_y are calculated as follows:
$$\delta_n^x = (1-\alpha)\,\delta_{n-1}^x + \alpha x_n,\quad \delta_0^x = x_0,\quad d_x = \mu\,\delta_n^x,$$
$$\delta_n^y = (1-\alpha)\,\delta_{n-1}^y + \alpha y_n,\quad \delta_0^y = y_0,\quad d_y = \mu\,\delta_n^y,$$
where δ_0^x and δ_0^y are the initial values of the weighted moving averages, x_0 and y_0 are the initial values of the sequences {x_n} and {y_n}, α is the exponentially weighted moving average (EWMA) coefficient, in the range 0.01~0.03, and the parameter μ is obtained from statistics of real data.
5. The denial-of-service attack detection method based on the external connection behavior of a Web communication group as claimed in claim 1, characterized in that, in Step4, the decision process is as follows: for Z_n^x and Z_n^y with corresponding thresholds h^x and h^y,
(1) if Z_n^x ≤ h^x and Z_n^y ≤ h^y, the CUSUM accumulated up to the n-th detection value has not shifted and the detected object is in a normal state;
(2) if Z_n^x > h^x or Z_n^y > h^y, the detected object has become anomalous at the n-th detection value, that is, an application-layer DDoS attack has occurred.
CN 201110199063 2011-07-15 2011-07-15 Denial-of-service attack detection method based on external connection behaviors of Web communication group Expired - Fee Related CN102238047B (en)

Publications (2)

Publication Number Publication Date
CN102238047A CN102238047A (en) 2011-11-09
CN102238047B true CN102238047B (en) 2013-10-16

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027577B (en) * 2016-08-04 2019-04-30 四川无声信息技术有限公司 A kind of abnormal access behavioral value method and device
CN108337254B (en) * 2018-01-30 2020-12-29 杭州迪普科技股份有限公司 Method and device for protecting hybrid DDoS attack
CN109257384B (en) * 2018-11-14 2020-12-04 济南百纳瑞信息技术有限公司 Application layer DDoS attack identification method based on access rhythm matrix

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
WO2009140878A1 (en) * 2008-05-23 2009-11-26 成都市华为赛门铁克科技有限公司 Method, network apparatus and network system for defending distributed denial of service ddos attack
CN102123136A (en) * 2010-12-26 2011-07-13 广州大学 Method for identifying DDoS (distributed denial of service) attack flow

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980506B (en) * 2010-10-29 2013-08-14 北京航空航天大学 Flow characteristic analysis-based distributed intrusion detection method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张永铮 et al. DDoS attack detection and control. 《软件学报》 (Journal of Software), 2012-05-21. *
王风宇 et al. Multi-time-scale synchronized network anomaly detection method. 《通信学报》 (Journal on Communications), 2007, 21-27. *
肖军 et al. Application-layer distributed denial-of-service attack filtering based on a session anomaly model. 《计算机学报》 (Chinese Journal of Computers), 2010, vol. 33, no. 9, 1713-1724. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131016

Termination date: 20140715

EXPY Termination of patent right or utility model