CN102394868A - Detection method for DDoS attacked address of dynamic threshold - Google Patents

Abstract

The invention, which belongs to the communication technology field, relates to a detection method for a DDoS attacked address of a dynamic threshold. According to the method, data flow addresses that are collected within a period are collected and an overflow accumulation variable is calculated. When a real-time data flow is greater than a threshold, values of increased overflow accumulation variables are added up until the value of the overflow accumulation variable is less than or equal to zero; and meanwhile, the value of the overflow accumulation variable is set into zero when the real-time data flow is less than the threshold. According to the method, it is determined whether an IP address is attacked or not according to a value of a data overflow accumulation variable; and real-time updating is carried out on a threshold; furthermore, data information is updated and real-time monitoring is carried out on an attacked situation of the attacked network IP address.

Description

A kind of dynamic threshold DDoS is attacked address detection method

Technical field

The present invention relates to a kind of dynamic threshold DDoS and attacked address detection method, belong to communication technical field.

Background technology

Being on the defensive to the ddos attack that possibly exist is that the data flow is monitored.There is stationary threshold value DDoS to be attacked address inspecting and measuring technique and dynamic threshold DDoS detection technique in the prior art.

It is simple to operate that stationary threshold value DDoS is attacked address inspecting and measuring technique; Be easy to dispose, efficiency of algorithm is high, but is inappropriate for the bigger network environment of flow and lacks flexibility; Static threshold is difficult for confirming simultaneously, improper meeting is set causes detection efficiency and the reduction that detects effect.

The calculating of threshold value has two kinds of methods in the dynamic threshold DDoS detection technique: interval average thresholding algorithm and EWMA algorithm.Interval average thresholding algorithm is treated the influence of all flow value degree threshold values on an equal basis; Tax is with identical weights; In fact this effect is differentiated, and general recent values affect is bigger than values affect at a specified future date, changes in the violent environment in network traffics; The threshold value and the actual flow gap that according to said method produce can be very big, often do not have detection effect.

Existing threshold value generating algorithm shortcoming based on the EWMA algorithm be when the Chief Web Officer time be in less than the threshold value of being calculated under the low load condition, if suddenly load becomes conference and causes owing to low threshold value produces wrong report.

In addition, the setting of interval average thresholding algorithm and EWMA algorithm threshold value is all only based on current network traffics, threshold value do not left between the buffering area of increase with the traffic the bursting property of anti-shake algorithm when adapting to proper communication to increase, also the higher limit of setting threshold not.

Summary of the invention

Technical problem to be solved by this invention is to the deficiency of above-mentioned background technology, provides a kind of dynamic threshold DDoS to be attacked address detection method.

The present invention adopts following technical scheme for realizing the foregoing invention purpose:

A kind of dynamic threshold DDoS is attacked address detection method and is comprised the steps:

Step 1, the analysis of history tables of data obtains threshold value TH _nAnd the threshold data table, wherein: TH _nThe threshold value of being predicted when being the n time renewal, n is the natural number more than or equal to 1;

Step 2, image data bag in data collection cycle extracts the IP address to the packet of gathering, statistics real time data flow TF _n, TF _nReal time data flow when being the n time renewal;

Step 3, contrast real time data flow TF _nWith threshold value TH _n, calculate each data and when upgrading for the n time, overflow accumulation variable S _nValue, and upgrade and to overflow accumulation variable S _nThe storage list of value overflows accumulation variable S _nThe specific algorithm of value is following:

Work as TF _n＞TH _nThe time, get into step 3-1;

Work as TF _n≤TH _nThe time, get into step 3-2;

Step 3-1 utilizes formula S _n=S _N-1+ TF _n-TH _nCalculate and overflow accumulation variable S when upgrading for the n time _nValue;

Step 3-2 works as S _N-1＞0 o'clock, utilize following formula to calculate and overflow accumulation variable S when upgrading for the n time _nValue;

$S_n=\left\{\begin{array}{cc}{S}_{n-1}\&divide;2,& ({\mathrm{TH}}_n-{\mathrm{TF}}_n)<(S_{n-1}\&divide;2)\\ S_{n-1}+{\mathrm{TF}}_n-{\mathrm{TH}}_n,& ({\mathrm{TH}}_n-{\mathrm{TF}}_n)>(S_{n-1}\&divide;2)\end{array}\right.$

Wherein, S ₁=0;

Work as S _N-1≤0, S _n=0;

Step 4, it is S that the maximum of overflowing the accumulation variable is set _Max, overflow accumulation variable S when relatively upgrading for the n time _nValue with overflow the accumulation variable maximum S _Max, only work as S _n＞S _MaxThe time, S _n=S _Max

Step 5 is checked and is overflowed accumulation variable S when each IP address is upgraded for the n time _nValue whether be 0,

Work as S _n, represent that this IP address is by the attack end at＜0 o'clock;

Work as S _n, classify this IP address as suffer ddos attack destination address at＞0 o'clock;

Work as S _n=0 o'clock, utilize following formula to calculate this IP address threshold, upgrade the threshold data table, the data on flows of not attacked with the IP address covers the historical data table:

${\mathrm{TH}}_n=\mathrm{\&alpha;}{\mathrm{TH}}_n+(1-\mathrm{\&alpha;}){\mathrm{TF}}_n\&PlusMinus;\sqrt{\underset{i=n-m+1}{\overset{n-1}{\mathrm{\&Sigma;}}}{({\mathrm{TH}}_i-{\mathrm{TH}}_{i-1})}^2}+\mathrm{BT};$

Wherein, α is the Data Update coefficient, and BT is a buffer traffic, 0≤α≤1, m ∈ n;

Step 6 gets into next data collection cycle, returns step 2.

Said dynamic threshold DDoS is attacked in the address detection method, the choosing according to following principle of sign in the step 5:

When calculating the n subthreshold, then just get greater than the n-2 time data traffic as if the n-1 time data traffic, otherwise get negative.

The present invention adopts technique scheme, has following beneficial effect: dynamically update threshold value, implement the situation that monitoring network IP address is attacked.

Description of drawings

Fig. 1 is attacked the flow chart of address detection method for dynamic threshold DDoS.

Fig. 2 is the sketch map of BloomFilter algorithm map addresses.

Embodiment

Be elaborated below in conjunction with the technical scheme of accompanying drawing to invention:

As shown in Figure 1, a kind of dynamic threshold DDoS is attacked address detection method, comprises the steps:

Step 1, m historical data of historical data table storage, the threshold value TH that the storage of threshold data table obtains according to m historical data address _n, TH _nThe threshold value of being predicted when being the n time renewal, m is any natural number, n is the natural number more than or equal to 1.

Step 2, image data bag in data collection cycle t is pressed packet IP map addresses to IP address date table, and counting the real time data flow to each IP address is TF _n, TF _nReal time data flow when being the n time renewal.

As shown in Figure 2: as to adopt BloomFilter algorithm mapping address.In the system of IPv4 address, the IP address is divided into 4 sections, every section value desirable metric 1 to 255.According to Bloom Filter algorithm a list structure of 4 * 256 of being made up of 4 independent hash functions being set comes in the tracking time section t IP that arrives the various objectives address through router to wrap number.After an IP bag gets into router; Its destination address by 4 independently hash function (to 4 sections of IP address mappings respectively) be mapped to some (value to each section is shone upon) in 256 different separately territories respectively; Be kept at this moment by the variable a in mapping territory (totally 4, corresponding one of each hash) _Ij(1≤i≤256,1≤j≤4) add 1.

Step 3, contrast real time data flow TF _nWith threshold value TH _n, calculate each data and when upgrading for the n time, overflow accumulation variable S _nValue, and upgrade and to overflow accumulation variable S _nThe storage list of value overflows accumulation variable S _nThe specific algorithm of value is following:

Work as TF _n＞TH _nThe time, get into step 3-1;

Work as TF _n≤TH _nThe time, get into step 3-2;

Step 3-1 utilizes formula S _n=S _N-1+ TF _n-TH _nCalculate and overflow accumulation variable S when upgrading for the n time _nValue;

Step 3-2 works as S _N-1＞0 o'clock, utilize following formula to calculate and overflow accumulation variable S when upgrading for the n time _nValue;

$S_n=\left\{\begin{array}{cc}{S}_{n-1}\&divide;2,& ({\mathrm{TH}}_n-{\mathrm{TF}}_n)<(S_{n-1}\&divide;2)\\ S_{n-1}+{\mathrm{TF}}_n-{\mathrm{TH}}_n,& ({\mathrm{TH}}_n-{\mathrm{TF}}_n)>(S_{n-1}\&divide;2)\end{array}\right.,$

Wherein, S ₁=0;

Work as S _N-1≤0, S _n=0;

Step 4, it is S that the maximum of overflowing the accumulation variable is set _Max, overflow accumulation variable S when relatively upgrading for the n time _nValue with overflow the accumulation variable maximum S _Max, only work as S _n＞S _MaxThe time, S _n=S _Max

Step 5 is checked and is overflowed accumulation variable S when each IP address is upgraded for the n time _nValue whether be 0,

Work as S _n, represent that this IP address is by the attack end at＜0 o'clock;

Work as S _n, classify this IP address as suffer ddos attack destination address at＞0 o'clock;

Work as S _n, utilize following formula to calculate S at=0 o'clock _nValue equals 0 o'clock pairing IP address threshold, upgrades the threshold data table, and the data on flows of not attacked with the IP address covers the historical data table:

${\mathrm{TH}}_n=\mathrm{\&alpha;}{\mathrm{TH}}_n+(1-\mathrm{\&alpha;}){\mathrm{TF}}_n\&PlusMinus;\sqrt{\underset{i=n-m+1}{\overset{n-1}{\mathrm{\&Sigma;}}}{({\mathrm{TH}}_i-{\mathrm{TH}}_{i-1})}^2}+\mathrm{BT}(0\&le;\mathrm{\&alpha;}\&le;1,m\&Element;N);$

Wherein, α is the Data Update coefficient, and BT is a buffer traffic, the choosing according to following principle of sign in the formula: when calculating the n subthreshold, if the n-1 time data traffic then just gets greater than the n-2 time data traffic, otherwise get negative.

Step 6 gets into next data collection cycle, returns step 2.

Claims (2)

1. a dynamic threshold DDoS is attacked address detection method, it is characterized in that comprising the steps:

Step 1, the analysis of history tables of data obtains threshold value TH _nAnd the threshold data table, wherein: TH _nThe threshold value of being predicted when being the n time renewal, n is the natural number more than or equal to 1;

Step 2, image data bag in data collection cycle extracts the IP address to the packet of gathering, statistics real time data flow TF _n, TF _nReal time data flow when being the n time renewal;

Step 3, contrast real time data flow TF _nWith threshold value TH _n, calculate each data and when upgrading for the n time, overflow accumulation variable S _nValue, and upgrade and to overflow accumulation variable S _nThe storage list of value overflows accumulation variable S _nThe specific algorithm of value is following:

Work as TF _n＞TH _nThe time, get into step 3-1;

Work as TF _n≤TH _nThe time, get into step 3-2;

Step 3-1 utilizes formula S _n=S _N-1+ TF _n-TH _nCalculate and overflow accumulation variable S when upgrading for the n time _nValue;

Step 3-2 works as S _N-1＞0 o'clock, utilize following formula to calculate and overflow accumulation variable S when upgrading for the n time _nValue;

$S_n=\left\{\begin{array}{cc}{S}_{n-1}\&divide;2,& ({\mathrm{TH}}_n-{\mathrm{TF}}_n)<(S_{n-1}\&divide;2)\\ S_{n-1}+{\mathrm{TF}}_n-{\mathrm{TH}}_n,& ({\mathrm{TH}}_n-{\mathrm{TF}}_n)>(S_{n-1}\&divide;2)\end{array}\right.$

Wherein, S ₁=0;

Work as S _N-1≤0, S _n=0;

Step 4, it is S that the maximum of overflowing the accumulation variable is set _Max, overflow accumulation variable S when relatively upgrading for the n time _nValue with overflow the accumulation variable maximum S _Max, only work as S _n＞S _MaxThe time, S _n=S _Max

Step 5 is checked and is overflowed accumulation variable S when each IP address is upgraded for the n time _nValue whether be 0,

Work as S _n, represent that this IP address is by the attack end at＜0 o'clock;

Work as S _n, classify this IP address as suffer ddos attack destination address at＞0 o'clock;

Work as S _n=0 o'clock, utilize following formula to calculate this IP address threshold, upgrade the threshold data table, the data on flows of not attacked with the IP address covers the historical data table:

${\mathrm{TH}}_n=\mathrm{\&alpha;}{\mathrm{TH}}_n+(1-\mathrm{\&alpha;}){\mathrm{TF}}_n\&PlusMinus;\sqrt{\underset{i=n-m+1}{\overset{n-1}{\mathrm{\&Sigma;}}}{({\mathrm{TH}}_i-{\mathrm{TH}}_{i-1})}^2}+\mathrm{BT};$

Wherein, α is the Data Update coefficient, and BT is a buffer traffic, 0≤α≤1, m ∈ n;

Step 6 gets into next data collection cycle, returns step 2.

2. dynamic threshold DDoS according to claim 1 is attacked address detection method, it is characterized in that in the formula described in the step 5 the choosing according to following principle of sign:

When calculating the n subthreshold, then just get greater than the n-2 time data traffic as if the n-1 time data traffic, otherwise get negative.

Images