CN102394868B - Detection method for DDoS attacked address of dynamic threshold - Google Patents

Detection method for DDoS attacked address of dynamic threshold

Info

Publication number: CN102394868B
Authority: CN (China)
Prior art keywords: time, address, value, data, threshold
Legal status: Expired - Fee Related
Application number: CN201110309008.2A
Other languages: Chinese (zh)
Other versions: CN102394868A
Inventors: 丁力, 孙知信, 金易琛, 宫婧
Current assignee: ZHENJIANG GOLDNT SOFTWARE Corp
Original assignee: ZHENJIANG GOLDNT SOFTWARE Corp
Priority date / filing date: 2011-10-12
Events: application filed by ZHENJIANG GOLDNT SOFTWARE Corp; publication of CN102394868A; application granted; publication of CN102394868B; expired (fee related)

Classification

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention, which belongs to the field of communication technology, relates to a dynamic-threshold detection method for DDoS-attacked addresses. The method collects the addresses of the data flows observed within a period and computes an overflow accumulation variable. When the real-time data flow is greater than the threshold, the increments of the overflow accumulation variable are summed until its value is less than or equal to zero; meanwhile, the overflow accumulation variable is set to zero when the real-time data flow is less than the threshold. Whether an IP address is under attack is decided from the value of the data overflow accumulation variable; the threshold is updated in real time, the stored data is refreshed, and the attack state of the network's IP addresses is monitored in real time.

Description

Dynamic-threshold DDoS attacked-address detection method
Technical field
The present invention relates to a dynamic-threshold detection method for DDoS-attacked addresses, and belongs to the field of communication technology.
Background technology
Defending against possible DDoS attacks requires monitoring data traffic. In the prior art there are two approaches: static fixed-threshold DDoS attacked-address detection and dynamic-threshold DDoS detection.
Static fixed-threshold detection is simple to operate, easy to deploy and algorithmically efficient, but it is unsuited to high-traffic network environments and lacks flexibility. The static threshold is also hard to determine, and an improper setting reduces both detection efficiency and detection effectiveness.
In dynamic-threshold DDoS detection the threshold is computed in one of two ways: the regional average threshold algorithm or the EWMA algorithm. The regional average threshold algorithm treats the influence of every flow value on the threshold equally and assigns them identical weights, whereas in practice their influence differs: recent values generally affect the threshold more than older ones. In environments where network traffic changes violently, the gap between a threshold produced this way and the actual traffic can be very large, and detection often fails.
The shortcoming of existing EWMA-based threshold generation is that the threshold computed during a prolonged low-load period is small, so a sudden increase in load produces false positives because of the low threshold.
In addition, both the regional average algorithm and the EWMA algorithm set the threshold purely from current network traffic: they leave no buffer between the threshold and the traffic to absorb the burstiness of legitimate communication as it grows, and they set no upper limit on the threshold.
Summary of the invention
The technical problem to be solved by the invention is to remedy the deficiencies of the background art described above by providing a dynamic-threshold DDoS attacked-address detection method.
To achieve this object the invention adopts the following technical scheme.
A dynamic-threshold DDoS attacked-address detection method comprises the following steps:
Step 1: analyse the historical data table to obtain the threshold TH_n and the threshold data table, where TH_n is the threshold predicted at the n-th update and n is a natural number greater than or equal to 1;
Step 2: collect packets during the data collection period, extract the IP addresses of the collected packets, and count the real-time data flow TF_n, the real-time data flow at the n-th update;
Step 3: compare the real-time data flow TF_n with the threshold TH_n, compute for each address the value of the overflow accumulation variable S_n at the n-th update, and update the table that stores S_n. S_n is computed as follows:
when TF_n > TH_n, go to step 3-1;
when TF_n ≤ TH_n, go to step 3-2;
Step 3-1: compute S_n at the n-th update by the formula S_n = S_{n-1} + TF_n - TH_n;
Step 3-2: when S_{n-1} > 0, compute S_n at the n-th update by the following formula:
$$S_n = \begin{cases} S_{n-1}/2, & (TH_n - TF_n) < S_{n-1}/2 \\ S_{n-1} + TF_n - TH_n, & (TH_n - TF_n) > S_{n-1}/2 \end{cases}$$
where S_1 = 0;
when S_{n-1} ≤ 0, S_n = 0;
Step 4: set the maximum of the overflow accumulation variable to S_max, compare S_n at the n-th update with S_max and, only when S_n > S_max, set S_n = S_max;
Step 5: for each IP address, check whether S_n at the n-th update is 0:
when S_n < 0, the attack on this IP address has ended;
when S_n > 0, classify this IP address as a destination address under DDoS attack;
when S_n = 0, compute the threshold of this IP address by the following formula, update the threshold data table, and overwrite the historical data table with the traffic data of the IP addresses that were not attacked:
$$TH_n = \alpha\, TH_n + (1-\alpha)\, TF_n \pm \sum_{i=n-m+1}^{n-1} (TH_i - TH_{i-1})^2 + BT$$
where α is the data update coefficient, BT is the buffer traffic, 0 ≤ α ≤ 1 and m ∈ N;
Step 6: enter the next data collection period and return to step 2.
In the dynamic-threshold DDoS attacked-address detection method described, the sign in the formula of step 5 is chosen by the following principle:
when computing the n-th threshold, take '+' if the data traffic of the (n-1)-th cycle is greater than the data traffic of the (n-2)-th cycle, otherwise take '-'.
By adopting the technical scheme above, the invention has the following beneficial effect: the threshold is updated dynamically, and the attack state of network IP addresses is monitored in real time.
Description of the drawings
Fig. 1 is the flow chart of the dynamic-threshold DDoS attacked-address detection method.
Fig. 2 is the schematic diagram of the Bloom filter address mapping.
Embodiment
The technical scheme of the invention is explained in detail below with reference to the drawings.
As shown in Fig. 1, a dynamic-threshold DDoS attacked-address detection method comprises the following steps:
Step 1: the historical data table stores m historical data records; the threshold data table stores, per address, the threshold TH_n obtained from those m historical records, where TH_n is the threshold predicted at the n-th update, m is an arbitrary natural number and n is a natural number greater than or equal to 1.
Step 2: collect packets during the data collection period t, map the IP address of each packet into the IP address data table, and count for each IP address the real-time data flow TF_n, the real-time data flow at the n-th update.
As shown in Fig. 2, addresses are mapped with a Bloom filter algorithm. In the IPv4 address system an IP address is divided into 4 segments, each taking a decimal value from 1 to 255. Following the Bloom filter algorithm, a 4 × 256 table structure built from 4 independent hash functions is set up to track the number of IP packets arriving at the router for the different destination addresses within the time period t. When an IP packet enters the router, its destination address is mapped by the 4 independent hash functions (one for each of the 4 address segments) to one of 256 distinct slots each (the value of each segment is mapped), and the variable a_ij (1 ≤ i ≤ 256, 1 ≤ j ≤ 4) stored in the mapped slot (4 slots in total, one per hash) is incremented by 1.
Step 3: compare the real-time data flow TF_n with the threshold TH_n, compute for each address the value of the overflow accumulation variable S_n at the n-th update, and update the table that stores S_n. S_n is computed as follows:
when TF_n > TH_n, go to step 3-1;
when TF_n ≤ TH_n, go to step 3-2;
Step 3-1: compute S_n at the n-th update by the formula S_n = S_{n-1} + TF_n - TH_n;
Step 3-2: when S_{n-1} > 0, compute S_n at the n-th update by the following formula:
$$S_n = \begin{cases} S_{n-1}/2, & (TH_n - TF_n) < S_{n-1}/2 \\ S_{n-1} + TF_n - TH_n, & (TH_n - TF_n) > S_{n-1}/2 \end{cases}$$
where S_1 = 0;
when S_{n-1} ≤ 0, S_n = 0;
Step 4: set the maximum of the overflow accumulation variable to S_max, compare S_n at the n-th update with S_max and, only when S_n > S_max, set S_n = S_max;
Step 5: for each IP address, check whether S_n at the n-th update is 0:
when S_n < 0, the attack on this IP address has ended;
when S_n > 0, classify this IP address as a destination address under DDoS attack;
when S_n = 0, compute by the following formula the threshold of the IP address whose S_n equals 0, update the threshold data table, and overwrite the historical data table with the traffic data of the IP addresses that were not attacked:
$$TH_n = \alpha\, TH_n + (1-\alpha)\, TF_n \pm \sum_{i=n-m+1}^{n-1} (TH_i - TH_{i-1})^2 + BT \quad (0 \le \alpha \le 1,\ m \in N)$$
where α is the data update coefficient and BT is the buffer traffic; the sign in the formula is chosen by the following principle: when computing the n-th threshold, take '+' if the data traffic of the (n-1)-th cycle is greater than the data traffic of the (n-2)-th cycle, otherwise take '-'.
Step 6: enter the next data collection period and return to step 2.

Claims (2)

1. A dynamic-threshold DDoS attacked-address detection method, characterized by comprising the following steps:
Step 1: analyse the historical data table to obtain the threshold TH_n and the threshold data table, where TH_n is the threshold predicted at the n-th update and n is a natural number greater than or equal to 1;
Step 2: collect packets during the data collection period, extract the IP addresses of the collected packets, and count the real-time data flow TF_n, the real-time data flow at the n-th update;
Step 3: compare the real-time data flow TF_n with the threshold TH_n, compute for each address the value of the overflow accumulation variable S_n at the n-th update, and update the table that stores S_n. S_n is computed as follows:
when TF_n > TH_n, go to step 3-1;
when TF_n ≤ TH_n, go to step 3-2;
Step 3-1: compute S_n at the n-th update by the formula S_n = S_{n-1} + TF_n - TH_n;
Step 3-2: when S_{n-1} > 0, compute S_n at the n-th update by the following formula:
$$S_n = \begin{cases} S_{n-1}/2, & (TH_n - TF_n) < S_{n-1}/2 \\ S_{n-1} + TF_n - TH_n, & (TH_n - TF_n) > S_{n-1}/2 \end{cases}$$
where S_1 = 0;
when S_{n-1} ≤ 0, S_n = 0;
Step 4: set the maximum of the overflow accumulation variable to S_max, compare S_n at the n-th update with S_max and, only when S_n > S_max, set S_n = S_max;
Step 5: for each IP address, check whether S_n at the n-th update is 0:
when S_n < 0, the attack on this IP address has ended;
when S_n > 0, classify this IP address as a destination address under DDoS attack;
when S_n = 0, compute the threshold of this IP address by the following formula, update the threshold data table, and overwrite the historical data table with the traffic data of the IP addresses that were not attacked:
$$TH_n = \alpha\, TH_n + (1-\alpha)\, TF_n \pm \sum_{i=n-m+1}^{n-1} (TH_i - TH_{i-1})^2 + BT$$
where α is the data update coefficient, BT is the buffer traffic, 0 ≤ α ≤ 1 and m ∈ N;
Step 6: enter the next data collection period and return to step 2.
2. The dynamic-threshold DDoS attacked-address detection method according to claim 1, characterized in that the sign in the formula of step 5 is chosen by the following principle:
when computing the n-th threshold, take '+' if the data traffic of the (n-1)-th cycle is greater than the data traffic of the (n-2)-th cycle, otherwise take '-'.
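The per-address loop of steps 1 to 6 (summary, embodiment and claim 1) together with the sign rule of claim 2, as an added Python example that is not part of the patent. It assumes the step 5 formula literally as printed, uses the computed value as the threshold for the next cycle, reads the threshold data table as its last m entries, and takes the '-' branch while fewer than two cycles of unattacked traffic are recorded; S_max, α, m, BT and the traffic series are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class AddressState:
    """Per-destination-address state carried across collection cycles."""
    th: float                                    # TH_n, current predicted threshold
    s: float = 0.0                               # overflow accumulation variable, S_1 = 0
    th_hist: list = field(default_factory=list)  # threshold data table: TH_i, newest last
    tf_hist: list = field(default_factory=list)  # historical data table: TF_i of unattacked cycles

def update_overflow(s_prev, tf, th, s_max):
    """Steps 3 and 4: S_n from S_{n-1}, TF_n and TH_n, capped at S_max."""
    if tf > th:                                  # Step 3-1: excess traffic accumulates
        s = s_prev + tf - th
    elif s_prev > 0:                             # Step 3-2: under threshold, accumulator drains
        deficit = th - tf
        # Both branches give S_{n-1}/2 when deficit == S_{n-1}/2, so the tie is harmless.
        s = s_prev / 2 if deficit < s_prev / 2 else s_prev - deficit
    else:                                        # S_{n-1} <= 0 -> S_n = 0
        s = 0.0
    return min(s, s_max)                         # Step 4: cap at S_max

def classify(s):
    """Step 5 verdict for one address from the sign of S_n."""
    if s > 0:
        return "attacked"                        # listed as a DDoS destination address
    if s < 0:
        return "attack_ended"
    return "normal"

def next_threshold(th, tf, th_hist, tf_hist, alpha, m, bt):
    """Step 5 threshold formula, implemented literally as printed on the page.

    Sign rule (claim 2): '+' when the (n-1)th cycle's traffic exceeded the
    (n-2)th cycle's, '-' otherwise; with fewer than two recorded cycles the
    '-' branch is used (assumption)."""
    sign = 1.0 if len(tf_hist) >= 2 and tf_hist[-1] > tf_hist[-2] else -1.0
    window = th_hist[-m:]                        # last m thresholds -> m-1 consecutive differences
    diff_sq = sum((b - a) ** 2 for a, b in zip(window, window[1:]))
    return alpha * th + (1 - alpha) * tf + sign * diff_sq + bt

def run_cycle(state, tf, s_max, alpha, m, bt):
    """One collection cycle (steps 2-6) for one address; returns its verdict."""
    state.s = update_overflow(state.s, tf, state.th, s_max)
    verdict = classify(state.s)
    if state.s == 0:                             # only unattacked traffic updates the tables
        state.th = next_threshold(state.th, tf, state.th_hist, state.tf_hist, alpha, m, bt)
        state.th_hist.append(state.th)
        state.tf_hist.append(tf)
    return verdict

if __name__ == "__main__":
    # Constructed sample: packets per cycle for one destination, quiet then flooded.
    st = AddressState(th=100.0, th_hist=[100.0])
    for tf in [80, 90, 85, 600, 700, 50, 40, 80]:
        v = run_cycle(st, tf, 500, 0.8, 3, 10.0)
        print(f"TF={tf:4}  {v:<12} S={st.s:8.2f}  TH={st.th:8.2f}")
```

Note that the '-' branch subtracts the sum of squared threshold changes, so a volatile threshold history can drive the next threshold well below the current traffic; nothing in the printed formula bounds it from below.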
Priority and family

Application CN201110309008.2A (priority date 2011-10-12, filing date 2011-10-12): Detection method for DDoS attacked address of dynamic threshold. Status: Expired - Fee Related. Family ID: 45862077. Country status: CN, CN102394868B.

Publications (2)

Publication Number | Publication Date
CN102394868A (en) | 2012-03-28
CN102394868B (en) | 2014-05-07

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103795590B (en) * | 2013-12-30 | 2017-07-04 | 北京天融信软件有限公司 | A calculation method for a network traffic detection threshold
CN108259426B (en) * | 2016-12-29 | 2020-04-28 | 华为技术有限公司 | DDoS attack detection method and device
CN108810948B (en) * | 2018-05-29 | 2021-03-19 | 每日互动股份有限公司 | Method for identifying real flow

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
JP4654092B2 (en) * | 2005-08-25 | 2011-03-16 | 日本電信電話株式会社 | Attack protection method, system and program for SIP server
CN101060531A (en) * | 2007-05-17 | 2007-10-24 | 华为技术有限公司 | A method and device for avoiding the attack of network equipment
CN101378394A (en) * | 2008-09-26 | 2009-03-04 | 成都市华为赛门铁克科技有限公司 | Detection defense method for distributed reject service and network appliance
CN101547129A (en) * | 2009-05-05 | 2009-09-30 | 中国科学院计算技术研究所 | Method and system for detecting distributed denial of service attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JP Patent No. 4654092 B2, 2011.03.16


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee (granted publication date: 20140507; termination date: 20171012)