CN104125195A - Method of filtering LDDoS attack traffic based on frequency domain of filter - Google Patents


Info

Publication number
CN104125195A
Authority
CN
China
Prior art keywords
lddos
filter
attack
frequency
traffic
Prior art date
Legal status
Pending
Application number
CN201310143590.9A
Other languages
Chinese (zh)
Inventor
马兰
吴志军
岳猛
Current Assignee
Civil Aviation University of China
Original Assignee
Civil Aviation University of China
Priority date
2013-04-24
Filing date
2013-04-24
Publication date
2014-10-29

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed is a method of filtering LDDoS (low-rate distributed denial of service) attack traffic in the frequency domain with a filter, so as to resist LDDoS attacks. LDDoS attacks are becoming one of the most serious threats to networks worldwide; they exhaust network resources mainly by continually sending large numbers of packets so that connections become congested. The method analyses LDDoS attacks with digital signal processing and exploits the characteristic that the attack traffic, because a large quantity of data is sent, carries more energy than legitimate traffic in certain frequency components. An FIR filter is designed to remove the frequency components of the spectrum that contain attack traffic, which raises the LAR (Legitimate traffic to Attacked traffic Ratio) and leaves more network resources available for serving normal users.

Description

Method of filtering LDDoS attack traffic based on the filter frequency domain
Technical field
The present invention relates to computer network security technology, in particular to the detection of low-rate distributed denial of service (LDDoS) attacks; it can effectively detect and filter LDDoS attack streams whose energy is distributed in the low-frequency range.
Background technology
Since LDDoS was discovered in 2001 it has attracted the attention of many researchers worldwide. Internationally, Kuzmanovic and Knightly were the first to analyse the generation principle of LDDoS in detail; they studied its recurring-pulse characteristic in depth, revealed the mechanism by which an LDDoS attack produces overflow, and proposed defensive ideas for networks. Gabriel Maciá-Fernández, Y. Zhang and others developed fairly complete methods for detecting LDDoS attacks in the frequency domain and validated them by simulation under NS-2. Cheng first proposed detecting LDDoS attacks in the frequency domain using the normalized cumulative power spectral density (NCPSD). Barford, Kline and others proposed using signal-processing methods to detect abnormal traffic in networks. Xiapu Luo and Rocky K. C. Chang simulated and tested the performance of LDDoS attacks and used wavelet techniques to detect them in the frequency domain. Aleksandar Kuzmanovic and Edward W. Knightly studied TCP-targeted LDDoS attacks and countermeasures. At present, international research on LDDoS concentrates mostly on its detection and defence. In China, the research team led by Professor Yang Yixian at the Information Security Center of Beijing University of Posts and Telecommunications studied a method and device for detecting low-rate denial of service attacks, and the group led by Professor Niu Xinxin studied a three-level detection algorithm for low-rate denial of service attacks; the group led by Professor He Yanxiang at the School of Computer Science, Wuhan University, studied LDDoS attack models and related topics and proposed a low-rate DoS detection method based on wavelet feature extraction; a group at the University of Science and Technology of China studied the performance of LDDoS attacks against fast TCP; the group led by Professor Duan Haixin at the Information Network Engineering Research Center of Tsinghua University studied a DoS attack defence test bed; Professor Liu Wu of the same center studied the vulnerability of the ICMPv6 protocol to DoS attacks; Zhang Changwang and others at the School of Computer Science, National University of Defense Technology, studied a detection and filtering method for distributed low-rate DoS attacks based on congestion participation; Wei Wei and others at Zhejiang University studied detection and response mechanisms for low-rate TCP denial of service attacks; Shanghai Jiao Tong University studied a low-rate denial of service attack mechanism based on fast retransmit/fast recovery. Building on an analysis of the principle and generation mechanism of LDDoS attacks, the performance of the attack has been studied, and signal-processing techniques have been applied to the detection of LDDoS attacks based on power spectral density (PSD) and to their filtering in the frequency domain, with some progress.
With existing network traffic analysis methods, the periodic LDDoS attack pulses are hard to detect in the time domain, because the average bandwidth they occupy is not very large. In the distributed case, an attack launched by many zombie machines further reduces the rate of each individual flow, making detection even harder. A distributed attacker can also lower the average traffic by reducing the peak rate or lengthening the attack period. Detecting this class of attack from the time series alone is therefore fruitless. Existing attack detection techniques are essentially based on time series, so the detection of LDDoS attacks is a blind spot.
First, current intrusion detection techniques use a time-series approach: they count the attack packets within a set detection window and decide whether an attack exists from the size of the traffic statistic. Because the duration of an LDDoS attack pulse is very short, far shorter than the average detection window set by existing methods, and because the average rate of LDDoS attack traffic is very small, only 10%-20% of normal traffic, existing detection techniques are powerless against LDDoS;
Second, the expertise needed to mount an LDDoS attack is high. Even if an ordinary hacker masters the technique for generating the attack, key problems such as attack time synchronization and traffic aggregation remain unsolved, so the probability that an LDDoS attack is launched is very small;
Third, most network attacks today are motivated by money. High-skill, high-impact attacks are in the hands of a small number of expert hackers, who, when it is profitable, rent their attack networks to whoever pays in order to damage or retaliate against a chosen target.
In research on detecting and defending against distributed denial of service (DoS) attacks, the currently popular approach worldwide combines digital signal processing (DSP) with network traffic data processing and applies classical signal detection theory and filter theory to the detection and filtering of DoS attack traffic. Examples include using the normalized cumulative power spectral density (NCPSD) as the criterion for detecting LDDoS attacks, and using wavelet analysis to find attack components among the frequency components.
Summary of the invention
Detecting weak periodic signals with a chaotic system exploits, in essence, the system's perturbation behaviour and its sensitivity to parameters: a suitable perturbation changes the periodic solution fundamentally, and this change is what is detected. Specifically, the weak signal to be measured is used as a periodic perturbation of the chaotic system. Strong noise does not change the state of the system, but once a specific small perturbing signal is present, the sensitivity of the chaotic system to small periodic signals causes a fundamental phase transition even when the amplitude is small. By identifying the system state, a computer can decide whether the signal is present, and so a weak periodic signal can be detected under strong background noise.
The TCP and LDDoS packets arriving at the router are sampled systematically to obtain a discrete time series $x(n)$. According to the Nyquist sampling theorem its amplitude-frequency characteristic can be obtained. In this process the sampling also acts as a low-pass filter and removes high-frequency noise. The number of arriving packets can be represented by the random process model $\{x(t),\ t = n\Delta,\ n \in N\}$, where $\Delta$ is a constant, the sampling period, which is 1 ms in the experiments; $N$ is the total number of samples; and $x(t)$ is a random variable giving the number of packets arriving at the router in the interval $(t-\Delta, t)$. The discrete Fourier transform (DFT) converts the time-domain sequence into the frequency domain:
$$\mathrm{DFT}(x(n), k) = \frac{1}{N}\sum_{n=0}^{N-1} x(n)\, e^{-j2\pi kn/N}, \quad k = 0, 1, \dots, N-1$$
After the DFT, the characteristics of the sequence can be observed and analysed from another angle.
In a TCP stream the number of packets obeys a conservation principle, which shows up in particular as periodicity: if a packet of a TCP stream appears at any node of the network, then after one round-trip time (RTT) another packet belonging to the same TCP stream will appear at that node. This feature can be made concrete with the autocorrelation function:
$$R_{xx}(\tau, t) = E[x(t)\, x(t+\tau)]$$
In practice, however, the power spectral density (PSD) is a more direct and effective way to observe periodicity. The PSD function is in fact the DFT of the autocorrelation function of the sequence:
$$S_{xx}(f) = \sum_{k=-\infty}^{\infty} R_{xx}(k)\, e^{-j2\pi kf}$$
Because a complete mathematical description of the random process is not available, the invention uses a PSD estimate in place of the true PSD. The Yule-Walker modern spectral estimation method used in the invention overcomes the low spectral resolution of classical estimators such as the Welch method.
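As an added illustration (example code written for this page, not part of the patent), the following pure-Python script computes the autocorrelation of a constructed 1 ms packet-count series for one ACK-clocked TCP flow, reads the RTT off the lag of the first autocorrelation peak, and checks the relation stated above, that the PSD is the DFT of the autocorrelation, against the periodogram $|X(k)|^2/N$ of the same series. The series (a 3-packet burst every 24 ms plus 0/1 background counts from a small linear congruential generator), the 240 ms record length and the use of the circular autocorrelation, chosen so that the identity holds exactly, are all assumptions of the example; the patent's own Yule-Walker PSD estimate is not reproduced here.

```python
import cmath
import math

SAMPLE_MS = 1  # Delta = 1 ms sampling interval, as in the patent's experiments


def rtt_clocked_series(n=240, rtt_ms=24, seed=7):
    """Constructed arrival counts (packets per 1 ms bin) for one ACK-clocked TCP flow:
    a 3-packet burst every RTT plus a 0/1 background count from a small LCG, so the
    run is deterministic and needs no captured traffic."""
    counts, state = [], seed
    for t in range(n):
        state = (1103515245 * state + 12345) % 2 ** 31
        noise = (state >> 16) & 1
        counts.append(float((3 if t % rtt_ms == 0 else 0) + noise))
    return counts


def autocorrelation(x):
    """Circular sample autocorrelation of the mean-removed series,
    R_xx(tau) = (1/N) sum_t y(t) y((t + tau) mod N), tau = 0 .. N-1.
    The circular form is chosen so that DFT(R_xx) equals |Y(k)|^2 / N exactly."""
    n = len(x)
    mean = sum(x) / n
    y = [v - mean for v in x]
    return [sum(y[t] * y[(t + tau) % n] for t in range(n)) / n for tau in range(n)]


def dft(seq):
    """Plain O(N^2) DFT, X(k) = sum_n x(n) e^{-j 2 pi k n / N}; adequate for a 240-point record."""
    n = len(seq)
    return [sum(seq[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)) for k in range(n)]


def estimate_rtt_ms(x, max_lag):
    """RTT estimate: lag (in samples, i.e. ms) of the largest autocorrelation value in 1..max_lag."""
    r = autocorrelation(x)
    return max(range(1, max_lag + 1), key=lambda tau: r[tau]) * SAMPLE_MS


def psd_from_autocorrelation(x):
    """S_xx(k) = DFT(R_xx)(k); real and non-negative up to rounding."""
    return [c.real for c in dft(autocorrelation(x))]


def periodogram(x):
    """|Y(k)|^2 / N of the mean-removed series, the direct PSD estimate."""
    n = len(x)
    mean = sum(x) / n
    return [abs(c) ** 2 / n for c in dft([v - mean for v in x])]


def max_abs_difference(a, b):
    """Largest element-wise gap between two spectra (confirms the two PSD routes agree)."""
    return max(abs(p - q) for p, q in zip(a, b))


if __name__ == "__main__":
    series = rtt_clocked_series()
    print("estimated RTT (ms):", estimate_rtt_ms(series, max_lag=40))
    print("max |DFT(R_xx) - periodogram|:",
          max_abs_difference(psd_from_autocorrelation(series), periodogram(series)))
```

The autocorrelation peak at lag 24 is the packet-conservation periodicity the description refers to; the two PSD routes agree to rounding error, which is the Wiener-Khinchin relation written out on a finite record.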
Comparing the energy distributions of normal traffic and of traffic containing an attack, LDDoS attack traffic has more than 90% of its energy distributed below 6 Hz, whereas only 20% of normal TCP traffic lies below 6 Hz. The frequency components that contain the attack are removed with an FIR filter. A digital filter is a discrete-time linear time-invariant system realized with finite-precision arithmetic. The FIR filter design problem is to make the frequency response $H(e^{j\omega})$ of the filter to be designed approach the response $H_d(e^{j\omega})$ of the desired ideal filter, or equivalently, in terms of the unit-sample response, to make $h(n)$ approach the ideal unit-sample response $h_d(n)$. The invention designs the FIR filter with the Bartlett window function method.
The Bartlett window function can be expressed in the time domain as follows.
When n is odd:
$$w(k) = \begin{cases} \dfrac{2(k-1)}{n-1}, & 1 \le k \le \dfrac{n+1}{2} \\[6pt] 2 - \dfrac{2(k-1)}{n-1}, & \dfrac{n+1}{2} \le k \le n \end{cases}$$
When n is even:
$$w(k) = \begin{cases} \dfrac{2(k-1)}{n-1}, & 1 \le k \le \dfrac{n}{2} \\[6pt] \dfrac{2(n-k)}{n-1}, & \dfrac{n}{2}+1 \le k \le n \end{cases}$$
The Bartlett function is called as w = bartlett(n):
(1) the input parameter n is the length of the window function;
(2) the output parameter w is the n-element vector of window values;
(3) the Bartlett window is the convolution of two rectangular windows;
(4) the two end values of the window generated by this function are always 0.
An FIR high-pass filter is designed with the Bartlett window function method, with a cutoff frequency of 5 Hz. The filter is placed in front of the victim end to filter the LDDoS attack stream while ensuring that legitimate TCP streams pass through it.
Brief description of the drawings
Fig. 1 is the LDDoS attack model;
Fig. 2 is the normalized power spectrum of the LDDoS attack stream and the normal TCP stream before filtering;
Fig. 3 is a schematic diagram of the FIR filter filtering the LDDoS attack;
Fig. 4 is the spectrum of the FIR filter with a 5 Hz cutoff frequency;
Fig. 5 is the normalized power spectrum of the LDDoS attack stream and the normal TCP stream after filtering;
Fig. 6 is the simulation topology used by the invention.
Embodiment
1. In the attack scenario simulated according to Fig. 6, the link bandwidth between the clients, the attacking end and the router is 100 Mbps with a one-way delay of 2 ms; the bottleneck link bandwidth is 10 Mbps with a one-way delay of 10 ms. The router transmit queue holds 100 packets. The three LDDoS attack parameters are L = 200 ms, R = 10 Mb and T = 1200 ms.
2. At the victim end, the received packets are counted at 1 ms intervals for a statistics period of 6 s, producing the time-domain sequence x(n).
3. The sequence is transformed to the frequency domain by DFT and the PSD of the statistical series is obtained by spectral estimation. The energy of a stream containing an LDDoS attack in the low-frequency region, particularly in [0 Hz, 6 Hz], is clearly higher than that of a normal TCP stream, so there is reason to believe that filtering out the frequency components of the attack can mitigate it.
4. Using the amplitude-frequency characteristic of the FIR filter designed with the Bartlett window function method, the filter passes only the required frequency components, that is, those contained in normal traffic.
5. After filtering, the frequency content of the LDDoS attack is well suppressed: the frequency components that most normal TCP traffic does not contain are almost entirely removed, and what passes are the legitimate frequency components of normal traffic. Because of the transition-band performance of the designed filter, however, the filtering is not complete and a small fraction of the attack traffic's frequency components remains.
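The complete pipeline of the embodiment, detection by the share of power below 6 Hz followed by Bartlett-window FIR high-pass filtering at 5 Hz, as an added worked example in pure Python. It was written for this page and is not the patent's code or its NS-2 simulation. It takes the sampling parameters from the description and the embodiment (Δ = 1 ms, a 6 s record, hence a 6000-point series, attack pulses with L = 200 ms and T = 1200 ms); everything else is an assumption of the example: the two packet-count series are constructed (a rectangular 10 packets/ms attack pulse train, and a legitimate flow made of a burst every 24 ms plus 0/1 background counts from a small LCG), the PSD is the plain periodogram of the DC-removed series rather than a Yule-Walker estimate, the ideal high-pass unit-sample response is the textbook $\delta(n-M) - \sin(\omega_c (n-M))/(\pi(n-M))$, the filter has 1001 taps, and the filter is applied in the frequency domain (the spectrum is multiplied by the filter's response at each bin, i.e. circular convolution) so that the energy removed from each stream can be read off directly. The DFT is a mixed-radix Cooley-Tukey routine because 6000 is not a power of two; that goes beyond what the text needs but keeps the example dependency-free.

```python
import cmath
import math

FS_HZ = 1000.0      # Delta = 1 ms sampling interval, as in the patent's experiments
N_SAMPLES = 6000    # 6 s statistics period -> 6000-point series x(n)


def fft(x):
    """Mixed-radix Cooley-Tukey DFT, X(k) = sum_n x(n) e^{-j2 pi k n/N}, valid for any N
    (6000 = 2^4 * 3 * 5^3): recurse on the smallest prime factor p of N."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    p = next(d for d in range(2, n + 1) if n % d == 0)
    m = n // p
    subs = [fft(x[r::p]) for r in range(p)]          # p interleaved sub-DFTs of length m
    out = []
    for k in range(n):
        twiddle = cmath.exp(-2j * math.pi * k / n)
        acc, w = 0j, 1 + 0j
        for r in range(p):
            acc += w * subs[r][k % m]                 # X(k) = sum_r W_N^{rk} * X_r(k mod m)
            w *= twiddle
        out.append(acc)
    return out


def low_frequency_share(spectrum, f_cut_hz, fs_hz=FS_HZ):
    """Detection criterion of claim 2, steps (4)-(5): share of total power in |f| <= f_cut_hz.
    The DC bin is excluded (equivalent to removing the mean before the DFT)."""
    n = len(spectrum)
    k_max = int(f_cut_hz * n / fs_hz)
    assert 0 < k_max < n // 2, "cutoff must lie strictly inside (0, fs/2)"
    power = [abs(c) ** 2 for c in spectrum]
    return 2 * sum(power[1:k_max + 1]) / sum(power[1:])   # bins 1..k_max and their mirrors N-k


def bartlett(n):
    """Bartlett window w(k), k = 1..n, as written in the description (end values are always 0)."""
    return [2.0 * (k - 1) / (n - 1) if 2 * k <= n + 1 else 2.0 * (n - k) / (n - 1)
            for k in range(1, n + 1)]


def fir_highpass(n_taps, f_cut_hz, fs_hz=FS_HZ):
    """Window-method FIR high-pass: h(n) = w(n) * h_d(n), with the ideal high-pass response
    h_d(n) = delta(n-M) - sin(wc (n-M)) / (pi (n-M)) centred on M = (n_taps-1)/2 (assumed form)."""
    assert n_taps % 2 == 1, "odd length keeps the centre tap at w(M) = 1 and the phase linear"
    centre = (n_taps - 1) // 2
    wc = 2 * math.pi * f_cut_hz / fs_hz
    window = bartlett(n_taps)
    taps = []
    for i in range(n_taps):
        d = i - centre
        ideal = 1 - wc / math.pi if d == 0 else -math.sin(wc * d) / (math.pi * d)
        taps.append(window[i] * ideal)
    return taps


def surviving_power_share(spectrum, filter_response):
    """Share of (DC-excluded) power left after multiplying each bin by the filter's response."""
    kept = sum(abs(x * h) ** 2 for x, h in zip(spectrum[1:], filter_response[1:]))
    return kept / sum(abs(x) ** 2 for x in spectrum[1:])


def lddos_pulse_train(n=N_SAMPLES, burst_ms=200, period_ms=1200, rate=10.0):
    """Constructed LDDoS arrival series: `rate` packets per ms during each L = 200 ms burst,
    repeating every T = 1200 ms, zero in between."""
    return [rate if i % period_ms < burst_ms else 0.0 for i in range(n)]


def normal_tcp_series(n=N_SAMPLES, rtt_ms=24, seed=1):
    """Constructed legitimate series: a 3-packet burst every RTT (24 ms) plus a 0/1 background
    count from a small LCG, so the run is deterministic."""
    counts, state = [], seed
    for i in range(n):
        state = (1103515245 * state + 12345) % 2 ** 31
        counts.append(float((3 if i % rtt_ms == 0 else 0) + ((state >> 16) & 1)))
    return counts


def analyse(detect_cut_hz=6.0, filter_cut_hz=5.0, n_taps=1001):
    """Run detection (power share below 6 Hz) and filtering (5 Hz Bartlett FIR high-pass)
    on the two constructed streams and report what each step sees."""
    attack, normal = fft(lddos_pulse_train()), fft(normal_tcp_series())
    taps = fir_highpass(n_taps, filter_cut_hz)
    response = fft(taps + [0.0] * (N_SAMPLES - n_taps))   # filter response on the same bins
    return {
        "attack_low_share": low_frequency_share(attack, detect_cut_hz),
        "normal_low_share": low_frequency_share(normal, detect_cut_hz),
        "attack_removed": 1 - surviving_power_share(attack, response),
        "normal_removed": 1 - surviving_power_share(normal, response),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value:.3f}")
```

With these constructed inputs the pulse train puts close to 90% of its AC power below 6 Hz (its harmonics sit at multiples of 1/T = 0.83 Hz, and the 200 ms burst width puts the first spectral null at 5 Hz), while the RTT-clocked stream's power sits at multiples of 41.7 Hz plus a flat noise floor. The high-pass removes most of the attack's power but not all of it, for the reason given in step 5 above: the Bartlett design has a transition band of roughly 4 Hz around the 5 Hz cutoff, so harmonics near the cutoff are only partly attenuated. Because the Bartlett window's spectrum is non-negative, the windowed response is free of ripple and never exceeds unity, so the filter cannot amplify any component of the legitimate stream.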

Claims (3)

1. A method of filtering LDDoS (Low-rate Distributed Denial of Service) attack traffic based on the filter frequency domain is a new method of defending against network attacks with digital signal processing. LDDoS attacks are concealed and not easily detected in the time domain, but in the frequency domain LDDoS attack traffic shows characteristics different from normal TCP traffic: it is distributed more in the low-frequency range. Using this characteristic, an FIR filter can be designed to filter the attack traffic.
2. The LDDoS attack filtering method based on an FIR filter according to claim 1, characterized in that the filtering method comprises the following steps:
(1) establish a network traffic model T(t) = P(t) + v(t) + A(t);
(2) at the victim end, sample the network traffic at equal intervals and construct from the sampling times a discrete series {x(t), t = nΔ, n ∈ N};
(3) perform a Bartlett spectral estimate on the sequence x(t) to obtain the power spectral density of the sample sequence;
(4) sum the power below frequency f, taking the distribution ratio of the power spectral density (PSD) as the detection criterion;
(5) determine a decision threshold; when the share of the PSD below the low-frequency limit f exceeds the threshold, an LDDoS attack is judged to be occurring;
(6) design an FIR high-pass filter with cutoff frequency f;
(7) place the FIR filter in front of the attack target to filter out the attack traffic in the low-frequency region;
where, in step (1), P(t) is the normal TCP traffic, v(t) the network background noise and A(t) the LDDoS attack traffic;
in step (2), the sampling interval is t and the sampling period T, so that the sampled data form a discrete sequence;
step (3) can be expressed as the Bartlett transform of the sample sequence x(t):
where the PSD estimate formed from the segments $x_l(n)$ is the PSD estimate of $x(n)$; $x(n)$ is an N-point sequence and $x_l(n)$ ($l = 1, 2, \dots, L$) are its M-point non-overlapping segments, with $L = N/M$;
in step (4), 90% of the energy of the LDDoS attack stream is concentrated below 6 Hz, while 20% of the energy of the normal TCP stream is below 6 Hz;
in step (5), the decision threshold is determined by the selected frequency; generally $F_d = 5$ Hz is chosen and the threshold is 90%;
in step (6), the cutoff frequency is chosen as 5 Hz;
in step (7), the FIR filter can filter out more than 90% of the LDDoS attack traffic.
3. The LDDoS attack filtering method based on an FIR filter according to claim 2, characterized in that:
(1) the sampling interval is set to 1 ms and the sampling period to 6 s, forming a sequence of 6000 points;
(2) the FIR filter is designed as $H(e^{j\omega}) = H(\omega)\, e^{j\theta(\omega)}$, where $H(\omega)$ is the frequency response of the window-function FIR filter;
(3) the high-pass filter with a 5 Hz cutoff frequency filters out 92.88% of the LDDoS attack while filtering out 19.75% of the normal TCP traffic, which proves that it effectively filters the attack stream while ensuring that most of the normal traffic passes.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310143590.9A CN104125195A (en) 2013-04-24 2013-04-24 Method of filtering LDDoS attack traffic based on frequency domain of filter

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310143590.9A CN104125195A (en) 2013-04-24 2013-04-24 Method of filtering LDDoS attack traffic based on frequency domain of filter

Publications (1)

Publication Number Publication Date
CN104125195A true CN104125195A (en) 2014-10-29

Family

ID=51770461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310143590.9A Pending CN104125195A (en) 2013-04-24 2013-04-24 Method of filtering LDDoS attack traffic based on frequency domain of filter

Country Status (1)

Country Link
CN (1) CN104125195A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108334774A (en) * 2018-01-24 2018-07-27 中国银联股份有限公司 Attack detection method, first server and second server
CN109889531A (en) * 2019-03-07 2019-06-14 北京华安普特网络科技有限公司 DDoS attack detection method for a Web server
CN112118139A (en) * 2020-09-18 2020-12-22 河南农业大学 Collaborative design method for security event driver and SDOFH controller
CN112804248A (en) * 2021-01-28 2021-05-14 湖南大学 LDoS attack detection method based on frequency domain feature fusion
CN115616901A (en) * 2022-08-28 2023-01-17 西北工业大学 Distributed frequency control method for fixed event trigger of power system under denial of service attack

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020199109A1 (en) * 2001-06-25 2002-12-26 Boom Douglas D. System, method and computer program for the detection and restriction of the network activity of denial of service attack software
CN101621425A (en) * 2009-05-21 2010-01-06 北京邮电大学 Method and device for detecting low-speed denial of service attack

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
WU ZHIJUN ET AL: "Filtering LDOS Attack by FIR Filter", Chinese Journal of Electronics *
Wu Zhijun et al.: "LDDoS attack detection method based on Kalman filtering" (基于卡尔曼滤波的LDDoS攻击检测方法), Acta Electronica Sinica (电子学报) *
Wu Zhijun et al.: "Research on a frequency-domain method of filtering DoS attacks" (频域过滤DoS攻击方法的研究), Journal of Electronics & Information Technology (电子与信息学报) *
Zhang Dong: "Research on DDoS detection and defence methods based on a frequency-domain filtering mechanism" (基于频域过滤机制的DDoS检测和防御方法研究), China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士论文全文库信息科技辑) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108334774A (en) * 2018-01-24 2018-07-27 中国银联股份有限公司 Attack detection method, first server and second server
CN109889531A (en) * 2019-03-07 2019-06-14 北京华安普特网络科技有限公司 DDoS attack detection method for a Web server
CN112118139A (en) * 2020-09-18 2020-12-22 河南农业大学 Collaborative design method for security event driver and SDOFH controller
CN112118139B (en) * 2020-09-18 2023-08-15 河南农业大学 Collaborative design method for security event driver and SDOFH controller
CN112804248A (en) * 2021-01-28 2021-05-14 湖南大学 LDoS attack detection method based on frequency domain feature fusion
CN112804248B (en) * 2021-01-28 2022-02-01 湖南大学 LDoS attack detection method based on frequency domain feature fusion
CN115616901A (en) * 2022-08-28 2023-01-17 西北工业大学 Distributed frequency control method for fixed event trigger of power system under denial of service attack
CN115616901B (en) * 2022-08-28 2024-04-19 西北工业大学 Distributed frequency control method for event triggering fixation of power system under denial of service attack

Similar Documents

Publication Publication Date Title
Tang et al. MF-Adaboost: LDoS attack detection based on multi-features and improved Adaboost
CN101577642B (en) Method for one-step forecasting Kalman filtering detection of LDoS attack
CN104125195A (en) Method of filtering LDDoS attack traffic based on frequency domain of filter
Xie et al. Monitoring the application-layer DDoS attacks for popular websites
CN105100017A (en) LDoS attack detection method based on signal cross correlation
Hou et al. Machine learning based DDoS detection through NetFlow analysis
CN105245503B (en) Hidden Markov model detects LDoS attack method
Wu et al. Low-rate DoS attack flows filtering based on frequency spectral analysis
Wu et al. Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks
CN103139166A (en) Low-rate denial of service (LDoS) attack detection method based on small signal detection theory
CN106230819B (en) DDoS detection method based on flow sampling
CN102457489A (en) Attacking, detecting and defending module for LDoS (Low-rate Denial of Service)
Zhi-Jun et al. MSABMS-based approach of detecting LDoS attack
CN101951356B (en) Synchronization method of orthogonal frequency division multiplexing-ultra wideband (OFDM-UWB) system based on peak detection
CN104734916B (en) Efficient multi-stage anomalous traffic detection method based on the TCP protocol
CN105119919A (en) Attack behavior detection method based on flow abnormity and feature analysis
CN103630916B (en) Code capturing method based on dual-FFT frequency domain filtering
CN104009986A (en) Network attack springboard detection method and device based on host
Wu et al. Chaos-based detection of LDoS attacks
Wu et al. A low-rate dos attack detection method based on hilbert spectrum and correlation
CN102546499A (en) Fractional-order channelized receiving method of real linear frequency modulation (LFM) signal
CN108199898A (en) Method for enhancing LDoS attack efficiency
CN104158823B (en) Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service)
CN104125194A (en) LDDoS attack time synchronization and flow convergence method based on cross correlation
CN104125193A (en) LDDoS attack detection method based on chaotic Duffing oscillators

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 2014-10-29)