CN106209861A - Web application layer DDoS attack detection method and device based on the generalized Jaccard similarity coefficient - Google Patents

Web application layer DDoS attack detection method and device based on the generalized Jaccard similarity coefficient

Info

Publication number
CN106209861A
Authority
CN
China
Prior art keywords
similarity coefficient
time interval
jie kade
ddos attack
data
Prior art date
Legal status
Granted
Application number
CN201610556957.3A
Other languages
Chinese (zh)
Other versions
CN106209861B (en)
Inventor
曹晓梅
史家铭
张宇
Current Assignee
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention analyses the differences and similarities in traffic attributes and user-behaviour attributes that appear when an HTTP Flood attack or a slow HTTP Post connection attack occurs at the Web application layer. It proposes a Web server DDoS attack detection method and device based on the Jaccard similarity coefficient. The method is the first to use multiple attribute features together for similarity comparison. Simulation experiments show that it not only detects HTTP Flood attacks and slow HTTP Post connection attacks effectively but also distinguishes flash crowds (burst traffic) accurately, with strong real-time online detection and a high accuracy rate.

Description

Web application layer DDoS attack detection method and device based on the generalized Jaccard similarity coefficient
Technical field
The present invention relates to the problem of detecting Web application layer DDoS attacks, and applies the Jaccard similarity coefficient to Web application layer DDoS attack detection.
Background art
Distributed denial of service (DDoS) attacks have always been a major threat to Internet security, and in recent years application layer DDoS has increasingly shown its attacking power. The biggest difference between application layer DDoS attacks and traditional DDoS attacks is that the former establish completely legitimate connections with the server and aim to exhaust system resources so that service is denied.
With the rapid development of network technology and the wide availability of the Internet, Web services have become an important part of people's lives, and DDoS attacks against the Web application layer are also increasing. They are broadly divided into two classes: HTTP-Flood attacks and HTTP-Post attacks.
Current methods for detecting Web application layer DDoS attacks mainly include the following. Kandula et al. proposed a "PUZZLE"-based detection and defence method: when the server's resource usage exceeds a preset threshold, an attack is suspected. Because attacks are generated by programs and lack intelligence, the user is asked to answer some simple questions to judge whether the user is legitimate; a wrong answer marks the source as an attacker. This method not only affects the experience of legitimate users but also cannot effectively distinguish flash crowds. Mahajan et al. proposed using the source IP address entropy to judge whether a DDoS attack is taking place; this method can effectively distinguish flash crowds from HTTP-Flood attacks, but it does not consider slow HTTP-Post connection attacks. Xie Yi et al. proposed an anomaly detection method based on user access behaviour, using a hidden Markov model (HMM) to describe normal user access behaviour and judging from the degree of normality of the access behaviour whether the access comes from a malicious program or a legitimate user; the training process of this method is cumbersome, its computational complexity is high, and its online real-time performance is poor.
Summary of the invention
In view of the deficiencies of the prior art in DDoS attack detection described above, this paper proposes a Web application layer DDoS attack detection method based on the Jaccard similarity coefficient. It analyses the traffic characteristics when HTTP-Flood attacks and slow HTTP-Post attacks occur, selects a reasonable set of features to build a similarity model, and uses the data volume within a unit time interval as the computation item; whether an attack is occurring is judged by comparing the similarity with normal traffic against a threshold. Experiments show that the method not only detects HTTP-Flood attacks and slow HTTP-Post connection attacks effectively but also distinguishes flash crowds well, with strong real-time online detection performance.
The present invention solves the above technical problem by the following technical solution:
The Jaccard similarity coefficient, proposed by Jaccard, is used to measure the similarity between two sets. In the narrow-sense Jaccard similarity coefficient the set elements can only take the values 0 or 1, whereas in the generalized Jaccard similarity coefficient the element values can be real numbers and can therefore express richer information.
In DDoS attack detection we need to use many attributes, and the feature values of the attributes all differ, so the narrow-sense Jaccard similarity coefficient is not suitable here.
The generalized Jaccard similarity coefficient is used here to compute the similarity between the attribute set of the current time interval and the historical normal attribute set. The formula is as follows:
$$\mathrm{Sim}(x, x_i) = \frac{x \cdot x_i}{\|x\|^2 + \|x_i\|^2 - x \cdot x_i}, \qquad 0 < \mathrm{Sim}(x, x_i) \le 1$$
where x is the attribute vector formed by the averages of each attribute feature computed over several different sets of historical normal data, and x_i is the attribute vector formed by each attribute feature computed in the current time interval t.
The closer Sim(x, x_i) is to 1, the more similar x and x_i are, i.e. the closer the traffic is to normal. Equality holds if and only if x = x_i, in which case x and x_i are identical and the similarity value is 1.
To better reflect the similarity between attack traffic and normal traffic and to distinguish different attacks, the selected attribute features must not only differ between attack traffic and normal traffic but also take different values for different attacks. Based on the analysis above, we choose the following three attribute features to form the attribute vector:
A. Source IP address entropy
1) When an HTTP-Flood attack against the Web server occurs, a large number of new IP addresses appear, so the growth rate of new IP addresses increases sharply, causing the source IP address entropy to be lower than the IP entropy of normal traffic; when a flash crowd occurs, many IP addresses appear repeatedly, and the source IP entropy is higher than that of normal traffic.
2) When a slow HTTP-Post connection attack occurs, multiple connections are held open continuously, so the source IP addresses repeat within the unit time and the source IP entropy is higher than that of normal traffic.
The steps for computing the source IP address entropy are as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, where IP_all is the set of source IP addresses within the time interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i;
Step a3: from steps a1 and a2, the entropy of the source IP addresses within the time interval t is:
B. Entropy of packet size
1) To consume the target host's resources as much as possible and to keep the attack packets simple, the attacker has the zombie machines send packets whose sizes are highly similar, so the packet size distribution is concentrated, whereas packet sizes under normal conditions are more random; therefore, when an attack occurs, the packet size entropy is lower than that of normal traffic;
2) A flash crowd is usually the result of a large number of users accessing the same content at the same time because of breaking news or the release of a popular product, so within this period the packets sent by normal users are basically similar in size, and the packet entropy is also lower than that of normal traffic.
The steps for computing the packet size entropy are as follows:
Step b1: define the i-th data stream flowing to the target host as flow_i; then the data streams to the target host collected in the time interval t can be expressed as:
flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th stream, and let p_i denote its probability distribution:
where
$$P(\mathrm{flow\_all}) = \sum_{i=1}^{n} P(\mathrm{flow}_i);$$
Step b3: from steps b1 and b2, the packet size entropy is:
C. Ratio of TCP connection count to HTTP request count
1) When an HTTP-Flood attack occurs, the attacker sends a large number of HTTP requests per unit time after establishing a connection, in order to exhaust host resources as quickly as possible;
2) When a slow HTTP-Post connection attack occurs, after establishing a connection the attacker sends just one HTTP request over a long period;
3) When a flash crowd occurs, the number of user requests increases in the initial phase, but because network performance degrades, each user then reduces the number of resource requests.
4) Therefore, within a measurement period, the ratio of TCP connections to HTTP requests is indicative: if the ratio in the period is too large it is probably a slow HTTP-Post connection attack, if it is too small it is probably an HTTP-Flood attack, and because a flash crowd goes through a gradually decreasing process, its ratio is greater than in a flood attack but smaller than in normal traffic.
The steps for computing the ratio of TCP connection count to HTTP request count are as follows:
Step c1: define tcp_num as the total number of TCP connections within the time interval t;
Step c2: define http_req_num as the total number of HTTP requests within the time interval t;
Step c3: from steps c1 and c2, the connection/request ratio is:
In theory:
$$\mathrm{rate}_{HDDoS} < \mathrm{rate}_{FC} < \mathrm{rate}_{Norm} < \mathrm{rate}_{LDDoS}$$
Here rate_LDDoS is the ratio of TCP connections to HTTP requests when a slow HTTP-Post connection attack occurs; rate_HDDoS is the ratio when an HTTP-Flood attack occurs; rate_FC is the ratio during a flash crowd; rate_Norm is the ratio under normal conditions. rate_LDDoS is much larger than the normal value.
In summary, when a flash crowd occurs only the packet entropy differs noticeably from normal traffic, while the differences in the other two attributes are small compared with those during an attack, so the similarity value is larger. When a flood attack or a slow connection attack occurs, all three attributes differ from their normal values and the similarity is smaller. Therefore, in theory, flash crowds can be well distinguished from anomalous traffic, and flood attacks and slow connection attacks can be well detected.
The specific technical solution is as follows:
The present invention relates to a Web application layer DDoS attack detection method based on the generalized Jaccard similarity coefficient, comprising the following steps:
Step 1: set the time interval t;
Step 2: using the data volume within the time interval t as the computation item, compute the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalized Jaccard similarity coefficient formula;
Step 3: compare the Jaccard similarity coefficient computed in step 2 with a preset similarity threshold γ, and judge on that basis whether a DDoS attack is occurring.
The invention also relates to a Web application layer DDoS attack detection device based on the generalized Jaccard similarity coefficient, comprising:
A time interval setting module: used to set the time interval t;
A similarity comparison module: uses the data volume within the time interval t as the computation item and computes the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalized Jaccard similarity coefficient formula;
An attack recognition module: compares the Jaccard similarity coefficient computed in step 2 with the preset similarity threshold γ and judges on that basis whether a DDoS attack is occurring.
Compared with the prior art, the present invention, using the above technical solution, has the following technical effects:
The method is the first to use multiple attribute features for similarity comparison. It not only detects HTTP-Flood attacks and slow HTTP-Post connection attacks effectively but also distinguishes flash crowds accurately, with strong real-time online detection and a high accuracy rate.
Brief description of the drawings
Fig. 1 is a schematic diagram of the application layer DDoS attack detection algorithm based on the generalized Jaccard similarity coefficient in the present invention;
Fig. 2 is the list of normal traffic captured in the embodiment of the present invention;
Fig. 3 is the list of traffic feature vectors (attribute vectors) captured with libpcap under normal connections in the embodiment of the present invention;
Fig. 4 is the list of traffic feature vectors (attribute vectors) captured with libpcap during an HTTP-Post attack in the embodiment of the present invention;
Fig. 5 is the list of traffic feature vectors (attribute vectors) captured with libpcap during an HTTP-Flood attack in the embodiment of the present invention;
Fig. 6 is the list of flash crowd traffic captured in the embodiment of the present invention;
Fig. 7 is the similarity comparison result chart in the embodiment of the present invention.
Detailed description of the invention
The present invention is further described below with reference to the drawings and examples.
Embodiment 1
The present invention relates to a Web application layer DDoS attack detection method based on the generalized Jaccard similarity coefficient, comprising the following steps:
Step 1: set the time interval t.
Step 2: using the data volume within the time interval t as the computation item, compute the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalized Jaccard similarity coefficient formula.
The attribute set is an attribute vector formed from several attribute features, and the generalized Jaccard similarity coefficient is computed as follows:
$$\mathrm{Sim}(x, x_i) = \frac{x \cdot x_i}{\|x\|^2 + \|x_i\|^2 - x \cdot x_i}, \qquad 0 < \mathrm{Sim}(x, x_i) \le 1 \qquad (4)$$
where x is the attribute vector formed by the averages of each attribute feature computed over several different sets of historical normal data in time intervals t, and x_i is the attribute vector formed by each attribute feature computed in the current time interval t.
This specifically includes the following steps:
Step 2.1: compute x by averaging over several different sets of historical normal data in time intervals t;
Step 2.2: compute the value of x_i in the current time interval t;
Step 2.3: compute the Jaccard similarity coefficient Sim(x, x_i).
The attribute features include the source IP address entropy, the packet size entropy, and the ratio of TCP connection count to HTTP request count.
The source IP address entropy is computed as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, where IP_all is the set of source IP addresses within the time interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i;
Step a3: from steps a1 and a2, the entropy of the source IP addresses within the time interval t is:
$$E(IP_{src}) = -\frac{1}{\ln n}\sum_{i=1}^{n} p_i \log p_i \qquad (1)$$
The packet size entropy is computed as follows:
Step b1: define the i-th data stream flowing to the target host as flow_i; then the data streams to the target host collected in the time interval t are expressed as:
flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th stream, and let p_i denote its probability distribution:
where
$$P(\mathrm{flow\_all}) = \sum_{i=1}^{n} P(\mathrm{flow}_i);$$
Step b3: from steps b1 and b2, the packet size entropy is:
$$E(P) = -\frac{1}{\ln n}\sum_{i=1}^{n} p_i \log p_i \qquad (2)$$
The ratio of TCP connection count to HTTP request count is computed as follows:
Step c1: define tcp_num as the total number of TCP connections within the time interval t;
Step c2: define http_req_num as the total number of HTTP requests within the time interval t;
Step c3: from steps c1 and c2, the connection/request ratio is:
$$\mathrm{rate} = \frac{tcp_{num}}{http\_req_{num}}, \qquad 0 < \mathrm{rate} \le 1 \qquad (3)$$
Step 3: compare the Jaccard similarity coefficient computed in step 2 with the preset similarity threshold γ, and judge on that basis whether a DDoS attack is occurring.
This specifically includes the following steps:
Step 3.1: compare the Jaccard similarity coefficient Sim(x, x_i) computed in step 2 with the preset similarity threshold γ; if Sim(x, x_i) > γ, perform step 3.2 and then step 3.4, otherwise perform step 3.3 and then step 3.4;
Step 3.2: add x_i to the historical normal data;
Step 3.3: raise an alarm and make an attack response;
Step 3.4: return to step 2.
The similarity threshold γ is set as follows:
Step 1: collect the HTTP requests to the target Web server in each time interval t over the most recent several hours as historical normal data; take the averages of each attribute feature over the different historical normal data to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
Step 2: simulate DDoS attacks, capture the traffic data in several time intervals t as samples, compute the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and compute its Jaccard similarity coefficient Sim(x, x_i);
DDOSIM and SlowHTTPTest can be used to simulate HTTP-Flood and HTTP-Post attacks respectively; for each, the traffic data in several time intervals t is captured as samples, the attribute vector of the traffic data in each time interval t is computed as x_i in the Jaccard similarity coefficient formula, and its Jaccard similarity coefficient Sim(x, x_i) is computed;
Step 3: take a value greater than the Jaccard similarity coefficient Sim(x, x_i) of all the DDoS attack traffic samples as the similarity threshold γ. Preferably, γ is as close as possible to the maximum Jaccard similarity coefficient Sim(x, x_i) over all DDoS attack traffic samples.
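As an added example that is not part of the patent, the Python below computes the three attribute features (1) to (3) over flow records of one window t, forms x from several normal windows (step 2.1), scores windows with the generalized Jaccard similarity (4), derives γ from simulated attack samples as in the threshold steps above, and applies the step 3.1 decision. All flow records, addresses and counts are constructed; the Flow record layout, clamping the ratio into (0, 1], and giving a window with a single distinct item entropy 0 are assumptions.

```python
"""Added example, not the patent's own code: the three attribute features
(1)-(3), the generalized Jaccard similarity (4), the history vector x, the
threshold gamma and the step 3.1 decision, run over constructed flow records."""
import math
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One TCP flow to the target host inside a window t (assumed record layout)."""
    src_ip: str
    packets: int        # P(flow_i): number of packets on this flow
    http_requests: int  # HTTP requests carried by this connection

def normalized_entropy(counts):
    """-(1/ln n) * sum p_i ln p_i over a count distribution, as in (1) and (2).
    n is the number of items; a window with n <= 1 is given entropy 0 (assumption)."""
    n = len(counts)
    total = sum(counts)
    if n <= 1 or total == 0:
        return 0.0
    probs = [c / total for c in counts if c]
    return -sum(p * math.log(p) for p in probs) / math.log(n)

def source_ip_entropy(flows):
    """Steps a1-a3: p_i is the share of flows whose source address is IP_i."""
    return normalized_entropy(list(Counter(f.src_ip for f in flows).values()))

def packet_size_entropy(flows):
    """Steps b1-b3: p_i = P(flow_i) / P(flow_all), one term per flow."""
    return normalized_entropy([f.packets for f in flows])

def connection_request_ratio(flows):
    """Steps c1-c3: tcp_num / http_req_num, clamped to (0, 1] as (3) states (assumption)."""
    tcp_num = len(flows)
    http_req_num = sum(f.http_requests for f in flows)
    if tcp_num == 0 or http_req_num == 0:
        return 0.0
    return min(1.0, tcp_num / http_req_num)

def attribute_vector(flows):
    """x_i for one window: the three features in the page's order A, B, C."""
    return (source_ip_entropy(flows), packet_size_entropy(flows),
            connection_request_ratio(flows))

def generalized_jaccard(x, xi):
    """Sim(x, x_i) = (x . x_i) / (||x||^2 + ||x_i||^2 - x . x_i), formula (4)."""
    dot = sum(a * b for a, b in zip(x, xi))
    denom = sum(a * a for a in x) + sum(b * b for b in xi) - dot
    return dot / denom if denom else 0.0

def history_vector(normal_windows):
    """Step 2.1: x is the per-feature mean over several normal windows."""
    vecs = [attribute_vector(w) for w in normal_windows]
    return tuple(sum(v[k] for v in vecs) / len(vecs) for k in range(3))

def choose_threshold(x, attack_windows):
    """Threshold step 3: gamma sits at the largest Sim of any attack sample."""
    return max(generalized_jaccard(x, attribute_vector(w)) for w in attack_windows)

def detect(x, window, gamma):
    """Step 3.1: Sim > gamma means normal (the window may join the history),
    otherwise alarm. Returns (similarity, is_normal)."""
    sim = generalized_jaccard(x, attribute_vector(window))
    return sim, sim > gamma

def make_window(ips, packets, requests):
    return [Flow(ip, p, r) for ip, p, r in zip(ips, packets, requests)]

# Constructed sample windows (documentation-range addresses, invented counts).
NORMAL_HISTORY = [
    make_window(["198.51.100.7"] * 3 + ["198.51.100.9"], [4, 4, 4, 4], [2, 2, 2, 2]),
    make_window(["198.51.100.7"] * 2 + ["198.51.100.9"] * 2, [2, 2, 6, 6], [2, 3, 2, 3]),
]
# HTTP-Flood style window: many distinct sources, uniform packets, many requests each.
FLOOD_WINDOW = make_window([f"203.0.113.{i}" for i in range(10)], [3] * 10, [100] * 10)
# Slow HTTP-Post style window: two sources holding many connections, one request each.
SLOW_POST_WINDOW = make_window(["192.0.2.4"] * 10 + ["192.0.2.5"] * 10, [1] * 20, [1] * 20)
NORMAL_TEST_WINDOW = make_window(["198.51.100.7"] * 3 + ["198.51.100.9"], [4, 4, 4, 4], [2, 2, 2, 3])

def run_demo():
    """Derive x and gamma, then classify the three test windows."""
    x = history_vector(NORMAL_HISTORY)
    gamma = choose_threshold(x, [FLOOD_WINDOW, SLOW_POST_WINDOW])
    results = {"normal": detect(x, NORMAL_TEST_WINDOW, gamma),
               "http_flood": detect(x, FLOOD_WINDOW, gamma),
               "slow_post": detect(x, SLOW_POST_WINDOW, gamma)}
    return gamma, results

if __name__ == "__main__":
    gamma, results = run_demo()
    print(f"gamma = {gamma:.3f}")
    for name, (sim, is_normal) in results.items():
        print(f"{name:10s} Sim = {sim:.3f} -> {'normal' if is_normal else 'ALARM'}")
```

With these constructed windows the connection/request ratio is the feature that separates the attack samples from normal traffic; γ lands at the flood sample's similarity, so that sample is flagged and the fresh normal window passes.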
The invention also relates to a Web application layer DDoS attack detection device based on the generalized Jaccard similarity coefficient, characterised in that it comprises:
A time interval setting module: used to set the time interval t;
A similarity comparison module: uses the data volume within the time interval t as the computation item and computes the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalized Jaccard similarity coefficient formula;
An attack recognition module: compares the Jaccard similarity coefficient computed in the similarity comparison module with the preset similarity threshold γ and judges on that basis whether a DDoS attack is occurring.
The attribute set is an attribute vector formed from several attribute features, and the generalized Jaccard similarity coefficient formula used in the similarity comparison module is as follows:
$$\mathrm{Sim}(x, x_i) = \frac{x \cdot x_i}{\|x\|^2 + \|x_i\|^2 - x \cdot x_i}, \qquad 0 < \mathrm{Sim}(x, x_i) \le 1 \qquad (4)$$
where x is the attribute vector formed by the averages of each attribute feature computed over several different sets of historical normal data in time intervals t, and x_i is the attribute vector formed by each attribute feature computed in the current time interval t.
The similarity comparison module specifically includes:
An x attribute vector computing module: computes x by averaging over several different sets of historical normal data in time intervals t;
An x_i attribute vector computing module: computes the value of x_i in the current time interval t;
A similarity coefficient computing module: computes the Jaccard similarity coefficient Sim(x, x_i).
The attribute features include the source IP address entropy, the packet size entropy, and the ratio of TCP connection count to HTTP request count.
The source IP address entropy is computed as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, where IP_all is the set of source IP addresses within the time interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i;
Step a3: from steps a1 and a2, the entropy of the source IP addresses within the time interval t is:
$$E(IP_{src}) = -\frac{1}{\ln n}\sum_{i=1}^{n} p_i \log p_i \qquad (1)$$
The packet size entropy is computed as follows:
Step b1: define the i-th data stream flowing to the target host as flow_i; then the data streams to the target host collected in the time interval t are expressed as:
flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th stream, and let p_i denote its probability distribution:
where
$$P(\mathrm{flow\_all}) = \sum_{i=1}^{n} P(\mathrm{flow}_i);$$
Step b3: from steps b1 and b2, the packet size entropy is:
$$E(P) = -\frac{1}{\ln n}\sum_{i=1}^{n} p_i \log p_i \qquad (2)$$
The ratio of TCP connection count to HTTP request count is computed as follows:
Step c1: define tcp_num as the total number of TCP connections within the time interval t;
Step c2: define http_req_num as the total number of HTTP requests within the time interval t;
Step c3: from steps c1 and c2, the connection/request ratio is:
$$\mathrm{rate} = \frac{tcp_{num}}{http\_req_{num}}, \qquad 0 < \mathrm{rate} \le 1 \qquad (3)$$
The attack recognition module includes:
An attack recognition comparison module: compares the Jaccard similarity coefficient Sim(x, x_i) computed in the similarity comparison module with the preset similarity threshold γ; if Sim(x, x_i) > γ it passes control to the attack recognition storage module and then to the attack recognition loop module, otherwise to the attack recognition alarm module and then to the attack recognition loop module;
An attack recognition storage module: adds x_i to the historical normal data and then enters the attack recognition loop module;
An attack recognition alarm module: raises an alarm, makes an attack response, and then enters the attack recognition loop module;
An attack recognition loop module: returns to the similarity comparison module.
The invention also relates to a similarity threshold setting module, comprising:
A mean value computing module: collects the HTTP requests to the target Web server in each time interval t over the most recent several hours as historical normal data, and takes the averages of each attribute feature over the different historical normal data to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
An attack sample similarity coefficient computing module: simulates DDoS attacks, captures the traffic data in several time intervals t as samples, computes the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and computes its Jaccard similarity coefficient Sim(x, x_i);
DDOSIM and SlowHTTPTest can be used to simulate HTTP-Flood and HTTP-Post attacks respectively; for each, the traffic data in several time intervals t is captured as samples, the attribute vector of the traffic data in each time interval t is computed as x_i in the Jaccard similarity coefficient formula, and its Jaccard similarity coefficient Sim(x, x_i) is computed;
A similarity threshold computing module: takes a value greater than the Jaccard similarity coefficient Sim(x, x_i) of all the DDoS attack traffic samples as the similarity threshold γ; preferably γ is as close as possible to the maximum Jaccard similarity coefficient Sim(x, x_i) over all DDoS attack traffic samples.
Embodiment 2
To verify the effectiveness of this DDoS attack detection method, the present invention uses DDOSIM and SlowHTTPTest to simulate HTTP-Flood and HTTP-Post attacks. DDOSIM is a distributed local server attack simulator for experimental environments; it can test a server's capability to process and bear DDoS attack traffic. DDOSIM simulates zombie hosts and establishes complete TCP connections with the target server; once the connections are complete, DDOSIM starts the test. SlowHTTPTest is a configurable application layer denial-of-service test tool that can simulate DDoS attacks under low bandwidth consumption, such as slow HTTP-Post connection attacks. To ensure the authenticity of the experimental data, the specific experimental steps are as follows:
1. Obtain normal traffic.
Step 101: collect the HTTP requests to a campus network Web server over the past 8 hours as normal data.
Step 102: the processed normal traffic is shown in Fig. 2.
2. Establish normal connections and capture traffic.
Step 201: take the averages of the data from step 1 under normal traffic as the feature vector (attribute vector) x.
Step 202: install the DDOSIM tool on every Linux machine in the LAN.
Step 203: enter the command ./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0 on the command line, which uses random IP addresses to establish 10 TCP connections with the server.
Step 204: send valid HTTP requests.
Step 205: use libpcap to capture the data every 10 s and obtain the traffic feature vectors (attribute vectors) shown in Fig. 3.
3. Launch DDoS attacks and capture traffic.
Step 301: install the SlowHTTPTest tool in the Linux environment of every PC to simulate an HTTP-Post attack.
Step 302: enter the command ./slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 20 -s 8100 -t FAKEVERB -u on the command line, meaning that a connection is established with the server every 110 seconds, the connection rate is 20 per second, and the content length is 8100.
Step 303: use libpcap to capture the data every 10 s and obtain the traffic feature vectors (attribute vectors) shown in Fig. 4.
Step 304: install the DDOSIM tool in the Linux environment of every PC.
Step 305: enter the command ./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0 on the command line, which uses random IP addresses to establish 10 TCP connections with the server and sends valid HTTP requests.
Step 306: use libpcap to capture the data every 10 s and obtain the traffic feature vectors (attribute vectors) shown in Fig. 5.
4. Acquisition of flash crowd traffic.
Step 401: choose the month of the year in which students' demand on this campus network peaks and a large number of users access the server, as flash crowd data; the traffic feature vectors (attribute vectors) obtained are shown in Fig. 6.
5. Experimental results.
Step 501: we choose 1000 groups of data for each attack and for the flash crowd, perform the similarity calculation, and obtain the results shown in Fig. 7.
Step 502: from Fig. 7, the similarity values differ when different attacks occur; during a flash crowd (Flash Crowd) the value of sim is between 0.65 and 0.83.
Step 503: during an HTTP-Flood attack, the value of sim is between 0.6 and 0.68.
Step 504: during an HTTP-Post attack, the value of sim is between 0.43 and 0.63.
Step 505: when sim is 0.7, the detection performance of the present invention is maximised; it not only identifies flash crowds effectively but also detects the other two attacks effectively, with an accuracy rate of 93.8%, a miss rate of 2.4% and a false alarm rate of 3.1%. Compared with another method's detection accuracy of 88% and false alarm rate of 3%, the detection performance of the present invention is considerably improved.

Claims (10)

1. A Web application-layer DDoS attack detection method based on the generalized Jaccard similarity coefficient, characterized by comprising the following steps:
Step 1: set a time interval t;
Step 2: taking the traffic within the time interval t as the computational unit, compute with the generalized Jaccard similarity coefficient formula the similarity between the attribute set of the current interval t and the historical normal attribute set;
Step 3: compare the Jaccard similarity coefficient computed in Step 2 with a preset similarity threshold γ, and judge on that basis whether a DDoS attack is occurring.
2. The method according to claim 1, characterized in that the attribute set is an attribute vector composed of several attribute features, and the generalized Jaccard similarity coefficient formula of Step 2 is:
$$\mathrm{Sim}(x, x_i) = \frac{x \cdot x_i}{\|x\|^2 + \|x_i\|^2 - x \cdot x_i}, \qquad 0 < \mathrm{Sim}(x, x_i) \le 1 \qquad (4)$$
where x is the attribute vector formed by averaging each attribute feature over several different intervals t of historical normal data, and x_i is the attribute vector formed by the attribute features computed in the current interval t. (This is the Tanimoto form of the Jaccard coefficient for real-valued vectors: the denominator equals ||x − x_i||² + x·x_i, so Sim ≤ 1 with equality only when x = x_i, and Sim > 0 whenever x·x_i > 0, which holds for non-negative attribute vectors that share at least one positive attribute.)
Step 2 specifically comprises the following steps:
Step 2.1: compute x by averaging several different intervals t of historical normal data;
Step 2.2: compute the value of x_i for the current interval t;
Step 2.3: compute the Jaccard similarity coefficient Sim(x, x_i).
3. The method according to claim 2, characterized in that the attribute features comprise the source IP address entropy, the packet-size entropy, and the ratio of the number of TCP connections to the number of HTTP requests.
4. The method according to claim 3, characterized in that the source IP address entropy is computed as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, the set of source IP addresses seen within the interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i (its share of the traffic in the interval);
Step a3: from Steps a1 and a2, the source IP address entropy within the interval t is:
$$E(IP_{src}) = -\frac{1}{\ln n}\sum_{i=1}^{n} p_i \log p_i \qquad (1)$$
The factor 1/ln n normalizes the entropy to [0, 1] when the logarithm is natural, so values are comparable across intervals with different numbers of source addresses; an implementation has to special-case n = 1 (a single source), where ln n = 0.
5. The method according to claim 3, characterized in that the packet-size entropy is computed as follows:
Step b1: define the i-th data stream flowing to the destination host as flow_i; the set of data streams flowing to the destination host collected within the interval t is then expressed as:
Flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th stream, and let p_i denote its probability, i.e. the share of the total packet count carried by flow_i, P(flow_i) divided by P(flow_all), where
$$P(flow\_all) = \sum_{i=1}^{n} P(flow_i);$$
Step b3: from Steps b1 and b2, the packet-size entropy is:
$$E(P) = -\frac{1}{\ln n}\sum_{i=1}^{n} p_i \log p_i \qquad (2)$$
Note that, despite its name, this feature measures how evenly packets are spread across the flows to the target, not the distribution of packet lengths.
6. The method according to claim 3, characterized in that the ratio of the number of TCP connections to the number of HTTP requests is computed as follows:
Step c1: define tcp_num as the total number of TCP connections within the interval t;
Step c2: define http_req_num as the total number of HTTP requests within the interval t;
Step c3: from Steps c1 and c2, the connection-to-request ratio is:
$$rate = \frac{tcp\_num}{http\_req\_num}, \qquad 0 < rate \le 1 \qquad (3)$$
The stated bound assumes that every connection carries at least one request; an interval with no HTTP requests at all (for example a pure connection flood) leaves the ratio undefined and has to be handled separately.
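The three attribute features of claims 4 to 6, computed over one interval t, as an added example that is not part of the patent. The packet records are constructed to stand in for the libpcap capture of Step 306; the record layout (`Pkt`), the flow key `(src_ip, src_port, dst_port)`, counting a connection on its SYN, and the value 0 for an entropy over a single source or flow are all assumptions made here.

```python
"""Attribute vector of claims 3-6 for one time interval t (added example).

Constructed packet records stand in for the libpcap capture; the field
layout (Pkt) and the flow key are assumptions made here, not the patent's.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool       # True on the SYN that opens a TCP connection
    http_req: bool  # True if the packet carries an HTTP request line


def normalized_entropy(counts) -> float:
    """-(1/ln n) * sum p_i ln p_i over the non-zero counts, formulas (1)/(2).

    The 1/ln n factor scales the result to [0, 1]; with n <= 1 the
    denominator ln n is 0, so that case is defined here as 0 (no spread).
    """
    counts = [c for c in counts if c > 0]
    n = len(counts)
    if n <= 1:
        return 0.0
    total = sum(counts)
    h = -sum((c / total) * math.log(c / total) for c in counts)
    return h / math.log(n)


def source_ip_entropy(pkts, dst_ip) -> float:
    """Formula (1): entropy of the share of packets per source IP (claim 4)."""
    return normalized_entropy(Counter(p.src_ip for p in pkts if p.dst_ip == dst_ip).values())


def flow_packet_entropy(pkts, dst_ip) -> float:
    """Formula (2): entropy of the packet count per flow to the target (claim 5).

    A flow is keyed by (src_ip, src_port, dst_port); this key is an assumption.
    """
    flows = Counter((p.src_ip, p.src_port, p.dst_port) for p in pkts if p.dst_ip == dst_ip)
    return normalized_entropy(flows.values())


def tcp_http_ratio(pkts, dst_ip) -> float:
    """Formula (3): tcp_num / http_req_num (claim 6).

    A connection is counted once, on its SYN. The claim's bound
    0 < rate <= 1 presumes at least one request per connection; an interval
    with no requests at all has no defined ratio and is rejected here.
    """
    tcp_num = sum(1 for p in pkts if p.dst_ip == dst_ip and p.syn)
    http_req_num = sum(1 for p in pkts if p.dst_ip == dst_ip and p.http_req)
    if http_req_num == 0:
        raise ValueError("no HTTP requests in interval: formula (3) is undefined")
    return tcp_num / http_req_num


def attribute_vector(pkts, dst_ip) -> tuple:
    """x_i for the interval: (E(IP_src), E(P), rate)."""
    return (source_ip_entropy(pkts, dst_ip),
            flow_packet_entropy(pkts, dst_ip),
            tcp_http_ratio(pkts, dst_ip))


def client(src_ip, src_port, n_requests, dst="192.168.1.2"):
    """Constructed trace: one SYN followed by n_requests request packets."""
    pkts = [Pkt(src_ip, src_port, dst, 80, True, False)]
    pkts += [Pkt(src_ip, src_port, dst, 80, False, True) for _ in range(n_requests)]
    return pkts


# Constructed interval 1: three real clients reusing their connections.
NORMAL = client("10.0.0.1", 40001, 3) + client("10.0.0.2", 40002, 2) + client("10.0.0.3", 40003, 1)

# Constructed interval 2: a random-source flood, one connection and one request per address.
FLOOD = [p for k in range(10) for p in client(f"198.51.100.{k + 1}", 50000 + k, 1)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("flood", FLOOD)):
        e_ip, e_flow, rate = attribute_vector(trace, "192.168.1.2")
        print(f"{name}: E(IP_src)={e_ip:.3f} E(P)={e_flow:.3f} rate={rate:.2f}")
```

On the constructed traces the normal interval gives entropies of about 0.966 and a ratio of 0.5 (three connections, six requests), while the random-source flood pushes both entropies to 1.0 and the ratio to 1.0 (one request per connection); it is this shift in the whole vector, not any single feature, that the similarity of claim 2 measures.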
7. The method according to claim 2, characterized in that Step 3 specifically comprises the following steps:
Step 3.1: compare the Jaccard similarity coefficient Sim(x, x_i) computed in Step 2 with the preset similarity threshold γ; if Sim(x, x_i) > γ, perform Step 3.2 and then Step 3.4, otherwise perform Step 3.3 and then Step 3.4;
Step 3.2: add x_i to the historical normal data;
Step 3.3: raise an alarm and take the attack response;
Step 3.4: return to Step 2.
Because Step 3.2 feeds every interval judged normal back into the baseline, an attacker who ramps up slowly enough to stay above γ in each interval can gradually shift x toward the attack profile; the claim specifies no guard on how far the baseline may drift.
8. The method according to claim 2, characterized in that the similarity threshold γ is set as follows:
Step 1: collect the HTTP requests to the target Web server in each time interval t over the past several hours as historical normal data; average each attribute feature over the different historical normal intervals to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
Step 2: simulate a DDoS attack and capture the traffic of several time intervals t as samples; compute the attribute vector of the traffic in each interval t as x_i in the Jaccard similarity coefficient formula, and compute its Jaccard similarity coefficient Sim(x, x_i);
Step 3: take as the similarity threshold γ a value greater than the Jaccard similarity coefficients Sim(x, x_i) of all the DDoS attack traffic samples.
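The similarity of claim 2 (formula (4)), the threshold selection of claim 8 and the decision loop of claim 7, as one added example that is not part of the patent. The attribute vectors are constructed (E(IP_src), E(P), rate) triples chosen to resemble the experiment's three traffic shapes; the margin added above the largest attack-sample similarity in `choose_gamma` is an assumption, since claim 8 only requires that γ exceed every attack sample.

```python
"""Generalized Jaccard detector of claims 2, 7 and 8 (added example).

The attribute vectors below are constructed (E(IP_src), E(P), rate) triples;
the margin in choose_gamma is an assumption, since claim 8 only requires
gamma to exceed the similarity of every attack sample.
"""
from typing import Sequence

Vector = tuple


def generalized_jaccard(x: Vector, xi: Vector) -> float:
    """Formula (4): x.xi / (||x||^2 + ||xi||^2 - x.xi)."""
    if len(x) != len(xi):
        raise ValueError("attribute vectors differ in length")
    dot = sum(a * b for a, b in zip(x, xi))
    denom = sum(a * a for a in x) + sum(b * b for b in xi) - dot
    if denom == 0.0:            # both vectors all-zero: 0/0, treated as no similarity
        return 0.0
    return dot / denom


def baseline(history: Sequence[Vector]) -> Vector:
    """Claim 2, step 2.1: x is the per-attribute mean of the normal intervals."""
    n = len(history)
    return tuple(sum(v[k] for v in history) / n for k in range(len(history[0])))


def choose_gamma(x: Vector, attack_samples: Sequence[Vector], margin: float = 0.05) -> float:
    """Claim 8, step 3: a threshold above every attack-sample similarity (margin assumed)."""
    return max(generalized_jaccard(x, s) for s in attack_samples) + margin


class Detector:
    """Claim 7: Sim > gamma means the interval is normal and joins the history; else alarm."""

    def __init__(self, history: Sequence[Vector], gamma: float):
        self.history = list(history)
        self.gamma = gamma

    def observe(self, xi: Vector):
        x = baseline(self.history)          # step 2.1, recomputed as the history grows
        sim = generalized_jaccard(x, xi)    # step 2.3
        attack = not sim > self.gamma       # step 3.1
        if not attack:
            # Step 3.2. Every accepted interval moves x, so a slow ramp that
            # stays above gamma each time can drag the baseline toward the
            # attack profile; the claim provides no guard against this.
            self.history.append(xi)
        return sim, attack


# Constructed history of normal intervals (per-attribute mean = (0.60, 0.55, 0.30)).
HISTORY = [(0.58, 0.55, 0.28), (0.60, 0.57, 0.30), (0.62, 0.53, 0.32)]
# Constructed attack samples: a random-source flood (all three features high)
# and a few-source POST flood (low entropies, many requests per connection).
ATTACK_SAMPLES = [(1.0, 1.0, 1.0), (0.20, 0.15, 0.05)]
# Constructed stream of live intervals: one normal, then the two attack shapes.
LIVE = [(0.62, 0.53, 0.31), (1.0, 1.0, 1.0), (0.20, 0.15, 0.05)]


def run_example():
    """Pick gamma from the samples, then score the live intervals in order."""
    gamma = choose_gamma(baseline(HISTORY), ATTACK_SAMPLES)
    det = Detector(HISTORY, gamma)
    return [det.observe(xi) for xi in LIVE]


if __name__ == "__main__":
    for sim, attack in run_example():
        print(f"sim={sim:.4f} -> {'ALARM' if attack else 'normal'}")
```

With these constructed vectors the flood sample scores about 0.63 and the POST sample 0.36 against the baseline, so γ lands near 0.68; the normal live interval scores about 0.999 and is absorbed into the history, after which both attack intervals still fall below γ and raise alarms.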
9. A Web application-layer DDoS attack detection device based on the generalized Jaccard similarity coefficient, characterized by comprising:
a time-interval setting module, for setting the time interval t;
a similarity computation module, for taking the traffic within the time interval t as the computational unit and computing, with the generalized Jaccard similarity coefficient formula, the similarity between the attribute set of the current interval t and the historical normal attribute set;
an attack identification module, for comparing the Jaccard similarity coefficient computed by the similarity computation module with the preset similarity threshold γ and judging on that basis whether a DDoS attack is occurring.
10. A similarity-threshold setting module, comprising:
a mean computation module, for collecting the HTTP requests to the target Web server in each time interval t over the past several hours as historical normal data and averaging each attribute feature over the different historical normal intervals to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
an attack-sample similarity coefficient computation module, for simulating a DDoS attack, capturing the traffic of several time intervals t as samples, computing the attribute vector of the traffic in each interval t as x_i in the Jaccard similarity coefficient formula, and computing its Jaccard similarity coefficient Sim(x, x_i);
a similarity-threshold computation module, for taking as the similarity threshold γ a value greater than the Jaccard similarity coefficients Sim(x, x_i) of all the DDoS attack traffic samples.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610556957.3A CN106209861B (en) 2016-07-14 2016-07-14 One kind being based on broad sense Jie Kade similarity factor Web application layer ddos attack detection method and device

Publications (2)

Publication Number Publication Date
CN106209861A true CN106209861A (en) 2016-12-07
CN106209861B CN106209861B (en) 2019-07-12

Family

ID=57475446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610556957.3A Active CN106209861B (en) 2016-07-14 2016-07-14 One kind being based on broad sense Jie Kade similarity factor Web application layer ddos attack detection method and device

Country Status (1)

Country Link
CN (1) CN106209861B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267313A (en) * 2008-04-23 2008-09-17 华为技术有限公司 Flooding attack detection method and detection device
CN102638474A (en) * 2012-05-08 2012-08-15 山东大学 Application layer DDOS (distributed denial of service) attack and defense method
CN102821081A (en) * 2011-06-10 2012-12-12 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN103095711A (en) * 2013-01-18 2013-05-08 重庆邮电大学 Application layer distributed denial of service (DDoS) attack detection method and defensive system aimed at website

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107248996A (en) * 2017-06-29 2017-10-13 南京邮电大学 A kind of detection of DNS amplification attacks and filter method
CN108173884A (en) * 2018-03-20 2018-06-15 国家计算机网络与信息安全管理中心 Based on network attack with the ddos attack population analysis method of behavior
CN109002261A (en) * 2018-07-11 2018-12-14 佛山市云端容灾信息技术有限公司 Difference block big data analysis method, apparatus, storage medium and server
CN110162969A (en) * 2018-10-08 2019-08-23 腾讯科技(深圳)有限公司 A kind of analysis method and device of flow
CN109784411B (en) * 2019-01-23 2021-01-05 四川虹微技术有限公司 Defense method, device and system for confrontation sample and storage medium
CN109784411A (en) * 2019-01-23 2019-05-21 四川虹微技术有限公司 To the defence method of resisting sample, device, system and storage medium
CN110265104A (en) * 2019-05-08 2019-09-20 长沙市中心医院 Diagnosis report degree of conformity detection method, device, computer equipment and storage medium
CN110265104B (en) * 2019-05-08 2022-04-29 长沙市中心医院 Diagnostic report conformity detection method, device, computer equipment and storage medium
CN110602109A (en) * 2019-09-17 2019-12-20 东南大学 Application layer DDoS attack detection and defense method based on multi-feature entropy
CN111478893A (en) * 2020-04-02 2020-07-31 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN111478893B (en) * 2020-04-02 2022-06-28 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN113259324A (en) * 2021-04-21 2021-08-13 深圳供电局有限公司 Data attack detection method and device, computer equipment and readable storage medium
CN113259324B (en) * 2021-04-21 2022-09-02 深圳供电局有限公司 Data attack detection method and device, computer equipment and readable storage medium
CN118018325A (en) * 2024-04-08 2024-05-10 山东捷瑞信息技术产业研究院有限公司 DDoS attack prevention method and system based on artificial intelligence

Also Published As

Publication number Publication date
CN106209861B (en) 2019-07-12

Similar Documents

Publication Publication Date Title
CN106209861A (en) A kind of based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method and device
CN109167789B (en) Cloud environment LDoS attack data flow detection method and system
Yeung et al. Parzen-window network intrusion detectors
CN103581186B (en) A kind of network security situational awareness method and system
CN104519032B (en) A kind of security strategy and system of internet account number
CN106254368B (en) The detection method and device of Web vulnerability scanning
CN108900513B (en) DDOS effect evaluation method based on BP neural network
CN106685984A (en) Network threat analysis system and method based on data pocket capture technology
CN104901971B (en) The method and apparatus that safety analysis is carried out to network behavior
CN110474878B (en) DDoS attack situation early warning method and server based on dynamic threshold
CN105407103A (en) Network threat evaluation method based on multi-granularity anomaly detection
Ahmad et al. Application of artificial neural network in detection of probing attacks
CN103095711A (en) Application layer distributed denial of service (DDoS) attack detection method and defensive system aimed at website
CN108470003A (en) Fuzz testing methods, devices and systems
CN110535874A (en) A kind of network attack detecting method and system of antagonism network
CN111818102B (en) Defense efficiency evaluation method applied to network target range
Liao et al. Feature extraction and construction of application layer DDoS attack based on user behavior
Xu et al. Detection on application layer DDoS using random walk model
CN107682317A (en) Establish method, data detection method and the equipment of Data Detection model
CN107026731A (en) A kind of method and device of subscriber authentication
CN107248996A (en) A kind of detection of DNS amplification attacks and filter method
CN110493262A (en) It is a kind of to improve the network attack detecting method classified and system
CN106330611A (en) Anonymous protocol classification method based on statistical feature classification
CN110445766A (en) Ddos attack method for situation assessment and device
Hu et al. Network data analysis and anomaly detection using CNN technique for industrial control systems security

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant