KR101326804B1 - Distributed denial of service detection method and system - Google Patents

Abstract

The present invention relates to a method and system for efficiently detecting DDoS by using a power law distribution. The method for detecting DDoS according to the present invention includes the steps of: collecting a flow for a monitoring period; calculating the collected flow value; and determining the DDoS based on the calculated value.

Description

Distributed Denial of Service detection method and system

The present invention relates to a distributed service denial (DDoS) attack detection method and system, and more particularly to a method and system that can efficiently detect a distributed service denial (DDoS) attack using Power Law Distribution.

Along with the rapid development of the Internet, network traffic attack methods using the main characteristics of the Internet, openness and scalability, have also been rapidly developed.

Distributed Denial of Service (DDoS) attacks are known as representative network attacks. DDoS attack is a generic type of attack that prevents other normal users from receiving service by simultaneously transmitting traffic using users in physically and logically distributed locations to target servers. DDoS attacks are known to be difficult for the defender to distinguish between normal and abnormal traffic because the attacking party (the zombie PC) sends the traffic without knowing it. DDoS attacks have been extensively studied in the last five years, but unfortunately, they are still vulnerable to detection and defense. In the case of Korea, social interest in DDoS is increasing in 2011, including 3.3 DDoS, 7.7 DDoS attacks, Nonghyup network failure, and Blue House DDoS attacks. Researches are being conducted to analyze and detect various anomalies that occur on the network, including DDoS attacks.

Network anomaly detection can be summarized into three main categories: 1) Statistical Based Approach, 2) Anomaly Based Approach, and 3) Information Theory Based Approach. Information Based Approach). Recently, the Equilibrium method has been proposed to detect the abnormality of the network by using the property that the volume change pattern of traffic flow in the non-saturated network link cancels the volume change in a short time interval and is stationary. It was.

Early DDoS detection method has been progressed through statistical methods, mainly using the method of observing traffic volume and generating and using characteristic matrix. Disclosed is a method of detecting a network abnormality through a statistical method, or a method of observing a flow in traffic through a characteristic matrix and monitoring a transmitted packet using a number or a byte size. Lakhina et al. Proposed a method to collect IP address and port information, generate a volume change matrix, and detect it using information entropy proposed by C. E. Shannon in 1948. In addition, a study to improve the detection speed and accuracy by modifying the existing information entropy has been proposed. The ASTUTE scheme, which is a method of observing network status using flow independence and stationary characteristics with time changes, is also presented.

The above suggestions are mainly proposed by Capability Based Approach, which focuses on the filtering concept of how to find and defend the network Anomaly, and uses the strategy of accepting Anomaly traffic including DDoS attacks to the extent allowed by the system. It became. Examples include SpeakUp, Portcullis, TVA, and NetFense. In the case of Capability Based Approach, the main goal is to construct a DDoS-resistant network rather than the detection itself. The filtering concept has the advantage that it can be fully defended and easily applied to legacy networks if accurate anomaly detection is possible, while the decision rules required for filtering can increase exponentially. The disadvantage is that a False Alarm exists at any time. Capability Based Approach has the advantage of eliminating the extra computational process such as complex filtering process or end-to-end encryption, while routers in the network manage the capability by link and control the flow to the destination. There is a downside to it. Although small, there is also a disadvantage in that there is a basic overhead in all situations.

The present invention has been made in the technical background as described above, the object of the present invention is to improve the performance of the DDoS detection and defense method.

In order to solve this problem, the present invention efficiently detects distributed service denial (DDoS) attacks using Power Law Distribution.

와

값을 계산하는 단계; 및 계산된 상기

와

값을 기반으로 DDoS 공격이 있는지를 판단하는 단계를 포함하며, 상기 판단하는 단계에서는 상기

값이 미리 정한 임계값(Threshold value)이상으로 변하는 경우 DDoS 공격이 있는 것으로 판단하되, 현재 관찰시간을 t, 다음 관찰시간을 t+1이라고 할 때, 상기 임계값은 t에서 생성된

값과 관측된 플로우 수로 다음의 수학식에 따라 계산한다.That is, the DDoS attack detection method according to an aspect of the present invention, collecting the flow during the monitoring interval in the connection established; Of the flow collected

Wow

Calculating a value; And the above calculated

Wow

Determining whether there is a DDoS attack based on a value, and in the determining, the

When the value changes above a predetermined threshold value, it is determined that there is a DDoS attack, but when the current observation time is t and the next observation time is t + 1, the threshold value is generated at t.

The value and the number of flows observed are calculated according to the following equation.

The method may further include generating an alarm if the determination result is a DDoS attack.

와

값을 계산하고 계산된 상기

와

값을 기반으로 DDoS 공격이 있는지를 판단하며, 상기 DDoS 공격이 있는지의 판단은 상기

값이 미리 정한 임계값(Threshold value)이상으로 변하는 경우 DDoS 공격이 있는 것으로 판단하되, 현재 관찰시간을 t, 다음 관찰시간을 t+1이라고 할 때, 상기 임계값은 t에서 생성된

값과 관측된 플로우 수로 상기 수학식에 따라 계산한다.DDoS attack detection system according to another aspect of the present invention, the flow collection device for collecting the flow in the network traffic; And a processor for processing data based on the collected flow, wherein the processor is configured to process the collected flow.

Wow

Calculate the value and calculate the above

Wow

It is determined whether there is a DDoS attack based on the value, and the determination of whether there is a DDoS attack is

When the value changes above a predetermined threshold value, it is determined that there is a DDoS attack, but when the current observation time is t and the next observation time is t + 1, the threshold value is generated at t.

The value and the number of flows observed are calculated according to the above equation.

Preferably, the DDoS attack detection system further includes an alarm generating device that generates an alarm if the DDoS attack is a result of the determination.

According to the present invention, it is possible to provide an effective and excellent DDoS detection method by using a power law characteristic in the volume variation of traffic flow.

In addition, the DDoS detection method according to an embodiment of the present invention has the advantage that it can be easily ported to any platform in the future, and has a simple and does not consume much computational resources.

1 shows a conceptual diagram of network traffic and flow.
2 is a distribution diagram of volume changes of flows observed using real Internet traffic data, and shows upper left: Chicago 1, upper right: Chicago 2, lower left: MAWI, and lower right: CAIDA DDoS.
3 is a flowchart of a DDoS attack detection algorithm according to an embodiment of the present invention.
4 shows a topology used for the simulation of the DDoS attack detection method according to an embodiment of the present invention.
5 and 6 show the results of the simulation of the DDoS attack detection method using the topology of FIG. 4, FIG. 5 shows Experiment 1 (trigger alarm when only normal traffic is sent), and FIG. 6 shows Experiment 2 ( 25 seconds rest while sending normal traffic, alarm occurs when sending 5 seconds DDoS traffic, sending DDoS traffic twice per minute).

Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Is provided to fully convey the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims. It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. It is noted that the terms "comprises" and / or "comprising" used in the specification are intended to be inclusive in a manner similar to the components, steps, operations, and / Or additions.

Hereinafter, a DDoS detection method according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

1. Power Law

The present invention proposes a DDoS detection and defense method utilizing a Power Law (PL) distribution different from the previously studied approach.

으로 표현할 수 있다. 여기서 a와 k는 상수이며,

는 small function이다. 위 식이 의미하는 바는 특정 이벤트의 빈도수(frequency)가 어떤 이벤트 속성(k, scaling parameter)을 따를 경우 PL 현상을 가진다고 표현할 수 있다. M. Faloutsos는 인터넷 트래픽을 분석한 결과 Out-degree rank, Degree Frequency, Total number of pair-nodes 등에서 경험적으로 PL 분포가 존재함을 보였다[5]. PL is the probability distribution introduced by Italian economist Vilfredo Pareto, also called the 8-2 rule, or Pareto distribution. PL has been studied as a distribution explaining economic and social phenomena. For example, a country's wealth is a phenomenon in which 80% of a country's wealth is owned by a 20% upper class, 80% of a country's population in 20% of cities, 20 in a specific language. % Words account for more than 80% of the conversation. In mathematical terms

. Where a and k are constants,

Is a small function. Meaning of the above expression can be expressed as having a PL phenomenon when the frequency of a particular event follows a certain event property ( k, scaling parameter). M. Faloutsos analyzed the Internet traffic and showed that the distribution of PL empirically exists in Out-degree rank, Degree Frequency, Total number of pair-nodes [5].

값을 관찰함으로써 기존의 복잡한 모니터링 메카니즘을 탈피하여 손쉽게 DDoS를 탐지 가능함을 이용하는 것이다. 정상적인 형태의 네트워크 트래픽 특성은 짧은 관찰 기간 내에서는 Stationary distribution을 갖게 되는데, 이때 트래픽 내부의 플로우 볼륨(flow volume)들은 특정 분포를 따르고 그 분포 특성은 이상 상황이 아닌 이상 일정하게 유지된다. 하지만 DDoS와 같이 특정 노드(target node 혹은 victim)의 서비스를 중지시키기 위하여 분산된 장소에서 수많은 노드들이 대량의 패킷을 특정 노드에 전송하기 시작하면 네트워크는 플로우 볼륨 변화를 경험하게 된다. 이때 해당 분포가 PL을 따른다면, PL 분포를 특징 짓는 파라미터 값을 관찰하게 되면 DDoS 유무를 판단할 수 있다.The idea of DDoS detection using PL is called scaling parameter of PL distribution.

By observing the value, the DDoS can be easily detected by breaking the existing complex monitoring mechanism. Normal network traffic characteristics have a stationary distribution within a short observation period. In this case, the flow volumes within the traffic follow a specific distribution, and the distribution characteristics remain constant unless an abnormal situation occurs. However, when a large number of nodes in a distributed place, such as DDoS, stop sending services to a specific node (target node or victim), the network experiences a change in flow volume. At this time, if the distribution follows the PL, the presence of the DDoS can be determined by observing a parameter value characterizing the PL distribution.

The PL distribution has been used as a tool to explain real-world phenomena in many areas since it was proposed by Vilfredo Pareto. Fatoutsos has shown that PL distribution has more than 96% probability in rank exponent, out-degree exponent, and node pair distribution that can express the relationship between nodes and edges of the Internet. Pryadkin et al. It is shown that the distribution of has a PL distribution. Aaron Clauset proposed the PL distribution verification method using the Maximum-likelihood fitting method, and proved the existence of PL distribution in 48 kinds of real-world data including HTTP size, website link and hit, Internet degree. Adamic et al. Recently studied the connectivity of the Internet web and showed that the connectivity of the Internet web page also follows the PL distribution.

2. System Modeling

First, system modeling of the DDoS detection method according to an embodiment of the present invention will be described.

2.1 Assumptions of System Modeling

Several assumptions are needed to apply PL distribution to DDoS detection. In order to design a detection system using PL, flow independence and flow stationary conditions are required for Internet traffic flow. In general, a traffic flow is defined as a set of packets having the same specific characteristics of traffic, and may be variously defined according to a situation. For example, a flow may be expressed as a set of packets having the same source IP address and a destination IP address in a packet, or a set of packets having the same port number as the source and destination. In the present specification, the term Flow refers to a set of packets having the same source / destination address. In the following, studies on flow independence and flow volume uniformity attempt to replace the suitability of the assumption.

2.1.1 Flow Independence

, 특정 시간에 특정 링크(link)에서 발생하는 플로우의 수를 볼륨

라 했을 때,

는 'discrete-time marked point process'를 따르게 되고, 각각의 time bin에서의

의 개수를 관찰할 수 있게 된다. 이때 플로우

는 아래의 세가지 파라미터를 통해 식별할 수 있다.In order to observe the traffic flow, it is divided into predetermined time units (called time slots or time bins), and flows generated at specific unit times are collected. Flow

The volume of flows that occur on a particular link at a specific time,

When I say

Will follow a 'discrete-time marked point process', with each time bin

The number of can be observed. Flow

Can be identified through the following three parameters.

: 플로우

가 지나가는 링크의 time binㆍ

Flow

Bin of the link passing by

:

가 지나가는 time bin의 수ㆍ

:

Of time bins that pass by

: 각각의

에서 관측되는 플로우에 대한 벡터ㆍ

: Each

Vector of the flow observed in

은 다른 플로우의 특성과 독립적이라는 의미이다. 플로우 독립성이 성립하지 않는 상황은 2가지 경우 가능하다. 첫째, 어떤 플로우들이 몇 개의 세션(sessions)으로 그룹화 되는 경우이다(예: 하나의 클라이언트가 특정 서버로부터 웹사이트를 다운로드를 완료하고, 다른 서버로부터 이전에 다운로드 받은 웹페이지에 속해 있던 object를 다운로드 하는 경우 플로우들간 의존성(dependency) 발생). 둘째, 네트워크 congestion이 발생한 경우 플로우들이 동일 라우터의 큐에 속하게 되면 플로우들의 특성들이 상호 연관되어 독립적이지 않게 된다.Flow independence

Means that it is independent of the characteristics of other flows. There are two cases where flow independence does not hold. First, some flows are grouped into several sessions (e.g. one client completes a website download from a particular server and then downloads an object that belongs to a webpage previously downloaded from another server). Case dependencies between flows). Second, when network congestion occurs, when flows belong to the same router queue, the characteristics of the flows are related to each other and are not independent.

가 독립적이라는 트래픽의 특징은 일반 트래픽과 DDoS 트래픽이 구분될 수 있다는 이론적 조건으로 사용된다.Although there is a possibility that flow independence does not exist, data analysis of actual Internet traffic shows that flow independence is maintained in most cases. Accordingly, in the present specification, each for DDoS detection using PL

The characteristic of traffic that is independent is used as the theoretical condition that general traffic and DDoS traffic can be distinguished.

2. 1.2 Flow Volume Stationarity

Flow volume uniformity means that the characteristics of the distribution do not change when the volume of the flow is observed in the network. However, if you observe traffic on the Internet for a long time (one day or a week), it is not uncommon to see a constant. However, when the observation unit (period or time bin) is made small, the flow volume of Internet traffic has a stationarity. Previous studies on Internet traffic have demonstrated that stationarity fits well in observation periods of less than one hour. One of the previous studies found that when the traffic observation unit is less than 5 minutes, abnormal traffic breaks the flow volume uniformity characteristic, which can detect an abnormal state of the network.

If there is a traffic volume uniformity, the traffic volume uniformity is broken and the PL distribution changes when DDoS occurs. By monitoring these changes, you can detect abnormal conditions in your network.

2.2 Design of DDoS Detection System Using PL

2.2.1 PL formulation with Volume Change Rate

1 shows a conceptual diagram of network traffic and flow.

Assuming the case of observing traffic flowing at a short time in one network link, the flows of traffic passing through the link are independent of each other by the above-described assumption, and the distribution of change according to the short observation period is stationary.

에서 총 볼륨변화에 관심이 있으며, 이를 위하여 먼저 다음과 같이 몇 개의 용어를 정의한다. 본 발명의 실시예에 따른 DDoS 탐지 시스템에서 사용하는 볼륨의 의미는 같은 특정 관찰기간에서 플로우가 나타난 빈도수를 의미한다.At what point we are

We are interested in the total volume change in. First of all, we define some terms as follows. The volume used in the DDoS detection system according to an embodiment of the present invention means a frequency in which flows appear in the same specific observation period.

: 관찰하고자 하는 데이터 링크(link)ㆍ

: Data link to observe

: time bin에서 플로우 개수ㆍ

: Count of flows in time bin

: 관찰 기간(monitoring duration)ㆍ

: Monitoring duration

: 시간

에서 플로우

의 볼륨ㆍ

: time

Flow

Volume of

: 플로우

가 관찰기간

에서 볼륨

를 가질 확률ㆍ

Flow

Observation period

Volume

Probability of having

: 연속적인 관찰시간에서

의 볼륨의 변화율ㆍ

In continuous observation time

Rate of change of volume

에서

개의 플로우들(

)이

을 통과하고 있다면, 전체 트래픽 볼륨은 다음과 같다.If a particular observation period

in

Flows (

)this

If passing through, the total traffic volume is

에서 전체 트래픽 볼륨의 기대치(expected value)는 정의에 따라, 다음의 [수학식 1]과 같이 정리할 수 있다.time

Expected value of the total traffic volume can be summarized as in Equation 1 below by definition.

의 엔트로피는 다음의 [수학식 2]와 같다.As defined by Information Entropy

The entropy of is shown in Equation 2 below.

는 상호 배타적으로 분할될 수 있으므로 전확률의 법칙(total probability law)에 따라 다음의 [수학식 3]이 성립한다.According to the assumption of flow independence

Since can be mutually exclusively divided, the following Equation 3 holds according to the total probability law.

의 분포를 구하기 위해 MEP(Maximum Entropy Principal)를 이용하면 다음의 [수학식 4]와 같으며, 이때 상기한 [수학식 1] 및 [수학식 3]을 만족하여야 한다.

When using MEP (Maximum Entropy Principal) to obtain the distribution of Equation 4, the following Equation 1 and Equation 3 must be satisfied.

[Equation 1] and [Equation 3] can be modified in the same manner as in the following [Equation 5] and [Equation 6].

Applying the Lagrange Multiplier method using [Equation 5] and [Equation 6] to find the maximum value of [Equation 4], it becomes as [Equation 7] below,

에 대하여 편미분 후 0이 되는 값을 찾으면 아래의 [수학식 8]을 얻는다.Of Equation 7

If we find a value that becomes 0 after partial derivatives for, Equation 8 below.

[Equation 3] and [Equation 8] can be arranged as follows,

=

1 =

=

=

),If you have enough flows (

),

Solve by substituting [Equation 8] into [Equation 1],

In this case, if you solve the inner equation of Equation 10 in the same way as in Equation 9,

Substituting Equation 11 into Equation 10,

Solving [Equation 12] into [Equation 8] to solve,

로 치환하면 [수학식 13]은

If you substitute with Equation 13

에서 플로우 볼륨이 발생할 확률이 PL을 따른다는 것을 이론적인 정리를 통해 증명하였다.[Equation 14] is a general PL form, which allows us to time

Theoretical theorem demonstrates that the probability of the flow volume to follow the PL.

2.2.2 Power Law Existence with Empirical Review

In order to determine the inflow of abnormal traffic into the network using PL, the assumption that the traffic volume distribution has PL characteristics in addition to the two assumptions listed above, flow independence and flow volume stationarity. This is necessary. To support these assumptions, we observed the following four data provided to the public for research purposes. We use time stamp information of each data to classify packets at 5 second time bins, analyze source / destination IP addresses to find source-destination pairs, and then The number of flows that occurred was counted. After the observation of all the data, the most frequent flows are arranged in descending order from the lowest flow, and each occurrence frequency is expressed in FIG. 2 by calculating the probability value for the total occurrence frequency.

That is, FIG. 2 is a distribution diagram of volume changes of flows observed using real Internet traffic data, and shows upper left: Chicago1, upper right: Chicago2, lower left: MAWI, and lower right: CAIDA DDoS.

를 나타내었다. In FIG. 2, the horizontal axis has the flow having the highest occurrence frequency at the leftmost side and the flow having the lowest occurrence frequency at the rightmost side, and the occurrence frequency (probability) for the entire flow is indicated on the vertical axis. As a result of analyzing the four real network data, the flow volume (frequency or frequency in this case) is the same function as the above-described PL.

Indicated.

The data used in this specification are data collected from the actual Internet, and are selected to best represent general Internet traffic flows, and Chicago 1 and 2 are backbones connecting Chicago and Seattle on the Chicago equnix-chicago internet data collection monitor. Traffic data from the network. DDoS data is a collection of DDoS actual data that lasted for one hour on August 4, 2007. MAWI data is actual data collected from trans-Pacific internet lines via Japan. Four types of data characteristics are summarized in the following [Table 1].

data
name offer
Agency produce
Time Data rate
(packet / sec) Chicago1 CAIDA month 90,660 Chicago2 CAIDA month 94,256 MAWI MAWI month 58,789 DDoS CAIDA month 167,737

As a result of analyzing the actual Internet traffic data, it was confirmed that the flow volume of all the used data has a PL characteristic, and it is assumed that PL is a general phenomenon appearing in the traffic flow volume in the PL design, which is a key element of the present invention.

2.2.3 DDoS Detection Method

값만을 관찰함으로써 트래픽 볼륨의 변화 상태를 파악할 수 있다. To take advantage of the fact that Internet traffic exhibits PL characteristics, we need to look at the mathematical characteristics of PLs. The characteristics of the PL can be characterized by a long tail distribution. The differences from the normal distribution are summarized in [Table 2] below. PL is represented by scaling parameters

By observing only the values, it is possible to grasp the change of traffic volume.

division Power Law distribution Gaussian distribution percentage
density
function

여기서,

=0+

은

lower bound이며,

은 0에 근접한 양의 수

here,

= 0 +

silver

lower bound,

Is a positive number near zero

Para
Meter

Scaling parameters

here

Is the frequency

(Average) =

(Standard deviation)

DDoS
Application Case none ASTUTE (Sigcomm) [2] Advantages Mathematical modeling is possible by utilizing the Maximum Entropy Pricipal, and it is applicable to general data through Empirical Analysis.

Only need to observe) Applicable to all data according to the Central Limit Threom, if the number of samples is sufficient, it can be applied regardless of data distribution

As observed in FIG. 2, the flow volume variation of both the normal traffic and the DDoS traffic has a PL characteristic, but it can be seen that the scaling parameter value changes according to the dataset.

값이 정상 트래픽보다 상승하는 현상이 나타난다. PL을 이용한 탐지 알고리즘은 평소 일정 관찰시간(monitoring interval)으로 트래픽을 수집하고, 수집된 트래픽에서 각각 플로우의 볼륨 변화량을 계산하게 된다. 이러한 볼륨의 변화량이 PL 특성을 따르게 되고, 트래픽 볼륨 변화량으로

값을 계산한다. 본 명세서에서는 관찰 시간을 1초로 설정하여 실험하였다. 지속적으로

값을 관찰하다가 임계점(threshold value)이상으로 변하게 되면 DDoS 공격이 존재한다고 판단하게 된다. In general, DDoS attacks can cause packets to converge at specific destinations.

The value rises above normal traffic. The detection algorithm using the PL collects traffic at regular monitoring intervals and calculates the volume variation of each flow in the collected traffic. The amount of change in volume follows the PL characteristic, and the amount of change in traffic volume

Calculate the value. In this specification, the experiment was set by setting the observation time to 1 second. Continuously

Observing the value and changing above the threshold value determines that a DDoS attack exists.

3 is a flowchart of a DDoS attack detection algorithm according to an embodiment of the present invention.

와

값을 계산한다. 이를 기반으로 DDoS 공격이 있는지를 판단하고, 판단 결과 DDoS 공격이면 알람을 발생시킨다.As shown in FIG. 3, the flow is collected during the monitoring interval in the state of establishing a connection,

Wow

Calculate the value. Based on this, it is determined whether there is a DDoS attack, and if the result is a DDoS attack, an alarm is generated.

값과 관측된 플로우 수로 계산하며, 임계값(Threshold) 계산 방식은 다음과 같다. When the current observation time is t and the next observation time is t + 1, the threshold is generated at t.

The value and the number of observed flows are calculated. The threshold calculation method is as follows.

: 시간 t+1에서의 임계값From here,

: Threshold at time t + 1

: 상위 및 하위 임계값 변화량

: Upper and lower threshold changes

: 시간 t 에서의 scaling parameter

Scaling parameter at time t

: 시간 t 에서의 플로우(flow) 수

: Number of flows at time t

3. Simulation and Performance Evaluation

3. 1 Data Sets

The data set used to evaluate the DDoS detection capability using the PL property was used the CAIDA (The Coorperative Association for Internet Data Analysis) data set shown in Table 1. CAIDA is a representative institution that collects and shares various types of network traffic data on a regular basis, and thus it was determined / used as suitable for the experiment of the present invention because the objectivity of the data can be maintained. The data used herein are Chicago 1 and DDoS in Table 1.

Chicago1: The data was collected from the high-speed Internet backbone line connecting Chicago and Sanjose in the United States, and used as the ground truth data. The DDoS dataset shown in Table 1 is data collected on August 4, 2007 in the United States, and the traffic that the Internet-connected servers cannot use resources by depleting the Internet bandwidth.

Internet backbone: We can see a trend of concentrating traffic at almost twice the level (167,737 packets / sec) than Chicago1 traffic capacity (90,660 packets / sec) (see Table 1), which is a typical DDoS traffic type.

3. 2 Simulation Setup

In this simulation, three computers and one router were used to create a realistic environment. A and B are IBM laptops, CPUs are Intel core 2.0 GHz and memory is 2Gbytes. Computer C is an Asus laptop with a CPU of Intel core i5 2.3 GHz and 6Gbytes of memory. In the case of A and B, reading each dataset transmits the packet at the maximum rate that each PC can send (without considering special hardware sending rate). The topology used in this simulation is shown in FIG. 4.

In Fig. 4, Computer A is a normal traffic generator, Computer B is a DDoS traffic generator, and Computer C is a PL detector.

In this specification, the experiment was divided into two types to distinguish between a steady state and an abnormal state. In the first experiment, computer A in FIG. 4 reads Chicago1 traffic data and continuously transmits it to the router and observes whether a DDoS occurrence warning occurs. At this time, computer B does nothing, and computer C implements / installs an ASTUTE detector and a PL detector. In the ASTUTE implementation, the value of aav, which is a decision criterion, is set to 2. In order to set up the environment similar to the PL detector, the monitoring paramenter of ASTUTE is implemented by reflecting only the volume change rate for network flows with the same source and destination IP addresses. In the second experiment, computer A continuously transmits normal traffic as in the first experiment, computer B transmits nothing for 25 seconds (Sleep Condition), and then generates and sends DDoS traffic to the router for 5 seconds. The router sends traffic from computer A and B to computer C, and computer C observes the status of the traffic. If the DDoS state is detected, computer C notifies the network administrator of the occurrence of a network attack (DDoS attack trigger). In each experiment, computer C uses ASTUTE and PL detectors.

3.3 Analysis

The results of the two experiments described above are shown in FIGS. 5 and 6, respectively.

That is, FIGS. 5 and 6 show simulation results of the DDoS attack detection method using the topology of FIG. 4. FIG. 5 shows Experiment 1 (an alarm generated by a detector when only normal traffic is sent), and FIG. 6 shows an experiment. 2 (rests 25 seconds while sending normal traffic, alarm occurs when sending 5 seconds of DDoS traffic. DDoS traffic is sent twice per minute). In the figure, the time on the horizontal axis represents minutes, the upper figure shows the ASTUTE and the lower figure shows the operation result of the PL detector.

In each figure, a dot (ASTUTE is a blue dot, PL detector is a red dot) is the point that triggered the alarm. Also, the solid red line is the point of reference for intrusion detection, and the solid blue line is an observation of the scaling parameter of the ASTUTE aav and PL detectors. The horizontal axis represents the observation time, and the unit is minutes. In case of ASTUTE, one alarm is generated when only normal traffic is transmitted. The PL detector, on the other hand, generated four alarms.

In normal traffic, ASTUTE generated a small number of false alarms (false positives). However, it is worth noting that performance is a constant DDoS attack (two DDoS attacks per minute, 5 seconds duration), in which case ASTUTE rarely detects intrusions (two alarms generated), while PL detectors Alarms can be generated to effectively detect network abnormalities, especially DDoS attacks.

As described above, it can be confirmed experimentally that the power law characteristic exists in the volume variation of traffic flow through the actual internet backbone traffic analysis, and the mathematical analysis shows that the distribution of the variation in traffic volume shows the power law characteristic. It was confirmed through modeling.

The superiority of the detection capability of the DDoS detection method using the power law according to the embodiment of the present invention was confirmed through simulation, and the DDoS detection method according to the embodiment of the present invention can be easily ported to any platform in the future. It has the advantage of being simple and not consuming much computational resources.

While the invention has been described in terms of the preferred embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the invention. Accordingly, the appended claims are intended to embrace all such modifications and variations as fall within the true spirit of the invention.

Claims (4)

Collecting flows during the monitoring interval in a state of being established;
Of the flow collected

Wow

Calculating a value; And
Calculated Remind

Wow

Determining whether there is a DDoS attack based on the value,
In the determining step,

If the value changes above a predetermined threshold, it is determined that there is a DDoS attack.
When the current observation time is t and the next observation time is t + 1, the threshold is generated at t.

DDoS attack detection method calculated according to Equation 15 as a value and the number of flows observed.
&Quot; (15) "

The method of claim 1,
And generating an alarm if the determination result is a DDoS attack. A flow collection device for collecting flows in the network traffic; And
A DDoS attack detection system including a processor for processing data based on the collected flow,
The processor is configured to

Wow

Calculate the value and calculate the above

Wow

Value to determine if there is a DDoS attack.
The determination of whether there is a DDoS attack

If the value changes above a predetermined threshold, it is determined that there is a DDoS attack.
When the current observation time is t and the next observation time is t + 1, the threshold is generated at t.

DDoS attack detection system that calculates the value and the number of observed flows according to Equation 15 below.
&Quot; (15) "

The method of claim 3,
DDoS attack detection system further comprises an alarm generating device for generating an alarm if the result of the determination DDoS attack.

Images