Journal of Software (软件学报)
2013, Issue 5, pp. 1272-1280 (9 pages)
IP network; distributed denial of service (DDoS); large deviation
This paper addresses HTTP-flood Web DDoS (distributed denial of service) attacks and proposes a detection scheme based on a large deviation statistical model. The scheme characterizes a user's access behavior by the sequence of Web pages accessed and uses the method of types to quantize that sequence, yielding the user's empirical click probability distribution over the site's pages. It then uses the large deviation statistical model to analyze the deviation of the user's empirical distribution from the website's prior distribution, and detects HTTP-flood DDoS attacks from the resulting large deviation probability. Preliminary simulations of the scheme's performance show that normal users have larger large deviation probabilities than attackers: for most normal Web surfers the probability is larger than 10⁻³⁶, whereas for most attackers it is smaller than 10⁻⁴⁰. The scheme can therefore detect HTTP-flood Web DDoS attacks effectively; with a detection threshold of 10⁻⁶⁰ it achieves a 97.5% true positive rate with a false positive rate of only 0.6%. Compared with an existing detection method based on Web-page transition probabilities, the scheme achieves a better detection rate; in particular, with the false positive rate below 5%, it improves the true positive rate by 0.6%.
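The pipeline the abstract describes (empirical type of a session, deviation from the site prior, threshold test) can be sketched as follows. This is an added example, not code from the paper: it assumes the large deviation probability is estimated with Sanov's theorem as exp(-n·D(type‖prior)), and the page names, prior and sessions are constructed; only the 10⁻⁶⁰ threshold comes from the abstract.

```python
import math
from collections import Counter

# Constructed prior click distribution for a five-page site (assumption, not from the paper).
PRIOR = {"/": 0.40, "/news": 0.25, "/products": 0.20, "/about": 0.10, "/search": 0.05}
LOG10_THRESHOLD = -60.0  # detection threshold 10^-60 quoted in the abstract


def empirical_type(pages):
    """Method of types: the fraction of requests that hit each page."""
    counts = Counter(pages)
    n = len(pages)
    return {page: c / n for page, c in counts.items()}


def kl_divergence(p, q):
    """D(p || q) in nats; infinite if p puts mass on a page the prior excludes."""
    total = 0.0
    for page, p_i in p.items():
        q_i = q.get(page, 0.0)
        if q_i == 0.0:
            return math.inf
        total += p_i * math.log(p_i / q_i)
    return total


def log10_large_deviation_prob(pages, prior=PRIOR):
    """Sanov-style estimate log10 P ~= -n * D(type || prior) / ln 10 (assumed form)."""
    if not pages:
        raise ValueError("empty request sequence")
    return -len(pages) * kl_divergence(empirical_type(pages), prior) / math.log(10)


def is_attack(pages, prior=PRIOR, log10_threshold=LOG10_THRESHOLD):
    """Flag a session whose estimated probability falls below the threshold."""
    return log10_large_deviation_prob(pages, prior) < log10_threshold


# Constructed sessions of 200 requests each.
NORMAL = ["/"] * 84 + ["/news"] * 46 + ["/products"] * 38 + ["/about"] * 22 + ["/search"] * 10
FLOOD = ["/search"] * 200  # one expensive page requested repeatedly

if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, round(log10_large_deviation_prob(session), 2), is_attack(session))
```

Under this estimate the score scales with session length, so a short session that stays on pages covered by the prior cannot fall below the threshold however skewed it is.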