QUICK REVIEW

[Paper Summary] An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach

Brij B. Gupta, Manoj Misra|arXiv (Cornell University)|Mar 12, 2012
Network Security and Intrusion Detection | References: 32 | Cited by: 44

One-sentence summary

This paper proposes an ISP-level DDoS detection framework built on two combined statistical metrics, Volume and Flow, with thresholds set dynamically by the Six-Sigma and tolerance-factor methods to improve detection accuracy. Evaluated in an NS-2 simulation environment across diverse attack scenarios with varying numbers of zombie hosts and attack strengths, the system significantly reduces false positives and false negatives compared with conventional volume-based detection.

ABSTRACT

Disruption from service caused by DDoS attacks is an immense threat to Internet today. These attacks can disrupt the availability of Internet services completely, by eating either computational or communication resources through sheer volume of packets sent from distributed locations in a coordinated manner or graceful degradation of network performance by sending attack traffic at low rate. In this paper, we describe a novel framework that deals with the detection of variety of DDoS attacks by monitoring propagation of abrupt traffic changes inside ISP Domain and then characterizes flows that carry attack traffic. Two statistical metrics namely, Volume and Flow are used as parameters to detect DDoS attacks. Effectiveness of an anomaly based detection and characterization system highly depends on accuracy of threshold value settings. Inaccurate threshold values cause a large number of false positives and negatives. Therefore, in our scheme, Six-Sigma and varying tolerance factor methods are used to identify threshold values accurately and dynamically for various statistical metrics. NS-2 network simulator on Linux platform is used as simulation testbed to validate effectiveness of proposed approach. Different attack scenarios are implemented by varying total number of zombie machines and at different attack strengths. The comparison with volume-based approach clearly indicates the supremacy of our proposed system.

Motivation and Goals

  • Address the growing threat of DDoS attacks that make Internet services unavailable either by exhausting resources or by degrading performance with low-rate traffic.
  • Develop an anomaly-based detection system that handles both high-volume and low-rate DDoS attacks inside an ISP network domain.
  • Set thresholds dynamically through statistical methods rather than fixed values, so as to improve detection accuracy.
  • Characterize attack flows by monitoring abrupt traffic changes and applying the Volume and Flow metrics.

Proposed Method

  • The framework monitors abrupt changes in traffic inside the ISP domain to detect potential DDoS activity.
  • Two statistical metrics are used to detect anomalies: Volume (total data rate) and Flow (number of active connections).
  • The Six-Sigma and varying tolerance-factor methods are applied to compute a dynamic, data-driven threshold for each metric.
  • Thresholds are updated continuously to follow changes in normal traffic, minimizing false positives and false negatives.
  • Traffic is classified as malicious according to how far it deviates from the statistically derived normal behaviour.
  • The NS-2 network simulator on Linux is used to simulate multiple DDoS scenarios with different numbers of zombie hosts and attack strengths.
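The dynamic-threshold step described above, as an added example that is not the paper's code. It assumes a concrete form the page does not spell out: for each metric the upper threshold is mean + k · standard deviation over a sliding window of recent normal intervals, where k is the tolerance factor (k = 6 gives a six-sigma band, smaller k is more sensitive). Volume is taken as bytes per measurement interval and Flow as distinct flows per interval; all traffic samples are constructed. The point it shows is why the combined metrics matter: a low-rate attack that stays inside the Volume band is still caught by the Flow band.

```python
"""Dynamic-threshold DDoS anomaly detector over Volume and Flow metrics.

Added example, not the paper's implementation.  Assumed definitions:
  Volume = bytes observed in one measurement interval
  Flow   = number of distinct flows (5-tuples) seen in that interval
  upper threshold per metric = mean + k * stdev of a sliding baseline window,
  with k the tolerance factor (k = 6 approximates a six-sigma control band).
"""
from collections import deque
from statistics import mean, pstdev


class DynamicThresholdDetector:
    def __init__(self, window=60, tolerance=3.0):
        self.k = tolerance                      # tolerance factor k
        self.volume_hist = deque(maxlen=window) # sliding baseline, Volume
        self.flow_hist = deque(maxlen=window)   # sliding baseline, Flow

    def train(self, intervals):
        """Seed the baseline with (volume, flows) tuples from normal traffic."""
        for volume, flows in intervals:
            self.volume_hist.append(volume)
            self.flow_hist.append(flows)

    def thresholds(self):
        """Current upper control limit for (Volume, Flow)."""
        if len(self.volume_hist) < 2:
            raise ValueError("baseline needs at least two intervals")
        return (
            mean(self.volume_hist) + self.k * pstdev(self.volume_hist),
            mean(self.flow_hist) + self.k * pstdev(self.flow_hist),
        )

    def observe(self, volume, flows):
        """Classify one interval and return the metrics that exceeded their
        thresholds (empty list = normal).  Only intervals judged normal are
        folded into the baseline, so an ongoing attack cannot inflate the
        thresholds and hide itself."""
        vol_thr, flow_thr = self.thresholds()
        exceeded = []
        if volume > vol_thr:
            exceeded.append("volume")
        if flows > flow_thr:
            exceeded.append("flow")
        if not exceeded:
            self.volume_hist.append(volume)
            self.flow_hist.append(flows)
        return exceeded


def constructed_normal_traffic(n=60):
    """Deterministic, constructed 'normal' intervals: ~5 MB and ~400 flows
    per interval with bounded jitter (not measured data)."""
    return [
        (5_000_000 + ((i * 37) % 11 - 5) * 50_000, 400 + ((i * 13) % 7 - 3) * 10)
        for i in range(n)
    ]


def demo():
    """Run three constructed intervals through a trained detector."""
    det = DynamicThresholdDetector(window=60, tolerance=3.0)
    det.train(constructed_normal_traffic())
    return {
        # ordinary interval: both metrics inside their bands
        "normal": det.observe(5_000_000, 400),
        # flooding attack: both Volume and Flow blow past the thresholds
        "high_volume": det.observe(20_000_000, 2_500),
        # low-rate attack: Volume stays in band, but many small flows do not
        "low_rate": det.observe(5_100_000, 900),
    }


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(f"{scenario:12s} -> {'ATTACK ' + '+'.join(hits) if hits else 'normal'}")
```

A volume-only detector is the same class with the Flow check removed; on the "low_rate" interval it returns nothing, which is the false negative the paper's combined approach is designed to remove. Lowering the tolerance factor tightens both bands and trades false negatives for false positives, which is why the paper varies k rather than fixing it.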

Experimental Results

Research Questions

  • RQ1: How can an ISP-level system detect diverse DDoS attacks, including low-rate and high-volume variants, through statistical traffic analysis?
  • RQ2: Which statistical metrics are most effective for detecting DDoS anomalies in real time inside an ISP network domain?
  • RQ3: Compared with static thresholds, how does dynamic threshold setting improve the accuracy of anomaly-based DDoS detection?
  • RQ4: To what extent does combining the Volume and Flow metrics reduce false positives and false negatives in DDoS detection?
  • RQ5: How does the proposed system perform under different attack conditions, such as varying numbers of compromised hosts and attack strengths?

Key Findings

  • With dynamic thresholds set by the Six-Sigma and tolerance-factor methods, the proposed system significantly reduces false positives and false negatives.
  • Combining the Volume and Flow metrics lets the system detect both high-volume and low-rate DDoS attacks more effectively than a volume-only approach.
  • Simulation results show higher detection accuracy across multiple attack scenarios with different numbers of zombie hosts and attack strengths.
  • The dynamic threshold mechanism adapts to normal traffic patterns, keeping detection sensitivity high while avoiding spurious alarms.
  • Compared with volume-based detection, the proposed framework achieves higher precision and recall in identifying attack traffic.


This summary was generated by AI and reviewed by a human editor.