分布式增速拒绝服务(DIDoS)攻击采用逐步提升发包速率的方式来造成受害者资源的慢消耗,较之传统的分布式拒绝服务(DDoS)攻击更具隐蔽性,如何尽可能早地将其捕获是一个亟待研究的问题.本文针对DIDoS攻击的特点,提出了一种基于改进AAR模型的DIDoS攻击早期检测方法.为此,首先提出了一组基于条件熵的检测特征:流特征条件熵(TFCE),用以反映DIDoS攻击流速的增长变化;然后根据改进的AAR模型对TFCE值进行多步预测;最后采用经过训练的SVM分类器对预测值进行分类,以识别攻击企图.实验结果表明,在保证检测精度相当的前提下,该方法比部分现有方法能够更快检测到攻击.%Distributed Increasing-rate Denial-of-Service (DIDOS) attacks gradually increase the sending rate of packets to exhaust the victim's resources slowly, so DIDOS attacks have a higher concealment than the traditional DDoS attacks.How to detect DIDoS attacks as soon as possible is an urgent problem we should study.In view of the characteristics of DIDoS attacks, a novel approach for early detection based on an improved adaptive autoregressive (AAR) model is proposed.In this approach, a set of novel detection features based on the conditional entropy called the Traffic Feature Conditional Entropy (TFCE), are used to reflect the increase of DIDoS attack traffic rate.Then an improved AAR model is used to predict the multistep TFCE values.Finally a trained SVM classifier is adopted to identify the tendency of attacks by classifying the predicted TFCE values.The experimental results demonstrate that our approach can not only guarantee the comparative precision of detection but also detect DIDoS attacks more quickly than some existing approaches.
展开▼
