针对现行分布式拒绝服务(DDoS)攻击检测方法存在检测效率低、适用范围小等缺陷,在分析DDoS攻击对网络流量大小和IP地址相关性影响的基础上,提出基于网络流相关性的DDoS攻击检测方法.对流量大小特性进行相关性分析,定义Hurst指数方差变化率为测度,用以区分正常流量与引起流量显著变化的异常性流量.研究IP地址相关性,定义并计算IP地址相似度作为突发业务流和DDoS攻击的区分测度.实验结果表明,对网络流中流量大小和IP地址2个属性进行相关性分析,能准确地区分出网络中存在的正常流量、突发业务流和DDoS攻击,达到提高DDoS攻击检测效率的目的.%Aiming at the defects such as detection efficiency is still low, the application scope is narrow in currently detection methods, based on analyzing the impact of the correlation of traffic size and IP address caused by Distributed Denial of Service(DDoS) attacks, this paper proposes a method of detecting DDoS attacks based on the correlation of network flow, analyses the correlation of traffic size, defines the rate of variance of hurst exponent as the measure to distinguish the normal traffic and abnormal traffic which cause the original traffic increase notable. The correlation of IP address is analysed, flash traffic and DDoS attacks through the measure of degree of similarity are distinguished. Result shows that through combine correlation analysis of traffic size and IP.address, it can distinguish DDoS attacks traffic from normal traffic and burst traffic, and raise the detection efficiency.
展开▼
