DDoS attacks are hard to detect in a backbone network because the attack flows are distributed across multiple links and are easily masked by the large volume of background traffic. To address this problem, a detection method based on global abnormal correlation analysis is proposed. The method exploits the change in correlation between traffic flows that attack flows cause: principal component analysis extracts the correlation between the potentially anomalous parts of multiple traffic flows, and the degree of change in that correlation is used as the attack indicator. Evaluation shows that the proposed method is effective and that it overcomes the difficulty of detecting relatively low-volume DDoS attack traffic transiting a backbone network. Compared with the existing network-wide detection method, it achieves a higher detection rate.
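The following sketch of the idea in the abstract is an added example, not the paper's algorithm or code. It assumes a single principal component models normal traffic, uses the mean absolute pairwise correlation of the residuals as the change measure, and runs on constructed six-link traffic; all function names are hypothetical.

```python
import math, random

def fit_normal_axis(X, iters=50):
    """Per-link mean and first principal axis of baseline X[t][link] (power iteration)."""
    n, m = len(X), len(X[0])
    mu = [sum(r[j] for r in X) / n for j in range(m)]
    C = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in X) / n for j in range(m)] for i in range(m)]
    v = [1.0] * m
    for _ in range(iters):
        w = [sum(C[i][j] * v[j] for j in range(m)) for i in range(m)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return mu, v

def residual(X, mu, v):
    """Remove the modelled normal component; what remains is potentially anomalous."""
    out = []
    for r in X:
        c = [x - u for x, u in zip(r, mu)]
        p = sum(a * b for a, b in zip(c, v))
        out.append([a - p * b for a, b in zip(c, v)])
    return out

def mean_abs_corr(R):
    """Mean absolute Pearson correlation over all link pairs."""
    n, m = len(R), len(R[0])
    mu = [sum(r[j] for r in R) / n for j in range(m)]
    cov = lambda i, j: sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in R) / n
    pairs = [(i, j) for i in range(m) for j in range(i + 1, m)]
    return sum(abs(cov(i, j)) / math.sqrt(cov(i, i) * cov(j, j)) for i, j in pairs) / len(pairs)

def change_degree(baseline, window):
    """Rise in residual correlation of a window relative to the baseline."""
    mu, v = fit_normal_axis(baseline)
    return mean_abs_corr(residual(window, mu, v)) - mean_abs_corr(residual(baseline, mu, v))

def make_traffic(t0, t1, attack=False, seed=1):
    """Constructed data: 6 links, diurnal background, noise, optional low-rate flows on 3 links."""
    rng, scale = random.Random(seed), [1.0, 0.8, 1.2, 0.9, 1.1, 0.7]
    rows = []
    for t in range(t0, t1):
        base = 1000 + 300 * math.sin(2 * math.pi * t / 288)
        a = 40 * (1 + math.sin(t / 3.0)) if attack else 0.0
        rows.append([s * base + rng.gauss(0, 10) + (a if j < 3 else 0.0) for j, s in enumerate(scale)])
    return rows

baseline = make_traffic(0, 288, seed=1)
clean_score = change_degree(baseline, make_traffic(288, 348, seed=2))
attack_score = change_degree(baseline, make_traffic(288, 348, attack=True, seed=2))
print(f"clean={clean_score:.2f} attack={attack_score:.2f}")
```

The injected flows peak at a few percent of each link's volume, so per-link volume thresholds would not flag them, while the correlation between residuals rises sharply.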