Promiscuous mode-based DDoS (Distributed Denial of Service) attack detection method and device

A promiscuous mode, attack detection technology

Inactive Publication Date: 2011-06-22
THE PLA INFORMATION ENG UNIV
0 Cites, 34 Cited by

AI Technical Summary

Problems solved by technology

Anomaly-based DDoS detection builds a model of normal behavior; its detection rate is high, but its false positive rate is also high.
However, detection at a single scale, based only on packet statistics or only on flow statistics, is powerless against well-concealed DDoS attacks.
At present, most of the patents on DDoS attack detection use anomaly detection methods. These methods are usually implemented based on a single message or


Examples


Embodiment 1

[0021] Embodiment one: see Figure 5. In the promiscuous-mode DDoS attack detection method of the present invention, the basic detection process is as follows: traffic in the DDoS database is examined using dual-scale statistics, on messages (packets) and on flows, in a promiscuous mode that combines misuse detection with anomaly detection, and DDoS attack alarm messages are generated. In this promiscuous mode, packet detection and flow detection are performed in parallel, while anomaly detection and misuse detection are performed in series.

[0022] At the beginning, when there are few feature samples in the misuse detection mode, anomaly detection is used first to detect DDoS attacks. As the feature samples keep increasing, detection of DDoS attacks shifts to misuse detection.

Embodiment 2

[0023] Embodiment two: see Figure 3. Building on Embodiment 1, this embodiment of the promiscuous-mode DDoS attack detection method specifically discloses the message-based and the flow-based anomaly detection processes. For message-based anomaly detection, the statistical values of historical packets from real non-anomalous data are used as the baseline data to calculate the proportion distribution and statistical count of each type of data packet in the total number of data packets per unit time, and to predict the threshold of the proportion distribution and statistical count of each type of data packet at the current moment. The threshold is calculated with the "sliding weighted average" algorithm, and the sliding window uses four granularities: second level, minute level, hour level, and day level. The predicted threshold is compared with the current data packet proportion distribution and s...

Embodiment 3

[0024] Embodiment three: see Figure 4. Building on Embodiment 2, this embodiment of the promiscuous-mode DDoS attack detection method specifically discloses the message-based and the flow-based misuse detection processes. For message-based misuse detection, typical DDoS attack anomaly feature values obtained by packet-based anomaly detection are excerpted and put into the misuse pattern feature library as the detection features of the misuse pattern; when a feature in the library is matched, it is judged that a DDoS attack has occurred. For flow-based misuse detection, typical DDoS attack anomaly feature values obtained by flow-based anomaly detection are excerpted and put into the misuse pattern feature library as the detection features of the misuse pattern. When the characteristics of flow proportion distribution and statistical number are the same as a certain characteristic in the misuse detection characteristic library, it is judged th...
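
The packet-scale path of Embodiments 1 to 3, as an added Python example that is not part of the patent text: per-interval packet-type shares are compared with a sliding-weighted-average threshold, and each anomaly found is stored as a misuse feature that later intervals are matched against. The packet classes, linear weights, margin, 10% quantisation, misuse-before-anomaly ordering and the single window granularity are assumptions; the sample counts are constructed.

```python
from collections import deque

TYPES = ("tcp_syn", "tcp_other", "udp", "icmp")  # assumed packet classes

def proportions(counts):
    """Share of each packet type in one unit-time interval."""
    total = sum(counts.get(t, 0) for t in TYPES) or 1
    return {t: counts.get(t, 0) / total for t in TYPES}

def sliding_weighted_average(values):
    """Weighted mean over the window; newer samples weigh more (assumed linear weights)."""
    weights = range(1, len(values) + 1)
    return sum(w * v for w, v in zip(weights, values)) / sum(weights)

class HybridDetector:
    def __init__(self, window=5, margin=0.15):
        self.history = {t: deque(maxlen=window) for t in TYPES}  # clean baseline only
        self.margin = margin          # assumed tolerance added to the predicted share
        self.feature_library = set()  # misuse features learned from anomalies

    @staticmethod
    def signature(props):
        # Assumed feature encoding: proportion distribution quantised to 10% steps.
        return tuple(round(props[t] * 10) for t in TYPES)

    def inspect(self, counts):
        props = proportions(counts)
        sig = self.signature(props)
        # Stage 1, misuse detection: exact match against the feature library.
        if sig in self.feature_library:
            return "misuse-alarm"
        # Stage 2, anomaly detection: compare each share with its predicted threshold.
        ready = all(len(h) == h.maxlen for h in self.history.values())
        if ready and any(props[t] > sliding_weighted_average(self.history[t]) + self.margin
                         for t in TYPES):
            self.feature_library.add(sig)  # excerpt the anomaly as a misuse feature
            return "anomaly-alarm"
        # Only non-anomalous intervals extend the baseline.
        for t in TYPES:
            self.history[t].append(props[t])
        return "normal"

def run(intervals):
    det = HybridDetector()
    return [det.inspect(c) for c in intervals]

# Constructed per-second packet counts: five clean intervals, then a SYN-heavy burst twice.
CLEAN = {"tcp_syn": 50, "tcp_other": 800, "udp": 130, "icmp": 20}
BURST = {"tcp_syn": 9000, "tcp_other": 800, "udp": 130, "icmp": 20}
SAMPLE = [CLEAN] * 5 + [BURST, BURST, CLEAN]
```

The first burst interval is caught by the anomaly stage and the second by the misuse stage, which mirrors the shift from anomaly detection to misuse detection described in paragraph [0022].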


Abstract

The invention relates to the technical field of computer network security, in particular to a promiscuous mode-based DDoS (Distributed Denial of Service) attack detection method and device. In the method, traffic in a DDoS database is examined using dual-scale statistics on messages and flows, in a promiscuous mode that combines misuse detection with anomaly detection, and a DDoS attack warning message is generated. The detection device comprises a flow monitoring module, the DDoS database, a promiscuous detecting module, a warning pushing module and a Web module. A flow copy inlet of the flow monitoring module is connected to an external light split device (optical splitter) and receives the link traffic copied by it; the DDoS database provides tabular information in the database to the promiscuous detecting module through a database interface and also receives and saves the detection results of the promiscuous detecting module; and the promiscuous detecting module is connected to the warning pushing module via a promiscuous detecting module interface.

Description

Technical field

[0001] The invention relates to the technical field of computer network security, in particular to a promiscuous mode-based DDoS attack detection method and detection device.

Background technique

[0002] Among Internet attacks, the DDoS attack has become a popular form of attack that destroys the availability of computer or network resources, and it is one of the most serious threats currently facing the Internet. In recent years, the number of DDoS attacks has been increasing rapidly.

[0003] The ease of launching DDoS attacks leads to their widespread occurrence. According to reports, there are 12,000 DDoS attacks every week around the world. Many famous foreign websites have suffered DDoS attacks. On February 7, 2000, Yahoo, Buy.com, eBay, Amazon, news website CNN and many other websites in the United States were successively attacked by DDoS attacks launched by unidentified hackers, and the system was paralyzed. For ten hours, economic loss...


Application Information

IPC(8): H04L29/06, H04L12/56, H04L12/26
Inventor 陈庶樵张博伊鹏王鹏于婧王保进王雨张风雨程东年赵靓
Owner THE PLA INFORMATION ENG UNIV