
Method for identifying DDoS (distributed denial of service) attack flow

A distributed flow-identification technique, applied in the field of network information security, that addresses the inability of existing approaches to defend effectively against DDoS attacks and respond rapidly, with the effect of avoiding a large number of missed attacks and reducing processing and storage overhead.

Inactive Publication Date: 2011-07-13
GUANGZHOU UNIVERSITY

AI Technical Summary

Problems solved by technology

[0013] Most of these defense methods are deployed at the victim end. At network nodes close to the victim end the attack traffic is very large, and a DDoS attack can still congest the network outside the defense system, or even the defense system itself, so victim-end deployment cannot achieve effective defense against and quick response to DDoS attacks.

Examples


Embodiment Construction

[0027] The implementation of the present invention is further described below with reference to Figure 3, and specifically comprises the following steps:

[0028] (1) Source host attack detection. The source host uses the CUSUM algorithm to detect changes in the number of packets arriving at the destination address, and sends an alarm packet to the router connected to it if suspicious conditions are found.

[0029] The CUSUM algorithm uses the product of the number and size of the source host's data packets as its detection indicator, and detects DDoS attacks at the source host, where traffic changes slowly and the abnormal information and attack characteristics are not obvious. Let $x_{m,n}$ denote the product of the number and size of the data packets reaching destination address $D_m$ within time $n$, and let MaxEx be the expected maximum value of $x_{m,n}$ when there is no network attack. Compute $y_{m,n} = \max(0,\ y_{m,n-1} + x_{m,n} - \mathrm{MaxEx})$, $n = 1, 2, \ldots$, $m = 1, 2, \ldots$, $y_{m}$...
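The recurrence in [0029], as an added example that is not part of the patent text: a per-destination CUSUM run over constructed traffic, contrasted with a memoryless per-interval check. The values of `MAX_EX` and `THRESHOLD`, the start value y = 0, the alarm rule (y above a threshold) and the sample addresses are assumptions, since the page is cut off before it states them.

```python
from collections import defaultdict

MAX_EX = 60_000      # assumed: expected maximum of x[m,n] with no attack
THRESHOLD = 50_000   # assumed alarm level; the page's text is cut off before it

class SourceHostCusum:
    """Tracks y[m,n] = max(0, y[m,n-1] + x[m,n] - MaxEx) per destination m."""

    def __init__(self, max_ex=MAX_EX, threshold=THRESHOLD):
        self.max_ex = max_ex
        self.threshold = threshold
        self.y = defaultdict(int)          # assumed start value y[m,0] = 0

    def observe(self, dst, packets, size):
        """Feed one interval of traffic to dst; True means send an alarm packet."""
        x = packets * size                 # indicator: packet count times size
        self.y[dst] = max(0, self.y[dst] + x - self.max_ex)
        return self.y[dst] > self.threshold

def first_alarms(rows):
    """rows: (n, dst, packets, size). Returns {dst: n of the first alarm}."""
    detector, alarms = SourceHostCusum(), {}
    for n, dst, packets, size in rows:
        if detector.observe(dst, packets, size):
            alarms.setdefault(dst, n)
    return alarms

def per_interval_alarms(rows):
    """Contrast: memoryless check of each interval's excess alone."""
    return {dst for _, dst, packets, size in rows
            if packets * size - MAX_EX > THRESHOLD}

# Constructed traffic, 500-byte packets. 198.51.100.7 sees one short burst;
# 203.0.113.9 sees a slow ramp that never jumps far above MaxEx.
BURST = [80, 150, 60, 90, 85, 70]
RAMP = [100, 130, 140, 150, 160, 170]
ROWS = [(n, dst, pkts, 500)
        for n, (b, r) in enumerate(zip(BURST, RAMP), start=1)
        for dst, pkts in (("198.51.100.7", b), ("203.0.113.9", r))]

if __name__ == "__main__":
    print("CUSUM first alarms:", first_alarms(ROWS))
    print("per-interval alarms:", per_interval_alarms(ROWS))
```

The burst decays back to zero because of the max(0, ...) floor, while the ramp's small excesses accumulate until the statistic crosses the threshold, which is the slowly changing source-end traffic the paragraph describes.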


Abstract

The invention discloses a method for identifying DDoS (distributed denial of service) attack flows. The method adopts a distributed three-level architecture, with an aggregation tree server set up in each autonomous system. The method comprises: performing detection at the source-end host on changes in the number of packets arriving at the destination address and, once a suspicious situation is found, sending an alarm packet to the router connected to the source-end host; at the router, detecting whether an attack or attack spreading exists while determining the number of attacked hosts from the number of local alarm packets received, and, after an attack is detected, sending an alarm packet whose weight is the number of hosts to the local aggregation tree server; each aggregation tree server constructing a weighted aggregation tree subtree from the alarm packets; and the victim-end aggregation tree server constructing the whole weighted aggregation domain tree and identifying DDoS attack flows according to set conditions. Experiments show that the method greatly reduces the processing and storage cost at the victim end of a DDoS attack, and because the router also takes into account the attack situation of the source-end hosts connected to it, a large number of attacks going undetected because of fewer routers can be prevented.

Description

Technical field

[0001] The invention belongs to the field of network information security, and in particular relates to a distributed DDoS attack flow identification method based on an aggregation tree structure.

Background technique

[0002] DDoS attacks usually use hundreds or even thousands of distributed hosts to attack single or multiple targets concurrently, consuming the resources of the target host or the target network and thereby interfering with or completely preventing service to legitimate users. DDoS attacks are easy to launch and difficult to track, which has made them widespread and a serious threat on the Internet. The economic losses they cause rank second among the losses caused by the various network security problems, second only to computer viruses, which rank first.

[0003] The defense against DDoS attacks in the current environment can be broadly divided into: pre-event defense methods based on DDoS detection, mid-event defense method...


Application Information

IPC(8): H04L29/06, H04L29/08
Inventor 谢冬青, 綦科, 周再红, 熊伟
Owner GUANGZHOU UNIVERSITY