Method and system for monitoring DDOS (distributed denial of service) attacks in small flow

A monitoring system and small-traffic technology, applied in transmission systems, digital transmission systems, electrical components, etc., can solve problems such as the inability to detect low-rate DDoS attacks, high implementation costs and low ease of use, so as to prevent denial of service attacks, make up for the high deployment cost and improve the security level.

Active Publication Date: 2012-12-12
CHINA TELECOM CORP LTD

AI Technical Summary

Problems solved by technology

However, in the face of DDoS attacks, an IDS often cannot meet the requirements. The main reasons are:
[0008] First, although an intrusion detection system can detect attacks at the application layer, its basic mechanism is rule-based and requires protocol sessions to be reconstructed. Currently, most DDoS attacks use attack traffic built from legitimate data packets, so it is very difficult for an IDS to detect these attacks effectively. Although some IDS systems can also detect certain protocol anomalies, this requires manual configuration by security experts to take effect, so the implementation cost is high and ease of use is extremely low;
[0009] Second, the high false positive rate of an IDS may itself create a new denial of service, leaving legitimate users unable to access network resources.
[0011] First, the NetFlow data format cannot provide detailed L4-L7 information, and cannot respond to DDoS attacks targeting the application layer;
[0012] Second, out of consideration for the CPU and memory load of the egress router, the NetFlow sampling rate is usually set relatively high, such as 3000:1 or 5000:1. Because of the sampling error, it can only be used to judge network-layer attacks in which a large flow exceeds the preset threshold, so low-rate DDoS attacks cannot be detected and fine-grained security protection cannot be achieved.
[0013] Through the above analysis, the industry still lacks an effective method for monitoring small-traffic DDOS attacks.

Examples

Embodiment Construction

[0029] The present invention performs baseline analysis, component analysis, and traffic similarity analysis; once a threshold alarm occurs after matching against these three models, it is determined that a DDOS attack has occurred. After a DDOS attack occurs, AAA can also use the source address to perform a PPP disconnection on the mobile terminal with the corresponding IMSI number, so as to stop the attack in a timely and effective manner and release the resources on the wireless side. A detailed description is given below in conjunction with the accompanying drawings.

[0030] Figure 1 is a schematic structural diagram of a system for monitoring small-traffic DDOS attacks according to the present invention; the DDOS monitoring system is deployed at the egress of a metropolitan area network.

[0031] The specific structure of the system is shown in Figure 2. It includes a baseline analysis filter, a component analysis filter and a similarity analysis filter, where:...
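One possible reading of the three-filter decision in [0029] and [0031], as an added example that is not code from the patent. The record layout, the thresholds and what each filter measures are assumptions, since the page does not give the filters' internals; all sample data is constructed.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data. A record is (src_ip, protocol, request_signature);
# this layout and all thresholds below are assumptions, not taken from the patent.
HISTORY = [40, 44, 38, 42, 41, 39]   # requests per window under normal use
NORMAL_MIX = {"http": 0.7, "dns": 0.2, "other": 0.1}
NORMAL = ([(f"10.0.0.{i}", "http", f"GET /page{i}") for i in range(28)]
          + [(f"10.0.0.{i}", "dns", f"query{i}") for i in range(28, 36)]
          + [(f"10.0.0.{i}", "other", f"misc{i}") for i in range(36, 40)])
# Low-rate attack: 12 sources, 10 identical requests each.
ATTACK = NORMAL + [(f"10.0.1.{i}", "http", "GET /search?q=a")
                   for i in range(12) for _ in range(10)]
# Flash crowd: same extra volume, but every request is different.
FLASH = NORMAL + [(f"10.0.2.{i}", "http", f"GET /news{i}") for i in range(120)]

def baseline_alarm(count, history, k=3.0):
    """Window request count exceeds the historic mean by k standard deviations."""
    return count > mean(history) + k * pstdev(history)

def component_alarm(flows, normal_mix, max_shift=0.2):
    """Protocol mix drifts from the normal mix (total variation distance)."""
    seen = Counter(proto for _, proto, _ in flows)
    total = sum(seen.values())
    protos = set(seen) | set(normal_mix)
    shift = 0.5 * sum(abs(seen[p] / total - normal_mix.get(p, 0.0)) for p in protos)
    return shift > max_shift

def similarity_alarm(flows, min_share=0.6, min_sources=5):
    """Many distinct sources send requests carrying one identical signature."""
    sig, hits = Counter(s for _, _, s in flows).most_common(1)[0]
    sources = sorted({src for src, _, s in flows if s == sig})
    alarm = hits / len(flows) >= min_share and len(sources) >= min_sources
    return alarm, sources if alarm else []

def detect(flows, history, normal_mix):
    """Report an attack only when all three filters alarm; return suspect sources."""
    if not flows:
        return False, []
    similar, suspects = similarity_alarm(flows)
    hit = (baseline_alarm(len(flows), history)
           and component_alarm(flows, normal_mix) and similar)
    return hit, suspects if hit else []

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("attack", ATTACK), ("flash", FLASH)):
        print(name, detect(window, HISTORY, NORMAL_MIX))
```

The flash-crowd window trips the baseline and component filters but not the similarity filter, so requiring all three keeps it from being reported as an attack.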

Abstract

The invention discloses a method and a system for monitoring small-traffic DDOS (distributed denial of service) attacks. It addresses the problems that existing DDOS attack detection technology is costly, complex to implement, has a high misjudgment rate and cannot respond to DDOS attacks aimed at the application layer, and provides a monitoring scheme that integrates DPI (deep packet inspection) technology. Baseline analysis, component analysis and similarity analysis are used to establish a model of normal use, and characteristics are accurately matched to detect small-traffic attacks and application-layer attacks. Deployment at a single point of an operator network with complete coverage of that network is achieved, and detection accuracy is increased.

Description

Technical field

[0001] The invention belongs to the technical field of mobile Internet security, and in particular relates to a method and a system for monitoring small-traffic DDOS attacks.

Background technique

[0002] A distributed denial of service attack (DDOS for short) attacks the target system simultaneously by controlling multiple machines on the Internet that have relatively weak security defenses, overloading the victim host system or network so that it cannot receive or respond to external requests in a timely manner, thereby achieving denial of service.

[0003] Generally, on broadband networks, a DDOS attack takes the form of creating high-volume useless data, causing network congestion and interrupting network services. At present, most of the websites on the Internet are hosts with high bandwidth. In principle, it is almost impossible to cause any blockage simply by directly sending p...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/26, H04L12/56
Inventor: 陆小铭, 曹维华, 余勇昌, 朱华虹
Owner CHINA TELECOM CORP LTD