Journal article: DoS Attack Detection Based on Classification of Stream Data and Fractal Dimension Analysis (基于流数据分类和分形维分析的DoS攻击检测)

Cited by: 12
Abstract (translated from the Chinese abstract): DoS attack detection is an important topic in intrusion detection systems. To address this pressing problem, the paper combines data-mining, fractal and traffic-classification techniques, analyses the shortcomings of existing network-based DoS detection methods, and proposes an entropy-based attribute-classification mining method together with a fractal-dimension-based DoS detection algorithm, FDD-DoS. FDD-DoS has a training phase and a detection phase. In the training phase it captures the traffic arriving at the server and computes, from the classified traffic, a fractal dimension value and a deviation threshold. In the detection phase it computes the fractal dimension of the traffic in real time; if the deviation from the learned value is smaller than the threshold obtained in training, the stored fractal dimension value is updated (the learning and evolution step), otherwise a DoS attack is reported. FDD-DoS was tested for 8 consecutive weeks on the real network environment cs.scu.edu.cn; using the training results and simulated DoS attacks, the experiments show that the algorithm detects DoS attacks effectively.

Abstract (English, as published): Detecting DoS attacks is an important issue in IDS. Because network traffic is non-stationary, the accuracy of existing methods is poor. To solve this problem, borrowing ideas from data mining and fractal mathematics, this article makes the following contributions: 1) it analyses the flaws of existing methods; 2) it proposes a new fractal-based algorithm, FDD-DoS, that detects DoS attacks from a classification of the web server's traffic. The algorithm has two phases. In the learning phase, FDD-DoS records the access characteristics of normal users and then computes the correlation fractal dimension and a threshold. In the detection phase, FDD-DoS computes the correlation fractal dimension in real time; if the difference between the learned and the observed correlation fractal dimension is less than the threshold, FDD-DoS updates the correlation fractal dimension (evolving through self-learning), otherwise it reports a DoS attack. 3) It implements the FDD-DoS system on Linux and tests it in a real environment. Over 8 weeks of experiments, the correlation fractal dimension and the threshold proved very stable. When a DoS attack was simulated on the real environment cs.scu.edu.cn with bursts of packets, the web server and all connections kept working normally.
Source: Journal of Sichuan University (Engineering Science Edition), 2004, No. 6, pp. 87-92 (6 pages); indexed in EI, CAS and CSCD.
Funding: Specialized Research Fund for the Doctoral Program of Higher Education, Ministry of Education (20020610007); National Natural Science Foundation of China (60473071).
Keywords: DoS attack; fractal dimension; data mining; classification. EI controlled terms: Algorithms; Classification (of information); Data mining; Fractals; Real time systems.
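The two-phase scheme the abstracts describe, as an added Python example that is not the paper's code or the authors' FDD-DoS system. It estimates the fractal dimension of a packet window by box counting (the Liebovitch and Toth estimator) rather than the correlation dimension named in the English abstract; the traffic features (inter-arrival time and packet size mapped to the unit square), the threshold rule (three standard deviations of the training dimensions, floored at MIN_THRESHOLD), the moving-average update used for self-learning, and the sample traffic are all constructed assumptions and not taken from the paper.

```python
"""FDD-DoS-style detector built on the box-counting fractal dimension of a traffic window.

Added illustration, not the paper's code. Assumptions (not from the page):
  - a packet is a (timestamp_seconds, size_bytes) pair;
  - a window maps to 2-D points (normalised inter-arrival time, normalised size);
  - the dimension is estimated by box counting (Liebovitch and Toth), not the
    correlation dimension named in the paper's English abstract;
  - threshold = 3 * std of the training dimensions, floored at MIN_THRESHOLD;
  - self-learning = exponential moving average with weight ALPHA.
"""
import math
import random
from typing import List, Tuple

Packet = Tuple[float, int]

IAT_CAP = 0.1          # seconds; inter-arrival times above this map to x = 1.0 (assumption)
MAX_SIZE = 1500        # bytes; Ethernet MTU, normalises packet size to y in [0, 1]
SCALES = (2, 4, 8, 16)  # grid resolutions (boxes per axis) used in the log-log fit
MIN_THRESHOLD = 0.2    # floor on the deviation threshold (assumption)
ALPHA = 0.1            # weight of a new normal window in the learned dimension (assumption)


def window_points(packets: List[Packet]) -> List[Tuple[float, float]]:
    """Map a packet window to unit-square points (normalised IAT, normalised size)."""
    pts = []
    for (t_prev, _), (t, size) in zip(packets, packets[1:]):
        x = min((t - t_prev) / IAT_CAP, 1.0)
        y = min(size / MAX_SIZE, 1.0)
        pts.append((x, y))
    return pts


def box_counting_dimension(points: List[Tuple[float, float]]) -> float:
    """Least-squares slope of log N(n) against log n, where N(n) is the number of
    occupied boxes when the unit square is cut into an n x n grid."""
    xs, ys = [], []
    for n in SCALES:
        boxes = {(min(int(x * n), n - 1), min(int(y * n), n - 1)) for x, y in points}
        xs.append(math.log(n))
        ys.append(math.log(len(boxes)))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


class FDDDoS:
    """Training phase learns a dimension and a deviation threshold; detection phase
    compares each new window against them and either learns from it or raises an alert."""

    def __init__(self) -> None:
        self.dimension = 0.0
        self.threshold = MIN_THRESHOLD

    def train(self, windows: List[List[Packet]]) -> Tuple[float, float]:
        dims = [box_counting_dimension(window_points(w)) for w in windows]
        mean = sum(dims) / len(dims)
        std = math.sqrt(sum((d - mean) ** 2 for d in dims) / len(dims))
        self.dimension = mean
        self.threshold = max(3 * std, MIN_THRESHOLD)
        return self.dimension, self.threshold

    def detect(self, window: List[Packet]) -> Tuple[bool, float]:
        """Return (is_attack, observed_dimension). Normal windows update the model."""
        d = box_counting_dimension(window_points(window))
        if abs(d - self.dimension) < self.threshold:
            self.dimension = (1 - ALPHA) * self.dimension + ALPHA * d  # self-learning step
            return False, d
        return True, d  # deviation beyond the learned threshold: report DoS


def normal_window(seed: int, n: int = 500) -> List[Packet]:
    """Constructed background traffic: exponential inter-arrivals (mean 20 ms), mixed sizes."""
    rng = random.Random(seed)
    t, pkts = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1 / 0.02)
        pkts.append((t, rng.randint(40, MAX_SIZE)))
    return pkts


def flood_window(seed: int, n: int = 500) -> List[Packet]:
    """Constructed flood: near-constant 0.1 ms spacing, fixed 64-byte packets."""
    rng = random.Random(seed)
    t, pkts = 0.0, []
    for _ in range(n):
        t += 0.0001 + rng.uniform(0, 0.00002)
        pkts.append((t, 64))
    return pkts


if __name__ == "__main__":
    det = FDDDoS()
    dim, thr = det.train([normal_window(s) for s in range(8)])
    print(f"learned dimension {dim:.2f}, threshold {thr:.2f}")
    for name, w in (("normal", normal_window(100)), ("flood", flood_window(101))):
        attack, d = det.detect(w)
        print(f"{name}: dimension {d:.2f} -> {'DoS' if attack else 'ok'}")
```

The constructed background traffic spreads its points over the unit square, so the box count grows with the grid resolution and the fitted dimension sits well above 1; the flood collapses every point into one box at every scale, giving a dimension of 0 and a deviation far above the threshold. Two caveats a deployment would need to address: an attack whose inter-arrival and size distribution mimics normal traffic is invisible to this feature alone, and the self-learning update will follow a slow ramp whose per-window deviation stays under the threshold, so the learned dimension should be bounded or re-anchored to the training value.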
References (11 listed by the page; 10 recovered)

  • 1 Kent S. Security Architecture for the Internet Protocol. RFC 2401, Nov 1998.
  • 2 Ioannidis J, Bellovin S. Implementing pushback: router-based defense against DDoS attacks. Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, California, February 2002.
  • 3 Habib A, Hefeeda M, Bhargava B. Detecting service violations and DoS attacks. CERIAS Tech Report TR 2002-15.
  • 4 Ptacek T H, Newsham T N. Insertion, evasion, and denial of service: eluding network intrusion detection. January 1998. http://citeseer.ist.psu.edu/ptacek98insertion.html
  • 5 Mahoney M V, Chan P K. Learning nonstationary models of normal network traffic for detecting novel attacks. Proceedings of KDD'02, Edmonton, Alberta, Canada, July 2002: 376-385.
  • 6 Axelsson S. The base-rate fallacy and its implications for the difficulty of intrusion detection. Proceedings of the 6th ACM Conference on Computer and Communications Security, Singapore, 1999: 1-7.
  • 7 Leland W E, Taqqu M S, Willinger W, et al. On the self-similar nature of Ethernet traffic. Proceedings of ACM SIGCOMM'93, San Francisco, California, August 1993: 183-193.
  • 8 Han J, Kamber M. Data Mining: Concepts and Techniques. San Francisco: Morgan Kaufmann, 2001: 81-93.
  • 9 Liebovitch L S, Toth T. A fast algorithm to determine fractal dimensions by box counting. Physics Letters A, 1989, 141(8): 386-390.
  • 10 Moore D, Voelker G M, Savage S. Inferring Internet denial-of-service activity. Proceedings of the 10th USENIX Security Symposium, Washington, D.C., USA, 2001: 9-22.

Citation metrics: co-cited references 1; co-citing references 88; citing articles 12; second-level citing articles 63.
