Abstract
Based on the relationship among the three TCP segment types Syn, Fin and Rst, this paper proposes a new method for detecting SynFlood attacks. The relationship among Syn, Fin and Rst is mapped into Euclidean space: the relationship observed in a given time period is mapped to a point, and the relationship that holds when no attack is present is mapped to a line. The distance between the point and the line is analyzed to detect SynFlood attacks, and a moving average is applied to smooth that distance in order to improve detection efficiency and accuracy. Experimental results show that the method detects both direct and reflective SynFlood attacks with good accuracy, produces a low false alarm rate, and has a high packet-processing capacity, so it can be deployed on the backbone routers of medium and large networks.
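Source
Computer Science (《计算机科学》)
CSCD
Peking University Core Journal
2011, Issue 12, pp. 82-87 (6 pages)
Funding
Supported by the National Natural Science Foundation of China (60873030)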
Keywords
SynFlood attack; distance in Euclidean space; deviation; moving average; attack discriminant value
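The point-to-line test described in the abstract, as an added example that is not the paper's code. Assumptions: the attack-free line passes through the origin and is fitted from baseline windows, the threshold rule and window length `k` are hypothetical, and all counts are constructed; the paper's own line equation and attack discriminant value are not given on this page.

```python
import math

def fit_line(baseline):
    """Unit direction of a line through the origin fitted to attack-free
    (syn, fin, rst) points. Assumption: the page does not give the line."""
    s = [sum(p[i] for p in baseline) for i in range(3)]
    n = math.sqrt(sum(c * c for c in s))
    return tuple(c / n for c in s)

def distance_to_line(p, u):
    """Euclidean distance from point p to the line {t*u : t real}."""
    t = sum(a * b for a, b in zip(p, u))            # projection length
    return math.sqrt(sum((a - t * b) ** 2 for a, b in zip(p, u)))

def moving_average(values, k):
    """Trailing moving average over the last k values (shorter at start)."""
    out = []
    for i in range(len(values)):
        w = values[max(0, i - k + 1): i + 1]
        out.append(sum(w) / len(w))
    return out

def detect(windows, baseline, k=3, factor=3.0):
    """Flag windows whose smoothed distance exceeds a threshold.
    Hypothetical rule: factor * largest distance seen in the baseline."""
    u = fit_line(baseline)
    threshold = factor * max(distance_to_line(p, u) for p in baseline)
    smoothed = moving_average([distance_to_line(p, u) for p in windows], k)
    return [d > threshold for d in smoothed], smoothed, threshold

# Constructed per-window counts of (Syn, Fin, Rst) segments.
BASELINE = [(100, 90, 10), (120, 105, 14), (80, 73, 8), (110, 98, 11)]
WINDOWS = [
    (105, 94, 11), (115, 101, 13),   # normal traffic
    (130, 100, 12),                  # one-window benign burst
    (108, 96, 11), (100, 90, 10),    # normal traffic
    (900, 95, 12), (1500, 90, 10),   # Syn far exceeds Fin + Rst
]

if __name__ == "__main__":
    flags, smoothed, threshold = detect(WINDOWS, BASELINE)
    for w, d, f in zip(WINDOWS, smoothed, flags):
        print(w, round(d, 2), "ALERT" if f else "ok")
```

The benign burst in the third window exceeds the threshold on its raw distance but not after smoothing, which is the false-alarm reduction the abstract attributes to the moving average.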