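Abstract
To improve the effectiveness, timeliness and accuracy of defense against application-layer distributed denial of service (DDoS) attacks, the evolution and patterns of application-layer DDoS attacks, together with attackers' attack paths and attack behavior, are studied in depth. A defense detection model based on Web access paths is proposed. Based on access path trajectories, attack behavior characteristics and the website's link rules, five anomaly detection models are established: request path, request distribution, path loop, behavior time slot and path length. By calculating the normal values of legitimate users accessing the website and the degree to which the real-time anomaly values of users exhibiting attack behavior deviate from them, it can be determined whether an application-layer DDoS attack is under way. The defense module selects the best defense strategy according to the size of a user's illegal value, resisting application-layer DDoS attacks and achieving website data security and computer security. The experiment uses real log data for training and launches five different types of application-layer DDoS attacks against an experimental website. The results show that the defense detection model can accurately identify users exhibiting attack behavior within a short time and, combined with the defense module, resist DDoS attacks against the Web server, achieving real-time detection and real-time defense and effectively reducing the false alarm rate. The proposed detection model can monitor path length, which improves the accuracy and reliability of anomaly determination and effectively improves a website's ability to defend against DDoS attacks.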
To improve the effectiveness and timeliness of defense against application-layer distributed denial of service (DDoS) attacks, the evolution and modes of application-layer DDoS attacks, as well as the attack paths and behavior of attackers, are explored in depth. A defense detection model based on Web access paths is proposed. According to access path trajectory, attack behavior characteristics and website link rules, five anomaly detection models are established: request path, request distribution, path loop, behavior slot and path length. By calculating the normal values of legitimate users accessing the website and the degree of deviation of the real-time outlier values of users with attack behavior, the model can determine whether the site is under an application-layer DDoS attack. To improve the accuracy of detection, the defense module chooses the best defense strategy according to the size of the user's illegal value, resists application-layer DDoS attacks, and achieves website data security and computer security. The experiment is trained with real log data, and five different types of application-layer DDoS attacks are launched against an experimental website. The results show that the defense detection model can accurately identify users with attack behavior in a short time and, combined with the defense module, defends a specific website against application-layer DDoS attacks, realizing real-time detection and real-time defense, with a significantly reduced false alarm rate.
Authors
任皓
许向阳
马金龙
张志浩
REN Hao; XU Xiangyang; MA Jinlong; ZHANG Zhihao (School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018, China; School of Electrical and Control Engineering, North China Institute of Aerospace Engineering, Langfang, Hebei 065000, China)
Source
Journal of Hebei University of Science and Technology (《河北科技大学学报》)
CAS
2019, Issue 5, pp. 404-413 (10 pages)
Funding
Humanities and Social Sciences Fund of the Ministry of Education (19YJAZH069)
Keywords
data security and computer security
application layer
distributed denial of service
access path
anomaly detection
attack behaviors