Application layer DDoS attack detection and defense method based on multiple feature entropies

An attack detection and multi-feature technology, applied in the fields of electrical components, transmission systems, etc., that addresses problems such as single-dimension detection and failure to consider resource consumption.

Inactive Publication Date: 2019-12-20
SOUTHEAST UNIV +1
12 Cites, 4 Cited by

AI Technical Summary

Problems solved by technology

[0018] The detection methods described above, which suit network-layer DDoS attacks, are not applicable to application-layer DDoS attacks, which are more concealed and more aggressive. In addition, detection based on an entropy model uses only a single dimension, the difference between burst traffic and abnormal traffic is not taken into account, and resource consumption is not considered in application-layer attack detection methods. To address these problems, the present invention builds an application-layer DDoS attack detection method on a self-designed multi-feature entropy model. It provides real-time load monitoring and abnormal connection detection for network servers of different scales, ensuring that the server can effectively detect application-layer DDoS attacks in real time.

Examples

Embodiment Construction

[0039] The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments:

[0040] Based on a self-designed server connection-request load slope algorithm and a self-designed multi-feature entropy harmonic average algorithm, the present invention provides an application-layer DDoS attack detection method for network servers. The invention can run on the server as a separate module, independent of the server's normal business. It monitors in real time the consumption of server memory and CPU resources by application-layer connection requests, and makes a preliminary decision, based on a dynamic threshold, as to whether an application-layer DDoS attack is present. On this basis, the final decision is made by taking the harmonic average of the multi-feature entropy values of the connection features over multiple time windows, so as to effectively detect application-l...

Abstract

The invention discloses an application layer DDoS attack detection and defense method based on multiple feature entropies. The method comprises an application layer connection feature preprocessing module, a multi-time-window resource monitoring module based on inclination calculation, and a multi-feature-entropy harmonic average calculation decision module. The application layer connection feature preprocessing module counts URI resources and sets a resource consumption table, and performs multi-feature decomposition and preprocessing on the connection request in the log to generate a connection feature log; a multi-time-window resource monitoring module based on inclination calculation monitors the total connection and the total load capacity change of servers in a plurality of time windows in real time; and the multi-feature entropy harmonic average calculation decision module calculates a multi-feature entropy harmonic average vector norm, and judges whether an application layer DDoS attack exists or not by comparing an initial threshold value. The method has the advantages that real-time load monitoring and abnormal connection detection can be provided for the servers according to network servers of different scales, and it is guaranteed that the servers can effectively detect DDoS attacks on an application layer in real time.
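The decision stage described in the abstract, as an added example that is not taken from the patent or its authors: per-window Shannon entropy of each connection feature, the harmonic mean of those entropies across windows, and the norm of the resulting vector checked against a threshold. The feature set, the window length, the comparison against a baseline norm and the sample records are assumptions constructed for this example; the resource monitoring stage is not shown.

```python
import math
from collections import Counter, defaultdict

FEATURES = ("src_ip", "uri", "user_agent")  # assumed feature set, not from the patent

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def harmonic_mean(xs):
    """Harmonic mean; defined as 0 when any window has zero entropy."""
    if any(x == 0 for x in xs):
        return 0.0
    return len(xs) / sum(1.0 / x for x in xs)

def entropy_norm(records, window_s):
    """Euclidean norm of the per-feature harmonic-mean entropy vector."""
    windows = defaultdict(list)
    for rec in records:
        windows[rec["ts"] // window_s].append(rec)  # fixed, non-overlapping windows
    vector = []
    for feat in FEATURES:
        per_window = [shannon_entropy(r[feat] for r in recs)
                      for _, recs in sorted(windows.items())]
        vector.append(harmonic_mean(per_window))
    return math.sqrt(sum(v * v for v in vector))

def is_attack(records, baseline_norm, threshold, window_s=10):
    """Assumed rule: flag when the norm departs from the baseline by > threshold."""
    return abs(entropy_norm(records, window_s) - baseline_norm) > threshold

def make_window(start_ts, n, ips, uris, agents):
    """Constructed sample traffic: n requests cycling through the given value counts."""
    return [{"ts": start_ts + i % 10, "src_ip": f"192.0.2.{i % ips}",
             "uri": f"/page{i % uris}", "user_agent": f"ua{i % agents}"}
            for i in range(n)]

# Constructed data: two normal windows, then two windows hammering a single URI.
NORMAL = make_window(0, 8, 8, 4, 2) + make_window(10, 8, 8, 4, 2)
ATTACK = make_window(0, 16, 4, 1, 1) + make_window(10, 16, 4, 1, 1)
BASELINE = entropy_norm(NORMAL, 10)  # entropies (3, 2, 1) bits per feature
```

With these constructed records the URI and user-agent entropies collapse to zero during the flood, so the norm falls from the baseline to the source-address component alone.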

Description

Technical field

[0001] The invention relates to the field of computer network communication and network security, in particular to an application layer DDoS attack detection and defense method based on multi-feature entropy.

Background technique

[0002] Network traffic data is composed of numerous discrete information sources. Entropy can effectively measure changes in the distribution of system parameters, and can describe long-term random processes and the distribution of network traffic in certain dimensions. Many researchers at home and abroad have used entropy theory to propose a variety of anomaly detection schemes. The main idea of an entropy-based anomaly detection system is that once an anomaly occurs, the entropy value of the overall traffic changes accordingly, and the anomaly is detected through that change. Distributed denial of service (DDoS) attacks have always been one of the most serious threats faced by Internet service provi...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1425, H04L63/1458
Inventor: 蒋睿, 朱普明, 裴蓓
Owner: SOUTHEAST UNIV