
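Source-End Detection Method for SYN Flooding Based on Time Series Analysis
Cite this article: WANG Zhao-hui, SU Yang. Source-end detection method for SYN Flooding based on time series analysis[J]. Application Research of Computers, 2012, 29(6): 2249-2252
Authors: WANG Zhao-hui, SU Yang
Affiliation: Key Laboratory of Network and Information Security of the Armed Police Force, Department of Electronic Technology, Engineering University of the Armed Police Force, Xi'an 710086
Funding: Natural Science Foundation of Shaanxi Province (2010JM8034); Engineering University of the Armed Police Force Foundation (wjy201027)
Abstract: A method is proposed for detecting SYN Flooding attacks at the source end based on time series analysis. The method monitors and forecasts network traffic at the source end to determine whether a SYN Flooding attack has occurred, giving the victim end a basis for a timely response. Exploiting the self-similarity of attack traffic, it uses a Bloom Filter to extract characteristic information from the data flows, constructs a network traffic time series, and builds an auto-regressive forecasting model. It raises an early warning by dynamically forecasting network traffic and comparing the forecast with a preset threshold, so that a response can be made in advance. Simulation results show that the method accurately counts the occurrences of packets and of packets from new source IPs in the network, achieves a good detection rate and a low false alarm rate, and predicts the network traffic of the next time period, or even several periods, fairly accurately, providing strong data support for effective defense against SYN Flooding attacks.

Keywords: time series; Bloom Filter; auto-regressive model; SYN Flooding; source end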

Detection method against SYN Flooding attacks based on source end by analysis of time series
WANG Zhao-hui,SU Yang. Detection method against SYN Flooding attacks based on source end by analysis of time series[J]. Application Research of Computers, 2012, 29(6): 2249-2252
Authors: WANG Zhao-hui, SU Yang
Affiliation: Key Laboratory of Network & Information Security of APF, Dept. of Electronic, Engineering University of APF, Xi'an 710086, China
Abstract: This paper proposes a method of detecting DDoS attacks at the source end by analyzing abrupt changes in time series data. By detecting and predicting the data flow in the Internet at the source end, the method can judge whether SYN Flooding has occurred, providing a basis for the victim end. It extracts the characteristic information of the data flow by using the self-similarity of network traffic and the Bloom Filter algorithm, so that it can construct the time series of the network traffic and build an auto-regressive (AR) forecasting model. By dynamically forecasting the traffic flow and comparing it with a preset threshold, a pre-alert is sent and a response is adopted in advance. The experimental results show that the scheme can count the number of data packets and the number of new-IP data packets, with a good detection rate and a low false alarm rate. In addition, it can correctly predict the traffic flow in the next period or even several periods, which provides strong support for effectively defending against SYN Flooding attacks.
Keywords: time series; Bloom Filter; auto-regressive model; SYN Flooding; source end
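
The pipeline the abstract describes (Bloom Filter counting of new source IPs, a traffic time series, an AR forecast compared with a threshold), as an added sketch that is not the paper's own code. The filter size, AR order 2, Yule-Walker fitting, the threshold of 20 and the sample traffic are all assumptions, since the abstract gives no parameters.

```python
import hashlib

class BloomFilter:  # membership sketch: no false negatives, rare false positives
    def __init__(self, m_bits=1 << 16, k=4):           # sizes are assumptions
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def add_if_new(self, item):
        h = hashlib.sha256(item.encode()).digest()
        a, b = int.from_bytes(h[:8], "big"), int.from_bytes(h[8:16], "big") | 1
        pos = [(a + i * b) % self.m for i in range(self.k)]  # double hashing
        new = not all(self.bits[p >> 3] >> (p & 7) & 1 for p in pos)
        for p in pos:
            self.bits[p >> 3] |= 1 << (p & 7)
        return new

def new_source_series(intervals, bf):
    """Per interval, count SYN source IPs the filter has not seen before."""
    return [sum(bf.add_if_new(ip) for ip in iv) for iv in intervals]

def fit_ar(x, p):
    """Yule-Walker AR(p) fit via Levinson-Durbin; returns (mean, coefficients)."""
    n, mu = len(x), sum(x) / len(x)
    d = [v - mu for v in x]
    r = [sum(d[i] * d[i + k] for i in range(n - k)) / n for k in range(p + 1)]
    phi, err = [], r[0]
    for k in range(1, p + 1):
        if err <= 1e-12:                                # constant history
            break
        ref = (r[k] - sum(phi[j] * r[k - 1 - j] for j in range(k - 1))) / err
        phi = [phi[j] - ref * phi[k - 2 - j] for j in range(k - 1)] + [ref]
        err *= 1 - ref * ref
    return mu, phi

def forecast_next(x, p=2):
    mu, phi = fit_ar(x, p)
    return mu + sum(c * (x[-1 - i] - mu) for i, c in enumerate(phi))

def detect(series, threshold, p=2, warmup=6):
    """Intervals t whose one-step forecast (from series[:t]) exceeds threshold."""
    return [t for t in range(warmup, len(series) + 1)
            if forecast_next(series[:t], p) > threshold]

def sample_intervals():  # constructed traffic: 8 quiet intervals, then a surge
    counts, n, out = [5, 6, 5, 7, 6, 5, 6, 5, 30, 60, 90], 0, []
    for c in counts:
        out.append([f"198.51.100.{n + i}" for i in range(c)] + ["198.51.100.0"] * 2)
        n += c
    return out

if __name__ == "__main__":
    series = new_source_series(sample_intervals(), BloomFilter())
    print(series, detect(series, threshold=20))
```

Because the model is refitted on history that already contains the surge, the forecast lags the observed counts; a deployment would fit on known-clean traffic and tune the threshold against its own baseline.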
This article is indexed by CNKI, Wanfang Data and other databases.