摘要
Distributed Denial of Service (DDoS) attack is a major threat to the availability of Web service. The inherent presence of self-similarity in Web traffic motivates the applicability of time series analysis in the study of the burst feature of DDoS attack. This paper presents a method of detecting DDoS attacks against Web server by analyzing the abrupt change of time series data obtained from Web traffic. Time series data are specified in reference sliding window and test sliding window, and the abrupt change is modeled using Auto-Regressive (AR) process. By comparing two adjacent nonoverlapping windows of the time series, the attack traffic could be detected at a time point. Combined with alarm correlation and location correlation, not only the presence of DDoS attack, but also its occurring time and location can be deter mined. The experimental results in a test environment are illustrated to justify our method.
Distributed Denial of Service (DDoS) attack is a major threat to the availability of Web service. The inherent presence of self-similarity in Web traffic motivates the applicability of time series analysis in the study of the burst feature of DDoS attack. This paper presents a method of detecting DDoS attacks against Web server by analyzing the abrupt change of time series data obtained from Web traffic. Time series data are specified in reference sliding window and test sliding window, and the abrupt change is modeled using Auto-Regressive (AR) process. By comparing two adjacent nonoverlapping windows of the time series, the attack traffic could be detected at a time point. Combined with alarm correlation and location correlation, not only the presence of DDoS attack, but also its occurring time and location can be deter mined. The experimental results in a test environment are illustrated to justify our method.
基金
Supported by the National Natural Science Funda-tion of China (60373075)
