DDoS Attack Situation Information Fusion Method Based on Dempster-Shafer Evidence Theory

摘要

Distributed Denial of Service (DDoS) attacks have caused great damage to the network environment and its services. However, the currently existing single point detection methods for DDoS attack cannot achieve satisfying results. This paper proposes a DDoS attack situation information fusion method based on Dempster-Shafer evidence theory (DS). Firstly, according to the statistics of IP traffic packet, destination IP address data packet, and destination port, the traffic threat value and the traffic weight value based on the target IP address are respectively calculated to indicate the possibility of being attacked and the impact on the network when the attack is performed. Then, the above values were fused to obtain the DDoS attack fusion feature (Network Flow Combination Relevance, CR) to accurately provide an evaluable network situation before and after the attack. Finally, based on the above CR values, a DDoS attack feature fusion model was developed. Combined with DS evidence theory, the network security situation value was given to evaluate the probability of DDoS attack. The experimental results show that compared with similar methods, the proposed method can provide evaluable forecast for potential DDoS attack threats, improve the situational awareness of DDoS attacks, and reduce false alarm rate, missing alarm rate and total error rate.