网络流单边连接密度的时间序列分析

检测分布式拒绝服务（DDoS）攻击的困难性在于攻击数据包与正常数据包并无本质上的区别，为了正确识别DDoS，需要找到它与正常流的根本区别。使用虚假源IP地址的攻击包能够耗尽目标主机的网络带宽和系统资源，却无法与目标机建立完整的双向通信。因此，用于直观反映网络流异常的单边连接密度(OWCD)概念被提出并用于识别DDoS攻击，同时对OWCD的时间序列的进行了分析，揭示了OWCD序列的性质，为利用这个指标来进行DDoS检测提供依据。实验表明，OWCD能直观地区分正常流和攻击流，其序列为白噪声序列，能够作为DDoS检测的独立指标。OWCD序列不仅能够检测DDoS攻击，还能反映攻击强度。

Time Series Analysis for One-Way Connection Density of Network Flow

It is a critical problem to detect distributed denial service(DDoS) attack with low false positive and negative in Internet.However,precisely detecting DDoS attack is very difficult,because there isn't an essential difference between attack flow and normal flow.Attack packets with spoofing source IP address,consuming out bandwidth and system resources of destination hosts,can't build a two-way connection with destination.From this view,a new conception to reflect the exception of network flow,One-Way Connection Density(OWCD),which can detect DDoS attack,was proposed.In order to understand the characters of OWCD series,the time series analysis of OWCD series was studied and the OWCD was used to detect DDoS.Experiments showed that OWCD series is a white noise series.It can not only detect DDoS attack,but also indicate attack intensity.