基于Web行为轨迹的应用层DDoS攻击防御模型

为了有效防御应用层分布式拒绝服务攻击（DDoS），定义了一种搭建在Web应用服务器上的基于Web行为轨迹的防御模型。把用户的访问行为抽象为Web行为轨迹，根据攻击请求的生成方式与用户访问Web页面的行为特征，定义了四种异常因素，分别为访问依赖异常、行为速率异常、轨迹重复异常、轨迹偏离异常。采用行为轨迹化简算法简化行为轨迹的计算，然后计算用户正常访问网站时和攻击访问时产生的异常因素的偏离值，来检测针对Web网站的分布式拒绝服务攻击，在检测出某用户产生攻击请求时，防御模型禁止该用户访问来防御DDoS。实验采用真实数据当作训练集，在模拟不同种类攻击请求下，防御模型短时间识别出攻击并且采取防御机制抵制。实验结果表明，Web行为轨迹的防御模型能够有效防御针对Web网站的分布式拒绝服务攻击。

Application-layer DDoS defense model based on Web behavior trajectory

To defense application-layer Distributed Denial of Service (DDoS) built on the normal network layer, a defense model based on Web behavior trajectory in the Web application server was constructed. User's access behavior was abstracted into Web behavior trajectory, and according to the generation approach about attack request as well as behavior characteristics of user access to Web pages, four kinds of suspicion were defined, including access dependency suspicion, behavior rate suspicion, trajectory similarity suspicion, and trajectory deviation suspicion. The deviation values between normal sessions and attack sessions were calculated to detect the application-layer DDoS to a specific website. The defense model prohibited the user access from DDoS when detecting the attack request generated by the user. In the experiment, real data was acted as the training set. Then, through simulating different kinds of attack request, the defense model could identify the attack request and take the defense mechanism against the attack. The experimental results demonstrate that the model can detect and defense the application-layer DDoS to a specific website.