@techreport{oai:ipsj.ixsq.nii.ac.jp:00195784,
  author = {林, 裕平 and 鈴木, 彦文 and 西岡, 孟朗 and Yuhei, Hayashi and Hikofumi, Suzuki and Takeaki, Nishioka},
  issue = {12},
  month = {May},
  note = {In recent years, sophisticated attacks that abuse L3 and L4 protocols to carry out DDoS in pulses have newly been observed. Because such an attack repeats short bursts, the time-averaged bandwidth of the observed attack traffic can appear small. Meanwhile, forwarding devices such as routers are already widely deployed in networks, so if the latest DDoS attacks could be detected from the flow information obtained via NetFlow and similar mechanisms, the level of DDoS countermeasures could be raised economically and quickly. In this context, prior work detects DDoS attacks by computing bandwidth from flow information and combining it with machine learning. However, these methods have difficulty detecting attacks when the bandwidth of the attack traffic is small and shows no significant difference from that of normal traffic. To address this problem, this study proposes a feature that makes low-bandwidth L3/L4 DDoS attacks detectable, together with a fast method for computing it. The feature is based on the observation that the distribution of the number of 5-tuple flows contained in a 3-tuple flow defined by (src_ip, dst_ip, dst_port) differs between normal traffic and attack traffic. We computed the feature on traffic data captured while low-bandwidth attacks were launched with an attack tool against the Shinshu University network, and on traffic data published by WIDE, and evaluated the attack detection accuracy when the feature is combined with Local Outline Filter (LOF). The evaluation showed that the proposed feature can detect attacks while keeping both the false negative rate and the false positive rate low.
  Recently, new sophisticated attacks such as pulse-wave DDoS have been observed. The DDoS attack repeats short-duration attacks, so the time-averaged bandwidth of the attack traffic can be observed as low rate. On the other hand, routers are already deployed in networks and can export traffic flow information using NetFlow etc. The level of DDoS countermeasures can be raised economically and quickly if the attacks can be detected from the flow information. Some researchers have proposed detecting DDoS attacks by calculating bandwidth from the flow information and combining it with machine learning. However, in the case where the bandwidth of the attack is low, so that there is no significant difference between attack traffic and normal traffic in terms of bandwidth, the conventional approach is not effective. To make up for this disadvantage of the conventional method, we propose a new feature value and a fast calculation method for it, for detecting low-bandwidth L3, L4 DDoS attacks. This feature value is based on the consideration that the number of 5-tuple flows existing in a 3-tuple flow defined by (src_ip, dst_ip, dst_port) differs between normal traffic and attack traffic. In addition, we evaluated attack detection accuracy when our proposed feature value and Local Outline Filter (LOF) are combined. For the evaluation, we used a dataset obtained by carrying out attacks on the Shinshu University network. We also used a dataset obtained at the transit link of WIDE. The evaluation results show that the proposed feature value is effective for detecting low-bandwidth L3, L4 attacks while suppressing false negatives and false positives.},
  title = {3-tupleフロー中の5-tupleフロー数による低帯域L3,L4DDoS検知特徴量 [A feature for low-bandwidth L3/L4 DDoS detection based on the number of 5-tuple flows within a 3-tuple flow]},
  year = {2019}
}