Journal of Zhejiang University (Engineering Science)  2020, Vol. 54 Issue (4): 704-711    DOI: 10.3785/j.issn.1008-973X.2020.04.009
Computer Technology, Information Engineering
Early warning model of DDoS attack situation based on adaptive threshold
Yi-han LUO1, Jie-ren CHENG1,2,*, Xiang-yan TANG1, Ming-wang OU1, Tian WANG1
1. School of Computer and Cyberspace Security, Hainan University, Haikou 570228, China
2. State Key Laboratory of Marine Resource Utilization in South China Sea, Hainan University, Haikou 570228, China
Abstract:

Distributed denial of service (DDoS) attack situation early warning technology was studied in order to accurately identify the DDoS attack situation warning level. The logical structure of a DDoS attack situation early warning model was designed, and the regional network security vulnerability factor (SVF) was defined. A DDoS attack situation early warning model based on a dynamic adaptive threshold was then proposed, built on a long short-term memory (LSTM) traffic prediction model and the SVF. The IP-data-counts feature (IPDCF) was extracted, and the IPDCF sequence was modeled with the LSTM prediction model to predict the normal traffic flow. The early warning threshold and the early warning interval were calculated dynamically in real time from the prediction results and the SVF, and the situation warning level was set from the early warning threshold and the early warning interval. The experimental results show that the model can warn of the DDoS attack situation in real time and effectively, and accurately identify the DDoS attack situation security level.

Key words: distributed denial of service (DDoS); attack situation; early warning model; long short-term memory (LSTM); adaptive threshold
Received: 2019-01-26    Published: 2020-04-05
CLC: TP 393
Funding: National Natural Science Foundation of China (61762033); Natural Science Foundation of Hainan Province (2019RC041, 2019RC098)
Corresponding author: Jie-ren CHENG    E-mail: lyhphonbe@163.com; cjr22@163.com
About the first author: Yi-han LUO (born 1992), female, master's student, researching artificial intelligence and network security. E-mail: lyhphonbe@163.com

Cite this article:

Yi-han LUO, Jie-ren CHENG, Xiang-yan TANG, Ming-wang OU, Tian WANG. Early warning model of DDoS attack situation based on adaptive threshold. Journal of Zhejiang University (Engineering Science), 2020, 54(4): 704-711.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2020.04.009
http://www.zjujournals.com/eng/CN/Y2020/V54/I4/704

Fig. 1  Logical structure of the DDoS attack situation early warning model
Fig. 2  LSTM neural network diagram
Fig. 3  Architecture of the DDoS attack situation early warning system
Fig. 4  Comparison of actual data and predicted data
Fig. 5  Situation warning effect for the 1st simulated attack
Fig. 6  Situation warning effect for the 2nd simulated attack
Fig. 7  Situation warning effect for the 3rd simulated attack
Fig. 8  Situation warning effect for the 4th simulated attack
| Experiment | Attack time | Security vulnerability factor | Predicted value | Real-time monitored value | Threshold | Threshold interval | Warning level |
|---|---|---|---|---|---|---|---|
| Attack 1 | Minute 36 | 0.6 | 1 680 | 5 142 | 3 920 | 1 120 | Level 2 |
| Attack 1 | Minute 37 | 0.6 | 2 223 | 7 601 | 5 187 | 1 482 | Level 2 |
| Attack 2 | Minute 45 | 0.6 | 1 976 | 10 095 | 4 611 | 1 317 | Level 4 |
| Attack 3 | Minute 14 | 0.6 | 1 696 | 6 000 | 3 957 | 1 130 | Level 2 |
| Attack 3 | Minute 15 | 0.6 | 2 314 | 5 699 | 5 399 | 1 542 | Level 1 |
| Attack 3 | Minute 37 | 0.6 | 2 074 | 8 880 | 4 839 | 1 383 | Level 3 |
| Attack 3 | Minute 38 | 0.6 | 2 442 | 14 000 | 5 698 | 1 628 | Level 4 |
| Attack 4 | Minute 19 | 0.6 | 1 672 | 6 888 | 3 901 | 1 115 | Level 3 |
| Attack 4 | Minute 20 | 0.6 | 1 872 | 9 936 | 4 368 | 1 248 | Level 4 |

Table 1  DDoS attack warning results with the dynamic adaptive threshold
| Experiment | Attack time | Predicted value | Real-time monitored value | Threshold | Warning |
|---|---|---|---|---|---|
| Attack 1 | Minute 36 | 1 680 | 5 142 | 5 928 | No attack |
| Attack 1 | Minute 37 | 2 223 | 7 601 | 5 928 | Attack warning |
| Attack 2 | Minute 45 | 1 976 | 10 095 | 4 934 | Attack warning |
| Attack 3 | Minute 14 | 1 696 | 6 000 | 5 750 | Attack warning |
| Attack 3 | Minute 15 | 2 314 | 5 699 | 5 750 | No attack |
| Attack 3 | Minute 37 | 2 074 | 8 880 | 5 650 | Attack warning |
| Attack 3 | Minute 38 | 2 442 | 14 000 | 5 650 | Attack warning |
| Attack 4 | Minute 19 | 1 672 | 6 888 | 4 578 | Attack warning |
| Attack 4 | Minute 20 | 1 872 | 9 936 | 4 578 | Attack warning |

Table 2  DDoS attack warning results without the adaptive threshold
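The following is an added example, not code from the paper: it replays the decisions in Table 1 (adaptive threshold and interval) and Table 2 (one fixed threshold) on the values printed above, and lists the rows where the fixed threshold reports no attack while the adaptive model already escalates. The level rule it uses is an assumption inferred from the nine rows of Table 1; the paper's exact formula is not on this page.

```python
# Added example: replay the warning decisions of Tables 1 and 2.
# The level rule in adaptive_level() is an ASSUMPTION inferred from
# Table 1's rows, not a formula quoted from the paper.

# One entry per table row, constructed from Tables 1 and 2 on this page:
# (experiment, attack minute, predicted, monitored,
#  adaptive threshold, threshold interval, fixed threshold)
ROWS = [
    ("attack 1", 36, 1680,  5142, 3920, 1120, 5928),
    ("attack 1", 37, 2223,  7601, 5187, 1482, 5928),
    ("attack 2", 45, 1976, 10095, 4611, 1317, 4934),
    ("attack 3", 14, 1696,  6000, 3957, 1130, 5750),
    ("attack 3", 15, 2314,  5699, 5399, 1542, 5750),
    ("attack 3", 37, 2074,  8880, 4839, 1383, 5650),
    ("attack 3", 38, 2442, 14000, 5698, 1628, 5650),
    ("attack 4", 19, 1672,  6888, 3901, 1115, 4578),
    ("attack 4", 20, 1872,  9936, 4368, 1248, 4578),
]


def adaptive_level(monitored, threshold, interval, max_level=4):
    """Assumed rule: traffic below the adaptive threshold is level 1;
    each full threshold interval above it raises the level by one,
    capped at max_level.  This reproduces all nine rows of Table 1."""
    if monitored < threshold:
        return 1
    return min(max_level, 1 + (monitored - threshold) // interval)


def fixed_alert(monitored, fixed_threshold):
    """Table 2 rule: a single static threshold, alert when exceeded."""
    return monitored > fixed_threshold


def table1_levels():
    """Warning level per row under the adaptive threshold (Table 1)."""
    return [adaptive_level(m, t, i) for _, _, _, m, t, i, _ in ROWS]


def table2_alerts():
    """Alert flag per row under the fixed threshold (Table 2)."""
    return [fixed_alert(m, f) for _, _, _, m, _, _, f in ROWS]


def missed_by_fixed():
    """Rows the adaptive model escalates (level >= 2) but the fixed
    threshold reports as 'no attack': the gap the two tables show."""
    return [(exp, minute) for exp, minute, _, m, t, i, f in ROWS
            if adaptive_level(m, t, i) >= 2 and not fixed_alert(m, f)]


if __name__ == "__main__":
    for row, lvl, alert in zip(ROWS, table1_levels(), table2_alerts()):
        print(row[0], "minute", row[1], "adaptive level", lvl,
              "fixed: alert" if alert else "fixed: no attack")
    print("missed by fixed threshold:", missed_by_fixed())
```

Minute 36 of attack 1 is the row where the static threshold (5 928) stays silent while the adaptive threshold (3 920) already yields level 2; minute 15 of attack 3 is the row where both agree that traffic is still inside the normal band.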