Journal of ZheJiang University (Engineering Science)  2020, Vol. 54 Issue (4): 704-711    DOI: 10.3785/j.issn.1008-973X.2020.04.009
Computer Technology, Information Engineering
Early warning model of DDoS attack situation based on adaptive threshold
Yi-han LUO 1, Jie-ren CHENG 1,2,*, Xiang-yan TANG 1, Ming-wang OU 1, Tian WANG 1
1. School of Computer and Cyberspace Security, Hainan University, Haikou 570228, China
2. State Key Laboratory of Marine Resource Utilization in South China Sea, Hainan University, Haikou 570228, China

Abstract  

The distributed denial of service (DDoS) attack situation warning technology was analyzed in order to accurately identify the DDoS attack situation warning level. The logical structure of the DDoS attack situation early warning model was designed, and the regional network security vulnerability factor (SVF) was defined. Then a DDoS attack situation warning model based on a dynamic adaptive threshold was proposed, built on the long-short-time memory (LSTM) prediction model and the SVF. The IP-data-counts feature (IPDCF) was extracted and modeled with the LSTM prediction model to predict the normal traffic flow. The early warning threshold and the early warning interval were dynamically calculated from the prediction results and the SVF, and the situation warning level was set on the basis of the early warning threshold and the early warning interval. The experimental results show that the model can be used to predict the DDoS attack situation in real time and to accurately identify the DDoS attack situation security level.



Key words: distributed denial of service (DDoS); attack situation; early warning model; long-short-time memory (LSTM); adaptive threshold
Received: 26 January 2019      Published: 05 April 2020
CLC:  TP 393  
Corresponding Authors: Jie-ren CHENG     E-mail: lyhphonbe@163.com;cjr22@163.com
Cite this article:

Yi-han LUO,Jie-ren CHENG,Xiang-yan TANG,Ming-wang OU,Tian WANG. Early warning model of DDoS attack situation based on adaptive threshold. Journal of ZheJiang University (Engineering Science), 2020, 54(4): 704-711.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2020.04.009     OR     http://www.zjujournals.com/eng/Y2020/V54/I4/704


Early warning model of DDoS attack situation based on adaptive threshold

In order to accurately identify the warning level of a distributed denial of service (DDoS) attack situation, DDoS attack situation early warning technology was studied, the logical structure of a DDoS attack situation early warning model was designed, and the regional network security vulnerability factor (SVF) was defined. Based on a long-short-time memory (LSTM) network traffic prediction model and the regional network SVF, a DDoS attack situation early warning model based on a dynamic adaptive threshold was proposed. The IP packet statistical feature (IPDCF) was extracted, the IPDCF sequence was modeled with the LSTM prediction model, and normal traffic was predicted. The warning threshold and the warning interval were computed dynamically and in real time from the prediction results and the SVF, and the situation warning level was set on the basis of the warning threshold and the warning interval. Experimental results show that the model can warn of a DDoS attack situation in real time and effectively, and can accurately identify the security level of the DDoS attack situation.

Keywords: distributed denial of service (DDoS); attack situation; early warning model; long-short-time memory (LSTM); adaptive threshold
Fig.1 Logical structure of DDoS attack situation warning model
Fig.2 LSTM neural network diagram
Fig.3 DDoS attack situation warning system architecture diagram
Fig.4 Comparison chart of actual and predicted data values
Fig.5 First simulation attack situation warning effect map
Fig.6 Second simulation attack situation warning effect map
Fig.7 Third simulation attack situation warning effect map
Fig.8 Fourth simulation attack situation warning effect map
| Experiment | Time of attack | Security vulnerability factor (SVF) | Predicted value | Real-time monitored value | Threshold | Threshold interval | Warning level |
|---|---|---|---|---|---|---|---|
| Attack 1 | Minute 36 | 0.6 | 1 680 | 5 142 | 3 920 | 1 120 | Level 2 |
| Attack 1 | Minute 37 | 0.6 | 2 223 | 7 601 | 5 187 | 1 482 | Level 2 |
| Attack 2 | Minute 45 | 0.6 | 1 976 | 10 095 | 4 611 | 1 317 | Level 4 |
| Attack 3 | Minute 14 | 0.6 | 1 696 | 6 000 | 3 957 | 1 130 | Level 2 |
| Attack 3 | Minute 15 | 0.6 | 2 314 | 5 699 | 5 399 | 1 542 | Level 1 |
| Attack 3 | Minute 37 | 0.6 | 2 074 | 8 880 | 4 839 | 1 383 | Level 3 |
| Attack 3 | Minute 38 | 0.6 | 2 442 | 14 000 | 5 698 | 1 628 | Level 4 |
| Attack 4 | Minute 19 | 0.6 | 1 672 | 6 888 | 3 901 | 1 115 | Level 3 |
| Attack 4 | Minute 20 | 0.6 | 1 872 | 9 936 | 4 368 | 1 248 | Level 4 |

Tab.1 DDoS attack warning result based on dynamic adaptive threshold
| Experiment | Time of attack | Predicted value | Real-time monitored value | Threshold | Warning |
|---|---|---|---|---|---|
| Attack 1 | Minute 36 | 1 680 | 5 142 | 5 928 | No attack |
| Attack 1 | Minute 37 | 2 223 | 7 601 | 5 928 | Attack warning |
| Attack 2 | Minute 45 | 1 976 | 10 095 | 4 934 | Attack warning |
| Attack 3 | Minute 14 | 1 696 | 6 000 | 5 750 | Attack warning |
| Attack 3 | Minute 15 | 2 314 | 5 699 | 5 750 | No attack |
| Attack 3 | Minute 37 | 2 074 | 8 880 | 5 650 | Attack warning |
| Attack 3 | Minute 38 | 2 442 | 14 000 | 5 650 | Attack warning |
| Attack 4 | Minute 19 | 1 672 | 6 888 | 4 578 | Attack warning |
| Attack 4 | Minute 20 | 1 872 | 9 936 | 4 578 | Attack warning |

Tab.2 DDoS attack warning result without adaptive threshold
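The following Python script is an added illustration of the warning logic the abstract describes (LSTM-predicted normal traffic, SVF, dynamic threshold and interval, warning level) run over the nine rows of Tab.1 and Tab.2. It is not the paper's code. The abstract does not give the threshold and interval formulas, so the forms used here are assumptions chosen because they reproduce the Threshold column of Tab.1 for SVF = 0.6 (the Threshold-interval column matches to within one unit of rounding); the level rule (one level per whole interval above the threshold, capped at Level 4) and the cap are likewise reconstructed from the table rather than taken from the paper. The sample rows are the table values, embedded inline.

```python
from dataclasses import dataclass

# Constructed sample: the rows of Tab.1 / Tab.2 above as
# (experiment, minute under attack, LSTM predicted value,
#  real-time monitored value, static threshold used in Tab.2).
# SVF is 0.6 for every row of Tab.1.
SAMPLE_ROWS = [
    (1, 36, 1680, 5142, 5928),
    (1, 37, 2223, 7601, 5928),
    (2, 45, 1976, 10095, 4934),
    (3, 14, 1696, 6000, 5750),
    (3, 15, 2314, 5699, 5750),
    (3, 37, 2074, 8880, 5650),
    (3, 38, 2442, 14000, 5650),
    (4, 19, 1672, 6888, 4578),
    (4, 20, 1872, 9936, 4578),
]
SVF = 0.6        # regional security vulnerability factor, as in Tab.1
MAX_LEVEL = 4    # highest level that appears in Tab.1 (assumed cap)


def warning_interval(predicted: float, svf: float) -> float:
    """Width of one warning band.

    ASSUMED form: predicted * (1 - svf) / svf. A more vulnerable region
    (smaller svf) gets a wider band. Reproduces Tab.1 for svf = 0.6.
    """
    if not 0.0 < svf <= 1.0:
        raise ValueError("svf must be in (0, 1]")
    return predicted * (1.0 - svf) / svf


def warning_threshold(predicted: float, svf: float) -> float:
    """ASSUMED form: predicted / svf plus one interval; reproduces Tab.1's Threshold column."""
    return predicted / svf + warning_interval(predicted, svf)


def warning_level(monitored: float, predicted: float, svf: float,
                  max_level: int = MAX_LEVEL) -> int:
    """0 = at or below threshold (no warning); otherwise 1 plus the number
    of whole intervals the monitored value sits above the threshold, capped."""
    threshold = warning_threshold(predicted, svf)
    if monitored <= threshold:
        return 0
    bands_above = (monitored - threshold) / warning_interval(predicted, svf)
    return min(max_level, int(bands_above) + 1)


def static_alert(monitored: float, static_threshold: float) -> bool:
    """Tab.2 baseline: a fixed per-experiment threshold, alert when exceeded."""
    return monitored > static_threshold


@dataclass
class Assessment:
    experiment: int
    minute: int
    threshold: int
    interval: int
    level: int
    static_alert: bool


def assess(rows=SAMPLE_ROWS, svf: float = SVF) -> list:
    """Run the adaptive scheme and the static baseline over every row."""
    out = []
    for exp, minute, predicted, monitored, static_thr in rows:
        out.append(Assessment(
            experiment=exp,
            minute=minute,
            threshold=round(warning_threshold(predicted, svf)),
            interval=round(warning_interval(predicted, svf)),
            level=warning_level(monitored, predicted, svf),
            static_alert=static_alert(monitored, static_thr),
        ))
    return out


def missed_by_static(rows=SAMPLE_ROWS, svf: float = SVF) -> list:
    """Rows where the fixed threshold stays silent but the adaptive scheme raises a level."""
    return [(a.experiment, a.minute, a.level)
            for a in assess(rows, svf) if a.level > 0 and not a.static_alert]


if __name__ == "__main__":
    for a in assess():
        print(a)
    print("missed by static threshold:", missed_by_static())
```

Running the script reproduces the Threshold and Warning-level columns of Tab.1 and the Warning column of Tab.2; `missed_by_static()` returns the two rows (Attack 1 at minute 36, Attack 3 at minute 15) where the fixed threshold reports no attack while the adaptive threshold already raises Level 2 and Level 1, which is the comparison the two tables make.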