Computer Technology, Information Engineering
Early warning model of DDoS attack situation based on adaptive threshold

Yi-han LUO 1, Jie-ren CHENG 1,2,*, Xiang-yan TANG 1, Ming-wang OU 1, Tian WANG 1

1. School of Computer and Cyberspace Security, Hainan University, Haikou 570228, China
2. State Key Laboratory of Marine Resource Utilization in South China Sea, Hainan University, Haikou 570228, China
Abstract: Distributed denial of service (DDoS) attack situation warning technology was analyzed in order to accurately identify the DDoS attack situation warning level. The logical structure of a DDoS attack situation early warning model was designed, and the regional network security vulnerability factor (SVF) was defined. A DDoS attack situation warning model based on a dynamic adaptive threshold was then proposed, built on a long short-term memory (LSTM) prediction model and the SVF. The IP-data-counts feature (IPDCF) was extracted and modeled with the LSTM prediction model to predict the normal traffic flow. The early warning threshold and the early warning interval were calculated dynamically from the prediction results and the SVF, and the situation warning level was set from the early warning threshold and interval. The experimental results show that the model can predict the DDoS attack situation in real time and accurately identify the DDoS attack situation security level.
Received: 26 January 2019
Published: 05 April 2020
Corresponding Authors:
Jie-ren CHENG
E-mail: lyhphonbe@163.com; cjr22@163.com
Chinese title: Early warning model of DDoS attack situation based on adaptive threshold

Chinese abstract: To accurately identify the warning level of distributed denial of service (DDoS) attack situations, DDoS attack situation early warning technology was studied, the logical structure of a DDoS attack situation early warning model was designed, and the regional network security vulnerability factor (SVF) was defined. Based on a long short-term memory (LSTM) network traffic prediction model and the regional network SVF, a DDoS attack situation early warning model based on a dynamic adaptive threshold was proposed. IP packet statistical features (IPDCF) were extracted, and the LSTM prediction model was used to model the IPDCF sequence and predict normal traffic. The warning threshold and warning interval were calculated dynamically in real time from the prediction results and the SVF, and the situation warning level was set based on the warning threshold and interval. Experimental results show that the model can warn of DDoS attack situations in real time and effectively, and accurately identify the security level of the DDoS attack situation.

Keywords: distributed denial of service (DDoS), attack situation, early warning model, long short-term memory (LSTM), adaptive threshold
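The warning pipeline the abstract describes (predict normal traffic, derive a threshold and interval from the prediction and the SVF, grade the observed value), shown as an added illustration that is not the paper's code. The LSTM predictor is replaced by exponential smoothing, and the threshold and interval rules, the SVF range and the sample IPDCF series are all assumptions made for the demo.

```python
# Added illustration, not code from the paper: an adaptive-threshold DDoS
# situation warning loop over an IPDCF-like series. The LSTM predictor is
# replaced by exponential smoothing, and the threshold and interval rules
# are assumptions chosen for the demo.
from typing import List, Tuple

# Constructed sample: packets per window, a calm baseline then a surge.
SAMPLE_IPDCF: List[float] = [100, 104, 98, 102, 101, 99, 103, 100, 160, 320]


def predict_next(history: List[float], alpha: float = 0.3) -> float:
    """Stand-in for the LSTM normal-traffic predictor (exponential smoothing)."""
    level = float(history[0])
    for x in history[1:]:
        level = alpha * x + (1.0 - alpha) * level
    return level


def warning_bounds(predicted: float, svf: float,
                   base_margin: float = 0.4) -> Tuple[float, float]:
    """Assumed rule: the tolerated margin above the predicted normal value
    shrinks as the regional SVF grows, so a more vulnerable region is warned
    earlier. Returns (threshold, upper); the warning interval is [threshold, upper]."""
    if not 0.0 <= svf <= 1.0:
        raise ValueError("svf must lie in [0, 1]")
    margin = base_margin * (1.0 - 0.5 * svf)
    threshold = predicted * (1.0 + margin)
    return threshold, threshold * (1.0 + margin)


def warning_level(observed: float, threshold: float, upper: float) -> int:
    """0 = normal, 1 = inside the early warning interval, 2 = above it."""
    if observed < threshold:
        return 0
    return 1 if observed <= upper else 2


def evaluate_series(series: List[float], svf: float, window: int = 5) -> List[int]:
    """Predict each value from the preceding `window` values, derive the
    dynamic threshold for that step, and grade the observed value."""
    levels = []
    for i in range(window, len(series)):
        threshold, upper = warning_bounds(predict_next(series[i - window:i]), svf)
        levels.append(warning_level(series[i], threshold, upper))
    return levels


if __name__ == "__main__":
    print(evaluate_series(SAMPLE_IPDCF, svf=0.5))  # [0, 0, 0, 1, 2]
```

The sample's two surge windows land in the interval and above it respectively, while the same surge against a lower SVF would need to climb higher before the level rises.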