1. School of Computer and Cyberspace Security, Hainan University, Haikou 570228, China
2. State Key Laboratory of Marine Resource Utilization in South China Sea, Hainan University, Haikou 570228, China
Distributed denial of service (DDoS) attack situation warning technology was analyzed in order to accurately identify the DDoS attack situation warning level. The logical structure of a DDoS attack situation early warning model was designed, and the regional network security vulnerability factor (SVF) was defined. A dynamic-adaptive-threshold DDoS attack situation warning model was then proposed, built on a long short-term memory (LSTM) prediction model and the SVF. The IP-data-counts feature (IPDCF) was extracted and modeled with the LSTM prediction model to predict the normal traffic flow. The early warning threshold and the early warning interval were calculated dynamically from the prediction results and the SVF, and the situation warning level was set from the early warning threshold and the early warning interval. The experimental results show that the model can predict the DDoS attack situation in real time and accurately identify the DDoS attack situation security level.
Yi-han LUO, Jie-ren CHENG, Xiang-yan TANG, Ming-wang OU, Tian WANG. Early warning model of DDoS attack situation based on adaptive threshold. Journal of Zhejiang University (Engineering Science), 2020, 54(4): 704-711.
Tab.1 DDoS attack warning result based on dynamic adaptive threshold

| Experiment | Attacked minute | Predicted value | Real-time monitored value | Threshold | Warning |
|---|---|---|---|---|---|
| Attack 1 | Minute 36 | 1 680 | 5 142 | 5 928 | No attack |
| Attack 1 | Minute 37 | 2 223 | 7 601 | 5 928 | Attack warning |
| Attack 2 | Minute 45 | 1 976 | 10 095 | 4 934 | Attack warning |
| Attack 3 | Minute 14 | 1 696 | 6 000 | 5 750 | Attack warning |
| Attack 3 | Minute 15 | 2 314 | 5 699 | 5 750 | No attack |
| Attack 3 | Minute 37 | 2 074 | 8 880 | 5 650 | Attack warning |
| Attack 3 | Minute 38 | 2 442 | 14 000 | 5 650 | Attack warning |
| Attack 4 | Minute 19 | 1 672 | 6 888 | 4 578 | Attack warning |
| Attack 4 | Minute 20 | 1 872 | 9 936 | 4 578 | Attack warning |
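The following is an added example, not code from the paper: it takes the rows of Tab.1 as constructed input, re-derives the warning column under the assumed rule "monitored IPDCF value above the threshold raises a warning" (the paper's exact threshold and interval formulas are not given on this page), and measures per attack episode how many minutes pass between the first attacked minute and the first warning, which is the detection latency a defender would track.

```python
# Added example (not the paper's code). Re-derives the warning column of
# Tab.1 from its predicted / monitored / threshold values and computes the
# detection delay per attack episode. The decision rule below is an
# assumption; the page does not state how the threshold is computed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    experiment: int   # attack experiment number (Tab.1, column 1)
    minute: int       # attacked minute
    predicted: int    # LSTM-predicted normal IPDCF value
    monitored: int    # real-time monitored IPDCF value
    threshold: int    # dynamic adaptive warning threshold


# Rows of Tab.1 as printed on this page (constructed input for the example).
TAB1 = [
    Sample(1, 36, 1680, 5142, 5928),
    Sample(1, 37, 2223, 7601, 5928),
    Sample(2, 45, 1976, 10095, 4934),
    Sample(3, 14, 1696, 6000, 5750),
    Sample(3, 15, 2314, 5699, 5750),
    Sample(3, 37, 2074, 8880, 5650),
    Sample(3, 38, 2442, 14000, 5650),
    Sample(4, 19, 1672, 6888, 4578),
    Sample(4, 20, 1872, 9936, 4578),
]


def warning(s: Sample) -> str:
    """Assumed rule: warn when the monitored value exceeds the threshold."""
    return "attack warning" if s.monitored > s.threshold else "no attack"


def episodes(rows):
    """Split each experiment's attacked minutes into contiguous episodes."""
    out = []
    for s in sorted(rows, key=lambda r: (r.experiment, r.minute)):
        if out and out[-1][0].experiment == s.experiment \
                and out[-1][-1].minute == s.minute - 1:
            out[-1].append(s)
        else:
            out.append([s])
    return out


def detection_delays(rows):
    """(experiment, onset minute) -> minutes until the first warning, or None."""
    result = {}
    for ep in episodes(rows):
        onset = ep[0].minute
        warned = [s.minute for s in ep if warning(s) == "attack warning"]
        result[(ep[0].experiment, onset)] = (warned[0] - onset) if warned else None
    return result


def missed_minutes(rows):
    """Attacked minutes that the threshold did not flag (latency, not a miss)."""
    return [(s.experiment, s.minute) for s in rows if warning(s) != "attack warning"]
```

Both unflagged minutes (experiment 1, minute 36 and experiment 3, minute 15) are the first or second minute of an episode whose monitored value is still below the threshold, so the warning fires at most one minute late in every episode.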
Tab.2 DDoS attack warning result without adaptive threshold