基于偏二叉树SVM多分类算法的应用层DDoS检测方法

doi:10.11959/j.issn.2096-109x.2018020

网络与信息安全学报 ›› 2018, Vol. 4 ›› Issue (3): 24-34.doi: 10.11959/j.issn.2096-109x.2018020

基于偏二叉树SVM多分类算法的应用层DDoS检测方法

张斌^1,²,刘自豪^1,²(),董书琴^1,²,李立勋^1,²

¹ 信息工程大学，河南郑州 450001
² 河南省信息安全重点实验室，河南郑州 450001

修回日期:2018-02-02 出版日期:2018-03-01 发布日期:2018-04-09
作者简介:张斌（1969-），男，河南郑州人，信息工程大学教授、博士生导师，主要研究方向为网络空间安全。|刘自豪（1993-），男，湖北十堰人，信息工程大学硕士生，主要研究方向为应用层DDoS攻击检测与评估。|董书琴（1990-），男，河北邢台人，信息工程大学博士生，主要研究方向为网络空间态势感知。|李立勋（1994-），男，四川都江堰人，信息工程大学硕士生，主要研究方向为动态目标防御。
基金资助:
河南省基础与前沿技术研究计划基金资助项目(2014302903);信息保障技术重点实验室开放基金资助项目(KJ-15-109);信息工程大学新兴科研方向培育基金资助项目(2016604703)

App-DDoS detection method using partial binary tree based SVM algorithm

Bin ZHANG^1,²,Zihao LIU^1,²(),Shuqin DONG^1,²,Lixun LI^1,²

¹ Information and Engineering University,Zhengzhou 450001,China
² Key Laboratory of Information Security,Zhengzhou 450001,China

Revised:2018-02-02 Online:2018-03-01 Published:2018-04-09
Supported by:
The Basic and Advanced Technology Research Project of Henan Province(2014302903);The Open Foundation of Key Information Assurance Laboratory(KJ-15-109);The Cultivating Foundation of Emerging Research Direction of Information and Engineering Universit(2016604703)

摘要/Abstract

摘要：

针对基于流量特征的应用层DDoS检测方法侧重于检测持续型应用层DDoS攻击，而忽略检测上升型与脉冲型应用层 DDoS 攻击的问题，提出一种综合检测多类型应用层 DDoS 攻击的方法。首先通过 Hash函数及开放定址防碰撞方法，对多周期内不同源IP地址建立索引，进而实现HTTP GET数的快速统计功能，以支持对刻画数据规模、流量趋势及源 IP 地址分布差异所需特征参数的实时计算；然后采用偏二叉树结构组合SVM分类器分层训练特征参数，并结合遍历与反馈学习的方法，提出基于偏二叉树SVM多分类算法的应用层DDoS检测方法，快速区分出非突发正常流量、突发正常流量及多类型App-DDoS流量。实验表明，所提算法通过划分检测类型、逐层训练检测模型，与传统基于SVM、Navie Bayes的检测方法相比，具有更高的检测率与更低的误检率，且能有效区分出具体攻击类型。

关键词: 应用层DDoS攻击, HTTPGET统计模型, 流量特征参数, SVM多分类器

Abstract:

As it ignored the detection of ramp-up and pulsing type of application layer DDoS (App-DDoS) attacks in existing flow-based App-DDoS detection methods,an effective detection method for multi-type App-DDoS was proposed.Firstly,in order to fast count the number of HTTP GET for users and further support the calculation of feature parameters applied in detection method,the indexes of source IP address in multiple time windows were constructed by the approach of Hash function.Then the feature parameters by combining SVM classifiers with the structure of partial binary tree were trained hierarchically,and the App-DDoS detection method was proposed with the idea of traversing binary tree and feedback learning to distinguish non-burst normal flow,burst normal flow and multi-type App-DDoS flows.The experimental results show that compared with the conventional SVM-based and na?ve-Bayes-based detection methods,the proposed method has more excellent detection performance and can distinguish specific App-DDoS types through subdividing attack types and training detection model layer by layer.

Key words: App-DDoS attack, HTTP GET statistical model, flow feature parameter, SVM multi-classifier

中图分类号:

TP393

张斌,刘自豪,董书琴,李立勋. 基于偏二叉树SVM多分类算法的应用层DDoS检测方法[J]. 网络与信息安全学报, 2018, 4(3): 24-34.

Bin ZHANG,Zihao LIU,Shuqin DONG,Lixun LI. App-DDoS detection method using partial binary tree based SVM algorithm[J]. Chinese Journal of Network and Information Security, 2018, 4(3): 24-34.

图/表 14

图1

图2

图3

图4

图5

表1

图6

图7

图8

图9

图10

图11

表2

表3

参考文献 19

[1]	陈飞, 毕小红, 王晶晶 ,等. DDoS攻击防御技术发展综述[J]. 网络与信息安全学报, 2017,3(10): 16-24.
	CHEN F , BI X H , WANG J J ,et al. Survey of DDoS defense:challenges and directions[J]. Chinese Journal of Network and Information Security, 2017,3(10): 16-24.
[2]	SINGH K , SINGH P , KUMAR K . Application layer HTTP-GET flood DDoS attacks:research landscape and challenges[J]. Computer ＆ Security, 2016,65: 344-372.
[3]	李锦玲, 王斌强 . 基于最大频繁序列模式挖掘的 App-DDoS 攻击的异常检测[J]. 电子与信息学报, 2013,35(7): 1739-1745.
	LI J L , WANG B Q . Detecting App-DDoS attacks based on maximal frequent sequential pattern mining[J]. Journal of Electronics ＆Information Technology, 2013,35(7): 1739-1745.
[4]	SANGJAE L , GISUNG K , SEHUM K . Sequence-order- independent network profiling for detecting application layer DDoS attacks[J]. Eurasip Journal on Wireless Communication ＆ Networking, 2011,50(1): 1-9.
[5]	杨宏宇, 常媛 . 基于 K 均值多重主成分分析的 App-DDoS 检测方法[J]. 通信学报, 2014,35(5): 16-24.
	YANG H Y , CHANG Y . App-DDoS detection method based on K-means multiple principal component analysis[J]. Journal on Communications, 2014,35(5): 16-24.
[6]	YU S , THAPNGAM T , LIU J ,et al. Discriminating DDoS flows from flash crowds using information distance[C]// IEEE The 3rd International Conference on Network and System Security. 2009: 351-356.
[7]	LI K , ZHOU W L , LI P ,et al. Distinguishing DDoS attacks from flash crowds using probability metrics[C]// IEEE The 3rd International Conference on Network and System Security. 2009: 9-17.
[8]	YU S , ZHOU W L , JIA W J ,et al. Discriminating DDoS attacks from flash crowds using flow correlation coefficient[J]. IEEE Transactions on Parallel and Distributed Systems, 2012,23(6): 1073-1080.
[9]	SINGH KJ , THONGAM K , DE T . Entropy-based application layer DDoS attack detection using artificial neural networks[J].Entropy,2016:18(10),350-367. Entropy, 2016,18(10): 350-367.
[10]	NI T G , GUX Q , WANG H Y ,et al. Real-Time detection of applica tion-layer DDoS attack using time series analysis[J]. Journal of Control Science and Engineering, 2013(5): 1-6.
[11]	IRFAN S , AMIT M , VIBHAKAR M . Machine learning techniques used for the detection and analysis of morden types of DDoS attacks[J]. International Research Journal of Engineering and Technology, 2017,4(6): 16-24.
[12]	LIU L , JIN X L , MIN G Y ,et al. Anomaly diagnosis based on regression and classification analysis of statistical traffic features[J]. Security and Communication Networks, 2014,7: 1372-1383.
[13]	PAL R , KUMAR S , SHARMA R L . A detailed classification of flash events:client,server and network characteristics[C]// The International Conference on Computer Science ＆ Service System. 2012: 960-963.
[14]	杨新武, 马壮, 袁顺 . 基于弱分类器调整的多分类 Adaboost 算法[J]. 电子与信息学报, 2016,38(2): 373-380.
	YANG X W , MA Z , YUAN S . Multi-classification adaboost algorithm based on weak classifier adjustment[J]. Journal of Electronics＆ Information Technology, 2016,38(2): 373-380.
[15]	KANGS , CHOS Z , PILSUNG K . Constructing a multi-class classifier using one-against-one approach with different binary classifier[J]. Neurocomputing, 2015,149: 677-682.
[16]	SILVA C , RIBEIRO B . Multiclass ensemble of one-against-all SVM classifiers[C]// The International Symposium on Neural Networks. 2016: 531-539.
[17]	JINDAL A , DUA A , KAUR K ,et al. Decision tree and SVM-based data analytics for theft detection in smart grid[J]. IEEE Transactions on Industrial Informatics, 2016,12(3): 1005-1016.
[18]	CORTES C , VAPNIK V . Support vector networks[J]. Machine Learning, 1995,20: 273-297.
[19]	ITA. WorldCup98[DB/OL]. .

数据集			负载			请求方式	子网规模
数据集	单位	阶段数	峰值	上升时间/min	稳定时间/min	请求方式	子网规模
ATD₁	Trans/s	6	120	9	1	Random	2 000
ATD₂	Trans/s	6	120	0	5	Random	2 000
ATD₃	Trans/s	6	120	0	10	Random	2000
ADD₁	Trans/s	6	150	8	2	Random	2 000
ADD₂	Trans/s	6	150	0	6	Random	2 000
ADD₃	Trans/s	6	150	0	10	Random	2 000

数据集	PBT-SVM	SVM	Navie Bayes
NDD₁	0	0	0
NDD₂	0	0	0
FDD₁	1.67%	3.33%	6.67%
FDD₂	3.33%	8.33%	6.67%
平均值	1.25%	2.92%	3.75%

数据集	PBT-SVM	SVM	Navie Bayes
ADD₁	96.67%	85.00%	83.33%
ADD₂	93.33%	86.67%	81.67%
ADD₃	100.00%	100.00%	100.00%
平均值	96.67%	90.56%	88.33%

基于偏二叉树SVM多分类算法的应用层DDoS检测方法

App-DDoS detection method using partial binary tree based SVM algorithm

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 19

相关文章 15

Metrics

推荐阅读 0

[1]	陈先意, 顾军, 颜凯, 江栋, 许林峰, 付章杰. 针对车牌识别系统的双重对抗攻击[J]. 网络与信息安全学报, 2023, 9(3): 16-27.
[2]	叶天鹏, 林祥, 李建华, 张轩凯, 许力文. 面向雾计算的个性化轻量级分布式网络入侵检测系统[J]. 网络与信息安全学报, 2023, 9(3): 28-37.
[3]	祖立军, 曹雅琳, 门小骅, 吕智慧, 叶家炜, 李泓一, 张亮. 基于隐私风险评估的脱敏算法自适应方法[J]. 网络与信息安全学报, 2023, 9(3): 49-59.
[4]	夏锐琪, 李曼曼, 陈少真. 基于机器学习的分组密码结构识别[J]. 网络与信息安全学报, 2023, 9(3): 79-89.
[5]	袁静怡, 李子川, 彭国军. EN-Bypass：针对邮件代发提醒机制的安全评估方法[J]. 网络与信息安全学报, 2023, 9(3): 90-101.
[6]	余锋, 林庆新, 林晖, 汪晓丁. 基于生成对抗网络的隐私增强联邦学习方案[J]. 网络与信息安全学报, 2023, 9(3): 113-122.
[7]	朱春陶, 尹承禧, 张博林, 殷琪林, 卢伟. 基于多域时序特征挖掘的伪造人脸检测方法[J]. 网络与信息安全学报, 2023, 9(3): 123-134.
[8]	李晓萌, 郭玳豆, 卓训方, 姚恒, 秦川. 载体独立的抗屏摄信息膜叠加水印算法[J]. 网络与信息安全学报, 2023, 9(3): 135-149.
[9]	蔡召, 荆涛, 任爽. 以太坊钓鱼诈骗检测技术综述[J]. 网络与信息安全学报, 2023, 9(2): 21-32.
[10]	潘雁, 林伟, 祝跃飞. 渐进式的协议状态机主动推断方法[J]. 网络与信息安全学报, 2023, 9(2): 81-93.
[11]	杨盼, 康绯, 舒辉, 黄宇垚, 吕小少. 基于函数摘要的二进制程序污点分析优化方法[J]. 网络与信息安全学报, 2023, 9(2): 115-131.
[12]	肖天, 江智昊, 唐鹏, 黄征, 郭捷, 邱卫东. 基于深度强化学习的高性能导向性模糊测试方案[J]. 网络与信息安全学报, 2023, 9(2): 132-142.
[13]	袁承昊, 李勇, 任爽. 多关键词动态可搜索加密方案[J]. 网络与信息安全学报, 2023, 9(2): 143-153.
[14]	侯泽洲, 任炯炯, 陈少真. 基于神经网络区分器的SIMON-like算法参数安全性评估[J]. 网络与信息安全学报, 2023, 9(2): 154-163.
[15]	郭学镜, 方毅翔, 赵怡, 张天助, 曾文超, 王俊祥. 基于传统引导机制的深度鲁棒水印算法[J]. 网络与信息安全学报, 2023, 9(2): 175-183.