基于偏二叉树SVM多分类算法的应用层DDoS检测方法

doi:10.11959/j.issn.2096-109x.2018020

网络与信息安全学报 ›› 2018, Vol. 4 ›› Issue (3): 24-34.doi: 10.11959/j.issn.2096-109x.2018020

基于偏二叉树SVM多分类算法的应用层DDoS检测方法

张斌^1,²,刘自豪^1,²(),董书琴^1,²,李立勋^1,²

¹ 信息工程大学，河南郑州 450001
² 河南省信息安全重点实验室，河南郑州 450001

修回日期:2018-02-02 出版日期:2018-03-01 发布日期:2018-04-09
作者简介:张斌（1969-），男，河南郑州人，信息工程大学教授、博士生导师，主要研究方向为网络空间安全。|刘自豪（1993-），男，湖北十堰人，信息工程大学硕士生，主要研究方向为应用层DDoS攻击检测与评估。|董书琴（1990-），男，河北邢台人，信息工程大学博士生，主要研究方向为网络空间态势感知。|李立勋（1994-），男，四川都江堰人，信息工程大学硕士生，主要研究方向为动态目标防御。
基金资助:
河南省基础与前沿技术研究计划基金资助项目(2014302903);信息保障技术重点实验室开放基金资助项目(KJ-15-109);信息工程大学新兴科研方向培育基金资助项目(2016604703)

App-DDoS detection method using partial binary tree based SVM algorithm

Bin ZHANG^1,²,Zihao LIU^1,²(),Shuqin DONG^1,²,Lixun LI^1,²

¹ Information and Engineering University,Zhengzhou 450001,China
² Key Laboratory of Information Security,Zhengzhou 450001,China

Revised:2018-02-02 Online:2018-03-01 Published:2018-04-09
Supported by:
The Basic and Advanced Technology Research Project of Henan Province(2014302903);The Open Foundation of Key Information Assurance Laboratory(KJ-15-109);The Cultivating Foundation of Emerging Research Direction of Information and Engineering Universit(2016604703)

摘要/Abstract

摘要：

针对基于流量特征的应用层DDoS检测方法侧重于检测持续型应用层DDoS攻击，而忽略检测上升型与脉冲型应用层 DDoS 攻击的问题，提出一种综合检测多类型应用层 DDoS 攻击的方法。首先通过 Hash函数及开放定址防碰撞方法，对多周期内不同源IP地址建立索引，进而实现HTTP GET数的快速统计功能，以支持对刻画数据规模、流量趋势及源 IP 地址分布差异所需特征参数的实时计算；然后采用偏二叉树结构组合SVM分类器分层训练特征参数，并结合遍历与反馈学习的方法，提出基于偏二叉树SVM多分类算法的应用层DDoS检测方法，快速区分出非突发正常流量、突发正常流量及多类型App-DDoS流量。实验表明，所提算法通过划分检测类型、逐层训练检测模型，与传统基于SVM、Navie Bayes的检测方法相比，具有更高的检测率与更低的误检率，且能有效区分出具体攻击类型。

关键词: 应用层DDoS攻击, HTTPGET统计模型, 流量特征参数, SVM多分类器

Abstract:

As it ignored the detection of ramp-up and pulsing type of application layer DDoS (App-DDoS) attacks in existing flow-based App-DDoS detection methods,an effective detection method for multi-type App-DDoS was proposed.Firstly,in order to fast count the number of HTTP GET for users and further support the calculation of feature parameters applied in detection method,the indexes of source IP address in multiple time windows were constructed by the approach of Hash function.Then the feature parameters by combining SVM classifiers with the structure of partial binary tree were trained hierarchically,and the App-DDoS detection method was proposed with the idea of traversing binary tree and feedback learning to distinguish non-burst normal flow,burst normal flow and multi-type App-DDoS flows.The experimental results show that compared with the conventional SVM-based and na?ve-Bayes-based detection methods,the proposed method has more excellent detection performance and can distinguish specific App-DDoS types through subdividing attack types and training detection model layer by layer.

Key words: App-DDoS attack, HTTP GET statistical model, flow feature parameter, SVM multi-classifier

中图分类号:

TP393

张斌,刘自豪,董书琴,李立勋. 基于偏二叉树SVM多分类算法的应用层DDoS检测方法[J]. 网络与信息安全学报, 2018, 4(3): 24-34.

Bin ZHANG,Zihao LIU,Shuqin DONG,Lixun LI. App-DDoS detection method using partial binary tree based SVM algorithm[J]. Chinese Journal of Network and Information Security, 2018, 4(3): 24-34.

图/表 14

图1

图2

图3

图4

图5

表1

图6

图7

图8

图9

图10

图11

表2

表3

参考文献 19

[1]	陈飞, 毕小红, 王晶晶 ,等. DDoS攻击防御技术发展综述[J]. 网络与信息安全学报, 2017,3(10): 16-24.
	CHEN F , BI X H , WANG J J ,et al. Survey of DDoS defense:challenges and directions[J]. Chinese Journal of Network and Information Security, 2017,3(10): 16-24.
[2]	SINGH K , SINGH P , KUMAR K . Application layer HTTP-GET flood DDoS attacks:research landscape and challenges[J]. Computer ＆ Security, 2016,65: 344-372.
[3]	李锦玲, 王斌强 . 基于最大频繁序列模式挖掘的 App-DDoS 攻击的异常检测[J]. 电子与信息学报, 2013,35(7): 1739-1745.
	LI J L , WANG B Q . Detecting App-DDoS attacks based on maximal frequent sequential pattern mining[J]. Journal of Electronics ＆Information Technology, 2013,35(7): 1739-1745.
[4]	SANGJAE L , GISUNG K , SEHUM K . Sequence-order- independent network profiling for detecting application layer DDoS attacks[J]. Eurasip Journal on Wireless Communication ＆ Networking, 2011,50(1): 1-9.
[5]	杨宏宇, 常媛 . 基于 K 均值多重主成分分析的 App-DDoS 检测方法[J]. 通信学报, 2014,35(5): 16-24.
	YANG H Y , CHANG Y . App-DDoS detection method based on K-means multiple principal component analysis[J]. Journal on Communications, 2014,35(5): 16-24.
[6]	YU S , THAPNGAM T , LIU J ,et al. Discriminating DDoS flows from flash crowds using information distance[C]// IEEE The 3rd International Conference on Network and System Security. 2009: 351-356.
[7]	LI K , ZHOU W L , LI P ,et al. Distinguishing DDoS attacks from flash crowds using probability metrics[C]// IEEE The 3rd International Conference on Network and System Security. 2009: 9-17.
[8]	YU S , ZHOU W L , JIA W J ,et al. Discriminating DDoS attacks from flash crowds using flow correlation coefficient[J]. IEEE Transactions on Parallel and Distributed Systems, 2012,23(6): 1073-1080.
[9]	SINGH KJ , THONGAM K , DE T . Entropy-based application layer DDoS attack detection using artificial neural networks[J].Entropy,2016:18(10),350-367. Entropy, 2016,18(10): 350-367.
[10]	NI T G , GUX Q , WANG H Y ,et al. Real-Time detection of applica tion-layer DDoS attack using time series analysis[J]. Journal of Control Science and Engineering, 2013(5): 1-6.
[11]	IRFAN S , AMIT M , VIBHAKAR M . Machine learning techniques used for the detection and analysis of morden types of DDoS attacks[J]. International Research Journal of Engineering and Technology, 2017,4(6): 16-24.
[12]	LIU L , JIN X L , MIN G Y ,et al. Anomaly diagnosis based on regression and classification analysis of statistical traffic features[J]. Security and Communication Networks, 2014,7: 1372-1383.
[13]	PAL R , KUMAR S , SHARMA R L . A detailed classification of flash events:client,server and network characteristics[C]// The International Conference on Computer Science ＆ Service System. 2012: 960-963.
[14]	杨新武, 马壮, 袁顺 . 基于弱分类器调整的多分类 Adaboost 算法[J]. 电子与信息学报, 2016,38(2): 373-380.
	YANG X W , MA Z , YUAN S . Multi-classification adaboost algorithm based on weak classifier adjustment[J]. Journal of Electronics＆ Information Technology, 2016,38(2): 373-380.
[15]	KANGS , CHOS Z , PILSUNG K . Constructing a multi-class classifier using one-against-one approach with different binary classifier[J]. Neurocomputing, 2015,149: 677-682.
[16]	SILVA C , RIBEIRO B . Multiclass ensemble of one-against-all SVM classifiers[C]// The International Symposium on Neural Networks. 2016: 531-539.
[17]	JINDAL A , DUA A , KAUR K ,et al. Decision tree and SVM-based data analytics for theft detection in smart grid[J]. IEEE Transactions on Industrial Informatics, 2016,12(3): 1005-1016.
[18]	CORTES C , VAPNIK V . Support vector networks[J]. Machine Learning, 1995,20: 273-297.
[19]	ITA. WorldCup98[DB/OL]. .

数据集			负载			请求方式	子网规模
数据集	单位	阶段数	峰值	上升时间/min	稳定时间/min	请求方式	子网规模
ATD₁	Trans/s	6	120	9	1	Random	2 000
ATD₂	Trans/s	6	120	0	5	Random	2 000
ATD₃	Trans/s	6	120	0	10	Random	2000
ADD₁	Trans/s	6	150	8	2	Random	2 000
ADD₂	Trans/s	6	150	0	6	Random	2 000
ADD₃	Trans/s	6	150	0	10	Random	2 000

数据集	PBT-SVM	SVM	Navie Bayes
NDD₁	0	0	0
NDD₂	0	0	0
FDD₁	1.67%	3.33%	6.67%
FDD₂	3.33%	8.33%	6.67%
平均值	1.25%	2.92%	3.75%

数据集	PBT-SVM	SVM	Navie Bayes
ADD₁	96.67%	85.00%	83.33%
ADD₂	93.33%	86.67%	81.67%
ADD₃	100.00%	100.00%	100.00%
平均值	96.67%	90.56%	88.33%

基于偏二叉树SVM多分类算法的应用层DDoS检测方法

App-DDoS detection method using partial binary tree based SVM algorithm

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 19

相关文章 15

Metrics

推荐阅读 0

[1]	任奎, 孟泉润, 闫守琨, 秦湛. 人工智能模型数据泄露的攻击与防御研究综述[J]. 网络与信息安全学报, 2021, 7(1): 1-10.
[2]	张青青, 汤红波, 游伟, 李英乐. 基于免疫算法的网络功能异构冗余部署方法[J]. 网络与信息安全学报, 2021, 7(1): 46-56.
[3]	张涛, 伍前红, 唐宗勋. 基于比特币区块链的隐蔽信息传输研究[J]. 网络与信息安全学报, 2021, 7(1): 84-92.
[4]	王滨, 陈靓, 钱亚冠, 郭艳凯, 邵琦琦, 王佳敏. 面向对抗样本攻击的移动目标防御[J]. 网络与信息安全学报, 2021, 7(1): 113-120.
[5]	苗春雨, 范渊, 李晖, 葛凯强, 张小孟. 基于移动Sink的WSN安全数据收集方法[J]. 网络与信息安全学报, 2021, 7(1): 121-129.
[6]	陈璐, 汤红波, 游伟, 柏溢. 移动边缘计算安全防御研究[J]. 网络与信息安全学报, 2021, 7(1): 130-142.
[7]	孙澄, 胡浩, 杨英杰, 张红旗. 融合宏观与微观的双层威胁分析模型[J]. 网络与信息安全学报, 2021, 7(1): 143-156.
[8]	张颖君,刘尚奇,杨牧,张海霞,黄克振. 基于日志的异常检测技术综述[J]. 网络与信息安全学报, 2020, 6(6): 1-12.
[9]	熊小兵,舒辉,康绯. 基于融合编译的软件多样化保护方法[J]. 网络与信息安全学报, 2020, 6(6): 13-24.
[10]	张鑫,羌卫中,吴月明,邹德清,金海. 基于卷积神经网络恶意安卓应用行为模式挖掘[J]. 网络与信息安全学报, 2020, 6(6): 35-44.
[11]	周天昱,申文博,杨男子,李金库,秦承刚,喻望. Docker组件间标准输入输出复制的DoS攻击分析[J]. 网络与信息安全学报, 2020, 6(6): 45-56.
[12]	尚菁菁,朱宇佳,刘庆云. 电子邮件安全扩展协议应用分析[J]. 网络与信息安全学报, 2020, 6(6): 69-79.
[13]	王标,刘兴洋,许卡,刘汪洋,王克楠,夏宇清. 政府开放数据的国家安全风险评估模型研究[J]. 网络与信息安全学报, 2020, 6(6): 80-87.
[14]	熊钢,葛雨玮,褚衍杰,曹卫权. 基于跨域协同的网络空间威胁预警模式[J]. 网络与信息安全学报, 2020, 6(6): 88-96.
[15]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.