基于联合特征的LDoS攻击检测方法

doi:10.11959/j.issn.1000-436x.2017075

通信学报 ›› 2017, Vol. 38 ›› Issue (5): 19-30.doi: 10.11959/j.issn.1000-436x.2017075

基于联合特征的LDoS攻击检测方法

吴志军,张景安,岳猛,张才峰

中国民航大学电子信息与自动化学院，天津 300300

修回日期:2017-02-17 出版日期:2017-05-01 发布日期:2017-05-28
作者简介:吴志军（1965-），男，河南固始人，博士，中国民航大学教授、博士生导师，主要研究方向为网络空间安全。|张景安（1989-），男，山东临沂人，中国民航大学硕士生，主要研究方向为信息安全、拒绝服务攻击的入侵检测。|岳猛（1984-），男，河北沧州人，中国民航大学讲师，主要研究方向为信息安全、云计算、拒绝服务攻击的入侵检测。|张才峰（1991-），男，山东济南人，中国民航大学硕士生，主要研究方向为信息安全、拒绝服务攻击的入侵检测。
基金资助:
国家自然科学基金资助项目(U1533107);国家自然科学基金资助项目(U1433105);中央高校基本科研业务基金资助项目(3122016D003);中国民航大学研究生课程案例开发基金资助项目;天津市自然科学重点基金资助项目(17JCZDJC30900）)

Approach of detecting low-rate DoS attack based on combined features

Zhi-jun WU,Jing-an ZHANG,Meng YUE,Cai-feng ZHANG

College of Electronics Information and Automation,Civil Aviation University of China,Tianjin 300300,China

Revised:2017-02-17 Online:2017-05-01 Published:2017-05-28
Supported by:
The National Natural Science Foundation of China(U1533107);The National Natural Science Foundation of China(U1433105);Fundamental Scientific Research Foundation of the Central University(3122016D003);Case Development Project of Graduate Program in Civil Aviation University of China;Key Project of Tianjin Natural Science Foundation(17JCZDJC30900）)

摘要/Abstract

摘要：

低速率拒绝服务（LDoS,low-rate denial of service）攻击是一种降质服务（RoQ,reduction of quality）攻击，具有平均速率低和隐蔽性强的特点，它是云计算平台和大数据中心面临的最大安全威胁之一。提取了LDoS攻击流量的3个内在特征，建立基于BP神经网络的LDoS攻击分类器，提出了基于联合特征的LDoS攻击检测方法。该方法将LDoS攻击的3个内在特征组成联合特征作为BP神经网络的输入，通过预先设定的决策指标，达到检测LDoS攻击的目的。采用LDoS攻击流量专用产生工具，在NS2仿真平台和test-bed网络环境中对检测算法进行了测试与验证，实验结果表明通过假设检验得出检测率为 96.68%。与现有研究成果比较说明基于联合特征的LDoS攻击检测性优于单个特征，并具有较高的计算效率。

关键词: 低速率拒绝服务攻击, 联合特征, BP神经网络, 异常检测

Abstract:

LDoS (low-rate denial of service) attack is a kind of RoQ (reduction of quality) attack which has the characteristics of low average rate and strong concealment.These characteristics pose great threats to the security of cloud computing platform and big data center.Based on network traffic analysis,three intrinsic characteristics of LDoS attack flow were extracted to be a set of input to BP neural network,which is a classifier for LDoS attack detection.Hence,an approach of detecting LDoS attacks was proposed based on novel combined feature value.The proposed approach can speedily and accurately model the LDoS attack flows by the efficient self-organizing learning process of BP neural network,in which a proper decision-making indicator is set to detect LDoS attack in accuracy at the end of output.The proposed detection approach was tested in NS2 platform and verified in test-bed network environment by using the Linux TCP-kernel source code,which is a widely accepted LDoS attack generation tool.The detection probability derived from hypothesis testing is 96.68%.Compared with available researches,analysis results show that the performance of combined features detection is better than that of single feature,and has high computational efficiency.

Key words: low-rate denial of service attack, united features, BP neural network, anomaly detection

中图分类号:

TP393.08

吴志军,张景安,岳猛,张才峰. 基于联合特征的LDoS攻击检测方法[J]. 通信学报, 2017, 38(5): 19-30.

Zhi-jun WU,Jing-an ZHANG,Meng YUE,Cai-feng ZHANG. Approach of detecting low-rate DoS attack based on combined features[J]. Journal on Communications, 2017, 38(5): 19-30.

图/表 21

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

表1

表2

图14

图15

图16

图17

表3

表4

参考文献 28

[1]	吴志军, 岳猛 . 基于信号处理的低速率拒绝服务攻击的检测技术[M]. 北京: 科学出版社, 2015.
	WU Z J , YUE M . Detection technology of LDoS attacks based on signal processing[M]. Beijing: Science PressPress, 2015.
[2]	MACIá-FERNáNDEZ G , DíAZ-VERDEJO J E , GARCíA-TEODORO P . Mathematical model for low-rate DoS attacks against application servers[J]. IEEE Transactions on Information Forensics and Security, 2009,4(3): 519-529.
[3]	TANG Y J , LUO X P , HUI Q ,et al. Modeling the vulnerability of feedback-control based internet services to low-rate DoS attacks[J]. IEEE Transactions on Information Forensics and Security, 2014,9(3): 339-353.
[4]	FICCO M , RAK M . Stealthy denial of service strategy in cloud computing[J]. IEEE Transactions on Cloud Computing, 2015,3(1): 80-94.
[5]	KUZMANOVIC A , KNIGHTLY E W . Low-rate TCP-targeted denial of service attacks- the Shrew vs.the Mice and Elephants[C]// ACM SIGCOMM 2003. Karlsruhe,Germany, 2003: 25-29.
[6]	KUZMANOVIC A , KNIGHTLY E W . Low-rate TCP-targeted denial of service attacks and counter strategies[J]. IEEE/ACM Transactions on Networking, 2006,14(4): 683-696.
[7]	何炎祥, 刘陶 . 降质服务攻击及其防范方法[M]. 北京: 机械工业出版社, 2011.
	HE Y X , LIU T . Reduction of quality attack and the defense methods[M]. Beijing: China Machine PressPress, 2011.
[8]	TANG Y , LUO X , HUI Q ,et al. Modeling the vulnerability of feedback-control based internet services to low-rate DoS attacks[J]. IEEE Transactions on Information Forensics and Security (TIFS), 2014,9(3): 339-353.
[9]	文坤, 杨家海, 张宾 . 低速率拒绝服务攻击研究与进展综述[J]. 软件学报, 2014,25(3): 591-605.
	WEN K , YANG J H , ZHANG B . Survey on research and progress of low-rate denial of service attacks[J]. Journal of Software, 2014,25(3): 591-605.
[10]	ZHU H L , YANG X , WU Q X ,et al. A novel distributed LDoS attack scheme against internet routing[J]. China Communications, 2014,113: 101-107.
[11]	LUO J T , YANG X L . The new shrew attack:a new type of low-rate TCP-targeted DoS attack[C]// International Conference on Communications,Sydney,Australia, 2014: 713-718.
[12]	LUO J T , YANG X L , WANG J ,et al. On a mathematical model for low-rate shrew DDoS[J]. IEEE Transactions on Information Forensics and Security (TIFS), 2014,9(7): 1069-1083.
[13]	张静, 胡华平, 刘波 ,等. 基于ASPQ的LDoS攻击检测方法[J]. 通信学报, 2012,33(5): 79-84.
	ZHANG J , HU H P , LIU B ,et al. Detecting LDoS attack based on ASPQ[J]. Journal on Communications, 2012,33(5): 79-84.
[14]	ZHANG C , YIN J , CAI Z ,et al. RRED:robust RED algorithm to counter low-rate denial-of-service attacks[J]. IEEE Communication Letter, 2010,415: 489-491.
[15]	马建红, 姬莉霞, 文坤 . Shrew 攻击对拥塞控制协议的影响及仿真分析[J]. 河南科技大学学报(自然科学版), 2013,34(4): 51-56.
	MA J H , JI L X , WEN K . Shrew attacks’ influence of congestion control protocol and simulation analysis[J]. Journal of Henan University of Science ＆ Technology (Natural Science), 2013,34(4): 51-56.
[16]	刘文胜, 周长胜 . 基于路由器 BGP 协议的低速率攻击与防御[J]. 北京信息科技大学学报, 2014,29(6): 90-94.
	LIU W S , ZHOU C S . Low-rate attack and defense based on BGP protocol router[J]. Journal of Beijing Information Science and Technology University, 2014,29(16): 90-94.
[17]	WEI W , CHEN F , XIA Y J ,et al. A rank correlation based detection against distributed reflection DoS attacks[J]. IEEE Communications Letters, 2013,17(1): 173-175.
[18]	CHEN Y , HUANG K , KWONG K Y . Collaborative defense against periodic shrew DDoS attacks in frequency domain[C]// ACM Transactions on Information and System Security. ACM:Los Angeles,California,USA, 2005: 2-27.
[19]	TANG D , CHEN K , CHEN X S ,et al. Adaptive EWMA method based on abnormal network traffic for LDoS attacks[J]. Mathematical Problems in Engineering, 2014(3): 166-183.
[20]	WU Z J , ZHANG L Y , YUE M . Low-rate dos attacks detection based on network multifractal[J]. IEEE Transactions on Dependable and Secure Computing, 2016,315: 559-567.
[21]	刘映 . 基于TCP流量统计特征的LDoS攻击检测方法研究[D]. 华中科技大学, 2015.
	LIU Y . Research on LDoS attacks detection method based on the statistical features of TCP traffic[D]. Huazhong University of Science and Technology, 2015.
[22]	KWOK Y K , TRIPATHI R , CHEN Y ,et al. HAWK:halting anomalies with weighted choking to rescue well-behaved TCP sessions from shrew DDoS attacks[C]// Networking and Mobile Computing,Third International Conference,ICCNMC 2005. 2005: 423-432.
[23]	张静, 胡华平, 刘波 ,等. 基于ASPQ的LDoS攻击检测方法[J]. 通信学报, 2012,33(5): 79-84.
	ZHANG J , HU H P , LIU B ,et al. Detecting LDoS attack based on ASPQ[J]. Journal on Communications, 2012,33(5): 79-84.
[24]	吴娜, 穆朝阳, 张良春 . 基于数据流势能特征的分布式拒绝服务隐蔽流量检测[J]. 计算机工程, 2015,42(3): 142-146.
	WU N , MU C Y , ZHANG L C . Distributed denial of service covert flow detection based on data stream potential energy feature[J]. Computer Engineering, 2015,42(3): 142-146.
[25]	李振军, 程杰仁 . 基于多特征分布式拒绝服务攻击的检测[J]. 信息网络安全, 2013(5): 25-28.
	LI Z J , CHENG J R . Detecting distributed denial of service attack based on multi-feature fusion[J]. Netinfo Security, 2013(5): 25-28.
[26]	HSIAO K J , XU K S , CALDER J ,et al. Multicriteria similarity-based anomaly detection using pareto depth analysis[J]. IEEE Transactions on Neural Networks and Learning Systems, 2016,27(6): 1307-1321.
[27]	徐琴珍, 杨绿溪 . 一种优化的神经网络树异常入侵检测方法[J]. 信号处理, 2010,26(11): 1663-1669.
	XU Q Z , YANG L X . An optimized neural network tree based anomaly intrusion detection method[J]. Journal of Signal Processing, 2010,26(11): 1663-1669.
[28]	吴志军, 岳猛 . 基于卡尔曼滤波的LDDoS攻击检测方法[J]. 电子学报, 2008,36(8): 1590-1594.
	WU Z J , YUE M . Detection of LDDoS attack based on Kalman filtering[J]. Acta Electronica Sinica, 2008,26(8): 1590-1594.

D	检测率	漏警率	虚警率
0.1	100%	0%	6%
0.2	100%	0%	2%
0.3	100%	0%	2%
0.4	100%	0%	2%
0.5	100%	0%	2%
0.6	100%	0%	0%
0.7	96%	4%	0%
0.8	90%	10%	0%
0.9	86%	14%	0%

输入的训练特征	检测率	漏警率	虚警率
可用带宽百分比	90%	10%	2%
小分组比例	86%	14%	10%
分组丢失率	94%	6%	4%
可用带宽百分比+小分组比例	86%	14%	10%
可用带宽百分比+分组丢失率	96%	4%	0%
小分组比例+分组丢失率	88%	12%	6%
联合特征	100%	0%	0%

D	P_D	P_FN	P_FP
0.400 0	99.22%	0.78%	10.54%
0.511 5	96.68%	3.32%	3.89%
0.550 0	94.89%	5.11%	2.62%
0.600 0	91.52%	8.48%	1.50%
0.650 0	86.70%	13.30%	0.82%

方法	检测率	漏警率	虚警率
NCPSD	88.00%	12.00%	16.70%
卡尔曼滤波	89.60%	10.40%	12.60%
多重分形	91.00%	9.00%	10.00%
本文方法	96.68%	3.32%	3.89%

基于联合特征的LDoS攻击检测方法

Approach of detecting low-rate DoS attack based on combined features

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 21

参考文献 28

相关文章 15

Metrics

推荐阅读 0

[1]	霍纬纲, 梁锐, 李永华. 基于随机Transformer的多维时间序列异常检测模型[J]. 通信学报, 2023, 44(2): 94-103.
[2]	廖建新, 付霄元, 戚琦, 王敬宇, 孙海峰. 6G-ADM：基于知识空间的6G网络管控体系[J]. 通信学报, 2022, 43(6): 3-15.
[3]	段雪源, 付钰, 王坤. 基于VAE-WGAN的多维时间序列异常检测方法[J]. 通信学报, 2022, 43(3): 1-13.
[4]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[5]	孙海丽, 龙翔, 韩兰胜, 黄炎, 李清波. 工业物联网异常检测技术综述[J]. 通信学报, 2022, 43(3): 196-210.
[6]	陈卓, 朱淼, 杜军威. 基于多视角图神经网络的欺诈检测算法[J]. 通信学报, 2022, 43(11): 225-232.
[7]	段雪源, 付钰, 王坤, 刘涛涛, 李彬. 基于多尺度特征的网络流量异常检测方法[J]. 通信学报, 2022, 43(10): 65-76.
[8]	朱会娟, 陈锦富, 李致远, 殷尚男. 基于多特征自适应融合的区块链异常交易检测方法[J]. 通信学报, 2021, 42(5): 41-50.
[9]	陈铁明,金成强,吕明琪,朱添田. 基于样本增强的网络恶意流量智能检测方法[J]. 通信学报, 2020, 41(6): 128-138.
[10]	戚琦,申润业,王敬宇. GAD：基于拓扑感知的时间序列异常检测[J]. 通信学报, 2020, 41(6): 152-160.
[11]	杨晓晖,张圣昌. 基于多粒度级联孤立森林算法的异常检测模型[J]. 通信学报, 2019, 40(8): 133-142.
[12]	李佳,云晓春,李书豪,张永铮,谢江,方方. 基于混合结构深度神经网络的HTTP恶意流量检测方法[J]. 通信学报, 2019, 40(1): 24-33.
[13]	王缵,田有亮,李秋贤,杨新欢. 基于信用模型的工作量证明算法[J]. 通信学报, 2018, 39(8): 185-198.
[14]	吴志军,刘亮,岳猛. 基于ANN与KPCA的LDoS攻击检测方法[J]. 通信学报, 2018, 39(5): 11-22.
[15]	俞艺涵,付钰,吴晓平. 基于Shannon信息熵与BP神经网络的隐私数据度量与分级模型[J]. 通信学报, 2018, 39(12): 10-17.