基于K均值多重主成分分析的App-DDoS检测方法

doi:10.3969/j.issn.1000-436x.2014.05.003

摘要/Abstract

摘要：

针对应用层分布式拒绝服务攻击，利用 Web日志的数据挖掘方法提出一种 K 均值多重主成分分析算法和基于该算法的App-DDoS检测方法。首先，通过分析正常用户和攻击者的访问行为区别，给出提取统计属性特征的方法；其次，根据主成分分析法的数据降维特性并利用最大距离划分法，提出一种K均值多重主成分分析算法，构建基于该算法的检测模型。最后，采用CTI-DATA数据集及模拟攻击获取的数据集，进行与模糊综合评判、隐半马尔科夫模型、D-S证据理论3种检测方法的App-DDoS攻击检测对比实验，实验结果证明 KMPCAA检测算法具有较好的检测性能。

关键词: 应用层, 网络攻击, 主成分分析, 均值聚类, 日志

Abstract:

Aiming at the application layer distributed deny of service(App-DDoS) attacks, a K-means multiple principal component analysis algorithm(KMPCAA) utilizing the Web log mining was proposed, then an App-DDoS detection method based on KMPCAA was presented. Firstly, a statistical properties feature extracting method was designed by ana-lyzing the difference between normal users' and attackers' access behavior. Secondly, a k-means multiple principal com-ponent analysis algorithm was proposed by using the maximum distance classification method according to the data di-mension reduction property of the principal component analysis, and then the testing model based on the algorithm was established. Finally, an App-DDoS attack detection experiment on the CTI-DATA dataset and the simulated attack data-set was conducted. In this experiment, the proposed method was compared with the fuzzy synthetical evaluation (FSE) algorithm, the hidden semi-Markov model (HsMM) detection algorithm and the dempster-shafer evidence theory (D-S) algorithm. Experimental results demonstrate that the KMPCAA detection algorithm has better detection performance.

Key words: application layer, network attack, principal component analysis, means clustering, log

杨宏宇,常媛. 基于K均值多重主成分分析的App-DDoS检测方法[J]. 通信学报, 2014, 35(5): 16-24.

Hong-yu YANG,Yuan CHANG. App-DDoS detection method based on K-means multiple principal component analysis[J]. Journal on Communications, 2014, 35(5): 16-24.

图/表 12

图1

图2

表1

表2

表3

表4

表5

表6

表7

表8

表9

图3

参考文献 19

[1]	第30次中国互联网络发展状况统计报告[R]．中国互联网络信息中心, 2012.The 30th China Internet Network Development State Statistic Re-port[R]. China Internet Network Information Center, 2012.
[2]	张鹏 . Arbor Pravail APS：专注抵御应用层DDoS攻击[J]. 通信世界， 2011:41. ZHANG P . Arbor Pravail APS: focus on the application layer DDoS attack[J]. Communications World Weekly, 2011:41.
[3]	2011年中国互联网网络安全态势综述[R]．国家计算机网络应用技术处理协调中心， 2012.In 2011 China's Internet Network Security Situation Were Re-viewed[R]. National Computer Network Application Technology Proc-essing Coordination Center, 2012.
[4]	龙士工，赵梦龙 . 基于可信度的App-DDoS攻击的分布式流量控制模型[J]. 信息安全， 2009,25(3-3): 75-76,302. LONG S G , ZHAO M L . Distributed flow control model of the App -DDoS attacks based on the credibility[J]. Information Security, 2009,25(3-3): 75-76,302.
[5]	魏兵，徐震 . 基于验证机制的应用层DDoS攻击防御方法[J]. 计算机工程与设计， 2010,(31)2: 231-234. WEI B , XU Z . Defense approach against application level DDoS at-tacks based on authentication mechanism[J]. Computer Engineering and Design, 2010,(31)2: 231-234.
[6]	张苒 . 基于权重队列的HTTP DDoS防范技术研究[J]. 辽宁师专学报， 2007,9(4): 40-42. ZHANG R . Based on the weight of queue HTTP DDoS prevention technology research[J]. Journal of Liaoning Teachers College, 2007,9(4): 40-42.
[7]	赵国锋，喻守成，文晟 . 基于用户行为分析的应用层 DDoS 攻击检测方法[J]. 计算机应用研究， 2011,28(2): 717-719. ZHAO G F , YU S C , WEN C . Detecting application-layer DDoS at-tack based on analysis of users'behaviors[J]. Application Research of Computers, 2011,28(2): 717-719.
[8]	郁继锋 . 基于数据挖掘的Web应用入侵异常检测研究[D]. 武汉：华中科技大学, 2011. YU J F . Research on Anomaly Intrusion Detection of Web Application Based on Data Mining[D]. Wuhan： Huazhong University of Science and Technology, 2011.
[9]	张烜 . 基于应用层的DDoS 攻击检测防御技术研究[D]. 北京：北京邮电大学, 2009. ZHANG H . Based on Application Layer DDoS Attack Detection De-Fense Technology Research[D]. Beijing： Beijing University of Posts and Telecommunications, 2009.
[10]	毛丽玮 . 基于BP神经网络的产能建设单井效益评价研究[D]. 青岛：中国石油大学(华东), 2012. MAO L W . Research into the Evaluation of Oil Well Performance in Productivity Construction Based on the BP Neural Network[D]. Qingdao： China university of Petroleum(East China), 2012.
[11]	王秀芳，王岩 . 优化K均值随机初始中点的改进算法[J]. 化工自动化及仪表， 2012,39(10): 1302-1304. WANG X F , WANG Y . Optimize K-means random initial midpoint algorithm[J]. Chemical industry automation and instrumentation, 2012,39(10): 1302-1304.
[12]	谢逸，余顺争 . 基于Web用户浏览行为的统计异常检测[J]. 软件学报， 2007,18(4): 967-977. XIE Y , YU S Z . A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors[J]. IEEE/ACM Trans Netw, 2009,17(1): 54-65.
[13]	KHATTAB S , GOBRIEL S , MELHEM R , et al. Live baiting for ser-vice-level DoS attackers[A]. Proc of the Infocom[C]. 2008. 682-690.
[14]	徐鹏 . 通用应用层 DDoS 检测防护模型的研究[D]. 南京：南京理工大学, 2008. XV P . General Protective Model of Application Layer DDoS Detec-tion[D]. Nanjing： Nanjing University of Science and Technology, 2008.
[15]	谢亚 . 基于模糊综合评判的应用层 DDOS 攻击检测方法研究[D]. 成都：西南交通大学, 2012. XIE Y . Research on Anomaly Intrusion Detection of Web Application Based on Data Mining[D]. Chengdu： Southwest Jiaotong University, 2009.
[16]	张伟，范宽，张梦媛 . 基于D-S证据理论应用层DDOS攻击检测[J]. 江苏科技大学学报(自然科学版), 2012,26(3): 295-299. ZHANG W , FAN K , ZHANG M Y An application layer DDoS attack detection method based on D-S evidence theory[J]. Journal of Jiangsu University of Science and Technology(Natural Science Edition), 2012,26(3): 295-299.
[17]	LEE S , SUNG J , KIM D . Incremental update of linear appearance models and its application to AAM: incremental AAM[A]. Lecture Notes Computer Science[C]. Victoria B C, Canada, 2007. 538-547.
[18]	YATAGAI T , ISOHARA T , SASASE I . Detection of HTTP-GET flood attack based on analysis of page access behavior[A]. Proceedings IEEE Pacific RIM Conference on Communications. Computers and Signal Processing[C]. Victoria B C, Canada, 2007. 232-235.
[19]	XUAN Y , SHIN I , THAIMT E T A L . Detecting application de-nial-of-service attacks: a group-testing-based approach[J]. IEEE Trans on Parallel and Distributed Systems, 2010,21(8): 1203-1216.

文件名称	内容
cti_cod.txt	所有Web页面
cti_nav.txt	会话预处理信息
cti_std.txt	会话—页面时长矩阵
cti_tra.txt	会话访问无重复序列
cti_stats.txt	原始数据记录的统计信息

数据集名称	请求数目	会话数	页面数
dataSet_train	58361	9674	411
dataSet_normal_test	20146	4071	233

数据集名称	请求数目	会话数	页面数
dataSet_attack_test	29418	5000	53

重要参数	设定值
隶属度函数边界值[a,c]	0～7
权重矩阵一致性指标CR	0.1
权重矩阵元素标度范围	1～9

重要参数	设定值
序列长度阈值T0	50
正常度范围	-3～-7
阈值判断的左右阈值	-12.3～-2.2