基于ANN与KPCA的LDoS攻击检测方法

doi:10.11959/j.issn.1000-436x.2018073

摘要/Abstract

摘要：

低速率拒绝服务（LDoS,low-rate denial of service）攻击是一种新的面向TCP协议的攻击方式，它具有攻击速率低、隐蔽性强的特点，很难被传统DoS攻击检测措施发现。针对其特点，采用网络大数据分析技术，从路由器队列中挖掘一种LDoS攻击特征，将核主成分分析（KPCA,kernel principal component analysis）方法与神经网络结合，提出一种新的检测LDoS攻击的方法。该方法将路由器队列特征采用KPCA降维，作为神经网络输入，再利用BP神经网络自学习能力生成LDoS分类器，达到检测LDoS攻击的目的。实验结果表明该方法有较好的检测有效性和较低的计算复杂度，对设计防御LDoS攻击的路由器有一些借鉴意义。

关键词: 低速率拒绝服务攻击, 队列特征, 核的主成分分析, 神经网络

Abstract:

Low-rate denial-of-service (LDoS) attack is a new type of attack mode for TCP protocol.Characteristics of low average rate and strong concealment make it difficult for detection by traditional DoS detecting methods.According to characteristics of LDoS attacks,a new LDoS queue future was proposed from the router queue,the kernel principal component analysis (KPCA) method was combined with neural network,and a new method was present to detect LDoS attacks.The method reduced the dimensionality of queue feature via KPCA algorithm and made the reduced dimension data as the inputs of neural network.For the good sell-learning ability,BP neural network could generate a great LDoS attack classifier and this classifier was used to detect the attack.Experiment results show that the proposed approach has the characteristics of effectiveness and low algorithm complexity,which helps the design of high performance router.

Key words: low-rate denial of service, queue feature, kernel principal component analysis, neural network

中图分类号:

TP302

吴志军,刘亮,岳猛. 基于ANN与KPCA的LDoS攻击检测方法[J]. 通信学报, 2018, 39(5): 11-22.

Zhijun WU,Liang LIU,Meng YUE. Detection method of LDoS attacks based on combination of ANN ＆ KPCA[J]. Journal on Communications, 2018, 39(5): 11-22.

图/表 15

图2

图1

图3

图4

图5

图6

图7

图8

图9

图10

表1

图11

表2

表3

表4

参考文献 13

[13]	ZHANG C W , YIN J P , CAI Z P ,et al. Active queue management algorithm to counter DDoS attacks[J]. Journal of Software, 2011,22(9): 2182-2192.
[14]	HAMLET M R , MICHEL K , BéATRICE P P . TCP and network coding:equilibrium and dynamic properties[J]. IEEE/ACM Transactions on Networking, 2016,24(4): 1935-1947.
[15]	ZHAO Y , MA Z G , ZHENG X F ,et al. An improved algorithm of nonlinear RED based on membership cloud theory[J]. Chinese Journal of Electronics, 2017,26(3): 537-543.
[16]	GUIRGUIS M. , BESTAVROS A , MATTA I . Exploiting the transients of adaptation for RoQ attacks on Internet re-sources[C]// IEEE ICNP. 2004: 184-195.
[17]	高海华, 杨辉华, 王行愚 ,等. 基于PCA和KPCA特征抽取的SVM网络入侵检测方法[J]. 华东理工大学学报（自然科学版）, 2006,32(3): 321-326.
	GAO H H , YANG H H , WANG X Y ,et al. PCA/KPCA feature extraction approach to SVM for anomaly detection[J]. Journal of East China University of Science and Technology, 2006,32(3): 321-326.
[18]	ZHANG X Y , WU Z J , CHEN J S ,et al. An adaptive KPCA approach for detecting LDoS attack[J]. International Journal of Communication Systems, 2017,30(4): 1-8.
[19]	ZHANG C W , CAI Z , CHEN W ,et al. Flow level detection and filtering of low-rate DDoS[J]. Computer Networks the International Journal of Computer ＆ Telecommunications Networking, 2012,56(15): 3417-3431.
[20]	FENG W C , KANDLUR D D , SAHA D ,et al. Stochastic fair blue:a queue management algorithm for enforcing fairness[C]// The 20th Joint Conference of the IEEE Computer ＆ Communications Societies. 2001: 1520-1529.
[21]	MOHAN L , BIJESH M G , JOHN J K . Survey of low rate denial of service (LDoS) attack on RED and its counter strategies[C]// IEEE International Conference on Computational Intelligence ＆ Computing Research. 2012: 1-7.
[22]	苏治, 傅晓媛 . 核主成分遗传算法与 SVR 选股模型改进[J]. 统计研究, 2013,30(5): 54-62.
	SU Z , FU X Y . Kernel principal component genetic algorithm and improved SVR stock selection model[J]. Statistical Research, 2013,30(5): 54-62.
[23]	LI J , YU L . Using BP neural networks for the simulation of energy consumption[C]// IEEE International Conference on Systems,Man and Cybernetics. 2014: 3542-3547.
[24]	刘陶, 何炎祥, 熊琦 . 一种基于Q学习的LDoS攻击实时防御机制及其CPN实现[J]. 计算机研究与发展, 2011,48(3): 432-439.
[1]	KUZMANOVIC A , KNIGHTLY E W . Low-rate TCP-targeted denial of service attacks -the shrew vsthe mice and elephants[C]// ACM SIGCOMM. 2003: 25-29.
[2]	KUZMANOVIC A , KNIGHTLY E W . Low-rate TCP-targeted denial of service attacks and counter strategies[J]. IEEE/ACM Transactions on Networking, 2006,14(4): 683-696.
[3]	何炎祥, 刘陶, 曹强 ,等. 低速率拒绝服务攻击研究综述[J]. 计算机科学与探索, 2008,2(1): 1-19.
	HE Y X , LIU T , CAO Q ,et al. A survey of low-rate denial-of-service attacks[J]. Journal of Frontiers of Computer Science and Technology, 2008,2(1): 1-19.
[24]	LIU T , HE Y X , XIONG Q . A Q-learning based real-time mitigating mechanism against LDoS attack and its modeling and simulation with CPN[J]. Journal of Computer Research and Development, 2011,48(3): 432-439.
[25]	WU Z J , ZHANG L Y , YUE M . Low-rate DoS attacks detection based on network multifractal[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2016,13(5): 559-567.
[4]	岳猛, 张才峰, 吴志军 . 隐马尔科夫模型检测 LDoS 攻击方法的研究[J]. 信号处理, 2015,31(11): 1454-1460.
	YUE M , ZHANG C F , WU Z J . The research of detecting LDoS attacks based on hidden Markov model[J]. Journal of Signal Processing, 2015,31(11): 1454-1460.
[26]	赵峰, 张军英 . 一种 KPCA 的快速算法[J]. 控制与决策, 2007,22(9): 1044-1048.
	ZHAO F , ZHANG J Y . Fast algorithm about KPCA[J]. Control and Decision, 2007,22(9): 1044-1048.
[5]	YU C , KAI H , KWOK Y K . Collaborative defense against periodic shrew DDoS attacks in frequency domain[J]. ACM Transactions on Information and System Security, 2005: 2-27.
[6]	何炎祥, 曹强, 刘陶 ,等. 一种基于小波特征提取的低速率DoS检测方法[J]. 软件学报, 2009,20(4): 930-941.
	HE Y X , CAO Q , LIU T ,et al. A low-rate DoS detection method based on feature extraction using wavelet transform[J]. Journal of Software, 2009,20(4): 930-941.
[7]	LIU X , ZHANG M , XU G . Construction of distributed LDoS attack based on one-dimensional random walk algorithm[C]// International Conference on Cloud Computing and Intelligence Systems. 2012: 685-689.
[8]	张静, 胡华平, 刘波 ,等. 基于ASPQ的LDoS攻击检测方法[J]. 通信学报, 2012,33(5): 79-84.
	ZHANG J , HU H P , LIU B ,et al. Detecting LDoS attack based on ASPQ[J]. Journal on Communications, 2012,33(5): 79-84.
[9]	SUN J , ZUKERMAN M . An adaptive neuron AQM for a stable internet[M]// Ad Hoc and Sensor Networks,Wireless Networks,Next Generation Internet. Springer Berlin Heidelberg, 2007: 844-854.
[10]	KUZMANOVIC A . The power of explicit congestion notification[J]. ACM Sigcomm Computer Communication Review, 2005,35(4): 61-72.
[11]	SARAT S , TERZIS A . On the effect of router buffer sizes on low-rate denial of service attacks[C]// International Conference on Computer Communications and Networks. 2005: 281-286.
[12]	MOHAN L , JOHN J K , BIJESH M G . Shrew attack prevention in RED queue with partial flow analysis[J]. International Journal of Computer Applications, 2013,67(8): 9-15.
[13]	张长旺, 殷建平, 蔡志平 ,等. 抗 DDoS 攻击的主动队列管理算法[J]. 软件学报, 2011,22(9): 2182-2192.

阈值η	检测率	虚警概率
0.45	97.21%	8.22%
0.47	96.52%	7.36%
0.49	96.24%	5.71%
0.51	95.62%	3.70%
0.53	95.21%	1.33%
0.55	94.54%	1.15%
0.57	93.25%	1.13%
0.59	92.12%	1.10%
0.61	90.35%	0.91%
0.63	88.21%	0.87%
0.65	85.42%	0.82%

算法	时间复杂度	时间频度/s
NCPSD	O(n²)	24.1
HMM	O(n²)	20.6
Adaptive-KPCA	O(n³)	32.5
KPCA网络	Tn)₀(	5.1

算法	输入数据量	空间复杂度
NCPSD	n	O(n)
HMM	n	O(n)
Adaptive-KPCA	n	O(n)
KPCA网络	n6	O(n)

算法	检测率	漏警概率	虚警概率
NCPSD	88.0%	12.0%	16.7%
HMM	99.9%	0.04%	1.11%
Adaptive-KPCA	99.2%	0.8%	2.0%
KPCA网络（正常）	95.2%	4.8%	1.3%
KPCA网络（突发）	94.2%	5.8%	2.0%