基于混合深度学习的多类型低速率DDoS攻击检测方法

doi:10.11959/j.issn.2096-109x.2022001

摘要/Abstract

摘要：

低速率分布式拒绝服务攻击针对网络协议自适应机制中的漏洞实施攻击，对网络服务质量造成了巨大威胁，具有隐蔽性强、攻击速率低和周期性的特点。现有检测方法存在检测类型单一和识别精度低的问题，因此提出了一种基于混合深度学习的多类型低速率 DDoS 攻击检测方法。模拟不同类型的低速率DDoS 攻击和 5G 环境下不同场景的正常流量，在网络入口处收集流量并提取其流特征信息，得到多类型低速率DDoS攻击数据集；从统计阈值和特征工程的角度，分别分析了不同类型低速率DDoS攻击的特征，得到了40维的低速率DDoS攻击有效特征集；基于该有效特征集采用CNN-RF混合深度学习算法进行离线训练，并对比该算法与LSTM-LightGBM和LSTM-RF算法的性能；在网关处部署CNN-RF检测模型，实现了多类型低速率DDoS攻击的在线检测，并使用新定义的错误拦截率和恶意流量检测率指标进行了性能评估。结果显示，在120 s的时间窗口下，所提方法能够在线检测出4种类型的低速率DDoS攻击，包括Slow Headers攻击、Slow Body 攻击、Slow Read 攻击和 Shrew 攻击，错误拦截率达到 11.03%，恶意流量检测率达到 96.22%。结果表明，所提方法能够显著降低网络入口处的低速率DDoS攻击流量强度，并在实际环境中部署和应用。

关键词: 多类型, 低速率DDoS攻击, 混合深度学习, 特征分析, 攻击检测

Abstract:

Low-Rate distributed denial of service (DDoS) attack attacks the vulnerabilities in the adaptive mechanism of network protocols, posing a huge threat to the quality of network services.Low-Rate DDoS attack was characterized by high secrecy, low attack rate, and periodicity.Existing detection methods have the problems of single detection type and low identification accuracy.In order to solve them, a multi-type low-rate DDoS attack detection method based on hybrid deep learning was proposed.Different types of low-rate DDoS attacks and normal traffic in different scenarios under 5G environment were simulated.Traffic was collected at the network entrance and its traffic characteristic information was extracted to obtain multiple types of low-rate DDoS attack data sets.From the perspective of statistical threshold and feature engineering, the characteristics of different types of low-rate DDoS attacks were analyzed respectively, and the effective feature set of 40-dimension low-rate DDoS attacks was obtained.CNN-RF hybrid deep learning algorithm was used for offline training based on the effective feature set, and the performance of this algorithm was compared with LSTM-Light GBM and LSTM-RF algorithms.The CNN-RF detection model was deployed on the gateway to realize the online detection of multiple types of low-rate DDoS attacks, and the performance was evaluated by using the newly defined error interception rate and malicious traffic detection rate indexes.The results show that the proposed method can detect four types of low-rate DDoS attacks online, including Slow Headers attack, Slow Body attack, Slow Read attack and Shrew attack, and the error interception rate reaches 11.03% in 120 s time window.The detection rate of malicious traffic reaches 96.22%.It can be judged by the results that the proposed method can significantly reduce the intensity of low-rate DDoS attack traffic at the network entrance, and can be deployed and applied in the actual environment.

Key words: multi-type, low-rate DDoS attack, hybrid deep learning, feature analysis, attack detection

中图分类号:

TP393

李丽娟, 李曼, 毕红军, 周华春. 基于混合深度学习的多类型低速率DDoS攻击检测方法[J]. 网络与信息安全学报, 2022, 8(1): 73-85.

Lijuan LI, Man LI, Hongjun BI, Huachun ZHOU. Multi-type low-rate DDoS attack detection method based on hybrid deep learning[J]. Chinese Journal of Network and Information Security, 2022, 8(1): 73-85.

图/表 15

图1

表1

表2

图2

表3

图3

图4

图5

图6

表4

图7

图8

表5

表6

表7

参考文献 19

[1]	陈兴蜀, 滑强, 王毅桐 ,等. 云环境下SDN网络低速率DDoS攻击的研究[J]. 通信学报, 2019,40(6): 210-222.
	CHEN X S , HUA Q , WANG Y T ,et al. Research on low-rate DDoS attack of SDN network in cloud environment[J]. Journal on Communications, 2019,40(6): 210-222.
[2]	KUZMANOVIC A , KNIGHTLY E W . Low-rate TCP-targeted denial of service attacks and counter strategies[J]. IEEE/ACM Transactions on Networking, 2006,14(4): 683-696.
[3]	WU X , TANG D , TANG L ,et al. A low-rate DoS attack detection method based on Hilbert spectrum and correlation[C]// Proceedings of 2018 IEEE Smart-World,Ubiquitous Intelligence ＆ Computing,Advanced ＆ Trusted Computing,Scalable Computing ＆ Communications,Cloud ＆ Big Data Computing,Internet of People and Smart City Innovation. 2018: 1358-1363.
[4]	WU Z , PAN Q , YUE M ,et al. Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks[J]. Computer Networks, 2019,152: 64-77.
[5]	KAUR G , SAXENA V , GUPTA J P . Detection of TCP targeted high bandwidth attacks using self-similarity[J]. Journal of King Saud University:Computer and Information Sciences, 2020,32(1): 35-49.
[6]	ZHANG D , TANG D , TANG L ,et al. Pca-svm-based approach of detecting low-rate DoS attack[C]// Proceedings of 2019 IEEE 21st International Conference on High Performance Computing and Communications. 2019: 1163-1170.
[7]	LIU Z , YIN X , HU Y . CPSS LR-DDoS detection and defense in edge computing utilizing DCNN Q-Learning[J]. IEEE Access, 2020,8: 42120-42130.
[8]	WU Z J , XU Q , WANG J J ,et al. Low-rate DDoS attack detection based on factorization machine in software defined network[J]. IEEE Access, 2020,8: 17404-17418.
[9]	PéREZ-DíAZ J A , VALDOVINOS I A , CHOO K K R ,et al. A flexible SDN-based architecture for identifying and mitigating low-rate DDoS attacks using machine learning[J]. IEEE Access, 2020,8: 155859-155872.
[10]	MALIK J , AKHUNZADA A , BIBI I ,et al. Hybrid deep learning:an efficient reconnaissance and surveillance detection mechanism in SDN[J]. IEEE Access, 2020,8: 134695-134706.
[11]	GARG S , KAUR K , KUMAR N ,et al. Hybrid deep-learning-based anomaly detection scheme for suspicious flow detection in SDN:a social multimedia perspective[J]. IEEE Transactions on Multimedia, 2019,21(3): 566-578.
[12]	GUO Y K , LI Y Y , XU Y . Study on the application of LSTM-LightGBM model in stock rise and fall prediction[J]. MATEC Web of Conferences, 2021,336:05011.
[13]	HU W , SHI Y X . Prediction of online consumers’ buying behavior based on LSTM-RF model[C]// Proceedings of 2020 5th International Conference on Communication,Image and Signal Processing (CCISP). 2020: 224-228.
[14]	JAZI H H , GONZALEZ H , STAKHANOVA N ,et al. Detecting HTTP-based application layer DoS attacks on web servers in the presence of sampling[J]. Computer Networks, 2017,121: 25-36.
[15]	王子恒 . 基于区块链的海量连接管理架构设计与实现[D]. 北京:北京交通大学, 2021.
	WANG Z H . Design and implementation of mass connection management architecture based on blockchain[D]. Beijing:Beijing Jiaotong University, 2021.
[16]	ROSENBROCK K H , ANDERSEN N P S . The third generation partnership project (3GPP)[M]. GSM and UMTS. Chichester,UK:John Wiley ＆ Sons,Ltd,, 221-261.
[17]	PACKET S . Institute of electrical and electronics engineers[J]. IEEE Standard Computer Dictionary a Compilation of IEEE Standard Computer Glossaries, 2009,3(8): 128.
[18]	GUALBERTO E S , DE SOUSA R T , DE BRITO VIEIRA T P ,et al. The answer is in the text:multi-stage methods for phishing detection based on feature engineering[J]. IEEE Access, 2020,8: 223529-223547.
[19]	SUSILO B , SARI R F . Intrusion detection in IoT networks using deep learning algorithm[J]. Information, 2020,11(5): 279.

攻击时间	源IP	目的IP	流量类型
	23.1.0.2	23.1.1.2	Slow Headers
2021.5.23	23.1.0.10	23.1.1.2	Slow Body
15:35-16:15	23.1.0.11	23.1.1.2	Slow Read
	23.1.0.12	23.1.1.2	Shrew
	23.1.0.20~23.1.0.29	23.1.1.7	正常流量

流量类型	数据样本数	攻击流量占正常流量的比例
Slow Headers	100 793	1:4.5
Slow Body	110 044	1:4.2
Slow Read	68 074	1:6.7
Shrew	45 389	1:10
正常流量	460 619	—

特征数目	训练时间/s	测试时间/s	准确率
83	281.631 2	5.490 0	0.980 1
40	266.966 9	4.798 6	0.990 5

数据集类型	正常流量样本数	攻击流量样本数
训练集	288 544	267 900
测试集	129 632	108 843

模型类别	LSTM-LightGBM	LSTM-RF	CNN-RF
检测时间/s	259.894 7	308.493 2	268.235 4