DDoS攻击恶意行为知识库构建

doi:10.11959/j.issn.1000-0801.2021257

摘要/Abstract

摘要：

针对分布式拒绝服务（distributed denial of service，DDoS）网络攻击知识库研究不足的问题，提出了DDoS攻击恶意行为知识库的构建方法。该知识库基于知识图谱构建，包含恶意流量检测库和网络安全知识库两部分：恶意流量检测库对 DDoS 攻击引发的恶意流量进行检测并分类；网络安全知识库从流量特征和攻击框架对DDoS 攻击恶意行为建模，并对恶意行为进行推理、溯源和反馈。在此基础上基于DDoS 开放威胁信号（DDoS open threat signaling，DOTS）协议搭建分布式知识库，实现分布式节点间的数据传输、DDoS攻击防御与恶意流量缓解功能。实验结果表明，DDoS攻击恶意行为知识库能在多个网关处有效检测和缓解DDoS攻击引发的恶意流量，并具备分布式知识库间的知识更新和推理功能，表现出良好的可扩展性。

关键词: DDoS, 分布式, 知识图谱, 恶意行为知识库

Abstract:

Aiming at the problem of insufficient research on the knowledge base of distributed denial of service (DDoS) network attacks, a method for constructing a knowledge base of DDoS attacks malicious behavior was proposed.The knowledge base was constructed based on the knowledge graph, and contains two parts: a malicious traffic detection database and a network security knowledge base.The malicious traffic detection database detects and classifies malicious traffic caused by DDoS attacks, the network security knowledge base detects DDoS attacks from traffic characteristics and attack frameworks model malicious behaviors, and perform inference, tracing and feedback on malicious behaviors.On this basis, a distributed knowledge base was built based on the DDoS open threat signaling (DOTS) protocol to realize the functions of data transmission between distributed nodes, DDoS attack defense, and malicious traffic mitigation.The experimental results show that the DDoS attack malicious behavior knowledge base can effectively detect and mitigate the malicious traffic caused by DDoS attacks at multiple gateways, and has the knowledge update and reasoning function between the distributed knowledge bases, showing good scalability.

Key words: DDoS, distributed, knowledge graph, malicious behavior knowledge base

中图分类号:

TP393

刘飞扬, 李坤, 宋飞, 周华春. DDoS攻击恶意行为知识库构建[J]. 电信科学, 2021, 37(11): 17-32.

Feiyang LIU, Kun LI, Fei SONG, Huachun ZHOU. Construction of DDoS attacks malicious behavior knowledge base construction[J]. Telecommunications Science, 2021, 37(11): 17-32.

图/表 20

图1

图2

表1

图3

表2

表3

表4

表5

图4

图5

图6

图7

图8

表6

表7

图9

表8

图10

图11

表9

参考文献 14

[1]	BONGUET A , BELLAICHE M . A survey of denial-of-service and distributed denial of service attacks and defenses in cloud computing[J]. Future Internet, 2017,9(3): 43.
[2]	ARSHI M , NASREEN M D , MADHAVI K . A survey of DDOS attacks using machine learning techniques[J]. E3S Web of Conferences, 2020(184): 01052.
[3]	XIE X , LI J P , HU X Y ,et al. High performance DDoS attack detection system based on distribution statistics[M]// Lecture Notes in Computer Science. Cham: Springer International Publishing, 2019: 132-142.
[4]	董聪, 姜波, 卢志刚 ,等. 面向网络空间安全情报的知识图谱综述[J]. 信息安全学报, 2020(5): 56-76.
	DONG C , JIANG B , LU Z G ,et al. Knowledge graph for cyberspace security intelligence:a survey[J]. Journal of Cyber Security, 2020(5): 56-76.
[5]	MITRE. Common attack pattern enumeration and classification[EB]. 2009.
[6]	BERMAN D , BUCZAK A , CHAVIS J ,et al. A survey of deep learning methods for cyber security[J]. Information, 2019,10(4): 122.
[7]	OBRST L , CHASE P , MARKELOFF R . Developing an ontology of the cyber security domain[C]// STIDS.[S.l.:s.n.], 2012: 49-56.
[8]	CHEN X J , JIA S B , XIANG Y . A review:knowledge reasoning over knowledge graph[J]. Expert Systems With Applications, 2020(141): 112948.
[9]	王勇超, 罗胜文, 杨英宝 ,等. 知识图谱可视化综述[J]. 计算机辅助设计与图形学学报, 2019,31(10): 1666-1676.
	WANG Y C , LUO S W , YANG Y B ,et al. A survey on knowledge graph visualization[J]. Journal of Computer-Aided Design＆ Computer Graphics, 2019,31(10): 1666-1676.
[10]	陈佳 . 基于知识图谱的 DDoS 攻击源检测研究[J]. 信息安全研究, 2020,6(1): 91-96.
	CHEN J . DDoS attack detection based on knowledge graph[J]. Journal of Information Security Research, 2020,6(1): 91-96.
[11]	ZHANG Z J . Graph databases for knowledge management[J]. IT Professional, 2017,19(6): 26-32.
[12]	MISAKI M , TSUDA T , INOUE S ,et al. Distributed database and application architecture for big data solutions[C]// Proceedings of IEEE Transactions on Semiconductor Manufacturing. Piscataway:IEEE Press, 2016: 328-332.
[13]	SHEN G W , WANG W L , MU Q L ,et al. Data-driven cybersecurity knowledge graph construction for industrial control system security[J]. Wireless Communications and Mobile Computing, 2020,2020: 1-13.
[14]	王子恒 . 基于区块链的海量连接管理架构设计与实现[D]. 北京:北京交通大学, 2021.
	WANG Z H . Design and implementation of mass connection management architecture based on blockchain[D]. Beijing:Beijing Jiaotong University, 2021.

实体	属性	关系
DDoS攻击流节点	流量特征名称、特征值	真实标签
		预测标签
攻击类型节点	攻击类型名称	真实标签
		预测标签

实体	属性	关系
CAPEC节点	攻击名称、攻击 ID、攻击危害、攻击后果、缓解措施、严重程度	攻击间级别弱点利用
CWE节点	弱点名称、弱点描述、弱点危害、缓解措施	弱点间级别攻击关联
CNNVD节点	漏洞名称、漏洞描述、漏洞危害、缓解措施	漏洞间级别

实体	属性	关系
DDoS攻击	DDoS攻击描述	关联攻击方式
攻击方式	5类攻击方式描述	关联攻击类型
攻击类型	21种攻击类型描述	关联流量特征
流量特征	69种流量特征描述	对应攻击类型

实体	属性	关系
攻击时间点	开始时间、结束时间	指向攻击主机
攻击类型	攻击类型描述	指向攻击主机
攻击主机	IP地址、端口号、协议	指向被攻击主机
被攻击主机	IP地址、端口号、协议	连接攻击时间

实体	属性	关系
用户	用户名、群组、角色，权限	拥有设备
设备	设备名、IP地址、端口号	属于用户、利用资源、访问结果
资源	资源名、IP地址、端口号	使用协议