基于流量特征重构与映射的物联网DDoS攻击单流检测方法

doi:10.11959/j.issn.1000-0801.2024012

电信科学 ›› 2024, Vol. 40 ›› Issue (1): 92-105.doi: 10.11959/j.issn.1000-0801.2024012

• 研究与开发 • 上一篇

基于流量特征重构与映射的物联网DDoS攻击单流检测方法

谢丽霞¹, 袁冰迪¹, 杨宏宇¹^,², 胡泽², 成翔³, 张良⁴

¹ 中国民航大学计算机科学与技术学院，天津 300300
² 中国民航大学安全科学与工程学院，天津 300300
³ 扬州大学信息工程学院，江苏扬州 225127
⁴ 亚利桑那大学信息学院，美国亚利桑那图森 AZ 85721

修回日期:2024-01-11 出版日期:2024-01-01 发布日期:2024-01-01
作者简介:谢丽霞（1974- ）,女，中国民航大学教授、硕士生导师，主要研究方向为网络与系统安全、网络安全态势感知
袁冰迪（2000－），女，中国民航大学硕士生，主要研究方向为网络信息安全和DDoS攻击检测
杨宏宇（1969- ），男，博士，中国民航大学教授、博士生导师，CCF专业会员，主要研究方向为网络与系统安全、软件安全检测和网络安全态势感知
胡泽（1989- ），男，博士，中国民航大学讲师、硕士生导师，主要研究方向为人工智能、自然语言处理和网络信息安全
成翔（1988- ），男，博士，扬州大学实验师、硕士生导师，主要研究方向为网络与系统安全、网络安全态势感知和APT攻击检测
张良（1987-），男，博士，亚利桑那大学博士后研究员，主要研究方向为强化学习、基于深度学习的信号处理和网络与系统安全
基金资助:
国家自然科学基金资助项目(62201576);国家自然科学基金资助项目(U1833107);中央高校基本科研业务费项目(3122022050);江苏省基础研究计划自然科学基金青年基金项目(BK20230558)

A single flow detection enabled method for DDoS attacks in IoT based on traffic feature reconstruction and mapping

Lixia XIE¹, Bingdi YUAN¹, Hongyu YANG¹^,², Ze HU², Xiang CHENG³, Liang ZHANG⁴

¹ School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
² School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
³ School of Information Engineering, Yangzhou University, Yangzhou 225127, China
⁴ School of Information, The University of Arizona, Tucson AZ 85721, USA

Revised:2024-01-11 Online:2024-01-01 Published:2024-01-01
Supported by:
The National Natural Science Foundation of China(62201576);The National Natural Science Foundation of China(U1833107);Fundamental Research Funds for the Central Universities(3122022050);Jiangsu Provincial Basic Research Program Natural Science Foundation-Youth Fund Project(BK20230558)

摘要/Abstract

摘要：

针对现有检测方法对物联网（IoT）分布式拒绝服务（DDoS）攻击响应速度慢、特征差异性低、检测性能差等不足，提出了一种基于流量特征重构与映射的单流检测方法（SFDTFRM）。首先，为扩充特征，使用队列按照先入先出存储定长时间跨度内接收的流量，得到队列特征矩阵。其次，针对物联网设备正常通信流量与 DDoS 攻击流量存在相似性的问题，提出一种与基线模型相比更加轻量化的多维重构神经网络模型与一种函数映射方法，改进模型损失函数按照相应索引重构队列定量特征矩阵，并通过函数映射方法转化为映射特征矩阵，增强包括物联网设备正常通信流量与 DDoS 攻击流量在内的不同类型流量之间的差异和同类型流量的相似性。最后，使用文本卷积网络、信息熵计算分别提取映射特征矩阵和队列定性特征矩阵的频率信息，得到拼接向量，丰富单条流量的特征信息并使用机器学习分类器进行 DDoS 攻击流量检测。在两个基准数据集上的实验结果表明，SFDTFRM 能够有效检测不同类型的 DDoS 攻击，检测性能指标平均值与现有方法相比最多提升12.01%。

关键词: DDoS攻击检测, 多维重构, 函数映射, 机器学习

Abstract:

To address the slow response time of existing detection modules to Internet of things (IoT) distributed denial of service (DDoS) attacks, their low feature differentiation, and poor detection performance, a single flow detection enabled method based on traffic feature reconstruction and mapping (SFDTFRM) was proposed.Firstly, SFDTFRM employed a queue to store previously arrived flow based on the first in, first out rule.Secondly, to address the issue of similarity between normal communication traffic of IoT devices and DDoS attack traffic, a multidimensional reconstruction neural network model more lightweight compared to the baseline model and a function mapping method were proposed.The modified model loss function was utilized to reconstruct the quantitative feature matrix of the queue according to the corresponding index, and transformed into a mapping feature matrix through the function mapping method, enhancing the differences between different types of traffic, including normal communication traffic of IoT devices and DDoS attack traffic.Finally, the frequency information was extracted using a text convolutional network and information entropy calculation and the machine learning classifier was employed for DDoS attack traffic detection.The experimental results on two benchmark datasets show that SFDTFRM can effectively detect different DDoS attacks, and the average metrics value of SFDTFRM is a maximum of 12.01% higher than other existing methods.

Key words: DDoS attacks detection, multidimensional reconstruction, function mapping, machine learning

中图分类号:

TP393

谢丽霞, 袁冰迪, 杨宏宇, 胡泽, 成翔, 张良. 基于流量特征重构与映射的物联网DDoS攻击单流检测方法[J]. 电信科学, 2024, 40(1): 92-105.

Lixia XIE, Bingdi YUAN, Hongyu YANG, Ze HU, Xiang CHENG, Liang ZHANG. A single flow detection enabled method for DDoS attacks in IoT based on traffic feature reconstruction and mapping[J]. Telecommunications Science, 2024, 40(1): 92-105.

图/表 11

图1

表1

图2

图3

图4

图5

图6

图7

图8

图9

表2

参考文献 28

[1]	YANG H Y , ZHANG L , ZHANG X G ,et al. An adaptive IoT network security situation prediction model[J]. Mobile Networks and Applications, 2022,27(1): 371-381.
[2]	YANG H Y , YUAN H H , ZHANG L . Risk assessment method of IoT host based on attack graph[J]. Mobile Networks and Applications, 2023: 1-10.
[3]	一个藏在我们身边的巨型僵尸网络：Pink[EB]. 2023.
	A giant zombie network hidden around us:Pink[EB]. 2023.
[4]	YANG H Y , ZHANG Z X , XIE L X ,et al. Network security situation assessment with network attack behavior classification[J]. International Journal of Intelligent Systems, 2022,37(10): 6909-6927.
[5]	DDoS attack report for Q3 2022[EB]. 2023.
[6]	DOSHI R , APTHORPE N , FEAMSTER N . Machine learning DDoS detection for consumer Internet of things devices[C]// Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW). Piscataway:IEEE Press, 2018: 29-35.
[7]	LIU Z , HU C Z , SHAN C . Riemannian manifold on stream data:Fourier transform and entropy-based DDoS attacks detection method[J]. Computers ＆ Security, 2021(109): 102392.
[8]	AHMED M E , ULLAH S , KIM H . Statistical application fingerprinting for DDoS attack mitigation[J]. IEEE Transactions on Information Forensics and Security, 2019,14(6): 1471-1484.
[9]	DAS S , VENUGOPAL D , SHIVA S ,et al. Empirical evaluation of the ensemble framework for feature selection in DDoS attack[C]// Proceedings of the 2020 7th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2020 6th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). Piscataway:IEEE Press, 2020: 56-61.
[10]	DOSHI K , YILMAZ Y , ULUDAG S . Timely detection and mitigation of stealthy DDoS attacks via IoT networks[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(5): 2164-2176.
[11]	ZHU T , QIU X K , RAO Y ,et al. HiAtGang:how to mine the gangs hidden behind DDoS attacks[J]. Chinese Journal of Electronics, 2022,31(2): 293-303.
[12]	SALAHUDDIN M A , POURAHMADI V , ALAMEDDINE H A ,et al. Chronos:DDoS attack detection using time-based autoencoder[J]. IEEE Transactions on Network and Service Management, 2022,19(1): 627-641.
[13]	LIU X Q , REN J D , HE H T ,et al. Low-rate DDoS attacks detection method using data compression and behavior divergence measurement[J]. Computers ＆ Security, 2021(100): 102107.
[14]	JIA Y Z , ZHONG F T , ALRAWAIS A ,et al. FlowGuard:an intelligent edge defense mechanism against IoT DDoS attacks[J]. IEEE Internet of Things Journal, 2020,7(10): 9552-9562.
[15]	BHAYO J , JAFAQ R , AHMED A ,et al. A time-efficient approach toward DDoS attack detection in IoT network using SDN[J]. IEEE Internet of Things Journal, 2022,9(5): 3612-3630.
[16]	DING D M , SAVI M , SIRACUSA D . Tracking normalized network traffic entropy to detect DDoS attacks in P4[J]. IEEE Transactions on Dependable and Secure Computing, 2022,19(6): 4019-4031.
[17]	RAVI N , SHALINIE S M . Learning-driven detection and mitigation of DDoS attack in IoT via SDN-cloud architecture[J]. IEEE Internet of Things Journal, 2020,7(4): 3559-3570.
[18]	KUSHWAH G S , RANGA V . Optimized extreme learning machine for detecting DDoS attacks in cloud computing[J]. Computers ＆ Security, 2021(105): 102260.
[19]	DORIGUZZI-CORIN R , MILLAR S , SCOTT-HAYWARD S , ,et al. Lucid:a practical,lightweight deep learning solution for DDoS attack detection[J]. IEEE Transactions on Network and Service Management, 2020,17(2): 876-889.
[20]	CVITI? I , PERAKOVIC D , GUPTA B B ,et al. Boosting-based DDoS detection in Internet of things systems[J]. IEEE Internet of Things Journal, 2022,9(3): 2109-2123.
[21]	张龙, 王劲松 . SDN中基于信息熵与DNN的DDoS攻击检测模型[J]. 计算机研究与发展, 2019,56(5): 909-918.
	ZHANG L , WANG J S . DDoS attack detection model based on information entropy and DNN in SDN[J]. Journal of Computer Research and Development, 2019,56(5): 909-918.
[22]	ZHOU L , ZHU Y , ZONG T R ,et al. A feature selection-based method for DDoS attack flow classification[J]. Future Generation Computer Systems, 2022,132: 67-79.
[23]	TORABI H , MIRTAHERI S L , GRECO S . Practical autoencoder based anomaly detection by using vector reconstruction error[J]. Cybersecurity, 2023,6(1): 1-13.
[24]	AYDIN H , ORMAN Z , ALI AYDIN M . A long short-term memory (LSTM)-based distributed denial of service (DDoS) detection and defense system design in public cloud network environment[J]. Computers ＆ Security, 2022(118): 102725.
[25]	AKGUN D , HIZAL S , CAVUSOGLU U . A new DDoS attacks intrusion detection model based on deep learning for cybersecurity[J]. Computers ＆ Security, 2022(118): 102748.
[26]	HAJIMAGHSOODI M , JALILI R . RAD:a statistical mechanism based on behavioral analysis for DDoS attack countermeasure[J]. IEEE Transactions on Information Forensics and Security, 2022(17): 2732-2745.
[27]	The Bot-IoT dataset[EB]. 2023.
[28]	SHARAFALDIN I , LASHKARI A H , HAKAK S ,et al. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy[C]// Proceedings of the 2019 International Carnahan Conference on Security Technology (ICCST). Piscataway:IEEE Press, 2019: 1-8.

方法框架	定性特征	定量特征	特征衍生	单流检测	轻量化
SAF^[8]	×	√	√	×	√
CIOT^[6]	√	√	×	√	×
TETFS^[9]	×	√	×	√	×
UVRE^[23]	×	√	√	√	×
LSTM^[24]	×	√	×	√	×
NDL^[25]	×	√	×	√	×
RAD^[26]	√	√	√	×	×
SFDTFRM	√	√	√	√	√

方法	CICDDoS2019数据集				Bot-IoT数据集
方法	准确率	精确率	召回率	F1分数	准确率	精确率	召回率	F1分数
CIOT^[6]	0.919 5	0.920 5	0.920 6	0.920 4	0.966 3	0.966 9	0.966 6	0.966 3
RMSD^[7]	0.897 0	0.866 2	0.897 2	0.879 4	0.970 9	0.927 9	0.952 7	0.940 3
LSTM^[24]	0.934 7	0.918 4	0.934 6	0.926 5	0.948 0	0.926 5	0.947 9	0.937 2
NDL^[25]	0.983 4	0.943 4	0.970 2	0.956 8	0.983 7	0.983 8	0.983 6	0.983 7
SDELM^[17]	0.949 0	0.953 1	0.948 9	0.951 0	0.959 8	0.963 0	0.959 0	0.961 0
ODIT^[10]	0.973 9	0.973 9	0.973 7	0.973 7	0.961 5	0.962 7	0.961 4	0.961 7
RAD^[26]	0.999 9	0.801 0	0.999 9	0.889 5	0.999 9	0.810 9	0.999 9	0.895 5
SFDTFRM	0.991 2	0.991 2	0.991 3	0.991 2	0.998 3	0.998 3	0.998 4	0.998 4

基于流量特征重构与映射的物联网DDoS攻击单流检测方法

A single flow detection enabled method for DDoS attacks in IoT based on traffic feature reconstruction and mapping

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 28

相关文章 15

Metrics

推荐阅读 0

[1]	吴如成, 丁文伯, 徐晓敏, 宋林琦, 徐伟涛. 基于柔性太阳能电池和超薄水凝胶薄膜的手势识别[J]. 电信科学, 2023, 39(7): 109-115.
[2]	郭泽华, 朱昊文, 徐同文. 面向分布式机器学习的网络模态创新[J]. 电信科学, 2023, 39(6): 44-51.
[3]	刘雅琼, 吕哲, 赵亚飞, 寿国础. AI技术在卫星通信/互联网领域的应用综述[J]. 电信科学, 2023, 39(2): 10-24.
[4]	赵宇翔, 纪雅欣, 余立, 周天一, 周航. 基于5G语音质差自适应算法研究及应用[J]. 电信科学, 2023, 39(11): 153-163.
[5]	肖仲杉, 王春琦, 冯大权. 基于区块链与深度学习的空间分集协作频谱感知系统[J]. 电信科学, 2023, 39(10): 49-63.
[6]	章坚武, 安彦军, 邓黄燕. DNS攻击检测与安全防护研究综述[J]. 电信科学, 2022, 38(9): 1-17.
[7]	周志超, 冯毅, 夏小涵, 冯瑜瑶, 蔡超, 邱佳慧, 杨立辉, 乌云霄. 基于移动蜂窝网的机器学习室外指纹定位方案[J]. 电信科学, 2021, 37(8): 85-95.
[8]	肖子玉. 面向2030的未来网络关键技术综述——Beyond 5G[J]. 电信科学, 2020, 36(9): 114-121.
[9]	李想,李原,张子飞,杨哲. 基于密度聚类的网络性能故障大数据分析方法[J]. 电信科学, 2020, 36(9): 51-58.
[10]	邱亚星,王希栋,边森,岳磊. 基于聚类分析和深度学习的多频多模网络负载均衡优化[J]. 电信科学, 2020, 36(7): 156-162.
[11]	林锋,徐柳婧,陈晓华,戚伟强,陈可,朱添田. 一种基于多视角特征融合的Webshell检测方法[J]. 电信科学, 2020, 36(6): 125-132.
[12]	欧阳晔,杨爱东,孟凡语. 一种博弈论辅助的机器学习算法检测用户流失行为[J]. 电信科学, 2020, 36(6): 79-89.
[13]	庞涛,丘海华,潘碧莹. 手机终端人工智能关键技术研究[J]. 电信科学, 2020, 36(5): 145-151.
[14]	盛剑涛,陈茂飞,刘东鑫,汪来富,史国水,金华敏. 基于组合分类器的恶意域名检测技术[J]. 电信科学, 2020, 36(5): 47-55.
[15]	钟其柱. 基于机器学习分析VoLTE视频通话质量的研究及应用[J]. 电信科学, 2020, 36(3): 156-165.