Unsupervised detection method of RoQ covert attacks based on multilayer features
Journal on Communications, 2022, Vol. 43, Issue 9: 224-239. DOI: 10.11959/j.issn.1000-436x.2022166
Jing ZHAO1,2, Jun LI1,2, Chun LONG1,2, Wei WAN1,2, Jinxia WEI1,2, Kai CHEN1,2
Revised: 2022-08-12
Online: 2022-09-25
Published: 2022-09-01
About the first author: Jing ZHAO (1987- ), female, born in Wuwei, Gansu; Ph.D.; senior engineer at the Computer Network Information Center, Chinese Academy of Sciences; research interests include cyberspace security, information security and computer networks.
Abstract: RoQ (reduction of quality) attacks hide inside massive volumes of background traffic and are hard to identify, and the few available attack samples cannot supply large-scale training data. To address this, an unsupervised detection method for RoQ covert attacks based on multilayer features, which needs very little prior knowledge, was proposed. First, because most of the normal traffic would interfere with the later stages, a traffic filtering method based on semi-supervised spectral clustering over flow features was studied, so that the proportion of normal samples among the filtered-out traffic approaches 100%. Second, to expose the subtle differences between covert-attack traffic and normal traffic without depending on attack samples, an unsupervised detection model based on n-Shapelet subsequences was built on time-series packet features; highly discriminative local features are used to tell those subtle differences apart, and RoQ covert attacks are thereby detected. Experimental results show that, with only a small number of learning samples, the proposed method achieves higher precision and recall than existing methods and is robust to evasion attacks.
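The second stage of the method above rests on shapelet subsequences, and the page gives no code for it. The following Python block is an added illustration, not the paper's n-Shapelet model: it applies the unsupervised-shapelet idea of reference [24] to constructed per-flow packet-count series. Every subsequence of a fixed length is tried as a candidate shapelet, its minimum sliding Euclidean distance to every series is computed, and the candidate whose sorted distances show the largest gap between two groups is kept; that gap then splits the flows into two clusters with no labels at all. The six series (four steady flows and two periodically pulsed ones), the shapelet length of 4 and the use of raw rather than z-normalized Euclidean distance are assumptions of this example.

```python
"""Unsupervised shapelet split of packet-count time series.

Added example illustrating the u-Shapelet idea [24]; it is not the paper's
n-Shapelet model. Input series are constructed: packets per time slot for
six flows, four steady (normal) and two periodically pulsed (low-rate bursts
of the kind a RoQ attack produces).
"""
import math
from statistics import mean, pstdev

# Constructed data: 16 time slots per flow, value = packets seen in the slot.
NORMAL_FLOWS = [
    [3, 4, 3, 3, 4, 3, 4, 3, 3, 4, 3, 3, 4, 3, 4, 3],
    [4, 3, 4, 3, 3, 4, 3, 4, 3, 4, 3, 3, 4, 3, 4, 3],
    [3, 3, 3, 4, 3, 3, 3, 4, 3, 3, 3, 4, 3, 3, 3, 4],
    [4, 3, 3, 4, 3, 3, 4, 3, 3, 4, 3, 3, 4, 3, 3, 4],
]
PULSED_FLOWS = [
    [0, 0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0],
    [0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0, 0],
]
FLOWS = NORMAL_FLOWS + PULSED_FLOWS


def subsequence_distance(shapelet, series):
    """Minimum Euclidean distance between the shapelet and any window of the series."""
    length = len(shapelet)
    best = math.inf
    for start in range(len(series) - length + 1):
        window = series[start:start + length]
        best = min(best, math.sqrt(sum((s - x) ** 2 for s, x in zip(shapelet, window))))
    return best


def best_gap_split(distances):
    """Largest gap between two groups of sorted distances (u-Shapelet gap score).

    For every split A | B of the sorted distances the score is
    (mean(B) - std(B)) - (mean(A) + std(A)); returns (best score, threshold),
    where threshold is the midpoint of the best split.
    """
    order = sorted(distances)
    best_gap, best_threshold = -math.inf, None
    for i in range(1, len(order)):
        a, b = order[:i], order[i:]
        gap = (mean(b) - pstdev(b)) - (mean(a) + pstdev(a))
        if gap > best_gap:
            best_gap, best_threshold = gap, (order[i - 1] + order[i]) / 2
    return best_gap, best_threshold


def find_shapelet(flows, length):
    """Try every subsequence of the given length as a shapelet; keep the largest gap."""
    best = (-math.inf, None, None)  # (gap, shapelet, threshold)
    for series in flows:
        for start in range(len(series) - length + 1):
            candidate = series[start:start + length]
            dists = [subsequence_distance(candidate, s) for s in flows]
            gap, threshold = best_gap_split(dists)
            if gap > best[0]:
                best = (gap, candidate, threshold)
    return best


def cluster_flows(flows, length=4):
    """Split flows into two groups by their distance to the discovered shapelet.

    Label 0: flows close to the shapelet (distance at or below the gap threshold);
    label 1: the rest. Which group is the attack is decided afterwards by an
    analyst or by the small set of known samples, not by this function.
    """
    gap, shapelet, threshold = find_shapelet(flows, length)
    labels = [0 if subsequence_distance(shapelet, s) <= threshold else 1 for s in flows]
    return shapelet, gap, labels


if __name__ == "__main__":
    found, score, labels = cluster_flows(FLOWS)
    print("shapelet:", found, "gap score: %.2f" % score)
    for i, (flow, label) in enumerate(zip(FLOWS, labels)):
        print(i, label, flow)
```

On this input the two pulsed flows land in one cluster and the four steady flows in the other whichever tied candidate wins, because a length-4 window that contains the burst (or that is entirely steady) sits at distance 0 from one group and far from the other; with real packet-count series the shapelet length and the distance normalization have to be chosen per dataset.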
Cite as: Jing ZHAO, Jun LI, Chun LONG, Wei WAN, Jinxia WEI, Kai CHEN. Unsupervised detection method of RoQ covert attacks based on multilayer features[J]. Journal on Communications, 2022, 43(9): 224-239.
Table 1 Experimental environment configuration

| Device | Configuration |
|---|---|
| Attack host | Windows 10, Intel(R) Core(TM) i7-6700 CPU @ 3.40 GHz, 8 GB RAM |
| Normal host | Windows 10, Intel(R) Core(TM) i7-6498DU CPU @ 2.50 GHz, 8 GB RAM |
| Capture host | Windows 10, Intel(R) Core(TM) i7-9700 CPU @ 3.00 GHz, 8 GB RAM, Wireshark installed for traffic capture |
| Target server | Apache on Windows Server 7, Intel(R) Core(TM) i7-6700 CPU @ 3.40 GHz, 8 GB RAM |
| Graphics workstation | Windows 10, 2 × Intel(R) Xeon(R) Gold 5218 CPU @ 2.30 GHz, 128 GB RAM, NVIDIA Quadro RTX 5000 GPU |
Table 2 Details of the datasets used in the experiments

| No. | Dataset | Anomaly:normal ratio (packets) | Anomaly:normal ratio (flows) | Packets (count) | Flows (count) | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 1 | Slowheaders | 1:100 | 1:40 | 6728507 | 3950 | HTTP | Slowheaders attack traffic from ISCX-SlowDoS-2016 mixed with normal traffic from CIRA-CIC-DoHBrw-2020 |
| 2 | WebDoS | 1:35 | 1:10 | 6852052 | 4931 | HTTP | WebDoS attack traffic from CIC-DDoS-2019 mixed with normal traffic from CIRA-CIC-DoHBrw-2020 |
| 3 | DoS slowloris | 1:20 | 1:18 | 9072873 | 8808 | HTTP | Slowbody2 attack traffic from ISCX-SlowDoS-2016 mixed with normal traffic from CIRA-CIC-DoHBrw-2020 |
| 4 | TCP-Congestion DoS | 1:129 | 1:50 | 6711428 | 8433 | TCP | Attack traffic exploiting the TCP congestion control mechanism, generated in the experimental environment, mixed with normal traffic from a real network |
| 5 | Router LDoS | 1:100 | 1:30 | 8741118 | 4785 | IP | Attack traffic exploiting the router queue mechanism, generated in the experimental environment, mixed with normal traffic from a real network |
| 6 | Mixed data 1 | 1:100 | 1:100 | 7162332 | 10188 | Full stack | Mixture of the traffic of datasets 1, 2 and 3 |
| 7 | Mixed data 2 | 1:100 | 1:100 | 7852130 | 8795 | Full stack | Mixture of the traffic of datasets 1, 2, 3, 4 and 5 |
| 8 | Covert attack 1 [ | 1:1000 | 1:1000 | 420000 | 3500 | TCP | Side-channel attack |
Table 3 Description of the flow features

| Feature | Description |
|---|---|
| Total packets | Total number of packets within a period |
| Maximum packet count | Maximum packet count among the flows formed over a fixed time interval |
| Minimum packet count | Minimum packet count among the flows formed over a fixed time interval |
| Packet count range | Difference between the maximum and minimum packet counts of the flows formed over a fixed time interval |
| Frequency domain | Frequency-domain transform of the packet count series within a period |
| Source IP entropy | Information entropy of the packet source IP addresses within a period |
| Source port entropy | Information entropy of the packet source ports within a period |
| Destination port entropy | Information entropy of the packet destination ports within a period |
| Packet length entropy | Information entropy of the packet lengths within a period |
| Time entropy | Information entropy of the inter-packet time intervals within a period |
| IP separation rate | Separation rate between the source-IP and destination-IP entropy features |
| Port separation rate | Separation rate between the source-port and destination-port entropy features |
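Table 3 describes the flow features only in words. The Python block below is an added example, not the paper's code: it computes the packet-count, frequency-domain and entropy features of Table 3 for one time window of constructed packet records and contrasts a steady window from several clients with a single-source pulse train of the kind a low-rate RoQ attack produces. The 800 ms window with 200 ms slots, the integer-millisecond timestamps, the 1 ms resolution of the inter-arrival times and the reading of the frequency-domain feature as the strongest non-DC DFT component are assumptions of this example; the IP and port separation rates are left out because the page does not define them.

```python
"""Flow-level features per time window, in the style of Table 3.

Added example, not the paper's code. Each packet is a constructed record
(timestamp_ms, src_ip, src_port, dst_port, length). Timestamps are integer
milliseconds so that slot assignment is exact.
"""
import math
from collections import Counter


def entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def slot_counts(timestamps_ms, window_start_ms, window_ms, slot_ms):
    """Packets per fixed-length slot inside the window (the per-interval count series)."""
    counts = [0] * math.ceil(window_ms / slot_ms)
    for ts in timestamps_ms:
        idx = (ts - window_start_ms) // slot_ms
        if 0 <= idx < len(counts):
            counts[idx] += 1
    return counts


def dominant_frequency_hz(counts, slot_ms):
    """Frequency (Hz) of the strongest non-DC DFT component of the count series.

    Assumed reading of the 'frequency domain' feature: returns 0.0 when the
    series is flat; a periodic low-rate pulse train shows up as a clear peak.
    """
    n = len(counts)
    best_k, best_mag = 0, 0.0
    for k in range(1, n // 2 + 1):
        re = sum(c * math.cos(2 * math.pi * k * t / n) for t, c in enumerate(counts))
        im = -sum(c * math.sin(2 * math.pi * k * t / n) for t, c in enumerate(counts))
        mag = math.hypot(re, im)
        if mag > best_mag + 1e-9:  # guard against floating-point noise on flat series
            best_k, best_mag = k, mag
    return best_k / (n * slot_ms / 1000.0) if best_k else 0.0


def window_features(packets, window_start_ms, window_ms, slot_ms):
    """Table 3 style features for one window of packets (separation rates omitted)."""
    ts = sorted(p[0] for p in packets)
    counts = slot_counts(ts, window_start_ms, window_ms, slot_ms)
    gaps = [b - a for a, b in zip(ts, ts[1:])]  # inter-arrival times, 1 ms resolution
    return {
        "total_packets": len(packets),
        "max_count": max(counts),
        "min_count": min(counts),
        "count_range": max(counts) - min(counts),
        "dominant_freq_hz": dominant_frequency_hz(counts, slot_ms),
        "src_ip_entropy": entropy([p[1] for p in packets]),
        "src_port_entropy": entropy([p[2] for p in packets]),
        "dst_port_entropy": entropy([p[3] for p in packets]),
        "length_entropy": entropy([p[4] for p in packets]),
        "interarrival_entropy": entropy(gaps),
    }


# Constructed sample windows (800 ms window, 200 ms slots).
NORMAL_PACKETS = [  # four clients, evenly spaced, HTTPS
    (0, "10.0.0.1", 51000, 443, 1200), (100, "10.0.0.2", 51001, 443, 600),
    (200, "10.0.0.3", 51002, 443, 1200), (300, "10.0.0.4", 51003, 443, 80),
    (400, "10.0.0.1", 51000, 443, 600), (500, "10.0.0.2", 51001, 443, 1200),
    (600, "10.0.0.3", 51002, 443, 80), (700, "10.0.0.4", 51003, 443, 600),
]
PULSED_PACKETS = [  # one source, two short bursts 400 ms apart
    (0, "203.0.113.9", 40000, 443, 60), (10, "203.0.113.9", 40001, 443, 60),
    (20, "203.0.113.9", 40002, 443, 60), (30, "203.0.113.9", 40003, 443, 60),
    (400, "203.0.113.9", 40004, 443, 60), (410, "203.0.113.9", 40005, 443, 60),
    (420, "203.0.113.9", 40006, 443, 60), (430, "203.0.113.9", 40007, 443, 60),
]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL_PACKETS), ("pulsed", PULSED_PACKETS)):
        print(name, window_features(pkts, 0, 800, 200))
```

The two windows carry the same number of packets, so the total alone says nothing; what separates them is the count range (0 against 4), the 2.5 Hz peak of the pulse train, the collapse of source-IP entropy to zero and the jump in inter-arrival entropy. Those are exactly the kinds of small per-window differences the filtering stage can cluster on before any packet-level model is applied.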
Table 8 Clustering purity P of the different methods on each dataset

| Dataset | K-means | Autoencoder | Whisper | u-Shapelet | This paper |
|---|---|---|---|---|---|
| Slowheaders | 50.00% | 85.44% | 92.98% | 90.79% | |
| Slowbody2 | 50.00% | 74.23% | 93.67% | 92.84% | |
| DoS slowloris | 59.56% | 82.42% | 94.45% | 92.80% | 94.18% |
| TCP-Congestion DoS | 58.82% | 78.47% | 90.88% | 94.36% | |
| Router LDoS | 50.55% | 68.04% | 86.67% | 88.71% | |
| Mixed data 1 | 60.19% | 83.78% | 91.78% | 92.10% | |
| Mixed data 2 | 55.45% | 66.17% | 88.24% | 86.96% | |
| Covert attack 1 | 39.36% | 76.73% | 83.33% | 87.25% | |
Table 9 Rand index RI of the different methods on each dataset

| Dataset | K-means | Autoencoder | Whisper | u-Shapelet | This paper |
|---|---|---|---|---|---|
| Slowheaders | 45.45% | 86.18% | 89.77% | 92.24% | |
| Slowbody2 | 45.45% | 75.36% | 91.87% | 91.70% | |
| DoS slowloris | 57.27% | 84.07% | 87.64% | 91.73% | |
| TCP-Congestion DoS | 55.00% | 73.16% | 87.82% | 91.33% | |
| Router LDoS | 45.91% | 65.73% | 85.95% | 87.59% | |
| Mixed data 1 | 55.45% | 85.23% | 90.98% | 93.25% | |
| Mixed data 2 | 50.45% | 65.09% | 83.55% | 69.09% | |
| Covert attack 1 | 36.36% | 73.14% | 85.39% | 70.91% | |
Table 10 F1 score of the different methods on each dataset

| Dataset | K-means | Autoencoder | Whisper | u-Shapelet | This paper |
|---|---|---|---|---|---|
| Slowheaders | 50.00% | 87.66% | 90.61% | 92.70% | |
| Slowbody2 | 47.37% | 78.81% | 92.45% | 92.35% | |
| DoS slowloris | 61.83% | 86.04% | 88.09% | 92.26% | |
| TCP-Congestion DoS | 58.33% | 73.99% | 88.55% | 93.43% | |
| Router LDoS | 47.92% | 69.05% | 87.20% | 88.50% | |
| Mixed data 1 | 56.52% | 86.972% | 91.72% | 93.93% | |
| Mixed data 2 | 52.83% | 69.72% | 84.11% | 63.83% | |
| Covert attack 1 | 42.53% | 74.73% | 86.44% | 68.63% | |
Table 12 AUC of the different methods for the five attacks at different malicious:benign traffic ratios

| Attack | Ratio | This paper | K-means | Autoencoder | u-Shapelet |
|---|---|---|---|---|---|
| Slowheaders+TLS | 1:1 | 0.912 | 0.781 | 0.771 | 0.870 |
| Slowheaders+TLS | 1:2 | 0.875 | 0.625 | 0.840 | 0.770 |
| Slowheaders+TLS | 1:4 | 0.930 | 0.521 | 0.763 | 0.780 |
| Slowheaders+TLS | 1:8 | 0.890 | 0.623 | 0.611 | 0.758 |
| Slowbody2+TLS | 1:1 | 0.903 | 0.710 | 0.840 | 0.810 |
| Slowbody2+TLS | 1:2 | 0.925 | 0.520 | 0.700 | 0.823 |
| Slowbody2+TLS | 1:4 | 0.842 | 0.421 | 0.860 | 0.782 |
| Slowbody2+TLS | 1:8 | 0.894 | 0.628 | 0.611 | 0.691 |
| WebDoS+TLS | 1:1 | 0.940 | 0.500 | 0.861 | 0.851 |
| WebDoS+TLS | 1:2 | 0.952 | 0.880 | 0.755 | 0.720 |
| WebDoS+TLS | 1:4 | 0.891 | 0.785 | 0.880 | 0.761 |
| WebDoS+TLS | 1:8 | 0.910 | 0.341 | 0.810 | 0.650 |
| TCP-Congestion DoS+TLS | 1:1 | 0.897 | 0.823 | 0.779 | 0.879 |
| TCP-Congestion DoS+TLS | 1:2 | 0.914 | 0.575 | 0.659 | 0.875 |
| TCP-Congestion DoS+TLS | 1:4 | 0.880 | 0.129 | 0.762 | 0.840 |
| TCP-Congestion DoS+TLS | 1:8 | 0.814 | 0.620 | 0.830 | 0.852 |
| Router LDoS+TLS | 1:1 | 0.896 | 0.680 | 0.681 | 0.871 |
| Router LDoS+TLS | 1:2 | 0.850 | 0.700 | 0.700 | 0.813 |
| Router LDoS+TLS | 1:4 | 0.760 | 0.355 | 0.813 | 0.660 |
| Router LDoS+TLS | 1:8 | 0.793 | 0.400 | 0.790 | 0.560 |
References

[1] GUIRGUIS M, THARP J, BESTAVROS A, et al. Assessment of vulnerability of content adaptation mechanisms to RoQ attacks[C]// Proceedings of the 8th International Conference on Networks. Piscataway: IEEE Press, 2009: 445-450.
[2] GUIRGUIS M, BESTAVROS A, MATTA I. Exploiting the transients of adaptation for RoQ attacks on Internet resources[C]// Proceedings of the 12th IEEE International Conference on Network Protocols. Piscataway: IEEE Press, 2004: 184-195.
[3] LUO X P, CHANG R K C. On a new class of pulsing denial-of-service attacks and the defense[C]// Proceedings of the NDSS Symposium 2005. Piscataway: IEEE Press, 2005: 1-19.
[4] GUIRGUIS M, BESTAVROS A, MATTA I, et al. Reduction of quality (RoQ) attacks on dynamic load balancers: vulnerability assessment and design tradeoffs[C]// Proceedings of the 26th IEEE International Conference on Computer Communications. Piscataway: IEEE Press, 2007: 857-865.
[5] JAZI H H, GONZALEZ H, STAKHANOVA N, et al. Detecting HTTP-based application layer DoS attacks on Web servers in the presence of sampling[J]. Computer Networks, 2017, 121: 25-36.
[6] YUE M, WANG M X, WU Z J. Low-high burst: a double potency varying-RTT based full-buffer shrew attack model[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 18(5): 2285-2300.
[7] VACCARI I, AIELLO M, CAMBIASO E. SlowITe, a novel denial of service attack affecting MQTT[J]. Sensors, 2020, 20(10): 2932.
[8] MERGET R, SOMOROVSKY J, AVIRAM N, et al. Scalable scanning and automatic classification of TLS padding oracle vulnerabilities[C]// Proceedings of the 28th USENIX Security Symposium. Berkeley: USENIX Association, 2019: 1029-1046.
[9] CHEN Y, HWANG K. Collaborative detection and filtering of shrew DDoS attacks using spectral analysis[J]. Journal of Parallel and Distributed Computing, 2006, 66(9): 1137-1151.
[10] AGRAWAL N, TAPASWI S. Low rate cloud DDoS attack defense method based on power spectral density analysis[J]. Information Processing Letters, 2018, 138: 44-50.
[11] WU Z J, PEI B S. The detection of LDoS attack based on the model of small signal[J]. Acta Electronica Sinica, 2011, 39(6): 1456-1460. (in Chinese)
[12] TANG D, CHEN K, CHEN X S, et al. A new detection method based on AEWMA algorithm for LDoS attacks[J]. Journal of Networks, 2014, 9(11): 2981.
[13] TANG D, DAI R, TANG L, et al. Low-rate DoS attack detection based on two-step cluster analysis[C]// Information and Communications Security. Berlin: Springer, 2018: 92-104.
[14] TANG D, DAI R, TANG L, et al. Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis[J]. Human-Centric Computing and Information Sciences, 2020, 10(1): 1-20.
[15] WU Z J, ZHANG L Y, YUE M. Low-rate DoS attacks detection based on network multifractal[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(5): 559-567.
[16] KOAY A, CHEN A, WELCH I, et al. A new multi classifier system using entropy-based features in DDoS attack detection[C]// Proceedings of 2018 International Conference on Information Networking (ICOIN). Piscataway: IEEE Press, 2018: 162-167.
[17] TANG D, ZHANG S Q, CHEN J W, et al. The detection of low-rate DoS attacks using the SADBSCAN algorithm[J]. Information Sciences, 2021, 565: 229-247.
[18] TANG D, TANG L, DAI R, et al. MF-Adaboost: LDoS attack detection based on multi-features and improved Adaboost[J]. Future Generation Computer Systems, 2020, 106: 347-359.
[19] WU Z J, LIU L, YUE M. Detection method of LDoS attacks based on combination of ANN & KPCA[J]. Journal on Communications, 2018, 39(5): 11-22. (in Chinese)
[20] LIU L, WANG H Y, WU Z J, et al. The detection method of low-rate DoS attack based on multi-feature fusion[J]. Digital Communications and Networks, 2020, 6(4): 504-513.
[21] WANG X, QIAN B Y, DAVIDSON I. On constrained spectral clustering and its applications[J]. Data Mining and Knowledge Discovery, 2014, 28(1): 1-30.
[22] CHEN F, YU R, LIU W M. Internet of things attack group identification model combined with spectral clustering[C]// Proceedings of 2021 IEEE 21st International Conference on Communication Technology. Piscataway: IEEE Press, 2021: 778-782.
[23] YE L X, KEOGH E. Time series shapelets: a new primitive for data mining[C]// Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM Press, 2009: 947-956.
[24] ZAKARIA J, MUEEN A, KEOGH E. Clustering time series using unsupervised-shapelets[C]// Proceedings of 2012 IEEE 12th International Conference on Data Mining. Piscataway: IEEE Press, 2012: 785-794.
[25] HILLS J, LINES J, BARANAUSKAS E, et al. Classification of time series by shapelet transformation[J]. Data Mining and Knowledge Discovery, 2014, 28(4): 851-881.
[26] HU W J, YANG Y, CHENG Z Q, et al. Time-series event prediction with evolutionary state graph[C]// Proceedings of the 14th ACM International Conference on Web Search and Data Mining. New York: ACM Press, 2021: 580-588.
[27] MEDICO R, RUYSSINCK J, DESCHRIJVER D, et al. Learning multivariate shapelets with multi-layer neural networks for interpretable time-series classification[J]. Advances in Data Analysis and Classification, 2021, 15(4): 911-936.
[28] SHARAFALDIN I, LASHKARI A H, HAKAK S, et al. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy[C]// Proceedings of 2019 International Carnahan Conference on Security Technology (ICCST). Piscataway: IEEE Press, 2019: 1-8.
[29] MONTAZERISHATOORI M, DAVIDSON L, KAUR G, et al. Detection of DoH tunnels using time-series classification of encrypted traffic[C]// Proceedings of 2020 IEEE International Conference on Dependable, Autonomic and Secure Computing, International Conference on Pervasive Intelligence and Computing, International Conference on Cloud and Big Data Computing, International Conference on Cyber Science and Technology Congress. Piscataway: IEEE Press, 2020: 63-70.
[30] FENG X W, FU C P, LI Q, et al. Off-path TCP exploits of the mixed IPID assignment[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2020: 1323-1335.
[31] ZHANG Q, WU J, ZHANG P, et al. Salient subsequence learning for time series clustering[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019, 41(9): 2193-2207.
[32] HINDY H, ATKINSON R, TACHTATZIS C, et al. Utilising deep learning techniques for effective zero-day attack detection[J]. Electronics, 2020, 9(10): 1684.
[33] FU C P, LI Q, SHEN M, et al. Realtime robust malicious traffic detection via frequency domain analysis[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2021: 3431-3446.