基于多层次特征的RoQ隐蔽攻击无监督检测方法

doi:10.11959/j.issn.1000-436x.2022166

Abstract

Abstract:

To solve the problems that RoQ covert attacks are hidden in overwhelming background traffic and difficult to identify, besides the existing samples are scarce and cannot provide large-scale learning data, an unsupervised detection method of RoQ covert attacks based on multilayer features was proposed under the condition of very little prior knowledge.First, considering that most normal flow might interfere with subsequent results, a classification method based on semi-supervised spectral clustering was studied by flow characteristics, so that the proportion of normal samples in the filtered traffic was close to 100%.Secondly, in order to distinguish the nuance between the hidden attack features and normal flow without relying on the attack samples, an unsupervised detection model based on the n-Shapelet subsequence was constructed by packet characteristics, and the subsequences with obvious difference were used, which enabled detection of RoQ convert attacks.Experimental results demonstrate that with only a small number of learning samples, the proposed method has higher precision and recall rate than existing methods, and is robust to evading attacks.

Key words: RoQ converts attack, spectral clustering, semi-supervised clustering, Shapelet subsequence

CLC Number:

TP18

Jing ZHAO, Jun LI, Chun LONG, Wei WAN, Jinxia WEI, Kai CHEN. Unsupervised detection method of RoQ covert attacks based on multilayer features[J]. Journal on Communications, 2022, 43(9): 224-239.

Figures/Tables 17

v	P	RI	F1
2	93.26%	89.00%	91.60%
3	$94 . 39 %$	$91 . 33 %$	$93 . 43 %$
4	93.89%	90.83%	93.06%
5	$94 . 74 %$	90.00%	92.31%
6	93.91%	91.00%	93.20%
7	90.25%	80.24%	82.71%
8	$94 . 82 %$	91.00%	93.13%

数据集	K-means	Autoencoder	Whisper	u-Shapelet	本文方法
Slowheaders	50.00%	85.44%	92.98%	90.79%	$95 . 11 %$
Slowbody2	50.00%	74.23%	93.67%	92.84%	$94 . 51 %$
DoS slowloris	59.56%	82.42%	94.45%	92.80%	94.18%
TCP-Congestion DoS	58.82%	78.47%	90.88%	94.36%	$94 . 39 %$
Router LDoS	50.55%	68.04%	86.67%	$89 . 51 %$	88.71%
混合数据1	60.19%	83.78%	91.78%	92.10%	$92 . 74 %$
混合数据2	55.45%	66.17%	$88 . 87 %$	88.24%	86.96%
隐蔽攻击1	39.36%	76.73%	$87 . 49 %$	83.33%	87.25%

数据集	K-means	Autoencoder	Whisper	u-Shapelet	本文方法
Slowheaders	45.45%	86.18%	$92 . 52 %$	89.77%	92.24%
Slowbody2	45.45%	75.36%	91.87%	91.70%	$93 . 41 %$
DoS slowloris	57.27%	84.07%	$94 . 23 %$	87.64%	91.73%
TCP-Congestion DoS	55.00%	73.16%	87.82%	$93 . 32 %$	91.33%
Router LDoS	45.91%	65.73%	85.95%	87.59%	$89 . 09 %$
混合数据1	55.45%	85.23%	90.98%	93.25%	$93 . 64 %$
混合数据2	50.45%	65.09%	83.55%	69.09%	$84 . 09 %$
隐蔽攻击1	36.36%	73.14%	85.39%	70.91%	$86 . 20 %$

数据集	K-means	Autoencoder	Whisper	u-Shapelet	本文方法
Slowheaders	50.00%	87.66%	$93 . 16 %$	90.61%	92.70%
Slowbody2	47.37%	78.81%	92.45%	92.35%	$93 . 92 %$
DoS slowloris	61.83%	86.04%	$94 . 72 %$	88.09%	92.26%
TCP-Congestion DoS	58.33%	73.99%	88.55%	$93 . 84 %$	93.43%
Router LDoS	47.92%	69.05%	87.20%	88.50%	$90 . 16 %$
混合数据1	56.52%	86.972%	91.72%	93.93%	$94 . 26 %$
混合数据2	52.83%	69.72%	84.11%	63.83%	$95 . 11 %$
隐蔽攻击1	42.53%	74.73%	86.44%	68.63%	$87 . 37 %$

方法	精确率	RI	召回率	F1
方法A	88.98%	88.86%	90.86%	89.90%
方法B	89.15%	89.09%	91.08%	90.11%
方法C	90.69%	91.55%	94.17%	92.40%
本文方法	$92 . 74 %$	$93 . 64 %$	$95 . 83 %$	$94 . 26 %$

References 33

[1]	GUIRGUIS M , THARP J , BESTAVROS A ,et al． Assessment of vulnerability of content adaptation mechanisms to RoQ attacks［C］// Proceedings of the 8th International Conference on Networks． Piscataway:IEEE Press, 2009: 445-450．
[2]	GUIRGUIS M , BESTAVROS A , MATTA I ． Exploiting the transients of adaptation for RoQ attacks on Internet resources［C］// Proceedings of the 12th IEEE International Conference on Network Protocols． Piscataway:IEEE Press, 2004: 184-195．
[3]	LUO X P , CHANG R K C ． On a new class of pulsing denial-of-service attacks and the defense［C］// Proceedings of the NDSS Symposium 2005． Piscataway:IEEE Press, 2005: 1-19．
[4]	GUIRGUIS M , BESTAVROS A , MATTA I ,et al． Reduction of quality (RoQ) attacks on dynamic load balancers:vulnerability assessment and design tradeoffs［C］// Proceedings of the 26th IEEE International Conference on Computer Communications． Piscataway:IEEE Press, 2007: 857-865．
[5]	JAZI H H , GONZALEZ H , STAKHANOVA N ,et al． Detecting HTTP-based application layer DoS attacks on Web servers in the presence of sampling［J］． Computer Networks, 2017,121: 25-36．
[6]	YUE M , WANG M X , WU Z J ． Low-high burst:a double potency varying-RTT based full-buffer shrew attack model［J］． IEEE Transactions on Dependable and Secure Computing, 2019,18(5): 2285-2300．
[7]	VACCARI I , AIELLO M , CAMBIASO E ． SlowITe,a novel denial of service attack affecting MQTT［J］． Sensors, 2020,20(10): 2932．
[8]	MERGET R , SOMOROVSKY J , AVIRAM N ,et al． Scalable scanning and automatic classification of TLS padding oracle vulnerabilities［C］// Proceedings of the 28th USENIX Conference on Security Symposium． Berkeley:USENIX Association, 2019: 1029-1046．
[9]	CHEN Y , HWANG K ． Collaborative detection and filtering of shrew DDoS attacks using spectral analysis［J］． Journal of Parallel and Distributed Computing, 2006,66(9): 1137-1151．
[10]	AGRAWAL N , TAPASWI S ． Low rate cloud DDoS attack defense method based on power spectral density analysis［J］． Information Processing Letters, 2018,138: 44-50．
[11]	吴志军, 裴宝崧．基于小信号检测模型的LDoS攻击检测方法的研究［J］．电子学报, 2011,39(6): 1456-1460．
	WU Z J , PEI B S ． The detection of LDoS attack based on the model of small signal［J］． Acta Electronica Sinica, 2011,39(6): 1456-1460．
[12]	TANG D , CHEN K , CHEN X S ,et al． A new detection method based on AEWMA algorithm for LDoS attacks［J］． Journal of Networks, 1969,9(11): 2981．
[13]	TANG D , DAI R , TANG L ,et al． Low-rate DoS attack detection based on two-step cluster analysis［C］// Information and Communications Security． Berlin:Springer, 2018: 92-104．
[14]	TANG D , DAI R , TANG L ,et al． Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis［J］． Human-Centric Computing and Information Sciences, 2020,10(1): 1-20．
[15]	WU Z J , ZHANG L Y , YUE M ． Low-rate DoS attacks detection based on network multifractal［J］． IEEE Transactions on Dependable and Secure Computing, 2016,13(5): 559-567．
[16]	KOAY A , CHEN A , WELCH I ,et al． A new multi classifier system using entropy-based features in DDoS attack detection［C］// Proceedings of 2018 International Conference on Information Networking (ICOIN)． Piscataway:IEEE Press, 2018: 162-167．
[17]	TANG D , ZHANG S Q , CHEN J W ,et al． The detection of low-rate DoS attacks using the SADBSCAN algorithm［J］． Information Sciences, 2021,565: 229-247．
[18]	TANG D , TANG L , DAI R ,et al． MF-Adaboost:LDoS attack detection based on multi-features and improved Adaboost［J］． Future Generation Computer Systems, 2020,106: 347-359．
[19]	吴志军, 刘亮, 岳猛．基于ANN与KPCA的LDoS攻击检测方法［J］．通信学报, 2018,39(5): 11-22．
	WU Z J , LIU L , YUE M ． Detection method of LDoS attacks based on combination of ANN ＆ KPCA［J］． Journal on Communications, 2018,39(5): 11-22．
[20]	LIU L , WANG H Y , WU Z J ,et al． The detection method of low-rate DoS attack based on multi-feature fusion［J］． Digital Communications and Networks, 2020,6(4): 504-513．
[21]	WANG X , QIAN B Y , DAVIDSON I ． On constrained spectral clustering and its applications［J］． Data Mining and Knowledge Discovery, 2014,28(1): 1-30．
[22]	CHEN F , YU R , LIU W M ． Internet of things attack group identification model combined with spectral clustering［C］// Proceedings of 2021 IEEE 21st International Conference on Communication Technology． Piscataway:IEEE Press, 2021: 778-782．
[23]	YE L X , KEOGH E ． Time series shapelets:a new primitive for data mining［C］// Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining． New York:ACM Press, 2009: 947-956．
[24]	ZAKARIA J , MUEEN A , KEOGH E ． Clustering time series using unsupervised-shapelets［C］// Proceedings of 2012 IEEE 12th International Conference on Data Mining． Piscataway:IEEE Press, 2012: 785-794．
[25]	HILLS J , LINES J , BARANAUSKAS E ,et al． Classification of time series by shapelet transformation［J］． Data Mining and Knowledge Discovery, 2014,28(4): 851-881．
[26]	HU W J , YANG Y , CHENG Z Q ,et al． Time-series event prediction with evolutionary state graph［C］// Proceedings of the 14th ACM International Conference on Web Search and Data Mining． New York:ACM Press, 2021: 580-588．
[27]	MEDICO R , RUYSSINCK J , DESCHRIJVER D ,et al． Learning multivariate shapelets with multi-layer neural networks for interpretable time-series classification［J］． Advances in Data Analysis and Classification, 2021,15(4): 911-936．
[28]	SHARAFALDIN I , LASHKARI A H , HAKAK S ,et al． Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy［C］// Proceedings of 2019 International Carnahan Conference on Security Technology (ICCST)． Piscataway:IEEE Press, 2019: 1-8．
[29]	MONTAZERISHATOORI M , DAVIDSON L , KAUR G ,et al． Detection of DoH tunnels using time-series classification of encrypted traffic［C］// Proceedings of 2020 IEEE International Conference on Dependable,Autonomic and Secure Computing,International Conference on Pervasive Intelligence and Computing,International Conference on Cloud and Big Data Computing,International Conference on Cyber Science and Technology Congress． Piscataway:IEEE Press, 2020: 63-70．
[30]	FENG X W , FU C P , LI Q ,et al． Off-path TCP exploits of the mixed IPID assignment［C］// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security． New York:ACM Press, 2020: 1323-1335．
[31]	ZHANG Q , WU J , ZHANG P ,et al． Salient subsequence learning for time series clustering［J］． IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019,41(9): 2193-2207．
[32]	HINDY H , ATKINSON R , TACHTATZIS C ,et al． Utilising deep learning techniques for effective zero-day attack detection［J］． Electronics, 2020,9(10): 1684．
[33]	FU C P , LI Q , SHEN M ,et al． Realtime robust malicious traffic detection via frequency domain analysis［C］// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security． New York:ACM Press, 2021: 3431-3446．

Metrics

Recommended 0

No Suggested Reading articles found!

设备	配置
攻击主机	Windows 10系统，处理器Intel(R) Core (TM)，i7-6700，CPU @ 3.40 GHz，8 GB RAM
正常主机	Windows 10系统，处理器Intel(R) Core (TM)，i7-6498DU，CPU @ 2.50GHz，8 GB RAM
捕获主机	Windows10系统，处理器Intel(R) Core (TM)，i7-9700，CPU @ 3.00 GHz，8 GB RAM，配置Wireshark 流量捕获软件
目标服务器	Apache，Windows Server 7，处理器Intel(R) Core (TM)，i7-6700，CPU @ 3.40GHz，8 GB RAM
图形工作站	Windows 10系统，处理器Intel(R) Xeon(R) Gold 5218， CPU @ 2.30 GHz （2颗），内存128 GB，显卡NVIDIA Quadro RTX 5000

序号	数据集	异常/正常比例		异常/正常比例		协议	描述
序号	数据集	包	流	包	流	协议	描述
1	Slowheaders	1:100	1:40	6728507	3950	HTTP	ISCX-SlowDoS-2016数据集中Slowheaders攻击流量与CIRA-CIC-DoHBrw-2020数据集正常流量的混合
2	WebDoS	1:35	1:10	6852052	4931	HTTP	CIC-DDoS-2019 数据集中 WebDoS 攻击流量与CIRA-CIC-DoHBrw-2020数据集正常流量的混合
3	DoS slowloris	1:20	1:18	9072873	8808	HTTP	ISCX-SlowDoS-2016数据集中Slowbody2攻击流量与CIRA-CIC-DoHBrw-2020数据集正常流量的混合
4	TCP-Congestion DoS	1:129	1:50	6711428	8433	TCP	实验环境中利用TCP拥塞控制机制的攻击流量和真实网络正常流量的混合
5	Router LDoS	1:100	1:30	8741118	4785	IP	实验环境中利用路由器队列机制的攻击流量和真实网络正常流量的混合
6	混合数据1	1:100	1:100	7162332	10188	全栈	1、2、3的混合流量
7	混合数据2	1:100	1:100	7852130	8795	全栈	1、2、3、4、5的混合流量
8	隐蔽攻击1^[30]	1:1000	1:1000	420000	3500	TCP	侧信道攻击

特征名称	特征描述
数据包总量	一段时间内数据包总数量
包数量最大值	一定时间间隔形成流中包数量的最大值
包数量最小值	一定时间间隔形成流中包数量的最小值
包数量差值	一定时间间隔形成流中包数量的最大值与最小值的差值
频域	一段时间内数据包数量在频域上的转换
源IP地址信息熵	一段时间内数据包的源IP地址的信息熵
源端口信息熵	一段时间内数据包的源端口的信息熵
目的端口信息熵	一段时间内数据包的目的端口的信息熵
包长度信息熵	一段时间内数据包长度的信息熵
时间信息熵	一段时间内数据包之间时间间隔信息熵
IP分离率	源IP和目的IP信息熵特征的分离率
端口分离率	源端口和目的端口信息熵特征的分离率

特征名称	特征描述
源IP	一个数据包内源IP地址
目的IP	一个数据包内目的IP地址
目的端口	一个数据包内目的端口
协议	一个数据包内协议
包长度	一个数据包的长度
TCP窗口	TCP窗口大小
序列号	TCP序列号
前序包差值	与前一个数据包大小的差值

监督信息在总数据中的占比	聚类纯度P
0%（M=0）	94.1%
0.5%（M=400）	98.5%
1%（M=800）	99.7%
1.5%（M=1 200）	99.6%
2%（M=1 600）	99.8%

Unsupervised detection method of RoQ covert attacks based on multilayer features

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 33

Related Articles 10

Metrics

Recommended 0

k	P	RI	F1
5%	88.73%	81.29%	84.57%
8%	93.75%	84.67%	87.77%
10%	93.26%	89.00%	91.60%
15%	92.71%	88.00%	90.82%
20%	83.94%	77.36%	77.76%

攻击	比例	本文方法	K-means	Autoencoder	u-Shapelet
	1:1	0.912	0.781	0.771	0.870
Slowheaders+TLS	1:2	0.875	0.625	0.840	0.770
	1:4	0.930	0.521	0.763	0.780
	1:8	0.890	0.623	0.611	0.758
	1:1	0.903	0.710	0.840	0.810
Slowbody2+TLS	1:2	0.925	0.520	0.700	0.823
	1:4	0.842	0.421	0.860	0.782
	1:8	0.894	0.628	0.611	0.691
	1:1	0.940	0.500	0.861	0.851
WebDoS+TLS	1:2	0.952	0.880	0.755	0.720
	1:4	0.891	0.785	0.880	0.761
	1:8	0.910	0.341	0.810	0.650
	1:1	0.897	0.823	0.779	0.879
TCP-Congettion DoS+TLS	1:2	0.914	0.575	0.659	0.875
	1:4	0.880	0.129	0.762	0.840
	1:8	0.814	0.620	0.830	0.852
	1:1	0.896	0.680	0.681	0.871
Router LDoS+TLS	1:2	0.850	0.700	0.700	0.813
	1:4	0.760	0.355	0.813	0.660
	1:8	0.793	0.400	0.790	0.560

[1]	Zhen LIU,Na’na WANG,Xiaodong WANG,Yongqi SUN. Spectral clustering and embedding-enhanced POI recommendation in location-based social network [J]. Journal on Communications, 2020, 41(3): 197-206.
[2]	Weijin JIANG, Yang WANG, Xiaoliang LIU, Sijian LYU. Multi-attribute spectral clustering emergency detection based on word correlation feature [J]. Journal on Communications, 2020, 41(12): 193-204.
[3]	Xuesong QIU,Xuchuan HUANG,Wencui LI,Wenjing LI,Shaoyong GUO. Group-scheduling mechanism for large-scale time-sensitive network [J]. Journal on Communications, 2020, 41(11): 124-131.
[4]	Yunqiu LYU,Kai LIU,Fei CHENG. Kernelized correlation tracking based on point trajectories [J]. Journal on Communications, 2018, 39(6): 190-198.
[5]	Liang FANG,Li-hua YIN,Feng-hua LI,Bin-xing FANG. Spectral-clustering-based abnormal permission assignments hunting framework [J]. Journal on Communications, 2017, 38(12): 63-72.
[6]	Chun-nan ZHOU,Shao-bin HUANG,Rong-hua CHI,Ya LI,Da-peng LANG. High-order fuzzy time series self-adaption prediction method based on spectral clustering [J]. Journal on Communications, 2016, 37(2): 107-115.
[7]	Kuang-yu QIN,Chuan-he HUANG,Cai-hua WANG,Jiao-li SHI,Di WU,Xi CHEN. Balanced multiple controllers placement with latency and capacity bound in software-defined network [J]. Journal on Communications, 2016, 37(11): 90-103.
[8]	Jie XIANG,Dong-qin ZHAO. Improved spectral clustering algorithm and its application in MCI detection [J]. Journal on Communications, 2015, 36(4): 27-34.
[9]	Jian WU,Zhi-ming CUI,Yu-jie SHI,Sheng-li SHENG,Sheng-rong GONG. Local density-based similarity matrix construction for spectral clustering [J]. Journal on Communications, 2013, 34(3): 14-22.
[10]	Sen XU,Zhi-mao LU,Guo-chang GU. Spectral clustering algorithms for document cluster ensemble problem [J]. Journal on Communications, 2010, 31(6): 0-66.