Journal on Communications, 2022, Vol. 43, Issue 9: 224-239. doi: 10.11959/j.issn.1000-436x.2022166
Correspondences
Jing ZHAO1,2, Jun LI1,2, Chun LONG1,2, Wei WAN1,2, Jinxia WEI1,2, Kai CHEN1,2
Revised: 2022-08-12. Online: 2022-09-25. Published: 2022-09-01.
Jing ZHAO, Jun LI, Chun LONG, Wei WAN, Jinxia WEI, Kai CHEN. Unsupervised detection method of RoQ covert attacks based on multilayer features[J]. Journal on Communications, 2022, 43(9): 224-239.
"
设备 | 配置 |
攻击主机 | Windows 10系统,处理器Intel(R) Core (TM),i7-6700,CPU @ 3.40 GHz,8 GB RAM |
正常主机 | Windows 10系统,处理器Intel(R) Core (TM),i7-6498DU,CPU @ 2.50GHz,8 GB RAM |
捕获主机 | Windows10系统,处理器Intel(R) Core (TM),i7-9700,CPU @ 3.00 GHz,8 GB RAM,配置Wireshark 流量捕获软件 |
目标服务器 | Apache,Windows Server 7,处理器Intel(R) Core (TM),i7-6700,CPU @ 3.40GHz,8 GB RAM |
图形工作站 | Windows 10系统,处理器Intel(R) Xeon(R) Gold 5218, CPU @ 2.30 GHz (2颗),内存128 GB,显卡NVIDIA Quadro RTX 5000 |
"
Datasets

| No. | Dataset | Anomaly:normal ratio (packets) | Anomaly:normal ratio (flows) | Packets | Flows | Protocol | Description |
|---|---|---|---|---|---|---|---|
| 1 | Slowheaders | 1:100 | 1:40 | 6728507 | 3950 | HTTP | Slowheaders attack traffic from the ISCX-SlowDoS-2016 dataset mixed with normal traffic from the CIRA-CIC-DoHBrw-2020 dataset |
| 2 | WebDoS | 1:35 | 1:10 | 6852052 | 4931 | HTTP | WebDoS attack traffic from the CIC-DDoS-2019 dataset mixed with normal traffic from the CIRA-CIC-DoHBrw-2020 dataset |
| 3 | DoS slowloris | 1:20 | 1:18 | 9072873 | 8808 | HTTP | Slowbody2 attack traffic from the ISCX-SlowDoS-2016 dataset mixed with normal traffic from the CIRA-CIC-DoHBrw-2020 dataset |
| 4 | TCP-Congestion DoS | 1:129 | 1:50 | 6711428 | 8433 | TCP | Attack traffic that exploits the TCP congestion-control mechanism, generated in the experimental environment, mixed with normal traffic from a real network |
| 5 | Router LDoS | 1:100 | 1:30 | 8741118 | 4785 | IP | Attack traffic that exploits the router queue mechanism, generated in the experimental environment, mixed with normal traffic from a real network |
| 6 | Mixed data 1 | 1:100 | 1:100 | 7162332 | 10188 | Full stack | Mixture of the traffic in datasets 1, 2 and 3 |
| 7 | Mixed data 2 | 1:100 | 1:100 | 7852130 | 8795 | Full stack | Mixture of the traffic in datasets 1, 2, 3, 4 and 5 |
| 8 | Covert attack 1[ | 1:1000 | 1:1000 | 420000 | 3500 | TCP | Side-channel attack |
Multilayer features

| Feature | Description |
|---|---|
| Total packets | Total number of packets in the time window |
| Maximum packet count | Maximum number of packets among the flows formed over a fixed time interval |
| Minimum packet count | Minimum number of packets among the flows formed over a fixed time interval |
| Packet-count difference | Difference between the maximum and minimum packet counts of the flows formed over a fixed time interval |
| Frequency domain | Frequency-domain transform of the packet-count series over the time window |
| Source IP entropy | Information entropy of the source IP addresses of the packets in the time window |
| Source port entropy | Information entropy of the source ports of the packets in the time window |
| Destination port entropy | Information entropy of the destination ports of the packets in the time window |
| Packet length entropy | Information entropy of the packet lengths in the time window |
| Time entropy | Information entropy of the inter-arrival times between packets in the time window |
| IP separation rate | Separation rate of the source-IP and destination-IP entropy features |
| Port separation rate | Separation rate of the source-port and destination-port entropy features |
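The following is an added example, not code from the paper, showing how the window-level features in the table above can be computed from a packet trace: per-interval packet counts and their max/min/difference, a frequency-domain feature taken from the DFT of the count series, and Shannon entropies of source IP, ports, packet length and inter-arrival time. The `Packet` record, the 1 s sub-interval, the 1 ms quantisation of inter-arrival times and the two traffic generators are this example's own assumptions; the page does not define the "separation rate" features beyond their names, so they are left out. The two traces are constructed in code, not captured data: one steady trace from ten clients, and one low-rate pulsing trace in which a single source sends a short burst every 2 s, the kind of periodic pattern a spectral feature is meant to surface.

```python
"""Multilayer window features for RoQ/LDoS traffic (added example, standard library only)."""
from collections import Counter
from dataclasses import dataclass
import cmath
import math


@dataclass(frozen=True)
class Packet:
    """One captured packet; the field names are this example's own, not the paper's."""
    ts: float       # capture timestamp in seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int     # bytes on the wire


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of an iterable of values."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def counts_per_interval(packets, window, interval):
    """Number of packets in each sub-interval of the window, relative to the first packet."""
    n = math.ceil(window / interval)
    counts = [0] * n
    t0 = packets[0].ts
    for p in packets:
        idx = min(int((p.ts - t0) / interval), n - 1)
        counts[idx] += 1
    return counts


def dominant_frequency_hz(series, interval):
    """Frequency-domain feature: the non-DC DFT bin with the largest magnitude, in Hz.

    A naive O(n^2) DFT keeps the example free of numpy; the window has only a
    handful of bins, so this is fast enough.
    """
    n = len(series)
    if n < 2:
        return 0.0
    mags = [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(series)))
            for k in range(n // 2 + 1)]
    k_best = max(range(1, len(mags)), key=lambda k: mags[k])
    return k_best / (n * interval)


def extract_features(packets, window=10.0, interval=1.0):
    """Feature vector for one observation window, following the feature table above."""
    packets = sorted(packets, key=lambda p: p.ts)
    counts = counts_per_interval(packets, window, interval)
    # inter-arrival times quantised to 1 ms before the entropy is taken (assumed bin width)
    gaps = [round(b.ts - a.ts, 3) for a, b in zip(packets, packets[1:])]
    return {
        "total_packets": len(packets),
        "max_count": max(counts),
        "min_count": min(counts),
        "count_range": max(counts) - min(counts),
        "dominant_freq_hz": dominant_frequency_hz(counts, interval),
        "src_ip_entropy": shannon_entropy(p.src_ip for p in packets),
        "src_port_entropy": shannon_entropy(p.src_port for p in packets),
        "dst_port_entropy": shannon_entropy(p.dst_port for p in packets),
        "length_entropy": shannon_entropy(p.length for p in packets),
        "iat_entropy": shannon_entropy(gaps),
    }


# --- constructed sample traffic (not captured data) --------------------------

def constructed_benign(window=10.0):
    """Steady traffic from ten clients with varied source ports and packet sizes."""
    pkts, t, i = [], 0.0, 0
    while t < window:
        pkts.append(Packet(t, f"10.0.0.{i % 10 + 1}", "192.0.2.10",
                           40000 + (i * 7) % 1000, 443 if i % 3 else 80,
                           60 + (i * 37) % 1400))
        t += 0.1 + (i % 5) * 0.01
        i += 1
    return pkts


def constructed_pulsing(window=10.0, period=2.0, burst=40):
    """Low-rate pulsing pattern: one source sends a 40 ms burst every `period` seconds."""
    pkts, t = [], 0.0
    while t < window:
        pkts.extend(Packet(t + j * 0.001, "10.0.0.99", "192.0.2.10", 51000, 80, 60)
                    for j in range(burst))
        t += period
    return pkts


if __name__ == "__main__":
    for name, trace in (("benign", constructed_benign()), ("pulsing", constructed_pulsing())):
        print(name, extract_features(trace))
```

On the pulsing trace the count series is 40, 0, 40, 0, ... over ten 1 s bins, so the spectrum peaks at 0.5 Hz (the pulse period), the count range is the full burst size, and the source-IP entropy collapses to zero, whereas the steady trace has a flat count series and IP entropy near log2(10). Those are the contrasts the multilayer feature vector is meant to expose before any clustering step is applied.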
"
数据集 | K-means | Autoencoder | Whisper | u-Shapelet | 本文方法 |
Slowheaders | 50.00% | 85.44% | 92.98% | 90.79% | |
Slowbody2 | 50.00% | 74.23% | 93.67% | 92.84% | |
DoS slowloris | 59.56% | 82.42% | 94.45% | 92.80% | 94.18% |
TCP-Congestion DoS | 58.82% | 78.47% | 90.88% | 94.36% | |
Router LDoS | 50.55% | 68.04% | 86.67% | 88.71% | |
混合数据1 | 60.19% | 83.78% | 91.78% | 92.10% | |
混合数据2 | 55.45% | 66.17% | 88.24% | 86.96% | |
隐蔽攻击1 | 39.36% | 76.73% | 83.33% | 87.25% |
"
| Dataset | K-means | Autoencoder | Whisper | u-Shapelet | Proposed method |
|---|---|---|---|---|---|
| Slowheaders | 45.45% | 86.18% | 89.77% | 92.24% | |
| Slowbody2 | 45.45% | 75.36% | 91.87% | 91.70% | |
| DoS slowloris | 57.27% | 84.07% | 87.64% | 91.73% | |
| TCP-Congestion DoS | 55.00% | 73.16% | 87.82% | 91.33% | |
| Router LDoS | 45.91% | 65.73% | 85.95% | 87.59% | |
| Mixed data 1 | 55.45% | 85.23% | 90.98% | 93.25% | |
| Mixed data 2 | 50.45% | 65.09% | 83.55% | 69.09% | |
| Covert attack 1 | 36.36% | 73.14% | 85.39% | 70.91% | |
| Dataset | K-means | Autoencoder | Whisper | u-Shapelet | Proposed method |
|---|---|---|---|---|---|
| Slowheaders | 50.00% | 87.66% | 90.61% | 92.70% | |
| Slowbody2 | 47.37% | 78.81% | 92.45% | 92.35% | |
| DoS slowloris | 61.83% | 86.04% | 88.09% | 92.26% | |
| TCP-Congestion DoS | 58.33% | 73.99% | 88.55% | 93.43% | |
| Router LDoS | 47.92% | 69.05% | 87.20% | 88.50% | |
| Mixed data 1 | 56.52% | 86.972% | 91.72% | 93.93% | |
| Mixed data 2 | 52.83% | 69.72% | 84.11% | 63.83% | |
| Covert attack 1 | 42.53% | 74.73% | 86.44% | 68.63% | |
Attacks mixed with TLS traffic at different ratios

| Attack | Ratio | Proposed method | K-means | Autoencoder | u-Shapelet |
|---|---|---|---|---|---|
| Slowheaders+TLS | 1:1 | 0.912 | 0.781 | 0.771 | 0.870 |
| Slowheaders+TLS | 1:2 | 0.875 | 0.625 | 0.840 | 0.770 |
| Slowheaders+TLS | 1:4 | 0.930 | 0.521 | 0.763 | 0.780 |
| Slowheaders+TLS | 1:8 | 0.890 | 0.623 | 0.611 | 0.758 |
| Slowbody2+TLS | 1:1 | 0.903 | 0.710 | 0.840 | 0.810 |
| Slowbody2+TLS | 1:2 | 0.925 | 0.520 | 0.700 | 0.823 |
| Slowbody2+TLS | 1:4 | 0.842 | 0.421 | 0.860 | 0.782 |
| Slowbody2+TLS | 1:8 | 0.894 | 0.628 | 0.611 | 0.691 |
| WebDoS+TLS | 1:1 | 0.940 | 0.500 | 0.861 | 0.851 |
| WebDoS+TLS | 1:2 | 0.952 | 0.880 | 0.755 | 0.720 |
| WebDoS+TLS | 1:4 | 0.891 | 0.785 | 0.880 | 0.761 |
| WebDoS+TLS | 1:8 | 0.910 | 0.341 | 0.810 | 0.650 |
| TCP-Congestion DoS+TLS | 1:1 | 0.897 | 0.823 | 0.779 | 0.879 |
| TCP-Congestion DoS+TLS | 1:2 | 0.914 | 0.575 | 0.659 | 0.875 |
| TCP-Congestion DoS+TLS | 1:4 | 0.880 | 0.129 | 0.762 | 0.840 |
| TCP-Congestion DoS+TLS | 1:8 | 0.814 | 0.620 | 0.830 | 0.852 |
| Router LDoS+TLS | 1:1 | 0.896 | 0.680 | 0.681 | 0.871 |
| Router LDoS+TLS | 1:2 | 0.850 | 0.700 | 0.700 | 0.813 |
| Router LDoS+TLS | 1:4 | 0.760 | 0.355 | 0.813 | 0.660 |
| Router LDoS+TLS | 1:8 | 0.793 | 0.400 | 0.790 | 0.560 |
References

[1] GUIRGUIS M, THARP J, BESTAVROS A, et al. Assessment of vulnerability of content adaptation mechanisms to RoQ attacks[C]// Proceedings of the 8th International Conference on Networks. Piscataway: IEEE Press, 2009: 445-450.
[2] GUIRGUIS M, BESTAVROS A, MATTA I. Exploiting the transients of adaptation for RoQ attacks on Internet resources[C]// Proceedings of the 12th IEEE International Conference on Network Protocols. Piscataway: IEEE Press, 2004: 184-195.
[3] LUO X P, CHANG R K C. On a new class of pulsing denial-of-service attacks and the defense[C]// Proceedings of the NDSS Symposium 2005. Piscataway: IEEE Press, 2005: 1-19.
[4] GUIRGUIS M, BESTAVROS A, MATTA I, et al. Reduction of quality (RoQ) attacks on dynamic load balancers: vulnerability assessment and design tradeoffs[C]// Proceedings of the 26th IEEE International Conference on Computer Communications. Piscataway: IEEE Press, 2007: 857-865.
[5] JAZI H H, GONZALEZ H, STAKHANOVA N, et al. Detecting HTTP-based application layer DoS attacks on Web servers in the presence of sampling[J]. Computer Networks, 2017, 121: 25-36.
[6] YUE M, WANG M X, WU Z J. Low-high burst: a double potency varying-RTT based full-buffer shrew attack model[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 18(5): 2285-2300.
[7] VACCARI I, AIELLO M, CAMBIASO E. SlowITe, a novel denial of service attack affecting MQTT[J]. Sensors, 2020, 20(10): 2932.
[8] MERGET R, SOMOROVSKY J, AVIRAM N, et al. Scalable scanning and automatic classification of TLS padding oracle vulnerabilities[C]// Proceedings of the 28th USENIX Conference on Security Symposium. Berkeley: USENIX Association, 2019: 1029-1046.
[9] CHEN Y, HWANG K. Collaborative detection and filtering of shrew DDoS attacks using spectral analysis[J]. Journal of Parallel and Distributed Computing, 2006, 66(9): 1137-1151.
[10] AGRAWAL N, TAPASWI S. Low rate cloud DDoS attack defense method based on power spectral density analysis[J]. Information Processing Letters, 2018, 138: 44-50.
[11] WU Z J, PEI B S. The detection of LDoS attack based on the model of small signal[J]. Acta Electronica Sinica, 2011, 39(6): 1456-1460. (in Chinese)
[12] TANG D, CHEN K, CHEN X S, et al. A new detection method based on AEWMA algorithm for LDoS attacks[J]. Journal of Networks, 2014, 9(11): 2981.
[13] TANG D, DAI R, TANG L, et al. Low-rate DoS attack detection based on two-step cluster analysis[C]// Information and Communications Security. Berlin: Springer, 2018: 92-104.
[14] TANG D, DAI R, TANG L, et al. Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis[J]. Human-Centric Computing and Information Sciences, 2020, 10(1): 1-20.
[15] WU Z J, ZHANG L Y, YUE M. Low-rate DoS attacks detection based on network multifractal[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(5): 559-567.
[16] KOAY A, CHEN A, WELCH I, et al. A new multi classifier system using entropy-based features in DDoS attack detection[C]// Proceedings of 2018 International Conference on Information Networking (ICOIN). Piscataway: IEEE Press, 2018: 162-167.
[17] TANG D, ZHANG S Q, CHEN J W, et al. The detection of low-rate DoS attacks using the SADBSCAN algorithm[J]. Information Sciences, 2021, 565: 229-247.
[18] TANG D, TANG L, DAI R, et al. MF-Adaboost: LDoS attack detection based on multi-features and improved Adaboost[J]. Future Generation Computer Systems, 2020, 106: 347-359.
[19] WU Z J, LIU L, YUE M. Detection method of LDoS attacks based on combination of ANN & KPCA[J]. Journal on Communications, 2018, 39(5): 11-22. (in Chinese)
[20] LIU L, WANG H Y, WU Z J, et al. The detection method of low-rate DoS attack based on multi-feature fusion[J]. Digital Communications and Networks, 2020, 6(4): 504-513.
[21] WANG X, QIAN B Y, DAVIDSON I. On constrained spectral clustering and its applications[J]. Data Mining and Knowledge Discovery, 2014, 28(1): 1-30.
[22] CHEN F, YU R, LIU W M. Internet of things attack group identification model combined with spectral clustering[C]// Proceedings of 2021 IEEE 21st International Conference on Communication Technology. Piscataway: IEEE Press, 2021: 778-782.
[23] YE L X, KEOGH E. Time series shapelets: a new primitive for data mining[C]// Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM Press, 2009: 947-956.
[24] ZAKARIA J, MUEEN A, KEOGH E. Clustering time series using unsupervised-shapelets[C]// Proceedings of 2012 IEEE 12th International Conference on Data Mining. Piscataway: IEEE Press, 2012: 785-794.
[25] HILLS J, LINES J, BARANAUSKAS E, et al. Classification of time series by shapelet transformation[J]. Data Mining and Knowledge Discovery, 2014, 28(4): 851-881.
[26] HU W J, YANG Y, CHENG Z Q, et al. Time-series event prediction with evolutionary state graph[C]// Proceedings of the 14th ACM International Conference on Web Search and Data Mining. New York: ACM Press, 2021: 580-588.
[27] MEDICO R, RUYSSINCK J, DESCHRIJVER D, et al. Learning multivariate shapelets with multi-layer neural networks for interpretable time-series classification[J]. Advances in Data Analysis and Classification, 2021, 15(4): 911-936.
[28] SHARAFALDIN I, LASHKARI A H, HAKAK S, et al. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy[C]// Proceedings of 2019 International Carnahan Conference on Security Technology (ICCST). Piscataway: IEEE Press, 2019: 1-8.
[29] MONTAZERISHATOORI M, DAVIDSON L, KAUR G, et al. Detection of DoH tunnels using time-series classification of encrypted traffic[C]// Proceedings of 2020 IEEE International Conference on Dependable, Autonomic and Secure Computing, International Conference on Pervasive Intelligence and Computing, International Conference on Cloud and Big Data Computing, International Conference on Cyber Science and Technology Congress. Piscataway: IEEE Press, 2020: 63-70.
[30] FENG X W, FU C P, LI Q, et al. Off-path TCP exploits of the mixed IPID assignment[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2020: 1323-1335.
[31] ZHANG Q, WU J, ZHANG P, et al. Salient subsequence learning for time series clustering[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019, 41(9): 2193-2207.
[32] HINDY H, ATKINSON R, TACHTATZIS C, et al. Utilising deep learning techniques for effective zero-day attack detection[J]. Electronics, 2020, 9(10): 1684.
[33] FU C P, LI Q, SHEN M, et al. Realtime robust malicious traffic detection via frequency domain analysis[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2021: 3431-3446.