CN108632269B - Distributed denial of service attack detection method based on C4.5 decision tree algorithm - Google Patents


Info

Publication number
CN108632269B
Authority
CN
China
Prior art keywords
information
attribute
decision tree
attack
gain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810412986.1A
Other languages
Chinese (zh)
Other versions
CN108632269A (en)
Inventor
刘俊杰
王珺
王梦林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a distributed denial of service (DDoS) attack detection method based on the C4.5 decision tree algorithm for a software-defined network environment, which comprises the following steps: collecting the flow table information returned by the OpenFlow switches through the OpenFlow protocol; extracting the fields of the flow table information related to DDoS attacks and converting them into parameters that characterize changes in the network flow distribution, which serve as attributes and form the training set of a decision tree; classifying the traffic with the C4.5 decision tree algorithm and calculating the class information entropy from the classification of the training set data; calculating in turn the conditional entropy of each attribute, the information gain, the information entropy of the attribute and the information gain ratio of the attribute; selecting the attribute with the maximum information gain ratio as the root node of the decision tree, then selecting the attribute with the maximum information gain ratio among the remaining attributes as a branch node, and repeating these steps until the decision tree is formed; and classifying new network traffic with the resulting decision tree to detect whether a DDoS attack is present. The invention detects DDoS attacks more accurately.

Description

Distributed denial of service attack detection method based on C4.5 decision tree algorithm
Technical Field
The invention relates to the technical field of computer communication, in particular to a method for detecting denial of service attacks in a software-defined network environment, and more particularly to a method for detecting distributed denial of service attacks based on the C4.5 decision tree algorithm.
Background
At present, the number of network devices connected to the Internet is growing at an accelerating rate: not only are mobile devices proliferating, but emerging technologies are also rapidly adding devices to the network. The ever-increasing size of networks leads to more complex networks and poses more challenges, and existing network technologies and facilities cannot support such increasingly complex systems. To design future networks that can meet these rapidly evolving needs, many approaches have been proposed, of which software-defined networking is one of the more important.
The prominent feature of a software-defined network is the decoupling of the data plane from the control plane in network devices. In a conventional network, a router determines where to forward a packet through a routing algorithm. In a software-defined network, decision making and forwarding are separated: the decision-making process is provided by the controller, and data forwarding is handled by the switches. Simplified network equipment and centralized management are the most practical features of software-defined networks. Although software-defined networking is advantageous in many respects, a number of challenges need attention. There has been limited research on the security of software-defined networks; their vulnerabilities stem from two characteristics, the centralization of the network and the fact that the network intelligence in the controller is controlled by software. These characteristics can lead to trust problems and to a single point of management failure. Trust issues can be addressed by application authorization and authentication mechanisms; a single point of management failure can be caused by compromising the availability of the controller, and distributed denial of service attacks are one of the most common ways of doing so. A denial of service attack essentially denies legitimate users the use of system resources and reduces system availability. Its basic mechanism is to send a large amount of excess network traffic to the target so that it cannot respond to genuine service requests. If an attacker uses multiple sources, the attack is called a distributed denial of service attack, which is harder to deal with than a single-source denial of service.
One drawback of the software-defined networking architecture in the face of distributed denial of service attacks is that the switches are too passive: they send every packet of an unknown flow to the controller, which, given the controller's role as central manager, can have catastrophic consequences if the controller is saturated with attack traffic.
Some methods exist for detecting distributed denial of service attacks in a software-defined network environment, for example processing data packet information and deciding whether an attack is under way on the basis of an entropy calculation, or finding potential victims and attackers by continuously monitoring the flow of data packets. The detection success rate of these methods is low and their false alarm rate is high.
Disclosure of Invention
The main aim of the invention is to remedy the defects of the prior art by providing a distributed denial of service attack detection method based on the C4.5 decision tree algorithm that achieves a higher detection success rate and a lower false alarm rate. The specific technical scheme is as follows:
A distributed denial of service attack detection method based on the C4.5 decision tree algorithm is a detection method for distributed denial of service attacks in a software-defined network environment; the method includes the following steps:
S1: collecting the flow table information returned by the OpenFlow switches through the OpenFlow protocol;
S2: extracting the fields of the flow table information related to DDoS attacks and converting them into parameters that characterize changes in the network flow distribution, which serve as attributes and form the training set of a decision tree;
S3: classifying the network traffic with the C4.5 decision tree algorithm and calculating the class information entropy from the classification of the training set data;
S4: calculating in turn the conditional entropy of each attribute, the information gain, the information entropy of the attribute and the information gain ratio of the attribute;
S5: selecting the attribute with the maximum information gain ratio as the root node of the decision tree, then selecting the attribute with the maximum information gain ratio among the remaining attributes as a branch node, and repeating steps S3 and S4 to form the decision tree;
S6: classifying new network traffic with the decision tree formed in step S5 and detecting whether a DDoS attack is present.
The invention is further improved in that the attributes comprise the average number of packets per flow ANPPF, the pair-flow ratio PCF, the port growth speed PGS and the source IP growth speed SGS; the conditional entropy of an attribute represents the total uncertainty of the classes under the condition of that attribute and is calculated by the formula
Figure BDA0001647078330000031
where Ax denotes each attribute, the training set is divided into n subsets D1, D2, …, Dn according to the attribute, n is the number of distinct cases under attribute Ax, |Di| is the number of samples in each case out of the total number of samples |D|, and Info(Di) is the information entropy of each subset.
The invention is further improved in that the average number of packets per flow ANPPF is used to judge whether an attack with illegal IPs is present; the pair-flow ratio PCF represents the interaction state in which the packets replied by the victim cannot reach the botnet during the attack; and the port growth speed PGS and the source IP growth speed SGS change markedly when the network is under attack and can be used to judge whether an illegal attack is present.
The invention is further improved in that the network traffic comprises normal traffic and attack traffic, and the class information entropy of the two is calculated by the formula
Figure BDA0001647078330000041
to obtain Info(D).
The invention is further improved in that the information entropy of an attribute represents the split information of the attribute and is calculated by the formula
Figure BDA0001647078330000042
Calculating to obtain; gain-passing Gain (A) of said informationx)=Info(D)-Info(Ax) Calculating to obtain; the information gain ratio is a supplement to the original information gain used alone, and is given by the formula IGR (A)x)=Gain(Ax)/H(Ax) And (4) calculating.
The distributed denial of service attack detection method based on the C4.5 decision tree algorithm comprises the steps of firstly obtaining flow table information returned by an OpenFlow switch through an OpenFlow protocol, then extracting parameters related to DDoS attack in the flow table information and converting the parameters into parameters capable of analyzing network flow distribution change to serve as attributes, and enabling the attributes to form a training set of a decision tree; classifying the types of the network traffic based on a C4.5 decision tree algorithm, respectively calculating the type information entropy, the conditional entropy, the gain, the information gain rate and the information gain rate of the attributes of the network traffic to obtain a decision tree, and finally classifying a new data set through the decision tree to detect whether DDoS attack exists; compared with the prior art, the method and the device can more accurately detect whether the DDoS attack exists in the network, and the detection accuracy is more accurate.
Drawings
FIG. 1 is a block flow diagram of the attack detection method according to the present invention;
FIG. 2 is a block diagram of a software-defined network according to the present invention;
FIG. 3 is a schematic flow chart of the attack detection method according to the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the described embodiments are merely illustrative of some, but not all, of the embodiments of the invention, and that the preferred embodiments of the invention are shown in the drawings. This invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, but rather should be construed as broadly as the present disclosure is set forth in order to provide a more thorough understanding thereof. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1, the embodiment of the invention provides a distributed denial of service attack detection method based on the C4.5 decision tree algorithm, namely a method for detecting distributed denial of service attacks in a software-defined network environment. Referring to FIG. 2, the network environment includes a network application, a network controller and a data plane; the network application controls the exchange of data with the data plane through the network, the network controller is connected to the network application and to the data plane through specific interfaces, and the data plane includes a plurality of node devices. Referring to FIG. 3, the method first computes flow statistics on the collected flow tables, extracts the corresponding features from the flow table statistics, derives a detection basis from the features, then classifies subsequent new flows against that detection basis and obtains the final classification result. Specifically, the method is described as follows:
S1: collecting the flow table information returned by the OpenFlow switches through the OpenFlow protocol;
In the invention, the software-defined network controller periodically sends flow table request messages through the OpenFlow protocol to all software-defined network switches and obtains the flow table information returned by the OpenFlow switches. Specifically, the time interval is set to 5 seconds, consistent with the timeout after which the controller deletes flows that have not recently been matched, so that the flow table information is collected more comprehensively and completely.
S2: extracting the fields of the flow table information related to DDoS attacks and converting them into parameters that characterize changes in the network flow distribution, which serve as attributes and form the training set of a decision tree;
Generally, a training set must be formed before a decision tree can be built. In the invention, after the flow table information returned by the OpenFlow switches has been collected through the OpenFlow protocol, the fields of the flow table information related to DDoS attacks are extracted and converted into parameters that describe the network flow distribution, which serve as attributes and form the training set. Specifically, the attributes include the average number of packets per flow ANPPF, the pair-flow ratio PCF, the port growth speed PGS and the source IP growth speed SGS, where the average number of packets per flow is
Figure BDA0001647078330000061
where PacketsNumi is the number of packets in the i-th flow during the time interval and FlowNum is the total number of flows during the time interval; the pair-flow ratio is PCF = 2 × Pair / FlowNum, where Pair is the number of interactive flow pairs; the port growth speed is PGS = PortsNum / interval, where PortsNum is the number of distinct ports in a given time interval and interval is the time interval; and the source IP growth speed is SGS = sIPNum / interval, where sIPNum is the number of distinct source IP addresses. The values of the attributes are obtained by these calculations and form the training set of the decision tree. Denoting the training set by D, the corresponding decision tree can be constructed from D; see step S3 below.
In the embodiment of the invention, the average number of packets per flow is used because an attacker usually attacks by continuously and randomly generating illegal IPs, so that the rate at which flows are generated rises markedly and the number of packets per flow falls; the pair-flow ratio is used because the packets returned by the victim during the attack cannot reach the botnet, so the pair-flow ratio represents the interaction state; and the port growth speed and the source IP growth speed are used because they change markedly during an attack. A decision tree formed from the training set composed of these attributes can therefore determine whether a DDoS attack is present in the network traffic by combining several different decision criteria.
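As an added example (not code from the patent or its authors), the following Python computes the four attributes of step S2 over one polling interval from a constructed flow-table window and turns them into a training-set row. The FlowEntry shape, the choice of counting distinct destination ports for PortsNum, and the high/mid/low cut-offs are assumptions; the page only states the formulas and the 5-second interval.

```python
from dataclasses import dataclass

# Constructed minimal flow-table entry (assumption: only the match fields and the
# packet counter that the four attributes need, not the OpenFlow wire format).
@dataclass(frozen=True)
class FlowEntry:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    packet_count: int

INTERVAL_SECONDS = 5  # flow-table polling interval given in the description

def count_pairs(flows):
    """Pair: number of interactive flow pairs, i.e. a flow A->B whose reverse B->A
    (addresses and ports swapped) is also in the table. Each pair is counted once."""
    keys = {(f.src_ip, f.dst_ip, f.src_port, f.dst_port) for f in flows}
    pairs = 0
    for key in keys:
        src_ip, dst_ip, sport, dport = key
        reverse = (dst_ip, src_ip, dport, sport)
        if reverse in keys and key < reverse:
            pairs += 1
    return pairs

def extract_attributes(flows, interval=INTERVAL_SECONDS):
    """ANPPF, PCF, PGS and SGS for one polling interval, as defined in step S2."""
    flow_num = len(flows)
    if flow_num == 0:  # empty window: nothing to characterise
        return {"ANPPF": 0.0, "PCF": 0.0, "PGS": 0.0, "SGS": 0.0}
    anppf = sum(f.packet_count for f in flows) / flow_num  # average packets per flow
    pcf = 2 * count_pairs(flows) / flow_num                # 2 x Pair / FlowNum
    ports_num = len({f.dst_port for f in flows})           # assumption: distinct destination ports
    pgs = ports_num / interval                             # PortsNum / interval
    sgs = len({f.src_ip for f in flows}) / interval        # sIPNum / interval
    return {"ANPPF": anppf, "PCF": pcf, "PGS": pgs, "SGS": sgs}

# Hypothetical (low, high) cut-offs for the high/middle/low cases the description
# mentions; a real deployment would derive them from its own traffic baseline.
THRESHOLDS = {
    "ANPPF": (5.0, 50.0),
    "PCF": (0.3, 0.7),
    "PGS": (0.5, 1.0),
    "SGS": (0.5, 1.0),
}

def discretise(attributes, thresholds=THRESHOLDS):
    """Map each numeric attribute to 'low', 'mid' or 'high' using the cut-offs."""
    cases = {}
    for name, value in attributes.items():
        low_cut, high_cut = thresholds[name]
        cases[name] = "low" if value < low_cut else "mid" if value < high_cut else "high"
    return cases

def training_row(flows, label):
    """One training-set row: discretised attributes plus the traffic class label."""
    row = discretise(extract_attributes(flows))
    row["label"] = label
    return row

# Constructed sample windows. Normal: two request/response pairs carrying many packets.
NORMAL_WINDOW = [
    FlowEntry("10.0.0.1", "10.0.0.2", 40000, 80, 120),
    FlowEntry("10.0.0.2", "10.0.0.1", 80, 40000, 95),
    FlowEntry("10.0.0.3", "10.0.0.2", 40001, 443, 60),
    FlowEntry("10.0.0.2", "10.0.0.3", 443, 40001, 58),
]
# Attack: single-packet flows from many source addresses to many ports, with no replies.
ATTACK_WINDOW = [
    FlowEntry(f"198.51.100.{i}", "10.0.0.2", 1024 + i, 1000 + i, 1) for i in range(1, 7)
]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, extract_attributes(window), training_row(window, name))
```

On the constructed windows the normal traffic gives a high ANPPF and a PCF of 1.0 (every flow has its reverse), while the attack window gives one packet per flow, no pairs, and port and source-IP growth speeds above one per second, which is the separation the four attributes are meant to expose.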
S3: classifying the network traffic with the C4.5 decision tree algorithm and calculating the class information entropy from the classification of the training set data; and S4: calculating in turn the conditional entropy of each attribute, the information gain, the information entropy of the attribute and the information gain ratio of the attribute;
In the invention, obtaining a decision tree requires finding its root node and branch nodes, which are obtained as follows:
First, the network traffic is classified with the C4.5 decision tree algorithm; in this embodiment it is divided into normal traffic and attack traffic. Then the information entropy of the traffic classes is calculated from the training set data D by the formula
Figure BDA0001647078330000071
where |Ci| is the number of samples of normal or attack traffic and |C| is the total number of samples. Next, the conditional entropy of each of the four attributes is calculated from the classes under each attribute value by the formula
Figure BDA0001647078330000081
where Ax denotes each attribute, the training set is divided into n subsets D1, D2, …, Dn according to the attribute, n is the number of distinct cases under attribute Ax (for example, the attribute values can be divided into three cases, high, middle and low, according to their size), |Di| is the number of samples in each case out of the total number of samples |D|, and Info(Di) is the information entropy of each subset. The conditional entropy represents the total uncertainty with which the various classes appear under the condition of a given attribute. The information gain is calculated as Gain(Ax) = Info(D) - Info(Ax). The information entropy of each attribute is given by
Figure BDA0001647078330000082
and serves as the split information measure: it takes into account the number and size of the branches into which an attribute splits the data, which improves the accuracy of the DDoS attack decision. The information gain ratio of each attribute is calculated by the formula IGR(Ax) = Gain(Ax) / H(Ax) and supplements the original use of the information gain alone. In summary, by combining the information entropy of the network traffic classes, the conditional entropy of each attribute, the information gain, the information entropy of each attribute and the information gain ratio of each attribute, the characteristics of the network traffic are well expressed, so that the presence of a DDoS attack in the network traffic can be judged and predicted.
S5: selecting the attribute with the maximum information gain ratio as the root node of the decision tree, then selecting the attribute with the maximum information gain ratio among the remaining attributes as a branch node, and repeating steps S3 and S4 to form the decision tree;
In the invention, the attribute with the maximum information gain ratio calculated in steps S3 and S4 is taken as the root node of the decision tree, the attribute with the maximum information gain ratio among the remaining attributes is taken as a branch node, and steps S3 and S4 are repeated several times to find the attributes ranked first and second by information gain ratio, which serve as the root node and branch node of the decision tree respectively, until the decision tree is finally formed.
S6: classifying new network traffic with the decision tree formed in step S5 and detecting whether a DDoS attack is present.
In the embodiment, once the decision tree is formed, it is used to classify the network traffic, thereby detecting DDoS attacks in the network traffic accurately, so that countermeasures can be taken promptly once a DDoS attack is detected and the safe operation of the network is protected.
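As an added example (not the patent's own code), the following Python carries the quantities of steps S3 to S5 through on a constructed, already-discretised training set using the description's symbols (Info(D), Info(Ax), Gain(Ax), H(Ax), IGR(Ax)), builds the tree by repeatedly taking the attribute with the maximum information gain ratio, and classifies new samples as in step S6. The training rows, the tie-break rule (the earliest attribute in ANPPF, PCF, PGS, SGS order wins) and the majority-class fallback for an attribute value not seen during training are assumptions.

```python
import math
from collections import Counter

ATTRIBUTES = ["ANPPF", "PCF", "PGS", "SGS"]

# Constructed training set D (assumption): each row holds the four attributes
# already discretised into the high/middle/low cases, plus the traffic class.
TRAINING_SET = [
    {"ANPPF": "high", "PCF": "high", "PGS": "low",  "SGS": "low",  "label": "normal"},
    {"ANPPF": "mid",  "PCF": "mid",  "PGS": "mid",  "SGS": "mid",  "label": "normal"},
    {"ANPPF": "mid",  "PCF": "high", "PGS": "mid",  "SGS": "low",  "label": "normal"},
    {"ANPPF": "low",  "PCF": "mid",  "PGS": "low",  "SGS": "low",  "label": "normal"},
    {"ANPPF": "low",  "PCF": "low",  "PGS": "high", "SGS": "high", "label": "attack"},
    {"ANPPF": "low",  "PCF": "low",  "PGS": "high", "SGS": "low",  "label": "attack"},
    {"ANPPF": "mid",  "PCF": "mid",  "PGS": "mid",  "SGS": "high", "label": "attack"},
    {"ANPPF": "high", "PCF": "low",  "PGS": "mid",  "SGS": "mid",  "label": "attack"},
]

def entropy_of_counts(counts, total):
    """Shannon entropy (bits) of a distribution given as counts out of total."""
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def info(rows):
    """Info(D): class information entropy over the labels, the |Ci|/|C| terms."""
    return entropy_of_counts(Counter(r["label"] for r in rows).values(), len(rows))

def conditional_entropy(rows, attr):
    """Info(Ax): sum over the subsets Di of |Di|/|D| * Info(Di)."""
    subsets = {}
    for r in rows:
        subsets.setdefault(r[attr], []).append(r)
    return sum(len(d) / len(rows) * info(d) for d in subsets.values())

def split_info(rows, attr):
    """H(Ax): entropy of the subset sizes, the split information of the attribute."""
    return entropy_of_counts(Counter(r[attr] for r in rows).values(), len(rows))

def gain(rows, attr):
    """Gain(Ax) = Info(D) - Info(Ax)."""
    return info(rows) - conditional_entropy(rows, attr)

def gain_ratio(rows, attr):
    """IGR(Ax) = Gain(Ax) / H(Ax); an attribute with a single value cannot split."""
    h = split_info(rows, attr)
    return gain(rows, attr) / h if h > 0 else 0.0

def build_tree(rows, attrs):
    """S5: the attribute with the maximum gain ratio becomes the node, then recurse
    on each of its cases. Ties go to the earliest attribute in attrs (assumption)."""
    labels = Counter(r["label"] for r in rows)
    majority = labels.most_common(1)[0][0]
    if len(labels) == 1 or not attrs:  # pure subset, or nothing left to split on
        return {"leaf": majority}
    best = max(attrs, key=lambda a: gain_ratio(rows, a))
    node = {"attr": best, "majority": majority, "children": {}}
    remaining = [a for a in attrs if a != best]
    for value in sorted({r[best] for r in rows}):
        node["children"][value] = build_tree([r for r in rows if r[best] == value], remaining)
    return node

def classify(tree, sample):
    """S6: walk the tree with a new sample's cases; an unseen value yields the node majority."""
    while "leaf" not in tree:
        child = tree["children"].get(sample.get(tree["attr"]))
        if child is None:
            return tree["majority"]
        tree = child
    return tree["leaf"]

if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"{a}: Gain={gain(TRAINING_SET, a):.4f} H={split_info(TRAINING_SET, a):.4f} "
              f"IGR={gain_ratio(TRAINING_SET, a):.4f}")
    tree = build_tree(TRAINING_SET, ATTRIBUTES)
    print(tree)
    print(classify(tree, {"ANPPF": "low", "PCF": "low", "PGS": "high", "SGS": "high"}))
```

On this training set PCF has the largest gain ratio and becomes the root; its "high" and "low" cases are already pure, and only the "mid" case needs a further split, where SGS separates the three remaining rows perfectly. Dividing by H(Ax) is what keeps a many-valued attribute from winning purely because it fragments the data into small subsets, which is the point of using the gain ratio rather than the gain alone.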
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described in the foregoing detailed description, or equivalent changes may be made in some of the features of the embodiments described above. All equivalent structures made by using the contents of the specification and the attached drawings of the invention can be directly or indirectly applied to other related technical fields, and are also within the protection scope of the patent of the invention.

Claims (1)

1. A distributed denial of service attack detection method based on the C4.5 decision tree algorithm, being a detection method for distributed denial of service attacks in a software-defined network environment, characterized by comprising the following steps:
S1: collecting the flow table information returned by the OpenFlow switches through the OpenFlow protocol;
S2: extracting the fields of the flow table information related to DDoS attacks and converting them into parameters that characterize changes in the network flow distribution, which serve as attributes and form the training set of a decision tree;
S3: classifying the network traffic with the C4.5 decision tree algorithm and calculating the class information entropy from the classification of the training set data;
S4: calculating in turn the conditional entropy of each attribute, the information gain, the information entropy of the attribute and the information gain ratio of the attribute;
S5: selecting the attribute with the maximum information gain ratio as the root node of the decision tree, then selecting the attribute with the maximum information gain ratio among the remaining attributes as a branch node, and repeating steps S3 and S4 to form the decision tree;
S6: classifying new network traffic with the decision tree formed in step S5 and detecting whether a DDoS attack is present;
wherein the attributes comprise the average number of packets per flow ANPPF, the pair-flow ratio PCF, the port growth speed PGS and the source IP growth speed SGS, the conditional entropy of an attribute represents the total uncertainty of the classes under the condition of that attribute and is calculated by the formula
Figure FDA0002452003660000011
Figure FDA0002452003660000012
where Ax denotes each attribute, the training set is divided into n subsets D1, D2, …, Dn according to the attribute, n is the number of distinct cases under attribute Ax, |Di| is the number of samples in each case out of the total number of samples |D|, and Info(Di) is the information entropy of each subset;
the average number of packets per flow ANPPF is used to judge whether an attack with illegal IPs is present; the pair-flow ratio PCF represents the interaction state in which the packets replied by the victim cannot reach the botnet during the attack; and the port growth speed PGS and the source IP growth speed SGS change markedly when the network is under attack and can be used to judge whether an illegal attack is present;
the network traffic comprises normal traffic and attack traffic, and the class information entropy of the normal traffic and the attack traffic is calculated by the formula
Figure FDA0002452003660000021
where |Ci| is the number of samples of normal or attack traffic and |C| is the total number of samples;
the information entropy of an attribute represents the split information of the attribute and is calculated by the formula
Figure FDA0002452003660000022
Calculating to obtain; gain-passing Gain (A) of said informationx)=Info(D)-Info(Ax) Calculating to obtain; the information gain rate is compared with the original simple gain rateUsing a complement of information gain, by the formula IGR (A)x)=Gain(Ax)/H(Ax) And (4) calculating.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810412986.1A CN108632269B (en) 2018-05-02 2018-05-02 Distributed denial of service attack detection method based on C4.5 decision tree algorithm

Publications (2)

Publication Number Publication Date
CN108632269A CN108632269A (en) 2018-10-09
CN108632269B true CN108632269B (en) 2020-06-02

Family

ID=63695244

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810412986.1A Active CN108632269B (en) 2018-05-02 2018-05-02 Distributed denial of service attack detection method based on C4.5 decision tree algorithm

Country Status (1)

Country Link
CN (1) CN108632269B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109831428B (en) * 2019-01-29 2021-04-20 Inner Mongolia University SDN network attack detection and defense method and device
CN110796331A (en) * 2019-09-11 2020-02-14 State Grid Zhejiang Electric Power Co., Ltd. Hangzhou Power Supply Company Power business collaborative classification method and system based on C4.5 decision tree algorithm
CN111800419B (en) * 2020-07-06 2021-06-15 Northeastern University DDoS attack detection system and method in SDN environment
CN114513470B (en) * 2020-10-23 2023-08-15 China Mobile Group Hebei Co., Ltd. Network flow control method, device, equipment and computer readable storage medium
CN112966741B (en) * 2021-03-05 2022-08-02 Beijing Institute of Technology Federated learning image classification method capable of defending against Byzantine attacks
CN112861093B (en) * 2021-04-25 2021-09-10 Shanghai Paraview Software Co., Ltd. Verification method, device and equipment for access data and storage medium
CN113807701A (en) * 2021-09-18 2021-12-17 State Grid Fujian Electric Power Co., Ltd. Power supply service quality analysis method based on information entropy decision tree algorithm
CN113741402A (en) * 2021-09-23 2021-12-03 Guangdong Power Grid Co., Ltd. Equipment control method and device, computer equipment and storage medium
CN117527369A (en) * 2023-11-13 2024-02-06 Wuxi Vocational Institute of Commerce Hash function-based Android malicious attack monitoring method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102054002A (en) * 2009-10-28 2011-05-11 China Mobile Communications Corporation Method and device for generating decision tree in data mining system
CN102227121A (en) * 2011-06-21 2011-10-26 Institute of Software, Chinese Academy of Sciences Distributed cache strategy adaptive switching method based on machine learning and system thereof
CN102271090A (en) * 2011-09-06 2011-12-07 University of Electronic Science and Technology of China Transport-layer-characteristic-based traffic classification method and device
CN104158800A (en) * 2014-07-21 2014-11-19 Nanjing University of Posts and Telecommunications Detection method of DDoS (Distributed Denial of Service) attack for software defined network (SDN)
CN105208037A (en) * 2015-10-10 2015-12-30 PLA Information Engineering University DoS/DDoS attack detecting and filtering method based on light-weight intrusion detection
CN108289104A (en) * 2018-02-05 2018-07-17 Chongqing University of Posts and Telecommunications Industrial SDN network DDoS attack detection and mitigation method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102035698B (en) * 2011-01-06 2012-07-25 Northwestern Polytechnical University HTTP tunnel detection method based on decision tree classification algorithm


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Traffic classification method based on C4.5 decision tree; Xu Peng et al.; Journal of Software; 2009-10-15; Vol. 20, No. 10; p. 2695, Section 2.2 *

Also Published As

Publication number Publication date
CN108632269A (en) 2018-10-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant