CN111224916B - DDOS attack detection method and device - Google Patents


Publication number: CN111224916B
Authority: CN (China)
Legal status: Active
Application number: CN201811406288.7A
Other languages: Chinese (zh)
Other versions: CN111224916A
Inventors: 冯剑, 王晨光, 周川楷
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Events: application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd; priority to CN201811406288.7A; publication of CN111224916A; application granted; publication of CN111224916B; legal status active; anticipated expiration.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service


Abstract

The invention discloses a method and a device for detecting DDOS (distributed denial of service) attacks. The method comprises: obtaining a feature vector of the flow in unit time; normalizing the feature vector to obtain a dimensionless sample to be detected; clustering the dimensionless sample to be detected together with the common center class of a detection model to determine two classes to be detected, the detection model having been determined by semi-supervised learning based on feature clustering of historical flow samples; and, if the class to be detected in which the dimensionless sample to be detected lies contains only that sample, determining that the dimensionless sample to be detected is a DDOS attack sample. Because whether the dimensionless sample to be detected is a DDOS attack sample is decided by a detection model obtained through semi-supervised learning based on feature clustering, compared with the existing detection scheme the false alarm rate and the missing report rate of DDOS attack detection can be reduced, the resource consumption of the system is reduced, and the detection capability for various DDOS attacks is enhanced.

Description

DDOS attack detection method and device
Technical Field
The embodiment of the invention relates to the technical field of big data, in particular to a method and a device for detecting Distributed Denial of Service (DDOS) attacks.
Background
The data currently used for DDOS detection comes from Netflow logs, which provide various network behavior data including seven-tuple information: source Internet Protocol (IP) address, source port, destination IP address, destination port, protocol, number of packets and number of bytes.
On the basis of the acquired Netflow log data, the current detection scheme establishes, per minute, a threshold on the number of packets or the traffic rate flowing into a given IP; when the number of packets or the traffic rate of a certain class is found to rise abnormally and exceed the threshold, the IP is considered to be under a DDOS attack.
However, the current DDOS attack detection scheme has a large number of false alarms and false negatives in practice, and therefore, a new DDOS attack detection method is urgently needed.
Disclosure of Invention
The embodiment of the invention provides a DDOS attack detection method and device, which are used for reducing the false alarm rate and the missing report rate of DDOS attack detection and reducing the resource consumption of a system.
The DDOS attack detection method provided by the embodiment of the invention comprises the following steps:
acquiring a characteristic vector of flow in unit time;
normalizing the characteristic vector to obtain a dimensionless sample to be detected;
clustering the dimensionless sample to be detected and a common center class in a detection model to determine two classes to be detected; the detection model is determined by semi-supervised learning based on feature clustering according to historical flow samples;
and if the class to be detected of the dimensionless sample to be detected only comprises the dimensionless sample to be detected, determining that the dimensionless sample to be detected is a DDOS attack sample.
Because whether the dimensionless sample to be detected is a DDOS attack sample or not is detected through the detection model obtained through the semi-supervised learning based on the feature clustering, compared with the existing detection scheme, the false alarm rate and the missing report rate of DDOS attack detection can be reduced, the resource consumption of the system is reduced, and the detection capability of various DDOS attacks is enhanced.
Optionally, the determining the detection model by performing semi-supervised learning of feature clustering according to the historical flow sample includes:
obtaining a historical flow sample of unit time;
carrying out normalization processing on each historical flow sample to obtain a dimensionless two-dimensional vector;
performing first clustering on the dimensionless two-dimensional vectors by using a K-means clustering algorithm based on Euclidean distance to obtain class center points of K classes;
performing secondary clustering by using the class center points of the K classes as clustering samples to obtain two detection classes;
judging whether the two detection classes include attack center points; if so, removing from the dimensionless two-dimensional vectors all those belonging to the attack center points and clustering the remaining dimensionless two-dimensional vectors to obtain a plurality of common center points as the detection model; otherwise, using the class center points of the K classes obtained by the first clustering as the detection model.
Optionally, the determining whether the two detection classes include an attack center point includes:
for either one of the two detection classes, determining the class center point in that detection class farthest from the origin as a first class center point;
clustering the first-class central point and all central points in another detection class to obtain two judgment classes;
if the judgment class in which the first class center point lies contains only the first class center point, determining that the class center points in that detection class are attack center points; otherwise, determining that the first class center point is not an attack center point, taking the class center point next farthest from the origin in that detection class as the new first class center point, and continuing to cluster it with all center points in the other detection class until every class center point in that detection class has been found not to be an attack center point.
Optionally, the feature vector of the flow includes a flow mean value and a flow connection density entropy, where the flow connection density is the number of flows per unit time.
Optionally, the detection model includes a maximum value and a minimum value of the flow average value and a maximum value and a minimum value of the flow connection density entropy;
the step of performing normalization processing on the feature vectors to obtain a dimensionless sample to be detected comprises the following steps:
and carrying out normalization processing on the feature vectors according to the maximum value and the minimum value of the flow mean value and the maximum value and the minimum value of the flow connection density entropy to obtain a dimensionless sample to be detected.
Correspondingly, the embodiment of the invention also provides a device for detecting DDOS attacks, which comprises:
an acquisition unit configured to acquire a feature vector of a flow rate in a unit time;
the processing unit is used for carrying out normalization processing on the characteristic vectors to obtain a dimensionless sample to be detected; clustering the dimensionless sample to be detected and a common center class in the detection model to determine two classes to be detected; the detection model is determined by semi-supervised learning based on feature clustering according to historical flow samples; and if the class in which the dimensionless sample to be detected is located only comprises the dimensionless sample to be detected, determining that the dimensionless sample to be detected is a DDOS attack sample.
Optionally, the processing unit is specifically configured to:
obtaining a historical flow sample of unit time;
carrying out normalization processing on each historical flow sample to obtain a dimensionless two-dimensional vector;
performing first clustering on the dimensionless two-dimensional vectors by using a K-means clustering algorithm based on Euclidean distance to obtain class center points of K classes;
performing secondary clustering by using the class center points of the K classes as clustering samples to obtain two detection classes;
judging whether the two detection classes include attack center points; if so, removing from the dimensionless two-dimensional vectors all those belonging to the attack center points and clustering the remaining dimensionless two-dimensional vectors to obtain a plurality of common center points serving as the detection model; otherwise, using the class center points of the K classes obtained by the first clustering as the detection model.
Optionally, the processing unit is specifically configured to:
for either one of the two detection classes, determining the class center point in that detection class farthest from the origin as a first class center point;
clustering the first-class central point and all central points in another detection class to obtain two judgment classes;
if the judgment class in which the first class center point lies contains only the first class center point, determining that the class center points in that detection class are attack center points; otherwise, determining that the first class center point is not an attack center point, taking the class center point next farthest from the origin in that detection class as the new first class center point, and continuing to cluster it with all center points in the other detection class until every class center point in that detection class has been found not to be an attack center point.
Optionally, the feature vector of the flow includes a flow mean value and a flow connection density entropy, where the flow connection density is the number of flows per unit time.
Optionally, the detection model includes a maximum value and a minimum value of the flow average value and a maximum value and a minimum value of the flow connection density entropy;
the processing unit is specifically configured to:
and carrying out normalization processing on the feature vectors according to the maximum value and the minimum value of the flow mean value and the maximum value and the minimum value of the flow connection density entropy to obtain a dimensionless sample to be detected.
Correspondingly, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the DDOS attack detection method according to the obtained program.
Correspondingly, the embodiment of the invention also provides a computer-readable non-volatile storage medium, which comprises computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the computer is enabled to execute the method for detecting the DDOS attack.
The embodiment of the invention shows that the characteristic vector of the flow in unit time is obtained, the characteristic vector is normalized to obtain a dimensionless sample to be detected, the dimensionless sample to be detected is clustered with a common center class in a detection model to determine two classes to be detected, the detection model is determined by performing semi-supervised learning based on characteristic clustering according to historical flow samples, and if the class to be detected in which the dimensionless sample to be detected is located only comprises the dimensionless sample to be detected, the dimensionless sample to be detected is determined to be a DDOS attack sample. Because whether the dimensionless sample to be detected is a DDOS attack sample or not is detected through the detection model obtained through the semi-supervised learning based on the feature clustering, compared with the existing detection scheme, the false alarm rate and the missing report rate of DDOS attack detection can be reduced, the resource consumption of the system is reduced, and the detection capability of various DDOS attacks is enhanced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a DDOS attack detection method according to an embodiment of the present invention;
Fig. 3a to Fig. 3c are schematic diagrams of clustering according to an embodiment of the present invention;
Fig. 4 is a schematic clustering diagram of a detection model according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of clustering according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a DDOS attack detection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 illustrates an exemplary system architecture to which embodiments of the present invention are applicable; it may be a server 100 including a processor 110, a communication interface 120 and a memory 130.
The communication interface 120 is used for communicating with a terminal device, and transceiving information transmitted by the terminal device to implement communication.
The processor 110 is a control center of the server 100, connects various parts of the entire server 100 using various interfaces and lines, performs various functions of the server 100 and processes data by running or executing software programs and/or modules stored in the memory 130 and calling data stored in the memory 130. Alternatively, processor 110 may include one or more processing units.
The memory 130 may be used to store software programs and modules, and the processor 110 executes various functional applications and data processing by running the software programs and modules stored in the memory 130. The memory 130 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created according to a business process, etc. Further, memory 130 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
It should be noted that the structure shown in fig. 1 is only an example, and the embodiment of the present invention is not limited thereto.
Based on the above description, fig. 2 exemplarily shows a flow of a method for detecting a DDOS attack provided by an embodiment of the present invention, where the flow may be performed by an apparatus for detecting a DDOS attack, such as the above-mentioned server.
As shown in fig. 2, the specific steps of the process include:
step 201, obtaining a feature vector of the flow rate in unit time.
The feature vector of a certain IP is computed in real time over 1 minute; it includes a flow mean and a flow connection density entropy, that is, it is a two-dimensional vector composed of the two, written [flow mean, flow connection density entropy].
A real network has many situational features, and the flow per unit time is only one of them. The "flow connection density entropy" is a feature that represents the dispersion of network traffic in unit time.
For example, define a triple for access to a given IP: <source IP, source port, destination port>. All packets matching this triple are called a flow, and the number of flows per unit time is called the flow connection density. Entropy represents the degree of disorder of the information.
The flow connection density entropy may be calculated as follows:
triplet: <1.1.1.1,8081,8088> 2 times;
triplet: <201.192.1.10,1288,8088> 4 times;
triplet: <19.13.10.1,201,8088> 4 times;
From these triples, H(U) = -(2/10) × log(2/10) - (4/10) × log(4/10) - (4/10) × log(4/10) = 0.4580, where log is the base-10 logarithm and H(U) denotes the flow connection density entropy.
Because a legitimate user accesses only one or a few services in a given period and does so from a fixed IP address, the way the "flow connection density entropy" rises with an increase of normal access traffic differs markedly from the way it rises when a DDOS attack occurs.
Step 202, normalizing the characteristic vectors to obtain a dimensionless sample to be detected.
After the feature vector for the unit time is obtained, it must be normalized. This uses the maximum and minimum of the flow mean and the maximum and minimum of the flow connection density entropy contained in the detection model; these four values are available once the detection model has been determined.
The feature vector is normalized using the maximum and minimum of the flow mean and the maximum and minimum of the flow connection density entropy to obtain the dimensionless sample to be detected.
The normalization may specifically be g(Ui) = (Ui - Umin) / (Umax - Umin), where g(Ui) is the normalized result of element Ui, Umin is the minimum of element Ui over the historical samples, Umax is its maximum, and Ui may be the flow mean or the flow connection density entropy. For example, the feature vector [960000, 2.3] is normalized to [0.6, 0.45].
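Feature extraction and normalization for steps 201 and 202, as an added worked example that is not code from the patent. The Netflow records, the destination IP 10.0.0.5, the byte counts and the model's min/max bounds are all constructed; the triple counts copy the page's 2/4/4 example, and the bounds are chosen so that the page's vector [960000, 2.3] normalizes to [0.6, 0.45].

```python
"""Flow connection density entropy and min-max normalisation (added example)."""
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Netflow seven-tuple from the Background section:
# (source IP, source port, destination IP, destination port, protocol, packets, bytes)
Record = Tuple[str, int, str, int, str, int, int]
Triple = Tuple[str, int, int]          # (source IP, source port, destination port)


def flow_density_entropy(triples: Iterable[Triple]) -> float:
    """H(U) = -sum_i p_i * log10(p_i), where p_i is the share of the unit time's
    flows that belong to the i-th distinct triple.  The base-10 logarithm is what
    reproduces the page's value 0.4580 for its 2/4/4 example.  H(U) is 0 when all
    flows share one triple and grows as the flows spread over more triples."""
    counts = Counter(triples)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log10(n / total) for n in counts.values())


def minute_features(records: Iterable[Record], dst_ip: str,
                    seconds: int = 60) -> Tuple[float, float]:
    """Feature vector [flow mean, flow connection density entropy] for dst_ip.
    Each Netflow record is counted as one flow of its triple.  'Flow mean' is
    taken here as average bytes per second (assumption: the page does not define
    the unit, only that the two dimensions differ and need normalising)."""
    hits: List[Record] = [r for r in records if r[2] == dst_ip]
    triples = [(r[0], r[1], r[3]) for r in hits]
    return (sum(r[6] for r in hits) / seconds, flow_density_entropy(triples))


def normalise(feature: Tuple[float, float],
              bounds: Dict[str, Tuple[float, float]]) -> Tuple[float, float]:
    """g(Ui) = (Ui - Umin) / (Umax - Umin) per dimension, using the maximum and
    minimum the detection model recorded for the historical samples.  Values are
    deliberately not clipped: a sample far above the historical maximum lands
    above 1.0, which is exactly the deviation the clustering step should see."""
    result = []
    for value, (lo, hi) in zip(feature, (bounds["flow_mean"], bounds["entropy"])):
        result.append(0.0 if hi == lo else (value - lo) / (hi - lo))
    return (result[0], result[1])


# Constructed records reproducing the page's triple counts (2, 4 and 4 flows)
# towards destination 10.0.0.5:8088 within one minute; byte counts are made up.
RECORDS: List[Record] = (
    [("1.1.1.1", 8081, "10.0.0.5", 8088, "TCP", 10, 5_760_000)] * 2
    + [("201.192.1.10", 1288, "10.0.0.5", 8088, "TCP", 12, 5_760_000)] * 4
    + [("19.13.10.1", 201, "10.0.0.5", 8088, "TCP", 12, 5_760_000)] * 4
)

# Constructed bounds standing in for the model's historical max/min.
BOUNDS: Dict[str, Tuple[float, float]] = {"flow_mean": (0.0, 1_600_000.0),
                                         "entropy": (0.5, 4.5)}

if __name__ == "__main__":
    feat = minute_features(RECORDS, "10.0.0.5")
    print("feature vector:", feat)                      # entropy matches the page's 0.458
    print("normalised    :", normalise((960000.0, 2.3), BOUNDS))
```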
Step 203, clustering the dimensionless sample to be detected and the common center class in the detection model to determine two classes to be detected.
The detection model is determined by semi-supervised learning based on feature clustering of historical flow samples. Specifically, historical flow samples per unit time are obtained first, and each is normalized to obtain a dimensionless two-dimensional vector; next, a first clustering of the dimensionless two-dimensional vectors is performed with a K-means clustering algorithm based on Euclidean distance to obtain the class center points of K classes, and a second clustering uses these K class center points as clustering samples to obtain two detection classes; finally, it is judged whether the two detection classes include attack center points. If so, all dimensionless two-dimensional vectors belonging to the attack center points are removed and the remaining vectors are clustered to obtain a plurality of common center points as the detection model; otherwise, the class center points of the K classes obtained by the first clustering are used as the detection model.
It should be noted that judging whether the two detection classes include attack center points may proceed as follows: for either one of the two detection classes, take the class center point in that detection class farthest from the origin as a first class center point; cluster the first class center point together with all center points in the other detection class to obtain two judgment classes; if the judgment class in which the first class center point lies contains only the first class center point, determine that the class center points in that detection class are attack center points; otherwise, determine that the first class center point is not an attack center point, take the class center point next farthest from the origin in that detection class as the new first class center point, and keep clustering it with all center points in the other detection class until every class center point in that detection class has been found not to be an attack center point. In this way every class center point in both detection classes can be traversed and tested.
For example, from Netflow logs of holidays and working days, the flow mean and the flow connection density entropy are computed for every minute, and each minute's statistics form a 2-dimensional vector [flow mean, flow connection density entropy]. Since the units of the two dimensions differ, the vectors are normalized into dimensionless 2-dimensional vectors. A large number of such sample vectors is obtained as the set to be divided.
For the k-means clustering algorithm based on Euclidean distance, the larger the cluster number k, the finer the clustering. A clustering effect coefficient, written & here, indicates the accuracy; once k grows beyond a certain point, & no longer changes. The smallest k at which & stops changing is taken as the k that gives the most accurate clustering.
First, the whole normalized sample set is clustered into k classes and the class centers of the k classes are obtained, as shown by the solid dots "●" in Fig. 3a. Then, using the k class centers as clustering samples, a second clustering into 2 classes is performed, as shown by the "x" marks in Fig. 3a.
Based on the clustered class center points in fig. 3a, assume: the "x" located at the upper part of fig. 3a is the class center point of the "attack center point", and the "x" located at the lower part of fig. 3a is the class center point of the "normal center point".
First, take the "attack center point" farthest from the origin, called @, as shown by the circled point "●" in Fig. 3b.
Then cluster @ together with all the common center points (the "common center points" in the lower part of Fig. 3a) with class number 2, to obtain the detection classes shown in Fig. 3c.
Finally, if the detection class containing @ contains only @, it is determined that the upper detection class in Fig. 3a holds attack center points (i.e. the upper "x" in Fig. 3a), all points clustered on that "x" are attack center points, and the judgment ends. If the detection class containing @ does not contain only @, @ is regarded as a common center point, the "attack center point" next farthest from the origin is taken, and the steps are repeated; if every candidate point turns out not to be an attack point, the assumption is considered to have failed, the initial clustering result in Fig. 3a is considered to contain no attack center point, and the judgment ends.
In this way, if it is determined that the attack center point is included in fig. 3a, all samples included in the attack center point in the original sample set are removed, and the remaining samples are clustered to obtain a plurality of common center points as a final detection model; if no attack center point is determined in fig. 3a, the primary clustering result is the final detection model required, as shown in fig. 4. Accordingly, a judgment baseline for detecting the DDOS attack can be obtained.
The detection model shown in Fig. 4 includes the maximum and minimum of the flow mean, the maximum and minimum of the flow connection density entropy, and the "●" points in Fig. 4, i.e. 2-dimensional vectors that are all the common center points.
After the detection model is obtained, the dimensionless sample to be detected and the common center class in the detection model can be clustered to determine two classes to be detected, as shown in fig. 5, a "x" in an upper circle in fig. 5 represents a class center point of the class to be detected, and a "x" in a lower circle represents a class center point of another class to be detected.
Step 204, if the class in which the dimensionless sample to be detected is located only includes the dimensionless sample to be detected, determining that the dimensionless sample to be detected is a DDOS attack sample.
According to the detection class shown in fig. 5, it can be found that the detection class in which the dimensionless sample to be detected is located in the upper circle only includes the dimensionless sample to be detected, and the dimensionless sample to be detected can be regarded as a DDOS attack sample, that is, the dimensionless sample to be detected includes an attack situation.
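The baseline construction of step 203 and the judgment of step 204 together, as an added illustration that is not the patent's own code: plain Euclidean K-means over constructed, already-normalized 2-D samples, with the attack-center test walking each detection class's centers from the one farthest from the origin inward. Assumptions not stated on the page: K-means is seeded farthest-first so runs are repeatable, k = 4, and after attack samples are removed the remainder is re-clustered into k classes again.

```python
"""Two-stage K-means DDoS baseline and per-minute judgment (added example)."""
import math
from typing import List, Tuple

Point = Tuple[float, float]
ORIGIN: Point = (0.0, 0.0)


def centroid(pts: List[Point]) -> Point:
    return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))


def kmeans(points: List[Point], k: int, iters: int = 100) -> List[List[Point]]:
    """Euclidean K-means (Lloyd's algorithm) returning the k clusters.  Seeds are
    chosen farthest-first (assumption: the patent does not say how it seeds),
    which keeps runs repeatable and gives an isolated outlier its own seed."""
    mean = centroid(points)
    centres = [max(points, key=lambda p: math.dist(p, mean))]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(math.dist(p, c) for c in centres)))
    clusters: List[List[Point]] = []
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: math.dist(p, centres[i]))].append(p)
        new = [centroid(c) if c else centres[i] for i, c in enumerate(clusters)]
        if new == centres:              # assignments stable: converged
            break
        centres = new
    return clusters


def find_attack_centres(det_a: List[Point], det_b: List[Point]) -> List[Point]:
    """The patent's attack-centre test.  For either detection class, walk its
    centres from the one farthest from the origin inward and 2-cluster each with
    all centres of the other class.  If a candidate ends up in a class of its
    own, every centre of its detection class is an attack centre; if no
    candidate does, the first clustering contained no attack class."""
    for cls, other in ((det_a, det_b), (det_b, det_a)):
        for cand in sorted(cls, key=lambda p: math.dist(p, ORIGIN), reverse=True):
            if [cand] in kmeans([cand] + other, 2):
                return list(cls)
    return []


def build_model(history: List[Point], k: int) -> List[Point]:
    """Semi-supervised baseline: first clustering of the normalised history into
    k classes, second clustering of the k centres into two detection classes,
    attack-centre test, then (if attacks were found) drop every history sample
    that belonged to an attack centre and re-cluster the rest.  Re-clustering
    into k classes again is an assumption; the page only says 'a plurality'."""
    first = [c for c in kmeans(history, k) if c]
    centres = [centroid(c) for c in first]
    det_a, det_b = kmeans(centres, 2)
    attack = set(find_attack_centres(det_a, det_b))
    if not attack:
        return centres                  # no attack class: first-stage centres are the model
    remaining = [p for cl, c in zip(first, centres) if c not in attack for p in cl]
    return [centroid(c) for c in kmeans(remaining, k) if c]


def is_ddos(sample: Point, common_centres: List[Point]) -> bool:
    """Steps 203/204: 2-cluster the new dimensionless sample with the model's
    common centres; it is flagged as a DDOS minute only if it forms a class by itself."""
    return [sample] in kmeans([sample] + common_centres, 2)


# Constructed normalised history (not real traffic): three dense groups of
# ordinary minutes plus four distant attack minutes in the top-right corner.
HISTORY: List[Point] = (
    [(0.10 + 0.02 * i, 0.20 + 0.01 * j) for i in range(5) for j in range(5)]
    + [(0.30 + 0.02 * i, 0.45 + 0.015 * j) for i in range(5) for j in range(5)]
    + [(0.50 + 0.02 * i, 0.30 + 0.01 * j) for i in range(5) for j in range(5)]
    + [(0.92 + 0.02 * i, 0.90 + 0.02 * j) for i in range(2) for j in range(2)]
)

if __name__ == "__main__":
    model = build_model(HISTORY, k=4)
    print("common centres:", [(round(x, 2), round(y, 2)) for x, y in model])
    for s in [(0.95, 0.93), (0.34, 0.47)]:
        print(s, "-> DDOS" if is_ddos(s, model) else "-> normal")
```

The attack minutes are removed from the baseline precisely because they were isolated by the two-level clustering, so the final model contains only common centres and a new minute far from all of them is the one that lands in a class of its own.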
The embodiment shows that the characteristic vector of the flow in unit time is obtained, the characteristic vector is normalized to obtain the dimensionless sample to be detected, the dimensionless sample to be detected is clustered with the common center class in the detection model to determine two classes to be detected, the detection model is determined by performing feature clustering-based semi-supervised learning on the historical flow sample, and if the class to be detected in which the dimensionless sample to be detected is located only includes the dimensionless sample to be detected, the dimensionless sample to be detected is determined to be the DDOS attack sample. Because whether the dimensionless sample to be detected is a DDOS attack sample or not is detected through the detection model obtained through the semi-supervised learning based on the feature clustering, compared with the existing detection scheme, the false alarm rate and the missing report rate of DDOS attack detection can be reduced, the resource consumption of the system is reduced, and the detection capability of various DDOS attacks is enhanced.
In the embodiment of the invention, the flow mean and the flow connection density entropy computed over 1 minute form one sample vector [flow mean, flow connection density entropy] to be classified. Computing these over holidays and working days yields a large set of samples to be classified. A baseline containing the feature information of the normal network situation is then obtained from the sample set using the k-means clustering algorithm and business rules.
The baseline is then used to judge whether the real-time network situation is abnormal.
The embodiment of the invention can solve the following technical problems:
1. the unsatisfactory real-world detection effect of the current scheme, which relies too heavily on human experience;
2. the timeliness of the current detection scheme is improved;
3. the detection capability for various DDOS attacks, including low-rate attacks and pulse attacks, is enhanced;
4. the computation consumes few resources.
Based on the same technical concept, fig. 6 exemplarily shows an apparatus for DDOS attack detection provided by an embodiment of the present invention, which can perform a flow of DDOS attack detection.
As shown in fig. 6, the apparatus may include:
an obtaining unit 601, configured to obtain a feature vector of a flow rate in a unit time;
the processing unit 602 is configured to perform normalization processing on the feature vector to obtain a dimensionless sample to be detected; clustering the dimensionless sample to be detected and a common center class in the detection model to determine two classes to be detected; the detection model is determined by semi-supervised learning based on feature clustering according to historical flow samples; and if the class to be detected of the dimensionless sample to be detected only comprises the dimensionless sample to be detected, determining that the dimensionless sample to be detected is a DDOS attack sample.
Optionally, the processing unit 602 is specifically configured to:
obtaining historical flow samples in unit time;
carrying out normalization processing on each historical flow sample to obtain a dimensionless two-dimensional vector;
performing first clustering on the dimensionless two-dimensional vectors by using a K-means clustering algorithm based on Euclidean distance to obtain class center points of K classes;
performing secondary clustering by using the class center points of the K classes as clustering samples to obtain two detection classes;
judging whether the two detection classes comprise attack central points; if so, removing from the dimensionless two-dimensional vectors all those belonging to the attack central points, and clustering the remaining dimensionless two-dimensional vectors to obtain a plurality of common central points as the detection model; otherwise, using the class center points of the K classes obtained by the first clustering as the detection model.
Optionally, the processing unit 602 is specifically configured to:
for either of the two detection classes, determining the class center point in that detection class closest to the far point as the first class center point;
clustering the first class center point together with all center points in the other detection class to obtain two judgment classes;
if the judgment class in which the first class center point is located contains only the first class center point, determining that class center point as the attack central point; otherwise, determining that the first class center point is not an attack central point, taking the class center point next closest to the far point in the detection class as the first class center point, and continuing to cluster the first class center point with all center points in the other detection class until every class center point in the detection class has been found not to be an attack central point.
Optionally, the feature vector of the flow includes a flow mean value and a flow connection density entropy; the flow connection density is the number of flows in a unit time.
Optionally, the detection model includes a maximum value and a minimum value of the flow average value and a maximum value and a minimum value of the flow connection density entropy;
the processing unit 602 is specifically configured to:
normalize the feature vector according to the maximum and minimum values of the flow mean value and the maximum and minimum values of the flow connection density entropy to obtain the dimensionless sample to be detected.
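The per-sample detection step and the attack-centre test used during model building share one operation: cluster a point together with a set of centre points into two classes and check whether the point ends up alone. The following Python is an added illustration, not the applicant's code; the model bounds and common centre points are constructed, and the first K-class clustering of the history and the loop over candidate centres are omitted.

```python
"""Detection-side core of the clustering DDOS detector described above.
Added illustration in plain Python, not the applicant's code. A sample is
[flow mean, flow connection density entropy]. The attack-centre test and the
per-sample check are the same question: cluster a point with a set of centre
points into two classes (K-means, K=2, Euclidean) and see if it ends up alone."""
import math

def normalize(vec, bounds):
    """Min-max scaling with the (min, max) pairs stored in the model. Values
    outside the historical range are not clamped, so a traffic spike lands
    far from every common centre, which is exactly what isolates it."""
    return [(x - lo) / (hi - lo) if hi != lo else 0.0
            for x, (lo, hi) in zip(vec, bounds)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def two_means(points, iters=50):
    """Lloyd's K-means with K=2, seeded with the two points farthest apart so
    the result is deterministic. Returns a class label (0/1) per point."""
    if len(points) < 2:
        raise ValueError("need at least two points to form two classes")
    i, j = max(((a, b) for a in range(len(points)) for b in range(a + 1, len(points))),
               key=lambda ab: dist(points[ab[0]], points[ab[1]]))
    centres = [points[i], points[j]]
    for _ in range(iters):
        labels = [0 if dist(p, centres[0]) <= dist(p, centres[1]) else 1
                  for p in points]
        new = []
        for c in (0, 1):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append([sum(col) / len(members) for col in zip(*members)]
                       if members else centres[c])
        if new == centres:      # converged
            break
        centres = new
    return labels

def is_alone(point, others):
    """True if `point`, clustered with `others`, is the sole member of its class."""
    labels = two_means([point] + list(others))
    return labels.count(labels[0]) == 1

def is_attack_centre(candidate, other_class_centres):
    """Model building: a class centre isolated from every centre of the other
    detection class is an attack centre, and its samples are removed."""
    return is_alone(candidate, other_class_centres)

def detect(raw_sample, model):
    """Detection: normalise the raw [mean, entropy] sample with the model's
    bounds and flag it as a DDOS sample if it joins no common centre."""
    return is_alone(normalize(raw_sample, model["bounds"]), model["centres"])

# Constructed model (not from the patent): bounds of a fictitious history and
# five normalised common centres covering working-day and rest-day load.
MODEL = {
    "bounds": [(2.0e6, 5.0e6), (1.5, 4.0)],  # (min, max) of mean bytes/min, of entropy
    "centres": [[0.2, 0.25], [0.35, 0.4], [0.5, 0.55], [0.3, 0.7], [0.65, 0.3]],
}
```

A sample whose mean traffic is far above the historical maximum normalises to a value beyond 1 and is left alone by the two-class clustering, while a sample inside the historical range joins a common centre.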
Based on the same technical concept, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the DDOS attack detection method according to the obtained program.
Based on the same technical concept, the embodiment of the present invention further provides a computer-readable non-volatile storage medium, which includes computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the computer is caused to execute the above DDOS attack detection method.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for detecting a distributed denial of service (DDOS) attack, comprising the following steps:
acquiring a characteristic vector of flow in unit time;
normalizing the characteristic vectors to obtain a dimensionless sample to be detected;
clustering the dimensionless sample to be detected and a common central point in a detection model to determine two classes to be detected; the detection model is determined by semi-supervised learning based on feature clustering according to historical flow samples;
if the class in which the dimensionless sample to be detected is located only comprises the dimensionless sample to be detected, determining that the dimensionless sample to be detected is a DDOS attack sample;
the determining the detection model by performing semi-supervised learning of feature clustering according to historical flow samples comprises the following steps:
obtaining historical flow samples in unit time;
carrying out normalization processing on each historical flow sample to obtain a dimensionless two-dimensional vector;
performing first clustering on the dimensionless two-dimensional vectors by using a K-means clustering algorithm based on Euclidean distance to obtain class center points of K classes;
performing secondary clustering by using the class center points of the K classes as clustering samples to obtain two detection classes;
judging whether the two detection classes comprise attack central points; if so, removing from the dimensionless two-dimensional vectors all those belonging to the attack central points, and clustering the remaining dimensionless two-dimensional vectors to obtain a plurality of common central points as the detection model; otherwise, using the class center points of the K classes obtained by the first clustering as the detection model.
2. The method of claim 1, wherein said determining whether the two detection classes include an attack center point comprises:
determining a class center point closest to a far point in the detection classes as a first class center point aiming at any one of the two detection classes;
clustering the first class central point and all central points in the other detection class to obtain two judgment classes;
if the judgment class in which the first class central point is located only contains the first class central point, determining the class center in the detection class as the attack central point; otherwise, determining that the first class central point is not the attack central point, determining a class central point next to the far point in the detection class as the first class central point, and continuing to cluster the first class central point and all central points in the other detection class until all class central points in the detection class are not the attack central points.
3. The method of claim 1 or 2, wherein the feature vector of the flow comprises a flow mean and a flow connection density entropy; the flow connection density is the number of flows in a unit time.
4. The method of claim 3, wherein the detection model includes a maximum and a minimum of the flow mean and a maximum and a minimum of the flow connection density entropy;
the step of carrying out normalization processing on the feature vectors to obtain a dimensionless sample to be detected comprises the following steps:
and carrying out normalization processing on the feature vectors according to the maximum value and the minimum value of the flow mean value and the maximum value and the minimum value of the flow connection density entropy to obtain a dimensionless sample to be detected.
5. An apparatus for distributed denial of service (DDOS) attack detection, comprising:
an acquisition unit configured to acquire a feature vector of a flow rate in a unit time;
the processing unit is used for carrying out normalization processing on the characteristic vectors to obtain a dimensionless sample to be detected; clustering the dimensionless sample to be detected and a common central point in a detection model to determine two classes to be detected; the detection model is determined by semi-supervised learning based on feature clustering according to historical flow samples; if the class in which the dimensionless sample to be detected is located only comprises the dimensionless sample to be detected, determining that the dimensionless sample to be detected is a DDOS attack sample;
the processing unit is specifically configured to:
obtaining a historical flow sample of unit time;
carrying out normalization processing on each historical flow sample to obtain a dimensionless two-dimensional vector;
performing first clustering on the dimensionless two-dimensional vectors by using a K-means clustering algorithm based on Euclidean distance to obtain class center points of K classes;
performing secondary clustering by taking the class center points of the K classes as clustering samples to obtain two detection classes;
judging whether the two detection classes comprise attack central points; if so, removing from the dimensionless two-dimensional vectors all those belonging to the attack central points, and clustering the remaining dimensionless two-dimensional vectors to obtain a plurality of common central points as the detection model; otherwise, using the class center points of the K classes obtained by the first clustering as the detection model.
6. The apparatus as claimed in claim 5, wherein said processing unit is specifically configured to:
determining a class center point closest to a far point in the detection classes as a first class center point aiming at any one of the two detection classes;
clustering the first-class central point and all central points in another detection class to obtain two judgment classes;
if the judgment class in which the first class central point is located only contains the first class central point, determining the class center in the detection class as the attack central point; otherwise, determining that the first class central point is not the attack central point, determining a class central point next to the far point in the detection class as the first class central point, and continuing to cluster the first class central point and all central points in the other detection class until all class central points in the detection class are not the attack central points.
7. The apparatus of claim 5 or 6, wherein the feature vector of the flow comprises a flow mean and a flow connection density entropy; the flow connection density is the number of flows in a unit time.
8. The apparatus of claim 7, wherein the detection model includes a maximum and a minimum of the flow mean and a maximum and a minimum of the flow connection density entropy;
the processing unit is specifically configured to:
and carrying out normalization processing on the feature vectors according to the maximum value and the minimum value of the flow mean value and the maximum value and the minimum value of the flow connection density entropy to obtain a dimensionless sample to be detected.
9. A computing device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to execute the method of any one of claims 1 to 4 in accordance with the obtained program.
10. A computer-readable non-transitory storage medium including computer-readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811406288.7A CN111224916B (en) 2018-11-23 2018-11-23 DDOS attack detection method and device

Publications (2)

Publication Number Publication Date
CN111224916A CN111224916A (en) 2020-06-02
CN111224916B true CN111224916B (en) 2022-07-01

Family

ID=70813461

Country Status (1)

Country Link
CN (1) CN111224916B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848160A (en) * 2010-05-26 2010-09-29 钱叶魁 Method for online detection and classification of network-wide traffic anomalies
CN104967629A (en) * 2015-07-16 2015-10-07 网宿科技股份有限公司 Network attack detection method and apparatus
CN107248996A (en) * 2017-06-29 2017-10-13 南京邮电大学 Method for detecting and filtering DNS amplification attacks

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484602B (en) * 2014-12-09 2018-01-16 中国科学院深圳先进技术研究院 Intrusion detection method and device
CN107392015B (en) * 2017-07-06 2019-09-17 长沙学院 Intrusion detection method based on semi-supervised learning

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A new semi-supervised intrusion detection algorithm; Song Ling et al.; Computer Applications (《计算机应用》); 2008-07-31; text pp. 1-2 *
Network intrusion detection model based on a fusion of information entropy and K-MEANS; Zhu Xianrui et al.; Anhui Agricultural Sciences (《安徽农业科学》); 2014-12-31; text pp. 1-2 *

Also Published As

Publication number Publication date
CN111224916A (en) 2020-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant