CN117220958A - DDoS attack detection method based on sketch under high-speed network scene - Google Patents


Info

Publication number
CN117220958A
Authority
CN
China
Prior art keywords
stream
data
time
timestamp
circular queue
Prior art date
Legal status
Pending
Application number
CN202311214640.8A
Other languages
Chinese (zh)
Inventor
温震宇
张帮岩
黄圣豪
洪榛
Current Assignee
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT
Priority date
2023-09-20
Filing date
2023-09-20
Publication date
2023-12-12

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A DDoS attack detection method based on a sketch under a high-speed network scene comprises the following steps: 1) the host extracts the information of the data packet to generate a stream ID; 2) calculating the difference between the current timestamp and the timestamp last recorded for the corresponding stream in the timestamp array, updating the circular queue, the timestamp array and the counter if the difference is larger than the time window, and only updating the counter if the difference is smaller than the time window; 3) traversing the data in the circular queue every time period T1, and judging whether the sum of the data packet counts of each stream in the corresponding time windows exceeds a local threshold; 4) calculating the rate of each stream from the uploaded information and detecting DDoS attacks; 5) traversing the timestamp array every larger time period T2, subtracting each traversed timestamp from the current system timestamp, and, if the difference is larger than T2, reporting the data of that data stream stored in the sketch and the circular queue to the controller and then setting the corresponding counter and circular queue in the sketch to 0.

Description

DDoS attack detection method based on sketch under high-speed network scene
Technical Field
The invention relates to the fields of network measurement and computer network security, in particular to a DDoS attack detection method based on a sketch under a high-speed network scene.
Background
In recent years, distributed denial of service (DDoS) attacks have become one of the most serious threats faced by the internet. According to the DDoS attack report issued by cabas in 2020, the number of DDoS attacks increased by 87.5% compared with 2019. Over the last several decades, many efforts have been made to detect DDoS attacks, and many intrusion detection and prevention systems have been proposed. However, these systems have difficulty making a good tradeoff between scalability and accuracy. Other methods, such as entropy-based methods, achieve higher accuracy in abnormal traffic detection but have the disadvantage of a large computational effort.
In order to reduce the large data-processing overhead, a series of sketch-based DDoS attack detection methods have been proposed. The sketch is a compact data structure that can store the data features of large volumes of network traffic in a limited space. Owing to its low storage overhead, sketch-based anomaly detection has been applied to detect DDoS attacks in high-speed networks. However, these sketch-based anomaly detection methods focus mainly on the total number of data packets of the flow of interest and ignore the rate-change patterns of some DDoS attacks. A Yo-Yo DDoS attack, for example, changes the rate of the request traffic so that the cloud server repeatedly changes its resource configuration, causing great economic loss. Such DDoS attacks cannot be detected accurately by counting the packets of the traffic alone; the rate change of the traffic must also be monitored.
Therefore, the prior art does not achieve a clear and accurate effect in DDoS attack detection, and to solve these problems an effective attack detection method is urgently needed in the current complex network environment.
Disclosure of Invention
In order to overcome the defects of the existing detection method, the invention provides a DDoS attack detection method based on the sketch under a high-speed network scene.
The technical scheme adopted for solving the technical problems is as follows:
a DDoS attack detection method based on a sketch under a high-speed network scene comprises the following steps:
1) when a data packet arrives at a host, the host extracts the five-tuple information of the data packet to generate a stream ID string str, the five-tuple information comprising a source IP, a source port, a destination IP, a destination port and a protocol type;
2) according to the extracted stream ID string, obtaining the indices of the corresponding sketch counters, timestamp array entry and circular queue of the stream, and calculating the difference between the system timestamp at which the current data packet arrives and the arrival timestamp of the data stream recorded in the one-dimensional timestamp array; if the difference is larger than the preset time window, storing the counter value of the corresponding stream in the sketch into the circular queue corresponding to the stream, updating the timestamp recorded in the array to the system timestamp of the current data packet, and adding 1 to the counter of the stream; if the difference is smaller than the preset time window, only adding 1 to the counter corresponding to the stream;
3) according to a preset local threshold, each host traverses the data in its circular queues every time period T1 and judges whether the sum of the data packet counts of each stream in the corresponding time windows exceeds the local threshold; if so, it forms a table from the total packet count of the corresponding stream, the number of packets in each time window and related information, and uploads the table to the controller; in addition, each host checks every larger time period T2 whether a flow has been disconnected, and resets the counter and circular queue of a disconnected flow to save resources;
4) the controller gathers all the information uploaded by the hosts, calculates the rate of each stream from the uploaded information, and observes how the rate of each stream changes over time, thereby detecting whether a DDoS attack exists. The rate is calculated as follows:
diff = (q[tail] - q[head] + qSize) mod qSize
where diff is the difference between the head index and the tail index, q is the circular queue corresponding to a stream, tail is the tail index of the circular queue, head is its head index, qSize is the length of the circular queue, w is the time window size, x denotes the most recent x time windows, and f(x) is the rate of the stream from the latest time window back over x time windows, in packets per second (PPS).
Further, the sketch structure in step 2) is a Count-Min Sketch consisting of a two-dimensional array of d rows and w columns. Each row i corresponds to a hash function hash_i whose input is the stream ID string of a stream and whose output is the index of that stream in row i; that is, in each row the index of the counter corresponding to a stream is determined by hashing, index = hash_i(str). The hash functions are implemented with Bob hash functions, each with mapping range [0, w-1].
Still further, in step 2) there are w circular queues in total, each formed by a one-dimensional array of length qSize. The element stored in a circular queue each time is the minimum of the d counters corresponding to the data stream. The mapping between a data stream and its circular queue is determined by computing an index through a hash function, again with mapping range [0, w-1].
When the minimum of the d counters of a data stream is stored into its circular queue in step 2) is decided by a one-dimensional timestamp array of length w. The array stores, for each data stream, the timestamp of the last update of its circular queue; the index of a data stream in the array is obtained by hashing the stream ID, again with mapping range [0, w-1]. When a data packet belonging to a data stream arrives at a host, the host first obtains the index i of the data stream in the timestamp array by hashing, reads timestamp[i], computes the difference between the current system timestamp and timestamp[i], and compares the difference with the time window: if the difference is greater than or equal to the time window, timestamp[i] is updated to the current system timestamp, the packet count of the data stream stored in the sketch is appended to the circular queue, and then the packet count of the data stream in the sketch is increased by 1; if the difference is smaller than the time window, only the packet count of the data stream in the sketch is increased by 1.
The table uploaded by the host in step 3) contains the following information: the five-tuple of a data stream, the total number of packets of the data stream, and the number of packets recorded for the data stream in each of the qSize time windows.
The controller in step 4) aggregates the information in the tables sent by all hosts. It computes the rate change of each data flow across the different time windows and judges from it: if the rate change is abnormal, the data flow is judged to be a DDoS attack flow, a corresponding filtering rule is generated, and the rule is issued to all hosts to block the DDoS attack.
Further, the method includes a data flow disconnection check. Every larger time period T2, the one-dimensional timestamp array is traversed and each traversed timestamp is subtracted from the current system timestamp. If the difference is larger than T2, no packet of that data stream has reached the host for a long time and the stream can be considered disconnected: the data of the stream stored in the sketch and the circular queue are reported to the controller, then the corresponding counter and circular queue in the sketch are set to 0, so that stale information is cleared promptly and the freed resources can serve new connections.
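The host-side data path of steps 1) to 3) together with the disconnection check, worked as an added Python example; this is not code from the patent or its inventors. It assumes the d, w, qSize and window values it sets, substitutes a salted BLAKE2b digest for the Bob hash, reuses the row-0 hash as the circular-queue and timestamp index, and keeps a small side table from queue index to stream ID because the uploaded table needs the five-tuple and the page does not say where the host keeps it. The circular queue is read with the (tail - head + qSize) mod qSize convention, so it holds qSize - 1 snapshots.

```python
import hashlib

# Constructed parameters: the patent names d, w, qSize and the window size but fixes no values.
D = 3            # sketch rows, one hash function per row
W = 256          # sketch columns; also the number of circular queues and the timestamp array length
Q_SIZE = 8       # circular queue length qSize
WINDOW = 1.0     # time window size, seconds


def flow_id(src_ip, src_port, dst_ip, dst_port, proto):
    """Step 1: build the stream ID string str from the five-tuple."""
    return f"{src_ip}:{src_port}->{dst_ip}:{dst_port}/{proto}"


def row_hash(i, s):
    """Hash for row i with range [0, W-1]. The patent uses Bob (Jenkins) hash; a salted
    BLAKE2b digest stands in here (assumption) so the block runs with the stdlib only."""
    digest = hashlib.blake2b(s.encode(), digest_size=8, salt=bytes([i]))
    return int.from_bytes(digest.digest(), "big") % W


class HostSketch:
    """Count-Min sketch (d x w counters) plus w circular queues and a w-entry timestamp array."""

    def __init__(self):
        self.counters = [[0] * W for _ in range(D)]
        self.queues = [[0] * Q_SIZE for _ in range(W)]
        self.head = [0] * W
        self.tail = [0] * W
        self.timestamps = [None] * W  # None = no packet seen yet at this index (choice made here)
        self.keys = {}                # queue index -> stream ID last seen there (assumed side table)

    def _cols(self, s):
        return [row_hash(i, s) for i in range(D)]

    def estimate(self, s):
        """Count-Min point query: the minimum of the d counters of the stream."""
        return min(self.counters[i][c] for i, c in enumerate(self._cols(s)))

    def _push(self, j, value):
        """Append to circular queue j. (tail - head + qSize) mod qSize entries are valid, so one
        slot always stays free and the oldest entry is overwritten once the queue is full."""
        self.queues[j][self.tail[j]] = value
        self.tail[j] = (self.tail[j] + 1) % Q_SIZE
        if self.tail[j] == self.head[j]:
            self.head[j] = (self.head[j] + 1) % Q_SIZE

    def update(self, s, ts):
        """Step 2: on packet arrival, close the window if one has elapsed, then count the packet."""
        j = row_hash(0, s)  # queue / timestamp index; the row-0 hash is reused (assumption)
        self.keys[j] = s
        if self.timestamps[j] is None:
            self.timestamps[j] = ts
        elif ts - self.timestamps[j] >= WINDOW:
            self._push(j, self.estimate(s))  # snapshot of the counter at the window boundary
            self.timestamps[j] = ts
        for i, c in enumerate(self._cols(s)):
            self.counters[i][c] += 1

    def snapshots(self, j):
        """Valid entries of queue j, oldest first."""
        n = (self.tail[j] - self.head[j] + Q_SIZE) % Q_SIZE
        return [self.queues[j][(self.head[j] + k) % Q_SIZE] for k in range(n)]

    def window_counts(self, j):
        """Packets per window between consecutive snapshots (snapshots are cumulative counts)."""
        snaps = self.snapshots(j)
        return [b - a for a, b in zip(snaps, snaps[1:])]

    def local_check(self, threshold):
        """Step 3, every T1: rows (stream ID, total packets, packets per window) for streams whose
        packets over the retained windows exceed the local threshold."""
        table = []
        for j, s in self.keys.items():
            counts = self.window_counts(j)
            if sum(counts) > threshold:
                table.append((s, self.estimate(s), counts))
        return table

    def disconnect_check(self, now, t2):
        """Every T2: streams idle longer than T2 are reported, then their counters and queue are zeroed."""
        reported = []
        for j, s in list(self.keys.items()):
            if self.timestamps[j] is not None and now - self.timestamps[j] > t2:
                reported.append((s, self.estimate(s), self.window_counts(j)))
                for i, c in enumerate(self._cols(s)):
                    self.counters[i][c] = 0
                self.queues[j] = [0] * Q_SIZE
                self.head[j] = self.tail[j] = 0
                self.timestamps[j] = None
                del self.keys[j]
        return reported


def demo():
    """Constructed trace: one stream sending 10, 50, 10, 50 packets in four consecutive 1 s
    windows, then one packet in the fifth window, which closes the fourth."""
    sk = HostSketch()
    s = flow_id("198.51.100.7", 40000, "203.0.113.5", 80, "tcp")
    for k, n in enumerate([10, 50, 10, 50]):
        for m in range(n):
            sk.update(s, k * WINDOW + m * (WINDOW / n))  # packets spread evenly inside window k
    sk.update(s, 4 * WINDOW)
    return sk, s


if __name__ == "__main__":
    sk, s = demo()
    print("total", sk.estimate(s), "per window", sk.window_counts(row_hash(0, s)), sk.local_check(100))
```

Because each queue entry is the counter value at a window boundary, the per-window packet counts are the differences between consecutive snapshots, and a stream that stays silent for several windows produces a single entry spanning that whole gap, so a threshold that sums the retained windows will underestimate the rate of an on/off sender across its quiet phase. Counters shared through hash collisions can only overestimate a stream, which is the Count-Min property the local threshold relies on.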
The technical concept of the invention is to add corresponding circular queues on top of the Count-Min Sketch algorithm, collect the total number of packets of a data stream in different time windows using the timestamp values recorded in a one-dimensional array, then calculate the rate of the data stream in each time window, and judge whether a DDoS attack exists from the rate change together with the total number of packets.
The beneficial effects of the invention are mainly the following: by adding circular queues on top of the Count-Min Sketch algorithm, traffic feature collection and attack detection are carried out successfully, and compared with prior methods a better detection effect is obtained.
Drawings
Fig. 1 is a flow chart of the method of the present invention.
FIG. 2 is a block diagram of the invention's sketch structure and circular queue, where X in the circular queue represents the counter value recorded for the previous time window.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1, the method for detecting DDoS attacks based on a sketch in a high-speed network scene includes the following steps:
1) when a data packet arrives at a host, the host extracts the five-tuple information of the data packet to generate a stream ID string str, the five-tuple information comprising a source IP, a source port, a destination IP, a destination port and a protocol type;
2) according to the extracted stream ID string, obtaining the indices of the corresponding sketch counters, timestamp array entry and circular queue of the stream, and calculating the difference between the system timestamp at which the current data packet arrives and the arrival timestamp of the data stream recorded in the one-dimensional timestamp array; if the difference is larger than the preset time window, storing the counter value of the corresponding stream in the sketch into the circular queue corresponding to the stream, updating the timestamp recorded in the array to the system timestamp of the current data packet, and adding 1 to the counter of the stream; if the difference is smaller than the preset time window, only adding 1 to the counter corresponding to the stream;
3) according to a preset local threshold, each host traverses the data in its circular queues every time period T1 and judges whether the sum of the data packet counts of each stream in the corresponding time windows exceeds the local threshold; if so, it forms a table from the total packet count of the corresponding stream, the number of packets in each time window and related information, and uploads the table to the controller; in addition, each host checks every larger time period T2 whether a flow has been disconnected, and resets the counter and circular queue of a disconnected flow to save resources;
4) the controller gathers all the information uploaded by the hosts, calculates the rate of each stream from the uploaded information, and observes how the rate of each stream changes over time, thereby detecting whether a DDoS attack exists. The rate is calculated as follows:
diff = (q[tail] - q[head] + qSize) mod qSize
where diff is the difference between the head index and the tail index, q is the circular queue corresponding to a stream, tail is the tail index of the circular queue, head is its head index, qSize is the length of the circular queue, w is the time window size, x denotes the most recent x time windows, and f(x) is the rate of the stream from the latest time window back over x time windows, in packets per second (PPS).
Further, the sketch structure in step 2) is a Count-Min Sketch consisting of a two-dimensional array of d rows and w columns. Each row i corresponds to a hash function hash_i whose input is the stream ID string of a stream and whose output is the index of that stream in row i; that is, in each row the index of the counter corresponding to a stream is determined by hashing, index = hash_i(str). The hash functions are implemented with Bob hash functions, each with mapping range [0, w-1].
Still further, in step 2) there are w circular queues in total, each formed by a one-dimensional array of length qSize. The element stored in a circular queue each time is the minimum of the d counters corresponding to the data stream. The mapping between a data stream and its circular queue is determined by computing an index through a hash function, again with mapping range [0, w-1].
When the minimum of the d counters of a data stream is stored into its circular queue in step 2) is decided by a one-dimensional timestamp array of length w. The array stores, for each data stream, the timestamp of the last update of its circular queue; the index of a data stream in the array is obtained by hashing the stream ID, again with mapping range [0, w-1]. When a data packet belonging to a data stream arrives at a host, the host first obtains the index i of the data stream in the timestamp array by hashing, reads timestamp[i], computes the difference between the current system timestamp and timestamp[i], and compares the difference with the time window: if the difference is greater than or equal to the time window, timestamp[i] is updated to the current system timestamp, the packet count of the data stream stored in the sketch is appended to the circular queue, and then the packet count of the data stream in the sketch is increased by 1; if the difference is smaller than the time window, only the packet count of the data stream in the sketch is increased by 1.
The table uploaded by the host in step 3) contains the following information: the five-tuple of a data stream, the total number of packets of the data stream, and the number of packets recorded for the data stream in each of the qSize time windows.
The controller in step 4) aggregates the information in the tables sent by all hosts. It computes the rate change of each data flow across the different time windows and judges from it: if the rate change is abnormal, the data flow is judged to be a DDoS attack flow, a corresponding filtering rule is generated, and the rule is issued to all hosts to block the DDoS attack.
Further, the method includes a data flow disconnection check. Every larger time period T2, the one-dimensional timestamp array is traversed and each traversed timestamp is subtracted from the current system timestamp. If the difference is larger than T2, no packet of that data stream has reached the host for a long time and the stream can be considered disconnected: the data of the stream stored in the sketch and the circular queue are reported to the controller, then the corresponding counter and circular queue in the sketch are set to 0, so that stale information is cleared promptly and the freed resources can serve new connections.
The invention adds corresponding circular queues on top of the Count-Min Sketch algorithm, collects the total number of packets of a data flow in different time windows using the timestamp values recorded in the one-dimensional array, then calculates the rate of the flow in each time window, and judges whether a DDoS attack exists from the rate change together with the total number of packets. The method belongs to the fields of network security and network measurement and successfully detects DDoS attacks.
The embodiments described in this specification are merely examples of implementation forms of the inventive concept; the scope of protection of the present invention should not be construed as limited to the specific forms set forth in the embodiments, and also covers the equivalent technical means that those skilled in the art can conceive on the basis of the inventive concept.
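The controller side of step 4), worked as an added Python example that is independent of the patent's own code: it reads an uploaded circular queue with the diff formula above (in index form, since the controller needs the number of valid entries), derives packets per window from the cumulative counter snapshots, computes f(x) as the mean rate over the latest x windows, and flags repeated large swings between adjacent windows. The f(x) definition, the swing rule, the table layout and the rule format are assumptions, because the page states only the unit of f(x) and that an abnormal rate change leads to a filtering rule being issued.

```python
# Controller side; all data below is constructed.
Q_SIZE = 8
WINDOW = 1.0  # time window size w, seconds


def valid_snapshots(q, head, tail):
    """Read an uploaded circular queue oldest first. The number of valid entries is
    diff = (tail - head + qSize) mod qSize (the page writes q[tail] - q[head]; the index
    form is used here because the count of entries is what the controller needs)."""
    diff = (tail - head + len(q)) % len(q)
    return [q[(head + k) % len(q)] for k in range(diff)]


def window_counts(snapshots):
    """Snapshots are cumulative counter values, so packets per window are successive differences."""
    return [b - a for a, b in zip(snapshots, snapshots[1:])]


def rate(counts, x, w=WINDOW):
    """f(x): rate in PPS from the latest window back over x windows (assumed definition)."""
    recent = counts[-x:]
    return sum(recent) / (len(recent) * w)


def rate_profile(counts, w=WINDOW):
    """f(1), f(2), ..., f(n) for a stream with n retained windows."""
    return [rate(counts, x, w) for x in range(1, len(counts) + 1)]


def is_abnormal(counts, total, total_threshold, swing_factor=3.0, w=WINDOW):
    """Decision rule (assumption; the patent fixes none): the stream's total reaches the
    threshold AND its per-window rate jumps or drops by at least swing_factor between adjacent
    windows two or more times, the on/off pattern the page attributes to Yo-Yo attacks."""
    if total < total_threshold or len(counts) < 3:
        return False
    per_window = [c / w for c in counts]
    swings = 0
    for a, b in zip(per_window, per_window[1:]):
        lo, hi = min(a, b), max(a, b)
        if hi > 0 and hi >= swing_factor * lo:  # also counts a window that falls to zero
            swings += 1
    return swings >= 2


def filter_rule(five_tuple):
    """Filtering rule the controller issues to all hosts (format is an assumption)."""
    return {"action": "drop", "match": five_tuple}


def analyze(table, total_threshold):
    """Aggregate uploaded rows (five_tuple, total_packets, q, head, tail) and return the rules to issue."""
    rules = []
    for five_tuple, total, q, head, tail in table:
        counts = window_counts(valid_snapshots(q, head, tail))
        if is_abnormal(counts, total, total_threshold):
            rules.append(filter_rule(five_tuple))
    return rules


# Constructed upload from two hosts: a steady stream, and an on/off stream whose queue has wrapped around.
STEADY = ("198.51.100.7", 40000, "203.0.113.5", 80, "tcp")
ON_OFF = ("198.51.100.9", 51000, "203.0.113.5", 80, "tcp")
SAMPLE_TABLE = [
    (STEADY, 200, [40, 80, 120, 160, 200, 0, 0, 0], 0, 5),
    (ON_OFF, 230, [220, 230, 0, 0, 0, 10, 110, 120], 5, 2),
]

if __name__ == "__main__":
    for five_tuple, _, q, head, tail in SAMPLE_TABLE:
        print(five_tuple, rate_profile(window_counts(valid_snapshots(q, head, tail))))
    print(analyze(SAMPLE_TABLE, 150))
```

The steady stream yields a flat profile and no rule; the on/off stream alternates between 100 and 10 packets per window, so f(1) = 10 PPS while f(2) = 55 PPS, and the swing rule fires even though its total is close to the steady stream's. A rule keyed on the total alone, which is what the page criticises in earlier sketch-based detectors, would treat the two streams the same.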

Claims (7)

1. A DDoS attack detection method based on a sketch under a high-speed network scene, characterized by comprising the following steps:
1) when a data packet arrives at a host, the host extracts the five-tuple information of the data packet to generate a stream ID string str, the five-tuple information comprising a source IP, a source port, a destination IP, a destination port and a protocol type;
2) according to the extracted stream ID string, obtaining the indices of the corresponding sketch counters, timestamp array entry and circular queue of the stream, and calculating the difference between the system timestamp at which the current data packet arrives and the arrival timestamp of the data stream recorded in the one-dimensional timestamp array; if the difference is larger than the preset time window, storing the counter value of the corresponding stream in the sketch into the circular queue corresponding to the stream, updating the timestamp recorded in the array to the system timestamp of the current data packet, and adding 1 to the counter of the stream; if the difference is smaller than the preset time window, only adding 1 to the counter corresponding to the stream;
3) according to a preset local threshold, each host traverses the data in its circular queues every time period T1 and judges whether the sum of the data packet counts of each stream in the corresponding time windows exceeds the local threshold; if so, it forms a table from the total packet count of the corresponding stream, the number of packets in each time window and related information, and uploads the table to the controller; in addition, each host checks every larger time period T2 whether a flow has been disconnected, and resets the counter and circular queue of a disconnected flow to save resources;
4) the controller gathers all the information uploaded by the hosts, calculates the rate of each stream from the uploaded information, and observes how the rate of each stream changes over time, so as to detect whether a DDoS attack exists; the rate is calculated as follows:
diff = (q[tail] - q[head] + qSize) mod qSize
where diff is the difference between the head index and the tail index, q is the circular queue corresponding to a stream, tail is the tail index of the circular queue, head is its head index, qSize is the length of the circular queue, w is the time window size, x denotes the most recent x time windows, and f(x) is the rate of the stream from the latest time window back over x time windows, in packets per second (PPS).
2. The method for detecting a DDoS attack based on a sketch in a high-speed network scenario as claimed in claim 1, wherein:
the sketch structure in step 2) is a Count-Min Sketch consisting of a two-dimensional array of d rows and w columns; each row i corresponds to a hash function hash_i whose input is the stream ID string of a stream and whose output is the index of that stream in row i, that is, in each row the index of the counter corresponding to a stream is determined by hashing, index = hash_i(str); the hash functions are implemented with Bob hash functions, each with mapping range [0, w-1].
3. The method for detecting a DDoS attack based on a sketch in a high-speed network scenario as claimed in claim 1, wherein:
there are w circular queues in total in step 2), each consisting of a one-dimensional array of length qSize; the element stored in a circular queue each time is the minimum of the d counters corresponding to the data stream, the mapping between a data stream and its circular queue being determined by computing an index through a hash function, again with mapping range [0, w-1].
4. The DDoS attack detection method based on a sketch in a high-speed network scenario as claimed in claim 3, wherein:
when the minimum of the d counters of a data stream is stored into its circular queue in step 2) is decided by a one-dimensional timestamp array of length w; the array stores, for each data stream, the timestamp of the last update of its circular queue, the index of a data stream in the array is obtained by hashing the stream ID, and the mapping range of the hash function is [0, w-1]; when a data packet belonging to a data stream arrives at a host, the host first obtains the index i of the data stream in the timestamp array by hashing, reads timestamp[i], computes the difference between the current system timestamp and timestamp[i], and compares the difference with the time window: if the difference is greater than or equal to the time window, timestamp[i] is updated to the current system timestamp, the packet count of the data stream stored in the sketch is appended to the circular queue, and then the packet count of the data stream in the sketch is increased by 1; if the difference is smaller than the time window, only the packet count of the data stream in the sketch is increased by 1.
5. The method for detecting a DDoS attack based on a sketch in a high-speed network scenario as claimed in claim 1, wherein:
the table uploaded by the host in step 3) contains the following information: the five-tuple of a data stream, the total number of packets of the data stream, and the number of packets recorded for the data stream in each of the qSize time windows.
6. The method for detecting a DDoS attack based on a sketch in a high-speed network scenario as claimed in claim 1, wherein: the controller in step 4) aggregates the information in the tables sent by all hosts; it computes the rate change of each data flow across the different time windows and judges from it, and if the rate change is abnormal, the data flow is judged to be a DDoS attack flow, a corresponding filtering rule is generated, and the rule is issued to all hosts to block the DDoS attack.
7. The method for detecting a DDoS attack based on a sketch in a high-speed network scenario as claimed in claim 1, wherein: a data stream disconnection check exists; every larger time period T2, the one-dimensional timestamp array is traversed and each traversed timestamp is subtracted from the current system timestamp; if the difference is larger than T2, no packet of that data stream has reached the host for a long time and the stream can be considered disconnected, the data of the stream stored in the sketch and the circular queue are reported to the controller, then the corresponding counter and circular queue in the sketch are set to 0, so that stale information is cleared promptly and the freed resources can serve new connections.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311214640.8A CN117220958A (en) 2023-09-20 2023-09-20 DDoS attack detection method based on sketch under high-speed network scene

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311214640.8A CN117220958A (en) 2023-09-20 2023-09-20 DDoS attack detection method based on sketch under high-speed network scene

Publications (1)

Publication Number Publication Date
CN117220958A true CN117220958A (en) 2023-12-12

Family

ID=89036776

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311214640.8A Pending CN117220958A (en) 2023-09-20 2023-09-20 DDoS attack detection method based on sketch under high-speed network scene

Country Status (1)

Country Link
CN (1) CN117220958A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117424762A (en) * 2023-12-19 2024-01-19 广东省科技基础条件平台中心 DDOS attack detection method, medium and device
CN117424762B (en) * 2023-12-19 2024-03-19 广东省科技基础条件平台中心 DDOS attack detection method, medium and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination