CN106209861A - A kind of based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method and device - Google Patents
- Publication number: CN106209861A
- Application number: CN201610556957.3A
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents; the status is an assumption and not a legal conclusion)
Classifications
- H04L63/1458 — Denial of Service (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1441—Countermeasures against malicious traffic)
- H04L67/02 — Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00—Network arrangements or protocols for supporting network services or applications; H04L67/01—Protocols)
Abstract
The present invention analyses the differences and similarities that HTTP Flood attacks and slow HTTP POST connection attacks against the Web application layer exhibit in their traffic attributes and user behaviour attributes. It proposes a Web server DDoS attack detection method, and a corresponding device, based on the Jaccard similarity coefficient (transliterated "Jie Kade" in the original). The method is the first to combine several attribute features in the similarity computation. Simulation experiments show that it not only detects HTTP Flood attacks and slow HTTP POST connection attacks effectively but also distinguishes burst traffic accurately, and that its online detection has high real-time performance and a high accuracy rate.
Description
Technical field
The present invention relates to the problem of detecting DDoS attacks on the Web application layer, and applies the Jaccard similarity coefficient to Web application layer DDoS attack detection.
Background technology
Distributed denial of service (DDoS) attacks have always been a major threat to Internet security, and in recent years application layer DDoS has increasingly shown its attack power. The biggest difference between application layer DDoS attacks and traditional DDoS attacks is that the former establish completely legitimate connections with the server and then aim to exhaust system resources so as to cause denial of service.
With the rapid development of network technology and the wide availability of the Internet, Web services have become an important part of people's lives, and DDoS attacks against the Web application layer are increasing. They are broadly divided into two classes: HTTP-Flood attacks and HTTP-Post attacks.
Current methods for detecting Web application layer DDoS attacks mainly include the following. Kandula et al. proposed a detection and defence method based on puzzles: when the server's resource consumption exceeds a preset threshold, an attack is suspected. Since attacks are generated by programs and have no intelligence, the user is asked to answer some simple questions to judge whether the user is legitimate; a wrong answer identifies the source as an attack source. This method not only affects the experience of legitimate users but also cannot effectively distinguish burst traffic. Mahajan et al. proposed using the entropy of source IP addresses to judge whether a DDoS attack is occurring; the method can effectively distinguish burst traffic from HTTP-Flood flood attacks, but it does not consider slow HTTP-Post connection attacks. Xie et al. proposed an anomaly detection method based on user access behaviour that uses a hidden Markov model (HMM) to describe users' normal access behaviour and judges, from the degree of normality of the observed access behaviour, whether the visitor is a malicious attack program or a legitimate user accessing normally; the training process of this method is tedious, its computational complexity is high and its online real-time performance is poor.
Summary of the invention
In view of the deficiencies of the prior art in DDoS attack detection, this paper proposes a Web application layer DDoS attack detection method based on the Jaccard similarity coefficient. The traffic characteristics exhibited during HTTP-Flood flood attacks and slow HTTP-Post attacks are analysed in order to choose a reasonable set of features and build a similarity model; the data volume in a unit time interval is used as the computation item, and whether an attack is occurring is judged by comparing the similarity with normal traffic against a threshold. Experiments show that the method not only effectively detects HTTP-Flood attacks and slow HTTP-Post connection attacks but also distinguishes burst traffic well, and that its online detection has strong real-time performance.
The present invention solves the above technical problem with the following technical solution:
The Jaccard similarity coefficient was proposed by Jaccard to measure the similarity between two sets. In the narrow-sense Jaccard coefficient the value of a set element can only be 0 or 1, whereas in the generalised Jaccard coefficient an element's value can be a real number, so it can express richer information.
In DDoS attack detection we need to use several attributes, and the feature values of the attributes all differ, so the narrow-sense Jaccard similarity coefficient is not suitable here.
The generalised Jaccard similarity coefficient is used to compute the similarity between the attribute set of the current time interval and the historical normal attribute set. The formula is as follows:
where x denotes the attribute vector formed by averaging each attribute feature computed over several different sets of historical normal data, and x_i denotes the attribute vector formed by the attribute features computed in the current time interval t.
The closer the value of Sim(x, x_i) is to 1, the more similar x and x_i are, i.e. the closer the current traffic is to normal traffic; equality holds if and only if x = x_i, meaning that x and x_i are identical and the similarity value is 1.
To reflect the similarity between normal flows and attack flows and to recognise different attacks, the chosen attribute features must not only differ between attack flows and normal flows; they should also take different values for different kinds of attack. Based on the analysis above, we choose the following three attribute features to form the attribute vector:
A. Source IP address entropy
1) When an HTTP-Flood flood attack against the Web server occurs, a large number of new IP addresses appear, so the rate of increase of new IP addresses rises sharply, which causes the source IP address entropy to be lower than that of normal traffic. When burst traffic occurs, a large number of IP addresses appear repeatedly, and the source IP entropy is higher than that of normal traffic.
2) When a slow HTTP-Post connection attack occurs, multiple connections are held open continuously, so source IP addresses repeat within the unit time and the source IP entropy is higher than that of normal traffic.
The steps for computing the source IP address entropy are as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, where IP_all is the set of source IP addresses within the time interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i;
Step a3: from steps a1 and a2, the source IP address entropy in the time interval t is:
B. Entropy of packet size
1) To consume the target host's resources as much as possible, attackers reduce the complexity of attack packets, so the attack packets sent by zombie machines are very similar in size and the packet size distribution is concentrated, whereas packet sizes under normal circumstances are more random; therefore the entropy of packet size during an attack is lower than for normal traffic.
2) Burst traffic is often the result of a large number of users accessing the server at the same time because of breaking news or a popular product; during such a period the packets sent by normal users are basically similar in size, so the packet entropy is also lower than for normal traffic.
The steps for computing the entropy of packet size are as follows:
Step b1: define the i-th flow towards the target host as flow_i; the data flows towards the target host collected in the time interval t can then be expressed as:
Flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th flow, and let p_i denote its probability:
where
Step b3: from steps b1 and b2, the entropy of packet size is:
C. Ratio of TCP connection count to HTTP request count
1) When an HTTP-Flood flood attack occurs, the attacker, in order to consume host resources as quickly as possible, sends a very large number of HTTP requests per unit time after establishing a connection;
2) when a slow HTTP-Post connection attack occurs, after establishing a connection the attacker sends only one HTTP request over a long time;
3) when burst traffic occurs, the number of requests per user rises in the initial phase, but as network performance degrades each user reduces the number of resources requested;
4) therefore, within a measurement period, the ratio of TCP connections to HTTP requests is informative: if the ratio in the period is too large, it is likely a slow HTTP-Post connection attack; if it is too small, it is likely an HTTP-Flood flood attack; and because burst traffic decreases gradually, its ratio is larger than for a flood attack but smaller than for normal traffic.
The steps for computing the ratio of TCP connection count to HTTP request count are as follows:
Step c1: define tcp_num as the total number of TCP connections in the time interval t;
Step c2: define http_req_num as the total number of HTTP requests in the time interval t;
Step c3: from steps c1 and c2, the connection-request ratio is:
In theory: rate_HDDoS < rate_FC < rate_Norm < rate_LDDoS
Here rate_LDDoS denotes the ratio of TCP connection count to HTTP request count during a slow HTTP-Post connection attack; rate_HDDoS the ratio during an HTTP-Flood flood attack; rate_FC the ratio during burst traffic; and rate_Norm the ratio under normal circumstances; rate_LDDoS is much larger than the normal value.
In summary, when burst traffic occurs only the packet entropy differs obviously from normal traffic, while the other two attributes differ little compared with an attack, so the similarity value is larger. When a flood attack or a slow connection attack occurs, all three attributes differ from their values under normal circumstances, so the similarity is smaller. Therefore, in theory, burst traffic can be well distinguished from anomalous traffic, and flood attacks and slow connection attacks can be well detected.
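The three attribute features above, as an added example that is not part of the patent: Python code that computes the attribute vector of one time interval t (source IP entropy, packet-size entropy as defined over the per-flow packet counts, and the TCP-connection-to-HTTP-request ratio) from constructed per-packet records. Because the page's formulas were not extracted, the following are assumptions: Shannon entropy in base 2, the normalisation p_i = P(flow_i) / Σ_j P(flow_j), the orientation tcp_num / http_req_num (large when each connection carries few requests, as the slow-POST description implies), and the Packet record, the helper names and the three sample intervals, which are all constructed here.

```python
# Added example (not from the patent): computing the three attribute
# features of one time interval t from per-packet records.
# Assumptions not stated on the page: entropy uses log base 2, the packet
# count distribution is normalised as p_i = P(flow_i) / sum_j P(flow_j), and
# the ratio is tcp_num / http_req_num.
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured packet, reduced to the fields the features need."""
    src_ip: str
    flow_id: int                 # identifies the (src, dst, sport, dport) flow
    syn: bool = False            # True for the SYN that opens a TCP connection
    http_request: bool = False   # True if the packet carries an HTTP request


def entropy(counts):
    """Shannon entropy (bits) of the distribution induced by a count mapping."""
    total = sum(counts.values())
    if total == 0:
        return 0.0               # empty interval: nothing to measure
    h = -sum((c / total) * math.log2(c / total) for c in counts.values() if c)
    return max(0.0, h)           # avoids returning -0.0 for a single symbol


def source_ip_entropy(packets):
    """Steps a1-a3: IP_all and the probability p_i of each address in t."""
    return entropy(Counter(p.src_ip for p in packets))


def packet_size_entropy(packets):
    """Steps b1-b3: P(flow_i) is the packet count on flow i in t."""
    return entropy(Counter(p.flow_id for p in packets))


def connection_request_ratio(packets):
    """Steps c1-c3: tcp_num / http_req_num for the interval."""
    tcp_num = sum(1 for p in packets if p.syn)
    http_req_num = sum(1 for p in packets if p.http_request)
    if http_req_num == 0:
        return math.inf          # connections but no requests: 'too large'
    return tcp_num / http_req_num


def attribute_vector(packets):
    """The attribute vector x_i for one interval: [H_ip, H_pkt, rate]."""
    return [source_ip_entropy(packets),
            packet_size_entropy(packets),
            connection_request_ratio(packets)]


def make_interval(connections):
    """Build a constructed interval: each (src_ip, n_requests) entry is one TCP
    connection (its own flow) carrying a SYN followed by n_requests requests."""
    packets = []
    for flow_id, (ip, n_requests) in enumerate(connections):
        packets.append(Packet(ip, flow_id, syn=True))
        packets.extend(Packet(ip, flow_id, http_request=True)
                       for _ in range(n_requests))
    return packets


# Constructed sample intervals (not captured traffic): four normal clients
# with three requests each, eight flood sources with twenty requests each,
# and one slow-POST source holding eight connections with one request each.
NORMAL = make_interval([(f"10.0.0.{i}", 3) for i in range(1, 5)])
FLOOD = make_interval([(f"198.51.100.{i}", 20) for i in range(1, 9)])
SLOW_POST = make_interval([("203.0.113.5", 1)] * 8)

if __name__ == "__main__":
    for name, interval in [("normal", NORMAL), ("flood", FLOOD),
                           ("slow post", SLOW_POST)]:
        print(name, [round(v, 3) for v in attribute_vector(interval)])
```

With these constructed intervals the ratio comes out as flood < normal < slow POST, which is the ordering the text predicts for rate_HDDoS, rate_Norm and rate_LDDoS; the two entropies simply report the distributions the intervals were built with.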
The specific technical solution is as follows:
The present invention relates to a Web application layer DDoS attack detection method based on the generalised Jaccard similarity coefficient, comprising the following steps:
Step 1: set the time interval t;
Step 2: using the data volume in the time interval t as the computation item, compute the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalised Jaccard similarity coefficient formula;
Step 3: compare the Jaccard similarity coefficient computed in step 2 with a preset similarity threshold γ, and judge on this basis whether a DDoS attack is occurring.
The invention also relates to a Web application layer DDoS attack detection device based on the generalised Jaccard similarity coefficient, comprising:
a time interval setting module, for setting the time interval t;
a similarity computation module, for using the data volume in the time interval t as the computation item and computing the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalised Jaccard similarity coefficient formula;
an attack recognition module, for comparing the Jaccard similarity coefficient computed in the similarity computation module with the preset similarity threshold γ and judging on this basis whether a DDoS attack is occurring.
Compared with the prior art, the present invention has the following technical effects:
The method is the first to combine multiple attribute features in the similarity computation; it not only effectively detects HTTP-Flood flood attacks and slow HTTP-Post connection attacks but also distinguishes burst traffic accurately, and its online detection has high real-time performance and a high accuracy rate.
Description of the drawings
Fig. 1 is a schematic diagram of the application layer DDoS attack detection algorithm based on the generalised Jaccard similarity coefficient in the present invention;
Fig. 2 is the list of normal traffic captured in the embodiment of the present invention;
Fig. 3 is the list of traffic feature vectors (also called attribute vectors) captured with libpcap under normal connections in the embodiment of the present invention;
Fig. 4 is the list of traffic feature vectors (attribute vectors) captured with libpcap during an HTTP-Post attack in the embodiment of the present invention;
Fig. 5 is the list of traffic feature vectors (attribute vectors) captured with libpcap during an HTTP-Flood attack in the embodiment of the present invention;
Fig. 6 is the list of burst traffic captured in the embodiment of the present invention;
Fig. 7 shows the similarity computation results in the embodiment of the present invention.
Detailed description of the invention
The present invention is further described below with reference to the drawings and an example.
Embodiment one
The present invention relates to a Web application layer DDoS attack detection method based on the generalised Jaccard similarity coefficient, comprising the following steps:
Step 1: set the time interval t.
Step 2: using the data volume in the time interval t as the computation item, compute the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalised Jaccard similarity coefficient formula.
The attribute set is an attribute vector composed of several attribute features, and the generalised Jaccard similarity coefficient formula is as follows:
where x denotes the attribute vector formed by averaging each attribute feature computed over several different sets of historical normal data in time intervals t, and x_i denotes the attribute vector formed by the attribute features computed in the current time interval t.
Step 2 specifically comprises the following steps:
Step 2.1: compute x by averaging over several different sets of historical normal data in time intervals t;
Step 2.2: compute the value of x_i in the current time interval t;
Step 2.3: compute the Jaccard similarity coefficient Sim(x, x_i).
The attribute features comprise the source IP address entropy, the entropy of packet size, and the ratio of TCP connection count to HTTP request count.
The steps for computing the source IP address entropy are as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, where IP_all is the set of source IP addresses within the time interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i;
Step a3: from steps a1 and a2, the source IP address entropy in the time interval t is:
The steps for computing the entropy of packet size are as follows:
Step b1: define the i-th flow towards the target host as flow_i; the data flows towards the target host collected in the time interval t are then expressed as:
Flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th flow, and let p_i denote its probability:
where
Step b3: from steps b1 and b2, the entropy of packet size is:
The steps for computing the ratio of TCP connection count to HTTP request count are as follows:
Step c1: define tcp_num as the total number of TCP connections in the time interval t;
Step c2: define http_req_num as the total number of HTTP requests in the time interval t;
Step c3: from steps c1 and c2, the connection-request ratio is:
Step 3: compare the Jaccard similarity coefficient computed in step 2 with the preset similarity threshold γ, and judge on this basis whether a DDoS attack is occurring.
Step 3 specifically comprises the following steps:
Step 3.1: compare the Jaccard similarity coefficient Sim(x, x_i) computed in step 2 with the preset similarity threshold γ; if Sim(x, x_i) > γ, carry out step 3.2 and then enter step 3.4; otherwise carry out step 3.3 and then enter step 3.4;
Step 3.2: add x_i to the historical normal data;
Step 3.3: raise an alarm and make an attack response;
Step 3.4: return to step 2.
The similarity threshold γ is set as follows:
Step 1: collect the target Web server's HTTP requests in each time interval t over the preceding several hours as historical normal data; take the mean of each attribute feature over the different sets of historical normal data to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
Step 2: simulate DDoS attacks, capture the traffic data in several time intervals t as samples, compute the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and compute its Jaccard similarity coefficient Sim(x, x_i);
DDOSIM and SlowHTTPTest can be used to simulate HTTP-Flood and HTTP-Post attacks respectively; after that, capture the traffic data in several time intervals t as samples, compute the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and compute its Jaccard similarity coefficient Sim(x, x_i);
Step 3: take a value slightly larger than the Jaccard similarity coefficients Sim(x, x_i) of all sampled DDoS attack traffic data as the similarity threshold γ. This threshold γ is preferably as close as possible to the maximum of the Jaccard similarity coefficients Sim(x, x_i) of all sampled DDoS attack traffic data.
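Steps 2.1 to 3.4 of the method and the three threshold-setting steps above, as an added example that is not the patent's code. Because the similarity formula itself was not extracted with the page, the code assumes the Tanimoto form of the generalised Jaccard coefficient, Sim(x, y) = x·y / (|x|² + |y|² − x·y), which equals 1 if and only if x = y for real-valued vectors, the property the text states. The 0.01 margin above the largest attack-sample similarity, the Detector class and every attribute vector (historical, simulated-attack and live) are constructed here; the vectors use the [H_ip, H_pkt, rate] layout of the three attribute features.

```python
# Added example (not the patent's code): generalised Jaccard similarity,
# threshold calibration (threshold steps 1-3) and the online decision loop
# (steps 3.1-3.4). The Tanimoto form of the coefficient is an ASSUMPTION,
# since the page's formula was not extracted. All vectors are constructed.
import math


def generalized_jaccard(x, y):
    """Tanimoto / generalised Jaccard similarity of two real-valued vectors."""
    dot = sum(a * b for a, b in zip(x, y))
    denom = sum(a * a for a in x) + sum(b * b for b in y) - dot
    return 1.0 if denom == 0 else dot / denom


def mean_vector(vectors):
    """Step 2.1 / threshold step 1: x is the component-wise mean of the
    historical normal attribute vectors."""
    n = len(vectors)
    return [sum(v[k] for v in vectors) / n for k in range(len(vectors[0]))]


def choose_threshold(x, attack_vectors, margin=0.01):
    """Threshold step 3: a value slightly above the largest Sim(x, x_i) of any
    simulated attack sample. The margin is an assumption; the page only says
    'slightly larger' and 'as close as possible to the maximum'."""
    return max(generalized_jaccard(x, v) for v in attack_vectors) + margin


class Detector:
    """Steps 2.2-3.4, run once per time interval t."""

    def __init__(self, history, gamma):
        self.history = list(history)   # historical normal attribute vectors
        self.gamma = gamma             # preset similarity threshold
        self.x = mean_vector(self.history)

    def observe(self, xi):
        """Classify the current interval's vector x_i; returns (label, sim)."""
        sim = generalized_jaccard(self.x, xi)      # step 2.3
        if sim > self.gamma:                        # step 3.1
            self.history.append(xi)                 # step 3.2: learn from it
            self.x = mean_vector(self.history)
            return "normal", sim
        return "alarm", sim                         # step 3.3: raise an alarm
        # step 3.4 is the caller's loop over the next interval


# Constructed data: three normal intervals, four simulated-attack intervals
# (two flood-like, two slow-POST-like) and three live intervals to classify.
HISTORY = [[2.0, 2.0, 0.33], [2.1, 1.9, 0.30], [1.9, 2.1, 0.36]]
ATTACK_SAMPLES = [[3.2, 3.3, 0.05], [3.1, 3.2, 0.06],
                  [0.0, 3.0, 1.0], [0.2, 2.9, 0.9]]
LIVE = [[2.05, 1.95, 0.34], [3.3, 3.2, 0.04], [0.1, 3.0, 0.95]]


def run_demo():
    """Calibrate gamma from the attack samples, then classify the live
    intervals; returns (gamma, decisions, final history size)."""
    gamma = choose_threshold(mean_vector(HISTORY), ATTACK_SAMPLES)
    det = Detector(HISTORY, gamma)
    decisions = [det.observe(v)[0] for v in LIVE]
    return gamma, decisions, len(det.history)


if __name__ == "__main__":
    gamma, decisions, n_hist = run_demo()
    print(f"gamma={gamma:.3f} decisions={decisions} history_size={n_hist}")
```

With these constructed vectors the calibrated threshold is about 0.83; the first live interval is accepted as normal and folded into the history (which grows from three to four vectors, so x drifts with it), while the flood-like and slow-POST-like intervals fall below the threshold and raise alarms. Since the entropies are of order 2 to 3 while the ratio is a fraction, the Tanimoto similarity is dominated by the entropy components; if the page's formula normalises features first, the absolute values would differ but the decision structure would not.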
The invention also relates to a Web application layer DDoS attack detection device based on the generalised Jaccard similarity coefficient, characterised in that it comprises:
a time interval setting module, for setting the time interval t;
a similarity computation module, for using the data volume in the time interval t as the computation item and computing the similarity between the attribute set of the current time interval t and the historical normal attribute set with the generalised Jaccard similarity coefficient formula;
an attack recognition module, for comparing the Jaccard similarity coefficient computed in the similarity computation module with the preset similarity threshold γ and judging on this basis whether a DDoS attack is occurring.
The attribute set is an attribute vector composed of several attribute features, and the generalised Jaccard similarity coefficient formula used in the similarity computation module is as follows:
where x denotes the attribute vector formed by averaging each attribute feature computed over several different sets of historical normal data in time intervals t, and x_i denotes the attribute vector formed by the attribute features computed in the current time interval t.
The similarity computation module specifically comprises:
an x attribute vector computation module, for computing x by averaging over several different sets of historical normal data in time intervals t;
an x_i attribute vector computation module, for computing the value of x_i in the current time interval t;
a similarity coefficient computation module, for computing the Jaccard similarity coefficient Sim(x, x_i).
The attribute features comprise the source IP address entropy, the entropy of packet size, and the ratio of TCP connection count to HTTP request count.
The steps for computing the source IP address entropy are as follows:
Step a1: define IP_all = {IP_1, IP_2, ..., IP_i, ..., IP_n}, where IP_all is the set of source IP addresses within the time interval t;
Step a2: define P = {p_1, p_2, ..., p_i, ..., p_n}, where p_i is the probability of IP_i;
Step a3: from steps a1 and a2, the source IP address entropy in the time interval t is:
The steps for computing the entropy of packet size are as follows:
Step b1: define the i-th flow towards the target host as flow_i; the data flows towards the target host collected in the time interval t are then expressed as:
Flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th flow, and let p_i denote its probability:
where
Step b3: from steps b1 and b2, the entropy of packet size is:
The steps for computing the ratio of TCP connection count to HTTP request count are as follows:
Step c1: define tcp_num as the total number of TCP connections in the time interval t;
Step c2: define http_req_num as the total number of HTTP requests in the time interval t;
Step c3: from steps c1 and c2, the connection-request ratio is:
The attack recognition module comprises:
an attack recognition comparison module, for comparing the Jaccard similarity coefficient Sim(x, x_i) computed in the similarity computation module with the preset similarity threshold γ; if Sim(x, x_i) > γ it enters the attack recognition storage module and then the attack recognition loop module, otherwise it enters the attack recognition alarm module and then the attack recognition loop module;
an attack recognition storage module, for adding x_i to the historical normal data and then entering the attack recognition loop module;
an attack recognition alarm module, for raising an alarm, making an attack response and then entering the attack recognition loop module;
an attack recognition loop module, for returning to the similarity comparison module.
The invention also relates to a similarity threshold setting module, comprising:
a mean value computation module, for collecting the target Web server's HTTP requests in each time interval t over the preceding several hours as historical normal data and taking the mean of each attribute feature over the different sets of historical normal data to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
an attack sample similarity coefficient computation module, for simulating DDoS attacks, capturing the traffic data in several time intervals t as samples, computing the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and computing its Jaccard similarity coefficient Sim(x, x_i);
DDOSIM and SlowHTTPTest can be used to simulate HTTP-Flood and HTTP-Post attacks respectively; after that, the traffic data in several time intervals t are captured as samples, the attribute vector of the traffic data in each time interval t is computed as x_i in the Jaccard similarity coefficient formula, and its Jaccard similarity coefficient Sim(x, x_i) is computed;
a similarity threshold computation module, for taking a value slightly larger than the Jaccard similarity coefficients Sim(x, x_i) of all sampled DDoS attack traffic data as the similarity threshold γ; this threshold γ is preferably as close as possible to the maximum of the Jaccard similarity coefficients Sim(x, x_i) of all sampled DDoS attack traffic data.
Embodiment two
To verify the effectiveness of this DDoS attack detection method, the present invention uses DDOSIM and SlowHTTPTest to simulate HTTP-Flood attacks and HTTP-Post attacks. DDOSIM is a distributed local server attack simulator that can be used in an experimental environment; it tests a server's capacity to process and withstand DDoS attack traffic. DDOSIM simulates zombie hosts and establishes complete TCP connections with the target server; once the connections are complete, DDOSIM begins the test. SlowHTTPTest is a configurable application layer denial-of-service test tool that can simulate DDoS attacks with low bandwidth consumption, such as slow HTTP-Post connection attacks. To ensure the authenticity of the experimental data, the specific experimental steps are as follows:
1. Obtain normal traffic.
Step 101: collect the campus network Web server's HTTP requests over 8 hours as normal data.
Step 102: the normal traffic after processing is shown in Fig. 2.
2. Establish normal connections and capture traffic.
Step 201: take the mean of the data from step 1 under normal traffic as the feature vector (also called attribute vector) x.
Step 202: install the DDOSIM tool under Linux on every machine in the LAN.
Step 203: enter the command ./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0 on the command line, which establishes 10 TCP connections with the server using random IP addresses.
Step 204: send valid HTTP requests.
Step 205: use libpcap to capture the data in each 10 s window and obtain the traffic feature vectors (attribute vectors) shown in Fig. 3.
3. Launch DDoS attacks and capture traffic.
Step 301: install the SlowHTTPTest tool under Linux on every PC to simulate HTTP-Post attacks.
Step 302: enter the command ./slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 20 -s 8100 -t FAKEVERB u on the command line, which establishes a connection with the server every 110 seconds at a connection rate of 20 per second with a content length of 8100.
Step 303: use libpcap to capture the data in each 10 s window and obtain the traffic feature vectors (attribute vectors) shown in Fig. 4.
Step 304: install the DDOSIM tool under Linux on every PC.
Step 305: enter the command ./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0 on the command line, which establishes 10 TCP connections with the server using random IP addresses, and send valid HTTP requests.
Step 306: use libpcap to capture the data in each 10 s window and obtain the traffic feature vectors (attribute vectors) shown in Fig. 5.
4. Acquisition of burst traffic.
Step 401: choose the month of the campus network's year in which student demand causes a large number of users to access the server as the burst traffic data; the traffic feature vectors (attribute vectors) obtained are shown in Fig. 6.
5. Experimental results.
Step 501: 1000 groups of data are chosen for each kind of attack and for burst traffic, the similarity is computed, and the results are shown in Fig. 7.
Step 502: Fig. 7 shows that the similarity values differ when different attacks occur; during burst traffic (flash crowd) the value of Sim lies between 0.65 and 0.83.
Step 503: during an HTTP-Flood attack the value of Sim lies between 0.6 and 0.68.
Step 504: during an HTTP-Post attack the value of Sim lies between 0.43 and 0.63.
Step 505: when the value of Sim used as the threshold is 0.7, the detection performance of the present invention is maximised: it not only identifies burst traffic effectively but also effectively detects the other two kinds of attack, with an accuracy rate of 93.8%, a miss rate of 2.4% and a false alarm rate of 3.1%; compared with other methods, whose detection accuracy is 88% and false alarm rate 3%, the detection performance of the present invention is considerably improved.
Claims (10)
1. one kind based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method, it is characterised in that include as follows
Step:
Step one: set interval t;
Step 2: using the data volume in t time interval as computational item, by using broad sense Jie Kade similarity coefficient computing formula
Calculate community set and the similarity of the normal community set of history in current t time interval;
Step 3: the Jie Kade similarity coefficient calculated in step 2 is compared with similar threshold value γ set in advance, as
According to judging whether generation ddos attack.
One the most according to claim 1 based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method,
It is characterized in that, described community set is the attribute vector of some attribute character composition, the broad sense outstanding person card described in step 2
Moral similarity coefficient computing formula is as follows:
Wherein: x represents that taking different history normal data in t time interval several times calculates each attribute character and average composition
Attribute vector;xiThe attribute vector of each attribute character composition calculated in representing current t time interval;
Described step 2 specifically includes following steps:
Step 2.1: average calculating x by history normal data different in t time interval several times;
Step 2.2: calculate the x in current t time intervaliValue;
Step 2.3: calculate Jie Kade similarity coefficient Sim (x, xi)。
One the most according to claim 2 based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method,
It is characterized in that, described attribute character includes that source IP address entropy, the entropy of data package size and TCP connect number and HTTP
Number of request ratio.
One the most according to claim 3 based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method,
It is characterized in that, the calculation procedure of described source IP address entropy is as follows:
Step a1: definition IP_all={IP1,IP2,...IPi,...IPn, IP_all represents t time interval endogenous IP address set
Close;
Step a2: definition P={p1,p2,...,pi,...,pn, piRepresent IPiProbability distribution;
Step a3: by step a1, a2 show that the entropy of source IP address is in t time interval:
5. The Web application layer DDoS attack detection method based on the generalized Jaccard similarity coefficient according to claim 3,
characterized in that the packet size entropy is computed as follows:
Step b1: define the i-th data flow directed to the target host as flow_i; the set of data flows flow_all directed to the target host within time interval t is then expressed as:
flow_all = {flow_1, flow_2, ..., flow_i, ..., flow_n};
Step b2: let P(flow_i) be the number of packets on the i-th flow, and let p_i denote its probability distribution:
where
Step b3: from steps b1 and b2, the packet size entropy is:
6. The Web application layer DDoS attack detection method based on the generalized Jaccard similarity coefficient according to claim 3,
characterized in that the ratio of the TCP connection count to the HTTP request count is computed as follows:
Step c1: define tcp_num as the total number of TCP connections within time interval t;
Step c2: define http_req_num as the total number of HTTP requests within time interval t;
Step c3: from steps c1 and c2, the connection-request ratio is:
7. The Web application layer DDoS attack detection method based on the generalized Jaccard similarity coefficient according to claim 2,
characterized in that step 3 specifically includes the following steps:
Step 3.1: compare the Jaccard similarity coefficient Sim(x, x_i) computed in step 2 with a preset similarity threshold γ; if Sim(x, x_i) > γ, carry out step 3.2 and then enter step 3.4, otherwise carry out step 3.3 and then enter step 3.4;
Step 3.2: add x_i to the historical normal data;
Step 3.3: raise an alarm and make an attack response;
Step 3.4: return to step 2.
8. The Web application layer DDoS attack detection method based on the generalized Jaccard similarity coefficient according to claim 2,
characterized in that the similarity threshold γ is set as follows:
Step 1: collect the HTTP requests to the target Web server in each time interval t over the preceding several hours as historical normal data; take the mean of each attribute feature over the different sets of historical normal data to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
Step 2: simulate a DDoS attack and capture the traffic data in several time intervals t as samples; compute the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and compute its Jaccard similarity coefficient Sim(x, x_i);
Step 3: take a value larger than the Jaccard similarity coefficients Sim(x, x_i) of all the sampled DDoS attack traffic data as the similarity threshold γ.
9. A Web application layer DDoS attack detection device based on the generalized Jaccard similarity coefficient, characterized in that it includes:
a time interval setting module, used to set the time interval t;
a similarity computation module, used to take the data volume within time interval t as the computation item and to compute, with the generalized Jaccard similarity coefficient formula, the similarity between the attribute set in the current time interval t and the historical normal attribute set;
an attack recognition module, used to compare the Jaccard similarity coefficient computed by the similarity computation module with a preset similarity threshold γ and to judge on this basis whether a DDoS attack has occurred.
10. A similarity threshold setting module, including:
a mean value computation module, used to collect the HTTP requests to the target Web server in each time interval t over the preceding several hours as historical normal data, and to take the mean of each attribute feature over the different sets of historical normal data to form an attribute vector, which serves as x in the Jaccard similarity coefficient formula;
an attack sample similarity coefficient computation module, used to simulate a DDoS attack, capture the traffic data in several time intervals t as samples, compute the attribute vector of the traffic data in each time interval t as x_i in the Jaccard similarity coefficient formula, and compute its Jaccard similarity coefficient Sim(x, x_i);
a similarity threshold computation module, used to take a value larger than the Jaccard similarity coefficients Sim(x, x_i) of all the sampled DDoS attack traffic data as the similarity threshold γ.
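Added example (written for this page, not the patent's own code): a runnable Python sketch of the pipeline in claims 2 through 8, covering the three attribute features (claims 4 to 6), the historical mean vector x, the similarity Sim(x, x_i), the threshold γ chosen above the simulated attack samples (claim 8), and the step 3 decision loop (claim 7). Because the patent's formula images did not survive extraction, the coefficient is implemented in the standard generalized Jaccard (Tanimoto) form x·x_i / (|x|² + |x_i|² − x·x_i), which is an assumption about the patent's formula; the traffic counts, the 0.05 threshold margin and the handling of an interval with zero HTTP requests are likewise constructed choices, not values from the patent.

```python
# Added illustration of the claimed pipeline; not code from the patent.
# ASSUMPTION: the generalized Jaccard coefficient is the Tanimoto form
#   Sim(x, y) = x.y / (|x|^2 + |y|^2 - x.y)
# because the patent's formula images are not on the page.
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IntervalStats:
    """Raw observations for one time interval t (all values constructed)."""
    src_ips: tuple             # source IP of every packet seen in the interval
    flow_packet_counts: tuple  # P(flow_i): packets on each flow to the target host
    tcp_connections: int       # tcp_num
    http_requests: int         # http_req_num


def entropy(counts):
    """Shannon entropy in bits of p_i = count_i / sum(counts)."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c > 0)


def source_ip_entropy(src_ips):
    """Claim 4: entropy of the source IP set, p_i = share of packets from IP_i."""
    return entropy(Counter(src_ips).values())


def flow_packet_entropy(flow_packet_counts):
    """Claim 5: entropy over flows with p_i = P(flow_i) / sum_j P(flow_j)."""
    return entropy(flow_packet_counts)


def connection_request_ratio(tcp_connections, http_requests):
    """Claim 6: tcp_num / http_req_num (the zero-request guard is our choice)."""
    return tcp_connections / http_requests if http_requests else 0.0


def attribute_vector(stats):
    """Claim 3: the three-feature attribute vector of one interval."""
    return (source_ip_entropy(stats.src_ips),
            flow_packet_entropy(stats.flow_packet_counts),
            connection_request_ratio(stats.tcp_connections, stats.http_requests))


def generalized_jaccard(x, y):
    """Tanimoto / generalized Jaccard similarity of two non-negative vectors."""
    dot = sum(a * b for a, b in zip(x, y))
    denom = sum(a * a for a in x) + sum(b * b for b in y) - dot
    return 1.0 if denom == 0 else dot / denom


def mean_vector(vectors):
    """Claim 2, step 2.1: x is the feature-wise mean of the historical vectors."""
    n = len(vectors)
    return tuple(sum(v[k] for v in vectors) / n for k in range(len(vectors[0])))


def choose_threshold(x, attack_vectors, margin=0.05):
    """Claim 8: gamma lies above Sim(x, x_i) of every simulated attack sample.
    The claim only says 'a value larger than'; the margin is our choice."""
    return max(generalized_jaccard(x, v) for v in attack_vectors) + margin


class Detector:
    """Claim 7: accept and learn intervals with Sim > gamma, alarm on the rest."""

    def __init__(self, history, gamma):
        self.history = list(history)
        self.gamma = gamma

    def check(self, x_i):
        """Return (alarm, similarity); accepted intervals extend the history."""
        sim = generalized_jaccard(mean_vector(self.history), x_i)
        if sim > self.gamma:
            self.history.append(x_i)   # step 3.2
            return False, sim
        return True, sim               # step 3.3: alarm, attack response


def uniform_ips(n, packets_each=1):
    """Constructed packet source list: n distinct addresses, equal share each."""
    return tuple(f"10.0.0.{i}" for i in range(n) for _ in range(packets_each))


def run_demo():
    """Constructed history, simulated attack samples, threshold, then two checks."""
    history = [attribute_vector(IntervalStats(uniform_ips(16), (10,) * 8, 40, 40)),
               attribute_vector(IntervalStats(uniform_ips(16), (10,) * 16, 50, 40)),
               attribute_vector(IntervalStats(uniform_ips(8), (10,) * 8, 40, 50))]
    x = mean_vector(history)
    # Simulated floods: few sources, few fat flows, many requests per connection.
    attacks = [attribute_vector(IntervalStats(uniform_ips(2, 500), (500, 500), 400, 4000)),
               attribute_vector(IntervalStats(uniform_ips(1, 1000), (1000,), 200, 4000))]
    gamma = choose_threshold(x, attacks)
    det = Detector(history, gamma)
    normal_now = attribute_vector(IntervalStats(uniform_ips(16), (10,) * 8, 40, 40))
    return gamma, det.check(normal_now), det.check(attacks[0])


if __name__ == "__main__":
    gamma, normal, attack = run_demo()
    print(f"gamma={gamma:.3f} normal={normal} attack={attack}")
```

Two properties of the claimed loop are visible in the demo: every interval that passes the threshold is appended to the history (step 3.2), so x drifts with accepted traffic and an attacker who ramps up slowly enough to stay above γ is gradually learned as normal; and γ is derived only from the attack samples used in claim 8, so it should be re-derived whenever the feature mix of normal traffic or the simulated attack profile changes.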
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610556957.3A (CN106209861B, en) | 2016-07-14 | 2016-07-14 | Web application layer DDoS attack detection method and device based on the generalized Jaccard similarity coefficient |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106209861A (en) | 2016-12-07 |
CN106209861B (en) | 2019-07-12 |
Family ID: 57475446
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610556957.3A (CN106209861B, en, active) | Web application layer DDoS attack detection method and device based on the generalized Jaccard similarity coefficient | 2016-07-14 | 2016-07-14 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106209861B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101267313A (en) * | 2008-04-23 | 2008-09-17 | 华为技术有限公司 | Flooding attack detection method and detection device |
CN102638474A (en) * | 2012-05-08 | 2012-08-15 | 山东大学 | Application layer DDOS (distributed denial of service) attack and defense method |
CN102821081A (en) * | 2011-06-10 | 2012-12-12 | 中国电信股份有限公司 | Method and system for monitoring DDOS (distributed denial of service) attacks in small flow |
CN103095711A (en) * | 2013-01-18 | 2013-05-08 | 重庆邮电大学 | Application layer distributed denial of service (DDoS) attack detection method and defensive system aimed at website |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107248996A (en) * | 2017-06-29 | 2017-10-13 | 南京邮电大学 | DNS amplification attack detection and filtering method |
CN108173884A (en) * | 2018-03-20 | 2018-06-15 | 国家计算机网络与信息安全管理中心 | DDoS attack group analysis method based on network attack behavior |
CN109002261A (en) * | 2018-07-11 | 2018-12-14 | 佛山市云端容灾信息技术有限公司 | Difference block big data analysis method, apparatus, storage medium and server |
CN110162969A (en) * | 2018-10-08 | 2019-08-23 | 腾讯科技(深圳)有限公司 | Traffic analysis method and device |
CN109784411B (en) * | 2019-01-23 | 2021-01-05 | 四川虹微技术有限公司 | Defense method, device and system for adversarial samples and storage medium |
CN109784411A (en) * | 2019-01-23 | 2019-05-21 | 四川虹微技术有限公司 | Defense method, device, system and storage medium against adversarial samples |
CN110265104A (en) * | 2019-05-08 | 2019-09-20 | 长沙市中心医院 | Diagnostic report conformity detection method, device, computer equipment and storage medium |
CN110265104B (en) * | 2019-05-08 | 2022-04-29 | 长沙市中心医院 | Diagnostic report conformity detection method, device, computer equipment and storage medium |
CN110602109A (en) * | 2019-09-17 | 2019-12-20 | 东南大学 | Application layer DDoS attack detection and defense method based on multi-feature entropy |
CN111478893A (en) * | 2020-04-02 | 2020-07-31 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN111478893B (en) * | 2020-04-02 | 2022-06-28 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN113259324A (en) * | 2021-04-21 | 2021-08-13 | 深圳供电局有限公司 | Data attack detection method and device, computer equipment and readable storage medium |
CN113259324B (en) * | 2021-04-21 | 2022-09-02 | 深圳供电局有限公司 | Data attack detection method and device, computer equipment and readable storage medium |
CN118018325A (en) * | 2024-04-08 | 2024-05-10 | 山东捷瑞信息技术产业研究院有限公司 | DDoS attack prevention method and system based on artificial intelligence |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |