CN107733886A - Application-layer DDoS attack detection method based on logistic regression - Google Patents
Application-layer DDoS attack detection method based on logistic regression
- Publication number: CN107733886A (application number CN201710939442.6A)
- Authority: CN (China)
- Prior art keywords: user, function, logic, regression models, access
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The invention relates to an application-layer DDoS attack detection method based on logistic regression, comprising: using the IP address of each accessing user as its identifier, extracting a feature set describing the user's access behaviour; computing the logistic regression function value of the user; deriving the maximum likelihood function from the logistic regression model, the loss function of the model being the negative of the maximum likelihood function; taking the loss function as the objective function and solving it with a quantum particle swarm optimization (QPSO) algorithm to obtain the parameters of the logistic regression model for which the objective value of the loss function is minimal; and predicting unlabelled user feature vectors with the solved logistic regression model to obtain the class of each user.
Description
Technical field
The invention relates to the field of computer network security, specifically to an application-layer DDoS attack detection method.
Background
Early DDoS attacks were based on the network layer: attackers mostly exploited weaknesses in network-layer protocols, for example SYN Flood and ICMP Flood, sending large numbers of packets to the target host in a flooding attack that brought the host down. Today, as network-layer protocols have matured and the detection techniques for such attacks have become mature, most target hosts can detect and filter these attack flows. To keep their attacks effective, attackers have turned to DDoS attacks aimed at the application layer, which are hard to distinguish from legitimate traffic and highly effective. The attacker uses the real IP addresses of zombie machines to establish TCP connections with the server and send legitimate-looking requests, evading detection by the server firewall while continuously consuming server resources, until the server cannot sustain the high load and crashes.
Detection techniques for application-layer DDoS attacks have received growing attention, but traditional detection methods suffer from high false-alarm rates, low detection rates and high computational complexity, which limit the effectiveness of application-layer DDoS attack detection. The invention therefore provides a detection method based on a lightweight two-class classification model that greatly improves detection accuracy while reducing the time spent on detection.
Summary of the invention
The object of the invention is to provide a lightweight, practical application-layer DDoS attack detection method based on logistic regression. The method solves for the parameters of the logistic regression model with a quantum particle swarm optimization (QPSO) algorithm, which improves the precision of the parameter solution and reduces the time needed to solve for the parameters. The established logistic regression model is used to predict the users accessing the server and obtain the class of each accessing user, thereby detecting application-layer DDoS attack users. To achieve this object, the invention adopts the following technical scheme:
An application-layer DDoS attack detection method based on logistic regression, comprising the following steps:
Step (1): using the IP address of each accessing user as its identifier, extract the feature set of the user's access behaviour, denoted (x^(i), y^(i)) for the i-th user, where x is the user's group of features and y is the user's class, taking the value 0 or 1;
Step (2): compute the logistic regression function value of the user, that is, the probability that y = 1 given the user's features x: p(y = 1 | x) = 1 / (1 + exp(-θ^T x)), where θ is the parameter vector of the logistic regression function; denote the logistic regression function by h(θ^T x). Let the probability of each user being labelled 0 or 1 be p(y | x, θ), and establish the logistic regression model;
Step (3): obtain the maximum likelihood function l(θ) from the logistic regression model; the loss function of the logistic regression model is the negative of the maximum likelihood function, denoted loss(θ), where θ is the only variable of the loss function and the parameter of the logistic regression model to be solved;
Step (4): taking the loss function as the objective function, solve it with the quantum particle swarm optimization algorithm to obtain the parameter θ* of the logistic regression model for which the objective value of the loss function is minimal;
Step (5): predict unlabelled user feature vectors with the solved logistic regression model to obtain the class of each user.
Preferably, in step (1), the user access features are an eight-tuple extracted for each user from the set of user accesses within one time window, namely: the number of accesses by the user, the number of distinct pages accessed by the user, the mean request interval of the user, the total bytes of the pages requested by the user, the duration of the user's access, the mean bytes per request of the user, the degree of variation in the number of URL levels requested by the user, and the entropy of the user's request intervals; eight features in all.
In step (5), unknown accessing users are predicted with the logistic regression model as follows: for the eight-tuple features of an unlabelled accessing user, compute the logistic regression function value h(θ^T x); when the value obtained is greater than 0.5, mark the accessing user as an attack user, otherwise mark it as a normal user.
Because the invention adopts the above technical scheme, it has the following advantages:
The invention uses the logistic regression model from machine learning to detect accessing users. Compared with conventional models such as Markov models, large-deviation statistical models and random-walk models, the logistic regression model is simple and generalizes well. This greatly reduces system overhead when building the model and allows the class of an accessing user to be obtained in a shorter time during detection. In addition, the invention replaces the traditional Newton method with the quantum particle swarm optimization method for solving the parameters of the logistic regression model; because the QPSO method converges quickly and searches globally, the time needed to establish the logistic regression model is reduced while the model parameters are solved more accurately, improving the precision of attack detection.
To verify the effectiveness of the method, it was compared with logistic regression models solved by the traditional Newton method. Under identical simulation conditions, the method achieves a higher detection rate and a lower false-positive rate, and the time taken to build the model is linear in the number of training samples. This demonstrates that the invention has better detection performance.
Brief description of the drawings
Fig. 1 is the detection flow chart for application-layer DDoS attacks.
Fig. 2 is a bar chart of the detection rate achieved by different model-solving methods for application-layer DDoS attacks: logistic regression models were obtained with different parameter-solving methods, the test samples were detected with each, and the resulting detection rates are shown in the bar chart. QPSO-Logistic solves the logistic regression model with quantum particle swarm optimization; Newton-Logistic solves it with the Newton method.
Fig. 3 is a bar chart of the false-positive rate of the different model-solving methods for application-layer DDoS attacks.
Fig. 4 plots the training time of the different solving methods for the logistic regression model.
Embodiment
The invention is further illustrated below by a specific embodiment and the drawings. This example only illustrates one implementation of the invention and does not limit its scope.
The concrete implementation of the application-layer DDoS attack detection method based on logistic regression is as follows:
First step: obtain the access log of the application-layer server and clean the obtained log.
A sliding time window of 1 hour is set, the user access log within that hour is obtained, and the resulting log set is cleaned. The purpose of cleaning is to remove redundant access records: when a user clicks on a page, the browser also requests the static resources embedded in that page, such as text, images and style sheets. Only the user's requests for dynamic pages are retained. The cleaned log set is then passed to the second step.
Second step: using the IP address of each accessing user as identifier, extract the eight-tuple features of each user from the cleaned log set.
Each access record in the cleaned log set contains the following information: the accessing user's IP, the timestamp, the URI of the accessed page, the HTTP protocol version, the request status code and the number of bytes accessed. Feature extraction is programmed in Java: eight methods are written to process the data set, computing respectively, for each accessing IP, the number of accesses, the number of kinds of pages accessed, the mean request interval, the total request bytes, the session time, the mean request bytes, the URL level degree and the dispersion of request intervals. The main function collects the accesses of the same IP, calls the eight methods in turn, and stores the results in a text file.
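The first and second steps above describe log cleaning and per-IP feature extraction only in prose (and the patent's own implementation is in Java, not shown). The following Python is an added example, not the patent's code: it parses a constructed combined-format access log, drops embedded static resources, keeps the requests inside a one-hour window, and computes the eight features per client IP. The log lines, the static-extension list and the choices of z "variation" (standard deviation of URL depth) and "dispersion" (Shannon entropy of intervals, in bits) are all assumptions made for this example; the patent does not specify them.

```python
"""Eight-tuple access-behaviour features per client IP (added example, not the patent's code)."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample in combined-log style; not captured from any real server.
# 10.0.0.5 browses three pages (plus embedded static files); 10.0.0.9 hammers one page once a second.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2017:10:00:00 +0800] "GET /index.php HTTP/1.1" 200 5120
10.0.0.5 - - [30/Sep/2017:10:00:00 +0800] "GET /static/site.css HTTP/1.1" 200 800
10.0.0.5 - - [30/Sep/2017:10:00:01 +0800] "GET /img/logo.png HTTP/1.1" 200 2048
10.0.0.5 - - [30/Sep/2017:10:02:30 +0800] "GET /news/list.php?page=2 HTTP/1.1" 200 7300
10.0.0.5 - - [30/Sep/2017:10:05:10 +0800] "GET /news/detail.php?id=17 HTTP/1.1" 200 9100
10.0.0.9 - - [30/Sep/2017:10:00:00 +0800] "GET /search.php?q=a HTTP/1.1" 200 15000
10.0.0.9 - - [30/Sep/2017:10:00:01 +0800] "GET /search.php?q=a HTTP/1.1" 200 15000
10.0.0.9 - - [30/Sep/2017:10:00:02 +0800] "GET /search.php?q=a HTTP/1.1" 200 15000
10.0.0.9 - - [30/Sep/2017:10:00:03 +0800] "GET /search.php?q=a HTTP/1.1" 200 15000
10.0.0.9 - - [30/Sep/2017:10:00:04 +0800] "GET /search.php?q=a HTTP/1.1" 200 15000
"""
# Start of the one-hour sliding window for the constructed sample (UTC+8, matching the log).
WINDOW_START = datetime(2017, 9, 30, 10, 0, tzinfo=timezone(timedelta(hours=8)))

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')
# Assumed list of embedded-resource extensions removed by the cleaning step.
STATIC_EXT = {".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff", ".woff2", ".txt"}

def parse_line(line):
    """Parse one access record into ip / timestamp / uri / status / bytes; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "ts": ts, "uri": m.group("uri"),
            "status": int(m.group("status")), "bytes": size}

def is_dynamic_page(uri):
    """Cleaning rule of the first step: keep page requests, drop embedded static resources."""
    path = urlsplit(uri).path
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot >= 0 else ""
    return ext not in STATIC_EXT

def clean(records, window_start, window=timedelta(hours=1)):
    """Keep dynamic-page requests whose timestamp falls inside the sliding window."""
    end = window_start + window
    return [r for r in records if window_start <= r["ts"] < end and is_dynamic_page(r["uri"])]

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of the (rounded) values."""
    if not values:
        return 0.0
    counts = defaultdict(int)
    for v in values:
        counts[round(v, 3)] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def url_depth(uri):
    """Number of path levels in the requested URL (the 'URL level' of the patent)."""
    return len([seg for seg in urlsplit(uri).path.split("/") if seg])

def eight_features(reqs):
    """The patent's eight features for one IP, from that IP's cleaned records."""
    reqs = sorted(reqs, key=lambda r: r["ts"])
    n = len(reqs)
    intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
    depths = [url_depth(r["uri"]) for r in reqs]
    total_bytes = sum(r["bytes"] for r in reqs)
    mean_depth = sum(depths) / n
    return {
        "request_count": n,
        "distinct_pages": len({urlsplit(r["uri"]).path for r in reqs}),  # page = path without query
        "mean_interval": sum(intervals) / len(intervals) if intervals else 0.0,
        "total_bytes": total_bytes,
        "duration": (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds(),
        "mean_bytes": total_bytes / n,
        "depth_variation": math.sqrt(sum((d - mean_depth) ** 2 for d in depths) / n),
        "interval_entropy": entropy(intervals),
    }

def features_by_ip(log_text, window_start):
    """Group cleaned records by client IP (the patent's user identifier) and featurize each group."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_ip = defaultdict(list)
    for r in clean(records, window_start):
        by_ip[r["ip"]].append(r)
    return {ip: eight_features(rs) for ip, rs in by_ip.items()}

if __name__ == "__main__":
    for ip, feats in features_by_ip(SAMPLE_LOG, WINDOW_START).items():
        print(ip, feats)
```

On the constructed sample the two clients separate cleanly on exactly the dimensions the patent names: the bursting client has a high request count, a single distinct page, a one-second mean interval and zero interval entropy, whereas the browsing client has few requests spread over minutes with higher entropy. Distinct pages are counted by path only, so `/search.php?q=a` repeated with different query strings still counts as one page; whether that matches the patent's "kinds of pages" is an assumption.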
Third step: simulate the access set of application-layer DDoS attack users. The simulated attack users take three factors into account: the number of attack users, the range of pages requested by the attack users, and the request time interval of the attack users.
Fourth step: train the logistic regression model to obtain the logistic regression parameter θ.
In this step the loss function of logistic regression is solved with the quantum particle swarm optimization algorithm to obtain the logistic regression parameter θ. The objective function to be optimized, that is, the loss function, is as follows:
Because logistic regression is supervised learning, the classes of the training samples are known, and θ is the only unknown quantity in the objective function above.
The logistic regression model is sensitive to scale: the parameter values obtained before and after scaling each dimension are not equal. Therefore the features of each dimension should be standardized, using the following formula:
Under the above standardization formula, the search space of the particles is set to (-100, 100); extensive simulation experiments have shown this search space to be effective. The number of particle iterations is set to 50, after which the search of the objective function stops. The specific execution flow of the quantum particle swarm optimization algorithm, combined with the logistic regression model, is as follows:
1) Initialize 20 particles in the search space to search the loss function, set the iteration count t = 0, and record the individual best positions and the mean best position of the population.
2) Perform steps 3) to 5) for each particle in the population.
3) Compute the fitness value of the current position of the i-th particle and compare it with the fitness value of the particle's individual best position. If the current position is better, update the individual best position.
4) Compare the fitness value of the current position of the i-th particle with that of the global best position. If the current position is better, update the global best position.
5) Compute the new position of the particle from the particle evolution equation.
6) If the termination condition of the algorithm is not met, set t = t + 1 and return to step 2); otherwise terminate the algorithm.
When the algorithm terminates, the global best position obtained is the parameter θ of the logistic regression model.
Fifth step: predict with the logistic regression model. For the eight-tuple features of an unlabelled accessing user, compute the logistic regression function value h(θ^T x) for that feature group. When the value obtained is greater than 0.5, mark the accessing user as an attack user; otherwise mark it as a normal user.
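The fourth and fifth steps (and steps (2) to (5) of the summary) describe the training and prediction procedure, but the loss function, the standardization formula and the particle evolution equation are not reproduced in this text. The Python below is an added example, not the patent's code, that implements the procedure end to end under the following assumptions: the loss is the standard negative log-likelihood of logistic regression, standardization is a per-dimension z-score, and the particle evolution equation is the quantum-behaved PSO of Sun et al. (each particle resampled around an attractor between its own best and the global best, scaled by the distance to the mean best position, with a contraction-expansion coefficient decreasing from 1.0 to 0.5). The population size (20), iteration count (50), search space (-100, 100) and 0.5 decision threshold are the patent's. The training set is constructed for the example and uses only three of the eight features (request count, distinct pages, mean interval), with label 1 for an attack user.

```python
"""QPSO-trained logistic regression for access-user classification (added example, not the patent's code)."""
import math
import random

# Constructed training set: (request count, distinct pages, mean request interval in seconds).
# Rows 0-4 are normal browsing users, rows 5-9 are attack users (label 1).
TRAIN_X = [
    [12, 10, 300.0], [20, 15, 180.0], [8, 7, 420.0], [30, 22, 120.0], [15, 12, 240.0],
    [900, 3, 4.0], [1500, 2, 2.4], [1200, 4, 3.0], [700, 3, 5.1], [2000, 1, 1.8],
]
TRAIN_Y = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]

def fit_standardizer(rows):
    """Per-dimension mean and standard deviation (assumed z-score standardization)."""
    dims = len(rows[0])
    means = [sum(r[j] for r in rows) / len(rows) for j in range(dims)]
    stds = []
    for j in range(dims):
        var = sum((r[j] - means[j]) ** 2 for r in rows) / len(rows)
        stds.append(math.sqrt(var) or 1.0)  # constant feature: leave it unscaled
    return means, stds

def standardize(rows, means, stds):
    return [[(r[j] - means[j]) / stds[j] for j in range(len(r))] for r in rows]

def h(theta, x):
    """Logistic regression function value p(y=1|x) = 1/(1+exp(-theta^T x)); theta[0] is the bias."""
    z = theta[0] + sum(t * xi for t, xi in zip(theta[1:], x))
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)

def loss(theta, rows, labels):
    """Negative log-likelihood of the labels under theta: the objective the particles minimize."""
    total = 0.0
    for x, y in zip(rows, labels):
        z = theta[0] + sum(t * xi for t, xi in zip(theta[1:], x))
        # log(1 + exp(z)) - y*z, written so it cannot overflow for |z| in the search space
        total += max(z, 0.0) + math.log1p(math.exp(-abs(z))) - y * z
    return total

def qpso_minimize(objective, dims, n_particles=20, iterations=50, bounds=(-100.0, 100.0), seed=0):
    """Quantum-behaved PSO (Sun et al.); returns the global best position and its objective value."""
    rng = random.Random(seed)
    lo, hi = bounds
    positions = [[rng.uniform(lo, hi) for _ in range(dims)] for _ in range(n_particles)]
    pbest = [p[:] for p in positions]                       # individual best positions
    pbest_val = [objective(p) for p in positions]
    g = min(range(n_particles), key=lambda i: pbest_val[i])
    gbest, gbest_val = pbest[g][:], pbest_val[g]            # global best position
    for t in range(iterations):
        beta = 1.0 - 0.5 * t / iterations                   # contraction-expansion coefficient
        mbest = [sum(p[j] for p in pbest) / n_particles for j in range(dims)]  # mean best position
        for i in range(n_particles):
            new = []
            for j in range(dims):
                phi = rng.random()
                attractor = phi * pbest[i][j] + (1 - phi) * gbest[j]
                u = rng.random() or 1e-12
                step = beta * abs(mbest[j] - positions[i][j]) * math.log(1.0 / u)
                value = attractor + step if rng.random() < 0.5 else attractor - step
                new.append(min(hi, max(lo, value)))         # keep the particle inside the search space
            positions[i] = new
            val = objective(new)
            if val < pbest_val[i]:                          # steps 3) and 4) of the patent's flow
                pbest[i], pbest_val[i] = new[:], val
                if val < gbest_val:
                    gbest, gbest_val = new[:], val
    return gbest, gbest_val

def train(rows, labels, seed=0):
    """Fourth step: standardize, then solve the loss for theta with QPSO."""
    means, stds = fit_standardizer(rows)
    z = standardize(rows, means, stds)
    theta, best = qpso_minimize(lambda th: loss(th, z, labels), dims=len(rows[0]) + 1, seed=seed)
    return {"theta": theta, "loss": best, "means": means, "stds": stds}

def classify(model, x):
    """Fifth step: h(theta^T x) > 0.5 -> attack user (1), otherwise normal user (0)."""
    zx = standardize([x], model["means"], model["stds"])[0]
    return 1 if h(model["theta"], zx) > 0.5 else 0

def training_accuracy(model, rows, labels):
    hits = sum(classify(model, x) == y for x, y in zip(rows, labels))
    return hits / len(rows)

def run_demo(seed=0):
    """Train on the constructed set and score two constructed unlabelled users."""
    model = train(TRAIN_X, TRAIN_Y, seed=seed)
    z = standardize(TRAIN_X, model["means"], model["stds"])
    return {
        "loss": model["loss"],
        "baseline_loss": loss([0.0] * (len(TRAIN_X[0]) + 1), z, TRAIN_Y),  # theta = 0 scores everyone 0.5
        "accuracy": training_accuracy(model, TRAIN_X, TRAIN_Y),
        "burst_client": classify(model, [1800, 2, 2.0]),    # constructed: many requests, one page, tiny interval
        "browsing_client": classify(model, [10, 9, 350.0]),  # constructed: few requests, several pages
    }

if __name__ == "__main__":
    print(run_demo())
```

Standardizing before the search matters for the reason the text gives: with raw request counts in the thousands and intervals in seconds, a (-100, 100) search space would scale the dimensions very unevenly. With the constructed data linearly separable, the loss has no finite minimum, so the best particle drifts toward the search-space bounds; clipping keeps the solution finite and the 0.5 threshold still separates the two groups.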
Claims (3)
1. An application-layer DDoS attack detection method based on logistic regression, comprising the following steps:
Step (1): using the IP address of each accessing user as its identifier, extract the feature set of the user's access behaviour, denoted (x^(i), y^(i)) for the i-th user, where x is the user's group of features and y is the user's class, taking the value 0 or 1;
Step (2): compute the logistic regression function value of the user, that is, the probability that y = 1 given the user's features x: p(y = 1 | x) = 1 / (1 + exp(-θ^T x)), where θ is the parameter vector of the logistic regression function; denote the logistic regression function by h(θ^T x). Let the probability of each user being labelled 0 or 1 be p(y | x, θ), and establish the logistic regression model;
Step (3): obtain the maximum likelihood function l(θ) from the logistic regression model; the loss function of the logistic regression model is the negative of the maximum likelihood function, denoted loss(θ), where θ is the only variable of the loss function and the parameter of the logistic regression model to be solved;
Step (4): taking the loss function as the objective function, solve it with the quantum particle swarm optimization algorithm to obtain the parameter θ* of the logistic regression model for which the objective value of the loss function is minimal;
Step (5): predict unlabelled user feature vectors with the solved logistic regression model to obtain the class of each user.
2. The method according to claim 1, characterised in that in step (1) the user access features are an eight-tuple extracted for each user from the set of user accesses within one time window, namely: the number of accesses by the user, the number of distinct pages accessed by the user, the mean request interval of the user, the total bytes of the pages requested by the user, the duration of the user's access, the mean bytes per request of the user, the degree of variation in the number of URL levels requested by the user, and the entropy of the user's request intervals; eight features in all.
3. The method according to claim 1, characterised in that in step (5) unknown accessing users are predicted with the logistic regression model as follows: for the eight-tuple features of an unlabelled accessing user, compute the logistic regression function value h(θ^T x); when the value obtained is greater than 0.5, mark the accessing user as an attack user, otherwise mark it as a normal user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710939442.6A CN107733886A (en) | 2017-09-30 | 2017-09-30 | The application layer ddos attack detection method that a kind of logic-based returns |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107733886A true CN107733886A (en) | 2018-02-23 |
Family
ID=61208742
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710939442.6A Pending CN107733886A (en) | 2017-09-30 | 2017-09-30 | The application layer ddos attack detection method that a kind of logic-based returns |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107733886A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108566392A (en) * | 2018-04-11 | 2018-09-21 | 四川长虹电器股份有限公司 | Defence CC attacking systems based on machine learning and method |
CN109767071A (en) * | 2018-12-14 | 2019-05-17 | 深圳壹账通智能科技有限公司 | User credit ranking method, device, computer equipment and storage medium |
CN110119837A (en) * | 2019-04-15 | 2019-08-13 | 天津大学 | A kind of Spatial Load Forecasting method based on urban land property and development time |
CN110119837B (en) * | 2019-04-15 | 2023-01-03 | 天津大学 | Space load prediction method based on urban land property and development time |
CN110719272A (en) * | 2019-09-27 | 2020-01-21 | 湖南大学 | LR algorithm-based slow denial of service attack detection method |
CN111212067A (en) * | 2019-12-31 | 2020-05-29 | 南京联成科技发展股份有限公司 | Industrial network security risk assessment system based on threat prediction |
CN111583024A (en) * | 2020-05-08 | 2020-08-25 | 南京甄视智能科技有限公司 | Credit evaluation method, device, storage medium and server |
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656981A (en) * | 2016-10-21 | 2017-05-10 | 东软集团股份有限公司 | Network intrusion detection method and device |
Non-Patent Citations (1)
Title |
---|
Zhang Xuebo et al.: "Design and implementation of an anti-Web-DDoS-attack model based on an improved Logistic regression algorithm", Netinfo Security (信息网络安全) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107733886A (en) | | The application layer ddos attack detection method that a kind of logic-based returns |
Zhu et al. | | A deep learning approach for network anomaly detection based on AMF-LSTM |
CN102035698B (en) | | HTTP tunnel detection method based on decision tree classification algorithm |
CN108737439B (en) | | Large-scale malicious domain name detection system and method based on self-feedback learning |
CN109391602A (en) | | A kind of zombie host detection method |
CN107483488A (en) | | A kind of malice Http detection methods and system |
CN111131260B (en) | | Mass network malicious domain name identification and classification method and system |
Krishnan et al. | | Crossing the threshold: Detecting network malfeasance via sequential hypothesis testing |
CN109873810B (en) | | Network fishing detection method based on goblet sea squirt group algorithm support vector machine |
CN107046586B (en) | | A kind of algorithm generation domain name detection method based on natural language feature |
CN109117634A (en) | | Malware detection method and system based on network flow multi-view integration |
CN108491714A (en) | | The man-machine recognition methods of identifying code |
CN102571487A (en) | | Distributed bot network scale measuring and tracking method based on multiple data sources |
CN111245784A (en) | | Method for multi-dimensional detection of malicious domain name |
CN107818132A (en) | | A kind of webpage agent discovery method based on machine learning |
CN106169050B (en) | | A kind of PoC Program extraction method based on webpage Knowledge Discovery |
CN107766234A (en) | | A kind of assessment method, the apparatus and system of the webpage health degree based on mobile device |
CN110995652B (en) | | Big data platform unknown threat detection method based on deep migration learning |
Li et al. | | Street-Level Landmarks Acquisition Based on SVM Classifiers. |
Yang et al. | | A novel detection method for word-based DGA |
Li et al. | | Understanding the usage of industrial control system devices on the internet |
CN106850658B (en) | | The network malicious act detection method of real-time online study |
CN102984242B (en) | | A kind of automatic identifying method of application protocol and device |
CN112882899B (en) | | Log abnormality detection method and device |
CN109450876A (en) | | A kind of DDos recognition methods and system based on various dimensions state-transition matrix feature |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2018-02-23 | PB01 | Publication | Application publication date: 20180223 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |