CN107733886A - Application-layer DDoS attack detection method based on logistic regression - Google Patents


Info

Publication number
CN107733886A
Authority
CN
China
Prior art keywords
user
function
logic
regression models
access
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710939442.6A
Other languages
Chinese (zh)
Inventor
张雪博
刘敬浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-09-30
Filing date
2017-09-30
Publication date
2018-02-23
Application filed by Tianjin University
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to an application-layer DDoS attack detection method based on logistic regression, comprising: using the IP address of each accessing user as its identifier, extracting a feature set describing the user's access behaviour; computing the user's logistic regression function value; deriving the maximum likelihood function from the logistic regression model, the loss function of the model being the negative of the maximum likelihood function; taking the loss function as the objective function and solving it with a quantum particle swarm optimization (QPSO) algorithm to obtain the parameters of the logistic regression model that minimize the loss function; and using the solved logistic regression model to predict unlabelled user features, thereby obtaining the class of each user.

Description

Application-layer DDoS attack detection method based on logistic regression
Technical field
The present invention relates to the field of computer network security, and specifically to an application-layer DDoS attack detection method.
Technical background
Early DDoS attacks worked at the network layer: attackers mostly exploited weaknesses in network-layer protocols, for example SYN Flood and ICMP Flood, sending large numbers of packets to the target host in a flood-style attack that paralyses the host. Today, because network-layer protocols have been continually improved and detection techniques for such attacks have matured, most target hosts can detect and filter such attack streams. To keep their attacks effective, attackers have turned to application-layer DDoS attacks, which are highly disguised and notably effective. The attacker uses the real IP addresses of zombie machines to establish TCP connections with the server and send legitimate-looking requests, which evade the server firewall while continuously consuming server resources; finally the server cannot sustain the high-load requests and goes down.
Detection techniques for application-layer DDoS attacks are receiving increasing attention, but traditional detection methods suffer from high false-alarm rates, low detection rates and high computational complexity, which limits the effectiveness of application-layer DDoS detection. The present invention therefore provides a detection method based on a lightweight binary classification model that greatly improves detection accuracy while reducing the time spent on detection.
The content of the invention
The object of the present invention is to provide a lightweight, practical application-layer DDoS attack detection method based on logistic regression. The method solves the parameters of the logistic regression model with a quantum particle swarm optimization algorithm, which improves the precision of the solved parameters while reducing the time needed to solve them. The established logistic regression model is then used to predict the users accessing the server and obtain each user's class, thereby detecting application-layer DDoS attack users. To achieve the above object, the present invention adopts the following technical scheme:
An application-layer DDoS attack detection method based on logistic regression comprises the following steps:
Step (1): Using the IP address of each accessing user as its identifier, extract the feature set of the user's access behaviour. The accessing user's feature set is denoted (x^(i), y^(i)), where i indexes the i-th user, x is the group of features of the user, and y is the class of the user, taking the values 0 and 1.
Step (2): Compute the logistic regression function value of the user, i.e. the probability that y = 1 given the user's features x. The user's logistic regression function value is p(y = 1 | x) = 1/(1 + exp(-θ^T x)), where θ is the parameter vector of the logistic regression function; the logistic regression function is denoted h(θ^T x). Let the probability of each user being labelled 0 or 1 be p(y | x, θ); the logistic regression model is established on this basis.
Step (3): Derive the maximum likelihood function l(θ) from the logistic regression model. The loss function of the logistic regression model is the negative of the maximum likelihood function and is denoted loss(θ), where θ is the only variable of the loss function and is the parameter of the logistic regression model to be solved.
Step (4): Take the loss function as the objective function and solve it with the quantum particle swarm optimization algorithm to obtain the parameter θ* of the logistic regression model that makes the value of the loss function minimal.
Step (5): Use the solved logistic regression model to predict the unlabelled user features and obtain the class of the user.
Preferably, in step (1), the user access features are the eight features of each user extracted from the set of user accesses within one time window, namely: the number of user accesses; the number of distinct pages accessed by the user; the mean user request interval; the total number of bytes of the web pages requested by the user; the duration of the user's access; the mean number of bytes per user request; the degree of variation of the number of levels of the URLs requested by the user; and the entropy of the user's request intervals, eight features in total.
In step (5), the method for predicting an unknown accessing user with the logistic regression model is: for the eight-tuple feature of an unlabelled accessing user, compute the logistic regression function value h(θ^T x); when the computed value is greater than 0.5, mark the accessing user as an attack user, otherwise mark the user as a normal user.
By adopting the above technical scheme, the present invention has the following advantages:
The present invention uses the logistic regression model from machine learning to detect accessing users. Compared with conventional models such as the Markov model, the large-deviation statistical model and the random-walk model, the logistic regression model is simple and generalizes well. It greatly reduces the system overhead of building the model and can obtain the class of an accessing user in a shorter time during detection. At the same time, the present invention replaces the traditional Newton method with the quantum particle swarm algorithm for solving the parameters of the logistic regression model; because the quantum particle swarm algorithm converges quickly and searches globally, it reduces the time to build the logistic regression model while solving the model parameters more accurately, improving the precision of attack detection.
To better verify the validity of this method, we compared it with the traditional Newton-method solution of the logistic regression model. Under identical simulation conditions, this method achieved a higher detection rate and a lower false detection rate, and the time taken to build the model is linear in the number of training samples. This demonstrates that the present invention has better detection performance.
Brief description of the drawings
Fig. 1 is the flow chart of application-layer DDoS attack detection.
Fig. 2 is a bar chart of the detection rate of different model-solving methods against application-layer DDoS attacks. Logistic regression models were obtained with different parameter-solving methods and each was used to detect the test samples; the resulting detection rates are plotted in the bar chart. QPSO-Logistic solves the logistic regression model with the quantum particle swarm optimization algorithm, and Newton-Logistic solves it with the Newton method.
Fig. 3 is a bar chart of the false detection rate of different model-solving methods against application-layer DDoS attacks.
Fig. 4 is a graph of the relation between training time and the solving method used for the logistic regression model.
Embodiment
The present invention is further illustrated below with a specific embodiment and the drawings. This example is merely one implementation illustrating the present invention and does not limit its scope of protection.
The concrete implementation process of the application-layer DDoS attack detection method based on logistic regression of the present invention is described as follows:
First step: obtain the access log of the application-layer server and clean the obtained log.
The sliding time window is set to 1 hour; the user access logs within the hour are obtained, and the obtained log set is cleaned. The purpose of this is to remove redundant access records: when a user clicks on a page, the static resources embedded in the page (text, pictures, style sheets and so on) are requested at the same time. Only the user's requests for the dynamic main pages are retained. The cleaned log set is obtained and the second step is entered.
Second step: using the IP address of each accessing user as its identifier, extract the eight-tuple feature of each user from the cleaned log set.
Each access record in the cleaned log set contains the following information: the accessing user's IP, the timestamp, the URI of the accessed page, the HTTP protocol version, the request status code and the number of bytes accessed. Feature extraction is implemented in Java. Eight methods are written to process the data set, computing respectively, for each accessing IP: the number of accesses, the number of kinds of pages accessed, the mean request interval, the total request bytes, the session time, the mean bytes per request, the degree of variation of URL levels and the dispersion of request intervals. The main function collects the accesses of the same IP, calls the eight methods in turn and stores the results in a text file.
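As an added illustration (not the patent's Java implementation), the following Python computes the eight per-IP features described in the preferred embodiment above from a constructed Common Log Format sample, including the static-resource cleansing of the first step; the static extension list, the 1 s binning used for the interval entropy and standard deviation as the measure of URL-level variation are assumptions, since the patent does not define them.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample access log in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2017:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [30/Sep/2017:10:00:00 +0000] "GET /static/app.css HTTP/1.1" 200 800
203.0.113.5 - - [30/Sep/2017:10:02:30 +0000] "GET /news/2017/09/item.php HTTP/1.1" 200 7300
203.0.113.5 - - [30/Sep/2017:10:07:10 +0000] "GET /about.php HTTP/1.1" 200 2100
198.51.100.9 - - [30/Sep/2017:10:00:00 +0000] "GET /search.php?q=a HTTP/1.1" 200 4000
198.51.100.9 - - [30/Sep/2017:10:00:01 +0000] "GET /search.php?q=a HTTP/1.1" 200 4000
198.51.100.9 - - [30/Sep/2017:10:00:02 +0000] "GET /search.php?q=a HTTP/1.1" 200 4000
198.51.100.9 - - [30/Sep/2017:10:00:03 +0000] "GET /search.php?q=a HTTP/1.1" 200 4000
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")  # assumed static resource types


def parse_line(line):
    """One CLF line -> (ip, timestamp, request path, response bytes)."""
    ip, ts, _method, path, _status, size = LOG_RE.match(line).groups()
    ts = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, path, (0 if size == "-" else int(size))


def clean(records):
    """Data cleansing step: drop embedded static resources, keep dynamic page requests."""
    return [r for r in records if not urlparse(r[2]).path.lower().endswith(STATIC_EXT)]


def entropy(values, bin_seconds=1.0):
    """Shannon entropy (bits) of request intervals bucketed into 1 s bins (assumed binning)."""
    counts = defaultdict(int)
    for v in values:
        counts[int(v // bin_seconds)] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def url_depth(path):
    """Number of levels in the URL path, e.g. /news/2017/09/item.php -> 4."""
    return len([p for p in urlparse(path).path.split("/") if p])


def extract_features(log_text, window=timedelta(hours=1)):
    """Return {ip: [eight features]} over the window that starts at the earliest record."""
    records = clean([parse_line(l) for l in log_text.splitlines() if l.strip()])
    start = min(r[1] for r in records)
    per_ip = defaultdict(list)
    for ip, ts, path, size in records:
        if ts - start < window:
            per_ip[ip].append((ts, path, size))
    feats = {}
    for ip, recs in per_ip.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        sizes = [r[2] for r in recs]
        feats[ip] = [
            len(recs),                                   # number of accesses
            len({urlparse(r[1]).path for r in recs}),    # distinct pages accessed
            mean(gaps) if gaps else 0.0,                 # mean request interval (s)
            sum(sizes),                                  # total bytes requested
            (times[-1] - times[0]).total_seconds(),      # access duration (s)
            mean(sizes),                                 # mean bytes per request
            pstdev([url_depth(r[1]) for r in recs]),     # variation of URL levels (assumed: std dev)
            entropy(gaps),                               # entropy of request intervals
        ]
    return feats
```

The second IP in the sample shows the pattern the features are meant to expose: many requests for one page at a fixed one-second interval give a high access count, a single distinct page and zero interval entropy.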
Third step: simulate the access set of application-layer DDoS attack users. The simulated attack users take three factors into account: the number of attack users, the range of web pages requested by attack users and the request interval of attack users.
Fourth step: train the logistic regression model to obtain the logistic regression parameter θ.
In this step the loss function of the logistic regression is solved by the quantum particle swarm optimization algorithm to obtain the logistic regression parameter θ. The objective function to be optimized, i.e. the loss function, is as follows:
Because logistic regression is supervised learning, the classes of the training samples are known; θ is the only unknown quantity in the above objective function.
The logistic regression model is scale-dependent: the parameter values obtained for each dimension before and after scaling are not equal. Therefore, the features of each dimension should be standardized; the formula used is as follows:
On the premise of using the above standardization formula, the particle search space is set to (-100, 100), and extensive simulation experiments show that this search space is effective. Meanwhile, the number of particle iterations is set to 50; after 50 iterations the optimizing search of the objective function stops. The specific execution flow of the quantum particle swarm optimization algorithm, in combination with the logistic regression model, is given below:
1) Initialize 20 particles in the search space to search for the optimum of the loss function, set the iteration count t = 0, and record the individual best position of each particle and the mean best position of the swarm.
2) Perform steps 3) to 5) for each particle in the swarm.
3) Compute the fitness of the current position of the i-th particle and compare it with the fitness of the particle's individual best position. If the current position's fitness is better, update the individual best position.
4) Compare the fitness of the current position of the i-th particle with the global best position. If the current position's fitness is better, update the global best position.
5) Compute the new position of the particle by the particle evolution equation.
6) If the termination condition of the algorithm is not satisfied, set t = t + 1 and return to step 2); otherwise terminate the algorithm.
When the algorithm terminates, the global best position obtained is the parameter θ of the logistic regression model.
Fifth step: predict with the logistic regression model. For the eight-tuple feature of an unlabelled accessing user, compute the logistic regression function value h(θ^T x) of the feature group. When the computed logistic regression function value is greater than 0.5, mark the accessing user as an attack user; otherwise mark the user as a normal user.
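The following Python is an added example, not the patent's code, that carries steps (1) to (5) and the fourth and fifth steps above through on a constructed two-feature training set: z-score standardization (assumed, since the standardization formula is not reproduced here), the negative log-likelihood loss, QPSO with the stated 20 particles, 50 iterations and (-100, 100) search space, and the 0.5 decision threshold; the linearly shrinking contraction-expansion coefficient and the form of the evolution equation are assumptions.

```python
import math
import random

# Constructed labelled training set (not the patent's data): raw features are
# (number of requests in the window, mean request interval in seconds); y = 1 means attack user.
RAW = [([200, 0.5], 1), ([180, 0.8], 1), ([240, 0.4], 1), ([170, 0.7], 1), ([210, 0.6], 1), ([190, 0.3], 1),
       ([12, 40.0], 0), ([8, 55.0], 0), ([15, 35.0], 0), ([6, 60.0], 0), ([10, 45.0], 0), ([14, 50.0], 0)]


def standardize(rows):
    """z-score every feature column; returns (scaled rows, means, std devs). The patent
    standardizes each dimension but its formula is not shown here, so z-scoring is assumed."""
    cols = list(zip(*rows))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, mu)]
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows], mu, sd


def dot(theta, x):
    """theta^T x, with theta[-1] acting as the bias term."""
    return sum(t * v for t, v in zip(theta, x)) + theta[-1]


def softplus(z):
    """log(1 + exp(z)) computed without overflow for large |z|."""
    return max(z, 0.0) + math.log1p(math.exp(-abs(z)))


def h(theta, x):
    """Logistic regression function h(theta^T x) = 1 / (1 + exp(-theta^T x))."""
    return math.exp(-softplus(-dot(theta, x)))


def loss(theta, data):
    """loss(theta) = -l(theta): -log h(z) = softplus(-z) for y = 1, -log(1 - h(z)) = softplus(z) for y = 0."""
    return sum(softplus(-dot(theta, x)) if y == 1 else softplus(dot(theta, x)) for x, y in data)


def qpso(objective, dim, particles=20, iters=50, lo=-100.0, hi=100.0, seed=0):
    """Quantum particle swarm minimization with the patent's settings: 20 particles,
    50 iterations, search space (-100, 100). beta shrinks linearly from 1.0 to 0.5 (assumed)."""
    rng = random.Random(seed)
    pos = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(particles)]   # step 1)
    pbest, pfit = [p[:] for p in pos], [objective(p) for p in pos]
    gfit = min(pfit)
    gbest = pbest[pfit.index(gfit)][:]
    for t in range(iters):                                                         # step 6) loop
        beta = 1.0 - 0.5 * t / iters
        mbest = [sum(p[j] for p in pbest) / particles for j in range(dim)]         # mean best position
        for i in range(particles):                                                 # step 2)
            f = objective(pos[i])
            if f < pfit[i]:                                                        # step 3)
                pfit[i], pbest[i] = f, pos[i][:]
            if f < gfit:                                                           # step 4)
                gfit, gbest = f, pos[i][:]
            for j in range(dim):                                                   # step 5)
                phi, u = rng.random(), 1.0 - rng.random()
                p = phi * pbest[i][j] + (1.0 - phi) * gbest[j]
                jump = beta * abs(mbest[j] - pos[i][j]) * math.log(1.0 / u)
                pos[i][j] = min(hi, max(lo, p + jump if rng.random() < 0.5 else p - jump))
    return gbest


def train(raw):
    """Steps (1)-(4): standardize, then solve theta* = argmin loss(theta) with QPSO."""
    xs, mu, sd = standardize([x for x, _ in raw])
    data = list(zip(xs, [y for _, y in raw]))
    theta = qpso(lambda th: loss(th, data), len(mu) + 1)
    return theta, mu, sd


def predict(model, x):
    """Step (5): h(theta^T x) > 0.5 -> attack user (1), otherwise normal user (0)."""
    theta, mu, sd = model
    return 1 if h(theta, [(v - m) / s for v, m, s in zip(x, mu, sd)]) > 0.5 else 0
```

Unseen users must be scaled with the means and standard deviations recorded at training time, which is why `predict` reuses them rather than re-standardizing the new sample on its own.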

Claims (3)

1. An application-layer DDoS attack detection method based on logistic regression, comprising the following steps:
Step (1): using the IP address of each accessing user as its identifier, extracting the feature set of the user's access behaviour, the accessing user's feature set being denoted (x^(i), y^(i)), where i indexes the i-th user, x is the group of features of the user, and y is the class of the user with values 0 and 1;
Step (2): computing the logistic regression function value of the user, i.e. the probability that y = 1 given the user's features x, the user's logistic regression function value being p(y = 1 | x) = 1/(1 + exp(-θ^T x)), where θ is the parameter of the logistic regression function and the logistic regression function is denoted h(θ^T x); letting the probability of each user being labelled 0 or 1 be p(y | x, θ), and establishing the logistic regression model;
Step (3): obtaining the maximum likelihood function l(θ) from the logistic regression model, the loss function of the logistic regression model being the negative of the maximum likelihood function and denoted loss(θ), where θ is the only variable of the loss function and is the parameter of the logistic regression model to be solved;
Step (4): taking the loss function as the objective function and solving it with a quantum particle swarm optimization algorithm to obtain the parameter θ* of the logistic regression model that makes the value of the loss function minimal;
Step (5): predicting unlabelled user features with the solved logistic regression model to obtain the class of the user.
2. The method according to claim 1, characterised in that in step (1) the user access features are eight features of the user extracted from the set of user accesses within one time window, the eight features being: the number of user accesses, the number of distinct pages accessed by the user, the mean user request interval, the total number of bytes of the web pages requested by the user, the duration of the user's access, the mean number of bytes per user request, the degree of variation of the number of levels of the URLs requested by the user, and the entropy of the user's request intervals, eight features in total.
3. The method according to claim 1, characterised in that in step (5) the method of predicting an unknown accessing user with the logistic regression model is: for the eight-tuple feature of an unlabelled accessing user, computing the logistic regression function value h(θ^T x); when the computed logistic regression function value is greater than 0.5, marking the accessing user as an attack user, otherwise marking the user as a normal user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710939442.6A CN107733886A (en) 2017-09-30 2017-09-30 The application layer ddos attack detection method that a kind of logic-based returns

Publications (1)

Publication Number Publication Date
CN107733886A true CN107733886A (en) 2018-02-23

Family

ID=61208742

Country Status (1)

Country Link
CN (1) CN107733886A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656981A (en) * 2016-10-21 2017-05-10 东软集团股份有限公司 Network intrusion detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张雪博 et al.: "基于改进Logistic回归算法的抗Web DDoS攻击模型的设计与实现" (Design and implementation of an anti-Web-DDoS attack model based on an improved logistic regression algorithm), 《信息网络安全》 (Netinfo Security) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566392A (en) * 2018-04-11 2018-09-21 四川长虹电器股份有限公司 Defence CC attacking systems based on machine learning and method
CN109767071A (en) * 2018-12-14 2019-05-17 深圳壹账通智能科技有限公司 User credit ranking method, device, computer equipment and storage medium
CN110119837A (en) * 2019-04-15 2019-08-13 天津大学 A kind of Spatial Load Forecasting method based on urban land property and development time
CN110119837B (en) * 2019-04-15 2023-01-03 天津大学 Space load prediction method based on urban land property and development time
CN110719272A (en) * 2019-09-27 2020-01-21 湖南大学 LR algorithm-based slow denial of service attack detection method
CN111212067A (en) * 2019-12-31 2020-05-29 南京联成科技发展股份有限公司 Industrial network security risk assessment system based on threat prediction
CN111583024A (en) * 2020-05-08 2020-08-25 南京甄视智能科技有限公司 Credit evaluation method, device, storage medium and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180223