CN109726553B - SNN-LOF algorithm-based slow denial of service attack detection method - Google Patents

SNN-LOF algorithm-based slow denial of service attack detection method

Info

Publication number: CN109726553B
Authority: CN (China)
Prior art keywords: detection, service attack, data, algorithm, sample
Legal status: Active
Application number: CN201910004189.4A
Other languages: Chinese (zh)
Other versions: CN109726553A (en)
Inventors: 汤澹, 郑凯, 罗能光, 唐柳, 吴小雪, 詹思佳, 王曦茵, 陈静文
Current assignee: Hunan University
Original assignee: Hunan University
Priority date: 2019-01-03
Filing date: 2019-01-03
Publication date: 2023-02-03

Events
2019-01-03: Application filed by Hunan University; priority to CN201910004189.4A
2019-05-07: Publication of CN109726553A
2023-02-03: Application granted; publication of CN109726553B
Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a slow denial of service attack detection method based on a shared neighbor density clustering and outlier factor (SNN-LOF) algorithm, and belongs to the field of network security. The method comprises: acquiring the traffic data of a key route over a period of time at a fixed sampling time interval; segmenting the traffic data into a plurality of detection units and counting discrete attributes of the TCP traffic and the total traffic in each detection unit to form detection data samples; constructing a shared neighbor similarity matrix over the detection samples and performing density clustering with that matrix as the density measure to obtain a set of divided clusters; and introducing known data samples, calculating the outlier factor of each introduced sample with an outlier factor algorithm, classifying each cluster according to a judgment criterion, and judging whether a slow denial of service attack exists. The detection method based on the SNN-LOF algorithm can detect the slow denial of service attack accurately, quickly and efficiently.

Description

SNN-LOF algorithm-based slow denial of service attack detection method
Technical Field
The invention belongs to the field of computer network security, and particularly relates to the detection of a special class of denial of service attack.
Background
The core idea of the slow denial of service attack is to attack a bottleneck link or a router so that congestion arises instantly and a large number of TCP segments are lost. The loss forces the network to signal congestion, which triggers the TCP congestion control mechanism at the source: the source adaptively shrinks its sending window and attempts to recover to a stable state. Repeating the attack periodically causes the TCP transmission performance to oscillate and severely reduces the throughput of the network. The attack not only achieves its intended effect but also escapes detection easily, which makes it very difficult to prevent. Although numerous approaches have been proposed, no mature solution is available today. The slow denial of service attack is therefore very covert and aggressive, and already poses a serious potential threat to network security. At present, detection methods for the slow denial of service attack mainly modify a specific protocol to remove the security vulnerabilities existing in that protocol; since many protocols are widely implemented and deployed, modifying them may harm the interests of most users and is therefore not practical.
The invention provides a slow denial of service attack detection method based on shared neighbor density clustering and an outlier factor algorithm, built on the detection of network traffic characteristics. The method clusters the traffic features with a shared neighbor density clustering algorithm, dividing the set of data objects into classes of similar objects, so that objects in the same cluster have high similarity and objects in different clusters have high dissimilarity. Known class samples are then introduced, the resulting clusters are classified with an outlier factor algorithm, and it is judged whether a cluster containing the slow denial of service attack exists, thereby detecting the attack. The method has high detection efficiency, low false positive and false negative rates and high accuracy, and can be applied to accurately detect the slow denial of service attack in different environments.
Disclosure of Invention
The method for detecting the slow denial of service attack aims at solving the problems of traditional detection methods, such as low practicability, high resource consumption and low accuracy. It uses shared neighbor density clustering to group objects with similar network traffic characteristics into the same cluster, and uses the outlier factor algorithm to classify the clusters accurately, so as to detect the slow denial of service attack accurately. The detection method offers high detection accuracy and speed against the slow denial of service attack, consumes few resources and is suitable for various network environments.
The technical scheme adopted by the invention to achieve this aim is as follows. The slow denial of service attack detection method comprises four main steps: raw data acquisition, traffic feature extraction, shared neighbor (SNN) cluster detection, and outlier factor (LOF) algorithm classification judgment.
1. Collecting raw data. Traffic data messages of a key route in the network are obtained, and all related traffic data within a period of time is collected to form the initial raw data.
2. Extracting traffic features. A specific time length is set and the raw data is divided into a plurality of detection units accordingly; the variance, the average difference and the coefficient of variation of the TCP traffic and of the total traffic are calculated for each detection unit, and these three groups of feature values serve as the data samples to be detected.
3. Shared neighbor cluster detection. The data samples to be detected are taken as the input of the shared neighbor clustering; a neighbor list is generated for each data sample and a shared neighbor similarity matrix is constructed, where the similarity of sample point p and sample point q is expressed as
Similarity(p, q) = size(NN(p) ∩ NN(q))
where NN(p) and NN(q) denote the neighbor lists of sample point p and sample point q, respectively.
The similarity matrix is then sparsified by nearest neighbor processing, the sparse matrix is taken as the density measure, the clustering parameters are set and density clustering is carried out. As shown in FIG. 1, the density clustering algorithm takes an unprocessed sample point from the data samples; if it is a core point, all objects that are density-reachable from it are found and form a cluster, otherwise the point is a boundary point and the next unprocessed sample point is taken. After all sample points have been traversed, the detection samples are clustered into a plurality of cluster sets.
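As an added illustration (not code from the patent), the following Python builds the shared neighbor similarity matrix of step 3 from per-unit feature vectors, sparsifies it by keeping only pairs that appear in each other's neighbor lists (our reading of the "nearest neighbor sparse processing"), and runs the core-point/density-reachable clustering described above. The feature vectors and the values of k, Eps and MinPts are constructed for the demonstration.

```python
import math
from itertools import combinations

# Constructed detection-unit feature vectors (variance, average difference,
# coefficient of variation of the TCP traffic per unit): two tight groups, one
# resembling steady traffic and one resembling periodic pulses, plus one stray
# point. The numbers are made up for the demonstration.
SAMPLES = [
    (0.10, 0.08, 0.05), (0.12, 0.09, 0.06), (0.11, 0.07, 0.05),
    (0.09, 0.08, 0.04), (0.13, 0.10, 0.06),
    (0.90, 0.70, 0.85), (0.95, 0.72, 0.88), (0.88, 0.69, 0.83),
    (0.92, 0.75, 0.86), (0.97, 0.71, 0.90),
    (0.50, 0.20, 0.40),
]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def knn_lists(points, k):
    """NN(p): indices of the k nearest other points, closest first."""
    lists = []
    for i, p in enumerate(points):
        others = sorted((j for j in range(len(points)) if j != i),
                        key=lambda j: euclid(p, points[j]))
        lists.append(others[:k])
    return lists

def snn_similarity(points, k):
    """Similarity(p, q) = size(NN(p) ∩ NN(q)), then sparsified: a pair that
    is not mutually adjacent (each in the other's neighbor list) is set to 0.
    Mutual adjacency is our assumed reading of 'nearest neighbor sparse
    processing'."""
    nn = knn_lists(points, k)
    n = len(points)
    sim = [[0] * n for _ in range(n)]
    for p, q in combinations(range(n), 2):
        if q in nn[p] and p in nn[q]:
            sim[p][q] = sim[q][p] = len(set(nn[p]) & set(nn[q]))
    return sim

def snn_density_cluster(points, k, eps, min_pts):
    """Density clustering with the sparse SNN matrix as the density measure:
    a point with at least min_pts links of similarity >= eps is a core point;
    a cluster is everything reachable from a core point over such links.
    Returns one label per point; -1 marks a boundary/noise point."""
    sim = snn_similarity(points, k)
    n = len(points)
    links = [[q for q in range(n) if q != p and sim[p][q] >= eps] for p in range(n)]
    core = [len(links[p]) >= min_pts for p in range(n)]
    labels = [-1] * n
    cluster_id = 0
    for p in range(n):
        if labels[p] != -1 or not core[p]:
            continue  # already assigned, or a boundary point: take the next one
        labels[p] = cluster_id
        stack = [p]
        while stack:
            u = stack.pop()
            for v in links[u]:
                if labels[v] == -1:
                    labels[v] = cluster_id
                    if core[v]:  # only core points extend the cluster further
                        stack.append(v)
        cluster_id += 1
    return labels

if __name__ == "__main__":
    print(snn_density_cluster(SAMPLES, k=4, eps=2, min_pts=3))
```

With these inputs the two groups become clusters 0 and 1 and the stray point, whose neighbor lists are not reciprocated, is left unassigned (-1).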
4. Classification judgment by the outlier factor algorithm. Known class samples, comprising normal samples and slow denial of service attack samples, are introduced into each of the divided cluster sets, and the local reachable density of each introduced sample point in each cluster set is calculated, where the local reachable density is expressed as
$$\mathrm{lrd}_k(p) = \left( \frac{\sum_{o \in N_k(p)} \text{reach-dist}_k(p, o)}{|N_k(p)|} \right)^{-1}$$
where reach-dist_k(p, o) denotes the k-th reachable distance between sample point p and sample point o, which is the actual distance between the two points but at least the k-th distance (the distance to the k-th nearest sample point); the 5th distance of sample point p is illustrated in FIG. 2. N_k(p) denotes the k-th distance neighborhood of sample point p, and |N_k(p)| the number of points in that neighborhood.
From the local reachable densities of the introduced sample points in the different cluster sets, the local outlier factor is calculated with the outlier factor algorithm, where the local outlier factor is expressed as
$$\mathrm{LOF}_k(p) = \frac{1}{|N_k(p)|} \sum_{o \in N_k(p)} \frac{\mathrm{lrd}_k(o)}{\mathrm{lrd}_k(p)}$$
For each cluster, the mean outlier factor of the introduced sample points of the same class is calculated and compared with a preset threshold: if the mean outlier factor is smaller than the threshold, the cluster and the introduced samples are judged to belong to the same class. If any cluster set obtained by the clustering division is classified as a slow denial of service attack cluster set, it is judged that a slow denial of service attack exists in that period of time.
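The following Python, added here and not taken from the patent, carries out the step 4 judgment: known normal and attack samples are introduced into a cluster one at a time, their local reachable density and local outlier factor are computed with the standard LOF definitions (reach-dist_k(p, o) = max(k-distance(o), d(p, o))), and the per-class mean outlier factor is compared with a threshold. The cluster, the reference samples, k = 3 and the threshold 2.0 are constructed values.

```python
import math

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def k_distance_neighborhood(data, i, k):
    """k-distance of point i (distance to its k-th nearest other point) and
    N_k(i): every other point no farther than that distance (ties included)."""
    ranked = sorted((euclid(data[i], data[j]), j) for j in range(len(data)) if j != i)
    k_dist = ranked[k - 1][0]
    return k_dist, [j for d, j in ranked if d <= k_dist]

def lrd(data, i, k, cache):
    """Local reachable density of point i: reciprocal of the mean of
    reach-dist_k(i, o) over o in N_k(i), with
    reach-dist_k(i, o) = max(k-distance(o), d(i, o))  (standard LOF, assumed)."""
    if i not in cache:
        _, nbrs = k_distance_neighborhood(data, i, k)
        total = 0.0
        for o in nbrs:
            k_dist_o, _ = k_distance_neighborhood(data, o, k)
            total += max(k_dist_o, euclid(data[i], data[o]))
        cache[i] = len(nbrs) / total if total > 0 else math.inf  # duplicates
    return cache[i]

def lof(data, i, k):
    """Local outlier factor of point i: mean over o in N_k(i) of lrd(o) / lrd(i)."""
    cache = {}
    _, nbrs = k_distance_neighborhood(data, i, k)
    lrd_i = lrd(data, i, k, cache)
    return sum(lrd(data, o, k, cache) / lrd_i for o in nbrs) / len(nbrs)

def classify_cluster(cluster, references, k, threshold):
    """Introduce each known sample into the cluster, compute its LOF against the
    cluster and average per class. The cluster takes the class with the lowest
    mean LOF provided that mean is below the threshold; otherwise None."""
    means = {}
    for label, samples in references.items():
        lofs = [lof(cluster + [x], len(cluster), k) for x in samples]
        means[label] = sum(lofs) / len(lofs)
    best = min(means, key=means.get)
    return (best if means[best] < threshold else None), means

# Constructed feature vectors (variance, average difference, coefficient of
# variation of the TCP traffic in a detection unit); the values are made up.
CLUSTER = [(0.10, 0.08, 0.05), (0.12, 0.09, 0.06), (0.11, 0.07, 0.05),
           (0.09, 0.08, 0.04), (0.13, 0.10, 0.06), (0.10, 0.09, 0.05)]
REFERENCES = {
    "normal": [(0.11, 0.08, 0.05), (0.10, 0.08, 0.06)],
    "ldos":   [(0.90, 0.70, 0.85), (0.95, 0.72, 0.88)],
}

if __name__ == "__main__":
    verdict, means = classify_cluster(CLUSTER, REFERENCES, k=3, threshold=2.0)
    print(verdict, means)
```

A reference sample that sits inside the cluster has a local reachable density close to that of its neighbors and an outlier factor near 1, while a sample of the other class has a far smaller density and an outlier factor far above the threshold, so the cluster is assigned to the class whose references it absorbs.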
Advantageous effects
The method for detecting the slow denial of service attack has high accuracy, low false positive and false negative rates, good detection performance in various network environments, small space and time complexity, and low resource consumption, and it yields a detection result quickly. It is therefore suitable for detecting the slow denial of service attack in a network environment.
Drawings
FIG. 1 is a schematic diagram of the process of the density clustering algorithm, which uses the density relationships between data objects to divide a collection of data objects into classes of similar objects, so that objects in the same cluster have high similarity and objects in different clusters have high dissimilarity.
FIG. 2 is a schematic diagram of the 5th distance of a data sample point p; the k-th reachable distance of a data sample point is the actual distance, but at least the distance to the k-th nearest sample point.
FIG. 3 is a flow chart of the slow denial of service attack detection based on the SNN-LOF algorithm; the detection method mainly comprises four steps: raw data acquisition, traffic feature extraction, shared neighbor cluster detection and outlier factor algorithm classification judgment.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of the density clustering algorithm process. The clustering algorithm takes an unprocessed sample point from the data samples; if the point is a core point, all objects that are density-reachable from it are found and form a cluster, otherwise the point is a boundary point and the next unprocessed sample point is taken. After all sample points have been traversed, the detection samples are clustered into a plurality of cluster sets.
FIG. 2 is a schematic diagram of the 5th distance of a data sample point p. The k-th reachable distance of a data sample point is the actual distance, but at least the distance to the k-th nearest sample point. From the reachable distances between sample points, the local reachable density of the introduced sample points in the different clusters is calculated; the local outlier factor is then calculated with the outlier factor algorithm, and the divided clusters are classified according to the comparison of the local outlier factor with the threshold, so as to judge whether a slow denial of service attack has occurred in the network.
FIG. 3 is a flow chart of the slow denial of service attack detection method based on the SNN-LOF algorithm, which mainly comprises four steps: raw data acquisition, traffic feature extraction, shared neighbor cluster detection and outlier factor algorithm classification judgment. First, features are extracted from the acquired data and an SNN similarity matrix is constructed as the density measure; density clustering then forms a plurality of cluster sets; known samples are introduced into the different cluster sets and their outlier factor values are calculated with the outlier factor algorithm; finally, the outlier factor values are compared with the set threshold to classify the divided cluster sets and judge whether a slow denial of service attack exists.

Claims (9)

1. A slow denial of service attack detection method based on a shared neighbor clustering and outlier factor algorithm (SNN-LOF), characterized by comprising the following steps:
step 1, acquiring traffic data messages of a key route in a network, and collecting all related traffic data within a period of time to form initial raw data;
step 2, dividing the raw data into a plurality of detection units according to a time length, and counting discrete characteristic values of the detection units to form detection data samples;
step 3, clustering and dividing the detection samples based on a shared neighbor (SNN) density clustering algorithm to obtain different clusters;
step 4, classifying the divided clusters based on an outlier factor (LOF) algorithm, and judging whether a slow denial of service attack exists in the network.
2. The method according to claim 1, wherein in step 1 the traffic data information of the key route is obtained over a certain period of time by setting a fixed sampling time interval, and the obtained information is used as the initial raw data.
3. The method according to claim 1, wherein in step 2 a specific time length is set and the raw data is segmented to form a plurality of detection units, and discrete attributes of the TCP traffic and the total traffic in each detection unit, such as the variance and the average difference, are counted to form the detection data samples.
4. The method according to claim 1, wherein the shared neighbor density clustering division of the detection samples in step 3 specifically comprises the following steps:
step 3.1, generating a neighbor table for the detection data samples, and constructing a shared neighbor similarity matrix;
step 3.2, carrying out nearest neighbor sparsification on the similarity matrix, taking the sparse matrix as the density measure, setting the clustering parameters, and carrying out density clustering to form a set of divided clusters.
5. The method according to claim 4, wherein the shared neighbor similarity matrix in step 3.1 is defined as the matrix constructed by taking the number of shared neighboring points between sample points as the similarity between those sample points.
6. The method according to claim 4, wherein the nearest neighbor sparsification in step 3.2 is defined as sparsifying the similarity between a sample point and its non-adjacent sample points.
7. The method according to claim 1, wherein the classification of the clusters by the outlier factor algorithm in step 4 comprises the following steps:
step 4.1, introducing known class samples into the different divided cluster sets, and respectively calculating the local reachable densities of the introduced samples in the different cluster sets;
step 4.2, calculating the local outlier factor with the outlier factor algorithm from the local reachable densities of the introduced samples in the different clusters, classifying the clusters according to a judgment criterion, and judging whether a slow denial of service attack exists in the network.
8. The method according to claim 7, wherein the local reachable density in step 4.1 is defined as the reciprocal of the mean of the reachable distances of all other sample points in the neighborhood of a sample point to that sample point.
9. The method according to claim 7, wherein the local outlier factor in step 4.2 is defined as the average of the ratio of the local reachable density of each point in the neighborhood of a sample point to the local reachable density of that sample point.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910004189.4A CN109726553B (en) 2019-01-03 2019-01-03 SNN-LOF algorithm-based slow denial of service attack detection method

Publications (2)

Publication Number Publication Date
CN109726553A CN109726553A (en) 2019-05-07
CN109726553B true CN109726553B (en) 2023-02-03

Family

ID=66299601

Country Status (1)

Country Link
CN (1) CN109726553B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110719270A (en) * 2019-09-26 2020-01-21 湖南大学 FCM algorithm-based slow denial of service attack detection method
CN110650145A (en) * 2019-09-26 2020-01-03 湖南大学 Low-rate denial of service attack detection method based on SA-DBSCAN algorithm
CN110580030A (en) * 2019-10-11 2019-12-17 南京铁道职业技术学院 Pharmaceutical factory environment purification control system based on Internet of things
CN111444501B (en) * 2020-03-16 2023-04-18 湖南大学 LDoS attack detection method based on combination of Mel cepstrum and semi-space forest
CN112887332A (en) * 2021-03-01 2021-06-01 山西警察学院 DDOS attack detection method under cloud environment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10200382B2 (en) * 2015-11-05 2019-02-05 Radware, Ltd. System and method for detecting abnormal traffic behavior using infinite decaying clusters
CN105959270A (en) * 2016-04-25 2016-09-21 盐城工学院 Network attack detection method based on spectral clustering algorithm
CN107360127A (en) * 2017-03-29 2017-11-17 湖南大学 Slow denial of service attack detection method based on AEWMA algorithm

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant