CN110113367B - Zombie host detection method in DDoS attack based on information interference - Google Patents


Info

Publication number
CN110113367B
Authority
CN (China)
Prior art keywords
host, value, feature, detected, interference
Legal status
Active (granted)
Application number
CN201910559146.2A
Other languages
Chinese (zh)
Other versions
CN110113367A (application publication)
Inventors
韦云凯, 李任淇, 彭美娥
Current and original assignee
University of Electronic Science and Technology of China
Prosecution history
Application CN201910559146.2A filed by University of Electronic Science and Technology of China; published as CN110113367A; granted as CN110113367B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic
    • H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00 > H04L 2463/144 Detection or countermeasures against botnets

Abstract

The invention discloses a zombie host detection method in DDoS attacks based on information interference, comprising the following steps: S1, represent each candidate feature by a triple of mean, variance and maximum allowable value; S2, select the candidate features that meet the requirements; S3, construct the interference messages and calculate their sending rate; S4, count the mean of the traffic of the host under detection on each selected feature, compare it with the normal-traffic mean of that feature, and judge whether the absolute difference is at or above a preset threshold; if every feature meets the condition, the host under detection is judged to be a zombie host, otherwise a normal host. The invention proposes the idea of interfering before detecting, which can effectively detect zombie hosts with a certain learning capacity, makes up for the shortcomings in detecting DDoS attack mechanisms that have learning capacity, and offers an approach for detecting more advanced and subtle DDoS attacks.

Description

Zombie host detection method in DDoS attack based on information interference
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a zombie host detection method in DDoS attack based on information interference.
Background
A Distributed Denial of Service (DDoS) attack is one in which an attacker controls a large number of zombie hosts to attack one or more targets simultaneously, consuming the targets' service resources or network bandwidth so that they can no longer process and respond to legitimate user requests. The continuing development of network technology has created many convenient conditions for DDoS attacks, and their strength and frequency increase year by year. In 2018 the peak traffic of a DDoS attack reached 1.7 Tbps, and data published by Imperva show that in an attack event in April 2019 the attack strength reached 580 Mpps (packets per second); China is among the countries that suffer many DDoS attacks. As attack strength keeps rising and, in recent years, new network technologies and artificial intelligence techniques develop, DDoS attack mechanisms become more complex and refined and their concealment keeps improving, which poses a huge challenge for DDoS attack detection and mitigation.
Most existing detection mechanisms rely on inherent characte­ristics of existing DDoS attack mechanisms: they analyse the differences between attack traffic and normal traffic on certain packet-level or flow-level features and detect with a set threshold, and some work detects DDoS attacks by analysing the correlation between flows. As DDoS attack technology develops, however, an attacker can evade such schemes by optimising the attack mechanism and constructing attack packets more carefully. In addition, the flooding traffic of a DDoS attack consumes many resources along its path, such as processing time and bandwidth, on its way from the source to the destination. Detecting the attack as early as possible therefore matters for mitigation, resource saving and network stability, so a detection mechanism should be deployed as close to the attack source as possible to achieve early discovery and early warning. Because of the nature of the DDoS attack mechanism, in which a large number of zombie hosts send attack messages to the target simultaneously, DDoS traffic converges continuously from the sources to the destination, and all of the converged attack traffic is received at the destination host; attack detection at the destination is therefore easier than at the source, which is why most existing detection schemes are deployed at the destination.
Generally, once a DDoS attack is detected in the network, the best response is to disconnect from the zombie hosts or to drop their messages without further processing. Identifying the zombie hosts in the network is therefore important for mitigating DDoS attacks, yet most existing detection schemes can only detect whether an attack is occurring and cannot effectively identify the zombie hosts present.
In view of this trend in DDoS attacks, designing a DDoS detection method that can be deployed at the attack source and effectively identify the zombie hosts in the network is of great significance for improving network security.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a detection scheme that can be deployed at the DDoS attack source, achieves early discovery and early warning, and detects an ongoing attack early; it provides a zombie host detection method in DDoS attacks based on information interference that seizes the initiative for defending against and mitigating the attack.
The purpose of the invention is realised by the following technical scheme. A zombie host detection method in DDoS attacks based on information interference comprises the following steps:
S1, analyse and count the mean and variance of the normal traffic in the network on each candidate feature, and determine the maximum allowable value of each candidate feature; represent each candidate feature by the triple (mean, variance, maximum allowable value), and combine the candidate features into a candidate feature set;
S2, select the candidate features meeting the requirements from the candidate feature set according to the maximum bandwidth of the network where the host under detection is located, the current traffic of that network, and the allowable maximum false-detection rate;
S3, for each feature selected in step S2, calculate the offset required on top of its mean, obtain the value to set for each selected feature to construct the interference message, and calculate the sending rate of the interference messages;
S4, send the interference traffic to the host under detection, count the mean of that host's traffic on each selected feature, compare it with the normal-traffic mean of the feature, and judge whether the absolute difference is at or above a preset threshold; if every feature meets the condition, judge the host under detection to be a zombie host, otherwise a normal host.
Further, step S2 is implemented as follows. Denote the n candidate features obtained in step S1, the triple of the i-th feature being
[equation image BDA0002107747030000021]
where n is the number of candidate features, μ_i is the mean of the i-th feature in the collected normal user traffic, σ_i²
[equation image BDA0002107747030000022]
is the variance of the i-th feature in the collected normal user traffic, and v_max,i is the maximum allowable value of the i-th feature. Denote the allowable maximum false-detection rate by p, i.e. the probability that a normal host is judged to be a zombie host is at most p. The maximum bandwidth of the network where the host under detection is located is B_max and the current traffic of that network is B_c.
Step S2 includes the following substeps:
S21, sort the n features
[equation image BDA0002107747030000023]
in ascending order of their variance
[equation image BDA0002107747030000024]
to obtain the sorted candidate feature set F_asc = (f_1, f_2, ..., f_n), and initialise the (initially empty) selected feature set
[equation image BDA0002107747030000025]
S22, add the first feature f_j of F_asc that is not yet in F_selected to F_selected, and compute the false-detection-rate guarantee ε_j after selecting f_j by the following formula:
[equation image BDA0002107747030000031]
where 1 ≤ j ≤ n;
S23, let F_selected = (f_1, ..., f_m); the guarantee parameters of the selected features give the overall false-detection rate ε_now:
[equation image BDA0002107747030000032]
1 ≤ m ≤ n, 1 ≤ k ≤ m;
if ε_now ≤ p, output the selected feature set F_selected and go to step S3; otherwise return to step S22.
Further, step S3 is implemented as follows. Let Δ_k be the offset to be added to the mean μ_k of feature f_k in F_selected, and let γ be the sending rate of the interference messages; the detection host sends, at rate γ, interference messages whose features are F_selected and whose values are FV_send = (μ_1+Δ_1, ..., μ_m+Δ_m).
Step S3 includes the following substeps:
S31, establish the optimisation model for the feature offsets and the interference sending rate: to keep the interference messages concealed and to minimise the burden on the network, Δ_k and γ should both be minimised, i.e.:
[equation image BDA0002107747030000033]
S32, determine the constraints of the optimisation model, including the network bandwidth constraint, the false-detection-rate constraint and the basic physical-meaning constraints;
S33, solve the optimisation model under the constraints to obtain the optimal feature offsets and the optimal sending rate of the interference messages.
Further, step S33 includes the following steps:
S331, define the barrier function:
[equation image BDA0002107747030000034]
where
[equation image BDA0002107747030000041]
S332, choose an initial point in the feasible region of the optimisation model
[equation image BDA0002107747030000042]
an initial penalty factor r_1 > 0, a decreasing coefficient C < 1 and the allowed calculation precisions ε_1, ε_2 > 0; set k = 1;
S333, starting from
[equation image BDA0002107747030000043]
as the initial point, solve for the optimal solution of the barrier function
[equation image BDA0002107747030000044]
by the modified Powell algorithm, obtaining
[equation image BDA0002107747030000045]
S334, check the iteration termination criterion: if
[equation image BDA0002107747030000046]
and
[equation image BDA0002107747030000047]
hold, stop the iteration and
[equation image BDA0002107747030000048]
is the optimal solution; otherwise go to the next step;
S335, set r_{k+1} = C r_k and k = k + 1, and return to step S333;
S336, the solved optimal solution
[equation image BDA0002107747030000049]
and γ* give, for each feature f_k in F_selected, the optimal offset
[equation image BDA00021077470300000410]
then the f_k feature of each interference message is set to
[equation image BDA00021077470300000411]
and the messages are sent at rate γ*.
Further, in step S333 the modified Powell algorithm solves for the optimal solution of the barrier function
[equation image BDA00021077470300000412]
as follows:
S3331, take the initial point
[equation image BDA00021077470300000413]
and the convergence precision ε, and take the unit vectors of the m+1 coordinate axes as the initial direction set
[equation image BDA00021077470300000414]
S3332, starting from
[equation image BDA00021077470300000415]
perform line searches along the directions
[equation image BDA00021077470300000416]
obtaining the points
[equation image BDA00021077470300000417]
S3333, find the direction along which the function value decreased the most
[equation image BDA00021077470300000418]
and calculate the decrease of the function value along that direction;
S3334, starting from
[equation image BDA00021077470300000419]
perform a line search along the direction
[equation image BDA00021077470300000420]
obtaining
[equation image BDA00021077470300000421]
S3335, check whether the termination criterion is met:
[equation image BDA00021077470300000422]
if it holds, stop and take
[equation image BDA00021077470300000423]
as the optimal solution; otherwise go to S3336;
S3336, if
[equation image BDA00021077470300000424]
holds, use the new direction
[equation image BDA00021077470300000425]
to replace
[equation image BDA00021077470300000426]
i.e. for i = j, j+1, ..., m:
[equation image BDA00021077470300000427]
and set
[equation image BDA00021077470300000428]
otherwise keep the original m+1 search directions and go to S3337;
S3337, set
[equation image BDA0002107747030000051]
and return to step S3332.
The method identifies the zombie hosts in a DDoS attack by interfering first and detecting afterwards. It first analyses the mean and variance of normal user traffic in the network on each candidate feature, selects from them the feature set that can effectively control the false-detection rate, and adds an offset to the mean of each selected feature to construct the interference messages. Because of how the zombie host's attack mechanism works, the mean of the traffic it sends on these features changes after it is affected by the interference traffic, whereas the behaviour of normal users in the network is not affected, so the means of zombie-host traffic and normal-host traffic on these features can be told apart; finally the zombie host is identified by checking whether the offset of the traffic of the host under detection on these features exceeds a set threshold. The method selects features dynamically according to the network state, solves for the value of each feature of the interference message and its sending rate through an optimisation model, and can effectively identify the zombie hosts in a DDoS attack. The beneficial effects of the invention are:
(1) the invention proposes the idea of interfering before detecting, which can effectively detect zombie hosts with a certain learning capacity, makes up for the shortcomings in detecting DDoS attack mechanisms that have learning capacity, and offers an approach for detecting more advanced and subtle DDoS attacks;
(2) the invention provides a detection scheme that can be deployed at the DDoS attack source, achieves early discovery and early warning, detects an ongoing attack early, and seizes the initiative for defending against and mitigating the attack;
(3) while detecting whether a DDoS attack is occurring in the network, the invention can also identify the zombie hosts present in the network, which is of great significance for mitigating the attack.
Drawings
FIG. 1 is a diagram of a network scenario provided by an embodiment of the present invention;
fig. 2 is a flowchart of a zombie host detection method in a DDoS attack based on information interference.
Detailed Description
With the development of network technology, DDoS attack mechanisms have also become more advanced and subtle. If an attacker can collect user traffic in the network before launching the attack, each zombie host can extract the features of every collected user message to form normal message patterns and build a simulation dictionary from them; when constructing an attack message it picks a normal message pattern from the simulation dictionary uniformly at random. When the attack starts, all zombie hosts send attack messages to the target simultaneously at a variable rate, achieving denial of service. For this kind of variable-rate DDoS attack with a certain learning capacity, the invention provides a DDoS attack detection method that can be deployed at the source and that effectively identifies the zombie hosts in the network through interference followed by detection. The technical scheme of the invention is further explained below with reference to the drawings.
As shown in Fig. 1, suppose there are several zombie hosts in the network. Before launching the attack, each zombie host collects the user traffic in the network, extracts the features of every collected user message to form normal message patterns, and builds a simulation dictionary; when constructing an attack message it picks a normal message pattern from the simulation dictionary uniformly at random. When the attack starts, all zombie hosts send attack messages to the target simultaneously at a variable rate, achieving denial of service. To detect zombie hosts with this attack characteristic:
as shown in fig. 2, a zombie host detection method in DDoS attack based on information interference includes the following steps:
s1, analyzing and counting the mean value and variance of the normal flow in the network on each candidate feature, and analyzing to obtain the maximum allowable value of each candidate feature; for each feature to be selected, a triple representation of a mean value, a variance and a maximum allowable value is adopted; and each feature to be selected is combined into a feature set to be selected; the detection host may obtain some normal user traffic in the current network state by using some network sniffing tools, and then perform statistical analysis on values of the normal user traffic on various features, where the features may be features of a message level, such as values of some fields of a message header, such as header length, total length, identifier, slice offset, and lifetime of an IP datagram header. The mean and variance of each feature are obtained through statistics, and the maximum allowable value of each feature can be determined according to specific protocol requirements or network practical conditions, for example, due to the limitation of an IP protocol, the maximum value of a lifetime field in an IP datagram is 255.
S2, select the candidate features meeting the requirements from the candidate feature set according to the maximum bandwidth of the network where the host under detection is located, the current traffic of that network, and the allowable maximum false-detection rate. The specific implementation is as follows. Denote the n candidate features obtained in step S1, the triple of the i-th feature being
[equation image BDA0002107747030000061]
where n is the number of candidate features, μ_i is the mean of the i-th feature in the collected normal user traffic, σ_i²
[equation image BDA0002107747030000062]
is the variance of the i-th feature in the collected normal user traffic, and v_max,i is the maximum allowable value of the i-th feature. To keep the probability that a normal host is judged to be a zombie host from becoming too high, an allowable maximum false-detection rate p is set: the probability that a normal host is judged to be a zombie host during detection is at most p. The maximum bandwidth of the network where the host under detection is located is B_max and the current traffic rate of that network is B_c.
If each feature is regarded as a random variable X_i (1 ≤ i ≤ n), then by Chebyshev's inequality the probability that a message's value on feature X_i differs from its mean μ_i by more than δ_i is at most σ_i²/δ_i², namely:
P(|X_i − μ_i| ≥ δ_i) ≤ σ_i² / δ_i²
[equation images BDA0002107747030000063 and BDA0002107747030000064]
Therefore, when sending the interference traffic, if one feature f_i (1 ≤ i ≤ n) is chosen, its value is set to the maximum allowable value v_max,i and the traffic is sent at the maximum allowable rate B_max − B_c (where B_max is the maximum bandwidth of the network where the host under detection is located and B_c is the current traffic rate of that network), then, after the zombie host is affected by the interference traffic, the value of its sending traffic on feature f_i is:
[equation image BDA0002107747030000071]
which deviates from the feature mean μ_i by
[equation image BDA0002107747030000072]
while the probability that the traffic sent by a normal host in the network reaches this offset on the feature is lower than
[equation image BDA0002107747030000073]
Through the above analysis, the specific algorithm of step S2 includes the following substeps:
S21, sort the n features
[equation image BDA0002107747030000074]
in ascending order of their variance
[equation image BDA0002107747030000075]
to obtain the sorted candidate feature set F_asc = (f_1, f_2, ..., f_n), and initialise the (initially empty) selected feature set
[equation image BDA0002107747030000076]
S22, add the first feature f_j of F_asc that is not yet in F_selected to F_selected, and compute the false-detection-rate guarantee ε_j after selecting f_j by the following formula:
[equation image BDA0002107747030000077]
where 1 ≤ j ≤ n;
S23, let F_selected = (f_1, ..., f_m); the guarantee parameters of the selected features give the overall false-detection rate ε_now:
[equation image BDA0002107747030000078]
1 ≤ m ≤ n, 1 ≤ k ≤ m;
if ε_now ≤ p, output the selected feature set F_selected and go to step S3; otherwise return to step S22.
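The following Python program is added here as an illustration of steps S1, S2 and S4 on constructed traffic; it is not part of the patent. The page gives the S2 formulas only as images, so the program assumes: the expected mean shift of a zombie that samples its dictionary uniformly is the rate-weighted mixture γ/(B_c+γ)·(v − μ); the Chebyshev bound σ²/θ² is applied to the detection threshold θ, which is set to half the shift expected at the maximum interference rate; bounds of independent features are multiplied to obtain ε_now; and the three IP header features, bandwidths and packet values are constructed.

```python
"""Interference-then-detect simulation of steps S1, S2 and S4.

Added example, not the patent's code. Assumptions (the page shows the formulas
only as images): zombie mean shift = gamma/(B_c+gamma)*(v - mu); Chebyshev bound
sigma^2/theta^2 applied to the detection threshold theta; bounds of independent
features multiply; theta is half the expected shift; all traffic is constructed.
"""
import random
import statistics

B_MAX = 100.0             # link capacity, Mbit/s (constructed)
B_C = 50.0                # current normal traffic, Mbit/s (constructed)
P_MAX_FALSE = 0.01        # allowed false-detection rate p
THRESHOLD_FRACTION = 0.5  # detection threshold as a fraction of the expected shift

# Candidate IP header features named on the page, with their protocol maxima.
V_MAX = {"ttl": 255, "total_length": 65535, "identification": 65535}


def normal_packets(rng, n):
    """Constructed normal traffic: TTL 64 or 128, lengths around 600 bytes,
    identification uniform (too noisy to be a useful feature)."""
    return [{"ttl": 64 if rng.random() < 0.7 else 128,
             "total_length": max(20, min(65535, int(rng.gauss(600, 200)))),
             "identification": rng.randrange(65536)} for _ in range(n)]


def feature_triples(pkts):
    """S1: (mean, variance, maximum allowed value) for every candidate feature."""
    return {name: (statistics.fmean(p[name] for p in pkts),
                   statistics.pvariance([p[name] for p in pkts]), vmax)
            for name, vmax in V_MAX.items()}


def expected_shift(mu, value, gamma, b_c):
    """Mean shift of a host that samples uniformly from a dictionary holding
    normal traffic (rate b_c) and interference carrying `value` (rate gamma)."""
    return gamma / (b_c + gamma) * (value - mu)


def threshold(name, triples, b_max, b_c):
    """Threshold for one feature: a fraction of the shift expected when the
    interference carries v_max at the maximum allowed rate B_max - B_c."""
    mu, _, vmax = triples[name]
    return THRESHOLD_FRACTION * expected_shift(mu, vmax, b_max - b_c, b_c)


def select_features(triples, b_max, b_c, p):
    """S2: add features in ascending order of variance until the product of
    their Chebyshev bounds sigma^2 / theta^2 falls to p."""
    selected, eps_now = [], 1.0
    for name in sorted(triples, key=lambda n: triples[n][1]):
        theta = threshold(name, triples, b_max, b_c)
        eps_j = min(1.0, triples[name][1] / theta ** 2) if theta > 0 else 1.0
        selected.append(name)
        eps_now *= eps_j
        if eps_now <= p:
            return selected, eps_now
    raise ValueError("false-detection rate %g not reachable" % p)


def interference_packets(triples, selected, n):
    """S3 (simplified): selected features carry their maximum allowed value,
    the other features keep the normal mean."""
    pkt = {name: t[0] for name, t in triples.items()}
    pkt.update({name: triples[name][2] for name in selected})
    return [dict(pkt) for _ in range(n)]


def zombie_attack(rng, observed, n):
    """Attack model from the page: the zombie learns a dictionary from the
    traffic it observed and picks an entry uniformly for every attack packet."""
    return [dict(rng.choice(observed)) for _ in range(n)]


def classify(host_pkts, triples, selected, b_max, b_c):
    """S4: zombie iff the host's mean deviates from the baseline mean by at
    least the threshold on every selected feature."""
    for name in selected:
        host_mean = statistics.fmean(p[name] for p in host_pkts)
        if abs(host_mean - triples[name][0]) < threshold(name, triples, b_max, b_c):
            return "normal"
    return "zombie"


def run_demo(seed=7):
    rng = random.Random(seed)
    triples = feature_triples(normal_packets(rng, 2000))
    selected, eps_now = select_features(triples, B_MAX, B_C, P_MAX_FALSE)
    # On the wire during interference: normal and interference packets in
    # proportion to their rates B_c and gamma = B_max - B_c (equal packet sizes).
    n_normal = 1000
    n_interf = int(n_normal * (B_MAX - B_C) / B_C)
    observed = normal_packets(rng, n_normal) + interference_packets(triples, selected, n_interf)
    return {"selected": selected, "eps_now": eps_now,
            "zombie_host": classify(zombie_attack(rng, observed, 500), triples, selected, B_MAX, B_C),
            "normal_host": classify(normal_packets(rng, 500), triples, selected, B_MAX, B_C)}


if __name__ == "__main__":
    print(run_demo())
```

Run as a script it prints the selected features, the bound ε_now and the two verdicts. The identification field is deliberately kept among the candidates: its variance is so large that its Chebyshev bound is clipped to 1, so the greedy pass never gains from it, which is the reason the page sorts candidates by variance before adding them.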
S3, after the available feature set has been selected, the interference messages can be constructed from those features: for each feature selected in step S2, calculate the offset required on top of its mean, obtain the value to set for each selected feature to construct the interference message, and calculate the sending rate of the interference messages.
The specific implementation is as follows. Let Δ_k be the offset to be added to the mean μ_k of feature f_k in F_selected so as to distinguish it from the distribution of normal user traffic on that feature, and let γ be the sending rate of the interference messages; the detection host sends, at rate γ, interference messages whose features are F_selected and whose values are FV_send = (μ_1+Δ_1, ..., μ_m+Δ_m).
To determine the feature offsets Δ_k (1 ≤ k ≤ m) and the optimal sending rate γ of the interference messages according to the actual network conditions, an optimisation model has to be solved, in the following substeps:
S31, establish the optimisation model for the feature offsets and the interference sending rate: to keep the interference messages concealed and to minimise the burden on the network, Δ_k and γ should both be minimised, i.e.:
[equation image BDA0002107747030000081]
where 0 ≤ α ≤ 1. Two different quantities, the feature offsets and the interference sending rate, are minimised at the same time, and the parameter α sets their relative weight: the larger α is, the more importance is placed on the concealment of the interference messages and the less on reducing the network load. The specific value of α is chosen by the user according to the actual situation.
S32, determine the constraints of the optimisation model. Owing to the actual network conditions and the specific meaning of each feature, Δ_k (1 ≤ k ≤ m) and γ are subject to the following constraints:
C1, network bandwidth constraint: the interference traffic burdens the network, so the sending rate of the interference messages is limited by the maximum bandwidth of the network, i.e.:
γ + B_c ≤ B_max (6);
C2, false-detection-rate constraint: if the host under detection is a zombie host, then after it receives the interference traffic the statistical mean of the traffic it sends on each feature changes, because of the nature of its attack mechanism, and deviates from the original mean. To bound the probability that normal traffic is judged to be attack traffic affected by the interference, the deviation of the statistical mean of the interfered attack traffic on each selected feature must exceed a certain threshold.
Suppose the detection host sends, at rate γ, interference messages whose features are F_selected and whose values are FV_send = (μ_1+Δ_1, ..., μ_m+Δ_m); after the zombie host is affected by the interference traffic, the value of its sending traffic on feature
[equation image BDA0002107747030000082]
is:
[equation image BDA0002107747030000083]
Therefore, to ensure that the false-detection rate when identifying zombie hosts is not higher than p, i.e. that the probability of a normal host being judged a zombie host is not higher than p, the offset Δ_k of each feature (1 ≤ k ≤ m) and the sending rate γ of the interference messages must satisfy:
[equation image BDA0002107747030000091]
where δ_i (1 ≤ i ≤ m) may be set manually, but to keep the false-detection rate no higher than p it must satisfy the requirement of Chebyshev's inequality
[equation image BDA0002107747030000092]
C3, basic physical-meaning constraints: these follow from the actual meaning of each feature and the physical meaning of the sending rate of the interference messages. Since each feature and the sending rate γ of the interference messages have their specific physical meanings, they should satisfy:
[equation image BDA0002107747030000093]
From the above, taking the actual network environment into account, the problem of choosing each feature offset Δ_k (1 ≤ k ≤ m) and the sending rate γ of the interference messages is described by the following optimisation model:
[equation image BDA0002107747030000094]
In solving it, each iteration converts the constrained extremum problem into an unconstrained one by the barrier function method and then finds the minimum of the current iteration with the modified Powell algorithm; if that minimum meets the termination requirement the iteration stops and the optimal solution is obtained, otherwise the iterative process is repeated until the optimal solution is obtained.
S33, solving the optimization model according to the constraint conditions to obtain the optimal characteristic deviation values and the optimal attack message sending rate; the method comprises the following steps:
s331, defining a barrier function:
Figure BDA0002107747030000101
wherein
Figure BDA0002107747030000102
S332, selecting initial points in the feasible region of the optimization model
Figure BDA0002107747030000103
Initial penalty factor r1> 0 (e.g. take r)110), a decreasing coefficient C < 1 (for example, C is 0.1), allowing the calculation accuracy ∈ to be calculated12If is more than 0, putting k to be 1;
S333, with
Figure BDA0002107747030000104
as the initial point, solve the barrier function
Figure BDA0002107747030000105
for its optimal solution
Figure BDA0002107747030000106
by the Powell correction algorithm; the specific algorithm for solving the barrier function
Figure BDA0002107747030000107
for its optimal solution is as follows:
S3331, take the initial point
Figure BDA0002107747030000108
and the convergence precision ε, and take as the initial direction set the unit vectors of the m+1 coordinate axes
Figure BDA0002107747030000109
S3332, starting from
Figure BDA00021077470300001010
perform straight line searches along the directions
Figure BDA00021077470300001011
in turn to obtain the points
Figure BDA00021077470300001012
S3333, find the direction in which the function value is reduced the most
Figure BDA00021077470300001013
And calculating the decrease k of the function value in the direction;
S3334, starting from
Figure BDA00021077470300001014
perform a straight line search in the direction
Figure BDA00021077470300001015
to obtain
Figure BDA00021077470300001016
S3335, check whether the termination criterion is met:
Figure BDA00021077470300001017
if it holds, stop the calculation and obtain the optimal solution
Figure BDA00021077470300001018
otherwise, go to S3336;
S3336, if
Figure BDA00021077470300001019
holds, then use the new direction
Figure BDA00021077470300001020
to replace
Figure BDA00021077470300001021
i.e. for i = j, j+1, ..., m
Figure BDA00021077470300001022
and set
Figure BDA00021077470300001023
otherwise, keep the original m+1 search directions and go to step S3337;
S3337, set
Figure BDA0002107747030000111
and return to step S3332.
S334, check the iteration termination criterion; if
Figure BDA0002107747030000112
and
Figure BDA0002107747030000113
are both satisfied, the iterative calculation stops and
Figure BDA0002107747030000114
is the optimal solution; otherwise, go to the next step;
S335, set rk+1 = C·rk and k = k+1, and return to step S333;
S336, the solved optimal solution
Figure BDA0002107747030000115
and γ* give, for each feature fk in Fselected, the optimum offset value
Figure BDA0002107747030000116
Then the fk feature value of each interference message is set to
Figure BDA0002107747030000117
and the interference messages are sent at rate γ*.
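The iteration of steps S331 to S337, as an added Python example that is not part of the patent: the patent's objective, its constraints C1 to C3 and its exact termination and direction-replacement tests are in figures not reproduced on this page, so the example uses a constructed stand-in model (minimise Σδk + γ subject to a bandwidth bound on γ, a minimum offset-rate product δk·γ ≥ θk per feature, and positivity), an inverse barrier, the textbook form of Powell's replacement criterion, and the r1 = 10, C = 0.1 values the text gives; the bandwidth, θk, tolerances and starting point are assumed sample values.

```python
import math
import numpy as np

# Constructed stand-in model (assumption): z = (delta_1..delta_m, gamma) = feature offsets and sending rate.
M = 2                                   # number of selected features
B_MAX, B_CUR = 10.0, 8.0                # assumed max bandwidth and current load -> gamma <= 2.0 (C1)
THETA = np.array([1.0, 4.0])            # assumed minimum offset*rate product per feature (C2)

def objective(z):
    """S31: keep every offset delta_k and the sending rate gamma small -> minimise their sum."""
    return float(np.sum(z))

def constraints(z):
    """All g_i(z) > 0 inside the feasible region: bandwidth (C1), detectability (C2), positivity (C3)."""
    delta, gamma = z[:M], z[M]
    return np.concatenate(([B_MAX - B_CUR - gamma], delta * gamma - THETA, delta, [gamma]))

def is_feasible(z):
    return bool(np.all(constraints(np.asarray(z, dtype=float)) > 0))

def make_barrier(f, g, r):
    """S331: inverse barrier phi(z, r) = f(z) + r * sum(1/g_i(z)); +inf outside the feasible region."""
    def phi(z):
        gv = g(z)
        return math.inf if np.any(gv <= 0) else f(z) + r * float(np.sum(1.0 / gv))
    return phi

def line_search(phi, x, d, h0=0.05, tol=1e-9):
    """Minimise phi along x + t*d: find a downhill step, expand it to a bracket, then golden-section."""
    g = lambda t: phi(x + t * d)
    f0, h = g(0.0), h0
    for _ in range(60):                 # halve h until a step in either sense decreases phi
        if g(h) < f0:
            break
        if g(-h) < f0:
            h = -h
            break
        h *= 0.5
    else:
        return x.copy()                 # stationary along d (or d is zero)
    t1, f1, t2 = h, g(h), 2 * h
    f2 = g(t2)
    while f2 < f1:                      # expand until phi rises again or the line leaves the region
        t1, f1, t2 = t2, f2, 2 * t2
        f2 = g(t2)
    lo, hi = sorted((0.0, t2))
    gr = (math.sqrt(5) - 1) / 2
    c, e = hi - gr * (hi - lo), lo + gr * (hi - lo)
    fc, fe = g(c), g(e)
    while hi - lo > tol:
        if fc < fe:
            hi, e, fe = e, c, fc
            c = hi - gr * (hi - lo)
            fc = g(c)
        else:
            lo, c, fc = c, e, fe
            e = lo + gr * (hi - lo)
            fe = g(e)
    t = 0.5 * (lo + hi)
    return x + t * d if g(t) < f0 else x.copy()

def powell(phi, x0, eps=1e-7, max_iter=60):
    """Modified Powell direction-set method following S3331-S3337 (the stopping and replacement
    tests use the textbook forms; the patent's own formulas are figures not shown on the page)."""
    n = len(x0)
    dirs = [np.eye(n)[i] for i in range(n)]          # S3331: unit vectors of the n = m+1 axes
    x = np.asarray(x0, dtype=float)
    for _ in range(max_iter):
        pts = [x]
        for d in dirs:                               # S3332: successive line searches along each direction
            pts.append(line_search(phi, pts[-1], d))
        vals = [phi(p) for p in pts]
        decs = [vals[i] - vals[i + 1] for i in range(n)]
        j = int(np.argmax(decs))                     # S3333: direction with the largest decrease
        big, x_end = decs[j], pts[-1]
        d_new = x_end - x
        x_ls = line_search(phi, x_end, d_new)        # S3334: search along the new direction
        if np.linalg.norm(x_ls - x) < eps:           # S3335: no progress in a full cycle -> stop
            return x_ls
        f0, f1, f_refl = vals[0], vals[-1], phi(2 * x_end - x)
        if f_refl < f0 and (f0 - 2 * f1 + f_refl) * (f0 - f1 - big) ** 2 < 0.5 * big * (f0 - f_refl) ** 2:
            dirs = dirs[:j] + dirs[j + 1:] + [d_new / np.linalg.norm(d_new)]   # S3336: replace d_j
        x = x_ls                                     # S3337: restart the cycle from the new point
    return x

def barrier_solve(f, g, z0, r1=10.0, C=0.1, eps1=1e-4, eps2=1e-4, max_outer=10):
    """S332-S335: sequential barrier method; each round minimises phi(z, r_k) and then shrinks r."""
    z_prev, r = np.asarray(z0, dtype=float), r1
    assert np.all(g(z_prev) > 0), "initial point must lie strictly inside the feasible region (S332)"
    for _ in range(max_outer):
        z = powell(make_barrier(f, g, r), z_prev)
        if np.linalg.norm(z - z_prev) <= eps1 and abs(f(z) - f(z_prev)) <= eps2:   # S334
            return z
        z_prev, r = z, C * r                                                       # S335
    return z_prev

def solve_interference_parameters(z0=(2.0, 5.0, 1.5)):
    """S336: return (delta*, gamma*, objective value) for the stand-in model."""
    z = barrier_solve(objective, constraints, z0)
    return z[:M], float(z[M]), objective(z)

if __name__ == "__main__":
    delta_star, gamma_star, value = solve_interference_parameters()
    print("delta* =", np.round(delta_star, 3), "gamma* =", round(gamma_star, 3), "objective =", round(value, 3))
```

For the stand-in model the bandwidth constraint is active at the optimum: γ* approaches 2.0 (the spare bandwidth), the offsets settle at θk/γ* = (0.5, 2.0), and the objective tends to 4.5. Because the barrier keeps every iterate strictly inside the feasible region, the returned δ* and γ* are always usable parameters even if the outer loop is cut short.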
S4, send the interference traffic to the host to be detected and count the user traffic mean μ′k (1 ≤ k ≤ m) of the host to be detected on every feature in Fselected; compare each feature's user traffic mean with the corresponding normal-traffic mean and judge whether the absolute value of the difference is greater than or equal to the preset threshold:
|μ′k − μk| ≥ δk (1 ≤ k ≤ m) (12)
If all features satisfy this condition, the host to be detected is judged to be a zombie host; otherwise it is judged to be a normal host.
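The decision rule of step S4 and equation (12), as an added Python example that is not part of the patent: the normal means μk, the thresholds δk and the per-window measurements of three hosts are constructed sample values; host C is included to show that a shift on only some of the features is not flagged, since the rule requires every feature to shift by at least δk.

```python
import numpy as np

# Constructed sample data (not from the patent): normal-traffic means mu_k from step S1 for two
# features (e.g. packets/s and mean payload bytes) and the preset thresholds delta_k of equation (12).
MU_NORMAL = np.array([120.0, 480.0])
DELTA = np.array([15.0, 60.0])

# Per-window feature measurements of each host after the interference traffic was sent.
HOST_A = np.array([[118.0, 475.0], [123.0, 486.0], [119.0, 479.0], [121.0, 482.0]])   # stays near mu_k
HOST_B = np.array([[138.0, 560.0], [141.0, 548.0], [136.0, 555.0], [140.0, 551.0]])   # shifts on both
HOST_C = np.array([[139.0, 484.0], [137.0, 478.0], [142.0, 481.0], [138.0, 486.0]])   # shifts on one only

def is_zombie(samples, mu, delta):
    """Step S4: average the host's traffic per feature and flag it only if every feature
    satisfies |mu'_k - mu_k| >= delta_k.  Returns (verdict, mu', per-feature shift flags)."""
    mu_obs = samples.mean(axis=0)                    # mu'_k over the observation windows
    shifted = np.abs(mu_obs - mu) >= delta           # equation (12), one flag per feature
    return bool(np.all(shifted)), mu_obs, shifted

def classify_hosts(hosts, mu=MU_NORMAL, delta=DELTA):
    """Apply the S4 rule to a name -> samples mapping; True means 'zombie host'."""
    return {name: is_zombie(samples, mu, delta)[0] for name, samples in hosts.items()}

if __name__ == "__main__":
    for name, verdict in classify_hosts({"A": HOST_A, "B": HOST_B, "C": HOST_C}).items():
        print(name, "zombie" if verdict else "normal")
```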
It will be appreciated by those of ordinary skill in the art that the embodiments described herein are intended to assist the reader in understanding the principles of the invention and are to be construed as being without limitation to such specifically recited embodiments and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.

Claims (2)

1. A zombie host detection method in DDoS attack based on information interference is characterized by comprising the following steps:
S1, analyze and count the mean and variance of the normal traffic in the network on each candidate feature, and analyze to obtain the maximum allowable value of each candidate feature; represent each candidate feature by a triple of mean, variance and maximum allowable value; and combine all candidate features into a candidate feature set;
S2, select the candidate features meeting the requirements from the candidate feature set according to the maximum bandwidth of the network where the host to be detected is located, the current traffic of that network, and the allowable maximum false detection rate; the specific implementation method is as follows: denote the n candidate features obtained in step S1, where the triple of the ith feature is expressed as
Figure FDA0002356759660000011
where n is the number of candidate features, μi is the mean of the ith feature in the collected normal user traffic,
Figure FDA0002356759660000012
is the variance of the ith feature in the collected normal user traffic, and vmaxi is the maximum allowable value of the ith feature; the allowable maximum false detection rate is recorded as p, i.e. a normal host is judged to be a zombie host with probability at most p; the maximum bandwidth of the network where the host to be detected is located is Bmax, and the current traffic of that network is Bc;
Step S2 includes the following substeps:
S21, sort the n features
Figure FDA0002356759660000013
according to their variance
Figure FDA0002356759660000014
in ascending order to obtain the sorted candidate feature set Fasc = (f1, f2, ..., fn), and initialize the selected feature set
Figure FDA0002356759660000015
S22, add the first feature fj of Fasc that has not yet been added to Fselected into Fselected, and calculate by the following formula the false detection rate guarantee εj after selecting feature fj:
Figure FDA0002356759660000016
where 1 ≤ j ≤ n;
S23, let Fselected = (f1, ..., fm); from the false detection rate guarantee parameters of its features, calculate the false detection rate guarantee of the whole set:
Figure FDA0002356759660000017
1 ≤ m ≤ n, 1 ≤ k ≤ m;
if εnow ≤ p, output the selected feature set Fselected and go to step S3; otherwise return to step S22;
S3, for each feature selected in step S2, calculate the offset value required on top of its mean to obtain the set value used to construct the interference messages, and calculate the interference message sending rate; the specific implementation method is as follows: denote by δk the offset value to be added to the mean μk of feature fk in Fselected, and by γ the interference message sending rate; interference messages whose features are those of Fselected and whose feature values are FVsend = (μ1+δ1, ..., μm+δm) are constructed and sent to the host to be detected at rate γ;
step S3 includes the following substeps:
S31, establish the optimization model for the feature offset values and the interference message sending rate: to ensure the concealment of the interference messages and reduce the burden on the network as far as possible, δk and γ should be minimized, i.e.:
Figure FDA0002356759660000021
s32, determining the constraint conditions of the optimization model, including network bandwidth constraint, false detection rate constraint and basic physical meaning constraint;
s33, solving the optimization model according to the constraint conditions to obtain the optimal characteristic deviation values and the optimal attack message sending rate;
step S33 includes the following steps:
s331, defining a barrier function:
Figure FDA0002356759660000022
wherein
Figure FDA0002356759660000023
S332, select an initial point in the feasible region of the optimization model
Figure FDA0002356759660000024
an initial penalty factor r1 > 0, a decreasing coefficient C < 1, and allowable calculation accuracies ε1, ε2 > 0; set k = 1;
S333, with
Figure FDA0002356759660000025
as the initial point, solve the barrier function
Figure FDA0002356759660000026
for its optimal solution
Figure FDA0002356759660000027
by the Powell correction algorithm;
S334, check the iteration termination criterion; if
Figure FDA0002356759660000028
and
Figure FDA0002356759660000029
are both satisfied, the iterative calculation stops and
Figure FDA00023567596600000210
is the optimal solution; otherwise, go to the next step;
S335, set rk+1 = C·rk and k = k+1, and return to step S333;
S336, the solved optimal solution
Figure FDA0002356759660000031
and γ* give, for each feature fk in Fselected, the optimum offset value
Figure FDA0002356759660000032
Then the fk feature value of each interference message is set to
Figure FDA0002356759660000033
and the interference messages are sent at rate γ*;
S4, send the interference traffic to the host to be detected, count the user traffic mean of the host to be detected on each feature, compare the difference between each feature's user traffic mean and the corresponding overall user traffic mean, and judge whether the absolute value of the difference is greater than or equal to a preset threshold; if all features satisfy the condition, the host to be detected is judged to be a zombie host, otherwise it is judged to be a normal host.
2. The method as claimed in claim 1, wherein in step S333 the specific algorithm for solving the barrier function
Figure FDA0002356759660000034
for its optimal solution by the Powell correction algorithm is as follows:
S3331, take the initial point
Figure FDA0002356759660000035
and the convergence precision ε, and take as the initial direction set the unit vectors of the m+1 coordinate axes
Figure FDA0002356759660000036
S3332, starting from
Figure FDA0002356759660000037
perform straight line searches along the directions
Figure FDA0002356759660000038
in turn to obtain the points
Figure FDA0002356759660000039
S3333, find the direction in which the function value is reduced the most
Figure FDA00023567596600000310
And calculating the decrease k of the function value in the direction;
S3334, starting from
Figure FDA00023567596600000311
perform a straight line search in the direction
Figure FDA00023567596600000312
to obtain
Figure FDA00023567596600000313
S3335, check whether the termination criterion is met:
Figure FDA00023567596600000314
if it holds, stop the calculation and obtain the optimal solution
Figure FDA00023567596600000315
otherwise, go to S3336;
S3336, if
Figure FDA00023567596600000316
holds, then use the new direction
Figure FDA00023567596600000317
to replace
Figure FDA00023567596600000318
i.e. for i = j, j+1, ..., m
Figure FDA00023567596600000319
and set
Figure FDA00023567596600000320
otherwise, keep the original m+1 search directions and go to step S3337;
S3337, set
Figure FDA00023567596600000321
and return to step S3332.
CN201910559146.2A 2019-06-26 2019-06-26 Zombie host detection method in DDoS attack based on information interference Active CN110113367B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910559146.2A CN110113367B (en) 2019-06-26 2019-06-26 Zombie host detection method in DDoS attack based on information interference

Publications (2)

Publication Number Publication Date
CN110113367A CN110113367A (en) 2019-08-09
CN110113367B true CN110113367B (en) 2020-04-07

Family

ID=67495803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910559146.2A Active CN110113367B (en) 2019-06-26 2019-06-26 Zombie host detection method in DDoS attack based on information interference

Country Status (1)

Country Link
CN (1) CN110113367B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768917A (en) * 2017-08-23 2018-11-06 长安通信科技有限责任公司 A kind of Botnet detection method and system based on network log

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL235233A0 (en) * 2013-12-03 2015-01-29 Verisign Inc Client-side active validation for mitigating ddos attacks
CN105791220A (en) * 2014-12-22 2016-07-20 中国电信股份有限公司 Method and system for actively defending distributed denial of service attacks

Also Published As

Publication number Publication date
CN110113367A (en) 2019-08-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant