CN110113367B - Zombie host detection method in DDoS attack based on information interference - Google Patents
Publication number: CN110113367B (application CN201910559146.2A)
Authority: CN (China)
Prior art keywords: host, value, feature, detected, interference
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
- H04L63/1458—Denial of Service (under H04L63/1441—Countermeasures against malicious traffic, within H04L63/14)
- H04L2463/144—Detection or countermeasures against botnets (under H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
Abstract
The invention discloses a zombie host detection method in DDoS attack based on information interference, which comprises the following steps: S1, represent each candidate feature as a triple of mean, variance and maximum allowable value; S2, select the candidate features that meet the requirements; S3, construct the interference message and calculate its sending rate; S4, count the user traffic mean of the host to be detected on every selected feature, compare each such mean with the mean of all user traffic on that feature, and judge whether the absolute value of the difference is greater than or equal to a preset threshold; if every feature meets this condition the host to be detected is judged to be a zombie host, otherwise it is judged to be a normal host. The invention proposes the idea of interfering before detecting, which can effectively detect zombie hosts that have a certain learning capacity, makes up for the deficiency in detecting DDoS attack mechanisms with a certain learning capacity, and provides an approach for detecting more advanced and ingenious DDoS attacks.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a zombie host detection method in DDoS attack based on information interference.
Background
Distributed Denial of Service (DDoS) attack is a method in which an attacker controls a large number of zombie hosts to attack one or more targets simultaneously, so that the attacked targets cannot process and respond to normal user requests because their service resources or network bandwidth are consumed. With the continuous development of network technology, many convenient conditions are provided for the development of DDoS attacks, and the strength and frequency of DDoS attacks increase year by year. In 2018 the peak traffic rate of a DDoS attack reached 1.7Tbps, and data published by Imperva show that in a DDoS attack event in April 2019 the attack strength reached 580Mpps (packets per second); China is a country that suffers many DDoS attacks. Because of the continually increasing intensity of DDoS attacks, and with the development in recent years of various novel network technologies and artificial intelligence, DDoS attack mechanisms have become more complex and refined and their concealment keeps improving, which poses a huge challenge to DDoS attack detection and mitigation.
Existing detection mechanisms mostly use the inherent characteristics of existing DDoS attack mechanisms to perform detection: for example, the differences between attack traffic and normal traffic on some message-level or flow-level features are analyzed and detection is performed with a set threshold, and some research detects DDoS attacks by analyzing the correlation between flows. However, as DDoS attack technology develops, an attacker can effectively evade such schemes by optimizing the attack mechanism and constructing attack packets more elaborately. In addition, the flooding traffic of a DDoS attack consumes many resources along the path from the source to the destination, such as processing time and bandwidth. DDoS attack detection therefore aims to detect the attack as early as possible, which matters for mitigating the attack, saving resources and keeping the network stable, so a detection mechanism should be deployed as close to the attack source as possible to achieve early discovery and early warning. Because of the characteristics of the DDoS attack mechanism (a large number of zombie hosts are controlled to send attack messages to the target simultaneously, so DDoS attack traffic continuously converges from the sources towards the destination and all of the converged attack traffic is received at the destination host), attack detection at the destination is easier than detection at the attack sources, and therefore most existing detection schemes are deployed at the attack destination.
Generally, when a DDoS attack is detected in the network, the best practice is to disconnect from the zombie hosts or to directly discard messages from the zombie hosts without any processing. Identifying the zombie hosts in the network is therefore important for mitigating DDoS attacks, yet most existing detection schemes can only detect whether an attack is occurring in the network and cannot effectively identify the zombie hosts.
Therefore, in view of the DDoS attack development trend, designing a DDoS attack detection method that can be deployed at the attack source end and can effectively identify the zombie hosts in the network is of great significance for improving network security.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a detection scheme that can be deployed at the DDoS attack source end, achieves early discovery and early warning, and detects an attack occurring in the network early and in time; it provides a zombie host detection method in DDoS attack based on information interference, which gains the initiative for defending against and mitigating the attack.
The purpose of the invention is realized by the following technical scheme: a zombie host detection method in DDoS attack based on information interference comprises the following steps:
s1, analyzing and counting the mean value and variance of the normal flow in the network on each candidate feature, and analyzing to obtain the maximum allowable value of each candidate feature; for each feature to be selected, a triple representation of a mean value, a variance and a maximum allowable value is adopted; and each feature to be selected is combined into a feature set to be selected;
s2, selecting the candidate features meeting the requirements from the candidate feature set according to the maximum bandwidth of the network where the host to be detected is located, the current flow of the network where the host to be detected is located and the allowable maximum false detection rate;
s3, calculating the deviation value required by each selected feature to be selected in the step S2 on the basis of the mean value of the selected feature, obtaining the set value of each selected feature to construct an interference message, and calculating the sending rate of the interference message;
s4, sending interference flow to the host to be detected, counting user flow mean values of the host to be detected on all characteristics, comparing the difference value between the user flow mean value of each characteristic and all user flow mean values, judging whether the absolute value of the difference value is larger than or equal to a preset threshold value, if all the characteristics meet the conditions, judging that the host to be detected is a zombie host, otherwise, judging that the host to be detected is a normal host.
Further, the specific implementation of step S2 is as follows. Record the n candidate features obtained in step S1, the ith feature being expressed as the triple (mean, variance, maximum allowable value), where n is the number of features to be selected, $\mu_i$ and the variance are the mean and variance of the ith feature in the collected normal user traffic, and $v_{\max i}$ is the maximum allowable value of the ith feature. Record the allowable maximum false detection rate as p, i.e. the maximum probability that a normal host is judged to be a zombie host is p. The maximum bandwidth of the network where the host to be detected is located is $B_{\max}$, and the current traffic rate of that network is $B_c$.
Step S2 includes the following substeps:
S21, sort the n features in ascending order of their variance to obtain the sorted candidate feature set $F_{asc} = (f_1, f_2, \dots, f_n)$, and initialize the selected feature set $F_{selected}$;
S22, take the first feature $f_j$ of $F_{asc}$ that has not yet been added to $F_{selected}$, add it to $F_{selected}$, and calculate by the following formula the false detection rate guarantee $\varepsilon_j$ after selecting feature $f_j$:
where $1 \le j \le n$;
S23, let $F_{selected} = (f_1, \dots, f_m)$; the false detection rate guarantee parameters of these features give the false detection rate guarantee of the whole calculation, $\varepsilon_{now}$:
$1 \le m \le n$, $1 \le k \le m$;
if $\varepsilon_{now} \le p$, output the selected feature set $F_{selected}$ and perform step S3; otherwise return to step S22.
Further, the specific implementation of step S3 is as follows. Denote by $\Delta_k$ the offset to be added to feature $f_k$ of $F_{selected}$ on top of its mean $\mu_k$, and by $\gamma$ the sending rate of the interference messages; interference messages whose features are $F_{selected}$ and whose feature values are $FV_{send} = (\mu_1 + \Delta_1, \dots, \mu_m + \Delta_m)$ are constructed and sent at rate $\gamma$ to the host to be detected;
step S3 includes the following substeps:
S31, establish the optimization model for the feature offset values and the interference message sending rate: to keep the interference messages inconspicuous and to reduce the burden on the network as far as possible, $\Delta_k$ and $\gamma$ should be minimized, i.e.:
s32, determining the constraint conditions of the optimization model, including network bandwidth constraint, false detection rate constraint and basic physical meaning constraint;
S33, solve the optimization model subject to the constraints to obtain the optimal feature offset values and the optimal interference message sending rate.
Further, the step S33 includes the following steps:
S331, define a barrier function:
S332, select an initial point in the feasible region of the optimization model, an initial penalty factor $r_1 > 0$, a decreasing coefficient $C < 1$ and allowed calculation precisions $\varepsilon_1, \varepsilon_2 > 0$, and set $k = 1$;
S333, starting from the current point, solve for the optimal solution of the barrier function with the Powell correction algorithm;
S334, check the iteration termination criterion; if it is satisfied, stop the iterative calculation and take the current solution as the optimal solution, otherwise proceed to the next step;
S335, set $r_{k+1} = C r_k$ and $k = k + 1$, and return to step S333;
S336, the solved optimal solution gives $\gamma^*$ and the optimal offset value of each feature $f_k$ of $F_{selected}$; the $f_k$ feature of each interference message is then set to its optimal value and the messages are sent at rate $\gamma^*$.
Further, in step S333 the specific algorithm for solving the optimal solution of the barrier function with the Powell correction algorithm is as follows:
S3331, take an initial point and a convergence precision $\varepsilon$, and set the initial direction group to the unit vectors of the $m+1$ coordinate axes;
S3333, find the direction in which the function value decreases the most and calculate the decrease of the function value in that direction;
S3335, check whether the termination criterion is met; if it is, stop the calculation and take the current point as the optimal solution, otherwise go to S3336;
S3336, if the replacement condition is satisfied, replace the old direction with the new direction, i.e. for $i = j, j+1, \dots, m$ shift each direction to the previous position and place the new direction last; otherwise keep the original $m+1$ search directions, and go to step S3337;
The method identifies zombie hosts in a DDoS attack through the idea of interfering first and then detecting. It first analyzes the mean and variance of normal user traffic in the network on each candidate feature, selects according to them a feature set that can effectively control the false detection rate, and adds an offset on top of the mean of each selected feature to construct the interference message. Because of the characteristics of the zombie host attack mechanism, the distribution mean of the traffic a zombie host sends on these features changes after it is influenced by the interference traffic, whereas the behaviour of normal users in the network is not influenced by it; the distribution means of zombie host traffic and normal host traffic on these features can therefore be distinguished, and finally a zombie host is identified by checking whether the offset of the traffic of the host to be detected on these features exceeds a set threshold. The method selects features dynamically according to the network state, solves for the value of each feature of the interference message and the message sending rate through an optimization model, and can effectively identify zombie hosts in a DDoS attack. The beneficial effects of the invention are:
(1) the invention proposes the idea of interfering before detecting, which can effectively detect zombie hosts with a certain learning capacity, makes up for the deficiency in detecting DDoS attack mechanisms with a certain learning capacity, and provides an approach for detecting more advanced and ingenious DDoS attacks;
(2) the invention provides a detection scheme that can be deployed at the DDoS attack source end, achieves early discovery and early warning, detects an occurring attack early and in time, and gains the initiative for defending against and mitigating the attack;
(3) the invention can identify the zombie hosts in the network while detecting whether a DDoS attack is occurring, which is of great significance for mitigating the attack.
Drawings
FIG. 1 is a diagram of a network scenario provided by an embodiment of the present invention;
fig. 2 is a flowchart of a zombie host detection method in a DDoS attack based on information interference.
Detailed Description
With the development of network technology, DDoS attack mechanisms have also become more advanced and ingenious. If an attacker can collect user traffic in the network before launching the attack, each zombie host can extract the features of every collected user message to form normal message patterns, build a simulation dictionary from them, and, when constructing an attack message, pick a normal message pattern uniformly at random from the simulation dictionary. When the attack is launched, all zombie hosts simultaneously send attack messages to the target at a variable rate, achieving the denial of service. Aiming at this variable-rate DDoS attack with a certain learning capacity, the invention provides a DDoS attack detection method that can be deployed at the source end and can effectively identify the zombie hosts in the network through interference followed by detection. The technical scheme of the invention is further explained with reference to the drawings.
As shown in fig. 1, suppose there are several zombie hosts in the network. Before launching the attack each zombie host collects the user traffic in the network, extracts the features of each collected user message to form normal message patterns and a simulation dictionary, and when constructing an attack message picks a normal message pattern uniformly at random from the simulation dictionary. When the attack is launched, all zombie hosts simultaneously send attack messages to the target at a variable rate, achieving the denial of service. To detect zombie hosts with this attack characteristic:
as shown in fig. 2, a zombie host detection method in DDoS attack based on information interference includes the following steps:
S1, analyze and count the mean and variance of the normal traffic in the network on each candidate feature, and analyze to obtain the maximum allowable value of each candidate feature; represent each candidate feature as a triple of mean, variance and maximum allowable value; and combine all candidate features into the candidate feature set. The detecting host may obtain some normal user traffic in the current network state with a network sniffing tool and then statistically analyze the values of that traffic on various features, which may be message-level features such as the values of header fields: the header length, total length, identification, fragment offset and time to live (TTL) fields of the IP datagram header. The mean and variance of each feature are obtained by statistics, and the maximum allowable value of each feature can be determined from the protocol specification or the actual network conditions; for example, because of the limits of the IP protocol, the maximum value of the TTL field in an IP datagram is 255.
S2, select the candidate features meeting the requirements from the candidate feature set according to the maximum bandwidth of the network where the host to be detected is located, the current traffic of that network and the allowable maximum false detection rate. The specific implementation is as follows. Record the n candidate features obtained in step S1, the ith feature being expressed as the triple (mean, variance, maximum allowable value), where n is the number of features to be selected, $\mu_i$ and the variance are the mean and variance of the ith feature in the collected normal user traffic, and $v_{\max i}$ is the maximum allowable value of the ith feature. To prevent the probability that a normal host is determined to be a zombie host during detection from being too high, an allowable maximum false detection rate is set and denoted p: the maximum probability that a normal host is determined to be a zombie host during detection is p. The maximum bandwidth of the network where the host to be detected is located is $B_{\max}$, and the current traffic rate of that network is $B_c$.
If each feature is regarded as a random variable $X_i$ ($1 \le i \le n$), then by Chebyshev's inequality the probability that the value of a message on feature $X_i$ differs from its mean $\mu_i$ by more than $\delta_i$ is less than the following bound, namely:
Therefore, when transmitting the interference traffic, if a feature $f_i$ ($1 \le i \le n$) is selected and its value is set to the allowable maximum $v_{\max i}$ while sending at the maximum allowable rate $B_{\max} - B_c$ (where $B_{\max}$ is the maximum bandwidth of the network in which the host to be detected is located and $B_c$ is the current traffic rate in that network), a zombie host influenced by the interference traffic will transmit traffic whose value on feature $f_i$ is:
i.e. a deviation from the feature mean $\mu_i$ of the amount given above, while the probability that the traffic transmitted by a normal host in the network reaches this offset on this feature is lower than the bound given by the inequality above.
Through the above analysis, the specific algorithm of the step S2 includes the following sub-steps:
S21, sort the n features in ascending order of their variance to obtain the sorted candidate feature set $F_{asc} = (f_1, f_2, \dots, f_n)$, and initialize the selected feature set $F_{selected}$;
S22, take the first feature $f_j$ of $F_{asc}$ that has not yet been added to $F_{selected}$, add it to $F_{selected}$, and calculate by the following formula the false detection rate guarantee $\varepsilon_j$ after selecting feature $f_j$:
where $1 \le j \le n$;
S23, let $F_{selected} = (f_1, \dots, f_m)$; the false detection rate guarantee parameters of these features give the false detection rate guarantee of the whole calculation, $\varepsilon_{now}$:
$1 \le m \le n$, $1 \le k \le m$;
if $\varepsilon_{now} \le p$, output the selected feature set $F_{selected}$ and perform step S3; otherwise return to step S22.
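As an added worked example (not part of the patent text, and not the applicant's code), the following Python implements steps S21 to S23 on constructed IPv4-header feature statistics. The page does not reproduce its formulas for $\varepsilon_j$ and $\varepsilon_{now}$, so the example makes two labelled assumptions: $\varepsilon_j$ is the Chebyshev bound $\mathrm{var}_j/\mathrm{shift}_j^2$, where $\mathrm{shift}_j$ is the mean displacement a zombie host would show if feature j were driven to $v_{\max j}$ at rate $B_{\max} - B_c$ and the host sampled its simulation dictionary uniformly from everything it observed (so $\mathrm{shift}_j = (v_{\max j} - \mu_j)(B_{\max} - B_c)/B_{\max}$); and $\varepsilon_{now}$ is the product of the per-feature guarantees, i.e. the features are treated as independent. The feature statistics, bandwidths and p are constructed sample values, not measurements.

```python
"""Feature selection of steps S21 to S23 on constructed IP-header statistics.

Added example, not the patent's own code. Assumptions (the page does not reproduce
the formulas): eps_j = var_j / shift_j**2 (Chebyshev bound), shift_j = expected mean
shift of a zombie host when feature j is driven to v_max_j at rate B_max - B_c,
and eps_now = product of the selected eps_j (features treated as independent).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    """The S1 triple (mean, variance, maximum allowable value) for one candidate feature."""
    name: str
    mean: float   # mu_i, from normal user traffic
    var: float    # variance of the feature in normal user traffic
    vmax: float   # v_max_i, e.g. 255 for the IP TTL field


def chebyshev_bound(var, delta):
    """P(|X - mu| >= delta) <= var / delta^2, capped at 1 because it is a probability."""
    if delta <= 0:
        return 1.0
    return min(1.0, var / (delta * delta))


def expected_shift(feature, b_max, b_c, gamma=None):
    """Assumed zombie mean shift: the feature is set to v_max in interference traffic sent
    at rate gamma (default: all spare capacity B_max - B_c); a zombie that samples its
    simulation dictionary uniformly from observed traffic moves by
    (v_max - mu) * gamma / (B_c + gamma)."""
    if gamma is None:
        gamma = b_max - b_c
    if gamma <= 0:
        return 0.0
    return (feature.vmax - feature.mean) * gamma / (b_c + gamma)


def select_features(candidates, b_max, b_c, p):
    """S21: sort by variance ascending; S22: add the next feature and compute eps_j;
    S23: stop as soon as the combined guarantee eps_now <= p.
    Returns (selected list, eps_now); selected is None if p cannot be met."""
    if b_max <= b_c:
        raise ValueError("no spare bandwidth for interference traffic (B_max <= B_c)")
    f_asc = sorted(candidates, key=lambda f: f.var)      # S21
    selected, eps_now = [], 1.0
    for f in f_asc:                                      # S22
        eps_j = chebyshev_bound(f.var, expected_shift(f, b_max, b_c))
        selected.append(f)
        eps_now *= eps_j                                 # S23, independence assumption
        if eps_now <= p:
            return selected, eps_now
    return None, eps_now


def sample_candidates():
    """Constructed statistics for four IPv4 header fields (not measured data)."""
    return [
        Feature("header_length", mean=20.0, var=0.5, vmax=60.0),
        Feature("ttl", mean=60.0, var=400.0, vmax=255.0),
        Feature("total_length", mean=600.0, var=250_000.0, vmax=65_535.0),
        Feature("identification", mean=32_768.0, var=3.5e8, vmax=65_535.0),
    ]


if __name__ == "__main__":
    chosen, eps = select_features(sample_candidates(), b_max=1000.0, b_c=600.0, p=1e-4)
    print([f.name for f in chosen], eps)
```

Because a host is flagged only when every selected feature deviates, adding a feature can only lower the combined guarantee, and sorting by variance first adds the features whose Chebyshev bound is tightest. A candidate whose variance is so large that its bound is capped at 1 (the identification field in the sample) contributes nothing, and the loop reports failure when p cannot be reached with the candidates at hand.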
S3, after selecting the available feature set, the interference message can be constructed through the features: calculating the deviation value required by each selected feature to be selected in the step S2 on the basis of the mean value of the selected feature, obtaining the set value of each selected feature to construct an interference message, and calculating the sending rate of the interference message;
The specific implementation is as follows. Denote by $\Delta_k$ the offset to be added to feature $f_k$ of $F_{selected}$ on top of its mean $\mu_k$, chosen so as to depart from the distribution of normal user traffic on that feature, and by $\gamma$ the sending rate of the interference messages; interference messages whose features are $F_{selected}$ and whose feature values are $FV_{send} = (\mu_1 + \Delta_1, \dots, \mu_m + \Delta_m)$ are constructed and sent at rate $\gamma$ to the host to be detected.
To determine the feature offset values $\Delta_k$ ($1 \le k \le m$) and the interference message sending rate $\gamma$ according to the current state of the network, their optimal values are solved through an optimization model, which specifically comprises the following substeps:
S31, establish the optimization model for the feature offset values and the interference message sending rate: to keep the interference messages inconspicuous and to reduce the burden on the network as far as possible, $\Delta_k$ and $\gamma$ should be minimized, i.e.:
where $0 \le \alpha \le 1$. Two different quantities, the feature offset values and the interference message sending rate, need to be minimized at the same time, and different optimization weights can be assigned to them through the parameter $\alpha$: the larger $\alpha$ is, the more important the concealment of the interference messages and the less important the reduction of network load. The specific value of $\alpha$ can be chosen by the user according to the actual situation.
S32, determine the constraints of the optimization model. Owing to the actual network conditions and the specific meaning of each feature, $\Delta_k$ ($1 \le k \le m$) and $\gamma$ are subject to the following constraints:
C1 network bandwidth constraint: the interference traffic burdens the network, so the sending rate of the interference messages is limited by the maximum bandwidth of the network, that is:
$\gamma + B_c \le B_{\max}$ (6);
C2 false detection rate constraint: if the host to be detected is a zombie host, then after it receives the interference traffic the statistical mean of the traffic it sends changes on each feature, because of the characteristics of its attack mechanism, and deviates from the original mean. To bound the probability that normal traffic is determined to be attack traffic influenced by the interference, the deviation of the statistical mean of the influenced attack traffic on each selected feature must exceed a certain threshold.
Suppose the detecting host sends at rate $\gamma$ interference messages whose features are $F_{selected}$ and whose feature values are $FV_{send} = (\mu_1 + \Delta_1, \dots, \mu_m + \Delta_m)$; a zombie host influenced by this interference traffic then sends traffic whose values on these features are:
Therefore, to ensure that the false detection rate when identifying zombie hosts is not higher than p, i.e. that the probability of a normal host being determined to be a zombie host is not higher than p, the offset value $\Delta_k$ ($1 \le k \le m$) of each feature and the sending rate $\gamma$ of the interference messages should satisfy the following constraint:
where $\delta_i$ ($1 \le i \le m$) can be set manually, but in order to keep the false detection rate no higher than p it must satisfy the requirement of Chebyshev's inequality;
C3 basic physical meaning constraints: constraints derived from the actual meaning of each feature and from the physical meaning of the interference message sending rate. Since each feature and the sending rate $\gamma$ of the interference messages have their specific physical meanings, they should satisfy:
From the above, taking the actual network environment into account, the problem of choosing each feature offset value $\Delta_k$ ($1 \le k \le m$) and the interference message sending rate $\gamma$ is described as the following optimization model:
During solving, at each iteration the constrained extremum problem is converted into an unconstrained one by the barrier function method, and the minimum of the current iteration is then found with the improved Powell algorithm; if this minimum meets the termination requirement, the iteration stops and the optimal solution is obtained, otherwise the iterative process is repeated until the optimal solution is obtained.
S33, solve the optimization model subject to the constraints to obtain the optimal feature offset values and the optimal interference message sending rate; the method comprises the following steps:
S331, define a barrier function:
S332, select an initial point in the feasible region of the optimization model, an initial penalty factor $r_1 > 0$ (e.g. $r_1 = 10$), a decreasing coefficient $C < 1$ (e.g. $C = 0.1$) and allowed calculation precisions $\varepsilon_1, \varepsilon_2 > 0$, and set $k = 1$;
S333, starting from the current point, solve for the optimal solution of the barrier function with the Powell correction algorithm;
the specific algorithm for solving the optimal solution of the barrier function with the Powell correction algorithm is as follows:
S3331, take an initial point and a convergence precision $\varepsilon$, and set the initial direction group to the unit vectors of the $m+1$ coordinate axes;
S3333, find the direction in which the function value decreases the most and calculate the decrease of the function value in that direction;
S3335, check whether the termination criterion is met; if it is, stop the calculation and take the current point as the optimal solution, otherwise go to S3336;
S3336, if the replacement condition is satisfied, replace the old direction with the new direction, i.e. for $i = j, j+1, \dots, m$ shift each direction to the previous position and place the new direction last; otherwise keep the original $m+1$ search directions, and go to step S3337;
S334, check the iteration termination criterion; if it is satisfied, stop the iterative calculation and take the current solution as the optimal solution, otherwise proceed to the next step;
S335, set $r_{k+1} = C r_k$ and $k = k + 1$, and return to step S333;
S336, the solved optimal solution gives $\gamma^*$ and the optimal offset value of each feature $f_k$ of $F_{selected}$; the $f_k$ feature of each interference message is then set to its optimal value and the messages are sent at rate $\gamma^*$.
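As an added example (not the patent text and not the applicant's code), the following Python solves the S31 to S335 model for a constructed two-feature case with a logarithmic barrier function and the $r_{k+1} = C r_k$ schedule of S335, using $r_1 = 10$ and $C = 0.1$ as the page suggests. The page does not reproduce the objective or the constraint formulas, so the following are assumptions: the objective is $J = \alpha \sum_k \Delta_k/(v_{\max k} - \mu_k) + (1-\alpha)\,\gamma/(B_{\max} - B_c)$, with both terms normalised to [0, 1] so that $\alpha$ weighs concealment against network load as S31 describes; C2 is written as $\Delta_k \gamma/(B_c + \gamma) \ge \delta_k$, the mean shift of a zombie host that samples its simulation dictionary uniformly from the traffic it observes; C3 is $0 \le \Delta_k \le v_{\max k} - \mu_k$ and $\gamma > 0$; and, since J grows with every $\Delta_k$, C2 binds at the optimum, which leaves $\gamma$ as the only free variable, so the Powell step of S333 is replaced by a one-dimensional golden-section search. The S334 termination test is taken to be that the barrier term has fallen below $\varepsilon_1$. All feature values, thresholds and bandwidths are constructed.

```python
"""Barrier-method solution of the S3 optimization model (S31 to S335), reduced to one variable.

Added example, not the patent's own code. Assumed forms (the page does not reproduce them):
  objective  J = alpha * sum_k Delta_k/(vmax_k - mu_k) + (1 - alpha) * gamma/(B_max - B_c)
  C1         gamma + B_c <= B_max                       (equation (6) on the page)
  C2         Delta_k * gamma / (B_c + gamma) >= delta_k (assumed zombie mean shift)
  C3         mu_k + Delta_k <= vmax_k, gamma > 0
Since J grows with each Delta_k, C2 binds: Delta_k = delta_k (B_c + gamma) / gamma, and
only gamma is free, so the Powell step (S333) becomes a golden-section search.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    name: str
    mean: float    # mu_k
    vmax: float    # v_max_k
    delta: float   # detection threshold delta_k used in C2 and in rule (12)


@dataclass(frozen=True)
class Model:
    features: tuple
    b_max: float
    b_c: float


def offsets_for(model, gamma):
    """Delta_k with C2 binding."""
    return [f.delta * (model.b_c + gamma) / gamma for f in model.features]


def objective(model, gamma, alpha):
    """Assumed weighted objective J(gamma); both terms are normalised to [0, 1]."""
    d = offsets_for(model, gamma)
    return (alpha * sum(dk / (f.vmax - f.mean) for dk, f in zip(d, model.features))
            + (1 - alpha) * gamma / (model.b_max - model.b_c))


def constraint_slacks(model, gamma):
    """g_i > 0 inside the feasible region: C1, gamma > 0 and C3 for every feature."""
    d = offsets_for(model, gamma)
    return ([model.b_max - model.b_c - gamma, gamma]
            + [f.vmax - f.mean - dk for dk, f in zip(d, model.features)])


def barrier(model, gamma, alpha, r):
    """S331: logarithmic barrier phi(gamma, r) = J - r * sum ln g_i; +inf outside the region."""
    slacks = constraint_slacks(model, gamma)
    if min(slacks) <= 0:
        return math.inf
    return objective(model, gamma, alpha) - r * sum(math.log(g) for g in slacks)


def feasible_interval(model):
    """C3 with Delta_k(gamma) gives gamma >= delta_k B_c / (vmax_k - mu_k - delta_k);
    C1 gives gamma <= B_max - B_c."""
    lo = 0.0
    for f in model.features:
        room = f.vmax - f.mean - f.delta
        if room <= 0:
            raise ValueError(f"{f.name}: delta_k leaves no room below v_max")
        lo = max(lo, f.delta * model.b_c / room)
    hi = model.b_max - model.b_c
    if lo >= hi:
        raise ValueError("empty feasible region: raise B_max, lower delta_k or drop a feature")
    return lo, hi


def golden_section(fn, lo, hi, tol=1e-7):
    """Minimise a unimodal fn on (lo, hi); the one-dimensional stand-in for S333."""
    ratio = (math.sqrt(5) - 1) / 2
    a, b = lo, hi
    x1, x2 = b - ratio * (b - a), a + ratio * (b - a)
    f1, f2 = fn(x1), fn(x2)
    while b - a > tol:
        if f1 < f2:
            b, x2, f2 = x2, x1, f1
            x1 = b - ratio * (b - a)
            f1 = fn(x1)
        else:
            a, x1, f1 = x1, x2, f2
            x2 = a + ratio * (b - a)
            f2 = fn(x2)
    return (a + b) / 2


def solve(model, alpha, r1=10.0, c=0.1, eps1=1e-5, max_outer=30):
    """S332 to S335: shrink r by C until the barrier term is below eps1 (assumed S334 test)."""
    lo, hi = feasible_interval(model)
    r, gamma = r1, None
    for _ in range(max_outer):
        gamma = golden_section(lambda g: barrier(model, g, alpha, r), lo, hi)  # S333
        if abs(barrier(model, gamma, alpha, r) - objective(model, gamma, alpha)) <= eps1:  # S334
            break
        r *= c                                                                 # S335
    return {"gamma": gamma, "deltas": offsets_for(model, gamma),
            "objective": objective(model, gamma, alpha), "r": r}


def sample_model():
    """Constructed two-feature instance: IHL and TTL of IPv4; bandwidth units are arbitrary."""
    return Model(features=(Feature("header_length", 20.0, 60.0, 8.0),
                           Feature("ttl", 60.0, 255.0, 40.0)),
                 b_max=1000.0, b_c=600.0)


if __name__ == "__main__":
    print(solve(sample_model(), alpha=0.5))
```

Under the same assumptions, setting $dJ/d\gamma = 0$ gives the closed form $\gamma^* = \sqrt{\alpha B_c (B_{\max} - B_c)\, s/(1-\alpha)}$ with $s = \sum_k \delta_k/(v_{\max k} - \mu_k)$, which serves as a check on the barrier iteration; with the sample values it is about 311.8 in the units of $B_{\max}$ and $B_c$, inside the feasible interval that C1 and C3 leave for $\gamma$.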
S4, send the interference traffic to the host to be detected, count the mean values $\mu'_k$ ($1 \le k \le m$) of the user traffic of the host to be detected on all the features in $F_{selected}$, compare the difference between the user traffic mean of each feature and the corresponding mean of all user traffic, and judge whether the absolute value of the difference is greater than or equal to the preset threshold:
$|\mu'_k - \mu_k| \ge \delta_k \quad (1 \le k \le m)$ (12)
and if all the characteristics meet the conditions, judging the host to be detected to be a zombie host, and otherwise, judging the host to be detected to be a normal host.
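As an added example (not the patent text and not the applicant's code), the following Python simulates the attack model the description gives, a zombie host that builds a simulation dictionary from the traffic it observes and picks entries uniformly at random, together with a normal host; it injects interference messages with feature values $\mu_k + \Delta_k$ at rate $\gamma$ and then applies rule (12) of step S4. Feature values, thresholds $\delta_k$, offsets $\Delta_k$ and the rates $B_c$ and $\gamma$ are constructed sample values; $B_c$ and $\gamma$ enter only through the proportion $\gamma/(B_c+\gamma)$ of interference among the packets the zombie observes, which is the assumption behind an expected mean shift of $\Delta_k\gamma/(B_c+\gamma)$. The run also evaluates the same zombie without interference, to show why the interference step is needed.

```python
"""Step S4 on constructed traffic: interfere, measure per-host feature means, apply rule (12).

Added example, not the patent's own code. The zombie model (simulation dictionary built
from observed traffic, uniform random picks) follows the description; all numbers are
constructed sample values.
"""
import random

FEATURES = ("header_length", "ttl")              # two IP-header features from S1
DELTA = {"header_length": 8.0, "ttl": 40.0}      # detection thresholds delta_k of rule (12)
OFFSET = {"header_length": 30.0, "ttl": 150.0}   # interference offsets Delta_k, assumed S3 output


def normal_packet(rng):
    """Constructed model of normal user traffic: IHL mostly 20 (no options), TTL mostly 64."""
    return {"header_length": rng.choice([20.0] * 9 + [24.0]),
            "ttl": rng.choice([64.0] * 7 + [128.0, 32.0, 48.0])}


def feature_means(packets):
    """Mean of each feature over a list of packets (mu_k in S1, mu'_k in S4)."""
    return {k: sum(p[k] for p in packets) / len(packets) for k in FEATURES}


def interference_packet(mu):
    """FV_send = (mu_1 + Delta_1, ..., mu_m + Delta_m) from step S3."""
    return {k: mu[k] + OFFSET[k] for k in FEATURES}


def zombie_dictionary(rng, mu, b_c, gamma, n=3000):
    """What a zombie host observes: background traffic at rate b_c mixed with
    interference at rate gamma, so a fraction gamma / (b_c + gamma) is interference."""
    p_interference = gamma / (b_c + gamma) if gamma > 0 else 0.0
    return [interference_packet(mu) if rng.random() < p_interference else normal_packet(rng)
            for _ in range(n)]


def zombie_traffic(rng, dictionary, n=2000):
    """Attack messages: a normal message pattern picked uniformly at random from the dictionary."""
    return [rng.choice(dictionary) for _ in range(n)]


def is_zombie(mu_prime, mu):
    """Rule (12): flag the host only if |mu'_k - mu_k| >= delta_k holds for every feature."""
    return all(abs(mu_prime[k] - mu[k]) >= DELTA[k] for k in FEATURES)


def run(seed=7, b_c=600.0, gamma=400.0):
    """S4 verdicts for a normal host, a zombie without interference and a zombie with it."""
    rng = random.Random(seed)
    mu = feature_means([normal_packet(rng) for _ in range(2000)])            # S1 baseline
    normal_host = feature_means([normal_packet(rng) for _ in range(2000)])   # unaffected by interference
    quiet_zombie = feature_means(zombie_traffic(rng, zombie_dictionary(rng, mu, b_c, 0.0)))
    probed_zombie = feature_means(zombie_traffic(rng, zombie_dictionary(rng, mu, b_c, gamma)))
    return {"normal_host": is_zombie(normal_host, mu),
            "zombie_without_interference": is_zombie(quiet_zombie, mu),
            "zombie_with_interference": is_zombie(probed_zombie, mu),
            "baseline": mu, "probed_zombie_means": probed_zombie}


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

The zombie that learned its dictionary from normal traffic alone passes rule (12) because its feature means coincide with the baseline; only after the interference does its dictionary contain the offset pattern in proportion $\gamma/(B_c+\gamma)$, which moves each mean by about $0.4\,\Delta_k$ in this run, beyond $\delta_k$ on every selected feature, while the normal host's behaviour is untouched by the interference and stays within the thresholds.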
It will be appreciated by those of ordinary skill in the art that the embodiments described herein are intended to assist the reader in understanding the principles of the invention and are to be construed as being without limitation to such specifically recited embodiments and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.
Claims (2)
1. A zombie host detection method in DDoS attack based on information interference is characterized by comprising the following steps:
s1, analyzing and counting the mean value and variance of the normal flow in the network on each candidate feature, and analyzing to obtain the maximum allowable value of each candidate feature; for each feature to be selected, a triple representation of a mean value, a variance and a maximum allowable value is adopted; and each feature to be selected is combined into a feature set to be selected;
S2, select the candidate features meeting the requirements from the candidate feature set according to the maximum bandwidth of the network where the host to be detected is located, the current traffic of that network and the allowable maximum false detection rate. The specific implementation is as follows. Record the n candidate features obtained in step S1, the ith feature being expressed as the triple (mean, variance, maximum allowable value), where n is the number of features to be selected, $\mu_i$ and the variance are the mean and variance of the ith feature in the collected normal user traffic, and $v_{\max i}$ is the maximum allowable value of the ith feature. Record the allowable maximum false detection rate as p, namely the maximum probability of judging a normal host to be a zombie host is p. The maximum bandwidth of the network where the host to be detected is located is $B_{\max}$, and the current traffic rate of that network is $B_c$.
Step S2 includes the following substeps:
S21, sorting the n candidate features in ascending order of their variance to obtain the sorted candidate feature set $F_{asc} = (f_1, f_2, \ldots, f_n)$, and initializing the selected feature set $F_{selected}$ as empty;
S22, adding to $F_{selected}$ the first feature $f_j$ of $F_{asc}$ that has not yet been added to $F_{selected}$, and calculating by the following formula the false detection rate guarantee $\varepsilon_j$ after selecting feature $f_j$:
where $1 \le j \le n$;
S23, calculating the overall false detection rate $\varepsilon_{now}$ from the false detection rate guarantee parameters corresponding to the features in $F_{selected} = (f_1, \ldots, f_m)$:
where $1 \le m \le n$ and $1 \le k \le m$;
if $\varepsilon_{now} \le p$, outputting the selected feature set $F_{selected}$ and executing step S3; otherwise returning to step S22;
S3, calculating, for each feature selected in step S2, the deviation value to be applied on top of that feature's mean, obtaining the set value of each selected feature for constructing an interference message, and calculating the sending rate of the interference message; the specific implementation method is as follows: denote the offset to be added to the mean $\mu_k$ of feature $f_k$ in $F_{selected}$ as $\Delta_k$, and the sending rate of the interference message as $\gamma$; the interference message is constructed with the features of $F_{selected}$ and the feature values $FV_{send} = (\mu_1 + \Delta_1, \ldots, \mu_m + \Delta_m)$, and is sent to the host to be detected at rate $\gamma$;
step S3 includes the following substeps:
S31, establishing an optimization model for the feature deviation values and the interference message sending rate: to ensure the concealment of the interference message and to minimize the burden on the network, $\Delta_k$ and $\gamma$ should be minimized, i.e.:
S32, determining the constraint conditions of the optimization model, including the network bandwidth constraint, the false detection rate constraint and the basic physical-meaning constraints;
S33, solving the optimization model under the constraint conditions to obtain the optimal feature deviation values and the optimal interference message sending rate;
step S33 includes the following steps:
S331, defining a barrier function:
S332, selecting an initial point in the feasible region of the optimization model, an initial penalty factor $r_1 > 0$, a decreasing coefficient $C < 1$, and allowable calculation precisions $\varepsilon_1, \varepsilon_2 > 0$; setting $k = 1$;
S333, with the current point as the initial point, solving for the optimal solution of the barrier function by the Powell correction algorithm;
S334, checking the iteration termination criterion; if it is satisfied,
the iterative calculation is stopped and the current solution is taken as the optimal solution; otherwise, proceeding to the next step;
S335, setting $r_{k+1} = C r_k$ and $k = k + 1$, and returning to step S333;
S336, from the solved optimal solution and $\gamma^*$, obtaining the optimal offset value of each feature $f_k$ in $F_{selected}$; then setting the $f_k$ feature of each interference message to the mean of $f_k$ plus its optimal offset, and sending the interference messages at rate $\gamma^*$;
S4, sending the interference traffic to the host to be detected, counting the user traffic mean of the host to be detected on each feature, computing the difference between the user traffic mean of each feature and the mean of all user traffic on that feature, and judging whether the absolute value of the difference is larger than or equal to a preset threshold; if all features meet the condition, judging the host to be detected to be a zombie host, otherwise judging it to be a normal host.
2. The method as claimed in claim 1, wherein in step S333 the specific algorithm for solving the optimal solution of the barrier function by the Powell correction algorithm is as follows:
S3331, taking the initial point and the convergence precision $\varepsilon$, and setting the initial direction group as the unit vectors of the m+1 coordinate axes;
S3333, finding the direction in which the function value decreases the most, and calculating the decrease of the function value in that direction;
S3335, checking whether the termination criterion is met; if it is, stopping the calculation to obtain the optimal solution; otherwise, turning to S3336;
S3336, if the condition holds, replacing the old search direction with the new direction, i.e. for $i = j, j+1, \ldots, m$ updating the direction group accordingly; otherwise, still using the original m+1 search directions; then turning to step S3337;
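As an added worked example (not code from the patent), the feature-selection loop of steps S21 to S23 and the all-features decision rule of step S4, in Python. The page does not reproduce the claim's formula for the false detection rate guarantee $\varepsilon_j$, so the example substitutes a Chebyshev bound on a normal host's mean deviating by the detection threshold and multiplies the per-feature bounds assuming independence; it also takes the S1 normal-traffic mean as the S4 comparison baseline. All three are assumptions of this example, and the sample features are constructed.

```python
from dataclasses import dataclass

@dataclass
class Feature:
    """S1 triple for one candidate feature: mean, variance, maximum allowable value."""
    name: str
    mean: float   # mu_i over collected normal user traffic
    var: float    # variance over collected normal user traffic
    vmax: float   # v_max,i

def false_detection_guarantee(f, threshold):
    # ASSUMPTION: the patent's formula for eps_j is not reproduced on the page.
    # Chebyshev's inequality bounds P(|X - mu| >= threshold) <= var / threshold^2
    # for a normal host whose traffic on this feature has the S1 mean and variance.
    return min(1.0, f.var / threshold ** 2)

def select_features(candidates, p, threshold):
    """S21-S23: sort by ascending variance, add one feature at a time until the
    combined false detection rate eps_now is <= p. Returns (F_selected, eps_now)."""
    f_asc = sorted(candidates, key=lambda f: f.var)          # S21
    selected, eps_now = [], 1.0
    for f in f_asc:                                          # S22
        selected.append(f)
        # S23 (ASSUMPTION): S4 flags a host only when every selected feature
        # deviates, so with independent features the per-feature bounds multiply.
        eps_now = 1.0
        for g in selected:
            eps_now *= false_detection_guarantee(g, threshold)
        if eps_now <= p:
            return selected, eps_now
    return selected, eps_now   # no prefix of F_asc meets p; caller must relax p or add features

def is_zombie(selected, observed_means, threshold):
    """S4: zombie host iff |observed mean - normal mean| >= threshold on EVERY
    selected feature (ASSUMPTION: the S1 normal mean is the comparison baseline)."""
    return all(abs(observed_means[f.name] - f.mean) >= threshold for f in selected)

# Constructed sample data (not from the patent): three candidate features.
CANDIDATES = [
    Feature("pkt_len", mean=20.0, var=4.0, vmax=60.0),
    Feature("interval", mean=10.0, var=1.0, vmax=30.0),
    Feature("pps", mean=50.0, var=9.0, vmax=200.0),
]

if __name__ == "__main__":
    sel, eps = select_features(CANDIDATES, p=0.05, threshold=3.0)
    print([f.name for f in sel], round(eps, 4))        # ['interval', 'pkt_len'] 0.0494
    shifted = {"interval": 14.0, "pkt_len": 24.5}      # host whose means moved by >= 3
    print(is_zombie(sel, shifted, threshold=3.0))      # True
```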
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910559146.2A CN110113367B (en) | 2019-06-26 | 2019-06-26 | Zombie host detection method in DDoS attack based on information interference |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910559146.2A CN110113367B (en) | 2019-06-26 | 2019-06-26 | Zombie host detection method in DDoS attack based on information interference |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110113367A CN110113367A (en) | 2019-08-09 |
CN110113367B true CN110113367B (en) | 2020-04-07 |
Family ID=67495803
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910559146.2A Active CN110113367B (en) | 2019-06-26 | 2019-06-26 | Zombie host detection method in DDoS attack based on information interference |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113367B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108768917A (en) * | 2017-08-23 | 2018-11-06 | 长安通信科技有限责任公司 | A kind of Botnet detection method and system based on network log |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IL235233A0 (en) * | 2013-12-03 | 2015-01-29 | Verisign Inc | Client-side active validation for mitigating ddos attacks |
CN105791220A (en) * | 2014-12-22 | 2016-07-20 | 中国电信股份有限公司 | Method and system for actively defending distributed denial of service attacks |
- 2019-06-26 CN CN201910559146.2A patent/CN110113367B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108768917A (en) * | 2017-08-23 | 2018-11-06 | 长安通信科技有限责任公司 | A kind of Botnet detection method and system based on network log |
Also Published As
Publication number | Publication date |
---|---|
CN110113367A (en) | 2019-08-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |