CN110474878A - DDoS attack situation early-warning method and server based on a dynamic threshold - Google Patents

DDoS attack situation early-warning method and server based on a dynamic threshold

Publication number: CN110474878A (granted as CN110474878B)
Application number: CN201910646959.5A
Authority: CN (China); original language: Chinese (zh)
Prior art keywords: network, DDoS attack, target area, warning, threshold
Inventors: 唐湘滟, 程杰仁, 黄梦醒, 罗逸涵, 欧明望, 王天
Current and original assignee: Hainan University
Legal status: Granted; currently active (the status and dates listed by Google Patents are assumptions, not legal conclusions)

Classifications: G06N3/044 (Recurrent networks, e.g. Hopfield networks); G06N3/045 (Combinations of networks); H04L63/1416 (Event detection, e.g. attack signature detection); H04L63/1458 (Denial of Service)
Abstract

An embodiment of the invention provides a DDoS attack situation early-warning method and server based on a dynamic threshold, in the field of DDoS attack detection. The method includes: generating an IP packet statistical feature time series and modelling it with an LSTM neural network prediction model to obtain an LSTM prediction model; predicting the network traffic under test of a target area with the LSTM prediction model, calculating the threshold and threshold tolerance of the target area from the prediction result and the network security vulnerability factor, and dividing the range into multiple warning levels; and, for the target area's network traffic at the target time, generating the target IP packet statistical feature, from which a DDoS attack is identified and the warning level of the traffic under test is determined. The invention improves the accuracy of DDoS attack early warning.

Description

DDoS attack situation early-warning method and server based on a dynamic threshold
Technical field
The present invention relates to the field of DDoS attack detection, and in particular to a DDoS attack situation early-warning method and server based on a dynamic threshold.
Background technique
Distributed denial of service (DDoS) attacks are a means of attack frequently used by hackers today and one that users find hard to defend against. They derive from denial of service (DoS) attacks. In this kind of attack, an attacker typically uses many puppet machines in different locations to launch a large-scale network attack against a victim at the same time, or several attackers in different locations attack one or several targets simultaneously. Such attacks are highly destructive and wide in scope, easy to carry out and difficult to trace, prevent and warn of, and they pose a huge threat to the security of the Internet.
With the rapid development of cryptocurrency technology and the continued growth in IoT devices, DDoS attacks have spread to cryptocurrency trading and the IoT, and attack patterns are becoming more complex and diverse. In particular, several of the larger DDoS attacks of recent years were launched through weak passwords. Researchers have recently made some new breakthroughs in DDoS attack detection. For example, Wang D et al. studied the TarGuess framework, which uses several mathematical models to design guessing algorithms and addresses the problem of cross-site weak-password guessing (Wang D, Zhang Z, Wang P, et al. Targeted Online Password Guessing: An Underestimated Threat. ACM CCS 2016).
While studying DDoS attack detection methods, the inventors found that the DDoS detection methods of the prior art lack an accurate prediction mode, so that early warning is difficult in the face of increasingly diverse attack means; the early-warning effect lags and its accuracy is low.
Summary of the invention
The purpose of the present invention is to provide a DDoS attack situation early-warning method and server based on a dynamic threshold that solves some or all of the problems of the prior art. The technical solution is as follows:
In a first aspect, a DDoS attack situation early-warning method based on a dynamic threshold is provided, the method comprising:
sampling network traffic at a fixed period, extracting the IP packet statistical feature of each period's sample, and generating an IP packet statistical feature time series;
training the IP packet statistical feature time series with an LSTM neural network model to build an LSTM prediction model;
calculating the network security vulnerability factor of the target area;
predicting the network traffic under test of the target area with the LSTM prediction model to obtain a prediction result;
calculating the threshold and threshold tolerance of the target area from the prediction result and the network security vulnerability factor, and dividing multiple warning levels according to the threshold and the threshold tolerance;
monitoring the network traffic of the target area in real time, and analysing and processing the network traffic monitored at the target time;
generating the target IP packet statistical feature for the target area's network traffic at the target time;
determining the warning level of the network traffic under test from the target IP packet statistical feature.
Optionally, the IP packet statistical feature time series is calculated as:
IPDCF = Σ{Packet}_Δt
where Packet is the number of packets and Δt is the packet sampling period.
Optionally, the network security vulnerability factor of the target area is calculated by the following formula:
where m is the number of problem categories, n_j is the number of problems in category j, and Q_ij is the answer to each problem: Q_ij takes the value 1 if the answer is "yes" and 0 otherwise.
Optionally,
the threshold of the target area is calculated by the following formula:
and the threshold tolerance of the target area is calculated by the following formula:
where I_t is the prediction result at time t from the LSTM neural network prediction model.
In a second aspect, a server is provided, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the method of the first aspect.
Thus the invention defines a network security vulnerability factor for a region. Based on a long short-term memory (LSTM) prediction model and the regional network security vulnerability factor, it proposes a DDoS attack situation early-warning model based on a dynamic adaptive threshold. The model uses an LSTM neural network prediction model to model the IP packet statistical feature (IP-Data-counts Feature, IPDCF) series and predicts the traffic under test with that model. It then sets the threshold dynamically in real time from the prediction result and the network security vulnerability factor and warns of the DDoS attack situation level. Compared with the prior art, the invention can warn of a DDoS attack situation in real time, effectively reduce the false alarm rate and the missed alarm rate, and accurately identify the security level of the DDoS attack situation so that corresponding defensive measures can be taken as early as possible, which better addresses the low accuracy and lagging warning time of most existing DDoS early-warning methods.
Detailed description of the invention
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings in the following description are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the DDoS attack situation early-warning model provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the DDoS attack situation early-warning method based on a dynamic threshold provided by an embodiment of the present invention;
Fig. 3 is a diagram of an LSTM neural network provided by an embodiment of the present invention;
Fig. 4 is an architecture diagram of a DDoS attack situation early-warning system provided by an embodiment of the present invention;
Fig. 5 is a comparison of test values and predicted values provided by an embodiment of the present invention;
Fig. 6 shows the early-warning effect of the first simulated attack situation provided by an embodiment of the present invention;
Fig. 7 shows the early-warning effect of the second simulated attack situation provided by an embodiment of the present invention;
Fig. 8 shows the early-warning effect of the third simulated attack situation provided by an embodiment of the present invention;
Fig. 9 shows the early-warning effect of the fourth simulated attack situation provided by an embodiment of the present invention;
Fig. 10 is a structural schematic diagram of a server provided by an embodiment of the present invention.
Specific embodiment
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
In order to make effective use of each sensing key node of the network, to analyse the DDoS attack situation dynamically from a global perspective, and to identify and predict the development trend of a DDoS attack in real time according to a dynamic adaptive threshold so that users can quickly take corresponding defensive measures, the present invention builds a DDoS attack situation early-warning model using the DDoS attack situation early-warning method based on a dynamic threshold. The logical structure of the model is shown in Fig. 1. It uses a layered structure composed of victim-side monitoring points, attack-source monitoring points, backbone monitoring points and a DDoS attack situation warning centre. The overall functions of the model are:
(1) monitoring the network traffic of each monitoring point in real time;
(2) analysing and processing the monitored data;
(3) transmitting the analysed and processed data to the DDoS attack situation warning centre;
(4) at the DDoS attack situation warning centre, detecting a sudden DDoS attack with the LSTM prediction model;
(5) assessing and warning according to the early-warning model based on a dynamic adaptive threshold, and issuing the warning level.
The present invention mainly studies monitoring and warning at the victim end and the backbone end. The victim end consists mainly of the key hosts in the region, and the backbone consists mainly of the critical links connecting the victim. The DDoS attack situation warning centre consists of a server with the embedded LSTM prediction model and a dynamic adaptive threshold computation server.
Fig. 2 is a flow chart of a DDoS attack situation early-warning method based on a dynamic threshold provided by an embodiment of the present invention.
S201: sample the network traffic at a fixed period, extract the IP packet statistical feature of each period's sample, and generate the IP packet statistical feature time series.
Definition 1: the network flow (Net Flow, NF) is sampled at a time interval of Δt = 1 min, and the network-flow IPDCF is defined as:
IPDCF = Σ{Packet}_Δt (1)
where Packet is the number of packets, the packet sampling time is T ∈ (0, N), and Δt = 1.
S202: model the IP packet statistical feature time series with an LSTM neural network prediction model to obtain the LSTM prediction model.
A long short-term memory (LSTM) neural network is a kind of recurrent neural network suited to processing and predicting time series and to big-data environments. To predict network traffic with an LSTM neural network model, the network traffic data must first be collected and stored in a database, after which features are extracted. IPDCF is used to describe how the state of the network traffic changes.
To model the IPDCF time series, the data are sampled at a time interval Δt and the IPDCF value of each sample is calculated; after N samples this gives the IPDCF time-sample sequence M, M(N, Δt) = {IPDCF_i, i = 1, 2, ..., N}, where N is the sequence length.
Finally the time series is trained with an LSTM neural network model. The LSTM prediction model predicts at a time interval of one minute. The model built here has two hidden layers, the first with 512 neurons and the second with 256 neurons, and an output layer with a single predicted value Y; the LSTM neural network is shown in Fig. 3.
Detecting a DDoS attack amounts to judging whether the IPDCF value at each time sample point is abnormal: once an abnormal IPDCF value is found, it can be asserted that a DDoS attack has occurred. At the same time, the model eliminates the influence of network noise and normal network congestion on the prediction result.
S203: calculate the network security vulnerability factor of the target area.
In order to define the DDoS attack warning level more accurately, the invention defines a regional Security Vulnerability Factor (SVF) to set the regional risk level. The main function of the SVF is to assess the security level of a regional network, after which the threshold for DDoS attack early warning is set according to the SVF. Existing real-time dynamic setting methods do not assess regional security; the threshold setting of the invention combines the regional security factor, so that DDoS attack situation early warning can be done for different regions. Since each region has its own way of assessing itself, the invention uses a user questionnaire: the regional administrator first fills in the security vulnerability form for their own region, and the answers on the form are then weighted to obtain the security vulnerability factor. The resulting SVF lies in the interval (0, 1). The network security vulnerability factor of a region K is calculated as follows:
In the above formula, m is the number of problem categories, n_j is the number of problems in category j, and Q_ij is the answer to each problem: Q_ij takes the value 1 if the answer is "yes" and 0 otherwise.
Regional risk is divided into five levels according to the SVF: when SVF < 0.2 the region is at level-one risk; when 0.2 ≤ SVF < 0.4, level-two risk; when 0.4 ≤ SVF < 0.6, level-three risk; when 0.6 ≤ SVF < 0.8, level-four risk; and when SVF ≥ 0.8, level-five risk. The lower the network security vulnerability, the smaller the judged likelihood that the region suffers a DDoS attack.
Compared with existing related techniques, setting the DDoS attack situation warning level according to the SVF effectively reduces the false alarm and missed alarm rates of DDoS attack early warning.
S204: predict the network traffic under test of the target area with the LSTM prediction model to obtain the prediction result.
S205: calculate the threshold and threshold tolerance of the target area from the prediction result and the network security vulnerability factor, and divide multiple warning levels according to the threshold and threshold tolerance.
Definition 2: let I_t be the value predicted for time t by the LSTM neural network model and SVF_k the network security vulnerability factor of region K; the threshold U of region K is then defined as:
Definition 3: the threshold interval D of region K:
While the IPDCF value of the network traffic is monitored in real time, the relationship between the traffic and the threshold is analysed to define the warning levels. When IPDCF < U there is no attack and the warning level is green. When U ≤ IPDCF < U+D it is a level-one attack and the warning level is blue. When U+D ≤ IPDCF < U+2D it is a level-two attack and the warning level is yellow. When U+2D ≤ IPDCF < U+3D it is a level-three attack and the warning level is orange. When IPDCF ≥ U+3D it is a level-four attack and the warning level is red. Level-one and level-two attacks are slight warnings; level-three and level-four attacks are severe warnings. Users can take appropriate measures according to the different warning levels.
S206: monitor the network traffic of the target area in real time, and analyse and process the network traffic monitored at the target time.
S207: generate the target IP packet statistical feature for the target area's network traffic at the target time.
S208: determine the warning level of the network traffic under test from the target IP packet statistical feature.
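The decision logic of S201 to S208 as a runnable example added here (it is not code from the patent): IPDCF extraction per Definition 1, the five SVF risk levels, and the green-to-red warning levels derived from U and the interval D, compared against the static "2 times the previous predicted value" baseline the experiments use. The patent's formulas for U and D are not reproduced on this page, so `placeholder_thresholds` is an assumed stand-in, and the packet timestamps and prediction series are constructed.

```python
"""Constructed example of the patent's early-warning decision logic."""
from collections import Counter
from typing import List, Tuple

# Warning levels as the text defines them: (level, colour, severity).
WARNING_LEVELS = [
    (0, "green", "no attack"),
    (1, "blue", "slight"),
    (2, "yellow", "slight"),
    (3, "orange", "severe"),
    (4, "red", "severe"),
]


def ipdcf_series(packet_times_s: List[float], n_minutes: int,
                 delta_t_min: int = 1) -> List[int]:
    """Definition 1: IPDCF = number of packets in each sampling period Δt.

    packet_times_s are packet arrival times in seconds since capture start;
    packets outside the n_minutes window are ignored.
    """
    width = delta_t_min * 60
    n_bins = n_minutes // delta_t_min
    counts: Counter = Counter()
    for t in packet_times_s:
        idx = int(t // width)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return [counts[i] for i in range(n_bins)]


def svf_risk_level(svf: float) -> int:
    """Five regional risk levels from an SVF value in (0, 1)."""
    if not 0.0 < svf < 1.0:
        raise ValueError("SVF must lie in (0, 1)")
    for level, upper in enumerate((0.2, 0.4, 0.6, 0.8), start=1):
        if svf < upper:
            return level
    return 5


def warning_level(ipdcf: float, u: float, d: float) -> Tuple[int, str, str]:
    """Map a monitored IPDCF value to (level, colour, severity).

    IPDCF < U -> 0; each further interval of width D raises the level by one,
    capped at level 4 (IPDCF >= U + 3D).
    """
    if d <= 0:
        raise ValueError("threshold interval D must be positive")
    if ipdcf < u:
        return WARNING_LEVELS[0]
    return WARNING_LEVELS[min(4, 1 + int((ipdcf - u) // d))]


def placeholder_thresholds(pred: float, svf: float) -> Tuple[float, float]:
    """ASSUMED stand-in for the patent's U and D formulas (not on the page).

    Assumption: U scales with the prediction I_t and a more vulnerable region
    (larger SVF) gets a tighter threshold; D is a fixed fraction of U.
    """
    u = pred * (1.0 + (1.0 - svf))
    return u, 0.25 * u


def static_alarm(ipdcf: float, prev_pred: float) -> bool:
    """Table 2 baseline as read from the text: alarm when the monitored value
    reaches twice the previous predicted value (no SVF, no interval)."""
    return ipdcf >= 2.0 * prev_pred


def evaluate(pred: List[float], monitored: List[float], svf: float):
    """Per-minute rows: (t, monitored, U, dynamic level, colour, static alarm)."""
    rows = []
    for t, (p, m) in enumerate(zip(pred, monitored)):
        u, d = placeholder_thresholds(p, svf)
        level, colour, _ = warning_level(m, u, d)
        prev = pred[t - 1] if t > 0 else p
        rows.append((t, m, round(u, 1), level, colour, static_alarm(m, prev)))
    return rows


# Constructed 10-minute series: a mildly varying prediction, one moderate
# spike at minute 5 (1.6x) and one large spike at minute 8 (3x).
SAMPLE_PRED = [100.0 + 10.0 * (t % 3) for t in range(10)]
SAMPLE_MON = list(SAMPLE_PRED)
SAMPLE_MON[5] = 1.6 * SAMPLE_PRED[5]
SAMPLE_MON[8] = 3.0 * SAMPLE_PRED[8]


def demo(svf: float = 0.6):
    """Run the constructed series for a region with SVF 0.6 (level-four risk)."""
    return evaluate(SAMPLE_PRED, SAMPLE_MON, svf)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Under these assumptions the moderate spike at minute 5 is caught as a blue level-one warning by the dynamic threshold but missed by the static 2x baseline, while the 3x spike at minute 8 is flagged by both.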
A DDoS attack situation early-warning system architecture provided by an embodiment of the present invention is shown in Fig. 4. It sets the threshold from the regional security vulnerability factor and the predicted value of historical data, carries out DDoS attack situation early warning and issues warning information at different levels. Its main functions are:
(1) obtaining regional information, calculating the regional security vulnerability factor and building a security vulnerability factor database;
(2) predicting network traffic with the LSTM neural network model from the information in the historical database;
(3) passing the processed data of each monitoring point to the DDoS attack situation early-warning server, monitoring the traffic in real time according to the prediction result of the LSTM neural network model, and storing the monitored traffic data in the historical database;
(4) judging, according to the DDoS attack situation early-warning model based on a dynamic adaptive threshold, whether a DDoS attack has occurred and, once under attack, the DDoS attack situation warning level;
(5) displaying the DDoS attack situation warning level in visual form.
From the standpoint of attack defence, security officers can adopt emergency strategies according to the different DDoS attack situation warning levels: trace the attack source as early as possible, cut off contact with it, and monitor the situation of associated nodes so as to stop attacks from known attack nodes.
The applicant further analysed and verified the technical solution of the invention by experiment, as follows:
The experiment was carried out in a Python environment, using the 1999 MIT laboratory network traffic data for training and prediction. The data cover three weeks, five days a week and 24 hours a day, 360 hours or 21600 minutes in total. Minutes 1-20160 are the training samples and minutes 20161-21600 the test samples. The 2000 MIT laboratory attack data were then used for the simulated attack situation early-warning test.
The experiment has three parts. First, the IPDCF feature is extracted from the data, with one day as the period and the minute as the label, so that the data are extracted at one-minute intervals. Then the LSTM neural network model trained on xxx is used for prediction, and finally the DDoS attack situation warning level is identified according to the dynamic adaptive threshold. The prediction result is presented visually, verifying that the DDoS attack detection method based on LSTM neural network prediction proposed by the invention models the series well. Fig. 5 shows the predicted and true values for one test day, where the orange line with × markers is the true data and the blue line the predicted data; the test result of the LSTM neural network model in Fig. 5 shows that the predicted network traffic data essentially coincide with the true data, so the method's accuracy is high.
Based on the prediction result, four DDoS attacks were simulated with the attack sample data and the DDoS attack warning level was visualised according to the dynamic adaptive threshold. The attack test results are shown in Figs. 6-9.
In the simulated attack experiments of Figs. 6-9 the network environment simulates a "government network", which has higher network security requirements, XXX, xxx; its network security vulnerability factor calculated by formula (2) is 0.6. The four simulated attacks differ in time and level, with all other conditions identical. According to the prediction result of the LSTM model at time t, the blue line is the predicted value and the orange line the real-time monitored value. Two dividing lines are then given from the threshold and the threshold interval: the green line is the attack threshold boundary (the U value); a monitored value below this line means no attack, and a monitored value above it triggers a DDoS attack warning. For ease of display, only the dividing line between slight and severe DDoS attack warning levels (the U+2D value, i.e. the threshold plus twice the interval) is given, drawn as a red curve: below the red curve is a slight DDoS attack warning and above it a severe one. Figs. 5-8 show that the threshold is a dynamically changing curve rather than a fixed straight line, and that the warning intervals also change dynamically with the threshold.
The start and end times of the DDoS attacks in Figs. 6-9 are minutes 36-37, 45-45, 14-15 and 37-38, 19-20 respectively. Each figure shows that for the IPDCF, under normal conditions the monitored value essentially coincides with the predicted value, so it reflects changes in the network traffic state well, and during an attack the monitored and predicted values diverge markedly, so attack traffic is well distinguished. For the adaptive attack threshold in each figure, under normal conditions all monitored values lie within the normal range, and under attack all monitored values lie above the attack threshold; the dynamically set adaptive attack threshold adapts to changes in the network traffic state, identifies DDoS attacks well, and reduces the false alarm and missed alarm rates. The attack threshold line and the warning-level dividing line in each figure show that the warning-level interval can be set dynamically according to the network traffic state, which helps the DDoS attack situation early-warning model identify the attack situation warning level accurately.
The experimental results of Figs. 6-9 show that the DDoS attack situation early-warning model built by the invention on the LSTM neural network and the regional network security vulnerability factor can set the adaptive threshold dynamically, set the warning level through the dynamic threshold interval, identify DDoS attacks well, improve the robustness of the model and accurately identify the attack situation warning level.
The results of DDoS attack early warning based on the dynamic adaptive threshold are given in Table 1, which lists the security vulnerability factor, predicted value, real-time monitored value, threshold, threshold interval and warning level; only the monitored values at the attack moments are shown. Table 2 gives the result of deciding with a single static threshold, simply twice the previous predicted value, without introducing the SVF for dynamic threshold setting. Table 1 shows that the model built by the invention sets the adaptive threshold and warning level well and identifies the attack warning level accurately. Table 2 shows that a single static threshold has a certain missed alarm rate and false alarm rate: minute 36 of the first attack experiment and minute 15 of the third should be judged attacks, but a missed alarm rate of 22.2% exists, which also makes a warning level set from a static interval unreliable. The comparison of Tables 1 and 2 shows that the DDoS attack situation early-warning model built by the invention on the LSTM neural network and the regional network security vulnerability factor can set the adaptive threshold and warning level dynamically, effectively reduce the false alarm and missed alarm rates, and accurately identify the security level of the DDoS attack situation. Security officers can take corresponding defensive measures according to the different warning levels; for example, when attacked through weak passwords, they can decide from the warning level whether network attack tracing, filtering and device updates are needed.
Table 1: DDoS attack early-warning results based on a dynamic adaptive threshold
Tab.1 DDoS attack warning result based on dynamic adaptive threshold
Table 2: DDoS attack early-warning results without an adaptive threshold
Tab.2 DDoS attack warning result without adaptive threshold
Thus the invention models the IPDCF series with an LSTM neural network prediction model, predicts the traffic under test with that model, sets the dynamic threshold in real time from the prediction result and the network security vulnerability factor, and warns of the DDoS attack situation level. Compared with the prior art, the invention can warn of a DDoS attack situation in real time, effectively reduce the false alarm and missed alarm rates, and accurately identify the security level of the DDoS attack situation so that corresponding defensive measures can be taken as early as possible.
Based on the same inventive concept, an embodiment of the invention also provides a server (see Fig. 10) comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the above method. Its principle of operation and technical effect have been discussed above and are not repeated here.
From the description of the embodiments, those skilled in the art will understand that each embodiment can be implemented in software on a necessary general-purpose hardware platform, or of course in hardware. On this understanding, the part of the technical solution that contributes over the prior art can be embodied as a software product: the software product for DDoS attack situation early warning based on a dynamic threshold can be stored in a server-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a server to execute the method described in each embodiment or in certain parts of the embodiments.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (5)

1. A DDoS attack situation early warning method based on a dynamic threshold, characterized in that the method comprises:
sampling the network traffic at a certain period, extracting the IP packet statistical feature of each periodic sample, and generating an IP packet statistical feature time series;
modelling the IP packet statistical feature time series with an LSTM neural network prediction model to obtain an LSTM prediction model;
calculating the network security vulnerability factor of the target area;
predicting the network traffic under test of the target area with the LSTM prediction model to obtain a prediction result;
calculating the threshold and the threshold tolerance of the target area from the prediction result and the network security vulnerability factor, and dividing multiple warning levels according to the threshold and the threshold tolerance;
monitoring the network traffic of the target area in real time, and analysing the network traffic monitored at the target time;
generating the target IP packet statistical feature for the network traffic of the target area at the target time;
determining the warning level of the network traffic under test from the target IP packet statistical feature.
2. The method of claim 1, characterized in that the IP packet statistical feature time series is calculated by the formula:
IPDCF = Σ{Packet}_Δt
where Packet is the number of data packets and Δt is the packet sampling period, i.e. IPDCF is the packet count accumulated over each sampling period Δt.
3. The method of claim 1, characterized in that the network security vulnerability factor of the target area is calculated by the formula:
where m is the number of question categories, n_j is the number of questions in category j, and Q_ij is the answer to each question: Q_ij takes the value 1 if the answer is "yes" and 0 otherwise.
4. The method of claim 3, characterized in that
the threshold of the target area is calculated by the formula:
and the threshold tolerance of the target area is calculated by the formula:
where I_t is the prediction result at time t from the LSTM neural network model.
5. A server, characterized in that the server comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the method of any one of claims 1 to 4.
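The procedure of claims 1 to 4, as an added worked example that is not the patent's own code: it builds the IPDCF series from packet arrival times (claim 2), aggregates a yes/no vulnerability questionnaire into a factor (claim 3), forecasts the next period's count, derives a threshold and tolerance from the forecast and the factor (claim 4), and maps an observed count to a warning level. The vulnerability-factor, threshold and tolerance formulas below are assumptions chosen for illustration, since the patent's own formulas in claims 3 and 4 are not reproduced on this page; exponential smoothing stands in for the LSTM predictor so the example runs offline without a training step; the packet timestamps and questionnaire answers are constructed.

```python
"""Dynamic-threshold DDoS warning pipeline, an illustration of the claimed
procedure. Not the patent's code: the vulnerability-factor, threshold and
tolerance formulas are assumed placeholders, and exponential smoothing
stands in for the LSTM predictor."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple


def ipdcf_series(packet_times: Sequence[float], delta_t: float,
                 n_periods: int) -> List[int]:
    """IPDCF per sampling period (claim 2): the number of packets whose
    arrival time falls inside period k = [k*delta_t, (k+1)*delta_t)."""
    if delta_t <= 0 or n_periods <= 0:
        raise ValueError("delta_t and n_periods must be positive")
    horizon = n_periods * delta_t
    counts = Counter(int(t // delta_t) for t in packet_times if 0 <= t < horizon)
    return [counts.get(k, 0) for k in range(n_periods)]


def vulnerability_factor(answers: Dict[str, Sequence[int]]) -> float:
    """Assumed aggregation of the claim 3 questionnaire: m categories, each
    holding n_j yes/no answers Q_ij in {0, 1}; the factor is the mean over
    categories of the per-category share of 'yes' answers, so it lies in
    [0, 1] with 1 meaning maximally vulnerable."""
    if not answers:
        raise ValueError("need at least one question category")
    shares = []
    for category, q in answers.items():
        if not q or any(a not in (0, 1) for a in q):
            raise ValueError(f"category {category!r} needs answers in {{0, 1}}")
        shares.append(sum(q) / len(q))
    return sum(shares) / len(shares)


def smoothed_forecast(history: Sequence[int], alpha: float = 0.5) -> float:
    """One-step-ahead forecast I_t. Exponential smoothing is a stand-in for
    the LSTM model of claim 1 so that no training step is needed here."""
    if not history:
        raise ValueError("history must not be empty")
    level = float(history[0])
    for x in history[1:]:
        level = alpha * x + (1.0 - alpha) * level
    return level


def threshold_and_tolerance(i_t: float, v: float) -> Tuple[float, float]:
    """Assumed formulas (claim 4 gives the patent's own, not shown here):
    threshold T = I_t * (1 + (1 - v)), so a more vulnerable network (v -> 1)
    gets less headroom above the forecast; tolerance delta = T / 4."""
    if not 0.0 <= v <= 1.0:
        raise ValueError("vulnerability factor must be in [0, 1]")
    threshold = i_t * (2.0 - v)
    return threshold, threshold / 4.0


def warning_level(observed: float, threshold: float, tolerance: float,
                  max_level: int = 3) -> int:
    """Level 0 is normal (observed <= T); level k >= 1 means the excess over
    T lies in the k-th band of width delta, capped at max_level."""
    if tolerance <= 0:
        raise ValueError("tolerance must be positive")
    if observed <= threshold:
        return 0
    return min(max_level, 1 + int((observed - threshold) // tolerance))


# Constructed sample input: exactly 10 packets per 1-second period over 8
# periods, and a made-up questionnaire with three categories.
DELTA_T = 1.0
BASELINE_PACKETS = [k + i / 10 for k in range(8) for i in range(10)]
QUESTIONNAIRE = {
    "patching": [1, 0, 0, 1],   # 2 of 4 'yes'
    "exposure": [1, 1, 1],      # 3 of 3 'yes'
    "monitoring": [0, 0],       # 0 of 2 'yes'
}


def run_pipeline(packet_times: Sequence[float], delta_t: float, n_periods: int,
                 questionnaire: Dict[str, Sequence[int]],
                 observed_count: int) -> dict:
    """Run the whole procedure for one target period and return every
    intermediate value so each step can be inspected."""
    series = ipdcf_series(packet_times, delta_t, n_periods)
    v = vulnerability_factor(questionnaire)
    i_t = smoothed_forecast(series)
    threshold, tolerance = threshold_and_tolerance(i_t, v)
    return {"ipdcf": series, "vulnerability": v, "forecast": i_t,
            "threshold": threshold, "tolerance": tolerance,
            "level": warning_level(observed_count, threshold, tolerance)}


if __name__ == "__main__":
    for observed in (12, 16, 20, 60):
        r = run_pipeline(BASELINE_PACKETS, DELTA_T, 8, QUESTIONNAIRE, observed)
        print(f"observed={observed:3d} threshold={r['threshold']:.2f} "
              f"tolerance={r['tolerance']:.2f} level={r['level']}")
```

With the constructed baseline the forecast is 10 packets per period and the factor is 0.5, so the threshold is 15 with a tolerance of 3.75: an observed count of 12 stays at level 0, 16 reaches level 1, 20 level 2 and 60 the capped level 3. The point a practitioner should take from the structure, rather than from the placeholder formulas, is that the threshold is re-derived from the forecast every period, so a slow baseline rise is absorbed while a sudden excess over the forecast is what raises the level.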
CN201910646959.5A 2019-07-17 2019-07-17 DDoS attack situation early warning method and server based on dynamic threshold Active CN110474878B (en)


Publications (2)

Publication Number Publication Date
CN110474878A true CN110474878A (en) 2019-11-19
CN110474878B CN110474878B (en) 2021-09-24



Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2109282A1 (en) * 2008-04-11 2009-10-14 Deutsche Telekom AG Method and system for mitigation of distributed denial of service attacks based on IP neighbourhood density estimation
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack
WO2018208336A1 (en) * 2017-05-11 2018-11-15 Google Llc Detecting and suppressing voice queries
CN108900542A (en) * 2018-08-10 2018-11-27 海南大学 Ddos attack detection method and device based on LSTM prediction model
US20190190932A1 (en) * 2014-09-12 2019-06-20 Level 3 Communications, Llc Dynamic configuration of settings in response to ddos attack
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Jieren Cheng et al., "Adaptive DDoS Attack Detection Method Based on Multiple-Kernel Learning", Security and Communication Networks *
Monika Roopak et al., "Deep Learning Models for Cyber Security in IoT Networks", 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC) *
程杰仁 (Jieren Cheng) et al., "基于LSTM流量预测的DDoS攻击检测方法" [DDoS attack detection method based on LSTM traffic prediction], 华中科技大学学报(自然科学版) [Journal of Huazhong University of Science and Technology (Natural Science Edition)] *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073255A (en) * 2020-03-25 2020-12-11 长扬科技(北京)有限公司 Industrial control network flow prediction method and device based on deep learning
CN112073255B (en) * 2020-03-25 2021-07-20 长扬科技(北京)有限公司 Industrial control network flow prediction method and device based on deep learning
CN112333168A (en) * 2020-10-27 2021-02-05 杭州安恒信息技术股份有限公司 Attack identification method, device, equipment and computer readable storage medium
CN112738808A (en) * 2020-12-30 2021-04-30 北京邮电大学 DDoS attack detection method in wireless network, cloud server and mobile terminal
CN112738808B (en) * 2020-12-30 2022-05-20 北京邮电大学 DDoS attack detection method in wireless network, cloud server and mobile terminal
US20220329613A1 (en) * 2021-04-12 2022-10-13 General Electric Company Attack detection and localization with adaptive thresholding
US11916940B2 (en) * 2021-04-12 2024-02-27 Ge Infrastructure Technology Llc Attack detection and localization with adaptive thresholding
CN114465756A (en) * 2021-12-20 2022-05-10 中盈优创资讯科技有限公司 Optimized DDOS (distributed denial of service) safety protection method and device
CN114866296A (en) * 2022-04-20 2022-08-05 武汉大学 Intrusion detection method, device, equipment and readable storage medium
CN114866296B (en) * 2022-04-20 2023-07-21 武汉大学 Intrusion detection method, intrusion detection device, intrusion detection equipment and readable storage medium
CN114866347A (en) * 2022-07-06 2022-08-05 浙江御安信息技术有限公司 Network security early warning method for DDoS attack recognition based on artificial intelligence



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant