CN110557397A - DDoS attack detection method based on chaos theory analysis - Google Patents

DDoS attack detection method based on chaos theory analysis Download PDF

Info

Publication number
CN110557397A
Authority
CN
China
Prior art keywords
sequence
ddos attack
flow
network
prediction
Prior art date
Legal status
Pending
Application number
CN201910864121.3A
Other languages
Chinese (zh)
Inventor
王颖舒
刘晴
左宇
张娟娟
袁舒
黄韬
徐拓之
李易
韦倩
Current Assignee
Guizhou Power Grid Co Ltd
Original Assignee
Guizhou Power Grid Co Ltd
Priority date
Application filed by Guizhou Power Grid Co Ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 for detecting or protecting against malicious traffic › H04L63/1408 by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (same parent group H04L63/1408 as above)
    • H04L9/001 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using chaotic signals (H04L9/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a DDoS attack detection method based on chaos theory analysis, comprising the following steps: step 1, collect traffic data of a communication network and preprocess the collected traffic data; step 2, establish a normal network traffic model using a sequence prediction algorithm from the time-series models; step 3, subtract the normal traffic model from the measured network traffic to obtain a corresponding new sequence, the abnormal subsequence of the network traffic; step 4, analyse the abnormal subsequence with the Lyapunov exponent from chaos theory and judge the state of the system at the current moment. The method addresses the prior-art problems that DDoS attacks are very difficult to detect because most attack flows, taken as individual packets, have no obvious malicious characteristics and may even appear to be legitimate normal requests, and that there is currently no effective solution for detecting DDoS attacks so as to avoid or reduce the harm they cause.

Description

DDoS attack detection method based on chaos theory analysis
Technical Field
The invention belongs to network attack detection technology, and in particular relates to a DDoS attack detection method based on chaos theory analysis.
Background
The DDoS attack process is roughly divided into the following steps:
(1) Collecting host information: the target hosts are hosts within a certain range whose own defences are weak; the attacker gathers the information that lets such a host be compromised, such as which ports of the host are open to the outside, its IP address, and how much bandwidth it can carry.
(2) Finding victim hosts: hosts can be compromised in many ways; most often port scanning is used to find misconfigured and poorly protected hosts as the first victims. Hosts that are rarely updated or maintained are likewise the attacker's preferred targets.
(3) Controlling the victim hosts: once a host has been compromised, the attacker installs control software on it so that commands can be issued to it later, and keeps enlarging the set of controlled hosts by the same means, which enlarges the attacker's reach and attack scale.
(4) Launching the attack: to hide the attacker's own location and minimise the chance of being traced, the attack proceeds in two parts. The attacker first sends a specific attack command to the controlled puppet machines (zombies); the puppets then execute the command and, within the specified time, send a large number of illegitimate connection requests with forged source IP addresses to the target server. These illegitimate connections consume most of the target's resources and can fill its half-open (SYN backlog) connection queue, until the target can no longer respond to legitimate requests from normal users and eventually fails.
DDoS attacks can also be classified by the rate of the attack traffic into constant-rate attacks and variable-rate attacks; variable-rate attacks are further divided into increasing-rate attacks and fluctuating-rate attacks. An extreme form of fluctuating-rate attack is the pulsed attack: if all attacking agents pulse simultaneously, the victim system experiences periodic service outages.
For DDoS detection, most existing intrusion detection systems (e.g. Bro, Snort) detect attacks from attack signatures such as specific ports, flag bits and payload contents. The main advantage of this approach is a low false-positive rate, but it cannot recognise new or modified attack behaviour. Like the virus-signature matching used by today's antivirus software, it has the drawback that the signature database must be updated regularly to defend against new or modified viruses; likewise, signature-based detection needs frequent signature updates to detect new attacks.
At present DDoS attack tools proliferate and attack methods are diverse; if protection relies solely on updating a rule base, its effectiveness drops sharply. The detection algorithm needs to be intelligent: able to learn network characteristics on its own, update its defence rules automatically, and withstand impending attacks. In recent years many studies have applied artificial intelligence or data mining to obtain better detection, and the results show the potential of such methods for intrusion detection, but detection rate and false-alarm rate still have room for improvement. Defence against DDoS relies on highly accurate detection and network-wide security deployment. Although commercial DDoS defence vendors offer several excellent products, such as Cisco's Riverhead DDoS defence system and NSFOCUS's "Black Hole", each vendor develops its own detection algorithms and defence measures and keeps them strictly secret, with no published technical documentation, so the overall level of DDoS defence is uneven and the DDoS defence capability of the whole network suffers. Many topics in intelligent DDoS detection therefore remain worth studying; research results can raise the overall level of DDoS detection and accelerate the development of global DDoS defence. Classifying DDoS attacks shows that most attack flows have no obvious malicious characteristics when looked at as individual packets and may even appear to be legitimate, normal requests, which makes detection very difficult.
DDoS detection has attracted wide attention, but an effective solution for avoiding or reducing the harm is still lacking, mainly for the following root causes:
(1) The first is the background in which it exists: the design principles and network protocols of the Internet are deficient. The Internet follows the "edge" (end-to-end) design principle: the intermediate transport network is kept as simple as possible, stores essentially no state beyond the necessary routing state, and merely forwards packets by destination address, while the complex and intelligent parts are pushed to the edge of the network and to the end systems. Because of this statelessness, administrators find it hard to supervise and audit network behaviour effectively, which favours DDoS attacks. In addition, continually exposed protocol vulnerabilities give attackers more opportunities to launch attacks and achieve their malicious aims. None of these background problems can be solved in the short term.
(2) Secondly, attack tools keep evolving: as network users grow and spread, highly destructive attacks become easier to launch; related attack tools such as Trinoo, TFN, Stacheldraht and Trinity can be downloaded anywhere on the network, are convenient to use, and let even an ordinary user launch an attack easily. New attack techniques are constantly devised to bypass old detection systems, new security measures are developed in response, and in this continual contest DDoS attack technology keeps evolving and showing new characteristics. For example, in recent years the spread of worms has created favourable conditions for DDoS attacks, greatly shortening their preparation time and giving attackers a broader launching platform.
Disclosure of the Invention
The technical problem to be solved by the invention is as follows: to provide a DDoS attack detection method based on chaos theory analysis, solving the prior-art problems that DDoS attacks are very difficult to detect because most attack flows, taken as individual packets, have no obvious malicious characteristics and may even appear to be legitimate normal requests, and that no effective solution yet exists for detecting DDoS attacks so as to avoid or reduce the harm they cause.
The technical scheme of the invention is as follows:
A DDoS attack detection method based on chaos theory analysis comprises the following steps:
Step 1, collect traffic data of a communication network and preprocess the collected traffic data;
Step 2, establish a normal network traffic model using a sequence prediction algorithm from the time-series models;
Step 3, subtract the normal traffic model from the measured network traffic to obtain a corresponding new sequence, the abnormal subsequence of the network traffic;
Step 4, analyse the abnormal subsequence with the Lyapunov exponent from chaos theory and judge the state of the system at the current moment;
Step 5, if a DDoS attack is occurring, the current system is non-chaotic and the Lyapunov exponent is less than 0;
Step 6, if no DDoS attack is occurring, the current system is chaotic and the Lyapunov exponent is greater than or equal to 0.
The collected traffic data is preprocessed as follows: compute the mean sequence of the traffic over a time window $t_k$, where $x_n$ denotes the traffic data at time $n$, so that the entire traffic sequence is written $x_1, x_2, \ldots, x_k, \ldots, x_n$.
The normal network traffic model is established as follows:
Establishing the normal network traffic model means establishing the prediction sequence of the network traffic. An AR (autoregressive) model is adopted, and the linear prediction algorithm of AR modelling (LPC, written "PLC" on the page) is then used to obtain the prediction sequence.
In the AR model, $s(n)$ is the initial sequence, $p$ is the prediction order and $\hat s(n)$ is the predicted sequence.
The predicted value at time $t$ is derived from the data preceding time $t$, where the $a_i$ are prediction coefficients; the prediction sequence is obtained by finding the set of $a_i$ that minimises the output power of the prediction error.
The set of prediction coefficients $a_1, a_2, \ldots, a_p$ is determined directly from the known signal. These coefficients are regarded as the parameters of the system function $H(z)$ in the signal-generation model, chosen to minimise the mean-square prediction error over a segment of the signal waveform. In theory the minimum mean-square error criterion $E[e^2(n)]$ is used, where $E[\cdot]$ denotes the mathematical expectation (average) of the squared error. To obtain the $a_k$ that minimise $E[e^2(n)]$, the partial derivative of $E[e^2(n)]$ with respect to each coefficient is taken and set to zero.
Substituting equation 10 into equation 9 yields
$$-2E[e(n)\,s(n-k)] = 0, \qquad k = 1, 2, \ldots, p \tag{11}$$
Expanding $e(n)$ in this expression gives equation 12. Let the autocorrelation sequence of $s(n)$ be
$$R(k) = E[s(n)\,s(n-k)] \tag{13}$$
Since the autocorrelation sequence is even-symmetric,
$$R(k) = R(-k) = E[s(n)\,s(n+k)] \tag{14}$$
so equation 12 can be rewritten in terms of $R(k)$, and the $p$ prediction coefficients $a_1, a_2, \ldots, a_p$ are obtained from that formula. The LPC matrix contains the autocorrelation coefficients $r(k) = \sum_n s(n)\,s(n-k)$ of $s(n)$, and $E_p$ is the minimum power of the prediction error, where $E(p)$ is obtained from $E(p-1)$ by a recursion. Solving the matrix by linear recursion gives the prediction coefficients and hence the prediction sequence of the network traffic.
The abnormal subsequence of the network traffic is obtained as follows:
Obtain the prediction error
$$\Delta x_n = x_n - \hat x_n,$$
where $\hat x_n$ denotes the prediction of $x_n$.
The prediction error is the abnormal subsequence, i.e. the abnormal traffic; the actual traffic of the network is expressed as the sum of normal traffic and abnormal traffic, $x_n = \hat x_n + \Delta x_n$.
The state of the system at the current moment is judged by analysing the abnormal subsequence with the Lyapunov exponent from chaos theory as follows:
Establish the formula
$$\lambda_k \approx \frac{\ln(\Delta x_k / \Delta x_0)}{t_k}$$
and judge the chaos of the abnormal subsequence from $\lambda_k$:
if $\lambda_k > 0$, $\{\Delta x_k\}$ is chaotic, which indicates that the traffic change is caused by normal traffic entering the system; there is no DDoS attack traffic and no DDoS attack is occurring;
if $\lambda_k = 0$, $\{\Delta x_k\}$ remains in a steady state, which indicates that no new traffic is entering the system and no DDoS attack is occurring;
if $\lambda_k < 0$, $\{\Delta x_k\}$ is no longer chaotic, which indicates that the traffic change is caused by DDoS attack traffic entering the system, and a DDoS attack is occurring.
The invention has the following beneficial effects:
The characteristics of a DDoS attack can be summarised roughly as follows: the initiators of the attack are usually one or a few; the attacking hosts are a large number of "broilers" (compromised hosts, i.e. a botnet); the recipients of the attack are one or a few hosts (usually servers). Because of these characteristics, the change in network traffic during a DDoS attack shows strong purposefulness and determinism.
Abnormal network traffic is represented in the time-series model as the prediction error, i.e. the difference between the actual network traffic and the traffic estimated by the model. This error may be caused by normal traffic variation or by a DDoS attack. Abnormal network traffic in the normal state (meaning no DDoS attack is occurring) is usually white-noise-like and appears haphazard and random; in the analysis of this method, abnormal traffic in the normal state is regarded as chaotic. When a DDoS attack occurs, the change in network traffic shows strong purposefulness and determinism, and the abnormal traffic can be regarded as non-chaotic.
Why can abnormal network traffic in the normal state be regarded as chaotic? First, chaos means that a deterministic system depends sensitively on its initial state, so that intrinsic randomness appears in the system; chaos theory reveals the nature of uncertain behaviour in deterministic complex systems. Chaos is the result of dissipation (detailed in section 2.5 of the second chapter) combined with nonlinear interaction: because of dissipation the chaotic system is globally stable and its phase volume contracts, whereas the nonlinear action makes trajectories locally unstable and separate. The combination of global stability and local instability forms the singular behaviour of the chaotic system, which is finally expressed as complex forms of motion and an infinitely nested self-similar structure.
The network system has rich nonlinear dynamics and self-organised spatio-temporal ordered forms. As a highly nonlinear, open, dissipative and non-equilibrium complex system, a network is essentially a dissipative system, and in theory the dynamical system formed by the massive information in a network environment should exhibit the characteristics of a chaotic system.
The chaos analysis method is based on exactly these premises: the chaos property is used to judge whether the abnormal network traffic is chaotic, and thereby DDoS attacks are detected.
The invention provides a method for detecting distributed abnormal network behaviour, based on collecting and preprocessing abnormal network traffic and combined with the Lyapunov exponent analysis of existing chaos theory, with DDoS attacks as the example. In brief, when chaos theory is applied to the analysis, abnormal network traffic caused by normal behaviour is regarded as chaotic, and the chaotic state is destroyed once DDoS attack traffic enters the system, so that DDoS attacks can be detected; the method can further be extended to the detection of other distributed abnormal network behaviour.
This solves the prior-art problems that DDoS attacks are very difficult to detect because most attack flows, taken as individual packets, have no obvious malicious characteristics and may even appear to be legitimate normal requests, and that no effective solution yet exists for detecting DDoS attacks so as to avoid or reduce the harm they cause.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic illustration of the initial traffic in an embodiment;
FIG. 3 is a schematic illustration of the preprocessed traffic in an embodiment;
FIG. 4 is a schematic illustration of the predicted traffic in an embodiment;
FIG. 5 is a schematic diagram comparing predicted traffic with actual traffic in an embodiment;
FIG. 6 is a schematic diagram of the abnormal traffic in an embodiment.
Detailed Description
The invention constructs a normal network traffic model from a readable file of network data, and on that basis designs a detection algorithm for distributed abnormal network behaviour based on chaos theory. The flow is as follows:
1. Collect large-scale communication network traffic data and preprocess this traffic information according to the needs of the study.
2. Establish a normal network traffic model using a sequence prediction algorithm from the time-series models.
3. Subtract the predicted normal traffic model from the measured network traffic to obtain the corresponding innovation sequence, i.e. the abnormal subsequence of the network traffic.
4. Analyse the abnormal subsequence with the Lyapunov exponent from chaos theory, and detect whether the system is chaotic or non-chaotic at the current moment.
5. If a DDoS attack is occurring, the current system is non-chaotic: the Lyapunov exponent is less than 0.
6. If no DDoS attack is occurring, the current system is chaotic: the Lyapunov exponent is greater than or equal to 0.
Collection and preprocessing of network traffic
Collecting and preprocessing the traffic is the prerequisite for the whole invention. We use a time series to represent the occurrence state of network traffic: if $x_n$ denotes the traffic data at time $n$, the entire traffic sequence can be written $x_1, x_2, \ldots, x_k, \ldots, x_n$. The initial traffic has many sharp spikes; to suppress the burstiness of the traffic and obtain a relatively stable result, we preprocess the traffic by computing the mean sequence over a time window $k$.
The preprocessed traffic no longer has spikes, becomes continuous and easy to analyse, and at the same time truly reflects the trend of the traffic.
Establishing a normal model of network traffic
Once the preprocessed sequence is obtained, a normal model of the traffic needs to be established. Establishing the normal model of the network means establishing the prediction sequence of the network traffic. Here we use an AR (autoregressive) model and then the linear prediction algorithm of AR modelling (LPC, written "PLC" on the page) to obtain the prediction sequence.
In the AR model, $s(n)$ is the initial sequence, $p$ is the prediction order and $\hat s(n)$ is the predicted sequence.
The basic idea of the AR model is that the predicted value $\hat s(t)$ at time $t$ can be derived from the data before time $t$, where the $a_i$ are prediction coefficients.
The LPC algorithm is a method for computing the prediction sequence of the AR model; its basic idea is to search for the set of $a_i$ that minimises the output power of the prediction error, and so obtain the prediction sequence.
The basic problem of linear prediction is to determine a set of prediction coefficients $a_1, a_2, \ldots, a_p$ directly from the known signal. These coefficients are regarded as the parameters of the system function $H(z)$ in the signal-generation model, chosen to minimise the mean-square prediction error over a short segment of the signal waveform. The common theoretical criterion is the minimum mean-square error $E[e^2(n)]$, where $E[\cdot]$ denotes the mathematical expectation (average) of the squared error. To obtain the $a_k$ that minimise $E[e^2(n)]$, the partial derivative of $E[e^2(n)]$ with respect to each coefficient is taken and set to zero.
Substituting equation 10 into equation 9 gives
$$-2E[e(n)\,s(n-k)] = 0, \qquad k = 1, 2, \ldots, p \tag{11}$$
Equations 2-5 are referred to as the orthogonality equations.
Expanding $e(n)$ in this expression gives equation 12. Let the autocorrelation sequence of $s(n)$ be
$$R(k) = E[s(n)\,s(n-k)] \tag{13}$$
Since the autocorrelation sequence is even-symmetric,
$$R(k) = R(-k) = E[s(n)\,s(n+k)] \tag{14}$$
so equation 12 can be rewritten in terms of $R(k)$. Thus the $p$ prediction coefficients $a_1, a_2, \ldots, a_p$ can be obtained from that formula. The matrix obtained by LPC contains the autocorrelation coefficients $r(k) = \sum_n s(n)\,s(n-k)$ of $s(n)$, and $E_p$ is the minimum power of the prediction error; in the formula, $E(p)$ is obtained from $E(p-1)$ by a recursion. Solving the matrix by linear recursion gives the prediction coefficients and hence the prediction sequence of the network traffic.
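Added derivation, not part of the patent text: the minimum mean-square criterion carried through to the matrix the description refers to, using the description's own symbols. The AR prediction form in the first line is the standard one and is assumed here, because the page does not reproduce the model equation itself.

$$\hat s(n) = \sum_{i=1}^{p} a_i\, s(n-i), \qquad e(n) = s(n) - \hat s(n)$$

$$\frac{\partial}{\partial a_k} E[e^2(n)] = -2E[e(n)\, s(n-k)] = 0, \qquad k = 1, \ldots, p$$

Expanding $e(n)$ and using $R(k) = E[s(n)\,s(n-k)] = R(-k)$:

$$E[s(n)\,s(n-k)] - \sum_{i=1}^{p} a_i\, E[s(n-i)\,s(n-k)] = 0 \;\Longrightarrow\; \sum_{i=1}^{p} a_i\, R(k-i) = R(k), \qquad k = 1, \ldots, p$$

which in matrix form is the Toeplitz system solved by the linear (Levinson) recursion:

$$\begin{pmatrix} R(0) & R(1) & \cdots & R(p-1) \\ R(1) & R(0) & \cdots & R(p-2) \\ \vdots & \vdots & \ddots & \vdots \\ R(p-1) & R(p-2) & \cdots & R(0) \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_p \end{pmatrix} = \begin{pmatrix} R(1) \\ R(2) \\ \vdots \\ R(p) \end{pmatrix}$$

The minimum prediction-error power is then $E_p = R(0) - \sum_{i=1}^{p} a_i R(i)$, and the recursion relates successive orders through the reflection coefficient $k_m$ as $E(m) = (1 - k_m^2)\, E(m-1)$, with $E(0) = R(0)$. In practice $R(k)$ is replaced by the sample autocorrelation $r(k)$ of the windowed sequence.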
Obtaining the abnormal subsequence of network traffic
In the previous section the measured sequence was denoted $x_n$ and its prediction sequence $\hat x_n$. The prediction error can therefore be expressed as
$$\Delta x_n = x_n - \hat x_n.$$
The prediction error is the abnormal subsequence, referred to as abnormal traffic. Note also that the actual traffic of a network can be expressed as the sum of normal traffic and abnormal traffic, $x_n = \hat x_n + \Delta x_n$.
This alone, however, cannot determine whether the abnormal traffic is caused by normal operation or by DDoS. Further analysis is therefore required.
Analysis of the abnormal subsequence using chaos theory
Chaos analysis is performed on the abnormal subsequence. The general flow is as follows: first, on the basis of chaos theory, the abnormal subsequence caused by normal traffic is taken to be chaotic and the abnormal subsequence caused by DDoS attack traffic to be non-chaotic; then chaos theory is applied to judge whether the abnormal subsequence we obtained is chaotic, and thereby DDoS attacks are detected.
This section mainly introduces how to judge whether a sequence is chaotic. As mentioned in the introduction to chaos theory, the most important feature of a chaotic system is sensitive dependence on the initial value. In any system, two trajectories that start very close to each other separate after some time at a rate given by the Lyapunov exponent. When the Lyapunov exponent is less than or equal to 0, the trajectories contract in phase space and the system eventually settles into a "static" state, i.e. the system is insensitive to the initial value and is non-chaotic. When the Lyapunov exponent is greater than 0, the trajectories diverge in phase space and the system is chaotic.
The Lyapunov exponent can be expressed as
$$\lambda_k \approx \frac{\ln(\Delta x_k / \Delta x_0)}{t_k} \tag{3-1}$$
In the study of network traffic chaos, the chaos of the abnormal subsequence can be judged from $\lambda_k$:
If $\lambda_k > 0$, $\{\Delta x_k\}$ is still chaotic. This means that normal traffic entering the system caused the traffic change; there is no DDoS attack traffic and no DDoS attack is occurring.
If $\lambda_k = 0$, $\{\Delta x_k\}$ keeps a steady state, which means that no new traffic is entering the system and, of course, no DDoS attack is occurring.
If $\lambda_k < 0$, $\{\Delta x_k\}$ is no longer chaotic, which means that DDoS attack traffic entering the system caused the traffic change; a DDoS attack is occurring.
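The paragraph above defines the Lyapunov exponent as the rate at which two nearby trajectories separate. The following added example (not from the patent) measures exactly that on two constructed systems with known exponents: the logistic map $x \mapsto 4x(1-x)$, which is chaotic with exponent $\ln 2$, and the contracting map $x \mapsto 0.8x$, which is non-chaotic with exponent $\ln 0.8$. It also computes the textbook reference value $\lambda = \langle \ln|f'(x)| \rangle$ along one orbit, so the two-trajectory ratio the patent's formula 3-1 relies on can be checked against it. A caveat a practitioner should keep in mind: the ratio form is only reliable while the separation stays small, and a single ratio over a short window fluctuates around the long-run value (the two-orbit estimate at $k = 10$ below comes out near 0.61 rather than 0.69). The map functions and the starting points are assumptions chosen for illustration.

```python
"""Added illustration (not from the patent): the Lyapunov exponent measured as the
separation rate of two nearby trajectories, on two constructed maps."""
import math
from typing import Callable, List


def separation_exponent(f: Callable[[float], float], x0: float, d0: float,
                        steps: int) -> List[float]:
    """lambda_k = ln(|d_k| / d0) / k for k = 1..steps, where d_k is the distance
    between the orbits started at x0 and x0 + d0.  This is the ratio form the
    patent writes, applied to two genuine trajectories of a known system."""
    x, y = x0, x0 + d0
    d0 = y - x                      # the representable initial separation
    out: List[float] = []
    for k in range(1, steps + 1):
        x, y = f(x), f(y)
        out.append(math.log(abs(y - x) / d0) / k)
    return out


def derivative_exponent(f: Callable[[float], float], df: Callable[[float], float],
                        x0: float, transient: int, n: int) -> float:
    """Reference value: lambda = mean of ln|f'(x_k)| along one orbit of length n,
    after discarding `transient` iterations."""
    x = x0
    for _ in range(transient):
        x = f(x)
    acc = 0.0
    for _ in range(n):
        acc += math.log(abs(df(x)))
        x = f(x)
    return acc / n


# Constructed systems (assumption: chosen for illustration only).
def logistic(x: float) -> float:        # x -> 4x(1-x): chaotic, lambda = ln 2
    return 4.0 * x * (1.0 - x)


def d_logistic(x: float) -> float:      # derivative of the logistic map
    return 4.0 * (1.0 - 2.0 * x)


def decay(x: float) -> float:           # x -> 0.8x: contracting, lambda = ln 0.8
    return 0.8 * x


def d_decay(x: float) -> float:         # derivative of the decay map
    return 0.8


if __name__ == "__main__":
    ref = derivative_exponent(logistic, d_logistic, 0.3, 100, 5000)
    print(f"logistic map: reference lambda = {ref:.4f} (ln 2 = {math.log(2):.4f})")
    print(f"logistic map: two-orbit estimate at k=10 = "
          f"{separation_exponent(logistic, 0.3, 1e-9, 10)[-1]:.4f}")
    print(f"decay map:    two-orbit estimate at k=10 = "
          f"{separation_exponent(decay, 0.3, 1e-9, 10)[-1]:.4f} "
          f"(ln 0.8 = {math.log(0.8):.4f})")
```

For the contracting map the two-orbit ratio reproduces $\ln 0.8$ almost exactly at every $k$, because the separation shrinks linearly; for the chaotic map the reference value from 5000 iterations is close to $\ln 2$, while the 10-step ratio is only an approximation.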
Physical meaning of the Lyapunov exponent in the analysis
The Lyapunov exponent is the key of DDoS attack detection based on chaos theory; its mathematical meaning is detailed in the second chapter. This section explains how to understand the physical meaning of the Lyapunov exponent for network traffic.
The Lyapunov exponent can be expressed as $\lambda_k \approx \ln(\Delta x_k / \Delta x_0) / t_k$. It expresses how far the error between the actual traffic and the predicted normal traffic has separated after time $t_k$ has elapsed; in this equation $\Delta x_k$ is the prediction error introduced earlier, $\Delta x_k = x_k - \hat x_k$.
The difficulty of this exponent in simulation is the actual physical meaning of $\Delta x_0$. By analogy with its mathematical meaning, $\Delta x_0$ should be the error between the actual traffic and the predicted traffic at the initial point, i.e. $\Delta x_0 = x_0 - \hat x_0$. But a value $\hat x_t$ in the prediction sequence is determined by the values before time $t$, and $t_0$ is the beginning of the sequence, so in theory $\hat x_0$ does not exist.
Considering this, the invention collects a traffic sequence that starts at $t = 0$ and ends at $t = n$. The traffic of the whole network system, however, never starts at $t = 0$; it started much earlier. The prediction position labelled $t = 0$ can therefore be chosen freely: the invention labels the fifth sample of every sequence as time zero, so that the traffic sequence becomes $x_{-4}, x_{-3}, x_{-2}, x_{-1}, x_0, x_1, x_2, \ldots, x_n$ and $\hat x_0$, predicted from the four earlier samples, acquires a practical physical meaning.
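The six steps of the description (windowed mean, AR model fitted by linear recursion, prediction-error subsequence, Lyapunov ratio, sign decision) are gathered below into one runnable pipeline. This is an added example written for this page, not the patent's own code or data, and it fixes several choices the text leaves open, each marked as an assumption in the comments: the mean is a trailing moving average; the AR form is the standard $\hat s(n) = \sum_{i=1}^{p} a_i s(n-i)$ solved by the Levinson recursion on the sample autocorrelation; the normal model is fitted on an initial segment taken as attack-free; the ratio $\Delta x_k / \Delta x_0$ is taken in absolute value, because the page's raw ratio can be negative and the logarithm would then be undefined; and, following the page's re-indexing, the first $p$ samples play the role of $x_{-p}, \ldots, x_{-1}$ so that $\hat x_0$ exists. Two caveats for anyone deploying this: the sign of $\lambda_k$ under this formula depends heavily on the single reference error $\Delta x_0$ (a tiny $\Delta x_0$ makes almost any later error look "chaotic"), and the formula is a single-ratio approximation rather than a nearest-neighbour estimator on an embedded time series, so its output should be read as the patent's indicator and not as a measured Lyapunov exponent. The constructed traffic in the demo run is not measured data.

```python
"""Added example (not the patent's own code): steps 1-6 of the description in pure
Python.  Every modelling choice the page leaves open is marked 'assumption'."""
import math
import random
from typing import List, Optional, Tuple


def windowed_mean(x: List[float], k: int) -> List[float]:
    """Step 1: average each window of k samples to suppress spikes.
    Assumption: a trailing moving average; the page gives no mean formula."""
    if not 1 <= k <= len(x):
        raise ValueError("window k must lie between 1 and len(x)")
    return [sum(x[i - k + 1:i + 1]) / k for i in range(k - 1, len(x))]


def autocorrelation(s: List[float], max_lag: int) -> List[float]:
    """r(k) = sum_n s(n) s(n-k), the autocorrelation coefficients of the LPC matrix."""
    return [sum(s[n] * s[n - lag] for n in range(lag, len(s)))
            for lag in range(max_lag + 1)]


def levinson_durbin(r: List[float], p: int) -> Tuple[List[float], float]:
    """Step 2: solve the normal equations by linear recursion.
    Returns ([a_1..a_p], E_p); E(m) is derived from E(m-1) at each order."""
    if r[0] <= 0.0:
        raise ValueError("sequence has no energy")
    a, err = [0.0] * (p + 1), r[0]            # a[i] holds a_i, err holds E(m)
    for m in range(1, p + 1):
        k_m = (r[m] - sum(a[j] * r[m - j] for j in range(1, m))) / err
        nxt = a[:]
        nxt[m] = k_m
        for j in range(1, m):
            nxt[j] = a[j] - k_m * a[m - j]
        a, err = nxt, err * (1.0 - k_m * k_m)
    return a[1:], err


def ar_predict(s: List[float], a: List[float]) -> List[float]:
    """hat s(n) = sum_{i=1..p} a_i s(n-i).  Assumption: history before the first
    sample is treated as zero, so the first p predictions are incomplete."""
    return [sum(a[i - 1] * s[n - i] for i in range(1, len(a) + 1) if n - i >= 0)
            for n in range(len(s))]


def abnormal_subsequence(x: List[float], x_hat: List[float]) -> List[float]:
    """Step 3: delta x_n = x_n - hat x_n (prediction error = abnormal traffic)."""
    return [xn - hn for xn, hn in zip(x, x_hat)]


def lyapunov(dx: List[float], t0: int, dt: float = 1.0) -> List[Optional[float]]:
    """Step 4: lambda_k = ln(delta x_k / delta x_0) / t_k for k > t0, with index t0
    relabelled as time 0 (the page makes the fifth sample t=0 so hat x_0 exists).
    Assumption: absolute values, since the page's raw ratio can be negative and
    ln would be undefined; a zero error yields None instead of an exponent."""
    d0 = abs(dx[t0])
    out: List[Optional[float]] = []
    for k in range(t0 + 1, len(dx)):
        dk = abs(dx[k])
        out.append(None if d0 == 0.0 or dk == 0.0
                   else math.log(dk / d0) / ((k - t0) * dt))
    return out


def verdict(lam: Optional[float], eps: float = 1e-9) -> str:
    """Steps 5-6: the sign of lambda_k gives the state at time k."""
    if lam is None:
        return "undefined"
    if lam > eps:
        return "chaotic: normal traffic, no DDoS"
    if lam < -eps:
        return "non-chaotic: DDoS attack"
    return "steady: no new traffic"


def detect(x: List[float], k: int, p: int,
           baseline_len: int) -> List[Tuple[int, Optional[float], str]]:
    """Whole pipeline; returns (t_k, lambda_k, verdict) with t_k counted from the
    relabelled time zero.  Assumption: the normal model is fitted on the first
    baseline_len smoothed samples (taken as attack-free) and applied to all of
    them; the page fits on 'collected traffic' without saying which part."""
    s = windowed_mean(x, k)
    a, _ = levinson_durbin(autocorrelation(s[:baseline_len], p), p)
    dx = abnormal_subsequence(s, ar_predict(s, a))
    lams = lyapunov(dx, t0=p)   # the first p samples act as x_{-p}..x_{-1}
    return [(i + 1, lam, verdict(lam)) for i, lam in enumerate(lams)]


if __name__ == "__main__":
    # Constructed input, not measured data: 80 samples of jittered baseline
    # traffic, then 40 samples with a constant 400 units of flood added.
    rng = random.Random(7)
    traffic = [100.0 + rng.uniform(-5.0, 5.0) for _ in range(80)]
    traffic += [500.0 + rng.uniform(-5.0, 5.0) for _ in range(40)]
    for t, lam, state in detect(traffic, k=4, p=4, baseline_len=60)[::10]:
        shown = "n/a" if lam is None else f"{lam:+.4f}"
        print(f"t={t:3d}  lambda={shown}  {state}")
```

A perfectly predictable sequence such as $x_n = 0.8^n$ is instructive: the AR(1) fit recovers $a_1 \approx 0.8$, the prediction errors shrink geometrically, every $\lambda_k$ comes out near $\ln 0.8 < 0$, and the pipeline reports the "non-chaotic" (attack) state, which is precisely the determinism the patent associates with attack traffic. Replacing $\Delta x_0$ by a different reference sample changes every $\lambda_k$ at once, which is why the choice of time zero matters so much to this method.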

Claims (5)

1. A DDoS attack detection method based on chaos theory analysis, comprising the following steps:
Step 1, collecting traffic data of a communication network and preprocessing the collected traffic data;
Step 2, establishing a normal network traffic model using a sequence prediction algorithm from the time-series models;
Step 3, subtracting the normal traffic model from the measured network traffic to obtain a corresponding new sequence, the abnormal subsequence of the network traffic;
Step 4, analysing the abnormal subsequence with the Lyapunov exponent from chaos theory and judging the state of the system at the current moment;
Step 5, if a DDoS attack is occurring, the current system is non-chaotic and the Lyapunov exponent is less than 0;
Step 6, if no DDoS attack is occurring, the current system is chaotic and the Lyapunov exponent is greater than or equal to 0.
2. The DDoS attack detection method based on chaos theory analysis according to claim 1, characterized in that the collected traffic data is preprocessed as follows: compute the mean sequence over a time window $t_k$, where $x_n$ represents the traffic data at time $n$, so that the entire traffic sequence is written $x_1, x_2, \ldots, x_k, \ldots, x_n$.
3. The DDoS attack detection method based on chaos theory analysis according to claim 1, characterized in that the normal network traffic model is established as follows:
Establishing the normal network traffic model, i.e. the prediction sequence of the network traffic, adopts an AR (autoregressive) model and then uses the linear prediction algorithm of AR modelling (LPC, written "PLC" on the page) to obtain the prediction sequence.
In the AR model, $s(n)$ is the initial sequence, $p$ is the prediction order and $\hat s(n)$ is the predicted sequence.
The predicted value at time $t$ is derived from the data preceding time $t$, where the $a_i$ are prediction coefficients; the prediction sequence is obtained by finding the set of $a_i$ that minimises the output power of the prediction error.
The set of prediction coefficients $a_1, a_2, \ldots, a_p$ is determined directly from the known signal. These coefficients are regarded as the parameters of the system function $H(z)$ in the signal-generation model, chosen to minimise the mean-square prediction error over a segment of the signal waveform. In theory the minimum mean-square error criterion $E[e^2(n)]$ is used, where $E[\cdot]$ denotes the mathematical expectation (average) of the squared error. To obtain the $a_k$ that minimise $E[e^2(n)]$, the partial derivative of $E[e^2(n)]$ with respect to each coefficient is taken and set to zero.
Substituting equation 10 into equation 9 yields
$$-2E[e(n)\,s(n-k)] = 0, \qquad k = 1, 2, \ldots, p \tag{11}$$
Expanding $e(n)$ in this expression gives equation 12. Let the autocorrelation sequence of $s(n)$ be
$$R(k) = E[s(n)\,s(n-k)] \tag{13}$$
Since the autocorrelation sequence is even-symmetric,
$$R(k) = R(-k) = E[s(n)\,s(n+k)] \tag{14}$$
so equation 12 can be rewritten in terms of $R(k)$, and the $p$ prediction coefficients $a_1, a_2, \ldots, a_p$ are obtained from that formula. The LPC matrix contains the autocorrelation coefficients $r(k) = \sum_n s(n)\,s(n-k)$ of $s(n)$, and $E_p$ is the minimum power of the prediction error, where $E(p)$ is obtained from $E(p-1)$ by a recursion. Solving the matrix by linear recursion gives the prediction coefficients and hence the prediction sequence of the network traffic.
4. The DDoS attack detection method based on chaos theory analysis according to claim 1, characterized in that: the method for obtaining the abnormal subsequence of the network flow comprises the following steps:
The prediction error value is obtained as
$$e_n = x_n - \hat{x}_n$$
where $\hat{x}_n$ represents the predicted sequence of $x_n$. The prediction error value is the abnormal subsequence, i.e. the abnormal flow; the actual traffic of the network is expressed as the sum of normal traffic and abnormal traffic, i.e.
$$x_n = \hat{x}_n + e_n.$$
5. The DDoS attack detection method based on chaos theory analysis according to claim 1, characterized in that: the method for judging the state of the system at the current moment by analysing the abnormal subsequence with the Lyapunov exponent of chaos theory comprises the following steps:
Establish the formula
$$\lambda_k \approx \frac{\ln(\Delta x_k/\Delta x_0)}{t_k}$$
and judge the chaoticity of the abnormal subsequence from $\lambda_k$:
If $\lambda_k>0$, then $\{\Delta x_k\}$ is chaotic, which indicates that the flow change is caused by normal flow entering the system; there is no DDoS attack flow and no DDoS attack occurs;
if $\lambda_k=0$, then $\{\Delta x_k\}$ maintains a stable state, which indicates that no new flow enters the system and no DDoS attack occurs;
if $\lambda_k<0$, then $\{\Delta x_k\}$ is no longer chaotic, which indicates that the flow change is caused by DDoS attack flow entering the system, and a DDoS attack occurs.
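As an added worked example (not code from the patent or its assignee), the following Python runs the pipeline of claims 2 to 5 end to end on a constructed traffic series: window means (claim 2), AR coefficients from the autocorrelation matrix (claim 3), the prediction-error subsequence (claim 4) and the $\lambda_k$ rule (claim 5). Where the claims leave a choice open the code makes an assumption and labels it: $R(k)$ is the biased sample autocorrelation; the "linear recursion" that solves the matrix is Levinson-Durbin, whose step $E(m)=E(m-1)(1-k_m^2)$ is the $E(p)$/$E(p-1)$ relation the claim mentions; the AR model is fitted on a known-normal prefix of the mean-removed sequence, since a model fitted on attack traffic would learn the attack as normal; the logarithm in $\lambda_k$ is taken of $|\Delta x_k|/|\Delta x_0|$ with $\Delta x_0$ the first prediction error and $t_k = k\,\Delta t$. The function names, parameters and the synthetic series are the example's own.

```python
"""Claims 2-5 of CN110557397A as a runnable pipeline (added example, not the patent's code)."""
import math
import random
from typing import List, Sequence, Tuple


def window_means(flow: Sequence[float], width: int) -> List[float]:
    """Claim 2: mean of each non-overlapping window t_k of the raw samples x_n."""
    if width <= 0 or len(flow) < width:
        raise ValueError("window must be positive and no wider than the flow sequence")
    return [sum(flow[i:i + width]) / width
            for i in range(0, len(flow) - width + 1, width)]


def autocorrelation(s: Sequence[float], p: int) -> List[float]:
    """R(k) = E[s(n) s(n-k)] for k = 0..p; assumption: biased sample estimate (divide by N)."""
    n = len(s)
    return [sum(s[i] * s[i - k] for i in range(k, n)) / n for k in range(p + 1)]


def levinson_durbin(R: Sequence[float], p: int) -> Tuple[List[float], float]:
    """Solve R(k) = sum_i a_i R(k-i), k = 1..p, by the recursion E(m) = E(m-1)(1 - k_m^2).

    Returns (a_1..a_p, E_p); E_p = R(0) - sum_i a_i R(i) is the minimum error power.
    """
    a: List[float] = []
    E = float(R[0])
    for m in range(1, p + 1):
        if E <= 0.0:
            raise ValueError("error power not positive: degenerate autocorrelation")
        k = (R[m] - sum(a[j - 1] * R[m - j] for j in range(1, m))) / E
        a = [a[j - 1] - k * a[m - 1 - j] for j in range(1, m)] + [k]
        E *= 1.0 - k * k
    return a, E


def prediction_error(s: Sequence[float], a: Sequence[float]) -> List[float]:
    """Claim 4: e(n) = s(n) - sum_i a_i s(n-i) for n >= p, the abnormal subsequence."""
    p = len(a)
    return [s[n] - sum(a[i - 1] * s[n - i] for i in range(1, p + 1))
            for n in range(p, len(s))]


def lyapunov(dx: Sequence[float], dt: float = 1.0) -> List[float]:
    """Claim 5: lambda_k ~ ln(dx_k / dx_0) / t_k for k >= 1, assuming t_k = k * dt.

    Assumption: magnitudes are compared, since a prediction error may be negative.
    A zero dx_k gives -inf; a zero dx_0 is rejected (neither case is defined by the claim).
    """
    dx0 = abs(dx[0])
    if dx0 == 0.0:
        raise ValueError("dx_0 must be non-zero to serve as the reference separation")
    out: List[float] = []
    for k in range(1, len(dx)):
        dxk = abs(dx[k])
        out.append(-math.inf if dxk == 0.0 else math.log(dxk / dx0) / (k * dt))
    return out


def classify(lam: float, eps: float = 1e-9) -> str:
    """Decision rule of claim 1 steps 5-6 / claim 5; eps absorbs float noise around zero."""
    if lam > eps:
        return "chaotic: normal flow entering, no DDoS attack"
    if lam < -eps:
        return "non-chaotic: DDoS attack flow entering"
    return "stable: no new flow, no DDoS attack"


def run_detector(flow: Sequence[float], width: int, p: int,
                 train_frac: float = 0.5, dt: float = 1.0) -> List[Tuple[float, str]]:
    """Preprocess -> fit AR on a normal prefix -> error subsequence -> lambda_k -> verdict."""
    s = window_means(flow, width)
    n_train = max(p + 1, int(len(s) * train_frac))
    mu = sum(s[:n_train]) / n_train            # assumption: AR fitted on the mean-removed series
    z = [v - mu for v in s]
    a, _ = levinson_durbin(autocorrelation(z[:n_train], p), p)
    lams = lyapunov(prediction_error(z, a), dt)
    return [(lam, classify(lam)) for lam in lams]


def constructed_flow(n: int = 600, seed: int = 7) -> List[float]:
    """Constructed, not measured: a slow wave plus seeded jitter, with a flood of
    five times the baseline in the last sixth of the series."""
    rng = random.Random(seed)
    flow = [1000.0 + 300.0 * math.sin(2 * math.pi * i / 120) + rng.gauss(0.0, 120.0)
            for i in range(n)]
    for i in range(5 * n // 6, n):
        flow[i] += 5000.0
    return flow


if __name__ == "__main__":
    for lam, verdict in run_detector(constructed_flow(), width=10, p=3)[-8:]:
        print(f"lambda_k = {lam:+.4f}  ->  {verdict}")
```

Running the file prints $\lambda_k$ and the verdict for the last windows. Two checks a deployment has to settle before the thresholds of steps 5 and 6 mean anything: $\Delta x_0$ must be non-zero and a zero $\Delta x_k$ sends $\lambda_k$ to $-\infty$, neither case being defined by the claims; and because $\Delta x_k/\Delta x_0$ measures the growth of the prediction error relative to the reference window, the sign that a flood produces depends on which window supplies $\Delta x_0$ and on the time scale $t_k$, so both have to be fixed per deployment and validated against known-normal and known-attack captures.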
CN201910864121.3A 2019-09-12 2019-09-12 DDoS attack detection method based on chaos theory analysis Pending CN110557397A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910864121.3A CN110557397A (en) 2019-09-12 2019-09-12 DDoS attack detection method based on chaos theory analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910864121.3A CN110557397A (en) 2019-09-12 2019-09-12 DDoS attack detection method based on chaos theory analysis

Publications (1)

Publication Number Publication Date
CN110557397A true CN110557397A (en) 2019-12-10

Family

ID=68740176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910864121.3A Pending CN110557397A (en) 2019-09-12 2019-09-12 DDoS attack detection method based on chaos theory analysis

Country Status (1)

Country Link
CN (1) CN110557397A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111245848A (en) * 2020-01-15 2020-06-05 太原理工大学 Industrial control intrusion detection method for hierarchical dependency modeling
CN112738808A (en) * 2020-12-30 2021-04-30 北京邮电大学 DDoS attack detection method in wireless network, cloud server and mobile terminal
CN112866281A (en) * 2021-02-07 2021-05-28 辽宁科技大学 Distributed real-time DDoS attack protection system and method
CN112866281B (en) * 2021-02-07 2023-04-07 辽宁科技大学 Distributed real-time DDoS attack protection system and method
CN112953971A (en) * 2021-04-01 2021-06-11 长扬科技(北京)有限公司 Network security traffic intrusion detection method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011140795A1 (en) * 2010-05-13 2011-11-17 中兴通讯股份有限公司 Method and switching device for preventing media access control address spoofing attack
CN102404164A (en) * 2011-08-09 2012-04-04 江苏欣网视讯科技有限公司 Flow analysis method based on ARMA (Autoregressive Moving Average) model and chaotic time sequence model
CN108900556A (en) * 2018-08-24 2018-11-27 海南大学 Ddos attack detection method based on HMM and chaotic model
CN109981248A (en) * 2019-03-25 2019-07-05 哈尔滨工业大学(威海) A kind of GCM innovatory algorithm suitable for CCSDS-SDLS agreement

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王忠文: "Research on DDoS attack detection algorithms in the cloud environment" ("云环境下DDoS攻击检测算法的研究"), Wanfang dissertation database (《万方学位论文》) *
龚思学: "Research on network fault localization methods based on flow behaviour anomaly detection and correlation analysis" ("基于流行为异常检测与关联分析的网络故障定位方法研究"), China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文信息科技辑》) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20191210