CN110719270A - FCM algorithm-based slow denial of service attack detection method - Google Patents


Info

Publication number
CN110719270A
Authority
CN
China
Prior art keywords
clustering
service attack
time
detection
slow denial
Legal status
Pending
Application number
CN201910914381.7A
Other languages
Chinese (zh)
Inventor
汤澹
陈静文
施玮
王曦茵
张冬朔
张斯琦
满坚平
Current Assignee
Hunan University
Original Assignee
Hunan University
Priority date
2019-09-26
Filing date
2019-09-26
Publication date
2020-01-21

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/23 Clustering techniques
    • G06F 18/232 Non-hierarchical techniques
    • G06F 18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F 18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering

Abstract

The invention discloses a slow denial of service attack detection method based on the fuzzy C-means (FCM) algorithm and belongs to the field of network security. The method takes a time slice as the detection unit: the data packets of the network under detection are acquired in real time, a characteristic value of the packets within each time slice is calculated, and dispersion standardization (min-max normalization) is applied so that no single feature carries an excessive weight. Using the characteristic values extracted for each time slice together with the cluster centers and cluster labels obtained in advance with the FCM algorithm, each time slice is classified by the FCM membership calculation, and the cluster label of the assigned class determines whether a slow denial of service attack occurred in that time slice; this in turn determines whether a slow denial of service attack occurred in the corresponding detection window. The FCM-based detection method detects slow denial of service attacks accurately and efficiently.

Description

FCM algorithm-based slow denial of service attack detection method
Technical Field
The invention belongs to the field of computer network security and in particular relates to a slow denial of service attack detection method based on the FCM algorithm.
Background
A denial of service attack uses a high-intensity stream of data packets to exhaust the resources of the attacked object, so that the victim can no longer provide normal service and resource access to legitimate users and may even crash or stop responding; it remains one of the greatest threats facing the Internet. A slow denial of service attack works mainly by exploiting a common adaptive mechanism in end systems or in the network: a periodic high-rate pulsed data flow is sent to the victim, triggering the victim network to adjust according to its adaptive mechanism, and thereby degrading the service performance of the victim.
Current slow denial of service attack detection has two problems. First, because the attack behaviour is highly concealed and differs from a traditional denial of service attack, traditional denial of service attack detection methods have difficulty detecting it. Second, existing slow denial of service attack detection methods generally suffer from low accuracy and high complexity.
The invention addresses the low accuracy, high complexity and similar shortcomings common to existing slow denial of service attack detection methods. By analysing the characteristics of network traffic under a slow denial of service attack, and building on the fuzzy C-means (FCM) algorithm, a slow denial of service attack detection method based on the FCM algorithm is proposed. The method uses the FCM algorithm to cluster the network characteristic values of slow denial of service attacks, obtains a corresponding decision threshold, and performs attack detection on the data under test according to that threshold. The method detects slow denial of service attacks effectively, with high detection accuracy, a low false alarm rate and a low miss rate, while the algorithm has low space complexity and low time complexity. The detection method can therefore be used universally and accurately for slow denial of service attack detection.
Disclosure of Invention
A slow denial of service attack detection method is provided to address the low accuracy, high complexity and similar shortcomings common to existing slow denial of service attack detection methods. The method detects slow denial of service attacks effectively, with high detection accuracy, a low false alarm rate and a low miss rate, while the algorithm has low space complexity and low time complexity. The detection method can therefore be used universally and accurately for slow denial of service attack detection.
The technical solution adopted by the invention to achieve this aim is as follows. The slow denial of service attack detection method mainly comprises five steps: data sampling, characteristic value calculation, data training, data processing and decision detection.
1. Data sampling. For the relevant data packets at a key server (router) in the network, the TCP packets and UDP packets within a fixed time length are obtained at a fixed sampling interval, forming the original values of the training samples and the test samples.
2. Characteristic value calculation. The original values of the training samples and the test samples are divided into a number of time slices of fixed duration, and for each time slice the TCP standard deviation and the UDP standard deviation are obtained with the standard deviation formula. To prevent certain data from carrying too high a weight and to improve the convergence speed of the algorithm, dispersion standardization (min-max normalization) is applied to the TCP standard deviation and the UDP standard deviation, forming the characteristic values of the training samples and the test samples.
3. Data training. Clustering training is performed on the characteristic values of the training samples with the FCM algorithm to obtain a training result, cluster centers and cluster labels, in three sub-steps: 1) the characteristic values of the training samples are first clustered with the K-means algorithm to obtain the initial cluster centers of the FCM algorithm; 2) a maximum number of clusters is set according to the initial cluster centers obtained in the previous sub-step, and the training sample characteristic values are clustered with the FCM algorithm using different numbers of clusters; 3) the different clustering results obtained in the previous sub-step are analysed with a clustering result validity function to obtain the optimal clustering result, cluster centers and cluster labels.
The clustering result validity function is a function that measures the quality of a clustering result, such as the Partition Coefficient (PC) index or the minimum Square Error (SE) index. The cluster labels are defined as the class in which a slow denial of service attack occurred and the class in which no slow denial of service attack occurred.
4. Data processing. Using the characteristic values of the test samples, the training result and the cluster centers obtained above, the membership of the characteristic value of the test sample in each time slice is calculated with the membership calculation method of the FCM algorithm, and the time slice is assigned to the class with the maximum membership, giving the test sample detection result.
Here there are c cluster centers, d_ij denotes the distance between x_j and class c_i (usually the Euclidean distance), and m is the fuzziness exponent of the FCM algorithm. The membership of test sample x_j in the i-th class (1 ≤ i ≤ c) can be expressed as:
[formula image BDA0002215659220000021: membership expression]
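The membership expression referenced above appears in the original publication only as an image. For readability, the standard fuzzy C-means membership formula is written out here as an addition, not reproduced from the page; it is assumed to be the expression the text describes, since it uses exactly the symbols the page defines (c, d_{ij}, m):

$$u_{ij} = \frac{1}{\sum_{k=1}^{c}\left(\frac{d_{ij}}{d_{kj}}\right)^{\frac{2}{m-1}}}, \qquad 1 \le i \le c,$$

so that $\sum_{i=1}^{c} u_{ij} = 1$ for every test sample $x_j$. When $d_{ij} = 0$ the sample coincides with the center of class $c_i$ and receives membership 1 in that class and 0 elsewhere. In step 4 the time slice is assigned to the class with the largest $u_{ij}$.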
5. Decision detection. The test samples are divided into a number of detection windows of a larger fixed duration, each window containing a number of time slices. Each detection window is judged according to the test sample detection results and the cluster labels: if the time slices in a given detection window in which a slow denial of service attack occurred exceed a certain proportion of the total time slices in the window, a slow denial of service attack occurred in that detection window.
Advantageous effects
The method detects slow denial of service attacks effectively, with high detection accuracy, a low false alarm rate and a low miss rate, while the algorithm has low space complexity and low time complexity. The detection method can therefore be used universally and accurately for slow denial of service attack detection.
Drawings
Fig. 1 is a comparison diagram of network traffic characteristic values in three network states: no attack, denial-of-service attack and slow denial-of-service attack. Fig. 1(a) compares the TCP standard deviations in the three network states; Fig. 1(b) compares the UDP standard deviations in the same three states.
Fig. 2 is a comparison graph of clustering results before and after the FCM clustering algorithm is improved.
Fig. 3 is a flowchart of the slow denial of service attack detection method based on the FCM algorithm.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in Fig. 3, the slow denial of service attack detection method mainly comprises five steps: data sampling, characteristic value calculation, data training, data processing and decision detection.
Fig. 1 is a comparison diagram of network traffic characteristic values in three network states. When no attack occurs, the TCP standard deviation is small and stable, and even during a sudden burst the UDP standard deviation is also small and stable, i.e. both the TCP and UDP standard deviations are small. Under a denial of service attack, the TCP and UDP standard deviations are small and stable, smaller and more stable still than in the attack-free state. Under a slow denial of service attack, the TCP and UDP standard deviations are large, larger than in either of the two former states. Taken together, the standard deviation data in the three network states take different forms, so the standard deviations of the effective TCP and UDP traffic are calculated per time slice and used as the characteristic values of the training samples and test samples for slow denial of service attack detection.
Fig. 2 compares the clustering results before and after the FCM clustering algorithm is improved. The FCM algorithm is sensitive to the initial cluster centers: after an improper initialization, the iteration easily falls into a local optimum. To address this sensitivity, the K-means algorithm is used to optimize the initial cluster centers. After optimization the probability of falling into a local optimum is markedly reduced and the number of FCM iterations is also reduced, so the optimization effectively alleviates the local-optimum problem and lowers resource consumption.
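The five steps described above, together with the K-means initialization of the FCM centers discussed for Fig. 2, carried through as an added runnable example in pure Python. This is not the patent's code. The per-slice TCP and UDP packet counts are constructed, and the fuzziness exponent m = 2, the use of two clusters, the labelling rule (the class with the larger normalized standard deviations is the attack class, following the Fig. 1 discussion) and the 50% window ratio are assumptions of this example, not values given in the publication.

```python
# Added example, not the patent's code: the five-step FCM-based detection pipeline in pure Python.
import math
import random
from statistics import pstdev

M = 2.0  # FCM fuzziness exponent (assumed value)

def slice_features(tcp_counts, udp_counts):
    """Step 2: (TCP std, UDP std) per time slice; each slice is the list of
    packet counts taken at the fixed sampling interval."""
    return [(pstdev(t), pstdev(u)) for t, u in zip(tcp_counts, udp_counts)]

def minmax_fit(points):
    """Dispersion standardization: per-feature (min, max) from training data."""
    return [(min(d), max(d)) for d in zip(*points)]

def minmax_apply(point, scale):
    # A constant feature (max == min) maps to 0 instead of dividing by zero.
    return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                 for v, (lo, hi) in zip(point, scale))

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def membership(x, centers, m=M):
    """Step 4: standard FCM membership u_i = 1 / sum_k (d_i/d_k)^(2/(m-1)); a point on a center is crisp."""
    d = [dist(x, c) for c in centers]
    if 0.0 in d:
        return [1.0 if di == 0.0 else 0.0 for di in d]
    p = 2.0 / (m - 1.0)
    return [1.0 / sum((d[i] / dk) ** p for dk in d) for i in range(len(d))]

def kmeans_centers(points, c, iters=20, seed=0):
    """Step 3.1: K-means supplies the initial cluster centers for FCM."""
    centers = random.Random(seed).sample(points, c)
    for _ in range(iters):
        groups = [[] for _ in range(c)]
        for p in points:
            groups[min(range(c), key=lambda i: dist(p, centers[i]))].append(p)
        centers = [tuple(sum(col) / len(g) for col in zip(*g)) if g else centers[i]
                   for i, g in enumerate(groups)]
    return centers

def fcm(points, c, m=M, iters=50):
    """Step 3.2: FCM from the K-means centers; returns (centers, U), U[j][i] = membership of point j in class i."""
    centers = kmeans_centers(points, c)
    for _ in range(iters):
        U = [membership(p, centers, m) for p in points]
        centers = [tuple(sum(U[j][i] ** m * p[k] for j, p in enumerate(points))
                         / (sum(U[j][i] ** m for j in range(len(points))) or 1e-12)
                         for k in range(len(points[0]))) for i in range(c)]
    return centers, U

def partition_coefficient(U):
    """Step 3.3: Partition Coefficient validity index (1.0 = crisp partition)."""
    return sum(u * u for row in U for u in row) / len(U)

def label_clusters(centers):
    """Cluster labels (assumed rule, after Fig. 1): the class with the larger standard deviations is the attack class."""
    attack = max(range(len(centers)), key=lambda i: sum(centers[i]))
    return ["attack" if i == attack else "normal" for i in range(len(centers))]

def classify_slices(test_points, centers, labels, m=M):
    """Step 4: assign each test slice to its maximum-membership class."""
    return [labels[max(range(len(u)), key=u.__getitem__)]
            for u in (membership(p, centers, m) for p in test_points)]

def detect_window(slice_labels, ratio=0.5):
    """Step 5: the window is attacked if attack slices exceed `ratio` of it."""
    return sum(s == "attack" for s in slice_labels) > ratio * len(slice_labels)

def make_slices(n, pulse, seed):
    """Constructed traffic: steady counts, or periodic high-rate pulses."""
    rng = random.Random(seed)
    tcp, udp = [], []
    for _ in range(n):
        t = [rng.randint(95, 105) for _ in range(10)]
        u = [rng.randint(45, 55) for _ in range(10)]
        if pulse:
            for k in (0, 5):  # one burst every five sampling intervals
                t[k] += 400
                u[k] += 200
        tcp.append(t)
        udp.append(u)
    return tcp, udp

def demo():
    """Train on 30 normal + 30 pulsed slices, then judge a 10-slice window."""
    n_tcp, n_udp = make_slices(30, False, 1)
    a_tcp, a_udp = make_slices(30, True, 2)
    feats = slice_features(n_tcp + a_tcp, n_udp + a_udp)
    scale = minmax_fit(feats)
    centers, U = fcm([minmax_apply(p, scale) for p in feats], 2)
    labels = label_clusters(centers)
    t_tcp, t_udp = make_slices(10, True, 3)
    test = [minmax_apply(p, scale) for p in slice_features(t_tcp, t_udp)]
    return partition_coefficient(U), detect_window(classify_slices(test, centers, labels))
```

Calling `demo()` returns the Partition Coefficient of the training partition and the window decision for the pulsed test window. The min-max scale is learned on the training data only and then applied to the test slices, which is what makes the normalized test features comparable with the stored cluster centers; `membership` also handles the degenerate case of a sample lying exactly on a center, where the textbook formula would divide by zero.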

Claims (7)

1. A slow denial of service attack detection method based on the FCM algorithm, characterized in that the method comprises the following steps:
step 1, data sampling: acquiring the relevant data packets at a key server (router) in real time and sampling all relevant data packets per unit time to form the original values of the training samples and the test samples;
step 2, characteristic value calculation: dividing the original values of the training samples and the test samples into a number of time slices of fixed duration and calculating a sample characteristic value for each time slice to form the characteristic values of the training samples and the test samples;
step 3, data training: clustering the characteristic values of the training samples with the FCM algorithm to obtain a training result, cluster centers and cluster labels;
step 4, data processing: classifying the characteristic values of the test samples in each time slice according to the training result to obtain the test sample detection results;
step 5, decision detection: dividing the test samples into a number of detection windows of a larger fixed duration, each window containing a number of time slices, and judging each detection window according to the test sample detection results and the cluster labels to obtain the detection result.
2. The method according to claim 1, wherein in step 1, for the relevant data packets at the key server (router) in the network, the TCP packets and UDP packets within a fixed time length (unit time) are obtained at a fixed sampling interval to form the original sample values.
3. The method according to claim 1, wherein in step 2, from the original values of the training samples and the test samples obtained in step 1, the TCP standard deviation and the UDP standard deviation of each time slice are calculated with the standard deviation formula and used as the sample characteristic values.
4. The method according to claim 1, wherein in step 3, clustering training based on the FCM algorithm is performed on the training sample characteristic values calculated in step 2 in three sub-steps:
3.1, first clustering the characteristic values of the training samples with the K-means algorithm to obtain the initial cluster centers of the FCM algorithm;
3.2, setting the maximum number of clusters according to the initial cluster centers obtained in step 3.1, and clustering the characteristic values of the training samples with the FCM algorithm using different numbers of clusters;
3.3, analysing the different clustering results obtained in step 3.2 with a clustering result validity function to obtain the optimal clustering result, the optimal cluster centers and the optimal cluster labels.
5. The method according to claim 4, wherein the clustering result validity function in step 3.3 is defined as a function that measures the quality of a clustering result, such as the Partition Coefficient (PC) index or the minimum Square Error (SE) index, and the cluster labels obtained in step 3.3 are defined as the class in which a slow denial of service attack occurred and the class in which no slow denial of service attack occurred.
6. The method according to claim 1, wherein in step 4, using the characteristic values of the test samples obtained in step 2 and the cluster centers obtained in step 3, the membership of the characteristic value of the test sample in each time slice is calculated with the membership calculation method of the FCM algorithm, and the time slice is assigned to the class with the highest membership.
7. The method according to claim 1, wherein the criterion for judging a detection window in step 5 according to the cluster labels obtained in step 3 and the test sample detection results obtained in step 4 is as follows: if, in a given detection window, the time slices in which a slow denial of service attack occurred exceed a certain proportion of the total time slices in the window, a slow denial of service attack occurred in that detection window.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910914381.7A CN110719270A (en) 2019-09-26 2019-09-26 FCM algorithm-based slow denial of service attack detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910914381.7A CN110719270A (en) 2019-09-26 2019-09-26 FCM algorithm-based slow denial of service attack detection method

Publications (1)

Publication Number Publication Date
CN110719270A true CN110719270A (en) 2020-01-21

Family

ID=69210938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910914381.7A Pending CN110719270A (en) 2019-09-26 2019-09-26 FCM algorithm-based slow denial of service attack detection method

Country Status (1)

Country Link
CN (1) CN110719270A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111416819A (en) * 2020-03-18 2020-07-14 湖南大学 Low-speed denial of service attack detection method based on AKN algorithm
CN111600876A (en) * 2020-05-14 2020-08-28 湖南大学 Slow denial of service attack detection method based on MFOPA algorithm
CN112350994A (en) * 2020-09-28 2021-02-09 湖南大学 Low-speed denial of service attack detection method based on TC-UTR algorithm
CN112788058A (en) * 2021-01-28 2021-05-11 湖南大学 LDoS attack detection and mitigation scheme based on SDN controller
CN113542295A (en) * 2021-07-26 2021-10-22 中移(杭州)信息技术有限公司 DDoS attack detection method, device, equipment and computer program product

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102768638A (en) * 2012-05-18 2012-11-07 北京工业大学 Software behavior credibility detecting method based on state transition diagram
CN103001825A (en) * 2012-11-15 2013-03-27 中国科学院计算机网络信息中心 Method and system for detecting DNS (domain name system) traffic abnormality
US9130864B2 (en) * 2011-06-27 2015-09-08 Citrix Systems, Inc. Prioritizing classes of network traffic to provide a predetermined quality of service
US20180124020A1 (en) * 2016-11-02 2018-05-03 Cisco Technology, Inc. Feature-based classification of individual domain queries
CN109067722A (en) * 2018-07-24 2018-12-21 湖南大学 A kind of LDoS detection method based on two steps cluster and detection lug analysis joint algorithm
CN109729091A (en) * 2019-01-03 2019-05-07 湖南大学 A kind of LDoS attack detection method based on multiple features fusion and CNN algorithm
CN109726553A (en) * 2019-01-03 2019-05-07 湖南大学 A kind of Denial of Service attack detection method at a slow speed based on SNN-LOF algorithm

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
S. Varuna et al.: "An Integration of K-Means Clustering and Naïve Bayes Classifier for Intrusion Detection", 2015 3rd International Conference on Signal Processing, Communication and Networking (ICSCN) *
姚四霞: "Research on collaborative detection methods for low-rate denial of service attacks", China Master's Theses Full-text Database, Information Science and Technology series *
祖志文 et al.: "A fuzzy clustering optimization algorithm based on Mahalanobis distance: KM-FCM", Journal of Hebei University of Science and Technology *

Similar Documents

Publication Publication Date Title
CN110719270A (en) FCM algorithm-based slow denial of service attack detection method
CN109729090B (en) Slow denial of service attack detection method based on WEDMS clustering
WO2021088372A1 (en) Neural network-based ddos detection method and system in sdn network
CN107483455B (en) Flow-based network node anomaly detection method and system
CN105208037B (en) A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection
EP2661049B1 (en) System and method for malware detection
CN109067722B (en) LDoS detection method based on two-step clustering and detection piece analysis combined algorithm
CN109587179A (en) A kind of SSH agreement behavior pattern recognition and alarm method based on bypass network full flow
CN102271068A (en) Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN112261000B (en) LDoS attack detection method based on PSO-K algorithm
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN110719272A (en) LR algorithm-based slow denial of service attack detection method
CN114021135A (en) LDoS attack detection and defense method based on R-SAX
CN112788007A (en) DDoS attack detection method based on convolutional neural network
CN107360127A (en) A kind of Denial of Service attack detection method at a slow speed based on AEWMA algorithms
Yan et al. Low-rate dos attack detection based on improved logistic regression
Patcha et al. Network anomaly detection with incomplete audit data
CN115021997A (en) Network intrusion detection system based on machine learning
CN110086829B (en) Method for detecting abnormal behaviors of Internet of things based on machine learning technology
CN111600877A (en) LDoS attack detection method based on MF-Ada algorithm
CN115795330A (en) Medical information anomaly detection method and system based on AI algorithm
CN110650157B (en) Fast-flux domain name detection method based on ensemble learning
CN110650145A (en) Low-rate denial of service attack detection method based on SA-DBSCAN algorithm
Liang Research on network security filtering model and key algorithms based on network abnormal traffic analysis
KR20110107880A (en) Ddos detection method using fast information entropy and adaptive moving average window detector

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200121