CN111131309A - Distributed denial of service detection method and device and model creation method and device - Google Patents

Publication number
CN111131309A
Authority
CN
China
Prior art keywords
service
distributed denial
attack
feature
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911415231.8A
Other languages
Chinese (zh)
Inventor
路尧
简明
魏勇
张泽洲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd
Priority to CN201911415231.8A
Publication of CN111131309A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The embodiment of the invention provides a distributed denial of service detection method and device and a model creation method. The method comprises the following steps: extracting characteristic information of data to be detected, where the characteristic information comprises at least one or more of flood traffic characteristics, slow attack characteristics and application layer attack characteristics; and inputting the characteristic information of the data to be detected into a distributed denial of service detection model and acquiring a detection result of whether the data to be detected contains a distributed denial of service attack. The distributed denial of service detection model is obtained by training, in a machine learning mode, on at least one or more combinations of the flood traffic characteristics, slow attack characteristics and application layer attack characteristics of known distributed denial of service attack data as sample data, and is used to obtain the detection result of whether the data to be detected contains a distributed denial of service attack. The embodiment of the invention can simultaneously detect one or more of the flood attack, the slow attack and the application layer attack.

Description

Distributed denial of service detection method and device and model creation method and device
Technical Field
The invention relates to the technical field of network security, in particular to a distributed denial of service detection method and device and a model creation method and device.
Background
Distributed Denial of Service (DDoS) refers to multiple attackers at different locations simultaneously attacking one or more targets, or to an attacker controlling multiple machines at different locations and using them to attack a victim simultaneously. DDoS has many types, including bandwidth consumption attacks (e.g., flooding attacks), system resource consumption attacks (e.g., malicious misuse of TCP/IP protocol communications, sending malformed messages), and application layer attacks. DDoS attacks can make websites inaccessible and consume large amounts of bandwidth and memory, and are extremely harmful.
DDoS detection is an important part of DDoS defense. Various DDoS detection methods have been proposed in the prior art; the most common are statistics-based detection methods and machine-learning-based detection methods.
Statistics-based detection methods, such as entropy-based detection, have the advantage of high detection efficiency, but such a method only works for a specific attack model, and developing one for a given attack model is time-consuming and the result is difficult to upgrade.
Machine learning algorithms can discover the underlying essential information in massive data and are currently popular with researchers. A machine-learning detection model has the advantage that, as long as the training data contains information about a certain attack, the algorithm can learn to detect that attack, and when a novel attack is encountered the detection model can be updated quickly by supplying new training data. Although machine learning algorithms have many advantages, their high computational complexity makes training time and prediction time long. In addition, the attack characteristic types selected by existing machine-learning-based DDoS detection methods are not wide enough, so the DDoS attack types that the trained detection model can identify are limited.
Disclosure of Invention
The embodiment of the invention provides a distributed denial of service detection method and device and a model creation method and device, to address the defect that the attack characteristic types selected by distributed denial of service detection methods in the prior art are not wide enough, which limits the distributed denial of service attack types that the trained detection model can identify, and to realize a comprehensive and efficient response to distributed denial of service.
An embodiment of a first aspect of the present invention provides a method for detecting a distributed denial of service, including:
extracting characteristic information of data to be detected; the characteristic information comprises at least one or more combinations of flood traffic characteristics, slow attack characteristics and application layer attack characteristics; the flood traffic characteristics are characteristics that reflect flood attacks, the slow attack characteristics are characteristics that reflect slow attacks, and the application layer attack characteristics are characteristics that reflect application layer distributed denial of service attacks;
inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and acquiring a detection result of whether the data to be detected contains a distributed denial of service attack; the distributed denial of service detection model is obtained by training, in a machine learning mode, on at least one or more combinations of the flood traffic characteristics, slow attack characteristics and application layer attack characteristics of known distributed denial of service attack data as sample data, and is used for obtaining a detection result of whether the data to be detected contains a distributed denial of service attack.
According to any embodiment of the present invention, the flood traffic characteristics include at least one or more of the following combinations: the duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_IP, the destination IP address feature dst_IP, and the destination port feature dst_port.
According to any embodiment of the present invention, the flood traffic characteristics further include at least one or more of the following combinations: the network layer protocol feature protocol, the network service or application layer protocol feature service, the connection state feature flag, the destination-host-to-source-host byte count feature des_bytes, the source port feature src_port, the wrong fragment count feature wrong_fragment, and the urgent packet count feature urgent.
Based on any embodiment of the invention, the slow attack features include: the same-destination-host interaction count feature dst_host_count.
According to any embodiment of the invention, the slow attack features further include at least one or more of the following combinations: the same-destination-host same-service interaction count feature dst_host_srv_count, the same-destination-host same-service rate feature dst_host_same_srv_rate, the same-destination-host different-service rate feature dst_host_diff_srv_rate, the same-destination-host same-source-port rate feature dst_host_same_src_port_rate, the same-destination-host same-service different-source-host rate feature dst_host_srv_diff_host_rate, the same-destination-host SYN error rate feature dst_host_serror_rate, the same-destination-host same-service SYN error rate feature dst_host_srv_serror_rate, the same-destination-host REJ error rate feature dst_host_rerror_rate, and the same-destination-host same-service REJ error rate feature dst_host_srv_rerror_rate.
Based on any embodiment of the invention, the application layer attack characteristics include: the file creation operation count feature num_file_creates.
According to any embodiment of the present invention, the application layer attack features further include at least one or more of the following combinations: the guest login indicator feature is_guest_login, the number of accesses to sensitive files and directories feature hot, the number of login failures feature num_failed_login, and the login success indicator feature logged_in.
Based on any embodiment of the present invention, inputting the characteristic information of the data to be detected into the pre-constructed distributed denial of service detection model includes:
performing dimensionality reduction on the characteristic information of the data to be detected, and inputting the dimensionality-reduced characteristic information of the data to be detected into the pre-constructed distributed denial of service detection model.
An embodiment of a second aspect of the present invention provides a method for constructing a distributed denial of service detection model, including:
extracting the characteristic information of known distributed denial of service attack data; the characteristic information comprises at least one or more combinations of flood traffic characteristics, slow attack characteristics and application layer attack characteristics; the flood traffic characteristics are characteristics that reflect flood attacks, the slow attack characteristics are characteristics that reflect slow attacks, and the application layer attack characteristics are characteristics that reflect application layer distributed denial of service attacks;
training, in a machine learning mode, with the characteristic information of the known distributed denial of service attack data as sample data, to generate a distributed denial of service detection model for acquiring the detection result of whether the data to be detected contains a distributed denial of service attack.
Based on any embodiment of the present invention, using the characteristic information of the known distributed denial of service attack data as sample data includes:
performing dimensionality reduction on the characteristic information of the known distributed denial of service attack data, and using the dimensionality-reduced characteristic information of the known distributed denial of service attack data as sample data.
An embodiment of a third aspect of the present invention provides a distributed denial of service detection apparatus, including:
a first characteristic information extraction module, used for extracting the characteristic information of the data to be detected; the characteristic information comprises at least one or more combinations of flood traffic characteristics, slow attack characteristics and application layer attack characteristics; the flood traffic characteristics are characteristics that reflect flood attacks, the slow attack characteristics are characteristics that reflect slow attacks, and the application layer attack characteristics are characteristics that reflect application layer distributed denial of service attacks;
a detection module, used for inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model and acquiring a detection result of whether the data to be detected contains a distributed denial of service attack; the distributed denial of service detection model is obtained by training, in a machine learning mode, on at least one or more combinations of the flood traffic characteristics, slow attack characteristics and application layer attack characteristics of known distributed denial of service attack data as sample data, and is used for obtaining a detection result of whether the data to be detected contains a distributed denial of service attack.
An embodiment of a fourth aspect of the present invention provides a distributed denial of service detection model construction apparatus, including:
a second characteristic information extraction module, used for extracting the characteristic information of the known distributed denial of service attack data; the characteristic information comprises at least one or more combinations of flood traffic characteristics, slow attack characteristics and application layer attack characteristics; the flood traffic characteristics are characteristics that reflect flood attacks, the slow attack characteristics are characteristics that reflect slow attacks, and the application layer attack characteristics are characteristics that reflect application layer distributed denial of service attacks;
a model training module, used for training, in a machine learning mode, with the characteristic information of the known distributed denial of service attack data as sample data, to generate a distributed denial of service detection model for acquiring the detection result of whether the data to be detected contains a distributed denial of service attack.
An embodiment of a fifth aspect of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor; when executing the program, the processor implements the steps of the distributed denial of service detection method according to the first aspect of the present invention or the steps of the distributed denial of service detection model creation method according to the second aspect of the present invention.
An embodiment of a sixth aspect of the present invention provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the distributed denial of service detection method as described in the first aspect of the present invention, or the steps of the distributed denial of service detection model creation method as described in the second aspect of the present invention.
The distributed denial of service detection method and device, and the model creation method and device, provided by the embodiments of the present invention extract one or more of the flood traffic characteristics, slow attack characteristics and application layer attack characteristics of the data to be detected, and can therefore simultaneously detect one or more of a flood attack, a slow attack and an application layer attack. This overcomes the defect that distributed denial of service detection methods in the prior art can only detect a single type of distributed denial of service, and gives the method a wider range of application.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flowchart of a distributed denial of service detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a distributed denial of service detection method according to another embodiment of the present invention;
FIG. 3 is a flowchart of a distributed denial of service detection method according to yet another embodiment of the present invention;
FIG. 4 is a flowchart of a method for creating a distributed denial of service detection model according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method for creating a distributed denial of service detection model according to yet another embodiment of the present invention;
FIG. 6 is a diagram illustrating a distributed denial of service detection apparatus according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating a distributed denial of service detection apparatus according to yet another embodiment of the present invention;
FIG. 8 is a diagram of a distributed denial of service detection model creation apparatus according to an embodiment of the present invention;
FIG. 9 is a diagram of a distributed denial of service detection model creation apparatus according to yet another embodiment of the present invention;
FIG. 10 illustrates a physical schematic of an electronic device;
FIG. 11 is a comparison of the prediction time of the distributed denial of service detection method of the present invention with that of the prior art;
FIG. 12 is a comparison of the prediction result metrics of the distributed denial of service detection method according to the embodiment of the present invention and the distributed denial of service detection method in the prior art.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a flowchart of a distributed denial of service detection method according to an embodiment of the present invention. As shown in FIG. 1, the distributed denial of service detection method according to the embodiment of the present invention includes:
Step 101, extracting characteristic information of the data to be detected.
In the embodiment of the present invention, the characteristic information of the data to be detected includes at least one of, or a combination of several of, flood traffic characteristics, slow attack characteristics, and application layer attack characteristics.
The flood traffic characteristics are characteristics that reflect flood attacks. When a flood attack occurs, the following is observed:
a large number of TCP packets belonging to normal connections exist in the network where the attacked server is located;
traffic in the network increases suddenly, congesting the network;
the network is flooded with a large number of spoofed source IP addresses;
a large number of identical or similar packets appear, because DDoS attack tools can replicate packets in large quantities;
source IP addresses are widely dispersed while destination addresses are concentrated;
a large number of invalid protocol messages appear because the attacker exploits some protocol weakness: the TCP three-way handshake and retransmission mechanisms, or UDP reflection, are used to emit a large number of identical service requests, eventually causing the host to crash.
Based on the above manifestations of a flood attack, in the embodiment of the present invention the extracted flood traffic features include: the duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_IP, the destination IP address feature dst_IP, and the destination port feature dst_port.
Those skilled in the art will appreciate that in other embodiments of the invention the flood traffic characteristics of the data to be detected are not limited to the combination of all of the aforementioned characteristics and may be a combination of one or more of them.
The slow attack features are features that reflect slow attacks.
Research shows that the intrusion pattern of a slow attack differs from that of a flood attack: many flood attack characteristics do not show up in a slow attack, and a slow attack lasts longer than a flood attack. When slow attack characteristics are collected, information about connections to the same destination host can be tallied over a window covering a given number of connection records; for example, information about the hosts with the same destination within 100 connection records is counted over a window of 100 connections.
In the embodiment of the present invention, the extracted slow attack features include: the same-destination-host interaction count feature dst_host_count.
The application layer attack characteristics are characteristics that reflect application layer distributed denial of service attacks. Application layer DDoS attacks typically enter the server through the application layer and consume computing and bandwidth resources through means such as script queries, file uploads and downloads, and database queries. The attack traffic closely resembles normal traffic and cannot be detected from header information alone, so in the embodiment of the invention the attack is assessed by counting how the data carried in the packets accesses the system.
In the embodiment of the present invention, the extracted application layer attack features include: the file creation operation count feature num_file_creates.
Step 102, inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and acquiring a detection result of whether the data to be detected contains a distributed denial of service attack.
In the embodiment of the invention, the distributed denial of service detection model is a model obtained by training, in a machine learning mode, on at least one or more combinations of the flood traffic characteristics, slow attack characteristics and application layer attack characteristics of known distributed denial of service attack data as sample data, and is used for obtaining a detection result of whether the data to be detected contains a distributed denial of service attack.
Known distributed denial of service attack data refers to data that has previously been identified as belonging to a distributed denial of service attack.
In the embodiment of the present invention, the flood traffic characteristics of the known distributed denial of service attack data include: the duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_IP, the destination IP address feature dst_IP, and the destination port feature dst_port. In other embodiments of the present invention, the flood traffic characteristics of the known distributed denial of service attack data are not limited to the combination of all the aforementioned characteristics and may be a combination of one or more of them.
In the embodiment of the present invention, the slow attack features of the known distributed denial of service attack data include: the same-destination-host interaction count feature dst_host_count.
In the embodiment of the present invention, the application layer attack features of the known distributed denial of service attack data include: the file creation operation count feature num_file_creates.
In the embodiment of the present invention, the distributed denial of service detection model is trained as a recurrent neural network (RNN); in other embodiments of the present invention, the distributed denial of service detection model may also be generated by other methods, such as a multi-layer perceptron (MLP) or a convolutional neural network (CNN).
The distributed denial of service detection method provided by the embodiment of the invention can detect one or more of the flood attack, slow attack and application layer attack types, overcomes the defect that distributed denial of service detection methods in the prior art can only detect a single type of distributed denial of service, and has a wider range of application.
FIG. 2 is a flowchart of a distributed denial of service detection method according to another embodiment of the present invention. As shown in FIG. 2, the distributed denial of service detection method according to this embodiment includes:
Step 201, extracting characteristic information of the data to be detected.
The data to be detected can be data collected from the internet. In this embodiment of the present invention, the extracted characteristic information includes flood traffic features and slow attack features.
The flood traffic characteristics are characteristics that reflect flood attacks. When a flood attack occurs, the following is observed:
a large number of TCP packets belonging to normal connections exist in the network where the attacked server is located;
traffic in the network increases suddenly, congesting the network;
the network is flooded with a large number of spoofed source IP addresses;
a large number of identical or similar packets appear, because DDoS attack tools can replicate packets in large quantities;
source IP addresses are widely dispersed while destination addresses are concentrated;
a large number of invalid protocol messages appear because the attacker exploits some protocol weakness: the TCP three-way handshake and retransmission mechanisms, or UDP reflection, are used to emit a large number of identical service requests, eventually causing the host to crash.
Based on the above manifestations of a flood attack, in the embodiment of the present invention the extracted flood traffic features include: the duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_IP, the destination IP address feature dst_IP, and the destination port feature dst_port.
Those skilled in the art will appreciate that in other embodiments of the present invention the extracted flood traffic characteristics of the data to be detected may also be a combination of one or more of the above characteristics.
The slow attack features are features that reflect slow attacks.
Research shows that the intrusion pattern of a slow attack differs from that of a flood attack: many flood attack characteristics do not show up in a slow attack, and a slow attack lasts longer than a flood attack. When slow attack characteristics are collected, information about connections to the same destination host can be tallied over a window covering a given number of connection records; for example, information about the hosts with the same destination within 100 connection records is counted over a window of 100 connections.
In the embodiment of the present invention, the extracted slow attack features include: the same-destination-host interaction count feature dst_host_count.
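As an added illustration of the windowed statistics described above (example code, not the patent's), the following Python streams constructed connection records through a window of the most recent records and computes the same-destination-host features named in the disclosure of this document, going beyond the single dst_host_count feature of this embodiment. The window length of 100 follows the page's example; the record fields, the exact rate definitions, and which connection-state flags count as SYN errors (S0 to S3) or REJ errors are assumptions.

```python
from collections import deque
from dataclasses import dataclass


# Connection-record fields assumed for this example (constructed, not the patent's schema).
@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    service: str   # e.g. "http", "ssh", "smtp"
    flag: str      # "SF" completed, "S0".."S3" SYN errors, "REJ" rejected


SYN_ERROR_FLAGS = {"S0", "S1", "S2", "S3"}   # assumption: connection states counted as SYN errors
REJ_FLAGS = {"REJ"}                           # assumption: connection states counted as REJ errors

# Fixed column order for the vector a detection model would consume.
FEATURE_ORDER = [
    "dst_host_count", "dst_host_srv_count", "dst_host_same_srv_rate",
    "dst_host_diff_srv_rate", "dst_host_same_src_port_rate",
    "dst_host_srv_diff_host_rate", "dst_host_serror_rate",
    "dst_host_srv_serror_rate", "dst_host_rerror_rate", "dst_host_srv_rerror_rate",
]


def _rate(matching, total):
    """Share of `total` records that satisfy a condition, rounded to 2 places; 0.0 on an empty set."""
    return round(matching / total, 2) if total else 0.0


def dst_host_features(window, conn):
    """Slow-attack features for `conn`, computed over `window` (which already contains `conn`)."""
    same_host = [c for c in window if c.dst_ip == conn.dst_ip]
    same_srv = [c for c in same_host if c.service == conn.service]
    n, m = len(same_host), len(same_srv)
    return {
        "dst_host_count": n,
        "dst_host_srv_count": m,
        "dst_host_same_srv_rate": _rate(m, n),
        "dst_host_diff_srv_rate": _rate(n - m, n),
        "dst_host_same_src_port_rate": _rate(sum(c.src_port == conn.src_port for c in same_host), n),
        "dst_host_srv_diff_host_rate": _rate(sum(c.src_ip != conn.src_ip for c in same_srv), m),
        "dst_host_serror_rate": _rate(sum(c.flag in SYN_ERROR_FLAGS for c in same_host), n),
        "dst_host_srv_serror_rate": _rate(sum(c.flag in SYN_ERROR_FLAGS for c in same_srv), m),
        "dst_host_rerror_rate": _rate(sum(c.flag in REJ_FLAGS for c in same_host), n),
        "dst_host_srv_rerror_rate": _rate(sum(c.flag in REJ_FLAGS for c in same_srv), m),
    }


def extract_slow_features(conns, window_size=100):
    """Push each record through a window of the last `window_size` records (current record
    included) and return one feature dict per record, in input order."""
    recent = deque(maxlen=window_size)
    features = []
    for c in conns:
        recent.append(c)
        features.append(dst_host_features(recent, c))
    return features


def as_vector(feats):
    """Numeric vector in FEATURE_ORDER, the form fed to the detection model."""
    return [float(feats[name]) for name in FEATURE_ORDER]


# Constructed sample: two normal HTTP sessions and an SSH login to one server, followed by
# half-open HTTP connections from several sources and a rejected SMTP attempt.
SAMPLE = [
    Conn("10.0.0.1", 40001, "192.168.1.10", "http", "SF"),
    Conn("10.0.0.1", 40002, "192.168.1.10", "http", "SF"),
    Conn("10.0.0.2", 51000, "192.168.1.10", "ssh", "SF"),
    Conn("10.0.0.3", 33001, "192.168.1.10", "http", "S0"),
    Conn("10.0.0.4", 33002, "192.168.1.10", "http", "S0"),
    Conn("10.0.0.5", 33003, "192.168.1.10", "http", "S0"),
    Conn("10.0.0.6", 25001, "192.168.1.10", "smtp", "REJ"),
]

if __name__ == "__main__":
    for conn, feats in zip(SAMPLE, extract_slow_features(SAMPLE)):
        print(conn.src_ip, conn.service, conn.flag, as_vector(feats))
```

With a short window the early normal sessions age out, so the SYN-error rate for the later half-open connections rises to 1.0; that sensitivity to window length is why the window size should be fixed consistently between training data and detection-time data.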
Step 202, inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and obtaining a detection result of whether the data to be detected contains a distributed denial of service attack.
In this embodiment of the invention, the distributed denial of service detection model is obtained by training on the flood traffic characteristics and the slow attack characteristics of known distributed denial of service attack data.
Known distributed denial of service attack data refers to data that has previously been identified as belonging to a distributed denial of service attack.
In the embodiment of the present invention, the flood traffic characteristics of the known distributed denial of service attack data include: the duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_IP, the destination IP address feature dst_IP, and the destination port feature dst_port. In other embodiments of the present invention, the flood traffic characteristics of the known distributed denial of service attack data are not limited to the combination of all the aforementioned characteristics and may be a combination of one or more of them.
The slow attack features of the known distributed denial of service attack data include: the same-destination-host interaction count feature dst_host_count.
In the embodiment of the present invention, the distributed denial of service detection model is trained as a recurrent neural network (RNN); in other embodiments of the present invention, the distributed denial of service detection model may also be generated by other methods, such as a multi-layer perceptron (MLP) or a convolutional neural network (CNN).
After the characteristic information of the data to be detected is input into the distributed denial of service detection model, the model can obtain the detection result of whether the data to be detected contains a distributed denial of service attack; specifically, it can determine whether the data to be detected contains a flood attack or a slow attack.
The distributed denial of service detection method provided by this embodiment of the invention can simultaneously detect the flood attack and the slow attack, overcomes the defect that distributed denial of service detection methods in the prior art can only detect a single type of distributed denial of service, and has a wider range of application.
Based on any of the above embodiments, in the distributed denial of service detection method provided in another embodiment of the present invention, the inputting the feature information of the data to be detected into the pre-constructed distributed denial of service detection model includes:
performing dimensionality reduction on the feature information of the data to be detected, and inputting the dimensionality-reduced feature information of the data to be detected into the pre-constructed distributed denial of service detection model.
In data mining and machine learning, data is represented as vectors. The complexity of many machine learning algorithms is closely related to the dimensionality of the data, in some cases even exponentially. To save computing resources and reduce computing time, dimension reduction needs to be performed on the data. Dimension reduction usually means a loss of information, but because real data is often correlated, this correlation can be exploited so that the information loss during dimension reduction is kept as small as possible.
There are various methods for reducing the dimensionality of data, such as Principal Component Analysis (PCA) and Linear Discriminant Analysis (LDA). In the embodiment of the invention, PCA is adopted to perform dimension reduction on the feature information of the data to be detected. The PCA dimension reduction method transforms the original data by a linear transformation into a set of representations whose dimensions are linearly uncorrelated; it can be used to extract the main feature components of the data and is commonly used for dimension reduction of high-dimensional data.
When PCA is adopted for dimensionality reduction, the implementation steps of the PCA operation can be adjusted to the scenario: for scenarios with high traffic volume and demanding detection-efficiency requirements, PCA can extract only the most significant principal components for dimensionality reduction; for scenarios with lower detection-efficiency requirements but high detection-accuracy requirements, more principal components can be selected for dimensionality reduction.
Taking m pieces of n-dimensional data as an example, when the PCA dimensionality reduction method is adopted:
First, the original data is arranged by columns into a matrix X with n rows and m columns; then each row of the matrix X (representing one attribute field) is zero-averaged, that is, the mean of that row is subtracted from it; then the covariance matrix of the zero-averaged matrix X is computed, and the eigenvalues of the covariance matrix and their corresponding eigenvectors are solved; finally, the eigenvectors are arranged into a matrix from top to bottom in order of decreasing eigenvalue, and the first k rows are taken to form the matrix P. The resulting matrix P is the data after the original data has been reduced to k dimensions.
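The PCA steps above, written out as an added Python example that is not code from the patent: X is laid out as n feature rows by m record columns, rows are zero-meaned, the covariance matrix is eigen-decomposed (the Jacobi solver is an assumed plain-Python stand-in for a library routine so the block runs without numpy), the top-k eigenvectors form P, and, going one step beyond the text, P is applied to the centred data to give the k-dimensional records Y = PX. The feature values in SAMPLE_X are constructed, and choose_k illustrates the efficiency-versus-accuracy trade-off described above.

```python
"""PCA dimension reduction laid out as the text describes it: X has n rows
(one per feature) and m columns (one per connection record).  Added example,
not the patent's code; the Jacobi eigen-solver is a plain-Python stand-in so
the block runs without numpy, and the sample feature values are constructed."""
import math

# Constructed sample: 5 of the page's features x 6 connection records.
FEATURE_NAMES = ["duration", "src_bytes", "des_bytes", "dst_host_count", "dst_host_srv_count"]
SAMPLE_X = [
    [0.0, 0.0, 1.0, 0.0, 12.0, 3.0],                  # duration
    [181.0, 239.0, 235.0, 219.0, 217.0, 212.0],       # src_bytes
    [5450.0, 486.0, 1337.0, 1337.0, 2032.0, 786.0],   # des_bytes
    [9.0, 19.0, 29.0, 39.0, 49.0, 59.0],              # dst_host_count
    [9.0, 19.0, 29.0, 39.0, 49.0, 59.0],              # dst_host_srv_count (redundant row)
]


def zero_mean_rows(X):
    """Step 2: subtract each row's mean so every attribute field is centred.
    Rows are only centred, not scaled, exactly as the text says; a feature with
    a large range (des_bytes here) therefore dominates the leading component
    unless the caller rescales the rows first."""
    return [[v - sum(row) / len(row) for v in row] for row in X]


def covariance_matrix(Xc):
    """Step 3: n x n covariance of the centred n x m matrix."""
    n, m = len(Xc), len(Xc[0])
    return [[sum(Xc[i][t] * Xc[j][t] for t in range(m)) / (m - 1)
             for j in range(n)] for i in range(n)]


def symmetric_eigen(A, tol=1e-18, max_sweeps=100):
    """Step 4: eigenvalues and eigenvectors of a symmetric matrix by cyclic
    Jacobi rotations (A <- J^T A J, V <- V J).  eigenvectors[i] belongs to
    eigenvalues[i]; each eigenvector is a unit vector of length n."""
    n = len(A)
    A = [row[:] for row in A]
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        diag = sum(A[i][i] ** 2 for i in range(n))
        if off <= tol * max(1.0, off + diag):   # relative convergence test
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                      # A <- A J (columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A (rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                      # V <- V J (eigenvectors)
                    vkp, vkq = V[k][p], V[k][q]
                    V[k][p], V[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    eigenvalues = [A[i][i] for i in range(n)]
    eigenvectors = [[V[k][i] for k in range(n)] for i in range(n)]
    return eigenvalues, eigenvectors


def pca_reduce(X, k):
    """Steps 1-5: centre the rows, take the covariance, eigen-decompose, sort the
    eigenvectors by decreasing eigenvalue and keep the top k as the k x n matrix
    P.  Going one step beyond the text, P is applied to the centred data to give
    the k x m reduced records Y = P X.  Also returns the retained variance ratio."""
    Xc = zero_mean_rows(X)
    vals, vecs = symmetric_eigen(covariance_matrix(Xc))
    order = sorted(range(len(vals)), key=lambda i: vals[i], reverse=True)
    P = [vecs[i] for i in order[:k]]
    Y = [[sum(P[r][i] * Xc[i][t] for i in range(len(Xc))) for t in range(len(Xc[0]))]
         for r in range(k)]
    total = sum(max(v, 0.0) for v in vals)              # clip rounding noise below 0
    kept = sum(max(vals[i], 0.0) for i in order[:k])
    return P, Y, (kept / total if total > 0.0 else 0.0)


def choose_k(X, target_ratio):
    """Smallest k whose retained variance ratio reaches target_ratio: a low target
    matches the high-throughput scenario (keep only the main component), a high
    target the accuracy-first scenario (keep several components)."""
    vals, _ = symmetric_eigen(covariance_matrix(zero_mean_rows(X)))
    vals = sorted((max(v, 0.0) for v in vals), reverse=True)
    total = sum(vals)
    running = 0.0
    for k, v in enumerate(vals, start=1):
        running += v
        if total > 0.0 and running / total >= target_ratio:
            return k
    return len(vals)


if __name__ == "__main__":
    P, Y, ratio = pca_reduce(SAMPLE_X, choose_k(SAMPLE_X, 0.95))
    print(f"kept {len(P)} of {len(SAMPLE_X)} dimensions, variance ratio {ratio:.4f}")
    for r, row in enumerate(Y):
        print(f"PC{r + 1}:", [round(v, 2) for v in row])
```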
With the distributed denial of service detection method provided by the embodiment of the invention, the prediction time is noticeably reduced after dimension reduction, and a better detection result is obtained with the selected feature parameters.
FIG. 11 compares the prediction time of the distributed denial of service detection method of the present invention with that of the prior art; fig. 12 compares the prediction result indexes of the distributed denial of service detection method according to the embodiment of the present invention with those of the prior-art distributed denial of service detection methods. In these two figures, PCA-RNN represents the distributed denial of service detection method provided by the embodiment of the present invention, and the prior-art distributed denial of service detection methods include: a BP (Back Propagation) Neural Network method, a PCA-BP method, an LSTM (Long Short-Term Memory network) method, a PCA-LSTM method, and an RNN (Recurrent Neural Network) method; the RNN method refers to the prior-art RNN method using other feature parameters.
As can be seen from fig. 11, the distributed denial of service detection method provided by the embodiment of the present invention is not the fastest of all the methods, but it requires only about 20% of the detection time of the LSTM method, and about 30% of the detection time of the prior-art RNN method.
In fig. 12, acc denotes the judgment accuracy and F1 denotes the confidence of that judgment accuracy. As can be seen from fig. 12, the distributed denial of service detection method provided in the embodiment of the present invention obtains a better detection result. Comparing with fig. 11, the BP algorithm, which has the shortest detection time in fig. 11, shows a clear gap in the accuracy of its detection result. Therefore, the distributed denial of service detection method provided by the embodiment of the invention achieves a better balance between detection time and detection result.
The distributed denial of service detection method provided by the embodiment of the invention can reduce the data processing amount, reduce the calculation complexity and improve the detection efficiency by performing dimension reduction processing on the characteristic information.
Based on any of the above embodiments, in the distributed denial of service detection method provided in another embodiment of the present invention, the flood traffic features include: the connection duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_ip, the destination IP address feature dst_ip, and the destination port feature dst_port, and further include: the network layer protocol feature protocol, the network service or application layer protocol feature service, the connection state feature flag, the destination-host-to-source-host byte count feature des_bytes, the source port feature src_port, the wrong fragment count feature wrong_fragment, and the urgent packet count feature urgent.
It will be appreciated by those skilled in the art that in other embodiments of the invention, the flood flow characteristics are not limited to a combination of all of the above features, but may be a combination of one or more of the above features.
The flood flow characteristics selected by the distributed denial of service detection method provided by the embodiment of the invention are more comprehensive, which is beneficial to better identifying the flood attack.
Based on any of the above embodiments, in the distributed denial of service detection method provided in another embodiment of the present invention, the slow attack features include: the same-destination-host interaction count feature dst_host_count, and further include: the same-destination-host same-service interaction count feature dst_host_srv_count, the same-destination-host same-service proportion feature dst_host_same_srv_rate, the same-destination-host different-service proportion feature dst_host_diff_srv_rate, the same-destination-host same-source-port proportion feature dst_host_same_src_port_rate, the same-destination-host same-service different-source-host proportion feature dst_host_srv_diff_host_rate, the same-destination-host SYN error proportion feature dst_host_serror_rate, the same-destination-host same-service SYN error proportion feature dst_host_srv_serror_rate, the same-destination-host REJ error proportion feature dst_host_rerror_rate, and the same-destination-host same-service REJ error proportion feature dst_host_srv_rerror_rate.
It will be appreciated by those skilled in the art that in other embodiments of the invention, the slow attack feature is not limited to a combination of all of the above features, but may be a combination of one or more of the above features.
The slow attack features selected by the distributed denial of service detection method provided by the embodiment of the invention are more comprehensive, which is beneficial to better identifying the slow attack.
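How the same-destination-host slow attack features listed above can be extracted from a stream of connection records, as an added Python example that is not the patent's code. The record layout, the sliding window of 100 connections, and the mapping of the connection state flag to "SYN error" (S0 to S3) and "REJ error" (REJ) are assumptions following the KDD Cup 99 conventions; the connection records are constructed.

```python
"""Extracting the page's dst_host_* slow attack features from connection
records.  Added illustration, not the patent's code.  Assumptions: each record
carries src_ip, dst_ip, service, src_port and a connection state flag; the
counts are taken over a window of the last 100 connections (current included);
flags S0..S3 count as SYN errors and REJ as a REJ error, as in KDD Cup 99."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str
    service: str
    src_port: int
    flag: str        # SF = normal completion, S0..S3 = SYN error, REJ = rejected


SYN_ERROR_FLAGS = {"S0", "S1", "S2", "S3"}
REJ_FLAGS = {"REJ"}
WINDOW = 100     # assumed window: the current connection plus the 99 before it


def _rate(part, whole):
    """Proportion feature; 0.0 when the denominator is empty."""
    return part / whole if whole else 0.0


def dst_host_features(history, current, window=WINDOW):
    """Slow attack features for `current`, counted over the last `window`
    connections of history + [current] (so dst_host_count is never zero)."""
    recent = (list(history) + [current])[-window:]
    same_host = [c for c in recent if c.dst_ip == current.dst_ip]
    same_srv = [c for c in same_host if c.service == current.service]
    n_host, n_srv = len(same_host), len(same_srv)
    return {
        "dst_host_count": n_host,
        "dst_host_srv_count": n_srv,
        "dst_host_same_srv_rate": _rate(n_srv, n_host),
        "dst_host_diff_srv_rate": _rate(n_host - n_srv, n_host),
        "dst_host_same_src_port_rate":
            _rate(sum(c.src_port == current.src_port for c in same_host), n_host),
        "dst_host_srv_diff_host_rate":
            _rate(sum(c.src_ip != current.src_ip for c in same_srv), n_srv),
        "dst_host_serror_rate":
            _rate(sum(c.flag in SYN_ERROR_FLAGS for c in same_host), n_host),
        "dst_host_srv_serror_rate":
            _rate(sum(c.flag in SYN_ERROR_FLAGS for c in same_srv), n_srv),
        "dst_host_rerror_rate":
            _rate(sum(c.flag in REJ_FLAGS for c in same_host), n_host),
        "dst_host_srv_rerror_rate":
            _rate(sum(c.flag in REJ_FLAGS for c in same_srv), n_srv),
    }


# Constructed records: several sources talking to 10.0.0.5, one to another host.
HISTORY = [
    Conn("192.0.2.10", "10.0.0.5", "http", 40001, "S0"),
    Conn("192.0.2.11", "10.0.0.5", "http", 40002, "SF"),
    Conn("192.0.2.12", "10.0.0.5", "ssh", 40001, "REJ"),
    Conn("192.0.2.10", "10.0.0.5", "http", 40003, "S0"),
    Conn("192.0.2.13", "10.0.0.9", "http", 40004, "SF"),
]
CURRENT = Conn("192.0.2.10", "10.0.0.5", "http", 40001, "S0")

if __name__ == "__main__":
    for name, value in dst_host_features(HISTORY, CURRENT).items():
        print(f"{name:30s} {value}")
```

The dictionary keys are the page's feature identifiers, so the values can be placed in a fixed order to form the model's input vector.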
Fig. 3 is a flowchart of a distributed denial of service detection method according to another embodiment of the present invention, and as shown in fig. 3, the distributed denial of service detection method according to another embodiment of the present invention includes:
step 301, extracting characteristic information of the data to be detected.
In the embodiment of the present invention, the feature information includes a flood flow feature, a slow attack feature, and an application layer attack feature.
The application layer attack features are features capable of reflecting application layer distributed denial of service attacks. Application layer DDoS attacks usually enter the server through the application layer and consume computing and bandwidth resources by means such as script queries, file uploads and downloads, and database queries. Such attack traffic is very similar to normal traffic and cannot be detected from the header information alone, so in the embodiment of the invention the attack is counted and judged from how the data carried in the packets accesses the system.
In the embodiment of the present invention, the extracted application layer attack features include: the file creation operation count feature num_file_creates.
The flood flow characteristics and the slow attack characteristics have been described in detail in the previous embodiments of the present invention, and thus will not be described repeatedly herein.
Step 302, inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and obtaining a detection result whether the data to be detected contains the distributed denial of service.
In the embodiment of the invention, the distributed denial of service detection model is obtained by training according to the flood flow characteristic, the slow attack characteristic and the application layer attack characteristic of the known distributed denial of service attack data.
In the embodiment of the present invention, the application layer attack features of the known distributed denial of service attack data include: the file creation operation count feature num_file_creates.
The flood flow characteristics and the slow attack characteristics have been described in detail in the previous embodiments of the present invention, and thus will not be described repeatedly herein.
After the characteristic information of the data to be detected is input into the distributed denial of service detection model, the distributed denial of service detection model can obtain the detection result of whether the data to be detected contains the distributed denial of service, and specifically, the distributed denial of service detection model can obtain the detection result of whether the data to be detected contains a flood attack or a slow attack or an application layer attack.
The distributed denial of service detection method provided by the embodiment of the invention can simultaneously detect the flood attack, the slow attack and the application layer attack, overcomes the defect that the distributed denial of service detection method in the prior art can only detect the distributed denial of service of a single type, and has wider application range.
Based on any of the above embodiments, in the distributed denial of service detection method provided in another embodiment of the present invention, the application layer attack features include: the file creation operation count feature num_file_creates, and further include: the guest login indicator feature is_guest_login, the count of accesses to sensitive files and directories feature hot, the login failure count feature num_failed_login, and the successful login indicator feature logged_in.
It will be appreciated by those skilled in the art that in other embodiments of the invention, the application layer attack features are not limited to a combination of all of the above features, but may be a combination of one or more of the above features.
The application layer attack features selected by the distributed denial of service detection method provided by the embodiment of the invention are more comprehensive, which is beneficial to better identifying application layer attacks.
Based on any of the above embodiments, fig. 4 is a flowchart of a method for creating a distributed denial of service detection model according to an embodiment of the present invention, and as shown in fig. 4, the method for creating a distributed denial of service detection model according to an embodiment of the present invention includes:
step 401, extracting the characteristic information of the known distributed denial of service attack data.
Known distributed denial of service attack data refers to data that has been previously identified as belonging to a distributed denial of service attack. The characteristic information comprises a flood flow characteristic and a slow attack characteristic.
In the embodiment of the present invention, the flood traffic features of the known distributed denial of service attack data include: the connection duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_ip, the destination IP address feature dst_ip, and the destination port feature dst_port. Those skilled in the art will understand that in other embodiments of the present invention, the flood traffic features of the known distributed denial of service attack data are not limited to the combination of all the above features, and may be a combination of one or more of them.
The slow attack features of the known distributed denial of service attack data include: the same-destination-host interaction count feature dst_host_count.
Step 402, using the feature information of the known distributed denial of service attack data as sample data and training in a machine learning manner to generate a distributed denial of service detection model for obtaining the detection result of whether the data to be detected contains a distributed denial of service.
In the embodiment of the invention, the distributed denial of service detection model is obtained by training an RNN (Recurrent Neural Network) with the flood traffic features and the slow attack features of the known distributed denial of service attack data. In other embodiments of the present invention, the distributed denial of service detection model may be generated by other methods, such as a Multi-layer Perceptron (MLP) or a Convolutional Neural Network (CNN).
The distributed denial of service detection model creation method provided by the embodiment of the invention can generate a distributed denial of service detection model for simultaneously detecting the flood attack and the slow attack, and the model can be used for detecting the flood attack and the slow attack, so that the defect that the distributed denial of service detection method in the prior art can only detect the distributed denial of service of a single type is overcome, and the application range is wider.
Based on any one of the embodiments, in the method for creating a distributed denial of service detection model according to still another embodiment of the present invention, the using the feature information of the known distributed denial of service attack data as sample data includes:
performing dimension reduction on the feature information of the known distributed denial of service attack data, and using the dimension-reduced feature information of the known distributed denial of service attack data as sample data.
In the embodiment of the present invention, a Principal Component Analysis (PCA) method is adopted to perform dimension reduction on the feature information of the known distributed denial of service attack data. The PCA dimension reduction method extracts components by means of a matrix transformation and sorts the extracted components.
When PCA is adopted for dimensionality reduction, the implementation steps of the PCA operation can be adjusted to the scenario: for scenarios with high traffic volume and demanding detection-efficiency requirements, PCA can extract only the most significant principal components for dimensionality reduction; for scenarios with lower detection-efficiency requirements but high detection-accuracy requirements, more principal components can be selected for dimensionality reduction.
The method for creating the distributed denial of service detection model provided by the embodiment of the invention can reduce the data processing amount, reduce the calculation complexity and improve the efficiency of model creation by performing dimension reduction processing on the characteristic information.
Based on any of the above embodiments, fig. 5 is a schematic diagram of a method for creating a distributed denial of service detection model according to still another embodiment of the present invention, and as shown in fig. 5, the method for creating a distributed denial of service detection model according to still another embodiment of the present invention includes:
Step 501, extracting the feature information of the known distributed denial of service attack data.
Known distributed denial of service attack data refers to data that has been previously identified as belonging to a distributed denial of service attack. The feature information comprises flood traffic features, slow attack features and application layer attack features.
In the embodiment of the invention, the application layer attack features comprise: the file creation operation count feature num_file_creates.
The flood flow characteristics and the slow attack characteristics have been described in detail in the previous embodiments of the present invention, and thus will not be described repeatedly herein.
Step 502, using the feature information of the known distributed denial of service attack data as sample data and training in a machine learning manner to generate a distributed denial of service detection model for obtaining the detection result of whether the data to be detected contains a distributed denial of service.
In the embodiment of the invention, the distributed denial of service detection model is obtained by training an RNN (Recurrent Neural Network) with the flood traffic features, the slow attack features and the application layer attack features of the known distributed denial of service attack data. In other embodiments of the present invention, the distributed denial of service detection model may also be generated by other methods, such as a Multi-layer Perceptron (MLP) or a Convolutional Neural Network (CNN).
The distributed denial of service detection model creation method provided by the embodiment of the invention can generate a distributed denial of service detection model for simultaneously detecting the flood attack, the slow attack and the application layer attack, and the model can be used for detecting the flood attack, the slow attack and the application layer attack, so that the defect that the distributed denial of service detection method in the prior art can only detect the distributed denial of service of a single type is overcome, and the application range is wider.
Based on any of the above embodiments, fig. 6 is a schematic diagram of a distributed denial of service detection apparatus provided in an embodiment of the present invention, and as shown in fig. 6, the distributed denial of service detection apparatus provided in an embodiment of the present invention includes:
a first feature information extraction module 601, configured to extract feature information of data to be detected; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; the flood flow characteristics are characteristics capable of reflecting flood attacks, the slow attack characteristics are characteristics capable of reflecting slow attacks, and the application layer attack characteristics are characteristics capable of reflecting application layer distributed denial of service attacks.
In the embodiment of the present invention, the flood traffic features of the data to be detected include one or more of the following: the connection duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_ip, the destination IP address feature dst_ip, and the destination port feature dst_port.
In another embodiment of the present invention, the flood traffic features of the data to be detected further include one or more of the following: the network layer protocol feature protocol, the network service or application layer protocol feature service, the connection state feature flag, the destination-host-to-source-host byte count feature des_bytes, the source port feature src_port, the wrong fragment count feature wrong_fragment, and the urgent packet count feature urgent.
In the embodiment of the present invention, the slow attack features of the data to be detected include: the same-destination-host interaction count feature dst_host_count. In another embodiment of the present invention, the slow attack features of the data to be detected further include one or more of the following: the same-destination-host same-service interaction count feature dst_host_srv_count, the same-destination-host same-service proportion feature dst_host_same_srv_rate, the same-destination-host different-service proportion feature dst_host_diff_srv_rate, the same-destination-host same-source-port proportion feature dst_host_same_src_port_rate, the same-destination-host same-service different-source-host proportion feature dst_host_srv_diff_host_rate, the same-destination-host SYN error proportion feature dst_host_serror_rate, the same-destination-host same-service SYN error proportion feature dst_host_srv_serror_rate, the same-destination-host REJ error proportion feature dst_host_rerror_rate, and the same-destination-host same-service REJ error proportion feature dst_host_srv_rerror_rate.
The detection module 602 is configured to input the feature information of the to-be-detected data into a pre-constructed distributed denial-of-service detection model, and obtain a detection result of whether the to-be-detected data includes a distributed denial-of-service; the distributed denial of service detection model is obtained by training at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics of known distributed denial of service attack data as sample data in a machine learning mode and is used for obtaining a detection result of whether the data to be detected contains the distributed denial of service.
In the embodiment of the present invention, the flood traffic features of the known distributed denial of service attack data include one or more of the following: the connection duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_ip, the destination IP address feature dst_ip, and the destination port feature dst_port. In another embodiment of the present invention, the flood traffic features of the known distributed denial of service attack data further include one or more of the following: the network layer protocol feature protocol, the network service or application layer protocol feature service, the connection state feature flag, the destination-host-to-source-host byte count feature des_bytes, the source port feature src_port, the wrong fragment count feature wrong_fragment, and the urgent packet count feature urgent.
In the embodiment of the present invention, the slow attack features of the known distributed denial of service attack data include: the same-destination-host interaction count feature dst_host_count. In another embodiment of the present invention, the slow attack features of the known distributed denial of service attack data further include one or more of the following: the same-destination-host same-service interaction count feature dst_host_srv_count, the same-destination-host same-service proportion feature dst_host_same_srv_rate, the same-destination-host different-service proportion feature dst_host_diff_srv_rate, the same-destination-host same-source-port proportion feature dst_host_same_src_port_rate, the same-destination-host same-service different-source-host proportion feature dst_host_srv_diff_host_rate, the same-destination-host SYN error proportion feature dst_host_serror_rate, the same-destination-host same-service SYN error proportion feature dst_host_srv_serror_rate, the same-destination-host REJ error proportion feature dst_host_rerror_rate, and the same-destination-host same-service REJ error proportion feature dst_host_srv_rerror_rate.
The distributed denial of service detection device provided by the embodiment of the invention can simultaneously detect the flood attack and the slow attack, overcomes the defect that the distributed denial of service detection device in the prior art can only detect the distributed denial of service of a single type, and has wider application range.
Based on any of the above embodiments, fig. 7 is a schematic diagram of a distributed denial of service detection apparatus according to another embodiment of the present invention, and as shown in fig. 7, the distributed denial of service detection apparatus according to another embodiment of the present invention includes:
a first feature information extraction module 701, configured to extract feature information of data to be detected; the characteristic information comprises a flood flow characteristic, a slow attack characteristic and an application layer attack characteristic.
The flood flow characteristics are characteristics capable of reflecting flood attacks, the slow attack characteristics are characteristics capable of reflecting slow attacks, and the application layer attack characteristics are characteristics capable of reflecting application layer distributed denial of service attacks.
In the embodiment of the invention, the application layer attack features comprise: the file creation operation count feature num_file_creates. In another embodiment of the present invention, the application layer attack features further include one or more of the following: the guest login indicator feature is_guest_login, the count of accesses to sensitive files and directories feature hot, the login failure count feature num_failed_login, and the successful login indicator feature logged_in.
The detection module 702 is configured to input the feature information of the to-be-detected data into a pre-constructed distributed denial-of-service detection model, and obtain a detection result of whether the to-be-detected data includes a distributed denial-of-service.
The distributed denial of service detection model is obtained by training according to known distributed denial of service attack data which comprises a flood flow characteristic, a slow attack characteristic and an application layer attack characteristic.
In the embodiment of the present invention, the application layer attack features of the known distributed denial of service attack data include: the file creation operation count feature num_file_creates. In another embodiment of the present invention, the application layer attack features of the known distributed denial of service attack data further include one or more of the following: the guest login indicator feature is_guest_login, the count of accesses to sensitive files and directories feature hot, the login failure count feature num_failed_login, and the successful login indicator feature logged_in.
The distributed denial of service detection device provided by the embodiment of the invention can simultaneously detect the flood attack, the slow attack and the application layer attack, overcomes the defect that the distributed denial of service detection method in the prior art can only detect the distributed denial of service of a single type, and has wider application range.
Based on any of the above embodiments, fig. 8 is a schematic diagram of a distributed denial of service detection model creation apparatus provided in an embodiment of the present invention, and as shown in fig. 8, the distributed denial of service detection model creation apparatus provided in an embodiment of the present invention includes:
a second feature information extraction module 801, configured to extract feature information of known distributed denial of service attack data; the characteristic information comprises a flood flow characteristic and a slow attack characteristic.
In the embodiment of the present invention, the flood traffic features of the known distributed denial of service attack data include one or more of the following: the connection duration feature duration, the source-host-to-destination-host byte count feature src_bytes, the source IP address feature src_ip, the destination IP address feature dst_ip, and the destination port feature dst_port. In another embodiment of the present invention, the flood traffic features of the known distributed denial of service attack data further include one or more of the following: the network layer protocol feature protocol, the network service or application layer protocol feature service, the connection state feature flag, the destination-host-to-source-host byte count feature des_bytes, the source port feature src_port, the wrong fragment count feature wrong_fragment, and the urgent packet count feature urgent.
In the embodiment of the present invention, the slow attack features of the known distributed denial of service attack data include: the same-destination-host interaction count feature dst_host_count. In another embodiment of the present invention, the slow attack features of the known distributed denial of service attack data further include one or more of the following: the same-destination-host same-service interaction count feature dst_host_srv_count, the same-destination-host same-service proportion feature dst_host_same_srv_rate, the same-destination-host different-service proportion feature dst_host_diff_srv_rate, the same-destination-host same-source-port proportion feature dst_host_same_src_port_rate, the same-destination-host same-service different-source-host proportion feature dst_host_srv_diff_host_rate, the same-destination-host SYN error proportion feature dst_host_serror_rate, the same-destination-host same-service SYN error proportion feature dst_host_srv_serror_rate, the same-destination-host REJ error proportion feature dst_host_rerror_rate, and the same-destination-host same-service REJ error proportion feature dst_host_srv_rerror_rate.
The model training module 802 is configured to use the feature information of the known distributed denial of service attack data as sample data, train it in a machine learning manner, and generate a distributed denial of service detection model that yields a detection result of whether the data to be detected contains a distributed denial of service attack.
The distributed denial of service detection model creation apparatus provided by this embodiment generates a detection model that detects flood attacks and slow attacks at the same time. This overcomes the defect of prior-art detection apparatus that can only detect a single type of distributed denial of service attack, so the range of application is wider.
Based on any of the above embodiments, fig. 9 is a schematic diagram of a distributed denial of service detection model creation apparatus according to still another embodiment of the present invention, and as shown in fig. 9, the distributed denial of service detection model creation apparatus according to still another embodiment of the present invention includes:
a second feature information extraction module 901, configured to extract feature information of known distributed denial of service attack data; the characteristic information comprises a flood flow characteristic, a slow attack characteristic and an application layer attack characteristic;
In an embodiment of the present invention, the application layer attack features of the known distributed denial of service attack data include: the file creation operation count feature num_file_creates. In another embodiment of the present invention, the application layer attack features of the known distributed denial of service attack data further include: the guest login flag feature is_guest_login, the sensitive file and directory access count feature hot, the login failure count feature num_failed_login, and the successful login flag feature logged_in.
The model training module 902 is configured to use the feature information of the known distributed denial of service attack data as sample data, train it in a machine learning manner, and generate a distributed denial of service detection model that yields a detection result of whether the data to be detected contains a distributed denial of service attack.
The distributed denial of service detection model creation apparatus provided by this embodiment generates a detection model that detects flood attacks, slow attacks and application layer attacks at the same time. This overcomes the defect of prior-art detection apparatus that can only detect a single type of distributed denial of service attack, so the range of application is wider.
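The following is an added example and not code from the patent or its applicants. It shows how the three feature groups described above (flood traffic features and application layer features read directly from a connection record, slow attack features derived from the history of connections to the same destination host) can be turned into one feature vector per connection, and how the model training module's train-then-detect flow, including the dimension reduction of claims 8 and 10, looks end to end. The patent does not specify the learner, the history window or which connection states count as SYN errors; the example assumes a 100-connection window and the S0-S3 states (the KDD'99 convention), uses a nearest-centroid classifier as a stand-in, and runs on constructed traffic, not captured data. All record field names and function names below are the example's own.

```python
"""Added example, not the patent's own code: derives the patent's flood-flow,
slow-attack and application-layer features from connection records and trains
a small classifier on them (nearest centroid stands in for the unspecified learner)."""
from collections import deque

# Assumptions (not stated in the patent): dst_host_* rates are computed over the
# 100 most recent earlier connections to the same destination host, the KDD'99
# convention, and S0-S3 are the "SYN error" connection states.
WINDOW = 100
SYN_ERROR_FLAGS = {"S0", "S1", "S2", "S3"}
# Per-connection fields used directly as numeric features (flood + application layer).
DIRECT = ["duration", "src_bytes", "des_bytes", "wrong_fragment", "urgent",
          "num_file_creates", "is_guest_login", "hot", "num_failed_login", "logged_in"]


def slow_features(records):
    """Yield the dst_host_* (slow-attack) features for each record, in arrival order."""
    history = {}  # dst_ip -> deque of the previous WINDOW connections to that host
    for rec in records:
        win = history.setdefault(rec["dst_ip"], deque(maxlen=WINDOW))
        same_srv = [r for r in win if r["service"] == rec["service"]]
        n = len(win)

        def rate(rows, pred):  # share of rows satisfying pred; 0 on an empty window
            return sum(1 for r in rows if pred(r)) / len(rows) if rows else 0.0

        feats = {
            "dst_host_count": n,
            "dst_host_srv_count": len(same_srv),
            "dst_host_same_srv_rate": len(same_srv) / n if n else 0.0,
            "dst_host_diff_srv_rate": (n - len(same_srv)) / n if n else 0.0,
            "dst_host_same_src_port_rate": rate(win, lambda r: r["src_port"] == rec["src_port"]),
            "dst_host_srv_diff_host_rate": rate(same_srv, lambda r: r["src_ip"] != rec["src_ip"]),
            "dst_host_serror_rate": rate(win, lambda r: r["flag"] in SYN_ERROR_FLAGS),
            "dst_host_srv_serror_rate": rate(same_srv, lambda r: r["flag"] in SYN_ERROR_FLAGS),
            "dst_host_rerror_rate": rate(win, lambda r: r["flag"] == "REJ"),
            "dst_host_srv_rerror_rate": rate(same_srv, lambda r: r["flag"] == "REJ"),
        }
        win.append(rec)
        yield feats


def feature_vectors(records):
    """One numeric vector per record: direct (flood/app-layer) fields + dst_host_* features."""
    return [[float(rec.get(k, 0)) for k in DIRECT] + list(slow.values())
            for rec, slow in zip(records, slow_features(records))]


class CentroidDetector:
    """Minimal learner: dimension reduction (drop constant columns, min-max scale), nearest centroid."""

    def fit(self, rows, labels):
        cols = list(zip(*rows))
        self.keep = [i for i, c in enumerate(cols) if max(c) > min(c)]  # claim 10: reduce dimensions
        self.lo = [min(cols[i]) for i in self.keep]
        self.hi = [max(cols[i]) for i in self.keep]
        groups = {}
        for row, label in zip(rows, labels):
            groups.setdefault(label, []).append(self._reduce(row))
        self.centroids = {lab: [sum(c) / len(c) for c in zip(*rs)] for lab, rs in groups.items()}
        return self

    def _reduce(self, row):  # same reduction is applied to data to be detected (claim 8)
        return [(row[i] - lo) / (hi - lo) for i, lo, hi in zip(self.keep, self.lo, self.hi)]

    def predict(self, row):
        x = self._reduce(row)
        return min(self.centroids, key=lambda lab: sum((a - b) ** 2 for a, b in zip(x, self.centroids[lab])))


def _conn(src_ip, flag, duration, src_bytes, des_bytes, src_port, logged_in):
    return dict(src_ip=src_ip, dst_ip="10.0.0.5", dst_port=80, src_port=src_port, protocol="tcp",
                service="http", flag=flag, duration=duration, src_bytes=src_bytes, des_bytes=des_bytes,
                wrong_fragment=0, urgent=0, logged_in=logged_in)


def sample_stream(octet):
    """Constructed traffic (not captured data): 20 benign HTTP sessions, then a 60-source
    SYN flood, then 30 long-lived near-empty connections from one host (slow attack).
    `octet` varies the source addresses so the held-out stream is not the training one."""
    benign = [_conn(f"10.{octet}.1.{i}", "SF", 2, 300 + i, 1500, 40000 + i, 1) for i in range(1, 21)]
    flood = [_conn(f"10.{octet}.2.{i}", "S0", 0, 0, 0, 1024 + i, 0) for i in range(1, 61)]
    slow = [_conn(f"10.{octet}.3.7", "SF", 300, 40, 0, 50000 + i, 0) for i in range(1, 31)]
    records = benign + flood + slow
    labels = ["normal"] * len(benign) + ["flood"] * len(flood) + ["slow"] * len(slow)
    return records, labels


def run_detection():
    """Train on one constructed stream, score a held-out one; return per-class accuracy."""
    train_recs, train_labels = sample_stream(2)
    model = CentroidDetector().fit(feature_vectors(train_recs), train_labels)
    test_recs, test_labels = sample_stream(3)
    hits, totals = {}, {}
    for row, label in zip(feature_vectors(test_recs), test_labels):
        totals[label] = totals.get(label, 0) + 1
        hits[label] = hits.get(label, 0) + (model.predict(row) == label)
    return {label: hits[label] / totals[label] for label in totals}


if __name__ == "__main__":
    print(run_detection())
```

Two things worth noticing when running it. First, the constant columns (wrong_fragment, urgent, the unused application-layer counters, and the rates that never vary in this traffic) are dropped by the reduction step, which is the practical effect of claims 8 and 10: features that carry no information for a given deployment are not fed to the model. Second, the dst_host_* features depend on the order and mix of connections in the stream, so a held-out stream that differs only in addresses, as here, is a smoke test of the pipeline and says nothing about real-world accuracy; a real evaluation needs traffic captured independently of the training data.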
Fig. 10 illustrates a physical structure diagram of an electronic device, and as shown in fig. 10, the electronic device may include: a processor (processor)1010, a communication Interface (Communications Interface)1020, a memory (memory)1030, and a communication bus 1040, wherein the processor 1010, the communication Interface 1020, and the memory 1030 communicate with each other via the communication bus 1040. Processor 1010 may call logic instructions in memory 1030 to perform the following method: extracting characteristic information of data to be detected; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and acquiring a detection result of whether the data to be detected contains distributed denial of service. Or performing the following method: extracting the characteristic information of known distributed denial of service attack data; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; and training by adopting the characteristic information of the known distributed denial of service attack data as sample data and adopting a machine learning mode to generate a distributed denial of service detection model for acquiring the detection result of whether the data to be detected contains distributed denial of service.
Furthermore, the logic instructions in the memory 1030 can be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented by a processor to perform the method provided by the foregoing embodiments, for example, including: extracting characteristic information of data to be detected; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and acquiring a detection result of whether the data to be detected contains distributed denial of service. Or for example, include: extracting the characteristic information of known distributed denial of service attack data; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; and training by adopting the characteristic information of the known distributed denial of service attack data as sample data and adopting a machine learning mode to generate a distributed denial of service detection model for acquiring the detection result of whether the data to be detected contains distributed denial of service.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. A method for distributed denial of service detection, comprising:
extracting characteristic information of data to be detected; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; the flood flow characteristics are characteristics capable of reflecting flood attacks, the slow attack characteristics are characteristics capable of reflecting slow attacks, and the application layer attack characteristics are characteristics capable of reflecting application layer distributed denial of service attacks;
inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model, and acquiring a detection result of whether the data to be detected contains distributed denial of service; the distributed denial of service detection model is a model which is obtained by training in a machine learning mode and is used for obtaining a detection result of whether the data to be detected contains distributed denial of service by taking at least one or more combinations of a flood flow characteristic, a slow attack characteristic and an application layer attack characteristic of known distributed denial of service attack data as sample data.
2. The distributed denial of service detection method of claim 1, wherein said flood traffic features comprise at least one of the following: the connection duration feature duration, the source-to-destination byte count feature src_bytes, the source IP address feature src_ip, the destination IP address feature dst_ip, and the destination port feature dst_port.
3. The distributed denial of service detection method of claim 2, wherein said flood traffic features further comprise at least one of the following: the network layer protocol feature protocol, the network service or application layer protocol feature service, the connection state feature flag, the destination-to-source byte count feature des_bytes, the source port feature src_port, the wrong fragment count feature wrong_fragment, and the urgent packet count feature urgent.
4. The distributed denial of service detection method of claim 1, wherein said slow attack features comprise: the same-destination-host connection count feature dst_host_count.
5. The distributed denial of service detection method of claim 4, wherein said slow attack features further comprise at least one of the following: the same-destination-host same-service connection count feature dst_host_srv_count, the same-destination-host same-service ratio feature dst_host_same_srv_rate, the same-destination-host different-service ratio feature dst_host_diff_srv_rate, the same-destination-host same-source-port ratio feature dst_host_same_src_port_rate, the same-destination-host same-service different-source-host ratio feature dst_host_srv_diff_host_rate, the same-destination-host SYN error ratio feature dst_host_serror_rate, the same-destination-host same-service SYN error ratio feature dst_host_srv_serror_rate, the same-destination-host REJ error ratio feature dst_host_rerror_rate, and the same-destination-host same-service REJ error ratio feature dst_host_srv_rerror_rate.
6. The distributed denial of service detection method of claim 1, wherein said application layer attack features comprise: the file creation operation count feature num_file_creates.
7. The distributed denial of service detection method of claim 6, wherein said application layer attack features further comprise at least one of the following: the guest login flag feature is_guest_login, the sensitive file and directory access count feature hot, the login failure count feature num_failed_login, and the successful login flag feature logged_in.
8. The distributed denial of service detection method of claim 1 wherein said entering the feature information of said data to be detected into a pre-constructed distributed denial of service detection model comprises:
and performing dimensionality reduction on the characteristic information of the data to be detected, and inputting the characteristic information of the data to be detected after dimensionality reduction into a pre-constructed distributed denial of service detection model.
9. A method for constructing a distributed denial of service detection model, comprising the following steps:
extracting the characteristic information of known distributed denial of service attack data; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; the flood flow characteristics are characteristics capable of reflecting flood attacks, the slow attack characteristics are characteristics capable of reflecting slow attacks, and the application layer attack characteristics are characteristics capable of reflecting application layer distributed denial of service attacks;
and training by adopting the characteristic information of the known distributed denial of service attack data as sample data and adopting a machine learning mode to generate a distributed denial of service detection model for acquiring the detection result of whether the data to be detected contains distributed denial of service.
10. The method according to claim 9, wherein the using the feature information of the known distributed denial of service attack data as sample data comprises:
and performing dimension reduction processing on the characteristic information of the known distributed denial of service attack data, and using the characteristic information of the known distributed denial of service attack data subjected to dimension reduction as sample data.
11. A distributed denial of service detection apparatus, comprising:
the first characteristic information extraction module is used for extracting the characteristic information of the data to be detected; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; the flood flow characteristics are characteristics capable of reflecting flood attacks, the slow attack characteristics are characteristics capable of reflecting slow attacks, and the application layer attack characteristics are characteristics capable of reflecting application layer distributed denial of service attacks;
the detection module is used for inputting the characteristic information of the data to be detected into a pre-constructed distributed denial of service detection model and acquiring a detection result of whether the data to be detected contains distributed denial of service; the distributed denial of service detection model is obtained by training at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics of known distributed denial of service attack data as sample data in a machine learning mode and is used for obtaining a detection result of whether the data to be detected contains the distributed denial of service.
12. A distributed denial of service detection model building apparatus, comprising:
the second characteristic information extraction module is used for extracting the characteristic information of the known distributed denial of service attack data; the characteristic information comprises at least one or more combinations of flood flow characteristics, slow attack characteristics and application layer attack characteristics; the flood flow characteristics are characteristics capable of reflecting flood attacks, the slow attack characteristics are characteristics capable of reflecting slow attacks, and the application layer attack characteristics are characteristics capable of reflecting application layer distributed denial of service attacks;
and the model training module is used for training by adopting the characteristic information of the known distributed denial of service attack data as sample data and adopting a machine learning mode to generate a distributed denial of service detection model for acquiring the detection result of whether the data to be detected contains distributed denial of service.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the distributed denial of service detection method of any of claims 1 to 8 or the steps of the distributed denial of service detection model construction method of claim 9 or 10.
14. A non-transitory computer readable storage medium, having stored thereon a computer program, wherein the computer program, when being executed by a processor, is adapted to carry out the steps of the distributed denial of service detection method of any of the claims 1 to 8, or the steps of the distributed denial of service detection model construction method of claim 9 or 10.
CN201911415231.8A 2019-12-31 2019-12-31 Distributed denial of service detection method and device and model creation method and device Pending CN111131309A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911415231.8A CN111131309A (en) 2019-12-31 2019-12-31 Distributed denial of service detection method and device and model creation method and device

Publications (1)

Publication Number Publication Date
CN111131309A true CN111131309A (en) 2020-05-08

Family

ID=70506677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911415231.8A Pending CN111131309A (en) 2019-12-31 2019-12-31 Distributed denial of service detection method and device and model creation method and device

Country Status (1)

Country Link
CN (1) CN111131309A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547129A (en) * 2009-05-05 2009-09-30 中国科学院计算技术研究所 Method and system for detecting distributed denial of service attack
WO2018041114A1 (en) * 2016-08-30 2018-03-08 北京长亭科技有限公司 Method and apparatus for detecting network attack, terminal device, and computer storage medium
CN108429753A (en) * 2018-03-16 2018-08-21 重庆邮电大学 A kind of matched industrial network DDoS intrusion detection methods of swift nature

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491906A (en) * 2020-12-01 2021-03-12 中山职业技术学院 Parallel network intrusion detection system and control method thereof
CN112804255A (en) * 2021-02-09 2021-05-14 中国人民解放军国防科技大学 Network abnormal node detection method based on node multidimensional characteristics
CN112804255B (en) * 2021-02-09 2022-10-18 中国人民解放军国防科技大学 Network abnormal node detection method based on node multidimensional characteristics
CN116132184A (en) * 2023-02-17 2023-05-16 中国工商银行股份有限公司 Method, device and server for detecting distributed denial of service attack

Similar Documents

Publication Publication Date Title
US20200344246A1 (en) Apparatus, system and method for identifying and mitigating malicious network threats
Choi et al. A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment
Bagui et al. Using machine learning techniques to identify rare cyber‐attacks on the UNSW‐NB15 dataset
CN109194680B (en) Network attack identification method, device and equipment
CN103428224B (en) A kind of method and apparatus of intelligence defending DDoS (Distributed Denial of Service) attacks
CN110933111B (en) DDoS attack identification method and device based on DPI
CN111131309A (en) Distributed denial of service detection method and device and model creation method and device
CN103179132A (en) Method and device for detecting and defending CC (challenge collapsar)
CN111565203B (en) Method, device and system for protecting service request and computer equipment
US10489720B2 (en) System and method for vendor agnostic automatic supplementary intelligence propagation
CN112671759A (en) DNS tunnel detection method and device based on multi-dimensional analysis
Sree et al. HADM: detection of HTTP GET flooding attacks by using Analytical hierarchical process and Dempster–Shafer theory with MapReduce
KR100950079B1 (en) Network abnormal state detection device using HMMHidden Markov Model and Method thereof
CN113242233B (en) Multi-classification botnet detection device
WO2019043804A1 (en) Log analysis device, log analysis method, and computer-readable recording medium
CN114257403A (en) False alarm detection method, equipment and readable storage medium
Catak Two-layer malicious network flow detection system with sparse linear model based feature selection
Shalini et al. DOCUS-DDoS detection in SDN using modified CUSUM with flash traffic discrimination and mitigation
CN113765849B (en) Abnormal network flow detection method and device
RU2647616C1 (en) Method of detecting brute force attack on web service
CN108650274B (en) Network intrusion detection method and system
CN112261004B (en) Method and device for detecting Domain Flux data stream
EP3621265B1 (en) Method and apparatus for detecting and mitigating information security threats in the internet
Glăvan et al. DDoS Detection and Prevention Based on Artificial Intelligence Techniques.
Vadlamani A survey on detection and defense of application layer DDoS attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200508