CN112242973A - DDoS attack detection method, device, computing equipment and computer storage medium - Google Patents


Info

Publication number
CN112242973A
Authority: CN (China)
Prior art keywords: tcp, header information, output, ddos attack, gate
Legal status: Pending
Application number: CN201910642020.1A
Other languages: Chinese (zh)
Inventors: 包森成, 方国强, 霍旺
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Zhejiang Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Zhejiang Co Ltd

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/1458 Denial of Service
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/14 Network analysis or design
                • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network


Abstract

Embodiments of the invention relate to the technical field of network security and disclose a DDoS attack detection method, apparatus, computing device and computer storage medium. The method comprises: extracting packet header information from network traffic; at every preset time unit, extracting a plurality of statistical features from the header information and abstracting them into a serialized numerical feature vector; and applying a long short-term memory (LSTM) network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack is occurring. In this way, embodiments of the invention model historical traffic with deep learning while covering both macroscopic-level and microscopic-level data, which reduces missed alarms and false alarms and improves the accuracy and stability of DDoS detection.

Description

DDoS attack detection method, device, computing equipment and computer storage medium
Technical Field
Embodiments of the invention relate to the technical field of network security, and in particular to a DDoS attack detection method, a DDoS attack detection apparatus, a computing device and a computer storage medium.
Background
A Distributed Denial of Service (DDoS) attack is a form of attack in which a large number of packets are sent so that a computer or network can no longer provide normal service. It can exhaust the network or system resources of the attacked target in a short time, so that legitimate user requests cannot be answered, causing great harm to the target and even to the network. Existing DDoS attack detection methods fall into three categories: one is based on information entropy; another is based on traffic features, in which hand-crafted features are extracted from network traffic, normal traffic is modelled, and a threshold is set. The detected traffic features are then compared with the normal traffic features, and traffic whose change exceeds the threshold range is judged to be attack traffic.
The information entropy-based method counts the traffic distribution within each time window; specifically, it can count the probability distribution of the accessed destination Internet Protocol (IP) addresses, destination ports and so on, and from these obtain the information entropy of the accessed destination IPs and destination ports. Since this method assumes that the distribution of accessed destination IPs within each time slice is uniform, the information entropy should be small. When a DDoS attack occurs, a large number of accesses are usually directed at a specific IP, so the accessed IPs in certain time slices are relatively concentrated, and the information entropy of the IP distribution therefore increases.
The traffic-feature-based detection method extracts hand-crafted features from normal traffic, establishes feature baselines for normal traffic, and sets a threshold. An attack is detected when the access traffic features exceed the baseline by the threshold. The traffic features are designed by hand and can be various statistics, such as the total traffic volume over a period or the number of TCP packets. The threshold is set according to personal experience, for example by judging traffic a certain percentage above the normal level to be an attack.
In implementing the embodiments of the present invention, the inventors found the following. The disadvantage of attack detection by information entropy is that false alarms or missed alarms result when the network environment does not meet its assumption. For example, in a normal situation the accessed destination IPs may themselves be relatively concentrated, for instance when a service suddenly becomes popular on a large scale, and the system may then misjudge. Or the attacked targets may be scattered when the DDoS occurs, so that the total information entropy remains very low even though an attack is under way, and the attack is missed. The main disadvantage of detection based on traffic features and manual thresholds is that it depends on human intervention and experience and is in essence a large set of rules. Because of the limits of hand-crafted features, only shallow features can be extracted and complex, hidden patterns cannot be expressed, so complex attack behaviours or novel attack patterns cannot be handled. In addition, once a manual threshold is introduced, how to determine it is itself a hard problem, and it directly governs the trade-off between false alarms and missed alarms.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention provide a DDoS attack detection method, apparatus, computing device and computer storage medium that overcome, or at least partially solve, the foregoing problems.
According to one aspect of the embodiments of the present invention, a DDoS attack detection method is provided, the method including: extracting packet header information from network traffic; at every preset time unit, extracting a plurality of statistical features from the header information and abstracting them into a serialized numerical feature vector; and applying a long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs.
In an optional manner, extracting the packet header information from the network traffic includes: obtaining the network traffic in bypass mode from a port mirror at the network entry; and extracting packet header information from the network traffic, the header information covering IP, TCP, UDP and ICMP packets.
In an optional manner, extracting a plurality of statistical features from the packet header information at every preset time unit and abstracting them into a serialized numerical feature vector includes: compiling statistics for a plurality of statistical features from the packet header information at every preset time unit; each time unit is one sample, and its statistical features are abstracted into a serialized numerical feature vector.
In an alternative approach, the statistical features include: the number of TCP packets, the number of UDP packets, the number of ICMP packets, the proportion of TCP packets, the proportion of UDP packets, the proportion of ICMP packets, the destination IP count, the destination port count, the information entropy of the destination IP distribution, the information entropy of the destination port distribution, the proportion of TCP SYN packets, the proportion of TCP ACK packets, the proportion of TCP RST packets, the number of newly established TCP connections, the number of closed TCP connections, the number of held (open) TCP connections, the TCP connection duration, and the UDP packet size.
In an optional manner, applying the long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs, includes: inputting the feature vectors of N consecutive time units into the long short-term memory network model, N being a positive integer; modelling with the long short-term memory network model over the time sequence and outputting an external state; passing the external state through a fully connected layer for weighted nonlinear activation output; and, from the output of the fully connected layer, performing classification with maximum-probability output through a softmax classifier, deciding whether a DDoS attack occurs.
In an alternative mode, the long short-term memory network model comprises a forget gate, an input gate, an output gate, a state unit and an output result, and is computed according to the following formulas:
$f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
$i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
$o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
$h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the state unit, $h_t$ the external state, $W_i$ the weight matrix of the input gate, $b_i$ the bias term of the input gate, $W_f$ the weight matrix of the forget gate, $b_f$ the bias term of the forget gate, $W_o$ the weight matrix of the output gate, $b_o$ the bias term of the output gate, and $U_f$, $U_i$, $U_o$ the corresponding recurrent weight matrices applied to the previous external state $h_{t-1}$. The gate activation function is the sigmoid $\sigma$, whose range is (0, 1); the output activation function is $\tanh$; and $\odot$ denotes the element-wise (Hadamard) product of vectors.
In an optional manner, the method further includes: when a DDoS attack is determined to be occurring, ranking the accessed IPs in the current time unit from high to low by access count, and extracting the source IPs corresponding to the first k destination IPs as the DDoS sources.
According to another aspect of the embodiments of the present invention, a DDoS attack detection apparatus is provided, including: a header information obtaining unit configured to extract packet header information from network traffic; a feature extraction unit configured to extract a plurality of statistical features from the packet header information at every preset time unit and abstract them into a serialized numerical feature vector; and a modeling unit configured to apply a long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs.
According to another aspect of the embodiments of the present invention, a computing device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory stores at least one executable instruction, and the executable instruction causes the processor to execute the steps of the DDoS attack detection method.
According to another aspect of the embodiments of the present invention, a computer storage medium is provided, storing at least one executable instruction that causes a processor to execute the steps of the DDoS attack detection method.
Embodiments of the invention extract packet header information from network traffic; at every preset time unit, extract a plurality of statistical features from the header information and abstract them into a serialized numerical feature vector; and apply a long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs. Historical traffic is thus modelled with deep learning while both macroscopic-level and microscopic-level data are covered, which reduces missed alarms and false alarms and improves the accuracy and stability of DDoS detection.
The foregoing is only an overview of the technical solutions of the embodiments of the present invention. So that the technical means of the embodiments can be understood more clearly, they may be implemented according to the content of this description; and so that the foregoing and other objects, features and advantages of the embodiments become clearer and easier to understand, the detailed description of the present invention is provided below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a schematic flow diagram of a DDoS attack detection method provided by an embodiment of the present invention;
FIG. 2 shows an LSTM model diagram of a DDoS attack detection method provided by the embodiment of the present invention;
fig. 3 shows a schematic diagram of unit computation of an LSTM model of a DDoS attack detection method provided by an embodiment of the present invention;
fig. 4 shows a schematic structural diagram of a DDoS attack detection apparatus provided in an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computing device provided by an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a flow diagram of a DDoS attack detection method provided by an embodiment of the present invention. As shown in fig. 1, the DDoS attack detection method includes:
Step S11: extracting the packet header information from the network traffic.
To avoid affecting normal service, DDoS attack detection is performed in bypass mode: the incoming network traffic is mirrored directly from the network entry to the analysis equipment. In step S11, the network traffic is obtained in bypass mode from the port mirror at the network entry, and the packet header information is extracted from it, including the header information of IP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets.
From the header information of each packet, the source IP, destination IP, source port, destination port, protocol type, data size, Time To Live (TTL), TCP flags and TCP state of the flow are obtained; this covers information such as new connection, connection kept open, connection closed and ICMP Type.
Step S12: at every preset time unit, extracting a plurality of statistical features from the packet header information and abstracting them into a serialized numerical feature vector.
Since the various pieces of information extracted from the traffic data cannot be used directly for modelling, the raw data must first be preprocessed to extract the necessary features. Specifically, a plurality of statistical features are compiled from the packet header information at every preset time unit; each time unit is one sample, and its statistical features are abstracted into a serialized numerical feature vector.
In the embodiment of the present invention, the raw traffic data is divided into many small blocks using time units of equal length, for example every 5 seconds as one time unit. The statistical features are abstracted per source IP and include: the number of TCP packets, the number of UDP packets, the number of ICMP packets, the proportion of TCP packets, the proportion of UDP packets, the proportion of ICMP packets, the destination IP count, the destination port count, the information entropy of the destination IP distribution, the information entropy of the destination port distribution, the proportion of TCP synchronization sequence number (SYN) packets, the proportion of TCP acknowledgement (ACK) packets, the proportion of TCP reset connection (RST) packets, the number of newly established TCP connections, the number of closed TCP connections, the number of held TCP connections, the TCP connection duration, and the UDP packet size. These features cover macroscopic characteristics such as protocol type, protocol subtype and request-response duration as well as microscopic characteristics such as protocol flags, so both the macroscopic state and the microscopic details are taken into account.
Each time unit is one sample, for example the communication behaviour of one source IP within a time unit such as 5 minutes. The statistical features of each sample $d(i) \in \{d_0, d_1, \ldots, d_n\}$ are abstracted into a serialized numerical feature vector $[[d_{11}, d_{12}, \ldots, d_{1m}], [d_{21}, d_{22}, \ldots, d_{2m}], \ldots, [d_{n1}, d_{n2}, \ldots, d_{nm}]]$, forming a feature matrix of size $n \times m$, where $n$ is the length of the time series and $m$ is the number of features. For example, the statistics collected every 10 seconds for the preceding 10 s include the number of TCP packets, the proportion of TCP packets, the distribution information entropy of source IP, destination IP, source port and destination port, the proportion of SYN packets, the proportion of ACK packets, and so on. The statistical indicators of the first N consecutive time units are preprocessed and then input into a Long Short-Term Memory (LSTM) network model.
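As an added illustration of step S12 (not code from the patent), the following Python builds the n × m feature sequence from packet header records. The record layout, the constructed packets, and the rule used to sort TCP packets into new, closed and held connections (SYN without ACK opens a connection; FIN or RST closes one; any other TCP packet belongs to a held connection) are assumptions; the TCP connection-duration feature is omitted because it needs flow tracking across time units, and UDP packet size is reported as a per-unit mean.

```python
"""Per-time-unit statistical features from packet header records (illustration of step S12).

Added example, not the patent's code. Packet records are constructed in-line and the
field layout (timestamp, src_ip, dst_ip, src_port, dst_port, proto, tcp_flags, size) is an
assumption.
"""
from collections import Counter
from math import log2

# Constructed sample for one source IP: (timestamp_s, src_ip, dst_ip, src_port, dst_port,
# proto, tcp_flags, size_bytes). proto is "TCP", "UDP" or "ICMP"; tcp_flags is a set of
# flag names (empty for non-TCP packets).
SAMPLE_PACKETS = [
    # time unit 0 (0-5 s): a short, varied conversation
    (0.5, "10.0.0.5", "192.0.2.10", 40001, 80, "TCP", {"SYN"}, 60),
    (0.7, "10.0.0.5", "192.0.2.10", 40001, 80, "TCP", {"ACK"}, 52),
    (1.2, "10.0.0.5", "192.0.2.11", 40002, 443, "TCP", {"SYN"}, 60),
    (1.9, "10.0.0.5", "192.0.2.11", 40002, 443, "TCP", {"FIN", "ACK"}, 52),
    (2.4, "10.0.0.5", "192.0.2.12", 40003, 53, "UDP", set(), 80),
    (3.1, "10.0.0.5", "192.0.2.12", 0, 0, "ICMP", set(), 64),
    # time unit 1 (5-10 s): SYNs concentrated on one destination, then a reset
    (5.1, "10.0.0.5", "192.0.2.10", 40010, 80, "TCP", {"SYN"}, 60),
    (5.2, "10.0.0.5", "192.0.2.10", 40011, 80, "TCP", {"SYN"}, 60),
    (5.3, "10.0.0.5", "192.0.2.10", 40012, 80, "TCP", {"SYN"}, 60),
    (5.4, "10.0.0.5", "192.0.2.10", 40013, 80, "TCP", {"SYN"}, 60),
    (6.0, "10.0.0.5", "192.0.2.10", 40014, 80, "TCP", {"RST"}, 40),
]

FEATURE_NAMES = [
    "tcp_count", "udp_count", "icmp_count",
    "tcp_ratio", "udp_ratio", "icmp_ratio",
    "dst_ip_count", "dst_port_count",
    "dst_ip_entropy", "dst_port_entropy",
    "syn_ratio", "ack_ratio", "rst_ratio",
    "tcp_new", "tcp_closed", "tcp_held",
    "udp_mean_size",
]


def entropy(counts):
    """Shannon entropy in bits of a Counter of observations."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values())


def features_for_unit(packets):
    """Abstract one time unit's packets into the numeric feature vector (one sample)."""
    n = len(packets)
    tcp = [p for p in packets if p[5] == "TCP"]
    udp = [p for p in packets if p[5] == "UDP"]
    icmp = [p for p in packets if p[5] == "ICMP"]
    dst_ips = Counter(p[2] for p in packets)
    dst_ports = Counter(p[4] for p in packets if p[5] != "ICMP")  # ICMP has no ports

    def share(k, total):
        return k / total if total else 0.0

    # Connection-state rule (assumed): SYN without ACK opens, FIN or RST closes,
    # any other TCP packet belongs to a held (established) connection.
    syn = sum(1 for p in tcp if "SYN" in p[6] and "ACK" not in p[6])
    ack = sum(1 for p in tcp if "ACK" in p[6])
    rst = sum(1 for p in tcp if "RST" in p[6])
    closed = sum(1 for p in tcp if "FIN" in p[6] or "RST" in p[6])
    held = len(tcp) - syn - closed
    udp_mean = share(sum(p[7] for p in udp), len(udp))
    return [
        len(tcp), len(udp), len(icmp),
        share(len(tcp), n), share(len(udp), n), share(len(icmp), n),
        len(dst_ips), len(dst_ports),
        entropy(dst_ips), entropy(dst_ports),
        share(syn, len(tcp)), share(ack, len(tcp)), share(rst, len(tcp)),
        syn, closed, held,
        udp_mean,
    ]


def build_sequence(packets, unit_seconds=5.0):
    """Split packets into fixed time units and return the n x m feature matrix
    (n = number of time units, m = len(FEATURE_NAMES)); empty units yield zero rows."""
    if not packets:
        return []
    ordered = sorted(packets, key=lambda p: p[0])
    first = int(ordered[0][0] // unit_seconds)
    last = int(ordered[-1][0] // unit_seconds)
    buckets = [[] for _ in range(last - first + 1)]
    for p in ordered:
        buckets[int(p[0] // unit_seconds) - first].append(p)
    return [features_for_unit(b) for b in buckets]


if __name__ == "__main__":
    for t, row in enumerate(build_sequence(SAMPLE_PACKETS)):
        print(f"unit {t}:", dict(zip(FEATURE_NAMES, row)))
```

Run on the constructed sample, the second time unit shows the pattern the text is after: destination IP and port entropy drop to zero while the SYN proportion and new-connection count rise, which is the macroscopic and microscopic combination the sequence feeds to the model.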
Step S13: applying the long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs.
For the statistical features of time-series traffic data, the embodiment of the invention adopts an LSTM recurrent neural network model to model the time series, which addresses the long- and short-term dependency problem of time-series tasks. The LSTM improves the Recurrent Neural Network (RNN) unit (cell) structure by introducing a new internal state $c_t$, dedicated to linear recurrent information transfer, while using a nonlinear activation function to output information to the external state $h_t$ of the hidden layer. The LSTM model can learn and predict important events separated by very long intervals and delays in a time series, can capture the before-and-after correlation of traffic, and extracts deep features.
In step S13, the feature vectors of N consecutive time units are input into the long short-term memory network model, N being a positive integer; the model models the time sequence and outputs an external state; the external state is passed through a fully connected layer for weighted nonlinear activation output; and, from the output of the fully connected layer, a softmax classifier performs classification with maximum-probability output, deciding whether a DDoS attack occurs.
The LSTM model, shown in figs. 2 and 3, includes an input layer, a hidden layer, a fully connected layer and a Softmax classifier layer. The long short-term memory network model comprises a forget gate, an input gate, an output gate, a state unit and an output result. $x_t$ is the feature vector input at the $t$-th moment. The forget gate $f_t$ controls how much information of the internal state $c_{t-1}$ of the previous moment needs to be forgotten; the input gate $i_t$ controls how much information of the candidate state at the current moment [formula image BDA0002132203300000072] needs to be saved; and the output gate $o_t$ controls how much information of the internal state $c_t$ at the current moment needs to be output to the external state $h_t$. Specifically, the model is obtained by the following formula [formula image BDA0002132203300000073], the state update function is obtained by a nonlinear function [formula image BDA0002132203300000071], and the gates and the external state are:
Forget gate: $f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
Input gate: $i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
Output gate: $o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
Output of the external state $h_t$: $h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the state unit, $h_t$ the external state, $W_i$ the weight matrix of the input gate, $b_i$ the bias term of the input gate, $W_f$ the weight matrix of the forget gate, $b_f$ the bias term of the forget gate, $W_o$ the weight matrix of the output gate, $b_o$ the bias term of the output gate, and $U_f$, $U_i$, $U_o$ the corresponding recurrent weight matrices applied to the previous external state $h_{t-1}$. The gate activation function is the sigmoid $\sigma$, whose range is (0, 1); the output activation function is $\tanh$; and $\odot$ denotes the element-wise (Hadamard) product of vectors.
The output external state is passed through the fully connected layer for weighted nonlinear activation output; the fully connected layer is computed as $F_t = \sigma(w h_t + F_b)$, where $w$ is the weight matrix of the fully connected layer and $F_b$ is its bias term.
The Softmax classifier layer outputs the results, maximizing the output probability of each class, distinguishes malicious traffic from normal traffic, and thereby decides whether a DDoS attack occurs: if the traffic is malicious, a DDoS attack is occurring; if the traffic is normal, no DDoS attack is occurring.
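As an added, runnable illustration of the computation just described (not code from the patent), the following pure-Python forward pass implements the forget, input and output gates, the external-state output $h_t = o_t \odot \tanh(c_t)$, the fully connected layer $F_t = \sigma(w h_t + F_b)$ and the softmax classifier over N time units of feature vectors. The patent's candidate-state and state-update formulas are present only as images, so the standard LSTM forms ($\tilde c_t = \tanh(W_c x_t + U_c h_{t-1} + b_c)$ and $c_t = f_t \odot c_{t-1} + i_t \odot \tilde c_t$) are used for them; all weights are constructed constants rather than trained parameters, and output index 1 meaning "DDoS" is an assumed convention.

```python
"""Forward pass of the LSTM -> fully connected -> softmax classifier (illustration of step S13).

Added example, not the patent's code. Weights are constructed constants, not trained
parameters. The candidate-state and cell-update equations use the standard LSTM forms
(assumption: the patent shows its own versions only as images).
"""
from math import exp, tanh


def sigmoid(z):
    """Gate activation, range (0, 1)."""
    return 1.0 / (1.0 + exp(-z))


def matvec(M, v):
    """Matrix-vector product on plain lists."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def vadd(*vs):
    """Element-wise sum of equally sized vectors."""
    return [sum(col) for col in zip(*vs)]


def hadamard(a, b):
    """Element-wise (Hadamard) product, the circled-dot operator of the formulas."""
    return [x * y for x, y in zip(a, b)]


def lstm_step(x_t, h_prev, c_prev, P):
    """One LSTM unit step. Returns (h_t, c_t, gates)."""
    f_t = [sigmoid(v) for v in vadd(matvec(P["Wf"], x_t), matvec(P["Uf"], h_prev), P["bf"])]
    i_t = [sigmoid(v) for v in vadd(matvec(P["Wi"], x_t), matvec(P["Ui"], h_prev), P["bi"])]
    o_t = [sigmoid(v) for v in vadd(matvec(P["Wo"], x_t), matvec(P["Uo"], h_prev), P["bo"])]
    # Candidate state and linear state update (standard LSTM form, assumed).
    c_tilde = [tanh(v) for v in vadd(matvec(P["Wc"], x_t), matvec(P["Uc"], h_prev), P["bc"])]
    c_t = vadd(hadamard(f_t, c_prev), hadamard(i_t, c_tilde))
    h_t = hadamard(o_t, [tanh(v) for v in c_t])  # external state h_t = o_t * tanh(c_t)
    return h_t, c_t, {"f": f_t, "i": i_t, "o": o_t}


def softmax(z):
    """Numerically stable softmax; the largest entry is the classifier's decision."""
    m = max(z)
    e = [exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def classify_sequence(seq, P):
    """Run N feature vectors through the LSTM, then F_t = sigma(w h_t + F_b), then softmax.
    Returns ({"normal": p0, "ddos": p1}, label); label 1 means DDoS (assumed convention)."""
    hidden = len(P["bf"])
    h, c = [0.0] * hidden, [0.0] * hidden  # initial state before the first time unit
    for x_t in seq:
        h, c, _ = lstm_step(x_t, h, c, P)
    fc = [sigmoid(v) for v in vadd(matvec(P["w"], h), P["Fb"])]
    probs = softmax(fc)
    return {"normal": probs[0], "ddos": probs[1]}, probs.index(max(probs))


def constructed_params(m=3, hidden=2, classes=2):
    """Deterministic toy weights (entries in {-1, 0, 1} times a scale) so the example runs offline."""
    def mat(rows, cols, scale):
        return [[scale * ((r + 1) * (k + 1) % 3 - 1) for k in range(cols)] for r in range(rows)]
    P = {}
    for g in "fioc":
        P["W" + g] = mat(hidden, m, 0.5)
        P["U" + g] = mat(hidden, hidden, 0.3)
        P["b" + g] = [0.0] * hidden
    P["w"] = mat(classes, hidden, 1.0)
    P["Fb"] = [0.0] * classes
    return P


if __name__ == "__main__":
    seq = [[1.0, 0.0, 0.5], [0.2, 0.9, 0.1], [0.0, 1.0, 1.0]]  # constructed, N = 3 time units
    print(classify_sequence(seq, constructed_params()))
```

With a zero initial state, the first step's gates reduce to $\sigma(W x_1)$, which makes the gate values easy to check by hand; with trained weights the same loop is the inference path that decides each time unit's normal/DDoS label.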
The LSTM model predicts whether the current traffic is abnormal from the traffic statistical features of a sequence of time units, and when it is abnormal, the specific DDoS traffic is extracted from the current time unit. Specifically, the LSTM model performs classification and its output is whether DDoS is occurring: if no DDoS attack is occurring, the model returns to the initial state and continues to model subsequent traffic data; otherwise the detection result is output. When a DDoS attack is determined to be occurring, the accessed IPs in the current time unit are ranked from high to low by access count, and the source IPs corresponding to the first k destination IPs are extracted as the DDoS sources, k being a positive integer.
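The decision and source-extraction step just described, as an added example that is not the patent's own code. The per-unit packet records are constructed (source_ip, destination_ip) pairs, and k defaults to 2.

```python
"""Extracting DDoS sources from the current time unit once the classifier reports an attack.

Added example, not the patent's code. The per-unit records are constructed
(source_ip, destination_ip) pairs.
"""
from collections import Counter, defaultdict

# Constructed packets of one time unit: (source_ip, destination_ip)
UNIT_PACKETS = [
    ("203.0.113.7", "192.0.2.10"), ("203.0.113.7", "192.0.2.10"), ("203.0.113.7", "192.0.2.10"),
    ("203.0.113.8", "192.0.2.10"), ("203.0.113.8", "192.0.2.10"),
    ("198.51.100.3", "192.0.2.11"), ("198.51.100.3", "192.0.2.11"),
    ("198.51.100.4", "192.0.2.12"),
]


def rank_targets(packets):
    """Accessed destination IPs ordered from most to least accessed (ties broken by address)."""
    counts = Counter(dst for _, dst in packets)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def ddos_sources(packets, k):
    """Source IPs that addressed each of the first k destination IPs, as in the text."""
    top = [dst for dst, _ in rank_targets(packets)[:k]]
    by_dst = defaultdict(set)
    for src, dst in packets:
        if dst in top:
            by_dst[dst].add(src)
    return {dst: sorted(by_dst[dst]) for dst in top}


def handle_time_unit(is_attack, packets, k=2):
    """Decision step from the text: no attack -> return to the initial state (None) and keep
    modelling the next unit; attack -> output the detection result for this unit."""
    if not is_attack:
        return None
    ranked = rank_targets(packets)[:k]
    return {"targets": [dst for dst, _ in ranked],
            "access_counts": dict(ranked),
            "sources": ddos_sources(packets, k)}


if __name__ == "__main__":
    print(handle_time_unit(True, UNIT_PACKETS))
```

The addresses recovered this way are only what the headers carry; in volumetric floods source addresses are frequently spoofed, so a practitioner would treat the list as candidates for filtering or further correlation rather than as confirmed origins.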
Embodiments of the invention start entirely from the data, take both macroscopic-level and microscopic-level data into account, rely on artificial intelligence techniques and use the LSTM model for time-series modelling of the traffic. This removes the assumption of existing methods that the IPs targeted by a DDoS attack are randomly distributed, reduces missed and false alarms, and also makes up for the weak detection capability that simple rules and manual thresholds give existing baseline detection methods. Compared with a traditional machine-learning approach, it overcomes the problem that modelling only microscopic data misses certain special DDoS attacks, improving the accuracy and stability of DDoS detection.
Embodiments of the invention extract packet header information from network traffic; at every preset time unit, extract a plurality of statistical features from the header information and abstract them into a serialized numerical feature vector; and apply a long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs. Historical traffic is thus modelled with deep learning while both macroscopic-level and microscopic-level data are covered, which reduces missed alarms and false alarms and improves the accuracy and stability of DDoS detection.
Fig. 4 shows a schematic structural diagram of a DDoS attack detection apparatus according to an embodiment of the present invention. As shown in fig. 2, the DDoS attack detection apparatus includes a header information acquisition unit 401, a feature extraction unit 402 and a modeling unit 403, wherein:
the header information obtaining unit 401 is configured to extract packet header information from network traffic; the feature extraction unit 402 is configured to extract a plurality of statistical features from the packet header information at every preset time unit and abstract them into a serialized numerical feature vector; and the attack determination unit 403 is configured to apply a long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs.
In an optional manner, the header information obtaining unit 401 is further configured to: obtain the network traffic in bypass mode from a port mirror at the network entry; and extract packet header information from the network traffic, the header information covering IP, TCP, UDP and ICMP packets.
In an alternative manner, the feature extraction unit 402 is configured to: compile statistics for a plurality of statistical features from the packet header information at every preset time unit; each time unit is one sample, and its statistical features are abstracted into a serialized numerical feature vector.
In an alternative approach, the statistical features include: the number of TCP packets, the number of UDP packets, the number of ICMP packets, the proportion of TCP packets, the proportion of UDP packets, the proportion of ICMP packets, the destination IP count, the destination port count, the information entropy of the destination IP distribution, the information entropy of the destination port distribution, the proportion of TCP SYN packets, the proportion of TCP ACK packets, the proportion of TCP RST packets, the number of newly established TCP connections, the number of closed TCP connections, the number of held (open) TCP connections, the TCP connection duration, and the UDP packet size.
In an alternative approach, the modeling unit 403 is configured to: input the feature vectors of N consecutive time units into the long short-term memory network model, N being a positive integer; model the time sequence with the long short-term memory network model and output an external state; pass the external state through a fully connected layer for weighted nonlinear activation output; and, from the output of the fully connected layer, perform classification with maximum-probability output through a softmax classifier, deciding whether a DDoS attack occurs.
In an alternative mode, the long short-term memory network model comprises a forget gate, an input gate, an output gate, a state unit and an output result, and is computed according to the following formulas:
$f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
$i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
$o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
$h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the state unit, $h_t$ the external state, $W_i$ the weight matrix of the input gate, $b_i$ the bias term of the input gate, $W_f$ the weight matrix of the forget gate, $b_f$ the bias term of the forget gate, $W_o$ the weight matrix of the output gate, $b_o$ the bias term of the output gate, and $U_f$, $U_i$, $U_o$ the corresponding recurrent weight matrices applied to the previous external state $h_{t-1}$. The gate activation function is the sigmoid $\sigma$, whose range is (0, 1); the output activation function is $\tanh$; and $\odot$ denotes the element-wise (Hadamard) product of vectors.
In an alternative approach, the modeling unit 403 is configured to: when a DDoS attack is determined to be occurring, rank the accessed IPs in the current time unit from high to low by access count, and extract the source IPs corresponding to the first k destination IPs as the DDoS sources.
Embodiments of the invention extract packet header information from network traffic; at every preset time unit, extract a plurality of statistical features from the header information and abstract them into a serialized numerical feature vector; and apply a long short-term memory network model to model and classify the feature vectors and output a result, deciding whether a DDoS attack occurs. Historical traffic is thus modelled with deep learning while both macroscopic-level and microscopic-level data are covered, which reduces missed alarms and false alarms and improves the accuracy and stability of DDoS detection.
An embodiment of the invention provides a non-volatile computer storage medium storing at least one executable instruction; the executable instruction can perform the DDoS attack detection method of any of the method embodiments above.
The executable instructions may specifically be configured to cause the processor to:
extract packet header information from network traffic;
at every preset time unit, extract a plurality of statistical features from the packet header information and abstract them into a serialized numerical feature vector;
and apply an LSTM network model to model and classify the feature vectors, and determine whether a DDoS attack is occurring.
In an alternative, the executable instructions cause the processor to:
acquire network traffic out-of-band (bypass mode) from a port mirror at the network ingress;
and extract packet header information from the traffic, the header information comprising that of IP, TCP, UDP and ICMP packets.
In an alternative, the executable instructions cause the processor to:
at every preset time unit, compute a plurality of statistical features from the packet header information;
each time unit is one sample, and its statistical features are abstracted into a serialized numerical feature vector.
In an alternative approach, the statistical features include: TCP packet count, UDP packet count, ICMP packet count, TCP packet proportion, UDP packet proportion, ICMP packet proportion, destination IP count, destination port count, information entropy of the destination IP distribution, information entropy of the destination port distribution, TCP SYN packet proportion, TCP ACK packet proportion, TCP RST packet proportion, number of newly established TCP connections, number of closed TCP connections, number of held TCP connections, TCP connection duration, and UDP packet size.
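The feature list above, together with the top-k source attribution described for the modeling unit (ranking the destination IPs accessed in a time unit and taking the source IPs that hit the top k), worked through as an added example; this is not code from the patent or the applicant. It runs over constructed packet-header tuples labelled as such in the code. The feature names, the one-second time unit, the simplified flow table used for new, closed and held connections and their durations, and the choice to count only pure SYN segments as SYN packets are assumptions made for the example:

```python
import math
from collections import Counter

# Constructed demonstration headers, not captured traffic. Each tuple is
# (timestamp_s, protocol, src_ip, dst_ip, dst_port, tcp_flags, size_bytes),
# the fields a bypass mirror at the ingress exposes. Time unit 0 (t in [0, 1))
# is benign; time unit 1 is a SYN flood from 20 sources against one host.
BENIGN = [
    (0.10, "tcp", "10.0.0.1", "192.0.2.10", 443, "S", 60),
    (0.20, "tcp", "10.0.0.1", "192.0.2.10", 443, "A", 52),
    (0.30, "tcp", "10.0.0.1", "192.0.2.10", 443, "PA", 500),
    (0.40, "tcp", "10.0.0.2", "192.0.2.11", 22, "S", 60),
    (0.50, "tcp", "10.0.0.2", "192.0.2.11", 22, "A", 52),
    (0.60, "udp", "10.0.0.3", "192.0.2.12", 53, "", 80),
    (0.70, "udp", "10.0.0.3", "192.0.2.12", 53, "", 120),
    (0.80, "icmp", "10.0.0.4", "192.0.2.10", 0, "", 64),
    (0.90, "tcp", "10.0.0.1", "192.0.2.10", 443, "FA", 52),
]
FLOOD = [(1.0 + i * 0.04, "tcp", f"203.0.113.{i + 1}", "192.0.2.10", 80, "S", 60)
         for i in range(20)]
PACKETS = BENIGN + FLOOD

# Fixed feature order of the serialized vector (names are this example's own).
FEATURE_ORDER = [
    "tcp_count", "udp_count", "icmp_count", "tcp_ratio", "udp_ratio", "icmp_ratio",
    "dst_ip_count", "dst_port_count", "dst_ip_entropy", "dst_port_entropy",
    "syn_ratio", "ack_ratio", "rst_ratio", "tcp_new", "tcp_closed", "tcp_held",
    "tcp_duration", "udp_avg_size",
]


def entropy(counts):
    """Shannon entropy (bits) of a distribution given as a Counter."""
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values()) if total else 0.0


def is_syn(flags):
    # Assumption: the SYN proportion counts pure SYN segments (SYN without ACK),
    # so SYN/ACK replies are counted under the ACK proportion instead.
    return "S" in flags and "A" not in flags


def window_features(pkts, open_flows):
    """Statistical features of one time unit. open_flows maps (src, dst, dport)
    to the SYN timestamp and is carried across windows, so held connections and
    durations span window boundaries (a simplified flow table, an assumption)."""
    proto = Counter(p[1] for p in pkts)
    n = len(pkts) or 1
    tcp = [p for p in pkts if p[1] == "tcp"]
    n_tcp = len(tcp) or 1
    dst_ips = Counter(p[3] for p in pkts)
    dst_ports = Counter(p[4] for p in pkts)
    new = closed = 0
    durations = []
    for t, _, src, dst, dport, flags, _ in tcp:
        key = (src, dst, dport)
        if is_syn(flags):
            open_flows[key] = t          # newly established connection
            new += 1
        elif ("F" in flags or "R" in flags) and key in open_flows:
            durations.append(t - open_flows.pop(key))   # closed connection
            closed += 1
    udp_sizes = [p[6] for p in pkts if p[1] == "udp"]
    return {
        "tcp_count": proto["tcp"], "udp_count": proto["udp"], "icmp_count": proto["icmp"],
        "tcp_ratio": proto["tcp"] / n, "udp_ratio": proto["udp"] / n, "icmp_ratio": proto["icmp"] / n,
        "dst_ip_count": len(dst_ips), "dst_port_count": len(dst_ports),
        "dst_ip_entropy": entropy(dst_ips), "dst_port_entropy": entropy(dst_ports),
        "syn_ratio": sum(is_syn(p[5]) for p in tcp) / n_tcp,
        "ack_ratio": sum("A" in p[5] for p in tcp) / n_tcp,
        "rst_ratio": sum("R" in p[5] for p in tcp) / n_tcp,
        "tcp_new": new, "tcp_closed": closed, "tcp_held": len(open_flows),
        "tcp_duration": sum(durations) / len(durations) if durations else 0.0,
        "udp_avg_size": sum(udp_sizes) / len(udp_sizes) if udp_sizes else 0.0,
    }


def extract_sequence(packets, unit=1.0):
    """One feature dict per time unit, in time order: each is one sample and the
    ordered list is the serialized input the LSTM consumes."""
    packets = sorted(packets, key=lambda p: p[0])
    last = int(packets[-1][0] // unit)
    open_flows, seq = {}, []
    for w in range(last + 1):
        seq.append(window_features([p for p in packets if int(p[0] // unit) == w], open_flows))
    return seq


def to_vector(features):
    """Fixed-order numeric vector for one time unit."""
    return [float(features[k]) for k in FEATURE_ORDER]


def attack_sources(packets, window, k=1, unit=1.0):
    """After a positive verdict for time unit `window`: rank destination IPs by
    access count and return the source IPs that accessed the top-k of them."""
    pkts = [p for p in packets if int(p[0] // unit) == window]
    top = {ip for ip, _ in Counter(p[3] for p in pkts).most_common(k)}
    return sorted({p[2] for p in pkts if p[3] in top})


if __name__ == "__main__":
    for w, feats in enumerate(extract_sequence(PACKETS)):
        print(w, to_vector(feats))
    print("sources hitting the top-1 target in unit 1:", attack_sources(PACKETS, 1))
```

The flow table is the one piece of state that has to survive across time units, which is why it is passed in rather than rebuilt per window. The attribution step only identifies addresses to rate-limit: in a SYN flood the source addresses are routinely spoofed, so the list names the traffic to filter, not necessarily the hosts behind it.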
In an alternative, the executable instructions cause the processor to:
input the feature vectors of N consecutive time units, N being a positive integer, into the LSTM network model;
model the sequence in time order with the LSTM model and output an external state;
pass the external state through a fully connected layer, which applies a weighted nonlinear activation;
and feed the output of the fully connected layer to a softmax classifier, taking the class with the highest probability to decide whether a DDoS attack is occurring.
In an alternative mode, the LSTM network model comprises a forget gate, an input gate, an output gate, a cell state and an output, computed by the following formulas:
$f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
$i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
$o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
$h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the cell state and $h_t$ the external state; $W_i$ and $U_i$ are the weight matrices of the input gate (acting on $x_t$ and $h_{t-1}$ respectively) and $b_i$ its bias; $W_f$, $U_f$ and $b_f$ are the weight matrices and bias of the forget gate; $W_o$, $U_o$ and $b_o$ those of the output gate; the gate activation $\sigma$ is the sigmoid function with range (0, 1), the output activation is $\tanh$, and $\odot$ denotes the element-wise product.
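The classification path described above (feature vectors of N consecutive time units into the LSTM in time order, the external state through a fully connected layer, softmax, and the highest-probability class as the verdict), as an added example in plain Python; this is not code from the patent. The three gate equations and the output equation are the ones listed above; the candidate and cell-state update is the standard LSTM one, which the list omits, and is supplied here. The parameter values are hand-set for illustration rather than trained, the two-feature input (SYN proportion, destination-IP entropy), hidden size 1 and the [benign, attack] class order are assumptions, and the input sequences are constructed:

```python
import math


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def vadd(*vectors):
    return [sum(column) for column in zip(*vectors)]


def lstm_step(x_t, h_prev, c_prev, p):
    """One LSTM cell update. The three gate equations and h_t are those given in
    the text; the candidate and cell-state lines are the standard LSTM update,
    which the text's list leaves out:
        f_t = sigmoid(W_f x_t + U_f h_{t-1} + b_f)
        i_t = sigmoid(W_i x_t + U_i h_{t-1} + b_i)
        o_t = sigmoid(W_o x_t + U_o h_{t-1} + b_o)
        g_t = tanh(W_c x_t + U_c h_{t-1} + b_c)
        c_t = f_t * c_{t-1} + i_t * g_t        (element-wise)
        h_t = o_t * tanh(c_t)
    """
    def gate(name, act):
        pre = vadd(matvec(p["W" + name], x_t), matvec(p["U" + name], h_prev), p["b" + name])
        return [act(a) for a in pre]

    f = gate("f", sigmoid)
    i = gate("i", sigmoid)
    o = gate("o", sigmoid)
    g = gate("c", math.tanh)
    c = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c_prev, i, g)]
    h = [oj * math.tanh(cj) for oj, cj in zip(o, c)]
    return h, c


def lstm_forward(seq, p):
    """Run the cell over the feature vectors of N consecutive time units and
    return the external state h_N."""
    hidden = len(p["bf"])
    h, c = [0.0] * hidden, [0.0] * hidden
    for x_t in seq:
        h, c = lstm_step(x_t, h, c, p)
    return h


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def classify(seq, p):
    """External state -> fully connected layer -> softmax -> [P(benign), P(attack)]."""
    h = lstm_forward(seq, p)
    z = vadd(matvec(p["Wfc"], h), p["bfc"])
    return softmax(z)


# Hand-set illustrative parameters (an assumption, not trained weights): input
# size 2 = (TCP SYN proportion, destination-IP entropy), hidden size 1, two
# output classes. The candidate state grows with the SYN proportion and shrinks
# with destination entropy, so a sustained SYN-heavy, single-target run of time
# units drives c_t positive; the fully connected layer maps the sign of h_N onto
# the two classes.
PARAMS = {
    "Wf": [[0.0, 0.0]], "Uf": [[0.0]], "bf": [4.0],
    "Wi": [[0.0, 0.0]], "Ui": [[0.0]], "bi": [4.0],
    "Wo": [[0.0, 0.0]], "Uo": [[0.0]], "bo": [4.0],
    "Wc": [[4.0, -1.0]], "Uc": [[0.0]], "bc": [-1.0],
    "Wfc": [[-3.0], [3.0]], "bfc": [0.0, 0.0],
}

# Constructed sequences of N = 3 time units, each [syn_ratio, dst_ip_entropy].
BENIGN_SEQ = [[0.30, 1.40], [0.35, 1.50], [0.30, 1.30]]
ATTACK_SEQ = [[0.30, 1.40], [0.95, 0.10], [1.00, 0.00]]


def verdict(seq, p=PARAMS):
    """Class with the highest softmax probability, as the text describes."""
    probs = classify(seq, p)
    return ("benign", "attack")[probs.index(max(probs))]


if __name__ == "__main__":
    print("benign sequence:", classify(BENIGN_SEQ, PARAMS), verdict(BENIGN_SEQ))
    print("attack sequence:", classify(ATTACK_SEQ, PARAMS), verdict(ATTACK_SEQ))
```

With trained weights the same forward pass applies unchanged; only PARAMS and the input width change. Because the decision is an argmax over the softmax output, a threshold on P(attack) other than 0.5 is the natural knob for trading missed alarms against false alarms.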
In an alternative, the executable instructions cause the processor to:
once a DDoS attack is determined to have occurred, rank the destination IPs accessed in the current time unit by number of accesses in descending order;
and take the source IPs that accessed the top k destination IPs as the DDoS sources.
In the embodiment of the invention, packet header information is extracted from network traffic; at every preset time unit, a plurality of statistical features are derived from the header information and abstracted into a serialized numerical feature vector; and an LSTM network model is applied to model and classify the feature vectors and decide whether a DDoS attack is occurring. Historical traffic is thus modeled with deep learning, covering both macro-level and micro-level data, which reduces missed and false alarms and improves the accuracy and stability of DDoS detection.
An embodiment of the invention provides a computer program product comprising a computer program stored on a computer storage medium; the computer program comprises program instructions which, when executed by a computer, cause the computer to perform the DDoS attack detection method of any of the method embodiments above.
The executable instructions may specifically be configured to cause the processor to:
extract packet header information from network traffic;
at every preset time unit, extract a plurality of statistical features from the packet header information and abstract them into a serialized numerical feature vector;
and apply an LSTM network model to model and classify the feature vectors, and determine whether a DDoS attack is occurring.
In an alternative, the executable instructions cause the processor to:
acquire network traffic out-of-band (bypass mode) from a port mirror at the network ingress;
and extract packet header information from the traffic, the header information comprising that of IP, TCP, UDP and ICMP packets.
In an alternative, the executable instructions cause the processor to:
at every preset time unit, compute a plurality of statistical features from the packet header information;
each time unit is one sample, and its statistical features are abstracted into a serialized numerical feature vector.
In an alternative approach, the statistical features include: TCP packet count, UDP packet count, ICMP packet count, TCP packet proportion, UDP packet proportion, ICMP packet proportion, destination IP count, destination port count, information entropy of the destination IP distribution, information entropy of the destination port distribution, TCP SYN packet proportion, TCP ACK packet proportion, TCP RST packet proportion, number of newly established TCP connections, number of closed TCP connections, number of held TCP connections, TCP connection duration, and UDP packet size.
In an alternative, the executable instructions cause the processor to:
input the feature vectors of N consecutive time units, N being a positive integer, into the LSTM network model;
model the sequence in time order with the LSTM model and output an external state;
pass the external state through a fully connected layer, which applies a weighted nonlinear activation;
and feed the output of the fully connected layer to a softmax classifier, taking the class with the highest probability to decide whether a DDoS attack is occurring.
In an alternative mode, the LSTM network model comprises a forget gate, an input gate, an output gate, a cell state and an output, computed by the following formulas:
$f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
$i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
$o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
$h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the cell state and $h_t$ the external state; $W_i$ and $U_i$ are the weight matrices of the input gate (acting on $x_t$ and $h_{t-1}$ respectively) and $b_i$ its bias; $W_f$, $U_f$ and $b_f$ are the weight matrices and bias of the forget gate; $W_o$, $U_o$ and $b_o$ those of the output gate; the gate activation $\sigma$ is the sigmoid function with range (0, 1), the output activation is $\tanh$, and $\odot$ denotes the element-wise product.
In an alternative, the executable instructions cause the processor to:
once a DDoS attack is determined to have occurred, rank the destination IPs accessed in the current time unit by number of accesses in descending order;
and take the source IPs that accessed the top k destination IPs as the DDoS sources.
In the embodiment of the invention, packet header information is extracted from network traffic; at every preset time unit, a plurality of statistical features are derived from the header information and abstracted into a serialized numerical feature vector; and an LSTM network model is applied to model and classify the feature vectors and decide whether a DDoS attack is occurring. Historical traffic is thus modeled with deep learning, covering both macro-level and micro-level data, which reduces missed and false alarms and improves the accuracy and stability of DDoS detection.
Fig. 5 is a schematic structural diagram of a computing device according to an embodiment of the invention; the specific embodiment does not limit the specific implementation of the device.
As shown in Fig. 5, the device may include a processor 502, a communication interface 504, a memory 506 and a communication bus 508.
The processor 502, the communication interface 504 and the memory 506 communicate with one another via the communication bus 508. The communication interface 504 is for communicating with network elements of other devices, such as clients or other servers. The processor 502 is configured to execute the program 510, and specifically may execute the relevant steps of the DDoS attack detection method embodiments above.
In particular, the program 510 may include program code comprising computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the invention. The device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is for storing the program 510. The memory 506 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
extract packet header information from network traffic;
at every preset time unit, extract a plurality of statistical features from the packet header information and abstract them into a serialized numerical feature vector;
and apply an LSTM network model to model and classify the feature vectors, and determine whether a DDoS attack is occurring.
In an alternative, the program 510 causes the processor to:
acquire network traffic out-of-band (bypass mode) from a port mirror at the network ingress;
and extract packet header information from the traffic, the header information comprising that of IP, TCP, UDP and ICMP packets.
In an alternative, the program 510 causes the processor to:
at every preset time unit, compute a plurality of statistical features from the packet header information;
each time unit is one sample, and its statistical features are abstracted into a serialized numerical feature vector.
In an alternative, the program 510 causes the processor to:
the statistical features include: TCP packet count, UDP packet count, ICMP packet count, TCP packet proportion, UDP packet proportion, ICMP packet proportion, destination IP count, destination port count, information entropy of the destination IP distribution, information entropy of the destination port distribution, TCP SYN packet proportion, TCP ACK packet proportion, TCP RST packet proportion, number of newly established TCP connections, number of closed TCP connections, number of held TCP connections, TCP connection duration, and UDP packet size.
In an alternative, the program 510 causes the processor to:
input the feature vectors of N consecutive time units, N being a positive integer, into the LSTM network model;
model the sequence in time order with the LSTM model and output an external state;
pass the external state through a fully connected layer, which applies a weighted nonlinear activation;
and feed the output of the fully connected layer to a softmax classifier, taking the class with the highest probability to decide whether a DDoS attack is occurring.
In an alternative mode, the LSTM network model comprises a forget gate, an input gate, an output gate, a cell state and an output, computed by the following formulas:
$f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
$i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
$o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
$h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the cell state and $h_t$ the external state; $W_i$ and $U_i$ are the weight matrices of the input gate (acting on $x_t$ and $h_{t-1}$ respectively) and $b_i$ its bias; $W_f$, $U_f$ and $b_f$ are the weight matrices and bias of the forget gate; $W_o$, $U_o$ and $b_o$ those of the output gate; the gate activation $\sigma$ is the sigmoid function with range (0, 1), the output activation is $\tanh$, and $\odot$ denotes the element-wise product.
In an alternative, the program 510 causes the processor to:
once a DDoS attack is determined to have occurred, rank the destination IPs accessed in the current time unit by number of accesses in descending order;
and take the source IPs that accessed the top k destination IPs as the DDoS sources.
In the embodiment of the invention, packet header information is extracted from network traffic; at every preset time unit, a plurality of statistical features are derived from the header information and abstracted into a serialized numerical feature vector; and an LSTM network model is applied to model and classify the feature vectors and decide whether a DDoS attack is occurring. Historical traffic is thus modeled with deep learning, covering both macro-level and micro-level data, which reduces missed and false alarms and improves the accuracy and stability of DDoS detection.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. This disclosure method should not, however, be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some, but not other, features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A DDoS attack detection method, characterized by comprising the following steps:
extracting packet header information from network traffic;
at every preset time unit, extracting a plurality of statistical features from the packet header information and abstracting them into a serialized numerical feature vector;
and applying a long short-term memory (LSTM) network model to model and classify the feature vectors, and determining whether a DDoS attack is occurring.
2. The method of claim 1, wherein extracting the packet header information from the network traffic comprises:
acquiring network traffic out-of-band (bypass mode) from a port mirror at the network ingress;
and extracting packet header information from the traffic, the header information comprising that of IP, TCP, UDP and ICMP packets.
3. The method according to claim 1, wherein extracting a plurality of statistical features from the packet header information at every preset time unit and abstracting them into a serialized numerical feature vector comprises:
at every preset time unit, computing a plurality of statistical features from the packet header information;
each time unit being one sample, and its statistical features being abstracted into a serialized numerical feature vector.
4. The method of claim 1, wherein the statistical features comprise: TCP packet count, UDP packet count, ICMP packet count, TCP packet proportion, UDP packet proportion, ICMP packet proportion, destination IP count, destination port count, information entropy of the destination IP distribution, information entropy of the destination port distribution, TCP SYN packet proportion, TCP ACK packet proportion, TCP RST packet proportion, number of newly established TCP connections, number of closed TCP connections, number of held TCP connections, TCP connection duration, and UDP packet size.
5. The method of claim 1, wherein applying the LSTM network model to model and classify the feature vectors and determine whether a DDoS attack is occurring comprises:
inputting the feature vectors of N consecutive time units, N being a positive integer, into the LSTM network model;
modeling the sequence in time order with the LSTM model and outputting an external state;
passing the external state through a fully connected layer, which applies a weighted nonlinear activation;
and feeding the output of the fully connected layer to a softmax classifier, taking the class with the highest probability to decide whether a DDoS attack is occurring.
6. The method of claim 5, wherein the LSTM network model comprises a forget gate, an input gate, an output gate, a cell state and an output, and is calculated by the following formulas:
$f_t = \sigma(W_f x_t + U_f h_{t-1} + b_f)$
$i_t = \sigma(W_i x_t + U_i h_{t-1} + b_i)$
$o_t = \sigma(W_o x_t + U_o h_{t-1} + b_o)$
$h_t = o_t \odot \tanh(c_t)$
where $f_t$ denotes the forget gate, $i_t$ the input gate, $o_t$ the output gate, $c_t$ the cell state and $h_t$ the external state; $W_i$ and $U_i$ are the weight matrices of the input gate (acting on $x_t$ and $h_{t-1}$ respectively) and $b_i$ its bias; $W_f$, $U_f$ and $b_f$ are the weight matrices and bias of the forget gate; $W_o$, $U_o$ and $b_o$ those of the output gate; the gate activation $\sigma$ is the sigmoid function with range (0, 1), the output activation is $\tanh$, and $\odot$ denotes the element-wise product.
7. The method of claim 1, further comprising:
once a DDoS attack is determined to have occurred, ranking the destination IPs accessed in the current time unit by number of accesses in descending order;
and taking the source IPs that accessed the top k destination IPs as the DDoS sources.
8. A DDoS attack detection apparatus, the apparatus comprising:
a header information acquisition unit, configured to extract packet header information from network traffic;
a feature extraction unit, configured to extract, at every preset time unit, a plurality of statistical features from the packet header information and abstract them into a serialized numerical feature vector;
and a modeling unit, configured to apply a long short-term memory network model to model and classify the feature vectors and determine whether a DDoS attack is occurring.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the DDoS attack detection method according to any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of the DDoS attack detection method according to any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910642020.1A CN112242973A (en) 2019-07-16 2019-07-16 DDoS attack detection method, device, computing equipment and computer storage medium


Publications (1)

Publication Number Publication Date
CN112242973A true CN112242973A (en) 2021-01-19

Family

ID=74167073


Country Status (1)

Country Link
CN (1) CN112242973A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040215976A1 (en) * 2003-04-22 2004-10-28 Jain Hemant Kumar Method and apparatus for rate based denial of service attack detection and prevention
CN101640594A (en) * 2008-07-31 2010-02-03 北京启明星辰信息技术股份有限公司 Method and unit for extracting traffic attack message characteristics on network equipment
CN102123149A (en) * 2011-03-04 2011-07-13 哈尔滨工程大学 Service-oriented large-scale network security situational assessment device and method
US20180063168A1 (en) * 2016-08-31 2018-03-01 Cisco Technology, Inc. Automatic detection of network threats based on modeling sequential behavior in network traffic
CN108900542A (en) * 2018-08-10 2018-11-27 海南大学 Ddos attack detection method and device based on LSTM prediction model
US20190197397A1 (en) * 2017-12-27 2019-06-27 Cisco Technology, Inc. Neural network-assisted computer network management
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
He Xiaobo, "New thinking on DDoS attack defense" (DDoS攻击防御新思考), China Public Security (Academic Edition) *
Zhou Dongqing et al., "HMM-based distributed denial-of-service attack detection method" (基于HMM的分布式拒绝服务攻击检测方法), Journal of Computer Research and Development *
Li Guanghui et al., "DDoS data-stream detection and processing based on an aggregation algorithm" (基于聚集算法的DDoS数据流检测和处理), Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804255A (en) * 2021-02-09 2021-05-14 中国人民解放军国防科技大学 Network abnormal node detection method based on node multidimensional characteristics
CN112804255B (en) * 2021-02-09 2022-10-18 中国人民解放军国防科技大学 Network abnormal node detection method based on node multidimensional characteristics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210119)