CN112491823A - DDoS attack joint defense system and method based on block chain - Google Patents

DDoS attack joint defense system and method based on block chain Download PDF

Info

Publication number
CN112491823A
Authority
CN
China
Prior art keywords
ddos
information
block chain
equipment
abnormal flow
Legal status
Granted
Application number
CN202011267709.XA
Other languages
Chinese (zh)
Other versions
CN112491823B (en)
Inventor
禹继国
王越
闫碧薇
王桂娟
董安明
Current Assignee
Qilu University of Technology
Original Assignee
Qilu University of Technology
Application filed by Qilu University of Technology
Priority to CN202011267709.XA
Publication of CN112491823A
Priority to PCT/CN2021/082097 (WO2022099966A1)
Application granted
Publication of CN112491823B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a DDoS attack joint defense system and method based on a block chain. It belongs to the technical field of DDoS attack defense and aims to solve the technical problem of how to achieve safe, fast and effective defense against DDoS attacks. The system comprises: at least one terminal device; at least one edge device, each provided with an Ethereum client; and a block chain on which a device information sharing smart contract and a device filtering smart contract are deployed, used to share information among all edge nodes through the block chain consensus mechanism. The edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores that information locally, and uploads it to the block chain through the device information sharing smart contract.

Description

DDoS attack joint defense system and method based on block chain
Technical Field
The invention relates to the technical field of DDoS attack defense, in particular to a DDoS attack combined defense system and a DDoS attack combined defense method based on a block chain.
Background
With the rapid development of 5G and the Internet of Things (IoT), the interconnection of everything has become an irreversible trend. Security is ignored in the system design of most IoT devices, and attackers can easily exploit their vulnerabilities to turn them into new tools for traditional network attacks (malicious code such as Mirai and Aidra infects smart devices) and launch DDoS (distributed denial of service) attacks, causing serious consequences such as denial of service at the target and related services going offline.
Traditionally, DDoS attacks are defended at the attacked target. However, because of the high packet arrival rate and the lack of connection context, a scheme deployed at the target can only perform limited statistical analysis, and the error rate of its results is high. To overcome this shortcoming of detecting DDoS at the target, detection of DDoS abnormal traffic information can instead be performed at the source from which the attack is launched. In an edge node network, the edge node controls the communication of the IoT terminal devices under its jurisdiction, so the edge node can be designated to perform traffic anomaly detection and filtering on those devices.
In an edge node environment, the attacker and the victim are in most cases not in the same network domain, and purely intra-domain defense cannot achieve the best effect, so intra-domain detection should be extended to inter-domain cooperation, so that all edge nodes in the whole network participate in network-wide DDoS defense. The Software Defined Networking (SDN) architecture was developed to overcome the shortcomings of the traditional network architecture: it separates network control from the forwarding devices, the controller obtains a global view of the network, and it is highly reliable, simple and flexible, so it can effectively solve the inter-domain communication problem. However, the centralized network control in SDN carries the risk of a single-point attack, which remains a hidden danger of the system.
Based on the above, how to achieve safe, fast and effective defense against DDoS attacks is the technical problem to be solved.
Disclosure of Invention
The technical task of the invention is to provide a block chain based DDoS attack joint defense system and method that address the above shortcomings, so as to solve the technical problem of how to achieve safe, fast and effective defense against DDoS attacks.
In a first aspect, the present invention provides a block chain based DDoS attack joint defense system, including:
at least one terminal device, the terminal device being the initiating source of a DDoS attack;
at least one edge device, each provided with an Ethereum client; after its validity is verified, the edge device joins the block chain network as an edge node and broadcasts the terminal devices subordinate to it to the block chain network;
a block chain, on which a device information sharing smart contract and a device filtering smart contract are deployed, used to share information among all edge nodes through the block chain consensus mechanism;
the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it locally, and uploads it to the block chain through the device information sharing smart contract;
based on the attack device filtering rule and the DDoS abnormal traffic information, the block chain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract;
the edge node filters DDoS attack devices according to the DDoS attack device filtering information and rewards the provider of that filtering information with points;
the edge node trains the DDoS anomaly detection model on the DDoS abnormal traffic information and optimizes the model parameters; the points allow the provider of the DDoS attack device filtering information to obtain the optimized parameters from the edge node in the form of a block chain transaction.
Preferably, when a DDoS attack is present in the network environment, the edge node uploads a digest of the DDoS abnormal traffic information to the block chain through the device information sharing smart contract, and the block chain synchronizes the digest to the other edge nodes through the block chain consensus mechanism;
when no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the block chain through the device information sharing smart contract, and the block chain synchronizes the detailed information to the other edge nodes through the block chain consensus mechanism.
Preferably, the block chain is configured with an information sharing model, the S-Chain information sharing model, which comprises:
a device filtering chain, which stores the digest of the DDoS abnormal traffic information and synchronizes it to the other edge nodes through the block chain consensus mechanism;
and a device information chain, which stores the detailed DDoS abnormal traffic information and synchronizes it to the other edge nodes through the block chain consensus mechanism; the detailed information is used to train the DDoS anomaly detection model.
Preferably, the edge node detects and classifies network traffic with a DDoS anomaly detection model;
the DDoS anomaly detection model distinguishes DDoS attack traffic from normal traffic with a random forest (RF) algorithm, in the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and time;
(3) extracting a feature vector from each packet group;
(4) feeding the extracted feature vectors as test data into the random forest and determining the category of the test data by voting on the classification results;
the random forest is constructed as follows:
(1) drawing n DDoS abnormal traffic samples from the DDoS abnormal traffic sample set by bootstrap resampling with replacement;
(2) randomly selecting K attributes from all attributes of the DDoS abnormal traffic and choosing the best attribute as the node to build a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) forming the decision forest from the m decision trees.
Preferably, the device filtering smart contract is configured with an attack device filtering rule, and the block chain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract based on that rule and the DDoS abnormal traffic information;
the attack device filtering rule is as follows: abnormal devices are graded according to the DDoS attack characteristics, the order in which devices are filtered is arranged by danger level, and the DDoS danger level is calculated with the formula:
DL = N·5% + T·5% + t·20% + F·40% + B·30%
where N denotes the number of connections, T the connection period, t the connection duration, F the packet sending frequency, and B the source-to-destination byte count.
Preferably, the edge node filters the attacker through a defense model, which comprises:
an unpaid defense model, applied when the attacker and the victim belong to the same edge node: after detecting DDoS abnormal traffic information, the edge node looks up the IP address and MAC address of the attacker from that information and, when filtering DDoS abnormal devices, filters the attacker's IP address and the MAC address of the terminal device under it;
a paid defense model, applied when the attacker and the victim belong to different edge nodes: after detecting DDoS abnormal traffic information, the edge node broadcasts it to the block chain through the device information sharing smart contract. Other edge nodes that receive the information look up the attacker's IP address and MAC address from it; if the attacker or the victim is among the terminal devices under a receiving edge node, that node filters the attacker or the victim and at the same time provides points to the edge node that supplied the information. If neither the attacker nor the victim is among the terminal devices under a receiving edge node, then whenever a new terminal device joins that edge node the DDoS abnormal traffic information must be queried, and if the information shared by the publishing edge node helps the receiving edge node filter access by the malicious device, the receiving edge node provides points to the edge node that supplied the information.
Preferably, the block chain consists of a genesis block and ordinary blocks;
the genesis block is the first block in the block chain, with block sequence number 0; two peer edge nodes in the block chain network hold the same block, and peer edge nodes pair with each other and synchronize blocks;
an ordinary block consists of a block header and a block body. The block header contains three groups of metadata: the first metadata group contains the index data, the second contains the mining difficulty, the nonce and the timestamp, and the third contains the Merkle tree root data;
the index data links the hash values of the previous block and the parent block;
the mining difficulty, the nonce and the timestamp are used for proof of work;
the Merkle tree root data summarizes all transaction data in the block for verification;
the block body contains the transaction data, including but not limited to DDoS abnormal traffic information and points.
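A minimal model of the block structure just described, added here as an example and not code from the patent or its Ethereum deployment: the header carries the three metadata groups, the body carries a DDoS abnormal traffic digest and a points transaction, and the verification shows why a modified entry is exposed at once (the property the advantages section attributes to Merkle tree storage). Field names, the JSON encoding and the toy difficulty are assumptions made for this example.

```python
"""Minimal model of the block structure described above.

Added example, not code from the patent or its Ethereum deployment. It builds a
genesis block (sequence number 0) and an ordinary block whose header carries the
three metadata groups (index data; mining difficulty, nonce, timestamp; Merkle
root) and whose body carries a DDoS abnormal traffic digest and a points
transaction, then shows that altering a stored digest is exposed by the Merkle
root and the hash chain. Field names, the JSON encoding and the toy difficulty
are assumptions made for this example.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List

DIFFICULTY_BITS = 12  # assumed toy difficulty: header hash must start with 12 zero bits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions: List[Dict[str, Any]]) -> str:
    """Merkle root over canonical JSON of each transaction (an odd last leaf is duplicated)."""
    if not transactions:
        return sha256_hex(b"")
    level = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex(bytes.fromhex(level[i] + level[i + 1]))
                 for i in range(0, len(level), 2)]
    return level[0]


def header_hash(header: Dict[str, Any]) -> str:
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def meets_difficulty(block_hash: str) -> bool:
    return int(block_hash, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine_block(index: int, prev_hash: str, timestamp: int,
               transactions: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Assemble header (three metadata groups) and body, then search a nonce for proof of work."""
    body = copy.deepcopy(transactions)  # the block owns its copy of the transaction data
    header = {
        "index": index, "prev_hash": prev_hash,                             # group 1: index data
        "difficulty": DIFFICULTY_BITS, "nonce": 0, "timestamp": timestamp,  # group 2: proof of work
        "merkle_root": merkle_root(body),                                   # group 3: Merkle root
    }
    while not meets_difficulty(header_hash(header)):
        header["nonce"] += 1
    return {"header": header, "body": body, "hash": header_hash(header)}


def genesis_block() -> Dict[str, Any]:
    """First block, sequence number 0, with an all-zero previous hash and an empty body."""
    return mine_block(0, "0" * 64, 0, [])


def verify_chain(chain: List[Dict[str, Any]]) -> bool:
    """Recompute Merkle roots, header hashes, proof of work and prev_hash links."""
    for i, blk in enumerate(chain):
        hdr = blk["header"]
        if hdr["index"] != i or hdr["merkle_root"] != merkle_root(blk["body"]):
            return False
        if header_hash(hdr) != blk["hash"] or not meets_difficulty(blk["hash"]):
            return False
        if i > 0 and hdr["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


# Constructed transactions: an abnormal traffic digest (attacker IP, attacker MAC, victim IP)
# as shared on the device filtering chain, and a points transaction rewarding its provider.
SAMPLE_TXS = [
    {"type": "ddos_digest", "reporter": "edge-node-A", "attacker_ip": "192.0.2.10",
     "attacker_mac": "02:00:00:00:00:0a", "victim_ip": "198.51.100.7"},
    {"type": "points", "from": "edge-node-B", "to": "edge-node-A", "amount": 10},
]


def build_sample_chain() -> List[Dict[str, Any]]:
    genesis = genesis_block()
    return [genesis, mine_block(1, genesis["hash"], 1_700_000_000, SAMPLE_TXS)]


def tamper_detected() -> bool:
    """Alter the stored digest in block 1 without re-mining; verification must now fail."""
    chain = build_sample_chain()
    chain[1]["body"][0]["attacker_ip"] = "192.0.2.99"
    return not verify_chain(chain)


if __name__ == "__main__":
    sample = build_sample_chain()
    print("chain valid:", verify_chain(sample), "| tampering detected:", tamper_detected())
```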
In a second aspect, the present invention provides a block chain based DDoS attack joint defense method, which filters the devices that initiate DDoS attacks using the block chain based DDoS attack joint defense system according to any one of the first aspects, and which includes the following steps:
the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it locally on the edge device, and uploads it to the block chain through the device information sharing smart contract; the block chain shares the information among the edge nodes through the block chain consensus mechanism;
based on the attack device filtering rule and the DDoS abnormal traffic information, the block chain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract;
the edge node filters DDoS attack devices according to the DDoS attack device filtering information and rewards the providers of that filtering information with points;
the edge node trains the DDoS anomaly detection model on the DDoS abnormal traffic information and optimizes the model parameters, and the provider of the DDoS attack device filtering information obtains the optimized parameters from the edge node in the form of a block chain transaction paid for with points.
Preferably, when a DDoS attack is present in the network environment, the edge node uploads a digest of the DDoS abnormal traffic information to the block chain through the device information sharing smart contract, and the block chain synchronizes the digest to the other edge nodes through the block chain consensus mechanism;
when no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the block chain through the device information sharing smart contract, and the block chain synchronizes the detailed information to the other edge nodes through the block chain consensus mechanism;
the block chain is configured with an information sharing model, the S-Chain information sharing model, which comprises:
a device filtering chain, which stores the digest of the DDoS abnormal traffic information and synchronizes it to the other edge nodes through the block chain consensus mechanism;
and a device information chain, which stores the detailed DDoS abnormal traffic information and synchronizes it to the other edge nodes through the block chain consensus mechanism; the detailed information is used to train the DDoS anomaly detection model.
Preferably, the DDoS anomaly detection model distinguishes DDoS attack traffic from normal traffic with a random forest (RF) algorithm, in the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and time;
(3) extracting a feature vector from each packet group;
(4) feeding the extracted feature vectors as test data into the random forest and determining the category of the test data by voting on the classification results;
the random forest is constructed as follows:
(1) drawing n DDoS abnormal traffic samples from the DDoS abnormal traffic sample set by bootstrap resampling with replacement;
(2) randomly selecting K attributes from all attributes of the DDoS abnormal traffic and choosing the best attribute as the node to build a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) forming the decision forest from the m decision trees;
an attack device filtering rule is configured in the device filtering smart contract, and the block chain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract based on that rule and the DDoS abnormal traffic information;
the attack device filtering rule is as follows: abnormal devices are graded according to the DDoS attack characteristics, the order in which devices are filtered is arranged by danger level, and the DDoS danger level is calculated with the formula:
DL = N·5% + T·5% + t·20% + F·40% + B·30%
where N denotes the number of connections, T the connection period, t the connection duration, F the packet sending frequency, and B the source-to-destination byte count.
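The danger-level rule stated in both the system and the method aspects, worked through as an added example (not the patent's own code): it applies the DL formula to a constructed batch of flagged devices and returns the filtering order the device filtering contract would hand to edge nodes. Because N, T, t, F and B have different units, the example min-max scales each feature across the batch before weighting; the patent does not say how the features are scaled, so that step is an assumption.

```python
"""Danger-level (DL) scoring and filtering order for the attack device filtering rule.

Added example, not code from the patent. It applies the page's formula
    DL = N*5% + T*5% + t*20% + F*40% + B*30%
to a constructed set of flagged devices and returns the order in which the
device filtering contract would hand them to edge nodes (highest DL first).
Assumption: each raw feature is min-max scaled to [0, 1] across the batch
before weighting, because the five features carry different units; the
patent does not specify any scaling.
"""
from dataclasses import dataclass
from typing import List

# Weights exactly as given in the patent's formula.
WEIGHTS = {"N": 0.05, "T": 0.05, "t": 0.20, "F": 0.40, "B": 0.30}


@dataclass(frozen=True)
class AbnormalDevice:
    """One DDoS abnormal traffic record as an edge node would report it."""
    attacker_ip: str   # attacker IP address (also a digest field on the device filtering chain)
    attacker_mac: str  # attacker MAC address
    N: int             # number of connections
    T: float           # connection period (seconds)
    t: float           # connection duration (seconds)
    F: float           # packet sending frequency (packets per second)
    B: int             # source-to-destination byte count


def _minmax(values: List[float]) -> List[float]:
    """Scale a feature column to [0, 1]; a column with no spread contributes 0 for everyone."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def danger_levels(devices: List[AbnormalDevice]) -> List[float]:
    """Return DL for each device, in the same order as `devices`, rounded to 4 places."""
    if not devices:
        return []
    scaled = {k: _minmax([float(getattr(d, k)) for d in devices]) for k in WEIGHTS}
    return [
        round(sum(WEIGHTS[k] * scaled[k][i] for k in WEIGHTS), 4)
        for i in range(len(devices))
    ]


def filtering_order(devices: List[AbnormalDevice]) -> List[str]:
    """Attacker IPs sorted by descending DL (ties broken by IP so the order is deterministic)."""
    ranked = sorted(zip(danger_levels(devices), devices),
                    key=lambda pair: (-pair[0], pair[1].attacker_ip))
    return [device.attacker_ip for _, device in ranked]


# Constructed sample records: documentation-range IPs, made-up MACs and counters.
SAMPLE_DEVICES = [
    AbnormalDevice("192.0.2.10", "02:00:00:00:00:0a", N=1200, T=1.0, t=600.0, F=2000.0, B=50_000_000),
    AbnormalDevice("192.0.2.11", "02:00:00:00:00:0b", N=50, T=30.0, t=60.0, F=5.0, B=20_000),
    AbnormalDevice("192.0.2.12", "02:00:00:00:00:0c", N=800, T=2.0, t=300.0, F=900.0, B=9_000_000),
]

if __name__ == "__main__":
    for device, dl in zip(SAMPLE_DEVICES, danger_levels(SAMPLE_DEVICES)):
        print(f"{device.attacker_ip}  DL={dl:.4f}")
    print("filtering order:", filtering_order(SAMPLE_DEVICES))
```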
The block chain based DDoS attack joint defense system and method have the following advantages:
1. the block chain and smart contracts make it possible to exchange information across multiple domains and also eliminate the risk of a single-point attack; an interaction scheme based on the block chain is flexible and simplifies the existing information sharing method to a certain extent;
2. to damage the network, an attacker would need to control more than 51% of the edge nodes; the system consists of many edge nodes without a centralized central node, so the risk of a single-point attack is effectively avoided and the system has strong resistance to attack;
3. information is stored in three forms: local storage, device filtering chain storage and device information chain storage. The edge node detects DDoS abnormal traffic information, the device information sharing smart contract deployed on the block chain uploads the digest of that information to the device filtering chain, and once the digest upload is finished and there is no DDoS attack in the network, the device information sharing smart contract uploads the full DDoS abnormal traffic information to the device information chain; when locally stored data is damaged, the data in the block chain can be downloaded at any time for repair, which guarantees data integrity;
4. because data in the block chain is stored in the form of a Merkle tree, any modification of the information is exposed immediately, and the block chain consensus mechanism performs a data consistency operation on the modified block to invalidate the malicious modification, ensuring the security of information storage;
5. under the block chain consensus mechanism, a new edge node applying to join the block chain network only needs to be authenticated by any one edge node already in the block chain, which reduces the time consumed by joint verification of all nodes and improves node verification speed. The existing edge node first verifies the legality of the new edge node's node number; after verification passes, the new edge node broadcasts its subordinate terminal devices to the network, so that the other edge nodes hold the edge node and its subordinate terminal devices and DDoS defense can proceed smoothly. Device expansion is verified mainly by the points method deployed in the Ethereum client of the edge node; there is no external interference in the verification process, so security is guaranteed.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments or the prior art description are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a network architecture diagram of the block chain based DDoS attack joint defense system in embodiment 1;
Fig. 2 is a schematic block diagram of the defense model in the block chain based DDoS attack joint defense system in embodiment 1;
Fig. 3 is a working principle block diagram of the block chain based DDoS attack joint defense system in embodiment 1;
Fig. 4 is a flow chart of the block chain based DDoS attack joint defense method in embodiment 2.
Detailed Description
The present invention is further described below with reference to the drawings and specific embodiments so that those skilled in the art can better understand and implement it. The embodiments are not to be construed as limiting the present invention, and the embodiments and their technical features can be combined with each other where there is no conflict.
The embodiments of the invention provide a block chain based DDoS attack joint defense system and method, which are used to solve the technical problem of how to achieve safe, fast and effective defense against DDoS attacks.
Embodiment 1:
As shown in Fig. 1, the block chain based DDoS attack joint defense system of the present invention includes at least one terminal device, an edge device and a block chain, where the initiating source of a DDoS attack is a terminal device; at least one edge device is provided with an Ethereum client, and the edge devices join the block chain network as edge nodes; a device information sharing smart contract and a device filtering smart contract are deployed on the block chain, which shares information among all edge nodes through the block chain consensus mechanism. The edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it locally, and uploads it to the block chain through the device information sharing smart contract; based on the attack device filtering rule and the DDoS abnormal traffic information, the block chain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract; the edge node filters DDoS attack devices according to that filtering information and rewards its provider with points; and the edge node trains the DDoS anomaly detection model on the DDoS abnormal traffic information and the points.
In this embodiment, the terminal devices include devices commonly used in daily life, such as smart traffic lights, computers and smart cameras. Typically, the source of a DDoS attack is a terminal device. The terminal devices together form the terminal layer.
The edge device is the main target of a DDoS attack initiator. After its validity is verified, the edge device joins the block chain network as an edge node and broadcasts its subordinate terminal devices to the block chain network. An existing edge node in the block chain first verifies the legality of the node number of the newly added edge node and, after verification passes, broadcasts the new edge node and its subordinate terminal devices to the network, so that other edge nodes hold the edge node and its subordinate terminal devices and DDoS defense can proceed smoothly. Device expansion is verified mainly by the points method deployed in the Ethereum client of the edge node.
In this embodiment, the edge device is mainly responsible for DDoS anomaly detection, DDoS anomaly detection model training and DDoS abnormal device filtering.
The block chain is formed by the Ethereum clients deployed on the edge devices, and it mainly shares information among edge nodes through the block chain consensus mechanism. An edge device running the Ethereum client can join the block chain network after passing verification, and a newly joined edge device reaches data consistency with the existing edge devices in the network through the block chain consensus mechanism.
The edge nodes detect and classify network traffic with a DDoS anomaly detection model, which distinguishes DDoS attack traffic from normal traffic with a random forest (RF) algorithm in the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and time;
(3) extracting a feature vector from each packet group;
(4) feeding the extracted feature vectors as test data into the random forest and determining the category of the test data by voting on the classification results.
Random decision forests were proposed by Ho of Bell Laboratories and later developed into the random forest algorithm. The algorithm combines Breiman's bootstrap aggregating idea with Ho's random subspace method to build a set of decision trees. A random forest is a classifier made up of many decision trees; its output class is determined by counting the outputs of all the decision trees, and the class with the most votes is the final output of the random forest.
The principle is as follows. When n draws are made with replacement from n DDoS abnormal traffic samples, the same sample may certainly be selected more than once. Let U(k) denote the expected number of distinct DDoS abnormal traffic samples obtained after the k-th draw, so that U(k-1) is the expected number of distinct DDoS abnormal traffic samples after the (k-1)-th draw.
After the (k-1)-th draw, U(k-1) distinct DDoS abnormal traffic samples have been drawn and n - U(k-1) samples have not yet been drawn. At the k-th draw, a not-yet-drawn DDoS abnormal traffic sample is selected with probability (n - U(k-1))/n. Therefore:
Figure BDA0002776717040000101
where U(1) = 1. Therefore, the expected number of distinct DDoS abnormal traffic samples after k draws with replacement is:
Figure BDA0002776717040000102
Using the properties of a geometric series, we get:
Figure BDA0002776717040000103
When n is sufficiently large and k = n:
Figure BDA0002776717040000104
That is, each bootstrap resample of n draws covers only about 63.2% of the distinct samples.
The random forest is built as follows:
(1) Bootstrap resampling with replacement from the DDoS abnormal traffic training set selects n DDoS abnormal traffic samples, so that each tree has a different training set, and each training set contains repeated DDoS abnormal traffic training samples.
(2) K attributes are selected from all attributes of the DDoS abnormal traffic, and the optimal attribute among them is chosen as the splitting node to build a decision tree.
(3) The above steps are repeated m times to build m decision trees.
(4) The m decision trees form the random forest, and the class of the test data is decided by voting over the classification results of the trees.
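As an added illustration of the bootstrap derivation and the random forest construction above (example code written for this page, not code from the patent or its authors), the following Python computes the closed form 1 - (1 - 1/n)^k for the expected fraction of distinct samples after k draws with replacement, checks it empirically against bootstrap resampling, and builds a small random forest from scratch: one bootstrap resample per tree, K randomly chosen attributes per node, and majority voting. The four-dimensional flow feature vectors (connections per second, packets per second, mean bytes per packet, flow duration) and their value ranges are constructed for the example, and the tree depth, m and K are assumptions, not values from the patent.

```python
import random
from collections import Counter


def expected_distinct_fraction(n, k):
    """Closed form of the derivation: expected distinct fraction after k draws from n."""
    return 1.0 - (1.0 - 1.0 / n) ** k


def bootstrap_indices(n, rng):
    """One bootstrap resample: n indices drawn with replacement."""
    return [rng.randrange(n) for _ in range(n)]


def empirical_distinct_fraction(n, trials, seed=0):
    """Average distinct fraction over several bootstrap resamples (about 0.632 for large n)."""
    rng = random.Random(seed)
    return sum(len(set(bootstrap_indices(n, rng))) for _ in range(trials)) / (trials * n)


def gini(labels):
    total = len(labels)
    return 1.0 - sum((c / total) ** 2 for c in Counter(labels).values())


def best_split(rows, labels, attrs):
    """Best (attribute, threshold) among the K candidate attributes by weighted Gini."""
    best = None
    for a in attrs:
        for thr in sorted({r[a] for r in rows}):
            left = [l for r, l in zip(rows, labels) if r[a] <= thr]
            right = [l for r, l in zip(rows, labels) if r[a] > thr]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, a, thr)
    return best


def build_tree(rows, labels, k, depth, rng):
    majority = Counter(labels).most_common(1)[0][0]
    if depth == 0 or gini(labels) == 0.0:
        return ("leaf", majority)
    attrs = rng.sample(range(len(rows[0])), k)      # random subspace: K attributes per node
    split = best_split(rows, labels, attrs)
    if split is None:
        return ("leaf", majority)
    _, a, thr = split
    li = [i for i, r in enumerate(rows) if r[a] <= thr]
    ri = [i for i, r in enumerate(rows) if r[a] > thr]
    return ("node", a, thr,
            build_tree([rows[i] for i in li], [labels[i] for i in li], k, depth - 1, rng),
            build_tree([rows[i] for i in ri], [labels[i] for i in ri], k, depth - 1, rng))


def predict_tree(tree, row):
    while tree[0] == "node":
        _, a, thr, left, right = tree
        tree = left if row[a] <= thr else right
    return tree[1]


def build_forest(rows, labels, m, k, depth=4, seed=0):
    """m trees, each trained on its own bootstrap resample of the training set."""
    rng = random.Random(seed)
    forest = []
    for _ in range(m):
        idx = bootstrap_indices(len(rows), rng)
        forest.append(build_tree([rows[i] for i in idx], [labels[i] for i in idx], k, depth, rng))
    return forest


def predict_forest(forest, row):
    """Majority vote over the trees' classifications."""
    return Counter(predict_tree(t, row) for t in forest).most_common(1)[0][0]


def make_flows(count, seed):
    """Constructed flow feature vectors (not real captures):
    [connections/s, packets/s, mean bytes per packet, flow duration s]."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(count):
        if rng.random() < 0.5:
            rows.append([rng.uniform(1, 10), rng.uniform(1, 50), rng.uniform(200, 1500), rng.uniform(1, 60)])
            labels.append("normal")
        else:
            rows.append([rng.uniform(100, 1000), rng.uniform(300, 3000), rng.uniform(40, 120), rng.uniform(0.01, 2)])
            labels.append("ddos")
    return rows, labels


def forest_accuracy(seed=1):
    train_x, train_y = make_flows(200, seed)
    test_x, test_y = make_flows(100, seed + 1)
    forest = build_forest(train_x, train_y, m=15, k=2, seed=seed)
    hits = sum(predict_forest(forest, x) == y for x, y in zip(test_x, test_y))
    return hits / len(test_x)


if __name__ == "__main__":
    print(round(expected_distinct_fraction(1000, 1000), 3))
    print(round(empirical_distinct_fraction(1000, 50), 3))
    print(forest_accuracy())
```

Because the constructed classes are well separated on every attribute, the forest reaches near-perfect accuracy; on real traffic the value of the K-attribute random subspace step is that trees do not all split on the same dominant feature, which is what makes the vote informative.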
When a DDoS attack is present in the network environment, an edge node uploads an information summary of the DDoS abnormal traffic information to the blockchain through the device information sharing smart contract, and the blockchain synchronizes that summary to the other edge nodes through the blockchain consensus mechanism.
Information sharing among the edge nodes comprises terminal device information sharing, sharing of the information summary of DDoS abnormal traffic information, and sharing of the detailed DDoS abnormal traffic information. In this embodiment a device information sharing smart contract is written, and a dual-chain (Strong-Chain, S-Chain) information sharing model is designed to share information between edge nodes under the PoW consensus mechanism of the Ethereum blockchain platform.
As shown in fig. 3, the information sharing model is the S-Chain model, composed of two private chains: a device filtering chain and a device information chain. The device filtering chain mainly stores the information summary of DDoS abnormal traffic information, which comprises the attacker IP address, the attacker MAC address and the victim IP address; its purpose is to synchronize the DDoS abnormal traffic information detected by one edge node to the other edge nodes as early as possible, so that attacked edge nodes can accurately and quickly filter the devices initiating the DDoS attack. The device information chain stores the detailed DDoS abnormal traffic information and synchronizes it to the other edge nodes through the blockchain consensus mechanism; it mainly supplies the latest DDoS abnormal traffic information for retraining the model when the DDoS attack detection model can no longer detect DDoS abnormal traffic accurately, so that the detection model always keeps a high recognition rate.
In a blockchain network with a device information sharing smart contract, the S-Chain information sharing model shares DDoS abnormal traffic information among edge nodes through the following process.
(1) When no DDoS attack is present in the network environment, an edge node uploads the detailed DDoS abnormal traffic information to the blockchain through the device information sharing smart contract, and the blockchain synchronizes it to the other edge nodes through the blockchain consensus mechanism;
(2) the blockchain consists of two kinds of blocks, genesis blocks and normal blocks, and the data blocks are linked in time order into a chain data structure;
(3) after receiving the synchronized information, the other edge nodes first verify the identity of the sender and the legality of the information sent. Only when both checks pass do they update the local information summary library and the detailed information library of DDoS abnormal traffic information.
Genesis block: the first block in the blockchain, with block number 0. It is the only block in the chain that does not point to a previous block, and it contains no transaction information. Synchronization between edge nodes is governed by the genesis block: if two peer edge nodes in the network have the same genesis block, they pair with each other and synchronize blocks; otherwise they reject each other.
Normal blocks: every block in the blockchain other than the genesis block is a normal block. Each block consists of a block header and a block body. The block header contains three groups of metadata: the first group holds the index data linking to the previous block and the parent block hash; the second group holds the mining difficulty, nonce and timestamp used for proof of work, the nonce serving as the counter of the proof-of-work algorithm; the third group holds the Merkle tree root, which summarizes all transaction data in the block and allows it to be checked quickly. The block body mainly holds the transaction data (TX), comprising the DDoS abnormal traffic information and the points.
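The block layout and the checks a receiving edge node performs before accepting synchronized information (genesis comparison, parent-hash linkage, proof of work, Merkle root, sender identity and legality of the summary) are shown below as an added Python example; it is written for this page and is not the patent's or any Ethereum client's code. The per-node HMAC keys that stand in for sender identity are an assumption of the example (an Ethereum client would verify ECDSA signatures), and the IP and MAC values are constructed.

```python
import hashlib
import hmac
import json

# Constructed per-edge-node keys standing in for sender identity (assumption of the example).
NODE_KEYS = {"edge-A": b"constructed-key-A", "edge-B": b"constructed-key-B"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes and tags are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(txs) -> str:
    """Merkle root over the block body (third header metadata group)."""
    if not txs:
        return sha256_hex(b"")
    layer = [sha256_hex(canonical(tx)) for tx in txs]
    while len(layer) > 1:
        if len(layer) % 2:                       # duplicate the last leaf on an odd layer
            layer.append(layer[-1])
        layer = [sha256_hex((layer[i] + layer[i + 1]).encode()) for i in range(0, len(layer), 2)]
    return layer[0]


def header_hash(header) -> str:
    return sha256_hex(canonical(header))


def make_summary_tx(sender, attacker_ip, attacker_mac, victim_ip):
    """Information-summary transaction: the three fields the device filtering chain stores."""
    payload = {"attacker_ip": attacker_ip, "attacker_mac": attacker_mac, "victim_ip": victim_ip}
    tag = hmac.new(NODE_KEYS[sender], canonical(payload), "sha256").hexdigest()
    return {"sender": sender, "payload": payload, "tag": tag}


def tx_is_legal(tx) -> bool:
    """Sender identity (known node, valid tag) and legality (all summary fields present)."""
    key = NODE_KEYS.get(tx.get("sender"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(tx["payload"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tx["tag"]):
        return False
    return all(k in tx["payload"] for k in ("attacker_ip", "attacker_mac", "victim_ip"))


def genesis_block():
    """Block 0: no parent, no transactions."""
    header = {"index": 0, "parent_hash": "0" * 64, "difficulty": 0, "nonce": 0,
              "timestamp": 0, "merkle_root": merkle_root([])}
    return {"header": header, "body": []}


def mine_block(prev, txs, difficulty, timestamp):
    """Proof of work: count the nonce up until the header hash has `difficulty` leading zeros."""
    header = {"index": prev["header"]["index"] + 1, "parent_hash": header_hash(prev["header"]),
              "difficulty": difficulty, "nonce": 0, "timestamp": timestamp,
              "merkle_root": merkle_root(txs)}
    while not header_hash(header).startswith("0" * difficulty):
        header["nonce"] += 1
    return {"header": header, "body": txs}


def chain_is_valid(chain, my_genesis) -> bool:
    """The checks a receiving edge node runs before updating its local summary library."""
    if header_hash(chain[0]["header"]) != header_hash(my_genesis["header"]):
        return False                             # different genesis block: peers reject each other
    for prev, blk in zip(chain, chain[1:]):
        h = blk["header"]
        if h["index"] != prev["header"]["index"] + 1:
            return False
        if h["parent_hash"] != header_hash(prev["header"]):
            return False
        if not header_hash(h).startswith("0" * h["difficulty"]):
            return False
        if h["merkle_root"] != merkle_root(blk["body"]):
            return False
        if not all(tx_is_legal(tx) for tx in blk["body"]):
            return False
    return True


def build_demo_chain():
    """Constructed chain: genesis plus one mined block carrying a summary from edge-A."""
    g = genesis_block()
    tx = make_summary_tx("edge-A", "192.0.2.10", "02:00:00:00:00:a1", "192.0.2.40")
    return g, [g, mine_block(g, [tx], difficulty=2, timestamp=1700000000)]


def validity_after_tamper():
    """Alter the attacker IP inside a mined block; Merkle root and tag no longer match."""
    g, chain = build_demo_chain()
    tampered = json.loads(json.dumps(chain))
    tampered[1]["body"][0]["payload"]["attacker_ip"] = "192.0.2.99"
    return chain_is_valid(tampered, g)
```

The tamper test shows why the Merkle root belongs in the header: changing one field of one summary changes the root, which in turn invalidates the proof of work, so a node cannot silently rewrite a filtering entry after the block has been synchronized.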
Once the information summary of the DDoS abnormal traffic information has been added successfully, the device filtering smart contract is triggered automatically; it computes according to a preset rule and finally sends the filtering information to the Ethereum client of the corresponding edge node. An edge node that was not harmed but filtered abnormal devices thanks to this information provides a points reward to the edge node that published the DDoS abnormal traffic information.
In this embodiment an attack device filtering rule is configured in the device filtering smart contract, and the blockchain sends DDoS attack device filtering information to the edge nodes through that contract, based on the rule and the DDoS abnormal traffic information. The attack device filtering rule is: abnormal devices are graded according to the characteristics of the DDoS attack, and the filtering order of the devices is then arranged by danger level. As shown in Table 1, the DDoS danger level (DL) is established from the grading rules and weights of the DDoS attack. The calculation formula is:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
Table 1. Scoring rules and weight distribution:

Scoring rule                                Weight (%)
Number of connections (N)                   5
Connection period (T)                       5
Connection duration (t)                     20
Frequency of transmitted data packets (F)   40
Byte count from source to target (B)        30
As shown in fig. 2, the edge node filters attackers through defense models, which comprise a gratuitous (free) defense model and a paid defense model.
The gratuitous defense model applies when the attacker and the victim belong to the same edge node. After detecting DDoS abnormal traffic information, the edge node looks up the IP address and MAC address of the attacker from that information, and when filtering DDoS abnormal devices it filters both the attacker's IP address and the MAC address of the subordinate terminal device that is the attacker;
The paid defense model applies when the attacker and the victim belong to different edge nodes. After detecting DDoS abnormal traffic information, the edge node broadcasts it to the blockchain through the device information sharing smart contract. The other edge nodes, on receiving it, look up the attacker's IP and MAC addresses from the information; if an attacker or a victim is among the terminal devices subordinate to a receiving edge node, that node filters the attacker or the impersonating device and at the same time provides points to the edge node that supplied the DDoS abnormal traffic information. If neither an attacker nor a victim is among a receiving node's subordinate terminal devices, the node queries the DDoS abnormal traffic information whenever a new terminal device joins it; if the information shared by the publishing edge node helps the receiving node block access by a malicious device, the receiving node provides points to the edge node that supplied the DDoS abnormal traffic information.
As shown in fig. 3, the blockchain-based DDoS attack joint defense system provided by the present invention is carried out jointly by all internet of things devices participating in the system, namely the edge devices and the terminal devices.
As shown by the sparse dotted line in fig. 3, when terminal device A1 is used as the DDoS attack initiator to attack terminal device D1 (the victim), edge node A detects the abnormal communication behaviour of terminal device A1 and shares the information of terminal device A1 (its IP address, MAC address, connections per second, and the victim's IP) as DDoS abnormal traffic information through the S-Chain information sharing model. On receiving the shared information, edge nodes B, C and D update their local abnormal device information tables and, using the MAC address of terminal device A1, query whether a counterfeiter or a victim exists among their subordinate terminal devices (as shown by the dashed line in fig. 3, terminal device A1 forges the IP address of terminal device B2 to launch a persistent attack on terminal device D1, causing excessive consumption of internet of things device resources).
Edge node B (the edge node where the counterfeiter exists): by looking up the MAC address in its local abnormal device information table and the victim's IP address, edge node B finds that its subordinate terminal device B2 is the counterfeiter (and that there is no victim), and shares the information of terminal device B2 into the network. Since edge node B filtered the counterfeiter using the DDoS abnormal traffic information provided by edge node A, it provides information sharing points to edge node A.
Edge node C (a normal edge node): by looking up the MAC address in its local abnormal device information table and the victim's IP address, edge node C finds that neither a counterfeiter nor a victim exists among its subordinate terminal devices, so for the time being it need not provide information sharing points to edge node A. When a new terminal device joins edge node C, edge node C automatically checks whether the MAC address of that device is in the local abnormal device information table; if so, the device is refused, and edge node C provides information sharing points to edge node A.
Edge node D (the edge node with the victim): by looking up the MAC address in its local abnormal device information table and the victim's IP address, edge node D finds that the victim exists among its subordinate terminal devices (and that there is no counterfeiter) and provides information sharing points to edge node A and edge node B. When edge nodes A and B receive the information sharing points from edge node D, they filter their subordinate terminal devices A1 and B2 respectively.
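The paid defense model and the fig. 3 scenario above can be replayed as a small simulation; the following Python is an added example for this page, not code from the patent or its authors. It models each edge node's local abnormal device information table, the lookup that distinguishes a counterfeiter (a subordinate device whose IP appears as the attacker IP under a different MAC) from a victim (a subordinate device holding the victim IP), the points paid to the publishing node, and the join-time MAC check. The device names, MAC and IP values are constructed; the second-hop share of B2's information (and D's payment to B) is omitted for brevity, and the rule that the origin filters its own attacker once it has been rewarded is a simplification of the text.

```python
from dataclasses import dataclass, field


@dataclass
class EdgeNode:
    name: str
    devices: dict                                   # subordinate terminal devices: MAC -> IP (constructed)
    abnormal: dict = field(default_factory=dict)    # local abnormal device information table: MAC -> summary
    blocked: set = field(default_factory=set)       # filtered MAC addresses
    points: int = 0                                 # information sharing points earned

    def local_roles(self, summary):
        """Counterfeiter: a subordinate holds the attacker IP but is not the attacker MAC
        (its address was spoofed). Victim: a subordinate holds the victim IP."""
        fakes = [m for m, ip in self.devices.items()
                 if ip == summary["attacker_ip"] and m != summary["attacker_mac"]]
        victims = [m for m, ip in self.devices.items() if ip == summary["victim_ip"]]
        return fakes, victims


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def share(self, origin, summary):
        """Origin publishes a summary; other nodes update their tables, filter, and pay points."""
        log = []
        for node in self.nodes.values():
            if node.name == origin:
                continue
            node.abnormal[summary["attacker_mac"]] = dict(summary, origin=origin)
            fakes, victims = node.local_roles(summary)
            for mac in fakes:                       # filter the counterfeiter, pay the origin
                node.blocked.add(mac)
                self.nodes[origin].points += 1
                log.append((node.name, "filtered counterfeiter", mac))
            if victims:                             # the victim's node pays the origin
                self.nodes[origin].points += 1
                log.append((node.name, "victim present", victims[0]))
        if self.nodes[origin].points:               # simplification: origin filters its attacker once rewarded
            self.nodes[origin].blocked.add(summary["attacker_mac"])
        return log

    def join(self, node_name, mac, ip):
        """Join-time check: a MAC found in the abnormal table is refused and the entry's origin is paid."""
        node = self.nodes[node_name]
        entry = node.abnormal.get(mac)
        if entry is not None:
            node.blocked.add(mac)
            self.nodes[entry["origin"]].points += 1
            return False
        node.devices[mac] = ip
        return True


def run_scenario():
    """Constructed replay of fig. 3: A1 (under A) attacks D1 (under D) while spoofing B2's IP (B2 under B)."""
    a = EdgeNode("A", {"02:00:00:00:00:a1": "198.51.100.11"})
    b = EdgeNode("B", {"02:00:00:00:00:b2": "198.51.100.22"})
    c = EdgeNode("C", {"02:00:00:00:00:c3": "198.51.100.33"})
    d = EdgeNode("D", {"02:00:00:00:00:d1": "198.51.100.41"})
    net = Network([a, b, c, d])
    summary = {"attacker_ip": "198.51.100.22",        # spoofed: B2's address
               "attacker_mac": "02:00:00:00:00:a1",   # real sender: A1
               "victim_ip": "198.51.100.41"}
    log = net.share("A", summary)
    admitted = net.join("C", "02:00:00:00:00:a1", "198.51.100.34")   # A1 later tries to join C
    return {"log": log, "admitted": admitted,
            "points": {n: net.nodes[n].points for n in "ABCD"},
            "blocked": {n: sorted(net.nodes[n].blocked) for n in "ABCD"}}


if __name__ == "__main__":
    print(run_scenario())
```

Note that the counterfeiter test keys on the MAC address: the summary's attacker IP belongs to B2, so matching on IP alone would wrongly mark B2 as the attacker rather than as the device whose address was spoofed.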
Assuming a DDoS attack initiating device launches a DDoS attack on some terminal device in the blockchain network, the workflow of the blockchain-based DDoS attack joint defense system is as follows:
(1) the DDoS attack detection model deployed on the edge nodes automatically identifies abnormal DDoS attack traffic;
(2) the edge node uploads the information summary of the DDoS abnormal traffic information to the device filtering chain through the device filtering information sharing smart contract, and the other edge nodes synchronize the summary among all edge nodes through the blockchain consensus mechanism (when no DDoS attack is present in the network, the edge device uploads the detailed information of the most recently detected DDoS abnormal traffic to the device information chain through the device information sharing smart contract, and the other edge nodes synchronize that detailed information among all edge nodes through the same consensus mechanism);
(3) DDoS attack device filtering information is sent to the edge nodes through the device filtering smart contract, according to the shared DDoS abnormal traffic information and the attack device filtering rule;
(4) the edge nodes filter the attack devices according to the received filtering information, provide a points reward to the providers of the filtering information (the edge devices that supplied the DDoS abnormal information), and use the points preferentially to update the DDoS attack detection model so that it keeps detecting the latest DDoS attacks.
An edge node can train its local DDoS anomaly detection model on the DDoS abnormal traffic information it has detected, optimizing the model parameters, and other edge nodes that have earned points obtain the optimized parameters from that edge node through a blockchain transaction. The points and the optimized parameters are the objects of the transaction: the optimized parameters are acquired in exchange for points through a blockchain transaction, using an existing public blockchain transaction mode.
Example 2:
The blockchain-based DDoS attack joint defense method filters DDoS attack initiating devices through the blockchain-based DDoS attack joint defense system disclosed in Example 1.
As shown in fig. 4, the method comprises the steps of:
S100, the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it in the local data of the edge device, and uploads it to the blockchain through the device information sharing smart contract; the blockchain shares the information among all edge nodes through the blockchain consensus mechanism;
S200, based on the attack device filtering rule and the DDoS abnormal traffic information, the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract;
S300、。
An attack device filtering rule is configured in the device filtering smart contract, and the blockchain sends DDoS attack device filtering information to the edge nodes through that contract, based on the rule and the DDoS abnormal traffic information. In this embodiment the attack device filtering rule is: abnormal devices are graded according to the characteristics of the DDoS attack, and the filtering order of the devices is then arranged by danger level. The DDoS danger level (DL) is formulated from the grading rules and weights of the DDoS attack. The calculation formula is:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
where N denotes the number of connections, T the connection period, t the connection duration, F the frequency of transmitted data packets, and B the byte count from source to destination.
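The following Python applies the DL formula (given with Table 1 in Example 1 and restated with its variable definitions just above) to packet records grouped by device and time window, and returns the devices in filtering order. It is an added example for this page, not the patent's own code. The patent names the five inputs but does not define their units or scale, so several points are assumptions of the example: the packet record layout, the mapping of N, T, t, F and B onto counts, mean inter-arrival time, duration, packet rate and total bytes, the 60 s window, and the min-max scaling of each feature to 0..100 across the observed devices before the weights are applied (without some scaling the raw byte count would dominate the weighted sum). The packet records are constructed.

```python
from collections import defaultdict
from statistics import mean

# Weights from the DL formula in the text, as fractions.
WEIGHTS = {"N": 0.05, "T": 0.05, "t": 0.20, "F": 0.40, "B": 0.30}


def make_packets():
    """Constructed packet records (not a real capture): (timestamp_s, source_mac, connection_id, bytes)."""
    pkts = []
    for i in range(200):        # flooding device: 200 distinct connections within 2 s
        pkts.append((i * 0.01, "aa:aa:aa:aa:aa:01", f"a{i}", 60))
    for i in range(10):         # ordinary device: 10 packets over 2 connections in 45 s
        pkts.append((i * 5.0, "bb:bb:bb:bb:bb:02", f"b{i % 2}", 800))
    for i in range(3):          # quiet device: 3 packets on one connection
        pkts.append((i * 20.0, "cc:cc:cc:cc:cc:03", "c0", 500))
    return pkts


def group_by_device_and_window(packets, window_s=60.0):
    """Step (2) of the detection pipeline: group packets by device and time window."""
    groups = defaultdict(list)
    for ts, mac, conn, nbytes in packets:
        groups[(mac, int(ts // window_s))].append((ts, conn, nbytes))
    return groups


def raw_features(group):
    """Assumed mapping of the five scoring inputs onto a packet group."""
    ts = sorted(p[0] for p in group)
    duration = ts[-1] - ts[0]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "N": len({p[1] for p in group}),                        # number of connections
        "T": mean(gaps) if gaps else 0.0,                       # connection period (mean inter-arrival)
        "t": duration,                                          # connection duration
        "F": len(group) / duration if duration > 0 else float(len(group)),  # packet frequency
        "B": sum(p[2] for p in group),                          # bytes from source to target
    }


def min_max_scale(feature_table):
    """Scale each feature to 0..100 across devices (assumption; the patent gives no scale)."""
    keys = list(WEIGHTS)
    lo = {k: min(f[k] for f in feature_table.values()) for k in keys}
    hi = {k: max(f[k] for f in feature_table.values()) for k in keys}
    return {dev: {k: 0.0 if hi[k] == lo[k] else (f[k] - lo[k]) / (hi[k] - lo[k]) * 100.0
                  for k in keys}
            for dev, f in feature_table.items()}


def danger_level(scaled):
    """DL = N*5% + T*5% + t*20% + F*40% + B*30% on the scaled inputs."""
    return sum(WEIGHTS[k] * scaled[k] for k in WEIGHTS)


def filtering_order(packets, window_s=60.0):
    """Devices ranked by DL, highest first: the order in which the contract would filter them."""
    table = {dev: raw_features(g) for dev, g in group_by_device_and_window(packets, window_s).items()}
    scaled = min_max_scale(table)
    return sorted(((dev[0], danger_level(s)) for dev, s in scaled.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for mac, dl in filtering_order(make_packets()):
        print(f"{mac}  DL={dl:.1f}")
```

With these inputs the flooding device scores highest on N, F and B and lowest on T and t, giving DL = 75 under the stated weights; the ordinary and quiet devices fall well below it, so the filtering order is the flooding device first.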
While the invention has been shown and described in detail in the drawings and in the preferred embodiments, it is not intended to limit the invention to the embodiments disclosed, and it will be apparent to those skilled in the art that various combinations of the code auditing means in the various embodiments described above may be used to obtain further embodiments of the invention, which are also within the scope of the invention.

Claims (10)

1. A blockchain-based DDoS attack joint defense system, characterized in that it comprises:
at least one terminal device, the initiating source of the DDoS attack being a terminal device;
at least one edge device, on which an Ethereum client is installed; after its validity is verified, the edge device joins the blockchain network as an edge node and broadcasts the terminal devices subordinate to it to the blockchain network;
a blockchain, on which a device information sharing smart contract and a device filtering smart contract are deployed, used to share information among all edge nodes based on the blockchain consensus mechanism;
the edge device is used to perform DDoS anomaly detection to obtain DDoS abnormal traffic information, store it in local data, and upload it to the blockchain based on the device information sharing smart contract;
based on the device filtering smart contract and the DDoS abnormal traffic information, the blockchain is used to send DDoS attack device filtering information to the edge node through the device filtering smart contract;
the edge node is used to filter DDoS attack devices based on the DDoS attack device filtering information and to reward the provider of that filtering information with points;
the edge node is used to train the DDoS anomaly detection model on DDoS abnormal traffic information and optimize its parameters, and the points support the provider of the DDoS attack device filtering information in acquiring the optimized parameters from the edge node through a blockchain transaction.
2. The blockchain-based DDoS defense system according to claim 1, wherein when a DDoS attack is present in the network environment, an edge node uploads an information summary of the DDoS abnormal traffic information to the blockchain based on the device information sharing smart contract, and the blockchain synchronizes the summary to the other edge nodes based on the blockchain consensus mechanism;
when no DDoS attack is present in the network environment, an edge node uploads the detailed DDoS abnormal traffic information to the blockchain based on the device information sharing smart contract, and the blockchain synchronizes the detailed information to the other edge nodes based on the blockchain consensus mechanism.
3. The blockchain-based DDoS defense system according to claim 2, characterized in that the blockchain is configured with an information sharing model, the S-Chain information sharing model, comprising:
a device filtering chain, used to store the information summary of the DDoS abnormal traffic information and to synchronize it to the other edge nodes based on the blockchain consensus mechanism;
a device information chain, used to store the detailed DDoS abnormal traffic information and to synchronize it to the other edge nodes based on the blockchain consensus mechanism, the detailed DDoS abnormal traffic information being used to train the DDoS anomaly detection model.
4. The blockchain-based DDoS defense system according to claim 1, wherein the edge nodes detect and classify network traffic based on a DDoS anomaly detection model;
the DDoS anomaly detection model identifies DDoS attack traffic and normal traffic through an RF algorithm, comprising the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and time window;
(3) extracting a feature vector from each packet group;
(4) using the extracted feature vectors as test data, inputting them into a random forest, and determining the class of the test data by voting over the classification results;
the random forest is constructed by the following steps:
(1) bootstrap resampling with replacement from the DDoS abnormal traffic sample set to select n DDoS abnormal traffic samples;
(2) selecting K attributes from all attributes of the DDoS abnormal traffic, and choosing the optimal attribute as a node to build a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) forming the random forest from the m decision trees.
5. The DDoS defense system according to claim 1, wherein the device filtering smart contract is configured with an attack device filtering rule, and the blockchain is configured to send DDoS attack device filtering information to the edge node through the device filtering smart contract based on the attack device filtering rule and the DDoS abnormal traffic information;
the attack device filtering rule is: abnormal devices are graded according to the DDoS attack characteristics, the filtering order of the devices is arranged by danger level, and the DDoS danger level is calculated by the following formula:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
where N denotes the number of connections, T the connection period, t the connection duration, F the frequency of transmitted data packets, and B the byte count from source to destination.
6. The blockchain-based DDoS defense system according to claim 1, characterized in that the edge nodes filter attackers through a defense model comprising:
a gratuitous defense model, applied when the attacker and the victim belong to the same edge node: after detecting DDoS abnormal traffic information, the edge node looks up the IP address and MAC address of the attacker from that information, and when filtering DDoS abnormal devices it filters the attacker's IP address and the MAC address of the subordinate terminal device that is the attacker;
a paid defense model, applied when the attacker and the victim belong to different edge nodes: after detecting DDoS abnormal traffic information, the edge node broadcasts it to the blockchain based on the device information sharing smart contract; on receiving it, the other edge nodes look up the attacker's IP and MAC addresses from the information, and if an attacker or a victim is among the terminal devices subordinate to a receiving edge node, that node filters the attacker or the impersonating device and at the same time provides points to the edge node that supplied the DDoS abnormal traffic information; if neither an attacker nor a victim is among a receiving node's subordinate terminal devices, the node queries the DDoS abnormal traffic information whenever a new terminal device joins it, and if the information shared by the publishing edge node helps the receiving node block access by a malicious device, the receiving node provides points to the edge node that supplied the DDoS abnormal traffic information.
7. The block chain based DDoS defense system according to claim 1, characterized in that said block chain consists of a genesis block and normal blocks;
the genesis block is the first block in the block chain and has block sequence number 0; two peer edge nodes in the block chain network hold the same genesis block, pair with each other and synchronize blocks;
a normal block consists of a block header and a block body, wherein the block header comprises three groups of metadata, namely a first, a second and a third metadata group: the first metadata group comprises index data, the second metadata group comprises the mining difficulty, a random number (nonce) and a timestamp, and the third metadata group comprises the Merkle tree root data;
the index data links the block to the hash value of the previous block, i.e. its parent block;
the mining difficulty, random number and timestamp are used for proof of work;
the Merkle tree root data summarizes and checks all transaction data in the block;
the block body contains transaction data, including but not limited to DDoS abnormal traffic information and credits (points).
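As an added illustration of the block layout in claim 7 (example code, not the patent's own implementation), the Python sketch below builds a deterministic genesis block and a normal block whose header carries the three metadata groups (parent hash; difficulty, nonce and timestamp for proof of work; Merkle root), then re-derives every link to validate the chain. The transaction records, the node names and the encoding of difficulty as a count of leading hex zeros are constructed assumptions.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(transactions):
    """Merkle tree root over the block body (summarizes and checks all transactions)."""
    if not transactions:
        return sha256_hex(b"")
    layer = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])  # duplicate the last leaf on odd-sized layers
        layer = [sha256_hex((layer[i] + layer[i + 1]).encode()) for i in range(0, len(layer), 2)]
    return layer[0]

def header_hash(header):
    return sha256_hex(json.dumps(header, sort_keys=True).encode())

def mine_block(index, prev_hash, transactions, difficulty, timestamp):
    """Header = index data (parent hash) + difficulty/nonce/timestamp (PoW) + Merkle root."""
    header = {"index": index, "prev_hash": prev_hash, "difficulty": difficulty,
              "nonce": 0, "timestamp": timestamp, "merkle_root": merkle_root(transactions)}
    # Assumption: difficulty = number of leading hex zeros the header hash must have.
    while not header_hash(header).startswith("0" * difficulty):
        header["nonce"] += 1  # the random number searched for during proof of work
    return {"header": header, "body": transactions, "hash": header_hash(header)}

def genesis_block():
    """Block 0: no parent, empty body, fixed timestamp, so every peer node derives the same block."""
    return mine_block(0, "0" * 64, [], 0, 0)

def validate_chain(chain):
    """Re-derive every link: sequence number, parent hash, Merkle root, header hash, PoW target."""
    for i, blk in enumerate(chain):
        h = blk["header"]
        if h["index"] != i or (i > 0 and h["prev_hash"] != chain[i - 1]["hash"]):
            return False
        if h["merkle_root"] != merkle_root(blk["body"]) or header_hash(h) != blk["hash"]:
            return False
        if not blk["hash"].startswith("0" * h["difficulty"]):
            return False
    return True

# Constructed sample body: one abnormal-flow record and one credit transfer (not real data).
SAMPLE_TXS = [
    {"type": "ddos_abnormal_flow", "provider": "edge-A", "src_ip": "10.1.0.7",
     "src_mac": "02:aa:00:00:00:07", "summary": "constructed-flood-window"},
    {"type": "credit", "from": "edge-B", "to": "edge-A", "points": 1},
]

def build_demo_chain():
    chain = [genesis_block()]
    chain.append(mine_block(1, chain[0]["hash"], SAMPLE_TXS, 2, 1605225600))  # difficulty 2 mines fast
    return chain
```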
8. A block chain based DDoS attack joint defense method, characterized in that the filtering of DDoS attack initiating devices is realized by the block chain based DDoS attack joint defense system according to any one of claims 1-7, the method comprising the steps of:
edge equipment performs DDoS anomaly detection to obtain DDoS abnormal flow information, stores it in the local data of the edge equipment and uploads it to the block chain based on the equipment information sharing intelligent contract, and the block chain realizes information sharing among edge nodes based on the block chain consensus mechanism;
based on the attack equipment filtering rule and the DDoS abnormal flow information, the block chain sends DDoS attack equipment filtering information to the edge node through the equipment filtering intelligent contract;
the edge node filters the DDoS attack equipment based on the DDoS attack equipment filtering information and provides points to the providers of the DDoS attack equipment filtering information as a reward;
the edge node trains a DDoS anomaly detection model based on the DDoS abnormal flow information and optimizes the parameters of the model, and a provider of DDoS attack equipment filtering information acquires the optimized parameters from the edge node through a points-based block chain transaction.
9. The block chain based DDoS attack joint defense method as claimed in claim 8, characterized in that, when a DDoS attack exists in the network environment, an edge node uploads an information summary of the DDoS abnormal traffic information to the block chain based on the device information sharing intelligent contract, and the block chain synchronizes the information summary to the other edge nodes based on the block chain consensus mechanism;
when no DDoS attack exists in the network environment, an edge node uploads the detailed DDoS abnormal flow information to the block chain based on the equipment information sharing intelligent contract, and the block chain synchronizes the detailed information to the other edge nodes based on the block chain consensus mechanism;
the block chain is configured with an information sharing model, namely the S-Chain information sharing model, which comprises:
a device filtering chain, used for storing the information summary of the DDoS abnormal flow information and synchronizing it to the other edge nodes based on the block chain consensus mechanism;
and a device information chain, used for storing the detailed DDoS abnormal flow information and synchronizing it to the other edge nodes based on the block chain consensus mechanism; the detailed DDoS abnormal flow information is used for training the DDoS anomaly detection model.
10. The block chain based DDoS attack joint defense method according to claim 8 or 9, characterized in that the DDoS anomaly detection model distinguishes DDoS attack traffic from normal traffic through an RF (random forest) algorithm, comprising the steps of:
(1) extracting the flow packets of the network flow to be detected;
(2) grouping the feature packets according to equipment and time;
(3) extracting a feature vector from each feature packet;
(4) inputting the extracted feature vectors as test data into the random forest and determining the category of the test data by voting over the classification results;
the random forest is constructed as follows:
(1) drawing n DDoS abnormal flow samples from the DDoS abnormal flow sample set by bootstrap re-sampling with replacement;
(2) selecting K attributes from all attributes of the DDoS abnormal flow, and choosing the optimal attribute as a node to build a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) forming a decision forest from the m decision trees;
an attack device filtering rule is configured in the device filtering intelligent contract, and the block chain sends DDoS attack device filtering information to the edge node through the device filtering intelligent contract based on the attack device filtering rule and the DDoS abnormal flow information;
the attack device filtering rule is as follows: according to the DDoS attack characteristics, the abnormal devices are graded, the filtering order of the devices is arranged according to their danger level, and the DDoS danger level is calculated by the following formula:
DL = N·5% + T·5% + t·20% + F·40% + B·30%
where N denotes the number of consecutive times, T denotes the connection period, t denotes the duration of the consecutive time, F denotes the frequency of sending data packets, and B denotes the source-to-destination byte count.
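An added Python sketch (example code, not the patent's own implementation) of the attack-device filtering rule in claim 10 combined with the gratuitous and paid crediting of claims 6 and 8: constructed abnormal-flow records are graded by DL, and two edge nodes apply the ranked list, filtering the attackers among their own terminal devices and paying points to the provider only when the information came from another node. The pre-scaling of the five features to 0..100, the node names and the addresses are assumptions; the claim does not say how counts, seconds and bytes are normalized before weighting.

```python
# Weights from the claim's danger-level formula: DL = N·5% + T·5% + t·20% + F·40% + B·30%
WEIGHTS = {"N": 0.05, "T": 0.05, "t": 0.20, "F": 0.40, "B": 0.30}

def danger_level(flow):
    """DL for one abnormal-flow record. Assumption: each feature is pre-scaled to 0..100,
    otherwise the raw byte count B would swamp the other terms regardless of the weights."""
    return sum(w * flow[k] for k, w in WEIGHTS.items())

def filtering_order(flows):
    """Attack-device filtering rule: grade devices by DL and filter the most dangerous first."""
    return sorted(flows, key=danger_level, reverse=True)

class EdgeNode:
    """Edge node with its subordinate terminal devices (MAC -> IP) and a points ledger."""
    def __init__(self, name, devices):
        self.name = name
        self.devices = devices
        self.filtered = []      # (ip, mac) pairs blocked, in filtering order
        self.points_owed = {}   # provider name -> points to settle on chain

    def apply_filtering_info(self, provider, ranked_flows):
        """Filter attackers among own devices (IP and MAC both match, as in claim 6).
        Paid model: pay the provider if its info helped. Gratuitous model: provider is
        this node itself, so no points change hands."""
        helped = False
        for f in ranked_flows:
            if self.devices.get(f["mac"]) == f["ip"]:
                self.filtered.append((f["ip"], f["mac"]))
                helped = True
        if helped and provider != self.name:
            self.points_owed[provider] = self.points_owed.get(provider, 0) + 1
        return helped

# Constructed abnormal-flow records (features already scaled to 0..100), not real telemetry.
FLOWS = [
    {"ip": "10.1.0.7", "mac": "02:aa:00:00:00:07", "N": 40, "T": 20, "t": 60, "F": 80, "B": 90},
    {"ip": "10.1.0.9", "mac": "02:aa:00:00:00:09", "N": 90, "T": 90, "t": 10, "F": 10, "B": 10},
    {"ip": "10.2.0.3", "mac": "02:bb:00:00:00:03", "N": 20, "T": 20, "t": 50, "F": 60, "B": 40},
]

def run_demo():
    """edge-A detects FLOWS and shares them; edge-B receives them via the filtering contract."""
    edge_a = EdgeNode("edge-A", {"02:aa:00:00:00:07": "10.1.0.7", "02:aa:00:00:00:09": "10.1.0.9"})
    edge_b = EdgeNode("edge-B", {"02:bb:00:00:00:03": "10.2.0.3"})
    ranked = filtering_order(FLOWS)
    edge_a.apply_filtering_info("edge-A", ranked)  # gratuitous: attacker under the same node
    edge_b.apply_filtering_info("edge-A", ranked)  # paid: attacker under a different node
    return ranked, edge_a, edge_b
```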
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011267709.XA CN112491823B (en) 2020-11-13 2020-11-13 DDoS attack joint defense system and method based on block chain
PCT/CN2021/082097 WO2022099966A1 (en) 2020-11-13 2021-03-22 Blockchain-based ddos attack joint defense system and method

Publications (2)

Publication Number Publication Date
CN112491823A true CN112491823A (en) 2021-03-12
CN112491823B CN112491823B (en) 2022-07-19

Also Published As

Publication number Publication date
WO2022099966A1 (en) 2022-05-19
CN112491823B (en) 2022-07-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant