CN112491823B - DDoS attack joint defense system and method based on block chain - Google Patents
DDoS attack joint defense system and method based on block chain
- Publication number: CN112491823B (application CN202011267709.XA)
- Authority: CN (China)
- Prior art keywords: ddos, information, block chain, abnormal flow, equipment
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/1458—Denial of Service
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1425—Traffic logging, e.g. anomaly detection
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0227—Filtering policies
        - H04L63/0263—Rule management
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/10—Protocols in which an application is distributed across nodes in the network
        - H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The invention discloses a blockchain-based DDoS attack joint defense system and method. It belongs to the technical field of DDoS attack defense and aims to solve the technical problem of achieving safe, fast and effective defense against DDoS attacks. The system comprises: at least one terminal device; at least one edge device, each running an Ethereum client; and a blockchain on which a device information sharing smart contract and a device filtering smart contract are deployed, used to share information among all edge nodes through the blockchain consensus mechanism. The edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores that information locally, and uploads it to the blockchain through the device information sharing smart contract.
Description
Technical Field
The invention relates to the technical field of DDoS attack defense, and in particular to a blockchain-based DDoS attack joint defense system and method.
Background
With the rapid development of 5G and the Internet of Things (IoT), the interconnection of everything has become an irreversible trend. Security is ignored in the system design of most IoT devices, and attackers can easily use the vulnerabilities of IoT devices as new tools for traditional network attacks (malware such as Mirai and Aidra infects smart devices) to launch DDoS (distributed denial of service) attacks, causing serious consequences such as denial of service at the target and related services going offline.
The traditional way of dealing with DDoS attacks is to defend at the attacked target, but because the high-rate packet arrival data and the connection context are lacking there, a deployment at the attacked target can only perform limited statistical analysis, so the error rate of the analysis result is high. To overcome the defect of detecting DDoS at the attacked target, DDoS abnormal traffic can instead be detected at the source that initiates the attack. In an edge node network, the edge node controls the communication of the IoT terminal devices under its jurisdiction, so the edge node can be designated to perform abnormal traffic detection and filtering for the IoT devices it manages.
In an edge node environment the attacker and the victim are in most cases not in the same network domain, and purely intra-domain defense cannot achieve the best effect, so intra-domain detection should be extended to inter-domain cooperation in which all edge nodes in the whole network take part in DDoS defense. The Software Defined Networking (SDN) architecture was developed to overcome the defects of the traditional network architecture: it separates network control from the forwarding devices, and the controller obtains a global view of the network, with high reliability, simplicity and flexibility, which can effectively solve the inter-domain communication problem. However, the centralized network control of SDN carries the risk of a single point of attack, which remains a hidden danger to the system.
Based on the above, how to achieve safe, fast and effective defense against DDoS attacks is the technical problem to be solved.
Disclosure of Invention
The technical task of the invention is to provide a blockchain-based DDoS attack joint defense system and method that address the above defects, so as to solve the technical problem of achieving safe, fast and effective defense against DDoS attacks.
In a first aspect, the present invention provides a blockchain-based DDoS attack joint defense system, including:
at least one terminal device, the terminal devices being the initiating source of a DDoS attack;
at least one edge device, on which an Ethereum client is installed; after its validity is verified, the edge device joins the blockchain network as an edge node and broadcasts the terminal devices subordinate to it to the blockchain network;
a blockchain, on which a device information sharing smart contract and a device filtering smart contract are deployed, used to share information among all edge nodes through the blockchain consensus mechanism;
the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it locally, and uploads it to the blockchain through the device information sharing smart contract;
based on the attack device filtering rule and the DDoS abnormal traffic information, the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract;
the edge node filters the DDoS attack devices based on the DDoS attack device filtering information and awards points to the provider of that filtering information;
the edge nodes train the DDoS anomaly detection model on the DDoS abnormal traffic information and optimize the parameters of the model, and the points allow a provider of DDoS attack device filtering information to obtain the optimized parameters from the edge nodes by way of a blockchain transaction.
Preferably, when a DDoS attack is present in the network environment, the edge node uploads a digest of the DDoS abnormal traffic information to the blockchain through the device information sharing smart contract, and the blockchain synchronizes the digest to the other edge nodes through the blockchain consensus mechanism;
when no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the blockchain through the device information sharing smart contract, and the blockchain synchronizes the detailed information to the other edge nodes through the blockchain consensus mechanism.
Preferably, the blockchain is configured with an information sharing model, which is an S-Chain information sharing model comprising:
a device filtering chain, which stores the digest of the DDoS abnormal traffic information and synchronizes it to the other edge nodes through the blockchain consensus mechanism;
and a device information chain, which stores the detailed DDoS abnormal traffic information and synchronizes it to the other edge nodes through the blockchain consensus mechanism; the detailed information is used to train the DDoS anomaly detection model.
Preferably, the edge node detects and classifies network traffic with a DDoS anomaly detection model;
the DDoS anomaly detection model distinguishes DDoS attack traffic from normal traffic with a random forest (RF) algorithm, comprising the following steps:
(1) extracting the flow packets of the network traffic to be detected;
(2) grouping the packets by device and by time;
(3) extracting a feature vector from each packet group;
(4) feeding the extracted feature vectors into the random forest as test data, and determining the class of the test data by voting on the classification results;
the random forest is constructed as follows:
(1) drawing n DDoS abnormal traffic samples from the DDoS abnormal traffic sample set by bootstrap resampling (sampling with replacement);
(2) selecting K attributes from all attributes of the DDoS abnormal traffic, and choosing the best of them as the node of a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) combining the m decision trees into a decision forest.
Preferably, the device filtering smart contract is configured with an attack device filtering rule, and the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract based on that rule and the DDoS abnormal traffic information;
the attack device filtering rule is as follows: abnormal devices are graded according to their DDoS attack characteristics, the filtering order of the devices is arranged by danger level, and the DDoS danger level is calculated by the formula:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
where N is the count of consecutive occurrences, T is the connection period, t is the duration of the consecutive occurrences, F is the packet-sending frequency, and B is the source-to-destination byte count.
Preferably, the edge node filters attackers with a defense model, and the defense model includes:
a gratuitous defense model, applied when the attacker and the victim belong to the same edge node: after detecting DDoS abnormal traffic information, the edge node looks up the IP address and MAC address of the attacker from that information, and during the DDoS abnormal device filtering process filters the attacker's IP address and the MAC address of the attacker's subordinate terminal device;
a paid defense model, applied when the attacker and the victim belong to different edge nodes: after detecting DDoS abnormal traffic information, the edge node broadcasts it to the blockchain through the device information sharing smart contract; on receiving it, the other edge nodes look up the attacker's IP address and MAC address from the information, and if the attacker or the victim is among the terminal devices of a receiving edge node, that node filters the attacker or the victim and awards points to the edge node that provided the information; if neither the attacker nor the victim is among the receiving node's terminal devices, then whenever a new terminal device later joins that node, the shared DDoS abnormal traffic information is queried, and if the information shared by the publishing edge node helps the receiving node to block the access of the malicious device, the receiving node awards points to the edge node that provided the information.
Preferably, the blockchain consists of a genesis block and ordinary blocks;
the genesis block is the first block in the blockchain, with block sequence number 0; two peer edge nodes in the blockchain network hold the same block, and the two peers pair with each other and synchronize blocks;
an ordinary block consists of a block header and a block body, where the block header comprises three groups of metadata: the first group contains the index data, the second group contains the mining difficulty, a nonce (random number) and a timestamp, and the third group contains the Merkle tree root;
the index data links to the hash values of the previous block and the parent block;
the mining difficulty, nonce and timestamp are used for proof of work;
the Merkle tree root summarizes all transaction data in the block for verification;
the block body contains the transaction data, including but not limited to DDoS abnormal traffic information and points.
In a second aspect, the present invention provides a blockchain-based DDoS attack joint defense method, which filters DDoS attack initiating devices using the blockchain-based DDoS attack joint defense system of any embodiment of the first aspect, and which includes the following steps:
the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it locally on the edge device, and uploads it to the blockchain through the device information sharing smart contract, and the blockchain shares the information among the edge nodes through the blockchain consensus mechanism;
based on the attack device filtering rule and the DDoS abnormal traffic information, the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract;
the edge node filters the DDoS attack devices based on the DDoS attack device filtering information and awards points to the provider of that filtering information;
the edge node trains the DDoS anomaly detection model on the DDoS abnormal traffic information and optimizes the parameters of the model, and a provider of DDoS attack device filtering information obtains the optimized parameters from the edge node by way of a blockchain transaction paid for with points.
Preferably, when a DDoS attack is present in the network environment, the edge node uploads a digest of the DDoS abnormal traffic information to the blockchain through the device information sharing smart contract, and the blockchain synchronizes the digest to the other edge nodes through the blockchain consensus mechanism;
when no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the blockchain through the device information sharing smart contract, and the blockchain synchronizes the detailed information to the other edge nodes through the blockchain consensus mechanism;
the blockchain is configured with an information sharing model, which is an S-Chain information sharing model comprising:
a device filtering chain, which stores the digest of the DDoS abnormal traffic information and synchronizes it to the other edge nodes through the blockchain consensus mechanism;
and a device information chain, which stores the detailed DDoS abnormal traffic information and synchronizes it to the other edge nodes through the blockchain consensus mechanism; the detailed information is used to train the DDoS anomaly detection model.
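The S-Chain model above (a device filtering chain holding digests and a device information chain holding the detailed records) and the block layout from the first aspect (index, mining difficulty, nonce, timestamp, Merkle tree root, transaction body) can be modelled in a few dozen lines. The following is an added example, not code from the patent: the class names Chain, Block and SChain, the field names, the canonical-JSON hashing, the toy proof of work and the rule that a digest is always written while the detailed record is written only when no attack is running (as in advantage 3 below) are all this example's own assumptions.

```python
import copy
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so that equal records always hash equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(transactions: list) -> str:
    """Merkle tree root over the block body; an odd level duplicates its last node."""
    level = [sha256_hex(canonical(tx)) for tx in transactions] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    index: int          # first metadata group: index data
    prev_hash: str      # hash of the parent block's header
    difficulty: int     # second metadata group: mining difficulty, nonce, timestamp
    nonce: int
    timestamp: float
    merkle: str         # third metadata group: Merkle tree root of the body
    transactions: list  # block body

    def header_hash(self) -> str:
        header = {"index": self.index, "prev_hash": self.prev_hash, "difficulty": self.difficulty,
                  "nonce": self.nonce, "timestamp": self.timestamp, "merkle": self.merkle}
        return sha256_hex(canonical(header))


class Chain:
    def __init__(self):
        # genesis block: sequence number 0, no parent, empty body
        self.blocks = [Block(0, "0" * 64, 0, 0, 0.0, merkle_root([]), [])]

    def add_block(self, transactions: list, timestamp: float, difficulty: int = 1) -> Block:
        txs = copy.deepcopy(transactions)
        parent = self.blocks[-1]
        block = Block(parent.index + 1, parent.header_hash(), difficulty, 0, timestamp,
                      merkle_root(txs), txs)
        # toy proof of work: bump the nonce until the header hash has `difficulty` leading zeros
        while not block.header_hash().startswith("0" * difficulty):
            block.nonce += 1
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every Merkle root, parent link and proof of work; any edit breaks one of them."""
        for i, block in enumerate(self.blocks):
            if block.merkle != merkle_root(block.transactions):
                return False
            if i > 0 and block.prev_hash != self.blocks[i - 1].header_hash():
                return False
            if not block.header_hash().startswith("0" * block.difficulty):
                return False
        return True


class SChain:
    """Two chains: the digest goes to the filtering chain at once, the full record only when no attack is running."""

    def __init__(self):
        self.filter_chain = Chain()
        self.info_chain = Chain()

    def share(self, record: dict, attack_in_progress: bool, timestamp: float) -> str:
        digest = sha256_hex(canonical(record))
        self.filter_chain.add_block([{"mac": record["mac"], "digest": digest}], timestamp)
        if not attack_in_progress:
            self.info_chain.add_block([record], timestamp)
        return digest


def detail_matches_digest(record: dict, digest: str) -> bool:
    """Check a detailed record (e.g. re-downloaded after local damage) against the digest on the filtering chain."""
    return sha256_hex(canonical(record)) == digest
```

The digest on the filtering chain is what lets a node that later downloads the detailed record from the information chain, or restores a damaged local copy, confirm that it is the record originally reported; editing one transaction changes the Merkle root of its block and every header hash after it, so `verify()` fails on the whole suffix of the chain.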
Preferably, the DDoS anomaly detection model distinguishes DDoS attack traffic from normal traffic with a random forest (RF) algorithm, comprising the following steps:
(1) extracting the flow packets of the network traffic to be detected;
(2) grouping the packets by device and by time;
(3) extracting a feature vector from each packet group;
(4) feeding the extracted feature vectors into the random forest as test data, and determining the class of the test data by voting on the classification results;
the random forest is constructed as follows:
(1) drawing n DDoS abnormal traffic samples from the DDoS abnormal traffic sample set by bootstrap resampling (sampling with replacement);
(2) selecting K attributes from all attributes of the DDoS abnormal traffic, and choosing the best of them as the node of a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) combining the m decision trees into a decision forest;
the device filtering smart contract is configured with an attack device filtering rule, and the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract based on that rule and the DDoS abnormal traffic information;
the attack device filtering rule is as follows: abnormal devices are graded according to their DDoS attack characteristics, the filtering order of the devices is arranged by danger level, and the DDoS danger level is calculated by the formula:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
where N is the count of consecutive occurrences, T is the connection period, t is the duration of the consecutive occurrences, F is the packet-sending frequency, and B is the source-to-destination byte count.
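The danger-level rule (the DL formula above and in the first aspect) and the gratuitous and paid defense models of the first aspect, as an added Python example that is not the patent's own code: records are ranked by DL with the weights from the formula, and three constructed edge nodes run through the gratuitous case (attacker and victim under the reporting node, no points), the paid case (victim under another node, one point to the reporter) and the deferred case (a device with the reported MAC joins a third node later, which then filters it and credits the reporter). AnomalyRecord, EdgeNode, the sample addresses, the one-point reward and the decision to block the attacker's IP/MAC pair at the victim's node are this example's assumptions; the patent gives no units or normalization for N, T, t, F and B, so they are used here as raw numbers.

```python
from dataclasses import dataclass
from typing import Optional

# weights from the danger-level formula DL = N·5% + T·5% + t·20% + F·40% + B·30%
WEIGHTS = {"N": 0.05, "T": 0.05, "t": 0.20, "F": 0.40, "B": 0.30}


@dataclass(frozen=True)
class AnomalyRecord:
    """One shared DDoS abnormal-traffic record (constructed field set)."""
    attacker_ip: str
    attacker_mac: str
    victim_ip: str
    N: float   # count of consecutive occurrences
    T: float   # connection period
    t: float   # duration of the consecutive occurrences
    F: float   # packet-sending frequency
    B: float   # source-to-destination byte count

    def danger_level(self) -> float:
        return sum(weight * getattr(self, name) for name, weight in WEIGHTS.items())


def filter_order(records):
    """Attack device filtering rule: the most dangerous devices are filtered first."""
    return sorted(records, key=lambda r: r.danger_level(), reverse=True)


class EdgeNode:
    def __init__(self, node_id: str, devices: dict):
        self.node_id = node_id
        self.devices = dict(devices)   # MAC -> IP of the subordinate terminal devices
        self.filtered = set()          # (IP, MAC) pairs blocked at this node
        self.credits = {}              # provider node -> points awarded
        self.pending = []              # shared records that matched nothing local yet

    def _hosts_party(self, rec: AnomalyRecord) -> bool:
        return rec.attacker_mac in self.devices or rec.victim_ip in self.devices.values()

    def _block(self, rec: AnomalyRecord, provider: Optional[str]):
        self.filtered.add((rec.attacker_ip, rec.attacker_mac))
        if provider is not None:
            self.credits[provider] = self.credits.get(provider, 0) + 1

    def detect_locally(self, rec: AnomalyRecord):
        """Gratuitous model: the detecting node filters what it detected, no points change hands."""
        self._block(rec, provider=None)

    def receive_shared(self, rec: AnomalyRecord, provider: str):
        """Paid model: a record broadcast by another node through the sharing contract."""
        if self._hosts_party(rec):
            self._block(rec, provider)
        else:
            self.pending.append((rec, provider))

    def join_device(self, mac: str, ip: str) -> bool:
        """A new terminal device joins: query the pending shared records before trusting it."""
        self.devices[mac] = ip
        for rec, provider in list(self.pending):
            if rec.attacker_mac == mac or rec.attacker_ip == ip:
                self._block(rec, provider)
                self.pending.remove((rec, provider))
        return self.is_blocked(mac)

    def is_blocked(self, mac: str) -> bool:
        return any(m == mac for _, m in self.filtered)


def simulate():
    """Constructed scenario: attacker under edge-A, one victim under edge-A, one under edge-B, nothing under edge-C."""
    attacker_ip, attacker_mac = "10.1.0.7", "02:00:00:00:00:07"
    rec_local = AnomalyRecord(attacker_ip, attacker_mac, "10.1.0.8", N=12, T=0.5, t=9.0, F=300.0, B=21000.0)
    rec_cross = AnomalyRecord(attacker_ip, attacker_mac, "10.2.0.3", N=40, T=0.5, t=30.0, F=800.0, B=52000.0)
    edge_a = EdgeNode("edge-A", {attacker_mac: attacker_ip, "02:00:00:00:00:08": "10.1.0.8"})
    edge_b = EdgeNode("edge-B", {"02:00:00:00:00:03": "10.2.0.3"})
    edge_c = EdgeNode("edge-C", {"02:00:00:00:00:09": "10.3.0.9"})
    edge_a.detect_locally(rec_local)           # gratuitous: both parties under edge-A
    edge_a.detect_locally(rec_cross)           # edge-A filters locally, then broadcasts
    for node in (edge_b, edge_c):
        node.receive_shared(rec_cross, provider="edge-A")
    # later the attacking device shows up under edge-C with a new IP but the same MAC
    blocked_on_join = edge_c.join_device(attacker_mac, "10.3.0.7")
    return edge_a, edge_b, edge_c, blocked_on_join
```

Because the formula mixes a byte count with counts and durations, the raw B term dominates DL unless the inputs are brought onto comparable scales before weighting; the patent does not say how, so a deployment has to fix that convention before the ranking is meaningful.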
The blockchain-based DDoS attack joint defense system and method have the following advantages:
1. Blockchain and smart contracts enable information exchange across multiple domains and remove the risk of a single point of attack; a blockchain-based exchange scheme provides flexibility while simplifying existing information sharing methods to a certain extent;
2. An attacker who wants to damage the network must control more than 51% of the edge nodes in it; the system consists of multiple edge nodes with no centralized central node, so the risk of a single point of attack is effectively avoided and the system has strong resistance to attack;
3. Information is stored in three forms: local storage, device filtering chain storage and device information chain storage. The edge node detects DDoS abnormal traffic information, the device digest information sharing smart contract deployed on the blockchain uploads a digest of it to the device filtering chain, and once the digest has been uploaded and there is no DDoS attack in the network, the device information sharing smart contract deployed on the blockchain uploads the DDoS abnormal traffic information itself to the device information chain; when locally stored data is damaged, the data on the blockchain can be downloaded at any time to repair it, so data integrity is guaranteed;
4. Because data on the blockchain is stored as a Merkle tree, any modification of the information is exposed immediately, and the blockchain consensus mechanism performs a data consistency operation on the modified block to invalidate malicious modifications, ensuring the safety of stored information;
5. Under the blockchain consensus mechanism, a new edge node applying to join the blockchain network only needs authentication by any one edge node in the blockchain, which reduces the time spent on joint verification by all nodes and speeds up node verification. The existing edge node in the blockchain first verifies the legality of the node number of the new edge node; after verification passes, the new edge node broadcasts its subordinate terminal devices to the network, so that the other edge nodes know the edge node and its subordinate terminal devices and DDoS defense proceeds smoothly. Device expansion is verified mainly by an integration method deployed in the Ethereum client of the edge node; there is no external interference in the verification process, so security is ensured.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly described below. Obviously the drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a network architecture diagram of a DDoS attack joint defense system based on a block chain in embodiment 1;
fig. 2 is a schematic block diagram of a defense model in the DDoS attack combined defense system based on the block chain in embodiment 1;
fig. 3 is a working principle block diagram of a DDoS attack joint defense system based on a block chain in embodiment 1;
fig. 4 is a flow chart of the DDoS attack joint defense method based on the block chain in embodiment 2.
Detailed Description
The present invention is further described below with reference to the drawings and specific embodiments so that those skilled in the art can better understand and implement it; the embodiments are not to be construed as limiting the invention, and the embodiments and their technical features can be combined with each other where they do not conflict.
First, the embodiments of the invention provide a blockchain-based DDoS attack joint defense system and method, used to solve the technical problem of achieving safe, fast and effective defense against DDoS attacks.
Example 1:
As shown in Fig. 1, the blockchain-based DDoS attack joint defense system of the present invention includes at least one terminal device, edge devices and a blockchain, where the initiating source of a DDoS attack is a terminal device; at least one edge device runs an Ethereum client, and the edge devices join the blockchain network as edge nodes; the blockchain is deployed with a device information sharing smart contract and a device filtering smart contract and shares information among all edge nodes through the blockchain consensus mechanism. The edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it locally, and uploads it to the blockchain through the device information sharing smart contract; based on the attack device filtering rule and the DDoS abnormal traffic information, the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract; the edge node filters the DDoS attack devices based on that information and awards points to the provider of the filtering information; and the edge node trains the DDoS anomaly detection model on the DDoS abnormal traffic information and the points.
In this embodiment, the terminal devices are devices common in daily life such as smart traffic lights, computers and smart cameras. The DDoS attack typically originates from the terminal devices. The terminal devices together form the terminal layer.
The edge device is the main attack target of a DDoS attack initiator. After its validity is verified, the edge device joins the blockchain network as an edge node and broadcasts its subordinate terminal devices to the blockchain network. An existing edge node in the blockchain first verifies the legality of the node number of the newly added edge node and, after verification passes, broadcasts the new edge node and its subordinate terminal devices to the network, so that the other edge nodes know the edge node and its subordinate terminal devices and DDoS defense proceeds smoothly. Device expansion is verified mainly by an integration method deployed in the Ethereum client of the edge node.
In this embodiment, the edge device is mainly responsible for DDoS anomaly detection, training of the DDoS anomaly detection model, and filtering of DDoS abnormal devices.
The blockchain is formed by the Ethereum clients deployed on the edge devices, and it mainly shares information among the edge nodes through the blockchain consensus mechanism. An edge device running the Ethereum client can join the blockchain network after passing verification, and an edge device newly added to the network reaches data consistency with the existing edge devices through the blockchain consensus mechanism.
The edge nodes detect and classify network traffic based on a DDoS anomaly detection model, which distinguishes DDoS attack traffic from normal traffic using the RF (random forest) algorithm.
The DDoS anomaly detection model identifies DDoS attack traffic and normal traffic through the RF algorithm in the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and by time;
(3) extracting a feature vector from each packet group;
(4) taking the extracted feature vectors as test data, inputting the test data into the random forest, and determining the class of the test data by voting on the classification results.
Random decision forests were proposed by Ho of Bell Laboratories and were subsequently developed into the random forest algorithm. The approach combines Breiman's bootstrap aggregating idea with Ho's random subspace method to build a set of decision trees. A random forest is a classifier comprising multiple decision trees; its output class is obtained by counting the outputs of all the decision trees, and the class with the most votes is taken as the final output of the random forest.
The principle is as follows. When n draws with replacement are made from n DDoS abnormal traffic samples, the same DDoS abnormal traffic sample will certainly be selected more than once. Let U(k) denote the probability that the k-th drawn DDoS abnormal traffic sample is a sample different from those drawn before; then U(k-1) denotes the probability that the (k-1)-th draw yields a different DDoS abnormal traffic sample.
At the (k-1)-th draw the probability of drawing a different DDoS abnormal traffic sample is U(k-1), and nU(k-1) DDoS abnormal traffic samples have not yet been drawn; at the k-th draw, nU(k-1)-U(k-1) DDoS abnormal traffic samples have not been drawn. Thus we obtain:
where U(1) = 1. Therefore, the expected number of different DDoS abnormal traffic samples after k draws with replacement is:
Using the properties of a geometric series, we get:
When n is sufficiently large and k = n:
That is, each bootstrap resampling draws n times, yet only about 63.2% of the samples are sampled.
The random forest is built in the following steps:
(1) the bootstrap method is used to resample with replacement from the training set of DDoS abnormal traffic samples and select n DDoS abnormal traffic samples, so the training set of each tree is different and contains repeated DDoS abnormal traffic training samples;
(2) K attributes are selected at random from all attributes of the DDoS abnormal traffic, and the best of them is chosen as the node on which to split when building the decision tree;
(3) the above steps are repeated m times to build m decision trees;
(4) the m decision trees form the random forest, and the class of the test data is decided by voting on the classification results.
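The four detection steps, the bootstrap derivation and the forest construction steps above can all be seen in one small working implementation. The following Python block is an added example and is not code from the patent: it groups constructed packet records per (device, time window) into a feature vector, shows that n draws with replacement reach only about 63.2% of n samples, and grows m trees on bootstrap samples with K random attributes per node, classifying by majority vote. The feature layout (connections, packets per second, bytes, duration), the packet record shape, the Gini split criterion and the sample values are assumptions for the example.

```python
import random
from collections import Counter, defaultdict

# ---- Steps (1)-(3): group traffic packets per (device, time window) and extract a feature vector ----
# Constructed packet records (timestamp_s, source MAC, destination IP, bytes); not real captures.
def featurize(packets, window_s=1.0):
    """Return {(mac, window_index): [connections, packets_per_second, bytes, duration_s]}."""
    groups = defaultdict(list)
    for ts, mac, dst, size in packets:
        groups[(mac, int(ts // window_s))].append((ts, dst, size))
    features = {}
    for key, pk in groups.items():
        times = [p[0] for p in pk]
        features[key] = [len({p[1] for p in pk}), len(pk) / window_s,
                         sum(p[2] for p in pk), max(times) - min(times)]
    return features

# ---- Bootstrap: n draws with replacement from n samples reach only 1 - (1 - 1/n)^n of them ----
def expected_unique_fraction(n):
    """Closed form of the derivation above: tends to 1 - 1/e, about 63.2%, for large n."""
    return 1.0 - (1.0 - 1.0 / n) ** n

def simulated_unique_fraction(n, trials, seed=0):
    """Monte Carlo check of the same quantity."""
    rng = random.Random(seed)
    total = sum(len({rng.randrange(n) for _ in range(n)}) for _ in range(trials))
    return total / (trials * n)

def bootstrap(rows, rng):
    """Step (1): resample n rows with replacement; each tree gets a different, duplicate-bearing set."""
    return [rows[rng.randrange(len(rows))] for _ in range(len(rows))]

# ---- Step (2): grow a tree, splitting on the best of K randomly chosen attributes at each node ----
def gini(labels):
    total = len(labels)
    return 1.0 - sum((c / total) ** 2 for c in Counter(labels).values()) if total else 0.0

def best_split(rows, attrs):
    """Return (weighted_gini, attribute, threshold) of the best threshold split among attrs."""
    best = None
    for a in attrs:
        values = sorted({r[0][a] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [r[1] for r in rows if r[0][a] <= thr]
            right = [r[1] for r in rows if r[0][a] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, a, thr)
    return best

def majority(labels):
    return Counter(labels).most_common(1)[0][0]

def build_tree(rows, k, rng, depth=0, max_depth=6):
    labels = [r[1] for r in rows]
    if len(set(labels)) == 1 or depth >= max_depth:
        return ("leaf", majority(labels))
    attrs = rng.sample(range(len(rows[0][0])), k)   # random subspace of K attributes
    split = best_split(rows, attrs)
    if split is None:                               # all chosen attributes are constant here
        return ("leaf", majority(labels))
    _, a, thr = split
    left = [r for r in rows if r[0][a] <= thr]
    right = [r for r in rows if r[0][a] > thr]
    return ("node", a, thr, build_tree(left, k, rng, depth + 1, max_depth),
            build_tree(right, k, rng, depth + 1, max_depth))

def predict_tree(tree, x):
    while tree[0] == "node":
        _, a, thr, left, right = tree
        tree = left if x[a] <= thr else right
    return tree[1]

# ---- Steps (3)-(4): m trees form the forest; the class with the most votes wins ----
def build_forest(rows, m, k, seed=0):
    rng = random.Random(seed)
    return [build_tree(bootstrap(rows, rng), k, rng) for _ in range(m)]

def predict_forest(forest, x):
    return majority([predict_tree(t, x) for t in forest])

def constructed_training_set(n_per_class=40, seed=1):
    """Constructed labelled feature vectors: label 1 = DDoS traffic, 0 = normal traffic."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_per_class):
        rows.append(([rng.uniform(1, 10), rng.uniform(1, 20), rng.uniform(100, 4000), rng.uniform(2, 60)], 0))
        rows.append(([rng.uniform(50, 500), rng.uniform(200, 5000), rng.uniform(8000, 100000), rng.uniform(0.01, 0.5)], 1))
    return rows

if __name__ == "__main__":
    forest = build_forest(constructed_training_set(), m=15, k=2)
    print(predict_forest(forest, [300, 2000, 50000, 0.1]))   # constructed attack-like vector
    print(round(expected_unique_fraction(1000), 3))
```

The constructed classes are well separated, so every tree classifies the training rows correctly; on real traffic the value of the forest lies in the vote across trees trained on different bootstrap samples and attribute subsets, which the page's 63.2% figure explains.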
When a DDoS attack is present in the network environment, the edge node uploads the information digest of the DDoS abnormal traffic information to the blockchain based on the device information sharing smart contract, and the blockchain synchronizes the digest to the other edge nodes based on the blockchain consensus mechanism.
Information sharing among the edge nodes comprises terminal device information sharing, sharing of the information digest of the DDoS abnormal traffic information, and sharing of the detailed DDoS abnormal traffic information. In this embodiment, a device information sharing smart contract is written, and a double-chain (S-Chain) information sharing model is designed to implement information sharing between edge nodes together with the PoW consensus mechanism of the Ethereum blockchain platform.
As shown in fig. 3, the information sharing model is the S-Chain information sharing model, composed of two private chains, a device filtering chain and a device information chain. The device filtering chain mainly stores the information digest of the DDoS abnormal traffic information, which comprises the attacker IP address, the attacker MAC address and the victim IP address; it is mainly used to synchronize the DDoS abnormal traffic information detected by an edge node to the other edge nodes immediately, so that the attacked edge node can filter the initiating devices of the DDoS attack accurately and quickly. The device information chain is mainly used to store the detailed DDoS abnormal traffic information and to synchronize it to the other edge nodes based on the blockchain consensus mechanism; it provides the latest DDoS abnormal traffic information for retraining the model when the DDoS attack detection model can no longer detect the DDoS abnormal traffic accurately, so that the detection model always maintains a high recognition rate.
In a blockchain network environment with the device information sharing smart contract, the S-Chain information sharing model realizes DDoS abnormal traffic information sharing among edge nodes through the following process.
(1) When no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the blockchain based on the device information sharing smart contract, and the blockchain synchronizes the detailed information to the other edge nodes based on the blockchain consensus mechanism;
(2) the blockchain is composed of two types of blocks, the genesis block and normal blocks, and the data blocks are linked in sequence into a chain data structure according to their time order;
(3) after receiving the synchronized information, the other edge nodes first verify the identity of the sender and the validity of the sent information; only when both are verified do they update the local information digest library and the local detailed information library of DDoS abnormal traffic information.
The genesis block is the first block in the blockchain and has block number 0. It is the only block in the chain that does not point to a previous block, and it contains no transaction information. Synchronization of information between edge nodes is governed by the genesis block: if two peer edge nodes in the network have the same genesis block, they pair with each other and synchronize their blocks; otherwise they reject each other.
Normal blocks: all blocks in the blockchain other than the genesis block are normal blocks. Each block consists of a block header and a block body. The block header comprises three groups of metadata: the first group comprises the index data and the parent block hash used to link to the previous block; the second group comprises the mining difficulty, the nonce and the timestamp used for proof of work, where the nonce serves as the counter of the proof-of-work algorithm; and the third group comprises the Merkle tree root, which summarizes all transaction data in the block and allows it to be verified quickly. The block body mainly contains the transaction data (TX), which comprises the DDoS abnormal traffic information and the points.
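The block layout just described (genesis block with number 0 and no parent; normal blocks whose header carries index and parent hash, difficulty, nonce and timestamp, and a Merkle root over the body) and the checks a receiving edge node performs can be made concrete in a few dozen lines. The following Python block is an added example and is not the patent's or any Ethereum client's code: it is a minimal chain with SHA-256 headers, a hex-prefix proof-of-work target, a Merkle root over the transactions, a validator that rechecks linkage, target and root, and the genesis-match rule for peer synchronization. The transaction fields, the difficulty encoding and all addresses are constructed for the example.

```python
import copy
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(transactions):
    """Merkle tree root over the serialized transactions; an odd layer duplicates its last hash."""
    if not transactions:
        return sha256_hex(b"")
    layer = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256_hex((layer[i] + layer[i + 1]).encode()) for i in range(0, len(layer), 2)]
    return layer[0]

def block_hash(header):
    return sha256_hex(json.dumps(header, sort_keys=True).encode())

def genesis_block():
    """Block 0: no parent, no transactions; peers pair only when their genesis blocks agree."""
    header = {"index": 0, "parent_hash": None, "difficulty": 0, "nonce": 0,
              "timestamp": 0, "merkle_root": merkle_root([])}
    return {"header": header, "body": [], "hash": block_hash(header)}

def mine_block(parent, transactions, difficulty, timestamp):
    """Normal block: header = (index, parent hash) + (difficulty, nonce, timestamp) + Merkle root.
    The nonce is counted up until the header hash has `difficulty` leading zero hex digits."""
    header = {"index": parent["header"]["index"] + 1, "parent_hash": parent["hash"],
              "difficulty": difficulty, "nonce": 0, "timestamp": timestamp,
              "merkle_root": merkle_root(transactions)}
    while not block_hash(header).startswith("0" * difficulty):
        header["nonce"] += 1
    return {"header": header, "body": list(transactions), "hash": block_hash(header)}

def validate_chain(chain):
    """What a receiving edge node rechecks before updating its local libraries:
    linkage to the previous block, the PoW target, and that the body matches the Merkle root."""
    if chain[0]["header"]["index"] != 0 or chain[0]["header"]["parent_hash"] is not None:
        return False
    for prev, blk in zip(chain, chain[1:]):
        hdr = blk["header"]
        if hdr["index"] != prev["header"]["index"] + 1 or hdr["parent_hash"] != prev["hash"]:
            return False
        if block_hash(hdr) != blk["hash"] or not blk["hash"].startswith("0" * hdr["difficulty"]):
            return False
        if merkle_root(blk["body"]) != hdr["merkle_root"]:
            return False
    return True

def peers_can_sync(chain_a, chain_b):
    """Two edge nodes pair and synchronize blocks only if their genesis blocks are identical."""
    return chain_a[0]["hash"] == chain_b[0]["hash"]

def build_sample_chain():
    """Constructed transactions: one abnormal-traffic digest and one points transfer."""
    digest_tx = {"type": "digest", "reporter": "edge-A", "attacker_ip": "192.0.2.10",
                 "attacker_mac": "02:00:00:00:00:a1", "victim_ip": "192.0.2.77"}
    points_tx = {"type": "points", "from": "edge-D", "to": "edge-A", "amount": 1}
    chain = [genesis_block()]
    chain.append(mine_block(chain[-1], [digest_tx], difficulty=2, timestamp=1700000000))
    chain.append(mine_block(chain[-1], [points_tx], difficulty=2, timestamp=1700000060))
    return chain

def tampered_copy(chain):
    """Edit a transaction in block 1 without re-mining; validation must now fail on the Merkle root."""
    forged = copy.deepcopy(chain)
    forged[1]["body"][0]["attacker_ip"] = "192.0.2.99"
    return forged

if __name__ == "__main__":
    chain = build_sample_chain()
    print(validate_chain(chain), validate_chain(tampered_copy(chain)))
```

The validator is the interesting part from a defender's view: a digest that an edge node acts on (filtering a device, paying points) is only trusted after the block carrying it has been checked for linkage, proof of work and Merkle consistency, so a node cannot slip an altered digest into a block it did not mine.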
After the information digest of the DDoS abnormal traffic information has been added successfully, the device filtering smart contract is triggered automatically; it computes according to the preset rule and finally sends the filtering information to the Ethereum clients of the corresponding edge nodes, and each edge node that is spared harm by filtering the abnormal device through this information rewards the edge node that published the DDoS abnormal traffic information with points.
In this embodiment, an attack device filtering rule is configured in the device filtering smart contract, and the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract based on the attack device filtering rule and the DDoS abnormal traffic information. The attack device filtering rule is as follows: according to the characteristics of the DDoS attack, the abnormal devices are graded, and the filtering order of the devices is arranged according to their danger level. As shown in Table 1, the DDoS danger level (DL) is established from the grading rule and the weights of the DDoS attack characteristics. The formula is:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
Table 1 scoring and weight distribution:
| Scoring rule | Weight (%) |
| --- | --- |
| Number of connections (N) | 5 |
| Connection period (T) | 5 |
| Connection duration (t) | 20 |
| Transmitted data packet frequency (F) | 40 |
| Byte count from source to target (B) | 30 |
As shown in fig. 2, the edge node filters attackers through defense models, which comprise a free defense model and a paid defense model.
The free defense model applies to the scenario in which the attacker and the victim belong to the same edge node: after detecting the DDoS abnormal traffic information, the edge node looks up the IP address and MAC address corresponding to the attacker according to the DDoS abnormal traffic information, and in the DDoS abnormal device filtering process it filters the attacker's IP address and the MAC address of the subordinate terminal device of the attacker;
The paid defense model applies to the scenario in which the attacker and the victim belong to different edge nodes: after detecting the DDoS abnormal traffic information, the edge node broadcasts it to the blockchain based on the device information sharing smart contract; after receiving it, the other edge nodes look up the IP address and MAC address corresponding to the attacker according to the DDoS abnormal traffic information, and if the attacker or the victim is among the terminal devices subordinate to a receiving edge node, that edge node filters the attacker or the counterfeiter and provides points to the edge node that provided the DDoS abnormal traffic information; if neither the attacker nor the victim is among the terminal devices subordinate to a receiving edge node, then whenever a new terminal device joins that edge node the DDoS abnormal traffic information must be queried, and if the information shared by the publishing edge node helps the receiving edge node filter the access of a malicious device, the receiving edge node provides points to the edge node that provided the DDoS abnormal traffic information.
As shown in fig. 3, the blockchain-based DDoS attack joint defense system provided by the present invention is realized by all Internet of Things devices, such as the edge devices and terminal devices, participating in the system together.
As shown by the sparse dotted line in fig. 3, when terminal device A1 acts as the initiator of a DDoS attack against terminal device D1 (the victim), edge node A detects that terminal device A1 has abnormal communication behaviour and shares the DDoS abnormal traffic information of terminal device A1 (such as its IP address, MAC address, connections per second, and the victim's IP) through the S-Chain information sharing model. After receiving the shared information, edge node B, edge node C and edge node D each update their local abnormal device information table and, using the MAC address of terminal device A1, query whether a counterfeiter (as shown by the dashed line in fig. 3, terminal device A1 forges the IP address of terminal device B2 to launch a persistent attack on terminal device D1, causing excessive consumption of Internet of Things device resources) or a victim exists among their subordinate terminal devices.
Edge node B (the edge node where the counterfeiter exists): by querying the MAC address in the local abnormal device information table and the victim's IP address, it finds that its subordinate terminal device B2 is the counterfeiter (no victim exists), and edge node B shares the information of terminal device B2 in the network. Since edge node B filters the counterfeiter through the DDoS abnormal traffic information provided by edge node A, edge node B must provide information sharing points to edge node A.
Edge node C (a normal edge node): by querying the MAC address in the local abnormal device information table and the victim's IP address, it finds that neither a counterfeiter nor a victim exists among its subordinate terminal devices, so edge node C does not need to provide information sharing points to edge node A for the time being. When a new terminal device joins edge node C, edge node C automatically checks whether the MAC address of the terminal device is in the local abnormal device information table; if so, the device is prohibited from joining edge node C, and edge node A is provided with information sharing points.
Edge node D (the edge node with the victim): by querying the MAC address in the local abnormal device information table and the victim's IP address, it finds that the victim exists among its subordinate terminal devices (there is no counterfeiter), and provides information sharing points to edge node A and edge node B. After edge node A and edge node B receive the information sharing points provided by edge node D, they filter their subordinate terminal devices A1 and B2 respectively.
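The danger-level rule of Table 1, the free and paid defense models, and the fig. 3 scenario with edge nodes A to D can be exercised together in one simulation. The following Python block is an added example, not the patent's smart-contract code (the page describes the rule as an Ethereum contract; here the same logic is modelled in plain Python so it can be run and checked offline): it computes DL from per-feature scores, orders abnormal devices for filtering by DL, and lets each edge node react to a shared digest the way the text describes, filtering an attacker or counterfeiter among its own devices, paying points when the reporter is another node, and checking later device joins against the local abnormal table. The 0-100 scoring scale for each feature, the digest field names, the one-point reward and all MAC/IP addresses are assumptions for the example.

```python
from collections import Counter

# Table 1 weights (percent). Each feature is first scored on a 0-100 scale by the edge node's own
# grading rule; the page gives the weights but not the scoring scale, so the scale is assumed here.
WEIGHTS = {"N": 5, "T": 5, "t": 20, "F": 40, "B": 30}

def danger_level(scores):
    """DL = N*5% + T*5% + t*20% + F*40% + B*30%."""
    return sum(scores[key] * weight / 100.0 for key, weight in WEIGHTS.items())

def filtering_order(digests):
    """Device filtering rule: abnormal devices are filtered from the highest DL downwards."""
    return sorted(digests, key=lambda d: danger_level(d["scores"]), reverse=True)

class EdgeNode:
    """An edge node with its subordinate terminal devices ({MAC: IP}), its local abnormal device
    information table, the MACs it has filtered, and the points it has paid to reporting nodes."""
    def __init__(self, name, devices):
        self.name = name
        self.devices = dict(devices)
        self.abnormal = []
        self.blocked = set()
        self.points_given = Counter()

    def receive_digest(self, digest):
        """Look up the attacker MAC, the (possibly forged) attacker IP and the victim IP among
        subordinate devices. Returns True when this node owes the reporter points (paid model)."""
        self.abnormal.append(digest)
        owes_points = False
        for mac, ip in self.devices.items():
            if mac == digest["attacker_mac"] or ip == digest["attacker_ip"]:
                self.blocked.add(mac)            # the attacker, or a counterfeiter whose IP was forged
                if digest["reporter"] != self.name:
                    owes_points = True           # free model applies only when the reporter is us
            if ip == digest["victim_ip"] and digest["reporter"] != self.name:
                owes_points = True               # the victim's node pays for the warning
        if owes_points:
            self.points_given[digest["reporter"]] += 1
        return owes_points

    def admit_device(self, mac, ip):
        """Normal node: a later join is checked against the table; a hit is refused and paid for."""
        for d in self.abnormal:
            if d["attacker_mac"] == mac:
                self.points_given[d["reporter"]] += 1
                return False
        self.devices[mac] = ip
        return True

def run_scenario():
    """The fig. 3 scenario with constructed addresses: A1 attacks D1 while forging B2's IP."""
    nodes = {
        "A": EdgeNode("A", {"02:00:00:00:00:a1": "192.0.2.11"}),
        "B": EdgeNode("B", {"02:00:00:00:00:b2": "192.0.2.22"}),
        "C": EdgeNode("C", {"02:00:00:00:00:c3": "192.0.2.33"}),
        "D": EdgeNode("D", {"02:00:00:00:00:d1": "192.0.2.44"}),
    }
    # Edge node A detects A1's abnormal behaviour; A1's packets carry B2's IP as their source.
    digest_a = {"reporter": "A", "attacker_mac": "02:00:00:00:00:a1", "attacker_ip": "192.0.2.22",
                "victim_ip": "192.0.2.44", "scores": {"N": 90, "T": 80, "t": 95, "F": 98, "B": 90}}
    for node in nodes.values():
        node.receive_digest(digest_a)
    # B finds counterfeiter B2 and shares its own digest; D, which hosts the victim, pays A and B.
    digest_b = {"reporter": "B", "attacker_mac": "02:00:00:00:00:b2", "attacker_ip": "192.0.2.22",
                "victim_ip": "192.0.2.44", "scores": {"N": 40, "T": 30, "t": 50, "F": 60, "B": 45}}
    for name in ("A", "C", "D"):
        nodes[name].receive_digest(digest_b)
    return nodes, [digest_a, digest_b]

if __name__ == "__main__":
    nodes, digests = run_scenario()
    print([d["reporter"] for d in filtering_order(digests)])
    print({n: dict(node.points_given) for n, node in nodes.items()})
```

Note the asymmetry the page relies on: node A filters its own attacker for free, while B, C and D only pay when A's digest actually removes a device or protects a victim of theirs, so a node gains nothing by flooding the chain with digests that match no one.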
The blockchain-based DDoS attack joint defense system of the present invention assumes that a DDoS attack initiating device launches a DDoS attack against a terminal device in the blockchain network; the workflow is as follows:
(1) the DDoS attack detection model deployed on the edge node automatically identifies the DDoS attack abnormal traffic;
(2) the edge node uploads the information digest of the DDoS abnormal traffic information to the device filtering chain through the device information sharing smart contract, and the other edge nodes synchronize the digest among all edge nodes according to the blockchain consensus mechanism (when no DDoS attack is present in the network environment, the edge device uploads the detailed information of the last detected DDoS abnormal traffic to the device information chain through the device information sharing smart contract, and the other edge nodes synchronize that detailed information among all edge nodes according to the blockchain consensus mechanism);
(3) DDoS attack device filtering information is sent to the edge nodes through the device filtering smart contract according to the shared DDoS abnormal traffic information and the attack device filtering rule;
(4) the edge nodes filter the attack devices according to the received attack device filtering information, reward the providers of the attack device filtering information (the edge devices that provided the DDoS abnormal information) with points, and use the points to update the DDoS attack detection model preferentially, so that it remains able to detect the latest DDoS attacks.
The edge node can train the local DDoS anomaly detection model on the DDoS abnormal traffic information it has detected in order to optimize the model parameters, and the other edge nodes that have obtained points acquire the optimized parameters of the DDoS anomaly detection model from that edge node by way of a blockchain transaction. The points and the optimized parameters are the objects of the transaction: the optimized parameters are obtained through a blockchain transaction paid for with points, using an existing public blockchain transaction mode.
Example 2:
The blockchain-based DDoS attack joint defense method realizes the filtering of DDoS attack initiating devices through the blockchain-based DDoS attack joint defense system disclosed in Embodiment 1.
As shown in fig. 4, the method includes the steps of:
S100, the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores the DDoS abnormal traffic information in the local data of the edge device, and uploads it to the blockchain based on the device information sharing smart contract, and the blockchain realizes information sharing among the edge nodes based on the blockchain consensus mechanism;
S200, based on the attack device filtering rule and the DDoS abnormal traffic information, the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract;
S300、。
The DDoS anomaly detection model identifies DDoS attack traffic and normal traffic through the RF algorithm in the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and by time;
(3) extracting a feature vector from each packet group;
(4) taking the extracted feature vectors as test data, inputting the test data into the random forest, and determining the class of the test data by voting on the classification results.
Random decision forests were proposed by Ho of Bell Laboratories and were subsequently developed into the random forest algorithm. The approach combines Breiman's bootstrap aggregating idea with Ho's random subspace method to build a set of decision trees. A random forest is a classifier comprising multiple decision trees; its output class is obtained by counting the outputs of all the decision trees, and the class with the most votes is taken as the final output of the random forest.
The principle is as follows. When n draws with replacement are made from n DDoS abnormal traffic samples, the same DDoS abnormal traffic sample will certainly be selected more than once. Let U(k) denote the probability that the k-th drawn DDoS abnormal traffic sample is a sample different from those drawn before; then U(k-1) denotes the probability that the (k-1)-th draw yields a different DDoS abnormal traffic sample.
At the (k-1)-th draw the probability of drawing a different DDoS abnormal traffic sample is U(k-1), and nU(k-1) DDoS abnormal traffic samples have not yet been drawn; at the k-th draw, nU(k-1)-U(k-1) DDoS abnormal traffic samples have not been drawn. Thus we obtain:
where U(1) = 1. Therefore, the expected number of different DDoS abnormal traffic samples after k draws with replacement is:
Using the properties of a geometric series, we get:
When n is sufficiently large and k = n:
That is, each bootstrap resampling draws n times, yet only about 63.2% of the samples are sampled.
The random forest is built in the following steps:
(1) the bootstrap method is used to resample with replacement from the training set of DDoS abnormal traffic samples and select n DDoS abnormal traffic samples, so the training set of each tree is different and contains repeated DDoS abnormal traffic training samples;
(2) K attributes are selected at random from all attributes of the DDoS abnormal traffic, and the best of them is chosen as the node on which to split when building the decision tree;
(3) the above steps are repeated m times to build m decision trees;
(4) the m decision trees form the random forest, and the class of the test data is decided by voting on the classification results.
When a DDoS attack is present in the network environment, the edge node uploads the information digest of the DDoS abnormal traffic information to the blockchain based on the device information sharing smart contract, and the blockchain synchronizes the digest to the other edge nodes based on the blockchain consensus mechanism.
Information sharing among the edge nodes comprises terminal device information sharing, sharing of the information digest of the DDoS abnormal traffic information, and sharing of the detailed DDoS abnormal traffic information. In this embodiment, a device information sharing smart contract is written, and a double-chain (S-Chain) information sharing model is designed to implement information sharing between edge nodes together with the PoW consensus mechanism of the Ethereum blockchain platform.
The information sharing model is the S-Chain information sharing model, composed of two private chains, a device filtering chain and a device information chain. The device filtering chain mainly stores the information digest of the DDoS abnormal traffic information, which comprises the attacker IP address, the attacker MAC address and the victim IP address; it is mainly used to synchronize the DDoS abnormal traffic information detected by an edge node to the other edge nodes immediately, so that the attacked edge node can filter the initiating devices of the DDoS attack accurately and quickly. The device information chain is mainly used to store the detailed DDoS abnormal traffic information and to synchronize it to the other edge nodes based on the blockchain consensus mechanism.
In a blockchain network environment with the device information sharing smart contract, the S-Chain information sharing model realizes DDoS abnormal traffic information sharing among edge nodes through the following process.
(1) When no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the blockchain based on the device information sharing smart contract, and the blockchain synchronizes the detailed information to the other edge nodes based on the blockchain consensus mechanism;
(2) the blockchain is composed of two types of blocks, the genesis block and normal blocks, and the data blocks are linked in sequence into a chain data structure according to their time order;
(3) after receiving the synchronized information, the other edge nodes first verify the identity of the sender and the validity of the sent information; only when both are verified do they update the local information digest library and the local detailed information library of DDoS abnormal traffic information.
After the information digest of the DDoS abnormal traffic information has been added successfully, the device filtering smart contract is triggered automatically; it computes according to the preset rule and finally sends the filtering information to the Ethereum clients of the corresponding edge nodes, and each edge node that is spared harm by filtering the abnormal device through this information rewards the edge node that published the DDoS abnormal traffic information with points.
An attack device filtering rule is configured in the device filtering smart contract, and the blockchain sends DDoS attack device filtering information to the edge nodes through the device filtering smart contract based on the attack device filtering rule and the DDoS abnormal traffic information. The attack device filtering rule in this embodiment is: according to the characteristics of the DDoS attack, the abnormal devices are graded, and the filtering order of the devices is arranged according to their danger level. The DDoS danger level (DL) is formulated from the grading rules and weights of the DDoS attack characteristics. The formula is:
DL=N·5%+T·5%+t·20%+F·40%+B·30%
where N denotes the number of connections, T the connection period, t the connection duration, F the frequency of sending data packets, and B the byte count from source to destination.
While the invention has been shown and described in detail in the drawings and in the preferred embodiments, it is not intended to limit the invention to the embodiments disclosed, and it will be apparent to those skilled in the art that various combinations of the code auditing means in the various embodiments described above may be used to obtain further embodiments of the invention, which are also within the scope of the invention.
Claims (8)
1. DDoS attack joint defense system based on block chain, its characterized in that includes:
at least one terminal device, where the initiating source of the DDoS attack is a terminal device;
at least one edge device, which is provided with an Ethereum client, joins the blockchain network as an edge node after its validity is verified, and broadcasts the terminal devices subordinate to the edge node to the blockchain network;
the block chain is deployed with an equipment information sharing intelligent contract and an equipment filtering intelligent contract and used for realizing information sharing among all edge nodes based on a block chain consensus mechanism;
the edge device is used for detecting DDoS abnormity to obtain DDoS abnormal flow information, storing the DDoS abnormal flow information through local data, and uploading the DDoS abnormal flow information to a block chain based on a device information sharing intelligent contract;
based on the equipment filtering intelligent contract and DDoS abnormal flow information, the block chain is used for sending DDoS attack equipment filtering information to the edge node through the equipment filtering intelligent contract;
the edge node is used for filtering the DDoS attack equipment based on the DDoS attack equipment filtering information and providing points for a provider of the DDoS attack equipment filtering information for rewarding;
the edge node is used for performing DDoS anomaly detection model training based on the DDoS abnormal traffic information and optimizing the parameters of the DDoS anomaly detection model, and the points are used to enable a provider of DDoS attack device filtering information to acquire the optimized parameters from the edge node by way of a blockchain transaction;
the edge node detects and classifies the network traffic based on a DDoS (distributed denial of service) anomaly detection model;
the DDoS anomaly detection model identifies DDoS attack traffic and normal traffic through an RF algorithm, and comprises the following steps:
(1) extracting a flow packet of the network flow to be detected;
(2) grouping the feature packets according to equipment and time;
(3) extracting a feature vector of the feature packet;
(4) inputting the test data into a random forest by taking the extracted feature vectors as test data, and determining the category of the test data through voting and classifying results;
the construction method of the random forest comprises the following steps:
(1) resampling with replacement by the bootstrap method from the DDoS abnormal traffic sample set to select n DDoS abnormal traffic samples;
(2) selectively selecting K attributes from all attributes of the DDoS abnormal flow, and selecting the optimal attribute as a node to establish a decision tree;
(3) Repeating the steps for m times to establish m decision trees;
(4) and forming a decision forest by the m decision trees.
2. The system according to claim 1, wherein in case of DDoS attack in a network environment, an edge node uploads an information digest of DDoS abnormal traffic information to a block chain based on a device information sharing intelligent contract, and the block chain synchronizes the information digest of DDoS abnormal traffic information to other edge nodes based on a block chain consensus mechanism;
in the case that no DDoS attack is present in the network environment, an edge node uploads detailed information of the DDoS abnormal traffic information to the blockchain based on the device information sharing intelligent contract, and the blockchain synchronizes the detailed information of the DDoS abnormal traffic information to the other edge nodes based on the blockchain consensus mechanism.
3. The system of claim 2, wherein the blockchain is configured with an information sharing model, the information sharing model being an S-Chain information sharing model, comprising:
the device filtering chain is used for storing the information abstract of the DDoS abnormal flow information and synchronizing the information abstract of the DDoS abnormal flow information to other edge nodes based on a block chain consensus mechanism;
And the device information chain is used for storing the detailed information of the DDoS abnormal flow information and synchronizing the detailed information of the DDoS abnormal flow information to other edge nodes based on a block chain consensus mechanism, and the detailed information of the DDoS abnormal flow information is used for training a DDoS abnormal detection model.
4. The DDoS attack joint defense system based on the block chain as claimed in claim 1, wherein the device filtering intelligent contract is configured with an attack device filtering rule, and the block chain is used for sending DDoS attack device filtering information to the edge node through the device filtering intelligent contract based on the attack device filtering rule and DDoS abnormal traffic information;
the attack equipment filtering rule is as follows: according to the DDoS attack characteristics, the abnormal equipment is graded, the filtering sequence of the equipment is arranged according to the danger grade, and the DDoS danger grade is calculated through the following formula:
where N denotes the number of connections, T the connection period, t the connection duration, F the frequency of sending data packets, and B the byte count from source to destination.
5. The system of claim 1, wherein the edge nodes filter attackers through a defense model, the defense model comprising:
a free defense model, applied to the scenario in which the attacker and the victim belong to the same edge node: after detecting DDoS abnormal traffic information, the edge node looks up the IP address and MAC address corresponding to the attacker from the DDoS abnormal traffic information, and during DDoS abnormal device filtering it filters the attacker's IP address and the MAC address of the terminal device under the attacker;
a paid defense model, applied to the scenario in which the attacker and the victim belong to different edge nodes: after detecting DDoS abnormal traffic information, the edge node broadcasts it to the block chain based on the device information sharing smart contract; after receiving the DDoS abnormal traffic information, the other edge nodes look up the IP address and MAC address corresponding to the attacker, and if the attacker or the victim is among the terminal devices under a receiving edge node, that edge node filters the attacker (or the masquerading device) and awards points to the edge node that provided the DDoS abnormal traffic information; if neither the attacker nor the victim is among the terminal devices under a receiving edge node, the receiving edge node consults the shared DDoS abnormal traffic information whenever a new terminal device joins it, and if the DDoS abnormal traffic information shared by the issuing edge node helps it to filter the access of a malicious device, it awards points to the edge node that provided the DDoS abnormal traffic information.
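The two defense models of claim 5 as a runnable simulation. This is an added example and not code from the patent: the EdgeNode and Ledger classes (the ledger stands in for the device information sharing smart contract), the one-point reward per helpful report, the rule that the detecting node also blocks locally, and the terminal addresses are all assumptions.

```python
"""Free vs. paid defense models (claim 5): added example, not the patent's code.
The Ledger stands in for the device information sharing smart contract; the
reward size, the local-block rule and all addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    ip: str
    mac: str


@dataclass(frozen=True)
class AbnormalFlowReport:
    reporter: str      # edge node that detected the attack
    attacker_ip: str
    attacker_mac: str  # MAC of the terminal under the attacker's IP
    victim_ip: str


class Ledger:
    """Shared reports plus credit balances (assumed contract state)."""

    def __init__(self):
        self.reports = []
        self.points = defaultdict(int)

    def broadcast(self, report, nodes):
        self.reports.append(report)
        for node in nodes:
            node.on_shared_report(report, self)


class EdgeNode:
    def __init__(self, name, terminals):
        self.name = name
        self.terminals = {t.ip: t for t in terminals}
        self.blocked_ips, self.blocked_macs = set(), set()

    def hosts(self, ip):
        return ip in self.terminals

    def _filter(self, report):
        # Filter both the attacker's IP and the MAC of its terminal (claim 5).
        self.blocked_ips.add(report.attacker_ip)
        self.blocked_macs.add(report.attacker_mac)

    def on_local_detection(self, report, ledger, peers):
        """Called after this node's own anomaly detector flags a flow."""
        self._filter(report)  # the detecting node blocks what it hosts (assumed)
        if not (self.hosts(report.attacker_ip) and self.hosts(report.victim_ip)):
            ledger.broadcast(report, peers)  # paid model: attacker and victim on different nodes

    def on_shared_report(self, report, ledger):
        """Peer reaction: filter if attacker or victim is under this node, then pay the reporter."""
        if self.hosts(report.attacker_ip) or self.hosts(report.victim_ip):
            self._filter(report)
            ledger.points[report.reporter] += 1

    def admit(self, terminal, ledger):
        """A terminal joining later is checked against the shared reports; a match is
        refused and the reporter whose information helped is credited."""
        for r in ledger.reports:
            if terminal.ip == r.attacker_ip or terminal.mac == r.attacker_mac:
                self._filter(r)
                ledger.points[r.reporter] += 1
                return False
        self.terminals[terminal.ip] = terminal
        return True


def run_scenario():
    """Constructed scenario: a bot under edge-A floods a victim under edge-B; edge-C hosts
    neither, but later sees the bot's MAC try to join with a new IP.
    Returns ({node: blocked IPs}, point balances, whether edge-C admitted the newcomer)."""
    ledger = Ledger()
    a = EdgeNode("edge-A", [Terminal("10.1.0.5", "02:00:00:00:0a:05")])
    b = EdgeNode("edge-B", [Terminal("10.2.0.7", "02:00:00:00:0b:07")])
    c = EdgeNode("edge-C", [Terminal("10.3.0.2", "02:00:00:00:0c:02")])
    nodes = [a, b, c]
    report = AbnormalFlowReport("edge-A", "10.1.0.5", "02:00:00:00:0a:05", "10.2.0.7")
    a.on_local_detection(report, ledger, [n for n in nodes if n is not a])
    admitted = c.admit(Terminal("10.3.0.9", "02:00:00:00:0a:05"), ledger)
    return {n.name: n.blocked_ips for n in nodes}, dict(ledger.points), admitted


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario edge-B pays immediately because it hosts the victim, while edge-C pays only later, when the shared report stops a device with the same MAC from joining; both paths end with edge-A holding the points, which is what the paid model rewards.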
6. The block chain based DDoS attack joint defense system according to claim 1, wherein the block chain consists of a genesis block and regular blocks;
the genesis block is the first block in the block chain, with block sequence number 0; peer edge nodes in the block chain network hold the same block and pair with each other to synchronize blocks;
a regular block consists of a block header and a block body, where the block header contains three groups of metadata, a first, a second and a third metadata group: the first metadata group contains the index data, the second contains the mining difficulty, the nonce and the timestamp, and the third contains the Merkle root;
the index data links the block to the hash value of the previous (parent) block;
the mining difficulty, the nonce and the timestamp are used for proof of work;
the Merkle root summarizes all transaction data in the block so that it can be checked;
the block body contains the transaction data, including but not limited to DDoS abnormal traffic information and points.
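The block layout of claim 6 as a runnable example: a Merkle root over the body, proof of work over the header, and a chain verifier that re-derives every link. This is an added example and not code from the patent: the SHA-256 hashing, the canonical-JSON serialization, the leading-zero proof-of-work target, the all-zero genesis parent hash and the transaction fields are assumptions.

```python
"""Block structure of claim 6: added example, not the patent's code.
SHA-256, canonical JSON, the leading-zero PoW target, the all-zero genesis
parent hash and the transaction fields are assumptions."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tx_hash(tx: dict) -> str:
    """Hash of one body transaction (canonical JSON; an assumed encoding)."""
    return sha256_hex(json.dumps(tx, sort_keys=True).encode())


def merkle_root(txs: list) -> str:
    """Merkle root summarizing every transaction in the block body.
    Odd layers duplicate the last hash; an empty body hashes b""."""
    layer = [tx_hash(t) for t in txs] or [sha256_hex(b"")]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256_hex((layer[i] + layer[i + 1]).encode())
                 for i in range(0, len(layer), 2)]
    return layer[0]


def header_hash(header: dict) -> str:
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def mine_block(index: int, prev_hash: str, txs: list, difficulty: int, timestamp: int) -> dict:
    """Header carries the three metadata groups of claim 6: index/parent link,
    (difficulty, nonce, timestamp) for proof of work, and the Merkle root.
    Proof of work here means `difficulty` leading hex zeros in the header hash (assumed)."""
    header = {"index": index, "prev_hash": prev_hash, "difficulty": difficulty,
              "nonce": 0, "timestamp": timestamp, "merkle_root": merkle_root(txs)}
    while not header_hash(header).startswith("0" * difficulty):
        header["nonce"] += 1
    return {"header": header, "body": txs, "hash": header_hash(header)}


def genesis_block() -> dict:
    """Genesis block: sequence number 0, no parent, empty body."""
    return mine_block(0, "0" * 64, [], difficulty=1, timestamp=0)


def verify_chain(chain: list) -> bool:
    """Re-derive every link: index order, parent hash, Merkle root and proof of work."""
    for i, blk in enumerate(chain):
        h = blk["header"]
        if h["index"] != i:
            return False
        if i > 0 and h["prev_hash"] != chain[i - 1]["hash"]:
            return False
        if h["merkle_root"] != merkle_root(blk["body"]):
            return False
        if header_hash(h) != blk["hash"] or not blk["hash"].startswith("0" * h["difficulty"]):
            return False
    return True


def build_demo_chain(difficulty: int = 2) -> list:
    """Genesis block plus one regular block with constructed transactions: an
    abnormal-flow record carrying the five features of claim 4, and a credit award."""
    txs = [
        {"type": "abnormal_flow", "reporter": "edge-A", "attacker_ip": "192.0.2.10",
         "attacker_mac": "02:00:00:00:00:1a", "connections": 12, "period": 0.5,
         "duration": 6.0, "send_freq": 240, "src_to_dst_bytes": 15360},
        {"type": "credit", "from": "edge-B", "to": "edge-A", "points": 5},
    ]
    chain = [genesis_block()]
    chain.append(mine_block(1, chain[-1]["hash"], txs, difficulty, timestamp=1))
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    print("valid:", verify_chain(demo))
    demo[1]["body"][1]["points"] = 500  # tamper with a credit transaction
    print("valid after tampering:", verify_chain(demo))
```

Editing a single credit transaction changes the Merkle root, which no longer matches the mined header, so the verifier rejects the block; redoing the proof of work for that block would then break the parent link of every later block.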
7. A block chain based DDoS attack joint defense method, characterized in that the filtering of DDoS attack initiating devices is realized by the block chain based DDoS attack joint defense system as claimed in any one of claims 1 to 6, the method comprising the following steps:
the edge device performs DDoS anomaly detection to obtain DDoS abnormal traffic information, stores it in the edge device's local data, and uploads it to the block chain based on the device information sharing smart contract, and the block chain shares the information among all edge nodes based on the block chain consensus mechanism;
based on the attack device filtering rule and the DDoS abnormal traffic information, the block chain sends DDoS attack device filtering information to the edge node through the device filtering smart contract;
the edge node filters DDoS attack devices based on the DDoS attack device filtering information and awards points to the provider of the DDoS attack device filtering information;
an edge node trains the DDoS anomaly detection model on the DDoS abnormal traffic information and optimizes the model parameters, and a provider of DDoS attack device filtering information obtains the optimized parameters from that edge node in a block chain transaction paid with points;
the DDoS anomaly detection model distinguishes DDoS attack traffic from normal traffic with a random forest (RF) algorithm, comprising the following steps:
(1) extracting the traffic packets of the network traffic to be detected;
(2) grouping the packets by device and by time;
(3) extracting a feature vector from each packet group;
(4) feeding the extracted feature vectors into the random forest as test data and determining the class of the test data by voting over the classification results of the trees;
the random forest is constructed as follows:
(1) drawing n DDoS abnormal traffic samples from the DDoS abnormal traffic sample set by bootstrap resampling with replacement;
(2) randomly selecting K attributes from all attributes of the DDoS abnormal traffic and taking the optimal attribute as a node to build a decision tree;
(3) repeating the above steps m times to build m decision trees;
(4) forming the decision forest from the m decision trees;
an attack device filtering rule is configured in the device filtering smart contract, and the block chain sends DDoS attack device filtering information to the edge node through the device filtering smart contract based on the attack device filtering rule and the DDoS abnormal traffic information;
the attack device filtering rule is as follows: abnormal devices are graded according to the DDoS attack characteristics, the device filtering order is arranged by danger grade, and the DDoS danger grade is calculated by the following formula:
where N denotes the number of connections, T denotes the connection period, T denotes the connection duration, F denotes the packet sending frequency, and B denotes the source-to-destination byte count.
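The detection steps and the random forest construction of claim 7 as a runnable example. This is an added example and not code from the patent: the four per-window features, the one-second grouping window, the Gini split criterion, the tree depth and the synthetic packet traces are assumptions made for illustration, and the forest is written from scratch (no library) so that the bootstrap sampling, the K-attribute selection and the vote are visible.

```python
"""Random-forest DDoS classifier (claim 7): added example, not the patent's code.
Features, window size, Gini criterion, depth and the synthetic packets are assumptions."""
import random
from collections import defaultdict

WINDOW = 1.0  # seconds per (device, time) group; assumed


def extract_features(packets, window=WINDOW):
    """Steps (1)-(3): group (device, ts, dst_ip, size) packets by device and time window,
    then build one vector per group: [packet count, src-to-dst bytes, send freq (pkt/s), distinct dsts]."""
    groups = defaultdict(list)
    for dev, ts, dst, size in packets:
        groups[(dev, int(ts // window))].append((ts, dst, size))
    vectors = {}
    for key, pk in groups.items():
        times = [p[0] for p in pk]
        duration = max(times) - min(times)
        n = len(pk)
        freq = n / duration if duration > 0 else float(n)
        vectors[key] = [n, sum(p[2] for p in pk), freq, len({p[1] for p in pk})]
    return vectors


def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 1.0 - p * p - (1.0 - p) ** 2


def best_split(X, y, attrs):
    """Among the K candidate attributes, choose the threshold with the lowest weighted Gini."""
    best = None
    for a in attrs:
        vals = sorted({x[a] for x in X})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            left = [lab for x, lab in zip(X, y) if x[a] <= thr]
            right = [lab for x, lab in zip(X, y) if x[a] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or score < best[0]:
                best = (score, a, thr)
    return best


def build_tree(X, y, k, depth, rng):
    """Construction step (2): K random attributes per split; the best one becomes the node."""
    majority = 1 if sum(y) * 2 > len(y) else 0
    if depth == 0 or len(set(y)) == 1:
        return ("leaf", majority)
    split = best_split(X, y, rng.sample(range(len(X[0])), k))
    if split is None:  # the chosen attributes are constant on this sample
        return ("leaf", majority)
    _, a, thr = split
    li = [i for i, x in enumerate(X) if x[a] <= thr]
    ri = [i for i, x in enumerate(X) if x[a] > thr]
    return ("node", a, thr,
            build_tree([X[i] for i in li], [y[i] for i in li], k, depth - 1, rng),
            build_tree([X[i] for i in ri], [y[i] for i in ri], k, depth - 1, rng))


def predict_tree(node, x):
    while node[0] == "node":
        _, a, thr, left, right = node
        node = left if x[a] <= thr else right
    return node[1]


def build_forest(X, y, m=7, k=2, depth=4, seed=1):
    """Construction steps (1), (3), (4): bootstrap n rows with replacement per tree, m trees."""
    rng, n, forest = random.Random(seed), len(X), []
    for _ in range(m):
        idx = [rng.randrange(n) for _ in range(n)]
        forest.append(build_tree([X[i] for i in idx], [y[i] for i in idx], k, depth, rng))
    return forest


def predict_forest(forest, x):
    """Detection step (4): majority vote of the trees; 1 = DDoS, 0 = normal."""
    return 1 if sum(predict_tree(t, x) for t in forest) * 2 > len(forest) else 0


def synth_packets(dev, start, count, dsts, size):
    """Constructed traffic: `count` packets from `dev` inside one window, cycling over `dsts`."""
    return [(dev, start + i * 0.9 / count, dsts[i % len(dsts)], size) for i in range(count)]


def training_set():
    """Constructed labelled windows: 8 normal IoT devices, 8 bots flooding one victim."""
    packets, labels = [], {}
    for i in range(8):
        packets += synth_packets(f"iot-{i}", 0.0, 4 + i % 3, ["10.0.0.1", "10.0.0.2", "10.0.0.3"], 600)
        labels[(f"iot-{i}", 0)] = 0
        packets += synth_packets(f"bot-{i}", 0.0, 80 + 10 * i, ["10.0.0.9"], 64)
        labels[(f"bot-{i}", 0)] = 1
    feats = extract_features(packets)
    keys = sorted(labels)
    return [feats[k] for k in keys], [labels[k] for k in keys]


if __name__ == "__main__":
    X, y = training_set()
    forest = build_forest(X, y)
    flood = extract_features(synth_packets("bot-new", 5.0, 120, ["10.0.0.9"], 64))[("bot-new", 5)]
    print("flood window ->", predict_forest(forest, flood))
```

Each tree sees its own bootstrap sample and only K of the attributes at every split, so no single feature (packet rate, byte count, fan-out) dominates the forest; that is what makes the vote robust to an attacker who tunes one feature to look normal.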
8. The block chain based DDoS attack joint defense method as claimed in claim 7, characterized in that, when a DDoS attack is present in the network environment, the edge node uploads the information digest of the DDoS abnormal traffic information to the block chain based on the device information sharing smart contract, and the block chain synchronizes the digest to the other edge nodes based on the block chain consensus mechanism;
when no DDoS attack is present in the network environment, the edge node uploads the detailed DDoS abnormal traffic information to the block chain based on the device information sharing smart contract, and the block chain synchronizes the detailed information to the other edge nodes based on the block chain consensus mechanism;
the block chain is configured with an information sharing model, the S-Chain information sharing model, which comprises:
a device filtering chain, which stores the information digest of the DDoS abnormal traffic information and synchronizes it to the other edge nodes based on the block chain consensus mechanism;
and a device information chain, which stores the detailed DDoS abnormal traffic information and synchronizes it to the other edge nodes based on the block chain consensus mechanism; the detailed DDoS abnormal traffic information is used to train the DDoS anomaly detection model.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011267709.XA CN112491823B (en) | 2020-11-13 | 2020-11-13 | DDoS attack joint defense system and method based on block chain |
PCT/CN2021/082097 WO2022099966A1 (en) | 2020-11-13 | 2021-03-22 | Blockchain-based ddos attack joint defense system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011267709.XA CN112491823B (en) | 2020-11-13 | 2020-11-13 | DDoS attack joint defense system and method based on block chain |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112491823A (en) | 2021-03-12 |
CN112491823B (en) | 2022-07-19 |
Family
ID=74930171
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011267709.XA Active CN112491823B (en) | 2020-11-13 | 2020-11-13 | DDoS attack joint defense system and method based on block chain |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112491823B (en) |
WO (1) | WO2022099966A1 (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112491823B (en) * | 2020-11-13 | 2022-07-19 | 齐鲁工业大学 | DDoS attack joint defense system and method based on block chain |
CN113315752B (en) * | 2021-04-22 | 2022-02-25 | 深圳市腾云数据系统有限公司 | Intelligent medical attack tracing method based on block chain and medical big data system |
CN113392429B (en) * | 2021-05-26 | 2023-12-12 | 江苏省电力试验研究院有限公司 | Block chain-based power distribution Internet of things data safety protection method and device |
CN114024739B (en) * | 2021-11-03 | 2024-02-06 | 中国联合网络通信集团有限公司 | DDoS attack resistant cooperative defense method, platform, equipment and medium |
CN114143828A (en) * | 2021-11-09 | 2022-03-04 | 中国联合网络通信集团有限公司 | Terminal access management method and device |
CN114285606B (en) * | 2021-12-08 | 2023-08-08 | 深圳市星华时代科技有限公司 | DDoS multi-point cooperative defense method for Internet of things management |
CN114520774B (en) * | 2021-12-28 | 2024-02-23 | 武汉虹旭信息技术有限责任公司 | Deep message detection method and device based on intelligent contract |
CN114418683A (en) * | 2022-01-14 | 2022-04-29 | 安徽中科美络信息技术有限公司 | Global trip vehicle scheduling method and system based on intermediate platform |
CN114500071B (en) * | 2022-02-10 | 2024-04-16 | 江苏大学 | Self-adaptive fingerprint attack method and system aiming at dynamic growth of target website |
CN116132080B (en) * | 2022-05-29 | 2024-07-12 | 北京理工大学长三角研究院(嘉兴) | Alliance chain DDoS defense method based on moving target defense technology |
CN115102767B (en) * | 2022-06-24 | 2023-06-30 | 天津大学 | DDoS active defense system and method based on distributed collaborative learning |
CN116032632A (en) * | 2023-01-06 | 2023-04-28 | 东南大学 | Active defense method for low-rate distributed denial of service attack of containerized edge scene |
CN116828087B (en) * | 2023-06-25 | 2024-01-16 | 北京中科网芯科技有限公司 | Information security system based on block chain connection |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108616534A (en) * | 2018-04-28 | 2018-10-02 | 中国科学院信息工程研究所 | A kind of method and system for protecting internet of things equipment ddos attack based on block chain |
CN109426567A (en) * | 2017-08-22 | 2019-03-05 | 汇链丰(北京)科技有限公司 | A kind of node deployment and electoral machinery of block chain |
CN110024422A (en) * | 2016-12-30 | 2019-07-16 | 英特尔公司 | The name of Internet of Things and block chained record |
CN110113328A (en) * | 2019-04-28 | 2019-08-09 | 武汉理工大学 | A kind of software definition opportunistic network DDoS defence method based on block chain |
CN110598446A (en) * | 2019-09-16 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Block chain based test method and device, storage medium and computer equipment |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11245721B2 (en) * | 2018-12-19 | 2022-02-08 | Mcafee, Llc | Using a blockchain for distributed denial of service attack mitigation |
CN111541704A (en) * | 2020-04-28 | 2020-08-14 | 深圳中科国威信息系统技术有限公司 | Method and device for preventing malicious attack by combining block chain and Internet of things and storage device |
CN112491823B (en) * | 2020-11-13 | 2022-07-19 | 齐鲁工业大学 | DDoS attack joint defense system and method based on block chain |
- 2020-11-13 CN CN202011267709.XA patent/CN112491823B/en active Active
- 2021-03-22 WO PCT/CN2021/082097 patent/WO2022099966A1/en active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110024422A (en) * | 2016-12-30 | 2019-07-16 | 英特尔公司 | The name of Internet of Things and block chained record |
CN109426567A (en) * | 2017-08-22 | 2019-03-05 | 汇链丰(北京)科技有限公司 | A kind of node deployment and electoral machinery of block chain |
CN108616534A (en) * | 2018-04-28 | 2018-10-02 | 中国科学院信息工程研究所 | A kind of method and system for protecting internet of things equipment ddos attack based on block chain |
CN110113328A (en) * | 2019-04-28 | 2019-08-09 | 武汉理工大学 | A kind of software definition opportunistic network DDoS defence method based on block chain |
CN110598446A (en) * | 2019-09-16 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Block chain based test method and device, storage medium and computer equipment |
Also Published As
Publication number | Publication date |
---|---|
WO2022099966A1 (en) | 2022-05-19 |
CN112491823A (en) | 2021-03-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112491823B (en) | DDoS attack joint defense system and method based on block chain | |
CN110113328B (en) | Software defined opportunistic network DDoS defense method based on block chain | |
CN109361670B (en) | Device and method for capturing malicious sample by utilizing targeted dynamic deployment of honeypots | |
Samarakoon et al. | 5g-nidd: A comprehensive network intrusion detection dataset generated over 5g wireless network | |
CN100493085C (en) | P2P worm defending system | |
JP2023071805A (en) | Method of high-speed transmission in block chain network and special network node | |
CN105429968B (en) | Network forensics load affiliation method based on Bloom filter and system | |
CN109167798A (en) | A kind of household internet of things equipment DDoS detection method based on machine learning | |
KR100877911B1 (en) | Method for detection of p2p-based botnets using a translation model of network traffic | |
CN108965248B (en) | P2P botnet detection system and method based on traffic analysis | |
CN110677438A (en) | Attack chain construction method, device, equipment and medium | |
CN113221113B (en) | Distributed machine learning and block chain-based internet of things DDoS detection and defense method, detection device and storage medium | |
Preamthaisong et al. | Enhanced DDoS detection using hybrid genetic algorithm and decision tree for SDN | |
CN114172731A (en) | Method, device, equipment and medium for quickly verifying and tracing IPv6 address | |
CN109962879B (en) | Security defense method and controller for distributed reflective denial of service (DRDoS) | |
TWI596498B (en) | FedMR-based botnet reconnaissance method | |
Catherine et al. | Efficient host based intrusion detection system using Partial Decision Tree and Correlation feature selection algorithm | |
CN115190056B (en) | Method, device and equipment for identifying and analyzing programmable flow protocol | |
CN104468601A (en) | P2P worm detecting system and method | |
Sanjeetha et al. | Botnet Forensic Analysis in Software Defined Networks using Ensemble Based Classifier | |
CN115208767B (en) | Ethernet network detection method, device, equipment and medium based on simulation technology | |
Bhumichai et al. | Detection of Ethereum Eclipse Attack based on Hybrid Method and Dynamic Weighted Entropy | |
Choi et al. | An integrated method for application-level internet traffic classification | |
Brunner | Reassembler-Towards a Global DDoS Attack Analysis Using Attack Fingerprints | |
Jeong et al. | Hybrid system to minimize damage by zero-day attack based on NIDPS and HoneyPot |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address |
Address after: 250353 University Road, Changqing District, Ji'nan, Shandong Province, No. 3501; Patentee after: Qilu University of Technology (Shandong Academy of Sciences); Country or region after: China. Address before: 250353 University Road, Changqing District, Ji'nan, Shandong Province, No. 3501; Patentee before: Qilu University of Technology; Country or region before: China |