CN112543183B - Network denial of service attack detection method based on directional likelihood ratio test - Google Patents
- Publication number: CN112543183B (application CN202011290957.6A)
- Authority: CN (China)
- Prior art keywords: network, attack, attack detection, likelihood ratio, statistic
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The invention discloses a network denial of service attack detection method based on the directional likelihood ratio test, belonging to the field of computer network security. The method comprises the following steps: in the training stage, network traffic feature vectors in the non-attack state are obtained and regularized, and their mean vector and covariance matrix are calculated; the threshold of the attack detection statistic used to judge whether an attack is present is obtained by Monte Carlo simulation; in the testing stage, each network traffic feature vector is regularized, the mean vector and covariance matrix of the sample formed by these vectors are calculated, and the directional likelihood ratio test statistic is calculated in each possible variation direction; the sum of the largest several directional likelihood ratio test statistics is taken as a combined attack detection statistic and compared with the threshold to judge whether the network is under a denial of service attack. The method effectively detects network denial of service attacks by utilizing the correlation among the network traffic features.
Description
Technical Field
The invention belongs to the field of computer network security and relates to a network denial of service attack detection method based on the directional likelihood ratio test.
Background
Denial of service attacks are one aspect of network security: they consume host and network resources by sending large volumes of useless packets. Such attacks are usually launched over the network, are only loosely coupled to the host, and are simple and effective.
In order to detect denial of service attacks effectively and identify the current running state of a network system, machine learning and statistical analysis are used to characterize network traffic in the non-attack state, construct attack detection statistics, and determine a threshold that distinguishes attack from non-attack. These methods model the network traffic, identify abnormal patterns that deviate from legitimate traffic, and thereby support the safe and efficient operation of the network system.
Correlation exists among the individual features of network traffic. Existing detection methods often ignore it or fail to exploit it well, so their false alarm rate is high. Even when correlation is considered, existing methods cannot integrate the pairwise correlation between features into a single combined attack detection statistic, and doing so in practice is cumbersome. The invention therefore uses the directional likelihood ratio test of the mean vector and covariance matrix, which fuses the mean and variance of each feature together with the pairwise correlation between features, takes full account of the directionality of feature changes, and can effectively detect network denial of service attacks.
Disclosure of Invention
The invention aims to provide a network denial of service attack detection method based on the directional likelihood ratio test. It exploits the fact that the directional likelihood ratio test of a mean vector and a covariance matrix can fuse the mean and variance of each network traffic feature with the pairwise correlation between features, takes full account of the several directions in which variation is most likely, and finally forms a combined attack detection statistic. The method has a clear detection effect, is easy to implement, and effectively safeguards the economy and security of network system operation.
The invention provides a network denial of service attack detection method based on the directional likelihood ratio test, which effectively detects network denial of service attacks by utilizing the correlation among the network traffic features and comprises the following steps:
(1) extracting each network traffic feature to form a feature vector, acquiring a number of feature vectors in the non-attack state, regularizing them so that each feature has mean 0 and variance 1, and then computing the mean vector and the covariance matrix;
(2) randomly generating a number of vectors that follow the multivariate normal distribution whose mean vector and covariance matrix are the parameters estimated in step (1), to form a sample;
(3) calculating the mean vector and covariance matrix of the sample generated in step (2), calculating the directional likelihood ratio test statistic in each possible variation direction, and taking the sum of the largest several directional likelihood ratio test statistics as the attack detection statistic;
(4) repeating steps (2) and (3) a number of times to obtain a number of attack detection statistics, which determine the probability distribution of the attack detection statistic in the non-attack state;
(5) according to the false alarm rate and the attack detection statistics obtained in step (4), obtaining the threshold of the attack detection statistic for judging whether an attack is present;
(6) collecting network traffic data from the network, for which it is not known whether an attack is present, extracting features to form network traffic feature vectors, regularizing them to form a sample of the same size as in step (2), and calculating the directional likelihood ratio test statistic in each possible variation direction based on that sample;
(7) taking the sum of the largest several directional likelihood ratio test statistics as the attack detection statistic and comparing it with the threshold: if the attack detection statistic is larger than the threshold, the network is under a denial of service attack; otherwise it is not.
The attack detection statistic of step (3) is specifically as shown in formula 1:
where W_i (i = 1, …, p(p+3)/2) are the statistics U_i and V_ij below arranged from largest to smallest, p is the dimension of the network traffic feature vector, and R is the sum of the r largest W_i, i.e. R = W_1 + … + W_r; the integer r may be between 10% and 20% of p(p+3)/2,
where tr is the trace of a matrix, [A]_(ij) is the element (i, j) of matrix A, n is the sample size, μ_0 and Σ_0 are respectively the mean vector and covariance matrix obtained in step (1), the sample mean vector and sample covariance matrix are those computed in step (3), e_i is a p-dimensional column vector whose i-th element is 1 and all other elements are 0, and E_ij is a p×p matrix whose elements (i, j) and (j, i) are 1 and all other elements are 0.
In step (4), steps (2) and (3) are repeated T times to obtain attack detection statistics R_1, …, R_T, which determine the probability distribution of the attack detection statistic in the non-attack state; T is typically greater than 10000.
In step (5), the threshold of the attack detection statistic is determined entirely by the probability distribution of the attack detection statistic in the non-attack state: the T attack detection statistics obtained in step (4) are arranged from smallest to largest, and the value at the (1-α)×100% position, i.e. the value whose rank from the smallest is (1-α)T rounded to an integer, is taken as the threshold for distinguishing attack from non-attack and denoted L. The threshold is thus obtained without a normal approximation, i.e. without using μ_R ± z_{α/2} σ_R, where μ_R and σ_R are respectively the mean and standard deviation of the attack detection statistic in the non-attack state and z_{α/2} is the upper α/2 quantile of the standard normal distribution.
In step (7), the directional likelihood ratio test statistics U_ik and V_ijk obtained from the k-th sample are arranged from largest to smallest and denoted W_ik (i = 1, …, p(p+3)/2), and the sum of the first r directional likelihood ratio test statistics is taken as the final detection statistic, namely
R_k is compared with the threshold L to judge whether the network is attacked: if R_k > L, the network is under a denial of service attack; otherwise it is not.
Compared with the prior art, the invention has the beneficial effects that:
The method of the invention adopts the directional likelihood ratio test of the mean vector and covariance matrix, which fuses the mean and variance of each network traffic feature with the pairwise correlation between features; it takes the sum of the largest directional likelihood ratio test statistics as the attack detection statistic, which fully accounts for the directions most likely to vary, and finally forms a single joint attack detection statistic instead of designing a separate detection statistic for each feature. The results show that the method has a low false alarm rate and a clear detection effect, is easy to implement, and effectively safeguards the economy and security of network system operation.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the attached drawing figures.
Referring to fig. 1, the network denial of service attack detection method based on the directional likelihood ratio test designed by the invention comprises the following steps:
(1) Extract each network traffic feature to form a p-dimensional feature vector, and obtain a number of network traffic feature vectors y_k = [y_k1, …, y_kp]^T (k = 1, …, M) at consecutive times in the non-attack state. For each feature dimension i (i = 1, …, p), compute the mean and variance
For a network traffic feature vector y_k = [y_k1, …, y_kp]^T, regularize it to obtain the regularized features
so that each feature has mean 0 and variance 1. Then obtain the network traffic feature mean vector μ_0 and covariance matrix Σ_0 in the non-attack state, respectively, as
(2) Randomly generate n vectors z_1, …, z_n, each following the multivariate normal distribution N(μ_0, Σ_0) with μ_0 as mean vector and Σ_0 as covariance matrix, to form a sample of size n.
(3) Let e_i be a p-dimensional column vector whose i-th element is 1 and all other elements are 0; let E_ij be a p×p matrix whose elements (i, j) and (j, i) are 1 and all other elements are 0. Compute the mean vector and covariance matrix of the sample generated in step (2), respectively
Compute the directional likelihood ratio test statistic in each possible variation direction. The directions include each element of the mean vector, p directions in total, whose directional likelihood ratio test statistics U_i are respectively
and each element of the covariance matrix, p(p+1)/2 directions in total taking symmetry into account, whose directional likelihood ratio test statistics V_ij are respectively
where tr is the trace of a matrix and [A]_(ij) is the element (i, j) of matrix A. Arrange all U_i and V_ij from largest to smallest and denote them W_i (i = 1, …, p(p+3)/2). Take the sum of the first r values, i.e. the sum of the r largest directional likelihood ratio test statistics, as the attack detection statistic R, i.e.
The integer r can be between 10% and 20% of p(p+3)/2.
(4) Repeat steps (2) and (3) T times to obtain attack detection statistics R_1, …, R_T, which determine the probability distribution of the attack detection statistic in the non-attack state; T is typically greater than 10000.
(5) Given the false alarm rate α, arrange the T attack detection statistics obtained in step (4) from smallest to largest and select the value at the (1-α)×100% position, i.e. the value whose rank from the smallest is (1-α)T rounded to an integer, as the threshold of the attack detection statistic for distinguishing attack from non-attack. This threshold is denoted L.
(6) Collect network traffic data from the network, for which it is not known whether an attack is present, to form a network traffic feature vector sample of size n. Let the k-th sample be x_k1, …, x_kn (x_kj = [x_kj1, …, x_kjp]^T, j = 1, …, n). Regularize the sample to obtain the regularized features
Based on the regularized sample, compute the mean vector and covariance matrix, respectively
and compute the directional likelihood ratio test statistics U_ik and V_ijk
where the column vector e_i and the matrix E_ij are as defined in step (3).
(7) Arrange the directional likelihood ratio test statistics U_ik and V_ijk from largest to smallest and denote them W_ik (i = 1, …, p(p+3)/2). Take the sum of the first r directional likelihood ratio test statistics as the final detection statistic, i.e.
Compare R_k with the threshold L to judge whether the network is attacked: if R_k > L, the network is under a denial of service attack; otherwise it is not.
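The steps above as runnable code (an added example, not code from the patent): training-stage regularization and estimation of μ_0 and Σ_0, Monte Carlo calibration of the threshold L as the empirical (1-α) quantile of the combined statistic R, and scoring of a new sample of size n by the sum of the r largest directional statistics, on constructed traffic rows of [packets/s, bytes/s, SYN ratio]. Because the page does not reproduce the U_i and V_ij formulas, the directional statistics here are stand-ins computed in whitened coordinates w = L0^-1 (z - μ_0), which the Monte Carlo threshold calibrates just the same. It assumes the test sample is regularized with the training-stage mean and standard deviation, which the page leaves implicit.

```python
import math
import random

def regularize(Y, mu=None, sd=None):
    """Step (1)/(6): scale features to mean 0, variance 1 (test stage reuses training mu/sd)."""
    p, m = len(Y[0]), len(Y)
    if mu is None:
        mu = [sum(r[i] for r in Y) / m for i in range(p)]
        sd = [math.sqrt(sum((r[i] - mu[i]) ** 2 for r in Y) / m) for i in range(p)]
    return [[(r[i] - mu[i]) / sd[i] for i in range(p)] for r in Y], mu, sd

def mean_cov(Z):
    """Sample mean vector and covariance matrix (divisor n) of the rows of Z."""
    n, p = len(Z), len(Z[0])
    m = [sum(r[i] for r in Z) / n for i in range(p)]
    return m, [[sum((r[i] - m[i]) * (r[j] - m[j]) for r in Z) / n for j in range(p)] for i in range(p)]

def cholesky(S):
    """Lower-triangular L0 with Sigma0 = L0 L0^T (pure Python, fine for small p)."""
    p, L = len(S), [[0.0] * len(S) for _ in S]
    for i in range(p):
        for j in range(i + 1):
            s = S[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(s) if i == j else s / L[j][j]
    return L

def forward_solve(L, b):
    """Solve L y = b for lower-triangular L; used to whiten w = L0^-1 (z - mu0)."""
    y = []
    for i, bi in enumerate(b):
        y.append((bi - sum(L[i][k] * y[k] for k in range(i))) / L[i][i])
    return y

def sample_mvn(mu0, L0, n, rng):
    """Step (2): n draws from N(mu0, Sigma0) as z = mu0 + L0 g with g ~ N(0, I)."""
    return [[mu0[i] + sum(L0[i][k] * g[k] for k in range(i + 1)) for i in range(len(mu0))]
            for g in ([rng.gauss(0.0, 1.0) for _ in range(len(mu0))] for _ in range(n))]

def directional_stats(Z, mu0, L0):
    """p mean directions U_i plus p(p+1)/2 covariance directions V_ij (i <= j). Stand-in
    definitions (not the patent's), in whitened coordinates: U_i = n*wbar_i^2,
    V_ij = n*(S_ij - d_ij)^2 / (1 + d_ij) with d_ij = 1 if i == j else 0."""
    W = [forward_solve(L0, [z[i] - mu0[i] for i in range(len(z))]) for z in Z]
    n, p = len(W), len(W[0])
    m, S = mean_cov(W)
    U = [n * m[i] ** 2 for i in range(p)]
    V = [n * (S[i][j] - (i == j)) ** 2 / (2.0 if i == j else 1.0)
         for i in range(p) for j in range(i, p)]
    return U + V

def combined_stat(stats, r):
    """Step (3)/(7): R = W_1 + ... + W_r, the sum of the r largest directional statistics."""
    return sum(sorted(stats, reverse=True)[:r])

def calibrate_threshold(mu0, L0, n, r, T, alpha, rng):
    """Steps (2)-(5): L = ceil((1-alpha)T)-th smallest R over T no-attack Monte Carlo samples."""
    R = sorted(combined_stat(directional_stats(sample_mvn(mu0, L0, n, rng), mu0, L0), r)
               for _ in range(T))
    return R[min(T - 1, math.ceil((1 - alpha) * T) - 1)]

def detect(X, mu, sd, mu0, L0, r, L_thr):
    """Steps (6)-(7): regularize the new size-n sample, score it, compare with L."""
    Z, _, _ = regularize(X, mu, sd)
    R = combined_stat(directional_stats(Z, mu0, L0), r)
    return R > L_thr, R

def make_traffic(rng, m, pkt_shift=0.0, syn_shift=0.0):
    """Constructed [packets/s, bytes/s, SYN ratio] rows; a shared load term correlates the first two."""
    g = rng.gauss
    return [[100 + 10 * load + 2 * g(0, 1) + pkt_shift, 50000 + 5000 * load + 1000 * g(0, 1),
             0.10 + 0.02 * g(0, 1) + syn_shift] for load in [g(0, 1) for _ in range(m)]]

def run_demo(seed=7, n=40, r=2, T=400, alpha=0.01):
    """p = 3 gives 9 directions (r = 2 fits the page's 10-20% rule); T cut from >10000 for speed."""
    rng = random.Random(seed)
    Z, mu, sd = regularize(make_traffic(rng, 300))
    mu0, S0 = mean_cov(Z)
    L0 = cholesky(S0)
    L_thr = calibrate_threshold(mu0, L0, n, r, T, alpha, rng)
    normal = detect(make_traffic(rng, n), mu, sd, mu0, L0, r, L_thr)
    flood = detect(make_traffic(rng, n, 50.0, 0.10), mu, sd, mu0, L0, r, L_thr)
    return L_thr, normal, flood
```

`run_demo()` returns the calibrated threshold and the (flag, R) pair for a clean sample and for a flood sample whose packet rate and SYN ratio are shifted while bytes/s is not; the shift breaks the packets/bytes correlation, which is what the whitened covariance directions pick up.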
Claims (5)
1. A network denial of service attack detection method based on the directional likelihood ratio test, which effectively detects network denial of service attacks by utilizing the correlation among the network traffic features, characterized by comprising the following steps:
(1) extracting each network traffic feature to form a feature vector, acquiring a number of feature vectors in the non-attack state, regularizing them so that each feature has mean 0 and variance 1, and then computing the mean vector and the covariance matrix;
(2) randomly generating a number of vectors that follow the multivariate normal distribution whose mean vector and covariance matrix are the parameters estimated in step (1), to form a sample;
(3) calculating the mean vector and covariance matrix of the sample generated in step (2), calculating the directional likelihood ratio test statistic in each possible variation direction, and taking the sum of the largest several directional likelihood ratio test statistics as the attack detection statistic;
(4) repeating steps (2) and (3) a number of times to obtain a number of attack detection statistics, which determine the probability distribution of the attack detection statistic in the non-attack state;
(5) according to the false alarm rate and the attack detection statistics obtained in step (4), obtaining the threshold of the attack detection statistic for judging whether an attack is present;
(6) collecting network traffic data from the network, for which it is not known whether an attack is present, extracting features to form network traffic feature vectors, regularizing them to form a sample of the same size as in step (2), and calculating the directional likelihood ratio test statistic in each possible variation direction based on that sample;
(7) taking the sum of the largest several directional likelihood ratio test statistics as the attack detection statistic and comparing it with the threshold: if the attack detection statistic is larger than the threshold, the network is under a denial of service attack; otherwise it is not.
2. The network denial of service attack detection method based on the directional likelihood ratio test as claimed in claim 1, wherein the attack detection statistic of step (3) is specifically formula 1:
where W_i (i = 1, …, p(p+3)/2) are the statistics U_i and V_ij below arranged from largest to smallest, p is the dimension of the network traffic feature vector, and R is the sum of the r largest W_i, i.e. R = W_1 + … + W_r; the integer r is 10% to 20% of p(p+3)/2,
where tr is the trace of a matrix, [A]_(ij) is the element (i, j) of matrix A, n is the sample size, μ_0 and Σ_0 are respectively the mean vector and covariance matrix obtained in step (1), the sample mean vector and sample covariance matrix are those computed in step (3), e_i is a p-dimensional column vector whose i-th element is 1 and all other elements are 0, and E_ij is a p×p matrix whose elements (i, j) and (j, i) are 1 and all other elements are 0.
3. The method of claim 1, wherein in step (4) steps (2) and (3) are repeated T times to obtain attack detection statistics R_1, …, R_T, which determine the probability distribution of the attack detection statistic in the non-attack state, T being greater than 10000.
4. The method according to claim 1, wherein in step (5), given a false alarm rate α, the threshold of the attack detection statistic is determined entirely by the probability distribution of the attack detection statistic in the non-attack state: the T attack detection statistics obtained in step (4) are arranged from smallest to largest, and the value at the (1-α)×100% position, i.e. the value whose rank from the smallest is (1-α)T rounded to an integer, is taken as the threshold for distinguishing attack from non-attack and denoted L; the threshold is thus obtained without a normal approximation, i.e. without using μ_R ± z_{α/2} σ_R, where μ_R and σ_R are respectively the mean and standard deviation of the attack detection statistic in the non-attack state and z_{α/2} is the upper α/2 quantile of the standard normal distribution.
5. The method of claim 1, wherein in step (7) the directional likelihood ratio test statistics U_ik and V_ijk obtained from the k-th sample are arranged from largest to smallest and denoted W_ik (i = 1, …, p(p+3)/2), p being the dimension of the network traffic feature vector; the sum of the first r directional likelihood ratio test statistics is taken as the final detection statistic, i.e.
R_k is compared with the threshold L to judge whether the network is attacked: if R_k > L, the network is under a denial of service attack; otherwise it is not.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011290957.6A CN112543183B (en) | 2020-11-17 | 2020-11-17 | Network denial of service attack detection method based on directional likelihood ratio test |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112543183A CN112543183A (en) | 2021-03-23 |
CN112543183B true CN112543183B (en) | 2021-11-19 |
Family ID: 75014164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011290957.6A Active CN112543183B (en) | 2020-11-17 | 2020-11-17 | Network denial of service attack detection method based on directional likelihood ratio test |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112543183B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101388885A (en) * | 2008-07-23 | 2009-03-18 | 成都市华为赛门铁克科技有限公司 | Detection method and system for distributed denial of service |
CN104967629A (en) * | 2015-07-16 | 2015-10-07 | 网宿科技股份有限公司 | Network attack detection method and apparatus |
CN109450957A (en) * | 2019-01-03 | 2019-03-08 | 湖南大学 | A kind of low speed Denial of Service attack detection method based on cloud model |
CN111600876A (en) * | 2020-05-14 | 2020-08-28 | 湖南大学 | Slow denial of service attack detection method based on MFOPA algorithm |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8359650B2 (en) * | 2002-10-01 | 2013-01-22 | Skybox Security Inc. | System, method and computer readable medium for evaluating potential attacks of worms |
CN109729090B (en) * | 2019-01-03 | 2021-06-01 | 湖南大学 | Slow denial of service attack detection method based on WEDMS clustering |
CN109729091A (en) * | 2019-01-03 | 2019-05-07 | 湖南大学 | A kind of LDoS attack detection method based on multiple features fusion and CNN algorithm |
CN111600878A (en) * | 2020-05-14 | 2020-08-28 | 湖南大学 | Low-rate denial of service attack detection method based on MAF-ADM |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |