CN112543183B - Network denial of service attack detection method based on directional likelihood ratio test - Google Patents


Info

Publication number
CN112543183B
CN112543183B (application CN202011290957.6A)
Authority
CN
China
Prior art keywords
network
attack
attack detection
likelihood ratio
statistic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011290957.6A
Other languages
Chinese (zh)
Other versions
CN112543183A (en)
Inventor
李健
苏秦
安豆
孙静春
高杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xian Jiaotong University
Priority to CN202011290957.6A
Publication of CN112543183A
Application granted
Publication of CN112543183B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a network denial-of-service attack detection method based on a directional likelihood ratio test, in the field of computer network security. The method comprises the following steps. Training stage: obtain network-traffic feature vectors in the non-attack state, standardize them (zero mean and unit variance per feature) and compute their mean vector and covariance matrix; obtain by Monte Carlo simulation the threshold of the attack-detection statistic that decides whether an attack is present. Testing stage: standardize each network-traffic feature vector, compute the mean vector and covariance matrix of the sample formed by these vectors, and compute the directional likelihood ratio test statistic in each possible direction of variation; take the sum of the largest several directional statistics as the combined attack-detection statistic and compare it with the threshold to decide whether the network is under a denial-of-service attack. By exploiting the correlation among network-traffic features, the method detects network denial-of-service attacks effectively.

Description

Network denial of service attack detection method based on directional likelihood ratio test
Technical Field
The invention belongs to the field of computer network security and relates to a network denial-of-service attack detection method based on a directional likelihood ratio test.
Background
Among network-security threats, a denial-of-service attack exhausts host and network resources by sending large volumes of useless packets. Such attacks are usually launched over the network, are only loosely coupled to the target host, and are simple and effective.
To detect denial-of-service attacks and identify the current operating state of a network system, machine-learning and statistical-analysis methods are used to characterize network traffic in the non-attack state, construct an attack-detection statistic, and determine a threshold that separates attack from non-attack. These methods model network traffic, identify abnormal patterns that deviate from legitimate traffic, and so help the network system run safely and efficiently.
Correlation exists among the features of network traffic, but existing detection methods usually ignore it or cannot exploit it well, which leads to a high false-alarm rate. Even when correlation is considered, existing methods cannot integrate the pairwise correlations between features into one combined attack-detection statistic, and doing so in practice is cumbersome. The invention therefore uses a directional likelihood ratio test on the mean vector and the covariance matrix, which fuses the mean and variance of each feature with the pairwise correlations between features, takes the directionality of feature changes fully into account, and can thereby detect network denial-of-service attacks effectively.
Disclosure of Invention
The invention aims to provide a network denial-of-service attack detection method based on a directional likelihood ratio test. It exploits the fact that a directional likelihood ratio test on the mean vector and covariance matrix can fuse the mean and variance of each network-traffic feature with the pairwise correlations between features, fully considers the several directions in which variation is most likely, and finally forms one combined attack-detection statistic. The method has a clear detection effect and is easy to implement, and it can effectively safeguard the economy and security of network-system operation.
The network denial-of-service attack detection method based on the directional likelihood ratio test provided by the invention detects attacks effectively by exploiting the correlation among network-traffic features, and comprises the following steps:
(1) extracting the network-traffic features to form a feature vector, collecting a number of such feature vectors in the non-attack state, standardizing them so that every feature has mean 0 and variance 1, and then computing the mean vector and the covariance matrix;
(2) randomly generating a number of vectors from the multivariate normal distribution whose mean vector and covariance matrix are the parameters estimated in step (1), to form a sample;
(3) computing the mean vector and covariance matrix of the sample generated in step (2), computing the directional likelihood ratio test statistic in each possible direction of variation, and taking the sum of the largest directional statistics as the attack-detection statistic;
(4) repeating steps (2) and (3) a number of times to obtain a set of attack-detection statistics, which determine the probability distribution of the attack-detection statistic in the non-attack state;
(5) from the set of statistics obtained in step (4) and a chosen false-alarm rate, obtaining the threshold of the attack-detection statistic used to decide whether an attack is present;
(6) collecting from the network traffic data that may or may not contain an attack, extracting features to form network-traffic feature vectors, standardizing them to form a sample of the same size as in step (2), and computing the directional likelihood ratio test statistic in each possible direction of variation from that sample;
(7) taking the sum of the largest several directional statistics as the attack-detection statistic and comparing it with the threshold: if the statistic exceeds the threshold the network is under a denial-of-service attack, otherwise it is not.
The attack-detection statistic of step (3) is given by formula 1:
[Formula 1: image not reproduced on this page]
where W_i (i = 1, …, p(p+3)/2) are the statistics U_i and V_ij defined below arranged in descending order, p is the dimension of the network-traffic feature vector, and R is the sum of the r largest W_i; the integer r may be between 10% and 20% of p(p+3)/2,
[Formulas for U_i and V_ij: images not reproduced on this page]
where tr is the trace of a matrix, [A]_(ij) is element (i, j) of matrix A, n is the sample size, μ0 and Σ0 are respectively the mean vector and covariance matrix obtained in step (1), and the sample mean vector and sample covariance matrix (symbols in the formula images, not reproduced) are those computed in step (3); e_i is a p-dimensional column vector whose i-th element is 1 and all other elements are 0, and E_ij is a p×p matrix whose elements (i, j) and (j, i) are 1 and all other elements are 0.
In step (4), steps (2) and (3) are repeated T times to obtain the attack-detection statistics R_1, …, R_T, which determine the probability distribution of the attack-detection statistic in the non-attack state; T is typically greater than 10000.
In step (5) the threshold of the attack-detection statistic is determined entirely by the probability distribution of the statistic in the non-attack state: the T attack-detection statistics obtained in step (4) are sorted in ascending order and the value at the (1−α)×100% position is selected, i.e. the [(1−α)T]-th smallest value,
[Threshold formula: image not reproduced on this page]
where α is the false-alarm rate and [·] denotes a rounding operation. This value is used as the threshold for discriminating attack from non-attack and is denoted L. The threshold is thus taken from the empirical distribution and not from a normal approximation of the form μ_R ± z_{α/2} σ_R, where μ_R and σ_R are the mean and standard deviation of the attack-detection statistic in the non-attack state and z_{α/2} is the upper α/2 quantile of the standard normal distribution.
In step (7), the directional likelihood ratio test statistics U_ik and V_ijk computed from the k-th sample are arranged in descending order and denoted W_ik (i = 1, …, p(p+3)/2), and the sum of the first r of them is taken as the final detection statistic, namely
[Formula for R_k: image not reproduced on this page]
R_k is compared with the threshold L to decide whether the network is under attack: if R_k > L the network is under a denial-of-service attack, otherwise it is not.
Compared with the prior art, the invention has the following beneficial effects:
The method adopts a directional likelihood ratio test on the mean vector and the covariance matrix, which fuses the mean and variance of each network-traffic feature with the pairwise correlations between features; it takes the sum of the largest directional likelihood ratio test statistics as the attack-detection statistic, which fully accounts for the directions most likely to vary, and it finally forms one joint statistic instead of designing a separate detection statistic for each feature. Results show that the method has a low false-alarm rate, a clear detection effect and easy implementation, and can effectively safeguard the economy and security of network-system operation.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the attached drawing figures.
Referring to fig. 1, the network denial of service attack detection method based on the directional likelihood ratio test designed by the invention comprises the following steps:
(1) Extract the network-traffic features to form a p-dimensional feature vector, and obtain a number of network-traffic feature vectors y_k = [y_k1, …, y_kp]^T (k = 1, …, M) at consecutive times in the non-attack state. For each feature dimension (i = 1, …, p), compute the mean and the variance:
[Mean and variance formulas: images not reproduced on this page]
Standardize the feature vector y_k = [y_k1, …, y_kp]^T to obtain the standardized features
[Standardization formula: image not reproduced on this page]
so that each feature has mean 0 and variance 1. Then the mean vector (which is 0) and the covariance matrix of the network-traffic features in the non-attack state are respectively
[Formulas for μ0 and Σ0: images not reproduced on this page]
(2) Randomly generate n vectors z_1, …, z_n, each following the multivariate normal distribution N(μ0; Σ0) with mean vector μ0 and covariance matrix Σ0, to form a sample of size n.
(3) Let e_i be a p-dimensional column vector whose i-th element is 1 and all other elements are 0, and let E_ij be a p×p matrix whose elements (i, j) and (j, i) are 1 and all other elements are 0. Compute the mean vector and covariance matrix of the sample generated in step (2), respectively
[Sample mean vector and covariance matrix formulas: images not reproduced on this page]
Compute the directional likelihood ratio test statistic in each possible direction of variation. The directions comprise each element of the mean vector, p directions in total, with directional statistics
[Formula for U_i: image not reproduced on this page]
and each element of the covariance matrix, p(p+1)/2 directions in total given symmetry, with directional statistics
[Formula for V_ij: image not reproduced on this page]
where tr is the trace of a matrix and [A]_(ij) is element (i, j) of matrix A. Arrange all U_i and V_ij in descending order and denote them W_i (i = 1, …, p(p+3)/2). Take the sum of the first r values, i.e. the sum of the r largest directional likelihood ratio test statistics, as the attack-detection statistic:
[Formula for R: image not reproduced on this page]
The integer r can be between 10% and 20% of p(p+3)/2.
(4) Repeat steps (2) and (3) T times to obtain the attack-detection statistics R_1, …, R_T, which determine the probability distribution of the attack-detection statistic in the non-attack state; T is typically greater than 10000.
(5) Given the false-alarm rate α, sort the T attack-detection statistics obtained in step (4) in ascending order and select the value at the (1−α)×100% position as the threshold for discriminating attack from non-attack, i.e. the [(1−α)T]-th smallest value,
[Threshold formula: image not reproduced on this page]
where [·] denotes a rounding operation. The threshold is denoted L.
(6) Collect from the network traffic data that may or may not contain an attack and form network-traffic feature-vector samples of size n. Let the k-th sample be x_k1, …, x_kn (x_kj = [x_kj1, …, x_kjp]^T, j = 1, …, n). Standardize the sample to obtain the standardized features
[Standardization formula: image not reproduced on this page]
From the standardized sample compute the mean vector and the covariance matrix, respectively
[Sample mean vector and covariance matrix formulas: images not reproduced on this page]
and compute the directional likelihood ratio test statistics
[Formulas for U_ik and V_ijk: images not reproduced on this page]
where the column vector e_i and the matrix E_ij are as defined in step (3).
(7) Arrange the directional likelihood ratio test statistics U_ik and V_ijk in descending order and denote them W_ik (i = 1, …, p(p+3)/2). Take the sum of the first r of them as the final detection statistic, i.e.
[Formula for R_k: image not reproduced on this page]
Compare R_k with the threshold L to decide whether the network is under attack: if R_k > L the network is under a denial-of-service attack, otherwise it is not.
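The seven steps above, and the statistic and threshold rules described under "Disclosure of Invention", as one runnable example. This is added illustration code, not the patent's own implementation, and it rests on stated assumptions because the patent's formula images (U_i, V_ij, R, the threshold and the rounding operator) are not reproduced on this page: "regularization" is taken as z-scoring with the training mean and standard deviation, so μ0 = 0 and Σ0 is the correlation matrix of clean traffic; each directional statistic is a standard one-parameter Gaussian likelihood ratio test used as a stand-in for the patent's formula (mean shift δe_i with Σ0 held fixed, in closed form; covariance change Σ0 + δE_ij with the mean profiled out, δ found by a golden-section search that assumes the profile is unimodal, with a closed form for the diagonal case used as a cross-check); the rounding operator in the threshold rule is taken as the ceiling; T is reduced from the patent's >10000 to 400 so the example runs in seconds; and the four-feature traffic (packets/s, bytes/s, SYN fraction, distinct sources) is constructed, not measured. It needs numpy.

```python
import math
import numpy as np

ALPHA, T_SIM, N_WINDOW = 0.01, 400, 100  # alpha, T (patent: T > 10000, reduced here), n

def sample_mvn(rng, sigma, n):
    """n draws from N(0, sigma) through its Cholesky factor."""
    return rng.standard_normal((n, len(sigma))) @ np.linalg.cholesky(sigma).T

def mean_direction_stats(sigma0, xbar, n):
    """Stand-in U_i: -2 log LR of mu = delta*e_i with Sigma0 fixed, = n (e_i'Omega xbar)^2 / Omega_ii."""
    omega = np.linalg.inv(sigma0)
    return n * (omega @ xbar) ** 2 / np.diag(omega)

def _neg2loglik(sigma0, S, E, delta):
    """log det(Sigma) + tr(Sigma^-1 S) for Sigma = Sigma0 + delta*E; +inf if not positive definite."""
    sig = sigma0 + delta * E
    sign, logdet = np.linalg.slogdet(sig)
    return logdet + np.trace(np.linalg.solve(sig, S)) if sign > 0 else math.inf

def covariance_direction_stat(sigma0, S, E, n, iters=50):
    """Stand-in V_ij: -2 log LR of Sigma = Sigma0 + delta*E (mean profiled out); delta is fitted by
    golden-section search over the positive-definite interval of delta (profile assumed unimodal)."""
    Linv = np.linalg.inv(np.linalg.cholesky(sigma0))
    lam = np.linalg.eigvalsh(Linv @ E @ Linv.T)          # PD iff 1 + delta*lam > 0 for every lam
    lo = -(1.0 - 1e-6) / lam.max() if lam.max() > 1e-9 else -50.0   # 50.0: cap when unbounded
    hi = -(1.0 - 1e-6) / lam.min() if lam.min() < -1e-9 else 50.0   # (assumption)
    f = lambda delta: _neg2loglik(sigma0, S, E, delta)
    phi, a, b = (math.sqrt(5.0) - 1.0) / 2.0, lo, hi
    c, d = b - phi * (b - a), a + phi * (b - a)
    fc, fd = f(c), f(d)
    for _ in range(iters):
        if fc < fd:                                      # minimum in [a, d]: shrink from the right
            b, d, fd, c = d, c, fc, d - phi * (d - a)
            fc = f(c)
        else:                                            # minimum in [c, b]: shrink from the left
            a, c, fc, d = c, d, fd, c + phi * (b - c)
            fd = f(d)
    return max(0.0, n * (f(0.0) - min(fc, fd)))

def variance_stat_closed_form(sigma0, S, i, n):
    """Same test for E = e_i e_i' in closed form: n (c - 1 - log c), c = [Omega S Omega]_ii / Omega_ii."""
    omega = np.linalg.inv(sigma0)
    c = (omega @ S @ omega)[i, i] / omega[i, i]
    return n * (c - 1.0 - math.log(c))

def directional_stats(sigma0, Z):
    """All p(p+3)/2 directional statistics of one z-scored window Z (n x p)."""
    n, p = Z.shape
    xbar = Z.mean(axis=0)
    S = (Z - xbar).T @ (Z - xbar) / n
    stats = list(mean_direction_stats(sigma0, xbar, n))
    for i in range(p):
        stats.append(variance_stat_closed_form(sigma0, S, i, n))
        for j in range(i + 1, p):
            E = np.zeros((p, p))
            E[i, j] = E[j, i] = 1.0                      # the patent's E_ij
            stats.append(covariance_direction_stat(sigma0, S, E, n))
    return np.array(stats)

def combined_stat(stats, r):
    """R: sum of the r largest W_i."""
    return float(np.sort(stats)[-r:].sum())

def fit(Y_clean, n=N_WINDOW, alpha=ALPHA, T=T_SIM, seed=0):
    """Steps (1)-(5): z-score clean traffic, estimate Sigma0 (mu0 = 0), simulate T clean windows
    and take the ceil((1-alpha)T)-th smallest R as the threshold L."""
    mu_hat, sd_hat = Y_clean.mean(axis=0), Y_clean.std(axis=0)
    Z = (Y_clean - mu_hat) / sd_hat
    sigma0, p = Z.T @ Z / len(Z), Z.shape[1]
    r = max(1, round(0.15 * (p * (p + 3) // 2)))         # 10-20% of the p(p+3)/2 directions
    rng = np.random.default_rng(seed)
    Rs = np.sort([combined_stat(directional_stats(sigma0, sample_mvn(rng, sigma0, n)), r)
                  for _ in range(T)])
    L = float(Rs[math.ceil((1.0 - alpha) * T) - 1])
    return {"mu": mu_hat, "sd": sd_hat, "sigma0": sigma0, "r": r, "L": L}

def detect(model, X):
    """Steps (6)-(7) for one raw window X (n x p): returns (R_k, attack flag)."""
    Z = (X - model["mu"]) / model["sd"]                  # z-score with the training statistics
    R = combined_stat(directional_stats(model["sigma0"], Z), model["r"])
    return R, bool(R > model["L"])

def make_traffic(rng, m, attack=False):
    """Constructed per-second features (packets, bytes, SYN fraction, distinct sources); the attack
    lifts packets, SYNs and sources by 4 sd but not bytes, breaking the packets/bytes correlation."""
    mean, sd = np.array([800.0, 6.0e5, 0.10, 120.0]), np.array([80.0, 5.0e4, 0.02, 15.0])
    corr = np.array([[1.0, 0.7, 0.2, 0.4], [0.7, 1.0, 0.1, 0.3],
                     [0.2, 0.1, 1.0, 0.2], [0.4, 0.3, 0.2, 1.0]])
    X = mean + sample_mvn(rng, corr, m) * sd
    if attack:
        X[:, [0, 2, 3]] += 4.0 * sd[[0, 2, 3]]
    return X

def demo(seed=7):
    """Fit on 2000 clean vectors, score 100 clean windows and one attack window; also return the
    gap between the numeric search and the closed form on a diagonal direction (should be ~0)."""
    rng = np.random.default_rng(seed)
    model = fit(make_traffic(rng, 2000))
    false_alarms = sum(detect(model, make_traffic(rng, N_WINDOW))[1] for _ in range(100))
    R_atk, flagged = detect(model, make_traffic(rng, N_WINDOW, attack=True))
    Z = sample_mvn(rng, model["sigma0"], 50)
    S = Z.T @ Z / 50
    gap = abs(covariance_direction_stat(model["sigma0"], S, np.diag([1.0, 0, 0, 0]), 50)
              - variance_stat_closed_form(model["sigma0"], S, 0, 50))
    return model["L"], false_alarms, R_atk, flagged, gap
```

Calling `demo()` returns the Monte Carlo threshold L, the number of the 100 clean windows flagged (about α×100 = 1 expected), the combined statistic of the attack window (far above L, because the mean-direction statistics for packets, SYNs and sources are each of order n×16 while under the null each behaves roughly like a χ² with one degree of freedom), the attack flag, and the numeric-versus-closed-form gap. The mean directions alone would already catch this attack; the covariance directions are what give the method sensitivity to an attack that changes correlations or variances without moving the means, which the page's argument about feature correlation is about.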

Claims (5)

1. A network denial-of-service attack detection method based on a directional likelihood ratio test, which detects network denial-of-service attacks effectively by exploiting the correlation among network-traffic features, characterized by comprising the following steps:
(1) extracting the network-traffic features to form a feature vector, collecting a number of such feature vectors in the non-attack state, standardizing them so that every feature has mean 0 and variance 1, and then computing the mean vector and the covariance matrix;
(2) randomly generating a number of vectors from the multivariate normal distribution whose mean vector and covariance matrix are the parameters estimated in step (1), to form a sample;
(3) computing the mean vector and covariance matrix of the sample generated in step (2), computing the directional likelihood ratio test statistic in each possible direction of variation, and taking the sum of the largest directional statistics as the attack-detection statistic;
(4) repeating steps (2) and (3) a number of times to obtain a set of attack-detection statistics, which determine the probability distribution of the attack-detection statistic in the non-attack state;
(5) from the set of statistics obtained in step (4) and a chosen false-alarm rate, obtaining the threshold of the attack-detection statistic used to decide whether an attack is present;
(6) collecting from the network traffic data that may or may not contain an attack, extracting features to form network-traffic feature vectors, standardizing them to form a sample of the same size as in step (2), and computing the directional likelihood ratio test statistic in each possible direction of variation from that sample;
(7) taking the sum of the largest several directional statistics as the attack-detection statistic and comparing it with the threshold: if the statistic exceeds the threshold the network is under a denial-of-service attack, otherwise it is not.
2. The network denial-of-service attack detection method based on a directional likelihood ratio test of claim 1, wherein the attack-detection statistic of step (3) is given by formula 1:
[Formula 1: image not reproduced on this page]
where W_i (i = 1, …, p(p+3)/2) are the statistics U_i and V_ij defined below arranged in descending order, p is the dimension of the network-traffic feature vector, R is the sum of the r largest W_i, and the integer r is 10% to 20% of p(p+3)/2,
[Formulas for U_i and V_ij: images not reproduced on this page]
where tr is the trace of a matrix, [A]_(ij) is element (i, j) of matrix A, n is the sample size, μ0 and Σ0 are respectively the mean vector and covariance matrix obtained in step (1), and the sample mean vector and sample covariance matrix (symbols in the formula images, not reproduced) are those computed in step (3); e_i is a p-dimensional column vector whose i-th element is 1 and all other elements are 0, and E_ij is a p×p matrix whose elements (i, j) and (j, i) are 1 and all other elements are 0.
3. The method of claim 1, wherein in step (4) steps (2) and (3) are repeated T times to obtain the attack-detection statistics R_1, …, R_T, which determine the probability distribution of the attack-detection statistic in the non-attack state, and T is greater than 10000.
4. The method of claim 1, wherein in step (5), given a false-alarm rate α, the threshold of the attack-detection statistic is determined entirely by the probability distribution of the attack-detection statistic in the non-attack state: the T attack-detection statistics obtained in step (4) are sorted in ascending order and the value at the (1−α)×100% position is selected, i.e. the [(1−α)T]-th smallest value,
[Threshold formula: image not reproduced on this page]
which is used as the threshold for discriminating attack from non-attack and is denoted L, where [·] denotes a rounding operation; the threshold is thus determined without a normal approximation of the form μ_R ± z_{α/2} σ_R, where μ_R and σ_R are respectively the mean and standard deviation of the attack-detection statistic in the non-attack state and z_{α/2} is the upper α/2 quantile of the standard normal distribution.
5. The method of claim 1, wherein in step (7) the directional likelihood ratio test statistics U_ik and V_ijk obtained from the k-th sample are arranged in descending order and denoted W_ik (i = 1, …, p(p+3)/2), p being the dimension of the network-traffic feature vector, and the sum of the first r of them is taken as the final detection statistic, i.e.
[Formula for R_k: image not reproduced on this page]
and R_k is compared with the threshold L to decide whether the network is under attack: if R_k > L the network is under a denial-of-service attack, otherwise it is not.
CN202011290957.6A 2020-11-17 2020-11-17 Network denial of service attack detection method based on directional likelihood ratio test Active CN112543183B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011290957.6A CN112543183B (en) 2020-11-17 2020-11-17 Network denial of service attack detection method based on directional likelihood ratio test

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011290957.6A CN112543183B (en) 2020-11-17 2020-11-17 Network denial of service attack detection method based on directional likelihood ratio test

Publications (2)

Publication Number Publication Date
CN112543183A CN112543183A (en) 2021-03-23
CN112543183B (en) 2021-11-19

Family

ID=75014164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011290957.6A Active CN112543183B (en) 2020-11-17 2020-11-17 Network denial of service attack detection method based on directional likelihood ratio test

Country Status (1)

Country Link
CN (1) CN112543183B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388885A (en) * 2008-07-23 2009-03-18 成都市华为赛门铁克科技有限公司 Detection method and system for distributed denial of service
CN104967629A (en) * 2015-07-16 2015-10-07 网宿科技股份有限公司 Network attack detection method and apparatus
CN109450957A (en) * 2019-01-03 2019-03-08 湖南大学 A kind of low speed Denial of Service attack detection method based on cloud model
CN111600876A (en) * 2020-05-14 2020-08-28 湖南大学 Slow denial of service attack detection method based on MFOPA algorithm

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8359650B2 (en) * 2002-10-01 2013-01-22 Skybox Security Inc. System, method and computer readable medium for evaluating potential attacks of worms
CN109729090B (en) * 2019-01-03 2021-06-01 湖南大学 Slow denial of service attack detection method based on WEDMS clustering
CN109729091A (en) * 2019-01-03 2019-05-07 湖南大学 A kind of LDoS attack detection method based on multiple features fusion and CNN algorithm
CN111600878A (en) * 2020-05-14 2020-08-28 湖南大学 Low-rate denial of service attack detection method based on MAF-ADM

Also Published As

Publication number Publication date
CN112543183A (en) 2021-03-23

Similar Documents

Publication Publication Date Title
Ektefa et al. Intrusion detection using data mining techniques
CN111107102A (en) Real-time network flow abnormity detection method based on big data
CN108718310A (en) Multi-level attack signatures generation based on deep learning and malicious act recognition methods
CN113283476B (en) Internet of things network intrusion detection method
Jongsuebsuk et al. Network intrusion detection with fuzzy genetic algorithm for unknown attacks
CN112819336B (en) Quantification method and system based on network threat of power monitoring system
CN106709349B (en) A kind of malicious code classification method based on various dimensions behavioural characteristic
CN105553998A (en) Network attack abnormality detection method
CN104901971B (en) The method and apparatus that safety analysis is carried out to network behavior
CN112738015A (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN102420723A (en) Anomaly detection method for various kinds of intrusion
CN109067722B (en) LDoS detection method based on two-step clustering and detection piece analysis combined algorithm
Fadlil et al. Review of detection DDOS attack detection using naive bayes classifier for network forensics
CN108769079A (en) A kind of Web Intrusion Detection Techniques based on machine learning
CN111817982A (en) Encrypted flow identification method for category imbalance
CN109766992A (en) Industry control abnormality detection and attack classification based on deep learning
CN105959270A (en) Network attack detection method based on spectral clustering algorithm
CN102045357A (en) Affine cluster analysis-based intrusion detection method
CN111191720B (en) Service scene identification method and device and electronic equipment
Fadil et al. A novel ddos attack detection based on gaussian naive bayes
Hu et al. Network data analysis and anomaly detection using CNN technique for industrial control systems security
CN1223941C (en) Hierarchial invasion detection system based on related characteristic cluster
Mechtri et al. Intrusion detection using principal component analysis
CN111600878A (en) Low-rate denial of service attack detection method based on MAF-ADM
CN112543183B (en) Network denial of service attack detection method based on directional likelihood ratio test

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant