CN112671743A - DDoS intrusion detection method based on flow self-similarity and related device - Google Patents


Info

Publication number
CN112671743A
Authority
CN
China
Prior art keywords
similarity
self
flow
ddos
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011495970.5A
Other languages
Chinese (zh)
Inventor
金经南
范渊
杨勃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011495970.5A
Publication of CN112671743A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a DDoS intrusion detection method based on traffic self-similarity, comprising: performing feature extraction on collected traffic data to obtain traffic features; performing self-similarity analysis on the traffic features with a self-similarity algorithm to obtain a self-similarity value; judging whether the self-similarity value is smaller than a preset similarity; and if so, judging that a DDoS intrusion has occurred. By analysing the self-similarity of the traffic and deciding on intrusion from that value, the detection rate of intrusion detection is improved. The application also discloses a DDoS intrusion detection device based on traffic self-similarity, a server and a computer-readable storage medium, which have the same beneficial effects.

Description

DDoS intrusion detection method based on flow self-similarity and related device
Technical Field
The present application relates to the field of network technologies, and in particular to a DDoS intrusion detection method, a DDoS intrusion detection apparatus, a server and a computer-readable storage medium, all based on traffic self-similarity.
Background
With the continuous development of network technology, unsafe behaviour in the network environment is becoming more common. Among such behaviour, denial of service (DoS) has always been a threat to network security. Distributed denial of service (DDoS) is a distributed, coordinated, large-scale denial-of-service attack that can cause the attacked target to lose all normal network service for a period of time. DDoS is one of the attack means most commonly used by attackers: it is simple to carry out, hard to trace, wide in reach and effective, often causes heavy damage to a network and in serious cases paralyses the whole network. DDoS is an evolution of DoS. It replaces the traditional one-to-one attack with a distributed, coordinated, large-scale attack that enlists a large number of compromised machines (zombies), so that a huge number of data flows converge on the target, consuming network bandwidth or system resources, leaving the service congested with attack requests and unable to serve legitimate clients, and finally causing the target system to break down.
In the related art, single-source DoS attacks can generally be identified. When a DDoS attack occurs, however, its distributed nature (strong concealment, wide attack range and so on) makes intrusion detection perform poorly, lowering the accuracy of DDoS intrusion detection and thus weakening the protection of the service system.
Therefore, how to perform intrusion detection on DDoS attacks accurately is a key problem for those skilled in the art.
Disclosure of Invention
The application aims to provide a DDoS intrusion detection method, a DDoS intrusion detection device, a server and a computer-readable storage medium based on traffic self-similarity, in which the self-similarity of the traffic is analysed and whether an intrusion has occurred is then judged from the self-similarity value, so that the detection rate of intrusion detection is improved.
In order to solve the above technical problem, the present application provides a DDoS intrusion detection method based on traffic self-similarity, comprising:
performing feature extraction on collected traffic data to obtain traffic features;
performing self-similarity analysis on the traffic features with a self-similarity algorithm to obtain a self-similarity value;
judging whether the self-similarity value is smaller than a preset similarity; and
if so, judging that a DDoS intrusion has occurred.
Optionally, performing feature extraction on the collected traffic data to obtain the traffic features comprises:
acquiring the traffic data by packet capture;
parsing the traffic data according to the TCP/IP protocol family to obtain characteristic information; and
performing feature extraction on the characteristic information to obtain the traffic features.
Optionally, performing self-similarity analysis on the traffic features with a self-similarity algorithm to obtain the self-similarity value comprises:
performing self-similarity analysis on the traffic features with a wavelet packet decomposition algorithm to obtain the self-similarity value.
Optionally, the method further comprises:
performing abnormal-traffic identification on the traffic data according to the self-similarity analysis result and the long-range dependence of the traffic data, to separate attack traffic data from normal traffic data.
Optionally, the method further comprises:
when a DDoS intrusion is judged to have occurred, performing alarm processing according to a preset detection rate and a preset false-negative rate.
The application also provides a DDoS intrusion detection device based on traffic self-similarity, comprising:
a traffic feature extraction module, configured to perform feature extraction on the acquired traffic data to obtain traffic features;
a self-similarity analysis module, configured to perform self-similarity analysis on the traffic features with a self-similarity algorithm to obtain a self-similarity value;
a similarity judging module, configured to judge whether the self-similarity value is smaller than a preset similarity; and
an intrusion judging module, configured to judge that a DDoS intrusion has occurred when the self-similarity value is smaller than the preset similarity.
Optionally, the traffic feature extraction module comprises:
a packet capture unit, configured to acquire the traffic data by packet capture;
a data parsing unit, configured to parse the traffic data according to the TCP/IP protocol family to obtain characteristic information; and
a feature extraction unit, configured to perform feature extraction on the characteristic information to obtain the traffic features.
Optionally, the self-similarity analysis module is specifically configured to perform self-similarity analysis on the traffic features with a wavelet packet decomposition algorithm to obtain the self-similarity value.
The present application further provides a server, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of the DDoS intrusion detection method described above when executing the computer program.
The present application further provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the DDoS intrusion detection method described above.
The DDoS intrusion detection method based on traffic self-similarity provided by the present application thus comprises: performing feature extraction on collected traffic data to obtain traffic features; performing self-similarity analysis on the traffic features with a self-similarity algorithm to obtain a self-similarity value; judging whether the self-similarity value is smaller than a preset similarity; and if so, judging that a DDoS intrusion has occurred.
The method first performs feature extraction on the collected traffic data to obtain the corresponding traffic features, then performs self-similarity analysis to obtain the self-similarity of the traffic data, and finally judges from the self-similarity whether a DDoS intrusion has occurred. Judging intrusions in the traffic by way of self-similarity recognises distributed attacks well and improves the detection rate of intrusion detection.
The application also provides a DDoS intrusion detection device, a server and a computer-readable storage medium based on traffic self-similarity, which have the same beneficial effects and are not described again here.
Drawings
In order to illustrate the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a DDoS intrusion detection method based on traffic self-similarity according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a DDoS intrusion detection device based on traffic self-similarity according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a DDoS intrusion detection method, a DDoS intrusion detection device, a server and a computer-readable storage medium based on traffic self-similarity, in which the self-similarity of the traffic is analysed and whether an intrusion has occurred is judged from it, so that the detection rate of intrusion detection is improved.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present application.
In the related art, single-source DoS attacks can generally be identified. When a DDoS attack occurs, however, its distributed nature (strong concealment, wide attack range and so on) makes intrusion detection perform poorly, lowering the accuracy of DDoS intrusion detection and thus weakening the protection of the service system.
Therefore, the present application provides a DDoS intrusion detection method based on traffic self-similarity: feature extraction is performed on the acquired traffic data to obtain the corresponding traffic features, self-similarity analysis is performed to obtain the self-similarity of the traffic data, and finally whether a DDoS intrusion has occurred is judged from the self-similarity. Judging intrusions in the traffic by way of self-similarity recognises distributed attacks well and improves the detection rate of intrusion detection.
The DDoS intrusion detection method based on traffic self-similarity provided by the present application is described below by an embodiment.
Referring to fig. 1, fig. 1 is a flowchart of a DDoS intrusion detection method based on traffic self-similarity according to an embodiment of the present application.
In this embodiment, the method may include:
S101, performing feature extraction on the collected traffic data to obtain traffic features.
This step extracts, from the collected traffic data, the traffic features on which the self-similarity analysis is performed.
The traffic data may be any data that appears as traffic in the network; it can be taken from the network by capturing packets.
Further, in order to perform the feature extraction of this embodiment, the step may comprise:
step 1, collecting the traffic data by packet capture;
step 2, parsing the traffic data according to the TCP/IP protocol family to obtain characteristic information;
step 3, performing feature extraction on the characteristic information to obtain the traffic features.
This alternative mainly explains how the feature extraction is performed. The traffic data is first acquired by packet capture; it is then parsed according to the TCP/IP protocol family (Transmission Control Protocol/Internet Protocol, the protocol family that carries information across many different networks) to obtain characteristic information; finally, feature extraction is performed on that information to obtain the traffic features. Any traffic feature extraction method in the prior art may be used, and no particular method is required here.
S102, performing self-similarity analysis on the traffic features with a self-similarity algorithm to obtain a self-similarity value.
Following S101, this step analyses the traffic features with a self-similarity algorithm to obtain the self-similarity value.
Self-similarity means that the features of a structure or process look alike at different spatial or temporal scales, or that a local property or local structure of a system is similar to the whole; there may also be self-similarity between one whole and another, or between one part and another. In general self-similarity takes a fairly complex form rather than the part simply coinciding with the whole after magnification by some factor. Quantitative properties that characterise a self-similar system or structure, such as its fractal dimension, do not change under scaling up or down; only the outward appearance changes. Self-similarity is usually associated with the dynamics of nonlinear complex systems. In the domain of network traffic, the traffic features look alike at different spatial or temporal scales, or the local structure resembles the whole, so suspicious places in the network traffic can be found by analysing its self-similarity.
Further, in order to improve the effect of the self-similarity analysis in this step, the step may comprise:
performing self-similarity analysis on the traffic features with a wavelet packet decomposition algorithm to obtain the self-similarity value.
This alternative mainly illustrates how the self-similarity analysis may be performed, namely with a wavelet packet decomposition algorithm. Wavelet packet decomposition is also known as the wavelet packet, or the subband tree and optimal subband tree structure. The idea is to represent the wavelet packet by an analysis tree, that is, to analyse the detail part of the input signal with repeated wavelet transforms. From the viewpoint of function theory, wavelet packet decomposition projects the signal onto the space spanned by the wavelet packet basis functions. From the viewpoint of signal processing, it passes the signal through a series of filters with different centre frequencies but the same bandwidth. Wavelet packet decomposition therefore offers a more refined analysis of the signal: it partitions the time-frequency plane more finely and, unlike the dyadic wavelet transform, gives high resolution in the high-frequency part of the signal as well.
S103, judging whether the self-similarity value is smaller than a preset similarity.
Following S102, this step judges whether the self-similarity value is smaller than the preset similarity, that is, whether the traffic has lost enough of its self-similarity to indicate a DDoS intrusion.
The preset similarity may be set from the experience of technicians, from the current network environment, or from the performance of the current equipment. It will be understood that the way of setting it is not unique and is not limited here.
S104, if so, judging that a DDoS intrusion has occurred.
Following S103, this step judges that a DDoS intrusion has occurred when the self-similarity value is smaller than the preset similarity.
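Steps S101 to S104 in miniature, as an added example that is not part of the patent: a packet-count series is decomposed with a Haar wavelet, the Hurst parameter H is estimated from the slope of the detail energies across scales (the logscale diagram of the Abry-Veitch estimator), and H is compared with the preset similarity. The Haar wavelet stands in for the wavelet packet decomposition of S102; the threshold of 0.6, the six scales, the mean of 50 packets per interval and the constructed series (built through the inverse transform so that the detail energy at scale j is exactly 2^(alpha*j)) are assumptions made for the illustration.

```python
"""Hurst-parameter check of a packet-count series (steps S101-S104 in miniature).

Added example, not code from the patent. A Haar wavelet stands in for the
page's wavelet packet decomposition; the 0.6 threshold, the 6 scales and the
constructed series are assumptions made here for illustration.
"""
import math
from typing import List, Tuple

SQRT2 = math.sqrt(2.0)


def haar_dwt(series: List[float], levels: int) -> Tuple[List[float], List[List[float]]]:
    """Orthonormal Haar transform: returns (coarsest approximation, [d_1, ..., d_levels])."""
    approx = list(series)
    details = []
    for _ in range(levels):
        if len(approx) < 2:
            break
        new_approx, detail = [], []
        for x0, x1 in zip(approx[0::2], approx[1::2]):
            new_approx.append((x0 + x1) / SQRT2)
            detail.append((x0 - x1) / SQRT2)
        details.append(detail)
        approx = new_approx
    return approx, details


def haar_idwt(approx: List[float], details: List[List[float]]) -> List[float]:
    """Inverse of haar_dwt (used here only to build the constructed test series)."""
    signal = list(approx)
    for detail in reversed(details):
        nxt = []
        for a, d in zip(signal, detail):
            nxt.append((a + d) / SQRT2)
            nxt.append((a - d) / SQRT2)
        signal = nxt
    return signal


def logscale_diagram(series: List[float], levels: int) -> List[Tuple[int, float]]:
    """(j, log2 of the mean energy of d_j) per scale. Scales with zero energy
    (a perfectly constant series) are dropped rather than passed to log2."""
    _, details = haar_dwt(series, levels)
    points = []
    for j, detail in enumerate(details, start=1):
        energy = sum(c * c for c in detail) / len(detail)
        if energy > 0.0:
            points.append((j, math.log2(energy)))
    return points


def hurst_parameter(series: List[float], levels: int = 6) -> float:
    """Least-squares slope alpha of the logscale diagram; H = (alpha + 1) / 2."""
    points = logscale_diagram(series, levels)
    if len(points) < 2:
        raise ValueError("series shows no variability at enough scales to estimate H")
    xs = [float(j) for j, _ in points]
    ys = [y for _, y in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    alpha = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return (alpha + 1.0) / 2.0


def detect_ddos(series: List[float], levels: int = 6, preset_similarity: float = 0.6) -> Tuple[float, bool]:
    """Steps S103/S104: a DDoS intrusion is declared when H falls below the preset value."""
    h = hurst_parameter(series, levels)
    return h, h < preset_similarity


def synthesize_series(alpha: float, levels: int = 6, length: int = 1024, mean_count: float = 50.0) -> List[float]:
    """Constructed input (assumption): Haar details fixed so that E[d_j^2] = 2**(alpha*j)
    exactly, around a constant of mean_count packets per interval."""
    details = []
    for j in range(1, levels + 1):
        mag = 2.0 ** (alpha * j / 2.0)
        details.append([mag if k % 2 == 0 else -mag for k in range(length >> j)])
    approx = [mean_count * 2.0 ** (levels / 2.0)] * (length >> levels)
    return haar_idwt(approx, details)


if __name__ == "__main__":
    for label, alpha in (("normal (LRD-like)", 0.6), ("flood-like", 0.0)):
        h, alarm = detect_ddos(synthesize_series(alpha))
        print(f"{label:18s} H={h:.3f} DDoS={alarm}")
```

Run as a script it reports H = 0.8 and no alarm for the series with the long-range-dependent slope alpha = 0.6, and H = 0.5 with an alarm for the flood-like series with alpha = 0. On real captures the packet counts per interval come from the capture module, and the preset similarity has to be calibrated on attack-free traffic of the monitored link, since H of normal traffic differs from link to link.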
Further, the method may also comprise:
performing abnormal-traffic identification on the traffic data according to the self-similarity analysis result and the long-range dependence of the traffic data, to separate attack traffic data from normal traffic data.
This alternative mainly illustrates the subsequent processing: abnormal traffic is identified from the self-similarity analysis result together with the long-range dependence of the traffic, giving attack traffic data and normal traffic data. Long-range dependence is an important property of both LAN and WAN traffic: past conditions influence the present and the future, with correlations that decay slowly.
Further, the method may also comprise:
when a DDoS intrusion is judged to have occurred, performing alarm processing according to the preset detection rate and the preset false-negative rate.
This alternative mainly explains how the alarm is raised once a DDoS intrusion has been judged to occur. The preset detection rate is the probability with which an actual DDoS intrusion must trigger an alarm; the preset false-negative rate is the probability with which an actual DDoS intrusion may be filtered out without an alarm. Both can be set from the experience of technicians, from the current network environment, or from the performance of the current equipment; the way of setting them is not unique and is not limited here.
In summary, in this embodiment, feature extraction is performed on the acquired traffic data to obtain the corresponding traffic features, self-similarity analysis is performed to obtain the self-similarity of the traffic data, and finally whether a DDoS intrusion has occurred is judged from the self-similarity, so that distributed attacks are recognised well and the detection rate of intrusion detection is improved.
A DDoS intrusion detection method based on traffic self-similarity provided by the present application is further described below by a specific embodiment.
In this embodiment, a DDoS intrusion is an artificial large-scale data flow that destroys the self-similarity and multifractal properties of the network traffic and shows up as an abnormal change in the Hurst parameter H of the traffic and in the time-varying function H(t). This change can be used to identify accurately whether a DDoS intrusion is occurring, as well as its scale and type.
The intrusion detection system in this implementation consists mainly of three modules, named and described as follows:
the real-time acquisition and information extraction module: it is built on the LIBPCAP library and wrapped in a C++ class, so it can easily be embedded in an intrusion detection system as the front-end module for traffic capture and information extraction. Since an IDS (intrusion detection system) is a real-time system, the design principle of this module is that the measured traffic is sufficient for the subsequent anomaly detection. For the system described in this embodiment, information extraction means extracting the packet-length information from each captured packet;
the attack identification and decision module: it detects abnormal traffic according to the detection probability and miss probability set by the user;
the alarm module: it raises alarms about attacks in various ways according to the detection probability and miss probability set by the user.
The real-time acquisition and information extraction module is designed for reuse and is driven through a graphical user interface (GUI). The traffic analysis results are output through the GUI, which is also used to operate the intrusion detection system; the module thus delivers packet capture and pre-processing to the next module, attack identification and decision. Two key problems arise in this module: first, selecting suitable detection features for the identification method; second, achieving reliable detection and identification. Reliable identification means that the user can preset the required detection probability and miss probability. Let x(t) be the cumulative arrival traffic function. The minimum traffic constraint function is denoted F(I) for I > 0: the traffic arriving in any interval of length I is not less than F(I) = min_t [x(t + I) - x(t)]. Over the consecutive time intervals [(n - 1)I, nI] (n = 1, 2, ..., N) the traffic arriving in the n-th interval is denoted f(I, n); it is a random sequence in n. This sequence is divided into M segments, each of length L, and for the m-th segment (m = 1, 2, ..., M) the mean E[f(I, n)]_m is taken. When M > 10, E[f(I, n)]_m approximately follows a Gaussian distribution, from which decision thresholds matching the preset probabilities can be derived. When the intrusion detection system detects a low-rate attack, it alerts the user and informs the security management centre so that a defence decision can be made. If required, the alarm information can also be sent to other networks to form a comprehensive, multi-layered network security solution.
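The constraint function and the segment means of the paragraph above, as an added example that is not the patent's code. It computes F(I) = min_t [x(t + I) - x(t)] and f(I, n) from a constructed per-tick packet count, takes the means of M consecutive segments, and fits a Gaussian to them to derive a lower alarm threshold at a chosen quantile. Reading that quantile as the user's preset probability is this example's interpretation of the text, and the counts, I = 2, M = 3 and the 5% quantile are assumptions (the page asks for M > 10 before the Gaussian assumption holds; the small M here only keeps the numbers checkable by hand).

```python
"""Minimum traffic constraint function F(I), interval traffic f(I, n) and a
Gaussian alarm threshold on the segment means (worked example).

Added example, not the patent's code. The per-tick packet counts, the window
length I, the segment count M and the alarm quantile are constructed
assumptions; reading the quantile as the user's preset probability is this
example's interpretation of the text.
"""
from statistics import NormalDist, mean, stdev
from typing import List


def cumulative_arrivals(counts_per_tick: List[int]) -> List[int]:
    """x(t): total packets that have arrived by the end of tick t, with x(0) = 0."""
    x = [0]
    for c in counts_per_tick:
        x.append(x[-1] + c)
    return x


def min_traffic_constraint(x: List[int], I: int) -> int:
    """F(I) = min over t of x(t + I) - x(t): the least traffic seen in any window of length I."""
    if not 0 < I < len(x):
        raise ValueError("need 0 < I < len(x)")
    return min(x[t + I] - x[t] for t in range(len(x) - I))


def interval_traffic(x: List[int], I: int) -> List[int]:
    """f(I, n) = x(nI) - x((n - 1)I) for n = 1..N: traffic in consecutive windows of length I."""
    n_windows = (len(x) - 1) // I
    return [x[n * I] - x[(n - 1) * I] for n in range(1, n_windows + 1)]


def segment_means(f: List[int], M: int) -> List[float]:
    """E[f(I, n)]_m: mean of each of M equal consecutive segments of the sequence f."""
    seg = len(f) // M
    if seg == 0:
        raise ValueError("fewer samples than segments")
    return [mean(f[m * seg:(m + 1) * seg]) for m in range(M)]


def low_traffic_threshold(means: List[float], quantile: float) -> float:
    """Fit a Gaussian to the segment means (the page assumes one for M > 10) and return
    the lower quantile below which a new segment mean is treated as an outage.
    A zero spread (all means equal) degenerates to the mean itself."""
    mu, sigma = mean(means), stdev(means)
    if sigma == 0.0:
        return mu
    return NormalDist(mu, sigma).inv_cdf(quantile)


def is_outage(segment_mean: float, threshold: float) -> bool:
    """A segment mean below the threshold indicates a low-rate attack outage."""
    return segment_mean < threshold


if __name__ == "__main__":
    counts = [3, 2, 0, 4, 3, 0, 2, 5, 1, 4, 3, 2]   # constructed packets per tick
    x = cumulative_arrivals(counts)
    print("F(2) =", min_traffic_constraint(x, 2), " F(4) =", min_traffic_constraint(x, 4))
    f = interval_traffic(x, 2)
    means = segment_means(f, 3)
    thr = low_traffic_threshold(means, 0.05)
    print("f(2, n) =", f, " segment means =", means, " threshold =", round(thr, 3))
```

For the constructed counts F(2) = 2 and F(4) = 7, the interval traffic f(2, n) is [5, 4, 3, 7, 5, 5], the three segment means are [4.5, 5, 5], and the 5% lower quantile of the fitted Gaussian lands near 4.36, so a later segment averaging 4 packets per window would be flagged while one averaging 5 would not.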
When an alarm is raised, the following alarm modes can be used, alone or in combination: lighting an alarm lamp, popping up an interface, sounding an alarm bell, sending a short message to a senior decision maker, and sending an e-mail to a senior decision maker.
When an alarm occurs the security management centre is also informed, and if the attack is a serious large-scale attack other networks are informed as well, so that the attack cannot cause large-scale damage; otherwise it is handled internally. The low-rate attack discussed here is one in which the attacker targets the TCP protocol: by creating brief link outages timed to the retransmission timeout (RTO) timer, the attacker disturbs TCP's congestion control mechanism. The attack data stream is a square wave with a fixed period; its average rate is low but its effect is large. The RTO is the timer TCP uses to give the network enough time to recover from congestion before a lost segment is retransmitted. If the RTO is too large and a packet is lost, TCP waits too long before retransmitting, which lengthens the transfer time; if the RTO is too small, unnecessary retransmissions occur and the timeout retransmission algorithm is triggered by mistake, which cuts TCP's sending rate and degrades its performance. This is the principle the attack exploits.
Suppose TCP's minimum RTO is 1 s and the attacker creates an outage at time 0. The TCP sender waits 1 s, retransmits, and doubles the RTO. If the attacker creates another outage at 1 s, so that the retransmission is lost within one RTT, TCP is forced to wait 2 s; following the exponential back-off of the RTO (Karn's algorithm), the attacker can then create outages at 3 s, 7 s, 15 s and so on. In this way an attacker with a very low average rate can deny service to the TCP flow. It follows that if the attack period matches the RTO, the TCP flow suffers a loss at every retransmission, stays in the timeout-retransmission state and achieves almost zero throughput. The key to a low-rate attack is therefore whether the attacker can predict the RTO accurately; the duration of the pulse also matters. The literature indicates that the attack is most effective when the pulse length is L = max_i{RTT_i} and the period is T = RTO.
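A timeline model of the low-rate attack just described, as an added example that is not part of the patent. A single TCP flow with a fixed RTT and a minimum RTO of 1 s is run against a square-wave attacker with pulse length L and period T; every segment sent inside a pulse is lost, the sender backs off exponentially, and the model counts delivered segments. The RTT of 100 ms, the 60 s horizon, the 64 s RTO cap, the single-segment window and the absence of fast retransmit are simplifying assumptions made here.

```python
"""Timeline model of the RTO-targeting low-rate attack described above.

Added example, not from the patent. Simplifying assumptions made here: a
single segment in flight, a fixed RTT, no fast retransmit, RTO doubling
capped at 64 s, and a square-wave attacker whose pulse of length L every
period T loses every segment sent inside the pulse. All timing values are
constructed for the illustration.
"""
from typing import List, Tuple


def in_outage(t_ms: int, period_ms: int, pulse_ms: int) -> bool:
    """True if time t falls inside an attack pulse [k*T, k*T + L) for some k."""
    if period_ms <= 0 or pulse_ms <= 0:
        return False
    return (t_ms % period_ms) < pulse_ms


def simulate_flow(period_ms: int, pulse_ms: int, rtt_ms: int = 100,
                  min_rto_ms: int = 1000, max_rto_ms: int = 64000,
                  horizon_ms: int = 60000) -> Tuple[int, List[int]]:
    """Run one TCP flow against the attack; return (segments delivered, send times of lost segments)."""
    t, rto = 0, min_rto_ms
    delivered, losses = 0, []
    while t < horizon_ms:
        if in_outage(t, period_ms, pulse_ms):
            losses.append(t)
            t += rto                          # wait for the retransmission timer to fire
            rto = min(rto * 2, max_rto_ms)    # exponential back-off
        else:
            delivered += 1
            t += rtt_ms                       # ACK arrives, next segment goes out
            rto = min_rto_ms                  # fresh RTT sample re-arms the timer
    return delivered, losses


def average_attack_rate(period_ms: int, pulse_ms: int, pulse_rate_bps: float) -> float:
    """Average attack rate: the in-pulse rate scaled by the duty cycle L / T."""
    return pulse_rate_bps * pulse_ms / period_ms


if __name__ == "__main__":
    print("no attack:     ", simulate_flow(0, 0)[0], "segments delivered")
    d, lost = simulate_flow(1000, 100)    # T = minRTO, L = RTT: the tuned attack
    print("T = RTO:       ", d, "delivered; losses at", [x / 1000 for x in lost], "s")
    print("T = 1.5 x RTO: ", simulate_flow(1500, 100)[0], "delivered (RTO mis-predicted)")
    print("10 Mbit/s pulse at L/T = 0.1 averages",
          average_attack_rate(1000, 100, 10e6) / 1e6, "Mbit/s")
```

With T = RTO = 1 s and L = RTT the losses fall at 0, 1, 3, 7, 15 and 31 s and nothing is delivered in a minute; with T = 1.5 s the attacker mis-predicts the RTO and the flow recovers a third of its throughput, which is the "can the attacker predict the RTO" point of the text. The average_attack_rate helper shows why the attack stays under rate-based thresholds: a 10 Mbit/s pulse at a 10% duty cycle averages 1 Mbit/s.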
A complete DDoS attack system consists of an attacker, handlers, agents and a target. The handlers and agents are used respectively to control and to actually launch the attack: a handler only issues commands and does not take part in the attack itself, while the agents send the actual attack packets. The DDoS attacker has full or partial control over the handlers and agents and can hide itself in various ways during the attack. Once the real attacker has sent the attack command to the handlers, it can shut down or leave the network while the handlers issue the command to the agent hosts, which keeps the attacker from being traced. Each agent host may send a large number of service-request packets to the target with forged source addresses that cannot be identified. The requested services usually consume a lot of system resources, so the target host can no longer serve its normal users, and in extreme cases the system crashes.
In summary, compared with high-rate attacks, one of the most important features of low-rate DDoS attacks is that the malicious data is concentrated into short bursts, so that the average rate of the attack stream remains relatively low and conventional intrusion detection is evaded.
Looking at the whole traffic analysis process of the system: the raw packets are first obtained from the data acquisition module, frequency statistics are computed on them, and the top N destination IP addresses ranked by traffic are calculated. The tracking analysis module is then called according to a suspicion criterion and makes its judgement against that criterion. After the decision the data is written to the RRD database and the alarm result is determined from the decision. In the whole system the key modules concentrate on two aspects: "determination of suspicious points" and "determination of the number of flows and the average packet length".
Determination of suspicious points: consider how the similarity changes over the course of one DDoS attack. At time Ti the attack causes the traffic of some IP address to surge, and in both of the following cases the surge lowers the similarity. In the first case the attacked IP was not among the top N before, but the attack pushes it into the top N, so the two traffic distributions differ greatly and the similarity falls. In the second case the attacked IP was already among the top N in the previous count, but the attack now gives it a much larger share than the other top-N addresses, so the traffic proportions change markedly and the similarity falls. Because the attack persists, the attacked IP remains in the top N at Ti + 1, so the similarity value rises again; from Ti + 2 it tends to stabilise, until time Tm. When the attack ends, the traffic of the attacked IP drops sharply, the top-N traffic distribution changes again, and the similarity falls once more.
Although an anomaly in the network can thus be detected from the change in similarity, a high-bandwidth large file transfer between two hosts produces the same signature. In order to tell the two apart, an additional strategy is used here to track and analyse the suspicious IP; it is implemented by the "number of flows and average packet length determination" module. After an anomaly is found, the suspicious points are tracked and the windows Ti and Ti + 1 are compared: the IP that contributes most to the change in similarity, that is, the IP whose traffic changed most, is found, and the ongoing high-bandwidth large file transfer is then distinguished from an attack, since both cause sharply changing traffic. The two are easily told apart by analysing the composition of the traffic to that IP. A DDoS attack generally uses random source IP addresses to hide its origin, so the number of flows is large and the packets are mostly small or of random length; a high-bandwidth large file transfer involves a small number of flows and consists mostly of large packets (1 KB or more).
The method of distinguishing the two cases is therefore simple: at the sampling time only the number of source IPs and the average packet length for the suspicious IP need to be analysed, and if the thresholds are exceeded the traffic is regarded as an attack. The system mainly analyses the average packet length and the access pattern of the suspicious IP at time Ti + N + 1, and the process is repeated in the next cycle to achieve continuous DDoS attack detection.
It can be seen that in this embodiment the intrusion alarm relies mainly on two points: (1) alarms for the various attacks are raised according to the set detection probability and miss probability, together with the reason for the fall in similarity; (2) the "number of flows and average packet length determination" module tracks the suspicious points after an anomaly is found, compares Ti with Ti + 1, finds the IP that contributes most to the change in similarity, that is, the IP whose traffic changed most, and then distinguishes the ongoing activity of that IP.
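The two key points above, as an added example that is not the patent's code: consecutive sampling windows of constructed packets (src, dst, length) are reduced to their top-N destination traffic, the similarity between windows is measured, a drop below a threshold marks a suspicious point, the biggest mover is tracked, and its source count and average packet length decide between a DDoS and a bulk transfer. Cosine similarity as the similarity measure, N = 3, the 0.9 threshold, the 50-source and 1000-byte cut-offs, and all addresses and sizes are assumptions made here.

```python
"""Suspicious-point determination on top-N destination traffic, followed by the
"number of flows and average packet length" check (worked example).

Added example, not the patent's code. Packets are constructed tuples
(src_ip, dst_ip, length_bytes) grouped into sampling windows; cosine
similarity, N = 3, the 0.9 similarity threshold and the 50-source /
1000-byte cut-offs are assumptions made here.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

Packet = Tuple[str, str, int]


def top_n_by_bytes(packets: List[Packet], n: int) -> Dict[str, int]:
    """Frequency statistics: bytes per destination IP, keeping the top-n destinations."""
    per_dst: Counter = Counter()
    for _, dst, length in packets:
        per_dst[dst] += length
    return dict(per_dst.most_common(n))


def cosine_similarity(a: Dict[str, int], b: Dict[str, int]) -> float:
    """Similarity of two top-N traffic distributions (1.0 = identical shares)."""
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in set(a) | set(b))
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def biggest_mover(prev: Dict[str, int], curr: Dict[str, int]) -> str:
    """The IP whose traffic changed most between Ti and Ti + 1."""
    return max(set(prev) | set(curr), key=lambda ip: abs(curr.get(ip, 0) - prev.get(ip, 0)))


def classify_suspect(packets: List[Packet], dst: str,
                     min_sources: int = 50, bulk_packet_len: int = 1000) -> str:
    """Flow count and average packet length: many sources with small packets look
    like a DDoS, few sources with large packets like a bulk file transfer."""
    to_dst = [(src, length) for src, d, length in packets if d == dst]
    if not to_dst:
        return "no-traffic"
    sources = {src for src, _ in to_dst}
    avg_len = sum(length for _, length in to_dst) / len(to_dst)
    if len(sources) >= min_sources and avg_len < bulk_packet_len:
        return "ddos"
    if len(sources) < min_sources and avg_len >= bulk_packet_len:
        return "bulk-transfer"
    return "undetermined"


def analyze_windows(windows: List[List[Packet]], n: int = 3,
                    sim_threshold: float = 0.9) -> List[Tuple[int, float, str, str]]:
    """Compare each window with the previous one; on a similarity drop, track the suspect."""
    alerts = []
    prev = top_n_by_bytes(windows[0], n)
    for i in range(1, len(windows)):
        curr = top_n_by_bytes(windows[i], n)
        sim = cosine_similarity(prev, curr)
        if sim < sim_threshold:
            suspect = biggest_mover(prev, curr)
            alerts.append((i, sim, suspect, classify_suspect(windows[i], suspect)))
        prev = curr
    return alerts


def baseline() -> List[Packet]:
    """Constructed normal window: three servers with steady traffic."""
    return ([("10.0.0.1", "192.0.2.10", 1400)] * 30
            + [("10.0.0.2", "192.0.2.20", 600)] * 20
            + [("10.0.0.3", "192.0.2.30", 200)] * 10)


def sample_windows() -> List[List[Packet]]:
    """Four constructed windows: quiet, quiet, spoofed flood on .40, bulk transfer to .50."""
    flood = [(f"198.51.{k // 256}.{k % 256}", "192.0.2.40", 60) for k in range(400)]
    bulk = [("10.0.0.9", "192.0.2.50", 1500)] * 40
    return [baseline(), baseline(), baseline() + flood, baseline() + bulk]


if __name__ == "__main__":
    for idx, sim, ip, verdict in analyze_windows(sample_windows()):
        print(f"window {idx}: similarity={sim:.3f} suspect={ip} verdict={verdict}")
```

The second window repeats the first and raises nothing; the flood in the third window pushes 192.0.2.40 into the top N and drops the similarity to about 0.88, and the 400 distinct sources with 60-byte packets classify it as a DDoS; the 40 full-size packets from one host in the fourth window drop the similarity further, to about 0.52, but the single source and 1500-byte average classify 192.0.2.50 as a bulk transfer rather than an attack.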
Based on the above description, the present embodiment may specifically include the following modules:
The data acquisition and extraction module is used for acquiring a section of traffic that meets the requirements of the subsequent anomaly detection and extracting the packet length information from the captured packets. After packet capture, the data is parsed in a callback function, with data shared between the callback function and a thread class; the header and control information of each layer is unwrapped according to the TCP/IP protocol family structure. Frequency statistics are computed on the source and destination IP addresses, and the top N destination IPs are obtained by sorting on traffic volume. The traffic analysis result is output to the intrusion detection system through a GUI (graphical user interface) to realize attack identification and strategy extraction.
The attack identification module is used for detecting abnormal traffic according to the recognition rate and miss rate set by the user. Specifically, whether actual Internet traffic has self-similarity is determined by computing the Hurst parameter based on wavelet packet decomposition; DDoS attacks are distinguished from normal traffic based on the self-similarity result and the long-range dependence of the traffic data.
The alarm module is used for alarming on attacks in various modes according to the recognition rate and miss rate set by the user. Specifically, when a low-rate attack is detected, an alarm is sent to the user and the security management center is notified to make a defense decision; the alarm can be raised through a pop-up interface, an alarm bell, an SMS message, an email and so on. When a serious large-scale attack is detected, other networks are also notified, so that the attack cannot cause large-scale damage to the network.
Network packet capture can be implemented with the LIBPCAP library. The main functions it provides are as follows (see the LIBPCAP manual):
pcap_open_live(): opens a live capture on a device and returns the capture handle (descriptor) through which packets are read;
pcap_lookupdev(): returns the name of a default device to pass to pcap_open_live();
pcap_open_offline(): opens a saved capture file for offline analysis;
pcap_dump_open(): opens a capture file to which packets will be written;
pcap_setfilter(): installs a packet filter (the filter expression must first be compiled with pcap_compile());
pcap_loop(): starts the capture loop, invoking a callback for each captured packet.
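The capture-side processing described above (reading packets, unwrapping the Ethernet/IPv4 headers, per-IP frequency statistics, and the "number of flows plus average packet length" rule for telling a random-source flood from a bulk transfer) is shown below as an added example; it is not code from the patent or its applicant. It reads a pcap savefile directly, which is what pcap_open_offline() would hand to a callback, so the same logic can be pointed at a real capture. The sample traffic, the address choices, the one-second window and the threshold values (50 source IPs, 128-byte and 1024-byte packet lengths) are all assumptions made for the example.

```python
"""Capture-side processing: read a pcap savefile, unwrap Ethernet/IPv4
headers, keep per-window counts of source IPs, average packet length and
top-N destinations, then apply the "number of flows + average packet
length" rule.  Sample traffic is constructed in-process (sample_capture)."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_ip, dst_ip, payload_len, proto=6):
    """Constructed Ethernet II + IPv4 frame with a zero-filled payload."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + b"\x00" * payload_len


def build_pcap(records):
    """Serialise (ts_sec, frame) pairs as a little-endian pcap savefile."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (ts_sec, frame) from pcap bytes, honouring the magic's byte order."""
    end = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, ip_total_length) or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), total_len


def window_stats(pcap_bytes, window_sec=1, top_n=3):
    """Per-window packet count, distinct source IPs, mean IP packet length and
    the top-N destination IPs by packet count (the per-IP frequency statistics)."""
    acc = {}
    for ts_sec, frame in read_pcap(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, total_len = parsed
        w = acc.setdefault(ts_sec // window_sec,
                           {"pkts": 0, "bytes": 0, "srcs": set(), "dsts": Counter()})
        w["pkts"] += 1
        w["bytes"] += total_len
        w["srcs"].add(src)
        w["dsts"][dst] += 1
    return {k: {"pkts": w["pkts"], "src_ips": len(w["srcs"]),
                "avg_len": w["bytes"] / w["pkts"],
                "top_dst": w["dsts"].most_common(top_n)}
            for k, w in sorted(acc.items())}


def classify(stats, src_ip_threshold=50, small_pkt=128, large_pkt=1024):
    """Two-feature rule from the text: many source IPs sending small packets
    reads as a random-source flood; few sources sending >=1K packets reads as
    a bulk transfer.  Threshold values are assumed, not taken from the page."""
    if stats["src_ips"] >= src_ip_threshold and stats["avg_len"] < small_pkt:
        return "ddos"
    if stats["src_ips"] < src_ip_threshold and stats["avg_len"] >= large_pkt:
        return "bulk-transfer"
    return "normal"


def sample_capture():
    """Constructed traffic: t=0 light browsing from three hosts, t=1 one host
    pushing 1400-byte payloads, t=2 a flood of 40-byte payloads from 200
    spoofed sources (all addresses from documentation ranges)."""
    recs = [(0, build_frame("192.0.2.%d" % (1 + i % 3), "198.51.100.10", 300))
            for i in range(20)]
    recs += [(1, build_frame("192.0.2.7", "198.51.100.10", 1400)) for _ in range(50)]
    recs += [(2, build_frame("203.0.113.%d" % i, "198.51.100.10", 40)) for i in range(200)]
    return build_pcap(recs)


if __name__ == "__main__":
    for t, st in window_stats(sample_capture()).items():
        print("t=%d pkts=%d src_ips=%d avg_len=%.0f -> %s"
              % (t, st["pkts"], st["src_ips"], st["avg_len"], classify(st)))
```

Both features are under the attacker's control (a flood of 1,400-byte packets from a handful of sources passes this rule as a bulk transfer), so the rule is a triage step run on the IPs singled out after the similarity alarm, which is how the text positions it, rather than a detector on its own.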
There are many methods for estimating the self-similarity parameter of network traffic, but research shows that they have limitations in precision and computational cost. In this embodiment, a Hurst parameter estimation method based on wavelet packet decomposition is derived, taking into account the energy distribution of the signal during the decomposition. Testing both parameter estimates on data shows that the method inherits the computational advantages of the wavelet transform and gives a more accurate estimate. The method is applied to compute the self-similarity parameter of actual network traffic, and on that basis the influence of a network worm attack on the self-similar traffic is analyzed, from which useful conclusions are drawn.
In the related art, for DDoS intrusion detection based on network traffic self-similarity: when a data flow exhibits long-range dependence, the aggregate still exhibits long-range dependence regardless of whether the traffic added to it is long-range dependent or not. However, the Hurst coefficient, mean and variance of the aggregate data stream all change. Besides its long-range dependence, normal network traffic can also be described by a self-similar model. When a DDoS attack occurs, the large volume of traffic gathered by the attack still exhibits long-range dependence, but its parameters may change greatly.
It can be seen that, in this embodiment, traffic feature extraction is performed on the acquired traffic data to obtain the traffic feature, self-similarity analysis is performed on it to obtain the self-similarity of the traffic data, and finally whether DDoS intrusion occurs is judged through the self-similarity. Judging intrusion through self-similarity identifies distributed attacks well and improves the recognition rate of intrusion detection.
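The self-similarity side of the method (estimate the Hurst parameter of a packet-count series, then report DDoS when the self-similarity falls below the preset value) is shown below as an added example, not code from the patent. The patent names a wavelet-packet Hurst estimator but does not spell it out, so the block uses the classical aggregated-variance estimator instead; the synthetic "normal" series, the flood model, the block sizes and the preset threshold of 0.65 are assumptions made for the example. The synthetic series is built so that its aggregated variance follows m^(2H-2) exactly at powers of two, which lets the estimator be checked against a known H; the flood adds independent per-slot counts, the memoryless load that pulls the estimate toward 0.5.

```python
"""Self-similarity side of the scheme: estimate the Hurst parameter H of a
per-slot packet-count series and raise the DDoS verdict when H drops below
a preset value.  The estimator is the aggregated-variance method, standing
in for the page's wavelet-packet estimator.  Series are constructed
in-process, not measured traffic."""
import math
import random


def aggregated_variances(series, block_sizes):
    """Population variance of the block-mean series X^(m) for each m."""
    out = []
    for m in block_sizes:
        n_blocks = len(series) // m
        means = [sum(series[k * m:(k + 1) * m]) / m for k in range(n_blocks)]
        mu = sum(means) / n_blocks
        out.append(sum((x - mu) ** 2 for x in means) / n_blocks)
    return out


def hurst_aggvar(series, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Least-squares slope of log Var(X^(m)) on log m.  For a self-similar
    process Var(X^(m)) ~ m^(2H-2), so H = 1 + slope/2; H = 0.5 is memoryless,
    H in (0.5, 1) is the long-range dependence seen in normal traffic."""
    xs = [math.log(m) for m in block_sizes]
    ys = [math.log(v) for v in aggregated_variances(series, block_sizes)]
    xbar, ybar = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
             / sum((x - xbar) ** 2 for x in xs))
    return 1.0 + slope / 2.0


def judge(h, preset=0.65):
    """The decision step of the method: self-similarity below the preset
    value is reported as DDoS.  The preset here is an assumed value."""
    return "ddos" if h < preset else "normal"


def synthetic_selfsimilar(h, levels=10, baseline=50.0):
    """Deterministic stand-in for normal traffic whose aggregated variance
    equals m^(2h-2) exactly at m = 2^j, j < levels: a sum of Rademacher
    square waves (period 2^k) with geometrically chosen amplitudes, so that
    the waves of period <= m average out inside each block."""
    beta = 2 * h - 2
    amps = [math.sqrt(2 ** (beta * (k - 1)) - (2 ** (beta * k) if k < levels else 0.0))
            for k in range(1, levels + 1)]
    return [baseline + sum(a if (t >> (k - 1)) & 1 == 0 else -a
                           for k, a in enumerate(amps, start=1))
            for t in range(2 ** levels)]


def with_flood(series, rate=40.0, seed=7):
    """Add a random-source flood: independent per-slot packet counts uniform
    on [0, rate), the kind of memoryless load that pulls H toward 0.5."""
    rng = random.Random(seed)
    return [x + rng.uniform(0, rate) for x in series]


if __name__ == "__main__":
    normal = synthetic_selfsimilar(0.8)
    attacked = with_flood(normal)
    for name, s in (("normal", normal), ("flooded", attacked)):
        h = hurst_aggvar(s)
        print("%-8s H=%.3f -> %s" % (name, h, judge(h)))
```

The preset similarity is the whole decision boundary, so in practice it has to be calibrated on the link's own clean traffic (H for real links typically sits well above 0.5), and the estimate is only as good as the number of blocks at the largest m, which is why the block sizes stop at 64 for a 1024-slot series.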
In the following, a DDoS intrusion detection device based on traffic self-similarity provided in an embodiment of the present application is introduced, and a DDoS intrusion detection device based on traffic self-similarity described below and a DDoS intrusion detection method based on traffic self-similarity described above may be referred to correspondingly.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a DDoS intrusion detection apparatus based on traffic self-similarity according to an embodiment of the present application.
In this embodiment, the apparatus may include:
a flow characteristic extraction module 100, configured to perform flow characteristic extraction processing on the acquired flow data to obtain a flow characteristic;
the self-similarity analysis module 200 is configured to perform self-similarity analysis on the flow characteristics according to a self-similarity algorithm to obtain a self-similarity;
a similarity judging module 300, configured to judge whether the self-similarity is smaller than a preset similarity;
and the intrusion determination module 400 is configured to determine that DDoS intrusion occurs when the self-similarity is smaller than the preset similarity.
Optionally, the flow characteristic extraction module 100 may include:
the packet capturing unit is used for acquiring flow data in a packet capturing mode;
the data analysis unit is used for analyzing the flow data according to the TCP/IP protocol family to obtain characteristic information;
and the characteristic extraction unit is used for carrying out flow characteristic extraction processing on the characteristic information to obtain flow characteristics.
Optionally, the self-similarity analysis module 200 is specifically configured to perform self-similarity analysis on the traffic characteristics according to a wavelet packet decomposition algorithm to obtain a self-similarity.
An embodiment of the present application further provides a server, including:
a memory for storing a computer program;
a processor, configured to implement the steps of the DDoS intrusion detection method according to the above embodiments when executing the computer program.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the DDoS intrusion detection method according to the above embodiment are implemented.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The DDoS intrusion detection method, DDoS intrusion detection apparatus, server, and computer-readable storage medium provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A DDoS intrusion detection method based on flow self-similarity is characterized by comprising the following steps:
carrying out flow characteristic extraction processing on the collected flow data to obtain flow characteristics;
performing self-similarity analysis on the flow characteristics according to a self-similarity algorithm to obtain self-similarity;
judging whether the self-similarity is smaller than a preset similarity or not;
and if so, judging that DDoS intrusion occurs.
2. A DDoS intrusion detection method according to claim 1, wherein the step of performing traffic feature extraction processing on the collected traffic data to obtain traffic features comprises:
acquiring the flow data in a packet capturing mode;
analyzing the flow data according to a TCP/IP protocol family to obtain characteristic information;
and carrying out flow characteristic extraction processing on the characteristic information to obtain the flow characteristic.
3. A DDoS intrusion detection method according to claim 1, wherein performing self-similarity analysis on said traffic features according to a self-similarity algorithm to obtain self-similarity, comprising:
and carrying out self-similarity analysis on the flow characteristics according to a wavelet packet decomposition algorithm to obtain the self-similarity.
4. A DDoS intrusion detection method according to claim 1, further comprising:
and carrying out abnormal traffic identification on the traffic data according to the self-similarity analysis result and the long correlation of the traffic data to obtain attack traffic data and normal traffic data.
5. A DDoS intrusion detection method according to claim 1, further comprising:
and when the DDoS invasion is judged to occur, carrying out alarm processing according to a preset identification rate and a preset missing report rate.
6. A DDoS intrusion detection device based on flow self-similarity is characterized by comprising:
the flow characteristic extraction module is used for carrying out flow characteristic extraction processing on the acquired flow data to obtain flow characteristics;
the self-similarity analysis module is used for carrying out self-similarity analysis on the flow characteristics according to a self-similarity algorithm to obtain self-similarity;
the similarity judging module is used for judging whether the self-similarity is smaller than a preset similarity or not;
and the intrusion judgment module is used for judging that DDoS intrusion occurs when the self-similarity is smaller than the preset similarity.
7. A DDoS intrusion detection device according to claim 6, wherein the traffic feature extraction module comprises:
the packet capturing unit is used for acquiring the flow data in a packet capturing mode;
the data analysis unit is used for analyzing the flow data according to a TCP/IP protocol family to obtain characteristic information;
and the characteristic extraction unit is used for carrying out flow characteristic extraction processing on the characteristic information to obtain the flow characteristic.
8. A DDoS intrusion detection device according to claim 6, wherein the self-similarity analysis module is specifically configured to perform self-similarity analysis on the traffic characteristics according to a wavelet packet decomposition algorithm to obtain the self-similarity.
9. A server, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the DDoS intrusion detection method according to any one of claims 1 to 5 when executing said computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the DDoS intrusion detection method according to any one of claims 1 to 5.
CN202011495970.5A 2020-12-17 2020-12-17 DDoS intrusion detection method based on flow self-similarity and related device Pending CN112671743A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011495970.5A CN112671743A (en) 2020-12-17 2020-12-17 DDoS intrusion detection method based on flow self-similarity and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011495970.5A CN112671743A (en) 2020-12-17 2020-12-17 DDoS intrusion detection method based on flow self-similarity and related device

Publications (1)

Publication Number Publication Date
CN112671743A true CN112671743A (en) 2021-04-16

Family

ID=75404750

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011495970.5A Pending CN112671743A (en) 2020-12-17 2020-12-17 DDoS intrusion detection method based on flow self-similarity and related device

Country Status (1)

Country Link
CN (1) CN112671743A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259324A (en) * 2021-04-21 2021-08-13 深圳供电局有限公司 Data attack detection method and device, computer equipment and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1983714A1 (en) * 2007-04-20 2008-10-22 Nokia Siemens Networks Oy Method for detection of malign instrusions in a communication system and related detector
CN111740999A (en) * 2020-06-22 2020-10-02 杭州安恒信息技术股份有限公司 DDOS attack identification method, system and related device


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
He Hui et al., 一种基于相似度的DDoS攻击检测方法 (A similarity-based DDoS attack detection method), 通信学报 (Journal on Communications) *
Liu Yuan et al., 基于小波包分析的网络流量随机模拟 (Stochastic simulation of network traffic based on wavelet packet analysis), 计算机工程与设计 (Computer Engineering and Design) *
Hao Zhiyu et al., 基于相似度的DDoS异常检测系统 (A similarity-based DDoS anomaly detection system), 计算机工程与应用 (Computer Engineering and Applications) *
Chen Hongcong et al., 基于网络流量自相似性的入侵检测技术 (Intrusion detection technology based on network traffic self-similarity), 计算机安全 (Computer Security) *


Similar Documents

Publication Publication Date Title
US11316878B2 (en) System and method for malware detection
US8001601B2 (en) Method and apparatus for large-scale automated distributed denial of service attack detection
US9130982B2 (en) System and method for real-time reporting of anomalous internet protocol attacks
Najafabadi et al. Machine learning for detecting brute force attacks at the network level
US7607170B2 (en) Stateful attack protection
CN106027559B (en) Large scale network scanning detection method based on network session statistical nature
US7752665B1 (en) Detecting probes and scans over high-bandwidth, long-term, incomplete network traffic information using limited memory
Celenk et al. Predictive network anomaly detection and visualization
CN106603326B (en) NetFlow sampling processing method based on abnormal feedback
CN110224970B (en) Safety monitoring method and device for industrial control system
CN112671759A (en) DNS tunnel detection method and device based on multi-dimensional analysis
Thakur et al. Detection and Prevention of Botnets and malware in an enterprise network
Song et al. Flow-based statistical aggregation schemes for network anomaly detection
Du et al. Detecting DoS attacks using packet size distribution
Rajakumaran et al. Early detection of LDoS attack using SNMP MIBs
CN112671743A (en) DDoS intrusion detection method based on flow self-similarity and related device
Allen et al. The LoSS technique for detecting new denial of service attacks
Tartakovsky et al. A nonparametric multichart CUSUM test for rapid intrusion detection
Kaur et al. A novel multi scale approach for detecting high bandwidth aggregates in network traffic
Yin et al. Applying genetic programming to evolve learned rules for network anomaly detection
US9426174B2 (en) Protecting computing assets from segmented HTTP attacks
CN112367331A (en) Real-time processing system and method for denial of service attack based on running state of computer system
Dihua et al. Data mining for intrusion detection
Shah et al. Dynamic modeling of internet traffic for intrusion detection
Qin et al. Monitoring abnormal traffic flows based on independent component analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210416