CN113055381A - Method, equipment and storage medium for realizing DDoS (distributed denial of service) flow detection of Internet of things based on page type network - Google Patents

Info

Publication number
CN113055381A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110267529.XA
Other languages
Chinese (zh)
Inventor
王洪君
丁作亚
胡燕南
韩长江
程野
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong University
Original Assignee
Shandong University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00 Economic sectors
    • G16Y10/75 Information technology; Communication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/10 Detection; Monitoring
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/50 Safety; Security of things, users, data or systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets


Abstract

The invention relates to a method, equipment and a storage medium for realizing DDoS flow detection of an Internet of things based on a page-type network, wherein the method comprises the following steps: (1) acquiring a data set; (2) preprocessing a data set; (3) constructing a DDoS flow detection model; (4) training a DDoS flow detection model; (5) detecting DDoS flow; and preprocessing the DDoS flow of the Internet of things to be detected and then inputting the preprocessed DDoS flow into a trained DDoS flow detection model to realize DDoS flow detection. The page type network is more suitable for being deployed and implemented in the edge environment, and the identification rate of the DDoS malicious traffic of the IoT equipment by using a neural network algorithm in the edge environment is improved.

Description

Method, equipment and storage medium for realizing DDoS (distributed denial of service) flow detection of Internet of things based on page type network
Technical Field
The invention relates to an improved full-connection neural network, which can better realize the detection of DDoS (distributed denial of service) flow of an Internet of things by utilizing deep learning in an edge environment and belongs to the technical field of deep learning.
Background
Distributed denial of service (DDoS) is an extremely harmful network attack carried out in a distributed, large-scale, coordinated manner: an attacker uses many zombie hosts or Internet of Things devices under their control to launch denial of service (DoS) attacks against a target simultaneously, so that the target's system resources are exhausted or the target even crashes, and the target "refuses" to provide the required services to normal users. DDoS attacks mainly target the system resources and network bandwidth of the victim, and the attack range spans from the network layer to the application layer. In October 2016, the Mirai botnet controlled over one hundred thousand Internet of Things (IoT) devices to perform DDoS attacks on the Dyn DNS infrastructure, and many well-known websites, including GitHub, Amazon, Netflix, Twitter, CNN and PayPal, were inaccessible for hours. In the fourth quarter of 2017, the total number of DDoS attacks increased by 14% compared with the fourth quarter of 2016. DDoS attacks pose serious security threats to systems and networks, and according to recent research almost all DDoS attackers use more than two attack vectors, so that detecting malicious traffic becomes increasingly difficult.
As an emerging technology, the artificial neural network is widely applied in the field of Internet DDoS detection with good results; its general abstraction capability, its learning and self-adapting capability and its inherently parallel computation give it unique advantages in DDoS attack detection. In DDoS attack detection, edge nodes first extract features from the data flow, filter and analyze the extracted feature values with a neural network, and then perform a qualitative analysis of the traffic behavior pattern. The attack of a malicious node is a dynamic process, and for a dynamic system a neural network is a commonly used and effective countermeasure. However, the currently popular neural networks such as CNN and LSTM have the disadvantages of large parameter scale and high deployment requirements, and are difficult to deploy and run in the edge environment, so a more efficient and lightweight deep learning model is urgently needed.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for detecting DDoS traffic of the Internet of things based on a page-type network; the invention uses a fully-connected neural network of a special form to detect and defend against DDoS attacks launched by an attacker through Internet of things botnet devices.
The invention also provides a computer device and a storage medium.
At present, defense strategies for Internet of things DDoS mainly focus on detecting malicious traffic with an anomaly detection algorithm at a central node, among which deep learning algorithms are the most effective; however, this defense method has the disadvantages of high computational overhead and high runtime memory, so the invention provides a lightweight DDoS attack defense neural network suitable for deployment at the edge of the network. Compared with a traditional convolutional neural network, the page-type neural network designed by the invention has higher detection accuracy and a smaller parameter scale, and is more suitable for deployment and implementation in the edge environment.
Interpretation of terms:
1. Forward calculation: the forward propagation and computation process after data enters the neural network.
2. LSTM: Long Short-Term Memory networks (LSTM) are a special type of recurrent network that can learn long-term dependencies. LSTM was proposed by Hochreiter & Schmidhuber (1997) and recently improved and generalized by Alex Graves. LSTM is specifically designed to avoid the long-term dependency problem: remembering information for long periods is its default behavior, not something it struggles to learn.
3. CNN: a Convolutional Neural Network (CNN) is a kind of feedforward neural network that contains convolution computations and has a deep structure, and is one of the representative algorithms of deep learning. A convolutional neural network has representation learning capability and can perform shift-invariant classification of input information according to its hierarchical structure, so it is also called a 'shift-invariant artificial neural network'.
4. IoT: the Internet of Things (IoT) connects any object or process that needs to be monitored, connected or interacted with in real time; through information sensors, radio frequency identification, global positioning systems, infrared sensors, laser scanners and other devices and technologies it collects required information such as sound, light, heat, electricity, mechanics, chemistry, biology and position, and through every possible network access it realizes the ubiquitous connection of objects and people and the intelligent sensing, identification and management of objects and processes.
5. Wireshark (formerly Ethereal) is network packet analysis software. Its function is to capture network packets and display the packet data in as much detail as possible. Wireshark uses WinPcap as its capture interface and exchanges data directly with the network card.
6. The sub-fully-connected networks and the summary fully-connected network together form the page-type neural network. Each sub-fully-connected network receives a feature vector from the preprocessed data set as input; the outputs of the sub-networks are produced in parallel and enter the next-stage network, namely the summary fully-connected network, which aggregates the output data of the sub-fully-connected networks. This achieves lightweight edge deployment, improves accuracy and reduces the amount of computation.
7. The loss function estimates the degree of inconsistency between the model's predicted value f(x) and the true value Y. It is a non-negative real-valued function, generally written L(Y, f(x)); the smaller the loss, the better the robustness of the model.
8. Gradient vector: the objective function f is a scalar function of the vector x = (x1, x2, …, xn)^T; differentiating f with respect to x yields a vector of the same dimension as x, which is called the gradient vector.
The technical scheme of the invention is as follows:
a method for realizing DDoS flow detection of the Internet of things based on a page type network comprises the following steps:
(1) acquiring a data set
The data set comprises normal traffic data packets and malicious traffic data packets;
(2) data set preprocessing
Four characteristics in the data set are taken as feature values: source IP divergence, packet size, communication protocol and time interval. Source IP divergence is the degree of divergence of the source IP addresses of the intercepted packets; a packet is a normal traffic packet or a malicious traffic packet in the data set; the time interval is the time difference between two consecutively received packets. When processing the communication protocol feature, the four most frequent protocol types are mapped to numbers. For source IP divergence, the traffic characteristics of Internet of things devices and the computation and storage overhead are considered together, and only the influence of backtracking numbers of 10 and 100 on the detection result is analyzed.
The feature values are mapped to the corresponding vector using the Python language.
(3) constructing DDoS flow detection model
(4) Training DDoS flow detection model
Preferably, in step (4), training the DDoS traffic detection model includes:
inputting the vector obtained in step (2) into the DDoS traffic detection model, i.e. performing forward propagation, to obtain a score;
inputting the score into the loss function (error function) and comparing it with the expected value to obtain an error; the degree of recognition is judged by the error (the smaller the loss value, the better the recognition);
determining the gradient vector by back-propagation;
adjusting each weight value through the gradient vector so that the score changes and the error falls between 0 and 0.05 or shows a convergence trend;
repeating the above process until the set number of iterations is reached or the average error no longer falls (the lowest point).
For each method, the test set is evaluated once after every iteration (one epoch of training) on the training set. After training is finished, the best test result on the test set is stored and taken as the DDoS attack traffic detection result of that method. For a fair comparison, the two methods use the same training procedure: the optimizer is Adam with momentum parameters β1 = 0.9 and β2 = 0.999, 200 epochs are trained, and the batch size used for training is 128.
(5) DDoS traffic detection
And preprocessing the DDoS flow of the Internet of things to be detected and then inputting the preprocessed DDoS flow into a trained DDoS flow detection model to realize DDoS flow detection.
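As an added illustration of step (2), not code from the patent: the following Python builds the H×W feature tensor X from a constructed packet sample, using a backtracking window for the source IP divergence and the top-four protocol mapping. The divergence measure (distinct source IPs in the window divided by the window length), the protocol numbering and the sample packets are assumptions, since the patent names the features without defining them.

```python
"""Added example (not the patent's own code): building the H x W input
tensor X of step (2) from a packet stream. The packet sample is constructed;
the concrete source-IP divergence measure and the protocol-to-number mapping
are assumptions, since the patent only names the features."""
from collections import Counter

# Constructed sample: (timestamp in seconds, source IP, protocol, size in bytes).
# The last five packets imitate a burst arriving from many different sources.
PACKETS = [
    (0.00, "10.0.0.2", "TCP", 60),
    (0.10, "10.0.0.3", "TCP", 1500),
    (0.25, "10.0.0.2", "UDP", 120),
    (0.30, "10.0.0.4", "TCP", 60),
    (0.50, "10.0.0.2", "DNS", 80),
    (0.55, "10.0.0.5", "TCP", 60),
    (0.60, "10.0.0.6", "ICMP", 64),
    (0.62, "10.0.0.7", "TCP", 60),
    (0.63, "10.0.0.8", "TCP", 60),
    (0.64, "10.0.0.9", "TCP", 60),
]


def protocol_codes(packets):
    """The four most frequent protocol types get the numbers 1..4 (assumed
    numbering); any other protocol is mapped to 0."""
    top = Counter(p[2] for p in packets).most_common(4)
    return {name: i + 1 for i, (name, _count) in enumerate(top)}


def ip_divergence(packets, idx, backtrack):
    """Assumed divergence measure: distinct source IPs among the `backtrack`
    most recent packets up to index idx, divided by the window length."""
    window = packets[max(0, idx - backtrack + 1): idx + 1]
    return len({p[1] for p in window}) / len(window)


def feature_rows(packets, backtrack, codes):
    """One row per packet: [IP divergence, size, protocol code, time interval]."""
    rows = []
    for i, (ts, _ip, proto, size) in enumerate(packets):
        interval = ts - packets[i - 1][0] if i > 0 else 0.0
        rows.append([ip_divergence(packets, i, backtrack), float(size),
                     float(codes.get(proto, 0)), interval])
    return rows


def build_tensor(packets, H, backtrack):
    """X: the H most recent packets as rows (time axis) and the four
    features as columns (W = 4), the layout the page-type network consumes."""
    rows = feature_rows(packets, backtrack, protocol_codes(packets))
    return rows[-H:]


def columns(X):
    """X^(i) for i = 1..W: each column is the input of its own sub-fully-connected network."""
    return [list(col) for col in zip(*X)]
```

With H = 3 and a backtracking number of 5 on the sample above, the divergence column of the burst is all 1.0, which is the kind of temporal signal each sub-network is meant to pick up.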
The convolutional neural network can, to a certain extent, process two-dimensional information with a small parameter scale, but when H ≥ 4 and W ≥ 4 (H and W being the size of the input two-dimensional tensor) the number of network parameters reaches the 10^4 level, which is still a large storage and computation burden for edge computing nodes. Further simplifying the network structure and reducing the parameter scale is therefore important for applying deep learning to DDoS attack traffic detection at edge nodes.
Aiming at the time-domain characteristics of Internet of things DDoS traffic features, and considering both parameter scale and network complexity, the invention provides a page-type neural network. The core principle is as follows: when DDoS attack traffic feature information is extracted from the Internet of things feature tensor X, the information density of the spatial feature (horizontal direction) is lower than that of the temporal feature (vertical direction); that is, more DDoS attack traffic features can be extracted from the vertical elements of X. When processing X, sufficient attention should therefore be paid to the temporal change of each individual feature, and the page-type network proposed by the invention satisfies this requirement.
Preferably according to the invention, the acquiring of the data set comprises:
The normal traffic packet acquisition process is as follows: Wireshark software is used to collect and record all normal traffic packets; the result is stored in a pcap file. The operating environment of Wireshark is: Acer Tx40-G1, Intel Core i5-6200U (2.3 GHz), 4 GB DDR3 RAM, 64-bit Windows 10. In the experiment the Acer Tx40-G1 acts as a gateway node, for example by opening a hotspot network, and the gateway node can connect to the Internet. A total of 198874 normal traffic packets were collected in the experiment.
Malicious traffic acquisition is relatively simple: traffic is collected by simulating an attack environment with virtual machines. Two Kali Linux virtual machines are installed in VMware; one simulates an infected device and runs the Mirai malware, and the other runs the C&C server and a DNS server. A DoS attack initiator infected with Mirai is thus simulated, and a running Apache web server is used as the Mirai victim.
However, simulating Mirai with Kali virtual machines to launch a DDoS attack has two disadvantages. First, under this method the communication protocol of the DDoS attack packets must be preset before the attack is launched, so the sample data is not persuasive when the communication protocol is analyzed. Second, the method only simulates the state during a DDoS attack, whereas the times at which zombie nodes launch DDoS attacks are usually scattered, so a deep learning model trained on this data cannot recognize the state of a zombie node when it is not launching a DDoS attack. Therefore, the malicious traffic packets were acquired as follows: all data traffic, comprising 654401 malicious traffic packets, sent between 22:50 and 23:13 on the 22nd (2018) after a certain piece of Internet of things equipment provided by the SecRepo data security sample research library had been infected with Mirai.
Preferably, according to the invention, the DDoS traffic detection model is a page-type neural network whose structure includes a group of sub-fully-connected networks and a summary fully-connected network; the group contains W parallel sub-fully-connected networks, and the structure is shown in FIG. 1.
For a sub-fully-connected network, the dimension of the input layer (initialized with random parameters) is H, matching the number of rows of the input tensor X, where X is the vector obtained after the data set preprocessing of step (2); the dimensions of the hidden layers of the sub-fully-connected network are 16 and 16 respectively. The reason for designing sub-fully-connected networks is that, with a limited parameter size, a sub-network can sufficiently extract the temporal characteristics of Internet of things traffic.
The input of the summary fully-connected network is the concatenation of all sub-fully-connected network outputs; the dimension of its input layer is W × 16, the dimension of its hidden layer is 32, and the dimensions of its output layers are 16 and 2.
Further preferably, letting fc_i(·) denote the computation of the i-th sub-fully-connected network, i = 1, 2, …, W, and FC(·) the summary fully-connected network, the forward computation of the page-type neural network is given by formula (I):
result = FC([fc_1(X^(1)), fc_2(X^(2)), …, fc_W(X^(W))]) (I)
In formula (I), X^(i) denotes the i-th column of X, and result is the resulting computation.
Preferably, the back-propagation of the page-type neural network differs somewhat from that of a general fully-connected network, mainly at the junction between the sub-fully-connected networks and the summary fully-connected network. Suppose the network weight of the last layer of the i-th sub-fully-connected network is W_i; then, viewed from the page-type neural network as a whole, the initial random parameter of the last layer of the sub-fully-connected networks is expressed by formula (II):
(formula (II): equation image not reproduced in the text)
In formula (II), W_1 … W_W are the initial random parameters of each sub-fully-connected network and the remaining positions are set to zero; W is the weight value in the computation of the page-type neural network.
A class unit array I is constructed from W: I has the same size as W, the positions of W_1 … W_W are set to 1 and all other positions to 0. Let the loss function be E and the learning rate α; then the process of updating the initial random parameters of the page-type neural network is as shown in formula (III):
(formula (III): equation image not reproduced in the text)
In formula (III), ΔW is the change of the weight value during the computation of the page-type neural network;
ΔW is solved by the chain rule as shown in formula (IV):
(formula (IV): equation image not reproduced in the text)
In formula (IV), α is the output of the activation function of the current network layer of the page-type neural network (the layer whose initial random parameters are being updated) and β is the input of that activation function; then
(equation image not reproduced in the text)
where α' is the output of the activation function of the previous layer;
(equation image not reproduced in the text)
which depends on the loss function of the network and the activation functions of the layers.
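The concatenation of formula (I) and the block-diagonal weight, 0/1 mask and masked update of formulas (II) to (IV), as an added worked example in plain Python that is not the patent's code: the layer sizes, the random weights, the upstream gradient δ = ∂E/∂β and the learning rate are constructed assumptions, and the activation function of the last sub-network layer is taken to be the identity so that ∂β/∂W reduces to α'.

```python
"""Added example (not the patent's own code): the last layers of the W parallel
sub-fully-connected networks written as ONE block-diagonal matrix (formula II),
the class unit array I, and the masked update of formula (III) with the
chain-rule gradient of formula (IV). All sizes and values are constructed."""
import random


def matvec(M, v):
    """Plain matrix-vector product on nested lists."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def block_diag(blocks):
    """Formula (II): W_1 ... W_W on the diagonal, every other position zero."""
    rows = sum(len(b) for b in blocks)
    cols = sum(len(b[0]) for b in blocks)
    W = [[0.0] * cols for _ in range(rows)]
    r = c = 0
    for b in blocks:
        for i, row in enumerate(b):
            W[r + i][c:c + len(row)] = list(row)
        r, c = r + len(b), c + len(b[0])
    return W


def unit_mask(blocks):
    """The class unit array I: 1 wherever a W_i sits, 0 elsewhere."""
    return block_diag([[[1.0] * len(b[0]) for _ in b] for b in blocks])


def sub_outputs(blocks, hidden):
    """fc_i applied per sub-network (o_i = W_i . h_i), then the concatenation
    [fc_1(X^(1)), ..., fc_W(X^(W))] that formula (I) feeds into FC(.)."""
    out = []
    for Wi, hi in zip(blocks, hidden):
        out += matvec(Wi, hi)
    return out


def weight_gradient(delta, alpha_prev):
    """dE/dW for a layer with activation input beta = W . alpha' (formula IV):
    outer product of delta = dE/dbeta (from the loss and later layers) with
    alpha' (the previous layer's activation output). Dense: it is non-zero
    even at positions that formula (II) fixes to zero."""
    return [[d * a for a in alpha_prev] for d in delta]


def masked_update(W, I, grad, lr):
    """Formula (III): delta_W = lr * (I (Hadamard) dE/dW), W <- W - delta_W.
    The mask keeps the off-block zeros of formula (II) at exactly zero."""
    return [[w - lr * m * g for w, m, g in zip(wr, mr, gr)]
            for wr, mr, gr in zip(W, I, grad)]


def demo(num_sub=4, in_dim=3, out_dim=2, lr=0.1, seed=7):
    """Random last layers for num_sub sub-networks (constructed sizes), their
    block-diagonal view and one masked update step. Returns (W, I, W_new, same),
    where `same` records that the parallel sub-networks and the single
    block-diagonal layer give identical concatenated outputs."""
    rnd = random.Random(seed)
    rand = lambda n: [rnd.uniform(-1, 1) for _ in range(n)]
    blocks = [[rand(in_dim) for _ in range(out_dim)] for _ in range(num_sub)]
    hidden = [rand(in_dim) for _ in range(num_sub)]      # alpha' of each sub-network
    W, I = block_diag(blocks), unit_mask(blocks)
    alpha_prev = [x for h in hidden for x in h]
    same = all(abs(a - b) < 1e-12
               for a, b in zip(sub_outputs(blocks, hidden), matvec(W, alpha_prev)))
    delta = rand(num_sub * out_dim)                      # constructed dE/dbeta
    W_new = masked_update(W, I, weight_gradient(delta, alpha_prev), lr)
    return W, I, W_new, same
```

Because the patent uses α both for the learning rate and for an activation output, the code names them `lr` and `alpha_prev`; the mask I is what stops the dense gradient from coupling sub-networks that formula (II) keeps separate.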
A computer device comprises a memory and a processor; the memory stores a computer program, and when the processor executes the program it carries out the steps of the method for detecting Internet of things DDoS traffic based on a page-type network.
A computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the method for detecting Internet of things DDoS traffic based on a page-type network.
The invention has the beneficial effects that:
1. At present, convolutional neural networks are relatively mature for network traffic anomaly detection, but for practical reasons such as their relatively complex algorithm they are difficult to deploy and apply in the edge environment. The invention designs a network structure that is superior to the convolutional neural network in parameter scale and is therefore better suited to deployment and implementation in the edge environment.
2. At present, the detection accuracy of anomaly detection algorithms on IoT devices is not high; the method improves the recognition rate of DDoS malicious traffic from IoT devices using a neural network algorithm in the edge environment.
Drawings
FIG. 1 is a block diagram of a DDoS traffic detection model;
FIG. 2(a) is a schematic diagram showing the comparison of the test accuracy of the page type network, the convolutional neural network and the fully-connected neural network when the number of data packets is 5 and the backtracking number is 10 according to the present invention;
FIG. 2(b) is a schematic diagram showing the comparison of the test accuracy of the page type network, the convolutional neural network and the fully-connected neural network when the number of data packets is 5 and the backtracking number is 100 according to the present invention;
FIG. 2(c) is a comparison graph of the testing accuracy of the page type network, the convolutional neural network and the fully-connected neural network when the number of data packets is 10 and the backtracking number is 10 according to the present invention;
FIG. 2(d) is a comparison graph of the testing accuracy of the page type network, the convolutional neural network and the fully-connected neural network when the number of data packets is 10 and the backtracking number is 100 according to the present invention;
FIG. 3(a) is a schematic diagram of the parameters of a convolutional neural network as a function of scale as the length and width dimensions of the input two-dimensional tensor increase;
fig. 3(b) is a schematic diagram showing the variation of the parameters of the page-type network of the present invention with the scale according to the increase of the length and width dimensions of the input two-dimensional tensor.
Detailed Description
The invention is further defined by, but not limited to, the figures and examples in the description.
Example 1
A method for realizing DDoS flow detection of the Internet of things based on a page type network comprises the following steps:
(1) acquiring a data set
The data set comprises normal traffic data packets and malicious traffic data packets;
(2) data set preprocessing
Four characteristics in the data set are taken as feature values: source IP divergence, packet size, communication protocol and time interval. Source IP divergence is the degree of divergence of the source IP addresses of the intercepted packets; a packet is a normal traffic packet or a malicious traffic packet in the data set; the time interval is the time difference between two consecutively received packets. When processing the communication protocol feature, the four most frequent protocol types are mapped to numbers. For source IP divergence, the traffic characteristics of Internet of things devices and the computation and storage overhead are considered together, and only the influence of backtracking numbers of 10 and 100 on the detection result is analyzed.
The feature values are mapped to the corresponding vector using the Python language.
(3) constructing DDoS flow detection model
(4) Training DDoS flow detection model
(5) DDoS traffic detection
And preprocessing the DDoS flow of the Internet of things to be detected and then inputting the preprocessed DDoS flow into a trained DDoS flow detection model to realize DDoS flow detection.
The convolutional neural network can, to a certain extent, process two-dimensional information with a small parameter scale, but when H ≥ 4 and W ≥ 4 (H and W being the size of the input two-dimensional tensor) the number of network parameters reaches the 10^4 level, which is still a large storage and computation burden for edge computing nodes. Further simplifying the network structure and reducing the parameter scale is therefore important for applying deep learning to DDoS attack traffic detection at edge nodes.
Aiming at the time-domain characteristics of Internet of things DDoS traffic features, and considering both parameter scale and network complexity, the invention provides a page-type neural network. The core principle is as follows: when DDoS attack traffic feature information is extracted from the Internet of things feature tensor X, the information density of the spatial feature (horizontal direction) is lower than that of the temporal feature (vertical direction); that is, more DDoS attack traffic features can be extracted from the vertical elements of X. When processing X, sufficient attention should therefore be paid to the temporal change of each individual feature, and the page-type network proposed by the invention satisfies this requirement.
Example 2
The method for detecting the DDoS traffic of the Internet of things based on the page-type network in the embodiment 1 has the following difference:
acquiring a data set comprising:
The normal traffic data packets are acquired as follows: Wireshark is used to collect normal traffic data packets and all of them are recorded; the acquisition result is stored in a pcap file. The operating environment of Wireshark is: Acer Tx40-G1, Intel Core i5-6200U (2.3 GHz), 4 GB DDR3 RAM, 64-bit, Windows 10. In the experiment the Acer Tx40-G1 acts as the gateway node (for example by opening a hotspot network), and the gateway node is connected to the Internet. A total of 198874 normal traffic packets were collected in the experiment.
The acquisition of malicious traffic is comparatively simple: traffic is collected by simulating an attack environment with virtual machines, as follows. Two Kali Linux virtual machines are installed in VMware; one simulates an infected device and runs the Mirai virus, and the other runs the C&C server and a DNS server. This simulates a DoS attack initiator infected with the Mirai malicious virus, and a running Apache Web server is used as the victim of the Mirai virus.
However, simulating the Mirai virus with Kali virtual machines to launch a DDoS attack has two disadvantages: firstly, the communication protocol of the DDoS attack data packets has to be preset before the attack is initiated, so the sample data is not sufficiently convincing when the communication protocol is analysed; secondly, the method only simulates the state of an ongoing DDoS attack, whereas the times at which zombie nodes launch DDoS attacks are usually scattered, so a deep learning model trained on such data cannot recognise the state of a zombie node while it is not launching an attack. Therefore, the malicious traffic data packets are acquired as follows: all data traffic (654401 malicious traffic packets in total) sent between 22:50 and 23:13 on the 22nd, 2018, after a certain piece of Internet of things equipment provided in the SecRepo data security sample research library was infected with the Mirai virus.
Example 3
The method for detecting the DDoS traffic of the Internet of things based on the page-type network in the embodiment 2 is characterized in that:
the DDoS traffic detection model is a page-type neural network. Its structure comprises a sub-fully-connected network group and a summary fully-connected network, and the sub-fully-connected network group comprises W parallel sub-fully-connected networks, as shown in figure 1.
For each sub-fully-connected network, the input layer has dimension H, matching the number of rows of the input tensor X, where X is the vector obtained after the data set preprocessing in step (2); the two hidden layers of the sub-fully-connected network have dimensions 16 and 16. The reason for designing sub-fully-connected networks is that, with a limited parameter size, the sub-networks can sufficiently extract the temporal characteristics of Internet of things traffic.
The input of the summary fully-connected network is the concatenation of the outputs of all sub-fully-connected networks; the dimension of its input layer is W × 16, the dimension of its hidden layer is 32, and the dimensions of its output layers are 16 and 2.
Let fc_i(·) denote the calculation of the i-th sub-fully-connected network, i = 1, 2, …, W, and FC(·) the summary fully-connected network; the forward calculation of the page-type neural network is then given by formula (I):
result = FC([fc_1(X^(1)), fc_2(X^(2)), …, fc_W(X^(W))])   (I)
In formula (I), X^(i) denotes the i-th column of X, and result is the output of the calculation.
The back-propagation of the page-type neural network differs somewhat from that of a general fully-connected network, mainly at the junction of the sub-fully-connected networks and the summary fully-connected network. Suppose the network weight of the last layer of the i-th sub-fully-connected network is W_i; then, viewed from the page-type neural network as a whole, the initial random parameter of the last layer of the i-th sub-fully-connected network is expressed by formula (II):
[formula (II) is given as an image in the original]
In formula (II), W_1 … W_W are set to the initial random parameters of the respective sub-fully-connected networks and the remaining positions are set to zero; W is a weight value in the calculation process of the page-type neural network;
A class unit array I is constructed according to W: I has the same size as W, the positions of W_1 … W_W are set to 1 and the other positions to 0. Let the loss function be E and the learning rate be α; the update of the initial random parameters of the page-type neural network is then given by formula (III):
[formula (III) is given as an image in the original]
In formula (III), ΔW is the change of the weight value during the calculation of the page-type neural network;
ΔW is obtained by the chain rule, as in formula (IV):
[formula (IV) is given as an image in the original]
In formula (IV), α is the output of the activation function of the current network layer (that is, of the initial random parameter of the page-type neural network) and β is the input of the activation function of the current network layer; then
[formula given as an image in the original]
where α' is the output of the activation function of the previous layer, and
[formula given as an image in the original]
depends on the loss function of the network and the activation functions of the layers.
Example 4
The method for detecting the DDoS traffic of the Internet of things based on the page-type network in the embodiment 3 has the following difference:
in step (4), training the DDoS traffic detection model means:
inputting the vector obtained in step (2) into the DDoS traffic detection model, that is, performing forward propagation to obtain a score;
inputting the score into the loss function and comparing it with the expected value to obtain the error; the recognition quality is judged from the error (the smaller the loss value, the better the recognition);
determining the gradient vector by back-propagation;
adjusting each weight value through the gradient vector, so that the score changes and the error falls between 0 and 0.05 or shows a converging trend;
repeating the above process until the set number of iterations is reached or the average error no longer decreases (lowest point).
For each method, the test set is evaluated once per iteration (one epoch of training) on the training set. After training, the best result on the test set is stored and taken as the DDoS attack traffic detection result of that method. For a fair comparison, both methods use the same training scheme: the optimizer is Adam with momentum parameters β1 = 0.9 and β2 = 0.999, 200 epochs are trained, and the batch size is 128.
To evaluate the experimental results objectively, the performance of the deep learning models is compared using Accuracy, Precision, Recall and the F1 score as indicators, where TN is the number of samples whose predicted and actual values are both 0; FP the number of samples with predicted value 1 but actual value 0; FN the number of samples with predicted value 0 but actual value 1; and TP the number of samples whose predicted and actual values are both 1.
The DDoS attack traffic detection performance of the CNN and the page-type network is analysed, and the experimental results are also compared with those of other documents. Because no authoritative data set has yet been formed in the Internet of things field, an SVM (support vector machine), a KNN (K nearest neighbour) machine learning model and a 4-layer fully-connected neural network model were reproduced and tested on the acquired data set.
Table 1 shows the performance comparison of the five methods for different numbers of data packets and backtracking numbers; FIG. 2(a) compares the test accuracy of the page-type network, the convolutional neural network and the fully-connected neural network when the number of data packets is 5 and the backtracking number is 10; FIG. 2(b) compares the test accuracy of the same three networks when the number of data packets is 5 and the backtracking number is 100; FIG. 2(c) when the number of data packets is 10 and the backtracking number is 10; and FIG. 2(d) when the number of data packets is 10 and the backtracking number is 100.
TABLE 1
[Table 1 is given as an image in the original]
From table 1 and fig. 2(a) to 2(d), the following conclusions can be drawn:
(1) Compared with KNN, SVM and FC, both the CNN and the page-type network obtain better results under all four evaluation criteria. Specifically, when N_pack is 5 and N_back is 10, the CNN and the page-type network are respectively 5.47% and 5.57% higher than FC, 9.9% and 9.8% higher than SVM, and 4.18% and 4.08% higher than KNN in accuracy. The accuracy is respectively 14.76% and 13.78% higher than FC, 24.83% and 25.81% higher than SVM, and 2.94% and 3.92% higher than KNN. The test results show that the CNN model and the page-type network model proposed herein are superior to the FC, SVM and KNN models under all evaluation criteria.
(2) For the same method and the same number of data packets, the higher the backtracking number, the better the DDoS attack traffic detection performance. For example, when N_pack is 5, the recall of the page-type network with N_back = 100 is 2.47% higher than with N_back = 10, and its F1 score is 1.6 higher.
(3) For the same backtracking number, increasing the number of data packets improves the accuracy of the CNN's DDoS attack traffic detection. For example, when N_back is 10, the accuracy of the CNN with N_pack = 10 is 2.16% higher than with N_pack = 5, and its F1 score is 1.14% higher.
(4) Although the number of parameters of the page-type network is much lower than that of the CNN, with the same number of packets and backtracking number the page-type network still obtains results similar to the CNN, and on some metrics it is even higher than or equal to the CNN. For example, when N_pack is 5 and N_back is 10, the CNN is only 0.1% higher than the page-type network in accuracy, while the page-type network is 0.98% higher than the CNN in accuracy. The sub-networks of the page-type network fully extract the temporal characteristics of Internet of things traffic, and the summary fully-connected network then fuses the sub-network information effectively.
The above analysis shows that both the CNN and the page-type network model are able to detect Internet of things DDoS attack traffic accurately. The advantage of the CNN model is that the input data is converted from the one-dimensional characteristics of a single data packet into the two-dimensional characteristics of several data packets, so that the time-domain change information of the data stream can be fully extracted; this information is also the key information for distinguishing normal from abnormal data streams.
The disadvantage of the CNN model is its huge number of parameters, which is unfavourable for deployment in an edge environment, whereas the page-type network has an obvious advantage in parameter scale. According to the structure of the page-type network, its parameter count is:
N_p(Page-Net) = W × (H × 16 + 16 × 16) + (W × 16) × 32 + 32 × 16 + 16 × 2
= 16WH + 768W + 544
From the above calculation, when H ≥ 2 and W ≥ 2 we have N_p(Page-Net) < N_p(CNN); compared with the CNN, the page-type network effectively simplifies the network structure and reduces the parameter scale.
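The page-type network of Example 3 and the parameter count just derived, implemented together as an added example in pure Python (this is not the patent's own code): W sub-networks each consume one column of X and the summary network fuses them (formula (I)), weight_count reproduces 16WH + 768W + 544, and block_mask builds the class unit array I of formula (III) over the block-diagonal last-layer weight of formula (II). The activations (ReLU on hidden layers, linear output) and the seeded uniform initialisation are assumptions, since the text does not name them.

```python
"""Page-type neural network: forward pass, weight count and block mask.

Added illustration, not the patent's code.  Structure follows Example 3 /
claim 2: W parallel sub fully-connected networks, each fed one column X^(i)
of the H x W input (H -> 16 -> 16), and a summary fully-connected network
over the W*16 concatenated outputs (-> 32 -> 16 -> 2).
Assumptions: ReLU on hidden layers, identity on the 2-unit output, weights
drawn from a seeded uniform(-0.1, 0.1) so runs are reproducible.
"""
import random

HIDDEN = (16, 16)        # sub-network hidden layer sizes (from the text)
SUMMARY = (32, 16, 2)    # summary network hidden/output sizes (from the text)


def _dense(in_dim, out_dim, rng):
    """Weight matrix (out_dim x in_dim) plus a zero bias vector."""
    w = [[rng.uniform(-0.1, 0.1) for _ in range(in_dim)] for _ in range(out_dim)]
    return w, [0.0] * out_dim


def _apply(layer, x, relu=True):
    """y = act(W x + b) for one dense layer."""
    w, b = layer
    out = [sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(w, b)]
    return [max(0.0, v) for v in out] if relu else out


class PageNet:
    def __init__(self, h, w, seed=0):
        rng = random.Random(seed)
        self.h, self.w = h, w
        # W sub-networks, each H -> 16 -> 16
        self.subs = [[_dense(h, HIDDEN[0], rng), _dense(HIDDEN[0], HIDDEN[1], rng)]
                     for _ in range(w)]
        # summary network: W*16 -> 32 -> 16 -> 2
        dims = (w * HIDDEN[1],) + SUMMARY
        self.summary = [_dense(dims[i], dims[i + 1], rng) for i in range(len(SUMMARY))]

    def forward(self, x):
        """Formula (I): result = FC([fc_1(X^(1)), ..., fc_W(X^(W))]); x is H rows x W cols."""
        assert len(x) == self.h and all(len(row) == self.w for row in x)
        concat = []
        for i, layers in enumerate(self.subs):
            col = [row[i] for row in x]          # the i-th column X^(i)
            for layer in layers:
                col = _apply(layer, col)
            concat.extend(col)                   # parallel connection of outputs
        out = concat
        last = len(self.summary) - 1
        for k, layer in enumerate(self.summary):
            out = _apply(layer, out, relu=(k < last))
        return out

    def weight_count(self):
        """Number of weight entries (biases excluded), as in the page's formula."""
        n = sum(len(w) * len(w[0]) for layers in self.subs for w, _ in layers)
        n += sum(len(w) * len(w[0]) for w, _ in self.summary)
        return n


def page_net_param_formula(h, w):
    """N_p(Page-Net) = W(16H + 256) + 512W + 512 + 32 = 16WH + 768W + 544."""
    return 16 * w * h + 768 * w + 544


def block_mask(num_blocks, block_rows, block_cols):
    """Class unit array I: 1 on the W_i blocks of the block-diagonal last-layer
    weight (formula (II)), 0 elsewhere, so I * dW leaves the zero blocks zero."""
    rows, cols = num_blocks * block_rows, num_blocks * block_cols
    mask = [[0] * cols for _ in range(rows)]
    for b in range(num_blocks):
        for r in range(block_rows):
            for c in range(block_cols):
                mask[b * block_rows + r][b * block_cols + c] = 1
    return mask


if __name__ == "__main__":
    for n_pack in (5, 10):   # H = N_pack rows, W = 4 characteristic columns
        net = PageNet(h=n_pack, w=4)
        print(n_pack, net.weight_count(), page_net_param_formula(n_pack, 4))
```

With W = 4 characteristics the count is 3936 weights for N_pack = 5 and 4256 for N_pack = 10, the two configurations compared in Table 2.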
Table 2 compares the number of parameters of the CNN and the page-type network for different numbers of data packets; FIG. 3(a) shows how the number of parameters of the convolutional neural network grows as the height and width of the input two-dimensional tensor increase; FIG. 3(b) shows the corresponding growth for the page-type network of the present invention.
TABLE 2
[Table 2 is given as an image in the original]
When N_pack is 5, the number of parameters of the page-type network is 26.58% of that of the CNN; when N_pack is 10 it is only 12.05%. At the same time, as shown above, the page-type network obtains results similar to the CNN with the same number of data packets and backtracking number. This shows that the page-type network proposed by the present invention achieves excellent DDoS detection with less storage and a lower computation load on the edge node, and therefore has greater practical application value than the CNN.
Example 5
A computer device comprising a memory and a processor, wherein the memory stores a computer program and the processor, when executing the computer program, implements the steps of the method for detecting Internet of things DDoS traffic based on a page-type network according to any one of embodiments 1 to 4.
Example 6
A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the method for detecting Internet of things DDoS traffic based on a page-type network according to any one of embodiments 1 to 4.

Claims (8)

1. A method for realizing the detection of the DDoS flow of the Internet of things based on a page type network is characterized by comprising the following steps:
(1) acquiring a data set
The data set comprises normal traffic data packets and malicious traffic data packets;
(2) data set preprocessing
Taking four characteristics of source IP divergence, data packet size, communication protocol and time interval in a data set as characteristic values; the source IP divergence refers to the divergence degree of the source IP address of the intercepted data packet; the data packet refers to a normal flow data packet or a malicious flow data packet in a data set; the time interval refers to the time difference between two received continuous data packets;
mapping the characteristic value through a python language to obtain a corresponding vector;
(3) constructing DDoS flow detection model
(4) Training DDoS flow detection model
(5) DDoS traffic detection
And preprocessing the DDoS flow of the Internet of things to be detected and then inputting the preprocessed DDoS flow into a trained DDoS flow detection model to realize DDoS flow detection.
2. The method for detecting the DDoS traffic of the Internet of things based on the page-type network as claimed in claim 1, wherein the DDoS traffic detection model is a page-type neural network, the structure of the page-type neural network comprises a sub-fully-connected network group and a summary fully-connected network, and the sub-fully-connected network group comprises W parallel sub-fully-connected networks;
for each sub-fully-connected network, the input layer has dimension H, matching the number of rows of the input tensor X, where X is the vector obtained after the data set preprocessing in step (2); the two hidden layers of the sub-fully-connected network have dimensions 16 and 16;
the input of the summary fully-connected network is the concatenation of the outputs of all sub-fully-connected networks; the dimension of its input layer is W × 16, the dimension of its hidden layer is 32, and the dimensions of its output layers are 16 and 2.
3. The method for detecting DDoS traffic of the Internet of things based on the page-type network as claimed in claim 2, wherein fc_i(·) denotes the calculation of the i-th sub-fully-connected network, i = 1, 2, …, W, and FC(·) denotes the summary fully-connected network, and the forward calculation of the page-type neural network is given by formula (I):
result = FC([fc_1(X^(1)), fc_2(X^(2)), …, fc_W(X^(W))])   (I)
in formula (I), X^(i) denotes the i-th column of X, and result is the output of the calculation.
4. The method for detecting DDoS traffic of the Internet of things based on the page-type network as claimed in claim 2, wherein, supposing the network weight of the last layer of the i-th sub-fully-connected network is W_i, then, viewed from the page-type neural network as a whole, the initial random parameter of the last layer of the i-th sub-fully-connected network is expressed by formula (II):
[formula (II) is given as an image in the original]
in formula (II), W_1 … W_W are set to the initial random parameters of the respective sub-fully-connected networks and the remaining positions are set to zero; W is a weight value in the calculation process of the page-type neural network;
a class unit array I is constructed according to W, where I has the same size as W, the positions of W_1 … W_W are set to 1 and the other positions to 0; the loss function is E and the learning rate is α; the update of the initial random parameters of the page-type neural network is then given by formula (III):
[formula (III) is given as an image in the original]
in formula (III), ΔW is the change of the weight value during the calculation of the page-type neural network;
ΔW is obtained by the chain rule, as in formula (IV):
[formula (IV) is given as an image in the original]
in formula (IV), α is the output of the activation function of the current network layer (that is, of the initial random parameter of the page-type neural network) and β is the input of the activation function of the current network layer; then
[formula given as an image in the original]
where α' is the output of the activation function of the previous layer.
5. The method for detecting the DDoS traffic of the internet of things based on the page-type network as claimed in claim 1, wherein the step (4) of training the DDoS traffic detection model comprises the steps of:
inputting the vector obtained in step (2) into the DDoS traffic detection model, that is, performing forward propagation to obtain a score;
inputting the score into the loss function and comparing it with the expected value to obtain the error;
determining the gradient vector by back-propagation;
adjusting each weight value through the gradient vector, so that the score changes and the error falls between 0 and 0.05 or shows a converging trend;
repeating the above process until the set number of iterations is reached or the average error no longer decreases.
6. The method for detecting the DDoS traffic of the Internet of things based on the page-type network as claimed in any one of claims 1 to 5, wherein the step of acquiring the data set comprises the following steps:
the normal traffic data packets are acquired by using Wireshark to collect normal traffic data packets and recording all of them;
the malicious traffic data packets are acquired as follows: all data traffic (654401 malicious traffic packets in total) sent between 22:50 and 23:13 on the 22nd, 2018, after a certain piece of Internet of things equipment provided in the SecRepo data security sample research library was infected with the Mirai virus.
7. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method for detecting Internet of things DDoS traffic based on a page-type network according to any one of claims 1 to 6.
8. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the steps of the method for detecting Internet of things DDoS traffic based on a page-type network as claimed in any one of claims 1 to 6.
Application CN202110267529.XA (priority date 2021-03-12, filing date 2021-03-12): Method, equipment and storage medium for realizing DDoS (distributed denial of service) flow detection of Internet of things based on page type network. Status: Pending.

Publication CN113055381A (en), publication date 2021-06-29. Family ID 76511700. Country: CN.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210629