CN113542295A - DDoS attack detection method, device, equipment and computer program product - Google Patents


Info

Publication number
CN113542295A
Authority
CN
China
Prior art keywords
flow information
target
clustering center
current
ddos attack
Prior art date
Legal status
Granted
Application number
CN202110847099.9A
Other languages
Chinese (zh)
Other versions
CN113542295B (en)
Inventor
李艺伟
李姣姣
胡辉
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN202110847099.9A
Publication of CN113542295A
Application granted
Publication of CN113542295B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a DDoS attack detection method, which comprises the following steps: acquiring a flow information sample; initializing a semi-supervised fuzzy C-means SS-FCM model to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample; inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center; and if the DDoS attack clustering center in the target clustering center has the flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow. The invention also discloses a DDoS attack detection device, equipment and a computer program product. The invention can determine the clustering center of the flow sample according to the dynamic threshold without manually setting the threshold and the characteristic structure, thereby reducing the calculation amount of DDoS attack detection and improving the accuracy and efficiency of the DDoS attack detection.

Description

DDoS attack detection method, device, equipment and computer program product
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a DDoS attack detection method, apparatus, device, and computer program product.
Background
With the rapid development of computer network technology, destructive network attacks are increasing. Among them, DDoS (Distributed Denial of Service) attacks have remarkable destructive power and great influence, and are an attack means that seriously threatens network security. DDoS attacks usually use a botnet to send a large number of service requests to a victim, which consumes a large amount of the victim's resources, so that it cannot respond to the requests of legitimate users in time or is even completely paralyzed. With the development of network technology, DDoS attack traffic keeps increasing, making it more and more difficult to detect.
At present, DDoS attack detection is the core of the whole DDoS attack detection and defense system. Common DDoS attack detection includes entropy-based detection and attack-feature-based detection. Entropy-based DDoS attack detection subdivides DDoS attacks into different threat levels and detects the attacks of each threat level at different times. Attack-feature-based DDoS attack detection adopts linear prediction technology: a simple and efficient ARMA(2,1) prediction model is established for the IFFV time sequence of normal network flow, so that DDoS attacks can be detected rapidly and effectively and the false alarm rate is reduced.
However, entropy-based DDoS attack detection needs a judgment threshold set according to expert experience, and the false detection rate increases when the threshold is set too low and also when it is set too high; attack-feature-based DDoS attack detection performs feature extraction and feature construction on a large amount of data according to expert experience. As a result, the accuracy of DDoS attack detection is low.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a DDoS attack detection method, a device, equipment and a computer program product, aiming at solving the technical problem of lower accuracy of the existing DDoS attack detection.
In order to achieve the above object, the present invention provides a DDoS attack detection method, which comprises the following steps:
obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center;
and if the DDoS attack clustering center in the target clustering center has the flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow.
Further, the step of inputting the flow information samples into the target SS-FCM model for iterative training, and determining the target clustering center and the flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center, includes:
inputting the flow information samples into the target SS-FCM model, and obtaining a target function corresponding to the distance between each flow information sample and each clustering center through the target SS-FCM model;
determining a Lagrangian function corresponding to the target function through the target SS-FCM model based on the initialized membership degree;
determining current membership and a current clustering center corresponding to each current flow information of current iteration based on the Lagrangian function and the constraint condition of the initial membership through the target SS-FCM model;
and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center.
Further, the step of inputting the traffic information samples into the target SS-FCM model and obtaining an objective function corresponding to the distance between each traffic information sample and each cluster center through the target SS-FCM model includes:
acquiring a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model;
determining, by the target SS-FCM model, the objective function based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, the unlabeled traffic information, and the labeled traffic information.
Further, the step of determining the current membership and the current clustering center corresponding to each piece of traffic information based on the lagrangian function and the constraint condition of the initial membership through the target SS-FCM model includes:
and determining a minimum value corresponding to the Lagrangian function through the target SS-FCM model based on the initial membership and the constraint condition of the initial membership to obtain the current membership corresponding to each flow information and the current clustering center.
Further, the step of determining the target clustering center and the traffic information corresponding to each target clustering center based on the current membership corresponding to each traffic information of the current iteration and the current clustering center includes:
acquiring an error corresponding to the target SS-FCM after current iterative training;
if the error is smaller than a preset error, taking the current clustering center as a target clustering center, and determining flow information corresponding to each target clustering center based on the current membership degree;
and if the error is larger than or equal to a preset error, taking the current membership as the initial membership, initializing a semi-supervised fuzzy C-means SS-FCM model based on the current clustering center to obtain a target SS-FCM model, and returning to execute the step of carrying out model training on the flow information sample and the target SS-FCM model.
Further, the step of determining the flow information corresponding to each target clustering center based on the current membership degree includes:
for each flow information, determining the minimum membership degree in the current membership degrees corresponding to the flow information;
and determining the target clustering center corresponding to the minimum membership degree, and taking flow information as the flow information of the target clustering center corresponding to the minimum membership degree.
Further, the step of obtaining the traffic information sample includes:
acquiring flow information to be processed based on NetFlow, and respectively carrying out standardization processing and normalization processing on the flow information to be processed to obtain processed flow information;
and acquiring label information of first flow information in the processed flow information, and taking the first flow information and second flow information as flow information samples, wherein the second flow information is other flow information except the first flow information in the processed flow information.
In addition, in order to achieve the above object, the present invention further provides a DDoS attack detection apparatus, including:
an acquisition module, used for acquiring a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
the initialization module is used for initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
the training module is used for inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each current flow information of current iteration and the current clustering center;
and the determining module is used for determining that the flow information in the DDoS attack clustering center is DDoS attack flow if the DDoS attack clustering center in the target clustering center has the flow information.
In addition, in order to achieve the above object, the present invention further provides a DDoS attack detection device, including: a memory, a processor, and a DDoS attack detection program stored on the memory and runnable on the processor, wherein the DDoS attack detection program, when executed by the processor, realizes the steps of the DDoS attack detection method described above.
In addition, to achieve the above object, the present invention also provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the DDoS attack detection method described above.
The method comprises the steps of obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information; initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in the traffic information sample; inputting the flow information sample into the target SS-FCM model for iterative training, and determining a target clustering center corresponding to each flow information in the flow information sample based on the current membership degree and the current clustering center corresponding to each flow information in the iterative training; and then, if the DDoS attack clustering center in the target clustering center has flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow. The target clustering center is determined through the membership degree of each iteration, so the clustering center of the flow sample is determined according to a dynamic threshold, and the flow information is classified automatically by a semi-supervised classification method based on a fuzzy principle, without manually setting a threshold and a feature structure; the calculation amount of DDoS attack detection is thereby reduced, and the accuracy and efficiency of DDoS attack detection are improved. Meanwhile, when the initial clustering centers comprise clustering centers of a plurality of attack strengths or types, different types of DDoS attack detection can be realized, improving the applicability of DDoS attack detection.
Drawings
Fig. 1 is a schematic structural diagram of a DDoS attack detection device in a hardware operating environment according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a DDoS attack detection method according to a first embodiment of the present invention;
fig. 3 is a functional module diagram of an embodiment of a DDoS attack detection apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic structural diagram of a DDoS attack detection device in a hardware operating environment according to an embodiment of the present invention.
The DDoS attack detection device in the embodiment of the present invention may be a PC, or may be a mobile terminal device having a display function, such as a smart phone, a tablet computer, an electronic book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a portable computer, or the like.
As shown in fig. 1, the DDoS attack detection device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to enable communication among these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the DDoS attack detection device may further include a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like. Such as light sensors, motion sensors, and other sensors. Of course, other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor may also be configured on the DDoS attack detection device, and are not described herein again.
Those skilled in the art will appreciate that the terminal architecture shown in fig. 1 does not constitute a limitation of DDoS attack detection devices and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a DDoS attack detection program.
In the DDoS attack detection device shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and processor 1001 may be used to invoke a DDoS attack detection program stored in memory 1005.
In this embodiment, the DDoS attack detection device includes a memory 1005, a processor 1001, and a DDoS attack detection program stored in the memory 1005 and executable on the processor 1001, where the processor 1001 calls the DDoS attack detection program stored in the memory 1005 and executes the steps of the DDoS attack detection method in each of the following embodiments.
The invention also provides a DDoS attack detection method, and referring to FIG. 2, FIG. 2 is a flow diagram of a first embodiment of the DDoS attack detection method of the invention.
In this embodiment, the DDoS attack detection method includes the following steps:
step S101, obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
in this embodiment, the traffic information sample refers to sample data that needs to be subjected to DDoS attack detection, and includes a plurality of pieces of traffic information, where the traffic information includes unmarked traffic information and marked traffic information, and each piece of traffic information includes a source IP address, a source port, a destination IP address, a destination port, and a data volume.
Step S102, initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
the SS-FCM (Semi-supervised Fuzzy C-Means) clustering algorithm is an improvement on clustering algorithm, and the core idea of the algorithm is to continuously update the clustering center and the membership function until the optimal clustering center is reached.
In this embodiment, after a traffic information sample is obtained, a semi-supervised fuzzy C-means SS-FCM model is initialized based on a preset number of initial clustering centers to obtain a target SS-FCM model, and specifically, a current clustering center of the target SS-FCM model is set as the dehumidifying clustering center, for example, if the number of categories of the initial clustering centers C is C, the number of corresponding initial clustering centers is C, and the categories of the initial clustering centers C at least include DDoS attack clustering centers and non-DDoS attack clustering centers.
And then, acquiring initial membership degrees corresponding to all the flow information in the flow information sample, wherein the initial membership degrees are the membership degrees between all the flow information and all the initial clustering centers respectively, the initial membership degrees can be reasonably set according to the number c of the initial clustering centers, and the sum of the initial membership degrees between each flow information and all the initial clustering centers is 1.
Step S103, inputting a flow information sample into a target SS-FCM model for iterative training, and determining a target clustering center corresponding to each flow information in the flow information sample based on the current membership degree and the current clustering center corresponding to each flow information of the current iteration;
in this embodiment, after the initial membership degree is obtained, the traffic information samples are input to the target SS-FCM model for iterative training, so as to obtain the current membership degree and the current clustering center corresponding to each current flow information of the current iteration, and the target SS-FCM model of the current iteration.
Then, a target clustering center corresponding to each flow information in the flow information sample is determined based on the current membership degree and the current clustering center corresponding to each flow information of the current iteration. Specifically, if the target SS-FCM model of the current iteration meets a preset iteration ending condition, the target clustering center corresponding to each flow information is determined based on the current membership degree and the current clustering center: for each flow information, the minimum membership degree among the current membership degrees between the flow information and each current clustering center is acquired, and the current clustering center corresponding to the minimum membership degree is taken as the target clustering center corresponding to the flow information.
And step S104, if the DDoS attack clustering center in the target clustering center has flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow.
In this embodiment, the target clustering centers correspond to the categories of the initial clustering centers one to one, and therefore, after the target clustering centers are determined, whether flow information exists in DDoS attack clustering centers in the target clustering centers is determined, if the flow information exists, the flow information in the DDoS attack clustering centers is determined to be DDoS attack flow, and prompt information corresponding to the DDoS attack flow is output.
However, the design is not limited to this. In other embodiments, the initial clustering centers may include clustering centers for a plurality of DDoS attack strengths, set according to the strength of the DDoS attack; then, when the target clustering centers are obtained, the DDoS attack clustering centers in which traffic information exists are obtained among the target clustering centers of each DDoS attack strength, and the traffic information in those DDoS attack clustering centers is DDoS attack traffic.
In the DDoS attack detection method provided in this embodiment, a traffic information sample is obtained, where the traffic information sample includes a plurality of pieces of traffic information, and the traffic information includes unmarked traffic information and marked traffic information; a semi-supervised fuzzy C-means SS-FCM model is initialized based on a preset number of initial clustering centers to obtain a target SS-FCM model, and initial membership degrees corresponding to all traffic information in the traffic information sample are acquired; the flow information sample is input into the target SS-FCM model for iterative training, and a target clustering center corresponding to each flow information in the flow information sample is determined based on the current membership degree and the current clustering center corresponding to each flow information in the iterative training; and then, if the DDoS attack clustering center in the target clustering center has flow information, the flow information in the DDoS attack clustering center is determined as DDoS attack flow. The target clustering center is determined through the membership degree of each iteration, so the clustering center of the flow sample is determined according to a dynamic threshold, and the flow information is classified automatically by a semi-supervised classification method based on a fuzzy principle, without manually setting a threshold and a feature structure; the calculation amount of DDoS attack detection is thereby reduced, and the accuracy and efficiency of DDoS attack detection are improved. Meanwhile, when the initial clustering centers comprise clustering centers of a plurality of attack strengths or types, different types of DDoS attack detection can be realized, improving the applicability of DDoS attack detection.
Based on the first embodiment, a second embodiment of the DDoS attack detection method of the present invention is proposed, in this embodiment, step S103 includes:
step S201, inputting the flow information samples into the target SS-FCM model, and obtaining a target function corresponding to the distance between each flow information sample and each clustering center through the target SS-FCM model;
step S202, determining a Lagrangian function corresponding to the target function through the target SS-FCM model based on the initialized membership degree;
step S203, determining the current membership and the current clustering center corresponding to each current flow information of the current iteration based on the Lagrangian function and the constraint condition of the initial membership through the target SS-FCM model;
step S204, determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center.
In this embodiment, the traffic information samples are input into the target SS-FCM model, and an objective function corresponding to a distance between each traffic information sample and each clustering center is obtained through the target SS-FCM model, specifically, the step S201 includes:
step a, acquiring a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model;
and b, determining the target function based on the fuzzy weighting index, the central quantity, the sample quantity, the initial membership degree, the unmarked flow information and the marked flow information through the target SS-FCM model.
In this embodiment, a fuzzy weighting index, the number of centers of the initial clustering centers, and the number of samples of marked traffic information corresponding to each initial clustering center are obtained, and the objective function is determined based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, unmarked traffic information, and marked traffic information, where the fuzzy weighting index may be reasonably set, the number of centers of the initial clustering centers is the number of initial clustering centers, and specifically, the objective function has the following formula:
Figure BDA0003179817420000091
wherein, Js(U, C) is an objective function, xjFor the jth traffic information, uijIs the initial degree of membership of the jth flow information, ciIs the ith initial clustering center, c is the number of centers, m is the fuzzy weighting index, niFor marked traffic information belonging to the ith class (i-th initial class)Beginning cluster center) of training samples, x'i,kFor the jth training sample of the ith class (ith initial cluster center) in the labeled traffic information, α is the weighting coefficient of the supervision term.
Let
Figure BDA0003179817420000101
The formula of the objective function is simplified as:
Figure BDA0003179817420000102
Then, the Lagrangian function corresponding to the objective function is determined through the target SS-FCM model based on the initial membership degree; specifically, the Lagrangian function is:
Figure BDA0003179817420000103
wherein
Figure BDA0003179817420000104
is the Lagrangian function and λ_j is the jth Lagrangian coefficient.
Then, determining a current membership and a current clustering center corresponding to each current flow information of the current iteration based on the constraint conditions of the lagrangian function and the initial membership through the target SS-FCM model, specifically, the step S203 includes:
step c, determining the minimum value of the Lagrangian function through the target SS-FCM model based on the initial membership and the constraint condition of the initial membership, to obtain the current membership corresponding to each piece of flow information and the current clustering center.
The constraint condition of the initial membership means that, for each piece of flow information, the sum of its initial membership degrees over all initial clustering centers is 1, that is:
Figure BDA0003179817420000105
in this embodiment, the minimum value corresponding to the lagrangian function is determined by the target SS-FCM model based on the initial membership and the constraint condition of the initial membership, so as to obtain a current membership and a current clustering center corresponding to each piece of traffic information, where a formula of the current membership and a formula of the current clustering center are respectively:
Figure BDA0003179817420000111
Figure BDA0003179817420000112
wherein
Figure BDA0003179817420000113
is the t-th iteration of u_ij, and
Figure BDA0003179817420000114
is the (t+1)-th iteration of c_i.
Finally, the target clustering centers and the flow information corresponding to each target clustering center are determined based on the current membership corresponding to each piece of flow information of the current iteration and the current clustering center. Specifically, if the target SS-FCM model of the current iteration meets a preset iteration ending condition, the target clustering center corresponding to each piece of flow information is determined based on the current membership and the current clustering center: for each piece of flow information, the minimum membership among its current memberships to the current clustering centers is obtained, and the current clustering center corresponding to that minimum membership is taken as the target clustering center of the flow information.
In the DDoS attack detection method provided in this embodiment, the flow information samples are input into the target SS-FCM model, and an objective function corresponding to the distance between each flow information sample and each clustering center is obtained through the target SS-FCM model; the Lagrangian function corresponding to the objective function is then determined through the target SS-FCM model based on the initial membership degree; the current membership and the current clustering center corresponding to each piece of flow information of the current iteration are then determined through the target SS-FCM model based on the Lagrangian function and the constraint condition of the initial membership; and the target clustering centers and the flow information corresponding to each target clustering center are determined based on the current membership and the current clustering center of each piece of flow information of the current iteration. The clustering center of a flow sample is thus determined according to a dynamic threshold obtained by the target SS-FCM model, so that the flow information is automatically classified by a semi-supervised classification method according to a fuzzy principle, and the accuracy and efficiency of DDoS attack detection are further improved.
Based on the first embodiment, a third embodiment of the DDoS attack detection method of the present invention is proposed, in this embodiment, step S103 includes:
step S301, obtaining an error corresponding to the target SS-FCM after current iterative training;
step S302, if the error is smaller than a preset error, the current clustering center is used as a target clustering center, and flow information corresponding to each target clustering center is determined based on the current membership degree;
step S303, if the error is larger than or equal to the preset error, taking the current membership as the initial membership, initializing a semi-supervised fuzzy C-means SS-FCM model based on the current clustering center to obtain a target SS-FCM model, and returning to the step of inputting the flow information sample into the target SS-FCM model for model training.
In this embodiment, after each iterative training is performed through the target SS-FCM model, an error corresponding to the target SS-FCM model after the current iterative training is obtained, and whether the error is smaller than a preset error is determined.
And if the error is smaller than a preset error, taking the current clustering center as a target clustering center, and determining flow information corresponding to each target clustering center based on the current membership. Specifically, step S102 includes:
step d, for each piece of flow information, determining the minimum membership degree among the current membership degrees corresponding to that flow information;
step e, determining the target clustering center corresponding to the minimum membership degree, and taking the flow information as flow information of the target clustering center corresponding to the minimum membership degree.
In this embodiment, the current membership degrees corresponding to the flow information are obtained first and compared to find the minimum membership degree; the target clustering center corresponding to the minimum membership degree is then determined, and the flow information is taken as flow information of that target clustering center. In this way the flow information of each target clustering center is obtained accurately according to the minimum membership degree, and DDoS attack detection with a dynamic threshold is realized through the current membership degree obtained in each iteration.
If the error is larger than or equal to the preset error, the current membership is taken as the initial membership, the semi-supervised fuzzy C-means SS-FCM model is initialized based on the current clustering center to obtain the target SS-FCM model, and the method returns to the step of inputting the flow information sample into the target SS-FCM model for model training, for the next iterative training.
In the DDoS attack detection method provided by this embodiment, the error corresponding to the target SS-FCM model after the current iterative training is obtained; if the error is smaller than the preset error, the current clustering center is taken as the target clustering center, and the flow information corresponding to each target clustering center is determined based on the current membership; if the error is larger than or equal to the preset error, the current membership is taken as the initial membership, the semi-supervised fuzzy C-means SS-FCM model is initialized based on the current clustering center to obtain the target SS-FCM model, and the method returns to the step of inputting the flow information sample into the target SS-FCM model for model training. The target clustering center can thus be obtained accurately according to the current membership and the current clustering center, and the accuracy and efficiency of DDoS attack detection are further improved.
Based on the foregoing embodiments, a fourth embodiment of the DDoS attack detection method of the present invention is provided, where in this embodiment, step S101 includes:
step S401, acquiring flow information to be processed based on NetFlow, and respectively carrying out standardization processing and normalization processing on the flow information to be processed to obtain processed flow information;
step S402, obtaining tag information of first traffic information in the processed traffic information, and taking the first traffic information and second traffic information as traffic information samples, where the second traffic information is other traffic information than the first traffic information in the processed traffic information.
In this embodiment, to-be-processed flow information is acquired based on NetFlow, and then the to-be-processed flow information is subjected to standardization processing to obtain standardized flow information, and specifically, to-be-processed flow information in different formats is subjected to standardization processing according to a template format required by data analysis processing to obtain standardized flow information in a uniform format. And then, carrying out normalization processing on the standardized flow information to obtain the processed flow information so as to facilitate calculation in DDoS attack detection, reduce the calculated amount and improve the DDoS attack detection efficiency.
The label information of the first traffic information in the processed traffic information is obtained, and the first traffic information and the second traffic information are used as the traffic information samples; that is, among the processed traffic information, at least a part of the samples whose categories are known (the first traffic information) are marked to obtain the label information of the first traffic information.
In the DDoS attack detection method provided by this embodiment, to-be-processed flow information is obtained based on NetFlow, and the to-be-processed flow information is subjected to standardization processing and normalization processing in turn to obtain the processed flow information; then the label information of the first flow information in the processed flow information is obtained, and the first flow information and the second flow information are used as the flow information samples, wherein the second flow information is the flow information other than the first flow information in the processed flow information. The flow information is thus brought into a unified format by standardization and normalization, which facilitates calculation in DDoS attack detection, reduces the amount of calculation and improves the DDoS attack detection efficiency.
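As an added example that is not part of the patent, the following Python shows one way to implement the iteration of the second and third embodiments (membership and center updates, stopping when the error drops below the preset error, assignment of flows to the DDoS attack clustering center) together with the normalization step of the fourth embodiment, on constructed NetFlow-style features. Because the formula images are not reproduced on this page, the objective function form, min-max normalization, initializing the centers from the marked class means, the feature columns and assigning each flow to its largest membership are assumptions of this example.

```python
import numpy as np

# Constructed feature columns (assumption, not the patent's template format):
# packets per second, bytes per packet, SYN ratio, distinct sources per destination.


def constructed_flows(seed=7):
    """Build a small unmarked/marked traffic sample; all values are constructed."""
    rng = np.random.default_rng(seed)
    benign_mu, benign_sd = [50, 800, 0.05, 3], [10, 100, 0.02, 1]
    attack_mu, attack_sd = [5000, 60, 0.95, 400], [500, 10, 0.02, 50]
    flows = np.vstack([rng.normal(benign_mu, benign_sd, size=(40, 4)),
                       rng.normal(attack_mu, attack_sd, size=(20, 4))])
    truth = np.array([0] * 40 + [1] * 20)  # hidden ground truth, used only for checking
    labeled = [rng.normal(benign_mu, benign_sd, size=(3, 4)),   # class 0: marked benign flows
               rng.normal(attack_mu, attack_sd, size=(3, 4))]   # class 1: marked DDoS flows
    return flows, truth, labeled


def normalize(x):
    """Min-max normalize every feature column to [0, 1]."""
    lo, hi = x.min(axis=0), x.max(axis=0)
    return (x - lo) / np.where(hi > lo, hi - lo, 1.0)


def prepare(flows, labeled):
    """Normalize unmarked and marked flows on one common scale."""
    normed = normalize(np.vstack([flows] + list(labeled)))
    x, lab, pos = normed[:len(flows)], [], len(flows)
    for xl in labeled:
        lab.append(normed[pos:pos + len(xl)])
        pos += len(xl)
    return x, lab


def memberships(x, centers, m):
    """Membership update from the Lagrangian stationarity conditions:
    u_ij is proportional to d_ij^(-2/(m-1)) and every column sums to 1."""
    d2 = ((x[None, :, :] - centers[:, None, :]) ** 2).sum(axis=2)  # (c, n) squared distances
    w = np.maximum(d2, 1e-12) ** (-1.0 / (m - 1.0))
    return w / w.sum(axis=0, keepdims=True)


def ss_fcm(x, labeled, m=2.0, alpha=1.0, preset_error=1e-6, max_iter=300):
    """Iterate SS-FCM until the membership change is below preset_error.

    Assumed objective: sum_ij u_ij^m ||x_j - c_i||^2 + alpha * sum_ik ||x'_ik - c_i||^2.
    Returns (centers, u, iterations); u has shape (number of centers, number of flows).
    """
    centers = np.stack([xl.mean(axis=0) for xl in labeled])  # initial centers: marked class means
    u = memberships(x, centers, m)                            # initial membership degrees
    it = 0
    for it in range(1, max_iter + 1):
        um = u ** m
        # Center update: u^m-weighted unmarked flows plus alpha-weighted marked samples of class i.
        num = um @ x + alpha * np.stack([xl.sum(axis=0) for xl in labeled])
        den = um.sum(axis=1) + alpha * np.array([len(xl) for xl in labeled], dtype=float)
        centers = num / den[:, None]
        u_new = memberships(x, centers, m)
        err = np.abs(u_new - u).max()   # error of the current iteration
        u = u_new
        if err < preset_error:          # below the preset error: current centers become target centers
            break
    return centers, u, it


def detect_ddos(flows, labeled, attack_cluster, **kw):
    """Return indices of unmarked flows assigned to the DDoS attack clustering center."""
    x, lab = prepare(flows, labeled)
    _, u, _ = ss_fcm(x, lab, **kw)
    assigned = u.argmax(axis=0)        # each flow goes to the center of its largest membership
    return np.flatnonzero(assigned == attack_cluster)


if __name__ == "__main__":
    flows, truth, labeled = constructed_flows()
    print("flagged flows:", detect_ddos(flows, labeled, attack_cluster=1).tolist())
```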
The invention also provides a DDoS attack detection device, referring to fig. 3, the DDoS attack detection device comprises:
an obtaining module 10, configured to obtain a traffic information sample, where the traffic information sample includes a plurality of pieces of traffic information, and the traffic information includes unmarked traffic information and marked traffic information;
the initialization module 20 is configured to initialize a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and obtain initial membership degrees corresponding to each piece of traffic information in a traffic information sample;
the training module 30 is configured to input the traffic information samples into a target SS-FCM model for iterative training, and determine a target clustering center and traffic information corresponding to each target clustering center based on a current membership corresponding to each current iterative traffic information and a current clustering center;
and the determining module 40 is configured to determine that the traffic information in the DDoS attack clustering center is DDoS attack traffic if the DDoS attack clustering center in the target clustering center has the traffic information.
The method executed by each program unit can refer to each embodiment of the DDoS attack detection method of the present invention, and is not described herein again.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention stores DDoS attack detection program, and the DDoS attack detection program implements the steps of the DDoS attack detection method described above when executed by a processor.
The method implemented when the DDoS attack detection program running on the processor is executed may refer to each embodiment of the DDoS attack detection method of the present invention, and details are not described here.
In addition, an embodiment of the present invention further provides a computer program product, where the computer program product includes a DDoS attack detection program, and the DDoS attack detection program, when executed by a processor, implements the steps of the DDoS attack detection method described above.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A DDoS attack detection method is characterized by comprising the following steps:
obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center;
and if the DDoS attack clustering center in the target clustering center has the flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow.
2. The DDoS attack detection method of claim 1, wherein the step of inputting the traffic information samples into the target SS-FCM model for iterative training, and determining the target clustering center and the traffic information corresponding to each target clustering center based on the current membership corresponding to each traffic information of the current iteration and the current clustering center comprises:
inputting the flow information samples into the target SS-FCM model, and obtaining a target function corresponding to the distance between each flow information sample and each clustering center through the target SS-FCM model;
determining a Lagrangian function corresponding to the target function through the target SS-FCM model based on the initialized membership degree;
determining current membership and a current clustering center corresponding to each current flow information of current iteration based on the Lagrangian function and the constraint condition of the initial membership through the target SS-FCM model;
and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center.
3. The DDoS attack detection method according to claim 2, wherein the step of inputting the traffic information samples into the target SS-FCM model and obtaining the objective function corresponding to the distance between each traffic information sample and each cluster center through the target SS-FCM model comprises:
acquiring a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model;
determining, by the target SS-FCM model, the objective function based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, the unlabeled traffic information, and the labeled traffic information.
4. The DDoS attack detection method of claim 2, wherein the step of determining, by the target SS-FCM model based on the lagrangian function and the constraint condition of the initial membership, a current membership and a current clustering center corresponding to each traffic information includes:
and determining a minimum value corresponding to the Lagrangian function through the target SS-FCM model based on the initial membership and the constraint condition of the initial membership to obtain the current membership corresponding to each flow information and the current clustering center.
5. The DDoS attack detection method of claim 1, wherein the step of determining the target clustering center and the traffic information corresponding to each target clustering center based on the current membership corresponding to each traffic information of the current iteration and the current clustering center comprises:
acquiring an error corresponding to the target SS-FCM after current iterative training;
if the error is smaller than a preset error, taking the current clustering center as a target clustering center, and determining flow information corresponding to each target clustering center based on the current membership degree;
and if the error is larger than or equal to a preset error, taking the current membership as the initial membership, initializing a semi-supervised fuzzy C-means SS-FCM model based on the current clustering center to obtain a target SS-FCM model, and returning to execute the step of carrying out model training on the flow information sample and the target SS-FCM model.
6. The DDoS attack detection method of claim 5, wherein the step of determining the traffic information corresponding to each target cluster center based on the current membership comprises:
for each flow information, determining the minimum membership degree in the current membership degrees corresponding to the flow information;
and determining the target clustering center corresponding to the minimum membership degree, and taking flow information as the flow information of the target clustering center corresponding to the minimum membership degree.
7. The DDoS attack detection method of any of claims 1-6, wherein the step of obtaining traffic information samples comprises:
acquiring flow information to be processed based on NetFlow, and respectively carrying out standardization processing and normalization processing on the flow information to be processed to obtain processed flow information;
and acquiring label information of first flow information in the processed flow information, and taking the first flow information and second flow information as flow information samples, wherein the second flow information is other flow information except the first flow information in the processed flow information.
8. A DDoS attack detection device, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a flow information sample, the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
the initialization module is used for initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
the training module is used for inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each current flow information of current iteration and the current clustering center;
and the determining module is used for determining that the flow information in the DDoS attack clustering center is DDoS attack flow if the DDoS attack clustering center in the target clustering center has the flow information.
9. A DDoS attack detection device, comprising: memory, processor and DDoS attack detection program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the DDoS attack detection method of any of claims 1 to 7.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, realizes the steps of the DDoS attack detection method according to any of the claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110847099.9A CN113542295B (en) 2021-07-26 2021-07-26 DDoS attack detection method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113542295A true CN113542295A (en) 2021-10-22
CN113542295B CN113542295B (en) 2023-04-07

Family

ID=78120949

Country Status (1)

Country Link
CN (1) CN113542295B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980480A (en) * 2010-11-04 2011-02-23 Xidian University Semi-supervised anomaly intrusion detection method
CN110719270A (en) * 2019-09-26 2020-01-21 Hunan University FCM algorithm-based slow denial of service attack detection method
US20200322368A1 (en) * 2019-04-03 2020-10-08 Deutsche Telekom Ag Method and system for clustering darknet traffic streams with word embeddings

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Feng Haitao: "Research and Implementation of a DDoS Attack Detection Method Based on a Fuzzy Clustering Algorithm", China Master's Theses Full-text Database *

Also Published As

Publication number Publication date
CN113542295B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant