CN113542295B - DDoS attack detection method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN113542295B
Authority
CN
China
Prior art keywords
flow information
target
clustering center
current
membership
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110847099.9A
Other languages
Chinese (zh)
Other versions
CN113542295A (en)
Inventor
李艺伟
李姣姣
胡辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN202110847099.9A
Publication of CN113542295A
Application granted
Publication of CN113542295B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a DDoS attack detection method, which comprises the following steps: acquiring a flow information sample; initializing a semi-supervised fuzzy C-means SS-FCM model to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample; inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center; and if the DDoS attack clustering center in the target clustering center has the flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow. The invention also discloses a DDoS attack detection device, equipment and a computer program product. The invention can determine the clustering center of the flow sample according to the dynamic threshold without manually setting the threshold and the characteristic structure, thereby reducing the calculation amount of DDoS attack detection and improving the accuracy and efficiency of the DDoS attack detection.

Description

DDoS attack detection method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a DDoS attack detection method, apparatus, device, and computer-readable storage medium.
Background
With the rapid development of computer network technology, destructive network attacks are increasing. Among them, DDoS (Distributed Denial of Service) attacks have remarkable destructive power and wide impact, and are an attack method that seriously threatens network security. A DDoS attack usually uses a botnet to send a large number of service requests to the victim, which consumes a large amount of the victim's resources, so that the victim cannot respond to the requests of legitimate users in time or is even completely paralyzed. With the development of network technology, DDoS attack traffic keeps growing, making such attacks more and more difficult to detect.
At present, DDoS attack detection is the core of a DDoS attack detection and defense system. Common approaches include entropy-based DDoS attack detection and attack-feature-based DDoS attack detection. Entropy-based detection subdivides DDoS attacks into different threat levels and detects the attacks of each threat level separately. Attack-feature-based detection adopts linear prediction: a simple and efficient ARMA(2, 1) prediction model is built for the IFFV time series of normal network traffic, so that DDoS attacks can be detected quickly and effectively with a reduced false alarm rate.
However, entropy-based DDoS attack detection requires a judgment threshold set from expert experience, and the false detection rate increases when the threshold is set too low and increases again when it is set too high; attack-feature-based DDoS attack detection requires feature extraction and feature construction over a large amount of data, again according to expert experience. The accuracy of existing DDoS attack detection is therefore low.
The above is only for the purpose of assisting understanding of the technical solution of the present invention, and does not represent an admission that the above is the prior art.
Disclosure of Invention
The invention mainly aims to provide a DDoS attack detection method, a device, equipment and a computer readable storage medium, aiming at solving the technical problem of low accuracy rate of the existing DDoS attack detection.
In order to achieve the above object, the present invention provides a DDoS attack detection method, which comprises the following steps:
obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center;
and if the DDoS attack clustering center in the target clustering center has the flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow.
Further, the step of inputting the traffic information samples into the target SS-FCM model for iterative training, and determining the target clustering center and the traffic information corresponding to each target clustering center based on the current membership corresponding to each piece of traffic information of the current iteration and the current clustering center, includes:
inputting the flow information samples into the target SS-FCM model, and obtaining a target function corresponding to the distance between each flow information sample and each clustering center through the target SS-FCM model;
determining a Lagrangian function corresponding to the target function through the target SS-FCM model based on the initial membership degree;
determining current membership and a current clustering center corresponding to each current flow information of current iteration based on the Lagrangian function and the constraint condition of the initial membership through the target SS-FCM model;
and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center.
Further, the step of inputting the traffic information samples into the target SS-FCM model and obtaining an objective function corresponding to the distance between each traffic information sample and each cluster center through the target SS-FCM model includes:
acquiring a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model;
determining, by the target SS-FCM model, the objective function based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, the unlabeled traffic information, and the labeled traffic information.
Further, the step of determining the current membership and the current clustering center corresponding to each piece of traffic information based on the lagrangian function and the constraint condition of the initial membership through the target SS-FCM model includes:
and determining a minimum value corresponding to the Lagrangian function through the target SS-FCM model based on the initial membership and the constraint condition of the initial membership to obtain the current membership corresponding to each flow information and the current clustering center.
Further, the step of determining the target clustering center and the traffic information corresponding to each target clustering center based on the current membership corresponding to each traffic information of the current iteration and the current clustering center includes:
obtaining an error corresponding to the target SS-FCM model after current iterative training;
if the error is smaller than a preset error, taking the current clustering center as a target clustering center, and determining flow information corresponding to each target clustering center based on the current membership degree;
and if the error is larger than or equal to a preset error, taking the current membership as the initial membership, initializing a semi-supervised fuzzy C-means SS-FCM model based on the current clustering center to obtain a target SS-FCM model, and returning to execute the step of carrying out model training on the flow information sample and the target SS-FCM model.
Further, the step of determining the traffic information corresponding to each target clustering center based on the current membership degree includes:
for each piece of traffic information, determining the minimum membership degree among the current membership degrees corresponding to that traffic information;
and determining the target clustering center corresponding to the minimum membership degree, and assigning the traffic information to that target clustering center.
Further, the step of obtaining the traffic information sample includes:
acquiring flow information to be processed based on NetFlow, and respectively carrying out standardization processing and normalization processing on the flow information to be processed to obtain processed flow information;
and acquiring label information of first flow information in the processed flow information, and taking the first flow information and second flow information as flow information samples, wherein the second flow information is other flow information except the first flow information in the processed flow information.
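The sample-acquisition step just listed (NetFlow records, standardization and normalization, then labels attached to a first subset of the records) as an added example in Python. This is not the patent's own code: the record layout, the encoding of IP addresses as integers, and the choice of z-score standardization followed by min-max normalization are assumptions of the example; the five record fields follow the ones the description names (source IP and port, destination IP and port, data volume).

```python
"""Added example, not the patent's own code: build a traffic information
sample from NetFlow-style records. Each record carries the five fields the
description lists (source IP, source port, destination IP, destination port,
data volume); the numeric encoding of IP addresses, the z-score
standardization followed by min-max normalization, and the record layout
are assumptions of this example."""
import ipaddress
import math

# Constructed NetFlow-like records (src_ip, src_port, dst_ip, dst_port, bytes).
# Not real traffic: three ordinary flows and four tiny flows to one server.
RAW_FLOWS = [
    ("10.0.0.5", 51234, "192.0.2.10", 80, 1200),
    ("10.0.0.6", 51235, "192.0.2.10", 443, 900),
    ("10.0.0.7", 40000, "192.0.2.10", 443, 1500),
    ("203.0.113.1", 1025, "192.0.2.10", 80, 60),
    ("203.0.113.2", 1026, "192.0.2.10", 80, 60),
    ("203.0.113.3", 1027, "192.0.2.10", 80, 64),
    ("203.0.113.4", 1028, "192.0.2.10", 80, 62),
]


def flow_features(flow):
    """Map one record to a numeric feature vector (IPs as 32-bit integers)."""
    src_ip, src_port, dst_ip, dst_port, nbytes = flow
    return [float(int(ipaddress.ip_address(src_ip))), float(src_port),
            float(int(ipaddress.ip_address(dst_ip))), float(dst_port),
            float(nbytes)]


def _columns(rows):
    return [[row[k] for row in rows] for k in range(len(rows[0]))]


def standardize(rows):
    """Standardization: z-score per column. A constant column (zero standard
    deviation, e.g. a single destination IP) is mapped to 0 instead of NaN."""
    out = []
    for col in _columns(rows):
        mean = sum(col) / len(col)
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col))
        out.append([(v - mean) / std if std > 0 else 0.0 for v in col])
    return [list(r) for r in zip(*out)]


def normalize(rows):
    """Normalization: min-max scaling of each column into [0, 1]; a constant
    column stays 0."""
    out = []
    for col in _columns(rows):
        lo, hi = min(col), max(col)
        out.append([(v - lo) / (hi - lo) if hi > lo else 0.0 for v in col])
    return [list(r) for r in zip(*out)]


def build_sample(flows, labels):
    """Return [(features, label_or_None)]: the records listed in `labels`
    (index -> cluster id) are the marked "first" traffic information, the
    rest are the unmarked "second" traffic information."""
    feats = normalize(standardize([flow_features(f) for f in flows]))
    return [(x, labels.get(i)) for i, x in enumerate(feats)]


if __name__ == "__main__":
    for x, lab in build_sample(RAW_FLOWS, {0: 0, 3: 1}):
        print([round(v, 3) for v in x], lab)
```

The zero-standard-deviation guard matters in practice: a capture aimed at one victim has a constant destination IP column, and a plain z-score would produce NaN for every row. Encoding IP addresses as integers only mirrors the listed fields; a distance between two such integers carries little meaning, so deployments usually cluster on derived quantities (request counts per destination, byte and packet rates) instead.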
In addition, in order to achieve the above object, the present invention further provides a DDoS attack detection apparatus, including:
an acquisition module, configured to acquire a traffic information sample, where the traffic information sample includes a plurality of pieces of traffic information, and the traffic information includes unmarked traffic information and marked traffic information;
the initialization module is used for initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
the training module is used for inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of current iteration and the current clustering center;
and the determining module is used for determining that the flow information in the DDoS attack clustering center is DDoS attack flow if the DDoS attack clustering center in the target clustering center has the flow information.
In addition, in order to achieve the above object, the present invention further provides a DDoS attack detection device, including a memory, a processor, and a DDoS attack detection program stored on the memory and runnable on the processor; when executed by the processor, the DDoS attack detection program implements the steps of the DDoS attack detection method described above.
In addition, to achieve the above object, the present invention also provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the DDoS attack detection method described above.
The method obtains a traffic information sample, where the sample includes a plurality of pieces of traffic information, both unmarked and marked. It initializes a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquires the initial membership degree of each piece of traffic information in the sample. It inputs the sample into the target SS-FCM model for iterative training and determines the target clustering center corresponding to each piece of traffic information based on the current membership degrees and the current clustering centers of the iterative training. If the DDoS attack clustering center among the target clustering centers contains traffic information, that traffic information is determined to be DDoS attack traffic. Because the target clustering centers are determined through the membership degrees of each iteration, the clustering centers of the traffic sample are determined by a dynamic threshold, and the traffic information is classified automatically by a semi-supervised classification method based on the fuzzy principle, without manually setting a threshold or constructing features; this reduces the calculation amount of DDoS attack detection and improves its accuracy and efficiency. Meanwhile, when the initial clustering centers include clustering centers for several attack strengths or types, different types of DDoS attacks can be detected, which improves the applicability of DDoS attack detection.
Drawings
Fig. 1 is a schematic structural diagram of a DDoS attack detection device in a hardware operating environment according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a DDoS attack detection method according to a first embodiment of the present invention;
fig. 3 is a functional module diagram of an embodiment of a DDoS attack detection apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic structural diagram of a DDoS attack detection device in a hardware operating environment according to an embodiment of the present invention.
The DDoS attack detection device in the embodiment of the present invention may be a PC, or may be a mobile terminal device having a display function, such as a smart phone, a tablet computer, an electronic book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a portable computer, and the like.
As shown in fig. 1, the DDoS attack detection device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001 described previously.
Optionally, the DDoS attack detection device may further include a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like. The sensors may include light sensors, motion sensors, and other sensors; of course, other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor may also be configured on the DDoS attack detection device, and are not described herein again.
Those skilled in the art will appreciate that the terminal architecture shown in fig. 1 does not constitute a limitation of DDoS attack detection devices and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a DDoS attack detection program.
In the DDoS attack detection device shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and processor 1001 may be used to invoke a DDoS attack detection program stored in memory 1005.
In this embodiment, the DDoS attack detection device includes a memory 1005, a processor 1001, and a DDoS attack detection program stored in the memory 1005 and executable on the processor 1001; the processor 1001 calls the DDoS attack detection program stored in the memory 1005 and executes the steps of the DDoS attack detection method in each of the following embodiments.
The invention also provides a DDoS attack detection method, and referring to FIG. 2, FIG. 2 is a flow diagram of a first embodiment of the DDoS attack detection method of the invention.
In this embodiment, the DDoS attack detection method includes the following steps:
step S101, obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
in this embodiment, the traffic information sample refers to sample data that needs to be subjected to DDoS attack detection, and includes multiple pieces of traffic information, where the traffic information includes unmarked traffic information and marked traffic information, and each piece of traffic information includes a source IP address, a source port, a destination IP address, a destination port, and a data volume.
Step S102, initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
the SS-FCM (Semi-supervised Fuzzy C-Means) clustering algorithm is an improvement on clustering algorithm, and the core idea of the algorithm is to continuously update the clustering center and the membership function until the optimal clustering center is reached.
In this embodiment, after a traffic information sample is obtained, a semi-supervised fuzzy C-means SS-FCM model is initialized based on a preset number of initial clustering centers to obtain a target SS-FCM model, and specifically, a current clustering center of the target SS-FCM model is set as the initial clustering center, for example, if the number of types of the initial clustering centers C is C, the number of corresponding initial clustering centers is C, and the types of the initial clustering centers C at least include a DDoS attack clustering center and a non-DDoS attack clustering center.
And then, acquiring initial membership degrees corresponding to all the flow information in the flow information sample, wherein the initial membership degrees are the membership degrees between all the flow information and all the initial clustering centers respectively, the initial membership degrees can be reasonably set according to the number c of the initial clustering centers, and the sum of the initial membership degrees between each flow information and all the initial clustering centers is 1.
Step S103, inputting a flow information sample into a target SS-FCM model for iterative training, and determining a target clustering center corresponding to each flow information in the flow information sample based on the current membership degree and the current clustering center corresponding to each flow information of the current iteration;
in this embodiment, after the initial membership degree is obtained, the traffic information samples are input to the target SS-FCM model for iterative training, so as to obtain the current membership degree and the current clustering center corresponding to each current flow information of the current iteration, and the target SS-FCM model of the current iteration.
Then, the target clustering center corresponding to each piece of traffic information in the sample is determined based on the current membership degrees and the current clustering centers of the current iteration. Specifically, if the target SS-FCM model of the current iteration meets a preset iteration ending condition, the target clustering center of each piece of traffic information is determined from the current membership degrees and the current clustering centers: for each piece of traffic information, the minimum membership degree among its current membership degrees to each current clustering center is acquired, and the current clustering center corresponding to that minimum membership degree is taken as the target clustering center of the traffic information.
And step S104, if the DDoS attack clustering center in the target clustering center has flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow.
In this embodiment, the target clustering centers correspond one-to-one to the categories of the initial clustering centers. Therefore, after the target clustering centers are determined, it is checked whether traffic information exists in the DDoS attack clustering center among the target clustering centers; if so, the traffic information in the DDoS attack clustering center is determined to be DDoS attack traffic, and prompt information corresponding to the DDoS attack traffic is output.
However, the design is not limited to this, in other embodiments, the initial clustering center may set a plurality of clustering centers of DDoS attack strengths according to the strength of DDoS attack, and then, when a target clustering center is obtained, a DDoS attack clustering center in which traffic information exists in the target clustering center of each DDoS attack strength is obtained, and the traffic information in the DDoS attack clustering center in which traffic information exists is DDoS attack traffic.
In the DDoS attack detection method provided in this embodiment, a traffic information sample is obtained, where the sample includes a plurality of pieces of traffic information, both unmarked and marked. A semi-supervised fuzzy C-means SS-FCM model is initialized based on a preset number of initial clustering centers to obtain a target SS-FCM model, and the initial membership degrees of all traffic information in the sample are acquired. The sample is input into the target SS-FCM model for iterative training, and the target clustering center of each piece of traffic information is determined based on the current membership degrees and the current clustering centers of the iterative training. If the DDoS attack clustering center among the target clustering centers contains traffic information, that traffic information is determined to be DDoS attack traffic. Because the target clustering centers are determined through the membership degrees of each iteration, the clustering centers of the traffic sample are determined by a dynamic threshold, and the traffic information is classified automatically by a semi-supervised classification method based on the fuzzy principle, without manually setting a threshold or constructing features; this reduces the calculation amount of DDoS attack detection and improves its accuracy and efficiency. Meanwhile, when the initial clustering centers include clustering centers for several attack strengths or types, different types of DDoS attacks can be detected, which improves the applicability of DDoS attack detection.
Based on the first embodiment, a second embodiment of the DDoS attack detection method of the present invention is proposed, in this embodiment, step S103 includes:
step S201, inputting the flow information samples into the target SS-FCM model, and obtaining a target function corresponding to the distance between each flow information sample and each clustering center through the target SS-FCM model;
step S202, determining a Lagrangian function corresponding to the target function through the target SS-FCM model based on the initial membership degree;
step S203, determining the current membership and the current clustering center corresponding to each current flow information of the current iteration based on the Lagrangian function and the constraint condition of the initial membership through the target SS-FCM model;
step S204, determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center.
In this embodiment, the traffic information samples are input into the target SS-FCM model, and an objective function corresponding to a distance between each traffic information sample and each clustering center is obtained through the target SS-FCM model, specifically, the step S201 includes:
step a, acquiring a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model;
and b, determining the target function based on the fuzzy weighting index, the central quantity, the sample quantity, the initial membership degree, the unmarked flow information and the marked flow information through the target SS-FCM model.
In this embodiment, a fuzzy weighting index, the number of centers of the initial clustering centers, and the number of samples of marked traffic information corresponding to each initial clustering center are obtained first, and the objective function is determined based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, the unmarked traffic information, and the marked traffic information, where the fuzzy weighting index may be set reasonably, the number of centers of the initial clustering centers is the number of initial clustering centers, and specifically, the objective function has a formula:
(objective function formula: image not reproduced on this page)
wherein J_s(U, C) is the objective function, x_j is the j-th traffic information, u_ij is the initial membership of the j-th traffic information, c_i is the i-th initial clustering center, c is the number of centers, m is the fuzzy weighting index, n_i is the number of training samples belonging to the i-th class (the i-th initial clustering center) in the marked traffic information, the symbol shown in the formula image (not reproduced) is the j-th training sample of the i-th class (the i-th initial clustering center) in the marked traffic information, and α is the weighting coefficient of the supervision term.
Let the two substitutions shown in the formula images (not reproduced on this page) hold; then the objective function simplifies to:
(simplified objective function formula: image not reproduced on this page)
Then, based on the initial membership, a Lagrangian function corresponding to the objective function is determined through the target SS-FCM model. Specifically, the Lagrangian function has the formula:
(Lagrangian function formula: image not reproduced on this page)
wherein the symbol shown in the formula image (not reproduced) is the Lagrangian function, and λ_j is the j-th Lagrangian coefficient.
Then, determining a current membership and a current clustering center corresponding to each current flow information of the current iteration based on the constraint conditions of the lagrangian function and the initial membership through the target SS-FCM model, specifically, the step S203 includes:
step c, determining the minimum value of the Lagrangian function through the target SS-FCM model based on the initial membership and the constraint condition of the initial membership, to obtain the current membership corresponding to each piece of traffic information and the current clustering center.
Wherein, the constraint condition of the initial membership means that, for each piece of traffic information, the sum of its initial memberships over all initial clustering centers is 1, that is:
$\sum_{i=1}^{c} u_{ij} = 1$ for every j.
in this embodiment, the minimum value corresponding to the lagrangian function is determined by the target SS-FCM model based on the initial membership and the constraint condition of the initial membership, so as to obtain a current membership and a current clustering center corresponding to each piece of traffic information, where a formula of the current membership and a formula of the current clustering center are respectively:
(current membership formula: image not reproduced on this page)
(current clustering center formula: image not reproduced on this page)
wherein the first symbol shown in the formula images (not reproduced) is u_ij at the (t+1)-th iteration, and the second is c_i at the (t+1)-th iteration.
And finally, determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center, specifically, if the target SS-FCM model of the current iteration meets a preset iteration ending condition, determining the target clustering center corresponding to each flow information based on the current membership and the current clustering center, acquiring the minimum membership in the current membership between each flow information and each current clustering center for each flow information, and taking the current clustering center corresponding to the minimum membership as the target clustering center corresponding to the flow information.
In the DDoS attack detection method provided in this embodiment, traffic information samples are input into the target SS-FCM model, and an objective function corresponding to the distance between each traffic information sample and each clustering center is obtained through the target SS-FCM model; then a Lagrangian function corresponding to the objective function is determined through the target SS-FCM model based on the initial membership; then the current membership and the current clustering center corresponding to each piece of traffic information of the current iteration are determined through the target SS-FCM model based on the Lagrangian function and the constraint condition of the initial membership; and then, based on the current membership and the current clustering center corresponding to each piece of traffic information of the current iteration, the target clustering centers and the traffic information corresponding to each target clustering center are determined, the clustering center of a traffic sample being decided by the dynamic threshold obtained from the target SS-FCM model, so that traffic information is automatically classified by a semi-supervised classification method according to a fuzzy principle, and the accuracy and efficiency of DDoS attack detection are further improved.
Based on the first embodiment, a third embodiment of the DDoS attack detection method of the present invention is proposed, in this embodiment, step S103 includes:
step S301, obtaining an error corresponding to the target SS-FCM after current iterative training;
step S302, if the error is smaller than a preset error, the current clustering center is used as a target clustering center, and flow information corresponding to each target clustering center is determined based on the current membership degree;
step S303, if the error is larger than or equal to the preset error, taking the current membership as the initial membership, initializing the semi-supervised fuzzy C-means SS-FCM model based on the current clustering center to obtain the target SS-FCM model, and returning to the step of inputting the traffic information samples into the target SS-FCM model for model training.
In this embodiment, after each iterative training is performed through the target SS-FCM model, an error corresponding to the target SS-FCM model after the current iterative training is obtained, and whether the error is smaller than a preset error is determined.
And if the error is smaller than a preset error, taking the current clustering center as a target clustering center, and determining flow information corresponding to each target clustering center based on the current membership. Specifically, step S102 includes:
step d, for each piece of traffic information, determining the minimum membership among the current memberships corresponding to that traffic information;
step e, determining the target clustering center corresponding to the minimum membership, and taking the traffic information as traffic information of the target clustering center corresponding to the minimum membership.
In the embodiment, the current membership degree corresponding to the flow information is firstly obtained, each current membership degree is compared to obtain the minimum membership degree, then the target clustering center corresponding to the minimum membership degree is determined, the flow information is used as the flow information of the target clustering center corresponding to the minimum membership degree, the flow information of the target clustering center can be accurately obtained according to the minimum membership degree, and the DDoS attack detection of the dynamic threshold value is realized through the current membership degree obtained through each iteration.
And if the error is larger than or equal to the preset error, the current membership is taken as the initial membership, the semi-supervised fuzzy C-means SS-FCM model is initialized based on the current clustering center to obtain the target SS-FCM model, and the method returns to the step of inputting the traffic information samples into the target SS-FCM model for model training, for the next iterative training.
In the DDoS attack detection method provided by this embodiment, an error corresponding to the target SS-FCM model after the current iterative training is obtained; if the error is smaller than a preset error, the current clustering center is taken as the target clustering center, and the traffic information corresponding to each target clustering center is determined based on the current membership; if the error is larger than or equal to the preset error, the current membership is taken as the initial membership, the semi-supervised fuzzy C-means SS-FCM model is initialized based on the current clustering center to obtain the target SS-FCM model, and the method returns to the step of performing model training on the target SS-FCM model with the traffic information samples, so that the target clustering center can be obtained accurately from the current membership and the current clustering center, and the accuracy and efficiency of DDoS attack detection are further improved.
Based on the foregoing embodiments, a fourth embodiment of the DDoS attack detection method of the present invention is provided, where in this embodiment, step S101 includes:
step S401, acquiring flow information to be processed based on NetFlow, and respectively carrying out standardization processing and normalization processing on the flow information to be processed to obtain processed flow information;
step S402, obtaining tag information of first traffic information in the processed traffic information, and taking the first traffic information and second traffic information as traffic information samples, where the second traffic information is other traffic information than the first traffic information in the processed traffic information.
In this embodiment, to-be-processed flow information is obtained based on NetFlow, and then standardized processing is performed on the to-be-processed flow information to obtain standardized flow information, specifically, standardized processing is performed on to-be-processed flow information in different formats according to a template format required by data analysis processing to obtain standardized flow information in a uniform format. And then, carrying out normalization processing on the standardized flow information to obtain the processed flow information so as to facilitate calculation in DDoS attack detection, reduce the calculated amount and improve the DDoS attack detection efficiency.
The label information of the first traffic information in the processed traffic information is obtained, the first traffic information and the second traffic information are used as traffic information samples, and for the processed traffic information, a small number of samples (first traffic information) of a certain category can be marked to obtain the label information of the first traffic information.
In the DDoS attack detection method provided by this embodiment, to-be-processed traffic information is obtained based on NetFlow, and standardization processing and normalization processing are performed on it in turn to obtain processed traffic information; then label information of the first traffic information in the processed traffic information is obtained, and the first traffic information and the second traffic information are taken as traffic information samples, the second traffic information being the traffic information in the processed traffic information other than the first traffic information. Standardization and normalization put the traffic information into a uniform format, which facilitates the calculation in DDoS attack detection, reduces the amount of calculation, and improves the DDoS attack detection efficiency.
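As an added illustration (not the applicant's code) of the second through fourth embodiments above, the following pure-Python SS-FCM min-max normalizes constructed NetFlow-style feature rows, evaluates an objective with a supervised term, applies the closed-form membership and center updates, iterates until the center shift falls below a preset error, and flags every sample that lands in the attack cluster. The feature columns, the exact form of the supervision term and the use of the largest center shift as the error are assumptions; samples are assigned to the center with the largest membership, i.e. the nearest one.

```python
"""Semi-supervised fuzzy C-means (SS-FCM) over NetFlow-style features."""
import math

# Constructed NetFlow-derived feature rows (flows/s, packets per flow,
# bytes per packet, SYN ratio); rows 0-4 resemble ordinary traffic, rows 5-9
# a SYN flood.  Constructed for this example, not real telemetry.
SAMPLE_FLOWS = [
    (60, 32, 820, 0.06), (72, 28, 760, 0.08), (55, 35, 900, 0.05),
    (80, 25, 640, 0.10), (65, 30, 700, 0.07),
    (6000, 1, 44, 0.98), (8500, 1, 40, 1.00), (7200, 2, 52, 0.95),
    (5500, 1, 48, 0.97), (9000, 1, 40, 0.99),
]
# Marked ("first") traffic: sample index -> class; every other row is
# unmarked ("second") traffic.  Class 1 is the DDoS attack cluster.
LABELS = {0: 0, 2: 0, 5: 1, 7: 1}
ATTACK_CLASS = 1


def normalize(rows):
    """Min-max normalise every feature column into [0, 1] (step S401)."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))  # squared Euclidean distance


def objective(X, U, C, labeled, m, alpha):
    """J_s(U, C): fuzzy within-cluster distances plus an alpha-weighted
    supervision term tying each marked sample to the centre of its class
    (assumed form of the supervision term)."""
    j = sum(U[i][k] ** m * dist2(X[k], C[i])
            for i in range(len(C)) for k in range(len(X)))
    return j + alpha * sum(dist2(X[k], C[i]) for k, i in labeled.items())


def update_membership(X, C, m):
    """u_ij minimising J_s for fixed centres under sum_i u_ij = 1 (the
    stationarity condition of the Lagrangian)."""
    p = 2.0 / (m - 1.0)
    U = [[0.0] * len(X) for _ in C]
    for k, x in enumerate(X):
        d = [math.sqrt(dist2(x, c)) for c in C]
        if 0.0 in d:                      # sample coincides with a centre
            for i in range(len(C)):
                U[i][k] = 1.0 if d[i] == 0.0 else 0.0
            continue
        for i in range(len(C)):
            U[i][k] = 1.0 / sum((d[i] / dl) ** p for dl in d)
    return U


def update_centres(X, U, labeled, m, alpha):
    """c_i minimising J_s for fixed U: weighted mean of all samples, with
    marked samples of class i carrying an extra weight alpha."""
    C = []
    for i in range(len(U)):
        w = [U[i][k] ** m + (alpha if labeled.get(k) == i else 0.0)
             for k in range(len(X))]
        tot = sum(w)
        C.append([sum(w[k] * X[k][d] for k in range(len(X))) / tot
                  for d in range(len(X[0]))])
    return C


def train(X, labeled, n_centres, m=2.0, alpha=1.0, eps=1e-4, max_iter=100):
    """Alternate membership/centre updates until the error (largest centre
    shift in one iteration) is below eps (steps S301-S303).  Initial centres
    are the means of the marked samples of each class, so centre i is class i."""
    C = [[sum(X[k][d] for k in labeled if labeled[k] == i)
          / sum(1 for k in labeled if labeled[k] == i)
          for d in range(len(X[0]))] for i in range(n_centres)]
    history, error = [], float("inf")
    for it in range(1, max_iter + 1):
        U = update_membership(X, C, m)
        history.append(objective(X, U, C, labeled, m, alpha))
        new_C = update_centres(X, U, labeled, m, alpha)
        error = max(abs(a - b) for ci, ni in zip(C, new_C) for a, b in zip(ci, ni))
        C = new_C
        if error < eps:
            break
    return C, update_membership(X, C, m), error, it, history


def detect(rows, labeled, attack_class, **kw):
    """Run SS-FCM and flag every sample that lands in the attack cluster."""
    X = normalize(rows)
    C, U, error, it, history = train(X, labeled, n_centres=2, **kw)
    assigned = [max(range(len(C)), key=lambda i: U[i][k]) for k in range(len(X))]
    return {"centres": C, "assigned": assigned, "error": error, "iterations": it,
            "objective": history,
            "attack_indices": [k for k, a in enumerate(assigned) if a == attack_class]}
```

Calling `detect(SAMPLE_FLOWS, LABELS, ATTACK_CLASS)` returns rows 5 to 9 as members of the attack cluster, with the objective non-increasing across iterations as expected for alternating minimization.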
The invention also provides a DDoS attack detection device, referring to fig. 3, the DDoS attack detection device comprises:
an obtaining module 10, configured to obtain a traffic information sample, where the traffic information sample includes multiple pieces of traffic information, and the traffic information includes unmarked traffic information and marked traffic information;
the initialization module 20 is configured to initialize the semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and obtain initial membership corresponding to each piece of traffic information in the traffic information sample;
the training module 30 is configured to input the traffic information samples into a target SS-FCM model for iterative training, and determine a target clustering center and traffic information corresponding to each target clustering center based on a current membership corresponding to each current iterative traffic information and a current clustering center;
and the determining module 40 is configured to determine that the traffic information in the DDoS attack clustering center is DDoS attack traffic if the DDoS attack clustering center in the target clustering center has the traffic information.
The method executed by each program unit can refer to each embodiment of the DDoS attack detection method of the present invention, and details are not described herein.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the invention stores DDoS attack detection program, and the DDoS attack detection program is executed by a processor to realize the steps of the DDoS attack detection method.
The DDoS attack detection program executed on the processor may refer to various embodiments of the DDoS attack detection method of the present invention, and details thereof are not described herein.
In addition, an embodiment of the present invention further provides a computer program product, where the computer program product includes a DDoS attack detection program, and the DDoS attack detection program, when executed by a processor, implements the steps of the DDoS attack detection method described above.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system comprising the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (9)

1. A DDoS attack detection method is characterized by comprising the following steps:
obtaining a flow information sample, wherein the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model, and acquiring initial membership degrees corresponding to all traffic information in a traffic information sample;
inputting a flow information sample into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on a current membership corresponding to each flow information of current iteration and a current clustering center;
if the DDoS attack clustering center in the target clustering center has flow information, determining the flow information in the DDoS attack clustering center as DDoS attack flow;
the step of inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center, comprises the following steps:
acquiring a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model;
determining an objective function based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, the unmarked traffic information and the marked traffic information through the target SS-FCM model, wherein the formula of the objective function is as follows:
(objective function formula: image not reproduced on this page)
wherein J_s(U, C) is the objective function, x_j is the j-th traffic information, u_ij is the initial membership of the j-th traffic information, c_i is the i-th initial clustering center, c is the number of centers, m is the fuzzy weighting index, n_i is the number of training samples belonging to the i-th class in the marked traffic information, the symbol shown in the formula image (not reproduced) is the j-th training sample of the i-th class in the marked traffic information, and α is the weighting coefficient of the supervision term;
and determining a target clustering center and flow information corresponding to each target clustering center through the target SS-FCM model based on the target function, the initial membership and the current clustering center corresponding to each flow information of the current iteration.
2. The DDoS attack detection method of claim 1, wherein the step of determining, by the target SS-FCM model, a target cluster center and traffic information corresponding to each target cluster center based on the objective function, the initial membership, and a current membership and a current cluster center corresponding to each traffic information of a current iteration comprises:
determining a Lagrangian function corresponding to the target function through the target SS-FCM model based on the initial membership;
determining current membership and a current clustering center corresponding to each current flow information of current iteration based on the Lagrangian function and the constraint condition of the initial membership through the target SS-FCM model;
and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of the current iteration and the current clustering center.
3. The DDoS attack detection method of claim 2, wherein the step of determining, by the target SS-FCM model based on the lagrangian function and the constraint condition of the initial degree of membership, a current degree of membership and a current clustering center corresponding to each piece of traffic information comprises:
and determining a minimum value corresponding to the Lagrangian function through the target SS-FCM model based on the initial membership and the constraint condition of the initial membership to obtain the current membership corresponding to each flow information and the current clustering center.
4. The DDoS attack detection method of claim 1, wherein the step of determining a target cluster center and traffic information corresponding to each target cluster center based on a current membership and a current cluster center corresponding to each traffic information of a current iteration comprises:
obtaining an error corresponding to the target SS-FCM model after current iterative training;
if the error is smaller than a preset error, taking the current clustering center as a target clustering center, and determining flow information corresponding to each target clustering center based on the current membership degree;
and if the error is larger than or equal to a preset error, taking the current membership as the initial membership, initializing a semi-supervised fuzzy C-means SS-FCM model based on the current clustering center to obtain a target SS-FCM model, and returning to execute the step of carrying out model training on the flow information sample and the target SS-FCM model.
5. The DDoS attack detection method of claim 4, wherein the step of determining the traffic information corresponding to each target cluster center based on the current membership comprises:
for each flow information, determining the minimum membership degree in the current membership degrees corresponding to the flow information;
and determining the target clustering center corresponding to the minimum membership degree, and taking flow information as the flow information of the target clustering center corresponding to the minimum membership degree.
6. The DDoS attack detection method according to any of claims 1 to 5, wherein the step of obtaining traffic information samples comprises:
acquiring flow information to be processed based on NetFlow, and respectively carrying out standardization processing and normalization processing on the flow information to be processed to obtain processed flow information;
and acquiring label information of first flow information in the processed flow information, and taking the first flow information and second flow information as flow information samples, wherein the second flow information is other flow information except the first flow information in the processed flow information.
7. A DDoS attack detection device, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a flow information sample, the flow information sample comprises a plurality of pieces of flow information, and the flow information comprises unmarked flow information and marked flow information;
the initialization module is used for initializing a semi-supervised fuzzy C-means SS-FCM model based on a preset number of initial clustering centers to obtain a target SS-FCM model and acquiring initial membership corresponding to each piece of flow information in a flow information sample;
the training module is used for inputting the flow information samples into a target SS-FCM model for iterative training, and determining a target clustering center and flow information corresponding to each target clustering center based on the current membership corresponding to each flow information of current iteration and the current clustering center;
the determining module is used for determining that the flow information in the DDoS attack clustering center is DDoS attack flow if the DDoS attack clustering center in the target clustering center has the flow information;
the training module is further used for obtaining a fuzzy weighting index, the number of centers of the initial clustering centers and the number of samples of marked flow information corresponding to each initial clustering center through the target SS-FCM model; determining a target function based on the fuzzy weighting index, the number of centers, the number of samples, the initial membership, the unmarked traffic information and the marked traffic information through the target SS-FCM model; determining a target clustering center and flow information corresponding to each target clustering center based on the target function, the initial membership and the current clustering center corresponding to each flow information of the current iteration through the target SS-FCM model; the formula of the objective function is:
(objective function formula: image not reproduced on this page)
wherein J_s(U, C) is the objective function, x_j is the j-th traffic information, u_ij is the initial membership of the j-th traffic information, c_i is the i-th initial clustering center, c is the number of centers, m is the fuzzy weighting index, n_i is the number of training samples belonging to the i-th class in the marked traffic information, the symbol shown in the formula image (not reproduced) is the j-th training sample of the i-th class in the marked traffic information, and α is the weighting coefficient of the supervision term.
8. A DDoS attack detection device, comprising: memory, processor and DDoS attack detection program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the DDoS attack detection method of any of claims 1 to 6.
9. A computer readable storage medium, having stored thereon a DDoS attack detection program which, when executed by a processor, implements the steps of the DDoS attack detection method of any of claims 1-6.
CN202110847099.9A 2021-07-26 2021-07-26 DDoS attack detection method, device, equipment and computer readable storage medium Active CN113542295B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110847099.9A CN113542295B (en) 2021-07-26 2021-07-26 DDoS attack detection method, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110847099.9A CN113542295B (en) 2021-07-26 2021-07-26 DDoS attack detection method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113542295A CN113542295A (en) 2021-10-22
CN113542295B true CN113542295B (en) 2023-04-07

Family

ID=78120949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110847099.9A Active CN113542295B (en) 2021-07-26 2021-07-26 DDoS attack detection method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113542295B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980480B (en) * 2010-11-04 2012-12-05 西安电子科技大学 Semi-supervised anomaly intrusion detection method
EP3719685A1 (en) * 2019-04-03 2020-10-07 Deutsche Telekom AG Method and system for clustering darknet traffic streams with word embeddings
CN110719270A (en) * 2019-09-26 2020-01-21 湖南大学 FCM algorithm-based slow denial of service attack detection method

Also Published As

Publication number Publication date
CN113542295A (en) 2021-10-22


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant