CN114021135A - LDoS attack detection and defense method based on R-SAX - Google Patents

Info

Publication number: CN114021135A
Authority: CN (China)
Prior art keywords: sax, detection, window, ldos, attack
Legal status: Granted (Active)
Application number: CN202111344820.9A
Other languages: Chinese (zh)
Other versions: CN114021135B (en)
Inventors: 汤澹, 郑芷青, 王思苑, 高辰郡, 李欣萌, 马浩
Current Assignee: Hunan University
Original Assignee: Hunan University

Application filed by Hunan University
Priority to CN202111344820.9A
Publication of CN114021135A
Application granted
Publication of CN114021135B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568: Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an LDoS attack detection and defense method based on R-SAX, belonging to the field of computer network security. In this method, training data is collected with a sliding window using a software-defined network controller. The R-SAX algorithm symbolizes the traffic sequence of each window in the training data, and an abnormal SAX word list is built in a hash table, based on the idea of majority voting, to serve as the detection model. Network traffic is acquired in real time to form the current detection window, and the detection model is used to judge whether the current window is under attack. If the window is judged to be under attack and attack defense has not yet been carried out, the R-SAX algorithm is used to locate the IP of a suspected attacker, which is added to a blacklist and accumulates a suspicious score; if the suspicious score exceeds a threshold, the IP is judged to be the attacker's IP, a flow rule is issued to discard the traffic from the attacker, and the IP is removed from the blacklist. The attack detection and defense method provided by the invention can detect LDoS attacks in real time and defend against them rapidly.

Description

LDoS attack detection and defense method based on R-SAX
Technical Field
The invention belongs to the field of computer network security, and particularly relates to a low-rate denial of service (LDoS) attack detection and defense method based on real-time symbolic aggregate approximation (R-SAX).
Background
The LDoS attack is a variant of the denial of service (DoS) attack. It exploits weaknesses in the adaptive mechanisms of network protocols and maliciously creates network congestion by attacking a network bottleneck link with periodic pulses, seriously reducing network service quality. Its effect is similar to that of DoS and distributed denial of service (DDoS) attacks, but its average attack rate is lower, which makes the LDoS attack more concealed and difficult to identify with traditional DoS and DDoS attack detection methods.
At present, detection and defense methods for the LDoS attack have the following three problems. First, traditional DoS attack detection methods have difficulty identifying the LDoS attack effectively because it is highly concealed. Second, existing LDoS attack detection methods generally suffer from a low detection rate, high false alarm and missing report rates, and weak real-time detection. Third, due to the limitations of the traditional network architecture, deploying a defense strategy often requires additional equipment, which makes defense costly and hard to implement, so detection methods designed for traditional networks are difficult to deploy in an actual network.
The software-defined network is a novel software-based network architecture. By separating the control plane from the underlying network equipment, it leaves that equipment with only a data forwarding function, which greatly simplifies the deployment and updating of network functions and protocols. The software-defined network has good manageability and programmability, but it uses the controller to centrally control the whole network, which makes the controller a potential target of attack. If the controller is attacked by LDoS, the whole network can be threatened and even paralyzed.
The symbolic aggregate approximation (SAX) algorithm is a time series representation algorithm. It maps an original sequence into a character sequence, which reduces the dimensionality of the original sequence while the resulting character sequence still reflects the original sequence information well. The algorithm uses global normalization, and therefore it can only be used for offline detection.
The invention provides an LDoS attack detection and defense method based on R-SAX, which is used for detecting and defending against LDoS attacks in a software-defined network. The method polls the controller at fixed time intervals, obtains the network traffic and stores it in a sliding window to form the current detection window, obtains the SAX word corresponding to the traffic sequence of the current detection window using the R-SAX algorithm, builds a detection model in a hash table from the SAX word set of the training data, and provides a decision criterion to judge whether an attack has occurred. If an attack is detected, the method locates the attacker IP and issues a defense flow rule through the controller to discard all data from the attacker, thereby defending against the LDoS attack. The method can be deployed on the controller in practice, and it detects and defends against LDoS attacks in the software-defined network in real time with a high detection rate, good real-time performance, a low false alarm rate and a low missing report rate, without deploying any additional equipment.
Disclosure of Invention
The invention provides an LDoS attack detection and defense method based on the R-SAX algorithm. It addresses the shortcomings of existing LDoS attack detection and defense methods and the problem that an attack on the software-defined network controller affects the security of the whole network. The method has a high detection rate, low false alarm and missing report rates, good real-time performance and a low deployment cost, so it can be applied to LDoS attack detection and defense in a software-defined network.
The technical scheme adopted by the invention to achieve this aim is as follows. The LDoS attack detection and defense method mainly comprises five steps: network data sampling, detection window symbolization, detection model construction, decision detection and attack defense.
1. Network data sampling. Network data sampling is based on a sliding window: the software-defined network controller is polled at fixed time intervals, the aggregate traffic of the bottleneck link switch is obtained, and a window to be detected is formed.
2. Detection window symbolization. The R-SAX algorithm maps the traffic sequence of the window to be detected into a character sequence called a SAX word.
3. Detection model construction. The detection model is built on a hash table, which stores the SAX words corresponding to network traffic sequences under LDoS attack.
4. Decision detection. The R-SAX algorithm computes the SAX word corresponding to the traffic sequence of the window to be detected. If the word is recorded in the hash table, the window is judged to be under LDoS attack; otherwise, it is judged not to be under LDoS attack.
5. Attack defense. When the method detects an LDoS attack and attack defense has not yet been carried out, the attack defense method is used for fast defense to relieve the adverse effect of the LDoS attack on the network.
Advantageous effects
The LDoS attack detection and defense method uses a hash table to construct the detection model and can obtain a detection result in constant time, so it has good real-time performance. The R-SAX algorithm adopted by the method can accurately depict the distribution of network traffic under different network states, distinguish normal network traffic from network traffic under LDoS attack, and identify the attack accurately and quickly. Experiments were carried out in a software-defined network built with Mininet and the Ryu controller: the detection rate of the method can reach 97.44%, the false alarm rate can be as low as 1.99%, and the missing report rate can be as low as 3.75%. After an attack is detected, the method can accurately and quickly locate the suspected attacker, add it to the blacklist, and record its suspicious score. Based on the accumulated suspicious score, an empirically set threshold is used to determine whether the suspect is an attacker. Once the attacker is located, a flow rule is issued by the software-defined network controller to discard all data from the attacker, completing the defense against the LDoS attack. The method can detect and defend against LDoS attacks in the software-defined network without adding extra equipment, and has a very low deployment cost.
Drawings
Fig. 1 is a schematic diagram illustrating a comparison between network traffic distribution in a normal network state and a network traffic distribution under an LDoS attack.
FIG. 2 is a diagram illustrating a correspondence relationship between the equal probability interval number w of the R-SAX algorithm and the segmentation point β.
FIG. 3 is a diagram illustrating the effect of symbolizing a traffic sequence by the R-SAX algorithm.
Fig. 4 is a framework diagram of an LDoS attack detection and defense method deployed in a software defined network based on R-SAX.
FIG. 5 is a flow chart of a method for LDoS attack detection and defense based on R-SAX.
Fig. 6 is a comparison diagram of the network traffic distribution with and without the R-SAX-based LDoS attack detection and defense method deployed.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram comparing the network traffic distribution in a normal network state with that under an LDoS attack. Fig. 1(a) shows the network traffic distribution in a normal network state, and Fig. 1(b) shows the network traffic distribution under an LDoS attack. As can be seen from the figure, network traffic fluctuates little in a normal network state. Under the LDoS attack, the attacker periodically sends short, high-rate UDP pulses at the bottleneck link, which triggers the TCP congestion control mechanism, so the TCP traffic fluctuates severely, the average traffic drops markedly, and network service quality is seriously reduced.
As shown in Fig. 5, the LDoS attack detection and defense method mainly includes five steps: network data sampling, detection window symbolization, detection model construction, decision detection and attack defense.
1. Network data sampling. Network data sampling is based on a sliding window whose length and step can be defined by the user; the default window size is 20 samples and the default sliding step is 1 sample. One sliding window is the basic unit of detection and is called a detection window. The controller is polled at fixed time intervals to obtain the flow table entry information of the bottleneck link switch, from which the aggregate traffic is parsed and stored in the sliding window to form the window to be detected. The default polling interval is 0.5 second, the software-defined network controller used is the Ryu controller, and the OpenFlow protocol version is OpenFlow v1.3.
2. Detection window symbolization. Detection window symbolization uses the R-SAX algorithm to map the traffic sequence of the window to be detected into a SAX word, that is, the traffic sequence of each detection window is represented by one SAX word. The R-SAX algorithm includes the following three sub-steps:
2.1. Normalization. The traffic sequence of the detection window is normalized, mapping the original traffic sequence in the detection window into a standard sequence x' with a mean of 0 and a standard deviation of 1:
Figure BDA0003353581100000041
where x represents the traffic sequence of the window to be detected, x_i represents the i-th sample of the sequence x,
Figure BDA0003353581100000042
represents the mean value of the sequence x, δ is the standard deviation of the sequence, and the sequence x' is the normalized sequence.
2.2. Dimensionality reduction. The PAA algorithm is applied to the normalized traffic sequence. It divides the sequence x' into w subsequences of equal length, calculates the mean value of each subsequence, and uses that mean to represent the subsequence, thereby reducing the dimensionality of the data:
Figure BDA0003353581100000043
2.3. Symbolization. Each subsequence is represented by a letter. The SAX algorithm divides the distribution space α into w equal-probability intervals under the Gaussian curve, using the division points β_i to divide the space. The correspondence between the number of intervals w and the division points β is shown in Fig. 2.
Symbolizing the detection window yields a character sequence called a SAX word. Fig. 3 is a schematic diagram of the effect of symbolizing a traffic sequence with the R-SAX algorithm. An LDoS attack periodically triggers the TCP congestion control mechanism, so the network traffic distribution is periodic and its fluctuation period equals the attack period. The TCP traffic of each period under the LDoS attack is therefore similar, and the R-SAX algorithm maps it to the same character.
3. Detection model construction. The detection model is built on the R-SAX algorithm and a hash table, in the following four sub-steps:
3.1. Training data acquisition. Network traffic is collected in a normal network state and in a network state under LDoS attack, and is divided into a number of detection windows. Each detection window is labeled: label 0 indicates that the detection window is not under LDoS attack, and label 1 indicates that it is under LDoS attack. The labeled set of detection windows is used as training data.
3.2. Detection window symbolization. The SAX word of each detection window is calculated using the R-SAX algorithm, giving the SAX word set of the training data.
3.3. SAX word frequency matrix construction. First, a word list is computed from the SAX word set corresponding to the detection windows in the training data. Each word appears only once in the word list, with no repeats, and the list records the traffic distribution shapes of all windows in the training data. For each word in the word list, the frequency with which it occurs under each of the two labels in the training data is recorded, giving a word frequency matrix.
3.4. Majority voting. When a word occurs with label 0 more often than with label 1, its final label is 0, indicating that the detection window corresponding to the word contains normal network traffic. If it occurs with label 1 more often than with label 0, its final label is 1, indicating that the detection window corresponding to the word is under LDoS attack. After the final labels of all SAX words of the training data are determined, the words with label 1 are stored in a hash table, with the word as the key and the label as the value, to form the detection model.
4. Decision detection. The SAX word of the window to be detected is calculated using the R-SAX algorithm, and the detection model built on the hash table is queried. If the word is in the hash table, the window is judged to be under LDoS attack; otherwise, it is judged not to be under LDoS attack.
5. Attack defense. Fig. 4 is a framework diagram of the detection and defense method deployed in a software-defined network. The defense module acts on the detection result output by the attack detection module. If the detection result shows that an LDoS attack is under way and attack defense has not yet been carried out, the defense module responds.
The defense method can be divided into the following four steps:
A. The SAX word of each UDP flow in the current window is computed using the R-SAX algorithm.
B. The attack detection model built on the hash table is queried. If the word is in the hash table, the UDP flow is judged to possibly come from an attacker: its source IP is recorded as a suspicious IP and added to a blacklist, and a suspicious score is recorded for that IP. The suspicious score is accumulated each time the IP is judged suspicious again.
C. The controller polls the suspicious scores of all IPs in the blacklist at fixed time intervals. When the suspicious score of an IP in the blacklist is greater than a set threshold, that IP is judged to be the attacker's IP.
D. A defense flow rule is set and issued through the controller to discard all traffic from the attacker's IP, and the attacker's record is deleted from the blacklist.
The defense flow rule is customized by the user. In the match field, ipv4_src is set to the identified attacker IP, eth_type is set to 2048, and ip_proto is set to UDP. The priority field is set to a large value, 10000 by default. The action field is set to [ ], indicating that all matching packets are dropped.
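Steps 2 to 5 above, from window symbolization through the defense flow rule, as an added Python example (not code from the patent or its authors). The segment count, alphabet size, score threshold, sample windows and documentation-range IPs are constructed assumptions, and the rule is a plain dict mirroring the match fields named above rather than a Ryu API call.

```python
"""Added example: R-SAX word, hash-table model, detection and blacklist scoring."""
import string
from collections import Counter, defaultdict
from statistics import NormalDist, fmean, pstdev


def r_sax_word(window, segments=4, alphabet_size=4):
    """Symbolize one detection window using only that window's own statistics."""
    if len(window) % segments:
        raise ValueError("window length must be a multiple of `segments`")
    mean, std = fmean(window), pstdev(window)
    # Step 2.1: window-local z-normalization (a flat window maps to all zeros).
    z = [0.0 if std == 0 else (v - mean) / std for v in window]
    # Step 2.2: PAA, one mean per equal-length subsequence.
    n = len(z) // segments
    paa = [fmean(z[i * n:(i + 1) * n]) for i in range(segments)]
    # Step 2.3: split points that cut N(0, 1) into equal-probability intervals.
    cuts = [NormalDist().inv_cdf(k / alphabet_size) for k in range(1, alphabet_size)]
    return "".join(string.ascii_lowercase[sum(p > c for c in cuts)] for p in paa)


def build_model(labeled_windows, **kw):
    """Steps 3.2 to 3.4: word frequency matrix, majority vote, hash table."""
    freq = defaultdict(Counter)  # word -> Counter({label: occurrences})
    for window, label in labeled_windows:
        freq[r_sax_word(window, **kw)][label] += 1
    # Only words whose majority label is 1 are stored; a tie is not stored
    # (the tie case is an assumption, the page does not specify it).
    return {word: 1 for word, votes in freq.items() if votes[1] > votes[0]}


def is_attacked(window, model, **kw):
    """Step 4: constant-time lookup of the window's SAX word."""
    return r_sax_word(window, **kw) in model


def drop_rule(attacker_ip):
    """Defense flow rule fields as described on the page (17 is UDP)."""
    return {
        "match": {"eth_type": 2048, "ip_proto": 17, "ipv4_src": attacker_ip},
        "priority": 10000,
        "actions": [],  # empty action list: matching packets are dropped
    }


class Blacklist:
    """Steps A to D: accumulate suspicious scores, emit drop rules."""

    def __init__(self, threshold=2):  # threshold value is an assumption
        self.scores = Counter()
        self.threshold = threshold

    def observe(self, udp_flows, model, **kw):
        """udp_flows maps source IP -> that source's UDP traffic window."""
        for src_ip, window in udp_flows.items():
            if is_attacked(window, model, **kw):
                self.scores[src_ip] += 1

    def poll(self):
        """Return drop rules for IPs over the threshold and forget those IPs."""
        attackers = [ip for ip, s in self.scores.items() if s > self.threshold]
        for ip in attackers:
            del self.scores[ip]
        return [drop_rule(ip) for ip in attackers]


# Constructed sample data: 20-sample windows, as in the default window size.
SAW = [10 * k for k in range(1, 11)] * 2   # periodic rise and collapse
RAMP = list(range(100, 120))               # steady, non-periodic growth
TRAINING = [
    (SAW, 1), ([2 * v for v in SAW], 1), (SAW[::-1], 1),
    ([100 + 0.01 * v for v in SAW], 0),    # same shape seen once as normal
    (RAMP, 0), ([3 * v for v in RAMP], 0),
]
MODEL = build_model(TRAINING)

if __name__ == "__main__":
    print("model:", MODEL)
    print("attack window flagged:", is_attacked([3 * v for v in SAW], MODEL))
    blacklist = Blacklist(threshold=2)
    for _ in range(3):  # three polling rounds
        blacklist.observe({"192.0.2.10": SAW, "198.51.100.7": RAMP}, MODEL)
    print("rules:", blacklist.poll())
```

Because normalization is per window, the word encodes the shape of the traffic and not its amplitude, which is why the scaled copies of a window in the training set vote for the same key.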
Fig. 6 is a comparison graph of the network traffic distribution with and without the detection and defense method deployed. Network traffic was collected with Wireshark, with the sampling interval set to 0.1 seconds. Fig. 6(a) shows the network traffic distribution with the detection and defense method deployed. A total of 90 seconds of data was collected; the attack is launched at 20 seconds, defense is completed in about 10 seconds, and the network recovers in 8 seconds. The method can therefore detect and defend against the LDoS attack in real time and relieve its adverse effects promptly and accurately. Fig. 6(b) shows the network traffic distribution without the detection and defense method deployed. A total of 160 seconds of data was collected; the attack is launched at about 20 seconds and lasts 120 seconds in total, during which the TCP traffic is severely reduced and stays at a low level.

Claims (7)

1. An LDoS attack detection and defense method based on R-SAX is characterized in that R represents real-time processing, SAX is a time series symbolization algorithm, R-SAX is a real-time series symbolization algorithm, and the LDoS attack detection and defense method comprises the following steps:
step 1, network data sampling: acquiring flow table information in a software defined network bottleneck link switch in real time, sampling all aggregated traffic flowing through the switch in unit time, and storing a current network traffic sequence by using a sliding window to form a detection window;
step 2, detection window symbolization: analyzing flow data of a detection window, calculating to obtain a flow mean sequence, and mapping the flow mean sequence into SAX words by using an R-SAX algorithm;
step 3, constructing a detection model: based on the characteristic that network data traffic has periodicity in distribution under the LDoS attack, calculating SAX words corresponding to traffic sequences of each detection window in training data by using an R-SAX algorithm to obtain an SAX word set as a detection model;
step 4, judging and detecting: judging a window to be detected according to the constructed detection model, and judging that the network in the window to be detected is attacked by LDoS if the network flow of the window to be detected accords with the detection standard of the detection model;
step 5, attack defense: and according to the detection result, if the window to be detected is judged to be attacked by the LDoS, deploying a defense strategy to relieve the LDoS attack.
2. The LDoS attack detection and defense method as claimed in claim 1, wherein the network data sampling in step 1 is implemented based on a software defined network generic southbound interface OpenFlow protocol, the controller polls the aggregate traffic of the bottleneck link switch at fixed time intervals to form original network data, and maintains a sliding window with fixed length and step length to store the collected aggregate traffic to form the current detection window.
3. The method for detecting and defending against LDoS attacks as recited in claim 1, wherein in step 2, according to the detection window obtained in step 1, an R-SAX algorithm is used to symbolize the aggregate traffic of the current detection window, which can be specifically divided into three steps:
step 2.1, normalizing the aggregate traffic of the current detection window to obtain a standard sequence;
step 2.2, for the traffic sequence processed in step 2.1, using a PAA algorithm to perform dimensionality reduction, wherein the PAA algorithm specifically comprises the following steps: dividing the traffic sequence obtained after the processing in step 2.1 into a plurality of subsequences of equal length, calculating the mean value of each subsequence, and using the mean value of each subsequence to approximately represent the subsequence so as to reduce the dimensionality;
step 2.3, dividing the distribution space into a plurality of equal-probability intervals under a Gaussian curve, wherein each interval is represented by one letter, and the letters are used to represent the dimension-reduced traffic sequence obtained in step 2.2, so that the SAX word of the current detection window is obtained.
4. The LDoS attack detection and defense method according to claim 1, characterized in that, step 3 constructs a detection model according to the detection window symbolization method of step 2, which can be divided into four steps:
step 3.1, firstly, collecting network flow based on the network data sampling method described in claim 2, and labeling the obtained detection window, wherein label 0 indicates that the window is not attacked by LDoS, and label 1 indicates that the window is attacked by LDoS, so as to form training data;
step 3.2, calculating the SAX word of each detection window by using the R-SAX algorithm according to the training data obtained in step 3.1, to obtain the SAX word set of the training data;
step 3.3, calculating, for the SAX word set obtained in step 3.2, the frequency with which each word has label 0 and label 1, to obtain the SAX word frequency matrix of the training data;
step 3.4, determining the label value of each SAX word to be 0 or 1 based on the majority voting idea for the word frequency matrix obtained in step 3.3, and storing the words with label 1 in a hash table to form the detection model.
5. An LDoS attack detection and defense method as claimed in claim 4, characterized in that, for each word in the SAX word set of step 3.2, the word frequency matrix obtained in step 3.3 is queried, the label with the highest frequency of each SAX word is used as the final classification label of the word, and a SAX word table is constructed by using a hash table to store all the words with the final classification labels of 1 as the detection model.
6. An LDoS attack detection and defense method as claimed in claim 1, characterized in that the decision detection criterion in step 4 is: the SAX word of the window to be detected is calculated by using the R-SAX algorithm, and the detection model is queried for the word; if the word is in the detection model, the window to be detected is judged to be under LDoS attack.
7. The LDoS attack detection and defense method as claimed in claim 1, wherein, when step 4 determines that the window to be detected is under attack and defense has not yet been performed, step 5 performs attack defense, which can be divided into four steps:
step 5.1, calculating an SAX word corresponding to the UDP flow of the window by using an R-SAX algorithm;
step 5.2, inquiring whether the SAX word obtained in the step 5.1 is in an SAX word list, if so, judging that the source IP of the UDP flow is a suspicious IP, adding the suspicious IP into a blacklist, and accumulating the suspicious score;
step 5.3, if the suspicious scores of the IPs in the blacklist exceed a set threshold value, judging the IPs as attack source IPs;
step 5.4, issuing a flow rule through the software-defined network controller to discard all data from the attack source IP, thereby defending against the LDoS attack.
CN202111344820.9A 2021-11-15 2021-11-15 LDoS attack detection and defense method based on R-SAX Active CN114021135B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111344820.9A CN114021135B (en) 2021-11-15 2021-11-15 LDoS attack detection and defense method based on R-SAX

Publications (2)

Publication Number Publication Date
CN114021135A true CN114021135A (en) 2022-02-08
CN114021135B CN114021135B (en) 2024-06-14

Family

ID=80064201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111344820.9A Active CN114021135B (en) 2021-11-15 2021-11-15 LDoS attack detection and defense method based on R-SAX

Country Status (1)

Country Link
CN (1) CN114021135B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115102781A (en) * 2022-07-14 2022-09-23 中国电信股份有限公司 Network attack processing method, device, electronic equipment and medium
CN115589326A (en) * 2022-10-25 2023-01-10 湖南大学 Real-time detection and mitigation method for LDoS attack of FIN
CN115589323A (en) * 2022-10-18 2023-01-10 湖南大学 DLDoS attack detection and mitigation method based on machine learning in data plane
CN117951704A (en) * 2024-03-27 2024-04-30 宁波和利时信息安全研究院有限公司 Hash calculation method and device of executable file, electronic equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9338181B1 (en) * 2014-03-05 2016-05-10 Netflix, Inc. Network security system with remediation based on value of attacked assets
KR20170090161A (en) * 2016-01-28 2017-08-07 동서대학교산학협력단 Mitigating System for DoS Attacks in SDN
US20190089720A1 (en) * 2016-05-31 2019-03-21 University Of South Florida Systems and methods for detecting attacks in big data systems
CN112202791A (en) * 2020-09-28 2021-01-08 湖南大学 P-F-based software defined network slow denial of service attack detection method
CN112788062A (en) * 2021-01-29 2021-05-11 湖南大学 ET-EDR-based LDoS attack detection and mitigation method in SDN
CN112804250A (en) * 2021-01-29 2021-05-14 湖南大学 LDoS attack detection and mitigation scheme based on integrated learning and peak-finding algorithm
US20210258333A1 (en) * 2020-02-03 2021-08-19 University Of South Florida Computer networking with security features

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9338181B1 (en) * 2014-03-05 2016-05-10 Netflix, Inc. Network security system with remediation based on value of attacked assets
KR20170090161A (en) * 2016-01-28 2017-08-07 동서대학교산학협력단 Mitigating System for DoS Attacks in SDN
US20190089720A1 (en) * 2016-05-31 2019-03-21 University Of South Florida Systems and methods for detecting attacks in big data systems
US20210258333A1 (en) * 2020-02-03 2021-08-19 University Of South Florida Computer networking with security features
CN112202791A (en) * 2020-09-28 2021-01-08 湖南大学 P-F-based software defined network slow denial of service attack detection method
CN112788062A (en) * 2021-01-29 2021-05-11 湖南大学 ET-EDR-based LDoS attack detection and mitigation method in SDN
CN112804250A (en) * 2021-01-29 2021-05-14 湖南大学 LDoS attack detection and mitigation scheme based on integrated learning and peak-finding algorithm

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
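杨宝旺: "Detecting low-rate denial-of-service attacks using a symbolic dynamics method", Journal of Xidian University, no. 01, 4 July 2017 (2017-07-04) *
贾冠昕; 杨波; 陈贞翔; 彭立志: "Network anomaly detection based on NetFlow time series", Computer Engineering and Applications, no. 24, 21 August 2008 (2008-08-21) *
陈湘涛; 李明亮; 陈玉娟: "Time series vector symbolization algorithm based on segmentation patterns", Computer Engineering, no. 04, 20 February 2011 (2011-02-20) *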

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115102781A (en) * 2022-07-14 2022-09-23 中国电信股份有限公司 Network attack processing method, device, electronic equipment and medium
CN115102781B (en) * 2022-07-14 2024-01-09 中国电信股份有限公司 Network attack processing method, device, electronic equipment and medium
CN115589323A (en) * 2022-10-18 2023-01-10 湖南大学 DLDoS attack detection and mitigation method based on machine learning in data plane
CN115589323B (en) * 2022-10-18 2024-04-02 湖南大学 DLDoS attack detection and alleviation method based on machine learning in data plane
CN115589326A (en) * 2022-10-25 2023-01-10 湖南大学 Real-time detection and mitigation method for LDoS attack of FIN
CN115589326B (en) * 2022-10-25 2024-04-19 湖南大学 FIN LDoS attack real-time detection and alleviation method
CN117951704A (en) * 2024-03-27 2024-04-30 宁波和利时信息安全研究院有限公司 Hash calculation method and device of executable file, electronic equipment and medium
CN117951704B (en) * 2024-03-27 2024-06-07 宁波和利时信息安全研究院有限公司 Hash calculation method and device of executable file, electronic equipment and medium

Also Published As

Publication number Publication date
CN114021135B (en) 2024-06-14

Similar Documents

Publication Publication Date Title
CN114021135B (en) LDoS attack detection and defense method based on R-SAX
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN108076040B (en) APT attack scene mining method based on killer chain and fuzzy clustering
CN105208037B (en) A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection
CN109729090B (en) Slow denial of service attack detection method based on WEDMS clustering
US8682812B1 (en) Machine learning based botnet detection using real-time extracted traffic features
US20070226803A1 (en) System and method for detecting internet worm traffics through classification of traffic characteristics by types
CN111131260B (en) Mass network malicious domain name identification and classification method and system
CN110768946A (en) Industrial control network intrusion detection system and method based on bloom filter
CN111262849A (en) Method for identifying and blocking network abnormal flow behaviors based on flow table information
Dhakar et al. A novel data mining based hybrid intrusion detection framework
CN111600876B (en) Slow denial of service attack detection method based on MFOPA algorithm
CN110719270A (en) FCM algorithm-based slow denial of service attack detection method
CN113904795B (en) Flow rapid and accurate detection method based on network security probe
CN111464510B (en) Network real-time intrusion detection method based on rapid gradient lifting tree classification model
CN110661802A (en) Low-speed denial of service attack detection method based on PCA-SVM algorithm
CN110602109A (en) Application layer DDoS attack detection and defense method based on multi-feature entropy
CN111294342A (en) Method and system for detecting DDos attack in software defined network
CN113872962B (en) Low-speed port scanning detection method for high-speed network sampling data acquisition scene
CN116915450A (en) Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction
CN113268735B (en) Distributed denial of service attack detection method, device, equipment and storage medium
CN112104628B (en) Adaptive feature rule matching real-time malicious flow detection method
CN112333180A (en) APT attack detection method and system based on data mining
CN116405261A (en) Malicious flow detection method, system and storage medium based on deep learning
KR20110107880A (en) Ddos detection method using fast information entropy and adaptive moving average window detector

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant