CN114172697A - Method for defending IP address spoofing DDoS attack in high-speed network - Google Patents


Info

Publication number
CN114172697A
Authority
CN
China
Prior art keywords
address
flow
attack
data set
ddos attack
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111399436.9A
Other languages
Chinese (zh)
Other versions
CN114172697B (en)
Inventor
吴桦
张晅阁
程光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southeast University
Original Assignee
Southeast University
Events
Application filed by Southeast University
Priority to CN202111399436.9A
Publication of CN114172697A
Application granted
Publication of CN114172697B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F 18/24 Classification techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Signal Processing (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for defending against IP address spoofing DDoS attacks in a high-speed network, comprising an offline training phase and an online defense phase. In offline training, the addresses of a public DDoS attack data set are translated and the result is mixed with a public high-speed network traffic data set to obtain a mixed traffic data set; the mixed data set is systematically sampled, traffic features are extracted per address pair (source MAC address, destination IP address) with a Sketch structure whose buckets each hold 6 counters and 1 hash table, the features are labeled, and the labeled features are used to train an attack traffic classifier with a supervised machine learning method. In online defense, the method is deployed on a border node of the high-speed network; it systematically samples the incoming high-speed traffic, extracts the same features, runs the attack traffic classifier, produces an alarm list of attack address pairs (source MAC address, destination IP address), and finally notifies the border router to filter the traffic matching the alarm list. A network manager can use the invention to defend against IP address spoofing DDoS attacks in a high-speed network.

Description

Method for defending IP address spoofing DDoS attack in high-speed network
Technical Field
The invention relates to a method for defending against IP address spoofing DDoS attacks in a high-speed network and belongs to the technical field of network security.
Background
A DDoS attack is one in which multiple attackers at different locations attack one or more targets simultaneously, or one attacker controls many machines at different locations and uses them to attack a victim at the same time. Each attack agent sends a large number of service request packets to the target host, and the requested service usually consumes substantial system resources, so the target can no longer serve legitimate users and may even crash. DDoS attacks are now a major threat to network security. At the same time, because Internet routing does not verify source IP addresses, most DDoS attacks forge the source IP address: spoofing hides the attacker effectively, so IP-spoofed DDoS attacks are widely used. Defending against IP address spoofing DDoS attacks is therefore of real importance to a network manager maintaining network security.
Researchers have proposed a series of methods for detecting and defending against DDoS attacks in high-speed networks, but these methods run into problems when faced with IP address spoofing, and their practical effect is unsatisfactory.
(1) Defense based on the attacked address
The victim's IP address is obtained during detection and all access to the victim is blocked. This stops the attack traffic, but it also leaves the victim completely unreachable for legitimate users.
(2) Defense based on the source IP address of the attack traffic
The source IP addresses found in the attack traffic are added to a blacklist as addresses of malicious hosts. With source IP spoofing, however, the blacklist fills with forged addresses that do not belong to the attacker, which reduces the effectiveness of the defense system and may block the legitimate owners of those addresses.
Researchers have also proposed IP traceback methods aimed at source IP spoofing, but these have practical deployment problems and cannot be applied on the Internet to solve the inability of DDoS defense systems to cope with source IP spoofing.
(1) Packet marking
Packet marking requires routers to write a mark into a specific packet field; the victim then locates the attack source by combining the marks it receives. This technique requires modifying existing standard protocols and broad infrastructure support, and is not widely applicable in practice.
(2) Logging
Logging requires routers to record all forwarded packets; when an attack occurs, the attack path is reconstructed from the routers' records. This needs substantial storage and computation, and deploying it, especially in a high-speed network, drives up cost sharply. It also risks disclosing private data and the network topology, so its use is limited.
(3) Hybrid packet marking and logging
The hybrid approach applies packet marking and logging together. It only alleviates the problems of the two techniques and cannot remove them: storage and computation overhead and log timeliness remain, and cross-domain tracing still risks leaking private data and the network topology.
Disclosure of Invention
To solve these problems, the invention discloses a method for defending against IP address spoofing DDoS attacks in a high-speed network, comprising offline training and online defense. Offline, a public DDoS attack data set is address-translated and mixed with a public high-speed network traffic data set, the mixture is systematically sampled, traffic features are extracted per address pair (source MAC address, destination IP address) with a Sketch structure of 6 counters and 1 hash table per bucket, the features are labeled, and a supervised machine learning method trains an attack traffic classifier on them. Online, the method runs on a border node of the high-speed network: it systematically samples the incoming traffic, extracts the same features, applies the classifier, produces an alarm list of attack address pairs (source MAC address, destination IP address), and notifies the border router to filter the traffic in the alarm list. A network manager can use it to defend against IP address spoofing DDoS attacks in a high-speed network.
To achieve this, the specific technical steps of the scheme are as follows:
Step (1) obtain a public DDoS attack data set and a public high-speed network traffic data set collected continuously for a period of time at a backbone network node, translate the addresses in the DDoS attack data set, and mix it with the high-speed network traffic data set to obtain a mixed traffic data set;
Step (2) apply systematic sampling with sampling ratio 1/mu to the mixed traffic data set;
Step (3) for the sampled traffic, extract traffic features per address pair (source MAC address, destination IP address) with a Sketch structure containing 6 counters and 1 hash table per bucket;
Step (4) label the traffic features to obtain a labeled training set, and train a model on it with a supervised machine learning algorithm to obtain an attack traffic classifier;
Step (5) deploy on a border node of the high-speed network, set the sampling ratio to 1/mu, systematically sample the incoming high-speed network traffic, and extract traffic features in the same way as in step (3);
Step (6) use the attack traffic classifier to detect the traffic features of each address pair (source MAC address, destination IP address) extracted in step (5), and add the address pairs whose traffic is classified as attack to an alarm list;
Step (7) notify the relevant border router according to the alarm list to filter the traffic of the addresses in the alarm list, defending against the IP address spoofing DDoS attack.
Further, in step (1), the specific steps for obtaining the public data sets and the mixed data set are as follows:
(1.1) download the DDoS attack public data set and the high-speed network traffic public data set from their respective official sites;
(1.2) to mix the two, translate the source and destination MAC addresses of the DDoS attack data set into the source and destination MAC addresses of the high-speed network traffic data set, and at the same time replace each source IP address in the DDoS attack data set with a random IP address to reproduce the effect of source IP spoofing; the address rewriting must not change the characteristics of the attack data;
(1.3) mix the address-translated DDoS attack data set from step (1.2) with the high-speed network traffic data set.
Further, in step (3), the Sketch structure used and the specific feature extraction steps are as follows:
(3.1) based on the characteristics of a SYN Flood attack, the selected TCP traffic features are: the number of packets with payload received under the same address pair, the number of packets with payload sent under the same address pair, the number of packets without payload received, the number of packets without payload sent, the number of packets with the SYN flag received, the number of packets with the SYN flag sent, the dispersion of the sender's ports, the rate of packets received and the rate of packets sent under the same address pair; based on the characteristics of a UDP Flood attack, the selected UDP traffic features are: the number of packets with payload received, the number of packets with payload sent, and the dispersion of the sender's ports under the same address pair;
(3.2) a DDoS attack detection Sketch is designed to extract these features. It consists of several rows of buckets forming a two-dimensional array; each bucket contains 6 counters and 1 hash table, and the occupancy of the hash table reflects the dispersion of the sender's ports. The source MAC address and the destination IP address are not affected by IP address spoofing, so the address pair (source MAC address, destination IP address) is used as the key that maps to buckets during feature extraction, and the features of the traffic under one address pair are kept in its buckets. The Sketch supports three basic operations: update, query and extract. Update: when a packet arrives, the Sketch data is updated using the address pair as the key. Query: return the smallest count among all buckets the address pair maps to. Extract: when the packet count of an address pair reaches the threshold theta, a query is triggered to obtain the returned bucket value, the sender port dispersion and the packet receiving and sending rates under the address pair are computed, yielding the feature vector record for that address pair, and the minimum count bucket value is subtracted from every bucket the address pair maps to;
(3.3) when a packet arrives, the address pair formed by its source MAC address and destination IP address is extracted as the key and fed to the hash function; the Sketch processes TCP and UDP packets at the same time;
(3.4) the hash output is split into several parts, each part is mapped to an index in one row of the Sketch, and the bucket at that index is updated;
(3.5) when the packet count of an address pair reaches the threshold theta, the extract operation runs, and the feature vector records obtained for each address pair form the basis for training the attack traffic classifier.
Further, the specific steps in step (4) are as follows:
(4.1) label each sample as attack traffic or normal traffic according to the destination IP address in its address pair, giving a labeled training set of per-address-pair traffic features;
(4.2) train a model on the labeled training set with a supervised machine learning algorithm to obtain the attack traffic classifier.
Further, the specific steps in step (7) are as follows:
(7.1) find the relevant border router from the address pairs in the alarm list;
(7.2) on the router interface corresponding to the source MAC address of the address pair, filter the traffic to the corresponding destination address, defending against the IP address spoofing DDoS attack without affecting traffic outside the alarm list.
Compared with the prior art, the technical scheme of the invention has the following advantages and beneficial effects.
(1) The invention does not rely on the packet's source IP address; it uses the address pair (source MAC address, destination IP address) of the attack traffic, which IP spoofing cannot alter, as the object of DDoS detection, so it resists IP address spoofing effectively and is more practical. Seen at a border node, the source MAC address is that of the upstream neighbor on the ingress interface rather than of the spoofing host, which is why step (7.2) filters on the router interface that corresponds to it.
(2) The defense uses fine-grained traffic filtering based on the address pairs in the alarm list, which does not affect other traffic outside the alarm list and is therefore more feasible.
(3) The invention can be applied on the Internet without any protocol or architecture extension, and the Sketch technique for extracting features from the data stream still works when the stream is sampled, so the invention applies to high-speed network scenarios and is more practical.
Drawings
FIG. 1 is an overall architecture diagram of the present invention;
FIG. 2 is a structural diagram of a DDoS attack detection sketch designed by the present invention;
FIG. 3 is a schematic diagram of an embodiment of the present invention.
Detailed Description
The technical solution of the invention is described in detail below with reference to specific examples; these embodiments only illustrate the invention and do not limit its scope.
Specific embodiment: the invention provides a method for defending against IP address spoofing DDoS attacks in a high-speed network whose overall architecture is shown in FIG. 1, comprising the following steps:
Step (1) obtain a public DDoS attack data set and a public high-speed network traffic data set collected continuously for a period of time at a backbone network node, translate the addresses in the DDoS attack data set, and mix it with the high-speed network traffic data set to obtain a mixed traffic data set;
Step (2) apply systematic sampling with sampling ratio 1/mu to the mixed traffic data set;
Step (3) for the sampled traffic, extract traffic features per address pair (source MAC address, destination IP address) with a Sketch structure containing 6 counters and 1 hash table per bucket;
Step (4) label the traffic features to obtain a labeled training set, and train a model on it with a supervised machine learning algorithm to obtain an attack traffic classifier;
Step (5) deploy on a border node of the high-speed network, set the sampling ratio to 1/mu, systematically sample the incoming high-speed network traffic, and extract traffic features in the same way as in step (3);
Step (6) use the attack traffic classifier to detect the traffic features of each address pair (source MAC address, destination IP address) extracted in step (5), and add the address pairs whose traffic is classified as attack to an alarm list;
Step (7) notify the relevant border router according to the alarm list to filter the traffic of the addresses in the alarm list, defending against the IP address spoofing DDoS attack.
In one embodiment of the invention, in step (1), the specific steps for obtaining the public data sets and the mixed data set are as follows:
(1.1) take the UDP Flood capture of January 12, 2018 and the SYN Flood capture of March 11, 2018 from the CIC-DDoS2019 public data set of the University of New Brunswick as the DDoS attack public data sets, and take the high-speed network traffic public data set captured by the MAWI working group on June 3, 2020;
(1.2) to mix the two, translate the source and destination MAC addresses of the DDoS attack data set into the source and destination MAC addresses of the high-speed network traffic data set, and at the same time replace each source IP address in the DDoS attack data set with a random IP address to reproduce the effect of source IP spoofing; the address rewriting must not change the characteristics of the attack data. The result of the address translation of the attack data set is shown in Table 1.
TABLE 1 Results after address translation of the attack data sets (table image not reproduced in the text extraction)
(1.3) mix the address-translated DDoS attack data set from step (1.2) with the high-speed network traffic data set.
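The address rewriting of step (1.2), as an added example that is not part of the patent: it replaces the Ethernet source and destination MACs of each attack frame with the MACs of the backbone capture, replaces the IPv4 source with a random address, and leaves ports, flags, sequence numbers, payload and (in a pcap) timestamps untouched, which is what keeps the attack characteristics intact. One detail the text does not spell out but a working rewriter needs: the source IP is covered by both the IPv4 header checksum and the TCP/UDP pseudo-header checksum, so both must be repaired, otherwise the mixed packets are trivially distinguishable from the real traffic and some tools drop them. The transport checksum is patched incrementally (RFC 1624), which also works on captures whose snaplen truncated the payload. The frames, the MAC and IP values and the function names are constructed for this example.

```python
import random
import socket
import struct

CSUM_OFFSET = {6: 16, 17: 6}   # offset of the checksum field inside the TCP / UDP header


def ones_complement_sum(data):
    """Folded 16-bit one's complement sum (odd length padded with a zero byte)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def update_checksum(old_csum, old_bytes, new_bytes):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): patch a checksum for one changed field
    without touching the rest of the packet (works on snaplen-truncated captures too)."""
    s = ((~old_csum) & 0xFFFF) + ((~ones_complement_sum(old_bytes)) & 0xFFFF) \
        + ones_complement_sum(new_bytes)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return socket.inet_aton(text)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, proto, payload=b"", tcp_flags=0x02):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with valid checksums (example input only)."""
    if proto == 6:   # 20-byte TCP header: seq 1, ack 0, data offset 5, the given flags
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0) + payload
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, proto, len(l4))
    c = checksum(pseudo + l4) or (0xFFFF if proto == 17 else 0)   # UDP transmits 0 as 0xFFFF
    off = CSUM_OFFSET[proto]
    l4 = l4[:off] + struct.pack("!H", c) + l4[off + 2:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + l4


def translate_frame(frame, new_src_mac, new_dst_mac, rng):
    """Step (1.2) for one frame: new MACs, random IPv4 source, both checksums repaired.
    Ports, flags, sequence numbers and payload stay exactly as captured."""
    if frame[12:14] != b"\x08\x00":
        return frame                                   # not IPv4: left untouched
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    proto, old_src = ip[9], bytes(ip[12:16])
    # random source; the first octet avoids 0, 127 and multicast (a choice made here, not by the patent)
    new_src = bytes([rng.choice([o for o in range(1, 224) if o != 127])]
                    + [rng.randrange(256) for _ in range(3)])
    ip[12:16] = new_src
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(ip[:ihl]))  # IPv4 header checksum recomputed
    off = CSUM_OFFSET.get(proto)
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if off is not None and first_fragment and len(ip) >= ihl + off + 2:
        old = struct.unpack("!H", ip[ihl + off:ihl + off + 2])[0]
        if not (proto == 17 and old == 0):             # UDP checksum 0 means "none": leave it
            new = update_checksum(old, old_src, new_src)
            ip[ihl + off:ihl + off + 2] = struct.pack("!H", new or (0xFFFF if proto == 17 else 0))
    return mac(new_dst_mac) + mac(new_src_mac) + b"\x08\x00" + bytes(ip)


def translate_capture(frames, src_mac, dst_mac, seed=0):
    """Step (1.2) over a whole capture; the seed makes the randomised sources reproducible."""
    rng = random.Random(seed)
    return [translate_frame(f, src_mac, dst_mac, rng) for f in frames]


def checksums_valid(frame):
    """True when the IPv4 header checksum and the TCP/UDP checksum (if present) both verify.
    Assumes the frame carries no Ethernet padding after the IP packet."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ones_complement_sum(ip[:ihl]) != 0xFFFF:
        return False
    proto, l4 = ip[9], ip[ihl:]
    off = CSUM_OFFSET.get(proto)
    if off is None or (proto == 17 and l4[off:off + 2] == b"\x00\x00"):
        return True
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(l4))
    return ones_complement_sum(pseudo + l4) == 0xFFFF
```

translate_capture() is the per-frame loop to run over the attack pcap before mixing. One check worth doing first: if the attack capture already contains wrong transport checksums (checksum offload on the capturing host is the usual cause), the incremental update carries the error through unchanged, so run checksums_valid() on a sample of the input and recompute from scratch where the payloads are complete.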
In step (2), the systematic sampling ratio is set to 1/8.
In step (3), the DDoS attack detection Sketch structure and the feature extraction steps are as follows:
(3.1) based on the characteristics of a SYN Flood attack, the selected TCP traffic features are: the number Rd of packets with payload received under the same address pair, the number Sd of packets with payload sent, the number R0 of packets without payload received, the number S0 of packets without payload sent, the number Rs of packets with the SYN flag received, the number Ss of packets with the SYN flag sent, the dispersion Ds of the sender's ports, the rate R_spd of packets received and the rate S_spd of packets sent under the same address pair; based on the characteristics of a UDP Flood attack, the selected UDP traffic features are: the number Rd of packets with payload received, the number Sd of packets with payload sent and the dispersion Ds of the sender's ports under the same address pair. Table 2 summarizes the selected traffic features and their meanings.
TABLE 2 Traffic features and their meanings
Feature   Meaning
R0        Number of packets without payload received under the same address pair
Rd        Number of packets with payload received under the same address pair
Rs        Number of packets with the SYN flag received under the same address pair
S0        Number of packets without payload sent under the same address pair
Sd        Number of packets with payload sent under the same address pair
Ss        Number of packets with the SYN flag sent under the same address pair
Ds        Dispersion of the sender's ports under the same address pair
R_spd     Rate of packets received under the same address pair
S_spd     Rate of packets sent under the same address pair
(3.2) a DDoS attack detection Sketch is designed to extract the selected features; its structure is shown in FIG. 2. It consists of several rows of buckets forming a two-dimensional array; each bucket contains 6 counters and 1 hash table, and the occupancy of the hash table reflects the dispersion of the sender's ports. The source MAC address and the destination IP address are not affected by IP address spoofing, so the address pair (source MAC address, destination IP address) is used as the key that maps to buckets during feature extraction, and the features of the traffic under one address pair are kept in its buckets. The Sketch supports three basic operations: update, query and extract. Update: when a packet arrives, the Sketch data is updated using the address pair as the key. Query: return the smallest count among all buckets the address pair maps to.
Extract: when the packet count of an address pair reaches the threshold theta, a query is triggered to obtain the returned bucket value, the sender port dispersion and the packet receiving and sending rates under the address pair are computed, yielding the feature vector record for that address pair, and the minimum count bucket value is subtracted from every bucket the address pair maps to. Ds is computed as the sum of the bits of Hs (the hash table, used as a bitmap of hashed sender ports); R_spd is the number of packets received under the address pair per unit time; S_spd is the number of packets sent under the address pair per unit time. Table 3 gives the composition of a bucket in the DDoS attack detection Sketch.
TABLE 3 Composition of a bucket in the DDoS attack detection Sketch (table image not reproduced in the text extraction)
(3.3) when a packet arrives, the address pair (source MAC address, destination IP address) is extracted as the key and fed to the hash function; the DDoS attack detection Sketch processes TCP and UDP packets at the same time;
(3.4) the hash output is split into parts, each part is mapped to an index in one row of the Sketch, and the bucket at that index is updated;
(3.5) when the packet count of an address pair reaches the threshold theta, the extract operation runs and the feature vector record for that address pair is obtained, forming the basis for training the attack traffic classifier.
In step (3.5), the extraction threshold theta is set to 100.
Step (4): label the traffic features obtained in step (3) as attack or normal traffic according to the destination IP address, giving a labeled training set, and train a model on it with a random forest algorithm to obtain the attack traffic classifier. Part of the labeled TCP training set is shown in Table 4, where R0, Rs, S0, Ss, Rd, Sd, Ds, R_spd and S_spd are the TCP traffic features; part of the labeled UDP training set is shown in Table 5, where Rd, Sd, Ds, R_spd and S_spd are the UDP traffic features.
TABLE 4 Labeled TCP traffic training set (partial data; table image not reproduced in the text extraction)
TABLE 5 Labeled UDP traffic training set (partial data)
Destination IP address   Source MAC address    Rd   Sd   Ds   R_spd   S_spd   label
157.87.95.169            00:12:E2:C0:3F:08    100    0    5   31066       0       0
153.136.185.105          00:12:E2:C0:3F:08    100    0    1   11552       0       0
131.12.203.136           00:31:46:64:EC:BF      0  100    1       0    9474       0
94.237.196.102           00:12:E2:C0:3F:08    100    0    6    4661       0       0
180.138.196.239          00:12:E2:C0:3F:08    100    0    1    2537       0       0
192.168.50.1             44:AA:50:5A:2F:D0    100    0   16    9230       0       1
192.168.50.1             44:AA:50:5A:2F:D0    100    0   16   11135       0       1
192.168.50.1             44:AA:50:5A:2F:D0    100    0   16    9611       0       1
192.168.50.1             44:AA:50:5A:2F:D0    100    0   16    9949       0       1
192.168.50.1             44:AA:50:5A:2F:D0    100    0   16   11287       0       1
In an embodiment of the invention, step (5) comprises the following sub-steps:
(5.1) the method is deployed on a border node of the high-speed network; the deployment is shown schematically in FIG. 3;
(5.2) the sampling ratio is set to 1/8 and the high-speed network traffic is systematically sampled;
(5.3) for the sampled traffic, the attack detection Sketch with 6 counters and 1 hash table per bucket extracts the traffic features per address pair (source MAC address, destination IP address).
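The Sketch of step (3) and of step (5.3) (the same extraction runs offline on the mixed data set and online on the border node), as an added example that is not the patent's code: a count-min style array of rows x width buckets, each bucket holding the 6 counters R0, Rd, Rs, S0, Sd, Ss and a bitmap standing in for the hash table Hs (Ds is its popcount), keyed by (source MAC address, destination IP address), with update, query (minimum over the mapped buckets) and extract (feature record once theta sampled packets have arrived, then the minimum bucket is subtracted from all mapped buckets). It also carries the 1/mu systematic sampling of step (2)/(5.2) and the labeling of step (4.1) by destination IP. Assumptions made here and not stated by the patent: the number of rows, the width and the bitmap size; the hash (blake2b, split into one index per row); attributing outbound replies to the pair through (destination MAC, source IP) as the "sent" direction; keeping first and last timestamps in the bucket to compute R_spd and S_spd; and the constructed SYN flood and web exchange used as input, which reuse the addresses of Table 5.

```python
import hashlib
import random
from collections import namedtuple
from dataclasses import dataclass, field

COUNTERS = ("R0", "Rd", "Rs", "S0", "Sd", "Ss")       # the 6 counters of one bucket
TCP_FEATURES = COUNTERS + ("Ds", "R_spd", "S_spd")     # Table 2 (SYN Flood)
UDP_FEATURES = ("Rd", "Sd", "Ds", "R_spd", "S_spd")    # Table 5 (UDP Flood)

# Only the header fields the Sketch looks at; proto is 6 (TCP) or 17 (UDP) and
# inbound=True means the packet enters the border node heading for dst_ip.
Packet = namedtuple("Packet", "ts src_mac dst_mac src_ip dst_ip proto sport payload_len syn inbound")


@dataclass
class Bucket:
    cnt: dict = field(default_factory=lambda: dict.fromkeys(COUNTERS, 0))
    ports: int = 0             # Hs as a bitmap: one bit per hashed sender port
    n: int = 0                 # packets since the last extraction (assumed bookkeeping)
    t_first: float = 0.0       # assumed: timestamps are needed for R_spd / S_spd
    t_last: float = 0.0


def systematic_sample(packets, mu):
    """Steps (2)/(5.2): keep every mu-th packet, i.e. sampling ratio 1/mu."""
    return [p for i, p in enumerate(packets) if i % mu == 0]


def pair_key(p):
    """Inbound packets are 'received' under (src MAC, dst IP); an outbound reply is
    attributed to the same pair via (dst MAC, src IP) and counted as 'sent' (assumption)."""
    return (p.src_mac, p.dst_ip) if p.inbound else (p.dst_mac, p.src_ip)


class DDoSSketch:
    def __init__(self, rows=3, width=1024, bitmap_bits=64):
        self.rows, self.width, self.bits = rows, width, bitmap_bits
        self.table = [[Bucket() for _ in range(width)] for _ in range(rows)]

    def _mapped(self, key):
        # step (3.4): one hash output, split into one 4-byte index per row
        h = hashlib.blake2b(repr(key).encode(), digest_size=4 * self.rows).digest()
        return [self.table[r][int.from_bytes(h[4 * r:4 * r + 4], "big") % self.width]
                for r in range(self.rows)]

    def update(self, p):
        """Step (3.3): update every bucket the pair maps to; return the pair's query value."""
        key, side = pair_key(p), "R" if p.inbound else "S"
        for b in self._mapped(key):
            if b.n == 0:
                b.t_first = p.ts
            b.t_last, b.n = p.ts, b.n + 1
            b.cnt[side + ("d" if p.payload_len else "0")] += 1
            if p.proto == 6 and p.syn:
                b.cnt[side + "s"] += 1
            if p.inbound:      # sender ports are the source ports of received packets
                b.ports |= 1 << (((p.sport * 0x9E3779B1) >> 16) % self.bits)
        return self.query(key)

    def query(self, key):
        """Smallest packet count among the mapped buckets (the count-min estimate)."""
        return min(b.n for b in self._mapped(key))

    def extract(self, key):
        """Feature record from the minimum bucket, then subtract it from all mapped buckets."""
        mapped = self._mapped(key)
        m = min(mapped, key=lambda b: b.n)
        dt = max(m.t_last - m.t_first, 1e-6)
        f = dict(m.cnt)
        f["Ds"] = bin(m.ports).count("1")              # sum of the bits of Hs
        f["R_spd"] = (m.cnt["R0"] + m.cnt["Rd"]) / dt
        f["S_spd"] = (m.cnt["S0"] + m.cnt["Sd"]) / dt
        n_min = m.n
        for b in mapped:
            for k in COUNTERS:
                b.cnt[k] = max(b.cnt[k] - f[k], 0)
            b.n, b.ports = max(b.n - n_min, 0), 0       # bitmap reset per window (assumption)
        return f


def run(packets, mu=8, theta=100, victim_ips=frozenset()):
    """Steps (2)-(4.1): sample, emit one record per theta sampled packets of a pair,
    label it by destination IP (victims of the attack data set = 1, everything else = 0)."""
    sketches = {6: DDoSSketch(), 17: DDoSSketch()}     # TCP and UDP use different feature sets
    records = []
    for p in systematic_sample(packets, mu):
        sk = sketches.get(p.proto)
        if sk is not None and sk.update(p) >= theta:
            key = pair_key(p)
            feats = sk.extract(key)
            names = TCP_FEATURES if p.proto == 6 else UDP_FEATURES
            records.append({"pair": key, "proto": p.proto, "label": int(key[1] in victim_ips),
                            "features": {k: feats[k] for k in names}})
    return records


def constructed_traffic(seed=1):
    """Constructed input (addresses as in Table 5; sources, ports and timings invented):
    a spoofed SYN flood at 192.168.50.1, then an ordinary TCP exchange with 157.87.95.169."""
    rng, pkts = random.Random(seed), []
    for i in range(2400):      # 10,000 pkt/s, random spoofed source and port, SYN, no payload
        src = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        pkts.append(Packet(0.0001 * (i + 1), "44:AA:50:5A:2F:D0", "00:31:46:64:EC:BF", src,
                           "192.168.50.1", 6, rng.randrange(1024, 65536), 0, True, True))
    client, server = ("00:12:E2:C0:3F:08", "203.0.113.9"), ("00:31:46:64:EC:BF", "157.87.95.169")
    for i in range(2400):      # 100 pkt/s, two client ports, payload both ways, 1 in 3 outbound
        (smac, sip), (dmac, dip) = (client, server) if i % 3 != 2 else (server, client)
        pkts.append(Packet(0.01 * (i + 1), smac, dmac, sip, dip, 6,
                           50000 + i % 3 if i % 3 != 2 else 80, 512, False, i % 3 != 2))
    return pkts
```

run(constructed_traffic(), victim_ips={"192.168.50.1"}) yields three records per address pair: the flood pair shows R0 = Rs = 100, Rd = 0 and a Ds near the bitmap width, the web pair shows payload in both directions and Ds of at most 2. Two points the code makes concrete: because the sampling ratio is the same offline and online, R_spd and S_spd are rates of sampled packets and the classifier is trained on exactly those values (multiply by mu only for an operator-facing line-rate figure); and the minimum over rows is what tolerates collisions between address pairs, since a row where two pairs share a bucket over-counts, but a pair with at least one clean row is read from that row.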
The technical means disclosed in the invention are not limited to those of the embodiments above but also include technical schemes formed by any combination of the above technical features. Those skilled in the art can make various improvements and modifications without departing from the principle of the invention, and such improvements and modifications are also considered to fall within its scope.

Claims (5)

1. A method for defending against IP address spoofing DDoS attacks in a high-speed network, characterized by comprising the following steps:
step (1) obtaining a public DDoS attack data set and a public high-speed network traffic data set collected continuously for a period of time at a backbone network node, translating the addresses in the DDoS attack data set and mixing it with the high-speed network traffic data set to obtain a mixed traffic data set;
step (2) applying systematic sampling with sampling ratio 1/mu to the mixed traffic data set;
step (3) extracting traffic features of the sampled traffic per address pair (source MAC address, destination IP address) with a Sketch structure containing 6 counters and 1 hash table;
step (4) labeling the traffic features to obtain a labeled training set, and training a model on it with a supervised machine learning algorithm to obtain an attack traffic classifier;
step (5) deploying on a border node of the high-speed network, setting the sampling ratio to 1/mu, systematically sampling the incoming high-speed network traffic, and extracting traffic features in the same way as in step (3);
step (6) detecting the traffic features of the address pairs (source MAC address, destination IP address) extracted in step (5) with the attack traffic classifier, and adding the address pairs with detected attack traffic to an alarm list;
step (7) notifying the relevant border router according to the alarm list to filter the corresponding addresses in the alarm list, defending against the IP address spoofing DDoS attack.
2. The method for defending against IP address spoofing DDoS attacks in a high-speed network as claimed in claim 1, wherein in step (1) the specific steps of obtaining the public data sets and the mixed data set are as follows:
(1.1) accessing the official websites of the DDoS attack public data set and of the high-speed network flow public data set respectively to obtain the DDoS attack public data set and the high-speed network flow public data set;
(1.2) translating the source MAC address and destination MAC address of the DDoS attack public data set into the source MAC address and destination MAC address of the high-speed network flow public data set, and changing the source IP address in the DDoS attack public data set to a random IP address to achieve the effect of source IP address spoofing;
(1.3) mixing the DDoS attack public data set with the addresses changed in step (1.2) with the high-speed network flow public data set.
3. The method for defending against IP address spoofing DDoS attacks in a high-speed network as claimed in claim 1, wherein in step (3) the details of the Sketch structure used and the specific steps of extracting features are as follows:
(3.1) based on the characteristics of the SYN Flood attack, the selected TCP flow characteristics are: the number of packets with payload received under the same address pair, the number of packets with payload sent under the same address pair, the number of packets without payload received under the same address pair, the number of packets without payload sent under the same address pair, the number of packets with the SYN flag received under the same address pair, the number of packets with the SYN flag sent under the same address pair, the port dispersion of the sender under the same address pair, the packet receive rate under the same address pair and the packet send rate under the same address pair; based on the characteristics of the UDP Flood attack, the selected UDP flow characteristics are: the number of packets with payload received under the same address pair, the number of packets with payload sent under the same address pair and the port dispersion of the sender under the same address pair;
(3.2) according to the selected characteristics, a DDoS attack detection Sketch for extracting flow characteristics is designed; the DDoS attack detection Sketch consists of a plurality of buckets arranged in a two-dimensional array, each bucket containing 6 counters and 1 hash table; since the source MAC address and the destination IP address are not affected by IP address spoofing, the address pair consisting of the source MAC address and the destination IP address is used as the key for mapping to a bucket during feature extraction, and the multiple characteristics of the flow under the same address pair are stored in the bucket; the DDoS attack detection Sketch supports three basic operations, namely the update operation, the query operation and the extraction operation;
(3.3) when a packet arrives, the address pair consisting of its source MAC address and destination IP address is extracted as the key and used as the input of a hash function; the DDoS attack detection Sketch processes TCP and UDP packets at the same time;
(3.4) the output of the hash function is divided into a plurality of parts, each part is mapped to an address in one row of the Sketch, and the bucket at that address is updated;
(3.5) when the total number of packets under the same address pair reaches a threshold theta, the extraction operation is executed, and the feature vector records under each address pair are obtained as the basis for training the attack flow classifier.
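A compact implementation of the Sketch of claim 3 (buckets keyed on the (source MAC, destination IP) pair, six counters plus one hash table per bucket, update/query/extract operations, extraction once the pair reaches theta), which also covers the feature-extraction step (3) of claim 1. It is added here as an illustration and is not the patent's own code; the hash function, the sketch dimensions, the value of theta and the "rx"/"tx" direction labels are assumptions.

```python
import hashlib
# Added example, not the patent's own code: a minimal DDoS-detection Sketch in the
# shape claim 3 describes. Each bucket holds the six counters the claims name plus one
# hash table (sender port -> count). Hash, rows x cols and theta are assumptions.
COUNTERS = ("rx_load", "tx_load", "rx_noload", "tx_noload", "rx_syn", "tx_syn")

def _new_bucket(ts):
    return {**dict.fromkeys(COUNTERS, 0), "ports": {}, "n": 0, "t0": ts, "t1": ts}

class DdosSketch:
    def __init__(self, rows=3, cols=1024, theta=8):
        self.rows, self.cols, self.theta = rows, cols, theta
        self.table = [[None] * cols for _ in range(rows)]
        self.records = []  # (key, feature vector) extracted once a pair reaches theta

    def _indices(self, key):
        # One hash per key; its digest is split into `rows` parts, each selecting
        # a column in its own row (claim 3.4).
        h = hashlib.blake2b(key.encode(), digest_size=2 * self.rows).digest()
        return [int.from_bytes(h[2 * i:2 * i + 2], "big") % self.cols for i in range(self.rows)]

    def update(self, src_mac, dst_ip, direction, sport, payload, syn, ts):
        # direction: "rx" = packet received under the pair, "tx" = packet sent under it
        key = f"{src_mac}|{dst_ip}"
        for r, c in enumerate(self._indices(key)):
            b = self.table[r][c] = self.table[r][c] or _new_bucket(ts)
            b[f"{direction}_{'load' if payload else 'noload'}"] += 1
            b[f"{direction}_syn"] += int(syn)
            b["ports"][sport] = b["ports"].get(sport, 0) + 1  # hash table of sender ports
            b["n"] += 1
            b["t1"] = ts
        if self.query(key)["n"] >= self.theta:  # claim 3.5: extract at threshold theta
            self.records.append((key, self.extract(key)))

    def query(self, key):
        # Count-min style: the smallest value over the rows is the least over-counted.
        bs = [self.table[r][c] or _new_bucket(0.0) for r, c in enumerate(self._indices(key))]
        out = {c: min(b[c] for b in bs) for c in COUNTERS + ("n",)}
        out["ports"] = min(len(b["ports"]) for b in bs)
        out["dur"] = max(b["t1"] - b["t0"] for b in bs)
        return out

    def extract(self, key):
        # Feature vector of claim 3.1: six counters, port dispersion, receive and send rates.
        q = self.query(key)
        dur = max(q["dur"], 1e-9)
        rx, tx = q["rx_load"] + q["rx_noload"], q["tx_load"] + q["tx_noload"]
        vec = [q[c] for c in COUNTERS] + [q["ports"] / max(q["n"], 1), rx / dur, tx / dur]
        for r, c in enumerate(self._indices(key)):  # reset the pair's window
            self.table[r][c] = None
        return vec
```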
4. The method for defending against IP address spoofing DDoS attacks in a high-speed network as claimed in claim 1, wherein the specific steps of step (4) are as follows:
(4.1) labeling the attack flow and the normal flow in the samples according to the destination IP address in the address pair to obtain a labeled training set of the flow characteristics under each address pair;
(4.2) performing model training on the labeled training set with a supervised machine learning algorithm to obtain the attack flow classifier.
5. The method for defending against IP address spoofing DDoS attacks in a high-speed network as claimed in claim 1, wherein the specific steps of step (7) are as follows:
(7.1) finding the relevant border router according to the address pair in the alarm list;
(7.2) filtering the corresponding address on the router interface corresponding to the source MAC address in the address pair, thereby defending against the IP address spoofing DDoS attack on the flow.
CN202111399436.9A 2021-11-19 2021-11-19 Method for defending IP address spoofing DDoS attack in high-speed network Active CN114172697B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111399436.9A CN114172697B (en) 2021-11-19 2021-11-19 Method for defending IP address spoofing DDoS attack in high-speed network

Publications (2)

Publication Number Publication Date
CN114172697A true CN114172697A (en) 2022-03-11
CN114172697B CN114172697B (en) 2024-02-06

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745174A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Access verification system and method for power grid equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant