CN114363065B - DDoS detection method based on GSODNN and SDN - Google Patents

Publication number
CN114363065B
Authority
CN
China
Prior art keywords
feature
firefly
ddos attack
value
packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210003465.7A
Other languages
Chinese (zh)
Other versions
CN114363065A (en)
Inventor
尚凤军
邹亮亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Application filed by Chongqing University of Post and Telecommunications
Priority to CN202210003465.7A
Publication of CN114363065A
Publication of CN114363065B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to the field of computers, and in particular to a DDoS detection method based on GSODNN and SDN. In the method, an SDN controller counts the number of Packet In packets of each switch within a time T to judge whether the switch is abnormal, and calculates the source IP address entropy of the Packet In packets of an abnormal switch within the time T to judge whether the abnormality is likely to be a DDoS attack. If it is, the controller extracts the flow table features and the related network traffic features, selects the optimal feature set with the MIC-FCBF algorithm, and constructs features sensitive to DDoS attacks. The selected optimal feature set and the constructed features sensitive to DDoS attacks are then input into a deep neural network based on an artificial firefly swarm optimization algorithm to detect the DDoS attack. The invention removes data redundancy, avoids the instability of manual tuning in DDoS attack detection, shortens training time, and improves detection accuracy.

Description

DDoS detection method based on GSODNN and SDN
Technical Field
The invention relates to the field of computers, and in particular to a DDoS detection method based on a deep neural network based on an artificial firefly swarm optimization algorithm (Deep Neural Network Based on Glowworm Swarm Optimization Algorithm, GSODNN) and a software defined network (Software Defined Network, SDN).
Background
Network security has been a research hotspot in recent years, and many researchers have studied how to better avoid DDoS attacks and have proposed many methods. Despite the many studies on DDoS attacks, technical and practical limitations leave many problems to overcome and many challenges to face:
(1) Collecting traffic information for DDoS attack detection. Cui Yunhe et al. have the controller poll continuously, pull the information to be processed into a switch message management queue, and use it as the basis for detecting whether a DDoS attack has occurred. The disadvantage of this approach is that extracting traffic information by polling puts additional load on the controller and cannot detect the occurrence of DDoS attacks in real time.
(2) Selecting SDN traffic features. In a real application scenario, the choice of DDoS traffic features determines the effectiveness and efficiency of detection. Yin Wencheng et al. extract the SDN network traffic information that is more relevant to DDoS attacks and use it as model input; this input may contain redundant features and does not fully exploit the characteristics of DDoS attacks. Tan Liang et al. construct some traffic features sensitive to DDoS for this purpose, which does work well, but the construction is not complete, and normal traffic scenarios that resemble DDoS attacks (e.g. FC traffic) may cause false detections.
(3) Designing the DDoS attack detection model. Miao Xianghua et al. detect DDoS with a method based on information entropy: it analyzes the packet information sent to the SDN controller and determines whether a DDoS attack is under way from how randomly the destination addresses of packets vary in a normal network environment and in a DDoS attack network environment. Xiong Xiong et al. use deep neural networks as the DDoS detection model; these do achieve higher accuracy, but they take longer to train, and the optimization of the model parameters depends too heavily on the experimenters' experience, which makes it unstable.
Disclosure of Invention
To address the above problems, the invention provides a DDoS detection method based on GSODNN and SDN, which comprises the following steps:
the SDN controller counts the number of Packet In packets of each switch within a time T to judge whether the switch is abnormal; if so, it calculates the source IP address entropy of the Packet In packets of the abnormal switch within the time T, which is used to judge whether the abnormality is likely to be a DDoS attack;
for packets that may belong to a DDoS attack, the SDN controller extracts the flow table features and related network traffic features of the abnormal switch, selects the optimal feature set with the MIC-FCBF algorithm, and constructs features sensitive to DDoS attacks;
the selected optimal feature set and the constructed features sensitive to DDoS attacks are input into a deep neural network based on an artificial firefly swarm optimization algorithm to detect the DDoS attack.
Further, the process by which the controller pre-detects a DDoS attack includes:
the switch uploads to the controller the packet_in packets that failed to match the flow table;
the controller counts the number of packet_in packets of each switch within a set time period;
if the number of packet_in packets of a switch does not exceed the set threshold, the corresponding data are handed to the controller for subsequent processing; otherwise, the entropy of the source IP addresses of the packets is calculated;
it is judged whether the entropy of the source IP addresses of the packets exceeds a set threshold; if not, the corresponding data are handed to the controller for subsequent processing; otherwise, DDoS attack detection is carried out.
Further, the entropy of the source IP addresses of the packets is expressed as:
where H(X) is the entropy of the source IP addresses of the packets; X is the set of source IP addresses of the packets; p_i is the proportion of the i-th source IP address in the source IP address set; and n is the number of elements in the set of source IP addresses of the packets.
Further, the process of selecting the optimal feature set with the MIC-FCBF algorithm comprises the following steps:
101. calculating the maximum mutual information coefficient between each traffic feature and the target feature, denoted MIC_Yi, and selecting the m features with the largest maximum mutual information coefficient values;
102. taking the feature with the largest maximum mutual information coefficient with the target feature as the main feature F_Yi, and calculating in turn the maximum mutual information coefficient between each of the other selected features and the main feature, denoted MIC_ij;
103. if MIC_ij ≥ MIC_Yi, feature j is a redundant feature of main feature i, and feature j is deleted;
104. selecting, as the main feature, the feature with the highest maximum mutual information coefficient between traffic feature and target feature, and repeating 102-103.
Further, the maximum mutual information coefficient between two features is calculated as:
where MIC(X, Y) is the maximum mutual information coefficient between feature X and feature Y; IG(X|Y) is the information gain between the information entropy of feature X and the conditional entropy H(X|Y) of feature X given feature Y; H(X) is the information entropy of feature X; and H(Y) is the information entropy of feature Y.
Further, the process of constructing the features sensitive to DDoS attacks includes:
the weighted average number of bytes of the packets, expressed as:
the weighted flow distribution entropy, expressed as:
the weighted flow table entry increase rate, expressed as:
the weighted source IP address entropy, expressed as:
where DST_numi, i ∈ {1, 2, 3, …, n}, is the number of addresses DST_i in the switch flow table entries; DST_numall is the total number of switch flow entries; ε is a weighted value of the feature, ε ∈ (1, 2]; packet_bytei, i ∈ {1, 2, 3, …, n}, is the number of bytes of the i-th Packet In packet within time T; packet_num is the total number of Packet In packets within time T; flow_i_num is the number of the i-th data flows in the traffic data collection stage for detecting DDoS attacks; FE_num is the total number of data flows in the network; the two remaining quantities are the total number of switch flow entries at time point t_0 and the total number of switch flow tables at time point t_0 + Δt, where Δt approaches 0 indefinitely; srcip_i_num is the number of the i-th source IP addresses in the switch flow table, i ∈ {1, 2, 3, …, n}, n being the total number of source IP addresses; and fe_num is the total number of switch flow entries.
Further, the process of inputting the selected optimal feature set and the constructed features sensitive to DDoS attacks into the deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection comprises the following steps:
normalizing the selected optimal feature set and the constructed features sensitive to DDoS attacks;
inputting the normalized features into a pre-trained deep neural network based on the artificial firefly swarm optimization algorithm to judge whether a DDoS attack exists; if so, corresponding defensive measures are taken; otherwise, the packets are handed to the controller for subsequent processing.
Further, the training process of the deep neural network based on the artificial firefly swarm optimization algorithm comprises the following steps:
initializing the basic parameters of the artificial firefly swarm optimization algorithm, and taking the accuracy of deep neural network training as the objective function;
setting a value range for each parameter of the deep neural network, taking these ranges as the search space of the artificial firefly swarm optimization algorithm, and randomly initializing n fireflies in the search range, where each firefly corresponds to one parameter combination of the deep neural network;
importing the training data into the n deep neural networks corresponding to the fireflies, training each of them, and calculating the objective function value corresponding to each firefly;
updating the luciferin value of each firefly, and taking the other fireflies whose luciferin value is larger than that of the current firefly as the neighbors of the current firefly;
calculating, with a roulette strategy, the probability of each firefly in the current firefly's neighbor set being selected; obtaining a random number from a random function; moving toward the firefly in the neighbor set whose cumulative selection probability is closest to the random number; and updating the current firefly's position;
updating the dynamic decision threshold of each firefly, and judging whether the number of iterations of the artificial firefly swarm optimization algorithm has reached the maximum or a set error threshold has been reached; if either is reached, the iteration process ends;
finding the firefly with the highest luciferin value in the last iteration; the deep neural network parameters corresponding to that firefly are used as the parameters of the deep neural network.
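The training loop above can be exercised end to end with the added sketch below, which is not code from the patent. The luciferin, selection-probability, movement and decision-range formulas are the standard glowworm swarm optimization update rules and are an assumption here, since this text does not give them; the parameter ranges and the surrogate_accuracy function (a stand-in for actually training a deep neural network) are constructed for illustration.

```python
import math
import random

# Constructed search space: one firefly = one DNN parameter combination.
BOUNDS = {
    "hidden_layers": (1, 6),     # rounded to an integer
    "neurons": (16, 256),        # rounded to an integer
    "log10_lr": (-4.0, -1.0),    # learning rate = 10 ** log10_lr
    "dropout": (0.0, 0.5),
}
INT_PARAMS = ("hidden_layers", "neurons")

def decode(unit_pos):
    """Map a point of the unit hypercube to a concrete parameter combination."""
    params = {}
    for u, (name, (lo, hi)) in zip(unit_pos, BOUNDS.items()):
        value = lo + u * (hi - lo)
        params[name] = round(value) if name in INT_PARAMS else value
    return params

def surrogate_accuracy(p):
    """Constructed stand-in for 'train the DNN with p and return its accuracy'."""
    penalty = (0.02 * (p["hidden_layers"] - 3) ** 2
               + 0.10 * ((p["neurons"] - 128) / 112) ** 2
               + 0.05 * (p["log10_lr"] + 3.0) ** 2
               + 0.40 * (p["dropout"] - 0.2) ** 2)
    return 0.99 - penalty

def roulette_pick(probs, r):
    """Index of the first neighbour whose cumulative probability reaches r."""
    acc = 0.0
    for idx, p in enumerate(probs):
        acc += p
        if r <= acc:
            return idx
    return len(probs) - 1  # floating-point guard when r is just below 1.0

def gso_search(objective, n=20, max_iters=60, target=None, rho=0.4, gamma=0.6,
               beta=0.08, n_t=5, step=0.03, l0=5.0, seed=0):
    """Return (best parameters, their objective value, leader score per iteration)."""
    rng = random.Random(seed)
    dim = len(BOUNDS)
    r_s = math.sqrt(dim)  # sensor range: the diagonal of the unit hypercube
    pos = [[rng.random() for _ in range(dim)] for _ in range(n)]
    luc = [l0] * n        # luciferin value of each firefly
    r_d = [r_s] * n       # dynamic decision range of each firefly
    history = []
    for _ in range(max_iters):
        # Objective value of every firefly, then the luciferin update.
        scores = [objective(decode(p)) for p in pos]
        luc = [(1 - rho) * l + gamma * s for l, s in zip(luc, scores)]
        leader = max(range(n), key=luc.__getitem__)
        leader_pos, leader_score = pos[leader][:], scores[leader]
        history.append(leader_score)
        if target is not None and leader_score >= target:
            break  # assumed form of the "set error threshold" stop condition
        new_pos = [p[:] for p in pos]
        for i in range(n):
            # Neighbours: brighter fireflies inside the decision range.
            nbrs = [j for j in range(n) if luc[j] > luc[i]
                    and math.dist(pos[i], pos[j]) < r_d[i]]
            if nbrs:
                total = sum(luc[j] - luc[i] for j in nbrs)
                probs = [(luc[j] - luc[i]) / total for j in nbrs]
                j = nbrs[roulette_pick(probs, rng.random())]
                d = math.dist(pos[i], pos[j])
                if d > 0:  # fixed-size step toward j, clamped to the space
                    new_pos[i] = [min(1.0, max(0.0, a + step * (b - a) / d))
                                  for a, b in zip(pos[i], pos[j])]
            r_d[i] = min(r_s, max(0.0, r_d[i] + beta * (n_t - len(nbrs))))
        pos = new_pos
    # The firefly with the highest luciferin in the last iteration wins.
    return decode(leader_pos), leader_score, history
```

Replacing surrogate_accuracy with a function that trains and validates a real network turns this into the search the steps describe; each objective call is then one full training run, so n and max_iters dominate the cost.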
The invention has the following beneficial effects:
1. The invention adopts an entropy-based pre-detection method. It judges whether network traffic is abnormal from the entropy of traffic features that change markedly when a DDoS attack occurs, which achieves pre-detection of traffic anomalies and triggers the SDN controller to collect the relevant traffic features for DDoS attack detection.
2. The invention adopts the MIC-FCBF algorithm to extract traffic features and reconstructs effective features. The quality of traffic feature selection is a key factor in the accuracy of the detection model, so the technique preprocesses and reconstructs SDN traffic features. It analyzes the correlation between the traffic features and whether a DDoS attack occurs, selects the features with greater influence on DDoS attack detection, and reconstructs traffic features according to the network traffic that changes markedly when a DDoS attack occurs and the differences between DDoS attack traffic and FC traffic, so as to remove data redundancy and detect efficiently and accurately.
3. The invention adopts a deep neural network based on an artificial firefly swarm optimization algorithm as the DDoS attack detection model. Traditional neural network parameter optimization proceeds by repeated training, with the parameters adjusted manually after each run according to the training result and experience, until a good classification or prediction effect is finally reached. This approach does not necessarily yield an optimal neural network model, and manual parameter adjustment depends too heavily on the experimenters' experience, so obtaining a high-quality model takes too long. The technique therefore uses the artificial firefly swarm optimization algorithm, an intelligent optimization algorithm, to help train the neural network: the parameters of the neural network (the number of hidden layers, the number of hidden layer neurons, the learning rate, the Dropout value, the activation function, the optimizer and the like) are taken as firefly individuals, the neural network training result is taken as the fitness function of the artificial firefly swarm optimization algorithm, and a neural network model with optimal parameters is found through repeated iterative training. This avoids the instability of manual tuning, shortens training time, and improves detection accuracy.
Drawings
FIG. 1 is a flow chart of the DDoS detection method based on GSODNN and SDN;
FIG. 2 is a schematic diagram of an abnormal switch detection of the present invention;
FIG. 3 is a schematic diagram of entropy-based pre-detection of the present invention;
FIG. 4 is a flow feature selection flow chart based on the MIC-FCBF algorithm;
FIG. 5 is a flow chart of the feature extraction and processing of the present invention;
FIG. 6 is a diagram of a neuron structure employed in the present invention;
FIG. 7 is a block diagram of a neural network employed in the present invention;
FIG. 8 is a flow chart of deep neural network training;
FIG. 9 is a flowchart of an artificial firefly swarm optimization algorithm;
FIG. 10 is a flowchart of an artificial firefly swarm optimization algorithm-based deep neural network according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some, not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art from the embodiments of the invention without inventive effort fall within the scope of protection of the invention.
The invention provides a DDoS detection method based on GSODNN and SDN, which comprises the following steps:
the SDN controller counts the number of Packet In packets of each switch within a time T to judge whether the switch is abnormal; if so, it calculates the source IP address entropy of the Packet In packets of the abnormal switch within the time T, which is used to judge whether the abnormality is likely to be a DDoS attack;
for packets that may belong to a DDoS attack, the SDN controller extracts the flow table features and related network traffic features of the abnormal switch, selects the optimal feature set with the MIC-FCBF algorithm, and constructs features sensitive to DDoS attacks;
the selected optimal feature set and the constructed features sensitive to DDoS attacks are input into a deep neural network based on an artificial firefly swarm optimization algorithm to detect the DDoS attack.
In this embodiment, the method is divided into two parts: a DDoS attack pre-detection module and a DDoS attack detection module. The main function of the DDoS attack pre-detection module is to sense a DDoS attack promptly when it occurs and to trigger the DDoS attack detection module to collect the relevant information for attack detection. It counts the number of Packet In packets of each switch within a certain time and judges whether the count exceeds the specified threshold; if it does, the packets processed by that switch may be abnormal. The entropy of the source IP addresses of all packets processed within that time by the switch exceeding the threshold is then calculated and compared with the specified threshold; if it exceeds the threshold, a DDoS attack is judged to be possible and the DDoS attack detection module is triggered. The DDoS attack detection module mainly comprises feature collection, feature selection, feature reconstruction, feature processing and DDoS attack detection.
Feature collection means that, after the DDoS attack pre-detection module detects an abnormality that may be a DDoS attack, the controller collects the flow table information and related traffic information of the abnormal switch to provide data support for DDoS attack detection. Feature selection means selecting features with the MIC-FCBF algorithm, removing irrelevant features and removing redundant features. Feature reconstruction means reconstructing the traffic features that change markedly when a DDoS attack occurs and the effective features that distinguish DDoS attacks from FC traffic, so as to improve the effectiveness and accuracy of detection. Feature processing means normalizing the features to improve the convergence speed and detection precision of the detection model. DDoS attack detection means using a trained deep neural network model based on the artificial firefly swarm optimization algorithm to perform binary classification on the processed feature data and so judge whether a DDoS attack has occurred. As shown in FIG. 1, the method specifically includes:
(I) DDoS attack pre-detection module
This module is mainly responsible for sensing a DDoS attack in advance, marking the switches that may be receiving DDoS attack packets, and triggering the operation of the DDoS attack detection module.
1. Judging whether the data flow in the network is normal
Packets in the SDN are matched and forwarded according to the flow table in the switch. When a packet cannot be matched, the switch cannot process it and can only forward it to the controller for processing as a Packet In message. As shown in FIG. 2, after the controller finishes processing, it issues a corresponding flow table instruction to the switch, so that this packet and other packets conforming to the matching rule can be forwarded according to the flow table entry. When a DDoS attack occurs, a large number of attack packets are generated; their source IP addresses are often forged and cannot be matched in the switch, so a large number of Packet In packets are generated and handed to the controller for processing, which overloads the controller or even brings it down. To exploit this characteristic of DDoS attacks, we number the switch IDs, denoted Si, i = {1, 2, …, N}, N being the number of switches. The number of Packet In packets of each switch within a certain time T is then counted and denoted psi = {Ps1, Ps2, Ps3, …, Psn}, where sn is the switch number. These counts are compared with a set threshold P: if the number of Packet In packets of a switch within the time T is greater than P, the data flow of that switch is considered abnormal, and the switch ID is recorded as the object of the next verification step. The threshold P is obtained by simulating various DDoS attacks many times and analyzing how the sending rate of Packet In packets of the abnormal switch changes.
2. Determining whether a DDoS attack is likely
Because many situations can cause the number of Packet In packets to increase, an increase alone does not make a DDoS attack very likely, so it is necessary to determine further whether the abnormal traffic is likely to be a DDoS attack flow. The previous stage yields a set of switch IDs with abnormal traffic, denoted S = {Si, Sj, …, Sk}. As shown in FIG. 3, to determine further whether the abnormal traffic is likely to be a DDoS attack flow, the entropy H(Si_sip) of the source IP addresses of the Packet In packets of each of these switches within the time T is calculated (with the information entropy formula) and compared with a specified threshold H. If the value is greater than H, a DDoS attack is judged to be possible and the DDoS detection module is triggered; otherwise normal processing is performed. The threshold H is obtained by simulating various DDoS attacks many times and statistically analyzing how the entropy of the source IP addresses of the Packet In packets of the abnormal switch changes within the time T.
The entropy mentioned above is information entropy, which measures the degree of uncertainty of the information contained in a system. In mathematics, information entropy is defined as the expectation of the amount of information and is used to quantify the uncertainty of a variable: the greater the uncertainty, the greater the entropy of the variable. Based on this property, information entropy can be used to measure the degree of uncertainty of network traffic features in the SDN network. The formula of information entropy is as follows.
For a random variable X with value set X = {x_1, x_2, x_3, …, x_n}, the probability distribution over the values x_i is P = {p_1, p_2, p_3, …, p_n}, wherein The information entropy formula of the random variable X is:
In general, a DDoS attack uses IP spoofing, i.e. it forges the source IP address and sends a large number of attack packets to the destination host in order to consume network system resources. When a DDoS attack occurs, a large number of packets with source IP addresses not seen before are generated, so the source IP addresses are particularly scattered and their information entropy is larger. The source IP addresses of the Packet In packets of an abnormal switch within the time T can therefore be extracted and the entropy of the source IP address set calculated; if the entropy is greater than a given threshold, a DDoS attack is judged to be possible and the DDoS detection module is triggered.
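The two-stage pre-detection (the controller steps listed in the Disclosure and the description above) is shown below as an added example that is not code from the patent. It uses the standard Shannon entropy with base-2 logarithm; the function names, the event tuples, the sample traffic and the threshold values P = 20 and H = 4.0 are constructed for illustration, whereas the patent derives P and H from repeated attack simulations.

```python
import math
from collections import Counter, defaultdict

def source_ip_entropy(src_ips):
    """Shannon entropy (bits) of the source-IP distribution of a packet list."""
    counts = Counter(src_ips)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def predetect(events, window_start, T, P, H):
    """Classify every switch seen in the window [window_start, window_start + T).

    events: iterable of (timestamp, switch_id, src_ip), one per Packet In.
    P: Packet In count threshold, H: source-IP entropy threshold.
    Stage 1 flags a switch as abnormal when its Packet In count exceeds P.
    Stage 2 runs only for abnormal switches and compares the entropy with H.
    """
    per_switch = defaultdict(list)
    for ts, switch_id, src_ip in events:
        if window_start <= ts < window_start + T:
            per_switch[switch_id].append(src_ip)

    result = {}
    for switch_id, ips in per_switch.items():
        if len(ips) <= P:
            # Count within the threshold: normal controller processing.
            result[switch_id] = {"verdict": "normal",
                                 "packet_in": len(ips), "entropy": None}
            continue
        h = source_ip_entropy(ips)
        verdict = "possible_ddos" if h > H else "abnormal_not_ddos"
        result[switch_id] = {"verdict": verdict,
                             "packet_in": len(ips), "entropy": h}
    return result

def build_sample_events():
    """Constructed Packet In events using documentation address ranges."""
    events = []
    # s1: light load, stays below the count threshold.
    events += [(i * 0.5, "s1", f"192.0.2.{1 + i % 2}") for i in range(6)]
    # s2: burst from three clients: many packets, concentrated sources.
    events += [(i * 0.1, "s2", f"198.51.100.{1 + i % 3}") for i in range(40)]
    # s3: burst in which every packet carries a previously unseen source.
    events += [(i * 0.1, "s3", f"203.0.113.{1 + i}") for i in range(40)]
    # Outside the window: must not be counted.
    events.append((7.0, "s1", "192.0.2.9"))
    return events

if __name__ == "__main__":
    verdicts = predetect(build_sample_events(), 0.0, 5.0, P=20, H=4.0)
    for switch_id, info in sorted(verdicts.items()):
        print(switch_id, info)
```

Only switches reported as possible_ddos would trigger feature collection and the GSODNN detection stage; the entropy is computed only for switches that already exceeded P, which keeps the per-window cost on the controller low.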
(II) DDoS attack detection module
The main function of this module is, when a possible DDoS attack is detected in the DDoS attack pre-detection stage, to collect and extract the flow table features and traffic features required for detection, construct new effective features, normalize the features, and finally pass the processed feature data into a trained GSODNN model for detection, so as to judge whether the possible DDoS attack has actually occurred, i.e. whether a DDoS attack is detected in the network. However, the network has a great many traffic features, such as packet features, flow features and flow table features, and these are a key link in detection. In this embodiment, network features are selected with the MIC-FCBF algorithm and then processed: features with low correlation are removed and redundant features are removed, which yields the effective features required for detection.
1. Traffic feature selection based on the MIC-FCBF algorithm
With the development of internet technology and the arrival of the big data era, a large amount of data is generated every day, and network data is no exception. In an SDN network, every network flow is accompanied by a large number of traffic features. When a DDoS attack occurs, only a small part of the traffic features may be related to the attack and change with it, so irrelevant and redundant features need to be removed for DDoS attack detection, and the features need to be reduced in dimension, in order to lower the time complexity of the algorithm and improve detection accuracy. The traffic features are selected with the MIC-FCBF algorithm.
The FCBF algorithm is a feature selection method built on one significant idea: it uses a backward sequential search strategy to find the optimal feature subset quickly and effectively. It uses symmetric uncertainty SU (Symmetrical uncertainty) to measure whether a feature is related to the target variable and to judge whether features are repeated and redundant.
The description of the pre-detection stage gives the formula for the entropy of a random variable X; this is the entropy of a single variable and represents the uncertainty of the variable's value set. When another variable Y is known, the uncertainty of X may decrease. The entropy of X given Y is called conditional entropy, denoted H(X|Y), and is calculated as follows:
H(X|Y) = ∑_y p(y) H(X|Y=y) = −∑_y p(y) ∑_x p(x|y) log p(x|y)
As can be seen from the above, the conditional entropy of the variable X given Y is H(X|Y), which is smaller than the information entropy of X. The amount by which the entropy is reduced is called the information gain IG(X|Y), and is calculated as follows:
IG(X|Y)=H(X)-H(X|Y)
From the definition of the information gain IG(X|Y), it represents the degree of influence of one variable on another, i.e. it is a measure of the correlation between two variables. In the FCBF algorithm, however, the correlations between different features and between the features and the target variable have to be compared, and because each feature has a different type and an uncertain value range, they are hard to compare directly. The information gain therefore needs to be normalized to the symmetric uncertainty SU (Symmetrical uncertainty), which is calculated as follows:
The symmetric uncertainty (Symmetrical uncertainty, SU) is the measure of the correlation between two variables in the FCBF algorithm, but experiments show that normalizing the information gain IG(X|Y) in this way may make the normalized value too small, so that the experimental result does not achieve the expected effect. The invention therefore uses the maximum mutual information coefficient (Maximal Information Coefficient, MIC) instead of SU as the measure of variable correlation in the FCBF algorithm, calculated as follows:
where min(H(X), H(Y)) < (H(X) + H(Y))/2, so the value normalized in this form becomes larger and the experimental result becomes better.
Based on the above description, the MIC-FCBF algorithm is divided into two steps, removing irrelevant features and removing redundant features, as shown in FIG. 4. The algorithm works as follows:
First stage: remove the irrelevant features to obtain a subset of relevant features. For the feature set F = {F_1, F_2, F_3, …, F_n}, where n is the number of features, the MIC_Yi value between each feature F_i and the target variable Y is calculated separately, where i ∈ [1, n]. When MIC_Yi meets the threshold t (t is a threshold set in advance), F_i is considered a feature related to the target variable and is added to the set F_Y. After all the features have been traversed, the subset of features related to the target variable is obtained, F_Y = {F_Y1, F_Y2, F_Y3, …, F_Ym}, where m is the number of features related to the target variable, 0 ≤ m ≤ n.
Second stage: remove the redundant features to obtain the optimal feature subset. All of the following operations are performed on the related feature subset F_Y obtained in the first stage.
(1) Select the feature F_Yi with the largest MIC_Yi value in F_Y as the main feature;
(2) in F_Y, select in turn the other features F_Yj whose MIC_Yj value is less than the MIC_Yi value of the main feature, calculate the MIC_ij value between each feature F_Yj and the main feature F_Yi, and compare it with the MIC_Yi value between the main feature F_Yi and the target variable Y;
(3) if MIC_ij ≥ MIC_Yi, the feature F_Yj is a redundant feature of the main feature F_Yi and is removed from F_Y;
(4) after the set F_Y has been traversed, the redundant features corresponding to this round's main feature have been removed, and steps (1), (2) and (3) are executed again, where a feature previously selected as the main feature cannot be selected as the main feature again;
(5) when no main feature can be selected from the set F_Y, the algorithm ends, and the features remaining in the set F_Y constitute the optimal feature subset.
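The two stages can be followed on a small data set with the added sketch below, which is not code from the patent and serves both the summary steps 101-104 and the staged description above. The page's MIC formula is missing from this text, so mic() assumes the normalisation IG(X|Y) / min(H(X), H(Y)) implied by the remark about min(H(X), H(Y)); the relevance test MIC_Yi ≥ t, the feature names and the already-discretised sample values are likewise constructed assumptions.

```python
import math
from collections import Counter

def entropy(xs):
    """Information entropy H(X) of a discrete feature, in bits."""
    n = len(xs)
    return -sum(c / n * math.log2(c / n) for c in Counter(xs).values())

def cond_entropy(xs, ys):
    """Conditional entropy H(X|Y): entropy of X in each Y group, weighted by p(y)."""
    groups = {}
    for x, y in zip(xs, ys):
        groups.setdefault(y, []).append(x)
    return sum(len(g) / len(xs) * entropy(g) for g in groups.values())

def mic(xs, ys):
    """Assumed normalisation: IG(X|Y) / min(H(X), H(Y))."""
    denom = min(entropy(xs), entropy(ys))
    if denom <= 0:
        return 0.0  # a constant feature carries no information
    return (entropy(xs) - cond_entropy(xs, ys)) / denom

def mic_fcbf(features, target, t):
    """Return (selected feature names, relevance of every feature to the target)."""
    relevance = {name: mic(col, target) for name, col in features.items()}
    # Stage 1: keep features whose relevance meets the threshold t (assumed >=),
    # ordered from most to least relevant.
    kept = [name for name in sorted(relevance, key=relevance.get, reverse=True)
            if relevance[name] >= t]
    # Stage 2: each surviving feature becomes the main feature exactly once.
    used_as_main = set()
    while True:
        candidates = [name for name in kept if name not in used_as_main]
        if not candidates:
            break
        main = candidates[0]
        used_as_main.add(main)
        survivors = []
        for name in kept:
            less_relevant = name != main and relevance[name] < relevance[main]
            if less_relevant and mic(features[name], features[main]) >= relevance[main]:
                continue  # MIC_ij >= MIC_Yi: redundant with the main feature
            survivors.append(name)
        kept = survivors
    return kept, relevance

# Constructed, already-discretised samples: 8 time windows, label 1 = DDoS.
LABEL = [0, 0, 0, 0, 1, 1, 1, 1]
FEATURES = {
    "flow_entries_3bin": [0, 0, 0, 1, 1, 1, 2, 2],
    "flow_entries_2bin": [0, 0, 0, 1, 1, 1, 1, 1],  # coarser copy of the above
    "avg_pkt_bytes_bin": [0, 0, 1, 0, 1, 1, 0, 1],
    "port_parity":       [0, 1, 0, 1, 0, 1, 0, 1],  # unrelated to the label
}

if __name__ == "__main__":
    selected, relevance = mic_fcbf(FEATURES, LABEL, t=0.1)
    print("relevance:", {k: round(v, 4) for k, v in relevance.items()})
    print("selected:", selected)
```

On this data port_parity is dropped in the first stage, and flow_entries_2bin is dropped in the second stage because it is fully determined by flow_entries_3bin. Real flow statistics are continuous and must be binned before these entropy estimates are meaningful.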
2. Feature construction
Step 1 yields an optimal network feature set for detecting DDoS attacks. However, detecting DDoS attacks only from the correlation between traffic features and whether a DDoS attack occurs is one-sided and unconvincing, and it cannot distinguish DDoS attack traffic from FC traffic, which can cause misjudgment. Therefore, in this embodiment, 5 features are constructed from the traffic features that change markedly when a DDoS attack occurs and from the differences between DDoS attack traffic and FC traffic. These 5 features, combined with the optimal feature set obtained in step 1, are used as the feature input of the GSODNN detection model to improve the effectiveness and accuracy of model detection. The 5 constructed features are detailed below:
(1) Weighted maximum destination IP proportion (Maximum proportion of destination IP, MPDI)
In general, a DDoS attack is launched against one or several fixed hosts/servers, so when a DDoS attack occurs, the destination IP addresses of the network traffic packets are concentrated on one or several IP addresses. That is, the proportion of certain destination IP addresses among the switch flow table entries rises rapidly, and the maximum destination IP proportion rises with it. Whether a DDoS attack is occurring can therefore be judged from the MPDI, and the calculation formula is as follows:
where $DST_{numi}$, $i\in\{1,2,3,\dots,n\}$, is the number of entries in the switch flow table whose address is $DST_i$; $DST_{numall}$ is the total number of switch flow table entries; and $\varepsilon$ is the weight of the feature, $\varepsilon\in(1,2]$. Analysis shows that this feature is more important than the other flow features, so a weight greater than 1 is applied to it.
(2) Weighted average packet bytes (Packet average bytes, PAB)
When launching a DDoS attack, an attacker often sends a large number of packets with small byte lengths (such packets generally contain only the packet header and a small amount of data) in order to improve the efficiency of the attack. PAB is therefore a clear indicator of whether a DDoS attack is occurring, and the calculation formula is as follows:
where $packet_{bytei}$, $i\in\{1,2,3,\dots,n\}$, is the number of bytes of the $i$-th Packet_In packet within time $T$; $packet_{num}$ is the total number of Packet_In packets within time $T$; and $\varepsilon$ is the weight of the feature, $\varepsilon\in(1,2]$. Analysis shows that this feature is more important than the other flow features, so a weight greater than 1 is applied to it.
(3) Weighted flow distribution entropy (Entropy of network flow, ENF):
In an SDN network environment under normal traffic, the number of flows in the network and the state of the flows are relatively stable, and most newly added flows are flows that have occurred before. When a DDoS attack occurs, however, a large number of flows that have not previously occurred appear in the network, so the set of network flows becomes very dispersed and its entropy increases. ENF can therefore be an important feature for distinguishing whether traffic is a DDoS attack flow, and its calculation formula is as follows:
where $flow_{i\_num}$, $i\in\{1,2,3,\dots,n\}$, is the number of the $i$-th data flow in the traffic collection stage of DDoS attack detection; $FE\_num$ is the total number of data flows in the network; and $\varepsilon$ is the weight of the feature, $\varepsilon\in(1,2]$. Analysis shows that this feature is more important than the other flow features, so a weight greater than 1 is applied to it.
(4) Weighted flow table entry increase rate (Increase rate of flow entries, IFE):
Research has found that, to mask the real address of the attacking hosts, DDoS attackers forge source IP addresses. When a DDoS attack is launched, a large number of attack packets therefore fail to match any entry in the switch flow table; the controller has to find the best forwarding port and issue the corresponding flow table entry, so the switches that the attack packets pass through gain new flow table entries. With FC traffic, the number of packets passing through the switch also increases sharply, but most of them match existing entries in the switch flow table, so the growth of flow table entries is not significantly affected. IFE is therefore not only an important feature for detecting DDoS attacks but also an important feature for distinguishing DDoS attack flows from FC traffic. The calculation formula is as follows:
where $FE_{t_0\_num}$ is the total number of switch flow table entries at time $t_0$; $FE_{(t_0+\Delta t)\_num}$ is the total number of switch flow table entries at time $t_0+\Delta t$, with $\Delta t$ approaching 0; and $\varepsilon$ is the weight of the feature, $\varepsilon\in(1,2]$. Analysis shows that this feature is more important than the other flow features, so a weight greater than 1 is applied to it.
(5) Weighted source IP address entropy (Source IP address entropy, SIAE)
A DDoS attack forges a large number of source IP addresses, that is, it generates many packets whose source IP addresses have not appeared before, so a large number of flow table entries with new source IP addresses are added to the switch flow table; the source IPs become very dispersed and the information entropy increases. When FC traffic occurs, a large number of packets are also generated, but most of their source IP addresses have appeared before, so the dispersion of source IP addresses in the switch flow table is not greatly affected. SIAE is therefore not only a good indicator of a DDoS attack but can also be used to distinguish DDoS attack flows from FC traffic. The calculation formula is as follows:
where $Srcip_{i\_num}$, $i\in\{1,2,3,\dots,n\}$, is the number of occurrences of the $i$-th source IP address in the switch flow table; $n$ is the total number of source IP addresses; $FE\_num$ is the total number of switch flow table entries; and $\varepsilon$ is the weight of the feature, $\varepsilon\in(1,2]$. Analysis shows that this feature is more important than the other flow features, so a weight greater than 1 is applied to it.
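An added example (not from the patent) that computes the five constructed features for a constructed flash-crowd window and a constructed DDoS window. The formula expressions are not reproduced in this text, so the expressions in the code are assumptions built from the symbol definitions above, with ε = 1.5, base-2 logarithms and a finite Δt; all field names and addresses are hypothetical.

```python
import math
from collections import Counter

EPSILON = 1.5   # assumed weight; the text only requires epsilon in (1, 2]

def weighted_entropy(counts, eps):
    """eps * Shannon entropy (bits) of a list of occurrence counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -eps * sum(c / total * math.log2(c / total) for c in counts if c)

def constructed_features(window, eps=EPSILON):
    """Compute MPDI, PAB, ENF, IFE and SIAE for one observation window.

    window keys (hypothetical names for this example):
      flow_entries    (src_ip, dst_ip) of each switch flow entry at t0 + dt
      entries_t0      number of flow entries at t0
      dt              seconds between the two flow-table snapshots
      packet_in_bytes byte length of each Packet_In packet seen in time T
      flow_hits       flow identifier of each packet collected in the window
    """
    entries = window["flow_entries"]
    sizes = window["packet_in_bytes"]
    fe_num = len(entries)
    dst = Counter(d for _, d in entries)
    src = Counter(s for s, _ in entries)
    flows = Counter(window["flow_hits"])
    return {
        # assumed form: eps * max_i(DST_numi) / DST_numall
        "MPDI": eps * max(dst.values()) / fe_num if fe_num else 0.0,
        # assumed form: eps * sum_i(packet_bytei) / packet_num
        "PAB": eps * sum(sizes) / len(sizes) if sizes else 0.0,
        # assumed form: -eps * sum_i p_i log2 p_i, p_i = flow_i_num / FE_num
        "ENF": weighted_entropy(list(flows.values()), eps),
        # assumed form: eps * (FE_(t0+dt)_num - FE_t0_num) / dt
        "IFE": eps * (fe_num - window["entries_t0"]) / window["dt"],
        # assumed form: -eps * sum_i p_i log2 p_i, p_i = Srcip_i_num / FE_num
        "SIAE": weighted_entropy(list(src.values()), eps),
    }

# Constructed data: 8 flow entries exist at t0 (4 known clients, 2 services).
SVC_A, SVC_B = "10.0.1.10", "10.0.1.20"
CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
BASE = [(c, SVC_A) for c in CLIENTS] + [(c, SVC_B) for c in CLIENTS]

FLASH_CROWD = {   # known clients open more flows to one service
    "flow_entries": BASE + [("10.0.0.1", SVC_A), ("10.0.0.2", SVC_A)],
    "entries_t0": 8, "dt": 1.0,
    "packet_in_bytes": [512, 640, 1024, 384],
    "flow_hits": ["f1"] * 4 + ["f2"] * 4,
}
DDOS = {          # 16 forged sources (TEST-NET-2 addresses), small packets
    "flow_entries": BASE + [("198.51.100.%d" % i, SVC_A) for i in range(1, 17)],
    "entries_t0": 8, "dt": 1.0,
    "packet_in_bytes": [60] * 12 + [64] * 4,
    "flow_hits": ["atk%d" % i for i in range(16)],
}

if __name__ == "__main__":
    for name, window in (("flash crowd", FLASH_CROWD), ("DDoS", DDOS)):
        feats = constructed_features(window)
        print(name, {k: round(v, 3) for k, v in feats.items()})
```

On this data MPDI rises in both windows, while IFE and SIAE stay low for the flash crowd and jump for the forged-source window, which is the separation the text attributes to those two features.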
3. Feature extraction and processing
All features for detecting DDoS attacks are obtained through steps 1 and 2. These features are extracted from the public dataset during the model training phase, and from the data flows and the switch flow table during the DDoS detection phase. However, the dimensions of the individual features are not uniform and most of the features differ by orders of magnitude, which affects the results of model training and analysis. To solve this problem, the data is normalized so that all features of the original data are on the same order of magnitude, which makes them suitable for comprehensive comparison and evaluation. The formula for feature normalization is as follows:
where $x_i'$ is the normalized value of a sample of the $i$-th feature, $x_i$ is the value of a sample of the $i$-th feature, $\max(x_i)$ is the maximum value over all samples of the $i$-th feature, $\min(x_i)$ is the minimum value over all samples of the $i$-th feature, and $\theta$ is a perturbation factor greater than 0 that keeps the denominator from being 0 and increases the fluctuation of the feature.
As shown in Fig. 5, after the required features are extracted and normalized, they can be input into the model for training and detection.
4. GSODNN-based DDoS attack detection model
After all network features have been extracted, constructed and processed, they are used as the input of a detection model that performs binary classification on whether a DDoS attack is occurring, which reveals whether the network is under DDoS attack. The quality of the detection model largely determines the quality of the detection result, and this embodiment proposes a deep neural network detection model based on the artificial firefly group optimization algorithm. Training a traditional deep neural network requires the experimenter to tune parameters manually, so a high-quality model depends on the experimenter's experience, the model is unstable, and the continual manual adjustment makes training time long. This embodiment therefore uses the global optimization capability of the artificial firefly group optimization algorithm: the parameter set of the deep neural network is treated as a firefly individual and the quality of the training result as the objective function. This assists the training of the deep neural network, yields a high-quality model more stably, shortens training time and improves the detection accuracy of the model. The detection model is described in detail below:
(1) Deep neural network
1) Deep neural network structure
The deep neural network is a classical, commonly used model in deep learning that is good at mining the hidden complex relationships between feature data and label values. Deep neural networks are composed of neurons, also known as perceptrons; external information is conducted to a neuron through multiple connections (synapses), and the neuron then responds according to an activation function. A deep neural network is mainly divided into an input layer, hidden layers and an output layer. The number of neurons in the input layer is determined by the number of input features, and the number of neurons in the output layer is determined by the number of classes in the classification result. Adjacent layers are fully connected, each connection has a corresponding weight, and the output of each neuron is determined by its input values, weights, bias and activation function. The output of each layer is passed to the next layer by forward propagation until the output layer is reached. The basic structures of the neuron and the deep neural network are shown in Figs. 6 and 7.
2) Training of deep neural networks
Training a deep neural network means using gradient descent, after each training pass, to adjust the weight matrix and bias vector of each layer backwards in the direction that improves the value of the evaluation function, so that the next training result of the deep neural network is better. The model is trained repeatedly in this way on a large amount of data to reach a high-quality result. The deep neural network training process is shown in Fig. 8 and can be divided into the following steps:
(1) Parameter initialization: initialize the basic structure of the model and the related parameters, including the weight matrices, biases, activation function, gradient descent learning rate, loss function, training ending threshold and so on.
(2) Forward propagation of data: input the processed features into the model and compute layer by layer with the initial parameters, starting from the input layer, until the output layer outputs the result.
(3) Backward adjustment of parameters: compute the cost from the output of the output layer and the loss function, and adjust the parameters backwards layer by layer according to the optimization strategy (gradient descent is used here).
(4) Repeated training: repeat steps (2) and (3) with the training set data until the preset number of training rounds is exceeded or the training effect reaches the ending threshold.
(5) Model evaluation: compute the accuracy, F1 value, recall and so on of the trained model on the test set data, to evaluate the quality of the model and to serve as the basis for adjusting the model parameters.
(2) Artificial firefly group optimization algorithm
The artificial firefly group optimization algorithm (Glowworm Swarm Optimization, GSO) is an intelligent optimization algorithm proposed by the Indian scholars K.N. Krishnanand and D. Ghose in 2005 that simulates the luminescence of fireflies in nature, and it has good application prospects for finding the optimal solution in a continuous space. In nature, when a firefly searches for prey or attracts a mate, its tail emits fluorescence; the brighter the fluorescence, the more strongly it attracts prey or mates, and each firefly approaches the more attractive fireflies within its perception range. The firefly algorithm simulates this natural phenomenon: a solution in the solution space is regarded as a firefly, the quality of the solution with respect to the objective function represents the brightness of the corresponding firefly, and fireflies with weak luminescence move towards fireflies with stronger luminescence. This process is iterated until the brightest firefly, namely the optimal solution, is obtained.
The flow chart of the artificial firefly group optimization algorithm is shown in Fig. 9, and the GSO algorithm has three rules:
(1) All fireflies are assumed to be independent of sex, that is, all fireflies attract each other.
(2) The brightness of a firefly determines its attractiveness; between two fireflies, the darker one is attracted to and moves towards the brighter one, and the brightest firefly moves randomly.
(3) The brightness of a firefly is proportional to the objective function, that is, the better the objective function value, the brighter the firefly.
(3) Deep neural network detection model based on artificial firefly group optimization algorithm
The two parts above cover the basic structure and training process of the deep neural network and the basic concept and algorithm flow of the artificial firefly group optimization algorithm. This part explains how the deep neural network obtains an optimal detection model by means of the global optimization capability of the firefly algorithm. As shown in Fig. 10, the basic steps are as follows:
(1) Initialize the basic parameters of the artificial firefly group optimization algorithm, including the number of fireflies $n$, the number of algorithm iterations $m$, the optimization threshold $\varepsilon$, the initial luciferin (representing light intensity) $h_0$ of each firefly, the initial dynamic decision range $r_0$, the domain threshold $z$, the initial step length $l$, the luciferin vanishing rate $a$, the luciferin update rate $b$, the dynamic decision domain update rate $c$, the firefly perception range $r_s$, and the objective function to be optimized (here the objective function is the accuracy of the deep neural network training in each iteration).
(2) Set the value range of each parameter of the deep neural network. These value ranges form the search space (solution space) of the artificial firefly group optimization algorithm. Randomly initialize $n$ fireflies within the search range; each firefly corresponds to one parameter combination of the deep neural network, that is, one parameter vector of the deep neural network, denoted $X_i$, where $X_i$, $i\in\{1,2,\dots,n\}$, is the $i$-th firefly.
(3) Import the processed DDoS training set feature data into the $n$ deep neural networks corresponding to the fireflies and train each of them to obtain the corresponding training accuracy, that is, the objective function value of each firefly, recorded as $D(x_i)$, where $D(x_i)$, $i\in\{1,2,\dots,n\}$, is the objective function value of the $i$-th firefly.
(4) Update the luciferin value of each firefly. The calculation formula is as follows:
$h_i(t)=(1-a)\,h_i(t-1)+b\,D(x_i(t))$
where $h_i(t)$ is the luciferin of the $i$-th firefly after the update in the $t$-th iteration, $h_i(t-1)$ is the luciferin of the $i$-th firefly in the $(t-1)$-th iteration, and $D(x_i(t))$ is the objective function value of the $i$-th firefly in the $t$-th iteration.
(5) Find the neighbors of each firefly (that is, the other fireflies that are within the firefly's perception range and have a higher luciferin value than the firefly). The calculation formula is as follows:
$Q_i(t)=\{\,j:\ \|X_j(t)-X_i(t)\|<r_i(t),\ h_j(t)>h_i(t)\,\}$
where $Q_i(t)$ is the neighbor set of the $i$-th firefly in the $t$-th iteration, $\|X_j(t)-X_i(t)\|$ is the distance between the two fireflies in the $t$-th iteration, and $r_i(t)$ is the radius of the perception domain of the $i$-th firefly in the $t$-th iteration.
(6) Determine the moving direction of each firefly with a roulette strategy, taking the $i$-th firefly as an example. First, the probability of each firefly in the neighbor set $Q_i(t)$ of the $i$-th firefly being selected is calculated as follows:
After the probability of each firefly in the neighbor set of the $i$-th firefly has been obtained, the probability values are accumulated to give each neighbor its own probability range within [0,1]. A random value in [0,1] is then drawn with a random function; the neighbor whose probability range contains the random value gives the direction in which the $i$-th firefly moves, and that neighbor is denoted $j$.
(7) Update the position of each firefly. The calculation formula is as follows:
where $X_i(t)$ is the updated position of the $i$-th firefly in the $t$-th iteration, and $X_i(t-1)$ is the position of the $i$-th firefly in the $(t-1)$-th iteration.
(8) Update the dynamic decision threshold of each firefly. The calculation formula is as follows:
$r_i(t)=\min\{\,r_s,\ \max\{\,0,\ r_i(t-1),\ c\,(z-|Q_i(t-1)|)\,\}\,\}$
where $r_i(t)$ is the dynamic decision threshold of the $i$-th firefly after the update in the $t$-th iteration, $r_i(t-1)$ is the dynamic decision threshold of the $i$-th firefly in the $(t-1)$-th iteration, and $|Q_i(t-1)|$ is the number of neighbors of the $i$-th firefly in the $(t-1)$-th iteration.
(9) Judge whether the number of iterations $t$ of the artificial firefly group optimization algorithm has reached $m$ or whether the optimization threshold $\varepsilon$ has been reached. If either condition holds, the iteration process ends; otherwise, steps (3) to (9) continue to be iterated.
Find the firefly with the highest luciferin value in the last iteration; the deep neural network built from that firefly's deep neural network parameter combination is the optimal detection model.
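Steps (1) to (9) as an added Python example (not the patent's implementation). The selection probability in step (6) and the move in step (7) use the standard GSO expressions as assumptions, a firefly without brighter neighbours is assumed to stay put, and reaching ε is read as the best objective value reaching the threshold; `toy_accuracy` and its samples are a constructed stand-in for training one deep neural network per firefly.

```python
import math
import random

def luciferin_update(h_prev, d_value, a, b):
    """Step (4): h_i(t) = (1 - a) * h_i(t-1) + b * D(x_i(t))."""
    return (1 - a) * h_prev + b * d_value

def neighbour_set(i, pos, h, r):
    """Step (5): brighter fireflies inside firefly i's decision radius."""
    return [j for j in range(len(pos))
            if j != i and h[j] > h[i] and math.dist(pos[j], pos[i]) < r[i]]

def roulette(i, nbrs, h, u):
    """Step (6): pick the neighbour whose cumulative probability range holds u.

    Assumption: p_ij = (h_j - h_i) / sum_k (h_k - h_i), the standard GSO rule.
    """
    total = sum(h[k] - h[i] for k in nbrs)
    acc = 0.0
    for j in nbrs:
        acc += (h[j] - h[i]) / total
        if u < acc:
            return j
    return nbrs[-1]                       # guards against rounding at u ~ 1

def move(x_i, x_j, step, bounds):
    """Step (7), standard GSO form (assumption): one step of length `step`
    from x_i toward x_j, clamped to the search space."""
    dist = math.dist(x_i, x_j)
    if dist == 0:
        return list(x_i)
    return [min(hi, max(lo, p + step * (q - p) / dist))
            for p, q, (lo, hi) in zip(x_i, x_j, bounds)]

def decision_range(r_prev, n_nbrs, r_s, c, z):
    """Step (8) as written: min{r_s, max{0, r_i(t-1), c(z - |Q_i(t-1)|)}}."""
    return min(r_s, max(0.0, r_prev, c * (z - n_nbrs)))

def gso(objective, bounds, n=20, m=40, eps=0.99, h0=5.0, r0=0.5, z=5,
        step=0.03, a=0.4, b=0.6, c=0.08, r_s=1.0, seed=7):
    """Return (best position, its objective value, final luciferin list)."""
    rng = random.Random(seed)
    pos = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(n)]
    h, r = [h0] * n, [r0] * n
    for _ in range(m):
        d = [objective(x) for x in pos]                             # step (3)
        h = [luciferin_update(h[i], d[i], a, b) for i in range(n)]  # step (4)
        if max(d) >= eps:                 # step (9): threshold reached
            break
        q = [neighbour_set(i, pos, h, r) for i in range(n)]
        # A firefly with no brighter neighbour stays where it is (assumption).
        pos = [move(pos[i], pos[roulette(i, q[i], h, rng.random())], step, bounds)
               if q[i] else pos[i] for i in range(n)]
        r = [decision_range(r[i], len(q[i]), r_s, c, z) for i in range(n)]
    best = max(range(n), key=h.__getitem__)
    return pos[best], objective(pos[best]), h

# Constructed, already-normalised (SIAE, IFE) samples; label 1 = DDoS window.
SAMPLES = [((0.10, 0.05), 0), ((0.20, 0.10), 0), ((0.30, 0.15), 0),
           ((0.35, 0.30), 0), ((0.60, 0.70), 1), ((0.75, 0.80), 1),
           ((0.85, 0.65), 1), ((0.95, 0.90), 1)]

def toy_accuracy(x):
    """Stand-in for 'training accuracy of the network built from firefly x':
    x = (w1, w2, bias) of a single threshold neuron scored on SAMPLES."""
    w1, w2, bias = x
    hits = sum((w1 * s + w2 * f + bias > 0) == bool(y) for (s, f), y in SAMPLES)
    return hits / len(SAMPLES)

if __name__ == "__main__":
    best, acc, _ = gso(toy_accuracy, bounds=[(-1.0, 1.0)] * 3)
    print("best parameter vector:", [round(v, 3) for v in best], "accuracy:", acc)
```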
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (5)

1. A DDoS detection method of a deep neural network GSODNN and a software defined network SDN based on an artificial firefly group optimization algorithm is characterized by comprising the following steps:
the SDN controller counts the number of Packet_In data packets of each switch within time T to judge whether the switch is abnormal, and if so, the source IP address entropy value of the Packet_In data packets of the abnormal switch within time T is calculated and used for judging whether the abnormality is likely to be a DDoS attack;
for a data packet possibly under DDoS attack, extracting flow table characteristics and related network flow characteristics of an abnormal switch by an SDN controller, selecting an optimal characteristic set by adopting an MIC-FCBF algorithm, and constructing characteristics sensitive to the DDoS attack;
inputting the selected optimal feature set and the constructed features sensitive to DDoS attack into a deep neural network based on an artificial firefly group optimization algorithm to detect the DDoS attack;
the process of selecting the optimal feature set by adopting the MIC-FCBF algorithm comprises the following steps:
101. calculating the maximum mutual information coefficient of each flow feature and the target feature, denoted $MIC_{Yi}$, and selecting the m features with the largest maximum mutual information coefficient values; the calculation of the maximum mutual information coefficient value between two features includes:
wherein MIC(X, Y) represents the maximum mutual information coefficient between feature X and feature Y; IG(X|Y) is the information gain between the information entropy of the feature X and the conditional entropy H(X|Y) of the feature X under the premise of knowing the feature Y; H(X) is the information entropy of the feature X; H(Y) is the information entropy of the feature Y;
102. taking the feature with the largest maximum mutual information coefficient with the target feature as the main feature $F_{Yi}$, and sequentially calculating the maximum mutual information coefficient value between each other selected feature and the main feature, denoted $MIC_{ij}$;
103. if $MIC_{ij}\ge MIC_{Yi}$, the feature j is classified as a redundant feature of the main feature i, and the feature j is deleted;
104. selecting the characteristic with the highest maximum mutual information coefficient value of the flow characteristic and the target characteristic as the main characteristic, and repeating 102-103;
the process of constructing features sensitive to DDoS attacks includes:
the weighted maximum destination IP proportion is expressed as:
the weighted average packet bytes is expressed as:
weighted stream distribution entropy, expressed as:
the weighted flow table entry increase rate is expressed as:
weighted source IP address entropy, expressed as:
wherein $DST_{numi}$, $i\in\{1,2,3,\dots,n\}$, is the number of entries in the switch flow table whose address is $DST_i$, $DST_{numall}$ is the total number of switch flow entries, and $\varepsilon$ is a weighted value of the feature, $\varepsilon\in(1,2]$; $packet_{bytei}$, $i\in\{1,2,3,\dots,n\}$, is the number of bytes of the $i$-th Packet_In data packet within time T, and $packet_{num}$ is the total number of Packet_In data packets within time T; $flow_{i\_num}$ is the number of the $i$-th data flow in the traffic data collection stage for detecting DDoS attack, and $FE\_num$ is the total number of the data flows in the network; $FE_{t_0\_num}$ is the total number of switch flow entries at time point $t_0$, $FE_{(t_0+\Delta t)\_num}$ is the total number of switch flow entries at time point $t_0+\Delta t$, and $\Delta t$ approaches 0 indefinitely; $Srcip_{i\_num}$ is the number of the $i$-th source IP address in the switch flow table, $i\in\{1,2,3,\dots,n\}$, n being the total number of source IP addresses; $FE\_num$ is the total number of switch flow entries;
the training process of the deep neural network based on the artificial firefly group optimization algorithm comprises the following steps:
initializing basic parameters of an artificial firefly group optimization algorithm, and taking the accuracy of deep neural network training as an objective function;
setting a value range of each parameter of the deep neural network, taking the range as a search space of an artificial firefly group optimization algorithm, and randomly initializing n fireflies in the search range, wherein each firefly corresponds to a parameter combination of the deep neural network;
training data are imported into n deep neural networks corresponding to fireflies to respectively train, and objective function values corresponding to each firefly are calculated;
updating the luciferin value of each firefly, and taking other fireflies with the luciferin value larger than that of the current firefly as neighbors of the current firefly;
calculating the selection probability of each firefly in the neighbor set of the current firefly by using a roulette strategy, obtaining a random number by using a random function, moving toward the firefly in the neighbor set whose accumulated selection probability is closest to the random number, and updating the current firefly position;
updating the dynamic decision threshold value of each firefly, judging whether the iteration number of the artificial firefly group optimization algorithm reaches the maximum value or reaches a set error threshold value, and ending the iteration process if either is reached;
finding the firefly with the highest luciferin value in the last iteration, and using the deep neural network parameters corresponding to that firefly as the parameters of the deep neural network.
2. The DDoS detection method based on GSODNN and SDN of claim 1, wherein the process of performing DDoS attack pre-detection by the controller includes:
the switch uploads to the controller the packet_in data packets that fail to match the flow table;
the controller calculates the number of packet_in data packets of each switch in a set time period;
if the number of the packet_in data packets of each switch does not exceed the set threshold, the corresponding data are handed to the controller for subsequent processing; otherwise, calculating the entropy value of the source IP address of the data packet;
judging whether the entropy value of the source IP address of the data packet exceeds a set threshold value, if not, delivering corresponding data to a controller for subsequent processing; otherwise, DDoS attack detection is carried out.
3. The DDoS detection method based on GSODNN and SDN of claim 2, wherein an entropy value of a source IP address of a packet is expressed as:
wherein H(X) is the entropy of the source IP address of the data packet; X is the set of source IP addresses of the data packets; $p_i$ is the proportion of the $i$-th source IP address in the source IP address set; and n is the number of elements in the set of source IP addresses of the data packets.
4. The DDoS detection method based on GSODNN and SDN of claim 1, wherein the process of inputting the selected optimal feature set and the constructed feature sensitive to DDoS attack into the deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection comprises:
normalizing the selected optimal feature set and the constructed features sensitive to DDoS attack;
inputting the normalized characteristics into a pre-trained deep neural network based on an artificial firefly group optimization algorithm to detect DDoS attack, judging whether DDoS attack exists, and if so, taking corresponding defensive measures; otherwise, the data packet is handed to the controller for subsequent processing.
5. The DDoS detection method of claim 4, wherein normalizing features in the feature set comprises:
wherein x is i Normalized value, x, for a sample of the ith feature i For the value of a sample of the ith feature, max (x i ) For the maximum value of all samples of the ith feature, min (x i ) For the minimum of all samples for the ith feature, θ is a perturbation factor greater than 0.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210003465.7A CN114363065B (en) 2022-01-04 2022-01-04 DDoS detection method based on GSODNN and SDN

Publications (2)

Publication Number Publication Date
CN114363065A CN114363065A (en) 2022-04-15
CN114363065B true CN114363065B (en) 2023-07-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant