CN114900357A - Method, equipment and storage medium for detecting flooding attack of time-space diagram neural network link - Google Patents


Info

Publication number
CN114900357A
Authority
CN
China
Prior art keywords
time
graph
network
matrix
space
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210494274.5A
Other languages
Chinese (zh)
Inventor
杨坚
程思雨
陈双武
承孝敏
张勇东
徐正欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yangtze River Delta Information Intelligence Innovation Research Institute
Original Assignee
Yangtze River Delta Information Intelligence Innovation Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yangtze River Delta Information Intelligence Innovation Research Institute
Priority to CN202210494274.5A
Publication of CN114900357A


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/048: Activation functions
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/049: Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12: Discovery or management of network topologies
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02A: TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE
    • Y02A10/00: TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE at coastal zones; at river basins
    • Y02A10/40: Controlling or monitoring, e.g. of flood or hurricane; Forecasting, e.g. risk assessment or mapping


Abstract

The invention relates to the fields of cyberspace security and artificial intelligence, and discloses a method, a device and a storage medium for detecting link flooding attacks (LFA) with a spatio-temporal graph neural network. The method comprises the following steps: S1, topology graph construction: the network area to be protected is modeled as a graph suitable for LFA detection; S2, feature extraction: traffic features and statistical features suitable for LFA detection are selected; S3, an STGCN model is used to build the spatio-temporal features of the traffic, and a classification network is used to detect the LFA. The method uses a spatio-temporal graph neural network to model the spatio-temporal characteristics of the traffic of the protected network along three time scales (minutes, days and weeks), assigns different weights through mechanisms such as attention, and can detect LFA efficiently.

Description

Method, equipment and storage medium for detecting flooding attack of time-space diagram neural network link
Technical Field
The invention relates to the fields of cyberspace security and artificial intelligence, and in particular to a method, a device and a storage medium for detecting link flooding attacks with a spatio-temporal graph neural network.
Background
Denial-of-Service (DoS) attacks target networks such as national backbone networks, important network facilities and important websites by illegally organizing and using controlled resources, so that the target server is disconnected and ultimately stops providing service. Traditional DoS attack traffic usually reaches the victim host and is clearly distinguishable from legitimate traffic; as detection methods for such traditional DoS attacks have multiplied in recent years, detecting them is no longer difficult.
However, recent research has identified a new type of attack, the Link Flooding Attack (LFA), which can effectively cut off network connectivity in a target area and is not easily detected by network security devices at the endpoints. LFA comes in concrete forms such as Coremelt and Crossfire. For example, the primary link of a game service has been subjected to a Crossfire attack, rendering it unusable for a long period of time. LFAs have also been used by attackers against specific links of major Internet exchange points.
The LFA attack process has two stages. In the first stage, the attacker uses controlled hosts to probe links and selects the target link. In the second stage, the attacker uses a large number of controlled hosts to generate low-rate traffic that traverses the target link, thereby flooding it. LFAs are difficult to detect because: the target link is chosen by the attacker and may be located anywhere in the target area; the attack traffic does not reach the target area, so the victim is unaware that an attack is under way; each controlled host sends protocol-compliant low-rate traffic to public servers, which defeats signature-based detection; and the controlled hosts can change their traffic patterns, which defeats detection based on abnormal traffic patterns.
By contrast, existing detection methods mainly examine statistical features of selected links and usually consider only part of the links; traditional heuristic LFA detection algorithms depend too heavily on expert experience, and artificial-intelligence-based detection methods do not model the spatio-temporal characteristics of LFA well.
Disclosure of Invention
The invention aims to provide a link flooding attack detection method based on a spatio-temporal graph neural network. The method uses the spatio-temporal graph neural network to model the spatio-temporal characteristics of the traffic of the protected network along three time scales (minutes, days and weeks) and assigns different weights through mechanisms such as attention, so that LFA can be detected efficiently.
To achieve the above object, a first aspect of the present invention provides a method for detecting link flooding attacks with a spatio-temporal graph neural network, the method comprising:
S1, topology graph construction: the network area to be protected is modeled as a graph suitable for LFA detection;
S2, feature extraction: traffic features and statistical features suitable for LFA detection are selected;
S3, an STGCN model is used to build the spatio-temporal features of the traffic, and a classification network is used to detect the LFA.
Preferably, step S1 includes:
In an SDN scenario, the controller holds the global network topology. The global topology is abstracted, the network to be protected is selected and defined as an undirected graph $G_S = (V_S, E_S, A_S)$, where $V_S$ is the finite set of nodes of the network to be protected, $|V_S| = N_S$, and $N_S$ is the number of nodes in $G_S$; $E_S$ is the set of links between the nodes of the network to be protected, $|E_S| = M_S$, and $M_S$ is the number of links in $G_S$;
Figure BDA0003631931320000021
represents the adjacency matrix of $G_S$. Each link in $E_S$ is modeled as a node of the topology graph, and each pair of adjacent links becomes an edge of the topology graph, giving $G_L = (V_L, E_L, A_L)$, where $V_L$ is the node set of the constructed topology graph, $|V_L| = M_S$, $E_L$ is the link set of the constructed topology graph, and
Figure BDA0003631931320000022
represents the adjacency matrix of $G_L$. The specific transformation process is as follows:
First, each edge in $E_S$ is labeled in order; then a zero matrix $A_L$ is constructed, the edges in the matrix $A_S$ are traversed, and adjacent edges are assigned values in the matrix $A_L$, yielding the topology graph for LFA detection.
Preferably, step S2 includes:
Link traffic, link utilization, ABW, packet loss rate and RTT are used as the features for LFA detection, defined as
Figure BDA0003631931320000031
where
Figure BDA0003631931320000032
denotes the features of the $i$-th link at time $t$,
Figure BDA0003631931320000033
$F$ is the number of features, $F = 5$,
Figure BDA0003631931320000034
and
Figure BDA0003631931320000035
respectively denote the link traffic, utilization, ABW, packet loss rate and RTT of the $i$-th link at time $t$; thus
Figure BDA0003631931320000036
Figure BDA0003631931320000037
characterizes all network links at time $t$, where
Figure BDA0003631931320000038
Define $X = (X_1, X_2, \ldots, X_\tau)^T$ as all the features of all nodes over $\tau$ time slices,
Figure BDA0003631931320000039
Because network traffic features have not only spatial characteristics but also strong temporal characteristics, the temporal characteristics of the network links are further described: the default time interval is defined as 5 min and the window length as $T_p$; feature sequences at the minute, day and week levels are extracted as the description of the time dimension and are defined as $X_m$, $X_d$ and
Figure BDA00036319313200000310
Figure BDA00036319313200000311
Figure BDA00036319313200000312
Figure BDA00036319313200000313
Preferably, in step S3, an attention-based spatio-temporal graph convolutional network (ASTGCN) is adopted; inputs of three dimensions are used to model the periodic dependencies of the historical traffic at the minute level, the hour level and the day level respectively, the dynamic spatio-temporal correlation of the network traffic is captured, and a fully connected network is used for LFA detection.
Preferably, step S3 includes:
in the spatial dimension, an attention mechanism adaptively captures the dynamic correlations between nodes;
take the $(r-1)$-th layer at the minute scale as an example:
Figure BDA0003631931320000041
Figure BDA0003631931320000042
where
Figure BDA0003631931320000043
represents the input of the $r$-th spatio-temporal block, $C_{r-1}$ is the number of input channels of the $r$-th layer, with $C_0 = F$ when $r = 1$; $T_{r-1}$ is the length of the time dimension of the $r$-th layer, with $T_0 = T_p$ when $r = 1$;
Figure BDA0003631931320000044
Figure BDA0003631931320000045
are learnable parameters. The spatial correlation matrix $S$ is determined by the varying input; its element $S_{i,j}$ represents the strength of dependence between times $i$ and $j$. $S_{i,j}$ is normalized with the normalized exponential (Softmax) function, and the normalized spatial attention matrix is finally applied to the input.
Preferably, step S3 further includes:
in the time dimension, an attention mechanism adaptively assigns different weights to data from different time periods;
take the operation on the $(r-1)$-th layer at the minute scale as an example:
Figure BDA0003631931320000046
Figure BDA0003631931320000047
where
Figure BDA0003631931320000048
are learnable parameters. The temporal correlation matrix $E$ is determined by the varying input; its element $E_{i,j}$ represents the strength of dependence between times $i$ and $j$. $E_{i,j}$ is normalized with the Softmax function, and the normalized temporal attention matrix is finally applied to the input, which gives:
Figure BDA0003631931320000049
Preferably, step S3 further includes:
on each time slice, the traffic information is processed with a graph convolution based on the spectral graph method, which handles the correlation of the network traffic in the spatial dimension. In the spectral graph method, a graph is represented by its Laplacian matrix, and the properties of the graph structure can be obtained by analyzing the Laplacian matrix and its eigenvalues. The Laplacian matrix of the graph is defined as $L = D - A$, where $D$ is a diagonal matrix with $D_{ii} = \sum_j A_{ij}$ and $A$ is the adjacency matrix; the normalized form is
Figure BDA0003631931320000051
$I_N$ is the identity matrix,
Figure BDA0003631931320000052
The eigenvalue decomposition of the Laplacian matrix is $L = U \Lambda U^T$, $\Lambda = \mathrm{diag}([\lambda_0, \ldots, \lambda_{N-1}])$; by the properties of the Laplacian matrix, $U$ is an orthogonal matrix. The Fourier transform of a signal is
Figure BDA0003631931320000053
and the corresponding inverse transform is
Figure BDA0003631931320000054
Thus the signal $x$ on graph $G_L$ is filtered by the convolution kernel $g_\theta$:
$$g_\theta *_G x = g_\theta(L)x = g_\theta(U \Lambda U^T)x = U g_\theta(\Lambda) U^T x$$
where $*_G$ denotes the graph convolution operation. Convolving graph signals is equivalent to multiplying their graph Fourier transforms in the spectral domain, so the above formula transforms $g_\theta$ and $x$ to the spectral domain via the Fourier transform, multiplies the results, and applies the inverse Fourier transform to obtain the final result of the convolution operation;
however, when the scale of the graph is large, a Chebyshev polynomial approximation is used:
Figure BDA0003631931320000055
where $\theta \in \mathbb{R}^K$ is the vector of polynomial coefficients,
Figure BDA0003631931320000056
$\lambda_{max}$ is the maximum eigenvalue of the Laplacian matrix, and the Chebyshev polynomial is defined recursively as $T_k(x) = 2xT_{k-1}(x) - T_{k-2}(x)$, $T_0(x) = 1$, $T_1(x) = x$. Using the approximate Chebyshev expansion is equivalent to having the convolution kernel $g_\theta$ extract information from the 0th- to $(K-1)$th-order neighborhood of each node in the graph. The graph convolution uses the rectified linear unit (ReLU) as the final activation function: $\mathrm{ReLU}(g_\theta *_G x)$;
After the graph convolution has captured the neighborhood information of each node in the spatial dimension, a one-dimensional convolution along the time dimension updates the information of the node. Take the operation on the $r$-th layer at the minute scale as an example:
Figure BDA0003631931320000057
where the convolution operator denotes a one-dimensional convolution operation, $\phi$ is the temporal convolution kernel parameter, and the activation function is ReLU. Finally, the different outputs are fused, with each part given a different weight:
Figure BDA0003631931320000058
where "" denotes the Hadamard product, and $W_m$, $W_d$, $W_w$ are learnable parameters reflecting the degree of influence of the three time-scale components on the prediction target; the mean square error (MSE) between the predicted and actual values is used as the loss function, and the model parameters are optimized by backpropagation.
Preferably, the method predicts the network traffic behavior features with the spatio-temporal graph neural network of step S3
Figure BDA0003631931320000061
The actual network traffic behavior features at the current moment, $X_{now}$, and the predicted value
Figure BDA0003631931320000062
are subtracted, the result is fed to the fully connected LFA detection network, and the model parameters are optimized by backpropagation with cross entropy as the loss function, so that LFA can be detected accurately.
A second aspect of the invention provides a device comprising a processor and a memory, wherein the memory stores a computer program and the processor executes, according to the computer program, the method for detecting link flooding attacks with a spatio-temporal graph neural network according to the first aspect of the invention.
A third aspect of the present invention provides a computer-readable storage medium storing a computer program for executing the method for detecting link flooding attacks with a spatio-temporal graph neural network according to the first aspect of the present invention.
According to the above technical solution: DoS attacks are an important means of network attack, and new attack modes derived from them in recent years, such as LFA, are increasingly difficult to detect, so the demand for LFA detection has grown. Traditional detection methods mainly use heuristic or artificial-intelligence algorithms to detect statistical features of selected links, usually consider only part of the links, cannot effectively model the spatio-temporal characteristics of LFA, and rely on expert experience.
Additional features and advantages of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is the overall system architecture diagram of the method for detecting link flooding attacks with a spatio-temporal graph neural network according to the present invention;
FIG. 2 is a schematic diagram of a topology graph construction example in the method according to the present invention;
FIG. 3 is an example diagram of time sequence construction in the method according to the present invention;
FIG. 4 is a schematic diagram of the ASTGCN-based LFA detection framework in the method according to the present invention;
FIG. 5 is the campus network topology diagram of an embodiment provided by the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are given by way of illustration and explanation only, not limitation.
In recent years, the development of Graph Convolutional Networks (GCNs) has brought a new approach to processing non-Euclidean data, and GCNs have been applied to problems such as network modeling and recommendation systems. GCNs were subsequently combined with other neural networks to form the Spatio-Temporal Graph Convolutional Network (STGCN), which extracts and analyzes the information contained in the data from the temporal and spatial perspectives respectively. STGCN is widely used in fields such as traffic flow prediction, action recognition and recommendation systems.
Software-Defined Networking (SDN) is an emerging network model. The programmable data plane technology of SDN can obtain fine-grained network state, including both the temporal features and the spatial features of the network state.
The invention provides a link flooding attack detection method based on a spatio-temporal graph neural network, which comprises the following steps:
S1, topology graph construction: the network area to be protected is modeled as a graph suitable for LFA detection;
S2, feature extraction: traffic features and statistical features suitable for LFA detection are selected;
S3, an STGCN model is used to build the spatio-temporal features of the traffic, and a classification network is used to detect the LFA.
LFA is a flooding attack aimed at links, and the invention aims to build the spatio-temporal features of LFA through the STGCN. The input of the STGCN should be network link information rather than switch node information, so the invention constructs the network topology, from the link perspective, into an LFA detection topology graph suitable as STGCN input, referred to below simply as the topology graph.
Specifically, step S1 includes:
In an SDN scenario, the controller holds the global network topology. The global topology is abstracted, the network to be protected is selected and defined as an undirected graph $G_S = (V_S, E_S, A_S)$, where $V_S$ is the finite set of nodes of the network to be protected, $|V_S| = N_S$, and $N_S$ is the number of nodes in $G_S$; $E_S$ is the set of links between the nodes of the network to be protected, $|E_S| = M_S$, and $M_S$ is the number of links in $G_S$;
Figure BDA0003631931320000081
represents the adjacency matrix of $G_S$. Each link in $E_S$ is modeled as a node of the topology graph, and each pair of adjacent links becomes an edge of the topology graph, giving $G_L = (V_L, E_L, A_L)$, where $V_L$ is the node set of the constructed topology graph, $|V_L| = M_S$, $E_L$ is the link set of the constructed topology graph, and
Figure BDA0003631931320000082
represents the adjacency matrix of $G_L$. The specific transformation process is as follows:
First, each edge in $E_S$ is labeled in order; then a zero matrix $A_L$ is constructed, the edges in the matrix $A_S$ are traversed, and adjacent edges are assigned values in the matrix $A_L$. In this way the topology graph for LFA detection is obtained; a specific construction example of the topology graph is shown in FIG. 2.
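The transformation in step S1 (label each link of $E_S$, start from a zero matrix $A_L$, mark adjacent links) is illustrated below as an added example, not code from the patent. It assumes that "adjacent" means two links share a switch; the function names and the five-switch topology are constructed for illustration.

```python
from itertools import combinations


def label_links(a_s):
    """Label every link of E_S in order (row-major over the upper triangle of A_S)."""
    n = len(a_s)
    if any(len(row) != n for row in a_s):
        raise ValueError("A_S must be square")
    for u in range(n):
        if a_s[u][u]:
            raise ValueError(f"self-loop on switch {u}")
        for v in range(u + 1, n):
            if bool(a_s[u][v]) != bool(a_s[v][u]):
                raise ValueError(f"A_S is not symmetric at ({u}, {v})")
    return [(u, v) for u in range(n) for v in range(u + 1, n) if a_s[u][v]]


def build_link_graph(a_s):
    """Return (links, A_L); links[i] is the switch pair behind node i of G_L."""
    links = label_links(a_s)
    m = len(links)                              # M_S = |E_S| = |V_L|
    a_l = [[0] * m for _ in range(m)]           # zero matrix A_L
    for i, j in combinations(range(m), 2):
        # Assumption: two links are adjacent when they share an endpoint switch.
        if set(links[i]) & set(links[j]):
            a_l[i][j] = a_l[j][i] = 1
    return links, a_l


def expected_link_graph_edges(a_s):
    """Cross-check: |E_L| equals the sum over switches of C(degree, 2)."""
    degrees = (sum(1 for x in row if x) for row in a_s)
    return sum(d * (d - 1) // 2 for d in degrees)


# Constructed sample topology (not from the patent): s0-s1, s1-s2, s1-s3, s3-s4.
SAMPLE_A_S = [
    [0, 1, 0, 0, 0],
    [1, 0, 1, 1, 0],
    [0, 1, 0, 0, 0],
    [0, 1, 0, 0, 1],
    [0, 0, 0, 1, 0],
]

if __name__ == "__main__":
    links, a_l = build_link_graph(SAMPLE_A_S)
    for idx, (u, v) in enumerate(links):
        print(f"link {idx}: s{u}-s{v}  A_L row {a_l[idx]}")
```

Keeping `links` alongside `A_L` lets a detection on node `i` of $G_L$ be mapped back to the physical switch pair.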
The present embodiment selects features closely related to LFA detection as inputs to the STGCN and uses a link information collection module to collect information from each node. The link information collection module runs in the SDN controller and is responsible for collecting link information. The SDN controller can read and analyze the link information in real time.
When a link is congested, its packet loss rate rises, its Round-Trip Time (RTT) increases, and its Available Bandwidth (ABW) drops markedly. In a switch node, when the packet arrival rate exceeds the departure rate, packets are held temporarily in a first-in first-out buffer queue. If this situation persists, the queue fills and subsequent packets are dropped, which causes a large increase in packet loss rate and RTT. If the bandwidth of the LFA attack traffic reaches or exceeds the maximum bandwidth of the link, the ABW settles within a certain range and floats around that fixed value however much the LFA attack traffic increases, whereas the packet loss rate and RTT vary widely. The above link features are therefore crucial for detecting LFA.
Accordingly, step S2 of the present invention includes:
Link traffic, link utilization, ABW, packet loss rate and RTT are used as the features for LFA detection, defined as
Figure BDA0003631931320000091
where
Figure BDA0003631931320000092
denotes the features of the $i$-th link at time $t$,
Figure BDA0003631931320000093
$F$ is the number of features, $F = 5$,
Figure BDA0003631931320000094
and
Figure BDA0003631931320000095
respectively denote the link traffic, utilization, ABW, packet loss rate and RTT of the $i$-th link at time $t$; thus
Figure BDA0003631931320000096
Figure BDA0003631931320000097
characterizes all network links at time $t$, where
Figure BDA0003631931320000098
Define $X = (X_1, X_2, \ldots, X_\tau)^T$ as all the features of all nodes over $\tau$ time slices,
Figure BDA0003631931320000099
Network traffic features have not only spatial characteristics but also strong temporal characteristics: working days and rest days within a week, different hours within a day and different minutes within an hour all show strong temporal patterns. After extracting the important features for LFA detection and describing the spatial features of the network links, the invention further describes the temporal features of the network links: as shown in FIG. 3, the default time interval is defined as 5 min and the window length as $T_p$; feature sequences at the minute, day and week levels are extracted as the description of the time dimension and are defined as $X_m$, $X_d$ and
Figure BDA00036319313200000910
Figure BDA00036319313200000911
Figure BDA00036319313200000912
Figure BDA00036319313200000913
As for the detection model, in step S3 the invention adopts an attention-based spatio-temporal graph convolutional network (ASTGCN), uses inputs of three dimensions to model the periodic dependencies of the historical traffic at the minute level, the hour level and the day level respectively, captures the dynamic spatio-temporal correlation of the network traffic, and uses a fully connected network for LFA detection; the overall framework of the detection model is shown in FIG. 4.
In the spatial dimension, the traffic of different links affects each other, and this influence is highly dynamic. Therefore, step S3 includes:
in the spatial dimension, an attention mechanism adaptively captures the dynamic correlations between nodes;
take the $(r-1)$-th layer at the minute scale as an example:
Figure BDA0003631931320000101
Figure BDA0003631931320000102
where
Figure BDA0003631931320000103
represents the input of the $r$-th spatio-temporal block, $C_{r-1}$ is the number of input channels of the $r$-th layer, with $C_0 = F$ when $r = 1$; $T_{r-1}$ is the length of the time dimension of the $r$-th layer, with $T_0 = T_p$ when $r = 1$;
Figure BDA0003631931320000104
Figure BDA0003631931320000105
are learnable parameters. The spatial correlation matrix $S$ is determined by the varying input; its element $S_{i,j}$ represents the strength of dependence between times $i$ and $j$. $S_{i,j}$ is normalized with the normalized exponential (Softmax) function, and the normalized spatial attention matrix is finally applied to the input.
Further, step S3 also includes:
in the time dimension, the traffic conditions of different time periods are correlated, and the correlation differs from case to case. The invention uses an attention mechanism to adaptively assign different weights to data from different time periods;
take the operation on the $(r-1)$-th layer at the minute scale as an example:
Figure BDA0003631931320000106
Figure BDA0003631931320000111
where
Figure BDA0003631931320000112
are learnable parameters. The temporal correlation matrix $E$ is determined by the varying input; its element $E_{i,j}$ represents the strength of dependence between times $i$ and $j$. $E_{i,j}$ is normalized with the Softmax function, and the normalized temporal attention matrix is finally applied to the input, which gives:
Figure BDA0003631931320000113
The spatio-temporal convolution consists of a graph convolution in the spatial dimension, which captures spatial dependencies from the neighborhood, and a convolution in the temporal dimension, which captures temporal dependencies from neighboring times. The spectral graph method generalizes the convolution operation to graph-structured data. Step S3 of the present invention further includes:
processing the traffic information on each time slice with a graph convolution based on the spectral graph method, which handles the correlation of network traffic in the spatial dimension. In the spectral graph method, a graph is represented by its Laplacian matrix, and the properties of the graph structure can be obtained by analyzing the Laplacian matrix and its eigenvalues. The Laplacian matrix of the graph is defined as $L = D - A$, where $D$ is a diagonal matrix with $D_{ii} = \sum_j A_{ij}$ and $A$ is the adjacency matrix; it is normalized to
Figure BDA0003631931320000114
where $I_N$ is the identity matrix,
Figure BDA0003631931320000115
The eigenvalue decomposition of the Laplacian matrix is $L = U \Lambda U^T$, with $\Lambda = \mathrm{diag}([\lambda_0, \ldots, \lambda_{N-1}])$; by the properties of the Laplacian matrix, $U$ is an orthogonal matrix. The Fourier transform of a signal is
Figure BDA0003631931320000116
and the corresponding inverse transform is
Figure BDA0003631931320000117
Thus, the convolution of a signal $x$ on graph $G_L$ with a convolution kernel $g_\theta$ is obtained as:
$$g_\theta *_G x = g_\theta(L)x = g_\theta(U \Lambda U^T)x = U g_\theta(\Lambda) U^T x$$
where $*_G$ denotes the graph convolution operation. The convolution of graph signals equals the product of those signals after the graph Fourier transform into the spectral domain, so the above formula transforms $g_\theta$ and $x$ to the spectral domain separately via the Fourier transform, multiplies the results, and applies the inverse Fourier transform to obtain the final result of the convolution;
however, when the graph is large the eigenvalue decomposition is costly, so a Chebyshev polynomial approximation is used:
Figure BDA0003631931320000118
where $\theta \in \mathbb{R}^K$ is the vector of polynomial coefficients,
Figure BDA0003631931320000121
$\lambda_{max}$ is the maximum eigenvalue of the Laplacian matrix, and the Chebyshev polynomials are defined recursively as $T_k(x) = 2xT_{k-1}(x) - T_{k-2}(x)$, with $T_0(x) = 1$ and $T_1(x) = x$. Using the Chebyshev polynomial expansion as an approximation corresponds to the convolution kernel $g_\theta$ extracting information from the 0th- to (K-1)th-order neighborhood of each node in the graph. The graph convolution uses the rectified linear unit (ReLU) as its final activation function, i.e. $\mathrm{ReLU}(g_\theta *_G x)$;
After the graph convolution has captured the neighborhood information of each node in the spatial dimension, a one-dimensional convolution in the time dimension updates the node's information, taking the operation on layer r at the minute scale as an example:
Figure BDA0003631931320000122
where the convolution symbol denotes the one-dimensional convolution operation, Φ is the temporal convolution kernel parameter, and the activation function is ReLU. Finally, the different outputs are fused, each part being given its own weight:
Figure BDA0003631931320000123
where the product symbol denotes the Hadamard product and $W_m$, $W_d$, $W_w$ are learnable parameters reflecting the degree of influence of the three temporal components on the prediction target. The mean square error (MSE) between the predicted and actual values is used as the loss function, and the model parameters are optimized by backpropagation.
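The Chebyshev graph convolution described above, run on a link graph $G_L$ built the way step S1 describes (links become nodes, adjacent links become edges), as an added example that is not code from the patent. It shows that a kernel with K coefficients lets a traffic spike on one link influence only links within K-1 hops. The topology, the impulse signal and the θ values are constructed; the normalized Laplacian $I_N - D^{-1/2} A D^{-1/2}$ and the scaled Laplacian $2L/\lambda_{max} - I_N$ are the conventional forms and are assumptions here, because the page's own formulas for them survive only as figure references.

```python
import math

# Constructed campus-style topology (not the patent's Fig. 5): each tuple is one
# physical link; its list index is the node index of that link in G_L.
LINKS = [("h1", "s1"), ("h2", "s1"), ("s1", "s2"), ("s2", "gw"), ("gw", "isp")]


def line_graph(links):
    """Step S1: links become nodes, links sharing an endpoint become edges."""
    m = len(links)
    a_l = [[0.0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            if set(links[i]) & set(links[j]):
                a_l[i][j] = a_l[j][i] = 1.0
    return a_l


def matvec(mat, vec):
    return [sum(a * b for a, b in zip(row, vec)) for row in mat]


def normalized_laplacian(adj):
    """Assumed form: L = I_N - D^{-1/2} A D^{-1/2}, with D_ii = sum_j A_ij."""
    n, deg = len(adj), [sum(row) for row in adj]
    lap = [[0.0] * n for _ in range(n)]
    for i in range(n):
        lap[i][i] = 1.0
        for j in range(n):
            if adj[i][j]:
                lap[i][j] -= adj[i][j] / math.sqrt(deg[i] * deg[j])
    return lap


def lambda_max(lap, iters=300):
    """Largest eigenvalue of the symmetric PSD Laplacian by power iteration."""
    vec = [1.0 + 0.1 * i for i in range(len(lap))]
    for _ in range(iters):
        nxt = matvec(lap, vec)
        norm = math.sqrt(sum(x * x for x in nxt))
        vec = [x / norm for x in nxt]
    return sum(a * b for a, b in zip(vec, matvec(lap, vec)))


def cheb_filter(adj, x, theta):
    """sum_k theta_k T_k(L~) x with L~ = (2 / lambda_max) L - I_N (pre-activation)."""
    n, lap = len(adj), normalized_laplacian(adj)
    lam = lambda_max(lap)
    scaled = [[2.0 * lap[i][j] / lam - (1.0 if i == j else 0.0) for j in range(n)]
              for i in range(n)]
    t_prev, t_cur = list(x), matvec(scaled, x)        # T_0 x = x, T_1 x = L~ x
    out = [theta[0] * v for v in t_prev]
    for k in range(1, len(theta)):
        out = [o + theta[k] * v for o, v in zip(out, t_cur)]
        t_next = [2.0 * a - b for a, b in zip(matvec(scaled, t_cur), t_prev)]
        t_prev, t_cur = t_cur, t_next                  # T_k = 2 L~ T_{k-1} - T_{k-2}
    return out


def cheb_conv(adj, x, theta):
    """Graph convolution with the final ReLU activation."""
    return [max(0.0, v) for v in cheb_filter(adj, x, theta)]


A_L = line_graph(LINKS)
IMPULSE = [0.0, 0.0, 0.0, 0.0, 1.0]   # constructed: a spike on the gw-isp link only

if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        theta = [0.5, 0.3, 0.2, 0.1][:k]
        y = cheb_filter(A_L, IMPULSE, theta)
        reached = [LINKS[i] for i, v in enumerate(y) if v != 0.0]
        print(f"K={k}: links influenced by the spike -> {reached}")
```

For a detector this bounds how far evidence of congestion on one link can propagate in a single graph-convolution layer, which is what K has to be sized against for the protected topology.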
The spatio-temporal graph neural network method of step 3 is used to predict the network traffic behavior features
Figure BDA0003631931320000124
The real network traffic behavior features $X_{now}$ measured at the current moment and the predicted value
Figure BDA0003631931320000125
are subtracted, the result is fed into the fully connected LFA detection network, and the model parameters are optimized by backpropagation with cross-entropy as the loss function, so that LFA attacks can be detected accurately.
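The detection stage described above, as an added example that is not code from the patent: the classifier sees the residual between measured and predicted features rather than the raw features, so a link that is busy but was predicted to be busy is not flagged. Assumptions: a single fully connected layer with a sigmoid output stands in for the detection network, the predicted values are constructed rather than produced by a trained spatio-temporal model, all feature values are constructed and normalized to [0, 1], and the static utilization threshold is a baseline added only for contrast.

```python
import math

FEATURES = ["traffic", "utilization", "abw", "loss", "rtt"]   # F = 5


def residual(x_now, x_hat):
    """Input of the detection network: measured minus predicted features."""
    return [a - b for a, b in zip(x_now, x_hat)]


def make_training_set():
    """Constructed samples (x_now, x_hat, label); label 1 marks an LFA."""
    samples = []
    for i in range(20):
        base = 0.30 + 0.03 * i                  # predicted load, 0.30 .. 0.87
        err = 0.02 * ((i % 5) - 2)              # benign prediction error
        x_hat = [base, base, 1.0 - base, 0.01, 0.20]
        benign = [base + err, base + err, 1.0 - base - err, 0.01, 0.20 + err]
        load = min(1.0, base + 0.35)            # a flooded link saturates
        attack = [load, load, 1.0 - load, 0.15, 0.60]
        samples += [(benign, x_hat, 0), (attack, x_hat, 1)]
    return samples


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, epochs=2000, lr=1.0):
    """Fit one fully connected layer (w, b) by gradient descent on cross-entropy."""
    w, b = [0.0] * len(FEATURES), 0.0
    data = [(residual(x, h), y) for x, h, y in samples]
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for r, y in data:
            # Gradient of the cross-entropy loss with respect to the logit.
            err = sigmoid(b + sum(wi * ri for wi, ri in zip(w, r))) - y
            gw = [g + err * ri for g, ri in zip(gw, r)]
            gb += err
        w = [wi - lr * g / len(data) for wi, g in zip(w, gw)]
        b -= lr * gb / len(data)
    return w, b


def lfa_probability(model, x_now, x_hat):
    w, b = model
    return sigmoid(b + sum(wi * ri for wi, ri in zip(w, residual(x_now, x_hat))))


def static_threshold_alert(x_now, limit=0.8):
    """Baseline for contrast only: alert on absolute utilization."""
    return x_now[1] > limit


MODEL = train(make_training_set())
# Constructed evaluation points, each (x_now, x_hat).
BUSY_BUT_PREDICTED = ([0.90, 0.90, 0.10, 0.01, 0.22], [0.88, 0.88, 0.12, 0.01, 0.20])
UNPREDICTED_SURGE = ([0.70, 0.70, 0.30, 0.15, 0.60], [0.35, 0.35, 0.65, 0.01, 0.20])

if __name__ == "__main__":
    for name, (x_now, x_hat) in [("busy but predicted", BUSY_BUT_PREDICTED),
                                 ("unpredicted surge", UNPREDICTED_SURGE)]:
        print(f"{name}: P(LFA)={lfa_probability(MODEL, x_now, x_hat):.3f}, "
              f"static alert={static_threshold_alert(x_now)}")
```

The static threshold fires on the busy-but-predicted link and stays silent on the surge that remains below 80% utilization, while the residual classifier gets both right.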
With regard to the above technical solution: DoS attacks are an important means of network attack, and in recent years novel attack modes such as LFA have been derived from them, so that detection is increasingly difficult and the demand for LFA detection keeps growing. Traditional detection methods mainly use heuristic or artificial intelligence algorithms to examine statistical features of selected links; they generally consider only part of the links, cannot effectively model the spatio-temporal characteristics of LFA, and depend heavily on expert experience.
In addition, the invention also provides equipment, which comprises a processor and a memory; the memory is used for storing a computer program, and the processor is used for executing the above-mentioned method for detecting the link flooding attack of the space-time graph neural network according to the computer program.
Likewise, the present invention also provides a computer-readable storage medium for storing a computer program for executing the above-mentioned method for detecting a flooding attack on a link of a space-time neural network.
In one embodiment, Fig. 5 shows the topology of a campus network connected to the Internet. Link L4 is located near the campus network's egress link and has high link utilization over the long term. Controlled hosts near Host2 can flood link L4 by accessing the Public server, causing a network outage for hosts near Host 1. The method of the invention can effectively model the spatio-temporal pattern of campus network traffic and effectively protect the campus network against LFA flooding attacks.
The preferred embodiments of the present invention have been described in detail with reference to the accompanying drawings, however, the present invention is not limited to the specific details of the above embodiments, and various simple modifications can be made to the technical solution of the present invention within the technical idea of the present invention, and these simple modifications are within the protective scope of the present invention.
It should be noted that the technical features described in the above embodiments can be combined in any suitable manner where no contradiction arises; to avoid unnecessary repetition, the possible combinations are not described separately.
In addition, any combination of the various embodiments of the present invention is also possible, and the same should be considered as the disclosure of the present invention as long as it does not depart from the spirit of the present invention.

Claims (10)

1. A method for detecting a link flooding attack of a space-time graph neural network, the method comprising:
S1, topology graph construction: modeling the network area to be protected as a graph suitable for LFA detection;
S2, feature extraction: selecting traffic features and statistical features suitable for LFA detection;
S3, constructing spatio-temporal traffic features with the STGCN model, and detecting LFA attacks with a classification network.
2. The method according to claim 1, wherein step S1 includes:
in an SDN scenario, the controller holds the global network topology; the global topology is abstracted, and the network to be protected is selected and defined as an undirected graph $G_S = (V_S, E_S, A_S)$, where $V_S$ is the finite set of nodes of the network to be protected, $|V_S| = N_S$, and $N_S$ is the number of nodes in $G_S$; $E_S$ is the set of links between the nodes of the network to be protected, $|E_S| = M_S$, and $M_S$ is the number of links in $G_S$;
Figure FDA0003631931310000011
is the adjacency matrix of $G_S$. Each link in $E_S$ is modeled as a node of the topology graph, and each connection between adjacent links is converted into an edge of the topology graph, giving $G_L = (V_L, E_L, A_L)$, where $V_L$ is the node set of the constructed topology graph, $|V_L| = M_S$, $E_L$ is the edge set of the constructed topology graph, and
Figure FDA0003631931310000018
is the adjacency matrix of $G_L$. The specific transformation process is as follows:
first, each edge in $E_S$ is labeled in order; then a zero matrix $A_L$ is constructed and the edges in the $A_S$ matrix are traversed, adjacent edges being assigned a value in the $A_L$ matrix, which yields the topology graph used for LFA detection.
3. The method according to claim 1, wherein step S2 includes:
using link traffic, link utilization, ABW, packet loss rate and RTT as the features for LFA detection, defined as
Figure FDA0003631931310000012
where
Figure FDA0003631931310000013
denotes the features of the i-th link at time t,
Figure FDA0003631931310000014
F is the number of features, F = 5,
Figure FDA0003631931310000015
and
Figure FDA0003631931310000016
respectively represent the link traffic, utilization, ABW, packet loss rate and RTT of the i-th link at time t; thus
Figure FDA0003631931310000017
Figure FDA0003631931310000021
which represents the features of all network links at time t, where
Figure FDA0003631931310000022
$X = (X_1, X_2, \ldots, X_\tau)^T$ is defined to represent all features of all nodes over the τ time slices,
Figure FDA0003631931310000023
Because network traffic features have not only spatial characteristics but also strong temporal characteristics, the temporal characteristics of the network links are further described: the default time interval is defined as 5 min and the window length as $T_p$; feature sequences at the minute level, day level and week level are extracted as the description of the time dimension and are defined as $X_m$, $X_d$ and
Figure FDA0003631931310000024
Figure FDA0003631931310000025
Figure FDA0003631931310000026
Figure FDA0003631931310000027
4. The method of claim 1, wherein in step S3 an attention-based spatio-temporal graph convolutional network (ASTGCN) is adopted: inputs of three dimensions are used to model the periodic dependence of the historical traffic at the minute level, hour level and day level respectively, the dynamic spatio-temporal correlation of the network traffic is captured, and a fully connected network is used for LFA attack detection.
5. The method according to claim 4, wherein step S3 includes:
in the spatial dimension, using an attention mechanism to adaptively capture the dynamic correlations between nodes;
taking layer r-1 at the minute scale as an example:
Figure FDA0003631931310000028
Figure FDA0003631931310000029
wherein,
Figure FDA00036319313100000210
represents the input of the r-th spatio-temporal block, $C_{r-1}$ is the number of input channels of the r-th layer, with $C_0 = F$ when $r = 1$; $T_{r-1}$ is the length of the time dimension at the r-th layer, with $T_0 = T_p$ when $r = 1$; $V_e$,
Figure FDA0003631931310000031
Figure FDA0003631931310000032
are learnable parameters; the spatial correlation matrix $S$ is determined dynamically by the varying input, and each element $S_{i,j}$ of $S$ represents the strength of dependence between times i and j. The normalized exponential (Softmax) function is used to normalize $S_{i,j}$, and the normalized spatial attention matrix is finally applied to the input.
6. The method according to claim 4, wherein step S3 further comprises:
in the time dimension, using an attention mechanism to adaptively assign different weights to data from different time periods;
taking the operation on layer r-1 at the minute scale as an example:
Figure FDA0003631931310000033
Figure FDA0003631931310000034
where $V_e$,
Figure FDA0003631931310000035
are learnable parameters; the temporal correlation matrix $E$ is determined by the varying input, and each element $E_{i,j}$ of $E$ represents the strength of dependence between times i and j. The Softmax function is used to normalize $E_{i,j}$, and the normalized temporal attention matrix is finally applied to the input, which gives:
Figure FDA0003631931310000036
7. The method according to claim 4, wherein step S3 further comprises:
processing the traffic information on each time slice with a graph convolution based on the spectral graph method, which handles the correlation of network traffic in the spatial dimension. In the spectral graph method, a graph is represented by its Laplacian matrix, and the properties of the graph structure can be obtained by analyzing the Laplacian matrix and its eigenvalues. The Laplacian matrix of the graph is defined as $L = D - A$, where $D$ is a diagonal matrix with $D_{ii} = \sum_j A_{ij}$ and $A$ is the adjacency matrix; it is normalized to
Figure FDA0003631931310000037
where $I_N$ is the identity matrix,
Figure FDA0003631931310000038
The eigenvalue decomposition of the Laplacian matrix is $L = U \Lambda U^T$, with $\Lambda = \mathrm{diag}([\lambda_0, \ldots, \lambda_{N-1}])$; by the properties of the Laplacian matrix, $U$ is an orthogonal matrix. The Fourier transform of a signal is
Figure FDA0003631931310000041
and the corresponding inverse transform is
Figure FDA0003631931310000042
Thus, the convolution of a signal $x$ on graph $G_L$ with a convolution kernel $g_\theta$ is obtained as:
$$g_\theta *_G x = g_\theta(L)x = g_\theta(U \Lambda U^T)x = U g_\theta(\Lambda) U^T x$$
where $*_G$ denotes the graph convolution operation. The convolution of graph signals equals the product of those signals after the graph Fourier transform into the spectral domain, so the above formula transforms $g_\theta$ and $x$ to the spectral domain separately via the Fourier transform, multiplies the results, and applies the inverse Fourier transform to obtain the final result of the convolution;
however, when the graph is large, a Chebyshev polynomial approximation is used:
Figure FDA0003631931310000043
where $\theta \in \mathbb{R}^K$ is the vector of polynomial coefficients,
Figure FDA0003631931310000044
$\lambda_{max}$ is the maximum eigenvalue of the Laplacian matrix, and the Chebyshev polynomials are defined recursively as $T_k(x) = 2xT_{k-1}(x) - T_{k-2}(x)$, with $T_0(x) = 1$ and $T_1(x) = x$. Using the Chebyshev polynomial expansion as an approximation corresponds to the convolution kernel $g_\theta$ extracting information from the 0th- to (K-1)th-order neighborhood of each node in the graph. The graph convolution uses the rectified linear unit (ReLU) as its final activation function, i.e. $\mathrm{ReLU}(g_\theta *_G x)$;
After the graph convolution has captured the neighborhood information of each node in the spatial dimension, a one-dimensional convolution in the time dimension updates the node's information, taking the operation on layer r at the minute scale as an example:
Figure FDA0003631931310000045
where the convolution symbol denotes the one-dimensional convolution operation, Φ is the temporal convolution kernel parameter, and the activation function is ReLU. Finally, the different outputs are fused, each part being given its own weight:
Figure FDA0003631931310000046
where the product symbol denotes the Hadamard product and $W_m$, $W_d$, $W_w$ are learnable parameters reflecting the degree of influence of the three temporal components on the prediction target. The mean square error (MSE) between the predicted and actual values is used as the loss function, and the model parameters are optimized by backpropagation.
8. The method of claim 4, wherein the spatio-temporal graph neural network method of step 3 is used to predict the network traffic behavior features
Figure FDA0003631931310000051
The real network traffic behavior features $X_{now}$ measured at the current moment and the predicted value
Figure FDA0003631931310000052
are subtracted, the result is fed into the fully connected LFA detection network, and the model parameters are optimized by backpropagation with cross-entropy as the loss function, so that LFA attacks can be detected accurately.
9. An apparatus, comprising a processor and a memory; wherein the memory is configured to store a computer program, and the processor is configured to execute the method for detecting a spatio-temporal neural network link flooding attack according to any one of claims 1-8 according to the computer program.
10. A computer-readable storage medium for storing a computer program for executing the method for detecting a time-space diagram neural network link flooding attack according to any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210494274.5A CN114900357A (en) 2022-05-07 2022-05-07 Method, equipment and storage medium for detecting flooding attack of time-space diagram neural network link


Publications (1)

Publication Number Publication Date
CN114900357A true CN114900357A (en) 2022-08-12

Family

ID=82720866



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220812