CN115065519B - Distributed side-end cooperative DDoS attack real-time monitoring method - Google Patents


Info

Publication number: CN115065519B
Authority: CN (China)
Prior art keywords: data, attack, real, ddos attack, model
Legal status: Active
Application number: CN202210647728.8A
Other languages: Chinese (zh)
Other versions: CN115065519A (en)
Inventors: 杜瑞忠, 李爽
Current Assignee: Hebei University
Original Assignee: Hebei University
Priority date and filing date: 2022-06-09
Application filed by Hebei University; application granted (CN115065519B), legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to a distributed side-end (edge server and device) cooperative DDoS attack real-time monitoring method. First, an edge server represents a model boundary with the k-means algorithm, constructs an independent identification and monitoring model group for each device by splitting the feature vector, and returns the parameters of the model group to the device. The device then monitors the data flows it generates in real time with the model group and submits any suspicious data to the server for analysis. Finally, the server performs fine-grained attack identification with a k-nearest neighbor algorithm extended with threshold selection and judgment. The invention can actively and promptly discover DDoS attacks in the edge environment, solving the missed detections caused by the shortening duration of DDoS attacks; building a single classification model per device by feature-vector splitting reduces the training and storage cost of the models; and fine-grained identification based on a distance threshold makes it possible to discover updated benign data and update the models dynamically.

Description

Distributed side-end cooperative DDoS attack real-time monitoring method
Technical Field
The invention relates to a DDoS attack detection technology, in particular to a distributed side-end cooperative DDoS attack real-time monitoring method.
Background
The internet of things is an emerging technology that provides uniform connectivity for devices with different functions and automates operation in fields ranging from daily life to critical infrastructure. These devices are an essential component of the intelligent environment infrastructure and take on the most basic yet indispensable tasks of sensing, actuation and control. However, the devices alone cannot fully accomplish the complex tasks required in the various intelligent environments, so internet of things devices need a high-performance computing platform to which computation can be offloaded and which assists them in making decisions.
The basic idea of edge computing is to employ a hierarchy of edge servers with enhanced computing capabilities to handle the heterogeneous computing tasks offloaded by internet of things devices, i.e. edge devices. Edge computing can provide location-aware, bandwidth-efficient, real-time, low-cost services and thus better support emerging smart city applications. However, the computing resources of the edge network are limited and easily exhausted, and the devices in the edge internet of things have a single function and a simple structure, which makes them easy for an attacker to compromise. One compromised device can infect a large number of identical devices to form a botnet and launch a large-scale DDoS attack; as the internet of things environment grows more complex, the duration of DDoS attacks is shortening, which greatly threatens the security of the edge internet of things.
Existing research on DDoS attack detection trains models with supervised machine learning algorithms and passively performs attack monitoring at fixed intervals. As the duration of DDoS attacks keeps shortening, such passive detection struggles to discover an attack in time, leading to missed detections; in addition, devices in the internet of things are frequently added and updated, and retraining a machine-learning multi-classifier for them incurs a large storage and computation cost. Moreover, existing detection schemes train on known normal data and attack data and have difficulty distinguishing updated data, which produces false alarms.
In view of this, a real-time monitoring model is needed that can be dynamically updated in an edge environment, accurately identify attack data and discover device updates, so that the model updates itself automatically, improving the performance of the detection model and the identification rate. This is a requirement for bringing edge DDoS attack detection into practical use.
Disclosure of Invention
The invention aims to provide a distributed side-end cooperative DDoS attack real-time monitoring method that solves the problems of existing DDoS detection schemes: difficulty in discovering attacks in time and difficulty in distinguishing updated data, which causes false alarms.
The invention is realized as follows: a distributed side-end cooperative DDoS attack real-time monitoring method comprising the following steps.
a. A set of behavior feature sub-vectors based on the data stream is constructed for each device.
b. Standardization and PCA dimension reduction are applied to the obtained behavior feature sub-vector set.
c. The value of the parameter k is determined by the elbow rule, and the processed feature sub-vector set is clustered with the k-means algorithm to obtain k cluster circles; the circumferences of the clusters together represent the boundary of the device in the spatial distribution and form a single classification model.
d. A k-NN classifier is trained with known attack data and benign data as training samples, and the maximum value of the attack threshold is determined to obtain a threshold-based fine-grained classification model.
e. The device monitors inbound and outbound data in real time with the single classification model and judges whether the data lies inside the boundary of the device's single classification model; if it does, the data is benign, otherwise the data proceeds to the threshold judgment of the next step.
f. The data is sent to the threshold-based fine-grained classification model for classification, a class is preliminarily determined, and it is calculated whether the distance between the data and the training sample points of the neighboring class exceeds the threshold; if it does not, the data is marked with that attack class, otherwise it is marked as updated benign data.
j. The updated benign data is stored on the server for subsequent model updates, and the update process repeats from step c.
In step a, the data streams are separated by network protocol, and the data stream parameters of each network protocol are extracted over the same time period.
The network protocols are the 9 kinds DNS/SSDP/NTP/Other UDP/TLS/HTTP/Other TCP/ARP/ICMP.
In step a, the data flow parameters of a protocol are the sizes and numbers of the local-side input and output data packets, and the sizes and numbers of the network-side input and output data packets.
In step a, packet statistics are collected for each network protocol over the same time t, and the parameters of all network protocols are combined into the feature vector X_i of the data stream. The feature vector X_i is divided into several sub-vectors according to the transport layer protocol, and in the same way the feature vector set D = [X_1, X_2, …, X_n] of the data stream is split into several feature sub-vector sets.
In step e, the detected data is processed according to steps a and b to obtain behavior feature sub-vectors. For each feature sub-vector x_i, the nearest cluster center O is found, R being the radius of that cluster, and the distance D = |O - x_i| is calculated: when D ≤ R the sub-vector is recorded as inside the boundary, otherwise as outside. After all feature sub-vectors have been tested, a probability set is obtained, from which the joint probability is calculated with the joint-probability formula and used as the confidence; when the confidence condition is met, the detected data belongs to the device.
In step d, the Euclidean distance matrix D_att between attack data and attack data and the Euclidean distance matrix D_ben between benign data and attack data are calculated. From each column of D_att and D_ben the k smallest values are selected, giving two reduced matrices, and the average of each column of these matrices gives two one-dimensional arrays. The threshold interval list T_List is determined from the overlapping region of the numerical distributions of the two arrays, its upper limit being the maximum value of one array and its lower limit taken from the other. If the two arrays have no overlapping interval, the maximum value of the attack array is taken as the optimal threshold T_p; otherwise candidate values are selected from T_List, their identification accuracies are compared, and the one with the highest accuracy is chosen as the final threshold T_p.
The invention is a distributed side-end (edge server and device) cooperative DDoS attack real-time monitoring method. First, the edge server represents a model boundary with the k-means algorithm, constructs an independent recognition and monitoring model group for each device by splitting the feature vector, and returns the parameters of the model group to the device. The device then monitors the data flows it generates in real time with the model group and submits any suspicious data to the server for analysis. Finally, the server performs fine-grained attack identification with a k-nearest neighbor algorithm extended with threshold selection and judgment: it identifies updated benign data and the specific categories of attack data, and stores the updated benign data on the server for model updating.
This distributed real-time attack monitoring scheme can actively and promptly discover DDoS attacks in the edge environment, solving the missed detections caused by the shortening duration of DDoS attacks; building a separate recognition and monitoring model group for each device by feature-vector splitting reduces the training and storage cost of the models; and fine-grained identification based on a distance threshold makes it possible to discover updated benign data and update the models dynamically.
Drawings
FIG. 1 is a diagram of a method system model of the present invention.
Fig. 2 is a flow chart of an algorithm implementation of the present invention.
FIG. 3 is a schematic diagram of a single classification model according to the present invention.
Detailed Description
As shown in fig. 1, the distributed side-end (edge server and device) cooperative DDoS attack real-time monitoring system comprises an edge server and internet of things devices. The edge server builds a separate identification model group for each internet of things device that joins the network and distributes the model to the edge device. The device uses the model to monitor inbound and outbound data in real time and, when suspicious data is found, submits it to the edge server for analysis. The edge server judges by the threshold whether the submitted data is update data or attack data, classifies and identifies attack data and applies the corresponding policy, and stores update data on the server for subsequent model updates.
As shown in fig. 2, the distributed side-end cooperative DDoS attack real-time monitoring method comprises the following steps.
Step 1, constructing a behavior feature sub-vector set based on the data flow for each device.
Different devices use different main protocols because their functions and manufacturers differ. Application-layer protocols carried over UDP and TCP account for the largest share of these. At the same time, the protocols also effectively distinguish different kinds of denial-of-service attacks, so the 9 protocols used most frequently in device exchanges were selected: DNS/SSDP/NTP/Other UDP/TLS/HTTP/Other TCP/ARP/ICMP.
For each protocol, its associated data stream parameters are extracted over the same time period.
These parameters combine an activity feature with a transmission direction: the activity feature consists of 2 parameters, average packet rate and average packet size, and the transmission direction has 4 cases, packets flowing into or out of the device, for network data and for local area network data. Each protocol thus corresponds to 2 × 4 = 8 feature parameters, and the 9 protocols give 72 feature dimensions in total.
Taking the DNS protocol as an example, within time t the sizes and numbers of the local DNS input and output data packets in the data stream are recorded, and likewise the sizes and numbers of the network (Internet) DNS input and output data packets. Dividing these quantities by the time t yields the 8 parameters of average packet size and average packet rate.
The other protocols are counted in the same way over the same time t. Each protocol corresponds to 8 parameters, and combining them gives a feature vector of dimension 8 × 9 = 72, as follows:
To enable feature splitting, the nine protocols are also grouped by transport layer protocol (UDP/TCP/ICMP/ARP), which separates the vector into the four sub-vectors V_1, V_2, V_3, V_4.
V_1: the protocol parameters of this sub-vector are the UDP protocols, namely DNS, SSDP, NTP and Other UDP. SSDP reflection attacks exploit the "multicast request, unicast response" behavior of SSDP, and an attack also produces abnormal responses in other UDP traffic.
V_2: the protocol parameters of this sub-vector are the TCP protocols, namely TLS, HTTP and Other TCP. TLS is widely used, but it is difficult to extract useful packet-level features from encrypted data, whereas flow-level features can effectively capture the behavior of the device from TLS traffic. TCP-SYN attacks and TCP-based reflection attacks are also the most common type of denial-of-service attack.
V_3: the Address Resolution Protocol (ARP) provides a simple mapping between IP addresses and hardware addresses; it is a basic protocol for device communication and one of the most commonly used protocols in internet of things device interaction. ARP spoofing attacks use the ARP protocol to launch attacks within the LAN.
V_4: the ICMP protocol can determine the state of a network connection, and an attacker can launch ping of death and Smurf attacks through weaknesses of this protocol.
The feature vector is split according to the transport layer protocol distinction above, so the feature vector:
can be further expressed as:
X = [V_1, V_2, V_3, V_4]
and split into four sub-feature vectors:
In the same way, the set D = [X_1, X_2, …, X_n] can be split into the four sub-vector sets D_udp, D_tcp, D_arp, D_icmp.
Step 2, establishing a single classification model.
Firstly, carrying out standardization and PCA dimension reduction processing on the obtained behavior feature sub-vector set.
And then determining the value of the parameter k through an elbow rule, clustering the processed feature sub-vector set by using a k-means clustering algorithm to obtain k clustering circles, wherein the circumferences of each cluster are combined to represent the boundary of the equipment in the space distribution, so as to form a single classification model.
In the present invention the k-means algorithm is not used for classification, but rather to represent the distribution boundaries of a single classification model. Clustering a data set generated by one device using the k-means algorithm results in k cluster circles, which all represent the distribution of the device in space because they belong to the same device, while the circumference represents the boundary of the spatial distribution of the device. Points inside the circumference represent data belonging to the device, and data outside the circumference do not belong to the device. As shown in fig. 3, which is a schematic diagram of the single classification model, the abscissa indicates the principal component features 1,2 after PCA processing, respectively.
The specific steps of model construction are as follows:
1) Firstly, carrying out standardization and PCA dimension reduction processing on the sub-vector set obtained in the step 1.
2) The value of the parameter k is determined by an elbow rule, and clustering is carried out by using a k-means clustering algorithm.
3) Recording the cluster parameters, giving a cluster set C = {C_1, C_2, …, C_n}. The j-th cluster of device M has two attributes {O, R}, where O is the center point and R is the radius.
4) Because the data is preprocessed during modeling, standardized parameters of the processed data and related parameters of a PCA algorithm also need to be recorded.
5) And finally returning the models with various parameters recorded.
The training algorithm for this model is as follows:
Step 3, training the k-NN classifier with known attack data and benign data as training samples, and determining the maximum value of the attack threshold to obtain a threshold-based fine-grained classification model.
The Euclidean distance matrix D_att between attack data and attack data and the Euclidean distance matrix D_ben between benign data and attack data are calculated. From each column of D_att and D_ben the k smallest values are selected, giving two reduced matrices, and the average of each column of these matrices gives two one-dimensional arrays. The threshold interval list T_List is determined from the overlapping region of the numerical distributions of the two arrays, its upper limit being the maximum value of one array and its lower limit taken from the other. If the two arrays have no overlapping interval, the maximum value of the attack array is taken as the optimal threshold T_p; otherwise candidate values are selected from T_List, their identification accuracies are compared, and the one with the highest accuracy is chosen as the final threshold T_p.
The specific model training algorithm is as follows:
definition table of important parameters
Step 4, the device monitors inbound and outbound data in real time with the single classification model and judges whether the data lies inside the boundary of the device's single classification model; if it does, the data is benign, otherwise the data proceeds to the threshold judgment of the next step.
The detected data is first processed according to step 1 to obtain behavior feature sub-vectors. For each feature sub-vector x_i, the nearest cluster center O is found, R being the radius of that cluster, and the distance D = |O - x_i| is calculated: when D ≤ R the sub-vector is recorded as inside the boundary, otherwise as outside. After all feature sub-vectors have been tested, a probability set is obtained, from which the joint probability is calculated with the joint-probability formula and used as the confidence.
When the confidence condition is met, the detected data belongs to the device and is marked as benign data; otherwise it is sent to the threshold judgment of the next step.
The specific algorithm of this process is as follows:
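As an added example (not the patent's own algorithm listing), the Python below builds the single classification model of Step 2 for each sub-vector set and runs the device-side boundary check of Step 4. It assumes that k is given rather than chosen by the elbow rule, that PCA is omitted, that a cluster's radius R is the largest distance from its center O to a member, and that the joint probability is the product of the per-sub-vector indicators; the device data are constructed.

```python
import math
import random


def dist(a, b):
    """Euclidean distance between two feature sub-vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=50, seed=0):
    """Plain Lloyd's k-means; k is assumed given (the page picks it by the elbow rule)."""
    rng = random.Random(seed)
    centers = [list(p) for p in rng.sample(points, k)]
    dim = len(points[0])
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda j: dist(p, centers[j]))].append(p)
        new = [[sum(p[d] for p in g) / len(g) for d in range(dim)] if g else centers[j]
               for j, g in enumerate(groups)]
        if new == centers:
            break
        centers = new
    return centers


def standardize_params(points):
    """Per-dimension mean and standard deviation, recorded with the model."""
    n, dim = len(points), len(points[0])
    mean = [sum(p[d] for p in points) / n for d in range(dim)]
    std = [math.sqrt(sum((p[d] - mean[d]) ** 2 for p in points) / n) or 1.0
           for d in range(dim)]
    return mean, std


def standardize(p, mean, std):
    return [(v - m) / s for v, m, s in zip(p, mean, std)]


def build_boundary_model(sub_vectors, k):
    """Single classification model for one sub-vector set: clusters {O, R}
    plus the standardization parameters needed to reuse it on the device."""
    mean, std = standardize_params(sub_vectors)
    z = [standardize(p, mean, std) for p in sub_vectors]
    centers = kmeans(z, k)
    nearest = [min(range(k), key=lambda j: dist(p, centers[j])) for p in z]
    clusters = []
    for j, c in enumerate(centers):
        # Assumption: R is the largest center-to-member distance of the cluster.
        radius = max((dist(p, c) for p, nj in zip(z, nearest) if nj == j), default=0.0)
        clusters.append({"O": c, "R": radius})
    return {"mean": mean, "std": std, "clusters": clusters}


def inside_boundary(model, sub_vector):
    """Indicator 1 when D = |O - x_i| <= R for the nearest cluster, else 0."""
    x = standardize(sub_vector, model["mean"], model["std"])
    best = min(model["clusters"], key=lambda c: dist(x, c["O"]))
    return 1 if dist(x, best["O"]) <= best["R"] else 0


def monitor(models, sample, confidence):
    """Device-side check: joint probability (assumed product) over all sub-vectors."""
    probs = [inside_boundary(models[name], sample[name]) for name in models]
    joint = 1.0
    for p in probs:
        joint *= p
    verdict = "benign" if joint >= confidence else "suspicious"
    return verdict, probs


# Constructed device traffic (2-D sub-vectors for two of the four sets).
_rng = random.Random(1)
DEVICE_UDP = ([[_rng.gauss(10, 1), _rng.gauss(2, 0.3)] for _ in range(30)]
              + [[_rng.gauss(30, 1), _rng.gauss(5, 0.3)] for _ in range(30)])
DEVICE_TCP = [[_rng.gauss(50, 2), _rng.gauss(8, 0.5)] for _ in range(60)]

MODELS = {"udp": build_boundary_model(DEVICE_UDP, k=2),
          "tcp": build_boundary_model(DEVICE_TCP, k=1)}

if __name__ == "__main__":
    print(monitor(MODELS, {"udp": DEVICE_UDP[0], "tcp": DEVICE_TCP[0]}, 1.0))
    print(monitor(MODELS, {"udp": [200.0, 50.0], "tcp": DEVICE_TCP[0]}, 1.0))
```

Only the suspicious sample (verdict "suspicious") would be forwarded to the edge server; the indicator list shows which sub-vector set fell outside its boundary.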
and 5, sending the data into a fine-grained classification model based on a threshold value for classification, primarily determining the class, calculating whether the distance from the data to the adjacent class training sample points exceeds the threshold value, marking the attack class if the distance from the data to the adjacent class training sample points does not exceed the threshold value, and otherwise marking the attack class as updated benign data.
The threshold judgment process comprises the following steps: performing traditional k-NN classification on the test data; calculating whether the distance between the same type of point closest to the same type of point exceeds a threshold value; if the threshold is not exceeded, the attack class is marked, otherwise it is marked as benign data. Since benign data at this time is not judged by the boundary but does not belong to attack data, it is regarded as updated benign data.
The algorithm flow of threshold judgment is shown in the following table:
From the data characteristics, similar data is concentrated in the multidimensional space, and the k-NN algorithm classifies data on this basis. Conversely, the larger the difference between data, the more spread out they are, i.e. the farther apart data of different categories lie.
From this we have devised a formula for determining the threshold:
k denotes the k nearest neighbors selected; the i-th of those k data points, and x_test the test data; the spatial distance between two data points, for which Euclidean, Manhattan, Chebyshev or another distance may be used; and P_R the average of the distances from the test data to its respective neighboring training data. P_R is calculated separately for the normal data and the attack data in the classifier, and the optimal threshold is selected from their respective distributions.
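As an added example (not the patent's algorithm table), the Python below carries out the threshold selection of Step 3 and the threshold judgment of Step 5 on constructed 2-D training data. It assumes that the overlap interval is [minimum of the benign array, maximum of the attack array], that P_R is averaged over the neighbors of the predicted class as Step 5 describes, and that the class names and validation set are invented.

```python
import math


def dist(a, b):
    """Euclidean distance (Manhattan or Chebyshev could be used instead)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def column_min_k_mean(rows, cols, k, exclude_self=False):
    """Distance matrix rows x cols, keep the k smallest values of each column
    and average them: this turns D_att / D_ben into the two 1-D arrays."""
    out = []
    for j, c in enumerate(cols):
        ds = sorted(dist(r, c) for i, r in enumerate(rows)
                    if not (exclude_self and i == j))
        out.append(sum(ds[:k]) / k)
    return out


def select_threshold(attack, benign, k, accuracy_fn):
    """Return (T_p, T_List); attack and benign are lists of feature vectors."""
    att_arr = column_min_k_mean(attack, attack, k, exclude_self=True)  # from D_att
    ben_arr = column_min_k_mean(benign, attack, k)                     # from D_ben
    low, high = min(ben_arr), max(att_arr)     # assumed overlap interval
    if low > high:
        return high, []                        # no overlap: max of attack array
    t_list = sorted({v for v in att_arr + ben_arr if low <= v <= high})
    return max(t_list, key=accuracy_fn), t_list


def knn_predict(train, query, k):
    """Classic k-NN vote plus P_R, the mean distance from the query to its
    nearest training points of the predicted class."""
    neigh = sorted(train, key=lambda s: dist(s[0], query))[:k]
    votes = {}
    for _, label in neigh:
        votes[label] = votes.get(label, 0) + 1
    label = max(votes, key=votes.get)
    same = [dist(x, query) for x, l in neigh if l == label]
    return label, sum(same) / len(same)


def threshold_classify(train, query, k, t_p):
    """Step 5: keep the k-NN class when P_R <= T_p, else it is updated benign data."""
    label, p_r = knn_predict(train, query, k)
    return label if p_r <= t_p else "updated_benign"


def accuracy(train, validation, k, t_p):
    hits = sum(threshold_classify(train, x, k, t_p) == y for x, y in validation)
    return hits / len(validation)


# Constructed training data: two attack classes and one benign class (2-D).
ATTACK = {
    "syn_flood":       [(0, 0), (1, 0), (0, 1), (1, 1)],
    "ssdp_reflection": [(10, 0), (11, 0), (10, 1), (11, 1)],
}
BENIGN = [(5, 10), (6, 10), (5, 11), (6, 11)]
TRAIN = [(x, c) for c, pts in ATTACK.items() for x in pts] + [(x, "benign") for x in BENIGN]
ATTACK_POINTS = [x for pts in ATTACK.values() for x in pts]

# Constructed validation set used to compare candidate thresholds by accuracy.
VALIDATION = [((0.5, 0.5), "syn_flood"), ((10.5, 0.5), "ssdp_reflection"),
              ((5, 10.5), "benign"), ((3, 3), "updated_benign")]
K = 2


def select_final_threshold():
    return select_threshold(ATTACK_POINTS, BENIGN, K,
                            lambda t: accuracy(TRAIN, VALIDATION, K, t))


if __name__ == "__main__":
    t_p, t_list = select_final_threshold()
    print("T_p =", t_p, "T_List =", t_list)
    for q, _ in VALIDATION:
        print(q, "->", threshold_classify(TRAIN, q, K, t_p))
```

With these data the attack and benign arrays do not overlap, so T_p is the maximum of the attack array; the point (3, 3) is nearest to the syn_flood samples but farther than T_p and is therefore reported as updated benign data.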
Step 6, the updated benign data is stored on the server for subsequent model updates, and the update process repeats from step 1. Specifically, on an update the interaction data of the device is collected again and modeled together with the benign data stored on the server that is marked as updated; the update process is the same as the modeling process. Because a device in the internet of things has a single function, rebuilding the whole model takes little time.
The boundary model models the normal behavior of the device, but devices in the internet of things are updated frequently and their behavior can change, so the boundary model must be updated to keep the model accurate.
The invention builds a behavior model for each device, which can be used to monitor the device's behavior and detect anomalies. Each model identifies only its own device, so the selected features must describe the device's behavior accurately. Flow-based features greatly reduce the data volume and avoid the problem that features cannot be extracted from encrypted data.
The DDoS attack real-time monitoring of the present invention works in the edge internet of things environment, and by describing the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general hardware platform. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
What is not described in detail in this specification belongs to the prior art known to those skilled in the art.
The above-described embodiments are merely preferred embodiments for fully explaining the present invention, and the scope of the present invention is not limited thereto. Equivalent substitutions and modifications will occur to those skilled in the art based on the present invention, and are intended to be within the scope of the present invention. The protection scope of the invention is subject to the claims.

Claims (7)

1. A DDoS attack real-time monitoring method of distributed side-end cooperation is characterized by comprising the following steps:
a. constructing a behavior feature sub-vector set based on the data flow for each device;
b. carrying out standardization and PCA dimension reduction treatment on the obtained behavior feature sub-vector set;
c. determining the value of a parameter k through an elbow rule, clustering the processed feature sub-vector set by using a k-means clustering algorithm to obtain k clustering circles, wherein the circumferences of each cluster are combined to represent the boundary of the equipment in space distribution, so as to form a single classification model;
d. training a K-NN classifier by using known attack data and benign data as training samples, and determining the maximum value of an attack threshold value to obtain a fine granularity classification model based on the threshold value;
e. the equipment monitors inflow and outflow data in real time by using the single classification model, judges whether the data is positioned in the boundary of the single classification model of the equipment, if the data is positioned in the boundary of the single classification model of the equipment, the data is benign data, otherwise, the next threshold judgment is carried out;
f. sending the data into a fine-grained classification model based on a threshold value for classification, preliminarily determining the class, calculating whether the distance between the data and the adjacent class training sample points exceeds the threshold value, marking the attack class if the distance does not exceed the threshold value, and otherwise marking the attack class as updated benign data;
j. the updated benign data is stored in the server for subsequent model updates, and the update process repeats step c.
2. The method for monitoring DDoS attack in real time by distributed edge coordination according to claim 1, wherein in step a, data flows are distinguished according to network protocols, and data flow parameters related to each network protocol are extracted in the same time period.
3. The distributed peer-to-peer collaborative DDoS attack real-time monitoring method according to claim 2, wherein the network protocol comprises 9 kinds of DNS/SSDP/NTP/Other UDP/TLS/HTTP/Other TCP/ARP/ICMP.
4. The method for real-time monitoring distributed edge-coordinated DDoS attack according to claim 2, wherein in step a, the data flow parameters include sizes of protocol local input data packets and output data packetsQuantity-> And the size of the network input data packet and the output data packet +.>Quantity->
5. The method for real-time monitoring distributed edge-coordinated DDoS attack according to claim 1, wherein in step a, parameter statistics are performed on the data packets of each network protocol within the same time $t$, and the parameters of all network protocols are combined to obtain the feature vector $X_i$ of the data flow; the feature vector $X_i$ is divided into a plurality of sub-vectors according to the different transport-layer protocols, and similarly the feature vector set $D = [X_1, X_2, \dots, X_n]$ of the data flows is split into a number of feature sub-vector sets.
6. The distributed peer-to-peer collaborative DDoS attack real-time monitoring method according to claim 1, wherein in step e, the detected data is processed according to steps a and b to obtain behavior feature sub-vectors; for each feature sub-vector $x_i$ the nearest cluster center $O$ is found, with $R$ the radius of that cluster, and the distance $D = |O - x_i|$ between the cluster center and the sub-vector is calculated; when $D \le R$ the sub-vector is assigned one probability value and otherwise the other; after all feature sub-vectors have been tested, a probability set is obtained, from which the joint probability is calculated by the formula of the claim and used as the confidence; when the confidence satisfies the condition of the claim, the detected data is determined to belong to the device.
7. The distributed peer-to-peer collaborative DDoS attack real-time monitoring method according to claim 1, wherein in step d, the Euclidean distance matrix $D_{att}$ between the attack data and the attack data and the Euclidean distance matrix $D_{ben}$ between the benign data and the attack data are calculated respectively; the smallest $k$ values are selected from each column of $D_{att}$ and $D_{ben}$ to obtain two reduced matrices; the average value of each column of these matrices is then calculated to obtain two one-dimensional arrays; the threshold interval list $T_{List}$ is determined from the overlapping region of the numerical distributions of the two arrays, its upper limit being the maximum value of one array and its lower limit being taken from the other; if there is no overlapping interval between the two arrays, the maximum value of the attack array is taken as the optimal threshold $T_p$; values are selected from the list $T_{List}$ for comparison of identification accuracy, and the value with the highest accuracy is selected as the final threshold $T_p$.
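The threshold selection of claim 7 together with the threshold judgment of step f, worked through in Python on constructed feature vectors; this is an added example, not code from the patent. It assumes that the overlap interval is [minimum of the benign array, maximum of the attack array], that the candidate thresholds are the array values inside that interval, that the zero self-distance is dropped from the attack-versus-attack columns, and that a sample whose mean distance to its k nearest attack training points does not exceed the threshold is marked as attack.

```python
"""Threshold selection (claim 7) and threshold judgment (step f).

Added example, not the patent's own code. Assumptions: overlap interval is
[min(benign array), max(attack array)]; candidate thresholds are the array
values inside it; self-distance is left out of attack-vs-attack columns;
"attack" means mean k-NN distance to attack training points <= threshold.
"""
import math

# Constructed 2-D feature vectors (e.g. packet count, byte count), not real data.
ATTACK_TRAIN = [(0, 0), (3, 0), (0, 4), (3, 4), (6, 0)]
BENIGN_TRAIN = [(1.5, 2), (-2, 2), (6, 4), (10, 10)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_mean_distances(samples, attack_train, k, same_set=False):
    """Column means of the k-smallest-values matrix built from D_att or D_ben.
    same_set=True drops the zero self-distance (assumption, see docstring)."""
    out = []
    for i, s in enumerate(samples):
        dists = sorted(euclid(s, t) for j, t in enumerate(attack_train)
                       if not (same_set and i == j))
        out.append(sum(dists[:k]) / k)
    return out


def accuracy(threshold, att_arr, ben_arr):
    """Attack samples should fall at or below the threshold, benign above it."""
    hits = sum(d <= threshold for d in att_arr) + sum(d > threshold for d in ben_arr)
    return hits / (len(att_arr) + len(ben_arr))


def select_threshold(attack_train, benign_train, k=2):
    """Return (final threshold T_p, candidate list T_List) as in claim 7."""
    att_arr = knn_mean_distances(attack_train, attack_train, k, same_set=True)
    ben_arr = knn_mean_distances(benign_train, attack_train, k)
    upper, lower = max(att_arr), min(ben_arr)   # overlap bounds (assumption)
    if lower > upper:                            # no overlap: attack max is T_p
        return upper, [upper]
    t_list = sorted({v for v in att_arr + ben_arr if lower <= v <= upper})
    best = max(t_list, key=lambda t: accuracy(t, att_arr, ben_arr))
    return best, t_list


def classify(sample, attack_train, threshold, k=2):
    """Step f: distance to adjacent attack training points vs. threshold."""
    d = knn_mean_distances([sample], attack_train, k)[0]
    return "attack" if d <= threshold else "benign"
```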
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210647728.8A CN115065519B (en) 2022-06-09 2022-06-09 Distributed side-end cooperative DDoS attack real-time monitoring method

Publications (2)

Publication Number Publication Date
CN115065519A CN115065519A (en) 2022-09-16
CN115065519B true CN115065519B (en) 2023-08-15

Family

ID=83200292

Country Status (1)

Country Link
CN (1) CN115065519B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108183917A (en) * 2018-01-16 2018-06-19 中国人民解放军国防科技大学 DDoS attack cross-layer cooperative detection method based on software defined network
CN111614627A (en) * 2020-04-27 2020-09-01 中国舰船研究设计中心 SDN-oriented cross-plane cooperation DDOS detection and defense method and system
CN113630420A (en) * 2021-08-17 2021-11-09 昆明理工大学 SDN-based DDoS attack detection method
KR20220071878A (en) * 2020-11-24 2022-05-31 서울대학교산학협력단 Method and apparatus for detecting attack in network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9635050B2 (en) * 2014-07-23 2017-04-25 Cisco Technology, Inc. Distributed supervised architecture for traffic segregation under attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Identification of IoT Devices Based on Feature Vector Split; Du Ruizhong, Li Shuang; 26th IEEE Symposium on Computers and Communications; 1-10 *

Also Published As

Publication number Publication date
CN115065519A (en) 2022-09-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant