CN115603939A - Distributed denial of service attack detection method based on long-short term memory and attention model - Google Patents


Info

Publication number: CN115603939A
Authority: CN (China)
Prior art keywords: data, attack, host, packet, protocol
Legal status: Pending
Application number: CN202211018545.6A
Other languages: Chinese (zh)
Inventors: 洪榛, 黄圣豪, 温震宇, 雷自辉
Current Assignee: Zhejiang University of Technology ZJUT
Original Assignee: Zhejiang University of Technology ZJUT

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network

Abstract

The distributed denial of service attack detection method based on a long short-term memory and attention model detects distributed denial of service attacks in the network. The method builds a detection model aimed at the distributed denial of service attack problem, uses an effective traffic feature extraction method, and combines device monitoring with alarming, so that when an alarm is raised on abnormal traffic activity the input packets can be judged promptly, the specific DDoS attack type can be identified while the attack is under way, and more useful information is provided for designing the traffic filtering rules used to clean and filter abnormal traffic. In addition, because the switch can capture all packets passing through it, several devices can be protected by deploying a single detection host, which effectively saves the cost of deploying the detection model.

Description

Distributed denial of service attack detection method based on long-short term memory and attention model
Technical Field
The invention relates to the field of computer network security, in particular to a distributed denial of service attack detection method based on a long short-term memory and attention model.
Background
Distributed Denial of Service (DDoS) attacks refer to multiple attackers in different locations launching attacks on one or several targets at the same time. Because the points from which the attack is launched are distributed in different places, this type of attack is known as a distributed denial of service attack. DDoS attacks have been known for a long time and can threaten almost every area, including business, politics, finance and even the military. Distributed denial of service attacks have repeatedly made large websites inoperable, disrupting normal use by users, and the losses they cause are very large. Research on detection technology for distributed denial of service attacks is therefore significant.
When a distributed denial of service attack is carried out, the source IP address can be forged, so the attack is very well concealed while it takes place and is at the same time very difficult to detect; this makes it one of the attacks that are hard to defend against. Existing research has proposed many detection techniques for the DDoS attack problem, which can be divided into three overall strategies: device monitoring, session management, and traffic feature detection. Device monitoring observes data such as the Central Processing Unit (CPU) load of the server, the network bandwidth load of the server and the response time of the application, and can detect attacks of unknown type, but an abnormal change in the device alone cannot establish whether the change was caused by a DDoS attack, nor can it distinguish the type of attack. Session management detects TCP-based DDoS attacks well but detects UDP-based DDoS attacks poorly. Traffic feature detection is a knowledge-based detection method: the various features of known DDoS attacks are collected first, and the messages in the current network are then compared with the collected features. If the features match those of a DDoS attack, it can be detected that a DDoS attack is in progress. This detection method can accurately detect attack behaviour, distinguish the attack type and take corresponding countermeasures. Its drawbacks are that traffic feature extraction is difficult and that it performs poorly when a large number of zombie machines are used for the attack.
Therefore, designing a detection technique for distributed denial of service attacks based on the traffic feature strategy that can extract traffic features effectively is of great significance.
Disclosure of Invention
In order to overcome the shortcomings of the prior art, the invention provides a distributed denial of service attack detection method based on a long short-term memory and attention model, aiming at effective detection of distributed denial of service attacks.
To achieve this technical goal, the invention provides the following technical scheme:
A distributed denial of service attack detection method based on a long short-term memory and attention model comprises the following steps:
1) Construct a network structure for the distributed denial of service attack detection problem;
2) Carry out different kinds of DDoS attacks on a target host, the DDoS attacks comprising ICMP Flood, Smurf attack, SYN Flood and SYN-ACK Flood;
3) Capture and forward packets: acquire all input packets of the attacked host and forward them to the detection host;
4) Preprocess the data: the detection host converts the obtained packets into the model input format;
5) Train the model: input the prepared data set into the model for training;
6) Carry out attack detection: deploy the model on the detection host and detect network attacks in the network data stream.
Further, the network structure for the distributed denial of service attack detection problem in step 1) comprises a switch, a target host, a reflection amplification host, attack hosts, a client host and a detection host. These devices form the local area network; all hosts are connected directly to the switch to access the local area network and are not connected to each other. The detection host and the target host are connected to the same switch; the switch interconnects the physically connected devices in the network structure and also captures the packets forwarded through it to the target host and sends them to the detection host. The target host is configured to provide services to the other hosts, which can send messages to the target host in order to access it; the target host plays the role of the victim attacked by the other hosts. The attack hosts are able to run attack scripts, and the reflection amplification host can be configured during an attack as a server (such as a domain name server, a time server or a web server) that provides the reflection amplification effect for a DDoS attack. The client host is responsible for accessing the target host in a specified way during the attack in order to check whether the attack succeeded, and the detection host detects the data sent by the switch with the deployed detection algorithm.
Meanwhile, the network model for the distributed denial of service attack detection problem in step 1) has the following settings:
11) All devices in the network model are able to discover and connect to each other;
12) The performance of the switch is sufficient that the forwarding of packets to the detection host is not limited by bandwidth;
13) The attack host is not restricted by its own firewall when running a DDoS attack script against the target host;
14) The detection host does not communicate with any other device in the whole structure, apart from receiving the packets destined for the target host that the switch sends to it, so that it cannot itself be used as an amplifier for a DDoS attack;
15) The reflection amplification host does not use a firewall during operation.
In step 2), a DDoS attack is carried out on the target host of the network structure built in step 1): first, according to the DDoS attack type, a corresponding attack script is written and deployed on the attack hosts, and all attack hosts attack the target host in the same time period.
Further, in step 2), the specific steps of carrying out the DDoS attack on the target host are as follows:
21) After network deployment is complete, set the IP address and subnet mask of every device and disable automatic IP acquisition;
22) Write a corresponding attack script for each DDoS attack to be detected: write the script for the attack, run it on an attack host once it is finished, observe the performance of the target host (CPU load, traffic input and service response time), and debug the script according to the behaviour of the target host so as to achieve the best attack effect;
23) Configure the reflection amplification host: before a reflection-amplification-based DDoS attack script is run, configure the required reflection amplification host according to the requirements of the attack; for example, when a DNS amplification attack is run, configure the reflection amplification host as a domain name server;
24) Run the DDoS attack script on the attack hosts: deploy the debugged DDoS attack script on each attack host. All attack hosts run only the same attack at the same time, with the target IP address set to the IP address of the target host; while each attack runs, the client host accesses the target host over the same protocol as the attack type, and the attack counts as successful only if the client host cannot access the target host or the response of the target host shows obvious delay.
In step 3), on the switch, the packets forwarded to the target host are captured with tcpdump, and the packets are packaged and forwarded to the detection host.
In step 3), the packet acquisition specifically comprises the following steps:
31) Establish communication between the switch and the detection host: enable the SSH service of the switch, configure its IP, generate the encryption key and configure the SSH login password; install Xshell on the detection host and transfer the packets captured by the switch to the detection host over the SSH service enabled on the switch;
32) Configure the switch and detection host software: install tcpdump on the switch; install Wireshark on the detection host, connect to the switch remotely through Xshell and obtain root privileges on the switch;
33) Capture normal packets: enter, in Xshell on the detection host, the command that captures packets on the switch and sends them back to the local host, so that the packets input to the target host are captured by the tcpdump installed on the switch, transferred over SSH to Wireshark on the detection host and saved in a specified folder on the detection host. During the capture, all attack hosts and client hosts access the service provided by the target host in the normal way, and the duration of the whole capture is determined by the data requirement;
34) Attack the target host: with the switch forming the local area network, the physical connection between the local area network and the outside is disconnected, so that the external network cannot interfere with the attack process and the attack cannot interfere with the external network. After the normal packets of step 33) have been captured, the attacks of step 2) are carried out one per round: all attack hosts start attacking the target host at the same time, each attack lasts 1 hour, and then the next attack is carried out;
35) Capture the abnormal packets: during the attack, capture the abnormal packets with the same command used in step 33) for the normal packets, record the saved captures and note the corresponding attack type.
In step 4), the packets obtained in step 3) are made into the model input format and divided into a training set and a test set; the specific steps are as follows:
41) Classify the packets: divide the normal and abnormal packets obtained by capture according to the protocol type in the IP header (ICMP, UDP, IP-in-IP, TCP, etc.), sort the packets of the same protocol by capture time and put them in the same folder, and attach to each packet a label stating whether it is an abnormal packet, recorded as $y_{ij}$, where $y_{ij}$ takes only the two values 0 and 1, 0 denoting a normal packet and 1 an abnormal packet; i denotes the i-th protocol and j the j-th packet under that protocol;
42) Process the header of the packet's core protocol: extract information from the packets of each protocol type; taking the protocol type in the IP packet as the standard, extract the header of each packet of that protocol (ICMP, UDP, IP-in-IP, TCP, etc.) and store it as a binary number (the header length may differ between protocols but is the same within one protocol), recorded as $x_{ij0}$, where $x_{ij0}$ denotes the binary value stored in this step for each packet, i the i-th protocol and j the j-th packet under that protocol;
43) Process the Ethernet frame header and IP header of the packet: extract from the Ethernet frame header of each packet, as binary numbers, the destination MAC address (48 bits) and the source MAC address (48 bits), 96 bits in total; extract from the IP header of each packet, as binary numbers, the type of service (8 bits), identification (16 bits), flags (3 bits), fragment offset (13 bits), time to live (8 bits), source IP address (32 bits) and destination IP address (32 bits), 112 bits in total; store the two parts separately as $x_{ij1}$ and $x_{ij2}$, where $x_{ij1}$ denotes the binary value stored from the Ethernet frame header and $x_{ij2}$ the binary value stored from the IP header of each packet, i the i-th protocol and j the j-th packet under that protocol;
44) Process the data portion of the packet's core protocol: extract information from the packets of each protocol type; taking the protocol type in the IP packet as the standard, take the data portion of each packet of that protocol (ICMP, UDP, IP-in-IP, TCP, etc.), count how many times each hexadecimal digit 0 to F occurs in its hexadecimal encoding, and store the counts as the following matrix:
$$x_{ij3} = \begin{pmatrix} x_0 & x_1 & x_2 & x_3 \\ x_4 & x_5 & x_6 & x_7 \\ x_8 & x_9 & x_A & x_B \\ x_C & x_D & x_E & x_F \end{pmatrix}$$
where $x_{ij3}$ denotes the matrix stored in this step for each packet, with 4 rows and 4 columns; i denotes the i-th protocol and j the j-th packet under that protocol; $x_0, \ldots, x_F$ denote the counts of the hexadecimal digits 0 to F in the hexadecimal-encoded data portion (for example, $x_0$ is the number of hexadecimal digits 0);
45) Convolve the data: convert the data $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ stored in steps 42) and 43) into two-dimensional matrices of n × 16, 12 × 8 and 14 × 8 respectively, then apply different convolution computations to the three matrices to obtain three 4 × 4 matrices, and replace $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ with the convolved matrices;
46) Fuse the data: fuse the data $x_{ij0}$, $x_{ij1}$, $x_{ij2}$ and $x_{ij3}$ from steps 44) and 45) with the corresponding label $y_{ij}$ into the form
$$(x_{ij}, y_{ij})$$
where $x_{ij}$ (its composition is given as an image in the original) denotes the data extracted from the j-th packet of the i-th protocol, represented as a 4 × 4 matrix, and the label $y_{ij}$ states whether the j-th packet of the i-th protocol is an abnormal packet;
47) Make the data set: arrange the fused data $(x_{ij}, y_{ij})$ of step 46) in the order of capture time and separate them into normal and abnormal data; then, keeping the order within each class unchanged, randomly interleave the two classes to mix them, which gives the data set for that protocol:
$$D_i = (X_i, Y_i)$$
where $X_i = \{x_{ij}\}$, $Y_i = \{y_{ij}\}$, and i denotes the i-th protocol.
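The preprocessing of step 4) as an added example (not the patent's own code): a raw Ethernet/IPv4 frame is cut into the binary fields $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ of steps 42) and 43), the payload is reduced to the 4 × 4 hex-digit count matrix $x_{ij3}$ of step 44), and labelled frames are grouped per protocol and randomly interleaved without reordering within a class as in steps 41) and 47). The fixed core-header lengths, the row-major layout of the count matrix and all frame contents are assumptions constructed for the example; the convolution and fusion of steps 45) and 46) are not reproduced.

```python
"""Packet-to-feature preprocessing in the style of step 4) (steps 41)-44) and 47)).

Added example for this page, not the patent's own code.  A raw Ethernet/IPv4
frame is parsed into x_ij0 (core-protocol header), x_ij1 (MAC addresses, 96 bits),
x_ij2 (selected IP header fields, 112 bits) and the 4x4 hex-digit count matrix
x_ij3; labelled frames are then grouped into per-protocol sets D_i = (X_i, Y_i).
Steps 45)-46) (convolution and fusion) are model-specific and not reproduced.
"""
import random
import struct

# Fixed core-protocol header lengths in bytes, used to cut x_ij0.  The page only
# says the length is fixed within one protocol; these values are an assumption.
CORE_HEADER_LEN = {1: 8, 6: 20, 17: 8}   # ICMP, TCP (base header), UDP


def bits(data: bytes) -> str:
    """Binary-number representation used to store x_ij0, x_ij1 and x_ij2."""
    return "".join(f"{b:08b}" for b in data)


def hex_digit_matrix(payload: bytes) -> list:
    """Step 44): count the hex digits 0..F of the payload and lay the 16 counts
    out as a 4x4 matrix (row-major: x_0..x_3 first row, x_C..x_F last row)."""
    counts = [0] * 16
    for b in payload:
        counts[b >> 4] += 1      # high nibble
        counts[b & 0x0F] += 1    # low nibble
    return [counts[r * 4:(r + 1) * 4] for r in range(4)]


def extract_features(frame: bytes, y_ij: int) -> dict:
    """Steps 41)-44) for one frame: protocol class i, x_ij0..x_ij3 and label y_ij."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IP header length in bytes
    proto = ip[9]                        # IP protocol field selects class i
    if proto not in CORE_HEADER_LEN:
        raise ValueError(f"no fixed header length configured for protocol {proto}")
    hlen = CORE_HEADER_LEN[proto]
    l4 = ip[ihl:]
    return {
        "protocol": proto,
        "x_ij0": bits(l4[:hlen]),                     # core protocol header
        "x_ij1": bits(frame[0:12]),                   # dst MAC (48) + src MAC (48)
        # ToS(8) + ID(16) + flags/fragment offset(16) + TTL(8) + src(32) + dst(32)
        "x_ij2": bits(ip[1:2]) + bits(ip[4:9]) + bits(ip[12:20]),
        "x_ij3": hex_digit_matrix(l4[hlen:]),         # payload hex-digit counts
        "y_ij": y_ij,                                 # 0 = normal, 1 = abnormal
    }


def interleave_preserving_order(normal: list, abnormal: list, rng: random.Random) -> list:
    """Step 47): randomly merge the two classes without changing the order within
    either class (a random merge, not a full shuffle)."""
    out, i, j = [], 0, 0
    while i < len(normal) or j < len(abnormal):
        if i < len(normal) and (j >= len(abnormal) or rng.random() < 0.5):
            out.append(normal[i])
            i += 1
        else:
            out.append(abnormal[j])
            j += 1
    return out


def build_datasets(labelled_frames: list, seed: int = 0) -> dict:
    """Steps 41) and 47): group (frame, y_ij) pairs given in capture order by
    protocol i and return {protocol: (X_i, Y_i)}."""
    rng = random.Random(seed)
    by_proto = {}
    for frame, y in labelled_frames:
        f = extract_features(frame, y)
        by_proto.setdefault(f["protocol"], []).append(f)
    datasets = {}
    for proto, feats in by_proto.items():
        normal = [f for f in feats if f["y_ij"] == 0]
        abnormal = [f for f in feats if f["y_ij"] == 1]
        mixed = interleave_preserving_order(normal, abnormal, rng)
        X_i = [(f["x_ij0"], f["x_ij1"], f["x_ij2"], f["x_ij3"]) for f in mixed]
        Y_i = [f["y_ij"] for f in mixed]
        datasets[proto] = (X_i, Y_i)
    return datasets


def make_frame(proto: int, core_header: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 frame for the example (all addresses made up)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    total_len = 20 + len(core_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, total_len, 0x1234, 0x4000, 64,
                     proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + core_header + payload


UDP_HDR = struct.pack("!HHHH", 53, 40000, 12, 0)   # constructed UDP header (8 bytes)

if __name__ == "__main__":
    sample = extract_features(make_frame(17, UDP_HDR, b"ABCD"), 1)
    print(sample["protocol"], len(sample["x_ij0"]), len(sample["x_ij2"]), sample["x_ij3"])
```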
In step 5), the model is trained with the data set obtained in step 4), and the model parameters are tuned according to the test results; the specific steps are as follows:
51) Partition the data set: the data set $D_i$ generated for each protocol type in step 4) is divided, without disturbing its order, into 80% as the training set and 20% as the test set (the notation for the two subsets is given as images in the original);
52) Build the model: connect the LSTM and the AM (attention model) in parallel as follows: the input layers of the LSTM and the AM together form the input layer of the whole model, the outputs of the LSTM and the AM are added element-wise to give the output of the model, and the hidden layer of the model consists of the parallel hidden layers of the LSTM and the AM;
53) Train the model: initialize the model $m_i$ for the i-th protocol data set $D_i$, and set the number of training epochs, the batch size, the optimizer, the learning rate and the loss function; the optimizer is stochastic gradient descent, the learning rate follows a cosine schedule with an initial value of 0.1, and the loss function adds a regularization term with coefficient λ to the cross-entropy function; the training objective is expressed by the following formula:
[training objective: formula given as an image in the original]
where p(·) denotes the true label of the sample, q(·) the prediction probability of the model, $x_{ij}$ the input sample of protocol i, φ the model parameters and λ the regularization coefficient;
save the trained initial model $m_i$;
54) Tune the model: input the test set of the protocol (given as an image in the original) into the trained initial model $m_i$ and compute the accuracy of the corresponding predictions; adjust the model parameters, changing only one parameter at a time, train the model after each adjustment and then test it to obtain the accuracy of that set of parameters; repeat adjustment, training and testing until the set of parameters with the highest accuracy is found, and take the model $m_i$ under that set of parameters;
55) Obtain models for all protocol classes: repeat steps 53) and 54) for all captured and processed data sets to obtain the complete DDoS detection model $M = \{m_i\}$.
In step 6), the model is deployed in the switch and network attack detection is carried out on the network data stream; the specific steps are as follows:
61) Configure the target host traffic alarm system: install Nagios on the switch together with its add-on NRPE, and install Nagios and the dependencies needed for its web display on the detection host; configure the switch as the client and the detection host as the server, and monitor each port of the switch through Nagios; set a traffic alarm threshold and raise an alarm when the traffic exceeds it;
62) Establish a data retention mechanism: set Wireshark on the detection host to save files automatically, generating a new packet file for every 1 second of captured data and automatically deleting the earliest file once two data files exist;
63) Build the data preprocessing program: every second, automatically fetch the first file in the folder where Wireshark saves its files, process all packets captured in the latest 1 second according to step 4) to obtain data $X_i$ that can be input to the model, and extract the protocol field of the IP header of each packet to obtain the protocol code $c_{ij}$ of each packet, giving the data set $(X_i, C_i)$ where $C_i = \{c_{ij}\}$, i denotes the i-th protocol and j the j-th packet under that protocol; store the data in the folder holding the input data of the detection model;
64) Model optimization: write a protocol matching function and perform the corresponding detection once the protocol is matched, specifically: every 1 second, fetch the latest data $(X_i, C_i)$ from the folder storing the input data and use it as input to the detection model; for each $c_{ij}$ in the input data set $(X_i, C_i)$, match the protocol, find the data $(x_{ij}, c_{ij})$, and input $x_{ij}$ to the detection model $m_i$ of the i-th protocol class to obtain the detection result $y_{ij}$, which tells whether the data is abnormal data generated on the i-th protocol, thereby achieving detection;
65) Automated execution of the detection model: write a Python script that calls a module to open the target host traffic alarm system of step 61) and checks whether an alarm event occurs; if an alarm event occurs, the script enters a preset command into the Xshell software on the detection host, which has an SSH session with the switch, to capture the traffic input to the target host and return it to the detection host. Wireshark then saves the data automatically, the data preprocessing program runs, and the optimized model of step 64) is started.
The beneficial effects of the invention are as follows: a detection model aimed at the distributed denial of service attack problem is built, an effective traffic feature extraction method is used, and device monitoring is combined with alarming, so that when an alarm is raised on abnormal traffic activity the input packets can be judged promptly, the specific DDoS attack type can be identified while the attack is under way, and more useful information is provided for designing the traffic filtering rules used to clean and filter abnormal traffic. In addition, because the switch can capture all packets passing through it, several devices can be protected by deploying a single detection host, which effectively saves the cost of deploying the detection model.
Drawings
FIG. 1 is a diagram of a network model for the distributed denial of service attack detection problem;
FIG. 2 is a diagram of packet extraction processing during data processing;
FIG. 3 is a diagram of a neural network architecture of a detection model;
FIG. 4 is a flow chart of a detection model;
FIG. 5 is a flow chart of the method of the present invention.
Detailed Description
To describe the technical content of the invention more clearly, it is further described below with reference to specific examples.
Referring to FIG. 1 to FIG. 4, the distributed denial of service attack detection method based on a long short-term memory and attention model captures the packets input to the target host and uses a data processing scheme based on the network protocol format, which reduces data redundancy and retains the valid information more completely for the distributed denial of service attack detection problem. In the actual deployment of the model a traffic alarm system is used: when the input traffic of the target host reaches a certain threshold an alarm is raised, and packet capture and detection of the input traffic begin immediately. This allows a DDoS attack event to be judged promptly while avoiding the resource consumption of continuous long-term packet capture and detection. When the packet features are extracted, a parallel neural network structure based on long short-term memory and attention models extracts the data features effectively and improves the detection rate of DDoS attack events.
The method for detecting the distributed denial of service attack provided by the embodiment of the invention comprises the following steps:
Step 1) constructs a network structure for the distributed denial of service attack detection problem. The structure comprises a switch, a target host, a reflection amplification host, attack hosts, a client host and a detection host. These devices form the local area network; all hosts are connected directly to the switch to access the local area network and are not connected to each other. The detection host and the target host are connected to the same switch; the switch interconnects the physically connected devices in the network structure and also captures the packets forwarded through it to the target host and sends them to the detection host. The target host is configured to provide services to the other hosts, which can send messages to the target host in order to access it; the target host plays the role of the victim attacked by the other hosts. The attack hosts are able to run attack scripts, and the reflection amplification host can be configured during an attack as a server (such as a domain name server, a time server or a web server) that provides the reflection amplification effect for a DDoS attack. The client host is responsible for accessing the target host in a specified way during the attack in order to check whether the attack succeeded, and the detection host detects the data sent by the switch with the deployed detection algorithm. As shown in FIG. 1, the network model for the distributed denial of service attack detection problem in step 1) is described as follows:
11) All devices in the network model are able to discover and connect to each other;
12) The switch is able to forward the packets to the detection host without being limited by bandwidth;
13) The attack host is not restricted by its own firewall when running a DDoS attack script against the target host;
14) The detection host does not communicate with any other device in the whole structure, apart from receiving the packets destined for the target host that the switch sends to it, so that it cannot itself be used as an amplifier for a DDoS attack;
15) The reflection amplification hosts do not use firewalls during operation.
Step 2), the specific process of carrying out a DDoS attack on the target host is as follows:
21) After network deployment is complete, set the IP address and subnet mask of every device and disable automatic IP acquisition;
22) Write corresponding attack scripts for the DDoS attacks to be detected: write the script for the attack, run it on an attack host once it is finished, observe the performance of the target host (CPU load, traffic input and service response time), and debug the script according to the behaviour of the target host so as to achieve the best attack effect;
23) Configure the reflection amplification host: before a reflection-amplification-based DDoS attack script is run, configure the required reflection amplification host according to the requirements of the attack; for example, when a DNS amplification attack is run, configure the reflection amplification host as a domain name server;
24) Run the DDoS attack script on the attack hosts: deploy the debugged DDoS attack script on each attack host. All attack hosts run only the same attack at the same time, with the target IP address set to the IP address of the target host; while each attack runs, the client host accesses the target host over the same protocol as the attack type, and the attack counts as successful only if the client host cannot access the target host or the response of the target host shows obvious delay.
Step 3), the specific process of acquiring the data packet is as follows:
31) Establish communication between the switch and the detection host: enable the SSH service of the switch, configure its IP, generate the encryption key and configure the SSH login password; install Xshell on the detection host and transfer the packets captured by the switch to the detection host over the SSH service enabled in the switch;
32) Configure the switch and detection host software: install tcpdump in the switch; install the wireshark tool in the detection host, connect to the switch remotely through Xshell and obtain root permission on the switch;
33) Capture normal data packets: enter, in Xshell on the detection host, the command that captures packets in the switch and transfers them back locally, so that the data packets input to the target host are captured by the tcpdump installed on the switch, transferred over SSH to wireshark on the detection host and stored in a specified folder on the detection host. During this capture, all attack hosts and client hosts access the service provided by the target host in the normal way, and the duration of the whole capture is determined by the amount of data required;
34) Attack the target host: with the switch forming the local area network, disconnect the physical connection between the local area network and the outside, so that the external network cannot interfere with the attack process and the attack cannot interfere with the external network. After the normal capture of step 33) is completed, the attacks of step 2) are carried out one per round: all attack hosts start the same attack on the target host simultaneously, each attack lasts 1 hour, and then the next attack is carried out;
35) Capture abnormal data packets: during each attack, capture the abnormal data packets with the same command used for the normal packets in step 33), record the stored capture and note the corresponding attack type.
Step 4), make the data packets obtained in step 3) into the model input format and divide them into a training set and a test set. As shown in fig. 2, the specific process is as follows:
41) Classify the packets: divide the normal and abnormal data packets obtained by packet capture according to the protocol type carried in the IP header (ICMP, UDP, IP-in-IP, TCP, etc.), sort the packets of the same protocol by capture time, place them in the same folder, and attach to each packet the information of whether it is an abnormal packet, recorded as $y_{ij}$, where $y_{ij}$ takes only the two values 0 and 1 (0 represents a normal packet, 1 an abnormal packet), $i$ denotes the $i$-th protocol, and $j$ denotes the $j$-th packet under that protocol;
42) Process the header of the packet's core protocol: for the packets of each protocol, extract the header of each message using that protocol (ICMP, UDP, IP-in-IP, TCP, etc.) according to the protocol type in the IP packet, store it as a binary number (header lengths may differ between protocols, but are the same within one protocol), and record it as $x_{ij0}$, where $x_{ij0}$ denotes the binary value stored in this step for each packet, $i$ denotes the $i$-th protocol and $j$ the $j$-th packet under that protocol;
43) Process the Ethernet frame header and IP header of the packet: extract, in binary form, the destination MAC address (48 bits) and source MAC address (48 bits) of each packet's Ethernet frame header, 96 bits in total; extract, in binary form, the type of service (8 bits), identification (16 bits), flags (3 bits), fragment offset (13 bits), time to live (8 bits), source IP address (32 bits) and destination IP address (32 bits) of each packet's IP header, 112 bits in total; store the two parts separately and record them as $x_{ij1}$ and $x_{ij2}$, where $x_{ij1}$ denotes the binary value stored from the Ethernet frame header of each packet, $x_{ij2}$ the binary value stored from the IP header, $i$ denotes the $i$-th protocol and $j$ the $j$-th packet under that protocol;
44) Process the data portion of the packet's core protocol: for the packets of each protocol type, according to the protocol type in the IP packet, take the data portion of each message using that protocol (ICMP, UDP, IP-in-IP, TCP, etc.) and count, in its hexadecimal encoding, the number of occurrences of each digit 0-F; the counts are stored as the following matrix:
Figure RE-GDA0003936736200000141
where $x_{ij3}$ denotes the matrix stored in this step for each packet, consisting of 4 rows and 4 columns, $i$ denotes the $i$-th protocol, $j$ the $j$-th packet under that protocol, and $x_0 \sim x_F$ denote the number of each hexadecimal digit 0-F in the data portion (for example, $x_0$ is the number of hexadecimal digits 0 in the data portion);
45) Convolve the data: convert the data $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ stored in steps 42) and 43) into two-dimensional matrices of n × 16, 12 × 8 and 14 × 8 respectively, then apply a different convolution to each of the three matrices to obtain three 4 × 4 matrices, and replace $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ with the convolved matrices;
46) Fuse the data: fuse the data $x_{ij0}$, $x_{ij1}$, $x_{ij2}$ and $x_{ij3}$ stored in steps 44) and 45) with the corresponding label $y_{ij}$ to obtain the following form:
$(x_{ij}, y_{ij})$
where
Figure RE-GDA0003936736200000142
denotes the data extracted from the $j$-th packet of the $i$-th protocol, a 4 × 4 matrix, and the label $y_{ij}$ indicates whether the $j$-th packet of the $i$-th protocol is an abnormal packet;
47) Make the data set: arrange the fused data $(x_{ij}, y_{ij})$ of step 46) in capture-time order and separate them into normal and abnormal data; then, keeping the order within each class unchanged, randomly interleave the two classes so that they are mixed, which yields the data set for that protocol:
$D_i = (X_i, Y_i)$
where $X_i = \{x_{ij}\}$, $Y_i = \{y_{ij}\}$ and $i$ denotes the $i$-th protocol.
Step 5), training the model, and debugging the model parameters according to the test result, wherein the specific process is as follows:
51) Partition the data set: divide the data $D_i$ generated for each protocol type in step 4), without disturbing its order, into 80% as the training set (Figure RE-GDA0003936736200000143) and 20% as the test set (Figure RE-GDA0003936736200000144);
52 Building a model: as shown in fig. 3, the LSTM and AM algorithms are connected in parallel in the following manner: the input layers of the LSTM and the AM are used together as the input layer of the whole model, but the output layers of the LSTM and the AM are correspondingly added to obtain the output of the model, and the hidden layer of the model is obtained by parallel hidden layers of the LSTM and the AM;
53) Train the model: initialize the model $m_i$ for the $i$-th protocol data set $D_i$, and set the number of training epochs, batch size, optimizer, learning rate and loss function; the optimizer is stochastic gradient descent, the learning rate follows a cosine schedule with initial value 0.1, and the loss function is the cross-entropy function with an added regularization term weighted by $\lambda$; the model training objective is expressed by the following formula:
Figure RE-GDA0003936736200000151
where $p(\cdot)$ denotes the true label of a sample, $q(\cdot)$ the prediction probability of the model, $x_{ij}$ the samples input under protocol $i$, $\phi$ the model parameters and $\lambda$ the regularization coefficient.
After training, save the initial model $m_i$.
54) Debug the model: input the test data set corresponding to the protocol (Figure RE-GDA0003936736200000152) into the trained initial model $m_i$ and compute the accuracy of the corresponding predictions. Adjust the model parameters one at a time, retrain the model after each adjustment and test it to obtain the accuracy of that parameter set. Repeat the adjust-train-test cycle to find the parameter set with the highest accuracy, and take the model $m_i$ under that parameter set.
55) Obtain models for all protocol classes: repeat steps 53) and 54) for all captured and processed data sets to obtain the complete DDoS attack detection model $M$, where $M = \{m_i\}$.
Step 6), deploy the model in the switch and perform network attack detection on the network data flow. The specific process is as follows:
61) Configure the target-host traffic alarm system: install Nagios and its add-on program NRPE in the switch, and install Nagios and the dependencies needed for the web display in the detection host; configure the switch as the client and the detection host as the server, and monitor each port of the switch through Nagios; set a traffic alarm threshold and raise an alarm when the traffic exceeds it;
62) Establish a data retention mechanism: set wireshark on the detection host to save files automatically, generating a new capture file for every 1 second of captured data and automatically deleting the oldest file each time two data files exist;
63) Build the data preprocessing program: every second, automatically fetch the first file in the folder of wireshark's auto-saved files and process all packets captured in the latest 1 second according to step 4) to obtain data $X_i$ that can be input into the model; also extract the protocol field of each packet's IP header to obtain the protocol code $c_{ij}$ of each packet, giving the data set $(X_i, C_i)$, where $C_i = \{c_{ij}\}$, $i$ denotes the $i$-th protocol and $j$ the $j$-th packet under that protocol; the data are stored in the folder holding the detection model's input data;
64) Model optimization: write a protocol-matching function and execute the corresponding detection operation once the protocol is matched, as shown in the flowchart of fig. 4. Specifically: once every 1 second, fetch the latest data $(X_i, C_i)$ from the folder holding the input data and use it as input to the detection model. For each $c_{ij}$ in the input data set $(X_i, C_i)$, match the protocol to find the data $(x_{ij}, c_{ij})$, and input $x_{ij}$ into the detection model $m_i$ for protocol class $i$ to obtain the corresponding detection result $y_{ij}$; this determines whether the data is abnormal data generated under the $i$-th protocol, achieving detection.
65) Automated execution of the detection model: write a python script that calls the module, opens the target-host traffic alarm system of step 61) and checks whether an alarm event has occurred; if so, the command preset in the script is entered in the Xshell software of the detection host, which has an SSH session with the switch, to capture the traffic input to the target host and return it to the detection host. Then wireshark's automatic data saving is turned on, the data preprocessing program is run, and the optimized model of step 64) is started.

Claims (7)

1. The distributed denial of service attack detection method based on the long-short term memory and attention model comprises the following steps:
1) Constructing a network structure facing the detection problem of the distributed denial of service attack;
2) Carrying out different kinds of DDoS attacks on a target host, wherein the DDoS attacks comprise ICMP Flood, Smurf attack, SYN Flood and SYN-ACK Flood;
3) Capturing and forwarding the packet, acquiring all input data packets of the attacked host and forwarding the data packets to the detection host;
4) Preprocessing data, and making the obtained data packet into a format of model input by a detection host;
5) Training the model, inputting the prepared data set into the model for training;
6) Carrying out attack detection, deploying the model on a detection host, and carrying out network attack detection on the network data stream.
2. The distributed denial of service attack detection method according to claim 1, wherein the network structure for detecting the problem of distributed denial of service attack in step 1) comprises a switch, a target host, a reflection amplification host, an attack host, a client host and a detection host, and the above devices form a local area network, all hosts are directly connected to the switch to access the local area network, and the hosts are not connected to each other. The detection host and the target host are connected with the same switch, and the switch is used for realizing the function of interconnecting the physically connected devices in a network structure, and is also used for capturing and sending the data packet forwarded to the target host through the switch to the detection host. The target host provides services for other hosts through configuration, the other hosts can send messages to the target host to achieve the purpose of accessing, and the target host plays the role of a victim and is attacked by the other hosts. The attack host has the capability of running attack scripts, and the reflection amplification host can be configured as a server (such as a domain name server, a time server and a website server) in the attack process and provides a reflection amplification effect for DDoS attack; the client host is responsible for carrying out specific access on the target host in the attack so as to check whether the attack is successful or not, and the detection host detects the data sent by the switch through a deployed detection algorithm.
3. The distributed denial of service attack detection method of claim 2 based on long short term memory and attention model, further characterized by: in the step 2), carrying out DDoS attack on the target host of the network structure built in the step 1); firstly, according to the attack type of the DDoS, compiling a corresponding attack script and deploying the attack script on an attack host, wherein all the attack hosts attack a target host in the same time period; the specific steps of carrying out DDoS attack on the target host are as follows:
21) After the network deployment is completed, set the IP addresses and subnet masks of all devices and turn off automatic IP acquisition;
22) Write the attack scripts for the DDoS attacks that need to be detected: write a script for each attack, first run it on an attack host once written, observe the performance of the target host (CPU load, incoming traffic and service response time), and tune the script according to the target host's behaviour to achieve the strongest attack effect;
23) Configure the reflection amplification host: before a reflection-amplification DDoS attack script is run, configure the required reflection amplification host according to the attack. For example, when a domain name server amplification attack (DNS Amplification Attack) is run, configure the reflection amplification host as a domain name server;
24) Run the DDoS attack scripts on the attack hosts: deploy the tuned DDoS attack script on every attack host. All attack hosts run only the same attack at the same time, with the target IP address set to the IP address of the target host; while each attack is in progress, the client host accesses the target host over the same protocol as the attack type, and the attack is counted as successful only if the client host cannot access the target host or the target host's response shows an obvious delay.
4. The long-short term memory and attention model-based distributed denial of service attack detection method of claim 3, wherein: in the step 3), the data packet forwarded to the destination host is captured by tcpdump software in the switch, and the data packet is packaged and forwarded to the detection host, wherein the data packet collection comprises:
31) Establish communication between the switch and the detection host: enable the SSH service of the switch, configure its IP, generate the encryption key and configure the SSH login password; install Xshell on the detection host and transfer the packets captured by the switch to the detection host over the SSH service enabled in the switch;
32) Configure the switch and detection host software: install tcpdump in the switch, install the wireshark tool in the detection host, connect to the switch remotely through Xshell and obtain root authority on the switch;
33) Capture normal data packets: enter, in Xshell on the detection host, the command that captures packets in the switch and transfers them back locally, so that the data packets input to the target host are captured by the tcpdump installed on the switch, transferred over SSH to wireshark on the detection host and stored in a specified folder on the detection host. During this capture, all attack hosts and client hosts access the service provided by the target host in the normal way, and the duration of the whole capture is determined by the amount of data required;
34) Attack the target host: with the switch forming the local area network, disconnect the physical connection between the local area network and the outside, so that the external network cannot interfere with the attack process and the attack cannot interfere with the external network. After the normal capture of step 33) is completed, the attacks of step 2) are carried out one per round: all attack hosts start the same attack on the target host simultaneously, each attack lasts 1 hour, and then the next attack is carried out;
35) Capture abnormal data packets: during each attack, capture the abnormal data packets with the same command used for the normal packets in step 33), record the stored capture and note the corresponding attack type.
5. The distributed denial of service attack detection method of claim 4 based on long short term memory and attention models in which: in step 4), the data packet acquired in step 3) is made into a format of model input, and a training set and a test set are divided, and the specific steps are as follows:
41) Classify the packets: divide the normal and abnormal data packets obtained by packet capture according to the protocol type carried in the IP header (ICMP, UDP, IP-in-IP, TCP, etc.), sort the packets of the same protocol by capture time, place them in the same folder, and attach to each packet the information of whether it is an abnormal packet, recorded as $y_{ij}$, where $y_{ij}$ takes only the two values 0 and 1 (0 represents a normal packet, 1 an abnormal packet), $i$ denotes the $i$-th protocol, and $j$ denotes the $j$-th packet under that protocol;
42) Process the header of the packet's core protocol: for the packets of each protocol, extract the header of each message using that protocol (ICMP, UDP, IP-in-IP, TCP, etc.) according to the protocol type in the IP packet, store it as a binary number (header lengths may differ between protocols, but are the same within one protocol), and record it as $x_{ij0}$, where $x_{ij0}$ denotes the binary value stored in this step for each packet, $i$ denotes the $i$-th protocol and $j$ the $j$-th packet under that protocol;
43) Process the Ethernet frame header and IP header of the packet: extract, in binary form, the destination MAC address (48 bits) and source MAC address (48 bits) of each packet's Ethernet frame header, 96 bits in total; extract, in binary form, the type of service (8 bits), identification (16 bits), flags (3 bits), fragment offset (13 bits), time to live (8 bits), source IP address (32 bits) and destination IP address (32 bits) of each packet's IP header, 112 bits in total; store the two parts separately and record them as $x_{ij1}$ and $x_{ij2}$, where $x_{ij1}$ denotes the binary value stored from the Ethernet frame header of each packet, $x_{ij2}$ the binary value stored from the IP header, $i$ denotes the $i$-th protocol and $j$ the $j$-th packet under that protocol;
44) Process the data portion of the packet's core protocol: for the packets of each protocol type, according to the protocol type in the IP packet, take the data portion of each message using that protocol (ICMP, UDP, IP-in-IP, TCP, etc.) and count, in its hexadecimal encoding, the number of occurrences of each digit 0-F; the counts are stored as the following matrix:
Figure FDA0003813108400000031
where $x_{ij3}$ denotes the matrix stored in this step for each packet, consisting of 4 rows and 4 columns, $i$ denotes the $i$-th protocol, $j$ the $j$-th packet under that protocol, and $x_0 \sim x_F$ denote the number of each hexadecimal digit 0-F in the data portion (for example, $x_0$ is the number of hexadecimal digits 0 in the data portion);
45) Convolve the data: convert the data $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ stored in steps 42) and 43) into two-dimensional matrices of n × 16, 12 × 8 and 14 × 8 respectively, then apply a different convolution to each of the three matrices to obtain three 4 × 4 matrices, and replace $x_{ij0}$, $x_{ij1}$ and $x_{ij2}$ with the convolved matrices;
46) Fuse the data: fuse the data $x_{ij0}$, $x_{ij1}$, $x_{ij2}$ and $x_{ij3}$ stored in steps 44) and 45) with the corresponding label $y_{ij}$ to obtain the following form:
$(x_{ij}, y_{ij})$
where
Figure FDA0003813108400000041
denotes the data extracted from the $j$-th packet of the $i$-th protocol, a 4 × 4 matrix, and the label $y_{ij}$ indicates whether the $j$-th packet of the $i$-th protocol is an abnormal packet;
47) Make the data set: arrange the fused data $(x_{ij}, y_{ij})$ of step 46) in capture-time order and separate them into normal and abnormal data; then, keeping the order within each class unchanged, randomly interleave the two classes so that they are mixed, which yields the data set for that protocol:
$D_i = (X_i, Y_i)$
where $X_i = \{x_{ij}\}$, $Y_i = \{y_{ij}\}$ and $i$ denotes the $i$-th protocol.
6. The distributed denial of service attack detection method of claim 5 based on long short term memory and attention models in which: in step 5), training the model by using the data set obtained by processing in step 4), and debugging the model parameters according to the test result, wherein the method comprises the following specific steps:
51) Partition the data set: divide the data $D_i$ generated for each protocol type in step 4), without disturbing its order, into 80% as the training set (Figure FDA0003813108400000042) and 20% as the test set (Figure FDA0003813108400000045);
52 Building a model: connecting the LSTM and the AM algorithm in a parallel mode, wherein the connection mode is as follows: the input layers of the LSTM and the AM are used together as the input layer of the whole model, but the output layers of the LSTM and the AM are correspondingly added to obtain the output of the model, and the hidden layer of the model is obtained by parallel hidden layers of the LSTM and the AM;
53) Train the model: initialize the model $m_i$ for the $i$-th protocol data set $D_i$, and set the number of training epochs, batch size, optimizer, learning rate and loss function; the optimizer is stochastic gradient descent, the learning rate follows a cosine schedule with initial value 0.1, and the loss function is the cross-entropy function with an added regularization term weighted by $\lambda$; the model training objective is expressed by the following formula:
Figure FDA0003813108400000044
where $p(\cdot)$ denotes the true label of a sample, $q(\cdot)$ the prediction probability of the model, $x_{ij}$ the samples input under protocol $i$, $\phi$ the model parameters and $\lambda$ the regularization coefficient;
after training, save the initial model $m_i$;
54) Debug the model: input the test data set corresponding to the protocol (Figure FDA0003813108400000051) into the trained initial model $m_i$ and compute the accuracy of the corresponding predictions; adjust the model parameters one at a time, retrain the model after each adjustment and test it to obtain the accuracy of that parameter set; repeat the adjust-train-test cycle to find the parameter set with the highest accuracy, and take the model $m_i$ under that parameter set;
55) Obtain models for all protocol classes: repeat steps 53) and 54) for all captured and processed data sets to obtain the complete DDoS attack detection model $M$, where $M = \{m_i\}$.
7. The distributed denial of service attack detection method based on long-short term memory and attention models of claims 2, 3, 4, 5 and 6, characterized in that: in step 6), the model is deployed in the switch and network attack detection is performed on the network data flow, with the following specific steps:
61) Configure the target-host traffic alarm system: install Nagios and its add-on program NRPE in the switch, and install Nagios and the dependencies needed for the web display in the detection host; configure the switch as the client and the detection host as the server, and monitor each port of the switch through Nagios; set a traffic alarm threshold and raise an alarm when the traffic exceeds it;
62) Establish a data retention mechanism: set wireshark on the detection host to save files automatically, generating a new capture file for every 1 second of captured data and automatically deleting the oldest file each time two data files exist;
63) Build the data preprocessing program: every second, automatically fetch the first file in the folder of wireshark's auto-saved files and process all packets captured in the latest 1 second according to step 4) to obtain data $X_i$ that can be input into the model; also extract the protocol field of each packet's IP header to obtain the protocol code $c_{ij}$ of each packet, giving the data set $(X_i, C_i)$, where $C_i = \{c_{ij}\}$, $i$ denotes the $i$-th protocol and $j$ the $j$-th packet under that protocol; the data are stored in the folder holding the detection model's input data;
64) Model optimization: write a protocol-matching function and execute the corresponding detection operation once the protocol is matched; specifically: once every 1 second, fetch the latest data $(X_i, C_i)$ from the folder holding the input data and use it as input to the detection model. For each $c_{ij}$ in the input data set $(X_i, C_i)$, match the protocol to find the data $(x_{ij}, c_{ij})$, and input $x_{ij}$ into the detection model $m_i$ for protocol class $i$ to obtain the corresponding detection result $y_{ij}$; this determines whether the data is abnormal data generated under the $i$-th protocol, achieving detection;
65) Automated execution of the detection model: write a python script that calls the module, opens the target-host traffic alarm system of step 61) and checks whether an alarm event has occurred; if so, the command preset in the script is entered in the Xshell software of the detection host, which has an SSH session with the switch, to capture the traffic input to the target host and return it to the detection host. Then wireshark's automatic data saving is turned on, the data preprocessing program is run, and the optimized model of step 64) is started.
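The packet preprocessing of step 4) of the description and of claim 5, as an added Python example that is not part of the patent: from a raw Ethernet/IPv4 frame it builds the label y_ij, the core-protocol header bits x_ij0, the 96 Ethernet-address bits x_ij1, the 112 IP-header bits x_ij2 and the 4 × 4 hexadecimal-digit count matrix x_ij3, then interleaves the two classes in capture order as in step 47) and splits 80/20 without shuffling as in step 51). The core-protocol header lengths, the constructed sample frames and all function names are this example's assumptions, and the convolutions of step 45), which the page does not specify, are omitted.

```python
import random
import struct

# Core-protocol header lengths in bytes assumed for this example: ICMP 8, TCP 20 (no options), UDP 8.
# The page does not fix them; they stand in for "the header of each message using the protocol".
HEADER_LEN = {1: 8, 6: 20, 17: 8}


def bits(data: bytes) -> str:
    """Binary-number string of a byte sequence (the page stores fields as binary numbers)."""
    return "".join(f"{b:08b}" for b in data)


def ethernet_bits(frame: bytes) -> str:
    """x_ij1: destination MAC (48 bits) + source MAC (48 bits) = 96 bits."""
    return bits(frame[0:12])


def ip_fields_bits(ip: bytes) -> str:
    """x_ij2: TOS(8) + ID(16) + flags(3) + fragment offset(13) + TTL(8) + src(32) + dst(32) = 112 bits."""
    tos, ttl = ip[1], ip[8]
    ident = struct.unpack("!H", ip[4:6])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]       # 3 flag bits + 13 offset bits
    return f"{tos:08b}{ident:016b}{flags_frag:016b}{ttl:08b}" + bits(ip[12:20])


def hex_count_matrix(payload: bytes) -> list:
    """x_ij3: count of each hexadecimal digit 0..F in the data portion, as 4 rows x 4 columns."""
    counts = [0] * 16
    for digit in payload.hex():
        counts[int(digit, 16)] += 1
    return [counts[r * 4:(r + 1) * 4] for r in range(4)]


def extract(frame: bytes, label: int) -> tuple:
    """Steps 41)-44) for one Ethernet/IPv4 frame: returns (protocol number i, feature dict)."""
    ip = frame[14:]                                    # skip dst MAC, src MAC, EtherType
    ihl = (ip[0] & 0x0F) * 4                           # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    core = ip[ihl:total_len]                           # the encapsulated protocol message
    hlen = HEADER_LEN[proto]
    return proto, {
        "x_ij0": bits(core[:hlen]),                    # core-protocol header as binary number
        "x_ij1": ethernet_bits(frame),
        "x_ij2": ip_fields_bits(ip),
        "x_ij3": hex_count_matrix(core[hlen:]),        # hex-digit histogram of the data portion
        "y_ij": label,                                 # 0 normal, 1 abnormal
    }


def interleave(normal: list, abnormal: list, seed: int = 0) -> list:
    """Step 47): randomly cross the two classes while each class keeps its capture order."""
    rng = random.Random(seed)
    out, n, a = [], 0, 0
    while n < len(normal) or a < len(abnormal):
        take_normal = a >= len(abnormal) or (n < len(normal) and rng.random() < 0.5)
        if take_normal:
            out.append(normal[n]); n += 1
        else:
            out.append(abnormal[a]); a += 1
    return out


def build_dataset(frames_with_labels: list, seed: int = 0) -> dict:
    """Steps 41)-47) minus the convolution: {protocol i: interleaved feature dicts}.
    Frames must be given in capture order; each feature dict carries its label y_ij."""
    by_proto = {}
    for frame, y in frames_with_labels:
        proto, feats = extract(frame, y)
        by_proto.setdefault(proto, ([], []))[y].append(feats)   # index 0 normal, 1 abnormal
    return {p: interleave(nrm, abn, seed) for p, (nrm, abn) in by_proto.items()}


def split_80_20(d_i: list) -> tuple:
    """Step 51): 80% training / 20% test without disturbing the order."""
    k = int(len(d_i) * 0.8)
    return d_i[:k], d_i[k:]


def make_frame(proto: int, src: str, dst: str, core: bytes, ttl: int = 64, ident: int = 1) -> bytes:
    """Constructed Ethernet + IPv4 frame (checksum left 0, made-up MACs) for offline testing."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(core), ident, 0, ttl, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + core


# Constructed samples: an ICMP echo request with a zero payload (labelled normal) and one with an
# all-0xFF payload (labelled abnormal, as a packet recorded during an ICMP Flood round would be).
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
SAMPLE_NORMAL = make_frame(1, "10.0.0.2", "10.0.0.1", ICMP_ECHO + b"\x00" * 8)
SAMPLE_ABNORMAL = make_frame(1, "10.0.0.9", "10.0.0.1", ICMP_ECHO + b"\xff" * 8)

if __name__ == "__main__":
    d = build_dataset([(SAMPLE_NORMAL, 0), (SAMPLE_ABNORMAL, 1)])
    for proto, samples in d.items():
        train, test = split_80_20(samples)
        print(f"protocol {proto}: {len(samples)} packets, {len(train)} train / {len(test)} test")
        for s in samples:
            print(" y =", s["y_ij"], "| x_ij3 =", s["x_ij3"], "| bits(x_ij2) =", len(s["x_ij2"]))
```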
Publications (1)

Publication Number Publication Date
CN115603939A true CN115603939A (en) 2023-01-13

US20230199005A1 (en) Method and apparatus for detecting network attack based on fusion feature vector

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination