CN116614265A - Point cloud characteristic enhanced block chain DDoS attack classification and segmentation method - Google Patents
Point cloud characteristic enhanced blockchain DDoS attack classification and segmentation method
- Publication number: CN116614265A (application CN202310510837.XA)
- Authority: CN (China)
- Legal status: Pending (status as assumed by Google, not a legal conclusion)
Classifications
- H04L63/1458—Denial of Service (under H04L63/14, network security for detecting or protecting against malicious traffic, and H04L63/1441, countermeasures against malicious traffic)
- H04L9/40—Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements using hash chains, e.g. blockchains or hash trees
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The embodiment of the application discloses a point cloud characteristic enhanced blockchain DDoS attack classification and segmentation method in the technical field of network security. The method comprises the following steps: based on the CIC-DDoS2019 data set, acquiring data of a plurality of DDoS attack types and establishing a data set with the DDoS attack types; preprocessing the data of the CIC-DDoS2019 data set other than the data of the plurality of DDoS attack types to obtain first data with effective characteristics; inputting the first data with the effective characteristics into a decision tree model for screening to obtain second data with key characteristics; generating a DDoS real-time detection data set from the second data with key characteristics and the data set with DDoS attack types; inputting the second data with key characteristics into the point cloud network, enhancing the point cloud characteristics and establishing a detection model; and inputting the DDoS real-time detection data set into the detection model to obtain classification and segmentation results for DDoS attack traffic. The embodiment of the application can therefore effectively classify and segment DDoS attacks in a distributed network environment.
Description
Technical Field
The application relates to the technical field of network security, in particular to a point cloud characteristic enhanced blockchain DDoS attack classification and segmentation method.
Background
Blockchains are built on peer-to-peer (P2P) network structures with a mesh topology. In a blockchain network, each node may act as both a client and a server; since every node can send and receive data, traffic is not concentrated as in client-server networks but is distributed across all network nodes. Because of this distributed architecture there are many connection points, which may leave some network nodes more exposed to attack. Furthermore, since the blockchain system provides a shared database, an attacker can quickly obtain all system-related data in order to attack the system more effectively.
DDoS attacks are one of the most significant risks to blockchain security: the attacker tries to flood a network or server with traffic from many sources in order to break the service. DDoS attacks in the blockchain ecosystem have different features from those in a typical network environment. Compared with a traditional network environment, an attacker can use a large number of nodes under its control to launch the attack, flood the inbound connections of the target nodes and finally paralyse the network. Furthermore, an attacker may exploit network congestion to interfere with the proper functioning of the network and reduce node availability and reliability.
In recent years, artificial intelligence algorithms have become one of the candidate options for identifying DDoS attacks. Existing frameworks aim at high accuracy and lightweight algorithms for detecting emerging DDoS attacks; they detect DDoS attacks with machine learning algorithms and Bloom filters, but do not perform the multi-class classification that security professionals need in order to identify the DDoS attack type. Moreover, DDoS attacks in blockchain ecosystems are often concurrent, with several different attack types occurring at the same time, and current DDoS detection techniques cannot properly distinguish the different forms of attack, including LDAP, MSSQL, netBIOS, portmap, syn, UDP, UDPLag and others. In a blockchain scenario, a normal node and a node under DDoS attack exist in the same network and both communicate with other nodes. Because the node under DDoS attack cannot work normally and cannot process transaction requests from other nodes in time, the efficiency of the whole network is reduced and the stability of the blockchain is affected.
Disclosure of Invention
In order to solve the existing technical problems, the embodiment of the application provides a method for classifying and segmenting blockchain DDoS attacks with enhanced point cloud characteristics. The technical scheme is as follows:
In a first aspect, a method for classifying and partitioning a blockchain DDoS attack with enhanced point cloud features is provided, the method including:
based on the CIC-DDoS2019 data set, acquiring data of a plurality of DDoS attack types, and establishing a data set with the DDoS attack types;
preprocessing data except the data of the plurality of DDoS attack types in the CIC-DDoS2019 data set to obtain first data with effective characteristics;
inputting the first data with the effective characteristics into a decision tree model for screening to obtain second data with key characteristics;
generating a DDoS real-time detection data set according to the second data with the key characteristics and the data set with the DDoS attack type;
inputting the second data with the key characteristics to the point cloud, enhancing the point cloud characteristics, establishing a detection model, inputting the DDoS real-time detection data set to the detection model, and obtaining classification and segmentation results of DDoS attack flow.
Further, the data set with DDoS attack types includes a subset with DDoS attack types and a subset without DDoS attack types, where each of the two subsets accounts for half of the data in the data set with DDoS attack types.
Further, the subset with DDoS attack types includes at least seven attack types, and the subset without DDoS attack types includes at least one type.
Further, preprocessing the data of the CIC-DDoS2019 data set other than the data of the plurality of DDoS attack types includes: deleting data containing null values or zero values and deleting features that never change, to obtain first features; removing useless features from the first features to obtain second features; and, based on the second features, computing the correlation among the features and deleting the remaining features with high correlation, to obtain the first data with the effective characteristics.
Further, inputting the first data with the effective characteristics into the decision tree model for screening comprises: the decision tree model is trained on the first data with the effective characteristics, and the first data is grouped according to the feature importance obtained from the training result, giving the second data with the key characteristics.
Further, each feature of the second data with the key characteristics is normalized.
Further, the DDoS real-time detection dataset includes at least fourteen feature data and eight tag types.
Further, the detection model performs the classification and the segmentation of DDoS attack traffic simultaneously.
In a second aspect, a computer readable storage medium is provided, wherein at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the storage medium, and the at least one instruction, the at least one program, the set of codes, or the set of instructions are loaded and executed by a processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method according to any of claims 1 to 7.
In a third aspect, a computer device is provided, wherein the computer device includes a processor and a memory, the memory storing at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any of claims 1-7.
The technical scheme provided by the embodiment of the application has the following beneficial effects: the point cloud feature enhanced blockchain DDoS attack classification and segmentation method investigates typical and abnormal traffic patterns with deep learning on the CIC-DDoS2019 data set. The data is processed and screened with statistical techniques, the features are screened with a decision tree method, and the improved point cloud network then classifies whether a DDoS attack is present. This provides a multi-dimensional, accurate and effective DDoS attack classification and segmentation method for the blockchain environment, which helps to maintain the stability and safety of a blockchain system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a method for classifying and partitioning a blockchain DDoS attack with enhanced point cloud features according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a feature screening flow based on decision trees according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a data set with random sample data values and tag values provided by an embodiment of the present application;
Fig. 4 is a schematic diagram of an improved point cloud network structure according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application as detailed in the accompanying claims.
In the description of the present application, it should be understood that the terms "first," "second," "third," and the like are used merely to distinguish between similar objects and are not necessarily used to describe a particular order or sequence, nor should they be construed to indicate or imply relative importance. The specific meaning of the above terms in the present application can be understood by those of ordinary skill in the art according to the specific circumstances. Furthermore, in the description of the present application, unless otherwise indicated, "a plurality" means two or more.
As shown in fig. 1, an embodiment of the present application provides a method for classifying and partitioning a blockchain DDoS attack with enhanced point cloud features, the method includes the following steps:
S101, acquiring data of a plurality of DDoS attack types based on the CIC-DDoS2019 data set, and establishing a data set with the DDoS attack types.
In a blockchain scenario, normal nodes and nodes under DDoS attack exist in the same network and both communicate with other nodes. However, since a node under DDoS attack cannot work normally and cannot process transaction requests from other nodes in time, the efficiency of the whole network drops and the stability of the blockchain is affected. The CIC-DDoS2019 dataset is a dataset built for detecting DDoS attacks; because of its high diversity it represents real-world conditions more accurately, so a model developed on the CIC-DDoS2019 dataset is better suited to identifying various DDoS attacks. First, a subset of DDoS attack entries is randomly selected from the CIC-DDoS2019 dataset and a dataset with DDoS attack types is created. Half of its entries carry a DDoS attack and half do not: the entries without a DDoS attack comprise 10500 records with the BENIGN tag, and the entries with a DDoS attack comprise 1500 records with the following tags: LDAP, MSSQL, netBIOS, portmap, syn, UDP and UDPLag.
S102, preprocessing data except the data of the plurality of DDoS attack types in the CIC-DDoS2019 data set to obtain first data with effective characteristics.
The 87 feature quantities of the CIC-DDoS2019 data set other than the DDoS attack type data are preprocessed as follows. First, each record is verified and records with zero values or null values are deleted. Second, the 12 features that never change, such as BwdPSHFlags, FwdURGFlags and PSHFlagCount, are deleted to obtain the first features. Third, based on the first features, the 6 feature quantities that carry no useful statistical correlation and are not used for model training, namely FlowID, SourceIP, DestinationIP, Timestamp, SimilarHTTP and Unnamed:0, are removed to obtain the second features. Fourth, based on the second features, the correlation between the feature quantities is computed and the 30 redundant feature quantities whose correlation is higher than 0.9, such as the total length of Bwd packets and the corresponding Fwd feature, are deleted. After the further removal of FwdPSHFlags, SynFlagCount, CWEFlagCount and the like, only 29 feature quantities are retained as valid features, including ActiveMean, ActiveStd, ActiveMax, ActiveMin and IdleStd and an additional zero value.
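The cleaning steps of S102 (drop records with null or zero values, drop constant features, drop identifier features, drop features whose correlation with a retained feature exceeds 0.9) as an added Python example; this is not the patent's code, and the flow table, its column names and the reading of "zero-value data" as all-zero records are assumptions made here.

```python
# Added example, not from the patent: the S102 cleaning steps on a small
# constructed flow table. Column names follow the CIC-DDoS2019 naming style;
# all rows and values below are constructed, not real captures.
import math

# Identifier-like columns the patent removes before training (S102).
ID_FEATURES = {"FlowID", "SourceIP", "DestinationIP", "Timestamp", "SimilarHTTP", "Unnamed:0"}
CORRELATION_THRESHOLD = 0.9   # redundancy cut-off stated in S102

# Constructed records: two flag columns never change, FwdTotLen is exactly
# 40 * TotFwdPkts (fully correlated), one row has a null, one row is all zeros.
SAMPLE_ROWS = [
    {"FlowID": "f1", "Timestamp": "t1", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 10, "FwdTotLen": 400, "FlowBytesPerSec": 1200.0, "ActiveMean": 5.0},
    {"FlowID": "f2", "Timestamp": "t2", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 20, "FwdTotLen": 800, "FlowBytesPerSec": 300.0, "ActiveMean": 50.0},
    {"FlowID": "f3", "Timestamp": "t3", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 5, "FwdTotLen": 200, "FlowBytesPerSec": 2500.0, "ActiveMean": 7.0},
    {"FlowID": "f4", "Timestamp": "t4", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 30, "FwdTotLen": 1200, "FlowBytesPerSec": 900.0, "ActiveMean": 1.0},
    {"FlowID": "f5", "Timestamp": "t5", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 15, "FwdTotLen": 600, "FlowBytesPerSec": 100.0, "ActiveMean": 60.0},
    {"FlowID": "f6", "Timestamp": "t6", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 8, "FwdTotLen": 320, "FlowBytesPerSec": None, "ActiveMean": 3.0},
    {"FlowID": "f7", "Timestamp": "t7", "BwdPSHFlags": 0, "FwdURGFlags": 0, "TotFwdPkts": 0, "FwdTotLen": 0, "FlowBytesPerSec": 0.0, "ActiveMean": 0.0},
]


def numeric_columns(rows):
    """Ordered non-identifier columns; the order decides which of two correlated features survives."""
    return [c for c in rows[0] if c not in ID_FEATURES]


def is_null(v):
    return v is None or (isinstance(v, float) and math.isnan(v))


def drop_null_and_zero_rows(rows):
    """Step 1: discard records with a null field, and records whose numeric fields are all zero
    (assumed reading of 'zero-value data')."""
    cols = numeric_columns(rows)
    kept = []
    for r in rows:
        if any(is_null(r[c]) for c in cols):
            continue
        if all(r[c] == 0 for c in cols):
            continue
        kept.append(r)
    return kept


def drop_constant_features(rows, cols):
    """Step 2: remove features whose value never changes (they carry no information for a classifier)."""
    return [c for c in cols if len({r[c] for r in rows}) > 1]


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either column has no variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def drop_correlated_features(rows, cols, threshold=CORRELATION_THRESHOLD):
    """Step 4: greedy pass; a feature is dropped when |r| with an already kept feature exceeds the threshold."""
    kept = []
    for c in cols:
        col = [r[c] for r in rows]
        if any(abs(pearson(col, [r[k] for r in rows])) > threshold for k in kept):
            continue
        kept.append(c)
    return kept


def select_valid_features(rows):
    """Full S102 pipeline; returns (cleaned rows restricted to the surviving features, feature names)."""
    rows = drop_null_and_zero_rows(rows)
    cols = numeric_columns(rows)          # step 3: identifier columns are excluded here
    cols = drop_constant_features(rows, cols)
    cols = drop_correlated_features(rows, cols)
    return [{c: r[c] for c in cols} for r in rows], cols


if __name__ == "__main__":
    cleaned, features = select_valid_features(SAMPLE_ROWS)
    print(len(cleaned), "rows kept; valid features:", features)
```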
S103, inputting the first data with the effective characteristics into a decision tree model for screening to obtain second data with key characteristics.
The remaining 29 valid features are further filtered with a decision tree approach, as shown in Fig. 2; the tree requires training data in order to divide the data set into subsets and partition the features. First, starting from the root, all data is placed in one node, the root node. Then two judgement steps are carried out, with the following conditions: if the data is an empty set, the loop is exited (if the node is the root node, Null is returned; if it is an intermediate node, it is marked with the class that occurs most often in the training data); if all samples belong to the same class, the loop is exited and the node is marked with that class; if neither condition exits the loop, the node is split. To improve efficiency and accuracy, the optimal attribute division under the current conditions is selected, that is, the best feature is chosen for the split, and the Gini index is used as the criterion during training. The Gini index of a k-class distribution is as shown in the following formula; the larger the Gini index, the larger the uncertainty of the sample.
After this split, new nodes are generated; the judgement conditions are then applied again and new branch nodes are generated continuously until every node has exited the loop, at which point the feature-screening decision tree is obtained. To avoid overfitting, the decision tree is pruned once it has been constructed. A data sample is then classified with the decision tree: starting from the root node, it descends layer by layer according to the feature values of the input sample until a leaf node is reached, and the class of that leaf node is the classification result. Each leaf node of the decision tree represents a class, and each branch reflects a value of the feature represented by its internal node. The features at the internal nodes of the tree are therefore among its most important elements; they are grouped according to importance, giving the second data with 14 key features: source port, destination port, protocol, total forward packets, total backward packets, forward packet length, maximum backward packet length, flow bytes/second, flow IAT mean, flow IAT standard deviation, maximum packet length, ACK flag count, URG flag count and inbound.
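An added Python example, not the patent's code, of the S103 feature screen: a Gini-index decision tree grown with the loop described above, with each feature's importance accumulated as the impurity decrease its splits produce; it handles k classes in general, and the flow records, labels and the depth limit that stands in for pruning are constructed assumptions.

```python
# Added example, not the patent's code: a Gini-index decision tree used as a
# feature screen (S103). Feature importance is the total impurity decrease a
# feature contributes, which gives the ranking used to keep the key features.
# All flow records and labels below are constructed.
from collections import Counter

FEATURES = ["DestinationPort", "Protocol", "FlowBytesPerSec", "ACKFlagCount"]
# Constructed flows: label 0 = BENIGN, 1 = DDoS (any type); values are illustrative only.
ROWS = [
    (80, 6, 1000, 1), (443, 6, 2000, 1), (53, 17, 500, 0), (80, 6, 1500, 1), (443, 6, 3000, 1),
    (389, 17, 900000, 0), (389, 17, 950000, 0), (1434, 17, 800000, 0), (137, 17, 700000, 0),
    (1434, 6, 2000, 1),
]
LABELS = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]


def gini(labels):
    """Gini index of a k-class distribution, 1 - sum(p_k^2): 0 for a pure node, larger means more uncertainty."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows, labels, f):
    """Lowest weighted child Gini over midpoint thresholds of feature f: (weighted_gini, threshold or None)."""
    best = (gini(labels), None)
    values = sorted({r[f] for r in rows})
    for lo, hi in zip(values, values[1:]):
        t = (lo + hi) / 2
        left = [l for r, l in zip(rows, labels) if r[f] <= t]
        right = [l for r, l in zip(rows, labels) if r[f] > t]
        weighted = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
        if weighted < best[0]:
            best = (weighted, t)
    return best


def build_tree(rows, labels, importance, depth=0, max_depth=3):
    """CART growth mirroring the patent's loop: stop on a pure node or at the depth limit
    (stand-in for pruning), otherwise split on the best feature."""
    majority = Counter(labels).most_common(1)[0][0]
    parent = gini(labels)
    if parent == 0.0 or depth >= max_depth:
        return {"leaf": majority}
    # Best feature = smallest weighted child Gini; ties resolve to the earlier feature.
    candidates = [best_split(rows, labels, f) + (f,) for f in range(len(FEATURES))]
    weighted, t, f = min(candidates, key=lambda c: c[0])
    if t is None:
        return {"leaf": majority}
    importance[FEATURES[f]] += len(labels) * (parent - weighted)   # weighted impurity decrease
    left = [(r, l) for r, l in zip(rows, labels) if r[f] <= t]
    right = [(r, l) for r, l in zip(rows, labels) if r[f] > t]
    return {
        "feature": f, "threshold": t,
        "left": build_tree([r for r, _ in left], [l for _, l in left], importance, depth + 1, max_depth),
        "right": build_tree([r for r, _ in right], [l for _, l in right], importance, depth + 1, max_depth),
    }


def predict(tree, row):
    """Walk from the root to a leaf, comparing the sample's feature values with each node's threshold."""
    while "leaf" not in tree:
        tree = tree["left"] if row[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def rank_features(rows=ROWS, labels=LABELS):
    """Train the screening tree; return (tree, [(feature, normalised importance), ...] descending)."""
    importance = {name: 0.0 for name in FEATURES}
    tree = build_tree(rows, labels, importance)
    total = sum(importance.values()) or 1.0
    ranked = sorted(((n, v / total) for n, v in importance.items()), key=lambda kv: -kv[1])
    return tree, ranked


if __name__ == "__main__":
    tree, ranked = rank_features()
    for name, share in ranked:
        print(f"{name:16s} {share:.3f}")
```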
S104, generating a DDoS real-time detection data set according to the second data with the key characteristics and the data set with the DDoS attack type.
In the subsequent training, the key features source port and destination port are filtered: only 10 of the common port numbers are retained, and the values of all remaining port numbers are set to -1. Then, to create a normalized data set, each feature quantity is normalized by subtracting its mean from its value and dividing by its standard deviation. Based on the key features and the data set with the DDoS attack types, a data set for DDoS real-time detection is generated, including at least fourteen feature data and eight tag types. In the DDoS detection process, one mode collects several feature labels at the same time and then detects the classification result (whether a DDoS attack exists or not) and the segmentation result (which type of DDoS attack it belongs to) simultaneously; another way is to use random extraction to create a set of available DDoS real-time detection data based on the 14 important features screened above, as shown in Table 1, where the feature rows and category columns are in one-to-one correspondence, without
TABLE 1
The category without a DDoS attack is represented by category "0" and the category with a DDoS attack by category "1". Further, Fig. 3 shows the data values and tag values of random samples in the established dataset with DDoS attack types; each element of each sample has a one-to-one correspondence with its tag value, and the numerals 1 to 8 represent the BENIGN, LDAP, MSSQL, netBIOS, portmap, syn, UDP and UDPLag types, respectively. It should be noted that in samples with DDoS attacks, the number and type of DDoS attacks occurring simultaneously may differ.
S105, inputting the second data with the key characteristics to the point cloud, enhancing the point cloud characteristics, establishing a detection model, and inputting the DDoS real-time detection data set to the detection model to obtain classification and segmentation results of DDoS attack flow.
The point network deep learning architecture processes point cloud data directly: shared multi-layer perceptrons (MLPs) learn per-point features, and its symmetric architecture lets it process point clouds quickly regardless of point order. DDoS attacks can therefore be detected with a point cloud network. Trained on network traffic, it learns traffic characteristics efficiently, discovers possible attack patterns, learns to distinguish legitimate from malicious traffic, and classifies newly arriving traffic. A point cloud network handles point cloud data more efficiently than other architectures because it uses globally shared feature extraction, can handle a variety of point clouds, and is insensitive to point order. Learning methods of this kind are often limited by the number of points. A standard point cloud network processes 3D points, so its input has three channels in total. The improved point cloud network structure is shown in Fig. 4; it solves the DDoS detection problem with 14-channel point clouds. Its input layer receives a data sample with a plurality of entries, each entry having 14 feature quantities, represented as an n×14 two-dimensional tensor. The global branch and the local branch of the improved point cloud network then convert the low-dimensional features into a high-dimensional space through a feature-dimension enhancement operation, so that the network can learn complex feature representations more easily and classification and segmentation accuracy improve. In the global branch, global features are obtained by mapping the low-dimensional features to a high-dimensional space with a fully connected layer; in the local branch, local features are obtained by mapping the low-dimensional features to a high-dimensional space with a point convolution layer.
The global features obtained by max pooling have 2048 elements in total and are used for the classification problem of detecting whether a DDoS attack is present. In the local branch, the 64-dimensional high-dimensional features obtained by feature transformation are concatenated with the 2048-dimensional global features to obtain a 2062-dimensional feature tensor, from which the segmentation result for the DDoS attack type is obtained after fully connected layer processing. Calculation process of the point convolution: let the input point cloud be $x \in \mathbb{R}^{N \times C}$, where $N$ is the number of points in the point cloud and $C$ is the number of features per point. The output of the point convolution layer is $y \in \mathbb{R}^{N \times D}$, where $D$ is the number of output features. The parameters of the point convolution layer are $w \in \mathbb{R}^{C \times D}$, and the layer computes $y = xw$. Since the dimensionality-reduction mapping converts the high-dimensional point cloud data into a low-dimensional space, fewer parameters are needed in the classification and segmentation network to extract the global features of the point cloud, which improves the generalization capability of the network. The output layer of the network concatenates the outputs of the global and local branches and maps them to the output space with a fully connected layer. The output layer uses a softmax activation function for the classification task and a sigmoid activation function for the segmentation task; the sigmoid function produces a number between 0 and 1 that indicates the likelihood that the sample belongs to a particular class.
Specifically, in the classification method, the set of all point cloud data input in one frame is expressed as an n×14 two-dimensional tensor, where n is the number of points and the 14 channels take the place of the x, y and z coordinates of a standard point cloud. The input data is aligned by multiplying it with a transformation matrix learned by a T-Net, which makes the model invariant to specific spatial transformations. Features are extracted from the data of each point through several MLP convolutions with shared weights, and the features are then aligned with a T-Net. A max pooling operation over each dimension of the feature yields the final global feature. For the classification task, the final classification score is predicted from the global feature by an MLP (multi-layer perceptron); for the segmentation task, the global feature is concatenated with the local features of each point learned earlier, and the classification result for each data point is obtained through an MLP. The global features extracted by the improved point cloud network complete the classification task well.
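An added Python example, not the patent's implementation, of the two-branch point cloud network of S105 with untrained random weights and scaled-down dimensions (8 and 16 stand in for 64 and 2048; the T-Net alignment is omitted): it shows the point convolution y = xw shared across all points, the max-pooling global feature that is invariant to point order, and the concatenation of global and local features feeding the per-point segmentation head.

```python
# Added example, not the patent's code: a pure-Python skeleton of the two-branch
# point-cloud detector from S105 with randomly initialised (untrained) weights.
# Dimensions are scaled down from 64/2048 so the arithmetic stays readable.
import math
import random

IN_FEATURES = 14   # the 14 key features of one flow entry (one point each)
LOCAL_DIM = 8      # stands in for the 64-dim local features
GLOBAL_DIM = 16    # stands in for the 2048-dim global features
N_CLASSES = 2      # classification head: no DDoS / DDoS (softmax)
N_TYPES = 8        # segmentation head: BENIGN + 7 attack types (sigmoid)


def init_weights(rows, cols, seed):
    """Deterministic pseudo-random weight matrix (constructed; no training is performed)."""
    rng = random.Random(seed)
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def point_conv(x, w):
    """Point convolution: the same C x D weight matrix is applied to every point, y = xw (N x D)."""
    return [[sum(xi[c] * w[c][d] for c in range(len(w))) for d in range(len(w[0]))] for xi in x]


def relu(m):
    return [[max(0.0, v) for v in row] for row in m]


def max_pool(m):
    """Symmetric aggregation: element-wise max over points, so the result does not depend on point order."""
    return [max(col) for col in zip(*m)]


def softmax(v):
    mx = max(v)
    e = [math.exp(a - mx) for a in v]
    s = sum(e)
    return [a / s for a in e]


def sigmoid(v):
    return [1.0 / (1.0 + math.exp(-a)) for a in v]


W_LOCAL = init_weights(IN_FEATURES, LOCAL_DIM, 1)           # local branch point convolution
W_GLOBAL = init_weights(LOCAL_DIM, GLOBAL_DIM, 2)            # lifts features before pooling (global branch)
W_CLS = init_weights(GLOBAL_DIM, N_CLASSES, 3)               # classification head on the global feature
W_SEG = init_weights(GLOBAL_DIM + LOCAL_DIM, N_TYPES, 4)     # segmentation head on global + local features


def forward(points):
    """points: N x 14 list. Returns (class probabilities, per-point type likelihoods, global feature)."""
    local = relu(point_conv(points, W_LOCAL))                 # N x LOCAL_DIM, one vector per point
    lifted = relu(point_conv(local, W_GLOBAL))                # N x GLOBAL_DIM
    global_feat = max_pool(lifted)                            # GLOBAL_DIM, order-invariant
    cls = softmax(point_conv([global_feat], W_CLS)[0])        # whole-frame decision: DDoS or not
    fused = [global_feat + loc for loc in local]              # N x (GLOBAL_DIM + LOCAL_DIM)
    seg = [sigmoid(row) for row in point_conv(fused, W_SEG)]  # per-point likelihood of each type
    return cls, seg, global_feat


def constructed_frame(n=5, seed=7):
    """Constructed frame of n flow entries with 14 normalised features each (not real traffic)."""
    rng = random.Random(seed)
    return [[rng.uniform(-1.0, 1.0) for _ in range(IN_FEATURES)] for _ in range(n)]


def order_invariance_check(points):
    """Reverse the point order: the global feature and class output must be unchanged,
    and the per-point segmentation outputs must simply appear in reversed order."""
    cls_a, seg_a, g_a = forward(points)
    cls_b, seg_b, g_b = forward(list(reversed(points)))
    same_global = all(abs(a - b) < 1e-12 for a, b in zip(g_a, g_b))
    same_cls = all(abs(a - b) < 1e-12 for a, b in zip(cls_a, cls_b))
    seg_permuted = all(abs(a - b) < 1e-12 for ra, rb in zip(seg_a, reversed(seg_b)) for a, b in zip(ra, rb))
    return same_global and same_cls and seg_permuted


if __name__ == "__main__":
    frame = constructed_frame()
    cls, seg, _ = forward(frame)
    print("P(no DDoS), P(DDoS):", [round(p, 3) for p in cls])
    print("order invariant:", order_invariance_check(frame))
```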
The application discloses a point cloud characteristic enhanced blockchain DDoS attack classification and segmentation method, and belongs to the technical field of network security. The method comprises the following steps: based on the CIC-DDoS2019 data set, acquiring data of a plurality of DDoS attack types, and establishing a data set with the DDoS attack types; preprocessing data except for data of a plurality of DDoS attack types in the CIC-DDoS2019 data set to obtain first data with effective characteristics; inputting the first data with the effective characteristics into a decision tree model for screening to obtain second data with key characteristics; generating a DDoS real-time detection dataset based on the second data with key features and the dataset with DDoS attack type; inputting second data with key characteristics to the point cloud, enhancing the characteristics of the point cloud, and establishing a detection model; and inputting the DDoS real-time detection data set into a detection model to obtain classification and segmentation results of DDoS attack flow. Therefore, the embodiment of the application can classify and divide DDoS attack in a multi-dimensional, accurate and effective way in a distributed network environment, and is beneficial to maintaining the stability and safety of a blockchain system.
Based on the same technical concept, corresponding to the method of the present application, the embodiment of the present application further provides a computer readable storage medium, where at least one instruction, at least one section of program, a code set or an instruction set is stored in the storage medium, where the at least one instruction, the at least one section of program, the code set or the instruction set is loaded and executed by a processor to implement the above-mentioned method for classifying and partitioning a blockchain DDoS attack with enhanced point cloud characteristics.
Based on the same technical conception, the embodiment of the application also provides computer equipment, which can generate relatively large difference due to different configurations or performances and comprises one or more processors and a memory, wherein the memory can be short-term storage or permanent storage. The memory may store at least one instruction, at least one program, a set of codes, or a set of instructions that are loaded and executed by the processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method described above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or nonvolatile memory such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.
Claims (10)
1. The method for classifying and segmenting the DDoS attack of the block chain with the enhanced point cloud characteristics is characterized by comprising the following steps:
based on the CIC-DDoS2019 data set, acquiring data of a plurality of DDoS attack types, and establishing a data set with the DDoS attack types;
preprocessing data except the data of the plurality of DDoS attack types in the CIC-DDoS2019 data set to obtain first data with effective characteristics;
inputting the first data with the effective characteristics into a decision tree model for screening to obtain second data with key characteristics;
generating a DDoS real-time detection data set according to the second data with the key characteristics and the data set with the DDoS attack type;
inputting the second data with the key characteristics to the point cloud, enhancing the point cloud characteristics, establishing a detection model, inputting the DDoS real-time detection data set to the detection model, and obtaining classification and segmentation results of DDoS attack flow.
2. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the data set with DDoS attack types comprises a subset with DDoS attack types and a subset without DDoS attack types, and wherein the subset with DDoS attack types and the subset without DDoS attack types each account for half of the data in the data set with DDoS attack types.
3. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 2, wherein the subset with DDoS attack types includes at least seven types, and the subset without DDoS attack types includes at least one type.
4. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the preprocessing of data other than the plurality of DDoS attack types in the CIC-DDoS2019 dataset comprises: deleting the data containing null values and zero values and unchanged features to obtain first features; based on the first feature, removing useless features to obtain a second feature; based on the second features, counting the correlation among the features, deleting the residual features with high correlation, and obtaining the first data with the effective features.
5. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the process of inputting the first data with the effective features into the decision tree model for screening comprises: the decision tree model is trained on the first data with the effective features, and the first data is grouped according to the importance of the training result to obtain the second data with the key features.
6. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 5, wherein each feature data of the second data with key features is normalized.
7. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the DDoS real-time detection dataset comprises at least fourteen feature data and eight tag types.
8. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the detection model detects classification and segmentation of DDoS attack traffic simultaneously.
9. A computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set loaded and executed by a processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any of claims 1 to 7.
10. A computer device comprising a processor and a memory having stored therein at least one instruction, at least one program, code set, or instruction set that is loaded and executed by the processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any of claims 1-7.
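The data-preparation steps of claims 2, 4, 5 and 6 (dropping null rows and all-zero or unchanging features, removing identifier-like columns, pruning highly correlated features, ranking features by decision-tree importance, normalizing, and balancing attack against non-attack rows) are shown below as an added example in pure Python. This is not the patent's own implementation: the flow records are constructed and hypothetical, the `USELESS` column list is an assumption, and a one-level decision stump's Gini impurity decrease stands in for the full decision tree of claim 5. The point cloud detection model of claim 1 is not included.

```python
"""Feature screening for a DDoS detection set, after claims 2, 4, 5 and 6.
Added example; not the patent's own code."""
import math
from collections import Counter

LABEL = "label"
# Constructed, hypothetical flow records standing in for CIC-DDoS2019 rows.
# Field names and values are invented for illustration only.
SAMPLE_ROWS = [
    {"flow_id": 1, "duration": 10.0, "fwd_pkts": 2,   "fwd_bytes": 200,   "bwd_pkts": 2, "proto": 17, "zero_col": 0, LABEL: "BENIGN"},
    {"flow_id": 2, "duration": 12.0, "fwd_pkts": 3,   "fwd_bytes": 300,   "bwd_pkts": 3, "proto": 17, "zero_col": 0, LABEL: "BENIGN"},
    {"flow_id": 3, "duration": 9.0,  "fwd_pkts": 2,   "fwd_bytes": 210,   "bwd_pkts": 1, "proto": 17, "zero_col": 0, LABEL: "BENIGN"},
    {"flow_id": 4, "duration": 0.5,  "fwd_pkts": 400, "fwd_bytes": 40000, "bwd_pkts": 0, "proto": 17, "zero_col": 0, LABEL: "DNS"},
    {"flow_id": 5, "duration": 25.0, "fwd_pkts": 450, "fwd_bytes": 45000, "bwd_pkts": 1, "proto": 17, "zero_col": 0, LABEL: "LDAP"},
    {"flow_id": 6, "duration": 0.6,  "fwd_pkts": 380, "fwd_bytes": 38000, "bwd_pkts": 0, "proto": 17, "zero_col": 0, LABEL: "NTP"},
    {"flow_id": 7, "duration": None, "fwd_pkts": 5,   "fwd_bytes": 500,   "bwd_pkts": 4, "proto": 17, "zero_col": 0, LABEL: "BENIGN"},
    {"flow_id": 8, "duration": 30.0, "fwd_pkts": 500, "fwd_bytes": 50000, "bwd_pkts": 0, "proto": 17, "zero_col": 0, LABEL: "SYN"},
]
# Hypothetical identifier-like columns treated as the "useless features" of claim 4.
USELESS = {"flow_id"}


def features_of(rows):
    return [f for f in rows[0] if f != LABEL]


def project(rows, keep):
    """Keep only the listed features plus the label."""
    return [{f: r[f] for f in list(keep) + [LABEL]} for r in rows]


def drop_invalid(rows):
    """Claim 4, first step (our reading): drop rows holding a null value,
    then drop features that are all zero or never change."""
    clean = [r for r in rows if all(v is not None for v in r.values())]
    keep = [f for f in features_of(clean)
            if any(r[f] != 0 for r in clean) and len({r[f] for r in clean}) > 1]
    return project(clean, keep)


def drop_useless(rows, useless=USELESS):
    """Claim 4, second step: remove identifier-like columns that carry no signal."""
    return project(rows, [f for f in features_of(rows) if f not in useless])


def pearson(xs, ys):
    """Pearson correlation of two equal-length numeric sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def drop_correlated(rows, threshold=0.9):
    """Claim 4, third step: of each highly correlated pair keep only the first feature."""
    feats, dropped = features_of(rows), set()
    for i, a in enumerate(feats):
        for b in feats[i + 1:]:
            if a in dropped or b in dropped:
                continue
            if abs(pearson([r[a] for r in rows], [r[b] for r in rows])) > threshold:
                dropped.add(b)
    return project(rows, [f for f in feats if f not in dropped])


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def stump_importance(rows):
    """Claim 5, simplified: score each feature by the largest Gini impurity
    decrease a single threshold split (a one-level decision tree) achieves."""
    base, scores = gini([r[LABEL] for r in rows]), {}
    for f in features_of(rows):
        values, best = sorted({r[f] for r in rows}), 0.0
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [r[LABEL] for r in rows if r[f] <= t]
            right = [r[LABEL] for r in rows if r[f] > t]
            weighted = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            best = max(best, base - weighted)
        scores[f] = best
    return scores


def select_key_features(rows, top_k):
    scores = stump_importance(rows)
    return project(rows, sorted(scores, key=scores.get, reverse=True)[:top_k])


def minmax_normalize(rows):
    """Claim 6: scale every remaining feature into [0, 1]."""
    feats = features_of(rows)
    lo = {f: min(r[f] for r in rows) for f in feats}
    hi = {f: max(r[f] for r in rows) for f in feats}
    return [{**{f: (r[f] - lo[f]) / (hi[f] - lo[f]) if hi[f] != lo[f] else 0.0
               for f in feats}, LABEL: r[LABEL]} for r in rows]


def balance(rows, benign="BENIGN"):
    """Claim 2: attack rows and non-attack rows each make up half of the set."""
    attack = [r for r in rows if r[LABEL] != benign]
    normal = [r for r in rows if r[LABEL] == benign]
    n = min(len(attack), len(normal))
    return attack[:n] + normal[:n]


def build_detection_set(rows, top_k=2, corr_threshold=0.9):
    rows = drop_correlated(drop_useless(drop_invalid(rows)), corr_threshold)
    return balance(minmax_normalize(select_key_features(rows, top_k)))


if __name__ == "__main__":
    for row in build_detection_set(SAMPLE_ROWS):
        print(row)
```

On the constructed rows the pipeline discards the row with a null `duration`, the constant `proto` and all-zero `zero_col` columns, the `flow_id` identifier, and `fwd_bytes` (almost perfectly correlated with `fwd_pkts`); the stump ranking then keeps `fwd_pkts` and `bwd_pkts`, and the balanced output holds three attack and three benign rows. Undersampling, as done here, is the simplest way to reach the 50/50 split of claim 2; with a real CIC-DDoS2019 extract, where attack flows vastly outnumber benign ones, the choice of which attack rows to keep should be stratified across attack types.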
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310510837.XA CN116614265A (en) | 2023-05-08 | 2023-05-08 | Point cloud characteristic enhanced block chain DDoS attack classification and segmentation method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116614265A true CN116614265A (en) | 2023-08-18 |
Family
ID=87682809
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310510837.XA Pending CN116614265A (en) | 2023-05-08 | 2023-05-08 | Point cloud characteristic enhanced block chain DDoS attack classification and segmentation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116614265A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||