CN116614265A - Point cloud characteristic enhanced block chain DDoS attack classification and segmentation method - Google Patents

Point cloud characteristic enhanced block chain DDoS attack classification and segmentation method

Info

Publication number: CN116614265A
Authority: CN (China)
Prior art keywords: data, ddos attack, point cloud, ddos, classification
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310510837.XA
Other languages: Chinese (zh)
Inventors: 程杰仁, 李修来, 唐湘滟
Current assignee: Hainan University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Hainan University
Application filed by Hainan University; priority to CN202310510837.XA; publication of CN116614265A; legal status: pending.

Classifications

    • H04L63/1458 Denial of Service (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1441 Countermeasures against malicious traffic)
    • H04L9/40 Network security protocols (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (under Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses a point cloud characteristic enhanced block chain DDoS attack classification and segmentation method, belonging to the technical field of network security. The method comprises the following steps: based on the CIC-DDoS2019 data set, acquiring data of a plurality of DDoS attack types, and establishing a data set with the DDoS attack types; preprocessing data except for data of a plurality of DDoS attack types in the CIC-DDoS2019 data set to obtain first data with effective characteristics; inputting the first data with the effective characteristics into a decision tree model for screening to obtain second data with key characteristics; generating a DDoS real-time detection dataset based on the second data with key features and the dataset with DDoS attack type; inputting second data with key characteristics to the point cloud, enhancing the characteristics of the point cloud, and establishing a detection model; and inputting the DDoS real-time detection data set into a detection model to obtain classification and segmentation results of DDoS attack flow. Therefore, the embodiment of the application can effectively classify and divide DDoS attacks in a distributed network environment.

Description

A point cloud feature enhanced blockchain DDoS attack classification and segmentation method

Technical field

The present application relates to the technical field of network security, and in particular to a point cloud feature enhanced blockchain DDoS attack classification and segmentation method.

Background art

A mesh topology is used to build the peer-to-peer (P2P) network structure that makes up a blockchain. In a blockchain network, each node can act as both a client and a server. Because every node in the blockchain network can send and receive data, traffic is not concentrated as it is in a client/server network but is distributed over all network nodes. Because of the distributed network architecture adopted by blockchain systems, there are many connection points, which may make some network nodes more vulnerable to attack. In addition, because a blockchain system provides a public database, an attacker can quickly obtain all data related to the system in order to attack it more successfully.

DDoS attacks are among the most significant risks to blockchain security. A DDoS attack is a network attack in which the attacker attempts to flood a network or server with traffic from many sources in order to disrupt service. DDoS attacks in a blockchain ecosystem have different characteristics from those in a typical network environment. Compared with DDoS attacks in a traditional network environment, an attacker can use a large number of compromised nodes to launch the attack, flooding the inbound connections of the target node and ultimately paralysing the network. Furthermore, attackers may use network congestion as a means of interfering with normal network operation and reducing node availability and reliability.

In recent years, artificial intelligence algorithms have become one of the viable options for identifying DDoS attacks. The framework proposed in prior work is characterised by high accuracy in detecting emerging DDoS attacks and by its lightweight algorithm. It uses machine learning algorithms and Bloom filters to detect DDoS attacks, but does not perform the multi-class classification that security professionals need in order to determine the type of DDoS attack. DDoS attacks in a blockchain ecosystem frequently exhibit concurrency, where several different attack types may occur at the same time. Current DDoS attack detection techniques cannot correctly detect the different forms of attack, including LDAP, MSSQL, NetBIOS, Portmap, Syn, UDP and UDPLag. In the blockchain scenario, normal nodes and nodes under DDoS attack exist in the same network, and both can communicate with other nodes. Because a node under DDoS attack cannot work normally and cannot process transaction requests from other nodes in time, the efficiency of the whole network drops and the stability of the blockchain is affected.

Summary of the invention

In order to solve the existing technical problems, embodiments of the present application provide a point cloud feature enhanced blockchain DDoS attack classification and segmentation method. The technical scheme is as follows:

In a first aspect, a point cloud feature enhanced blockchain DDoS attack classification and segmentation method is provided, characterised in that the method comprises:

based on the CIC-DDoS2019 dataset, acquiring data of multiple DDoS attack types and establishing a dataset with DDoS attack types;

preprocessing the data in the CIC-DDoS2019 dataset other than the data of the multiple DDoS attack types to obtain first data with valid features;

inputting the first data with valid features into a decision tree model for screening to obtain second data with key features;

generating a DDoS real-time detection dataset from the second data with key features and the dataset with DDoS attack types;

inputting the second data with key features into a point cloud, enhancing the point cloud features, establishing a detection model, and inputting the DDoS real-time detection dataset into the detection model to obtain classification and segmentation results for DDoS attack traffic.

Further, the dataset with DDoS attack types comprises a subset with DDoS attack types and a subset without DDoS attack types, and each of these two subsets accounts for half of the dataset with DDoS attack types.

Further, the subset with DDoS attack types comprises at least seven types, and the subset without DDoS attack types comprises at least one type.

Further, the process of preprocessing the data in the CIC-DDoS2019 dataset other than the data of the multiple DDoS attack types comprises: deleting data containing null and zero values together with invariant features to obtain first features; on the basis of the first features, excluding useless features to obtain second features; and on the basis of the second features, computing the correlation between the features and deleting the remaining highly correlated features to obtain the first data with valid features.

Further, the process of inputting the first data with valid features into the decision tree model for screening comprises: the decision tree model is trained on the first data with valid features, and the features are grouped according to their importance in the training result to obtain the second data with key features.

Further, each feature of the second data with key features is standardised.

Further, the DDoS real-time detection dataset comprises at least fourteen kinds of feature data and eight label types.

Further, the detection model detects the classification and the segmentation of DDoS attack traffic simultaneously.

In a second aspect, a computer-readable storage medium is provided, characterised in that at least one instruction, at least one program, a code set or an instruction set is stored in the storage medium, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by a processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any one of claims 1 to 7.

In a third aspect, a computer device is provided, characterised in that the computer device comprises a processor and a memory, at least one instruction, at least one program, a code set or an instruction set is stored in the memory, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any one of claims 1 to 7.

The beneficial effect of the technical scheme provided by the embodiments of the present application is that, through a point cloud feature enhanced blockchain DDoS attack classification and segmentation method, a series of typical and abnormal patterns are investigated with deep learning on the basis of the CIC-DDoS2019 dataset. The data are processed and screened with statistical techniques, and the features are screened with a decision tree method. The improved point cloud is then used to classify whether a DDoS attack is present and which type of DDoS attack it is. This provides a multi-dimensional, accurate and effective DDoS attack classification and segmentation method for the blockchain environment, which helps to maintain the stability and security of the blockchain system.

Description of the drawings

In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

Figure 1 is a schematic flow diagram of a point cloud feature enhanced blockchain DDoS attack classification and segmentation method provided by an embodiment of the present application;

Figure 2 is a schematic diagram of the decision-tree-based feature screening process provided by an embodiment of the present application;

Figure 3 is a schematic diagram of the data values and label values of random samples in the dataset provided by an embodiment of the present application;

Figure 4 is a schematic diagram of the improved point cloud network structure provided by an embodiment of the present application.

Detailed description

To make the purpose, technical solution and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the drawings.

It should be understood that the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.

Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.

In the description of the present application, it should be understood that the terms "first", "second", "third" and so on are used only to distinguish similar objects and not necessarily to describe a particular order or sequence, nor should they be understood as indicating or implying relative importance. A person of ordinary skill in the art can understand the specific meaning of these terms in the present application according to the specific circumstances. In addition, in the description of the present application, unless otherwise stated, "a plurality of" means two or more.

As shown in Figure 1, an embodiment of the present application provides a point cloud feature enhanced blockchain DDoS attack classification and segmentation method comprising the following steps:

S101. Based on the CIC-DDoS2019 dataset, acquire data of multiple DDoS attack types and establish a dataset with DDoS attack types.

In the blockchain scenario, normal nodes and nodes under DDoS attack exist in the same network, and both communicate with other nodes. However, because a node under DDoS attack cannot work normally and cannot process transaction requests from other nodes in time, the efficiency of the whole network drops and the stability of the blockchain is affected. The CIC-DDoS2019 dataset is a collection of datasets for detecting DDoS attacks; because of its high diversity it represents real-world conditions more accurately, so a model developed on CIC-DDoS2019 is better suited to recognising a variety of DDoS attacks. First, a subset of DDoS attack entries is randomly selected from the CIC-DDoS2019 dataset to establish a dataset with DDoS attack types, in which entries with and without a DDoS attack each make up 50%: the entries without a DDoS attack comprise 10,500 records labelled BENIGN, and the entries with a DDoS attack comprise 1,500 records for each of the following labels: LDAP, MSSQL, NetBIOS, Portmap, Syn, UDP and UDPLag.

S102. Preprocess the data in the CIC-DDoS2019 dataset other than the data of the multiple DDoS attack types to obtain first data with valid features.

The 87 feature quantities in the CIC-DDoS2019 dataset other than the DDoS attack type data are preprocessed and each record is validated. First, data with zero and null values are deleted; second, the 12 features that never change, such as BwdPSHFlags, FwdURGFlags and PSHFlagCount, are deleted to obtain the first features; next, on the basis of the first features, the features without the usual statistical relevance, i.e. the 6 feature quantities that are useless for model training (FlowID, SourceIP, DestinationIP, Timestamp, SimilarHTTP and Unnamed:0), are removed to obtain the second features; then, on the basis of the second features, the correlation between the feature quantities is computed and the 30 redundant, highly correlated feature quantities with a correlation greater than 0.9, including the total length of Bwd packets and FwdIAT, are deleted. After features such as FwdPSHFlags, SynFlagCount and CWEFlagCount have been removed, only 29 feature quantities are retained as valid features, including ActiveMean, ActiveStd, ActiveMax, ActiveMin and IdleStd, plus additional zero values.
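The three screening stages of S102 (drop incomplete records and invariant features, drop identifier-like columns, drop one of each pair of features with |r| > 0.9), as an added illustration that is not the patent's code. The flow records, column names other than the six the page lists as useless, and the reading of "zero and null values" as null records plus all-zero or constant columns are constructed assumptions for the demo.

```python
import math

# Identifier-like columns the page names as useless for model training.
USELESS_COLUMNS = {"FlowID", "SourceIP", "DestinationIP", "Timestamp",
                   "SimilarHTTP", "Unnamed:0"}
CORR_THRESHOLD = 0.9   # the page drops features whose correlation exceeds 0.9
LABEL = "Label"


def _flow(fid, fwd, bwd, bwd_len, duration, label):
    """One constructed flow record (not CIC-DDoS2019 data) with identifier columns filled in."""
    return {"FlowID": fid, "SourceIP": "10.0.0.5", "DestinationIP": "10.0.0.9",
            "Timestamp": "t" + fid, "SimilarHTTP": 0, "Unnamed:0": 0, "BwdPSHFlags": 0,
            "TotFwdPkts": fwd, "TotBwdPkts": bwd, "TotLenBwdPkts": bwd_len,
            "FlowDuration": duration, LABEL: label}


# TotLenBwdPkts is deliberately an almost linear function of TotBwdPkts so that the
# correlation filter has a redundant feature to remove; BwdPSHFlags never changes.
SAMPLE_FLOWS = [
    _flow("1", 4, 3, 300, 120, "BENIGN"),
    _flow("2", 2, 7, 690, 35, "Syn"),
    _flow("3", 9, 1, 110, 400, "BENIGN"),
    _flow("4", 5, 12, 1200, 60, "UDP"),
    _flow("5", 1, 5, 520, 250, "LDAP"),
    _flow("6", 3, 2, 210, None, "BENIGN"),   # null value: this record is dropped
]


def drop_incomplete_records(rows):
    """Discard records that contain a null (None) value in any column."""
    return [r for r in rows if all(v is not None for v in r.values())]


def drop_invariant_features(rows):
    """First features: every non-label column whose value actually varies across records
    (all-zero columns and other constant columns such as BwdPSHFlags are dropped)."""
    return [c for c in rows[0] if c != LABEL and len({r[c] for r in rows}) > 1]


def drop_useless_features(cols):
    """Second features: remove the identifier-like columns that carry no statistical signal."""
    return [c for c in cols if c not in USELESS_COLUMNS]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long numeric sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def drop_correlated_features(rows, cols, threshold=CORR_THRESHOLD):
    """Valid features: walk the columns in order and keep a column only if its |r| with every
    already-kept column is at most the threshold, so the later of a redundant pair is dropped."""
    kept = []
    for c in cols:
        column = [r[c] for r in rows]
        if all(abs(pearson(column, [r[k] for r in rows])) <= threshold for k in kept):
            kept.append(c)
    return kept


def preprocess(rows):
    """Run the three stages and project the surviving records onto the valid features."""
    rows = drop_incomplete_records(rows)
    cols = drop_useless_features(drop_invariant_features(rows))
    cols = drop_correlated_features(rows, cols)
    return [{c: r[c] for c in cols + [LABEL]} for r in rows], cols


if __name__ == "__main__":
    records, valid = preprocess(SAMPLE_FLOWS)
    print(len(records), "records kept; valid features:", valid)
```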

S103. Input the first data with valid features into a decision tree model for screening to obtain second data with key features.

As shown in Figure 2, the remaining 29 valid features are screened further with a decision tree method. In order to divide the dataset into subsets and partition the features, the decision tree needs training data. First, starting from the initial position, all data are assigned to a single node, the root node. Two judgement steps are then applied, with the following conditions: if the data are an empty set, exit the loop; if the node is the root node, return Null; if the node is an intermediate node, label the node with the class that is most frequent in the training data; if the samples all belong to the same class, exit the loop and label the node with that class; if neither judgement condition exits the loop, consider splitting the node. To improve efficiency and accuracy, the optimal attribute split under the current conditions is chosen, i.e. the best feature is selected for splitting, and the Gini index is used as the training criterion. The Gini index of a k-class distribution is given by the following formula; the larger the Gini index, the greater the uncertainty of the sample.

After the split described above, new nodes are generated, the judgement conditions are applied in a loop and new branch nodes are generated continually until every node has exited the loop, which yields the feature-screening decision tree. To avoid overfitting, the decision tree is pruned as soon as it has been built. Input data samples are classified with the decision tree: starting from the root node, it proceeds to a leaf node by searching each level according to the feature values of the input sample, and the classification result of the input sample is the class corresponding to that leaf node. Each leaf node of the decision tree represents a class, and each branch reflects a value of the feature represented by its internal node. Clearly, the internal nodes of the tree structure are among its most important elements; the features are grouped according to importance, which gives 14 features: source port, destination port, protocol, total forward packets, total backward packets, forward packet length, maximum backward packet length, flow bytes/s, flow IAT mean, flow IAT standard deviation, maximum packet length, ACK flag count, URG flag count and inbound. These form the second data with key features.
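A compact version of the S103 screening, added here and not taken from the patent: a CART tree grown with the Gini index and the features ranked by the impurity decrease each one contributes (the page does not say how importance is measured, so that measure is an assumption). The training flows, the four feature names and the thresholds are constructed for the demo; pruning is omitted.

```python
from collections import Counter

# Constructed training records (not CIC-DDoS2019 data): a few of the page's key
# features per flow, labelled with the page's class names.
FEATURES = ["Protocol", "DestinationPort", "FlowBytesPerSec", "ACKFlagCount"]
TRAIN_X = [
    {"Protocol": 6,  "DestinationPort": 443, "FlowBytesPerSec": 1200,   "ACKFlagCount": 1},
    {"Protocol": 6,  "DestinationPort": 80,  "FlowBytesPerSec": 800,    "ACKFlagCount": 1},
    {"Protocol": 6,  "DestinationPort": 443, "FlowBytesPerSec": 1500,   "ACKFlagCount": 1},
    {"Protocol": 6,  "DestinationPort": 80,  "FlowBytesPerSec": 1300,   "ACKFlagCount": 0},
    {"Protocol": 6,  "DestinationPort": 443, "FlowBytesPerSec": 120000, "ACKFlagCount": 0},
    {"Protocol": 17, "DestinationPort": 53,  "FlowBytesPerSec": 200000, "ACKFlagCount": 0},
    {"Protocol": 17, "DestinationPort": 389, "FlowBytesPerSec": 100000, "ACKFlagCount": 0},
]
TRAIN_Y = ["BENIGN", "BENIGN", "BENIGN", "Syn", "Syn", "UDP", "UDP"]


def gini(labels):
    """Gini index of a k-class distribution: 1 - sum_k p_k^2 (0 = pure, larger = more uncertain)."""
    n = len(labels)
    return 1.0 - sum((count / n) ** 2 for count in Counter(labels).values())


def best_split(X, y, feature):
    """Best threshold on one feature: the largest decrease from the parent's Gini index to the
    sample-weighted Gini index of the two children.  Returns (gain, threshold)."""
    n, parent = len(y), gini(y)
    values = sorted({row[feature] for row in X})
    best_gain, best_t = 0.0, None
    for lo, hi in zip(values, values[1:]):
        t = (lo + hi) / 2
        left = [lab for row, lab in zip(X, y) if row[feature] <= t]
        right = [lab for row, lab in zip(X, y) if row[feature] > t]
        gain = parent - len(left) / n * gini(left) - len(right) / n * gini(right)
        if gain > best_gain:
            best_gain, best_t = gain, t
    return best_gain, best_t


def grow_tree(X, y, features, importance, total):
    """Recursive CART.  A pure node (or one no split improves) becomes a majority-class leaf;
    otherwise the best feature splits it and its gain, weighted by the share of all samples
    reaching this node, is credited to importance[feature]."""
    majority = Counter(y).most_common(1)[0][0]
    if len(set(y)) == 1:
        return majority
    (gain, t), f = max(((best_split(X, y, f), f) for f in features), key=lambda s: s[0][0])
    if gain <= 0.0:
        return majority
    importance[f] += gain * len(y) / total
    left = [(row, lab) for row, lab in zip(X, y) if row[f] <= t]
    right = [(row, lab) for row, lab in zip(X, y) if row[f] > t]
    return (f, t,
            grow_tree([r for r, _ in left], [lab for _, lab in left], features, importance, total),
            grow_tree([r for r, _ in right], [lab for _, lab in right], features, importance, total))


def predict(tree, row):
    """Walk from the root to a leaf, comparing the row's feature value with each node's threshold."""
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if row[f] <= t else right
    return tree


def select_key_features(X, y, features, k):
    """Train the tree, rank the features by accumulated impurity decrease and keep the top k."""
    importance = {f: 0.0 for f in features}
    tree = grow_tree(X, y, features, importance, len(y))
    ranked = sorted(features, key=lambda f: importance[f], reverse=True)
    return tree, importance, ranked[:k]


if __name__ == "__main__":
    tree, importance, key = select_key_features(TRAIN_X, TRAIN_Y, FEATURES, 2)
    for f in FEATURES:
        print(f"{f:16s} importance={importance[f]:.3f}")
    print("key features:", key)
```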

S104. Generate a DDoS real-time detection dataset from the second data with key features and the dataset with DDoS attack types.

In the subsequent training, the data are filtered on the key features source port and destination port: only 10 of the commonly used port numbers are kept, and the value of every other port number is set to -1. Then, to create a standardised dataset, each feature quantity is normalised by subtracting its mean and dividing by its standard deviation. From the key features and the dataset with DDoS attack types, a dataset for real-time DDoS detection is generated that comprises at least fourteen kinds of feature data and eight label types. During DDoS detection, one approach collects several feature labels at the same time and then simultaneously obtains the results of classification (whether or not a DDoS attack is present) and segmentation (which type of DDoS attack it is); another approach uses random extraction over the 14 important features screened above to create the dataset usable for real-time DDoS detection. As shown in Table 1, feature rows and class columns correspond one-to-one; the class without a DDoS attack is denoted by class "0" and the class with a DDoS attack by class "1".

Table 1

Further, Figure 3 shows the data values and label values of random samples from the established dataset with DDoS attack types; every element of every sample has a one-to-one correspondence with its label value, and the numbers 1 to 8 represent the BENIGN, LDAP, MSSQL, NetBIOS, Portmap, Syn, UDP and UDPLag types respectively. Note that in samples with a DDoS attack the number and the types of DDoS attacks occurring simultaneously may differ.

S105. Input the second data with key features into a point cloud, enhance the point cloud features, establish a detection model, and input the DDoS real-time detection dataset into the detection model to obtain the classification and segmentation results for DDoS attack traffic.

The PointNet deep learning architecture is used to process point cloud data; it uses multi-layer perceptrons (MLP) to learn point cloud features and has a symmetric architecture for processing point clouds quickly. DDoS attacks can therefore be detected with a point cloud. To discover possible attack patterns and learn network traffic features effectively, the point cloud can analyse network traffic to detect DDoS attacks. It can be trained to distinguish legitimate from malicious traffic and can classify new incoming traffic. The point cloud processes point cloud data more efficiently than other approaches because it uses globally shared feature extraction, can handle many kinds of point clouds and is insensitive to order. However, the number of point clouds often limits learning methods. In this part the point cloud is first enhanced: the standard point cloud used to process 3D point clouds has three channels. The improved point cloud network structure is shown in Figure 4; a 14-channel point cloud is used to solve the DDoS detection problem. The improved point cloud receives in its input layer a data sample with multiple entries, each entry having 14 feature quantities, represented as an n×14 two-dimensional tensor. The global branch and the local branch of the improved point cloud then convert low-dimensional features into a high-dimensional space through feature dimension enhancement operations, which makes it easier for the network to learn complex feature representations and improves classification and segmentation accuracy. In the global branch, global features are obtained by mapping low-dimensional features into a high-dimensional space with fully connected layers. In the local branch, local features are obtained by mapping low-dimensional features into a high-dimensional space with point convolution layers. The global feature obtained by max pooling has 2048 elements and is used for the classification problem of detecting whether a DDoS attack is present. In the local branch, the 64-dimensional high-dimensional feature obtained by feature transformation is concatenated with the 2048-dimensional global feature to give a 2062-dimensional feature tensor. The segmentation result for the DDoS attack type can therefore be obtained after processing by fully connected layers. Computation of the point convolution: let the input point cloud be X, where N is the number of points in the point cloud and C the number of features of each point. The output of the point convolution layer is Y, where D is the number of output features. The parameters of the point convolution layer are W, and the computation of the layer is Y = XW. Because the dimensionality-reduction mapping converts high-dimensional point cloud data into a low-dimensional space, fewer parameters are needed in the classification and segmentation networks to extract the global features of the point cloud, which strengthens the generalisation ability of the network. The output layer of the network concatenates the outputs of the global and local branches and maps them to the output space with a fully connected layer. The output layer uses a softmax activation function for the classification task and a sigmoid activation function for the segmentation task. The sigmoid function produces a number between 0 and 1 representing the probability that a sample belongs to a particular class.
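The two building blocks the S105 description relies on, the point convolution Y = XW applied with one shared weight matrix to every point and the symmetric max pooling that makes the global feature insensitive to the order of the points, as an added illustration that is not the patent's network. The untrained weights, the standardised feature rows standing in for flow records, and the small hidden width are constructed assumptions; the real model's layer sizes (2048, 64) are not reproduced.

```python
import random

NUM_FEATURES = 14   # one point per flow record, with the page's 14 key features
HIDDEN = 6          # width of the point-convolution output (small assumed value for the demo)


def point_conv(X, W):
    """Point convolution Y = XW.  X is N×C (one row per point), W is C×D and is shared by all
    points, so output row i depends only on input row i: the layer is applied point-wise."""
    return [[sum(x_c * W[c][d] for c, x_c in enumerate(x)) for d in range(len(W[0]))] for x in X]


def max_pool(Y):
    """Symmetric aggregation: the element-wise maximum over the N points gives one global vector."""
    return [max(column) for column in zip(*Y)]


def global_feature(X, W):
    """Global branch in miniature: point convolution followed by max pooling."""
    return max_pool(point_conv(X, W))


def local_global_features(Y, g):
    """Segmentation (local) branch input: each point's own feature concatenated with the global one."""
    return [y + g for y in Y]


def is_permutation_invariant(X, W, seed=1):
    """The property the page relies on: shuffling the order of the points must not change the
    global feature, while each point's local feature travels with the point."""
    order = list(range(len(X)))
    random.Random(seed).shuffle(order)
    X_shuffled = [X[i] for i in order]
    same_global = global_feature(X, W) == global_feature(X_shuffled, W)
    Y, Y_shuffled = point_conv(X, W), point_conv(X_shuffled, W)
    local_follows_point = all(Y_shuffled[j] == Y[i] for j, i in enumerate(order))
    return same_global and local_follows_point


def make_weights(c, d, seed=7):
    """Constructed (untrained) C×D weight matrix; a real model would learn W."""
    rng = random.Random(seed)
    return [[rng.uniform(-1.0, 1.0) for _ in range(d)] for _ in range(c)]


def make_points(n, c, seed=3):
    """Constructed standardised feature rows standing in for n flow records."""
    rng = random.Random(seed)
    return [[rng.uniform(-2.0, 2.0) for _ in range(c)] for _ in range(n)]


if __name__ == "__main__":
    W = make_weights(NUM_FEATURES, HIDDEN)
    X = make_points(5, NUM_FEATURES)
    print("global feature:", [round(v, 3) for v in global_feature(X, W)])
    print("order-invariant:", is_permutation_invariant(X, W))
```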

Specifically, the classification method is as follows. The input is the collection of all point cloud data of one frame, expressed as an n×14 two-dimensional tensor, where n is the number of points (here, flow records) and 14 is the number of feature quantities per point (the counterpart of the x, y, z coordinates of a geometric point cloud). The input data is first aligned by multiplying it with a transformation matrix learned by a T-Net, which makes the model invariant to specific spatial transformations. Features are extracted from every point by several MLP layers implemented as shared-weight convolutions, and a second T-Net then aligns the features. Max pooling over each feature dimension yields the final global feature. For the classification task, the global feature is passed through an MLP to predict the final classification score; for the segmentation task, the global feature is concatenated with the per-point local features learned earlier, and an MLP then yields a classification result for every data point. The global feature extracted by the improved point cloud network handles the classification task well.
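The forward pass described above, written out as an added Python example; this is illustrative code, not the patent's implementation. A point is one flow record with 14 feature quantities and a frame is the n×14 set of such records. The weights are random stand-ins for trained parameters, the input frame is constructed, and the T-Net alignment is left out (identity alignment is assumed). The block shows the point convolution Y = XW applied identically to every point, max pooling to the 2048-D global feature consumed by the attack/no-attack classification head, and the 64 + 2048 concatenation fed to the per-point segmentation head.

```python
"""Added example (not the patent's code): a PointNet-style forward pass over one
frame of flow records, each a point with 14 feature quantities."""
import math
import random

IN_FEATURES = 14    # feature quantities per point (n x 14 input tensor)
LOCAL_DIM = 64      # per-point local feature width after feature transformation
GLOBAL_DIM = 2048   # width of the max-pooled global feature
NUM_CLASSES = 8     # label types of the real-time detection data set (claim 7)


def make_weights(rows, cols, seed):
    """Deterministic stand-in for trained weights (assumption: untrained, random)."""
    rng = random.Random(seed)
    return [[rng.uniform(-0.1, 0.1) for _ in range(cols)] for _ in range(rows)]


def point_conv(points, weight):
    """Point convolution Y = XW with X in R^{N x C} and W in R^{C x D}: the same
    weight matrix is applied to every point, so each row is processed independently."""
    cols = list(zip(*weight))  # transpose once: D columns of length C
    return [[sum(x * w for x, w in zip(point, col)) for col in cols] for point in points]


def relu(points):
    return [[max(0.0, v) for v in p] for p in points]


def max_pool(points):
    """Max over the point axis for every feature dimension. max is symmetric, so the
    global feature does not depend on the order in which the points arrive."""
    return [max(col) for col in zip(*points)]


def softmax(values):
    m = max(values)
    exps = [math.exp(v - m) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


class FlowPointNet:
    """Global and local branches of the described network. T-Net alignment is
    omitted (assumption: identity alignment) to keep the example short."""

    def __init__(self, seed=0):
        self.w_local = make_weights(IN_FEATURES, LOCAL_DIM, seed)           # local branch
        self.w_global = make_weights(LOCAL_DIM, GLOBAL_DIM, seed + 1)       # global branch
        self.w_cls = make_weights(GLOBAL_DIM, 2, seed + 2)                  # attack / no attack
        self.w_seg = make_weights(LOCAL_DIM + GLOBAL_DIM, NUM_CLASSES, seed + 3)

    def forward(self, frame):
        local = relu(point_conv(frame, self.w_local))        # N x 64 per-point features
        lifted = relu(point_conv(local, self.w_global))      # N x 2048
        global_feat = max_pool(lifted)                       # 2048-D, one per frame
        # Classification head: is there a DDoS attack in this frame? (softmax)
        classification = softmax(point_conv([global_feat], self.w_cls)[0])
        # Segmentation head: concatenate each point's 64-D local feature with the
        # 2048-D global feature and score the 8 label types per point (sigmoid).
        fused = [p + global_feat for p in local]             # N x (64 + 2048)
        segmentation = [[sigmoid(v) for v in row] for row in point_conv(fused, self.w_seg)]
        return {"global": global_feat, "fused": fused,
                "classification": classification, "segmentation": segmentation}


def sample_frame(n_points=4, seed=7):
    """Constructed input: n normalized flow records with 14 features in [0, 1]."""
    rng = random.Random(seed)
    return [[rng.random() for _ in range(IN_FEATURES)] for _ in range(n_points)]


if __name__ == "__main__":
    net = FlowPointNet()
    frame = sample_frame()
    out = net.forward(frame)
    print(len(out["global"]), len(out["fused"][0]), out["classification"])
    # Reordering the points leaves the global feature and the frame verdict unchanged.
    assert net.forward(frame[::-1])["global"] == out["global"]
```

Because max pooling is symmetric, reordering the flow records within a frame leaves the global feature and the frame-level verdict unchanged, and each point's segmentation row moves with the point; that permutation invariance is what makes a point cloud a reasonable model for a set of flows that has no natural order.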

The application discloses a point cloud feature enhanced blockchain DDoS attack classification and segmentation method, belonging to the technical field of network security. The method includes: based on the CIC-DDoS2019 data set, obtaining data of several DDoS attack types and building a data set with DDoS attack types; preprocessing the data in the CIC-DDoS2019 data set other than the data of those DDoS attack types to obtain first data with valid features; inputting the first data with valid features into a decision tree model for screening to obtain second data with key features; generating a DDoS real-time detection data set from the second data with key features and the data set with DDoS attack types; inputting the second data with key features into the point cloud, enhancing the point cloud features and building a detection model; and inputting the DDoS real-time detection data set into the detection model to obtain the classification and segmentation results for DDoS attack traffic. The embodiments of the application can therefore classify and segment DDoS attacks accurately and effectively along multiple dimensions in a distributed network environment, which helps to maintain the stability and security of the blockchain system.

Based on the same technical concept, and corresponding to the method of the application, the embodiments also provide a computer-readable storage medium storing at least one instruction, at least one program, code set or instruction set, which is loaded and executed by a processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method described above.

Based on the same technical concept, the embodiments also provide a computer device. Such devices may differ considerably in configuration and performance; each includes one or more processors and a memory, where the memory may be transient or persistent storage. The memory may store at least one instruction, at least one program, code set or instruction set, which is loaded and executed by the processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method described above.

Those skilled in the art will understand that the embodiments of the application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to its embodiments. It should be understood that each procedure and/or block in the flowcharts and/or block diagrams, and any combination of them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce an apparatus for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in that memory produce an article of manufacture including instruction means that implement the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.

The memory may include non-persistent memory in computer-readable media, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.

Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media exclude transitory media such as modulated data signals and carrier waves.

It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.

The above are merely embodiments of the application and are not intended to limit it. Those skilled in the art may make various modifications and variations to the application. Any modification, equivalent replacement or improvement made within the spirit and principles of the application shall fall within the scope of its claims.

Claims (10)

1. A point cloud feature enhanced blockchain DDoS attack classification and segmentation method, characterized by comprising the following steps:
based on the CIC-DDoS2019 data set, acquiring data of a plurality of DDoS attack types and establishing a data set with the DDoS attack types;
preprocessing the data in the CIC-DDoS2019 data set other than the data of the plurality of DDoS attack types to obtain first data with valid features;
inputting the first data with the valid features into a decision tree model for screening to obtain second data with key features;
generating a DDoS real-time detection data set from the second data with the key features and the data set with the DDoS attack types;
inputting the second data with the key features into the point cloud, enhancing the point cloud features and establishing a detection model, and inputting the DDoS real-time detection data set into the detection model to obtain the classification and segmentation results for DDoS attack traffic.
2. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the data set with DDoS attack types comprises a subset with DDoS attack types and a subset without a DDoS attack type, and the data of the subset with DDoS attack types and of the subset without a DDoS attack type each account for half of the data set with DDoS attack types.
3. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 2, wherein the subset with DDoS attack types includes at least seven attack types and the subset without a DDoS attack type includes at least one type.
4. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein preprocessing the data in the CIC-DDoS2019 data set other than the data of the plurality of DDoS attack types comprises: deleting the data containing null values and zero values and the unchanging features to obtain first features; based on the first features, removing useless features to obtain second features; based on the second features, computing the correlation among the features and deleting the highly correlated ones of the remaining features, to obtain the first data with the valid features.
5. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein inputting the first data with the valid features into the decision tree model for screening comprises: training the decision tree model on the first data with the valid features and grouping the features according to their importance in the training result, to obtain the second data with the key features.
6. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 5, wherein each feature of the second data with the key features is normalized.
7. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the DDoS real-time detection data set comprises at least fourteen features and eight label types.
8. The point cloud feature enhanced blockchain DDoS attack classification and segmentation method of claim 1, wherein the detection model performs the classification and the segmentation of DDoS attack traffic simultaneously.
9. A computer-readable storage medium having stored therein at least one instruction, at least one program, code set or instruction set, which is loaded and executed by a processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any of claims 1 to 7.
10. A computer device comprising a processor and a memory, the memory having stored therein at least one instruction, at least one program, code set or instruction set, which is loaded and executed by the processor to implement the point cloud feature enhanced blockchain DDoS attack classification and segmentation method of any of claims 1 to 7.
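The screening steps that claims 2, 4 and 6 describe, as an added Python example over a constructed table of six flow records; this is not the patent's code. The column names follow the style of CIC-DDoS2019 flow features, the values are made up so that each rule fires at least once, the identifier columns treated as "useless" are an assumption, and the decision tree screening of claim 5 is not reproduced (a trained tree's feature importances would be applied between the correlation filter and the normalization).

```python
"""Added example (not the patent's code): the feature-screening pipeline of
claims 2, 4 and 6 on a constructed table of flow records."""
import math

LABEL = "Label"
ID_COLUMNS = ("Flow ID", "Source IP", "Timestamp")   # assumed "useless" features


def _flow(fid, src, dur, fwd, bwd, fwd_s, bwd_s, win, label):
    """Build one constructed flow record with CIC-DDoS2019-style column names."""
    return {"Flow ID": fid, "Source IP": src, "Timestamp": "2018-11-03 09:00:0" + fid[-1],
            "Protocol": 17, "Flow Duration": dur, "Total Fwd Packets": fwd,
            "Total Backward Packets": bwd, "Fwd Packets/s": fwd_s, "Bwd Packets/s": bwd_s,
            "Fwd URG Flags": 0, "Init Win bytes forward": win, LABEL: label}


# Constructed rows: four attack flows, two benign flows. "Fwd Packets/s" is exactly
# twice "Total Fwd Packets" so the correlation filter has something to remove.
SAMPLE_FLOWS = [
    _flow("f1", "172.16.0.5", 100, 10, 2, 20, 5, 8192, "DrDoS_DNS"),
    _flow("f2", "172.16.0.5", 200, 30, 9, 60, 3, 8192, "DrDoS_NTP"),
    _flow("f3", "172.16.0.9", 500, 5, 1, 10, 9, None, "Syn"),
    _flow("f4", "172.16.0.9", 400, 50, 3, 100, 4, 65535, "UDP"),
    _flow("f5", "192.168.50.1", 150, 20, 8, 40, 6, 29200, "BENIGN"),
    _flow("f6", "192.168.50.1", 300, 40, 4, 80, 7, 29200, "BENIGN"),
]


def feature_names(rows):
    return [k for k in rows[0] if k != LABEL]


def drop_degenerate_features(rows):
    """Claim 4, step 1 (as read here): delete features containing null values,
    features that are all zero, and features whose value never changes."""
    keep = []
    for name in feature_names(rows):
        values = [r[name] for r in rows]
        if any(v is None for v in values):
            continue
        if all(v == 0 for v in values):
            continue
        if len(set(values)) == 1:
            continue
        keep.append(name)
    return [{k: r[k] for k in keep + [LABEL]} for r in rows]


def drop_useless_features(rows, useless=ID_COLUMNS):
    """Claim 4, step 2: remove identifier-like columns that describe the capture,
    not the traffic; a model keyed on them would memorize the test bed."""
    return [{k: v for k, v in r.items() if k not in useless} for r in rows]


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def drop_correlated_features(rows, threshold=0.95):
    """Claim 4, step 3: of a highly correlated pair keep the feature seen first."""
    kept = []
    for name in feature_names(rows):
        col = [float(r[name]) for r in rows]
        if all(abs(pearson(col, [float(r[k]) for r in rows])) <= threshold for k in kept):
            kept.append(name)
    return [{k: r[k] for k in kept + [LABEL]} for r in rows]


def min_max_normalize(rows):
    """Claim 6: scale every remaining feature into [0, 1]."""
    out = [dict(r) for r in rows]
    for name in feature_names(rows):
        lo, hi = min(r[name] for r in rows), max(r[name] for r in rows)
        for r in out:
            r[name] = 0.0 if hi == lo else (r[name] - lo) / (hi - lo)
    return out


def balance_attack_benign(rows, benign_label="BENIGN"):
    """Claim 2: attack and non-attack subsets each make up half of the data set.
    Deterministic truncation here; random undersampling would be used in practice."""
    attack = [r for r in rows if r[LABEL] != benign_label]
    benign = [r for r in rows if r[LABEL] == benign_label]
    k = min(len(attack), len(benign))
    return attack[:k] + benign[:k]


def preprocess(rows, threshold=0.95):
    rows = drop_degenerate_features(rows)
    rows = drop_useless_features(rows)
    rows = drop_correlated_features(rows, threshold)
    rows = min_max_normalize(rows)
    return balance_attack_benign(rows)


if __name__ == "__main__":
    cleaned = preprocess(SAMPLE_FLOWS)
    print(feature_names(cleaned))
    for record in cleaned:
        print(record)
```

Run as a script, it prints the four surviving features and the balanced, normalized records. Two practical points the claims leave open: the order in which features are visited decides which member of a correlated pair survives, and the normalization minima and maxima must be taken from the training split and reused unchanged for live traffic, otherwise one extreme flow from an attacker shifts the scaled values of every other record in the window.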
Application CN202310510837.XA, priority date 2023-05-08, filing date 2023-05-08: Point cloud characteristic enhanced block chain DDoS attack classification and segmentation method. Status: Pending.

Publication: CN116614265A (en), published 2023-08-18.

Family ID: 87682809 (one family application, CN202310510837.XA; one country, CN).


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination