CN116781338A - DDos attack recognition method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN116781338A
Authority
CN
China
Prior art keywords
data packet
value
window
network
determining
Legal status
Pending
Application number
CN202310691959.3A
Other languages
Chinese (zh)
Inventor
侯泽鹏
杨会峰
赵炜
付强
王尧
赵小萌
李特
郭秋君
刘少帅
吴启龙
张小龙
贾若愚
王聪
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application is suitable for the technical field of network attack detection and provides a DDos attack identification method, a device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a data packet flow value in a target network; the data Packet flow value comprises an IP data Packet flow value of the network equipment and a Packet-in data Packet flow value of the controller; determining a detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold; if the detection result is abnormal, acquiring a source address data packet set and a destination address data packet set in a current network window of the target network according to the abnormal type; and determining a window entropy value of the current network window according to the source address data packet set and the destination address data packet set, and determining a recognition result of the DDos attack according to the window entropy value and the dynamic entropy threshold value. The application can improve the accuracy and efficiency of DDos attack recognition and simultaneously improve the real-time performance of DDos attack recognition.

Description

DDos attack recognition method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network attack detection technologies, and in particular, to a DDos attack recognition method, a DDos attack recognition device, an electronic device, and a storage medium.
Background
With the continuous development of informatization, new network architectures have been applied to many industries. Taking the software defined network (Software Defined Network, SDN) as an example of a novel network architecture: it separates network control from forwarding, which makes the network more intelligent, and it is widely applied to the integrated data network of the electric power industry. The SDN adopts a network architecture of centralized control and distributed forwarding; in the SDN, a controller on the control plane uses a control-forwarding communication interface to centrally control the network devices on the forwarding plane. However, the centralized architecture of the SDN makes it very vulnerable to network attacks, especially distributed denial of service (Distributed Denial of Service, DDos) attacks: in a mild case the data plane devices stop providing service, in a severe case the control plane fails, and ultimately the entire network is paralyzed.
In the related art, for an SDN or a network with the same network architecture as the SDN, DDos attack recognition methods mainly include a method based on a statistical calculation threshold and a method based on machine learning classification. However, the two methods have the problems of low attack recognition accuracy, poor efficiency, poor real-time performance and the like.
Disclosure of Invention
In view of the above, the embodiments of the present application provide a DDos attack recognition method, a device, an electronic apparatus, and a storage medium, so as to solve the technical problems of low accuracy, poor efficiency, and poor real-time performance of the DDos attack recognition method in the related art.
In a first aspect, an embodiment of the present application provides a DDos attack recognition method, including: acquiring a data packet flow value in a target network; the data Packet flow value comprises an IP data Packet flow value of the network equipment and a Packet-in data Packet flow value of the controller; determining a detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold; if the detection result is abnormal, acquiring a source address data packet set and a destination address data packet set in a current network window of the target network according to the detected abnormal type of the DDos attack; and determining a window entropy value of the current network window according to the source address data packet set and the destination address data packet set, and determining a recognition result of the DDos attack according to the window entropy value and the dynamic entropy threshold value.
In a possible implementation manner of the first aspect, the anomaly type includes a network device anomaly or a controller anomaly; determining a detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold value, wherein the detection result comprises the following steps: determining a dynamic flow threshold according to the historical data packet flow value; the dynamic flow threshold comprises an IP flow threshold and a Packet-in flow threshold; judging whether the IP data packet flow value is larger than an IP flow threshold value or not; if the IP data packet flow value is larger than the IP flow threshold value, determining that the detection result is abnormal, and determining that the abnormal type is abnormal of the network equipment; judging whether the Packet-in data Packet flow value is larger than the Packet-in flow threshold; if the Packet-in data Packet flow value is larger than the Packet-in flow threshold, determining that the detection result is abnormal, and determining that the abnormal type is abnormal of the controller.
In a possible implementation manner of the first aspect, determining the dynamic traffic threshold according to the historical packet traffic value includes: determining the attribute of the detection date; wherein the attributes include weekdays, weekends, or holidays; acquiring a corresponding historical data packet flow value in a preset time period before a detection date according to the attribute; the historical data Packet flow value comprises a historical IP data Packet flow value and a historical Packet-in data Packet flow value; according to the historical IP data packet flow value, adopting an aggregation algorithm and a sliding window algorithm to determine an IP data packet flow average value and an IP fluctuation value, and taking the sum of the IP data packet flow average value and the IP fluctuation value as an IP flow threshold; according to the historical Packet-in data Packet flow value, an aggregation algorithm and a sliding window algorithm are adopted to determine the Packet-in data Packet flow average value and the Packet-in fluctuation value, and the sum of the Packet-in data Packet flow average value and the Packet-in fluctuation value is taken as the Packet-in flow threshold.
In a possible implementation manner of the first aspect, the source address Packet set includes a source IP Packet set and a source Packet-in Packet set, the destination address Packet set includes a destination IP Packet set and a destination Packet-in Packet set, and the anomaly type includes a network device anomaly or a controller anomaly; if the detection result is abnormal, acquiring a source address data packet set and a destination address data packet set in a current network window of the target network according to the detected anomaly type of the DDos attack includes the following steps: if the detection result is abnormal and the anomaly type is a network device anomaly, acquiring a source IP data packet set and a destination IP data packet set in the current network window of the target network; if the detection result is abnormal and the anomaly type is a controller anomaly, acquiring a source Packet-in data Packet set and a destination Packet-in data Packet set in the current network window of the target network.
In a possible implementation manner of the first aspect, determining the window entropy value of the current network window according to the source address data packet set and the destination address data packet set includes: determining the network state of the current network window by adopting a shannon entropy algorithm according to the source address data packet set and the destination address data packet set; according to the historical source address data packet set and the historical destination address data packet set, determining the network state mean value of a preset number of network windows before the current network window by adopting a shannon entropy algorithm; and determining an entropy value between the network state and the network state mean value by adopting a Renyi cross entropy algorithm according to the network state and the network state mean value, and taking the determined entropy value as a window entropy value of a current network window.
In a possible implementation manner of the first aspect, the identification result includes a presence attack and an absence attack; determining a recognition result of the DDos attack according to the window entropy value and the dynamic entropy value threshold value, wherein the recognition result comprises: judging whether the window entropy value is larger than a dynamic entropy value threshold value or not; wherein, the dynamic entropy threshold value is determined by adopting an RMSprop algorithm; if the window entropy value is larger than the dynamic entropy value threshold value, determining that the current network window is abnormal, and identifying that an attack exists; if the window entropy value is smaller than or equal to the dynamic entropy value threshold value, determining that the current network window is normal, and identifying that no attack exists.
In a possible implementation manner of the first aspect, the identification result includes a presence attack and an absence attack; after determining the recognition result of the DDos attack according to the window entropy value and the dynamic entropy value threshold value, the method further comprises the following steps: if the identification result shows that no attack exists, acquiring a data packet flow value of a detection date according to the abnormal type; and carrying out average value calculation on the data packet flow value of the detection date, taking the calculated average value as a new data packet flow average value, updating the dynamic flow threshold value based on the sum of the new data packet flow average value and the fluctuation value, and determining the fluctuation value according to the historical data packet flow value.
In a second aspect, an embodiment of the present application provides a DDos attack recognition device, including:
the first acquisition module is used for acquiring a data packet flow value in the target network; the Packet flow value includes an IP Packet flow value of the network device and a Packet-in Packet flow value of the controller.
And the first determining module is used for determining the detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold value.
And the second acquisition module is used for acquiring a source address data packet set and a destination address data packet set in the current network window of the target network according to the detected abnormal type of the DDos attack when the detection result is abnormal.
The second determining module is used for determining the window entropy value of the current network window according to the source address data packet set and the destination address data packet set, and determining the identification result of the DDos attack according to the window entropy value and the dynamic entropy threshold value.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory and a processor, where the memory stores a computer program executable on the processor, and the processor implements the DDos attack identification method according to any one of the first aspects when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program, which when executed by a processor implements a DDos attack recognition method according to any of the first aspects.
In a fifth aspect, an embodiment of the present application provides a computer program product, which when run on an electronic device, causes the electronic device to perform the DDos attack identification method according to any of the first aspects above.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
According to the DDos attack identification method, the device, the electronic equipment and the storage medium, which are provided by the embodiment of the application, aiming at the network equipment and the controller in the target network, the DDos attack is detected and identified according to the acquired data of different data packets, and meanwhile, a dynamic threshold value is set in the detection and identification process, so that the accuracy and the efficiency of the DDos attack identification can be improved, the instantaneity of the DDos attack identification can be improved, and the DDos attack to the network equipment and the controller can be identified simultaneously.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a DDos attack recognition method according to an embodiment of the present application;
FIG. 2 is a flow chart of a DDos attack recognition method according to another embodiment of the present application;
FIG. 3 is a flow chart of a DDos attack recognition method according to another embodiment of the present application;
fig. 4 is a schematic structural diagram of a DDos attack recognition device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be more clearly described with reference to the following examples. The following examples will assist those skilled in the art in further understanding the function of the present application, but are not intended to limit the application in any way. It should be noted that variations and modifications could be made by those skilled in the art without departing from the inventive concept. These are all within the scope of the present application.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
In the description of the present specification and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Furthermore, references to "a plurality of" in embodiments of the present application should be interpreted as two or more.
With the continuous development of informatization, new network architectures have been applied to many industries. Taking the SDN as an example of a novel network architecture: it separates network control from forwarding, which makes the network more intelligent, and it is widely applied in the power industry. The SDN adopts a network architecture of centralized control and distributed forwarding; in the SDN, a controller on the control plane uses a control-forwarding communication interface to centrally control the network devices on the forwarding plane. However, the centralized architecture of the SDN makes it very vulnerable to network attacks, especially DDos attacks: in a mild case the data plane devices stop providing service, in a severe case the control plane fails, and finally the whole network is paralyzed. In the related art, for an SDN or a network with the same network architecture as the SDN, DDos attack recognition methods mainly include a method based on a statistically calculated threshold and a method based on machine learning classification. However, both methods suffer from low attack recognition accuracy, poor efficiency, poor real-time performance and the like.
Based on the above-mentioned problems, the inventors have found that DDos attack detection and identification can be performed on network devices and controllers in a target network by monitoring corresponding packet flow values, and corresponding sets of source address packets and destination address packets.
Fig. 1 is a flow chart of a DDos attack recognition method according to an embodiment of the present application. As shown in fig. 1, the method in the embodiment of the present application may include:
step 101, obtaining a data packet flow value in a target network.
The data Packet flow value comprises an IP data Packet flow value of the network equipment and a Packet-in data Packet flow value of the controller.
The target network is an SDN, or a network with the same network architecture as the SDN, for example. The network architecture of the target network comprises a controller and network equipment, and the controller utilizes a control-forwarding communication interface to perform centralized control on the network equipment. Wherein the network device is a server or a switch, etc.
Step 102, determining the detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold.
Wherein the anomaly type includes a network device anomaly or a controller anomaly.
In one possible implementation, referring to fig. 2, the present embodiment may include steps 1021 to 1023 when determining the detection result of the DDos attack.
Step 1021, determining a dynamic flow threshold according to the historical data packet flow value; the dynamic traffic threshold includes an IP traffic threshold and a Packet-in traffic threshold.
Step 1022, judging whether the IP data packet flow value is greater than the IP flow threshold; if it is, determining that the detection result is abnormal and that the anomaly type is a network device anomaly.
Step 1023, judging whether the Packet-in data Packet flow value is greater than the Packet-in flow threshold; if it is, determining that the detection result is abnormal and that the anomaly type is a controller anomaly.
Optionally, in this embodiment, if the IP Packet flow value is less than or equal to the IP flow threshold and the Packet-in Packet flow value is less than or equal to the Packet-in flow threshold, then the detection result is determined to be normal.
In this embodiment, a DDos attack is detected by comparing the IP Packet flow value with the IP flow threshold and the Packet-in Packet flow value with the Packet-in flow threshold. Detection is therefore fast, the algorithm is simple and it consumes few resources, which reduces the risk that detection itself consumes excessive network device and controller resources and disturbs normal service operation.
In one possible implementation, the present embodiment may include A1 to A4 when determining the dynamic traffic threshold based on the historical packet traffic value.
A1, determining the attribute of the detection date.
A2, acquiring a corresponding historical data packet flow value in a preset time period before the detection date according to the attribute. The historical data Packet flow value comprises a historical IP data Packet flow value and a historical Packet-in data Packet flow value.
Wherein the attribute comprises a weekday, a weekend, or a holiday. In the power industry, the data packet flow value in the power integrated data network may also be referred to as traffic, and has a strong relationship with factors such as the work and rest law, the working property, and the holiday of network users, so that the data packet flow value presents a certain periodicity, and has a periodic characteristic. Based on the above, a corresponding historical data packet flow value is obtained according to the attribute of the detection date, and a corresponding dynamic flow threshold is determined according to the corresponding historical data packet flow value.
Optionally, the date of detection is the date of detection of the DDos attack. In this embodiment, when the DDos attack is detected in real time, the detection date may be the current date.
In this embodiment, if the attribute of the detection date is a working day, a historical packet flow value of the working day in a preset period of time before the detection date is obtained. Similarly, if the attribute of the detection date is a weekend, the historical data packet flow value of the weekend in the preset time period before the detection date is obtained, and if the attribute of the detection date is a holiday, the historical data packet flow value of the holiday in the preset time period before the detection date is obtained. The preset time period may be set as required, for example, the preset time period may be one month, or half year, etc., and the detection date may have different attributes, and the corresponding preset time period may be different.
For example, if the attribute of the detection date is a working day and the preset time period is one month, the historical data packet flow value of the working day within one month before the detection date is obtained.
A3, according to the historical IP data packet flow value, determining an IP data packet flow average value and an IP fluctuation value by adopting an aggregation algorithm and a sliding window algorithm, and taking the sum of the IP data packet flow average value and the IP fluctuation value as an IP flow threshold.
In this embodiment, when determining the IP traffic threshold according to the historical IP packet traffic value, the aggregation processing is performed on the corresponding historical IP packet traffic value in the preset time period according to the preset duration, so as to obtain a plurality of aggregated IP data, for example, the preset duration may be 5 minutes. Wherein each aggregated IP data may be determined according to the following formula (1).
Where X is the aggregated IP data, $X(k)$ is the k-th historical IP data packet flow value within the preset duration, and K is the number of historical IP data packet flow values within the preset duration. Note that, as described above, the historical IP packet flow values used are those matching the attribute of the detection date; for example, if the detection date is a working day, the historical IP packet flow values of working days are used.
Optionally, in this embodiment, after determining a plurality of aggregated IP data, outlier processing is performed on the determined plurality of aggregated IP data to remove outliers.
The above plurality of aggregated IP data are grouped randomly, for example into four groups, although another number of groups may be used as needed, and the mean value and the fluctuation value of each group are calculated using a sliding window. The window size and the sliding step of the sliding window can be set as required.
Alternatively, the mean value and the fluctuation value of each set of data may be determined according to the following formula (2) and formula (3), respectively.
In formula (2), the left-hand side is the mean value of group p, $X_{pj}$ is the flow size in the j-th sliding window of group p, that is, the sum of the aggregated IP data falling within the j-th sliding window of group p, J is the number of sliding windows in group p, and P is the number of groups. Different groups may have different numbers of sliding windows.
In formula (3), $S_p$ is the fluctuation value of group p.
The average value and the fluctuation value of each group are calculated, the smallest fluctuation value is taken as an IP fluctuation value, the average value corresponding to the group with the smallest fluctuation value is taken as the flow average value of the IP data packet, and the sum of the flow average value of the IP data packet and the IP fluctuation value is taken as the IP flow threshold.
And A4, determining a Packet-in data Packet flow average value and a Packet-in fluctuation value by adopting an aggregation algorithm and a sliding window algorithm according to the historical Packet-in data Packet flow value, and taking the sum of the Packet-in data Packet flow average value and the Packet-in fluctuation value as a Packet-in flow threshold.
For example, in this embodiment, when determining the Packet-in flow threshold according to the historical Packet-in Packet flow value, the specific implementation principle and process of determining the IP flow threshold according to the historical IP Packet flow value in the foregoing embodiment A3 may be referred to, which are not described herein.
In this embodiment, the setting of the dynamic traffic threshold can more accurately reflect the current state of the target network, so that the situation that the current state of the target network cannot be accurately measured due to the setting of the fixed threshold is reduced, and meanwhile, according to the attribute of the detection date, the corresponding historical data packet traffic value is obtained to determine the dynamic traffic threshold, so that the accuracy of the dynamic traffic threshold can be improved, and further the accuracy and the efficiency of DDos attack detection are improved.
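The threshold construction of steps A1 to A4 and the flow comparison of steps 1021 to 1023, as an added worked example in Python; this is not code from the patent or its assignee. The page does not give formulas (1) to (3), the outlier rule, the window parameters or the unit in which the live flow value is compared with the threshold, so the example assumes them: formula (1) sums the per-minute values of each 5-minute bucket, the fluctuation value is the population standard deviation of the sliding-window sums, outliers are removed with a 3-sigma rule, the window size, step and group count are chosen here, and the live value is the sum of the latest three buckets. The traffic history is constructed.

```python
"""Dynamic flow threshold (steps A1-A4) and flow-level detection (steps 1021-1023).
Added example, not the patent's code. Assumptions, because the page does not state them:
formula (1) sums the K per-minute values of each 5-minute bucket; the fluctuation value of
formula (3) is the population standard deviation of the sliding-window sums; outlier
processing is a 3-sigma rule; window size, step and group count are chosen here."""
import random
from statistics import mean, pstdev

AGG_MINUTES = 5   # preset aggregation duration given on the page
WINDOW = 3        # sliding window size in aggregated buckets (assumed)
STEP = 1          # sliding step (assumed)
N_GROUPS = 4      # the page's example of four random groups


def date_attribute(day, holidays=frozenset()):
    """Step A1: classify the detection date (a datetime.date) as holiday, weekend or workday."""
    if day in holidays:
        return "holiday"
    return "weekend" if day.weekday() >= 5 else "workday"


def aggregate(per_minute, bucket=AGG_MINUTES):
    """Formula (1) as assumed here: X = sum of the K flow values inside each bucket."""
    full = len(per_minute) - len(per_minute) % bucket   # drop a trailing partial bucket
    return [sum(per_minute[i:i + bucket]) for i in range(0, full, bucket)]


def remove_outliers(values, z=3.0):
    """Outlier processing on the aggregated IP data (3-sigma rule, assumed)."""
    mu, sd = mean(values), pstdev(values)
    return [v for v in values if sd == 0 or abs(v - mu) <= z * sd]


def window_sums(values, size=WINDOW, step=STEP):
    """X_pj: flow size of the j-th sliding window, i.e. the sum of its aggregated buckets."""
    return [sum(values[i:i + size]) for i in range(0, len(values) - size + 1, step)]


def dynamic_threshold(per_minute_history, seed=0):
    """Steps A3/A4: random grouping, per-group mean (2) and fluctuation (3) over sliding
    windows; threshold = mean + fluctuation of the group with the smallest fluctuation."""
    data = remove_outliers(aggregate(per_minute_history))
    random.Random(seed).shuffle(data)            # random grouping, reproducible for the demo
    stats = []
    for p in range(N_GROUPS):
        xs = window_sums(data[p::N_GROUPS])      # group p = every N_GROUPS-th shuffled bucket
        stats.append((mean(xs), pstdev(xs)))
    mu, s = min(stats, key=lambda ms: ms[1])
    return mu + s


def current_flow_value(recent_per_minute):
    """Live measurement in the same unit as the threshold: sum of the latest WINDOW buckets."""
    return window_sums(aggregate(recent_per_minute))[-1]


def detect(ip_value, pin_value, ip_threshold, pin_threshold):
    """Steps 1021-1023: each flow value is compared with its own threshold; both
    anomaly types can be reported for the same measurement."""
    anomalies = []
    if ip_value > ip_threshold:
        anomalies.append("network_device")
    if pin_value > pin_threshold:
        anomalies.append("controller")
    return ("abnormal", anomalies) if anomalies else ("normal", [])


# Constructed history (not real traffic): ten past workdays of per-minute packet counts
# with a small deterministic pattern, for the switch (IP) and the controller (Packet-in).
MINUTES = 10 * 24 * 60
IP_HISTORY = {"workday": [100 + (i % 7) for i in range(MINUTES)]}
PIN_HISTORY = {"workday": [10 + (i % 3) for i in range(MINUTES)]}


def run_detection(day, live_ip, live_pin, holidays=frozenset()):
    """Whole procedure: pick history by date attribute, build both thresholds, detect."""
    attr = date_attribute(day, holidays)
    ip_thr = dynamic_threshold(IP_HISTORY[attr])
    pin_thr = dynamic_threshold(PIN_HISTORY[attr])
    return detect(current_flow_value(live_ip), current_flow_value(live_pin), ip_thr, pin_thr)


if __name__ == "__main__":
    import datetime
    monday = datetime.date(2023, 6, 12)
    print(run_detection(monday, [100] * 15, [10] * 15))    # ('normal', [])
    print(run_detection(monday, [1000] * 15, [10] * 15))   # ('abnormal', ['network_device'])
    print(run_detection(monday, [1000] * 15, [500] * 15))  # both anomaly types
```

Because the constructed history has little variation, the fluctuation value is small and the threshold sits only slightly above the mean; on real traffic the group with the smallest fluctuation is what keeps the threshold from being pushed up by a noisy group, which is the reason the page selects that group rather than averaging all of them.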
And step 103, if the detection result is abnormal, acquiring a source address data packet set and a destination address data packet set in the current network window of the target network according to the detected abnormal type of the DDos attack.
The source address data Packet set comprises a source IP data Packet set and a source Packet-in data Packet set, the destination address data Packet set comprises a destination IP data Packet set and a destination Packet-in data Packet set, and the anomaly type comprises network equipment anomaly or controller anomaly.
In one possible implementation, this embodiment may include steps 1031 to 1032 when acquiring the source address packet set and the destination address packet set in the current network window of the target network.
Step 1031, if the detection result is abnormal and the anomaly type is a network device anomaly, acquiring a source IP data packet set and a destination IP data packet set in the current network window of the target network.
Step 1032, if the detection result is abnormal and the anomaly type is a controller anomaly, acquiring a source Packet-in data Packet set and a destination Packet-in data Packet set in the current network window of the target network.
Illustratively, the window size of the current network window may be set as desired. The source IP data packet set comprises a plurality of different source IP data packets, and the destination IP data packet set comprises a plurality of different destination IP data packets. Similarly, the source Packet-in Packet set includes a plurality of different source Packet-in packets, and the destination Packet-in Packet set includes a plurality of different destination Packet-in packets.
Step 104, determining a window entropy value of the current network window according to the source address data packet set and the destination address data packet set, and determining a recognition result of the DDos attack according to the window entropy value and the dynamic entropy threshold value.
In a possible implementation manner, referring to fig. 3, when determining the window entropy value of the current network window in this embodiment, steps 1041 to 1043 may be included.
Step 1041, determining the network state of the current network window by shannon entropy algorithm according to the source address data packet set and the destination address data packet set.
In this embodiment, the source address packet set includes a plurality of different source address packets, and the destination address packet set includes a plurality of different destination address packets. A shannon entropy algorithm is adopted to determine, respectively, a first entropy value of the source address data packets and a second entropy value of the destination address data packets in the current network window according to the following formula (4).
When $H$ is the first entropy value of the source address data packets in the current network window, $n_m$ is the number of occurrences of the $m$-th source address data packet, $M$ is the total number of source address data packets, and $Q$ is the number of source address data packets in the source address data packet set. When $H$ is the second entropy value of the destination address data packets in the current network window, $n_m$ is the number of occurrences of the $m$-th destination address data packet, $M$ is the total number of destination address data packets, and $Q$ is the number of destination address data packets in the destination address data packet set. For convenience of description, the first entropy value is recorded as $H_{so}$ and the second entropy value as $H_{de}$.
According to the first entropy value and the second entropy value, the network state of the current network window is defined as $V(w) = (H_{so}, H_{de})$.
The shannon entropy algorithm measures the randomness of the distribution of the network characteristic quantity defined in the current network and turns that characteristic quantity into a numeric value. At the same time, shannon entropy increases the difference in the distribution of the network characteristic quantity between different network windows, has a good amplifying effect on an abnormal network characteristic quantity, can discover the early small-flow stage of a DDos attack more quickly, and thus improves the real-time performance of attack identification. In this embodiment, the network characteristic quantity is the address data packet.
It should be noted that, as shown in the foregoing embodiment, the source address Packet set includes a source IP Packet set and a source Packet-in Packet set, and the destination address Packet set includes a destination IP Packet set and a destination Packet-in Packet set. The present embodiment may include: and determining the network state of the current network window corresponding to the IP data packet according to the source IP data packet set and the destination IP data packet set. And determining the network state of the current network window corresponding to the Packet-in data Packet according to the source Packet-in data Packet set and the destination Packet-in data Packet set.
Step 1042, determining the network state mean value of the preset number of network windows before the current network window by shannon entropy algorithm according to the historical source address data packet set and the historical destination address data packet set.
In this embodiment, a sub-historical source address packet set and a sub-historical destination address packet set corresponding to each network window of a preset number before the current network window are obtained. Each sub-historical source address data packet set forms a historical source address data packet set, and each sub-historical destination address data packet set forms a historical destination address data packet set. For convenience of description, each network window of the preset number before the current network window is simply referred to as each historical network window. The preset number can be set according to the needs, and each history network window is a normal network window, namely a network window which is not attacked by DDos. The sub-historical source address data packet set comprises a plurality of different historical source address data packets, and the sub-historical destination address data packet set comprises a plurality of different historical destination address data packets.
In this embodiment, for each history network window, a shannon entropy algorithm is used to determine a third entropy value of a corresponding sub-history source address packet and a fourth entropy value of a corresponding sub-history destination address packet in each history network window. The above steps for determining the third entropy values and the fourth entropy values respectively may refer to the specific implementation process and principle in step 1041 in the foregoing embodiment, which are not described herein again.
Optionally, for each history network window, the network state of that history network window is determined according to the third entropy value of the corresponding sub-history source address data packet and the fourth entropy value of the corresponding sub-history destination address data packet; the average of the network states of all the history network windows is then taken and recorded as the network state mean value of the history network windows, namely the network state mean value of the preset number of network windows before the current network window.
The sub-history source address data Packet set includes a sub-history source IP data Packet set and a sub-history source Packet-in data Packet set, and the sub-history destination address data Packet set includes a sub-history destination IP data Packet set and a sub-history destination Packet-in data Packet set. The determining the network status of each historical network window in this embodiment may include: according to the sub-history source IP data packet set and the sub-history destination IP data packet set, determining the network state of each history network window corresponding to the sub-history IP data packet, and further determining the network state average value corresponding to the history IP data packet. According to the sub-history source Packet-in data Packet set and the sub-history destination Packet-in data Packet set, determining the network state of each history network window corresponding to the sub-history Packet-in data Packet, and further determining the network state average value corresponding to the history Packet-in data Packet.
Step 1043, determining an entropy value between the network state and the network state mean value by adopting a Renyi cross entropy algorithm according to the network state and the network state mean value, and taking the determined entropy value as a window entropy value of the current network window.
Illustratively, in the present embodiment, the entropy value between the network state and the network state mean value is determined according to the following equation (5).
Wherein $H_\alpha[\bar{V}(w-1), V(w)]$ is the entropy value between the network state mean value $\bar{V}(w-1)$ and the network state $V(w)$, and $\alpha$ is a preset coefficient with $0 \le \alpha < 1$. The entropy value determined between the network state and the network state mean value is taken as the window entropy value of the current network window.
It should be noted that, as can be seen from the foregoing description, the network state includes a network state corresponding to the IP Packet and a network state corresponding to the Packet-in Packet, and the network state average includes a network state average corresponding to the IP Packet and a network state average corresponding to the Packet-in Packet. And determining the window entropy value of the current network window corresponding to the IP data packet according to the network state corresponding to the IP data packet and the network state average value corresponding to the IP data packet. And determining the window entropy value of the current network window corresponding to the Packet-in data Packet according to the network state corresponding to the Packet-in data Packet and the network state average value corresponding to the Packet-in data Packet.
In the embodiment, based on the shannon entropy algorithm and the Renyi cross entropy algorithm, the recognition result of the DDos attack is determined, so that the early small flow attack of the DDos attack can be discovered more quickly, and the accuracy and the instantaneity of attack recognition are improved.
In one possible implementation manner, the identification result includes the presence of an attack and the absence of an attack, the dynamic entropy value threshold is determined by adopting an RMSprop algorithm, and the embodiment may include steps 1051 to 1053 when determining the identification result of the DDos attack according to the window entropy value and the dynamic entropy value threshold.
Step 1051, determine whether the window entropy is greater than a dynamic entropy threshold.
Step 1052, if the window entropy is greater than the dynamic entropy threshold, determining that the current network window is abnormal, and the identification result is that an attack exists.
Step 1053, if the window entropy is smaller than or equal to the dynamic entropy threshold, determining that the current network window is normal, and the identification result is that no attack exists.
The dynamic entropy threshold comprises a dynamic entropy threshold corresponding to the IP data Packet and a dynamic entropy threshold corresponding to the Packet-in data Packet.
If the window entropy value of the current network window corresponding to the IP data packet is greater than the dynamic entropy value threshold corresponding to the IP data packet, determining that the current network window is abnormal, wherein the identification result is that an attack exists, and the attack type is that the network equipment attacks. If the window entropy value of the current network window corresponding to the Packet-in data Packet is larger than the dynamic entropy value threshold corresponding to the Packet-in data Packet, determining that the current network window is abnormal, wherein the recognition result is that an attack exists, and the attack type is a controller attack.
If the window entropy of the current network window corresponding to the IP data Packet is less than or equal to the dynamic entropy threshold corresponding to the IP data Packet, and the window entropy of the current network window corresponding to the Packet-in data Packet is less than or equal to the dynamic entropy threshold corresponding to the Packet-in data Packet, it is determined that the current network window is normal, and the recognition result is that no attack exists.
Alternatively, as described above, the RMSprop algorithm is used to determine the dynamic entropy threshold in this embodiment. Specifically, the dynamic entropy value threshold is determined according to the following formulas (6) to (9).
Wherein $\theta_w$ is the dynamic entropy threshold, $g_w$ is the Renyi cross entropy change gradient at the current network window, the current network window being taken as the $w$-th network window, $S_w$ is the state variable of the current network window, and $\beta$ is the learning rate, here set to 0.001. To avoid the denominator of equation (6) being 0, a preset parameter $\varepsilon$ is introduced; here the preset parameter is set to $e^{-6}$.
$\gamma S_{w-1} + (1-\gamma)(g_w)^2 \rightarrow S_w$ (7)
Wherein $S_{w-1}$ is the state variable of the network window immediately before the current network window, that is, of the $(w-1)$-th network window; the number of network windows before the current network window, namely the number of historical network windows, is $w-1$. $S_0$ is the gradient accumulation variable, whose value is 0. $g_i$ is the Renyi cross entropy change gradient at the $(w-i)$-th network window preceding the current network window. $\gamma$ is a hyperparameter with $0 \le \gamma \le 1$.
It should be noted that, in one possible implementation manner, when the RMSprop algorithm is used to determine the dynamic entropy threshold, a mini-batch stochastic gradient descent method is used to determine the number of network windows before the current network window. Specifically, the number of network windows preceding the current network window is determined as $1/(1-\gamma)$, rounded to an integer, and $\phi = 1/(1-\gamma)$ is defined.
Alternatively, if $w \le \phi$, $S_w$ is determined according to equation (8) above; if $w > \phi$, $S_w$ is determined according to the following equation (9).
It should be noted that, according to the related data corresponding to the IP data packet, a dynamic entropy threshold corresponding to the IP data packet is determined. And determining a dynamic entropy threshold corresponding to the Packet-in data Packet according to the related data corresponding to the Packet-in data Packet.
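The window-entropy steps 1041 to 1043 and the identification steps 1051 to 1053 above, run over constructed packet records, as an added Python example that is not part of the patent. Formulas (4), (5), (6), (8) and (9) are not reproduced on the page, so the example assumes base-2 Shannon entropy for (4), uses the Renyi divergence of order α between the normalised state vectors as a stand-in for the Renyi cross entropy of (5), uses the standard RMSprop step for (6) with g_w taken as the change of the window entropy between consecutive windows, and applies (7) for every w; the packet addresses, θ_0 and γ are constructed values.

```python
"""Window-entropy DDoS identification on constructed packet records.

Added example, not the patent's code. Stand-ins for formulas the page omits:
(4) Shannon entropy with a base-2 logarithm; (5) Renyi divergence of order
alpha between the normalised state vectors; (6) the standard RMSprop step
theta_w = theta_{w-1} - beta * g_w / sqrt(S_w + eps), with g_w = change of
the window entropy between consecutive windows; (7) as on the page, every w.
"""
from collections import Counter
from math import log, log2, sqrt
from typing import List, Optional, Sequence, Tuple

State = Tuple[float, float]          # V(w) = (H_so, H_de)
Packet = Tuple[str, str]             # (source address, destination address)


def shannon_entropy(addresses: Sequence[str]) -> float:
    """Entropy in bits of one address column of a window: n_m = occurrences
    of the m-th address, M = total packets, Counter holds the Q distinct ones."""
    M = len(addresses)
    if M == 0:
        return 0.0
    return -sum((n / M) * log2(n / M) for n in Counter(addresses).values())


def window_state(packets: Sequence[Packet]) -> State:
    """Step 1041: V(w) = (H_so, H_de) for one network window."""
    return (shannon_entropy([s for s, _ in packets]),
            shannon_entropy([d for _, d in packets]))


def state_mean(history: Sequence[State]) -> State:
    """Step 1042: mean state of the preset number of normal windows."""
    if not history:
        raise ValueError("need at least one historical window")
    n = len(history)
    return (sum(h[0] for h in history) / n, sum(h[1] for h in history) / n)


def renyi_divergence(p: Sequence[float], q: Sequence[float], alpha: float) -> float:
    """D_alpha(P||Q) = ln(sum_i p_i^alpha q_i^(1-alpha)) / (alpha - 1), 0 <= alpha < 1.
    Terms with p_i = 0 are skipped so alpha = 0 never hits 0.0 ** 0.0 == 1.0."""
    if not 0.0 <= alpha < 1.0:
        raise ValueError("alpha must satisfy 0 <= alpha < 1")
    total = sum(pi ** alpha * qi ** (1.0 - alpha) for pi, qi in zip(p, q) if pi > 0)
    if total <= 0.0:
        return float("inf")          # Q carries no mass where P has mass
    return log(total) / (alpha - 1.0)


def normalise(v: State) -> Tuple[float, float]:
    """Stand-in choice: read a state vector as a two-point distribution."""
    s = v[0] + v[1]
    if s <= 0.0:                     # window with one source and one destination
        return (0.5, 0.5)
    return (v[0] / s, v[1] / s)


def window_entropy(state: State, mean: State, alpha: float) -> float:
    """Step 1043: H_alpha[mean(w-1), V(w)] via the stand-in divergence."""
    return renyi_divergence(normalise(mean), normalise(state), alpha)


class RmspropThreshold:
    """Dynamic entropy threshold theta_w; S_0 = 0 and (7) as on the page.
    The page writes epsilon = e^-6; 1e-6 is used here (assumption)."""

    def __init__(self, theta0: float, beta: float = 0.001,
                 gamma: float = 0.9, eps: float = 1e-6) -> None:
        self.theta, self.beta, self.gamma, self.eps = theta0, beta, gamma, eps
        self.S = 0.0
        self.prev: Optional[float] = None

    def update(self, entropy: float) -> float:
        if self.prev is None:                      # first window: no gradient yet
            self.prev = entropy
            return self.theta
        g = entropy - self.prev                    # g_w (assumed definition)
        self.prev = entropy
        self.S = self.gamma * self.S + (1.0 - self.gamma) * g * g      # (7)
        self.theta -= self.beta * g / sqrt(self.S + self.eps)          # (6)
        return self.theta


def identify(windows: Sequence[Sequence[Packet]], history: Sequence[Sequence[Packet]],
             alpha: float = 0.5, theta0: float = 0.2) -> List[Tuple[float, float, str]]:
    """Steps 1051-1053 over successive windows: (entropy, threshold, verdict)."""
    mean = state_mean([window_state(w) for w in history])
    thr = RmspropThreshold(theta0)
    out = []
    for w in windows:
        h = window_entropy(window_state(w), mean, alpha)
        theta = thr.update(h)
        out.append((h, theta, "attack" if h > theta else "normal"))
    return out


# Constructed windows: four sources x two destinations is the normal pattern;
# the flood window has eight spoofed sources all aimed at one destination.
NORMAL = [(f"10.0.0.{s}", f"10.0.1.{d}") for s in range(1, 5) for d in (1, 2)]
FLOOD = [(f"198.51.100.{s}", "10.0.1.1") for s in range(1, 9)]

if __name__ == "__main__":
    for h, theta, verdict in identify([NORMAL, NORMAL, FLOOD], [NORMAL] * 3):
        print(f"entropy={h:.4f} threshold={theta:.4f} -> {verdict}")
```

With the normal history state (2.0, 1.0) and the flood state (3.0, 0.0), the stand-in window entropy of the flood window is ln(1.5) ≈ 0.405, well above the constructed θ_0 of 0.2, while a normal window scores 0.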
In one possible implementation manner, as mentioned before, the identification result includes the presence attack and the absence attack, after determining the identification result of the DDos attack according to the window entropy value and the dynamic entropy value threshold value, the embodiment may further include: if the identification result shows that no attack exists, acquiring a data packet flow value of a detection date according to the abnormal type; and calculating the average value of the data packet flow value of the detection date, taking the calculated average value as a new data packet flow average value, updating a dynamic flow threshold value based on the sum of the new data packet flow average value and the fluctuation value, and only using the updated dynamic flow threshold value for the current date of the detection date.
The fluctuation value is determined according to the historical packet flow value in step 1021 in the foregoing embodiment, and will not be described herein.
In this embodiment, if the detection result is abnormal but the corresponding identification result is that no attack exists, this indicates that the network carried a large volume of legitimate traffic on the detection date, and the dynamic traffic threshold needs to be updated so as to improve the accuracy of DDos attack detection and identification. The detection result should correspond to the identification result; for example, if the detection result is a detection result of a DDos attack on the network device, the identification result should also be an identification result of a DDos attack on the network device.
The DDos attack recognition method provided by the embodiment of the application is used for detecting and recognizing the DDos attack according to the acquired different data packet data aiming at the network equipment and the controller in the target network, and simultaneously setting a dynamic threshold in the detection and recognition process, so that the accuracy and the efficiency of the DDos attack recognition can be improved, the instantaneity of the DDos attack recognition can be improved, and the DDos attack to the network equipment and the controller can be recognized simultaneously.
It should be understood that the sequence number of each step in the foregoing embodiment does not mean that the execution sequence of each process should be determined by the function and the internal logic, and should not limit the implementation process of the embodiment of the present application.
Fig. 4 is a schematic structural diagram of a DDos attack recognition device according to an embodiment of the present application. As shown in fig. 4, the DDos attack recognition device provided in this embodiment may include: a first acquisition module 201, a first determination module 202, a second acquisition module 203, and a second determination module 204.
The first obtaining module 201 is configured to obtain a packet flow value in a target network; the Packet flow value includes an IP Packet flow value of the network device and a Packet-in Packet flow value of the controller.
The first determining module 202 is configured to determine a detection result of the DDos attack according to the packet flow value and the dynamic flow threshold.
And the second obtaining module 203 is configured to obtain, when the detection result is that the detection is abnormal, a source address data packet set and a destination address data packet set in a current network window of the target network according to the detected abnormal type of the DDos attack.
The second determining module 204 is configured to determine a window entropy value of the current network window according to the source address packet set and the destination address packet set, and determine an identification result of the DDos attack according to the window entropy value and the dynamic entropy threshold.
It should be noted that, because the content of information interaction and execution process between the above devices/units is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to in the method embodiment section, and will not be described herein.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 5, the electronic device 300 of this embodiment includes: a processor 310, a memory 320, and a computer program 321 stored in the memory 320 and executable on the processor 310. The steps of any of the various method embodiments described above, such as steps 101 through 104 shown in fig. 1, are implemented when the processor 310 executes the computer program 321. Alternatively, the processor 310, when executing the computer program 321, performs the functions of the modules/units in the above-described apparatus embodiments, for example, the functions of the modules 201 to 204 shown in fig. 4.
By way of example, the computer program 321 may be partitioned into one or more modules/units that are stored in the memory 320 and executed by the processor 310 to complete the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing the specified functions, which instruction segments are used to describe the execution of the computer program 321 in the electronic device 300.
It will be appreciated by those skilled in the art that fig. 5 is merely an example of an electronic device and is not meant to be limiting, and may include more or fewer components than shown, or may combine certain components, or different components, such as input-output devices, network access devices, buses, etc.
The processor 310 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 320 may be an internal storage unit of the electronic device, for example, a hard disk or a memory of the electronic device, or an external storage device of the electronic device, for example, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the electronic device. The memory 320 may also include both internal storage units and external storage devices of the electronic device. The memory 320 is used to store computer programs and other programs and data required by the electronic device. The memory 320 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/electronic device and method may be implemented in other manners. For example, the apparatus/electronic device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present invention may implement all or part of the flow of the method of the above embodiments by a computer program instructing related hardware, where the computer program may be stored in a computer readable storage medium, and when the computer program is executed by a processor, the steps of each of the method embodiments described above may be implemented. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (RAM, Random Access Memory), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.

Claims (10)

1. A DDos attack recognition method, comprising:
acquiring a data packet flow value in a target network; the data Packet flow value comprises an IP data Packet flow value of network equipment and a Packet-in data Packet flow value of a controller;
determining a detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold;
if the detection result is abnormal, acquiring a source address data packet set and a destination address data packet set in a current network window of the target network according to the detected abnormal type of the DDos attack;
and determining a window entropy value of the current network window according to the source address data packet set and the destination address data packet set, and determining a recognition result of the DDos attack according to the window entropy value and a dynamic entropy threshold value.
2. The DDos attack recognition method of claim 1, wherein the anomaly type comprises a network device anomaly or a controller anomaly;
the determining the detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold value comprises the following steps:
determining a dynamic flow threshold according to the historical data packet flow value; the dynamic flow threshold comprises an IP flow threshold and a Packet-in flow threshold;
judging whether the IP data packet flow value is larger than an IP flow threshold value or not;
if the IP data packet flow value is larger than the IP flow threshold value, determining that the detection result is abnormal, wherein the abnormal type is abnormal of network equipment;
judging whether the Packet-in data Packet flow value is larger than a Packet-in flow threshold value or not;
if the Packet-in data Packet flow value is larger than the Packet-in flow threshold, determining that the detection result is abnormal, and determining that the abnormal type is abnormal of the controller.
3. The DDos attack recognition method of claim 2, wherein the determining a dynamic traffic threshold from historical packet traffic values comprises:
determining the attribute of the detection date; wherein the attribute comprises a weekday, weekend, or holiday;
acquiring a corresponding historical data packet flow value in a preset time period before a detection date according to the attribute; the historical data Packet flow value comprises a historical IP data Packet flow value and a historical Packet-in data Packet flow value;
according to the historical IP data packet flow value, an aggregation algorithm and a sliding window algorithm are adopted to determine an IP data packet flow average value and an IP fluctuation value, and the sum of the IP data packet flow average value and the IP fluctuation value is taken as the IP flow threshold;
and according to the historical Packet-in data Packet flow value, determining a Packet-in data Packet flow average value and a Packet-in fluctuation value by adopting an aggregation algorithm and a sliding window algorithm, and taking the sum of the Packet-in data Packet flow average value and the Packet-in fluctuation value as the Packet-in flow threshold.
4. The DDos attack recognition method of claim 1, wherein the source address Packet set comprises a source IP Packet set and a source Packet-in Packet set, the destination address Packet set comprises a destination IP Packet set and a destination Packet-in Packet set, and the anomaly type comprises a network device anomaly or a controller anomaly;
if the detection result is abnormal, acquiring a source address data packet set and a destination address data packet set in a current network window of the target network according to the detected abnormal type of the DDos attack, including:
if the detection result is abnormal and the abnormality type is abnormal of the network equipment, acquiring a source IP data packet set and a destination IP data packet set in a current network window of the target network;
and if the detection result is abnormal and the abnormality type is abnormal of the controller, acquiring a source Packet-in data Packet set and a destination Packet-in data Packet set in a current network window of the target network.
5. The DDos attack recognition method of claim 1, wherein the determining the window entropy value of the current network window from the set of source address packets and the set of destination address packets comprises:
determining the network state of the current network window by adopting a shannon entropy algorithm according to the source address data packet set and the destination address data packet set;
according to the historical source address data packet set and the historical destination address data packet set, determining the network state mean value of a preset number of network windows before the current network window by adopting a shannon entropy algorithm;
and determining an entropy value between the network state and the network state mean value by adopting a Renyi cross entropy algorithm according to the network state and the network state mean value, and taking the determined entropy value as a window entropy value of the current network window.
6. A DDos attack recognition method according to any of claims 1 to 5, characterized in that the recognition result comprises presence and absence of an attack;
the determining the recognition result of the DDos attack according to the window entropy value and the dynamic entropy value threshold value comprises the following steps:
judging whether the window entropy value is larger than the dynamic entropy value threshold value or not; wherein, the dynamic entropy threshold is determined by adopting an RMSprop algorithm;
if the window entropy value is larger than the dynamic entropy value threshold value, determining that the current network window is abnormal, wherein the recognition result is that an attack exists;
and if the window entropy value is smaller than or equal to the dynamic entropy value threshold, determining that the current network window is normal, wherein the identification result is that no attack exists.
7. The DDos attack recognition method of claim 1, wherein the recognition result includes presence and absence of an attack;
after the identification result of the DDos attack is determined according to the window entropy value and the dynamic entropy value threshold value, the method further comprises the following steps:
if the identification result is that no attack exists, acquiring a data packet flow value of a detection date according to the abnormal type;
and carrying out average value calculation on the data packet flow value of the detection date, taking the calculated average value as a new data packet flow average value, and updating the dynamic flow threshold value based on the sum of the new data packet flow average value and a fluctuation value, wherein the fluctuation value is determined according to the historical data packet flow value.
8. A DDos attack recognition device, comprising:
a first acquisition module, configured to acquire a data packet flow value in the target network, the data packet flow value comprising an IP data packet flow value of the network equipment and a Packet-in data packet flow value of the controller;
a first determining module, configured to determine the detection result of the DDos attack according to the data packet flow value and the dynamic flow threshold;
a second acquisition module, configured to acquire, when the detection result is abnormal, a source address data packet set and a destination address data packet set in the current network window of the target network according to the detected abnormal type of the DDos attack;
and a second determining module, configured to determine the window entropy value of the current network window according to the source address data packet set and the destination address data packet set, and to determine the recognition result of the DDos attack according to the window entropy value and the dynamic entropy threshold.
9. An electronic device comprising a memory and a processor, the memory storing a computer program executable on the processor, wherein the processor, when executing the computer program, implements the DDos attack recognition method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the DDos attack recognition method according to any one of claims 1 to 7.
Priority application: CN202310691959.3A, priority date 2023-06-12, filing date 2023-06-12, title "DDos attack recognition method and device, electronic equipment and storage medium", status Pending.

Publication: CN116781338A (en), published 2023-09-19.

Family ID: 87995733

Country status: CN (1), CN116781338A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination