CN117411726B - DDoS attack and cloud WAF defense method based on neural network - Google Patents


Info

Publication number
CN117411726B
CN117411726B (application CN202311707132.3A)
Authority
CN
China
Prior art keywords
information
matrix
value
data
attack
Legal status
Active
Application number
CN202311707132.3A
Other languages
Chinese (zh)
Other versions
CN117411726A (en)
Inventor
武盛
张宇
庄磊
Current Assignee
Tianjin Yiren Technology Development Co ltd
Original Assignee
Tianjin Yiren Technology Development Co ltd
Priority date
2023-12-13
Filing date
2023-12-13
Events
Application filed by Tianjin Yiren Technology Development Co ltd
Priority to CN202311707132.3A
Publication of CN117411726A
Application granted
Publication of CN117411726B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0499 Feedforward networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a DDoS attack and cloud WAF defense method based on a neural network, relating to the technical field of DDoS attack and cloud WAF defense. The method captures traffic at a network outlet and collects information flow data; preprocesses the acquired information flow data and extracts information values from it; establishes a BP neural network and inputs the information values into it for compression processing; forms the compressed information values into an information matrix X and processes X to obtain a front feature matrix U*; judges from U* whether a DDoS attack is occurring; and filters the data packets of the attacking host to defend against the DDoS attack.

Description

DDoS attack and cloud WAF defense method based on neural network
Technical Field
The invention relates to the technical field of DDoS attack resistance and cloud WAF defense, in particular to a neural network-based DDoS attack resistance and cloud WAF defense method.
Background
DDoS is an attack that aims to exhaust the bandwidth or application resources of the attacked host so that legitimate users cannot access the service. Such attacks are easy to launch, hard to guard against, and to some degree concealed. Once the real source of a DDoS attack has been traced, the attack can be defended against effectively. In a traditional network environment, a common way to defend against DDoS attacks is to implement traffic filtering and rate limiting by installing specific modules on routers, but the drawback of this approach is that unified management is hard to achieve: the network is not considered as a whole when the DDoS defense is implemented, so unified protection measures and real-time response cannot be realized.
Most security vulnerabilities arise from weaknesses in the WAF itself. In a WAF-hardened server architecture, if access is simply denied once abnormal traffic is detected, an attacker will keep probing for rules that let traffic pass the WAF.
Responses to network attacks fall into two main categories by timing. The first responds immediately once the attack is detected, for example by migrating functions away from the victim host, filtering the corresponding attack traffic, or closing the affected ports. The second traces the attack to its source, locates the attacker's real position, stops the attack from recurring at its origin, and collects evidence of the network attack incident. The former can respond quickly to attacks present in the network but poses no threat to the attacker, who may become more rampant and launch further attacks; the latter finds a real way to defend against the attack source through network tracing, so that attack behaviour can be quickly stopped at its origin, and the collected evidence lets the attacker be punished through legal means. Attack tracing therefore plays a role in network security: on one hand, the real position of the attack source can be located and defense strategies adopted at the source in time to minimize the harm to the network; on the other hand, the basis for legal punishment of the attacker can be collected, which has a certain deterrent effect.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a DDoS attack and cloud WAF defense method based on a neural network, comprising the following steps:
S1, capturing traffic at an outlet of the network and collecting information flow data;
S2, preprocessing the acquired information flow data and extracting information values from it;
S3, establishing a BP neural network and inputting the information values into it for compression processing;
S4, forming the compressed information values into an information matrix X and processing X to obtain a front feature matrix U*;
S5, judging from the front feature matrix U* whether a DDoS attack occurs;
S6, filtering the data packets of the attacking host to defend against the DDoS attack.
Further, in step S3, the importance index F of the data is:
wherein N is the number of information values, F_i is the score of the i-th information value, and p_i is the probability of attack brought by the i-th information value;
a sensitivity threshold F_th is set, and data whose importance index F is below F_th is regarded as an attack feature and enters the compressed queue.
Further, the score F_i of the i-th information value is:
wherein p_i is the probability of attack brought by the i-th information value r_i;
H_S is the source address information entropy and H_D is the destination port information entropy.
Further, in step S5, for the pre-computed front feature matrix U*, the absolute value D_I of the difference between the average value d_I of the I-th row eigenvector and the average value d_{I+1} of the (I+1)-th row is calculated; an abrupt change in D_I indicates that a DDoS attack occurs.
Further, in step S6, let the information stream data sequence to be mapped to the filtering space be T, the mapping variable be s_j and the penalty coefficient be P; the filtering function is then:
where TC_j is the j-th information stream data in the sequence T, Q is the total number of information stream data in T, w_j is the mapping distance of the information stream data to the filtering space, and the result is the filtered information flow data.
Further, in step S4, M information values are formed into an information matrix X, in which the rows represent the M eigenvectors of each receiving period and the columns represent the period serial numbers;
each column of X is averaged in turn and the results are put into a row vector [m]; the row vector [m] is subtracted from each row of X and the results are put into a new matrix n_a; covariance is computed over the columns of n_a to obtain the eigenvalues e_J, from which a feature matrix U is formed; the eigenvalues e_J are sorted from largest to smallest and summed:
when the sum of the first k eigenvalues exceeds a threshold value, those k eigenvalues form the front feature matrix U*.
Further, in step S2, encryption information data is inserted into the information stream data sequence T = {TC_1, …, TC_h, …, TC_n}; the h-th information stream data in the sequence is TC_h = {label_h, hash_h}, where label_h is the label value corresponding to the h-th information stream data in the flow table and hash_h is the encrypted data; the information stream data sequence is normalized, and if the label values are not identical at input time, the information values are extracted from hash_h of the information stream data: the source address information entropy H_S and the destination port information entropy H_D.
Compared with the prior art, the invention has the following beneficial technical effects:
Traffic is captured at the outlet of the network and information flow data is collected; the collected information flow data is preprocessed and information values are extracted from it; a BP neural network is established and the information values are input into it for compression processing; the compressed information values form an information matrix X, which is processed to obtain a front feature matrix U*; whether a DDoS attack occurs is judged from U*; and the data packets of the attacking host are filtered to defend against the DDoS attack.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is a flowchart of a method for defending against DDoS attack and cloud WAF based on a neural network according to the present invention;
fig. 2 is a schematic diagram showing the filtering effect of different information flow data volumes at different filtering times.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the drawings of the specific embodiments, in order to describe the working principle of each element of the system more clearly, the connection relationships between the parts of the device are shown; they only distinguish the relative positions of the elements and should not be read as limiting the signal transmission direction, the connection order, or the size, dimensions and shape of any part.
IP-based attacks. When IP packets are delivered over a network they are divided into smaller fragments, which are reassembled after reaching the destination. A DDoS attack on the server exploits overlapping fragments during reassembly, which can crash the server kernel.
TCP-based attacks. A SYN Flood denial-of-service attack exploits the three-way handshake of the TCP protocol. In the three-way handshake of a TCP connection, if a client crashes or drops offline right after sending its SYN, the server never receives the client's ACK after sending its SYN+ACK; in this case the server retries, sends SYN+ACK again, and only discards the incomplete connection after waiting for a period of time, so the server spends a very large amount of resources maintaining a very large half-open connection list.
Application-layer attacks imitate the interaction between a user and the Web application, which makes them harder to judge. The WAF has more efficient means of handling DDoS attacks here: it analyzes HTTP traffic in detail, models normal access requests, and uses the models to distinguish normal requests from requests triggered by an attacker using a bot or a script.
As shown in fig. 1, the flow chart of the DDoS attack and cloud WAF defense method based on the neural network of the invention comprises the following steps:
s1, capturing traffic at an outlet of a network and collecting information flow data.
The flow table information flow data comprises normal flow data and abnormal flow data. The flow data is generated in real time by a Python script: normal training samples are generated by a source host performing normal network access, and a DDoS attack is chosen to generate the abnormal flow.
The controller periodically sends a flow table request instruction to the OpenFlow switch, which receives the request and replies. After the flow table entries in the switch have executed the command, the redirected file is read to collect the flow table.
S2, preprocessing the acquired information flow data and extracting information values from it.
The acquired information flow data is preprocessed: the traffic is converged by aggregation and diversion, and problem information flow data is removed from it, where problem data comprises retransmissions caused by network delay, failed requests caused by server errors, and other damaged or non-human information flow data.
Then, according to whether the remaining information stream data uses an encryption protocol, encryption information data is inserted into the information stream data sequence T = {TC_1, …, TC_h, …, TC_n}; the h-th information stream data in the sequence is TC_h = {label_h, hash_h}, where label_h is the label value corresponding to the h-th information stream data in the flow table and hash_h is the encrypted data; the information stream data sequence is normalized, and if the label values are not identical at input time, the information values are extracted from hash_h: the source address information entropy H_S and the destination port information entropy H_D.
S3, establishing a BP neural network, and inputting the information value into the BP neural network for compression information processing.
The information values in the information flow data acquired in step S2 are collected to generate learning data comprising a set of information values. The BP neural network is trained with the learning data and performs a compressed expression of the information value set, compressing M information values into M/4 compressed information values.
The score F_i of the i-th information value is:
wherein p_i is the probability of attack brought by the i-th information value and r_i is the information value;
H_S is the source address information entropy and H_D is the destination port information entropy.
The importance index F of the data is:
wherein N is the number of information values and p_i is the probability of an attack occurring.
The importance index F characterizes the attack sensitivity of an information value. A sensitivity threshold F_th is set; compressed information whose importance index F is below F_th is regarded as an attack feature, is an easy target for attack injection by an attacker, and enters the compressed queue, which holds M compressed information values.
The BP neural network comprises a number of convolutional layers, an advanced encoder and an attention mechanism layer. The convolution kernel length of the first convolutional layer is 1 for the clock-cycle step of the application curve set; the other convolutional layers have kernel length 3 and stride 1; the pooling layers use max pooling with pooling length 2 and stride 2.
The number of channels doubles after each pooling layer.
The advanced encoder traverses the output of every pooled convolutional layer in both the forward and the reverse direction and combines the convolutional layers in different ways (along the time dimension or the data channel dimension) according to the complexity of the side-channel information. The encoder has 128 or 256 units, its activation function is tanh and its recurrent activation function is sigmoid.
The two encoding networks with different directions each have an independent attention mechanism, so the attention is directional; the two attention mechanisms cooperate to determine the main interval of side-channel information leakage, which reduces the sequence length to be learned in actual training.
The attention mechanism layer acts directly on the output of the advanced encoder. A single-neuron network structure judges the importance of each piece of data against a unified standard, its output is fed into a softmax activation function, and the result is the importance index F of the data. A sensitivity threshold F_th is set; compressed information whose importance index F is below F_th is regarded as an attack feature, is an easy target for attack injection by an attacker, and enters the compressed queue, which holds M compressed information values.
S4, forming the compressed information values into an information matrix X and processing X to obtain a front feature matrix U*.
The M information values are formed into an information matrix X, in which the rows represent the M eigenvectors of each receiving period and the columns represent the period serial numbers.
Each column of X is averaged in turn and the results are put into a row vector [m]; the row vector [m] is subtracted from each row of X and the results are put into a new matrix n_a; covariance is computed over the columns of n_a to obtain the eigenvalues e_J, from which a feature matrix U is formed; the eigenvalues e_J are sorted from largest to smallest and summed:
when the sum of the first k eigenvalues exceeds a threshold value, those k eigenvalues form the front feature matrix U*.
S5, judging from the front feature matrix U* whether a DDoS attack occurs.
For the pre-computed front feature matrix U*, the absolute value of the difference between the average value of the I-th row eigenvector and that of the (I+1)-th row is calculated: d_I denotes the average value of the I-th row eigenvector, d_{I+1} the average value of the (I+1)-th row eigenvector, and D_I the absolute value of the difference between the two averages.
In the normal state the absolute difference between the averages of each row and the next is very small, and the sequence formed by the row averages d_I is stable, i.e. the absolute difference between consecutive row averages is essentially constant.
When a DDoS attack occurs, the huge number and wide distribution of attacking hosts cause a large change in the average values d_I, and hence a large change in the absolute difference D_I between the averages of each row and the next.
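As an added illustration (not code from the patent), the following Python carries steps S2, S4 and S5 through on constructed flow records: per-period H_S and H_D, the column-centred covariance with its eigenvalues sorted descending and the first k kept once their sum passes a threshold, and the row-mean differences D_I whose jump flags the attack. The BP-network compression of S3 is skipped, the threshold is taken as an assumed fraction of the total variance, the warm-up/factor rule for calling a jump abrupt is an assumption, and a small Jacobi eigen-solver stands in for numpy so the block runs offline.

```python
"""Added example, not from the patent: steps S2, S4 and S5 with stdlib-only code.
The flow records, period layout, energy fraction for choosing k and the
warm-up/factor mutation rule are all assumptions made for this illustration."""
import math
from collections import Counter


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_features(flows):
    """S2: one receiving period -> [H_S, H_D] from (source address, destination port) pairs."""
    return [entropy([src for src, _ in flows]), entropy([dport for _, dport in flows])]


def center(X):
    """S4: the column means form the row vector [m]; each row minus [m] gives the matrix n_a."""
    cols = len(X[0])
    m = [sum(row[j] for row in X) / len(X) for j in range(cols)]
    return [[row[j] - m[j] for j in range(cols)] for row in X]


def covariance(Xc):
    """Sample covariance over the columns of the centered matrix n_a (rows are periods)."""
    n, p = len(Xc), len(Xc[0])
    return [[sum(Xc[i][a] * Xc[i][b] for i in range(n)) / (n - 1)
             for b in range(p)] for a in range(p)]


def jacobi_eig(A, sweeps=50, tol=1e-14):
    """Eigenvalues and eigenvectors of a symmetric matrix by cyclic Jacobi rotations
    (a small stand-in for numpy.linalg.eigh so the block needs no third-party code)."""
    n = len(A)
    A = [row[:] for row in A]
    V = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-300:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                      # A <- A J   (columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A (rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                      # V <- V J   (accumulate eigenvectors)
                    vkp, vkq = V[k][p], V[k][q]
                    V[k][p], V[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [A[i][i] for i in range(n)], [[V[k][i] for k in range(n)] for i in range(n)]


def leading_features(X, energy=0.9):
    """S4: sort the eigenvalues e_J descending and keep the first k whose running sum
    exceeds the threshold (assumed here as `energy` x total variance) -> U*.
    Returns k and every period projected onto U* (the rows of the reduced data)."""
    Xc = center(X)
    vals, vecs = jacobi_eig(covariance(Xc))
    order = sorted(range(len(vals)), key=lambda i: -vals[i])
    threshold, acc, k = energy * sum(vals), 0.0, 0
    for i in order:
        acc, k = acc + vals[i], k + 1
        if acc > threshold:
            break
    U_star = [vecs[i] for i in order[:k]]
    return k, [[sum(x * u for x, u in zip(row, vec)) for vec in U_star] for row in Xc]


def detect_mutation(proj, warmup, factor=3.0):
    """S5: d_I = mean of period I's projected vector, D_I = |d_I - d_{I+1}|.
    The first `warmup` D values are taken as attack-free; a later D_I above
    `factor` x their maximum is the abrupt change that signals the attack (assumed rule)."""
    d = [sum(row) / len(row) for row in proj]
    D = [abs(d[i] - d[i + 1]) for i in range(len(d) - 1)]
    limit = factor * max(max(D[:warmup]), 1e-9)
    return D, [i + 1 for i in range(warmup, len(D)) if D[i] > limit]


def run_demo():
    """Constructed traffic: 6 normal periods (8 clients, ports 80/443 balanced),
    then 3 flood periods (64 distinct sources, every flow to port 80)."""
    periods = []
    for t in range(6):
        flows = []
        for i in range(8):
            flows += [("10.0.0.%d" % i, 80 if i % 2 == 0 else 443)] * (3 + (i + t) % 3)
        periods.append(flows)
    for _ in range(3):
        periods.append([("198.51.100.%d" % i, 80) for i in range(64)])
    X = [window_features(p) for p in periods]        # information matrix X (9 periods x 2)
    k, proj = leading_features(X)
    D, flagged = detect_mutation(proj, warmup=5)
    return k, D, flagged                              # flagged == [6]: the first flood period


if __name__ == "__main__":
    print(run_demo())
```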
S6, filtering the data packets of the attacking host to defend against the DDoS attack.
After the switch and port connected to the attacking host have been traced, the controller issues a message that dynamically modifies the flow table entries on that switch, so that the data packets on the switch port connected to the attacking host are filtered. The DDoS attack is thus defended against at its source, and the defense does not affect communication among the other devices in the network.
When the absolute difference D_I of the average values changes abruptly, the information flow data TC_j is mapped to a filtering space, and a filtering model is established in that space.
Let the information stream data sequence to be mapped to the filtering space be T, the mapping variable be s_j and the penalty coefficient be P; the filtering function is then:
where TC_j is the j-th information stream data in the sequence T, Q is the total number of information stream data in T, w_j is the mapping distance of the information stream data to the filtering space, and the result is the filtered information flow data.
Fig. 2 shows the filtering effect for different amounts of information flow data at different filtering times; the dotted line and the solid line represent the two different data amounts.
The mapping variable s_j and the penalty coefficient P are adjusted separately during attack information filtering, damaged information filtering and redundant information filtering, so that data separation and filtering are more effective.
A filtering precision index is adopted to measure the filtering effect on the information flow data and to express the filtering capability.
The accuracy J_1 of filtering the information stream data once is defined as:
The accuracy J_k of filtering the information stream data k times is defined as:
wherein TC_j represents the j-th input information stream data to be filtered, and the remaining terms represent the once-filtered, the k-times-filtered and the (k-1)-times-filtered information stream data, respectively.
The WAF can monitor and filter out traffic that might otherwise expose the application to DDoS attacks. A WAF detects suspicious accesses before HTTP traffic reaches the application server, and it also prevents some unauthorized data from being obtained from the Web application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product, which includes one or more computer instructions; when these are loaded and executed on a computer, they produce, in whole or in part, the flow or functions of the embodiments of the present application. The computer may be a general-purpose computer, a special-purpose computer, a computer network or other programmable apparatus. The computer instructions may be stored in or transmitted across a computer-readable storage medium, which may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The usable medium may be a magnetic medium (e.g. a floppy disk, hard disk or magnetic tape), an optical medium (e.g. a DVD) or a semiconductor medium (e.g. a solid state disk, SSD).
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (3)

1. The DDoS attack and cloud WAF defense method based on the neural network is characterized by comprising the following steps:
s1, capturing traffic at an outlet of a network, and collecting information flow data;
s2, preprocessing the acquired information flow data, and extracting information values from the information flow data;
in the information stream data sequence t= { TC 1 ,…,TC h ,…,TC n Inserting encryption information data, the h information stream data in the information stream data sequence is TC h ={label h ,hash h },label h The label value corresponding to the h information stream data in the stream table is represented, and the encrypted data is hash h The method comprises the steps of carrying out a first treatment on the surface of the Normalizing the information stream data sequence, and extracting hash from the information stream data if the tag values are not identical during input h Information value of (a): source address information entropy H S Destination port information entropy H D
S3, establishing a BP neural network, and inputting the information value into the BP neural network for compression information processing;
s4, forming the compressed information values into an information matrix X for informationData processing is carried out on the matrix X to obtain a front characteristic matrix U *
Forming an information matrix X by M compressed information values, wherein rows in the information matrix X represent M eigenvectors of each receiving period, and represent period serial numbers;
each column of the information matrix X is averaged in a cyclic manner, and the result is put into a row vector [ m ]]The method comprises the steps of carrying out a first treatment on the surface of the With each row of the matrix and a row vector m]Making difference, and putting the result into a new matrix n a In (a) and (b); for a new matrix n a Covariance calculation is carried out on each column of the number to obtain a characteristic value e J From the characteristic value e J Forming a feature matrix U; the characteristic value e J Sorting from big to small, for the characteristic value e J And (3) summing:
the method comprises the steps of carrying out a first treatment on the surface of the When the sum of the k characteristic values exceeds a threshold value, the k characteristic values form a front characteristic matrix U *
S5, according to the front characteristic matrix U * Judging whether DDoS attack occurs or not;
before-calculation feature matrix U * Average value d of I-th line eigenvector I And the average d of the I th row and the I+1 th row I+1 Absolute value D of difference of (2) I When the absolute value D of the difference I Mutation indicates that DDoS attack occurs;
S6, filtering the data packets of the attacking host to realize DDoS attack defense;
letting the information stream data sequence to be mapped to the filtering space be T, the mapping variable be s_j and the penalty coefficient be P, the filtering function is:
where TC_j is the j-th information stream data in the information stream data sequence T, Q is the total number of information stream data in the information stream data sequence T, w_j is the mapping distance of the information stream data to the filtering space, and the result is the filtered information stream data.
2. The DDoS attack and cloud WAF defense method according to claim 1, wherein in step S3 the importance index F of the data is:
where N is the number of information values, F_i is the score of the i-th information value and p_i represents the attack probability brought by the i-th information value; a sensitivity threshold F_th is set, and data whose importance index F is below the sensitivity threshold F_th is regarded as an attack feature and placed in the compression queue.
3. The neural-network-based DDoS attack and cloud WAF defense method according to claim 2, wherein the score F_i of the i-th information value is:
where p_i represents the attack probability brought by the i-th information value r_i;
H_S is the source address information entropy and H_D is the destination port information entropy.
CN202311707132.3A 2023-12-13 2023-12-13 DDoS attack and cloud WAF defense method based on neural network Active CN117411726B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311707132.3A CN117411726B (en) 2023-12-13 2023-12-13 DDoS attack and cloud WAF defense method based on neural network

Publications (2)

Publication Number Publication Date
CN117411726A CN117411726A (en) 2024-01-16
CN117411726B true CN117411726B (en) 2024-03-12

Family

ID=89496539

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311707132.3A Active CN117411726B (en) 2023-12-13 2023-12-13 DDoS attack and cloud WAF defense method based on neural network

Country Status (1)

Country Link
CN (1) CN117411726B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483512A (en) * 2017-10-11 2017-12-15 Anhui University SDN controller DDoS detection and defense method based on temporal characteristics
CN108123931A (en) * 2017-11-29 2018-06-05 Zhejiang Gongshang University DDoS attack defense device and method in a software defined network
WO2021088372A1 (en) * 2019-11-04 2021-05-14 Chongqing University of Posts and Telecommunications Neural network-based DDoS detection method and system in SDN network
WO2023103231A1 (en) * 2021-12-07 2023-06-15 Soochow University Low-rate DDoS attack detection method and system, and related device
CN116668051A (en) * 2022-02-22 2023-08-29 Tencent Technology (Shenzhen) Co., Ltd. Alarm information processing method, device, program, electronic device and medium for attack behavior
CN116827690A (en) * 2023-08-29 2023-09-29 Tianjin Yiren Technology Development Co., Ltd. DDoS attack and cloud WAF defense method based on distribution type

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Application of neural networks and IP marking in DDoS attack defense; Tang Lin; Tang Zhide; Ma Chao; Computer Simulation; 2008-02-15 (No. 02); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant