Abstract
To detect the new highly distributed, low-rate QoS violations driven by LDoS attacks and to guarantee high network QoS, a novel recognition scheme is proposed that considers multiple network features at both the micro and macro levels. At the micro level, a weighted sum of the FLAG control bits is used to describe internal micro-changes in the TCP packet header, and the power spectral density (PSD) of the I-I-P triple is calculated to reflect the inherent periodicity of LDoS attacks. At the macro level, the R feature is introduced to mark changes in the ratio of sent_flow to received_flow. Together these features constitute multi-dimensional observation sequences, and a multi-stream fused hidden Markov model (MF-HMM) is applied to automatically recognize QoS violations. In addition, the Kaufman algorithm is used to dynamically adjust and update the threshold value. Extensive experiments show that the approach effectively reduces the false-positive and false-negative rates of recognition, and that it achieves an especially high recognition rate for the new highly distributed, low-rate QoS violations driven by LDoS, even under complex background network traffic.
Source
Journal of Sichuan University (Engineering Science Edition)
EI
CAS
CSCD
PKU Core
2015, No. 1, pp. 42-48 (7 pages)
Funding
National Natural Science Foundation of China (60703023, 61170265)
Jilin Province Science and Technology Development Plan (20090110)