Abstract
Existing application-layer DDoS (App-DDoS) detection methods based on traffic features concentrate on persistent App-DDoS attacks and neglect ramp-up and pulsing App-DDoS attacks. To address this, a method for comprehensively detecting multiple types of App-DDoS attacks is proposed. First, a hash function with open addressing for collision resolution is used to index the distinct source IP addresses seen in multiple time windows, enabling fast counting of HTTP GET requests and thereby supporting real-time computation of the feature parameters that characterize data scale, traffic trend and differences in source IP address distribution. Then SVM classifiers are combined in a partial binary tree structure to train the feature parameters hierarchically and, together with tree traversal and feedback learning, an App-DDoS detection method based on a partial-binary-tree SVM multi-class algorithm is proposed that quickly distinguishes non-burst normal traffic, burst normal traffic and the several types of App-DDoS traffic. Experiments show that, by subdividing the detection types and training the detection model layer by layer, the proposed algorithm achieves a higher detection rate and a lower false-positive rate than conventional SVM- and Naive Bayes-based methods, and can effectively identify the specific attack type.
Existing flow-based App-DDoS detection methods overlook the detection of ramp-up and pulsing application layer DDoS (App-DDoS) attacks; an effective detection method for multi-type App-DDoS was therefore proposed. Firstly, in order to count the number of HTTP GET requests per user quickly and thus support the calculation of the feature parameters used by the detection method, indexes of source IP addresses over multiple time windows were constructed with a hash function. Then the feature parameters were trained hierarchically by combining SVM classifiers in a partial binary tree structure, and the App-DDoS detection method was proposed using binary-tree traversal and feedback learning to distinguish non-burst normal flow, burst normal flow and multi-type App-DDoS flows. The experimental results show that, compared with the conventional SVM-based and naive-Bayes-based detection methods, the proposed method has better detection performance and can distinguish specific App-DDoS types by subdividing attack types and training the detection model layer by layer.
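As an added illustration (not code from the paper), the Python sketch below implements the front end the abstract describes: a per-source-IP HTTP GET counter kept over several time windows, and three feature parameters standing in for data scale, flow trend and source-IP distribution difference, evaluated on constructed steady, ramp-up and pulsing traffic. The concrete feature definitions, the dict in place of the paper's open-addressing hash index, and the traffic shapes are all assumptions, since the page gives none of them.

```python
from collections import defaultdict, deque


class MultiWindowGetCounter:
    """Per-source-IP HTTP GET counts over the last n_windows fixed time windows. A dict
    stands in for the paper's open-addressing hash index (its layout is an assumption)."""
    def __init__(self, window_size, n_windows):
        self.window_size, self.window_start = window_size, 0.0
        self.windows = deque(maxlen=n_windows)   # closed windows: {src_ip: get_count}
        self.current = defaultdict(int)          # window being filled
    def close_window(self):
        self.windows.append(dict(self.current))
        self.current, self.window_start = defaultdict(int), self.window_start + self.window_size
    def add(self, ts, src_ip, method):
        while ts >= self.window_start + self.window_size:  # roll over elapsed windows
            self.close_window()
        if method == "GET":                                  # only GETs are counted
            self.current[src_ip] += 1
    def features(self):
        """Assumed features over closed windows: scale = GETs in the newest window, trend =
        scale / mean GETs of older windows, ip_diff = Jaccard distance of source-IP sets."""
        wins = list(self.windows) or [{}]
        scale = float(sum(wins[-1].values()))
        older = [sum(w.values()) for w in wins[:-1]]
        trend = scale / max(sum(older) / len(older), 1.0) if older else 1.0
        a, b = set(wins[-1]), (set(wins[-2]) if older else set())
        ip_diff = 1.0 - len(a & b) / len(a | b) if older and (a | b) else 0.0
        return {"scale": scale, "trend": trend, "ip_diff": ip_diff}

def constructed_traffic(shape, n_win=6, win=10.0):
    """Constructed (timestamp, src_ip, method) records per window: 'steady' is flat normal
    flow, 'ramp' grows GET rate and client pool every window, 'pulse' alternates bursts."""
    per_window = []
    for k in range(n_win):
        if shape == "ramp":
            ips, gets = [f"10.1.0.{i}" for i in range(5 * (k + 1))], 2 * (k + 1)
        elif shape == "pulse" and k % 2:  # burst window from a fresh set of sources
            ips, gets = [f"10.2.{k}.{i}" for i in range(40)], 10
        else:  # steady flow, also the quiet windows of 'pulse'
            ips, gets = [f"10.0.0.{i}" for i in range(5)], 4
        per_window.append([(k * win + j * win / gets, ip, "GET") for ip in ips for j in range(gets)])
    return per_window

def feature_series(shape):  # feed one window at a time, record features after each
    counter, series = MultiWindowGetCounter(window_size=10.0, n_windows=4), []
    for reqs in constructed_traffic(shape):
        for req in sorted(reqs):
            counter.add(*req)
        counter.close_window()
        series.append(counter.features())
    return series
```

On this constructed traffic, scale alone cannot separate an early ramp-up window from steady flow, nor a quiet pulsing window from normal flow; trend and ip_diff carry that distinction, which is the kind of feature a multi-class classifier would be trained on.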
Authors
张斌
刘自豪
董书琴
李立勋
ZHANG Bin1,2, LIU Zihao1,2, DONG Shuqin1,2, LI Lixun1,2 (1. Information and Engineering University, Zhengzhou 450001, China; 2. Key Laboratory of Information Security, Zhengzhou 450001, China)
Source
《网络与信息安全学报》
2018, No. 3, pp. 24-34 (11 pages)
Chinese Journal of Network and Information Security
Funding
Henan Province Basic and Frontier Technology Research Program (No.2014302903)
Open Fund of the Key Laboratory of Information Assurance Technology (No.KJ-15-109)
Information Engineering University Emerging Research Direction Cultivation Fund (No.2016604703)