CN109936554A - Detection method and device for distributed denial of service - Google Patents

Detection method and device for distributed denial of service

Info

Publication number: CN109936554A
Authority: CN (China)
Prior art keywords: data, training data, projection, projector space, test data
Legal status: Granted (active)
Application number: CN201711450402.1A
Other languages: Chinese (zh)
Other versions: CN109936554B (en)
Inventors: 陈君, 黄河
Current assignee: Zhengzhou Xinrand Network Technology Co ltd; Institute of Acoustics CAS
Original assignee: Institute of Acoustics CAS; Beijing Intellix Technologies Co Ltd
Priority date: 2017-12-19
Filing date: 2017-12-27
Publication date: 2019-06-25
Application filed by Institute of Acoustics CAS and Beijing Intellix Technologies Co Ltd
Publication of CN109936554A; application granted; publication of CN109936554B

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a detection method and device for distributed denial of service. The method comprises: iteratively projecting training data to determine a first projection space; projecting received test data into the first projection space to obtain the projection of the test data; and determining whether the test data is safe according to the distance, in the first projection space, between the projection of the test data and the training data. The method provided in the embodiments of the present invention consumes few system resources and can effectively help a firewall distinguish, at a faster rate, the data sources that launch a DDoS attack.

Description

Detection method and device for distributed denial of service
Technical field
The present invention relates to the field of network security, and in particular to a detection method and device for distributed denial of service.
Background
Distributed denial of service (DDoS) refers to an attacker using distributed techniques to control multiple computers and launch a denial of service (DoS) attack against one or more victims, so that the victim cannot provide service normally or its system is brought down entirely.
Traditional DDoS attacks exploit vulnerabilities in lower-layer protocols (especially network-layer protocols), sending large numbers of useless packets or forging transmission control protocol (TCP) connections to congest the network or consume host resources. DDoS attacks come in two patterns: bandwidth exhaustion and host-resource exhaustion. Bandwidth exhaustion mainly sends a large number of legitimate HTTP requests to occupy the bandwidth of the target network, so that normal users cannot access the web. The purpose of host-resource exhaustion is to exhaust the host's resources (such as the central processing unit (CPU) and memory): the attacker uses a small number of HTTP requests to make the server return large files (such as images or video files), or makes the server run some complex shell scripts (cryptographic calculations, verification, etc.). This attack does not need a very high rate to rapidly exhaust the host's resources, and is therefore more covert. Both attack patterns are highly concealed, and their surface features are difficult to distinguish from normal user access behaviour.
Summary of the invention
The purpose of the present invention is to overcome the problem in the prior art that, when extracting mathematical features, too many features are retained, causing low efficiency.
To achieve the above object, in one aspect, the present invention provides a detection method for distributed denial of service. The method includes: iteratively projecting training data to determine a first projection space; projecting received test data into the first projection space to determine the projection of the test data; and determining whether the test data is safe according to the distance, in the first projection space, between the projection of the test data and the training data. The method provided in the embodiments of the present invention consumes few system resources and can effectively help a firewall distinguish, at a faster rate, the data sources that launch a DDoS attack.
In an optional implementation, the step of "iteratively projecting the training data to determine the first projection space" may include: projecting the training data by an iterative method of a projection function according to the principle of maximizing relative entropy, obtaining a new projection space. When the new projection space no longer shifts, the new projection space is the first projection space.
In another optional implementation, the "iterative method of the projection function" may include a fixed-point iteration method.
In another optional implementation, the method may include: the number of groups in each set of test data is a fixed value; if more test data is received than the fixed group number, a fixed number of groups of the test data is selected at random.
In another optional implementation, the step of "determining whether the test data is safe according to the distance between the projection of the test data and the training data in the first projection space" may include: determining whether the test data is safe according to a Euclidean distance measure.
In another optional implementation, before the step of "iteratively projecting the training data to determine the first projection space", the method may further include: screening the training data to determine the connection features of the training data; and centering the training data to determine the mathematical features of the centered training data.
In another optional implementation, the "connection features of the training data" may include at least one of the following: transmission control protocol (TCP) connection features and traffic statistics features. The traffic statistics features include host-based network traffic statistics features and time-based network traffic statistics features.
In another optional implementation, the step of "centering the training data to determine the mathematical features of the centered training data" may include: amplifying the training data using a spherization operation.
In another aspect, the present invention provides a detection device for distributed denial of service. The device may include: a computing module, for iteratively projecting training data to determine a first projection space; a projection module, for projecting received test data into the first projection space to determine the projection of the test data; and a processing module, for determining whether the test data is safe according to the distance between the projection of the test data and the training data in the first projection space.
In an optional implementation, the "computing module" may specifically be used to: project the training data by an iterative method of a projection function according to the principle of maximizing relative entropy, obtaining a new projection space; when the new projection space no longer shifts, the new projection space is the first projection space.
In another optional implementation, the "iterative method of the projection function" may include a fixed-point iteration method.
In another optional implementation, the number of groups in each set of test data is a fixed value; if more test data is received than the fixed group number, a fixed number of groups of the test data is selected at random.
In another optional implementation, the "processing module" may specifically be used to: determine whether the test data is safe according to a Euclidean distance measure.
In another optional implementation, the device may further include a selecting module, for screening the training data to determine its connection features, and for centering the training data to determine the mathematical features of the centered training data.
In another optional implementation, the "connection features of the training data" may include at least one of the following: transmission control protocol (TCP) connection features and traffic statistics features. The traffic statistics features include host-based network traffic statistics features and time-based network traffic statistics features.
In another optional implementation, the "selecting module" may specifically be used to: amplify the training data using a spherization operation.
Brief description of the drawings
Fig. 1 is a flowchart of a detection method for distributed denial of service provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of a spherization operation provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of another spherization operation provided in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of a detection device for distributed denial of service provided in an embodiment of the present invention.
Specific embodiments
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flowchart of a detection method for distributed denial of service provided in an embodiment of the present invention. The method requires attack traffic data of a known type as training samples and uses a spherization operation. The method comprises:
As shown in Fig. 1, the method includes S101 to S107:
S101: input training data.
Specifically, the input of the detection function includes one or more of the following: the attack data set used for training, the test data set, and a setting device; the setting device can control the number of projection axes and the form of the iteration function.
For example, when training data is input at the function entry, the amount of training data can be neither too large, which would occupy more storage space and slow down processing, nor too small, which would make the judgement accuracy too low. In the method provided in this embodiment, the number of training data items for each specific type of attack is 5; in other embodiments, the number of training data items allocated to each type of attack may also be another number between 5 and 10.
S102: screen the training data and determine the connection features of the training data.
Specifically, the training data is screened to determine its connection features, the data near the mean is expanded to bring out the corresponding statistical features, and the training data is then added to the iteration queue.
The connection features of the training data include at least one of the following: transmission control protocol (TCP) connection features and traffic statistics features. The traffic statistics features include host-based network traffic statistics features and time-based network traffic statistics features, for example the number of REJ packets received within a specified time.
For example, the screened input data comprise the following four categories, 15 groups in total:
Category 1: basic TCP connection features, which may include: the connection duration, continuous, in seconds; the number of data bytes exchanged between the source host and the destination host, discrete, in seconds.
Category 2: TCP connection content features, which may include: the number of accesses to system-sensitive directories and files, discrete; the ratio of failed or successful logins, continuous; the number of file-creation operations, discrete.
Category 3: time-related traffic statistics features, which may include: in the last 2 seconds, the number of connections to the same destination host as the current connection, continuous; in the last 2 seconds, the number of connections to the same service as the current connection, continuous; among the connections in the last 2 seconds with the same destination or service as the current connection, the percentage of SYN/REJ error connections, continuous; among the connections in the last 2 seconds with the same destination as the current connection, the percentage of connections to the same or a different service, continuous; among the connections in the last 2 seconds with the same service as the current connection, the percentage of connections to the same or a different destination, continuous.
Category 4: destination-host-related traffic statistics features, which may include: among the last 1000 connections, the number of connections with the same destination as the current connection, discrete; among the last 1000 connections, the percentage of connections with the same destination and the same or a different service as the current connection, continuous; among the last 1000 connections, the percentage of connections with the same destination and the same or a different source port as the current connection, continuous; among the last 1000 connections with the same destination as the current connection, the percentage of SYN or REJ error connections, continuous; among the last 1000 connections with the same destination and the same service as the current connection, the percentage of SYN or REJ error connections, continuous.
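An added example, not code from the patent, that computes the category 3 and category 4 traffic statistics above over a constructed stream of connection records; the record layout, the counting of the current connection inside its own window, and the use of the S0 and REJ flags as the page's "SYN/REJ error connections" are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """One connection record (constructed; the field set is an assumption)."""
    t: float        # start time in seconds
    dst: str        # destination host
    service: str    # e.g. "http"
    sport: int      # source port
    flag: str       # "SF" completed, "S0" SYN never answered, "REJ" rejected

ERROR_FLAGS = ("S0", "REJ")   # taken here as the page's "SYN/REJ error connections"

def _rate(conns, pred):
    """Fraction of conns satisfying pred, 0.0 for an empty group."""
    return sum(1 for c in conns if pred(c)) / len(conns) if conns else 0.0

def time_features(history, cur, window=2.0):
    """Category 3: statistics over the connections of the last `window` seconds.
    The current connection is counted inside its own window (assumption)."""
    recent = [c for c in history if 0.0 <= cur.t - c.t <= window]
    same_host = [c for c in recent if c.dst == cur.dst]
    same_srv = [c for c in recent if c.service == cur.service]
    return {
        "count": len(same_host),
        "srv_count": len(same_srv),
        "serror_rate": _rate(same_host, lambda c: c.flag in ERROR_FLAGS),
        "srv_serror_rate": _rate(same_srv, lambda c: c.flag in ERROR_FLAGS),
        "diff_srv_rate": _rate(same_host, lambda c: c.service != cur.service),
        "srv_diff_host_rate": _rate(same_srv, lambda c: c.dst != cur.dst),
    }

def dst_host_features(history, cur, last_n=1000):
    """Category 4: statistics over the last `last_n` connections that share the
    current connection's destination host."""
    same_host = [c for c in history[-last_n:] if c.dst == cur.dst]
    same_srv = [c for c in same_host if c.service == cur.service]
    return {
        "dst_host_count": len(same_host),
        "dst_host_same_srv_rate": _rate(same_host, lambda c: c.service == cur.service),
        "dst_host_same_src_port_rate": _rate(same_host, lambda c: c.sport == cur.sport),
        "dst_host_serror_rate": _rate(same_host, lambda c: c.flag in ERROR_FLAGS),
        "dst_host_srv_serror_rate": _rate(same_srv, lambda c: c.flag in ERROR_FLAGS),
    }

def features_for_stream(conns):
    """Compute both feature groups for every connection, in arrival order."""
    out = []
    for i, cur in enumerate(conns):
        history = conns[: i + 1]          # everything seen so far, cur included
        feats = time_features(history, cur)
        feats.update(dst_host_features(history, cur))
        out.append(feats)
    return out

# Constructed stream: two completed requests, then a burst of half-open
# connections from one source port, the pattern the time-window counters expose.
SAMPLE_STREAM = [
    Conn(0.0, "web", "http", 40001, "SF"),
    Conn(0.5, "web", "http", 40002, "SF"),
    Conn(5.0, "web", "http", 40003, "S0"),
    Conn(5.2, "web", "http", 40003, "S0"),
    Conn(5.4, "web", "http", 40003, "S0"),
    Conn(5.6, "web", "http", 40003, "S0"),
    Conn(5.8, "web", "smtp", 40004, "REJ"),
    Conn(6.0, "web", "http", 40003, "S0"),
]

if __name__ == "__main__":
    for conn, feats in zip(SAMPLE_STREAM, features_for_stream(SAMPLE_STREAM)):
        print(conn.t, feats)
```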
S103: center the training data and determine the mathematical features of the centered training data.
Specifically, the training data is centered and then amplified non-uniformly so as to bring out the mathematical features near its center. The non-uniform amplification can specifically use a spherization operation, for example amplifying the data near the zero value with a spherization operation, which avoids over-sampling the features of the sparse, far-away data and reveals the features of the data crowded near zero. The method provided in the embodiments of the present invention studies the data features near the zero value, so the data must be spherized so that the data close to the mean is expanded and its internal features are shown. The sphere radius of the spherization operation is a moderate value positively correlated with the data variance; in this embodiment the sphere radius is 1, and in other embodiments it may be adjusted according to the size of the variance. Specifically, referring to Fig. 2 and Fig. 3, Fig. 2 shows the data before transformation and Fig. 3 shows the data after the spherization operation.
S104: iteratively project the training data and determine the first projection space.
Specifically, the training data is projected by the iterative method of the projection function according to the principle of maximizing relative entropy, obtaining a new projection space. Projection directions whose measure is too low are ignored, reducing the dimension of the projection space, and it is then judged whether the projection space still shifts. The direction that maximizes relative entropy is the direction in which the mutual information of the data is smallest; in the method of this embodiment, classifying along that direction makes the correlation between the projected data minimal. In other embodiments, the projection axes may take other directions according to different requirements on the degree of correlation.
When the new projection space no longer shifts, the new projection space is the first projection space; when the new projection space shifts again, S104 is repeated until the projection space no longer shifts.
The iterative method of the projection function may include a fixed-point iteration method. Specifically, the fixed-point iteration method is chosen for iterating the projection function. To make the fitting result better, the iteration function must not only be non-linear and convergent, but also resemble the distribution of the original data as far as possible. The iteration function is a function close to the probability distribution characteristics of the data; in this embodiment, after comparing the results obtained with different functions, g(x) = x e^(-x) is chosen; in other embodiments, a function with heavy-tailed properties that performs better may also be selected.
The training data is projected by the iterative method of the projection function according to the principle of maximizing relative entropy; each round judges whether the first projection space can be further shifted and compressed, and this repeated compression continues until the parameters of the first projection space stabilize at a suitable value, at which point the space contains enough data features.
In addition, when selecting the first projection space, the relative entropy between any two directions is made as large as possible, so that interference between any two basis signals is minimal; the dimension of the projection space can also be reduced as far as possible without losing information.
S105: project the received test data into the first projection space and determine the projection of the test data.
Specifically, the number of groups in each set of test data is a fixed value; if more test data is received than the fixed group number, a fixed number of groups of test data is selected at random, to prevent an attacker from forging safe data at specific positions.
S106: determine whether the test data is safe according to the distance between the projection of the test data and the training data in the first projection space.
Specifically, safety is decided according to the distance between the projection of the test data and the training data (which may be called the base vectors) in the first projection space. If there is more than one set of training data, the test vector must be far enough from the hypercube formed by all the training vectors to be counted as safe.
Furthermore, whether the test data is safe can be determined according to a Euclidean distance measure. In the embodiment provided by the invention, the risk of the data is judged using the Euclidean distance in the projection space rather than the size of the angle; this slightly increases the amount of calculation but avoids misjudging an impulse flow in the same direction as safe. A Euclidean distance that is close enough is a distance that distinguishes risky data as far as possible while reducing the false alarm rate. In this embodiment the threshold is set to 1.0500: when the distance is less than the threshold the test data is judged to be safe, and when it is greater than the threshold the test data is judged to be dangerous. In other embodiments the threshold is adjusted according to the specific attack type and network environment.
S107: determine whether there is a new test request.
Specifically, if there is a new test request, return to S105 and repeat until there is no new test request. If there is no new test request, end.
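The S101 to S107 pipeline above, as an added worked example that is not code from the patent or its assignees: a pure-Python toy that centres and spheres five constructed attack records, finds projection axes by fixed-point iteration with the page's g(x) = x e^(-x), and applies the 1.05 Euclidean threshold. It assumes, as S101 and the closing paragraph state, that the training set consists of attack samples, so a test record is flagged as an attack when its projected distance to the nearest training vector is below the threshold; the diagonal sphering, the FastICA-style fixed-point update, the two-axis space and the sample records are assumptions, not the patent's own details.

```python
import math
import random

# Small vector helpers so the example runs without numpy.
def dot(a, b): return sum(x * y for x, y in zip(a, b))
def norm(a): return math.sqrt(dot(a, a))
def axpy(alpha, a, b): return [alpha * x + y for x, y in zip(a, b)]  # alpha*a + b
def g(u): return u * math.exp(-u)             # embodiment's g(x) = x * e^(-x)
def dg(u): return math.exp(-u) * (1.0 - u)    # g'(x) = e^(-x) * (1 - x)

def apply_map(row, mean, scale):
    """Centre a record on the training mean and rescale each axis."""
    return [(x - m) * s for x, m, s in zip(row, mean, scale)]

def center_and_spherize(rows, radius=1.0):
    """S103: centre each feature on its mean, then rescale every axis to the sphere
    radius (1 in the embodiment).  This diagonal sphering is an assumption standing
    in for the page's spherization; returns rows plus (mean, scale) for test data."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    scale = []
    for j in range(d):
        var = sum((r[j] - mean[j]) ** 2 for r in rows) / n
        scale.append(radius / math.sqrt(var) if var > 0 else 1.0)
    return [apply_map(r, mean, scale) for r in rows], mean, scale

def orthonormalize(v, axes):
    """Remove the components of v along the axes already found and scale v to
    unit length; returns None if nothing is left."""
    for a in axes:
        v = axpy(-dot(v, a), a, v)
    nv = norm(v)
    return [x / nv for x in v] if nv > 0 else None

def fixed_point_axes(rows, n_axes, max_iter=200, tol=1e-9, seed=0):
    """S104: find n_axes projection directions by fixed-point iteration.  Each
    round applies the FastICA-style update  w <- E[x g(w.x)] - E[g'(w.x)] w
    (a standard projection-pursuit fixed point; the patent does not spell its
    update out), keeps w orthogonal to the axes already accepted, and accepts
    w once it no longer shifts between rounds."""
    rng = random.Random(seed)
    n, d = len(rows), len(rows[0])
    axes = []
    for _ in range(n_axes):
        w = None
        while w is None:                     # random start, orthogonal to axes
            w = orthonormalize([rng.gauss(0.0, 1.0) for _ in range(d)], axes)
        for _ in range(max_iter):
            proj = [dot(w, r) for r in rows]
            new = [0.0] * d
            for r, p in zip(rows, proj):
                new = axpy(g(p) / n, r, new)
            new = axpy(-sum(dg(p) for p in proj) / n, w, new)
            new = orthonormalize(new, axes)
            if new is None:
                break
            shift = 1.0 - abs(dot(new, w))   # 0 once the direction is stable
            w = new
            if shift < tol:
                break
        axes.append(w)
    return axes

def project(axes, row): return [dot(a, row) for a in axes]

class DDoSDetector:
    """S105-S106: project a record into the first projection space and compare its
    Euclidean distance to the nearest training (attack) vector with the 1.05 threshold."""
    def __init__(self, attack_rows, n_axes=2, threshold=1.05):
        self.rows, self.mean, self.scale = center_and_spherize(attack_rows)
        self.axes = fixed_point_axes(self.rows, n_axes)
        self.base = [project(self.axes, r) for r in self.rows]
        self.threshold = threshold

    def distance(self, row):
        p = project(self.axes, apply_map(row, self.mean, self.scale))
        return min(norm([x - y for x, y in zip(p, b)]) for b in self.base)

    def is_attack(self, row):
        return self.distance(row) < self.threshold

# Constructed sample: five known-attack records (S101 uses 5 per attack type).
# Columns: duration (s), bytes exchanged, same-host connections in the last 2 s,
# SYN/REJ error rate, same-destination connections among the last 1000.
ATTACK_TRAINING = [
    [0.0, 0.0, 511.0, 1.00, 255.0],
    [0.0, 0.0, 498.0, 0.99, 255.0],
    [0.0, 0.0, 505.0, 1.00, 250.0],
    [0.0, 8.0, 480.0, 0.97, 255.0],
    [0.0, 0.0, 510.0, 1.00, 248.0],
]
NORMAL_REQUEST = [12.0, 4500.0, 3.0, 0.0, 20.0]   # constructed benign record

if __name__ == "__main__":
    det = DDoSDetector(ATTACK_TRAINING)
    print(det.distance(ATTACK_TRAINING[0]), det.distance(NORMAL_REQUEST))
```

A record identical to a training sample sits at distance 0 and is flagged; the benign record lands far outside the attack cluster and is passed as safe.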
Fig. 4 is a structural schematic diagram of a detection device for distributed denial of service provided in an embodiment of the present invention. As shown in Fig. 4, the device may include: a computing module 401, for iteratively projecting training data to determine a first projection space; a projection module 402, for projecting received test data into the first projection space to determine the projection of the test data; and a processing module 403, for determining whether the test data is safe according to the distance between the projection of the test data and the training data in the first projection space.
The computing module 401 may specifically be used to project the training data by the iterative method of the projection function according to the principle of maximizing relative entropy, obtaining a new projection space; when the new projection space no longer shifts, the new projection space is the first projection space.
The iterative method of the projection function may include a fixed-point iteration method. The number of groups in each set of test data is a fixed value; if more test data is received than the fixed group number, a fixed number of groups of test data is selected at random.
The processing module 403 may specifically be used to determine whether the test data is safe according to a Euclidean distance measure.
The device may further include a selecting module 404, for screening the training data to determine its connection features, and for centering the training data to determine the mathematical features of the centered training data.
The connection features of the training data may include at least one of the following: transmission control protocol (TCP) connection features and traffic statistics features, where the traffic statistics features include host-based network traffic statistics features and time-based network traffic statistics features.
The selecting module 404 may specifically be used to amplify the training data using a spherization operation.
The method provided in the embodiments of the present invention consumes few system resources and can effectively help a firewall distinguish, at a faster rate, the data sources that launch a DDoS attack. The innovations of the method include: spherization of the data near the mean point, obtaining features by orthogonal projection, and iterative convergence. The method needs a certain number of attack data items as a training set. It first centers them and then, because the data features concentrate at zero, spherizes the data to expand the features of the low-traffic part. Next, according to the principle of maximizing relative entropy, it obtains more features by orthogonal projection, selects an iteration function similar to the features to iterate on the data, and after the iteration stabilizes obtains a new low-dimensional space for the training data; whether test data is risky is determined by its position in that space. The method needs few iterations and runs fast; on the KDD99 attack data set it achieves a correct judgement rate of over 90%, a clear improvement over generic PCA dimensionality reduction.
Those of ordinary skill in the art should further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described generally by function in the description above. Whether these functions are executed in hardware or software depends on the specific application and design constraints of the technical solution. Those of ordinary skill in the art may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to go beyond the scope of this application.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The specific embodiments described above further explain in detail the purpose, technical solution and beneficial effects of the present invention. It should be understood that the above is merely a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (8)

1. A detection method for distributed denial of service, characterized by comprising the following steps:
iteratively projecting training data to determine a first projection space;
projecting received test data into the first projection space to determine the projection of the test data;
determining whether the test data is safe according to the distance, in the first projection space, between the projection of the test data and the training data.
2. The method according to claim 1, characterized in that iteratively projecting the training data to determine the first projection space comprises:
projecting the training data by an iterative method of a projection function according to the principle of maximizing relative entropy, obtaining a new projection space;
when the new projection space no longer shifts, the new projection space is the first projection space.
3. The method according to claim 2, characterized in that the iterative method of the projection function comprises a fixed-point iteration method.
4. The method according to claim 1, characterized in that the number of groups in each set of the test data is a fixed value; if more test data is received than the fixed group number, a fixed number of groups of the test data is selected at random.
5. The method according to claim 1, characterized in that determining whether the test data is safe according to the distance between the projection of the test data and the training data in the first projection space comprises:
determining whether the test data is safe according to a Euclidean distance measure.
6. The method according to claim 1, characterized in that, before the step of iteratively projecting the training data to determine the first projection space, the method further comprises:
screening the training data to determine the connection features of the training data;
centering the training data to determine the mathematical features of the centered training data.
7. The method according to claim 6, characterized in that the connection features of the training data comprise at least one of the following: transmission control protocol (TCP) connection features and traffic statistics features;
wherein the traffic statistics features comprise host-based network traffic statistics features and time-based network traffic statistics features.
8. The method according to claim 6, characterized in that centering the training data to determine the mathematical features of the centered training data comprises:
amplifying the training data using a spherization operation.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2017113762793 2017-12-19
CN201711376279 2017-12-19

Publications (2)

Publication Number Publication Date
CN109936554A true CN109936554A (en) 2019-06-25
CN109936554B CN109936554B (en) 2021-04-20

Family

ID=66984338

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711450402.1A Active CN109936554B (en) 2017-12-19 2017-12-27 Detection method and device for distributed denial of service

Country Status (1)

Country Link
CN (1) CN109936554B (en)

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
  Effective date of registration: 20210818
  Address after: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
  Patentee after: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES
  Address before: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
  Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES
  Patentee before: BEIJING INTELLIX TECHNOLOGIES Co.,Ltd.
TR01 Transfer of patent right
  Effective date of registration: 20210818
  Address after: Room 1601, 16th floor, East Tower, Ximei building, No. 6, Changchun Road, high tech Industrial Development Zone, Zhengzhou, Henan 450001
  Patentee after: Zhengzhou xinrand Network Technology Co.,Ltd.
  Address before: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
  Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES