CN110650145A - Low-rate denial of service attack detection method based on SA-DBSCAN algorithm - Google Patents

Low-rate denial of service attack detection method based on SA-DBSCAN algorithm

Info

Publication number: CN110650145A
Authority: CN (China)
Prior art keywords: data, clustering, low, service attack, data unit
Legal status: Pending
Application number: CN201910920919.5A
Other languages: Chinese (zh)
Inventors: 汤澹, 张斯琦, 代锐, 吴佳宸, 严裕东, 陈静文, 唐柳
Current assignee: Hunan University
Original assignee: Hunan University
Priority date: 2019-09-26
Filing date: 2019-09-26
Publication date: 2020-01-03
Application filed by Hunan University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a low-rate denial of service (LDoS) attack detection method based on an adaptive density clustering (SA-DBSCAN) algorithm, belonging to the field of network security. The method comprises: dividing the sampled data into a plurality of data units to be detected according to a fixed time window, and calculating the variance and the mean difference of each data unit as its characteristic values; performing adaptive density clustering on the data to be detected with the SA-DBSCAN algorithm to obtain a clustering result, where the result consists of three labels, 0, 1 and 2, with 0 representing a noise unit, 1 a normal data unit, and 2 a data unit in which a low-rate denial of service attack occurs; and finally further analysing the noise units obtained by density clustering to judge whether each one is a data unit in which a low-rate denial of service attack occurs. The detection method based on the SA-DBSCAN algorithm can effectively detect low-rate denial of service attacks and is capable of processing big data.

Description

Low-rate denial of service attack detection method based on SA-DBSCAN algorithm
Technical Field
The invention belongs to the field of computer network security, and particularly relates to a low-rate denial of service attack detection method based on an SA-DBSCAN algorithm.
Background
In a denial of service attack, the attacker floods the target machine with communication requests so that the services of a host connected to the Internet are interrupted temporarily or indefinitely, legitimate users cannot use the machine or network resources, and enormous losses result. A low-rate denial of service attack is a special type of denial of service attack that aims to drain system resources so that service degrades rather than stops completely. It exploits weaknesses in the adaptive mechanisms of existing network service protocols by periodically sending short bursts of high-rate attack traffic, keeping the server in an inefficient state for a long time.
Detection of low-rate denial of service attacks currently faces the following problems. First, a low-rate denial of service attack produces behaviour typical of a system in a critical state, is well concealed, and therefore cannot be handled by the traditional detection methods for denial of service attacks. Second, existing low-rate denial of service detection methods generally suffer from high cost, poor adaptability, low detection precision, inapplicability to big data, and weak real-time performance.
The invention provides a low-rate denial of service attack detection method based on an adaptive density clustering (SA-DBSCAN) algorithm. The method uses the SA-DBSCAN algorithm to perform cluster analysis on the network data to be detected, which remedies the limitation of distance-based clustering algorithms that can only find spherical clusters and greatly weakens the influence of transient high-rate normal traffic on the detection result. The SA-DBSCAN algorithm determines the partition thresholds adaptively and completes clustering according to the characteristic values of the data to be detected to obtain the clustering labels; detection precision is greatly improved, and the shortcomings of existing detection methods, which cannot adapt to big data and have weak real-time performance, are overcome.
Disclosure of Invention
The method has a low false alarm rate and a low missed report rate, is suitable for real-time detection of network data, and is capable of processing large data. The detection method can therefore be universally applied to accurate detection of low-rate denial of service attacks.
The technical scheme adopted by the invention to achieve this aim is as follows. The low-rate denial of service attack detection method mainly comprises four steps: acquiring data, calculating characteristic values, density clustering, and noise analysis.
1. Acquiring data. All relevant data messages on the key link of the network are obtained to form the sample original values, and the sample original values are divided into a plurality of data units to be detected according to a fixed sampling time.
2. Calculating characteristic values. The variance and the mean difference of the tcp flow and the udp flow of each data unit are calculated according to the formulas below and used as characteristic values, where x represents the data unit, x_i represents the i-th dimension of the data unit, n represents the total number of data units, mean represents the mean and var represents the variance. The variance formula can be expressed as:
(formula image: Figure BDA0002215721280000021)
Let m denote the mean difference; the mean difference formula can be expressed as:
(formula image: Figure BDA0002215721280000022)
Because the magnitude of the variance is far larger than that of the mean difference, the characteristic values are subjected to 0-1 normalization to avoid an inaccurate clustering result caused by one dimension of the characteristic value carrying too much weight. Let f represent one dimension of the characteristic value and x_i' the normalized data; the normalization formula can be expressed as:
(formula image: Figure BDA0002215721280000023)
3. Density clustering. According to the calculated characteristic values, density clustering is performed on the data to be detected with the SA-DBSCAN algorithm. To avoid the influence of global parameters on the clustering result, clustering is divided into two parts:
1) Calculating the adaptive thresholds. The two most significant dimensions of the characteristic values of low-rate denial of service attack data are selected as the input of a KNN algorithm with K set to 4, giving the distances to the 4 nearest neighbours of each data unit. All of these distance values are arranged in descending order, and the midpoint of the two adjacent values with the largest difference is taken as the clustering radius ε.
A distance matrix D is then computed from the characteristic values. For each data unit, its distance to every other data unit is looked up in D and the number of data units at a distance less than ε is counted, giving a density array. If the minimum value of this array is greater than or equal to the number of characteristic-value dimensions plus one, the clustering density MinPts is that minimum value; otherwise MinPts is the number of dimensions plus one.
2) Completing clustering with the DBSCAN algorithm. Using ε, MinPts and the calculated characteristic values, the algorithm starts from a normal data unit, finds the points located in the ε-neighbourhood of each point, identifies the core points that have enough neighbours (at least MinPts), then finds the other core points that are connected to each core point within the neighbourhood range, ignoring all non-core points. If a non-core point lies within the ε-neighbourhood of a cluster, it is assigned to that nearby cluster; otherwise it is treated as a noise point.
The density clustering result contains three kinds of labels: 0 denotes a noise unit, 1 a normal data unit, and 2 a data unit in which a low-rate denial of service attack occurs. A noise unit is a data unit in which a low-rate denial of service attack may have occurred and needs further analysis.
4. Noise analysis. The noise units obtained by density clustering are analysed further. To avoid the influence of a single shared characteristic within the noise units on the analysis result, a data unit with label 1 is selected and combined with the noise unit to form a new detection point. The detection point is divided into a plurality of data pieces according to the period of the low-rate denial of service attack and clustered with the SA-DBSCAN algorithm to obtain clustering labels, which again comprise three kinds: 0 denotes a noise point, 1 a normal data piece, and 2 a data piece in which a low-rate denial of service attack occurs. If the number of data pieces labelled 2 exceeds a certain proportion of the total number of data pieces, the noise unit is judged to be a data unit in which a low-rate denial of service attack occurs; otherwise it is judged to be a normal data unit.
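As an added worked example (my own code, not the patent's or Hunan University's implementation), the following Python runs steps 2 and 3 above on constructed traffic samples: it computes the variance and mean difference of the tcp and udp flow per data unit, applies 0-1 normalization, derives ε from the largest gap in the descending list of 4-nearest-neighbour distances, derives MinPts from the density array with the dimension-plus-one floor, and runs DBSCAN over the full distance matrix. Points the text leaves open are filled with labelled assumptions: the mean difference is taken to be the mean absolute deviation; the "two most significant dimensions" are taken to be tcp variance and tcp mean difference; a unit's own zero distance is excluded from its 4 nearest neighbours; and the largest cluster is labelled normal (1) while any other cluster is labelled attack (2). Step 4 (re-analysis of noise units) is not implemented, and every sample value is invented.

```python
import math
from collections import Counter

# Constructed sample data (invented here, not from the patent): each data unit holds 5
# per-second (tcp_bytes, udp_bytes) samples. Normal units jitter gently, attack units show
# the periodic udp burst and tcp collapse; the last unit is a one-off tcp burst (noise).
def _unit(tcp, udp, scale):
    return [(t * scale, u * scale) for t, u in zip(tcp, udp)]

NORMAL_TCP, NORMAL_UDP = [100, 102, 98, 101, 99], [10, 11, 9, 10, 10]
ATTACK_TCP, ATTACK_UDP = [100, 20, 100, 20, 100], [0, 200, 0, 200, 0]
BURST_TCP, BURST_UDP = [100, 400, 100, 100, 100], [10, 10, 10, 10, 10]
SAMPLE_UNITS = (
    [_unit(NORMAL_TCP, NORMAL_UDP, s) for s in (1.0, 1.1, 0.9, 1.05, 0.95, 1.0, 1.02)]
    + [_unit(ATTACK_TCP, ATTACK_UDP, t) for t in (1.0, 1.1, 0.9, 1.05, 0.95)]
    + [_unit(BURST_TCP, BURST_UDP, 1.0)]
)

# Step 2: characteristic values (variance and mean difference of tcp and udp flow)
def variance(xs):
    mu = sum(xs) / len(xs)
    return sum((x - mu) ** 2 for x in xs) / len(xs)

def mean_difference(xs):  # assumption: "average difference" = mean absolute deviation
    mu = sum(xs) / len(xs)
    return sum(abs(x - mu) for x in xs) / len(xs)

def unit_features(unit):
    tcp, udp = [t for t, _ in unit], [u for _, u in unit]
    return [variance(tcp), mean_difference(tcp), variance(udp), mean_difference(udp)]

def normalize_01(rows):
    """0-1 (min-max) normalization of every feature dimension across all units."""
    dims = range(len(rows[0]))
    lo = [min(r[d] for r in rows) for d in dims]
    hi = [max(r[d] for r in rows) for d in dims]
    return [[(r[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0 for d in dims]
            for r in rows]

# Step 3.1: adaptive thresholds eps (cluster radius) and MinPts (cluster density)
def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def adaptive_eps(points, dims=(0, 1), k=4):
    """Sort all K=4 nearest-neighbour distances (self excluded) on the chosen dims in
    descending order; eps is the midpoint of the adjacent pair with the largest gap."""
    proj = [[p[d] for d in dims] for p in points]
    dists = []
    for i, p in enumerate(proj):
        dists.extend(sorted(euclid(p, q) for j, q in enumerate(proj) if j != i)[:k])
    dists.sort(reverse=True)
    gaps = [dists[i] - dists[i + 1] for i in range(len(dists) - 1)]
    i = max(range(len(gaps)), key=gaps.__getitem__)
    return (dists[i] + dists[i + 1]) / 2

def adaptive_minpts(dist, eps, n_dims):
    """Min of the density array (units within eps, self included), floored at n_dims + 1."""
    density = [sum(1 for d in row if d < eps) for row in dist]
    return min(density) if min(density) >= n_dims + 1 else n_dims + 1

# Step 3.2: classic DBSCAN over the full-feature distance matrix (-1 marks noise)
def dbscan(dist, eps, minpts):
    n, labels, cluster = len(dist), [None] * len(dist), 0
    for p in range(n):
        if labels[p] is not None:
            continue
        neigh = [q for q in range(n) if dist[p][q] < eps]   # includes p itself
        if len(neigh) < minpts:
            labels[p] = -1       # provisional noise; may become a border point later
            continue
        cluster += 1
        labels[p] = cluster
        queue = [q for q in neigh if q != p]
        while queue:
            q = queue.pop()
            if labels[q] == -1:
                labels[q] = cluster   # border point reached from a core point
            if labels[q] is not None:
                continue
            labels[q] = cluster
            q_neigh = [r for r in range(n) if dist[q][r] < eps]
            if len(q_neigh) >= minpts:   # q is a core point: keep expanding through it
                queue.extend(r for r in q_neigh if labels[r] in (None, -1))
    return labels

def detect(units, eps_dims=(0, 1)):  # (0, 1) = tcp variance, tcp mean diff: assumption
    """Steps 2 and 3 end to end; returns eps, MinPts and the 0/1/2 label per unit."""
    feats = normalize_01([unit_features(u) for u in units])
    eps = adaptive_eps(feats, eps_dims)
    dist = [[euclid(a, b) for b in feats] for a in feats]
    minpts = adaptive_minpts(dist, eps, len(feats[0]))
    raw = dbscan(dist, eps, minpts)
    # Assumption: the most populous cluster is normal traffic (1), every other cluster
    # is a low-rate DoS attack (2); noise (0) would go to the patent's step 4, not shown.
    sizes = Counter(c for c in raw if c > 0)
    normal = sizes.most_common(1)[0][0] if sizes else None
    labels = [0 if c < 0 else (1 if c == normal else 2) for c in raw]
    return {"eps": eps, "minpts": minpts, "labels": labels}
```

On the constructed data, `detect(SAMPLE_UNITS)` labels the seven steady units 1, the five bursty units 2 and the single transient tcp burst 0 (noise); MinPts falls back to the dimension-plus-one floor of 5 because the lone burst unit has no neighbour within ε. Note that ε is chosen on two dimensions but applied to four-dimensional distances, so anyone reproducing the method should confirm that the two dimensions chosen actually carry the separation between normal and attack units; here the udp dimensions only widen the gaps.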
Advantageous effects
The low-rate denial of service attack detection method has the advantages of high detection accuracy, low time and space complexity, good real-time performance and the capability of processing big data, and it avoids the influence of transient high-rate normal traffic on the detection result. The detection method can therefore be universally applied to accurate detection of low-rate denial of service attacks.
Drawings
Fig. 1 is a traffic chart of a normal network after a low-rate denial of service attack occurs, including tcp flow and udp flow.
Fig. 2 is a characteristic value graph under different network states, divided into three network states: the normal network state (no attack), a network state in which a denial of service attack occurs, and a network state in which a low-rate denial of service attack occurs. The characteristic values have four dimensions: tcp flow variance, tcp flow mean difference, udp flow variance and udp flow mean difference.
Fig. 3 is a flow chart of the SA-DBSCAN algorithm.
Fig. 4 is a flow chart of the method for detecting a low-rate denial of service attack based on the SA-DBSCAN algorithm.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in Fig. 4, the method for detecting a low-rate denial of service attack mainly comprises four steps: acquiring data, calculating characteristic values, density clustering and noise analysis, of which density clustering is the core of the detection method.
Fig. 1 is a network traffic diagram in which a low-rate denial of service attack occurs. It can be seen from the diagram that in the normal network state the tcp traffic and udp traffic fluctuate smoothly and the tcp traffic is the main traffic in network communication; when a low-rate denial of service attack occurs, the attacker periodically sends a large amount of udp attack traffic, which causes severe fluctuation of the tcp traffic and a sharp drop in the average traffic, so that the system cannot provide service normally.
Fig. 2 is a graph of the characteristic values under different network states; it can be seen that the four characteristic values clearly distinguish a network in which a low-rate denial of service attack occurs from the other networks.
Fig. 3 presents the flow of the SA-DBSCAN algorithm. It can be seen from the figure that the algorithm calculates its thresholds adaptively, which avoids the influence of globally fixed parameters on the clustering result; at the same time, density clustering can find clusters of any shape without being disturbed by noise points, so the detection result is more accurate, and a network showing critical behaviour under normal access can be distinguished from a network in which a low-rate denial of service attack is occurring.

Claims (7)

1. A low-rate denial of service attack detection method based on the SA-DBSCAN algorithm, characterized in that the method comprises the following steps:
Step 1, acquiring data: acquiring the relevant data messages on a key link of the network in real time, sampling all relevant data messages within a period of time to form sample original values, and dividing the sample original values into a plurality of data units to be detected according to a fixed sampling time;
Step 2, calculating characteristic values: calculating the variance and the mean difference of each data unit according to a formula for use as characteristic values, and normalizing them;
Step 3, density clustering: performing density clustering based on the SA-DBSCAN algorithm according to the characteristic values of each data unit to obtain clustering labels;
Step 4, noise analysis: further analysing the data units labelled as noise by the clustering in step 3, and judging whether each is a data unit subjected to a low-rate denial of service attack, to obtain the final detection result.
2. The method according to claim 1, wherein in step 1 all relevant data packets within the detection time are obtained from the key link of the network to form the sample original values, and the original values are divided by a fixed sampling time to form the data units to be detected.
3. The method according to claim 1, wherein in step 2 the variance and the mean difference of each data unit obtained in step 1 are calculated as its characteristic values, and the characteristic values are normalized to the range 0-1 to avoid the influence of differences in magnitude on the clustering result.
4. The method according to claim 1, wherein in step 3 density clustering based on the SA-DBSCAN algorithm is performed according to the characteristic values of the data units calculated in step 2, and comprises three steps:
Step 3.1, calculating the clustering partition radius with the KNN algorithm according to sampled low-rate denial of service attack data under different attack parameters;
Step 3.2, adaptively calculating the clustering density threshold from the distance matrix according to the characteristic values of the data units obtained in step 2 and the clustering partition radius from step 3.1;
Step 3.3, performing DBSCAN density clustering according to the characteristic values obtained in step 2 and the clustering partition thresholds obtained in steps 3.1 and 3.2 to obtain clustering labels, and obtaining a preliminary detection result from the clustering labels.
5. The method according to claim 4, wherein the clustering labels in step 3.3 comprise three categories: label 1 for normal (no attack) data units, label 2 for data units in which a low-rate denial of service attack occurred, and label 0 for noise units.
6. The method according to claim 1, wherein step 4 analyses and judges the noise units according to the clustering labels obtained in step 3, and comprises three steps:
Step 4.1, selecting a data unit with clustering label 1 from step 3, combining it with the noise unit to form a new point to be detected, and dividing the point to be detected into a plurality of data pieces to be detected, taking one attack period of the low-rate denial of service attack as the unit;
Step 4.2, calculating the variance and the mean difference of each data piece as characteristic values, and normalizing them;
Step 4.3, performing density clustering based on the SA-DBSCAN algorithm according to the characteristic values obtained in step 4.2 to obtain clustering labels, judging from the clustering result whether a low-rate denial of service attack occurred in the noise unit, and obtaining the final detection result.
7. The method according to claim 6, wherein the clustering labels of step 4.3 comprise three categories: a normal (no attack) data piece is labelled 1, a data piece in which a low-rate denial of service attack occurs is labelled 2, and a noise point is labelled 0. The criterion for judging whether a noise unit is a data unit subjected to a low-rate denial of service attack is that the number of data pieces labelled 2 within the noise unit exceeds a certain proportion of the total number of data pieces.
CN201910920919.5A 2019-09-26 2019-09-26 Low-rate denial of service attack detection method based on SA-DBSCAN algorithm Pending CN110650145A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910920919.5A CN110650145A (en) 2019-09-26 2019-09-26 Low-rate denial of service attack detection method based on SA-DBSCAN algorithm

Publications (1)

Publication Number Publication Date
CN110650145A true CN110650145A (en) 2020-01-03

Family

ID=69011513

Country Status (1)

Country Link
CN (1) CN110650145A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111600876A (en) * 2020-05-14 2020-08-28 Hunan University Slow denial of service attack detection method based on MFOPA algorithm
CN112261000A (en) * 2020-09-25 2021-01-22 Hunan University LDoS attack detection method based on PSO-K algorithm

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8819821B2 (en) * 2007-05-25 2014-08-26 New Jersey Institute Of Technology Proactive test-based differentiation method and system to mitigate low rate DoS attacks
US10069859B2 (en) * 2015-12-16 2018-09-04 Verizon Digital Media Services Inc. Distributed rate limiting
CN109067722A (en) * 2018-07-24 2018-12-21 Hunan University LDoS detection method based on a two-step clustering and detection-piece analysis combined algorithm
CN109167789A (en) * 2018-09-13 2019-01-08 Shanghai Maritime University Cloud environment LDoS attack data-flow detection method and system
CN109729091A (en) * 2019-01-03 2019-05-07 Hunan University LDoS attack detection method based on multi-feature fusion and CNN algorithm
CN109726553A (en) * 2019-01-03 2019-05-07 Hunan University Slow denial of service attack detection method based on SNN-LOF algorithm
CN109729090A (en) * 2019-01-03 2019-05-07 Hunan University Slow denial of service attack detection method based on WEDMS clustering
CN110097126A (en) * 2019-05-07 2019-08-06 江苏优聚思信息技术有限公司 Method for verifying key persons and residences that failed to register, based on the DBSCAN clustering algorithm

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
YUDONG YAN: "Low-Rate DoS Attack Detection Based on Improved Logistic Regression", 2019 IEEE 21st International Conference on High Performance Computing and Communications *
周刚: "Wavelet detection method for low-rate TCP denial of service attacks", Computer Engineering and Applications *
姚四霞: "Research on collaborative detection methods for low-rate denial of service attacks", Wanfang *
曾卫: "A detection method for low-rate denial of service attacks", Wanfang *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200103