CN112804250A - LDoS attack detection and mitigation scheme based on integrated learning and peak-finding algorithm - Google Patents
- Publication number: CN112804250A
- Authority: CN (China)
- Prior art keywords: detection, flow, attack, ldos attack, algorithm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G06N20/20—Ensemble learning
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Medical Informatics (AREA)
- Evolutionary Computation (AREA)
- Data Mining & Analysis (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Artificial Intelligence (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm, belonging to the field of computer network security. The method comprises the following. The SDN controller collects the traffic flowing through a bottleneck link over a period of time as training data. The training data is divided into multiple detection windows with a sliding window, and each window is labeled; the labels are normal (no LDoS attack) and abnormal (LDoS attack occurred). The mean, coefficient of variation, mean absolute time derivative and waveform cumulative length of the TCP traffic in each detection window are calculated as features. The labels and features are input to an ensemble learning algorithm to train a classifier. Test data acquired in real time is classified with the classifier to obtain a class label. If the label is abnormal, the attacker is located with a peak-finding algorithm and the attack flow is discarded; otherwise real-time sampling continues. The scheme can effectively detect LDoS attacks and rapidly mitigate their impact.
Description
Technical Field
The invention belongs to the field of computer network security and in particular relates to an LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm.
Background
An LDoS (Low-rate Denial of Service) attack is a variant of the denial-of-service attack that targets weaknesses in the adaptive mechanisms of network protocols, such as TCP's retransmission timeout and congestion control. The attacker sends short high-rate pulses at a fixed period: the average rate stays low, but each pulse fills the bottleneck queue and forces legitimate flows to back off, so the quality of service degrades severely and normal users cannot effectively access the server.
Existing real-time detection and mitigation schemes for LDoS attacks have the following problems. First, the network traffic during an LDoS attack closely resembles the traffic produced when many legitimate users access the network at the same time; the attack is therefore highly concealed and hard to identify with a traditional firewall or anti-DoS mechanism. Second, existing real-time LDoS detection methods have shortcomings such as high cost, poor scalability, low detection accuracy, unsuitability for large volumes of data and weak real-time performance. Third, under a traditional network architecture, deploying a mitigation scheme requires extra equipment or changes to existing protocols, which is costly and hard to implement.
SDN (Software Defined Networking) is a network architecture that decouples the control plane from the data plane, implements centralized control of the data-path elements and is programmable. On top of an SDN, a user can write software in the application layer and call the controller's functions through a uniform programming interface, thereby managing the underlying devices and traffic.
The invention provides an LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm. It uses the programmability and centralized control of the SDN to detect and mitigate LDoS attacks in real time. The scheme has two stages, real-time detection and attack mitigation. Real-time detection is based on an ensemble learning algorithm, namely histogram-based gradient boosting with piecewise linear decision trees. Attack mitigation is based on a peak-finding algorithm.
Disclosure of Invention
Aimed at the shortcomings of existing LDoS attack detection and mitigation schemes, the proposed scheme, based on ensemble learning and a peak-finding algorithm, detects and mitigates LDoS attacks in the network in real time without additional equipment or modification of network protocols, has higher accuracy and lower complexity, and can handle large volumes of data. It can therefore be applied generally to the accurate detection and rapid mitigation of LDoS attacks.
The technical scheme adopted by the invention to achieve this aim is as follows. The scheme comprises four steps: data sampling, feature computation, attack detection and attack mitigation.
1. Data sampling. The SDN controller polls the TCP and UDP traffic passing through the bottleneck link over a period of time and uses it as training data; the polling interval is 0.5 seconds. The training data contains both network traffic under LDoS attack and normal traffic (no LDoS attack). The training data is then divided into detection windows with a sliding window algorithm; the window size and the step size are fixed values specified by the user as needed. Each detection window is labeled: normal if no LDoS attack is present, abnormal if an LDoS attack is present.
2. Feature computation. For each detection window, the mean, coefficient of variation, mean absolute time derivative and waveform cumulative length of the TCP traffic are calculated by formula. Let X denote the TCP traffic sequence sampled in real time, x_i (i = 1, 2, …, n) the data in X, and n the size of the sliding window.
The mean reflects the central tendency of the data; when an LDoS attack occurs in the network, the mean of the network traffic is markedly lower than in the normal state. The mean is calculated as follows:
The coefficient of variation reflects the dispersion of the data; when an LDoS attack occurs in the network, the coefficient of variation of the network traffic is higher than in the normal state. The coefficient of variation is calculated as follows:
The mean absolute time derivative (madiff) reflects the average fluctuation of the data; under an LDoS attack the network traffic fluctuates strongly, so its mean absolute time derivative is higher than in the normal state. The mean absolute time derivative is calculated as follows:
The waveform cumulative length (wavelen) reflects the overall fluctuation of the data; under an LDoS attack the network traffic fluctuates strongly, so its waveform cumulative length is higher than in the normal state. The waveform cumulative length is calculated as follows:
Because traffic collected in different periods differs in scale, which strongly affects the mean absolute time derivative and the waveform cumulative length, the TCP traffic in each detection window is 0-1 normalized before these two features are calculated. Let x_i' denote the normalized data; the 0-1 normalization formula can be expressed as:
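The feature computation step above, as an added example that is not the patent's code. The page omits the formulas, so the definitions used here are assumed: mean; coefficient of variation as population standard deviation divided by the mean; mean absolute time derivative as the mean of |x_{i+1} - x_i|; waveform cumulative length as the length of the polyline through the samples with unit spacing, i.e. the sum of sqrt(1 + (x_{i+1} - x_i)^2). The last two are computed on the 0-1 normalized window as the description requires. The two sample windows are constructed (12 samples each, i.e. 6 s at the 0.5 s polling interval), not measured.

```python
"""Detection-window features for LDoS detection (added example, not the patent's code).

Assumed definitions, since the page omits the formulas: mean; coefficient of
variation = population std / mean; madiff = mean |x[i+1]-x[i]|; wavelen =
sum of sqrt(1 + (x[i+1]-x[i])^2). madiff and wavelen use the 0-1 normalized window.
"""
import math

# Constructed TCP throughput samples (Mbit/s) at the patent's 0.5 s polling
# interval: a smooth normal window and a window under periodic pulse damage.
NORMAL_TCP = [93.0, 93.6, 94.1, 94.5, 94.8, 95.0, 94.9, 94.6, 94.2, 93.8, 93.4, 93.1]
ATTACK_TCP = [89.5, 11.2, 30.4, 88.1, 10.6, 29.8, 87.9, 12.0, 31.1, 88.6, 11.4, 30.2]


def mean(xs):
    return sum(xs) / len(xs)


def coeff_of_variation(xs):
    """Population standard deviation divided by the mean (0 for an all-zero window)."""
    m = mean(xs)
    if m == 0:
        return 0.0
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs)) / m


def normalize01(xs):
    """0-1 normalization; a constant window maps to all zeros instead of dividing by 0."""
    lo, hi = min(xs), max(xs)
    if hi == lo:
        return [0.0] * len(xs)
    return [(x - lo) / (hi - lo) for x in xs]


def mean_abs_diff(xs):
    """madiff: mean absolute first difference of consecutive samples."""
    if len(xs) < 2:
        return 0.0
    return sum(abs(xs[i + 1] - xs[i]) for i in range(len(xs) - 1)) / (len(xs) - 1)


def waveform_length(xs):
    """wavelen: length of the polyline through the samples with unit spacing."""
    return sum(math.sqrt(1.0 + (xs[i + 1] - xs[i]) ** 2) for i in range(len(xs) - 1))


def window_features(xs):
    """The four features of one detection window, named as in the description."""
    nx = normalize01(xs)
    return {
        "mean": mean(xs),
        "variation": coeff_of_variation(xs),
        "madiff": mean_abs_diff(nx),
        "wavelen": waveform_length(nx),
    }


def sliding_windows(seq, size, step):
    """Fixed-size windows advanced by a fixed step (both user-specified in the patent)."""
    return [seq[i:i + size] for i in range(0, len(seq) - size + 1, step)]


def feature_rows(seq, size, step):
    """Feature vectors [mean, variation, madiff, wavelen] for every window of seq."""
    return [[f["mean"], f["variation"], f["madiff"], f["wavelen"]]
            for f in (window_features(w) for w in sliding_windows(seq, size, step))]


if __name__ == "__main__":
    for name, w in (("normal", NORMAL_TCP), ("attack", ATTACK_TCP)):
        print(name, {k: round(v, 3) for k, v in window_features(w).items()})
```

On the constructed windows all four features move in the direction the description states (lower mean, higher variation, madiff and wavelen under attack). Note that 0-1 normalization stretches whatever jitter a normal window has to the full 0-1 range, so a normal window that is noisy rather than smooth can yield madiff values close to those of an attack window; the mean and coefficient of variation, which are not normalized, do not have this problem.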
3. Attack detection. A classifier is trained with an ensemble learning algorithm on the features computed from the training data. The ensemble learning algorithm used is histogram-based gradient boosting with piecewise linear decision trees, and training comprises three steps:
1) According to the computed features of the training data, divide each feature into bins by percentile and construct a feature histogram;
2) From the constructed feature histogram, compute the gradient and Hessian values of each bin and record their accumulated sums per bin, where bin denotes a bin, h_i denotes the Hessian of data point x_i (the second derivative of the loss with respect to the prediction) and g_i denotes the gradient of data point x_i (the first derivative of the loss with respect to the prediction);
3) From the feature histogram and the recorded accumulated values, iteratively construct second-order gradient piecewise linear decision trees, updating the gradient and Hessian values in each iteration, and stop when the maximum number of iterations is reached or the loss function reaches its minimum; then save the trained classifier. The maximum number of iterations is specified by the user, with a default of 100, and the criterion for splitting decision tree nodes is computed from the information gain. In information theory and machine learning, the information gain is the amount of information about one random variable or signal obtained by observing another random variable; an attribute with large mutual information should generally be prioritized over other attributes. The information gain is calculated as follows:
where Ent denotes the information entropy, a_i (i = 1, 2, …, m) denotes the features of X, m the feature dimension and j the node of the decision tree partition.
The saved classifier then classifies the detection windows of the TCP traffic sampled in real time. Real-time sampling is also based on the sliding window algorithm, which lets newly arrived traffic be analysed together with historical traffic so that a classification can be made more quickly. The classification result is either normal (no LDoS attack) or abnormal (LDoS attack). If the result is normal, real-time sampling continues and no attack mitigation is performed; if it is abnormal, the attack mitigation step is carried out.
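The training procedure above, as an added example that is not the patent's code: a minimal histogram-based gradient boosting classifier in Python. It follows the three steps (percentile bins, per-bin accumulated gradient and Hessian sums, iterative tree construction with a user-set iteration cap and a stop when the gain vanishes), but it uses depth-1 trees with constant leaves as a simplified stand-in for the patent's piecewise linear trees, and it scores splits with the usual second-order gain computed from the accumulated gradients and Hessians rather than an entropy-based information gain. The feature rows, labels, learning rate and regularization value are constructed or assumed.

```python
"""Histogram-based gradient boosting for LDoS detection windows (added example,
not the patent's code). Second-order boosting on percentile-binned feature
histograms; depth-1 constant-leaf trees stand in for piecewise linear trees."""
import bisect
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def percentile_edges(values, n_bins):
    """Bin edges at percentiles of one feature (the 'feature histogram')."""
    s = sorted(values)
    edges = []
    for q in range(1, n_bins):
        e = s[min(len(s) - 1, q * len(s) // n_bins)]
        if not edges or e > edges[-1]:
            edges.append(e)
    return edges


class HistGBClassifier:
    def __init__(self, n_rounds=100, n_bins=8, lr=0.3, lam=1.0):
        # n_rounds mirrors the patent's default iteration cap of 100; lr and lam are assumed.
        self.n_rounds, self.n_bins, self.lr, self.lam = n_rounds, n_bins, lr, lam
        self.edges, self.trees = [], []

    def _bin(self, j, v):
        return bisect.bisect_right(self.edges[j], v)

    def fit(self, X, y):
        n, d = len(X), len(X[0])
        self.edges = [percentile_edges([x[j] for x in X], self.n_bins) for j in range(d)]
        bins = [[self._bin(j, x[j]) for j in range(d)] for x in X]
        F = [0.0] * n                                   # raw logit score per row
        self.trees = []
        for _ in range(self.n_rounds):
            p = [sigmoid(f) for f in F]
            g = [p[i] - y[i] for i in range(n)]         # gradient of the logistic loss
            h = [p[i] * (1.0 - p[i]) for i in range(n)] # Hessian of the logistic loss
            G, H = sum(g), sum(h)
            best = None
            for j in range(d):
                nb = len(self.edges[j]) + 1
                Gb, Hb = [0.0] * nb, [0.0] * nb
                for i in range(n):                      # accumulate g and h per bin
                    Gb[bins[i][j]] += g[i]
                    Hb[bins[i][j]] += h[i]
                GL = HL = 0.0
                for k in range(nb - 1):                 # candidate split: bin <= k goes left
                    GL += Gb[k]
                    HL += Hb[k]
                    GR, HR = G - GL, H - HL
                    gain = 0.5 * (GL * GL / (HL + self.lam) + GR * GR / (HR + self.lam)
                                  - G * G / (H + self.lam))
                    if best is None or gain > best[0]:
                        best = (gain, j, k, -GL / (HL + self.lam), -GR / (HR + self.lam))
            if best is None or best[0] <= 1e-12:        # loss no longer decreases: stop
                break
            _, j, k, wl, wr = best
            self.trees.append((j, k, wl, wr))
            for i in range(n):
                F[i] += self.lr * (wl if bins[i][j] <= k else wr)
        return self

    def predict_proba(self, x):
        s = 0.0
        for j, k, wl, wr in self.trees:
            s += self.lr * (wl if self._bin(j, x[j]) <= k else wr)
        return sigmoid(s)

    def predict(self, x):
        """1 = abnormal (LDoS attack), 0 = normal."""
        return 1 if self.predict_proba(x) >= 0.5 else 0


def accuracy(model, X, y):
    return sum(model.predict(x) == yi for x, yi in zip(X, y)) / len(y)


# Constructed training rows [mean, variation, madiff, wavelen] per detection
# window; label 0 = normal, 1 = abnormal. Values are made up, not measured.
X_TRAIN = [
    [94.6, 0.006, 0.35, 9.1], [93.9, 0.008, 0.41, 9.4], [95.1, 0.005, 0.30, 8.8],
    [92.7, 0.012, 0.46, 9.7], [94.0, 0.007, 0.38, 9.2], [96.2, 0.004, 0.28, 8.6],
    [45.3, 0.79, 0.78, 11.9], [51.0, 0.71, 0.74, 11.6], [38.6, 0.88, 0.83, 12.3],
    [47.9, 0.75, 0.80, 12.0], [42.1, 0.83, 0.76, 11.8], [55.4, 0.66, 0.71, 11.4],
]
Y_TRAIN = [0] * 6 + [1] * 6
MODEL = HistGBClassifier().fit(X_TRAIN, Y_TRAIN)

if __name__ == "__main__":
    print("training accuracy", accuracy(MODEL, X_TRAIN, Y_TRAIN))
    print("p(attack) for a pulse-damaged window", MODEL.predict_proba([44.0, 0.80, 0.79, 12.1]))
```

In deployment the rows of X come from the feature computation step, the fitted object is what the description calls the saved classifier, and `predict` is applied to each real-time detection window; a result of 1 triggers the mitigation step. Binning by percentile means the split candidates, and hence the training cost per round, depend on the number of bins rather than on the number of windows, which is what makes the histogram variant suitable for large volumes of traffic data.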
4. Attack mitigation. Keyed by IP, the SDN controller samples the UDP traffic of each IP in real time, again with a sliding window algorithm. The attacker's IP is located with a peak-finding algorithm applied to the sampled UDP detection windows. The peak-finding algorithm comprises three steps:
1) From the UDP traffic of the normal and abnormal detection windows in the training data, find the local maxima of the UDP traffic in each window as peaks, compute the prominence and width of every peak, and derive two thresholds that separate normal windows from abnormal ones: a prominence threshold pth and a width threshold wth. pth is a prominence value that clearly separates the two kinds of windows. For each detection window the standard deviation of its sequence of peak widths is computed, and wth is a standard-deviation value that clearly separates the two kinds of windows.
2) Sample UDP flow information keyed by IP in real time and, for each UDP flow, count the peaks whose prominence exceeds the threshold pth. If the count is greater than 1, treat the flow as an attack flow, record its IP and finish locating the attacker; otherwise go to the next step.
3) For each UDP flow sampled in real time, record the width of every peak to obtain a sequence of width values and compute its standard deviation. If the standard deviation is less than wth, treat the flow as an attack flow, record its IP and finish locating the attacker.
After the attacker's IP is located, it is added to a blacklist and the controller is notified to issue a flow rule that discards traffic from the blacklisted IPs, thereby mitigating the LDoS attack in the SDN.
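The three-step peak-finding procedure above, as an added example that is not the patent's code. It runs the prominence count (step 2) and the width-deviation test (step 3) over constructed per-IP UDP sample series and returns the IPs that would go on the blacklist. Assumptions: prominence and half-prominence width are computed in the usual way, without a SciPy dependency; the thresholds PTH and WTH are made-up values standing in for those derived from labelled training windows in step 1; the IP addresses and sample series are constructed; and the width test is only applied to flows with at least two peaks, an added guard, because a single peak always has a width standard deviation of 0 and would otherwise be flagged.

```python
"""Locating the LDoS attacker from per-IP UDP peak attributes (added example,
not the patent's code)."""
from statistics import pstdev

# Constructed UDP bytes per 0.5 s poll, keyed by source IP (addresses made up).
FLOWS = {
    "10.0.0.7": [0, 0, 820, 0, 0, 815, 0, 0, 830, 0, 0, 822, 0, 0, 818, 0],      # periodic pulses
    "10.0.0.3": [8, 20, 35, 42, 38, 22, 10, 15, 55, 12, 9, 18, 26, 30, 29, 14],  # bursty, irregular
    "10.0.0.9": [0, 0, 0, 900, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],              # one large transfer
}
PTH = 300.0   # prominence threshold pth (assumed; derived from training windows in the patent)
WTH = 0.5     # width-std threshold wth (assumed; derived from training windows in the patent)


def find_peaks(xs):
    """Indices of local maxima: above the left neighbour, not below the right one."""
    return [i for i in range(1, len(xs) - 1) if xs[i] > xs[i - 1] and xs[i] >= xs[i + 1]]


def prominence(xs, i):
    """Height of peak i above the higher of the two minima between it and the
    nearest higher sample (or the series edge) on each side."""
    h = xs[i]
    left_min, j = h, i - 1
    while j >= 0 and xs[j] <= h:
        left_min = min(left_min, xs[j])
        j -= 1
    right_min, j = h, i + 1
    while j < len(xs) and xs[j] <= h:
        right_min = min(right_min, xs[j])
        j += 1
    return h - max(left_min, right_min)


def width(xs, i, prom):
    """Width of peak i at half its prominence, in samples, with the crossing
    points on both flanks linearly interpolated."""
    if prom <= 0:
        return 0.0
    ref = xs[i] - prom / 2.0
    j = i
    while j > 0 and xs[j - 1] > ref:
        j -= 1
    left = 0.0 if j == 0 else (j - 1) + (ref - xs[j - 1]) / (xs[j] - xs[j - 1])
    j = i
    while j < len(xs) - 1 and xs[j + 1] > ref:
        j += 1
    right = float(len(xs) - 1) if j == len(xs) - 1 else j + (xs[j] - ref) / (xs[j] - xs[j + 1])
    return right - left


def peak_attributes(xs):
    """(index, prominence, width) for every local maximum in xs."""
    out = []
    for i in find_peaks(xs):
        p = prominence(xs, i)
        out.append((i, p, width(xs, i, p)))
    return out


def is_attack_flow(xs, pth=PTH, wth=WTH):
    attrs = peak_attributes(xs)
    # Step 2: more than one prominent peak means repeated high-rate pulses.
    if sum(1 for _, p, _ in attrs if p > pth) > 1:
        return True
    # Step 3: pulses of a fixed shape have near-identical widths. The >= 2
    # guard is an added assumption; the patent text applies the test directly.
    widths = [w for _, _, w in attrs]
    return len(widths) >= 2 and pstdev(widths) < wth


def locate_attackers(flows, pth=PTH, wth=WTH):
    """Source IPs whose UDP series looks like LDoS pulses; these go on the blacklist."""
    return sorted(ip for ip, xs in flows.items() if is_attack_flow(xs, pth, wth))


if __name__ == "__main__":
    for ip, xs in FLOWS.items():
        print(ip, [(i, p, round(w, 2)) for i, p, w in peak_attributes(xs)])
    print("blacklist:", locate_attackers(FLOWS))
```

The pulse series is caught by the prominence count alone, the irregular series fails both tests, and the single large transfer is left alone only because of the two-peak guard. Both thresholds must be calibrated on labelled windows from the same network, as step 1 requires: a width-deviation threshold that is too large turns any bursty but legitimate sender into a blacklist entry, and once an IP is blacklisted the drop rule removes all of its traffic, not just the pulses.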
Advantageous effects
The LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm has high detection accuracy, low false positive and false negative rates, low time and space complexity, good real-time performance and the capability to process big data, so it can be used generally and accurately to detect LDoS attacks and effectively mitigate their adverse effects.
Drawings
Fig. 1 is a diagram of network traffic in an SDN in which an LDoS attack occurs, including TCP traffic and UDP traffic.
Fig. 2 is a diagram comparing the characteristics of an abnormal (occurrence of an LDoS attack) network and a normal (non-occurrence of an LDoS attack) network.
Fig. 3 is a graph comparing peaks of attack and normal flows.
Fig. 4 is a complete framework diagram of an LDoS attack detection and mitigation scheme deployed in an SDN based on an integrated learning and peak-finding algorithm.
Fig. 5 is an algorithm flowchart of an LDoS attack detection and mitigation scheme based on an integrated learning and peak-finding algorithm.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in Fig. 5, the algorithm flow of the LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm has four steps: data sampling, feature computation, attack detection and attack mitigation. Data sampling has two parts, training data sampling and test data sampling: the sampled training data is divided into detection windows with a sliding window algorithm and each window is labeled normal or abnormal, while the test data is sampled in real time with the sliding window algorithm to obtain detection windows. Feature computation calculates the features of the traffic in each detection window by formula. Attack detection trains an ensemble learning classifier on the detection window features and labels of the training data and then classifies the detection windows of the test data. If the classification result is abnormal, attack mitigation locates the attacker with the peak-finding algorithm and discards the traffic from the attacker. The ensemble learning and peak-finding algorithms are the core of the scheme.
Fig. 1 shows the network traffic in an SDN in which an LDoS attack occurs; the traffic before the dotted line is in the normal state and the traffic after it is under LDoS attack. As the figure shows, TCP and UDP traffic fluctuate smoothly in the normal state, and TCP traffic is the main traffic in network communication. When an LDoS attack occurs, the attacker periodically sends high-rate UDP pulses, which cause the TCP traffic to fluctuate drastically and its average to drop sharply, degrading the quality of the network service.
Fig. 2 compares the features of an abnormal network with those of a normal network: (a) the mean of the TCP traffic in the normal and abnormal states, where the normal mean is much higher than the abnormal one; (b) the coefficient of variation of the TCP traffic, where the normal value is far lower than the abnormal one; (c) the mean absolute time derivative of the TCP traffic, where the normal value is far lower than the abnormal one; (d) the waveform cumulative length of the TCP traffic, where the normal value is far lower than the abnormal one. The four feature values therefore clearly separate the network in the normal state from the network in the abnormal state.
Fig. 3 compares the peaks and their attributes in an attack flow (a) and a normal flow (b). The peaks of the normal flow have low prominence, widely differing widths and no regularity, whereas the peaks of the attack flow have high prominence, nearly identical widths and strong similarity to one another; the attack flow can be located from this difference in peak behaviour.
Fig. 4 shows the complete deployment framework of the LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm. The scheme is deployed in the control layer of the SDN. The controller polls the infrastructure layer for traffic and device information; the traffic is analysed and processed and then passed to the attack detection module, which classifies it with the previously trained classifier. Depending on the classification result the mitigation module is activated; it locates the attacker's IP and adds it to a blacklist, and finally the controller issues a flow rule that discards traffic from the blacklisted IPs.
Claims (9)
1. The LDoS attack detection and mitigation scheme based on the integrated learning and peak-finding algorithm is characterized by comprising the following steps:
step 1, data sampling: collecting flow data passing through a bottleneck link within a period of time by using a controller of an SDN (software defined network), wherein the flow data comprises TCP (transmission control protocol) flow and UDP (user datagram protocol) flow and is used as training data, dividing the training data into a plurality of detection windows in a fixed window size by using a sliding window algorithm, and marking the windows;
step 2, feature calculation: calculating the average value, the variation coefficient, the average absolute time derivative and the waveform accumulated length of the TCP flow in each detection window as characteristics;
step 3, attack detection: training a classifier based on an integrated learning algorithm according to the characteristics of a detection window, acquiring a TCP detection window obtained by TCP flow in real time by using a sliding window algorithm, and classifying the TCP detection window by using the trained classifier to obtain a classification result;
step 4, attack mitigation: and if the classification result obtained in the step 3 is that LDoS attack occurs, positioning an attacker based on a peak finding algorithm, and discarding the flow from the attacker by using a flow rule issued by a SDN controller.
2. The scheme for detecting and mitigating an LDoS attack as claimed in claim 1, wherein in step 1 the SDN controller polls at intervals of 0.5 seconds to obtain the TCP and UDP traffic passing through the bottleneck link over a period of time as training data, the bottleneck link being the link with the smallest bandwidth in the SDN; the traffic includes data during an LDoS attack and normal user access data; the training data is then divided with a sliding window algorithm into a series of equal-sized detection windows, which are labeled, a detection window without an LDoS attack being labeled normal and a detection window with an LDoS attack being labeled abnormal.
3. An LDoS attack detection and mitigation scheme as claimed in claim 1, characterized in that, in step 2, according to the detection windows obtained in step 1, the average value, the coefficient of variation, the average absolute time derivative and the waveform accumulation length of the TCP traffic in each detection window are calculated as features, and in order to avoid the effect of the magnitude difference, the traffic in the detection windows is normalized by 0-1 before calculating the average absolute time derivative and the waveform accumulation length.
4. An LDoS attack detection and mitigation scheme according to claim 1, wherein the attack detection procedure in step 3 comprises three steps:
step 3.1, training a classifier based on an ensemble learning algorithm and storing the classifier according to the characteristics of the detection window obtained by calculation in the step 2 and the mark of the detection window obtained in the step 1;
step 3.2, sampling TCP flow data flowing through a bottleneck link in real time by using a controller of the SDN based on a sliding window algorithm to obtain a TCP detection window;
step 3.3, calculating the average value, the variation coefficient, the average absolute time derivative and the waveform accumulated length of the TCP detection window in step 3.2 as features, classifying according to the classifier stored in step 3.1 and the calculated feature values, and returning a classification result.
5. An LDoS attack detection and mitigation scheme according to claim 4, characterized in that the ensemble learning algorithm used in step 3.1 is a histogram based gradient boost piecewise linear decision tree algorithm, which completes classification by constructing a gradient boost piecewise linear decision tree and is based on histogram optimization calculation.
6. An LDoS attack detection and mitigation scheme according to claim 4, characterized in that the classification result in step 3.3 includes two kinds: normally, no LDoS attack occurs, and abnormally, LDoS attack occurs.
7. The LDoS attack detection and mitigation scheme as claimed in claim 1, wherein the attack mitigation procedure in step 4 comprises three steps:
step 4.1, according to the classification result returned in step 3, if the classification result is normal, the subsequent steps are not carried out, and if the classification result is abnormal, the IP of an attacker is located based on a peak-finding algorithm;
step 4.2, adding the IP of the attacker into a blacklist according to the IP of the attacker obtained in the step 4.1;
step 4.3, according to the blacklist stored in step 4.2, installing a flow rule on the switch by using the SDN controller, and discarding the flow from the IP in the blacklist.
8. The LDoS attack detection and mitigation scheme as claimed in claim 7, wherein the peak-finding algorithm in step 4.1 locates the attacker from the peak attributes of a single flow, as follows: based on a sliding window algorithm and keyed by IP, the SDN controller collects UDP flows from different IPs in real time; for each collected UDP flow the local maxima of the flow are taken as peaks, the peak attributes comprising the width and prominence of each peak are compared with preset thresholds to judge whether the flow is an LDoS attack flow, and if it is, the IP of the UDP flow is recorded.
9. An LDoS attack detection and mitigation scheme according to claim 7, wherein the blacklist in step 4.2 is not subject to duplicate IP records and is automatically cleared after expiration of a validity time specified by the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110130808.1A CN112804250B (en) | 2021-01-29 | 2021-01-29 | LDoS attack detection and mitigation method based on integrated learning and peak-finding algorithm |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110130808.1A CN112804250B (en) | 2021-01-29 | 2021-01-29 | LDoS attack detection and mitigation method based on integrated learning and peak-finding algorithm |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112804250A true CN112804250A (en) | 2021-05-14 |
CN112804250B CN112804250B (en) | 2022-05-13 |
Family
ID=75813096
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110130808.1A Active CN112804250B (en) | 2021-01-29 | 2021-01-29 | LDoS attack detection and mitigation method based on integrated learning and peak-finding algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112804250B (en) |
Events
- 2021-01-29: CN application CN202110130808.1A filed (patent CN112804250B), status active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103139166A (en) * | 2011-11-30 | 2013-06-05 | 中国民航大学 | Low-rate denial of service (LDoS) attack detection method based on small signal detection theory |
CN104125193A (en) * | 2013-04-24 | 2014-10-29 | 中国民航大学 | LDDoS attack detection method based on chaotic Dufing oscillators |
CN105100017A (en) * | 2014-05-12 | 2015-11-25 | 中国民航大学 | LDoS attack detection method based on signal cross correlation |
US10320813B1 (en) * | 2015-04-30 | 2019-06-11 | Amazon Technologies, Inc. | Threat detection and mitigation in a virtualized computing environment |
US20200257507A1 (en) * | 2019-02-08 | 2020-08-13 | Sap Se | Integration of workflow and logical data objects using visual programming |
CN110572413A (en) * | 2019-09-27 | 2019-12-13 | 湖南大学 | Low-rate denial of service attack detection method based on Elman neural network |
CN110719272A (en) * | 2019-09-27 | 2020-01-21 | 湖南大学 | LR algorithm-based slow denial of service attack detection method |
CN112202791A (en) * | 2020-09-28 | 2021-01-08 | 湖南大学 | P-F-based software defined network slow denial of service attack detection method |
Non-Patent Citations (3)
Title |
---|
DONGSHUO ZHANG,DAN TANG, LIU TANG,RUI DAI,JINGWEN CHEN: "PCA-SVM-Based_Approach_of_Detecting_Low-Rate_DoS_Attack", 《2019 IEEE 21ST INTERNATIONAL CONFERENCE ON HIGH PERFORMANCE COMPUTING AND COMMUNICATIONS》 * |
YUDONG YAN,DAN TANG,SIJIA ZHAN,RUI DAI,JINGWENCHEN,NINGBO ZHU: "Low-Rate_DoS_Attack_Detection_Based_on_Improved_Logistic_Regression", 《2019 IEEE 21ST INTERNATIONAL CONFERENCE ON HIGH PERFORMANCE COMPUTING AND COMMUNICATIONS》 * |
颜通,白志华,高镇,闫丽娜,周蕾: "SDN环境下的LDoS攻击检测与防御技术", 《计算机科学与探索》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114039780A (en) * | 2021-11-10 | 2022-02-11 | 湖南大学 | Low-speed DoS attack real-time response scheme based on flow coefficient |
CN114039780B (en) * | 2021-11-10 | 2022-08-16 | 湖南大学 | Low-speed DoS attack real-time response method based on flow coefficient |
CN115589323A (en) * | 2022-10-18 | 2023-01-10 | 湖南大学 | DLDoS attack detection and mitigation method based on machine learning in data plane |
CN115589323B (en) * | 2022-10-18 | 2024-04-02 | 湖南大学 | DLDoS attack detection and alleviation method based on machine learning in data plane |
Also Published As
Publication number | Publication date |
---|---|
CN112804250B (en) | 2022-05-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6703613B2 (en) | Anomaly detection in data stream | |
CN112804250B (en) | LDoS attack detection and mitigation method based on integrated learning and peak-finding algorithm | |
Dewaele et al. | Extracting hidden anomalies using sketch and non gaussian multiresolution statistical detection procedures | |
US11509539B2 (en) | Traffic analysis apparatus, system, method, and program | |
Zhang et al. | Proword: An unsupervised approach to protocol feature word extraction | |
CN111212053A (en) | Industrial control honeypot-oriented homologous attack analysis method | |
Erhan et al. | Hybrid DDoS detection framework using matching pursuit algorithm | |
KR100628329B1 (en) | Generation apparatus and method of detection rules for attack behavior based on information of network session | |
CN113904881B (en) | Intrusion detection rule false alarm processing method and device | |
CN114021135A (en) | LDoS attack detection and defense method based on R-SAX | |
Mdini et al. | Monitoring the network monitoring system: Anomaly Detection using pattern recognition | |
Hammerschmidt et al. | Behavioral clustering of non-stationary IP flow record data | |
Chawathe | Analysis of burst header packets in optical burst switching networks | |
CN114039780B (en) | Low-speed DoS attack real-time response method based on flow coefficient | |
Chen et al. | A MSPCA based intrusion detection algorithm tor detection of DDoS attack | |
CN110995713A (en) | Botnet detection system and method based on convolutional neural network | |
CN115334005B (en) | Encryption flow identification method based on pruning convolutional neural network and machine learning | |
Kozik | Distributed system for botnet traffic analysis and anomaly detection | |
Dusi et al. | Ip traffic classification for qos guarantees: The independence of packets | |
CN110995465A (en) | Communication point panoramic view information operation and maintenance method and system | |
Juliette et al. | Online and Scalable Unsupervised Network Anomaly Detection Method | |
Tosi et al. | OPTWIN: Drift identification with optimal sub-windows | |
CN111565187B (en) | DNS (Domain name System) anomaly detection method, device, equipment and storage medium | |
Long et al. | An SR-ISODATA algorithm for IDS alerts aggregation | |
Simmross-Wattenberg et al. | Modelling network traffic as α-stable stochastic processes: An approach towards anomaly detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |