CN112804250A - LDoS attack detection and mitigation scheme based on integrated learning and peak-finding algorithm - Google Patents


Info

Publication number: CN112804250A (application CN202110130808.1A)
Authority: CN (China)
Prior art keywords: detection, flow, attack, ldos attack, algorithm
Legal status: Granted (active)
Original language: Chinese (zh)
Other versions: CN112804250B (granted version)
Inventors: 汤澹, 张斯琦, 陈静文, 冯叶, 王曦茵, 李欣萌
Assignee (original and current): Hunan University
Priority / filing date: 2021-01-29
Publication date: 2021-05-14 (CN112804250A); grant published 2022-05-13 (CN112804250B)

Classifications

    • H04L 63/1458: Denial of Service (under H04L 63/1441 Countermeasures against malicious traffic; H04L 63/14 Detecting or protecting against malicious traffic; H04L 63/00 Network architectures or protocols for network security)
    • H04L 63/1416: Event detection, e.g. attack signature detection (under H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic)
    • G06N 20/20: Ensemble learning (under G06N 20/00 Machine learning)


Abstract

The invention discloses an LDoS attack detection and mitigation scheme based on ensemble learning (rendered "integrated learning" in the title) and a peak-finding algorithm, belonging to the field of computer network security. The method comprises: the SDN controller collects the traffic passing through a bottleneck link over a period of time as training data. A sliding window divides the training data into detection windows, and each window is labelled normal (no LDoS attack) or abnormal (an LDoS attack occurred). For each detection window the mean, coefficient of variation, mean absolute time derivative and accumulated waveform length of the TCP traffic are calculated as features. The labels and features are fed to an ensemble learning algorithm to train a classifier, which then classifies test data collected in real time. If a window is classified as abnormal, the attacker is located with a peak-finding algorithm and the attack flow is discarded; otherwise real-time sampling continues. The scheme can effectively detect LDoS attacks and quickly mitigate their effects.

Description

LDoS attack detection and mitigation scheme based on integrated learning and peak-finding algorithm
Technical Field
The invention belongs to the field of computer network security and in particular relates to an LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm.
Background
An LDoS (Low-rate Denial of Service) attack is a variant of the denial-of-service attack that exploits the adaptive mechanisms of network protocols, classically the retransmission timeout and congestion control of TCP. By sending short, periodic high-rate attack pulses it keeps its average rate low while seriously degrading quality of service, so that legitimate users cannot effectively reach the server.
Existing real-time detection and mitigation schemes for LDoS attacks have the following problems. First, the traffic profile during an LDoS attack closely resembles that of many legitimate users accessing the network at once; the attack is therefore highly covert and hard to identify with a traditional firewall or anti-DoS mechanism. Second, existing real-time LDoS detection methods have shortcomings such as high cost, poor scalability, low detection accuracy, inability to handle large data volumes and weak real-time performance. Third, under a traditional network architecture, deploying a mitigation scheme requires extra equipment or changes to existing protocols, which is costly and hard to implement.
SDN (Software Defined Networking) is a network architecture that decouples the control plane from the data plane, centralises control of the data-path elements and is programmable. On an SDN, a user can write software at the application layer that calls controller functions through a uniform programming interface, and thereby manage the underlying devices and flows.
The invention provides an LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm. It uses the programmability and centralised control of the SDN to detect and mitigate LDoS attacks in real time. The scheme has two stages: real-time detection and attack mitigation. Real-time detection is based on an ensemble learning algorithm, namely a histogram-based gradient boosting piecewise linear decision tree; attack mitigation is based on a peak-finding algorithm.
Disclosure of Invention
To address the shortcomings of existing LDoS attack detection and mitigation schemes, an LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm is provided. The scheme detects and mitigates LDoS attacks in the network in real time without additional equipment or changes to network protocols, has high accuracy and low complexity, and can handle large data volumes. It can therefore be applied generally to the accurate detection and rapid mitigation of LDoS attacks.
The technical solution adopted by the invention is as follows. The LDoS attack detection and mitigation scheme comprises four main steps: data sampling, feature calculation, attack detection and attack mitigation.
1. Data sampling. The SDN controller polls and samples the TCP traffic and UDP traffic passing through a bottleneck link over a period of time as training data; the polling interval is 0.5 seconds. (The interval must be short compared with the attack's pulse period, otherwise the pulses are averaged away in the samples.) The polled training data contain both network traffic under LDoS attack and normal (no LDoS attack) network traffic. The training data are then divided into a number of detection windows with a sliding window algorithm, whose window size and step are fixed values chosen by the user. Each detection window is labelled: normal if no LDoS attack occurred in it, abnormal if one did.
2. Feature calculation. For each detection window, the mean, coefficient of variation, mean absolute time derivative and accumulated waveform length of the TCP traffic are calculated by formula. Let $X$ denote the TCP traffic sequence sampled in real time, $x_i$ ($i = 1, 2, \ldots, n$) the samples in $X$, and $n$ the size of the sliding window.
The mean reflects the central tendency of the data; when an LDoS attack occurs, the mean network traffic is markedly lower than in the normal state. The mean is calculated as:
$$\mathrm{mean} = \frac{1}{n}\sum_{i=1}^{n} x_i$$
The coefficient of variation reflects the dispersion of the data; under an LDoS attack the coefficient of variation of the network traffic is higher than in the normal state. It is the standard deviation $\sigma$ of the window divided by its mean:
$$\mathrm{variation} = \frac{\sigma}{\mathrm{mean}}, \qquad \sigma = \sqrt{\frac{1}{n}\sum_{i=1}^{n}\left(x_i - \mathrm{mean}\right)^2}$$
The mean absolute time derivative madiff reflects the average fluctuation of the data. Under an LDoS attack the network traffic fluctuates strongly, so its mean absolute time derivative is higher than in the normal state. The formula for the mean absolute time derivative is:
Figure BDA0002925179900000023
The accumulated waveform length wavelen reflects the overall fluctuation of the data. Under an LDoS attack the network traffic fluctuates strongly, so its accumulated waveform length is higher than in the normal state. The formula for the accumulated waveform length is:
Figure BDA0002925179900000024
Because traffic collected in different periods differs in scale, which strongly affects the mean absolute time derivative and the accumulated waveform length, the TCP traffic in each detection window is 0-1 normalised before these two features are calculated. Let $x_i'$ denote the normalised data; the 0-1 normalisation is:
$$x_i' = \frac{x_i - \min X}{\max X - \min X}$$
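The feature step above, as an added runnable example (not the patent's own code). The patent's formula images are not reproduced on this page, so two definitions here are assumptions: madiff is taken as the mean absolute first difference of the 0-1 normalised window, and wavelen as its accumulated arc length, the sum of sqrt(1 + (x'[i+1] - x'[i])^2). The sample traffic series are constructed, not captured.

```python
"""Detection-window features of step 2, as an added, runnable illustration.

Not the patent's code. Assumed definitions (formula images not reproduced on the page):
  - madiff  : mean absolute first difference of the 0-1 normalised window
  - wavelen : accumulated arc length of the 0-1 normalised window, sum of sqrt(1 + d^2)
mean and cv (population standard deviation / mean) are computed on the raw window, as in the text.
"""
import math
from typing import Dict, Iterator, List, Sequence


def minmax_normalise(xs: Sequence[float]) -> List[float]:
    """0-1 normalisation x' = (x - min X) / (max X - min X); a flat window maps to all zeros."""
    lo, hi = min(xs), max(xs)
    if hi == lo:
        return [0.0] * len(xs)
    return [(x - lo) / (hi - lo) for x in xs]


def window_features(xs: Sequence[float]) -> Dict[str, float]:
    """The four features of one detection window of TCP traffic samples."""
    n = len(xs)
    if n < 2:
        raise ValueError("a detection window needs at least two samples")
    mean = sum(xs) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in xs) / n)
    cv = std / mean if mean else float("inf")          # zero traffic: treat as maximally dispersed
    xn = minmax_normalise(xs)
    diffs = [xn[i + 1] - xn[i] for i in range(n - 1)]
    madiff = sum(abs(d) for d in diffs) / (n - 1)
    wavelen = sum(math.sqrt(1.0 + d * d) for d in diffs)
    return {"mean": mean, "cv": cv, "madiff": madiff, "wavelen": wavelen}


def sliding_windows(series: Sequence[float], size: int, step: int) -> Iterator[Sequence[float]]:
    """Fixed-size windows with a fixed step, as the scheme's sliding-window algorithm prescribes."""
    for start in range(0, len(series) - size + 1, step):
        yield series[start:start + size]


def featurise(series: Sequence[float], size: int, step: int) -> List[Dict[str, float]]:
    """Feature vector for every detection window of a sampled series."""
    return [window_features(w) for w in sliding_windows(series, size, step)]


# Constructed sample data (not a real capture): TCP throughput in Mbit/s polled every 0.5 s.
# NORMAL_TCP drifts smoothly; ATTACK_TCP collapses every 2 s when a UDP pulse fills the bottleneck.
NORMAL_TCP = [9.6, 9.65, 9.7, 9.75, 9.8, 9.85, 9.8, 9.75, 9.7, 9.65, 9.6, 9.55]
ATTACK_TCP = [9.5, 1.2, 0.4, 6.8, 9.1, 1.0, 0.3, 7.2, 9.3, 0.9, 0.5, 7.0]

if __name__ == "__main__":
    for name, series in (("normal", NORMAL_TCP), ("attack", ATTACK_TCP)):
        f = window_features(series)
        print(f"{name:7s} mean={f['mean']:.2f} cv={f['cv']:.3f} "
              f"madiff={f['madiff']:.3f} wavelen={f['wavelen']:.2f}")
```

Because the two derivative features are computed on a per-window 0-1 normalised series, a normal window with sample-to-sample jitter of the same shape as an attack window can score almost as high as it; the per-window normalisation removes scale, not shape, so the mean and coefficient of variation (computed on raw values) carry the scale information.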
3. Attack detection. A classifier is trained with an ensemble learning algorithm on the features calculated from the training data. The ensemble learning algorithm used is a histogram-based gradient boosting piecewise linear decision tree, and training has three steps:
1) bin the calculated training features at percentile boundaries and build a feature histogram;
2) from the feature histogram, calculate the gradient and Hessian of each bin and record their accumulated values
$$G_{bin} = \sum_{i \in bin} g_i \qquad \text{and} \qquad H_{bin} = \sum_{i \in bin} h_i$$
where $bin$ denotes a bin, $h_i$ is the Hessian of data point $x_i$ (the second partial derivative of the loss with respect to the prediction) and $g_i$ is the gradient of data point $x_i$ (the first partial derivative of the loss with respect to the prediction);
3) using the feature histogram and the recorded accumulated values, iteratively build a second-order gradient piecewise linear decision tree, updating the gradients and Hessians at every iteration until the maximum number of iterations or the minimum of the loss function is reached, then stop and store the trained classifier. The maximum number of iterations is set by the user (default 100), and the loss function for splitting decision tree nodes is based on information gain. In information theory and machine learning, information gain is the amount of information about a random variable or signal obtained by observing another random variable; an attribute with higher mutual information is generally preferred over the others. The information gain is calculated as follows:
Figure BDA0002925179900000034
Figure BDA0002925179900000035
where Ent denotes information entropy, $a_i$ ($i = 1, 2, \ldots, m$) the features of $X$, $m$ the feature dimension and $j$ the node of the decision tree partition.
The stored classifier classifies each detection window of the TCP traffic sampled in real time. Real-time sampling also uses a sliding window, so newly arrived traffic is analysed together with recent history and a prediction can be made sooner. Each window is classified as normal (no LDoS attack) or abnormal (LDoS attack). When the result is normal, real-time sampling simply continues; when it is abnormal, the attack mitigation step is carried out.
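Training steps 1) to 3) above, reduced to a single histogram-based boosting round on one feature, as an added example that is not the patent's code. Two assumptions fill in what the patent's formula images do not show here: a binary logistic loss with a constant initial score, so that g_i = p - y_i and h_i = p(1 - p), and the usual second-order split gain of gradient boosting, 0.5[G_L^2/(H_L+λ) + G_R^2/(H_R+λ) - (G_L+G_R)^2/(H_L+H_R+λ)], in place of the page's information-gain formula. A full model repeats this search over every feature and node for up to the configured number of iterations. The training values and labels are constructed.

```python
"""One histogram-based boosting step (steps 1 to 3 above), as an added example; not the patent's code.

Assumptions (the patent's loss/gain formula images are not reproduced on this page):
  - binary logistic loss at a constant initial score, so for label y in {0,1} and probability p,
    g_i = p - y_i and h_i = p * (1 - p);
  - a split is scored with the standard second-order gain of gradient boosting.
Fits one depth-1 tree (a stump) on one feature.
"""
from typing import Dict, List, Sequence, Tuple


def percentile_bin_edges(values: Sequence[float], n_bins: int) -> List[float]:
    """Step 1: bin boundaries at the k/n_bins percentiles; duplicate edges are collapsed."""
    s = sorted(values)
    edges: List[float] = []
    for k in range(1, n_bins):
        e = s[min(len(s) - 1, int(k * len(s) / n_bins))]
        if not edges or e > edges[-1]:
            edges.append(e)
    return edges


def bin_index(v: float, edges: Sequence[float]) -> int:
    """Bin b holds values with edges[b-1] <= v < edges[b]; the last bin is open-ended."""
    b = 0
    while b < len(edges) and v >= edges[b]:
        b += 1
    return b


def logistic_gh(labels: Sequence[int], p0: float = 0.5) -> Tuple[List[float], List[float]]:
    """Per-sample gradient g_i and Hessian h_i of the logistic loss at a constant score p0."""
    return [p0 - y for y in labels], [p0 * (1.0 - p0)] * len(labels)


def histogram_gh(values, grads, hess, edges) -> Tuple[List[float], List[float]]:
    """Step 2: accumulated G_bin and H_bin per bin, so the split search never revisits samples."""
    G = [0.0] * (len(edges) + 1)
    H = [0.0] * (len(edges) + 1)
    for v, g, h in zip(values, grads, hess):
        b = bin_index(v, edges)
        G[b] += g
        H[b] += h
    return G, H


def best_split(G, H, edges, lam: float = 1.0) -> Tuple[float, float]:
    """Step 3: scan the bin boundaries once (left = bins 0..b) and keep the highest gain."""
    GT, HT = sum(G), sum(H)
    base = GT * GT / (HT + lam)
    best_gain, best_thr = 0.0, float("nan")
    GL = HL = 0.0
    for b, thr in enumerate(edges):
        GL += G[b]
        HL += H[b]
        GR, HR = GT - GL, HT - HL
        if HL <= 0.0 or HR <= 0.0:          # an empty side is not a valid split
            continue
        gain = 0.5 * (GL * GL / (HL + lam) + GR * GR / (HR + lam) - base)
        if gain > best_gain:
            best_gain, best_thr = gain, thr
    return best_gain, best_thr


def fit_stump(values, labels, n_bins: int = 4, lam: float = 1.0) -> Dict[str, float]:
    """Fit one stump on one feature: threshold plus leaf scores -G/(H+lam) for each side."""
    edges = percentile_bin_edges(values, n_bins)
    grads, hess = logistic_gh(labels)
    G, H = histogram_gh(values, grads, hess, edges)
    gain, thr = best_split(G, H, edges, lam)
    GL = sum(g for v, g in zip(values, grads) if v < thr)
    HL = sum(h for v, h in zip(values, hess) if v < thr)
    GR, HR = sum(grads) - GL, sum(hess) - HL
    return {"gain": gain, "threshold": thr,
            "left": -GL / (HL + lam), "right": -GR / (HR + lam)}


# Constructed training set (not from a real capture): the per-window mean TCP throughput feature,
# label 1 = abnormal (LDoS attack present), 0 = normal.
MEANS = [9.6, 9.8, 9.7, 9.9, 9.5, 9.8, 4.1, 3.8, 4.6, 3.5, 4.9, 4.3]
LABELS = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]

if __name__ == "__main__":
    print(fit_stump(MEANS, LABELS))
```

With four percentile bins the search only evaluates three candidate thresholds, which is why histogram binning keeps the cost per split proportional to the number of bins rather than the number of samples; the price is that a threshold can only fall on a bin edge.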
4. Attack mitigation. Keyed by source IP, the SDN controller samples the UDP traffic of each IP in real time, again with a sliding window. The attacker's IP is located by applying a peak-finding algorithm to the sampled UDP detection windows. The peak-finding algorithm has three steps:
1) From the UDP traffic of the normal and abnormal detection windows in the training data, the local maxima of the UDP traffic in each window are taken as peaks, and the prominence ("projection degree") and width of every peak are calculated. Two thresholds that separate normal from abnormal windows are derived: a prominence threshold pth and a width threshold wth. pth is a prominence value that clearly separates the two kinds of window. For wth, the standard deviation of the sequence of peak widths in each detection window is calculated, and wth is the value of that standard deviation that clearly separates the two kinds of window.
2) Sample the UDP traffic keyed by IP in real time and, for each UDP flow, count the peaks whose prominence exceeds pth. If the count is greater than 1, the flow is treated as an attack flow, its IP is recorded and the attacker has been located; otherwise proceed to the next step.
3) For each sampled UDP flow, record the width of every peak to obtain a sequence of widths and calculate its standard deviation. If the standard deviation is less than wth (the pulses are of nearly uniform width), the flow is treated as an attack flow, its IP is recorded and the attacker has been located.
Once the attacker's IP has been located it is added to a blacklist, and the controller is instructed to install a flow rule that discards traffic from blacklisted IPs, which mitigates the LDoS attack in the SDN. Note that the scheme keys on the source IP only, so a source that spoofs or rotates its address is not covered by the blacklist.
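The three peak-finding steps and the blacklist of claim 9, as an added runnable example (not the patent's code). Prominence is implemented as topographic prominence (height above the higher of the two valleys that bound the peak before a taller sample is met) and width as the number of contiguous samples above the half-prominence level; both definitions, the threshold values pth and wth, the per-IP UDP series and the IP addresses are assumptions constructed for the example, where the scheme derives the thresholds from labelled training windows.

```python
"""Attacker localisation of step 4 with a peak-finding pass, as an added, runnable example.

Not the patent's code. Assumptions: "projection degree" = topographic prominence; width = number of
contiguous samples above the half-prominence level; pth/wth and the traffic series are constructed.
"""
import statistics
from typing import Dict, List, Sequence


def find_peaks(xs: Sequence[float]) -> List[int]:
    """Indices of strict interior local maxima (the scheme's peaks)."""
    return [i for i in range(1, len(xs) - 1) if xs[i] > xs[i - 1] and xs[i] > xs[i + 1]]


def prominence(xs: Sequence[float], p: int) -> float:
    """Height of peak p above the higher of the lowest points on each side before a taller sample."""
    h = xs[p]
    left_min, i = h, p - 1
    while i >= 0 and xs[i] <= h:
        left_min = min(left_min, xs[i])
        i -= 1
    right_min, i = h, p + 1
    while i < len(xs) and xs[i] <= h:
        right_min = min(right_min, xs[i])
        i += 1
    return h - max(left_min, right_min)


def width(xs: Sequence[float], p: int, prom: float) -> int:
    """Samples contiguous with p that stay above the half-prominence level."""
    level = xs[p] - prom / 2.0
    lo = p
    while lo > 0 and xs[lo - 1] > level:
        lo -= 1
    hi = p
    while hi < len(xs) - 1 and xs[hi + 1] > level:
        hi += 1
    return hi - lo + 1


def is_attack_flow(xs: Sequence[float], pth: float, wth: float) -> bool:
    """Step 2: more than one prominent pulse; step 3: pulses of near-identical width."""
    peaks = find_peaks(xs)
    proms = [prominence(xs, p) for p in peaks]
    if sum(1 for pr in proms if pr > pth) > 1:
        return True
    widths = [width(xs, p, pr) for p, pr in zip(peaks, proms)]
    if len(widths) >= 2 and statistics.pstdev(widths) < wth:
        return True
    return False


def locate_attackers(udp_by_ip: Dict[str, Sequence[float]], pth: float, wth: float) -> List[str]:
    """IPs whose sampled UDP flow is judged to be an LDoS attack flow."""
    return sorted(ip for ip, xs in udp_by_ip.items() if is_attack_flow(xs, pth, wth))


class Blacklist:
    """Claim 9: no duplicate entries; entries expire after a user-set validity time (seconds)."""

    def __init__(self, validity: float) -> None:
        self.validity = validity
        self._expires: Dict[str, float] = {}

    def add(self, ip: str, now: float) -> None:
        self._expires[ip] = now + self.validity       # re-adding only refreshes the timer

    def active(self, now: float) -> List[str]:
        self._expires = {ip: t for ip, t in self._expires.items() if t > now}
        return sorted(self._expires)


# Constructed per-source UDP packet counts per 0.5 s poll (not a real capture).
UDP_BY_IP = {
    "10.0.0.9": [0, 0, 80, 0, 0, 0, 0, 80, 0, 0, 0, 0, 80, 0, 0, 0, 0, 80, 0, 0, 0],  # periodic pulses
    "10.0.0.3": [2, 4, 6, 7, 6, 5, 4, 3, 5, 3, 4, 5, 6.5, 6, 5, 4, 3, 5, 8, 5, 3],    # ordinary traffic
    "10.0.0.12": [1, 1, 1, 60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],    # one legitimate burst
}
PTH, WTH = 20.0, 0.5

if __name__ == "__main__":
    bl = Blacklist(validity=300.0)
    for ip in locate_attackers(UDP_BY_IP, PTH, WTH):
        bl.add(ip, now=0.0)
    print("drop flows from:", bl.active(now=0.0))
```

The single large burst from 10.0.0.12 is deliberately left unflagged: step 2 requires more than one prominent peak, and step 3 needs at least two peaks before a width standard deviation means anything. Step 3 is the weaker test in practice, because any low-rate source whose few peaks happen to be equally wide (for example, regular keep-alives) also has a width standard deviation below wth, so wth should be derived from training windows rather than guessed.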
Advantageous effects
The LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm has high detection accuracy, low false-positive and false-negative rates, low time and space complexity, good real-time performance and the capacity to handle large data volumes. It can therefore be used generally and accurately to detect LDoS attacks and to mitigate their adverse effects.
Drawings
Fig. 1 is a diagram of network traffic in an SDN in which an LDoS attack occurs, including TCP traffic and UDP traffic.
Fig. 2 is a diagram comparing the characteristics of an abnormal (occurrence of an LDoS attack) network and a normal (non-occurrence of an LDoS attack) network.
Fig. 3 is a graph comparing peaks of attack and normal flows.
Fig. 4 is a complete framework diagram of an LDoS attack detection and mitigation scheme deployed in an SDN based on an integrated learning and peak-finding algorithm.
Fig. 5 is an algorithm flowchart of an LDoS attack detection and mitigation scheme based on an integrated learning and peak-finding algorithm.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in Fig. 5, the algorithm flow of the LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm has four main steps: data sampling, feature calculation, attack detection and attack mitigation. Data sampling has two parts, training-data sampling and test-data sampling. The sampled training data are divided into detection windows with a sliding window algorithm and each window is labelled normal or abnormal; the test data are sampled in real time with the same sliding window algorithm to obtain detection windows. Feature calculation computes the features of the traffic in each detection window by formula. Attack detection trains an ensemble learning classifier on the detection-window features and labels of the training data, then classifies the detection windows of the test data. If a window is classified as abnormal, attack mitigation locates the attacker with the peak-finding algorithm and discards the traffic from the attacker. The ensemble learning and peak-finding algorithms are the core of the scheme.
Fig. 1 shows the network traffic in an SDN during an LDoS attack; the traffic before the dotted line is in the normal state and the traffic after it is under LDoS attack. In the normal state the TCP traffic and UDP traffic fluctuate smoothly, and TCP is the main traffic in the network. When an LDoS attack occurs, the attacker periodically sends high-rate UDP pulses, which makes the TCP traffic fluctuate drastically and sharply reduces its average, degrading the network service quality.
Fig. 2 compares the features of an abnormal network with those of a normal one: (a) mean of the TCP traffic in the normal and abnormal states, the normal mean being much higher than the abnormal mean; (b) coefficient of variation of the TCP traffic in the two states, the normal value being far lower than the abnormal one; (c) mean absolute time derivative of the TCP traffic in the two states, the normal value being far lower than the abnormal one; (d) accumulated waveform length of the TCP traffic in the two states, the normal value being far lower than the abnormal one. The four features therefore clearly separate a network in the normal state from one in the abnormal state.
Fig. 3 compares the peaks and their attributes in an attack flow (a) and a normal flow (b). The peaks of the normal flow have low prominence and widely varying widths, with no regular pattern, whereas the peaks of the attack flow have high prominence, very similar widths and resemble one another. The attack flow can be located from this difference in how the peaks of the two flows present.
Fig. 4 shows the complete deployment framework of the LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm. The scheme is deployed at the control layer of the SDN. The controller polls the infrastructure layer for traffic and device information; the traffic is analysed and pre-processed and passed to the attack detection module, which classifies it with the pre-trained classifier. The classification result decides whether the mitigation module is activated; the attack mitigation module locates the attacker's IP and adds it to the blacklist, and finally the controller issues a flow rule that discards flows from the blacklisted IP.

Claims (9)

1. An LDoS attack detection and mitigation scheme based on ensemble learning and a peak-finding algorithm, characterised by comprising the following steps:
step 1, data sampling: using a controller of an SDN (software defined network) to collect traffic data passing through a bottleneck link over a period of time, the traffic data comprising TCP (transmission control protocol) traffic and UDP (user datagram protocol) traffic, as training data; dividing the training data into a plurality of detection windows of fixed size with a sliding window algorithm, and labelling the windows;
step 2, feature calculation: calculating the mean, the coefficient of variation, the mean absolute time derivative and the accumulated waveform length of the TCP traffic in each detection window as features;
step 3, attack detection: training a classifier with an ensemble learning algorithm on the features of the detection windows, obtaining TCP detection windows from TCP traffic collected in real time with a sliding window algorithm, and classifying the TCP detection windows with the trained classifier to obtain a classification result;
step 4, attack mitigation: if the classification result of step 3 is that an LDoS attack has occurred, locating the attacker with a peak-finding algorithm and discarding the traffic from the attacker with a flow rule issued by the SDN controller.
2. The LDoS attack detection and mitigation scheme of claim 1, wherein in step 1 the SDN controller polls at intervals of 0.5 seconds to obtain the TCP traffic and UDP traffic passing through the bottleneck link over a period of time as training data, the bottleneck link being the link with the smallest bandwidth in the SDN; the traffic includes data collected during an LDoS attack and normal user access data; the training data are then divided into a series of detection windows of equal size with a sliding window algorithm and labelled, a detection window in which no LDoS attack occurred being labelled normal and a detection window in which an LDoS attack occurred being labelled abnormal.
3. The LDoS attack detection and mitigation scheme of claim 1, wherein in step 2 the mean, the coefficient of variation, the mean absolute time derivative and the accumulated waveform length of the TCP traffic in each detection window obtained in step 1 are calculated as features, and, to avoid the effect of differences in magnitude, the traffic in the detection windows is 0-1 normalised before the mean absolute time derivative and the accumulated waveform length are calculated.
4. The LDoS attack detection and mitigation scheme of claim 1, wherein the attack detection of step 3 comprises three steps:
step 3.1, training a classifier with an ensemble learning algorithm on the detection-window features calculated in step 2 and the detection-window labels obtained in step 1, and storing the classifier;
step 3.2, sampling the TCP traffic flowing through the bottleneck link in real time with the SDN controller, using a sliding window algorithm, to obtain a TCP detection window;
step 3.3, calculating the mean, the coefficient of variation, the mean absolute time derivative and the accumulated waveform length of the TCP detection window of step 3.2 as features, classifying the calculated feature values with the classifier stored in step 3.1, and returning the classification result.
5. The LDoS attack detection and mitigation scheme of claim 4, wherein the ensemble learning algorithm used in step 3.1 is a histogram-based gradient boosting piecewise linear decision tree algorithm, which classifies by constructing a gradient boosting piecewise linear decision tree and uses histogram-based computation for optimisation.
6. The LDoS attack detection and mitigation scheme of claim 4, wherein the classification result of step 3.3 is one of two kinds: normal, meaning no LDoS attack has occurred, and abnormal, meaning an LDoS attack has occurred.
7. The LDoS attack detection and mitigation scheme of claim 1, wherein the attack mitigation of step 4 comprises three steps:
step 4.1, according to the classification result returned in step 3: if the result is normal, the subsequent steps are not carried out; if the result is abnormal, the IP of the attacker is located with a peak-finding algorithm;
step 4.2, adding the IP of the attacker obtained in step 4.1 to a blacklist;
step 4.3, according to the blacklist stored in step 4.2, installing a flow rule on the switch with the SDN controller to discard traffic from the IPs in the blacklist.
8. The LDoS attack detection and mitigation scheme of claim 7, wherein the peak-finding algorithm of step 4.1 locates the attacker from the peak attributes of a single flow, as follows: using a sliding window algorithm and keyed by IP, the SDN controller collects the UDP flows from different IPs in real time; for each collected UDP flow the local maxima are taken as peaks; the attributes of each peak, comprising its width and prominence, are compared with preset thresholds to decide whether the flow is an LDoS attack flow; and if it is, the IP of the UDP flow is recorded.
9. The LDoS attack detection and mitigation scheme of claim 7, wherein the blacklist of step 4.2 holds no duplicate IP records and is cleared automatically when a validity time specified by the user expires.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110130808.1A | 2021-01-29 | 2021-01-29 | LDoS attack detection and mitigation method based on integrated learning and peak-finding algorithm (granted as CN112804250B, status Active)

Publications (2)

Publication Number | Publication Date
CN112804250A | 2021-05-14
CN112804250B | 2022-05-13

Family

ID: 75813096; one family application, CN202110130808.1A (CN), the same application that claims priority above.


Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103139166A * | 2011-11-30 | 2013-06-05 | Civil Aviation University of China (中国民航大学) | Low-rate denial of service (LDoS) attack detection method based on small signal detection theory
CN104125193A * | 2013-04-24 | 2014-10-29 | Civil Aviation University of China (中国民航大学) | LDDoS attack detection method based on chaotic Duffing oscillators
CN105100017A * | 2014-05-12 | 2015-11-25 | Civil Aviation University of China (中国民航大学) | LDoS attack detection method based on signal cross-correlation
US10320813B1 * | 2015-04-30 | 2019-06-11 | Amazon Technologies, Inc. | Threat detection and mitigation in a virtualized computing environment
US20200257507A1 * | 2019-02-08 | 2020-08-13 | Sap Se | Integration of workflow and logical data objects using visual programming
CN110572413A * | 2019-09-27 | 2019-12-13 | Hunan University (湖南大学) | Low-rate denial of service attack detection method based on Elman neural network
CN110719272A * | 2019-09-27 | 2020-01-21 | Hunan University (湖南大学) | LR algorithm-based slow denial of service attack detection method
CN112202791A * | 2020-09-28 | 2021-01-08 | Hunan University (湖南大学) | P-F-based software defined network slow denial of service attack detection method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Dongshuo Zhang, Dan Tang, Liu Tang, Rui Dai, Jingwen Chen: "PCA-SVM-Based Approach of Detecting Low-Rate DoS Attack", 2019 IEEE 21st International Conference on High Performance Computing and Communications *
Yudong Yan, Dan Tang, Sijia Zhan, Rui Dai, Jingwen Chen, Ningbo Zhu: "Low-Rate DoS Attack Detection Based on Improved Logistic Regression", 2019 IEEE 21st International Conference on High Performance Computing and Communications *
颜通, 白志华, 高镇, 闫丽娜, 周蕾: "LDoS attack detection and defence techniques in an SDN environment" (SDN环境下的LDoS攻击检测与防御技术), Journal of Frontiers of Computer Science and Technology (计算机科学与探索) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114039780A * (granted as CN114039780B, 2022-08-16) | 2021-11-10 | 2022-02-11 | Hunan University (湖南大学) | Low-speed DoS attack real-time response method based on flow coefficient
CN115589323A * (granted as CN115589323B, 2024-04-02) | 2022-10-18 | 2023-01-10 | Hunan University (湖南大学) | DLDoS attack detection and mitigation method based on machine learning in the data plane


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant