Construction of a DDoS attack malicious behavior knowledge base
Cite this article: Feiyang LIU, Kun LI, Fei SONG, Huachun ZHOU. Construction of a DDoS attack malicious behavior knowledge base[J]. Telecommunications Science (电信科学), 2021, 37(11): 17-32.
Authors: Feiyang LIU, Kun LI, Fei SONG, Huachun ZHOU
Affiliation: School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China
Funding: National Key Research and Development Program of China (2018YFA0701604)
Abstract: To address the lack of research on knowledge bases for distributed denial of service (DDoS) attacks, a method for constructing a DDoS attack malicious behavior knowledge base is proposed. The knowledge base is built on a knowledge graph and has two parts: a malicious traffic detection base and a network security knowledge base. The malicious traffic detection base detects and classifies the malicious traffic generated by DDoS attacks; the network security knowledge base models DDoS malicious behavior from traffic features and attack frameworks, and performs inference, tracing and feedback on that behavior. On this basis, a distributed knowledge base is built on the DDoS open threat signaling (DOTS) protocol to provide data transfer between distributed nodes, DDoS attack defense and malicious traffic mitigation. Experimental results show that the knowledge base can detect and mitigate DDoS-generated malicious traffic at multiple gateways, supports knowledge update and inference between distributed knowledge bases, and scales well.
Keywords: DDoS, distributed, knowledge graph, malicious behavior knowledge base
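The abstract describes a pipeline of detection, classification, knowledge-graph inference, tracing and a DOTS signaling step. The following is an added toy illustration of that pipeline, not the authors' system or code: a rule-based detector over constructed flow records, a hand-written triple store standing in for the knowledge graph, inference over `isA` edges, a tracing step, and the JSON rendering of a DOTS signal-channel mitigation-scope as shown in RFC 9132 (the real DOTS wire format is CBOR over CoAP, and the thresholds, triples and IP addresses below are assumptions chosen for the example).

```python
"""Toy DDoS malicious-behavior knowledge base (illustrative, not the paper's implementation)."""
from collections import defaultdict
import json

# Assumed detection thresholds (packets per aggregate) for the toy detector.
SYN_FLOOD_PKTS = 2000
UDP_FLOOD_PKTS = 8000
PROTO_NUM = {"tcp": 6, "udp": 17}  # IANA protocol numbers used by DOTS target-protocol

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, tcp_flags, packets).
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 80, "tcp", "S", 900),
    ("198.51.100.8", "203.0.113.10", 80, "tcp", "S", 850),
    ("198.51.100.9", "203.0.113.10", 80, "tcp", "S", 820),
    ("192.0.2.55", "203.0.113.10", 80, "tcp", "SA", 40),    # completed handshakes, benign
    ("192.0.2.56", "203.0.113.10", 443, "tcp", "PA", 120),  # established session, benign
    ("198.51.100.20", "203.0.113.11", 53, "udp", "", 5000), # DNS burst below threshold
]

# Hand-written knowledge graph triples (subject, predicate, object); assumed, not from the paper.
KG = [
    ("syn_flood", "isA", "ddos_attack"),
    ("syn_flood", "hasFeature", "tcp_syn_only_volume_high"),
    ("syn_flood", "mitigatedBy", "syn_cookies"),
    ("udp_flood", "isA", "ddos_attack"),
    ("udp_flood", "hasFeature", "udp_packet_rate_high"),
    ("udp_flood", "mitigatedBy", "udp_rate_limit"),
    ("ddos_attack", "mitigatedBy", "upstream_blackhole"),
]


def detect(flows):
    """Detection + classification: aggregate per (dst, port) and apply the two toy rules."""
    syn_only, udp = defaultdict(int), defaultdict(int)
    for _src, dst, port, proto, flags, pkts in flows:
        if proto == "tcp" and flags == "S":
            syn_only[(dst, port)] += pkts
        elif proto == "udp":
            udp[(dst, port)] += pkts
    hits = [("syn_flood", d, p, "tcp") for (d, p), n in syn_only.items() if n >= SYN_FLOOD_PKTS]
    hits += [("udp_flood", d, p, "udp") for (d, p), n in udp.items() if n >= UDP_FLOOD_PKTS]
    return hits


def infer(kg, subject, predicate):
    """Inference: objects of `predicate` for `subject` and everything it inherits via isA."""
    found, frontier, seen = set(), [subject], set()
    while frontier:
        node = frontier.pop()
        if node in seen:
            continue
        seen.add(node)
        for sub, pred, obj in kg:
            if sub != node:
                continue
            if pred == predicate:
                found.add(obj)
            elif pred == "isA":
                frontier.append(obj)
    return found


def trace_sources(flows, dst, port, proto):
    """Tracing: the sources that fed the flagged aggregate (SYN-only flows for TCP)."""
    return {src for src, d, p, pr, flags, _ in flows
            if d == dst and p == port and pr == proto and (proto != "tcp" or flags == "S")}


def dots_mitigation_request(dst, port, proto, lifetime=3600):
    """JSON rendering of a DOTS signal-channel mitigation-scope as shown in RFC 9132.
    On the wire DOTS uses CBOR over CoAP; the JSON form is the RFC's readable view."""
    return {
        "ietf-dots-signal-channel:mitigation-scope": {
            "scope": [{
                "target-prefix": [f"{dst}/32"],
                "target-port-range": [{"lower-port": port}],
                "target-protocol": [PROTO_NUM[proto]],
                "lifetime": lifetime,
            }]
        }
    }


def respond(flows, kg=KG):
    """Run the pipeline and return one record per detected attack."""
    return [{
        "attack": attack,
        "features": sorted(infer(kg, attack, "hasFeature")),
        "mitigations": sorted(infer(kg, attack, "mitigatedBy")),
        "sources": sorted(trace_sources(flows, dst, port, proto)),
        "dots_request": dots_mitigation_request(dst, port, proto),
    } for attack, dst, port, proto in detect(flows)]


if __name__ == "__main__":
    print(json.dumps(respond(FLOWS), indent=2))
```

The inherited `upstream_blackhole` mitigation shows what the graph adds over a flat signature table: a new attack class only needs an `isA` edge to pick up the generic DDoS responses, and the same mitigation scope can be handed to a DOTS server without the detector knowing how the upstream enforces it.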
This article is indexed by Wanfang Data and other databases.