基于深度学习的实时DDoS攻击检测

分布式拒绝服务(DDoS)攻击是一种分布式、协作式的大规模网络攻击方式,提出了一种基于深度学习的DDoS攻击检测方法,该方法包含特征处理和模型检测两个阶段:特征处理阶段对输入的数据分组进行特征提取、格式转换和维度重构;模型检测阶段将处理后的特征输入深度学习网络模型进行检测,判断输入的数据分组是否为DDoS攻击分组.通过ISCX2012数据集训练模型,并通过实时的DDoS攻击对模型进行验证.结果表明,基于深度学习的DDoS攻击检测方法具有高检测精度、对软硬件设备依赖小、深度学习网络模型易于更新等优点.     

基于SNMP和神经网络的DDoS攻击检测

DDoS（Distributed Denial of Service）已经严重威胁计算机网络安全。对DDoS攻击检测的关键是找到能反映攻击流和正常流区别的特征,设计简单高效的算法,实时检测。通过对攻击特点的分析,总结出15个基于SNMP（Simple Network Management Protocol）的检测特征。利用BP神经网络高效的计算性能,设计了基于SNMP和神经网络的DDoS攻击检测模型,提高了检测实时性和准确性。实验表明：该检测模型对多种DDoS攻击都具有很好的检测效果。     

基于隐马尔可夫模型的医院通信网络DDoS攻击检测方法

常规的医院通信网络DDoS攻击检测矩阵结构一般设定为独立形式,致使攻击检测范围的扩大受到限制,进而一定程度上导致DDoS攻击检测召回率下降。针对上述问题,文章提出了一种基于隐马尔可夫模型的医院通信网络DDoS攻击检测方法。该方法根据当前的测定需求及标准对DDoS攻击进行特征提取,采用多目标的方式设计检测矩阵,解析DDoS攻击方向具体位置以及攻击的范围。在此基础上,构建隐马尔可夫医院通信网络DDoS攻击检测模型,采用多元识别+组合处理的方式来实现DDoS攻击的检测目标。测试结果表明：采用本文所设计的方法,DDoS攻击检测召回率可以达到80%以上,对于医院通信网络的攻击检测效率更高,泛化能力明显提升,具有实际的应用价值。     

基于用户信誉值防御DDoS攻击的协同模型

提出了一种基于用户信誉值防御DDoS攻击协同(CDDACR,cooperation defense DDoS attack based on client reputation)模型来检测和防御DDoS攻击.该模型在逻辑上由2个检测代理构成:路由器端的RDA(router detection agent)和服务器端的SDA(server detection agent).RDA对用户数据流进行粗粒度检测,旨在过滤具有明显DDoS攻击特征的恶意数据流;SDA对用户数据流进行细粒度检测,检测并过滤恶意的狡猾攻击和低流量攻击,RDA和SDA协同工作来实时监测网络状况.实验结果表明,CDDACR模型能实时地识别和防御DDoS攻击,并且在异常发生时有效地阻止服务器被攻击的可能性.     

DDoS攻击恶意行为知识库构建

针对分布式拒绝服务（distributed denial of service,DDoS）网络攻击知识库研究不足的问题,提出了DDoS攻击恶意行为知识库的构建方法。该知识库基于知识图谱构建,包含恶意流量检测库和网络安全知识库两部分：恶意流量检测库对 DDoS 攻击引发的恶意流量进行检测并分类;网络安全知识库从流量特征和攻击框架对DDoS 攻击恶意行为建模,并对恶意行为进行推理、溯源和反馈。在此基础上基于DDoS 开放威胁信号（DDoS open threat signaling,DOTS）协议搭建分布式知识库,实现分布式节点间的数据传输、DDoS攻击防御与恶意流量缓解功能。实验结果表明,DDoS攻击恶意行为知识库能在多个网关处有效检测和缓解DDoS攻击引发的恶意流量,并具备分布式知识库间的知识更新和推理功能,表现出良好的可扩展性。     

DDoS攻击原理及其防御机制的研究

DDoS攻击是一种被黑客广泛应用的攻击方式,它以破坏计算机系统或网络的可用性为目标,危害性极大。本文首先介绍了DDoS攻击的攻击原理,接着从DDoS攻击的攻击手段和攻击方式两个方面对DoS攻击进行分类介绍,然后针对DDoS攻击的方式,提出了一种检测和防御DDoS攻击的模型,最后利用入侵检测技术和数据包过滤技术,设计了一个针对DDoS攻击的检测与防御系统,该系统具有配置简单、易于扩展、实用性较强等优点。     

一种新的DDoS攻击检测算法

为了准确及时的进行DDoS攻击检测,提出了一种新的DDoS攻击检测算法。该算法在基于传统的小波分析检测DDoS攻击的基础上融入了主成分分析法和小波分析法中DDoS检测方法,并根据该算法设计相应的模型和算法来检测 DDoS 攻击,并且引入信息论中的信息熵对源IP地址的分散程度进行度量,根据初始阶段Hurst指数及熵值的变化自适应地设定阈值以检测攻击的发生。实验结果表明,该方法大幅度的提高了DDoS检测的速度。     

DDoS攻击原理与防御

分布式拒绝服务攻击(Distributed Denial of Serviece Attack)是目前黑客用的比较多的攻击手段,这种攻击对网络造成的危害性越来越大.为了更好地了解这种攻击的特点,从而避免产生更大的损失,这里从DoS和DDoS的攻击原理进行探讨研究,研究常见的DDOS攻击的类型如Smurf攻击、Trinoo攻击等.根据这些攻击的特点,提出DDoS攻击的检测方法即基于特征的攻击检测和基于异常的攻击检测.这两种检测技术各有所长,在实际使用中往往需要将两者结合起来,共同提高DDoS检测的准确性.     

基于自相似检测DDoS攻击的小波分析方法

针对传统检测方法不能有效检测弱DDoS攻击和区分繁忙业务和攻击的问题,在研究 DDOS攻击对网络流量自相似性影响的基础上,提出了小波分析检测DDoS攻击的方法,并设计了采用该方法检测DDoS攻击的模型,解决了方法实现过程中小波选择、求解Hurst参数的一些关键问题,实验表明,提出的方法能够识别繁忙业务、检测到弱DDoS攻击引起的Hurst参数值的变化,比传统的检测方法准确灵敏.     

基于数字信号处理的一种Shrew DDoS攻击检测方法

首先简要介绍了传统DDoS的一般检测方法，进而介绍了一种新型的DDoS攻击——Shrew DDoS攻击，这是一种不同于传统DDoS的低频攻击。针对这种攻击提出了一种基于数字信号处理的检测方法。     

Research on low-rate DDoS attack of SDN network in cloud environment

Aiming at the problems of low-rate DDoS attack detection accuracy in cloud SDN network and the lack of unified framework for data plane and control plane low-rate DDoS attack detection and defense,a unified framework for low-rate DDoS attack detection was proposed.First of all,the validity of the data plane DDoS attacks in low rate was analyzed,on the basis of combining with low-rate of DDoS attacks in the aspect of communications,frequency characteristics,extract the mean value,maximum value,deviation degree and average deviation,survival time of ten dimensions characteristics of five aspects,to achieve the low-rate of DDoS attack detection based on bayesian networks,issued by the controller after the relevant strategies to block the attack flow.Finally,in OpenStack cloud environment,the detection rate of low-rate DDoS attack reaches 99.3% and the CPU occupation rate is 9.04%.It can effectively detect and defend low-rate DDoS attacks.     

新网络环境下应用层DDoS攻击的剖析与防御

针对新网络环境下近两年新出现的应用层分布式拒绝服务攻击,本文将详细剖析其原理与特点,并分析现有检测机制在处理这种攻击上的不足.最后,本文提出一种基于用户行为的检测机制,它利用Web挖掘的方法通过Web访问行为与正常用户浏览行为的偏离程度检测与过滤恶意的攻击请求,并通过应用层与传输层的协作实现对攻击源的隔离.     

基于HMM的分布式拒绝服务攻击检测方法

文章根据分布式拒绝服务攻击（DDoS）的本质特点，提出了一种基于隐马尔可夫模型（HMM）的DDoS攻击检测方法。该方法通过IP地址信息库．保存当前常用服务的源IP地址，然后对新到数据包的IP地址用HMM建模。通过离线训练，更新IP地址信息库，优化HMM参数。在线检测时，IP地址信息库在线学习更新，HMM实时检测．并根据检测结果通过边界路由器进行积极响应。实验结果显示，该方法具有很好的检测效果，并能及时响应，保持常用服务的延续性。     

Monitoring the Application-Layer DDoS Attacks for Popular Websites

Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. Focusing on the detection for such new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks. The entropy of document popularity fitting to the model is used to detect the potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.      

Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment

For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment,a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection,utilized confidence-based filtering (CBF) method to calculate the CBF score of packets,judged the packet of CBF score below the threshold as an attacking packet,added its attribute information to the attack flow feature library,and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively,and it has high detection efficiency,reduces the controller’s computation overhead,and achieves a low false positive rate.     

The detection method of low-rate DoS attack based on multi-feature fusion

As a new type of Denial of Service (DoS) attacks, the Low-rate Denial of Service (LDoS) attacks make the traditional method of detecting Distributed Denial of Service Attack (DDoS) attacks useless due to the characteristics of a low average rate and concealment. With features extracted from the network traffic, a new detection approach based on multi-feature fusion is proposed to solve the problem in this paper. An attack feature set containing the Acknowledge character(ACK) sequence number, the packet size, and the queue length is used to classify normal and LDoS attack traffics. Each feature is digitalized and preprocessed to fit the input of the K-Nearest Neighbor (KNN) classifier separately, and to obtain the decision contour matrix. Then a posteriori probability in the matrix is fused, and the fusion decision index D is used as the basis of detecting the LDoS attacks. Experiments proved that the detection rate of the multi-feature fusion algorithm is higher than those of the single-based detection method and other algorithms.     

UDM:NFV-based prevention mechanism against DDoS attack on SDN controller

DDoS attack extensively existed have been mortal threats for the software-defined networking (SDN) controllers and there is no any security mechanism which can prevent them yet.Combining SDN and network function virtualization (NFV),a novel preventing mechanism against DDoS attacks on SDN controller called upfront detection middlebox (UDM) was proposed.The upfront detection middlebox was deployed between SDN switch interfaces and user hosts distributed,and DDoS attack packets were detected and denied.An NFV-based method of implementing the upfront middlebox was put forward,which made the UDM mechanism be economical and effective.A prototype system based on this mechanism was implemented and lots experiments were tested.The experimental results show that the UDM mechanism based on NFV can real-time and effectively detect and prevent against DDoS attacks on SDN controllers.     

LDDoS attack detection method based on wavelet decomposition and sliding windows

As a special type of distributed denial of service (DDoS) attacks, the low-rate DDoS (LDDoS) attacks have characteristics of low average rate and strong concealment, thus, it is hard to detect such attacks by traditional approaches. Through signal analysis, a new identification approach based on wavelet decomposition and sliding detecting window is proposed. Wavelet decomposition extracted from the traffic are used for multifractal analysis of traffic over different time scale. The sliding window from flow control technology is designed to identify the normal and abnormal traffic in real-time. Experiment results show that the proposed approach has advantages on detection accuracy and timeliness.