国家自然科学基金(61070198, 60970034, 60903040)
近年来,基于机器学习算法的分布式拒绝服务(distributed denial-of-service,简称DDoS)攻击检测技术已取得了很大的进展,但仍存在一些不足:(1) 不能充分利用蕴涵于标记和特征观测序列中的上下文信息;(2) 对多特征的概率分布存在过强的假设.条件随机场模型具有融合利用上下文信息和多特征的能力,将其应用于DDoS 检测,能够有效地弥补上述不足.提出了一种基于条件随机场的DDoS 攻击检测方法:首先,定义流特征条件熵(traffic feature conditional entropy,简称TFCE)、行为轮廓偏离度(behavior profile deviate degree,简称BPDD)两组统计量,对TCP flood,UDP flood,ICMP flood 这3 类攻击的特点进行描述;然后以此为基础,使用条件随机场,通过对其有效训练,分别为3 类攻击建立分类模型;最后,通过对模型的有效训练,应用模型推断来完成对DDoS 攻击的检测.实验结果表明,该方法能够充分发挥条件随机场模型的优势,准确区分正常流量和攻击流量,与同类方法相比,具有更好的抗背景流量干扰的能力.
In recent years, the detection technology based on machine learning algorithms for distributed denialof- service (DDoS) attacks has made great progress. However, there are still some deficiencies, which are: (1) being unable to make full use of contextual information in both the label and observed features series; (2) making too strong assumptions on the probability distribution of multiple features. Featured with the strong capability in integrating and exploiting contextual information and multiple features, the conditional random fields (CRF) model can be applied to detect DDoS attacks for effectively overcoming the above mentioned problems. A detection approach based on CRF model is proposed in this paper. First, two group of statistics are defined, which include traffic feature conditional entropy (TFCE) and behavior profile deviate degree (BPDD), to depict the characteristics of three types DDoS attacks: TCP flood, UDP flood and ICMP flood. Then, the CRF is trained to build the classification model for the addressed three types of attacks respectively. Lastly, the trained CRF models are used to identify the attacks with model inference. The experimental results demonstrate that the proposed approach can sufficiently exploit the advantages of CRF. The proposed detection approach not only can distinguish between attack traffic and normal traffic accurately, but is also more robust to resist disturbance of background traffic than the similar approaches.