基于条件随机场的DDoS 攻击检测方法
作者:
基金项目:

国家自然科学基金(61070198, 60970034, 60903040)


Detection Approach of DDoS Attacks Based on Conditional Random Fields
Author:
  • 摘要
  • | |
  • 访问统计
  • |
  • 参考文献 [28]
  • |
  • 相似文献 [20]
  • |
  • 引证文献
  • | |
  • 文章评论
    摘要:

    近年来,基于机器学习算法的分布式拒绝服务(distributed denial-of-service,简称DDoS)攻击检测技术已取得了很大的进展,但仍存在一些不足:(1) 不能充分利用蕴涵于标记和特征观测序列中的上下文信息;(2) 对多特征的概率分布存在过强的假设.条件随机场模型具有融合利用上下文信息和多特征的能力,将其应用于DDoS 检测,能够有效地弥补上述不足.提出了一种基于条件随机场的DDoS 攻击检测方法:首先,定义流特征条件熵(traffic feature conditional entropy,简称TFCE)、行为轮廓偏离度(behavior profile deviate degree,简称BPDD)两组统计量,对TCP flood,UDP flood,ICMP flood 这3 类攻击的特点进行描述;然后以此为基础,使用条件随机场,通过对其有效训练,分别为3 类攻击建立分类模型;最后,通过对模型的有效训练,应用模型推断来完成对DDoS 攻击的检测.实验结果表明,该方法能够充分发挥条件随机场模型的优势,准确区分正常流量和攻击流量,与同类方法相比,具有更好的抗背景流量干扰的能力.

    Abstract:

    In recent years, the detection technology based on machine learning algorithms for distributed denialof- service (DDoS) attacks has made great progress. However, there are still some deficiencies, which are: (1) being unable to make full use of contextual information in both the label and observed features series; (2) making too strong assumptions on the probability distribution of multiple features. Featured with the strong capability in integrating and exploiting contextual information and multiple features, the conditional random fields (CRF) model can be applied to detect DDoS attacks for effectively overcoming the above mentioned problems. A detection approach based on CRF model is proposed in this paper. First, two group of statistics are defined, which include traffic feature conditional entropy (TFCE) and behavior profile deviate degree (BPDD), to depict the characteristics of three types DDoS attacks: TCP flood, UDP flood and ICMP flood. Then, the CRF is trained to build the classification model for the addressed three types of attacks respectively. Lastly, the trained CRF models are used to identify the attacks with model inference. The experimental results demonstrate that the proposed approach can sufficiently exploit the advantages of CRF. The proposed detection approach not only can distinguish between attack traffic and normal traffic accurately, but is also more robust to resist disturbance of background traffic than the similar approaches.

    参考文献
    [1] Moore D, Voelker G, Savage S. Inferring Internet denial-of-service activity. In: Proc. of the 10th USENIX Security Symp. Washington, 2001. 9?22. [doi: 10.1145/1132026.1132027]
    [2] Jiang H, Dovrolis C. Why is the Internet traffic bursty in short time scales? In: Proc. of the ACM SIGMETRICS 2005. New York, 2005. 241?252. [doi: 10.1145/1071690.1064240]
    [3] Sang A, Li SQ. A predictability analysis of network traffic. In: Proc. of the INFOCOM 2000. Tel Aviv, 2000. 342?351. [doi: 10.1109/INFCOM.2000.832204]
    [4] Lafferty JD, McCallum A, Pereira FCN. Conditional random fields: Probabilistic models for segmenting and labeling sequence data. In: Brodley C, Danyluk A, eds. Proc. of the 18th Int’l Conf. on Machine Learning (ICML 2001). San Francisco: Morgan Kaufmann Publishers, 2001. 282?289.
    [5] Lakhina A, Crovella M, Diot C. Diagnosing network-wide traffic anomalies. In: Proc. of the ACM SIGCOMM 2004. Portland, 2004. 219?230. [doi: 10.1145/1015467.1015492]
    [6] Peng T, Leckie C, Ramamohanarao K. Proactively detecting distributed denial of service attacks using source IP address monitoring. In: Proc. of the 3rd Int’l IFIP-TC6 Networking Conf. Athens, 2004. 771?782. [doi: 10.1007/978-3-540-24693-0_63]
    [7] Sun ZX, Li QD. Defending DDos attacks based on the source and destination IP address database. Journal of Software, 2007, 18(10):2613?2623 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/18/2613.htm [doi: 10.1360/jos182613]
    [8] Sun QD, Zhang DY, Gao P. Detecting distributed denial of service attacks based on time series analysis. Chinese Journal of Computers, 2005,28(5):767?773 (in Chinese with English abstract).
    [9] Lakhina A, Crovella M, Diot C. Mining anomalies using traffic feature distributions. In: Proc. of the ACM SIGCOMM 2005. Philadelphia, 2005. 217?228. [doi: 10.1145/1090191.1080118]
    [10] Gil TM, Poletto M. Multops: A data-structure for bandwidth attack detection. In: Proc. of the 10th USENIX Security of Symp. Washington, 2001. 3?14.
    [11] Kim Y, Lau WC, Chuah MC, Chao HJ. PacketScore—A statistics-based packet filtering scheme against distributed denial-ofservice attacks. IEEE Trans. on Dependable and Secure Computing, 2006,3(2):141?155. [doi: 10.1109/TDSC.2006.25]
    [12] Zhou DQ, Zhang HF, Zhang SW, Hu XP. A DDoS attack detection method based on hidden Markov model. Journal of Computer Research and Development, 2005,42(9):1594?1599 (in Chinese with English abstract). [doi: 10.1360/crad20050921]
    [13] Noh S, Jung G, Choi K, Lee C. Compiling network traffic into rules using soft computing methods for the detection of flooding attacks. Applied Soft Computing, 2008,8(3):1200?1210. [doi: 10.1016/j.asoc.2007.02.016]
    [14] Ghahramani Z. An introduction to hidden Markov models and Bayesian networks. Int’l Journal of Pattern Recognition and Artificial Intelligence, 2001,15(1):9?42. [doi: 10.1142/S0218001401000836]
    [15] Zhong P, Wang RS. Using combination of statistical models and multilevel structural information for detecting urban areas from a single gray-level image. IEEE Trans. on Geoscience and Remote Sensing, 2007,45(5):1469?1482. [doi: 10.1109/TGRS.2007. 893739]
    [16] McCallum A, Li W. Early results for named entity recognition with conditional random fields, feature induction and Web-enhanced lexicons. In: Proc. of the 7th CoNLL. Edmonton: Morgan Kaufmann Publishers, 2003. 188?191. [doi: 10.3115/1119176.1119206]
    [17] Gupta KK, Nathn B, Kotagiri R. Layered approach using conditional random fields for intrusion detection. IEEE Trans. on Dependable and Secure Computing, 2008,7(1):35?49. [doi: 10.1109/TDSC.2008.20]
    [18] Sun ZX, Tang YW, Zhang W, Gong J, Wang RC. A router anomaly traffic filter algorithm based on character aggregation. Journal of Software, 2006,17(2):295?304 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/17/295.htm [doi: 10.1360/jos170295]
    [19] MIT Lincoln Laboratory. 2000. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html
    [20] Xu M, Chen C, Ying J. A two-layer Markov chain anomaly detection model. Journal of Software, 2005,16(2):276?285 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/16/276.htm
    [21] Li SZ. Markov Random Field Modeling in Image Analysis. 3rd ed., London: Springer-Verlag, 2009. 28?30.
    [22] Kumar S, Hebert M. Discriminative random fields: A discriminative framework for contextual interaction in cassification. In: Proc. of the IEEE Int’l Conf. on Computer Vision. Nice, 2003. 1150?1157. [doi: 10.1109/ICCV.2003.1238478]
    [23] Kumar S, Hebert M. Discriminative fields for modeling spatial dependencies in natural images. In: Proc. of the Conf. on Advances in Neural Information Processing Systems. Vancouver, 2003. 1531?1538.
    [24] Dietterich TG, Ashenfelter A, Bulatov Y. Training conditional random fields via gradient tree boosting. In: Proc. of the Int’l Conf. on Machine Learning. Banff, 2004. 217?224. [doi: 10.1145/1015330.1015428]
    [25] Sha F, Pereira F. Shallow parsing with conditional random fields. In: Proc. of the Human Language Technology Conf. and North American Chapter of the Association for Computational Linguistics (HLT-NAACL 2003). Edmonton: Morgan Kaufmann Publishers, 2003. 213?220. [doi: 10.3115/1073445.1073473]
    [26] Kschischang FR, Frey BJ, Loeliger HA. Factor graphs and the sum-product algorithm. IEEE Trans. on Information Theory, 2001, 47(2):498?519. [doi: 10.1109/18.910572]
    [27] Murphy K. CRF toolbox for matlab. 2004. http://www.cs.ubc.ca/~murphyk/Software/CRF/crfGeneralOld.html
    [28] Chang CC, Lin CJ. LIBSVM: A library for support vector machines. 2001. http://www.csie.ntu.edu.tw/~cjlin/libsvm/
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

刘运,蔡志平,钟平,殷建平,程杰仁.基于条件随机场的DDoS 攻击检测方法.软件学报,2011,22(8):1897-1910

复制
分享
文章指标
  • 点击次数:4695
  • 下载次数: 8695
  • HTML阅读次数: 0
  • 引用次数: 0
历史
  • 收稿日期:2010-04-21
  • 最后修改日期:2010-08-13
文章二维码
您是第19780923位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号