基于条件随机场的DDoS 攻击检测方法

doi:10.3724/SP.J.1001.2011.03960

微信服务号

微信订阅号

2025年4月3日 14:56 星期四

首页 > 过刊浏览>2011年第22卷第8期 >1897-1910. DOI:10.3724/SP.J.1001.2011.03960

PDF HTML阅读 XML下载导出引用引用提醒

基于条件随机场的DDoS 攻击检测方法
DOI:
                        10.3724/SP.J.1001.2011.03960
                    
CSTR:
                        
                    
作者:
                        刘运刘运
国防科学技术大学 计算机学院,湖南 长沙 410073
在期刊界中查找
在百度中查找
在本站中查找
蔡志平蔡志平
国防科学技术大学 计算机学院,湖南 长沙 410073
在期刊界中查找
在百度中查找
在本站中查找
钟平钟平
国防科学技术大学 电子科学与工程学院,湖南 长沙 410073
在期刊界中查找
在百度中查找
在本站中查找
殷建平殷建平
国防科学技术大学 计算机学院,湖南 长沙 410073
在期刊界中查找
在百度中查找
在本站中查找
程杰仁程杰仁
国防科学技术大学 计算机学院,湖南 长沙 410073
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:
通讯作者:
中图分类号:
基金项目:国家自然科学基金(61070198, 60970034, 60903040)

Detection Approach of DDoS Attacks Based on Conditional Random Fields

Author:

LIU Yun
LIU Yun
College of Computer, National University of Defense Technology, Changsha 410073, China
在期刊界中查找
在百度中查找
在本站中查找
CAI Zhi-Ping
CAI Zhi-Ping
College of Computer, National University of Defense Technology, Changsha 410073, China
在期刊界中查找
在百度中查找
在本站中查找
ZHONG Ping
ZHONG Ping
College of Electronic Science and Engineering, National University of Defense Technology, Changsha 410073, China
在期刊界中查找
在百度中查找
在本站中查找
YIN Jian-Ping
YIN Jian-Ping
College of Computer, National University of Defense Technology, Changsha 410073, China
在期刊界中查找
在百度中查找
在本站中查找
CHENG Jie-Ren
CHENG Jie-Ren
College of Computer, National University of Defense Technology, Changsha 410073, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

摘要

图/表

访问统计

参考文献 [28]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

近年来,基于机器学习算法的分布式拒绝服务(distributed denial-of-service,简称DDoS)攻击检测技术已取得了很大的进展,但仍存在一些不足:(1) 不能充分利用蕴涵于标记和特征观测序列中的上下文信息;(2) 对多特征的概率分布存在过强的假设.条件随机场模型具有融合利用上下文信息和多特征的能力,将其应用于DDoS 检测,能够有效地弥补上述不足.提出了一种基于条件随机场的DDoS 攻击检测方法:首先,定义流特征条件熵(traffic feature conditional entropy,简称TFCE)、行为轮廓偏离度(behavior profile deviate degree,简称BPDD)两组统计量,对TCP flood,UDP flood,ICMP flood 这3 类攻击的特点进行描述;然后以此为基础,使用条件随机场,通过对其有效训练,分别为3 类攻击建立分类模型;最后,通过对模型的有效训练,应用模型推断来完成对DDoS 攻击的检测.实验结果表明,该方法能够充分发挥条件随机场模型的优势,准确区分正常流量和攻击流量,与同类方法相比,具有更好的抗背景流量干扰的能力.

关键词:分布式拒绝服务;条件熵;行为轮廓;条件随机场

Abstract:

In recent years, the detection technology based on machine learning algorithms for distributed denialof- service (DDoS) attacks has made great progress. However, there are still some deficiencies, which are: (1) being unable to make full use of contextual information in both the label and observed features series; (2) making too strong assumptions on the probability distribution of multiple features. Featured with the strong capability in integrating and exploiting contextual information and multiple features, the conditional random fields (CRF) model can be applied to detect DDoS attacks for effectively overcoming the above mentioned problems. A detection approach based on CRF model is proposed in this paper. First, two group of statistics are defined, which include traffic feature conditional entropy (TFCE) and behavior profile deviate degree (BPDD), to depict the characteristics of three types DDoS attacks: TCP flood, UDP flood and ICMP flood. Then, the CRF is trained to build the classification model for the addressed three types of attacks respectively. Lastly, the trained CRF models are used to identify the attacks with model inference. The experimental results demonstrate that the proposed approach can sufficiently exploit the advantages of CRF. The proposed detection approach not only can distinguish between attack traffic and normal traffic accurately, but is also more robust to resist disturbance of background traffic than the similar approaches.

Key words:distributed denial-of-service; conditional entropy; behavior profile; conditional random fields

参考文献

[1] Moore D, Voelker G, Savage S. Inferring Internet denial-of-service activity. In: Proc. of the 10th USENIX Security Symp. Washington, 2001. 9?22. [doi: 10.1145/1132026.1132027]

[2] Jiang H, Dovrolis C. Why is the Internet traffic bursty in short time scales? In: Proc. of the ACM SIGMETRICS 2005. New York, 2005. 241?252. [doi: 10.1145/1071690.1064240]

[3] Sang A, Li SQ. A predictability analysis of network traffic. In: Proc. of the INFOCOM 2000. Tel Aviv, 2000. 342?351. [doi: 10.1109/INFCOM.2000.832204]

[4] Lafferty JD, McCallum A, Pereira FCN. Conditional random fields: Probabilistic models for segmenting and labeling sequence data. In: Brodley C, Danyluk A, eds. Proc. of the 18th Int’l Conf. on Machine Learning (ICML 2001). San Francisco: Morgan Kaufmann Publishers, 2001. 282?289.

[5] Lakhina A, Crovella M, Diot C. Diagnosing network-wide traffic anomalies. In: Proc. of the ACM SIGCOMM 2004. Portland, 2004. 219?230. [doi: 10.1145/1015467.1015492]

[6] Peng T, Leckie C, Ramamohanarao K. Proactively detecting distributed denial of service attacks using source IP address monitoring. In: Proc. of the 3rd Int’l IFIP-TC6 Networking Conf. Athens, 2004. 771?782. [doi: 10.1007/978-3-540-24693-0_63]

[7] Sun ZX, Li QD. Defending DDos attacks based on the source and destination IP address database. Journal of Software, 2007, 18(10):2613?2623 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/18/2613.htm [doi: 10.1360/jos182613]

[8] Sun QD, Zhang DY, Gao P. Detecting distributed denial of service attacks based on time series analysis. Chinese Journal of Computers, 2005,28(5):767?773 (in Chinese with English abstract).

[9] Lakhina A, Crovella M, Diot C. Mining anomalies using traffic feature distributions. In: Proc. of the ACM SIGCOMM 2005. Philadelphia, 2005. 217?228. [doi: 10.1145/1090191.1080118]

[10] Gil TM, Poletto M. Multops: A data-structure for bandwidth attack detection. In: Proc. of the 10th USENIX Security of Symp. Washington, 2001. 3?14.

[11] Kim Y, Lau WC, Chuah MC, Chao HJ. PacketScore—A statistics-based packet filtering scheme against distributed denial-ofservice attacks. IEEE Trans. on Dependable and Secure Computing, 2006,3(2):141?155. [doi: 10.1109/TDSC.2006.25]

[12] Zhou DQ, Zhang HF, Zhang SW, Hu XP. A DDoS attack detection method based on hidden Markov model. Journal of Computer Research and Development, 2005,42(9):1594?1599 (in Chinese with English abstract). [doi: 10.1360/crad20050921]

[13] Noh S, Jung G, Choi K, Lee C. Compiling network traffic into rules using soft computing methods for the detection of flooding attacks. Applied Soft Computing, 2008,8(3):1200?1210. [doi: 10.1016/j.asoc.2007.02.016]

[14] Ghahramani Z. An introduction to hidden Markov models and Bayesian networks. Int’l Journal of Pattern Recognition and Artificial Intelligence, 2001,15(1):9?42. [doi: 10.1142/S0218001401000836]

[15] Zhong P, Wang RS. Using combination of statistical models and multilevel structural information for detecting urban areas from a single gray-level image. IEEE Trans. on Geoscience and Remote Sensing, 2007,45(5):1469?1482. [doi: 10.1109/TGRS.2007. 893739]

[16] McCallum A, Li W. Early results for named entity recognition with conditional random fields, feature induction and Web-enhanced lexicons. In: Proc. of the 7th CoNLL. Edmonton: Morgan Kaufmann Publishers, 2003. 188?191. [doi: 10.3115/1119176.1119206]

[17] Gupta KK, Nathn B, Kotagiri R. Layered approach using conditional random fields for intrusion detection. IEEE Trans. on Dependable and Secure Computing, 2008,7(1):35?49. [doi: 10.1109/TDSC.2008.20]

[18] Sun ZX, Tang YW, Zhang W, Gong J, Wang RC. A router anomaly traffic filter algorithm based on character aggregation. Journal of Software, 2006,17(2):295?304 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/17/295.htm [doi: 10.1360/jos170295]

[19] MIT Lincoln Laboratory. 2000. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html

[20] Xu M, Chen C, Ying J. A two-layer Markov chain anomaly detection model. Journal of Software, 2005,16(2):276?285 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/16/276.htm

[21] Li SZ. Markov Random Field Modeling in Image Analysis. 3rd ed., London: Springer-Verlag, 2009. 28?30.

[22] Kumar S, Hebert M. Discriminative random fields: A discriminative framework for contextual interaction in cassification. In: Proc. of the IEEE Int’l Conf. on Computer Vision. Nice, 2003. 1150?1157. [doi: 10.1109/ICCV.2003.1238478]

[23] Kumar S, Hebert M. Discriminative fields for modeling spatial dependencies in natural images. In: Proc. of the Conf. on Advances in Neural Information Processing Systems. Vancouver, 2003. 1531?1538.

[24] Dietterich TG, Ashenfelter A, Bulatov Y. Training conditional random fields via gradient tree boosting. In: Proc. of the Int’l Conf. on Machine Learning. Banff, 2004. 217?224. [doi: 10.1145/1015330.1015428]

[25] Sha F, Pereira F. Shallow parsing with conditional random fields. In: Proc. of the Human Language Technology Conf. and North American Chapter of the Association for Computational Linguistics (HLT-NAACL 2003). Edmonton: Morgan Kaufmann Publishers, 2003. 213?220. [doi: 10.3115/1073445.1073473]

[26] Kschischang FR, Frey BJ, Loeliger HA. Factor graphs and the sum-product algorithm. IEEE Trans. on Information Theory, 2001, 47(2):498?519. [doi: 10.1109/18.910572]

[27] Murphy K. CRF toolbox for matlab. 2004. http://www.cs.ubc.ca/~murphyk/Software/CRF/crfGeneralOld.html

[28] Chang CC, Lin CJ. LIBSVM: A library for support vector machines. 2001. http://www.csie.ntu.edu.tw/~cjlin/libsvm/

引用本文

刘运,蔡志平,钟平,殷建平,程杰仁.基于条件随机场的DDoS 攻击检测方法.软件学报,2011,22(8):1897-1910

复制

文章指标

点击次数:4695
下载次数: 8695
HTML阅读次数: 0
引用次数: 0

历史

收稿日期:2010-04-21
最后修改日期:2010-08-13
录用日期:
在线发布日期:
出版日期:

微信服务号

微信订阅号

引用本文

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

分享

微信扫一扫：分享

文章指标

历史

文章二维码