基于双通道特征融合的分布式拒绝服务攻击检测算法

doi:10.3969/j.issn.1671-1122.2023.07.009

摘要/Abstract

摘要：

随着物联网的快速发展，接入网络的设备数量迅速增长，导致分布式拒绝服务（Distributed Denial of Service，DDoS）攻击往往具有攻击方式多样、迅速多变的特点。面对大流量且攻击方式多变的混合DDoS攻击，现有的基于统计分析的检测方法过于依赖人为设置阈值，而基于机器学习的异常检测方法存在误报率和漏报率高等问题。因此，文章提出一种基于卷积神经网络（Convolutional Neural Network，CNN）和注意力机制的双通道融合检测模型DCFD-CA，该模型将统计特征样本分别输入基于CNN的局部特征提取通道和基于注意力机制的全局特征提取通道，利用两个通道结构的差异化达到不同的效果，使用CNN可以抽象出局部特征值之间的相关关系，使用注意力机制可以对重要的特征分配更多的权重。为了融合两个通道的功能，首先对各通道输出的抽象特征进行归一化操作，然后利用堆叠方式融合两个不同通道的特征数据，最后通过三层神经网络进行检测分类。在CICIDS2017-DDoS、CICIDS2018-DDoS和CICDDoS2019公开数据集上进行实验，DCFD-CA模型的F1分数分别是0.9863、0.9996和0.9998，均优于SAE-MLP、Composite DNN等模型。

关键词: DDoS攻击, 注意力机制, 卷积神经网络, 异常检测, 深度学习

Abstract:

With the rapid development of the Internet of things, the number of devices accessing the network is increasing rapidly, so the distributed denial of service (DDoS) attacks often have the characteristics of various attack methods and rapid changes. To deal with mixed and variable DDoS attacks with large traffic, the existing detection methods based on statistical analysis rely too much on artificially setting thresholds, while the anomaly detection methods based on machine learning have the problems of high false positive rate and high false negative rate. Therefore, this paper proposed a two-channel feature fusion detection model based on convolutional neural network (CNN) and attention mechanism, which was DCFD-CA. The model inputted the statistical feature samples into the local feature extraction channel based on CNN and the global feature extraction channel based on the attention mechanism respectively, and used the difference of the two model structures to achieve different effects. The former could abstract the relationship between local feature values, and the latter could assign more weight to important features. In order to fuse the functions of the two models, the abstract features output by each channel were normalized, and then the feature data of two different channels was fused by stacking, and finally the three-layer neural network was used for detection and classification. Conducting experiments on the public datasets CICIDS2017-DDoS, CICIDS2018-DDoS and CICDDoS2019, the F1 scores of the DCFD-CA model are 0.9863, 0.9996 and 0.9998 respectively, which are better than SAE-MLP, composite DNN models.

Key words: DDoS attack, attention mechanism, convolutional neural network, anomaly detection, deep learning

中图分类号:

TP309

蒋英肇, 陈雷, 闫巧. 基于双通道特征融合的分布式拒绝服务攻击检测算法[J]. 信息网络安全, 2023, 23(7): 86-97.

JIANG Yingzhao, CHEN Lei, YAN Qiao. Distributed Denial of Service Attack Detection Algorithm Based on Two-Channel Feature Fusion[J]. Netinfo Security, 2023, 23(7): 86-97.

图/表 14

图1

图2

图3

图4

图5

表1

表2

表3

图6

表4

图7

表5

图8

表6

参考文献 27

[1]	YOACHIMIK O. Mitigating a 754 Million PPS DDoS Attack Automatically[EB/OL]. (2020-07-09) [2022-05-16]. https://blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically.
[2]	VIJ A, PASHA S. Azure DDoS Protection-2021 Q3 and Q4 DDoS Attack Trends[EB/OL]. (2022-01-25) [2022-05-16]. https://azure.microsoft.com/zh-cn/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends.
[3]	Tencent Cloud T-Sec DDoS Protection Team, Green Alliance Technology Threat Intelligence Team. 2021 Global DDoS Threat Report[EB/OL]. (2022-01-26) [2022-05-16]. https://cloud.tencent.com/developer/article/1936949.
	腾讯云T-Sec DDoS防护团队, 绿盟科技威胁情报团队. 2021年全球DDoS威胁报告[EB/OL]. (2022-01-26) [2022-05-16]. https://cloud.tencent.com/developer/article/1936949.
[4]	Wangsu Science&Technology. China Internet Security Report for the First Half of 2021[EB/OL]. (2021-11-23) [2022-05-16]. https://www.vzkoo.com/document/992eef6bb162171fd39d55876bf3f19b.html.
	网宿科技. 2021年上半年中国互联网安全报告[EB/OL]. (2021-11-23) [2022-05-16]. https://www.vzkoo.com/document/992eef6bb162171fd39d55876bf3f19b.html.
[5]	LIU Ying, ZHI Ting, SHEN Ming, et al. Software-Defined DDoS Detection with Information Entropy Analysis and Optimized Deep Learning[J]. Future Generation Computer Systems, 2022(129): 99-114.
[6]	LIU Zhen, HU Changzhen, SHAN Chun. Riemannian Manifold on Stream Data: Fourier Transform and Entropy-Based DDoS Attacks Detection Method[J]. Computers & Security, 2021(109): 102392-102407.
[7]	KOAY A, CHEN A, WELCH I, et al. A New Multi Classifier System Using Entropy-Based Features in DDoS Attack Detection[C]// IEEE. 2018 International Conference on Information Networking (ICOIN). New York: IEEE, 2018: 162-167.
[8]	IDHAMMAD M, AFDEL K, BELOUCH M. Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest[J]. Security and Communication Networks, 2018(2): 1-13.
[9]	YE Jin, CHENG Xiangyang, ZHU Jian, et al. A DDoS Attack Detection Method Based on SVM in Software Defined Network[EB/OL]. (2018-01-01) [2022-05-16]. https://dl.acm.org/doi/10.1155/2018/9804061.
[10]	TUAN N N, HUNG P H, NGHIA N D, et al. A DDoS Attack Mitigation Scheme in ISP Networks Using Machine Learning Based on SDN[J]. Electronics, 2020, 9(3): 413-432. doi: 10.3390/electronics9030413 URL
[11]	DE-MIRANDA V R, INÁCIO P R M, MAGONI D, et al. Detection of Reduction-of-Quality DDoS Attacks Using Fuzzy Logic and Machine Learning Algorithms[J]. Computer Networks, 2021(186): 107792-107811.
[12]	MIN Erxue, CHEN Wei, LONG Jun, et al. TR-IDS: Anomaly-Based Intrusion Detection Through Text-Convolutional Neural Network and Random Forest[EB/OL]. (2018-12-16) [2023-01-13]. https://dl.acm.org/doi/10.1155/2018/4943509.
[13]	CHOLLET F. Xception: Deep Learning with Depthwise Separable Convolutions[C]// IEEE. 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). New York: IEEE, 2017: 1251-1258.
[14]	GIRSHICK R. Fast R-CNN[C]// IEEE. Proceedings of the IEEE International Conference on Computer Vision. New York: IEEE, 2015: 1440-1448.
[15]	REN A, LI Zhe, DING Caiwen, et al. SC-DCNN: Highly-Scalable Deep Convolutional Neural Network Using Stochastic Computing[J]. ACM SIGPLAN Notices, 2017, 52(4): 405-418. doi: 10.1145/3093336.3037746 URL
[16]	SHAHRIAR M H, HAQUE N I, RAHMAN M A, et al. G-IDS: Generative Adversarial Networks Assisted Intrusion Detection System[C]// IEEE. 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC). New York: IEEE, 2020: 376-385.
[17]	AHUJA N, SINGAL G, MUKHOPADHYAY D. DLSDN: Deep Learning for DDoS Attack Detection in Software Defined Networking[C]// IEEE. 2021 11th International Conference on Cloud Computing, Data Science & Engineering (Confluence). New York: IEEE, 2021: 683-688.
[18]	YANG Kun, ZHANG Junjie, XU Yang, et al. DDoS Attacks Detection with Autoencoder[C]// IEEE. NOMS 2020-2020 IEEE/IFIP Network Operations and Management Symposium. New York: IEEE, 2020: 1-9.
[19]	SALAHUDDIN M A, BARI M F, ALAMEDDINE H A, et al. Time-Based Anomaly Detection Using Autoencoder[C]// IEEE. 2020 16th International Conference on Network and Service Management (CNSM). New York: IEEE, 2020: 1-9.
[20]	AMAIZU G C, NWAKANMA C I, BHARDWAJ S, et al. Composite and Efficient DDoS Attack Detection Framework for B5G Networks[J]. Computer Networks, 2021(188): 107871-107881.
[21]	MA Li, CHAI Ying, CUI Lei, et al. A Deep Learning-Based DDoS Detection Framework for Internet of Things[C]// IEEE. ICC 2020-2020 IEEE International Conference on Communications (ICC). New York: IEEE, 2020: 1-6.
[22]	DORIGUZZI-CORIN R, MILLAR S, SCOTT-HAYWARD S, et al. LUCID: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection[J]. IEEE Transactions on Network and Service Management, 2020, 17(2): 876-889. doi: 10.1109/TNSM.4275028 URL
[23]	LASHKARI A H, DRAPER-GIL G, MAMUN M S I, et al. Characterization of Tor Traffic Using Timebased Features[C]// SciTePress. Proceedings of the 3rd International Conference on Information Systems Security and Privacy. San Francisco: SciTePress, 2017: 253-262.
[24]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep Residual Learning for Image Recognition[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2016: 770-778.
[25]	VASWANI A, SHAZEER N, PARMAR N, et al. Attention Is All You Need[EB/OL]. (2017-06-12) [2023-01-17]. https://arxiv.org/abs/1706.03762.
[26]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[J]. ICISSP, 2018(1): 108-116.
[27]	SHARAFALDIN I, LASHKARI A H, HAKAK S, et al. Developing Realistic Distributed Denial of Service (DDoS) Attack Dataset and Taxonomy[C]// IEEE. 2019 International Carnahan Conference on Security Technology (ICCST). New York: IEEE, 2019: 1-8.

类别	训练集的数量/个	验证集的数量/个	测试集的数量/个
benign	1591168	454619	227310
DoS Hulk	161751	46215	23107
DDoS	89619	25605	12803
DoS GoldenEye	7205	2059	1029
DoS Slowloris	4057	1159	580
DoS Slowhttptest	3849	1100	550

类别	训练集的数量/个	验证集的数量/个	测试集的数量/个
benign	6423367	1835248	917624
DDoS attack-HOIC	480208	137202	68602
DDoS attacks-LOIC-HTTP	403334	115238	57619
DoS attacks-Hulk	323338	92382	46192
DoS attacks-SlowHTTPTest	97923	27978	13989
DoS attacks-GoldenEye	29056	8302	4150
DoS attacks-Slowloris	7693	2198	1099
DDoS attack-LOIC-UDP	1211	346	173

类别	训练集的数量/个	验证集的数量/个	测试集的数量/个
benign	159216	45490	22746
ntp	219545	62727	31364
dns	219545	62727	31364
ldap	219545	62727	31364
mssql	219545	62727	31364
netbios	219545	62727	31364
snmp	219545	62727	31364
ssdp	219545	62727	31364
udp	219545	62727	31364
udplag	219545	62727	31364
syn	219545	62727	31364
tftp	219545	62727	31364

模型	Accuracy	FPR	Precision	Recall
SAE-MLP^[17]	0.9388	0.0134	0.8910	0.6542
Composite DNN^[20]	0.9875	0.0030	0.9814	0.9306
ResNet	0.9829	0.0064	0.9602	0.9191
Attention	0.9483	0.0001	0.9994	0.6398
DCFD-CA	0.9961	0.0030	0.9822	0.9905

模型	Accuracy	FPR	Precision	Recall
SAE-MLP^[17]	0.9328	0.1489	0.9263	0.9755
Composite DNN^[20]	0.9720	0.0436	0.9930	0.9802
ResNet	0.9939	0.0154	0.9920	0.9987
Attention	0.9824	0.0415	0.9787	0.9948
DCFD-CA	0.9995	0.0010	0.9995	0.9998