Netinfo Security, 2024, Vol. 24, Issue (4): 509-519. doi: 10.3969/j.issn.1671-1122.2024.04.002

• Special Topic Papers: Intrusion Detection

Application Layer DDoS Detection Method Based on Spatio-Temporal Graph Neural Network

WANG Jian, CHEN Lin, WANG Kailun, LIU Jiqiang

  1. Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China
  • Received: 2024-02-25 Online: 2024-04-10 Published: 2024-05-16
  • Corresponding author: WANG Jian wangjian@bjtu.edu.cn
  • About the authors: WANG Jian (born 1975), male, from Shandong, associate professor, Ph.D.; main research interests: applied cryptography, blockchain and network security | CHEN Lin (born 1998), female, from Shandong, master's student; main research interest: application layer DDoS detection | WANG Kailun (born 1998), male, from Beijing, doctoral student; main research interest: privacy computing | LIU Jiqiang (born 1973), male, from Shandong, professor, Ph.D., CCF member; main research interests: trusted computing, privacy protection and cloud computing
  • Funding:
    National Key Research and Development Program of China (2023YFB2703702)

Abstract:

Distributed denial of service (DDoS) attacks have become one of the principal threats to cybersecurity, and application layer DDoS attacks are a primary means of attack. Application layer DDoS attacks target specific application services and behave normally at the network layer, so traditional security devices cannot defend against them effectively. Moreover, existing detection methods for application layer DDoS attacks have insufficient detection capability and struggle to adapt to changing attack patterns. In response, this paper proposes a detection method for application layer DDoS attacks based on a spatio-temporal graph neural network (STGNN). The method uses the characteristics of application layer services, starting from application layer data and application layer protocol interaction information. It introduces an attention mechanism and combines multiple GraphSAGE layers to learn the patterns of entity interactions across different time windows. It then calculates the deviation between the traffic under detection and normal traffic to accomplish attack detection. The method effectively identifies application layer DDoS attacks using only five dimensions of data: time, source IP, destination IP, communication frequency, and average packet size. According to the experimental results, the method achieves higher Recall and F1 scores than the benchmark methods, even with a small number of attack samples.

Key words: DDoS attacks, spatio-temporal graph neural network, anomaly detection, attention mechanism
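The pipeline the abstract outlines (five input fields, per-window interaction graphs, neighbour aggregation, deviation from normal traffic) can be sketched as follows. This is an added example, not the authors' model: an untrained GraphSAGE-style mean aggregator stands in for the learned attention and GraphSAGE layers, and the records, function names and scoring rule are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records: (timestamp_s, src_ip, dst_ip, packet_bytes).
# Window 0 (0-59 s) is normal; in window 1 (60-119 s) 10.0.0.3 sends 1 request/s.
SERVER = "10.0.1.1"
RECORDS = (
    [(t, "10.0.0.1", SERVER, 500) for t in range(0, 120, 10)]
    + [(t, "10.0.0.2", SERVER, 520) for t in range(5, 60, 10)]
    + [(t, "10.0.0.3", SERVER, 120) for t in range(60, 120)]
)

def build_snapshots(records, window=60):
    """One graph per time window: edge (src, dst) -> [frequency, avg packet size]."""
    acc = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, size in records:
        acc[ts // window][(src, dst)].append(size)
    return [{e: [len(s), mean(s)] for e, s in acc[w].items()} for w in sorted(acc)]

def embed(snapshot):
    """Untrained GraphSAGE-style mean aggregation: own features || neighbour mean."""
    incident, nbrs = defaultdict(list), defaultdict(set)
    for (src, dst), feat in snapshot.items():
        for a, b in ((src, dst), (dst, src)):
            incident[a].append(feat)
            nbrs[a].add(b)
    own = {n: [mean(c) for c in zip(*fs)] for n, fs in incident.items()}
    return {n: own[n] + [mean(c) for c in zip(*(own[m] for m in nbrs[n]))]
            for n in own}

def deviation_scores(normal_snaps, test_snap):
    """Largest relative deviation of each node's embedding from the normal centroid."""
    base = [v for s in normal_snaps for v in embed(s).values()]
    mu = [mean(c) for c in zip(*base)]  # always > 0: frequency >= 1, sizes > 0
    return {n: max(abs(x - m) / m for x, m in zip(v, mu))
            for n, v in embed(test_snap).items()}

def rank_suspects(records, window=60, normal_windows=1):
    """Score the first window after the normal ones; highest deviation first."""
    snaps = build_snapshots(records, window)
    scores = deviation_scores(snaps[:normal_windows], snaps[normal_windows])
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for node, score in rank_suspects(RECORDS):
        print(f"{node:10s} deviation={score:.2f}")
```

The benign client 10.0.0.1 also scores above its baseline in the attack window because its neighbour, the server, is under load, which is the kind of context a graph model adds over per-flow features.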

CLC Number: