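• Journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

Computer Engineering & Science

• Computer Network and Information Security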

An adaptive DDoS attack detection method based on multiple-kernel learning

ZHANG Chen1, TANG Xiang-yan1,2, CHENG Jie-ren1,2,3, DONG Zhe1, LI Jun-qi1

  1. School of Computer Science & Cyberspace Security, Hainan University, Haikou 570228, China
  2. Key Laboratory of Internet Information Retrieval of Hainan Province, Hainan University, Haikou 570228, China
  3. State Key Laboratory of Marine Resource Utilization in South China Sea, Hainan University, Haikou 570228, China

  • Received: 2018-12-21 Revised: 2019-03-19 Online: 2019-08-25 Published: 2019-08-25
  • Funding:

    National Natural Science Foundation of China (61762033, 61702539); Hainan Provincial Natural Science Foundation (617048, 2018CXTD333); Hunan Provincial Natural Science Foundation (2018JJ3611); Zhejiang Province Public Welfare Technology Application Social Development Project (LGF18F020019); Hainan University Doctoral Start-up Fund (kyqd1328); Hainan University Youth Fund (qnjj14444); funding from the State Key Laboratory of Marine Resource Utilization in South China Sea

Abstract:

Distributed denial of service (DDoS) attacks are one of the main threats to Internet security. Most current detection methods rely on a single feature and cannot effectively detect early DDoS attacks in big data environments. We propose a feature-adaptive DDoS attack detection method (FADADM) based on multiple-kernel learning. We define five features according to the burstiness of DDoS attack traffic, the distribution of addresses, and the interactivity between the communicating parties. Based on an ensemble learning framework, the weight of each feature is adaptively adjusted in two ways: by increasing the ratio of intra-class variance to inter-class mean difference (IS/M), and by reducing that ratio (RS/M). Using the simple multiple-kernel learning (SimpleMKL) model, two multiple-kernel learning models with different characteristics, IS/M-SimpleMKL and RS/M-SimpleMKL, are trained to identify early DDoS attacks. Experimental results show that the proposed method can detect early DDoS attacks quickly and accurately.

Key words: multiple-kernel learning, DDoS attack, self-adaption, ensemble learning