CN117675381A - Reflection attack detection method and system based on port data and electronic equipment - Google Patents


Info

Publication number: CN117675381A
Authority: CN (China)
Prior art keywords: public network, reflection attack, traffic, attack detection, reflection
Legal status: Pending
Application number: CN202311689563.1A
Other languages: Chinese (zh)
Inventors: 归翀, 胥旭波, 苏伟胜, 陶亮, 罗婷倚, 唐亚森, 刘斌, 韦才超, 古原, 谭文玮, 黄永州, 方增俊, 陈三喜, 梁夏, 罗柳芬, 李宁
Current assignee: Guangxi Qiangjiang Road Engineering Consulting Co ltd; Guangxi Beitou Highway Construction Investment Group Co ltd
Original assignee: Guangxi Qiangjiang Road Engineering Consulting Co ltd; Guangxi Beitou Highway Construction Investment Group Co ltd
Application filed by Guangxi Qiangjiang Road Engineering Consulting Co ltd and Guangxi Beitou Highway Construction Investment Group Co ltd
Priority to CN202311689563.1A
Publication of CN117675381A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/164 Adaptation or special uses of UDP protocol
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a reflection attack detection method, system and electronic device based on port data, in the technical field of computer network security. The method comprises: constructing a training set based on public network traffic, the public network traffic being port data; training a machine learning model with the training set to obtain a reflection attack detection model; acquiring the feature vector of real-time public network traffic as a real-time feature vector; and inputting the real-time feature vector into the reflection attack detection model to obtain a reflection attack detection result. By building the data set from port data and training the reflection attack detection model on it, the invention can improve the detection accuracy of reflection attacks.

Description

Reflection attack detection method, system and electronic device based on port data

Technical field

The invention relates to the technical field of computer network security, and in particular to a reflection attack detection method, system and electronic device based on port data.

Background

In recent years Internet attacks have increased markedly, and so has attack traffic: attacks exceeding 1 Gb of traffic appear frequently and seriously endanger Internet security. Distributed denial of service (DDoS) attacks have long been a hot topic in network security research. User Datagram Protocol (UDP) reflection DDoS attacks (hereinafter UDP reflection attacks) are one of the main types of DDoS attack. A UDP reflection attack is a DDoS attack launched through vulnerable application-layer service protocols (hereinafter service protocols), all of which use UDP as their transport protocol. According to the 2017 China Internet Network Security Situation Review, the number of high-volume DDoS attacks kept rising throughout 2017: attacks above 10 Gbps averaged 133 per day, or 29.4% of all daily attack events, and attacks above 100 Gbps averaged more than 6 per day. By attack method, reflection attacks remained the mainstream. Feature extraction and identification techniques for reflection attacks are therefore crucial to Internet security.

An existing packet feature extraction method for DDoS intrusion detection divides DDoS attacks by packet protocol into five classes: spoofing attacks, volumetric attacks, reflection attacks, slow connection attacks and connection exhaustion attacks, and extracts a feature vector for each class. This increases the dimensionality and expressiveness of attack packet features and allows DDoS attack packets to be identified, but the method extracts its features from data sets captured by self-attack in an experimental environment, so its detection accuracy drops in practical deployment.

Summary of the invention

The purpose of the present invention is to provide a reflection attack detection method, system and electronic device based on port data that can improve the detection accuracy of reflection attacks.

To achieve the above purpose, the present invention provides the following solutions:

A reflection attack detection method based on port data, comprising:

constructing a training set based on public network traffic, the public network traffic being port data;

training a machine learning model with the training set to obtain a reflection attack detection model;

acquiring the feature vector of real-time public network traffic as a real-time feature vector, the feature vector comprising the protocol type, the number of packets received per unit time, the packet length, the standard deviation of the source port number per unit time and the standard deviation of the destination port number per unit time;

inputting the real-time feature vector into the reflection attack detection model to obtain a reflection attack detection result, the result being whether the real-time public network traffic is reflection attack traffic.

Optionally, constructing the training set based on public network traffic comprises:

constructing an empty set as the data set;

acquiring the current public network traffic;

preprocessing the current public network traffic to obtain preprocessed current public network traffic;

determining the bandwidth amplification factor and the packet amplification factor of the current public network traffic from the preprocessed current public network traffic;

determining the traffic type of the current public network traffic from the bandwidth amplification factor and the packet amplification factor, the traffic types being normal traffic and reflection attack traffic;

extracting the feature vector of the current public network traffic when its traffic type is reflection attack traffic;

adding the feature vector of the current public network traffic to the data set;

updating the current public network traffic and returning to the step "preprocessing the current public network traffic to obtain preprocessed current public network traffic" until the number of feature vectors in the data set reaches a count threshold, at which point the data set is taken as the training set.

Optionally, the bandwidth amplification factor is:

BAF = len(UDP payload)_atv / len(UDP payload)_ata

where BAF is the bandwidth amplification factor, len(UDP payload)_atv is the UDP payload length of the reply packets sent by the amplifier within unit time Δt, and len(UDP payload)_ata is the UDP payload length of the request packets received by the amplifier within unit time Δt.

Optionally, the packet amplification factor is:

PAF = Num_atv / Num_ata

where PAF is the packet amplification factor, Num_atv is the number of reply packets sent by the amplifier within unit time Δt, and Num_ata is the number of request packets received by the amplifier within unit time Δt.

Optionally, determining the traffic type of the current public network traffic from the bandwidth amplification factor and the packet amplification factor comprises:

judging from the bandwidth amplification factor and the packet amplification factor whether the current public network traffic meets the normal traffic condition, and obtaining a judgment result, the normal traffic condition being that the bandwidth amplification factor is below the bandwidth amplification factor threshold and the packet amplification factor is below the packet amplification factor threshold;

if the judgment result is yes, determining the traffic type of the current public network traffic to be normal traffic;

if the judgment result is no, determining the traffic type of the current public network traffic to be reflection attack traffic.

Optionally, training a machine learning model with the training set to obtain a reflection attack detection model comprises:

training the machine learning model with the feature vector as input and with whether the public network traffic is reflection attack traffic as output, to obtain the reflection attack detection model.

Optionally, after inputting the real-time feature vector into the reflection attack detection model and obtaining the reflection attack detection result, the method further comprises:

when the reflection attack detection result is reflection attack traffic, adding the real-time feature vector to the training set and returning to the step "training a machine learning model with the training set to obtain a reflection attack detection model".

A reflection attack detection system based on port data, comprising:

a training set construction module for constructing a training set based on public network traffic, the public network traffic being port data;

a reflection attack detection model training module for training a machine learning model with the training set to obtain a reflection attack detection model;

a real-time feature vector determination module for acquiring the feature vector of real-time public network traffic as a real-time feature vector, the feature vector comprising the protocol type, the number of packets received per unit time, the packet length, the standard deviation of the source port number per unit time and the standard deviation of the destination port number per unit time;

a reflection attack detection module for inputting the real-time feature vector into the reflection attack detection model to obtain a reflection attack detection result, the result being whether the real-time public network traffic is reflection attack traffic.

An electronic device, optionally comprising a memory and a processor, the memory storing a computer program and the processor running the computer program so that the electronic device performs the above reflection attack detection method based on port data.

Optionally, the memory is a readable storage medium.

According to the specific embodiments provided, the present invention discloses the following technical effects:

The reflection attack detection method, system and electronic device based on port data provided by the invention extract packet feature values from the attack process combined with the characteristics of the UDP protocol itself, build a feature vector for reflection attacks, and detect traffic by threshold judgment and feature matching. They can detect volumetric attacks and payload amplification attacks in real time and improve the detection accuracy of amplification-type DDoS attack traffic.

Description of the drawings

To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

Figure 1 is a flow chart of the reflection attack detection method based on port data in Embodiment 1 of the present invention;

Figure 2 is an operation flow chart of the reflection attack detection system based on port data in Embodiment 2 of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

The purpose of the present invention is to provide a reflection attack detection method, system and electronic device based on port data that can improve the detection accuracy of reflection attacks.

To make the above purpose, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.

Embodiment 1

As shown in Figure 1, this embodiment provides a reflection attack detection method based on port data, comprising:

Step 101: construct a training set based on public network traffic. The public network traffic is port data.

Step 102: train a machine learning model with the training set to obtain a reflection attack detection model. Step 102 trains the machine learning model with the feature vector as input and with whether the public network traffic is reflection attack traffic as output, yielding the reflection attack detection model.

Step 103: acquire the feature vector of real-time public network traffic as the real-time feature vector. The feature vector comprises the protocol type, the number of packets received per unit time, the packet length, the standard deviation of the source port number per unit time and the standard deviation of the destination port number per unit time.

Step 104: input the real-time feature vector into the reflection attack detection model to obtain the reflection attack detection result, namely whether the real-time public network traffic is reflection attack traffic.

Step 101 comprises:

Step 101-1: construct an empty set as the data set.

Step 101-2: acquire the current public network traffic.

Step 101-3: preprocess the current public network traffic to obtain the preprocessed current public network traffic.

Step 101-4: determine the bandwidth amplification factor and the packet amplification factor of the current public network traffic from the preprocessed current public network traffic.

The bandwidth amplification factor is:

BAF = len(UDP payload)_atv / len(UDP payload)_ata

where BAF is the bandwidth amplification factor, len(UDP payload)_atv is the UDP payload length of the reply packets sent by the amplifier within unit time Δt, and len(UDP payload)_ata is the UDP payload length of the request packets received by the amplifier within unit time Δt.

The packet amplification factor is:

PAF = Num_atv / Num_ata

where PAF is the packet amplification factor, Num_atv is the number of reply packets sent by the amplifier within unit time Δt, and Num_ata is the number of request packets received by the amplifier within unit time Δt.

Step 101-5: determine the traffic type of the current public network traffic from the bandwidth amplification factor and the packet amplification factor. The traffic types are normal traffic and reflection attack traffic.

Step 101-6: when the traffic type of the current public network traffic is reflection attack traffic, extract the feature vector of the current public network traffic.

Step 101-7: add the feature vector of the current public network traffic to the data set.

Step 101-8: update the current public network traffic and return to step 101-3 until the number of feature vectors in the data set reaches the count threshold; the data set is then taken as the training set.

Step 101-5 comprises:

Step 101-5-1: judge from the bandwidth amplification factor and the packet amplification factor whether the current public network traffic meets the normal traffic condition, and obtain a judgment result. If the result is yes, go to step 101-5-2; if no, go to step 101-5-3. The normal traffic condition is that the bandwidth amplification factor is below the bandwidth amplification factor threshold and the packet amplification factor is below the packet amplification factor threshold.

Step 101-5-2: determine the traffic type of the current public network traffic to be normal traffic.

Step 101-5-3: determine the traffic type of the current public network traffic to be reflection attack traffic.
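The following Python example is added here for illustration and is not part of the patent. It carries steps 101-1 to 101-8 (and the identical steps listed in the summary above) through on a constructed set of UDP records observed at the amplifier: requests and replies are grouped into unit-time windows Δt, BAF and PAF are computed per window, each window is labelled by the threshold rule of step 101-5 (the BAF threshold 3 and PAF threshold 2 that Embodiment 2 specifies are the defaults), and v = (p, n, l, σsp, σdp) is extracted. The record type UdpRecord, the use of the service port as the protocol tag p and the mean payload length for l are choices made for this example, not taken from the patent. One point a practitioner should note: step 101-6 adds only reflection windows to the data set, which would leave the training set without negative samples, so this example records the label of every window and keeps both classes.

```python
"""Training-set construction (steps 101-1 to 101-8): label unit-time windows by BAF/PAF, extract v=(p,n,l,σsp,σdp)."""
from collections import Counter
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Tuple

Vector = Tuple[int, int, float, float, float]


@dataclass(frozen=True)
class UdpRecord:
    """One UDP datagram seen at the amplifier (constructed sample data, not a capture)."""
    t: float          # timestamp in seconds
    direction: str    # "req": request received by the amplifier; "rep": reply it sent
    proto: int        # protocol type tag p; the service port is used as the tag here (assumption)
    sport: int
    dport: int
    payload_len: int  # UDP payload bytes


def split_windows(records: List[UdpRecord], window_s: float = 1.0) -> List[List[UdpRecord]]:
    """Group records into unit-time windows Δt aligned to multiples of window_s."""
    buckets = {}
    for r in records:
        buckets.setdefault(int(r.t // window_s), []).append(r)
    return [buckets[k] for k in sorted(buckets)]


def amplification_factors(window: List[UdpRecord]) -> Tuple[float, float]:
    """BAF = reply payload bytes / request payload bytes; PAF = reply count / request count, per window."""
    req = [r for r in window if r.direction == "req"]
    rep = [r for r in window if r.direction == "rep"]
    req_bytes = sum(r.payload_len for r in req)
    rep_bytes = sum(r.payload_len for r in rep)
    # Replies without any request in the window are unbounded amplification, not zero.
    baf = rep_bytes / req_bytes if req_bytes else (float("inf") if rep_bytes else 0.0)
    paf = len(rep) / len(req) if req else (float("inf") if rep else 0.0)
    return baf, paf


def is_reflection(baf: float, paf: float, baf_threshold: float = 3.0, paf_threshold: float = 2.0) -> bool:
    """Normal traffic needs BOTH factors below threshold; either one reaching it marks reflection (step 101-5)."""
    return not (baf < baf_threshold and paf < paf_threshold)


def feature_vector(window: List[UdpRecord]) -> Vector:
    """v = (p, n, l, σsp, σdp): dominant protocol tag, packet count, mean payload length, port std devs."""
    p = Counter(r.proto for r in window).most_common(1)[0][0]
    l = sum(r.payload_len for r in window) / len(window)
    return (p, len(window), l, pstdev([r.sport for r in window]), pstdev([r.dport for r in window]))


def build_training_set(records: List[UdpRecord], window_s: float = 1.0, count_threshold: int = 3,
                       baf_threshold: float = 3.0, paf_threshold: float = 2.0) -> List[Tuple[Vector, int]]:
    """Steps 101-1 to 101-8; both classes are kept so a classifier can be trained on the result."""
    dataset: List[Tuple[Vector, int]] = []                      # 101-1: empty data set
    for window in split_windows(records, window_s):             # 101-2 / 101-8: next slice of traffic
        baf, paf = amplification_factors(window)                # 101-4
        label = 1 if is_reflection(baf, paf, baf_threshold, paf_threshold) else 0   # 101-5
        dataset.append((feature_vector(window), label))         # 101-6 / 101-7
        if len(dataset) >= count_threshold:                     # 101-8: count threshold reached
            break
    return dataset


# Constructed sample traffic: three one-second windows at a DNS/NTP amplifier.
SAMPLE_RECORDS: List[UdpRecord] = (
    # window 0: ordinary DNS, 40-byte queries from ephemeral ports, 100-byte replies (BAF 2.5, PAF 1)
    [UdpRecord(0.1 + 0.2 * i, "req", 53, 40000 + i, 53, 40) for i in range(4)]
    + [UdpRecord(0.15 + 0.2 * i, "rep", 53, 53, 40000 + i, 100) for i in range(4)]
    # window 1: DNS ANY amplification, 64-byte spoofed queries, 3000-byte replies (BAF 46.875, PAF 1)
    + [UdpRecord(1.1 + 0.2 * i, "req", 53, 1024, 53, 64) for i in range(3)]
    + [UdpRecord(1.15 + 0.2 * i, "rep", 53, 53, 1024, 3000) for i in range(3)]
    # window 2: NTP monlist, one 8-byte request, six 440-byte replies (BAF 330, PAF 6)
    + [UdpRecord(2.1, "req", 123, 123, 123, 8)]
    + [UdpRecord(2.2 + 0.1 * i, "rep", 123, 123, 123, 440) for i in range(6)]
)

if __name__ == "__main__":
    for vector, label in build_training_set(SAMPLE_RECORDS):
        print(label, vector)
```

Windows 1 and 2 are flagged by BAF alone and by both factors respectively, which is why the patent's condition is a conjunction for normal traffic: one factor below threshold is not enough. The port standard deviations also show the signal the feature vector relies on: mixed client ports give σ near 20000 in the normal window, while the spoofed fixed port of the attack windows gives 485.5 and 0.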

After step 104, the method further comprises:

Step 105: when the reflection attack detection result is reflection attack traffic, add the real-time feature vector to the training set and return to step 102.

Embodiment 2

To perform the method of Embodiment 1 and achieve the corresponding functions and technical effects, a reflection attack detection system based on port data is provided, comprising:

a training set construction module for constructing a training set based on public network traffic, the public network traffic being port data;

a reflection attack detection model training module for training a machine learning model with the training set to obtain a reflection attack detection model;

a real-time feature vector determination module for acquiring the feature vector of real-time public network traffic as the real-time feature vector, the feature vector comprising the protocol type, the number of packets received per unit time, the packet length, the standard deviation of the source port number per unit time and the standard deviation of the destination port number per unit time;

a reflection attack detection module for inputting the real-time feature vector into the reflection attack detection model to obtain the reflection attack detection result, namely whether the real-time public network traffic is reflection attack traffic.

As shown in Figure 2, the reflection attack detection system based on port data provided by this embodiment comprises:

1) Packet collection module.

Traffic is collected by a script that automatically sends request packets carrying a payload to the corresponding IP addresses and ports.

2) Data preprocessing module.

Because public network traffic is mixed with a large number of non-UDP packets, the data must be processed first. The scapy library is used to discard non-UDP traffic and to extract feature information such as the source IP, port, payload, and the length and number of packets received and sent in response per unit time.
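As an added example that is not the patent's own code, the preprocessing module above can be implemented with the Python standard library instead of scapy: raw IPv4 packets are parsed, anything that is not a well-formed UDP datagram is discarded, and source IP, ports and payload are extracted and aggregated per (source IP, source port). The sample packets are constructed inside the code, and the deliberately truncated one shows why the UDP length field has to be checked against the IP header and the captured length before it is trusted.

```python
"""Preprocessing stage: keep only IPv4/UDP datagrams and extract per-source port data from raw packets."""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

IPPROTO_UDP = 17


class UdpDatagram(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_udp(packet: bytes) -> Optional[UdpDatagram]:
    """Parse a raw IPv4 packet (no link-layer header); return None for anything that is not a sound UDP datagram."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # not IPv4, or too short to hold a header
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None                                   # bogus header length or truncated capture
    if packet[9] != IPPROTO_UDP:
        return None                                   # TCP, ICMP and the rest are dropped at this stage
    sport, dport, udp_len = struct.unpack_from("!HHH", packet, ihl)
    if udp_len < 8 or ihl + udp_len > total_len:
        return None                                   # UDP length disagrees with the IP header: do not trust it
    return UdpDatagram(socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
                       sport, dport, packet[ihl + 8:ihl + udp_len])


def port_statistics(packets: List[bytes]) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Per (source IP, source port): (number of UDP datagrams, total UDP payload bytes) in the batch."""
    stats = defaultdict(lambda: [0, 0])
    for raw in packets:
        dgram = parse_ipv4_udp(raw)
        if dgram is None:
            continue
        key = (dgram.src, dgram.sport)
        stats[key][0] += 1
        stats[key][1] += len(dgram.payload)
    return {key: (count, total) for key, (count, total) in stats.items()}


# Constructed sample packets (not captured traffic); addresses are from the documentation ranges.
def make_ipv4(src: str, dst: str, proto: int, transport: bytes) -> bytes:
    """Minimal IPv4 header (IHL 5, TTL 64, zero checksum) in front of a transport segment."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + transport


def make_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_PACKETS: List[bytes] = [
    make_ipv4("198.51.100.10", "203.0.113.5", IPPROTO_UDP, make_udp(53, 1024, b"\x00" * 3000)),  # amplified DNS reply
    make_ipv4("198.51.100.10", "203.0.113.5", IPPROTO_UDP, make_udp(53, 1024, b"\x00" * 3000)),
    make_ipv4("203.0.113.5", "198.51.100.10", IPPROTO_UDP, make_udp(1024, 53, b"\x00" * 64)),    # the small query
    make_ipv4("198.51.100.20", "203.0.113.5", 6, b"\x00" * 20),                                    # TCP: dropped
    make_ipv4("198.51.100.30", "203.0.113.5", 1, b"\x08\x00" + b"\x00" * 6),                      # ICMP: dropped
    make_ipv4("198.51.100.10", "203.0.113.5", IPPROTO_UDP, make_udp(123, 123, b"\x00" * 440))[:-200],  # truncated: dropped
]

if __name__ == "__main__":
    for key, (count, total) in port_statistics(SAMPLE_PACKETS).items():
        print(key, count, total)
```

The per-(IP, port) counts and byte totals are exactly the quantities the next module divides to obtain PAF and BAF, so a parser that accepted the truncated datagram at face value would feed an inflated payload length into the amplification factors.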

3) Traffic threshold detection module.

The bandwidth amplification factor BAF and the packet amplification factor PAF are computed from the data produced by the data preprocessing module:

BAF = len(UDP payload)_atv / len(UDP payload)_ata

where len(UDP payload)_atv is the UDP payload length of the reply packets sent by the amplifier within unit time Δt and len(UDP payload)_ata is the UDP payload length of the request packets received by the amplifier within unit time Δt.

PAF = Num_atv / Num_ata

where Num_atv is the number of reply packets sent by the amplifier within unit time Δt and Num_ata is the number of request packets received by the amplifier within unit time Δt.

Based on the reflection amplification characteristics observed in recent years, the BAF threshold is set to 3 and the PAF threshold to 2. The outcome falls into two cases: if neither BAF nor PAF reaches its threshold, the traffic is released; if either coefficient reaches its threshold, the traffic matches the reflection amplification characteristics, is judged to be reflection amplification traffic, and is passed to the feature matching module for further detection.

4) Feature matching module.

Based on the attack process combined with the characteristics of the UDP protocol itself, packet feature values are extracted and a feature vector for reflection attacks is built; the trained machine learning model marks attack packets so that reflection attacks are detected as early as possible.

The feature vector of a reflection attack can be expressed as v = (p, n, l, σsp, σdp), where p is the protocol type, n is the number of packets received per unit time, l is the packet length, and σsp and σdp are the standard deviations of the source port number and the destination port number per unit time.

5) Attack processing module.

The source IP and port of packets marked as attacks are recorded in a database, so that the next match can be identified directly as a reflection attack.
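Steps 102 to 105 of Embodiment 1 together with the feature matching and attack processing modules (4 and 5) above, as an added example that is not part of the patent. The patent does not name the machine learning model; the nearest-centroid classifier on z-scored features used here is a stand-in chosen for this example, and the training vectors are constructed rather than measured. The detector returns the model's verdict (step 104), appends every positive verdict to the training set and retrains (step 105), and records the (source IP, port) pair so that later traffic from it is identified without consulting the model (module 5).

```python
"""Detection stage with feedback: classify v=(p,n,l,σsp,σdp), retrain on detections, remember confirmed reflectors."""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Set, Tuple

Vector = Tuple[float, ...]


class CentroidClassifier:
    """Stand-in for the unspecified machine learning model: nearest class centroid in z-scored feature space."""

    def fit(self, vectors: Sequence[Vector], labels: Sequence[int]) -> "CentroidClassifier":
        columns = list(zip(*vectors))
        self.mu = [mean(c) for c in columns]
        self.sd = [pstdev(c) or 1.0 for c in columns]            # constant column: avoid dividing by zero
        self.centroids: Dict[int, List[float]] = {}
        for label in sorted(set(labels)):
            members = [self._z(v) for v, l in zip(vectors, labels) if l == label]
            self.centroids[label] = [mean(c) for c in zip(*members)]
        return self

    def _z(self, v: Vector) -> List[float]:
        return [(x - m) / s for x, m, s in zip(v, self.mu, self.sd)]

    def predict(self, v: Vector) -> int:
        z = self._z(v)
        return min(self.centroids,
                   key=lambda label: sum((a - b) ** 2 for a, b in zip(z, self.centroids[label])))


class ReflectionDetector:
    """Steps 102-105 of Embodiment 1 plus the attack processing module (5) of Embodiment 2."""

    def __init__(self, training_set: Sequence[Tuple[Vector, int]]):
        self.training_set: List[Tuple[Vector, int]] = list(training_set)
        self.known_reflectors: Set[Tuple[str, int]] = set()     # (source IP, port) recorded after a detection
        self.model = self._train()                                # step 102

    def _train(self) -> CentroidClassifier:
        vectors, labels = zip(*self.training_set)
        if len(set(labels)) < 2:
            raise ValueError("training set must contain both normal (0) and reflection (1) samples")
        return CentroidClassifier().fit(vectors, labels)

    def observe(self, src_ip: str, port: int, vector: Vector) -> int:
        """Return 1 for reflection attack traffic, 0 for normal traffic."""
        if (src_ip, port) in self.known_reflectors:
            return 1                                              # module 5: direct match, model not consulted
        result = self.model.predict(vector)                       # step 104
        if result == 1:                                           # step 105: feed the vector back and retrain
            self.training_set.append((vector, 1))
            self.known_reflectors.add((src_ip, port))
            self.model = self._train()
        return result


# Constructed training vectors (p, n, l, σsp, σdp); not measured data.
TRAINING_SET: List[Tuple[Vector, int]] = [
    ((53, 8, 70.0, 20000.0, 20000.0), 0),    # ordinary DNS: client ports spread widely, small packets
    ((53, 10, 80.0, 18000.0, 18000.0), 0),
    ((123, 4, 48.0, 12000.0, 12000.0), 0),   # ordinary NTP
    ((53, 6, 1532.0, 485.5, 485.5), 1),      # DNS ANY amplification: large packets, near-fixed ports
    ((123, 7, 378.0, 0.0, 0.0), 1),          # NTP monlist: many replies, ports constant
    ((53, 20, 2800.0, 0.0, 0.0), 1),
]

if __name__ == "__main__":
    detector = ReflectionDetector(TRAINING_SET)
    print(detector.observe("198.51.100.10", 53, (53, 9, 75.0, 19000.0, 19000.0)))
    print(detector.observe("198.51.100.10", 123, (123, 50, 440.0, 0.0, 0.0)))
    print(sorted(detector.known_reflectors))
```

Two consequences of the patent's design are visible in this code. The feedback loop of step 105 trains the model on its own positive verdicts, so a false positive becomes a permanent training sample, and the module 5 database turns it into a permanent verdict for that (IP, port) pair; a deployment needs an expiry or an analyst confirmation step on both. And because step 101-6 only ever adds reflection windows, the training set must get its normal samples from somewhere else, which is why the constructor refuses a single-class training set instead of silently building a model that can only say "attack".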

Embodiment 3

This embodiment provides an electronic device comprising a memory and a processor. The memory stores a computer program, and the processor runs the computer program so that the electronic device performs the reflection attack detection method based on port data described in Embodiment 1. The memory is a readable storage medium.

The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts can be cross-referenced. Since the disclosed system corresponds to the disclosed method, its description is relatively brief; see the method section for the relevant details.

Specific examples have been used here to explain the principles and implementation of the present invention. The description of the above embodiments is only intended to help understand the method of the present invention and its core idea. Those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (10)

1. A reflection attack detection method based on port data, characterized by comprising the following steps:
constructing a training set based on public network traffic, the public network traffic being port data;
training a machine learning model with the training set to obtain a reflection attack detection model;
acquiring a feature vector of real-time public network traffic as a real-time feature vector, the feature vector comprising a protocol type, the number of packets received per unit time, the packet length, the standard deviation of the source port number per unit time and the standard deviation of the destination port number per unit time;
inputting the real-time feature vector into the reflection attack detection model to obtain a reflection attack detection result, the reflection attack detection result being whether the real-time public network traffic is reflection attack traffic.
2. The reflection attack detection method based on port data according to claim 1, wherein constructing the training set based on public network traffic comprises:
constructing an empty set as a data set;
acquiring the current public network traffic;
preprocessing the current public network traffic to obtain preprocessed current public network traffic;
determining a bandwidth amplification factor and a message amplification factor of the current public network traffic according to the preprocessed current public network traffic;
determining the traffic type of the current public network traffic according to the bandwidth amplification factor and the message amplification factor; the traffic types include normal traffic and reflection attack traffic;
extracting a feature vector of the current public network traffic when its traffic type is reflection attack traffic;
adding the feature vector of the current public network traffic to the data set;
updating the current public network traffic and returning to the step of preprocessing the current public network traffic to obtain preprocessed current public network traffic, until the number of feature vectors in the data set reaches a number threshold, and determining the data set as the training set.
3. The reflection attack detection method based on port data according to claim 2, wherein the bandwidth amplification factor is:
wherein BAF is the bandwidth amplification factor; len(UDP payload)_atv is the UDP payload length of the reply messages sent by the amplifier within the unit time Δt; len(UDP payload)_ata is the UDP payload length of the request messages received by the amplifier within the unit time Δt.
4. The reflection attack detection method based on port data according to claim 2, wherein the message amplification factor is:
wherein PAF is the message amplification factor; Num_atv is the number of reply messages sent by the amplifier within the unit time Δt; Num_ata is the number of request messages received by the amplifier within the unit time Δt.
5. The reflection attack detection method based on port data according to claim 2, wherein determining the traffic type of the current public network traffic according to the bandwidth amplification factor and the message amplification factor comprises:
judging, according to the bandwidth amplification factor and the message amplification factor, whether the current public network traffic satisfies a normal traffic condition, and obtaining a judgment result; the normal traffic condition is that the bandwidth amplification factor is smaller than a bandwidth amplification factor threshold and the message amplification factor is smaller than a message amplification factor threshold;
if the judgment result is yes, determining that the traffic type of the current public network traffic is normal traffic;
if the judgment result is no, determining that the traffic type of the current public network traffic is reflection attack traffic.
6. The reflection attack detection method based on port data according to claim 2, wherein training a machine learning model by using the training set to obtain a reflection attack detection model comprises:
training the machine learning model with the feature vector as input and with whether the public network traffic is reflection attack traffic as output, to obtain the reflection attack detection model.
7. The reflection attack detection method based on port data according to claim 1, further comprising, after inputting the real-time feature vector into the reflection attack detection model to obtain the reflection attack detection result:
when the reflection attack detection result is reflection attack traffic, adding the real-time feature vector to the training set, and returning to the step of training a machine learning model by using the training set to obtain a reflection attack detection model.
8. A reflection attack detection system based on port data, comprising:
the training set construction module is used for constructing a training set based on the public network traffic; the public network traffic is port data;
the reflection attack detection model training module is used for training the machine learning model by utilizing the training set to obtain a reflection attack detection model;
the real-time feature vector determining module is used for acquiring the feature vector of the real-time public network traffic as a real-time feature vector; the feature vector comprises the protocol type, the number of messages received per unit time, the message length, the standard deviation of the source port number per unit time and the standard deviation of the destination port number per unit time;
the reflection attack detection module is used for inputting the real-time feature vector into a reflection attack detection model to obtain a reflection attack detection result; and the reflection attack detection result is whether the public network real-time traffic is the reflection attack traffic or not.
9. An electronic device comprising a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to perform a reflection attack detection method based on port data as claimed in any one of claims 1 to 7.
10. The electronic device of claim 9, wherein the memory is a readable storage medium.
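The claim 2 labelling loop and the claim 1 feature vector, traced over one observation window, as an added Python example that is not the patent's own code. The BAF and PAF equation images are absent from the page, so their ratio form (reply bytes over request bytes, reply count over request count), the threshold values, the protocol encoding and the sample packets are all assumptions.

```python
import statistics
from dataclasses import dataclass
# Added example, not the patent's code: ratio form of BAF/PAF, thresholds,
# protocol encoding and sample packets are all assumptions.
PROTO_CODES = {"dns": 0, "ntp": 1, "ssdp": 2, "memcached": 3}  # assumed encoding

@dataclass
class Pkt:
    proto: str        # application protocol name
    direction: str    # "in": request received by amplifier; "out": amplifier reply
    src_port: int
    dst_port: int
    payload_len: int  # UDP payload length in bytes

def amplification_factors(window):
    """Claims 3-4 over one window delta t: BAF = reply bytes / request bytes,
    PAF = reply count / request count (no requests -> divide by 1, not 0)."""
    req = [p for p in window if p.direction == "in"]
    rep = [p for p in window if p.direction == "out"]
    baf = sum(p.payload_len for p in rep) / (sum(p.payload_len for p in req) or 1)
    paf = len(rep) / (len(req) or 1)
    return baf, paf

def traffic_type(baf, paf, baf_thr=2.0, paf_thr=1.5):
    """Claim 5: normal only when BOTH factors are below threshold (thresholds assumed)."""
    return "normal" if baf < baf_thr and paf < paf_thr else "reflection"

def feature_vector(window, delta_t=1.0):
    """Claim 1 vector: [protocol code, messages per unit time, mean message length,
    std of source port, std of destination port], all over the same window."""
    if not window:
        raise ValueError("empty window")
    lengths = [p.payload_len for p in window]
    return [PROTO_CODES[window[0].proto], len(window) / delta_t, statistics.fmean(lengths),
            statistics.pstdev([p.src_port for p in window]),
            statistics.pstdev([p.dst_port for p in window])]

def label_window(window, delta_t=1.0):
    """Claim 2 loop body: label the window; a reflection window yields a training row."""
    baf, paf = amplification_factors(window)
    kind = traffic_type(baf, paf)
    row = (feature_vector(window, delta_t), 1) if kind == "reflection" else None
    return {"baf": baf, "paf": paf, "type": kind, "row": row}

# Constructed windows, not captured traffic: a DNS reflection burst (small spoofed
# queries, large answers) and a benign query/answer pair.
REFLECT = ([Pkt("dns", "in", 40000 + i, 53, 40) for i in range(3)]
           + [Pkt("dns", "out", 53, 40000 + i, 1200) for i in range(3)])
NORMAL = [Pkt("dns", "in", 51000, 53, 60), Pkt("dns", "out", 53, 51000, 80),
          Pkt("dns", "in", 51001, 53, 60), Pkt("dns", "out", 53, 51001, 80)]
```

Note that the reflection window is flagged by BAF alone (30x) while its PAF stays at 1.0, which is why claim 5 requires both factors to be under threshold before traffic is called normal.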
CN202311689563.1A 2023-12-11 2023-12-11 Reflection attack detection method and system based on port data and electronic equipment Pending CN117675381A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311689563.1A CN117675381A (en) 2023-12-11 2023-12-11 Reflection attack detection method and system based on port data and electronic equipment


Publications (1)

Publication Number Publication Date
CN117675381A true CN117675381A (en) 2024-03-08

Family

ID=90069552


Country Status (1)

Country Link
CN (1) CN117675381A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160028750A1 (en) * 2014-07-23 2016-01-28 Cisco Technology, Inc. Signature creation for unknown attacks
CN107135238A (en) * 2017-07-12 2017-09-05 中国互联网络信息中心 A kind of DNS reflection amplification attacks detection method, apparatus and system
CN109450876A (en) * 2018-10-23 2019-03-08 中国科学院信息工程研究所 A kind of DDos recognition methods and system based on various dimensions state-transition matrix feature
CN112953956A (en) * 2021-03-05 2021-06-11 中电积至(海南)信息技术有限公司 Reflection amplifier identification method based on active and passive combination
CN113206860A (en) * 2021-05-17 2021-08-03 北京交通大学 DRDoS attack detection method based on machine learning and feature selection



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination