CN119696904B - Deep learning DDoS detection method based on feature distribution test - Google Patents
Deep learning DDoS detection method based on feature distribution test
- Publication number
- CN119696904B (application CN202411878793.7A)
- Authority
- CN
- China
- Prior art keywords
- ddos
- features
- data
- tcn
- encoder
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a deep learning DDoS detection method based on feature distribution test, belonging to the field of information security. The method comprises the steps of: S1, collecting and preprocessing access data; S2, obtaining statistical features and frequency-domain features with a statistical method and the FFT; S3, extracting dynamic features with a TCN (Temporal Convolutional Network) autoencoder; S4, extracting static features from the statistical and frequency-domain features with a CNN; S5, establishing a loss function with the HSIC (Hilbert-Schmidt Independence Criterion) and optimizing the parameters of the TCN autoencoder with it; S6, concatenating the dynamic features and the static features and inputting them into a classifier to obtain a detection result; S7, establishing the loss function and training the network parameters against the result labels; and S8, performing DDoS attack detection on real-time access data with the trained network. The method improves the accuracy of the DDoS attack detection result, and the pruned trained network can directly perform efficient and accurate DDoS attack detection on time series data in the time domain.
Description
Technical Field
The invention relates to a deep learning DDoS detection method based on feature distribution test, belongs to the field of information security, and in particular relates to deep learning DDoS detection based on a test of the feature distributions.
Background
With the rapid development of the Internet, network security problems have become increasingly prominent, and in particular the distributed denial of service (DDoS) attack has become an important threat to the availability and stability of network services. A DDoS attack floods the target server with a large volume of malicious traffic so that it can no longer respond normally to the requests of legitimate users. This kind of attack not only disrupts the normal operation of an enterprise but can also cause significant economic loss and reputational damage. It is therefore important to study effective DDoS detection methods.
At present, detection technologies for DDoS attacks can be mainly classified as follows. (1) Threshold-based methods determine whether a DDoS attack is occurring by setting a traffic threshold; when the traffic exceeds the threshold the system raises an alarm. This approach is simple and easy to implement but has major limitations: an attacker can evade threshold detection by spreading traffic out, and fluctuations in normal traffic also produce false alarms that undermine the reliability of the system. (2) Feature-based methods identify DDoS attacks by analyzing characteristics of the network traffic such as traffic rate, connection count and packet size; common feature extraction techniques include statistical analysis and flow clustering. This approach is relatively efficient but still relies on manually selected features and may not adapt in time to new attacks. (3) Machine-learning-based methods: as machine learning technology has evolved, more and more research applies it to DDoS detection. By training a model, the system can automatically learn the difference between normal traffic and attack traffic; common algorithms include support vector machines (SVMs), decision trees and random forests. These methods improve detection accuracy to some extent but still face challenges in feature selection, model training and real-time operation. (4) Deep-learning-based methods use models such as convolutional neural networks and recurrent neural networks to extract high-dimensional features automatically and are suited to complex traffic patterns. Although deep learning performs well in DDoS detection, its demand for computational resources is high and the interpretability of the model is poor, which can cause difficulties in practical applications.
In essence, detection of DDoS attacks is a binary classification problem that can be implemented with a classifier, and the accuracy with which the classified variables, i.e. the features, represent the traffic is the determining factor in the accuracy of classification. Features of a single dimension lead to incomplete information, while naive fusion of features from multiple dimensions causes mutual interference and confusion of information.
Disclosure of Invention
The invention aims to overcome the defects in the prior art and provides a deep learning DDoS detection method based on feature distribution test, which is used to detect DDoS attacks accurately. The method extracts decoupled time-domain and frequency-domain features with a deep learning network, then uses the Hilbert-Schmidt Independence Criterion (HSIC) to relate the distributions of the time-domain and frequency-domain features and thereby optimize the parameters of the deep learning network, and finally classifies the features accurately with a classifier.
In order to achieve the above purpose, the present invention provides the following technical solutions:
The deep learning DDoS detection method based on the feature distribution test is characterized in that it comprises the following steps:
S1, collecting access data of a server and preprocessing it to obtain time series data;
S2, processing the time series data with a statistical method and the Fast Fourier Transform (FFT) respectively, to obtain statistical features and frequency-domain features;
S3, performing feature extraction on the time series data with a Temporal Convolutional Network (TCN) autoencoder, to obtain the dynamic features of the DDoS;
S4, concatenating (Concat) the statistical features and the frequency-domain features, then extracting features with a Convolutional Neural Network (CNN), to obtain the static features of the DDoS;
S5, using the HSIC to establish a loss function that measures the distribution difference between the dynamic features of the DDoS and the static features of the DDoS, and optimizing the parameters of the TCN autoencoder with it;
S6, concatenating (Concat) the dynamic features of the DDoS with the static features of the DDoS and inputting the result into a classifier, to obtain the DDoS attack detection result;
S7, establishing a loss function and training the convolutional neural network, the TCN autoencoder and the classifier on historical time series data together with detection result labels;
S8, detecting DDoS attacks in the real-time access data of the server with the network trained in step S7.
Further, the server access data is a network monitoring feature vector captured with a suitable monitoring tool (such as Wireshark, tcpdump, etc.), and also includes information such as the request timestamp, source IP address, destination port and request type.
Further, the preprocessing described in step S1 includes the following steps:
S101, data cleaning, including handling missing values, duplicate records and abnormal values, to ensure the integrity of the data set;
S102, data formatting, namely encoding and normalizing the data;
S103, data sorting, namely sorting the records of each IP address by timestamp and dividing them into sampling periods.
For the time series data $\{x_t \mid t=1,\dots,T\}$, the statistical features described in step S2 include the mean $\{\bar{x}_t \mid t=1,\dots,T\}$ and the variance $\{Dx_t \mid t=1,\dots,T\}$, taken across the access devices at each moment: $\bar{x}_t = \frac{1}{d}\sum_{i=1}^{d} X_{i,t}$ and $Dx_t = \frac{1}{d}\sum_{i=1}^{d}\left(X_{i,t}-\bar{x}_t\right)^2$, where $X_{i,t}$ is the monitoring feature vector of the $i$-th access device at moment $t$, $1 \le i \le d$, $T$ is the end moment of the monitoring period and $d$ is the total number of access devices. The frequency-domain features are the output obtained by applying the FFT to the monitoring features $\{X_{i,t} \mid t=1,\dots,T\}$ of any $i$-th access device over the $1\sim T$ cycles, $1 \le i \le d$.
It should be noted that the mean and variance reflect the overall static condition of the monitored feature vector and serve to correct for occasional changes in individual access devices, while the frequency-domain features reflect the local static condition of an individual access device.
Further, the input of the convolutional neural network is the statistical features and frequency-domain features of a single access device over the 1~T cycles, and the input of the TCN autoencoder is the time series data of that single access device over the 1~T cycles.
Further, the dimensions of the dynamic feature x of the DDoS and the static feature y of the DDoS are consistent, that is, the output dimensions of the convolutional neural network and of the TCN autoencoder are the same.
Further, the TCN autoencoder in step S3 is an autoencoder built from TCN networks, in which both the Encoder and the Decoder are TCN networks, and its reconstruction loss uses the mean-square error (MSE) function.
Further, the HSIC in step S5 is configured to measure the distribution difference between the dynamic feature $x$ of the DDoS and the static feature $y$ of the DDoS, and its loss function is $L_{HSIC} = \mathrm{HSIC}(x,y) = \|C_{xy}\|_{HS}^{2}$, where the cross-covariance operator is $C_{xy} = E_{xy}\left[(\varphi(x)-\mu_x)\otimes(\psi(y)-\mu_y)\right]$, $\mu_x = E_x\,\varphi(x)$, $\mu_y = E_y\,\psi(y)$, $\otimes$ is the tensor product, $\varphi(x)$ and $\psi(y)$ are given nonlinear mappings of $x$ and $y$, $E_x$ and $E_y$ are the mean operators over $x$ and $y$, $E_{xy}$ is the expectation operator over the joint distribution of $x$ and $y$, and for any matrix $A=[a_{i,j}]$ the Hilbert-Schmidt norm is $\|A\|_{HS}^{2} = \sum_{i,j} a_{i,j}^{2}$.
Further, the classifier is built with a support vector machine or a random forest, and the corresponding classes are DDoS attack behavior and non-DDoS behavior.
Preferably, the classifier is a multi-class classifier, and the corresponding classes are the individual DDoS attack behaviors and non-DDoS behavior.
Preferably, the loss function described in step S7 is a cross-entropy loss function.
Preferably, for real-time detection, the Concat connection in step S6 is replaced by a weighted average, and in real-time detection only the trained TCN autoencoder followed in series by the classifier is used in step S8 to detect DDoS attacks directly.
Furthermore, for the purpose of result interpretation, the TCN autoencoder is replaced by a Kolmogorov-Arnold Network (KAN for short), and the classifier is a linear transformation $Y = A \cdot X + B$ followed in series by a Sigmoid function, so that efficient and interpretable real-time DDoS attack detection can be realized, where $A$ and $B$ are the weights to be trained, $X$ is the weighted-average vector and $Y$ is the one-dimensional result.
Further, the loss function is $Loss = L_{cross}(s, label) + \|A\|^{2} + \|B\|^{2}$, where $L_{cross}(s, label)$ is the cross-entropy loss function, $s$ is the DDoS attack detection result output by the classifier, and $label$ is the label of the time series data.
An electronic device comprising at least one processor, and a memory communicatively coupled to the at least one processor, wherein,
The memory stores a computer program for execution by the at least one processor to enable the at least one processor to perform the feature distribution verification-based deep learning DDoS detection method described above.
Finally, the invention also discloses a computer-readable storage medium storing computer instructions which, when executed by a processor, cause the processor to implement the deep learning DDoS detection method based on feature distribution test described above.
The deep learning DDoS detection method based on feature distribution test has the following advantages: the features are decoupled into the time domain and the frequency domain; dynamic and static features are then separated with the help of statistical analysis; the features are extracted by a convolutional neural network (for the static features of the DDoS) and a TCN autoencoder (for the dynamic features of the DDoS) connected in parallel; the feature distribution spaces are orthogonalized with the HSIC; and the generalization capability of the network and the expressive precision of the features are improved. The invention uses supervised learning to improve the accuracy of the DDoS attack detection result, and the pruned trained network can directly perform efficient and accurate DDoS attack detection on time series data in the time domain.
Drawings
In order to make the purpose and technical scheme of the invention more clear, the invention is illustrated by the following drawings:
fig. 1 is a flowchart of a deep learning DDoS detection method based on feature distribution test in embodiment 1 of the present invention, wherein solid arrows are data transmission directions, and dotted arrows are training feedback directions;
fig. 2 is a flowchart of a deep learning DDoS detection method based on feature distribution test in embodiment 2 of the present invention, wherein solid arrows are data transmission directions, and dotted arrows are training feedback directions;
fig. 3 is a diagram of the trained DDoS detection network architecture in embodiment 2 of the present invention;
fig. 4 is a flowchart of a deep learning DDoS detection method based on feature distribution test in embodiment 3 of the present invention, wherein solid arrows are data transmission directions, and dotted arrows are training feedback directions;
fig. 5 is a diagram of the trained DDoS detection network architecture in embodiment 3 of the present invention;
fig. 6 is a schematic structural diagram of an electronic device in embodiment 4 of the present invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings and examples in order to make the objects and technical solutions of the present invention more clear.
Embodiment 1. For a server providing an access query service to the outside, in order to guarantee the security of the server it is proposed to detect DDoS attacks and their types in real time. Because historical data for the server are lacking, training and testing are carried out here with the CSE-CIC-IDS2018 dataset (https://www.unb.ca/cic/datasets/ids-2018.html) as the historical dataset, after which the monitoring features sampled from the server in real time are analyzed. This embodiment provides a deep learning DDoS detection method based on feature distribution test.
Specifically, in connection with fig. 1, the following steps are included:
Step one, preprocess the CSE-CIC-IDS2018 dataset to obtain time series data.
The CSE-CIC-IDS2018 dataset contains 80 monitoring features covering a wide range of network traffic attributes, providing comprehensive data support for research on intrusion detection systems. In this embodiment only DDoS attacks are considered, so only part of the CSE-CIC-IDS2018 features, such as the timestamp, source IP address, access traffic and other monitoring features, are used, together with the label of the specific attack category.
The preprocessing steps specifically include:
S101, data cleaning, including handling missing values, duplicate records and abnormal values, to ensure the integrity of the data set;
S102, data formatting, namely encoding the data with one-hot encoding and normalizing it with Z-score normalization;
S103, data sorting, namely sorting the records of each IP address by timestamp and dividing them into sampling periods.
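The following is an added example, not part of the patent, that carries the S101 to S103 preprocessing (described in the Disclosure and again in this embodiment) through on a small constructed flow table. The column names (timestamp, src_ip, dst_port, req_type, bytes), the validity rules used for "abnormal values" and the 10-second sampling period are assumptions of the example. The one design choice worth noticing is that "abnormal value" is treated as a validity check rather than a statistical outlier test, because for DDoS the extreme traffic value is the evidence the detector needs to keep.

```python
"""Added example (not from the patent): S101-S103 preprocessing over a
constructed flow table. Column names, validity rules and the sampling
period are assumptions of this example."""
import math
from collections import defaultdict

NUMERIC = ("bytes",)          # Z-scored in S102
CATEGORICAL = ("req_type",)   # one-hot encoded in S102

# Constructed rows in the spirit of CSE-CIC-IDS2018 flow records. Row 3 is an
# exact duplicate of row 2, row 5 has a missing value, row 6 has an
# impossible port; S101 must drop those three and keep the other five.
RAW_ROWS = [
    {"timestamp": 1000.0, "src_ip": "10.0.0.1", "dst_port": 80, "req_type": "GET", "bytes": 500.0},
    {"timestamp": 1001.0, "src_ip": "10.0.0.2", "dst_port": 80, "req_type": "POST", "bytes": 1200.0},
    {"timestamp": 1001.0, "src_ip": "10.0.0.2", "dst_port": 80, "req_type": "POST", "bytes": 1200.0},
    {"timestamp": 1002.0, "src_ip": "10.0.0.1", "dst_port": 443, "req_type": "GET", "bytes": 700.0},
    {"timestamp": 1003.0, "src_ip": "10.0.0.1", "dst_port": 80, "req_type": "GET", "bytes": None},
    {"timestamp": 1004.0, "src_ip": "10.0.0.2", "dst_port": 70000, "req_type": "GET", "bytes": 300.0},
    {"timestamp": 1011.0, "src_ip": "10.0.0.1", "dst_port": 80, "req_type": "GET", "bytes": 650.0},
    {"timestamp": 1012.0, "src_ip": "10.0.0.2", "dst_port": 80, "req_type": "GET", "bytes": 90000.0},
]

def is_abnormal(row):
    """'Abnormal value' as a validity check, not a statistical outlier test:
    the 90000-byte burst in the last row is exactly the evidence a DDoS
    detector must keep, so only impossible values are rejected."""
    return not (0 <= row["dst_port"] <= 65535) or row["bytes"] < 0

def clean(rows):
    """S101: drop rows with missing values, exact duplicates and abnormal values."""
    seen, kept = set(), []
    for row in rows:
        if any(v is None for v in row.values()):
            continue
        key = tuple(sorted(row.items()))
        if key in seen or is_abnormal(row):
            continue
        seen.add(key)
        kept.append(dict(row))
    return kept

def format_rows(rows):
    """S102: one-hot encode categorical columns, Z-score numeric columns.
    In production the mean/std come from the training split only, so that
    inference-time data cannot shift the normalization."""
    categories = {c: sorted({r[c] for r in rows}) for c in CATEGORICAL}
    stats = {}
    for c in NUMERIC:
        vals = [r[c] for r in rows]
        mu = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mu) ** 2 for v in vals) / len(vals)) or 1.0
        stats[c] = (mu, sd)
    out = []
    for r in rows:
        vec = {"timestamp": r["timestamp"], "src_ip": r["src_ip"]}
        for c in NUMERIC:
            mu, sd = stats[c]
            vec[c] = (r[c] - mu) / sd
        for c in CATEGORICAL:
            for value in categories[c]:
                vec[f"{c}={value}"] = 1.0 if r[c] == value else 0.0
        out.append(vec)
    return out

def to_sequences(rows, period):
    """S103: per source IP, order by timestamp and bucket into sampling
    periods of `period` seconds counted from the earliest timestamp."""
    t0 = min(r["timestamp"] for r in rows)
    by_ip = defaultdict(lambda: defaultdict(list))
    for r in sorted(rows, key=lambda r: (r["src_ip"], r["timestamp"])):
        by_ip[r["src_ip"]][int((r["timestamp"] - t0) // period)].append(r)
    return {ip: dict(buckets) for ip, buckets in by_ip.items()}

def preprocess(rows, period=10.0):
    """S1 end to end: returns {src_ip: {period_index: [feature rows ...]}}."""
    return to_sequences(format_rows(clean(rows)), period)
```

`preprocess(RAW_ROWS)` yields, per source IP, the per-period lists that step S3 feeds to the autoencoder one device at a time; the Z-score statistics must be frozen from the training split when the same function is applied to real-time data in step S8.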
Step two, process the time series data with a statistical method and the Fast Fourier Transform (FFT) respectively, to obtain statistical features and frequency-domain features.
For the time series data $\{x_t \mid t=1,\dots,T\}$, the statistical features include the mean $\{\bar{x}_t \mid t=1,\dots,T\}$ and the variance $\{Dx_t \mid t=1,\dots,T\}$, taken across the access devices at each moment: $\bar{x}_t = \frac{1}{d}\sum_{i=1}^{d} X_{i,t}$ and $Dx_t = \frac{1}{d}\sum_{i=1}^{d}\left(X_{i,t}-\bar{x}_t\right)^2$, where $X_{i,t}$ is the monitoring feature vector of the $i$-th access device at moment $t$, $1 \le i \le d$, $T$ is the end moment of the monitoring period and $d$ is the total number of access devices. The frequency-domain features are the output obtained by applying the FFT to the monitoring features $\{X_{i,t} \mid t=1,\dots,T\}$ of any $i$-th access device over the $1\sim T$ cycles, $1 \le i \le d$.
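As an added example (not from the patent), the step-two features above, and the same definitions given in the Disclosure, computed in numpy for a constructed monitoring matrix. The monitoring feature here is a scalar request rate per device, so $X$ has shape $(d, T)$; a feature vector per device would add a third axis and the same calls apply unchanged. Three devices are steady and one pulses every 8 moments, the kind of periodic flood that the per-device FFT exposes as a single dominant frequency while the cross-device mean and variance only show the aggregate level. The data and shapes are assumptions of this example.

```python
"""Added example (not from the patent): step-S2 statistical and
frequency-domain features. Constructed data; shapes are assumptions."""
import numpy as np

def constructed_rates(T=32):
    """Constructed X[i, t]: request rate of device i at moment t.
    Devices 0-2 are steady; device 3 pulses with period 8 moments."""
    t = np.arange(T)
    burst = np.maximum(0.0, np.cos(2 * np.pi * t / 8))   # half-wave pulse train
    return np.stack([np.full(T, 1.0), np.full(T, 2.0), np.full(T, 3.0),
                     1.0 + 5.0 * burst])                 # shape (d, T)

def statistical_features(X):
    """Mean and (population) variance across the d access devices at every
    moment t: the global picture that smooths out single-device hiccups."""
    return X.mean(axis=0), X.var(axis=0)                # each shape (T,)

def frequency_features(X):
    """Per-device magnitude spectrum of its 1..T series. rfft keeps the
    non-redundant half of the spectrum for real-valued input."""
    return np.abs(np.fft.rfft(X, axis=1))               # shape (d, T//2 + 1)

def dominant_period(spectrum, T):
    """Period in moments of the strongest non-DC component of each device;
    bin k of an rfft over T samples corresponds to period T / k."""
    peak_bin = np.argmax(spectrum[:, 1:], axis=1) + 1
    return T / peak_bin
```

For the constructed matrix the cross-device mean at $t=0$ is $(1+2+3+6)/4 = 3$ with variance $3.5$, while `dominant_period` reports 8 moments for device 3; a flat device has no meaningful non-DC peak, so in practice the peak should be compared against the DC bin or a noise floor before being trusted.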
Step three, perform feature extraction on the time series data with a TCN autoencoder to obtain the dynamic features of the DDoS.
The TCN autoencoder is built from TCN networks, in which both the Encoder and the Decoder are TCN networks, and its reconstruction loss uses the mean-square error (MSE) function. The input of the TCN autoencoder is the time series data of a single access device over the 1~T cycles.
Step four, concatenate (Concat) the statistical features and the frequency-domain features, then extract features with a Convolutional Neural Network (CNN) to obtain the static features of the DDoS.
The dimensions of the dynamic feature x of the DDoS and the static feature y of the DDoS are consistent, that is, the output dimensions of the convolutional neural network and of the TCN autoencoder are the same. The input of the convolutional neural network is the statistical features and frequency-domain features of a single access device over the 1~T cycles.
Step five, use the HSIC to establish a loss function that measures the distribution difference between the dynamic features of the DDoS and the static features of the DDoS, and optimize the parameters of the TCN autoencoder with it.
The HSIC measures the distribution difference between the dynamic feature $x$ of the DDoS and the static feature $y$ of the DDoS, and the loss function is $L_{HSIC} = \mathrm{HSIC}(x,y) = \|C_{xy}\|_{HS}^{2}$, where the cross-covariance operator is $C_{xy} = E_{xy}\left[(\varphi(x)-\mu_x)\otimes(\psi(y)-\mu_y)\right]$, $\mu_x = E_x\,\varphi(x)$, $\mu_y = E_y\,\psi(y)$, $\otimes$ is the tensor product, $\varphi(x)$ and $\psi(y)$ are given nonlinear mappings of $x$ and $y$, $E_x$ and $E_y$ are the mean operators over $x$ and $y$, $E_{xy}$ is the expectation operator over the joint distribution of $x$ and $y$, and for any matrix $A=[a_{i,j}]$ the Hilbert-Schmidt norm is $\|A\|_{HS}^{2} = \sum_{i,j} a_{i,j}^{2}$.
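The operator definition above (stated once in the Disclosure and again here) is not computable directly; what a training loop evaluates on a mini-batch is the biased empirical estimator of Gretton et al. (2005), $\mathrm{HSIC}_b = \operatorname{tr}(KHLH)/(n-1)^2$, where $K$ and $L$ are kernel Gram matrices of the dynamic and static feature batches and $H = I - \mathbf{1}\mathbf{1}^{T}/n$ centres them. The following added example, not code from the patent, implements that estimator with Gaussian kernels, and adds the check a practitioner needs before reading the number: the biased estimator is strictly positive even for independent finite samples, so the observed value is compared against a permutation null. The kernel choice, the median-distance bandwidth, the batch size and the constructed feature batches are assumptions of the example.

```python
"""Added example (not from the patent): empirical HSIC_b with Gaussian
kernels plus a permutation null. Kernel, bandwidth and data are assumptions."""
import numpy as np

def gaussian_gram(Z, sigma=None):
    """K_ij = exp(-||z_i - z_j||^2 / (2 sigma^2)); sigma defaults to the
    median pairwise distance, a common bandwidth heuristic."""
    sq = np.sum(Z * Z, axis=1)
    d2 = np.maximum(sq[:, None] + sq[None, :] - 2.0 * Z @ Z.T, 0.0)
    if sigma is None:
        off_diagonal = d2[~np.eye(len(Z), dtype=bool)]
        sigma = float(np.sqrt(np.median(off_diagonal))) or 1.0
    return np.exp(-d2 / (2.0 * sigma ** 2))

def hsic(X, Y, sigma_x=None, sigma_y=None):
    """HSIC_b = tr(K H L H) / (n-1)^2 with centring matrix H = I - 11^T/n.
    tr(K H L H) = <HKH, HLH>_F is non-negative because both factors are PSD;
    it is zero in the population iff x and y are independent."""
    n = len(X)
    K, L = gaussian_gram(X, sigma_x), gaussian_gram(Y, sigma_y)
    H = np.eye(n) - np.ones((n, n)) / n
    return float(np.trace(K @ H @ L @ H)) / (n - 1) ** 2

def hsic_permutation_pvalue(X, Y, n_perm=200, seed=0):
    """Null reference: HSIC_b is positive even for independent finite
    samples, so compare the observed value with row-shuffled Y."""
    rng = np.random.default_rng(seed)
    observed = hsic(X, Y)
    null = np.array([hsic(X, Y[rng.permutation(len(Y))]) for _ in range(n_perm)])
    return observed, float(np.mean(null >= observed))

def constructed_features(n=200, m=4, seed=1):
    """Constructed 'dynamic' (X) and 'static' feature batches: Y_dep is a
    smooth nonlinear function of X plus noise, Y_ind is unrelated to X."""
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(n, m))
    W = rng.normal(size=(m, m)) / np.sqrt(m)
    Y_dep = np.tanh(X @ W) + 0.1 * rng.normal(size=(n, m))
    Y_ind = rng.normal(size=(n, m))
    return X, Y_dep, Y_ind
```

Whether the training loop minimises this value (to push the dynamic and static feature distributions apart, the "orthogonalization" the description speaks of) or uses it as a coupling term, the permutation p-value is what tells you whether a small HSIC actually means independence or is just the finite-sample floor of the estimator.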
Step six, concatenate (Concat) the dynamic features of the DDoS with the static features of the DDoS and input the result into a classifier to obtain the DDoS attack detection result.
The classifier is a multi-class classifier built on a support vector machine, and its classes are the individual DDoS attack behaviors and non-DDoS behavior.
Step seven, establish a Focal loss function based on cross entropy, and train the convolutional neural network, the TCN autoencoder and the classifier on historical time series data together with detection result labels.
Step eight, detect DDoS attacks in the real-time access data of the server with the network trained in step seven.
Embodiment 2. For the scenario of Embodiment 1, only whether a DDoS attack is occurring needs to be detected in real time, and the timeliness of real-time detection is to be improved; this embodiment provides a deep learning DDoS detection method based on feature distribution test.
The parts identical to Embodiment 1 are not repeated here. With reference to fig. 2, the steps include:
Step one, preprocess the CSE-CIC-IDS2018 dataset to obtain time series data.
Here the labels of the CSE-CIC-IDS2018 dataset need to be re-mapped to the two classes DDoS attack and non-DDoS attack.
Step two, process the time series data with a statistical method and the Fast Fourier Transform (FFT) respectively, to obtain statistical features and frequency-domain features.
Step three, perform feature extraction on the time series data with a TCN autoencoder to obtain the dynamic features of the DDoS.
Step four, concatenate (Concat) the statistical features and the frequency-domain features, then extract features with a Convolutional Neural Network (CNN) to obtain the static features of the DDoS.
Step five, use the HSIC to establish a loss function that measures the distribution difference between the dynamic features of the DDoS and the static features of the DDoS, and optimize the parameters of the TCN autoencoder with it.
Step six, take the weighted average of the dynamic features of the DDoS and the static features of the DDoS, and input it into a classifier to obtain the DDoS attack detection result.
The classifier is built with a random forest, and its classes are DDoS attack behavior and non-DDoS behavior.
Step seven, establish a binary cross-entropy loss function, and train the convolutional neural network, the TCN autoencoder and the classifier on historical time series data together with detection result labels.
Step eight, with reference to fig. 3, perform real-time DDoS attack detection directly with the TCN autoencoder followed in series by the classifier, as trained in step seven.
Embodiment 3. For personal electronic devices such as laptop computers, mobile phones and smart wearables, in order to protect the device from DDoS attacks and to analyze the causes of an attack, the invention provides a deep learning DDoS detection method based on feature distribution test.
The training set and test set are the same as in Embodiment 2, and the method steps are also essentially the same as in Embodiment 2; the identical parts are not repeated here. With reference to fig. 4, the steps include:
Step one, preprocess the CSE-CIC-IDS2018 dataset to obtain time series data.
Here the labels of the CSE-CIC-IDS2018 dataset need to be re-mapped to the two classes DDoS attack and non-DDoS attack.
Step two, process the time series data with a statistical method and the Fast Fourier Transform (FFT) respectively, to obtain statistical features and frequency-domain features.
Step three, perform feature extraction on the time series data with a KAN to obtain the dynamic features of the DDoS.
Step four, concatenate (Concat) the statistical features and the frequency-domain features, then extract features with a Convolutional Neural Network (CNN) to obtain the static features of the DDoS.
Step five, use the HSIC to establish a loss function that measures the distribution difference between the dynamic features of the DDoS and the static features of the DDoS, and optimize the parameters of the KAN with it.
Step six, take the weighted average of the dynamic features of the DDoS and the static features of the DDoS, and input it into a classifier to obtain the DDoS attack detection result.
The classifier is a linear transformation $Y = A \cdot X + B$ followed in series by a Sigmoid function, where $A$ and $B$ are the weights to be trained, $X$ is the weighted-average vector and $Y$ is the one-dimensional result; the decision threshold on the Sigmoid output is set to 0.5.
Step seven, establish the loss function $Loss = L_{cross}(s, label) + \|A\|^{2} + \|B\|^{2}$, and train the convolutional neural network, the KAN and the classifier on historical time series data together with detection result labels.
Here $L_{cross}(s, label)$ is the cross-entropy loss function, $s$ is the DDoS attack detection result output by the classifier, and $label$ is the label of the time series data.
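The following added example, not code from the patent, shows the Embodiment-3 head in isolation, which is also the head described in the Disclosure: weighted-average fusion of a dynamic and a static feature vector of equal dimension, the linear map $Y = A \cdot X + B$ with a Sigmoid and a 0.5 threshold, and the loss $L_{cross} + \|A\|^{2} + \|B\|^{2}$ minimised by plain gradient descent. The KAN and CNN that would produce the two vectors are stood in for by constructed random vectors, the label rule, fusion weight, learning rate, epoch count and the regularisation coefficient `lam` (written as 1 in the patent's formula) are assumptions, and `feature_ranking` is the weight analysis that step nine uses to name the most influential feature.

```python
"""Added example (not from the patent): linear + Sigmoid head trained with
cross-entropy + ||A||^2 + ||B||^2 on weighted-average fused features.
Data, fusion weight, learning rate and epochs are assumptions."""
import numpy as np

def fuse(dynamic, static, alpha=0.5):
    """Weighted-average fusion used in place of Concat for real-time
    detection; both inputs must share the same dimension."""
    assert dynamic.shape == static.shape
    return alpha * dynamic + (1.0 - alpha) * static

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def loss_and_grads(A, B, X, label, lam=1.0):
    """Loss = mean cross-entropy + lam * (||A||^2 + ||B||^2), with gradients.
    lam=1.0 reproduces the patent's formula literally."""
    p = sigmoid(X @ A + B)
    eps = 1e-12
    ce = -np.mean(label * np.log(p + eps) + (1.0 - label) * np.log(1.0 - p + eps))
    loss = ce + lam * (A @ A + B * B)
    err = p - label                                  # dCE/dlogit for each sample
    dA = X.T @ err / len(X) + 2.0 * lam * A
    dB = float(np.mean(err)) + 2.0 * lam * B
    return float(loss), dA, dB

def train(X, label, lam=1.0, lr=0.1, epochs=300):
    """Full-batch gradient descent from A = 0, B = 0 (objective is convex)."""
    A, B = np.zeros(X.shape[1]), 0.0
    for _ in range(epochs):
        _, dA, dB = loss_and_grads(A, B, X, label, lam)
        A, B = A - lr * dA, B - lr * dB
    return A, B

def predict(A, B, X, threshold=0.5):
    """1 = DDoS attack, 0 = non-DDoS, thresholding the Sigmoid output."""
    return (sigmoid(X @ A + B) >= threshold).astype(int)

def feature_ranking(A):
    """Step-nine style weight analysis: feature indices ordered by |weight|."""
    return [int(i) for i in np.argsort(-np.abs(A))]

def constructed_batch(n=1000, m=6, seed=0):
    """Constructed stand-ins for the KAN (dynamic) and CNN (static) outputs,
    fused, and labelled by a constructed rule that depends on features 2 and 0."""
    rng = np.random.default_rng(seed)
    dynamic, static = rng.normal(size=(n, m)), rng.normal(size=(n, m))
    X = fuse(dynamic, static)
    label = (2.0 * X[:, 2] - X[:, 0] > 0).astype(float)
    return X, label
```

With `lam=1.0` the penalty on $A$ and $B$ is heavy relative to the mean cross-entropy, so the learned weights stay small and the Sigmoid outputs cluster near 0.5; the sign of the decision is still correct and the ranking by $|A|$ recovers the two features the constructed rule depends on. Penalising the bias $B$ is unusual, and with the class imbalance typical of DDoS traffic the 0.5 threshold is a tuning choice rather than a given.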
Step eight, with reference to fig. 5, perform real-time DDoS attack detection directly with the KAN followed in series by the classifier, as trained in step seven.
Step nine, when a DDoS attack is identified, revoke the access permission of the access device, generate the symbolic expressions relating the input to the output with the symbolic-expression capability of the KAN, and select the feature of the time series data with the largest weight by weight analysis.
Embodiment 4. For the scenario of Embodiment 1, fig. 6 shows a schematic structural diagram of an electronic device (90) that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other appropriate computers.
Electronic devices may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.) and other similar computing devices. The components shown herein, their connections and relationships, and their functions are meant to be exemplary only and are not meant to limit the implementations of the invention described and/or claimed herein.
As shown in fig. 6, the electronic device (90) includes at least one processor (91) and a memory, such as a read-only memory (ROM) (92) and a random-access memory (RAM) (93), communicatively connected to the at least one processor (91). The memory stores a computer program executable by the at least one processor, and the processor (91) may perform various appropriate actions and processes according to the computer program stored in the ROM (92) or loaded from the storage unit (98) into the RAM (93). The RAM (93) may also store various programs and data required for the operation of the electronic device (90). The processor (91), the ROM (92) and the RAM (93) are connected to each other by a bus (94). An input/output (I/O) interface (95) is also connected to the bus (94).
The components of the electronic device (90) connected to the I/O interface (95) include an input unit (96) such as a keyboard or mouse, an output unit (97) such as displays and speakers of various types, a storage unit (98) such as a magnetic disk or optical disk, and a communication unit (99) such as a network card, modem or wireless transceiver. The communication unit (99) allows the electronic device (90) to exchange information/data with other devices via a computer network such as the Internet and/or various telecommunication networks.
The processor (91) may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Examples of the processor (91) include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various specialized artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, digital signal processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor (91) performs the various methods and processes described above, such as the deep learning DDoS detection method based on feature distribution test.
In some embodiments, the deep learning DDoS detection method based on feature distribution test may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit (98). In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device (90) via the ROM (92) and/or the communication unit (99). When the computer program is loaded into the RAM (93) and executed by the processor (91), one or more steps of the deep learning DDoS detection method based on feature distribution test described above may be performed. Alternatively, in other embodiments, the processor (91) may be configured to perform the method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuit systems, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special- or general-purpose programmable processor, able to receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), a blockchain network, and the Internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of high management difficulty and weak service scalability found in traditional physical hosts and VPS services.
Finally, it is noted that the above-mentioned preferred embodiments are only intended to illustrate rather than limit the invention, and that, although the invention has been described in detail by means of the above-mentioned preferred embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention as defined by the appended claims.
Claims (9)
1. A deep learning DDoS detection method based on the feature distribution test, characterized in that it comprises the following steps:
S1, collecting access data of a server and preprocessing it to obtain time series data;
S2, processing the time series data with a statistical method and with the Fast Fourier Transform (FFT), respectively, to obtain statistical features and frequency domain features;
S3, performing feature extraction on the time series data with a Temporal Convolutional Network (TCN) self-encoder to obtain the dynamic features of the DDoS;
S4, splicing the statistical features and the frequency domain features by a Concat connection, then extracting features with a Convolutional Neural Network (CNN) to obtain the static features of the DDoS;
S5, using HSIC (the Hilbert-Schmidt Independence Criterion) to establish a loss function that measures the distribution difference between the dynamic features of the DDoS and the static features of the DDoS, and optimizing the parameters of the TCN self-encoder;
S6, Concat-connecting the dynamic features of the DDoS with the static features of the DDoS, and inputting the result into a classifier to obtain the detection result for the DDoS attack;
S7, establishing a loss function and training the convolutional neural network, the TCN self-encoder and the classifier on historical time series data combined with detection result labels;
S8, detecting DDoS attacks on the real-time access data of the server with the network trained in step S7;
For the time series data {x_t | t = 1, ..., T}, the statistical features described in step S2 include the mean value and the variance {Dx_t | t = 1, ..., T}, wherein X_{i,t} is the monitoring feature vector of the i-th access device at moment t, 1 ≤ i ≤ d, T is the end moment of the monitoring period, and d is the total number of access devices; the frequency domain features are the output obtained by processing the monitoring features of any i-th access device over periods 1 to T with the FFT, 1 ≤ i ≤ d;
The input of the convolutional neural network is the statistical features and the frequency domain features of a single access device over periods 1 to T; the input of the TCN self-encoder is the time series data of a single access device over periods 1 to T;
The dimension of the dynamic feature x of the DDoS is consistent with that of the static feature y of the DDoS, that is, the output dimensions of the convolutional neural network and of the TCN self-encoder are the same;
The TCN self-encoder in step S3 is a self-encoder constructed from TCN networks, where both the Encoder and the Decoder of the self-encoder are TCN networks, and the mean-square error (MSE) function is adopted as its loss function;
the HSIC in step S5 is configured to measure the distribution difference between the dynamic feature x of the DDoS and the static feature y of the DDoS, and its loss function is defined through the cross-covariance operator, wherein μ_x = E_x φ(x), ⊗ denotes the tensor product, φ(x) and the corresponding mapping of y are given nonlinear mappings of x and y, E_x and E_y are the expectation operators for x and y, E_xy is the expectation operator for the joint distribution of x and y, and for any matrix A = [a_{i,j}], there is
The classifier is a classifier built by a support vector machine or a random forest, and the corresponding classes are DDoS attack behaviors and DDoS attack-free behaviors.
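As an added illustration (not code from the patent), the following Python sketches steps S2 and S5 of claim 1 on a constructed two-device sample: mean and variance plus DFT magnitudes as the statistical and frequency-domain features, and an HSIC value between two feature sets. The HSIC used is the standard biased empirical estimator with Gaussian kernels, assumed here because the claim's own formula is not reproduced on the page; the TCN self-encoder, CNN and classifier are omitted.

```python
import cmath
import math

# Constructed sample input (not real traffic): one monitoring feature per access
# device (e.g. requests per sampling period) over T = 8 periods, as output by S1.
SERIES = {
    "dev_a": [12.0, 11.0, 13.0, 12.0, 11.0, 12.0, 13.0, 12.0],  # steady client
    "dev_b": [2.0, 40.0, 3.0, 41.0, 2.0, 39.0, 4.0, 40.0],      # bursty client
}

def stat_features(series):
    """Step S2 statistical features: mean and (population) variance over 1..T."""
    n = len(series)
    mean = sum(series) / n
    var = sum((v - mean) ** 2 for v in series) / n
    return mean, var

def dft_magnitudes(series):
    """Step S2 frequency-domain features: |X_k| of the DFT (plain O(T^2) form)."""
    n = len(series)
    return [abs(sum(series[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n)]

def gaussian_kernel(rows, sigma):
    """K[i][j] = exp(-||r_i - r_j||^2 / (2 sigma^2)); the feature map phi is implicit."""
    def sqdist(a, b):
        return sum((p - q) ** 2 for p, q in zip(a, b))
    return [[math.exp(-sqdist(a, b) / (2 * sigma ** 2)) for b in rows] for a in rows]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def hsic(x_rows, y_rows, sigma=1.0):
    """Biased empirical HSIC estimate tr(K H L H) / (n-1)^2 with H = I - 11^T/n
    (Gretton et al. 2005; assumed here in place of the page's unreproduced formula).
    Returns 0 when y carries no information about x and grows with dependence."""
    n = len(x_rows)
    h = [[(1.0 if i == j else 0.0) - 1.0 / n for j in range(n)] for i in range(n)]
    khlh = matmul(matmul(matmul(gaussian_kernel(x_rows, sigma), h),
                         gaussian_kernel(y_rows, sigma)), h)
    return sum(khlh[i][i] for i in range(n)) / (n - 1) ** 2

if __name__ == "__main__":
    for dev, s in SERIES.items():
        print(dev, stat_features(s), [round(m, 1) for m in dft_magnitudes(s)])
    dyn = [[v] for v in SERIES["dev_b"]]          # stand-in for per-period dynamic rows
    print("HSIC(dyn, dyn)   =", round(hsic(dyn, dyn, sigma=10.0), 4))
    print("HSIC(dyn, const) =", round(hsic(dyn, [[1.0]] * len(dyn), sigma=10.0), 4))
```

The bursty device shows up both in a large variance and in a strong non-zero DFT bin, and the HSIC against a constant feature set is exactly zero, which is the behaviour the S5 loss relies on when pulling the dynamic and static feature distributions together.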
2. The deep learning DDoS detection method based on the feature distribution test according to claim 1, wherein the preprocessing of step S1 comprises the following steps:
S101, data cleaning, including handling missing values, duplicate records and outliers, to ensure the integrity of the data set;
S102, data formatting, namely encoding and normalizing the data format;
S103, data sorting, namely sorting the data by timestamp for each IP address in turn and dividing it by sampling period.
3. The deep learning DDoS detection method based on the feature distribution test according to claim 1, wherein the classifier is a multi-class classifier whose classes are the individual DDoS attack types and no DDoS attack.
4. The deep learning DDoS detection method based on the feature distribution test according to claim 1, wherein the loss function of step S7 is a cross entropy loss function.
5. The deep learning DDoS detection method based on the feature distribution test according to claim 1, wherein the Concat connection in step S6 is replaced by a weighted average, and in real-time monitoring only the trained TCN self-encoder connected in series with the classifier is used in step S8 to perform real-time detection of DDoS attacks directly.
6. The deep learning DDoS detection method based on the feature distribution test according to claim 5, wherein the TCN self-encoder is replaced by a Kolmogorov-Arnold Network (KAN for short), and the classifier is a linear transformation Y = A·X + B connected in series with a Sigmoid function, which can realize efficient and interpretable real-time detection of DDoS attacks, wherein A and B are the weight matrices to be trained, X is the weighted average vector, and Y is the one-dimensional result.
7. The deep learning DDoS detection method based on the feature distribution test according to claim 6, wherein the loss function is Loss = L_cross(s, label) + ||A||_2 + ||B||_2, wherein L_cross(s, label) is a cross entropy loss function, s is the DDoS attack detection result output by the classifier, and label is the label of the time series data.
8. An electronic device for carrying out the method of any one of claims 1 to 7, characterized in that it comprises at least one processor and a memory communicatively connected to the at least one processor, wherein the memory stores a computer program executable by the at least one processor, and the computer program, when executed by the at least one processor, enables the at least one processor to carry out the aforementioned deep learning DDoS detection method based on the feature distribution test.
9. A computer readable storage medium for the method of any one of claims 1 to 7, wherein the computer readable storage medium stores computer instructions configured to cause a processor, when executing them, to implement the deep learning DDoS detection method based on the feature distribution test.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411878793.7A CN119696904B (en) | 2024-12-19 | 2024-12-19 | Deep learning DDoS detection method based on feature distribution test |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411878793.7A CN119696904B (en) | 2024-12-19 | 2024-12-19 | Deep learning DDoS detection method based on feature distribution test |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119696904A CN119696904A (en) | 2025-03-25 |
| CN119696904B true CN119696904B (en) | 2025-09-23 |
Family
ID=95036810
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411878793.7A Active CN119696904B (en) | 2024-12-19 | 2024-12-19 | Deep learning DDoS detection method based on feature distribution test |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119696904B (en) |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117834291A (en) * | 2024-01-10 | 2024-04-05 | 内蒙古工业大学 | A DDoS attack detection method and device in an SDN environment |
| CN118233200A (en) * | 2024-04-16 | 2024-06-21 | 中国工商银行股份有限公司 | DDoS attack detection method, device, equipment, storage medium and program product |
- 2024-12-19: CN202411878793.7A, granted as CN119696904B, status Active
Non-Patent Citations (1)
| Title |
|---|
| A Temporal Convolutional Network-based Approach for Network Intrusion Detection; Rukmini Nazre et al.; 2024 International Conference on Integrated Intelligence and Communication Systems (ICIICS); 2024-12-23; full text * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119696904A (en) | 2025-03-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Zebin et al. | | An explainable AI-based intrusion detection system for DNS over HTTPS (DoH) attacks |
| JP7373611B2 (en) | | Log auditing methods, equipment, electronic equipment, media and computer programs |
| CN113452700B (en) | | Method, device, equipment and storage medium for processing safety information |
| Dawabsheh et al. | | An enhanced phishing detection tool using deep learning from URL |
| WO2024098699A1 (en) | | Entity object thread detection method and apparatus, device, and storage medium |
| CN117061216A (en) | | Automatic blocking method, device, equipment and storage medium for network attack |
| Chen et al. | | An efficient network intrusion detection model based on temporal convolutional networks |
| CN111669385A (en) | | A Malicious Traffic Monitoring System Integrating Deep Neural Networks and Hierarchical Attention Mechanisms |
| CN119030795A (en) | | A server security risk assessment system and method based on big data |
| CN118432897A (en) | | Flow abnormity detection method, system, equipment and medium based on flow clustering |
| CN115589339B (en) | | Network attack type identification method, device, equipment and storage medium |
| CN117609862A (en) | | A method, device, equipment and medium for determining the abnormality level of power grid data |
| CN110955890B (en) | | Method and device for detecting malicious batch access behaviors and computer storage medium |
| CN115189963A (en) | | Abnormal behavior detection method and device, computer equipment and readable storage medium |
| CN119696904B (en) | | Deep learning DDoS detection method based on feature distribution test |
| CN117149486B (en) | | Alarm and root cause positioning method, model training method, device, equipment and medium |
| CN116915463B (en) | | Call chain data security analysis method, device, equipment and storage medium |
| CN119011190A (en) | | Abnormal flow detection method and related equipment |
| CN119814421B (en) | | Network abnormal flow detection method based on feature screening |
| CN115941295A (en) | | Abnormal network behavior detection method and device |
| CN115037791A (en) | | Event pushing method, device and system, electronic equipment and storage medium |
| Kaaniche et al. | | Efficient hybrid model for intrusion detection systems |
| Jahromy et al. | | A new method for detecting network intrusion by using a combination of genetic algorithm and support vector machine classifier |
| Roponena et al. | | Netflow anomaly detection dataset creation for traffic analysis |
| Dunaev et al. | | Logs analysis to search for anomalies in the functioning of large technology platforms |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |