一种增量式GHSOM算法在DDoS攻击检测中的应用

Incremental GHSOM algorithm for DDoS attack detection

分布式拒绝服务(distributed denial of service,DDoS)攻击自出现以来一直是全球互联网网络安全的重要威胁之一。目前很多DDoS攻击检测方法虽然对已知类型攻击具有较高的检测率,但是不能有效识别新的攻击类型,无法应对DDoS攻击形式变化多和快的特点。为了准确检测出DDoS攻击,同时使检测模型具有良好的自适应性、扩展性和较低的更新代价,以应对层出不穷的DDoS攻击,提出了一种综合考虑网络流量双向特征、固定特征和统计特征,采用增量式GHSOM(Growing Hierarchical Self-Organizing Maps)神经网络算法的DDoS攻击检测方法。首先,根据DDoS攻击流量的特点提取流量特征,组成流量八元组联合特征,然后利用增量式GHSOM神经网络算法进行异常流量分析,最后,通过实验验证检测方法的有效性。实验结果表明,提出的DDoS攻击检测方法不仅能够有效检测出已知类型的DDoS攻击,而且能够实现对检测模型的在线动态更新,对于新出现的DDoS攻击类型,具有相同的检测率。

Distributed denial of service(DDoS)attacks have been one of the important threats to global Internet network security since their emergence.At present,although many current DDoS attack detection methods have a high detection rate for known types of attacks,but they cannot effectively identify new types of attacks and cope with the characteristics of the DDoS attack changing and rapid changes.To accurately detect DDoS attacks,while making the detection model have good adaptability,scalability and low update costin response to emerge in endlessly DDoS attacks,a DDoS attack detection method using incremental growing hierarchical self-organizing map(GHSOM)neural network algorithm and comprehensive consideration of the bidirectional characteristics,fixed characteristics and statistical characteristics of network traffic is proposed.Firstly,according to the characteristics of the network attack traffic,the traffic 8-tuple union feature is extracted.Then,the incremental GHSOM neural network algorithm is used to analyze the abnormal traffic.Finally,the validity of the detection method is verified by the experiments.Experimental results show that the proposed DDoS attack detection method can detect known types of DDoS attacks effectively and realize the online dynamic update of the detection model.The newly detected DDoS attack types have the same detection rate.