基于混合深度学习的多类型低速率 DDoS 攻击检测方法

Multi-type low-rate DDoS attack detection method based on hybrid deep learning

低速率分布式拒绝服务攻击针对网络协议自适应机制中的漏洞实施攻击,对网络服务质量造成了巨大威胁,具有隐蔽性强、攻击速率低和周期性的特点。现有检测方法存在检测类型单一和识别精度低的问题,因此提出了一种基于混合深度学习的多类型低速率DDoS攻击检测方法。模拟不同类型的低速率DDoS攻击和5G环境下不同场景的正常流量,在网络入口处收集流量并提取其流特征信息,得到多类型低速率DDoS攻击数据集;从统计阈值和特征工程的角度,分别分析了不同类型低速率DDoS攻击的特征,得到了40维的低速率DDoS攻击有效特征集;基于该有效特征集采用CNN-RF混合深度学习算法进行离线训练,并对比该算法与LSTM-LightGBM和LSTM-RF算法的性能;在网关处部署CNN-RF检测模型,实现了多类型低速率DDoS攻击的在线检测,并使用新定义的错误拦截率和恶意流量检测率指标进行了性能评估。结果显示,在120 s的时间窗口下,所提方法能够在线检测出4种类型的低速率DDoS攻击,包括Slow Headers攻击、Slow Body攻击、Slow Read攻击和Shrew攻击,错误拦截率达到11.03%,恶意流量检测率达到96.22%。结果表明,所提方法能够显著降低网络入口处的低速率DDoS攻击流量强度,并在实际环境中部署和应用。

Low-Rate distributed denial of service(DDoS)attack attacks the vulnerabilities in the adaptive mechanism of network protocols,posing a huge threat to the quality of network services.Low-Rate DDoS attack was characterized by high secrecy,low attack rate,and periodicity.Existing detection methods have the problems of single detection type and low identification accuracy.In order to solve them,a multi-type low-rate DDoS attack detection method based on hybrid deep learning was proposed.Different types of low-rate DDoS attacks and normal traffic in different scenarios under 5G environment were simulated.Traffic was collected at the network entrance and its traffic characteristic information was extracted to obtain multiple types of low-rate DDoS attack data sets.From the perspective of statistical threshold and feature engineering,the characteristics of different types of low-rate DDoS attacks were analyzed respectively,and the effective feature set of 40-dimension low-rate DDoS attacks was obtained.CNN-RF hybrid deep learning algorithm was used for offline training based on the effective feature set,and the performance of this algorithm was compared with LSTM-Light GBM and LSTM-RF algorithms.The CNN-RF detection model was deployed on the gateway to realize the online detection of multiple types of low-rate DDoS attacks,and the performance was evaluated by using the newly defined error interception rate and malicious traffic detection rate indexes.The results show that the proposed method can detect four types of low-rate DDoS attacks online,including Slow Headers attack,Slow Body attack,Slow Read attack and Shrew attack,and the error interception rate reaches 11.03%in 120 s time window.The detection rate of malicious traffic reaches 96.22%.It can be judged by the results that the proposed method can significantly reduce the intensity of low-rate DDoS attack traffic at the network entrance,and can be deployed and applied in the actual environment.