基于组合相关度的随机森林DDoS攻击检测方法

DDoS Attack Detection Method Based on Combination Correlation Degree and Random Forest

提出了一种基于组合相关度的随机森林(random forest,RF) DDoS攻击检测方法.根据攻击流的非对称性和半交互性定义网络流组合相关度(combination correlation degree,CCD),该相关度以地址相关统计(address correla-tion statistics,ACS)特征以及单向流半交互度(unidirectional flow semi interaction,UFSI)二元组来描述网络流的特点.然后提出基于CCD特征序列的遗传算法对RF中决策树的最大数量和最大深度两个关键参数进行优化,对参数优化的RF模型进行训练以生成分类模型来检测攻击.实验结果表明,与同类方法相比,该方法具有较高的准确率、较低的误报率和漏报率及较好的鲁棒性,适用于大数据下检测DDoS攻击.

A DDoS attack detection method based on combination correlation and random forest( RF)was proposed. The network flow combination correlation degree( CCD) was defined based on the nonsymmetric and the semi-double interaction characterizes of attack flow;and the two tuples form of address correlation statistics( ACS) and unidirectional flow semi interaction( UFSI) was used as the feature of the network flow in CCD. Then the genetic algorithm with the CCD feature sequences was used for the optimization of two key parameters of the decision tree in the RF,namely,the number of maximum trees and the maximum depth of the decision tree. And the RF model within optimized parameters was applied to train the classification model which could be used for the DDoS attack detection. The experiment suggested that the proposed method was suitable for detecting the DDoS attack in big data environment with higher accuracy rate,lower false alarm rate,and missing alarm rate compared with existing DDoS attack detection methods.