A Novel DDoS Attack Detection Method Using Optimized Generalized Multiple Kernel Learning

Distributed Denial of Service (DDoS) attack has become one of the most destructive network attacks which can pose a mortal threat to Internet security. Existing detection methods cannot effectively detect early attacks. In this paper, we propose a detection method of DDoS attacks based on generalized multiple kernel learning (GMKL) combining with the constructed parameter R. The super-fusion feature value (SFV) and comprehensive degree of feature (CDF) are defined to describe the characteristic of attack flow and normal flow. A method for calculating R based on SFV and CDF is proposed to select the combination of kernel function and regularization paradigm. A DDoS attack detection classifier is generated by using the trained GMKL model with R parameter. The experimental results show that kernel function and regularization parameter selection method based on R parameter reduce the randomness of parameter selection and the error of model detection, and the proposed method can effectively detect DDoS attacks in complex environments with higher detection rate and lower error rate.     

Novel DDoS Feature Representation Model Combining Deep Belief Network and Canonical Correlation Analysis

Distributed denial of service (DDoS) attacks launch more and more frequently and are more destructive. Feature representation as an important part of DDoS defense technology directly affects the efficiency of defense. Most DDoS feature extraction methods cannot fully utilize the information of the original data, resulting in the extracted features losing useful features. In this paper, a DDoS feature representation method based on deep belief network (DBN) is proposed. We quantify the original data by the size of the network flows, the distribution of IP addresses and ports, and the diversity of packet sizes of different protocols and train the DBN in an unsupervised manner by these quantified values. Two feedforward neural networks (FFNN) are initialized by the trained deep belief network, and one of the feedforward neural networks continues to be trained in a supervised manner. The canonical correlation analysis (CCA) method is used to fuse the features extracted by two feedforward neural networks per layer. Experiments show that compared with other methods, the proposed method can extract better features.     

DDoS attack protection in the era of cloud computing and Software-Defined Networking

Cloud computing has become the real trend of enterprise IT service model that offers cost-effective and scalable processing. Meanwhile, Software-Defined Networking (SDN) is gaining popularity in enterprise networks for flexibility in network management service and reduced operational cost. There seems a trend for the two technologies to go hand-in-hand in providing an enterprise’s IT services. However, the new challenges brought by the marriage of cloud computing and SDN, particularly the implications on enterprise network security, have not been well understood. This paper sets to address this important problem.We start by examining the security impact, in particular, the impact on DDoS attack defense mechanisms, in an enterprise network where both technologies are adopted. We find that SDN technology can actually help enterprises to defend against DDoS attacks if the defense architecture is designed properly. To that end, we propose a DDoS attack mitigation architecture that integrates a highly programmable network monitoring to enable attack detection and a flexible control structure to allow fast and specific attack reaction. To cope with the new architecture, we propose a graphic model based attack detection system that can deal with the dataset shift problem. The simulation results show that our architecture can effectively and efficiently address the security challenges brought by the new network paradigm and our attack detection system can effectively report various attacks using real-world network traffic.     

DDoS攻击检测研究综述

DDoS攻击作为当前网络安全最严重的威胁之一,近年来随着僵尸网络的盛行,其攻击影响日趋扩大,因此对DDoS攻击进行检测变得尤为重要。本文按照攻击层次和检测位置的不同,对于不同的DDoS攻击检测方法给出了详细的分类,同时在此基础上对各类检测方法进行分析和性能比较,明确了各种检测方法的特点和应用范围,最后讨论了当前攻击检测存在的问题及进一步研究的方向。     

Web应用防火墙的设计与实现

大部分Web应用都存在安全漏洞从而为攻击者提供了一扇攻击的大门,并且传统安全设备如网络防火墙、入侵检测系统只能保护开放系统互连（OSI）参考模型的较低层,并不能有效防御应用层的攻击。在分析了主流的Web应用层的攻击方法后提出一个Web应用防火墙的整个实现架构和一些过滤策略。Web应用防火墙用Python实现,经测试,可以有效地阻止各种恶意的攻击,如SQL注入、跨站脚本攻击和应用层拒绝服务攻击。     

基于人工免疫的分布式入侵检测模型

针对现有分布式入侵检测系统交互流量大、单点失效及检测效率偏低的问题,基于人工免疫理论建立了一种新的分布式入侵检测模型,并提出了一种中心检测器配置及使用方法,并将异常检测与误用检测相结合。基于OMNeT+〖KG-*3〗+网络仿真平台设计了仿真模型,进行了仿真实验。仿真实验结果表明,改进模型交互流量明显减小,检测效率明显提高并有效解决了单点失效问题。仿真结果证明了改进模型的正确性与有效性。     

DNS服务器的DDoS攻击检测系统的研究

建立一个针对DNS服务器DDoS攻击的检测系统,该系统采集DNS服务器端的网络数据,并从中提取出6个特征属性作为流量特征记录;利用经过遗传优化的BP网络建立检测模型,对流量特征记录进行检测;输出检测结果。通过实验结果可以看到利用提取的流量特征属性值,该系统能有效检测到DDoS攻击行为;而且比标准BP算法建立的检测模型具有更好的训练性能和更高的检测准确率。     

一种新的IP溯源追踪方案

在匿名DDoS攻击源追踪算法中,Savage等人提出的压缩边分段采样算法（CEFS）以其高效性和灵活性成为业内关注的焦点,但是该算法在重构路径时所需数据包数﹑分片组合次数方面存在不足。针对这些问题提出一种基于CEFS改进的算法,只需两个有效的分片就可以进行溯源,同时利用路由器身份标识字段减少了重构路径时分段的组合数,提高了溯源的时效性,理论分析和实验结果证明了该方案的有效性。     

DDoS detection based on wavelet kernel support vector machine

To enhance the detection accuracy and deduce false positive rate of distributed denial of service （DDoS） attack detection, a new machine learning method was proposed. With the analysis of support vector machine （SVM） and the wavelet kernel function theory, an admissive support vector kernel, which is a wavelet kernel constructed in this article, implements the combination of the wavelet technique with SVM. Then, wavelet support vector machine （WSVM） is applied to DDoS attack detections and as a classifying means to test the validity of the wavelet kernel function. Simulation experiments show that under the same conditions, the predictive ability of WSVM is improved and the computation burden is alleviated. The detection accuracy of WSVM is higher than the traditional SVM by about 4%, while its false positive is lower than the traditional SVM. Thus, for DDoS detections, WSVM shows better detection performance and is more adaptive to the changing network environment.     

防御DDoS攻击的包标记联合部署方案

提出了一种新的结合确定包标记和路径标识的方案,其在源边界路由器以概率形式选择执行确定性包标记或路径标识。该方案以下游网络拥塞程度和路径追溯结果为依据,动态调整数据包标记操作,并在受害主机处根据不同的标记策略采取不同的防御措施。基于大规模权威因特网拓扑数据集的仿真实验表明,该方案防御效果较好,能有效减轻受害主机遭受DDoS攻击的影响。