Similar literature
18 similar documents found (search time: 125 ms)
1.
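Research on an LDoS attack detection method based on a small-signal detection model   Total citations: 2, self-citations: 0, citations by others: 2
Wu Zhijun, Pei Baosong. Acta Electronica Sinica, 2011, 39(6): 1456-1460
Low-rate Denial of Service (LDoS) is a new type of DoS attack targeting the TCP protocol. The average traffic of an LDoS attack is only 10-20% of normal traffic; it has a pronounced periodic small-signal characteristic and is highly stealthy. Detecting LDoS attacks has therefore become a difficult problem in network security research. Using digital signal processing (DSP) techniques and small-signal detection theory, this paper proposes an LDoS attack detection method based on a small-signal model. The method constructs an eigenvalue estimation matrix and counts the number of packets arriving within 30 seconds (3000 sampling points); the count is compared with a preset decision eigenvalue threshold to decide whether an LDoS attack is present. If the decision is positive, the period of the LDoS attack can be computed fairly accurately from the eigenvalue estimation matrix. Simulation results in the NS-2 environment show that the method achieves a high LDoS attack detection rate.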

2.
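Low-rate Denial of Service (LDoS) attacks are one of the greatest threats to today's big data centers and cloud computing platforms. This paper implements LDoS attacks on the NS2 simulation platform, builds an HMM from the TCP state machine model, and computes the weighted average of four congestion-control parameters of the TCP state machine; the resulting value is replaced by the NCPSD value, which serves as the basis for deciding whether an attack is present, thereby detecting LDoS attacks.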

3.
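A low-rate denial of service attack detection method based on signal cross-correlation   Total citations: 1, self-citations: 0, citations by others: 1
Wu Zhijun, Li Guang, Yue Meng. Acta Electronica Sinica, 2014, 42(9): 1760-1766
The Low-rate Denial of Service (LDoS) attack is an attack that exploits vulnerabilities in the TCP/IP protocols and uses dense periodic pulses. Addressing the timing relationship with which distributed LDoS attack pulses arrive at the target, this paper proposes a cross-correlation-based LDoS attack detection method. The method computes the correlation between a constructed detection sequence and the sampled network traffic sequence to obtain a correlation sequence, uses a cross-correlation algorithm based on circular convolution to compute the precise time at which attack pulses travelling over different transmission paths reach the specific attack target, estimates the period parameter of the LDoS attack with an aperiodic single-pulse prediction technique, extracts the correlation feature of the LDoS attack pulse duration, and designs decision threshold rules. Experimental results show that the LDoS attack detection method based on signal cross-correlation has good detection performance.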

4.
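Ma Xiaomin. Information Technology, 2022, (7): 121-125
With the aim of ensuring the security of digital library users' information, this paper studies a method for detecting malicious nodes in the information transmission channels of a digital library's public network. The network scenario is analyzed through its topology; node feature attributes are described by effective sending rate, forwarding rate, in-degree, and mean transmission delay, and a malicious-node attack model is built from these attributes. Based on the attack characteristics of malicious nodes, the running state of network nodes is comprehensively monitored and an observation sequence is constructed; a hidden semi-Markov model is then trained, and whether a node is malicious is decided from the entropy of the observation sequence with respect to the hidden semi-Markov model. Experimental results show that the method can effectively describe malicious-node attack behavior in the test subject and accurately detect malicious nodes.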

5.
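Research on the performance of low-rate denial of service (LDoS) attacks   Total citations: 1, self-citations: 0, citations by others: 1
Wu Zhijun, Yue Meng. Journal on Communications, 2008, 29(6): 87-93
The low-rate denial of service (LDoS) attack is a new type of periodic, pulse-based DoS attack. Based on the characteristics of LDoS attacks, the retransmission timeout (RTO) of normal TCP flows was estimated to simulate periodic LDoS attack traffic, and the performance of network targets under attack was tested. The study focuses on the change in throughput of two kinds of servers, Web and FTP, under LDoS attack. Experiments show that LDoS attacks are highly stealthy and highly destructive, and are more harmful than flood attacks; the results provide a basis for the detection of and defense against LDoS attacks.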

6.
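Traditional methods for detecting attacked active nodes in optical fiber networks are usually passive and can only analyze behavior after an attack has occurred, so the detected state values of attacked active nodes in the fiber network differ considerably from the actual values. This work therefore studies a hidden-Markov-based method for detecting attacked active nodes in optical fiber networks. First, the signals of the active nodes are denoised; feature vector matrices of the active nodes are generated from the data in the denoised signals, and the active-node features are fused. On this basis, a hidden Markov attack detection model is built to locate attacked active nodes. Experimental results show that the state values detected by this method are close to the actual values, with higher accuracy, and that the method has practical value.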

7.
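The low-rate denial of service (LDoS) attack, also known as the reduction of quality (RoQ) attack, is a new type of denial of service attack. It exploits a weakness in the TCP retransmission timeout mechanism by periodically sending short, high-rate bursts of attack packets to reduce TCP throughput; because the rate of the repeatedly sent LDoS attack packets is high, flows time out repeatedly, resulting in denial of service. Because the average rate is low, the attacker is still hard to discover even when TCP throughput drops; the attack is highly stealthy and difficult to detect. This paper proposes detection based on the intrinsic frequency-domain characteristics of LDoS attack traffic, improving the BP neural network to reduce the effect of "outlier" training samples on convergence speed, training on LDoS features and performing a combined diagnosis, thereby improving the detection rate and robustness of LDoS attack awareness.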

8.
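The effect of LDoS attacks on the average packet length in the buffer queue (ASPQ) is analyzed, and the change in the average packet length in the queue under attack is obtained experimentally. On this basis, an ASPQ-based LDoS attack detection method is proposed and applied to currently typical queue management algorithms (Droptail and RED). Finally, experiments demonstrate that the method can effectively detect LDoS attacks.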

9.
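The problem of recognizing one-dimensional time-series signals is studied. To address the low accuracy of hidden Markov model (HMM) encoding based on Gaussian mixture models, a method is proposed that builds a mixture support vector machine from multiple support vector machines, providing the HMM with more accurate observation encoding and emission matrices and effectively improving the accuracy of HMMs in speech or text recognition. The method can be applied to speech recognition, text recognition, biological information processing, and other fields.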

10.
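DDoS attacks based on page requests are more damaging than traditional massive-packet attacks and are hard to detect. Traditional detection methods include signature detection and analysis of Web page access behavior with hidden Markov models. In contrast to plaintext parsing and mathematical estimation, this work proposes identifying HTTP-GetFlood attacks by analyzing the similarity of user browsing behavior: the ratio of a user's page switches to browsing time represents the user's browsing behavior, and the values computed with this expression for different users are rarely equal. When a DDoS attack breaks out, the bots behave in a highly uniform way, so the repetition rate of browsing-behavior values is high, and an attack is declared when the rate exceeds a certain threshold.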

11.
Low-rate denial-of-service (LDoS) attack is a new type of attack mode for TCP protocol. Characteristics of low average rate and strong concealment make it difficult for detection by traditional DoS detecting methods. According to characteristics of LDoS attacks, a new LDoS queue feature was proposed from the router queue, the kernel principal component analysis (KPCA) method was combined with neural network, and a new method was presented to detect LDoS attacks. The method reduced the dimensionality of queue feature via KPCA algorithm and made the reduced dimension data as the inputs of neural network. For the good self-learning ability, BP neural network could generate a great LDoS attack classifier and this classifier was used to detect the attack. Experiment results show that the proposed approach has the characteristics of effectiveness and low algorithm complexity, which helps the design of high performance router.

12.
Low‐rate Denial of Service (LDoS) is a new type of TCP‐targeted attacks, which attempt to deny bandwidth to TCP flows while sending at sufficiently low‐average rate to elude detection of DoS defense system. Therefore, LDoS attacks are difficult to be detected by routers and counter‐DoS mechanisms. In this paper, an approach of detecting LDoS attacks is proposed by using the technology of signal processing based on the model of spectral energy distribution probability. The proposed approach calculates variances between the incoming traffic of normal TCP and attack flows to a server by using packet sampling sequence within a certain period. The network traffic is converted from the time domain to the frequency domain forming a spectral signal, and the distribution probability of spectral energy is estimated based on spectrum characteristics of rectangular pulses. This approach explores that the energy of LDoS attacks is mostly distributed in the main lobe width while that of normal TCP traffic is just concentrated near zero in frequency domain. Both the spectral energy of normal TCP traffic and LDoS attacks distributed in main lobe are calculated, and an energy threshold is set as decision value based on statistical results according to energy distribution properties. The existence of LDoS attacks is determined and detected by comparing calculated variances with the preset decision threshold value. Tests on the detection performance of the proposed approach were performed in NS‐2 simulation environment, and detection rate was obtained by Hypothesis test. Experiment results show that the proposed approach has higher detection accuracy and less computation consuming. Copyright © 2014 John Wiley & Sons, Ltd.

13.
LDoS (low-rate denial of service) attack is a kind of RoQ (reduction of quality) attack which has the characteristics of low average rate and strong concealment. These characteristics pose great threats to the security of cloud computing platform and big data center. Based on network traffic analysis, three intrinsic characteristics of LDoS attack flow were extracted to be a set of input to BP neural network, which is a classifier for LDoS attack detection. Hence, an approach of detecting LDoS attacks was proposed based on novel combined feature value. The proposed approach can speedily and accurately model the LDoS attack flows by the efficient self-organizing learning process of BP neural network, in which a proper decision-making indicator is set to detect LDoS attack in accuracy at the end of output. The proposed detection approach was tested in NS2 platform and verified in test-bed network environment by using the Linux TCP-kernel source code, which is a widely accepted LDoS attack generation tool. The detection probability derived from hypothesis testing is 96.68%. Compared with available researches, analysis results show that the performance of combined features detection is better than that of single feature, and has high computational efficiency.

14.
Low‐rate denial of service (LDoS) attacks reduce throughput and degrade quality of service (QoS) of network services by sending out attack packets with relatively low average rate. LDoS attack flows are difficult to detect from normal traffic since it has the property of low average rate. The research on network traffic analysis and modeling shows that network traffic measurement data are irregular nonlinear time series. To characterize and analyze network traffic between attack and non‐attack situations, the adaptive normal and abnormal ν‐support vector regression (ν‐SVR) prediction models are constructed on the basis of the reconstructed phase space. In this paper, the dimension of reconstructed phase space for ν‐SVR is optimized by Bayesian information criteria method, and the parameter in the radial basis function is adaptively adjusted by minimizing the within‐class distance and maximizing the between‐class distance in the feature space. The nonthreshold decision function is obtained through calculating the prediction error of adaptive normal and abnormal ν‐SVR prediction models, which is adopted to detect LDoS attacks. Experiments in NS‐2 environment show that the adaptive ν‐SVR prediction model can effectively predict the network traffic measurement time series, and the probability distribution of time series generated by the adaptive ν‐SVR prediction model is quite similar to that of the network traffic measurement data. Experiments also clearly demonstrate the superiority of the proposed approach in LDoS attacks detection.

15.
As a new type of Denial of Service (DoS) attacks, the Low-rate Denial of Service (LDoS) attacks make the traditional method of detecting Distributed Denial of Service Attack (DDoS) attacks useless due to the characteristics of a low average rate and concealment. With features extracted from the network traffic, a new detection approach based on multi-feature fusion is proposed to solve the problem in this paper. An attack feature set containing the Acknowledge character (ACK) sequence number, the packet size, and the queue length is used to classify normal and LDoS attack traffics. Each feature is digitalized and preprocessed to fit the input of the K-Nearest Neighbor (KNN) classifier separately, and to obtain the decision contour matrix. Then a posteriori probability in the matrix is fused, and the fusion decision index D is used as the basis of detecting the LDoS attacks. Experiments proved that the detection rate of the multi-feature fusion algorithm is higher than those of the single-based detection method and other algorithms.

16.
Low-rate denial of service (LDoS) attack is a potential security threat to big data centers and cloud computing platforms because of its strong concealment. Based on the analysis of network traffic during the LDoS attack, statistical analysis was given of ACK packets returned by the data receiver to the sender, and result reveals the sequence number step had the characteristics of volatility during the LDoS attack. The permutation entropy method was adopted to extract the characteristics of volatility. Hence, an LDoS attack detection method based on ACK serial number step permutation entropy was proposed. The serial number was sampled and the step length was calculated through collecting the ACK packets that received at the end of sender. Then, the permutation entropy algorithm with strong time-sensitive was used to detect the mutation step time, and achieve the goal of detecting LDoS attack. A test-bed was designed and built in the actual network environment for the purpose of verifying the proposed approach performance. Experimental results show that the proposed approach has better detection performance and has achieved better detection effect.

17.
Low‐rate denial‐of‐service (LDoS) attack sends out attack packets at low‐average rate of traffic flow in short time. It is stealthier than traditional DoS attack, which makes detection of LDoS extremely difficult. In this paper, an adaptive kernel principal component analysis method is proposed for LDoS attack detection. The network traffic flow is extracted through wavelet multi‐scale analysis. An adaptive kernel principal component analysis method is adopted to detect LDoS attack through the squared prediction error statistics. Key parameters such as the parameter of the radial basis function, the number of principal components, and the squared prediction error confidence limit are adaptively trained with training data and updated with the network environment. Simulation is accomplished in NS‐2 environment, and results prove the favorable LDoS attack detection efficiency by the proposed approach. Copyright © 2015 John Wiley & Sons, Ltd.

18.
As a special type of denial of service (DoS) attacks, the TCP‐targeted low‐rate denial of service (LDoS) attacks have the characteristics of low average rate and strong concealment, so it is difficult to identify such attack traffic. As multifractal characteristics exist in network traffic, a new identification approach based on wavelet transform and combined neural network is proposed to classify normal network traffic and LDoS attack traffic. Wavelet energy spectrum coefficients extracted from the sampled traffic are used for multifractal analysis of traffic over different time scale. The combined neural network is designed to classify these multiscale spectrum coefficients that show different multifractal characteristics belonging to normal network traffic and LDoS attack traffic. Test results of test‐bed experiments indicate that the proposed approach can identify LDoS attack traffic accurately.
