基于条件随机场的DDoS 攻击检测方法

近年来,基于机器学习算法的分布式拒绝服务(distributed denial-of-service,简称DDoS)攻击检测技术已取得了很大的进展,但仍存在一些不足:(1)不能充分利用蕴涵于标记和特征观测序列中的上下文信息;(2)对多特征的概率分布存在过强的假设.条件随机场模型具有融合利用上下文信息和多特征的能力,将其应用于DDoS检测,能够有效地弥补上述不足.提出了一种基于条件随机场的DDoS攻击检测方法:首先,定义流特征条件熵(traffic feature conditional entropy,简称TFCE)、行为轮廓偏离度(behavior profile deviate degree,简称BPDD)两组统计量,对TCPflood,UDP flood,ICMP flood这3类攻击的特点进行描述;然后以此为基础,使用条件随机场,通过对其有效训练,分别为3类攻击建立分类模型;最后,通过对模型的有效训练,应用模型推断来完成对DDoS攻击的检测.实验结果表明,该方法能够充分发挥条件随机场模型的优势,准确区分正常流量和攻击流量,与同类方法相比,具有更好的抗背景流量干扰的能力.

Detection Approach of DDoS Attacks Based on Conditional Random Fields

In recent years,the detection technology based on machine learning algorithms for distributed denial-of-service(DDoS) attacks has made great progress.However,there are still some deficiencies,which are:(1) being unable to make full use of contextual information in both the label and observed features series;(2) making too strong assumptions on the probability distribution of multiple features.Featured with the strong capability in integrating and exploiting contextual information and multiple features,the c...