Distributed denial of service attack recognition based on bag of words model

doi:10.11772/j.issn.1001-9081.2017.06.1644

Journal of Computer Applications ›› 2017, Vol. 37 ›› Issue (6): 1644-1649.DOI: 10.11772/j.issn.1001-9081.2017.06.1644

Previous Articles Next Articles

Distributed denial of service attack recognition based on bag of words model

MA Linjin^1,2, WAN Liang^1,2, MA Shaoju¹, YANG Ting¹, YI Huifan¹

1. College of Computer Science and Technology, Guizhou University, Guiyang Guizhou 550025, China;
2. Institute of Computer Software and Theory, Guizhou University, Guiyang Guizhou 550025, China

Received:2016-11-08 Revised:2017-01-06 Online:2017-06-10 Published:2017-06-14
Supported by:
This work is partially supported by the Guizhou Provincial Science Department Project (KEHE LH[2014]7634, KEHE J[2011]2328).

基于词袋模型的分布式拒绝服务攻击检测

马林进^1,2, 万良^1,2, 马绍菊¹, 杨婷¹, 易辉凡¹

1. 贵州大学计算机科学与技术学院, 贵阳 550025;
2. 贵州大学计算机软件与理论研究所, 贵阳 550025

通讯作者: 万良
作者简介:马林进(1991-),男,浙江台州人,硕士研究生,主要研究方向:信息安全、模式识别、异常流量检测、分布式拒绝服务攻击检测;万良(1974-),男,贵州铜仁人,教授,博士,CCF会员,主要研究方向:信息安全、形式化方法、机器学习、智能家居;马绍菊(1991-),女,贵州毕节人,硕士研究生,CCF会员,主要研究方向:信息安全、App隐私保护;杨婷(1992-),女,贵州毕节人,硕士研究生,主要研究方向:信息安全、智能家居;易辉凡(1993-),男,贵州安顺人,硕士研究生,CCF会员,主要研究方向:信息安全、形式化方法。
基金资助:
贵州省科学基金资助项目（黔科合LH字[2014]7634号，黔科合J字[2011]2328号）。

Abstract

Abstract: The payload of Distribute Denial of Service (DDoS) attack changes drastically, the manual intervention of setting warning threshold relies on experience and the signature of abnormal traffic updates not timely, an improved DDoS attack detection algorithm based on Binary Stream Point Bag of Words (BSP-BoW) model was proposed. The Stream Point (SP) was extracted automatically from current network traffic data, the adaptive anomaly detection was carried out for different topology networks, and the labor cost was reduced by decreasing frequently updated feature set. Firstly, the mean clustering was carried out for the existing attack traffic and normal traffic to look for SP in the network traffic. Then, the original traffic was mapped to the corresponding SP for formalized expression by histogram. Finally, the DDoS was detected and classified by Euclidean distance. The experimental results on public database DARPA LLDOS1.0 show that, compared with Locally Weighted Learning (LWL), Support Vector Machine (SVM), Random Tree (RT), Logistic regression analysis (Logistic), Naive Bayes (NB), the proposed algorithm has higher recognition rate of abnormal network traffic. The proposed algorithm based on BoW model has the good recognition effect and generalization ability in abnormal network traffic recognition of denial of service attack, which is suitable for the deployment in the Small Medium Enterprise (SME) network traffic equipment.

Key words: Bag of Words (BoW), machine learning, clustering, Distributed Denial of Service (DDoS) attack, anomaly traffic detection, Stream Point (SP)

摘要： 针对分布式拒绝服务（DDoS）攻击有效荷载快速变化，人工干预需要依赖经验设定预警阈值以及异常流量特征码更新不及时等问题，提出一种基于二进制流量关键点词袋（BSP-BoW）模型的DDoS攻击检测算法。该算法可以自动从当前网络的流量数据中训练得到流量关键点（SP），针对不同拓扑网络进行自适应异常检测，减少频繁更新特征集带来的人工成本。首先，对已有的攻击流量和正常流量进行均值聚类，寻找网络流量中的SP；然后，将原有的流量转化映射到相应SP上使用直方图进行形式化表达；最后，通过欧氏距离进行DDoS攻击的分类检测。在公开数据库DARPA LLDOS1.0上的实验结果表明，所提算法的异常网络流量识别率优于现有的局部加权学习（LWL）、支持向量机（SVM）、随机树（Random Tree）、logistic回归分析（logistic）、贝叶斯（NB）等方法。所提的基于词袋聚类模型算法在拒绝服务攻击的异常流量识别中有很好的识别效果和泛化能力，适合部署在中小企业（SME）网络流量设备上。

关键词: 词袋, 机器学习, 聚类, 分布式拒绝服务攻击, 异常流量识别, 流量关键点

CLC Number:

TP393.08

MA Linjin, WAN Liang, MA Shaoju, YANG Ting, YI Huifan. Distributed denial of service attack recognition based on bag of words model[J]. Journal of Computer Applications, 2017, 37(6): 1644-1649.

马林进, 万良, 马绍菊, 杨婷, 易辉凡. 基于词袋模型的分布式拒绝服务攻击检测[J]. 计算机应用, 2017, 37(6): 1644-1649.

References

[1] SUN C H, FAN J D, LIU B. A robust scheme to detect SYN flooding attacks[C]//CHINACOM'07:Proceedings of the 2007 Second International Conference on Communications and Networking in China. Piscataway, NJ:IEEE, 2007:397-401.
[2] YU S, GUO S, STOJMENOVIC I. Can we beat legitimate cyber behavior mimicking attacks from botnets?[C]//INFOCOM'12:Proceedings of the 2012 31st Annual IEEE International Conference on Computer Communications. Piscataway, NJ:IEEE, 2012:2851-2855.
[3] 顾晓清,王洪元,倪彤光,等.基于时间序列分析的应用层 DDoS 攻击检测[J].计算机应用,2013,33(8):2228-2231.(GU X Q, WANG H Y, NI T G, et al Detection of application-layer DDoS attack based on time series analysis[J]. Journal of Computer Applications, 2013, 33(8):2228-2231.)
[4] LU L F, HUANG M L, ORGUN M A, et al. An improved wavelet analysis method for detecting DDoS attacks[C]//NSS'10:Proceedings of the 2010 4th International Conference on Network and System Security. Piscataway, NJ:IEEE, 2010:318-322.
[5] 许晓东,朱士瑞,孙亚民.基于分形特性的宏观网络流量异常分析[J].通信学报,2009,30(9):43-53.(XU X D, ZHU S Y, SUN Y M. Anomaly detection algorithm based on fractal characteristics of large-scale network traffic[J]. Journal on Communications, 2009, 30(9):43-53.)
[6] 冶晓隆,兰巨龙,郭通.基于主成分分析禁忌搜索和决策树分类的异常流量检测方法[J].计算机应用,2013,33(10):2846-2850.(YE X L, LAN J L, GUO T. Network anomaly detection method based on principle component analysis and tabu search and decision tree classification[J]. Journal of Computer Applications, 2013, 33(10):2846-2850.)
[7] LEE S M, KIM D S, LEE J H, et al. Detection of DDoS attacks using optimized traffic matrix[J]. Computers & Mathematics with Applications, 2012, 63(2):501-510.
[8] YASAMI Y, FARAHMAND M, ZARGARI V. An ARP-based anomaly detection algorithm using hidden Markov model in enterprise networks[C]//ICSNC 2007:Proceedings of the 2007 Second International Conference on Systems and Networks Communications. Piscataway, NJ:IEEE, 2007:69.
[9] 王宇,余顺争.网络流量的决策树分类[J].小型微型计算机系统,2009,30(11):2150-2156.(WANG Y, YU S Z. Internet traffic classification based on decision tree[J]. Journal of Chinese Computer Systems, 2009, 30(11):2150-2156.)
[10] 胡石,李光辉,卢文伟,等.基于神经网络的无线传感器网络异常数据检测方法[J].计算机科学,2014,41(11A):208-211.(HU S, LI G H, LU W W, et al. Outlier detection methods based on neural network in wireless sensor networks[J]. Computer Science, 2014, 41(11A):208-211.)
[11] 李向军,张华薇,郑思维,等.基于相对邻域熵的直推式网络异常检测算法[J].计算机工程,2015,41(8):132-139.(LI X J, ZHANG H W, ZHENG S W, et al. Transductive network anomaly detection algorithm based on relative neighborhood entropy[J]. Computer Engineering, 2015, 41(8):132-139.)
[12] SELIYA N, KHOSHGOFTAAR T M. Active learning with neural networks for intrusion detection[C]//IRI 2010:Proceedings of the 2010 IEEE International Conference on Information Reuse and Integration. Piscataway, NJ:IEEE, 2010:49-54.
[13] 王宇新,郭禾,何昌钦,等.用于图像场景分类的空间视觉词袋模型[J].计算机科学,2011,38(8):265-268.(WANG Y X, GUO H, HE C Q, et al. Bag of spatial visual words model for scene classification[J]. Computer Science, 2011, 38(8):265-268.)
[14] QIU Q, CAO Q X, ADACHI M. Filtering out background features from BoF representation by generating fuzzy signatures[C]//iFUZZY 2014:Proceedings of the 2014 International Conference on Fuzzy Theory and Its Applications. Piscataway, NJ:IEEE, 2014:14-18.
[15] MA L J, WANG H J. A new method for wood recognition based on blocked HLAC[C]//ICNC 2012:Proceedings of the 2012 Eighth International Conference on Natural Computation. Piscataway, NJ:IEEE, 2012:40-43.
[16] 吴夙慧,成颖,郑彦宁,等.K-means 算法研究综述[J].现代图书情报技术,2011,27(5):28-35.(WU S H, CHENG Y, ZHENG Y N, et al. Survey on K-means algorithm[J]. New Technology of Library and Information Service, 2011, 27(5):28-35.)

Distributed denial of service attack recognition based on bag of words model

基于词袋模型的分布式拒绝服务攻击检测

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

[1]	CHEN Hengheng, NI Zhiwei, ZHU Xuhui, JIN Yuanyuan, CHEN Qian. Differential privacy high-dimensional data publishing method via clustering analysis [J]. Journal of Computer Applications, 2021, 41(9): 2578-2585.
[2]	GUO Mian, ZHANG Jinyou. Computation offloading policy for machine learning in mobile edge computing environments [J]. Journal of Computer Applications, 2021, 41(9): 2639-2645.
[3]	MAO Mingze, CAO Ruihao, YAN Chungang. Semi-supervised classification algorithm based on weight diversity [J]. Journal of Computer Applications, 2021, 41(9): 2473-2480.
[4]	QIN Binbin, PENG Liangkang, LU Xiangming, QIAN Jiangbo. Research progress on driver distracted driving detection [J]. Journal of Computer Applications, 2021, 41(8): 2330-2337.
[5]	ZENG Xiangyin, ZHENG Bochuan, LIU Dan. Detection of left and right railway tracks based on deep convolutional neural network and clustering [J]. Journal of Computer Applications, 2021, 41(8): 2324-2329.
[6]	ZHU Cheng, ZHAO Xiaoqi, ZHAO Liping, JIAO Yuhong, ZHU Yafei, CHENG Jianying, ZHOU Wei, TAN Ying. Classification of functional magnetic resonance imaging data based on semi-supervised feature selection by spectral clustering [J]. Journal of Computer Applications, 2021, 41(8): 2288-2293.
[7]	DAI Yanran, DAI Guoqing, YUAN Yubo. Multi-face foreground extraction method based on skin color learning [J]. Journal of Computer Applications, 2021, 41(6): 1659-1666.
[8]	WANG Jiarui, TAN Guoping, ZHOU Siyuan. Clustered wireless federated learning algorithm in high-speed internet of vehicles scenes [J]. Journal of Computer Applications, 2021, 41(6): 1546-1550.
[9]	WANG Zhihe, CHANG Xiaoqing, DU Hui. Adaptive affinity propagation clustering algorithm based on universal gravitation [J]. Journal of Computer Applications, 2021, 41(5): 1337-1342.
[10]	LI Guorong, YE Jimin, ZHEN Yuanting. Time series clustering based on new robust similarity measure [J]. Journal of Computer Applications, 2021, 41(5): 1343-1347.
[11]	MA Jianhong, CAO Wenbin, LIU Yuangang, XIA Shuang. Patent clustering method based on functional effect [J]. Journal of Computer Applications, 2021, 41(5): 1361-1366.
[12]	LI Xingfeng, HUANG Yuqing, REN Zhenwen, LI Yihong. Robust multi-view clustering algorithm based on adaptive neighborhood [J]. Journal of Computer Applications, 2021, 41(4): 1093-1099.
[13]	LONG Chaoqi, JIANG Yu, XIE Yu. Improved wavelet clustering algorithm based on peak grid [J]. Journal of Computer Applications, 2021, 41(4): 1122-1127.
[14]	ZOU Zhiwen, QIN Cheng. Method of dynamically constructing spatial topic R-tree based on k-means++ [J]. Journal of Computer Applications, 2021, 41(3): 733-737.
[15]	JIANG Qianyu, WANG Fengying, JIA Lipeng. Malware detection method based on perceptual hash algorithm and feature fusion [J]. Journal of Computer Applications, 2021, 41(3): 780-785.