Journal of Computer Applications, 2020, Vol. 40, Issue (10): 2973-2979. DOI: 10.11772/j.issn.1001-9081.2020020172

• Cyber security •

Slow HTTP DoS attack detection method based on one-dimensional convolutional neural network

CHEN Yi1,2, ZHANG Meijing1,2, XU Fajian1,2   

  1. Department of Computer and Information Security Management, Fujian Police College, Fuzhou Fujian 350007, China;
  2. Institute of Cyber Security and Electronic Material Evidence, Fujian Police College, Fuzhou Fujian 350007, China
  • Received: 2020-02-20 Revised: 2020-04-27 Online: 2020-10-10 Published: 2020-05-18
  • Supported by:
    This work is partially supported by the Surface Program of Natural Science Foundation of Fujian Province (2017J01514), the Youth Foundation of Humanities and Social Sciences of Ministry of Education (17YJC630213), the Education and Scientific Research Project for Young and Middle-aged Teachers in Fujian Province (JAT190440).

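  • Corresponding author: CHEN Yi
  • About the authors: CHEN Yi (born 1991), male, from Fuzhou, Fujian; teaching assistant, M.S., CCF member; main research interests: network security and data mining. ZHANG Meijing (born 1981), male, from Fuding, Fujian; associate professor, Ph.D., CCF member; main research interests: information fusion, data mining, and decision analysis. XU Fajian (born 1974), male, from Nanping, Fujian; associate professor, M.S.; main research interests: information security and electronic data forensics.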

Abstract: To address the drop in detection accuracy for Slow HTTP Denial of Service (SHDoS) attack traffic when the attack frequency changes, an SHDoS attack traffic detection method based on a one-dimensional Convolutional Neural Network (CNN) was proposed. First, message sampling and data stream extraction were performed on three types of SHDoS attack traffic under multiple attack frequencies. Then, a data stream conversion algorithm was designed to convert the collected attack data streams into one-dimensional sequences and remove duplicate sequences. Finally, a one-dimensional CNN was used to construct a classification model. The model extracts sequence fragments through its convolution kernels and learns the local patterns of attack samples from these fragments, which gives it the ability to detect attack data streams at multiple attack frequencies. Experimental results show that, compared with classification models based on Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM) network, and Bidirectional LSTM (Bi-LSTM) network respectively, the proposed model has advantages in detection performance on samples of unknown attack frequency, and its accuracy and precision on the validation set reach 96.76% and 94.13% respectively. The results indicate that the proposed method can meet the need to detect SHDoS traffic with different attack frequencies.

Key words: Slow HTTP Denial of Service (SHDoS) attack, malicious traffic detection, Convolutional Neural Network (CNN), deep learning, traffic classification

