Journal of Computer Applications ›› 2019, Vol. 39 ›› Issue (7): 1973-1978.DOI: 10.11772/j.issn.1001-9081.2019010017

• Cyber security • Previous Articles     Next Articles

Hidden semi-Markov model-based approach to detect DDoS attacks in application layer of SWIM system

MA Lan<sup>1</sup>, CUI Bohua<sup>2</sup>, LIU Xuan<sup>2</sup>, YUE Meng<sup>2</sup>, WU Zhijun<sup>2</sup>   

  1. 1. School of Air Traffic Management, Civil Aviation University of China, Tianjin 300300, China;
    2. School of Electronic Information and Automation, Civil Aviation University of China, Tianjin 300300, China
  • Received:2019-01-07 Revised:2019-03-05 Online:2019-07-10 Published:2019-04-15
  • Supported by:

    This work is partially supported by the National Science Foundation for Young Scientists of China (61601467), the Major Program of Natural Science Foundation of Tianjin (17JCZDJC30900), the Fundamental Research Funds for the Central Universities (3122018D007).

基于隐半马尔可夫模型的SWIM应用层DDoS攻击的检测方法

马兰1, 崔博花2, 刘轩2, 岳猛2, 吴志军2   

  1. 1. 中国民航大学 空中交通管理学院, 天津 300300;
    2. 中国民航大学 电子信息与自动化学院, 天津 300300
  • 通讯作者: 马兰
  • 作者简介:马兰(1966-),女,甘肃武威人,教授,博士,主要研究方向:空中交通管理信息与控制;崔博花(1992-),女,河北保定人,硕士研究生,主要研究方向:空中交通管理信息安全;刘轩(1992-),男,山东临沂人,硕士,主要研究方向:空中交通管理信息安全;岳猛(1984-),男,河北沧州人,副教授,博士,主要研究方向:云安全;吴志军(1965-),男,新疆库尔勒人,教授,博士,主要研究方向:网络与信息安全。
  • 基金资助:

    国家自然科学基金青年基金资助项目(61601467);天津市自然科学基金重点项目(17JCZDJC30900);中央高校基本科研业务费专项资金资助项目(3122018D007)。

Abstract:

Aiming at the problem that System Wide Information Management (SWIM) system is affected by Distributed Denial of Service (DDoS) attacks in the application layer, a detection approach of SWIM application layer DDoS attack based on Hidden Semi-Markov Model (HSMM) was proposed. Firstly, an improved forward-backward algorithm was adopted, and HSMM was used to establish dynamic anomaly detection model to dynamically track the browsing behaviors of normal SWIM users. Then, normal detection interval was obtained by learning and predicting normal SWIM user behaviors. Finally, access packet size and request time interval were extracted as features for modeling, and the model was trained to realize anomaly detection. The experimental results show that the detection rate of the proposed approach is 99.95% and 91.89% in the case of attack 1 and attack 2 respectively. Compared with the HSMM constructed by fast forward-backward algorithm, the detection rate is improved by 0.9%. It can be seen that the proposed approach can effectively detect the application layer DDoS attacks of SWIM system.

Key words: System Wide Information Management (SWIM), application-layer Distributed Denial of Service (DDoS), Hidden Semi-Markov Model (HSMM), SWIM user behavior, security analysis

摘要:

针对广域信息管理(SWIM)系统受到应用层分布式拒绝服务(DDoS)攻击的问题,提出了一种基于隐半马尔可夫模型(HSMM)的SWIM应用层DDoS攻击的检测方法。首先采用改进后的前向后向算法,利用HSMM建立动态异常检测模型动态地追踪正常SWIM用户的浏览行为;然后通过学习和预测正常SWIM用户行为得出正常检测区间;最后选取访问包的大小和请求时间间隔为特征进行建模,并训练模型进行异常检测。实验结果表明,所提方法在攻击1和攻击2情况下检测率分别为99.95%和91.89%,与快速前向后向算法构建的HSMM相比,检测率提升了0.9%。测试结果表明所提方法可以有效地检测SWIM系统应用层DDoS攻击。

关键词: 广域信息管理系统, 应用层分布式拒绝服务, 隐半马尔可夫模型, SWIM用户行为, 安全性分析

CLC Number: