1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China
2. School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049, China
About the authors:
Jing ZHAO (1987- ), female, born in Wuwei, Gansu; Ph.D., senior engineer at the Computer Network Information Center, Chinese Academy of Sciences. Main research interests: cyberspace security, information security, computer networks.
Jun LI (1968- ), male, born in Tongcheng, Anhui; Ph.D., deputy chief engineer at the Computer Network Information Center, Chinese Academy of Sciences. Main research interests: Internet architecture, artificial intelligence and big data applications, Internet security.
Chun LONG (1979- ), male, born in Guangshui, Hubei; Ph.D., professor-level senior engineer at the Computer Network Information Center, Chinese Academy of Sciences. Main research interests: intelligent dynamic network security assurance, security big data mining and analysis, management and control of cloud computing and mobile Internet security incidents.
Wei WAN (1982- ), male, born in Xiaogan, Hubei; Ph.D., senior engineer at the Computer Network Information Center, Chinese Academy of Sciences. Main research interests: AI-based network security anomaly detection, security big data analysis.
Jinxia WEI (1987- ), female, born in Qinhuangdao, Hebei; Ph.D., senior engineer at the Computer Network Information Center, Chinese Academy of Sciences. Main research interests: network security big data analysis, intelligent detection of network security threats, AI-based highly covert large-scale complex network attacks.
Kai CHEN (1997- ), male, born in Zibo, Shandong; master's student at the Computer Network Information Center, Chinese Academy of Sciences. Main research interests: cyberspace security, network intrusion detection.
Online publication date: 2022-09
Print publication date: 2022-09-25
Citation: Jing ZHAO, Jun LI, Chun LONG, et al. Unsupervised detection method of RoQ covert attacks based on multilayer features[J]. Journal on Communications, 2022, 43(9): 224-239. DOI: 10.11959/j.issn.1000-436x.2022166.
Abstract: RoQ (reduction of quality) attacks hide in massive background traffic and are difficult to identify, and the existing attack samples are too scarce to provide large-scale learning data. To address these two problems, an unsupervised detection method for RoQ covert attacks based on multilayer features was proposed that requires very little prior knowledge. First, since most normal traffic would interfere with the subsequent analysis, a traffic screening method based on semi-supervised spectral clustering was studied using flow-level features, so that the proportion of normal samples in the filtered-out traffic is close to 100%. Second, in order to find the subtle differences between covert attack features and normal traffic without relying on attack samples, an unsupervised detection model based on n-Shapelet subsequences was constructed from time-series packet-level features; local features with clear discriminative power are used to tell these subtle differences apart, which enables the detection of RoQ covert attacks. Experimental results show that, with only a small number of learning samples, the proposed method achieves higher precision and recall than existing methods and is robust to evasion attacks.