A DDoS attack detection method based on HMM time series prediction and chaos model  (Cited by: 4)


Authors: DONG Zhe; TANG Xiang-yan [1]; CHENG Jie-ren [1,2]; ZHANG Chen; LIN Fu-sheng (College of Information Science and Technology, Hainan University, Haikou 570228; State Key Laboratory of Marine Resource Utilization in South China Sea, Hainan University, Haikou 570228, China)

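Affiliations: [1] College of Information Science and Technology, Hainan University, Haikou 570228, Hainan; [2] State Key Laboratory of Marine Resource Utilization in South China Sea, Haikou 570228, Hainan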

Source: Computer Engineering & Science, 2018, No. 12, pp. 2164-2172 (9 pages)

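Funding: Natural Science Foundation of Hainan Province (617048; 2018CXTD333); National Natural Science Foundation of China (61762033; 61702539); Natural Science Foundation of Hunan Province (2018JJ3611); Zhejiang Province Public Welfare Technology Application Social Development Project (LGF18F020019); Hainan University Doctoral Start-up Fund (kyqd1328); Hainan University Youth Fund (qnjj14444); supported by the State Key Laboratory of Marine Resource Utilization in South China Sea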

Abstract: The distributed denial of service (DDoS) attack is one of the most destructive attacks in the network environment. Existing attack detection methods based on machine learning often feed the feature values of a single moment directly into a classifier, without taking into account the correlation between the features of adjacent moments, so their false positive rate and false negative rate are high. We propose a DDoS attack detection method based on hidden Markov model (HMM) time series prediction and a chaos model. To address the burstiness of large-scale attack traffic, we first define the network traffic weighted feature (NTWF) and the network flow average rate (NFAR) as a two-tuple to describe the characteristics of network traffic. We then use a hierarchical clustering algorithm to classify the training set and obtain the hidden layer state (HLS) sequence. Using the NTWF sequence and the HLS sequence, we train the HMM by supervised learning to obtain the state transition matrix and the confusion matrix, which are used to predict the NTWF sequence. Finally, we analyze the prediction error of the NTWF sequence with the chaos model and combine the result with NFAR-based rules to identify attack behavior. Experimental results show that, compared with similar methods, the proposed method has a lower false positive rate and false negative rate.

Keywords: distributed denial of service; attack detection; hidden Markov model; chaos analysis; time series

Classification number: TP393.081 [Automation and Computer Technology: Computer Application Technology]

 
