Authors: ZHOU Yi-tao (周奕涛); ZHANG Bin (张斌) [1,2]; LIU Zi-hao (刘自豪)
Affiliations: [1] SSF (Strategic Support Force) Information Engineering University, Zhengzhou, Henan 450001, China; [2] Henan Key Laboratory of Information Security, Zhengzhou, Henan 450001, China; [3] No. 61660 Troop, Beijing 100080, China
Source: Acta Electronica Sinica (《电子学报》), 2022, No. 2, pp. 508-512 (5 pages)
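Funding: Open Fund of the Key Laboratory of Information Assurance Technology (No. KJ-15-109); Emerging Research Direction Cultivation Fund of Information Engineering University (No. 2016604703); Research Project of Information Engineering University (No. 2019f3303).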
Abstract: To further improve the accuracy of application-layer DDoS attack detection, an application-layer DDoS attack detection model is proposed that combines traffic and user behavior features and whose model parameters can be updated efficiently. To handle the heterogeneous data of traffic and user behavior features in a unified way, a multimodal deep learning (MDL) neural network extracts deep traffic and user behavior features from data traffic and web logs, and these features are fed into a converged deep neural network for detection. To reduce catastrophic forgetting when the MDL neural network parameters are updated, a penalty term is added to the important model parameters during the update, based on the elastic weight consolidation (EWC) algorithm, so that detection performance on the new dataset improves while detection accuracy on the initial training dataset is maintained. Finally, the clusters of the model's initial training dataset are obtained with the K-Means algorithm, and the data in the new dataset that fall outside these clusters are selected for the model parameter update, which prevents the EWC algorithm from failing because of excessively high data correlation. Experiments show that the detection accuracy of the proposed application-layer DDoS detection model reaches 98.2%, and that it has better model parameter update performance than the MLP_Whole method.
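Keywords: application-layer DDoS attack; attack detection model; multimodal deep neural network; elastic weight consolidation algorithm; parameter update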
Classification number: TP393 [Automation and Computer Technology: Computer Application Technology]