Author(s): 昌武洋 (CHANG Wuyang); 付雄 (FU Xiong)[1]; 王俊昌 (WANG Junchang)[1] (School of Computer, Nanjing University of Posts and Telecommunications, Nanjing 210000, China)
Source: Journal of Chongqing Technology and Business University: Natural Science Edition (重庆工商大学学报(自然科学版)), 2023, No. 2, pp. 36-43 (8 pages)
Abstract: For DDoS attack detection within network anomaly traffic detection, previous deep learning-based solutions build their models and tune their parameters on datasets detached from any real system entity. This paper proposes and implements a network anomaly traffic detection system based on network traffic feature analysis that combines the Linux kernel observability technology eBPF (extended Berkeley Packet Filter) with deep learning. The system uses eBPF to collect network traffic feature data efficiently and directly from the lowest layer of the Linux kernel network stack, and then detects anomalous network traffic with a deep learning model built on Long Short-Term Memory (LSTM) networks. Concretely, the system first collects traffic feature data through an eBPF program attached at the XDP (eXpress Data Path) hook, the lowest attachment point in the Linux kernel network stack; an LSTM is then used to build the neural network model and to predict the traffic class. Applying the system to a simulated experimental network environment yielded a recognition accuracy of 97.9%, while the throughput of TCP and UDP communication in the network fell by only 8.53% on average with the system in use. The results show that the system has a low impact on network communication while achieving good detection performance; it is practically usable and offers a new approach to network anomaly traffic detection.
Keywords: attack detection; Linux kernel observability technology; long short-term memory network; deep learning
Classification: TP393.0 [Automation and Computer Technology: Computer Application Technology]