Authors: 王郁夫 WANG Yu-Fu; 王兴伟 WANG Xing-Wei; 易波 YI Bo; 黄敏 HUANG Min [2] (School of Computer Science and Engineering, Northeastern University, Shenyang 110819, China; College of Information Science and Engineering, Northeastern University, Shenyang 110819, China)
Affiliations: [1] School of Computer Science and Engineering, Northeastern University, Shenyang 110819, Liaoning, China; [2] College of Information Science and Engineering, Northeastern University, Shenyang 110819, Liaoning, China
Source: Journal of Software (软件学报), 2024, No. 5, pp. 2522-2542 (21 pages)
Funding: National Natural Science Foundation of China (62032013, 62002055).
Abstract: Aiming at the growing threat of distributed denial of service (DDoS) attacks under the rapid adoption of IPv6, this study proposes a two-stage DDoS defense mechanism, consisting of a pre-detection stage that monitors in real time for the early appearance of a DDoS attack and a deep-detection stage that accurately filters DDoS traffic after an alarm. First, the IPv6 packet format is analyzed and the hexadecimal header fields are extracted from PCAP capture files as sample elements. Then, in the pre-detection stage, a lightweight binary convolutional neural network (BCNN) is introduced and a two-dimensional traffic matrix is designed as its input, so that the malicious situation produced by DDoS traffic mixed into the network can be perceived as a whole and used as evidence to raise a DDoS alarm. After the alarm, the deep-detection stage intervenes with a one-dimensional convolutional neural network (1DCNN) that takes a one-dimensional packet vector as input and specifically distinguishes the mixed DDoS packets, so that blocking policies can be issued. In the experiment, an IPv6 LAN topology is built and a pure IPv6-DDoS traffic source is generated by replaying the public CIC-DDoS2019 dataset through NAT 4to6. The results show that the proposed mechanism improves response speed, detection accuracy, and traffic filtering efficiency in DDoS defense: when DDoS traffic makes up only 6% and 10% of the total network traffic, the BCNN perceives the occurrence of the attack with 90.9% and 96.4% accuracy, while the 1DCNN distinguishes and filters the mixed DDoS packets with 99.4% accuracy.
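As an added illustration of the pipeline's first step (not code from the paper or its authors), the following Python reads raw IPv6 packets from an in-memory pcap, validates and decodes the 40-byte fixed header, and stacks the header bytes of consecutive packets into a two-dimensional matrix of the kind a BCNN could consume. The paper does not specify which fields it keeps or the matrix dimensions, so the choice of all 40 header bytes as features, the window-by-40 layout with zero padding, the sample addresses and the pcap link type (229, raw IPv6) are all assumptions of this example; the capture itself is constructed inline.

```python
import struct
from ipaddress import IPv6Address

IPV6_HEADER_LEN = 40
LINKTYPE_IPV6 = 229      # pcap link type for frames that begin with an IPv6 header (assumed here)
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap magic, microsecond timestamps


def build_ipv6_packet(src, dst, next_header, payload, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Assemble a raw IPv6 packet: 40-byte fixed header (RFC 8200) plus payload."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return header + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_pcap(packets):
    """Serialise packets into an in-memory classic pcap file (constructed test data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV6)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_pcap_packets(data):
    """Yield raw packet bytes from a little-endian classic pcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    link_type, = struct.unpack("<I", data[20:24])
    if link_type != LINKTYPE_IPV6:
        raise ValueError("this example handles raw IPv6 captures only")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def parse_ipv6_header(pkt):
    """Decode the fixed IPv6 header fields; reject truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the IPv6 fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version={version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(IPv6Address(pkt[8:24])),
        "dst": str(IPv6Address(pkt[24:40])),
    }


def header_row(pkt):
    """One sample row: the 40 header bytes as integers 0..255 (the 'hex header fields')."""
    parse_ipv6_header(pkt)  # validate before treating the bytes as features
    return list(pkt[:IPV6_HEADER_LEN])


def traffic_matrix(packets, window):
    """Stack `window` consecutive header rows into a window x 40 matrix.
    A short final window is zero-padded so every matrix has the same shape."""
    rows = [header_row(p) for p in packets[:window]]
    rows += [[0] * IPV6_HEADER_LEN for _ in range(window - len(rows))]
    return rows


def traffic_matrices(data, window):
    """Split a capture into non-overlapping windows and build one matrix per window."""
    pkts = list(iter_pcap_packets(data))
    return [traffic_matrix(pkts[i:i + window], window)
            for i in range(0, len(pkts), window)]


# Constructed capture: three UDP packets (next header 17) and one ICMPv6 packet (58).
SAMPLE_PACKETS = [
    build_ipv6_packet("2001:db8::10", "2001:db8::1", 17, b"\x00" * 8, flow_label=0xABCDE),
    build_ipv6_packet("2001:db8::11", "2001:db8::1", 17, b"\x00" * 20, traffic_class=0x20),
    build_ipv6_packet("2001:db8::12", "2001:db8::1", 17, b"\x00" * 8),
    build_ipv6_packet("2001:db8::1", "2001:db8::10", 58, b"\x80\x00" + b"\x00" * 6, hop_limit=255),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    for pkt in iter_pcap_packets(SAMPLE_PCAP):
        print(parse_ipv6_header(pkt))
    mats = traffic_matrices(SAMPLE_PCAP, window=3)
    print(len(mats), "matrices of shape", len(mats[0]), "x", len(mats[0][0]))
```

Using the raw header bytes rather than a hand-picked subset keeps the feature extractor free of protocol-specific parsing beyond the version check, which matters at the pre-detection stage where the point is throughput; the decoded fields from `parse_ipv6_header` are what the deep-detection stage would need to justify a blocking decision on a specific packet.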
Keywords: DDoS defense; two-stage; DDoS attack monitoring; DDoS traffic filtering; BCNN and 1DCNN; IPv6
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]