A low-rate denial of service attack detection method based on time and frequency domain features of TCP


Authors: WANG Jia-Hao; FANG Zhi-Yang; WANG Jun-Feng [1] (College of Computer Science, Sichuan University, Chengdu 610065, China; School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China)

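Affiliations: [1] College of Computer Science, Sichuan University, Chengdu 610065; [2] School of Cyber Science and Engineering, Sichuan University, Chengdu 610065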

Source: Journal of Sichuan University (Natural Science Edition), 2024, Issue 3, pp. 172-181, 10 pages in total

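Funding: National Key R&D Program of China (2019QY1400); National Natural Science Foundation of China (U2133208); Sichuan Province Youth Science and Technology Innovation Research Team (2022JDTD0014).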

Abstract: Low-rate denial of service (LDoS) attacks are a special variant of DoS attacks that exploit the adaptive mechanisms in TCP to degrade the connection quality between clients and servers. Because the attack rate is low and the attack is stealthy, traditional DoS defense mechanisms cannot effectively identify LDoS attacks. This paper proposes an LDoS attack detection method (TF-Stacking) based on the time-frequency domain features of TCP traffic and an improved Stacking algorithm. It analyzes the differences between normal traffic and traffic containing LDoS attacks in the time domain and the frequency domain, and constructs a network traffic feature set used for feature calculation on traffic data, so as to extract the most useful information from network traffic data and reduce the scale of the network data. In addition, the Stacking algorithm is improved to alleviate the imbalance of sample weights in the meta-model, and is used for traffic classification. Experiments are conducted on the NS3 simulation platform to evaluate the performance of TF-Stacking. The experimental results show that the detection accuracy of TF-Stacking reaches 98.07%, with a false negative rate of only 1.55%, so it can effectively detect LDoS attacks.

Keywords: statistical features; ensemble learning; Stacking; attack detection

Classification code: TP391.1 [Automation and Computer Technology: Computer Application Technology]

 
