CN119172155B - DDoS attack defense method based on recognition model - Google Patents

Info

Publication number: CN119172155B
Authority: CN (China)
Prior art keywords: data, attack, model, preset, recognition model
Legal status: Active (as listed by Google; an assumption, not a legal conclusion)
Application number: CN202411377435.8A
Other languages: Chinese (zh)
Other versions: CN119172155A (en)
Inventors: 曾捷, 徐晨, 杨一帆, 但玉然, 杨圣辉, 刘兆钰, 卜祥元, 安建平
Current assignee: Beijing Institute of Technology (BIT)
Original assignee: Beijing Institute of Technology (BIT)

Application filed by Beijing Institute of Technology (BIT)
Priority to CN202411377435.8A
Publication of CN119172155A
Application granted
Publication of CN119172155B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Abstract

The present invention relates to the field of digital information transmission technology, and in particular to a DDoS attack defense method based on an identification model. The method comprises: obtaining training data from a target data source and training a model on it to obtain an initial attack identification model; using a server to debug the initial attack identification model and obtain a debugging result; and judging, within a preset time period, whether the debugging result meets a preset normal alarm condition. If it does, the initial attack identification model is used as the actual attack identification model; otherwise the initial attack identification model is retrained on the basis of the debugging result until a preset iteration stop condition is met, and the resulting actual attack identification model is used for DDoS attack identification. This addresses the technical problems of the related art: high construction cost, inability to relieve server pressure effectively, high implementation difficulty, and difficulty of widespread deployment.

Description

DDoS attack defense method based on recognition model
Technical Field
The invention relates to the technical field of digital information transmission, in particular to a DDoS attack defense method based on an identification model.
Background
Distributed denial of service (DDoS) attacks are launched simultaneously from hundreds or even thousands of hosts that have been compromised and fitted with an attack agent. Exploiting deception and disguise together with weaknesses in network protocols and operating systems, the attacker sends, through hundreds or thousands of attack proxy hosts, large numbers of disguised service request packets whose source cannot be identified to the target host. Serving these requests consumes large amounts of system resources or network bandwidth, so the system or network becomes overloaded and, once paralysed, stops providing normal service. A DDoS attack manifests directly as network congestion, system downtime and slow response; normal requests cannot be processed, legitimate users are blocked, economic loss follows, and the target may even be intruded upon and have data stolen while under attack, jeopardising information security.
At present DDoS is an attack that is cheap to launch and highly damaging: it occupies server resources with a large number of invalid accesses, paralyses the server so that normal requests cannot be processed, affects legitimate users, and is difficult to defend against completely.
In the related art a number of defense methods target different DDoS attack characteristics. Boundary (ingress) filtering focuses on discarding spoofed packets, but source-address checking has to be deployed globally, so implementation is difficult. Rate limiting restricts traffic that exceeds a rate threshold, but computing the bandwidth to be limited consumes excessive server resources, so resource utilisation is low. Attack-source tracing can address the problem at its origin, but it is labour-intensive and adds network congestion. Sampling has low coverage and low efficiency across the whole network. Dynamic security association combines attack-source tracing with simultaneous work by staff at many nodes, which is efficient, but establishing the security associations and authenticating the information heavily load the routers and require administrators to cooperate with each other, so implementation is difficult.
In summary, in the related art, the construction cost is high, the server pressure cannot be effectively relieved, the implementation difficulty is high, popularization and application are not facilitated, and improvement is needed.
Disclosure of Invention
The invention provides a DDoS attack defense method based on an identification model, which aims to solve the technical problems that in the related art, the construction cost is high, the server pressure cannot be effectively relieved, the implementation difficulty is high, popularization and application are not facilitated, and the like.
An embodiment of the first aspect of the invention provides a DDoS attack defense method based on an identification model, comprising the following steps: obtaining training data from a target data source; training a model with the training data to obtain an initial attack identification model; connecting the initial attack identification model to the corresponding server so that the server can be used to debug it, obtaining a debugging result; and judging, within a preset duration, whether the debugging result meets a preset normal alarm condition. If it does, the initial attack identification model is taken as the actual attack identification model and used for DDoS attack identification; otherwise the initial attack identification model is retrained on the basis of the debugging result until a preset iteration stop condition is met, and the resulting model is taken as the actual attack identification model and used for DDoS attack identification.
Optionally, in one embodiment of the present invention, the acquiring training data from a target data source includes intercepting actual data meeting a preset data condition from the target server as the training data, and/or initiating a plurality of simulated DDoS attacks on the target server, and intercepting simulated data meeting the preset data condition from the target server as the training data.
Optionally, before training the model with the training data, the method further comprises: cutting the training data into a plurality of time slices of preset length; cleaning the time slices to obtain cleaned valid time slices; labeling each valid time slice on the basis of the data it contains, so that each valid time slice is labeled either as under DDoS attack or as not under DDoS attack; grouping the valid time slices into a first group of data that meets a preset DDoS attack feature significance condition and a second group of data that does not; shuffling all valid time slices in both groups; randomly combining the valid time slices in the first group to obtain a plurality of first random time slice pairs; and randomly combining the valid time slices in the second group to obtain a plurality of second random time slice pairs.
Optionally, in one embodiment of the present invention, training the model with the training data to obtain the initial attack recognition model comprises: constructing a preliminary model and using it to recognise, one by one, the status codes of the first random time slice pairs in the first group of data, thereby obtaining a preliminary recognition model, where the status code of a pair is derived from the labels of its two valid time slices; inputting the second group of data into the preliminary recognition model and calculating its correct rate; and judging whether the correct rate is greater than or equal to a preset threshold. If it is, the preliminary recognition model is taken as the initial attack recognition model; if it is below the threshold, the recognition process applied to the first group is repeated with the second group of data until the correct rate reaches the threshold, yielding the initial attack recognition model.
Optionally, in an embodiment of the present invention, retraining the initial attack recognition model on the basis of the debugging result until the preset iteration stop condition is met, to obtain the actual attack recognition model for DDoS attack recognition, comprises: when the debugging result is that a DDoS attack went unrecognised (a missed alarm), obtaining new training data and training the model with it; when the debugging result is that a DDoS attack was recognised, judging whether the recognition is correct. If it is correct, the initial attack recognition model is debugged repeatedly within the preset duration until no debugging result shows a missed or incorrect recognition, and the model is taken as the actual attack recognition model; otherwise (a false alarm) the parameters of the initial recognition model are adjusted, the model is retrained with time slices that meet a preset similarity condition until an initial attack recognition model is obtained again, and the debugging is repeated.
An embodiment of the second aspect of the invention provides a DDoS attack defending device based on the recognition model, comprising an acquisition module, a training module, a debugging module and a recognition module. The acquisition module obtains training data from a target data source; the training module trains a model with the training data to obtain an initial attack recognition model; the debugging module connects the initial attack recognition model to the corresponding server so that the server can be used to debug it, and obtains a debugging result; and the recognition module judges, within a preset duration, whether the debugging result meets a preset normal alarm condition, takes the initial attack recognition model as the actual attack recognition model for DDoS attack recognition if it does, and otherwise retrains the initial attack recognition model on the basis of the debugging result until a preset iteration stop condition is met, taking the result as the actual attack recognition model for DDoS attack recognition.
Optionally, in one embodiment of the present invention, the acquisition module includes a first intercepting unit configured to intercept actual data meeting a preset data condition from the target server as training data, and/or a second intercepting unit configured to launch a plurality of simulated DDoS attacks on the target server and intercept simulated data meeting the preset data condition from the target server as training data.
Optionally, in one embodiment of the present invention, the device further includes a processing module configured to cut the training data into a plurality of time slices of preset length and clean them to obtain cleaned valid time slices; a tag module configured to label each valid time slice, on the basis of the data it contains, as under DDoS attack or as not under DDoS attack; a grouping module configured to group the valid time slices into a first group of data that meets a preset DDoS attack feature significance condition and a second group that does not; and a combining module configured to shuffle all valid time slices in both groups, randomly combine the valid time slices in the first group to obtain a plurality of first random time slice pairs, and randomly combine the valid time slices in the second group to obtain a plurality of second random time slice pairs.
Optionally, in one embodiment of the present invention, the training module includes a building unit configured to build a preliminary model and use it to recognise, one by one, the status codes of the first random time slice pairs in the first group of data to obtain a preliminary recognition model, where the status codes are derived from the labels of the two valid time slices in each pair; a calculating unit configured to input the second group of data into the preliminary recognition model, calculate its correct rate and determine whether the correct rate is greater than or equal to a preset threshold; a first determining unit configured to take the preliminary recognition model as the initial attack recognition model if the correct rate is greater than or equal to the preset threshold; and a second determining unit configured, if the correct rate is below the threshold, to repeat the recognition process applied to the first group with the second group of data until the correct rate reaches the threshold, so as to obtain the initial attack recognition model.
Optionally, in one embodiment of the present invention, the recognition module includes a first training unit configured, when the debugging result is that a DDoS attack went unrecognised, to obtain new training data and train a new initial attack recognition model with it; and a second training unit configured, when the debugging result is that a DDoS attack was recognised, to judge whether the recognition is correct and, if so, to debug the initial attack recognition model repeatedly within the preset duration until no debugging result shows a missed or incorrect recognition, thereby obtaining the actual attack recognition model, and otherwise to adjust the parameters of the initial recognition model, retrain it with time slices meeting a preset similarity condition until an initial attack recognition model is obtained again, and debug it again.
An embodiment of the third aspect of the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor executes the program to implement the DDoS attack defense method based on an identification model described in the above embodiments.
An embodiment of the fourth aspect of the present invention provides a computer-readable storage medium storing computer instructions that cause a computer to perform the DDoS attack defense method based on the recognition model described in the above embodiments.
An embodiment of the fifth aspect of the present invention provides a computer program product comprising a computer program which, when executed, implements the DDoS attack defense method based on an identification model described above.
According to the embodiment of the invention, training data from the target data source is used to train a model and obtain an initial attack recognition model; the server is used to debug the initial attack recognition model and obtain a debugging result; within the preset time length it is judged whether the debugging result meets the preset normal alarm condition; if it does, the initial attack recognition model is used as the actual attack recognition model, otherwise the initial attack recognition model is retrained on the basis of the debugging result until the preset iteration stop condition is met, and the resulting actual attack recognition model is used for DDoS attack recognition. The defence exploits the model's sensitivity to changes in the data: DDoS attacks are recognised by analysing, over a short time, the request initiation intervals, the time trend, the spatial distribution of sources and the request content characteristics, so that suspicious requests are screened out before the data enter the server, while continuous learning and real-time correction continue after the model is put into use. Economic and manpower costs are thereby reduced and wide deployment is made easier. Therefore the technical problems of the related art (high construction cost, failure to relieve server pressure effectively, high implementation difficulty, and difficulty of widespread deployment) are solved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flowchart of a DDoS attack defending method based on an identification model according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a time slice pair generation principle according to one embodiment of the present invention;
FIG. 3 is a schematic diagram of a model training principle according to one embodiment of the present invention;
FIG. 4 is a schematic diagram of a debugging principle according to one embodiment of the present invention;
FIG. 5 is a flow chart of a DDoS attack defense method based on an identification model according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a DDoS attack defending device based on an identification model according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
The following describes a DDoS attack defense method based on an identification model according to an embodiment of the present invention with reference to the accompanying drawings. To address the technical problems of the related art mentioned in the background (high construction cost, failure to relieve server pressure effectively, high implementation difficulty, and difficulty of widespread deployment), the invention provides a DDoS attack defending method based on an identification model. In this method, training data from a target data source is used to train a model and obtain an initial attack identification model; the server is used to debug the initial attack identification model and obtain a debugging result; within a preset time period it is judged whether the debugging result meets a preset normal alarm condition; if it does, the initial attack identification model is used as the actual attack identification model, otherwise the initial attack recognition model is retrained on the basis of the debugging result until a preset iteration stop condition is met, and the resulting actual attack recognition model is used for DDoS attack recognition. Machine learning is thus combined with DDoS defense: in the defense process the model's sensitivity to change is used to recognise DDoS attacks by analysing, over a short time, changes in the request initiation interval, the time trend, the spatial distribution of sources and the request content characteristics, so that suspicious requests are screened out before the data enter the server, while continuous learning and real-time correction continue after the data enter the server. This reduces economic and manpower costs and eases wide deployment.
Therefore, the technical problems that in the related technology, the construction cost is high, the pressure of a server cannot be effectively relieved, the implementation difficulty is high, popularization and application are not facilitated and the like are solved.
Specifically, fig. 1 is a schematic flow chart of a DDoS attack defending method based on an identification model according to an embodiment of the present invention.
As shown in fig. 1, the DDoS attack defense method based on the recognition model includes the following steps:
in step S101, training data from a target data source is acquired.
It will be understood that the preliminary model must be built from data with pronounced features, whereas real data contains many confounding factors, so its features are often not pronounced.
The data types can include the trend of total request volume, the request initiation frequency, the spatial distribution of sources and the request content characteristics. Spatial distribution can be quantified through IP addresses and geographic latitude and longitude.
Optionally, in one embodiment of the invention, acquiring training data from the target data source includes intercepting actual data meeting preset data conditions from the target server as training data, and/or initiating multiple simulated DDoS attacks on the target server, intercepting simulated data meeting preset data conditions from the target server as training data.
In practice, as shown in fig. 2, the data meeting the preset data condition, that is, the training data, may come both from real traffic and from manually generated data.
Manually generated data is produced by having technicians launch realistic simulated DDoS attacks many times through different ports and intercepting the corresponding data on the server side as training data. The preset data condition may be set by those skilled in the art according to the actual situation and is not specifically limited here.
In step S102, model training is performed using the training data to obtain an initial attack recognition model.
Further, the embodiment of the invention can train the initial attack recognition model by utilizing training data.
Optionally, before training the model with the training data, the method further comprises: cutting the training data into a plurality of time slices of preset length; cleaning the time slices to obtain cleaned valid time slices; labeling each valid time slice, on the basis of the data it contains, as under DDoS attack or as not under DDoS attack; grouping the valid time slices into a first group of data that meets the preset DDoS attack feature significance condition and a second group that does not; shuffling all valid time slices in both groups; randomly combining the valid time slices in the first group to obtain a plurality of first random time slice pairs; and randomly combining the valid time slices in the second group to obtain a plurality of second random time slice pairs.
Prior to model training, as shown in fig. 2, embodiments of the present invention may preprocess training data.
According to the embodiment of the invention, the training data are aligned in time so that the four kinds of data (trend of total request volume, request initiation frequency, spatial distribution and request content characteristics) are concurrent, and the aligned data are cut into time slices of moderate length awaiting screening.
The training data are then cleaned: outlier time slices are deleted, and each remaining time slice is labeled as under DDoS attack or as not under DDoS attack.
The training data are divided into two groups: the first group has pronounced DDoS attack features, the second group does not.
Each group is shuffled randomly several times and its slices combined pairwise, giving a plurality of time slice pairs: the first random time slice pairs and the second random time slice pairs.
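The preprocessing steps above (and the corresponding optional claim in the Disclosure), carried out in Python on a constructed request log, as an added example that is not code from the patent: the log is cut into fixed-length time slices, the four kinds of feature are computed per slice, empty slices are removed as cleaning, slices are labeled from the known window of the simulated attack, grouped by how pronounced their features are, then shuffled and paired. The slice length, the feature definitions, the cleaning rule, the significance rule (a robust z-score of the request count) and the sample log are all assumptions.

```python
"""Preprocessing a request log into labeled, grouped time-slice pairs (fig. 2 steps).
Added example, not code from the patent: the feature definitions, the cleaning rule,
the significance rule, the slice length and the sample log are all assumptions."""
import math
import random
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SLICE_LEN = 10.0                 # preset time-slice length in seconds (assumption)
ATTACK_WINDOW = (120.0, 200.0)   # known window of the simulated attack (constructed)
OUTAGE = (250.0, 270.0)          # constructed collector outage: nothing recorded


@dataclass
class Slice:
    start: float
    features: Dict[str, float]
    label: int                   # 1 = under DDoS attack, 0 = not
    significant: bool = False    # meets the feature-significance condition


def build_log(seed: int = 1) -> List[Tuple[float, str, str]]:
    """Constructed log of (timestamp, source IP, path): ~2 req/s of normal traffic from
    many /24s, plus a simulated flood of ~60 req/s from one /24 against one path."""
    rng = random.Random(seed)
    log = []
    t = 0.0
    while t < 300.0:
        t += rng.expovariate(2.0)
        if OUTAGE[0] < t < OUTAGE[1]:
            continue
        ip = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        log.append((t, ip, rng.choice(["/", "/login", "/search", "/api/items"])))
    t = ATTACK_WINDOW[0]
    while t < ATTACK_WINDOW[1]:
        t += rng.expovariate(60.0)
        log.append((t, f"203.0.113.{rng.randrange(1, 255)}", "/search"))
    return sorted(log)


def entropy(counter: Counter) -> float:
    """Shannon entropy (bits) of the counts in `counter`; 0 for an empty counter."""
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values()) if n else 0.0


def slice_log(log, slice_len=SLICE_LEN, window=ATTACK_WINDOW) -> List[Slice]:
    """Cut the log into consecutive slices and compute the four feature kinds: volume
    trend, initiation frequency, spatial distribution (entropy of source /24 prefixes)
    and request content (share of the single most requested path)."""
    end = log[-1][0]
    slices, prev_count, start = [], None, 0.0
    while start + slice_len <= end:
        rows = [r for r in log if start <= r[0] < start + slice_len]
        count = len(rows)
        prefixes = Counter(ip.rsplit(".", 1)[0] for _, ip, _ in rows)
        paths = Counter(path for _, _, path in rows)
        features = {
            "count": float(count),
            "freq": count / slice_len,
            "trend": 0.0 if prev_count is None else float(count - prev_count),
            "src_entropy": entropy(prefixes),
            "top_path_share": paths.most_common(1)[0][1] / count if count else 0.0,
        }
        # Label from the known attack window: attack if it covers >= half the slice.
        overlap = min(start + slice_len, window[1]) - max(start, window[0])
        slices.append(Slice(start, features, int(overlap >= slice_len / 2)))
        prev_count, start = count, start + slice_len
    return slices


def clean(slices: List[Slice]) -> List[Slice]:
    """Cleaning rule (assumption): drop slices with no requests at all; here they
    come from the collector outage, not from traffic behaviour."""
    return [s for s in slices if s.features["count"] > 0]


def group_and_pair(slices: List[Slice], seed: int = 7, clear_attack: float = 3.0,
                   clear_normal: float = 1.0):
    """Significance rule (assumption): robust z-score of the request count against the
    median/MAD of all slices. Far above the median (clear flood) or very close to it
    (clearly normal) -> first group; in between -> second group. Then shuffle and pair."""
    counts = [s.features["count"] for s in slices]
    med = statistics.median(counts)
    mad = max(statistics.median(abs(c - med) for c in counts), 1.0)
    obvious, ambiguous = [], []
    for s in slices:
        z = abs(s.features["count"] - med) / mad
        s.significant = z >= clear_attack or z <= clear_normal
        (obvious if s.significant else ambiguous).append(s)
    rng = random.Random(seed)

    def pair_up(group):
        rng.shuffle(group)
        return [(group[i], group[i + 1]) for i in range(0, len(group) - 1, 2)]

    return pair_up(obvious), pair_up(ambiguous)


def preprocess(seed: int = 1):
    """Whole pipeline: log -> slices -> cleaned -> grouped and paired."""
    slices = clean(slice_log(build_log(seed)))
    first_pairs, second_pairs = group_and_pair(slices)
    return slices, first_pairs, second_pairs
```

Calling `preprocess()` yields 28 valid slices (the two slices inside the constructed outage are dropped), of which the eight fully inside the attack window carry the attack label; those eight show low source entropy and a dominant path, which is what the first (pronounced) group is meant to capture. The pairing is done within each group, so a first-group pair never mixes with a second-group slice.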
Optionally, in one embodiment of the invention, training the model with the training data to obtain the initial attack recognition model comprises: constructing a preliminary model and using it to recognise, one by one, the status codes of the first random time slice pairs in the first group of data, thereby obtaining a preliminary recognition model, where the status code of a pair is derived from the labels of its two valid time slices; inputting the second group of data into the preliminary recognition model and calculating its accuracy; and judging whether the accuracy is greater than or equal to a preset threshold. If it is, the preliminary recognition model is taken as the initial attack recognition model; if it is below the threshold, the recognition process applied to the first group is repeated with the second group of data until the accuracy reaches the threshold, yielding the initial attack recognition model.
In practice, as shown in fig. 3, the embodiment first trains on the first random time slice pairs of the first group of data (the group with pronounced features). From the labels of the two time slices in a pair, the following four status codes are set:
(1) no attack - no attack: set to 0
(2) attack - no attack: set to -1
(3) no attack - attack: set to 1
(4) attack - attack: set to 1
The preliminary model is trained through multiple rounds of learning to recognise these four status codes, so that it acquires a basic DDoS attack recognition capability; the result is the preliminary recognition model.
The preliminary recognition model is then tested and optimised with the second group of data, using recognition accuracy as the measure of its recognition effect. If the accuracy is below γ (for example 90%), the training process used on the first group is repeated with the second group of data, optimising the model until a higher recognition rate is reached; once it is, the preliminary recognition model is taken as the initial attack recognition model.
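The training stage above (and the corresponding optional claim in the Disclosure) in Python, as an added example that is not the patent's code: pairs of time slices carry the four status codes exactly as the page lists them, a preliminary model is trained on the first (pronounced) group, its correct rate on the second (ambiguous) group is compared against γ = 90%, and while it falls short the training is repeated with the second group folded in. The classifier (a per-slice logistic regression on frequency, source entropy and top-path share, from which the pair's code is derived), the two groups' feature distributions, the seed and the MAX_ROUNDS guard are assumptions; the page itself states no stop guard for this inner loop.

```python
"""Training the preliminary recognition model on time-slice pairs (fig. 3 steps).
Added example; not the patent's code. The classifier, the feature distributions
of the two groups and the MAX_ROUNDS guard are assumptions."""
import math
import random
from typing import List, Sequence, Tuple

Slice = Tuple[float, float, float, int]   # (freq, src_entropy, top_path_share, label)
Pair = Tuple[Slice, Slice]

# Status code of a pair from its two labels (1 = under attack). As written on the
# page, (3) no-attack/attack and (4) attack/attack both map to 1.
STATUS_CODE = {(0, 0): 0, (1, 0): -1, (0, 1): 1, (1, 1): 1}
GAMMA = 0.90        # accuracy threshold γ (the page gives 90% as an example)
MAX_ROUNDS = 20     # guard so the retraining loop terminates (assumption)

# Constructed (mean, sd) per feature for attack (1) and normal (0) slices.
OBVIOUS = {1: [(60, 5), (0.4, 0.1), (0.95, 0.02)], 0: [(2, 0.4), (4.2, 0.3), (0.35, 0.08)]}
AMBIGUOUS = {1: [(12, 2), (1.5, 0.4), (0.8, 0.06)], 0: [(5, 1.2), (3.5, 0.4), (0.45, 0.08)]}


def make_group(rng: random.Random, n_pairs: int, dist) -> List[Pair]:
    """Constructed random time-slice pairs; each slice's label is drawn with p = 0.5."""
    def draw() -> Slice:
        label = rng.randrange(2)
        return tuple(rng.gauss(m, s) for m, s in dist[label]) + (label,)
    return [(draw(), draw()) for _ in range(n_pairs)]


def true_code(pair: Pair) -> int:
    return STATUS_CODE[(pair[0][3], pair[1][3])]


class PairModel:
    """Logistic regression per slice; the pair's status code comes from both verdicts."""

    def __init__(self) -> None:
        self.w = [0.0, 0.0, 0.0]
        self.b = 0.0
        self.mean = [0.0, 0.0, 0.0]
        self.sd = [1.0, 1.0, 1.0]

    def _x(self, s: Slice) -> List[float]:
        return [(s[i] - self.mean[i]) / self.sd[i] for i in range(3)]

    def _z(self, s: Slice) -> float:
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, self._x(s)))
        return max(-30.0, min(30.0, z))          # keep exp() in range

    def predict_label(self, s: Slice) -> int:
        return int(self._z(s) > 0)

    def predict_code(self, pair: Pair) -> int:
        return STATUS_CODE[(self.predict_label(pair[0]), self.predict_label(pair[1]))]

    def fit(self, pairs: Sequence[Pair], epochs: int = 300, lr: float = 0.5) -> None:
        """Full-batch gradient descent on the logistic loss. Features are standardised
        on the data given; weights are warm-started from the previous round."""
        slices = [s for p in pairs for s in p]
        n = len(slices)
        self.mean = [sum(s[i] for s in slices) / n for i in range(3)]
        self.sd = [max(math.sqrt(sum((s[i] - self.mean[i]) ** 2 for s in slices) / n), 1e-9)
                   for i in range(3)]
        for _ in range(epochs):
            gw, gb = [0.0, 0.0, 0.0], 0.0
            for s in slices:
                x = self._x(s)
                err = 1.0 / (1.0 + math.exp(-self._z(s))) - s[3]
                gw = [g + err * xi for g, xi in zip(gw, x)]
                gb += err
            self.w = [wi - lr * g / n for wi, g in zip(self.w, gw)]
            self.b -= lr * gb / n


def accuracy(model: PairModel, pairs: Sequence[Pair]) -> float:
    """Correct rate: share of pairs whose predicted status code equals the true one."""
    return sum(model.predict_code(p) == true_code(p) for p in pairs) / len(pairs)


def train_initial_model(group1: Sequence[Pair], group2: Sequence[Pair],
                        gamma: float = GAMMA) -> Tuple[PairModel, List[float]]:
    """Train on the first (obvious) group, test on the second; while the correct rate
    is below γ, repeat the training process with the second group included."""
    model = PairModel()
    model.fit(group1)
    history = [accuracy(model, group2)]
    while history[-1] < gamma and len(history) <= MAX_ROUNDS:
        model.fit(list(group1) + list(group2))
        history.append(accuracy(model, group2))
    return model, history


def run_demo(seed: int = 3) -> Tuple[PairModel, List[float]]:
    rng = random.Random(seed)
    group1 = make_group(rng, 40, OBVIOUS)
    group2 = make_group(rng, 40, AMBIGUOUS)
    return train_initial_model(group1, group2)
```

`run_demo()` returns the model and the list of correct rates measured on the second group after each round; the first entry is the rate of the model trained on the pronounced group alone, the last one is at or above γ. Because codes (3) and (4) share the value 1, a pair's code is still counted correct when a no-attack slice paired with an attack slice is itself misjudged as attack, so pair-level accuracy is a slightly lenient measure of slice-level accuracy.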
In step S103, the initial attack recognition model is connected to the corresponding server so that the server can be used to debug it, yielding a debugging result.
In some embodiments, the initial attack recognition model is connected to the corresponding server for debugging, and the corresponding debugging result is obtained.
In step S104, within a preset time period it is judged whether the debugging result satisfies a preset normal alarm condition. If it does, the initial attack recognition model is taken as the actual attack recognition model and used for DDoS attack recognition; otherwise the initial attack recognition model is retrained based on the debugging result until a preset iteration stop condition is met, and the resulting actual attack recognition model is used for DDoS attack recognition.
During debugging, three situations can arise: a missed alarm, a false alarm, or no false alarm at all.
As shown in fig. 4, the embodiment judges whether the debugging result meets the preset normal alarm condition, that is, whether there is no unidentified DDoS attack and the identified DDoS attacks are correct, and whether this holds throughout a period of repeated debugging. When these premises are met, the debugging result satisfies the normal alarm condition, meaning the current state is free of false alarms, and the initial attack recognition model can be put into use as the actual attack recognition model.
Conversely, if the debugging result does not meet the preset normal alarm condition, the model may currently be in an erroneous alarm state, which can be either a missed-alarm state or a false-alarm state. In that case the embodiment trains the model again according to the debugging result until the preset iteration stop condition is met, obtaining the actual attack recognition model.
The preset time period may be set by a person skilled in the art according to the actual situation and is not specifically limited here.
Optionally, in one embodiment of the present invention, retraining the initial attack recognition model based on the debugging result until the preset iteration stop condition is met, so as to obtain the actual attack recognition model for DDoS attack recognition, comprises: when the debugging result is an unidentified DDoS attack, obtaining new training data and training with it to obtain a new initial attack recognition model; when the debugging result is not an unidentified DDoS attack, judging whether the identified DDoS attack is correct; if it is, debugging the initial attack recognition model multiple times within the preset time period until every debugging result shows no unidentified DDoS attack, and taking the model as the actual attack recognition model; otherwise, adjusting the parameters of the preliminary recognition model, retraining it with time slice pairs that satisfy a preset similarity condition until an initial attack recognition model is obtained, and debugging that model again.
Specifically, as shown in fig. 4, when the debugging result is an unidentified DDoS attack, the model is judged to be in a missed-alarm state. A technician then supplements the model manually by obtaining new attack data, repeats the training process used for the first group of data, and optimizes the model. The adjustable model parameters comprise two parts: the proportion (weighting) of the different features within a training round, and the number of iterations within the round. The features are the four parts described earlier: the trend of the total request volume, the request initiation frequency, the spatial distribution, and the request content characteristics. The adjustment is made according to the type of data that produced the erroneous alarm: if one feature is found to carry an excessive share and causes the model to misrecognize, a balanced value is found over several rounds of adjustment.
When the debugging result shows no unidentified DDoS attack but the identified DDoS attack is incorrect, the model is judged to be in a false-alarm state. The model parameters are then adjusted, similar time slice pairs are searched for in the database, their labels and status codes are modified, and the model is retrained. The preset database stores the first and second groups of data and, after the model is put into use, can be updated and maintained with new data sets. Similarity between time slice pairs is judged on the four values: trend of total request volume, request initiation frequency, spatial distribution, and request content characteristics. For example, if the four values of a training time slice pair lie within about 5% of those of the false-alarm pair (the tolerance can be widened as appropriate), that pair is taken as a similar time slice pair for the pair currently used to debug the model.
When the debugging result shows no unidentified DDoS attack and the identified DDoS attacks are correct, debugging and observation are repeated for a period of time. If no unidentified DDoS attack is found during that period, the current state is free of false alarms, and the initial attack recognition model can be used as the actual attack recognition model.
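The three debugging outcomes just described (and their recap under step S503 later on the page) as an added example, not the patent's code: classifying a debugging result as a missed alarm, a false alarm or clean; on a false alarm, finding stored pairs whose four values lie within about 5% of the misjudged pair and relabeling them; on a missed alarm, adding the missed attack as new training data; and promoting the model only after a run of clean results. The in-round feature-weight and iteration tuning the page mentions is not modelled here. The `Slice` and `DebugResult` types, the relative 5% tolerance, the constructed slices and the "three consecutive clean results" promotion rule are assumptions.

```python
"""Added example (not the patent's code): debugging outcomes, similar-pair
search and relabeling on a false alarm, and the promotion condition."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Slice:
    # (request-total trend, request frequency, spatial distribution, request content),
    # assumed here to be scaled to comparable magnitudes.
    features: Tuple[float, float, float, float]
    attacked: bool


def status_code(first_attacked: bool, second_attacked: bool) -> int:
    """Status codes as listed on the page: none-none 0, attack-none -1,
    none-attack 1, attack-attack 1."""
    if not first_attacked and not second_attacked:
        return 0
    if first_attacked and not second_attacked:
        return -1
    return 1


@dataclass(frozen=True)
class DebugResult:
    pair: Tuple[Slice, Slice]   # live pair; its labels are the ground truth found afterwards
    predicted_code: int         # what the initial model reported for the pair


def classify(result: DebugResult) -> str:
    """'missed': an attack was present but not identified; 'false': the model
    reported an attack that is wrong; 'clean': the report matches the truth."""
    truth = status_code(result.pair[0].attacked, result.pair[1].attacked)
    if truth != 0 and result.predicted_code == 0:
        return "missed"
    if result.predicted_code != truth:
        return "false"
    return "clean"


def is_similar(a, b, tolerance: float = 0.05) -> bool:
    """Each of the four values within about 5% (relative) of its counterpart;
    the page says the tolerance may be widened as appropriate."""
    return all(abs(x - y) <= tolerance * max(abs(x), abs(y)) for x, y in zip(a, b))


def find_similar_pairs(database, pair, tolerance: float = 0.05) -> List[int]:
    """Indices of stored pairs similar, slice by slice, to the given pair."""
    return [i for i, stored in enumerate(database)
            if is_similar(stored[0].features, pair[0].features, tolerance)
            and is_similar(stored[1].features, pair[1].features, tolerance)]


def handle_false_alarm(database, result: DebugResult, tolerance: float = 0.05) -> List[int]:
    """Give similar stored pairs the debug pair's true labels; the status code
    follows from the labels, so it is corrected at the same time."""
    truth = (result.pair[0].attacked, result.pair[1].attacked)
    hits = find_similar_pairs(database, result.pair, tolerance)
    for i in hits:
        a, b = database[i]
        database[i] = (replace(a, attacked=truth[0]), replace(b, attacked=truth[1]))
    return hits


def handle_missed_alarm(database, result: DebugResult) -> None:
    """Add the missed attack as new training data (the page has a technician
    supply new attack data and repeat the first-group training)."""
    database.append(result.pair)


def ready_for_production(history: List[str], required_clean: int) -> bool:
    """Promote the initial model only after the last `required_clean` results are clean."""
    return len(history) >= required_clean and all(c == "clean" for c in history[-required_clean:])


def run_debug_cycle(database, results: List[DebugResult], required_clean: int = 3):
    """Apply the case handling to a sequence of debugging results; returns the
    per-result classification and whether the model may be put into use."""
    history = []
    for result in results:
        case = classify(result)
        history.append(case)
        if case == "missed":
            handle_missed_alarm(database, result)
        elif case == "false":
            handle_false_alarm(database, result)
    return history, ready_for_production(history, required_clean)


def build_example():
    """Constructed slices (not real traffic) for a stored database and five debug results."""
    quiet = Slice((0.10, 0.10, 0.10, 0.10), False)
    burst = Slice((0.90, 0.80, 0.70, 0.60), True)
    near_burst = Slice((0.92, 0.79, 0.71, 0.61), True)   # within 5% of burst on every value
    moderate = Slice((0.50, 0.50, 0.50, 0.50), True)
    database = [(burst, quiet), (near_burst, quiet), (moderate, quiet)]
    results = [
        DebugResult((Slice(burst.features, False), quiet), -1),  # flash crowd flagged as attack
        DebugResult((moderate, quiet), 0),                        # real attack not flagged
        DebugResult((quiet, quiet), 0),
        DebugResult((burst, quiet), -1),
        DebugResult((quiet, burst), 1),
    ]
    return database, results


if __name__ == "__main__":
    db, res = build_example()
    print(run_debug_cycle(db, res))
```

The first result is a false alarm: the two stored pairs that look like the burst are relabeled as no attack, while the clearly different moderate pair is left alone. The second is a missed alarm and is appended as new data. The last three are clean, so with a requirement of three consecutive clean results the model is promoted.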
Referring to fig. 2 to 5, an operation principle of a DDoS attack defending method based on an identification model according to an embodiment of the present invention will be described in detail.
As shown in fig. 5, an embodiment of the present invention may include the steps of:
Step S501, acquiring and processing the data required to train the model. The initial model is established from data with obvious characteristics; training data that contain many influencing factors do not have such obvious characteristics. The training data may be intercepted from usable data of an actual server, or generated manually: technicians initiate simulated DDoS attacks from different ports many times, and the corresponding data intercepted on the server side serve as the data source.
As shown in fig. 2, the training data types are the trend of the total request volume, the request initiation frequency, the spatial distribution, and the request content characteristics. The spatial distribution can be quantified by IP address and by geographic longitude and latitude. The training data are aligned in time so that all four values refer to the same moment, and are cut into time slices of moderate length awaiting screening.
After acquisition the training data are cleaned, abnormal time slices are deleted, and each remaining time slice is labeled (under DDoS attack or not).
The data are divided into two groups: the first with obvious DDoS attack characteristics and the second without. Each group is shuffled randomly several times and its slices are combined two by two, giving a number of pairwise-combined time slice pairs.
Step S502, training the model. As shown in fig. 3, the first random time slice pairs of the first group of data (the obvious set) are used first. According to the labels of the two time slices contained in a single pair, the following four status codes are set:
(1) no attack - no attack: set to 0
(2) attack - no attack: set to -1
(3) no attack - attack: set to 1
(4) attack - attack: set to 1
The preliminary model is trained over multiple rounds to identify these four status codes, which gives it a basic DDoS attack recognition capability; the result is the preliminary recognition model.
The preliminary recognition model is then tested and optimized with the second group of data, using recognition accuracy as the metric. If the accuracy is below a threshold gamma (for example 90%), the training process used for the first group is repeated with the second group of data to optimize the model until the higher recognition rate is reached; the preliminary recognition model is then taken as the initial attack recognition model.
Step S503, debugging and application on the corresponding website. As shown in fig. 4, the model is debugged by connecting it to the corresponding server, and three cases can occur:
(1) Missed alarm: an unidentified DDoS attack exists.
Technicians supplement the model manually by obtaining new attack data, repeat the training process of the first group of data, and optimize the model.
(2) False alarm: an identified DDoS attack is wrong.
Adjust the model parameters, search the database for similar time slice pairs, modify their labels and status codes, and retrain.
(3) No false alarm: no recognition error occurs within a short time.
Observe repeatedly for a period of time; if neither (1) nor (2) occurs, the model can be put into use.
According to the DDoS attack defense method based on the recognition model proposed in this embodiment, training data from a target data source are used to train an initial attack recognition model; a server is used to debug this model and obtain a debugging result; within a preset time period it is judged whether the debugging result satisfies a preset normal alarm condition; if so, the initial attack recognition model is taken as the actual attack recognition model, otherwise it is retrained based on the debugging result until a preset iteration stop condition is met; the resulting actual attack recognition model then performs DDoS attack recognition. The method thus combines machine learning with DDoS defense. During defense it exploits the model's sensitivity to data changes over short time periods, analysing request initiation intervals, temporal trends, spatial distribution patterns and request content characteristics to recognize DDoS attacks; it discriminates before data reach the server and intercepts suspicious requests, and after being put into use it can keep learning and be corrected in real time, which lowers economic and labor cost and eases popularization and application. This addresses the problems of the related art, namely high construction cost, failure to effectively relieve server pressure, high implementation difficulty, and unsuitability for popularization and application.
Next, a DDoS attack defending device based on an identification model according to an embodiment of the present invention will be described with reference to the accompanying drawings.
Fig. 6 is a block diagram of a DDoS attack defending device based on an identification model according to an embodiment of the present invention.
As shown in fig. 6, the DDoS attack defending device 10 based on the recognition model includes an acquisition module 100, a training module 200, a debugging module 300, and a recognition module 400.
Specifically, the acquiring module 100 is configured to acquire training data from a target data source.
The training module 200 is configured to perform model training by using training data, so as to obtain an initial attack recognition model.
The debugging module 300 is configured to access the initial attack recognition model to a corresponding server, so as to debug the initial attack recognition model by using the server, and obtain a debugging result.
The identifying module 400 is configured to determine whether the debug result meets a preset normal alarm condition within a preset duration, wherein if the debug result meets the preset normal alarm condition, the initial attack identifying model is used as an actual attack identifying model to perform DDoS attack identification by using the actual attack identifying model, otherwise, the initial attack identifying model is retrained based on the debug result until the preset iteration stop condition is met, so as to obtain the actual attack identifying model, and the actual attack identifying model is used to perform DDoS attack identification.
Optionally, in one embodiment of the present invention, the obtaining module 100 includes a first interception unit and/or a second interception unit.
The first intercepting unit is used for intercepting actual data meeting preset data conditions from the target server and taking the actual data as training data.
The second intercepting unit is used for launching simulated DDoS attacks on the target server multiple times and intercepting the simulated data meeting the preset data conditions from the target server as training data.
Optionally, in one embodiment of the present invention, a DDoS attack defense apparatus 10 based on the identification model further includes a processing module, a tag module, a grouping module, and a combining module.
The processing module is used for intercepting training data into a plurality of time slices with preset lengths, and cleaning the time slices to obtain cleaned effective time slices.
The tag module is used for labeling each effective time slice based on the data in it, obtaining effective time slices labeled as under DDoS attack and effective time slices labeled as not under DDoS attack.
The grouping module is used for grouping the effective time slices to obtain a first group of data meeting the preset DDoS attack characteristic significance condition and a second group of data not meeting the preset DDoS attack characteristic significance condition.
The combination module is used for disturbing all the effective time slices in the first group of data and the second group of data, carrying out random combination on the effective time slices in the first group of data to obtain a plurality of first random time slice pairs, and carrying out random combination on the effective time slices in the second group of data to obtain a plurality of second random time slice pairs.
Alternatively, in one embodiment of the invention, training module 200 includes a building unit, a computing unit, a first determining unit, and a second determining unit.
The construction unit is used for constructing a preliminary model, and utilizing the preliminary model to identify the state codes of the first random time slice pairs in the first group of data one by one to obtain a preliminary identification model, wherein the state codes are obtained by labels corresponding to each effective time slice in the first random time slice pairs.
And the calculating unit is used for inputting the second group of data into the preliminary identification model, calculating the accuracy of the preliminary identification model and judging whether the accuracy is greater than or equal to a preset threshold value.
And the first determining unit is used for taking the preliminary recognition model as an initial attack recognition model under the condition that the accuracy rate is larger than or equal to a preset threshold value.
And the second determining unit is used for repeating the identification process of the first group of data by using the second group of data under the condition that the accuracy rate is smaller than the preset threshold value until the accuracy rate is larger than or equal to the preset threshold value, so as to obtain an initial attack identification model.
Alternatively, in one embodiment of the invention, the recognition module 400 includes a first training unit and a second training unit.
The first training unit is configured to obtain new training data when the debugging result is an unidentified DDoS attack, and to perform model training with the new training data to obtain a new initial attack recognition model.
The second training unit is configured to judge, when the debugging result is not an unidentified DDoS attack, whether the identified DDoS attack is correct; if it is, to debug the initial attack recognition model multiple times within the preset time period until every debugging result shows no unidentified DDoS attack, obtaining the actual attack recognition model; otherwise, to adjust the parameters of the preliminary recognition model, retrain it with time slice pairs satisfying the preset similarity condition until an initial attack recognition model is obtained, and debug the initial attack recognition model again.
It should be noted that the foregoing explanation of the embodiment of the DDoS attack defense method based on the identification model is also applicable to the DDoS attack defense device based on the identification model of the embodiment, and will not be repeated herein.
According to the DDoS attack defense device based on the recognition model proposed in this embodiment, training data from a target data source are used to train an initial attack recognition model; a server is used to debug this model and obtain a debugging result; within a preset time period it is judged whether the debugging result satisfies a preset normal alarm condition; if so, the initial attack recognition model is taken as the actual attack recognition model, otherwise it is retrained based on the debugging result until a preset iteration stop condition is met; the resulting actual attack recognition model then performs DDoS attack recognition. The device thus combines machine learning with DDoS defense. During defense it exploits the model's sensitivity to data changes over short time periods, analysing request initiation intervals, temporal trends, spatial distribution patterns and request content characteristics to recognize DDoS attacks; it discriminates before data reach the server and intercepts suspicious requests, and after being put into use it can keep learning and be corrected in real time, which lowers economic and labor cost and eases popularization and application. This addresses the problems of the related art, namely high construction cost, failure to effectively relieve server pressure, high implementation difficulty, and unsuitability for popularization and application.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. The electronic device may include:
a memory 701, a processor 702, and a computer program stored in the memory 701 and executable on the processor 702.
When executing the program, the processor 702 implements the DDoS attack defense method based on the recognition model provided in the above embodiments.
Further, the electronic device further includes:
A communication interface 703 for communication between the memory 701 and the processor 702.
Memory 701 for storing a computer program executable on processor 702.
The memory 701 may include a high-speed RAM memory or may further include a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory.
If the memory 701, the processor 702, and the communication interface 703 are implemented independently, they may be connected to each other through a bus and communicate with each other. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. Buses may be divided into address buses, data buses, control buses, etc. For ease of illustration only one thick line is shown in fig. 7, which does not mean that there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the memory 701, the processor 702, and the communication interface 703 are integrated on a chip, the memory 701, the processor 702, and the communication interface 703 may communicate with each other through internal interfaces.
The processor 702 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the invention.
The present embodiment also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a DDoS attack defense method based on an identification model as described above.
The embodiment of the invention also provides a computer program product, which comprises a computer program, wherein the computer program is used for realizing the DDoS attack defense method based on the identification model.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or N embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "N" means at least two, for example, two, three, etc., unless specifically defined otherwise.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the invention includes additional implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., a ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include an electrical connection (an electronic device) having one or more wires, a portable computer diskette (a magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the N steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or a combination of techniques known in the art may be used: discrete logic circuits with logic gates for implementing logic functions on data signals, application specific integrated circuits with appropriate combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and so on.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (7)

1. A DDoS attack defense method based on a recognition model, characterized by comprising the following steps:
obtaining training data from a target data source;
performing model training with the training data to obtain an initial attack recognition model;
connecting the initial attack recognition model to a corresponding server so as to debug the initial attack recognition model with the server and obtain a debugging result;
within a preset time period, judging whether the debugging result satisfies a preset normal alarm condition, wherein, if the debugging result satisfies the preset normal alarm condition, the initial attack recognition model is taken as the actual attack recognition model so as to perform DDoS attack recognition with the actual attack recognition model; otherwise, the initial attack recognition model is retrained based on the debugging result until a preset iteration stop condition is met, obtaining the actual attack recognition model so as to perform the DDoS attack recognition with the actual attack recognition model;
wherein, before performing model training with the training data, the method further comprises: cutting the training data into a plurality of time slices of a preset length and cleaning the time slices to obtain cleaned effective time slices; labeling each effective time slice based on the data in the effective time slice, obtaining effective time slices labeled as under DDoS attack and effective time slices not under DDoS attack; grouping the effective time slices to obtain a first group of data satisfying a preset DDoS attack feature significance condition and a second group of data not satisfying the preset DDoS attack feature significance condition; shuffling all effective time slices in the first group of data and the second group of data, randomly combining the effective time slices in the first group of data to obtain a plurality of first random time slice pairs, and randomly combining the effective time slices in the second group of data to obtain a plurality of second random time slice pairs;
wherein performing model training with the training data to obtain the initial attack recognition model comprises: constructing a preliminary model and using the preliminary model to identify, one by one, the status codes of the first random time slice pairs in the first group of data, obtaining a preliminary recognition model, wherein the status code is derived from the label of each effective time slice in the first random time slice pair; inputting the second group of data into the preliminary recognition model, calculating the accuracy of the preliminary recognition model, and judging whether the accuracy is greater than or equal to a preset threshold; if the accuracy is greater than or equal to the preset threshold, taking the preliminary recognition model as the initial attack recognition model; if the accuracy is less than the preset threshold, repeating the recognition process of the first group of data with the second group of data until the accuracy is greater than or equal to the preset threshold, obtaining the initial attack recognition model.
2. The DDoS attack defense method based on a recognition model according to claim 1, characterized in that obtaining training data from a target data source comprises:
intercepting actual data satisfying preset data conditions from a target server as the training data;
and/or launching multiple simulated DDoS attacks on the target server and intercepting simulated data satisfying the preset data conditions from the target server as the training data.
3. The DDoS attack defense method based on a recognition model according to claim 1, characterized in that retraining the initial attack recognition model based on the debugging result until the preset iteration stop condition is met, obtaining the actual attack recognition model so as to perform the DDoS attack recognition with the actual attack recognition model, comprises:
when the debugging result is that an unidentified DDoS attack was suffered, obtaining new training data and performing model training with the new training data to obtain a new initial attack recognition model;
when the debugging result is that no unidentified DDoS attack was suffered, judging whether the identified DDoS attack is correct; if the DDoS attack is identified correctly, debugging the initial attack recognition model multiple times within the preset time period until every debugging result is that no unidentified DDoS attack was suffered, obtaining the actual attack recognition model; otherwise, adjusting the parameters of the preliminary recognition model, retraining the preliminary recognition model with time slice pairs satisfying a preset similarity condition until the initial attack recognition model is obtained, and debugging the initial attack recognition model again.
4. A DDoS attack defense device based on a recognition model, characterized by comprising:
an acquisition module for obtaining training data from a target data source;
a training module for performing model training with the training data to obtain an initial attack recognition model;
a debugging module for connecting the initial attack recognition model to a corresponding server so as to debug the initial attack recognition model with the server and obtain a debugging result;
a recognition module for judging, within a preset time period, whether the debugging result satisfies a preset normal alarm condition, wherein, if the debugging result satisfies the preset normal alarm condition, the initial attack recognition model is taken as the actual attack recognition model so as to perform DDoS attack recognition with the actual attack recognition model; otherwise, the initial attack recognition model is retrained based on the debugging result until a preset iteration stop condition is met, obtaining the actual attack recognition model so as to perform the DDoS attack recognition with the actual attack recognition model;
处理模块,用于将所述训练数据截取为多个预设长度的时间片,并对所述时间片进行清洗,得到清洗后的有效时间片;A processing module, used for cutting the training data into a plurality of time slices of preset lengths, and cleaning the time slices to obtain effective time slices after cleaning; 标签模块,用于基于所述有效时间片中的数据,为每个所述有效时间片进行标签,得到正在遭受DDoS攻击标签的有效时间片和未遭受DDoS攻击的有效时间片;A label module, used for labeling each of the valid time slices based on the data in the valid time slices, to obtain the valid time slices that are suffering from DDoS attack labels and the valid time slices that are not suffering from DDoS attack; 分组模块,用于将所述有效时间片进行分组,得到满足预设DDoS攻击特征显著性条件的第一组数据和不满足所述预设DDoS攻击特征显著性条件的第二组数据;A grouping module, used for grouping the valid time slices to obtain a first group of data that meets a preset DDoS attack feature significance condition and a second group of data that does not meet the preset DDoS attack feature significance condition; 组合模块,用于打乱所述第一组数据和所述第二组数据中全部的有效时间片,将所述第一组数据中的有效时间片进行随机组合,得到多个第一随机时间片对,将所述第二组数据中的有效时间片进行随机组合,得到多个第二随机时间片对;a combining module, configured to shuffle all valid time slices in the first group of data and the second group of data, randomly combine the valid time slices in the first group of data to obtain a plurality of first random time slice pairs, and randomly combine the valid time slices in the second group of data to obtain a plurality of second random time slice pairs; 其中,所述训练模块包括:构建单元,用于构建初步模型,并利用所述初步模型逐一识别所述第一组数据中的第一随机时间片对的状态码,得到初步识别模型,其中,所述状态码由所述第一随机时间片对中每个有效时间片对应的标签得到;计算单元,用于将所述第二组数据输入至所述初步识别模型中,计算所述初步识别模型的正确率,并判断所述正确率是否大于或等于预设阈值;第一确定单元,用于在所述正确率大于或等于所述预设阈值的情况下,将所述初步识别模型作为所述初始攻击识别模型;第二确定单元,用于在所述正确率小于所述预设阈值的情况下,利用所述第二组数据重复所述第一组数据的识别过程,直至所述正确率大于或等于所述预设阈值,得到所述初始攻击识别模型。Among them, the training module includes: a construction unit, which is used to construct a preliminary model, and use the preliminary model to identify the status code of the first random time slice pair in the first group of data one by one, so as to obtain a preliminary recognition model, wherein the status code is obtained by 
the label corresponding to each valid time slice in the first random time slice pair; a calculation unit, which is used to input the second group of data into the preliminary recognition model, calculate the accuracy of the preliminary recognition model, and determine whether the accuracy is greater than or equal to a preset threshold; a first determination unit, which is used to use the preliminary recognition model as the initial attack recognition model when the accuracy is greater than or equal to the preset threshold; a second determination unit, which is used to use the second group of data to repeat the recognition process of the first group of data when the accuracy is less than the preset threshold, until the accuracy is greater than or equal to the preset threshold, so as to obtain the initial attack recognition model. 5.一种电子设备,其特征在于,包括:存储器、处理器及存储在所述存储器上并可在所述处理器上运行的计算机程序,所述处理器执行所述程序,以实现如权利要求1-3任一项所述的一种基于识别模型的DDoS攻击防御方法。5. An electronic device, characterized in that it comprises: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement a DDoS attack defense method based on an identification model as described in any one of claims 1 to 3. 6.一种计算机可读存储介质,其上存储有计算机程序,其特征在于,该程序被处理器执行,以用于实现如权利要求1-3任一项所述的一种基于识别模型的DDoS攻击防御方法。6. A computer-readable storage medium having a computer program stored thereon, characterized in that the program is executed by a processor to implement a DDoS attack defense method based on an identification model as described in any one of claims 1 to 3. 7.一种计算机程序产品,其特征在于,包括计算机程序,所述计算机程序被执行时,以用于实现如权利要求1-3任一项所述的一种基于识别模型的DDoS攻击防御方法。7. A computer program product, characterized in that it comprises a computer program, which, when executed, is used to implement a DDoS attack defense method based on an identification model as described in any one of claims 1 to 3.
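The training loop of claim 1 (clean the slices, label them, split by feature significance, shuffle and pair, train on the first group's pair status codes, check accuracy on the second group against a threshold, retrain if it falls short), written out as an added Python example. It is not the patent's own code. The nearest-centroid model, the three per-slice counters and their scaling, the labeling rule, the significance condition, the two-bit status-code encoding, the reading of "repeat the recognition process using the second group" as folding the second group's pairs into the training set, and the max_rounds stop guard are all assumptions; the time slices are constructed so that the first round fails the threshold and the second passes.

```python
"""Claim-1 style training loop for a DDoS recognition model (added example, not the patent's code).
Model, scaling, labeling rule, significance condition and stop guard are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Slice:
    """One fixed-length time slice summarised as three counters (constructed sample data)."""
    sid: int
    pps: float          # packets per second
    unique_src: float   # distinct source IPs seen in the slice
    mbps: float         # traffic volume in megabits per second


# Constructed slices: clearly normal, clearly attack, two borderline of each, one empty.
SLICES = [
    Slice(0, 100, 10, 1.0), Slice(1, 200, 20, 2.0),
    Slice(2, 300, 30, 3.0), Slice(3, 400, 40, 4.0),
    Slice(4, 10000, 1000, 100.0), Slice(5, 9000, 900, 90.0),
    Slice(6, 11000, 1100, 110.0), Slice(7, 10000, 1000, 100.0),
    Slice(8, 600, 60, 6.0), Slice(9, 800, 80, 8.0),          # normal, but not clearly so
    Slice(10, 4500, 450, 45.0), Slice(11, 4800, 480, 48.0),  # attack, but not clearly so
    Slice(12, 0, 0, 0.0),                                    # empty slice, removed by cleaning
]


def clean(slices):
    """Cleaning step (assumed rule): drop slices that carry no traffic at all."""
    return [s for s in slices if s.pps > 0]


def label(s):
    """Label derived from the slice's own data (assumed rule): 1 = under DDoS attack, 0 = not."""
    return 1 if s.pps >= 3000 and s.unique_src >= 300 else 0


def is_significant(s):
    """Assumed 'DDoS attack feature significance' condition: traffic clearly low or clearly high."""
    return s.pps <= 500 or s.pps >= 9000


def features(s):
    """Scale the counters to comparable magnitudes (assumed scaling)."""
    return (s.pps / 1000.0, s.unique_src / 100.0, s.mbps / 10.0)


def encode_status(la, lb):
    """Status code of a pair from its two slice labels: two bits, first slice is the high bit."""
    return 2 * la + lb


def decode_status(code):
    return code >> 1, code & 1


def make_pairs(group, rng):
    """Shuffle a group and pair consecutive slices; an odd leftover slice is dropped."""
    order = list(group)
    rng.shuffle(order)
    return [(order[i], order[i + 1], encode_status(label(order[i]), label(order[i + 1])))
            for i in range(0, len(order) - 1, 2)]


class NearestCentroid:
    """Toy recognition model: one centroid per label, nearest centroid wins."""

    def fit(self, samples):
        sums, counts = {}, {}
        for vec, y in samples:
            acc = sums.setdefault(y, [0.0] * len(vec))
            for i, v in enumerate(vec):
                acc[i] += v
            counts[y] = counts.get(y, 0) + 1
        self.centroids = {y: [v / counts[y] for v in acc] for y, acc in sums.items()}
        return self

    def predict(self, vec):
        return min(self.centroids,
                   key=lambda y: sum((a - b) ** 2 for a, b in zip(vec, self.centroids[y])))

    def predict_pair(self, a, b):
        return encode_status(self.predict(features(a)), self.predict(features(b)))


def pair_accuracy(model, pairs):
    """Share of pairs whose predicted status code equals the labeled one."""
    return sum(model.predict_pair(a, b) == code for a, b, code in pairs) / len(pairs)


def samples_from_pairs(pairs):
    """Recover per-slice labels from each pair's status code for fitting."""
    out = []
    for a, b, code in pairs:
        la, lb = decode_status(code)
        out += [(features(a), la), (features(b), lb)]
    return out


def train_initial_model(slices, threshold=0.9, seed=7, max_rounds=5):
    """Fit on group-1 pairs, score on group-2 pairs, fold group 2 into training while the
    accuracy is below the threshold. max_rounds is an added stop guard. Returns (model, history)."""
    rng = random.Random(seed)
    valid = clean(slices)
    group1 = [s for s in valid if is_significant(s)]
    group2 = [s for s in valid if not is_significant(s)]
    pairs1, pairs2 = make_pairs(group1, rng), make_pairs(group2, rng)
    training, history = list(pairs1), []
    for _ in range(max_rounds):
        model = NearestCentroid().fit(samples_from_pairs(training))
        acc = pair_accuracy(model, pairs2)
        history.append(acc)
        if acc >= threshold:
            return model, history
        training += pairs2
    raise RuntimeError("accuracy never reached the threshold: %r" % history)


if __name__ == "__main__":
    model, history = train_initial_model(SLICES)
    print("pair accuracy per round:", history)
    print("centroids:", model.centroids)
```

With the constructed slices the first-round centroids sit at the extremes, so both borderline attack slices are scored as normal and the second group fails the threshold; after the second group's pairs are folded in, the attack centroid moves toward them and every pair is recognised. Note what the loop then measures: once group 2 is part of the training set, the accuracy computed on it no longer says anything about unseen traffic, so a practitioner applying this scheme should keep a separate held-out set of slices for the final accuracy check, and should watch the pairing step, which silently discards one slice whenever a group has an odd size.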

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411377435.8A CN119172155B (en) 2024-09-29 2024-09-29 DDoS attack defense method based on recognition model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411377435.8A CN119172155B (en) 2024-09-29 2024-09-29 DDoS attack defense method based on recognition model

Publications (2)

Publication Number Publication Date
CN119172155A CN119172155A (en) 2024-12-20
CN119172155B true CN119172155B (en) 2025-03-28

Family

ID=93885248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411377435.8A Active CN119172155B (en) 2024-09-29 2024-09-29 DDoS attack defense method based on recognition model

Country Status (1)

Country Link
CN (1) CN119172155B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118300836A (en) * 2024-04-01 2024-07-05 湖南森鹰智能科技有限公司 Training method of DDOS attack detection model, attack detection method and device
CN118612083A (en) * 2024-06-05 2024-09-06 广州大学 HTTP distributed denial of service attack detection model construction method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8291495B1 (en) * 2007-08-08 2012-10-16 Juniper Networks, Inc. Identifying applications for intrusion detection systems
CN117527352A (en) * 2023-11-08 2024-02-06 山西大学 DDoS attack defense method based on statistics and integrated self-encoder in SDN environment


Also Published As

Publication number Publication date
CN119172155A (en) 2024-12-20

Similar Documents

Publication Publication Date Title
US11070569B2 (en) Detecting outlier pairs of scanned ports
US11770397B2 (en) Malicious port scan detection using source profiles
CN112003870A (en) Network encryption traffic identification method and device based on deep learning
US20220046042A1 (en) Scanner probe detection
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
US11770396B2 (en) Port scan detection using destination profiles
US20220217162A1 (en) Malicious port scan detection using port profiles
CN116015800B (en) Scanner identification method, device, electronic device and storage medium
CN111541647A (en) Security detection method and device, storage medium and computer equipment
CN114785567A (en) Traffic identification method, device, equipment and medium
CN119862567A (en) Method, device and equipment for analyzing government enterprise gateway log based on artificial intelligence
CN110365673B (en) Method, server and system for isolating network attack plane
CN114363212B (en) Equipment detection method, device, equipment and storage medium
TWI777766B (en) System and method of malicious domain query behavior detection
CN115643044A (en) Data processing method, device, server and storage medium
CN119172155B (en) DDoS attack defense method based on recognition model
EP4044548B1 (en) Worm detection method and network device
CN113098852A (en) Log processing method and device
CN114884740B (en) AI-based intrusion protection response data processing method and server
CN115484081B (en) Host intrusion detection method, device, equipment and storage medium
CN116015844A (en) Data flow detection method, system and electronic equipment
JP7176630B2 (en) DETECTION DEVICE, DETECTION METHOD AND DETECTION PROGRAM
CN114866338A (en) Network security detection method and device and electronic equipment
CN113645191A (en) Method, device and equipment for determining suspicious host and computer readable storage medium
CN119449500B (en) Intelligent defense and detection methods for network vulnerabilities, computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant