
A Distribute DDOS Detection System Based On One-class SVM And Active Learning Technology

Posted on: 2011-05-20
Degree: Master
Type: Thesis
Country: China
Candidate: S Liu
Full Text: PDF
GTID: 2178330332958772
Subject: Computer software and theory
Abstract/Summary:
With the growth of the network, people use it ever more frequently; it has reached into every aspect of our lives, so network security has also drawn public attention. The Distributed Denial of Service (DDoS) attack is a simple but effective attack method, and it has caused serious economic damage to governments and enterprises. A DDoS attack can cause far greater damage than a denial of service (DoS) attack: by controlling a large number of puppet machines to attack the network, it makes the attack much harder to detect. Detection of DDoS attacks has therefore been a focus of network security research. This thesis discusses the technical principles of DDoS attacks and introduces some newer attack techniques. The traditional misuse detection mechanism cannot effectively identify DDoS attacks, because only part of the attacks have unique features; many attack methods have no distinguishing feature at all, so detection based on attack signatures performs poorly. Statistical analysis of traffic anomalies is another way to detect DDoS, but it is difficult to set the threshold, and the threshold cannot be updated dynamically once set, which reduces the effectiveness of this method in practical detection. In recent years, machine learning methods have been introduced into DDoS attack detection: they treat the attack as a classification problem and make the detection system intelligent to a degree; the methods include neural networks, data mining, etc.
However, most of these methods ignore the characteristics of DDoS attacks: attacks occur far less often than normal network traffic, and obtaining and labelling samples is costly. Because the sample set is imbalanced, we can treat detection as a one-class classification problem. Many machine learning methods train the learning machine on a limited sample set and cannot update it after training is finished, so they do not fit a real-time network stream whose sample set is changing all the time; as for classification errors, current implementations have no error identification mechanism. To solve these problems, this thesis uses the One-Class Support Vector Machine (OCSVM), a kind of support vector machine (SVM), to detect DDoS attacks. It is an unsupervised learning algorithm, which reduces the cost of labelling samples, and the paradigm performs well. To reduce training and testing time, we use an active learning approach: the detector takes the initiative to select the most informative samples to join the training set, uses an incremental learning algorithm to improve learning efficiency, and uses an error identification and rectification mechanism to correct classifier errors and update the machine model in real time. Because DDoS is a collaborative attack, detection engines should be able to communicate with each other; therefore, I designed a secure protocol for communication between detection engines, which can be used to build a distributed detection system. Experimental results show that the One-Class SVM can effectively detect DDoS attacks, and that the active learning algorithm reduces the training time of the learning machine and updates its state on its own initiative while still detecting DDoS attacks effectively. The FIDXP protocol can safely and effectively exchange information between detection engines and can enhance the overall security level of the network.
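The one-class detection loop with active-learning sample selection and error rectification described above, as an added example that is not part of the thesis: a pure-Python hypersphere model over standardised traffic features stands in for the OCSVM (the thesis's actual classifier is not reproduced here), the feature vectors are constructed sample data, and the `oracle` callable represents an analyst answering label queries.

```python
import math

# Constructed per-second traffic features (packets/s, fraction of SYN packets); only normal
# traffic is needed to train, which is the one-class setting the thesis builds on.
NORMAL_TRAFFIC = [(100, 0.05), (120, 0.05), (100, 0.07), (120, 0.07)]

class OneClassDetector:
    """Hypersphere one-class model over standardised features (a stand-in for the OCSVM):
    samples farther than `radius` from the centroid of normal traffic are flagged as attacks."""
    def __init__(self, normal, margin=1.5):
        self.margin = margin         # slack beyond the farthest confirmed-normal sample
        self.samples = list(normal)  # confirmed-normal samples (the only class modelled)
        self.attacks = []            # analyst-confirmed attacks, used only to tighten the boundary
        self._update()

    def _update(self):
        n, dims = len(self.samples), len(self.samples[0])
        self.centroid = [sum(s[d] for s in self.samples) / n for d in range(dims)]
        self.scale = [max(1e-9, math.sqrt(sum((s[d] - c) ** 2 for s in self.samples) / n)) for d, c in enumerate(self.centroid)]
        base = max(self.distance(s) for s in self.samples)
        self.radius = self.margin * base
        # error rectification: a confirmed attack inside the sphere shrinks the radius, never below `base`
        for a in self.attacks:
            self.radius = min(self.radius, max(base, 0.99 * self.distance(a)))

    def distance(self, x):
        return math.sqrt(sum(((x[d] - self.centroid[d]) / self.scale[d]) ** 2 for d in range(len(x))))

    def is_attack(self, x):
        return self.distance(x) > self.radius

    def uncertainty(self, x):        # distance to the boundary: smallest = most informative
        return abs(self.distance(x) - self.radius)

    def label(self, x, is_attack):   # incremental update with one analyst-labelled sample
        (self.attacks if is_attack else self.samples).append(x)
        self._update()

def select_queries(detector, unlabeled, k):
    """Active learning query: the k unlabeled samples closest to the decision boundary."""
    return sorted(unlabeled, key=detector.uncertainty)[:k]

def active_learning_round(detector, unlabeled, oracle, k=2):
    """Have the oracle (an analyst) label k queried samples; return how many were misclassified."""
    queries = [(x, detector.is_attack(x)) for x in select_queries(detector, unlabeled, k)]
    corrected = 0
    for x, predicted_attack in queries:
        truly_attack = oracle(x)
        corrected += int(predicted_attack != truly_attack)
        detector.label(x, truly_attack)
    return corrected
```

Samples near the boundary (a traffic burst, a slightly elevated SYN ratio) are the ones queried; a flood far outside the sphere is never worth an analyst's time because the model is already certain about it.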
Keywords/Search Tags: Distributed denial of service, Support vector machine, Active learning, Congestion control, Interactive protocol