Detection Of Application-layer Distributed Denial Of Service Attack Based On Support Vector Machine And Density-based Spatial Clustering Of Applications With Noise

Posted on: 2021-02-23
Degree: Master
Type: Thesis
Country: China
Candidate: J L Zhang
GTID: 2518306467471754
Subject: Master of Engineering
Abstract/Summary:
In recent years, as defense systems and detection methods for network-layer DDoS attacks have matured, it has become difficult for attackers to launch attacks on users from the network layer, and DDoS attacks based on the application layer, including the HTTP protocol, have emerged. Compared with traditional DDoS attacks, an application-layer attack consumes less traffic and can be disguised as legitimate traffic to evade detection, and it has therefore become the mainstream form of DDoS attack. At present, known attack detection methods fall into three categories: methods based on statistical analysis, methods based on machine learning, and methods based on detection system architecture. These methods generally detect one particular form of application-layer DDoS attack and cannot detect multiple forms of attack. For application-layer DDoS attacks, this paper proposes a method called SV-DB (combining the SVM and DBSCAN algorithms) to detect multiple application-layer DDoS attacks. The detection process is divided into four stages: the data analysis and feature selection stage, the traffic verification stage, the attack detection stage, and the model verification stage. In the traffic verification stage, an SVM classifier classifies and verifies the network traffic based on its timing characteristics and filters out abnormal traffic. In the attack detection stage, the DBSCAN algorithm further examines the filtered abnormal traffic based on the characteristics of application-layer DDoS attacks. In the model verification stage, cross-validation is used to calculate the evaluation indices and evaluate the model's performance, and grid search is used to optimize the parameters. Finally, the most suitable parameters are selected to construct the ideal model. This paper uses the simulated CIC DoS dataset (2017) for model training and testing. Experiments show that this method can effectively detect abnormal traffic packets and multiple application-layer DDoS attacks in the dataset.
Keywords/Search Tags: application-layer DDoS attack, machine learning, cluster analysis, SVM, DBSCAN