Research On DDoS Attack Detection Method Based On Deep Learning

Since the end of the 20th century,the Internet has developed rapidly with the support of a large number of technologies.Therefore,users can share files,communicate in real time,and also you can perform tasks collaboratively in different places by sharing computing resources.However,the growing number of Internet resources has led to many potential attacks.Among them,attacks can take many forms,including attacks on the physical IT(Information Technology)environment,attacks using application weaknesses,and attacks through third-party applications.Distribute Denial of Service(DDoS)attack uses a cluster of multiple computers to perform coordinated attacks,which leads to a network that cannot be self-reliant and paralyzes,and seriously threatens network security in the military,medical,and commercial fields.At present,DDoS attack detection mainly includes three methods based on statistical learning,machine learning,and deep learning.However,the detection process relies on artificially set thresholds or attack traffic characteristics,which makes it unable to be used in constantly changing DDoS attack scenarios.Therefore,this paper directly learns the attack traffic characteristics from the original traffic and proposes a DDoS attack traffic detection method based on deep learning.The main work is as follows:(1)Based on the DDoS attack method in the real network environment,this paper proposes a new data flow preprocessing method by analyzing the trend of data flow.Firstly,the data traffic is divided by session slicing method,then the packets in the same data stream are sampled according to a fixed time window,and finally the packet byte array format is generated as the input of the classification model of this article.(2)Due to the characteristics of short-time burstiness of the traffic during the attack,the manually designed traffic characteristics cannot accurately characterize the characteristics of the attack traffic.Therefore,this paper proposes a CNN-BiLSTM classification model of benign and malignant traffic,which can automatically learn the spatiotemporal characteristics of attack traffic directly from the original data traffic.Spatio-temporal features include spatial feature extraction module and temporal feature extraction module.The spatial feature extraction module uses the convolutional neural network CNN to learn the local area features of the data packets in a fixed time window;the temporal feature extraction module uses the bidirectional long and short-term memory network BiLSTM for bidirectional context information extraction to learn the attack behavior of the data packets between the fixed time windows feature.Finally,the DDoS attack traffic and the benign traffic are distinguished based on two modules.This paper verifies the classification performance of the model on three public DDoS attack data sets and compares and analyzes it with other deep learning methods.The results show that the model has good classification performance and can be applied to DDoS attack detection.(3)Aiming at the problem of low classification accuracy and high false alarm rate in the DDoS attack detection classification task,this paper adds the attention mechanism to the temporal feature extraction module of CNN-BiLSTM model,CNN-Att BiLSTM.And compares the classification results based on the extracted packet features.The degree of contribution is assigned corresponding weights,and the limited attention resources are focused on high-value information to improve detection performance.By analyzing the classification performance of the model in three public data sets,the results show that the CNN-BiLSTM model with the attention mechanism can effectively improve the classification accuracy of benign and malignant traffic.