Design And Implementation Of Application Layer DDoS Attack Detection Based On Integrated Learning

Posted on: 2023-12-08
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Li
Full Text: PDF
GTID: 2558306845498144
Subject: Information and Communication Engineering
Abstract/Summary:
Distributed Denial of Service (DDoS) attacks have low operational thresholds and various attack methods, which bring significant risks to service providers, such as customer loss and property loss. Compared with network-layer DDoS attacks, application-layer DDoS attacks simulate the normal access behavior of users and have characteristic features that are difficult to detect. In addition, current detection technology is limited to a single detection type, so a multiclass classification detection scheme for application-layer DDoS attacks is required, one that can detect application-layer DDoS attacks contained in traffic with high accuracy and indicate the specific type. Based on the National Key Research and Development Program subject "Identity-based Trusted Protocol and Malicious Communication Behavior Monitoring Method" (No. 2018YFA0701604), this dissertation designs and implements an application-layer DDoS attack detection mechanism based on ensemble learning, which can improve the Malicious Detection Capability (DC) by an order of magnitude. The designed detection mechanism includes a data set generation module, a data set preprocessing module, an offline training module and an online detection module. It can detect multiple types of application-layer DDoS attacks, including four mainstream ones: HTTP-Flood, HTTP-Post, HTTP-Get and CC attack. The main work of this dissertation is as follows:

(1) Establish application-layer DDoS attack data sets and effective feature sets. In the established experimental environment, 5G legitimate traffic and different types of application-layer DDoS attack traffic are simulated, so that the data set generation module can extract feature information at the traffic entrance and generate data sets for multi-type application-layer DDoS attacks, solving the problem that the latest available data sets do not break attacks down by type. After analysis of feature distribution, attack principles and feature engineering, the features of the different types of application-layer DDoS attacks are selected, and 47-dimensional effective features are obtained to reduce time overhead.

(2) Implement offline training and online detection. Tree-based machine learning models are suitable for the data set in this dissertation, which has many numerical features. Stacking integrates multiple machine learning models, uses a multiclass classification model to perform fine-grained perception of attack traffic, indicates the specific types of DDoS attacks at the application layer, and improves the accuracy and generalization of the detection model. By deploying the trained Stacking model at the gateway, attack traffic at the gateway is identified and its specific type is indicated. A network behavior knowledge base interface is provided: the detection results are saved and fed back to the network behavior knowledge base module, both to support the subsequent design of the network behavior knowledge base framework and to help the detection module adjust its strategy.

(3) Build a prototype system to verify the feasibility and effectiveness of the proposed detection mechanism. Multiple common indicators are compared, and Malicious Detection Rate (DR) and Malicious Detection Capability are introduced as new indicators for algorithm evaluation to measure the effectiveness of the detection mechanism. The experimental results show that the detection mechanism proposed in this dissertation can flexibly provide fine-grained traffic classification for different types of application-layer DDoS attack traffic and effectively detect four mainstream application-layer DDoS attacks. Under the best sliding window, the detection mechanism can detect and tag suspicious traffic effectively; the Malicious Detection Rate can be increased to 99%, the Malicious Detection Capability can reach 99, and the Malicious Detection Capability for application-layer DDoS attacks can be improved tenfold.
Keywords/Search Tags:Application-Layer DDoS Attacks, Distributed Denial Of Service Attacks, Machine Learning, Integrated Learning