A Machine Learning-based Application Layer DDoS Attack Detection Method

Posted on: 2023-07-23 | Degree: Master | Type: Thesis
Country: China | Candidate: Y F Xu | Full Text: PDF
GTID: 2568306836976769 | Subject: Software engineering
Abstract/Summary:
Application-layer DDoS attacks have become increasingly severe in recent years. Although detection of application-layer DDoS attacks has made some progress, existing work suffers from one-sided and random feature selection, so it can detect only one or a few specific types of attack and cannot maintain a high detection rate when a variety of application-layer DDoS attacks are mixed. In addition, the known existing application-layer DDoS detection methods are deployed at the target server: attack traffic has to reach the entrance of the server room before detection and cleaning are triggered. When attack traffic exceeds the maximum bandwidth of the entrance to the target host's server room, the entrance network becomes congested, leading to random packet loss, business interruption and other serious consequences.

To solve these problems, this paper proposes an application-layer DDoS attack detection method deployed close to the attack source. The method is based on an RF-SVM detection model, which maintains a high detection rate on a mixture of application-layer DDoS attacks because its feature selection is objective and comprehensive. At the same time, the detection nodes are deployed forward, near the attack sources, which ensures that the target host does not break down due to DDoS attacks. Specifically, the research contents of this paper mainly include:

(1) This paper first studies the common detection methods in the field of application-layer DDoS attack detection and proposes a detection model based on RF-SVM to solve the problem of one-sided and random feature selection in current methods. In this model, a feature importance assessment algorithm based on random forest evaluates and ranks the importance of features for a mixed attack composed of various application-layer DDoS attacks. Combined with the feature dimension reduction algorithm FDRFIE presented in this paper, this guarantees the objectivity and comprehensiveness of feature selection.

(2) Second, because existing detection methods cannot guarantee the security of the target host, this paper proposes an application-layer DDoS attack detection system deployed near the attack source. The system uses the RF-SVM detection model to build detection nodes, which are deployed in each network segment near the attack source. Each node is responsible for detecting DDoS attacks in its own network segment. Because application-layer DDoS attacks are highly distributed, a detection node on a single network segment may not have enough attack traffic samples to train a model with high accuracy, so the traffic a node has filtered may still contain a large amount of attack traffic. This paper alleviates the problem of attack traffic missed by detection nodes by adding a reinforcement learning mechanism based on SVM confidence. With this system, attacks can be detected and filtered by detection nodes deployed near the attack source as soon as they begin, preventing attack traffic from reaching the target host.

(3) Finally, this paper analyzes the proposed model and system using the DDoS attack part of the CSE-CIC-IDS2018 intrusion detection dataset. The experimental results show that the detection model based on RF-SVM maintains high accuracy on a mixed attack composed of multiple application-layer DDoS attacks, with an average accuracy of up to 85.6% and a highest accuracy of up to 94.6%. As for protecting the target host, even when the accuracy of some of the models is insufficient, the detection system deployed near the attack source can use the reinforcement learning mechanism to improve the system's interception rate, filtering up to 90.88% of attack traffic at the attack source. This greatly reduces the load on the target host and shows that the system is practical and effective.
Keywords/Search Tags:Distributed Denial of Service, Feature Importance Evaluation, Support Vector Machine, Random Forest, Reinforcement Learning Mechanism