ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development (计算机研究与发展) ›› 2018, Vol. 55 ›› Issue (6): 1236-1246. doi: 10.7544/issn1000-1239.2018.20170124

• Information Security •

Self-Learning Application-Layer DDoS Detection Method Based on an Improved AP Clustering Algorithm

Liu Zihao, Zhang Bin, Zhu Ning, Tang Huilin

  1. (Information Engineering University, Zhengzhou 450001) (Henan Key Laboratory of Information Security, Zhengzhou 450001) (liuzihao199307@126.com)
  • Published: 2018-06-01
  • Funding:
    National High Technology Research and Development Program of China (863 Program) (2012AA7117058); Henan Basic and Frontier Technology Research Program (142300413201)

Adaptive App-DDoS Detection Method Based on Improved AP Algorithm

Liu Zihao, Zhang Bin, Zhu Ning, Tang Huilin   

  1. (Information Engineering University, Zhengzhou 450001) (Henan Key Laboratory of Information Security, Zhengzhou 450001)
  • Online: 2018-06-01

Abstract: Behaviour-based application-layer DDoS detection algorithms suffer from two difficulties: the sample-training process is laborious and the model is hard to update. To address both, a self-learning application-layer DDoS detection method based on an improved affinity propagation (AP) clustering algorithm is proposed. First, the affinity propagation clustering algorithm is improved and optimised: on top of a pre-classification of the data set using a small amount of prior knowledge, a same-type cluster merging mechanism is added to remove the algorithm's sensitivity to sample size, and a heterogeneous-cluster removal mechanism is introduced to exclude the interference that special clusters cause in the detection results. Second, user behaviour attributes are defined to characterise user behaviour features, and the IAP clustering algorithm is used to cluster user behaviour effectively, which raises detection accuracy. Third, the Silhouette index is introduced to monitor cluster quality in real time and a cluster self-learning update mechanism is designed, which further lowers the false-alarm rate, raises the detection rate, and gives the detection clusters dynamic resistance to analysis. Experimental results show that, compared with conventional AP clustering and the KMPCA algorithm, the proposed method runs more efficiently, detects better, and has a degree of autonomous optimisation capability.

Keywords: application-layer DDoS, detection method, behaviour feature, improved AP clustering algorithm, self-learning

Abstract: Because training samples is laborious and updating the model is difficult in behavior-based application-layer DDoS detection methods, an adaptive App-DDoS detection method based on an improved affinity propagation (IAP) algorithm is proposed. First, to optimize the affinity propagation algorithm, the data set is pre-partitioned into several parts using the limited prior knowledge available, and similar clusters are merged so that the algorithm copes with large amounts of data; in addition, an abnormal-cluster cleaning mechanism is introduced so that such clusters do not interfere with the detection results. Second, a set of user behavior attributes is defined to represent behavior features, and the improved AP algorithm is applied to cluster these attributes efficiently, which raises the detection rate for abnormal users. Third, by evaluating cluster quality with the Silhouette index in real time, a self-updating learning mechanism is put forward that keeps the distribution of normal users' attributes from being analyzed, further reducing the false positive rate and increasing the detection rate. Experimental results on the real data set ClarkNet-HTTP show that the proposed method is more efficient and more accurate than the conventional AP algorithm and the KMPCA algorithm, and that it can update its clusters by itself during detection.

Key words: application layer DDoS, detection method, behavior feature, improved affinity propagation (IAP) algorithm, self-updating

CLC number: