ISSN 1000-1239 CN 11-1777/TP

• Information Security •

### Self-Learning Application-Layer DDoS Detection Method Based on an Improved AP Clustering Algorithm

1. (Information Engineering University, Zhengzhou 450001) (Henan Key Laboratory of Information Security, Zhengzhou 450001) (liuzihao199307@126.com)
• Published: 2018-06-01
• Funding:
National High Technology Research and Development Program of China (863 Program) (2012AA7117058); Henan Basic and Frontier Technology Research Program (142300413201)

### Adaptive App-DDoS Detection Method Based on Improved AP Algorithm

Liu Zihao, Zhang Bin, Zhu Ning, Tang Huilin

1. (Information Engineering University, Zhengzhou 450001) (Henan Key Laboratory of Information Security, Zhengzhou 450001)
• Online: 2018-06-01

Abstract: Because behavior-based application-layer DDoS detection methods require complex training samples and are difficult to update, an adaptive App-DDoS detection method based on an improved affinity propagation (IAP) algorithm is proposed. First, to optimize the affinity propagation algorithm, the dataset is pre-divided into several parts using limited prior knowledge, and similar clusters are merged, which enhances the ability to process large amounts of data. An abnormal-cluster cleaning mechanism is also introduced so that abnormal clusters do not interfere with the detection results. Second, a set of user behavior attributes is defined to represent behavior features, and the improved AP algorithm is applied to cluster these attributes efficiently, which improves the detection rate for abnormal users. Then, by evaluating cluster quality in real time with the Silhouette index, a self-updating learning mechanism is put forward that makes the analysis of the distribution of normal users' attributes more robust, which further reduces the false positive rate and increases the detection rate. Experimental results on the real dataset ClerkNet-Http show that the proposed method is more effective and more accurate than the conventional AP algorithm and the KMPCA algorithm, and that it can update its clusters by itself during detection.
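The two post-clustering steps the abstract describes, abnormal-cluster cleaning and a Silhouette-gated self-update of the normal-user profile, as an added example that is not the paper's code. It assumes cluster labels have already been produced by the (improved) AP step; the attribute vectors, labels, minimum cluster size and quality threshold below are constructed values.

```python
import math
from collections import Counter, defaultdict

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def silhouette(points, labels):
    """Mean silhouette index: s = (b - a) / max(a, b) per point, where a is the
    mean distance to the point's own cluster and b the smallest mean distance
    to any other cluster. Singleton clusters score 0 by convention."""
    members = defaultdict(list)
    for i, lab in enumerate(labels):
        members[lab].append(i)
    if len(members) < 2:
        raise ValueError("silhouette needs at least two clusters")
    scores = []
    for i, lab in enumerate(labels):
        own = [j for j in members[lab] if j != i]
        if not own:
            scores.append(0.0)
            continue
        a = sum(euclid(points[i], points[j]) for j in own) / len(own)
        b = min(sum(euclid(points[i], points[j]) for j in members[m]) / len(members[m])
                for m in members if m != lab)
        scores.append((b - a) / max(a, b))
    return sum(scores) / len(scores)

def clean_abnormal_clusters(points, labels, min_size):
    """Abnormal-cluster cleaning (assumed rule): clusters with fewer than
    min_size members are treated as anomalous users and removed before the
    normal profile is rebuilt. Returns (kept_points, kept_labels, dropped_ids)."""
    counts = Counter(labels)
    dropped = sorted(lab for lab, n in counts.items() if n < min_size)
    kept = [i for i, lab in enumerate(labels) if counts[lab] >= min_size]
    return [points[i] for i in kept], [labels[i] for i in kept], dropped

def accept_profile_update(points, labels, min_size=2, threshold=0.7):
    """Self-updating rule: only replace the normal-user profile when the
    cleaned clustering is of sufficient quality (silhouette >= threshold).
    Returns (accept, rounded_score, dropped_cluster_ids)."""
    pts, labs, dropped = clean_abnormal_clusters(points, labels, min_size)
    score = silhouette(pts, labs)
    return score >= threshold, round(score, 4), dropped

if __name__ == "__main__":
    # Constructed behaviour vectors (e.g. request rate, repeated-URL ratio):
    # two compact normal groups plus one isolated high-rate user.
    pts = [(1.0, 1.0), (1.0, 2.0), (2.0, 1.0), (2.0, 2.0),
           (8.0, 8.0), (8.0, 9.0), (9.0, 8.0), (9.0, 9.0), (20.0, 1.0)]
    print(accept_profile_update(pts, [0, 0, 0, 0, 1, 1, 1, 1, 2]))
```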