Abstract:
As it is complicated for training samples and difficult for updating models in behavior-based application layer DDoS detection methods, an adaptive App-DDoS detection method based on improved affinity propagation (IAP) algorithm is proposed. Firstly, to optimize the affinity propagation algorithm, we previously divide the dataset into several parts utilizing the limited priori knowledge, and merge the similar clusters for enhancing the ability of processing large amount of data. Besides, the abnormal clusters cleaning mechanism is introduced so as to avoid their interference for the detection results. Secondly, some user behavior attributes are given to represent behavior features, and the improved AP algorithm is applied to efficiently clustering the proposed attributes, as a result, improving the detection rate for abnormal users. Then by evaluating the quality of clusters with Silhouette index in real-time, a self-updating learning mechanism is put forward to support the resistance of analyzing the distribution of normal users’ attributions, which further reduces the false positive rate and increases the detection rate. The experimental results on real dataset, ClerkNet-Http, show that the proposed method is more effective and more accurate compared with the conventional AP algorithm and KMPCA algorithm, as well as can update clusters by itself in the process of detection.