Journal of Jilin University (Engineering and Technology Edition) ›› 2020, Vol. 50 ›› Issue (5): 1894-1904. doi: 10.13229/j.cnki.jdxbgxb20190448

• Communication and Control Engineering •

Statistical based distributed denial of service attack detection research in internet of things

Hong-song CHEN, Jing-jiu CHEN

  1. School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China
  • Received: 2019-05-10 Online: 2020-09-01 Published: 2020-09-16
  • About the author: CHEN Hong-song (1977-), male, professor, PhD. Research interests: cyberspace security, artificial intelligence and big data applications. E-mail: chenhs@ustb.edu.cn
  • Funding:
    National Social Science Fund of China (18BGJ071)

Abstract:

To address the difficulty of detecting large-scale distributed denial of service (DDoS) attacks in the Internet of Things (IoT), an IoT traffic simulation platform is built on Docker container virtualization. First, four types of attack traffic are generated by simulating a Mirai botnet and by executing attack commands, while normal traffic is generated by manual operation and by the automatic execution of an IoT experiment box. Second, the raw traffic is statistically analysed to produce datasets at two levels of granularity: packet level and second level. Third, three statistical indicators and analysis methods are proposed: the segmented Hurst exponent, sliding-window entropy and the sliding-window confidence interval; the DDoS detection rules are derived from the training set. The experimental results show that the abnormal traffic detection method based on the sliding-window mean confidence interval reaches an accuracy of 72.11%.

Key words: statistical analysis, abnormal traffic detection, distributed denial of service, attack simulation, Internet of Things simulation
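The pipeline the abstract describes (aggregating packet records into a second-level series, learning a confidence-interval rule from normal training seconds, and computing sliding-window entropy of a traffic feature) as an added, runnable Python example. This is not the paper's code or data: the packet records are constructed inline, and the window size, the confidence level, the choice of packets per second and source address as features, and the flood shape of 20 sources at 30 packets per second (borrowed from the SYN-flood row of Table 1) are assumptions made here.

```python
"""Second-level aggregation, sliding-window confidence-interval rule and
sliding-window source entropy for IoT DDoS traffic.

Added example, not the paper's code or data: the packet records are
constructed inline, and window size, confidence level, features and the
flood shape (20 sources x 30 pkt/s) are assumptions."""
from collections import Counter, defaultdict
from math import log2, sqrt
from statistics import mean, stdev

# Two-sided z critical values used in the normal approximation.
Z = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def build_sample_packets():
    """Constructed packet-level records (timestamp_s, src_ip): 30 s of normal
    two-device traffic at 4..6 pkt/s, then a 10 s flood from 20 sources
    sending 30 pkt/s each (the SYN-flood setting of Table 1)."""
    pkts = []
    for sec in range(30):
        n = 4 + sec % 3
        pkts += [(sec + i / n, "10.0.0.%d" % (1 + i % 2)) for i in range(n)]
    for sec in range(30, 40):
        for bot in range(20):
            pkts += [(sec + i / 30, "172.17.0.%d" % (2 + bot)) for i in range(30)]
    return pkts


def group_by_second(packets):
    """Map each whole second to the list of source addresses seen in it."""
    by_sec = defaultdict(list)
    for ts, src in packets:
        by_sec[int(ts)].append(src)
    return by_sec


def to_second_level(packets):
    """Second-level dataset: one (packet_count, distinct_sources) row per
    second, with (0, 0) for seconds that carried no packets."""
    by_sec = group_by_second(packets)
    lo, hi = min(by_sec), max(by_sec)
    return [(len(by_sec[s]), len(set(by_sec[s]))) if s in by_sec else (0, 0)
            for s in range(lo, hi + 1)]


def fit_window_interval(normal_counts, window, confidence=0.95):
    """Detection rule learned from normal training seconds: the interval in
    which the mean of `window` consecutive normal seconds is expected to
    fall at the given confidence (normal approximation)."""
    m, s = mean(normal_counts), stdev(normal_counts)
    half = Z[confidence] * s / sqrt(window)
    return m - half, m + half


def ci_detect(counts, interval, window):
    """Slide a window over the per-second series and flag every window whose
    mean leaves the fitted interval; one boolean per window start."""
    lo, hi = interval
    return [not lo <= mean(counts[t:t + window]) <= hi
            for t in range(len(counts) - window + 1)]


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def sliding_source_entropy(packets, window):
    """Entropy of the source-address distribution in each window of `window`
    consecutive seconds. Many equal-rate bots push it towards log2(bots);
    a single-source flood pushes it towards 0."""
    by_sec = group_by_second(packets)
    lo, hi = min(by_sec), max(by_sec)
    return [shannon_entropy([s for sec in range(t, t + window) for s in by_sec[sec]])
            for t in range(lo, hi - window + 2)]


if __name__ == "__main__":
    pkts = build_sample_packets()
    counts = [c for c, _ in to_second_level(pkts)]
    rule = fit_window_interval(counts[:30], window=5)   # first 30 s = normal training set
    flags = ci_detect(counts, rule, window=5)
    ents = sliding_source_entropy(pkts, window=5)
    print("interval for a 5 s window mean: %.2f .. %.2f pkt/s" % rule)
    for t, (flag, ent) in enumerate(zip(flags, ents)):
        print("window %2d: mean=%7.1f pkt/s  src-entropy=%.2f bit  %s"
              % (t, mean(counts[t:t + 5]), ent, "ATTACK" if flag else "normal"))
```

The interval is fitted on the first 30 seconds only, which stand in for the normal training set; every window whose mean leaves it is flagged, and the source entropy rises from under 1 bit (two devices) to log2(20) bits during the flood. Note the direction: a distributed flood raises source entropy while a single-source flood lowers it, so the change relative to the normal baseline, not a fixed threshold, is the useful signal.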

CLC number:

  • TP309

Figure 1 Structure of the traffic collection platform in the IoT simulation environment

Figure 2 Structure of the IoT experiment box

Table 1 Parameters of the simulated attack traffic

| Attack                  | Traffic generation tool          | Docker containers | Duration/s | Rate/(times·s⁻¹) |
|-------------------------|----------------------------------|-------------------|------------|------------------|
| TCP ACK flood           | Mirai botnet simulation software | 20                | 10         | 30               |
| TCP SYN flood           | Mirai botnet simulation software | 20                | 10         | 30               |
| HTTP GET flood          | Mirai botnet simulation software | 20                | 120        | 3                |
| Slow HTTP header attack | SlowHTTPTest tool                | 20                | 120        | 3                |

Figure 3 Relationship between the datasets of different levels

Table 2 Description of the second-level dataset in the IoT simulation environment

| Class                        | Training samples | Training collection time/s | Test samples | Test collection time/s |
|------------------------------|------------------|----------------------------|--------------|------------------------|
| Slow HTTP header attack      | 325              | 879                        | 263          | 707                    |
| TCP SYN flood                | 126              | 181                        | 64           | 185                    |
| TCP ACK flood                | 66               | 239                        | 78           | 262                    |
| HTTP GET flood               | 215              | 364                        | 157          | 375                    |
| Manual operation (normal)    | 510              | 1616                       | 386          | 1715                   |
| IoT experiment box (normal)  | 551              | 1344                       | 451          | 1006                   |

Table 3 Overall description of the datasets in the IoT simulation environment

| Dataset      | Training normal samples | Training abnormal samples | Test normal samples | Test abnormal samples |
|--------------|-------------------------|---------------------------|---------------------|-----------------------|
| Packet-level | 23 136                  | 122 236                   | 31 428              | 122 958               |
| Second-level | 1 061                   | 732                       | 837                 | 562                   |

Figure 4 Flow chart of statistics-based abnormal traffic detection

Figure 5 Comparison of Hurst values of the 20 features for different traffic classes in the second-level training set

Figure 6 Comparison of Hurst values of the 5 most important features for different traffic classes in the second-level training set

Figure 7 Comparison of Hurst values of the 5 most important features for different traffic classes in the second-level test set

Figure 8 Comparison of Hurst values of the 5 most important features in the second-level training set with a time window of 20

Figure 9 Comparison of Hurst values of the 5 most important features in the second-level test set with a time window of 20

Figure 10 Comparison of sliding-window entropy of different features in the second-level training set

Figure 11 Comparison of sliding-window entropy of different features in the second-level test set

Figure 12 Prediction accuracy of the sliding-window confidence-interval abnormal traffic detection algorithm on the second-level training set

Figure 13 Prediction accuracy of the sliding-window confidence-interval abnormal traffic detection algorithm for different window sizes

Figure 14 Prediction accuracy of the sliding-window confidence-interval abnormal traffic detection algorithm for different confidence levels

Figure 15 Prediction accuracy of the sliding-window confidence-interval abnormal traffic detection algorithm on the second-level test set
