Junjiang He, Wenbo Fang, Xiaolong Lan, Geying Yang, Ziyu Chen, Yang Chen, Tao Li, Jiangchuan Chen
{"title":"基于改进型随机森林的高效防御系统可抵御应用层 DDoS 攻击","authors":"Junjiang He, Wenbo Fang, Xiaolong Lan, Geying Yang, Ziyu Chen, Yang Chen, Tao Li, Jiangchuan Chen","doi":"10.1155/2024/9044391","DOIUrl":null,"url":null,"abstract":"<div>\n <p>Application-layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application-layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application-layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application-layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application-layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.</p>\n </div>","PeriodicalId":14089,"journal":{"name":"International Journal of Intelligent Systems","volume":"2024 1","pages":""},"PeriodicalIF":5.0000,"publicationDate":"2024-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1155/2024/9044391","citationCount":"0","resultStr":"{\"title\":\"Efficient Based on Improved Random Forest Defense System Against Application-Layer DDoS Attacks\",\"authors\":\"Junjiang He, Wenbo Fang, Xiaolong Lan, Geying Yang, Ziyu Chen, Yang Chen, Tao Li, Jiangchuan Chen\",\"doi\":\"10.1155/2024/9044391\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div>\\n <p>Application-layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application-layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application-layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application-layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application-layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.</p>\\n </div>\",\"PeriodicalId\":14089,\"journal\":{\"name\":\"International Journal of Intelligent Systems\",\"volume\":\"2024 1\",\"pages\":\"\"},\"PeriodicalIF\":5.0000,\"publicationDate\":\"2024-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://onlinelibrary.wiley.com/doi/epdf/10.1155/2024/9044391\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Intelligent Systems\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://onlinelibrary.wiley.com/doi/10.1155/2024/9044391\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Intelligent Systems","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1155/2024/9044391","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}
引用次数: 0
摘要
应用层分布式拒绝服务(DDoS)攻击已成为网络服务器安全的主要威胁。由于应用层 DDoS 攻击具有较强的隐蔽性和较高的真实性,单纯依靠判断客户端真实性的入侵检测技术无法准确检测出此类攻击。此外,应用层 DDoS 攻击具有周期性和重复性的特点,攻击目标会在短时间内突然出现。在本研究中,我们提出了一种基于改进随机森林的高效应用层 DDoS 检测系统。首先,对网络日志进行预处理,提取用户会话特征。随后,我们提出了基于分离和聚合的会话识别(SISA)方法,以准确捕捉用户会话。最后,我们提出了一种基于特征加权的改进型随机森林分类算法,以解决特征数量增加导致随机森林算法计算时间延长的问题,而且随着特征维度的增加,可能会出现没有子特征与待分类类别相关的情况。更重要的是,我们将请求源 IP 与威胁情报库中的恶意 IP 进行比较,以应对应用层 DDoS 攻击的周期性和重复性。我们对公开的网络日志数据集和实验室的威胁情报数据库以及在实验室环境中模拟生成的攻击日志数据集进行了综合实验。实验结果表明,所提出的检测系统能将误报率和误报率控制在合理范围内,进一步提高了检测效率,检测率达到 99.85%。在二次攻击检测实验中,我们提出的检测方法在更短的时间内实现了更高的检测率。
Efficient Based on Improved Random Forest Defense System Against Application-Layer DDoS Attacks
Application-layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application-layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application-layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application-layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application-layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.
期刊介绍:
The International Journal of Intelligent Systems serves as a forum for individuals interested in tapping into the vast theories based on intelligent systems construction. With its peer-reviewed format, the journal explores several fascinating editorials written by today''s experts in the field. Because new developments are being introduced each day, there''s much to be learned — examination, analysis creation, information retrieval, man–computer interactions, and more. The International Journal of Intelligent Systems uses charts and illustrations to demonstrate these ground-breaking issues, and encourages readers to share their thoughts and experiences.