|
- 2015
MF-HMM Model Based on Multi-Dimensional Observation Features for Recognizing New LDoS-Driven Highly Distributed Low-Rate QoS Violations
Abstract: To detect the new highly distributed, low-rate QoS violations driven by LDoS attacks and to guarantee high network QoS, a novel recognition scheme is proposed that considers multiple network features at both the micro and macro levels. At the micro level, a weighted sum of the FLAG control bits is used to describe internal micro-changes in the TCP packet header, and the power spectral density (PSD) feature of the I-I-P triple is calculated to reflect the inherent periodicity of LDoS attacks. At the macro level, the R feature is introduced to mark changes in the ratio of sent_flow to received_flow. Together these features constitute multi-dimensional observation state sequences, which form the input to a multi-stream fused hidden Markov model (MF-HMM). The MF-HMM is applied to recognize QoS violations automatically. In addition, the Kaufman algorithm is used to dynamically adjust and update the threshold value. Experiments showed that the approach effectively reduces the false-positive rate and the false-negative rate in recognition. Moreover, it has an especially high recognition rate for new highly distributed, low-rate QoS violations driven by LDoS, even in complex background network traffic.
|