Distributed denial of service (DDoS) attacks are the most common form of cyberattack against infrastructure, and detection is the first step in combating them. Current DDoS detection mainly relies on improving or fusing machine learning and deep learning methods to improve classification performance. However, most classifiers are trained with statistical flow features as input, ignoring topological connection changes. This one-sidedness affects the detection accuracy and cannot provide a basis for the distribution of attack sources for defense deployment. In this study, we propose a topological and flow feature-based deep learning method (GLD-Net), which simultaneously extracts flow and topological features from time-series flow data and exploits a graph attention network (GAT) to mine correlations between non-Euclidean features to fuse flow and topological features. The long short-term memory (LSTM) network connected behind the GAT obtains the node neighborhood relationship, and the fully connected layer is utilized to achieve feature dimension reduction and traffic type mapping. Experiments on the NSL-KDD2009 and CIC-IDS2017 datasets show that the detection accuracy of the GLD-Net method for two classifications (normal and DDoS flow) and three classifications (normal, fast DDoS flow, and slow DDoS flow) reaches 0.993 and 0.942, respectively. Compared with the existing DDoS attack detection methods, its average improvement is 0.11 and 0.081, respectively. In addition, the correlation coefficient between the detection accuracy of attack flow and the four source distribution indicators ranges from 0.7 to 0.83, which lays a foundation for the inference of attack source distribution. Notably, we are the first to fuse topology and flow features and achieve high-performance DDoS attack intrusion detection through graph-style neural networks. This study has important implications for related research and development of network security systems in other fields.
In this paper, we present improved meet-in-the-middle key-recovery attacks on six-round and seven-round Feistel constructions separately. The attacks are based on Guo et al.'s work, which appends one round to the five-round distinguisher to attack the six-round Feistel construction through the meet-in-the-middle method. The proposed method stores only target sequences instead of all the possible sequences, which reduces the memory complexity from $2^{(3/4)n}$ blocks to $2^{n/2}$ blocks. A new key-recovery attack method on the seven-round Feistel construction is proposed by appending another round after a five-round distinguisher. Moreover, we propose a new method called the impossible-differential pairs sieve technique, which reduces the data complexity from $2^{n}$ chosen plaintexts to $3 \times 2^{n-2}$ chosen plaintexts so that the attack complexity is lower than the exhaustive attack. The time complexity is equivalent to about $3 \times 2^{n-2}$ encryptions, and the memory complexity is optimized to $2^{(3/4)n}$ blocks of $2^{n/2}$ bits. To the best of our knowledge, it is the first known generic key-recovery attack on the seven-round Feistel construction with a lower attack complexity when compared with the exhaustive attack. Index terms: meet-in-the-middle, key-recovery attack, 7-round Feistel constructions.