Distributed denial of service (DDoS) attacks are the most common means of cyberattacks against infrastructure, and detection is the first step in combating them. The current DDoS detection mainly uses the improvement or fusion of machine learning and deep learning methods to improve classification performance. However, most classifiers are trained with statistical flow features as input, ignoring topological connection changes. This one-sidedness affects the detection accuracy and cannot provide a basis for the distribution of attack sources for defense deployment. In this study, we propose a topological and flow feature-based deep learning method (GLD-Net), which simultaneously extracts flow and topological features from time-series flow data and exploits graph attention network (GAT) to mine correlations between non-Euclidean features to fuse flow and topological features. The long short-term memory (LSTM) network connected behind GAT obtains the node neighborhood relationship, and the fully connected layer is utilized to achieve feature dimension reduction and traffic type mapping. Experiments on the NSL-KDD2009 and CIC-IDS2017 datasets show that the detection accuracy of the GLD-Net method for two classifications (normal and DDoS flow) and three classifications (normal, fast DDoS flow, and slow DDoS flow) reaches 0.993 and 0.942, respectively. Compared with the existing DDoS attack detection methods, its average improvement is 0.11 and 0.081, respectively. In addition, the correlation coefficient between the detection accuracy of attack flow and the four source distribution indicators ranges from 0.7 to 0.83, which lays a foundation for the inference of attack source distribution. Notably, we are the first to fuse topology and flow features and achieve high-performance DDoS attack intrusion detection through graph-style neural networks. This study has important implications for related research and development of network security systems in other fields.
Existing correlation processing strategies make up for the defect that most evaluation algorithms do not consider the independence between indicators. However, these solutions may change the indicator system’s internal connection, affecting the final evaluation result’s interpretability and accuracy. Besides, traditional independent analysis methods cannot accurately describe the complex multivariate correlation based on the linear relationship. Aimed at these problems, we propose an indicators correlation elimination algorithm based on the feedforward neural network and Taylor expansion (NNTE). Firstly, we propose a generalized n-power correlation and a feedforward neural network to express the relationship between indicators quantitatively. Secondly, the low-order Taylor expression expanded at every sample is pointed to eliminate nonlinear relationships. Finally, to control the expansions’ accuracy, the layer-by-layer stripping method is presented to reduce the dimensionality of the correlations among multiple indicators gradually. This procedure continues to iterate until there are all simple two-dimensional correlations, eliminating multiple variables’ correlations. To compare the elimination efficiency, the ranking accuracy is proposed to measure the distance of the resulting sequence to the benchmark sequence. Under Cleveland and KDD99 two datasets, the ranking accuracy of the NNTE method is 71.64% and 96.41%, respectively. Compared with other seven common elimination methods, our proposed method’s average increase is 13.67% and 25.13%, respectively.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.