Computer Engineering and Applications ›› 2019, Vol. 55 ›› Issue (20): 73-79.DOI: 10.3778/j.issn.1002-8331.1808-0246

Previous Articles     Next Articles

Detection of Application Layer DDoS Based on BP Neural Network

JING Hongfei, ZHANG Kun, CAI Bing, YU Longhua   

  1. 1.School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
    2.Network Security Service, Jiangsu Sub Center of the National Internet Emergency Center, Nanjing 210003, China
  • Online:2019-10-15 Published:2019-10-14



  1. 1.南京理工大学 计算机科学与工程学院,南京 210094
    2.国家计算机网络应急技术处理协调中心江苏分中心 网络安全处,南京 210003

Abstract: CC(Challenge Collapsar) attack uses proxy servers or zombie hosts to send a large number of http requests to the server by simulating the user’s normal access to the page, causing server resources to be exhausted and implementing application layer DDoS. Some progress has been made in the detection of CC attacks. However, since the CC attack simulates the normal access of the user, the characteristics of the normal web page access are similar, which makes the attack identification difficult and high false positive rate. According to the characteristics of CC attack, combining packet rate, URL information entropy and URL conditional entropy, a CC attack detection algorithm based on BP neural network is put forward. Experimental results in the real network environment prove that the model can accurately identify normal traffic and CC attack traffic for small and medium-sized websites, and has relatively accurate detection results for large websites.

Key words: Challenge Collapsar(CC) attack, Distributed Denial-of-Service(DDoS), attack detection, neural network

摘要: CC(Challenge Collapsar)攻击通过模拟用户正常访问页面的行为,利用代理服务器或僵尸主机向服务器发送大量http请求,造成服务器资源耗尽,实现应用层DDoS。目前,对于CC攻击的检测已经取得了一些进展,但由于CC攻击模拟用户正常访问页面,与正常网页访问特征较为相似,导致攻击识别较为困难,且误报率较高。根据CC攻击的特点,结合包速率、URL信息熵、URL条件熵三种有效特征,提出一种基于误差逆向传播(Back Propagation,BP)神经网络的CC攻击检测算法。在真实网络环境中的实验结果证明,该模型对中、小型网站能准确地识别正常流量与CC攻击流量,对大型网站也有较为准确的检测结果。

关键词: CC攻击, 分布式拒绝服务(DDoS), 攻击检测, 神经网络