| 摘要: | 隨著通訊科技不斷進步與創新,現代人類生活上已離不開電子通訊產品,不斷追求連網的便利及發展應用服務的商機,在物聯網興起後許多物品都實現了具備連網的能力,然而許多通訊裝置製造商並未重視其產品的安全性,數十億台物聯網週邊裝置潛藏安全漏洞,尤其近年來駭客頻頻利用韌體漏洞入侵多數監視器設備,對外發動分散式阻斷服務攻擊(DDoS),造成對互聯網的嚴重威脅,尤其近年來多數國內金融業、證券業及政府網站經常遭遇DDoS攻擊威脅,駭客藉此勒索受害者支付贖金否則癱瘓其交易系統運作,影響輕則造成系統短暫癱瘓,重則可能導致客戶信心流失而轉向至其他業者,將產生難以估計的損失,故資安的重要性已成為不可忽略的議題。
DDoS攻擊手法日新月異,攻擊流量規模也不斷創新高,目前主要的檢測技術趨勢都是關注在整體網路流量變化,但若碰到高頻率小封包的DDoS攻擊,從網路流量上是無法察覺出明顯異樣,導致使用基於流量的檢測技術無法偵測到DDoS攻擊發生,但實際已造成終端網路設備服務異常。
過去有部分研究使用傳統基於熵的方式來偵測DDoS攻擊,判斷式的閥值可分為固定及動態兩種方式,其中固定閥值需要隨著用戶使用情境而不斷進行人工調整,無法自適應網路使用狀況,而動態閥值需靠平均值及標準差等方式自適應更新閥值,在網路環境變動較大的環境容易造成誤判。
而本研究中主要利用熵值(Entropy)的特性,分析不同時間點的flow分佈,並提出了基於非監督式機器學習的方式,透過正常訓練集樣本去學習一個決策邊界,提供一個有效的Anomaly Detection模組,並改善傳統動態閥值DDoS偵測容易因網路環境變化,導致熵值震盪進而造成誤判的情形,以達到本研究嘗試改善偵測誤判率之目的。
;Along with swift development of science and communication technology, people are inseparable from electronic communication products nowadays, continuously pursuing the convenience of networking and business opportunities for developing application services. After the rise of the Internet of Things, many devices are able to connect to the Internet. However, many communication device manufacturers have not paid attention to the security of their products. Billions of IoT peripherals have hidden security loopholes. Hackers can steal data or launch distributed denial-of-service (DDoS) attacks through loopholes, cause serious threats to the Internet. Especially in recent years, financial and securities companies have encountered the threat of DDoS attacks. Hackers threaten companies to pay ransoms, otherwise they will paralyze the services. In the worst case, it may lead to the loss of customer confidence and transfer to other business competitors, resulting in inestimable losses. Therefore, the importance of information security has become an issue that cannot be ignored.
DDoS attack is getting stronger and the scale of traffic is increasing. The detection techniques are mainly focused on network flow. It is difficult to detect significant DDoS attacks by using traffic-based detection technology if encountering small packets and a high Packet rate. As a result, traffic-based detection technology cannot detect DDoS attacks, but it has actually caused abnormal service of terminal network equipment.
In the past, some researchers used the traditional entropy-based measure to detect DDoS attacks. The detection threshold was divided into fixed and dynamic. The fixed threshold needed to be adjusted according to user’s network scenarios, and couldn’t be adjusted automatically. The dynamic threshold requires to be adaptively updated by means and deviation, in the environment where the network traffic changed greatly, it was difficult to maintain the detection rate.
In this paper, the characteristics of Entropy are used to describe the flow distribution at different times. We propose a method based on unsupervised machine learning which learns a decision boundary through normal training dataset, provides an effective Anomaly Detection module. The purpose of this study is to improve detection rate and provide a feasible solution that can achieve a good accuracy DDoS detection method. |
