Efficient DDoS detection and defense method and system suitable for industrial internet of things
By employing a caching mechanism combining LRU and RB ring buffers and the EMA exponential smoothing method in the Industrial Internet of Things (IIoT), along with a high-performance random forest classification model, the shortcomings of traditional DDoS detection methods in terms of detection speed, resource consumption, and adaptability are addressed. This enables efficient identification and defense against multiple types of DDoS attacks and is suitable for resource-constrained industrial equipment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ZHEJIANG UNIV
- Filing Date
- 2025-09-10
- Publication Date
- 2026-07-10
AI Technical Summary
Traditional DDoS detection methods suffer from slow detection speed, high resource consumption, poor adaptability, and difficulty in engineering application in the Industrial Internet of Things, making it difficult to effectively cope with complex and ever-changing attack patterns.
A caching mechanism combining LRU and RB circular buffers is adopted, and EMA exponential smoothing is used to dynamically update the features of quintuples and triples. Feature extraction and classification are performed through a high-performance random forest classification model. Combined with fragment field integrity verification and packet feature information conflict determination, a fused feature set is formed and feature filtering is performed to optimize the input dimension of the classification model.
It enables real-time and efficient feature extraction and updating of high-concurrency data streams in the Industrial Internet of Things, significantly improving the identification accuracy and robustness of multiple types of DDoS attacks, reducing system power consumption, adapting to rapid migration and expansion in different industrial scenarios, and meeting the deployment needs of resource-constrained environments.
Smart Images

Figure CN121077771B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and in particular to an efficient DDoS (Distributed Denial of Service) detection and defense method and system suitable for industrial Internet of Things (IoT) environments. Background Technology
[0002] The rapid development of the Industrial Internet of Things (IIoT) has brought about highly automated industrial systems, but it has also exposed these systems to new security challenges, especially DDoS attacks. DDoS attacks send massive amounts of malicious traffic to target devices, exhausting their resources and disrupting services, thereby threatening the reliability and security of industrial systems. Against this backdrop, traditional DDoS detection methods, which rely on static rules and predefined features, are increasingly showing their inadequacy in adapting to complex attack environments.
[0003] First, these traditional methods suffer from a significant disadvantage in detection speed. Industrial IoT scenarios demand extremely low latency and real-time performance, while static rule-based detection methods often lag behind changes in attacks, failing to quickly identify and respond to threats. Furthermore, with the diversification and hybridization of attack patterns, traditional methods frequently exhibit high false positive and false negative rates when facing complex attacks, making it difficult to effectively guarantee system security.
[0004] Secondly, high resource consumption also restricts the application of traditional detection algorithms. Industrial equipment is typically resource-constrained, and complex detection algorithms require substantial computational resources, making them difficult to deploy practically in these devices. Although recent research combining data-driven models with traditional methods has brought some breakthroughs in this field, these solutions still face bottlenecks in practical applications. Feature extraction efficiency is low, and model inputs often contain a large amount of redundant data, limiting detection efficiency. Furthermore, the complexity of classification algorithms, such as deep neural networks or support vector machines, and their high computational overhead contradict the low-latency requirements of industrial environments.
[0005] Furthermore, current solutions generally suffer from shortcomings in engineering applications, lacking modular design and making efficient migration and reuse difficult. The diversity and complexity of the Industrial Internet of Things (IIoT) require detection systems to be highly adaptable, but many existing methods are difficult to deploy and have limited application scope.
[0006] Therefore, the Industrial Internet of Things (IIoT) urgently needs a new DDoS detection method and system. This system needs to combine efficient statistical feature extraction and optimized classification algorithms to improve detection accuracy while also meeting the requirements for low latency and engineering deployment. By improving the system's real-time performance, adaptability, and modularity, such a solution can not only effectively cope with complex and ever-changing attack patterns but also achieve widespread application in real-world industrial scenarios, truly safeguarding the security of the IIoT. Summary of the Invention
[0007] In view of this, the present invention provides an efficient DDoS detection and defense method and system suitable for industrial Internet of Things, which overcomes the limitations of traditional methods in terms of real-time performance, adaptability and engineering application, and can achieve efficient detection and defense against multiple types of DDoS attacks.
[0008] According to a first aspect of the present invention, a DDoS detection and defense method suitable for the Industrial Internet of Things is provided, comprising:
[0009] Obtain the network packet data to be detected;
[0010] From the network packet data to be detected, using source IP, destination IP, source port, destination port and protocol type as a 5-tuple, statistical features such as the lifespan of the 5-tuple network flow, packet size, forward and reverse packet ratio, packet transmission interval, data containing instructions, and protocol type changes are extracted to obtain the first feature set;
[0011] From the network packet data to be detected, using source IP, source port, and protocol type as triples, statistical features such as the network flow lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data containing instructions, and protocol type changes are extracted to obtain the second feature set;
[0012] Perform fragmentation field integrity verification and packet feature information conflict determination on the detected network packet data to obtain a packet feature verification feature set;
[0013] The first feature set, the second feature set, and the packet feature verification feature set are merged to form a fused feature set;
[0014] The fused feature set is filtered to obtain the target feature set;
[0015] The target feature set is input into a random forest classification model to obtain a classification result, which indicates whether the network traffic is a DDoS attack and its attack type.
[0016] Based on the classification results, output defense commands.
[0017] According to a second aspect of the present invention, a DDoS detection and defense device suitable for industrial Internet of Things is provided, comprising:
[0018] The acquisition module is used to acquire network packet data to be detected;
[0019] The first feature set module is used to extract statistical features from the network packet data to be detected, using source IP, destination IP, source port, destination port and protocol type as a five-tuple, such as the survival time of the five-tuple network flow, packet size, ratio of forward and reverse packets, packet transmission interval, data containing instructions and protocol type changes, to obtain the first feature set;
[0020] The second feature set module is used to extract statistical features from the network packet data to be detected, using source IP, source port, and protocol type as triples, such as the network flow's lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data containing instructions, and protocol type changes, to obtain the second feature set.
[0021] The packet feature verification feature set module is used to perform fragmentation field integrity verification and packet feature information conflict determination on the detected network packet data to obtain the packet feature verification feature set.
[0022] The feature set fusion module is used to fuse the first feature set, the second feature set and the packet feature verification feature set to form a fused feature set;
[0023] The target feature set module is used to perform feature filtering on the fused feature set to obtain the target feature set;
[0024] The classification module is used to input the target feature set into a random forest classification model to obtain a classification result, which indicates whether the network traffic is a DDoS attack and its attack type.
[0025] The defense output module is used to output defense commands based on the classification results.
[0026] According to a third aspect of the present invention, an electronic device is provided, including one or more processors and a memory; when a program stored in the memory is executed by the processor, the processor causes the processor to implement the method described in the first aspect.
[0027] According to a fourth aspect of the present invention, a computer-readable storage medium is provided having computer instructions stored thereon, which, when executed by a processor, cause the processor to perform the method described in the first aspect.
[0028] The technical solutions provided by the embodiments of this application may include the following beneficial effects:
[0029] This application adopts a caching mechanism based on LRU and circular buffer RB, and combines EMA exponential smoothing to dynamically update the features of quintuples and triplets. This overcomes the problems of lag in statistical feature updates and low memory management efficiency in traditional methods, thereby realizing real-time and efficient feature extraction and updating of high-concurrency data streams in the Industrial Internet of Things.
[0030] The system performs verification on the integrity of network fragmentation fields and uses a five-tuple conflict determination method to specifically identify teardrop and land attacks. This overcomes the blind spot of conventional detection being unable to identify complex fragmentation collaborative attacks, thereby significantly improving the system's accuracy and robustness in identifying multiple types of DDoS attacks.
[0031] By performing feature filtering on the fused feature set to obtain the target feature set, the problem of excessive redundant features leading to model overfitting and heavy computational burden is overcome. This optimizes the input dimension of the classification model and improves detection efficiency and prediction accuracy.
[0032] By adopting a high-performance random forest classification model as the core detection engine, the limitations of deep learning solutions, such as computational complexity and large response latency, are overcome. Thus, in the industrial IoT environment with high bandwidth, low latency and low computing power, a detection rate of no less than 800 ns / s is achieved, while ensuring an accuracy, precision, recall and F1 score of over 99%.
[0033] This invention boasts high adaptability and reusability. Its modular architecture supports rapid migration and expansion to different industrial scenarios, adapting to complex attack patterns including teardrop attacks and land attacks, and meeting detection needs across various scenarios. Furthermore, this system fully considers resource consumption in engineering applications, employing optimized feature processing techniques and efficient classification algorithms. While maintaining high detection accuracy and real-time performance, it significantly reduces system power consumption, making it suitable for deployment in resource-constrained industrial IoT devices. The solution provided by this invention can offer strong technical support for cybersecurity in fields such as industrial automation, smart grids, and intelligent manufacturing. Attached Figure Description
[0034] Figure 1 This is a flowchart illustrating a DDoS detection and defense method suitable for the Industrial Internet of Things, according to an exemplary embodiment.
[0035] Figure 2 This is a logical diagram illustrating the LRU (Least Recently Used) and RB (Ring Buffer) caching mechanism according to an exemplary embodiment.
[0036] Figure 3 This is a diagram illustrating the classification test results according to an exemplary embodiment.
[0037] Figure 4 This is a block diagram illustrating a DDoS detection and defense system suitable for the Industrial Internet of Things, according to an exemplary embodiment. Detailed Implementation
[0038] This application relates to a network traffic attack detection method based on feature extraction and optimization, and its implementation. To more clearly illustrate the embodiments of this invention, the following description is in conjunction with the appendix. Figure 1 Please provide a detailed explanation.
[0039] Figure 1 This is a flowchart illustrating a DDoS detection and defense method suitable for the Industrial Internet of Things, according to an exemplary embodiment. Figure 1 As shown, the method may include the following steps:
[0040] S1: Obtain network packet data to be detected;
[0041] Specifically, due to the high concurrency of network data packets and the high real-time requirements for DDoS attack identification, this invention employs a DPDK module to extract scattered key information from the original Ethernet frames and organize it into structured features for rapid use by subsequent forwarding, filtering, metering, monitoring, or machine learning logic. It also extracts corresponding features such as timestamps, packet sizes, protocol types, and payload sizes. This design accurately acquires basic data, ensuring the reliability of subsequent feature extraction.
[0042] S2: From the network packet data to be detected, using source IP, destination IP, source port, destination port, and protocol type as a 5-tuple, extract statistical features of the network flow's lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data inclusion instructions, and protocol type changes to obtain the first feature set; this step includes the following sub-steps:
[0043] S21: Perform classification statistics based on the five-tuple of source IP, destination IP, source port, destination port and protocol type, and search for the statistical characteristics of the five-tuple in the RING_LRU caching mechanism. The statistical characteristics include lifespan, packet size, forward and reverse packet ratio, packet sending interval, data inclusion instruction, and protocol type change.
[0044] Specifically, since attack identification schemes based on single data packets lack reliability, it is necessary to statistically analyze them into network flow characteristics with certain time-domain information. This primarily involves extracting statistical features from the traffic, including source IP, destination IP, source port, destination port, and protocol type. These features comprehensively describe the core attributes of each traffic stream and form the basis for attack detection. To improve extraction efficiency, an LRU (Least Recently Used) and RB (Ring Buffer) caching mechanism is introduced to dynamically store recently accessed features. When new traffic arrives, the module automatically updates the cache, evicting the least recently used features. This mechanism significantly reduces memory overhead while minimizing computational redundancy.
[0045] Figure 2 This is a logical diagram illustrating the LRU (Least Recently Used) and RB (Ring Buffer) caching mechanism according to an exemplary embodiment. In this caching mechanism, whenever a new network stream arrives, it is first quickly written into the Ring Buffer—this structure can handle massive amounts of new streams with a fixed and extremely low time overhead, and uses the natural "rotation" of pointers to automatically evict older streams. To avoid mistakenly deleting frequently accessed but long-lived "hot" streams, we introduce a doubly linked list cache based on Least Recently Used (LRU) in addition to the Ring Buffer: only when a stream is accessed multiple times in the Ring Buffer and exceeds a preset inactivity time threshold will it be "degraded" and moved into the LRU cache, ensuring that subsequent updates to it remain efficient; while for streams that are consistently accessed infrequently or have already ended, they will be directly overwritten or deleted when the ring buffer pointer rotates back, thus eliminating the need for additional cleanup overhead. This design balances the ultimate write performance for new streams with the fine-grained management of active streams through the LRU strategy. This improves the system's accuracy in tracking hot streams and automatically reclaims resources on inactive streams, ensuring high efficiency and stability in overall processing.
[0046] Figure 2 It includes several sub-processes, as described below:
[0047] Hash indexes (Hash_table) are used to create indexes based on unique keys of a stream (such as quintuples / triples); they receive key-value mappings returned by the circular buffer and the LRU buffer to enable fast location and lookup.
[0048] The stream information writing section is used to receive newly arrived network stream information and, according to the writing strategy, first put it into the current write position of the circular buffer; at the same time, it updates the corresponding entry in the hash index table.
[0049] The circular buffer management section (RING_BUFFER) is used to maintain a fixed-size circular queue, which is used cyclically in sequence (e.g., 0 to 7); it controls the direction of queue growth and the movement of the write pointer; and it temporarily stores and quickly evicts short-lived or low-activity streams.
[0050] The short-lived stream recording section (short-lived stream 1, short-lived stream 2, etc.) is used to record information about newly created or short-lived streams that have only been accessed a few times within the circular buffer; when this interval is overwritten by the next round of writing, inactive streams are automatically deleted.
[0051] The inactive stream overwrite deletion function is used to overwrite and clear streams that have not been accessed for a long time when the write pointer rolls back in the circular buffer, in order to free up space.
[0052] The timeout-based degradation function is used to degrade or migrate short-lived streams from the circular buffer to the long-lived stream buffer, or to directly evict them, when a short-lived stream is not accessed again within the timeout threshold.
[0053] The multiple access update function is used to monitor the re-access events of a stream; when a stream is detected to have been accessed multiple times, it is triggered to migrate / promote from the circular buffer to the LRU buffer, and the corresponding access count and timestamp are updated.
[0054] The LRU buffer management section (LRU_BUFFER) is used to store stream records that are determined to be long-term active or require continuous monitoring; it maintains the list order using the Least Recently Used (LRU) policy and supports moving nodes to maintain the "most recently accessed first" update order.
[0055] The long-running stream linked list (long-running stream 1, long-running stream 2, long-running stream 3, long-running stream 4, ...) is used to organize long-running stream records in the form of a linked list; each time it is accessed, the corresponding node is moved to the head of the linked list to maintain the order of updates; when space is insufficient, the least visited stream is removed from the tail of the linked list.
[0056] S22: The statistical features are dynamically updated using the EMA exponential smoothing method to obtain the first feature set;
[0057] Specifically, to further improve the data stream feature extraction rate, we adopted the EMA exponential smoothing method. By updating statistical features in real time, we improved the adaptability to dynamic traffic changes and dynamically calculated the statistical features of relevant data streams, obtaining the first feature set; the calculation formula is as follows:
[0058]
[0059] in Smoothing coefficient , For time t Values, Let be the observation value at time t. For time t-1 Value selection. This method ensures a rapid response to sudden traffic spikes and improves detection accuracy.
[0060] S3: From the network packet data to be detected, using source IP, source port, and protocol type as triples, extract statistical features of the network flow's lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data inclusion instructions, and protocol type changes to obtain a second feature set; this step includes the following sub-steps:
[0061] S31: Based on the five-tuple of source IP, source port, and protocol type, search for the statistical characteristics of the three-tuple in the RING_LRU cache mechanism; the statistical characteristics include lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data inclusion instruction, and protocol type change;
[0062] Specifically, because some attacks frequently change IPs, feature extraction from the same source IP becomes less meaningful. While the source IPs of these attacks vary, the targets remain the same. To address these attacks, we extracted network flow feature information based solely on the source and target. This extraction also employs a RING_LRU caching mechanism to optimize the feature extraction process, automatically updating the cache when new traffic arrives and evicting the least recently used entries. This design is the same as S21.
[0063] S32: The statistical features are dynamically updated using the EMA exponential smoothing method to obtain the second feature set;
[0064] Specifically, to further improve the data stream feature extraction rate, this part also incorporates the EMA exponential smoothing method. By updating statistical features in real time, a second feature set is obtained, simultaneously improving adaptability to dynamic traffic changes. The EMA exponential smoothing method ensures that the feature update frequency matches the sensitivity to real-time traffic changes, thus enabling rapid response to sudden traffic anomalies. The calculation formula is the same as in S22.
[0065] S4: Perform fragmentation field integrity verification and packet feature information conflict determination on the detected network packet data to obtain a packet feature verification feature set; this step includes the following sub-steps:
[0066] S41: Perform fragmentation field integrity verification on the detected network packet data, and extract the feature information of the fragmented packets in response to TearDrop attacks;
[0067] Specifically, network attacks are diverse, ranging from DDoS attacks that rely on sheer volume to other attacks that exploit vulnerabilities in the protocol itself. To counter these attacks, we identify fragmented data with abnormal offsets or malicious overlaps by verifying the integrity of the IP fragmentation field and the offset of fragmented packets (i.e., the characteristic information of fragmented packets). This verification enhances the detection capability of fragmentation attacks such as TearDrop attacks and effectively reduces the false negative rate.
[0068] S42: Perform packet feature information conflict determination on the detected network packet data to extract feature information for identifying LandAttack attacks;
[0069] Specifically, for some simple attacks, such as LandAttack attacks, the principle is mainly to send data packets with the same IP address and port to cause machine confusion. We can directly perform verification and filtering. By detecting whether there are conflicts in the five-tuple characteristics (source IP and destination IP, source port and destination port), and combining this with the abnormal frequency of data packets within the time window, we can determine the attack behavior.
[0070] S43: Merge the above feature information to obtain the package feature verification feature set;
[0071] For some complex attacks, it is often necessary to extract packet features for more detailed subsequent review. At the same time, these features can be flexibly combined to adapt to the needs of different application scenarios. The previous data flow features complement each other to enhance the reliability of the system.
[0072] S5: Merge the first feature set, the second feature set, and the packet feature verification feature set to form a fused feature set;
[0073] Specifically, the first feature set, the second feature set, and the packet feature verification feature set are fused together, and highly correlated features are arranged together, such as the statistical features of the sending time intervals belonging to the same five-tuple are spliced together. The principle of locality is used to further accelerate the inference time of the model, resulting in a fused feature set to be input to the model, totaling 426 features.
[0074] S6: Perform feature filtering on the fused feature set to obtain the target feature set; this step includes the following sub-steps:
[0075] S61: Calculate the Pearson correlation coefficient for the fused feature set and delete redundant features with a correlation coefficient greater than a preset threshold;
[0076] Specifically, due to the large number of extracted features, the insufficient computing power of industrial equipment, and the high timeliness of DDoS attack identification, feature filtering is necessary to improve speed. We first calculate the Pearson correlation coefficient between features to generate a correlation matrix, which is used to identify highly redundant features. For features with a correlation coefficient higher than a set threshold (e.g., 0.9), we retain one and delete the rest to reduce feature dimensionality. This operation helps the system filter out irrelevant features, reducing system complexity without affecting system capabilities.
[0077] S62: Score the importance of the Random Forest algorithm and select the target feature set based on the score;
[0078] Specifically, in the initially screened feature set, the importance of features is evaluated using the random forest algorithm. Multiple decision trees are generated through random sampling, and the importance of each feature is scored and ranked. The top 50 features are selected as the final input. Testing showed that reducing the feature dimension from over 460 to 50 reduced the model's computational complexity by more than 70%, while improving classification accuracy by approximately 5%–10%. The feature filtering module aims to further refine high-quality features through algorithm optimization, providing more reliable input data for subsequent classification models. This includes setting: 2–10 trees; tree depth of 5–8 layers. The classification rate of the random forest classification model is no less than 800 ns / feature.
[0079] Considering the testing of various machine learning models, including Random Forest, XGBoost, LightGBM, KNN, and SVM, and supporting flexible switching between different algorithms to adapt to various detection needs, the final module of this invention selected the Random Forest algorithm, which has the best overall performance. Taking Random Forest as an example, this model is based on the ensemble of multiple decision trees, exhibiting high robustness and classification accuracy. Applications in industrial IoT environments show that its classification rate can reach 800 ns / class, fully meeting the performance requirements of real-time detection.
[0080] This application combines Pearson correlation coefficient and random forest algorithm to perform dual screening of the fused feature set, overcoming the problems of model overfitting and heavy computational burden caused by too many redundant features, thereby optimizing the input dimension of the classification model and improving detection efficiency and prediction accuracy.
[0081] S7: Input the target feature set into the random forest classification model to obtain the classification result, which indicates whether the network traffic is a DDoS attack and its attack type;
[0082] Specifically, such as Figure 3 As shown, Figure 3This is a confusion matrix showing the classification test results of a random forest classification model on the public dataset CICDDoS2019, according to an exemplary embodiment. The horizontal axis represents the predicted label, and the vertical axis represents the true label. As can be seen from the figure, the diagonal cells are the darkest and have the largest values, indicating that most samples of each category are correctly classified, and the model's overall performance is stable. The overall accuracy is close to 99% (approximately 203k correct samples on the diagonal, accounting for approximately 205k of the total samples).
[0083] The misclassifications were mainly concentrated in a few categories: approximately 952 entries of `tcp_syn_randip_port` were misclassified as Benign, and about 494 were misclassified as `tcp_rst_flood_rand`, indicating that these two traffic types share some similar statistical characteristics (e.g., burst packet volume and port distribution). 447 entries of `icmp_flood_rand` were misclassified as BigICMP; both belong to ICMP flooding and have similar packet type / length distributions. A small number of samples of `tcp_ack_flood_rand` and `udp_flood_rand` were also classified as Benign. The occasional misclassification of Benign samples as attack types (e.g., only 1 entry of `udp_flood_rand`) indicates an extremely low false positive rate.
[0084] Further analysis reveals (using recall as an example): most categories have a recall rate >99.9%, such as benign, land, tcp_fin_flood_rand, and tcp_rst_flood_rand. The relatively lower recall rates are for icmp_flood_rand (~97%) and tcp_syn_randip_port (~95.9%), which is consistent with the confusion phenomenon mentioned above.
[0085] This demonstrates that the model possesses a high ability to identify most DDoS attack types, with errors concentrated among floods of similar protocols or types. Further improvements could be made to severely misclassified categories by adding more discriminative features (such as finer-grained time window statistics, packet header field comparison, and command payload features) or employing cost-sensitive training strategies to reduce the risk of misclassification to Benign. The above results are merely illustrative experimental performance and may vary depending on different dataset distributions, feature selections, and model parameter adjustments. When deploying the model in a real-world environment, continuous optimization and parameter tuning are necessary, taking into account business traffic characteristics and real-time feedback. S8: Output defense commands based on the classification results;
[0086] Specifically, the attack detection and feedback module records the IP addresses and port information of previously identified DDoS attack traffic in a blacklist; the system will output defense commands and automatically avoid visitor records in the blacklist to prevent further attack actions.
[0087] Table 1 shows the identification time for different attacks:
[0088]
[0089] As shown in Table 1, the industrial IoT DDoS detection system exhibits excellent performance at the nanosecond level during testing, with an overall average identification latency ranging from 814.8 ns (normal traffic) to 1449.0 ns (TCP_RST attack). Specifically, model classification takes 337.2 ns to 850.8 ns, feature selection takes 211.8 ns to 361.2 ns, and feature extraction takes 113.4 ns to 250.8 ns, indicating that the entire identification process can be completed within 1.5 μs. In terms of recognition accuracy, normal traffic reached 100%, ICMP_FLOOD was 96.96%, BIG_ICMP, LAND, TCP_SYN, and TCP_RST all reached 99.99%, UDP and TCP_ACK were 99.67% and 99.39% respectively, and the overall accuracy was above 97%. While maintaining ultra-low latency, the system still maintained near-perfect classification performance, with only slightly lower accuracy for ICMP_FLOOD and TCP_ACK. Features or model parameters can be further optimized for these two types of traffic to achieve more balanced high-performance detection.
[0090] In a simulated industrial IoT scenario, the random forest classification model demonstrated extremely high precision, recall, and F1 score (all reaching 99%) for DDoS attack detection. Figure 3 The confusion matrix analysis shows that the misclassification rate is close to zero among various attacks (such as UDP flood, SYN flood, HTTP flood, etc.), especially demonstrating excellent distinguishing ability in similar attack patterns (such as TCP ACK flood and TCP SYN flood).
[0091] Meanwhile, the classification results exhibit millisecond-level response speeds and excellent real-time performance, enabling rapid feature extraction and classification. This facilitates quick output of detection results to the system console, triggering appropriate defense strategies. Actual test results demonstrate that the classification accuracy for multi-category DDoS attacks significantly outperforms traditional methods, while also featuring low resource consumption, making it suitable for deployment in resource-constrained industrial equipment. It possesses high scalability, allowing for the addition of new feature extraction methods or classification algorithms to adapt to different industrial scenarios. It is widely applied in industrial automation networks, smart grids, and intelligent manufacturing, providing stable and reliable technical protection for industrial network security.
[0092] Figure 4 This is a block diagram illustrating a DDoS detection and defense system suitable for the Industrial Internet of Things (IIoT) according to an exemplary embodiment. The system includes:
[0093] Module 1 is used to acquire network packet data to be detected;
[0094] The first feature set module 2 is used to extract statistical features from the network packet data to be detected, using source IP, destination IP, source port, destination port and protocol type as a five-tuple, such as the survival time of the five-tuple network flow, packet size, forward and reverse packet ratio, packet sending interval, data containing instructions and protocol type changes, to obtain the first feature set;
[0095] The second feature set module 3 is used to extract statistical features from the network packet data to be detected, using source IP, source port, and protocol type as triples, such as the survival time of the triple network flow, packet size, ratio of forward and reverse packets, packet transmission interval, data containing instructions, and protocol type changes, to obtain the second feature set.
[0096] Packet feature verification feature set module 4 is used to perform fragmentation field integrity verification and packet feature information conflict determination on the detected network packet data to obtain packet feature verification feature set;
[0097] The feature set fusion module 5 is used to fuse the first feature set, the second feature set and the packet feature verification feature set to form a fused feature set;
[0098] The target feature set module 6 is used to perform feature filtering on the fused feature set to obtain the target feature set;
[0099] Classification module 7 is used to input the target feature set into a random forest classification model to obtain a classification result, wherein the classification result indicates whether the network traffic is a DDoS attack and its attack type;
[0100] Defense output module 8 is used to output defense commands based on the classification results.
[0101] The above descriptions are merely several embodiments of this application and are not intended to limit the scope of protection of this application. The modules and their functions described in this application can be adjusted and optimized according to actual needs. For example, some modules can be selected for implementation according to a specific scenario, and the interaction methods between modules can also be improved. After reading this specification, those skilled in the art can modify or transform this application without creative effort, based on actual needs.
[0102] Furthermore, this application can also be implemented in the form of an electronic device, a computer-readable storage medium, etc. For example, this application provides an electronic device including one or more processors and a memory for storing one or more programs. When these programs are executed by one or more processors, the electronic device enables the electronic device to implement the network traffic attack detection method based on feature extraction and optimization as described above. Further, this application also provides a computer-readable storage medium storing computer instructions that can be executed by a processor to implement the network traffic attack detection method as described above.
[0103] This application aims to cover all variations, uses, or adaptations that follow the basic principles of this application and include conventional techniques and known methods in this art. The descriptions and drawings in this specification and accompanying drawings are for illustrative purposes only and should not be construed as limiting the scope of this application. The scope of protection of this application is defined by the appended claims and their equivalents.
Claims
1. A DDoS detection and defense method suitable for the Industrial Internet of Things, characterized in that, include: S1: Obtain network packet data to be detected; S2: Extract statistical features from the network packet data to be detected, using source IP, destination IP, source port, destination port and protocol type as a 5-tuple, including network flow lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data containing instructions, and protocol type changes, to obtain the first feature set; Search for the statistical characteristics of the quintuple in the RING_LRU cache mechanism; S3: Extract statistical features from the network packet data to be detected, using source IP, source port, and protocol type as triples, including network flow lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data containing instructions, and protocol type changes, to obtain a second feature set; Search for the statistical characteristics of the triples in the RING_LRU cache mechanism; S4: Perform fragmentation field integrity verification and packet feature information conflict determination on the detected network packet data to obtain a packet feature verification feature set; Specifically, it includes: S41: Performing fragmentation field integrity verification on the detected network packet data, and extracting fragmentation packet feature information for TearDrop attack; S42: Performing packet feature information conflict determination on the detected network packet data, and extracting feature information to identify LandAttack attack; S43: Merging the above feature information to obtain packet feature verification feature set; S5: Merge the first feature set, the second feature set, and the packet feature verification feature set to form a fused feature set; S6: Perform feature filtering on the fused feature set to obtain the target feature set; S7: Input the target feature set into the random forest classification model to obtain the classification result, which indicates whether the network traffic is a DDoS attack and its attack type; S8: Output defense instructions based on the classification results.
2. The method according to claim 1, characterized in that, S2 includes: S21: Perform classification and statistics based on the five-tuple of source IP, destination IP, source port, destination port and protocol type, and search for the statistical characteristics of the five-tuple in the RING_LRU caching mechanism. The statistical characteristics include lifespan, packet size, forward and reverse packet ratio, packet sending interval, data inclusion instruction, and protocol type change. S22: The statistical features are dynamically updated using the EMA exponential smoothing method to obtain the first feature set.
3. The method according to claim 1, characterized in that, S3 includes: S31: Based on the five-tuple of source IP, source port, and protocol type, search for the statistical characteristics of the three-tuple in the RING_LRU cache mechanism; the statistical characteristics include lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data inclusion instruction, and protocol type change; S32: The statistical features are dynamically updated using the EMA exponential smoothing method to obtain the second feature set.
4. The method according to claim 1, characterized in that, S6 includes: S61: Calculate the Pearson correlation coefficient for the fused feature set and delete redundant features with a correlation coefficient greater than a preset threshold; S62: Score the importance of the random forest algorithm and select the target feature set based on the score.
5. The method according to claim 1, characterized in that, The classification rate of the random forest classification model is no less than 800 ns / class.
6. A DDoS detection and defense device suitable for the Industrial Internet of Things, characterized in that, include: The acquisition module is used to acquire network packet data to be detected; The first feature set module is used to extract statistical features from the network packet data to be detected, using source IP, destination IP, source port, destination port and protocol type as a five-tuple, such as the survival time of the five-tuple network flow, packet size, ratio of forward and reverse packets, packet transmission interval, data containing instructions and protocol type changes, to obtain the first feature set; Search for the statistical characteristics of the quintuple in the RING_LRU cache mechanism; The second feature set module is used to extract statistical features from the network packet data to be detected, using source IP, source port, and protocol type as triples, such as the network flow's lifespan, packet size, forward and reverse packet ratio, packet transmission interval, data containing instructions, and protocol type changes, to obtain the second feature set. Search for the statistical characteristics of the triples in the RING_LRU cache mechanism; The packet feature verification feature set module is used to perform fragmentation field integrity verification and packet feature information conflict determination on the detected network packet data to obtain a packet feature verification feature set; specifically, it includes: performing fragmentation field integrity verification on the detected network packet data, extracting fragmented packet feature information for TearDrop attacks; performing packet feature information conflict determination on the detected network packet data, extracting feature information for identifying LandAttack attacks; and fusing the above feature information to obtain the packet feature verification feature set; The feature set fusion module is used to fuse the first feature set, the second feature set and the packet feature verification feature set to form a fused feature set; The target feature set module is used to perform feature filtering on the fused feature set to obtain the target feature set; The classification module is used to input the target feature set into the random forest classification model to obtain the classification result, which indicates whether the network traffic is a DDoS attack and its attack type; The defense output module is used to output defense commands based on the classification results.
7. An electronic device, characterized in that, It includes one or more processors and a memory; when a program stored in the memory is executed by the processor, the processor causes the processor to implement the method of any one of claims 1 to 5.
8. A computer-readable storage medium having stored thereon computer instructions that, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 5.