CPC H04L 63/1458 (2013.01); 8 Claims

1. A method for detecting slow HTTP denial of service (DoS) attacks in a backbone network, comprising the following steps:
step (1): obtaining a public backbone network dataset and an attack dataset, and extracting traffic information from them; systematically sampling the traffic at a rate of 1/n chosen according to the requirements of the specific scenario, to obtain sampled traffic, wherein n is a constant;
step (2): analyzing the operating principle of slow HTTP DoS (SHD) attacks, extracting several unidirectional traffic features that reflect the overall characteristics of these attacks, and extending these original features with further unidirectional features specific to each type of SHD attack, according to the differences between the attack types, so as to build a feature group for each type of SHD attack;
step (3): extracting and storing the features described in step (2) from the sampled traffic, separately for each attack type, using a FarmHash function, bitmaps and a custom Count-min Sketch data structure, wherein the custom Sketch structure is configured to reduce storage overhead;
step (4): labeling the features according to the actual type of the traffic to form labeled feature vectors, the labels comprising three types of attack traffic and normal traffic;
step (5): selecting a low-complexity machine learning algorithm in order to further improve processing speed, and training it on the labeled feature vectors obtained in step (4) to obtain a detection model for each of the three types of SHD attack;
step (6): capturing real-time traffic at real backbone network nodes, and performing the traffic sampling of step (1) and the feature extraction of step (3) on it, the features again being obtained from unidirectional traffic only; and
step (7): inputting the unlabeled feature vectors generated in real time into the three attack-traffic models obtained in step (5), labeling each feature vector according to the outputs of the models to identify its traffic type, and carrying out subsequent defense measures according to the results.
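The sampling, sketch-based feature extraction and per-source classification of steps (1), (3), (6) and (7), as an added example that is not the patent's own code. It assumes: a blake2b keyed hash standing in for the FarmHash function (so the block runs with the standard library only); destination port 80 as the marker of the client-to-server direction, since backbone links frequently see only one direction of a flow; one small bitmap per source for distinct-connection estimation by linear counting; a decision stump with illustrative thresholds standing in for the three trained models; and constructed traffic in which one ordinary client sends a few full-sized requests while a slow-HTTP style source holds many connections open with two tiny packets each.

```python
import hashlib
import math
from collections import namedtuple

# Constructed packet record standing in for a parsed capture header.
Packet = namedtuple("Packet", "src dst sport dport length")
SERVER_PORT = 80  # assumption: HTTP on port 80 marks the client->server direction


def keyed_hash(key: str, seed: int, mod: int) -> int:
    """Hash a string key into [0, mod). The patent uses FarmHash in this role;
    blake2b with a per-row key is a stand-in so the block needs no third-party code."""
    digest = hashlib.blake2b(key.encode(), digest_size=8,
                             key=seed.to_bytes(8, "little")).digest()
    return int.from_bytes(digest, "little") % mod


class CountMinSketch:
    """depth x width counter table; query takes the minimum over rows, so an
    estimate never undercounts and only overcounts on a collision in every row."""

    def __init__(self, width: int = 1024, depth: int = 4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def add(self, key: str, count: int = 1) -> None:
        for row in range(self.depth):
            self.table[row][keyed_hash(key, row, self.width)] += count

    def estimate(self, key: str) -> int:
        return min(self.table[row][keyed_hash(key, row, self.width)]
                   for row in range(self.depth))


class Bitmap:
    """Fixed-size bit array: one bit per distinct connection key, however many
    packets the connection carries; distinct count recovered by linear counting."""

    def __init__(self, bits: int = 512):
        self.bits, self.buf = bits, bytearray(bits // 8)

    def set(self, key: str) -> None:
        i = keyed_hash(key, 99, self.bits)
        self.buf[i // 8] |= 1 << (i % 8)

    def estimate_distinct(self) -> float:
        zeros = self.bits - sum(bin(b).count("1") for b in self.buf)
        if zeros == 0:  # saturated: the bitmap size is only a lower bound
            return float(self.bits)
        return -self.bits * math.log(zeros / self.bits)


def systematic_sample(packets, n: int):
    """Keep every n-th packet: the 1/n systematic sampling of step (1)."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def extract_features(packets, n: int) -> dict:
    """Per-source unidirectional features from 1/n-sampled client->server packets.
    Packet and byte counts are scaled back by n; the connection estimate is not,
    because a connection with fewer than n packets may be missing from the sample."""
    pkt_counts, byte_counts, conn_bitmaps = CountMinSketch(), CountMinSketch(), {}
    for p in systematic_sample(packets, n):
        if p.dport != SERVER_PORT:  # drop the server->client direction
            continue
        pkt_counts.add(p.src)
        byte_counts.add(p.src, p.length)
        conn_bitmaps.setdefault(p.src, Bitmap()).set(f"{p.src}:{p.sport}>{p.dst}:{p.dport}")
    features = {}
    for src, bm in conn_bitmaps.items():
        pk, by, co = pkt_counts.estimate(src) * n, byte_counts.estimate(src) * n, bm.estimate_distinct()
        features[src] = {"packets": pk, "bytes": by, "connections": co,
                         "bytes_per_packet": by / pk,
                         "packets_per_connection": pk / max(co, 1.0)}
    return features


def classify(row: dict, max_bytes_per_packet: float = 120.0, min_connections: float = 50.0) -> str:
    """Decision stump standing in for the trained low-complexity model of step (5).
    Assumption: thresholds are illustrative, not taken from the patent. A slow HTTP
    DoS source keeps many connections open while sending very little per packet."""
    if row["connections"] >= min_connections and row["bytes_per_packet"] <= max_bytes_per_packet:
        return "slow_http_dos"
    return "normal"


def build_sample_traffic():
    """Constructed traffic: a normal client (3 connections x 20 packets of 600 B), a
    slow-HTTP style source (200 connections x 2 packets of 40 B) and server replies."""
    packets = []
    for conn in range(3):
        packets += [Packet("10.0.0.5", "192.0.2.10", 40000 + conn, SERVER_PORT, 600)] * 20
    for conn in range(200):
        packets += [Packet("198.51.100.7", "192.0.2.10", 50000 + conn, SERVER_PORT, 40)] * 2
    packets += [Packet("192.0.2.10", "10.0.0.5", SERVER_PORT, 40000, 1400)] * 10
    return packets


def detect(packets, n: int = 4) -> dict:
    """Steps (6) and (7) end to end: sample, extract features, label each source."""
    return {src: classify(row) for src, row in extract_features(packets, n).items()}


if __name__ == "__main__":
    for src, row in extract_features(build_sample_traffic(), 4).items():
        print(src, {k: round(v, 1) for k, v in row.items()}, classify(row))
```

With n = 4 the sampler keeps only one packet from every second attacking connection, so the raw connection estimate is roughly half of what the source really holds; the ratio features (bytes per packet, packets per connection) are far less sensitive to the sampling rate than absolute counts, which is why a sampled-backbone detector should lean on them. The patent goes further than this stump: it builds a separate feature group and a separate model for each of the three SHD attack types, and the Count-min Sketch is what keeps the per-source state bounded when the key space is every source address seen on a backbone link.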