The rapid growth of the Internet provides ample entry points for large numbers of malicious terminals, which makes it extremely challenging to trace the path of distributed denial of service (DDoS) attacks effectively. Traditional solutions mainly trace DDoS attacks by adding tags to packet headers or by querying logs, which increases the cost of tagging. Other works implement attack tracing based on the network-wide view and centralized control of SDN, but these methods are difficult to deploy at large scale. To address this problem, we propose a DDoS attack path tracing system (AT-GCN) based on an attack traceability knowledge base and a graph convolutional network (GCN). We first propose the construction process for the attack traceability knowledge base, and design the intra-domain attack graph and the traceability algorithm recommendation graph to solve the problems of DDoS attack path traceability and optimal traceability solution recommendation. On this basis, we propose a GCN-based intra-domain attack traceability scheme, and design a subgraph sampling algorithm, Tracing-Sample, adapted to intra-domain DDoS attack traceability, with the aim of efficiently using the graph structure in the knowledge base to reproduce DDoS attack paths. Additionally, we recommend the traceability algorithm using user-based collaborative filtering (UBCF), dynamically recommending the best traceability algorithm according to the differing requirements administrators place on traceability performance. Compared with other GCN algorithms, the results show that the recall of the AT-GCN system is increased by 7.3% on average and the FPR is reduced by 5.7% on average, at the expense of memory usage. Under topologies of different scales, the recall of the AT-GCN system remains stable at 95%.