ABSTRACT
With the rapid development of 5G technology, cyberspace security threats are
becoming more and more serious, and network attacks such as distributed denial of
service (DDoS) emerge one after another. Most of the traditional detection technologies
and countermeasures are only aimed at mitigating attack traffic, and cannot analyze
attacker behavior and record threat intelligence in a timely and effective manner,
making it difficult to combat complex network attacks. How to build a knowledge base
to collect DDoS attack multi-dimensional information and describe its malicious
behavior has become a key research direction in the field of network security.
Relying on the national key research and development project subject "identity-based
trusted protocol and malicious communication behavior monitoring method", this paper
proposes a method for constructing a knowledge base of malicious behavior of
distributed DDoS network attacks, and collects five types of traffic construction with a
total of 21 attack methods. Malicious traffic detection library, which analyzes the multi-
dimensional malicious behavior of attacks and builds a malicious traffic behavior
library. Based on DDoS Open Threat Signaling (DOTS) and blockchain technology, it
builds distributed knowledge transmission, knowledge reasoning and correlation query,
etc. The mechanism has verified that the accuracy and recall rate of the knowledge base
for online detection of DDoS attacks are both above 87%. The specific work is as
follows:
First, the overall framework of knowledge base construction is outlined, and a
malicious traffic detection library and malicious traffic behavior library are constructed
to complete five major DDoS attacks: botnet, application layer DDoS, slow DDoS,
distributed reflection DDoS and network/transport layer DDoS Traffic collection, as
well as feature dimension, time dimension and space dimension DDoS attack malicious
behavior description function; based on DOTS protocol and based on blockchain
technology, two distributed deployment schemes of knowledge bases are designed to
realize data transmission between knowledge bases; based on knowledge base storage
The data and structure of a variety of knowledge base graph association query,
knowledge reasoning, and distributed node update and other functions are designed.
Secondly, referring to the proposed knowledge base construction framework, the data
import of the malicious traffic detection library and the visualization of the detection
results are realized; the traffic behavior knowledge graph, the malicious behavior
VIP享7折,此内容立减5.97元 
