臺灣博碩士論文加值系統

網路已成為現代生活中不可或缺的基礎設施,對個人、商業和社會的各個層
面都產生了深遠的影響。網路的發展對於個人到企業都提供了極大的機會,卻也
因為它的普及帶來了新的挑戰,如隱私和網絡安全問題。網路安全是一個不斷
衍伸且極為重要的議題,而分散式阻斷服務攻擊(Distributed Denial-of-Service,
DDoS)是一種常見並具破壞性的網路攻擊形式。DDoS 攻擊導致目標網站或服
務形成癱瘓,對個人和企業皆造成重大損失,包括業務中斷、損害聲譽進而喪失
客戶信任等影響。為了應對 DDoS 攻擊,不同程度的安全措施被提出,包括網路
防火牆、入侵檢測系統、DDoS 防護服務和流量分析工具等。此外,更有以內容
傳遞網路(Content Delivery Network, CDN)的服務,分散流量和提供額外保護
的新興做法被提出。
而深度學習的出現,為 DDoS 防禦提供了新的可能性和觀點,有別於傳統的
防禦手段,深度學習能更靈活的調整防火牆規則、流量臨界值和分散節點分配
等。因此,許多深度學習的 DDoS 檢測模型被提出,在論文中這些方法也達到令
人滿意的效果。然而,深度學習的 DDoS 檢測模型卻也不是十全十美,深度學習
模型的訓練方式,造成模型容易陷入開集識別(Open-Set Recognition, OSR)問
題的陷阱中。開集識別的主要目標是確保模型不僅能識別已知類別的樣本,同時
識別並拒絕未知類別的樣本。傳統的深度學習識別任務通常是閉集識別,即模型
在測試時僅能識別訓練過的樣本特徵。然而,在現實的識別任務中,經常會遇到
未訓練的樣本特徵,而開集識別模型則有能力將未訓練的樣本識別出來。
本研究提出了一種新穎的方法,以應對開集識別的 DDoS 攻擊檢測,該方
法結合了卷積神經網路(Convolutional Neural Network, CNN)與互反點學習
(Reciprocal Points Learning, RPL)。互反點學習是一種基於開集識別的深度學習
方法,有別於傳統的深度學習分類問題,在訓練階段,互反點學習量化卷積神經
網路輸出的深度特徵,並將特徵點之間的關係以距離的方式呈現,透過計算已知
類別中心的互反點,提高模型對已知類別深度特徵的聚集度的同時,也加大深度
特徵與已知類互反點的距離。此方法能有效的將未知 DDoS 攻擊特徵限制在指定
的範圍內,有效的將已知與未知 DDoS 攻擊的界限劃分出來,並針對 DDoS 攻擊
加以防禦或阻擋。實驗結果顯示,使用互反點學習的未知 DDoS 攻擊偵測模型,
在 Accuracy, Precision, Recall, F1 等評估指標最佳可達到 98% 以上的防禦率。

The internet has become a critical infrastructure in modern life, profoundly im-
pacting various personal, business, and societal aspects. The development of the in-
ternet has provided significant opportunities for individuals and businesses, while its
widespread use has also brought new challenges, such as privacy and cyber security is-
sues. Internet security is an evolving and fundamental issue, and Distributed Denial-
of-Service (DDoS) attacks are a common and disruptive form of cyberattack. DDoS
attacks result in the target website or service being overwhelmed, causing significant
losses for individuals and businesses, including business interruptions, damage to rep-
utation, and a loss of customer trust. Various security measures are proposed to
combat DDoS attacks, including firewall rules, intrusion detection systems, DDoS
protection services, and traffic analysis tools. Additionally, emerging practices such
as Content Delivery Network (CDN) services have been introduced to disperse traffic
and provide additional protection.
Deep learning has provided new possibilities and perspectives for DDoS defense.
Unlike traditional defense methods, deep learning can flexibly adjust firewall rules,
traffic thresholds, and distributed node allocation. As a result, many deep learning
DDoS detection models have been proposed, and these methods have achieved satis-
factory results in research papers. Nevertheless, deep learning DDoS detection mod-
els have challenges. The training approach of deep learning models makes them sus-
ceptible to the trap of Open-Set Recognition (OSR) problems. The primary goal of
OSR is to ensure that the model can recognize samples from known classes and iden-
tify and reject samples from unknown classes. Traditional deep learning recognition
tasks are usually closed-set recognition, meaning that the model can only recognize
samples with features it has been trained on during testing. Regardless, in real-world
recognition tasks, we often encounter samples with untrained features, and open-set
recognition models have the ability to identify these untrained samples.
This research presents a novel approach to address open-set recognition in DDoS
attack detection, which merges Convolutional Neural Networks (CNN) with Recip-
rocal Points Learning (RPL). RPL is a deep learning method based on open-set recog-
nition. Unlike traditional deep learning classification problems, during the training
phase, RPL quantifies the output of the features by the convolutional neural network,
and represents the relationships between embedded features in a distance-based man-
ner. Calculating reciprocal points within known class centers enhances the model’s
aggregation of embedded features from known classes, while expanding the distance
between deep features and reciprocal points. This method effectively constrains un-
known DDoS attack features within a specified range, differentiates between known
and unknown DDoS attacks, and provides defense or blocking measures against
DDoS attacks. Experimental results show that the unknown DDoS attack detec-
tion model using Reciprocal Points Learning achieves a defense rate of over 98% in
various evaluation metrics.

摘要 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Motivation of the Research . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Research Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1 DDoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.1 The Structure of Internet . . . . . . . . . . . . . . . . . . . . . 7
2.1.2 Common DDoS Attacks Types . . . . . . . . . . . . . . . . . 8
2.2 DDoS Protection and Mitigation . . . . . . . . . . . . . . . . . . . . 12
2.2.1 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.2 Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 The Canadian Institute for Cybersecurity . . . . . . . . . . . . . . . . 13
2.3.1 CICFlowmeter . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.2 CICIDS 2017 . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.3 CICDDoS 2019 . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4 Machine Learning in DDoS Detection . . . . . . . . . . . . . . . . . 17
2.4.1 Boosting Method . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4.2 Convolution Neural Network Method . . . . . . . . . . . . . 18
2.5 Unknown DDoS Detection . . . . . . . . . . . . . . . . . . . . . . . 20
2.5.1 Open-Set Recognition . . . . . . . . . . . . . . . . . . . . . . 20
2.5.2 Open-Set Recognition in Unknown DDoS Detection . . . . . 22
2.6 Incremental Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3. Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.1 The Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 The Unknown DDoS Attacks Detection System . . . . . . . . . . . . 26
3.3 CICIDS 2017 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.3.1 Data Normalization . . . . . . . . . . . . . . . . . . . . . . . 32
3.3.2 Features Selection . . . . . . . . . . . . . . . . . . . . . . . . 33
3.4 Training Model for Unkown DDoS Attacks Detection . . . . . . . . 36
3.4.1 Convolutional Neural Network Model . . . . . . . . . . . . . 36
3.4.2 Loss function for Open-Set Recognition . . . . . . . . . . . . 37
3.4.3 Reciprocal Points Learning . . . . . . . . . . . . . . . . . . . 39
3.4.4 Unknown DDoS Attacks Detection Method . . . . . . . . . . 41
3.5 Incremental Learning for Unknown DDoS Attacks Detection . . . . 43
4. Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.1 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.1.1 Experimantal Environment . . . . . . . . . . . . . . . . . . . 44
4.1.2 Training Hyperparameter . . . . . . . . . . . . . . . . . . . . 44
4.2 Validation Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.3 The Result of Known DDoS Attack Detection . . . . . . . . . . . . . 49
4.4 The Limitation of Close-Set Classification . . . . . . . . . . . . . . . 50
4.5 The Result of Unknown DDoS Attacks Detection . . . . . . . . . . . 53
4.5.1 Reciprocal Points Learning on Unknown DDoS Attacks Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.5.2 Incremental Learning . . . . . . . . . . . . . . . . . . . . . . 58
4.6 Comparison with Others Results . . . . . . . . . . . . . . . . . . . . . 61
5. Conclusion and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.1 Thesis summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.2 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
5.3 Futeure Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

[1] O. Yoachimik and J. Pacheco, DDoS threat report for 2023 Q3, Web Page,
2023. [Online]. Available: https://blog.cloudflare.com/ddos-threatreport-2023-q3/.
[2] MSRC, Microsoft Response to Distributed Denial of Service (DDoS) Attacks
against HTTP/2, Web Page, 2023. [Online]. Available: https://msrc.microsoft.
com/blog/2023/10/microsoft-response-to-distributed-denial-ofservice-ddos-attacks-against-http/2/.
[3] G. Bourzikas, HTTP/2 Zero-Day vulnerability results in record-breaking DDoS
attacks, Web Page, 2023. [Online]. Available: https://blog.cloudflare.
com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/.
[4] G. Cloud, How it works: The novel HTTP/2 ‘Rapid Reset’DDoS attack,
Web Page, 2023. [Online]. Available: https://cloud.google.com/blog/
products/identity-security/how-it-works-the-novel-http2-rapidreset-ddos-attack.
[5] CVE, CVE-2023-44487, Web Page, 2023. [Online]. Available: https://www.
cve.org/CVERecord?id=CVE-2023-44487.
[6] Cloudflare, What is a DDoS attack? Web Page, 2023. [Online]. Available: https:
//www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/.
[7] Nginx, What Is Load Balancing? Web Page, 2023. [Online]. Available: https:
//www.nginx.com/resources/glossary/load-balancing/.
[8] Q. Zhou and D. Pezaros, “Evaluation of Machine Learning Classifiers for ZeroDay Intrusion Detection–An Analysis on CIC-AWS-2018 dataset,” arXiv preprint
arXiv:1905.03685, 2019.
[9] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a
new intrusion detection dataset and intrusion traffic characterization.,” International Conference on Information Systems Security and Privacy (ICISSp),
vol. 1, pp. 108–116, 2018.
[10] I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, “Developing
realistic distributed denial of service (DDoS) attack dataset and taxonomy,”
in 2019 International Carnahan Conference on Security Technology (ICCST),
IEEE, 2019, pp. 1–8.
[11] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense
mechanisms,” ACM SIGCOMM Computer Communication Review, vol. 34,
no. 2, pp. 39–53, 2004.
[12] A. Asosheh and N. Ramezani, “A comprehensive taxonomy of DDOS attacks
and defense mechanism applying in a smart classification,” WSEAS Transactions on Computers, vol. 7, no. 4, pp. 281–290, 2008.
[13] A. Bansal and S. Kaur, “Extreme gradient boosting based tuning for classification in intrusion detection systems,” in Advances in Computing and Data
Sciences: Second International Conference, ICACDS 2018, Dehradun, India,
April 20-21, 2018, Revised Selected Papers, Part I 2, Springer, 2018, pp. 372–
380.
[14] T. Chen and C. Guestrin, “Xgboost: A scalable tree boosting system,” in Proceedings of the 22nd acm sigkdd international conference on knowledge discovery and data mining, 2016, pp. 785–794.
[15] J. Kim, Y. Shin, E. Choi, et al., “An intrusion detection model based on a
convolutional neural network,” Journal of Multimedia Information System,
vol. 6, no. 4, pp. 165–172, 2019.
[16] J. Kim, J. Kim, H. Kim, M. Shim, and E. Choi, “CNN-based network intrusion
detection against denial-of-service attacks,” Electronics, vol. 9, no. 6, p. 916,
2020.
[17] J. Hu, C. Liu, and Y. Cui, “An improved CNN approach for network intrusion
detection system,” Int. J. Netw. Secur, vol. 23, no. 4, pp. 569–575, 2021.
[18] C. Elkan, “Results of the KDD’99 classifier learning,” Acm Sigkdd Explorations Newsletter, vol. 1, no. 2, pp. 63–64, 2000.
[19] L. Liu, G. Engelen, T. Lynar, D. Essam, and W. Joosen, “Error prevalence in
nids datasets: A case study on cic-ids-2017 and cse-cic-ids-2018,” in 2022 IEEE
Conference on Communications and Network Security (CNS), IEEE, 2022,
pp. 254–262.
[20] L. Dhanabal and S. Shantharajah, “A study on NSL-KDD dataset for intrusion detection system based on classification algorithms,” International journal of advanced research in computer and communication engineering, vol. 4,
no. 6, pp. 446–452, 2015.
[21] J. Yang, K. Zhou, Y. Li, and Z. Liu, “Generalized out-of-distribution detection: A survey,” arXiv preprint arXiv:2110.11334, 2021.
[22] W. J. Scheirer, L. P. Jain, and T. E. Boult, “Probability models for open set
recognition,” IEEE transactions on pattern analysis and machine intelligence,
vol. 36, no. 11, pp. 2317–2324, 2014.
[23] P. Perera and V. M. Patel, “Deep transfer learning for multiple class novelty
detection,” in Proceedings of the IEEE/CVF conference on computer vision
and pattern recognition, 2019, pp. 11 544–11 552.
[24] Z. Ge, S. Demyanov, Z. Chen, and R. Garnavi, “Generative openmax for
multi-class open set classification,” arXiv preprint arXiv:1707.07418, 2017.
[25] R. Yoshihashi, W. Shao, R. Kawakami, S. You, M. Iida, and T. Naemura,
“Classification-reconstruction learning for open-set recognition,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 4016–4025.
[26] A. Cao, Y. Luo, and D. Klabjan, “Open-set recognition with gaussian mixture
variational autoencoders,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 35, 2021, pp. 6877–6884.
[27] H. Zhang and V. M. Patel, “Sparse representation-based open set recognition,”
IEEE transactions on pattern analysis and machine intelligence, vol. 39, no. 8,
pp. 1690–1696, 2016.
[28] P. Oza and V. M. Patel, “C2ae: Class conditioned auto-encoder for open-set
recognition,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 2307–2316.
[29] C.-S. Shieh, W.-W. Lin, T.-T. Nguyen, C.-H. Chen, M.-F. Horng, and D. Miu,
“Detection of unknown ddos attacks with deep learning and gaussian mixture
model,” Applied Sciences, vol. 11, no. 11, p. 5213, 2021.
[30] C.-S. Shieh, T.-T. Nguyen, C.-Y. Chen, and M.-F. Horng, “Detection of Unknown DDoS Attack Using Reconstruct Error and One-Class SVM Featuring
Stochastic Gradient Descent,” Mathematics, vol. 11, no. 1, p. 108, 2022.
[31] C.-S. Shieh, T.-T. Nguyen, W.-W. Lin, et al., “Detection of adversarial ddos
attacks using generative adversarial networks with dual discriminators,” Symmetry, vol. 14, no. 1, p. 66, 2022.
[32] C.-S. Shieh, T.-T. Nguyen, W.-W. Lin, W. K. Lai, M.-F. Horng, and D. Miu,
“Detection of adversarial ddos attacks using symmetric defense generative adversarial networks,” Electronics, vol. 11, no. 13, p. 1977, 2022.
[33] C.-S. Shieh, T.-T. Nguyen, and M.-F. Horng, “Detection of Unknown DDoS
Attack Using Convolutional Neural Networks Featuring Geometrical Metric,” Mathematics, vol. 11, no. 9, p. 2145, 2023.
[34] E. Mahdavi, A. Fanian, A. Mirzaei, and Z. Taghiyarrenani, “ITL-IDS: Incremental transfer learning for intrusion detection systems,” Knowledge-Based
Systems, vol. 253, p. 109 542, 2022.
[35] G. Chen, L. Qiao, Y. Shi, et al., “Learning open set network with discriminative
reciprocal points,” in Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part III 16, Springer,
2020, pp. 507–522.
[36] G. Chen, P. Peng, X. Wang, and Y. Tian, “Adversarial reciprocal points learning for open set recognition,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 44, no. 11, pp. 8065–8081, 2021.
[37] 陳羣岳, “使用重構誤差與單類支援向量機之未知分散式阻斷服務攻擊偵測,”
Thesis, 2022. [Online]. Available: https://hdl.handle.net/11296/jzrwhr.
[38] 高皓, “基於 fuzzy c-means 開集識別技術之未知 ddos 攻擊偵測,” Thesis,
2023. [Online]. Available: https://hdl.handle.net/11296/646sd5.
[39] 阮青俊, “植基於深度學習與開集識別技術之未知及對抗式 ddos 攻擊偵測,”
Thesis, 2023. [Online]. Available: https://hdl.handle.net/11296/jv38tx