Defending Application Layer DDoS Attacks via Multidimensional Parallelotope

/e Internet is more and more integrated into people’s life; because of the complexity and fragility of the network environment, network attack presents a more and more serious trend. Application Layer DDoS (AL-DDoS) attack is the most complex form of DDoS attack, which is hindering the availability for the legitimate users by taking up a large number of requests of web server. /e paper introduced the concept of behavior utility to portray the network. /e concept of attack and defense utility was defined by a specific property which was the manifestation of the network risk after the offset of attack and defense. In the utility model, traffic metrics were mapped to the multidimensional parallelotope in the Euclidean space to express as a diagonal matrix. To determine the threshold status, the defense strategies of load balancing and limiting the maximum number of connections were used with different attack scales. Finally, the attack and defense utility value was calculated to evaluate the network risk level. /e proposed method can master the capacity of network system against each attack means and the defense capability of network system. Its availability and accuracy are verified by comparing with the relevant works.


Introduction
With the rapid development of network technology, the field of network security is facing hacker attacks. e intensity of attacks is gradually increasing, and illegal attackers achieve improper goals. DDoS attacks are the main means. AL-DDoS attacks are different from traditional network layer DDoS attacks. It mainly uses existing protocol loopholes, such as HTTP and SMTP, and consumes existing network resources, so that the target server cannot provide conventional services. e intensity and accuracy of this attack are higher, and the threat to security is also greater. e number of attackers and the required attack traffic are much lower than traditional AL-DDoS attacks, which also means that AL-DDoS attacks are easier to launch, and attackers can accurately attack specific applications, so the attack threat is great. e measurement of network system security by most of today's methods cannot reach the stage of quantitative calculation. Most security measurement methods rely on a certain technology while relying on the human experience of experts to measure whether it is safe. ese methods are not accurate and objective enough, so people are always looking for a method that can quantitatively, dynamically, and objectively measure network security. Although the network is static, it is always changing. In order to measure attacks more accurately, a network security measurement method that can dynamically describe and warn attacks is needed. Boyer et al. [1] propose a network security evaluation framework based on D-S evidence theory, but this method has some problems such as large calculation. Ramaki et al. [2] propose a network security risk assessment method based on Bayesian network. Although this method has a strong capacity to process a large amount of data, it is inevitably affected by some subjective factors, so the method must be properly trained to obtain relevant parameter. In the paper of Mukherjee et al. [3], a new security metric based on attack graph, namely, attack difficulty, has been proposed which includes the position factor. Wen et al. [4] propose a network security situation prediction method based on the hidden Markov model. e change rules and trend changes were analyzed by describing the dependence of security conditions in different periods. Wang et al. [5] propose an improved base metric algorithm based on dependency relationship graph and CVSS, aiming at the problem that the existing network security measurement based on CVSS could not accurately measure the probability and the impact of network attack at the same time.
In order to find a way that can dynamically measure network security and does not rely on expert experience, this paper attempts to find performance metrics that can describe AL-DDoS attacks.
is paper analyzes the principles of attack and defense types, summarizes the characteristics of attack and defense targets, and proposes metrics for measurement. In order to evaluate the impact of AL-DDoS attacks, the parameters and calculation methods used in various technologies are analyzed to find better performance metrics to describe the impact of the attack. e main contributions are as follows: (1) is paper puts forward the definition of AL-DDoS attack and defense utility combined with the definition of related concepts from the perspective of sociology and network. It is the first time that the concept of utility combines with attack and defense to measure network security. (2) is paper selects 6 metrics and conducts a large number of simulation experiments combining type and intensity changes. e selected metrics can be used to do various experiments with different attack and defense effect. (3) is paper proposes a calculation model that uses the concept of hyperparallel to construct multidimensional space for utility calculation. e model can accurately represent the impact of the attack and quantitatively determine the impact value of the attack and defense utility. is paper verifies the credibility and accuracy of the calculation model.

DDOS Attack and Detection
Technology. DDoS attacks evolved from DoS attacks and are divided into network layer DDoS attacks and AL-DDoS attacks. e traditional network layer DDoS attack means that hackers invade and control a large number of puppet machines through various loopholes and then use puppet machines to attack the target server. AL-DDoS attack refers to the attacker sending a large number of requests from the victim computer to the database to disable the server [6]. AL-DDoS attacks are usually divided into two types: flooding attacks and slow attacks [7].
Currently, DDoS attacks occur frequently, so it is necessary to detect attacks in time. AL-DDoS attacks generate a large amount of request data in a short period of time. is attack method is similar to the behavior of a large number of users suddenly and normally accessing. erefore, this condition needs to be distinguished from normal access by a large number of users. e purpose of the AL-DDoS attack is to make the applications on the server unable to provide normal services to legitimate users and deny their access [8]. Intrusion Detection System (IDS) is one of the most effective detection and defense mechanisms for DDoS attacks [9]. IDS is an application-type system that monitors suspicious events in the network, generates reports, and forwards them to administrators for action. ere are many traditional IDS/ IPS technologies, such as feature-based detection methods and abnormal behavior-based detection methods [10].

AL-DDOS Attack Assessment
Method. Among current researches on DDoS attacks, most of them are based on the network layer, but there are few researches on the impact of AL-DDoS attacks [11]. e paper of Pallavi et al. [12] finds that over 45% of these applications do not implement measures to protect BLE data, and that cryptography is sometimes applied incorrectly in those that do. Application layer data is extremely vulnerable. e paper of Wei Zhou et al. [13] finds that smart home devices are vulnerable to attacks by network traffic interception. While bringing unprecedented convenience and accessibility, they also introduce various security hazards to users.
Kumar et al. [14] propose a method to measure the impact of AL-DDoS attacks on web server performance. e authors modify the Webtraf module in NS-2 to generate attack traffic to simulate legitimate user behavior. ey analyze the impact of different server processing strategies and queue lengths on the attack. In this method, Wang et al. [15] have developed a prototype of SkyShield and evaluated its effectiveness using real attack data collected from large web clusters. Experimental results show that SkyShield can quickly reduce malicious requests while having limited impact on legitimate users. In the method of Sahoo et al. [16], an information distance-based flow discriminator framework has been discussed, which can discriminate DDoS traffic during flash events in a software-defined network (SDN) environment, that is, legitimate traffic that looks similar. e information distance metric is used to describe the variations of traffic behavior of such events. e simulation results show that the information distance metric can effectively identify the DDoS traffic [17]. e paper of Jiahao Cao et al. [18] systematically studies the impacts of attack on various network applications in a real SDN test bed. Experiments show that the attack significantly degrades the performance of existing network applications and causes serious network anomalies, e.g., routing black hole, flow table resetting, and even network-wide DoS.
Procopiou et al. [19] propose ForChaos, a lightweight detection algorithm for IoT devices, which is based on forecasting and chaos theory to identify flooding and DDoS attacks. In NS-3, the detection algorithm is evaluated through a series of experiments in flooding and slow-rate DDoS attacks. Sardana et al. [20] propose an integrated honeypot framework for active detection, characterization, and redirection of DDoS attacks at the ISP level. e authors evaluate the impact of DDoS flood attack on effective throughput, average transaction failure interval time, and average response time as parameters under different operation modes and use the framework to defend against highrate DDoS attack by referring to impact value.
Most of the relevant studies rely on subjective empirical judgment and lack of objectivity and use fewer metrics, so the conclusions may be biased. In this paper, a measurement method of AL-DDoS attack and defense utility is proposed to calculate the effects of AL-DDoS attack. By comparing the simulation experiment data with the related technical data, the effectiveness, objectivity, and accuracy of the method are verified.

AL-DDOS Attack and Defense Utility and Calculation Model
Attack and defense behaviors are defined in the network: from the perspective of network objects and their interconnection, attack or defense behavior refers to a series of state changes caused by attacks or defense methods in the network. e network status change caused by the attack process can be described as an attack behavior. e weakening of the attack effect caused by the defensive means leading to the change of the network state can be defined as defensive behavior. e attack behavior is composed of five basic elements, among which the behavior subject is the attack initiator, that is, the hacker. e object of behavior is the target of attack, namely, the network system. e behavior environment is the network environment where the attack process is located. e behavior means are the resources used in the network when the attack is launched. e behavior result is the agreement degree between the expected attack result and the actual attack result during the attack. By analogy, the basic elements of defensive behavior are as follows. e behavior subject is the defensive measure. e behavior object is the target of defense, that is, the source of attack. e behavior environment refers to the network environment in the process of defense. e behavior means is the resource in the network when the defense measures are launched. e behavior result is the agreement degree between the expected defense result and the actual defense result after the attack process [21].
Based on the analysis of sociology and network behavior, attack and defense behavior have the following features: (1) Purpose: the occurrence of attack and defense behavior must be accompanied by purpose, in which the attack behavior will not affect the network for no reason, and the defense behavior will not work without being attacked. (2) Persistence: attack and defense behaviors each point to their own goals. Generally, attack and defense behavior will not terminate until the goal is completed. When attack and defense behaviors are in effect, they may change their behaviors due to the difficulty of achieving the goal, but attack and defense behaviors are persistent. (3) Variability: the mode of attack and defense behaviors may be gradually optimized with the continuous update of technology, and new technology may be used to achieve their goals.
Attack and defense behavior impact refers to the network status change caused by attack and defense behavior through a series of operations. Before a multitude of attack and defense behaviors function to the network system, the network status value needs to be set to S. e network status value after attack and defense behavior is set to S′, and the status value rate is used to calculate comprehensive attack and defense forces F AD � S ′ /S. Attack and defense behavior is shown in Figure 1.
As is shown in Figure 2, the essence of network system security is a balance between attack and defense. In a specific network scene, network attack and defense are regarded as behaviors, which can establish network system security judgments and identification of the behavior utility standards. e definition of attack and defense utility is as follows: Suppose the attack function is A, the defense function is D, and the combined attack and defense force is F AD � A − D (if F is greater than 0, it indicates that the defense function cannot resist the attack; if F is less than or equal to 0, the defense function can resist the current scale of attack).
After calculating the attack and defense force, the attack and defense utility is the sum of the effects caused by the attack and defense forces, which is used to represent the comprehensive effect of the network system after the combination of attack and defense in the process [22]. e attack and defense utility is shown in Figure 3.
By calculating the utility value of the attack and defense behavior of the network system, the effects of various AL-DDoS attack and defense methods can be accurately and objectively obtained. e calculated value of attack and defense utility can provide a more complete and objective evaluation standard for researchers in network security measurement field. e mathematical methods of evaluating attack and defense behavior are more objective and easy to compare with other methods.

Attack and Defense Utility Calculation Model.
When an attack occurs, the relevant metric status of the network will change. No single network metric can completely represent an attack. erefore, the network status can be obtained by combining the metric values according to the changes of various metrics in the network during the attack.
In this method, the metrics in the network are taken as dimensions in the n-dimensional space, and each metric corresponds to a vector in the space. e change of the metric means that the length of the vector will change. e AL-DDoS attack utility calculation model is divided into three steps: the first step is to determine the corresponding metric items according to the attack and defense features and map each metric to the n-dimensional parallelotope to calculate the parallel volume. e second step is to obtain the status value of the network system by the parallel volume. e third step is to calculate the change rate of the parallel volume according to the selection of threshold value and the calculation method of attack and defense utility and then compare the change rate with the threshold value to obtain the attack and defense utility value. Finally, the attack and defense utility value during the attack is obtained by calculating the average attack and defense value.
In this calculation method, the attack and defense effect should be compared with the threshold. e calculation method of threshold set is the calculation result of node status value by measuring the compound metric value without attack and defense effect. According to the average record, after an AL-DDoS attack, the average time for the defender to detect the attack is 1-5 hours. It is recommended to collect far more than the operation status of the server within 5 hours. rough the analysis of server data records, network analysis, application services, and other relevant indicators, the status value within 1-5 hours that is the most stable data fluctuation and relatively consistent with the legal access behavior track is selected as the threshold.
In the simulation, the attack strength is preset to 1, and the defense base strength is preset to 0. e current attack method and the effect of attack strength are obtained by calculating the change rate of the node status value caused by the attack effect. Under the condition that the initial value of node status is set to 0, that is, without adding defense measures, the attack effect is equal to the node status value. e calculation method of the defense effect can be derived in this way. Based on the variability of attack and defense behaviors, in order to ensure the universality of the calculation results of attack and defense effects, it is necessary to obtain the average attack effect within a certain period of time after the change of attack intensity is obtained by analyzing attack effect at each moment. In this way, the peak and minimum values of the attack effect are eliminated to fully describe the attack effect.
On the premise that the time span remains unchanged, the calculation method of attack and defense is shown in Table 1. Table 1 lists the change value of the attack effect caused by the change of the attack strength and the change amount of the defense effect caused by the accumulation of defense measures. e data in the table are abstract values. e attack and defense utility value can be used to describe the total attack on the network system during the attack and the total defense capability during the attack and defense. In AL-DDoS attacks, the attack traffic is not constant under normal circumstances, and the influence of network traffic is limited by many factors. erefore, the expression of the attack effect can obtain the attack size at a certain point, but it cannot reflect the impact of the attack in the entire attack process.
On the basis of threshold value, the size of the attack effect at each moment can be obtained, and then the attack utility can be used to illustrate the impact value caused by the attack type during the entire attack process. In other words, the utility is the sum of the effects and the cumulative amount of the attack effect changing with time. If the attack effect size is F, when setting and selecting the threshold, the attack effect is 0, and the attack effect is also 0. If an attack occurs, set t 1 attack effect to be F 1 , t 2 attack effect to be F 2 , and t n attack effect to be F n . Based on the threshold setting, the calculation method of attack utility E is e attack scale and intensity may change during the attack, but when the defense measures are attacked, it is  necessary to know whether the defense effect is constant. e defense effect can be obtained by comparing different attack effects. In this case, the average attack force will be calculated.

Utility Calculation Metric Selection.
It is important to select appropriate metric to measure and analyze the impact value of attacks. As for the selection of metrics, the existing metrics when calculating the impact of the current DDoS attack are as follows. Sardana et al. [20] select effective network throughput, average access failure time and average response time as metrics in the measurement method. Dantas et al. [23] use the volume of traffic as the measurement metric. In the calculation method of influence value based on user service quality, the selected metrics are successful transaction rate, average response time, number of connections, average service rate, and request rate. Comprehensive consideration of network traffic, hardware performance and other related indicators will be more suitable for analyzing the impact of DDoS attacks. 6 metrics were selected using the proposed metric selection [24].
(1) Network throughput rate: network throughput rate is used to describe the total number of data packets received and sent by the network card in the server during the attack. ese data packets not only include the packets generated by normal user access, but also calculate the packets generated by attackers. (2) TCP data segment transmission rate: AL-DDoS attacks may take advantage of the three-handshake mechanism of the TCP protocol to attack the server. e number of TCP segments is used to describe the number of TCP segments at any time during the attack.
(3) IP datagram transmission rate: in attack detection technology, IP datagrams are usually used to analyze the structure of datagram to detect the occurrence of attacks. Because of the nature of the TCP/IP protocol, it is essential to analyze the TCP data segment transmission rate and the IP datagram transmission rate.
(4) Transaction failure rate: when there are a large number of attacker requests in the server, the successful server accessing rate will be greatly affected due to bandwidth, server performance, and other factors. e failure rate is the ratio of the number of failed accesses to the total number of accesses at any time. According to the purposes and characteristics of AL-DDoS attacks, the access failure rate is the most important metric to detect attack. (5) Average traffic arrival time: the average traffic arrival time refers to the time it takes to successfully access the server. When an AL-DDoS attack occurs, the average server response time must increase. As the attack strength increases, access timeouts may occur. (6) Server CPU utilization: when an attack sends a large number of high-frequency service requests to the target server, the server will be busy providing response resources to the attacker, and the occupation of resources will inevitably affect the performance of the server hardware.

Network State Value Calculation.
Given the combination of the current attack size and defense effect, the server status value represents the server status at each moment. In the calculation process, the average value of server status at each moment in the entire attack and defense process is selected as the calculation result [25]. e specific calculation steps are as follows. e first step is to construct an n-dimensional matrix. In this calculation model, the values of the six metrics are, respectively, set as m 1 , m 2 , m 3 , m 4 , m 5 , m 6 . As mentioned above, each metric is a linearly independent vector in the n-dimensional Euclidean space V. erefore, six metrics are selected to map to the vector dimension in the six-dimensional space, and the vectors are expressed as erefore, the 6-dimensional matrix composed of these six vectors can be expressed as a diagonal matrix, namely, As is shown in Figure 4, this is a 4-dimensional parallelotope. e second step is to calculate the volume of parallelotope in 6-dimensional space. e volume of parallelotope composed of six vectors in six-dimensional Euclidean space is as follows:

Security and Communication Networks
where h 6  erefore, the network status value at a certain time t is the determinant of the diagonal matrix M. Set the network status value to S t , and the specific calculation method is S t � |M|. (5) e third step is to calculate the arithmetic average of the network status during the attack. During the duration of attack and defense effect of the network system, the network status value at each moment is, respectively, S t 1 , S t 2 , S t 3 , . . . , S t n . erefore, the arithmetic average of the network status is as follows:

Effect Calculation.
According to the calculation model of the status value, a part of the normal operation status of the network is selected and the status value S 0 is calculated. When an attack effect occurs, the change of network status value can be described by the attack effect. When the attack strength is X, the network status value is S i at time t i . en, the attack effect A Xt i is calculated as follows: e attack effect value is averaged to reasonably describe the attack force of attack type during the attack. e calculation method of average attack force is as follows: ere is a defense effect before the attack, but it is impossible to measure the defense effect. When the status value of the attacked system is obtained under the defense status of 0, the defense function is gradually added under the premise that the attack effect remains unchanged, and the defense effect is obtained through the system status value when each defense effect occurs.
If the attack intensity is X with no defense measures, the network status value is S 1 , then the attack effect at time t 1 can be set to A Xt 1 . If defense measures are added to the system at this time, the network status value is S 1 , the attack effect is changed to A Xt 1 , and the change value of attack effect is denoted as ΔA � A Xt 1 − A Xt 1 ′ . According to the formula, the calculation method of defense effect at time t 1 is expressed as e calculation method of the average defense force is as follows: 3.5. Utility Calculation. e attack and defense utility value represents the cumulative value of attack and defense effects. In the process of attack and defense, the role of attack and defense means changes at any time in practice. erefore, in the evaluation process, it is necessary to obtain the utility value of two kinds of effects in the whole process; that is, the utility value can represent the total amount of the attack and defense effects in the process.
According to the calculation results obtained in (7) and (9), if the attack duration is t, the attack intensity is X, and the defense intensity is Y, and the average attack force is denoted as A X , and the average defense force is D X , then the calculation methods of attack utility E A and defense utility E D are as follows: According to the calculation result of the attack and defense utility value, it can be concluded that the defense measures can resist a certain attack effect, and then the concept of defense efficiency is proposed. According to (11), when the defense is 0, it can be concluded that the attack utility value is E A at the certain time t. After adding defense measures to the current system, the attack utility is E A . en, the calculation method of defense efficiency D E is

Experiment Design.
According to the general attack methods and the application range of defense measures in the AL-DDoS attack types, HTTP/POST attack was selected as the attack type in the simulated attack and defense experiment, and load balancing and limiting the maximum number of connections were adopted as defense measures. Under the premise of using the same attack threads, 10, 20, and 30 attack nodes were selected to gradually increase the attack intensity. e program was designed for 10 combinations of attack and defense. e network topology of the attack and defense experiment is shown in Figure 5. e environment configuration is shown in Tables 2 and  3.
e specific implementation process is as follows. e first step is to set the combination of attack and defense scale. e specific design of 10 scales was as follows: without attack and defense effect, and 10, 20, and 30 attack nodes, respectively, in three defense modes: no defense, load balancing, and limiting the maximum number of connections. e second step is to collect experiment data. Performance monitoring tools JMeter and Spotlight are used to collect experiment data. According to the level of detail and accuracy of the tool, the experiment data were collected separately. In this simulated experiment, JMeter was used to collect three metrics, namely, server failure rate, average server access time, and peak server access traffic, while Spotlight was mainly responsible for collecting four metrics, namely, packet volume, TCP segment number, IP datagram number, and server CPU utilization. e third step is to analyze the experiment results. rough the proposed calculation model, the data collected by simulation experiment of attack and defense were calculated and the calculated results were obtained. e calculation results were compared with the existing technical results, and the rationality and correctness of the calculation results were analyzed.
It is aimed at calculating various utility values of attack and defense after the occurrence of AL-DDoS attack, so the main purpose of constructing the experiment environment is to simulate the actual AL-DDoS attack. In order to better simulate distributed attacks, 30 attack nodes were constructed in the simulation experiment, and one of the small servers deployed web applications as the target. e environment was divided into three subnets by IP, which were connected by switches, respectively, and the network topology is a star structure.

Effect Calculation Result.
According to the experiment steps, two defense methods were selected for comparison experiments, namely, load balancing and limiting the maximum number of database connections. Because load balancing defense refers to reduce server pressure through distributed deployment, the average defense effect should be calculated to evaluate its defense effect. As the attack intensity changes, the average of HTTP/POST attack effects on the network system of the current experiment is shown in Table 4.
When the number of load balancing distributed deployment machines is constant, the effect of HTTP/POST attack on the network system changes with the attack intensity. Particularly, the average defense effect of load balancing and limiting the maximum number of connections is shown in Table 4 with the change of attack intensity.

Utility Calculation Result.
According to the concept that the attack and defense utility is defined as 0 under the threshold status, the utility value and attack and defense efficiency under each combination can be calculated by using the calculation model of attack and defense utility. And the attack utility value under each attack intensity can be calculated.
Since at least 60 attack and defense data were continuously collected in this attack experiment, the time was set to 60.

Experiment Analysis.
e defense efficiency of load balancing and limiting the maximum number of connections in the combination of HTTP/POST attack intensity are shown in Figure 6.
According to Figure 6, when the attack intensity is small, the defense effect of load balancing is larger, and the defense effect of limiting the maximum number of connections is relatively negligible. As the attack strength increases, the defense utility of limiting the maximum number of connections increases exponentially, far exceeding the defense utility of load balancing. is shows that when the attack intensity is small, the load balancing defense effect is good, and limiting the maximum number of connections can resist large-scale DDoS attacks.
As is shown in Figures 6 and 7, when the attack intensity is 10 nodes, the maximum number of connections obviously exceeds the number of connections sent by the attacker, and the defense effect is close to 0. When the attack intensity is 20 nodes, it can be seen that the set maximum number of connections can resist some attacks. When the attack intensity is 30 attack nodes, it can be observed that the system can almost completely resist the current scale attacks. is also raises the question of how to set the number of connections. If the limit is set too high, the system may not be able to resist the current strength of the attack. If the limit is set too small, it will easily lead to congestion or overflow and other abnormal phenomena, affecting the normal operation of the system. erefore, we can judge how to set the maximum number of connections based on the existing Security and Communication Networks experiment data and analyze the calculation results of this experiment.

Experiment Comparison.
rough the study of the current AL-DDoS attack effect evaluation technology, a method is selected that Mirkovic [26] puts forward for the use of the user's quality of service (QoS) as a measure model. In the comparison technique, the author chooses the transaction failure rate as a measure of the QoS of various services. e author puts forward the method of calculating the amount of customer QoS degradation.
N is the QoS degradation, t is threshold, and d is the value greater than the threshold value. e value of QoS degradation N means that the service of transaction failure is N times the service that the user can tolerate. As calculated by the experiment data, the transaction threshold of failure rate is 0.075%. In order to show clearly, the attack utility is reduced by 10 14 times in the figure.
As is shown in Figure 8, the utility method is more effective to determine the impact of an attack. e calculation model comprehensively considers the metric values of the impact of various AL-DDoS attack on the network system. erefore, this method can obtain more comprehensive, accurate, and reasonable results compared with the existing methods.      accurately obtain the attack and defense impact value. is method has certain accuracy and objectivity and can judge the impact of attack and defense and the occurrence of potential attacks in real time.

Conclusion
Some factors are analyzed such as the characteristics of AL-DDoS attack and defense utility and the selection method of the existing indicators, and then the 6 metrics are selected. e attack and defense impact on the network itself and the impact on users are both considered, so as to accurately and objectively describe the network attack and defense behavior. For various network attacks, the metrics may be different, but traffic attacks also can use these metrics. Different models can be compared, so the method is objective.
Existing evaluation methods used to describe the measure results of the proposed concept lack theoretical support, while the concept of utility is used to describe the attack effect value. e concept of attack and defense utility is put forward by analyzing the characteristics of network behavior and combining traditional theory. e theoretical support makes the utility more reliable. At the same time, it is proposed to use hyperparallel volume to describe the network status. Based on this method, any number of indicators can be combined and calculated. Hyperparallel is used to map network space, which is an innovative attempt to network structure and interactive mathematical modeling. e measurement is based on some certain information such as traffic, so the conclusion is objective. For example, the role and defense efficiency of defense technology in the attack can be analyzed separately, the attack effect on the network at a certain time can be analyzed, the status value that can be used to describe the network can be obtained, the attack and defense efficiency value can be calculated, and finally the attack and defense utility value can be calculated.
is method is more objective and effective than traditional methods. is method has smaller deviation and higher accuracy compared with single or few index methods.
is method also provides a reference for various attack and defense methods. e use of mathematical methods to evaluate attack and defense behavior is more objective and easier to compare. More attack and defense methods can be used to conduct combined experiments on network systems for security evaluation against AL-DDoS attacks, so as to verify the utility of other attack and defense methods on the target network. ese 6 metrics are selected only for AL-DDoS attacks. ese metrics are mainly suitable for traffic attacks. For other types of attacks, the calculation model is suitable but the metrics may be different. In the experiment design, the attack strength change. Attack and defense types are limited.
ere are only three changes in attack strength. e subdivision of the experiment is not enough.
In future work, we may try other different types of datasets, change other metrics, and conduct attack and defense experiments. Attack and defense experiments with smaller gradient changes and more types will be designed.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest regarding the publication of this paper.