基于TCP缓存的DDoS攻击检测算法

由拒绝服务攻击（DOS）发展而来的分布式拒绝服务攻击（DDoS）已成为目前网络安全的主要威胁之一。从分析TCP缓存入手,提出一种基于缓冲区检测的DDoS检测算法。结合历史连接记录来对TCP缓存进行分析,生成特征向量,通过BP神经网络检测TCP缓存异常程度,根据异常程度判断是否发生攻击。实验结果表明,该算法能迅速准确地检测出DDoS攻击,有效阻止DDoS攻击的发生。     

基于重尾特性的SYN洪流检测方法

单独以SYN/TCP值判断网络是否发生SYN洪流攻击的检测效率较低,且SYN 洪流攻击不能模拟正常网络流量的重尾分布特性。该文提出将SYN/TCP的统计阈值和流量重尾特性相结合来检测SYN洪流攻击的方法,并用MIT的林肯实验室数据进行了实验。实验证明该方法简便、快捷、有效。     

基于统计特征的SYN Flood检测方法

SYN Flood是当前最流行的拒绝服务(DoS)与分布式拒绝服务(DDoS)攻击方式。从构造一个SYN攻击报文的角度分析,SYN Flood攻击会引起网络中基于IP地址、标志位、端口号、序列号的统计特征异常,因此提出一种基于统计特征的SYN Flood攻击检测的方法。该方法首先从半连接队列中获取半连接信息,从全连接队列中获取IP地址存入BloomFilter中,再分别提取其统计特征,最后使用LMBP神经网络得到检测结果。实验结果表明该算法与其他算法相比具有更好的检测效果。     

状态协议分析技术在TCP中的应用

入侵检测系统已经日益成为网络安全系统的重要组成部分,成为网络安全必不可少的的一部分。其核心技术就是针对攻击所采用的检测技术。就目前而言网络攻击以拒绝服务攻击居多,而拒绝服务攻击大多数都与TCP相关,因此,应根据TCP的有关特性设计出相应的检测方法。文中介绍了TCP报文的封装情况、TCP报文段格式规定和TCP连接中的“三次握手”协议。然后在此基础上,从状态协议分析的角度出发,对与TCP相关的“TCP SYN洪水”攻击进行描述,并提出了相应的解决办法。     

状态协议分析技术在TCP中的应用

入侵检测系统已经日益成为网络安全系统的重要组成部分，成为网络安全必不可少的的一部分。其核心技术就是针对攻击所采用的检测技术。就目前而言网络攻击以拒绝服务攻击居多，而拒绝服务攻击大多数都与TCP相关，因此，应根据TCP的有关特性设计出相应的检测方法。文中介绍了TCP报文的封装情况、TCP报文段格式规定和TCP连接中的“三次握手”协议。然后在此基础上，从状态协议分析的角度出发，对与TCP相关的“TCP SYN洪水”攻击进行描述，并提出了相应的解决办法。     

基于Linux平台的新的SYN Flood防御模型研究

SYN Flood是一种典型的拒绝服务攻击技术,它利用TCP协议的安全漏洞危害网络,目前还没有很好的办法彻底解决SYN Flood攻击问题。分析了3种现有的SYN Flood防御模型:SYN Cookie、SYN Gateway和SYN Proxy,提出了增强的SYN Proxy防御模型,研究了其相关的防御算法,并基于Linux平台进行了实现,最后对防御模型进行了测试。测试结果表明,增强的SYN Proxy模型能抵御高强度的SYN Flood攻击,较之现有的模型有更好的优越性。     

基于SYN Cookie下防分布式拒绝服务攻击算法的分析与实现

介绍了分布式拒绝服务（Distributed Denial of Service,DDoS）根据TCP/IP缺陷的攻击原理,在分析了数据包流量与系统资源使用率检测的基础上,提出了在SYN Cookie中引入RSA公钥加密过滤TCP/IP数据包的方法,用来检测与降低DDoS攻击的危害,该方法在实验中的测试阶段取得了较好的效果。     

浅议TCP SYN Flooding攻击

介绍了TCP协议建立连接的过程及存在的安全问题，以及由此而引起的TCP SYN Flooding(TCP SYN洪流)拒绝服务攻击，并介绍了几种简便有效的防范措施。     

防御TCP SYN Flood攻击的防火墙技术改进

以Linux系统防火墙为研究平台,针对DoS攻击中典型攻击方式TCP SYN Flood攻击进行分析研究,找出防火墙在防御这种攻击时的不足之处。通过在Linux的内核中添加改进后的算法模块实现改进,使防火墙在工作时功能得到完善。通过测试表明该改进在一定的范围内,可以有效地抵御TCP SYN Flood攻击。     

一种基于Patricia树的检测Syn Flood攻击的方法

分析TSynnood攻击的原理、攻击的方式及其基本特征。利用Patricia树进行SYN流量统计，并提出了改进的TCP连接状态检测。试验表明，该检测算法在占用很少系统资源的情况下，准确检测到Synflood攻击。     

Change-point monitoring for the detection of DoS attacks

This paper presents a simple and robust mechanism, called change-point monitoring (CPM), to detect denial of service (DoS) attacks. The core of CPM is based on the inherent network protocol behavior and is an instance of the sequential change point detection. To make the detection mechanism insensitive to sites and traffic patterns, a nonparametric cumulative sum (CUSUM) method is applied, thus making the detection mechanism robust, more generally applicable, and its deployment much easier. CPM does not require per-flow state information and only introduces a few variables to record the protocol behaviors. The statelessness and low computation overhead of CPM make itself immune to any flooding attacks. As a case study, the efficacy of CPM is evaluated by detecting a SYN flooding attack - the most common DoS attack. The evaluation results show that CPM has short detection latency and high detection accuracy     

SYN Flooding攻击问题的分析

网络给全世界的人们带来了无限的生机的同时也带来了很多的困扰。由于多年来网络系统累积下了无数的漏洞,我们将面临的威胁与日剧增。DoS攻击是网络上最不安定的因素之一。SYN flooding攻击是DoS攻击的一种重要形式,SYN flooding是利用TCP协议3次握手时的漏洞对服务进行攻击。以SYN flooding攻击的实现为线索,对SYN flooding攻击的原理进行了深入剖析,提出了一个综合的、“内外兼休”的防御办法。     

SYN Flooding攻击原理与防御措施

SYN Flooding是最流行的DoS和DDoS攻击手段,文章分析了SYNHooding攻击原理,介绍了目前常用的检测及防御技术。     

SYN Flooding攻击原理与防御措施

SYN Flooding是最流行的DoS和DDoS攻击手段,文章分析了SYN Flooding攻击原理,介绍了目前常用的检测及防御技术。     

防御TCP拒绝服务攻击的改进方法

提出了对SYNProxy机制的改进方法,将哈希表和SYNcookie结合起来处理半连接表:在低强度攻击下采用哈希表,在高强度攻击下采用SYNCookie。在此基础上,采用位图优化哈希表算法。改进方法可以防御更大强度的攻击。改进方法已经应用在防火墙中,测试表明该方法可以防御高强度的TCP拒绝服务攻击。     

DoS Attack Detection Based on Deep Factorization Machine in SDN

Software-Defined Network (SDN) decouples the control plane of network devices from the data plane. While alleviating the problems presented in traditional network architectures, it also brings potential security risks, particularly network Denial-of-Service (DoS) attacks. While many research efforts have been devoted to identifying new features for DoS attack detection, detection methods are less accurate in detecting DoS attacks against client hosts due to the high stealth of such attacks. To solve this problem, a new method of DoS attack detection based on Deep Factorization Machine (DeepFM) is proposed in SDN. Firstly, we select the Growth Rate of Max Matched Packets (GRMMP) in SDN as detection feature. Then, the DeepFM algorithm is used to extract features from flow rules and classify them into dense and discrete features to detect DoS attacks. After training, the model can be used to infer whether SDN is under DoS attacks, and a DeepFM-based detection method for DoS attacks against client host is implemented. Simulation results show that our method can effectively detect DoS attacks in SDN. Compared with the K-Nearest Neighbor (K-NN), Artificial Neural Network (ANN) models, Support Vector Machine (SVM) and Random Forest models, our proposed method outperforms in accuracy, precision and F1 values.     

Ant-based IP traceback

The denial-of-service (DoS) attacks with the source IP address spoofing techniques has become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, causing degrading network performance or, even worse, network breakdown. A proactive approach to DoS attacks is allocating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic.

In this paper, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new type or function or processing a high volume of fine-grained data used by previous research, the proposed traceback approach uses flow level information to identify the origin of a DoS attack.

Two characteristics of ant algorithm, quick convergence and heuristic, are adopted in the proposed approach on finding the DoS attack path. Quick convergence efficiently finds out the origin of a DoS attack; heuristic gives the solution even though partial flow information is provided by the network.

The proposed method is evaluated through simulation on various network environments and two simulated real networks, NSFNET and DFN. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the networks.     

基于半连接列表的SYN泛洪攻击检测

针对攻击性极大的SYN泛洪攻击,提出一种检测方法。分析SYN 泛洪的攻击特征,在每个时间间隔,对服务器的半连接列表进行统计,计算出未确认的表项数目,采用补偿方法形成基于时间的统计序列,使用改进的变动和式累积检验(PCUSUM)算法进行检测。实验结果表明,该算法不仅能够实现快速检测,且与同类工作相比具有更低的误报率,检测结果更准确。     

在路由器上用SYN Cookie实现SYN Flood的防御

SYN Flood是目前流行的DDOS攻击手段,能够极为有效地攻击网站服务器,使得服务器资源耗尽而无法提供正常服务.由于利用了TCP/IP的协议漏洞,很难从根本上进行防范.给出一种在路由器上利用SYN Cookie机制实现对SYN Flood的防御,能够有效地保护服务器不受SYN Flood攻击,同时不会增加路由器的负担.