Similar literature
 Found 20 similar documents; search took 109 ms
1.
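Chen Cong, Zhou Lizhen. Computer Simulation (《计算机仿真》), 2021, 38(3): 346-350
To address the low tracing and localization accuracy and small filtering coverage of existing methods for tracing and filtering false network data, a false-data traceback and en-route filtering method based on Python crawler technology is proposed. The network covered by false data is divided into grids of equal size, and packets are marked with a certain probability. The Python crawler's fetching process is analyzed and, with multi-scenario applicability, a visual interface and load balancing as system design goals, a crawler manager, a collector and an embedded-browser hardware device are designed. The way the software modules cooperate is described in terms of the system's data-crawling flow. Nodes are deployed in the system and cooperative-relationship regions are established; a Bloom filter is used to generate data packets, a shared key is used to prove whether the MAC is legitimate, and the traceback process is started. During traceback, if a node holds none of the keys, it is filtered out, completing false-data traceback and en-route filtering. Simulation results show that the above method filters false data effectively and locates the source of false data with high accuracy.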

2.
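Chen Cong, Zhou Lizhen. Computer Simulation (《计算机仿真》), 2021, 38(3): 346-350
To address the low tracing and localization accuracy and small filtering coverage of existing methods for tracing and filtering false network data, a false-data traceback and en-route filtering method based on Python crawler technology is proposed. The network covered by false data is divided into grids of equal size, and packets are marked with a certain probability. The Python crawler's fetching process is analyzed and, with multi-scenario applicability, a visual interface and load balancing as system design goals, a crawler manager, a collector and an embedded-browser hardware device are designed. The way the software modules cooperate is described in terms of the system's data-crawling flow. Nodes are deployed in the system and cooperative-relationship regions are established; a Bloom filter is used to generate data packets, a shared key is used to prove whether the MAC is legitimate, and the traceback process is started. During traceback, if a node holds none of the keys, it is filtered out, completing false-data traceback and en-route filtering. Simulation results show that the above method filters false data effectively and locates the source of false data with high accuracy.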

3.
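Analysis of Network Attack Traceback Techniques for Network Forensics   Total citations: 1, self-citations: 0, citations by others: 1
Locating the source of a network attack incident and then collecting valid electronic evidence is one of the tasks of network forensics. Locating the source requires network attack traceback techniques. However, existing research on network attack traceback has mainly been carried out from a defensive perspective, with the primary goal of locating the attack source in order to block the attack promptly, and gives little consideration to the requirements of network forensics. As a result, the large amount of valuable data produced during traceback cannot be admitted as valid electronic evidence in litigation, so its value for network forensics is not fully realized. To this end, a set of forensic capability evaluation metrics is proposed for assessing the forensic capability of network attack traceback techniques; the latest traceback techniques, including those based on software-defined networking, are summarized and analyzed; their forensic capability is analyzed against the metrics and improvements are suggested for the shortcomings; finally, a network forensics process model for network attack traceback scenarios is proposed. This work provides a reference for research on forensics-oriented network attack traceback techniques.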

4.
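A General Technical Framework for Internet Traceback   Total citations: 2, self-citations: 1, citations by others: 1
In recent years, in response to network threats, academia has proposed and developed network traceback techniques, giving rise to a variety of traceback schemes. However, most traceback research concentrates on specific traceback techniques and algorithms, and little has been done on a technical framework for network traceback. This paper analyzes traceback techniques in terms of cooperative and non-cooperative network domains, proposes a traceback scheme for non-cooperative domains, and designs a general technical framework for Internet traceback that unifies multiple effective traceback techniques or methods, exploits the strengths of each, achieves traceback capability across the global Internet, and makes network security protection more proactive and effective.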

5.
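Liu Yaozong, Liu Yunheng. Computer Science (《计算机科学》), 2018, 45(Z11): 367-368, 381
In recent years, blockchain technology has developed continuously, attracted wide attention, and is generally regarded as an important tool for solving data security problems. RFID big data is an important data source in the Internet of Things, and its security requirements are also very high. Data provenance tracing is one of the important application areas of RFID IoT technology and is currently widely used for tracing the origin of agricultural and livestock products, tracing raw materials and components in industrial production, and anti-counterfeiting of consumer goods. Blockchain plays an important role in improving the security of big-data provenance. This paper proposes an RFID big-data provenance security model based on blockchain technology and applies blockchain in the tracing of RFID big data, forming a provenance chain with multi-party participation in which information is transparent, shared and authentic. Blockchain ledgers are established at multiple stages such as the production, processing and sale of RFID-traced items, building an end-to-end chained provenance path for RFID big data that reaches the end user directly, thereby achieving secure provenance management of RFID big data.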

6.
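Shen Xueli, Shen Jie. Journal of Computer Applications (《计算机应用》), 2015, 35(6): 1705-1709
To address the serious threat that distributed denial-of-service (DDoS) attacks pose to networks, a DDoS attack traceback optimization method based on autonomous systems (AS) and dynamic probabilistic packet marking (DPPM) is proposed. A new packet marking scheme is designed that uses two sets of marks, a domain mark and a route mark, for inter-domain and intra-domain traceback respectively. Domain marking and route marking proceed simultaneously, and marking uses a dynamic packet marking method. Finally, the attacking node is traced quickly through inter-domain and intra-domain path reconstruction. Experimental results show that the algorithm is efficient and feasible, and can provide an important basis for defending against DDoS attacks.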

7.
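Hierarchical Analysis of Network Attack Traceback   Total citations: 1, self-citations: 0, citations by others: 1
In recent years, network attack traceback techniques have been proposed to defend effectively against network attacks by tracing and locating the attack source. Once the attack source is determined, a network security system can isolate it or use other means to restrict the attack and minimize its damage. Because attack traceback can give network defense more accurate information such as the attack source and path, allowing the defender to apply targeted protection strategies, the related techniques and research have received growing attention and development. This paper introduces the four-level division of traceback, focuses on the problems at each level, and discusses in depth the corresponding techniques and tracing processes, in order to give a comprehensive description of traceback and improve the understanding of network attack traceback.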

8.
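Targeted network attacks pose a great threat to cyberspace security and have even become a major form of cyber confrontation between states. This paper holds that targeted network attacks are hard to avoid and that traditional defense systems centered on identifying and blocking attacks cannot cope well with complex, advanced targeted attacks, and therefore proposes traceback as a deterrent means of defense. The paper gives a formal definition and classification of targeted network attack traceback; drawing fully on research in areas such as cyber deception, it proposes tracing targeted attacks by building network and system environments that combine the virtual and the real and by combining active and passive approaches; it builds a targeted network attack traceback model with six layers, namely network services, host terminals, file data, control channels, behavioral features, and mining and analysis, and systematically explains the meaning and main technical means of each layer; on the basis of this model, it establishes a defense-in-depth traceback system organized around "deception environment construction", "multi-source clue extraction" and "clue analysis and mining" to trace targeted attacks along multiple dimensions; and, drawing on existing attack models, traceback theory and typical traceback cases, it argues for the effectiveness of the model.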

9.
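A tracing algorithm for distributed denial-of-service attacks based on autonomous system cooperation is proposed. In this algorithm, autonomous system border routers mark passing packets with their AS information with a certain probability, and the victim can reconstruct the attack path from the path information marked in the packets and thereby trace the attack source. The authenticated marking method effectively prevents attackers from forging and tampering with the path information in packets. Compared with other tracing algorithms, this algorithm traces the attack source quickly and in real time, effectively keeps attack traffic from entering other networks, and promptly mitigates the impact of the attack.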

10.
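In wireless sensor networks, captured malicious nodes can launch false data injection attacks, that is, continually issue false data to exhaust network resources. To counter this type of attack, the attacking node must be traced and located quickly, and a traceback strategy based on neighbor node information is proposed. In this strategy, each node stores information about its two-hop neighbors, and the node sending a packet is authenticated with a one-way key chain, which prevents malicious nodes from forging the identity of other nodes to send data. The two communicating nodes and their common neighbors record feature information of the packets they receive. When a false data injection attack is present in the network, because the neighbors of the en-route forwarding nodes all store packet feature information, the sink node can use it to trace back hop by hop to the attacking node. Because part of the sensor nodes' storage is used, the method can locate the attacking node without collecting a large number of attack packets; at the same time, the properties of the method ensure that the traceback process is not affected by routing changes, making it more robust. Both theoretical analysis and experimental results show that the strategy not only locates malicious nodes with high efficiency but also tolerates dynamic routing changes and can cope with collusion attacks.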

11.
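Qi Kaicheng, Mao Jingli, Xia Zhibin. Software (《软件》), 2013, 34(5): 112-115
With IPv4 address resources gradually running out and IPv6 deployment requiring a considerable amount of time, China's networks will, now and for a long time to come, be in a state where IPv4 and IPv6 coexist. At the same time, many kinds of denial-of-service attacks exist in the network. This paper aims to propose an attack traceback system suitable for IPv6 network environments, using a network traceback technique based on analysis of network-layer packets. When processing network-layer five-tuple data, using a dual BloomFilter can significantly improve traceback accuracy and reduce time and space consumption.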

12.
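Ren Xiuli, Zhang Chen. Computer Engineering (《计算机工程》), 2012, 38(24): 115-118
In wireless sensor networks, captured nodes inject large amounts of false data into the network. To address this, an enhanced en-route filtering scheme is proposed. Encryption keys and verification keys are used to prevent en-route nodes from tampering with data; a security enhancement scheme addresses the problem of en-route nodes being unable to forward and check data after being compromised; the keys of backup nodes are used to verify the correctness of forwarded data and thereby filter false data; and a MAX_FALSE parameter is introduced to eliminate the effect of partially false data on the data received by the base station. Simulation results show that, compared with SEF, DEF and FIMA, the scheme has stronger filtering capability and lower energy consumption.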

13.
IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process, adds little additional load to routers, and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

14.
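Research on a New Deterministic Packet Marking IP Traceback Algorithm   Total citations: 1, self-citations: 0, citations by others: 1
Current IP traceback is based on reverse full-path tracing, which requires the cooperation of ISPs, and obtaining the cooperation of all ISPs is difficult. A new IP traceback algorithm based on deterministic packet marking is proposed here. The implementation requires very little bandwidth and processing cost, can trace DoS attacks produced by a single packet, and does not need to reveal the internal structure of the network topology.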

15.
In a hostile environment, sensor nodes may be compromised and then be used to launch various attacks. One severe attack is false data injection which is becoming a serious threat to wireless sensor networks. An attacker uses the compromised node to flood the network and exhaust network resources by injecting a large number of bogus packets. In this paper, we study how to locate the attack node using a framework of packet marking and packet logging. We propose a combined packet marking and logging scheme for traceback (CPMLT). In CPMLT, one packet can be marked by up to M nodes, each node marks a packet with certain probability. When one packet is marked by M nodes, the next marking node will log this packet. Through combining packet marking and logging, we can reconstruct the entire attack path to locate the attack node by collecting enough packets. In our simulation, CPMLT achieves fast traceback with little logging overhead.

16.
In sensor networks, a compromised node can either generate fabricated reports with false votes or inject false votes into real reports, which causes severe damage such as false alarms, energy drain and information loss. An interleaved hop-by-hop authentication (IHA) scheme addresses the former attack by detecting and filtering false reports in a deterministic and hop-by-hop fashion. Unfortunately, in IHA, all en-route nodes must join to verify reports while only a few are necessary to the authentication procedure. In this paper, we propose a fuzzy-based interleaved multi-hop authentication scheme based on IHA. In our scheme, the fuzzy logic system only selects some nodes for verification based on the network characteristics. Moreover, we apply a voting method and a hash-based key assignment mechanism to improve network security. Through performance evaluation, the proposed scheme is found to save up to 13% of the energy consumption and to provide more network protection compared to IHA.

17.
Service-oriented computing (SOC), due to its distributed and loosely coupled nature, is very vulnerable to distributed denial of service (DDoS) attacks. IP spoofing makes it difficult for the victim to determine the packet's origin. There is a need for a mechanism that could enable real-time traceback of the origins of the attacks. In this paper, we propose a novel protocol, fast autonomous system traceback (FAST), to trace back to the attack originating autonomous systems (AS). The multifold advantages of FAST include that reconstruction requires just around 5–10 packets and that reconstruction takes just a few seconds. We validate the performance through extensive simulations over the datasets obtained from traceroute.

18.
Wireless sensor networks have recently emerged as a promising computing model for many civilian and military applications. Sensor nodes in such a network are subject to varying forms of attacks since they are left unattended after deployment. Compromised nodes can, for example, tamper with legitimate reports or inject false reports in order to either distract the user from reaching the right decision or deplete the precious energy of relay nodes. Most of the current designs take the en-network detection approach: misbehaved nodes are detected by their neighboring watchdog nodes; false reports are detected and dropped by trusted en-route relay nodes, etc. However, en-network designs are insufficient to defend against collaborative attacks when many compromised nodes collude with each other in the network. In this paper we propose COOL, a COmpromised nOde Locator for detecting and locating compromised nodes once they misbehave in the network. It is based on the observation that for a well-behaved sensor node, the set of outgoing messages should be equal to the set of incoming and locally generated or dropped messages. However, comparing the message sets for different nodes is not enough to identify attacks as their sanity is unknown. We exploit a proven collision-resilient hashing scheme, termed incremental hashing, to sign the incoming, outgoing and locally generated/dropped message sets. The hash values are then sent to the sink for trusted comparisons. We discuss how to securely collect these hash values and then confidently locate compromised nodes. The scheme can also be combined with existing en-route false report filtering schemes to achieve both early false report dropping and accurate compromised nodes isolation. Through identifying and excluding compromised nodes, the COOL protocol prevents further damages from these nodes and forms a reliable and energy-conserving sensor network.

19.
The research community has proposed numerous network security solutions, each dealing with a specific problem such as address spoofing, denial-of-service attacks, denial-of-quality attacks, reflection attacks, viruses, or worms. However, due to the lack of fundamental support from the Internet, individual solutions often share little common ground in their design, which causes a practical problem: deploying all these vastly different solutions will add exceedingly high complexity to the Internet routers. In this paper, we propose a simple generic extension to the Internet, providing a new type of information, called path addresses, that simplify the design of security systems for packet filtering, fair resource allocation, packet classification, IP traceback, filter push-back, etc. IP addresses are owned by end hosts; path addresses are owned by the network core, which is beyond the reach of the hosts. We describe how to enhance the Internet protocols for path addresses that meet the uniqueness requirement, completeness requirement, safety requirement, and incrementally deployable requirement. We evaluate the performance of our scheme both analytically and by simulations, which show that, at small overhead, the false positive ratio and the false negative ratio can both be made negligibly small.

20.
Network watermarking schemes have been proposed to trace secret network attack flows transferred through stepping stones as well as anonymous channels. However, most existing network flow watermark detection techniques focus on a fixed sample size of network data to achieve the required accuracy. Irrespective of the uncertainty or information content of successive observations, such detection techniques will result in low efficiency of watermark detection. We herein propose a novel sequential watermark detection model (SWDM) supporting three sequential detectors for efficient traceback of network attack flows. By exploiting the sequential probability ratio test approach, we first propose the intuitive paired-intervals-based optimum watermark detector (POWD) and the single-interval-based optimum watermark detector (SOWD) under the assumption of known parameters of the observed attack flow. We then propose the sequential sign watermark detector (SSWD) that operates on two-level quantized observations for nonparametric watermark detection. Based on our SWDM model, a statistical analysis of sequential detectors, with no assumptions or limitations concerning the distribution of the timing of packets, proves their effectiveness despite traffic timing perturbations. The experiments using a large number of synthetically-generated SSH traffic flows demonstrate that there is a significant advantage in using our sequential watermark detectors based on the proposed SWDM model over the existing fixed sample size watermark detector (FSWD). Compared to the FSWD detector, the POWD detector achieves almost 28% savings in the average number of packets. Especially, given the required probability of detection errors, the SOWD detector and the SSWD detector can achieve almost 47% and 29% savings, respectively, in the average number of required packets, thus resulting in not only guaranteed rates of detection errors but also high efficiency of flow traceback.
