网络攻击追踪技术性能分析

DoS攻击(拒绝服务攻击)和DDoS攻击(分布式拒绝服务攻击)IP追踪目前成为当今网络安全领域中最难解决的问题,IP追踪系统目的是在数据包源地址非真时识别出IP数据包源地址.对一些解决该问题最有前景的追踪技术进行了比较,以寻找更有效方法,并提出了一个新的IP追踪系统,该系统能够只用一个数据包就可以实现追踪而不需要受害者数据包.     

基于SYN的DDoS攻击的判定和过滤机制

介绍了基于SYN的分布式拒绝服务(Distributed Denial of Service, DDoS)的原理,提出基于数据包流量的检测方法及包过滤机制.通过计算当前瞬时流量与预测流量的偏离程度及半连接数量,判断主机是否受到攻击.攻击发生后.通过在SYN包中加入认证码进行过滤,降低分布式拒绝服务攻击的危害.     

拒绝服务攻击检测与防御研究

本文分析了常见的拒绝服务攻击的检测方法:基于流量的检测、基于源IP地址的检测和基于数据包属性的检测,并讨论了几种检测机制的优缺点.对于拒绝服务攻击的防御,着重分析了基于出口过滤的防御机制、基于数据包危险度的流量控制和IP回溯机制.     

DDoS攻击检测技术研究

分布式拒绝服务攻击是网络安全的重大威胁之一。传统的根据流量特征来检测拒绝服务攻击的方法,无法适用于分布式拒绝服务攻击的检测。文章介绍了一种基于CUSUM算法的检测技术,这种检测方法可以有效识别分布式拒绝服务攻击。     

基于TTL阈值分析的检测伪造数据包方法

在基于TTL分析的检测技术基础上提出了一种基于异常TTL 阈值分析的源地址伪造数据包检测方法,综合主动和被动两种检测技术,设计了一种有效的混合型源地址伪造数据包检测方法,同时用2500个正常数据包和2500个TTL值异常的伪造数据包来模拟遭受攻击,通过模拟实验结果对该方法的优缺点进行了分析,最后给出了该方法的优缺点并提出了改进策略.     

防御DDoS攻击的智能过滤模型

拒绝服务攻击(DoS)和分布式拒绝服务攻击(DDoS)已经成为网络最大的安全威胁之一,如何防御DDoS攻击已经引起了人们的广泛关注,然而关于在DDoS攻击发生时减轻攻击危害的这方面工作却很少。阐述了一种基于IP返回追踪的数据包智能过滤模型,能够在DDoS攻击正在发生时尽可能响应合法用户的请求,提高合法通信的吞吐量。     

DDoS攻击的检测与溯源探析

分布式拒绝服务攻击是当前流行的网络攻击手段之一,影响力巨大。本文主要探讨了DDoS攻击的检测方法和IP溯源技术,重点分析3种DDoS检测方法:流量、日志、数据包分析法,提出了运用数据包切片标记实现对伪造IP攻击溯源的方法。通过搭建分布式DDoS攻击实验环境,综合应用流量监控、日志分析和数据包切片标记的方法实现了对DDoS的IP溯源。通过反复实验测试,证明方法的可行性、准确率可达90%。     

一种基于历史信任数据的DDOS防御模型

分布式拒绝服务攻击给网络安全和网络服务质量带来了巨大的威胁。通过对分布式拒绝服务攻击原理及现有防御措施的分析,为了更有效防御这类攻击的发生,可以考虑在边界路由器上建立一种基于历史信任数据的源地址库的防御模型。该模型以历史信任数据库为依托,通过对异常IP包使用核心无状态公平排队算法进行源地址检测并对其处理结果做出相应的处理,可以有效、快速过滤掉异常的IP包数据,提前防止网络受到分布式拒绝服务攻击的侵害。     

基于TTL阈值分析的检测伪造数据包方法

在基于TTL分析的检测技术基础上提出了一种基于异常TTL阈值分析的源地址伪造数据包检测方法,综合主动和被动两种检测技术,设计了一种有效的混合型源地址伪造数据包检测方法,同时用2500个正常数据包和2500个TTL值异常的伪造数据包来模拟遭受攻击,通过模拟实验结果对该方法的优缺点进行了分析,最后给出了该方法的优缺点并提出了改进策略。     

一种基于历史信任数据的DDOS防御模型

分布式拒绝服务攻击给网络安全和网络服务质量带来了巨大的威胁。通过对分布式拒绝服务攻击原理及现有防御措施的分析，为了更有效防御这类攻击的发生，可以考虑在边界路由器上建立一种基于历史信任数据的源地址库的防御模型。该模型以历史信任数据库为依托，通过对异常咿包使用核心无状态公平排队算法进行源地址检测并对其处理结果做出相应的处理，可以有效、快速过滤掉异常的IP包数据，提前防止网络受到分布式拒绝服务攻击的侵害。     

Tracing DDoS Floods: An Automated Approach

We propose a Controller-Agent model that would greatly minimize distributed denial-of-service (DDoS) attacks on the Internet. We introduce a new packet marking technique and agent design that enables us to identify the approximate source of attack (nearest router) with a single packet even in the case of attacks with spoofed source addresses. Our model is invoked only during attack times, and is able to process the victims traffic separately without disturbing other traffic, it is also able to establish different attack signatures for different attacking sources and can prevent the attack traffic at the nearest router to the attacking system. It is simple in its implementation, it has fast response for any changes in attack traffic pattern, and can be incrementally deployed. Hence we believe that the model proposed in this paper seems to be a promising approach to prevent distributed denial-of-service attacks.     

神经网络和IP标记在DDoS攻击防御中的应用

DDoS(Distributed Denial of Service)攻击是在传统的DoS攻击上产生的新的网络攻击方式,是Internet面临的最严峻威胁之一,这种攻击带来巨大的网络资源消耗,影响正常的网络访问.DDoS具有分布式特征,攻击源隐蔽,而且该类攻击采用IP伪造技术,不易追踪和辨别.任何网络攻击都会产生异常流量,DDoS也不例外,分布式攻击导致这种现象更加明显.主要研究利用神经网络技术并借助IP标记辅助来甄别异常流量中的网络数据包,方法是:基于DDoS攻击总是通过多源头发起对单一目标攻击的特点,通过IP标记技术对路由器上网路包进行标记,获得反映网络流量的标记参数,作为神经网络的输入参数相量;再对BP神经网络进行训练,使其能识别DDoS攻击引起的异常流量;最后,训练成熟的神经网络即可在运行时有效地甄别并防御DDoS攻击,提高网络资源的使用效率.通过实验证明了神经网络技术防御DDoS攻击是可行和高效的.     

基于特征参数相关性的DDoS攻击检测算法

针对传统方法难以实时有效地检测分布式拒绝服务攻击(DDoS)的问题,通过DDoS攻击的基本特征分析,从理论上严格区分了DDoS攻击流和正常突发流,并且在此基础上提出了一种基于特征参数相关性的DDoS攻击检测算法.该算法能在早期检测出DDoS攻击流,而这时的DDoS攻击包特征并不明显,并且该算法能有效地区分DDoS攻击流和正常的突发流.实验结果表明了该算法的有效性和精确性.     

Enforcing a Source-end Cooperative Multilevel Defense Mechanism to Counter Flooding Attack

The exponential advancement in telecommunication embeds the Internet in every aspect of communication. Interconnections of networks all over the world impose monumental risks on the Internet. A Flooding Attack (FA) is one of the major intimidating risks on the Internet where legitimate users are prevented from accessing network services. Irrespective of the protective measures incorporated in the communication infrastructure, FA still persists due to the lack of global cooperation. Most of the existing mitigation is set up either at the traffic starting point or at the traffic ending point. Providing mitigation at one or the other end may not be a complete solution. To insist on better protection against flooding attacks, this work proposes a cooperative multilevel defense mechanism. The proposed cooperative multilevel defense mechanism consists of two-level of mitigation. In the first level, it is proposed to design a Threshold-based rate-limiting with a Spoofing Resistant Tag (TSRT), as a source end countermeasure for High-Rate Flooding Attacks (HRFA) and spoofing attacks. In the second level, the accent is to discriminate normal traffic after Distributed Denial of Service (DDoS) traffic and drop the DDoS traffic at the destination end. Flow Congruence-based Selective Pushback (FCSP), as a destination-initiated countermeasure for the Low Rate Flooding Attack (LRFA). The source and the destination cooperate to identify and block the attack. A key advantage of this cooperative mechanism is that it can distinguish and channel down the attack traffic nearer to the starting point of the attack. The presentation of the agreeable cooperative multilevel safeguard mechanism is approved through broad recreation in NS-2. The investigation and the exploratory outcomes show that the proposed plan can effectively identify and shield from the attack.     

基于主成分分析的网络流相关性研究

网络流量是由主机间的大量连接组成，并且包含各种各样的数据。大部分研究集中在整体流量的统计性质上，忽视了整体流量中不同网络流之间的微观关系。该文从微观的角度将整体流量进行分析，找出了基于源和目的IP地址的网络流之间的关系，研究了正常网络流和攻击网络流在相关性上的不同。     

Building an Identity Management Infrastructure for Today…and Tomorrow

ABSTRACT

The basis of denial of service (DoS)/distributed DoS (DDoS) attacks lies in overwhelming a victim's computer resources by flooding them with enormous traffic. This is done by compromising multiple systems that send a high volume of traffic. The traffic is often formulated in such a way that it consumes finite resources at abnormal rates either at victim or network level. In addition, spoofing of source addresses makes it difficult to combat such attacks. This paper adopts a twofold collaborative mechanism, wherein the intermediate routers are engaged in markings and the victim uses these markings for detecting and filtering the flooding attacks. The markings are used to distinguish the legitimate network traffic from the attack so as to enable the routers near the victim to filter the attack packets. The marked packets are also helpful to backtrack the true origin of the spoofed traffic, thus dropping them at the source rather than allowing them to traverse the network. To further aid in the detection of spoofed traffic, Time to Live (TTL) in the IP header is used. The mappings between the IP addresses and the markings along with the TTLs are used to find the spurious traffic. We provide numerical and simulated experimental results to show the effectiveness of the proposed system in distinguishing the legitimate traffic from the spoofed. We also give a statistical report showing the performance of our system.     

A router-based technique to mitigate reduction of quality (RoQ) attacks

We propose a router-based technique to mitigate the stealthy reduction of quality (RoQ) attacks at the routers in the Internet. The RoQ attacks have been shown to impair the QoS sensitive VoIP and the TCP traffic in the Internet. It is difficult to detect these attacks because of their low average rates. We also show that our generalized approach can detect these attacks even if they employ the source IP address spoofing, the destination IP address spoofing, and undefined periodicity to evade several router-based detection systems. The detection system operates in two phases: in phase 1, the presence of the RoQ attack is detected from the readily available per flow information at the routers, and in phase 2, the attack filtering algorithm drops the RoQ attack packets. Assuming that the attacker uses the source IP address and the destination IP address spoofing, we propose to detect the sudden increase in the traffic load of all the expired flows within a short period. In a network without RoQ attacks, we show that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. We further propose a simple filtering solution to drop the attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit. Our results show that we can successfully detect and mitigate RoQ attacks even with the source and destination IP addresses spoofed. The detection system is implemented in the ns2 simulator. In the simulations, we use the flowid field available in ns2 to implement per-flow logic, which is a combination of the source IP address, the destination IP address, the source port, and the destination port. We also discuss the real implementation of the proposed detection system.     

基于攻击特征的ARMA预测模型的DDoS攻击检测方法

分布式拒绝服务(DDoS)攻击检测是网络安全领域的研究热点。本文提出一个能综合反映DDoS攻击流的流量突发性、流非对称性、源IP地址分布性和目标IP地址集中性等多个本质特征的IP流特征(IFFV)算法,采用线性预测技术,为正常网络流的IFFV时间序列建立了简单高效的ARMA(2,1)预测模型,进而设计了一种基于IFFV预测模型的DDoS攻击检测方法(DDDP)。为了提高方法的检测准确度,提出了一种报警评估机制,减少预测误差或网络流噪声所带来的误报。实验结果表明,DDDP检测方法能够迅速、有效地检测DDoS攻击,降低误报率。     

Network traffic fusion and analysis against DDoS flooding attacks with a novel reversible sketch

Distributed Denial of Service (DDoS) flooding attacks are one of the typical attacks over the Internet. They aim to prevent normal users from accessing specific network resources. How to detect DDoS flooding attacks arises a significant and timely research topic. However, with the continuous increase of network scale, the continuous growth of network traffic brings great challenges to the detection of DDoS flooding attacks. Incomplete network traffic collection or non-real-time processing of big-volume network traffic will seriously affect the accuracy and efficiency of attack detection. Recently, sketch data structures are widely applied in high-speed networks to compress and fuse network traffic. But sketches suffer from a reversibility problem that it is difficult to reconstruct a set of keys that exhibit abnormal behavior due to the irreversibility of hash functions. In order to address the above challenges, in this paper, we first design a novel Chinese Remainder Theorem based Reversible Sketch (CRT-RS). CRT-RS is not only capable of compressing and fusing big-volume network traffic but also has the ability of reversely discovering the anomalous keys (e.g., the sources of malicious or unwanted traffic). Then, based on traffic records generated by CRT-RS, we propose a Modified Multi-chart Cumulative Sum (MM-CUSUM) algorithm that supports self-adaptive and protocol independent detection to detect DDoS flooding attacks. The performance of the proposed detection method is experimentally examined by two open source datasets. The experimental results show that the method can detect DDoS flooding attacks with efficiency, accuracy, adaptability, and protocol independability. Moreover, by comparing with other attack detection methods using sketch techniques, our method has quantifiable lower computation complexity when recovering the anomalous source addresses, which is the most important merit of the developed method.     

自适应分布式拒绝服务攻击的防御机制研究

该文提出了一种基于路由器协同的自适应分布式拒绝服务攻击的入侵检测和防御机制。该机制基于对链路拥塞的检测及丢包率的分析实现攻击检测并构造攻击特征，然后对符合攻击特征的包进行速率限制，同时将攻击特征与速率限制请求通过路由器之间的回溯追踪协议向攻击源方向逐跳传递，并在沿途经过的路由器上实施速率限制，在迅速缓解网络拥塞和抑制DDoS攻击的同时最大程度地保护了正常网络流的通信。该文还在网络仿真平台NS2上实现了该机制，实验结果表明该算法有效地实现了抑制攻击和保护正常网络流的预期目的。