移动IPv6网络中的DoS攻击

介绍了移动IPv6协议的工作原理,分析总结了移动IPv6网络中三种主要的DoS攻击。针对NS-2环境提出了一套模拟移动IPv6中DoS攻击的具体实现方案。经过对仿真实验结果分析表明,DoS攻击对移动IPv6网络性能造成很大的影响。     

Security distributed state estimation for nonlinear networked systems against DoS attacks

This paper is concerned with security distributed state estimation for nonlinear networked systems against denial‐of‐service attacks. By taking the effects of resource constraints into consideration, an event‐triggered scheme and a quantization mechanism are employed to alleviate the burden of network. A mathematical model of distributed state estimation is constructed for nonlinear networked systems against denial‐of‐service attacks. Sufficient conditions ensuring the exponential stability of the estimation error systems are obtained by utilizing the Lyapunov stability theory. The explicit expressions of the designed state estimators are acquired in terms of the linear matrix inequalities. Finally, a numerical example is used to testify the feasibility of the proposed method.     

A Markovian jump system approach to consensus of heterogeneous multiagent systems with partially unknown and uncertain attack strategies

The problem of robust leader‐following consensus of heterogeneous multiagent systems subject to deny‐of‐service attacks is investigated, where attack strategies are partially unknown and uncertain to defender. A Markovian jump system approach is proposed, that is, capable of describing the occurrence of different attack strategies, and the occurring probability of each attack strategy is represented by the transition probability of the Markovian jump model. Then, sufficient conditions are derived such that the output tracking performance can be guaranteed. In order to design the controller gains, some slack matrices are introduced, which can provide some design freedom. Finally, it is shown that the controller design results can be applied to the multivehicle position‐tracking system. The simulation results reveal that the consensus performance is much better if one has more statistics information on attacks.     

网络模拟工具在网络安全试验中的应用

目前,网络安全攻防试验存在资源耗费大、配置不灵活、无法在实际网络环境中开展等缺陷,导致网络安全攻防技术无法得到有效验证。而网络模拟技术可以以极低的成本实现对复杂环境的再现与分析,可以很好解决上述网络安全试验问题。本文重点对网络模拟工具在安全试验中的应用展开了研究和试验,在研究了常用网络模拟软件的基础上,基于NS2模拟器开展了DoS攻击试验,对试验效果和结果进行了研究和分析。     

基于OPNET的数字化变电站DoS攻击建模与仿真研究

针对智能变电站通信网络面临后果中最为严重的拒绝服务攻击(DoS)类型,首先对数字化变电站的周期性、随机性、突发性等不同特性的数据流进行了建模,随后给出了基于SYN-flood攻击原理的数字化变电站DoS攻击建模,并详细介绍了基于OPNET的仿真模块设计及实现方案;搭建了变电站星型网络站控层服务器遭受SYN-flood的攻击仿真场景,并针对变电站常见的10Base T、100Base T两种链路宽带场景进行了仿真。仿真结果展示了DoS攻击前后的站控层服务器主要性能特性以及后果,即导致服务器CPU持续处于高利用率状态;TCP连接延时增加;链路吞吐量增加以消耗链路带宽等,从而揭示DoS攻击企图达到服务器无法响应正常的业务请求即拒绝服务的目的。     

SSL协议拒绝服务攻击及其对策研究

SSL协议是电子商务中常用的一种安全电子交易协议,对信息传输起到了加密和认证的作用。该文针对最新的SSL服务器DoS工具,分析了SSL协议存在的拒绝服务漏洞,讨论了建立一个SSL连接服务端所消耗计算资源远多于客户端的原因,并提出了几种解决方案,以缓解攻击带来的危害,其中基于连接限制的解决方案可有效缓解此类问题。     

Dynamic event-based consensus of multi-agent systems with secure mode resilient to DoS attack

In this article, the resilient leaderless consensus problem for a multi-agent system (MAS) under denial-of-service(DoS) attack is investigated. The DoS attack is carried out with multiple strategies. The sufficient condition for MASs achieving consensus under multi-mode DoS attack is developed. In order to actively alleviate the influence caused by the DoS attack, the MAS switches between normal and secure modes. Once a DoS attack occurs, the agents will switch into the secure mode with a lower open-loop divergence rate. A dynamic event-based consensus protocol is proposed, driving the MAS achieve consensus while saving communication resources effectively. Moreover, rigorous proof analysis demonstrates the Zeno-free property of the developed dynamic event-triggered mechanism. Finally, a numerical simulation is provided to illustrate the effectiveness of the proposed theoretical results.     

TPAAD: Two-phase authentication system for denial of service attack detection and mitigation using machine learning in software-defined network

Software-defined networking (SDN) has received considerable attention and adoption owing to its inherent advantages, such as enhanced scalability, increased adaptability, and the ability to exercise centralized control. However, the control plane of the system is vulnerable to denial-of-service (DoS) attacks, which are a primary focus for attackers. These attacks have the potential to result in substantial delays and packet loss. In this study, we present a novel system called Two-Phase Authentication for Attack Detection that aims to enhance the security of SDN by mitigating DoS attacks. The methodology utilized in our study involves the implementation of packet filtration and machine learning classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Instead of completely deactivating the host, the emphasis lies on preventing harmful communication. Support vector machine and K-nearest neighbours algorithms were utilized for efficient detection on the CICDoS 2017 dataset. The deployed model was utilized within an environment designed for the identification of threats in SDN. Based on the observations of the banned queue, our system allows a host to reconnect when it is no longer contributing to malicious traffic. The experiments were run on a VMware Ubuntu, and an SDN environment was created using Mininet and the RYU controller. The results of the tests demonstrated enhanced performance in various aspects, including the reduction of false positives, the minimization of central processing unit utilization and control channel bandwidth consumption, the improvement of packet delivery ratio, and the decrease in the number of flow requests submitted to the controller. These results confirm that our Two-Phase Authentication for Attack Detection architecture identifies and mitigates SDN DoS attacks with low overhead.     

WLAN环境下拒绝服务攻击问题研究

文章探讨了WLAN环境下的拒绝服务(DoS,Denial of Service)攻击问题,提出了一种通过修改短帧隙(SIFS,Short Inter Frame Space)进行DoS攻击的方法,实验表明这种攻击具有较高的攻击效率。同时,对最近出现的一种针对物理层的攻击进行了具体的实验,分析了其攻击机理及危害程度。最后,结合现有协议提出了一些解决方案及安全建议,用以增强无线局域网抵抗攻击的能力。     

一种分块包标记的IP追踪方案

DDoS攻击以其高发性、高破坏力和难以防范的特点,近年来成为互联网的主要安全威胁之一．研究者们提出了多种对抗DDoS攻击的方法．：乓中,Savage等人提出的概率包标记方案以其易于实施、消耗资源小等优点,引起人们的重视．然而概率包标记方案存在两个明显缺陷：多攻击路径重构时的高误报率和高计算复杂度．在概率包标记的基础上,提出了一种分块包标记方案,该方案与概率包标记方案相比具有较低的误报率和较低的计算复杂度,因而具有更高的实际应用意义．