DDoS攻击下RED算法的仿真研究

DDoS（分布式拒绝服务）攻击数据流在发生网络拥塞的情况下并不降低它们的发送速率,充满了路由器的缓冲区,剥夺其他正常数据流的带宽。基于这一网络行为,从拥塞控制的角度来研究DDoS攻击目标端的防御机制。然后在模拟DDoS攻击环境下,对基于路由器的拥塞控制算法RED（随机早期检测）进行了仿真实验研究。实验发现,在DDoS攻击下,一些数据量很大的攻击流会大量占用带宽,从而导致了各流量之间带宽分配的不公平性,据此对拥塞控制机制提出了进一步的改进。     

DDoS攻击下RED算法的仿真研究

DDoS（分布式拒绝服务）攻击数据流在发生网络拥塞的情况下并不降低它们的发送速率,充满了路由器的缓冲区,剥夺其他正常数据流的带宽。基于这一网络行为,从拥塞控制的角度来研究DDoS攻击目标端的防御机制。然后在模拟DDoS攻击环境下,对基于路由器的拥塞控制算法RED（随机早期检测）进行了仿真实验研究。实验发现,在DDoS攻击下,一些数据量很大的攻击流会大量占用带宽,从而导致了各流量之间带宽分配的不公平性,据此对拥塞控制机制提出了进一步的改进。     

基于聚类的拥塞控制机制研究及其改进

针对基于聚类的拥塞控制(ACC)机制在解决网络拥塞时造成非恶意数据流使用带宽减少的问题,提出增强的基于聚类的拥塞控制(EACC)机制。该机制使用目的地址和丢包率对DDoS恶意数据流进行识别,并通过减少恶意数据流的使用带宽解决网络拥塞问题。实验结果表明,EACC能解决ACC存在的问题,在尽快恢复网络正常工作的同时,保障了非恶意数据流的可用带宽。     

DDoS攻击模拟实验的设计与实现

DDoS攻击数据流在发生网络拥塞的情况下并不降低他们的发送速率,充满了路由器的缓冲区,剥夺其他正常数据流的带宽。基于这一网络行为,在网络仿真器NS中设计并实现了DDoS攻击模拟实验。     

DDoS攻击下高带宽聚类的控制

DDoS攻击理,网络拥塞既不是因为一个单一的数据流,也不是因为网络流量的突然增大造成的,而是由于一个精心设计的数据流的子集——聚类。基于这一特点,从拥塞控制的角度来研究DDoS攻击目标端的防御机制。将DcbS攻击流量和正常流量在聚类过程中分开,有效控制引起拥塞的高带宽的聚类,使攻击流量无法占用正常流量的资源,从而保护受害者的网络带宽资源。在仿真环境中验证了算法的有效性,对进一步认识DDoS攻击及其防御有很大的参考价值。     

DDoS攻击下高带宽聚类的控制

DDoS攻击下,网络拥塞既不是因为一个单一的数据流,也不是因为网络流量的突然增大造成的,而是由于一个精心设计的数据流的子集--聚类.基于这一特点,从拥塞控制的角度来研究CIDoS攻击目标端的防御机制.将DDoS攻击流量和正常流量在聚类过程中分开,有效控制引起拥塞的高带宽的聚类,使攻击流量无法占用正常流量的资源,从而保护受害者的网络带宽资源.在仿真环境中验证了算法的有效性,对进一步认识DDoS攻击及其防御有很大的参考价值.     

基于ISP网络的DDoS攻击防御方法研究

针对DDoS攻击在ISP网络中的行为特点,提出了一种基于ISP网络的DDoS攻击协作防御方法.该方法从流量信息中构造出攻击会聚树,并根据攻击会聚树找出攻击数据流在ISP网络中的源,在源头对攻击数据流进行控制,从而达到在ISP网络内防御DDoS攻击的目的.该方法克服了在整个网络中防御DDoS攻击耗资巨大的缺点.实验结果表明,该方法能够快速有效了实现对DDoS攻击的防御.     

基于移动Agent的分布式拥塞控制策略

提出一种基于移动Agent分布式的拥塞控制策略DCCMA。DCCMA策略通过将网络结点和端点相结合，直接提供拥塞检测和拥塞控制机制。与传统的Reno TCP相比，大大缩短了源端点的拥塞反应时间；另一方面，在UDP应用层对其发送速率加以控制，使之体现一定的TCP友好性，同时对具有恶意攻击的数据流(如UDP Flood和TCP Flood)和传统的没有拥塞控制机制的UDP数据流(如视频流)加以惩罚和限制，降低了恶意攻击数据流的危害。仿真实验验证了该策略的有效性。     

基于源端检测的DDoS防御机制

提出了一种新型的基于源端检测的DDoS防御机制。它能够比较精确地识别DDoS攻击数据流,对DDoS攻击进行有效地防御,同时不会对网络性能造成比较大的影响,不会影响用户对网络的正常使用。讨论了如何在Windows平台上的具体实现,给出了具体实验 分析。     

基于智能蜂群算法的DDoS攻击检测系统

随着大数据应用的普及,DDoS攻击日益严重并已成为主要的网络安全问题。针对大数据环境下的DDoS攻击检测问题,设计了一种融合聚类和智能蜂群算法(DFSABC_elite)的DDoS攻击检测系统。该系统将聚类算法与智能蜂群算法相结合来进行数据流分类,用流量特征分布熵与广义似然比较判别因子来检测DDoS攻击数据流的特征,从而实现了DDoS攻击数据流的高效检测。实验结果显示,该系统在类内紧密度、类间分离度、聚类准确率、算法耗时和DDoS检测准确率方面明显优于基于并行化K-means的普通蜂群算法和基于并行化K-means算法的DDoS检测方法。     

基于AIMD算法的分层多播拥塞控制

提出了一种基于AIMD算法的分层多播拥塞控制算法．算法借助AIMD算法具有的良好TCP兼容性和稳定性，采用慢增慢减的速率调节原则来防止TCP中速率减半策略所带来的速率振荡．为避免反馈处理带来的复杂性和可扩缩性问题，提出了无须反馈的收方至发方间往返时延估计方法．算法采用类似TCP的慢启动算法来提高链路的利用率和收敛速度．通过仿真评估得出，算法对TCP流、不同多播流均表现出理想的公平性，并有很高的带宽利用率和良好的稳定性．     

A network rate management protocol with TCP congestion control and fairness for all

Our study is motivated by the need to enable quality of service (QoS), congestion control and fair rate allocation for all end applications. We propose a new approach to address these needs which is different from the current practice whereby end applications pursue their own rate control using TCP. Our approach comprises a network rate management protocol (RMP) that controls the rate of all flows (at an aggregate level based on routes) subject to QoS requirements. The RMP control also facilitates a new TCP sliding-window congestion control based on the fair target rates computed by the RMP. Each non-TCP aggregate flow is policed by its respective edge router and each TCP flow adapts its window size as to achieve the RMP suggested fair target rate. The stability analysis of the new TCP congestion control is performed in a linearly scalable framework, which is less restrictive than a fluid model. We show that our proposed control is linearly scalable and establish its global asymptotic stability under arbitrary and variable information time lags, aka totally asynchronous conditions. The stability and the vitality of our control is verified by two means. One is a simulation of a network comprising 74 core links and up to 768 flows, each using its own access link. The simulation is also used to compare our control with the congestion control algorithms used in Fast, Vegas and Reno TCPs. The second verification means is an actual implementation of the control in the Linux kernel and its experimentation in a WAN testbed network comprising six routers and long haul links running UDP flows as well as CUBIC, N-RENO and C-TCP flows. Our experiments demonstrate that our approach can guarantee fair rates for all flows and QoS to premium flows.     

软件定义网络架构下基于流调度代价的数据中心网络拥塞控制路由算法

针对传统数据中心网络极易发生拥塞的问题,提出了在软件定义网络（SDN）的架构下设计基于流调度代价的拥塞控制路由算法加以解决。首先,进行拥塞链路上的大小流区分,并对所有大流的各条等价路径进行路径开销权重的计算,选择权重最小的路径作为可用调度路径;然后,使用调度后路径开销变化量和流占用带宽比例来共同定义流调度代价;最终选择调度代价最小的流进行调度。仿真结果表明,所提算法能在网络发生拥塞时降低了拥塞链路上的负荷,并且与仅进行流路径选择的拥塞控制算法相比,提高了链路利用率,减少了流传输时间,使得网络链路资源得到更好的利用。     

TCP及TCP-friendly拥塞控制策略讨论

自从20世纪80年代报道了第一次拥塞崩溃以来，TCP拥塞控制策略在不断地进行完善和改进，通过快速重传和快速恢复等机制使它能很好地对网络拥塞做出及时的响应。但是随着网络技术的发展，音频和视频等多媒体业务(如IP Phone、视频会议)在网上的应用越来越多，而这些应用采用的一般都是不提供拥塞控制的协议(如UDP)，因此如何对这些业务流进行拥塞控制，使它们能与TCP流一起公平地共享网络带宽，满足TCP-friendly要求变得越来越重要。该文先对TCP拥塞控制进行讨论，然后对TCP-friendly拥塞控制策略和以后的研究方向进行了讨论。     

调度和拥塞控制相结合的无线网络资源分配模型

研究了基于WLAN访问Internet的网络基站处流,提出了一种基于队列长度的调度方法和基于信道容量的拥塞控制模式,以达到网络资源的公平分配,并解决由于不恰当处理基站处堆积数据包而引起的弊端。在提出的资源分配模型中,调度算法根据各条流堆积的队列长度来随机地选择将要发送的数据分组;而拥塞控制模式中,将链路使用率作为拥塞指示,通过计算,平等地反馈给每一条流的发送端。发送端根据反馈到的拥塞信息来调整发送速率,以达到资源分配的公平性。仿真的结果表明：各条流能公平地共享无线网络的带宽。此算法的最大的优点在于基站不需要按照某种特定的公平性定义来选择数据包却能达到很高的公平性。     

Control of swarm behavior in crossing pedestrians based on temporal/spatial frequencies

In the densely-populated urban areas, pedestrian flows often cross each other and congestion is caused. The congestion makes us feel uncomfortable and sometimes leads to pedestrian accidents. To reduce the congestion or the risk of accidents, it is required to control the swarm behavior of pedestrian flows. This paper proposes modeling and controlling method of the crossing pedestrian flows. In the social/urban engineering, it is well known that the swarm behavior with a diagonal stripe pattern emerges in the crossing area of the flows. This is a self-organized phenomenon caused by the local collision avoidance effect of the pedestrians. To control the macroscopic behavior of the flows, we utilize this self-organized phenomenon. Firstly, we propose the continuum model of the crossing pedestrian flows. In the continuum model, the dynamic change of the congestion in the diagonal stripe pattern is simulated as the density. Secondly, the novel control method to improve average flow velocity is proposed based on the model. The proposed method utilizes the dynamic interaction between the diagonal stripe pattern and guides, who are moving in the flows. The authors derive the control algorithm through an analysis on the temporal and spatial frequencies of the crossing flows. The validity is verified with simulations using the continuum model. Moreover, we apply the proposed method to the particle model, assuming the actual pedestrians.     

Generic congestion control

The nowadays Internet architecture is mainly based on unicast communications and best-effort service. However, the development of the Internet encouraged emerging services that are sensitive to delay or packet loss, as it is the case for multimedia and group applications. The deployment of these applications should not compromise the proper transmission of TCP flows and would benefit significantly from flows that are responsive to congestion.We propose efficient congestion avoidance mechanism (ECAM)¹ as a generic framework for congestion control in the Internet, to address this lack and important need of congestion control in various situations that occurs in the Internet. ECAM is designed for uncontrolled unicast and multicast traffic and supports both reliable and unreliable best-effort flows. ECAM works not only for best-effort service, but supports as well the new differentiated services, where out of profile packets may experience congestion. Implementation problems are also discussed.     

基于双向压力模型的多源应用层组播拥塞控制方案

相比传统组播模式,多源应用层组播能用更少的网络资源实现多方交互式应用.但组播特性、应用层环境以及多源属性均会使得多源应用层组播的拥塞问题变得更加严重.因此,提出一种基于双向压力模型的多源应用层组播拥塞控制方案,该方案采用正反压的方式来避免组播流在节点上产生拥塞,并同时采用基于权重的缓冲转移策略来保证同一组内所有数据源的组播流在共享节点上公平地占用缓冲和带宽资源,并进一步讨论了环形拥塞问题的严重性和解决办法.PlanetLab实验网评测结果表明,该方案在实现多源应用层组播拥塞控制的同时,能够协调不同组播流的流量,实现其公平性和可扩展性.     

Research into two source-based control algorithms for Internet traffic flows

TCP and UDP are the major applications over the Internet, the characteristics of them lead to different network transmission behaviors. Two source-based mechanisms are proposed in this paper to regulate TCP and UDP flows. One is the congestion control mechanism, which uses TCP flows’ congestion signal to regulate the flows at the source node. The other is the time slot mechanism, which is a time-sharing application to control their flow transmission. Based on the priorities of flows, different bandwidth proportions are allocated and differential services are provided for flows. Several scenarios are simulated to observe the transmission operations of these two mechanisms. Simulation results show some insights into two mechanisms. Moreover, the several simulation parameters that may impact the performance of these two mechanisms are summarized.