基于拥塞参与度的分布式低速率DoS攻击检测过滤方法

分布式低速率拒绝服务攻击(DLDoS)利用已有网络协议和网络服务中自适应机制的漏洞发起攻击,其攻击效率和隐蔽性比传统洪泛式分布式拒绝服务攻击(DDoS)高得多,更加难于检测和防御。本文对DLDoS攻击进行了建模和形式化,提出了基于拥塞参与度的DLDoS攻击检测过滤方法。实验分析表明,该方法能有效检测DLDoS攻击,并降低误报率。     

一种分布式拒绝服务攻击的检测模型

提出了一种实时检测网络是否受到DDoS攻击的新模型,解决了传统检测方法难以区分突变正常流量与异常流量的问题.结合网络正常流量的特点,提出了检测DDoS攻击的新度量和检测算法.该算法不仅结构简洁、运算速度快;而且能够充分利用已知信息,具有较强的抗干扰能力.实际检测结果表明,本模型可实现时DDoS攻击的实时检测.     

分布式拒绝服务攻击及防范方法研究

本文首先介绍了分布式拒绝服务攻击的发展现状,然后综合分析了分布式拒绝服务攻击防范方法中的检测和控制方法。     

一种轻量级的拒绝服务攻击检测方法

分布式拒绝服务攻击的原理简单,但危害严重．在攻击源端的检测方法有诸多优点,但也存在着挑战,如攻击源端攻击数据流量小,不易检测,不能使用服务商过多的资源等．文中针对这些特点提出了一种在攻击源端的轻量级方法．该方法使用Bloom Filter对网络数据进行提取,在此基础上使用变化点检测方法对数据进行分析,可以达到使用少量资源进行准确检测的目的．重放DARPA数据的实验表明,在使用相同存储开销的前提下,该方法与同类工作相比,检测结果更准确,计算资源消耗更少．     

一种基于Q学习的LDoS攻击实时防御机制及其CPN实现

针对低速率拒绝服务攻击具有隐蔽性高、难以检测和及时响应的特点,提出了一种基于Q学习的LDoS攻击实时防御机制.该机制以终端自适应控制系统为保护对象,周期性地提取网络攻击特征参数,将其作为Q学习模块的输入参数,由Q学习模块进行最优防御的选择,优选出来的防御措施交与系统端执行.防御措施基于动态服务资源分配,根据系统当前运行状态对服务资源进行动态调整,从而保障正常服务请求的响应率.最后使用着色Petri网结合BP神经网络对攻击和防御过程进行了建模和仿真,结果表明：该方法具有较好的实时性和较高的灵敏性,能够对LDoS攻击行为进行实时响应,显著提高了系统防御的自动化程度.     

基于小波能谱熵和隐半马尔可夫模型的LDoS攻击检测

低速率拒绝服务(low-rate denial of service,简称LDoS)攻击采用周期性发送短脉冲数据包的方式攻击云计算平台和大数据中心,导致连接用户的路由器丢包和数据链路传输性能下降.LDoS攻击流量平均速率很低,具有极强的隐蔽性,很难被检测到.在分析LDoS攻击流量的基础上,通过小波变换得到网络流量的小波能谱熵,并以此作为隐半马尔可夫模型(HSMM)的输入,设计采用HSMM网络模型的LDoS攻击判决分类器,提出了基于小波能谱熵和隐半马尔可夫模型的LDoS攻击检测方法.该检测方法在NS-2和Test-bed环境中分别进行了测试.实验结果表明,该方法具有较好的检测性能,通过假设检验得出检测率为96.81%.     

一种针对DDoS攻击的新型防护机制研究

本文提出了一种新型的基于网络流量自相似性的DDoS防护机制,给出了该机制的体系结构,其中包括攻击检测、路径定位、特征提取、生成响应策略、实时响应、处理结束等步骤.并在此基础上,对其数据结构和工作机制进行详细的分析和设计.实验证明此方法能够较好地对DDoS攻击加以检测和防护,比传统的基于特征匹配的DDoS入侵防护方法具有较好的性能.     

一种分布式拒绝服务攻击的检测方法

该文提出和实现了一种基于网络异常流量特征的检测模型。通过将多条链路或多个流的流量信号作为一个整体进行研究．构建了网络异常流量监控的系统模型。该模型包括了数据采集、分析、异常判断和警告等功能,并综合了异常信息融合及警告信息关联性分析技术。通过实验证明,该套系统模型对短时间段内的突爱流量能提供有效的检测和报警服务。     

一个分布式拒绝服务攻击检测系统的设计

根据拒绝服务武攻击与分布式拒绝服务攻击的特点,该文设汁并实现了一个针对这种攻击的检测响应系统,详细讨论了拒绝服务攻击的特征,通用的攻击检测算法以及攻击响应策略。实际应用表明,系统检测准确率高、结构清晰、配置灵活、运行开销小,能有效地检测和防御常见的拒绝服务式攻击。     

DDoS攻击检测综述

结合DDoS攻击检测方法的最新研究情况,对DDoS攻击检测技术进行系统分析和研究,对不同检测方法进行比较,讨论了当前该领域存在的问题及今后研究的方向。     

Collaborative Detection of DDoS Attacks over Multiple Network Domains

This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic-flow level The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the floe cling damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.     

Distributed Management Architecture for Cooperative Detection and Reaction to DDoS Attacks

We propose a cooperative intrusion detection framework focused on countering Distributed Denial-of-Service (DDoS) attacks through the introduction of a distributed overlay early-warning network. Our goal is to minimize the detection and reaction time and automate responses, while involving as many networks as possible along the attack path. The proposed approach relies on building a community of trusted partners that will cooperate by exchanging security information so that inclusion in the attack path is detected locally and without traceback procedures. The main building block is the Cooperative anti-DDoS Entity, a modular software system deployed in each participating network domain that supports secure message exchanges and local responses tailored to individual sites' policies. We discuss the operation and the implementation of a prototype, and we provide a survey of the methodologies against DDoS and compare our approach to related work.     

防御分布式拒绝服务攻击的入侵检测模型

本文通过对典型分布式扫描服务（DDoS)攻击的工具Trinoo的攻击特性分析，提出了三层检测DDoS的模型。该模型利用了IP和端口陷阱，特征字符串匹配和流量分析等有效的检测手段，通过三层检测，逐级跟踪，综合分析，从而比较准确地判断Trinoo的入侵，它改进了Snort检测中仅靠特征字符匹配进行判断的方法，从而降低了误报警率，同时该模型中分析和解决问题的思路对于防御其它攻击有着很重要的参考价值。     

Cooperative Detection Method for DDoS Attacks Based on Blockchain

Distributed Denial of Service (DDoS) attacks is always one of the major problems for service providers. Using blockchain to detect DDoS attacks is one of the current popular methods. However, the problems of high time overhead and cost exist in the most of the blockchain methods for detecting DDoS attacks. This paper proposes a blockchain-based collaborative detection method for DDoS attacks. First, the trained DDoS attack detection model is encrypted by the Intel Software Guard Extensions (SGX), which provides high security for uploading the DDoS attack detection model to the blockchain. Secondly, the service provider uploads the encrypted model to Inter Planetary File System (IPFS) and then a corresponding Content-ID (CID) is generated by IPFS which greatly saves the cost of uploading encrypted models to the blockchain. In addition, due to the small amount of model data, the time cost of uploading the DDoS attack detection model is greatly reduced. Finally, through the blockchain and smart contracts, the CID is distributed to other service providers, who can use the CID to download the corresponding DDoS attack detection model from IPFS. Blockchain provides a decentralized, trusted and tamper-proof environment for service providers. Besides, smart contracts and IPFS greatly improve the distribution efficiency of the model, while the distribution of CID greatly improves the efficiency of the transmission on the blockchain. In this way, the purpose of collaborative detection can be achieved, and the time cost of transmission on blockchain and IPFS can be considerably saved. We designed a blockchain-based DDoS attack collaborative detection framework to improve the data transmission efficiency on the blockchain, and use IPFS to greatly reduce the cost of the distribution model. In the experiment, compared with most blockchain-based method for DDoS attack detection, the proposed model using blockchain distribution shows the advantages of low cost and latency. The remote authentication mechanism of Intel SGX provides high security and integrity, and ensures the availability of distributed models.     

分布式端口反弹攻击及检测

分析了现有的DDoS攻击在通信时存在的一些缺点,并对当前流行的端口反弹技术进行了深入的研究,发现如果将两者结合起来形成一类新的攻击形式,其危害性相当严重。故提出了两者结合的模型——分布式端口反弹攻击模型,而且针对这类新的攻击方式的一些特点提出了基于连接(会话)记录的误用检测方法和基于用户行为的异常检测方法。     

具有协作代理功能的分布式入侵检测系统

入侵检测作为保护信息系统安全的一项重要技术,特别是在信息商业化的今天显的特别重要。文中在分析了传统的入侵检测系统的优缺点之后,在保留分布式层次结构的基础上,采用移动代理技术来克服信息采集节点地址固定,容易遭受入侵者攻击的缺点,并对代理间通信机制和数据共享加强了管理,从而增强了代理之间协同工作能力。针对系统误报率高的缺点进行了研究改进,从而减轻了管理员的负担,希望能对将来系统的研究改进提供一个借鉴模式。     

一种缓冲区溢出攻击的实时检测方法

根据攻击者通常通过修改函数返回地址或函数入口地址来改变程序流程的特点以及ELF文件的结构特点,在调用函数和函数调用返回时对某些特定信息进行处理,以检测出攻击行为。依靠动态程序监控平台pin提供的API函数来编写程序运行时监控工具,提出缓冲区溢出攻击实时检测的方法。实例分析表明该方法具有无需对现有的软、硬件系统进行修改的特点。     

一种轻量级的SYN Flooding攻击检测方法

提出了一种轻量级的源端DDoS攻击检测的有效方法.本方法基于Bloom Filter技术对数据包信息进行提取,然后使用变化点计算方法进行异常检测,不仅能够检测出SYN Flooding攻击的存在,而且能够避免因为正常拥塞引起的误报.重放DARPA数据实验表明,算法的检测结果与类似方法相比更精确,使用的计算资源很少.