Similar literature
 Found 20 similar documents; search took 93 ms
1.
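The Dynamic Host Configuration Protocol (DHCP) dynamically manages and allocates IP addresses and improves address utilization, so it is widely used. However, because the protocol's security mechanisms are weak, its latent security vulnerabilities, such as rogue DHCP servers, MAC address spoofing, replay attacks and DoS attacks, have become increasingly prominent. This paper proposes a security authentication method based on a dynamic key (DK) mechanism (security authentication model based on dynamic key, DK_SAM). The method computes a one-time key from the current system time and uses that key to compute a hash-based message authentication code; DHCP entities then achieve security authentication by verifying the authentication code carried in the custom Option180. Experiments show that DK_SAM offers high performance while preserving its security properties.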

2.
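This paper studies denial-of-service attacks against WLANs and summarizes the most damaging attack methods at present: attacks that spoof a legitimate MAC address and attacks that send large delay packets to the wireless access point (AP). These attacks are easy to carry out and hard to defend against, so studying their mechanisms and defenses is of great practical significance. The paper also uses the OPNET simulation software to simulate the attack methods and their effects. Finally, it proposes its own defense method based on the attack principles.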

3.
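This paper presents a method for implementing DPA attacks against AES cryptographic chips and, on the Atmel-AES platform, uses DPA attack techniques to recover the AES key. The result confirms the vulnerability of the AES algorithm to DPA attacks and also demonstrates the need for research into making AES chips resistant to DPA attacks.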

4.
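To improve the performance of automatic address configuration in mobile ad hoc networks, a stable and secure address configuration scheme is proposed. Its core idea is to perform security checks and address configuration through proxy nodes. First, the nodes in the network are grouped by geographic location. Next, a proxy-node selection factor is built from a stability factor and a trust degree, and one proxy node is selected from each node group. The proxy node and the member nodes then generate two public/private key pairs, used for encryption and signing. Finally, the proxy node performs address configuration, uses a temporary and permanent address pair for duplicate address detection, and relies on encryption and signing during configuration to resist various attacks. Simulation results show that, under attack, the scheme has low address allocation delay and protocol overhead together with a high address allocation success rate.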

5.
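A Defense Strategy against DDoS Attacks Based on a Source and Destination IP Address Database   Total citations: 2, self-citations: 1, citations by others: 1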
孙知信  李清东 《软件学报》2007,18(10):2613-2623
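This paper proposes a strategy for defending against distributed denial of service (DDoS) attacks based on a source and destination IP address database. The strategy builds a database of source and destination IP address pairs from normal traffic (source and destination IP address database, SDIAD), stores the SDIAD in an extended three-dimensional Bloom Filter table, and applies an improved sliding-window non-parametric CUSUM (cumulative sum) algorithm to perform cumulative analysis of new source and destination IP address pairs, so that DDoS attacks are detected quickly and accurately. The SDIAD is updated with a delayed update policy to keep it timely, accurate and robust. Experiments show that the strategy, which is mainly applied at edge routers, effectively detects DDoS attacks whether it is deployed near the attack source or near the victim, and achieves good detection accuracy.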

6.
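DDoS (Distributed Denial of Service) attacks are one of the main threats facing the Internet today and one of its most serious security problems. Although many defense mechanisms already exist to counter the various kinds of DDoS attack, their functions are scattered and some overlap. Based on a study of DoS/DDoS, this paper gives a fairly comprehensive survey of current DoS/DDoS attack and defense mechanisms, with the aim of understanding DDoS attacks better and defending against them more efficiently and completely. It recommends a comprehensive taxonomy of DDoS attacks and defenses and proposes developing such classification schemes as a structured way to address the DDoS problem. It also briefly introduces various DDoS attack and defense systems.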

7.
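This paper discusses dynamic link library (DLL) files and how to use them in VC++, and gives a concrete example that retrieves a machine's network adapter address.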

8.
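Programs written in unsafe languages are vulnerable to attacks such as buffer overflows. Whether these attacks succeed depends on how well the attacker knows the layout of the addresses of process components. One countermeasure against memory attacks is therefore to randomize the locations of process components. Address space layout randomization is one method of randomizing process component addresses. This paper analyzes the strengths and weaknesses of the address space layout randomization used in the Windows Vista operating system and proposes a simple scheme for implementing address randomization on the Windows XP operating system.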

9.
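Moving target defense gives defenders a new strategy against attacks by increasing the uncertainty of a system's attack surface. IP address hopping is a typical network-layer moving target defense mechanism: by making IP addresses uncertain, it makes it harder for an attacker to locate the target. However, whether a system that uses IP address hopping can adequately resist scanning attacks depends on factors such as the IP address resources available to the system, the hopping method used and the settings of the related hopping parameters, so a suitable quantitative evaluation model is needed for an accurate assessment. This paper reviews and analyzes classic IP address hopping mechanisms and compares the advantages and disadvantages of host-based and gateway-based IP address hopping. It proposes a quantitative evaluation model for the scan resistance of IP address hopping mechanisms, which can be used to evaluate the scan resistance of a given IP address hopping mechanism under different parameter combinations.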

10.
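This paper studies the effectiveness of the probabilistic packet marking (PPM) IP traceback mechanism against denial-of-service (DoS) attacks and derives the optimal traceback marking probability under the condition that the attacker tries to conceal the attack path.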

11.
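Security Protection Mechanism for Mobile IPv6 Binding Updates Registered with Correspondent Nodes   Total citations: 1, self-citations: 0, citations by others: 1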
李晓宁 《计算机工程与应用》2004,40(24):123-124,148
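Mobile IPv6 provides many security features, including protection of binding updates from the mobile node to the home agent or to correspondent nodes. Mobile IPv6 uses authorized bindings to protect binding updates sent to correspondent nodes, and the return routability procedure negotiates the binding management key used for authorization. This article describes in detail the security protection mechanism that Mobile IPv6 applies to correspondent-node binding updates.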

12.
This paper presents a covariance-matrix modeling and detection approach to detecting various flooding attacks. Based on the investigation of correlativity changes of monitored network features during flooding attacks, this paper employs statistical covariance matrices to build a norm profile of normal activities in information systems and directly utilizes the changes of covariance matrices to detect various flooding attacks. The classification boundary is constrained by a threshold matrix, where each element evaluates the degree to which an observed covariance matrix is different from the norm profile in terms of the changes of correlation between the monitored network features represented by this element. Based on Chebyshev inequality theory, we give a practical (heuristic) approach to determining the threshold matrix. Furthermore, the result matrix obtained in the detection serves as the second-order features to characterize the detected flooding attack. The performance of the approach is examined by detecting Neptune and Smurf attacks, two common distributed Denial-of-Service flooding attacks. The evaluation results show that the detection approach can accurately differentiate the flooding attacks from the normal traffic. Moreover, we demonstrate that the system extracts a stable set of the second-order features for these two flooding attacks.

13.
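Information-centric networking (ICN) introduces in-network caching so that routers can cache content, and replaces IP addressing with content-name addressing, with the aim of better serving content distribution applications. The interest flooding attack (IFA), however, exhausts router resources and causes routers to drop large numbers of legitimate interest packets, making it the security "nemesis" of ICN. Drawing on the defense mechanisms of the human immune system, this paper proposes a two-stage secure ICN routing mechanism to resist interest flooding attacks. Within the immune period, non-specific immunity is achieved through immune feedback and an isolation policy, which prevents the router's pending interest table (PIT) from being maliciously occupied. Because non-specific immunity cannot mitigate a sustained IFA, specific immunity is then achieved through a backtracking policy, which forms immune memory and completely blocks the interest flooding attack. Experimental results show that the proposed routing mechanism effectively resists interest flooding attacks, reduces the resource exhaustion and wasted computation caused by the attack, and preserves network performance.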

14.
Collaborative Detection of DDoS Attacks over Multiple Network Domains   Total citations: 2, self-citations: 0, citations by others: 2
This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic-flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.

15.
A Wireless Sensor Network (WSN) consists of many low-cost, small devices. Usually, as they are deployed to an open and unprotected region, they are vulnerable to various types of attacks. In this research, a mechanism of Intrusion Detection System (IDS) created in a Cluster-based Wireless Sensor Network (CWSN) is proposed. The proposed IDS is an Integrated Intrusion Detection System (IIDS). It can provide the system to resist intrusions, and process in real-time by analyzing the attacks. The IIDS includes three individual IDSs: Intelligent Hybrid Intrusion Detection System (IHIDS), Hybrid Intrusion Detection System (HIDS) and misuse Intrusion Detection System. These are designed for the sink, cluster head and sensor node according to different capabilities and the probabilities of attacks these suffer from. The proposed IIDS consists of an anomaly and a misuse detection module. The goal is to raise the detection rate and lower the false positive rate through misuse detection and anomaly detection. Finally, a decision-making module is used to integrate the detected results and report the types of attacks.

16.
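To address the susceptibility of Bluetooth Low Energy to flooding attacks, a connection authentication model is proposed, and a defense scheme against Bluetooth Low Energy flooding attacks is designed on the basis of that model. The scheme combines the fast computation of HMAC (Hash-based Message Authentication Code) with the strong synchronization of Bluetooth communication. It uses a detection module to determine the communication state and a challenge-response connection request authentication protocol that performs mutual authentication between master and slave devices before the Bluetooth protocol runs, filtering out attack packets and securing the establishment of Bluetooth Low Energy connections. Security analysis and experimental results show that the scheme effectively defends against flooding attacks while incurring low storage and computation overhead, making it suitable for use in Bluetooth Low Energy.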

17.
The ability to dynamically collect and analyze network traffic and to accurately report the current network status is critical in the face of large-scale intrusions, and enables networks to continually function despite traffic fluctuations. The paper presents a network traffic model that represents a specific network pattern and a methodology that compiles the network traffic into a set of rules using soft computing methods. This methodology based upon the network traffic model can be used to detect large-scale flooding attacks, for example, a distributed denial-of-service (DDoS) attack. We report experimental results that demonstrate the distinctive and predictive patterns of flooding attacks in simulated network settings, and show the potential of soft computing methods for the successful detection of large-scale flooding attacks.

18.
An Intrusion Prevention System against SIP Distributed Flooding Attacks   Total citations: 1, self-citations: 0, citations by others: 1
李鸿彬  林浒  吕昕  杨雪华 《计算机应用》2011,31(10):2660-2664
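In view of the current state of research on detecting and defending against SIP distributed flooding attacks, and drawing on the characteristics of IP-based distributed flooding attacks and of SIP messages, this paper proposes a two-level architecture for defending against distributed denial of service (DDoS) attacks aimed at SIP distributed flooding (TDASDFA), consisting of a first-level defense subsystem (FDS) and a second-level defense subsystem (SDS). The FDS performs coarse-grained detection and defense on the SIP signaling flow; it filters non-VoIP messages and drops SIP signaling from IP addresses that exceed a specified rate, in order to keep the service available. The SDS performs fine-grained detection on the SIP signaling flow using an attack mitigation method based on configured security levels, and filters malicious attacks with obvious DoS characteristics as well as low-rate attacks. The FDS and SDS work together to monitor network conditions in real time and mitigate SIP distributed flooding attacks. Experimental results show that TDASDFA identifies and defends against SIP distributed flooding attacks in real time and, when anomalies occur, effectively reduces the likelihood of the SIP proxy server/IMS server being attacked.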

19.
Anomaly Detection of Application-Layer Flooding Attacks   Total citations: 1, self-citations: 0, citations by others: 1
谢逸  余顺争 《计算机科学》2007,34(8):109-111
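Judging by the trend of recent years, distributed denial-of-service attacks have gradually moved from the lower layers to the application layer, where they are more effective and stealthier than traditional attacks. To detect flooding attacks launched with legitimate application-layer HTTP requests, this paper treats an application-layer flooding attack as an abnormal form of user access behavior and performs attack detection from the perspective of user browsing behavior. Experiments based on real network traffic show that the model can effectively measure how normal a Web user's access behavior is and detect application-layer DDoS flooding attacks.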

20.
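This paper studies a software update management architecture for an internal network that is physically isolated from the external environment and, for one specific internal network, describes the software update implementation process in detail, ensuring that software update management on the internal network runs reliably and effectively.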
