一种IPv6环境下DDoS实时检测方法

DDoS攻击是当今网络包括下一代网络IPv6中最严重的威胁之一,提出一种基于流量自相似的IPv6的实时检测方法。分别采用改进的WinPcap实现流数据的实时捕获和监测,和将Whittle ML方法首次应用于DDoS攻击检测。针对Hurst估值方法的选择和引入DDoS攻击流的网络进行对比仿真实验,结果表明:Hurst估值相对误差,Whittle ML方法比小波变换减少0.07%;检测到攻击的误差只有0.042%,准确性达99.6%;增强了DDoS攻击检测的成功率和敏感度。     

基于无线局域网的DDoS攻击技术探究

随着信息技术的发展,无线局域网在计算机网络中逐步规模应用,同时也成为极有吸引力的攻击目标。     

基于IAD的防DDoS攻击的实现

DDoS攻击是威胁因特网安全的重要手段,本文提出了一种基于IP地址数据库的实用方法来有效防御DDoS攻击,边界路由器保存所有以往在网络上出现的合法IP地址的记录,当边界路由器业务量过载时,利用这一记录来决定是否接受输入的IP包。     

Perimeter-based defense against high bandwidth DDoS attacks

Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. To make the problem worse, attack traffic is often indistinguishable from normal traffic. As various attack tools become widely available and require minimum knowledge to operate, automated antiDDoS systems become increasingly important. Many current solutions are either excessively expensive or require universal deployment across many administrative domains. This paper proposes two perimeter-based defense mechanisms for Internet service providers (ISPs) to provide the antiDDoS service to their customers. These mechanisms rely completely on the edge routers to cooperatively identify the flooding sources and establish rate-limit filters to block the attack traffic. The system does not require any support from routers outside or inside of the ISP, which not only makes it locally deployable, but also avoids the stress on the ISP core routers. We also study a new problem of perimeter-based IP traceback and provide three solutions. We demonstrate analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving high survival ratio for legitimate traffic. Even when 40 percent of all customer networks attack, the survival ratio for traffic from the other customer networks is still close to 100 percent.     

网络服务DDoS攻击主动防御框架

为高效保护在线网络服务,提出一种基于动目标防御的主动防御框架,其通过周期性地重组网络服务系统中接入用户和反向代理服务器之间的网络连接来保证系统的安全性,这就是所谓的"洗牌".通过这种方式,恶意用户难以对系统进行分布式拒绝服务(DDoS)攻击,但动目标防御也带来了巨大的资源消耗,阻碍了其大规模的应用与推广.为解决上述问题,提出一种面向在线网络服务DDoS攻击的智能化主动防御框架DQ-MOTAG,将深度强化学习与动目标防御进行结合.设计一个算法生成每个洗牌周期的最优持续时间,指导后续的洗牌过程.进行一系列实验验证DQ-MOTAG与现有方法相比,在防御性能、误封率和网络源消耗等方面具有明显的优越性.     

Rule-based detection technique for ICMPv6 anomalous behaviour

The rapid growth of the Internet in the past few years has revealed the limitation of address space in the current Internet Protocol (IP), namely IPv4. Essentially, the increasing demand and consumption of IP addresses have led to the anticipated exhaustion of IPv4 addresses. In order to address this concern, the Internet Protocol version 6 (IPv6) has been developed to provide a sufficient address space. IPv6 is shipped with a new protocol, namely, the neighbour discovery protocol (NDP) which has vulnerabilities that can be used by attackers to launch attacks on IPv6 networks. Such vulnerabilities include the lack of exchange message authentication of NDP. Attacks targeting ICMPv6 protocol display ICMPv6 anomalies. As such, this paper proposes a rule-based technique for detecting ICMPv6 anomalous behaviours that negatively affect the network performance. The effectiveness of this technique is demonstrated by using substantial datasets obtained from the National Advance IPv6 Centre of Excellence (NAv6) laboratory. The experimental results have proved that the proposed technique is capable of detecting ICMPv6 anomalous behaviour s with a detection accuracy rate of 92%.

     

基于路由器的DDoS攻击防御系统的设计

针对分布式拒绝服务攻击设计了一种基于路由器的DDoS攻击防御系统。它具有检测响应及时的优点。不但能保护受害者以及合法用户的请求,还能在受害者遭受攻击时保护攻击源与受害者之间的网络带宽资源,从而改善网络性能。模拟实验验证了系统中检测控制方法的有效性。     

Monitoring the macroscopic effect of DDoS flooding attacks

Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such monitoring enables DDoS attack detection without any traffic observation in the victim network.     

Detection of DDoS attacks using optimized traffic matrix

Distributed Denial of Service (DDoS) attacks have been increasing with the growth of computer and network infrastructures in Ubiquitous computing. DDoS attacks generating mass traffic deplete network bandwidth and/or system resources. It is therefore significant to detect DDoS attacks in their early stage. Our previous approach used a traffic matrix to detect DDoS attacks quickly and accurately. However, it could not find out to tune up parameters of the traffic matrix including (i) size of traffic matrix, (ii) time based window size, and (iii) a threshold value of variance from packets information with respect to various monitored environments and DDoS attacks. Moreover, the time based window size led to computational overheads when DDoS attacks did not occur. To cope with it, we propose an enhanced DDoS attacks detection approach by optimizing the parameters of the traffic matrix using a Genetic Algorithm (GA) to maximize the detection rates. Furthermore, we improve the traffic matrix building operation by (i) reforming the hash function to decrease hash collisions and (ii) replacing the time based window size with a packet based window size to reduce the computational overheads. We perform experiments with DARPA 2000 LLDOS 1.0, LBL-PKT-4 of Lawrence Berkeley Laboratory and generated attack datasets. The experimental results show the feasibility of our approach in terms of detection accuracy and speed.     

基于TTCN的ICMPv6的一致性测试

基于TTCN的协议的一致性测试是保证协议实现正确的重要方法.在介绍ICMPv6协议和TTCN标准的基础上,构建了一种基于TTCN标准的一致性测试系统.介绍了该测试系统的架构与工作原理,同时给出了ICMPv6一致性测试的方法和步骤,并在测试平台上执行了测试套.     

基于ICMPv6的IPv6路由欺骗研究

阐述IPv6下网络协议欺骗的一般原理,详细分析了ICMPv6协议及其存在的漏洞.对基于ICMPv6协议的路由欺骗原理及方法进行了深入的讨论,并提出了ICMPv6重定向差错欺骗和ICMPv6路由通告欺骗的具体实现方法.     

一种自定义动态密钥预防DDoS攻击的算法

DDoS攻击表现形式有多种,主要造成后果是导致Web服务器无法提供网络服务,最终造成一系列损失。针对通过某一网页端口进行的DDosS攻击,提出了一种预防算法,自定义动态密钥,并采用自定义算法调用,动态改变被攻击端口处的文件名。该算法使得攻击者无法通过加密后的文件来得到原文件名称,从而达到预防此种DDoS攻击的目的。实验证明,此算法有效。     

改进的基于认证的DDoS源追踪方案

利用基于双钥序列的消息认证码理论,以自适应概率包标记和高级包标记Ⅱ为基础,针对当前危害甚大的拒绝服务攻击,提出了一种改进的基于认证的DDoS源IP追踪方案.以自适应概率为基础,既达到了较高的追踪收敛率,又能最大限度地降低攻击者伪造数据包的余地.采用基于双钥序列的HMAC算法,对标记信息进行认证,防止攻击者修改已有的标记信息,达到较高的安全性和抗干扰性.     

A hybrid machine learning approach for detecting unprecedented DDoS attacks

Service availability plays a vital role on computer networks, against which Distributed Denial of Service (DDoS) attacks are an increasingly growing threat each year. Machine learning (ML) is a promising approach widely used for DDoS detection, which obtains satisfactory results for pre-known attacks. However, they are almost incapable of detecting unknown malicious traffic. This paper proposes a novel method combining both supervised and unsupervised algorithms. First, a clustering algorithm separates the anomalous traffic from the normal data using several flow-based features. Then, using certain statistical measures, a classification algorithm is used to label the clusters. Employing a big data processing framework, we evaluate the proposed method by training on the CICIDS2017 dataset and testing on a different set of attacks provided in the more up-to-date CICDDoS2019. The results demonstrate that the Positive Likelihood Ratio (LR+) of our method is approximately 198% higher than the ML classification algorithms.

     

An approach for detecting and preventing DDoS attacks in campus

Nowadays, Denial of Service (DoS) attacks have become a major security threat to networks and the Internet. Therefore, even a naive hacker can launch a large-scale DoS attack to the victim from providing Internet services. This article deals with the evaluation of the Snort IDS in terms of packet processing performance and detection. This work describes the aspect involved in building campus network security system and then evaluates the campus network security risks and threats, mainly analyses the attacks DoS and DDoS, and puts forward new approach for Snort campus network security solutions. The objective is to analyze the functional advantages of the solution, deployment and configuration of the open source based on Snort intrusion detection system. The evaluation metrics are defined using Snort namely comparison between basic rules with new ones, available bandwidth, CPU loading and memory usage.     

基于熵参数的DDoS攻击检测算法研究

分布拒绝服务攻击(DDoS)通过很多代理产生大量的数据包,在很短的时间内就能耗尽受害者的计算和通信资源.通过研究和分析几种基于对DDoS攻击阶段分类的检测办法,得出基于聚类分析的算法是比较有效的,然而这种算法存在冗余.根据熵的特性对这种基于聚类分析的早期检测算法做了优化,对相关变量进行了关键变量的提取,并通过实验对其进行了分析,实验结果表明,对该算法的优化有效的提高了基于聚类分析的DDoS攻击检测方法的效率.