基于聚集算法的DDoS数据流检测和处理

提出了一种应用于路由器的嵌入式DDoS（分布式拒绝服务攻击）防御算法.针对DDoS攻击的本质特征,对IP数据流进行轻量级协议分析,把IP数据流分为TCP、UDP和ICMP（网间控制报文协议）数据流,分别建立相应的聚集模式,根据该模式来检测DDoS聚集所占资源,采取相应的抑制措施过滤攻击数据包,从而保证合法数据流的正常转发.仿真试验证明该方法能准确地检测到DDoS攻击,处理效果很好.     

一种基于资源感知的小流量DDoS攻击防御方法

分布式拒绝服务攻击（DDoS）对网络具有极大的破坏性,严重影响现网的正常运营。虽然现网已经部署针对DDoS的流量清洗系统,然而小流量的攻击较洪水型攻击更难以被感知,进而不能得到有效的清洗。本文分析了网络中小流量DDoS攻击的原理和防御现状,并提出一种基于资源感知的小流量DDoS攻击防御方法。     

IDC如何防范DDoS

由数万台计算机同时发起的分布式拒绝服务攻击能够在短时间内耗尽城域网甚至骨干网的带宽,从而造成局部的互联网崩溃。要想有效防止DDoS攻击造成的网络拥塞的恶劣影响,就要从异常流量检测、异常流量清洗、联动及自动联动等几方面进行分析研究。     

基于流量强度的DDoS攻击源追踪快速算法

DDoS攻击以其破坏力大、易实施、难检测、难追踪等特点,而成为网络攻击中难处理的问题之一。攻击源追踪技术是阻断攻击源、追踪相关责任、提供法律证据的必要手段。基于网络拓扑理论和路由器流量特性原理以及可编程式路由器的体系结构,提出了一种追踪DDoS攻击源的分布式快速算法,该算法可以准确、协调、高效地判断路由器的数据流量值,受害者可以根据流量强度推断出恶意攻击数据流的来源,从而快速追溯和定位DDoS攻击源。     

DDoS攻击恶意行为知识库构建

针对分布式拒绝服务（distributed denial of service,DDoS）网络攻击知识库研究不足的问题,提出了DDoS攻击恶意行为知识库的构建方法。该知识库基于知识图谱构建,包含恶意流量检测库和网络安全知识库两部分：恶意流量检测库对 DDoS 攻击引发的恶意流量进行检测并分类;网络安全知识库从流量特征和攻击框架对DDoS 攻击恶意行为建模,并对恶意行为进行推理、溯源和反馈。在此基础上基于DDoS 开放威胁信号（DDoS open threat signaling,DOTS）协议搭建分布式知识库,实现分布式节点间的数据传输、DDoS攻击防御与恶意流量缓解功能。实验结果表明,DDoS攻击恶意行为知识库能在多个网关处有效检测和缓解DDoS攻击引发的恶意流量,并具备分布式知识库间的知识更新和推理功能,表现出良好的可扩展性。     

基于流媒体服务DDoS攻击防范研究

分布式拒绝服务（Distributed Deny of Service,DDoS）攻击是目前最难解决的网络安全问题之一。在研究RTSP（Real-Time Streaming Protocol）协议漏洞基础上,提出一种有效防御流媒体服务DDoS攻击防御方案。该方案基于时间方差图法（Variance-TimePlots,VTP）,计算自相似参数Hurst值,利用正常网络流量符合自相似模型的特性来进行DDoS攻击检测,并综合采用黑白名单技术对流量进行处理。最后通过MATLAB仿真工具进行了模拟实验,并对结果进行了分析,在协议分析基础上能合理控制流量,使得DDoS攻击检测准确率、实时性高,目标流媒体服务器带宽和资源得到了有效保护。     

SDN环境下基于LightGBM的DDoS流量分类

软件定义网络(SDN)以其高度的网络可编程性和灵活性,通过将控制平面与数据平面解耦,克服了传统网络中存在的问题,近年来成为一种新的网络结构。但由于控制器是SDN的核心部分,因此更容易发生攻击,尤其是分布式拒绝服务攻击(DDoS),已经成为SDN环境的最大安全威胁。分布式拒绝服务(DDoS)攻击会使SDN控制器和交换机流表过载,导致网络性能下降,甚至瘫痪整个网络。检测攻击速度快、精度高,误报率低是解决DDoS攻击的关键。为此,我们通过公开的入侵检测数据集IDS2018,使用LightGBM算法训练DDoS分类模型,实现对正常流量和DDoS攻击流量的分类。对比XGBoost算法,改进后的LightGBM算法分类效果更好。使用虚拟环境Mininet构建SDN拓扑,使用Ryu作为SDN控制器。模拟DDoS攻击并通过sFlow RT收集攻击流量,利用训练好的DDoS流量分类模型进行检测,模型五折交叉验证AUC达到0.81。     

迪普科技入围中国移动DDoS集采

日前,中国移动DDoS设备集中采购结果公布,凭借多年来在异常流量清洗领域的深厚积淀,迪普科技成为仅有的两家入围厂商之一。这是在中国电信DDoS设备集中采购取得第一名之后,迪普科技在运营商异常流量清洗市场取得的又一重大突破,凸显了迪普科技异常流量清洗产品在业界的领先地位。目前,防御DDoS攻击最有效的方法是在现有网络出口处部署DDoS防御设备,在攻击流量威胁到用户网络之前将其阻隔在外。为确保网络的正常使用以及业务顺利的开展,近年来,运营商愈加重视DDoS防御设备的采购及部署。继中国电信集团对DDoS设备进行集采后,中国移动集团也于2014年底启动了DDoS设备的集中采购。此次集中采购将决定2015年全年中国移动所有DDoS设     

基于XGBoost的DDoS攻击流量过滤算法

分布式拒绝服务（Distributed Denial of Service,DDoS）攻击是当今网络空间安全的主要威胁之一。现有DDo S攻击检测算法虽然能够准确告警,但无法响应攻击。提出了一种基于XGBoost的流量过滤算法,使用攻击检测生成流量样本标签,训练机器学习模型,实现过滤规则的实时更新。仿真实验结果表明,该方法可以有效过滤异常流量。     

一种DDoS攻击的检测算法

对于骨干网中存在的DDoS攻击,由于背景流量巨大,且分布式指向受害者的多个攻击流尚未汇聚,因此难以进行有效的检测。为了解决该问题,本文提出一种基于全局流量异常相关分析的检测方法,根据攻击流引起流量之间相关性的变化,采用主成份分析提取多条流量中的潜在异常部分之间的相关性,并将相关性变化程度作为攻击检测测度。实验结果证明了测度的可用性,能够克服骨干网中DDoS攻击流幅值相对低且不易检测的困难,同现有的全局流量检测方法相比,该方法能够取得更高的检测率。     

Monitoring the Application-Layer DDoS Attacks for Popular Websites

Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. Focusing on the detection for such new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks. The entropy of document popularity fitting to the model is used to detect the potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.      

An approach of defending against DDoS attack

An approach of defending against Distributed Denial of Service （DDoS） attack based on flow model and flow detection is presented. The proposed approach can protect targets from DDoS attacking, and allow targets to provide good service to legitimate traffic under DDoS attacking, with fast reaction. This approach adopts the technique of dynamic comb filter, yields a low level of false positives of less than 1.5%, drops similar percentage of good traffic, about 1%, and passes neglectable percentage of attack bandwidth to the victim, less than 1.5%. The prototype of commercial product, D-fighter, is developed by implementing this proposed approach on Intel network processor platform IXP1200.     

分布式DNS反射DDoS攻击检测及控制技术

分布式DNS反射DDoS攻击已经成为拒绝服务攻击的主要形式之一,传统的基于网络流量统计分析和网络流量控制技术已经不能满足防护需求。提出了基于生存时间值（TTL）智能研判的DNS反射攻击检测技术,能够准确发现伪造源IP地址分组;基于多系统融合的伪造源地址溯源阻断技术,从源头上阻断攻击流量流入网络。     

Research on DDoS detection in multi-tenant cloud based on entropy change

An attacker compromised a number of VMs in the cloud to form his own network to launch a powerful distrib-uted denial of service (DDoS) attack.DDoS attack is a serious threat to multi-tenant cloud.It is difficult to detect which VM in the cloud are compromised and what is the attack target,especially when the VM in the cloud is the victim.A DDoS detection method was presented suitable for multi-tenant cloud environment by identifying the malicious VM at-tack sources first and then the victims.A distributed detection framework was proposed.The distributed agent detects the suspicious VM which generate the potential DDoS attack traffic flows on the source side.A central server confirms the real attack flows.The feasibility and effectiveness of the proposed detection method are verified by experiments in the multi-tenant cloud environment.     

一种SDN中基于熵值计算的异常流量检测方法

摘要：软件定义网络（software defined networking,SDN）是一种新型网络创新架构,其分离了控制平面与转发平面,使得网络管理更为灵活。借助SDN控制与转发分离的思想,在SDN基础上引入一个集中式安全中心,在数据平面设备上采集数据,用于对网络流量进行分析,通过熵值计算和分类算法判断异常流量行为。对于检测到的网络异常情况,安全中心通过与SDN控制器的接口通告SDN控制器上的安全处理模块,进行流表策略的下发,进而缓解网络异常行为。通过本系统可以在不影响SDN控制器性能的情况下,快速检测网络中的异常行为,并通过SDN下发流表策略对恶意攻击用户进行限制,同时对SDN控制器进行保护。     

Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks

Distributed are common threats in many networks, where attackers attempt to make victim servers unavailable to other users by flooding them with worthless requests. These attacks cannot be easily stopped by firewalls, since they forge lots of connections to victims with various IP addresses. The paper aims to exploit the software‐defined networking (SDN) technique to defend against DDoS attacks. However, the controller has to handle lots of connections launched by DDoS attacks, which burdens it with a heavy load and degrades SDN's performance. Therefore, the paper proposes an efficient and low‐cost DDoS defense (ELD) mechanism for SDN. It adopts a nested reverse‐exponential data storage scheme to help the controller efficiently record the information of packets in the limited memory. Once there are many packets with high IP variability sent to a certain server and this situation lasts for a while, then a DDoS attack is likely happening. In this case, the controller asks switches to block malicious connections by installing flow rules. Experimental results verify that the ELD mechanism rapidly recognizes protocol‐based DDoS attacks and stops them in time, including TCP SYN flood, UDP flood, and ICMP flood, and also greatly reduces the overhead for the controller to defend against attacks. Moreover, ELD can distinguish DDoS flows from legitimate ones with similar features such as elephant flows and impulse flows, thereby eliminating false alarms.     

DDoS attack detection method based on conditional entropy and GHSOM in SDN

Software defined networking (SDN) simplifies the network architecture,while the controller is also faced with a security threat of “single point of failure”.Attackers can send a large number of forged data flows that do not exist in the flow tables of the switches,affecting the normal performance of the network.In order to detect the existence of this kind of attack,the DDoS attack detection method based on conditional entropy and GHSOM in SDN (MBCE&G) was presented.Firstly,according to the phased features of DDoS,the damaged switch in the network was located to find the suspect attack flows.Then,according to the diversity characteristics of the suspected attack flow,the quaternion feature vector was extracted in the form of conditional entropy,as the input features of the neural network for more accurate analysis.Finally,the experimental environment was built to complete the verification.The experimental results show that MBCE&G detection method can effectively detect DDoS attacks in SDN network.     

一种新的DDoS攻击检测算法

为了准确及时的进行DDoS攻击检测,提出了一种新的DDoS攻击检测算法。该算法在基于传统的小波分析检测DDoS攻击的基础上融入了主成分分析法和小波分析法中DDoS检测方法,并根据该算法设计相应的模型和算法来检测 DDoS 攻击,并且引入信息论中的信息熵对源IP地址的分散程度进行度量,根据初始阶段Hurst指数及熵值的变化自适应地设定阈值以检测攻击的发生。实验结果表明,该方法大幅度的提高了DDoS检测的速度。     

Entropy Based Adaptive Flow Aggregation

Internet traffic flow measurement is vitally important for network management, accounting and performance studies. Cisco's NetFlow is a widely deployed flow measurement solution that uses a configurable static sampling rate to control processor and memory usage on the router and the amount of reporting flow records generated. But during flooding attacks the memory and network bandwidth consumed by flow records can increase beyond what is available. Currently available countermeasures have their own problems: 1) reject new flows when the cache is full - some legitimate new flows will not be counted; 2) export not-terminated flows to make room for new ones - this will exhaust the export bandwidth; and 3) adapt the sampling rate to traffic rate - this will reduce the overall accuracy of accounting, including legitimate flows. In this paper, we propose an entropy based adaptive flow aggregation algorithm. Relying on information-theoretic techniques, the algorithm efficiently identifies the clusters of attack flows in real time and aggregates those large number of short attack flows into a few metaflows. Compared to currently available solutions, our solution not only alleviates the problem in memory and export bandwidth, but also significantly improves the accuracy of legitimate flows. Finally, we evaluate our system using both synthetic trace file and real trace files from the Internet.