Similar Literature
 Found 20 similar documents; search took 62 ms
1.
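Based on the periodic pulse-burst characteristic of LDoS attacks, a low-rate denial-of-service attack detection method based on Haar wavelet feature extraction is proposed. The method uses signal processing techniques to analyze network traffic and extract feature indicators, and performs a comprehensive diagnosis of network traffic through wavelet multi-scale analysis, which considerably reduces the interference of legitimate users' background traffic with attack feature extraction. NS-2 simulation results show that the method has a high detection rate and consumes few computing resources, and has good value for theoretical research and practical use.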

2.
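Research on an LDoS attack detection method based on time-window statistics   Total citations: 1, self-citations: 0, citations by others: 1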
吴志军  曾化龙  岳猛 《通信学报》2010,31(12):55-62
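Based on analysis and modeling of LDoS attack traffic, a statistical study of anomalous pulses per unit time in the time domain reveals that, during an LDoS attack, normal network traffic drops sharply while the attack traffic shows short, irregular high pulses. An LDoS attack detection algorithm based on time-window statistics is proposed and tested in a purpose-built real network environment, with extensive experiments for different sampling-time lengths. The results show that the detection rate of the method is above 96%, and that the false-negative (missed-alarm) rate and the false-positive (false-alarm) rate are both below 3%.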

3.
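The Shrew DDoS (Distributed Denial of Service) attack is a new type of DDoS attack, also called a low-rate DDoS attack. It exploits a weakness in the TCP timeout retransmission mechanism: by estimating the RTO (retransmission timeout) of legitimate TCP flows and using it as the period T at which the low-rate attack sends packets, it periodically sends short pulses so that the attack flow periodically occupies network bandwidth. Legitimate TCP flows therefore always perceive the network as heavily loaded, all affected TCP flows enter the timeout retransmission state, and the throughput of the victim host ultimately drops sharply, which achieves the aim of the attack. Because its attack rate is low, it can evade traditional defense mechanisms against high-rate attacks. This new type of denial-of-service attack is well concealed and has a pronounced effect.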

4.
LDDoS attack detection method based on Kalman filtering   Total citations: 3, self-citations: 1, citations by others: 2
吴志军  岳猛 《电子学报》2008,36(8):1590-1594
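The low-rate distributed denial-of-service (LDDoS) attack is a new type of DDoS attack. It exploits the retransmission timeout (RTO) mechanism of the TCP protocol to send periodic pulse attacks to the victim. The average attack rate of LDDoS is low, so it can evade traditional detection methods. This paper proposes a Kalman-filter-based detection method for LDDoS attacks, which uses the error between the one-step prediction and the optimal estimate as the detection criterion. Simulation and tests in a real network environment yield a detection rate of 89.6%. The experimental results show that the method can effectively detect LDDoS attacks.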

5.
Low-rate denial-of-service attack detection method based on signal cross-correlation   Total citations: 1, self-citations: 0, citations by others: 1
吴志军  李光  岳猛 《电子学报》2014,42(9):1760-1766
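The low-rate denial-of-service (LDoS) attack is an attack that is based on vulnerabilities in the TCP/IP protocols and uses dense periodic pulses. Addressing the timing relationship with which distributed LDoS attack pulses arrive at the target, this paper proposes a cross-correlation-based LDoS attack detection method. The method computes the correlation between a constructed detection sequence and the sampled network traffic sequence to obtain a correlation sequence, uses a cross-correlation algorithm based on circular convolution to compute the precise time at which attack pulses traveling over different transmission paths arrive at a specific attack target, uses an aperiodic single-pulse prediction technique to estimate the period parameter of the LDoS attack, extracts the correlation feature of the LDoS attack's pulse duration, and designs a decision-threshold rule. Experimental results show that the LDoS attack detection method based on signal cross-correlation has good detection performance.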

6.
岳猛  张才峰  吴志军 《信号处理》2015,31(11):1454-1460
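Because low-rate denial-of-service (LDoS) attacks have a low average rate and are highly concealed, an LDoS attack detection method based on a hidden Markov model is proposed. First, a hidden Markov model of the network state is built, and the detection results of the normalized cumulative power spectrum density (NCPSD) method are used as the model's observations. The forward algorithm is used to obtain the similarity of different observation sequences under the model, which serves as the detection criterion. The method was tested in NS 2; the experimental results show that it can effectively detect LDoS attacks and has better detection performance than other methods. Hypothesis testing gives a detection rate of 99.96%.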

7.
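An anomaly detection system for reliably detecting low-rate DDoS attacks   Total citations: 1, self-citations: 1, citations by others: 0
With the development of DDoS attacks, a new attack mode has emerged: the low-rate attack. Because the intrusion detection systems (IDS) previously used to detect DDoS are mostly built on statistical detection of the intruder's high-rate data flows, low-rate attacks can slip past such high-rate IDS. A reliable intrusion detection system is proposed for the low-rate DDoS attacks that have appeared in recent years. The system lets the user set the identification probability and the miss probability for deciding whether an arriving flow is anomalous, and can easily be extended to graded-service networks. Simulation results show that the system can accurately distinguish low-rate from normal-rate traffic and can be used to detect low-rate attacks.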

8.
Research on an LDoS attack detection method based on a small-signal detection model   Total citations: 2, self-citations: 0, citations by others: 2
吴志军  裴宝崧 《电子学报》2011,39(6):1456-1460
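Low-rate denial of service (LDoS) is a new type of DoS attack targeting the TCP protocol. The average traffic of an LDoS attack is only 10-20% of normal traffic; it has pronounced periodic small-signal characteristics and is highly concealed. Detecting LDoS attacks has therefore become a difficult problem in network security research. Using digital signal processing (DSP) techniques and small-signal detection theory, this paper proposes an LDoS attack detection method based on a small-signal model. The method constructs a characteristic-value estimation matrix and counts the number of packets arriving within 30 seconds (3000 sampling points); the count is compared with a preset decision threshold on the characteristic value to decide whether an LDoS attack is present. If the decision is positive, the period of the LDoS attack can be computed fairly accurately from the characteristic-value estimation matrix. Simulation results in the NS-2 environment show that the method has a high LDoS attack detection rate.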

9.
白亮  教传铭 《电信快报》2022,(12):35-38
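To reduce the false-alarm rate of network DDoS (distributed denial-of-service) attack detection, achieve accurate detection of network DDoS attacks, and adjust the network's operating rate in a targeted way, the article designs a wavelet-analysis-based method for detecting low-rate network DDoS attacks. DDoS attack features are extracted, anomalous-attack localization nodes are deployed, anomalous bands are identified and processed synchronously, and a wavelet-analysis DDoS attack detection model is built. The final test results show that, compared with the traditional attack detection group, the wavelet-analysis DDoS attack detection group designed in the article has smaller error and higher detection efficiency, and has some practical value.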

10.
王明华 《世界电信》2005,18(10):40-44
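Distributed denial-of-service (DDoS) attacks have become one of the greatest threats to the Internet. A design for a DDoS defense system based on the Intel IXP1200 network processor platform is proposed, and a defense system, D-Fighter, is implemented. The principles and methods of two key techniques for countering DDoS attacks, packet authentication and fine-grained traffic control, are presented and implemented in D-Fighter. Application tests in a real network test environment show that D-Fighter meets its design goals and defends well against DDoS attacks.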

11.
LDoS (low-rate denial of service) attack is a kind of RoQ (reduction of quality) attack which has the characteristics of low average rate and strong concealment. These characteristics pose great threats to the security of cloud computing platform and big data center. Based on network traffic analysis, three intrinsic characteristics of LDoS attack flow were extracted to be a set of input to BP neural network, which is a classifier for LDoS attack detection. Hence, an approach of detecting LDoS attacks was proposed based on novel combined feature value. The proposed approach can speedily and accurately model the LDoS attack flows by the efficient self-organizing learning process of BP neural network, in which a proper decision-making indicator is set to detect LDoS attack in accuracy at the end of output. The proposed detection approach was tested in NS2 platform and verified in test-bed network environment by using the Linux TCP-kernel source code, which is a widely accepted LDoS attack generation tool. The detection probability derived from hypothesis testing is 96.68%. Compared with available researches, analysis results show that the performance of combined features detection is better than that of single feature, and has high computational efficiency.

12.
As a new type of Denial of Service (DoS) attacks, the Low-rate Denial of Service (LDoS) attacks make the traditional method of detecting Distributed Denial of Service Attack (DDoS) attacks useless due to the characteristics of a low average rate and concealment. With features extracted from the network traffic, a new detection approach based on multi-feature fusion is proposed to solve the problem in this paper. An attack feature set containing the Acknowledge character (ACK) sequence number, the packet size, and the queue length is used to classify normal and LDoS attack traffics. Each feature is digitalized and preprocessed to fit the input of the K-Nearest Neighbor (KNN) classifier separately, and to obtain the decision contour matrix. Then a posteriori probability in the matrix is fused, and the fusion decision index D is used as the basis of detecting the LDoS attacks. Experiments proved that the detection rate of the multi-feature fusion algorithm is higher than those of the single-based detection method and other algorithms.

13.
Denial of service (DoS) attacks are a serious threat for the Internet. DoS attacks can consume memory, Computer processing unit (CPU), and network bandwidths and damage or shut down the operation of the resource under attack. In this paper, based on the taxonomy of DoS attacks, two typical types of DoS, flood DoS (FDoS) and low-rate DoS (LDoS) attacks, are studied on their generation principle, mechanism utilization, signature, impacts, and defense mechanisms. Simulation results illustrate that 1) FDoS is easy to be launched but its signature is easy to be detected. 2) LDoS organizes an average small quantity of traffic and it is stealthier. Comparison of LDoS with FDoS sheds light on the emerging new features of DoS attacks and can make the detection and defense mechanisms more efficient.

14.
Aiming at the problems of low-rate DDoS attack detection accuracy in cloud SDN network and the lack of unified framework for data plane and control plane low-rate DDoS attack detection and defense, a unified framework for low-rate DDoS attack detection was proposed. First of all, the validity of the data plane DDoS attacks in low rate was analyzed, on the basis of combining with low-rate of DDoS attacks in the aspect of communications, frequency characteristics, extract the mean value, maximum value, deviation degree and average deviation, survival time of ten dimensions characteristics of five aspects, to achieve the low-rate of DDoS attack detection based on Bayesian networks, issued by the controller after the relevant strategies to block the attack flow. Finally, in OpenStack cloud environment, the detection rate of low-rate DDoS attack reaches 99.3% and the CPU occupation rate is 9.04%. It can effectively detect and defend low-rate DDoS attacks.

15.
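As networks have developed, the current network architecture has run into problems that are hard to solve. Content-centric networking redesigns the network architecture to solve these problems; the Named Data Network (NDN) is a typical content-centric network today, but its development has also brought new security problems. The paper analyzes the impact of traditional DoS/DDoS attacks on NDN networks, examines the new types of DoS/DDoS attacks arising in NDN networks, and briefly describes the corresponding solutions.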

16.
The performance of a correlation-delay-shift-keying (CDSK) system for low data-rate applications in wireless communications is studied in this paper. In the transmitter, the low-rate data modulates the chaotic spreading sequence by means of a CDSK modulator at baseband. By using a RF modulator, the baseband CDSK-modulated signal is up-converted into a RF passband signal which is then transmitted on the antenna. These modulators allow the transmitter to be able to adjust flexibly the chip period compared with bit duration and locate the transmitted signal at a desired or allocated RF band. The receiver performs in turn the corresponding RF and CDSK demodulations to recover the data. A wireless channel affected by noise, fading, multipath, and delay-spread in the context of low-rate and short-range transmission of the chaotic spread-spectrum signals is described. Schemes for the transmitter and receiver under the impact of the wireless channel are then developed. Bit-error-rate (BER) performance is analyzed with the use of both theoretical derivation and numerical integration. Simulated performance is shown in comparison with the corresponding analyzed ones, where the effect of the spreading factor, modulation delay, and the number of transmission paths on the BER is fully evaluated. Our findings show that the low-rate CDSK system can exploit the multipath nature of wireless channels for improving the BER performance.

17.
This letter shows a potentially harmful scenario named Induced-shrew attack in which a malicious TCP receiver remotely controls the transmission rate and pattern of a TCP sender to exploit it as a flood source for launching low-rate denial-of-service (DoS) attacks. Through simulation, proof-of-concept implementation and experimentation in testbed and real-world Internet paths, we demonstrate that standard implementation of TCP senders can be exploited as flood sources for low-rate DoS attacks without compromising them. We describe the nature of the underlying vulnerability and discuss possible countermeasures against the induced-shrew.

18.
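Self-defense model for SIP proxy servers against denial-of-service attacks   Total citations: 1, self-citations: 0, citations by others: 1
Based on an analysis of the principles, types and characteristics of denial-of-service attacks and of the typical DoS attacks faced by SIP networks, and combining the Client Puzzle idea, DFA, remote-linkage and local-linkage techniques with the characteristics of SIP networks and the working principle of SIP proxy servers, a self-defense model for SIP proxy servers against denial-of-service attacks is proposed. A corresponding experimental environment is designed to test the model's ability to withstand DoS attacks. The experimental results show that, at the cost of a millisecond-level increase in the proxy server's signaling-forwarding delay, the model can effectively withstand DoS attacks launched against SIP proxy servers and improve the availability of SIP system services.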

19.
Recursive decoding techniques are considered for Reed-Muller (RM) codes of growing length $n$ and fixed order $r$. An algorithm is designed that has complexity of order $n \log n$ and corrects most error patterns of weight up to $n(1/2 - \varepsilon)$ given that $\varepsilon$ exceeds $n^{-1/2^r}$. This improves the asymptotic bounds known for decoding RM codes with nonexponential complexity. To evaluate decoding capability, we develop a probabilistic technique that disintegrates decoding into a sequence of recursive steps. Although dependent, subsequent outputs can be tightly evaluated under the assumption that all preceding decodings are correct. In turn, this allows us to employ second-order analysis and find the error weights for which the decoding error probability vanishes on the entire sequence of decoding steps as the code length $n$ grows.

20.
Delay tolerant networks (DTNs) are characterized by delay and intermittent connectivity. Satisfactory network functioning in a DTN relies heavily on co-ordination among participating nodes. However, in practice, such co-ordination cannot be taken for granted due to possible misbehaviour by relay nodes. Routing in a DTN is, therefore, vulnerable to various attacks, which adversely affect network performance. Several strategies have been proposed in the literature to alleviate such vulnerabilities; they vary widely in terms of throughput, detection time, overhead etc. One key challenge is to arrive at a tradeoff between detection time and overhead. We observe that the existing table-based reactive strategies to combat Denial-of-service (DoS) attacks in DTN suffer from two major drawbacks: high overhead and slow detection. In this paper, we propose three secure, light-weight and time-efficient routing algorithms for detecting DoS attacks (Blackhole and Grey-hole attacks) in the Spray & Focus routing protocol. The proposed algorithms are based on use of a small fraction of privileged (trusted) nodes. The first strategy, called TN, outperforms the existing table-based strategy with 20–30 % lesser detection time, 20–25 % higher malicious node detection and negligible overhead. The other two strategies, CTN_MI and CTN_RF, explore the novel idea that trusted nodes are able to utilize each other's information/experience using their long range connectivity as and when available. Simulations performed using an enhanced ONE simulator reveal that investing in enabling connectivity among trusted nodes (as in CTN_RF) can have significant performance benefits.
