一种基于流量控制技术的分布式DDOS攻击检测框架研究

DDOS攻击是当前网络安全的最大威胁之一。将分布式检测技术与流量控制技术相结合提出了一种D＆SFC（Distributed and Simple Flow Control）DDOS攻击检测框架,即具有简单流量控制功能的分布式DDOS检测框架。其特点是利用多层次的结构,结合包过滤及带宽控制技术,在网络拓扑的不同节点上实现网络流量的简单控制,在进行DDOS攻击检测的同时降低了攻击数据包对网络性能的影响。     

浅析基于网络协议的异常流量识别技术

本文提出构建基于网络协议的异常流量识别模型,结合网络协议分析、网络入侵检测技术等对网络数据层进行解析,通过对频繁IP 地址进行聚集发现网络中的异常流量IP 地址集合,统计出异常数据包。通过DDOS攻击实验结果分析得出,该模型具有较高的识别能力,并且在处理效率和计算强度方面都有很好的表现。     

基于相似系数的DDOS攻击检测研究

针对服务器的DDOS攻击,在分析流量基础上,提出一种利用相似系数检测DDOS攻击的算法。该算法以单位时间的数据量作为计算项,统计实验数据值,通过与阈值的比较检测DDOS攻击。此算法具有在线检测、实时性强的特点,对插入式DDOS攻击检测尤其有效。实验表明,在阈值参数取值适当的情况下,DDOS攻击的检测准确率有较高的提升。     

分布式网络主动防御系统研究

针对DDOS和蠕虫的特点,提出了一种NeTraMet和QOS相结合的主动防御机制,实现对DDOS和蠕虫经济高效的防治.在蠕虫检测上考虑了无特征蠕虫和有特征蠕虫两种情况;一般基于流量的DDOS检测方法预警时,网络实际已经受到一定程度的攻击而且发生阻塞,为了能够更早预警DDOS攻击,提高网络生存性,在DDOS检测中提出了可疑流量线,当流量达到可疑流量和攻击流量之间时,就启动防御机制,利用路由器的QOS功能,尽量减少攻击流的消耗带宽,维持网络正常服务.最后在NS2中进行模拟验证.     

基于网络处理器的多维统计异常检测系统

基于网络处理器开发的网络设备能够很好地解决灵活性和高性能之间的矛盾.基于网络处理器IXP2400自身的特点,设计了多维异常检测系统.该系统可以有效地检测和防御DDOS攻击.根据TCP/IP协议簇,对数据包进行多维解析,统计以及异常标记.仿真和硬件实验的验证数据表明,该系统能准确无误地按照设计目标一一分解数据包,并标记出异常值,从而为后续的网络安全的研究和防御工作提供可靠的数据保证.     

DDOS攻击方式和防护方法的研究

DDoS攻击仍旧是现在网络上主要的一类攻击手段,并且呈现上升趋势。本文先介绍了DDOS攻击的现状,然后对大流量冲击型和应用层资源消耗型这两种主要的攻击方式做了分析,然后提出了通过合理配置、防火墙、基于流量模型自学习的攻击检测方法和基于云计算服务等实现DDOS攻击防护。     

僵尸网络中的变种SYN Flood攻击检测模型

根据由僵尸网络引发的DDOS变种攻击,提出了一种在基于攻击源端的SYN Flood测试模型。部署在攻击源的方法可以在检测到DDOS攻击后及时的过滤攻击数据,最大程度的降低了攻击对整个Internet带来的危害。文中针对目前最新的DDOS变种攻击特点,利用自适应阈值与计数式多状态布鲁姆过滤器相结合的方法对SYN&ACK网络数据包进行过滤和监测,并对过滤器的更新机制进行了改进。分析表明,该方法可以有效地解决僵尸网络带来的问题。     

DDOS攻击分析及其防范策略

分布式拒绝服务（DDOS）攻击防御是网络安全领域的长期重要课题。近年来,随着Internet业务与广播电视日渐融合,广电网络成为DDOS攻击新目标,因此DDOS攻击防御亦成为广电网络安全新课题。本文以流行最为广泛的SYN Flooding攻击为重点研究对象,基于DDOS攻击原理及攻击方式分析,提出DDOS攻击识别方法;从服务器、网络设备及安全设备等方面,重点阐述以预防为主确保网络安全的攻击防御策略、防御措施及处理方法。     

DDoS攻击的检测与溯源探析

分布式拒绝服务攻击是当前流行的网络攻击手段之一,影响力巨大。本文主要探讨了DDoS攻击的检测方法和IP溯源技术,重点分析3种DDoS检测方法:流量、日志、数据包分析法,提出了运用数据包切片标记实现对伪造IP攻击溯源的方法。通过搭建分布式DDoS攻击实验环境,综合应用流量监控、日志分析和数据包切片标记的方法实现了对DDoS的IP溯源。通过反复实验测试,证明方法的可行性、准确率可达90%。     

基于OCSVM的DDOS攻击实时检测模型

为了提高DDOS攻击检测器的准确率,解决因离线训练分类器而导致的样本标注困难,分类器不能随流量模式变化而更新的问题,提出了一种DDOS攻击的实时检测模型。该模型以One-class SVM做分类器,可减少标注样本的时间。使用主动学习机制,能主动挑选最有利于分类器性能提高的样本进行训练。以拥塞控制理论为基础,通过对分类结果进行主动错误识别和纠正,使学习机可以随流量变化更新其状态。实验结果表明,该模型有较好的分类准确性,通过错误纠正功能可以提高检测率,可用于实时检测DDOS攻击。     

报文RPR环网选路表方法

弹性分组环技术是一种优化的、用于光纤环型拓扑的、并具有强壮和高效特点的技术。弹性分组环网能够承载多种业务,包括对抖动和时延敏感的如话音和视频流量、以太网和 IP 业务等。该文提出了报文RPR (Resilient Packet Rings)环网的选路表方法及设计方案,该方法成功地解决了数以10万计路由表项的更新、复杂RPR拓扑库的震荡、高成本硬件存储空间和CPU开销的难题。     

一种改进的基于WinPcap的快速抓包方法*

根据WinPcap的抓包原理和高速网络环境对网络抓包性能的要求,提出了一种改进的快速抓包方法－FHW法,并且在VC++ 6.0编译器中实现了该方法。试验结果表明,在高流量网络环境中,与传统的抓包方法相比,FHW法能显著地提高抓包性能、降低丢包率。     

基于时间压缩的流量加速回放方法

随着网络流量的激增，在虚拟环境下对流量进行回放面临着许多问题。为了满足回放过程中流量完整性和准确性的需求，提出了一种基于时间压缩的流量加速回放方法，实现了在虚拟环境下对真实网络流量的加速回放。该方法优先将时间间隔集合中最大的时间间隔进行压缩，对间隔较小的时间减少压缩，从而减少时间压缩造成的单位时间流量猛增现象，进而降低流量的丢包率。从丢包率、时间间隔误差、相似度3方面对其效果进行衡量。实验表明，与等比压缩方法相比，该方法在相似度上表现较差，但有着较低的丢包率和时间间隔误差。     

An SVM-based machine learning method for accurate internet traffic classification

Accurate and timely traffic classification is critical in network security monitoring and traffic engineering. Traditional methods based on port numbers and protocols have proven to be ineffective in terms of dynamic port allocation and packet encapsulation. The signature matching methods, on the other hand, require a known signature set and processing of packet payload, can only handle the signatures of a limited number of IP packets in real-time. A machine learning method based on SVM (supporting vector machine) is proposed in this paper for accurate Internet traffic classification. The method classifies the Internet traffic into broad application categories according to the network flow parameters obtained from the packet headers. An optimized feature set is obtained via multiple classifier selection methods. Experimental results using traffic from campus backbone show that an accuracy of 99.42% is achieved with the regular biased training and testing samples. An accuracy of 97.17% is achieved when un-biased training and testing samples are used with the same feature set. Furthermore, as all the feature parameters are computable from the packet headers, the proposed method is also applicable to encrypted network traffic.     

MPLS VPN技术在WLAN接入分组域中的应用与研究

以WLAN为代表的无线局域网技术,已成为蜂窝网络数据流量的有效分流手段.通过WLAN访问运营商的分组域业务以成为研究的热点.MPLS VPN为利用多协议标签交换技术组建的虚拟专用网,管理维护简单,安全性高且支持QoS和流量工程.负载均衡是MPLS流量工程的一项重要应用,本文通过MPLS VPN在WLAN接入分组域组网中的应用,给出了VPN的组网方式,同时提出了基于多LSP的网络优化方案,建立了相应的优化模型并研究了在实际网络中流量分配的方式.     

Traffic modeling, prediction, and congestion control for high-speednetworks: a fuzzy AR approach

In this study, a fuzzy autoregressive (fuzzy-AR) model is proposed to describe the traffic characteristics of high-speed networks. The fuzzy-AR model approximates a nonlinear time-variant process with a combination of several linear local AR processes using a fuzzy clustering method. We propose that the use of this fuzzy-AR model has greater potential for congestion control of packet network traffic. The parameter estimation problem in fuzzy-AR modeling is treated by a clustering algorithm developed from actual traffic data in high-speed networks. Based on the adaptive AR-prediction model and queueing theory, a simple congestion control scheme is proposed to provide an efficient traffic management for high-speed networks. Finally, using the actual Ethernet-LAN packet traffic data, several examples are given to demonstrate the validity of this proposed method for high-speed network traffic control     

Adaptive network-traffic balancing on multi-core software networking devices

Software networking devices running on commercial-off-the-shelf hardware offer more flexibility and less performance than high-end, dedicated, networking devices. However, this lack of performance can be compensated, to some extent, by multi-core processors that can manage network packets in parallel. In order to efficiently utilize multi-core architectures, the processing load and the network traffic must be properly balanced to optimize the inter-core communication. Here, we analyze the traffic distribution on a per-packet and per-flow basis and verify the performance of the Linux Bridge networking device. A new, adaptive, traffic-distribution method is proposed, which combines packet-based and flow-based traffic distributions. The method was experimentally validated by two test cases – the “worst-case” scenario, with one dominant flow, and the “backbone-link” scenario, with a large number of flows that have a similar packet rate. In the case of one dominant flow, the performance in traffic throughput is improved by a factor of 2.8 by engaging four processing cores. In the case of a large number of traffic flows, the performance remains similar to the existing flow-based methods.     

基于行为模型的IP Forwarding异常检测方法

通过研究网络流动态特征,基于路由变化、流变化和包延迟,以及IP报文头信息（例如TTL、源/目的地址、报文长度和路由器时间戳）建立网络行为模型,通过高性能测量和在线分析网络流和路由信息对初始网络异常产生实时报警,实现了IP forwarding网络异常的有效检测和识别。定义了网络行为模型的五种功能模块,通过关联空间和时间状态信息检测识别网络异常为大范围监测网络提供强大支持。     

BitTorrent packet traffic features over IPv6 and IPv4

At present, BitTorrent protocol packets constitute a large part of peer-to-peer application traffic on the Internet. Due to the increasing amount of BitTorrent traffic, it has become inevitable to take into account its effects on network management. Generally, studies on BitTorrent traffic measurement have involved analysis with packets transmitted via IPv4 protocol. However, with several facilities provided by IPv6 protocol, its traffic volume in operational networks is increasing day by day. New features of IPv6 enhance packet processing speeds over routers, switches and end systems. We consider that traffic features and packet traffic characteristics are likely to be affected with increasing amount of IPv6 protocol traffic. Therefore, it becomes significant to explore IPv6 packet traffic characteristics and application traffic features over IPv6. In this study, we investigate the IPv6 BitTorrent packet traffic characteristics in terms of autocorrelation, power spectral density and self similarity of packet size and packet interarrival time. We also perform distribution modeling for IPv4 and IPv6 BitTorrent packet traffic. With these models, efficient packet traffic traces are generated for network simulation studies. A detailed comparison is performed to determine differences between IPv4 and IPv6 BitTorrent packet traffic.     

基于人工免疫的工业认知无线网络路由机制

工业互联网（industrial Internet）已成为第四次工业革命的代表技术.根据工业网络数据传输服务的需求,以及针对工业无线网络拓扑相对稳定、流量规律变化等特点,提出了一种基于人工免疫系统（artificial immune system,简称AIS）的工业认知无线网络路由机制,包含基于链路质量的域内静态路由算法和基于多路径的域间动态路由算法,以实现工业网络的可靠路由.根据人工免疫系统特点,将工业网络的拓扑结构进行区域划分：提出了基于链路质量的域内静态路由算法,采用软硬件结合的方式监视网络链路,并根据移动窗口指数加权平均法计算链路丢包率;提出了基于多路径的域间动态路由算法,根据模式距离对节点的流量周期进行预测,防止节点因流量过大而导致丢包.基于OMNET++仿真平台进行仿真实验,结果表明,所提出的路由机制在应对突发流量时与组合定向地理路由算法相比,丢包率及网络开销分别降低1倍;应对链路失效的情况时与图路由算法相比丢包率降低4倍.