
DDoS Traffic Filtering Based on Token Bucket Arrays (cited by: 1)

DDoS mitigation based on token bucket arrays
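Abstract (translated from the Chinese): To improve the performance of filtering distributed denial-of-service (DDoS) attack traffic while preserving filtering accuracy, a classification method based on a random decomposition model of Poisson flows is proposed. After decomposing the traffic according to packet features, the method randomly decides the class of each packet based on the rate ratio of the two classes of traffic. An implementation based on a token bucket array (TBA) is designed that does not need to estimate the parameters of the attack flow in real time, which effectively improves filtering performance. Theoretical derivation shows that the upper bound on the theoretical error rate of the Poisson flow random decomposition model is twice the upper bound on the error rate of the maximum a posteriori decision rule, and that the error rate of the TBA decreases further when filtering strongly bursty attack packets. Experimental results show that the filtering effectiveness of the TBA is comparable to that of the NB (naive Bayes) method, and that its error rate is lower than that of the NB method when filtering bursty attack flows.

Abstract (English, as published): A classification scheme based on the random decomposition of Poisson processes was introduced to reduce filter complexity while maintaining accuracy when filtering distributed denial of service (DDoS) packets. The traffic was decomposed into sub-flows based on the packet features, with packets in each sub-flow randomly discriminated based on the intensity ratio for two classes in the sub-flow. A practical system based on the token bucket array (TBA) was developed which increased the performance by removing real-time parameter estimation of the attacking traffic. The error probability is proven to be less than twice that of the maximum a posteriori (MAP) criterion and decreases when confronting burst attacking traffic. Tests demonstrate the effectiveness of the system especially for filtering burst DDoS traffic.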
Source: Journal of Tsinghua University (Science and Technology); indexed in EI, CAS, CSCD and the Peking University Core Journals list; 2011, Issue 1, pp. 141-144 (4 pages)
Funding: National "973" Key Basic Research Program (2009CB320505)
Keywords: computer network security; distributed denial of service (DDoS) attack; decomposition of Poisson process; token bucket array; Markov-modulated Poisson process