Funding: supported in part by the funding agencies of China: the Doctoral Fund of Northeastern University of Qinhuangdao (Grant No. XNB201410); the Fundamental Research Funds for the Central Universities (Grant No. N130323005)
Abstract: Filter-based reactive packet filtering is a key technology in attack traffic filtering for defending against Denial-of-Service (DoS) attacks. Two kinds of relevant schemes have been proposed: victim-end filtering and source-end filtering. The first scheme prevents attack traffic from reaching the victim, but causes a huge loss of legitimate flows due to the scarce filters (termed collateral damage); the other, extreme scheme can obtain sufficient filters, but severely degrades network transmission performance due to the abused filtering routers. In this paper, we propose a router-based packet filtering scheme, which provides relatively more filters while reducing the quantity of filtering routers. We implement this scheme on emulated DoS scenarios based on synthetic and real-world Internet topologies. Our evaluation results show that, compared to the previous work, our scheme uses just 20% of its filtering routers while increasing its collateral damage by less than 15 percent.
Funding: supported by Agency for Science, Technology and Research Grant (SERC) (No. 0521010037); Natural Science Foundation of China (No. 60874062, 60828006); NSFC-Guangdong Joint Foundation (No. U0735003)
Abstract: This paper is concerned with the estimation problem for discrete-time stochastic linear systems with possible single unit delay and multiple packet dropouts. Based on a proposed uncertain model in data transmission, an optimal full-order filter for the state of the system is presented, which is shown to take the form of employing the received outputs at the current and last time instants. The solution to the optimal filter is given in terms of a Riccati difference equation governed by two binary random variables. The optimal filter reduces to the standard Kalman filter when there are no random delays and packet dropouts. The steady-state filter is also investigated. A sufficient condition for the existence of the steady-state filter is given. The asymptotic stability of the optimal filter is analyzed.
Funding: Supported by the National Natural Science Foundation of China (60373075, 60473055)
Abstract: Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packet filtering mechanism which combines the detection and filtering engines to protect Web servers from DDoS attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower-priority IP addresses to preserve the connection for valid users by monitoring the queue status. We use Netfilter, a framework inside Linux 2.4.x, to implement it on a Web server. We also evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.
Funding: supported in part by National Natural Science Foundation of China (61272148, 61572525, 61502056, and 61602525); Hunan Provincial Natural Science Foundation of China (2015JJ3010); Scientific Research Fund of Hunan Provincial Education Department (15B009, 14C0285)
Abstract: The growing trend of network virtualization has resulted in widespread adoption of virtual switches in virtualized environments. However, virtual switching is confronted with great performance challenges regarding packet classification, especially in OpenFlow-based software defined networks. This paper first examines packet classification in virtual OpenFlow switching, and points out that its performance bottleneck is dominated by flow table traversals of multiple failed mask probings for each arriving packet. We are then motivated to propose an efficient packet classification algorithm based on counting Bloom filters. In particular, counting Bloom filters are applied to predict the failures of flow table lookups with high probability, and to bypass flow table traversals for failed mask probing. Finally, our proposed packet classification algorithm is evaluated experimentally with real network traffic traces. The experimental results indicate that our proposed algorithm outperforms the classical one in Open vSwitch in terms of average search length, and helps improve virtual OpenFlow switching performance.
Abstract: In the Wavelet Packets Based Multicarrier Multicode CDMA system, the multicode (MCD) part ensures transmission at high speed and flexible data rates, the multicarrier (MC) part ensures the flexibility of handling multiple data rates, and the wavelet packets modulation technique contributes to the mitigation of interference problems. The CDMA system can suppress a given amount of interference. In this paper, the receiver employs a suppression filter (SF) to mitigate the effect of narrow-band jammer interference, and diversity techniques to reduce multiple access interference. The framework for the system and the performance evaluation are presented in terms of bit error rate (BER) over a Nakagami fading channel. We also investigate how the performance is influenced by various parameters, such as the number of taps of the SF, the ratio of narrow-band interference bandwidth to the spread-spectrum bandwidth, the diversity order, the fading parameter and so on. Finally, the performance of the system is compared with the performance of the Sinusoidal (Sin) based MC/MCD CDMA system.