The proliferation of Internet of Things(IoT)rapidly increases the possiblities of Simple Service Discovery Protocol(SSDP)reflection attacks.Most DDoS attack defence strategies deploy only to a certain type of devices ...The proliferation of Internet of Things(IoT)rapidly increases the possiblities of Simple Service Discovery Protocol(SSDP)reflection attacks.Most DDoS attack defence strategies deploy only to a certain type of devices in the attack chain,and need to detect attacks in advance,and the detection of DDoS attacks often uses heavy algorithms consuming lots of computing resources.This paper proposes a comprehensive DDoS attack defence approach which combines broad learning and a set of defence strategies against SSDP attacks,called Broad Learning based Comprehensive Defence(BLCD).The defence strategies work along the attack chain,starting from attack sources to victims.It defends against attacks without detecting attacks or identifying the roles of IoT devices in SSDP reflection attacks.BLCD also detects suspicious traffic at bots,service providers and victims by using broad learning,and the detection results are used as the basis for automatically deploying defence strategies which can significantly reduce DDoS packets.For evaluations,we thoroughly analyze attack traffic when deploying BLCD to different defence locations.Experiments show that BLCD can reduce the number of packets received at the victim to 39 without affecting the standard SSDP service,and detect malicious packets with an accuracy of 99.99%.展开更多
Software defined networking(SDN)has attracted significant attention from both academia and industry by its ability to reconfigure network devices with logically centralized applications.However,some critical security ...Software defined networking(SDN)has attracted significant attention from both academia and industry by its ability to reconfigure network devices with logically centralized applications.However,some critical security issues have also been introduced along with the benefits,which put an obstruction to the deployment of SDN.One root cause of these issues lies in the limited resources and capability of devices involved in the SDN architecture,especially the hardware switches lied in the data plane.In this paper,we analyze the vulnerability of SDN and present two kinds of SDN-targeted attacks:1)data-to-control plane saturation attack which exhausts resources of all SDN components,including control plane,data plane,and the in-between downlink channel and 2)control plane reflection attack which only attacks the data plane and gets conducted in a more efficient and hidden way.Finally,we propose the corresponding defense frameworks to mitigate such attacks.展开更多
In this paper, the limitation of the GNY logic about its inabilityto detect the reflection attacks against some authentication protocols is given. Animprovement is proposed which takes into account the possible multip...In this paper, the limitation of the GNY logic about its inabilityto detect the reflection attacks against some authentication protocols is given. Animprovement is proposed which takes into account the possible multiple instances(principals) of the same identity in the model.展开更多
基金The work presented in this paper is supported by the Shandong Provincial Natural Science Foundation(No.ZR2020MF04)National Natural Science Foundation of China(No.62072469)+2 种基金the Fundamental Research Funds for the Central Universities(19CX05027B,19CX05003A-11)West Coast Artificial Intelligence Technology Innovation Center(2019-1-5,2019-1-6)the Opening Project of Shanghai Trusted Industrial Control Platform(TICPSH202003015-ZC).
文摘The proliferation of Internet of Things(IoT)rapidly increases the possiblities of Simple Service Discovery Protocol(SSDP)reflection attacks.Most DDoS attack defence strategies deploy only to a certain type of devices in the attack chain,and need to detect attacks in advance,and the detection of DDoS attacks often uses heavy algorithms consuming lots of computing resources.This paper proposes a comprehensive DDoS attack defence approach which combines broad learning and a set of defence strategies against SSDP attacks,called Broad Learning based Comprehensive Defence(BLCD).The defence strategies work along the attack chain,starting from attack sources to victims.It defends against attacks without detecting attacks or identifying the roles of IoT devices in SSDP reflection attacks.BLCD also detects suspicious traffic at bots,service providers and victims by using broad learning,and the detection results are used as the basis for automatically deploying defence strategies which can significantly reduce DDoS packets.For evaluations,we thoroughly analyze attack traffic when deploying BLCD to different defence locations.Experiments show that BLCD can reduce the number of packets received at the victim to 39 without affecting the standard SSDP service,and detect malicious packets with an accuracy of 99.99%.
基金supported in part by the National Key R&D Program of China under Grant No.2017YFB0801701the National Science Foundation of China under Grant No.61472213CERNET Innovation Project(NGII20160123)
文摘Software defined networking(SDN)has attracted significant attention from both academia and industry by its ability to reconfigure network devices with logically centralized applications.However,some critical security issues have also been introduced along with the benefits,which put an obstruction to the deployment of SDN.One root cause of these issues lies in the limited resources and capability of devices involved in the SDN architecture,especially the hardware switches lied in the data plane.In this paper,we analyze the vulnerability of SDN and present two kinds of SDN-targeted attacks:1)data-to-control plane saturation attack which exhausts resources of all SDN components,including control plane,data plane,and the in-between downlink channel and 2)control plane reflection attack which only attacks the data plane and gets conducted in a more efficient and hidden way.Finally,we propose the corresponding defense frameworks to mitigate such attacks.
文摘In this paper, the limitation of the GNY logic about its inabilityto detect the reflection attacks against some authentication protocols is given. Animprovement is proposed which takes into account the possible multiple instances(principals) of the same identity in the model.
