The technique of IP traceback may effectively block DOS (Denial Of Service) and meet the requirement of the computer forensic, but its accuracy depends upon that condition that each node in the Internet must support I...The technique of IP traceback may effectively block DOS (Denial Of Service) and meet the requirement of the computer forensic, but its accuracy depends upon that condition that each node in the Internet must support IP packet marking or detected agents. So far, this requirement is not satisfied. On the basis of traditional traceroute,this paper investigates the efficiency of discovering path methods from aspects of the size and order of detecting packets, and the length of paths.It points out that the size of padding in probed packets has a slight effect on discovering latency, and the latency with the method of bulk sending receiving is much smaller than one with the traditional traceroute. Moreover, the loss rate of packets with the technique of TTL (Time To Live) which increases monotonously is less than that with the technique of TTL which decreases monotonously. Lastly,OS (Operating System) passive fingerprint is used as heuristic to predict the length of the discovered path so as to reduce disturbance in network traffic.展开更多
Due to constrained resources, DDoS attack is one of the biggest threats to MANET. IP traceback technique is useful to defend against such type of attacks, since it can identify the attack sources. Several types of tra...Due to constrained resources, DDoS attack is one of the biggest threats to MANET. IP traceback technique is useful to defend against such type of attacks, since it can identify the attack sources. Several types of traceback schemes have been proposed for wired networks. Among all the existing schemes, probabilistic packet marking (PPM) scheme might be the most promising scheme for MANET. However its performance in MANET is not as good as that in Internet. In this paper, a new scheme based on the codingtechnique (CT) is proposed for traceback in MANET. Furthermore, a new idea of Incremental traceback is raised to cope with the situation of incremental attack (ICT). We present the protocol design and conduct theoretical analysis of this scheme. Additionally, we conduct experiments to compare it with the traditional PPM scheme. The experimental results show that the new coding-based traceback scheme outperforms the PPM scheme in MANET.展开更多
In a hostile environment, sensor nodes may be compromised and then be used to launch various attacks. One severe attack is false data injection which is becoming a serious threat to wireless sensor networks. An attack...In a hostile environment, sensor nodes may be compromised and then be used to launch various attacks. One severe attack is false data injection which is becoming a serious threat to wireless sensor networks. An attacker uses the compromised node to flood the network and exhaust network resources by injecting a large number of bogus packets. In this paper, we study how to locate the attack node using a framework of packet marking and packet logging. We propose a combined packet marking and logging scheme for traceback (CPMLT). In CPMLT, one packet can be marked by up to M nodes, each node marks a packet with certain probability. When one packet is marked by M nodes, the next marking node will log this packet. Through combining packet marking and logging, we can reconstruct the entire attack path to locate the attack node by collecting enough packets. In our simulation, CPMLT achieves fast traceback with little logging overhead.展开更多
In the design and construction process of Next Generation Internet, it is important to identify the source of each IP packet forwarding accurately, especially for the support of precise fine-grained management,control...In the design and construction process of Next Generation Internet, it is important to identify the source of each IP packet forwarding accurately, especially for the support of precise fine-grained management,control, traceability and improving the trustworthiness of the Internet. This paper designed a scalable Network Identity(NID) scheme for the Internet users, proposed NIDTGA(Network Identity and Time Generated Address), an IPv6 address generation algorithm embedded NID and time information, then designed and implemented an IPv6 address generation and traceback system based on NIDTGA. The design of NIDTGA, which reflects the length, time and owner attributes of the IP address, can be a good support to ADN(Address Driven Network). At the same time, by embedding the key elements of user identity and time in the IPv6 address,and by taking into account both the traceability and privacy, NIDTGA can provide a technical basis for the establishment of the network trust mechanism, and achieve the traceability of security event.展开更多
A novel deterministic packet marking (DPM) for IP traceback against denial of service (DOS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In th...A novel deterministic packet marking (DPM) for IP traceback against denial of service (DOS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a Hash of its IP address and splits the Hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marked router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too much packets are required to recover a router and high false positive rate occurs in case of large-scale DDoS. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.展开更多
The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet control message protocol (ICMP) traceback (iTrace) methods, a packet track and t...The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet control message protocol (ICMP) traceback (iTrace) methods, a packet track and traceback mechanism is proposed, which features rapid response and high accuracy. In this scheme, routers apply packet marking scheme and send traceback messages, which enables the victim to design the path tree in peace time. During attack times the victim can trace attackers back within the path tree and perform rapid packet filtering using the marking in each packet. Traceback messages overcome Pi's limitation, wherein too much path information is lost in path identifiers; whereas path identifiers can be used to expedite the design of the path-tree, which reduces the high overhead in iTrace. Therefore, our scheme not only synthesizes the advantages but also compromises the disadvantages of the above two methods. Simulation results with NS-2 show the validity of our scheme.展开更多
攻击者溯源对于维护工业控制系统(Industrial Control System,ICS)安全十分重要。通过部署分布式工控蜜罐,收集工控恶意流量,提出基于CNN-LSTM的工控协议同源攻击检测方法,运用CNN和基于注意力机制的LSTM对数据包和流量特征进行学习,根...攻击者溯源对于维护工业控制系统(Industrial Control System,ICS)安全十分重要。通过部署分布式工控蜜罐,收集工控恶意流量,提出基于CNN-LSTM的工控协议同源攻击检测方法,运用CNN和基于注意力机制的LSTM对数据包和流量特征进行学习,根据BP反向传播算法对模型进行迭代寻优分类。模型相比较其他方法,具有更高的准确率和F值,对处理离线工控蜜罐数据具有相当的优势,准确率达到93.7%;找到包括Shodan、Cencys这类知名设备搜索引擎在内的10个组织,涉及到的IP节点超过200个。展开更多
文摘The technique of IP traceback may effectively block DOS (Denial Of Service) and meet the requirement of the computer forensic, but its accuracy depends upon that condition that each node in the Internet must support IP packet marking or detected agents. So far, this requirement is not satisfied. On the basis of traditional traceroute,this paper investigates the efficiency of discovering path methods from aspects of the size and order of detecting packets, and the length of paths.It points out that the size of padding in probed packets has a slight effect on discovering latency, and the latency with the method of bulk sending receiving is much smaller than one with the traditional traceroute. Moreover, the loss rate of packets with the technique of TTL (Time To Live) which increases monotonously is less than that with the technique of TTL which decreases monotonously. Lastly,OS (Operating System) passive fingerprint is used as heuristic to predict the length of the discovered path so as to reduce disturbance in network traffic.
文摘Due to constrained resources, DDoS attack is one of the biggest threats to MANET. IP traceback technique is useful to defend against such type of attacks, since it can identify the attack sources. Several types of traceback schemes have been proposed for wired networks. Among all the existing schemes, probabilistic packet marking (PPM) scheme might be the most promising scheme for MANET. However its performance in MANET is not as good as that in Internet. In this paper, a new scheme based on the codingtechnique (CT) is proposed for traceback in MANET. Furthermore, a new idea of Incremental traceback is raised to cope with the situation of incremental attack (ICT). We present the protocol design and conduct theoretical analysis of this scheme. Additionally, we conduct experiments to compare it with the traditional PPM scheme. The experimental results show that the new coding-based traceback scheme outperforms the PPM scheme in MANET.
文摘In a hostile environment, sensor nodes may be compromised and then be used to launch various attacks. One severe attack is false data injection which is becoming a serious threat to wireless sensor networks. An attacker uses the compromised node to flood the network and exhaust network resources by injecting a large number of bogus packets. In this paper, we study how to locate the attack node using a framework of packet marking and packet logging. We propose a combined packet marking and logging scheme for traceback (CPMLT). In CPMLT, one packet can be marked by up to M nodes, each node marks a packet with certain probability. When one packet is marked by M nodes, the next marking node will log this packet. Through combining packet marking and logging, we can reconstruct the entire attack path to locate the attack node by collecting enough packets. In our simulation, CPMLT achieves fast traceback with little logging overhead.
基金supported by National Natural Science Foundation of China(Grant No.NSFC61402257)National Basic Research Program of China(973 Program)(Grant Nos.2009CB320500+1 种基金2009CB320501)Tsinghua University Self-determined Project(No.2014z21051)
文摘In the design and construction process of Next Generation Internet, it is important to identify the source of each IP packet forwarding accurately, especially for the support of precise fine-grained management,control, traceability and improving the trustworthiness of the Internet. This paper designed a scalable Network Identity(NID) scheme for the Internet users, proposed NIDTGA(Network Identity and Time Generated Address), an IPv6 address generation algorithm embedded NID and time information, then designed and implemented an IPv6 address generation and traceback system based on NIDTGA. The design of NIDTGA, which reflects the length, time and owner attributes of the IP address, can be a good support to ADN(Address Driven Network). At the same time, by embedding the key elements of user identity and time in the IPv6 address,and by taking into account both the traceability and privacy, NIDTGA can provide a technical basis for the establishment of the network trust mechanism, and achieve the traceability of security event.
基金supported by the Hi-Tech Research and Development Program of China (2009AA01Z433)
文摘A novel deterministic packet marking (DPM) for IP traceback against denial of service (DOS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a Hash of its IP address and splits the Hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marked router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too much packets are required to recover a router and high false positive rate occurs in case of large-scale DDoS. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.
基金the National Natural Science Foundation of China (60273091)Blue Project in Nanjing University of Posts and Telecommunications (NY207118)
文摘The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet control message protocol (ICMP) traceback (iTrace) methods, a packet track and traceback mechanism is proposed, which features rapid response and high accuracy. In this scheme, routers apply packet marking scheme and send traceback messages, which enables the victim to design the path tree in peace time. During attack times the victim can trace attackers back within the path tree and perform rapid packet filtering using the marking in each packet. Traceback messages overcome Pi's limitation, wherein too much path information is lost in path identifiers; whereas path identifiers can be used to expedite the design of the path-tree, which reduces the high overhead in iTrace. Therefore, our scheme not only synthesizes the advantages but also compromises the disadvantages of the above two methods. Simulation results with NS-2 show the validity of our scheme.
文摘攻击者溯源对于维护工业控制系统(Industrial Control System,ICS)安全十分重要。通过部署分布式工控蜜罐,收集工控恶意流量,提出基于CNN-LSTM的工控协议同源攻击检测方法,运用CNN和基于注意力机制的LSTM对数据包和流量特征进行学习,根据BP反向传播算法对模型进行迭代寻优分类。模型相比较其他方法,具有更高的准确率和F值,对处理离线工控蜜罐数据具有相当的优势,准确率达到93.7%;找到包括Shodan、Cencys这类知名设备搜索引擎在内的10个组织,涉及到的IP节点超过200个。
