This paper presents a mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-att...This paper presents a mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. The SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average (EWMA) method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.展开更多
LDoS (Low-rate Denial of Service) attack, exploiting the flaws in the congestion avoidance mechanism of TCP protocol,is periodic, stealthy, and with high efficiency. Since BGP uses TCP as a transport protocol, it is...LDoS (Low-rate Denial of Service) attack, exploiting the flaws in the congestion avoidance mechanism of TCP protocol,is periodic, stealthy, and with high efficiency. Since BGP uses TCP as a transport protocol, it is subject to LDoS attacks as well. LDoS attacks can cause table reset, route flapping of BGP protocol. A deliberately constructed distributed low-rate DOS attacks can even generate surge of updates throughout the Internet. In this paper, we investigate the promotion of attack efficiency of this novel attack, and then propose an attack model to simulate the LDoS attack. Experiments prove that this attack model can exponentially lower the attack costs and improve the attack effect.展开更多
Denial of Service Distributed Denial of Service (DOS) attack, especially (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in ...Denial of Service Distributed Denial of Service (DOS) attack, especially (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in the behaviors of the network and can not deal with the problem exactly. In this paper, we start from the security of the protocol, then we propose a novel theory for security protocol analysis of Denial of Service in order to deal with the DoS attack. We first introduce the conception of weighted graph to extend the strand space model, then we extend the penetrator model and define the goal of anti-DoS attack through the conception of the DoS-stop protocol, finally we propose two kinds of DoS test model and erect the novel formal theory for security protocol analysis of Denial of Service. Our new formal theory is applied in two example protocols. It is proved that the Internet key exchange (IKE) easily suffers from the DoS attacks, and the efficient DoS- resistant secure key exchange protocol (JFK) is resistant against DoS attack for the server, respectively.展开更多
基金TheNationalHighTechnologyResearchandDevelopmentProgramofChina(863Program) (No .2 0 0 2AA14 5 0 90 )
文摘This paper presents a mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. The SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average (EWMA) method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.
文摘LDoS (Low-rate Denial of Service) attack, exploiting the flaws in the congestion avoidance mechanism of TCP protocol,is periodic, stealthy, and with high efficiency. Since BGP uses TCP as a transport protocol, it is subject to LDoS attacks as well. LDoS attacks can cause table reset, route flapping of BGP protocol. A deliberately constructed distributed low-rate DOS attacks can even generate surge of updates throughout the Internet. In this paper, we investigate the promotion of attack efficiency of this novel attack, and then propose an attack model to simulate the LDoS attack. Experiments prove that this attack model can exponentially lower the attack costs and improve the attack effect.
基金This work is supported by National Natural Science Foundation of China under contract 60902008.
文摘Denial of Service Distributed Denial of Service (DOS) attack, especially (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in the behaviors of the network and can not deal with the problem exactly. In this paper, we start from the security of the protocol, then we propose a novel theory for security protocol analysis of Denial of Service in order to deal with the DoS attack. We first introduce the conception of weighted graph to extend the strand space model, then we extend the penetrator model and define the goal of anti-DoS attack through the conception of the DoS-stop protocol, finally we propose two kinds of DoS test model and erect the novel formal theory for security protocol analysis of Denial of Service. Our new formal theory is applied in two example protocols. It is proved that the Internet key exchange (IKE) easily suffers from the DoS attacks, and the efficient DoS- resistant secure key exchange protocol (JFK) is resistant against DoS attack for the server, respectively.
