基于流量行为的DDoS检测系统

针对传统攻击检测算法不能实时识别攻击源和受害者的问题,基于对单用户流量行为的分析,设计实现一种实时的DDoS洪流攻击检测和防御系统。通过周期性地检测每个用户发送和接收的流量,判断其是否满足TCP和UDP协议行为的时间同步性,从而有效识别攻击者、受害者和正常用户,并且实时过滤攻击流量和转发正常流量。测试结果表明,该系统能够在攻击早期实时地检测出攻击者并过滤其流量,防御效果明显。     

基于自治域边界反馈的分布式DDoS防御方法

给出一种基于自治域边界反馈的DDoS防御方法,实现在自治域边界接近攻击源端阻挡入侵流量。在攻击时,通过在被攻击端测量攻击流量并向边界路由器提供反馈,使得自治域边界处能有效地过滤恶意流量。实验表明,该方法可有效保证合法流量的存活率,保护被攻击机不被DDoS攻击干扰。     

IPv6下基于改进的SPIE源追踪方案

源追踪技术提供对真实攻击来源的有效追踪,有利于实时阻断、隔离DDoS等网络攻击。目前的源追踪方法大多是使用IPv4包头中很少使用的16位标识域保存经过的路由器信息,不适用于IPv6环境。本文提出一种IPv6下基于改进的SPIE源追踪方案。该方法利用路由器,使用Bloom filters数据结构保存转发的数据包的摘要,减少了耗费的存储空间,同时时保护了数据包的机密性;它不但适合DDoS攻击的源追踪,还能进行单个数据包的源追踪。     

基于路由器的DDoS攻击防御系统的设计

针对分布式拒绝服务攻击设计了一种基于路由器的DDoS攻击防御系统。它具有检测响应及时的优点。不但能保护受害者以及合法用户的请求，还能在受害者遭受攻击时保护攻击源与受害者之间的网络带宽资源，从而改善网络性能。模拟实验验证了系统中检测控制方法的有效性。     

基于数据包标记的伪造IP DDoS攻击防御

提出一种基于数据包标记的伪造IP DDoS攻击防御方案,该方案在IP数据包中嵌入一个路径相关的16位标识,通过检测标识计数器临界值判断是否发生了DDoS攻击,对伪造地址的IP数据包进行过滤,达到对DDoS攻击进行有效防御的目的。仿真实验表明,该方案对于伪造的IP数据包具有较高的识别率。     

一种改进的DDoS攻击综合防御系统*

为了在IPv4网络下进一步提高防御DDoS攻击的实时性,提出DDoS防御系统的构想,将客户端防御系统与自适应包标记有效地结合起来,既可以检测防御DDoS攻击,又可以进行追踪攻击源;同时提出一个新的标记方案,该方案利用了TTL域和改进的自适应包标记的方法。与其他标记方法相比,其具有灵活性好、误报率低、计算量小的优点。经验证该系统用较少的数据包即可重构攻击路径,在最大限度上降低了攻击造成的损失。     

基于模糊聚类的DDoS攻击防御模型

在决策领域,模糊方法往往更加合理,同时能够提供更多的决策信息.针对常见的DDoS攻击,在分析DDoS攻击包特点的基础上,提出一种基于模糊模式识别的攻击防御模型,该模型建立两个模糊集,计算两个模糊集的模糊相似度,判断当前数据包是否正常,从而实现异常数据包的过滤.经实验证明,该方法能有效的过滤DDoS攻击包,同时具有较好的自适应性和自学习性.     

一种IPv6环境下DDoS实时检测方法

DDoS攻击是当今网络包括下一代网络IPv6中最严重的威胁之一,提出一种基于流量自相似的IPv6的实时检测方法。分别采用改进的WinPcap实现流数据的实时捕获和监测,和将Whittle ML方法首次应用于DDoS攻击检测。针对Hurst估值方法的选择和引入DDoS攻击流的网络进行对比仿真实验,结果表明:Hurst估值相对误差,Whittle ML方法比小波变换减少0.07%;检测到攻击的误差只有0.042%,准确性达99.6%;增强了DDoS攻击检测的成功率和敏感度。     

基于边界网关的自适应DDoS攻击防御策略

传统基于主机的防御无法应对分布式拒绝服务(DDoS)攻击对整个自治系统的冲击.提出了双过滤并行净化网络方案、基于自治系统的自适应概率包标记方案和基于源地址验证的单播反向路径转发策略,形成了基于边界网关的DDoS攻击防御体系,提高了包标记方案的效率,简化了防御部署.实验验证了该防御体系的有效性.     

IPv6网络中基于MF-DL的DDoS攻击快速防御机制

当前,分布式拒绝服务(Distributed Denial of Service,DDoS)攻击是互联网面临的十分严峻的安全威胁之一.IPv6网络考虑了IPv4网络中的诸多安全问题,但它对DDoS攻击仍未能起到很好的防护作用.针对IPv6网络中DDoS攻击的防御问题,本文设计了一种基于MF-DL(Membership Function and Deep Learning)的DDoS快速防御机制.该防御机制以MF-DL检测机制为核心,辅以响应机制等实现对DDoS攻击的防御功能.在检测机制中,首先使用基于隶属度函数的预检测方法,实现对网络流量数据的轻量级异常检测;接着通过基于深度学习方法中神经网络模型的深度检测,实现在异常发生后对流量进行高精度分类.在响应机制中,利用Anti-Fre响应算法实现对请求访问的IP地址进行信誉等级划分,进而实现流量定向阻断并恢复系统性能.最后,分别基于经典入侵检测数据集和校园网的模拟攻击数据集对本文提出的防御机制进行了实验.结果显示,本文提出的防御机制相比于三种对比算法,检测准确率可提高6.2％,误报率和漏报率可降低6.75％、8.46％,且能够有效处理攻击并恢复部分系统性能.     

Monitoring the macroscopic effect of DDoS flooding attacks

Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such monitoring enables DDoS attack detection without any traffic observation in the victim network.     

IPv6中的DoS/DDoS攻击流量突发检测算法

IPv6下的安全体系结构IPSec对IPv6网络的安全起到了一定的作用,但是它对某些特殊攻击的防范,例如泛洪DoS/DDoS攻击,却无能为力。该文通过对IPv6中泛洪DoS/DDoS攻击发生时的流量特征的分析,对基于网络流量突发变化的DoS/DDoS攻击检测算法在IPv6下的应用进行研究,分别用Matlab和NS-2对算法进行有效性和可行性验证。结果表明,突发流量检测算法在IPv6环境中运行良好。     

检测使用Web反射器的攻击

攻击者在大规模DDoS网络攻击中使用反射器向受害者发送洪水包,Web服务器被攻击者利用为TCP反射器不仅加剧了网络攻击的程度,也消耗了正常Web服务资源。分析了Web反射器所在网络的入出口流量特点,以及攻击者利用Web反射器发起攻击时的数据包特性,利用流入和流出反射器网络TCP数据包的特性,通过对网络流量的异常统计检测和实时在线分析来检测Web反射器。模拟实验表明,可以检测出利用Web服务器进行的大规模DRDoS攻击。     

Feature Selection for Detecting ICMPv6-Based DDoS Attacks Using Binary Flower Pollination Algorithm

Internet Protocol version 6 (IPv6) is the latest version of IP that goal to host 3.4 × 10³⁸ unique IP addresses of devices in the network. IPv6 has introduced new features like Neighbour Discovery Protocol (NDP) and Address Auto-configuration Scheme. IPv6 needed several protocols like the Address Auto-configuration Scheme and Internet Control Message Protocol (ICMPv6). IPv6 is vulnerable to numerous attacks like Denial of Service (DoS) and Distributed Denial of Service (DDoS) which is one of the most dangerous attacks executed through ICMPv6 messages that impose security and financial implications. Therefore, an Intrusion Detection System (IDS) is a monitoring system of the security of a network that detects suspicious activities and deals with a massive amount of data comprised of repetitive and inappropriate features which affect the detection rate. A feature selection (FS) technique helps to reduce the computation time and complexity by selecting the optimum subset of features. This paper proposes a method for detecting DDoS flooding attacks (FA) based on ICMPv6 messages using a Binary Flower Pollination Algorithm (BFPA-FA). The proposed method (BFPA-FA) employs FS technology with a support vector machine (SVM) to identify the most relevant, influential features. Moreover, The ICMPv6-DDoS dataset was used to demonstrate the effectiveness of the proposed method through different attack scenarios. The results show that the proposed method BFPA-FA achieved the best accuracy rate (97.96%) for the ICMPv6 DDoS detection with a reduced number of features (9) to half the total (19) features. The proven proposed method BFPA-FA is effective in the ICMPv6 DDoS attacks via IDS.     

Distributed Denial of Service (DDoS) detection by traffic pattern analysis

In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.     

IPv6隧道代理机制中的DDoS攻击安全性分析

DDoS攻击是当今IPv4网络上最严重的威胁之一,IPv6网络在安全性方面的设计十分优越,但由IPv4过渡到IPv6网络还需要一些转换机制,本文对转换机制中存在的安全问题进行了介绍,并着重分析了TunnelBroker(隧道代理)机制下的DDoS攻击。     

IPv6的DoS／DDoS攻击及防御

IPv6无疑要比IPv4更加安全,但其本身就不是认证加密所能解决,而且就目前来看IPsec的大规模应用还有许多问题需要解决。本文详细分析了IPv6网络的DoS／DDoS攻击并针对IPV6可能面临的各种形式的拒绝服务攻击展开了讨论。