
Assessing the Vulnerability of Network Devices to Sophisticated DDoS Attacks

Ashutosh Bajpei, Prof. Geetika 纳
Computer Networks, Sinhgad Institute of Technology, Lonavala, Pune, MH, India.

Published in the International Journal of Innovative Research in Computer and Communication Engineering.

ABSTRACT

Distributed denial of service (DDoS) is a rapidly growing problem. The multitude and variety of both attacks and defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and of the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies, which define the challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions determine the advantages and deficiencies of the proposed solutions.

INTRODUCTION

Distributed denial-of-service (DDoS) attacks on the Internet pose an immense threat, and many defense mechanisms have been proposed to combat the problem. Attackers constantly modify their tools to bypass these security systems, and researchers in turn modify their approaches to handle new attacks. The DDoS field is quickly becoming more and more complex, and has reached the point where it is difficult to see the forest for the trees. On one hand, this hinders an understanding of the DDoS phenomenon: the variety of known attacks creates the impression that the problem space is vast, and hard to explore and address. On the other hand, current defense systems deploy various strategies to counter the problem, and it is difficult to assess their similarities and differences, to measure their effectiveness and cost, and to compare them to each other.

This paper proposes a taxonomy of DDoS attacks and a taxonomy of DDoS defense systems. Together they structure the DDoS arena and facilitate a global view of the problem and solution space. By setting apart and highlighting crucial features of attack and defense mechanisms, while abstracting detailed differences, these taxonomies can be used by researchers to answer many important questions: What are the different ways of perpetrating a DDoS attack? Why is DDoS a difficult problem to handle? What attacks have been handled effectively by existing defense systems? What attacks still remain unaddressed and why? Given two defense mechanisms, A and B, how would they perform if attack C occurred? What are their vulnerabilities? Can they complement each other, and how? Are there some deployment points that are better suited for A than for B, and vice versa? How can I contribute to the DDoS field?

The proposed taxonomies are complete in the following sense: the attack taxonomy covers known attacks and also those which have not yet appeared but are realistic potential threats that would affect current defense mechanisms; the defense system taxonomy covers not only published approaches but also some commercial approaches that are sufficiently documented to be analyzed. Along with the classification, we provide representative examples of existing mechanisms. We do not claim that these taxonomies are as detailed as possible. Many classes could be divided into several deeper levels. Also, new attack and defense mechanisms are likely to appear, thus adding new classes to the ones we propose. Our goal was to select several important features of attack and defense mechanisms that might help researchers design innovative solutions, and to use these features as classification criteria. It was also important not to confuse the reader with a too elaborate and detailed taxonomy. It is our hope that our work will be further extended by other researchers.

We also do not claim that the classes divide attacks and defenses in an exclusive manner, i.e. that an instance of an attack or a particular defense system must be classified into a single class based on a given criterion. It is possible for an attack or defense to be comprised of several mechanisms, each of them belonging to a different class.

The complexity and depth of the proposed taxonomies are not suitable for a traditional numbering of headings: numbers would quickly become too elaborate to follow. We therefore present a customized marking (numbering) of subsection headings in Sections 3 and 5. Each classification criterion is marked by abbreviating its name. Attack classes under this criterion are marked by the criterion abbreviation and a number, connected by a dash. To indicate the depth of a specific criterion or class in the taxonomy, the complete mark of a subsection is generated by traversing the taxonomies depicted in Figure 1 and Figure 2, from the root to the object in question, concatenating levels with a colon.

LITERATURE SURVEY

A denial-of-service attack is characterized by an explicit attempt by an attacker to prevent legitimate users from using a service [14]. A distributed denial-of-service attack deploys multiple attacking entities to attain this goal. This paper is solely concerned with DDoS attacks in the computer realm, perpetrated by causing the victim to receive malicious traffic and to suffer some damage as a consequence. One frequently exercised way to perform a DDoS attack is for the attacker to send a stream of packets to a victim; this stream consumes some key resource, thus rendering it unavailable to the victim's legitimate clients. Another common approach is for the attacker to send a few malformed packets that confuse an application or a protocol on the victim machine and force it to freeze or reboot. In September 2002 there was an onset of attacks that overloaded the Internet infrastructure rather than targeting specific victims [5]. Yet another possible way to deny service is to subvert machines in the victim's network and consume some key resource there, so that legitimate clients from the same network cannot obtain some inside or outside service. This list is far from exhaustive. There are certainly many other ways to deny service on the Internet, some of which we cannot predict, and these will only be discovered after they have been exercised in a large-scale attack.

What makes DDoS attacks possible? The current Internet design focuses on effectiveness in moving packets from the source to the destination. This design follows the end-to-end paradigm: the intermediate network provides the bare-minimum, best-effort packet forwarding service, leaving to the sender and the receiver the deployment of advanced protocols to achieve desired service guarantees such as quality of service, reliable and robust transport, or security. The end-to-end paradigm pushes the complexity to the end hosts, leaving the intermediate network simple and optimized for packet forwarding. There is one unfortunate implication. If one party in a two-way communication (sender or receiver) misbehaves, it can do arbitrary damage to its peer. No one in the intermediate network will step in and stop it, since the Internet is not designed to police traffic. One consequence of this policy is the presence of IP spoofing. Another consequence is DDoS attacks. The Internet design raises several security issues concerning opportunities for DDoS attacks:

Internet security is highly interdependent. DDoS attacks are commonly launched from systems that are subverted through security-related compromises. Regardless of how well secured the victim system may be, its susceptibility to DDoS attacks depends on the state of security in the rest of the global Internet [21].

Internet resources are limited. Each Internet entity (host, network, service) has limited resources that can be consumed by too many users.

Intelligence and resources are not collocated. The end-to-end communication paradigm led to storing most of the intelligence needed for service guarantees with the end hosts, limiting the amount of processing in the intermediate network so that packets could be forwarded quickly and at minimal cost. At the same time, a desire for high throughput led to the design of high-bandwidth pathways in the intermediate network, while the end networks invested in only as much bandwidth as they thought they might need. Thus, malicious clients can misuse the abundant resources of the unwitting intermediate network to deliver numerous messages to a less provisioned victim.

Accountability is not enforced. IP spoofing gives attackers a powerful mechanism to escape accountability for their actions, and sometimes even the means to perpetrate attacks (reflector attacks [59], such as the Smurf attack [10]).

SYSTEM ARCHITECTURE

The statistical approach summarizes normal network behaviour; traffic that deviates from the norm is then flagged as anomalous. The approach is used to learn the traffic patterns of a particular network. By examining network traffic and processing the information with various statistical procedures, the system looks for deviations from the established pattern of normal network traffic. Every packet is assigned an anomaly score; if the anomaly score is higher than a certain threshold, the intrusion detection system generates an alert.
This approach has a number of advantages. It is able to detect new and previously unseen attacks such as denial-of-service attacks or worms. It is also able to notice low-intensity, slow-paced attacks. Another major advantage of this approach is that it may be easier to maintain than rule-based methods, since there are no signatures to maintain and update. The fundamental problem with this type of approach is choosing the right threshold value: both false positives and false negatives stem from this value. If the threshold is set too low, the false positive rate rises; if it is set too high, genuinely anomalous behaviour goes undetected and the number of false negatives increases.
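The threshold trade-off described above, as an added example (not code from the paper): a baseline of mean and standard deviation is learned from constructed "normal" request rates, each new observation gets a z-score as its anomaly score, and a sweep over candidate thresholds shows how false positives fall and false negatives rise as the threshold is raised. All numbers are hypothetical.

```python
import statistics
from typing import Iterable, Tuple

# Constructed baseline: requests per second observed on a quiet link during
# training. Hypothetical values, not measurements from the paper.
NORMAL_RATES = [98, 103, 97, 101, 99, 104, 96, 100, 102, 98, 101, 99]

# Constructed, labelled evaluation windows: (requests per second, is_attack).
# The last entry is a low-rate attack that hides inside the normal range.
EVAL_WINDOWS = [(100, False), (106, False), (112, False),
                (160, True), (450, True), (104, True)]


def build_baseline(samples: Iterable[float]) -> Tuple[float, float]:
    """Summarise normal behaviour as (mean, population standard deviation)."""
    data = list(samples)
    return statistics.mean(data), statistics.pstdev(data)


def anomaly_score(value: float, baseline: Tuple[float, float]) -> float:
    """Distance of one observation from the baseline, in standard deviations."""
    mean, std = baseline
    if std == 0:
        return 0.0 if value == mean else float("inf")
    return abs(value - mean) / std


def is_anomalous(value: float, baseline: Tuple[float, float], threshold: float) -> bool:
    """Raise an alert when the anomaly score exceeds the configured threshold."""
    return anomaly_score(value, baseline) > threshold


def evaluate(windows, baseline, threshold) -> Tuple[int, int]:
    """Count (false positives, false negatives) over labelled windows."""
    fp = fn = 0
    for rate, is_attack in windows:
        flagged = is_anomalous(rate, baseline, threshold)
        if flagged and not is_attack:
            fp += 1
        if not flagged and is_attack:
            fn += 1
    return fp, fn


def threshold_sweep(windows, baseline, thresholds):
    """Map each candidate threshold to its (FP, FN) counts to expose the trade-off."""
    return {t: evaluate(windows, baseline, t) for t in thresholds}


if __name__ == "__main__":
    base = build_baseline(NORMAL_RATES)
    print("baseline mean=%.1f std=%.2f" % base)
    for t, (fp, fn) in threshold_sweep(EVAL_WINDOWS, base, [1, 3, 6]).items():
        print(f"threshold={t}: false positives={fp}, false negatives={fn}")
```

With these inputs a threshold of 1 catches every attack but flags two benign windows, a threshold of 6 flags nothing benign but misses the low-rate attack, and 3 sits in between; no single value removes both error types, which is the point the paragraph makes.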

IMPLEMENTATION

A. Anomaly Detection

The two main approaches commonly used to detect network-based attacks are signature-based detection and anomaly-based detection. Signature-based detection relies on recognizing patterns of known malicious behaviour. Although signatures are precise, they must be kept up to date as attacks evolve; any attack that is not in the signature or pattern database will go unnoticed, a weakness that can be exploited by creating variants of an attack. Anomaly-based detection relies on examining statistical data and detecting deviations from normal activity. A major advantage over signature-based detection, if applied correctly, is the ability to detect variants of known attacks and even entirely new attacks. However, it may also result in malicious activity being absorbed into the baseline of normal activity.

B. Anomaly Detection of Web-based Attacks:

Anomaly detection of web-based attacks is illustrated by the work of Kruegel and Vigna [19]. Their main focus is on detecting attacks associated with the various data inputs, by analyzing the parameters of all request paths. The URI of each request (minus the domain name) is split into three parts: the path, including the resource; the program; and the parameters with their values. A program in this setting, also called a resource, is the last part of the path before the URI parameters begin. Only HTTP GET requests for which the web server returned a success reply code are used. The dataset is further reduced by removing every request that does not contain any query parameters.
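The preprocessing just described, as an added example that is not code from Kruegel and Vigna's work or from this paper: constructed Apache-style access log lines are parsed, only successful GET requests with query parameters are kept, and each URI is split into path, resource and parameters. The scoring step at the end is a simple per-parameter value-length model of my own (a Chebyshev-style bound, so small values mean "anomalous") standing in for the per-parameter models such systems build; it is an assumption, not a description of the paper's models.

```python
import re
from collections import defaultdict
from statistics import mean, pvariance
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed access log lines (hypothetical, not data from the paper).
LOG_LINES = [
    '10.0.0.1 - - [01/Jan/2020:10:00:01 +0000] "GET /app/search.php?q=linux&page=1 HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2020:10:00:02 +0000] "GET /app/search.php?q=kernel&page=2 HTTP/1.1" 200 498',
    '10.0.0.3 - - [01/Jan/2020:10:00:03 +0000] "POST /app/login.php?next=/home HTTP/1.1" 200 120',      # dropped: not GET
    '10.0.0.4 - - [01/Jan/2020:10:00:04 +0000] "GET /app/index.php HTTP/1.1" 200 2048',                 # dropped: no parameters
    '10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET /app/search.php?q=missing&page=9 HTTP/1.1" 404 40',  # dropped: not a success code
    '10.0.0.6 - - [01/Jan/2020:10:00:06 +0000] "GET /app/search.php?q=network&page=3 HTTP/1.1" 200 501',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_request(line: str) -> Optional[Tuple[str, str, int]]:
    """Extract (method, uri, status) from one access log line."""
    m = LOG_RE.search(line)
    return None if m is None else (m["method"], m["uri"], int(m["status"]))


def split_uri(uri: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a URI into path, resource (last path component) and parameters."""
    parts = urlsplit(uri)
    resource = parts.path.rsplit("/", 1)[-1]
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts.path, resource, params


def select_requests(lines: List[str]):
    """Keep only successful GET requests that carry query parameters."""
    kept = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        method, uri, status = parsed
        if method != "GET" or not 200 <= status < 300:
            continue
        path, resource, params = split_uri(uri)
        if not params:
            continue
        kept.append((path, resource, params))
    return kept


class LengthModel:
    """Hypothetical per-(resource, parameter) value-length model."""

    def __init__(self):
        self.lengths = defaultdict(list)

    def train(self, requests):
        for _, resource, params in requests:
            for name, value in params.items():
                self.lengths[(resource, name)].append(len(value))

    def score(self, resource: str, params: Dict[str, str]) -> float:
        """Lowest Chebyshev-style probability over all parameters (0 = most anomalous)."""
        worst = 1.0
        for name, value in params.items():
            hist = self.lengths.get((resource, name))
            if not hist:
                return 0.0  # parameter never seen in training for this resource
            mu, var = mean(hist), pvariance(hist)
            length = len(value)
            if length <= mu:
                p = 1.0
            elif var == 0:
                p = 0.0
            else:
                p = min(1.0, var / (length - mu) ** 2)
            worst = min(worst, p)
        return worst
```

Running `select_requests(LOG_LINES)` keeps three of the six lines; training the model on them and scoring a request whose `q` parameter is hundreds of characters long returns a probability near zero, while a request shaped like the training data scores 1.0.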

C. Spectrogram:

Song et al. [20] describe a scheme that likewise examines individual HTTP requests, but operates at a lower level. The main differences are that both HTTP GET and HTTP POST requests are examined, and that the entire request path, including the query parameters, is treated as a single object. For POST requests, the request body containing the POST data is used as well. The scheme uses a mixture of n-grams and Markov chains to compute an anomaly score for the specific request: the given string is scanned and the probability of the observed sequence of characters occurring in that string is computed. Expectation maximization is used to find the best settings for the gram size and the number of Markov chains during the training phase. The Spectrogram scheme was tested on web servers using real data collected from two universities over one month. These servers hosted the pages of various computer science departments and the personal homepages of academics, both of which can be attractive targets for attackers. The collected data was normalized by URL-decoding, removing whitespace, and converting all characters to lowercase. A manual review of the data ensures that the dataset does not contain attacks of any kind. Finally, all identical requests are removed to avoid creating a bias towards requests that occur more frequently than others. The resulting dataset was then used to train the model. The attack data includes remote file inclusion attacks, JavaScript and XSS attacks, SQL injection, and many unique shell code examples. The results were generally quite good, with excellent results in detecting worms, shell code attacks, SQL injection and XSS attacks.
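The normalization and character-level scoring idea described above, as an added example that is not Spectrogram's code or the paper's: constructed benign requests are URL-decoded, stripped of whitespace, lowercased and de-duplicated, then a single character bigram Markov chain with add-one smoothing is trained on them and scores new requests by mean log-probability per transition. Spectrogram uses a mixture of chains and tunes the gram size and chain count with EM; a single fixed-order chain is a simplification chosen here to keep the mechanics visible.

```python
import math
from collections import defaultdict
from urllib.parse import unquote

# Constructed benign training requests (hypothetical, not the paper's dataset).
TRAIN_REQUESTS = [
    "/app/search.php?q=linux&page=1",
    "/app/search.php?q=kernel&page=2",
    "/App/Search.php?q=Kernel&page=2",     # identical to the line above after normalisation
    "/app/search.php?q=network%20stack&page=3",
    "/app/search.php?q=kernelpanic&page=4",
    "/app/search.php?q=networking&page=5",
    "/app/view.php?id=42&sort=date",
    "/app/view.php?id=7&sort=name",
    "/app/profile.php?user=alice&tab=posts",
    "/app/profile.php?user=bob&tab=about",
]


def normalize(request: str) -> str:
    """URL-decode, remove whitespace and lowercase, as done before training."""
    decoded = unquote(request)
    return "".join(ch for ch in decoded if not ch.isspace()).lower()


def dedupe(requests):
    """Normalise and drop identical requests so frequent ones do not bias the model."""
    seen, unique = set(), []
    for r in map(normalize, requests):
        if r not in seen:
            seen.add(r)
            unique.append(r)
    return unique


class NGramMarkov:
    """Character-level Markov chain of order n-1 with add-one smoothing."""

    def __init__(self, n: int = 2):
        self.n = n
        self.counts = defaultdict(lambda: defaultdict(int))  # context -> next char -> count
        self.totals = defaultdict(int)                       # context -> total transitions
        self.alphabet = set()

    def _padded(self, s: str) -> str:
        return "^" * (self.n - 1) + s + "$"   # start/end markers

    def train(self, strings):
        for s in strings:
            padded = self._padded(s)
            self.alphabet.update(padded)
            for i in range(self.n - 1, len(padded)):
                ctx, ch = padded[i - self.n + 1:i], padded[i]
                self.counts[ctx][ch] += 1
                self.totals[ctx] += 1

    def log_prob(self, ctx: str, ch: str) -> float:
        """Smoothed P(ch | ctx); unseen symbols keep a share of the probability mass."""
        vocab = len(self.alphabet) + 1
        count = self.counts.get(ctx, {}).get(ch, 0)
        return math.log((count + 1) / (self.totals.get(ctx, 0) + vocab))

    def score(self, request: str) -> float:
        """Mean log-probability per transition; lower values are more anomalous."""
        s = self._padded(normalize(request))
        lps = [self.log_prob(s[i - self.n + 1:i], s[i]) for i in range(self.n - 1, len(s))]
        return sum(lps) / len(lps)


if __name__ == "__main__":
    model = NGramMarkov(n=2)
    model.train(dedupe(TRAIN_REQUESTS))
    for req in ["/app/search.php?q=kernel&page=3",
                "/app/search.php?q=%27%20or%201%3D1%20--%20&page=1"]:
        print(f"{model.score(req):.3f}  {req}")
```

An injection-shaped request scores lower than a request that looks like the training data because its transitions (quote characters, `--`, digits adjacent to `=`) were never observed; an operator would set the alert threshold on this score exactly as in the statistical scheme discussed earlier.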

D. Detecting Anomalous and Unknown Intrusions against Programs:

Using a neural network to detect malicious activity was proposed by Ghosh et al. [21]. A back-propagation network was built with a variable number of input nodes, from 8 to 83, a single hidden layer of 125 units, and one output node representing a positive or negative hypothesis for the given input. The input dataset consisted of the data passed to a print program; similarities in the input data are assumed. Like the previous systems, the neural network must be trained beforehand. Experiments were carried out in two different scenarios: black-box testing, in which the authors used only the data passed to the program, with no access to the program's source or internal state; and white-box testing, in which, in addition to the data used in the black-box tests, they used internal program state data, which is available only with access to the program's source code.

E. Flow-based Intrusion Detection

All the approaches considered so far rely on the availability of detailed information about individual requests or network packets. When the information in a request is limited, or when the bulk of the traffic is encrypted, the data these approaches need is not available. Sperotto [22] focuses on flow-based network intrusion detection by observing SSH and DNS data. Since SSH communication is encrypted, an observer cannot detect anomalous behaviour by examining the payload. Instead, packets within a time window are grouped together according to common attributes such as IP addresses, ports and protocol, forming flows. These flows have attributes of their own, independent of the payload of the individual packets, including flows per second, packets per second, bytes per second and the number of packets per flow. In this case, flows per second is used to classify traffic as benign or malicious. A two-state model is built on Markov chains; the two states indicate whether activity (SSH traffic) is observed or the link is idle. The dataset consists of traffic collected from the real University of Twente network. Only benign traffic is used to train the model. Based on this trained model, threshold values can be assigned to traffic flows; classification is then done on these values, with flows exceeding a certain threshold marked as malicious. After training the model, two synthetic and two original datasets are used for testing. The original data is network traffic captured from the University of Twente network. Each of these datasets contains both malicious and normal traffic; for the datasets containing real network traffic, the malicious data is labelled manually. The results differed between the synthetic and the original datasets, being significantly better for the synthetic ones. As mentioned before, there is always a trade-off between a good detection rate and a low false positive rate.
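The flow aggregation and flows-per-second classification described above, as an added example that is not Sperotto's code or the paper's: a constructed packet trace (one interactive SSH session, then a host opening single-packet connections to port 22 on many addresses) is grouped into flows by 5-tuple within fixed time windows, per-window features are computed without looking at any payload, and each window is labelled by comparing flows per second to a threshold. The window length and threshold are hypothetical values chosen for the trace, not figures from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int     # bytes on the wire

FlowKey = Tuple[str, str, int, int, str]


def build_constructed_packets() -> List[Packet]:
    """Constructed trace (hypothetical): seconds 0-10 carry one SSH session in both
    directions; seconds 10-20 carry one source probing port 22 on 60 hosts."""
    pkts = []
    for i in range(40):
        t = i * 0.25
        pkts.append(Packet(t, "10.0.0.5", "10.0.0.10", 51000, 22, "tcp", 120))
        pkts.append(Packet(t + 0.1, "10.0.0.10", "10.0.0.5", 22, 51000, "tcp", 200))
    for i in range(60):
        pkts.append(Packet(10.0 + i * 0.15, "192.0.2.7", f"10.0.0.{i + 1}", 40000 + i, 22, "tcp", 60))
    return pkts


def build_flows(packets: List[Packet], window: float) -> Dict[int, Dict[FlowKey, List[Packet]]]:
    """Group packets into flows (5-tuple) inside fixed-length time windows."""
    windows: Dict[int, Dict[FlowKey, List[Packet]]] = defaultdict(lambda: defaultdict(list))
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        windows[int(p.ts // window)][key].append(p)
    return windows


def window_features(flows: Dict[FlowKey, List[Packet]], window: float) -> Dict[str, float]:
    """Payload-independent flow attributes for one window."""
    n_flows = len(flows)
    n_pkts = sum(len(f) for f in flows.values())
    n_bytes = sum(p.size for f in flows.values() for p in f)
    return {
        "flows_per_sec": n_flows / window,
        "packets_per_sec": n_pkts / window,
        "bytes_per_sec": n_bytes / window,
        "packets_per_flow": n_pkts / n_flows if n_flows else 0.0,
    }


def classify_windows(packets: List[Packet], window: float, flow_rate_threshold: float):
    """Label each window 'malicious' when its flows per second exceed the threshold."""
    result = {}
    for w, flows in sorted(build_flows(packets, window).items()):
        feats = window_features(flows, window)
        label = "malicious" if feats["flows_per_sec"] > flow_rate_threshold else "benign"
        result[w] = (label, feats)
    return result


if __name__ == "__main__":
    for w, (label, feats) in classify_windows(build_constructed_packets(), 10.0, 1.0).items():
        print(w, label, {k: round(v, 2) for k, v in feats.items()})
```

The SSH session produces two long-lived flows (0.2 flows per second, 40 packets per flow) while the probing window produces 60 one-packet flows (6 flows per second), which is what lets the flow rate separate the two without decrypting anything. The threshold itself carries the same false-positive versus detection-rate trade-off the paragraph ends on: lower it and bursts of legitimate short connections get flagged, raise it and slower probing goes unnoticed.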

CONCLUSION

This paper has provided an understanding of statistical anomaly detection in network traffic. A statistical method for analyzing network traffic in order to learn the normal behaviour of the network was studied here. The paper also reviewed flooding attacks. Most of the flooding attacks studied are new types of flooding attack that are more stealthy and cause denial of service with subtler effects, such as low-rate DoS attacks. The paper further discussed a technique for identifying anomalies in network traffic based on an α-stable model and statistical hypothesis testing.
