| Graduate student: | 張振宏 Chang, Chen-hong |
|---|---|
| Thesis title: | A Statistics-based Fuzzy Flow Control Scheme for DDoS Defense |
| Advisor: | 林輝堂 Lin, Hui-tang |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2007 |
| Academic year of graduation: | 95 |
| Language: | Chinese |
| Number of pages: | 58 |
| Keywords (Chinese): | Fuzzy control, distributed denial-of-service attack, flow control |
| Keywords (English): | Fuzzy Control, Distributed Denial of Service, Flow Control |
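The rise of Distributed Denial of Service (DDoS) attacks poses a serious threat to the performance of the Internet. In recent years, statistics-based defense mechanisms have been proposed and widely used to resist DDoS attacks. Traditional statistics-based defenses can detect and defend against DDoS with less human intervention, but their greatest challenge is how to build a suitable model of normal behavior while network attacks are present. This thesis therefore proposes a flow differentiation method that is based on statistics and combined with fuzzy control. The method removes the drawback of traditional statistics-based DDoS defenses, which must build a normal packet behavior model or statistical data in advance before any comparison can be made, and it provides an on-line, real-time traffic management mechanism that adjusts dynamically when a DDoS attack occurs. Simulation results show that the proposed SFFC mechanism effectively suppresses DDoS attack flows and reduces the impact of misclassification on normal flows.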
The proliferation of Distributed Denial-of-Service (DDoS) attacks on the Internet has led to a severe threat to network performance. In general, the statistics-based DDoS detection approach is regarded as a countermeasure against DDoS attacks that does not require human intervention. However, such approaches need prepared clean baseline profiles for DDoS traffic differentiation. Accordingly, this study proposes a statistics-based DDoS detection and reaction scheme based on fuzzy flow control to mitigate the damage of DDoS attacks. The major advantage of the proposed scheme is that it eliminates the requirement for clean baseline profiles and thus provides an on-line, real-time mechanism for traffic flow management. The numerical results reveal that the proposed SFFC scheme regulates the irresponsible flows while remaining fair to other active flows in terms of bandwidth consumption.