CN102123136A - Method for identifying DDoS (distributed denial of service) attack flow - Google Patents


Info

Publication number
CN102123136A
Authority
CN
China
Prior art keywords
tree
router
attack
polymerization
bag
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010106058046A
Other languages
Chinese (zh)
Inventor
谢冬青
綦科
周再红
熊伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou University filed Critical Guangzhou University
Priority to CN2010106058046A priority Critical patent/CN102123136A/en
Publication of CN102123136A publication Critical patent/CN102123136A/en
Pending legal-status Critical Current

Abstract

The invention discloses a method for identifying DDoS (distributed denial of service) attack flows that adopts a distributed three-level architecture. An aggregation tree server is set up in each autonomous system. Source-end hosts detect changes in the number of packets arriving at a target address and, once a suspicious situation is found, send an alarm packet to the router connected to the source-end host. The router detects whether an attack exists and whether it is being propagated, determines the number of attacking hosts from the number of local alarm packets received, and after detecting an attack sends an alarm packet carrying the host count as its weight to the local aggregation tree server. Each aggregation tree server constructs a weighted aggregation subtree from the alarm packets, and the victim-end aggregation tree server constructs the whole weighted aggregation domain tree and identifies DDoS attack flows according to set conditions. Experiments show that the method greatly reduces the processing and storage cost at the victim end of a DDoS attack, and because the router side also considers the attack state of the source-end hosts connected to it, missed detections when a large number of attacks pass through only a few routers are avoided.

Description

A distributed DDoS attack flow identification method
Technical field
The invention belongs to the field of network information security and specifically relates to a distributed DDoS attack flow identification method based on an aggregation tree structure.
Background art
DDoS attacks usually use hundreds or even thousands of distributed hosts to attack one or more targets concurrently, consuming the resources of the target host or target network and thereby disrupting or completely blocking service to legitimate users. Because DDoS attacks are easy to launch and hard to trace, they have become widespread and are now a serious threat on the network; the economic loss they cause ranks second among the losses caused by the various network security problems, behind only computer viruses, which rank first.
In the current environment, defences against DDoS attacks fall roughly into three groups: before-the-fact defence based on DDoS detection, during-the-event defence based on mitigation strategies, and after-the-fact defence based on DDoS traceback.
Before-the-fact defence based on DDoS detection usually relies on statistical feature models of network traffic and detects DDoS attacks through various metrics. During-the-event defence based on mitigation strategies usually implements DDoS defence with various security measures. The measures generally include router filtering, disabling IP broadcast, applying security patches, closing unused services, running intrusion detection, and so on. This kind of defence is carried out manually and requires the user to have some security awareness and protection experience, so it is difficult for the large number of new Internet users added each year to carry out.
Traceback-based defence reconstructs the attack path or locates the attack source while the attack is under way or after it has taken place. DDoS attackers usually use forged source IP addresses, which makes tracing very difficult. To find the attack source and to deter and punish malicious DDoS attackers, a series of traceback methods has been proposed, including the logging method, the ICMP method, the pushback method, the CenterTrack method, ingress filtering, input debugging, controlled flooding, packet marking and others, but each method has its own shortcomings.
In the logging method, routers record information about packets as they forward them. The victim end compares the extracted attack packet features with the information in the routers, recovers hop by hop the routers the attack packets passed through, and finally finds the attack source. However, the log information consumes router system resources, and a database is needed to support integration and analysis of the log information, so the burden on routers is heavy. To address this, A. C. Snoeren proposed a digest-based IP traceback method in which every router stores a digest of part of each packet it forwards; the digest covers the invariant fields of the IP header and the first 8 bytes of the payload. To save further storage, the very space-efficient Bloom filter is used and the digests are stored as a bitmap. But because the storage period on a router is very short, a trace query must be carried out within a short time, which is difficult to do during a flooding attack.
For the ICMP method, the earliest proposal was Bellovin's iTrace mechanism. Its basic idea is that a router samples the packets passing through it with a certain probability (1/20k) and generates an ICMP message whose content includes the IP header of the sampled packet, the previous node that forwarded the packet, the next node, the time, and authentication information for the packet; this ICMP packet is then sent to the same destination address as the sampled packet. For a large volume of attack packets, enough ICMP sample packets are produced that the attacked node can construct the attack path from them. Because the probability of sending an ICMP message is very small, thousands of messages are needed to reconstruct the attack path, and for DDoS attacks, where traffic is dispersed, the method is close to ineffective. To locate DDoS reflection attacks, Barros improved the ICMP method so that a router sends the ICMP message to the source host as well as to the destination host. To avoid the case where routers near the attack source, sampling with a small probability, fail to generate enough ICMP information, A. Mankin proposed an intention-driven ICMP mechanism that introduces an intention bit in the router's routing table and forwarding table; a value of 1 indicates that the destination network in that entry needs to receive ICMP messages. This reduces the network traffic burden but requires changes to routing equipment. The ICMP Caddie message technique makes the iCaddie message always follow the packet that triggered it and collect the identity information of the routers along the way; it copes with DDoS attacks fairly well, but the computational overhead grows linearly. The ICMP technique with cumulative path lets routers generate iTrace-CP messages with a certain probability; if a packet and its iTrace-CP message both arrive at the same router, that router generates a new iTrace-CP message and appends its own IP. The computation, storage and network overhead of this technique are all smaller than those of iTrace, and after improvement it has been applied in ad hoc networks.
Pushback is an active, router-based defensive measure. Each router is given detection control and preferential packet-dropping functions so as to find as many bad packets as possible without hindering good packets, solving the congestion caused by DDoS attacks. So that the router's resources are all used by legitimate data flows, upstream routers also need to be notified to drop the attack packets, and the router must be able to describe the features of such packets accurately. Implementing this method requires support for the feature on routers at large scale.
CenterTrack is an overlay network connected to the border routers through physical links, IP tunnels or layer-2 virtual connections. The advantage of this scheme is that it can not only trace attacks but also prevent an attack or reduce its intensity by dropping attack packets. On the other hand, it fails when routers are compromised. If the attacker controls not only the hosts used for the attack but also their border routers, those border routers will not route the attack packets into the tracking network, so the trace fails. Therefore, besides the tracking network itself, the security of the border routers is vital, and guaranteeing the security of all border routers is rather difficult.
Ingress filtering is configured on the border routers of a network to check packets coming from inside; if a packet's source address is not valid, the packet is filtered. Ingress filtering resists IP spoofing effectively, filters out most DDoS attack packets at the source, and makes it easier to trace the source of attack packets. But it requires that routers can distinguish normal from abnormal addresses and have enough time to check the source address of every packet; its overall effect depends on how widely the technique is deployed on routers in the network, and unfortunately most routers at present do not adopt this policy.
Controlled flooding is a traceback technique based on link testing that requires no change to the configuration or functions of existing routers. Using a network topology generated in advance, bursts of traffic are sent to the routers that may lie on the attack path, and the effect on the DDoS attack flow is observed. If the attack traffic received is found to be affected, attack traffic passes through that link. Using the existing topology information, starting from the router closest to the victim machine, all of its upstream links can be tested to find which link carries the attack traffic; the process is then repeated on the next router upstream until the attack source is found. Apart from having to be carried out while the attack is taking place, and therefore being under a tight time constraint, the method itself constitutes a denial-of-service attack. It is suited to a single attack source; for distributed attacks its effect is poor.
Packet marking is the traceback approach that has been studied most. It was first proposed by Savage et al.; the basic idea is that routers write partial path information, with a certain probability, into the packets passing through them. When the victim end receives a large number of attack packets, it collects the path information in the packets and reconstructs the complete path the attack packets travelled. The method needs no cooperation between ISPs and has a low management burden, a small load and good security. Because of these advantages, the Savage scheme has received attention in the traceback field ever since it was proposed, and DDoS researchers in many countries have carried out much further research on this basis, including the advanced authenticated marking scheme, the probabilistic instant polygon IP marking scheme, Huffman encoding schemes, marking schemes based on autonomous system numbers, probabilistic pipelined packet marking, adaptive packet marking, weight-based packet marking, fast Internet traceback and others.
These defence methods are mostly deployed at the victim end. Because attack traffic is very heavy at network nodes close to the victim end, a DDoS attack can still succeed by congesting the network outside the defence system, or even the defence system itself, so deployment at the victim end cannot achieve effective defence against DDoS attacks or a fast response to them.
Summary of the invention
The object of the invention is to address the deficiencies of existing DDoS defence techniques by proposing a distributed DDoS attack flow identification method based on an aggregation tree structure that achieves cooperative cross-domain detection of DDoS attacks. It uses a distributed network structure and relies on cooperation between the aggregation tree servers set up in the autonomous domains of the network to detect and identify DDoS attack flows.
Before the technical solution of the invention is given, the following basic concepts are explained.
CUSUM detection algorithm: the CUSUM detection algorithm is a detection method that does not rely on a definite model. It is in essence a stochastic process analysis method that detects traffic anomalies from the sequence of differences between the network traffic sequence and its expected value. The method has many of the advantages of other sequential and non-parametric detection algorithms. Its computational cost is also very small, so it fully meets the requirements of real-time detection. For a wide range of change-point detection problems, CUSUM is a near-optimal detection algorithm.
Thresholds Tm, β: the thresholds at which the source-end hosts and routers in each autonomous domain send alarm packets. When the set threshold is exceeded, the source-end host or router sends an alarm packet towards the aggregation tree server of the autonomous domain, confirming that an attack flow has been detected at the source-end host or router.
Weighted aggregation tree: every edge (i, j) in the aggregation tree has a corresponding weight w(i, j), whose value is the number of attack sources connected to router i that reach the target through router j. Because an attack source sends an alarm packet to its connected router when it detects a suspicious situation within the monitoring window, a router can determine the number of attack sources connected to it from the number of such alarm packets it receives. Within the monitoring window, the aggregation tree server of a domain constructs the weighted aggregation tree from the alarm packets received from the routers.
Threshold γ: the threshold with which the aggregation tree server in each autonomous domain judges a DDoS attack flow. After the autonomous domain's aggregation tree server constructs the global weighted aggregation domain tree, it computes the weight of the domain tree; if the weight exceeds the set threshold, the autonomous domain is judged to have suffered a DDoS attack.
The object of the invention is achieved as follows: a distributed architecture is adopted, as shown in Fig. 1. The method sets up one aggregation tree server in each autonomous domain and distributes the detection tasks among the source-end hosts, the intra-domain routers and the aggregation tree server of each domain.
First, within a monitoring period, the source-end host uses the CUSUM algorithm to detect changes in the number of packets arriving at a destination address and, on finding a suspicious situation, sends an alarm packet to the router it is connected to. Then the intra-domain router detects, from changes in the superflow, whether an attack exists and whether it is being propagated. At the same time, the router takes the number of attacking hosts as the weight of the edge between itself and its upstream router, determines the number of attacking hosts from the number of local alarm packets received, and after detecting an attack sends an alarm packet containing the host count as its weight to the aggregation tree server of the local domain. Each domain's aggregation tree server constructs a weighted aggregation subtree from the alarm packets, computes the weight of the subtree, and sends the weight together with the domain name to the aggregation tree server of the domain where the victim end is located. The victim-end server constructs the global weighted aggregation domain tree; a successfully constructed three-level aggregation domain tree is shown in Fig. 2. The top-level victim-end aggregation domain tree server computes the weight of the global weighted aggregation domain tree, that is, the sum of the subtree weights sent by the domains; if it exceeds the threshold, a DDoS attack is identified as having occurred.
Compared with the prior art, the invention has the following beneficial effects:
The invention distributes the processing for identifying DDoS attack flows across hosts, routers and aggregation tree servers at each level, which greatly reduces the processing and storage overhead at the victim end of a DDoS attack; and the router side takes into account the attack state of the source-end hosts connected to it, which avoids missed detections when a large number of attacks pass through only a few routers.
Brief description of the drawings
Fig. 1 is an architecture diagram of a distributed DDoS attack flow identification system implementing the method of the invention.
Fig. 2 is a structure diagram of an aggregation domain tree implementing the method of the invention.
Fig. 3 is a flow chart of the distributed DDoS attack flow identification method of the invention.
Embodiment
The implementation of the invention is further described below with reference to Fig. 3; it comprises the following steps:
(1) Source-end host attack detection. The source-end host uses the CUSUM algorithm to detect changes in the number of packets arriving at a destination address and, on finding a suspicious situation, sends an alarm packet to the router it is connected to.
The CUSUM algorithm takes the product of the number and size of the packets sent by the source-end host as the detection metric, so that DDoS attacks can be detected at the source-end host, where traffic changes slowly and anomaly information and attack features are not obvious. Let $x_{m,n}$ denote the product of the number and size of the packets arriving at destination address $D_m$ in time interval $n$, and let MaxEx be the maximum expected value of $x_{m,n}$ when the network is not under attack. Compute $y_{m,n} = \max(0,\ y_{m,n-1} + x_{m,n} - \mathrm{MaxEx})$, $n = 1, 2, \ldots$, $m = 1, 2, \ldots$, and compare $y_{m,n}$ with its threshold $T_m$. If $y_{m,n} > T_m$, an alarm packet is sent to the router node. The alarm packet is a five-tuple:
<source host, destination host, source port, destination port, protocol type>
(2) Router-side attack detection. The CUSUM algorithm is used to detect changes in the superflow at the router. The number of packets x(tm) arriving at port i in unit time tm is taken as the observation sequence, and the mean packet count is
Figure BDA0000040712330000051
S(tm) is the deviation of the number of packets entering port i in unit time tm from the mean,
Figure BDA0000040712330000052
When s > β, where β is the router threshold, a suspicious DDoS attack is considered to exist at the router.
(3) Router-side detection of attack propagation. The propagation of the attack at the router is determined by measuring the ratio D between the flow deviation of the incoming traffic $i_{in}$ of port i and the flow deviation of the outgoing traffic $i_{out}$ of port i. Let y(tm) be the number of packets leaving port i in unit time tm; the mean number of packets leaving port i in unit time tm is then
Figure BDA0000040712330000053
Let $SD_{out}(tm)$ be the deviation of the number of packets leaving port i in unit time tm from the mean:
$SD_{out}(tm) = \max\left(0,\ SD_{out}(tm-1) + y(tm) - \bar{y}(tm)\right)$
The deviation ratio can then be defined as
$D = SD_{out}(tm) / SD_{in}(tm)$
When D > 1, the current router is propagating, and even amplifying, the attack towards downstream routers. At this point the router sends an alarm packet to the local aggregation tree server:
<router ID, flow ID, upstream router ID, downstream router ID, number of attack sources connected to the router>
(4) Construction of the weighted aggregation subtree. A router determines the number of attack sources connected to it from the number of alarm packets it has received. Within the monitoring window, the aggregation tree server of the domain constructs the weighted aggregation subtree from the alarm packets received from the routers.
The weighted aggregation subtree is constructed as follows: the aggregation tree server starts from the node whose DN_ID is 0 and takes this node as the root of the aggregation tree. The tree under construction is stored by level in CAT_Tree(d), where d is the level. Starting from CAT_Tree(0), the server searches the alarm packets for all nodes whose DN_ID is 0 and inserts them into CAT_Tree(1); for each node in CAT_Tree(1), the corresponding nodes are stored in CAT_Tree(2) in the same way, and so on, until CAT_Tree(d) is empty. Finally CAT_Tree(n) is output.
(5) Detection on the global aggregation domain tree. After the aggregation domain server of each autonomous domain finishes constructing its weighted aggregation domain subtree, it computes the weight H of the subtree and sends an alarm packet to the victim-end aggregation domain server. The alarm packet is a triple:
<this AS domain number, downstream AS domain number, weight of the aggregation subtree>
The victim-end aggregation domain server constructs the global weighted aggregation domain tree from the alarm packets it receives, that is, a tree with the victim-end domain as the root node, the other domains as child nodes, the connections between domains as edges, and weights on the edges. The construction method is: starting from the victim-end domain, each domain connected to the victim-end domain is added as its child node; then, starting from each such child node, all domain nodes connected to that child node are added as its child nodes, and so on, until all domain nodes have been processed. After the victim end has constructed the global weighted aggregation domain tree, it computes the sum H of the edge weights of the domain tree; when H > γ, the victim end is judged to have suffered a DDoS attack.
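Steps (1) to (5) above, carried through on constructed data, as an added example that is not part of the patent text. It assumes fixed attack-free baseline means supplied by the caller (the page's formula for the mean did not survive), the same CUSUM form for the inflow deviation as for SD_out, and the node with ID 0 as the root of a domain's tree; all traffic figures, thresholds and AS numbers are constructed.

```python
from collections import defaultdict


def cusum(series, expected):
    """One-sided CUSUM from the text: y_n = max(0, y_{n-1} + x_n - expected)."""
    y, out = 0.0, []
    for x in series:
        y = max(0.0, y + x - expected)
        out.append(y)
    return out


def host_alarm_interval(x, max_ex, t_m):
    """Step (1): first interval n (1-based) where y_{m,n} > T_m, else None."""
    for n, y in enumerate(cusum(x, max_ex), start=1):
        if y > t_m:
            return n
    return None


def router_check(pkts_in, pkts_out, mean_in, mean_out, beta):
    """Steps (2)-(3): return (suspicious, D) with D = SD_out / SD_in.

    Assumption: mean_in / mean_out are fixed baselines measured without
    attack, and SD_in uses the same recurrence the text gives for SD_out.
    """
    sd_in = cusum(pkts_in, mean_in)[-1]
    sd_out = cusum(pkts_out, mean_out)[-1]
    d = sd_out / sd_in if sd_in > 0 else 0.0
    return sd_in > beta, d


def build_weighted_tree(edges_in, root):
    """Steps (4)/(5): level-by-level construction with CAT_Tree(0) = [root].

    edges_in holds (node, downstream_node, weight) taken from alarm packets.
    Returns (levels, {(node, downstream): weight}).
    """
    by_down = defaultdict(list)
    for node, down, weight in edges_in:
        by_down[down].append((node, weight))
    levels, edges, seen = [[root]], {}, {root}
    while True:
        nxt = []
        for parent in levels[-1]:
            for node, weight in by_down[parent]:
                if node in seen:       # repeated or looping alarm: count once
                    continue
                seen.add(node)
                edges[(node, parent)] = weight
                nxt.append(node)
        if not nxt:                    # next CAT_Tree(d) is empty: done
            return levels, edges
        levels.append(nxt)


def domain_subtree(router_alarms, root=0):
    """Step (4) on <router ID, flow ID, upstream ID, downstream ID, sources>."""
    triples = [(rid, down, n) for rid, _flow, _up, down, n in router_alarms]
    return build_weighted_tree(triples, root)


def tree_weight(edges):
    """Weight of a tree = sum of its edge weights."""
    return sum(edges.values())


def identify_ddos(domain_alarms, victim_as, gamma):
    """Step (5) on <AS number, downstream AS number, subtree weight H>."""
    _, edges = build_weighted_tree(domain_alarms, victim_as)
    h = tree_weight(edges)
    return h, h > gamma


# ---- constructed sample data (not from the patent) ----
HOST_X = [100, 110, 95, 400, 450, 500]      # packets x size per interval
ROUTER_IN = [50, 52, 48, 90, 120, 130]      # packets entering port i
ROUTER_OUT = [50, 51, 49, 100, 140, 160]    # packets leaving port i
ROUTER_ALARMS = [
    (1, "f1", 3, 0, 2), (2, "f1", 4, 0, 1),
    (3, "f1", None, 1, 4), (4, "f1", None, 2, 3),
    (9, "f1", None, 8, 7),  # downstream router 8 never reported: not attached
]
DOMAIN_ALARMS = [(65001, 65000, 10), (65002, 65000, 6), (65003, 65001, 5)]

if __name__ == "__main__":
    print("host alarm at interval", host_alarm_interval(HOST_X, 120, 500))
    print("router (suspicious, D):", router_check(ROUTER_IN, ROUTER_OUT, 50, 50, 100))
    levels, edges = domain_subtree(ROUTER_ALARMS)
    print("CAT_Tree levels:", levels, "subtree weight:", tree_weight(edges))
    print("global (H, attack):", identify_ddos(DOMAIN_ALARMS, 65000, 15))
```

Alarms whose downstream chain never reaches the root, such as router 9 in the sample, contribute nothing to H, so an unverifiable report cannot push the sum over γ on its own.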

Claims (1)

1. A distributed DDoS attack flow identification method, consisting of the following steps:
(1) Source-end host attack detection: the source-end host uses the CUSUM algorithm to detect changes in the number of packets arriving at a destination address and, on finding a suspicious situation, sends an alarm packet to the router it is connected to. Let $x_{m,n}$ denote the product of the number and size of the packets arriving at destination address $D_m$ in time interval $n$, and let MaxEx be the maximum expected value of $x_{m,n}$ when the network is not under attack; compute $y_{m,n} = \max(0,\ y_{m,n-1} + x_{m,n} - \mathrm{MaxEx})$, $n = 1, 2, \ldots$, $m = 1, 2, \ldots$, and compare $y_{m,n}$ with its threshold $T_m$; if $y_{m,n} > T_m$, an alarm packet is sent to the router node, the alarm packet being a five-tuple: source host, destination host, source port, destination port, protocol type;
(2) Router-side attack detection: the CUSUM algorithm is used to detect changes in the superflow at the router. The number of packets arriving at port i in unit time is taken as the observation sequence, and s is the deviation of the number of packets entering port i in unit time from the mean; when s > β, where β is the router threshold, a suspicious DDoS attack is considered to exist at the router;
(3) Router-side detection of attack propagation: the propagation of the attack at the router is determined by measuring the ratio D between the flow deviation of the port's incoming traffic and the flow deviation of the port's outgoing traffic; when D > 1, the current router is propagating, and even amplifying, the attack towards downstream routers; at this point the router sends an alarm packet to the local aggregation tree server: router ID, flow ID, upstream router ID, downstream router ID, number of attack sources connected to the router;
(4) Construction of the weighted aggregation subtree: a router determines the number of attack sources connected to it from the number of alarm packets it has received; within the monitoring window, the aggregation tree server of the domain constructs the weighted aggregation subtree from the alarm packets received from the routers. The construction method is as follows: the aggregation tree server starts from the node whose DN_ID is 0 and takes this node as the root of the aggregation tree; the tree under construction is stored by level in CAT_Tree(d), where d is the level; starting from CAT_Tree(0), the server searches the alarm packets for all nodes whose DN_ID is 0 and inserts them into CAT_Tree(1); for each node in CAT_Tree(1), the corresponding nodes are stored in CAT_Tree(2) in the same way, and so on, until CAT_Tree(d) is empty; finally CAT_Tree(n) is output.
(5) Detection on the global weighted aggregation domain tree: after the aggregation tree server of each autonomous domain finishes constructing its weighted aggregation subtree, it computes the weight H of the subtree and sends an alarm packet to the victim-end aggregation tree server, the alarm packet being a triple: this AS domain number, downstream AS domain number, weight of the aggregation subtree; the victim-end aggregation tree server constructs the global weighted aggregation domain tree from the alarm packets it receives, that is, a tree with the victim-end domain as the root node, the other domains as child nodes, the connections between domains as edges, and weights on the edges; after the victim end has constructed the global weighted aggregation domain tree, it computes the weight of the domain tree, that is, the sum H of the edge weights of the domain tree; when H > γ, the victim end is judged to have suffered a DDoS attack.
CN2010106058046A 2010-12-26 2010-12-26 Method for identifying DDoS (distributed denial of service) attack flow Pending CN102123136A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010106058046A CN102123136A (en) 2010-12-26 2010-12-26 Method for identifying DDoS (distributed denial of service) attack flow

Publications (1)

Publication Number Publication Date
CN102123136A true CN102123136A (en) 2011-07-13

Family

ID=44251591

Country Status (1)

Country Link
CN (1) CN102123136A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238047A (en) * 2011-07-15 2011-11-09 山东大学 Distributed denial-of-service attack detection method based on external connection behaviors of Web communication group
CN106452975A (en) * 2016-11-18 2017-02-22 上海斐讯数据通信技术有限公司 Method and system for testing router
CN106953830A (en) * 2016-01-06 2017-07-14 中国移动通信集团福建有限公司 DNS security means of defence, device and DNS
CN108920542A (en) * 2018-06-13 2018-11-30 苏州涅瓦信息科技有限公司 A kind of distributed memory big data processing system and its data processing method
CN109257445A (en) * 2018-11-12 2019-01-22 郑州昂视信息科技有限公司 A kind of Web service dynamic dispatching method and dynamic scheduling system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
周再红等: "一种基于带权CAT的DDoS分布式检测方法", 《武汉大学学报(理学版)》, vol. 54, no. 5, 31 October 2008 (2008-10-31), pages 627 - 630 *
曾纪霞等: "一种IPv6环境下DDoS实时检测方法", 《微计算机信息》, vol. 26, no. 23, 30 June 2010 (2010-06-30), pages 54 - 56 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238047A (en) * 2011-07-15 2011-11-09 山东大学 Distributed denial-of-service attack detection method based on external connection behaviors of Web communication group
CN102238047B (en) * 2011-07-15 2013-10-16 山东大学 Denial-of-service attack detection method based on external connection behaviors of Web communication group
CN106953830A (en) * 2016-01-06 2017-07-14 中国移动通信集团福建有限公司 DNS security means of defence, device and DNS
CN106452975A (en) * 2016-11-18 2017-02-22 上海斐讯数据通信技术有限公司 Method and system for testing router
CN106452975B (en) * 2016-11-18 2019-10-11 上海斐讯数据通信技术有限公司 A kind of method and system of test router
CN108920542A (en) * 2018-06-13 2018-11-30 苏州涅瓦信息科技有限公司 A kind of distributed memory big data processing system and its data processing method
CN108920542B (en) * 2018-06-13 2021-07-20 苏州涅瓦信息科技有限公司 Distributed memory big data processing system and data processing method thereof
CN109257445A (en) * 2018-11-12 2019-01-22 郑州昂视信息科技有限公司 A kind of Web service dynamic dispatching method and dynamic scheduling system
CN109257445B (en) * 2018-11-12 2021-05-07 郑州昂视信息科技有限公司 Dynamic scheduling method and dynamic scheduling system for Web service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110713