CN102387158A - Packet filtering method for preventing DDoS attack in cloud environment - Google Patents

Packet filtering method for preventing DDoS attack in cloud environment

Info

Publication number
CN102387158A
Authority
CN
China
Prior art keywords
packet
attribute
value
frequency values
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011104074208A
Other languages
Chinese (zh)
Inventor
陈齐
林文敏
窦万春
王崇骏
姜�远
戴超
詹德川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University
Original Assignee
Nanjing University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University
Priority to CN2011104074208A
Publication of CN102387158A
Legal status: Pending (current)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a packet filtering method for preventing DDoS (Distributed Denial of Service) attacks in a cloud environment. In the non-attack phase, a gateway collects the network-layer packets passing through it once every period t, extracts the attribute pairs of each packet and computes the frequency with which each attribute pair occurs; the frequency values of all attribute pairs form an attribute-pair-to-frequency database, called the reference database. In the attack phase, the gateway first extracts the attribute pairs of each packet passing through it, reads the frequency value of each pair from the reference database, computes the weighted sum of the frequency values of all pairs in the packet and records that sum as the packet's confidence value; finally the confidence value is compared with a preset confidence threshold. If the confidence value is greater than or equal to the threshold, the packet is legitimate and is allowed through the gateway; otherwise it is filtered.

Description

Packet filtering method for preventing DDoS attacks in a cloud environment
Technical field
The present invention relates to the field of computer software, and in particular to a packet filtering method for preventing DDoS attacks in a cloud environment.
Background technology
The development of cloud computing has turned the long-held idea of delivering computing as a utility into commercial reality. At the same time it has changed the IT industry profoundly: the resources of cloud computing include both the applications delivered as services over the Internet and the hardware and system software in the data centres that provide those services. Cloud computing can therefore offer seemingly unlimited computational resources, so that users obtain the resources they need on demand.
Over the past few years cloud computing has attracted wide attention from academia and industry and has achieved one success after another; in software engineering and commercial applications its advantages are ubiquitous and significant. With its growth, however, the security problems of cloud computing have become increasingly serious, and DDoS (Distributed Denial of Service) attacks are the foremost threat among them. A DDoS attack is a form of attack that evolved from the traditional DoS attack: the attacker organises a number of zombie machines to send a large volume of requests to the target server, overloading it so that a given user can no longer reach the server, or so that a given service can no longer communicate with a particular system or person; that is, the attack disrupts or even blocks normal network communication by overloading the network.
To counter DDoS attacks, academia has studied defence strategies from many angles. The three main branches are attack detection, attack filtering and attack traceback. Research on attack filtering falls into three further categories according to where the filtering is initiated: source-initiated, path-based and victim-initiated. The present invention is concerned mainly with the third, victim-initiated filtering, on which a considerable body of work exists. The most typical is the PacketScore method proposed by Y. Kim et al. in "PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks" (IEEE Trans. Dependable and Secure Computing, vol. 3, no. 2, pp. 141-155, 2006). PacketScore first gathers the distribution of the attributes in the TCP and IP headers of packets, then scores each packet using Bayesian theory, and decides from the score whether the packet is dropped. P. E. Ayres et al. improved on PacketScore with ALPi, in "ALPi: A DDoS Defense System for High-Speed Networks" (IEEE J. Selected Areas in Communications, vol. 24, no. 10, pp. 1864-1876, 2006). In "Defense against Spoofed IP Traffic Using Hop-Count Filtering" (IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 40-53, 2007), H. Wang et al. proposed Hop-Count Filtering (HCF), which filters packets according to the relationship between the source IP address and the TTL value of the packet. Y. Xie et al., in "Monitoring the Application-Layer DDoS Attacks for Popular Websites" (IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 15-25, 2009) and "A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors" (IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 54-65, 2009), proposed detecting attack packets from correlated attributes, namely the correlation between the popularity of documents and users' browsing habits.
With the rapid development of the Internet and cloud computing, individuals and enterprises alike hope to integrate existing resources to realise value-added services. Because of the dynamic and uncertain nature of the network environment, however, and in particular when malicious behaviour occurs, the security of resources in a cloud environment cannot be guaranteed. Improving security in the cloud computing environment is therefore very important for the applications running there. Among the various security threats, DDoS attacks are the most frequent and the most severe, and among the existing countermeasures some respond slowly, some process packets inefficiently and some are hard to configure and deploy.
Summary of the invention
Object of the invention: the technical problem to be solved by the invention is to remedy the deficiencies of the prior art by providing a packet filtering method for preventing DDoS attacks in a cloud environment.
In the present invention, the packet filtering method for preventing DDoS attacks in a cloud environment comprises two parts, a non-attack phase and an attack phase. In the non-attack phase the gateway performs the following steps:
Step 11: once every period t, collect the packets passing through the gateway;
Step 12: extract all attribute pairs in the packets and calculate the frequency value of each attribute pair, denoted Conf; the frequency value of an attribute pair is the ratio of the number of packets in which the pair (with its values) occurs to the total number of packets that passed through the gateway during period t;
Step 13: generate the attribute-pair-to-frequency database. For every attribute pair whose frequency value is greater than the frequency threshold minConf, store the pair's values and its frequency value in the database, which is called the reference database; attribute pairs whose frequency value is less than or equal to minConf are not stored.
In the attack phase the gateway performs the following steps:
Step 21: extract all attribute pairs in each packet passing through the gateway;
Step 22: read the frequency value corresponding to each attribute pair from the reference database; if the reference database contains no entry for the pair, use the frequency threshold minConf as the pair's frequency value;
Step 23: compute the weighted sum of the frequency values of all attribute pairs in the packet, and record it as the packet's confidence value;
Step 24: compare the packet's confidence value with the confidence threshold minScore. If the confidence value is less than minScore, the packet is judged illegitimate and dropped; if it is greater than or equal to minScore, the packet is judged legitimate and allowed through the gateway.
In the present invention, the non-attack phase means a period t in which the number of packets passing through the gateway is less than the packet-count threshold minNum; the attack phase means a period t in which the number of packets passing through the gateway is greater than or equal to minNum.
In the present invention, an attribute pair $(A_{i_1}, A_{i_2})$ is any pairwise combination of the 6 attributes of a packet, giving 15 attribute pairs, where $1 \le i_1 \le 6$ and $1 \le i_2 \le 6$. The 6 attributes are the network-layer attributes of the packet, i.e. those carried in the IP header and the TCP header: packet length, TTL value, protocol, source IP address, flags and destination IP address.
In the present invention, the frequency of an attribute pair is the ratio of the number of packets in which the pair occurs to the total number of packets passing through the gateway in period t, and is computed as

$$\mathrm{Conf}(A_{i_1}=a_{i_1,j_1},\ A_{i_2}=a_{i_2,j_2}) = \frac{N(A_{i_1}=a_{i_1,j_1},\ A_{i_2}=a_{i_2,j_2})}{N_n},$$

where $N(A_{i_1}=a_{i_1,j_1},\ A_{i_2}=a_{i_2,j_2})$ is the number of packets passing through the gateway in period t whose attribute pair takes the values $(a_{i_1,j_1}, a_{i_2,j_2})$, and $N_n$ is the total number of packets passing through the gateway in period t; $A_{i_1}$ is the $i_1$-th attribute of the packet and $A_{i_2}$ the $i_2$-th, with $1 \le i_1 \le 6$ and $1 \le i_2 \le 6$, 6 being the total number of attributes in a packet; $a_{i_1,j_1}$ is the $j_1$-th possible value of attribute $A_{i_1}$ and $a_{i_2,j_2}$ the $j_2$-th possible value of attribute $A_{i_2}$, where $1 \le j_1 \le |A_{i_1}|$ and $1 \le j_2 \le |A_{i_2}|$, $|A_{i_1}|$ and $|A_{i_2}|$ denoting the number of possible values of attributes $A_{i_1}$ and $A_{i_2}$ respectively.
In the present invention, the reference database is updated with the attribute-pair values and frequency values computed in successive non-attack phases; the update rule is that a larger frequency value replaces a smaller one.
In the present invention, the confidence value Score(p) of a packet is computed as

$$\mathrm{Score}(p) = \sum w(A_{i_1}, A_{i_2}) \times \mathrm{conf}(A_{i_1}=p(i_1),\ A_{i_2}=p(i_2)),$$

that is, the confidence of the packet is the sum, over all attribute pairs $(A_{i_1}, A_{i_2})$, of their frequency values $\mathrm{conf}(A_{i_1}=p(i_1),\ A_{i_2}=p(i_2))$ weighted by their weights $w(A_{i_1}, A_{i_2})$. Here p denotes the packet; $w(A_{i_1}, A_{i_2})$ is the weight of attribute pair $(A_{i_1}, A_{i_2})$, and the weights of all attribute pairs sum to 1; the frequency value $\mathrm{conf}(\cdot)$ is the same quantity as $\mathrm{Conf}(\cdot)$ defined above, namely the frequency value with which the attribute pair $(A_{i_1}, A_{i_2})$, with the values it takes in the packet, occurs; $p(i_1)$ is the value of attribute $A_{i_1}$ in packet p and $p(i_2)$ the value of attribute $A_{i_2}$ in packet p.
In the present invention, the weight of an attribute pair is determined by the security of the pair, and the security of an attribute pair is determined by the bit length of the attribute values: a pair whose attribute values are longer has a larger weight than a pair whose attribute values are shorter.
Description of drawings
The invention is described further below with reference to the drawings and embodiments; the above and other advantages of the invention will become apparent from that description.
Fig. 1 is the application logic diagram of the confidence-based packet filtering method of the invention;
Fig. 2 is the diagram of the embodiment of the invention (the packet to be filtered);
Fig. 3 compares the performance of the invention and the PacketScore method under different attack intensities;
Fig. 4 compares the execution time of the invention and the PacketScore method under different attack intensities.
Embodiment:
As shown in Fig. 1, the invention discloses a confidence-based packet filtering method for countering DDoS attacks in a cloud computing environment. The method comprises two phases: a non-attack phase and an attack phase.
The two phases are distinguished by the number of packets passing through the gateway in period t. The non-attack phase is a period t in which the number of packets passing through the gateway is less than the packet-count threshold minNum; the attack phase is a period t in which that number is greater than or equal to minNum. Specifically, in the non-attack phase the gateway collects the network-layer packets once every period t, extracts the attribute pairs in the packets and computes, for each attribute pair, the frequency with which it occurs in the packets; the frequency values of all attribute pairs form an attribute-pair-to-frequency database, called the reference database. In the attack phase, for each packet passing through the gateway, the attribute pairs in the packet are first extracted and their frequency values read from the reference database; the weighted sum of the frequency values of all attribute pairs in the packet is then computed and recorded as the packet's confidence value; finally the confidence value is compared with the preset confidence threshold minScore. If the confidence value is greater than or equal to minScore, the packet is legitimate and may pass the gateway; if it is less than minScore, the packet is filtered.
In the non-attack phase the gateway performs the following steps:
Step 11: once every period t, collect the packets passing through the gateway. The value of t is determined by the processing capacity of the gateway: the stronger the gateway's processing capacity, the smaller t; the weaker its capacity, the larger t. The period t may be set between 1 s and 1000 s.
Step 12: extract all attribute pairs in the packets and calculate the frequency value of each attribute pair, denoted Conf; the frequency value of an attribute pair is the ratio of the number of packets in which the pair (with its values) occurs to the total number of packets that passed through the gateway during period t;
Step 13: generate the attribute-pair-to-frequency database. For every attribute pair whose frequency value is greater than the frequency threshold minConf, store the pair's values and its frequency value in the database, which is called the reference database; attribute pairs whose frequency value is less than or equal to minConf are not stored.
In the attack phase the gateway performs the following steps:
Step 21: extract all attribute pairs in each packet passing through the gateway;
Step 22: read the frequency value corresponding to each attribute pair from the reference database; if the reference database contains no entry for the pair, use the frequency threshold minConf as the pair's frequency value;
Step 23: compute the weighted sum of the frequency values of all attribute pairs in the packet, and record it as the packet's confidence value;
Step 24: compare the packet's confidence value with the confidence threshold minScore. If the confidence value is less than minScore, the packet is judged illegitimate and dropped; if it is greater than or equal to minScore, the packet is judged legitimate and allowed through the gateway.
In the present invention, the non-attack phase means a period t in which the number of packets passing through the gateway is less than the packet-count threshold minNum, and the attack phase means a period t in which that number is greater than or equal to minNum. The threshold minNum is set according to the processing capacity of the server: the stronger the server, the larger minNum, and the weaker the server, the smaller minNum. For example, if the server can sustain 10^5 packets per second and the gateway collects packets once every 1 s, the packet-count threshold for that gateway is set to minNum = 10^5.
In the present invention, the confidence threshold minScore is the reference value for filtering packets. If a packet's confidence value is less than minScore, the packet is an attack packet and is filtered; otherwise the packet is trustworthy and may pass the gateway. The value of minScore is the number the gateway filters against and may generally be set between 0 and 1.
In the present invention, an attribute pair $(A_{i_1}, A_{i_2})$ is any pairwise combination of the 6 attributes of a packet, giving 15 attribute pairs, where $1 \le i_1 \le 6$, $1 \le i_2 \le 6$ and 6 is the number of attributes in a packet. The 6 attributes are the network-layer attributes of the packet, i.e. those carried in the IP header and the TCP header: packet length, TTL value, protocol, source IP address, flags and destination IP address.
In the present invention, the frequency of an attribute pair is the ratio of the number of packets in which the pair occurs to the total number of packets passing through the gateway in period t, and is computed as

$$\mathrm{Conf}(A_{i_1}=a_{i_1,j_1},\ A_{i_2}=a_{i_2,j_2}) = \frac{N(A_{i_1}=a_{i_1,j_1},\ A_{i_2}=a_{i_2,j_2})}{N_n},$$

where $N(A_{i_1}=a_{i_1,j_1},\ A_{i_2}=a_{i_2,j_2})$ is the number of packets passing through the gateway in period t whose attribute pair takes the values $(a_{i_1,j_1}, a_{i_2,j_2})$, and $N_n$ is the total number of packets passing through the gateway in period t; $A_{i_1}$ is the $i_1$-th attribute of the packet and $A_{i_2}$ the $i_2$-th, with $1 \le i_1 \le 6$ and $1 \le i_2 \le 6$, 6 being the total number of attributes in a packet; $a_{i_1,j_1}$ is the $j_1$-th possible value of attribute $A_{i_1}$ and $a_{i_2,j_2}$ the $j_2$-th possible value of attribute $A_{i_2}$, where $1 \le j_1 \le |A_{i_1}|$ and $1 \le j_2 \le |A_{i_2}|$, $|A_{i_1}|$ and $|A_{i_2}|$ denoting the number of possible values of attributes $A_{i_1}$ and $A_{i_2}$ respectively. In the present invention, the database of attribute pairs and their frequency values is the reference database; the frequency values in the reference database are updated with the frequency values computed in successive non-attack phases, and the update rule is that a larger frequency value replaces a smaller one.
In the present invention, the confidence value Score(p) of a packet is computed as

$$\mathrm{Score}(p) = \sum w(A_{i_1}, A_{i_2}) \times \mathrm{conf}(A_{i_1}=p(i_1),\ A_{i_2}=p(i_2)),$$

that is, the confidence of the packet is the sum, over all attribute pairs $(A_{i_1}, A_{i_2})$, of their frequency values $\mathrm{conf}(A_{i_1}=p(i_1),\ A_{i_2}=p(i_2))$ weighted by their weights $w(A_{i_1}, A_{i_2})$. Here p denotes the packet; $w(A_{i_1}, A_{i_2})$ is the weight of attribute pair $(A_{i_1}, A_{i_2})$, and the weights of all attribute pairs sum to 1; the frequency value $\mathrm{conf}(\cdot)$ is the same quantity as $\mathrm{Conf}(\cdot)$ defined above, namely the frequency value with which the attribute pair $(A_{i_1}, A_{i_2})$, with the values it takes in the packet, occurs; $p(i_1)$ is the value of attribute $A_{i_1}$ in packet p and $p(i_2)$ the value of attribute $A_{i_2}$ in packet p.
In the present invention, the weight of an attribute pair is decided by the security of the pair, and the security of an attribute pair is decided by the bit length of its attribute values: a pair whose attribute values are longer has a larger weight than a pair whose attribute values are shorter. The security of an attribute pair here refers to how hard its values are for an attacker to guess. For example, the source IP address is 32 bits long and the flags field is 3 bits long, so the value of the source IP address is harder for an attacker to guess than the value of the flags. Consequently the security of a pair combining the source IP address with some attribute $A_i$ is higher than that of a pair combining the flags with $A_i$, and the weight of the pair (source IP address, $A_i$) is greater than the weight of the pair (flags, $A_i$). The weight of an attribute pair lies in the range [0, 1], and the weights of all attribute pairs sum to 1. The higher the weight, the higher the security of the attribute pair; the lower the weight, the lower its security.
In the present invention, it should be noted that step 13 stores only those attribute pairs whose frequency value is greater than the preset minConf, for the following reason. If, in the non-attack phase, the frequency value of every possible attribute pair were stored, the storage required would reach 15 × 2^32 × 4 bits (15 being the number of attribute pairs, 32 bits the length of an attribute-pair value and 4 bits the length of a frequency value), i.e. about 240 Gbit. Such a storage requirement is hard to meet in practice. To reduce the storage space, an iceberg-style storage scheme is therefore adopted: only those attribute pairs whose frequency value exceeds the preset threshold minConf are stored.
Compared with the prior art, the advantages of the invention include: (1) by storing only the attribute pairs whose frequency value exceeds the frequency threshold, the amount of data stored is reduced and the storage space required by the method is saved; (2) by analysing attribute pairs in the packet rather than single attributes, the weakness that a single attribute is easily guessed by an attacker is overcome, which improves the precision of packet filtering; (3) by storing the attribute-pair values in advance to generate the reference database, the computation during packet filtering is made more efficient, which improves the efficiency of packet filtering.
Embodiment
The following explains how the confidence-based packet filtering method proposed by the invention is used to filter the packet shown in Fig. 2 and decide whether the packet is dropped.
In this embodiment the gateway collects the packets passing through it once every 1 min. In the non-attack phase the gateway has already collected the relevant packets, extracted the attribute pairs, computed their frequency values and generated the reference database; what this embodiment focuses on is how the gateway filters packets in the attack phase. For ease of calculation the frequency threshold is set to minConf = 0.0005 and the packet confidence threshold to minScore = 0.05.
In this example, in the attack phase, the gateway performs the following steps:
21. Extract the attribute pairs in the packet.
As can be seen from Fig. 2, the packet carries three attribute values: the TTL value, the IP protocol and the TCP flags; the other attribute values are empty. The attribute values are TTL = 30, protocol = 6 (i.e. the transport-layer protocol is TCP) and TCP flags = 2 (2 denotes SYN). The attribute pairs are therefore (TTL, IP protocol), (TTL, TCP flags) and (IP protocol, TCP flags), with the values (TTL=30, IP=6), (TTL=30, TCP=2) and (IP=6, TCP=2).
22. Read the frequency value of each attribute pair from the reference database; if the reference database has no record for the pair's values, use the frequency threshold minConf as the pair's frequency value.
Looking up the records in the reference database gives Conf(TTL=30, TCP=2) = 0.1 and Conf(IP=6, TCP=2) = 0.09. The reference database has no record for Conf(TTL=30, IP=6), so the preset minConf = 0.0005 is used as its value.
23. Compute the weighted sum of the frequency values of all attribute pairs in the packet and record it as the packet's confidence value.
In this embodiment the weights of the attribute pairs are w(TTL, IP protocol) = 5/9, w(TTL, TCP flags) = 1/9 and w(IP protocol, TCP flags) = 3/9. The weighted sum of the frequency values of the three attribute pairs, i.e. the confidence value of the packet, is

$$\frac{5}{9} \times 0.0005 + \frac{1}{9} \times 0.1 + \frac{3}{9} \times 0.09 = 0.0414.$$

24. Compare the packet's confidence value with the confidence threshold minScore. If the confidence value is less than minScore, the packet is judged illegitimate and dropped; if it is greater than or equal to minScore, the packet is judged legitimate and allowed through the gateway.
Since the preset confidence threshold is 0.05 and the confidence value of this packet is 0.0414 < 0.05, the packet is judged illegitimate and is filtered.
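As an added example, not code from the patent or from its authors, the following Python reproduces both phases of the method end to end: it builds the reference database from a constructed non-attack trace using the iceberg threshold minConf and the larger-replaces-smaller update rule, classifies a period as attack or non-attack against minNum, and then scores the packet of Fig. 2 with the weights of the embodiment. The constructed 100-packet trace is chosen so that the reference database holds exactly the values quoted above (Conf(TTL=30, TCP=2) = 0.1, Conf(IP=6, TCP=2) = 0.09, and no record for (TTL=30, IP=6)). The attribute names ttl, proto, flags, the use of None for an attribute that is empty in a packet, the numeric values of the background traffic, and weight 0 for the twelve pairs the embodiment does not list are all assumptions of the example.

```python
from collections import Counter
from itertools import combinations

# The six network-layer attributes named in the patent; the attribute pairs
# are the 15 two-element combinations of them.
ATTRIBUTES = ("length", "ttl", "proto", "src", "flags", "dst")
PAIRS = tuple(combinations(ATTRIBUTES, 2))


def pair_counts(packets):
    """Count, for every attribute pair, how many packets carry each value pair.
    A pair is skipped when either attribute is empty (None) in the packet,
    as for the Fig. 2 packet, which carries only TTL, protocol and flags."""
    counts = {pair: Counter() for pair in PAIRS}
    for pkt in packets:
        for a, b in PAIRS:
            if pkt.get(a) is not None and pkt.get(b) is not None:
                counts[(a, b)][(pkt[a], pkt[b])] += 1
    return counts


def build_reference(packets, min_conf, reference=None):
    """Non-attack phase (steps 11-13): Conf = N(pair value) / N_n for one
    period t; only pairs with Conf > min_conf are stored (iceberg storage).
    When a reference from an earlier period is passed in, the patent's update
    rule applies: a larger frequency value replaces a smaller one."""
    reference = {} if reference is None else reference
    n_total = len(packets)
    if n_total == 0:
        return reference
    for pair, counter in pair_counts(packets).items():
        for value, n in counter.items():
            conf = n / n_total
            if conf > min_conf:
                key = (pair, value)
                reference[key] = max(conf, reference.get(key, 0.0))
    return reference


def score(packet, reference, weights, min_conf):
    """Attack phase (steps 21-23): Score(p) = sum of w(pair) * conf(pair value),
    where a pair value missing from the reference database is read as min_conf."""
    total = 0.0
    for (a, b), w in weights.items():
        if packet.get(a) is None or packet.get(b) is None:
            continue  # attribute empty in this packet: no pair to look up
        total += w * reference.get(((a, b), (packet[a], packet[b])), min_conf)
    return total


def is_legal(packet, reference, weights, min_conf, min_score):
    """Step 24: the packet passes if Score(p) >= minScore, otherwise it is dropped."""
    return score(packet, reference, weights, min_conf) >= min_score


def is_attack_phase(packets_in_period, min_num):
    """A period t with at least minNum packets through the gateway is the attack phase."""
    return len(packets_in_period) >= min_num


# Constructed non-attack trace for one period (assumption of this example):
# 100 packets chosen so the reference reproduces the values of the embodiment.
TRAINING_PACKETS = (
    [{"ttl": 30, "proto": 17, "flags": 2}] * 10    # Conf(TTL=30, flags=2) = 0.10
    + [{"ttl": 64, "proto": 6, "flags": 2}] * 9    # Conf(proto=6, flags=2) = 0.09
    + [{"ttl": 64, "proto": 6, "flags": 16}] * 81  # background traffic
)
MIN_CONF, MIN_SCORE = 0.0005, 0.05
REFERENCE = build_reference(TRAINING_PACKETS, MIN_CONF)

# Weights from the embodiment; the other twelve pairs carry weight 0 here.
WEIGHTS = {("ttl", "proto"): 5 / 9, ("ttl", "flags"): 1 / 9, ("proto", "flags"): 3 / 9}

# The packet of Fig. 2: only TTL, protocol and TCP flags (SYN) are set.
FIG2_PACKET = {"ttl": 30, "proto": 6, "flags": 2}

if __name__ == "__main__":
    s = score(FIG2_PACKET, REFERENCE, WEIGHTS, MIN_CONF)
    legal = is_legal(FIG2_PACKET, REFERENCE, WEIGHTS, MIN_CONF, MIN_SCORE)
    print(f"Score = {s:.4f}; legal = {legal}")
```

Running the file prints Score = 0.0414; legal = False, matching step 24. Two points worth checking in a deployment are visible in score(): a pair value missing from the reference database contributes minConf rather than 0, so minConf directly bounds how low a never-seen packet can score, and pairs involving an empty attribute are simply not summed, so a packet that leaves most attributes empty is judged on the few pairs it does carry.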
Contrast with additive method:
Here, in order better to embody the advantage of present embodiment method, with comparing of present embodiment based on the packet filter method of confidence level and the PacketScore method of classics.
PacketScore is the packet filter method of classics; Compare with the packet filter method that present embodiment proposes based on confidence level; Be primarily characterized in that the PacketScore method is through the attribute in the extraction packet, and the frequency that attribute occurs in the calculated data bag; Come to compare, thereby the filtration of judgment data bag whether with frequency threshold.
Fig. 3 and Fig. 4 give the performance comparison and the execution-time comparison of the two methods respectively. In Fig. 3, this embodiment considers the performance of the two packet filtering methods under different attack modes, namely five DDoS attack patterns: general attack, TCP-SYN flood attack, SQL storm attack, Nominal attack and Hybrid attack. General attack: the values of the attributes in the packet are generated at random. TCP-SYN flood attack: the TCP flag bit in the packet is set to SYN, the packet length is set to 40 bits, and the other attribute values are generated at random. SQL storm attack: the IP protocol value in the packet is set to UDP, the packet length is between 371 and 400 bits, and the other attribute values are generated at random. Nominal attack: it is assumed that the attacker can guess the value of a single attribute, and each attribute in the packet is generated at random from the attribute values of the reference non-attack phase. Hybrid attack: the packets are a mixture of the four attack modes described above.
Here the time window of this embodiment is set to 5 s, that is, the gateway collects packets once every 5 s. "Attack strength" in the table denotes the number of packets passing through the gateway within 5 s; "5 *" means that 5 × 10^4 packets pass through the gateway in 5 s. "False Positive ratio" and "False Negative ratio" are the two metrics used to measure filtering accuracy. The False Positive ratio is the proportion of attack packets that the method judges to be legitimate, and the False Negative ratio is the proportion of legitimate packets that the method judges to be attack packets. As Fig. 3 shows, the performance of the confidence-based packet filtering method changes little under different attack strengths, whereas the performance of the PacketScore method changes noticeably. In most cases the performance of the two methods is close. Under the general attack the False Positive ratio of the confidence-based method is smaller than that of PacketScore, because an attacker is less likely to hit the values of both attributes of an attribute pair at the same time. The advantage of PacketScore is that in the SQL storm attack its False Negative ratio is smaller, but under the Hybrid attack its performance is worse than that of the confidence-based method. In the TCP-SYN flood attack the confidence-based method performs worse than PacketScore, because many normal packets have the TCP flag set to SYN; when the confidence-based method compares the attribute-pair frequency values of attack packets against those in the reference database, it may wrongly judge attack packets as normal packets,
or wrongly judge normal packets as attack packets. Judged by its filtering effect, however, the method can still be regarded as an effective filtering method. Under the Nominal attack, PacketScore performs worse than the method of this embodiment, because hitting the value of a single attribute is easier than hitting both values of an attribute pair at the same time.
In Fig. 4, this embodiment compares the execution time of the two packet filtering methods. Here the time window is again set to 5 s. As Fig. 4 shows, the execution time of the confidence-based packet filtering method is shorter than that of the PacketScore method, so its filtering efficiency is higher.
The invention provides a way of thinking about a confidence-based packet filtering method; there are many methods and approaches for realising this technical scheme, and the above is only a preferred embodiment of the invention. It should be understood that those skilled in the art can make several improvements and refinements without departing from the principle of the invention, and these improvements and refinements should also be regarded as falling within the protection scope of the invention. Any part not specified in this embodiment can be realised with existing prior art.

Claims (7)

1. A packet filtering method for preventing DDoS attack in a cloud environment, characterised in that it comprises two parts, a non-attack phase and an attack phase. In the non-attack phase the gateway performs the following steps:
Step 11: every period t, collect the packets passing through the gateway;
Step 12: extract all attribute pairs in the packets and calculate the frequency value of each attribute pair, which is the ratio of the number of packets in which the attribute pair occurs to the total number of packets passing through the gateway in period t;
Step 13: generate the database of attribute-pair frequency values: for all attribute pairs whose frequency value is greater than the frequency threshold minConf, store the values of the attribute pair and its frequency value in the database, which is called the reference database; attribute pairs whose frequency value is less than or equal to the frequency threshold minConf are not stored.
In the attack phase the gateway performs the following steps:
Step 21: extract all attribute pairs in each packet passing through the gateway;
Step 22: read the frequency value corresponding to each attribute pair from the reference database; if the reference database contains no corresponding attribute pair, replace the frequency value of that attribute pair with the frequency threshold minConf;
Step 23: calculate the weighted sum of the frequency values of all attribute pairs in the packet, and record it as the confidence value of the packet;
Step 24: compare the confidence value of the packet with the confidence threshold minScore; if the confidence value of the packet is less than the confidence threshold minScore, judge it an illegal packet and discard it; if the confidence value of the packet is greater than or equal to the confidence threshold minScore, judge it a legal packet and let it pass through the gateway.
2. The packet filtering method for preventing DDoS attack in a cloud environment according to claim 1, characterised in that the non-attack phase means that, within period t, the number of packets passing through the gateway is less than the packet-count threshold minNnm, and the attack phase means that, within period t, the number of packets passing through the gateway is greater than or equal to the packet-count threshold minNnm.
3. The packet filtering method for preventing DDoS attack in a cloud environment according to claim 2, characterised in that the attribute pairs are the 15 attribute pairs $(A_{i_1}, A_{i_2})$ formed by combining any two of the 6 attributes in the packet, where $1 \le i_1 \le 6$ and $1 \le i_2 \le 6$; the 6 attributes of the packet are the attributes the packet carries at the network layer, namely those encapsulated in the IP header and the TCP header: packet length, packet TTL value, protocol name, source IP address, flags and destination IP address.
4. The packet filtering method for preventing DDoS attack in a cloud environment according to claim 3, characterised in that the frequency value of an attribute pair is calculated as:
$$\mathrm{Conf}(A_{i_1} = a_{i_1,j_1},\, A_{i_2} = a_{i_2,j_2}) = \frac{N(A_{i_1} = a_{i_1,j_1},\, A_{i_2} = a_{i_2,j_2})}{N_n},$$
where $N(A_{i_1} = a_{i_1,j_1}, A_{i_2} = a_{i_2,j_2})$ is the number of packets passing through the gateway in period t whose attribute pair takes the values $(a_{i_1,j_1}, a_{i_2,j_2})$, and $N_n$ is the number of packets passing through the gateway in period t; $A_{i_1}$ denotes the $i_1$-th attribute of the packet and $A_{i_2}$ the $i_2$-th attribute, where $1 \le i_1 \le 6$, $1 \le i_2 \le 6$ and 6 is the total number of attributes in the packet; $a_{i_1,j_1}$ is the $j_1$-th value of attribute $A_{i_1}$ and $a_{i_2,j_2}$ is the $j_2$-th value of attribute $A_{i_2}$, where $j_1$ ranges from 1 to the number of all possible values of attribute $A_{i_1}$ and $j_2$ ranges from 1 to the number of all possible values of attribute $A_{i_2}$.
5. The packet filtering method for preventing DDoS attack in a cloud environment according to claim 4, characterised in that the reference database is updated with the attribute-pair values and frequency values calculated in different non-attack phases, the update rule being: replace a smaller frequency value with a larger one.
6. The packet filtering method for preventing DDoS attack in a cloud environment according to claim 5, characterised in that the confidence value Score(p) of a packet is calculated as:
$$\mathrm{Score}(p) = \sum w(A_{i_1}, A_{i_2}) \times \mathrm{conf}(A_{i_1} = p(i_1),\, A_{i_2} = p(i_2)),$$
that is, the confidence of the packet is the sum of the frequency values of all attribute pairs $(A_{i_1}, A_{i_2})$, each weighted by its weight;
where p denotes the packet, $w(A_{i_1}, A_{i_2})$ is the weight of the attribute pair $(A_{i_1}, A_{i_2})$, the weights of all attribute pairs sum to 1, and the frequency value $\mathrm{conf}$ is identical to the frequency value $\mathrm{Conf}$ of claim 4; $\mathrm{conf}(A_{i_1} = p(i_1), A_{i_2} = p(i_2))$ is the frequency value with which the attribute pair $(A_{i_1}, A_{i_2})$ occurs in the packet, $p(i_1)$ denotes the value of attribute $A_{i_1}$ in packet p, and $p(i_2)$ denotes the value of attribute $A_{i_2}$ in packet p.
7. The packet filtering method for preventing DDoS attack in a cloud environment according to claim 6, characterised in that the weight of an attribute pair is determined by the security of the attribute pair, and the security of an attribute pair is determined by the length of its attribute values; that is, an attribute pair whose attribute values are longer has a greater weight than an attribute pair whose attribute values are shorter.
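The two-phase procedure of claims 1 to 7 carried through in Python, as an added example that is not part of the patent: the attribute key names, the byte widths used to derive the claim 7 weights, the thresholds and the sample packets are all assumptions of this example, constructed here to show the reference-database build, the minConf substitution for unseen pairs and the minScore decision.

```python
from collections import Counter
from itertools import combinations

# The six network-layer attributes of claim 3 (dict keys are assumed names).
ATTRS = ("len", "ttl", "proto", "src", "flags", "dst")
PAIRS = list(combinations(ATTRS, 2))  # the 15 attribute pairs (A_i1, A_i2)
# Claim 7: a pair's weight grows with the length of its attributes' values.
# Constructed field widths in bytes; pair weights are normalised to sum to 1.
FIELD_BYTES = {"len": 2, "ttl": 1, "proto": 1, "src": 4, "flags": 1, "dst": 4}
_TOTAL = sum(FIELD_BYTES[a] + FIELD_BYTES[b] for a, b in PAIRS)
WEIGHTS = {(a, b): (FIELD_BYTES[a] + FIELD_BYTES[b]) / _TOTAL for a, b in PAIRS}

def pair_keys(pkt):
    """Keys ((A_i1, A_i2), (value_i1, value_i2)) for every pair in one packet."""
    return [((a, b), (pkt[a], pkt[b])) for a, b in PAIRS]

def build_reference(packets, min_conf):
    """Non-attack phase (claim 1, steps 11-13): Conf = occurrences / N_n,
    keeping only pairs whose frequency exceeds the threshold minConf."""
    n = len(packets)
    counts = Counter(key for pkt in packets for key in pair_keys(pkt))
    return {key: c / n for key, c in counts.items() if c / n > min_conf}

def merge_reference(old, new):
    """Claim 5: merge databases from several non-attack windows, larger frequency wins."""
    merged = dict(old)
    for key, freq in new.items():
        merged[key] = max(freq, merged.get(key, 0.0))
    return merged

def score(pkt, ref, min_conf):
    """Claim 6: Score(p) = sum of w(A_i1, A_i2) * conf(...); a pair absent from the
    reference database is charged minConf instead (claim 1, step 22)."""
    return sum(WEIGHTS[pair] * ref.get((pair, vals), min_conf) for pair, vals in pair_keys(pkt))

def filter_packets(packets, ref, min_conf, min_score):
    """Attack phase (step 24): pass packets with Score(p) >= minScore, drop the rest."""
    return [p for p in packets if score(p, ref, min_conf) >= min_score]

# Constructed sample traffic: three identical flows plus one from a second source.
NORMAL = {"len": 60, "ttl": 64, "proto": "TCP", "src": "10.0.0.1", "flags": "ACK", "dst": "10.0.0.5"}
OTHER_SRC = dict(NORMAL, src="10.0.0.2")
TRAINING = [NORMAL, NORMAL, NORMAL, OTHER_SRC]
# Constructed flood packet whose attribute values never appeared in the non-attack phase.
FLOOD = {"len": 40, "ttl": 200, "proto": "TCP", "src": "198.51.100.7", "flags": "SYN", "dst": "10.0.0.9"}

if __name__ == "__main__":
    ref = build_reference(TRAINING, min_conf=0.3)
    print([round(score(p, ref, 0.3), 4) for p in (NORMAL, OTHER_SRC, FLOOD)])
    print(len(filter_packets([NORMAL, OTHER_SRC, FLOOD], ref, 0.3, 0.6)), "of 3 pass")
```

With every pair unseen, the flood packet's score collapses to exactly minConf, which is why the gap between minConf and minScore sets how much an attacker must match of the reference profile to get through.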
CN2011104074208A 2011-12-09 2011-12-09 Packet filtering method for preventing DDoS attack in cloud environment Pending CN102387158A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011104074208A CN102387158A (en) 2011-12-09 2011-12-09 Packet filtering method for preventing DDoS attack in cloud environment

Publications (1)

Publication Number Publication Date
CN102387158A true CN102387158A (en) 2012-03-21

Family

ID=45826132

Country Status (1)

Country Link
CN (1) CN102387158A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108449307A (en) * 2017-02-16 2018-08-24 上海行邑信息科技有限公司 A method of risk equipment for identification
US20220217157A1 (en) * 2018-04-16 2022-07-07 Akamai Technologies, Inc. Content delivery network (CDN) bot detection using primitive and compound feature sets

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378394A (en) * 2008-09-26 2009-03-04 成都市华为赛门铁克科技有限公司 Detection defense method for distributed reject service and network appliance

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MOOI CHOO CHUAH1 WING CHEONG LAU YOOHWAN KIM: "《communications,2004IEEE Int》", 24 June 2004, article "Transient performance of PacketScore for blocking DDoS attacks", pages: 1892-1896 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120321