CN106357641A - Method and device for defending interest flooding attacks in information centric network - Google Patents
- Publication number
- CN106357641A CN201610829821.5A
- Authority
- CN
- China
- Prior art keywords
- prefix
- entropy
- attack
- Interest packet
- value
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and device for defending against Interest flooding attacks in an information-centric network, and relates to the field of network security. The method includes: computing, according to a preset window, the entropy of the names of Interest packets received by a router in the information-centric network at different times; processing the obtained entropy with a cumulative sum algorithm to obtain the cumulative values of the entropy at different times; judging whether the cumulative values are smaller than a preset attack detection threshold and, if not, determining that an Interest flooding attack is detected and searching the prefix set of the Interest names with a prefix decision algorithm based on relative entropy to obtain the attack prefixes; and generating Data packets containing the attack prefixes and, according to the routing information recorded in the router's pending interest table for the Interest packets containing the attack prefixes, transmitting the Data packets to the access router where the attacker is located, so that the access router applies the corresponding access restriction to received Interest packets according to the attack prefixes in the Data packets.
Description
Technical field
The present invention relates to the field of network security, and in particular to a method and device for defending against Interest flooding attacks in an information-centric network.
Background
The TCP/IP network architecture has proven its practicality over decades of Internet development, and has remained stable in the face of many new technologies and new applications at the layers above and below it. However, as the Internet has developed, user demand for services such as mobility, content distribution and security has kept growing, gradually exposing the existing network's weaknesses in supporting mobility, content distribution and security. To handle these new services, academia proposed a new network architecture, the information-centric network (ICN). As one instantiation of ICN, named data networking (NDN) is suited to content distribution and is highly competitive among future network architectures. NDN took security requirements into account from the start of its design, and because it replaces host identifiers with content names, it can avoid many types of attack found in existing networks. NDN can mitigate several distributed denial of service (DDoS) attacks that are common today, for example bandwidth exhaustion attacks, reflection attacks and prefix-hijacking black holes. However, NDN has also given rise to a new, NDN-specific DDoS attack, called the Interest flooding attack (IFA). In NDN, an Interest packet is recorded in the pending interest table (PIT) of each intermediate router until it is satisfied by a Data packet, so an attacker can send a large number of bogus Interest packets to exhaust the storage resources of intermediate routers. The initiator of such an attack needs no knowledge of how content is distributed, yet can seriously degrade the performance of an NDN network. How to resist IFA effectively therefore deserves close attention.
In NDN, existing IFA mitigation methods are mainly based on statistics of PIT anomalies (hereinafter, PIT-based methods), for example the breaking of flow balance (in NDN, one Interest packet corresponds to at most one Data packet), the Interest satisfaction ratio, or the timeout rate of PIT entries. Fig. 1 is a schematic diagram of an IFA. As shown in Fig. 1, assume that the PIT of each router can hold at most 4 Interest records, and that legitimate users and attackers can both send Interest requests to the content source (the malicious Interest packets sent by an attacker generally have no corresponding data at the content source). When the 4 Interest packets sent by the legitimate user and the malicious Interest packet sent by attacker-2 arrive at router node d at the same time, d drops one Interest packet; likewise, router nodes f and g, affected by attacker-1 and attacker-3, each drop one Interest packet as well. In the worst case, only one of the Interest packets sent by the legitimate user finally reaches the content source, and the content source returns one normal Data packet, so the legitimate user is severely affected. Take as an example the IFA mitigation method based on PIT anomaly statistics that uses the PIT entry timeout rate (the number of PIT entries that time out per unit time), and assume the timeout rate threshold is 3. Router node g, having forwarded 3 malicious Interest packets, is the first to reach the configured timeout rate and raises an IFA warning; it then determines the timed-out prefix from the timed-out PIT entries and processes the Interest packets containing that prefix.
PIT-based methods depend on statistics of PIT anomalies, but many factors can cause a PIT anomaly, for example normal network fluctuation, network congestion, link failure and attack. From PIT anomaly statistics alone it is hard to decide whether the network is under attack, let alone how to defend against the attack. If an attack is falsely reported, the requests of normal users are treated as attack requests and restricted, which can cause users immeasurable loss. In addition, if malicious Interest packets are restricted only at the node that detects the attack, the whole downstream network is still heavily affected.
Summary of the invention
The object of the present invention is to provide a method and device for defending against Interest flooding attacks in an information-centric network. The method detects IFA based on cumulative entropy; after an IFA has been successfully detected, it uses a prefix decision method based on relative entropy, combined with an Interest traceback mechanism, to defend against the IFA. This both improves the accuracy of IFA detection and ensures the effectiveness of the defensive measures.
To achieve the above object, the present invention provides a method for defending against Interest flooding attacks in an information-centric network. The method includes:
computing, according to a preset window, the entropy of the names of the Interest packets received by a router in the information-centric network at different times;
processing the computed entropy with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times;
judging whether the cumulative value is less than a preset attack detection threshold; if not, the Interest flooding attack is detected, and the prefix set of the names of the Interest packets is searched with a prefix decision algorithm based on relative entropy to obtain the attack prefix;
generating, according to the attack prefix, a Data packet carrying the attack prefix, and, according to the routing information recorded in the router's pending interest table for the Interest packets having the attack prefix, sending the Data packet to the access router where the attacker is located, so that the access router applies the corresponding restriction to received Interest packets according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack.
Optionally, computing, according to the preset window, the entropy of the names of the Interest packets received by the router in the information-centric network at different times includes:
computing the entropy of the names of the Interest packets received by the router in the information-centric network at different times according to the following formula (1):
where m denotes the m kinds of Interest names in the preset window, p_i denotes the probability with which any one name i among the m kinds of names occurs, and h denotes the entropy.
Optionally, processing the computed entropy with the cumulative sum algorithm to obtain the cumulative value of the entropy at different times includes:
obtaining the cumulative value of the entropy at different times according to the following formula (2):
where y_n denotes the cumulative value of the entropy at time n, y_{n-1} denotes the cumulative value of the entropy at time n-1, z_n = x_n − θ, x_n denotes the entropy computed at time n, θ denotes the upper bound of e(x_n), e(x_n) denotes the mean of the entropy sequence {x_n} computed within a given time δt, and x^+ = x for x > 0, otherwise x^+ = 0.
Optionally, judging whether the cumulative value is less than the preset attack detection threshold includes:
judging whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):
where y_n denotes the cumulative value of the entropy at time n, d_n(y_n) denotes the value of the detection function applied to y_n at time n, and th denotes the preset attack detection threshold. If d_n(y_n) = 0, the cumulative value y_n of the entropy at time n is less than the preset attack detection threshold th, and no Interest flooding attack is detected; if d_n(y_n) = 1, the cumulative value y_n of the entropy at time n is not less than the preset attack detection threshold th, and the Interest flooding attack is detected.
Optionally, searching the prefix set of the names of the Interest packets with the prefix decision algorithm based on relative entropy to obtain the attack prefix includes:
letting the distribution of the prefixes in the prefix set before the Interest flooding attack is detected be distribution p, and the distribution of the prefixes in the prefix set when the Interest flooding attack is detected be distribution q;
computing the relative entropy kld of distribution p and distribution q from distribution p and distribution q;
replacing the value of a prefix of the prefix set in prefix distribution p with its value in prefix distribution q to obtain a new prefix distribution p' of the prefix set, computing the relative entropy kld_i of the new prefix distribution p' and distribution q, computing the difference between relative entropy kld_i and relative entropy kld, and adding this difference to the set kldset, until every prefix in the prefix set has been traversed;
finding the index corresponding to the maximum value in the set kldset, and obtaining the attack prefix according to that index.
Optionally, the method further includes:
finding the indexes corresponding to the l largest values in the set kldset, and obtaining the corresponding attack prefixes according to those indexes.
Correspondingly, the present invention also provides a device for defending against Interest flooding attacks in an information-centric network. The device includes:
a statistics unit, configured to compute, according to a preset window, the entropy of the names of the Interest packets received by a router in the information-centric network at different times;
a processing unit, configured to process the computed entropy with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times;
a judging unit, configured to judge whether the cumulative value is less than a preset attack detection threshold and, if not, to detect the Interest flooding attack and search the prefix set of the names of the Interest packets with a prefix decision algorithm based on relative entropy to obtain the attack prefix;
a sending unit, configured to generate, according to the attack prefix, a Data packet carrying the attack prefix, and, according to the routing information recorded in the router's pending interest table for the Interest packets having the attack prefix, to send the Data packet to the access router where the attacker is located, so that the access router applies the corresponding restriction to received Interest packets according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack.
Optionally, the processing unit is specifically configured to:
obtain the cumulative value of the entropy at different times according to the following formula (2):
where y_n denotes the cumulative value of the entropy at time n, y_{n-1} denotes the cumulative value of the entropy at time n-1, z_n = x_n − θ, x_n denotes the entropy computed at time n, θ denotes the upper bound of e(x_n), e(x_n) denotes the mean of the entropy sequence {x_n} computed within a given time δt, and x^+ = x for x > 0, otherwise x^+ = 0.
Optionally, the judging unit is specifically configured to:
judge whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):
where y_n denotes the cumulative value of the entropy at time n, d_n(y_n) denotes the value of the detection function applied to y_n at time n, and th denotes the preset attack detection threshold. If d_n(y_n) = 0, the cumulative value y_n of the entropy at time n is less than the preset attack detection threshold th, and no Interest flooding attack is detected; if d_n(y_n) = 1, the cumulative value y_n of the entropy at time n is not less than the preset attack detection threshold th, and the Interest flooding attack is detected.
Optionally, the judging unit is further configured to:
let the distribution of the prefixes in the prefix set before the Interest flooding attack is detected be distribution p, and the distribution of the prefixes in the prefix set when the Interest flooding attack is detected be distribution q;
compute the relative entropy kld of distribution p and distribution q from distribution p and distribution q;
replace the value of a prefix of the prefix set in prefix distribution p with its value in prefix distribution q to obtain a new prefix distribution p' of the prefix set, compute the relative entropy kld_i of the new prefix distribution p' and distribution q, compute the difference between relative entropy kld_i and relative entropy kld, and add this difference to the set kldset, until every prefix in the prefix set has been traversed;
find the index corresponding to the maximum value in the set kldset, and obtain the attack prefix according to that index.
As can be seen from the above technical solution, the entropy of the names of the Interest packets received by a router in the information-centric network at different times is computed according to a preset window; the computed entropy is then processed with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times; whether the cumulative value is less than a preset attack detection threshold is judged and, if not, the Interest flooding attack is detected and the prefix set of the names of the Interest packets is searched with the prefix decision algorithm based on relative entropy to obtain the attack prefix; finally, a Data packet carrying the attack prefix is generated according to the attack prefix and, according to the routing information recorded in the router's pending interest table for the Interest packets having the attack prefix, sent to the access router where the attacker is located, so that the access router applies the corresponding restriction to received Interest packets according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack. This not only improves the accuracy of IFA detection and reduces false alarms, but also provides an effective defensive measure promptly after an attack is detected, reduces the impact of IFA on the network, and ensures that the network can provide normal service to users.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an IFA;
Fig. 2 is a flow chart of the method for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the IFA defensive measure provided by an embodiment of the present invention;
Fig. 4 is the simulation topology of the method for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention;
Fig. 5 is a schematic comparison of the PIT-based method and the method provided by the present invention in detecting an IFA;
Fig. 6 is a schematic comparison of the PIT-based method and the method provided by the present invention in defending against an IFA;
Fig. 7 is a structural diagram of the device for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 2 is a flow chart of the method for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention. As shown in Fig. 2, the method provided by an embodiment of the present invention includes:
In step S101, the entropy of the names of the Interest packets received by a router in the information-centric network at different times is computed according to a preset window.
Specifically, this step includes: computing the entropy of the names of the Interest packets received by the router in the information-centric network at different times according to the following formula (1):
where m denotes the m kinds of Interest names in the preset window, p_i denotes the probability with which any one name i among the m kinds of names occurs, and h denotes the entropy.
Entropy, also called information entropy in the communications field, expresses the randomness of events. Assuming that, over a period of time, the content requests of legitimate users follow a fixed distribution (for example, a Zipf distribution), the applicant uses the above method to measure the randomness of the names of the Interest packets received by a router node. Specifically, this step exploits the fact that the distribution of user requests is relatively stable under normal conditions, and performs statistical detection on the entropy of the request distribution at the router.
A router in an information-centric network may receive a large number of Interest packets per second. A window w can be set in advance and slid over the received Interest packets, which yields the computed entropy at different times. Because the network changes dynamically, the computed entropy floats within a stable range, and one could simply set a threshold to detect IFA. However, even a normal network shows large instantaneous fluctuations, so to keep detection reliable the applicant processes the computed entropy with an algorithm based on the cumulative sum.
Then, in step S102, the computed entropy is processed with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times.
Specifically, this step includes: obtaining the cumulative value of the entropy at different times according to the following formula (2):
where y_n denotes the cumulative value of the entropy at time n, y_{n-1} denotes the cumulative value of the entropy at time n-1, z_n = x_n − θ, x_n denotes the entropy computed at time n, θ denotes the upper bound of e(x_n), e(x_n) denotes the mean of the entropy sequence {x_n} computed within a given time δt, and x^+ = x for x > 0, otherwise x^+ = 0.
More specifically, the cumulative sum algorithm is one instance of change-point detection algorithms, with low delay and high detection accuracy. The applicant uses this algorithm to process the computed entropy. In practice, the procedure is as follows:
The applicant first defines x_n as the entropy computed at time n, {x_n} as the entropy sequence computed within a given time δt, e(x_n) as the mean of the entropy sequence {x_n} computed within the given time δt, and θ as the upper bound of e(x_n). Construct the sequence z_n = x_n − θ; under normal network conditions the mean of this sequence is negative. y_n is defined according to formula (2) above, so y_n represents the accumulation of the positive values of z_n. The value θ is introduced so that the cumulative value returns to zero under normal conditions, which prevents normal fluctuation from accumulating over time.
More specifically, after an attack is launched, the computed entropy x_n rises rapidly and exceeds θ, so z_n becomes positive and y_n keeps accumulating until it reaches the attack detection threshold. When the network fluctuates briefly, x_n may likewise rise rapidly and exceed θ, so that z_n becomes positive and y_n accumulates. However, as the fluctuation subsides, negative values of z_n are added before y_n reaches the configured attack threshold, and y_n is gradually pulled back to 0. Normal network fluctuation is therefore handled well.
Next, in step S103, it is judged whether the cumulative value is less than a preset attack detection threshold.
Specifically, this step includes: judging whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):
where y_n denotes the cumulative value of the entropy at time n, d_n(y_n) denotes the value of the detection function applied to y_n at time n, and th denotes the preset attack detection threshold. If d_n(y_n) = 0, the cumulative value y_n of the entropy at time n is less than the preset attack detection threshold th, and no Interest flooding attack is detected; if d_n(y_n) = 1, the cumulative value y_n of the entropy at time n is not less than the preset attack detection threshold th, and the Interest flooding attack is detected.
PIT-based methods easily misjudge attacks. To solve this problem, method steps S101-S103 above can be used: entropy is computed over the names of the Interest packets received by the router, the cumulative sum algorithm is applied to the computed entropy, and an IFA is considered detected once the cumulative value reaches the configured attack detection threshold. In a specific embodiment, method steps S101-S103 can be summarized as an IFA detection method based on cumulative entropy. With this method, a router can detect an existing IFA in time, while avoiding misjudging legitimate user requests and avoiding the influence of normal network fluctuation on attack detection.
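Steps S101-S103 as runnable Python, added here as an example and not taken from the patent: it compares a per-window threshold with the cumulative sum on traffic that contains one transient spike and one sustained flood. Formulas (1)-(3) are not reproduced on this page, so the code assumes the standard Shannon entropy, the recursion y_n = (y_{n-1} + z_n)^+ implied by the definitions above, and an alarm when y_n is not less than th; the traffic, the margin used to set θ, the threshold 1.2 and the use of one window per time step in place of a sliding window are constructed for the example.

```python
import math
from collections import Counter

# Constructed per-window request counts for 16 legitimate names (sum = 200),
# a Zipf-like popularity profile.
LEGIT_COUNTS = [60, 30, 20, 15, 12, 10, 9, 8, 7, 6, 5, 5, 4, 4, 3, 2]


def legit_window():
    """One window of legitimate Interests under /root/good (constructed)."""
    names = []
    for rank, count in enumerate(LEGIT_COUNTS):
        names += [f"/root/good/obj{rank}"] * count
    return names


def bogus_names(window_id, n=20):
    """n never-repeating names under /root/evil (constructed flood traffic)."""
    return [f"/root/evil/{window_id}-{k}" for k in range(n)]


def name_entropy(names):
    """Shannon entropy, in bits, of the Interest names seen in one window."""
    total = len(names)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(names).values())


class EntropyCusum:
    """y_n = (y_{n-1} + z_n)^+ with z_n = x_n - theta; alarm when y_n >= th."""

    def __init__(self, theta, th):
        self.theta, self.th, self.y = theta, th, 0.0

    def update(self, x):
        self.y = max(0.0, self.y + (x - self.theta))
        return self.y >= self.th


def build_timeline():
    """30 windows: a one-window spike at n = 5, a sustained flood from n = 20."""
    timeline = []
    for n in range(30):
        names = legit_window()
        if n == 5 or n >= 20:
            names += bogus_names(n)
        timeline.append(names)
    return timeline


def run_detection(margin=0.05, th=1.2):
    # theta is an upper bound on the mean entropy of attack-free traffic;
    # taking the baseline mean plus a small margin is an assumption of this example.
    baseline = [name_entropy(legit_window()) for _ in range(5)]
    theta = sum(baseline) / len(baseline) + margin
    detector = EntropyCusum(theta, th)
    naive_alarms, cusum_alarms, trace = [], [], []
    for n, names in enumerate(build_timeline()):
        x = name_entropy(names)
        if x > theta:                 # plain per-window threshold, for contrast
            naive_alarms.append(n)
        if detector.update(x):        # cumulative-entropy detection
            cusum_alarms.append(n)
        trace.append((n, round(x, 3), round(detector.y, 3)))
    return naive_alarms, cusum_alarms, trace


if __name__ == "__main__":
    naive, cusum, trace = run_detection()
    for row in trace:
        print(row)
    print("per-window threshold alarms:", naive)
    print("cumulative-sum alarms:", cusum)
```

The per-window threshold fires on the transient spike, while the cumulative value decays back to zero after it and only crosses th once the flood persists, at the cost of a few windows of detection delay.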
Then, in step S104, if the cumulative value is judged to be not less than the preset attack detection threshold, the Interest flooding attack is detected, and the prefix set of the names of the Interest packets is searched with the prefix decision algorithm based on relative entropy to obtain the attack prefix.
Specifically, this step includes: letting the distribution of the prefixes in the prefix set before the Interest flooding attack is detected be distribution p, and the distribution of the prefixes in the prefix set when the Interest flooding attack is detected be distribution q; computing the relative entropy kld of distribution p and distribution q from distribution p and distribution q; replacing the value of a prefix of the prefix set in prefix distribution p with its value in prefix distribution q to obtain a new prefix distribution p' of the prefix set, computing the relative entropy kld_i of the new prefix distribution p' and distribution q, computing the difference between relative entropy kld_i and relative entropy kld, and adding this difference to the set kldset, until every prefix in the prefix set has been traversed; finding the index corresponding to the maximum value in the set kldset, and obtaining the attack prefix according to that index. After an IFA warning, this step finds the attack prefix with the highest probability, which makes it easier to take precautionary measures.
Relative entropy, also called KL distance, expresses the difference between two distributions of the same variable. For two distributions p and q of the same variable, their relative entropy is defined as:
where i is an element of the variable's total space. In this definition, the conventions 0 log(0/0) = 0, 0 log(0/q) = 0 and 0 log(p/0) = ∞ apply; that is, for an element i, if p(i) > 0 and q(i) = 0, then d(p || q) = ∞. Relative entropy is non-negative, and d(p || q) = 0 only when p and q are the same distribution; the greater the difference between p and q, the larger the value of d(p || q).
More specifically, assume the two distributions of the name prefixes of the Interest packets recorded by the router are p and q. When an IFA is detected, let the prefix distribution at that moment be p and the prefix distribution a short time earlier be q; p and q are then two different distributions over the same name prefixes (detection has a certain lag, and detecting the very first attack Interest packet is too difficult). The algorithm is as follows:
Input: prefix set prefixset; prefix distribution p at the attack detection time; prefix distribution q before the attack detection time. Output: attack prefix prefix. The procedure is as follows:
initialize kldset = null
kld = d(p || q)
for each i ∈ prefixset do
    p' = p
    p'(i) = q(i)
    kld_i = d(p' || q)
    δd = |kld_i − kld|
    add δd to kldset
end for
find the index k corresponding to the maximum value in kldset
prefix = prefixset(k)
Specifically: 1. compute the relative entropy of p and q and record it as kld; 2. for each prefix i in the prefix set, replace p(i) with q(i) to obtain p', compute the relative entropy of p' and q and record it as kld_i, compute the magnitude of the difference between kld_i and kld, and add it to the set kldset, until all prefixes in the prefix set have been traversed; 3. find the index k corresponding to the maximum value in the set kldset; the attack prefix is prefixset(k). Because several prefixes may be under attack, the indexes corresponding to the l largest values can be taken if necessary and the corresponding prefixes found. Preferably, the method further includes: finding the indexes corresponding to the l largest values in the set kldset, and obtaining the corresponding attack prefixes according to those indexes.
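The prefix decision algorithm above as runnable Python, added here as an example and not taken from the patent. Additive smoothing is introduced because a prefix that was never requested before the attack has q(i) = 0, which makes kld infinite and leaves the differences for the other prefixes undefined. Assumptions: the usual definition d(p || q) = Σ p(i) log(p(i)/q(i)), since the formula is not reproduced on this page; the smoothing constant `eps`; the prefixes /root/video, /root/news and /root/junk; and all request counts, which are constructed.

```python
import math


def kl_divergence(p, q):
    """d(p || q) in nats. A term with p(i) = 0 contributes 0; a term with
    p(i) > 0 and q(i) = 0 makes the result infinite."""
    total = 0.0
    for i, p_i in p.items():
        if p_i == 0:
            continue
        if q[i] == 0:
            return math.inf
        total += p_i * math.log(p_i / q[i])
    return total


def prefix_distribution(counts, prefix_set, eps):
    """Per-prefix request share with additive smoothing eps (assumption of this
    example, not part of the patent text)."""
    total = sum(counts.get(i, 0) for i in prefix_set) + eps * len(prefix_set)
    return {i: (counts.get(i, 0) + eps) / total for i in prefix_set}


def rank_attack_prefixes(counts_before, counts_now, l=1, eps=0.5):
    """Return the l prefixes whose substitution changes the relative entropy most.

    p is the prefix distribution at detection time, q the distribution shortly
    before, as in the algorithm listing above."""
    prefix_set = sorted(set(counts_before) | set(counts_now))
    p = prefix_distribution(counts_now, prefix_set, eps)
    q = prefix_distribution(counts_before, prefix_set, eps)
    kld = kl_divergence(p, q)
    kldset = []
    for i in prefix_set:
        p_prime = dict(p)
        p_prime[i] = q[i]                       # p'(i) = q(i)
        kld_i = kl_divergence(p_prime, q)
        kldset.append(abs(kld_i - kld))         # delta d = |kld_i - kld|
    order = sorted(range(len(prefix_set)), key=lambda k: kldset[k], reverse=True)
    return [prefix_set[k] for k in order[:l]]


# Constructed Interest counts per prefix for one window before the attack and
# one window at detection time.
BEFORE = {"/root/good": 120, "/root/video": 50, "/root/news": 30}
NOW_ONE = {"/root/good": 118, "/root/video": 52, "/root/news": 30,
           "/root/evil": 20}
NOW_TWO = dict(NOW_ONE, **{"/root/junk": 12})

if __name__ == "__main__":
    print(rank_attack_prefixes(BEFORE, NOW_ONE))          # single attack prefix
    print(rank_attack_prefixes(BEFORE, NOW_TWO, l=2))     # two attack prefixes
```

If l is larger than the number of prefixes actually under attack, the next entries are legitimate prefixes whose share merely shrank, so l should not be set above what the alarm justifies.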
Finally, in step S105, a Data packet carrying the attack prefix is generated according to the attack prefix, and, according to the routing information recorded in the router's pending interest table for the Interest packets having the attack prefix, the Data packet is sent to the access router where the attacker is located, so that the access router applies the corresponding restriction to received Interest packets according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack.
Because an NDN network is a fully peer-to-peer network, centralized control seems less practical and also increases the risk of being attacked, so the applicant adopts a distributed defence method. When an IFA is launched and detected on a router, that router executes the relative-entropy-based prefix determination algorithm to find the attack prefix. Because every forwarding router records in its PIT the interest packets it has forwarded that have neither been satisfied nor timed out (that is, the interest packets with the attack prefix), the router can construct a data packet of a specific format that carries the attack prefix and easily return it along the reverse path to the access router where the attacker is located. After receiving the data packet, the access router checks it against the specific format. If the format of the data packet meets the requirements, the access router extracts the attack prefix carried in the data packet and limits subsequently received interest requests accordingly.

Fig. 3 is a schematic diagram of the IFA defensive measure provided by an embodiment of the present invention. As shown in Fig. 3, suppose router i detects an interest flooding attack and determines the attack prefix. By constructing a special data packet, it passes the attack prefix to access routers b, c and h, and the access routers limit subsequently received interest requests accordingly.
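The reverse-path notification described above, as an added Python example that is not part of the patent: each router follows its PIT entries for the attack prefix back toward the requesters, and the router whose incoming face is a host applies the limit. The packet fields, the per-window cap, the `Router` class and the topology (access routers b, c and h behind detecting router i, as in the Fig. 3 description, plus a legitimate access router a) are constructed for illustration.

```python
from collections import defaultdict

NOTIFY_TYPE = "ifa-attack-prefix"   # hypothetical marker for the "specific format"


class Router:
    def __init__(self, name, next_hop=None):
        self.name = name
        self.next_hop = next_hop          # next router toward the content source
        self.pit = defaultdict(set)       # pending interest name -> faces it arrived on
        self.limits = {}                  # attack prefix -> interests admitted per window
        self.admitted = defaultdict(int)  # attack prefix -> interests admitted so far

    def on_interest(self, name, in_face):
        """Admit or drop an interest; admitted ones are recorded in the PIT and forwarded."""
        for prefix, cap in self.limits.items():
            if name.startswith(prefix + "/"):
                if self.admitted[prefix] >= cap:
                    return False          # limited at the access router
                self.admitted[prefix] += 1
        self.pit[name].add(in_face)
        if self.next_hop is not None:
            self.next_hop.on_interest(name, self)
        return True

    def on_notification(self, packet, cap=2):
        """Check the packet format, then follow the PIT back toward the requesters."""
        prefix = packet.get("prefix", "")
        if packet.get("type") != NOTIFY_TYPE or not str(prefix).startswith("/"):
            return                        # format check failed: ignore the packet
        faces = set()
        for name, in_faces in self.pit.items():
            if name.startswith(prefix + "/"):
                faces |= in_faces
        for face in faces:
            if isinstance(face, Router):
                face.on_notification(packet, cap)   # keep following the reverse path
            else:
                self.limits[prefix] = cap           # face is a host: access router


def simulate():
    """Constructed topology: a, b, c -> e -> i and h -> i; i sits next to the source."""
    i = Router("i")
    e = Router("e", i)
    a, b, c = Router("a", e), Router("b", e), Router("c", e)
    h = Router("h", i)
    routers = [a, b, c, e, h, i]
    a.on_interest("/root/good/obj0", "user-a")                   # legitimate request
    for r in (b, c, h):                                          # unsatisfied attack interests
        for n in range(3):
            r.on_interest(f"/root/evil/{r.name}{n}", f"host-{r.name}")
    a.on_notification({"type": "data", "prefix": "/root/good"})  # wrong format, ignored
    i.on_notification({"type": NOTIFY_TYPE, "prefix": "/root/evil"})
    return {
        "limited": sorted(r.name for r in routers if r.limits),
        "evil_at_b": [b.on_interest(f"/root/evil/new{n}", "host-b") for n in range(3)],
        "good_at_a": a.on_interest("/root/good/obj1", "user-a"),
    }


if __name__ == "__main__":
    print(simulate())
```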
To verify the concrete effect of the technical solution of the present invention, a specific embodiment is illustrated by simulation. Fig. 4 is the simulation topology of the defence method against interest flooding attacks in a content-centric network provided by an embodiment of the present invention. As shown in Fig. 4, legitimate users can request content with the prefix "/root/good" from the content source via router r1, while attackers can send malicious interest packets via routers r2, r3 and r4 to request content with the prefix "/root/evil" from the content source; because the content source has no content corresponding to the "/root/evil" prefix, it makes no response. Legitimate users send interest requests at a rate of 200/second and attackers send interest requests at a rate of 20/second. The attack detection threshold is set to 100 and, for comparison with the PIT-based method, the PIT timeout rate threshold is set to 40/second. The overall simulation time is 0~300 seconds, and the attack duration is 200~250 seconds.
Fig. 5 compares the PIT-based method with the method provided by the present invention when detecting an IFA. As shown in Fig. 5, with the PIT-based method the PIT timeout rate (PIT expiration rate) of routers r1 and r6 both reach the set threshold of 40, that is, both routers detect an interest flooding attack. However, Fig. 4 shows that router r1 serves only legitimate users and no attacker, so the PIT-based method produces a misjudgement. With the accumulated-entropy-based IFA detection method provided by the present invention, only router r1 detects the IFA. Note that Fig. 5 uses routers r1 and r6 as the examples for the comparison.
Fig. 6 compares the PIT-based method with the method provided by the present invention when defending against an IFA. As shown in Fig. 6, it gives the change in PIT size of routers r1, r2, r5 and r6 between 150 and 300 seconds of the overall 0~300 second simulation time. The solid line ('rl') represents the PIT-based method and the dotted line ('ce') represents the defence method against interest flooding attacks in a content-centric network provided by the present invention. The figure shows that, with the PIT-based method, router r1, which serves legitimate users, applies limiting measures to the interest packets it receives, so the number of forwarded interest packets falls and the PIT size drops sharply; likewise, router r2, which serves an attacker, also applies the corresponding limiting measures and its PIT size also drops. With the method provided by the present invention, however, router r1 forwards the interest requests received from legitimate users normally and its PIT size stays constant, while router r2 applies the limiting policy to the attack interest packets it receives and its PIT size drops. The corresponding PIT size changes can also be verified on routers r5 and r6.
Compared with the prior art, this embodiment considers multiple factors that may cause false alarms during IFA detection and defence, and points out that in attack detection the prior art is prone to misjudgement and to wrongly acting against legitimate users. This embodiment uses the fact that the distribution of user interest requests is relatively stable under normal conditions, and therefore performs statistical detection on the entropy of the interest request distribution at the router. After an attack is detected, the possible attack prefix is calculated using relative entropy, and the determined attack prefix information is then passed in a constructed data packet to the access router where the attacker is located, which fundamentally limits the threat that attack interest packets pose to the network and ensures normal network service.
For simplicity of description, the method embodiments are all expressed as a series of combined actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Fig. 7 is a structural schematic diagram of the defence device against interest flooding attacks in a content-centric network provided by an embodiment of the present invention. As shown in Fig. 7, the defence device against interest flooding attacks in a content-centric network provided by an embodiment of the present invention includes:

A statistics unit 201, configured to compute, according to a preset window, the entropy of the names of the interest packets that a router in the content-centric network receives at different moments;

A processing unit 202, configured to process the computed entropy with the cumulative sum algorithm to obtain the cumulative value of the entropy at different moments;

A judging unit 203, configured to judge whether the cumulative value is less than a preset attack detection threshold and, if not, to determine that the interest flooding attack is detected and to search the prefix set of the names of the interest packets using the relative-entropy-based prefix determination algorithm to obtain the attack prefix;

A sending unit 204, configured to generate, from the attack prefix, a data packet carrying the attack prefix and, according to the routing information recorded in the router's pending interest table for the interest packets that have the attack prefix, to send the data packet to the access router where the attacker is located, so that the access router limits the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest flooding attack.
In an optional embodiment of the present invention, the processing unit 202 is specifically configured to:

Obtain the cumulative value of the entropy at different moments according to the following formula (2):

where y_n denotes the cumulative value of the entropy at time n, y_{n-1} denotes the cumulative value of the entropy at time n-1, z_n = x_n - θ, x_n denotes the entropy computed at time n, θ denotes the upper bound of e(x_n), and e(x_n) denotes the mean of the entropy sequence {x_n} computed within a given time δt; for x > 0, x^+ = x, otherwise x^+ = 0.

In an optional embodiment of the present invention, the judging unit 203 is specifically configured to:

Judge whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):

where y_n denotes the cumulative value of the entropy at time n, d_n(y_n) denotes the value of the detection function applied to y_n at time n, and th denotes the preset attack detection threshold. If d_n(y_n) = 0, the cumulative value y_n of the entropy at time n is less than the preset attack detection threshold th and the interest flooding attack is not detected; if d_n(y_n) = 1, the cumulative value y_n of the entropy at time n is not less than the preset attack detection threshold th and the interest flooding attack is detected.
In an optional embodiment of the present invention, the judging unit 203 is further configured to:

Set the prefix distribution of each prefix in the prefix set before the interest flooding attack is detected as distribution p, and the prefix distribution of each prefix in the prefix set when the interest flooding attack is detected as distribution q;

Calculate the relative entropy kld of distribution p and distribution q from distribution p and distribution q;

Replace the prefix distribution p of a prefix in the prefix set with its prefix distribution q to obtain a new prefix distribution p' of the prefix set, calculate the relative entropy kld_i of the new prefix distribution p' and distribution q, calculate the difference between relative entropy kld_i and relative entropy kld, and add this difference to the set kldset, until every prefix in the prefix set has been traversed;

Find the index corresponding to the maximum value in the set kldset, and obtain the attack prefix from that index.
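The detection and prefix-determination steps performed by units 202 and 203, as an added Python example that is not part of the patent. Formulas (1) to (3) are not reproduced on this page, so the code assumes Shannon entropy with a base-2 logarithm, the recursion y_n = (y_{n-1} + z_n)^+ implied by the symbol definitions, D(q || p') as the relative entropy and kld - kld_i as the difference. `prefix_of`, the smoothing constant, theta = 3.7, th = 3.0 and the sample windows are constructed for illustration.

```python
import math
from collections import Counter


def shannon_entropy(names):
    """Entropy of the interest names in one window (base-2 log is an assumption)."""
    counts = Counter(names)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def cusum(entropies, theta, th):
    """Return ([y_0, y_1, ...], index of the first window with y_n >= th or None)."""
    y, ys, alarm = 0.0, [], None
    for n, x in enumerate(entropies):
        y = max(0.0, y + (x - theta))    # y_n = (y_{n-1} + z_n)^+, z_n = x_n - theta
        ys.append(y)
        if alarm is None and y >= th:    # d_n(y_n) = 1
            alarm = n
    return ys, alarm


def prefix_of(name, depth=2):
    """Hypothetical helper: the first `depth` name components form the prefix."""
    return "/" + "/".join(name.strip("/").split("/")[:depth])


def distribution(names, prefixset, eps=1e-6):
    """Smoothed share per prefix, so a prefix never seen before gives no log(0)."""
    counts = Counter(prefix_of(n) for n in names)
    total = len(names) + eps * len(prefixset)
    return [(counts[pfx] + eps) / total for pfx in prefixset]


def kl(q, p):
    """Relative entropy D(q || p) in bits (argument order is an assumption)."""
    return sum(qi * math.log2(qi / pi) for qi, pi in zip(q, p))


def attack_prefixes(before, during, top_l=1):
    """Rank prefixes by how much replacing p(i) with q(i) lowers the relative entropy."""
    prefixset = sorted({prefix_of(n) for n in before + during})
    p = distribution(before, prefixset)
    q = distribution(during, prefixset)
    kld = kl(q, p)
    kldset = []
    for i in range(len(prefixset)):
        p_new = list(p)
        p_new[i] = q[i]                   # p' = p with entry i taken from q
        kldset.append(kld - kl(q, p_new))
    ranked = sorted(range(len(prefixset)), key=lambda i: kldset[i], reverse=True)
    return [prefixset[k] for k in ranked[:top_l]]


def detect_and_identify(windows, theta, th, top_l=1):
    """Run entropy + CUSUM over the windows; on alarm, name the attack prefixes."""
    ys, alarm = cusum([shannon_entropy(w) for w in windows], theta, th)
    if alarm is None:
        return None, []
    quiet = [i for i in range(alarm) if ys[i] == 0.0]
    if not quiet:                         # no pre-attack window to use as p
        return alarm, []
    return alarm, attack_prefixes(windows[quiet[-1]], windows[alarm], top_l)


def legit_window():
    """Constructed sample: 200 interests over 12 popular names under two prefixes."""
    return ([f"/root/good/obj{k % 8}" for k in range(160)] +
            [f"/root/news/item{k % 4}" for k in range(40)])


def attack_window(w):
    """Constructed sample: legitimate load plus 60 never-repeated names under /root/evil."""
    return legit_window() + [f"/root/evil/{w}-{j}" for j in range(60)]


WINDOWS = [legit_window() for _ in range(5)] + [attack_window(w) for w in range(5, 10)]

if __name__ == "__main__":
    print(detect_and_identify(WINDOWS, theta=3.7, th=3.0))
```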
The details involved in the defence device against interest flooding attacks in a content-centric network provided by an embodiment of the present invention have already been described in detail for the defence method against interest flooding attacks in a content-centric network provided by an embodiment of the present invention, and are not repeated here. The defence device against interest flooding attacks in a content-centric network provided by an embodiment of the present invention may be deployed in a router of the content-centric network.
This embodiment computes, according to a preset window, the entropy of the names of the interest packets that a router in the content-centric network receives at different moments; it then processes the computed entropy with the cumulative sum algorithm to obtain the cumulative value of the entropy at different moments, and judges whether the cumulative value is less than the preset attack detection threshold. If not, an interest flooding attack is detected, and the prefix set of the names of the interest packets is searched using the relative-entropy-based prefix determination algorithm to obtain the attack prefix. Finally, a data packet carrying the attack prefix is generated from the attack prefix and, according to the routing information recorded in the router's pending interest table for the interest packets that have the attack prefix, the data packet is sent to the access router where the attacker is located, so that the access router limits the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest flooding attack. This not only improves the accuracy of IFA detection and reduces false alarms, but also provides an effective defensive measure promptly after an attack is detected, reducing the impact of an IFA on the network and ensuring that the network can provide normal service to users.
It should be noted that the components of the system of the present invention are divided logically according to the functions they are to realize, but the present invention is not limited to this division; the components may be re-divided or combined as needed. For example, some units may be combined into a single component, or some components may be further broken down into more sub-components.

The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that, in practice, a microprocessor or a digital signal processor (DSP) may be used to realize some or all of the functions of some or all of the components of the system according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing part or all of the method described herein. Such a program realizing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.

The above embodiments are only intended to illustrate the present invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention, so all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.
Claims (10)
1. A defence method against interest flooding attacks in a content-centric network, characterized in that the method includes:

computing, according to a preset window, the entropy of the names of the interest packets that a router in the content-centric network receives at different moments;

processing the computed entropy with the cumulative sum algorithm to obtain the cumulative value of the entropy at different moments;

judging whether the cumulative value is less than a preset attack detection threshold and, if not, determining that the interest flooding attack is detected, and searching the prefix set of the names of the interest packets using the relative-entropy-based prefix determination algorithm to obtain the attack prefix;

generating, from the attack prefix, a data packet carrying the attack prefix and, according to the routing information recorded in the router's pending interest table for the interest packets that have the attack prefix, sending the data packet to the access router where the attacker is located, so that the access router limits the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest flooding attack.
2. The defence method against interest flooding attacks in a content-centric network according to claim 1, characterized in that computing, according to a preset window, the entropy of the names of the interest packets that a router in the content-centric network receives at different moments includes:

computing the entropy of the names of the interest packets that a router in the content-centric network receives at different moments according to the following formula (1):

where m denotes the m kinds of names of interest packets in the preset window, p_i denotes the probability of occurrence of any name i among the m kinds of names, and h denotes the entropy.
3. The defence method against interest flooding attacks in a content-centric network according to claim 1, characterized in that processing the computed entropy with the cumulative sum algorithm to obtain the cumulative value of the entropy at different moments includes:

obtaining the cumulative value of the entropy at different moments according to the following formula (2):

where y_n denotes the cumulative value of the entropy at time n, y_{n-1} denotes the cumulative value of the entropy at time n-1, z_n = x_n - θ, x_n denotes the entropy computed at time n, θ denotes the upper bound of e(x_n), and e(x_n) denotes the mean of the entropy sequence {x_n} computed within a given time δt; for x > 0, x^+ = x, otherwise x^+ = 0.
4. The defence method against interest flooding attacks in a content-centric network according to claim 3, characterized in that judging whether the cumulative value is less than the preset attack detection threshold includes:

judging whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):

where y_n denotes the cumulative value of the entropy at time n, d_n(y_n) denotes the value of the detection function applied to y_n at time n, and th denotes the preset attack detection threshold; if d_n(y_n) = 0, the cumulative value y_n of the entropy at time n is less than the preset attack detection threshold th and the interest flooding attack is not detected; if d_n(y_n) = 1, the cumulative value y_n of the entropy at time n is not less than the preset attack detection threshold th and the interest flooding attack is detected.
5. The defence method against interest flooding attacks in a content-centric network according to claim 1, characterized in that searching the prefix set of the names of the interest packets using the relative-entropy-based prefix determination algorithm to obtain the attack prefix includes:

setting the prefix distribution of each prefix in the prefix set before the interest flooding attack is detected as distribution p, and the prefix distribution of each prefix in the prefix set when the interest flooding attack is detected as distribution q;

calculating the relative entropy kld of distribution p and distribution q from distribution p and distribution q;

replacing the prefix distribution p of a prefix in the prefix set with its prefix distribution q to obtain a new prefix distribution p' of the prefix set, calculating the relative entropy kld_i of the new prefix distribution p' and distribution q, calculating the difference between relative entropy kld_i and relative entropy kld, and adding this difference to the set kldset, until every prefix in the prefix set has been traversed;

finding the index corresponding to the maximum value in the set kldset, and obtaining the attack prefix from that index.
6. The defence method against interest flooding attacks in a content-centric network according to claim 5, characterized in that the method further includes:

finding the indexes corresponding to the l largest values in the set kldset, and obtaining the corresponding attack prefixes from those indexes.
7. A defence device against interest flooding attacks in a content-centric network, characterized in that the device includes:

a statistics unit, configured to compute, according to a preset window, the entropy of the names of the interest packets that a router in the content-centric network receives at different moments;

a processing unit, configured to process the computed entropy with the cumulative sum algorithm to obtain the cumulative value of the entropy at different moments;

a judging unit, configured to judge whether the cumulative value is less than a preset attack detection threshold and, if not, to determine that the interest flooding attack is detected and to search the prefix set of the names of the interest packets using the relative-entropy-based prefix determination algorithm to obtain the attack prefix;

a sending unit, configured to generate, from the attack prefix, a data packet carrying the attack prefix and, according to the routing information recorded in the router's pending interest table for the interest packets that have the attack prefix, to send the data packet to the access router where the attacker is located, so that the access router limits the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest flooding attack.
8. The defence device against interest flooding attacks in a content-centric network according to claim 7, characterized in that the processing unit is specifically configured to:

obtain the cumulative value of the entropy at different moments according to the following formula (2):

where y_n denotes the cumulative value of the entropy at time n, y_{n-1} denotes the cumulative value of the entropy at time n-1, z_n = x_n - θ, x_n denotes the entropy computed at time n, θ denotes the upper bound of e(x_n), and e(x_n) denotes the mean of the entropy sequence {x_n} computed within a given time δt; for x > 0, x^+ = x, otherwise x^+ = 0.
9. The defence device against interest flooding attacks in a content-centric network according to claim 8, characterized in that the judging unit is specifically configured to:

judge whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):

where y_n denotes the cumulative value of the entropy at time n, d_n(y_n) denotes the value of the detection function applied to y_n at time n, and th denotes the preset attack detection threshold; if d_n(y_n) = 0, the cumulative value y_n of the entropy at time n is less than the preset attack detection threshold th and the interest flooding attack is not detected; if d_n(y_n) = 1, the cumulative value y_n of the entropy at time n is not less than the preset attack detection threshold th and the interest flooding attack is detected.
10. The defence device against interest flooding attacks in a content-centric network according to claim 7, characterized in that the judging unit is further configured to:

set the prefix distribution of each prefix in the prefix set before the interest flooding attack is detected as distribution p, and the prefix distribution of each prefix in the prefix set when the interest flooding attack is detected as distribution q;

calculate the relative entropy kld of distribution p and distribution q from distribution p and distribution q;

replace the prefix distribution p of a prefix in the prefix set with its prefix distribution q to obtain a new prefix distribution p' of the prefix set, calculate the relative entropy kld_i of the new prefix distribution p' and distribution q, calculate the difference between relative entropy kld_i and relative entropy kld, and add this difference to the set kldset, until every prefix in the prefix set has been traversed;

find the index corresponding to the maximum value in the set kldset, and obtain the attack prefix from that index.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610829821.5A CN106357641B (en) | 2016-09-18 | 2016-09-18 | The defence method and device of interest packet flood attack in a kind of content center network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106357641A (en) | 2017-01-25 |
CN106357641B (en) | 2019-10-22 |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107896217A (en) * | 2017-11-28 | 2018-04-10 | 重庆邮电大学 | The caching pollution attack detection method of multi-parameter in content center network |
CN107948138A (en) * | 2017-11-02 | 2018-04-20 | 东软集团股份有限公司 | It route detection method, device, readable storage medium storing program for executing and the electronic equipment of connection |
CN108234440A (en) * | 2017-09-28 | 2018-06-29 | 中国科学院信息工程研究所 | The detection method and device of low rate interest packet flood attack in content center network |
CN108347442A (en) * | 2018-02-09 | 2018-07-31 | 重庆邮电大学 | The method and system of interest packet extensive aggression are detected in content center network |
CN108712446A (en) * | 2018-06-19 | 2018-10-26 | 中国联合网络通信集团有限公司 | The defence method and device of interest packet flood attack in a kind of content center network |
CN109257390A (en) * | 2018-11-27 | 2019-01-22 | 杭州安恒信息技术股份有限公司 | Detection method, device and the electronic equipment of CC attack |
CN110995592A (en) * | 2019-12-16 | 2020-04-10 | 北京信息科技大学 | Novel self-maintenance method and route forwarding method of undetermined interest table |
CN111628982A (en) * | 2020-05-22 | 2020-09-04 | 哈尔滨工程大学 | Flooding attack mitigation method based on credit degree and kini impurities |
CN113162894A (en) * | 2020-11-30 | 2021-07-23 | 长安大学 | Collusion interest flooding attack detection method facing vehicle-mounted named data network |
US11444961B2 (en) * | 2019-12-20 | 2022-09-13 | Intel Corporation | Active attack detection in autonomous vehicle networks |
US20230116642A1 (en) * | 2021-10-08 | 2023-04-13 | Electronics And Telecommunications Research Institute | Method and apparatus for countering ddos attacks in ndn network |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040037326A1 (en) * | 2002-08-21 | 2004-02-26 | D'souza Scott | Mitigating denial-of-service attacks using frequency domain techniques |
CN101378394A (en) * | 2008-09-26 | 2009-03-04 | 成都市华为赛门铁克科技有限公司 | Detection defense method for distributed reject service and network appliance |
CN102014109A (en) * | 2009-09-08 | 2011-04-13 | 华为技术有限公司 | Flood attack prevention method and device |
US20140351929A1 (en) * | 2013-05-23 | 2014-11-27 | Palo Alto Research Center Incorporated | Method and system for mitigating interest flooding attacks in content-centric networks |
CN105119942A (en) * | 2015-09-16 | 2015-12-02 | 广东睿江科技有限公司 | Flood attack detection method |
-
2016
- 2016-09-18 CN CN201610829821.5A patent/CN106357641B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040037326A1 (en) * | 2002-08-21 | 2004-02-26 | D'souza Scott | Mitigating denial-of-service attacks using frequency domain techniques |
CN101378394A (en) * | 2008-09-26 | 2009-03-04 | 成都市华为赛门铁克科技有限公司 | Detection defense method for distributed reject service and network appliance |
CN102014109A (en) * | 2009-09-08 | 2011-04-13 | 华为技术有限公司 | Flood attack prevention method and device |
US20140351929A1 (en) * | 2013-05-23 | 2014-11-27 | Palo Alto Research Center Incorporated | Method and system for mitigating interest flooding attacks in content-centric networks |
CN105119942A (en) * | 2015-09-16 | 2015-12-02 | 广东睿江科技有限公司 | Flood attack detection method |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108234440A (en) * | 2017-09-28 | 2018-06-29 | 中国科学院信息工程研究所 | The detection method and device of low rate interest packet flood attack in content center network |
CN108234440B (en) * | 2017-09-28 | 2019-10-22 | 中国科学院信息工程研究所 | The detection method and device of low rate interest packet flood attack in content center network |
CN107948138A (en) * | 2017-11-02 | 2018-04-20 | 东软集团股份有限公司 | It route detection method, device, readable storage medium storing program for executing and the electronic equipment of connection |
CN107948138B (en) * | 2017-11-02 | 2020-12-11 | 东软集团股份有限公司 | Detection method and device for route connection, readable storage medium and electronic equipment |
CN107896217B (en) * | 2017-11-28 | 2020-10-16 | 重庆邮电大学 | Multi-parameter cache pollution attack detection method in content-centric network |
CN107896217A (en) * | 2017-11-28 | 2018-04-10 | 重庆邮电大学 | The caching pollution attack detection method of multi-parameter in content center network |
CN108347442A (en) * | 2018-02-09 | 2018-07-31 | 重庆邮电大学 | The method and system of interest packet extensive aggression are detected in content center network |
CN108712446A (en) * | 2018-06-19 | 2018-10-26 | 中国联合网络通信集团有限公司 | The defence method and device of interest packet flood attack in a kind of content center network |
CN109257390B (en) * | 2018-11-27 | 2021-11-05 | 杭州安恒信息技术股份有限公司 | CC attack detection method and device and electronic equipment |
CN109257390A (en) * | 2018-11-27 | 2019-01-22 | 杭州安恒信息技术股份有限公司 | Detection method, device and the electronic equipment of CC attack |
CN110995592A (en) * | 2019-12-16 | 2020-04-10 | 北京信息科技大学 | Novel self-maintenance method and route forwarding method of undetermined interest table |
US11444961B2 (en) * | 2019-12-20 | 2022-09-13 | Intel Corporation | Active attack detection in autonomous vehicle networks |
CN111628982A (en) * | 2020-05-22 | 2020-09-04 | 哈尔滨工程大学 | Flooding attack mitigation method based on credit degree and kini impurities |
CN111628982B (en) * | 2020-05-22 | 2022-03-18 | 哈尔滨工程大学 | Flooding attack mitigation method based on credit degree and kini impurities |
CN113162894A (en) * | 2020-11-30 | 2021-07-23 | 长安大学 | Collusion interest flooding attack detection method facing vehicle-mounted named data network |
CN113162894B (en) * | 2020-11-30 | 2023-08-22 | 深圳中富电路股份有限公司 | Collusion interest flooding attack detection method for vehicle-mounted named data networking |
US20230116642A1 (en) * | 2021-10-08 | 2023-04-13 | Electronics And Telecommunications Research Institute | Method and apparatus for countering ddos attacks in ndn network |
Also Published As
Publication number | Publication date |
---|---|
CN106357641B (en) | 2019-10-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106357641A (en) | | Method and device for defending interest flooding attacks in information centric network |
Liu et al. | | DDoS attack detection scheme based on entropy and PSO-BP neural network in SDN |
CN104539594B (en) | | Merge DDoS and threaten filtering and SDN frameworks, system and the method for work of routing optimality |
Loukas et al. | | Protection against denial of service attacks: A survey |
CN104660582B (en) | | The network architecture of the software definition of DDoS identifications, protection and path optimization |
CN102438025B (en) | | Indirect distributed denial of service attack defense method and system based on Web agency |
CN102271068B (en) | | Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack |
CN108683682A (en) | | A kind of ddos attack detection and defence method and system based on software defined network |
CN104539595B (en) | | It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality |
CN106357673A (en) | | DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system |
Hirayama et al. | | Fast target link flooding attack detection scheme by analyzing traceroute packets flow |
CN101572701A (en) | | Security gateway system for resisting DDoS attack for DNS service |
CN102638474B (en) | | Application layer DDOS (distributed denial of service) attack and defense method |
Seo et al. | | APFS: adaptive probabilistic filter scheduling against distributed denial-of-service attacks |
CN108347442B (en) | | The method and system of interest packet extensive aggression are detected in content center network |
CN110166480A (en) | | A kind of analysis method and device of data packet |
CN105871773A (en) | | DDoS filtering method based on SDN network architecture |
CN107864110A (en) | | Botnet main control end detection method and device |
Das et al. | | Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics |
CN105323241A (en) | | LDoS attack detection method in cloud computing based on available bandwidth Euclidean distance |
CN105871772A (en) | | Working method of SDN network architecture aimed at network attack |
CN105871771A (en) | | SDN network architecture aimed at DDoS network attack |
Malliga et al. | | A proposal for new marking scheme with its performance evaluation for IP traceback |
CN107612876B (en) | | Method for detecting service request packet flooding attack in intelligent cooperative network |
Zhan et al. | | Adaptive detection method for Packet-In message injection attack in SDN |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||