CN106357641A - Method and device for defending interest flooding attacks in information centric network - Google Patents

Publication number
CN106357641A
Authority
CN
China
Prior art keywords
prefix
entropy
attack
interest packet
value
Legal status
Granted
Application number
CN201610829821.5A
Other languages
Chinese (zh)
Other versions
CN106357641B (en
Inventor
辛永辉
李杨
李唯源
陈鑫
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201610829821.5A
Publication of CN106357641A
Application granted
Publication of CN106357641B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention provides a method and device for defending against Interest flooding attacks in an information-centric network, and relates to the field of network security. The method includes: computing, according to a preset window, the entropy of the names of the Interest packets received by a router in the information-centric network at different times; processing the computed entropy with a cumulative sum algorithm to obtain the cumulative values of the entropy at different times; judging whether a cumulative value is smaller than a preset attack detection threshold and, if not, determining that an Interest flooding attack is detected and searching the prefix set of the Interest packet names with a relative-entropy-based prefix determination algorithm to obtain the attack prefixes; and generating Data packets containing the attack prefixes and sending them to the access router where the attacker is located, according to the routing information recorded in the router's Pending Interest Table for the Interest packets containing the attack prefixes, so that the access router applies corresponding access limiting to the Interest packets it receives according to the attack prefixes in the Data packets.

Description

Method and device for defending against Interest flooding attacks in an information-centric network
Technical field
The present invention relates to the field of network security, and in particular to a method and device for defending against Interest flooding attacks in an information-centric network.
Background
The TCP/IP network architecture has proven its practicality over decades of Internet development, and has remained stable in the face of many new technologies and applications at the layers above and below it. However, as the Internet has developed, user demand for services such as mobility, content distribution and security has kept growing, gradually exposing the existing network's weaknesses in supporting mobility, content distribution and security. To address these new services, academia has proposed a new network architecture, the information-centric network (ICN). As one instantiation of ICN, named data networking (NDN) is well suited to content distribution and is a highly competitive candidate among future network architectures. NDN took security requirements into account from the start of its design and, because it replaces host identifiers with content, it avoids many types of attack found in existing networks. An NDN network can mitigate several distributed denial of service (DDoS) attacks that are common today, for example bandwidth exhaustion, reflection attacks and prefix-hijacking black holes. However, NDN has also given rise to a new DDoS attack specific to NDN, called the Interest flooding attack (IFA). In an NDN network, an Interest packet is recorded in the Pending Interest Table (PIT) of each intermediate router until it is satisfied by a Data packet, so an attacker can send a large number of fake Interest packets to exhaust the storage resources of intermediate routers. The initiator of this attack does not need to know how content is distributed, yet can seriously degrade the performance of the NDN network. How to resist IFA effectively therefore deserves close attention.
In NDN networks, existing IFA mitigation methods are mainly based on statistics of abnormal PIT state (hereinafter, PIT-based methods), for example a breakdown of flow balance (in an NDN network, one Interest packet corresponds to at most one Data packet), the Interest satisfaction ratio, or the timeout rate of PIT entries. Fig. 1 is a schematic diagram of an IFA. As shown in Fig. 1, assume that the PIT of each router can hold at most 4 Interest records, and that both legitimate users and attackers can send Interest requests to the content source (the malicious Interest packets sent by an attacker generally have no corresponding data at the content source). When the 4 Interest packets sent by the legitimate user and the malicious Interest packet sent by attacker-2 reach router node d at the same time, d drops one Interest packet; likewise, router nodes f and g, affected by attacker-1 and attacker-3, each drop one Interest packet. In the worst case, only one of the Interest packets sent by the legitimate user finally reaches the content source, which returns one normal Data packet, so the legitimate user is severely affected. Take an IFA mitigation method based on PIT anomaly statistics that uses the PIT entry timeout rate (the number of PIT entries that time out per unit time) as an example, and assume the timeout rate threshold is 3. Router node g, having forwarded 3 malicious Interest packets, is the first to reach the configured timeout rate and raises an IFA alert; it then determines the timed-out prefix from the timed-out PIT entries and handles the Interest packets containing that prefix.
PIT-based methods depend on statistics of abnormal PIT state, but many factors can make the PIT abnormal, for example normal network fluctuation, network congestion, link failure and attack. From PIT anomaly statistics alone it is hard to decide whether the network is under attack, let alone how to defend against the attack. If an attack is falsely reported, and requests from normal users are treated as attack requests and restricted, users can suffer immeasurable loss. In addition, if malicious Interest packets are limited only at the node that detects the attack, the whole downstream network is still heavily affected.
Summary of the invention
The object of the present invention is to provide a method and device for defending against Interest flooding attacks in an information-centric network. The method detects IFA on the basis of cumulative entropy. Once an IFA has been detected, it defends against the attack using a prefix determination method based on relative entropy combined with an Interest traceback mechanism, which both improves the accuracy of IFA detection and ensures the effectiveness of the defensive measure.
To achieve this object, the present invention provides a method for defending against Interest flooding attacks in an information-centric network. The method includes:
computing, according to a preset window, the entropy of the names of the Interest packets received by a router in the information-centric network at different times;
processing the computed entropy with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times;
judging whether the cumulative value is less than a preset attack detection threshold and, if not, determining that the Interest flooding attack is detected, and searching the prefix set of the names of the Interest packets with a prefix determination algorithm based on relative entropy to obtain the attack prefix;
generating, from the attack prefix, a Data packet carrying the attack prefix, and sending the Data packet to the access router where the attacker is located according to the routing information, recorded in the router's Pending Interest Table, of the Interest packets having the attack prefix, so that the access router applies corresponding access limiting to the Interest packets it receives according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack.
Optionally, computing, according to a preset window, the entropy of the names of the Interest packets received by a router in the information-centric network at different times includes:
computing that entropy according to the following equation (1):
$$h = -\sum_{i}^{m} p_i \cdot \log_2 p_i \tag{1}$$
where m is the number of distinct names of the Interest packets in the preset window, $p_i$ is the probability with which any one name i among the m names occurs, and h is the entropy.
Optionally, processing the computed entropy with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times includes:
obtaining the cumulative value of the entropy at different times according to the following equation (2):
$$y_n = \begin{cases} (y_{n-1} + z_n)^+, & n > 0 \\ 0, & n = 0 \end{cases} \tag{2}$$
where $y_n$ is the cumulative value of the entropy at time n, $y_{n-1}$ is the cumulative value of the entropy at time n-1, $z_n = x_n - \theta$, $x_n$ is the entropy computed at time n, $\theta$ is an upper bound of $e(x_n)$, and $e(x_n)$ is the mean of the entropy sequence $\{x_n\}$ computed within a given time $\delta t$; for $x > 0$, $x^+ = x$, otherwise $x^+ = 0$.
Optionally, judging whether the cumulative value is less than a preset attack detection threshold includes:
judging whether the cumulative value is less than the preset attack detection threshold according to the following equation (3):
$$d_n(y_n) = \begin{cases} 0, & y_n < th \\ 1, & y_n \geq th \end{cases} \tag{3}$$
where $y_n$ is the cumulative value of the entropy at time n, $d_n(y_n)$ is the value of the detection function for $y_n$ at time n, and $th$ is the preset attack detection threshold. If $d_n(y_n) = 0$, the cumulative value $y_n$ of the entropy at time n is less than the preset attack detection threshold $th$ and no Interest flooding attack is detected; if $d_n(y_n) = 1$, the cumulative value $y_n$ of the entropy at time n is not less than the preset attack detection threshold $th$ and the Interest flooding attack is detected.
Optionally, searching the prefix set of the names of the Interest packets with the prefix determination algorithm based on relative entropy to obtain the attack prefix includes:
setting the distribution of the prefixes in the prefix set before the Interest flooding attack is detected as distribution p, and the distribution of the prefixes in the prefix set when the Interest flooding attack is detected as distribution q;
computing the relative entropy kld of distribution p and distribution q from distribution p and distribution q;
for a prefix in the prefix set, replacing its value in distribution p with its value in distribution q to obtain a new prefix distribution p' of the prefix set, computing the relative entropy kld_i of the new prefix distribution p' and distribution q, computing the difference between the relative entropy kld_i and the relative entropy kld, and adding this difference to the set kldset, until every prefix in the prefix set has been traversed;
finding the index of the maximum value in the set kldset, and obtaining the attack prefix from that index.
Optionally, the method further includes:
finding the indices corresponding to the l largest values in the set kldset, and obtaining the corresponding attack prefixes from those indices.
Correspondingly, the present invention also provides a device for defending against Interest flooding attacks in an information-centric network. The device includes:
a statistics unit, configured to compute, according to a preset window, the entropy of the names of the Interest packets received by a router in the information-centric network at different times;
a processing unit, configured to process the computed entropy with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times;
a judging unit, configured to judge whether the cumulative value is less than a preset attack detection threshold and, if not, to determine that the Interest flooding attack is detected and to search the prefix set of the names of the Interest packets with a prefix determination algorithm based on relative entropy to obtain the attack prefix;
a sending unit, configured to generate, from the attack prefix, a Data packet carrying the attack prefix, and to send the Data packet to the access router where the attacker is located according to the routing information, recorded in the router's Pending Interest Table, of the Interest packets having the attack prefix, so that the access router applies corresponding access limiting to the Interest packets it receives according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack.
Optionally, the processing unit is specifically configured to:
obtain the cumulative value of the entropy at different times according to the following equation (2):
$$y_n = \begin{cases} (y_{n-1} + z_n)^+, & n > 0 \\ 0, & n = 0 \end{cases} \tag{2}$$
where $y_n$ is the cumulative value of the entropy at time n, $y_{n-1}$ is the cumulative value of the entropy at time n-1, $z_n = x_n - \theta$, $x_n$ is the entropy computed at time n, $\theta$ is an upper bound of $e(x_n)$, and $e(x_n)$ is the mean of the entropy sequence $\{x_n\}$ computed within a given time $\delta t$; for $x > 0$, $x^+ = x$, otherwise $x^+ = 0$.
Optionally, the judging unit is specifically configured to:
judge whether the cumulative value is less than the preset attack detection threshold according to the following equation (3):
$$d_n(y_n) = \begin{cases} 0, & y_n < th \\ 1, & y_n \geq th \end{cases} \tag{3}$$
where $y_n$ is the cumulative value of the entropy at time n, $d_n(y_n)$ is the value of the detection function for $y_n$ at time n, and $th$ is the preset attack detection threshold. If $d_n(y_n) = 0$, the cumulative value $y_n$ of the entropy at time n is less than the preset attack detection threshold $th$ and no Interest flooding attack is detected; if $d_n(y_n) = 1$, the cumulative value $y_n$ of the entropy at time n is not less than the preset attack detection threshold $th$ and the Interest flooding attack is detected.
Optionally, the judging unit is further configured to:
set the distribution of the prefixes in the prefix set before the Interest flooding attack is detected as distribution p, and the distribution of the prefixes in the prefix set when the Interest flooding attack is detected as distribution q;
compute the relative entropy kld of distribution p and distribution q from distribution p and distribution q;
for a prefix in the prefix set, replace its value in distribution p with its value in distribution q to obtain a new prefix distribution p' of the prefix set, compute the relative entropy kld_i of the new prefix distribution p' and distribution q, compute the difference between the relative entropy kld_i and the relative entropy kld, and add this difference to the set kldset, until every prefix in the prefix set has been traversed;
find the index of the maximum value in the set kldset, and obtain the attack prefix from that index.
As the above technical solution shows, the entropy of the names of the Interest packets received by a router in the information-centric network at different times is computed according to a preset window; the computed entropy is then processed with a cumulative sum algorithm to obtain the cumulative value of the entropy at different times; whether the cumulative value is less than a preset attack detection threshold is judged and, if not, the Interest flooding attack is detected and the prefix set of the Interest packet names is searched with the prefix determination algorithm based on relative entropy to obtain the attack prefix; finally, a Data packet carrying the attack prefix is generated from the attack prefix and sent to the access router where the attacker is located according to the routing information, recorded in the router's Pending Interest Table, of the Interest packets having the attack prefix, so that the access router applies corresponding access limiting to the Interest packets it receives according to the attack prefix carried in the Data packet, thereby defending against the Interest flooding attack. This not only improves the accuracy of IFA detection and reduces false positives, but also provides an effective defensive measure promptly after an attack is detected, reduces the impact of IFA on the network, and ensures that the network can provide normal service to users.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an IFA;
Fig. 2 is a flowchart of the method for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the IFA defensive measure provided by an embodiment of the present invention;
Fig. 4 is the simulation topology of the method for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention;
Fig. 5 is a schematic comparison of the PIT-based method and the method provided by the present invention when detecting an IFA;
Fig. 6 is a schematic comparison of the PIT-based method and the method provided by the present invention when defending against an IFA;
Fig. 7 is a schematic structural diagram of the device for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 2 is a flowchart of the method for defending against Interest flooding attacks in an information-centric network provided by an embodiment of the present invention. As shown in Fig. 2, the method includes:
In step S101, the entropy of the names of the Interest packets received by a router in the information-centric network at different times is computed according to a preset window.
Specifically, this step computes that entropy according to the following equation (1):
$$h = -\sum_{i}^{m} p_i \cdot \log_2 p_i \tag{1}$$
where m is the number of distinct names of the Interest packets in the preset window, $p_i$ is the probability with which any one name i among the m names occurs, and h is the entropy.
Entropy, also called information entropy in the communications field, expresses the randomness of events. Assuming that, over a period of time, legitimate users' requests for content follow a fixed distribution (for example, a Zipf distribution), the applicant uses the above method to measure the randomness of the names of the Interest packets received by a router node. Specifically, this step exploits the fact that the distribution of user requests is fairly stable under normal conditions, and performs statistical detection on the entropy of the request distribution at the router.
A router in an information-centric network can receive a large number of Interest packets per second. A window w can be set in advance and slid over the received Interest packets, which yields the measured entropy at different times. Because the network changes dynamically, the measured entropy floats within a stable range, and one could simply set a threshold on it to detect IFA. However, even a normal network shows large instantaneous fluctuations, so to make detection reliable the applicant processes the measured entropy with an algorithm based on the cumulative sum.
Then, in step S102, the computed entropy is processed with the cumulative sum algorithm to obtain the cumulative value of the entropy at different times.
Specifically, this step obtains the cumulative value of the entropy at different times according to the following equation (2):
$$y_n = \begin{cases} (y_{n-1} + z_n)^+, & n > 0 \\ 0, & n = 0 \end{cases} \tag{2}$$
where $y_n$ is the cumulative value of the entropy at time n, $y_{n-1}$ is the cumulative value of the entropy at time n-1, $z_n = x_n - \theta$, $x_n$ is the entropy computed at time n, $\theta$ is an upper bound of $e(x_n)$, and $e(x_n)$ is the mean of the entropy sequence $\{x_n\}$ computed within a given time $\delta t$; for $x > 0$, $x^+ = x$, otherwise $x^+ = 0$.
More specifically, the cumulative sum algorithm is one instance of change-point detection, with low delay and high detection accuracy. The applicant uses it to process the measured entropy. In practice the procedure is as follows:
The applicant first defines $x_n$ as the entropy measured at time n, $\{x_n\}$ as the entropy sequence measured within a given time $\delta t$, $e(x_n)$ as the mean of that entropy sequence, and $\theta$ as an upper bound of $e(x_n)$. The sequence $z_n = x_n - \theta$ is then constructed; under normal network conditions the mean of this sequence is negative. $y_n$ is defined by equation (2) above, so that $y_n$ represents the accumulation of the positive values of $z_n$. The value $\theta$ is introduced so that the cumulative value returns to zero under normal conditions, which prevents normal fluctuations from accumulating over time.
More specifically, after an attack is launched the measured entropy $x_n$ rises rapidly above $\theta$, $z_n$ becomes positive, and $y_n$ keeps accumulating until it reaches the attack detection threshold. When the network fluctuates briefly, $x_n$ may likewise rise rapidly above $\theta$, making $z_n$ positive and $y_n$ accumulate. However, as the fluctuation subsides, negative values of $z_n$ are added before $y_n$ reaches the configured attack threshold, and $y_n$ is gradually pulled back to 0. Normal network fluctuation is therefore handled well.
Next, in step S103, whether the cumulative value is less than a preset attack detection threshold is judged.
Specifically, this step judges whether the cumulative value is less than the preset attack detection threshold according to the following equation (3):
$$d_n(y_n) = \begin{cases} 0, & y_n < th \\ 1, & y_n \geq th \end{cases} \tag{3}$$
where $y_n$ is the cumulative value of the entropy at time n, $d_n(y_n)$ is the value of the detection function for $y_n$ at time n, and $th$ is the preset attack detection threshold. If $d_n(y_n) = 0$, the cumulative value $y_n$ of the entropy at time n is less than the preset attack detection threshold $th$ and no Interest flooding attack is detected; if $d_n(y_n) = 1$, the cumulative value $y_n$ of the entropy at time n is not less than the preset attack detection threshold $th$ and the Interest flooding attack is detected.
PIT-based methods easily misjudge attacks. To solve this problem, steps S101-S103 above can be used: the names of the Interest packets received by the router are chosen for entropy statistics, the cumulative sum algorithm is applied to the measured entropy, and an IFA is considered detected once the cumulative value reaches the configured detection threshold. In a specific embodiment, steps S101-S103 can be summarized as an IFA detection method based on cumulative entropy. With this method a router can detect an existing IFA in time, while avoiding misjudging legitimate user requests and avoiding the effect of normal network fluctuation on attack detection.
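The detection chain of steps S101-S103 on a constructed stream, as an added example (not code from the patent): it computes equation (1) per window, applies equations (2) and (3), and compares the outcome with a plain threshold on the raw entropy. The names, the window size of 32, θ = 2.3, th = 3.0 and the raw threshold 2.5 are constructed values, and the demo advances the window by its full length.

```python
import math
from collections import Counter


def name_entropy(names):
    """Equation (1): h = -sum(p_i * log2(p_i)) over the distinct names in one window."""
    total = len(names)
    return -sum((c / total) * math.log2(c / total) for c in Counter(names).values())


def windowed_entropies(stream, window, step):
    """Entropy x_n for each window of `window` Interest names, advancing by `step`."""
    return [name_entropy(stream[i:i + window])
            for i in range(0, len(stream) - window + 1, step)]


def cusum(entropies, theta):
    """Equation (2): y_0 = 0 and y_n = (y_{n-1} + x_n - theta)^+ for n > 0."""
    y, out = 0.0, []
    for x in entropies:
        y = max(0.0, y + (x - theta))
        out.append(y)
    return out


def first_alarm(values, th):
    """Equation (3): first n with d_n = 1, i.e. value >= th; None if there is none."""
    return next((n for n, v in enumerate(values) if v >= th), None)


# ---- Constructed sample traffic (not measurements from the patent) ----
WINDOW = 32
LEGIT = ["/video/a", "/video/b", "/news/c", "/news/d",
         "/img/e", "/img/f", "/doc/g", "/doc/h"]
NORMAL = [16, 8, 4, 2, 1, 1, 0, 0]        # stable, Zipf-like request mix
BURST = [8, 8, 4, 4, 4, 2, 1, 1]          # short-lived legitimate fluctuation
UNDER_ATTACK = [8, 4, 2, 1, 1, 0, 0, 0]   # half the window is left for fake names


def make_window(counts, tag):
    """Build one window: legitimate names by count, the rest unique fake names."""
    names = [name for name, c in zip(LEGIT, counts) for _ in range(c)]
    names += [f"/video/a/fake-{tag}-{k}" for k in range(WINDOW - len(names))]
    return names


def build_stream():
    """5 normal windows, 1 burst, 5 normal, then 4 windows under flooding."""
    plan = [NORMAL] * 5 + [BURST] + [NORMAL] * 5 + [UNDER_ATTACK] * 4
    stream = []
    for tag, counts in enumerate(plan):
        stream += make_window(counts, tag)
    return stream


def run_demo(theta=2.3, th=3.0, raw_threshold=2.5):
    """Run both detectors over the constructed stream and report the first alarms."""
    x = windowed_entropies(build_stream(), WINDOW, WINDOW)
    y = cusum(x, theta)
    return {
        "entropy": x,
        "cusum": y,
        "cusum_alarm": first_alarm(y, th),            # cumulative value vs. th
        "raw_alarm": first_alarm(x, raw_threshold),   # raw entropy vs. a fixed cut-off
    }


if __name__ == "__main__":
    result = run_demo()
    for n, (x, y) in enumerate(zip(result["entropy"], result["cusum"])):
        print(f"window {n:2d}  entropy={x:.4f}  cusum={y:.4f}")
    print("CUSUM alarm at window", result["cusum_alarm"])
    print("raw-threshold alarm at window", result["raw_alarm"])
```

On this stream the raw threshold fires on the legitimate burst, while the cumulative value decays back to 0 after the burst and crosses th only in the second window of the flood.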
Then, in step S104, when the cumulative value is judged to be not less than the preset attack detection threshold, the Interest flooding attack is detected, and the prefix set of the names of the Interest packets is searched with the prefix determination algorithm based on relative entropy to obtain the attack prefix.
Specifically, this step includes: setting the distribution of the prefixes in the prefix set before the Interest flooding attack is detected as distribution p, and the distribution of the prefixes in the prefix set when the Interest flooding attack is detected as distribution q; computing the relative entropy kld of distribution p and distribution q from distribution p and distribution q; for a prefix in the prefix set, replacing its value in distribution p with its value in distribution q to obtain a new prefix distribution p' of the prefix set, computing the relative entropy kld_i of the new prefix distribution p' and distribution q, computing the difference between the relative entropy kld_i and the relative entropy kld, and adding this difference to the set kldset, until every prefix in the prefix set has been traversed; finding the index of the maximum value in the set kldset, and obtaining the attack prefix from that index. After an IFA alert, this step finds the attack prefix with maximum probability, which makes it easier to take preventive measures.
Relative entropy, also called KL distance, expresses the difference between two distributions of the same variable. For two distributions p and q of the same variable, their relative entropy is defined as:
$$d(p \| q) = \sum_{i \in I} p(i) \cdot \log \frac{p(i)}{q(i)} \tag{4}$$
where i is an element of the variable's total space I. In this definition the conventions $0 \cdot \log(0/0) = 0$, $0 \cdot \log(0/q) = 0$ and $p \cdot \log(p/0) = \infty$ are needed; that is, for an element i, if $p(i) > 0$ and $q(i) = 0$, then $d(p \| q) = \infty$. Relative entropy is non-negative, and $d(p \| q) = 0$ only when p and q are the same distribution; the greater the difference between p and q, the larger the value of $d(p \| q)$.
More specifically, suppose the router records two distributions, p and q, of the name prefixes of Interest packets. When an IFA is detected, let the prefix distribution at that moment be p and the prefix distribution over a period shortly before be q; p and q are then two different distributions of the same name prefixes (detection has a certain lag, and detecting the very first attack Interest packet is too difficult). The algorithm is as follows:
Input: the prefix set prefixset; the prefix distribution p at the moment the attack is detected; the prefix distribution q before the moment the attack is detected. Output: the attack prefix prefix. The procedure is as follows:

    initialize kldset = null
    kld = d(p || q)
    for each i ∈ prefixset do
        p' = p
        p'(i) = q(i)
        kld_i = d(p' || q)
        δd = |kld_i - kld|
        add δd to kldset
    end for
    find the index k of the maximum value in kldset
    prefix = prefixset(k)

Specifically: (1) compute the relative entropy of p and q and record it as kld; (2) for each prefix i in the prefix set, replace p(i) with q(i) to obtain p', compute the relative entropy of p' and q and record it as kld_i, compute the magnitude of the difference between kld_i and kld, and add it to the set kldset, until all prefixes in the prefix set have been traversed; (3) find the index k of the maximum value in the set kldset; the attack prefix is prefixset(k). Because several prefixes may be under attack, the indices of the l largest values are taken if necessary and the corresponding prefixes are found. Preferably, the method further includes: finding the indices corresponding to the l largest values in the set kldset, and obtaining the corresponding attack prefixes from those indices.
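The prefix determination listing above as runnable Python, an added example rather than code from the patent. It follows the listing's input definition (p at detection, q before); the first-component prefix rule, the base-2 logarithm and the request counts are constructed assumptions.

```python
import math
from collections import Counter


def prefix_of(name, depth=1):
    """First `depth` components of a name: '/news/x/y' -> '/news' (assumed prefix rule)."""
    return "/" + "/".join(name.strip("/").split("/")[:depth])


def prefix_distribution(names, prefixset):
    """Share of Interests per prefix in `prefixset` (0.0 for prefixes not seen)."""
    counts = Counter(prefix_of(n) for n in names)
    total = sum(counts[p] for p in prefixset)
    return {p: counts[p] / total for p in prefixset}


def kld(p, q):
    """Equation (4), with the conventions 0*log(0/q) = 0 and p*log(p/0) = infinity."""
    total = 0.0
    for i, p_i in p.items():
        if p_i == 0.0:
            continue
        q_i = q.get(i, 0.0)
        if q_i == 0.0:
            return math.inf
        total += p_i * math.log2(p_i / q_i)
    return total


def rank_prefixes(prefixset, p, q):
    """Run the listing and return (prefix, |kld_i - kld|) pairs, largest first."""
    base = kld(p, q)
    kldset = []
    for i in prefixset:
        p_new = dict(p)
        p_new[i] = q[i]            # p'(i) = q(i); p' is not renormalised, as in the listing
        kld_i = kld(p_new, q)
        if math.isinf(kld_i) and math.isinf(base):
            kldset.append(0.0)     # inf - inf carries no information about prefix i
        else:
            kldset.append(abs(kld_i - base))
    order = sorted(range(len(prefixset)), key=kldset.__getitem__, reverse=True)
    return [(prefixset[k], kldset[k]) for k in order]


def attack_prefixes(prefixset, p, q, l=1):
    """Prefixes behind the l largest values in kldset."""
    return [name for name, _ in rank_prefixes(prefixset, p, q)[:l]]


# ---- Constructed sample: 100 fake Interests are injected under /news ----
PREFIXSET = ["/video", "/news", "/img", "/doc"]
BASE_COUNTS = {"/video": 50, "/news": 30, "/img": 15, "/doc": 5}


def names_from(counts, fake_under=None, fake=0):
    """Expand per-prefix counts into Interest names, plus `fake` unique fake names."""
    names = [f"{p}/item{k % 5}" for p, c in counts.items() for k in range(c)]
    names += [f"{fake_under}/fake-{k}" for k in range(fake)]
    return names


def demo_distributions():
    """Return (p, q): p at detection time, q from the window before the attack."""
    q = prefix_distribution(names_from(BASE_COUNTS), PREFIXSET)
    p = prefix_distribution(names_from(BASE_COUNTS, "/news", 100), PREFIXSET)
    return p, q


if __name__ == "__main__":
    p, q = demo_distributions()
    for name, delta in rank_prefixes(PREFIXSET, p, q):
        print(f"{name:8s} delta={delta:.4f}")
    print("attack prefix:", attack_prefixes(PREFIXSET, p, q, l=1))
```

Replacing p(i) with q(i) zeroes that prefix's term in equation (4), so each difference equals |p(i)·log(p(i)/q(i))|. In this sample the legitimate prefix /video, whose share halved during the flood, ranks second, which matters when taking the l largest values.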
Finally, in step S105, a data packet carrying the attack prefix is generated according to the attack prefix, and the data packet is sent to the access router where the attacker is located, according to the routing information of the interest packets with the attack prefix recorded in the pending interest table (PIT) of the router, so that the access router applies corresponding limiting to the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest packet flooding attack.
Because an NDN network is a fully peer-to-peer network, centralized control seems impractical and also increases the risk of being attacked; the applicant therefore adopts a distributed defense method. After an IFA attack has been launched and is detected on a router, that router executes the relative-entropy-based prefix decision algorithm to find the attack prefix. Because every forwarding router records in its PIT the interest packets that have been forwarded but are not yet satisfied and have not yet timed out (that is, the interest packets with the attack prefix), the router constructs a data packet of a specific format that carries the attack prefix, so that it can be returned along the reverse path to the access router where the attacker is located. After receiving the data packet, the access router checks it against the specific format. If the format of the data packet meets the requirements, the access router extracts the attack prefix carried in the data packet and applies corresponding limiting to the interest packet requests it subsequently receives. Fig. 3 is a schematic diagram of the IFA defense measure provided by an embodiment of the present invention. As shown in Fig. 3, assume that router i detects an interest packet flooding attack and determines the attack prefix; by constructing a special data packet it passes the attack prefix to access routers b, c and h, and the access routers apply corresponding limiting to the interest packet requests they subsequently receive.
To verify the concrete effect of the technical solution of the present invention, a specific embodiment illustrates it by simulation. Fig. 4 is the simulation topology of the defense method against interest packet flooding attacks in a content-centric network provided by an embodiment of the present invention. As shown in Fig. 4, legitimate users request, through router r1, content with the prefix "/root/good" from the content source, while attackers send, through routers r2, r3 and r4, malicious interest packets requesting content with the prefix "/root/evil" from the content source; because the content source has no content for the "/root/evil" prefix, it makes no response. Legitimate users send interest packet requests at a rate of 200 per second, and attackers send interest packet requests at a rate of 20 per second. The attack detection threshold is set to 100; for comparison with the PIT-based method, the PIT timeout rate threshold is set to 40 per second. The overall simulation time is 0 to 300 seconds, and the attack lasts from 200 to 250 seconds.
Fig. 5 is a comparison of the PIT-based method and the method provided by the present invention when detecting an IFA attack. As shown in Fig. 5, when the PIT-based method is used, the PIT timeout rate (PIT expiration rate) of routers r1 and r6 both reach the set threshold of 40, that is, both routers detect an interest packet flooding attack. However, Fig. 4 shows that router r1 is accessed only by legitimate users and not by attackers, so the PIT-based method produces a misjudgment. When the accumulated-entropy-based IFA attack detection method provided by the present invention is used, only router r1 detects the IFA attack. It should be noted that Fig. 5 makes the comparison using routers r1 and r6 as examples.
Fig. 6 is a comparison of the PIT-based method and the method provided by the present invention when defending against an IFA attack. Fig. 6 shows how the PIT size of routers r1, r2, r5 and r6 changes between 150 and 300 seconds of the overall 0 to 300 second simulation. The solid line ('rl') represents the PIT-based method, and the dashed line ('ce') represents the defense method against interest packet flooding attacks in a content-centric network provided by the present invention. As the figure shows, with the PIT-based method, router r1, which is accessed by legitimate users, applies limiting measures to the interest packets it receives, so the number of forwarded interest packets decreases and the PIT size drops sharply; likewise, router r2, which is accessed by the attacker, also applies the corresponding limiting measures, and its PIT size also declines. With the method provided by the present invention, however, router r1 forwards the interest packet requests received from legitimate users normally and its PIT size remains unchanged, while router r2 applies a limiting policy to the attack interest packets it receives and its PIT size declines. The corresponding PIT size changes can also be verified on routers r5 and r6.
Compared with the prior art, this embodiment, while detecting and defending against IFA attacks, takes into account several factors that may lead to false positives, and points out that when detecting attacks the prior art is prone to misjudgment and to wrongly applying measures to legitimate users. This embodiment exploits the fact that the distribution of users' interest packet requests is relatively stable under normal circumstances, and performs statistical detection on the router over the entropy of the interest packet request distribution. After an attack is detected, the possible attack prefix is calculated by means of relative entropy, and the determined attack prefix information is then passed, by constructing a data packet, to the access router where the attacker is located, which fundamentally limits the threat that attack interest packets pose to the network and ensures normal network service.
For the method embodiments, for simplicity of description, they are all expressed as a series of combined actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Furthermore, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Fig. 7 is a structural schematic diagram of the defense device against interest packet flooding attacks in a content-centric network provided by an embodiment of the present invention. As shown in Fig. 7, the defense device against interest packet flooding attacks in a content-centric network provided by an embodiment of the present invention includes:
A statistics unit 201, configured to count, according to a preset window, the entropy of the names of the interest packets received at different times by a router in the content-centric network;
A processing unit 202, configured to process the counted entropy values using the cumulative sum algorithm, to obtain the cumulative value of the entropy at different times;
A judging unit 203, configured to judge whether the cumulative value is less than a preset attack detection threshold and, if not, to detect the interest packet flooding attack and search the prefix set of the names of the interest packets using the relative-entropy-based prefix decision algorithm, to obtain the attack prefix;
A sending unit 204, configured to generate, according to the attack prefix, a data packet carrying the attack prefix, and to send the data packet to the access router where the attacker is located, according to the routing information of the interest packets with the attack prefix recorded in the pending interest table of the router, so that the access router applies corresponding limiting to the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest packet flooding attack.
In an optional embodiment of the present invention, the processing unit 202 is specifically configured to:
Obtain the cumulative value of the entropy at different times according to the following formula (2):
$$ y_n = \begin{cases} (y_{n-1} + z_n)^{+}, & n > 0 \\ 0, & n = 0 \end{cases} \qquad (2) $$
where $y_n$ is the cumulative value of the entropy at time n, $y_{n-1}$ is the cumulative value of the entropy at time n−1, $z_n = x_n - \theta$, $x_n$ is the entropy value counted at time n, $\theta$ is the upper bound of $E(x_n)$, and $E(x_n)$ is the mean of the entropy sequence $\{x_n\}$ counted within the given time $\Delta t$; for $x > 0$, $x^{+} = x$, otherwise $x^{+} = 0$.
In an optional embodiment of the present invention, the judging unit 203 is specifically configured to:
Judge whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):
$$ d_n(y_n) = \begin{cases} 0, & y_n < th \\ 1, & y_n \geq th \end{cases} \qquad (3) $$
where $y_n$ is the cumulative value of the entropy at time n, $d_n(y_n)$ is the value of the detection function applied to $y_n$ at time n, and $th$ is the preset attack detection threshold. If $d_n(y_n) = 0$, the cumulative value $y_n$ of the entropy at time n is less than the preset attack detection threshold $th$, and no interest packet flooding attack is detected; if $d_n(y_n) = 1$, the cumulative value $y_n$ of the entropy at time n is not less than the preset attack detection threshold $th$, and the interest packet flooding attack is detected.
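The detection chain of formulas (2) and (3), fed by the per-window name entropy of formula (1), as an added Python example (not code from the patent). The window contents, θ = 2.5 and th = 3.0 are constructed values chosen for the illustration; they are not the simulation parameters given in the description.

```python
import math
from collections import Counter


def name_entropy(names):
    """Formula (1): h = -sum(p_i * log2(p_i)) over the distinct names in one window."""
    total = len(names)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in Counter(names).values())


def detect(entropies, theta, th):
    """Formulas (2) and (3): return a list of (y_n, d_n) for the entropy sequence x_n."""
    results = []
    y = 0.0
    for n, x in enumerate(entropies):
        if n == 0:
            y = 0.0                        # y_0 = 0
        else:
            y = max(0.0, y + (x - theta))  # y_n = (y_{n-1} + z_n)^+, z_n = x_n - theta
        results.append((y, 1 if y >= th else 0))
    return results


def first_alarm(entropies, theta, th):
    """Index of the first window with d_n = 1, or None if no attack is flagged."""
    for n, (_, d) in enumerate(detect(entropies, theta, th)):
        if d == 1:
            return n
    return None


# Constructed traffic: a normal window repeats four legitimate names; an attack
# window adds twelve never-repeated names under a different prefix, which raises
# the entropy of the name distribution.
NORMAL_WINDOW = [f"/root/good/{c}" for c in "abcd" for _ in range(5)]
ATTACK_WINDOW = NORMAL_WINDOW + [f"/root/evil/{k:04x}" for k in range(12)]
WINDOWS = [NORMAL_WINDOW] * 4 + [ATTACK_WINDOW] * 4

THETA = 2.5   # assumed upper bound of the mean entropy of normal windows (2.0 here)
TH = 3.0      # assumed attack detection threshold

if __name__ == "__main__":
    xs = [name_entropy(w) for w in WINDOWS]
    for n, (x, (y, d)) in enumerate(zip(xs, detect(xs, THETA, TH))):
        print(f"n={n} x_n={x:.3f} y_n={y:.3f} d_n={d}")
    print("first alarm at window", first_alarm(xs, THETA, TH))
```

A single high-entropy window does not raise the alarm; the cumulative value crosses th only after the deviation above θ persists, which is the behaviour the cumulative sum step is there to provide.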
In an optional embodiment of the present invention, the judging unit 203 is further configured to:
Set the prefix distribution of the prefixes in the prefix set before the interest packet flooding attack is detected as distribution p, and the prefix distribution of the prefixes in the prefix set when the interest packet flooding attack is detected as distribution q;
Calculate the relative entropy kld of distribution p and distribution q according to distribution p and distribution q;
Replace the prefix distribution p of a prefix in the prefix set with the prefix distribution q to obtain a new prefix distribution p' of the prefix set, calculate the relative entropy kld_i of the new prefix distribution p' and distribution q, calculate the difference between the relative entropy kld_i and the relative entropy kld, and add this difference to the set kldset, until every prefix in the prefix set has been traversed;
Find the index corresponding to the maximum value in the set kldset, and obtain the attack prefix according to that index.
The details involved in the defense device against interest packet flooding attacks in a content-centric network provided by an embodiment of the present invention have already been described in detail in the defense method against interest packet flooding attacks in a content-centric network provided by an embodiment of the present invention, and are not repeated here. The defense device against interest packet flooding attacks in a content-centric network provided by an embodiment of the present invention may be deployed in a router of the content-centric network.
This embodiment counts, according to a preset window, the entropy of the names of the interest packets received at different times by a router in the content-centric network; then processes the counted entropy values using the cumulative sum algorithm to obtain the cumulative value of the entropy at different times; judges whether the cumulative value is less than a preset attack detection threshold and, if not, detects the interest packet flooding attack and searches the prefix set of the names of the interest packets using the relative-entropy-based prefix decision algorithm to obtain the attack prefix; and finally generates, according to the attack prefix, a data packet carrying the attack prefix and sends the data packet to the access router where the attacker is located, according to the routing information of the interest packets with the attack prefix recorded in the pending interest table of the router, so that the access router applies corresponding limiting to the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest packet flooding attack. This not only improves the accuracy of IFA detection and reduces false positives, but also provides effective defensive measures promptly after an attack is detected, reduces the impact of IFA on the network, and ensures that the network can provide normal service to users.
It should be noted that, in the components of the system of the present invention, the components have been divided logically according to the functions they are to realize; however, the present invention is not limited to this, and the components can be re-divided or combined as needed. For example, some components can be combined into a single component, or some components can be further decomposed into more sub-components.
The component embodiments of the present invention can be implemented in hardware, or as software modules running on one or more processors, or as a combination of these. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to realize some or all of the functions of some or all of the components in the system according to the embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.
The above embodiments are only intended to illustrate the present invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention, so all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.

Claims (10)

1. A defense method against interest packet flooding attacks in a content-centric network, characterized in that the method includes:
Counting, according to a preset window, the entropy of the names of the interest packets received at different times by a router in the content-centric network;
Processing the counted entropy values using the cumulative sum algorithm, to obtain the cumulative value of the entropy at different times;
Judging whether the cumulative value is less than a preset attack detection threshold and, if not, detecting the interest packet flooding attack and searching the prefix set of the names of the interest packets using the relative-entropy-based prefix decision algorithm, to obtain the attack prefix;
Generating, according to the attack prefix, a data packet carrying the attack prefix, and sending the data packet to the access router where the attacker is located, according to the routing information of the interest packets with the attack prefix recorded in the pending interest table of the router, so that the access router applies corresponding limiting to the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest packet flooding attack.
2. The defense method against interest packet flooding attacks in a content-centric network according to claim 1, characterized in that counting, according to a preset window, the entropy of the names of the interest packets received at different times by a router in the content-centric network includes:
Counting the entropy of the names of the interest packets received at different times by the router in the content-centric network according to the following formula (1):
$$ h = -\sum_{i=1}^{m} p_i \cdot \log_2 p_i \qquad (1) $$
where m is the number of distinct names of interest packets in the preset window, $p_i$ is the occurrence probability of any name i among the m names, and h is the entropy.
3. The defense method against interest packet flooding attacks in a content-centric network according to claim 1, characterized in that processing the counted entropy values using the cumulative sum algorithm, to obtain the cumulative value of the entropy at different times, includes:
Obtaining the cumulative value of the entropy at different times according to the following formula (2):
$$ y_n = \begin{cases} (y_{n-1} + z_n)^{+}, & n > 0 \\ 0, & n = 0 \end{cases} \qquad (2) $$
where $y_n$ is the cumulative value of the entropy at time n, $y_{n-1}$ is the cumulative value of the entropy at time n−1, $z_n = x_n - \theta$, $x_n$ is the entropy value counted at time n, $\theta$ is the upper bound of $E(x_n)$, and $E(x_n)$ is the mean of the entropy sequence $\{x_n\}$ counted within the given time $\Delta t$; for $x > 0$, $x^{+} = x$, otherwise $x^{+} = 0$.
4. The defense method against interest packet flooding attacks in a content-centric network according to claim 3, characterized in that judging whether the cumulative value is less than the preset attack detection threshold includes:
Judging whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):
$$ d_n(y_n) = \begin{cases} 0, & y_n < th \\ 1, & y_n \geq th \end{cases} \qquad (3) $$
where $y_n$ is the cumulative value of the entropy at time n, $d_n(y_n)$ is the value of the detection function applied to $y_n$ at time n, and $th$ is the preset attack detection threshold. If $d_n(y_n) = 0$, the cumulative value $y_n$ of the entropy at time n is less than the preset attack detection threshold $th$, and no interest packet flooding attack is detected; if $d_n(y_n) = 1$, the cumulative value $y_n$ of the entropy at time n is not less than the preset attack detection threshold $th$, and the interest packet flooding attack is detected.
5. The defense method against interest packet flooding attacks in a content-centric network according to claim 1, characterized in that searching the prefix set of the names of the interest packets using the relative-entropy-based prefix decision algorithm, to obtain the attack prefix, includes:
Setting the prefix distribution of the prefixes in the prefix set before the interest packet flooding attack is detected as distribution p, and the prefix distribution of the prefixes in the prefix set when the interest packet flooding attack is detected as distribution q;
Calculating the relative entropy kld of distribution p and distribution q according to distribution p and distribution q;
Replacing the prefix distribution p of a prefix in the prefix set with the prefix distribution q to obtain a new prefix distribution p' of the prefix set, calculating the relative entropy kld_i of the new prefix distribution p' and distribution q, calculating the difference between the relative entropy kld_i and the relative entropy kld, and adding this difference to the set kldset, until every prefix in the prefix set has been traversed;
Finding the index corresponding to the maximum value in the set kldset, and obtaining the attack prefix according to that index.
6. The defense method against interest packet flooding attacks in a content-centric network according to claim 5, characterized in that the method further includes:
Finding the indices corresponding to the l largest values in the set kldset, and obtaining the corresponding attack prefixes according to those indices.
7. A defense device against interest packet flooding attacks in a content-centric network, characterized in that the device includes:
A statistics unit, configured to count, according to a preset window, the entropy of the names of the interest packets received at different times by a router in the content-centric network;
A processing unit, configured to process the counted entropy values using the cumulative sum algorithm, to obtain the cumulative value of the entropy at different times;
A judging unit, configured to judge whether the cumulative value is less than a preset attack detection threshold and, if not, to detect the interest packet flooding attack and search the prefix set of the names of the interest packets using the relative-entropy-based prefix decision algorithm, to obtain the attack prefix;
A sending unit, configured to generate, according to the attack prefix, a data packet carrying the attack prefix, and to send the data packet to the access router where the attacker is located, according to the routing information of the interest packets with the attack prefix recorded in the pending interest table of the router, so that the access router applies corresponding limiting to the interest packets it receives according to the attack prefix carried in the data packet, thereby defending against the interest packet flooding attack.
8. The defense device against interest packet flooding attacks in a content-centric network according to claim 7, characterized in that the processing unit is specifically configured to:
Obtain the cumulative value of the entropy at different times according to the following formula (2):
$$ y_n = \begin{cases} (y_{n-1} + z_n)^{+}, & n > 0 \\ 0, & n = 0 \end{cases} \qquad (2) $$
where $y_n$ is the cumulative value of the entropy at time n, $y_{n-1}$ is the cumulative value of the entropy at time n−1, $z_n = x_n - \theta$, $x_n$ is the entropy value counted at time n, $\theta$ is the upper bound of $E(x_n)$, and $E(x_n)$ is the mean of the entropy sequence $\{x_n\}$ counted within the given time $\Delta t$; for $x > 0$, $x^{+} = x$, otherwise $x^{+} = 0$.
9. The defense device against interest packet flooding attacks in a content-centric network according to claim 8, characterized in that the judging unit is specifically configured to:
Judge whether the cumulative value is less than the preset attack detection threshold according to the following formula (3):
$$ d_n(y_n) = \begin{cases} 0, & y_n < th \\ 1, & y_n \geq th \end{cases} \qquad (3) $$
where $y_n$ is the cumulative value of the entropy at time n, $d_n(y_n)$ is the value of the detection function applied to $y_n$ at time n, and $th$ is the preset attack detection threshold. If $d_n(y_n) = 0$, the cumulative value $y_n$ of the entropy at time n is less than the preset attack detection threshold $th$, and no interest packet flooding attack is detected; if $d_n(y_n) = 1$, the cumulative value $y_n$ of the entropy at time n is not less than the preset attack detection threshold $th$, and the interest packet flooding attack is detected.
10. The defense device against interest packet flooding attacks in a content-centric network according to claim 7, characterized in that the judging unit is further configured to:
Set the prefix distribution of the prefixes in the prefix set before the interest packet flooding attack is detected as distribution p, and the prefix distribution of the prefixes in the prefix set when the interest packet flooding attack is detected as distribution q;
Calculate the relative entropy kld of distribution p and distribution q according to distribution p and distribution q;
Replace the prefix distribution p of a prefix in the prefix set with the prefix distribution q to obtain a new prefix distribution p' of the prefix set, calculate the relative entropy kld_i of the new prefix distribution p' and distribution q, calculate the difference between the relative entropy kld_i and the relative entropy kld, and add this difference to the set kldset, until every prefix in the prefix set has been traversed;
Find the index corresponding to the maximum value in the set kldset, and obtain the attack prefix according to that index.
CN201610829821.5A 2016-09-18 2016-09-18 The defence method and device of interest packet flood attack in a kind of content center network Active CN106357641B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610829821.5A CN106357641B (en) 2016-09-18 2016-09-18 The defence method and device of interest packet flood attack in a kind of content center network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610829821.5A CN106357641B (en) 2016-09-18 2016-09-18 The defence method and device of interest packet flood attack in a kind of content center network

Publications (2)

Publication Number Publication Date
CN106357641A true CN106357641A (en) 2017-01-25
CN106357641B CN106357641B (en) 2019-10-22

Family

ID=57858007

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610829821.5A Active CN106357641B (en) 2016-09-18 2016-09-18 The defence method and device of interest packet flood attack in a kind of content center network

Country Status (1)

Country Link
CN (1) CN106357641B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107896217A (en) * 2017-11-28 2018-04-10 重庆邮电大学 The caching pollution attack detection method of multi-parameter in content center network
CN107948138A (en) * 2017-11-02 2018-04-20 东软集团股份有限公司 It route detection method, device, readable storage medium storing program for executing and the electronic equipment of connection
CN108234440A (en) * 2017-09-28 2018-06-29 中国科学院信息工程研究所 The detection method and device of low rate interest packet flood attack in content center network
CN108347442A (en) * 2018-02-09 2018-07-31 重庆邮电大学 The method and system of interest packet extensive aggression are detected in content center network
CN108712446A (en) * 2018-06-19 2018-10-26 中国联合网络通信集团有限公司 The defence method and device of interest packet flood attack in a kind of content center network
CN109257390A (en) * 2018-11-27 2019-01-22 杭州安恒信息技术股份有限公司 Detection method, device and the electronic equipment of CC attack
CN110995592A (en) * 2019-12-16 2020-04-10 北京信息科技大学 Novel self-maintenance method and route forwarding method of undetermined interest table
CN111628982A (en) * 2020-05-22 2020-09-04 哈尔滨工程大学 Flooding attack mitigation method based on credit degree and kini impurities
CN113162894A (en) * 2020-11-30 2021-07-23 长安大学 Collusion interest flooding attack detection method facing vehicle-mounted named data network
US11444961B2 (en) * 2019-12-20 2022-09-13 Intel Corporation Active attack detection in autonomous vehicle networks
US20230116642A1 (en) * 2021-10-08 2023-04-13 Electronics And Telecommunications Research Institute Method and apparatus for countering ddos attacks in ndn network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040037326A1 (en) * 2002-08-21 2004-02-26 D'souza Scott Mitigating denial-of-service attacks using frequency domain techniques
CN101378394A (en) * 2008-09-26 2009-03-04 成都市华为赛门铁克科技有限公司 Detection defense method for distributed reject service and network appliance
CN102014109A (en) * 2009-09-08 2011-04-13 华为技术有限公司 Flood attack prevention method and device
US20140351929A1 (en) * 2013-05-23 2014-11-27 Palo Alto Research Center Incorporated Method and system for mitigating interest flooding attacks in content-centric networks
CN105119942A (en) * 2015-09-16 2015-12-02 广东睿江科技有限公司 Flood attack detection method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040037326A1 (en) * 2002-08-21 2004-02-26 D'souza Scott Mitigating denial-of-service attacks using frequency domain techniques
CN101378394A (en) * 2008-09-26 2009-03-04 成都市华为赛门铁克科技有限公司 Detection defense method for distributed reject service and network appliance
CN102014109A (en) * 2009-09-08 2011-04-13 华为技术有限公司 Flood attack prevention method and device
US20140351929A1 (en) * 2013-05-23 2014-11-27 Palo Alto Research Center Incorporated Method and system for mitigating interest flooding attacks in content-centric networks
CN105119942A (en) * 2015-09-16 2015-12-02 广东睿江科技有限公司 Flood attack detection method

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234440A (en) * 2017-09-28 2018-06-29 中国科学院信息工程研究所 The detection method and device of low rate interest packet flood attack in content center network
CN108234440B (en) * 2017-09-28 2019-10-22 中国科学院信息工程研究所 The detection method and device of low rate interest packet flood attack in content center network
CN107948138A (en) * 2017-11-02 2018-04-20 东软集团股份有限公司 It route detection method, device, readable storage medium storing program for executing and the electronic equipment of connection
CN107948138B (en) * 2017-11-02 2020-12-11 东软集团股份有限公司 Detection method and device for route connection, readable storage medium and electronic equipment
CN107896217B (en) * 2017-11-28 2020-10-16 重庆邮电大学 Multi-parameter cache pollution attack detection method in content-centric network
CN107896217A (en) * 2017-11-28 2018-04-10 重庆邮电大学 The caching pollution attack detection method of multi-parameter in content center network
CN108347442A (en) * 2018-02-09 2018-07-31 重庆邮电大学 The method and system of interest packet extensive aggression are detected in content center network
CN108712446A (en) * 2018-06-19 2018-10-26 中国联合网络通信集团有限公司 The defence method and device of interest packet flood attack in a kind of content center network
CN109257390B (en) * 2018-11-27 2021-11-05 杭州安恒信息技术股份有限公司 CC attack detection method and device and electronic equipment
CN109257390A (en) * 2018-11-27 2019-01-22 杭州安恒信息技术股份有限公司 Detection method, device and the electronic equipment of CC attack
CN110995592A (en) * 2019-12-16 2020-04-10 北京信息科技大学 Novel self-maintenance method and route forwarding method of undetermined interest table
US11444961B2 (en) * 2019-12-20 2022-09-13 Intel Corporation Active attack detection in autonomous vehicle networks
CN111628982A (en) * 2020-05-22 2020-09-04 哈尔滨工程大学 Flooding attack mitigation method based on credit degree and Gini impurity
CN111628982B (en) * 2020-05-22 2022-03-18 哈尔滨工程大学 Flooding attack mitigation method based on credit degree and Gini impurity
CN113162894A (en) * 2020-11-30 2021-07-23 长安大学 Collusion interest flooding attack detection method facing vehicle-mounted named data network
CN113162894B (en) * 2020-11-30 2023-08-22 深圳中富电路股份有限公司 Collusion interest flooding attack detection method for vehicle-mounted named data networking
US20230116642A1 (en) * 2021-10-08 2023-04-13 Electronics And Telecommunications Research Institute Method and apparatus for countering ddos attacks in ndn network

Also Published As

Publication number Publication date
CN106357641B (en) 2019-10-22

Similar Documents

Publication Publication Date Title
CN106357641A (en) Method and device for defending interest flooding attacks in information centric network
Liu et al. DDoS attack detection scheme based on entropy and PSO-BP neural network in SDN
CN104539594B (en) SDN architecture, system and working method integrating DDoS threat filtering and routing optimization
Loukas et al. Protection against denial of service attacks: A survey
CN104660582B (en) Software-defined network architecture for DDoS identification, protection and path optimization
CN102438025B (en) Indirect distributed denial of service attack defense method and system based on Web agency
CN102271068B (en) Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN108683682A (en) DDoS attack detection and defense method and system based on software-defined networking
CN104539595B (en) SDN architecture and working method integrating threat processing and routing optimization
CN106357673A (en) DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system
Hirayama et al. Fast target link flooding attack detection scheme by analyzing traceroute packets flow
CN101572701A (en) Security gateway system for resisting DDoS attack for DNS service
CN102638474B (en) Application layer DDOS (distributed denial of service) attack and defense method
Seo et al. APFS: adaptive probabilistic filter scheduling against distributed denial-of-service attacks
CN108347442B (en) Method and system for detecting interest packet flooding attacks in content-centric networks
CN110166480A (en) Data packet analysis method and device
CN105871773A (en) DDoS filtering method based on SDN network architecture
CN107864110A (en) Botnet main control end detection method and device
Das et al. Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics
CN105323241A (en) LDoS attack detection method in cloud computing based on available bandwidth Euclidean distance
CN105871772A (en) Working method of SDN network architecture aimed at network attack
CN105871771A (en) SDN network architecture aimed at DDoS network attack
Malliga et al. A proposal for new marking scheme with its performance evaluation for IP traceback
CN107612876B (en) Method for detecting service request packet flooding attack in intelligent cooperative network
Zhan et al. Adaptive detection method for Packet-In message injection attack in SDN

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant