CN106357661B - A distributed denial-of-service attack defense method based on switch rotation - Google Patents
- Publication number: CN106357661B
- Application number: CN201610867684.4A
- Authority: CN (China)
- Prior art keywords: switch, rotation, attacker, layer switch, network
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0281—Proxies
- H04L63/1458—Denial of Service
- H04L67/1001—Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
Abstract
The invention discloses a distributed denial-of-service (DDoS) attack defense method based on switch rotation, which overcomes the insufficient ability of the prior art to isolate DDoS attackers. The method comprises: 1) a proxy-layer switch receives network packets and judges whether the network traffic is anomalous; 2) if the traffic is not anomalous, the packet is forwarded by a hidden-layer switch according to the next address in the packet header; if it is anomalous, "3)" is executed; 3) the proxy-layer switch starts the switch rotation engine to process all network traffic; 4) the number of attackers is estimated by likelihood estimation from the "user-switch" connections; 5) attackers are screened through the switch rotation process; 6) if the attackers have been completely screened out and isolated, the rotation process ends; otherwise "5)" is executed again. The technique uses a greedy algorithm to dynamically remap the "user-switch" connections and isolates attackers through multiple rounds of rotation.
Description
Technical field
The present invention relates to a network attack defense method, and more particularly to a distributed denial-of-service attack defense method based on switch rotation.
Background art
A distributed denial-of-service (DDoS) attack is an attack technique derived from the denial-of-service attack. The attacker uses a large number of compromised slave hosts to attack the target, extending the one-to-one pattern of a denial-of-service attack to many-to-one, which makes it more harmful and harder to guard against. The root cause that makes DDoS attacks hard to eliminate lies in a design defect of the traditional network: the network was designed to guarantee end-to-end communication, with QoS (Quality of Service), stable transmission, security assurance and so on realized by the sending and receiving ends. As a result the two ends of the network are very complex, while the network itself is relatively simple and is only responsible for forwarding data. Malicious behavior at either end can therefore harm the other side, and the network itself has neither the task nor the ability to manage traffic. This shows in the following four aspects:
(1) High interdependence of network security. The security of the network elements depends heavily on one another, so even if the victim's system is hardened, a DDoS attack can still succeed because other fragile nodes remain in the network. Solving this problem requires a network-wide security system that eliminates the "shortest stave of the barrel".
(2) Finite network resources. Entities in the network, such as hosts, servers and bandwidth, all have upper limits, which gives DDoS attacks their basis.
(3) Asymmetry of information and resources. In a traditional network, resources such as information and services are stored only at the end nodes, and the network itself obtains limited information, such as the local topology. Under this asymmetry, an attacker can send data packets to the peer node without the network "perceiving" it.
(4) Lack of accountability. IP spoofing, for example, lets an attacker falsify the attack traffic, so responsibility for such behavior cannot be established; reflection attacks such as smurf are similar.
(4) Decentralized management. Differences in structure, requirements and so on lead traditional networks to be managed in a distributed way. Management is constrained by local network policies and is dispersed, so effective defense against network behavior cannot be achieved.
Based on the defects in the above four aspects, researchers have made various efforts to solve the distributed denial-of-service attack problem and have successively proposed different defense methods. These fall mainly into three types: traffic filtering, capability control, and load migration.
Defense methods based on traffic filtering deploy a large number of filters in the network and counter attacks by filtering and blocking traffic. This approach, however, assumes a clear difference between attack traffic and normal traffic, and no longer applies now that distributed denial-of-service attacks are commonly launched from botnets.
Defense methods based on capability control improve on the passivity of traffic filtering: a sender must obtain the recipient's permission before sending data, and the recipient can give different senders different priorities. Restricting access to the recipient's resources in this way is an active defense, but on the one hand it faces the problem of forged permissions, and on the other it depends on the processing capability of the routers in the network and is limited by the performance of the underlying physical facilities.
To break through the limits of the physical facilities, security personnel use third-party secure forwarding networks, such as Tor and SDN, to perform traffic detection, filtering and redirection, and introduce redundant servers to reduce the attack load. The core of this approach is to reduce the impact of an attack through load migration, but when facing higher-volume attacks the load migration capacity becomes a bottleneck.
Of the above, traffic filtering suffers from unstable false positives and false negatives; capability control merely moves the attack target to the authentication server and does not solve the distributed denial-of-service problem head-on; and load migration has a traffic bottleneck. In addition, none of these methods changes the static nature of the defense, and from the attacker's point of view a static defense can always be broken or bypassed.
To address the defects of static defense, researchers proposed the hidden middle layer: a dynamically changeable hidden layer deployed between the attacker and the target to forward the attack flows. Wang proposed a hidden-proxy method to counter distributed denial-of-service attacks. However, because the IP address of the hidden proxy is fixed, an attacker can obtain it by probing, which defeats the defense. Hidden-layer methods also require third-party upgrades to conventional network equipment, at considerable cost.
Summary of the invention
The present invention overcomes the prior art's insufficient ability to isolate distributed denial-of-service attackers by providing a distributed denial-of-service attack defense method based on switch rotation, which builds an OpenFlow switch rotation model on the centralized control and dynamic management of software-defined networking.
The technical solution of the invention is a distributed denial-of-service attack defense method based on switch rotation comprising the following steps:
Step 1) A proxy-layer switch receives network packets and judges whether the network traffic is anomalous;
Step 2) If the traffic is not anomalous, the packet is forwarded by a hidden-layer switch according to the next address in the packet header; if the traffic is anomalous, "step 3)" is executed;
Step 3) The proxy-layer switch starts the switch rotation engine and directs all network traffic to the switch rotation engine for processing;
Step 4) The switch rotation engine performs likelihood estimation of the number of attackers from the "user-switch" connections;
Step 5) The switch rotation engine screens attackers through the switch rotation process;
Step 6) If the attackers have been completely screened out and isolated, the rotation process ends; if not, "step 5)" is executed again until the attackers are completely screened out and isolated.
In step 1), the proxy-layer switch is responsible for network attack detection and for executing the switch rotation process; an open-source OpenFlow switch is modified to perform the proxy switch function. A flow detector deployed on the proxy switch detects changes in instantaneous traffic; if the change in instantaneous traffic exceeds a preset value, the network traffic is considered anomalous.
In step 2), the hidden-layer switch is responsible for forwarding legitimate packets. The IP address of the hidden-layer switch is private, which prevents an attacker from directing attack flows at that switch. The hidden-layer switch is a router or switch responsible for data forwarding in a traditional network or an SDN network.
In step 3), the switch rotation engine forms the proxy-layer switches of step 1) into a switch pool, which the SDN controller schedules according to the rotation algorithm.
In step 4), the attacker likelihood estimate is a theoretical estimate. The likelihood estimation of the number of attackers is completed according to the formula [formula missing], where N_sum is the number of all users in the current network, N_A is the total number of attackers, S is the total number of proxy-layer switches, and S_j is the number of users whose traffic switch j forwards. Let X be the number of proxy-layer switches that are not under attack; when an attack occurs, X = m, and in a given attack the value of X is learned from the flow detectors deployed in the proxy switches.
In step 5), the rotation algorithm invoked by the switch rotation process is the optimized greedy rotation algorithm, whose subprocess has constant time complexity. Through the switch rotation process, the switch rotation engine invokes the switch rotation algorithm to screen out and isolate the attackers.
Compared with the prior art, the distributed denial-of-service attack defense method based on switch rotation of the present invention has the following advantages:
1. It proposes a dynamic defense method based on switch rotation that uses the centralized control and dynamic management of software-defined networking to build an OpenFlow switch rotation model, uses a greedy algorithm to dynamically remap the "user-switch" connections, and isolates attackers through multiple rounds of rotation while providing legitimate users with low-latency, continuous service.
2. The invention proposes a rotation model for OpenFlow switches that achieves both defense against and localization of distributed denial-of-service attacks, and addresses two shortcomings of current methods: (1) current DDoS defenses generally use static filtering, configuration and similar methods, which on the one hand carry a high load and on the other are inflexible, and which often require upgrading the whole network and the underlying hardware when faced with new kinds of distributed denial-of-service attack; (2) current attack localization methods based on packet traceback cannot locate the attacker in real time during the defense, and their localization efficiency is too low against attacks launched from botnets.
3. Building on the centralized control and dynamic management of software-defined networking, the invention proposes a distributed denial-of-service attack defense method with uninterrupted service. Current defenses often affect legitimate access while countering an attack, delaying visitors' network access or even causing a server restart that cuts off all visitors. The invention uses the controller to control switch rotation while providing service, so that legitimate visitors separated from the attack flows continue to be served while the network is under attack.
Description of the drawings
Fig. 1 is the flow chart of the distributed denial-of-service attack defense method based on switch rotation of the present invention;
Fig. 2 is a schematic diagram of the working process of the switch rotation engine in the distributed denial-of-service attack defense method based on switch rotation of the present invention;
Fig. 3 is a schematic diagram of the switch rotation model of the distributed denial-of-service attack defense method based on switch rotation of the present invention.
Specific embodiment
The distributed denial-of-service attack defense method based on switch rotation of the present invention is further described below with reference to the drawings and a specific embodiment. The method comprises the following steps:
Step 1) A proxy-layer switch receives network packets and judges whether the network traffic is anomalous;
Step 2) If the traffic is not anomalous, the packet is forwarded by a hidden-layer switch according to the next address in the packet header; if the traffic is anomalous, "step 3)" is executed;
Step 3) The proxy-layer switch starts the switch rotation engine and directs all network traffic to the switch rotation engine for processing;
Step 4) The switch rotation engine performs likelihood estimation of the number of attackers from the "user-switch" connections;
Step 5) The switch rotation engine screens attackers through the switch rotation process;
Step 6) If the attackers have been completely screened out and isolated, the rotation process ends; if not, "step 5)" is executed again until the attackers are completely screened out and isolated.
In step 1), the proxy-layer switch is responsible for network attack detection and for executing the switch rotation process; an open-source OpenFlow switch is modified to perform the proxy switch function. A flow detector deployed on the proxy switch detects changes in instantaneous traffic; if the change in instantaneous traffic exceeds a preset value, the network traffic is considered anomalous.
In step 2), the hidden-layer switch is responsible for forwarding legitimate packets. The IP address of the hidden-layer switch is private, which prevents an attacker from directing attack flows at that switch. The hidden-layer switch is a router or switch responsible for data forwarding in a traditional network or an SDN network.
In this embodiment, all users connected to the proxy-layer switches are attackers and there is no legitimate traffic; if all users are isolated, the embodiment can be used to assess the invention's ability to isolate attackers.
In step 3), the switch rotation engine forms the proxy-layer switches of step 1) into a switch pool, which the SDN controller schedules according to the rotation algorithm.
In step 4), the attacker likelihood estimate is a theoretical estimate. The likelihood estimation of the number of attackers is completed according to the formula [formula missing], where N_sum is the number of all users in the current network, N_A is the total number of attackers, S is the total number of proxy-layer switches, and S_j is the number of users whose traffic switch j forwards. Let X be the number of proxy-layer switches that are not under attack; when an attack occurs, X = m, and in a given attack the value of X is learned from the flow detectors deployed in the proxy switches.
In step 5), the rotation algorithm invoked by the switch rotation process is the optimized greedy rotation algorithm, in which the algorithmic complexity and other aspects have been optimized. The time complexity of its subprocess is constant. Through the switch rotation process, the switch rotation engine invokes the switch rotation algorithm to screen out and isolate the attackers.
The present invention optimizes the rotation engine based on the greedy algorithm, bringing its time complexity down to a constant level.
Refer to Fig. 1 and Fig. 2. The distributed denial-of-service attack defense method based on switch rotation comprises:
Step 1: when the throughput detector in a proxy-layer switch detects that the throughput exceeds the preset threshold, an alarm for abnormal network traffic is generated;
Step 2: the proxy-layer switch on which the anomaly was raised executes the associated script code and starts the switch rotation engine, and attackers are isolated through the screening of the rotation engine;
Step 3: check whether any proxy-layer switch is still under attack; if none is, attacker isolation is deemed complete, and the attack flows are redirected to a specific destination address or dropped, reducing the impact of the attack on the network.
The content of steps 1, 2 and 3 is described in detail below:
(1) Step 1:
Detection of abnormal network traffic by the proxy-layer switch can be done by deploying a flow detector on the proxy switch, which detects changes in instantaneous traffic; if the change in instantaneous traffic exceeds a preset value, the network traffic is considered anomalous.
(2) Step 2:
1) Switch rotation model
Fig. 3 shows the switch rotation model. In the figure, 7 users (User-1 to User-7, of which User-3 and User-5 are hidden attackers) have their data forwarded by 3 proxy switches (S1, S2, S3): User-1, 2, 3 are forwarded by S1, User-4, 5 by S2, and User-6, 7 by S3. When the attack occurs, S1 and S2 are under attack. The controller invokes the rotation algorithm and schedules other proxy switches to serve User-1, 2, 3, 4, 5, entering the first round of rotation: User-1, 3, 5 are forwarded by S4, and User-2, 4 by S5. Since S5 serves User-2, 4 and S5 is not under attack, User-2, 4 can be judged not to be attackers; S4 is still under attack, so User-1, 3, 5 may be attackers. After the next round of rotation, User-2, 5 can be identified and handled.
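A small simulation of the rotation-and-screening loop described above, replaying the Fig. 3 scenario. This is an added example, not code from the patent: the even random split in `reassign`, the pool of three replacement switches per round, and the stopping rule (every attacked switch carries exactly one user) are assumptions that stand in for the patent's GreedyShuffle and likelihood estimate, whose formulas are not reproduced on this page.

```python
import random

# Constructed sample data mirroring the Fig. 3 scenario described above.
FIG3_ASSIGNMENT = {
    "S1": {"User-1", "User-2", "User-3"},
    "S2": {"User-4", "User-5"},
    "S3": {"User-6", "User-7"},
}
# Ground truth, used only to simulate what the flow detectors would report.
FIG3_ATTACKERS = {"User-3", "User-5"}


def attacked_switches(assignment, attackers):
    """Stand-in for the per-switch flow detector: a proxy switch reports
    'under attack' when at least one user it forwards for is an attacker."""
    return {sw for sw, users in assignment.items() if users & attackers}


def screen_round(assignment, attacked):
    """One screening pass: users on a switch that is not under attack are
    cleared; everyone on an attacked switch stays suspicious."""
    cleared, suspects = set(), set()
    for sw, users in assignment.items():
        (suspects if sw in attacked else cleared).update(users)
    return cleared, suspects


def reassign(suspects, pool_size, round_no, rng):
    """Shuffle the suspects and deal them evenly onto `pool_size` fresh
    proxy switches (assumed simple split, not the patent's GreedyShuffle)."""
    order = sorted(suspects)
    rng.shuffle(order)
    assignment = {}
    for i, user in enumerate(order):
        switch = f"R{round_no}-S{i % pool_size}"  # hypothetical switch names
        assignment.setdefault(switch, set()).add(user)
    return assignment


def isolate(assignment, attackers, pool_size, seed=0, max_rounds=50):
    """Rotate until every attacked switch forwards for exactly one user,
    at which point each remaining suspect is individually confirmed.

    Progress is only guaranteed when pool_size exceeds the number of
    attackers: then at least one switch per round is attack-free and
    clears its users. Returns (suspects, cleared, history), where history
    is a list of (round number, suspect count).
    """
    rng = random.Random(seed)
    cleared, history = set(), []
    for round_no in range(max_rounds + 1):
        attacked = attacked_switches(assignment, attackers)
        newly_cleared, suspects = screen_round(assignment, attacked)
        cleared |= newly_cleared
        history.append((round_no, len(suspects)))
        if all(len(assignment[sw]) == 1 for sw in attacked):
            return suspects, cleared, history
        # Only the remaining suspects are moved; cleared users keep service.
        assignment = reassign(suspects, pool_size, round_no + 1, rng)
    raise RuntimeError("attackers not isolated within max_rounds")


if __name__ == "__main__":
    suspects, cleared, history = isolate(FIG3_ASSIGNMENT, FIG3_ATTACKERS, pool_size=3)
    print("isolated:", sorted(suspects))
    print("cleared: ", sorted(cleared))
    print("suspects per round:", history)
```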
2) Switch rotation algorithm based on the greedy algorithm
N_sum is the number of all users in the current SDN network, N_A is the total number of attackers, N_su is the number of suspicious users when the attack occurs, N_sa is the number of users identified as legitimate (saved) after one round of shuffling, and N_us is the number of users still suspicious after one round of shuffling. The following two equations hold: N_sum = N_A + N_su and N_su = N_sa + N_us. The objective function E(N_sa) denotes the expected number of users identified as legitimate in each round of shuffling; the aim is to maximize E(N_sa) with an algorithm of low time complexity. Fig. 3 is the switch rotation algorithm realized with the greedy algorithm. Algorithm GreedyShuffle is a recursive algorithm that calls the MaxSwitch() function to obtain the allocation plan satisfying the formula [formula missing]. k denotes the number of users connected to a proxy-layer switch, proxyAssign denotes the number of proxy-layer switches needed when allocating according to the value of k, and ProxRem, userRem, attackRem denote the remaining number of proxy-layer switches.
3) Optimization of the switch rotation algorithm
Algorithm GreedyShuffle is a recursive algorithm whose time complexity is readily seen to be Θ(N_sum · N_A). When N_sum and N_A are large, the complexity is too high and the amount of computation too great. To address this, the Stirling approximation [formula missing] is used here; when N_A << N_sum, this gives [formula missing]. A variable x is introduced with [formula missing], so that [formula missing]. Differentiating this expression [formula missing] shows that the derivative is 0 when x = 1, where E(S_j) takes its maximum. In summary, [formula missing]. The loop in the MaxSwitch function of Algorithm 1 can therefore be omitted, so that the function's complexity becomes 1, and the time complexity of Algorithm 1 is reduced to Θ(N_A).
(3) Step 3:
The main task of step 3 is to judge whether attacker isolation is complete. This can be determined on the one hand from the detection state of the proxy switches, and on the other from the attacker maximum likelihood estimation model.
The invention pre-estimates the number of attackers using maximum likelihood estimation. Let X be the number of proxy-layer switches that are not under attack. When an attack occurs, X = m; in a given attack the value of X is known (the flow detector deployed in each switch tells whether that switch is under attack). It is known that [formula missing]. Let the set U = {u_1, u_2, ..., u_m} denote the proxy-layer switches that are not under attack; then [formula missing] denotes the sum over all proxy-layer switches that are not under attack and [formula missing] denotes the number of attackers, which gives the following equation: [formula missing]. The theoretical value of N_A can be derived from the above two formulas, and the judgment in step 3 uses this theoretical value to determine whether the attackers have been completely isolated.
Claims (6)
1. A distributed denial-of-service attack defense method based on switch rotation, characterized by comprising the following steps:
Step 1) A proxy-layer switch receives network packets and judges whether the network traffic is anomalous;
Step 2) If the traffic is not anomalous, the packet is forwarded by a hidden-layer switch according to the next address in the packet header; if the traffic is anomalous, "step 3)" is executed;
Step 3) The proxy-layer switch starts the switch rotation engine and directs all network traffic to the switch rotation engine for processing;
Step 4) The switch rotation engine performs likelihood estimation of the number of attackers from the "user-switch" connections;
Step 5) The switch rotation engine screens attackers through the switch rotation process, the switch rotation process being the process in which the switch rotation engine invokes the rotation algorithm to screen out and isolate the attackers;
Step 6) If the attackers have been completely screened out and isolated, the rotation process ends; if not, "step 5)" is executed again until the attackers are completely screened out and isolated.
2. The distributed denial-of-service attack defense method based on switch rotation according to claim 1, characterized in that in step 1), the proxy-layer switch is responsible for network attack detection and for executing the switch rotation process; an open-source OpenFlow switch is modified to perform the proxy switch function; a flow detector deployed on the proxy switch detects changes in instantaneous traffic, and if the change in instantaneous traffic exceeds a preset value, the network traffic is considered anomalous.
3. The distributed denial-of-service attack defense method based on switch rotation according to claim 1, characterized in that in step 2), the hidden-layer switch is responsible for forwarding legitimate packets; the IP address of the hidden-layer switch is private, which prevents an attacker from directing attack flows at that switch; the hidden-layer switch is a router or switch responsible for data forwarding in a traditional network or an SDN network.
4. The distributed denial-of-service attack defense method based on switch rotation according to claim 1, characterized in that in step 3), the switch rotation engine forms the proxy-layer switches of step 1) into a switch pool, which the SDN controller schedules according to the rotation algorithm.
5. The distributed denial-of-service attack defense method based on switch rotation according to claim 1, characterized in that in step 4), the attacker likelihood estimate is a theoretical estimate, and the likelihood estimation of the number of attackers is completed according to the formula [formula missing], where N_sum is the number of all users in the current network, N_A is the total number of attackers, S is the total number of proxy-layer switches, S_j is the number of users whose traffic switch j forwards, and the set U = {u_1, u_2, ..., u_m} denotes the proxy-layer switches that are not under attack; let X be the number of proxy-layer switches that are not under attack; when an attack occurs, X = m, and in a given attack the value of X is learned from the flow detectors deployed in the proxy switches.
6. The distributed denial-of-service attack defense method based on switch rotation according to claim 1, characterized in that in step 5), the rotation algorithm invoked by the switch rotation process is the optimized greedy rotation algorithm, whose subprocess has constant time complexity; the optimized greedy rotation algorithm is the switch rotation algorithm based on the greedy algorithm; the greedy rotation algorithm is used to compute the allocation strategy between users and proxy-layer switches.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610867684.4A CN106357661B (en) | 2016-09-30 | 2016-09-30 | A distributed denial-of-service attack defense method based on switch rotation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106357661A (en) | 2017-01-25 |
CN106357661B (en) | 2019-09-06 |