CN108234440B - The detection method and device of low rate interest packet flood attack in content center network - Google Patents


Info

Publication number: CN108234440B
Authority: CN (China)
Prior art keywords: time, interest packet, pit, attack, interest
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201710899496.4A
Other languages: Chinese (zh)
Other versions: CN108234440A
Inventors: 辛永辉, 李杨, 杨兴华, 谭倩
Current Assignee: Institute of Information Engineering of CAS (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Institute of Information Engineering of CAS
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:

Events:
- Application filed by Institute of Information Engineering of CAS
- Priority to CN201710899496.4A
- Publication of CN108234440A
- Application granted
- Publication of CN108234440B
- Legal status: Active (current)
- Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method and device for detecting low-rate Interest flooding attacks (LIFA) in a content-centric network, which can improve the accuracy of LIFA detection and reduce false positives. The method includes: S1, using a traffic sampling signal in the content-centric network and a mother wavelet, compute the wavelet coefficient d_{j,k} of each scale in a selected scale set, and use the wavelet coefficients d_{j,k} to reconstruct the low-frequency part of the traffic sampling signal, where the number of wavelet decomposition levels is J, J is a positive integer, the scale set is the set of integers not less than … and less than J, and d_{j,k} denotes the detail information at scale j and translation k; S2, compare the modulus of the low-frequency part with a preset detection threshold, and if the modulus is not less than the detection threshold, determine that a low-rate Interest flooding attack is present.

Description

The detection method and device of low rate interest packet flood attack in content center network
Technical field
The present invention relates to the field of network security, and in particular to a method and device for detecting low-rate Interest flooding attacks in a content-centric network.
Background art
The TCP/IP network architecture has demonstrated its practicality over decades of Internet development, and has appeared all the more stable when faced with new technologies and applications at the layers above and below it. However, as the Internet has developed, users' demands for mobility, content distribution and security have kept growing, gradually exposing the limited support the existing network offers for mobility, content distribution and security. To cope with these new kinds of service, academia has proposed a new network architecture: the content-centric network (Information Centric Network, ICN). As an instantiation of ICN, Named Data Networking (NDN) is well suited to content distribution and is highly competitive among future network architectures. NDN took security into account from the very start of its design, and because it abandons host identifiers in favour of content names it can avoid many types of attack found in today's networks. NDN can mitigate several currently prevalent distributed denial-of-service (DDoS) attacks, such as bandwidth-exhaustion, reflection and prefix-hijacking black-hole attacks. However, it has also given rise to a new DDoS attack specific to NDN, called the Interest Flooding Attack (IFA). Because in an NDN network an Interest packet is recorded in the Pending Interest Table (PIT) of intermediate routers before the Data packet that satisfies it is obtained, an attacker can send large numbers of bogus Interest packets to exhaust the storage resources of intermediate routers. The initiator of such an attack need not know the distribution of content across the whole network, yet can seriously degrade NDN performance; the corresponding detection and defence methods have accordingly been studied extensively in academia. However, we believe that, with the help of a colluding server, an attacker can also easily launch an Interest flooding attack that evades PIT-timeout-based detection methods, and can tune the attack parameters so that the attack traffic is submerged in the network's own traffic and thereby evades detection methods based on traffic variation; we refer to such an attack as a Low-rate Interest Flooding Attack (LIFA). In terms of attack effect, the harm caused by a low-rate Interest flooding attack is similar to that of a traditional bogus-Interest flooding attack; in terms of harmfulness, however, this low-rate flooding attack is harder to detect and therefore more damaging, so an effective method for detecting this kind of attack is needed.
As shown in Figure 1, A, B and C are ICN routers. Interest packets requested by normal users reach the content server via routers A and C; during this process routers A and C each create a PIT entry for every forwarded Interest packet with a distinct name. When a router receives a normal Interest packet request, the corresponding Data packet is returned immediately; when router C receives the corresponding Data packet, it looks up the PIT entry, finds that the corresponding Interest packet was forwarded from A, and forwards the Data packet to A; router A likewise forwards the Data packet to the normal user after a similar lookup. Once a router has forwarded the Data packet, or the lifetime of the PIT entry expires, the entry is destroyed by the system, so in the absence of an attack the router's PIT resources are in a dynamic process of occupation and release.
As shown in Fig. 1(a), in a traditional bogus-Interest IFA the attacker sends, at a given rate, Interest packets that share a prefix with the content server but whose names are arbitrarily forged, which guarantees that routers B and C will forward them. After router C forwards these Interest packets, no corresponding content packets are received, so the PIT resources on router C are largely occupied and cannot be released; router C can no longer provide forwarding service for subsequently arriving Interest packets and actively drops the Interest packets it receives (including those sent by normal users and by the attacker), reducing network performance. Once the PIT entries occupied by malicious Interest packets time out, the PIT resources are released and service can be provided to normal users again; however, a traditional IFA is a sustained flood, so newly released PIT resources are immediately occupied again by arriving attack Interest packets, and the PIT of the attacked router remains constantly full.
As shown in Fig. 1(b), in a low-rate Interest flooding attack (LIFA) the attacker issues genuine Interest packets requesting content located on a colluding server. After the colluding server receives the Interest packet request it does not respond with the Data packet immediately, but returns it only when the corresponding PIT entry on router C is about to time out, thereby occupying the router's PIT resources for a long time, preventing the router from providing fast and efficient service to normal users and, in serious cases, damaging network availability. Because such an attack does return genuine content, there are essentially no timed-out PIT records on the router attacked directly, while router A, which is not directly connected to the attacker, does have timed-out PIT records. Moreover, once the PIT resources of router C are fully occupied, continuing to send attack Interest packets serves little purpose; the LIFA attacker can pause the attack and resume it just when router C's PIT resources are about to be released, making the attack more efficient while introducing less attack traffic into the network, so that detection methods based on traffic statistics fail.
Existing IFA mitigation methods in NDN are based mainly on statistics of PIT anomalies (referred to in this proposal as PIT-based methods) and on anomaly detection based on traffic statistical characteristics (referred to in this proposal as the CUSUM method); detection methods for LIFA also rely mainly on PIT anomalies in NDN and are likewise referred to here as PIT-based methods.
PIT-based methods: the router relies on anomalies in the NDN PIT, including changes in PIT size, the rate of timed-out PIT entries, and the Interest satisfaction ratio per port. Since a network has normal fluctuations, it is hard to decide whether an attack is present from PIT size variation alone, so several indicators are usually combined; for example, both distributed and centralised detection methods raise an alarm when the PIT statistics exceed a given threshold.
CUSUM method: this method rests on the premise that the distribution of user requests in the network is basically stable. Within a given time or space window the NDN router counts the names of the Interest packets it receives, computes the corresponding entropy, subtracts a given threshold (generally set empirically) to obtain the entropy increment, and accumulates the increments; if the accumulated value exceeds the configured threshold an attack is deemed present, otherwise not.
The shortcomings of PIT-based methods fall into two aspects. 1) The method depends on statistics of PIT anomalies, but many factors cause PIT anomalies, such as normal network fluctuation, network congestion, link failure and being under attack; from PIT anomaly statistics alone it is hard to determine whether an attack is taking place, let alone how to defend against it. If a false alarm is raised, requests from normal users are treated as attack requests and restricted, causing immeasurable harm to users. 2) Under LIFA, the first router attacked has no timed-out PIT entries, so detection methods based on PIT timeout fail; meanwhile, on the downstream router connected to normal users, the forwarded Interest packets are actively dropped by the upstream router, so even a downstream router connected only to normal users shows clearly anomalous PIT statistics.
Because the CUSUM method determines the presence of an attack by collecting statistics on the distribution of requests received by the router and applying a cumulative-sum algorithm, it can avoid the above misjudgements to some extent, for two main reasons: 1) the cumulative-sum algorithm itself partly suppresses the influence of network fluctuation on the detection result; 2) CUSUM mainly measures the distribution of content requests received by the router, so if the router's users are normal users with a stable request distribution, then even if an upstream router is under attack, the content distribution requested by the users does not change in the short term, the downstream router does not raise an attack alarm, and harm to legitimate users is avoided indirectly. However, the CUSUM method needs a fixed time or space window to compute the statistical characteristics of received requests, and when the network is under LIFA the mean attack request rate is very low and may not show up in the overall traffic statistics, so the miss rate is also high.
Summary of the invention
In view of the shortcomings and defects of the prior art, the present invention provides a method and device for detecting low-rate Interest flooding attacks in a content-centric network.
In one aspect, an embodiment of the present invention proposes a method for detecting low-rate Interest flooding attacks in a content-centric network, comprising:
S1: using a traffic sampling signal in the content-centric network and a mother wavelet, compute the wavelet coefficient d_{j,k} of each scale in a selected scale set, and use the wavelet coefficients d_{j,k} to reconstruct the low-frequency part of the traffic sampling signal, where the number of wavelet decomposition levels is J, J is a positive integer, the scale set is the set of integers not less than … and less than J, and d_{j,k} denotes the detail information at scale j and translation k;
S2: compare the modulus of the low-frequency part with a preset detection threshold; if the modulus is not less than the detection threshold, determine that a low-rate Interest flooding attack is present.
Preferably, S1 comprises:
computing the wavelet coefficients d_{j,k}, the calculation formula being …, where X(n) is the traffic sampling signal and ψ_{j,k}(n) is obtained from the mother wavelet by compressing it j times and translating it by k units;
using the wavelet coefficients d_{j,k} to compute the detail component f_j(n) of the traffic sampling signal at each scale j, the calculation formula being …;
superimposing the detail components at all the computed scales to obtain the low-frequency part.
Preferably, the method further comprises:
when the modulus is determined to be not less than the detection threshold, updating a preset alarm time t_alarm to the time instant corresponding to the low-frequency part, an alarm being raised when the alarm time t_alarm arrives;
at a first time instant, saving the names S0 of all Interest packets recorded in the Pending Interest Table (PIT) at that time; at a second time instant, saving the names S1 of all Interest packets recorded in the PIT at that time; taking the intersection of S0 and S1 and extracting the Interest packet names in the intersection, where the first time instant is the alarm time t_alarm and the second time instant is the alarm time t_alarm plus the round-trip time RTT;
at a third time instant, saving the names S2 of all Interest packets recorded in the PIT at that time, and taking the intersection of the Interest packet names recorded in the PIT in S2 with the Interest packet names of the previous intersection to obtain the attack-source feature set AttackSet, where the third time instant is the alarm time t_alarm plus the default PIT entry timeout PET.
In another aspect, an embodiment of the present invention proposes a device for detecting low-rate Interest flooding attacks in a content-centric network, comprising:
a reconstruction unit, configured to compute, using a traffic sampling signal in the content-centric network and a mother wavelet, the wavelet coefficient d_{j,k} of each scale in a selected scale set, and to use the wavelet coefficients d_{j,k} to reconstruct the low-frequency part of the traffic sampling signal, where the number of wavelet decomposition levels is J, J is a positive integer, the scale set is the set of integers not less than … and less than J, and d_{j,k} denotes the detail information at scale j and translation k;
a detection unit, configured to compare the modulus of the low-frequency part with a preset detection threshold and, if the modulus is not less than the detection threshold, to determine that a low-rate Interest flooding attack is present.
Preferably, the reconstruction unit is specifically configured to:
compute the wavelet coefficients d_{j,k}, the calculation formula being …, where X(n) is the traffic sampling signal and ψ_{j,k}(n) is obtained from the mother wavelet by compressing it j times and translating it by k units;
use the wavelet coefficients d_{j,k} to compute the detail component f_j(n) of the traffic sampling signal at each scale j, the calculation formula being …;
superimpose the detail components at all the computed scales to obtain the low-frequency part.
Preferably, the device further comprises:
an updating unit, configured to update, when the modulus is determined to be not less than the detection threshold, a preset alarm time t_alarm to the time instant corresponding to the low-frequency part, an alarm being raised when the alarm time t_alarm arrives;
a first processing unit, configured to save, at a first time instant, the names S0 of all Interest packets recorded in the Pending Interest Table (PIT) at that time, to save, at a second time instant, the names S1 of all Interest packets recorded in the PIT at that time, and to take the intersection of S0 and S1 and extract the Interest packet names in the intersection, where the first time instant is the alarm time t_alarm and the second time instant is the alarm time t_alarm plus the round-trip time RTT;
a second processing unit, configured to save, at a third time instant, the names S2 of all Interest packets recorded in the PIT at that time, and to take the intersection of the Interest packet names recorded in the PIT in S2 with the Interest packet names of the previous intersection to obtain the attack-source feature set AttackSet, where the third time instant is the alarm time t_alarm plus the default PIT entry timeout PET.
The method and device for detecting low-rate Interest flooding attacks in a content-centric network provided by the embodiments of the present invention use wavelet analysis to analyse the Interest packets received by the router, extract the low-frequency component that carries the attack signal, and detect the low-rate Interest flooding attack by comparing the modulus of the low-frequency component with a detection threshold. Compared with the prior art, the method can extract low-rate attack traffic that is submerged in normal network traffic, avoiding the inability of traffic-statistics methods such as averaging to detect small-volume attacks, while also avoiding the false positives introduced by PIT-based detection methods, thereby improving the accuracy of LIFA detection.
Brief description of the drawings
Fig. 1 is an attack diagram: Fig. 1(a) illustrates an IFA and Fig. 1(b) illustrates a LIFA;
Fig. 2 shows the variation of the Interest packet rate received on a core router;
Fig. 3 compares the spectral energy profiles of normal traffic and attack traffic;
Fig. 4 is a flow diagram of an embodiment of the method for detecting low-rate Interest flooding attacks in a content-centric network according to the present invention;
Fig. 5 is a structural diagram of an embodiment of the device for detecting low-rate Interest flooding attacks in a content-centric network according to the present invention;
Fig. 6 is the China Telecom backbone network topology (August 2010);
Fig. 7 shows the variation of PIT size on the node "Beijing" under different types of attack;
Fig. 8 shows the variation of the throughput of the node "Beijing" under a LIFA;
Fig. 9 shows the variation of the modulus of the low-frequency signal X_a(n);
Fig. 10 shows the variation of the entropy and of the number of timed-out PIT records before and after a LIFA.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Because network traffic is affected by factors such as the network environment and the time scale, it exhibits different characteristics: for example, at large time scales it is long-range dependent, and the corresponding packet process is a wide-sense stationary process. In an NDN network, influenced by caching and PIT aggregation, traffic also exhibits new steady-state characteristics; however, the periodic pulse attack launched by a LIFA attacker can seriously destroy these characteristics and greatly suppress the relatively stable traffic component of legitimate users. Under LIFA, therefore, the sum of attack traffic and legitimate-user traffic can no longer maintain its original steady state. We simulated a typical LIFA attack on the ndnSIM platform, sampling the number of Interest and content packets received on the core router every 100 ms, with the LIFA launched from 50 s; the statistical results are shown in Fig. 2.
Before the attack is launched, the rate of Interest packet requests received by the network fluctuates within a small range, and its statistics (mean, variance, autocorrelation function, etc.) essentially follow a wide-sense stationary process. After the LIFA is launched, the number of Interest packets received by the router rises markedly for a short time and then falls to the normal level or below, with a certain period, and the network performance likewise oscillates periodically.
Analysing the number of Interest packets received in the time domain, it is hard to tell whether such a small variation is due to network fluctuation or to an attack. Considering that LIFA is a periodic pulse attack, we analyse the traffic components in the frequency domain. As shown in Fig. 3, under normal circumstances users send requests for the content they are interested in at random and receive the corresponding content within one round-trip time (RTT), so the spectrum of network traffic should have a similar power spectral density (PSD) in every frequency band. When the network is under LIFA, the victim router forwards Interest packets periodically and intermittently (in each period it can hardly forward any Interest packets, because its PIT resources are almost exhausted). The PSD of LIFA traffic is therefore concentrated mainly at low frequency (the attack period T is generally the maximum PIT entry lifetime of 4 s, i.e. a frequency of 0.25 Hz) and at the corresponding higher harmonics (4 Hz, 8 Hz, ...). Although the average rate of LIFA traffic does not differ significantly from normal traffic, we can detect LIFA by extracting this frequency-domain feature with wavelet analysis.
Referring to Fig. 4, this embodiment discloses a method for detecting low-rate Interest flooding attacks in a content-centric network, comprising:
S1: using a traffic sampling signal in the content-centric network and a mother wavelet, compute the wavelet coefficient d_{j,k} of each scale in a selected scale set, and use the wavelet coefficients d_{j,k} to reconstruct the low-frequency part of the traffic sampling signal, where the number of wavelet decomposition levels is J, J is a positive integer, the scale set is the set of integers not less than … and less than J, and d_{j,k} denotes the detail information at scale j and translation k;
S2: compare the modulus of the low-frequency part with a preset detection threshold; if the modulus is not less than the detection threshold, determine that a low-rate Interest flooding attack is present.
The method for detecting low-rate Interest flooding attacks in a content-centric network according to the present invention is described in detail below.
A wavelet is a waveform of limited length that decays rapidly. The mother wavelet ψ(t) (also called the wavelet basis function) has a strict mathematical definition and must satisfy conditions such as a time-domain integral of zero and finite energy in the frequency domain. Wavelet analysis performs multi-resolution analysis of an existing signal by means of the wavelet transform, principally the continuous wavelet transform and the discrete wavelet transform; in real-time sequence processing the dyadic discrete wavelet transform is commonly used, in which the scale is stretched by powers of 2 to obtain the different wavelet functions.
Assume that the preprocessed signal function is f(t) and the given mother wavelet is ψ(t); we can decompose the signal into J levels:
where ψ_{j,k}(t) and … are the wavelet function and the scaling function respectively, d_{j,k} is the wavelet coefficient, representing the detail information at scale j and translation k, and a_{J,k} is the approximation coefficient, representing the approximation information at scale J and translation k. The wavelet coefficient d_{j,k} can be obtained by the following formula:
The wavelet decomposition in formula (1) is reversible; from the wavelet coefficients we can reconstruct the detail component of the original signal at a given scale j:
From the above it can be seen that the low-frequency traffic signal can serve as an important indicator of the presence of LIFA. We select wavelet coefficients at particular scales and rebuild the specific frequency components of the original signal. For example, we can perform a J-level wavelet decomposition of the traffic sampling signal X(n), obtaining the wavelet coefficients and scale coefficients at each scale from 1 to J. By selecting the wavelet coefficients of the higher scales we can reconstruct the low-frequency part X_a(n) of the original signal. If a LIFA attack occurs, it directly affects the isolated low-frequency traffic component |X_a(n)|, as shown in Algorithm 1.
Given the sampled traffic data X(n), the number of wavelet decomposition levels J, the mother wavelet ψ(t) and the configured detection threshold T_h: first, we initialise the alarm time t_alarm and perform a J-level wavelet decomposition of X(n); second, we reconstruct the signal component X_j(n) on the selected scale set … and superimpose the components for all j to obtain the complete low-frequency component X_a(n); finally, we compare the modulus |X_a(n)| of X_a(n) with the preset detection threshold T_h to detect the presence of LIFA and, if it is present, update t_alarm to the time instant corresponding to X_a(n). The threshold T_h is set from experience, usually one times higher than (i.e. double) the normal level.
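Steps S1 and S2 and Algorithm 1 above, worked through on a constructed sample series as added example code (not the patent's own implementation): a dyadic Haar wavelet is used as the mother wavelet, and, because the page does not state the lower bound of the scale set, it is an assumed parameter here; the traffic values, the block-aligned attack start and the "twice the baseline peak" threshold rule are constructed assumptions.

```python
import math
import random

# Constructed sample: Interest packets counted per 100 ms on a router. Baseline 50 per sample
# with bounded noise; from ATTACK_START on, a LIFA pulse train with period 40 samples (4 s,
# i.e. 0.25 Hz): 8 samples of +60, then 32 samples 15 below normal. All values constructed.
SAMPLE_MS = 100
N_SAMPLES = 256        # 25.6 s of samples (a multiple of 2**J, so every block is aligned)
ATTACK_START = 128     # attack begins at 12.8 s
PERIOD = 40
J = 7                  # wavelet decomposition levels
SCALE_MIN = 4          # assumed lower bound of the scale set {j : SCALE_MIN <= j < J}


def constructed_traffic(seed=7):
    """Interest counts per sample: noisy baseline, then the periodic LIFA pulse train."""
    rng = random.Random(seed)
    x = []
    for n in range(N_SAMPLES):
        v = 50.0 + rng.uniform(-3.0, 3.0)
        if n >= ATTACK_START:
            v += 60.0 if (n - ATTACK_START) % PERIOD < 8 else -15.0
        x.append(v)
    return x


def haar_decompose(x, levels):
    """Dyadic Haar DWT: returns (a_J, details) where details[j-1] = [d_{j,k} for each k]."""
    if len(x) % (2 ** levels):
        raise ValueError("signal length must be a multiple of 2**levels")
    approx, details = list(x), []
    for _ in range(levels):
        a = [(lo + hi) / math.sqrt(2) for lo, hi in zip(approx[0::2], approx[1::2])]
        d = [(lo - hi) / math.sqrt(2) for lo, hi in zip(approx[0::2], approx[1::2])]
        details.append(d)     # high-pass output of this level is d_{j,k}
        approx = a            # low-pass output feeds the next level
    return approx, details


def synthesize(coefs, j, n, detail=True):
    """Orthonormal Haar synthesis of one level back into the time domain (length n).
    Each level-j coefficient covers 2**j samples with weight 1/2**(j/2); for a detail
    coefficient the second half of the block is negated. This gives f_j(n) for details."""
    span, norm = 2 ** j, 2 ** (j / 2)
    f = [0.0] * n
    for k, coef in enumerate(coefs):
        for i in range(span):
            idx = k * span + i
            if idx >= n:
                break
            f[idx] += (-coef if (detail and i >= span // 2) else coef) / norm
    return f


def reconstruct(x, levels):
    """Inverse transform check: approximation plus every detail level returns x."""
    approx, details = haar_decompose(x, levels)
    y = synthesize(approx, levels, len(x), detail=False)
    for j, d in enumerate(details, start=1):
        y = [p + q for p, q in zip(y, synthesize(d, j, len(x)))]
    return y


def low_frequency_part(x, levels, scale_min):
    """S1: X_a(n) = sum of the detail components f_j(n) over the scale set scale_min <= j < J."""
    _, details = haar_decompose(x, levels)
    xa = [0.0] * len(x)
    for j in range(scale_min, levels):
        for n, v in enumerate(synthesize(details[j - 1], j, len(x))):
            xa[n] += v
    return xa


def detect_lifa(x, levels, scale_min, threshold):
    """S2: the first sample n with |X_a(n)| >= T_h becomes t_alarm (in samples); None if no alarm."""
    for n, v in enumerate(low_frequency_part(x, levels, scale_min)):
        if abs(v) >= threshold:
            return n
    return None


def run_demo():
    x = constructed_traffic()
    xa = low_frequency_part(x, J, SCALE_MIN)
    # T_h is set empirically on attack-free traffic; here (assumption) it is twice the
    # largest modulus seen in the attack-free window, i.e. "one times higher than normal".
    t_h = 2.0 * max(abs(v) for v in xa[:ATTACK_START])
    t_alarm = detect_lifa(x, J, SCALE_MIN, t_h)
    return {"threshold": t_h, "t_alarm_sample": t_alarm,
            "t_alarm_ms": None if t_alarm is None else t_alarm * SAMPLE_MS}


if __name__ == "__main__":
    print(run_demo())
```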
When the LIFA detection algorithm detects a LIFA attack, suppose the alarm time is t_alarm. Because the delay of wavelet analysis is extremely short, generally at the millisecond level or below, the detection algorithm can raise the detection immediately after the router receives attack Interest packets; however, efficiently distinguishing the attack Interest packets among the large number of Interest packets received is relatively difficult. In this proposal we put forward a method of attack-source feature extraction to identify attack Interest packets, providing help for further defence strategies.
Since in NDN the default PIT entry timeout is 4 s, waiting for PIT entries to time out and then extracting attack-packet features from the timed-out entries is too late: by then a large number of normal user requests have already been dropped, and, according to the analysis in Section 4, relying only on timed-out PIT records easily misclassifies legitimate users as attackers. Since in LIFA the colluding server generally returns the corresponding Data packet just as the PIT entry is about to time out, we divide attack-source feature extraction into two stages. In the first stage, at time t_alarm we save the names S0 of all entries in the PIT, then at time t_alarm + RTT we save the names S1 of all entries in the PIT at that time, take the intersection of S0 and S1, and extract their Interest packet names, which can provisionally be added to the attack-source feature set AttackSet. In the second stage, assuming the default PIT entry timeout is PET, at time t_alarm + PET/2 we save the names S2 of all entries in the PIT, and take the intersection of the Interest packet names recorded in the PIT in S2 with AttackSet to obtain the final attack-source feature set AttackSet.
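The two-stage AttackSet extraction above, as added example code that is not the patent's implementation. The PIT is modelled as a list of (name, insert time, satisfy time) entries; the RTT value, the Interest names and their timing are constructed assumptions, and the second-stage offset is a parameter because the detailed description uses PET/2 while the claims use PET.

```python
# PET is the default PIT entry timeout stated in the description (seconds); RTT is assumed.
PET = 4.0
RTT = 0.1


def pit_names_at(entries, t):
    """Names of all Interest packets pending in the PIT at time t (an S0/S1/S2 snapshot).
    An entry (name, ins, sat) is pending from ins until the Data arrives at sat or the
    entry times out at ins + PET, whichever comes first."""
    return {name for name, ins, sat in entries if ins <= t < min(sat, ins + PET)}


def extract_attack_set(entries, t_alarm, rtt=RTT, third_offset=PET / 2):
    """Stage 1: S0 at t_alarm and S1 at t_alarm + RTT; names in both are still unsatisfied
    after one RTT and become provisional members of AttackSet.
    Stage 2: S2 at t_alarm + third_offset (PET/2 in the detailed description); only names
    still pending that long stay in the final AttackSet."""
    s0 = pit_names_at(entries, t_alarm)
    s1 = pit_names_at(entries, t_alarm + rtt)
    attack_set = s0 & s1
    s2 = pit_names_at(entries, t_alarm + third_offset)
    return attack_set & s2


def constructed_pit_log(t_alarm):
    """Constructed PIT history around an alarm at t_alarm (all names and times made up).
    Normal Interests are satisfied within about one RTT; Interests for the colluding
    server are answered just before the PET timeout; one honest request is slow (0.5 s)
    but is answered long before PET/2, so stage 1 keeps it and stage 2 drops it."""
    entries = []
    for i in range(4):                                  # normal users, answered in 80 ms
        ins = t_alarm - 0.02 * i
        entries.append((f"/news/article{i}", ins, ins + 0.08))
    for i in range(3):                                  # LIFA Interests, answered at PET - 0.1 s
        ins = t_alarm - 0.01 * i
        entries.append((f"/collude/item{i}", ins, ins + PET - 0.1))
    entries.append(("/video/slow-chunk", t_alarm - 0.01, t_alarm - 0.01 + 0.5))
    entries.append(("/news/late", t_alarm + 0.05, t_alarm + 0.05 + 0.08))  # not in S0
    return entries


if __name__ == "__main__":
    log = constructed_pit_log(10.0)
    print(sorted(extract_attack_set(log, 10.0)))
```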
Referring to Fig. 5, the present embodiment discloses a kind of detection device of low rate interest packet flood attack in content center network, Include:
Reconfiguration unit 1, for calculating selected scale using traffic sampling signal in content center network and wavelet mother function The wavelet coefficient d of each scale in setj,k, and utilize the wavelet coefficient dj,kReconstruct the low frequency of the traffic sampling signal Part, wherein the wavelet decomposition number of plies is J, and J is positive integer, and the scale collection is combined into satisfaction and is not less thanAnd it is less than J condition Integer set, dj,kIndicate the detailed information on scale j, translation k;
In the present embodiment, the reconfiguration unit specifically can be used for:
Calculate the wavelet coefficient dj,k, calculation formula isWherein, X (n) adopts for flow Sample signal, ψj,kIt (n) is the compression that j times is carried out to the wavelet mother function, the translation of k unit obtains;
Utilize the wavelet coefficient dj,kCalculate details coefficients f of the traffic sampling signal on each scale jj(n), Calculation formula is
Details coefficients on calculated all scales are superimposed to obtain the low frequency part.
Detection unit 2, for the mould of the low frequency part to be compared with preset detection threshold value, if the mould is not small In the detection threshold value, it is determined that there is low rate interest packet flood attack out.
On the basis of aforementioned device embodiment, described device can also include following structure not shown in the figure:
Updating unit, for updating preset pre-warning time when determining the mould not less than the detection threshold value talarmAt the time of correspondence for the low frequency part, wherein in the pre-warning time talarmEarly warning is carried out when arrival;
First processing units, for saving the interest packet name of all records in interest table (PIT) undetermined at this time at the first moment Word S0 saves the interest packet name S1 of all records in interest table (PIT) undetermined at this time, takes the intersection of S0 and S1 at the second moment, Extract the interest packet name of intersection, wherein first moment is the pre-warning time talarm, second moment is described pre- Alert time talarmThe sum of with round-trip delay RTT;
The second processing unit, for saving the interest packet name of all records in interest table (PIT) undetermined at this time at the third moment Word S2 takes the intersection of the interest packet name of the interest packet name and intersection of interest table (PIT) undetermined record in S2, is attacked Source characteristic set AttackSet, wherein the third moment is the pre-warning time talarmWith the interest table (PIT) undetermined of default Record the sum of time-out time PET.
In the embodiment of the present invention, after attacking early warning, according to the interest package informatin recorded in PIT, using two-part Method extracts the feature of attack source, reduces the probability of miscarriage of justice to normal users.
For the specific effect for verifying this programme, this motion is illustrated by emulation.Emulation topology is as shown in fig. 6, normal The content prefix of user's request is "/root/good ", and zipf distribution, corresponding content server are obeyed in overall request distribution Content prefix positioned at " Beijing " node, and LIFA attacker request is "/root/collusive ", corresponding conspiracy clothes Business device is located at " Shenyang ".Each node installs a user program, normal users issue the rate of request be 50/ Second, we randomly select 15% node as LIFA attacker, and the request model of each attacker is (δ, τ, T), wherein attacking Hit rate be δ=10/second, the attack duration be τ=0.5 second, attack the period be T=5 seconds.Each router node PIT Be sized to 200, whole simulation time is 0~500 second, and the attack duration is 250~500 seconds.
Fig. 7 compared influence of the IFA and LIFA attack to NDN node " Beijing " PIT, before t=250 seconds, network In normal working condition, the PIT size of " Beijing " node maintains 150 or so, and fluctuation by a small margin, works as t=250 When the second, attacker starts to launch a offensive.In the case where LIFA attack, the PIT of NDN node is in periodically variation, maximum value 200 are almost reached to, since the period of attack is 5 seconds, and the time-out time of PIT default is 4 seconds, therefore, time-out occurs in PIT When, the LIFA attack package of next round does not reach also, therefore PIT resource is released, and the size of PIT can periodically be fallen after rise. As a comparison, we equally initiate IFA attack when t=250 seconds, and the PIT size observed and LIFA attack phase difference Less, therefore from the point of view of attack effect, LIFA can also cause the effect of similar IFA attack to network.Equally, this point also reflects Network throughput variation above, as shown in figure 8, when network by LIFA attack when, router node under fire is handled up Amount also can seriously affect the performance of network at periodic decline.
Fig. 9 gives the low frequency signal X counted on router node " Beijing " between 240 seconds to 270 secondsa(n) Modulus value variation, it can be seen that before LIFA attack occurs, Xa(n) modulus value is in small-scale dynamic change, first In a [250,255] second in attack period, pulse generation is attacked between 250 seconds to 250.5 seconds, nodal test to Xa(n) mould Value starts to increase, and is more than defined threshold value Th, when initiating in the second wheel attack period, X that nodal test arrivesa(n) modulus value is far super In the threshold value of setting.Between 250 seconds to 270 seconds, the attack pulse of totally 5 LIFA can be in Xa(n) directly anti-in modulus value It mirrors and, therefore, the LIFA detection scheme based on wavelet analysis can be very good the interest packet flood attack of detection low rate.Make For comparison, we use the CUSUM based on entropy and the detection scheme based on PIT time-out entry, as shown in Figure 10, by attack node The entropy of statistics presents lesser fluctuation and proper network fluctuation is not obvious with the periodically pulsing influence of LIFA Difference is primarily due to LIFA and only sends attack interest packet within the shorter period, network will not be caused from Mean Speed Flow obviously increases, in such cases, the accumulation of entropy and also always be 0, can't detect the generation of attack;Due to direct On router under fire, the interest packet even attacked also can receive corresponding content packet before PIT entry time-out, therefore The PIT time-out entry of statistics is also 0 always, and the detection method based on PIT time-out can not also detect LIFA.
We extract respectively attack detecting at the time of talarmAnd talarm+RTT、talarmIn+PET/2 moment PIT Interest packet name set S0, S1 and the S2 of all records.Since PIT can at most accommodate 200 PIT entry records, herein I Intercept part S0, S1 and S2 set in data, for illustrating the feature of attack source:
According to S0 and S1, we obtain the attack signature AttackSet=S0 ∩ S1 of first stage, then obtain second-order The attack signature AttackSet=AttackSet ∩ S2 of section.Since the record of normal request in PIT can be expired in a RTT Foot, therefore what S0 and S1 took that intersection obtains is the interest packet record not met in a RTT, that is, attack interest Packet, this is also verified in the record of S2.According to the name of interest packet in AttackSet, we can further be mentioned Take the features such as their common prefix "/root/collusive ".
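The two-stage extraction described above and verified in the simulation, as an added example that is not the patent's own code. The PIT is modelled as a list of (name, arrival time, Data arrival time) entries, PET = 4 s is the NDN default named on the page, and RTT = 0.2 s, t_alarm = 250 s and all PIT contents are constructed assumptions. The sample deliberately includes a slow but legitimate request that survives the first intersection and is removed by the second, which is the misjudgement the second stage exists to prevent.

```python
"""Two-stage attack-source feature extraction from PIT snapshots.

Added example, not the patent's own code. The PIT is modelled as a list of
entries (name, t_in, t_data): t_in is when the Interest was recorded and
t_data when the matching Data arrived (None if it never did). An entry is
pending at time t while t_in <= t < min(t_data, t_in + PET). PET = 4 s is the
NDN default named on the page; RTT, T_ALARM and all entries are constructed.
"""
from typing import Iterable, List, Optional, Set, Tuple

Entry = Tuple[str, float, Optional[float]]

PET = 4.0        # default PIT entry timeout (seconds), NDN default
RTT = 0.2        # assumed round-trip delay on this router (seconds)
T_ALARM = 250.0  # assumed alarm time reported by the wavelet detector


def pit_snapshot(entries: Iterable[Entry], t: float, pet: float = PET) -> Set[str]:
    """Names of all PIT entries pending at instant t."""
    names: Set[str] = set()
    for name, t_in, t_data in entries:
        expiry = t_in + pet if t_data is None else min(t_data, t_in + pet)
        if t_in <= t < expiry:
            names.add(name)
    return names


def extract_attack_set(entries: Iterable[Entry], t_alarm: float,
                       rtt: float = RTT, pet: float = PET) -> Tuple[Set[str], Set[str]]:
    """Return (stage-1 set, final AttackSet).

    Stage 1: S0 at t_alarm and S1 at t_alarm + RTT; names present in both were
    not satisfied within one RTT and are provisionally marked as attack.
    Stage 2: S2 at t_alarm + PET/2; a colluding server answers only just before
    PET, so attack names are still pending, while slow but normal requests have
    been satisfied by then and drop out of the set."""
    entries = list(entries)
    s0 = pit_snapshot(entries, t_alarm, pet)
    s1 = pit_snapshot(entries, t_alarm + rtt, pet)
    stage1 = s0 & s1
    s2 = pit_snapshot(entries, t_alarm + pet / 2, pet)
    return stage1, stage1 & s2


def common_prefix(names: Iterable[str]) -> str:
    """Longest shared leading name components, e.g. '/root/collusive'."""
    split = [n.strip("/").split("/") for n in names]
    if not split:
        return ""
    prefix: List[str] = []
    for comps in zip(*split):
        if len(set(comps)) != 1:
            break
        prefix.append(comps[0])
    return "/" + "/".join(prefix) if prefix else ""


# Constructed PIT contents around the alarm on the "Beijing" router.
SAMPLE_PIT: List[Entry] = [
    ("/root/good/1", 249.90, 250.05),        # normal, satisfied within ~RTT
    ("/root/good/2", 249.99, 250.25),        # normal but slow: survives stage 1 only
    ("/root/good/3", 250.10, 250.26),        # normal, arrived after t_alarm
    ("/root/collusive/a", 249.95, None),     # attack, never answered
    ("/root/collusive/b", 249.98, 253.90),   # attack, answered just before PET
    ("/root/collusive/c", 250.05, None),     # attack, arrived after t_alarm
]

if __name__ == "__main__":
    stage1, final = extract_attack_set(SAMPLE_PIT, T_ALARM)
    print("stage 1:", sorted(stage1))
    print("AttackSet:", sorted(final))
    print("common prefix:", common_prefix(final))
```

Stage 1 yields {/root/good/2, /root/collusive/a, /root/collusive/b}; the second snapshot removes /root/good/2, and the common prefix of what remains is "/root/collusive". Note that an attack Interest recorded after t_alarm (/root/collusive/c here) is absent from S0 and is therefore not captured by snapshots taken at a single alarm; with the periodic pulses the simulation shows, the extraction has to be repeated at each alarm.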
Although the embodiments of the invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (4)

1. A method for detecting low-rate Interest flooding attacks in a content-centric network, characterized by comprising:
S1, calculating, using a traffic sampling signal in the content-centric network and a mother wavelet, the wavelet coefficient d_{j,k} on each scale of a selected scale set, and reconstructing the low-frequency part of the traffic sampling signal from the wavelet coefficients d_{j,k}, wherein the number of wavelet decomposition layers is J, J is a positive integer, the scale set is the set of integers not less than a given lower bound and less than J, and d_{j,k} denotes the detail information at scale j and translation k;
S2, comparing the modulus of the low-frequency part with a preset detection threshold, and if the modulus is not less than the detection threshold, determining that a low-rate Interest flooding attack exists;
wherein S1 comprises:
calculating the wavelet coefficient d_{j,k} from the traffic sampling signal X(n) and ψ_{j,k}(n), wherein ψ_{j,k}(n) is obtained by compressing the mother wavelet j times and translating it by k units;
calculating, from the wavelet coefficients d_{j,k}, the detail component f_j(n) of the traffic sampling signal on each scale j;
superimposing the detail components on all calculated scales to obtain the low-frequency part.
2. The method according to claim 1, characterized by further comprising:
when the modulus is determined to be not less than the detection threshold, updating a preset alarm time t_alarm to the time corresponding to the low-frequency part, wherein an alarm is raised when the alarm time t_alarm arrives;
at a first moment, saving the Interest names S0 of all entries then in the pending interest table (PIT); at a second moment, saving the Interest names S1 of all entries then in the PIT; taking the intersection of S0 and S1 and extracting the Interest names of the intersection, wherein the first moment is the alarm time t_alarm and the second moment is the sum of the alarm time t_alarm and the round-trip delay RTT;
at a third moment, saving the Interest names S2 of all entries then in the PIT, and taking the intersection of the Interest names of the PIT entries in S2 with the Interest names of the intersection to obtain the attack-source feature set AttackSet, wherein the third moment is the sum of the alarm time t_alarm and the default PIT entry timeout PET.
3. A device for detecting low-rate Interest flooding attacks in a content-centric network, characterized by comprising:
a reconstruction unit, configured to calculate, using a traffic sampling signal in the content-centric network and a mother wavelet, the wavelet coefficient d_{j,k} on each scale of a selected scale set, and to reconstruct the low-frequency part of the traffic sampling signal from the wavelet coefficients d_{j,k}, wherein the number of wavelet decomposition layers is J, J is a positive integer, the scale set is the set of integers not less than a given lower bound and less than J, and d_{j,k} denotes the detail information at scale j and translation k;
a detection unit, configured to compare the modulus of the low-frequency part with a preset detection threshold and, if the modulus is not less than the detection threshold, to determine that a low-rate Interest flooding attack exists;
wherein the reconstruction unit is specifically configured to:
calculate the wavelet coefficient d_{j,k} from the traffic sampling signal X(n) and ψ_{j,k}(n), wherein ψ_{j,k}(n) is obtained by compressing the mother wavelet j times and translating it by k units;
calculate, from the wavelet coefficients d_{j,k}, the detail component f_j(n) of the traffic sampling signal on each scale j;
superimpose the detail components on all calculated scales to obtain the low-frequency part.
4. The device according to claim 3, characterized by further comprising:
an updating unit, configured to update a preset alarm time t_alarm to the time corresponding to the low-frequency part when the modulus is determined to be not less than the detection threshold, wherein an alarm is raised when the alarm time t_alarm arrives;
a first processing unit, configured to save, at a first moment, the Interest names S0 of all entries then in the pending interest table (PIT), to save, at a second moment, the Interest names S1 of all entries then in the PIT, and to take the intersection of S0 and S1 and extract the Interest names of the intersection, wherein the first moment is the alarm time t_alarm and the second moment is the sum of the alarm time t_alarm and the round-trip delay RTT;
a second processing unit, configured to save, at a third moment, the Interest names S2 of all entries then in the PIT, and to take the intersection of the Interest names of the PIT entries in S2 with the Interest names of the intersection to obtain the attack-source feature set AttackSet, wherein the third moment is the sum of the alarm time t_alarm and the default PIT entry timeout PET.
CN201710899496.4A 2017-09-28 2017-09-28 The detection method and device of low rate interest packet flood attack in content center network Active CN108234440B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710899496.4A CN108234440B (en) 2017-09-28 2017-09-28 The detection method and device of low rate interest packet flood attack in content center network

Publications (2)

Publication Number Publication Date
CN108234440A CN108234440A (en) 2018-06-29
CN108234440B true CN108234440B (en) 2019-10-22

Family

ID=62654414

Country Status (1)

Country Link
CN (1) CN108234440B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110166464B (en) * 2019-05-27 2021-10-15 北京信息科技大学 Method and system for detecting content-centric network interest flooding attack
CN113162894B (en) * 2020-11-30 2023-08-22 深圳中富电路股份有限公司 Collusion interest flooding attack detection method for vehicle-mounted named data networking

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6904459B1 (en) * 2000-03-14 2005-06-07 Microsoft Corporation Methods and systems for preventing socket flooding during denial of service attacks
CN101378394A (en) * 2008-09-26 2009-03-04 成都市华为赛门铁克科技有限公司 Detection defense method for distributed reject service and network appliance
CN101621425A (en) * 2009-05-21 2010-01-06 北京邮电大学 Method and device for detecting low-speed denial of service attack
CN106357641A (en) * 2016-09-18 2017-01-25 中国科学院信息工程研究所 Method and device for defending interest flooding attacks in information centric network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9185120B2 (en) * 2013-05-23 2015-11-10 Palo Alto Research Center Incorporated Method and system for mitigating interest flooding attacks in content-centric networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant