CN110474927B - DDoS attack defense method based on intelligent non-contact internet security service - Google Patents

Info

Publication number: CN110474927B
Authority: CN (China)
Prior art keywords: classifier, traffic, user, ISP, module
Legal status: Active
Application number: CN201910900256.0A
Priority date / filing date: 2019-09-23
Publication date: 2019-11-19 (CN110474927A), 2022-04-05 (CN110474927B)
Other languages: Chinese (zh)
Other versions: CN110474927A (en)
Inventors: 曹元�, 汪厚泽, 孙青松
Original and current assignee: Changzhou Campus of Hohai University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H04L 12/1432 Metric aspects
    • H04L 12/1435 Metric aspects, volume-based
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The invention provides a DDoS attack defense method based on an intelligent non-contact internet security service. The ISP embeds classifiers that filter DDoS attack traffic into a smart contract and publishes the contract on the Ethereum blockchain. A user purchases a given type of traffic-filtering service and pays for it. Once the ISP has received sufficient payment, the contract is activated and the classifier begins filtering the traffic the user does not want. If the ISP fails to block any of the unwanted traffic covered by the classifier the user purchased, the user can reclaim the payment by presenting a trusted data structure. The invention ensures that the user explicitly agrees on which types of network traffic are to be filtered and at what price, and it can filter large volumes of attack traffic without affecting legitimate traffic, thereby effectively resisting DDoS attacks.

Description

DDoS attack defense method based on intelligent non-contact internet security service
Technical Field
The invention relates to a DDoS attack defense method based on intelligent non-contact internet security service, and belongs to the field of communication.
Background
The internet provides an open environment in which any host can communicate with any other host. Traditionally, security services are deployed within each host, rather than within the network, allowing each host to specify its own security policy on an end-to-end basis.
Internet end systems are at risk of being overwhelmed by a variety of attacks, because the internet enforces no flow control beyond what the end hosts themselves apply. Among these, Distributed Denial of Service (DDoS) attacks are a common means of attacking servers. Currently, users can only rely on their internet service providers (ISPs) to block attack traffic. However, at least two key challenges remain. First, regulation requires ISPs to forward network traffic without making decisions about its content. This agnostic stance treats all packets as identical and delivers all traffic, good and bad, to the ISP's end customers. Without some form of agreement with the customer, the ISP cannot shape network traffic even to thwart an attack. Second, while some ISPs consider stepping beyond their traditional role by offering security services to their customers, the dramatic growth in the number and capacity of botnets makes it increasingly difficult for ISPs to accurately distinguish legitimate traffic under complex attacks. In addition, users and ISPs are prone to disputes when network traffic is not forwarded correctly.
Disclosure of Invention
The invention aims to provide a DDoS attack defense method based on an intelligent non-contact internet security service, so as to overcome the defects of the prior art in which an ISP (internet service provider) cannot shape network traffic and cannot accurately distinguish legitimate traffic under complex attacks.
To achieve this, the invention adopts the following technical solution:
a DDoS attack defense method based on an intelligent non-contact internet security service comprises the following steps:
the ISP embeds classifiers for filtering DDoS attack traffic into smart contracts and publishes the contracts on the Ethereum blockchain, where each smart contract comprises a classifier commitment module, a pricing storage module and a payment receiving module; the classifier commitment module stores the commitment of each classifier, the pricing storage module stores the price of each type of filtering service identified by a classifier commitment, and the payment receiving module stores the ISP address that receives payment;
the user chooses to buy a certain type of traffic filtering service according to the classifier commitments in the classifier commitment module, and pays according to the price in the pricing storage module;
after the payment receiving module has received sufficient payment, the classifier corresponding to the traffic filtering service purchased by the user automatically starts filtering the traffic the user does not want.
Further, the commitment of each classifier is defined as follows: for a classifier f, the commitment is computed as H(f || N), where H is a secure hash function and N is a cryptographic random number (nonce), i.e. a secret random sequence shared by the user and the ISP.
Further, the smart contracts allow the ISP and the user to agree on a price for each type of filtering service identified by a classifier commitment, and store the prices in the pricing storage module.
Further, the smart contract also comprises a price judging module, which checks whether the amount paid by the user is less than the price of the filtering service to be purchased; if so, the smart contract returns the user's payment in full; if not, any payment in excess of the price is returned to the user.
Further, the DDoS attack defense method based on the intelligent non-contact internet security service further comprises the following steps:
monitoring, with a trusted traffic accounting module, all traffic that the ISP delivers to the user after it has passed the classifier, and computing from it a trusted and authenticated data structure; if the ISP fails to block any unwanted traffic covered by a classifier the user purchased, the user reclaims the payment by presenting the trusted and authenticated data structure.
Further, the trusted traffic accounting module is deployed downstream of the ISP border router.
Further, the trusted traffic accounting module monitors traffic as follows: for each arriving packet P, the module computes which classifier P falls into; if P matches one classifier, it is counted as an invalid packet and the module updates the invalid traffic distribution D it outputs; if P matches several classifiers, it is charged to only one of them and still recorded as a single invalid packet, and the module updates the invalid traffic distribution D it stores; the updated D serves as the basis for charging.
Further, the trusted and authenticated data structure is generated as follows: a preset threshold is set for the invalid traffic distribution D, and the module checks whether D exceeds the threshold: if so, it computes and generates the trusted and authenticated data structure; otherwise, no computation is performed.
Further, the trusted traffic accounting module computes which classifier P falls into using a compute-classifier function that contains all the classifier algorithms agreed upon by the user and the ISP.
Further, the smart contract allows the ISP and the user to agree on filtering rules for common reflection/amplification DDoS attacks.
The invention has the following beneficial technical effects:
the classifiers are embedded in a smart contract on the blockchain, so the contract guarantees that the user has explicitly agreed on which types of network traffic are to be filtered; the classifiers filter unwanted traffic according to the contract without affecting legitimate traffic, so the user's traffic monitoring and analysis systems are not disturbed while large volumes of DDoS attack traffic are filtered, which achieves the defense against DDoS attacks. At the same time, through traffic accounting software trusted by both parties, the corresponding payment can be recovered when the ISP fails to block unwanted traffic covered by a classifier the user purchased, which avoids disputes between the user and the ISP when network traffic is not forwarded correctly.
Drawings
Fig. 1 is a schematic flowchart of a DDoS attack defense method based on an intelligent non-contact internet security service according to an embodiment of the present invention;
Fig. 2 is a pseudocode formalization of the smart contract;
Fig. 3 is a flow diagram of the trusted traffic accounting algorithm;
Fig. 4 is a pseudocode formalization of the trusted traffic accounting algorithm.
Detailed Description
The invention is further described with reference to specific examples. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
As shown in Fig. 1, an embodiment of the present invention provides a DDoS attack defense method based on an intelligent non-contact internet security service, which comprises the following steps:
1) Compiling the smart contract
The ISP embeds classifiers for filtering DDoS attack traffic into a smart contract and publishes the contract on the Ethereum blockchain. The smart contract comprises a classifier commitment module (data classifierCommission), a pricing storage module (data ServicePrice), a payment receiving module (data ISP), a signature authentication module (data PublicKey), and so on.
The data classifierCommission is a data structure that stores a commitment for each classifier instead of the classifier itself, so that the actual classifier is not revealed. For a classifier f, its commitment is computed as H(f || N), where H is a secure hash function (e.g. SHA-256) and N is a cryptographic random number (nonce), i.e. a secret random sequence shared by the user and the ISP. Thus, even though the smart contracts are stored publicly on the blockchain, the classifiers (which may reveal proprietary policies) remain secret.
The data ServicePrice stores the price of each type of filtering service identified by a classifier commitment. To allow flexible pricing, the contracts of the invention let the ISP and the user agree on a specific price (denominated in Ether) for each type of filtering service committed to by a classifier. The pricing information is stored in the data ServicePrice.
The data ISP stores the ISP address that receives payments, and the data PublicKey is used to authenticate signatures.
In addition, the smart contract allows the ISP and the user to agree on filtering rules for common reflection/amplification DDoS attacks.
2) Purchasing a filtering service
Users interact with the contract by submitting signed data, called transactions, to the underlying peer-to-peer network. Each function defined in the smart contract is an entry point for execution, and the contract code runs whenever a message is received from a user or from another contract. In the invention, to purchase a certain type of filtering service, the user sends a message that specifies Filter Service Purchase as the entry point. At the same time, the user must attach sufficient payment (msg.value) for the contract call to succeed. Once the contract is invoked, the ISP (called ISP).
The smart contract also comprises a price judging module: when the amount paid by the user is less than the price of the filtering service to be purchased, the payment is returned to the user; otherwise the contract call succeeds and any payment in excess of the price is returned to the user, so that the user loses no funds.
3) The classifier begins filtering traffic
After the contract has been successfully invoked, the classifier corresponding to the traffic filtering service purchased by the user automatically begins filtering the traffic the user does not want.
4) Payment reclamation
If the ISP fails to block any unwanted traffic covered by a classifier the user purchased, the user may reclaim the payment. Specifically, the smart contract of the invention defines an entry point Reclaim, through which the user can recover payment based on the unwanted traffic received. To invoke Reclaim, the user must provide a trusted and authenticated data structure, which is essentially indisputable evidence that, for a given classifier f, the ISP delivered unwanted traffic of that class to the user. Finally, the smart contract computes the reclaim amount with the Reclaim Value function and returns it to the user. The Reclaim Value function also supports reclaiming payments under flexible pricing, which enables a pre-agreed pricing model between the user and the ISP.
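As an added example (not the patent's code, and Python rather than the Solidity a real Ethereum contract would use), the following models the contract state and the price judging module of steps 1 and 2: the commitment uses SHA-256 as the description suggests, while the contract class, its method names, the nonce, the classifier rule, the address and the price are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


def commitment(classifier: bytes, nonce: bytes) -> bytes:
    """H(f || N): SHA-256 over the classifier description and the shared nonce N.
    Only this hash goes on-chain, so the ISP's filtering policy stays private."""
    return hashlib.sha256(classifier + nonce).digest()


@dataclass
class FilterServiceContract:
    """Off-chain model of the contract state: data ISP, data classifierCommission and
    data ServicePrice as named in the description, plus bookkeeping for this example."""
    isp: str                                                        # data ISP: payee address
    classifier_commission: Set[bytes] = field(default_factory=set)  # data classifierCommission
    service_price: Dict[bytes, int] = field(default_factory=dict)   # data ServicePrice
    isp_balance: int = 0
    active: Dict[str, Set[bytes]] = field(default_factory=dict)     # user -> purchased commitments

    def publish(self, commit: bytes, price: int) -> None:
        """ISP registers a classifier commitment together with the agreed price."""
        self.classifier_commission.add(commit)
        self.service_price[commit] = price

    def filter_service_purchase(self, user: str, commit: bytes, msg_value: int) -> Tuple[bool, int]:
        """Entry point Filter Service Purchase with the price judging module.
        Returns (service_activated, amount_returned_to_user)."""
        if commit not in self.classifier_commission:
            return False, msg_value        # unknown commitment: refund everything
        price = self.service_price[commit]
        if msg_value < price:
            return False, msg_value        # underpaid: whole payment returned, nothing activated
        self.isp_balance += price          # ISP receives exactly the agreed price
        self.active.setdefault(user, set()).add(commit)
        return True, msg_value - price     # overpaid: only the excess goes back


def demo() -> dict:
    """Constructed walk-through: one committed classifier priced at 1000 units (Ether
    denomination assumed), one short payment, one over-payment."""
    nonce = b"\x13" * 16                                   # constructed shared secret N
    rule = b"udp && src_port == 123 && len > 468"          # constructed NTP-amplification classifier f
    commit = commitment(rule, nonce)
    contract = FilterServiceContract(isp="0xISP-PLACEHOLDER")
    contract.publish(commit, price=1000)
    short = contract.filter_service_purchase("user-A", commit, 600)
    over = contract.filter_service_purchase("user-A", commit, 1500)
    return {
        "short": short, "over": over,
        "isp_balance": contract.isp_balance,
        "active": commit in contract.active.get("user-A", set()),
        # same classifier, different nonce: the public commitment reveals nothing usable
        "hides_policy": commitment(rule, b"\x00" * 16) != commit,
    }
```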
The Trusted Traffic Accounting Module (TTAM) serves as the trusted and authenticated data source for the smart contract. TTAM can demonstrate that the ISP is delivering traffic to the user that the user does not want. The design challenge is to ensure that neither party can forge this information. One option is for the ISP to attach an authenticator (e.g. its signature) to every packet it transmits, so that the user can later use these authenticators as hard proof when reclaiming payment. The option proposed by the invention is instead to rely on software trusted by both parties to perform the traffic accounting.
Fig. 3 shows the flow of the trusted traffic accounting algorithm. TTAM is deployed downstream of the ISP border routers to monitor all traffic that the ISP delivers to the user. Note that TTAM only processes traffic that has already passed the ISP's classifiers, i.e. traffic about to be delivered to the user. For each arriving packet P, TTAM uses the compute-classifier function to determine which classifier P falls into. The compute-classifier function contains all the classifier algorithms agreed upon by the user and the ISP. If P matches a classifier, it is counted as an unwanted packet, i.e. invalid traffic, and the invalid traffic distribution D that TTAM outputs is updated; if P matches several classifiers, it is charged to only one of them, to avoid losses to the ISP or the user from counting the same packet more than once, and is recorded as a single invalid packet; TTAM then updates the invalid traffic distribution D it stores, and the updated D serves as the basis for charging.
A predetermined threshold is set for the invalid traffic distribution D, and once D exceeds the threshold TTAM computes a trusted and authenticated data structure, the auth data structure. Specifically: TTAM first creates a new authentication record A; when the invalid traffic distribution D exceeds the preset threshold, the information in the D output by TTAM is stored in A, yielding the auth data structure; D is then cleared, and a new authentication record A is created the next time D exceeds the threshold.
TTAM creates the authentication record A from the user identity information V that the user supplies to TTAM, the cryptographic random number N used in the classifier commitment scheme, and the commitment F of the classifier purchased by the user; A is an array carrying identity verification data that is used to call the smart contract.
The auth data structure contains the following attributes: auth.classifier (the commitment of a classifier purchased by the user), auth.volume (the invalid traffic that reached the user without being filtered), auth.time (a timestamp), auth.view (the user identity information) and auth.signature (a digital signature over the four attributes auth.classifier, auth.volume, auth.time and auth.view). auth.classifier and auth.volume are used by the Reclaim Value function defined in the smart contract to compute the reclaim amount; auth.time is used to set the expiry time of the auth data structure; auth.view identifies the user who is entitled to use this auth data structure for payment reclamation; and auth.signature ensures that no third party can generate a valid auth data structure. auth.time, auth.view and auth.signature are checked by the Verify function defined in the smart contract when the contract is invoked.
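As an added example (not the patent's code or TTAM implementation), the following Python models the TTAM accounting loop, the threshold-triggered auth data structure and the contract's Verify and Reclaim Value checks described above. The sample classifiers and packets, the per-classifier threshold, the HMAC standing in for auth.signature, the expiry window and the per-KiB rate are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:  # constructed packet summary: only the fields the sample classifiers inspect
    proto: str
    src_port: int
    length: int


NONCE = b"\x13" * 16  # constructed stand-in for the shared secret N


def commitment(rule: bytes) -> bytes:
    """H(f || N) with SHA-256: what the contract stores instead of the classifier f."""
    return hashlib.sha256(rule + NONCE).digest()


# Constructed classifier set agreed by user and ISP, keyed by commitment.
# Dictionary order is the tie-break when a packet matches several classifiers.
CLASSIFIERS: Dict[bytes, Callable[[Packet], bool]] = {
    commitment(b"dns-amp"): lambda p: p.proto == "udp" and p.src_port == 53 and p.length > 512,
    commitment(b"ntp-amp"): lambda p: p.proto == "udp" and p.src_port == 123 and p.length > 468,
    commitment(b"large-udp"): lambda p: p.proto == "udp" and p.length > 1000,
}
DNS, LARGE = commitment(b"dns-amp"), commitment(b"large-udp")


def compute_classifier(p: Packet) -> Optional[bytes]:
    """Return the single classifier P is charged to (first match), or None for valid
    traffic; charging one classifier keeps a multi-match packet from being billed twice."""
    for commit, pred in CLASSIFIERS.items():
        if pred(p):
            return commit
    return None


def sign_auth(auth: dict) -> bytes:
    """auth.signature over (classifier, volume, time, view).  Assumption: HMAC-SHA256
    keyed with N stands in for the TTAM's digital signature; a deployment would use a
    signing key held only by the TTAM."""
    msg = (auth["classifier"] + auth["volume"].to_bytes(8, "big")
           + auth["time"].to_bytes(8, "big") + auth["view"].encode())
    return hmac.new(NONCE, msg, hashlib.sha256).digest()


class TTAM:
    """Accounting for one user: counts post-filter packets that still match a purchased
    classifier and emits an auth record whenever a class crosses the threshold."""

    def __init__(self, view: str, purchased: Set[bytes], threshold: int):
        self.view = view               # V: user identity information
        self.purchased = purchased     # F: commitments the user paid for
        self.threshold = threshold     # assumed: the threshold applies per classifier bucket
        self.D: Dict[bytes, int] = {}  # invalid traffic distribution, bytes per classifier
        self.auths: List[dict] = []

    def observe(self, p: Packet, now: int) -> None:
        c = compute_classifier(p)
        if c is None or c not in self.purchased:
            return  # valid traffic, or a class the user did not buy: nothing to charge
        self.D[c] = self.D.get(c, 0) + p.length
        if self.D[c] > self.threshold:
            auth = {"classifier": c, "volume": self.D[c], "time": now, "view": self.view}
            auth["signature"] = sign_auth(auth)
            self.auths.append(auth)
            self.D[c] = 0  # D is cleared once its contents are captured in an auth


AUTH_TTL = 3600  # assumed expiry window derived from auth.time


def verify(auth: dict, caller_view: str, now: int) -> bool:
    """Contract-side Verify: bound to the named user, unexpired, signature intact."""
    if auth["view"] != caller_view or now - auth["time"] > AUTH_TTL:
        return False
    return hmac.compare_digest(auth["signature"], sign_auth(auth))


def reclaim_value(auth: dict, rate_per_kib: Dict[bytes, int]) -> int:
    """Contract-side Reclaim Value under an assumed per-KiB rate agreed per classifier."""
    return auth["volume"] * rate_per_kib[auth["classifier"]] // 1024


def demo() -> dict:
    """Constructed trace: three 600-byte DNS responses cross a 1500-byte threshold; a
    1200-byte DNS response matches two classifiers but is charged once; TCP and the
    unpurchased NTP class are ignored."""
    ttam = TTAM(view="user-A", purchased={DNS, LARGE}, threshold=1500)
    trace = [Packet("udp", 53, 600)] * 3 + [Packet("udp", 53, 1200),
                                            Packet("tcp", 443, 1500), Packet("udp", 123, 500)]
    for i, p in enumerate(trace):
        ttam.observe(p, now=1000 + i)
    auth = ttam.auths[0]
    forged = dict(auth, volume=10_000)  # tampered volume must fail Verify
    return {
        "auths": len(ttam.auths), "volume": auth["volume"],
        "D_dns": ttam.D.get(DNS, 0), "D_large": ttam.D.get(LARGE, 0),
        "verify_ok": verify(auth, "user-A", now=1100),
        "verify_other_user": verify(auth, "user-B", now=1100),
        "verify_forged": verify(forged, "user-A", now=1100),
        "reclaim": reclaim_value(auth, {DNS: 10, LARGE: 4}),
    }
```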
Fig. 2 is a pseudocode formalization (Algorithm 1) of the smart contract of the embodiment, i.e. an algorithmic description of the smart contract as used in practice, which makes the method easier to understand. Fig. 4 is a pseudocode formalization of the trusted traffic accounting algorithm, which likewise helps in understanding the embodiment.
The invention has been disclosed in terms of the preferred embodiment, but is not limited to it; all technical solutions obtained by substituting or converting equivalents thereof fall within the scope of the invention.

Claims (8)

1. A DDoS attack defense method based on an intelligent non-contact internet security service, characterized by comprising the following steps:
the ISP embeds classifiers for filtering DDoS attack traffic into smart contracts and publishes the contracts on the Ethereum blockchain, where each smart contract comprises a classifier commitment module, a pricing storage module and a payment receiving module; the classifier commitment module stores the commitment of each classifier, the pricing storage module stores the price of each type of filtering service identified by a classifier commitment, and the payment receiving module stores the ISP address that receives payment;
the user chooses to buy a certain type of traffic filtering service according to the classifier commitments in the classifier commitment module, and pays according to the price in the pricing storage module;
after the payment receiving module has received sufficient payment, the classifier corresponding to the traffic filtering service purchased by the user automatically starts filtering the traffic the user does not want;
monitoring, with a trusted traffic accounting module, all traffic that the ISP delivers to the user after it has passed the classifier, and computing from it a trusted and authenticated data structure; if the ISP fails to block any unwanted traffic covered by a classifier the user purchased, the user reclaims the payment by presenting the trusted and authenticated data structure;
the trusted traffic accounting module monitors traffic as follows: for each arriving packet P, the module computes which classifier P falls into; if P matches one classifier, it is counted as an invalid packet and the module updates the invalid traffic distribution D it outputs; if P matches several classifiers, it is charged to only one of them and still recorded as a single invalid packet, and the module updates the invalid traffic distribution D it stores; the updated D serves as the basis for charging.
2. The method of claim 1, characterized in that the commitment of each classifier is defined as follows: for a classifier f, the commitment is computed as H(f || N), where H is a secure hash function and N is a secret random sequence shared by the user and the ISP.
3. The method of claim 1, characterized in that the smart contracts allow the ISP and the user to agree on the price of each type of filtering service identified by a classifier commitment and store that price in the pricing storage module.
4. The method of claim 1, characterized in that the smart contract further comprises a price judging module, which checks whether the amount paid by the user is less than the price of the filtering service to be purchased; if so, the smart contract returns the user's payment; if not, any payment in excess of the price is returned to the user.
5. The method of claim 1, characterized in that the trusted traffic accounting module is deployed downstream of an ISP border router.
6. The method of claim 1, characterized in that the trusted and authenticated data structure is generated as follows: a preset threshold is set for the invalid traffic distribution D, and the module checks whether D exceeds the threshold: if so, it computes and generates the trusted and authenticated data structure; otherwise, no computation is performed.
7. The method of claim 1, characterized in that the trusted traffic accounting module uses a compute-classifier function to determine which classifier P falls into, the compute-classifier function containing all the classifier algorithms agreed upon by the user and the ISP.
8. The method of claim 1, characterized in that the smart contract allows the ISP and the user to agree on filtering rules for common reflection/amplification DDoS attacks.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910900256.0A CN110474927B (en) 2019-09-23 2019-09-23 DDoS attack defense method based on intelligent non-contact internet security service

Publications (2)

Publication Number Publication Date
CN110474927A CN110474927A (en) 2019-11-19
CN110474927B true CN110474927B (en) 2022-04-05

Family

ID=68516667

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113221113B (en) * 2021-05-28 2021-10-01 东北林业大学 Distributed machine learning and block chain-based internet of things DDoS detection and defense method, detection device and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616534A (en) * 2018-04-28 2018-10-02 中国科学院信息工程研究所 Method and system for protecting Internet of Things devices against DDoS attacks based on blockchain
CN109729074A (en) * 2018-12-11 2019-05-07 深圳市汇星数字技术有限公司 Audio data encryption and peer-to-peer storage method and system
CN110113328A (en) * 2019-04-28 2019-08-09 武汉理工大学 Software-defined opportunistic network DDoS defence method based on blockchain

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A Blockchain based Online Trading System for DDoS Mitigation Services; Xue Yang et al.; "2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications"; 2019-03-21; full text *
DynaShield: A Cost-Effective DDoS Defense Architecture; Shengbao Zheng et al.; "SIGCOMM Posters and Demos '18: ACM SIGCOMM 2018 Conference Posters and Demos"; 2018-08-25; full text *
Umbrella: Enabling ISPs to Offer Readily Deployable and Privacy-Preserving DDoS Prevention Services; Zhuotao Liu et al.; "IEEE Transactions on Information Forensics and Security"; 2018-09-17; Section VII.B *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant