CN111447182B - Method for defending link flooding attack and method for simulating link flooding attack - Google Patents

Info

Publication number
CN111447182B
Authority
CN
China
Legal status
Active
Application number
CN202010148633.2A
Other languages
Chinese (zh)
Other versions
CN111447182A (en)
Inventor
葛宁
陈旭
冯伟
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Application filed by Tsinghua University
Priority to CN202010148633.2A
Publication of CN111447182A
Application granted
Publication of CN111447182B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

Embodiments of the invention provide a method for defending against a link flooding attack and a method for simulating a link flooding attack. The defense method comprises: determining the defender revenue function corresponding to each defense strategy the defender may adopt, the defender revenue function depending on the attack traffic intensity; calculating the attack traffic intensity from the observed total traffic at the link ingress; and determining a defense strategy based on the defender revenue function and the attack traffic intensity, wherein the defense strategies comprise no defense, rerouting and traffic cleaning. In this defense method, the defender calculates the attack traffic intensity from the total link ingress traffic and determines the defense strategy from the defender revenue function and the attack traffic intensity. It thereby takes into account both the attacker's attack and the defender's expected revenue structure, avoids the decision uncertainty caused by incomplete information, maximizes the defender's revenue, and improves the soundness of the decision and the robustness of the defense method.

Description

Method for defending link flooding attack and method for simulating link flooding attack
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method for defending against a link flooding attack and a method for simulating a link flooding attack.
Background
With the rapid development of emerging technologies such as the mobile internet and the internet of things, network attacks launched through these technologies have also appeared, among which distributed denial of service (DDoS) attacks are the main form posing a significant threat to network security. In recent years, DDoS attacks have grown increasingly severe in both number and strength, and the proportion of malicious traffic on the internet has risen continuously. Among the many kinds of DDoS attack, the link flooding attack (LFA) is the most covert and the most difficult to counter.
Currently, link flooding attacks are still mainly countered with traffic engineering (TE), which mitigates an LFA by diverting and cleaning the congested traffic: traffic diversion is mainly implemented by rerouting, and traffic cleaning is based on zombie node detection technology. In practice, LFA countermeasures based on traffic engineering often struggle to achieve a good cost-benefit ratio, and it is difficult to ensure their applicability and robustness under incomplete information.
Disclosure of Invention
Embodiments of the present invention provide a method for network attack and defense of link flooding attack that overcomes or at least partially solves the above problems.
In a first aspect, an embodiment of the present invention provides a method for defending against a link flooding attack, including: determining the defender revenue function corresponding to each defense strategy the defender may adopt, wherein the defender revenue function depends on the attack traffic intensity; calculating the attack traffic intensity based on the observed total link ingress traffic; and determining a defense strategy based on the defender revenue function and the attack traffic intensity; wherein the defense strategies comprise no defense, rerouting and traffic cleaning.
In some embodiments, determining the defender revenue function for each defense strategy comprises: determining the defender revenue function $u_2(a_i, I)$ when the defender takes no defense, where $a_i$ is the attack traffic intensity and $I$ denotes no defense; determining the defender revenue function $u_2(a_i, R)$ when the defender reroutes, where $R$ denotes rerouting; and determining the defender revenue function $u_2(a_i, S)$ when the defender uses traffic cleaning, where $S$ denotes traffic cleaning. Determining a defense strategy based on the defender revenue function and the attack traffic intensity comprises: for the attack traffic intensity $a_i$, comparing the defender revenue functions $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$ pairwise, and selecting the defense strategy corresponding to the largest defender revenue function.
In some embodiments, comparing the defender revenue functions $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$ pairwise for the attack traffic intensity $a_i$ and selecting the defense strategy corresponding to the largest defender revenue function comprises: determining a first decision factor $g_{RI}$ based on the defender revenue functions $u_2(a_i, I)$ and $u_2(a_i, R)$; determining a second decision factor $g_{RS}$ based on the defender revenue functions $u_2(a_i, R)$ and $u_2(a_i, S)$; determining a third decision factor $g_{IS}$ based on the defender revenue functions $u_2(a_i, I)$ and $u_2(a_i, S)$; wherein the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$ depend on the attack traffic intensity $a_i$; and determining a defense strategy based on the attack traffic intensity $a_i$, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$.
In some embodiments,
Figure BDA0002401662090000021
Figure BDA0002401662090000031
$u_2(a_i, S) = \phi_i G_d - (\phi_i + a_i) C_s$
where $\phi_i$ is the normal traffic load on the i-th link, $b_i$ is the total bandwidth of the i-th link, $W_i$ is the rerouting bandwidth of the i-th link, $a_i$ is the attack traffic on the i-th link, $G_d$ is the average value of normal traffic load, $C_r$ is the cost of rerouting, and $C_s$ is the cost of traffic cleaning;
Figure BDA0002401662090000032
Figure BDA0002401662090000033
Figure BDA0002401662090000034
Determining a defense strategy based on the attack traffic intensity $a_i$, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$ comprises: when $a_i \le b_i - \phi_i$, the defense strategy is no defense; when $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$ and $g_{RI} \ge 0$, the defense strategy is rerouting; when $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$ and $g_{RI} < 0$, the defense strategy is no defense; when $a_i \ge b_i + W_i - \phi_i$ and $g_{RI} < 0$, the defense strategy is traffic cleaning if $g_{IS} < 0$ and no defense if $g_{IS} \ge 0$; when $a_i \ge b_i + W_i - \phi_i$ and $g_{RI} \ge 0$, the defense strategy is traffic cleaning if $g_{RS} < 0$ and rerouting if $g_{RS} \ge 0$.
In a second aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the method for defending against a link flooding attack as described in any one of the above methods when executing the program.
In a third aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method for defending against a link flooding attack as described in any one of the above methods.
In a fourth aspect, an embodiment of the present invention provides a method for simulating a link flooding attack, including: determining the attacker revenue function for each defense strategy the defender may adopt, wherein the attacker revenue function depends on the attack traffic intensity applied by the attacker; obtaining a link payload estimate based on prior information; determining, based on the attacker revenue function and the link payload estimate, the attacker's alternative attack traffic intensity corresponding to each defense strategy adopted by the defender, wherein the defense strategies comprise no defense and rerouting; and determining an attack strategy according to the method for defending against a link flooding attack and the alternative attack traffic intensities.
In some embodiments, determining the attacker revenue function for each defense strategy the defender may adopt includes: determining the attacker revenue function $u_1(a_i, I)$ when the defender takes no defense, where $a_i$ is the attack traffic intensity and $I$ denotes no defense; and determining the attacker revenue function $u_1(a_i, R)$ when the defender reroutes, where $R$ denotes rerouting. Determining, based on the attacker revenue function and the link payload, the attacker's alternative attack traffic intensity corresponding to each defense strategy adopted by the defender includes: taking the attack traffic intensity $a_i$ at which the attacker revenue function $u_1(a_i, I)$ reaches its maximum value as the alternative attack traffic intensity
Figure BDA0002401662090000041
Alternative attack traffic strength
Figure BDA0002401662090000042
corresponds to the defender taking no defense; taking the attack traffic intensity $a_i$ at which the attacker revenue function $u_1(a_i, R)$ reaches its maximum value as the alternative attack traffic intensity
Figure BDA0002401662090000043
Alternative attack traffic strength
Figure BDA0002401662090000044
corresponds to the defender adopting rerouting.
In some embodiments, determining, based on the attacker revenue function and the link payload, the attacker's alternative attack traffic intensity corresponding to each defense strategy adopted by the defender includes: if
Figure BDA0002401662090000045
verifying whether $u_1(F_a, I) > 0$ when the attack traffic intensity is $F_a$ and the defender takes no defense; if $u_1(F_a, I) > 0$, the attack is executed with attack traffic intensity $F_a$, where $F_a$ is the maximum attack traffic that the attacker can launch.
In some embodiments,
Figure BDA0002401662090000051
Figure BDA0002401662090000052
where $\phi_i$ is the normal traffic load on the i-th link, $b_i$ is the total bandwidth of the i-th link, $W_i$ is the rerouting bandwidth of the i-th link, $a_i$ is the attack traffic on the i-th link, $C_a$ is the cost the attacker incurs to launch traffic, and $G_a$ is the average revenue the attacker obtains by blocking normal traffic.
According to the defense method of the link flooding attack and the link flooding attack simulation method provided by the embodiment of the invention, in the defense method of the link flooding attack, the defending party calculates the attack flow intensity through the total flow of the link entrance, and determines the defending strategy according to the defending party revenue function and the attack flow intensity, and comprehensively considers the attacking condition of the attacking party and the defending party expected revenue structure, so that the problem of decision uncertainty caused by incomplete information is avoided, the defending party revenue maximization is ensured, and the scientificity of the decision and the robustness of the defense method are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is an LFA attack and defense game model according to an embodiment of the present invention;
FIG. 2 is a flow chart of a link flooding defense method according to an embodiment of the present invention;
FIG. 3 is an LFA defense strategy selection decision tree according to an embodiment of the present invention;
FIG. 4 is a flowchart of a link flooding attack simulation method according to an embodiment of the present invention;
FIG. 5 is an attack decision flow in the link flooding attack simulation method according to an embodiment of the present invention;
FIG. 6 is an experimental result diagram of the link flooding defense method according to an embodiment of the present invention;
FIG. 7 is an experimental result diagram of the link flooding attack simulation method according to an embodiment of the present invention;
FIG. 8 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention performs strategy analysis based on an extended Bayesian game model, whose principle is shown in FIG. 1. The figure considers the attack-defense game on a single link $l_i$. Assume that the total bandwidth of link $l_i$ is $b_i$ (in Gbps). The attacker injects malicious traffic of intensity $a_i$ (in Gbps) into link $l_i$, attempting to congest $l_i$ so that normal traffic suffers packet loss and the purpose of the attack is achieved, where $F_a$ is the maximum attack traffic that the attacker can launch. $a_i = 0$ means that the attacker does not attack $l_i$.
The following describes a method for defending against a link flooding attack and a method for simulating a link flooding attack according to an embodiment of the present invention with reference to fig. 1 to 8.
As shown in fig. 1 and fig. 2, the method for defending against a link flooding attack according to the embodiment of the present invention includes step S100, step S200, and step S300.
Step S100: determine the defender revenue function corresponding to each defense strategy the defender may adopt, wherein the defender revenue function depends on the attack traffic intensity. The defense strategies comprise no defense, rerouting and traffic cleaning.
It can be understood that the defender can preset various defending strategies in advance to resist link flooding attacks of different situations. Meanwhile, the defender can predict the corresponding income and expenditure cost when adopting various defending strategies, and finally determine the income function corresponding to the various defending strategies, wherein the income function of the defender is related to the attack traffic intensity.
For example, in FIG. 1, the attacker's attack traffic intensity on link $l_i$ is $a_i$ (in Gbps). Depending on the attack traffic intensity $a_i$, the defense strategy the defender can adopt is denoted $d_i$, and $d_i$ is assumed to take one of 3 defense strategies: no defense (denoted $I$), rerouting (denoted $R$) and traffic cleaning (denoted $S$). The average gain of normal traffic load is $G_d$ yuan/Gbps; the cost of rerouting is $C_r$ yuan/Gbps; the cost of traffic cleaning is $C_s$ yuan/Gbps. Assuming the defense strategy adopted by the defender is rerouting, the defender revenue function then gives the defender's revenue when the attack traffic intensity is $a_i$ and the defense strategy is rerouting.
Step S200: calculate the attack traffic intensity based on the observed total link ingress traffic.
It should be noted that, in practical application, information is asymmetric between the defender and the attacker, and the defender generally cannot know the attacker's attack traffic intensity, so in the related art it is impossible to make a defense strategy from the defender's revenue and the attacker's information. In the defense method provided by this embodiment, the attack traffic intensity on the link can be calculated from the total link ingress traffic alone, so that the defense strategy can be formulated according to the defender's revenue. Specifically, the attacker acts first and the defender then makes its defense strategy. Under incomplete information, the defender obtains the total ingress traffic of link $l_i$. Since the defender knows the normal traffic on link $l_i$, it can subtract the normal traffic from the total ingress traffic to calculate the attacker's attack traffic intensity $a_i$ on link $l_i$, and finally formulate a defense strategy based on that attack traffic intensity. The defender thus fully considers the attacker's real-time attack, which keeps the defense strategy sound and avoids the decision uncertainty caused by incomplete information.
For example, when the normal traffic on link $l_i$ is 5 Gbps and the observed total ingress traffic of link $l_i$ is 8 Gbps, the attacker's attack traffic intensity on the link is the value the defender obtains by subtracting the normal traffic from the total ingress traffic of 8 Gbps, so the attack traffic intensity is 3 Gbps.
It should be noted that, in practical application, the total ingress traffic of link $l_i$ changes dynamically over time. When calculating the attacker's attack traffic intensity, a plurality of sampled values of the total ingress traffic of link $l_i$ in the current time period and a plurality of corresponding normal traffic values are obtained, the mean of the sampled values and the mean of the normal traffic values are calculated, and the estimate of the attacker's attack traffic intensity on the link is obtained by subtracting the mean normal traffic from the mean total ingress traffic. Estimating the attack traffic intensity from the mean total ingress traffic and the mean normal traffic ensures the stability and practicability of the defender's defense strategy.
Step S300: determine a defense strategy based on the defender revenue function and the attack traffic intensity.
It can be understood that after the defender obtains the attack traffic intensity, the defender can further determine an optimal defending strategy by combining with a defending party revenue function, so that the defending party revenue maximization is ensured while the link flooding attack defense is realized.
For example, let the attack traffic be $a_1$. $u_2(a_1, I)$ is the revenue when the attack traffic is $a_1$ and the defense strategy is $I$; $u_2(a_1, R)$ is the revenue when the attack traffic is $a_1$ and the defense strategy is $R$; $u_2(a_1, S)$ is the revenue when the attack traffic is $a_1$ and the defense strategy is $S$. When $u_2(a_1, R) > u_2(a_1, I) > u_2(a_1, S)$, the defense strategy $R$ corresponding to the highest revenue is selected for defense.
In practical use, the defense strategy of the defense party in the above embodiment is not limited to 3 situations of non-defense, rerouting and traffic cleaning, and the composition of the defense strategy can be adjusted adaptively according to the actual situation of the link flooding attack, that is, the strategies other than non-defense, rerouting and traffic cleaning are adopted, which is not specifically limited in this embodiment.
In the embodiment, the situation that information asymmetry exists between the defending party and the attacking party is considered, when the defending party makes a defending strategy, the attacking party acts first, the defending party calculates the attack flow intensity through the total flow of the link inlet, and the defending strategy is made based on the attack flow intensity, so that the influence of the attacking party on the attacking information is considered, the problem of decision uncertainty caused by incomplete information is avoided, the change of the attack flow intensity of an attacker can be better adapted, and the defending strategy can be flexibly adjusted. In addition, when the defending party selects the defending strategy, the attacking flow of the attacking party and the expected income structure of the defending party are comprehensively considered, the defending cost and the normal service flow cost change are dynamically adapted, the robustness of the defending method of the link flooding attack is improved, the optimality and the stability of the defending method are ensured, and the scientificity of the decision is enhanced.
In the defense method for the link flooding attack, provided by the embodiment of the invention, the defender calculates the attack flow intensity through the total flow of the link entrance, determines the defending strategy according to the defending party revenue function and the attack flow intensity, comprehensively considers the attack condition of the attacking party and the expected revenue structure of the defending party, avoids the problem of uncertainty of decision caused by incomplete information, ensures the profit maximization of the defending party, and improves the scientificity of the decision and the robustness of the defense method.
In some embodiments, as shown in FIG. 2, determining the defender revenue function for each defense strategy includes: determining the defender revenue function $u_2(a_i, I)$ when the defender takes no defense, where $a_i$ is the attack traffic intensity and $I$ denotes no defense; determining the defender revenue function $u_2(a_i, R)$ when the defender reroutes, where $R$ denotes rerouting; and determining the defender revenue function $u_2(a_i, S)$ when the defender uses traffic cleaning, where $S$ denotes traffic cleaning.
It should be noted that, when the defenders adopt different defending strategies, the revenues of the defenders are different, and meanwhile, the revenues function of the defenders is related to the attack traffic intensity. When the defense strategy is determined according to the defense income function, the defense income is maximized according to the actual attack condition, and the scientificity of decision is improved.
It will be appreciated that $u_2(0, d_i)$ denotes the defender revenue function and $\phi_i$ denotes the normal traffic load.
When $a_i = 0$, the defender revenue function is:
$u_2(0, I) = \phi_i G_d$
$u_2(0, R) = \phi_i G_d$
$u_2(0, S) = \phi_i (G_d - C_s)$
where $I$ denotes no defense; $R$ denotes rerouting; $S$ denotes traffic cleaning; $u_2(0, I)$ is the defender revenue function when the attack traffic $a_i$ is 0 and the defense strategy is $I$; $u_2(0, R)$ is the defender revenue function when the attack traffic $a_i$ is 0 and the defense strategy is $R$; $u_2(0, S)$ is the defender revenue function when the attack traffic $a_i$ is 0 and the defense strategy is $S$; $\phi_i$ is the normal traffic load on the i-th link; $G_d$ is the average value of normal traffic load; and $C_s$ is the cost of traffic cleaning.
When $a_i > 0$ and $d_i = I$, the defender revenue function is:
Figure BDA0002401662090000101
where $a_i$ is the attack traffic on the i-th link; $I$ denotes no defense; $u_2(a_i, I)$ is the defender revenue function when the attack traffic is $a_i$ and the defense strategy is $I$; $b_i$ is the total bandwidth of the i-th link; $\phi_i$ is the normal traffic load on the i-th link; and $G_d$ is the average value of normal traffic load.
When $a_i > 0$ and $d_i = R$, the defender revenue function is:
Figure BDA0002401662090000102
where $a_i$ is the attack traffic on the i-th link; $R$ denotes rerouting; $u_2(a_i, R)$ is the defender revenue function when the attack traffic is $a_i$ and the defense strategy is $R$; $b_i$ is the total bandwidth of the i-th link; $W_i$ is the rerouting bandwidth of the i-th link; $\phi_i$ is the normal traffic load on the i-th link; $C_r$ is the cost of rerouting; and $G_d$ is the average value of normal traffic load.
When $a_i > 0$ and $d_i = S$, the defender revenue function is:
$u_2(a_i, S) = \phi_i G_d - (\phi_i + a_i) C_s$
where $a_i$ is the attack traffic on the i-th link; $S$ denotes traffic cleaning; $u_2(a_i, S)$ is the defender revenue function when the attack traffic is $a_i$ and the defense strategy is $S$; $C_s$ is the cost of traffic cleaning; $\phi_i$ is the normal traffic load on the i-th link; and $G_d$ is the average value of normal traffic load.
In step S300, determining a defense strategy based on the defender revenue function and the attack traffic intensity includes: for the attack traffic intensity $a_i$, comparing the defender revenue functions $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$ pairwise, and selecting the defense strategy corresponding to the largest defender revenue function.
It can be understood that, when determining the defense strategy, if the attack traffic intensity is $a_i$, then $u_2(a_i, R)$, $u_2(a_i, S)$ and $u_2(a_i, I)$ are calculated from the defender revenue function, and the defender selects the defense strategy corresponding to the largest revenue function according to the calculation result.
In actual use, $u_2(a_i, R) - u_2(a_i, I)$ is calculated from the defender revenue function. When $a_i > b_i - \phi_i$ and
Figure BDA0002401662090000111
holds, the defense strategy $I$ is strictly superior to $R$; otherwise $R$ is superior to $I$.
It will be appreciated that $u_2(a_i, R) - u_2(a_i, S)$ is calculated from the defender revenue function. Since traffic cleaning must first reroute the traffic, the cost of traffic cleaning must be greater than the rerouting cost, i.e. $C_s > C_r$. For $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$, $u_2(a_i, R) - u_2(a_i, S) > 0$ always holds, and the defense strategy $R$ is superior to $S$; when $a_i > b_i + W_i - \phi_i$ and
Figure BDA0002401662090000112
holds, the defense strategy $R$ is superior to $S$.
It should be noted that $u_2(a_i, I) - u_2(a_i, S)$ is calculated from the defender revenue function. When $a_i > b_i - \phi_i$ and
Figure BDA0002401662090000113
holds, the defense strategy $I$ is superior to $S$.
For example, when the total bandwidth of the target i-th link is $b_i = 10$ Gbps, the rerouting bandwidth of the i-th link is $W_i = 20$ Gbps, the average value of normal traffic load is $G_d = 2000$ yuan/GB, the rerouting cost is $C_r = 40$ yuan/GB, the traffic cleaning cost is $C_s = 100$ yuan/GB, the normal traffic load of the link is $\phi_i = 5$ Gbps and the attack traffic is $a_i = 10$ Gbps, then $b_i - \phi_i < a_i < b_i - \phi_i + W_i$ and, correspondingly,
Figure BDA0002401662090000114
$u_2(a_i, R) = \phi_i G_d - (a_i + \phi_i - b_i) C_r$, $u_1(a_i, S) = -a_i C_a$. If the defender revenue function $u_2(a_i, R)$ is the maximum, the defense strategy adopted by the defender is rerouting.
According to the defense method for the link flooding attack, the yield of the defender is calculated according to the yield function of the defender and the attack flow intensity, the corresponding defending method when the yield is maximum is selected for defense, the yield maximization of the defender is realized, and the practicability of the defending method is ensured.
In some embodiments, as shown in FIG. 2, comparing the defender revenue functions $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$ pairwise for the attack traffic intensity $a_i$ and selecting the defense strategy corresponding to the largest defender revenue function includes: determining a first decision factor $g_{RI}$ based on the defender revenue functions $u_2(a_i, I)$ and $u_2(a_i, R)$; determining a second decision factor $g_{RS}$ based on the defender revenue functions $u_2(a_i, R)$ and $u_2(a_i, S)$; and determining a third decision factor $g_{IS}$ based on the defender revenue functions $u_2(a_i, I)$ and $u_2(a_i, S)$; wherein the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$ depend on the attack traffic intensity $a_i$.
In actual use, the first decision factor $g_{RI}$ is determined from the defender revenue functions $u_2(a_i, I)$ and $u_2(a_i, R)$; the second decision factor $g_{RS}$ is determined from $u_2(a_i, R)$ and $u_2(a_i, S)$; and the third decision factor $g_{IS}$ is determined from $u_2(a_i, I)$ and $u_2(a_i, S)$. Because $g_{RI}$, $g_{RS}$ and $g_{IS}$ depend on the attack traffic intensity $a_i$, the optimal defense against the link flooding attack is selected from $g_{RI}$, $g_{RS}$ and $g_{IS}$ according to the attacker's attack traffic intensity $a_i$.
In FIG. 3, a defense strategy is determined based on the attack traffic intensity $a_i$, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$.
It can be understood that when the attacker's attack traffic intensity is $a_i$, the defender information and the attack traffic intensity $a_i$ are combined to calculate the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$, and the defense strategy is determined by the signs of $g_{RI}$, $g_{RS}$ and $g_{IS}$.
The defender information comprises the network topology, the total bandwidth $b_i$ of the i-th link, the rerouting bandwidth $W_i$ of the i-th link, the normal traffic load on link $l_i$
Figure BDA0002401662090000121
the attacker revenue function $u_1(a_i, d_i)$ and the defender revenue function $u_2(a_i, d_i)$, wherein the normal traffic load $\phi_i$ on link $l_i$ is private information of the defender, and $0 \le \phi_i \le b_i$.
In the defense method for the link flooding attack, the first, second and third decision factors are determined from the defender revenue functions, and the corresponding defense strategy is selected by checking the signs of the three decision factors, which simplifies the decision process and improves the efficiency of defending against the link flooding attack.
In some embodiments, as shown in FIGS. 2 and 3, in the method for defending against link flooding attacks,
Figure BDA0002401662090000131
Figure BDA0002401662090000132
$u_2(a_i, S) = \phi_i G_d - (\phi_i + a_i) C_s$
where $\phi_i$ is the normal traffic load on the i-th link, $b_i$ is the total bandwidth of the i-th link, $W_i$ is the rerouting bandwidth of the i-th link, $a_i$ is the attack traffic on the i-th link, $G_d$ is the average value of the normal traffic load, $C_r$ is the cost of rerouting, and $C_s$ is the cost of flow cleaning.
It should be noted that when the attacker's attack traffic on the i-th link satisfies $a_i > 0$, the defender revenue functions corresponding to the defense strategies I, R and S are $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$, which ensures the flexibility and accuracy of defense strategy selection.
It can be understood that when the attacker's attack traffic on the i-th link is 0, i.e. $a_i = 0$, the defender revenue function $u_2(0, d_i)$ for any defense strategy $d_i$ is as follows:
$u_2(0, I) = \phi_i G_d$
$u_2(0, R) = \phi_i G_d$
$u_2(0, S) = \phi_i (G_d - C_s)$
In the method for defending against link flooding attacks, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$ can be expressed as:
Figure BDA0002401662090000141
Figure BDA0002401662090000142
Figure BDA0002401662090000143
The defense strategy is determined based on the attack traffic intensity $a_i$, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$.
It should be noted that when the attacker's attack traffic on the i-th link satisfies $a_i > 0$, the first decision factor $g_{RI}$ is obtained from $u_2(a_i, I)$ and $u_2(a_i, R)$, the second decision factor $g_{RS}$ is obtained from $u_2(a_i, R)$ and $u_2(a_i, S)$, and the third decision factor $g_{IS}$ is obtained from $u_2(a_i, I)$ and $u_2(a_i, S)$.
In actual use, the decision tree for defense strategy selection is determined from the first, second and third decision factors, as shown in FIG. 3.
In FIG. 3, when $a_i \le b_i - \phi_i$, the defense strategy is no defense. When $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$ and $g_{RI} \ge 0$, the defense strategy is rerouting; otherwise, when $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$ and $g_{RI} < 0$, the defense strategy is no defense. When $a_i \ge b_i + W_i - \phi_i$: if $g_{RI} < 0$ and $g_{IS} < 0$, the defense strategy is flow cleaning; if $g_{RI} < 0$ and $g_{IS} \ge 0$, the defense strategy is no defense; if $g_{RI} \ge 0$ and $g_{RS} < 0$, the defense strategy is flow cleaning; and if $g_{RI} \ge 0$ and $g_{RS} \ge 0$, the defense strategy is rerouting.
According to the defense method for the link flooding attack, provided by the embodiment of the invention, the accuracy and flexibility of the selection of the defense strategies are ensured by determining the revenue functions corresponding to the defense strategies. Meanwhile, corresponding decision factors are determined based on the revenue functions, the complexity of decision selection is reduced, and the defense efficiency of the link flooding attack is improved.
In the link flooding defense method provided by the invention, assume a target link bandwidth $b_i$ = 10 Gbps, a spare link bandwidth $W_i$ = 20 Gbps, an average value of normal traffic $G_d$ = 2000 yuan/GB, a rerouting cost $C_r$ = 40 yuan/GB, a flow cleaning cost $C_s$ = 100 yuan/GB, a malicious traffic launch cost $C_a$ = 20 yuan/Gbps, and a gain obtainable by the attacker from blocking normal traffic of $G_a$ = 1500 yuan/GB.
Set the normal traffic load of the link to $\phi_i$ = 5 Gbps and let the attack traffic $a_i$ increase from 0 Gbps to 100 Gbps in steps of 10 Gbps. For each $a_i$, an attack lasting 1 second is simulated, the defense strategy is selected using the method of the invention, and the defender's revenue is calculated; 1000 simulations are run for each $a_i$ and the results are averaged.
The experimental results are shown in FIG. 6. The comparison strategies in the figure are: (1) simple rerouting strategy: once link congestion is detected, rerouting is applied; (2) situational cleaning strategy: when the packet loss rate reaches or exceeds a certain threshold, flow cleaning is performed (the threshold set in the experiment is 50%). The experimental results show that the strategy selection method provided by the invention achieves the optimal defender revenue under the various attack traffic intensities.
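The selection rule described above, as an added example that is not part of the patent text. The page gives only $u_2(a_i, S)$ in full (the other formulas survive as figure placeholders), so `u2_I` and `u2_R` below are hypothetical stand-in models, the decision factors are assumed to be pairwise revenue differences, and the region thresholds are taken as $b_i - \phi_i$ and $b_i + W_i - \phi_i$. The code runs the FIG. 3 tree over the experiment's attack sweep and reports how far each choice is from the brute-force best of the three revenues.

```python
"""Added example: defense selection via decision factors and the FIG. 3 tree."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    b: float    # total bandwidth b_i
    W: float    # rerouting bandwidth W_i
    phi: float  # normal traffic load phi_i (defender's private information)
    G_d: float  # average value of normal traffic
    C_r: float  # rerouting cost
    C_s: float  # flow-cleaning cost


def u2_I(link, a):
    """HYPOTHETICAL stand-in for u2(a_i, I): once the link is congested, only
    the fraction b/(phi+a) of normal traffic gets through."""
    total = link.phi + a
    share = 1.0 if total <= link.b else link.b / total
    return link.phi * share * link.G_d


def u2_R(link, a):
    """HYPOTHETICAL stand-in for u2(a_i, R): capacity grows to b+W and every
    unit of traffic that overflows onto the backup path costs C_r."""
    total = link.phi + a
    cap = link.b + link.W
    share = 1.0 if total <= cap else cap / total
    rerouted = max(0.0, min(total, cap) - link.b)
    return link.phi * share * link.G_d - rerouted * link.C_r


def u2_S(link, a):
    """Formula given on the page: u2(a_i, S) = phi_i*G_d - (phi_i + a_i)*C_s."""
    return link.phi * link.G_d - (link.phi + a) * link.C_s


REVENUE = {"I": u2_I, "R": u2_R, "S": u2_S}


def decision_factors(link, a):
    """Pairwise differences. ASSUMED sign convention: g_XY >= 0 means X is at
    least as good as Y, which is what the tree's branches require."""
    u_i, u_r, u_s = (REVENUE[d](link, a) for d in "IRS")
    return {"g_RI": u_r - u_i, "g_RS": u_r - u_s, "g_IS": u_i - u_s}


def select_defense(link, a):
    """Decision tree of FIG. 3 as described in the text."""
    g = decision_factors(link, a)
    free = link.b - link.phi  # attack volume the link absorbs without loss
    if a <= free:
        return "I"
    if a <= free + link.W:
        return "R" if g["g_RI"] >= 0 else "I"
    if g["g_RI"] < 0:
        return "S" if g["g_IS"] < 0 else "I"
    return "S" if g["g_RS"] < 0 else "R"


def sweep(link, intensities):
    """Return (a_i, chosen strategy, defender revenue, gap to brute-force best)."""
    rows = []
    for a in intensities:
        d = select_defense(link, a)
        got = REVENUE[d](link, a)
        best = max(f(link, a) for f in REVENUE.values())
        rows.append((a, d, got, best - got))
    return rows


# Parameter values quoted in the page's experiment. 1 Gbps for 1 s is treated
# as one traffic unit; the unit factor scales all three revenues equally, so it
# does not change which strategy wins.
PAGE_LINK = Link(b=10, W=20, phi=5, G_d=2000, C_r=40, C_s=100)
# Constructed variant with cheaper cleaning, to exercise the S branch.
CHEAP_CLEANING = replace(PAGE_LINK, C_s=50)

if __name__ == "__main__":
    for name, link in (("page values", PAGE_LINK),
                       ("C_s=50 (constructed)", CHEAP_CLEANING)):
        print(name)
        for a, d, rev, gap in sweep(link, range(0, 101, 10)):
            print(f"  a_i={a:3d}  strategy={d}  u2={rev:9.1f}  gap={gap:.1f}")
```

With the stand-in models the tree never selects flow cleaning at the page's cost values; the constructed cheaper-cleaning link shows the S branch taking over once the attack exceeds the rerouting headroom.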
Fig. 8 illustrates a physical structure diagram of an electronic device, and as shown in fig. 8, the electronic device may include: a processor (processor)810, a communication Interface 820, a memory 830 and a communication bus 840, wherein the processor 810, the communication Interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may invoke logic instructions in the memory 830 to perform a method of defending against a link flooding attack, the method comprising: determining a corresponding defending party revenue function when the defending party adopts various defending strategies, wherein the defending party revenue function is related to the attack flow intensity; calculating the attack flow intensity based on the observed total flow of the link entrance; determining a defense strategy based on a defense party revenue function and the attack traffic intensity; wherein the defense strategy comprises the steps of non-defense, rerouting and flow cleaning.
It should be noted that, when being implemented specifically, the electronic device in this embodiment may be a server, a PC, or other devices, as long as the structure includes the processor 810, the communication interface 820, the memory 830, and the communication bus 840 shown in fig. 8, where the processor 810, the communication interface 820, and the memory 830 complete mutual communication through the communication bus 840, and the processor 810 may call the logic instructions in the memory 830 to execute the above method. The embodiment does not limit the specific implementation form of the electronic device.
In addition, the logic instructions in the memory 830 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Further, an embodiment of the present invention discloses a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the method for defending against link flooding attack provided by the above method embodiments, including: determining a corresponding defending party revenue function when the defending party adopts various defending strategies, wherein the defending party revenue function is related to the attack flow intensity; calculating the attack flow intensity based on the observed total flow of the link entrance; determining a defense strategy based on a defense party revenue function and the attack traffic intensity; wherein the defense strategy comprises the steps of non-defense, rerouting and flow cleaning.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to, when executed by a processor, perform the method for defending against a link flooding attack provided in the foregoing embodiments, where the method includes: determining a corresponding defending party revenue function when the defending party adopts various defending strategies, wherein the defending party revenue function is related to the attack flow intensity; calculating the attack flow intensity based on the observed total flow of the link entrance; determining a defense strategy based on a defense party revenue function and the attack traffic intensity; wherein the defense strategy comprises the steps of non-defense, rerouting and flow cleaning.
The present invention also provides a link flooding attack simulation method, as shown in fig. 4 and 5, the link flooding attack simulation method includes steps 100, 200, 300, and 400.
Step 100: determining the attacker revenue function when the defender adopts each defense strategy, wherein the attacker revenue function is related to the attack traffic intensity applied by the attacker.
It will be appreciated that the attacker revenue function differs between defense strategies. With attack traffic intensity $a_i$ and three possible defense strategies, namely no defense (denoted by I), rerouting (denoted by R) and flow cleaning (denoted by S): when the defense strategy is no defense, the attacker revenue function is $u_1(a_i, I)$; when the defense strategy is rerouting, the attacker revenue function is $u_1(a_i, R)$; and when the defense strategy is flow cleaning, the attacker revenue function is $u_1(a_i, S)$.
Step 200: obtaining a link payload estimate based on prior information.
It should be noted that the attacker may use the prior information to estimate the defender's private information, i.e. the link payload $\phi_i$, to obtain an estimated value
Figure BDA0002401662090000171
For a single-shot game, maximum likelihood estimation is used and the mean of the distribution is taken as the estimate of $\phi_i$; for a repeated game, when the defender's strategy has not been predicted accurately, the attacker can learn by observing the result of the previous round and applying Bayesian inference, continuously refining the estimate of $\phi_i$ to obtain a more accurate
Figure BDA0002401662090000172
Step 300: determining, based on the attacker revenue function and the link payload estimate, the candidate attack traffic intensities corresponding to each defense strategy the defender may adopt; wherein the defense strategies comprise no defense and rerouting.
It should be noted that the attacker revenue function is a convex function of the attack traffic, and when the defender selects strategy I (no defense) or R (rerouting), the attacker revenue function has a unique maximum point in each case. Assume the attack traffic values corresponding to these extreme points are respectively
Figure BDA0002401662090000173
and
Figure BDA0002401662090000174
After the attacker obtains the payload estimate for link $l_i$, it calculates from that estimate the corresponding values
Figure BDA0002401662090000175
and
Figure BDA0002401662090000176
then
Figure BDA0002401662090000177
and
Figure BDA0002401662090000178
are the candidate attack traffic intensities corresponding to the defender adopting the I and R defense strategies, respectively.
Step 400: determining the attack strategy according to the defense method for the link flooding attack and the candidate attack traffic intensities.
It should be noted that, as shown in FIG. 5, after obtaining the candidate attack traffic intensities, the attacker simulates the defender's decision process. It first predicts whether, when attacked with
Figure BDA0002401662090000181
the defender would adopt strategy I; if so, and
Figure BDA0002401662090000182
holds, then
Figure BDA0002401662090000183
is a feasible attack decision; otherwise, it goes on to predict whether, when attacked with
Figure BDA0002401662090000184
the defender would adopt strategy R; if so, and
Figure BDA0002401662090000185
holds, then
Figure BDA0002401662090000186
is a feasible attack decision; otherwise, the attacker does not attack.
In the link flooding attack simulation method provided by the embodiment of the invention, the attacker first estimates the normal load of the target link using prior knowledge, estimates the attack traffic intensity for each of the defender's defense strategies, and determines the final attack strategy by predicting the defender's decision process. The attack traffic intensity is therefore decided in a targeted manner, which avoids the decision uncertainty caused by incomplete information. In addition, being based on a Bayesian Nash equilibrium strategy, the decision results are optimal and stable.
In some embodiments, as shown in FIG. 4, determining the attacker revenue function when the defender adopts each defense strategy comprises: determining the attacker revenue function $u_1(a_i, I)$ when the defender adopts no defense, where $a_i$ is the attack traffic intensity and I denotes no defense; and determining the attacker revenue function $u_1(a_i, R)$ when the defender adopts rerouting, where R denotes rerouting.
It can be understood that the attacker revenue function differs with the defender's defense strategy: it is $u_1(a_i, I)$ when the defender adopts no defense and $u_1(a_i, R)$ when the defender adopts rerouting. Given the defense strategy adopted by the defender, the attacker obtains its revenue from the corresponding revenue function, so the attack strategy is determined by evaluating the revenue functions, which ensures that the attacker's revenue is maximized.
Determining, based on the attacker revenue function and the link payload, the candidate attack traffic intensities corresponding to each defense strategy adopted by the defender comprises: taking the attack traffic intensity $a_i$ at which the attacker revenue function $u_1(a_i, I)$ is maximal as the candidate attack traffic intensity
Figure BDA0002401662090000191
the candidate attack traffic intensity
Figure BDA0002401662090000192
corresponding to the defender adopting no defense; and taking the attack traffic intensity $a_i$ at which the attacker revenue function $u_1(a_i, R)$ is maximal as the candidate attack traffic intensity
Figure BDA0002401662090000193
the candidate attack traffic intensity
Figure BDA0002401662090000194
corresponding to the defender adopting rerouting.
As can be appreciated, when the attacker revenue function $u_1(a_i, I)$ takes its maximum value, the corresponding attack traffic intensity $a_i$ is taken as
Figure BDA0002401662090000195
and when the attacker revenue function $u_1(a_i, R)$ takes its maximum value, the corresponding attack traffic intensity $a_i$ is taken as
Figure BDA0002401662090000196
In actual use, if the attacker estimates the link payload as
Figure BDA0002401662090000197
then substituting
Figure BDA0002401662090000198
into $u_1(a_i, I)$ gives
Figure BDA0002401662090000199
and substituting
Figure BDA00024016620900001910
into $u_1(a_i, R)$ gives
Figure BDA00024016620900001911
Then
Figure BDA00024016620900001912
and
Figure BDA00024016620900001913
are the candidate attack traffic intensities corresponding to the defender adopting the I and R defense strategies, respectively.
In the link flooding attack simulation method provided by the embodiment of the invention, the attacker sets up a revenue function for each defense strategy the defender may adopt and estimates the attack traffic intensity using the link payload estimate, which maximizes the benefit of the attacker's decision and puts the attacker's strategy selection on a more rigorous footing.
In some embodiments, as shown in FIG. 4, in the link flooding attack simulation method, verifying the candidate attack traffic intensity comprises: if
Figure BDA00024016620900001914
the attack traffic intensity $F_a$ is verified: when the defender adopts no defense and $u_1(F_a, I) > 0$, the attack traffic intensity $F_a$ is selected to execute the attack, where $F_a$ is the maximum attack traffic that the attacker can launch.
It will be appreciated that when the defender adopts no defense, the attacker's candidate attack traffic intensity is
Figure BDA00024016620900001915
If this candidate attack traffic intensity exceeds the maximum attack traffic that the attacker can launch, i.e.
Figure BDA00024016620900001916
and $u_1(F_a, I) > 0$, the attacker attacks the target link with attack traffic intensity $F_a$. This ensures the maximum revenue for the attacker and improves the practicality of the attacker's attack strategy.
In some embodiments, as shown in fig. 4, in the link flooding attack simulation method, the revenue function of the attacking party is:
Figure BDA0002401662090000201
Figure BDA0002401662090000202
where $\phi_i$ is the normal traffic load on the i-th link, $b_i$ is the total bandwidth of the i-th link, $W_i$ is the rerouting bandwidth of the i-th link, $a_i$ is the attack traffic on the i-th link, $C_a$ is the cost required for the attacker to launch traffic, and $G_a$ is the average revenue the attacker obtains by blocking normal traffic.
It should be noted that when the attacker's attack traffic intensity is 0, i.e. $a_i = 0$, the attacker revenue function satisfies $u_1(0, d_i) = 0$ for any defense strategy $d_i$ of the defender.
In the link flooding attack simulation method provided by the invention, assume a target link bandwidth $b_i$ = 10 Gbps, a spare link bandwidth $W_i$ = 20 Gbps, an average value of normal traffic $G_d$ = 2000 yuan/GB, a rerouting cost $C_r$ = 40 yuan/GB, a flow cleaning cost $C_s$ = 100 yuan/GB, a malicious traffic launch cost $C_a$ = 20 yuan/Gbps, and a gain obtainable by the attacker from blocking normal traffic of $G_a$ = 1500 yuan/GB.
Let the normal traffic load $\phi_i$ of the link increase from 1 Gbps to 10 Gbps in steps of 1 Gbps, and verify the attack effect under different parameter estimation methods. Suppose the attacker knows that $\phi_i$ follows a distribution on [0, 10]; on that basis, 3 estimation strategies are used to estimate $\phi_i$, and the attack decision is made based on the estimated value
Figure BDA0002401662090000203
as follows:
(1) Maximum likelihood estimation of
Figure BDA0002401662090000204
(2) Random guess: an arbitrary value in [0, 10] is guessed 5 times in succession, and the average is taken as
Figure BDA0002401662090000205
(3) Starting from the maximum likelihood estimate, the estimated value is continuously improved through repeated-game Bayesian learning
Figure BDA0002401662090000206
The experimental results are shown in FIG. 7: the maximum likelihood estimation strategy is better than random guessing in most cases (on average), and the Bayesian learning strategy achieves the optimal attacker revenue.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (4)

1. A method for defending against link flooding attacks is characterized by comprising the following steps:
determining the defender revenue function corresponding to each defense strategy the defender may adopt, wherein the defender revenue function is related to the attack traffic intensity;
calculating the attack traffic intensity based on the observed total link entry traffic;
determining a defense strategy based on the defender revenue function and the attack traffic intensity; wherein the defense strategy comprises no defense, rerouting and flow cleaning;
the determining of the defender revenue function when the defender adopts each defense strategy comprises:
determining the defender revenue function $u_2(a_i, I)$ when the defender adopts no defense, where $a_i$ is the attack traffic intensity and I denotes no defense;
determining the defender revenue function $u_2(a_i, R)$ when the defender adopts rerouting, where R denotes rerouting;
determining the defender revenue function $u_2(a_i, S)$ when the defender adopts flow cleaning, where S denotes flow cleaning;
the determining of a defense strategy based on the defender revenue function and the attack traffic intensity comprises:
based on the attack traffic intensity $a_i$, pairwise comparing the defender revenue functions $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$, and selecting the defense strategy corresponding to the maximum defender revenue function;
the pairwise comparing, based on the attack traffic intensity $a_i$, of the defender revenue functions $u_2(a_i, I)$, $u_2(a_i, R)$ and $u_2(a_i, S)$ and selecting the defense strategy corresponding to the maximum defender revenue function comprises:
determining a first decision factor $g_{RI}$ based on the defender revenue function $u_2(a_i, I)$ and the defender revenue function $u_2(a_i, R)$;
determining a second decision factor $g_{RS}$ based on the defender revenue function $u_2(a_i, R)$ and the defender revenue function $u_2(a_i, S)$;
determining a third decision factor $g_{IS}$ based on the defender revenue function $u_2(a_i, I)$ and the defender revenue function $u_2(a_i, S)$;
wherein the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$ are related to the attack traffic intensity $a_i$;
determining a defense strategy based on the attack traffic intensity $a_i$, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$;
wherein,
Figure FDA0002788779860000021
Figure FDA0002788779860000022
$u_2(a_i, S) = \phi_i G_d - (\phi_i + a_i) C_s$
where $\phi_i$ is the normal traffic load on the i-th link, $b_i$ is the total bandwidth of the i-th link, $W_i$ is the rerouting bandwidth of the i-th link, $a_i$ is the attack traffic on the i-th link, $G_d$ is the average value of the normal traffic load, $C_r$ is the cost of rerouting, and $C_s$ is the cost of flow cleaning;
Figure FDA0002788779860000023
Figure FDA0002788779860000024
Figure FDA0002788779860000025
the determining of a defense strategy based on the attack traffic intensity $a_i$, the first decision factor $g_{RI}$, the second decision factor $g_{RS}$ and the third decision factor $g_{IS}$ comprises:
when $a_i \le b_i - \phi_i$, the defense strategy is no defense;
when $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$ and $g_{RI} \ge 0$, the defense strategy is rerouting; otherwise, when $b_i - \phi_i < a_i \le b_i + W_i - \phi_i$ and $g_{RI} < 0$, the defense strategy is no defense;
when $a_i \ge b_i + W_i - \phi_i$, if $g_{RI} < 0$ and $g_{IS} < 0$, the defense strategy is flow cleaning, and if $g_{RI} < 0$ and $g_{IS} \ge 0$, the defense strategy is no defense;
when $a_i \ge b_i + W_i - \phi_i$, if $g_{RI} \ge 0$ and $g_{RS} < 0$, the defense strategy is flow cleaning, and if $g_{RI} \ge 0$ and $g_{RS} \ge 0$, the defense strategy is rerouting.
2. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method for defending against link flooding attacks as set forth in claim 1 are implemented when the program is executed by the processor.
3. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for defending against a link flooding attack as claimed in claim 1.
4. A method for simulating a link flooding attack, comprising:
determining the attacker revenue function when the defender adopts each defense strategy, wherein the attacker revenue function is related to the attack traffic intensity applied by the attacker;
obtaining a link payload estimate based on prior information;
determining, based on the attacker revenue function and the link payload estimate, the candidate attack traffic intensities corresponding to each defense strategy the defender may adopt; wherein the defense strategies comprise no defense and rerouting;
determining the attack strategy according to a defense method for the link flooding attack and the candidate attack traffic intensities;
the determining of the attacker revenue function when the defender adopts each defense strategy comprises:
determining the attacker revenue function $u_1(a_i, I)$ when the defender adopts no defense, where $a_i$ is the attack traffic intensity and I denotes no defense;
determining the attacker revenue function $u_1(a_i, R)$ when the defender adopts rerouting, where R denotes rerouting;
the determining, based on the attacker revenue function and the link payload, of the candidate attack traffic intensities corresponding to each defense strategy adopted by the defender comprises:
taking the attack traffic intensity $a_i$ at which the attacker revenue function $u_1(a_i, I)$ is maximal as the candidate attack traffic intensity
Figure FDA0002788779860000041
the candidate attack traffic intensity
Figure FDA0002788779860000042
corresponding to the defender adopting no defense;
taking the attack traffic intensity $a_i$ at which the attacker revenue function $u_1(a_i, R)$ is maximal as the candidate attack traffic intensity
Figure FDA0002788779860000043
the candidate attack traffic intensity
Figure FDA0002788779860000044
corresponding to the defender adopting rerouting;
the determining, based on the attacker revenue function and the link payload, of the candidate attack traffic intensities corresponding to each defense strategy adopted by the defender comprises:
if
Figure FDA0002788779860000045
verifying the attack traffic intensity $F_a$: when the defender adopts no defense and $u_1(F_a, I) > 0$, the attack traffic intensity $F_a$ is selected to execute the attack, where $F_a$ is the maximum attack traffic that the attacker can launch;
wherein,
Figure FDA0002788779860000046
Figure FDA0002788779860000047
where $\phi_i$ is the normal traffic load on the i-th link, $b_i$ is the total bandwidth of the i-th link, $W_i$ is the rerouting bandwidth of the i-th link, $a_i$ is the attack traffic on the i-th link, $C_a$ is the cost required for the attacker to launch traffic, and $G_a$ is the average revenue the attacker obtains by blocking normal traffic.
CN202010148633.2A 2020-03-05 2020-03-05 Method for defending link flooding attack and method for simulating link flooding attack Active CN111447182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010148633.2A CN111447182B (en) 2020-03-05 2020-03-05 Method for defending link flooding attack and method for simulating link flooding attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010148633.2A CN111447182B (en) 2020-03-05 2020-03-05 Method for defending link flooding attack and method for simulating link flooding attack

Publications (2)

Publication Number Publication Date
CN111447182A CN111447182A (en) 2020-07-24
CN111447182B true CN111447182B (en) 2021-01-01

Family

ID=71653135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010148633.2A Active CN111447182B (en) 2020-03-05 2020-03-05 Method for defending link flooding attack and method for simulating link flooding attack

Country Status (1)

Country Link
CN (1) CN111447182B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157446B (en) * 2021-10-15 2023-03-28 西安交通大学 Method, system, equipment and readable storage medium for resisting DDoS attack of backbone link
CN115834459B (en) * 2022-10-10 2024-03-26 大连海事大学 Dynamic cleaning system and method for link flooding attack flow

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566387A (en) * 2017-09-14 2018-01-09 中国人民解放军信息工程大学 Cyber-defence action decision method based on attacking and defending evolutionary Game Analysis
CN110035066A (en) * 2019-03-13 2019-07-19 中国科学院大学 A kind of attacking and defending behavior quantitative estimation method and system based on game theory

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808020B (en) * 2010-04-19 2012-05-30 吉林大学 Intrusion response decision-making method based on incomplete information dynamic game
US9471777B1 (en) * 2012-02-24 2016-10-18 Emc Corporation Scheduling of defensive security actions in information processing systems
CN103152345B (en) * 2013-03-07 2015-09-16 南京理工大学常熟研究院有限公司 A kind of optimum attacking and defending decision-making technique of network security of attacking and defending game
CN106453379B (en) * 2016-10-28 2018-10-16 华中科技大学 The security strategy dynamic acquisition method of Process Control System based on attacking and defending game
CN107147670B (en) * 2017-06-16 2019-12-06 福建中信网安信息科技有限公司 APT (android Package) defense method based on game system

Also Published As

Publication number Publication date
CN111447182A (en) 2020-07-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant