CN113067819A - Distributed asynchronous parallel detection algorithm for multi-path attack of MPTCP (Multi-path Transmission control protocol) - Google Patents


Info

Publication number: CN113067819A
Application number: CN202110292025.3A
Authority: CN (China)
Prior art keywords: data, state, message, boundary data, algorithm
Legal status: Withdrawn (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 刘立坤, 余翔湛, 韦贤葵, 史建焘, 叶麟, 葛蒙蒙, 李精卫, 石开宇, 车佳臻, 王久金, 冯帅, 赵跃, 宋赟祖
Current assignee: Harbin Institute of Technology
Original assignee: Harbin Institute of Technology
Application filed by Harbin Institute of Technology
Priority to CN202110292025.3A
Publication of CN113067819A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22: Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A distributed asynchronous parallel detection algorithm for MPTCP protocol multipath attacks, in the technical field of asynchronous parallel attack detection algorithms. The invention consists of three sub-algorithms, which correspond to the three states of the distributed asynchronous detection model state machine: PROCESS_PACKET, PROCESS_STATE and AC_SCAN. PROCESS_PACKET is the state for processing data messages, PROCESS_STATE the state for processing state synchronization messages, and AC_SCAN the scanning state. A data message is processed by the corresponding process_packet sub-algorithm; the process_state sub-algorithm processes state synchronization messages; the ac_scan sub-algorithm is an algorithmic automaton that scans boundary data and supports scanning input data from a designated automaton node: specifically, it supports scanning a whole data message from the automaton root node and scanning boundary data from a designated automaton node. The method solves the technical problems of MPTCP multipath attack detection in the prior art: poor system performance, CPU resource occupation, poor defense effect and poor processing performance.

Description

Distributed asynchronous parallel detection algorithm for multi-path attack of MPTCP (Multi-path Transmission control protocol)
Technical Field
The invention relates to the technical field of asynchronous parallel detection attack algorithms, in particular to the technical field of distributed asynchronous parallel detection MPTCP protocol multi-path attacks.
Background
Some enterprises or organizations relieve the monitoring pressure of large traffic volumes by deploying several network intrusion detection systems (NIDS), but these systems work independently and do not communicate with each other. Such a deployment is a hotbed for multipath transmission attacks: an attacker can cut a malicious feature into several fragments and send the fragments over different network paths, thereby penetrating a traditional intrusion detection system. Although multiple NIDS are deployed, the devices are relatively independent, and no single device sees enough of the network traffic to detect the intrusion signature. As an off-the-shelf tool, Multipath TCP (MPTCP) gives attackers the support they need to launch multipath transmission attacks. MPTCP is the TCP extension suite (RFC 6824) developed by the Internet Engineering Task Force (IETF) Multipath TCP working group, whose purpose is to allow Transmission Control Protocol (TCP) connections to use multiple paths so as to maximize channel resource usage. MPTCP is a TCP-compatible extension of TCP, implemented with a TCP option field, that can split an original TCP connection into multiple sub-connections, each communicating over a separate path. MPTCP is widely used in the wireless domain (e.g. 4G, WiFi): for example, so that users can watch streaming video more smoothly, a mobile handset can use MPTCP to establish a connection over 3G/4G and WiFi at the same time, with seamless handover.
The existing solution is a distributed synchronous detection scheme: when several NIDS receive the MPTCP data packets, each analyzes the data of its own sub-connection, and detection proceeds synchronously in the order of all the sub-connections' data. During detection, the global sending sequence number of each NIDS's own data is synchronized among the NIDS. When one NIDS finds that the global sending sequence number of its own data is the one currently required to be scanned, it performs scanning detection with its own automaton and, after the detection is completed, broadcasts the latest automaton state to all other NIDS. When a NIDS finds that the global sending sequence number of its own data comes later, and the sequence number currently required to be processed is held by another NIDS, it enters a waiting state, waits for the broadcast synchronization content sent by the other NIDS, and executes its scanning task only once its own sending sequence number becomes the current one.
The existing distributed synchronous detection scheme has poor system performance: if a NIDS receives an MPTCP data message whose sending sequence number is not the current sequence number, it waits, which occupies CPU resources; in addition, if a malicious feature is contained in a message that is waiting, the message is successfully delivered to the target server and no defense can be implemented.
Disclosure of Invention
The present invention has been developed in order to solve the technical problems of the prior art synchronization method, and a brief summary of the present invention is provided below in order to provide a basic understanding of some aspects of the present invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to determine the key or critical elements of the present invention, nor is it intended to limit the scope of the present invention.
The technical scheme of the invention is as follows:
An algorithm for distributed asynchronous parallel detection of MPTCP protocol multipath attacks comprises the following steps:
S1. Start a NIDS, which enters the initial state, loads all features and establishes the algorithmic automaton;
S2. The NIDS enters an idle state and waits to receive a message; received messages are of two types, data messages and state synchronization messages;
S3. Judge the type of the received message. When it is a data message, the state machine jumps to the data-message processing state and step S4 is executed; when it is a state synchronization message, the state machine jumps to the state-synchronization-message processing state and step S5 is executed;
S4. After parsing the application-layer data, extract the boundary data; when extraction is complete, the state machine jumps to the scanning state, the data of the whole message is scanned by the algorithmic automaton, and after the scanning task is completed the state machine returns to the idle state and waits for a new message to arrive;
S5. Scan the sending sequence number of the global current state and the current state of the algorithmic automaton; if the sending sequence number of the global current state equals the sending sequence number of the local NIDS's boundary data, move to the scanning state;
S6. The algorithmic automaton scans the boundary data; after the scanning task is finished the state machine returns to the idle state and waits for a new message to arrive;
S7. Detection is complete.
Preferably, the boundary data in step S4 is the data junction of two adjacent MPTCP data packets, composed of the tail portion of the previous packet and the head portion of the next packet, each side accounting for 50%.
Preferably, the length of the boundary data in step S4 is related to the maximum length of all features, by the expression:
$L_{adj} = 2 \times (\max L\{\text{signature}\} - 1)$
where $L_{adj}$ is the boundary data length and $L\{\text{signature}\}$ is a feature length.
Preferably, the data packets received by the NIDS are processed by the sub-algorithm process_packet, and scanning the data of the whole packet with the algorithmic automaton in step S4 comprises the following specific steps:
S4.1. Scan the data message. Judge the type of the data message, of which there are three: START_GLOBAL, END_GLOBAL and DATA. When the message is marked START_GLOBAL, execute step S4.2; when it is marked END_GLOBAL, execute step S4.3; when it is marked DATA, execute step S4.4;
S4.2. Extract the tail boundary data of the data message, scan it from the root node, update the global sequence number and the current state node after scanning, and broadcast the global sequence number and the current state node of the algorithmic automaton to all other NIDS;
S4.3. Extract the head boundary data of the data message, obtain the current state node from the received broadcast state, scan the head boundary data from that node, and broadcast the global sequence number and the current state node of the algorithmic automaton to all other NIDS after the scan is finished;
S4.4. Extract the head boundary data and the tail boundary data of the data message;
S4.5. Judge the relation between the message sequence number and the current global sequence number; there are three cases, as follows:
(1) If the sequence number of the currently received message equals the sequence number in the synchronization state, scan the head and tail boundary data, update the current global sequence number and the current state node, and broadcast the global sequence number and the current state node of the algorithmic automaton to all other NIDS;
(2) If the sequence number of the currently received message is greater than the sequence number in the synchronization state, add the head boundary data, the tail boundary data and the message sequence number to the boundary data linked list, then traverse the list looking for a data message whose sequence number equals the current global sequence number. When a message sequence number equals the sequence number in the synchronization state, scan its head and tail boundary data, delete that boundary data from the list after scanning, and broadcast the global sequence number and the current state node of the algorithmic automaton to the other NIDS; step S4.1 is executed whether or not the global sequence number has changed, and when no message sequence number equals the sequence number in the synchronization state the list is traversed again until one does;
(3) If the sequence number of the currently received message is less than the sequence number in the synchronization state, the data message has been processed on another NIDS and is discarded directly.
Preferably, in step S4.2 the global sequence number and the current state node of the algorithmic automaton are broadcast to all other NIDS; each NIDS creates and maintains a state synchronization table for each MPTCP stream, and when the local state content is updated the other NIDS are notified of the synchronization update by broadcast.
Preferably, the state synchronization content messages sent by other NIDS are processed by the sub-algorithm process_state, and scanning the sending sequence number of the global current state and the current state of the algorithmic automaton in step S5 comprises the following steps:
S5.1. When a state synchronization message is received, traverse the local boundary data list and extract one boundary data;
S5.2. Judge the relation between the current global sequence number and the sequence number of the boundary data; there are three cases, as follows:
(1) If the current global sequence number is greater than the sequence number of the boundary data, the boundary data has been scanned on another NIDS; delete it from the local boundary data linked list and execute step S5.1;
(2) If the global sequence number has changed between before and after the traversal, update the global sequence number and the current state node, broadcast the global sequence number and the current state node of the automaton to all other NIDS, and execute step S5.1;
(3) If the current global sequence number equals the sequence number of the boundary data, execute the task of scanning the boundary data, delete the boundary data from the local boundary data list after the scan is finished, and execute step S5.1;
S5.3. After the traversal is finished, if the global sequence number has changed between before and after the traversal, update the global sequence number and the current state node, and broadcast the global sequence number and the current state node of the automaton to all other NIDS; step S5.1 is then executed.
Preferably, scanning of the input data by the algorithmic automaton is processed by the sub-algorithm ac_scan, and scanning the boundary data with the algorithmic automaton in step S6 comprises the following steps:
S6.1. Set the state node passed to the algorithm as the current state node of the local algorithmic automaton;
S6.2. Traverse the data to be scanned character by character; when the traversal is finished, the algorithm terminates and returns the current state node;
S6.3. Perform the state transition of the algorithmic automaton according to the scanned character and make the node transitioned to the current state node; if the current state node is a successful match, output the result; then continue with step S6.2.
Preferably, in step S4.2, when the global sequence number is broadcast, it is determined whether the stored sending sequence number is correct, with the determination condition:
p.seq > s.cur_state
where seq is the global sequence number in the data packet, cur_state is the current scanning state of the AC automaton in the global scope, p is the data packet and s is the NIDS local state synchronization packet.
The invention has the following beneficial effects: the distributed asynchronous detection algorithm removes the waiting problem of the synchronous method, increases the opportunity for defense, and improves processing performance and detection efficiency. In the distributed asynchronous detection scheme each NIDS performs detection immediately on receiving a data packet, and only the boundary data, which is a small proportion of the total, undergoes state synchronization, so detection efficiency is higher.
Drawings
FIG. 1 is a flow chart of the present invention for processing data messages;
FIG. 2 is a flow chart of the present invention for processing a state synchronization message;
FIG. 3 is a flow chart of the algorithmic automaton scanning boundary data in the present invention;
FIG. 4 is a schematic diagram comparing the detection timeline of the present invention with the prior art;
FIG. 5 is a schematic diagram of the detection model state machine of the present invention;
FIG. 6 is a schematic diagram illustrating boundary data extraction according to the present invention;
FIG. 7 is a pseudo-code diagram of the sub-algorithm process_packet;
FIG. 8 is a pseudo-code diagram of the sub-algorithm process_state;
FIG. 9 is a pseudo-code diagram of the sub-algorithm ac_scan.
Detailed Description
In order that the objects, aspects and advantages of the invention will become more apparent, the invention will be described by way of example only, and in connection with the accompanying drawings. It is to be understood that such description is merely illustrative and not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
First embodiment: referring to fig. 1 to 6, the algorithm for distributed asynchronous parallel detection of MPTCP multipath attacks runs asynchronously on each NIDS server as a state machine and specifically comprises the following steps:
Step one: start the NIDS, which enters the initial INIT state, loads all features and establishes the algorithmic automaton;
Step two: the NIDS enters the IDLE state and waits to receive messages; received messages are of two types, data messages and state synchronization messages;
Step three: judge the type of the received message. When it is a data message, the state machine jumps to the data-message processing state and step four is executed; when it is a state synchronization message, the state machine jumps to the state-synchronization-message processing state and step five is executed.
The invention consists of three sub-algorithms, which correspond to the three states of the distributed asynchronous detection model state machine: PROCESS_PACKET, PROCESS_STATE and AC_SCAN. PROCESS_PACKET is the state for processing data messages, PROCESS_STATE the state for processing state synchronization messages, and AC_SCAN the scanning state. A data message is processed by the corresponding process_packet sub-algorithm; the process_state sub-algorithm processes state synchronization messages; the ac_scan sub-algorithm is an algorithmic automaton that scans boundary data and supports scanning input data from a designated automaton node: specifically, it supports scanning a whole data message from the automaton root node and scanning boundary data from a designated automaton node.
Step four: after parsing the application-layer data, extract the boundary data; when extraction is complete, the state machine jumps to the scanning state, the data message is scanned by the algorithmic automaton, and after the scanning task is completed the state machine returns to the idle state and waits for a new message to arrive.
The boundary data is defined as follows: the data junction of two adjacent MPTCP data messages, consisting of the tail of the previous message and the head of the next message, each side accounting for 50 percent.
The boundary data is extracted as follows. Extracting the boundary data of one data message comprises extracting the head boundary data and the tail boundary data of the message. The head boundary data of a message is the first $\max L\{\text{signature}\} - 1$ characters of the message, and the tail boundary data is the last $\max L\{\text{signature}\} - 1$ characters, where $L\{\text{signature}\}$ denotes a feature length. Each NIDS establishes a linked list for storing boundary data; each node of the list represents the boundary data of one message, and its fields are the message sequence number, the message head boundary data and the message tail boundary data. After the boundary data of each message is extracted, if the message sequence number is greater than the global sequence number, a node holding that message's boundary data must be added to the boundary data linked list.
The length of the boundary data is related to the maximum length of all features, by the expression:
$L_{adj} = 2 \times (\max L\{\text{signature}\} - 1)$ (4-1)
where $L_{adj}$ denotes the boundary data length and $L\{\text{signature}\}$ a feature length.
Feature extraction is illustrated with fig. 6. Assume the maximum feature length in the feature set is 4 and each NIDS receives two messages; the boundary data length is then $L_{adj} = 6$. Sorting the data packets in ascending order of sending sequence number gives $\{p_{11}, p_{21}, p_{12}, p_{22}\}$, from which the three boundary data $\{\langle p_{11}, p_{21}\rangle, \langle p_{21}, p_{12}\rangle, \langle p_{12}, p_{22}\rangle\}$ are obtained.
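The boundary-data extraction described above, as an added example that is not part of the patent text. The feature set and the four packet payloads are constructed; sequence numbers 1 to 4 stand for the sending sequence numbers of p11, p21, p12 and p22 of fig. 6, and the last function checks the property that justifies equation (4-1): any substring no longer than the longest feature that straddles a packet boundary lies entirely inside that boundary's data.

```python
# Constructed example (not from the patent): the fig. 6 scenario, with a feature
# set whose longest signature has length 4, so L_adj = 6 and each half is 3.
SIGNATURES = ["ABCD", "xyz"]

# Four packets of one MPTCP connection keyed by sending sequence number: NIDS 1
# sees p11 (seq 1) and p12 (seq 3), NIDS 2 sees p21 (seq 2) and p22 (seq 4).
# "ABCD" is split between p21 and p12, "xyz" between p12 and p22, so no single
# packet (and hence no single NIDS scanning whole packets) contains a feature.
NIDS1_PACKETS = {1: "GET /index.", 3: "CD&name=xy"}
NIDS2_PACKETS = {2: "html?id=AB", 4: "z HTTP/1.1"}
ALL_PACKETS = {**NIDS1_PACKETS, **NIDS2_PACKETS}


def boundary_length(signatures):
    """Equation (4-1): L_adj = 2 * (max L{signature} - 1)."""
    return 2 * (max(len(s) for s in signatures) - 1)


def head_boundary(payload, half):
    """Head boundary data: the first max L{signature} - 1 characters of a message."""
    return payload[:half]


def tail_boundary(payload, half):
    """Tail boundary data: the last max L{signature} - 1 characters of a message."""
    return payload[-half:]


def boundary_data(packets, signatures):
    """packets maps sending sequence number -> payload, pooled from all NIDS.
    Returns the <p_prev, p_next> boundary data in ascending sequence order as
    (seq_prev, seq_next, tail_prev + head_next)."""
    half = boundary_length(signatures) // 2
    ordered = sorted(packets.items())
    return [(s1, s2, tail_boundary(p1, half) + head_boundary(p2, half))
            for (s1, p1), (s2, p2) in zip(ordered, ordered[1:])]


def all_crossings_covered(packets, signatures, half=None):
    """Why (4-1) is enough: every substring no longer than the longest signature
    that straddles a packet boundary lies entirely inside that boundary's data,
    so a feature split across packets is found by scanning boundary data alone.
    Passing a smaller `half` than max length - 1 shows the guarantee breaking."""
    max_len = max(len(s) for s in signatures)
    half = max_len - 1 if half is None else half
    ordered = [p for _, p in sorted(packets.items())]
    for prev, nxt in zip(ordered, ordered[1:]):
        tail, head = tail_boundary(prev, half), head_boundary(nxt, half)
        joined, cut = prev + nxt, len(prev)
        offset = cut - len(tail)            # index in joined where boundary data starts
        for length in range(2, max_len + 1):
            for start in range(cut - length + 1, cut):      # windows crossing the cut
                if start < 0 or start + length > len(joined):
                    continue
                window = joined[start:start + length]
                if (tail + head)[start - offset:start - offset + length] != window:
                    return False
    return True


def features_in_boundary_data(packets, signatures):
    """Signatures that appear in at least one boundary data of the connection."""
    return sorted({sig for _, _, bd in boundary_data(packets, signatures)
                   for sig in signatures if sig in bd})


if __name__ == "__main__":
    print("L_adj =", boundary_length(SIGNATURES))
    for item in boundary_data(ALL_PACKETS, SIGNATURES):
        print(item)
    print("split features:", features_in_boundary_data(ALL_PACKETS, SIGNATURES))
```

Pooling the packets of both NIDS into one dictionary is only done here to show the three boundary data side by side; in the scheme itself each NIDS holds just its own packets' boundary data in its linked list and learns the other side's state through the broadcast.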
Referring to fig. 1, scanning the data packet with the algorithmic automaton in step four comprises the following specific steps:
Step 4.1: scan the data message. Judge the type of the data message, of which there are three: START_GLOBAL, END_GLOBAL and DATA. When the message is marked START_GLOBAL, execute step 4.2; when it is marked END_GLOBAL, execute step 4.3; when it is marked DATA, execute step 4.4;
Step 4.2: extract the tail boundary data of the data message, scan the tail boundary data from the root node, update the global sequence number and the current state node after the scan is finished, and broadcast the global sequence number and the current state node of the algorithmic automaton to all other NIDS. Each NIDS creates and maintains a state synchronization table for each MPTCP stream, and when the local state content is updated the other NIDS are notified of the synchronization update by broadcast.
Step 4.3: extract the head boundary data of the data message, obtain the current state node from the received broadcast state, scan the head boundary data from that node, and broadcast the global sequence number and the current state node of the algorithmic automaton to all other NIDS after the scan is finished;
Step 4.4: extract the head boundary data and the tail boundary data of the data message;
Step 4.5: judge the relation between the message sequence number and the current global sequence number; there are three cases, as follows:
(1) If the sequence number of the currently received message equals the sequence number in the synchronization state, scan the head and tail boundary data, update the current global sequence number and the current state node, broadcast the global sequence number and the current state node of the algorithmic automaton to all other NIDS, and return to step 4.1;
(2) If the sequence number of the currently received message is greater than the sequence number in the synchronization state, add the head boundary data, the tail boundary data and the message sequence number to the boundary data linked list, then traverse the list looking for a data message whose sequence number equals the current global sequence number. When a message sequence number equals the sequence number in the synchronization state, scan its head and tail boundary data, delete that boundary data from the list after scanning, and broadcast the global sequence number and the current state node of the algorithmic automaton to the other NIDS; step 4.1 is executed whether or not the global sequence number has changed, and when no message sequence number equals the sequence number in the synchronization state the list is traversed again until one does; then return to step 4.1;
(3) If the sequence number of the currently received message is less than the sequence number in the synchronization state, the data message has been processed on another NIDS; discard it directly and return to step 4.1.
Referring to fig. 7, the pseudo-code diagram of the sub-algorithm process_packet illustrates its processing. The sub-algorithm process_packet mainly processes the data packets received by the NIDS. In the pseudo code, line 1 scans the whole data packet. Lines 2-6 extract the boundary data stored at the tail of a packet marked START_GLOBAL, and the global state machine scans that tail from the root node. Lines 7-11 process a data message marked END_GLOBAL. Line 13 begins processing a data message marked DATA, storing both the head and the tail of the message as boundary data. Lines 14-17 are the judgment conditions on the boundary data. Lines 18-19 add the boundary data to the list if the sequence number of the currently received packet is greater than the synchronization-state sequence number. Lines 20-30 traverse the adjacency list and scan all boundary data that satisfies the condition. In line 19, if the list already holds a sequence number identical to that of the current packet, the current packet is a retransmission and is discarded directly. Line 32 handles a message that may be erroneous, which is discarded directly.
Step five: scan the sending sequence number of the global current state and the current state of the algorithmic automaton; if the sending sequence number of the global current state equals the sending sequence number of the local NIDS's boundary data, move to the scanning state.
Referring to fig. 2, scanning the sending sequence number of the global current state and the current state of the algorithmic automaton in step five comprises the following steps:
Step 5.1: when a state synchronization message is received, traverse the local boundary data linked list and extract one boundary data;
Step 5.2: judge the relation between the current global sequence number and the sequence number of the boundary data; there are three cases, as follows:
(1) If the current global sequence number is greater than the sequence number of the boundary data, the boundary data has been scanned on another NIDS; delete it from the local boundary data linked list and return to step 5.1;
(2) If the global sequence number has changed between before and after the traversal, update the global sequence number and the current state node, broadcast the global sequence number and the current state node of the automaton to all other NIDS, and return to step 5.1;
(3) If the current global sequence number equals the sequence number of the boundary data, execute the task of scanning the boundary data, delete the boundary data from the local boundary data list after the scan is finished, and return to step 5.1;
Step 5.3: after the traversal is finished, if the global sequence number has changed between before and after the traversal, update the global sequence number and the current state node, and broadcast the global sequence number and the current state node of the automaton to all other NIDS; then step 5.1 is executed.
The sub-algorithm process_state is described with reference to its pseudo-code diagram in fig. 8; it mainly processes the state synchronization content messages sent by other NIDS. In the pseudo code, when state synchronization content is received, the local boundary data list is traversed, boundary data whose sending sequence number equals that of the current state is searched for, and a scanning task is executed if it is found. Lines 3-5: if the sending sequence number of the current state is greater than that of the boundary data, the boundary data has already been scanned on another NIDS and is discarded. Lines 6-11: when the received sending sequence number equals that of the boundary data, the boundary data scanning task is executed; if it is not equal, the local NIDS waits for the scanning result of the boundary data with the smaller sending sequence number on the other NIDS and enters the idle state. Lines 14-15 check the value of cur_seq, and if cur_seq has changed, the new state content is broadcast to the other NIDS immediately.
Sixthly, the algorithm automaton scans the boundary data; after the scanning task is finished, the state machine returns to the idle state and waits for a new message to arrive;
referring to fig. 3, the steps by which the algorithm automaton scans the boundary data in step six are as follows:
step one, setting the state node input to the algorithm as the current state node of the local algorithm automaton;
step two, traversing the data to be scanned character by character; when the traversal is finished, the algorithm terminates and returns the current state node;
step three, performing the state transition of the algorithm automaton according to the scanned character and making the node reached the current state node; if the current state node is a match, the result is output; step two of step six is then executed again.
The sub-algorithm ac_scan, in which the algorithm automaton scans the input data, is described with reference to the pseudo code of fig. 9. ac_scan is an AC (Aho-Corasick) automaton: scanning of a data packet starts from the root node, while scanning of boundary data starts from the state carried in the broadcast.
Step seven, detection is completed.
Each NIDS keeps a list storing the boundary data of its local packets. Since a TCP stream may contain out-of-order and retransmitted packets, it must be ensured during storage that the global sending sequence number is correct; the judgment condition is:
p.seq > s.cur_state (5-5)
where seq is the global sequence number in the data packet, cur_state is the current scanning state of the AC automaton in the global scope, p is the data packet and s is the NIDS local state synchronization packet.
Compared with the original NIDS, the distributed asynchronous detection scheme provided by the invention adds the detection of the boundary data, which increases the system overhead; the proportion of the boundary data in the total data is the factor that determines the performance impact, and that impact is evaluated as follows.
Performance impact evaluation: assume there are $n$ messages of average length $\bar{L}$. The proportion of boundary data in the total data, $p_{adj}$, is given by the formula of the original (present there only as an image, which is not reproduced on this page), in which $L_{adj}$ denotes the boundary data length, $n$ the number of messages, $\bar{L}$ the average length of the message data and $p_{adj}$ the proportion of boundary data in the total data.
With $L_{adj}$ constant, $p_{adj}$ is inversely proportional to $\bar{L}$; with $\bar{L}$ unchanged, $p_{adj}$ is directly proportional to $L_{adj}$. When $L_{adj}$ is small and $\bar{L}$ is large, the distributed asynchronous detection algorithm has little impact on NIDS performance. Statistical analysis of attack samples shows that attack data generally appears in data messages with larger payloads, that is, $L_{adj}$ is small and $\bar{L}$ is large, so the value of $p_{adj}$ is small, generally not exceeding 10%; by the formula, the added boundary data detection therefore has little effect on the performance of the original NIDS system.
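A worked form of the proportion, added here as an assumed reconstruction and not the formula of the original (which survives on this page only as an image reference): with $n$ messages of average payload length $\bar{L}$ there are $n-1$ adjacent packet pairs, and each pair contributes $L_{adj}$ bytes of boundary data, so

$$p_{adj} = \frac{(n-1)\,L_{adj}}{n\,\bar{L}} \approx \frac{L_{adj}}{\bar{L}} \quad (n \gg 1),$$

which is inversely proportional to $\bar{L}$ at fixed $L_{adj}$ and directly proportional to $L_{adj}$ at fixed $\bar{L}$, as the text states. Substituting the definition of claim 3, $L_{adj} = 2(\max L\{signatures\} - 1)$, with illustrative values not taken from the page, a longest signature of 64 bytes and an average payload of 1400 bytes:

$$L_{adj} = 2 \times (64 - 1) = 126, \qquad p_{adj} \approx \frac{126}{1400} \approx 9\%,$$

consistent with the "generally not exceeding 10%" that the text reports for its attack samples.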
Referring to fig. 4, the distributed asynchronous detection scheme provided by the invention is compared with a distributed synchronous detection scheme; both detect multipath attacks, but in the distributed synchronous scheme every data packet received by an NIDS must wait until the global sending sequence number equals the sequence number of that packet before it can be processed, and otherwise remains in the waiting state. In the distributed asynchronous scheme each NIDS performs detection immediately on receiving a data packet, and only the boundary data, which is a small proportion of the total, requires state synchronization, so the detection efficiency is higher.
The key points of the invention are MPTCP attack detection and distributed asynchronous parallel detection of multipath attacks.
It should be noted that, as long as the technical solutions of the above embodiments can be permuted and combined without contradiction, those skilled in the art can exhaust all possibilities according to the mathematics of permutation and combination; the present invention therefore does not describe each permuted and combined technical solution one by one, but it should be understood that these permuted and combined technical solutions are disclosed by the present invention.
This embodiment only illustrates the patent and does not limit its scope of protection; those skilled in the art can modify parts of it without departing from the spirit of the patent.

Claims (8)

1. An algorithm for distributed asynchronous parallel detection of MPTCP multipath attacks, characterized by comprising the following steps:
S1, starting an NIDS, which enters the initial state, loads all features (signatures) and builds the algorithm automaton;
S2, the NIDS enters the idle state and waits to receive a message; received messages are of two types, data messages and state synchronization messages;
S3, judging the type of the received message; when it is a data message, the state machine jumps to the data message processing state and step S4 is executed; when it is a state synchronization message, the state machine jumps to the state synchronization message processing state and step S5 is executed;
S4, after parsing the application layer data, extracting the boundary data; once the boundary data has been extracted, the state machine jumps to the scanning state and the data message is scanned by the algorithm automaton; after the scanning task is completed, the state machine returns to the idle state and waits for a new message to arrive;
S5, checking the sending sequence number of the global current state and the current state of the algorithm automaton; if the sending sequence number of the global current state equals the sending sequence number of boundary data held by the local NIDS, moving to the scanning state;
S6, scanning the boundary data with the algorithm automaton; after the scanning task is completed, the state machine returns to the idle state and waits for a new message to arrive;
S7, detection is completed.
2. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 1, characterized in that the boundary data in step S4 is the data at the junction of two adjacent MPTCP data packets, composed of the tail of the previous data packet and the head of the next data packet, each side accounting for 50% of the boundary data.
3. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 2, characterized in that the length of the boundary data in step S4 is determined by the maximum length over all features, as follows:
$L_{adj} = 2 \times (\max L\{signatures\} - 1)$
where $L_{adj}$ is the boundary data length and $L\{signatures\}$ is the set of feature lengths.
4. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 3, characterized in that the data packet received by the NIDS is processed by the sub-algorithm process_packet, and the scanning of the data packet by the algorithm automaton in step S4 comprises the following steps:
S4.1, scanning a data message; judging the type of the data message, which is one of three types, START_GLOBAL, END_GLOBAL and DATA; when the data message is marked START_GLOBAL, step S4.2 is executed; when it is marked END_GLOBAL, step S4.3 is executed; when it is marked DATA, step S4.4 is executed;
S4.2, extracting the tail boundary data of the data message, scanning it from the root node, updating the global sequence number and the current state node after scanning, and broadcasting the global sequence number and the current state node of the algorithm automaton to all other NIDS;
S4.3, extracting the head boundary data of the data message, taking the current state node from the received broadcast state, scanning the head boundary data from that node, and broadcasting the global sequence number and the current state node of the algorithm automaton to all other NIDS after the scanning is finished;
S4.4, extracting the head boundary data and the tail boundary data of the data message;
S4.5, judging the relation between the message sequence number and the current global sequence number; there are three cases:
(1) if the sequence number of the currently received message equals the sequence number in the synchronization state, scanning the head boundary data and the tail boundary data, updating the current global sequence number and the current state node, and broadcasting the global sequence number and the current state node of the algorithm automaton to all other NIDS;
(2) if the sequence number of the currently received message is greater than the sequence number in the synchronization state, adding the head boundary data, the tail boundary data and the message sequence number to the boundary data linked list, then traversing the list and searching for a data message whose sequence number equals the current global sequence number; when a message sequence number equals the sequence number in the synchronization state, scanning its head and tail boundary data, deleting the boundary data from the list after scanning, broadcasting the global sequence number and the current state node of the algorithm automaton to the other NIDS, and returning to step S4.1 whether or not the global sequence number has changed; when no message sequence number equals the sequence number in the synchronization state, the list is traversed again until one does;
(3) if the sequence number of the currently received message is less than the sequence number in the synchronization state, the data message has already been processed on another NIDS and is discarded directly.
5. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 4, characterized in that, for the broadcasting of the global sequence number and the current state node of the algorithm automaton to all other NIDS in step S4.2, each NIDS creates and maintains a state synchronization table for each MPTCP stream, and when the content of the local state is updated, the other NIDS are notified by broadcast to update synchronously.
6. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 5, characterized in that the state synchronization messages sent by other NIDS are processed by the sub-algorithm process_state, and the checking of the sending sequence number of the global current state and the current state of the algorithm automaton in step S5 comprises the following steps:
S5.1, traversing the local boundary data linked list when a state synchronization message is received, and taking one boundary data entry;
S5.2, judging the relation between the current global sequence number and the sequence number of the boundary data; there are three cases:
(1) if the current global sequence number is greater than the sequence number of the boundary data, the boundary data has already been scanned on another NIDS; it is deleted from the local boundary data linked list and step S5.1 is executed;
(2) if the global sequence number has changed between the start and the end of the traversal, updating the global sequence number and the current state node, broadcasting the global sequence number and the current state node of the automaton to all other NIDS, and executing step S5.1;
(3) if the current global sequence number equals the sequence number of the boundary data, executing the boundary data scanning task, deleting the boundary data from the local boundary data list after the scanning is finished, and executing step S5.1;
S5.3, after the traversal is finished, if the global sequence number has changed between the start and the end of the traversal, updating the global sequence number and the current state node, broadcasting the global sequence number and the current state node of the automaton to all other NIDS, and executing step S5.1.
7. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 6, characterized in that the input data is scanned by the algorithm automaton in the sub-algorithm ac_scan, and the scanning of the boundary data by the algorithm automaton in step S6 comprises the following steps:
S6.1, setting the state node input to the algorithm as the current state node of the local algorithm automaton;
S6.2, traversing the data to be scanned character by character; when the traversal is finished, the algorithm terminates and returns the current state node;
S6.3, performing the state transition of the algorithm automaton according to the scanned character and making the node reached the current state node; if the current state node is a match, outputting the result; continuing with step S6.2.
8. The algorithm for distributed asynchronous parallel detection of multipath attacks according to claim 7, characterized in that, when the global sequence number is broadcast in step S4.2, whether the stored sending sequence number is correct is determined by the following condition:
p.seq > s.cur_state
where seq is the global sequence number in the data packet, cur_state is the current scanning state of the AC automaton in the global scope, p is the data packet and s is the NIDS local state synchronization packet.
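The following is an added example, written for this page and not code from the patent, that models steps five to seven of the description (sub-algorithms process_packet, process_state and ac_scan) and the procedure of claims 1 to 8 in Python. Everything beyond what the text states is an assumption: the global sending sequence number is taken to be the MPTCP data sequence number (DSN) of each packet, the state synchronization broadcast is an in-memory message bus, the names `AC`, `NIDS`, `Cluster`, `detect` and `detect_per_nids` are chosen for the example, the two NIDS are assumed to each observe one of the two subflows, and the traffic trace is constructed.

```python
# Added example, not the patent's code. Assumptions: the global sending sequence number is
# the MPTCP data sequence number (DSN) and the NIDS broadcast is an in-memory message bus.
from collections import deque

class AC:
    """Aho-Corasick automaton whose scan() may start from any node (sub-algorithm ac_scan)."""
    def __init__(self, sigs):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for sig in sigs:                                   # build the trie
            node = 0
            for ch in sig:
                if ch not in self.goto[node]:
                    self.goto[node][ch] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                node = self.goto[node][ch]
            self.out[node].append(sig)
        q = deque(self.goto[0].values())                   # depth-1 nodes fail to the root
        while q:                                           # BFS: failure links, merged outputs
            cur = q.popleft()
            for ch, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                q.append(nxt)
        self.half = max(len(s) for s in sigs) - 1          # one side of L_adj = 2*(max|sig|-1)
    def scan(self, state, data):
        """Feed data from `state`; return (end state, [(end offset, signature), ...])."""
        hits = []
        for i, ch in enumerate(data):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits += [(i, s) for s in self.out[state]]
        return state, hits

class NIDS:
    def __init__(self, name, ac, cluster):
        self.name, self.ac, self.cluster = name, ac, cluster
        self.sync = None       # (cur_seq, cur_state): next DSN expected, AC state after the last tail
        self.pending = []      # boundary data list: (seq, head, tail, next_seq)
        self.alerts = []
    def process_packet(self, seq, payload, kind):          # sub-algorithm process_packet
        _, hits = self.ac.scan(0, payload)                 # whole packet, from the root, at once
        self.alerts += [(self.name, "local", s) for _, s in hits]
        head = b"" if kind == "START_GLOBAL" else payload[:self.ac.half]
        tail = b"" if kind == "END_GLOBAL" else payload[-self.ac.half:]
        if kind == "START_GLOBAL":
            self.sync = (seq, 0)                           # the stream starts in the root state
        self.pending.append((seq, head, tail, seq + len(payload)))
        self.drain()
    def process_state(self, sync):                         # sub-algorithm process_state
        if self.sync is None or sync[0] > self.sync[0]:    # adopt a newer global state
            self.sync = sync
            self.drain()
    def drain(self):
        while self.sync is not None:
            cur_seq, state = self.sync
            self.pending = [b for b in self.pending if b[0] >= cur_seq]   # seq < cur_seq: discard
            item = next((b for b in self.pending if b[0] == cur_seq), None)
            if item is None:
                return                                     # idle until a broadcast advances cur_seq
            seq, head, tail, nxt = item
            state, hits = self.ac.scan(state, head)        # head continues the previous packet's tail
            self.alerts += [(self.name, "boundary", s) for i, s in hits if len(s) > i + 1]
            state, _ = self.ac.scan(0, tail)               # tail is scanned from the root
            self.pending.remove(item)
            self.sync = (nxt, state)
            self.cluster.broadcast(self, self.sync)

class Cluster:                                             # in-memory stand-in for the NIDS broadcast
    def __init__(self, sigs, names):
        self.ac = AC(sigs)
        self.nodes = {n: NIDS(n, self.ac, self) for n in names}
        self.bus = deque()
    def broadcast(self, sender, sync):
        self.bus.extend((n, sync) for n in self.nodes.values() if n is not sender)
    def run(self, trace):
        """trace: (nids name, seq, payload, kind) in arrival order; returns the sorted alert set."""
        for name, seq, payload, kind in trace:
            self.nodes[name].process_packet(seq, payload, kind)
            while self.bus:
                node, sync = self.bus.popleft()
                node.process_state(sync)
        return sorted({a for n in self.nodes.values() for a in n.alerts})

SIGS = [b"/etc/passwd", b"cmd.exe"]
# Constructed trace: one HTTP request split over two subflows; nids_B's packet arrives first.
TRACE = [("nids_B", 11, b"sswd HTTP/1.1\r\n", "DATA"),
         ("nids_A", 0, b"GET /etc/pa", "START_GLOBAL"),
         ("nids_A", 26, b"Host: cmd.exe\r\n\r\n", "END_GLOBAL")]

def detect(trace=TRACE, sigs=SIGS):
    return Cluster(sigs, ["nids_A", "nids_B"]).run(trace)

def detect_per_nids(trace=TRACE, sigs=SIGS):               # baseline: no state sharing
    ac = AC(sigs)
    return sorted({s for _, _, p, _ in trace for _, s in ac.scan(0, p)[1]})
```

Run stand-alone, `detect_per_nids()` returns only `cmd.exe`, because `/etc/passwd` is split over the two paths and neither NIDS sees it whole, while `detect()` additionally returns the boundary alert raised by nids_B once nids_A's broadcast state arrives; a retransmitted copy of an already scanned packet is dropped by the `seq < cur_seq` rule (condition (5-5)) rather than scanned twice. Two caveats for a real deployment: the tail of every packet is scanned from the root, as the patent specifies, which assumes each payload is at least L_adj/2 bytes long, since a shorter payload can lie entirely inside a signature spanning three packets and would then have to be scanned from the inherited state instead; and because a state message with a higher sequence number causes queued boundary data to be discarded (claim 6, case (1)), the channel between NIDS carrying these messages needs integrity protection.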
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110292025.3A CN113067819A (en) 2021-03-18 2021-03-18 Distributed asynchronous parallel detection algorithm for multi-path attack of MPTCP (Multi-path Transmission control protocol)

Publications (1)

Publication Number Publication Date
CN113067819A 2021-07-02

Family

ID=76562055

Country Status (1)

Country Link
CN (1) CN113067819A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117725026A (en) * 2023-08-14 2024-03-19 荣耀终端有限公司 Repeated file searching method and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102711099A (en) * 2012-06-20 2012-10-03 上海电机学院 Safety routing method and system capable of resisting interference attacks
CN109768952A (en) * 2018-10-29 2019-05-17 四川大学 A kind of industry control network anomaly detection method based on trust model
US20190245868A1 (en) * 2018-02-08 2019-08-08 Cisco Technology, Inc. Encrypted traffic analytics over a multi-path tcp connection
CN111201757A (en) * 2017-09-29 2020-05-26 芬基波尔有限责任公司 Network access node virtual structure dynamically configured on underlying network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘立坤 et al.: "No Way to Evade: Detecting Multi-Path", IEEE *
薛开平 et al.: "基于MPTCP的多路径传输优化技术综述" (A survey of MPTCP-based multipath transmission optimization techniques), 《计算机研究与发展》 (Journal of Computer Research and Development) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210702