Research on DDoS Intrusion Detection Based on Wavelet Analysis
Abstract (translated from the Chinese)
A DDoS (distributed denial of service) attack is a large-scale attack that is distributed and coordinated. By combining or controlling a number of hosts on the network to launch DoS attacks simultaneously, it sends millions of packets towards the chosen target and consumes large amounts of the target system's resources, so that legitimate users cannot obtain service. DDoS attacks do great harm to the normal operation of the network; because they are covert and distributed they are hard to detect and defend against, which in recent years has made research on DDoS detection and defence a hot topic in the field of intrusion detection. This thesis builds mainly on the self-similarity of traffic and uses wavelet methods to study the detection and defence of DDoS attacks.
The thesis first surveys the state of research on intrusion detection technology and the general principles and methods it uses, and, drawing on a large body of literature, analyses domestic and international progress in DDoS research.
Second, the thesis briefly introduces a method that has been widely adopted in both theory and engineering in recent years, the wavelet transform, whose multi-scale analysis property allows a signal to be analysed more accurately. Both published research and the measurements made for this thesis show that network traffic is self-similar. Analysing self-similarity with wavelet methods gives very good results; the thesis derives the method of analysing network traffic with wavelets, which serves as its theoretical foundation.
Third, the thesis describes the general steps of a DoS attack and analyses its mechanism, and in particular studies the mechanism of weak (low-rate) DoS attacks in some depth in relation to the TCP congestion control mechanism. A low-rate DoS attack does not generate a large total traffic volume, so it is hard to suppress with conventional traffic control measures. To detect low-rate DoS attacks well, the thesis designs a DDoS detection and defence model. The model collects IP packet headers to obtain traffic information; it computes the Hurst parameter of the traffic with a wavelet method and judges whether a DoS attack is under way by whether the parameter exceeds a threshold; it adapts the reference Hurst parameter used for that decision to different network conditions with a digital filtering scheme; and, once an attack is deemed to be under way, it responds using a connection trust domain. Experiments show that the model can detect low-rate DoS attacks.
In implementing the DDoS detection model, the two components with the highest performance requirements are traffic capture and traffic analysis. The thesis first reviews existing traffic capture techniques, then designs and applies two Linux-based traffic capture schemes. In traffic analysis, several techniques are used to improve efficiency. To validate the model, the thesis runs experiments on the authoritative MIT Lincoln Laboratory DDoS attack data set.
Finally, the thesis discusses the application environment of the DDoS detection model. It describes the network environments in which the model could be deployed and, considering that the trend in information security is for the various security modules to cooperate with one another, discusses the cooperation of the DoS detection model with firewall systems and with security audit systems.
Abstract (author's English version)
DDoS (Distributed Denial of Service) is a kind of distributed and cooperative attack. It coordinates and controls a large number of hosts to launch a DoS attack and sends millions of packets to the target system, exhausting the target system's resources so that legitimate users are unable to obtain service. DDoS has caused disastrous losses to the network, but because of its covertness and distributed nature it is hard to detect and prevent. In recent years, research on the detection and prevention of DDoS attacks has become a hot topic. In this thesis we build on the self-similarity of network traffic and research the detection and prevention of DDoS attacks using wavelet analysis.
In this thesis, we first describe the status, principles and methods of intrusion detection, then analyse the state of research on DDoS. Wavelet analysis has become a popular method in both theory and engineering. Its multi-scale analytical capability enables more accurate analysis of a signal. Furthermore, both published results and our own experimental results show that network traffic has the self-similarity property. We therefore give an algorithm for evaluating the self-similarity of network traffic by the wavelet method, which is the theoretical basis of this thesis.
Secondly, we describe the steps of a DoS attack and analyse its mechanism, especially the mechanism of low-rate DoS attacks from the point of view of TCP congestion control. We design a DDoS detection and prevention model to deal with DDoS. The model obtains traffic information from the IP packet header, calculates the Hurst parameter and decides whether the traffic is in a normal state or not. The reference Hurst parameter is self-adapted in the manner of a digital filter in signal processing. When an attack is detected, the model uses the connection-domain concept to protect the target system. As shown in the experiments, the model can detect both high-rate and low-rate DoS attacks. What is more, the target system can still provide service to legitimate users to some extent even under a DoS attack.
In the model, traffic capturing and information extracting are the parts that most require efficiency. We develop two methods of traffic capturing based on Linux. In traffic information extracting, better performance can be achieved if some tricks are used.
Finally, we investigate the potential application environment of the DDoS detection and prevention model. Considering that the trend in information security is for different security modules to interact with each other, we investigate how our model can interact with a firewall system and a security audit system.
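As an added illustration of the detection model that both abstracts describe (this is not code from the thesis), the block below estimates the Hurst parameter from Haar wavelet detail energies and then applies the thresholded comparison against a reference value that is adapted by a first-order digital filter. The traffic series are constructed; the smoothing factor, threshold, scale range and the choice to skip the finest octave are assumptions, and it runs with the Python standard library only.

```python
import math
import random

def haar_energies(x, scales):
    """Orthonormal Haar DWT of x; return the mean squared detail coefficient per
    octave j = 1..scales (the energies the wavelet Hurst estimator works from)."""
    approx, energies = list(x), []
    for _ in range(scales):
        pairs = len(approx) // 2
        detail = [(approx[2 * k] - approx[2 * k + 1]) / math.sqrt(2) for k in range(pairs)]
        approx = [(approx[2 * k] + approx[2 * k + 1]) / math.sqrt(2) for k in range(pairs)]
        energies.append(sum(d * d for d in detail) / pairs)
    return energies

def hurst_from_energies(energies, first_scale=2):
    """Least-squares slope of log2(E_j) against j; for self-similar increments the
    slope is 2H-1.  The finest octave is skipped (assumption) because the discrete
    Haar filter departs most from the ideal band-pass there."""
    pts = [(j, math.log2(e)) for j, e in enumerate(energies, start=1) if j >= first_scale]
    mj = sum(j for j, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    slope = sum((j - mj) * (y - my) for j, y in pts) / sum((j - mj) ** 2 for j, _ in pts)
    return (slope + 1) / 2

def wavelet_hurst(x, scales=6):
    return hurst_from_energies(haar_energies(x, scales))

def synth_lrd(n, hurst, seed=0):
    """Constructed test traffic: random-phase sinusoids whose power follows
    f^-(2H-1), the spectral signature of self-similar (fGn-like) traffic."""
    rng = random.Random(seed)
    beta = 2 * hurst - 1
    comps = [(f, f ** (-beta / 2), rng.uniform(0, 2 * math.pi)) for f in range(1, n // 2)]
    return [sum(a * math.cos(2 * math.pi * f * t / n + p) for f, a, p in comps) for t in range(n)]

def detect_step(h_est, h_ref, alpha=0.2, threshold=0.15):
    """One decision of the model: flag an attack when the estimated H departs from
    the adaptive reference by more than the threshold; the reference is updated by
    a first-order digital filter only on traffic judged normal (alpha and threshold
    are assumed values, not the thesis's)."""
    attack = abs(h_est - h_ref) > threshold
    if not attack:
        h_ref = (1 - alpha) * h_ref + alpha * h_est
    return attack, h_ref

if __name__ == "__main__":
    print("flat-spectrum traffic  H =", round(wavelet_hurst(synth_lrd(2048, 0.5)), 2))
    print("self-similar traffic   H =", round(wavelet_hurst(synth_lrd(2048, 0.8)), 2))
```

A flat-spectrum series should come out near H = 0.5 and the constructed self-similar series near 0.8; feeding a sliding window of packet counts per interval into `wavelet_hurst` and each result into `detect_step` reproduces the decision loop the abstracts outline.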