Research on Detection of and Response to Distributed Denial of Service Attacks
Abstract
Networks are applied ever more widely in human social life, but because hacker attack incidents emerge one after another, network security has gradually become the key problem that must be solved for network services and applications to develop further. Distributed Denial of Service (DDoS) attacks are among the attacks that have been prevalent on the network in recent years and that cause huge economic losses, and they have become a hotspot of current network security research. Research on denial of service attacks and their countermeasures is therefore extremely important.
     This thesis analyzes the attack principles of distributed denial of service attacks in detail, makes a comprehensive and in-depth study and classification of existing attack means, conducts a comprehensive study and evaluation of existing protective measures in three stages, and takes attack detection and response technology as the focus of the research.
     Targeting the prominent feature of the TCP FLOOD attack found in experiments, namely that the number of new IP flows passing through the router increases sharply when an attack occurs, this thesis combines statistical theory to propose a detection algorithm based on time series analysis of flow connection information entropy. It focuses on the concept of flow connection correlation, the use of information entropy to measure the diversity of packets, and the concept and method of using the non-parametric cumulative sum (CUSUM) algorithm for attack detection. At the same time, arriving packets are divided into different priority queues according to their reliability, and a differentiated-service response strategy is applied to them. In addition, this thesis proposes a detection and response model for defending against DDoS attacks, introduces the functions of some of the model's components, explains the model's advantages and shortcomings, and proposes the next steps of the work.
     Experimental results show that the detection method proposed in this thesis can detect DDoS attack behaviour in time with high accuracy. The defense model proposed in this thesis has some reference value for related research on the detection of and response to distributed denial of service attacks.
As network applications have developed, the network has become more and more important in human life. Hacker attacks, however, emerge one after another, and network security has gradually become the key problem that network services and their applications must solve in order to develop further. Distributed Denial of Service (DDoS) attacks are among the common attacks on the network and have caused huge economic losses in recent years; research on them has become a hotspot in the network security field. Research on DDoS attacks and their countermeasures is therefore not only a challenge but also very important.
     By proposing several taxonomies, the attack mechanism of DDoS attacks is analyzed in detail and a classification of DDoS attack means is given. Then the existing countermeasures are researched and evaluated in detail, with the research paying particular attention to detection and response technology.
     Regarding the remarkable characteristic of the TCP FLOOD attack found in experiments, namely the increasing trend presented by the number of new IP flows passing through the router, and combining it with probability theory from statistics, the Flow Connection Entropy (FCE) time series analysis is proposed. It uses the non-parametric CUSUM algorithm to complete the detection of DDoS attacks. At the same time, according to the reliability of packets, we build different priority queues and then implement different policies for them. We also describe our detection-response prototype. This model is composed of several system modules deployed in the victim network. Through analysis of it, the merits and insufficiencies of the model are elaborated, and the next steps of the work are proposed.
     The experiments demonstrate that this model can detect DDoS attacks as early as possible with high detection accuracy. The DDoS detection and defense scheme proposed in this thesis can serve as a reference for related work.
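As an added example (not code from the thesis or its prototype), the following Python sketch shows the detection side of the method described in both abstracts above: a flow connection entropy value per time window, followed by non-parametric CUSUM change-point detection over that time series. It assumes the entropy feature is the Shannon entropy of the source addresses of the new flows seen in each window, the CUSUM recursion y_n = max(0, y_{n-1} + x_n - a) with an alarm when y_n > h (the Brodsky-Darkhovsky form also used by Wang, Zhang and Shin for SYN flood detection), and illustrative values for the training length, drift margin and threshold. The traffic windows are constructed, not measured: eight quiet windows with about 20 new flows from a few repeating clients, then four windows emulating a spoofed-source TCP flood with 200 new flows from 200 distinct sources.

```python
import math
from collections import Counter

# Constructed sample data (not measurements from the thesis). Each window is the
# list of source addresses of the *new* flows a router saw in that time slot.
_NORMAL_PATTERNS = [
    {"10.0.0.1": 8, "10.0.0.2": 6, "10.0.0.3": 4, "10.0.0.4": 2},
    {"10.0.0.1": 7, "10.0.0.2": 7, "10.0.0.3": 4, "10.0.0.5": 2},
    {"10.0.0.1": 9, "10.0.0.2": 5, "10.0.0.3": 3, "10.0.0.4": 3},
]


def build_windows(quiet=8, flood=4, flood_flows=200):
    """Expand the constructed patterns into per-window lists of source IPs."""
    windows = []
    for i in range(quiet):
        pattern = _NORMAL_PATTERNS[i % len(_NORMAL_PATTERNS)]
        windows.append([ip for ip, n in pattern.items() for _ in range(n)])
    for _ in range(flood):
        # Every flow from a different (spoofed, documentation-range) source:
        # many new flows and maximal source diversity, as in the TCP FLOOD case.
        windows.append([f"203.0.113.{k}" for k in range(flood_flows)])
    return windows


def shannon_entropy(items):
    """Shannon entropy in bits of the empirical distribution of `items`."""
    total = len(items)
    if total == 0:
        return 0.0
    counts = Counter(items)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def np_cusum(series, drift, threshold):
    """Non-parametric CUSUM: y_n = max(0, y_{n-1} + x_n - drift).

    `drift` is set above the quiet-time mean so y stays near 0 under normal
    traffic and accumulates once the entropy shifts upward.  Returns the
    statistic per window and the index of the first window where it exceeds
    `threshold` (None if it never does).
    """
    stats, y, alarm = [], 0.0, None
    for n, x in enumerate(series):
        y = max(0.0, y + x - drift)
        stats.append(y)
        if alarm is None and y > threshold:
            alarm = n
    return stats, alarm


def detect(windows, train=8, margin=1.0, threshold=5.0):
    """FCE pipeline: per-window new-flow count and source entropy, then CUSUM.

    The drift is calibrated as mean entropy of the first `train` windows plus
    `margin`; this assumes those windows are attack-free.  `margin` and
    `threshold` are illustrative values, not the thesis's parameters.
    """
    counts = [len(w) for w in windows]
    entropy = [shannon_entropy(w) for w in windows]
    drift = sum(entropy[:train]) / train + margin
    cusum, alarm = np_cusum(entropy, drift, threshold)
    return {"new_flow_count": counts, "entropy": entropy,
            "drift": drift, "cusum": cusum, "alarm_window": alarm}


if __name__ == "__main__":
    result = detect(build_windows())
    for n, (c, h, y) in enumerate(zip(result["new_flow_count"],
                                      result["entropy"], result["cusum"])):
        flag = "  <-- alarm" if n == result["alarm_window"] else ""
        print(f"window {n:2d}: new flows={c:4d}  entropy={h:5.2f} bits  cusum={y:5.2f}{flag}")
```

Running the block prints the new-flow count, entropy and CUSUM statistic per window; the entropy jumps from about 1.85 bits to about 7.64 bits when the flood starts in window 8, and the alarm fires in window 9, one window later. That single-window delay is the usual price of CUSUM's accumulation: the threshold trades detection delay against false alarms, which is why the quiet-time drift and the threshold need to be calibrated on the monitored link rather than fixed globally.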