Research on a Composite DDoS Attack Detection and Defense Model (一种复合式DDoS攻击检测和防御模型的研究)
Abstract
In recent years, distributed denial of service (DDoS) attacks have seriously affected Internet security and done great harm to the application and development of the Internet. Currently, the self-similarity of network traffic, time series analysis and IP packet filtering have become important strategies and techniques for DDoS attack detection and defense. Used in isolation, however, each of them gives unsatisfactory results. Self-similarity of network traffic and time series analysis can only detect DDoS attacks: their results arrive with delay and contain false positives and false negatives, and even a detected attack cannot be blocked by them. IP packet filtering, on the other hand, defends well against DDoS attacks, but it operates on very large data sets, so querying and updating the filter data consumes substantial system resources (CPU, memory and so on) and adds system overhead, and packet filtering alone cannot detect an attack.
     First, the thesis classifies DDoS attacks by two criteria, network traffic and the TCP/IP protocols, and briefly analyzes the attack types under each classification. It also analyzes the detection and defense strategies for each traffic-based attack type and compares them.
     Then, combining the advantages of time series analysis and IP packet filtering and improving both techniques, the thesis proposes a composite DDoS attack detection and defense model. The detection module is built on time series analysis: it defines a time series PDD (Port to Port Data Density) and applies a non-parametric test to check whether PDD is stationary. Based on the test result, the thesis processes the PDD series with the non-stationary time series AAR model, chosen for its strong online analysis capability and low computational cost. A non-parametric CUSUM algorithm then detects DDoS attacks on the AAR-processed series; to handle the false positives and false negatives that may appear in its output, the thesis proposes a detection correction algorithm that revises the CUSUM results. The defense module is built on an improved dynamic IP packet filtering technique, which to some extent reduces the data volume and the system resources consumed by lookups and updates. To assist dynamic packet filtering, the defense module adds a DDoS attack (or network congestion) pre-detection technique. Because network noise affects detection results, the model also introduces wavelet filtering to remove part of the noise.
     Finally, the thesis tests the functions of some of the model's modules on Linux using the NS2 network simulator as the test platform, and analyzes the test results.
Abstract (English)
In recent years, distributed denial of service (DDoS) attacks have done great harm to the application and development of the Internet. Currently, the self-similarity of network traffic, time series analysis and IP packet filtering are important strategies and technologies for DDoS attack detection and defense. When these strategies and technologies are used individually, however, the results of DDoS detection and defense are not ideal. The reason is that the self-similarity of network traffic and time series analysis can only detect DDoS attacks; they cannot defend against them, and their detection results suffer from delay, false alarms and missed alarms. Although traditional IP packet filtering can defend against DDoS attacks well, it works on a large volume of data, so querying and updating that data requires a lot of system resources such as CPU and memory, and IP packet filtering used alone cannot detect DDoS attacks.
     First, DDoS attacks are classified based on network traffic and on the TCP/IP protocols, and the attack types are briefly analyzed. In addition, strategies for DDoS attack detection and defense are analyzed and compared.
     Second, a composite model of DDoS attack detection and defense is proposed that builds on the advantages of time series analysis and IP packet filtering. A time series PDD (Port to Port Data Density) is defined, and its stationarity is tested with a non-parametric test. According to the test result, the PDD series is processed with the non-stationary time series AAR (additive autoregressive) model, which supports online analysis well at a low computational cost. The series produced by the AAR model is fed to a non-parametric CUSUM algorithm to detect DDoS attacks. Because detection can produce false alarms and missed alarms, a correction algorithm is proposed to revise the detection results. The defense module defends against DDoS attacks using dynamic IP packet filtering, which mitigates the problems of large data volume and of the system resources consumed by querying and updating the data. To assist dynamic IP packet filtering in defending against DDoS attacks or avoiding network congestion, a pre-detection algorithm is proposed. In addition, since network noise affects the detection results, wavelet filtering is introduced into the model to remove part of the noise.
     Finally, the functions of some modules are tested in NS2 running on Linux (Red Hat 9.0), and the test results are analyzed.
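The detection pipeline the abstract describes, a per-port-pair density series, a non-parametric CUSUM over it and a correction step for false alarms, can be sketched in code. The following is an added example written for this page, not the thesis's own implementation, and it fills in details the abstract does not give: PDD is taken here as packets per fixed interval towards one destination port (the thesis's exact definition is not on the page); the AAR modelling step is omitted, so the CUSUM runs on the raw counts; the CUSUM is the standard non-parametric form y_n = max(0, y_{n-1} + x_n - beta), alarming when y_n reaches N; and the correction step is a stand-in that requires k consecutive raw alarms. The packet trace is constructed, not captured.

```python
"""Added example: PDD-style interval counts fed to a non-parametric CUSUM.

Illustrative code for this page, not the thesis's implementation. Assumed
(not on the page): PDD := packets per interval towards one destination port;
CUSUM y_n = max(0, y_{n-1} + x_n - beta), alarm when y_n >= N; the correction
step is a k-consecutive-alarm confirmation window.
"""
from typing import Iterable, List, Tuple

Packet = Tuple[float, int, int, int]  # (timestamp_s, src_port, dst_port, length_bytes)

INTERVAL = 1.0  # seconds per PDD sample

# Constructed per-interval packet counts towards port 80: 20 intervals of
# normal traffic (one benign burst at index 8), then 10 intervals of a flood.
NORMAL_COUNTS = [5, 6, 4, 7, 5, 3, 6, 5, 15, 4, 5, 6, 5, 4, 7, 5, 6, 3, 5, 6]
ATTACK_COUNTS = [60, 70, 65, 80, 75, 70, 65, 72, 68, 70]


def make_packets(counts: List[int], dst_port: int = 80) -> List[Packet]:
    """Constructed trace: counts[i] packets spread evenly across interval i."""
    packets: List[Packet] = []
    for i, c in enumerate(counts):
        for k in range(c):
            ts = i * INTERVAL + k * INTERVAL / c  # stays inside [i, i+1)
            packets.append((ts, 40000 + k, dst_port, 60))
    return packets


SAMPLE_PACKETS = make_packets(NORMAL_COUNTS + ATTACK_COUNTS)


def pdd_series(packets: Iterable[Packet], dst_port: int, n_intervals: int,
               interval: float = INTERVAL) -> List[int]:
    """Packets per interval towards dst_port (the assumed PDD stand-in)."""
    bins = [0] * n_intervals
    for ts, _src, dst, _length in packets:
        if dst != dst_port:
            continue
        idx = int(ts // interval)
        if 0 <= idx < n_intervals:
            bins[idx] += 1
    return bins


def nonparametric_cusum(series: Iterable[float], beta: float,
                        threshold: float) -> Tuple[List[float], List[bool]]:
    """Non-parametric CUSUM: beta is chosen above the normal mean so that the
    statistic drifts back to 0 under benign load and accumulates under attack.
    Returns (statistic per step, raw alarm flag per step)."""
    y = 0.0
    stats: List[float] = []
    raw: List[bool] = []
    for x in series:
        y = max(0.0, y + (x - beta))
        stats.append(y)
        raw.append(y >= threshold)
    return stats, raw


def confirm_alarms(raw: List[bool], k: int) -> List[bool]:
    """Assumed correction step: an alarm is confirmed only after k consecutive
    raw alarms, which suppresses one-interval spikes at the cost of k-1
    intervals of extra delay."""
    confirmed: List[bool] = []
    run = 0
    for flag in raw:
        run = run + 1 if flag else 0
        confirmed.append(run >= k)
    return confirmed


def first_true(flags: List[bool]) -> int:
    """Index of the first True flag, or -1 if none."""
    for i, f in enumerate(flags):
        if f:
            return i
    return -1


def detect_demo() -> dict:
    """Run the pipeline over the constructed trace."""
    n = len(NORMAL_COUNTS) + len(ATTACK_COUNTS)
    series = pdd_series(SAMPLE_PACKETS, dst_port=80, n_intervals=n)
    stats, raw = nonparametric_cusum(series, beta=8.0, threshold=40.0)
    confirmed = confirm_alarms(raw, k=2)
    return {"series": series, "stats": stats,
            "first_raw": first_true(raw),          # 20: first flood interval
            "first_confirmed": first_true(confirmed)}  # 21: one interval later


if __name__ == "__main__":
    print(detect_demo())
```

The benign burst at index 8 (15 packets against beta = 8) pushes the statistic to 7 and it decays to 0 two intervals later, well under the threshold of 40, while the flood crosses the threshold in its first interval. The parameters beta, N and k are the tuning knobs the abstract's delay/false-alarm trade-off refers to: a lower beta or N shortens detection delay but lets benign bursts through.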
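On the defense side, the abstract's concern with the filter's data volume and lookup/update cost can be illustrated with a deny list whose state is bounded by design. This is an added example for this page, not the thesis's dynamic IP packet filtering algorithm, which is not given on the page. It assumes entries keyed by source IP, a per-entry time-to-live, a hard capacity that evicts the soonest-to-expire entry, and a suspect-selection rule (sources exceeding a per-source packet count in the alarm interval) that stands in for the thesis's detection-to-defense hand-off. The flow trace is constructed.

```python
"""Added example: bounded, self-expiring source-IP deny list.

Illustrative code for this page, not the thesis's filter. Assumed (not on
the page): entries keyed by source IP with a TTL, a hard capacity, and a
per-source packet-count rule for choosing which sources to block.
"""
import heapq
from collections import Counter
from typing import Dict, List, Tuple

FlowPacket = Tuple[float, str, int]  # (timestamp_s, src_ip, dst_port)


class DynamicFilter:
    """Deny list with per-entry expiry and a hard capacity.

    A lookup is one dict probe; insert and expiry are O(log n) through a
    min-heap of (expire_at, ip). Stale heap records (an entry that was
    refreshed or evicted) are skipped lazily, so there is never a full scan,
    and memory never exceeds `capacity` live entries.
    """

    def __init__(self, capacity: int, ttl: float) -> None:
        self.capacity = capacity
        self.ttl = ttl
        self._expire_at: Dict[str, float] = {}
        self._heap: List[Tuple[float, str]] = []

    def _purge(self, now: float) -> None:
        """Drop expired entries and stale records from the heap front."""
        while self._heap:
            exp, ip = self._heap[0]
            if self._expire_at.get(ip) != exp:   # stale record
                heapq.heappop(self._heap)
            elif exp <= now:                     # expired live entry
                heapq.heappop(self._heap)
                del self._expire_at[ip]
            else:
                break

    def block(self, ip: str, now: float) -> None:
        """Deny ip for ttl seconds from now; re-blocking extends the entry."""
        self._purge(now)
        exp = now + self.ttl
        self._expire_at[ip] = exp
        heapq.heappush(self._heap, (exp, ip))
        while len(self._expire_at) > self.capacity:  # bounded state
            exp0, ip0 = heapq.heappop(self._heap)
            if self._expire_at.get(ip0) == exp0:     # live entry: evict it
                del self._expire_at[ip0]

    def allowed(self, ip: str, now: float) -> bool:
        """Per-packet decision: True if ip is not currently denied."""
        self._purge(now)
        return ip not in self._expire_at

    def size(self) -> int:
        return len(self._expire_at)


def suspects(packets: List[FlowPacket], start: float, end: float,
             per_source_max: int) -> List[str]:
    """Sources sending more than per_source_max packets in [start, end)."""
    counts = Counter(src for ts, src, _port in packets if start <= ts < end)
    return sorted(ip for ip, n in counts.items() if n > per_source_max)


# Constructed trace for one alarm interval [20, 21): a legitimate client
# (3 packets) and three flooding sources (20 packets each).
SAMPLE_FLOW: List[FlowPacket] = (
    [(20.0 + k * 0.3, "198.51.100.7", 80) for k in range(3)]
    + [(20.0 + k * 0.05, src, 80)
       for src in ("203.0.113.10", "203.0.113.11", "203.0.113.12")
       for k in range(20)]
)


def filter_demo() -> dict:
    """Block the suspects of the alarm interval, then watch them expire."""
    f = DynamicFilter(capacity=1000, ttl=30.0)
    for ip in suspects(SAMPLE_FLOW, 20.0, 21.0, per_source_max=10):
        f.block(ip, now=21.0)                # entries expire at 51.0
    return {
        "legit_allowed": f.allowed("198.51.100.7", 21.0),
        "attacker_blocked": not f.allowed("203.0.113.10", 21.0),
        "blocked_count": f.size(),
        "attacker_after_ttl": f.allowed("203.0.113.10", 52.0),
        "size_after_ttl": f.size(),
    }


def capacity_demo() -> dict:
    """Capacity 2: the third block evicts the entry that would expire first."""
    f = DynamicFilter(capacity=2, ttl=10.0)
    f.block("203.0.113.1", now=0.0)
    f.block("203.0.113.2", now=1.0)
    f.block("203.0.113.3", now=2.0)
    return {"size": f.size(),
            "first_allowed": f.allowed("203.0.113.1", 2.0),
            "second_allowed": f.allowed("203.0.113.2", 2.0)}


if __name__ == "__main__":
    print(filter_demo())
    print(capacity_demo())
```

The TTL is what makes the filter "dynamic": a blocked source is released automatically once the flood stops, so the table does not accumulate every address ever seen. The capacity bound trades completeness for a guaranteed memory ceiling, which matters because an attacker who can spoof many sources can otherwise grow an unbounded table until the filter itself becomes the denial of service.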
References
[1] Douligeris C, Mitrokotsa A. DDoS attacks and defense mechanisms: classification and state-of-the-art[J]. Computer Networks, 2004, 44: 643-666.
[2] Chen L C, Longstaff T A, Carley K M. Characterization of defense mechanisms against distributed denial of service attacks[J]. Computers & Security, 2004, 23: 665-678.
[3] Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms[J]. ACM SIGCOMM Computer Communication Review, 2004, 34(2): 39-54.
[4] 孟江涛, 冯登国, 薛锐, et al. Principles of and protection against distributed denial of service attacks[J]. Journal of the Graduate School of the Chinese Academy of Sciences, 2004, 21(1): 90-94.
[5] Jain R, Routhier S A. Packet trains: measurements and a new model for computer network traffic[J]. IEEE Journal on Selected Areas in Communications, 1986, 4(6): 986-995.
[6] Paxson V, Floyd S. Wide-area traffic: the failure of Poisson modeling[J]. IEEE/ACM Transactions on Networking, 1995, 3(3): 226-244.
[7] 薛丽军. Detection of and protection against distributed denial of service (DDoS) attacks[D]. University of Electronic Science and Technology of China, 2003: 4.
[8] Peng T, Leckie C, Ramamohanarao K. Detecting distributed denial of service attacks using source IP address monitoring[EB/OL]. http://www.ee.mu.oz.au/pgrad/taop/research/detection.pdf.
[9] Kuzmanovic A, Knightly E. Low-rate TCP-targeted denial of service attacks (the shrew vs. the mice and elephants)[C]. Proc. ACM SIGCOMM 2003, 2003: 75-86.
[10] Guirguis M, Bestavros A, Matta I, et al. Reduction of quality (RoQ) attacks on Internet end-systems[C]. Proc. 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2005), Miami, Florida, 2005.
[11] Luo X, Chang R K C. On a new class of pulsing denial-of-service attacks and the defense[C]. Network and Distributed System Security Symposium (NDSS 2005), San Diego, CA, 2005.
[12] Kwok Y K, Tripathi R, Chen Y, Hwang K. HAWK: halting anomalies with weighted choking to rescue well-behaved TCP sessions from shrew DDoS attacks[C]. ICCNMC 2005: 423-432.
[13] Crovella M, Bestavros A. Self-similarity in World Wide Web traffic: evidence and possible causes[J]. IEEE/ACM Transactions on Networking, 1997, 5(6): 835-846.
[14] Hengstler S, Sand S, Costa A H. Adaptive autoregressive modeling for time-frequency analysis[C]. Proc. 3rd International Conference on Information, Communications & Signal Processing (ICICS 2001), 2001.
[15] Dill S, Kumar R, et al. Self-similarity in the Web[C]. Proc. 27th VLDB Conference, Roma, Italy, 2001.
[16] Huang J Z, Yang L. Identification of non-linear additive autoregressive models[J]. Journal of the Royal Statistical Society, 2004: 463-477.
[17] 王欣, 方滨兴. Application of Hurst parameter changes to network traffic anomaly detection[J]. Journal of Harbin Institute of Technology, 2005, 37(9): 1046-1049.
[18] 李美村, 贺忠. Research and discussion on the self-similarity of network traffic[J]. Computer Engineering, 2005, 31(15): 115-117.
[19] 何晶, 李仁发, 喻飞, et al. A study of the self-similarity of campus network traffic[J]. Computer Engineering and Applications, 2004, 2: 7-9.
[20] 第文军, 薛丽军, 蒋士奇. Network traffic anomaly detection using self-similarity analysis of network traffic[J]. Ordnance Industry Automation, 2003, 22(6): 28-31.
[21] Takada H H, Hofmann U. Application and analysis of cumulative sum to detect highly distributed denial of service attacks using different attack traffic patterns[R]. Technical Report, INTERMON Project, 2004.
[22] 孙知信, 唐益慰, 程媛. Router anomaly traffic detection based on an improved CUSUM algorithm[J]. Journal of Software, 2005, 16(12): 2117-2123.
[23] 程军, 林白, 芦建芝. SYN flooding attack detection based on the non-parametric CUSUM algorithm[J]. Computer Engineering, 2006, 32(2): 159-161.
[24] Li Q M, Chang E C, Chan M C. On the effectiveness of DDoS attacks on statistical filtering[C]. Proc. IEEE INFOCOM 2005, Miami, FL, USA, 2005.
[25] Abdelsayed S, Glimsholt D, Leckie C, Ryan S, Shami S. An efficient filter for denial-of-service bandwidth attacks[C]. Proc. IEEE Global Telecommunications Conference (GLOBECOM 2003), 2003, 3: 1353-1357.
[26] Peng T, Leckie C, Ramamohanarao K. Protection from distributed denial of service attack using history-based IP filtering[C]. Proc. IEEE International Conference on Communications (ICC 2003), 2003, 1: 482-486.
[27] Wang C, Wu C, Irwin J D. Using an identity-based dynamic access control filter (IDF) to defend against DoS attacks[C]. IEEE Wireless Communications and Networking Conference (WCNC), 2004.
[28] Yaar A, Perrig A, Song D X. SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks[C]. Proc. 2004 IEEE Symposium on Security and Privacy. Oakland: IEEE Computer Society Press, 2004: 130-147.
[29] Hu Y H, Choi H, Choi H A. Packet filtering to defend flooding-based DDoS attacks [Internet denial-of-service attacks][C]. Advances in Wired and Wireless Communication, 2004: 39-42.
[30] Chen S, Tang Y, Du W. Stateful DDoS attacks and targeted filtering[J]. Journal of Network and Computer Applications, Special Issue on Distributed Denial of Service and Intrusion Detection, 2005/2006.
[31] Andersen D G. Mayday: distributed filtering for Internet services[C]. Proc. 4th USENIX Symposium on Internet Technologies and Systems, 2003.
[32] Henry Y X, Lee C J. A source address filtering firewall to defend against denial of service attacks[C]. Proc. IEEE 60th Vehicular Technology Conference, 2004.
[33] Park K, Lee H. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets[C]. Proc. ACM SIGCOMM 2001, San Diego, CA, 2001.
[34] 吕铭, 胡恒一, 夏春和. DSDA: an active DDoS defense algorithm based on network symmetry[J]. Computer Engineering and Design, 2005, 26(3): 639-643.
[35] 姚淑萍, 胡昌振. Research on a distributed denial of service attack detection method based on load prediction[J]. Science & Technology Review, 2005, 23(9): 11-13.
[36] 周东清, 张海锋, 张绍武, et al. An HMM-based distributed denial of service attack detection method[J]. Journal of Computer Research and Development, 2005, 42(9): 1594-1599.
[37] 苏衡, 鞠九滨. A method for cooperative DDoS attack detection across multiple administrative domains[J]. Journal of Beijing University of Aeronautics and Astronautics, 2004, 30(11): 1106-1110.
[38] 蒋平. DDoS attack detection and prevention based on wavelet neural networks[J]. Computer Engineering and Applications, 2006(3): 116-119.
[39] Yang G, Gerla M, Sanadidi M Y. Defense against low-rate TCP-targeted denial-of-service attacks[C]. Proc. IEEE Symposium on Computers and Communications (ISCC), 2004.
[40] Sun H, Lui J C S, Yau D K Y. Defending against low-rate TCP attacks: dynamic detection and protection[C]. Proc. IEEE International Conference on Network Protocols (ICNP 2004), 2004.
[41] 母军臣, 甘志华, 许洪云. A RoQ attack defense strategy based on dynamic packet filtering[J]. Computer Knowledge and Technology, 2007, 1(6): 1532-1533.
[42] Shevtekar A, Anantharam K, Ansari N. Low rate TCP denial-of-service attack detection at edge routers[J]. IEEE Communications Letters, April 2005.
[43] Guirguis M, Bestavros A, Matta I. Bandwidth stealing via link-targeted RoQ attacks[C]. Proc. 2nd IASTED International Conference on Communication and Computer Networks, 2004.
[44] Chen Y, Kwok Y K, Hwang K. Filtering shrew DDoS attacks using a new frequency-domain approach[C]. Proc. IEEE LCN Workshop on Network Security, 2005.
[45] Guirguis M, Bestavros A, Matta I. Exploiting the transients of adaptation for RoQ attacks on Internet resources[C]. Proc. 12th IEEE International Conference on Network Protocols (ICNP 2004), 2004.
[46] Jin C, Wang H, Shin K G. Hop-count filtering: an effective defense against spoofed DDoS traffic[C]. Proc. ACM Conference on Computer and Communications Security (CCS 2003), 2003.
[47] 母军臣, 朱长江. An IP-spoofing DDoS defense strategy based on probabilistic final TTL values[J]. Journal of Henan University (Natural Science), 2006, 36(4): 96-99.
[48] Stevens W R. TCP/IP Illustrated, Vol. 1 (Chinese translation by 范建华 et al.)[M]. Beijing: China Machine Press, 2000: 84-88.
[49] Comer D E. Internetworking with TCP/IP, Vol. 1: Principles, Protocols, and Architecture (Chinese translation by 林瑶 et al.)[M]. Beijing: Publishing House of Electronics Industry, 2003: 175-202.
[50] 张树京, 齐立心. A Concise Course in Time Series[M]. Beijing: Northern Jiaotong University Press, 2003: 3-5.
[51] Schlögl A, Roberts S J, Pfurtscheller G. A criterion for adaptive autoregressive models[C]. Proc. 22nd Annual International Conference of the IEEE Engineering in Medicine and Biology Society, 2000: 1581-1582.
[52] 张卓奎, 陈慧婵. Stochastic Processes[M]. Xi'an: Xidian University Press, 2003: 291-298.
[53] 潘泉, 张磊, 孟晋丽, et al. Wavelet Filtering Methods and Applications[M]. Beijing: Tsinghua University Press, 2005: 58-60.
[54] 徐晨, 赵瑞珍, 甘小冰. Applied Algorithms of Wavelet Analysis[M]. Beijing: Science Press, 2004: 104-111.
[55] Donoho D L. De-noising by soft-thresholding[J]. IEEE Transactions on Information Theory, 1995, 41(3): 613-627.
[56] 徐雷鸣, 庞博, 赵耀. NS and Network Simulation[M]. Beijing: Posts & Telecom Press, 2003: 1.
[57] 孙钦东, 张德运, 高鹏. Distributed denial of service attack detection based on time series analysis[J]. Chinese Journal of Computers, 2005, 28(5): 767-773.
