Research and Implementation of Application-Layer DDoS Attack Detection Algorithms
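Abstract
Distributed denial-of-service (DDoS) attacks have long been one of the most serious threats facing Internet service providers' Web servers. Traditional network-layer and transport-layer DDoS attacks are now detected well by increasingly mature network protection technologies (firewalls, intrusion detection and so on). At the same time, changes in computing models mean that more services interact over the Web, which has accelerated the shift of DDoS attacks toward the application layer. Application-layer DDoS attacks usually use real IP addresses as attack nodes and exploit weaknesses in application-layer protocols to send the target server a large number of attack requests that follow the legitimate HTTP protocol, so they pass easily through network protection systems. This makes them a security problem that Web servers urgently need to solve.
     However, most existing research detects network-layer or transport-layer DDoS attacks and is no longer suitable for detecting application-layer DDoS attacks. Existing application-layer detection methods mainly target HTTP flooding attacks and detect them through statistical analysis of the traffic or protocol characteristics of HTTP requests, which is ineffective against asymmetric attacks whose requests arrive at a normal rate. Because a normal user's page browsing is continuous and concentrated, this thesis takes application-layer "user click behavior" as its point of observation to detect application-layer DDoS attacks, both asymmetric attacks and attacks against a background of flash-crowd traffic. Research approach: (1) identify user click behavior among the large number of HTTP requests collected at the server side; (2) based on user clicks, use a random walk model of user click sequences to identify application-layer flooding and asymmetric DDoS attacks; (3) model user click activity with the Pearson correlation coefficient to detect application-layer DDoS attacks against a background of flash-crowd traffic; (4) implement the detection algorithms on a multi-core parallel software architecture. Main research content:
     1. While a user visits a website, the browser automatically generates a large number of HTTP requests, which makes it difficult to identify real user clicks among the requests seen at the server side. This thesis therefore proposes a method based on the hidden semi-Markov model to identify user clicks among the massive volume of HTTP requests collected at the server side. To handle differences in site architecture and embedded elements between websites, the K-means clustering algorithm is used to cluster website objects, which makes the identification method more practical.
     2. For application-layer flooding and asymmetric DDoS attacks, this thesis proposes a detection method based on the random walk model. The method relies on the similarity of user click sequences across different time intervals and uses training data to build a model of user click sequences. It then constructs a random walk graph from the pages users click, takes the user click transition probabilities in the current observation period as the initial probability distribution vector, and uses the transition probabilities from the trained model as the adjacency matrix for the random walk process, which yields a stable transition probability vector. Repeating this process predicts the user's click sequence in the next observation period, and the legitimacy of a request sequence is judged by comparing the similarity between the predicted sequence and the click sequence actually collected. Because a website has a very large number of pages, the thesis clusters pages by page popularity, link depth and user loyalty to simplify construction of the random walk graph.
     3. Against a background of flash-crowd traffic, the massive volume of data already consumes a large share of server resources, so even a small amount of attack traffic can deal a fatal blow to the victim server. This makes application-layer DDoS attacks hidden in a flash crowd very difficult to detect, and improving the real-time performance of the algorithm while keeping it accurate is the key to successful detection. This thesis constructs user request sequences from the changes in user clicks and determines how normal an observed sequence is by computing the change in its correlation coefficient relative to a model trained on normal user data, which identifies the attackers.
     4. Network attack traffic is growing rapidly and 10 Gbps is already widely used on access network links, which makes it difficult to implement attack detection algorithms that must process massive amounts of network data in real time. This thesis therefore proposes a parallel architecture, based on a general-purpose multi-core processor platform, for implementing network security detection algorithms. It assigns packets with similar attributes to the same processor core to reduce communication between cores, and partitions independent data into blocks assigned to different threads to improve thread parallelism.
     The accuracy and practicality of the detection algorithms were tested with data collected from a network operator and in a purpose-built real network environment. The experimental results show that the proposed methods effectively detect application-layer distributed denial-of-service attacks against websites under both normal traffic and flash-crowd traffic. The detection methods can be deployed in an operator's Internet data center (IDC) to protect the Web servers hosted there in real time, and they also provide a reference for the design of Web application security in the future Internet.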
The Distributed Denial of Service (DDoS) attack has emerged as one of the most serious threats to the Internet service provider's Web server. Traditional network-layer and transport-layer DDoS attacks are now detected well by increasingly capable network protection methods (such as firewalls and intrusion detection), and changes in the computing model encourage more services to interact over the Web, which accelerates the development of DDoS attacks toward the application layer. An application-layer DDoS attack usually uses real IP addresses as attacking nodes, exploits vulnerabilities of the application-layer protocol, and sends the victim server a large number of legitimate HTTP requests that easily pass through the network protection system, so it has become a security issue that Web servers need to resolve.
     However, most research has focused on network-layer or transport-layer DDoS attack detection, which makes it unsuitable for application-layer DDoS attack detection. The existing application-layer DDoS attack detection methods aim at HTTP flooding attacks and detect them through statistical analysis of the flow characteristics or fields of HTTP requests, which is ineffective against asymmetric attacks that send requests at a normal rate. Because a normal user's page browsing is continuous and concentrated, this paper adopts application-layer "user click behavior" as the observation angle to detect application-layer asymmetric DDoS attacks and application-layer DDoS attacks under flash crowds. The main ideas are: (1) identify user click behavior among the huge number of HTTP requests at the server side; (2) based on the user click sequence, identify application-layer asymmetric DDoS attacks through the random walk model; (3) detect application-layer DDoS attacks under flash crowds through changes in the correlation coefficient of the user click sequence; (4) improve the efficiency and practicality of the proposed method through a parallel architecture based on multi-core processors. The research contents are:
     1. User browsing generates a large number of Web page clicks, and each click triggers the browser to issue a series of HTTP requests to the Web server automatically. It is therefore difficult to identify the click requests that belong to a user among the large number of measured HTTP requests when many users are clicking. For this reason, this paper proposes a hidden semi-Markov model (HsMM) based method to identify user click behavior among the huge number of requests at the server side, and adopts the K-means clustering algorithm to improve its applicability by eliminating the disparity in architecture and embedded objects between different Web sites.
     2. To address application-layer low-rate and asymmetric DDoS attacks, this paper proposes a novel detection method based on a random walk model of user click sequences in different periods. First, it uses the training data to establish the user click model. Then it constructs a random walk graph from the pages that users click and repeats the random walk process, with the transition probabilities of the user click sequence in the former observation period as the initial probability distribution vector and the transition probabilities of the user click sequence in the training data as the adjacency matrix. Last, it obtains the stable transition probability vector once the random walk process has converged. The similarity between the user click sequence forecast by the random walk model and the one captured in the next period is used to identify abnormal requests. Owing to the differences in structure, user browsing habits and page types among Web sites, three parameters (user access loyalty, link depth and link popularity) are used to reduce the number of page types from which the random walk graph is constructed.
     3. Under a flash crowd the Web server suffers the impact of massive user requests and exhausts its resources, so even a small number of attack requests may deal it a fatal blow. This makes application-layer DDoS attacks hidden in a flash crowd difficult to detect, and the key to detection is how to improve efficiency while keeping the algorithm accurate. This paper proposes an attack detection method based on the user click sequence, which uses the number of user clicks to construct the user click sequence and identifies attack click sequences by comparing the correlation coefficient of the observed user click sequence with the legitimate user click model.
     4. With the bandwidth growth of access network links, network attack traffic has increased rapidly, which makes it difficult to implement network attack detection algorithms that need to process massive numbers of packets in real time. In this respect, this paper proposes a customized parallel architecture for implementing network security detection algorithms on commodity multi-core processors, which are now broadly used in personal computers. Packets with similar properties are dispatched to the same core and partitioned into several parts, which allows the threads maintained in each core to execute concurrently.
     Experiments based on real network data collected from a China Telecom IDC and a campus network evaluate the accuracy and efficiency of the proposed method and show that it is valid for detecting application-layer DDoS attacks under normal traffic and flash crowds. The proposed methods not only can be deployed in the IDC to protect a variety of Web servers in real time, but also can provide a reference for the Web security design of future networks.
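
The random-walk check of research item 2, sketched as an added example that is not code from the thesis. The page-cluster names, the sample sessions, the additive smoothing, the restart term (which keeps the starting vector relevant), the cosine similarity measure and the 0.8 threshold are all assumptions; the abstract specifies none of them.

```python
from collections import Counter
from math import sqrt

# Assumed page clusters; the thesis clusters pages by popularity, link depth
# and user loyalty, but the abstract names no concrete clusters.
CLUSTERS = ["home", "list", "detail", "search"]
INDEX = {name: i for i, name in enumerate(CLUSTERS)}
THRESHOLD = 0.8  # assumed similarity cut-off, not a value from the thesis

# Constructed training sessions of legitimate users (one list per session).
TRAINING_SESSIONS = [
    ["home", "list", "detail", "list", "detail", "home"],
    ["home", "search", "detail", "list", "detail"],
    ["home", "list", "detail", "detail", "search", "detail"],
    ["search", "detail", "list", "home", "list", "detail"],
]
# Constructed observation periods (current, then next) for two clients.
LEGIT_CURRENT = ["home", "list", "detail", "list"]
LEGIT_NEXT = ["list", "detail", "home", "list", "detail"]
ATTACK_CURRENT = ["search"] * 4  # normal request rate, one costly page only
ATTACK_NEXT = ["search"] * 4


def transition_matrix(sessions, smoothing=0.5):
    """Row-stochastic click-transition matrix learned from training sessions."""
    n = len(CLUSTERS)
    counts = [[smoothing] * n for _ in range(n)]
    for session in sessions:
        for src, dst in zip(session, session[1:]):
            counts[INDEX[src]][INDEX[dst]] += 1
    return [[c / sum(row) for c in row] for row in counts]


def click_distribution(clicks):
    """Share of clicks per page cluster within one observation period."""
    known = [c for c in clicks if c in INDEX]
    if not known:
        raise ValueError("no clicks on known page clusters in this period")
    seen = Counter(known)
    return [seen[name] / len(known) for name in CLUSTERS]


def random_walk(start, matrix, restart=0.15, tol=1e-10, max_iter=1000):
    """Iterate v <- (1 - restart) * v.P + restart * start until it is stable."""
    n = len(start)
    v = list(start)
    for _ in range(max_iter):
        stepped = [sum(v[i] * matrix[i][j] for i in range(n)) for j in range(n)]
        nxt = [(1 - restart) * stepped[j] + restart * start[j] for j in range(n)]
        if sum(abs(a - b) for a, b in zip(nxt, v)) < tol:
            return nxt
        v = nxt
    return v


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b)))


def score_client(matrix, current_clicks, next_clicks):
    """Similarity between the forecast and the observed next-period clicks."""
    predicted = random_walk(click_distribution(current_clicks), matrix)
    return cosine(predicted, click_distribution(next_clicks))


def is_suspicious(score):
    return score < THRESHOLD


if __name__ == "__main__":
    model = transition_matrix(TRAINING_SESSIONS)
    for label, cur, nxt in [("legit", LEGIT_CURRENT, LEGIT_NEXT),
                            ("attack", ATTACK_CURRENT, ATTACK_NEXT)]:
        s = score_client(model, cur, nxt)
        print(f"{label}: similarity={s:.3f} suspicious={is_suspicious(s)}")
```

The attacking client sends no more requests than the legitimate one, so a rate-based check sees nothing; only the mismatch between its observed clicks and the forecast from the trained transition model separates the two.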