Research on Detection and Response Techniques for Distributed Denial of Service Attacks
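Abstract
Distributed Denial of Service (DDoS) attacks are among the most serious security threats facing the Internet. Compared with traditional attack techniques, DDoS attacks are highly stealthy, high in intensity, launched from dispersed sources, and long in duration, and practical, effective defense mechanisms are still lacking. The frequency and harm of DDoS attacks are increasing year by year, and the network security situation is growing ever more severe. Exploring effective defenses against DDoS attacks therefore has significant research value and broad application prospects.
     Countermeasures against DDoS attacks fall into four categories: detection, response, traceback, and prevention. Of these, detection and response are the most basic defenses and the core problems of current research. Building on a summary of existing work, this thesis focuses on the two fundamental problems of detection and response. The main research results are as follows: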
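     1. Propose a multistage method for early detection of DDoS attacks.
     Detecting DDoS attacks early, at locations close to the attack sources, can effectively improve attack early-warning capability. However, traffic in the early phase of an attack is markedly stealthy and hard to recognize, so detecting DDoS attacks effectively under these conditions is a challenging problem. The thesis first builds a DDoS attack model and analyzes the characteristics of early attack traffic. On this basis, it fuses several basic traffic attributes into two composite traffic attributes, network traffic state and joint deviation rate, resolving the conflict between the poor detectability of a single attribute and the high computational complexity of multidimensional attributes. Based on the composite traffic attributes, it proposes MADOP, a multistage method for early DDoS detection that divides detection into three stages (network traffic state prediction, fine-grained traffic singularity detection, and suspicious destination address extraction), progressively refining the spatial and temporal characteristics of the attack. By setting appropriate detection goals for each stage, MADOP effectively improves the efficiency-cost ratio of early detection and optimizes resource use. Experimental results show that MADOP is highly sensitive to DDoS attacks in which the proportion of attack traffic is small and the anomaly is not obvious. When attack traffic accounts for only 5% of total traffic, MADOP can accurately detect the anomaly and locate the attack start time, and victim identification accuracy reaches 96%. MADOP also detects low-rate denial-of-service attacks well.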
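     2. Propose a DDoS attack detection method based on a distributed sketch data structure.
     Because DDoS attack sources are dispersed, detecting such attacks suffers from high statistics-collection overhead and difficulty in correlating global anomalies. The thesis proposes a technique for collecting and organizing traffic statistics based on a distributed sketch data structure. The technique uses a new hash function, BitHash, which explicitly associates IP addresses with hash values and supports both traffic statistics keyed on destination IP and reverse address reconstruction from hash values. On the one hand, it avoids storing per-flow state, reducing computation and storage overhead; on the other, by distributing the computation, processing and storage of sketch data, it fits the dispersed nature of DDoS attack sources and captures traffic characteristics across the whole network. Based on the distributed sketch data structure, the thesis designs FLOW, a distributed DDoS attack detection method, and proposes its core techniques: a local anomaly detection mechanism based on BitHash and PCA, an anomaly message passing and preprocessing algorithm for global detection, a decision algorithm based on the anomaly burst period, and a lightweight address reconstruction algorithm. Simulation results show that FLOW detects DDoS attacks accurately and that its victim identification results effectively assist in filtering malicious traffic. When packets are filtered using the address reconstruction results, the false positive rate does not exceed 3%. Theoretical analysis shows that FLOW's overall performance overhead is lower than that of existing methods, particularly in storage, where it saves nearly 70% of the space.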
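     3. Propose a packet-marking-based distributed DDoS attack detection mechanism.
     Existing distributed detection methods generally detect DDoS attacks by fusing anomaly alerts in the control plane, so global detection depends too heavily on local detection results and detection performance is limited by the accuracy of local detection. The thesis proposes a new approach, collaborative DDoS detection in the data plane, and designs VicSifter, a packet-marking-based distributed DDoS attack detection mechanism. VicSifter abstracts suspected attack traffic as a detection view, uses a sketch-based traffic sifter to remove normal traffic from the upstream node's detection view hop by hop, and finally decides whether an attack is under way on the basis of the globally anomalous traffic. For efficient transfer and reduction of the detection view, it designs a packet-marking-based detection view transfer mechanism and a traffic reduction algorithm. For attack diagnosis and victim identification, it proposes a global decision algorithm based on a traffic anomaly circle model and global anomaly degree. Experimental results show that VicSifter effectively detects DDoS attacks and identifies victims, while imposing low node load and scaling well. Through traffic reduction, VicSifter quickly cuts the number of suspect destination IPs to 2% of the original, and within 3 hops the detection view is reduced to only the traffic destined for attack victims. VicSifter uses in-band transmission and does not aggravate network congestion.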
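     4. Propose uneven rate limiting mechanisms based on the evolving pattern of abnormal traffic.
     Rate limiting is one of the main techniques for DDoS attack response. Lacking fine-grained partitioning of aggregates and effective identification of abnormal aggregates, existing rate limiting mechanisms have a pronounced problem of wrongly suppressing normal traffic. To address this, the thesis proposes BaURL, a basic uneven rate limiting mechanism based on the evolving pattern of abnormal traffic. BaURL judges the abnormality of an aggregate from the convergence and dispersion of traffic as it propagates, divides aggregates into sets of different priority accordingly, and applies different degrees of suppression, concentrating on limiting the bandwidth allocated to abnormal flows and thereby reducing the impact of rate limiting on normal traffic. Combining BaURL with a fine-grained aggregate partitioning method, it proposes FiURL, a BitHash-based fine-grained uneven rate limiting mechanism, and CoURL, a collaboration-based uneven rate limiting mechanism, to achieve fine control over aggregate rate limiting. Finally, it proposes a mutual-aid defense group mechanism based on packet redirection, which effectively solves the starvation of normal users that aggregate-based rate limiting can cause. Experimental results show that these mechanisms significantly reduce the damage rate limiting does to normal traffic: with parameter tuning, FiURL keeps the normal traffic filtered out below 10%, and CoURL's fine-grained suppression of aggregates reaches the level of a single destination-IP flow.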
Distributed Denial of Service (DDoS) attack is one of the most serious security threats to the Internet. Compared with traditional attacks, DDoS attack has several significant features including low-profile attack flow, great attack intensity, dispersive attack sources, long duration, and so on. So far, no practical countermeasure against DDoS attacks is available. As the frequency and damage of DDoS attacks increase year by year, the security situation of networks becomes more and more severe. Therefore, exploring effective countermeasures against DDoS attacks has important research value and wide application prospects.
     DDoS defense has four research areas: detection, reaction, traceback and prevention. As the basic defenses against DDoS attacks, DDoS detection and reaction are the key problems in current research. In this thesis, we perform an in-depth study of DDoS detection and reaction issues on the basis of a comprehensive survey of present research on DDoS attack and defense. The major contributions are as follows:
     1. Propose a multistage method for early DDoS detection.
     Early DDoS detection can effectively enhance the ability of early attack warning. Since attack traffic keeps a low profile and cannot be easily recognized at the early stage of DDoS attacks, early DDoS detection is very hard to achieve. This thesis presents a DDoS model to theoretically analyze the low-profile feature of DDoS attacks. Then two complex features, Network Traffic State (NTS) and Joint Deviation Rate (JDR), are defined by merging basic traffic features, which resolves the contradiction between the difficulty of detecting anomalies in a single feature and the high computation cost of multidimensional features. Based on the two features, a Multistage Anomaly Detection method for lOw-Profile attack traffic (MADOP) is proposed to detect DDoS attacks at an early stage. Through three stages (network traffic state prediction, fine-grained singularity detection, and suspicious IP extraction), MADOP refines the spatial-temporal characteristics of DDoS attacks in a stepwise way. By designating reasonable goals for the different detection stages, MADOP effectively raises the efficiency-cost ratio of early DDoS detection and optimizes the resource usage of detection devices. MADOP can accurately detect anomalies and locate the start time of attacks even when attack traffic constitutes only 5% of total traffic, with 96% of victims successfully identified. MADOP also shows great quality in low-rate DDoS detection.
     2. Propose a split-sketch-based collaborative DDoS detection scheme.
     DDoS attacks have distributed attack sources. Detecting such attacks suffers from high statistics overhead as well as difficult correlation of global anomalies. This thesis proposes a split-sketch-based technique to summarize and organize network traffic. This technique adopts a new hash function, BitHash, which explicitly connects the hash value and the input IP. As a result, the technique can summarize traffic based on destination IPs and then reversely construct the input IPs from hash values. On one hand, this technique avoids keeping per-IP state. On the other hand, it responds efficiently to dispersive DDoS attack sources by computing, processing and storing the sketch in a distributed manner. Based on the split sketch, this thesis proposes a collaborative DDoS detection mechanism called FLOW. FLOW includes several key technologies: an anomaly detection method using BitHash and Principal Component Analysis (PCA), a special messaging and preprocessing mechanism, a decision algorithm based on the burst period of anomalies, and a lightweight IP reconstruction algorithm. Simulation results show that the results of FLOW greatly contribute to attack traffic filtering during DDoS reaction, with a false positive rate of less than 3%. FLOW outperforms other methods of similar capability in performance overhead, especially in space requirement.
     3. Propose a packet-marking-based collaborative DDoS detection mechanism.
     Traditional collaborative methods detect DDoS attacks by fusing alerts in the control plane. Such methods have problems, including global detection's overdependence on local results and the final decision being subject to the accuracy of local detection. This thesis presents a novel idea of achieving collaborative DDoS detection through the data plane and proposes a packet-marking-based distributed DDoS detection mechanism, VicSifter. VicSifter regards suspect network traffic as an abstract detection view, uses a sketch-based traffic sifter to gradually eliminate normal traffic from the detection view, and makes the final decision on the basis of global abnormal traffic. To pass the detection view between collaborative nodes, VicSifter adopts a packet-marking-based transmission mechanism and a traffic reduction algorithm. Also, for the purpose of attack diagnosis and victim identification, a highly efficient global detection algorithm based on traffic anomaly circle and global anomaly degree is presented. Simulation results show that VicSifter can accurately detect DDoS attacks and identify victims. It has the remarkable features of low consumption and great scalability. Through traffic reduction, VicSifter rapidly reduces suspect destination IPs to 2%. The detection view contains only packets destined for victims after 3 hops. Using in-band transmission, VicSifter does not aggravate network congestion.
     4. Propose a series of uneven rate limiting mechanisms on the basis of the evolving pattern of abnormal traffic.
     Rate limiting is one of the major techniques for DDoS reaction. But the existing rate limiting mechanisms may wrongly damage normal traffic for lack of fine-grained traffic aggregating methods and effective methods to judge abnormal aggregates. In view of these problems, this thesis proposes a Basic Uneven Rate Limiting mechanism (BaURL) using the Evolving Pattern of Abnormal Traffic (EPAT). By evaluating the abnormality of traffic aggregates, BaURL divides them into different priority sets and applies different levels of suppression intensity, thus significantly reducing unintentional damage to normal traffic. Combining BaURL with a fine-grained traffic aggregating method, a Fine-grained URL (FiURL) mechanism based on BitHash and a collaborative URL (CoURL) mechanism are proposed to achieve elaborate control in aggregate-based rate limiting. To overcome the poor client problem that commonly occurs in aggregate-based rate limiting mechanisms, a possible solution using packet redirection is presented and named Mutual-Aid Team. Simulation results prove that all the four mechanisms and Mutual-Aid Team (MAT) help to effectively limit collateral damage to normal traffic. Through parameter adjustment, the normal traffic filtered by FiURL can be reduced to less than 10%, while the elaborate control in aggregate of CoURL could achieve the level of a single destination IP stream.
