Research on DDoS Attack Traffic and Adaptive Algorithms for Its Detection in Source-End Networks
Abstract
This thesis centers on adaptive algorithms for detecting constant-rate DDoS attack traffic in source-end networks, and discusses five problems related to source-end defense against DDoS: (i) DDoS attack and defense techniques; (ii) behavior modeling of TCP DDoS attack traffic; (iii) the design of adaptive source-end detection algorithms for constant-rate DDoS attack traffic; (iv) the disruptiveness of DDoS attack traffic under different transmission policies; and (v) the detectability of DDoS attack traffic under different transmission policies in source-end networks.
First, DDoS attacks are analyzed systematically, covering their classification, organization, typical attack methods and other key issues involved in an attack. The thesis argues that source-end networks will become the focus of future DDoS attack and defense, and reviews current DDoS defense techniques along the line of victim-end, intermediate-network and source-end defense within the centralized defense architecture.
Second, a new transmission policy for attack traffic, grouped pulsing transmission, is proposed. Taking two typical scheduling mechanisms, FCFS (First Come First Served) and SFQ (Start-time Fair Queuing), as examples, the attack performance of DDoS traffic under constant-rate, pulsing and grouped pulsing transmission is discussed, with emphasis on how the choice and configuration of the scheduling mechanism in the target network affects the disruptiveness of each kind of traffic. Simulation results show that, of the three transmission policies, grouped pulsing traffic is not only strongly disruptive but can also counter the suppression of attack traffic by the target network's scheduling mechanism through flexible attack configuration.
Third, a mathematical model is established to describe the disruptive behavior of TCP DDoS attack traffic. With the number of attack sources and their transmission rate held equal, the model explains the behavioral differences among constant-rate, pulsing and grouped pulsing traffic as follows. (i) The occupation of network resources by constant-rate traffic and by grouped pulsing traffic is independent of time in both cases, but grouped pulsing traffic has a lower link bandwidth occupation ratio and a lower resource occupation function value than constant-rate traffic. (ii) For pulsing traffic, the link bandwidth occupation ratio, the resource occupation function and the resource occupation gain function all depend on time, but its occupation of network resources during a burst is close to that of constant-rate traffic.
Fourth, the state of the art in source-end detection of DDoS attack traffic, in China and abroad, is analyzed, focusing on three classes of methods: detection based on attack signature matching, detection based on the self-similarity of network traffic, and detection based on the two-way packet ratio. A method is proposed for constructing, in a unified way, a detection statistic for source-end TCP/UDP DDoS attack traffic from the two-way packet ratio, and a corresponding mathematical model is established.
Fifth, an adaptive EWMA algorithm based on a normal-distribution assumption, A-EWMA, is proposed, and its detection performance is analyzed theoretically in terms of false-alarm probability, miss probability during an attack, detection probability and detection delay. Compared with the traditional EWMA algorithm, A-EWMA has three distinguishing features. (i) It detects anomalies from online estimates of the statistical properties of the detection-statistic sequence. (ii) It adjusts the detection threshold automatically according to the detection result, which makes it more adaptive to network traffic conditions. (iii) It uses consecutive cumulative detection to reduce the interference of sudden network anomalies with detection performance. Simulations of SYN flooding and UDP flooding show that (i) under the same criteria for confirming a valid detection, A-EWMA outperforms fixed-threshold detection for both SYN flooding and UDP flooding; (ii) A-EWMA also has a considerable advantage in detection performance over results reported in the existing literature for the same kinds of attack; and (iii) A-EWMA detects SYN flooding better than UDP flooding, but the gap between its SYN flooding and UDP flooding results is smaller than the gap under fixed-threshold detection.
Sixth, a nonparametric adaptive CUSUM algorithm, A-CUSUM, is proposed. Using the Chebyshev inequality, it solves the problem that the detection threshold of the traditional CUSUM algorithm cannot be set adaptively, and it adds the ability to keep monitoring after an alarm for the end of the anomaly. Expressions are derived for the algorithm's false-alarm probability, its miss probability while an anomaly is in progress, and its detection delays for attack onset and termination. The simulation results of A-CUSUM and A-EWMA for SYN flooding and UDP flooding are compared, and it is suggested that the two algorithms be run in parallel on network traffic to further improve the defense system's ability to detect weak DDoS attack traffic.
Finally, the detectability of constant-rate, pulsing and grouped pulsing traffic in source-end networks is examined and compared in a way that is independent of any particular detection algorithm. Simulation results show that, of the three transmission policies, grouped pulsing traffic has comparatively low detectability.
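The three A-EWMA features listed in the abstract (online estimation of the statistic, a threshold that follows the traffic and the detection result, and confirmation by consecutive violations) can be illustrated with the following added Python sketch; it is not the thesis's algorithm or code. The class and function names, every parameter value, the rule of freezing the baseline while violations occur, and the sent/received packet ratio used as the statistic are assumptions, and the interval counts are constructed.

```python
import math


class AdaptiveEwmaDetector:
    """Illustrative adaptive-threshold EWMA detector (not the thesis's A-EWMA)."""

    def __init__(self, alpha=0.1, k=3.0, confirm=3, warmup=10, min_sigma=0.05):
        self.alpha = alpha          # EWMA smoothing factor (assumed value)
        self.k = k                  # threshold = mean + k * sigma (normality assumption)
        self.confirm = confirm      # consecutive violations required before alarming
        self.warmup = warmup        # samples used only to learn the baseline
        self.min_sigma = min_sigma  # floor so a very quiet baseline is not hair-triggered
        self.mean = None            # online estimate of the statistic's mean
        self.var = 0.0              # online estimate of its variance
        self.seen = 0
        self.run = 0                # current streak of threshold violations

    def threshold(self):
        return self.mean + self.k * max(math.sqrt(self.var), self.min_sigma)

    def update(self, x):
        """Feed one value of the detection statistic; return True while alarming."""
        self.seen += 1
        if self.mean is None:
            self.mean = x
            return False
        violation = self.seen > self.warmup and x > self.threshold()
        if violation:
            # Detection result feeds back: suspected attack samples are kept
            # out of the baseline so they cannot drag the threshold upward.
            self.run += 1
        else:
            self.run = 0
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return self.run >= self.confirm


def two_way_ratio(sent, received):
    """Assumed statistic: packets leaving the source network per packet returning."""
    return sent / max(received, 1)


def detect(intervals, **params):
    """Return the indices of the intervals in which the detector is alarming."""
    det = AdaptiveEwmaDetector(**params)
    return [i for i, (s, r) in enumerate(intervals) if det.update(two_way_ratio(s, r))]


# Constructed per-interval (sent, received) counts: 12 normal intervals,
# one isolated burst (index 12), two normal intervals, then a sustained
# flood (indices 15-18).
INTERVALS = [
    (100, 98), (104, 100), (97, 99), (110, 102), (95, 96), (102, 101),
    (99, 97), (105, 100), (98, 99), (101, 100), (103, 99), (96, 98),
    (300, 100), (100, 99), (102, 100),
    (400, 100), (420, 98), (450, 95), (430, 97),
]

if __name__ == "__main__":
    print("alarms with 3-interval confirmation:", detect(INTERVALS))
    print("alarms with no confirmation:        ", detect(INTERVALS, confirm=1))
```

With confirmation set to three intervals the isolated burst is ignored and the alarm is raised two intervals into the sustained flood; with `confirm=1` the same burst raises a false alarm.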
