
Design and Implementation of an Application-Layer Flood Traffic Scrubbing System

Published: 2018-08-20 18:37
[Abstract]: As network technology develops, networks are shaping how people communicate, work and live, from news and social networking to payments. At the same time, the leap in network equipment performance has sharply reduced the cost of network attacks: an attacker can launch an attack cheaply that may nonetheless be highly destructive. Flood traffic attacks are the typical network attack that accounts for the largest share of attacks, and that share is still rising. Building on existing TCP/IP-layer flood traffic scrubbing strategies, this thesis aims to implement a traffic scrubbing system that can also defend against application-layer flood traffic attacks.

In essence, a flood traffic attack is one in which the attacker sends a large number of bogus requests to consume network bandwidth and network service resources, causing the server to refuse legitimate service requests and obstructing normal business processing. Attackers carry out the attack through puppet hosts on the network. Because puppet hosts are numerous and widely distributed, flood traffic attacks are highly concealed and large in scale, and are difficult to defend against.

In the application-layer flood traffic scrubbing system implemented here, attack packets are divided, according to the characteristics of flood traffic attacks, into lower-layer packets (internet layer and transport layer) and upper-layer packets (application layer), and a different defense strategy is applied to each. For lower-layer packets, legitimacy can be verified by directly checking the packet header information against the TCP/IP protocol standards. For upper-layer packets, the packet content must be analyzed and the packet's behavioral intent inferred in order to determine that an attack is occurring. The system therefore consists of four main components: traffic monitoring and statistics, anomalous traffic analysis, the traffic scrubbing platform, and alert log management. Network traffic is monitored per session; when an attack occurs, traffic diversion is triggered to steer the attack traffic on that session to the scrubbing platform. For lower-layer packets, a limit on the number of half-open connections and a network proxy mechanism are used to screen out bogus requests; for application-layer packets, a linear classification algorithm is introduced to detect attack packets. Finally, legitimate packets are re-injected into the original network, and the entire scrubbing process is transparent to both the server and the client.

Testing verified that the system correctly identifies application-layer flood traffic attacks and that its performance meets the expected targets. The attack detection rate reaches 100%, meaning that whenever an attack occurs the system recognizes it and correctly filters out the attack packets, and the false detection rate does not exceed 5%. In terms of performance, the system can initially meet the requirement of tens of millions of sessions.
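As an added illustration (not code from the thesis), the sketch below shows the two-tier decision the abstract describes: a half-open connection cap for lower-layer traffic and a linear classifier for application-layer sessions, which together decide which sessions are steered to scrubbing. The feature names, weights, limit, session key (client address) and sample data are assumptions constructed for this example; the abstract does not specify them.

```python
from collections import defaultdict

# Assumed policy values, not taken from the thesis.
HALF_OPEN_LIMIT = 3
WEIGHTS = {"req_per_sec": 0.04, "same_uri_ratio": 2.0, "no_referer_ratio": 1.0}
BIAS = -3.0

def half_open_offenders(events, limit=HALF_OPEN_LIMIT):
    """Lower layer: sources whose count of pending handshakes
    (SYN seen, no ACK/RST yet) ever exceeds the limit."""
    pending, offenders = defaultdict(set), set()
    for src, sport, flag in events:
        if flag == "SYN":
            pending[src].add(sport)
            if len(pending[src]) > limit:
                offenders.add(src)
        elif flag in ("ACK", "RST"):
            pending[src].discard(sport)
    return offenders

def is_attack_session(features):
    """Application layer: linear decision w.x + b > 0 on session statistics."""
    return BIAS + sum(w * features[k] for k, w in WEIGHTS.items()) > 0

def sessions_to_divert(events, sessions):
    """Sessions to steer to the scrubbing platform; others pass untouched."""
    bad = half_open_offenders(events)
    return sorted(s for s, f in sessions.items()
                  if s in bad or is_attack_session(f))

# Constructed sample input (documentation address ranges).
EVENTS = [("203.0.113.9", p, "SYN") for p in range(40001, 40006)] + [
    ("198.51.100.7", 50001, "SYN"), ("198.51.100.7", 50001, "ACK"),
    ("198.51.100.7", 50002, "SYN"), ("198.51.100.7", 50002, "ACK"),
]
SESSIONS = {
    "198.51.100.7": {"req_per_sec": 2, "same_uri_ratio": 0.2, "no_referer_ratio": 0.1},
    "192.0.2.44": {"req_per_sec": 80, "same_uri_ratio": 0.95, "no_referer_ratio": 1.0},
    "203.0.113.9": {"req_per_sec": 0, "same_uri_ratio": 0.0, "no_referer_ratio": 0.0},
}

if __name__ == "__main__":
    print(sessions_to_divert(EVENTS, SESSIONS))
```

In a deployed system the weights would be learned from labeled traffic rather than set by hand, and the half-open state would need expiry so that stale entries do not accumulate.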
[Degree-granting institution]: Harbin Institute of Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08


Article ID: 2194614

