Design and Implementation of an Application-Layer Flood Traffic Scrubbing System
Published: 2018-08-20 18:37
[Abstract]: As network technology develops, the network is shaping how people communicate, work and live, from news and social media through to payment. At the same time, the leap in network-device performance has sharply lowered the cost of attacking: an attacker can launch an attack at little expense, yet the attack can be highly destructive. Flooding attacks are the most common category of network attack, and their share is still rising. This thesis builds on existing TCP/IP-layer flood scrubbing strategies to implement a traffic scrubbing system that also defends against application-layer flooding attacks.

A flooding attack is, in essence, an attacker sending large volumes of bogus requests that consume network bandwidth and service resources, so that the server turns away legitimate requests and normal business is blocked. The attacker carries out the attack through compromised hosts (bots) spread across the network. Because these hosts are numerous and widely distributed, flooding attacks are hard to trace, large in scale and difficult to defend against.

The application-layer flood scrubbing system implemented here divides attack packets, according to the characteristics of flooding attacks, into lower-layer packets (internet and transport layers) and upper-layer packets (application layer), and applies a different defence strategy to each. Lower-layer packets can be validated directly against the TCP/IP standards by inspecting their header fields. Upper-layer packets require analysis of the payload to infer the intent behind the request and then decide whether an attack is under way. The system is therefore split into four components: traffic monitoring and statistics, anomaly analysis, the scrubbing platform, and alarm and log management. Traffic is monitored per session; when an attack is detected, traffic diversion steers the attack traffic on the affected sessions to the scrubbing platform. For lower-layer packets, a limit on half-open connections and a proxy mechanism screen out bogus requests; for application-layer packets, a linear classification algorithm is introduced to detect attack packets. Finally, clean packets are reinjected into the original network path, so the whole scrubbing process is transparent to both server and client.

In testing, the system correctly identified application-layer flooding attacks and met its performance targets. On the test workload the detection rate was 100%, i.e. whenever an attack occurred the system recognised it and correctly filtered the attack packets, and the false-positive rate did not exceed 5%. Performance initially meets the requirement of handling sessions in the tens of millions.
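The two-tier decision the abstract describes (a header-level half-open connection limit for the transport layer, a linear classifier over request behaviour for the application layer, and pass-through reinjection for everything else) can be sketched per session in a few dozen lines. The block below is an added example, not the thesis's code: the perceptron is one concrete choice of linear classification algorithm, and the feature set, the half-open limit, the training sessions and the held-out sessions are all constructed for illustration.

```python
"""Session-level flood scrubbing sketch (added example, not the thesis's implementation).

Tier 1: a per-source cap on half-open TCP connections, decided from headers alone.
Tier 2: a perceptron (a linear classifier) over per-session HTTP behaviour.
Everything else is reinjected unchanged. All constants and sessions are constructed.
"""
from dataclasses import dataclass

HALF_OPEN_LIMIT = 64   # assumed per-source cap on connections stuck in SYN_RECV


@dataclass(frozen=True)
class Session:
    src: str
    half_open: int         # SYNs from this source still waiting for the final ACK
    req_per_s: float       # HTTP requests per second observed on the session
    uniq_url_ratio: float  # distinct URLs / total requests (1.0 when no requests yet)
    mean_gap_s: float      # mean inter-request gap in seconds
    dyn_ratio: float       # share of requests hitting dynamic (expensive) endpoints


def features(s: Session) -> list[float]:
    """Bounded, bias-first feature vector for the application-layer classifier."""
    return [1.0, s.req_per_s / 100.0, 1.0 - s.uniq_url_ratio,
            1.0 / (1.0 + s.mean_gap_s), s.dyn_ratio]


def dot(a: list[float], b: list[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def train_perceptron(samples: list[tuple[list[float], int]], lr: float = 0.1,
                     epochs: int = 50) -> list[float]:
    """Classic perceptron: labels are +1 (flood) / -1 (normal); stops after an error-free epoch."""
    w = [0.0] * len(samples[0][0])
    for _ in range(epochs):
        errors = 0
        for x, y in samples:
            if (1 if dot(w, x) > 0 else -1) != y:
                errors += 1
                w = [wi + lr * y * xi for wi, xi in zip(w, x)]
        if errors == 0:
            break
    return w


def scrub(s: Session, w: list[float]) -> str:
    """Decision for one session: 'syn-proxy', 'drop' or 'reinject'."""
    if s.half_open > HALF_OPEN_LIMIT:      # lower layer: header check, no payload needed
        return "syn-proxy"                 # hand this source over to the connection proxy
    if dot(w, features(s)) > 0:            # application layer: behaviour looks like a flood
        return "drop"
    return "reinject"                      # clean traffic goes back onto the original path


# Constructed labelled sessions (+1 = flood, -1 = legitimate client).
TRAINING = [
    (Session("10.0.0.1", 2, 1.0, 0.9, 1.5, 0.1), -1),
    (Session("198.51.100.7", 0, 200.0, 0.05, 0.005, 0.9), +1),
    (Session("10.0.0.2", 1, 3.0, 0.7, 0.5, 0.3), -1),
    (Session("198.51.100.8", 0, 80.0, 0.02, 0.0125, 1.0), +1),
    (Session("10.0.0.3", 0, 0.5, 0.8, 2.0, 0.2), -1),
    (Session("198.51.100.9", 0, 500.0, 0.0, 0.002, 0.95), +1),
    (Session("10.0.0.4", 3, 5.0, 0.6, 0.25, 0.4), -1),
    (Session("198.51.100.10", 0, 60.0, 0.1, 0.016, 0.8), +1),
]

# Constructed held-out sessions with ground truth.
EVAL = [
    (Session("10.0.1.1", 1, 2.0, 0.75, 0.8, 0.25), "normal"),
    (Session("10.0.1.2", 4, 8.0, 0.5, 0.125, 0.5), "normal"),
    (Session("203.0.113.5", 0, 150.0, 0.03, 0.007, 0.9), "attack"),
    (Session("203.0.113.6", 0, 40.0, 0.0, 0.025, 1.0), "attack"),
    (Session("203.0.113.7", 300, 0.0, 1.0, 60.0, 0.0), "attack"),  # SYN flood, no HTTP yet
]


def train_model() -> list[float]:
    return train_perceptron([(features(s), y) for s, y in TRAINING])


def evaluate(w: list[float]) -> tuple[float, float]:
    """(detection rate over attack sessions, false-alarm rate over normal sessions)."""
    attacks = [s for s, lbl in EVAL if lbl == "attack"]
    normals = [s for s, lbl in EVAL if lbl == "normal"]
    detected = sum(scrub(s, w) != "reinject" for s in attacks)
    false_alarms = sum(scrub(s, w) != "reinject" for s in normals)
    return detected / len(attacks), false_alarms / len(normals)


if __name__ == "__main__":
    model = train_model()
    for s, lbl in EVAL:
        print(f"{s.src:14} {lbl:7} -> {scrub(s, model)}")
    print("detection rate %.2f, false-alarm rate %.2f" % evaluate(model))
```

The order of the two checks matters: a SYN-flood source has no application-layer behaviour to classify, so it must be caught by the header-level half-open limit before the classifier ever sees it. Detection and false-alarm rates of 1.0 and 0.0 here say nothing about the thesis's figures; they only show the two tiers covering the constructed cases, and a real deployment would set the threshold against measured legitimate traffic to keep false positives within budget.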
[Degree-granting institution]: Harbin Institute of Technology
[Degree level]: Master's
[Year awarded]: 2014
[CLC number]: TP393.08
Article ID: 2194614
Link: http://sikaile.net/guanlilunwen/ydhl/2194614.html