
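Research on Attack Detection and Performance Optimization Strategies for Application-Layer Gateways

Published: 2018-03-11 16:43

  Topic: application-layer gateway. Entry point: cloud computing. Source: University of Science and Technology of China, 2014 doctoral dissertation. Paper type: degree thesis.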


[Abstract]: The combination of cloud computing and the mobile Internet has created large business opportunities for application service providers, but it also confronts them with major challenges. The application-layer gateway is an edge gateway device that sits between the data center and the external network. It integrates a set of core network technologies and gives application service providers an application delivery service with high performance, high security and scalability.
In practice, application-layer gateways still face many challenges. First, with user populations and data traffic growing explosively, the gateway must help application service providers reduce user access latency. Second, in today's complex network environment, application service providers are frequently hit by distributed denial-of-service (DDoS) attacks of various kinds, and how the gateway can effectively detect HTTP-based application-layer DDoS attacks is a problem that urgently needs solving. Third, a single application-layer gateway cannot carry the load produced by very large numbers of users and very large traffic volumes, so scalable load balancing of the application server cluster by the gateway is an important research topic. This thesis studies these attack detection and performance optimization problems of the application-layer gateway. Its main contributions are as follows:
1. A web caching algorithm based on a PLSA prediction model
Existing web caching algorithms do not take user interests and access behavior patterns into account in their cache replacement policies. To address this, the thesis proposes a web caching algorithm based on a probabilistic latent semantic analysis (PLSA) prediction model. It first introduces the PLSA prediction model from the text retrieval field and trains it on web access logs to build a model that describes user access behavior and interests. It then uses this model to extend the NGRAM-GDSF caching algorithm, introducing a future access frequency factor that represents the degree of user interest and serves as a prediction of a web object's future frequency. Experimental results show that when the cache is 0.1% of memory, compared with the NGRAM-GDSF caching algorithm, the PN-GRAM caching algorithm improves the hit rate and byte hit rate by 3.01% and 1.43% respectively, while the IPN-GRAM algorithm improves them by 5.88% and 3.13%.
2. An application-layer DDoS attack detection algorithm based on user behavior
To detect application-layer distributed denial-of-service attacks while a flash crowd event is occurring, the thesis proposes a detection algorithm based on user behavior mining. It first uses a hidden semi-Markov model (HsMM) to model the dynamics of user access behavior and obtains the model parameters λ=(Q,π,A,B,P) that correspond to normal user access behavior. During detection, the observed data are fitted to the trained hidden semi-Markov model and the corresponding average information entropy is computed. An attack is detected by comparing how far the entropy obtained for the observed data deviates from the entropy of normal user access. Clustering is used to reduce the dimensionality of the data set during model training. Experiments and simulation verify the feasibility and effectiveness of the algorithm. When the threshold is set to -2.7, DR is about 97% and FNR is about 2%.
3. A scalable load balancing strategy for large-scale web server clusters
When the number of users and the volume of data are too large for a single application-layer gateway to carry the request load, the thesis proposes a scalable load balancing strategy for large-scale web server clusters. The strategy uses existing multipath routing protocols and distributed systems techniques and divides the load balancing function into three layers, each implemented by the corresponding servers and routers. Second-level load balancing servers can be added dynamically, which makes load balancing of the server cluster highly scalable. Each virtual IP is reachable over multiple paths, and a mean-variance mathematical model is used to obtain the optimal path weight vector and assign a weight to each path. Experimental results show that a multipath system using the proposed strategy achieves a relatively stable delay jitter rate. Compared with a single-path system, the packet loss rate of the multipath system also grows more slowly as system traffic increases: under the same load, the packet loss rate of the single-path system is 76.81%, while that of the multipath system is only 54.38%.
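The detection idea in contribution 2 (score observed browsing behavior against a model of normal behavior, and flag sessions whose score deviates past a threshold) can be sketched as follows. This is an added example, not code from the thesis: it swaps the HsMM for a much simpler first-order Markov chain, uses average log-likelihood per transition as the entropy-style score, and the page names, training sessions and the threshold of -1.5 are all constructed for illustration.

```python
import math
from collections import defaultdict

PAGES = ["home", "list", "item", "cart", "other"]  # "other" absorbs unseen URLs

def _norm(session):
    return [p if p in PAGES else "other" for p in session]

def train(sessions, alpha=1.0):
    """Laplace-smoothed transition probabilities learned from normal sessions."""
    counts = {p: defaultdict(float) for p in PAGES}
    for s in map(_norm, sessions):
        for a, b in zip(s, s[1:]):
            counts[a][b] += 1
    model = {}
    for a in PAGES:
        total = sum(counts[a].values()) + alpha * len(PAGES)
        model[a] = {b: (counts[a][b] + alpha) / total for b in PAGES}
    return model

def score(model, session):
    """Average log-likelihood per transition; lower means less like normal use."""
    s = _norm(session)
    steps = list(zip(s, s[1:]))
    if not steps:
        return 0.0  # no transitions, nothing to score
    return sum(math.log(model[a][b]) for a, b in steps) / len(steps)

def flag(model, sessions, threshold):
    """Indices of sessions whose score falls below the threshold."""
    return [i for i, s in enumerate(sessions) if score(model, s) < threshold]

# Constructed training data: ordinary browsing paths.
NORMAL = [
    ["home", "list", "item", "cart"],
    ["home", "list", "item", "list", "item", "cart"],
    ["home", "item", "cart"],
    ["home", "list", "item"],
]
MODEL = train(NORMAL)
THRESHOLD = -1.5  # constructed; in practice calibrated on held-out normal traffic

# A flash crowd is many users behaving normally; the last session hammers one page.
CROWD = [["home", "list", "item", "cart"]] * 200
ATTACK = ["item"] * 6

if __name__ == "__main__":
    print(round(score(MODEL, CROWD[0]), 3), round(score(MODEL, ATTACK), 3))
    print(flag(MODEL, CROWD + [ATTACK], THRESHOLD))
```

Because the score is computed per session rather than from request volume, the 200 flash-crowd sessions pass while the single repetitive session is flagged.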

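[Degree-granting institution]: University of Science and Technology of China
[Degree level]: Doctoral
[Year degree granted]: 2014
[Classification number]: TP393.08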
