Design and Implementation of an Application-Layer Flood Traffic Scrubbing System
Published: 2018-08-20 18:37
[Abstract]: With the development of network technology, the network is shaping how people communicate, work and live, in areas ranging from information and social interaction to payment. At the same time, the leap in the performance of network equipment has sharply lowered the cost of network attacks: an attacker can launch an attack at little expense, yet with potentially devastating effect. Flood traffic attacks are the typical network attack that accounts for the largest share of all attacks, and that share is still rising. This thesis aims to build, on top of the existing TCP/IP-layer flood traffic scrubbing strategies, a traffic scrubbing system that can also defend against application-layer flood traffic attacks.
The essence of a flood traffic attack is that the attacker sends a large volume of bogus requests to consume network bandwidth and service resources, so that the server is forced to reject legitimate requests and normal business is obstructed. The attacker carries out the attack through puppet (zombie) hosts on the network. Because these hosts are numerous and widely distributed, flood traffic attacks are highly concealed and large in scale, and are difficult to defend against.
The application-layer flood traffic scrubbing system implemented in this thesis targets these characteristics by dividing the packets of a flood attack into lower-layer packets (the internet and transport layers) and higher-layer packets (the application layer) and applying a different defence strategy to each. For lower-layer packets, the legitimacy of a packet can be verified by checking its header fields directly against the TCP/IP standards. For higher-layer packets, the packet content must be analysed to infer the intent behind it before an attack can be determined. The system therefore consists of four components: traffic monitoring and statistics, anomalous traffic analysis, the scrubbing platform, and alarm and log management. Network traffic is monitored per session; when an attack is detected, traffic diversion is started to steer the attack traffic on that session to the scrubbing platform. For lower-layer packets, a half-open connection limit and a proxy mechanism are used to screen out bogus requests; for application-layer packets, a linear classification algorithm is introduced to detect attack packets. Finally, legitimate packets are re-injected into the original network, so the whole scrubbing process is transparent to both the server and the client.
Testing shows that the system correctly identifies application-layer flood traffic attacks and meets its performance targets. The attack detection rate reaches 100%, i.e. whenever an attack occurs the system identifies it and correctly filters out the attack packets, and the false detection rate does not exceed 5%. In terms of performance, the system can initially meet the requirement of tens of millions of sessions.
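The two screening stages the abstract describes, a per-source half-open connection limit for lower-layer packets and a linear classifier over request features for application-layer packets, can be sketched on constructed in-memory records. The following is an added illustration written for this page, not code from the thesis; the half-open limit, the three request features, the classifier weights and the sample traffic records are all assumed values.

```python
"""Added example, not code from the thesis described on this page.

Miniature of the two screening stages the abstract describes, run over
constructed in-memory records instead of live traffic:

  * lower layer: count half-open TCP connections (SYN seen, handshake
    never completed) per source and flag sources over a limit, a
    stand-in for the thesis's half-connection restriction;
  * application layer: score each client's request window with a linear
    classifier (score = w.x + b), a stand-in for the thesis's linear
    classification algorithm.

HALF_OPEN_LIMIT, WEIGHTS, BIAS and the sample records are assumed values.
"""
from collections import Counter, defaultdict

HALF_OPEN_LIMIT = 3          # assumed: max outstanding half-open connections per source
WEIGHTS = (0.05, 2.0, 3.0)   # assumed: per-feature weights of the linear classifier
BIAS = -2.0                  # assumed: classifier bias; score > 0 means "attack"


def flag_half_open_sources(tcp_events, limit=HALF_OPEN_LIMIT):
    """Lower-layer check.

    tcp_events is a sequence of (kind, src, conn_id) tuples in arrival
    order, where kind is "syn" (handshake started) or "ack" (handshake
    completed).  A source is flagged once it holds more than `limit`
    half-open connections at the same time.
    """
    half_open = defaultdict(set)
    flagged = set()
    for kind, src, conn_id in tcp_events:
        if kind == "syn":
            half_open[src].add(conn_id)
            if len(half_open[src]) > limit:
                flagged.add(src)
        elif kind == "ack":
            half_open[src].discard(conn_id)
    return flagged


def request_features(requests, window_seconds):
    """Turn one client's request window into a feature vector.

    requests is a list of (uri, user_agent) tuples observed within
    window_seconds.  Features: request rate, share of requests going to
    the single most-requested URI, share of requests with no User-Agent.
    """
    n = len(requests)
    rate = n / window_seconds
    top_uri_share = Counter(uri for uri, _ in requests).most_common(1)[0][1] / n
    no_ua_share = sum(1 for _, ua in requests if not ua) / n
    return (rate, top_uri_share, no_ua_share)


def linear_score(features, weights=WEIGHTS, bias=BIAS):
    """Linear classifier: w . x + b."""
    return sum(w * x for w, x in zip(weights, features)) + bias


def classify_clients(requests_by_client, window_seconds):
    """Application-layer check: map each client to "attack" or "normal"."""
    verdicts = {}
    for client, requests in requests_by_client.items():
        if not requests:
            continue
        score = linear_score(request_features(requests, window_seconds))
        verdicts[client] = "attack" if score > 0 else "normal"
    return verdicts


def scrub(tcp_events, requests_by_client, window_seconds):
    """Run both stages; return (blocked sources, requests to re-inject)."""
    blocked = set(flag_half_open_sources(tcp_events))
    verdicts = classify_clients(requests_by_client, window_seconds)
    blocked |= {c for c, v in verdicts.items() if v == "attack"}
    # Only traffic from clients that passed both stages goes back to the network.
    reinjected = {c: r for c, r in requests_by_client.items() if c not in blocked}
    return blocked, reinjected


# Constructed sample traffic (not captured data).
SAMPLE_TCP = [
    ("syn", "10.0.0.5", 1), ("ack", "10.0.0.5", 1),   # normal client completes its handshake
    ("syn", "10.0.0.9", 1), ("syn", "10.0.0.9", 2),   # 10.0.0.9 opens four and never ACKs
    ("syn", "10.0.0.9", 3), ("syn", "10.0.0.9", 4),
]
SAMPLE_HTTP = {
    "10.0.0.5": [("/", "Mozilla/5.0"), ("/login", "Mozilla/5.0"),
                 ("/cart", "Mozilla/5.0"), ("/", "Mozilla/5.0")],
    "10.0.0.7": [("/search", "")] * 200,               # 200 identical requests, no User-Agent
}

if __name__ == "__main__":
    blocked, passed = scrub(SAMPLE_TCP, SAMPLE_HTTP, window_seconds=10)
    print("blocked sources:", sorted(blocked))
    print("re-injected clients:", sorted(passed))
```

In a real deployment the feature weights would be learned from labelled traffic rather than fixed by hand, and the false-detection figure the abstract reports (no more than 5%) is exactly the quantity such a threshold has to be tuned against.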
[Degree-granting institution]: Harbin Institute of Technology
[Degree level]: Master
[Year degree granted]: 2014
[Classification number]: TP393.08