J4, 2010, Vol. 44, Issue 2: 265-270. DOI: 10.3785/j.issn.1008-973X.2010.02.010
Computer Technology; Telecommunication Technology
DDoS defense based on support vector machine and multi-resource max-min fairness (Chinese title: 基于支持向量机和多资源最大最小公平的DDoS防御)
魏蔚, 董亚波, 鲁东明
(College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China)
Multi-resource max-min fairness and support vector machine based DDoS defense
WEI Wei, DONG Ya-bo, LU Dong-ming
(College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China)
Abstract:

Distributed denial of service (DDoS) attacks are defended by distributed filtering. Cooperative defense is restricted to a single autonomous system (AS), which is a suitable network scope for the response, and two classes of resource, link bandwidth and the victim's processing capacity, are considered together with their interaction. In the support vector machine (SVM)-based multi-resource max-min fairness (SMMF) algorithm, the filter parameters at the AS edge are adjusted dynamically according to the traffic observed at the victim, so that multi-resource max-min fairness is maintained and a better defense effect is achieved. Simulation results show that the algorithm suppresses attack traffic effectively in a general attack scenario and keeps legitimate throughput at its normal level in cases where existing methods fail. The filter was implemented on a PC-based router; the results show that even with thousands of filters installed only a very small amount of memory is needed and the router's packet throughput remains normal.
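The abstract names two resources, link bandwidth and the victim's processing capacity, and asks for a max-min fair split of them among the flows arriving at the AS edge. As an added illustration that is not code from the paper or its authors, the block below performs progressive filling over both resources: every unsaturated flow is raised at the same rate until a flow's demand is met or one resource runs out, and the resulting per-flow rates are the caps an edge filter would enforce. Flow names, per-packet costs and capacities are constructed, and the SVM-based adjustment of filter thresholds that SMMF itself performs is not reproduced here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregate arriving at the AS edge, e.g. all traffic from one source prefix."""
    name: str
    demand: float         # offered rate in packets/s
    bytes_per_pkt: float  # link bandwidth consumed per packet
    cpu_per_pkt: float    # victim processing cost per packet (constructed unit)


def multi_resource_max_min(flows, bandwidth, processing, eps=1e-9):
    """Progressive filling over two shared resources.

    All unsaturated flows rise at the same rate until either the smallest
    remaining demand is met (that flow is frozen, the rest keep rising) or a
    resource is exhausted (every remaining flow is capped at the current level).
    Returns (allocation, bottleneck): allocation maps flow name -> admitted
    packets/s; bottleneck is "bandwidth", "processing", or None if every
    demand fit without throttling.
    """
    alloc = {f.name: 0.0 for f in flows}
    active = list(flows)
    bottleneck = None
    while active:
        frozen = [f for f in flows if f not in active]
        bw_left = bandwidth - sum(alloc[f.name] * f.bytes_per_pkt for f in frozen)
        cpu_left = processing - sum(alloc[f.name] * f.cpu_per_pkt for f in frozen)
        bw_cost = sum(f.bytes_per_pkt for f in active)
        cpu_cost = sum(f.cpu_per_pkt for f in active)
        # Level at which each resource would be exhausted by the active flows.
        bw_level = bw_left / bw_cost if bw_cost > 0 else float("inf")
        cpu_level = cpu_left / cpu_cost if cpu_cost > 0 else float("inf")
        demand_level = min(f.demand for f in active)
        level = min(bw_level, cpu_level, demand_level)
        for f in active:
            alloc[f.name] = level
        if level < demand_level - eps:
            # A resource saturated before any remaining demand was met.
            bottleneck = "bandwidth" if bw_level <= cpu_level else "processing"
            break
        # Flows whose demand equals the level are satisfied; freeze them.
        active = [f for f in active if f.demand > level + eps]
    return alloc, bottleneck


def filter_limits(flows, alloc):
    """Rate cap to install per edge filter, and whether that flow is actually throttled."""
    return {f.name: (alloc[f.name], alloc[f.name] + 1e-9 < f.demand) for f in flows}


# Constructed sample: two legitimate clients and two attack sources whose
# requests are larger and costlier for the victim to process.
SAMPLE_FLOWS = [
    Flow("legit-a", demand=200, bytes_per_pkt=500, cpu_per_pkt=1.0),
    Flow("legit-b", demand=300, bytes_per_pkt=500, cpu_per_pkt=1.0),
    Flow("bot-1", demand=5000, bytes_per_pkt=1000, cpu_per_pkt=1.5),
    Flow("bot-2", demand=5000, bytes_per_pkt=1000, cpu_per_pkt=1.5),
]
LINK_BYTES_PER_S = 1_000_000  # constructed capacity of the victim's access link


if __name__ == "__main__":
    # Two victim processing capacities: with the larger one the link is the
    # bottleneck; with the smaller one the victim's CPU binds first and even a
    # legitimate flow is partially throttled.
    for cpu_cap in (2_000, 1_200):
        alloc, bottleneck = multi_resource_max_min(SAMPLE_FLOWS, LINK_BYTES_PER_S, cpu_cap)
        print(f"processing capacity {cpu_cap}: bottleneck={bottleneck}")
        for name, (cap, throttled) in filter_limits(SAMPLE_FLOWS, alloc).items():
            print(f"  {name:8s} cap={cap:7.1f} pkt/s throttled={throttled}")
```

With the larger processing capacity the attack sources are capped at 375 packets/s each while both legitimate flows receive their full demand; with the smaller one the victim's processing capacity saturates first, so the cap drops to 250 packets/s and the larger legitimate flow is also trimmed, which is the multi-resource interaction the abstract refers to.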

Publication date: 2010-03-09
CLC number: TP 393.08
Funding:

National High Technology Research and Development Program of China (863 Program) (2008AA01Z416); Zhejiang Provincial Science and Technology Program (2007C21034); Program for New Century Excellent Talents in University (NCET-04-0535).

Corresponding author: DONG Ya-bo, male, associate professor. E-mail: dongyb@zju.edu.cn
About the first author: WEI Wei (born 1983), male, from Gushi, Henan; Ph.D. candidate, researching network security technology.

Cite this article:

魏蔚, 董亚波, 鲁东明. 基于支持向量机和多资源最大最小公平的DDoS防御[J]. J4, 2010, 44(2): 265-270.

WEI Wei, DONG Ya-bo, LU Dong-ming. Multi-resource max-min fairness and support vector machine based DDoS defense. J4, 2010, 44(2): 265-270.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2010.02.010
http://www.zjujournals.com/eng/CN/Y2010/V44/I2/265

