Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Bin TONG,Zhi-guang QIN,Wei-feng JIA,Jian-wei SONG

DOI: https://doi.org/10.3969/j.issn.1001-0548.2008.04.029

2008-01-01

Abstract:According to the characteristics of DoS/DDoS attack, a defense model adopting data-mining technology is proposed. Based on real-time sample traffic, this model extracts trusted IP list by association analysis to filter, and evaluates packets' danger degree by adopting bayes algorithm. This model makes up disadvantages of traditional filtering based on trusted source IP, and effectively differentiates normal traffic and abnormal traffic. Experimental datum proves this model can launch real-time and effective defense against DoS/DDoS attack.

肖军,云晓春,张永铮

DOI: https://doi.org/10.3724/sp.j.1016.2010.01713

2010-01-01

Chinese Journal of Computers

Abstract:Mitigating Distributed Denial-of-Service(DDoS)attacks becomes more challenging with increasing available resources and techniques for attackers.Current network-layer security devices fail to counter application-layer DDoS(App-DDoS)attacks for the normal traffic feature on the network layer.In this paper,to handle App-DDoS attacks,a novel defense model is proposed.App-DDoS attack is divided into 5 types based on the attack URL generating way.Based on the differences between normal sessions and attack sessions,the paper proposes the session behavior suspicion parameters and the session suspicion model,which can be used to differentiate normal sessions from App-DDoS sessions accurately.The model is combined with 3 forwarding policies,including First-Come First-Serve(FCFS),Low Suspicion First(LSF)and Round Robin respectively to defend against 5 types of App-DDoS attacks.Simulation result with real Web trace shows that these forwarding policies perform well when the forwarding rate equals to the maximum normal request arrival rate,and FCFS and Round Robin perform better than LSF on the normal request response delay.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Zhen Han,Wei Wang,Changyun Wen,Lei Wang

DOI: https://doi.org/10.1109/tii.2024.3393142

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:This article focuses on the distributed adaptive consensus control problem for nonlinear systems with unknown parameters and denial-of-service (DoS) attacks. The communication channels among subsystems are directed and DoS attacks are executed on subsystems to jam the communication transmission. Besides, only part of these subsystems can access states of the desired reference system. To actively alleviate attack effects on the consensus performance, a distributed adaptive consensus control scheme with an active-defense mechanism is proposed. The active-defense mechanism consists of an attack-detection algorithm and a switching strategy. The distributed adaptive consensus controller is designed with normalized damping terms in control inputs and parameter update laws. In the presence of DoS attacks, a stability condition is derived based on the designed control scheme, which guarantees that the consensus errors are globally uniformly bounded under arbitrary switching dwell-time. Experimental results are provided to validate the effectiveness of the proposed control scheme with the active-defense mechanism.

TungNgai Miu,Chenxu Wang,Daniel Xiapu Luo,Jinhe Wang

DOI: https://doi.org/10.1007/978-3-319-59608-2_42

2016-01-01

Abstract:Application layer distributed denial of service (App-layer DDoS) attacks are becoming a severe threat to the security of web servers. In this paper, we model user browsing activity in order to detect abnormal requests. User access patterns are analyzed to detect anomaly at the session level. The likelihood of a browsing session is then calculated to distinguish abnormal behaviors from normal ones. We evaluate our methods based on a real dataset collected from a commercial website that suffered from actual DDoS attacks. The experimental results validate the effectiveness of the proposed methods.

楼润瑜,王备战,王伟

2010-01-01

Abstract:In order to defend the attacks caused by DDOS and worms(or vicious codes) in large scale network,a general,solid,in-depth and distributed active cooperation defense model is presented.A set of achievable methods ranging from systemic architecture,function mechanisms and algorithm descriptions are given.The model,which is demonstrated by the system architecture,function modules and active cooperation defense to stop the attacks,is the integrated and systemic model.It integrates several role security technologies,such as IDS,firework and honeynet,and achieves a complete set of functional mechanisms for active cooperation defense.By the cooperation from the security components within inside and outside the autonomous system(AS),we realize the active cooperation defense which involves the multi-level defense range from network boundary level,kernel level,sub-network level to host level.As a result,the presented model not only can achieve effectively security defense in the large scale network,but also can have the good generality and scalability.

Shi Jingyan,Wu Kun,Zeng Qingkai,Lü Zhijun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.010

2006-01-01

Abstract:The existing methods for DDoS attacks prevention usually require the protected system to analyze the attack stream to find out the attackers.But the attack stream is easy to be hidden in the common stream,which makes all of these methods inefficient.A prevention method based on interaction activity is proposed under these circumstances.During the period of attacks,server communicats with the suspicious clients to determine the attackers.The prevention method is combined with the application environment,and a prevention model is established which consists of system monitor,attacker identification,access control and so on.Then the model is deployed in Apache Web server to testify the high performance of the method.

Pei Daquan,Ma Jin,Lu Songnian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.11.006

2008-01-01

Abstract:The mechanism of TCP based DoS attack is analyzed,and then a DDOS prevention model based on traffic self-similarity is pro- posed.The model first calculates the Hurst parameter of traffic by wavelet method,and then it decides whether the system is suffering DoS at- tack or not.When attack is asserted,connection trust domain is employed to respond to the situation.The model is able to serve the trusted connection even when the system is under DDOS attack.

P. Dorey,C. Dunning,A. Millican-Slater,R. Tateo

DOI: https://doi.org/10.48550/arXiv.hep-th/0309054

2003-09-04

Abstract:We review some surprising links which have been discovered in the last few years between the theory of certain ordinary differential equations, and particular integrable lattice models and quantum field theories in two dimensions. An application of this correspondence to a problem in non-Hermitian (PT-symmetric) quantum mechanics is also discussed.

High Energy Physics - Theory

Yin Qin,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.055

2006-01-01

Abstract:DDoS attacks in the Internet have produced new challenges to network and system security. Many mecha- nisms have been designed to address this problem in recent years. This paper surveys these techniques and analyses them.

ZHAO Dong-ping,ZHENG Wei-bin,ZHANG De-yun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.035

2005-01-01

Abstract:To address the problem of application-level web security,an adaptive intrusion detection system is proposed,which is embedded directly in the Web server.In order to define all the valid requests for anomaly detection and misuse detection,the techniques which observe the clients' access behavior relevancy and adjust their personal policies dynamically are employed.The experiments indicate that the proposed system can not only confirm the valid request but also defend the new attack behavior and detect the old attack event.Based on the proposed method,the detecting rate is over 95.8% under common attack scanning.

Qingtao Wu,Ruijuan Zheng,Jiexin Pu,Shibao Sun

DOI: https://doi.org/10.1109/ical.2009.5262668

2009-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of Internet services and resources. We present an adaptive control mechanism that utilizes the Shewhart's control charts based-on network connection to aid in handling DDoS attacks. This mechanism is designed to prevent incoming traffic from exceeding a given threshold, while allowing as much incoming, legitimate traffic as possible. In addition, this mechanism focuses on requiring less demanding modifications to external routers and networks than other published distributed response mechanisms that impact the effect of DDoS attacks. The experimental results show the effectiveness of our scheme in early mitigating DDoS attacks.

Lei He,Quan Ren,Bolin Ma,Weili Zhang,Jiangxing Wu

DOI: https://doi.org/10.23919/jcc.2021.00.011

2022-01-01

China Communications

Abstract:With the rapid development of information technology, the cyberspace security problem is increasingly serious. Kinds of dynamic defense technology have emerged such as moving target defense and mimic defense. This paper aims to describe the architecture and analyze the performance of Cyberspace Mimic DNS based on generalized stochastic Petri net. We propose a general method of anti-attacking analysis. For general attack and special attack model, the available probability, escaped probability and non-special awareness probability are adopted to quantitatively analyze the system performance. And we expand the GSPN model to adjust to engineering practice by specifying randomness of different output vectors. The result shows that the proposed method is effective, and Mimic system has high anti-attacking performance. To deal with the special attack, we can integrate the traditional defense mechanism in engineering practice. Besides, we analyze the performance of mimic DNSframework based on multi-ruling proxy and input-output desperation, the results represent we can use multi ruling or high-speed cache servers to achieve the consistent cost of delay, throughput compared with single authorized DNS, it can effectively solve 10% to 20% performance loss caused by general ruling proxy.

Wu Zhijun,Duan Haixin,Li Xing

DOI: https://doi.org/10.1007/s11767-005-0027-8

2006-01-01

Journal of Electronics (China)

Abstract:An approach of defending against Distributed Denial of Service (DDoS) attack based on flow model and flow detection is presented. The proposed approach can protect targets from DDoS attacking, and allow targets to provide good service to legitimate traffic under DDoS attacking, with fast reaction. This approach adopts the technique of dynamic comb filter, yields a low level of false positives of less than 1.5%, drops similar percentage of good traffic, about 1%, and passes neglectable percentage of attack bandwidth to the victim, less than 1.5%. The prototype of commercial product, D-fighter, is developed by implementing this proposed approach on Intel network processor platform IXP1200.

Zeng Xiao-hui,Peng Xuan-ge,Li Man-hua,Xu Hong-qi,Jin Shi-yao

DOI: https://doi.org/10.1109/icrccs.2009.15

2009-01-01

Abstract:Aiming at the shortage of existing DDoS attacks defense system, this paper puts forward an effective approach against DDoS attacks based on the three-way handshake process, and the key point lies in discarding the aggressive first handshake requests which consume a lot of system resources; thus it ensures that the new normal network request can be dealt with. An efficient defense system against DDoS attacks is designed, and the experiment results show our approach can improve the whole system’s protection capability against DDoS attacks; what’s more, the system can still keep receiving new network requests.

Xin Wang,Xiaobo Ma,Jiahao Peng,Jianfeng Li,Lei Xue,Wenjun Hu,Li Feng

DOI: https://doi.org/10.1109/access.2021.3131503

IF: 3.9

2021-01-01

IEEE Access

Abstract:The emerging link flooding attacks (LFAs) are one type of attacks that attract significant attention in both academia and industry against the routing infrastructure. The attack traffic flows originating from bots (e.g., compromised IoT devices) are deliberately aggregated at upstream critical links and grow intensified, gradually making a network connected to the critical links disconnected. Although LFAs are far more sophisticated than traditional DDoS attacks, whether such sophistication comes without a downside has never been investigated. In this paper, by modeling link flooding attacks and defenses, we tackle a series of questions concerning the practical issues of LFAs. Specifically, from the perspective of attacks, we advance a novel notion of strike precision, and reveal that LFAs may exhibit attack interference (i.e., unexpectedly interfere the connectivity of innocent networks) which might undermine the stealthiness and persistence of LFAs. From the perspective of defenses, we make the first step to study attack intention, i.e., inversely inferring the target network to disconnect based on the identified links under attack. Furthermore, we consider a strong defender who employs traffic engineering to mitigate LFAs, and formulate the game-theoretic interactions between attackers and defenders. The experiment results show that attack interference is pervasive, and our proposed SPAH flooding strategy can substantially lower attack interference and increase strike precision. Moreover, we demonstrate that LFAs can be effectively mitigated based on traffic engineering from a game-theoretic perspective, wherein the defender can adopt non-cooperative measurement techniques to achieve light-weight and multi-protocol-based robust probe deployment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yi Shi,Xinyu Yang

DOI: https://doi.org/10.1007/11596981_54

2005-01-01

Abstract:Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In this paper, we propose a novel global defense architecture to protect the entire Internet from DDoS attacks. This architecture includes all the three parts of defense during the DDoS attack: detection, filtering and traceback, and we use different agents distributed in routers or hosts to fulfill these tasks. The superiority of the architecture that makes it more effective includes: (i) the attack detection algorithm as well as attack filtering and traceback algorithm are both network traffic-based algorithms; (ii) our traceback algorithm itself also can mitigate the effects of the attacks. Our proposed scheme is implemented through simulations of detecting and defending SYN Flooding attack, which is an example of DDoS attack. The results show that such architecture is much effective because the performance of detection algorithm and traceback algorithm are both better.