| 基于令牌桶阵列的DDoS流量过滤 |
| |
| 引用本文: | 戴世冬,段海新,李星.基于令牌桶阵列的DDoS流量过滤[J].清华大学学报(自然科学版),2011(1):141-144. |
| |
| 作者姓名: | 戴世冬 段海新 李星 |
| |
| 作者单位: | 清华大学电子工程系;清华大学信息网络工程研究中心; |
| |
| 基金项目: | 国家“九七三”重点基础研究项目(2009CB320505) |
| |
| 摘 要: | 为了提高分布式拒绝服务攻击(DDoS)流量过滤的性能,同时保证过滤的正确率,提出一种基于Poisson流随机分解模型的分类方法。该方法根据报文特征对流量进行分解后,基于2类流量的流速比随机判定报文的类别。设计了一个基于令牌桶阵列(TBA)的实现方案,不需要实时估计攻击流的参数,有效提高了过滤的性能。理论推导表明:Poisson流随机分解模型的理论错误率上限为最大后验概率判决法错误率上限的2倍,TBA在过滤突发性强的攻击报文时错误率会进一步下降。实验结果表明:TBA的过滤效果和NB(naive Bayes)方法相当,过滤突发性攻击流时错误率低于NB方法。
|
| 关 键 词: | 计算机网络安全 分布式拒绝服务攻击 Poisson流分解 令牌桶阵列 Markov调制Poisson过程 |
DDoS mitigation based on token bucket arrays |
| |
| DAI Shidong,DUAN Haixin,LI Xing.DDoS mitigation based on token bucket arrays[J].Journal of Tsinghua University(Science and Technology),2011(1):141-144. |
| |
| Authors: | DAI Shidong DUAN Haixin LI Xing |
| |
| Institution: | DAI Shidong1,DUAN Haixin2,LI Xing1(1.Department of Electronic Engineering,Tsinghua University,Beijing 100084,China,2.Network Research Center,China) |
| |
| Abstract: | A classification scheme based on the random decomposition of Poisson processes was introduced to reduce filter complexity while maintaining accuracy when filtering distributed denial of service(DDoS) packets.The traffic was decomposed into sub-flows based on the packet features,with packets in each sub-flow randomly discriminated based on the intensity ratio for two classes in the sub-flow.A practical system based on the token bucket array(TBA) was developed which increased the performance by removing real-... |
| |
| Keywords: | network security distributed denial of service decomposition of Poisson process token bucket array Markov-modulated Poisson process |
| 本文献已被 CNKI 等数据库收录! |
