
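Hash IP trace-back protocol combining association rule mining and simplified particle swarm optimization
Cite this article: HOU Yan, GUO Huiling. Hash IP trace-back protocol combining association rule mining and simplified particle swarm optimization[J]. Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition), 2016, 28(2): 239-246.
Authors: HOU Yan, GUO Huiling
Affiliation: School of Computer Science and Technology, Zhoukou Normal University, Zhoukou, Henan 466000
Funding: Henan Province Soft Science Research Program (132400410927, 142400411229)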
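Abstract: To address the inability of the source path isolation engine (SPIE) to trace back attack packets that passed through a router early on, an IP trace-back protocol (ITP) is proposed. The protocol resists network attacks using a compressed hash table, a Sinkhole routing algorithm, and data mining based on network forensics. The attack analysis manager (AAM), which contains a simplified particle swarm optimization (SPSO) association algorithm, generates attack patterns and attack-packet rules by analyzing the correlation of attack packets coming from the Sinkhole router and the intrusion detection system (IDS), and notifies the system manager of the result; the Sinkhole router and the IDS analyze the correlation between attack packets using data mining. A performance comparison with SPIE, probabilistic packet marking (PPM) and iTrace shows that ITP can not only trace attacks backward in real time but can also complete tracing tasks periodically using the compressed hash table (CHT). Therefore, in resisting DoS attacks, ITP outperforms SPIE, PPM and iTrace. In addition, in terms of trace-back execution time, ITP is 2-3 s lower than iTrace at the same number of hops.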

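Keywords: attack packet; IP trace-back protocol; compressed hash table; simplified particle swarm optimization; Sinkhole router; data mining
Received: 2015/4/30 0:00:00
Revised: 2015/12/20 0:00:00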

Hash IP trace-back protocol based on association rule mining and simplified particle swarm optimization
HOU Yan and GUO Huiling. Hash IP trace-back protocol based on association rule mining and simplified particle swarm optimization[J]. Journal of Chongqing University of Posts and Telecommunications, 2016, 28(2): 239-246.
Authors:HOU Yan and GUO Huiling
Institution: School of Computer Science and Technology, Zhoukou Normal University, Zhoukou 466001, P. R. China
Abstract: Because the Source Path Isolation Engine (SPIE) cannot trace back attack packets that passed through the router early, an IP Trace-back Protocol (ITP) is proposed, which uses a compressed hash table, a sinkhole routing algorithm and data mining based on network forensics to resist network attacks. The attack analysis manager (AAM), which includes simplified particle swarm optimization (SPSO), generates attack patterns and attack-packet rules by analyzing the correlation of attack packets from the Sinkhole router and the IDS, and the results are reported to the system manager. The Sinkhole router and the IDS analyze the correlation between attack packets using data mining. Compared with SPIE, PPM and iTrace, ITP can not only trace back an attack in real time using the hash table, but can also complete the tracing task using the Compression Hash Table (CHT). Thus, in terms of resistance to DoS attacks, ITP outperforms SPIE, PPM and iTrace. In terms of trace-back execution time, ITP is lower than iTrace by 2-3 seconds for the same number of hops.
Keywords:attack packet  IP trace-back protocol  compressed Hash table  simplified particle swarm optimization  sinkhole router  data mining
This article is indexed in Wanfang Data and other databases.