ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2015, Vol. 52 ›› Issue (4): 813-822.doi: 10.7544/issn1000-1239.2015.20148347

所属专题: 2015大数据驱动的网络科学

• 网络技术 • 上一篇    下一篇

骨干网络中RoQ攻击的监测、定位和识别

文坤1,2, 杨家海1,2, 程凤娟3,尹辉3,王健峰1,2   

  1. 1(清华大学网络科学与网络空间研究院 北京 100084); 2(清华信息科学与技术国家实验室(清华大学) 北京 100084); 3(河南工业大学信息科学与工程学院 郑州 450001) (yang@cernet.edu.cn)
  • 出版日期: 2015-04-01
  • 基金资助: 
    基金项目:国家“九七三”重点基础研究发展计划基金项目(2012CB315806);国家自然科学基金项目(61170211);高等学校博士学科点专项科研基金项目(20110002110056,20130002110058)

MIL-RoQ: Monitoring, Identifying and Locating the RoQ Attack in Backbone Network

Wen Kun1,2,Yang Jiahai1,2,Cheng Fengjuan3,Yin Hui3, Wang Jianfeng1,2   

  1. 1(Institute for the Network Sciences and Cyberspace, Tsinghua University, Beijing 100084) ; 2(Tsinghua National Laboratory for Information Science and Technology (Tsinghua University), Beijing 100084); 3(College of Information Science and Engineering, Henan University of Technology, Zhengzhou 450001)
  • Online: 2015-04-01

摘要: 降质(reduction of quality, RoQ)攻击是一种非典型拒绝服务攻击,它利用TCP自适应机制的安全漏洞能够显著降低或抑制TCP服务质量,且具有很强的隐蔽性.现有的研究集中在针对单条网络链路上的攻击和检测.但是,RoQ攻击的对象并不局限于此,它既可以对单条链路发动攻击,也可以有选择的对多条链路(甚至整个网络)发起攻击,造成更大的危害,所以需要有一种能够从网络全局角度分析和识别的方法.为此,提出了一种基于骨干网络流量分析的异常监测、定位和识别的方法MIL-RoQ(monitoring, identifying and locating the RoQ attack in backbone network).主要使用主成分分析(principal component analysis, PCA)和频谱分析(spectrum analysis)技术对骨干流量进行流量建模分析,从全局角度监测网络流量变化情况,能够同时分析和判断多条链路的异常情况,并能准确识别出RoQ攻击.使用了CERNET骨干网络数据进行实验分析,结果表明该方法能够有效地定位和识别RoQ攻击;同时,攻击识别时只需要使用局部的流量数据,因而能显著降低计算量和复杂度.

关键词: 网络安全, 异常检测, RoQ攻击, 主成分分析, 频谱分析

Abstract: Reduction of quality (RoQ) attack is an atypical denial of service (DoS) attack, which exploits the vulnerability of TCP’s adaptive behavior that can seriously reduce or inhibit the throughput of TCP flows. While most of the defensive methods are studied on the single network access link (router), the RoQ attack can not only launch on the single network link, but also attack towards several links or even entire network, which causes more severe consequences. In order to obtain a global perspective from the network and identify the attack, in this paper we propose a traffic anomaly analysis method to monitor, identify and locate the RoQ attack in backbone network on the basis of principal component analysis (PCA) and spectrum analysis techniques. Experimental results demonstrate that our method can analyze and find anomalies in the traffic from several downstream links in backbone network, and also locate and identify the RoQ attacks accurately. Meanwhile, our method can significantly reduce the computation and complexity as it only needs to analyze local traffic data about anomalous links.

Key words: network security, anomaly detection, reduction of quality (RoQ) attack, principal component analysis (PCA), spectrum analysis

中图分类号: