大规模网络下面向复杂DoS攻击的可扩展性增强的高效防御方法研究

The sophisticated Denial-of-Service (DoS) attack poses a novel severe threat to the security in the Internet. In the large scale networks, due to the new characteristics of sophisticated DoS attacks (e.g., the multiple attack vectors, the various stealth means, the loose management pattern, the large-sized attack scale), the existing approaches for defending against DoS attacks cannot be applicable for such upgraded attack, which may cause the severe loss of leigitimate service requests, the higher false negative rate in attack flow filtering and the serious network performance degradation along with the extention of defense scale. Hence, it is imperative to find a novel defense approach for sophisticated DoS attacks to improve the efficiency and scalability in the practical application. The study focuses on the two key scientific problems, i.e., the high-efficiency and scalability of sophisticated DoS defense. By studying the key approaches, such as the hierarchical anti-spoofing alliance construction approach based on egress filtering, the precise rate-limiting threshold selection algorithm based on attack-defense game model, the precise intra-domain single packet IP traceback approach based on adaptive parameter estimation, the scalable attack flow blocking approach based on the filtering resource optimization, the study proposes a scalable and efficient approach for defending against sophisticated DoS attacks in large scale networks. The proposed approach can provide important theoretical foundation and technical support for improving the construction of Internet security cooperative defense platform, and thus to meet the requirements of both the victim and internet service provider.

复杂拒绝服务（简称复杂DoS）攻击是一种极具威胁的新型攻击。在大规模网络环境中，由于对复杂DoS攻击的攻击向量多样、隐身手段多变、管理模式松散、攻击规模庞大等新增特征准备不足，导致已有防御方法在抵抗复杂DoS攻击时存在攻击漏报率高、正常请求难以保障、网络性能随防御规模增大而损害严重等问题。因此，需要研究一种新的旨在提升高效性和可扩展性的面向复杂DoS攻击的防御方法。本项目围绕复杂DoS防御的高效性和可扩展性两个关键科学问题，通过对：1）层次化的基于出口边界过滤的反匿名联盟构建；2）高精度的基于攻防博弈模型的限速阈值选取；3）精确的基于自适应参数估计的域内单包溯源；4）可扩展的基于过滤资源优化的攻击流阻断等核心算法的研究，提出一种大规模网络下面向复杂DoS攻击的可扩展性增强的高效防御方法，为深化和完善网络安全协同防御平台提供重要理论依据和技术支持，使它能同时满足受害者和网络服务提供商的需求。

由于复杂拒绝服务（简称复杂DoS）的攻击向量多样、隐身手段多变、管理模式松散、攻击规模庞大等特征，它的防御方法比较其他常规网络攻击的防御方法而言，具有不可比拟的复杂性。面向复杂DoS的网络安全协同防御系统不仅要满足受害者的需求，在不影响正常服务请求的条件下清洗掉所有攻击流，还要顾虑网络服务提供商（Internet Service Provider，简称ISP）的服务质量，使网络传输性能不因防御系统的广泛部署而明显地降低。因此，高效性和可扩展性就成为网络安全协同防御系统研究的关键内容之一。研究项目借助轻量、已商业化的防御平台，通过设计层次化反匿名联盟构建方法、基于博弈模型的防御阈值选取算法、低存储、高精度的单包溯源方法、基于过滤资源优化的攻击流阻断方法，解决了传统方法在抵抗复杂DoS攻击时带来的正常请求难以保障、攻击漏报率高、网络性能随防御规模扩大而损害严重等问题，提出了一套面向复杂DoS攻击的可扩展性增强的高效防御方法。研究项目同时向云审计安全协议、区块链的智能合约安全检测和隐私保护策略、机会网络的安全路由策略等相关研究领域进行了研究扩展，也取得了一定的成果。

内容获取失败，请点击重试