论文字数:8599,页数:38
有开题报告,任务书 此份为英文写作
摘
要
拒绝服务攻击(Denial of Service,
DoS)是指阻止合法用户使用正常网络服务的攻击。近年来,拒绝服务攻击事件层出不穷,常常中断一些xx站点与服务器的正常服务,扰乱正常网络行为,造成巨大经济损失。
已有的基于统计的DoS攻击检测技术无法适应实时检测要求;基于误用的入侵检测系统如Snort未考虑DoS攻击的特点,无法达到{zh0}的检测性能。
本文提出了一种基于特征匹配的DoS攻击检测技术。通过分析几种典型的DoS攻击例如
Smurf和SYN Flooding与几种流行的DoS攻击工具例如Tribal Flood
Network和Trin00,提取DoS攻击特征,并将这些特征表示成与Snort相兼容的形式。本文分析了两种入侵检测中的模式匹配算法:Boyer-Moore
算法与Aho-Corasick算法,并结合DoS攻击的特点,提出了AC
算法的一种改进算法——反向AC算法,实验表明反向AC算法有更高的匹配性能,但需消耗更多内存。
本文设计并实现了DoS攻击检测系统原型,并采用DARPA
2000入侵检测评估数据集对系统进行评估。评估结果表明,原型达到98%的检测率与20%的误警率。本文的未来工作是提取更完整的DoS攻击特征,降低原型的误警率。
关键词: 入侵检测;拒绝服务攻击;特征匹配
A DoS Attack Detection Technology Based on Signature
Matching
Abstract
DoS attacks prevent legitimate user of network
from using normal network services. In recent years, DoS attacks
emerge in endlessly. They break off the services of some famous
sites and network servers; interrupt the normal network behavior,
result in great financial loss.
Currently, Statistic based DoS attack detection
approaches are not adopted for the real-time detection. Misuse
based Intrusion Detection Systems such as Snort are designed
without considering the characteristic of DoS attack, thus they can
not achieve the best performances.
This paper develops a DoS attack detection
technology based on signature matching. By analyzing different
kinds of DoS attacks such as Smurf and SYN Flooding, and various
DoS attack tools such as Tribal Flood Network and Trin00, we
extract the attack signatures of DoS. Then these signatures are
expressed according to the forms compatible with Snort. We analyze
two pattern matching algorithms: Boyer-Moore algorithm and
Aho-Corasick algorithm. Then, combining with the characteristics of
DoS attacks, we propose an improved algorithm on AC algorithm,
named Reversed AC algorithm. Our experimental results show that the
Reversed AC algorithm has better performance and consumes a bit
more memories.
We design and implement our system prototype and
conduct some experiments with DARPA 2000 intrusion evaluation
dataset. Our experimental results show that our prototype has
detection rate with 98% and false alarm rate with 20%. Our future
work is to extract more complete DoS attack signatures to decrease
the false alarm rate of our prototype.
Key Words: Intrusion Detection; Denial of
Service; Signature Matching
Contents
1 Introduction 1
1.1 Background 1
1.2 Related Work 1
1.3 Research Content and
Scope 2
1.4 Paper Structure 3
2 DoS Attacks Overview 4
2.1 Typical DoS Attacks 4
2.1.1 ICMP Flooding 4
2.1.2 TCP Flooding 4
2.1.3 UDP Flooding 5
2.1.4 Summary 5
2.2 Popular DoS Attacks
Tools 5
2.2.1 Tribal Flood
Network 6
2.2.2 Trin00 6
2.2.3 TFN2K 6
2.2.4 Stacheldraht 6
2.3 DoS Attack Signature
Extracting 6
2.3.1 Signature
Construction 6
2.3.2 Signature
Extracting 8
2.3.3 Signatures
Expression 9
3 Pattern Matching
Algorithms 10
3.1 Boyer-Moore
Algorithm 10
3.2 Aho-Corasick
Algorithm 11
3.3 Improvement of Aho-Corasick
Algorithm 12
3.4 Performance Analysis 15
4 System Prototype Design and
Implementation 17
4.1 System Architecture 17
4.2 System Prototype Design and
Implementation 18
4.2.1 Packet Capture 18
4.2.2 Packet Decode 19
4.2.3 Signature Engine 20
4.2.4 Detection Engine 22
4.2.5 Visual Alert 23
5 Experimental
Evaluation 26
5.1 Detection Rate 26
5.2 False Alarm Rate 27
5.3 Performance 28
5.4 Summary 28
6 Conclusion 30
Acknowledgements 31
References 32
以上为本篇论文部分内容,有需要完整论文的网友可参阅 <<>> 也可直接通过QQ:136775125联系.更多相关论文请点击查找.
