Signature-Matching-Based Denial of Service Attack Detection Technology (English-language thesis)
Original document posted by member usactu
About 43,000 characters, 38 pages
Includes the thesis proposal report and the task statement
Abstract (Chinese original, translated)
A denial-of-service (DoS) attack is an attack that prevents legitimate users from using normal network services. In recent years, DoS attack incidents have occurred one after another, frequently interrupting the normal services of well-known sites and servers, disrupting normal network behaviour and causing huge economic losses.
Existing statistics-based DoS attack detection techniques cannot meet real-time detection requirements; misuse-based intrusion detection systems such as Snort do not take the characteristics of DoS attacks into account and so cannot achieve the best detection performance.
This thesis proposes a DoS attack detection technique based on signature matching. By analysing several typical DoS attacks, such as Smurf and SYN flooding, and several popular DoS attack tools, such as Tribal Flood Network and Trin00, it extracts DoS attack signatures and expresses them in a form compatible with Snort. The thesis analyses two pattern matching algorithms used in intrusion detection, the Boyer-Moore algorithm and the Aho-Corasick (AC) algorithm, and, drawing on the characteristics of DoS attacks, proposes an improved version of the AC algorithm, the Reversed AC algorithm. Experiments show that the Reversed AC algorithm has higher matching performance but consumes more memory.
The thesis designs and implements a prototype DoS attack detection system and evaluates it on the DARPA 2000 intrusion detection evaluation dataset. The evaluation shows that the prototype achieves a 98% detection rate and a 20% false alarm rate. Future work is to extract more complete DoS attack signatures and reduce the prototype's false alarm rate.
Keywords: intrusion detection; denial of service; signature matching
A DoS Attack Detection Technology Based on Signature Matching
Abstract
DoS attacks prevent legitimate users of a network from using normal network services. In recent years, DoS attacks have emerged endlessly; they break off the services of some famous sites and network servers, interrupt normal network behaviour, and result in great financial loss.
Currently, statistics-based DoS attack detection approaches are not suited to real-time detection. Misuse-based intrusion detection systems such as Snort are designed without considering the characteristics of DoS attacks, so they cannot achieve the best performance.
This paper develops a DoS attack detection technology based on signature matching. By analyzing different kinds of DoS attacks such as Smurf and SYN Flooding, and various DoS attack tools such as Tribal Flood Network and Trin00, we extract the attack signatures of DoS. These signatures are then expressed in forms compatible with Snort. We analyze two pattern matching algorithms: the Boyer-Moore algorithm and the Aho-Corasick (AC) algorithm. Then, combining them with the characteristics of DoS attacks, we propose an improved algorithm based on the AC algorithm, named the Reversed AC algorithm. Our experimental results show that the Reversed AC algorithm has better performance and consumes a bit more memory.
We design and implement our system prototype and conduct experiments with the DARPA 2000 intrusion detection evaluation dataset. Our experimental results show that our prototype has a detection rate of 98% and a false alarm rate of 20%. Our future work is to extract more complete DoS attack signatures to decrease the false alarm rate of our prototype.
Key Words: Intrusion Detection; Denial of Service; Signature Matching
Contents
1 Introduction 1
1.1 Background 1
1.2 Related Work 1
1.3 Research Content and Scope 2
1.4 Paper Structure 3
2 DoS Attacks Overview 4
2.1 Typical DoS Attacks 4
2.1.1 ICMP Flooding 4
2.1.2 TCP Flooding 4
2.1.3 UDP Flooding 5
2.1.4 Summary 5
2.2 Popular DoS Attacks Tools 5
2.2.1 Tribal Flood Network 6
2.2.2 Trin00 6
2.2.3 TFN2K 6
2.2.4 Stacheldraht 6
2.3 DoS Attack Signature Extracting 6
2.3.1 Signature Construction 6
2.3.2 Signature Extracting 8
2.3.3 Signatures Expression 9
3 Pattern Matching Algorithms 10
3.1 Boyer-Moore Algorithm 10
3.2 Aho-Corasick Algorithm 11
3.3 Improvement of Aho-Corasick Algorithm 12
3.4 Performance Analysis 15
4 System Prototype Design and Implementation 17
4.1 System Architecture 17
4.2 System Prototype Design and Implementation 18
4.2.1 Packet Capture 18
4.2.2 Packet Decode 19
4.2.3 Signature Engine 20
4.2.4 Detection Engine 22
4.2.5 Visual Alert 23
5 Experimental Evaluation 26
5.1 Detection Rate 26
5.2 False Alarm Rate 27
5.3 Performance 28
5.4 Summary 28
6 Conclusion 30
Acknowledgements 31
References 32