Bloom Filter-Based Method for Reproducing the Parameters of Large-Scale Abnormal TCP Connections
Authors:
Funding:

Supported by the National Grand Fundamental Research 973 Program of China under Grant No. 2003CB314804 (National Key Basic Research and Development Program (973)); the Key Project of the Chinese Ministry of Education under Grant No. 105084 (Key Science and Technology Research Project of the Ministry of Education); and the Jiangsu Provincial Key Laboratory of Network and Information Security under Grant No. BM2003201.

    Abstract (translated from the Chinese):

    A TCP count-balance metric derived from the uniqueness of TCP connections, together with its empirical range, is proposed for detecting large-scale TCP connection anomalies such as DDoS and scanning. A Bloom Filter Reproduction (BFR) method with a hash-enhancement algorithm is used to rapidly reproduce the parameters of large-scale abnormal TCP connections, such as the distribution of IP addresses and ports, so that TCP 5-tuple information need not be maintained during detection. Experimental results show that the method reveals multiple anomalies mixed together in network traffic with low resource consumption and high accuracy.

    Abstract:

    Large-scale TCP abnormal behavior, such as DDoS and scanning, can be detected by metrics, and their experimental value ranges, derived from the uniqueness of TCP connections. An algorithm named Bloom Filter Reproduction (BFR) is proposed to concisely reconstruct the original parameters of large-scale TCP abnormal behavior using enhanced simple hash functions. Without maintaining the 96-bit TCP 5-tuple per connection, the BFR algorithm can reconstruct abnormal parameters such as IP addresses or their aggregation in a timely manner during the detection process. The experiments show that BFR can disclose several abnormal behaviors mixed in network traffic at the same time with high precision and low overhead.

Cite this article

龚俭, 彭艳兵, 杨望, 刘卫江. Bloom Filter-based method for reproducing the parameters of large-scale abnormal TCP connections. Journal of Software (软件学报), 2006, 17(3): 434-444

Article metrics
  • Views: 4651
  • Downloads: 5736
  • HTML reads: 0
  • Citations: 0
History
  • Received: 2005-04-21
  • Last revised: 2005-10-08
Copyright: Institute of Software, Chinese Academy of Sciences