云计算中基于SAPA的DoS攻击防御方法

doi:10.11959/j.issn.1000-436x.2017079

通信学报 ›› 2017, Vol. 38 ›› Issue (4): 129-139.doi: 10.11959/j.issn.1000-436x.2017079

云计算中基于SAPA的DoS攻击防御方法

岳猛,李坤,吴志军

中国民航大学电子信息与自动化学院，天津 300300

修回日期:2017-02-16 出版日期:2017-04-01 发布日期:2017-07-20
作者简介:岳猛（1984-），男，河北沧州人，天津大学博士生，中国民航大学讲师，主要研究方向为网络安全、云计算。|李坤（1989-），男，新疆奎屯人，中国民航大学硕士生，主要研究方向为网络与信息安全。|吴志军（1965-），男，河南固始人，博士，中国民航大学教授、博士生导师，主要研究方向为网络与信息安全。
基金资助:
国家自然科学基金资助项目(61601467);国家自然科学基金资助项目(U1533107);国家自然科学基金资助项目(U1433105);中央高校基本科研业务费基金资助项目(3122016D005)

SAPA-based approach for defending DoS attacks in cloud computing

Meng YUE,Kun LI,Zhi-jun WU

School of Electronic Information and Automation,Civil Aviation University of China,Tianjin 300300,China

Revised:2017-02-16 Online:2017-04-01 Published:2017-07-20
Supported by:
The National Natural Science Foundation of China(61601467);The National Natural Science Foundation of China(U1533107);The National Natural Science Foundation of China(U1433105);Fundamental Research Funds for the Central Universities of CAUC(3122016D005)

摘要/Abstract

摘要：

拒绝服务（DoS,denial of service）攻击是云计算平台面临的主要安全威胁之一。安全访问路径算法（SAPA,security access path algorithm）通过节点路由表（NRT,node route table）合成安全路径，简化了传统安全覆盖网服务（SOS,secure overlay services）的角色节点，并采用周期性更新角色节点以及缓存安全访问路径的策略。SAPA更适用于云计算平台防御DoS攻击。基于云计算泛联路由架构，建立SAPA的数学模型并对其性能进行理论分析。通过OMNeT++实验平台测试SAPA的性能，并将实验场景扩展到Test-bed平台来评估SAPA对DoS攻击的防御效果。实验结果表明，相较于SOS方法，SAPA能够更有效地降低DoS攻击对通信成功率的影响，并保证足够小的访问延时。

关键词: 云计算, DoS攻击, 安全访问路径算法, 防御

Abstract:

Denial of service (DoS) attack was one of the major threats to cloud computing.Security access path algorithm (SAPA) used node route table (NRT) to compose security access path.It simplified role nodes of traditional secure overlay services (SOS),and periodically updated role nodes,and cached security access paths.Therefore,SAPA was more appropriate for cloud computing to defend DoS attacks.Based on the turn routing architecture of cloud computing,the mathematical model of SAPA was built and its performance was analyzed in theory.The performance of SAPA was tested in OMNeT++ experimental platform.Also,the Test-bed experiments were performed to evaluate the effectiveness of SAPA for defending DoS attack.Experimental results show that comparing with SOS,SAPA can degrade the impact of communication success rate caused by DoS attack effectively,and guarantees the access delay small enough.

Key words: cloud computing, DoS attack, secure access path algorithm, defense

中图分类号:

TP393.08

岳猛,李坤,吴志军. 云计算中基于SAPA的DoS攻击防御方法[J]. 通信学报, 2017, 38(4): 129-139.

Meng YUE,Kun LI,Zhi-jun WU. SAPA-based approach for defending DoS attacks in cloud computing[J]. Journal on Communications, 2017, 38(4): 129-139.

图/表 10

图1

图2

图3

图4

图5

图6

图7

图8

图9

表1

参考文献 19

[1]	CHANG R K C . Defending against flooding-based distributed denial-of-service attacks:a tutorial[J]. IEEE Communications Magazine, 2002,40(10): 42-51.
[2]	CHONKA A , XIANG Y , ZHOU W L ,et al. Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks[J]. Journal of Network and Computer Applications, 2011,34(4): 1097-1107.
[3]	YU S , TIAN Y H , GUO S ,et al. Can we beat DDoS attacks in clouds?[J]. IEEE Transactions on Parallel and Distributed Systems, 2014,25(9): 2245-2254.
[4]	GIRMA A , GARUBA M , LI J ,et al. Analysis of DDoS attacks and an introduction of a hybrid statistical model to detect ddos attacks on cloud computing environment[C]// 12th International Conference on Information Technology-New Generations. 2015: 212-217.
[5]	OSANAIYE O A , DLODLO M . TCP/IP header classification for detecting spoofed DDoS attack in Cloud environment[C]// EUROCON 2015 International Conference on Computer as a Tool. 2015: 1-6.
[6]	LIU Z G , YIN X C , LEE H J . A new network flow grouping method for preventing periodic shrew DDoS attacks in cloud computing[C]// 2016 18th International Conference on Advanced Communication Technology (ICACT). 2016: 66-69.
[7]	韩志杰, 段晓阳 . 基于云计算平台的防御拒绝服务攻击方法[J]. 信息化研究, 2011,37(5): 67-69.
	HAN Z J , DUAN X Y . Defense strategy of denial of service attacks based on cloud computing platform[J]. Informatization Research, 2011,37(5): 67-69.
[8]	韩伟 . 基于 Hadoop 云计算平台下 DDoS 攻击防御研究[D]. 太原:太原科技大学, 2011.
	HAN W . DDoS attack defense research based on Hadoop cloud computing platform[D]. Taiyuan:Taiyuan University of Science and Technology, 2011.
[9]	吴志军, 崔奕, 岳猛 . 基于虚拟散列安全访问路径VHSAP的云计算路由平台防御DDoS攻击方法[J]. 通信学报, 2015,36(1): 1-8.
	WU Z J , CUI Y , YUE M . VHSAP-based approach of defending against DDoS attacks for cloud computing routing platforms[J]. Journal on Communications, 2015,36(1): 1-8.
[10]	KEROMYTIS A D , MISRA V , RUBENSTEIN D . SOS:secure overlay services[C]// The 2002 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications. 2002.
[11]	KEROMYTIS A D , MISRA V , RUBENSTEIN D . SOS:an architecture for mitigating DDoS attacks[J]. IEEE Journal on Selected Areas in Communications, 2004,22(1): 176-187.
[12]	卢国强 . 云计算环境下的泛联路由平台[J]. 信息安全与技术, 2010(8): 106-108.
	LU G Q . Tum routing platform in cloud computing[J]. Information Security and Technology, 2010(8): 106-108.
[13]	STOICA I , MORRIS R,LIBEN-NOWELL D ,et al. Chord:a scalable peer-to-peer lookup protocol for internet applications[J]. IEEE/ACM Transactions on Networking, 2003,11(1): 17-32.
[14]	刘孟 . 云环境下 DDoS 攻击攻防体系及其关键技术研究[D]. 南京:南京大学, 2016.
	LIU M . Architecture of DDoS attacks defense in cloud environment and its key technology[D]. Nanjing:Nanjing University, 2016.
[15]	ZOLTAN F , PETER F , STEFAN L ,et al. Performance analysis of IPsec in mobile IPv6 scenarios[C]// The 16th IST Mobile and Wireless Communication Summit. 2007: 1-5.
[16]	KHALED S , KHALID E , RAOUF B . Performance modeling and analysis of network firewalls[J]. IEEE Transactions on Network and Service Management, 2012,9(1): 12-21.
[17]	LIU M , DOU W C , YU S ,et al. A decentralized cloud firewall framework with resources provisioning cost optimization[J]. IEEE Transactions on Parallel and Distributed Systems, 2015,26(3): 621-631.
[18]	MOREIN W G , STAVROU A , COOK D L ,et al. Using graphic turning tests to counter automated DDoS attacks against Web servers[C]// The 10th ACM Conference on Computer and Communications Security. 2003: 8-19.
[19]	ANGELOS S , DEBRA L C , WILLIAM G M ,et al. WebSOS:an overlay-based system for protecting Web servers from denial of service attacks[J]. Journal of Computer Networks, 2005,48(5): 781-807.

方法	无DoS攻击/（次·秒^-1）	有DoS攻击（/ 次·秒^-1）
SOS（OMNeT++）	4 667	3 209
SAPA（OMNeT++）	7 299	6 582
SOS（Test-bed）	4 459	3 071
SAPA（Test-bed）	7 024	6 344

云计算中基于SAPA的DoS攻击防御方法

SAPA-based approach for defending DoS attacks in cloud computing

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 19

相关文章 15

Metrics

推荐阅读 0

[1]	马玲, 樊漆亮, 许婷, 郭冠琛, 张圣林, 孙永谦, 张玉志. 基于强化学习的在线离线混部云环境下的调度框架[J]. 通信学报, 2023, 44(6): 90-102.
[2]	刘盈泽, 郭渊博, 方晨, 李勇飞, 陈庆礼. 基于有限理性的网络防御策略智能规划方法[J]. 通信学报, 2023, 44(5): 52-63.
[3]	周大成, 陈鸿昶, 何威振, 程国振, 扈红超. 基于深度强化学习的微服务多维动态防御策略研究[J]. 通信学报, 2023, 44(4): 50-63.
[4]	陈晋音, 熊海洋, 马浩男, 郑雅羽. 基于对比学习的图神经网络后门攻击防御方法[J]. 通信学报, 2023, 44(4): 154-166.
[5]	张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44.
[6]	周大成, 陈鸿昶, 程国振, 何威振, 商珂, 扈红超. 面向持久性连接的自适应拟态表决器设计与实现[J]. 通信学报, 2022, 43(6): 71-84.
[7]	贾洪勇, 潘云飞, 刘文贺, 曾俊杰, 张建辉. 基于高阶异构度的执行体动态调度算法[J]. 通信学报, 2022, 43(3): 233-245.
[8]	冯智斌, 徐煜华, 杜智勇, 刘鑫, 李文, 韩昊, 张晓博. 对抗智能干扰的主动防御技术[J]. 通信学报, 2022, 43(10): 42-54.
[9]	陈晋音, 胡书隆, 邢长友, 张国敏. 面向智能渗透攻击的欺骗防御方法[J]. 通信学报, 2022, 43(10): 106-120.
[10]	杨毅宇, 周威, 赵尚儒, 刘聪, 张宇辉, 王鹤, 王文杰, 张玉清. 物联网安全研究综述：威胁、检测与防御[J]. 通信学报, 2021, 42(8): 188-205.
[11]	仝青, 郭云飞, 霍树民, 王亚文, 蔄羽佳, 张凯. 自适应的时空多样性联合调度策略设计[J]. 通信学报, 2021, 42(7): 12-24.
[12]	王化群, 刘哲, 何德彪, 李继国. 公有云中身份基多源IoT终端数据PDP方案[J]. 通信学报, 2021, 42(7): 52-60.
[13]	徐潇雨, 胡浩, 张红旗, 刘玉岭. 基于深度确定性策略梯度的随机路由防御方法[J]. 通信学报, 2021, 42(6): 41-51.
[14]	朱正彬, 刘勤让, 刘冬培, 王崇. 拟态多执行体调度算法研究进展[J]. 通信学报, 2021, 42(5): 179-190.
[15]	马博林, 张铮, 刘浩, 邬江兴. SQLMVED：基于多变体执行的SQL注入运行时防御系统[J]. 通信学报, 2021, 42(4): 127-138.