以封包標注為基礎之分散式阻絕服務攻擊封包過濾及阻塞之近似最佳化聯防策略

Chun-Wei FanChiang; 范姜竣韋

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/45391

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	林永松(Yeong-Sung Ling)
dc.contributor.author	Chun-Wei FanChiang	en
dc.contributor.author	范姜竣韋	zh_TW
dc.date.accessioned	2021-06-15T04:17:39Z	-
dc.date.available	2010-12-29
dc.date.copyright	2009-12-29
dc.date.issued	2009
dc.date.submitted	2009-12-12
dc.identifier.citation	References [1] D. McPherson, C. Labovitz, “Worldwide Infrastructure Security Report,” Vol. IV, Arbor Networks, 2008 [2] K.Y. Yau, F. Liang and C.S. Lui, ”On Defending Against Distributed Denial-of-Service Attacks with Server-centric Router Throttles,” CERIAS Tech Report, 2001. [3] W. Stallings, Cryptography and Network Security, 4th Edition, 2006. [4] R. Richardson, “2008 CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, 2008 [5] K.E. Defrawy, A. Markopoulou and K. Argyraki, “Optimal Allocation of Filters Against DDoS Attacks,” Information Theory and Applications Workshop, pp.140-149, 2007. [6] S. Savage, D.Wetherall, A. Karlin, and T. Anderson, “Network support for IP traceback,” ACM/IEEE Trans. Networking, Vol. 9, No. 3, pp. 226–237, Jun. 2001. [7] A. Belenky, N. Ansari, “IP Trackback With Deterministic Packet Marking”, IEEE Communication Letters, Vol. 7, No. 4, Apr, 2003. [8] R. Shokri, A. Varshovi, H. Mohammadi, N. Yazdani, and B. Sadeghian, “DDPM: Dynamic Deterministic Packet Marking for IP Traceback,” IEEE International Conference on Networks, Vol. 2, pp.1-6, Sep, 2006. [9] J.M. Park, R. Marchany, R.L. Chen, “A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks,” IEEE Transactions on Parallel and Distributed Systems, Vol. 18, No. 5, pp. 577-588, May, 2007. [10] H. Lee and K. Park, “On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack,” in Proc. IEEE INFOCOM, pp. 338–347, Apr, 2001. [11] J Liu, Z-J Lee, and Y-C Chung, “Dynamic probabilistic packet marking for efficient IP traceback,” the 11th IEEE International Conference on Networks, pp. 475-480, Oct, 2003. [12] M. T. Goodrich, “Probabilistic Packet Marking for Large-Scale IP Traceback,” IEEE/ACM Transactions on Networking, Vol. 16, No. 1, Feb, 2008 [13] Information Sciences Institute University of Southern California, “Internet Protocol,” RFC791, Sep, 1981. [14] I. Stoica and H. Zhang, “Providing Guaranteed Services Without Per Flow Management,” in Proceedings of the 1999 ACM SIGCOMM Conference, pp. 81–94, Aug, 1999. [15] W. Richard Stevens, “TCP/IP Illustrated Vol. 1, The Protocols,” Addison-Wesley. [16] K.T. Law, C.S. Lui, K.Y. Yau, “An Effective Statistical Methodology to Trace Back DDoS Attackers,” IEEE Transactions on Parallel and Distributed Systems, Vol. 16, No. 9, Sep, 2005 [17] V.R. Westmark, “A Definition for Information System Survivability,” IEEE Proc.of the 37th Hawaii International Conference on System Sciences, Vol. 9, 2004 [18] R.J. Ellison, D.A. Fisher, R.C. Linger, H.F. Lipson, T.A. Longstaff, and N.R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, Software Engineering Institute, Carnegie Mellon University, Nov, 1997 (Revised: May 1999). [19] M.L. Fisher, “An Application Oriented Guide to Lagrangean Relaxation,” Interfaces, Vol. 15, No. 2, pp. 10-21, Apr, 1985. [20] J. Mirkovic and P. Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communications Review, Vol. 34, No. 2, pp. 39-54, Apr, 2004. [21] D. Magoni and J.J. Pansiot, “Analysis of the Autonomous System Network Topology,” ACM SIGCOMM Computer Communication Review, Vol. 31, No. 3, pp. 26-37, July, 2001. [22] M.L. Fisher, “The Lagrangean Relaxation Method for Solving Integer Programming Problems,” Management Science, Vol. 27, No. 1, pp. 1-18, Jan, 1981. [23] Z. Zeitlin, “Integer Allocation Problems of Min-Max Type with Quasiconvex Separable Functions,” Operations Research, Vol. 29, No. 1, pp. 207-211, Feb, 1981. [24] A.M. Geoffrion, “Lagrangean Relaxation and its Use in Integer Programming,” Mathematical Programming Study, Vol. 2, pp. 82-114, 1974.
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/45391	-
dc.description.abstract	近年來，分散式阻絕服務攻擊成為網際網路服務最大的威脅之一，在分散式阻絕服務攻擊發生時，大量的惡意攻擊封包消耗絕大部分的網路頻寬與網路伺服器之資源，致使合法的使用者無法存取服務。對此類攻擊我們提出一個由網路服務提供者與應用服務提供者合作以封包標注為基礎結合封包過濾與封包阻塞之聯合防禦策略。藉由封包標注以觀察、紀錄網路的使用狀況，做為網路流量異常增加時的參考資訊；當攻擊發生時便可依此參考資訊採取封包過濾－在邊界路由器過濾攻擊流量；或利用封包阻塞策略－在防禦者端進行阻塞，緩解分散式阻絕服務攻擊。在本論文中，我們將防禦分散式阻絕服務攻擊之攻防情境轉換成一個雙層的數學規劃問題。在內層問題中，防禦者利用有限的防禦資源最大化受分散式阻絕服務攻擊之合法流量；在外層問題則描述攻擊者分配其有限的攻擊資源最小化合法流量。為求得此問題之最佳解，我們將採用以拉格蘭日鬆弛法為基礎的演算法處理內層問題，並利用次梯度法為基礎的演算法處理外層問題。	zh_TW
dc.description.abstract	In recent years, DDoS has become one of the acute threaten to the Internet. During the DDoS attack, huge amount of attack traffic not only heavily consumes the network bandwidth but seriously depletes the victim server’s key resource, which, for the legitimate user, leads to service inaccessibility. To defense against this type of attack, joint defense strategies are proposed, requiring the cooperation between the ISP and the ASP, which combine packet marking, packet filtering strategy and packet blocking policy. With packet marking the approximation of legitimate traffic of each time zone could be observed and recorded. Once the aggregate traffic increases abnormally, the amount of attack traffic can be calculated and a near optimal filtering and blocking strategy for defense can be developed. In the thesis, the DDoS attack-defense scenario is modeled as a two level mathematical programming problem. In the inner problem, the defender strategically utilizes the limited resource to maximize the legitimate traffic. In the outer problem, the attacker tries to allocate its attack resource to minimize the legitimate traffic. A Lagrangean relaxation-based algorithm is proposed to solve the inner problem, and a subgradient-based heuristic algorithm is proposed to solve the outer problem.	en
dc.description.provenance	Made available in DSpace on 2021-06-15T04:17:39Z (GMT). No. of bitstreams: 1 ntu-98-R96725041-1.pdf: 4101089 bytes, checksum: 47fc0df36e9bdebb8d33e5777632e138 (MD5) Previous issue date: 2009	en
dc.description.tableofcontents	謝誌 I 論文摘要 III THESIS ABSTRACT V Table of Content VII List of Tables IX List of Figures XI Chapter 1.Introduction 1 1.1 Background 1 1.2 Motivation 7 1.3 Literature Survey 9 1.3.1 DDoS Attacks 9 1.3.2 Packet Marking Scheme 10 1.3.3 Survivability 13 1.4 Proposed Approach 16 1.5 Thesis Organization 18 Chapter 2 Problem Formulation of the ARACTS and the PPM-FRABS Models 19 2.1 Problem Description 19 2.2 Problem Formulation of the ARACTS Model 22 2.3 Problem Formulation of the PPM-FRABS Model 34 Chapter 3 Solution Approach 40 3.1 Solution Approach for the PPM-FRABS Model 40 3.1.1 Lagrangean Relaxation Method 40 3.1.2 Lagrangean Relaxation 44 3.1.3 The Dual Problem and Subgradient Method 51 3.1.4 Getting Primal Feasible Solutions 53 3.2 Solution Approach for the ARACTS Model 57 Chapter 4 Computational Results 61 4.1 Computational Experiments for the PPM-FRABS Model 61 4.1.1 Resource-Allocation Heuristic 61 4.1.2 Simple Algorithm 64 4.1.3 Experiment Environment 66 4.1.4 Experiment Results 68 4.1.5 Discussion of Results 75 4.2 Computational Experiments for the ARACTS Model 78 4.2.1 Counterpart Outer Heuristic for the ARACTS Model 78 4.2.2 Experiment Environment 81 4.2.3 Experiment Results 83 4.2.4 Discussion of Results 91 Chapter 5 Conclusion and Future Work 93 5.1 Conclusion 93 5.2 Future Work 95 References 97
dc.language.iso	en
dc.subject	封包標注	zh_TW
dc.subject	分散式阻絕服務攻擊	zh_TW
dc.subject	封包過濾	zh_TW
dc.subject	封包阻塞	zh_TW
dc.subject	數學規劃	zh_TW
dc.subject	最佳化	zh_TW
dc.subject	拉格蘭日鬆弛法	zh_TW
dc.subject	Distributed-Denial-of-Service (DDoS)	en
dc.subject	Blocking	en
dc.subject	Filtering	en
dc.subject	Optimization and Lagrangean Relaxation	en
dc.subject	Mathematical Programming	en
dc.subject	Packet Marking	en
dc.title	以封包標注為基礎之分散式阻絕服務攻擊封包過濾及阻塞之近似最佳化聯防策略	zh_TW
dc.title	Near-optimal Joint Defense Strategies against DDoS Attacks Based upon Packet Filtering and Blocking Enabled by Packet Marking Mechanism	en
dc.type	Thesis
dc.date.schoolyear	98-1
dc.description.degree	碩士
dc.contributor.oralexamcommittee	林盈達(Ying-Dar Lin),呂俊賢(Chun-Hsien Lu),鐘嘉德(Char-Dir Chung),傅新彬(Hsin-Pin Fu)
dc.subject.keyword	分散式阻絕服務攻擊,封包標注,封包過濾,封包阻塞,數學規劃,最佳化,拉格蘭日鬆弛法,	zh_TW
dc.subject.keyword	Distributed-Denial-of-Service (DDoS),Filtering,Blocking,Packet Marking,Mathematical Programming,Optimization and Lagrangean Relaxation,	en
dc.relation.page	100
dc.rights.note	有償授權
dc.date.accepted	2009-12-14
dc.contributor.author-college	管理學院	zh_TW
dc.contributor.author-dept	資訊管理學研究所	zh_TW
顯示於系所單位：	資訊管理學系

文件中的檔案：

檔案	大小	格式
ntu-98-1.pdf 未授權公開取用	4 MB	Adobe PDF

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。