
Research on a Low-Memory Superpoint Detection Algorithm (一种低存储消耗的超点检测算法研究)

An Algorithm for Detecting Superpoints in Small Memory

【Author】 Wu Tiantian (吴甜甜)

【Supervisor】 Liu Weijiang (刘卫江)

【Author information】 Dalian Maritime University (大连海事大学), Computer Science and Technology, 2012, Master's thesis

【Abstract (Chinese original, translated)】 A superpoint is a destination IP (source IP) that connects to a large number of source IPs (destination IPs) within one measurement interval; real-time superpoint detection is of great importance for network security and management. Many security events in a network, such as distributed denial of service (DDoS) attacks, worms and port scans, share a similar behavioural signature: a source IP (destination IP) sends or receives a large number of connections from different destination IPs (source IPs). All of these events fall under the superpoint detection problem. Although some superpoint detection algorithms already exist, they either consume a large amount of memory or lack measurement accuracy. This thesis proposes a new superpoint detection algorithm, SuperpointTrap, whose most fundamental feature is low memory consumption, allowing it to run in fast, small memory (such as SRAM). Its effectiveness comes from a new data storage structure, the Cache. For each flow, only one bit in the Cache is used to record its information; the row of that bit is determined by the flow's source IP and the column by its destination IP. When the number of flows stored in the Cache for a host exceeds a threshold, the host is judged to be a superpoint, its source IP is output, and its information in the Cache is cleared, which makes room for later packets and also saves memory. To further reduce the algorithm's false negative rate, the thesis also proposes two improved algorithms, P-SuperpointTrap and BF-SuperpointTrap, and gives a theoretical analysis of all three. The three algorithms are evaluated experimentally on traces from different data sources. The results show that SuperpointTrap not only saves memory but also detects superpoints accurately and efficiently, and that, compared with SuperpointTrap, the two improved algorithms further reduce the false negative rate.

【Abstract】 A superpoint is a source IP (destination IP) that has communicated with a large number of distinct destinations (sources) during a measurement period. Detecting superpoints in real time is meaningful work for network security and management. Many network security incidents, e.g. distributed denial of service (DDoS) attacks, worms and port scans, share a similar behavioural characteristic: the source IP (destination IP) sends or receives a large number of connections from distinct destinations (sources). All such source or destination IPs are instances of superpoints. Although some algorithms for detecting superpoints already exist, they either do not bound their memory usage or do not deliver the desired accuracy. In this thesis, we propose a new algorithm for detecting superpoints called SuperpointTrap. The most essential advantage of SuperpointTrap is that it can work in a tight memory space. Its accuracy and efficiency come from a new data storage structure called Cache. For each flow, Cache uses only one bit to record its information; the row and column of this bit are determined by the source IP and destination IP respectively. When the number of flows recorded in Cache for a host exceeds the threshold, the host is considered a superpoint. This superpoint's information is then exported and the corresponding information in Cache is cleared, both to make room for the following packets and to save memory. To further reduce the false negative rate (FNR), we also propose two improved algorithms, P-SuperpointTrap and BF-SuperpointTrap, and analyse all three algorithms. We use different data sources to test our algorithms and adopt the false positive rate (FPR) and false negative rate (FNR) as evaluation metrics. The experimental results show that SuperpointTrap not only saves memory but also detects superpoints accurately and efficiently. The experimental comparison of SuperpointTrap with the two improved algorithms shows that the improved algorithms further reduce the false negative rate.
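The following is an added illustration of the Cache idea described in the abstract (one bit per flow, row chosen by source IP, column by destination IP, row exported and cleared once its bit count passes the threshold); it is not the thesis's own code, and the hash function, table sizes, threshold and trace are all assumptions chosen for the demo.

```python
import hashlib


def _slot(value: str, salt: bytes, modulus: int) -> int:
    """Map an IP string to a row or column index (assumed hash, not the thesis's)."""
    digest = hashlib.blake2b(salt + value.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % modulus


class SuperpointTrap:
    """Bit-matrix Cache: rows indexed by source IP, columns by destination IP."""

    def __init__(self, rows: int = 1024, cols: int = 4096, threshold: int = 64):
        self.rows, self.cols, self.threshold = rows, cols, threshold
        self.cache = [0] * rows     # each row is an int used as a bitmap of `cols` bits
        self.counts = [0] * rows    # number of bits currently set in each row

    def memory_bytes(self) -> int:
        """Whole Cache footprint: one bit per (row, column) cell."""
        return self.rows * self.cols // 8

    def observe(self, src: str, dst: str):
        """Record one flow; return src when its row crosses the threshold, else None."""
        r = _slot(src, b"row", self.rows)
        bit = 1 << _slot(dst, b"col", self.cols)
        if self.cache[r] & bit:
            return None                      # repeated flow: already counted once
        self.cache[r] |= bit
        self.counts[r] += 1
        if self.counts[r] > self.threshold:
            self.cache[r] = 0                # export the host and clear its row
            self.counts[r] = 0
            return src
        return None


def run_trace(threshold: int = 64) -> set:
    """Constructed trace: 20 hosts with 3 peers each, one host fanning out to 500 peers."""
    trap = SuperpointTrap(threshold=threshold)
    flows = [(f"10.0.1.{i}", f"192.0.2.{j}") for i in range(1, 21) for j in range(1, 4)]
    flows += [("10.0.9.9", f"198.51.{k // 256}.{k % 256}") for k in range(500)]
    reported = set()
    for src, dst in flows:
        hit = trap.observe(src, dst)
        if hit is not None:
            reported.add(hit)
    return reported
```

The normal hosts can never set more than 60 bits in total, so only the fanning-out host is reported; with the default sizes the entire Cache is 512 KiB, small enough for the fast, small memory the abstract targets.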

【Keywords】 Network measurement; Superpoints; Hash; IP flow
【Key words】 Network measurement; Superpoints; Hash; IP Flow