【作者】 叶茜；

【导师】 张基温；

【作者基本信息】 江南大学 ， 计算机应用技术， 2007， 硕士

【摘要】 网络在人类社会生活中的应用越来越广泛和重要,Internet已经把人们的学习、工作和生活紧密地联系在一起,但其中潜在的安全问题也越来越严峻,各种攻击手段层出不穷。其中拒绝服务攻击(DoS,Denial of Service)以其攻击范围广、隐蔽性强、简单有效、破坏性大和难以防御等特点成为最常见的网络攻击技术之一。尤其分布式拒绝服务攻击(DDoS,Distributed Denial of Service)其破坏性更大,严重威胁着Internet的安全,受到这种攻击的损失是无法计量的。为其建立有效的防御机制是当前维护网络安全的重要目标之一。首先研究了DoS攻击和DDoS攻击的技术原理、攻击手段以及典型的DDoS攻击工具,而后对DDoS攻击检测防御方法的研究现状进行了分析;在此基础上,采用攻击树分析方法,从整体性和系统性出发给出了DDoS攻击的攻击树模式,并使用Object-Z语言进行对其进行形式化描述,为DDoS攻击的分析、检测和防御提供参考;接着从ISP(InternetService Provider)域的角度,引入移动Agent技术和整合防御方法的思想,探索构建了基于移动Agent的DDoS防御模型,详细设计了防御模型中的移动Agent组成元件;移动Agent技术使防御模型本身也具有了一定的抗DDoS攻击能力,而整合监控、过滤、追踪等多种防御方法的思想避免了单一防御方法的局限性,同时也具有良好的可扩展性;随后采用逻辑推理的方法从理论上证明基于移动Agent的DDoS防御模型可以有效地防御分布式拒绝服务攻击,另外,编写的移动Agent原型程序验证了移动Agent技术在构建DDoS防御模型中的技术可行性。最后指出了以后研究工作的努力方向。更多还原

【Abstract】 The network is more and more widespread and important in the human society life. Work and life have been closely connected by Internet. However, with the development and popularity of Internet, network security has become a hot issue. And different kinds of means of attacks emerged endlessly, among which DoS (Denial of Service) attacks become one of the common network attack techniques by the characteristics, such as extensive area, strong concealment, simpleness and efficiency, hard to defense and great destroy, etc. Especially, DDoS (Distributed Denial of Service) attacks are greatly threatening Internet, since their greater destroy. The losing was immeasurable while under such attack. So it is a very important target in the network security field to establish more effective defense mechanism against DDoS attack.Firstly, the principle and means of Dos and DDoS attacks are analyzed, and the some kinds of DDoS attacks are discussed. The current situation of the research of the technology of detection, defense of DDoS attacks is studied. Attack tree is adopted to model the Distributed Denial of Service attack. Then, Object-Z language, a formal depict attack language, is used to depict the sub-term of the attack tree model in detail to guide the analysis, detection and defense of the DDoS attack. In succession, form the view of ISP (Internet Service Provider) domain, adopting the technology of mobile agent and the idea of integrated method, a DDoS defense model based on mobile agent is exploringly put forward. The elements of the mobile agent in defense model are designed in detail. The technology of mobile agent enable the defense model itself has the ability to defense DDoS attacks. And the idea of integrating flow monitoring, traffic filtering and traceback schemes breaks through the limitation of the single defense method. Subsequently, the definite ability against DDoS attacks of the model is proved by theories analyzing. Moreover, mobile agent programs are developed to prove the feasibility of using mobile agent in the model. Finally, the future research work is presented.更多还原