因特网防御DoS攻击技术评述Ⅰ--攻击分类与特征·包过滤·攻击检测与防御

概述了因特网上DoS攻击的相应分类及基本特征，评述了包过滤、攻击检测及防御技术的最新成果．前一部分介绍了入口过滤、基于路由的过滤网和有效源地址强制协议．后一方面主要讨论了适合于检测攻击包的技术，介绍了新近提出的频谱分析方法和泛滥检测系统．简要评述了已有的防御SYN泛滥攻击的技术措施，介绍了Cisco的TCP拦截技术，提出了改进策略．     

一体化标识网络映射缓存DoS攻击防范方法研究

为了抵御一体化标识网络中接入路由器可能遭受的映射缓存DoS攻击,本文提出了一种基于双门限机制的映射缓存DoS攻击防范方法.该方法设计了一种基于迭代思想的谜题机制降低映射缓存中映射信息条目的增加速率,并采用了映射信息可信度算法识别和过滤映射缓存中恶意的映射信息条目.仿真实验与性能分析表明,该方法能够有效地抵御映射缓存DoS攻击,防止映射缓存溢出.     

内容中心网络的DoS攻击研究

“内容中心网络”(Content Centric Networking,CCN)是未来互联网架构体系群中极具前景的架构之一。CCN的核心思想在于内容命名,即用户不需要根据数据的地址而仅根据数据的名字来获取目标内容。在设计上,CCN是一种基于拉(pull-based)的网络,即用户为了获取相应的内容,必须向网络发送一个兴趣包(Interest)以便获取同名数据包(Data),也就是说CCN是一个用户驱动的网络。安全对任何一种网络架构来说,都是不容忽视的一个问题,其中,拒绝服务攻击(DoS)是TCP/IP网络中最为常见的攻击手法之一,这里研究了CCN中常见的DoS攻击,并提出了具有针对性的解决方案。     

抗DoS攻击的多用户传感器网络广播认证方案

在vBNN-IBS签名基础上提出了一种抗DoS攻击的多用户传感器网络广播认证方案DDA-MBAS,利用散列运算及用户信息进行虚假数据过滤。与现有的多用户传感器网络广播认证方案相比,DDA-MBAS在抵抗节点妥协攻击、主动攻击的基础上,以较低的能耗过滤虚假消息并有效地限制了妥协用户发起的DoS攻击及共谋攻击的安全威胁。     

Dynamic and adaptive detection method for flooding in wireless sensor networks

In recent years, wireless sensor networks (WSNs) have attracted an increasing attention in several fields. However, WSNs must be treated with significant challenges in their design due to their special characteristics such as limited energy, processing power, and data storage that make the energy consumption saving a real challenge. Also, regarding their distributed deployment in open radio frequency and lack of physical security, these networks are vulnerable and exposed to several attacks: passive eavesdropping, active attacks, and identity theft. In this paper, we propose a new method called accordion method to detect and apprehend denial of service attacks in WSNs. This approach is a dynamic and an adaptive method based on using clustering method which allows electing control nodes that analyze the traffic inside a cluster and send warnings to the cluster head whenever an abnormal behavior is suspected or detected. The proposed method relies on the analysis of the evolution of the threshold messages (alerts) sent in the cluster. The proposed method has been evaluated, and the obtained numerical results show its benefit compared with other detection methods.     

无线传感器网络安全技术综述

详细阐述了传感器网络安全现状、面临的安全挑战及其需要解决的安全问题。从密钥管理、安全路由、认证、入侵检测、DoS攻击、访问控制方面讨论传感器网络的各种安全技术，并进行综合对比。希望通过这些说明和对比，能够帮助研究者为特定传感器网络应用环境选择和设计安全解决方案。最后总结和讨论传感器网络安全技术的研究方向。     

Measurements of degree of sensitization (DoS) in aluminum alloys using EMAT ultrasound

Sensitization in 5XXX aluminum alloys is an insidious problem characterized by the gradual formation and growth of beta phase (Mg₂Al₃) at grain boundaries, which increases the susceptibility of alloys to intergranular corrosion (IGC) and intergranular stress-corrosion cracking (IGSCC). The degree of sensitization (DoS) is currently quantified by the ASTM G67 Nitric Acid Mass Loss Test, which is destructive and time consuming. A fast, reliable, and non-destructive method for rapid detection and the assessment of the condition of DoS in AA5XXX aluminum alloys in the field is highly desirable. In this paper, we describe a non-destructive method for measurements of DoS in aluminum alloys with an electromagnetic acoustic transducer (EMAT). AA5083 aluminum alloy samples were sensitized at 100 °C with processing times varying from 7 days to 30 days. The DoS of sensitized samples was first quantified with the ASTM 67 test in the laboratory. Both ultrasonic velocity and attenuation in sensitized specimens were then measured using EMAT and the results were correlated with the DoS data. We found that the longitudinal wave velocity was almost a constant, independent of the sensitization, which suggests that the longitudinal wave can be used to determine the sample thickness. The shear wave velocity and especially the shear wave attenuation are sensitive to DoS. Relationships between DoS and the shear velocity, as well as the shear attenuation have been established. Finally, we performed the data mining to evaluate and improve the accuracy in the measurements of DoS in aluminum alloys with EMAT.     

A non‐repudiable negotiation protocol for security service level agreements

Security service level agreements (SSLAs) provide a systematic way for end users at home or in the office to guarantee sufficient security level when doing business or exchanging sensitive personal or organizational data with an online service. In this paper, we propose an SSLA negotiation protocol that implements non‐repudiation with cryptographic identities and digital signatures and includes features that make it resistant to denial of service attacks. The basic version of the protocol does not rely on the use of a trusted third party, and it can be used for all kinds of simple negotiations. For the negotiation about SSLAs, the protocol provides an option to use an external knowledge base that may help the user in the selection of suitable security measures. We have implemented a prototype of the system, which uses JSON Web Signature for the message exchange and made some performance tests with it. The results show that the computational effort required by the cryptographic operations of the negotiation protocol remains at a reasonable level. Copyright © 2014 John Wiley & Sons, Ltd.     

Modeling denial‐of‐service against pending interest table in named data networking

Named data networking (NDN) has attracted much attention on the design for next generation Internet architecture. Although it embeds some security primitives in its original architecture, it may suffer from denial‐of‐service (DoS) attacks. In this paper, we model one representative type of NDN‐specific DoS attacks named DoS against pending interest table (PIT), or DoS‐PIT, which floods malicious Interests that request nonexistent content to bypass cached content at routers and to exhaust the memory resource for PIT, bringing in severe service degradation. In our proposed analytical model, the closed‐form expressions for the DoS probability for users suffering DoS‐PIT are derived, while considering several important factors of NDN networks such as PIT size, time‐to‐live of each PIT entry, popularity of content, and cache size. Moreover, extensive simulation experiments demonstrate the accuracy of the proposed model on evaluating the damage effect of DoS‐PIT. In addition, the proposed model can be chosen to guide designing effective countermeasures for DoS‐PIT (or attacks with similar way to harm NDN) by properly setting the values of some parameters (e.g., cache size) of each NDN router. Copyright © 2013 John Wiley & Sons, Ltd.     

僵尸网络对互联网安全的威胁和治理措施

僵尸网络是指控制者通过传播恶意代码感染、控制与互联网相连接的计算机,从而形成的控制者和大量被感染主机之间的一个可一对多控制的网络。它可以控制大量僵尸主机实现分布式拒绝服务攻击、垃圾邮件发送、信息窃取等攻击目的。僵尸网络成为目前互联网发展的严重威胁,需要从法规条例、技术研究与实践、宣传教育、国际合作等方面加强对僵尸网络的治理,保证互联网的健康发展。