Institutional Repository of the Institute of Software, Chinese Academy of Sciences
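Title:
Research on Network Congestion Control and Defense Strategy against DDoS Attacks (网络拥塞控制及DDoS攻击防范策略研究)
Author: 王秀利
Defense date: 2007-06-05
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of conferral: Institute of Software
Degree: Doctoral
Keywords: congestion control; active queue management; particle swarm optimization; resource regulation; distributed denial of service
Alternative title: Research on Network Congestion Control and Defense Strategy against DDoS Attacks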
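Abstract: As the limited resources of the network are shared by more and more users, network congestion becomes more severe. Congestion control is therefore essential to the stable operation of the network. However, even if all links and flows use congestion control mechanisms, persistent congestion can still occur, and one cause is denial-of-service attacks. This thesis studies network congestion control and defense strategies against DDoS (Distributed Denial of Service) attacks. Its main original contributions are as follows:
(1) Network congestion control lies at the intersection of computer science, optimization theory and control theory. The key questions in designing a congestion control algorithm are how to generate feedback information and how to respond to it. Building on a systematic analysis of current congestion control algorithms and targeting the problems of existing algorithms, this thesis applies optimization theory and control theory to network congestion control and, from different research perspectives, proposes three new Active Queue Management (AQM) algorithms:
① To address the slow response of the PI (Proportional-Integral) algorithm, the thesis proposes DITAE-PID (Proportional-Integral-Differential), a new AQM algorithm based on D-stable regions and the ITAE (Integral of Time-weighted Absolute Error) criterion. A set of desired D-stable regions is specified in the complex plane, and the controller parameters are found by a numerical optimization algorithm so that all characteristic roots of the closed-loop system lie within the D-stable regions, which reduces queuing delay and increases goodput. The advantages of DITAE-PID are that it can predict congestion in advance and control it effectively, it is faster than the PI controller, it has good dynamic performance, and it has no steady-state error in the steady state.
② To address the poor performance of existing algorithms in large-delay network environments, the thesis analyzes the TCP/AQM model based on fluid-flow theory and improves it; the improved TCP/AQM model includes the delay term ignored by the simplified model. Based on the improved model, an AQM algorithm for large-delay network environments is proposed. Its advantages are that it performs better in large-delay network environments, has better robustness and disturbance rejection, and still performs well when the network environment changes.
③ Network congestion control is in essence an optimization problem. From the perspective of global optimization, the thesis combines Particle Swarm Optimization (PSO) with control system design and proposes the PSO-PID AQM algorithm. By simulating swarm intelligence and the dynamic behavior of animal foraging, the particles representing the PID controller parameters gradually move toward the optimal region until the best controller parameters are obtained. Its advantages are that it is simple and fast, has a short settling time and small overshoot, and is robust.
(2) To address the problem that existing DDoS defense methods can only defend against one particular kind of attack, the thesis proposes a defense strategy based on congestion control and resource regulation, implemented cooperatively by the router side and the victim side. The router side applies pushback based on the improved ACC (Improved Aggregate-based Congestion Control) algorithm, mainly to defend against bandwidth-exhaustion attacks; the victim side applies resource regulation, mainly to defend against resource-exhaustion attacks. The advantage of this strategy is distributed detection and filtering, which can effectively defend against almost all DDoS attacks, including bandwidth-exhaustion and resource-exhaustion attacks.
In addition, to validate the performance of the new algorithms, the thesis extends the functionality of the NS2 network simulator.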
English abstract: Networks have become severely congested as restricted resources are shared by more and more users. Thus, congestion control plays a very important role in keeping the Internet stable. However, even when all links and all flows are using congestion control, persistent congestion can still occur. One reason for this is Denial of Service (DoS) attacks. In this thesis, network congestion control and a defense strategy against Distributed Denial of Service (DDoS) attacks are studied. The main original research works are as follows:
(1) Network congestion control is an interdisciplinary field including computer science, optimization theory, and control theory. The feedback control strategy plays a pivotal role in designing algorithms. To solve the problems of the existing algorithms, optimization and control theory are applied to the design of Active Queue Management (AQM) algorithms, and three novel AQM algorithms are proposed from different viewpoints:
① To solve the problem of slow response in the Proportional-Integral (PI) algorithm, the DITAE-PID algorithm is proposed by applying a novel optimization method to design a Proportional-Integral-Differential (PID) controller with D-stable regions based on the Integral of Time-weighted Absolute Error (ITAE) performance criterion. A set of desired D-stable regions in the complex plane is first specified, and then a numerical optimization algorithm based on ITAE performance is run to find the controller parameters such that all the roots of the closed-loop system are within the specified regions. DITAE-PID can detect and control congestion effectively and predictively. Compared with the PI algorithm, DITAE-PID improves the dynamic response and eliminates the steady-state error.
② To solve the problem of poor performance of the current algorithms in large-delay networks, a dynamic TCP/AQM model based on fluid flow theory is analyzed and improved. The improved model includes the delay term ignored by the previous simplified version. Based on the improved model, a novel AQM algorithm is proposed. It is more efficient and robust in large-delay networks. Moreover, it can achieve the desired performance in various network scenarios.
③ The essence of congestion control is optimization. Based on the improved TCP/AQM model, a novel algorithm applying Particle Swarm Optimization (PSO) to efficiently tune the PID controller parameters is proposed. The particles representing controller parameters move to the optimal region through simulation of colony intelligence in order to search for the optimal controller parameters. The advantages of PSO-PID are its relative simplicity, robustness, and stable convergence characteristics with good computational efficiency.
(2) To solve the problem that the existing defense methods are ineffective against the common DDoS attacks, a novel defense strategy against DDoS attacks based on congestion control and resource regulation is proposed. The router cooperates with the victim in implementing the defense strategy. Pushback based on the Improved Aggregate-based Congestion Control (IACC) algorithm is applied at the router in order to defend against bandwidth consumption attacks. Resource regulation is applied at the victim in order to defend against resource consumption attacks. Through distributed detection and filtering, the novel strategy can effectively defend against the common DDoS attacks, including bandwidth consumption and resource consumption attacks.
In addition, the functionality of the Network Simulator (NS2) is extended to validate the novel algorithms.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/6950
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name / File Size | Content Type | Version | Access | License
10001_200418015029021王秀利_paper.pdf (1183KB) | -- | -- | Restricted access | -- (contact to obtain full text)

Recommended Citation:
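王秀利. Research on Network Congestion Control and Defense Strategy against DDoS Attacks (网络拥塞控制及DDoS攻击防范策略研究) [D]. Institute of Software. Institute of Software, Chinese Academy of Sciences. 2007-06-05.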
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 
