{"title":"基于防火墙性能分析的网络挑战识别策略","authors":"Andrés F. Ocampo, N. Gaviria","doi":"10.1109/CCST.2013.6922069","DOIUrl":null,"url":null,"abstract":"In this papper, we study a resource starvation challenge caused by low rate DoS (Denial of Service)-DDoS (Distributed DoS) attacks targeting the last-matching rules of the firewall's security policy. Our onset challenge detection mechanisms considers a CPU utilization threshold to keep track of firewall processing performance. In this way, when this threshold is reached, an initial alarm of the occurrence of an attack is triggered. Such a methodology enable to deploy an strategy of impact mitigation. Initial remediation actions against challenges are then considered once the detection part is performed, it includes the temporary swap of the most likely last-rule matched, in order to improve the system performance. We evaluate our strategy through simulations performed in Network Simulator 2, results show the performance of this scheme when subjected to normal traffic flows as well as DoS and DDoS attack flows.","PeriodicalId":243791,"journal":{"name":"2013 47th International Carnahan Conference on Security Technology (ICCST)","volume":"2 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A network challenge identification strategy based on firewall performance analysis\",\"authors\":\"Andrés F. Ocampo, N. Gaviria\",\"doi\":\"10.1109/CCST.2013.6922069\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this papper, we study a resource starvation challenge caused by low rate DoS (Denial of Service)-DDoS (Distributed DoS) attacks targeting the last-matching rules of the firewall's security policy. Our onset challenge detection mechanisms considers a CPU utilization threshold to keep track of firewall processing performance. In this way, when this threshold is reached, an initial alarm of the occurrence of an attack is triggered. Such a methodology enable to deploy an strategy of impact mitigation. Initial remediation actions against challenges are then considered once the detection part is performed, it includes the temporary swap of the most likely last-rule matched, in order to improve the system performance. We evaluate our strategy through simulations performed in Network Simulator 2, results show the performance of this scheme when subjected to normal traffic flows as well as DoS and DDoS attack flows.\",\"PeriodicalId\":243791,\"journal\":{\"name\":\"2013 47th International Carnahan Conference on Security Technology (ICCST)\",\"volume\":\"2 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 47th International Carnahan Conference on Security Technology (ICCST)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CCST.2013.6922069\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 47th International Carnahan Conference on Security Technology (ICCST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CCST.2013.6922069","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
摘要
本文研究了针对防火墙安全策略最后匹配规则的低速率DoS (Denial of Service)-DDoS (Distributed DoS)攻击所造成的资源饥饿挑战。我们的启动挑战检测机制考虑CPU利用率阈值来跟踪防火墙处理性能。这样,当达到该阈值时,就会触发攻击发生的初始告警。这种方法有助于部署减轻影响的战略。一旦执行检测部分,就会考虑针对挑战的初始补救措施,它包括最可能匹配的最后规则的临时交换,以提高系统性能。我们通过在Network Simulator 2中进行的仿真来评估我们的策略,结果显示了该方案在受到正常流量以及DoS和DDoS攻击流时的性能。
A network challenge identification strategy based on firewall performance analysis
In this papper, we study a resource starvation challenge caused by low rate DoS (Denial of Service)-DDoS (Distributed DoS) attacks targeting the last-matching rules of the firewall's security policy. Our onset challenge detection mechanisms considers a CPU utilization threshold to keep track of firewall processing performance. In this way, when this threshold is reached, an initial alarm of the occurrence of an attack is triggered. Such a methodology enable to deploy an strategy of impact mitigation. Initial remediation actions against challenges are then considered once the detection part is performed, it includes the temporary swap of the most likely last-rule matched, in order to improve the system performance. We evaluate our strategy through simulations performed in Network Simulator 2, results show the performance of this scheme when subjected to normal traffic flows as well as DoS and DDoS attack flows.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
