Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks

Master's thesis === National Taiwan University of Science and Technology === Department of Information Management === 103 === Network monitoring approaches have been proposed and developed throughout the years. However, the packet-based approach cannot easily be performed at high speeds, so researchers started investigating an alternative, the flow-based approach. In the architecture of typical flow monitoring, packets are aggregated into flows, which are stored in a flow cache for further analysis. However, the flow cache size is fixed. When network attacks such as flooding attacks occur, the flow cache easily overflows, so flow records are not expired consistently, which degrades the accuracy of the subsequent data analysis. This thesis proposes two flow cache replacement policies, SA-MRU (Size Aware-Most Recently Used) and SA-LRU (Size Aware-Least Recently Used), based on observations of the flow characteristics of many network attacks. They evict the most and the least recently used flow records, respectively, and give small flows (number of packets ≤ 2) higher priority to be retained, so that the flows that matter for intrusion detection stay in the cache. In the simulation, the traffic used contains background traffic and a SYN flooding DDoS attack. The results show that SA-MRU and SA-LRU achieve 4%~5% lower false positives (FP) and 1%~2% lower false negatives (FN) than Least Recently Used (LRU) cache replacement. SA-MRU and SA-LRU achieve similar performance, but SA-LRU has a higher hit ratio than SA-MRU.

Bibliographic Details
Main Authors: Shang-Ting Tsai, 蔡尚庭
Other Authors: Yuan-Cheng Lai
Format: Others
Language: zh-TW
Published: 2015
Online Access: http://ndltd.ncl.edu.tw/handle/67987822495899340514
id ndltd-TW-103NTUS5396091
record_format oai_dc
spelling ndltd-TW-103NTUS5396091 2016-11-06T04:19:40Z http://ndltd.ncl.edu.tw/handle/67987822495899340514 Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks 在發生洪水攻擊時保留可疑資料流的快取置換法 Shang-Ting Tsai 蔡尚庭 Master's thesis, National Taiwan University of Science and Technology, Department of Information Management, 103 (abstract as given in the record above) Yuan-Cheng Lai 賴源正 2015 thesis 27 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
author2 Yuan-Cheng Lai
author_facet Yuan-Cheng Lai
Shang-Ting Tsai
蔡尚庭
author Shang-Ting Tsai
蔡尚庭
spellingShingle Shang-Ting Tsai
蔡尚庭
Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
author_sort Shang-Ting Tsai
title Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
title_short Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
title_full Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
title_fullStr Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
title_full_unstemmed Maintaining Suspicious Flows using Cache Replacement under Flooding Attacks
title_sort maintaining suspicious flows using cache replacement under flooding attacks
publishDate 2015
url http://ndltd.ncl.edu.tw/handle/67987822495899340514