Internet Security Mechanism Based On Dynamic Path Identification

Posted on: 2010-06-30
Degree: Master
Type: Thesis
Country: China
Candidate: X X Du
GTID: 2178360272479384
Subject: Computer application technology

Abstract/Summary:
Denial-of-Service (DoS) attacks, and especially Distributed Denial-of-Service (DDoS) attacks, are becoming a major threat to network security. Because of deficiencies in the original design of the TCP/IP protocols, the openness of the Internet, and the distributed nature of attackers, preventing and eliminating such attacks is very difficult. How to defend against Internet DoS attacks has therefore become a critical question in network security. This thesis carries out research on that problem. Our main contributions are summarized as follows:

Based on static path identification technology, a dynamic path identification scheme, RFPi, is presented. A router generates a marking of dynamic length according to the TTL value of the current packet. The scheme makes the most effective use of the identification field and scales better in deployment.

To improve the ability to distinguish malicious packets from legitimate ones, a multi-stage learning and filtering method is adopted. Once Pi is in place, the multi-stage learning and filtering program can pick out the mixed packets for a further round of learning. After several stages of learning, the multi-stage learning and filtering method differentiates malicious and legitimate packets more effectively.

Attackers often disguise their source IP address through IP spoofing, which makes defense difficult. This thesis proposes using a history-based database of IP addresses and Pi values (IPPiD) to reinforce defense systems, and describes how to deploy the systems and set their parameters. Statistical analysis was applied to optimize the system's characteristic values and marking values. IPPiD not only saves search time and storage space but also reduces the response time to attacks.

Finally, a large amount of actual Internet topology data was used to validate the presented schemes. The experimental results show that the acceptance ratio gap of the multi-stage learning and filtering method increased by 10% to 15% compared with the two-stage learning and filtering program. Meanwhile, the RFPi scheme identifies and filters malicious packets effectively and achieves better defense performance than previous similar schemes.
Keywords/Search Tags: Internet Security, DDoS Attacks and Defense, Packet Marking, Path Identification, Identify and Filter Malicious Packets