Research On Probabilistic Packet Marking Based On DoS Trace Route

Posted on: 2011-09-05
Degree: Master
Type: Thesis
Country: China
Candidate: H L Zhang
GTID: 2178360308958128
Subject: Computer system architecture
Abstract/Summary:
Packet marking was introduced in 1999 by Burch and Cheswick as a way to reconstruct attack paths. Packet marking techniques are divided into fixed probability packet marking and adaptive probability packet marking. Both have shortcomings: fixed probability packet marking is weak in security and easily attacked in transit; the router load is relatively heavy when fixed probability packet marking is used to fill the ID field; beyond a certain distance the number of false positives increases significantly and affects correct path reconstruction; and with adaptive probability packet marking the ID field in the IP header is also easily overwritten. To address these drawbacks of PPM and APPM, this thesis proposes two different types of probabilistic packet marking together with two corresponding coding techniques. The primary work and achievements of this thesis are as follows.

Firstly, two coding schemes based on Autonomous System (AS) technology are proposed. A border router encoding scheme and a domain router encoding scheme are applied by the different routers on the attack path, and the border router encoding scheme can use either the ASN or the IP address depending on the situation. These schemes reduce the number of attack path reconstructions and increase the probability of discerning a tampered packet. However, some packets cannot be transmitted normally because the ID field in the IP header is overwritten.

Secondly, because the ID field is overwritten, another encoding scheme that uses the options in the IP header is proposed. This technique trades space for time when marking at the router and reconstructing attack paths; it reduces the excessive load on the marking router and eliminates the weakness of the overwritten ID field.

Thirdly, a convergence analysis and a false-positive analysis are derived for the proposed scheme. Performance is improved to a certain extent and the load of attack path reconstruction is reduced. In addition, because the AS is introduced, the attack path is divided into parts by the different ASes, which reduces the complexity of the reconstruction workload.

Finally, a simulation experiment was performed based on the proposed scheme. The experiments simulate the process of sending packets by encapsulating router nodes in C++ classes and processing the data flow. Every object of the router class is marked as either a border router or a domain router, and a different procedure is applied according to the router type. The experiments show that the convergence of path reconstruction and the load on the marking router are superior to those of other packet marking schemes.
Keywords/Search Tags:Packet marking, Probability, Autonomous System, Traceback