Design And Implementaion Of A Decision-Based Network Attack Blocking System

The astonishing growth and success of the Internet has changed the traditional basic services such as banking, transportation, medicine, education and national defense. Nowadays, these services are gradually replaced by cheaper and more effective applications based on the Internet. In the modern age, the world is highly dependent on the Internet, and the Internet is considered to be the global information society’s major infrastructure. Therefore, the availability of the services of the Internet is a key factor for the social economic growth. However, the Internet architecture has inherent weaknesses, and its infrastructure and services offer the possibility of attack. Denial of service attack is one of such attack, which becomes a huge threat to the network security.This paper designs and implements a decision-based network attack blocking system against denial of service attack, which aims at improving blocking accuracy and the security of the large-scale network, reducing the protection cost, and improving the overall defense capability. This paper summarizes the characteristics of denial of service attack, analyzes the advantages and defects of some existing defense mechanisms to figure out the difficulties and challenges of the system design, and further divides system functional requirements into the attack responding aspect and the attack blocking aspect. Based on the requirement division, the system is divided into an automatic responding and dec is ion-making subsystem and a distributed filtering subsystem. The automatic response and decision-making subsystem is used to accomplish the invasion response task. Based on the intrusion detection technology and the traceback technology, the subsystem is able to assess an intrusion event, and select the set of blocking nodes through topological analysis and cost-performance evaluation. The distributed filtering subsystem adopts a centralized filtering-router management mechanism and an adaptive packet-filtering method, which can ensure a secure, fast and efficient implementation of the blocking strategy. These two subsystems closely cooperate to accomplish the task of defeating the denial of service attack. Finally, we deploy the system into a testing network, simulate the attack environment and verify the overall defense capability of the implemented system.