DDoS Attack-Defense Confrontation Evaluation Based on the Attack-Defense Game and Stochastic Petri Nets
Computer Systems & Applications (计算机系统应用), 2019, Vol. 28, Issue 1: 25-31

1. Naval Aeronautical University, Yantai 264001;
2. 107th Hospital of the People's Liberation Army, Yantai 264001

DDoS Attack and Defense Confrontation Evaluation Based on Attack and Defense Game and Stochastic Petri Net
LI Cheng-Yu1, QI Yu-Dong1, WANG Xiao-Hong2, SI Wei-Chao1
1. Naval Aeronautical University, Yantai 264001, China;
2. 107th Hospital of the People’s Liberation Army, Yantai 264001, China
Foundation item: Key Research and Development Program of Shandong Province (2016YJS02A01)
Abstract: To evaluate DDoS attack and defense behavior effectively, and thereby defend against DDoS attacks, this study first reviews the current state of research on DDoS attack-defense evaluation and then builds a DDoS attack-defense behavior confrontation net based on the stochastic Petri net, using the steady-state probabilities of the attack and defense states as the basis for evaluating attack and defense behavior. A method for solving the attack-defense game strategies, based on attack-defense game theory, is then proposed. Finally, a steady-state analysis of the DDoS attack-defense behavior confrontation net is carried out, and the payoff and the intensity of attack and defense behaviors are considered together in simulation and evaluation. The evaluation results show that the method is reasonable and targeted.
Key words: attack-defense game theory; stochastic Petri net; steady-state probability; DDoS attack-defense confrontation; evaluation

1 Introduction

2 DDoS Attack-Defense Behavior Confrontation Net Based on the Stochastic Petri Net

2.1 Related Definitions

The mixed strategies of the attacker and of the defender are probability distributions over the attack behaviors and the defense behaviors respectively:

$\pi^a = (\pi_1^a, \pi_2^a, \cdots, \pi_n^a),\quad \pi_1^a + \pi_2^a + \cdots + \pi_n^a = 1$
$\pi^d = (\pi_1^d, \pi_2^d, \cdots, \pi_m^d),\quad \pi_1^d + \pi_2^d + \cdots + \pi_m^d = 1$

(1) $N = \{N_a, N_d\}$, where $N_a$ denotes the attacker and $N_d$ the defender;

(2) $P = P_1 \cup P_2 \cup \cdots \cup P_n$ is the set of places, representing the states the two sides may be in;

(3) $T = A \cup D$ is the set of attack-defense behaviors (transitions), where $A = \{a_1, a_2, \ldots, a_n\}$ is the set of attack behaviors and $D = \{d_1, d_2, \ldots, d_m\}$ the set of defense behaviors;

(4) $F = I \cup O$ is the set of arcs, with $I \subseteq P \times T$ and $O \subseteq T \times P$; in addition $P \cap T = \varphi$ and $P \cup T \ne \varphi$, where $\varphi$ denotes the empty set;

(5) $\pi: T \to [0, 1]$ is the selection probability of an immediate transition, i.e. the probability that a given attack or defense behavior is chosen;

(6) $\lambda = \{\lambda_1, \lambda_2, \ldots, \lambda_n\}$ is the set of attack-defense behavior intensities (the firing rates of the timed transitions);

(7) $R: T \to \{R_1, R_2, \ldots, R_n\}$ gives the payoff obtained when an attack or defense behavior is executed.

2.2 Description of DDoS Attack and Defense Behaviors

2.2.1 Attack Behaviors

(1) TCP connection flood

A TCP connection flood attacks server resources during the connection establishment phase. Using a large number of controlled hosts, the attacker rapidly completes a large number of malicious TCP connections, filling the target server's connection table so that it can no longer accept new TCP connection requests, which achieves denial of service.

(2) SYN flood[7]

The SYN flood is the most classic denial-of-service attack. The attacker uses a large number of controlled hosts to send a large volume of TCP SYN segments, causing the server to open many half-open connections. These fill the server's connection table, preventing legitimate users from establishing sessions with the server and causing denial of service.

(3) Sockstress attack

Sockstress is a slow attack against TCP connections. When TCP transfers data, incoming segments are first held in the receive buffer, and the amount of free space in that buffer is advertised as the TCP window. A window size of 0 means the buffer is full: the sender stops sending data until the receiver advertises an updated window. Sockstress exploits this behavior to keep TCP connections (and the server state behind them) alive for a long time, achieving denial of service.
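As an added example (not code from the paper), the following Python snippet shows how the three mechanisms described above can be told apart in a server's own TCP connection table: a SYN flood as a pile of half-open (SYN-RECV) entries relative to the listen backlog, a connection flood as many established connections per peer, and Sockstress as established connections whose peer keeps advertising a zero window. The snapshot records, the addresses and all thresholds are constructed assumptions.

```python
"""Heuristic classification of the three DDoS behaviors of section 2.2.1 from a
server's TCP connection table (added example; records and thresholds are constructed
assumptions, not taken from the paper)."""
from collections import Counter

# Constructed snapshot of a server's connection table: (tcp_state, peer_ip, peer_window).
# peer_window is the receive window the remote side last advertised (0 = Sockstress-style).
SNAPSHOT = (
    [("SYN-RECV", f"198.51.100.{i}", 65535) for i in range(1, 61)]     # 60 half-open entries
    + [("ESTAB", f"203.0.113.{i % 20 + 1}", 65535) for i in range(300)]  # 15 full connections from each of 20 hosts
    + [("ESTAB", "192.0.2.7", 0)] * 40                                   # 40 connections stuck at a zero window
    + [("ESTAB", "192.0.2.9", 14600)] * 5                                # a normal client
)


def classify(snapshot, backlog=128, per_peer_established=10, zero_window_min=10):
    """Return the attack patterns whose mechanism is visible in the table.

    Thresholds are assumptions: `backlog` is the listen backlog (half-open capacity),
    `per_peer_established` the number of established connections from one peer that is
    considered abnormal, `zero_window_min` the number of established connections whose
    peer advertises a zero window before Sockstress is suspected."""
    half_open = sum(1 for state, _, _ in snapshot if state == "SYN-RECV")
    per_peer = Counter(peer for state, peer, _ in snapshot if state == "ESTAB")
    zero_window = sum(1 for state, _, win in snapshot if state == "ESTAB" and win == 0)

    findings = {}
    # SYN flood: half-open connections approach the backlog that the kernel keeps for them.
    if half_open >= backlog // 4:
        findings["syn_flood"] = half_open
    # Connection flood: a few peers hold an abnormal number of completed connections.
    heavy = {peer: count for peer, count in per_peer.items() if count >= per_peer_established}
    if heavy:
        findings["connection_flood"] = heavy
    # Sockstress: completed connections that never drain because the peer window stays 0.
    if zero_window >= zero_window_min:
        findings["sockstress"] = zero_window
    return findings


if __name__ == "__main__":
    for name, detail in classify(SNAPSHOT).items():
        print(f"{name}: {detail}")
```

The per-peer check is deliberately blind to the peer window, so a Sockstress source with many stuck connections is also reported as a connection flood; the two signals overlap in practice and both are worth keeping.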

2.2.2 Defense Behaviors

(1) Attack control (treatment at the source)[8,9]

(2) Attack mitigation (traffic scrubbing)[10]

2.3 DDoS Attack-Defense Behavior Confrontation Net

Fig. 1 Petri net of the attack behaviors

Fig. 2 Petri net of the defense behaviors

Fig. 3 DDoS attack-defense confrontation net

The meanings of the places and transitions of the DDoS attack-defense confrontation net are given in Table 1 and Table 2.

3 Method for Solving DDoS Attack-Defense Strategies Based on the Attack-Defense Game

$U^a(a_i, d_j)$ denotes the attacker's payoff function when the attacker takes behavior $a_i$ and the defender takes behavior $d_j$, and $U^d(d_j, a_i)$ the defender's payoff function for the same pair of behaviors. They are computed as follows:

$U^a(a_i, d_j) = R_i^a - R_j^d$
$U^d(d_j, a_i) = R_j^d - R_i^a$

For mixed strategies $\pi^a$ and $\pi^d$ the attacker's expected payoff is

$E(\pi^a, \pi^d) = \sum_{a_i \in A} \sum_{d_j \in D} \pi_i^a \pi_j^d U^a(a_i, d_j)$

Since $U^d = -U^a$, the game is zero-sum and the defender's expected payoff is $-E$. A strategy profile $(\pi^{a*}, \pi^{d*})$ is a mixed-strategy Nash equilibrium if neither side can gain by deviating unilaterally, i.e. for every $\pi^a$ and every $\pi^d$:

(1) $E(\pi^{a*}, \pi^{d*}) \geqslant E(\pi^a, \pi^{d*})$

(2) $E(\pi^{a*}, \pi^{d*}) \leqslant E(\pi^{a*}, \pi^d)$

(the defender minimizes the attacker's expected payoff, so the second inequality runs opposite to the first).

(1) Input the payoffs of all attack and defense behaviors of both sides:

$R_1^a, R_2^a, \cdots, R_n^a$
$R_1^d, R_2^d, \cdots, R_m^d$

(2) From the payoff functions $U^a(a_i, d_j)$ and $U^d(d_j, a_i)$, compute the attack-defense game matrix $\mathbf{B}$:

$\mathbf{B} = \left[ \begin{array}{cccc} (U^a(a_1,d_1), U^d(d_1,a_1)) & (U^a(a_1,d_2), U^d(d_2,a_1)) & \cdots & (U^a(a_1,d_m), U^d(d_m,a_1)) \\ (U^a(a_2,d_1), U^d(d_1,a_2)) & (U^a(a_2,d_2), U^d(d_2,a_2)) & \cdots & (U^a(a_2,d_m), U^d(d_m,a_2)) \\ \vdots & \vdots & & \vdots \\ (U^a(a_n,d_1), U^d(d_1,a_n)) & (U^a(a_n,d_2), U^d(d_2,a_n)) & \cdots & (U^a(a_n,d_m), U^d(d_m,a_n)) \end{array} \right]$

(3) Enter the game matrix into the Gambit software and compute the Nash equilibrium of the attack-defense strategies with Gambit's QRE (quantal response equilibrium) tool.

(4) Output the Nash equilibrium $(\pi^{a*}, \pi^{d*})$ of the DDoS attack-defense confrontation strategies.
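The procedure above, worked through in Python as an added example (not the paper's code and not Gambit): `R_A` and `R_D` are constructed sample payoffs, `game_matrix()` builds $\mathbf{B}$ from the page's payoff formulas, `nash_zero_sum_two_cols()` computes the exact mixed-strategy Nash equilibrium of an n × 2 zero-sum game (the defender here has two behaviors, as in section 4.2), and `logit_qre()` is a simplified fixed-point stand-in for Gambit's QRE tool, which instead traces the QRE branch in λ by homotopy. Only the standard library is used.

```python
"""Attack-defense game of section 3 (added example; stdlib only).
R_A / R_D are constructed sample payoffs (assumption). U^a(a_i,d_j) = R_i^a - R_j^d and
U^d = -U^a follow the page's formulas, so the game is zero-sum."""
from fractions import Fraction
from itertools import combinations
import math

R_A = [5, 7, 9]  # constructed payoffs of a1 (TCP connection flood), a2 (SYN flood), a3 (Sockstress)
R_D = [6, 8]     # constructed payoffs of d1 (attack control), d2 (attack mitigation)


def game_matrix(r_a, r_d):
    """Bimatrix B[i][j] = (U^a(a_i,d_j), U^d(d_j,a_i))."""
    return [[(ra - rd, rd - ra) for rd in r_d] for ra in r_a]


def attacker_payoffs(B):
    """Attacker's part of the bimatrix, U^a as a plain matrix."""
    return [[cell[0] for cell in row] for row in B]


def expected_payoff(pi_a, pi_d, u):
    """E(pi^a, pi^d) = sum_i sum_j pi_i^a pi_j^d U^a(a_i, d_j)."""
    return sum(pi_a[i] * pi_d[j] * u[i][j] for i in range(len(pi_a)) for j in range(len(pi_d)))


def dominant_row(u):
    """Index of a row that strictly dominates every other row, or None."""
    for i, row in enumerate(u):
        if all(all(x > y for x, y in zip(row, other)) for k, other in enumerate(u) if k != i):
            return i
    return None


def nash_zero_sum_two_cols(u):
    """Exact Nash equilibrium of an n x 2 zero-sum game: rows (attacker) maximize u,
    columns (defender) minimize it. Against the defender mix (q, 1-q) row i earns
    f_i(q) = q*u[i][0] + (1-q)*u[i][1]. The defender minimizes the convex upper envelope
    max_i f_i(q), whose minimum lies at q=0, q=1 or where two rows' lines cross."""
    u = [[Fraction(x) for x in row] for row in u]
    n = len(u)
    slope = [row[0] - row[1] for row in u]

    def f(i, q):
        return q * u[i][0] + (1 - q) * u[i][1]

    def envelope(q):
        return max(f(i, q) for i in range(n))

    candidates = [Fraction(0), Fraction(1)]
    for i, k in combinations(range(n), 2):
        if slope[i] != slope[k]:
            q = (u[k][1] - u[i][1]) / (slope[i] - slope[k])
            if 0 <= q <= 1:
                candidates.append(q)
    q = min(candidates, key=envelope)
    value = envelope(q)
    active = [i for i in range(n) if f(i, q) == value]
    pos = [i for i in active if slope[i] > 0]
    neg = [i for i in active if slope[i] < 0]
    zero = [i for i in active if slope[i] == 0]
    p = [Fraction(0)] * n
    if zero:                 # a flat active row: the attacker plays it pure
        p[zero[0]] = Fraction(1)
    elif pos and neg:        # interior crossing: mix the two rows so the defender is indifferent
        i, k = pos[0], neg[0]
        p[i] = -slope[k] / (slope[i] - slope[k])
        p[k] = slope[i] / (slope[i] - slope[k])
    else:                    # boundary optimum: pure best response to the defender's pure column
        p[(pos or neg)[0]] = Fraction(1)
    return p, [q, 1 - q], value


def softmax(xs):
    m = max(xs)
    w = [math.exp(x - m) for x in xs]
    return [x / sum(w) for x in w]


def logit_qre(u_a, lam, iters=1000, tol=1e-12):
    """Logit quantal response equilibrium of the zero-sum game (defender payoff = -u_a)
    by damped fixed-point iteration; a simplified substitute for Gambit's QRE tool."""
    n, m = len(u_a), len(u_a[0])
    pi_a, pi_d = [1.0 / n] * n, [1.0 / m] * m
    for _ in range(iters):
        ua = [sum(pi_d[j] * u_a[i][j] for j in range(m)) for i in range(n)]
        ud = [-sum(pi_a[i] * u_a[i][j] for i in range(n)) for j in range(m)]
        qa, qd = softmax([lam * x for x in ua]), softmax([lam * x for x in ud])
        new_a = [(x + y) / 2 for x, y in zip(pi_a, qa)]
        new_d = [(x + y) / 2 for x, y in zip(pi_d, qd)]
        delta = max(abs(x - y) for x, y in zip(pi_a + pi_d, new_a + new_d))
        pi_a, pi_d = new_a, new_d
        if delta < tol:
            break
    return pi_a, pi_d


if __name__ == "__main__":
    U = attacker_payoffs(game_matrix(R_A, R_D))
    p, q, v = nash_zero_sum_two_cols(U)
    print("dominant attack row:", dominant_row(U))
    print("Nash: pi_a* =", [str(x) for x in p], "pi_d* =", [str(x) for x in q], "value =", v)
    print("logit QRE (lambda = 0.5):", logit_qre(U, 0.5))
```

One consequence of the page's payoff function is worth checking before trusting any solver output: because $U^a(a_i,d_j) - U^a(a_k,d_j) = R_i^a - R_k^a$ does not depend on $j$, the attack behavior with the largest $R^a$ strictly dominates the others (likewise for the defender), `dominant_row()` finds it, and the exact Nash equilibrium is pure (here $a_3$ against $d_2$, value 1). A fully mixed profile such as the one reported in section 4.2 is what the logit QRE yields at finite λ; for these separable payoffs its quantal responses reduce to softmax(λR^a) and softmax(λR^d), independent of the opponent's mix, so such a profile is a bounded-rationality model rather than a Nash equilibrium of the matrix.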

4 Steady-State Analysis and Simulation Evaluation

4.1 Steady-State Analysis

Fig. 4 Isomorphic Markov chain

4.2 Simulation Evaluation

Fig. 5 Computed Nash equilibrium of the attack-defense strategies

$\pi^{a*} = (0.0612, 0.2180, 0.7278)$
$\pi^{d*} = (0.3333, 0.6667)$

Solving the isomorphic Markov chain gives the steady-state probabilities of the states involved:

$p(S_3) = 0.0545,\ p(S_2) = 0.09706,\ p(S_1) = 0.06481$
$p(S_{12}) = 0.00908,\ p(S_{11}) = 0.06481$
$p(S_9) = 0.03235,\ p(S_{10}) = 0.12943$
$p(S_8) = 0.32405,\ p(S_7) = 0.21605$

Normalizing the steady-state probabilities within each group of competing transitions gives the selection probability of each immediate transition:

$\pi_{t1} = \dfrac{p(S_3)}{p(S_3) + p(S_2) + p(S_1)}$
$\pi_{t2} = \dfrac{p(S_2)}{p(S_3) + p(S_2) + p(S_1)}$
$\pi_{t3} = \dfrac{p(S_1)}{p(S_3) + p(S_2) + p(S_1)}$
$\pi_{t7} = \dfrac{p(S_{12})}{p(S_{12}) + p(S_{11})}$
$\pi_{t8} = \dfrac{p(S_{11})}{p(S_{12}) + p(S_{11})}$
$\pi_{t9} = \dfrac{p(S_9)}{p(S_9) + p(S_{10})}$
$\pi_{t10} = \dfrac{p(S_{10})}{p(S_9) + p(S_{10})}$
$\pi_{t11} = \dfrac{p(S_8)}{p(S_8) + p(S_7)}$
$\pi_{t12} = \dfrac{p(S_7)}{p(S_8) + p(S_7)}$

This yields the attack behavior selection probabilities actually exhibited by the net, and the defense selection probabilities against each of the three attack behaviors, which are compared with the Nash equilibrium obtained from the game:

$\pi^{a'} = (0.2519, 0.4486, 0.2995)$

$\pi^{d'} = (0.1111, 0.8889)$
$\pi^{d''} = (0.2000, 0.8000)$
$\pi^{d'''} = (0.6000, 0.4000)$

(With the steady-state values listed above, $p(S_{12})/(p(S_{12}) + p(S_{11}))$ evaluates to 0.1229 rather than 0.1111; $\pi^{a'}$, $\pi^{d''}$ and $\pi^{d'''}$ agree with the listed values.)

$\pi^{a*} = (0.0612, 0.2180, 0.7278)$
$\pi^{d*} = (0.3333, 0.6667)$
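The steady-state computation of this section, reproduced on a small net as an added example (not the paper's net of Fig. 3 and not TimeNET output): the net structure, the selection probabilities `PI_A`/`PI_D` and the intensities `LAM_A`/`LAM_D` are constructed assumptions, with `PI_D` reusing the (1/3, 2/3) defender mix above. The code builds the continuous-time Markov chain over the tangible markings, solves $pQ = 0$ exactly, and then normalizes the steady-state probabilities within each conflict set exactly as the $\pi_{t}$ formulas above do, so the effect of behavior intensity on the observed selection ratios can be seen directly.

```python
"""Steady-state analysis of a small DDoS attack-defense stochastic Petri net (added
example, stdlib only). Assumed structure: the attacker chooses one of n attack
behaviors (immediate transitions with selection probabilities pi^a), the attack runs as
a timed transition with intensity lambda^a_i, the defender chooses one of m defense
behaviors against it (immediate, pi^d), the defense completes with intensity lambda^d_j,
and the cycle repeats. After eliminating the vanishing (immediate) markings, the tangible
markings are A_i (attack i running) and D_ij (defense j running against attack i)."""
from fractions import Fraction

# Constructed parameters (assumptions).
PI_A = [Fraction(1, 6), Fraction(1, 3), Fraction(1, 2)]   # selection probabilities of a1..a3
PI_D = [Fraction(1, 3), Fraction(2, 3)]                   # selection probabilities of d1..d2
LAM_A = [1, 2, 4]                                         # attack intensities (firing rates)
LAM_D = [2, 1]                                            # defense intensities


def build_generator(pi_a, pi_d, lam_a, lam_d):
    """CTMC over the tangible markings: A_i -> D_ij at rate lam_a[i]*pi_d[j] (attack i
    ends, the defender picks j) and D_ij -> A_k at rate lam_d[j]*pi_a[k] (defense ends,
    the attacker picks k). Returns (state names, generator matrix Q) with exact entries."""
    n, m = len(pi_a), len(pi_d)
    states = [f"A{i + 1}" for i in range(n)] + [f"D{i + 1}{j + 1}" for i in range(n) for j in range(m)]
    idx = {s: k for k, s in enumerate(states)}
    Q = [[Fraction(0)] * len(states) for _ in states]

    def add(src, dst, rate):
        Q[idx[src]][idx[dst]] += Fraction(rate)
        Q[idx[src]][idx[src]] -= Fraction(rate)

    for i in range(n):
        for j in range(m):
            add(f"A{i + 1}", f"D{i + 1}{j + 1}", lam_a[i] * pi_d[j])
            for k in range(n):
                add(f"D{i + 1}{j + 1}", f"A{k + 1}", lam_d[j] * pi_a[k])
    return states, Q


def steady_state(Q):
    """Solve p Q = 0 with sum(p) = 1 by exact Gauss-Jordan elimination. For an irreducible
    chain one balance equation is redundant and is replaced by the normalization."""
    N = len(Q)
    rows = [[Q[r][c] for r in range(N)] + [Fraction(0)] for c in range(N)]  # column c: sum_r p_r Q[r][c] = 0
    rows[-1] = [Fraction(1)] * N + [Fraction(1)]                              # sum_r p_r = 1
    for col in range(N):
        piv = next(r for r in range(col, N) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        rows[col] = [x / rows[col][col] for x in rows[col]]
        for r in range(N):
            if r != col and rows[r][col] != 0:
                rows[r] = [x - rows[r][col] * y for x, y in zip(rows[r], rows[col])]
    return [rows[r][N] for r in range(N)]


def observed_selection(states, p, group):
    """Normalize steady-state probabilities over one group of competing markings, as the
    page does with p(S1..S3) and with each pair of p(S7..S12)."""
    total = sum(p[states.index(s)] for s in group)
    return [p[states.index(s)] / total for s in group]


def intensity_weighted(pi, lam):
    """Closed form for this net: the time spent in A_i is proportional to pi_i / lambda_i,
    so the observed ratio is (pi_i/lambda_i) / sum_k (pi_k/lambda_k)."""
    w = [Fraction(p) / l for p, l in zip(pi, lam)]
    return [x / sum(w) for x in w]


if __name__ == "__main__":
    states, Q = build_generator(PI_A, PI_D, LAM_A, LAM_D)
    p = steady_state(Q)
    for s, v in zip(states, p):
        print(f"p({s}) = {v} = {float(v):.5f}")
    print("attack selection seen in steady state:", [str(x) for x in observed_selection(states, p, ["A1", "A2", "A3"])])
    print("defense selection against a1:", [str(x) for x in observed_selection(states, p, ["D11", "D12"])])
```

With these parameters the attacker selects $a_3$ half of the time, yet the steady state shows it only 3/11 of the time, because its high intensity makes it finish fastest; this is the sense in which the steady-state ratios combine selection probability with behavior intensity rather than reporting the selection probability alone.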

5 Conclusion

[1] 鲍旭华, 洪海, 曹志华. The King of Destruction: In-depth Analysis of DDoS Attacks and Defenses. Beijing: China Machine Press, 2014.
[2] Mölsä JVE. A taxonomy of criteria for evaluating defence mechanisms against flooding DoS attacks. In: Blyth A, ed. EC2ND 2005. London: Springer, 2006. 13-22.
[3] Meadows C. A cost-based framework for analysis of denial of service in networks. Journal of Computer Security, 2001, 9(1-2): 143-164. DOI:10.3233/JCS-2001-91-206
[4] 黄亮, 冯登国, 连一峰, et al. A DDoS protection measure selection method based on multi-attribute decision making. Journal of Software, 2015, 26(7): 1742-1756. DOI:10.13328/j.cnki.jos.004673
[5] 石盼, 连一峰. DDoS attack and defense performance evaluation method based on strategic games. Computer Engineering, 2009, 35(3): 195-198. DOI:10.3969/j.issn.1000-3428.2009.03.066
[6] 林闯. Stochastic Petri Nets and System Performance Evaluation. Beijing: Tsinghua University Press, 2000.
[7] Jalan R, Kamat G, Szeto RWL. Mitigating TCP SYN DDoS attacks using TCP reset. US Patent Application 20180034848, 2018-02-01.
[8] 庄建儿. A brief analysis of network DDoS attacks and their control. Telecom World, 2015(1): 33-34. DOI:10.3969/j.issn.1006-4222.2015.01.021
[9] 何亨, 胡艳, 郑良汉, et al. Efficient SDN-based DDoS attack detection and defense scheme in cloud environments. Journal on Communications, 2018, 39(4): 2018068.
[10] 刘航, 曹建新, 张新建. Application of traffic scrubbing systems in defending against DDoS attacks. Science & Technology Information, 2010(20): 249. DOI:10.3969/j.issn.1673-1328.2010.20.251
[11] German R, Kelling C, Zimmermann A, et al. TimeNET: a toolkit for evaluating non-Markovian stochastic Petri nets. Proceedings of the 6th International Workshop on Petri Nets and Performance Models. Durham, NC, USA. 1995. 210-211.
[12] 张尚韬. Research on a DDoS defense mechanism evaluation method based on static games of incomplete information. Journal of Foshan University (Natural Science Edition), 2017, 35(6): 12-16.