DDoS Attack Detection Using IP Address Feature Interaction


29 International Conference on Intelligent Networking and Collaborative Systems

Jieren Cheng, 2, Jianping Yin, Yun Liu, Zhiping Cai, and Chengkun Wu
School of Computer, National University of Defense Technology, 473 Changsha, China
2 Department of Mathematics, Xiangnan University, 423 Chenzhou, China
cjr22@63.com

Distributed denial-of-service (DDoS) attacks present serious threats to servers in the Internet. We argue that the goals, manners and results of the interaction behaviors of normal flows and attack flows differ, and that these differences show up as different characteristics on IP addresses and ports. The IAI (IP Address Interaction Feature) algorithm is proposed based on address interaction, abrupt traffic change, many-to-one address dissymmetry, distributed source IP addresses and concentrated target addresses. The IAI is designed to describe the essential characteristics of network flow states. Furthermore, a support vector machine (SVM) classifier, trained on IAI time series from normal flows and attack flows, is applied to classify the state of current network flows and identify DDoS attacks. The experimental results show that IAI reflects the different characteristics of DDoS attack flows and normal flows; that the IAI-based detection scheme effectively distinguishes normal flows from abnormal flows containing DDoS attack flows, and helps to identify attack flows quickly and accurately when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources; and that it has a higher detection rate and a lower false alarm rate than related works.

Index Terms: Network Security, Distributed Denial of Service, IP Address Interaction Feature, SVM classifier

I. INTRODUCTION

DDoS attack is one of the main threats to the Internet.
A DDoS attack employs many sources to send useless packets towards the target, consumes the available resources of the target, and prevents the target from providing normal services, as depicted in Fig. 1. DDoS attacks are easy to carry out, more harmful, and hard to trace and defend against, so they are a great threat. Attack detection is an important aspect of DDoS defense, and the detection results affect the overall performance of the defense. Attackers now tend to use actual sources to perform DDoS attacks [1] and can launch low-rate DDoS attacks by sending low-rate, periodic attack flows [2-3], so it is very difficult to distinguish between normal flows and attack flows, and fast, accurate detection is very hard.

DDoS attack traffic at the source is highly similar to legitimate traffic, and the aggregated attack traffic close to the attack source is relatively small compared with the massive normal traffic; only at the target do all these attack flows converge into a DDoS attack. The closer the detection sensor is to the attack source, the better the defense efficiency; at the same time, detection becomes more expensive and difficult to implement, and the false positive and false negative rates become higher.

In this paper, we review existing DDoS attack detection methods, and analyze the goals, manners and results of the interaction behaviors of DDoS attack flows and normal flows, together with their different characteristics on IP addresses and ports. We find that for normal flows the number of source IP addresses with interaction behaviors is much larger than the number of source IP addresses without interaction behaviors, whereas for DDoS attack flows the number of source IP addresses without interaction behaviors is much larger than the number with interaction behaviors. DDoS attack flows also exhibit abrupt traffic change, many-to-one address dissymmetry, distributed source IP addresses and concentrated target addresses.
Hence, we give the definitions of IF (Interaction Flow) and SH (Source Half Interaction Flow), and propose the IAI (IP Address Interaction Feature) algorithm, which combines the interaction feature of normal flows with multiple inherent features of DDoS attack flows. We establish an IAI-based DDoS detection method that uses an SVM classifier to classify the state of current network flows and identify DDoS attacks. We also demonstrate that our method is particularly effective at identifying the abnormal phenomena caused by DDoS attacks, and that its false positive and false negative rates are lower than those of related works when the detecting sensor is located close to the attacking source or the attacking traffic is hidden among a relatively large volume of normal flows.

II. RELATED WORK

Most current detection methods can be classified into two categories.

Firstly, many methods establish an attack detection model based on a specific attack feature: whenever the current flow matches the attack detection model, it is considered an attack flow. These methods can detect certain kinds of attack and thus improve the detection accuracy. However, DDoS attacks are adversarial and constantly evolving. Once a particular kind of attack is successfully detected, a slight variation is designed that bypasses the detection and still performs an effective attack. Hence, DDoS detection methods based on extracting a single attack feature cannot detect attacks effectively. For example, for schemes based on abrupt traffic change [4-7], an attacker can organize different sources and simulate normal flows, hiding the statistical characteristics of the attack flow by varying the sending time, the type of flow, the packet size and the sending rate; furthermore, the traffic offset cannot distinguish a DDoS attack flow from normal network congestion.
For schemes based on flow dissymmetry [8-12], real audio/video traffic is highly disproportional: the monitored traffic from server to client is much higher than from client to server. Alternatively, legitimate connections that numerous hosts initiate with a popular destination address are likely to be perceived as an attack signal. Since their premise is that edge networks are willing to act cooperatively, these schemes are more expensive and difficult to implement. Moreover, an attacker may use randomly spoofed source IP addresses, or send out the same amount of SYN packets and FIN/RST packets. For a large-scale DDoS attack, the attack traffic from each source network can be very small and go unnoticed compared with legitimate traffic flows, so detecting attack traffic accurately can be difficult or impossible at the source network. For schemes based on distributed IP addresses [13,14], the closer the detection sensor gets to the attack source, the drastically higher the false positive and false negative rates.

Secondly, other methods establish detection models based on normal flow features, such as the similarity in average IP packet length and flow rate, or the distribution of IP addresses and ports: whenever the current flow deviates from the detection model, it is classified as an attack flow. These methods [15,16] can detect different kinds of attacks. However, it is very difficult to build a stable model for all normal flows. Moreover, attackers can simulate normal flows.

Recently, distributed collaborative detection methods and detection methods based on multiple DDoS attack characteristics have been emerging. The distributed collaborative methods [17,18] employ distributed sensors that detect attacks effectively through collaboration and help the defense, but deployment is difficult and the performance of the whole system relies on the ability of each sensor. Detection methods based on multiple characteristics [19-21] help to avoid the shortcomings of detection methods based on a single attack characteristic.
However, these methods cannot effectively separate attack flows from abnormal flows, which limits their capability when the attacking traffic is hidden among a relatively large volume of normal flows.

III. IP FLOW FEATURE ANALYSIS

To improve the detection quality, the key problem is to extract the essential features of attack flows, separate the attack flows from the abnormal flows, and reduce the interference of normal network traffic. Normal flows and attack flows have in common that both show flow interaction behavior, but their interaction behaviors differ greatly on IP addresses and ports. Normal flows aim to obtain or provide network services through network communication, so most source IP addresses show normal interaction behavior in a certain time interval; attack flows aim to disrupt network communication and services, so most source IP addresses show abnormal interaction behavior.

Definition 1. Assume the network flow F in a certain time period T is $\langle (t_1, s_1, d_1, dp_1), (t_2, s_2, d_2, dp_2), \ldots, (t_n, s_n, d_n, dp_n) \rangle$, where for $i = 1, 2, \ldots, n$, $t_i$, $s_i$, $d_i$, $dp_i$ denote the i-th packet's timestamp, source IP address, destination IP address and destination port number. Classify the n packets so that the packets with the same source IP address and the same destination IP address are in the same class. Denote the class of packets with source IP address $A_i$ as $IPS(A_i)$ and the class of packets with destination IP address $A_j$ as $IPD(A_j)$. If a source IP address $A_i$ makes both class $IPS(A_i)$ and class $IPD(A_i)$ non-empty, then $IPS(A_i)$ is called an Interaction Flow (IF) and denoted as $IF(A_i)$. If a source IP address $A_i$ makes class $IPD(A_i)$ empty, then $IPS(A_i)$ is called a Source Half Interaction Flow (SH) and denoted as $SH(A_i)$.

Based on the above definition, in a certain time period T, IFs are IP flows with interaction behaviors, and SHs are IP flows without interaction behaviors.

A. Normal flow characteristic

The interaction purpose of normal flows is to get or provide service through network communication, and most source IP addresses have the interaction feature. The interaction mode of the source IP addresses and destination IP addresses in a certain time period T appears as one-to-one, one-to-many and many-to-one. In an ideal world, the resulting statistics are: in a certain time period T the number M of all IFs is large, while the number S of source IP addresses of all SHs and the number D of destination IP addresses of all SHs are relatively small, thus (S-D)/M. Network noise or other uncertainty may lead to packet loss, delay or dithering. Nevertheless, in time span T, the number of SHs is still small and the interaction mode does not change; moreover, normal flows obey the TCP congestion control protocol and packets are sent at non-congested times to evade congestion, so the value of (S-D)/M shows only slight dithering within a small interval.

B. Attack flow characteristic

A typical DDoS attack employs many hosts (zombies) to flood the target in a distributed and cooperative way, as depicted in the figure. In order to disrupt normal services and avoid being detected, zombies generate a large number of source IP addresses without the interaction feature. The interaction mode of the source IP addresses and destination IP addresses turns out to be many-to-one.
The resulting statistics are: in a certain time period T, the number M of IFs is quite small (even smaller when randomly spoofed source IP addresses are used). If the attacker uses random port numbers, the number of destination port numbers $Port(SH(A_j))$ will exceed the normal range, namely $Port(SH(A_j)) > \theta$/ms, where θ is the threshold. DDoS attacks also show a distribution of source IP addresses (a large S), a concentration of destination IP addresses (a small D), and an outburst in network traffic (in a time span T, S-D will be large). Moreover, the attack flows do not obey the TCP congestion control protocol and are unresponsive to congestion signals. In every time span T, making a large number of source IP addresses of attack flows show the interaction feature at any detection location can be difficult or impossible. When the attack is very serious, the attack flows to the victim will concentrate at congestion time; in a time span T, D, S-D is large constant, M, thus (S-D)/M.

[Fig. 1. Typical DDoS attack]

IV. IP ADDRESS INTERACTION FEATURE

Based on the characteristics of normal flows and DDoS attack flows, a definition of the IP Address Interaction Feature is given below.

Definition 2. Assume that in time span T, the network flow F is $\langle (t_1, s_1, d_1, dp_1), (t_2, s_2, d_2, dp_2), \ldots, (t_n, s_n, d_n, dp_n) \rangle$, where for $i = 1, 2, \ldots, n$, $t_i$, $s_i$, $d_i$, $dp_i$ denote the i-th packet's timestamp, source IP address, destination IP address and destination port number. Classify these n packets and obtain all the interaction flows (IFs) of network flow F as $IF_1, IF_2, \ldots, IF_m$. The number of packets with source IP address $A_i$ in $IF_i$ is denoted as $sn_i$, where $i = 1, 2, \ldots, m$, and the number of packets of all the IFs is denoted as $SN$. Obtain the source half interaction flows (SHs) of network flow F as $SH_1, SH_2, \ldots, SH_s$. Classify these s SHs so that the packets with the same destination IP address are in the same class; denote the number of different source IP addresses in a class as $hn_i$, and the class of packets with the same destination IP address $A_i$ as $HSD(hn_i, A_i)$. Assume all the HSD classes with $hn_i \ge 2$ are $HSD_1, HSD_2, \ldots, HSD_k$, and denote the number of different destination port numbers in class $HSD_i$ as $Port(HSD_i)$, where $i = 1, 2, \ldots, k$.

The SE (Interaction Flow Source Address Entropy) is defined as:

$$SE = -\sum_{i=1}^{m} \frac{sn_i}{SN} \log_2\left(\frac{sn_i}{SN}\right) \tag{1}$$

The IAI (IP Address Interaction Feature) is defined as:

$$IAI_F = \frac{f(SE)\left(\sum_{i=1}^{k}\big(hn_i + over(Port(HSD_i))\big) - k\right)}{m + 1} \tag{2}$$

where

$$f(x) = \begin{cases} x, & x > 1 \\ 1, & x \le 1 \end{cases} \qquad over(x) = \begin{cases} x, & x/\Delta t > \theta \\ 0, & x/\Delta t \le \theta \end{cases}$$

Δt is the sampling time period, and θ is the threshold, which can be the maximum of $Port(HSD_i)$ or a value specified by the administrator according to experience in real applications.

By classifying the network flows, the IAI algorithm separates the half interaction flows (SHs) from the interaction flows (IFs), which helps to separate attack flows from abnormal flows, and then calculates their characteristic values respectively.
Choosing many-to-one HSDs makes use of the many-to-one address dissymmetry of DDoS attack flows and reduces the interference of SHs due to normal flows. When the attack flow is small but the normal flows are relatively large, the detection quality is affected; so in equation (2), in order to reduce the interference of IFs due to normal flows and improve the detection sensitivity to attack flows, SE is introduced, which also reflects the distribution of the source IP addresses [13]. However, to prevent a small interaction flow (SE smaller than 1) from disturbing the detection quality, f(SE) is introduced. Furthermore, according to the conclusions in Section III: (1) when there is no attack, the number of SHs is much smaller than the number of IFs, so the value of IAI is very small; (2) when an attack occurs and leads to a denial of service, the number of SHs is much larger than the number of IFs, so the value of IAI is very large. Hence, IAI reflects the source IP address interaction of normal flows, as well as the source IP address half interaction, abrupt traffic change, many-to-one address dissymmetry, distributed source IP addresses and concentrated destination IP address of DDoS attack flows.

V. ATTACK DETECTION METHOD

This paper extracts IAI time series from normal network flows and DDoS attack flows to describe the state changes of each, and establishes an IAI-based DDoS attack detection model using an SVM classifier.

A. Abnormal Detection Model

Sample the network flow F with a period Δt, and calculate the IAI value after each sampling. After sampling N times, a time series sample A is obtained, $A(N, \Delta t) = \{IAI_i, i = 1, 2, \ldots, N\}$, in which N is the length of the series. When the IAI time series is used to describe the state changes of network flow F, the problem of attack detection becomes a problem of classifying the IAI time series.
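The following added example (not the authors' code) computes IAI as in Definition 2 and builds the Δt-sampled IAI time series of Section V.A over constructed packets. It assumes equation (2) reads f(SE)(Σ(hn_i + over(Port(HSD_i))) − k)/(m + 1), with f(x) = x for x > 1 and 1 otherwise, and over(x) = x when x/Δt > θ and 0 otherwise; the function names, the addresses and θ = 10 are assumptions.

```python
import math
from collections import Counter, defaultdict


def f(x):
    # Assumed reading of f() in equation (2): a source entropy below 1
    # must not shrink the feature value.
    return x if x > 1 else 1.0


def over(x, dt, theta):
    # Assumed reading of over(): destination ports count only when their
    # number per sampling period exceeds the threshold theta.
    return x if x / dt > theta else 0


def iai(packets, dt, theta):
    """IAI of one sampling window; packets are (t, src, dst, dport) tuples."""
    sent = Counter(p[1] for p in packets)      # packets per source address
    dsts = {p[2] for p in packets}             # addresses that received traffic
    # IF(A): A both sends and receives in the window. SH(A): A only sends.
    if_counts = [n for a, n in sent.items() if a in dsts]
    m, sn_total = len(if_counts), sum(if_counts)
    se = -sum(n / sn_total * math.log2(n / sn_total) for n in if_counts) if m else 0.0

    # Group SH packets by destination (the HSD classes of Definition 2).
    hsd_sources, hsd_ports = defaultdict(set), defaultdict(set)
    for _, src, dst, dport in packets:
        if src not in dsts:
            hsd_sources[dst].add(src)
            hsd_ports[dst].add(dport)

    total = k = 0
    for dst, sources in hsd_sources.items():
        if len(sources) >= 2:                  # keep many-to-one classes only
            k += 1
            total += len(sources) + over(len(hsd_ports[dst]), dt, theta)
    return f(se) * (total - k) / (m + 1)


def iai_series(packets, dt, theta):
    """Split a capture into windows of length dt and return A(N, dt)."""
    if not packets:
        return []
    t0 = min(p[0] for p in packets)
    windows = defaultdict(list)
    for p in packets:
        windows[int((p[0] - t0) // dt)].append(p)
    return [iai(windows.get(i, []), dt, theta) for i in range(max(windows) + 1)]


def constructed_window(t0, attack_port=None):
    """Constructed sample traffic (documentation address ranges):
    4 clients <-> 1 server, 2 unanswered one-way senders, and optionally
    50 one-way senders aimed at one victim; attack_port maps i -> dport."""
    server, victim = "198.51.100.10", "198.51.100.20"
    pkts = []
    for i in range(4):
        client = f"192.0.2.{i + 1}"
        pkts.append((t0 + 0.01 * i, client, server, 80))                 # request
        pkts.append((t0 + 0.01 * i + 0.005, server, client, 40000 + i))  # reply
    pkts.append((t0 + 0.2, "192.0.2.50", "198.51.100.30", 53))  # one-to-one SH
    pkts.append((t0 + 0.3, "192.0.2.51", "198.51.100.31", 53))  # one-to-one SH
    if attack_port is not None:
        for i in range(50):
            pkts.append((t0 + 0.5 + 0.005 * i, f"203.0.113.{i + 1}",
                         victim, attack_port(i)))
    return pkts


if __name__ == "__main__":
    capture = (constructed_window(0.0)
               + constructed_window(1.0, attack_port=lambda i: 1024 + i))
    print(iai_series(capture, dt=1.0, theta=10))
```

The one-to-one unanswered senders in the normal window are SHs but fall out of the HSD filter, so only the many-to-one window raises the value; a series like this is what the classifier described next would be trained on.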
The SVM can be described as:

$$\eta = \sum_{i=1}^{N} \beta_i y_i K(\varphi_i, \varphi) + b \tag{3}$$

in which η is the classification result, $\beta_i$ are the Lagrange multipliers, $y_i$ is the classification type, $y_i \in \{-1, 1\}$, $K(\varphi_i, \varphi)$ is the kernel function, b is the deviation factor, $\varphi_i$ is a classification training data sample, $i = 1, 2, \ldots, N$, and φ is a sample to be determined. The optimal hyperplane that the SVM classifier establishes in the higher-dimensional characteristic space is:

$$f(\varphi) = \mathrm{sgn}\left(\sum_{i \in SV} \beta_i y_i K(\varphi_i, \varphi) + b\right) \tag{4}$$

where $b = -\frac{1}{2} \sum_{i \in SV} \beta_i y_i \big(K(\varphi_r, \varphi_i) + K(\varphi_s, \varphi_i)\big)$, SV is the set of support vectors, $\varphi_r$ is any positive support vector and $\varphi_s$ is any negative support vector. The coefficients can be obtained by quadratic programming:

$$\min_{\beta} W(\beta) = \min_{\beta} \frac{1}{2} \sum_{i=1}^{N} \sum_{j=1}^{N} \beta_i \beta_j y_i y_j K(\varphi_i, \varphi_j) - \sum_{i=1}^{N} \beta_i \tag{5}$$

$$\text{s.t.} \quad \sum_{i=1}^{N} \beta_i y_i = 0, \quad 0 \le \beta_i \le C \quad (i = 1, 2, \ldots, N)$$

in which β is the vector formed by the Lagrange multipliers $\beta_i$, and C is the parameter that penalizes misclassification.

Solving for the coefficients of the SVM classifier is a typical constrained quadratic optimization problem, and there are many sophisticated algorithms for solving this kind of problem. In this paper we use the SVM algorithm proposed by J. Platt [22], which supports large-scale training data sets. We compared the experimental results from various kernel functions such as linear, polynomial, Gaussian and tanh. The results show that the linear kernel function is the best one. The optimal value of the parameter C is then obtained through cross-validation.

B. Alarm Evaluation Mechanism

Considering that network flow noise, congestion or other factors besides a DDoS attack might result in abnormal changes in the IAI states of network flows, we present a simple alarm evaluation mechanism based on alarm frequency and time interval to decrease the false alarm rate. A DDoS attack is considered to be taking place in the network when abnormal changes in IAI states occur frequently within a designated time interval. Hence, the system will only generate alarms when the Num(Num ) anomalies are detected in a designated time interval T( T ). For example, if T and Num, the system will immediately generate a DDoS attack alarm when one anomaly of IAI states is detected in the current network flows.
Choosing the values of T and Num is very important: larger T and Num decrease the false alarm rate, but the time efficiency decreases too. Therefore, they need to be set dynamically according to the network security situation in order to detect DDoS attacks.

VI. EXPERIMENTS AND RESULTS

The experiment used the normal flow data from 1999 and the DDoS flow data LLDoS 2.0.2 from 2000, both from MIT Lincoln Lab [23]. The normal flow samples were taken from the normal flow data, and the attack flow samples were taken from the DDoS flow data.

[Fig. 2. IAI time series of 1999 normal flow. Panels for each sampling period plot the IAI series and the corresponding normal traffic against Time Sample Point.]

When the sampling time period Δt was .s, .s, .s, s, the IAI time series and the corresponding size of normal traffic were obtained by multiple sampling and calculation, as depicted in Fig. 2. When the sampling time period Δt was .s, .s, .s, s, the IAI time series and the corresponding size of attack traffic were obtained by multiple sampling and calculation, as depicted in Fig. 3. From Fig. 2 and Fig. 3 we can see that IAI time series are sensitive to attack flows and magnify the size of IFI of any attack flow that uses randomized destination ports, while they are steady when the network flow is normal. As depicted in Fig. 3, there are a few IAI values that are smaller than the size of the attack traffic, for two main reasons: firstly, in a very short span Δt there is sometimes only one attack packet; secondly, as Δt increases, the few normal flows that received responses become IFs. Thus the IAI reflects the different state features of normal network flows and DDoS attack flows well.

[Fig. 3. IAI time series of LLDoS 2.0.2 network flow. Panels for each sampling period plot the IAI series and the corresponding attack traffic against Time Sample Point.]

We compared our method with previous similar works, one of which is the Entropy of Feature Distributions (EFD) method [13]. We carried out multiple groups of experiments, in which the sampling time period Δt was set to .s, the abnormal alarm time interval T was set to s, and the number of anomalies Num was set to. We then sampled multiple times from the normal flow data and calculated the IAI time series of normal flows; alternatively, we mixed the normal flows with attack flows and obtained the IAI time series of abnormal flows. In Fig. 4, the vertical axis represents the detection rate and the false positive rate, and the horizontal axis represents the amount of normal flows divided by the amount of attack flows. The IAI and EFD methods were each used with an SVM classifier to perform the detection, and the results are shown in Fig. 4.

As the background network flows increase, the detection rate of the IAI method drops from % to 98%, and the average detection rate is 99.2%. This demonstrates that the IAI method effectively identifies abnormal flows containing DDoS attack flows and is insensitive to large normal background flows, so it can help to achieve effective detection when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources. The main cause of false negatives is the network state shift caused by random network noise. The false alarm rate of the IAI method increases from .% to .%, with an average false alarm rate of .%. The results show that the IAI method accurately identifies normal flows and does not produce a high false positive rate because of large normal flows.
The main causes of false positives are: (1) random network noise; (2) network delay and packet loss. As illustrated in Fig. 4, as the normal background network flows increase, the detection rate of EFD gradually decreases from 95.8% to 65.%, the false alarm rate increases from .% to 33.6%, the average detection rate of groups is 79.7% and the average false alarm rate is 2.5%. EFD is designed to extract the distributed IP address features of a DDoS attack using a four-dimensional characteristic vector, and calculates the feature values without distinguishing normal flows from attack flows. IAI, in contrast, is designed to extract the source IP address interaction feature of normal flows and five inherent features of DDoS attack flows using a one-dimensional characteristic vector; it helps to separate attack flows from normal flows effectively and calculates their characteristic values respectively, so as to reduce the interference of normal flows. For a large-scale DDoS attack, the closer the detection sensor gets to the attack source, the smaller the attack flows are relative to normal flows. By comparison, the IAI method has a higher detection rate and a lower false positive rate, which makes it more suitable for detection when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources.

[Fig. 4. False alarm rate and detection rate of different algorithms. Vertical axis: False Alarm Rate and Detection Rate (%); horizontal axis: Increase Multiple of Network Flow; series: False Alarm Rate of IAI, Detection Rate of IAI, False Alarm Rate of EFD, Detection Rate of EFD.]

As discussed above, IAI reflects the different essential characteristics of DDoS attack flows and normal flows well, which is useful for distinguishing normal flows from DDoS attack flows.
The IAI method effectively identifies the abnormal flows caused by DDoS attacks. Because it is based on real-time calculation of the IAI value of network flows, it can achieve fast and effective detection when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources. Our method can be deployed on attack source, intermediate and terminal equipment.

VII. CONCLUSIONS

DDoS attacks can cause severe disruption to the stability of the Internet. In this paper, we have presented a novel IP Address Interaction Feature (IAI) algorithm, which is based on the source address interaction of normal flows and on the source address half interaction, abrupt traffic change, many-to-one address dissymmetry, distributed source IP addresses and concentrated target addresses of DDoS attack flows. Using the IAI feature and an SVM, we also proposed a simple but effective DDoS detection method. This method uses the IAI time series to describe the state characteristics of network flows, so that detecting DDoS attack flows becomes a problem of classifying IAI time series. The training samples obtained from normal flows and attack flows are used to train the SVM classifier, which is then used to classify the current network flows and detect DDoS attacks. Analysis and experiments show that the IAI feature describes the source address interaction feature of normal flows and multiple inherent characteristics of DDoS attack flows well; and that our method effectively recognizes the abnormal phenomena caused by DDoS attack flows, and has lower false positive and false negative rates than related works when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources. In the future, we will explore how to use our method to defend against DDoS attacks.

ACKNOWLEDGMENT

This work is supported by National Science Foundation of China (69734, 66362, 6635), Scientific Research Fund of Hunan Provincial Education Department (7C78), the Foundation for the Author of National Excellent Doctoral Dissertation (27B4), Science Foundation of Hunan Provincial (6JJ335), and Application of Innovation Plan Fund of the Ministry of Public Security (27YYCXHNST72).

REFERENCES

[1] Handley M. DoS-resistant Internet subgroup report. Internet Architecture WG. Tech Rep: Available online at mmary.pdf. 25.
[2] Macia G, Diaz J, Garcia P. Evaluation of a low-rate DoS attack against application servers [J]. Computers & Security, 28, 27(7-8):
[3] Kumar V, Jayalekshmy P, Patra G, et al. On Remote Exploitation of TCP Sender for Low-Rate Flooding Denial-of-Service Attack [J]. IEEE Communications Letters, 29, 3():
[4] Cheng C, Kung H, Tan K. Use of spectral analysis in defense against DoS attacks [C]. In Proceedings of IEEE GLOBECOM
[5] Manikopoulos C, Papavassiliou S. Network intrusion and fault detection: A statistical anomaly approach [C]. IEEE Communications Magazine
[6] Lakhina A, Crovella M, Diot C. Diagnosing Network-Wide Traffic Anomalies [C]. In Proceedings of ACM SIGCOMM, Portland, Oregon, USA, August 24.
[7] Sanguk N, Gihyun J, Kyunghee C, et al. Compiling network traffic into rules using soft computing methods for the detection of flooding attacks [J]. Applied Soft Computing
[8] Gil T, Poletto M. MULTOPS: A data-structure for bandwidth attack detection. In Proceedings of the th USENIX Security Symposium. 2.
[9] Abdelsayed S, Glimsholt D, Leckie C, et al. An efficient filter for denial-of service bandwidth attacks [C]. In Proceedings of the 46th IEEE GLOBECOM
[10] Wang H, Zhang D, Shin K. Detecting SYN flooding attacks [C]. In Proceedings of IEEE INFOCOM
[11] Mirkovic J, WANG M, REITHER P, et al. Save: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM
[12] Mirkovic J, and Reiher P. D-WARD: A Source-End Defense Against Flooding Denial-of-Service Attacks. IEEE Trans. on Dependable and Secure Computing, Vol. 2, No. 3, July 25, pp
[13] Lakhina A, Crovella M, and Diot C. Mining Anomalies Using Traffic Feature Distributions [C]. In Proceedings of ACM SIGCOMM, Philadelphia, Pennsylvania, USA, 25.
[14] Peng T, Leckie C, Kotagiri R. Proactively detecting distributed denial of service attacks using source IP address monitoring [C]. In Proceedings of the Third International IFIP-TC6 Networking Conference,
[15] Manikopoulos C, Papavassiliou S. Network intrusion and fault detection: A statistical anomaly approach [J]. IEEE Commun. Mag. 22.4():
[16] Forrest S, Hofmeyr S. Architecture for an artificial immune system [J]. Evolutionary Computation, ():
[17] Chen Y, Hwang K, and Ku W. Collaborative Detection of DDoS Attacks over Multiple Network Domains [J]. IEEE Trans. on Parallel and Distributed Systems, 27.
[18] Chenfeng V, Christopher L, Shanika K. Decentralized multi-dimensional alarm correlation for collaborative intrusion detection. Journal of Network and Computer Applications. 29.
[19] Cheng J, Yin J, Liu Y, et al. Detecting Distributed Denial of Service Attack Based on Address Correlation Value [J]. Journal of Computer Research and Development, 29.
[20] Cheng J, Yin J, Liu Y, et al. DDoS Attack Detection Method Based on Linear Prediction Model [C]. In Proceedings of FAW, LNCS
[21] Cheng J, Yin J, Wu C, et al. DDoS Attack Detection Method Based on Linear Prediction Model [C]. In Proceedings of ICIC, LNCS
[22] Platt J. Sequential minimal optimization: A fast algorithm for training support vector machines. Microsoft Research, Tech Rep: MSR-TR-98-4, 998.
[23] dex.html.

Cheng Jieren received his M.S. degree in Computer Science from National University of Defense Technology (NUDT), China, in 25. He is now a Ph.D. candidate in Computer Science at NUDT and a student member of CCF. His main research interests include network security and artificial intelligence.


More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks Journal of Computer Science Original Research Paper Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks 1 Ayyamuthukumar, D. and 2 S. Karthik 1 Department of CSE,

More information

Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation

Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation Monowar H. Bhuyan and Abhishek Kalwar Dept. of Computer Science & Engg. Kaziranga University, Jorhat-785006, Assam

More information

EFFECT OF HALF-OPEN CONNECTION LIFETIME IN DEFENDING AGAINST DDOS ATTACK

EFFECT OF HALF-OPEN CONNECTION LIFETIME IN DEFENDING AGAINST DDOS ATTACK International Journal on Information Sciences and Computing, Vol.3, No.2, July 2009 33 EFFECT OF HALF-OPEN CONNECTION LIFETIME IN DEFENDING AGAINST DDOS ATTACK 1 2 S.Meenakshi, Dr.S.K.Srivatsa, 1 Assistant

More information

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric HeyShanthiniPandiyaKumari.S 1, Rajitha Nair.P 2 1 (Department of Computer Science &Engineering,

More information

Intrusion Detection with CUSUM for TCP-Based DDoS

Intrusion Detection with CUSUM for TCP-Based DDoS Intrusion Detection with CUSUM for TCP-Based DDoS Fang-Yie Leu and Wei-Jie Yang Department of Computer Science and Information Engineering, Tunghai University, Taiwan leufy@thu.edu.tw Abstract. DDoS(Distributed

More information

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis Pradit Pitaksathienkul 1 and Pongpisit Wuttidittachotti 2 King Mongkut s University of Technology North Bangkok, Thailand 1 praditp9@gmail.com

More information

DDoS Detection in SDN Switches using Support Vector Machine Classifier

DDoS Detection in SDN Switches using Support Vector Machine Classifier Joint International Mechanical, Electronic and Information Technology Conference (JIMET 2015) DDoS Detection in SDN Switches using Support Vector Machine Classifier Xue Li1, a *, Dongming Yuan2,b, Hefei

More information

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence 2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da

More information

ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL

ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL Alex Soares de Moura RNP Rede Nacional de Ensino e Pesquisa Rua Lauro Müller, 116 sala 1103 Rio de Janeiro, Brazil alex@rnp.br Sidney Cunha de Lucena

More information

A Two-phase Distributed Training Algorithm for Linear SVM in WSN

A Two-phase Distributed Training Algorithm for Linear SVM in WSN Proceedings of the World Congress on Electrical Engineering and Computer Systems and Science (EECSS 015) Barcelona, Spain July 13-14, 015 Paper o. 30 A wo-phase Distributed raining Algorithm for Linear

More information

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS Andry Putra Fajar and Tito Waluyo Purboyo Faculty of Electrical Engineering,

More information

2 An Integrated Victim-based Approach Against IP Packet Flooding Denial of Service

2 An Integrated Victim-based Approach Against IP Packet Flooding Denial of Service 2 An Integrated Victim-based Approach Against IP Packet Flooding Denial of Service Ruth M. Mutebi, Department of Networks, Faculty of Computing and IT Makerere University, Uganda, rmbabazi@tech.mak.ac.ug

More information

PPF Model with CTNT to Defend Web Server from DDoS Attack*

PPF Model with CTNT to Defend Web Server from DDoS Attack* PPF Model with CTNT to Defend Web Server from DDoS Attack* Jungtaek Seo 1, Cheolho Lee 1, Jungtae Kim 2, Taeshik Shon 3, and Jongsub Moon 3 1 National Security Research Institute, KT 463-1, Jeonmin-dong,

More information

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security

More information

Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average

Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average Tae Hwan Kim 1, Dong Seong Kim 2, Sang Min Lee 1, and Jong Sou Park 1 1 Dept. of Computer Engineering, Korea Aerospace

More information

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK P.Priya 1, S.Tamilvanan 2 1 M.E-Computer Science and Engineering Student, Bharathidasan Engineering College, Nattrampalli. 2

More information

Detecting Distributed Denial of Service (DDoS) Attacks Through Inductive Learning

Detecting Distributed Denial of Service (DDoS) Attacks Through Inductive Learning Detecting Distributed Denial of Service (DDoS) Attacks Through Inductive Learning Sanguk Noh 1, Cheolho Lee 2, Kyunghee Choi 2, Gihyun Jung 3 1 School of Computer Science and information Engineering, The

More information

INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014

INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 ISSN 2321 8665 LOW BANDWIDTH DDOS ATTACK DETECTION IN THE NETWORK 1 L. SHIVAKUMAR, 2 G. ANIL KUMAR 1 M.Tech CSC Dept, RVRIET,

More information

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK Abinesh Kamal K. U. and Shiju Sathyadevan Amrita Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa

More information

Research on adaptive network theft Trojan detection model Ting Wu

Research on adaptive network theft Trojan detection model Ting Wu International Conference on Advances in Mechanical Engineering and Industrial Informatics (AMEII 215) Research on adaptive network theft Trojan detection model Ting Wu Guangdong Teachers College of Foreign

More information

Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics

Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics Li, Ke, Zhou, Wanlei, Li, Ping, Hai, Jing and Liu, Jianwen 2009, Distinguishing DDoS attacks from flash crowds using probability metrics, in NSS 2009 : Proceedings of the third International Conference

More information

Multi-VMs Intrusion Detection for Cloud Security Using Dempster-shafer Theory

Multi-VMs Intrusion Detection for Cloud Security Using Dempster-shafer Theory Copyright 2018 Tech Science Press CMC, vol.57, no.2, pp.297-306, 2018 Multi-VMs Intrusion Detection for Cloud Security Using Dempster-shafer Theory Chak Fong Cheang 1, *, Yiqin Wang 1, Zhiping Cai 2 and

More information

NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES

NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES RENATO PREIGSCHADT DE AZEVEDO, DOUGLAS CAMARGO FOSTER, RAUL CERETTA NUNES, ALICE KOZAKEVICIUS Universidade

More information

IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks

IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks 1274 IEICE TRANS. INF. & SYST., VOL.E91-D, NO.5 MAY 2008 PAPER Special Section on Information and Communication System Security IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks Ping

More information

1.1 SYMPTOMS OF DDoS ATTACK:

1.1 SYMPTOMS OF DDoS ATTACK: 2018 IJSRSET Volume 4 Issue 4 Print ISSN: 2395-1990 Online ISSN : 2394-4099 Themed Section : Engineering and Technology An Efficient Entropy Based Approach for the Detection of DDOS Attack Abhilash Singh,

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

A UNIFIED APPROACH FOR DETECTION AND PREVENTION OF DDOS ATTACKS USING ENHANCED SUPPORT VECTOR MACHINES AND FILTERING MECHANISMS

A UNIFIED APPROACH FOR DETECTION AND PREVENTION OF DDOS ATTACKS USING ENHANCED SUPPORT VECTOR MACHINES AND FILTERING MECHANISMS ISSN: 2229-6948(ONLINE) DOI: 10.21917/ijct.2013.0105 ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2013, VOLUME: 04, ISSUE: 02 A UNIFIED APPROACH FOR DETECTION AND PREVENTION OF DDOS ATTACKS USING ENHANCED

More information

Challenges in Mobile Ad Hoc Network

Challenges in Mobile Ad Hoc Network American Journal of Engineering Research (AJER) e-issn: 2320-0847 p-issn : 2320-0936 Volume-5, Issue-5, pp-210-216 www.ajer.org Research Paper Challenges in Mobile Ad Hoc Network Reshma S. Patil 1, Dr.

More information

The Comparative Study of Machine Learning Algorithms in Text Data Classification*

The Comparative Study of Machine Learning Algorithms in Text Data Classification* The Comparative Study of Machine Learning Algorithms in Text Data Classification* Wang Xin School of Science, Beijing Information Science and Technology University Beijing, China Abstract Classification

More information

A study on fuzzy intrusion detection

A study on fuzzy intrusion detection A study on fuzzy intrusion detection J.T. Yao S.L. Zhao L. V. Saxton Department of Computer Science University of Regina Regina, Saskatchewan, Canada S4S 0A2 E-mail: [jtyao,zhao200s,saxton]@cs.uregina.ca

More information

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial

More information

An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network

An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network Lizhong Xie, Jun Bi, and Jianpin Wu Network Research Center, Tsinghua University, Beijing, 100084, China

More information

A Method of Identifying the P2P File Sharing

A Method of Identifying the P2P File Sharing IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.11, November 2010 111 A Method of Identifying the P2P File Sharing Jian-Bo Chen Department of Information & Telecommunications

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action

More information

IP Traceback Based on Chinese Remainder Theorem

IP Traceback Based on Chinese Remainder Theorem IP Traceback Based on Chinese Remainder Theorem LIH-CHYAU WUU a, CHI-HSIANG HUNG b AND JYUN-YAN YANG a a Department of Computer Science and Information Engineering National Yunlin University of Science

More information

A Novel Intrusion Detection Method for WSN Sijia Wang a, Qi Li and Yanhui Guo

A Novel Intrusion Detection Method for WSN Sijia Wang a, Qi Li and Yanhui Guo International Conference on Advances in Mechanical Engineering and Industrial Informatics (AMEII 2015) A Novel Intrusion Detection Method for WSN Sijia Wang a, Qi Li and Yanhui Guo Beijing University of

More information

Toward a Source Detection of Botclouds: a PCA-based Approach

Toward a Source Detection of Botclouds: a PCA-based Approach Toward a Source Detection of Botclouds: a PCA-based Approach Badis HAMMI Guillaume DOYEN Rida KHATOUN Autonomous Network Environment (ERA) team Troyes University of Technology (UTT) CNRS UMR 6281 ICD Contrôle

More information

Detection and Removal of Black Hole Attack in Mobile Ad hoc Network

Detection and Removal of Black Hole Attack in Mobile Ad hoc Network Detection and Removal of Black Hole Attack in Mobile Ad hoc Network Harmandeep Kaur, Mr. Amarvir Singh Abstract A mobile ad hoc network consists of large number of inexpensive nodes which are geographically

More information

Optimization of Firewall Rules

Optimization of Firewall Rules Optimization of Firewall Rules Tihomir Katić Predrag Pale Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia tihomir.katic@fer.hr predrag.pale@fer.hr

More information

A New Logging-based IP Traceback Approach using Data Mining Techniques

A New Logging-based IP Traceback Approach using Data Mining Techniques using Data Mining Techniques Internet & Multimedia Engineering, Konkuk University, Seoul, Republic of Korea hsriverv@gmail.com, kimsr@konuk.ac.kr Abstract IP Traceback is a way to search for sources of

More information

UNDERSTANDING AND EVALUATING THE IMPACT OF SAMPLING ON ANOMALY DETECTION TECHNIQUES

UNDERSTANDING AND EVALUATING THE IMPACT OF SAMPLING ON ANOMALY DETECTION TECHNIQUES UNDERSTANDING AND EVALUATING THE IMPACT OF SAMPLING ON ANOMALY DETECTION TECHNIQUES Georgios Androulidakis, Vasilis Chatzigiannakis, Symeon Papavassiliou, Mary Grammatikou and Vasilis Maglaris Network

More information

DETECTION OF NETWORK ANOMALIES USING RANK TESTS

DETECTION OF NETWORK ANOMALIES USING RANK TESTS DETECTION OF NETWORK ANOMALIES USING RANK TESTS Céline Lévy-Leduc CNRS/LTCI/Télécom ParisTech 37/39, Rue Dareau - 754 Paris - Email: celine.levy-leduc@telecom-paristech.fr ABSTRACT We propose a novel and

More information

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM Anburaj. S 1, Kavitha. M 2 1,2 Department of Information Technology, SRM University, Kancheepuram, India. anburaj88@gmail.com,

More information

A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters

A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters Slobodan Petrović NISlab, Department of Computer Science and Media Technology, Gjøvik University College,

More information

INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 ISSN

INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 ISSN CONSTANT INCREASE RATE DDOS ATTACKS DETECTION USING IP TRACE BACK AND INFORMATION DISTANCE METRICS 1 VEMULA GANESH, 2 B. VAMSI KRISHNA 1 M.Tech CSE Dept, MRCET, Hyderabad, Email: vmlganesh@gmail.com. 2

More information

Spoofing Detection in Wireless Networks

Spoofing Detection in Wireless Networks RESEARCH ARTICLE OPEN ACCESS Spoofing Detection in Wireless Networks S.Manikandan 1,C.Murugesh 2 1 PG Scholar, Department of CSE, National College of Engineering, India.mkmanikndn86@gmail.com 2 Associate

More information

Hybrid Feature Selection for Modeling Intrusion Detection Systems

Hybrid Feature Selection for Modeling Intrusion Detection Systems Hybrid Feature Selection for Modeling Intrusion Detection Systems Srilatha Chebrolu, Ajith Abraham and Johnson P Thomas Department of Computer Science, Oklahoma State University, USA ajith.abraham@ieee.org,

More information

Clustering Analysis for Malicious Network Traffic

Clustering Analysis for Malicious Network Traffic Clustering Analysis for Malicious Network Traffic Jie Wang, Lili Yang, Jie Wu and Jemal H. Abawajy School of Information Science and Engineering, Central South University, Changsha, China Email: jwang,liliyang@csu.edu.cn

More information

Video Inter-frame Forgery Identification Based on Optical Flow Consistency

Video Inter-frame Forgery Identification Based on Optical Flow Consistency Sensors & Transducers 24 by IFSA Publishing, S. L. http://www.sensorsportal.com Video Inter-frame Forgery Identification Based on Optical Flow Consistency Qi Wang, Zhaohong Li, Zhenzhen Zhang, Qinglong

More information

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100 You should worry if you are below this point Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /0 * 100 o Optimistic: (Your

More information

Simulation Environment for Investigation of Cooperative Distributed Attacks and Defense

Simulation Environment for Investigation of Cooperative Distributed Attacks and Defense Simulation Environment for Investigation of Cooperative Distributed Attacks and Defense Igor Kotenko, Alexander Ulanov Computer Security Research Group, St. Petersburg Institute for Informatics and Automation

More information

Prediction of traffic flow based on the EMD and wavelet neural network Teng Feng 1,a,Xiaohong Wang 1,b,Yunlai He 1,c

Prediction of traffic flow based on the EMD and wavelet neural network Teng Feng 1,a,Xiaohong Wang 1,b,Yunlai He 1,c 2nd International Conference on Electrical, Computer Engineering and Electronics (ICECEE 215) Prediction of traffic flow based on the EMD and wavelet neural network Teng Feng 1,a,Xiaohong Wang 1,b,Yunlai

More information

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing Yuki Katsurai *, Yoshitaka Nakamura **, and Osamu Takahashi ** * Graduate School

More information

Hardware Supports for Network Traffic Anomaly Detection

Hardware Supports for Network Traffic Anomaly Detection Hardware Sups for Network Traffic Anomaly Detection Dae-won Kim and Jin-tae Oh Electronics and Telecommunications Research Institute in Korea Abstract - Modern network systems are plagued with unknown

More information

Classification with Class Overlapping: A Systematic Study

Classification with Class Overlapping: A Systematic Study Classification with Class Overlapping: A Systematic Study Haitao Xiong 1 Junjie Wu 1 Lu Liu 1 1 School of Economics and Management, Beihang University, Beijing 100191, China Abstract Class overlapping has

More information

Improvement of Buffer Scheme for Delay Tolerant Networks

Improvement of Buffer Scheme for Delay Tolerant Networks Improvement of Buffer Scheme for Delay Tolerant Networks Jian Shen 1,2, Jin Wang 1,2, Li Ma 1,2, Ilyong Chung 3 1 Jiangsu Engineering Center of Network Monitoring, Nanjing University of Information Science

More information

Face Recognition Using Vector Quantization Histogram and Support Vector Machine Classifier Rong-sheng LI, Fei-fei LEE *, Yan YAN and Qiu CHEN

Face Recognition Using Vector Quantization Histogram and Support Vector Machine Classifier Rong-sheng LI, Fei-fei LEE *, Yan YAN and Qiu CHEN 2016 International Conference on Artificial Intelligence: Techniques and Applications (AITA 2016) ISBN: 978-1-60595-389-2 Face Recognition Using Vector Quantization Histogram and Support Vector Machine

More information

Protocol Share Based Traffic Rate Analysis (PSBTRA) for UDP Bandwidth Attack

Protocol Share Based Traffic Rate Analysis (PSBTRA) for UDP Bandwidth Attack Protocol Share Based Traffic Rate Analysis (PSBTRA) for UDP Bandwidth Attack Zohair Ihsan, Mohd. Yazid Idris *, Khalid Hussain, Deris Stiawan, and Khalid Mahmood Awan Faculty of Computer Science and Information

More information

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Yuichi Ohsita Graduate School of Information Science and Technology, Osaka University 1-3 Machikaneyama, Toyonaka,

More information

DDoS Attacks Classification using Numeric Attribute-based Gaussian Naive Bayes

DDoS Attacks Classification using Numeric Attribute-based Gaussian Naive Bayes DDoS Attacks Classification using Numeric Attribute-based Gaussian Naive Bayes Abdul Fadlil Department of Electrical Engineering Ahmad Dahlan University Yogyakarta, Indonesia Imam Riadi Department of Information

More information

A Novel Image Classification Model Based on Contourlet Transform and Dynamic Fuzzy Graph Cuts

A Novel Image Classification Model Based on Contourlet Transform and Dynamic Fuzzy Graph Cuts Appl. Math. Inf. Sci. 6 No. 1S pp. 93S-97S (2012) Applied Mathematics & Information Sciences An International Journal @ 2012 NSP Natural Sciences Publishing Cor. A Novel Image Classification Model Based

More information

Network Security. Chapter 0. Attacks and Attack Detection

Network Security. Chapter 0. Attacks and Attack Detection Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part

More information

Various Anti IP Spoofing Techniques

Various Anti IP Spoofing Techniques Various Anti IP Spoofing Techniques Sonal Patel, M.E Student, Department of CSE, Parul Institute of Engineering & Technology, Vadodara, India Vikas Jha, Assistant Professor, Department of CSE, Parul Institute

More information

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Fast and Evasive Attacks: Highlighting the Challenges Ahead Fast and Evasive Attacks: Highlighting the Challenges Ahead Moheeb Rajab, Fabian Monrose, and Andreas Terzis Computer Science Department Johns Hopkins University Outline Background Related Work Sampling

More information

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December-2016 360 A Review: Denial of Service and Distributed Denial of Service attack Sandeep Kaur Department of Computer

More information

DENIAL OF SERVICE ATTACKS

DENIAL OF SERVICE ATTACKS DENIAL OF SERVICE ATTACKS Ezell Frazier EIS 4316 November 6, 2016 Contents 7.1 Denial of Service... 2 7.2 Targets of DoS attacks... 2 7.3 Purpose of flood attacks... 2 7.4 Packets used during flood attacks...

More information

Open Access Research on the Prediction Model of Material Cost Based on Data Mining

Open Access Research on the Prediction Model of Material Cost Based on Data Mining Send Orders for Reprints to reprints@benthamscience.ae 1062 The Open Mechanical Engineering Journal, 2015, 9, 1062-1066 Open Access Research on the Prediction Model of Material Cost Based on Data Mining

More information

A Defense System for DDoS Application Layer Attack Based on User Rating

A Defense System for DDoS Application Layer Attack Based on User Rating 4th International Conference on Advanced Materials and Information Technology Processing (AMITP 216) A Defense System for DDoS Application Layer Attack Based on User Rating Gaojun Jiang1, a, Zhengping

More information

COMPARISON OF THE ACCURACY OF BIVARIATE REGRESSION AND BOX PLOT ANALYSIS IN DETECTING DDOS ATTACKS

COMPARISON OF THE ACCURACY OF BIVARIATE REGRESSION AND BOX PLOT ANALYSIS IN DETECTING DDOS ATTACKS International Journal of Electronics and Communication Engineering & Technology (IJECET) Volume 6, Issue 12, Dec 2015, pp. 43-48, Article ID: IJECET_06_12_007 Available online at http://www.iaeme.com/ijecetissues.asp?jtype=ijecet&vtype=6&itype=12

More information

The Analysis of Traffic of IP Packets using CGH. Self Organizing Map

The Analysis of Traffic of IP Packets using CGH. Self Organizing Map 2015 International Conference on Computational Science and Computational Intelligence The Analysis of Traffic of IP Packets using CGH Self Organizing Maps Hiroshi Dozono Department of Advanced Fusion Saga

More information

An Adaptive Neuron AQM for a Stable Internet

An Adaptive Neuron AQM for a Stable Internet An Adaptive Neuron AQM for a Stable Internet Jinsheng Sun and Moshe Zukerman The ARC Special Research Centre for Ultra-Broadband Information Networks, Department of Electrical and Electronic Engineering,

More information

Analysis of Cluster-Based Energy-Dynamic Routing Protocols in WSN

Analysis of Cluster-Based Energy-Dynamic Routing Protocols in WSN Analysis of Cluster-Based Energy-Dynamic Routing Protocols in WSN Mr. V. Narsing Rao 1, Dr.K.Bhargavi 2 1,2 Asst. Professor in CSE Dept., Sphoorthy Engineering College, Hyderabad Abstract- Wireless Sensor

More information

EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS

EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS Emil Kuriakose John 1 and Sumaiya Thaseen 2 1 School of Information Technology and Engineering, VIT University, Vellore, Tamil Nadu, India ekj171@gmail.com

More information

Review of Multistage Cyber Attack

Review of Multistage Cyber Attack Review of Multistage Cyber Attack Kuldeep Singh Priyanka Singh Pradeep Kumar Singh Dept. of CS & E Dept. of CS & E Assistant Professor Amity University Amity University Dept. of CS & E Noida, U.P, INDIA

More information
