ASTVA: DDoS-limiting Architecture for Next Generation Internet

Security is an important consideration in next generation Internet, where Distributed Denial of Service (DDoS) attack is still a serious threat, especially when Internet of Things is taken into account. To defend against DDoS, capability based Traffic Validation Architecture (TVA) is an excellent candidate. However, there are some shortcomings which make it not so practical, e.g., it has large capability overhead and some DoS attacks could escape from it. To overcome these problems, we proposed the autonomic system based architecture: ASTVA, which created and verified capability using autonomic system as the basic defense unit. In ASTVA, two kinds of sub-capabilities were provided and serveral system security levels were given by mixing the two kinds of sub-capabilities; several key parameters were adjusted dynamically to enhance system flexibility; and an anti-shrew function was added to TVA to make it more robust against low-rate DoS attacks. Finally, we gave out several simulation tests and the results show that ASTVA is more robust and flexible than TVA and is more practical to real world security.