本篇論文針對網路錯誤與網路威脅，提出一個統合式系統框架的解決方案，此系統框架可以同時解決這兩種問題。而且問題的性質可分為兩大類，第一類為無人為意圖情況下所發生的網路錯誤問題，另一類為軟體潛在弱點被人為蓄意攻擊的問題。
因此，我們提出了兩種方法去解決此問題，並且可以同時對抗拒絕存取服務攻擊 (denial of service attack)，網路服務品質攻擊 (quality of service attack) 和網路服務品質錯誤點 (quality of service fault) 的情況。而且對於分散式拒絕存取服務 (distributed denial of service) 透過此系統框架也可以有效偵測異常流量與確認攻擊路徑。此系統框架可經由ant colony system-based的方法快速地過濾異常封包和確認攻擊者來源，達到降低網路威脅的傷害和有效防範的目的。
此外，此系統框架針對在軟體定義網路 (software defined networking) 環境下，也運用spectrum-based軟體錯誤定位方法，此方法可以很精確地診斷出網路環境中的錯誤點，以及多重QoS fault的問題。最後，實驗結果證明所提出的方法能夠有效率，並且準確的找出攻擊來源和錯誤點。

In our work, we propose a unified framework to combine security faults and threats into a generalized behavior. That is, one is the unintended activity to trigger network faults and the other is the manual attack to trigger potential software vulnerability. We therefore propose two methods for dealing with spectrum-based software fault localization method for diagnosing network faults and multiple QoS fault cases. We also propose a network threat fast filtering and identification system by ant agent system to defend against DoS attack, QoS attack and QoS fault cases and an ant colony system for distributed detection and identification of DDoS attacks. As a result, the unified model has better performance than other methods in efficiency and effectiveness from our experiments.

Contents
摘要 i
Abstract ii
誌謝 iii
List of Figures vii
List of Tables ix
Chapter 1 Introduction 1
1.1 Anomaly Traffic Detection and Attack Path Identification Problem 1
1.2 System Design and Analysis Countermeasure to Low-Rate Distributed Denial of Service Problem 4
1.3 Software Fault Localization Technique Solving Network Fault Localization Problem 5
1.4 Problem Assumptions and System Architecture 6
1.5 Contributions 9
1.6 Organization 10
Chapter 2 Related Work 11
2.1 UTFACO to DoS and QoS 11
2.1.1 Traditional methods and meta-heuristic technique for DoS 11
2.1 2 QoS fault and QoS attack 13
2.2 Traceback techniques analysis to LDDoS attack 14
2.3 SFL methods to NFL 15
2.4 Summary 17
Chapter 3 A Unified Ant Agent Framework for Solving DoS and QoS Problems 20
3.1 UTFACO Framework 20
3.1.1 Background 20
3.1.2 Notation 21
3.1.3 Network Parameter Filter 22
3.1.4 QoS Fault Filter 22
3.1.5 State Transition Rule 23
3.1.6 Global and Local Updating Rules 24
3.1.7 Termination Condition 25
3.1.8 Advanced Counting BF 26
3.1.9 Hard Computing and Convergence 27
3.1.10 UTFACO Framework Flow 29
3.2. Experimental Design and Analysis 33
3.2.1 Measurement Indices 34
3.2.2 General Experiment 35
3.2.3 Experiment for Traffic Volume Increases 36
3.2.4 Comparison between Attack Source Identification Techniques 37
3.2.5 Efficiency of UTFACO with BF under DoS Attack 42
3.2.6 QoS Fault Experiment 43
3.2.7 QoS Attack Experiment 44
3.2.8 Theoretical Deduction and Discussion 45
3.2.8.1 Network Topology Analysis of the Minimum Flow, PPM, and ACO Methods 45
3.2.8.2 Extended Problem to DDoS Attack 48
Chapter 4 LDDoS Attack Detection by Using Ant Colony Optimization Algorithms 49
4.1. DDIACS Framework 49
4.1.1 Proposed Framework for Resolving an LDDoS Attack 49
4.1.2 Notations 51
4.1.3 Information Heuristic 52
4.1.4 State Transition Rule 53
4.1.5 Global and Local Searching Rule 54
4.1.6 Candidate List and Termination Condition 55
4.1.7 Backward and Forward Search 55
4.1.8 Complexity Analysis of the DDIACS Framework and Comparison Algorithms 58
4.2. System Design and Analysis 62
4.2.1 Design of the Experiment 62
4.2.2 Assumptions in Experimental Designs 63
4.2.3 Measurements 64
4.2.4 DDIACS Framework under an LDDoS Attack 64
4.2.5 DDIACS Framework Comparison with the other Algorithms 66
4.2.6 Parameter Design and Analysis 67
Chapter 5 Diagnosing SDN Network Problems by Using Spectrum-based Fault Localization Techniques 71
5.1 SSFL System Architecture 71
5.2 MUTFACO and MFMF Algorithms 74
5.2.1 MUTFACO 74
5.2.2 MFMF 78
5.2.3 Complexity Validation for MUTFACO and MFMF 80
5.2.4 Features of MUTFACO 81
5.3 Experimental Design and Analysis 81
5.3.1 System Implementation 83
5.3.2 Assumptions of Four Scenarios 83
5.3.3 NFL Experimental Environment 85
5.3.4 Multiple Faults Experiment 89
5.3.5 Service Application Layer of the SDN Experiment 90
Chapter 6 Conclusions 93
Bibliography 95

List of Figures
Fig. 1. Network topology of the attacker (fault), router (immediate router), victim (start router), and sender (end router). 7
Fig. 2. Unified network diagnosis framework. 8
Fig. 3. The system scope and layer approach to network threats and network faults. 9
Fig. 4. Network parameter filter flow. 22
Fig. 5. Route-based termination filter. 26
Fig. 6. Counting BF. 27
Fig. 7. The three cases of network topology function. 29
Fig. 8. Pseudo code for the UTFACO with BF and UTFACO without BF framework. 33
Fig. 9. Detection and identification procedures of the DDIACS framework. 50
Fig. 10. DDIACS framework in the LDDoS Problem. 50
Fig. 11. Manipulation procedure of the BFS method. 56
Fig. 12. Time complexity of the BFS method in best and worst cases. 57
Fig. 13. Time analysis of the PPM algorithm. 59
Fig. 14. Time analysis of the DDIACS framework. 60
Fig. 15. Pseudo codes of the DDIACS framework. 61
Fig. 16. SSFL system architecture. 71
Fig. 17. The function flow of MUTFACO method. 75
Fig. 18. Pseudo code for the MUTFACO algorithm. 80
Fig. 19. Pseudo code for the multiple fault minimum flow algorithm. 80
Fig. 20. Network experiment environment on ODL-SDN. 82
Fig. 21. Spanning tree case. 84
Fig. 22. The fit curves for MUTFACO and MFMF. Circle dot line represents the MUTFACO method and star dot line represents the MFMF method. 89
Fig. 23. SDN L2_forwarding service application with coverage and execution results for each test case. 92

List of Tables
Table 1. The comparison of UTFACO, DDIACS and SSFL with other methods to problem-solving. 18
Table 2. The comparison of UTF framework with other methods to pros and cons. 19
Table 3. Parameters of the UTFACO framework. 21
Table 4. Simulation parameters for router. 33
Table 5. Results of UTFACO with network topology parameter filter with significant traffic flow. 35
Table 6. Effects of various traffic volume increases on DoSIA. 36
Table 7. Effects of various traffic volume increases on DoSIB. 37
Table 8. Effects of various traffic volume increases on DoSIC. 37
Table 9. Effects of various traffic volume increases on DoSID. 37
Table 10. Effects of various traffic volume increases on DoSIE. 37
Table 11. Effects of various traffic volume increases on DoSIF. 37
Table 12. Parameters q0, β, ρ and α. 37
Table 13. Variance in traffic volume increases. 37
Table 14. Detection accuracy relationship between traffic increase and marking probability for epzx. 39
Table 15. Detection accuracy relationship between traffic increase and marking probability for epcv. 39
Table 16. Detection accuracy relationship between traffic increase and marking probability for epbn. 39
Table 17. Detection accuracy relationship between traffic increase and marking probability for epqw. 39
Table 18. Detection accuracy relationship between traffic increase and marking probability for eper. 39
Table 19. Detection accuracy relationship between traffic increase and marking probability for epty. 39
Table 20. Mean and deviation of accuracy comparison with the PPM approach. 40
Table 21. Relationship between traffic increase and AS parameters for fwmn. 40
Table 22. Relationship between traffic increase and AS parameters for fwbv. 40
Table 23. Relationship between traffic increase and AS parameters for fwcx. 40
Table 24. Relationship between traffic increase and AS parameters for fwza. 40
Table 25. Relationship between traffic increase and AS parameters for fwlk. 40
Table 26. Relationship between traffic increase and AS parameters for fwjh. 41
Table 27. Comparison between UTFACO and other attack source identification techniques. 42
Table 28. Comparison of UTFACO and UTFACO with the BF for the alpha experiment. 42
Table 29. Comparison of UTFACO and UTFACO with the BF for the beta experiment. 42
Table 30. Comparison of UTFACO and UTFACO with the BF for the gamma experiment. 43
Table 31. Comparison of UTFACO and UTFACO with the BF for the delta experiment. 43
Table 32. Comparison of UTFACO and UTFACO with the BF for the epsilon experiment. 43
Table 33. Comparison of UTFACO and UTFACO with the BF for the digamma experiment 43
Table 34. Results of the QoS fault localization for QFA. 44
Table 35. Results of the QoS fault localization for QFB. 44
Table 36. Results of the QoS fault localization for QFC. 44
Table 37. Results of the QoS fault localization for QFD. 44
Table 38. Results of the QoS attack for QAA. 45
Table 39. Results of the QoS attack for QAB. 45
Table 40. Results of the QoS attack for QAC. 45
Table 41. Results of the QoS attack for QAD. 45
Table 42. Parameters of the DDIACS framework. 52
Table 43. Complexity analysis for the DDIACS framework and the other algorithms. 60
Table 44. Simulation parameters for router. 63
Table 45. DDIACS runs on by ESC. 65
Table 46. DDIACS runs on by EFR. 65
Table 47. DDIACS runs on by ETR. 65
Table 48. DDIACS runs on by EFO. 65
Table 49. DDIACS runs on by EFV. 65
Table 50. DDIACS runs on by ESX. 65
Table 51. DR and AR comparison in different experiments. 65
Table 52. Comparison of the DDIACS framework and RACS. 66
Table 53. Comparison of the DDIACS framework and AS. 67
Table 54. DR to ATI. 68
Table 55. DR to ARV. 68
Table 56. DR to ARDR. 68
Table 57. DR to ARSR. 68
Table 58. DR to NI. 68
Table 59. DR to NA. 68
Table 60. DR to Istop. 68
Table 61. DR to ATI. 68
Table 62. AR to ARV. 69
Table 63. AR to ARDR. 69
Table 64. AR to ARSR. 69
Table 65. AR to NI. 69
Table 66. AR to NA. 69
Table 67. AR to Istop. 69
Table 68. Parameters of the MUTFACO method. 75
Table 69. Coefficient comparison methods to suspicious rank list for single fault. 86
Table 70. Coefficient comparison methods to suspicious rank list for multiple faults. 87
Table 71. SFL for network fault localization of 4 bugs. 88
Table 72. MUTFACO method comparison with multiple fault minimum flow method 88
(numbers of faults are ten). 88
Table 73. MUTFACO method comparison with multiple fault minimum flow method 88
(numbers of faults are twenty). 88
Table 74. MUTFACO method comparison with multiple fault minimum flow method 88
(numbers of faults are fifty). 88
Table 75. MUTFACO method comparison with multiple fault minimum flow method 88
(numbers of faults are hundred). 88
Table 76. MUTFACO method comparison with multiple fault minimum flow method 88
(numbers of faults are five hundred). 88
Table 77. Comparisons between SFL and NFL. 91
Table 78. Service application layer to NFL on SDN. 92

[1] S. Tritilanunt, T. Salakit, and P. Achwacheewanthomkul, "IP traceback system for denial-of-service attacks," in Proceedings of the IEEE International Conference on Information Science, Electronics and Electrical Engineering, Sapporo, 2014, pp. 1868-1871.
[2] U. Tupakula and V. Varadharajan, "Securing mobile devices from DoS attacks," in Proceedings of the IEEE 16th International Conference on Computational Science and Engineering, Sydney, NSW, 2013, pp. 34-41.
[3] M. Alenezi and M. J. Reed, "Traceback of DoS over autonomous systems," International Journal of Network Security & Its Applications, Vol. 5, pp. 131-142, 2013.
[4] B. Liu, J. Bi, and X. Yang, "FaaS: filtering IP spoofing traffic as a service," in Proceedings of the ACM SIGCOMM, NY, USA, 2012, pp. 113-114.
[5] D. Wei and N. Ansari, "Implementing IP traceback in the internet – an ISP perspective," in Proceedings of the 3th Workshop on Information Assurance United States Military Academy, 2002, pp. 326-332.
[6] H.-H. Chen and W. Yang, "The Design and implementation of a practical meta-heuristic for the detection and identification of denial-of-service attack using hybrid approach," in Proceedings of the IEEE 2th International Conference on Machine Learning and Computing (ICMLC 2010), Bangalore, India, 2010, pp. 47-51.
[7] M. Dorigo and L. M. Gambardella, "Ant colony system: a cooperative learning approach to the traveling salesman problem," IEEE Transactions on Evolutionary Computation, Vol. 1, pp. 53-66, 1997.
[8] H. Jiang, Q. Yu, and Y. Huang, "An improved ant colony algorithm for urban transit network optimization," in Proceedings of the 6th International Conference on Natural Computation, Yantai, Shandong, 2010, pp. 2739-2743.
[9] D. Yan, Y. L. Wang, S. Su, and F. C. Yang, "An efficient collaborative traceback scheme based on packet digests logging," in Proceedings of the 10th International Conference on Computer Information Technology, Bradford, 2010, pp. 2811-2815.
[10] S. M. Bellovin, ICMP traceback messages, http://tools.ietf.org/html/draft-ietf-itrace-04.
[11] H. Guerid, A. Serhrouchni, M. Achemlal, and K. Mitting, "A novel traceback approach for direct and reflected ICMP attacks," in Proceedings of Conference on Network and Information Systems Security, La Rochelle, 2011, pp. 1-5.
[12] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Network support for IP traceback," IEEE/ACM Transactions on Networking, Vol. 9, pp. 226-237, 2001.
[13] A. Shevtekarand N. Ansari, "Do low rate DoS attacks affect QoS sensitive VoIP traffic," in Proceedings of the IEEE International Conference on Communications, Istanbul, 2006, pp. 2153-2158.
[14] G. H. Lai, C. M. Chen, B. C. Jeng, and W. Chao, "Ant-based IP traceback," Expert Systems with Application, Vol. 34, pp. 3071-3080, 2008.
[15] B. H. Bloom, "Space/time trade-offs in hash coding with allowable errors," Communications of the ACM, Vol. 13, pp. 422-426, 1970.
[16] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent, and W. T. Strayer, "Single-packet IP traceback," IEEE/ACM Transactions on Networking, Vol. 10, pp. 721-734, 2002.
[17] A. Shevtekar and N. Ansari, "Is it congestion or a DDoS attack?" IEEE Communications Letters, Vol. 13, pp. 546-548, 2009.
[18] W. Zhijun, M. Lan, W. Minghua, Y. Meng, and W. Lu, "Research on time synchronization and flow aggregation in LDDoS attack based on cross-correlation," in Proceedings of the 11th International Conference on Trust, Security and Privacy in Computing and Communications, Liverpool, 2012, pp. 25-32.
[19] H. Aljifri, "IP traceback: a new denial-of-service deterrent?" IEEE Security & Privacy, Vol. 1, pp. 24-31, 2003.
[20] M. Dorigo, V. Maniezzo, and A. Colorni, "Ant system: optimization by a colony of cooperating agents," IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, Vol. 26, pp. 29-41, 1996.
[21] P. Wang, T. C. Wang, P. T. Kuo, and C. P. Wang, "An analysis model of botnet tracking based on ant colony optimization algorithm," in Proceedings of the 6th International Conference on Networking Computing and Advanced Information Management, Seoul, 2010, pp. 606-611.
[22] M. Hamedi-Hamzehkolaieand M. J. Shamani, "Ant colony traceback for low rate DoS attack," International Journal of Computer Applications, Special Issue on Computational Intelligence & Information Security, pp. 22-26, 2012.
[23] N. Arumugan and C. Venkatesh, "Ant system algorithm based IP traceback method to detect dential of service attack on data network," Australian Journal of Basic and Applied Sciences, Vol. 7, pp. 732-741, 2013.
[24] D. Juneja and N. Arora, "An ant based frameworks for preventing DDoS attack in wireless sensor networks," International Journal of Advancements in Technology, Vol. 1, pp. 34-44, 2010.
[25] Massachusetts Institute Technology, MIT 2000 DARPA intrusion detection evaluation data set, MIT Lincoln Laboratory, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html.
[26] KDDCup99 Data, Cost-based modeling and evaluation for data mining with application to fraud and intrusion detection, from MIT Lincoln Laboratory dataset, http://kdd.ics.uci.edu/databases/kddcup99/task.html.
[27] S. T. Zargar, J. Joshi, and D. Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks," IEEE Communications Surveys & Tutorials, Vol. 15, pp. 2046-2069, 2013.
[28] X. Zhang, Z. Zhou, and G. Hasker, "Network fault localization with small TCB," in Proceedings of the 19th International Conference on Network Protocols, 2011, pp. 143-154.
[29] B. Patil, S. Kinger, and V. K. Pathak, "Probe station placement algorithm for probe set reduction in network fault localization," in Proceedings of the International Conference on Information System and Computer Networks, Singapore, 2013, pp. 164-169.
[30] A. Johnsson and C. Meirosu, "Towards automatic network fault localization in real time using probabilistic inference," in Proceedings of the IEEE International Symposium on Integrated Network Management, Ghent, 2013, pp. 1393-1398.
[31] T. Inoue, T. Mano, K. Mizutani, S. -I. Minato, and O. Akashi, "Rethinking packet classification for global network view of software-defined networking," in Proceedings of the 22th International Conference on Network Protocols, Raleigh, NC, 2014, pp. 296-307.
[32] W. E. Wong and Y. Ui, "BP neural network-based effective fault localization," International Journal of Software Engineering and Knowledge Engineering, Vol. 19, pp. 573-597, 2009.
[33] W. E. Wong and V. Debroy, "A survey of software fault localization," Technical Report UTDCS-45-09, University of Texas at Dallas, 2009.
[34] W. E. Wong, T. Wei, Y. Qi, and L. Zhao, "A crosstab-based statistical method for effective fault localization," in Proceedings of the International Conference on Software Testing, Verification and Validation, Lillehammer, 2008, pp. 42-51.
[35] H. Cleveand A. Zeller, "Locating causes of program failures," in Proceedings of the IEEE 27th International Conference on Software Engineering, 2005, pp. 342-351.
[36] M. Renieris and S.P. Reiss, "Fault localization with nearest neighbor queries," in Proceedings of the IEEE Automated Software Engineering, 2003, pp. 30-39.
[37] M.A. Feckoand M. Steinder, "Combinatorial designs in multiple faults localization for battlefield networks," in Proceedings of the Military Communication Conference, 2001, pp. 938-942.
[38] L. Chunfang, L. Lianzhong, and L. Xiangyu, "Software networks of Java class and application in fault localization," in Proceedings of the 2th International Conference on Intelligent System Design and Engineering Application, Sanya, Hainan, 2012, pp. 1117-1120.
[39] K. Park and H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," in Proceedings of ACM SIGCOMM, San Diego, California, USA, 2001, pp. 15-26.
[40] E. Toth, Z. Hornak, and G. Toth, "Protection system against overload and distributed denial of service attacks," in Proceedings of the 3th International Conference on Dependability of Computer Systems, Szklarska Poreba, 2008, pp. 195-202.
[41] M. Abliz, "Internet denial of service attacks and defense mechanisms," Technical Report, Department of Computer Science, University of Pittsburgh, 2011.
[42] R. Stone, "Centertrack: an IP overlay network for tracking DoS floods," in Proceedings of the USENIX Security Symposium, CA, USA, 2000, pp. 199-212.
[43] Y. Bhavani, V. Janaki, and R. Sridevi, "IP traceback through modified probabilistic packet marking algorithm," in Proceedings of Region 10 Conference on TENCON, Xi'an, 2013, pp. 1-5.
[44] S. Fowler, S. Zeadally, and N. Chilamkurti, "Impact of denial of service solutions on network quality of service," Security and Communication Networks, Vol. 4, pp. 1089-1103, 2011.
[45] A. Garga nd A. L. N. Reddy, "Mitigation of DoS attacks through QoS regulation," in Proceedings of the IEEE International Workshop on Quality of Service, 2002, pp. 45-53.
[46] E. Fulp, Z. Fu, D. S. Reeves, S. F. Wu, and X. Zhang, "Preventing denial of service attacks on quality of service," in Proceedings of the IEEE DARPA Information Survivability Conference on Exposition II, Anaheim, CA, 2001, pp. 159-172.
[47] L. Mchale, J. Casey, P. V. Gratz, and A. Sprintson, "Stochastic pre-classification for SDN data plane matching," in Proceedings of the IEEE 22nd International Conference on Network Protocols, Washington, DC, USA, 2014, pp. 596-602.
[48] P. Qwezarski, "On the impact of DoS attacks on internet traffic characteristics and QoS," in Proceedings of the IEEE 14th International Conference on Computer Communications and Networks, 2005, pp. 269-274.
[49] E. Chemeritskiy and R. Smelansky, "On QoS management in SDN by multipath routing," in Proceedings of the IEEE International Science and Technology Conference, Moscow, 2014, pp. 1-6.
[50] N. Yaakob, I. Khalil, H. Kumarage, M. Atiquzzaman, and Z. Tari, "By-passing infected areas in wireless sensor networks using BPR," IEEE Transactions on Computers, Vol. 64, pp. 1594-1606, 2015.
[51] A. Belghith, S. B. H. Said, B. Cousin, and S. Lahoud, "QoS fault detection and localization mechanisms (FDLM) in multi-domain networks adapted to export methods," in Proceedings of the IEEE 14th International Conference on Advanced Communication Technology, PyeongChang, 2012, pp. 848-853.
[52] G. Wang, Y. QIAO, X. QIU, and L. MENG, "An improved network performance anomaly detection and localization algorithm," in Proceddings of the IEEE 14th Asia-Pacific Network Operations and Management Symposium, Seoul, 2012, pp. 1-4.
[53] P. Barford, N. Duffield, A. Ron, and J. Sommers, "Network performance anomaly detection and localization," in Proceedings of the IEEE INFOCOM, Rio de Janeiro, 2009, pp. 1377-1385.
[54] X. Chen, J. Zhang, Y. Xiang, and W. Zhou, "Traffic identification in semi-known network environment," in Proceddings of the IEEE 16th International Conference on Computational Science and Engineering, Sydney, NSW, 2013, pp. 572-579.
[55] K. V. M. Naidu, D. Panigrahi, and R. Rastogi, "Detecting anomalies using end-to-end path measurements," in Proceedings of the IEEE INFOCOM, 2008, Phoenix, AZ, 2008, pp. 16-20.
[56] B. Sonkoly, F. Nemeth, L. Csikor, L. Gulyas, and A. Gulyas, "SDN based testbeds for evaluating and promoting multipath TCP," in Proceedings of the IEEE International Conference on Communications, Sydney, NSW, 2014, pp. 3044-3050.
[57] M. Dorigo, V. Maniezzo, and A. Colorni, "Ant system: an autocatalytic optimizing process," Technical Report, Department of Electronical Information, Politecnico di Milano, 1991.
[58] M. T. Goodrich, "Probabilistic packet marking for large-scale IP traceback," IEEE/ACM Transactions on Networking, Vol. 16, pp. 15-24, 2008.
[59] P. Sattari, M. Gjoka, and A. Markopoulou, "A Network Coding Approach to IP Traceback," in Proceedings of the International Conference on Networking Coding, Toronto, ON, 2010, pp. 1-6.
[60] H. Aqrawaland J. R. Horqan, "Dynamic program slicing," in Proceedings of ACM SIGPLAN Conference on Programming language design and implementation, New York, NY, USA, 1990, pp. 246-256.
[61] M. Weiser, "Program slicing," in Proceedings of the ACM 5th International Conference on Software Engineering, NJ, USA, 1981, pp. 439-449.
[62] S. -S. Choi, S. -H. Cha, and C. C. Tappert, "A survey of binary similarity and distance measures," Journal of Systemics, Cybernetics and Informatics, Vol. 8, pp. 43-48, 2010.
[63] O. N. Fundation, Openflow. http://www.openflow.org.
[64] M. Canini, D. Venzano, P. Peresini, D. Kostic, and J. Rexford. A NICE way to test openflow applications, in Proceedings of the ACM 9th USENIX conference on Networked Systems Design and Implementation, Berkeley, CA, USA, 2012, pp. 127-140.
[65] N. Handigol, B. Heller, V. Jeyakumar, D. Mazieres, and N. Mckeown, Where is the debugger for software-defined network, in Proceedings of the first workshop on Hot topics in software defined networks, NY, USA, 2012, pp. 55-60.
[66] W. E. Wong, V. Debroy, G. Ruizhi, and L. Yihao, "The DStar method for effective software fault localization," IEEE Transactions on Reliability, Vol. 63, pp. 290-308, 2013.
[67] R. Abreu, P. Zoeteweij, R. Golsteijn, and A. J. C. V. Gemund, "A practical evaluation of spectrum-based fault localization," Journal of Systems and Software, Vol. 82, pp. 1780-1792, 2009.
[68] J. A. Jones and M. J. Harrold, "Empirical evaluation of the tarantula automatic fault-localization technique," in Proceedings of the IEEE 20th International Conference on Automated Software Engineering, NY, USA, 2005, pp. 273-282.
[69] L. Naish, H. J. Lee, and K. Ramamohanarao, "A model for spectra-based software diagnosis," ACM Transactions on Software Engineering Methodology, Vol. 20, pp. 1-37, 2011.
[70] A. M. Rao, S. Varadarajan, and M. N. G. Prasad, "Cross-layer based QOS routing protocol analysis based on nodes for 802.16 WIMAX networks," International Journal of Advances in Engineering and Technology, Vol. 1, pp. 290-298, 2011.
[71] M. Hamedid-Hamzehkolaie, R. Sanei, C. Chen, and X. Tian, "Bee-based IP traceback," in Proceedings of the 11th International Conference on Fuzzy Systems and Knowledge Discovery, Xiamen, 2014, pp. 968-972.
[72] G. Mahalakshmi and P. Subathra, "A survey on prevention approaches for denial of sleep attacks in wireless networks," Journal of Emerging Technologies in Web Intelligence, Vol. 6, pp. 106-110, 2014.
[73] L. A. Wuand W. Q. Fan, "A parameter model of genetic algorithm regulating ant colony algorithm," in Proceedings of the 9th International Conference on e-Business Engineering, Hangzhou, 2012, pp. 50-54.
[74] M. Dorigo, E. Bonabeau, and G. Theraulaz, "Ant algorithms and stigmergy," Future Generation Computer Systems, Vol. 16, pp. 851-871, 2000.
[75] L. M. Gambardellaand M. Dorigo, "Ant-Q: a reinforcement learning approach to the traveling salesman problem," in Proceedings of the 12th International Conference on Machine Learning, 1995, pp. 252-260.
[76] L. Fan, P. Cao, J. Almeida, and A. Z. Broder, "Summary cache: a scalable widearea web cache sharing protocol," IEEE/ACM Transactions on Networking, Vol. 8, pp. 281-293, 2000.
[77] L. A. Zadeh, "Fuzzy logic, neural networks, and soft computing," in Proceedings of IEEE International Workshop Neuro Fuzzy Control, NY, USA, 1993, pp. 1-3.
[78] H. R. Dhasianand P. Balasubramanian, "Survey of data affirmation techniques using soft computing in wireless sensor networks," IET Information Security, Vol. 7, pp. 336-342, 2013.
[79] A. M. Wildberger, "Overview of exploratory research in soft computing applications to power systems at the electric power research institute," in Proceedings of the International Conference on Systems, Man and Cybernetics, Vancouver, BC, 1995, pp. 2007-2012.
[80] Q. Zhu, Z. Yizhi, and X. Chuiyi, "Research and survey of low-rate denial of service attacks," in Proceedings of the 13th International Conference on Advanced Communication Technology, Seoul, 2011, pp. 1195-1198.
[81] C. Zhang, Z. Cai, W. Chen, X. Luo, and J. Yin, "Flow level detection and filtering of low-rate DDoS," Computer Networks, Vol. 56, pp. 3417-3431, 2012.
[82] H.-H. Chen and S.-K. Huang, "A Multi-Agent Intelligence Hybrid System Technique for Detection and Defense of DDoS Attacks," in Proceedings of the IOS International Computer Symposium (ICS 2014), Taichung, Taiwan, 2014, pp. 125-139.
[83] P. Shinde and S. Guntupalli, "Early DoS attack detection using smoothend time-series and wavelet analysis," in Proceedings of the 3th International Symposium on Information Assurance and Security, 2007, pp. 215-220.
[84] A. Boneh and M. Hofri, "The coupon-collector problem revisited - a survey of engineering problems and computational methods," Stochastic Models, Vol. 13, pp. 39-66, 1997.
[85] W. Feller, An Introduction to Probability Theory and Its Applications, Wiley, 1966.
[86] M. Effros, "PPM performance with BWT complexity: a fast and effective data compression algorithm," in Proceedngs of IEEE, Vol. 88, 2000, pp. 1703-1712.
[87] M. H. Yangand M. C. Yang, "RIHT: A novel hybrid IP traceback scheme," IEEE Transactions on Information Forensics and Security, Vol. 7, pp. 789-797, 2002.
[88] J. Sommers, V. Yegneswaran, and P. Barford, "A framework for malicious workload generation," in Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, NY, USA, 2004, pp. 82-87.
[89] L. P. Swiler, C. Phillips, D. Ellis, and S. Chakerian, "Computer-attack graph generation tool," in Proceedings of the IEEE DARPA Information Survuvability Conference and Exposition II, Anaheim, CA, 2001, pp. 307-321.
[90] H. -H. Chen, H. -L. Lu, S. -K. Huang, R. Gao, and W. E. Wong, "Diagnosing SDN Network Problems by Using Spectrum-based Fault Localization Techniques," in Proceedings of the IEEE International Conference on Software Quality, Reliability & Security (QRS 2015), Vancouver, Canada, 2015, pp. 121-127.
[91] P. Kazemian, G. Varghese, and N. Mckeown, "Header space analysis: static checking for networks," in Proceedings of the 9th Conference on Networked Systems Design and Implementation, Berkeley, CA, USA, 2012, pp. 1-14.
[92] A. M. Koushika and S. T. Selvi, "Load valancing using software defined networking in cloud environment," in Proceedings of the International Conference on Recent Trends in Information Technology, Chennai, 2014, pp. 1-8.
[93] Minimum-cost flow, https://en.wikipedia.org/wiki/Minimum-cost_flow_problem.
[94] R. Durairajan, J. Sommers, and P. Barford, "Controller-agnostic SDN Debugging," in Proceedings of the ACM 10th International Conference on Emerging Networking Experiments and Technologies, NY, USA, 2014, pp. 227-234.
[95] K. Agarwal, E. Rozner, C. Dixon, and J. Carter, "SDN traceroute: tracing SDN forwarding without changing network behavior," in Proceedings of the ACM 3th workshop on Hot topics in software defined networking, NY, USA, 2014, pp. 45-150.
[96] H. -H. Chen, C. -H. Lee, and S. -K. Huang, "A Unified Ant Agent Framework for Solving DoS and QoS Problems," Journal of Information Science and Engineering, 2016. (accepted, SCI)
[97] H. -H. Chen and S. -K. Huang, "LDDoS Attack Detection by Using Ant Colony Optimization Algorithms," Journal of Information Science and Engineering, Vol. 32, pp. 995-1020, 2015. (SCI)
[98] H. -H. Chen, H. -L. Lu, S. -K. Huang, R. Gao, and W. E. Wong, "Diagnosing Software Defined Network by Using Software Fault Localization Methods," submitted to Journal of Systems and Software, 2016. (SCI)
[99] H. -H. Chen, D. -Q. Zheng, and S. -K. Huang, "Automatic Defense by Fault Localization and Dynamic Patch," submitted to IEEE International Conference on Software Quality, Reliability & Security (QRS 2016), Vienna, Austria, 2016.
[100] Y. -D. Lin, F. -Z. Liao, H. -H. Chen, S. -K. Huang and Y. -C. Lai, "Browser Fuzzing by Scheduled Mutation and Generation of Document Object Models," to be submitted to Journal of Systems and Software, 2016. (SCI)