软件定义网络DDoS联合检测系统

doi:10.16511/j.cnki.qhdxxb.2018.26.049

摘要
图/表
参考文献
相关文章
Metrics

全文: PDF(1121 KB)
输出: BibTeX | EndNote (RIS)

摘要分布式拒绝服务（distributed denial-of-service，DDoS）攻击已成为网络安全的最大威胁之一。传统的对抗方式如入侵检测、流量过滤和多重验证等，受限于静态的网络架构，存在明显的缺陷。软件定义网络（software-defined networking，SDN）作为一种新型动态网络体系，其数控分离、集中控制与动态可编程等特性颠覆了现有的网络架构，为对抗DDoS攻击提供了新的思路。现有基于SDN的DDoS防护方案处于研究的起步阶段，且存在较多问题。针对现有方案中检测周期过小将导致系统开销大的问题，该文提出由触发检测和深度检测相结合的DDoS联合检测方案，将低开销、粗粒度的触发检测算法与高精度、细粒度的深度检测算法相结合，在保障高检测精度的前提下降低了系统的复杂度；同时，在Mininet平台上实现了基于SDN的DDoS攻击检测系统，设计实验对系统进行测试和评估。实验结果表明：该系统具有开销小、检测准确率高的特性，实用价值较强。

	服务

	把本文推荐给朋友
	加入引用管理器
	E-mail Alert
	RSS

	作者相关文章
	宋宇波
	杨慧文
	武威
	胡爱群
	高尚

关键词 ：分布式拒绝服务攻击, 软件定义网络, 异常检测, 集成学习

Abstract：Distributed denial-of-service (DDoS) attacks, which are becoming increasingly serious, have become one of the biggest threats to network security. Traditional defense mechanisms such as instruction detection, traffic filtering and multiple authentication are limited to static networks, which leads to obvious drawbacks. Software-defined networking (SDN) is a typical dynamic network that provides defenses against DDoS. The existing SDN-based DDoS protection solutions are still in development with many problems that need improvement. A DDoS detection scheme combined with trigger detection and in-depth detection is given here to shorten the detection period with low system overhead. A low-overhead, coarse-grained trigger detection algorithm is integrated with a precise, fine-grained, in-depth detection algorithm to reduce system complexity while ensuring high detection accuracy. An SDN DDoS detection system has been implemented on the Mininet platform to test and evaluate the system. The test show that the detection system has low system overhead, high detection accuracy, and strong practical value.

Key words： distributed denial-of-service attack software-defined networking anomaly detection ensemble learning

收稿日期: 2018-06-10 出版日期: 2019-01-16

基金资助:国家电网总部科技资助项目（SGGR0000XTJS1800079）

引用本文:

宋宇波, 杨慧文, 武威, 胡爱群, 高尚. 软件定义网络DDoS联合检测系统[J]. 清华大学学报（自然科学版）, 2019, 59(1): 28-35.
SONG Yubo, YANG Huiwen, WU Wei, HU Aiqun, GAO Shang. Joint DDoS detection system based on software-defined networking. Journal of Tsinghua University(Science and Technology), 2019, 59(1): 28-35.

链接本文:

http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.26.049 或 http://jst.tsinghuajournals.com/CN/Y2019/V59/I1/28

图１联合检测系统架构

表１流表项计数器信息

图２改进的 CUSUM 算法流程

表２表征网络流量变化的典型特征

图３ AdaBoost算法

表３表征网络流量变化的特征

图４胖树网络拓扑

表４４种实验类型

表５４种实验的检测精确度

图５攻击检测算法的归一化混淆矩阵

图６攻击检测算法的 ROC曲线

表６检测方案准确率对比

图７ AdaBoost算法与改进的 CUSUM 算法的 CPU占用率

图８基于滑动时间窗的特征构造对判决时间的影响

[1] DIXIT A, HAO F, MUKHERJEE S, et al. Towards an elastic distributed SDN controller[C]//Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. Hong Kong, China:ACM, 2013:7-12.
[2] GAO S, LI Z, XIAO B, et al. Security threats in the data plane of software-defined networks[J]. IEEE Network, 2018, 32(4):108-113.
[3] DAO N N, PARK J, PARK M, et al. A feasible method to combat against DDoS attack in SDN network[C]//Proceedings of 2015 International Conference on Information Networking. Siem Reap, Cambodia:IEEE, 2015:309-311.
[4] GIOTIS K, ARGYROPOULOS C, ANDROULIDAKIS G, et al. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments[J]. Computer Networks, 2014, 62:122-136.
[5] MOUSAVI S M, ST-HILAIRE M. Early detection of DDoS attacks against SDN controllers[C]//Proceedings of 2015 International Conference on Computing, Networking and Communications. Garden Grove, USA:IEEE, 2015:77-81.
[6] CONTI M, GANGWAL A, GAUR M S. A comprehensive and effective mechanism for DDoS detection in SDN[C]//Proceedings of 2017 IEEE International Conference on Wireless and Mobile Computing, Networking and Communications. Rome, Italy:IEEE, 2017:1-8.
[7] WANG X L, CHEN M, XING C Y, et al. Defending DDoS attacks in software-defined networking based on legitimate source and destination IP address database[J]. IEICE Transactions on Information and Systems, 2016, 99(4):850-859.
[8] BRAGA B R, MOTA M E, PASSITO P A. Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]//Proceedings of the IEEE Local Computer Network Conference. Denver, USA:IEEE, 2010:408-415.
[9] 肖甫, 马俊青, 黄洵松, 等. SDN环境下基于KNN的DDoS攻击检测方法[J]. 南京邮电大学学报(自然科学版), 2015, 35(1):84-88. XIAO F, MA J Q, HUANG X S, et al. DDoS attack detection based on KNN in software defined networks[J]. Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition), 2015, 35(1):84-88. (in Chinese)
[10] GAO S, LI Z, YAO Y, et al. Software-defined firewall:Enabling malware traffic detection and programmable security control[C]//Proceedings of the 2018 on Asia Conference on Computer and Communications Security. Songdo, Korea:ACM, 2018:413-424.
[11] 左青云, 陈鸣, 王秀磊, 等. 一种基于SDN的在线流量异常检测方法[J]. 西安电子科技大学学报(自然科学版), 2015, 42(1):155-160. ZUO Q Y, CHEN M, WANG X L, et al. Online traffic anomaly detection method for SDN[J]. Journal of Xidian University, 2015, 42(1):155-160. (in Chinese)
[12] XU Y, LIU Y. DDoS attack detection under SDN context[C]//Proceedings of the IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications. San Francisco, USA:IEEE, 2016:1-9.
[13] DA SILVA A S, WICKBOLDT J A, GRANVILLE L Z, et al. ATLANTIC:A framework for anomaly traffic detection, classification, and mitigation in SDN[C]//Proceedings of the NOMS 2016-2016 IEEE/IFIP Network Operations and Management Symposium. Istanbul, Turkey:IEEE, 2016:27-35.
[14] NANDA S, ZAFARI F, DECUSATIS C, et al. Predicting network attack patterns in SDN using machine learning approach[C]//Proceedings of 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks. Palo Alto, USA:IEEE, 2016:167-172.
[15] GAO S, PENG Z, XIAO B, et al. FloodDefender:Protecting data and control plane resources under SDN-aimed DoS attacks[C]//Proceedings of INFOCOM 2017-IEEE Computer Communications Conference. Atlanta, USA:IEEE, 2017:1-9.
[16] BARKI L, SHIDLING A, METI N, et al. Detection of distributed denial of service attacks in software defined networks[C]//Proceedings of 2016 International Conference on Advances in Computing, Communications and Informatics. Jaipur, India:IEEE, 2016:2576-2581.

[1]	赵祺铭, 毕可鑫, 邱彤. 基于机器学习的乙烯裂解过程模型比较与集成[J]. 清华大学学报（自然科学版）, 2022, 62(9): 1450-1457.
[2]	平国楼, 曾婷玉, 叶晓俊. 基于评分迭代的无监督网络流量异常检测[J]. 清华大学学报（自然科学版）, 2022, 62(5): 819-824.
[3]	张庭, 陈智康, 刘斌. SDN流表更新的调度与快速响应[J]. 清华大学学报（自然科学版）, 2022, 62(5): 917-925.
[4]	高洋, 任望, 吴润浦, 王卫苹, 伊胜伟, 韩白静. 信息物理系统的攻击检测与安全状态估计[J]. 清华大学学报（自然科学版）, 2021, 61(11): 1234-1239.
[5]	王志国, 章毓晋. 监控视频异常检测：综述[J]. 清华大学学报（自然科学版）, 2020, 60(6): 518-529.
[6]	梁杰, 陈嘉豪, 张雪芹, 周悦, 林家骏. 基于独热编码和卷积神经网络的异常检测[J]. 清华大学学报（自然科学版）, 2019, 59(7): 523-529.
[7]	王开锋, 张琦, 刘畅, 杜亚珍, 陈宁宁, 高莺. 面向软件定义的铁路无线通信网络[J]. 清华大学学报（自然科学版）, 2019, 59(2): 142-147.
[8]	赵俊, 包丛笑, 李星. 软件定义网络中低成本流量数据采集算法[J]. 清华大学学报（自然科学版）, 2019, 59(2): 148-153.
[9]	谢丽霞, 丁颖. 链路洪泛攻击的SDN移动目标防御机制[J]. 清华大学学报（自然科学版）, 2019, 59(1): 36-43.
[10]	陈兴蜀, 陈佳昕, 赵丹丹, 金鑫. 基于虚拟机IO序列与Markov模型的异常行为检测[J]. 清华大学学报（自然科学版）, 2018, 58(4): 395-401,410.
[11]	贾凡, 严妍, 张家琪. 基于K-means聚类特征消减的网络异常检测[J]. 清华大学学报（自然科学版）, 2018, 58(2): 137-142.
[12]	赵俊, 包丛笑, 李星. 基于OpenFlow协议的覆盖网络路由器设计[J]. 清华大学学报（自然科学版）, 2018, 58(2): 164-169.
[13]	杨洋, 杨家海, 秦董洪. 数据中心网络多路径路由算法[J]. 清华大学学报（自然科学版）, 2016, 56(3): 262-268.
[14]	彭勇, 向憧, 张淼, 陈冬青, 高海辉, 谢丰, 戴忠华. 工业控制系统场景指纹及异常检测[J]. 清华大学学报（自然科学版）, 2016, 56(1): 14-21.
[15]	孙文琦, 李贺武, 吴建平. 软件定义网络中的快速移动性管理[J]. 清华大学学报（自然科学版）, 2015, 55(8): 900-905.

Viewed

Full text

Abstract

Cited

Shared

Discussed