CN106921666A - A kind of ddos attack system of defense and method based on Synergy - Google Patents

A kind of ddos attack system of defense and method based on Synergy Download PDF

Info

Publication number
CN106921666A
CN106921666A CN201710128028.7A CN201710128028A CN106921666A CN 106921666 A CN106921666 A CN 106921666A CN 201710128028 A CN201710128028 A CN 201710128028A CN 106921666 A CN106921666 A CN 106921666A
Authority
CN
China
Prior art keywords
module
flow
abnormal
cleaning equipment
interchanger
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710128028.7A
Other languages
Chinese (zh)
Other versions
CN106921666B (en
Inventor
黄以华
黄阳欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Sun Yat Sen University
Original Assignee
National Sun Yat Sen University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Sun Yat Sen University filed Critical National Sun Yat Sen University
Priority to CN201710128028.7A priority Critical patent/CN106921666B/en
Publication of CN106921666A publication Critical patent/CN106921666A/en
Application granted granted Critical
Publication of CN106921666B publication Critical patent/CN106921666B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Abstract

The present invention relates to a kind of ddos attack system of defense based on Synergy, it is applied particularly to SDN, including controller and setting cleaning equipment on switches, the controller is used to be monitored the port of the whole network interchanger, and the network traffics of the interchanger abnormal that then will be monitored are drawn to cleaning equipment;The cleaning equipment is used to that the network traffics for receiving to be analyzed and cleaned, and the result based on analysis provides Prevention-Security strategy to controller;Controller is based on Prevention-Security strategy and configures interchanger, so as to alleviate to attack.

Description

A kind of ddos attack system of defense and method based on Synergy
Technical field
The present invention relates to network safety filed, system is defendd more particularly, to a kind of ddos attack based on Synergy System and method.
Background technology
Fast development and good application with computer science and technology, change in cyberspace constantly changing and Affect the life style of people.Because people are to the dependence more and more higher of internet, many passes are related on the internet In enterprise, individual, even national security information, therefore Network Security Issues are always the important class in technology evolution Topic.
At present in many method of network attack that internet is present, distributed denial of service attack (Distributed Denial of Service Attack, abbreviation DDoS) it is attack method most common, that destructive power is very strong.Distribution refusal clothes Business is attacked and comes from Botnet mostly, cooperates with start Denial of Service attack to one or more targets each other.Due to ddos attack Method is simple, disguised strong, so as to get so far, can also completely defend this attack without any means.
Software defined network (SDN) is a kind of new transmission via net framework, is decoupled by by key-course and data Layer, is carried Supply to control the centrality of network.Because in SDN, all-network depends on Single Controller, the controller holds very much Easily turn into the target of ddos attack so that the new network is faced with new Network Security Issues.Because controller has net Network overall situation management and control ability, rapid deployment ability and intelligent scheduling ability, can realize the fast monitored of abnormal flow and have Effect cleaning, therefore a kind of good method is provided to defending DDoS (Distributed Denial of Service) attacks.
The ddos attack defence method based on SDN framework for proposing both at home and abroad at present, is applied to SDN controllers mostly On, performed intrusion detection using methods such as mathematical statistics or neutral nets.When detecting abnormal, using recall algorithm or The methods such as mark determine attack source, and controller blocks attack source by way of issuing flow table.The spy of this kind of defence method Point is to concentrate on SDN controllers intrusion detection and attack defending so that the accuracy of intrusion detection is depended on controller The accuracy of algorithm, the robustness of whole system of defense also relies on the security of controller itself.Therefore, how to make full use of Controller and controller is depended on not too much, the robustness for how lifting whole system of defense is design ddos attack defence system System needs one of problem of concern.
The content of the invention
The present invention proposes a kind of ddos attack system of defense based on Synergy, and the system is by the monitoring during defence Separated with decision making function, controller is responsible for monitoring, the responsible decision-making of cleaning equipment group.Whole system of defense is set to rely on not too much In controller, while can make full use of controller resource, the robustness of whole system of defense is lifted.
To realize above goal of the invention, the technical scheme of use is:
A kind of ddos attack system of defense based on Synergy, is applied particularly to SDN, including controller and setting Cleaning equipment on switches, the controller is used to be monitored the port of the whole network interchanger, then will monitor The network traffics of interchanger abnormal are drawn to cleaning equipment;The cleaning equipment is used to carry out the network traffics for receiving Analysis and cleaning, and the result based on analysis provides Prevention-Security strategy to controller;Controller is matched somebody with somebody based on Prevention-Security strategy Interchanger is put, so as to alleviate to attack.
Preferably, the controller includes entering bag statistical module, flow statistical module, flow table configuration mould positioned at key-course Block and device management module, and defence policies configuration module positioned at application layer, interactive maintenance module and logger module;
Wherein enter bag statistical module carries out statistical analysis for the Packet-In bags to being sent to controller, and based on analysis Result determine to be subject to the interchanger abnormal of false IP address ddos attack and the ddos attack for controller;
The flow statistical module is used to carry out real-time monitoring to the port flow of respective switch in SDN, then Result based on monitoring determines the interchanger abnormal of the ddos attack initiated by Botnet;
Flow table configuration module is used to issue flow table in designated switch, realizes that abnormal network traffics are drawn to cleaning Equipment;
Device management module is used to manage the cleaning equipment in SDN, records the status information of cleaning equipment;
The defence policies configuration module is used to be interacted with cleaning equipment, receives the Prevention-Security from cleaning equipment Strategy, is then based on Prevention-Security strategy configuration interchanger;
The interactive maintenance module is used for providing visualization interface for keeper;
The logger module is used to for the log information that system of defense is produced to upload to database.
Preferably, the cleaning equipment is matched somebody with somebody including flow collection module, traffic classification module, flow processing module and strategy Put module;
Wherein flow collection module is used to monitor the network port of cleaning equipment, the network traffics number to being sent to cleaning equipment Cached according to bag;
The network traffics that the traffic classification module is used for periodically to caching carry out classification and Detection, obtain it and attack class Type;
The flow processing module is used to reject the abnormal flow in network traffics according to attack type, then by normal stream Amount is back in network;
Tactful configuration module is used to be drawn after carrying out comprehensive analysis to the statistical distribution situation of attack type and abnormal flow Prevention-Security strategy, and it is sent to the defence policies configuration module of controller.
Preferably, it is described enter bag statistical module it is determined that by the interchanger abnormal of false IP address ddos attack When, the Packet-In bags for being sent to controller are counted first by the entropy statistical method based on purpose IP address, work as inspection When measuring entropy less than predetermined threshold value, the port of accounting rate maximum in the interchanger that maximum contribution rate is provided is chosen as abnormal end Mouthful;
It is described enter bag statistical module it is determined that by the ddos attack for controller interchanger abnormal when, pass through Detect that the renewal rate of the MAC-IP binding tables of each switch ports themselves determines abnormal, when certain interchanger port more When new speed exceedes scheduled rate, then it is defined as abnormal.
Preferably, the flow statistical module determines abnormal end by detecting the flow bandwidth of each port of interchanger Mouthful, when the flow bandwidth of switch ports themselves has exceeded the threshold value of setting, and fail to be reduced in the early warning duration of setting pre- If below threshold value, then the port is defined as into abnormal.
Preferably, the flow table configuration module realizes the traction of abnormal network traffics by way of issuing flow table; When cleaning equipment and abnormal belong to same interchanger, flow table configuration module directly issues Flow_Mod to the interchanger Message carries out local port forwarding;When cleaning equipment and abnormal adhere to different interchangers separately, flow table configuration module is according to opening up Flutter the optimal path that information obtains from abnormal to cleaning equipment based on dijkstra's algorithm;After optimal path is obtained, stream The QinQ technologies that table configuration module is supported by Openflow1.1 agreements, VLAN is added at abnormal to network traffics Tag;The network traffics for matching the VLAN Tag are forwarded on the interchanger that optimal path is related to, finally in cleaning equipment port The VLAN Tag are removed, flow lead is realized.
Preferably, the traffic classification module periodically extracts network flow data bag from caching and carries out feature point Analysis, obtains feature tuple, feature tuple is input in trained BP neural network and is classified, and draws ddos attack class Type.
Preferably, the tactful configuration module is sent Prevention-Security strategy by SSL channels to the defence plan of controller Omit configuration module.
Meanwhile, present invention also offers a kind of method for being applied to system above, its concrete scheme is as follows:
Step 1:Controller is carried out in real time by entering bag statistical module and flow statistical module to the port of the whole network interchanger Monitoring, searches and confirms to be subject to the abnormal of ddos attack;
Step 2:After confirming abnormal, controller passes through flow table configuration module and device management module, by abnormal Network traffics be drawn to cleaning equipment;
Step 3:Cleaning equipment receives the network traffics from abnormal by flow collection module;
Step 4:Cleaning equipment periodically obtains network traffics by traffic classification module from flow collection module, and By obtaining ddos attack type after classification and Detection;
Step 5:According to attack type, the flow that the flow processing module in cleaning equipment will meet the attack type is picked Remove, and remaining normal discharge is back in network;
Step 6:The tactful configuration module combination attack type of cleaning equipment and the statistical distribution situation of abnormal flow are carried out Analysis, draws Prevention-Security strategy and is sent to the defence policies configuration module of controller;
Step 7:Defence policies configuration module receive cleaning equipment offer Prevention-Security strategy after according to Prevention-Security Strategy configuration interchanger, while being drawn to the related flow table item of cleaning equipment in removing interchanger, and uploads daily record to database;
Step 8:Cleaning equipment is cleaned according to Prevention-Security strategy to the network traffics of further cache, until all streams Amount is disposed, and notification controller updates device management module afterwards.
Compared with prior art, the beneficial effects of the invention are as follows:
1. the system of defense that the present invention is provided, can make full use of the resource of controller, and effectively mitigate controller Burden.The system realizes the defence to ddos attack by the cooperative cooperating of controller and cleaning equipment group, core be by Monitoring and decision making function during defence are separated, on the controller using the method for mathematical statistics to the port of interchanger It is monitored, and the detection and Prevention-Security strategic decision-making smaller to network traffics fine granularity then transfers to cleaning equipment to complete. This mode causes controller centralized services in monitoring function, and need not consume resource for decision making function.
2. the system of defense that the present invention is provided, with stronger security and robustness.Security be embodied in controller with The cooperative cooperating of cleaning equipment, the backflow of normal discharge is may insure due to cleaning equipment, therefore can reduce the mistake of controller Alert rate, makes whole system security not to be too dependent on the accuracy of detection algorithm on controller.Robustness is embodied in this hair In the defence method of bright proposition, controller primarily ensure itself can normal table work, matching purge device cluster, it is ensured that itself Will not run quickly routed because of Large Scale DDoS Attack.
Brief description of the drawings
Fig. 1 is the schematic diagram of controller.
Fig. 2 is the schematic diagram of cleaning equipment.
Fig. 3 is the topological diagram of SDN.
Fig. 4 is the flow chart of method.
Specific embodiment
Accompanying drawing being for illustration only property explanation, it is impossible to be interpreted as the limitation to this patent;
Below in conjunction with drawings and Examples, the present invention is further elaborated.
Embodiment 1
The invention provides a kind of ddos attack system of defense based on Synergy, the system architecture is main by two parts Composition:SDN controllers and cleaning equipment group.
As shown in figure 1, SDN controllers include the module positioned at key-course, and the REST API provided using controller Interface is located at the module of application layer.Module wherein positioned at key-course mainly includes:Enter bag statistical module, flow statistical module, Flow table configuration module and device management module.And the module for being located at application layer mainly includes:Defence policies configuration module, interaction pipe Reason module and logger module.
In SDN controller key-courses, wherein enter bag statistical module being united for the Packet-In bags to being sent to controller Meter analysis, and the result based on analysis determines to be subject to false IP address ddos attack and the ddos attack for controller to exchange Machine abnormal;Flow statistical module is used to carry out real-time monitoring, Ran Houji to the port flow of respective switch in SDN The interchanger abnormal of the ddos attack for determining to be initiated by Botnet in the result of monitoring;Under flow table configuration module is used for Hair flow table is drawn to cleaning equipment in designated switch, realizing abnormal network traffics, and blocking attack source function; Device management module is used to manage all cleaning equipments in network, records the status information of all cleaning equipments.
In SDN controller application layers, defence policies configuration module is used to be interacted with cleaning equipment, receives and carrys out self-cleaning The Prevention-Security strategy of equipment, is then based on Prevention-Security strategy configuration interchanger;Interactive maintenance module is used to provide visualization Interface uses for keeper;Logger module is used to for the log information that system of defense is produced to upload to database.
As shown in Fig. 2 single cleaning equipment mainly includes in cleaning equipment group:Flow collection module, traffic classification module, Flow processing module and tactful configuration module.Wherein flow collection module is used to monitor the network port of cleaning equipment, to being sent to The network flow data bag of cleaning equipment is cached;The network traffics that traffic classification module is used for periodically to caching are carried out Classification and Detection, obtains its attack type;Flow processing module is used to reject the abnormal flow in network traffics according to attack type, Then normal discharge is back in network;Tactful configuration module is used for the statistical distribution situation to attack type and abnormal flow Prevention-Security strategy is drawn after carrying out comprehensive analysis, and is sent to the defence policies configuration module of controller.
Aspect is realized in technology, the system that the present invention is provided relates generally to flow monitoring, flow lead and abnormal flow point Class, specifically:
1) flow monitoring:SDN controllers by entering bag statistical module and flow statistical module local area network in interchanger Port flow carries out real-time monitoring.It is mainly used in defending three kinds of ddos attacks:Using the ddos attack of false IP address, for control The ddos attack that the ddos attack and Botnet of device processed are initiated.
SDN controllers defend the ddos attack using false IP address by entering bag statistical module.Due to such DDoS What the false IP address that attack is used was randomly generated mostly, therefore matching is easy in a switch less than corresponding flow table , at this moment the packet is sent to controller by exchange opportunity by Packet-In bags.Enter bag statistical module using this feature, Statistical analysis is carried out to the Packet-In bags for being sent to controller using the entropy statistical method based on purpose IP address.For window Mouth width is the packet set of W, and its entropy computing formula is expressed as follows:
Wherein, N is the number of different purpose IP address in packet set, piFor the packet of same purpose IP address is total Number accounts for the ratio of all packet sums.
When entering bag statistical module and detecting entropy less than predetermined threshold value, the maximum purpose IP ground of accounting weight can be obtained Location, is denoted as IPmax.Abnormal flow port is locked by calculating the contribution rate of each switch ports themselves, for same interchanger, Its contribution rate computing formula is as follows:
Wherein, i is switch ports themselves number, PiPurpose IP address are IP in all packets sent for the portmaxNumber According to the shared ratio of bag.
When detecting abnormal, enter accounting rate during bag statistical module typically chooses the interchanger for providing maximum contribution rate maximum Port numbers as abnormal flow port, and notify that the port flow is drawn to cleaning equipment by flow table configuration module.
SDN controllers defend the ddos attack for controller by entering bag statistical module.Due to such ddos attack Purpose is intended to increase the burden of controller, therefore can manufacture a large amount of false data bags and force interchanger to match less than flow table item, from And a large amount of Packet-In bags are sent to controller.This kind of Packet-In bags purpose and source IP address are almost what is randomly generated, Therefore enter bag statistical module not to be analyzed Packet-In bags directly, but by detecting the MAC-IP of each switch ports themselves The renewal rate of binding table judges whether to attack.In MAC-IP binding tables each entry contain interchanger Dpid, The IP address of switch ports themselves number Port, host MAC address and main frame, specific form is:{Dpid:Port: MACAddress:IPAddress}.The renewal rate of MAC-IP binding tables is expressed as:
V=vchange+vadd
Wherein vchangeFor certain switch ports themselves IP address changes speed, v in special time taddFor new in special time t MAC-IP formation speed.
When certain switch ports themselves renewal rate exceedes scheduled rate, it is preferred that the port flow is drawn into cleaning Equipment, optionally, shields the port or limits the port bandwidth.
SDN controllers defend the ddos attack that Botnet is initiated by flow statistical module.Due in Botnet It is mostly that normal users are controlled by attacker in the case of ignorant or aspiration and turn into puppet's machine, is formed in a short time Extensive flow is sent to target of attack.Therefore flow statistical module is counted by controller to the flow table in respective switch Analysis, calculates each port flow bandwidth on interchanger, and specific formula for calculation is as follows:
Wherein, Δ t is the time interval of each acquisition interchanger flow table of controller setting, CtIt is interchanger Single port In the data packet byte number that moment t sends.
When certain switch ports themselves flow bandwidth in time interval Δ t has exceeded setting in monitoring control devices to network Threshold value, in order to prevent wrong early warning, in the early warning duration t of settingalarmIt is interior, if flow bandwidth fail to be reduced to predetermined threshold value with Under, then the port is judged to abnormal flow port, and notify that the port flow is drawn to cleaning equipment by flow table configuration module.
2) flow lead:Flow table configuration module realizes that abnormal flow draws by way of issuing flow table on SDN controllers. When same interchanger belonging to cleaning equipment and abnormal flow port, controller directly issues Flow_Mod and disappears to the interchanger Breath carries out local port forwarding;When cleaning equipment and abnormal flow port adhere to different interchangers separately, flow table configuration module according to Topology information, the optimal path from abnormal flow port to cleaning equipment is obtained based on dijkstra's algorithm.Obtaining optimal road Behind footpath, the QinQ technologies that controller is supported by Openflow1.1 agreements are added in abnormal flow port to network traffics VLAN Tag, forward the network traffics for matching the VLAN Tag, finally in cleaning equipment on the interchanger that optimal path is related to Port removes the VLAN Tag, realizes flow lead.
3) abnormal flow classification:Traffic classification module is classified by BP neural network to network traffics in cleaning equipment Detection., it is necessary to carry out learning training to BP neural network model before classification and Detection is carried out, training sample mostlys come from reality Substantial amounts of network flow data (including proper network flow and Abnormal network traffic) in internet.After training is completed, flow Sort module periodically can extract packet from caching and carry out signature analysis, obtain feature tuple, and this feature tuple is one The ddos attack type that detects as needed of group and the representative characteristic value elected, are input to BP by feature tuple afterwards Neutral net, output result is the attack type of network traffics.
As shown in figure 3, the network topological diagram of the embodiment of the present invention.It is a SDN shown in figure, wherein C is SDN controls Device processed;S1, S2, S3, S4, S5 are the interchangers for supporting OpenFlow1.1 agreements;Q1, Q2, Q3 are to dispose cleaning in a network Equipment.
As shown in figure 4, a kind of ddos attack defence method based on Synergy that the present invention is provided, may be used in conjunction with the embodiments It is specifically divided into following 8 steps:
Step 1:Attacker initiates ddos attack, and SDN controllers are played a game by entering bag statistical module and flow statistical module The port flow of interchanger carries out real-time monitoring in the net of domain, searches and confirm the abnormal flow source of ddos attack behavior.According to The target that attacker initiates ddos attack is different with means, and SDN controllers use different monitoring modes:
1) attacker initiates ddos attack using false IP address to target H.When network traffics reach interchanger S3, by The false IP address used in such attack is randomly generated mostly, therefore matching is easy in interchanger S3 less than corresponding Flow table item.In this case, interchanger S3 can be sent to controller in the form of Packet-In bags.Due to these Packet- The purpose IP address of In bags are excessively concentrated, therefore controller enters bag statistical module and detect entropy that predetermined threshold value can be less than.It is this In the case of, according to purpose IP address, controller can learn that interchanger S3 has maximum contribution rate, in interchanger S3, No. 1 end Mouthful account for the largest percentage, therefore controller is using No. 1 port of interchanger S3 as abnormal flow port.
2) attacker initiates ddos attack for controller C.Because such ddos attack purpose is intended to increase controller Bearing, therefore can manufacture a large amount of false data bags forces interchanger to match less than flow table item, so as to send a large amount of Packet-In bags To controller.Because MAC-IP addresses, to all randomly generating, for controller, will be considered that in these false data bags It is the new main frame for adding and is learnt.In this case, controller enters bag statistical module can detect No. 1 end of interchanger S3 The MAC-IP binding table renewal rates of mouth have exceeded scheduled rate, therefore controller as abnormal flow port.
3) attacker initiates ddos attack by Botnet to target H.Because puppet's network can be formed in a short time No. 1 port flow that the flow statistical module of largely flux and flow direction targets of attack, therefore controller can detect interchanger S3 is measured The phenomenon now increased sharply.In order to prevent wrong early warning, controller from being detected that flow bandwidth is not extensive after waiting a bit of time again Arrive normal level again, therefore controller is using No. 1 port of interchanger S3 as abnormal flow port.
Step 2:After confirming abnormal flow source, flow table configuration module reality by way of issuing flow table on SDN controllers Existing abnormal flow traction.The status information of all cleaning equipments in store network in the device management module of controller, In the present embodiment, initial state information is:
DPID PORT STATE
00:00:00:00:00:00:00:01(s1) 3 NONE
00:00:00:00:00:00:00:03(s3) 4 NONE
00:00:00:00:00:00:00:04(s4) 4 NONE
Controller detects No. 1 port of interchanger S3 for behind abnormal flow port, controller passes through device management module Can learn in No. 4 ports of interchanger S3 there is the cleaning equipment in idle condition, i.e. Q1.Therefore, controller is directly to friendship The S3 that changes planes issues Flow_Mod message and directly carries out port forwarding, and specific Flow_Mod message formats are as follows:
{“switch”:”00:00:00:00:00:00:00:03 ", " cookie ":" 0 ", " in_port ":" 1 ", “active”:" true ", " actions ":" output=4 "
Now, cleaning equipment status information table is updated in device management module:
DPID PORT STATE
00:00:00:00:00:00:00:01(s1) 3 NONE
00:00:00:00:00:00:00:03(s3) 4 {″00:00:00:00:00:00:00:03″:″1″}
00:00:00:00:00:00:00:04(s4) 4 NONE
If cleaning equipment Q1 is not at idle condition, controller is cleaned according in topology information and device management module Status information of equipment table, the optimal path from abnormal flow port to cleaning equipment is obtained based on dijkstra's algorithm.In this reality Apply in example, the optimal path is S3 (1)-> S3 (3)-> S4 (1)-> S4 (4).
After optimal path is obtained, the QinQ technologies that controller is supported by Openflow1.1 agreements, to being related on path Interchanger send Flow_Mod message, abnormal flow is drawn to cleaning equipment.Specific Flow_Mod message formats are as follows:
Configuration S3:
{“switch”:”00:00:00:00:00:00:00:03”,“cookie”:”0”,“in_port”:”1”, “active”:”true”,“actions”:" push_vlan=123, output=3 "
Configuration S4:
{“switch”:”00:00:00:00:00:00:00:03”,“cookie”:”0”,“eth_vlan_vid”:” 123”,“active”:”true”,“actions”:" pop_vlan, output=4 "
Step 3:Cleaning equipment Q1 receives No. 1 network traffics of port from interchanger S3 by flow collection module;
Step 4:Traffic classification module periodically extracts packet from caching and carries out signature analysis in cleaning equipment Q1, The feature tuple that will be obtained is input in the BP neural network for passing through training, draws ddos attack type;
Step 5:According to attack type, flow processing module can will meet the flow of the attack type and pick in cleaning equipment Remove, remaining normal discharge is back in network.In the present embodiment, cleaning equipment Q1 will be normal discharge from interchanger S3's No. 4 ports are back in network.
Step 6:Tactful configuration module can combine the statistical distribution situation of attack type and abnormal flow in cleaning equipment, point Analysis draws Prevention-Security strategy.Prevention-Security strategy contains interchanger DPID where cleaning equipment, and switch ports themselves number is attacked Type, defense mechanism and defence object, specific form is { Dpid:Port:Type:Way:Object }, one in the present embodiment Possible Prevention-Security strategy pattern is as follows:
{”00:00:00:00:00:00:00:03”:“4“:SynFlood:Drop_IP:{“172.18.216.23”,” 172.18.216.45”}}
Represent that the cleaning equipment positioned at No. 4 ports of interchanger S3 detects attack type for Syn flood attacks, it is proposed that hand over It is the data packet discarding of 172.18.216.23 and 172.18.216.45 to change planes IP address.
The defence policies that be sent to for Prevention-Security strategy by SSL channels in controller application layer by cleaning equipment configure mould Block;
Step 7:Controller is received after the security strategy of cleaning equipment offer, according to device management module, Ke Yizhi Road cleaning equipment Q1 is just in No. 1 port flow of processing switch S3.Therefore interchanger S3, root can be configured according to security strategy According to the Prevention-Security strategy pattern provided in step 6, controller issues flow table blocking attack source, specific Flow_ to interchanger S3 Mod message formats are as follows:
{“switch”:”00:00:00:00:00:00:00:03”,“cookie”:”0”,“in_port”:”1”,“ipv4_ src”:”17 2.18.216.23”,“active”:”true”,“actions”:”drop”}
{“switch”:”00:00:00:00:00:00:00:03”,“cookie”:”0”,“in_port”:”1”,“ipv4_ src”:”17 2.18.216.45”,“active”:”true”,“actions”:”drop”}
The related flow table item of cleaning equipment is drawn in removing interchanger simultaneously, and uploads daily record to database.
Step 8:Since it is known that attack type, cleaning equipment will be according to Prevention-Security strategy to further cache stream Amount is cleaned, until all flows are disposed.After all flows are disposed, cleaning equipment is used and Prevention-Security plan Slightly same form sends WORK_DONE and instructs to controller.Specific pattern is as follows in the present embodiment:
{”00:00:00:00:00:00:00:03”:“4“:WORK_DONE:NONE:NONE}
Controller updates device management module after the instruction is received, and the state of cleaning equipment Q1 is set into the free time.
Obviously, the above embodiment of the present invention is only intended to clearly illustrate example of the present invention, and is not right The restriction of embodiments of the present invention.For those of ordinary skill in the field, may be used also on the basis of the above description To make other changes in different forms.There is no need and unable to be exhaustive to all of implementation method.It is all this Any modification, equivalent and improvement made within the spirit and principle of invention etc., should be included in the claims in the present invention Protection domain within.

Claims (9)

1. a kind of ddos attack system of defense based on Synergy, is applied particularly to SDN, it is characterised in that:Including control Device processed and setting cleaning equipment on switches, the controller are used to be monitored the port of the whole network interchanger, then The network traffics of the interchanger abnormal that will be monitored are drawn to cleaning equipment;The cleaning equipment is used for the net to receiving Network flow is analyzed and cleans, and the result based on analysis provides Prevention-Security strategy to controller;Controller is based on safety Defence policies configure interchanger, so as to alleviate to attack.
2. the ddos attack system of defense based on Synergy according to claim 1, it is characterised in that:The controller Including entering bag statistical module, flow statistical module, flow table configuration module and device management module positioned at key-course, and it is located at The defence policies configuration module of application layer, interactive maintenance module and logger module;
Wherein enter bag statistical module carries out statistical analysis, and the knot based on analysis for the Packet-In bags to being sent to controller Fruit determines to be subject to the interchanger abnormal of false IP address ddos attack and the ddos attack for controller;
The flow statistical module is used to carry out real-time monitoring to the port flow of respective switch in SDN, is then based on The result of monitoring determines the interchanger abnormal of the ddos attack initiated by Botnet;
Flow table configuration module is used to issue flow table in designated switch, realizes that abnormal network traffics are drawn to cleaning and set It is standby;
Device management module is used to manage the cleaning equipment in SDN, records the status information of cleaning equipment;
The defence policies configuration module is used to be interacted with cleaning equipment, receives the Prevention-Security plan from cleaning equipment Slightly, it is then based on Prevention-Security strategy configuration interchanger;
The interactive maintenance module is used for providing visualization interface for keeper;
The logger module is used to for the log information that system of defense is produced to upload to database.
3. the ddos attack system of defense based on Synergy according to claim 2, it is characterised in that:The cleaning sets It is standby to include flow collection module, traffic classification module, flow processing module and tactful configuration module;
Wherein flow collection module is used to monitor the network port of cleaning equipment, the network flow data bag to being sent to cleaning equipment Cached;
The network traffics that the traffic classification module is used for periodically to caching carry out classification and Detection, obtain its attack type;
The flow processing module is used to reject the abnormal flow in network traffics according to attack type, then returns normal discharge In flowing to network;
Tactful configuration module is used to draw safety after carrying out comprehensive analysis to the statistical distribution situation of attack type and abnormal flow Defence policies, and it is sent to the defence policies configuration module of controller.
4. the ddos attack system of defense based on Synergy according to claim 2, it is characterised in that:It is described to enter to wrap system Meter module it is determined that by false IP address ddos attack interchanger abnormal when, first by based on purpose IP address Entropy statistical method is counted to the Packet-In bags for being sent to controller, when entropy is detected less than predetermined threshold value, is chosen The port of accounting rate maximum in the interchanger of maximum contribution rate is provided as abnormal;
It is described enter bag statistical module it is determined that by the ddos attack for controller interchanger abnormal when, by detection The renewal rate of the MAC-IP binding tables of each switch ports themselves determines abnormal, when the renewal speed of the port of certain interchanger When rate exceedes scheduled rate, then it is defined as abnormal.
5. the ddos attack system of defense based on Synergy according to claim 2, it is characterised in that:The flow system Meter module determines abnormal by detecting the flow bandwidth of each port of interchanger, when the flow bandwidth of switch ports themselves surpasses The threshold value of setting is crossed, and has failed to be reduced to below predetermined threshold value in the early warning duration of setting, be then defined as the port Abnormal.
6. the ddos attack system of defense based on Synergy according to claim 2, it is characterised in that:The flow table is matched somebody with somebody Put the traction that module realizes abnormal network traffics by way of issuing flow table;When cleaning equipment and abnormal belong to same During one interchanger, directly issue Flow_Mod message to the interchanger carries out local port forwarding to flow table configuration module;When clear Wash equipment and when abnormal adheres to different interchangers separately, flow table configuration module is obtained according to topology information based on dijkstra's algorithm Optimal path from abnormal to cleaning equipment;After optimal path is obtained, flow table configuration module is assisted by Openflow1.1 The QinQ technologies supported are discussed, network traffics addition VLAN Tag are given at abnormal;On the interchanger that optimal path is related to Forwarding matches the network traffics of the VLAN Tag, finally removes the VLAN Tag in cleaning equipment port, realizes that flow leads Draw.
7. the ddos attack system of defense based on Synergy according to claim 3, it is characterised in that:The flow point Generic module periodically extracts network flow data bag from caching and carries out signature analysis, feature tuple is obtained, by feature tuple It is input in trained BP neural network and is classified, draws ddos attack type.
8. the ddos attack system of defense based on Synergy according to claim 3, it is characterised in that:The strategy is matched somebody with somebody Module is put to send Prevention-Security strategy by SSL channels to the defence policies configuration module of controller.
9. a kind of method of system according to claim 3, it is characterised in that:Comprise the following steps:
Step 1:Controller carries out real-time monitoring by entering bag statistical module and flow statistical module to the port of the whole network interchanger, Search and confirm the abnormal by ddos attack;
Step 2:After confirming abnormal, controller passes through flow table configuration module and device management module, by the net of abnormal Network flow lead is to cleaning equipment;
Step 3:Cleaning equipment receives the network traffics from abnormal by flow collection module;
Step 4:Cleaning equipment periodically obtains network traffics by traffic classification module from flow collection module, and passes through Ddos attack type is obtained after classification and Detection;
Step 5:According to attack type, the flow that the flow processing module in cleaning equipment will meet the attack type is rejected, and Remaining normal discharge is back in network;
Step 6:The tactful configuration module combination attack type of cleaning equipment and the statistical distribution situation of abnormal flow are analyzed, Draw Prevention-Security strategy and be sent to the defence policies configuration module of controller;
Step 7:Defence policies configuration module receive cleaning equipment offer Prevention-Security strategy after according to Prevention-Security strategy Configuration interchanger, while being drawn to the related flow table item of cleaning equipment in removing interchanger, and uploads daily record to database;
Step 8:Cleaning equipment is cleaned according to Prevention-Security strategy to the network traffics of further cache, until at all flows Reason is finished, and notification controller updates device management module afterwards.
CN201710128028.7A 2017-03-06 2017-03-06 DDoS attack defense system and method based on cooperative theory Active CN106921666B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710128028.7A CN106921666B (en) 2017-03-06 2017-03-06 DDoS attack defense system and method based on cooperative theory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710128028.7A CN106921666B (en) 2017-03-06 2017-03-06 DDoS attack defense system and method based on cooperative theory

Publications (2)

Publication Number Publication Date
CN106921666A true CN106921666A (en) 2017-07-04
CN106921666B CN106921666B (en) 2020-10-02

Family

ID=59462052

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710128028.7A Active CN106921666B (en) 2017-03-06 2017-03-06 DDoS attack defense system and method based on cooperative theory

Country Status (1)

Country Link
CN (1) CN106921666B (en)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682342A (en) * 2017-10-17 2018-02-09 盛科网络(苏州)有限公司 A kind of method and system of the DDoS flow leads based on openflow
CN107968785A (en) * 2017-12-03 2018-04-27 浙江工商大学 A kind of method of defending DDoS (Distributed Denial of Service) attacks in SDN data centers
CN108011894A (en) * 2017-12-26 2018-05-08 陈晶 Botnet detecting system and method under a kind of software defined network
CN108053068A (en) * 2017-12-13 2018-05-18 南京大学 The method that mankind attacker cooperation behavior modeled and formulated corresponding Defending Policy
CN108111542A (en) * 2018-01-30 2018-06-01 深圳大学 Internet of Things ddos attack defence method, device, equipment and medium based on SDN
CN108259367A (en) * 2018-01-11 2018-07-06 重庆邮电大学 A kind of Flow Policy method for customizing of the service-aware based on software defined network
CN108282497A (en) * 2018-04-28 2018-07-13 电子科技大学 For the ddos attack detection method of SDN control planes
CN108322463A (en) * 2018-01-31 2018-07-24 平安科技(深圳)有限公司 Ddos attack detection method, device, computer equipment and storage medium
CN108366065A (en) * 2018-02-11 2018-08-03 中国联合网络通信集团有限公司 Attack detection method and SDN switch
CN108429761A (en) * 2018-04-10 2018-08-21 北京交通大学 Resource adaptation resolution server ddos attack detects defence method in wisdom contract network
CN109005157A (en) * 2018-07-09 2018-12-14 华中科技大学 Ddos attack detection and defence method and system in a kind of software defined network
CN109194608A (en) * 2018-07-19 2019-01-11 南京邮电大学 Event detecting method is gathered around in a kind of ddos attack based on stream and sudden strain of a muscle
CN109547257A (en) * 2018-12-05 2019-03-29 深圳前海微众银行股份有限公司 Method for controlling network flow, device, equipment, system and storage medium
CN109818964A (en) * 2019-02-01 2019-05-28 长沙市智为信息技术有限公司 A kind of ddos attack detection method, device, equipment and storage medium
CN110149321A (en) * 2019-05-06 2019-08-20 长沙市智为信息技术有限公司 A kind of detection and defence method and device applied to DDOS attack in SDN network
CN110225022A (en) * 2019-06-05 2019-09-10 东南大学 A kind of ddos attack detection scheme of SDN flow table driving
CN110225037A (en) * 2019-06-12 2019-09-10 广东工业大学 A kind of ddos attack detection method and device
CN110336801A (en) * 2019-06-20 2019-10-15 杭州安恒信息技术股份有限公司 A kind of method of anti-DDoS equipment selection
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Cross-terminal cross-version Root attack detecting and guard system based on kernel
CN110830474A (en) * 2019-11-08 2020-02-21 中盈优创资讯科技有限公司 Network attack protection system and method, and flow control device
CN111224970A (en) * 2019-12-31 2020-06-02 中移(杭州)信息技术有限公司 SDN network system, network attack defense method, device and storage medium
CN111935063A (en) * 2020-05-28 2020-11-13 国网电力科学研究院有限公司 System and method for monitoring abnormal network access behavior of terminal equipment
CN112055956A (en) * 2018-02-23 2020-12-08 诺基亚技术有限公司 Network security
CN112153006A (en) * 2020-08-26 2020-12-29 广东网堤信息安全技术有限公司 DDoS attack protection method based on network boundary
TWI723517B (en) * 2019-08-26 2021-04-01 新加坡商鴻運科股份有限公司 Method for preventing distributed denial of service attack and related equipment
CN113315744A (en) * 2020-07-21 2021-08-27 阿里巴巴集团控股有限公司 Programmable switch, flow statistic method, defense method and message processing method
CN113630398A (en) * 2021-07-28 2021-11-09 上海纽盾科技股份有限公司 Joint anti-attack method, client and system in network security
CN114115068A (en) * 2021-12-03 2022-03-01 东南大学 Heterogeneous redundancy defense strategy issuing method of endogenous security switch
CN116893663A (en) * 2023-09-07 2023-10-17 之江实验室 Main control abnormality detection method and device, storage medium and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130329734A1 (en) * 2012-06-11 2013-12-12 Radware, Ltd. Techniques for providing value-added services in sdn-based networks
CN104468636A (en) * 2015-01-09 2015-03-25 李忠 SDN structure for DDoS threatening filtering and link reallocating and working method
CN104601482A (en) * 2013-10-30 2015-05-06 中兴通讯股份有限公司 Traffic cleaning method and device
CN104767762A (en) * 2015-04-28 2015-07-08 亚信科技(南京)有限公司 Safety protection system
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105516129A (en) * 2015-12-04 2016-04-20 重庆邮电大学 Method and device for blocking botnet control channel based on SDN (Software Defined Network) technology
CN106161333A (en) * 2015-03-24 2016-11-23 华为技术有限公司 DDOS attack means of defence based on SDN, Apparatus and system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130329734A1 (en) * 2012-06-11 2013-12-12 Radware, Ltd. Techniques for providing value-added services in sdn-based networks
CN104601482A (en) * 2013-10-30 2015-05-06 中兴通讯股份有限公司 Traffic cleaning method and device
CN104468636A (en) * 2015-01-09 2015-03-25 李忠 SDN structure for DDoS threatening filtering and link reallocating and working method
CN106161333A (en) * 2015-03-24 2016-11-23 华为技术有限公司 DDOS attack means of defence based on SDN, Apparatus and system
CN104767762A (en) * 2015-04-28 2015-07-08 亚信科技(南京)有限公司 Safety protection system
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105516129A (en) * 2015-12-04 2016-04-20 重庆邮电大学 Method and device for blocking botnet control channel based on SDN (Software Defined Network) technology

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682342B (en) * 2017-10-17 2020-03-10 盛科网络(苏州)有限公司 Method and system for DDoS (distributed denial of service) flow traction based on openflow
CN107682342A (en) * 2017-10-17 2018-02-09 盛科网络(苏州)有限公司 A kind of method and system of the DDoS flow leads based on openflow
CN107968785A (en) * 2017-12-03 2018-04-27 浙江工商大学 A kind of method of defending DDoS (Distributed Denial of Service) attacks in SDN data centers
CN108053068A (en) * 2017-12-13 2018-05-18 南京大学 The method that mankind attacker cooperation behavior modeled and formulated corresponding Defending Policy
CN108011894A (en) * 2017-12-26 2018-05-08 陈晶 Botnet detecting system and method under a kind of software defined network
CN108259367B (en) * 2018-01-11 2022-02-22 重庆邮电大学 Service-aware flow strategy customization method based on software defined network
CN108259367A (en) * 2018-01-11 2018-07-06 重庆邮电大学 A kind of Flow Policy method for customizing of the service-aware based on software defined network
CN108111542A (en) * 2018-01-30 2018-06-01 深圳大学 Internet of Things ddos attack defence method, device, equipment and medium based on SDN
CN108322463A (en) * 2018-01-31 2018-07-24 平安科技(深圳)有限公司 Ddos attack detection method, device, computer equipment and storage medium
CN108366065A (en) * 2018-02-11 2018-08-03 中国联合网络通信集团有限公司 Attack detection method and SDN switch
CN112055956A (en) * 2018-02-23 2020-12-08 诺基亚技术有限公司 Network security
US11888878B2 (en) 2018-02-23 2024-01-30 Nokia Technologies Oy Network security
CN108429761A (en) * 2018-04-10 2018-08-21 北京交通大学 Resource adaptation resolution server ddos attack detects defence method in wisdom contract network
CN108429761B (en) * 2018-04-10 2020-06-16 北京交通大学 DDoS attack detection and defense method for resource adaptation analysis server in intelligent cooperative network
CN108282497A (en) * 2018-04-28 2018-07-13 电子科技大学 For the ddos attack detection method of SDN control planes
CN109005157A (en) * 2018-07-09 2018-12-14 华中科技大学 Ddos attack detection and defence method and system in a kind of software defined network
CN109005157B (en) * 2018-07-09 2020-07-10 华中科技大学 DDoS attack detection and defense method and system in software defined network
CN109194608A (en) * 2018-07-19 2019-01-11 南京邮电大学 Event detecting method is gathered around in a kind of ddos attack based on stream and sudden strain of a muscle
CN109194608B (en) * 2018-07-19 2022-02-11 南京邮电大学 DDoS attack and flash congestion event detection method based on flow
CN109547257B (en) * 2018-12-05 2022-08-12 深圳前海微众银行股份有限公司 Network flow control method, device, equipment, system and storage medium
CN109547257A (en) * 2018-12-05 2019-03-29 深圳前海微众银行股份有限公司 Method for controlling network flow, device, equipment, system and storage medium
CN109818964B (en) * 2019-02-01 2021-12-07 长沙市智为信息技术有限公司 DDoS attack detection method, device, equipment and storage medium
CN109818964A (en) * 2019-02-01 2019-05-28 长沙市智为信息技术有限公司 A kind of ddos attack detection method, device, equipment and storage medium
CN110149321A (en) * 2019-05-06 2019-08-20 长沙市智为信息技术有限公司 A kind of detection and defence method and device applied to DDOS attack in SDN network
CN110225022A (en) * 2019-06-05 2019-09-10 东南大学 A kind of ddos attack detection scheme of SDN flow table driving
CN110225037B (en) * 2019-06-12 2021-11-30 广东工业大学 DDoS attack detection method and device
CN110225037A (en) * 2019-06-12 2019-09-10 广东工业大学 A kind of ddos attack detection method and device
CN110336801A (en) * 2019-06-20 2019-10-15 杭州安恒信息技术股份有限公司 A kind of method of anti-DDoS equipment selection
CN110336801B (en) * 2019-06-20 2021-07-06 杭州安恒信息技术股份有限公司 Method for selecting anti-DDoS (distributed denial of service) equipment
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Cross-terminal cross-version Root attack detecting and guard system based on kernel
TWI723517B (en) * 2019-08-26 2021-04-01 新加坡商鴻運科股份有限公司 Method for preventing distributed denial of service attack and related equipment
CN110830474B (en) * 2019-11-08 2021-04-06 中盈优创资讯科技有限公司 Network attack protection system and method, and flow control device
CN110830474A (en) * 2019-11-08 2020-02-21 中盈优创资讯科技有限公司 Network attack protection system and method, and flow control device
CN111224970A (en) * 2019-12-31 2020-06-02 中移(杭州)信息技术有限公司 SDN network system, network attack defense method, device and storage medium
CN111935063A (en) * 2020-05-28 2020-11-13 国网电力科学研究院有限公司 System and method for monitoring abnormal network access behavior of terminal equipment
CN111935063B (en) * 2020-05-28 2023-11-21 国网电力科学研究院有限公司 Abnormal network access behavior monitoring system and method for terminal equipment
CN113315744A (en) * 2020-07-21 2021-08-27 阿里巴巴集团控股有限公司 Programmable switch, flow statistic method, defense method and message processing method
CN112153006A (en) * 2020-08-26 2020-12-29 广东网堤信息安全技术有限公司 DDoS attack protection method based on network boundary
CN113630398A (en) * 2021-07-28 2021-11-09 上海纽盾科技股份有限公司 Joint anti-attack method, client and system in network security
CN113630398B (en) * 2021-07-28 2023-02-21 上海纽盾科技股份有限公司 Joint anti-attack method, client and system in network security
CN114115068A (en) * 2021-12-03 2022-03-01 东南大学 Heterogeneous redundancy defense strategy issuing method of endogenous security switch
CN116893663A (en) * 2023-09-07 2023-10-17 之江实验室 Main control abnormality detection method and device, storage medium and electronic equipment
CN116893663B (en) * 2023-09-07 2024-01-09 之江实验室 Main control abnormality detection method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN106921666B (en) 2020-10-02

Similar Documents

Publication Publication Date Title
CN106921666A (en) A kind of ddos attack system of defense and method based on Synergy
Wang et al. An entropy-based distributed DDoS detection mechanism in software-defined networking
CN104539625B (en) A kind of network security protection system and its method of work based on software definition
CN108063765B (en) SDN system suitable for solving network security
CN104954367B (en) A kind of cross-domain ddos attack means of defence of internet omnidirectional
CN105493450B (en) The method and system of service exception in dynamic detection network
CN105282169B (en) Ddos attack method for early warning based on SDN controller threshold values and its system
US9166990B2 (en) Distributed denial-of-service signature transmission
CN105187437B (en) A kind of centralized detecting system of SDN network Denial of Service attack
CN108289104A (en) A kind of industry SDN network ddos attack detection with alleviate method
CN106961387B (en) Link type DDoS defense method and system based on forwarding path self-migration
CN104618377B (en) Botnet detecting system and detection method based on NetFlow
CN108683682A (en) A kind of ddos attack detection and defence method and system based on software defined network
CN104539595B (en) It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN108429761A (en) Resource adaptation resolution server ddos attack detects defence method in wisdom contract network
CN106559407A (en) A kind of Network traffic anomaly monitor system based on SDN
CN101018156A (en) Method, device and system for preventing the broadband rejection service attack
CN104468636A (en) SDN structure for DDoS threatening filtering and link reallocating and working method
CN106027497A (en) DDoS (Distributed Denial of Service) tracing and source end filtering method oriented to SDN (Software Defined Networking) and based on OpenFlow-DPM
Ahmed et al. Filtration model for the detection of malicious traffic in large-scale networks
CN113992539B (en) Network security dynamic route hopping method and system
CN105337957A (en) SDN network DDoS and DLDoS distributed space-time detection system
Song et al. Flow-based statistical aggregation schemes for network anomaly detection
CN105871773A (en) DDoS filtering method based on SDN network architecture
Jiang et al. Bsd-guard: a collaborative blockchain-based approach for detection and mitigation of sdn-targeted ddos attacks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant