CN106921666A - A collaboration-based DDoS attack defense system and method - Google Patents
- Publication number
- CN106921666A (CN201710128028.7A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention relates to a collaboration-based DDoS attack defense system applied to SDN networks, comprising a controller and cleaning devices attached to switches. The controller monitors the ports of all switches in the network and steers the network traffic of any abnormal switch port it detects to a cleaning device. The cleaning device analyzes and cleans the network traffic it receives and, based on the result of the analysis, provides a security defense policy to the controller. The controller configures the switches according to the security defense policy, thereby mitigating the attack.
Description
Technical field
The invention relates to the field of network security, and more particularly to a collaboration-based DDoS attack defense system and method.
Background
With the rapid development and wide application of computer science and technology, changes in cyberspace are constantly changing and affecting the way people live. Because people depend more and more on the Internet, a great deal of security-related information about enterprises, individuals and even nations is carried on it, so network security has always been an important topic in the evolution of the technology.
Among the many network attack methods present on the Internet today, the distributed denial-of-service attack (Distributed Denial of Service Attack, DDoS for short) is the most common and is highly destructive. Most distributed denial-of-service attacks come from botnets, whose members cooperate to launch a denial-of-service attack on one or more targets. Because DDoS attacks are simple to mount and well concealed, no means so far can defend against them completely.
Software-defined networking (SDN) is a new network architecture that decouples the control layer from the data layer and thereby provides centralized control of the network. Because the whole network in SDN depends on a single controller, the controller easily becomes a target of DDoS attacks, so this new kind of network faces new security problems. At the same time, because the controller has network-wide management and control, rapid deployment and intelligent scheduling capabilities, it can monitor abnormal traffic quickly and clean it effectively, and therefore offers a good way to defend against DDoS attacks.
Most of the SDN-based DDoS defense methods proposed so far, in China and abroad, run on the SDN controller and perform intrusion detection using methods such as mathematical statistics or neural networks. When an anomaly is detected, the attack source is determined with methods such as traceback algorithms or marking, and the controller blocks the attack source by issuing flow tables. The characteristic of this kind of defense method is that intrusion detection and attack defense are both concentrated on the SDN controller, so the accuracy of intrusion detection depends on the accuracy of the algorithm on the controller, and the robustness of the whole defense system depends on the security of the controller itself. How to make full use of the controller without depending on it too heavily, and how to improve the robustness of the whole defense system, are therefore among the problems that the design of a DDoS defense system needs to address.
Summary of the invention
The invention proposes a collaboration-based DDoS attack defense system that separates the monitoring function from the decision-making function in the defense process: the controller is responsible for monitoring, and the group of cleaning devices is responsible for decision-making. The defense system as a whole therefore does not depend too heavily on the controller while still making full use of controller resources, which improves the robustness of the whole defense system.
To achieve the above object, the following technical solution is adopted:
A collaboration-based DDoS attack defense system, applied to SDN networks, comprising a controller and cleaning devices attached to switches. The controller monitors the ports of all switches in the network and steers the network traffic of any abnormal switch port it detects to a cleaning device. The cleaning device analyzes and cleans the network traffic it receives and, based on the result of the analysis, provides a security defense policy to the controller. The controller configures the switches according to the security defense policy, thereby mitigating the attack.
Preferably, the controller comprises a Packet-In statistics module, a traffic statistics module, a flow table configuration module and a device management module located in the control layer, and a defense policy configuration module, an interaction management module and a logging module located in the application layer.
The Packet-In statistics module performs statistical analysis on the Packet-In packets sent to the controller and, based on the result of the analysis, determines the abnormal switch ports affected by spoofed-IP-address DDoS attacks and by DDoS attacks aimed at the controller.
The traffic statistics module monitors in real time the port traffic of each switch in the SDN network and, based on the monitoring result, determines the abnormal switch ports affected by DDoS attacks launched by botnets.
The flow table configuration module issues flow tables to designated switches so that abnormal network traffic is steered to a cleaning device.
The device management module manages the cleaning devices in the SDN network and records the status information of the cleaning devices.
The defense policy configuration module interacts with the cleaning devices, receives the security defense policy from a cleaning device, and then configures the switches according to that policy.
The interaction management module provides a visual interface for the administrator.
The logging module uploads the log information produced by the defense system to a database.
Preferably, the cleaning device comprises a traffic collection module, a traffic classification module, a traffic processing module and a policy configuration module.
The traffic collection module listens on the network port of the cleaning device and caches the network packets sent to the cleaning device.
The traffic classification module periodically classifies the cached network traffic to obtain its attack type.
The traffic processing module removes the abnormal traffic from the network traffic according to the attack type and then returns the normal traffic to the network.
The policy configuration module derives a security defense policy from a combined analysis of the attack type and the statistical distribution of the abnormal traffic, and sends it to the defense policy configuration module of the controller.
Preferably, when determining the abnormal switch port affected by a spoofed-IP-address DDoS attack, the Packet-In statistics module first computes statistics over the Packet-In packets sent to the controller using an entropy method based on the destination IP address. When the detected entropy is below a preset threshold, it selects, on the switch with the largest contribution rate, the port with the largest share as the abnormal port.
When determining the abnormal switch port affected by a DDoS attack aimed at the controller, the Packet-In statistics module checks the update rate of the MAC-IP binding table of each switch port. When the update rate of a switch port exceeds a preset rate, that port is determined to be an abnormal port.
Preferably, the traffic statistics module determines abnormal ports by measuring the traffic bandwidth of each switch port. When the traffic bandwidth of a switch port has exceeded the set threshold and fails to fall below the preset threshold within the set early-warning duration, the port is determined to be an abnormal port.
Preferably, the flow table configuration module steers abnormal network traffic by issuing flow tables. When the cleaning device and the abnormal port belong to the same switch, the flow table configuration module sends a Flow_Mod message directly to that switch to forward between local ports. When the cleaning device and the abnormal port belong to different switches, the flow table configuration module uses the topology information and Dijkstra's algorithm to obtain the optimal path from the abnormal port to the cleaning device. Once the optimal path is obtained, the flow table configuration module uses the QinQ technique supported by the OpenFlow 1.1 protocol to add a VLAN tag to the network traffic at the abnormal port. The switches along the optimal path forward the network traffic matching that VLAN tag, and the VLAN tag is finally removed at the cleaning device port, which completes the traffic steering.
Preferably, the traffic classification module periodically extracts network packets from the cache and performs feature analysis to obtain a feature tuple, which is fed into a trained BP neural network for classification to obtain the DDoS attack type.
Preferably, the policy configuration module sends the security defense policy to the defense policy configuration module of the controller over an SSL channel.
The invention also provides a method applied to the above system, as follows:
Step 1: The controller monitors the ports of all switches in the network in real time through the Packet-In statistics module and the traffic statistics module, and finds and confirms the abnormal ports affected by a DDoS attack.
Step 2: After an abnormal port is confirmed, the controller uses the flow table configuration module and the device management module to steer the network traffic of the abnormal port to a cleaning device.
Step 3: The cleaning device receives the network traffic from the abnormal port through the traffic collection module.
Step 4: The cleaning device, through the traffic classification module, periodically obtains network traffic from the traffic collection module and classifies it to obtain the DDoS attack type.
Step 5: According to the attack type, the traffic processing module in the cleaning device removes the traffic that matches the attack type and returns the remaining normal traffic to the network.
Step 6: The policy configuration module of the cleaning device analyzes the attack type together with the statistical distribution of the abnormal traffic, derives a security defense policy and sends it to the defense policy configuration module of the controller.
Step 7: After receiving the security defense policy provided by the cleaning device, the defense policy configuration module configures the switches according to the policy, removes the flow entries in the switch that steer traffic to the cleaning device, and uploads the log to the database.
Step 8: The cleaning device cleans the remaining cached network traffic according to the security defense policy until all traffic has been processed, and then notifies the controller to update the device management module.
Compared with the prior art, the beneficial effects of the invention are:
1. The defense system provided by the invention makes full use of the controller's resources and effectively lightens the controller's load. The system defends against DDoS attacks through cooperation between the controller and the group of cleaning devices. Its core is the separation of the monitoring and decision-making functions of the defense process: the controller monitors the switch ports using mathematical-statistics methods, while the finer-grained inspection of network traffic and the security defense policy decisions are handed to the cleaning devices. In this way the controller concentrates on the monitoring function and need not spend resources on decision-making.
2. The defense system provided by the invention has stronger security and robustness. Security is reflected in the cooperation between the controller and the cleaning devices: because the cleaning devices ensure that normal traffic is returned to the network, the controller's false-alarm rate can be reduced, so the security of the whole system does not depend too heavily on the accuracy of the detection algorithm on the controller. Robustness is reflected in the fact that, in the proposed defense method, the controller's first priority is to keep itself working normally and stably while cooperating with the cleaning device cluster, ensuring that it does not collapse under a large-scale DDoS attack.
Brief description of the drawings
Fig. 1 is a schematic diagram of the controller.
Fig. 2 is a schematic diagram of the cleaning device.
Fig. 3 is the topology diagram of the SDN network.
Fig. 4 is the flow chart of the method.
Detailed description
The drawings are for illustration only and shall not be construed as limiting this patent.
The invention is further described below with reference to the drawings and embodiments.
Embodiment 1
The invention provides a collaboration-based DDoS attack defense system whose architecture consists of two main parts: the SDN controller and the group of cleaning devices.
As shown in Fig. 1, the SDN controller comprises modules located in the control layer and modules located in the application layer that use the REST API provided by the controller. The control-layer modules are mainly the Packet-In statistics module, the traffic statistics module, the flow table configuration module and the device management module. The application-layer modules are mainly the defense policy configuration module, the interaction management module and the logging module.
In the control layer of the SDN controller, the Packet-In statistics module performs statistical analysis on the Packet-In packets sent to the controller and, based on the result of the analysis, determines the abnormal switch ports affected by spoofed-IP-address DDoS attacks and by DDoS attacks aimed at the controller. The traffic statistics module monitors in real time the port traffic of each switch in the SDN network and, based on the monitoring result, determines the abnormal switch ports affected by DDoS attacks launched by botnets. The flow table configuration module issues flow tables to designated switches, both to steer abnormal network traffic to a cleaning device and to block attack sources. The device management module manages all cleaning devices in the network and records their status information.
In the application layer of the SDN controller, the defense policy configuration module interacts with the cleaning devices, receives the security defense policy from a cleaning device, and then configures the switches according to that policy. The interaction management module provides a visual interface for the administrator. The logging module uploads the log information produced by the defense system to a database.
As shown in Fig. 2, each cleaning device in the group mainly comprises a traffic collection module, a traffic classification module, a traffic processing module and a policy configuration module. The traffic collection module listens on the network port of the cleaning device and caches the network packets sent to the cleaning device. The traffic classification module periodically classifies the cached network traffic to obtain its attack type. The traffic processing module removes the abnormal traffic from the network traffic according to the attack type and then returns the normal traffic to the network. The policy configuration module derives a security defense policy from a combined analysis of the attack type and the statistical distribution of the abnormal traffic, and sends it to the defense policy configuration module of the controller.
In terms of technical implementation, the system provided by the invention mainly involves traffic monitoring, traffic steering and abnormal traffic classification, specifically:
1) Traffic monitoring: the SDN controller monitors in real time the port traffic of the switches in the local area network through the Packet-In statistics module and the traffic statistics module. This is mainly used to defend against three kinds of DDoS attack: DDoS attacks using spoofed IP addresses, DDoS attacks aimed at the controller, and DDoS attacks launched by botnets.
The SDN controller defends against DDoS attacks that use spoofed IP addresses through the Packet-In statistics module. Because the spoofed IP addresses used in such attacks are mostly randomly generated, the packets tend to match no flow entry in the switch, and the switch then sends them to the controller as Packet-In packets. The Packet-In statistics module exploits this property and performs statistical analysis on the Packet-In packets sent to the controller using an entropy method based on the destination IP address. For a set of packets with window width W, the entropy is computed as follows:
where N is the number of distinct destination IP addresses in the packet set, and p_i is the ratio of the number of packets with the same destination IP address to the total number of packets.
When the Packet-In statistics module detects that the entropy is below the preset threshold, it obtains the destination IP address with the largest share, denoted IP_max. The abnormal traffic port is located by computing the contribution rate of each switch port; for a single switch, the contribution rate is computed as follows:
where i is the switch port number, and P_i is the proportion of packets whose destination IP address is IP_max among all packets sent from that port.
When an anomaly is detected, the Packet-In statistics module generally selects, on the switch with the largest contribution rate, the port number with the largest share as the abnormal traffic port, and notifies the flow table configuration module to steer that port's traffic to a cleaning device.
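The following Python sketch of this detector is an added example, not code from the patent. Because the two formulas are missing from this page, it assumes Shannon entropy over the destination-IP distribution and takes a switch's contribution rate to be the sum of P_i over its ports; the sample window, the threshold and all names are constructed.

```python
import math
from collections import Counter, defaultdict

S1, S2, S3 = ("00:00:00:00:00:00:00:0%d" % n for n in (1, 2, 3))

def window_entropy(dst_counts):
    """Entropy in bits of the destination-IP distribution (assumed Shannon form)."""
    total = sum(dst_counts.values())
    return -sum(c / total * math.log2(c / total) for c in dst_counts.values())

def find_abnormal_port(packet_ins, threshold):
    """packet_ins: (dpid, in_port, dst_ip) tuples for one window of W Packet-In packets.

    Returns the window entropy and, when it is below the threshold, IP_max and
    the (dpid, port) selected as the abnormal traffic port.
    """
    dst_counts = Counter(dst for _, _, dst in packet_ins)
    result = {"entropy": window_entropy(dst_counts), "ip_max": None, "abnormal": None}
    if result["entropy"] >= threshold:
        return result                      # destinations are spread out: no alarm

    ip_max = dst_counts.most_common(1)[0][0]
    sent, hits = Counter(), Counter()
    for dpid, port, dst in packet_ins:
        sent[(dpid, port)] += 1
        if dst == ip_max:
            hits[(dpid, port)] += 1
    # P_i: share of a port's Packet-In packets that are addressed to IP_max.
    share = {key: hits[key] / sent[key] for key in sent}

    # Assumption: a switch's contribution rate is the sum of P_i over its ports.
    contribution = defaultdict(float)
    for (dpid, _), p in share.items():
        contribution[dpid] += p
    worst_switch = max(contribution, key=contribution.get)
    worst_port = max((k for k in share if k[0] == worst_switch), key=share.get)
    result.update(ip_max=ip_max, abnormal=worst_port)
    return result

def sample_attack_window():
    """Constructed window: 20 Packet-In packets, 14 of them addressed to 10.0.0.5."""
    return ([(S3, 1, "10.0.0.5")] * 12
            + [(S3, 2, "10.0.0.5")] + [(S3, 2, "10.0.0.9")] * 3
            + [(S1, 1, "10.0.0.7")] * 2 + [(S1, 1, "10.0.0.5")]
            + [(S2, 1, "10.0.0.8")])

def sample_benign_window():
    """Constructed window: 20 Packet-In packets to 20 different destinations."""
    return [(S1, 1, "10.0.1.%d" % i) for i in range(20)]

if __name__ == "__main__":
    print(find_abnormal_port(sample_attack_window(), threshold=2.0))
    print(find_abnormal_port(sample_benign_window(), threshold=2.0))
```
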
The SDN controller defends against DDoS attacks aimed at the controller through the Packet-In statistics module. Because the purpose of such an attack is to increase the controller's load, the attacker fabricates a large number of forged packets that force the switch to find no matching flow entry, so that the switch sends a large number of Packet-In packets to the controller. The source and destination IP addresses of such Packet-In packets are almost all randomly generated, so the Packet-In statistics module does not analyze the Packet-In packets directly; instead it judges whether an attack is under way from the update rate of the MAC-IP binding table of each switch port. Each entry in the MAC-IP binding table contains the switch Dpid, the switch port number Port, the host MAC address and the host IP address, in the format {Dpid:Port:MACAddress:IPAddress}. The update rate of the MAC-IP binding table is expressed as:
V = v_change + v_add
where v_change is the rate at which IP addresses change on a given switch port within a specific time t, and v_add is the rate at which new MAC-IP bindings are created within the specific time t.
When the update rate of a switch port exceeds the preset rate, the port's traffic is preferably steered to a cleaning device; optionally, the port is blocked or its bandwidth is limited.
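As an added illustration (not code from the patent), the update-rate check V = v_change + v_add can be kept per switch port as below. The window length, rate limit, class and function names and all MAC/IP values are constructed assumptions.

```python
from collections import defaultdict

S3 = "00:00:00:00:00:00:00:03"

class BindingMonitor:
    """Tracks {Dpid:Port:MACAddress:IPAddress} bindings and their update rate."""

    def __init__(self, window_s, max_rate):
        self.window_s = window_s      # the "specific time t", in seconds
        self.max_rate = max_rate      # preset rate, in binding updates per second
        self.table = {}               # (dpid, port, mac) -> ip

    def observe_window(self, events):
        """events: (dpid, port, mac, ip) learned from Packet-In packets during one window.

        Returns {(dpid, port): V} for every port whose V exceeds the preset rate.
        """
        changed = defaultdict(int)    # known MAC now bound to a different IP
        added = defaultdict(int)      # MAC not seen before on this port
        for dpid, port, mac, ip in events:
            key = (dpid, port, mac)
            old = self.table.get(key)
            if old is None:
                added[(dpid, port)] += 1
            elif old != ip:
                changed[(dpid, port)] += 1
            self.table[key] = ip
        flagged = {}
        for port_key in set(changed) | set(added):
            v_change = changed[port_key] / self.window_s
            v_add = added[port_key] / self.window_s
            if v_change + v_add > self.max_rate:
                flagged[port_key] = v_change + v_add
        return flagged

def baseline_events():
    """Constructed: two legitimate hosts, one on each of two ports of S3."""
    return [(S3, 1, "aa:aa:aa:00:00:01", "10.0.0.1"),
            (S3, 2, "aa:aa:aa:00:00:02", "10.0.0.2")]

def forged_events(count, ip_prefix="198.51.100."):
    """Constructed: `count` forged MAC-IP pairs arriving on port 1 of S3."""
    return [(S3, 1, "02:00:00:00:00:%02x" % i, "%s%d" % (ip_prefix, i))
            for i in range(count)]

if __name__ == "__main__":
    monitor = BindingMonitor(window_s=5, max_rate=5.0)
    print(monitor.observe_window(baseline_events()))   # nothing flagged
    print(monitor.observe_window(forged_events(50)))   # port 1 of S3 flagged
```
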
The SDN controller defends against DDoS attacks launched by botnets through the traffic statistics module. Most hosts in a botnet belong to normal users and have been taken over by the attacker, unknowingly or voluntarily, to become zombie hosts, which together send large-scale traffic to the attack target within a short time. The traffic statistics module therefore has the controller perform statistical analysis on the flow tables of each switch and compute the traffic bandwidth of each switch port, using the following formula:
where Δt is the controller-configured interval between successive reads of a switch's flow table, and C_t is the number of packet bytes sent by a given switch port at time t.
When the controller observes that the traffic bandwidth of a switch port in the network has exceeded the set threshold within the interval Δt, then, to prevent false alarms, the port is judged to be an abnormal traffic port only if the traffic bandwidth fails to fall below the preset threshold within the set early-warning duration t_alarm. The flow table configuration module is then notified to steer the port's traffic to a cleaning device.
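The early-warning logic above can be sketched as follows; this is an added example, not code from the patent. The bandwidth formula is missing from this page, so the sketch assumes bandwidth = (C_t - C_(t-Δt)) / Δt over cumulative byte counters, and counts consecutive over-threshold intervals until they cover t_alarm. All values and names are constructed.

```python
class PortBandwidthMonitor:
    """Flags a port only when its bandwidth stays above the threshold for t_alarm."""

    def __init__(self, interval_s, threshold_bps, alarm_s):
        self.interval_s = interval_s        # Δt: polling interval for port counters
        self.threshold_bps = threshold_bps  # bandwidth threshold, in bits per second
        self.alarm_s = alarm_s              # t_alarm: early-warning duration
        self.last_bytes = {}                # port -> last cumulative byte counter
        self.over_for = {}                  # port -> seconds spent above threshold

    def sample(self, port, byte_count):
        """Feed one cumulative byte counter reading; returns True if port is abnormal."""
        prev = self.last_bytes.get(port)
        self.last_bytes[port] = byte_count
        if prev is None or byte_count < prev:
            # First reading, or the switch counter was reset: no rate can be computed.
            self.over_for[port] = 0
            return False
        bandwidth_bps = (byte_count - prev) * 8 / self.interval_s
        if bandwidth_bps > self.threshold_bps:
            self.over_for[port] = self.over_for.get(port, 0) + self.interval_s
        else:
            self.over_for[port] = 0         # burst ended: clear the early warning
        return self.over_for[port] >= self.alarm_s

def first_alarm_index(monitor, port, counters):
    """Index of the first reading at which the port is flagged, or None."""
    for index, value in enumerate(counters):
        if monitor.sample(port, value):
            return index
    return None

# Constructed counter readings for two ports, taken every 2 seconds.
BURST = [0, 100_000, 5_000_000, 5_100_000, 5_200_000, 5_300_000]
SUSTAINED = [0, 3_000_000, 6_000_000, 9_000_000, 12_000_000]

if __name__ == "__main__":
    mon = PortBandwidthMonitor(interval_s=2, threshold_bps=8_000_000, alarm_s=6)
    print(first_alarm_index(mon, ("S3", 2), BURST))      # short burst, never flagged
    print(first_alarm_index(mon, ("S3", 1), SUSTAINED))  # flagged once 6 s are covered
```
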
2) Traffic steering: the flow table configuration module on the SDN controller steers abnormal traffic by issuing flow tables. When the cleaning device and the abnormal traffic port belong to the same switch, the controller sends a Flow_Mod message directly to that switch to forward between local ports. When the cleaning device and the abnormal traffic port belong to different switches, the flow table configuration module uses the topology information and Dijkstra's algorithm to obtain the optimal path from the abnormal traffic port to the cleaning device. Once the optimal path is obtained, the controller uses the QinQ technique supported by the OpenFlow 1.1 protocol to add a VLAN tag to the network traffic at the abnormal traffic port, has the switches on the optimal path forward the network traffic matching that VLAN tag, and finally removes the VLAN tag at the cleaning device port, which completes the traffic steering.
3) Abnormal traffic classification: the traffic classification module in the cleaning device classifies network traffic with a BP neural network. Before classification can be performed, the BP neural network model must be trained; the training samples come mainly from large amounts of network traffic data on the real Internet (including both normal and abnormal network traffic). After training is complete, the traffic classification module periodically extracts packets from the cache and performs feature analysis to obtain a feature tuple, which is a set of representative feature values selected according to the DDoS attack types to be detected. The feature tuple is then fed into the BP neural network, whose output is the attack type of the network traffic.
Fig. 3 shows the network topology of this embodiment. The figure shows an SDN network in which C is the SDN controller; S1, S2, S3, S4 and S5 are switches supporting the OpenFlow 1.1 protocol; and Q1, Q2 and Q3 are cleaning devices deployed in the network.
As shown in Fig. 4, the collaboration-based DDoS attack defense method provided by the invention can, for this embodiment, be divided into the following 8 steps:
Step 1: The attacker launches a DDoS attack. The SDN controller monitors in real time the port traffic of the switches in the local area network through the Packet-In statistics module and the traffic statistics module, and finds and confirms the source of the abnormal traffic of the DDoS attack. Depending on the attacker's target and means, the SDN controller uses different monitoring methods:
1) The attacker launches a DDoS attack on target H using spoofed IP addresses. When the network traffic reaches switch S3, because the spoofed IP addresses used in such attacks are mostly randomly generated, the packets tend to match no flow entry in switch S3. In this case switch S3 sends them to the controller as Packet-In packets. Because the destination IP addresses of these Packet-In packets are overly concentrated, the controller's Packet-In statistics module detects that the entropy is below the preset threshold. Based on the destination IP address, the controller then learns that switch S3 has the largest contribution rate and that, within switch S3, port 1 accounts for the largest share, so the controller takes port 1 of switch S3 as the abnormal traffic port.
2) The attacker launches a DDoS attack aimed at controller C. Because the purpose of such an attack is to increase the controller's load, the attacker fabricates a large number of forged packets that force the switch to find no matching flow entry, so that a large number of Packet-In packets are sent to the controller. Because the MAC-IP address pairs in these forged packets are all randomly generated, the controller treats them as newly joined hosts and learns them. In this case the controller's Packet-In statistics module detects that the MAC-IP binding table update rate of port 1 of switch S3 has exceeded the preset rate, so the controller takes that port as the abnormal traffic port.
3) The attacker launches a DDoS attack on target H through a botnet. Because a botnet can generate a large volume of traffic directed at the attack target within a short time, the controller's traffic statistics module detects a sudden surge in the traffic of port 1 of switch S3. To prevent false alarms, the controller waits a short time and checks again; the traffic bandwidth has not returned to its normal level, so the controller takes port 1 of switch S3 as the abnormal traffic port.
Step 2: After the source of the abnormal traffic is confirmed, the flow table configuration module on the SDN controller steers the abnormal traffic by issuing flow tables. The device management module of the controller stores the status information of all cleaning devices in the network; in this embodiment, the initial status information is:
DPID | PORT | STATE |
00:00:00:00:00:00:00:01(s1) | 3 | NONE |
00:00:00:00:00:00:00:03(s3) | 4 | NONE |
00:00:00:00:00:00:00:04(s4) | 4 | NONE |
After detecting that port 1 of switch S3 is an abnormal traffic port, the controller learns from the device management module that an idle cleaning device, Q1, is attached to port 4 of switch S3. The controller therefore sends a Flow_Mod message directly to switch S3 to forward between the ports. The Flow_Mod message is as follows:
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","active":"true","actions":"output=4"}
The cleaning device status table in the device management module is now updated to:
DPID | PORT | STATE |
00:00:00:00:00:00:00:01(s1) | 3 | NONE |
00:00:00:00:00:00:00:03(s3) | 4 | {"00:00:00:00:00:00:00:03":"1"} |
00:00:00:00:00:00:00:04(s4) | 4 | NONE |
If cleaning device Q1 is not idle, the controller uses the topology information and the cleaning device status table in the device management module to obtain, with Dijkstra's algorithm, the optimal path from the abnormal traffic port to a cleaning device. In this embodiment, the optimal path is S3(1) -> S3(3) -> S4(1) -> S4(4).
After the optimal path is obtained, the controller uses the QinQ technique supported by the OpenFlow 1.1 protocol and sends Flow_Mod messages to the switches on the path to steer the abnormal traffic to the cleaning device. The Flow_Mod messages are as follows:
Configuration of S3:
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","active":"true","actions":"push_vlan=123,output=3"}
Configuration of S4:
{"switch":"00:00:00:00:00:00:00:04","cookie":"0","eth_vlan_vid":"123","active":"true","actions":"pop_vlan,output=4"}
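The steering decision of step 2 can be sketched in Python as below; this is an added example, not code from the patent. The flow-entry fields follow the Flow_Mod messages above and the device table follows the status table above, while the link map is constructed (only the S3 port 3 to S4 port 1 link comes from the text), every link is given cost 1, and the function names are hypothetical.

```python
import heapq

S1, S2, S3, S4 = ("00:00:00:00:00:00:00:0%d" % n for n in (1, 2, 3, 4))

# Constructed topology: LINKS[a][b] is the port on switch a that faces switch b.
LINKS = {S3: {S4: 3, S2: 2}, S4: {S3: 1}, S2: {S3: 1, S1: 2}, S1: {S2: 1}}

def sample_devices(busy=()):
    """Cleaning device table: dpid -> (port, state); state None means idle (NONE)."""
    table = {S1: (3, None), S3: (4, None), S4: (4, None)}
    for dpid in busy:
        table[dpid] = (table[dpid][0], {"constructed": "busy"})
    return table

def shortest_path(links, src, targets):
    """Dijkstra with unit link cost; returns the switch path to the nearest target."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                       # stale heap entry
        if node in targets:
            path = [node]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return path[::-1]
        for neighbor in sorted(links.get(node, {})):
            if d + 1 < dist.get(neighbor, float("inf")):
                dist[neighbor], prev[neighbor] = d + 1, node
                heapq.heappush(heap, (d + 1, neighbor))
    return None

def flow_entry(switch, match, actions):
    entry = {"switch": switch, "cookie": "0"}
    entry.update(match)
    entry.update({"active": "true", "actions": actions})
    return entry

def plan_steering(links, devices, abnormal, vlan_id):
    """Returns the Flow_Mod entries that steer `abnormal` = (dpid, port) to the
    nearest idle cleaning device and marks that device busy; None if none is idle."""
    dpid, in_port = abnormal
    idle = {d: port for d, (port, state) in devices.items() if state is None}
    path = shortest_path(links, dpid, set(idle))
    if path is None:
        return None
    last = path[-1]
    if len(path) == 1:                     # device on the same switch: local forwarding
        flows = [flow_entry(dpid, {"in_port": str(in_port)}, "output=%d" % idle[dpid])]
    else:
        tagged = {"eth_vlan_vid": str(vlan_id)}
        flows = [flow_entry(dpid, {"in_port": str(in_port)},
                            "push_vlan=%d,output=%d" % (vlan_id, links[dpid][path[1]]))]
        for here, nxt in zip(path[1:-1], path[2:]):
            flows.append(flow_entry(here, tagged, "output=%d" % links[here][nxt]))
        flows.append(flow_entry(last, tagged, "pop_vlan,output=%d" % idle[last]))
    devices[last] = (idle[last], {dpid: str(in_port)})   # STATE column of the table
    return flows

if __name__ == "__main__":
    for entry in plan_steering(LINKS, sample_devices(busy=[S3]), (S3, 1), 123):
        print(entry)
```
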
Step 3:Cleaning equipment Q1 receives No. 1 network traffics of port from interchanger S3 by flow collection module;
Step 4:Traffic classification module periodically extracts packet from caching and carries out signature analysis in cleaning equipment Q1,
The feature tuple that will be obtained is input in the BP neural network for passing through training, draws ddos attack type;
Step 5:According to attack type, flow processing module can will meet the flow of the attack type and pick in cleaning equipment
Remove, remaining normal discharge is back in network.In the present embodiment, cleaning equipment Q1 will be normal discharge from interchanger S3's
No. 4 ports are back in network.
Step 6: The policy configuration module in the cleaning equipment combines the attack type with the statistical distribution of the abnormal traffic and derives a security defense policy. The policy contains the DPID of the switch to which the cleaning equipment is attached, the switch port number, the attack type, the defense mechanism and the defense object, in the form {Dpid:Port:Type:Way:Object}. One possible security defense policy in this embodiment is:
{"00:00:00:00:00:00:00:03":"4":SynFlood:Drop_IP:{"172.18.216.23","172.18.216.45"}}
This means that the cleaning equipment at port 4 of switch S3 has detected a SYN flood attack and recommends that the switch drop packets whose IP address is 172.18.216.23 or 172.18.216.45.
The cleaning equipment sends the security defense policy over an SSL channel to the defense policy configuration module in the controller's application layer;
Step 7: After receiving the security policy provided by the cleaning equipment, the controller can determine from the device management module that cleaning equipment Q1 is processing the traffic of port 1 of switch S3, so switch S3 can be configured according to the security policy. Based on the security defense policy given in Step 6, the controller issues flow entries to switch S3 that block the attack sources. The specific Flow_Mod messages are as follows:
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","ipv4_src":"172.18.216.23","active":"true","actions":"drop"}
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","ipv4_src":"172.18.216.45","active":"true","actions":"drop"}
At the same time, the controller removes from the switches the flow entries that steer traffic to the cleaning equipment, and uploads the log to the database.
Step 8: Since the attack type is now known, the cleaning equipment cleans the traffic still in its cache according to the security defense policy until all of it has been processed. It then sends a WORK_DONE instruction to the controller in the same format as the security defense policy. In this embodiment the instruction is:
{"00:00:00:00:00:00:00:03":"4":WORK_DONE:NONE:NONE}
After receiving the instruction, the controller updates the device management module and sets the state of cleaning equipment Q1 to idle.
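Added example, not part of the patent text: a sketch of how a controller could parse the {Dpid:Port:Type:Way:Object} messages of Steps 6 and 8 and turn a Drop_IP policy into the Flow_Mod entries of Step 7. The function names, the layout of the device table, the MAX_OBJECTS cap and the validation rules are assumptions; the message strings and field names are the ones given in the embodiment.

```python
import ipaddress
import json
import re

# Wire format from the embodiment: {Dpid:Port:Type:Way:Object}. It is not valid
# JSON (unquoted tokens, colons inside the DPID), so it needs its own parser.
POLICY_RE = re.compile(
    r'^\{\s*"(?P<dpid>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})"\s*:'
    r'\s*"(?P<port>\d+)"\s*:\s*(?P<type>\w+)\s*:\s*(?P<way>\w+)\s*:'
    r'\s*(?P<object>NONE|\{.*\})\s*\}$'
)
MAX_OBJECTS = 64  # assumption: cap on drop rules accepted from one policy

# The two messages shown in the embodiment.
PAGE_POLICY = ('{"00:00:00:00:00:00:00:03":"4":SynFlood:Drop_IP:'
               '{"172.18.216.23","172.18.216.45"}}')
PAGE_WORK_DONE = '{"00:00:00:00:00:00:00:03":"4":WORK_DONE:NONE:NONE}'


def parse_policy(message):
    """Parse one policy or instruction message; raise ValueError if malformed."""
    m = POLICY_RE.match(message.strip())
    if m is None:
        raise ValueError("malformed policy message")
    raw, objects = m.group("object"), []
    if raw != "NONE":
        try:
            objects = json.loads("[" + raw[1:-1] + "]")
        except json.JSONDecodeError as exc:
            raise ValueError("malformed object list") from exc
        if not all(isinstance(o, str) for o in objects):
            raise ValueError("object entries must be quoted strings")
        # Only literal IPv4 addresses may end up in a match field.
        objects = [str(ipaddress.IPv4Address(o)) for o in objects]
    return {"dpid": m.group("dpid"), "port": m.group("port"),
            "type": m.group("type"), "way": m.group("way"), "objects": objects}


def apply_policy(message, devices):
    """Return the Flow_Mod entries a message calls for and update device state.

    `devices` stands in for the device management module (hypothetical layout):
    (dpid, port) of a cleaning equipment -> {"state": "busy" | "idle",
    "serving": (dpid, in_port) of the abnormal port, or None}.
    """
    p = parse_policy(message)
    dev = devices.get((p["dpid"], p["port"]))
    # Accept messages only from cleaning equipment the controller put to work.
    if dev is None or dev["state"] != "busy":
        raise ValueError("message from unknown or idle cleaning equipment")
    if p["type"] == "WORK_DONE":          # Step 8: release the equipment
        dev["state"], dev["serving"] = "idle", None
        return []
    if p["way"] != "Drop_IP":
        raise ValueError("unsupported defense mechanism: " + p["way"])
    if not 0 < len(p["objects"]) <= MAX_OBJECTS:
        raise ValueError("policy must name between 1 and MAX_OBJECTS addresses")
    switch, in_port = dev["serving"]      # Step 7: block at the abnormal port
    return [{"switch": switch, "cookie": "0", "in_port": in_port,
             "ipv4_src": ip, "active": "true", "actions": "drop"}
            for ip in p["objects"]]


if __name__ == "__main__":
    S3 = "00:00:00:00:00:00:00:03"
    table = {(S3, "4"): {"state": "busy", "serving": (S3, "1")}}
    for entry in apply_policy(PAGE_POLICY, table):
        print(json.dumps(entry))
    apply_policy(PAGE_WORK_DONE, table)
    print(table[(S3, "4")]["state"])
```

Because a policy installs drop rules on a switch, the sketch rejects messages from equipment that is not marked busy and anything in the object list that is not a literal IPv4 address.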
Obviously, the above embodiments of the present invention are only examples given to illustrate the invention clearly and do not limit its embodiments. Those of ordinary skill in the art can make other changes in different forms on the basis of the above description. It is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the claims of the present invention.
Claims (9)
1. A DDoS attack defense system based on cooperative theory, applied to an SDN, characterized in that it comprises a controller and cleaning equipment attached to switches; the controller monitors the ports of all switches in the network and steers the network traffic of an abnormal switch port it detects to the cleaning equipment; the cleaning equipment analyzes and cleans the network traffic it receives and, based on the result of the analysis, provides a security defense policy to the controller; the controller configures the switches based on the security defense policy, thereby mitigating the attack.
2. The DDoS attack defense system based on cooperative theory according to claim 1, characterized in that the controller comprises a Packet-In statistics module, a flow statistics module, a flow table configuration module and a device management module located in the control layer, and a defense policy configuration module, an interactive maintenance module and a logger module located in the application layer;
wherein the Packet-In statistics module performs statistical analysis on the Packet-In messages sent to the controller and, based on the result of the analysis, determines the abnormal switch ports affected by DDoS attacks with forged IP addresses and by DDoS attacks against the controller;
the flow statistics module monitors in real time the port traffic of each switch in the SDN and, based on the result of the monitoring, determines the abnormal switch ports affected by DDoS attacks launched by a botnet;
the flow table configuration module issues flow entries to designated switches so that abnormal network traffic is steered to the cleaning equipment;
the device management module manages the cleaning equipment in the SDN and records the status information of the cleaning equipment;
the defense policy configuration module interacts with the cleaning equipment, receives the security defense policy from the cleaning equipment, and configures the switches based on that policy;
the interactive maintenance module provides a visual interface for the administrator;
the logger module uploads the log information produced by the defense system to a database.
3. The DDoS attack defense system based on cooperative theory according to claim 2, characterized in that the cleaning equipment comprises a flow collection module, a traffic classification module, a flow processing module and a policy configuration module;
wherein the flow collection module listens on the network port of the cleaning equipment and caches the network packets sent to the cleaning equipment;
the traffic classification module periodically performs classification and detection on the cached network traffic to obtain its attack type;
the flow processing module removes the abnormal traffic from the network traffic according to the attack type and returns the normal traffic to the network;
the policy configuration module derives a security defense policy from a combined analysis of the attack type and the statistical distribution of the abnormal traffic, and sends it to the defense policy configuration module of the controller.
4. The DDoS attack defense system based on cooperative theory according to claim 2, characterized in that, when determining an abnormal switch port affected by a DDoS attack with forged IP addresses, the Packet-In statistics module first applies an entropy statistic based on destination IP address to the Packet-In messages sent to the controller; when the entropy is detected to be below a preset threshold, it selects, in the switch that provides the largest contribution rate, the port with the largest share as the abnormal port;
when determining an abnormal switch port affected by a DDoS attack against the controller, the Packet-In statistics module checks the update rate of the MAC-IP binding table of each switch port; when the update rate of a port of a switch exceeds a predetermined rate, that port is determined to be abnormal.
5. The DDoS attack defense system based on cooperative theory according to claim 2, characterized in that the flow statistics module determines abnormal ports by checking the traffic bandwidth of each switch port; when the traffic bandwidth of a switch port exceeds the set threshold and fails to fall below the preset threshold within the set early-warning duration, the port is determined to be abnormal.
6. The DDoS attack defense system based on cooperative theory according to claim 2, characterized in that the flow table configuration module steers abnormal network traffic by issuing flow entries; when the cleaning equipment and the abnormal port belong to the same switch, the flow table configuration module directly issues a Flow_Mod message to that switch for local port forwarding; when the cleaning equipment and the abnormal port belong to different switches, the flow table configuration module uses the topology information and Dijkstra's algorithm to obtain the optimal path from the abnormal port to the cleaning equipment; after obtaining the optimal path, the flow table configuration module uses the QinQ technique supported by the OpenFlow 1.1 protocol to add a VLAN tag to the network traffic at the abnormal port; the switches on the optimal path forward the network traffic that matches the VLAN tag, and the VLAN tag is finally removed at the cleaning equipment port, completing the traffic steering.
7. The DDoS attack defense system based on cooperative theory according to claim 3, characterized in that the traffic classification module periodically extracts network packets from the cache and performs feature analysis to obtain a feature tuple, which is input to a trained BP neural network for classification to obtain the DDoS attack type.
8. The DDoS attack defense system based on cooperative theory according to claim 3, characterized in that the policy configuration module sends the security defense policy to the defense policy configuration module of the controller over an SSL channel.
9. A method using the system according to claim 3, characterized in that it comprises the following steps:
Step 1: The controller monitors the ports of all switches in the network in real time through the Packet-In statistics module and the flow statistics module, and finds and confirms the abnormal ports under DDoS attack;
Step 2: After an abnormal port is confirmed, the controller steers the network traffic of the abnormal port to the cleaning equipment through the flow table configuration module and the device management module;
Step 3: The cleaning equipment receives the network traffic from the abnormal port through the flow collection module;
Step 4: The cleaning equipment periodically obtains network traffic from the flow collection module through the traffic classification module, and obtains the DDoS attack type by classification and detection;
Step 5: According to the attack type, the flow processing module in the cleaning equipment removes the traffic that matches the attack type and returns the remaining normal traffic to the network;
Step 6: The policy configuration module of the cleaning equipment analyzes the attack type together with the statistical distribution of the abnormal traffic, derives a security defense policy and sends it to the defense policy configuration module of the controller;
Step 7: After receiving the security defense policy provided by the cleaning equipment, the defense policy configuration module configures the switches according to the policy, removes from the switches the flow entries that steer traffic to the cleaning equipment, and uploads the log to the database;
Step 8: The cleaning equipment cleans the network traffic still in its cache according to the security defense policy until all traffic has been processed, and then notifies the controller to update the device management module.
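Added example, not part of the patent text: a sketch of the destination-IP entropy test of claim 4 over one window of Packet-In records. The record layout, the threshold value and the reading of "contribution rate" as a switch's share of the Packet-In messages for the most frequent destination are assumptions; both sample windows are constructed.

```python
import math
from collections import Counter

S3 = "00:00:00:00:00:00:00:03"  # DPID used for switch S3 in the embodiment
S2 = "00:00:00:00:00:00:00:02"  # constructed DPID for a second switch
THRESHOLD_BITS = 2.0            # constructed value; the patent only says "preset"


def dst_entropy(packet_ins):
    """Shannon entropy in bits of the destination-IP distribution in a window."""
    counts = Counter(p["dst"] for p in packet_ins)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def find_abnormal_port(packet_ins, threshold=THRESHOLD_BITS):
    """Return (dpid, in_port) of the abnormal port, or None if entropy is normal."""
    if not packet_ins or dst_entropy(packet_ins) >= threshold:
        return None
    # Low entropy means Packet-In messages concentrate on few destinations,
    # as happens when forged sources all miss the flow table on the way to
    # one victim. Take the most frequent destination as that victim.
    victim = Counter(p["dst"] for p in packet_ins).most_common(1)[0][0]
    hits = [p for p in packet_ins if p["dst"] == victim]
    # Switch with the largest contribution, then its port with the largest share.
    dpid = Counter(p["dpid"] for p in hits).most_common(1)[0][0]
    ports = Counter(p["in_port"] for p in hits if p["dpid"] == dpid)
    return dpid, ports.most_common(1)[0][0]


def constructed_windows():
    """Build a normal window and an attack window (constructed sample data)."""
    # 40 Packet-Ins spread evenly over 8 destinations: entropy is 3 bits.
    normal = [{"dpid": S2, "in_port": 2, "dst": "10.0.0.%d" % (i % 8 + 1)}
              for i in range(40)]
    # 200 Packet-Ins for one destination, most of them entering at S3 port 1.
    flood = ([{"dpid": S3, "in_port": 1, "dst": "10.0.0.80"}] * 150
             + [{"dpid": S3, "in_port": 2, "dst": "10.0.0.80"}] * 20
             + [{"dpid": S2, "in_port": 2, "dst": "10.0.0.80"}] * 30)
    return normal, normal + flood


if __name__ == "__main__":
    normal, attack = constructed_windows()
    for name, window in (("normal", normal), ("attack", attack)):
        print(name, round(dst_entropy(window), 3), find_abnormal_port(window))
```

A single fixed threshold also fires on legitimate flash crowds toward one server, so in practice the threshold is tuned per network against baseline windows.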
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710128028.7A CN106921666B (en) | 2017-03-06 | 2017-03-06 | DDoS attack defense system and method based on cooperative theory |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106921666A true CN106921666A (en) | 2017-07-04 |
CN106921666B CN106921666B (en) | 2020-10-02 |
Family
ID=59462052
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710128028.7A Active CN106921666B (en) | 2017-03-06 | 2017-03-06 | DDoS attack defense system and method based on cooperative theory |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106921666B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN106921666B (en) | 2020-10-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||