CN109120630B - SDN network DDoS attack detection method based on BP neural network optimization - Google Patents


Publication number
CN109120630B
Authority
CN
China
Legal status
Active
Application number
CN201811019356.4A
Other languages
Chinese (zh)
Other versions
CN109120630A (en)
Inventor
路雪
韩德志
俞云萍
王军
毕坤
潘楠楠
Current Assignee
Shanghai Maritime University
Original Assignee
Shanghai Maritime University
Application filed by Shanghai Maritime University
Priority to CN201811019356.4A
Publication of CN109120630A
Application granted
Publication of CN109120630B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention provides an SDN network DDoS attack detection method based on an optimized BP neural network. The method comprehensively extracts six DDoS-related feature values from the flow table in an SDN network environment: the source IP address growth rate GSIP, the change in flow survival time ADF, the pair-flow ratio PPF, the port growth rate GSP, the flow table entry rate RFE and the flow matching success rate RFM. Setting a trigger threshold reduces the load on the SDN network. The BP neural network is optimized by the particle swarm algorithm: using the global optimization property of the particle swarm algorithm, the mean square error of the BP neural network is selected as the fitness function of the particle swarm algorithm, and the value with the best fitness is selected as the thresholds and weights of the BP neural network. This avoids the slow convergence of the BP neural network when solving for the optimal solution and its tendency to fall into a local optimum, and improves detection precision.

Description

SDN network DDoS attack detection method based on BP neural network optimization
Technical Field
The invention relates to a DDoS attack detection technology, in particular to an SDN network DDoS attack detection method based on an optimized BP neural network.
Background
Distributed Denial of Service (DDoS) attacks are one of the major threats facing the internet today. A DDoS attacker first gathers a large number of puppet machines by exploiting vulnerabilities in internet users' systems, then coordinates these puppet machines to forge data at the same time and send illegitimate requests that paralyse the target host. This leaks the personal information of large numbers of users and causes economic losses for many enterprises. Existing DDoS attack detection mainly targets the traditional network architecture. The software-defined network (SDN) is a newer network architecture that separates the network control plane from the data plane and offers advantages in programmability, hardware generality, and management and control. However, because the control plane and the data plane are decoupled, the network loses control when the connection between a switch and the controller fails. Controller security is therefore one of the security guarantees of the whole SDN network, DDoS attacks are one of the threats to controller security, and accurate detection of DDoS attacks is crucial to SDN security.
Although existing work offers many effective DDoS attack detection methods, they either rely only on the interaction characteristics of network flows, so the judgement is not comprehensive enough, or the detection model converges slowly, training takes a long time, the algorithm used does not reach the optimal solution, and the accuracy of the detection result is low.
Disclosure of Invention
To address the shortcomings of existing attack detection methods, the invention provides an SDN network DDoS attack detection method based on an optimized BP neural network. It extracts the feature values in the flow table more comprehensively in an SDN network environment, reduces the load on the SDN network by setting a trigger threshold, and optimizes the BP neural network with the particle swarm algorithm, which avoids the slow convergence of the BP neural network when solving for the optimal solution and its tendency to fall into a local optimum, and improves detection precision.
The technical scheme of the invention provides an SDN network DDoS attack detection method based on an optimized BP neural network, which comprises the following steps:
step 1, a flow table collecting module in a Software Defined Network (SDN) controller periodically sends a flow table request to an OpenFlow switch, the OpenFlow switch sends flow table information to a feature extraction module in the SDN controller through a secure channel, and the periodic acquisition time interval is T;
the OpenFlow switch is responsible for forwarding a data packet according to a flow table in an SDN network and comprises the flow table, a secure channel for communication of an SDN controller and the OpenFlow switch and an OpenFlow protocol;
step 2, a feature extraction module in the SDN controller analyses the acquired flow table information, extracts it and converts it into six pieces of one-dimensional feature information related to DDoS attacks, forming a six-tuple sample feature sequence S″ that includes: the source IP address growth rate GSIP, the change in flow survival time ADF, the pair-flow ratio PPF, the port growth rate GSP, the flow table entry rate RFE and the flow matching success rate RFM;
step 3, initializing parameters of the BP neural network algorithm, and taking weights and thresholds between an input layer and a hidden layer and between the hidden layer and an output layer as optimization targets of the particle swarm algorithm;
step 4, initializing parameters of the particle swarm algorithm, calculating the fitness value, obtaining the individual optimal position and the global optimal position of the particles, and, when the particle iteration count $k$ equals $k_{max}$, outputting the global optimal position;
step 5, the BP neural network optimized by the particle swarm receives training samples and conducts repeated training to obtain an optimal model finally used for DDoS attack detection;
step 6, the SDN controller sets a trigger threshold; once any feature value in the data flow feature sequence S' collected in real time exceeds the trigger threshold, it is regarded as a suspected attack point, and the BP neural network optimized by particle swarm is activated to carry out DDoS attack detection on the data flow packets in real time;
step 7, if the detection result is a DDoS attack, an attack detection module in the SDN controller sends an attack warning to the SDN controller, and the SDN controller sends an instruction to the firewall to change the firewall configuration and at the same time instructs the OpenFlow switch to change the relevant flow entry configuration and discard the attack data packets.
Further, the specific process of step 3 is as follows:
3-1 initializing weights and thresholds between an input layer and a hidden layer and between the hidden layer and an output layer;
3-2 in the BP neural network, the input training sample vector is $X = (x_1, x_2, \ldots, x_n)$, the numbers of neurons in the input layer, hidden layer and output layer are n, p and q respectively, and the output value of the hidden layer neuron is calculated by equation (1):
Figure BDA0001786939240000031
where $w_{ij}$ is the weight between the ith neuron of the input layer and the jth neuron of the hidden layer, and $\theta_j$ is the threshold of the jth neuron of the hidden layer;
the output values of the output layer neurons are calculated by equation (2):
Figure BDA0001786939240000032
where $v_{jt}$ is the weight between the jth neuron of the hidden layer and the tth neuron of the output layer, and $r_t$ is the threshold of the tth neuron of the output layer;
$f(x)$ is the excitation function between neurons, as shown in equation (3) below:
Figure BDA0001786939240000033
3-3 for each training sample, calculating the mean square error between the actual output value and the expected output value, as shown in equation (4):
Figure BDA0001786939240000034
where
Figure BDA0001786939240000035
is the desired output value of the output layer,
Figure BDA0001786939240000036
is the actual output value of the output layer, and k denotes the kth training sample;
3-4 according to the mean square error, adjusting the weight and threshold between the input layer and the hidden layer, and between the hidden layer and the output layer according to the following formula (5) and formula (6).
Figure BDA0001786939240000041
Figure BDA0001786939240000042
where $\eta$ is the given learning rate during training;
3-5, calculating new weight values and new threshold values between the input layer and the hidden layer and between the hidden layer and the output layer through the previous step;
3-6, repeating the steps, and training by using a BP neural network algorithm until the error of the output result reaches a set limit precision value.
Further, the specific process of step 4 is as follows:
4-1 initializing the population size M and the dimension D of each particle, and randomly generating the initial particle positions $X_i = (x_{i1}, x_{i2}, \ldots, x_{iD})^T$ ($i = 1, 2, 3, \ldots, M$) and velocities $V_i = (v_{i1}, v_{i2}, \ldots, v_{iD})^T$; during iteration, ensuring $x \in [x_{min}, x_{max}]$ and $v \in [v_{min}, v_{max}]$; setting the maximum number of iterations $k_{max}$ and the termination condition;
4-2 calculating the fitness value $F_i(x)$ of each particle according to the fitness function $F(x)$, storing each particle's position and fitness as its individual optimal position, and storing the position and fitness of the individual with the best fitness among all particles as the global optimal position;
where the individual optimal position of the ith particle is denoted $P_i = (P_{i1}, P_{i2}, P_{i3}, \ldots, P_{iD})^T$ and the global optimal position of all particles is denoted $P_g = (P_{g1}, P_{g2}, P_{g3}, \ldots, P_{gD})^T$;
4-3, judging whether the termination condition is met, if not, updating the speed and the position of the particle by using the following formula (7) and formula (8);
Figure BDA0001786939240000043
where k denotes the current (kth) iteration, $w$ is the inertia weight, $c_1$ is the local acceleration factor, $c_2$ is the global acceleration factor, $r_1$, $r_2$ are random numbers in the interval $[0,1]$, and $j = 1, 2, \ldots, D$;
Figure BDA0001786939240000051
when the speed and the position of the particle are updated each time, the value of each parameter is determined by using the following formula (9):
$w_k = [(w_0 - w_1)\cos(\pi k / k_{max}) + (w_0 + w_1)]/2$
Figure BDA0001786939240000052
Figure BDA0001786939240000053
where $w_0$, $w_1$ are the starting and ending values of $w$; $c_{10}$, $c_{11}$ are the starting and ending values of $c_1$; $c_{20}$, $c_{21}$ are the starting and ending values of $c_2$. Calculating the parameters in this way ensures that the optimal solution can be found quickly during iteration without being trapped in local search;
4-4 recalculating the fitness value of each particle;
4-5 updating the individual optimal position $P_i = (P_{i1}, P_{i2}, P_{i3}, \ldots, P_{iD})^T$ of each particle and the global optimal position $P_g = (P_{g1}, P_{g2}, P_{g3}, \ldots, P_{gD})^T$ according to the fitness function, using the following equations (10) and (11):
Figure BDA0001786939240000054
Figure BDA0001786939240000055
4-6 repeating the above steps until the particle iteration count $k$ equals $k_{max}$, then outputting the global optimal position $P_g$.
Further, the specific process of step 5 is as follows:
5-1, in a data training module in an SDN controller, a BP neural network optimized by particle swarm receives a training sample, and the number of neurons of an input layer, a hidden layer and an output layer of the BP neural network is determined;
5-2, initializing a BP neural network structure, and determining related parameters of the BP neural network and a particle swarm algorithm;
the BP neural network adopts a three-layer neural network structure, and the dimension D of particles in the particle swarm algorithm is shown in a formula (12):
$D = D_{in} D_h + D_h D_{out} + D_h + D_{out}$ (12)
where $D_{in}$, $D_h$, $D_{out}$ are the numbers of neurons in the input layer, hidden layer and output layer respectively;
5-3 randomly generating the position and velocity of the initial particles;
5-4 training a BP neural network, taking the mean square error between an actual output value and an expected output value as a fitness function of a particle swarm algorithm, and calculating the fitness value of each particle as shown in a formula (13);
Figure BDA0001786939240000061
where
Figure BDA0001786939240000062
is the desired output value of the output layer,
Figure BDA0001786939240000063
is the actual output value of the output layer, and $D_{out}$ is the number of neurons in the output layer;
5-5 obtaining the individual optimal position $P_i$ of each particle and the global optimal position $P_g$ of all particles;
5-6 updating the velocity and position of each particle according to equation (7) and equation (8);
5-7, judging whether the particle swarm algorithm termination condition is met, if so, stopping iteration, storing the result, turning to the next step, and otherwise, turning to the step 4;
5-8, taking the obtained global optimal value as a weight and a threshold of the BP neural network;
5-9 training with BP neural network algorithm until the error of output result reaches the limit precision value.
Further, the specific process of step 6 is as follows:
6-1, setting an attack detection module of the SDN controller:
TriStrgy(GSIP, ADF, PPF, GSP, RFE, RFM) is used as the trigger strategy for the trigger threshold;
6-2 the SDN controller sets alarm to 0; when any feature value in S' exceeds the threshold, the point is regarded as a suspected attack point, alarm is set to 1, and the particle-swarm-optimized BP neural network detection method is activated;
6-3 the BP neural network optimized by particle swarm carries out DDoS attack detection on the data flow in real time.
Further, the specific process of step 7 is as follows:
7-1, if the detection result is a DDoS attack, setting an alarm equal to 2 by an attack detection module of the SDN controller, and sending an attack warning to the SDN controller;
7-2 the SDN controller sends an instruction to the firewall to change the firewall configuration, and at the same time instructs the OpenFlow switch to change the relevant flow entry configuration and discard the attack data flow packets.
Compared with the prior art, the invention has the following advantages:
The invention provides an SDN network DDoS attack detection method based on an optimized BP neural network. It comprehensively extracts six DDoS-related feature values from the flow table in an SDN network environment and reduces the load on the SDN network by setting a trigger threshold. It optimizes the BP neural network with the particle swarm algorithm: using the global optimization property of the particle swarm algorithm, the mean square error of the BP neural network is selected as the fitness function of the particle swarm algorithm, and the value with the best fitness is selected as the thresholds and weights of the BP neural network. This avoids the slow convergence of the BP neural network when solving for the optimal solution and its tendency to fall into a local optimum, and improves detection precision.
Drawings
FIG. 1 is a schematic flow chart of an attack detection method of the present invention;
FIG. 2 is a flow chart of the particle swarm optimization-based BP neural network algorithm of the present invention;
FIG. 3 is a diagram of the BP neural network structure according to the present invention.
Detailed Description
The technical solution of the present invention is explained in detail below, but the protection scope of the present invention is not limited to the embodiments.
The present invention will be further described with reference to the following examples and the accompanying drawings.
As shown in fig. 1, an SDN network DDoS attack detection method based on an optimized BP neural network includes the following steps:
Step 1, a flow table collecting module in a software defined network (SDN) controller periodically sends a flow table request to an OpenFlow switch, with periodic acquisition interval T (for example, T is 3 seconds); the OpenFlow switch sends the flow table information to a feature extraction module in the SDN controller through a secure channel.
The OpenFlow switch is responsible for forwarding data packets according to a flow table in an SDN network and comprises the flow table, a secure channel for communication between the SDN controller and the OpenFlow switch, and the OpenFlow protocol.
Step 2, a feature extraction module in the SDN controller analyses the acquired flow table information, analyses the change of the network flow distribution characteristics per unit time, extracts the flow table information and converts it into six pieces of one-dimensional feature information related to DDoS attacks, forming a six-tuple sample feature sequence S'.
Step 3, initializing parameters of the BP neural network algorithm, and taking the weights and thresholds between the input layer and the hidden layer and between the hidden layer and the output layer as optimization targets of the particle swarm algorithm.
Step 4, initializing parameters of the particle swarm algorithm, calculating the fitness value, obtaining the individual optimal position and the global optimal position of the particles, and, when the particle iteration count $k$ equals $k_{max}$, outputting the global optimal position.
Step 5, the BP neural network optimized by particle swarm receives the training samples and is trained repeatedly to obtain the optimal model finally used for DDoS attack detection.
Step 6, the SDN controller sets a trigger threshold; once any feature value in the sample feature sequence S' collected in real time exceeds the trigger threshold, it is regarded as a suspected attack point, and the BP neural network optimized by particle swarm is activated to carry out DDoS attack detection on the data flow in real time.
Step 7, if the detection result is a DDoS attack, an attack detection module in the SDN controller sends an attack warning to the SDN controller, and the SDN controller sends an instruction to the firewall to change the firewall configuration and at the same time instructs the OpenFlow switch to change the relevant flow entry configuration and discard the attack data packets.
The six-tuple sample feature sequence S″ described in step 2 includes: the source IP address growth rate GSIP, the change in flow survival time ADF, the pair-flow ratio PPF, the port growth rate GSP, the flow table entry rate RFE and the flow matching success rate RFM.
The source IP address growth rate GSIP is the number of source IP addresses added per unit time:
Figure BDA0001786939240000081
where $Q_{IP}$ is the number of source IP addresses and $T$ is the sampling time interval. In a DDoS attack, a large number of data packets are sent with forged source IP addresses, so the number of source IP addresses increases rapidly.
The change in flow survival time ADF is the relative degree of change in the survival duration of flow rules per unit time:
Figure BDA0001786939240000082
where $T_{dur}$ is the flow survival time and $T_{fow}$ is the total time of the flow. In the flow table entries, a large number of abnormal flows may cause the flow survival time to decrease.
The pair-flow ratio PPF is the ratio of interactive (paired) flows to the total number of flows:
Figure BDA0001786939240000083
where $F_{pair}$ is the number of interactive flows in the network and $F_{sum}$ is the total number of flows. In a DDoS attack, a forged source IP address cannot provide normal service.
The port growth rate GSP is the rate of increase of the number of attack source ports per unit time:
Figure BDA0001786939240000091
where $S_{port}$ is the number of added source ports.
Flow entry rate RFE, i.e. the rate of increase of the flow entry per unit time:
Figure BDA0001786939240000092
where $S_{flow}$ is the total number of flow table entries. When a DDoS attack occurs, the SDN controller may quickly generate a large number of flow table information requests.
The flow matching success rate RFM is a ratio of the successfully matched packet flow in the flow to the total amount:
Figure BDA0001786939240000093
where $M_{packet}$ is the number of successfully matched packets and $S_{packet}$ is the total number of data packets. When a DDoS attack occurs, the matching success rate of data packets may decrease.
As shown in fig. 2, the particle swarm optimization-based BP neural network algorithm flow is as follows:
1. In a data training module in the SDN controller, the BP neural network optimized by particle swarm receives the training samples; the input layer of the BP neural network is set to 6, the number of hidden layers can be changed, the number of neurons in the output layer is 1, and the output indicates normal or abnormal (attack) traffic;
the output value of the hidden layer neuron is calculated by equation (1):
Figure BDA0001786939240000094
where $w_{ij}$ is the weight between the ith neuron of the input layer and the jth neuron of the hidden layer, and $\theta_j$ is the threshold of the jth neuron of the hidden layer.
The output values of the output layer neurons are calculated by equation (2):
Figure BDA0001786939240000095
where $v_{jt}$ is the weight between the jth neuron of the hidden layer and the tth neuron of the output layer, and $r_t$ is the threshold of the tth neuron of the output layer;
$f(x)$ is the excitation function between neurons, as shown in equation (3) below:
Figure BDA0001786939240000096
2. initializing a BP neural network structure, and determining related parameters of the BP neural network and a particle swarm algorithm;
as shown in fig. 3, a three-layer neural network structure is adopted, each individual particle includes a connection weight between an input layer and a hidden layer, between the hidden layer and an output layer, and a threshold between the output layer and the hidden layer, and a dimension D of the particle is shown in formula (12):
$D = D_{in} D_h + D_h D_{out} + D_h + D_{out}$ (12)
where $D_{in}$, $D_h$, $D_{out}$ are the numbers of neurons in the input layer, hidden layer and output layer respectively.
3. Randomly generating the initial particle positions $X_i = (x_{i1}, x_{i2}, \ldots, x_{iD})^T$ ($i = 1, 2, 3, \ldots, n$) and velocities $V_i = (v_{i1}, v_{i2}, \ldots, v_{iD})$.
4. Training a BP neural network, taking the mean square error between an actual output value and an expected output value as a fitness function of a particle swarm algorithm, and calculating the fitness value of each particle as shown in a formula (13);
Figure BDA0001786939240000101
where
Figure BDA0001786939240000102
is the desired output value of the output layer,
Figure BDA0001786939240000103
is the actual output value of the output layer.
5. Obtaining the individual optimal position $P_i$ of each particle and the global optimal position $P_g$ of all particles;
6. Updating the velocity and position of each particle according to equation (7) and equation (8);
Figure BDA0001786939240000104
Figure BDA0001786939240000105
where k denotes the current (kth) iteration and the maximum number of iterations is set to $k_{max} = 300$; $w$ is the inertia weight, set to 1; $c_1$ is the local acceleration factor, set to 1.4; $c_2$ is the global acceleration factor, set to 1.6; $r_1$, $r_2$ are random numbers in the interval $[0,1]$; $j = 1, 2, \ldots, D$;
each time the velocity and position of a particle are updated, the value of each parameter is determined by formula (9):
$w_k = [(w_0 - w_1)\cos(\pi k / k_{max}) + (w_0 + w_1)]/2$
Figure BDA0001786939240000106
Figure BDA0001786939240000107
where $w_0 = 1$, $w_1 = 0.1$; $c_{10} = 2.5$, $c_{11} = 1.25$; $c_{20} = 0.5$, $c_{21} = 2.5$. Calculating the parameters in this way ensures that the optimal solution can be found quickly during iteration without being trapped in local search.
7. Judging whether the particle swarm algorithm termination condition is met; if so, going to the next step; otherwise, going to step 4, updating $P_i = (P_{i1}, P_{i2}, P_{i3}, \ldots, P_{iD})^T$ and $P_g = (P_{g1}, P_{g2}, P_{g3}, \ldots, P_{gD})^T$ according to formula (10) and formula (11), and repeating the iteration;
Figure BDA0001786939240000111
Figure BDA0001786939240000112
8. and taking the obtained global optimal value as a weight value and a threshold value of the BP neural network.
9. And training by using a BP neural network algorithm until the error of an output result reaches a limited precision value.
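The particle-swarm stage of steps 1 to 8 above, as an added example that is not part of the patent text: each particle encodes all weights and thresholds of a 6-input, 1-output network (dimension D from formula (12)), fitness is the mean square error, and the inertia weight follows the $w_k$ formula. Assumptions: a sigmoid excitation function, thresholds subtracted from the weighted sum, the standard PSO velocity and position update, the same cosine form for $c_1$ and $c_2$ as for $w_k$, a hidden layer of 4 neurons, a shortened iteration count, and constructed training samples; the final BP refinement of step 9 is not shown.

```python
import math
import random

D_IN, D_H, D_OUT = 6, 4, 1   # 6 flow features, 1 output; hidden size 4 is an assumption
DIM = D_IN * D_H + D_H * D_OUT + D_H + D_OUT   # particle dimension, formula (12)


def sigmoid(x):
    # Assumed excitation function; the argument is clamped to avoid overflow.
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, x))))


def forward(particle, x):
    """Decode one particle into weights/thresholds and run the 3-layer network."""
    a, b, c = D_IN * D_H, D_IN * D_H + D_H * D_OUT, DIM - D_OUT
    w, v, theta, r = particle[:a], particle[a:b], particle[b:c], particle[c:]
    hidden = [sigmoid(sum(w[i * D_H + j] * x[i] for i in range(D_IN)) - theta[j])
              for j in range(D_H)]
    return [sigmoid(sum(v[j * D_OUT + t] * hidden[j] for j in range(D_H)) - r[t])
            for t in range(D_OUT)]


def fitness(particle, samples):
    """Mean square error between desired and actual outputs (lower is better)."""
    err = 0.0
    for x, desired in samples:
        actual = forward(particle, x)
        err += sum((d - y) ** 2 for d, y in zip(desired, actual)) / D_OUT
    return err / len(samples)


def schedule(start, end, k, k_max):
    """Cosine schedule in the form of the w_k formula: start at k=0, end at k=k_max."""
    return ((start - end) * math.cos(math.pi * k / k_max) + (start + end)) / 2.0


def make_samples(n=40, seed=7):
    """Constructed, already-normalised six-tuples (GSIP, ADF, PPF, GSP, RFE, RFM)."""
    rng = random.Random(seed)
    attack_centre = [0.8, 0.2, 0.2, 0.8, 0.8, 0.2]   # invented for illustration
    samples = []
    for idx in range(n):
        label = idx % 2                                # 1 = attack, 0 = normal
        centre = attack_centre if label else [1.0 - c for c in attack_centre]
        x = [min(1.0, max(0.0, c + rng.uniform(-0.2, 0.2))) for c in centre]
        samples.append((x, [float(label)]))
    return samples


def pso_train(samples, swarm=20, k_max=60, x_lim=5.0, v_lim=1.0, seed=1):
    """Return (global best particle, best-fitness history over iterations)."""
    rng = random.Random(seed)
    pos = [[rng.uniform(-x_lim, x_lim) for _ in range(DIM)] for _ in range(swarm)]
    vel = [[rng.uniform(-v_lim, v_lim) for _ in range(DIM)] for _ in range(swarm)]
    p_best = [p[:] for p in pos]
    p_fit = [fitness(p, samples) for p in pos]
    g = min(range(swarm), key=lambda i: p_fit[i])
    g_best, g_fit = p_best[g][:], p_fit[g]
    history = [g_fit]
    for k in range(1, k_max + 1):
        w = schedule(1.0, 0.1, k, k_max)     # w0 = 1, w1 = 0.1
        c1 = schedule(2.5, 1.25, k, k_max)   # c10 = 2.5, c11 = 1.25 (form assumed)
        c2 = schedule(0.5, 2.5, k, k_max)    # c20 = 0.5, c21 = 2.5 (form assumed)
        for i in range(swarm):
            for j in range(DIM):
                r1, r2 = rng.random(), rng.random()
                step = (w * vel[i][j]
                        + c1 * r1 * (p_best[i][j] - pos[i][j])
                        + c2 * r2 * (g_best[j] - pos[i][j]))
                vel[i][j] = max(-v_lim, min(v_lim, step))        # keep v in range
                pos[i][j] = max(-x_lim, min(x_lim, pos[i][j] + vel[i][j]))
            f = fitness(pos[i], samples)
            if f < p_fit[i]:                 # new individual optimal position
                p_best[i], p_fit[i] = pos[i][:], f
                if f < g_fit:                # new global optimal position
                    g_best, g_fit = pos[i][:], f
        history.append(g_fit)
    return g_best, history


if __name__ == "__main__":
    data = make_samples()
    best, hist = pso_train(data)
    print("particle dimension D =", DIM)
    print("MSE before/after PSO: %.4f -> %.4f" % (hist[0], hist[-1]))
```

The returned particle is what step 8 loads into the network as its starting weights and thresholds before ordinary BP training continues.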
The specific implementation process of the step 6 is as follows:
6-1, setting of the attack detection module of the SDN controller:
TriStrgy(GSIP, ADF, PPF, GSP, RFE, RFM) is used as the trigger strategy for the trigger threshold;
6-2, the attack detection module of the SDN controller sets alarm to 0; when any feature value in S' exceeds the threshold, the point is regarded as a suspected attack point, alarm is set to 1, and the particle-swarm-optimized BP neural network detection method is activated;
6-3, the BP neural network optimized by particle swarm carries out DDoS attack detection on the data flow in real time.
Further, the trigger threshold is selected according to a characteristic value of an abnormal training sample, and the specific process is as follows: counting each characteristic value, carrying out normalization processing on each characteristic value, counting the interval of each characteristic value, and selecting a point closest to a diagonal on a PR curve from the interval as a trigger threshold;
The PR curve depicts the relation between precision and recall. Precision is the proportion of data that really is a DDoS attack among all data whose prediction result is DDoS attack; recall is the proportion of data whose prediction result and real result are both DDoS attack among all data whose detection result is DDoS attack.
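The trigger-threshold selection and the alarm gate of step 6, as an added example that is not part of the patent text: for one feature, labelled training values are min-max normalised, every observed value is tried as a threshold, and the point whose precision and recall are closest to the diagonal (precision = recall) is chosen; the gate then calls the detector only when a threshold is exceeded. Assumptions: the usual definitions of precision and recall, ties resolved toward the lower threshold, only two of the six features shown, constructed training values, and a hypothetical `detector` callable standing in for the trained network.

```python
# Constructed training values per feature: (raw values, labels), 1 = attack window.
TRAINING = {
    "GSIP": ([2, 3, 4, 5, 6, 8, 12, 9, 40, 55, 70, 90, 120], [0] * 7 + [1] * 6),
    "RFE": ([10, 12, 15, 20, 22, 30, 28, 80, 150, 200, 260, 300], [0] * 6 + [1] * 6),
}


def pr_point(values, labels, threshold):
    """Precision and recall when 'value > threshold' flags a window as suspect."""
    tp = sum(1 for v, y in zip(values, labels) if v > threshold and y == 1)
    fp = sum(1 for v, y in zip(values, labels) if v > threshold and y == 0)
    fn = sum(1 for v, y in zip(values, labels) if v <= threshold and y == 1)
    precision = tp / (tp + fp) if tp + fp else 1.0   # nothing flagged, no false alarms
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def pick_trigger_threshold(values, labels):
    """Choose the PR-curve point closest to the diagonal precision == recall."""
    lo, hi = min(values), max(values)
    span = (hi - lo) or 1.0
    norm = [(v - lo) / span for v in values]          # min-max normalisation
    best = None
    for raw, t in sorted(set(zip(values, norm))):     # ascending candidate thresholds
        p, r = pr_point(norm, labels, t)
        gap = abs(p - r)                              # proportional to distance from diagonal
        if best is None or gap < best["gap"]:         # strict '<' keeps the lower threshold
            best = {"raw": raw, "normalised": t, "precision": p, "recall": r, "gap": gap}
    return best


def build_thresholds(training):
    """Raw-unit trigger threshold per feature, so live values need no rescaling."""
    return {name: pick_trigger_threshold(v, y)["raw"] for name, (v, y) in training.items()}


def evaluate_window(features, thresholds, detector):
    """Return (alarm, exceeded): 0 = idle, 1 = suspected, 2 = attack confirmed."""
    exceeded = sorted(n for n, v in features.items() if v > thresholds[n])
    if not exceeded:
        return 0, exceeded            # the detector is never invoked: no extra load
    return (2 if detector(features) else 1), exceeded


if __name__ == "__main__":
    thresholds = build_thresholds(TRAINING)
    print("trigger thresholds:", thresholds)
    # Hypothetical stand-in for the trained PSO-BP model.
    model = lambda f: f["RFE"] > 100
    for window in ({"GSIP": 4, "RFE": 15}, {"GSIP": 60, "RFE": 20}, {"GSIP": 60, "RFE": 200}):
        print(window, "->", evaluate_window(window, thresholds, model))
```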
The specific implementation process of the step 7 is as follows:
7-1, if the detection result is a DDoS attack, setting an alarm equal to 2 by an attack detection module of the SDN controller, and sending an attack warning to the SDN controller;
7-2, the SDN controller sends an instruction to the firewall to change the configuration of the firewall, and simultaneously instructs an OpenFlow switch to change the relevant configuration of flow items, and an attack data flow packet is discarded.
In summary, the invention reduces the network load by extracting the relevant attributes of the SDN network traffic and setting the trigger threshold; meanwhile, DDoS attack detection is carried out by adopting the BP neural network optimized by the particle swarm, and the method has the advantage of high attack detection accuracy.
While the present invention has been described in detail with reference to the preferred embodiments, it should be understood that the above description should not be taken as limiting the invention. Various modifications and alterations to this invention will become apparent to those skilled in the art upon reading the foregoing description. Accordingly, the scope of the invention should be determined from the following claims.

Claims (6)

1. An SDN network DDoS attack detection method based on an optimized BP neural network is characterized by comprising the following steps:
step 1, a flow table collection module in an SDN controller periodically sends a flow table request to an OpenFlow switch, and the OpenFlow switch sends flow table information to a feature extraction module in the SDN controller through a secure channel;
the OpenFlow switch forwards a data packet in an SDN network according to a flow table, and the OpenFlow switch comprises the flow table, a secure channel for communication of an SDN controller and the OpenFlow switch, and an OpenFlow protocol;
step 2, the feature extraction module in the SDN controller analyzes the acquired flow table information and converts it into six one-dimensional features related to DDoS attacks, forming a six-tuple sample feature sequence S' that comprises: the source IP address growth rate GSIP, the change in flow lifetime ADF, the pair-flow ratio PPF, the port growth rate GSP, the flow entry rate RFE and the flow matching success rate RFM;
step 3, initializing parameters of the BP neural network algorithm, and taking weights and thresholds between an input layer and a hidden layer and between the hidden layer and an output layer as optimization targets of the particle swarm algorithm;
the step 3 further comprises the following processes:
3-1 initializing weights and thresholds between an input layer and a hidden layer and between the hidden layer and an output layer;
3-2 in the BP neural network, the input training sample vector is $X = (x_1, x_2, \ldots, x_n)$, and the numbers of neurons in the input layer, the hidden layer and the output layer are n, p and q respectively; the output value of the hidden layer neurons is calculated by formula (1):
Figure FDF0000017143510000011
wherein $w_{ij}$ is the weight between the i-th neuron of the input layer and the j-th neuron of the hidden layer, and $\theta_j$ is the threshold of the j-th neuron of the hidden layer;
the output values of the output layer neurons are calculated by equation (2):
Figure FDF0000017143510000021
wherein $v_{jt}$ is the weight between the j-th neuron of the hidden layer and the t-th neuron of the output layer, and $r_t$ is the threshold of the t-th neuron of the output layer;
where $f(x)$ is the excitation function between neurons, as shown in formula (3) below:
Figure FDF0000017143510000022
3-3 for each training sample, calculating the mean square error between the actual output value and the expected output value, as shown in equation (4):
Figure FDF0000017143510000023
wherein
Figure FDF0000017143510000024
is the expected output value of the output layer,
Figure FDF0000017143510000025
is the actual output value of the output layer, and k denotes the k-th training sample;
3-4, according to the mean square error, adjusting the weight and the threshold between the input layer and the hidden layer, and between the hidden layer and the output layer according to the following formula (5) and formula (6);
Figure FDF0000017143510000031
Figure FDF0000017143510000032
wherein eta is a given learning rate during training;
3-5, calculating new weight values and new threshold values between the input layer and the hidden layer and between the hidden layer and the output layer through the previous step;
3-6, repeating the steps, and training by using a BP neural network algorithm until the error of an output result reaches a limited precision value;
step 4, initializing the parameters of the particle swarm algorithm, calculating the fitness values, obtaining the individual optimal position of each particle and the global optimal position, and, once the particle iteration count k equals $k_{max}$, outputting the global optimal position $p_g$;
The step 4 further comprises the following processes:
4-1 initializing the population size M and the dimension D of each particle, and randomly generating the initial particle positions $X_i = (x_{i1}, x_{i2}, \ldots, x_{iD})^T$ ($i = 1, 2, 3, \ldots, M$) and velocities $V_i = (v_{i1}, v_{i2}, \ldots, v_{iD})^T$; during iteration, ensuring $x \in [x_{min}, x_{max}]$ and $v \in [v_{min}, v_{max}]$; setting the maximum number of iterations $k_{max}$ and the termination condition;
4-2 calculating the fitness value $F_i(x)$ of each particle according to the fitness function $F(x)$, storing the position and fitness of each particle in its individual optimal position $P_i$, and storing the position and fitness of the individual with the best fitness among all $P_i$ in the global optimal position $P_g$;
wherein the individual optimal position of the i-th particle is denoted $P_i = (P_{i1}, P_{i2}, P_{i3}, \ldots, P_{iD})^T$, and the global optimal position of all particles is denoted $P_g = (P_{g1}, P_{g2}, P_{g3}, \ldots, P_{gD})^T$;
4-3, judging whether the termination condition is met, if not, updating the speed and the position of the particle by using the following formula (7) and formula (8);
Figure FDF0000017143510000041
where k denotes the current (k-th) iteration, w is the inertia weight, $c_1$ is the local acceleration factor, $c_2$ is the global acceleration factor, $r_1, r_2$ are random numbers in the interval $[0, 1]$, and $j = 1, 2, \ldots, D$;
Figure FDF0000017143510000042
when the speed and the position of the particle are updated each time, the value of each parameter is determined by using the following formula (9):
Figure FDF0000017143510000043
wherein $w_0$, $w_1$ respectively represent the initial value and the final value of w; $c_{10}$, $c_{11}$ respectively represent the starting value and the ending value of $c_1$; $c_{20}$, $c_{21}$ respectively represent the starting value and the ending value of $c_2$; calculating the parameters in this way ensures that the optimal solution can be found quickly during iteration without becoming trapped in a local search;
4-4 recalculating the fitness value of each particle;
4-5 according to the fitness function $F(x)$, updating the individual optimal position $P_i = (P_{i1}, P_{i2}, P_{i3}, \ldots, P_{iD})^T$ of each particle and the global optimal position $P_g = (P_{g1}, P_{g2}, P_{g3}, \ldots, P_{gD})^T$ by using the following formula (10) and formula (11):
Figure FDF0000017143510000044
Figure FDF0000017143510000045
4-6 repeating the steps until the particle iteration count k equals $k_{max}$, then outputting the global optimal position $p_g$;
Step 5, the BP neural network optimized by the particle swarm receives training samples and conducts repeated training to obtain an optimal model finally used for DDoS attack detection;
the step 5 further comprises the following processes:
5-1, in a data training module in an SDN controller, a BP neural network optimized by particle swarm receives a training sample, and the number of neurons of an input layer, a hidden layer and an output layer of the BP neural network is determined;
5-2, initializing a BP neural network structure, and determining related parameters of the BP neural network and a particle swarm algorithm;
the BP neural network adopts a three-layer neural network structure, and the dimension D of particles in the particle swarm algorithm is shown in a formula (12):
$$D = D_{in} D_h + D_h D_{out} + D_h + D_{out} \tag{12}$$
wherein $D_{in}$, $D_h$, $D_{out}$ are the numbers of neurons in the input layer, the hidden layer and the output layer respectively;
5-3 randomly generating the position and velocity of the initial particles;
5-4 training a BP neural network, taking the mean square error between an actual output value and an expected output value as a fitness function of a particle swarm algorithm, and calculating the fitness value of each particle as shown in a formula (13):
Figure FDF0000017143510000051
wherein
Figure FDF0000017143510000052
is the expected output value of the output layer,
Figure FDF0000017143510000053
is the actual output value of the output layer, and $D_{out}$ is the number of neurons in the output layer;
5-5 determining the individual optimal position $P_i$ of each particle and the global optimal position $P_g$ of all particles;
5-6 updating the velocity and position of each particle according to equation (7) and equation (8);
5-7 judging whether the particle swarm algorithm termination condition is met; if so, storing the result and going to the next step; otherwise going to step 4, updating $P_g$ and $P_i$ according to formula (10) and formula (11), and repeating the iteration;
5-8, taking the obtained global optimal value as a weight and a threshold of the BP neural network;
5-9, training by using a BP neural network algorithm until the error of an output result reaches a limited precision value;
step 6, the SDN controller sets a trigger threshold, and once any one characteristic value in a data flow characteristic sequence S 'collected in real time exceeds the trigger threshold, the data flow characteristic sequence S' is regarded as a suspected attack point, and a BP neural network optimized through particle swarm is activated to carry out DDoS attack detection on a data flow data packet in real time;
step 7, if the detection result is a DDoS attack, sending an attack warning to the SDN controller; the SDN controller sends an instruction to the firewall to change the firewall configuration and at the same time instructs the OpenFlow switch to change the relevant flow entry configuration, so that attack data packets are discarded.
2. The method for detecting the DDoS attack of the SDN network based on the optimized BP neural network of claim 1, wherein:
in the step 1, a flow table collection module inside the SDN controller periodically sends a flow table request to the OpenFlow switch, and the periodic acquisition time interval T is 3 seconds.
3. The SDN network DDoS attack detection method based on the optimized particle swarm optimization BP neural network according to claim 1, characterized in that: in the six-element group sample feature sequence of step 2,
the source IP address growth rate GSIP is the number of source IP addresses added per unit time:
Figure FDF0000017143510000061
wherein $Q_{IP}$ is the number of source IPs and T is the sampling time interval;
the change in flow lifetime ADF is the relative change degree of lifetime per unit time of the flow specification:
Figure FDF0000017143510000071
wherein $T_{dur}$ is the flow lifetime and $T_{fow}$ is the total time of the flow;
the pair-flow ratio PPF is the ratio of pair flows in the flow table to the total number of flows:
Figure FDF0000017143510000072
wherein $F_{pair}$ is the number of interactive flows in the network and $F_{sum}$ is the total number of flows;
the port growth rate GSP is the rate of increase of the number of attack source ports per unit time:
Figure FDF0000017143510000073
wherein $S_{port}$ is the increased number of attack source ports;
the flow entry rate RFE is the rate of increase of flow entries per unit time:
Figure FDF0000017143510000074
wherein $S_{flow}$ is the total number of flow table entries;
the flow matching success rate RFM is the ratio of successfully matched data packets in the flow to the total number of data packets:
Figure FDF0000017143510000075
wherein $M_{packet}$ is the number of successfully matched data packets and $S_{packet}$ is the total number of data packets.
4. The DDoS attack detection method based on the particle swarm optimization BP neural network in the SDN environment according to claim 1, characterized in that: the step 6 further comprises the following processes:
6-1, the attack detection module of the SDN controller sets TriStrgy(GSIP, ADF, PPF, GSP, RFE, RFM) as the trigger strategy, that is, the trigger thresholds;
6-2, the SDN controller sets alarm = 0; when any one feature value in S' exceeds its threshold, it is regarded as a suspected attack point, alarm is set to 1, and the particle swarm optimized BP neural network detection method is activated;
6-3, carrying out DDoS attack detection on the data stream in real time by the BP neural network optimized by the particle swarm.
5. The method for detecting the DDoS attack of the SDN network based on the optimized BP neural network of claim 1, wherein: the step 7 further comprises the following processes:
7-1, if the detection result is a DDoS attack, setting alarm to be 2 by an attack detection module of the SDN controller, and sending an attack warning to the SDN controller;
7-2, the SDN controller sends an instruction to the firewall to change the configuration of the firewall, and simultaneously instructs an OpenFlow switch to change the relevant configuration of flow items, and discards an attack data flow data packet.
6. The method for detecting DDoS attack in SDN based on BP neural network optimization according to any one of claims 1-5, wherein:
the trigger threshold is selected according to the characteristic value of the abnormal training sample, and the selection process comprises the following steps:
collecting statistics for each feature value, normalizing each feature value, determining the interval in which each feature value falls, and selecting from that interval the point on the PR curve closest to the diagonal as the trigger threshold;
the PR curve depicts the relation between precision and recall: precision is the proportion of data that really is a DDoS attack among all data predicted to be a DDoS attack, and recall is the proportion of data whose predicted result and real result are both DDoS attack among all data with DDoS attack as the detection result.
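One way to carry out the threshold selection of claim 6 (also stated at the end of the description) together with the trigger check of step 6-2, as an added example that is not code from the patent. It assumes min-max normalization, labelled normal samples alongside the abnormal ones, the standard definition of recall (true positives over all real attacks), and reads "closest to the diagonal" as the smallest |precision - recall|; the function names and the training values are constructed for illustration.

```python
FEATURES = ("GSIP", "ADF", "PPF", "GSP", "RFE", "RFM")

def normalize(values):
    """Min-max normalization (assumed; the page only says 'normalization')."""
    lo, hi = min(values), max(values)
    span = (hi - lo) or 1.0
    return [(v - lo) / span for v in values], lo, span

def precision_recall(values, labels, t):
    """Precision and recall of the rule 'value exceeds t'; None if no attack is flagged."""
    tp = sum(1 for v, y in zip(values, labels) if v > t and y == 1)
    fp = sum(1 for v, y in zip(values, labels) if v > t and y == 0)
    fn = sum(1 for v, y in zip(values, labels) if v <= t and y == 1)
    if tp == 0:
        return None
    return tp / (tp + fp), tp / (tp + fn)

def pick_threshold(values, labels):
    """Return (threshold, lo, span); threshold is the PR point nearest precision = recall."""
    norm, lo, span = normalize(values)
    attack = [v for v, y in zip(norm, labels) if y == 1]
    # Candidates are the observed values inside the interval spanned by abnormal samples.
    candidates = sorted({v for v in norm if min(attack) <= v <= max(attack)})
    best_t, best_gap = None, None
    for t in candidates:
        pr = precision_recall(norm, labels, t)
        if pr is None:
            continue
        gap = abs(pr[0] - pr[1])          # distance to the diagonal, up to a factor sqrt(2)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, lo, span

def fit_trigger(columns, labels):
    """One threshold per feature of the six-tuple S'."""
    return {name: pick_threshold(columns[name], labels) for name in FEATURES}

def alarm_level(sample, model):
    """Step 6-2: alarm = 1 if any normalized feature exceeds its threshold, else 0."""
    for name, (t, lo, span) in model.items():
        if (sample[name] - lo) / span > t:
            return 1
    return 0

# Constructed training data: one base column rescaled per feature, 1 = attack, 0 = normal.
BASE = [2, 3, 4, 5, 12, 6, 10, 14, 18, 20]
LABELS = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]
COLUMNS = {name: [b * (i + 1) for b in BASE] for i, name in enumerate(FEATURES)}

if __name__ == "__main__":
    model = fit_trigger(COLUMNS, LABELS)
    print({name: round(t, 3) for name, (t, _, _) in model.items()})
```

A sample that returns alarm = 1 is only a suspected attack point; in the method it is what activates the neural network detector, which then decides whether alarm becomes 2.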
CN201811019356.4A 2018-09-03 2018-09-03 SDN network DDoS attack detection method based on BP neural network optimization Active CN109120630B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811019356.4A CN109120630B (en) 2018-09-03 2018-09-03 SDN network DDoS attack detection method based on BP neural network optimization

Publications (2)

Publication Number Publication Date
CN109120630A CN109120630A (en) 2019-01-01
CN109120630B CN109120630B (en) 2022-08-02

Family

ID=64860502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811019356.4A Active CN109120630B (en) 2018-09-03 2018-09-03 SDN network DDoS attack detection method based on BP neural network optimization

Country Status (1)

Country Link
CN (1) CN109120630B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011983B (en) * 2019-03-19 2021-02-19 中国民航大学 Flow table characteristic-based denial of service attack detection method
CN110082717A (en) * 2019-04-30 2019-08-02 上海海事大学 A kind of underwater wireless sensor node positioning method
CN110489972A (en) * 2019-06-26 2019-11-22 中电万维信息技术有限责任公司 The safety evaluation method and relevant device of electronic government affairs system
CN110460880B (en) * 2019-08-09 2021-08-31 东北大学 Industrial wireless streaming media self-adaptive transmission method based on particle swarm and neural network
CN110535723B (en) * 2019-08-27 2021-01-19 西安交通大学 Message anomaly detection method adopting deep learning in SDN
CN111294342A (en) * 2020-01-17 2020-06-16 深圳供电局有限公司 Method and system for detecting DDos attack in software defined network
CN111740950A (en) * 2020-05-13 2020-10-02 南京邮电大学 SDN environment DDoS attack detection and defense method
CN111917781A (en) * 2020-08-05 2020-11-10 湖南匡楚科技有限公司 Intelligent internal malicious behavior network attack identification method and electronic equipment
CN112087339A (en) * 2020-09-16 2020-12-15 江苏省未来网络创新研究院 Novel network prediction algorithm based on SDN
CN112653687B (en) * 2020-12-17 2022-04-01 贵州大学 SDN network feature extraction method for differential evolution in DDoS detection environment
CN112738049B (en) * 2020-12-23 2023-04-07 国网河北省电力有限公司电力科学研究院 Scanning strategy adjusting method and device, electronic equipment and storage medium
CN112651369A (en) * 2020-12-31 2021-04-13 南京视察者智能科技有限公司 Method and device for identifying pedestrians in monitoring scene
CN113192569B (en) * 2021-05-11 2024-05-28 南京工程学院 Harmful gas monitoring method based on improved particle swarm and error feedback neural network
CN114745174A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Access verification system and method for power grid equipment
CN114978667B (en) * 2022-05-17 2024-02-09 安捷光通科技成都有限公司 SDN network DDoS attack detection method based on graph neural network
CN115941322B (en) * 2022-12-07 2024-05-24 中国平安财产保险股份有限公司 Attack detection method, device, equipment and storage medium based on artificial intelligence
CN116827690A (en) * 2023-08-29 2023-09-29 天津市亿人科技发展有限公司 DDoS attack and cloud WAF defense method based on distribution type

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection
CN104050505A (en) * 2013-03-11 2014-09-17 江南大学 Multilayer-perceptron training method based on bee colony algorithm with learning factor
CN106023195A (en) * 2016-05-18 2016-10-12 河南师范大学 BP neural network image segmentation method and device based on adaptive genetic algorithm
CN106657107A (en) * 2016-12-30 2017-05-10 南京邮电大学 Self-adaptively started ddos defense method and system based on trust value in SDN
CN108123931A (en) * 2017-11-29 2018-06-05 浙江工商大学 Ddos attack defence installation and method in a kind of software defined network
CN108259498A (en) * 2018-01-24 2018-07-06 湖南科技学院 A kind of intrusion detection method and its system of the BP algorithm based on artificial bee colony optimization
CN108718297A (en) * 2018-04-27 2018-10-30 广州西麦科技股份有限公司 Ddos attack detection method, device, controller and medium based on BP neural network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
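DDoS attack detection and defense based on a deep learning hybrid model in SDN; Li Chuanhuang et al.; Journal on Communications; 20180731; Vol. 39 (No. 7); main text, Section 3 *
DDoS attack detection method based on BP neural network in SDN environment; Wang Xiaorui et al.; Application Research of Computers; 20180331; Vol. 35 (No. 3); main text, Sections 1-3 *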

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant