CN112653658A - DDoS attack detection method based on information entropy under SDN environment - Google Patents


Info

Publication number: CN112653658A
Authority: CN (China)
Prior art keywords: module, main control, detection method, output end, method based
Legal status: Pending
Application number: CN202010911737.4A
Other languages: Chinese (zh)
Inventors: 曹明选, 叶德望, 郑周行
Current assignee: Zhejiang Dexun Network Security Technology Co ltd
Original assignee: Zhejiang Dexun Network Security Technology Co ltd
Priority date: 2020-09-02
Filing date: 2020-09-02
Publication date: 2021-04-13

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a DDoS attack detection method based on information entropy in an SDN environment, in the technical field of network security. The method comprises a main control end, which contains a detection algorithm module, a threshold setting module, a feature classification module, a path calculation module and a topology sensing module: the detection algorithm module is arranged inside the main control end, the threshold setting module at the output end of the detection algorithm module, the feature classification module at the output end of the threshold setting module, and the path calculation module at the output end of the feature classification module. By providing a window setting module, the invention ensures that values are sampled accurately, improves interception quality and guarantees the detection effect; by providing the threshold setting module and the detection algorithm module inside the main control end, it calculates the entropy value of the data packets and compares it with a preset threshold, which guarantees the protection effect, prevents misjudgment and improves working quality.

Description

DDoS attack detection method based on information entropy under SDN environment
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a DDoS attack detection method based on information entropy in an SDN environment.
Background
A distributed denial-of-service (DDoS) attack uses many computers to attack a target at the same time, so that the attacked target can no longer be used normally. Such attacks have occurred many times and have taken many large websites out of operation, which not only affects users' normal use but also causes huge economic losses.
The prior art has the following problems:
when a computer suffers a DDoS attack, detection cannot be performed in advance; the interception carried out during detection is not guaranteed to be accurate, so erroneous interception easily occurs, which affects the stability of data transmission, reduces operational safety and increases operating cost; and the attack source cannot be determined during detection, so the problem cannot be eradicated at its source and handling costs increase.
Disclosure of Invention
To solve the problems set forth in the background art above, the invention provides a DDoS attack detection method based on information entropy in an SDN environment, which has the characteristic of a good detection effect.
In order to achieve the purpose, the invention provides the following technical scheme: the DDoS attack detection method based on the information entropy under the SDN environment comprises a main control end, wherein the main control end comprises a detection algorithm module, a threshold setting module, a feature classification module, a path calculation module and a topology sensing module, the detection algorithm module is arranged inside the main control end, the threshold setting module is arranged at the output end of the detection algorithm module, the feature classification module is arranged at the output end of the threshold setting module, the path calculation module is arranged at the output end of the feature classification module, and the topology sensing module is arranged at the output end of the path calculation module.
Further, the main control end is internally provided with a data updating module.
Further, an edge switch is arranged on one side of the main control end and comprises a window setting module and a self-checking module, wherein the self-checking module is arranged inside the edge switch, and the window setting module is arranged on one side of the self-checking module.
Further, the output end of the window setting module is connected with the input end of the feature classification module.
Further, the input end of the edge switch is provided with an attack end, the output end of the main control end is provided with an agent end, and the output end of the agent end is provided with a victim host.
Compared with the prior art, the invention has the beneficial effects that:
by providing a window setting module, the invention can set windows of different sizes and numbers in the edge switch and transmit the received data packets in classified, fixed quantities, which ensures accurate sampling of values, improves interception quality and guarantees the detection effect;
the main control end is provided with a threshold setting module and a detection algorithm module; the entropy value of the data packets is calculated and compared with a preset threshold, which guarantees the protection effect, prevents misjudgment and improves working quality.
Drawings
FIG. 1 is a block diagram of the system of the present invention;
FIG. 2 is a schematic view of the working process of the present invention.
In the figure: 1. an attack end; 2. an edge switch; 21. a window setting module; 22. a self-checking module; 3. a main control end; 31. a detection algorithm module; 32. a threshold setting module; 33. a feature classification module; 34. a path calculation module; 35. a topology awareness module; 36. a data update module; 4. an agent end; 5. the victim host.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-2, the present invention provides the following technical solutions: the DDoS attack detection method based on the information entropy under the SDN environment comprises a main control end 3, wherein the main control end 3 comprises a detection algorithm module 31, a threshold setting module 32, a feature classification module 33, a path calculation module 34 and a topology sensing module 35, the detection algorithm module 31 is arranged inside the main control end 3, the threshold setting module 32 is arranged at the output end of the detection algorithm module 31, the feature classification module 33 is arranged at the output end of the threshold setting module 32, the path calculation module 34 is arranged at the output end of the feature classification module 33, and the topology sensing module 35 is arranged at the output end of the path calculation module 34.
Further, a data updating module 36 is further disposed inside the main control terminal 3.
Further, an edge switch 2 is arranged on one side of the main control end 3; the edge switch 2 comprises a window setting module 21 and a self-checking module 22, wherein the self-checking module 22 is arranged inside the edge switch 2 and the window setting module 21 is arranged on one side of the self-checking module 22.
Further, the output of the window setting module 21 is connected to the input of the feature classification module 33.
Further, an attack end 1 is arranged at the input end of the edge switch 2, an agent end 4 is arranged at the output end of the main control end 3, and a victim host 5 is arranged at the output end of the agent end 4.
Further, the DDoS attack detection method based on information entropy in an SDN environment comprises the following steps:
firstly, when the attack end 1 attacks the victim host 5, it must first transmit a large number of data packets with the same destination address to the edge switch 2; because the destination address is the same, the randomness of the network traffic is reduced;
secondly, when the data packets reach the edge switch 2, the window setting module 21 transmits them onward in fixed quantities;
thirdly, the data packets transmitted by the window setting module 21 are classified by the feature classification module 33, the detection algorithm module 31 calculates their entropy, and the result is compared with the threshold held in the threshold setting module 32; if the entropy is smaller than the threshold, no DDoS attack is detected;
fourthly, when the entropy is greater than or equal to the threshold, it is determined that the victim host 5 is about to be attacked by DDoS, and the path calculation module 34 and the topology awareness module 35 perform a topology calculation to determine the source IP address and source port of the data packets.
The working principle and usage of the invention are as follows: in operation, the edge switch 2 receives a large number of data packets with the same destination address; the packets are transmitted in fixed quantities through a preset window to the detection algorithm module 31, which calculates their entropy value and compares it with a preset threshold. This ensures detection accuracy, prevents misjudgment, guarantees quality of use and improves the protection of the host.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (6)

1. A DDoS attack detection method based on information entropy in an SDN environment comprises a main control end (3), and is characterized in that: the main control end (3) comprises a detection algorithm module (31), a threshold setting module (32), a feature classification module (33), a path calculation module (34) and a topology sensing module (35), wherein the detection algorithm module (31) is arranged inside the main control end (3), the threshold setting module (32) is arranged at the output end of the detection algorithm module (31), the feature classification module (33) is arranged at the output end of the threshold setting module (32), the path calculation module (34) is arranged at the output end of the feature classification module (33), and the topology sensing module (35) is arranged at the output end of the path calculation module (34).
2. The DDoS attack detection method based on information entropy in an SDN environment according to claim 1, characterized in that: a data updating module (36) is also arranged in the main control end (3).
3. The DDoS attack detection method based on information entropy in an SDN environment according to claim 1, characterized in that: an edge switch (2) is arranged on one side of the main control end (3), the edge switch (2) comprises a window setting module (21) and a self-checking module (22), wherein the self-checking module (22) is arranged inside the edge switch (2), and the window setting module (21) is arranged on one side of the self-checking module (22).
4. The DDoS attack detection method based on information entropy in an SDN environment according to claim 3, characterized in that: the output end of the window setting module (21) is connected with the input end of the feature classification module (33).
5. The DDoS attack detection method based on the information entropy under the SDN environment according to claim 4, characterized in that: the input end of the edge switch (2) is provided with an attack end (1), the output end of the main control end (3) is provided with an agent end (4), and the output end of the agent end (4) is provided with a victim host (5).
6. The DDoS attack detection method based on information entropy in an SDN environment according to any one of claims 1-5, characterized in that the detection method comprises the following steps:
firstly, when an attack end (1) attacks the victim host (5), it must first transmit a large number of data packets with the same destination address to the edge switch (2), and because the destination addresses are the same the randomness of the network is reduced;
secondly, when the data packets are transmitted to the edge switch (2), the window setting module (21) transmits them onward in fixed quantities;
thirdly, the data packets transmitted by the window setting module (21) are classified by the feature classification module (33), entropy calculation is carried out by the detection algorithm module (31), the result is compared with the threshold value in the threshold setting module (32), and if the entropy is smaller than the threshold value no DDoS attack is detected;
fourthly, when the entropy value is greater than or equal to the threshold value, it is determined that the victim host (5) is under DDoS attack, and the path calculation module (34) and the topology perception module (35) perform a topology calculation to determine the source IP address and source port of the data packets.
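The four-step procedure of claim 6 (and the same steps in the detailed description) as an added Python example, not code from the patent: fixed-count windows stand in for the window setting module, a per-window Shannon entropy of destination addresses for the detection algorithm module, and the most frequent (source IP, source port) pairs of a flagged window for the source determination done by the path and topology modules. It assumes packets are (src_ip, src_port, dst_ip) tuples, normalises entropy by log2 of the window size, and flags a window whose entropy falls below the threshold, which is the direction the patent's own rationale (identical destinations reduce randomness) implies; the claim text words the comparison the other way round, so the threshold direction here is a deliberate assumption.

```python
"""Window-based destination-address entropy check modelled on the patent's steps
(added example, not the patent's code).

Assumptions not in the patent: packets are (src_ip, src_port, dst_ip) tuples,
a window is a fixed count of packets, entropy is normalised by log2(window size)
so a window of all-distinct destinations scores 1.0, and a window is flagged
when its entropy falls BELOW the threshold (reduced randomness)."""
import math
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class WindowResult:
    index: int
    entropy: float          # normalised destination-address entropy, 0..1
    attack: bool
    top_sources: list = field(default_factory=list)  # [(src_ip, src_port, count)]


def normalized_dst_entropy(packets):
    """Shannon entropy of the destination-address distribution, scaled to [0, 1]."""
    n = len(packets)
    if n < 2:
        return 1.0  # too few packets to judge; treat as maximally random
    counts = Counter(p[2] for p in packets)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def detect_windows(packets, window_size, threshold):
    """Steps 2-4: cut the stream into fixed-size windows, compute entropy per
    window, compare with the threshold, and for flagged windows report the
    (source IP, source port) pairs responsible, most frequent first."""
    results = []
    for i in range(0, len(packets) - window_size + 1, window_size):
        window = packets[i:i + window_size]
        h = normalized_dst_entropy(window)
        attack = h < threshold
        top = []
        if attack:
            src_counts = Counter((p[0], p[1]) for p in window)
            top = [(ip, port, c) for (ip, port), c in src_counts.most_common()]
        results.append(WindowResult(i // window_size, h, attack, top))
    return results


# Constructed sample traffic using RFC 5737 documentation addresses (not real hosts).
BENIGN = [("192.0.2.%d" % i, 50000 + i, "203.0.113.%d" % i) for i in range(1, 9)]
FLOOD = ([("198.51.100.10", 40000, "203.0.113.5")] * 3
         + [("198.51.100.11", 40001, "203.0.113.5")] * 3
         + [("198.51.100.12", 40002, "203.0.113.5")] * 2)

if __name__ == "__main__":
    for r in detect_windows(BENIGN + FLOOD, window_size=8, threshold=0.5):
        print(f"window {r.index}: H={r.entropy:.3f} attack={r.attack} sources={r.top_sources}")
```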

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010911737.4A CN112653658A (en) 2020-09-02 2020-09-02 DDoS attack detection method based on information entropy under SDN environment


Publications (1)

Publication Number Publication Date
CN112653658A true CN112653658A (en) 2021-04-13

Family

ID=75346117


Country Status (1)

Country Link
CN (1) CN112653658A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112702347A (en) * 2020-12-24 2021-04-23 滨州学院 SDN-based intrusion detection technology
CN114866350A (en) * 2022-07-06 2022-08-05 南京明博互联网安全创新研究院有限公司 SDN data plane low-rate attack detection method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110107880A (en) * 2010-03-26 2011-10-05 노기섭 Ddos detection method using fast information entropy and adaptive moving average window detector
CN106561016A (en) * 2015-11-19 2017-04-12 国网智能电网研究院 DDoS attack detection device and method for SDN controller based on entropy
CN109302378A (en) * 2018-07-13 2019-02-01 哈尔滨工程大学 A kind of SDN network ddos attack detection method
CN110602109A (en) * 2019-09-17 2019-12-20 东南大学 Application layer DDoS attack detection and defense method based on multi-feature entropy




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2021-04-13