CN113411351A - DDoS attack elastic defense method based on NFV and deep learning - Google Patents

DDoS attack elastic defense method based on NFV and deep learning

Info

Publication number: CN113411351A
Application number: CN202110868763.8A
Other versions: CN113411351B (granted publication)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Granted; active
Prior art keywords: flow, detection, cleaning, attack, traffic
Inventors: 孟相如, 韩晓阳, 康巧燕, 孟庆微, 翟东, 阳勇
Original assignee: Air Force Engineering University of PLA
Current assignee: Air Force Engineering University of PLA

Classifications

    • H04L63/1458 Network security: countermeasures against malicious traffic, Denial of Service
    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Network security: event detection, e.g. attack signature detection
    • H04L63/20 Network security: managing network security; network security policies in general
    • H04L41/142 Network maintenance, administration or management: network analysis or design using statistical or mathematical methods
    • G06N3/045 Computing arrangements based on biological models: neural networks, combinations of networks
    • G06N3/08 Computing arrangements based on biological models: neural networks, learning methods
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to an elastic defense method against DDoS attacks based on NFV and deep learning, and belongs to the technical field of networks. First, a two-stage traffic detection and cleaning device based on information entropy and a convolutional neural network is designed: an information-entropy method improves detection efficiency in the initial detection stage, and a convolutional neural network improves detection precision in the cleaning stage. Second, NFV is deployed in the form of SFCs (service function chains), and the traffic detection and cleaning devices are deployed in a distributed manner at the traffic inflow node of each SFC, avoiding the increase in link length and delay that centralized deployment of such devices would cause. Finally, an on-demand expansion mechanism for the traffic detection and cleaning device is designed, realizing rapid expansion of resources and improving the network's ability to cope with DDoS attacks.

Description

DDoS attack elastic defense method based on NFV and deep learning
Technical Field
The invention relates to an elastic defense method against DDoS (distributed denial of service) attacks based on NFV (network function virtualization) and deep learning. It comprises the design of a two-stage traffic detection and cleaning device based on information entropy and a convolutional neural network, and an elastic expansion mechanism for the traffic detection and cleaning device in NFV. It belongs to the technical field of networks.
Background
The document "Ihsan H. Abdulqadder, Deqing Zou, Israa T. Aziz, Bin Yuan, Weiqi Dai. Deployment of robust security scheme in SDN based 5G network over NFV enabled cloud environment" proposes the HFANN method against DDoS attacks. The method detects DDoS attacks with an entropy method in the SDN controller and redirects suspicious data packets to virtualized traffic cleaning equipment, where a hybrid fuzzy neural network separates the suspicious traffic into legal traffic, which is delivered to the user, and malicious traffic, which is discarded. The document "Nurefşan Sevilay Bülbül and Mathias Fischer, SDN/NFV-based DDoS mitigation via pushback" provides a DDoS attack coping method based on SDN and NFV, referred to below as the pushback method. The HFANN and pushback methods have the following problems:
(1) The HFANN method and the pushback method use a hybrid fuzzy neural network and a pushback mechanism, respectively, to detect and clean traffic; their detection and cleaning precision still needs to be improved.
(2) The HFANN method improves DDoS coping capability through resource sharing between different cleaning modules. The coping capability can only be expanded within a limited range, and sharing resources between cleaning modules lengthens the deployed virtual links and lowers resource utilization.
(3) In the pushback method the processing capacity of the cleaning module is fixed and expansion of the security module is not considered, so its elasticity against DDoS attacks is poor. Guaranteeing a high detection and cleaning capability then requires deploying a large amount of detection and cleaning resources up front, which lowers resource utilization.
Disclosure of Invention
Technical problem to be solved
To address the weak defense capability of current DDoS attack coping methods in NFV, the invention provides a DDoS attack elastic defense method based on NFV and deep learning.
Technical scheme
A traffic detection and cleaning device is characterized by comprising a traffic initial detection module and a basic cleaning module. The traffic initial detection module monitors the change in entropy of the arriving data packets on line and generates a traffic cleaning request once a DDoS attack is detected; the basic cleaning module cleans the traffic flagged by the initial detection module with a deep learning method, filters out malicious traffic and delivers legal traffic to the user.
Preferably: if the arriving suspicious data packets exceed the processing capacity of the basic cleaning module, an extended cleaning module is added behind the basic cleaning module.
A DDoS attack elastic defense method based on NFV and deep learning is characterized in that the traffic detection and cleaning device described above is deployed in a distributed manner at the network traffic inflow node of each SFC, and the method comprises the following steps:
When the number of data packets arriving per unit time exceeds a set threshold T1, the traffic initial detection module is started and performs initial detection with the entropy method. For a packet unit formed by M sampled data packets, if the entropy does not exceed a threshold T2, the packet unit is considered to contain no malicious traffic and is delivered directly to the user as legal traffic. If the entropy exceeds T2, the sampled packet unit is handed to the traffic cleaning module, which cleans and filters it with a convolutional neural network method and determines the suspicious traffic cleaning strategy according to the number of suspicious data packets. If the arriving suspicious data packets exceed the processing capacity of the basic cleaning module, traffic cleaning resources are deployed rapidly on demand by means of rapid expansion; the cleaning module discards malicious traffic directly and delivers the cleaned traffic to the user.
Preferably: the model used by the convolutional neural network method comprises three convolutional layers, two pooling layers and two fully-connected layers. The first convolutional layer uses 32 convolution kernels of size 5 × 5, the second and third convolutional layers use 64 convolution kernels of size 3 × 3, the pooling layers use 2 × 2 max pooling, the first fully-connected layer contains 128 neurons, and the second fully-connected layer contains 64 neurons.
An evaluation method for the DDoS attack elastic defense method based on NFV and deep learning is characterized in that three indexes are used: detection accuracy, missing report rate and false detection rate.
The detection accuracy represents the percentage of the packets judged by the detection model to be of the attack type that are actually attack packets:
$$Acc = \frac{TP}{TP + FP}$$
The missing report rate represents the percentage of all attack-type packets that the detection model fails to identify as attacks:
$$Fnr = \frac{FN}{TP + FN}$$
The false detection rate represents the percentage of the total number of packets that the detection model classifies incorrectly:
$$Der = \frac{FP + FN}{TP + TN + FP + FN}$$
where TP is the number of samples whose actual type is DDoS attack and which the classification model judges as DDoS attack, TN is the number of samples whose actual type is legal traffic and which the model judges as legal traffic, FN is the number of samples whose actual type is DDoS attack traffic but which the model judges as legal traffic, and FP is the number of samples whose actual type is legal traffic but which the model judges as DDoS attack traffic.
A computer system comprising one or more processors and a computer-readable storage medium storing one or more programs which, when executed by the one or more processors, cause them to implement the DDoS attack elastic defense method based on NFV and deep learning.
A computer-readable storage medium storing computer-executable instructions for implementing the DDoS attack elastic defense method based on NFV and deep learning.
A computer program comprising computer-executable instructions which, when executed, perform the DDoS attack elastic defense method based on NFV and deep learning.
Advantageous effects
The invention provides a two-stage traffic detection and cleaning device based on information entropy and a convolutional neural network, together with a distributed deployment method for the device. It further provides an elastic expansion mechanism for the traffic detection and cleaning device in NFV, which uses NFV to expand resources rapidly on demand and improves the network's elasticity in coping with DDoS attacks.
DDoS attacks can cause a rapid increase in traffic. If all incoming network traffic were inspected in depth, resource consumption would be high and an increase in network delay unavoidable; and when the attack traffic grows beyond the network's processing capacity, quality of service degrades severely. The two-stage design addresses both points: the information-entropy method improves detection efficiency in the initial detection stage, and the convolutional neural network improves detection precision in the cleaning stage. Deploying the devices in a distributed manner at the traffic inflow node of each SFC avoids the increase in link length and delay caused by centralized deployment, and the on-demand expansion mechanism realizes rapid expansion of resources when an attack exceeds the basic capacity.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, wherein like reference numerals are used to designate like parts throughout.
FIG. 1 is a flow detection cleaning module workflow designed by the present invention.
FIG. 2 is a convolutional neural network model constructed by the present invention.
FIG. 3 is a graph comparing the detection accuracy of the methods.
FIG. 4 is a graph comparing the missing report rate of the methods.
FIG. 5 is a graph comparing the false detection rate of the methods.
FIG. 6 is a graph showing the attack response success rate of the methods.
FIG. 7 is a graph comparing the resource utilization of the methods.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Referring to fig. 1 to 7, the specific implementation process is as follows:
1. flow detection cleaning device design
Using NFV, a dedicated virtual traffic detection and cleaning device is deployed in a distributed manner upstream of the traffic inflow node of each SFC, and the detection and cleaning method is optimized so that the network's ability to cope with DDoS attacks improves. The invention designs a two-stage traffic detection and cleaning device placed in front of each SFC service-traffic entrance, which improves detection and cleaning precision with a deep learning method. The device comprises an information-entropy-based traffic initial detection module, a basic cleaning module and an extended cleaning module. The initial detection module and the basic cleaning module form the basic configuration; the extended cleaning module can be expanded and withdrawn on demand. The design is shown in FIG. 1.
As shown in FIG. 1, the two-stage detection and cleaning method works as follows. In the initial detection stage the detection module monitors data packets on line; when the number of packets arriving per unit time exceeds the threshold T1, the initial detection module is started and performs initial detection with the entropy method. For a packet unit formed by M sampled data packets, if the entropy does not exceed the threshold T2, the unit is considered free of malicious traffic and delivered directly to the user as legal traffic. If the entropy exceeds T2, the sampled packet unit is handed to the traffic cleaning module for cleaning and filtering by the convolutional neural network method, and the suspicious traffic cleaning strategy is determined according to the number of suspicious data packets. If the arriving suspicious packets exceed the processing capacity of the basic cleaning module, traffic cleaning resources are deployed rapidly on demand through rapid expansion; the cleaning module discards malicious traffic directly and delivers the cleaned traffic to the user. The two-stage method reduces the load on the detection and cleaning device, shortens network delay, and improves detection precision and resource utilization.
2. Information entropy-based flow initial detection method
Entropy, also called information entropy or Shannon entropy, reflects the degree of uncertainty of a random variable: the more uncertain the value of the variable, the larger the entropy. A change in entropy therefore reflects a change in the characteristics of the packets in the traffic. The Shannon formula is used to compute the entropy of the sampled packets:
$$p(x_i) = \frac{x_i}{\sum_{j=1}^{N} x_j}$$
$$H(x) = -\sum_{i=1}^{N} p(x_i) \log p(x_i)$$
where the data sample $x = \{x_i;\ i = 1, 2, \dots, N\}$ records that value $i$ has occurred $x_i$ times in the sample, and $p(x_i)$ is the probability that value $i$ occurs in the sample.
The source and destination IP addresses reflect the state of the traffic well. Because the traffic detection and cleaning device is distributed at the traffic inflow node, the entropy change of the source IP address is computed to judge whether the traffic contains attack traffic. Consecutive data packets are divided into packet units of a fixed number of packets M, the entropy of each packet unit is computed, and M is chosen according to the load of the network. In a continuously collected data set the source IP addresses of traffic in the network are normally relatively stable. Under a DDoS attack the randomness of the source IP address increases and the entropy changes noticeably. After the source-IP entropy interval of normal network traffic has been obtained, the threshold T2 can be set according to that interval. A reasonable choice of T2 prevents a high false alarm rate and added network delay and reduces the load on the traffic cleaning module.
When computing the entropy of packet units, the entropy of the M consecutive packets of the first unit is computed first. If the source-IP entropy exceeds the threshold T2, the traffic is considered abnormal, the traffic cleaning module is started, malicious traffic that may be present is discarded and legal traffic is delivered to the user. Otherwise the traffic is considered normal, it is delivered directly to the user, and the entropy of the next packet unit is computed. The number of packets M in a unit is chosen according to the network load. If M is too large the change in entropy is not obvious and the sensitivity of initial detection drops; if it is too small the entropy fluctuates too widely and the false alarm rate of initial detection rises. In addition, a very large M increases the propagation delay of packets in the network and affects service quality, so M should be chosen reasonably according to the network load.
When the proportion of DDoS attack traffic is low, the attack may go undetected because the entropy change of the packet unit is not obvious. The purpose of initial detection is to keep the network service running, so DDoS attack packets may remain in the delivered legal traffic; when the entropy of a packet unit does not exceed the threshold, the unit is considered not to affect normal network service. This treatment improves detection efficiency, prevents a high false alarm rate, and reduces the workload of the traffic cleaning module.
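The initial detection stage described above, as an added example that is not part of the patent. The thresholds T1 and T2, the unit size M and the packet streams are constructed here for illustration; the patent leaves them to be tuned to the network load. The example also reproduces the low-proportion case from the last paragraph: a unit with 10% spoofed sources stays below T2 and is delivered untouched.

```python
import math
import random
from collections import Counter

# Constructed parameters for this example; the patent leaves T1, T2 and M
# to be tuned to the observed load of the network.
T1 = 200   # packets per unit time that arm the initial-detection stage
T2 = 4.0   # source-IP entropy (bits) above which a packet unit is suspicious
M = 256    # packets per packet unit


def source_ip_entropy(packet_unit):
    """Shannon entropy, in bits, of the source-IP distribution of one unit."""
    counts = Counter(pkt["src"] for pkt in packet_unit)
    n = len(packet_unit)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def initial_detection(packets, pkts_per_unit_time, t1=T1, t2=T2, m=M):
    """Stage one of the two-stage detector.

    If the arrival rate is at or below T1 the stage stays idle and every unit
    is delivered. Otherwise the stream is cut into units of M packets; a unit
    whose source-IP entropy exceeds T2 is handed to the cleaning stage
    ('clean'), anything else is delivered as legal traffic ('deliver').
    Returns one (entropy, verdict) pair per unit.
    """
    units = [packets[i:i + m] for i in range(0, len(packets), m)]
    if pkts_per_unit_time <= t1:
        return [(None, "deliver") for _ in units]
    results = []
    for unit in units:
        h = source_ip_entropy(unit)
        results.append((h, "clean" if h > t2 else "deliver"))
    return results


def normal_traffic(n, rng):
    """Constructed background traffic from a small, stable set of clients."""
    clients = [f"10.0.0.{i}" for i in range(1, 9)]
    return [{"src": rng.choice(clients)} for _ in range(n)]


def flood_traffic(n, rng):
    """Constructed DDoS flood with uniformly random (spoofed) source addresses."""
    return [{"src": "%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256),
                                      rng.randrange(256), rng.randrange(1, 255))}
            for _ in range(n)]


def demo():
    rng = random.Random(7)
    quiet = initial_detection(normal_traffic(M, rng), pkts_per_unit_time=50)
    normal = initial_detection(normal_traffic(M, rng), pkts_per_unit_time=5000)
    flood = initial_detection(flood_traffic(M, rng), pkts_per_unit_time=5000)
    # Low-proportion attack: 10% spoofed packets hidden in one unit. Eight
    # clients can contribute at most log2(8) = 3 bits and 26 random sources
    # at most 26/256 * 8 bits, so the unit stays below T2 and is delivered.
    mixed_unit = normal_traffic(M - M // 10, rng) + flood_traffic(M // 10, rng)
    rng.shuffle(mixed_unit)
    mixed = initial_detection(mixed_unit, pkts_per_unit_time=5000)
    return quiet, normal, flood, mixed


if __name__ == "__main__":
    for name, res in zip(("quiet", "normal", "flood", "mixed"), demo()):
        h, verdict = res[0]
        print(f"{name:7s} entropy={'-' if h is None else round(h, 2)} -> {verdict}")
```

The flood unit lands near the 8-bit ceiling of a 256-packet unit because almost every source is unique, while the eight legitimate clients cannot exceed 3 bits however their load is distributed; that gap is what T2 separates, and the mixed unit shows why the patent accepts that a low-volume attack passes this stage.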
3. Deep learning-based flow cleaning method
(1) Deep learning model
The DDoS attack traffic whose entropy exceeds the threshold is cleaned by a deep learning method. Compared with conventional classification methods, deep learning can learn from the raw traffic directly and fit more complex functions through a multi-layer neural network, giving a higher-precision classification of legal and attack traffic. Deep learning is currently most mature in image, speech and natural language processing, so the main idea in applying it to network traffic classification is to convert the traffic into image or text form and process it with the mature frameworks and algorithms of those fields.
Convolutional neural networks are feedforward neural networks that typically comprise one or more convolutional layers followed by one or more fully-connected layers, as in a standard multi-layer network. The invention preprocesses traffic into image form and processes it with a convolutional neural network. The model, shown in FIG. 2, comprises 3 convolutional layers, 2 pooling layers and 2 fully-connected layers. The first convolutional layer uses 32 convolution kernels of size 5 × 5, the second and third convolutional layers use 64 kernels of size 3 × 3, both pooling layers use 2 × 2 max pooling, the first fully-connected layer contains 128 neurons and the second 64 neurons. Compared with a standard feedforward network with the same number of layers, this model takes raw data directly as input, learns the relevant features from a large number of samples and avoids a complex feature extraction process; it also has fewer neurons and parameters, is simpler to train and achieves higher detection accuracy.
The first convolutional layer extracts some shallow traffic features from the input image, and max pooling then retains the key local features, reducing parameters and primary features, limiting overfitting and improving the model's generalization. Each subsequent convolutional and pooling layer abstracts more complex high-dimensional features from those of the previous layer so as to distinguish different traffic more accurately. Finally, the resulting multi-dimensional image features are flattened through the fully-connected layers and fed to a softmax layer, forming a classifier of legal and attack traffic.
(2) Flow cleaning method
The deep-learning-based traffic cleaning method is a supervised learning method; classification of legal and attack traffic is achieved through offline training and online classification, so that attack traffic is cleaned and filtered accurately.
Training process: the offline training data set used by the invention contains two parts, legal traffic and DDoS attack traffic, both of which are converted into image form by a preprocessing method (intercepting part of the original traffic or its primary features). The traffic images and their labels together form the training set, with normal traffic labelled 0 and DDoS attack traffic labelled 1. The labelled legal and attack traffic images are fed into the convolutional neural network for offline learning; the cost function of the model is obtained by comparing the model's predicted output with the actual labels and is back-propagated to optimize the model parameters, and the converged neural network is the classifier of legal and attack traffic obtained through offline training.
Traffic cleaning process: test data is converted into image form by the same preprocessing method and fed into the trained convolutional neural network, which predicts whether it is DDoS attack traffic. Malicious attack traffic is discarded directly and legal traffic is delivered to the user, completing the traffic cleaning task.
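One way to carry out the "convert traffic to image form" preprocessing used in the training and cleaning processes above, as an added example that is not the patent's own code. The 28 × 28 byte layout, the synthetic IPv4/UDP packets and the masking of the IP address fields are choices made for this example; the patent only says that part of the raw traffic is intercepted and labelled 0 or 1. Masking the addresses is a practitioner's precaution: public DDoS captures contain a handful of attacker and victim addresses, and a CNN trained on raw header bytes can learn those bytes instead of the traffic pattern, which inflates offline accuracy and collapses on a different network.

```python
import socket
import struct

IMAGE_SIDE = 28
IMAGE_BYTES = IMAGE_SIDE * IMAGE_SIDE   # 784 bytes: the part of each packet that is kept


def make_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed sample packet (IPv4 header + UDP header + payload, checksums
    left at zero). Only used to build offline input for this example."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def mask_ipv4_addresses(raw):
    """Zero the IPv4 source and destination address fields (header bytes 12-19).

    Assumption of this example: the buffer starts at the IPv4 header (no
    link-layer framing). Anything that does not look like IPv4 is returned
    unchanged rather than blindly overwritten.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return raw
    return raw[:12] + b"\x00" * 8 + raw[20:]


def packet_to_image(raw, mask_addresses=True):
    """Keep the first 784 bytes of the packet (zero-padding shorter ones),
    scale every byte to [0, 1] and reshape to a 28 x 28 grid."""
    if mask_addresses:
        raw = mask_ipv4_addresses(raw)
    body = raw[:IMAGE_BYTES].ljust(IMAGE_BYTES, b"\x00")
    return [[body[r * IMAGE_SIDE + c] / 255.0 for c in range(IMAGE_SIDE)]
            for r in range(IMAGE_SIDE)]


def build_training_set(legal_packets, attack_packets):
    """Label images as the description does: legal traffic 0, DDoS attack 1."""
    return ([(packet_to_image(p), 0) for p in legal_packets] +
            [(packet_to_image(p), 1) for p in attack_packets])


def demo():
    """Constructed sample: three short DNS-like queries from one client and
    five oversized UDP packets from spoofed sources aimed at the same server."""
    legal = [make_ipv4_udp("10.0.0.5", "10.0.1.10", 53000 + i, 53, b"dns-query-%d" % i)
             for i in range(3)]
    attack = [make_ipv4_udp("198.51.100.%d" % (1 + i), "10.0.1.10", 40000, 53, b"\xff" * 1200)
              for i in range(5)]
    return build_training_set(legal, attack)


if __name__ == "__main__":
    for image, label in demo():
        print(label, [round(v, 2) for v in image[0][:8]], "...")
```

With the address bytes zeroed, the first row of every image still carries version, header length, total length, TTL and protocol, which are legitimate signals; the difference between the two classes here is the length field and the payload region, not who sent the packet.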
4. Elastic expansion mechanism of flow cleaning device
Current research assumes that the network's capacity to cope with DDoS attacks is fixed, and when that limited capacity is exceeded a cooperative mechanism or cloud service is used to bring in third-party detection and cleaning, which raises problems of limited processing capability and user privacy and is hard to reconcile with practical requirements. The invention virtualizes and softwarizes the network traffic cleaning function into a VNF (virtual network function), provides a dedicated traffic cleaning device for each SFC, and achieves flexible deployment and rapid expansion of the cleaning function through the rapid expansion mechanism of VNFs. After the initial detection module detects a DDoS attack it generates a traffic cleaning request, and the MANO (management and orchestration) orchestrator of the NFV framework formulates a cleaning strategy in time according to the request. When the attack traffic exceeds the load of the basic cleaning module, NFV rapid expansion is used to expand the DDoS coping resources quickly and allocate them to the cleaning module as needed. Vertical expansion of the VNF is considered first for resource allocation; if vertical expansion cannot meet the demand, horizontal expansion of the VNF is considered, completing the rapid expansion of the cleaning module on adjacent nodes. The arriving suspicious traffic is cleaned in time by the deep learning method, malicious traffic is filtered out and legal traffic is delivered to the user, guaranteeing normal operation of the service. Both vertical and horizontal VNF expansion can be deployed quickly, so service quality is affected little.
Let the available resource of the basic cleaning module of the traffic cleaning device be BFR, that of the extended cleaning module AFR, and the available resource of the node hosting the traffic cleaning device RA. The algorithm steps are as follows:
Input: network traffic
Output: traffic cleaning strategy FS
[The algorithm listing is an image in the original and is not reproduced here.]
The traffic cleaning task is executed according to the cleaning strategy FS produced by the algorithm: malicious traffic is discarded directly and legal traffic is delivered to the user. If the attack traffic is too large and expansion of the extended cleaning module fails, service continuity is guaranteed by reducing service quality according to the service level agreement.
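The expansion decision described above, as an added Python example that is not the patent's algorithm (whose listing is only an image in the original). The resource units, the topology and the exact order of checks are assumptions drawn from the text: basic module first, vertical expansion on the same node, horizontal expansion on an adjacent node, and SLA-governed degradation when nothing can absorb the remainder. The symbols BFR, AFR and RA are the patent's; the dictionary returned as FS is this example's shape.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ra: float                          # RA: resource still available on the node
    neighbours: list = field(default_factory=list)


@dataclass
class CleaningDevice:
    node: str                          # node at the SFC inflow point hosting the device
    bfr: float                         # BFR: resources of the basic cleaning module
    afr: float = 0.0                   # AFR: resources currently held by the extended module


def plan_cleaning(device, topology, demand):
    """Produce a cleaning strategy FS for `demand` units of suspicious traffic.

    Preference order follows the description: basic module alone; vertical
    expansion of the extended module on the same node; horizontal expansion
    onto an adjacent node; and, when no node can absorb the shortfall,
    continuing the service at reduced QoS under the SLA. The topology and the
    device are updated in place so that successive surges see the resources
    already consumed.
    """
    capacity = device.bfr + device.afr
    if demand <= capacity:
        return {"mode": "basic", "node": device.node, "scaled": 0, "uncleaned": 0}
    shortfall = demand - capacity
    local = topology[device.node]
    if local.ra >= shortfall:                       # vertical: grow on the same node
        local.ra -= shortfall
        device.afr += shortfall
        return {"mode": "vertical", "node": local.name, "scaled": shortfall, "uncleaned": 0}
    for name in local.neighbours:                   # horizontal: spill onto a neighbour
        nb = topology[name]
        if nb.ra >= shortfall:
            nb.ra -= shortfall
            device.afr += shortfall
            return {"mode": "horizontal", "node": nb.name, "scaled": shortfall, "uncleaned": 0}
    # Expansion failed: keep the service alive at reduced QoS and report how
    # much suspicious traffic is left for the SLA-governed degradation path.
    return {"mode": "degrade", "node": local.name, "scaled": 0, "uncleaned": shortfall}


def demo():
    """Constructed topology: device on node A (RA 40) with neighbours B (RA 80)
    and C (RA 10); basic module BFR 50. Four successive surges of suspicious
    traffic of 30, 60, 110 and 200 units."""
    topology = {
        "A": Node("A", 40, ["B", "C"]),
        "B": Node("B", 80, ["A"]),
        "C": Node("C", 10, ["A"]),
    }
    device = CleaningDevice(node="A", bfr=50)
    return [plan_cleaning(device, topology, d) for d in (30, 60, 110, 200)]


if __name__ == "__main__":
    for fs in demo():
        print(fs)
```

Running the four surges in sequence shows the state carried between decisions: the first is absorbed by the basic module, the second grows the extended module by 10 on A, the third has to go to B because A has only 30 left, and the fourth exceeds every node and falls through to degradation with 90 units uncleaned.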
5. Performance evaluation and analysis
The invention utilizes matlab to simulate and sets two groups of experiments to compare and verify the method provided by the invention and the current latest two methods. The experiment verifies the flow detection cleaning method provided by the invention, and the experiment verifies the elastic expansion mechanism provided by the invention.
(1) Experimental Environment settings
The physical network topology and SFC topologies used in the experiments were generated by a modified Salam random topology generation algorithm. The switch nodes and server nodes of the physical network are assumed to be co-located; there are 100 nodes and the connectivity between nodes is 0.5. The available resources of server nodes and switch nodes follow a uniform distribution on [50, 80], and the available link bandwidth between switches follows a uniform distribution on [40, 50]. The experiments take 10 running time-sensitive SFCs as background; each SFC carries a different network service, and the service carried by an SFC does not change during the experiment. One SFC is selected for verification, a traffic cleaning module is added to that service function chain according to its service requirements, and the module can be expanded rapidly on demand.
The three data sets listed in Table 1 are used for the simulation experiments. Each data set is split into 60% training and 40% test data, and the data sets also contain network attacks other than DDoS. The HFANN method and the pushback method are used as comparison baselines. To eliminate random error, each experiment is repeated 10 times with a different SFC selected each time, and the average of the 10 runs is taken as the final result.
Table 1: Data sets used in the experiments
Figure BDA0003188287440000121
(2) Experiment one: performance evaluation of the deep-learning-based traffic cleaning method
In this experiment the proposed detection method is evaluated by three indexes: detection accuracy (accuracy), false negative rate (missed report rate) and false detection rate (detection error rate). The three methods are analysed and compared with the initial resource value of the traffic cleaning module set to 20.
Detection accuracy (Acc) is the proportion of the packets judged by the detection model to be of attack type that really are attack packets (in standard classification terminology this quantity is the precision, not the overall accuracy):

$$\mathrm{Acc} = \frac{TP}{TP + FP}$$

The false negative rate (Fnr) is the proportion of all attack-type packets that the detection model fails to identify as attacks:

$$\mathrm{Fnr} = \frac{FN}{TP + FN}$$

The false detection rate (Der) is the proportion of all packets that the detection model classifies incorrectly:

$$\mathrm{Der} = \frac{FP + FN}{TP + TN + FP + FN}$$

where TP (true positive) is the number of samples whose actual type is DDoS attack traffic and that the classification model judges to be DDoS attack traffic, TN (true negative) is the number of samples whose actual type is legitimate traffic and that the model judges to be legitimate traffic, FN (false negative) is the number of samples whose actual type is DDoS attack traffic but that the model judges to be legitimate traffic, and FP (false positive) is the number of samples whose actual type is legitimate traffic but that the model judges to be DDoS attack traffic.
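The following is an added worked example, not code from the patent, that computes the three indexes exactly as defined above from labelled classifier verdicts. The ten packet labels and the two sets of model verdicts are constructed for illustration. The second verdict set shows why a practitioner should never read Acc on its own: a model that flags only the attacks it is sure about scores a perfect Acc while missing two thirds of the attack packets, which the Fnr and Der columns expose.

```python
"""Detection indexes of the description: Acc, Fnr and Der.

Added example; not the patent's code. DDoS attack traffic is the
positive class, so TP/TN/FP/FN follow the definitions in the text.
"""
from collections import Counter

ATTACK, LEGIT = "ddos", "legit"


def confusion_counts(actual, predicted):
    """Return (TP, TN, FP, FN) for two equal-length label sequences."""
    if len(actual) != len(predicted):
        raise ValueError("label sequences differ in length")
    c = Counter(zip(actual, predicted))
    tp = c[(ATTACK, ATTACK)]   # attack judged as attack
    tn = c[(LEGIT, LEGIT)]     # legitimate judged as legitimate
    fp = c[(LEGIT, ATTACK)]    # legitimate judged as attack
    fn = c[(ATTACK, LEGIT)]    # attack judged as legitimate
    return tp, tn, fp, fn


def detection_metrics(actual, predicted):
    """Acc = TP/(TP+FP), Fnr = FN/(TP+FN), Der = (FP+FN)/total.

    Zero denominators (e.g. the model flags nothing) yield 0.0 rather
    than raising, so the function can be run over empty batches.
    """
    tp, tn, fp, fn = confusion_counts(actual, predicted)
    total = tp + tn + fp + fn
    acc = tp / (tp + fp) if tp + fp else 0.0
    fnr = fn / (tp + fn) if tp + fn else 0.0
    der = (fp + fn) / total if total else 0.0
    return {"Acc": acc, "Fnr": fnr, "Der": der,
            "TP": tp, "TN": tn, "FP": fp, "FN": fn}


# Constructed ground truth: six attack packets followed by four legitimate ones.
SAMPLE_ACTUAL = [ATTACK] * 6 + [LEGIT] * 4

# Constructed verdicts of a balanced model: misses one attack, flags one legitimate packet.
SAMPLE_PRED_BALANCED = [ATTACK] * 5 + [LEGIT] + [ATTACK] + [LEGIT] * 3

# Constructed verdicts of an over-cautious model: only two attacks flagged, nothing else.
SAMPLE_PRED_CAUTIOUS = [ATTACK] * 2 + [LEGIT] * 8


if __name__ == "__main__":
    for name, pred in (("balanced", SAMPLE_PRED_BALANCED),
                       ("cautious", SAMPLE_PRED_CAUTIOUS)):
        m = detection_metrics(SAMPLE_ACTUAL, pred)
        print(f"{name:9s} Acc={m['Acc']:.3f} Fnr={m['Fnr']:.3f} Der={m['Der']:.3f}")
```

When reproducing the figures of Experiment one, report all three indexes for each method on each data set; a high Acc with a high Fnr means the scrubber is letting attack traffic through to the SFC even though every packet it drops was a genuine attack packet.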
As can be seen from Fig. 3, with the initial resource value of the traffic cleaning module set to 20, the detection accuracy of the pushback method on the three data sets is 92.26%, 92.40% and 91.89% respectively; that of the HFANN method is 94.25%, 93.54% and 94.62%; and that of the DCNN method is 96.61%, 96.09% and 96.38%. With an initial value of 20 the traffic cleaning module has sufficient available resources, so all three methods exceed 90% detection accuracy and perform well; the proposed DCNN method nevertheless remains the best throughout. This is because the DCNN has the properties of local perception and weight sharing. Local perception means that the DCNN responds only to local regions of the input (each neural unit responds only to the region within its receptive field) and combines this local information at higher layers into a complete representation of the input; neural units in different layers are connected locally, so the spatial local pattern learned by each convolution kernel produces its strongest response on the input. Weight sharing brings the DCNN model closer to a biological neural network, reduces the complexity of the network model and reduces the number of weights. Together these two properties allow the DCNN method to reach higher detection precision with a shallower network, which in turn filters attack traffic better.
As can be seen from Fig. 4, with the initial resource value of the traffic cleaning module set to 20, the false negative rate of the pushback method on the three data sets is 9.31%, 9.66% and 8.79% respectively; that of the HFANN method is 5.69%, 6.39% and 6.60%; and that of the proposed method is 2.48%, 2.03% and 1.96%. The proposed method therefore has the lowest false negative rate and the best performance of the three. Through the local perception and weight sharing properties of the DCNN, the network model is closer to a biological neural network and less complex, the detection precision rises, and a lower false negative rate follows; malicious traffic is filtered better and the security of network services is better guaranteed.
As can be seen from Fig. 5, with the initial resource value of the traffic cleaning module set to 20, the false detection rate of the pushback method on the three data sets is 8.54%, 7.96% and 8.35% respectively; that of the HFANN method is 4.60%, 5.34% and 4.83%; and that of the proposed method is 4.36%, 4.59% and 3.98%. The proposed method again has the lowest false detection rate and the best performance. This is also due to the local perception and weight sharing properties of the DCNN: the network model is closer to a biological neural network and the detection precision is higher, so the false alarm rate is kept as low as possible, malicious traffic is filtered better and the security of network services is guaranteed.
(3) Experiment two: performance evaluation of the elastic expansion mechanism of the traffic cleaning device
Experiment two verifies and evaluates the proposed elastic expansion mechanism with the initial resource value of the traffic cleaning module set to 5, 10 and 20 respectively. The three data sets of Table 1 are used as input to the simulation, and the final results are obtained statistically.
The attack response success rate is the ratio of the number of attacks that are effectively handled to the number of attacks that occur. Varying the initial resource value of the traffic cleaning module and comparing the attack response success rates of the three methods reflects the algorithm performance better than a single configuration would. The attack response success rates of the three methods with initial resource values of 5, 10 and 20 are compared in Fig. 6.
As shown in Fig. 6, the attack response success rates of all three methods rise as the initial resource value of the traffic cleaning module increases, which shows that all three methods perform well when resources are sufficient. With an initial resource value of 5, the attack response success rates of the pushback, HFANN and DCNN methods are 76.31%, 84.29% and 90.48% respectively; with an initial resource value of 10 they are 83.25%, 90.89% and 92.31%; and with an initial resource value of 20 they are 90.52%, 92.46% and 93.50%. The success rates of all three methods therefore rise continuously with the initial resource value, and with sufficient resources all three exceed 90% with little difference between them. In practice, however, resource limits make it difficult to deploy sufficient available resources for every SFC; the proposed method still keeps a high success rate when the initial resource value of the traffic cleaning module is small, where it is superior to the other two methods.
The resource utilization rate is the ratio of the traffic cleaning resources actually used by each method to the traffic cleaning resources it occupies, measured at the same attack response success rate. Because the attack response success rates of the pushback and HFANN methods are low with initial values of 5 and 10, the resource utilization rates of the three methods are compared only under the condition that keeps the success rate high (initial resource value of the traffic cleaning module 20), as shown in Fig. 7.
As shown in Fig. 7, while a high success rate (above 90%) is maintained, the resource utilization rates of the pushback, HFANN and DCNN methods are 69.31%, 83.80% and 91.18% respectively. The cleaning module of the pushback method is fixed and expansion of the security module is not considered, so a large amount of traffic detection and cleaning resources must be deployed in advance to guarantee cleaning capacity, which gives it the lowest resource utilization. The HFANN method also has fixed cleaning modules but improves its attack response capability by sharing resources between different cleaning modules; this raises utilization somewhat compared with pushback, but the over-long service chains it produces keep utilization low. The DCNN method keeps a small basic cleaning module that is expanded temporarily when needed and released afterwards, and so has the highest resource utilization. Under the realistic condition of limited resources, the DCNN method therefore achieves higher traffic detection and cleaning performance with fewer resources and better guarantees the security of network services.
Compared with the other two DDoS attack response methods, the proposed DCNN method has higher detection and cleaning precision, stronger elasticity in the face of DDoS attacks whose traffic changes dynamically, and better overall performance.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications or substitutions can be easily made by those skilled in the art within the technical scope of the present disclosure.

Claims (8)

1. A traffic detection and cleaning device, characterised in that it comprises a traffic initial detection module and a basic cleaning module, wherein the traffic initial detection module monitors the change of the entropy of data packets online and generates a traffic cleaning request after a DDoS attack is detected; and the basic cleaning module cleans the traffic handed over by the traffic initial detection module using a deep learning method, filters out malicious traffic and delivers legitimate traffic to the user.
2. The traffic detection and cleaning device of claim 1, wherein, if the arriving suspicious data packets exceed the processing capacity of the basic cleaning module, an extended cleaning module is added after the basic cleaning module.
3. An elastic defense method against DDoS attacks based on NFV and deep learning, characterised in that the traffic detection and cleaning device of claim 2 is deployed in a distributed manner at the network traffic ingress node of each SFC, and the method comprises the following steps:
when the number of data packets arriving per unit time exceeds a set threshold T1, the traffic initial detection module is started and performs initial detection of the traffic using an entropy method; for a packet unit formed of M sampled data packets, if the entropy value does not exceed a threshold T2, the packet unit is considered to contain no malicious traffic and is delivered directly to the user as legitimate traffic; if the entropy value exceeds the threshold T2, the sampled data frame is handed to the traffic cleaning module, which cleans and filters it using a convolutional neural network method and determines the suspicious-traffic cleaning strategy according to the number of suspicious traffic data packets; if the arriving suspicious data packets exceed the processing capacity of the basic cleaning module, traffic cleaning resources are rapidly deployed on demand by way of rapid expansion, malicious traffic is discarded directly by the traffic cleaning module, and the cleaned traffic is delivered to the user.
4. The method of claim 3, wherein the convolutional neural network method uses a model comprising, in sequence, convolutional layers, pooling layers, convolutional layers and 2 fully connected layers; the first convolutional layer uses 32 convolution kernels of size 5 × 5, the second convolutional layer uses 64 convolution kernels of size 3 × 3, the pooling following the second and third layers is 2 × 2 max pooling, the first fully connected layer comprises 128 neurons and the second fully connected layer comprises 64 neurons.
5. An evaluation method for the elastic defense method against DDoS attacks based on NFV and deep learning of claim 3, characterised in that three indexes, detection accuracy, false negative rate and false detection rate, are adopted for the evaluation;
the detection accuracy is the proportion of the data packets judged by the detection model to be of attack type that really are attack packets, expressed as:

$$\mathrm{Acc} = \frac{TP}{TP + FP}$$

the false negative rate is the proportion of all attack-type data packets that the detection model fails to identify as attacks, expressed as:

$$\mathrm{Fnr} = \frac{FN}{TP + FN}$$

the false detection rate is the proportion of all data packets that the detection model classifies incorrectly, expressed as:

$$\mathrm{Der} = \frac{FP + FN}{TP + TN + FP + FN}$$

wherein TP is the number of samples whose actual type is DDoS attack traffic and that the classification model judges to be DDoS attack traffic, TN is the number of samples whose actual type is legitimate traffic and that the classification model judges to be legitimate traffic, FN is the number of samples whose actual type is DDoS attack traffic but that are judged to be legitimate traffic, and FP is the number of samples whose actual type is legitimate traffic but that are judged to be DDoS attack traffic.
6. A computer system, comprising one or more processors and a computer-readable storage medium storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of claim 3.
7. A computer-readable storage medium having stored thereon computer-executable instructions for, when executed, implementing the method of claim 3.
8. A computer program comprising computer executable instructions which when executed perform the method of claim 3.
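The following is an added worked example, not the patent's own code, that runs the control flow of claim 3 together with the SLA fallback of the description on constructed traffic: the T1 packet-rate gate, the entropy pre-check over packet units of M sampled packets against T2, the hand-off of the suspicious packet count to the cleaning strategy, and the on-demand addition of extended cleaning modules behind the basic module. Several things are assumptions of this example rather than statements of the page: the entropy is taken over the source address of each packet (the page does not say which header field is used; a spoofed flood raises source-address entropy, while a single-source flood would lower it, so the field and the direction of the T2 test must be chosen together), capacities are expressed in packets per unit, and a cap on the number of extended modules stands in for an expansion that "is unsuccessful". The convolutional neural network verdict itself is not modelled; every packet of a suspicious unit is counted as suspicious, which is the input the claim says the cleaning strategy is derived from.

```python
"""Claim-3 pipeline on constructed traffic (added example, not the patent's code).

Stages: T1 rate gate -> per-unit entropy check against T2 -> count of
suspicious packets -> basic module capacity -> extended modules added on
demand -> QoS degradation per SLA if expansion cannot cover the overflow.
"""
import math
from collections import Counter


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def split_units(packets, m):
    """Group sampled packets into packet units of M packets (last may be short)."""
    return [packets[i:i + m] for i in range(0, len(packets), m)]


def unit_is_suspicious(unit, t2, field="src"):
    """Assumption: entropy over the source address; exceeding T2 means suspicious."""
    return shannon_entropy([p[field] for p in unit]) > t2


def plan_expansion(n_suspicious, basic_capacity, ext_capacity, max_ext):
    """Return (extended modules to add, suspicious packets nobody can clean).

    Capacities are packets per unit (assumption). `max_ext` models the point
    at which expansion fails and the SLA fallback of the description applies.
    """
    if n_suspicious <= basic_capacity:
        return 0, 0
    overflow = n_suspicious - basic_capacity
    needed = math.ceil(overflow / ext_capacity)
    added = min(needed, max_ext)
    return added, max(0, overflow - added * ext_capacity)


def run_pipeline(packets, pps, t1, t2, m, basic_capacity, ext_capacity, max_ext):
    """One pass of the claim-3 flow over a window of sampled packets."""
    if pps <= t1:  # below the rate threshold: initial detection is not started
        return {"stage": "delivered", "suspicious": 0, "extended": 0,
                "uncleaned": 0, "degrade_qos": False}
    units = split_units(packets, m)
    n_susp = sum(len(u) for u in units if unit_is_suspicious(u, t2))
    added, uncleaned = plan_expansion(n_susp, basic_capacity, ext_capacity, max_ext)
    return {"stage": "cleaning", "suspicious": n_susp, "extended": added,
            "uncleaned": uncleaned, "degrade_qos": uncleaned > 0}


# Constructed traffic. Legitimate units: two busy clients alternating, so the
# source-address entropy is exactly 1 bit. Flood units: M distinct spoofed
# sources, so the entropy is log2(M) = 3 bits for M = 8.
def legit_unit(m):
    return [{"src": f"10.0.0.{1 + i % 2}", "dst": "10.0.1.5"} for i in range(m)]


def flood_unit(m, offset):
    return [{"src": f"198.51.100.{offset + i}", "dst": "10.0.1.5"} for i in range(m)]


M = 8
SAMPLE_PACKETS = (legit_unit(M) + flood_unit(M, 0) + legit_unit(M)
                  + flood_unit(M, 8) + flood_unit(M, 16))

if __name__ == "__main__":
    # T1 = 1000 pps, T2 = 2 bits, basic module cleans 10 packets per unit,
    # each extended module 8, and at most one extended module can be spun up.
    print(run_pipeline(SAMPLE_PACKETS, pps=5000, t1=1000, t2=2.0, m=M,
                       basic_capacity=10, ext_capacity=8, max_ext=1))
```

With the values in the `__main__` block, the three flood units yield 24 suspicious packets, the basic module covers 10, one extended module covers 8 more, and the remaining 6 are what triggers the SLA-based quality-of-service degradation described in the text; raising `max_ext` to 3 adds two extended modules and leaves nothing uncleaned. The check a deployer should make before trusting T2 is the one this example makes visible: measure the entropy of the chosen field on known-good traffic first, since a threshold placed below the legitimate baseline sends every unit to the CNN and defeats the purpose of the cheap pre-check.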
CN202110868763.8A 2021-06-07 2021-07-30 DDoS attack elastic defense method based on NFV and deep learning Active CN113411351B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110631664 2021-06-07
CN2021106316648 2021-06-07

Publications (2)

Publication Number Publication Date
CN113411351A true CN113411351A (en) 2021-09-17
CN113411351B CN113411351B (en) 2023-06-27

Family

ID=77688089

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110868763.8A Active CN113411351B (en) 2021-06-07 2021-07-30 DDoS attack elastic defense method based on NFV and deep learning

Country Status (1)

Country Link
CN (1) CN113411351B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106549792A (en) * 2015-09-22 2017-03-29 中国移动通信集团公司 A kind of method of the security control of VNF, apparatus and system
CN109450841A (en) * 2018-09-03 2019-03-08 中新网络信息安全股份有限公司 A kind of Large Scale DDoS Attack detection and system of defense and defence method based on the on-demand linkage pattern of cloud+end equipment
CN109639449A (en) * 2017-10-09 2019-04-16 中兴通讯股份有限公司 Virtualize method, equipment and the medium of the automatic management of traffic mirroring strategy
CN110113435A (en) * 2019-05-27 2019-08-09 北京神州绿盟信息安全科技股份有限公司 A kind of method and apparatus of flow cleaning
CN110661781A (en) * 2019-08-22 2020-01-07 中科创达软件股份有限公司 DDoS attack detection method, device, electronic equipment and storage medium
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN111586018A (en) * 2020-04-29 2020-08-25 杭州迪普科技股份有限公司 Flow cleaning method and device
US10764323B1 (en) * 2015-12-21 2020-09-01 Amdocs Development Limited System, method, and computer program for isolating services of a communication network in response to a distributed denial of service (DDoS) attack


Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
YUZE SU; XIANGRU MENG: "DDoS Attack Detection Algorithm Based on Hybrid Traffic Prediction Model", IEEE, 10 December 2018 (2018-12-10) *
佟平 (Tong Ping): 《国家信息化与信息化工具》 ("National Informatization and Informatization Tools"), 30 June 2017, pages 222-223 *
张龙; 王劲松 (Zhang Long; Wang Jinsong): 《SDN中基于信息熵与DNN的DDoS攻击检测模型》 ("A DDoS attack detection model based on information entropy and DNN in SDN"), 《计算机研究与发展》 (Journal of Computer Research and Development), 31 May 2019 (2019-05-31), page 2 *
李传煌; 吴艳 et al. (Li Chuanhuang; Wu Yan et al.): 《SDN下基于深度学习混合模型的DDoS攻击检测与防御》 ("DDoS attack detection and defense based on a deep learning hybrid model in SDN"), 《通信学报》 (Journal on Communications), 31 July 2018 (2018-07-31), page 4 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834459A (en) * 2022-10-10 2023-03-21 大连海事大学 Dynamic cleaning system and method for link flooding attack flow
CN115834459B (en) * 2022-10-10 2024-03-26 大连海事大学 Dynamic cleaning system and method for link flooding attack flow
CN117278262A (en) * 2023-09-13 2023-12-22 武汉卓讯互动信息科技有限公司 DDOS safety defense system based on deep neural network
CN117278262B (en) * 2023-09-13 2024-03-22 武汉卓讯互动信息科技有限公司 DDOS safety defense system based on deep neural network

Also Published As

Publication number Publication date
CN113411351B (en) 2023-06-27

Similar Documents

Publication Publication Date Title
CN109981691B (en) SDN controller-oriented real-time DDoS attack detection system and method
CN106657107B (en) Adaptive starting ddos defense method and system based on trust value in SDN
CN113411351B (en) DDoS attack elastic defense method based on NFV and deep learning
CN108898015B (en) Application layer dynamic intrusion detection system and detection method based on artificial intelligence
Ortet Lopes et al. Towards effective detection of recent DDoS attacks: A deep learning approach
CN101465760A (en) Method and system for detecting abnegation service aggression
CN107896217B (en) Multi-parameter cache pollution attack detection method in content-centric network
CN105933316B (en) The determination method and apparatus of network security level
CN113489619B (en) Network topology inference method and device based on time series analysis
CN113271318B (en) Network threat perception system and method
Haider et al. Deep learning based ensemble convolutional neural network solution for distributed denial of service detection in SDNs
CN114115068A (en) Heterogeneous redundancy defense strategy issuing method of endogenous security switch
CN111786967B (en) Defense method, system, node and storage medium for DDoS attack
Haghighat et al. SAWANT: smart window based anomaly detection using netflow traffic
CN111291078B (en) Domain name matching detection method and device
CN113162939A (en) Detection and defense system for DDoS (distributed denial of service) attack under SDN (software defined network) based on improved k-nearest neighbor algorithm
CN112235242A (en) C & C channel detection method and system
Huang et al. Learning cascading failure interactions by deep convolutional generative adversarial network
TWI780411B (en) Abnormal network traffic detection system and method based on long short-term memory model
CN111835750B (en) DDoS attack defense method based on ARIMA model in SDN
Kopylova et al. Mutual information applied to anomaly detection
Qamar et al. Detecting Distributed Denial of Service attacks using Recurrent Neural Network
CN110971471A (en) Power communication backbone network fault recovery method and device based on state perception
CN114915444B (en) DDoS attack detection method and device based on graph neural network
Roeling et al. Stochastic block models as an unsupervised approach to detect botnet-infected clusters in networked data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant