CN104158800A - Detection method of DDoS (Distributed Denial of Service) attack for software defined network (SDN) - Google Patents


Publication number
CN104158800A
Authority
CN
China
Prior art keywords
flow
stream
hexa
atomic group
ddos
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410348507.6A
Other languages
Chinese (zh)
Inventor
肖甫
马俊青
王汝传
韩志杰
王少辉
黄洵松
李�赫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University

Abstract

The invention provides a modular method for detecting DDoS (Distributed Denial of Service) attacks in a software defined network (SDN) environment. The method comprises the following steps: selecting six key attributes of the network flows, namely Apf, Abf, Adf, PPf, GSf and GDP, on the SDN controller to form a six-tuple; and detecting DDoS attacks in the SDN environment using the KNN (K-Nearest Neighbor) algorithm. The method enables efficient detection of DDoS traffic across multiple SDN switches in the SDN environment while reducing the system's false alarm rate.

Description

A method for detecting distributed denial-of-service attacks in software-defined networks
Technical field
The present invention applies to Software Defined Network (SDN) environments: on the SDN controller, key attributes of the network traffic are selected and the K-Nearest Neighbor (KNN) algorithm is used to detect Distributed Denial of Service (DDoS) attacks in the SDN environment. The technique belongs to the field of computer networks.
Background technology
In traditional networks, both the control and the forwarding of traffic depend on the network devices themselves, which integrate an operating system and dedicated hardware tightly coupled to the service characteristics. These operating systems and dedicated hardware are developed and designed by each vendor on its own; they lack flexibility and extensibility, which has hindered the further development of networks. The SDN concept and its related technologies arose precisely to overcome these shortcomings.
SDN is a new network architecture whose design idea is to separate the control plane of the network from the data forwarding plane and to make control programmable. The SDN architecture is usually divided into three layers. The top layer is the application layer, which contains the various services and applications; the control layer is mainly responsible for orchestrating data resources and for maintaining the network topology, state information and so on; the infrastructure layer is responsible for flow-table-based data processing, forwarding and state collection. In SDN, the network devices are only responsible for simple data forwarding and can use general-purpose hardware. The operating system that was formerly responsible for control becomes an independent network operating system, which is responsible for adapting to different service characteristics, and the communication between the network operating system, the service characteristics and the hardware devices can be implemented by programming.
OpenFlow is a first realization of the SDN idea and is implemented by OpenFlow switches and an OpenFlow controller. An OpenFlow switch looks up and forwards packets using its flow table and constitutes the data forwarding plane; the OpenFlow controller is responsible for configuring the flow tables on the OpenFlow switches and constitutes the control plane. The controller is the core of OpenFlow: through the OpenFlow protocol, the controller can query, add and delete flow-table entries on a switch and collect the switch's flow and packet statistics.
Because the OpenFlow controller has control over the network and can inspect the network's information, it can detect and handle DDoS attack traffic in the network.
A denial-of-service attack (Denial of Service, abbreviated DoS) is one in which one or more attack sources forge data and send illegitimate requests that flood the normal service, so that legitimate requests are ignored and the quality of service declines. Such an attack usually consumes network bandwidth and host resources until the network or host exceeds its peak load and can no longer provide service normally. DDoS refers to the distributed form of the attack: a number of hosts on the network that can launch denial-of-service attacks are controlled and made to attack simultaneously, generating a large number of packets directed at the target network or host and paralyzing it. The barrier to launching a DDoS attack today is very low; an attacker needs no hacker's support and can launch an attack with attack software alone. Well-known attack tools include Trinoo, TFN, Stacheldraht and TFN2K.
The KNN algorithm is a classic data-mining algorithm that is often used for classification. Given a training data set, the algorithm finds, for each new input instance, the K instances in the training data that are nearest to it; the input instance is assigned to the class to which the majority of those K instances belong.
Summary of the invention
Technical problem: the object of the invention is to provide a method for detecting distributed denial-of-service attacks in software-defined networks. By selecting key attributes of the network traffic and comparing them with the result set of an initial training phase, DDoS attacks in the software-defined network are detected; the method enables efficient analysis of the key traffic attributes and efficient attack detection.
Technical solution: the method uses flow-table analysis on the SDN controller together with the KNN algorithm to detect abnormal traffic. When traffic enters an SDN switch, the switch first checks its flow table; if there is a matching entry, the corresponding action, such as forwarding, is performed. If there is no matching entry, the packet is sent to the SDN controller, which generates a flow-table entry and sends it to the switch. The SDN controller can also obtain the flow-table information on a switch at any time; by analyzing the flow-table information, we can learn whether the network has suffered a DDoS attack during the period in question.
The method comprises the following specific steps:
The steps for detecting distributed denial-of-service attacks in a software-defined network are as follows:
1) The flow-table collection module, through the SDN controller, periodically sends flow-table request messages to all SDN switches in the network to obtain flow-table information; the flow-table information is sent to the controller over the secure channel, and the polling interval is set to 3 seconds;
2) The feature extraction module analyzes the obtained flow-table information and forms a six-tuple; each switch has one six-tuple, identified by the switch ID. The six-tuple comprises: the average number of packets per flow Apf, the average number of bytes per flow Abf, the average duration of each flow entry Adf, the ratio of interactive flows PPf, the growth rate of non-interactive flows GSf, and the growth rate of different ports GDP;
3) The classification module analyzes the six-tuple from the feature extraction module to decide whether the traffic in this period is normal traffic or DDoS attack traffic. The classification module uses the KNN algorithm to classify the six-tuple from the feature extraction module: it is first trained with a number of groups of normal traffic and of DDoS traffic, which yields a set of sample points; then the K nearest neighbors of the six-tuple of the traffic under test are found. If DDoS traffic points outnumber normal traffic points among the K neighbors, the traffic is considered DDoS traffic; otherwise it is considered normal traffic. When finding the K nearest neighbors of a new sample point, the distance metric used is the Mahalanobis distance; the Mahalanobis distance $D_{ij}$ between the i-th six-tuple and the j-th six-tuple is calculated with the following formula:
$$D(X_i - X_j) = (X_i - X_j)^{T} S^{-1} (X_i - X_j)$$
where S is the covariance matrix of the six-tuples from the earlier training, and T denotes transposition.
Beneficial effects: the method adopts a modular structure, comprehensively extracts the key attributes of traffic under the SDN architecture, and analyzes the extracted key-attribute data with the K-nearest-neighbor algorithm, giving a higher recognition rate and a lower false alarm rate.
Brief description of the drawings
Fig. 1 is the detection flow.
Embodiment
The steps of DDoS attack detection based on the SDN controller are as follows:
(1) The flow-table collection module, through the SDN controller, periodically sends flow-table request messages to all SDN switches in the network to obtain flow-table information; the flow-table information is sent to the controller over the secure channel.
(2) The feature extraction module analyzes the obtained flow-table information and forms a six-tuple. Each switch has one six-tuple, identified by the switch ID.
(3) The classification module analyzes the six-tuple from the feature extraction module to decide whether the traffic in this period is normal traffic or DDoS attack traffic.
Further, we set the interval for periodically obtaining the flow information to 3 seconds.
Further, the six-tuple we choose comprises Apf (the average number of packets per flow), Abf (the average number of bytes per flow), Adf (the average duration of each flow entry), PPf (the ratio of interactive flows), GSf (the growth rate of non-interactive flows) and GDP (the growth rate of different ports).
Further, our classification module uses the KNN algorithm to classify the six-tuple from the feature extraction module. We first train the classification module with a number of groups of normal traffic and of DDoS traffic, which yields a set of points; then the K nearest neighbors of the six-tuple of the traffic under test are found. If DDoS traffic points outnumber normal traffic points among the K neighbors, we consider the traffic to be DDoS traffic; otherwise we consider it to be normal traffic.
Further, we choose the Mahalanobis distance as the distance metric for the K neighbors. The Mahalanobis distance $D_{ij}$ between the i-th six-tuple and the j-th six-tuple is calculated with the following formula:
$$D(X_i - X_j) = (X_i - X_j)^{T} S^{-1} (X_i - X_j)$$
where S is the covariance matrix of the six-tuples from the earlier training, and T denotes transposition.
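The classification step described above, as an added example that is not code from the patent: a pure-Python KNN vote that uses the quadratic form given on the page, with S estimated from all training six-tuples. The training values, the window under test and every function and class name are constructed for illustration; taking a square root of the distance would not change which neighbours are nearest.

```python
from collections import Counter


def covariance(rows):
    """Sample covariance matrix S of the training six-tuples."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[k] for r in rows) / n for k in range(d)]
    return [[sum((r[a] - mean[a]) * (r[b] - mean[b]) for r in rows) / (n - 1)
             for b in range(d)] for a in range(d)]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; a singular S is rejected."""
    d = len(m)
    aug = [[float(v) for v in row] + [float(i == j) for j in range(d)]
           for i, row in enumerate(m)]
    for col in range(d):
        piv = max(range(col, d), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("singular covariance: training tuples lack variation")
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(d):
            if r != col:
                f = aug[r][col]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]


def mahalanobis(x, y, s_inv):
    """(x - y)^T S^-1 (x - y): the quadratic form given on the page."""
    diff = [p - q for p, q in zip(x, y)]
    return sum(diff[i] * s_inv[i][j] * diff[j]
               for i in range(len(diff)) for j in range(len(diff)))


class KnnDetector:
    """KNN over six-tuples; S is estimated from all training tuples."""

    def __init__(self, samples, labels, k=3):
        self.samples, self.labels, self.k = samples, labels, k
        self.s_inv = invert(covariance(samples))

    def classify(self, x):
        ranked = sorted(zip(self.samples, self.labels),
                        key=lambda sl: mahalanobis(x, sl[0], self.s_inv))
        votes = Counter(label for _, label in ranked[:self.k])
        # DDoS only when DDoS neighbours outnumber normal ones; a tie stays normal.
        return "ddos" if votes["ddos"] > votes["normal"] else "normal"


# Constructed training six-tuples (Apf, Abf, Adf, PPf, GSf, GDP), one per 3 s poll.
TRAIN = [
    (19.0, 1950.0, 8.0, 1.00, 0.0, 1.7),
    (24.0, 2600.0, 11.0, 0.92, 0.7, 2.3),
    (15.0, 1400.0, 6.0, 0.96, 0.3, 2.0),
    (30.0, 3100.0, 14.0, 0.88, 1.0, 3.0),
    (21.0, 1700.0, 9.5, 1.00, 0.0, 1.3),
    (17.5, 2250.0, 7.0, 0.90, 0.7, 2.7),
    (1.0, 60.0, 1.0, 0.17, 10.0, 11.7),
    (1.0, 64.0, 1.0, 0.08, 14.3, 15.0),
    (2.0, 120.0, 2.0, 0.25, 8.0, 10.3),
    (1.0, 74.0, 1.5, 0.12, 12.7, 14.0),
    (1.5, 90.0, 1.0, 0.05, 16.0, 17.3),
    (2.0, 66.0, 2.5, 0.20, 9.3, 10.7),
]
LABELS = ["normal"] * 6 + ["ddos"] * 6

if __name__ == "__main__":
    detector = KnnDetector(TRAIN, LABELS, k=3)
    window = (1.5, 79.0, 1.5, 0.15, 11.7, 13.2)   # constructed six-tuple under test
    print(detector.classify(window))
```

Because S is inverted, the training set needs more windows than features and real variation in every feature; the constructor raises if it does not.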
Fig. 1 shows the detection flow, which is divided into three modules: the flow-table collection module, the feature extraction module and the classification module. The flow-table collection module is responsible for collecting the flow tables on the SDN switches; the feature extraction module is responsible for analyzing the flow tables and extracting their key attributes; the classification module is responsible for classifying the data provided by the feature extraction module.
The method for detecting distributed denial-of-service attacks in a software-defined network comprises the following specific steps:
(1) The flow-table collection module, through the SDN controller, periodically sends flow-table request messages to all SDN switches in the network to obtain flow-table information; the flow-table information is sent to the controller over the secure channel, and we set the polling interval to 3 seconds.
(2) The feature extraction module analyzes the obtained flow-table information and forms a six-tuple. Each switch has one six-tuple, identified by the switch ID. The six-tuple we choose comprises Apf (the average number of packets per flow), Abf (the average number of bytes per flow), Adf (the average duration of each flow entry), PPf (the ratio of interactive flows), GSf (the growth rate of non-interactive flows) and GDP (the growth rate of different ports).
For Apf, Abf and Adf we use the median. The entries in the flow table are first sorted in ascending order by packet count, byte count and duration respectively. Let X be the packet count, byte count or duration of each flow and n the number of flow entries; the median md(X) is:
$$md(X) = \begin{cases} X_{((n+1)/2)}, & n \bmod 2 = 1 \\ \dfrac{X_{(n/2)} + X_{((n+1)/2)}}{2}, & n \bmod 2 = 0 \end{cases}$$
PPf is an important index for measuring interactive flows. Suppose there are flow 1 and flow 2; we define them as interactive flows when the source IP address of flow 1 equals the destination address of flow 2, the destination address of flow 1 equals the source address of flow 2, and flow 1 and flow 2 use the same protocol. A DDoS attack that uses IP spoofing causes the ratio of non-interactive flows to rise significantly. Pair_flow_num is the number of pairs of interactive flows, and flow_num is the total number of flows. We calculate the ratio of interactive flows as follows:
$$PPf = \frac{2 \times \text{Pair\_flow\_num}}{\text{flow\_num}}$$
GSf is the growth rate of non-interactive flows. When a DDoS attack begins, the number of non-interactive flows increases significantly. interval is the flow-table polling interval that we set. We calculate the growth rate of non-interactive flows as follows:
$$GSf = \frac{\text{flow\_num} - (2 \times \text{Pair\_flow\_num})}{\text{interval}}$$
GDP is the growth rate of different ports. In a DDoS attack the choice of port is also random, so the growth rate of ports is also very large.
$$GDP = \frac{\text{port\_num}}{\text{interval}}$$
(3) The classification module analyzes the six-tuple from the feature extraction module to decide whether the traffic in this period is normal traffic or DDoS attack traffic. Our classification module uses the KNN algorithm to classify the six-tuple from the feature extraction module. We first train the classification module with a number of groups of normal traffic and of DDoS traffic, which yields a set of sample points; then the K nearest neighbors of the six-tuple of the traffic under test are found. If DDoS traffic points outnumber normal traffic points among the K neighbors, we consider the traffic to be DDoS traffic; otherwise we consider it to be normal traffic. When finding the K nearest neighbors of a new sample point, the distance metric used is the Mahalanobis distance; the Mahalanobis distance $D_{ij}$ between the i-th six-tuple and the j-th six-tuple is calculated with the following formula:
$$D(X_i - X_j) = (X_i - X_j)^{T} S^{-1} (X_i - X_j)$$
where S is the covariance matrix of the six-tuples from the earlier training, and T denotes transposition.
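Step (2) worked through on one polled flow table, as an added example that is not part of the patent text: it pairs interactive flows, takes the three medians and applies the PPf, GSf and GDP formulas above. The Flow record, its field names, the two sample tables, the use of the conventional median for an even number of entries and the reading of port_num as the count of distinct destination ports are assumptions made for the example.

```python
from collections import Counter, namedtuple
from statistics import median

# One flow-table entry from a statistics poll. The field names are assumptions
# made for this example; map them from whatever your controller returns.
Flow = namedtuple("Flow", "src dst proto dport packets nbytes duration")
SixTuple = namedtuple("SixTuple", "Apf Abf Adf PPf GSf GDP")


def count_pairs(flows):
    """Pair_flow_num: pairs of flows A->B and B->A that use the same protocol."""
    seen = Counter((f.src, f.dst, f.proto) for f in flows)
    pairs = 0
    for (src, dst, proto), n in seen.items():
        if src < dst:  # visit each unordered host pair once
            pairs += min(n, seen.get((dst, src, proto), 0))
    return pairs       # a flow with src == dst has no partner and stays unpaired


def six_tuple(flows, interval=3.0):
    """Build (Apf, Abf, Adf, PPf, GSf, GDP) for one switch from one poll."""
    if not flows:
        raise ValueError("empty flow table: the ratios are undefined")
    flow_num = len(flows)
    pair_flow_num = count_pairs(flows)
    port_num = len({f.dport for f in flows})  # assumption: distinct destination ports
    return SixTuple(
        # statistics.median averages the two middle values when n is even
        Apf=median(f.packets for f in flows),
        Abf=median(f.nbytes for f in flows),
        Adf=median(f.duration for f in flows),
        PPf=2 * pair_flow_num / flow_num,
        GSf=(flow_num - 2 * pair_flow_num) / interval,
        GDP=port_num / interval,
    )


# Constructed sample: three request/response pairs seen in one 3-second poll.
NORMAL = [
    Flow("10.0.0.1", "10.0.0.2", "tcp", 80, 40, 52000, 12),
    Flow("10.0.0.2", "10.0.0.1", "tcp", 51000, 30, 2400, 12),
    Flow("10.0.0.3", "10.0.0.2", "tcp", 80, 20, 18000, 8),
    Flow("10.0.0.2", "10.0.0.3", "tcp", 51001, 18, 1500, 8),
    Flow("10.0.0.4", "10.0.0.5", "udp", 53, 2, 150, 1),
    Flow("10.0.0.5", "10.0.0.4", "udp", 40000, 2, 300, 1),
]
# Constructed sample: the same table plus 30 one-packet flows from spoofed
# sources (documentation addresses) that never receive a reply flow.
FLOOD = NORMAL + [
    Flow(f"198.51.100.{i}", "10.0.0.2", "tcp", 1024 + i, 1, 60, 1)
    for i in range(1, 31)
]

if __name__ == "__main__":
    print("normal:", six_tuple(NORMAL))
    print("flood: ", six_tuple(FLOOD))
```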

Claims (1)

1. A method for detecting distributed denial-of-service attacks in a software-defined network, characterized in that the method comprises the following specific steps:
The steps for detecting distributed denial-of-service attacks in a software-defined network are as follows:
1) The flow-table collection module, through the SDN controller, periodically sends flow-table request messages to all SDN switches in the network to obtain flow-table information; the flow-table information is sent to the controller over the secure channel, and the polling interval is set to 3 seconds;
2) The feature extraction module analyzes the obtained flow-table information and forms a six-tuple; each switch has one six-tuple, identified by the switch ID. The six-tuple comprises: the average number of packets per flow Apf, the average number of bytes per flow Abf, the average duration of each flow entry Adf, the ratio of interactive flows PPf, the growth rate of non-interactive flows GSf, and the growth rate of different ports GDP;
3) The classification module analyzes the six-tuple from the feature extraction module to decide whether the traffic in this period is normal traffic or DDoS attack traffic. The classification module uses the KNN algorithm to classify the six-tuple from the feature extraction module: it is first trained with a number of groups of normal traffic and of DDoS traffic, which yields a set of sample points; then the K nearest neighbors of the six-tuple of the traffic under test are found. If DDoS traffic points outnumber normal traffic points among the K neighbors, the traffic is considered DDoS traffic; otherwise it is considered normal traffic. When finding the K nearest neighbors of a new sample point, the distance metric used is the Mahalanobis distance; the Mahalanobis distance $D_{ij}$ between the i-th six-tuple and the j-th six-tuple is calculated with the following formula:
$$D(X_i - X_j) = (X_i - X_j)^{T} S^{-1} (X_i - X_j)$$
where S is the covariance matrix of the six-tuples from the earlier training, and T denotes transposition.
CN201410348507.6A 2014-07-21 2014-07-21 Detection method of DDoS (Distributed Denial of Service) attack for software defined network (SDN) Pending CN104158800A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410348507.6A CN104158800A (en) 2014-07-21 2014-07-21 Detection method of DDoS (Distributed Denial of Service) attack for software defined network (SDN)


Publications (1)

Publication Number Publication Date
CN104158800A true CN104158800A (en) 2014-11-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141119
