CN106534133A - Deep learning based DDOS defensive device and method in SDN - Google Patents

Info

Publication number: CN106534133A
Authority: CN (China)
Prior art keywords: deep learning, module, flow table, ddos, feature
Legal status: Granted (current status: Active)
Application number: CN201611027774.9A
Other languages: Chinese (zh)
Other versions: CN106534133B (en)
Inventors: 李传煌, 孙正君, 龚梁, 金蓉, 王伟明
Current Assignee: Zhejiang Gongshang University
Original Assignee: Zhejiang Gongshang University
Application filed by: Zhejiang Gongshang University

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Abstract

The invention discloses a deep learning based DDOS defensive device and method in SDN. The device comprises a feature extraction module, a deep learning DDOS detection module, a Model Updater module, an information statistics module and a flow table generation module. The feature extraction module extracts features of an input data packet in the system to construct a feature matrix, processed features are input to the deep learning DDOS detection module, and the deep learning DDOS detection module uses a learned model to determine whether the input data packet in the present system is an attack packet. According to the invention, deep learning is used to detect the data packet input to the system, and compared with a traditional DDOS attack invasion detection method, the detection efficiency and the accuracy are improved greatly.

Description

A deep learning based DDoS defense device and method in SDN
Technical field
The present invention relates to the field of network communication technology, and in particular to a deep learning based DDoS defense device and method in SDN.
Background
With the rapid progress of global informatization, attackers exploit weaknesses in network architectures and security vulnerabilities in networked server systems to steal the personal information of network users, disrupt the normal network environment, or prevent a target host from communicating normally, so network environments face increasingly serious security challenges. With the explosive growth in the number of Internet users in recent years, the emergence of new network applications such as social networks and high-definition online video, and of novel service models such as cloud computing and big data, has placed new demands on traditional networks. The traditional network architecture has gradually become a bottleneck in terms of controllability, scalability and security, and a number of new network architectures have been proposed in succession against this background.
In 2006, the Clean Slate research group at Stanford University in the USA proposed the concept of the software defined network (Software Defined Network, SDN). As a new network architecture, software defined networking (Software Defined Networking, SDN) separates the control plane from the data plane and features centralized control and software programmability. It offers a novel solution for overcoming the bottlenecks of current traditional networks and for developing new network applications and future Internet technologies. By design, the SDN architecture has two main characteristics: separation of data and control, and centralized control. Centralized control means that a software controller centrally manages the network's data forwarding rules. Centralized management therefore makes data forwarding faster and more efficient, and the secure channel between the controller and the forwarding devices also strengthens the security of the SDN architecture to some extent. From another angle, however, precisely because control is centralized and separated from forwarding, the attacker's target becomes more clearly defined, which to some extent makes the SDN architecture more fragile.
The concept of OpenFlow was first proposed by Professor Nick McKeown of Stanford University. After years of development, and with the formulation and promotion of the OpenFlow protocol standard, OpenFlow has become one of the mainstream southbound interface protocols of the SDN architecture. However, while SDN reforms the network architecture, it also brings new challenges for security defense systems.
A distributed denial of service attack (Distributed Denial of Service, DDoS) is a special form of denial of service attack that grew out of the denial of service attack (Denial of Service, DoS). It is a distributed, coordinated, large-scale automated attack whose main targets are larger sites, such as the websites of commercial companies, search engines or government departments. Unlike a DoS attack, which can be carried out with a single computer terminal and a modem, a DDoS attack uses a group of controlled machines to attack one target simultaneously. Such an attack arrives with overwhelming force, is hard to guard against, and is more destructive. In the new SDN architecture, with its separation of data and control and its centralized control, defending against DDoS attacks is likewise a problem that must be considered.
In 2006, Geoffrey Hinton, a professor at the University of Toronto and a leading authority in the field of machine learning, and his student Ruslan Salakhutdinov published an article in the top academic journal Science that set off the wave of deep learning in academia and industry. Deep learning can approximate complex functions by learning a deep nonlinear network structure, yielding a distributed representation of the input data, and has shown a strong ability to learn the essential features of a data set from a small number of samples. In essence, deep learning builds a machine learning model with a large number of hidden layers and, using massive amounts of training data, learns more useful features of the object, ultimately improving the accuracy of classification or prediction. The benefit of having many hidden layers is that complex functions can be represented with fewer parameters. Because of these properties, deep learning has been applied in more and more fields in recent years.
Defending against DDoS attacks is an important prerequisite for network security under the SDN architecture. The present invention therefore combines SDN with deep learning and proposes a deep learning based DDoS defense method in SDN. The method uses deep learning to detect whether a packet entering the system is an attack packet and responds accordingly. The deep learning DDoS defense module is independent of OpenFlow, so it also relieves the operating load on the OpenFlow switch to some extent.
Summary of the invention
Denial of service attacks in existing SDN networks are mainly carried out on the basis of characteristics of the OpenFlow protocol. Network attack detection is a very important network protection technique and a precondition for defending against network attacks. Network attack detection first deploys data collectors in the network, then parses the collected packets and matches them against attack signatures; a successful match is treated as illegitimate behavior, and a response is made to it. In an intrusion detection system, capturing packets in the network and analyzing and matching them to decide whether they carry the signature of some attack takes considerable time and system resources, detection efficiency is low, and the false negative and false positive rates are high.
The present invention overcomes the above shortcomings and proposes a deep learning based DDoS defense device and method in SDN. The invention uses a feature extraction module to extract the features of packets input to the system and construct a feature matrix, then feeds the processed features to the deep learning DDoS detection module, which uses the learned model to judge whether a packet currently input to the system is an attack packet. Because the invention uses deep learning to inspect packets entering the system, detection efficiency and accuracy are greatly improved compared with traditional DDoS intrusion detection methods.
The deep learning based DDoS defense device in SDN of the present invention comprises a feature extraction module (Features Extraction), a deep learning DDoS detection module (Deep Learning DDoS Detector), a model update module (Model Updater), an information statistics module (Information Statistics) and a flow table generation module (Flow Table Generator), wherein:
1) Feature extraction module (Features Extraction): performs feature extraction on all packets entering the OpenFlow switch and builds a feature matrix that meets the input requirements of the deep learning DDoS detection module (Deep Learning DDoS Detector);
2) Deep learning DDoS detection module (Deep Learning DDoS Detector): uses the trained deep learning model to learn from the features processed by the feature extraction module (Features Extraction) and detects whether a packet currently input to the OpenFlow switch is an attack packet;
3) Information statistics module (Information Statistics): extracts the features of the detected attack packets and counts the frequency with which these features occur;
4) Flow table generation module (Flow Table Generator): based on the feature statistics from the information statistics module (Information Statistics), determines the flow table entries that discard each class of attack packet, together with their priorities, and issues them to the OpenFlow switch;
5) Model update module (Model Updater): updates the deep learning model of the deep learning DDoS detection module (Deep Learning DDoS Detector).
The deep learning based DDoS defense method in SDN of the present invention comprises the following steps:
1) According to the input requirements of the deep learning DDoS detection module (Deep Learning DDoS Detector), the feature extraction module (Features Extraction) performs feature extraction on all packets input to the OpenFlow switch, builds a feature matrix, and outputs it to the deep learning DDoS detection module (Deep Learning DDoS Detector);
2) Using the features processed by the feature extraction module (Features Extraction) and the trained deep learning model, the deep learning DDoS detection module (Deep Learning DDoS Detector) detects whether a packet currently input to the OpenFlow switch is an attack packet. If so, the attack packet is handed to the information statistics module (Information Statistics); otherwise, nothing is done;
3) Within the time interval period T set by the administrator, the information statistics module (Information Statistics) gathers feature statistics on all attack packets, determines the feature weights {W} from the frequency with which each feature occurs in the attack packets, and hands the relevant feature information and weights to the flow table generation module (Flow Table Generator);
4) Based on the weights {W} of the corresponding features counted by the information statistics module (Information Statistics), the flow table generation module (Flow Table Generator) produces flow table entries that discard packets having those features, together with the priorities of these entries;
5) The flow table generation module (Flow Table Generator) issues the newly produced flow table entries to the OpenFlow switch;
6) The OpenFlow switch executes the flow table instructions issued by the flow table generation module (Flow Table Generator) and discards the packets currently entering the OpenFlow switch.
Further, the deep learning model of the deep learning DDoS detection module (Deep Learning DDoS Detector) can be updated dynamically by the model update module (Model Updater).
Further, the model update module (Model Updater) can receive the administrator's model update command over the network and receive the new model information over the network to perform the update.
Further, step 3) specifically comprises the following sub-steps:
3.1) Set the attack packet counter to 0 and reset the timer, with period T;
3.2) Sort the extracted packet features by the values of their respective total counters. If the ordering is unchanged between two consecutive rounds, determine the weights {W} of the corresponding features from the frequencies given by the counter values; otherwise, go to step 3.3);
3.3) Determine the frequency of each feature from the new ordering: the larger a feature's counter value, the larger its frequency;
3.4) If a frequency is below the threshold Q, discard the attack packet feature corresponding to that frequency, and determine the number N of remaining attack packet features;
3.5) From the frequencies {P} obtained by the statistics, the larger the frequency, the larger the weight of the corresponding feature; the weight of each feature is determined in turn according to (where n=0 denotes the weight of the largest feature and ε is a positive number, taken as 0,01), which determines the feature weights {W}.
Further, step 4) specifically comprises the following sub-steps:
4.1) Extract the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address and IP destination address corresponding to the feature items of the attack packets in the information statistics module, and determine the flow table entries;
4.2) Sum the weights of the feature items corresponding to each attack packet; the largest result gives the corresponding flow table entry the highest priority.
Further, step 5) specifically comprises the following sub-steps:
5.1) Restart the timer with period T and set the attack packet counter to 0;
5.2) Judge whether the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address, IP destination address and flow table entry priority corresponding to the feature items of this round's attack packets are the same as those of the flow table entries already issued. If they are the same, do nothing; otherwise, go to step 5.3);
5.3) Following the OpenFlow flow table entry structure, fill the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address and IP destination address corresponding to the feature items of the attack packets into the match fields of the flow table entry;
5.4) The instruction set of the flow table entry includes an instruction that modifies the action set; set the action set instruction to Drop;
5.5) Fill in the remaining fields of the flow table entry and generate the flow table.
The beneficial effects of the present invention are as follows:
(1) The processing framework of the invention uses an extensible modular design, achieving efficient detection and flexible handling of DDoS threats.
(2) Each module obtains packet information through an independent interface design, which reduces the coupling between modules.
(3) Each module uses optimized program data structures, and the processing sub-flows of each module are finely divided, which improves the high cohesion of the modules.
(4) It is portable and compatible with the mainstream controllers on the market, such as OpenDaylight and Floodlight.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the deep learning based DDoS defense device in SDN according to an embodiment of the present invention.
Fig. 2 is the flow chart of deep learning based DDoS defense in SDN according to an embodiment of the present invention.
Fig. 3 is the packet feature statistics flow chart of the information statistics module according to an embodiment of the present invention.
Fig. 4 is the flow table generation flow chart of the flow table generation module according to an embodiment of the present invention.
Detailed description of the embodiments
At present, most SDN architectures use the OpenFlow protocol as the interface for communication between the control layer and the data exchange layer, which allows network resources to be changed and new switch rules to be added in real time. The OpenFlow protocol relies on the secure channel between the controller and the switch. Once a DDoS attack hits the secure channel and the connection is broken, the SDN architecture loses its controller and collapses; if a DDoS attack between the switch and the controller causes the connection to be lost, the whole network architecture loses its control layer, which may paralyze the entire network. In summary, research into an efficient and accurate DDoS defense measure is urgent. The invention provides a deep learning based DDoS defense device and method in SDN, mainly intended to solve the problem of how to defend effectively against DDoS attacks in SDN. The present invention is described further below with reference to the drawings and embodiments.
Device embodiment
According to an embodiment of the present invention, a deep learning based DDoS defense device in SDN is provided. Fig. 1 is the system architecture diagram of the deep learning based DDoS defense device in SDN. The device mainly comprises the following modules: a feature extraction module, a deep learning DDoS detection module, a model update module, an information statistics module and a flow table generation module. The modules of this embodiment are described in detail below.
1) Feature extraction module: this module performs feature extraction, data feature preprocessing and format conversion on all packets entering the OpenFlow switch, and builds a feature matrix that meets the input requirements of the deep learning DDoS detection module. It contains the packet_extract(ip_src, ip_dst, tcp_srcport, udp_srcport, tcp_dstport, udp_dstport, icmp_type) method, whose interface is defined as follows:
1.1) def packet_extract(ip_src, ip_dst, tcp_srcport, udp_srcport, tcp_dstport, udp_dstport, icmp_type):
    pass
    return packet_extraction
Function: extracts the IP source address and destination address, TCP source port and destination port, UDP source port and destination port, and ICMP type of the input data and converts them into the corresponding extracted features;
Parameters: ip_src, source IP address; ip_dst, destination IP address; tcp_srcport, source TCP port; tcp_dstport, destination TCP port; udp_srcport, source UDP port; udp_dstport, destination UDP port; icmp_type, ICMP type;
Return: packet_extraction, the extracted features;
1.2) def ip_to_array(ip_str):
    pass
    return tmp_ip_array
Function: converts an IP address given as a string into a temporary 32-bit binary array;
Parameter: ip_str, the IP address as a string;
Return: tmp_ip_array, the temporary 32-bit binary array;
1.3) def port_to_array(port_str):
    pass
    return tmp_port_array
Function: converts a port number given as a string into a temporary 16-bit binary array;
Parameter: port_str, the port number as a string;
Return: tmp_port_array, the temporary 16-bit binary array;
1.4) def str_list_to_array(str_list):
    pass
    return output_array.astype(float)
Function: converts an array of strings into an array of float type;
Parameter: str_list, the array of strings;
Return: output_array.astype(float), the array of float type;
1.5) def normalize_array(array):
    pass
    return array.astype(float)
Function: normalizes the extracted features so that they meet the input requirements of the deep learning DDoS detection module;
Parameter: array, the array of extracted features;
Return: array.astype(float), the normalized array of float type;
2) Deep learning DDoS detection module (Deep Learning DDoS Detector): uses the trained deep learning model to learn from the features processed by the feature extraction module (Features Extraction) and detects whether a packet currently input to the OpenFlow switch is an attack packet. It contains the predictresult_processing(predict_numpy) method, whose interface is defined as follows:
def predictresult_processing(predict_numpy):
    pass
    return attackpacket_feature
Function: based on the input from the feature extraction module, performs learning and training and saves the attack packet features;
Parameter: predict_numpy, the array produced by the feature extraction module;
Return: attackpacket_feature, the attack packet features;
3) Information statistics module (Information Statistics): extracts the features of the detected attack packets and counts the frequency with which these features occur. It contains the inverse_packet(numpy_packets) method, whose interface is defined as follows:
3.1) def inverse_packet(numpy_packets):
    pass
    return entry_feature
Function: extracts and counts the features of the packets currently entering the OpenFlow switch;
Parameter: numpy_packets, the packets currently entering the OpenFlow switch;
Return: entry_feature, the packet features;
3.2) def count_feature(feature_list):
    pass
    return top_feature
Function: among the features saved by the deep learning DDoS detection module, finds the feature with the largest weight;
Parameter: feature_list, the feature list;
Return: top_feature, the feature with the largest weight;
3.3) def feature_statistics(attackpacket_feature):
    pass
    return result_feature
Function: computes the weights corresponding to the features of the attack packets;
Parameter: attackpacket_feature, the features of the attack packets;
Return: result_feature, the weights of the features;
4) Flow table generation module (Flow Table Generator): based on the feature statistics from the information statistics module (Information Statistics), determines the flow table entries that discard each class of attack packet, together with their priorities, and issues them to the OpenFlow switch;
5) Model update module (Model Updater): updates the deep learning model of the deep learning DDoS detection module (Deep Learning DDoS Detector).
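One way the feature extraction interface of module 1) could be filled in, as an added example that is not code from the patent. The row layout (two 32-bit addresses, four 16-bit ports, an 8-bit ICMP type), the encoding of a field the packet lacks as zeros, and the use of plain lists instead of numpy arrays are assumptions of this example.

```python
import ipaddress

# Assumed row layout: ip_src, ip_dst (32 bits each), tcp_srcport, udp_srcport,
# tcp_dstport, udp_dstport (16 bits each), icmp_type (8 bits).
FEATURE_WIDTH = 2 * 32 + 4 * 16 + 8


def to_bits(value, width):
    """Unsigned integer -> list of bits, most significant bit first."""
    return [(value >> shift) & 1 for shift in range(width - 1, -1, -1)]


def ip_to_array(ip_str):
    """Dotted-quad IPv4 string -> 32 bits. Malformed input raises ValueError."""
    return to_bits(int(ipaddress.IPv4Address(ip_str)), 32)


def port_to_array(port_str):
    """Port given as a string -> 16 bits; a missing field ('' or None) -> zeros."""
    if port_str in ("", None):
        return [0] * 16
    port = int(port_str)
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range: %r" % (port_str,))
    return to_bits(port, 16)


def icmp_to_array(icmp_type):
    """ICMP type given as a string -> 8 bits; missing field -> zeros (assumed)."""
    if icmp_type in ("", None):
        return [0] * 8
    value = int(icmp_type)
    if not 0 <= value <= 0xFF:
        raise ValueError("icmp type out of range: %r" % (icmp_type,))
    return to_bits(value, 8)


def normalize_array(array):
    """Bit features already lie in [0, 1]; only cast to float for the model."""
    return [float(x) for x in array]


def packet_extract(ip_src, ip_dst, tcp_srcport, udp_srcport,
                   tcp_dstport, udp_dstport, icmp_type):
    """One packet's header fields -> one fixed-width feature row."""
    row = (ip_to_array(ip_src) + ip_to_array(ip_dst)
           + port_to_array(tcp_srcport) + port_to_array(udp_srcport)
           + port_to_array(tcp_dstport) + port_to_array(udp_dstport)
           + icmp_to_array(icmp_type))
    return normalize_array(row)


def build_feature_matrix(packets):
    """List of header-field dicts -> feature matrix, one row per packet."""
    return [packet_extract(**pkt) for pkt in packets]


# Constructed sample headers (documentation address ranges), not captured traffic.
SAMPLE_PACKETS = [
    {"ip_src": "198.51.100.23", "ip_dst": "192.0.2.10", "tcp_srcport": "40312",
     "udp_srcport": "", "tcp_dstport": "80", "udp_dstport": "", "icmp_type": ""},
    {"ip_src": "203.0.113.7", "ip_dst": "192.0.2.10", "tcp_srcport": "",
     "udp_srcport": "4444", "tcp_dstport": "", "udp_dstport": "53", "icmp_type": ""},
]

if __name__ == "__main__":
    matrix = build_feature_matrix(SAMPLE_PACKETS)
    print(len(matrix), "rows of", len(matrix[0]), "features")
```

Encoding a missing port as zeros makes it indistinguishable from port 0, so a model that has to tell the two apart needs an extra presence bit per field.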
Method embodiment
According to an embodiment of the present invention, a deep learning based DDoS defense method in SDN is provided. Fig. 2 shows the flow chart of deep learning based DDoS defense in SDN according to the embodiment, Fig. 3 is the packet feature statistics flow chart of the information statistics module, and Fig. 4 is the flow table generation flow chart of the flow table generation module. In this embodiment, the deep learning based DDoS defense method in SDN is as follows:
1) According to the input requirements of the deep learning DDoS detection module (Deep Learning DDoS Detector), the feature extraction module (Features Extraction) performs feature extraction on all packets input to the OpenFlow switch, builds a feature matrix, and outputs it to the deep learning DDoS detection module (Deep Learning DDoS Detector);
2) Using the features processed by the feature extraction module (Features Extraction) and the trained deep learning model, the deep learning DDoS detection module (Deep Learning DDoS Detector) detects whether a packet currently input to the OpenFlow switch is an attack packet. If so, the attack packet is handed to the information statistics module (Information Statistics); otherwise, nothing is done;
3) Through the model update module (Model Updater), the administrator judges whether the detection accuracy of the current model is below the threshold P (P=0.97). If so, the model is updated and adjusted; otherwise, nothing is done;
4) Within the time interval period T set by the administrator, the information statistics module (Information Statistics) gathers feature statistics on all attack packets, determines the feature weights {W} from the frequency with which each feature occurs in the attack packets, and hands the relevant feature information and weights to the flow table generation module (Flow Table Generator);
4.1) Set the attack packet counter to 0 and reset the timer, with period T;
4.2) Sort the extracted packet features by the values of their respective total counters. If the ordering is unchanged between two consecutive rounds, determine the weights {W} of the corresponding features from the frequencies given by the counter values; otherwise, go to step 4.3);
4.3) Determine the frequency of each feature from the new ordering: the larger a feature's counter value, the larger its frequency;
4.4) If a frequency is below the threshold Q (Q=0.04), discard the attack packet feature corresponding to that frequency, and determine the number N of remaining attack packet features;
4.5) From the frequencies {P} obtained by the statistics, the larger the frequency, the larger the weight of the corresponding feature; the weight of each feature is determined in turn according to (where n=0 denotes the weight of the largest feature and ε is a positive number, taken as 0,01), which determines the feature weights {W};
5) Based on the weights {W} of the corresponding features counted by the information statistics module (Information Statistics), the flow table generation module (Flow Table Generator) produces flow table entries that discard packets having those features, together with the priorities of these entries;
5.1) Extract the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address and IP destination address corresponding to the feature items of the attack packets in the information statistics module, and determine the flow table entries;
5.2) Sum the weights of the feature items corresponding to each attack packet; the largest result gives the corresponding flow table entry the highest priority;
6) The flow table generation module (Flow Table Generator) issues the newly produced flow table entries to the OpenFlow switch;
6.1) Restart the timer with period T and set the attack packet counter to 0;
6.2) Judge whether the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address, IP destination address and flow table entry priority corresponding to the feature items of this round's attack packets are the same as those of the flow table entries already issued. If they are the same, do nothing; otherwise, go to step 6.3);
6.3) Following the OpenFlow flow table entry structure, fill the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address and IP destination address corresponding to the feature items of the attack packets into the match fields of the flow table entry;
6.4) The instruction set of the flow table entry includes an instruction that modifies the action set; set the action set instruction to Drop;
6.5) Fill in the remaining fields of the flow table entry and generate the flow table;
7) The OpenFlow switch executes the flow table instructions issued by the flow table generation module (Flow Table Generator) and discards the packets currently entering the OpenFlow switch.
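Steps 4) to 6) carried through on a constructed batch of attack packets, as an added example that is not code from the patent. The weight formula of step 4.5) is not legible on this page, so the example assumes each surviving feature's weight equals its relative frequency; the mapping from weight sum to a 16-bit OpenFlow priority, BASE_PRIORITY, and the dict layout of a flow entry are also assumptions, with match keys borrowed from OpenFlow 1.3 field names.

```python
from collections import Counter

Q = 0.04               # frequency threshold Q given in step 4.4)
BASE_PRIORITY = 1000   # assumed floor for generated entries (hypothetical)
FIELDS = ("ipv4_src", "ipv4_dst", "tcp_src", "tcp_dst", "udp_src", "udp_dst")


def sample_attack_packets():
    """Constructed sample: 50 TCP packets with distinct spoofed sources and
    30 UDP packets from one host, all sent to 192.0.2.10."""
    tcp = [{"ipv4_src": "198.51.100.%d" % (i + 1), "ipv4_dst": "192.0.2.10",
            "tcp_src": 1024 + i, "tcp_dst": 80} for i in range(50)]
    udp = [{"ipv4_src": "203.0.113.7", "ipv4_dst": "192.0.2.10",
            "udp_src": 4444, "udp_dst": 53} for _ in range(30)]
    return tcp + udp


def feature_statistics(attack_packets, q=Q):
    """Steps 4.1)-4.5): count every (field, value) feature seen in one period,
    discard features whose frequency is below q, return {feature: weight}.
    Assumption: weight = relative frequency (monotonic in frequency)."""
    total = len(attack_packets)
    if total == 0:
        return {}
    counts = Counter((f, pkt[f]) for pkt in attack_packets
                     for f in FIELDS if pkt.get(f) is not None)
    return {feat: n / total for feat, n in counts.items() if n / total >= q}


def match_key(match):
    """Hashable form of a match dict, used to compare entries."""
    return tuple(sorted(match.items()))


def build_flow_entries(attack_packets, weights):
    """Steps 5.1)-5.2) and 6.3)-6.5): one drop entry per distinct set of
    surviving features; priority grows with the sum of feature weights."""
    entries = {}
    for pkt in attack_packets:
        kept = {f: pkt[f] for f in FIELDS if (f, pkt.get(f)) in weights}
        if not kept:
            continue  # every feature of this packet fell below Q
        # OpenFlow 1.3 prerequisites: IPv4 fields need eth_type 0x0800,
        # L4 port fields need the matching ip_proto.
        match = {"eth_type": 0x0800}
        if "tcp_src" in kept or "tcp_dst" in kept:
            match["ip_proto"] = 6
        elif "udp_src" in kept or "udp_dst" in kept:
            match["ip_proto"] = 17
        match.update(kept)
        score = sum(weights[(f, v)] for f, v in kept.items())
        priority = min(0xFFFF, BASE_PRIORITY + round(score * 1000))
        # An empty instruction list means no output action: the packet is dropped.
        entries[match_key(match)] = {"match": match, "priority": priority,
                                     "instructions": []}
    return sorted(entries.values(), key=lambda e: e["priority"], reverse=True)


def entries_to_issue(entries, installed):
    """Step 6.2): skip entries whose match and priority were already issued.
    `installed` is a set of (match_key, priority) pairs."""
    return [e for e in entries
            if (match_key(e["match"]), e["priority"]) not in installed]


if __name__ == "__main__":
    packets = sample_attack_packets()
    for entry in build_flow_entries(packets, feature_statistics(packets)):
        print(entry)
```

In the constructed sample the spoofed source addresses and ports fall below Q, so the TCP entry matches only the victim's address and port 80 and would also drop legitimate traffic to that service; entries this broad are worth reviewing before they are issued.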

Claims (7)

1. A deep learning based DDoS defense device in SDN, characterized in that it comprises a feature extraction module (Features Extraction), a deep learning DDoS detection module (Deep Learning DDoS Detector), a model update module (Model Updater), an information statistics module (Information Statistics) and a flow table generation module (Flow Table Generator), wherein:
1) Feature extraction module (Features Extraction): performs feature extraction on all packets entering the OpenFlow switch and builds a feature matrix that meets the input requirements of the deep learning DDoS detection module (Deep Learning DDoS Detector);
2) Deep learning DDoS detection module (Deep Learning DDoS Detector): uses the trained deep learning model to learn from the features processed by the feature extraction module (Features Extraction) and detects whether a packet currently input to the OpenFlow switch is an attack packet;
3) Information statistics module (Information Statistics): extracts the features of the detected attack packets and counts the frequency with which these features occur;
4) Flow table generation module (Flow Table Generator): based on the feature statistics from the information statistics module (Information Statistics), determines the flow table entries that discard each class of attack packet, together with their priorities, and issues them to the OpenFlow switch;
5) Model update module (Model Updater): updates the deep learning model of the deep learning DDoS detection module (Deep Learning DDoS Detector).
2. A deep learning based DDOS defence method in SDN, characterised in that it comprises the following steps:
1) according to the input requirements of the deep learning DDoS detection module (Deep Learning DDoS Detector), the feature extraction module (Features Extraction) performs feature extraction on all input packets of the OpenFlow switch, builds a feature matrix, and outputs it to the deep learning DDoS detection module (Deep Learning DDoS Detector);
2) the deep learning DDoS detection module (Deep Learning DDoS Detector) takes the features processed by the feature extraction module (Features Extraction) and, using the trained deep learning model, detects whether the packets currently input to the OpenFlow switch are attack packets; if so, the attack packets are handed to the information statistics module (Information Statistics), otherwise nothing is done;
3) the information statistics module (Information Statistics) gathers feature statistics on all attack packets within the time interval period T set by the administrator, determines the feature weights {W} from the frequency with which each feature occurs in the attack packets, and hands the relevant feature information and weights to the flow table generation module (Flow Table Generator);
4) the flow table generation module (Flow Table Generator), according to the weights {W} of the corresponding features counted by the information statistics module (Information Statistics), produces flow table entries that can discard packets having those features, together with the priorities of these flow table entries;
5) the flow table generation module (Flow Table Generator) issues the newly produced flow table entries to the OpenFlow switch;
6) the OpenFlow switch executes the flow table instructions issued by the flow table generation module (Flow Table Generator) and discards the packets currently entering the OpenFlow switch.
3. The deep learning based DDOS defence method in SDN according to claim 2, characterised in that the deep learning model of the deep learning DDoS detection module (Deep Learning DDoS Detector) can be updated dynamically by the model update module (Module Updater).
4. The deep learning based DDOS defence method in SDN according to claim 3, characterised in that the model update module (Module Updater) can receive the administrator's model update instruction over the network, and receive new model information over the network in order to perform the update.
5. The deep learning based DDOS defence method in SDN according to claim 2, characterised in that step 3) specifically comprises the following sub-steps:
3.1) set the attack packet counter to 0 and reset the timer, with period T;
3.2) sort the extracted packet features by their respective total counter values; if the ordering has not changed between the previous round and the current round, determine the corresponding feature weights {W} from the frequencies given by the counter values; otherwise go to step 3.3);
3.3) determine the frequency of each feature from the new ordering: the larger a feature's counter value, the larger its frequency;
3.4) for any frequency below the threshold Q, discard the attack packet feature corresponding to that frequency, and determine the number N of remaining attack packet features;
3.5) according to the frequencies {P} obtained from the statistics, the larger the frequency, the larger the weight of the corresponding feature; the weight of each feature is determined in turn according to (where n=0 denotes the weight of the largest feature, and ε is a positive number, taken as 0,01), which determines the feature weights {W}.
6. The deep learning based DDOS defence method in SDN according to claim 2, characterised in that step 4) specifically comprises the following sub-steps:
4.1) extract from the information statistics module the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address and IP destination address corresponding to the feature items of the attack packets, and determine the flow table entries;
4.2) sum the weights of the feature items corresponding to each attack packet; the attack packet with the largest sum gets the flow table entry with the highest priority.
7. The deep learning based DDOS defence method in SDN according to claim 2, characterised in that step 5) specifically comprises the following sub-steps:
5.1) the timer restarts timing, with period T, and the attack packet counter is set to 0;
5.2) determine whether the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address, IP destination address and flow table entry priority corresponding to the feature items of this round's attack packets are identical to those of the flow table entries already issued; if they are identical, do nothing, otherwise go to step 5.3);
5.3) following the OpenFlow flow table entry structure, fill the TCP source port, TCP destination port, UDP source port, UDP destination port, IP source address and IP destination address corresponding to the feature items of the attack packets into the match fields of the flow table entry;
5.4) the instruction set of the flow table entry contains an instruction that modifies the action set; set the action set instruction to Drop;
5.5) fill in the remaining fields of the flow table entry and generate the flow table.
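The statistics and flow-entry steps of claims 5 to 7, sketched as an added Python example that is not part of the patent. The weight formula of step 3.5 is not reproduced: the example assumes each feature's weight equals its frequency, builds each match from the features that survive the threshold Q, and uses constructed field names, `base_priority` and sample packets.

```python
from collections import Counter

# Match fields named in claims 6 and 7 (OpenFlow OXM-style names).
FIELDS = ("ipv4_src", "ipv4_dst", "tcp_src", "tcp_dst", "udp_src", "udp_dst")

def feature_weights(attack_pkts, q):
    """Claim 5: count every (field, value) item seen in one period T and
    discard items whose frequency is below the threshold Q."""
    counts = Counter((f, p[f]) for p in attack_pkts for f in FIELDS if f in p)
    total = len(attack_pkts)
    # Assumption: the weight is the frequency itself, so a higher frequency
    # always yields a higher weight; the patent's own formula is not used.
    return {item: n / total for item, n in counts.items() if n / total >= q}

def drop_entries(attack_pkts, q, installed=(), base_priority=1000):
    """Claims 6-7: build drop entries, ranked by the sum of feature weights."""
    w = feature_weights(attack_pkts, q)
    scored = {}
    for p in attack_pkts:
        match = tuple(sorted((f, p[f]) for f in FIELDS if (f, p.get(f)) in w))
        if match:
            scored[match] = sum(w[item] for item in match)
    entries = []
    ranked = sorted(scored.items(), key=lambda kv: (kv[1], kv[0]))
    for rank, (match, _) in enumerate(ranked):
        # An empty action list is how OpenFlow expresses "drop". Prerequisite
        # fields (eth_type, ip_proto) belong to step 5.5 and are omitted here.
        entry = {"priority": base_priority + rank, "match": dict(match), "actions": []}
        if entry not in installed:  # step 5.2: skip entries already issued
            entries.append(entry)
    return entries

# Constructed sample: attack packets the detector flagged during one period T.
SAMPLE = (
    [{"ipv4_src": f"198.51.100.{i}", "ipv4_dst": "192.0.2.10",
      "tcp_src": 40000 + i, "tcp_dst": 80} for i in range(1, 7)]
    + [{"ipv4_src": "203.0.113.7", "ipv4_dst": "192.0.2.10",
        "udp_src": 53, "udp_dst": 50000 + i} for i in range(4)]
)

if __name__ == "__main__":
    for e in drop_entries(SAMPLE, q=0.3):
        print(e)
```

With Q = 0.3 the per-packet source addresses and ephemeral ports are discarded, so one resulting entry matches every TCP packet to port 80 on the destination; the choice of Q therefore decides how much legitimate traffic a drop entry can also match.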
CN201611027774.9A 2016-11-17 2016-11-17 DDOS defence installation and method based on deep learning in a kind of SDN Active CN106534133B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611027774.9A CN106534133B (en) 2016-11-17 2016-11-17 DDOS defence installation and method based on deep learning in a kind of SDN

Publications (2)

Publication Number Publication Date
CN106534133A true CN106534133A (en) 2017-03-22
CN106534133B CN106534133B (en) 2019-10-29

Family

ID=58352783

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611027774.9A Active CN106534133B (en) 2016-11-17 2016-11-17 DDOS defence installation and method based on deep learning in a kind of SDN

Country Status (1)

Country Link
CN (1) CN106534133B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102801697A (en) * 2011-12-20 2012-11-28 北京安天电子设备有限公司 Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
STEFAN SEUFERT et al.: "Machine Learning for Automatic Defence against Distributed Denial of Service Attacks", 《2007 IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS》 *
ZHANG YANG: "Research on SDN-based DDoS attack detection and protection mechanisms", 《Electronic Test》 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107122658A (en) * 2017-05-08 2017-09-01 四川长虹电器股份有限公司 Database system of defense and method with autolearn feature
CN108123931A (en) * 2017-11-29 2018-06-05 浙江工商大学 Ddos attack defence installation and method in a kind of software defined network
CN109040113A (en) * 2018-09-04 2018-12-18 海南大学 Detecting method of distributed denial of service attacking and device based on Multiple Kernel Learning
CN109040113B (en) * 2018-09-04 2021-03-19 海南大学 Distributed denial of service attack detection method and device based on multi-core learning
CN109768981B (en) * 2019-01-20 2021-02-02 北京工业大学 Network attack defense method and system based on machine learning under SDN architecture
CN109768981A (en) * 2019-01-20 2019-05-17 北京工业大学 A kind of network attack defence method and system under SDN framework based on machine learning
CN109831428A (en) * 2019-01-29 2019-05-31 内蒙古大学 SDN network attack detecting and the method and apparatus of defence
CN109831428B (en) * 2019-01-29 2021-04-20 内蒙古大学 SDN network attack detection and defense method and device
CN110247893A (en) * 2019-05-10 2019-09-17 中国联合网络通信集团有限公司 A kind of data transmission method and SDN controller
CN110247893B (en) * 2019-05-10 2021-07-13 中国联合网络通信集团有限公司 Data transmission method and SDN controller
CN112653675A (en) * 2020-12-12 2021-04-13 海南师范大学 Intelligent intrusion detection method and device based on deep learning
CN113079158A (en) * 2021-04-01 2021-07-06 南京微亚讯信息科技有限公司 Network big data security protection method based on deep learning
CN113079158B (en) * 2021-04-01 2022-01-11 南京微亚讯信息科技有限公司 Network big data security protection method based on deep learning
CN113194071A (en) * 2021-04-02 2021-07-30 华南理工大学 Method, system and medium for detecting DDoS (distributed denial of service) based on unsupervised deep learning in SDN (software defined network)

Also Published As

Publication number Publication date
CN106534133B (en) 2019-10-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant