CN108718297A - Ddos attack detection method, device, controller and medium based on BP neural network - Google Patents

Info

Publication number: CN108718297A
Application number: CN201810395789.3A
Authority: CN (China)
Prior art keywords: neural network, ddos attack, flow table, attack detection, network model
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 熊常春
Current assignee: Guangzhou Vcmy Technology Co Ltd
Original assignee: Guangzhou Vcmy Technology Co Ltd
Application filed by Guangzhou Vcmy Technology Co Ltd
Priority to CN201810395789.3A
Publication of CN108718297A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a DDoS attack detection method, device, SDN cloud network controller and computer-readable storage medium based on a BP (back-propagation) neural network. The method includes the following steps: periodically sending a flow table collection request to the switch, to collect the latest flow table information the switch returns; computing, from the collected flow table information, at least one feature required for DDoS attack detection; activating the BP neural network model when the value of any one of the features is detected to exceed a preset feature threshold; and performing DDoS attack detection on the at least one feature according to the BP neural network model and the distribution pattern of legitimate data and attack data obtained by training that model, so as to output the detection result. The method achieves efficient and accurate detection of DDoS attacks in an SDN environment.

Description

Ddos attack detection method, device, controller and medium based on BP neural network
Technical field
The present invention relates to the field of communication technology, and in particular to a DDoS attack detection method, device, SDN cloud network controller and computer-readable storage medium based on a BP neural network.
Background technology
SDN (software-defined networking) is a new network architecture that separates the network control plane from the data plane. Compared with the traditional network architecture, SDN has clear advantages in programmability, hardware generality and management and control mode. The control plane consists mainly of the controller, which connects the underlying switching equipment with upper-layer applications; the data plane is implemented by the switches and is mainly responsible for high-speed forwarding of data.
With the wide deployment of SDN, its security has attracted broad attention. Because the control plane and the data plane are decoupled in the SDN architecture, the whole network goes out of control once the connection between switches and controller fails; the security of the controller is therefore one of the keys to securing the entire SDN network. One of the main threats to controller security is the distributed denial of service (DDoS) attack, in which an attacker consumes the computing resources of the target through puppet hosts so that the target host can no longer serve legitimate users. In a DDoS attack the attacker first compromises some of the hosts inside the SDN and injects a large volume of forged, invalid traffic into the network, which eventually exhausts the controller's resources and prevents legitimate packets from being forwarded. Protecting switches against unauthorized access by an attacker, preventing the controller from being illegally taken over, and detecting DDoS attacks quickly and accurately are therefore pressing problems for SDN security research.
Summary of the invention
In view of the above problems, the purpose of the present invention is to provide a DDoS attack detection method, device, SDN cloud network controller and computer-readable storage medium based on a BP neural network that effectively detect DDoS attacks in an SDN environment.
In a first aspect, an embodiment of the present invention provides a DDoS attack detection method based on a BP neural network, which is executed by an SDN cloud network controller and includes the following steps:
periodically sending a flow table collection request to the switch, to collect the latest flow table information the switch returns;
computing, from the collected flow table information, at least one feature required for DDoS attack detection;
activating the BP neural network model when the value of any one of the features is detected to exceed a preset feature threshold;
performing DDoS attack detection on the at least one feature according to the BP neural network model and the distribution pattern of legitimate data and attack data obtained by training that model, so as to output the detection result.
In a first implementation of the first aspect, the latest flow table information includes the information corresponding to each flow entry for the match fields eth_dst, eth_src, eth_type, vlan_vid, vlan_pcp, ip_dscp, ip_ecn, ip_proto, ipv4_src, ipv4_dst, tcp_src, tcp_dst, tcp_flags, udp_src, udp_dst, sctp_src, sctp_dst, icmpv4_type, icmpv4_code, arp_op, arp_spa, arp_tpa, arp_sha, arp_tha, ipv6_src, ipv6_dst, ipv6_flabel, icmpv6_type, icmpv6_code, ipv6_nd_target, ipv6_nd_sll, ipv6_nd_tll, mpls_label, mpls_tc, mpls_bos, pbb_isid, ipv6_exthdr and pbb_uca.
According to the first implementation of the first aspect, in a second implementation of the first aspect, the features include the mean number of packets per flow, the pair-flow ratio, port growth, source-IP growth, flow entry rate and flow table match success rate. Let the mean number of packets per flow be APF, where x_j is the number of packets in flow j within a given time interval and M is the number of all packets in that interval. Let the pair-flow ratio be PPF, with PPF = (2 × p - f) / f, where p is the number of pairs of interactive flows and f is the total number of flows.
In a third implementation of the first aspect, the method further includes:
when the detection result is attack, issuing an attack alert; the attack alert causes the controller to send a configuration change instruction to the firewall, to issue a flow table change instruction to the switch, and to discard the attack packets. The configuration change instruction causes the firewall to change its configuration so as to reduce attack traffic; the flow table change instruction causes the switch to change its flow entry match settings so that the switch stops accepting DDoS attack packets.
According to any of the above implementations of the first aspect, in a fourth implementation of the first aspect, the detection result is one of normal and attack.
According to the fourth implementation of the first aspect, in a fifth implementation of the first aspect, the BP neural network model includes an input layer, at least one hidden layer and an output layer;
during training of the BP neural network model, let the output of the hidden layer be H_j, where the number of input-layer nodes is n and 1 ≤ i ≤ n;
let the output of the output layer be O_k, where the number of hidden-layer nodes is l and 1 ≤ j ≤ l;
let the error be E, where the number of output-layer nodes is m, 1 ≤ k ≤ m, Y_k is the desired output, and write e_k = Y_k - O_k;
the weights from the input layer to the hidden layer are updated with learning rate η;
the weights from the hidden layer to the output layer are updated as w_jk = w_jk + η H_j e_k;
the biases from the input layer to the hidden layer are updated;
the biases from the hidden layer to the output layer are updated as b_k = b_k + η e_k;
the activation function is the Sigmoid function.
According to the fifth implementation of the first aspect, in a sixth implementation of the first aspect, performing DDoS attack detection on the at least one feature according to the BP neural network model and the distribution pattern of legitimate data and attack data obtained by training it, so as to output the detection result, specifically comprises:
inputting the at least one feature into the BP neural network model through its input layer, according to the distribution pattern of legitimate data and attack data obtained by training the BP neural network;
performing feature computation on the feature through the hidden layer of the BP neural network model;
outputting the result of the feature computation through the output layer of the BP neural network model, and judging from that result whether a DDoS attack exists.
In a second aspect, an embodiment of the present invention provides a DDoS attack detection device based on a BP neural network, including:
a flow table collection module, for periodically sending a flow table collection request to the switch, to collect the latest flow table information the switch returns;
a feature computation module, for computing, from the collected flow table information, at least one feature required for DDoS attack detection;
a BP neural network model activation module, for activating the BP neural network model when the value of any one of the features is detected to exceed a preset feature threshold;
an attack detection module, for performing DDoS attack detection on the at least one feature according to the BP neural network model and the distribution pattern of legitimate data and attack data obtained by training it, so as to output the detection result.
In a first implementation of the second aspect, the latest flow table information includes the information corresponding to each flow entry for the match fields eth_dst, eth_src, eth_type, vlan_vid, vlan_pcp, ip_dscp, ip_ecn, ip_proto, ipv4_src, ipv4_dst, tcp_src, tcp_dst, tcp_flags, udp_src, udp_dst, sctp_src, sctp_dst, icmpv4_type, icmpv4_code, arp_op, arp_spa, arp_tpa, arp_sha, arp_tha, ipv6_src, ipv6_dst, ipv6_flabel, icmpv6_type, icmpv6_code, ipv6_nd_target, ipv6_nd_sll, ipv6_nd_tll, mpls_label, mpls_tc, mpls_bos, pbb_isid, ipv6_exthdr and pbb_uca.
According to the first implementation of the second aspect, in a second implementation of the second aspect, the features include the mean number of packets per flow, the pair-flow ratio, port growth, source-IP growth, flow entry rate and flow table match success rate. Let the mean number of packets per flow be S1, where x_j is the number of packets in flow j within a given time interval and M is the number of all packets in that interval. Let the pair-flow ratio be S2, with S2 = (2 × p - f) / f, where p is the number of pairs of interactive flows and f is the total number of flows.
In a third implementation of the second aspect, the device further includes:
an attack processing module, for issuing an attack alert when the detection result is attack; the attack alert causes the controller to send a configuration change instruction to the firewall, to issue a flow table change instruction to the switch, and to discard the attack packets. The configuration change instruction causes the firewall to change its configuration so as to reduce attack traffic; the flow table change instruction causes the switch to change its flow entry match settings.
According to any of the above implementations of the second aspect, in a fourth implementation of the second aspect, the detection result is one of normal and attack.
According to the fourth implementation of the second aspect, in a fifth implementation of the second aspect, the BP neural network model includes an input layer, at least one hidden layer and an output layer;
during training of the BP neural network model, let the output of the hidden layer be H_j, where the number of input-layer nodes is n and 1 ≤ i ≤ n;
let the output of the output layer be O_k, where the number of hidden-layer nodes is l and 1 ≤ j ≤ l;
let the error be E, where the number of output-layer nodes is m, 1 ≤ k ≤ m, Y_k is the desired output, and write e_k = Y_k - O_k;
the weights from the input layer to the hidden layer are updated with learning rate η;
the weights from the hidden layer to the output layer are updated as w_jk = w_jk + η H_j e_k;
the biases from the input layer to the hidden layer are updated;
the biases from the hidden layer to the output layer are updated as b_k = b_k + η e_k;
the activation function is the Sigmoid function.
According to the fifth implementation of the second aspect, in a sixth implementation of the second aspect, the attack detection module specifically includes:
an input unit, for inputting the at least one feature into the BP neural network model through its input layer, according to the distribution pattern of legitimate data and attack data obtained by training the BP neural network;
a hidden-layer computation unit, for performing feature computation on the feature through the hidden layer of the BP neural network model;
an output unit, for outputting the result of the feature computation through the output layer of the BP neural network model, so that whether a DDoS attack exists is judged from that result.
In a third aspect, an embodiment of the present invention provides an SDN cloud network controller including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor; when executing the computer program, the processor implements any of the BP-neural-network-based DDoS attack detection methods described above.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, characterized in that it includes a stored computer program, wherein, when the computer program runs, it controls the device on which the computer-readable storage medium resides to execute any of the BP-neural-network-based DDoS attack detection methods described above.
The embodiments of the present invention provide a DDoS attack detection method, device, SDN cloud network controller and computer-readable storage medium based on a BP neural network, with the following beneficial effects:
A flow table collection request is periodically sent to the switch to collect the latest flow table information the switch returns; at least one feature required for DDoS attack detection is then computed from the collected flow table information; when the value of any one feature is detected to exceed a preset feature threshold, the BP neural network model is activated, and DDoS attack detection is performed on the at least one feature according to the model and the distribution pattern of legitimate data and attack data obtained by training it, so as to output the detection result. Extracting and fully analyzing the key attributes of flows under the SDN architecture in this way effectively detects DDoS attacks in an SDN environment with more accurate detection results, ensuring normal operation of the SDN-based system.
Description of the drawings
In order to explain the technical solution of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the DDoS attack detection method based on a BP neural network provided by the first embodiment of the invention.
Fig. 2 is a structural diagram of the DDoS attack detection device based on a BP neural network provided by the third embodiment of the invention.
Detailed description
The technical solution in the embodiments of the present invention will be described clearly and completely below in combination with the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, the first embodiment of the invention provides a DDoS attack detection method based on a BP neural network, which can be executed by an SDN cloud network controller and includes the following steps:
S11: periodically send a flow table collection request to the switch, to collect the latest flow table information the switch returns.
In an embodiment of the present invention, the BP neural network model includes an input layer, at least one hidden layer and an output layer. During training of the model, let the output of the hidden layer be H_j, where the number of input-layer nodes is n and 1 ≤ i ≤ n; let the output of the output layer be O_k, where the number of hidden-layer nodes is l and 1 ≤ j ≤ l; let the error be E, where the number of output-layer nodes is m, 1 ≤ k ≤ m, Y_k is the desired output, and write e_k = Y_k - O_k. The weights from the input layer to the hidden layer are updated with learning rate η; the weights from the hidden layer to the output layer are updated as w_jk = w_jk + η H_j e_k; the biases from the input layer to the hidden layer are updated; the biases from the hidden layer to the output layer are updated as b_k = b_k + η e_k; the activation function is the Sigmoid function.
In an embodiment of the present invention, flow table information is collected mainly through the OpenFlow protocol. The SDN cloud network controller periodically sends a flow table collection request to the switch; the switch answers each periodic request by returning the latest flow table information for that period, which includes the information corresponding to each flow entry for the match fields eth_dst, eth_src, eth_type, vlan_vid, vlan_pcp, ip_dscp, ip_ecn, ip_proto, ipv4_src, ipv4_dst, tcp_src, tcp_dst, tcp_flags, udp_src, udp_dst, sctp_src, sctp_dst, icmpv4_type, icmpv4_code, arp_op, arp_spa, arp_tpa, arp_sha, arp_tha, ipv6_src, ipv6_dst, ipv6_flabel, icmpv6_type, icmpv6_code, ipv6_nd_target, ipv6_nd_sll, ipv6_nd_tll, mpls_label, mpls_tc, mpls_bos, pbb_isid, ipv6_exthdr and pbb_uca.
S12: compute, from the collected flow table information, at least one feature required for DDoS attack detection.
In an embodiment of the present invention, the SDN cloud network controller extracts and computes, from the 40 field values eth_dst, eth_src, eth_type, vlan_vid, vlan_pcp, ip_dscp, ip_ecn, ip_proto, ipv4_src, ipv4_dst, tcp_src, tcp_dst, tcp_flags, udp_src, udp_dst, sctp_src, sctp_dst, icmpv4_type, icmpv4_code, arp_op, arp_spa, arp_tpa, arp_sha, arp_tha, ipv6_src, ipv6_dst, ipv6_flabel, icmpv6_type, icmpv6_code, ipv6_nd_target, ipv6_nd_sll, ipv6_nd_tll, mpls_label, mpls_tc, mpls_bos, pbb_isid, ipv6_exthdr and pbb_uca of the collected flow table information, the 6 features required for DDoS attack detection, so that DDoS attacks can be detected quickly and accurately. The features are the mean number of packets per flow, the pair-flow ratio, port growth, source-IP growth, flow entry rate and flow table match success rate. The reasons for choosing these 6 quantities as features are explained below:
Mean number of packets per flow: the number of packets per flow differs between the normal state and the attacked state. An attack typically generates forged IP addresses continuously and at random, so flows are created faster and each flow carries fewer packets. Let the mean number of packets per flow be APF, where x_j is the number of packets in flow j within a given time interval and M is the number of all packets in that interval.
Pair-flow ratio: in the normal state flows exist to obtain or provide a service, so they are interactive; in the attack state the source IP addresses are forged, so no normal service can be provided in return. Let the pair-flow ratio be PPF, with PPF = (2 × p - f) / f, where p is the number of pairs of interactive flows and f is the total number of flows.
Port growth: in the normal state the growth rate of ports in the network is relatively stable; a DDoS attack generates port numbers at random, so the growth rate of ports increases significantly while an attack is in progress.
Source-IP growth: the primary characteristic of DDoS is source IP spoofing, that is, sending large numbers of packets with forged source IP addresses. During an attack the growth rate of source IP addresses within a fixed time increases dramatically, so the source-IP growth rate can serve as one attribute of the attack signature.
Flow entry rate: when an attack occurs, requests directed at a particular host in the network increase, so the number of flow entry requests for that host within a fixed time also increases; the flow entry rate therefore characterizes the attack.
Flow table match success rate: whenever a packet arrives at an OpenFlow switch, the switch performs a lookup and match operation, and the outcome relates to the number of new flows. When the flow table overflows and most flows are new, the match success rate drops sharply.
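The six features above can be computed directly from two consecutive flow-table snapshots. The following Python example is added here as an illustration and is not code from the patent or its applicant: the flow entries, packet counters and table-statistics counters are constructed; APF uses the plain mean over flows because the page's formula for it did not survive extraction; PPF follows the page's (2 × p - f) / f; and the growth, entry-rate and match-rate definitions (per-second growth of distinct values, matched lookups over all lookups, which OpenFlow table statistics report as matched_count and lookup_count) are this example's reading of the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed flow-table snapshots. Each entry carries the subset of the OpenFlow
# match fields named on the page that these six features need (ipv4_src, ipv4_dst,
# ip_proto, tcp_src, tcp_dst) plus the entry's packet counter.
FLOW_KEY = ("ipv4_src", "ipv4_dst", "ip_proto", "tcp_src", "tcp_dst")


def _entry(src: str, dst: str, sport: int, dport: int, packets: int, proto: int = 6) -> Dict:
    return {"ipv4_src": src, "ipv4_dst": dst, "ip_proto": proto,
            "tcp_src": sport, "tcp_dst": dport, "packet_count": packets}


# Previous polling period: two legitimate TCP conversations, both directions present.
PREV_FLOWS: List[Dict] = [
    _entry("10.0.0.2", "10.0.0.10", 40001, 80, 30),
    _entry("10.0.0.10", "10.0.0.2", 80, 40001, 28),
    _entry("10.0.0.3", "10.0.0.10", 40002, 443, 12),
    _entry("10.0.0.10", "10.0.0.3", 443, 40002, 11),
]
# Current period: the same conversations plus 40 single-packet flows from spoofed
# sources on random ports, none of which is answered (constructed flood sample).
CUR_FLOWS: List[Dict] = PREV_FLOWS + [
    _entry(f"198.51.100.{i}", "10.0.0.10", 1024 + i, 80, 1) for i in range(1, 41)
]


@dataclass
class Features:
    apf: float            # mean packets per flow
    ppf: float            # pair-flow ratio (2p - f) / f
    port_growth: float    # new distinct ports per second
    src_ip_growth: float  # new distinct source IPs per second
    entry_rate: float     # new flow entries per second
    match_rate: float     # matched lookups / all lookups


def _keys(flows: List[Dict]) -> Set[Tuple]:
    return {tuple(fl[k] for k in FLOW_KEY) for fl in flows}


def mean_packets_per_flow(flows: List[Dict]) -> float:
    """APF. The page defines x_j (packets of flow j in the interval) and M (all packets
    in the interval) but its formula did not survive extraction; the plain mean
    M / f over the f flows is this example's reading (assumption)."""
    m = sum(fl["packet_count"] for fl in flows)  # M = sum of all x_j
    return m / len(flows) if flows else 0.0


def pair_flow_ratio(flows: List[Dict]) -> float:
    """PPF = (2p - f) / f as given on the page: p is the number of interactive flow
    pairs (a flow whose reverse flow also exists), f the total number of flows.
    Ranges from -1 (nothing is answered) to 1 (every flow has its reverse)."""
    keys = _keys(flows)
    paired = sum(1 for (src, dst, proto, sp, dp) in keys if (dst, src, proto, dp, sp) in keys)
    p = paired // 2  # each pair was counted once from each of its two directions
    f = len(keys)
    return (2 * p - f) / f if f else 0.0


def extract_features(prev: List[Dict], cur: List[Dict], interval_s: float,
                     lookup_count: int, matched_count: int) -> Features:
    """Compute the page's six features from two consecutive snapshots plus the
    switch's table-statistics counters for the current period."""
    def distinct(flows, field):
        return {fl[field] for fl in flows}

    ports_prev = distinct(prev, "tcp_src") | distinct(prev, "tcp_dst")
    ports_cur = distinct(cur, "tcp_src") | distinct(cur, "tcp_dst")
    return Features(
        apf=mean_packets_per_flow(cur),
        ppf=pair_flow_ratio(cur),
        port_growth=(len(ports_cur) - len(ports_prev)) / interval_s,
        src_ip_growth=(len(distinct(cur, "ipv4_src")) - len(distinct(prev, "ipv4_src"))) / interval_s,
        entry_rate=(len(_keys(cur)) - len(_keys(prev))) / interval_s,
        match_rate=matched_count / lookup_count if lookup_count else 0.0,
    )


if __name__ == "__main__":
    # Constructed counters: a quiet period with every lookup matched, then a flood
    # period with 160 lookups of which only 120 hit an existing entry.
    print("quiet:", extract_features(PREV_FLOWS, PREV_FLOWS, 5.0, lookup_count=81, matched_count=81))
    print("flood:", extract_features(PREV_FLOWS, CUR_FLOWS, 5.0, lookup_count=160, matched_count=120))
```

On the constructed flood snapshot every feature moves the way the text predicts: APF falls from 20.25 to 2.75, PPF falls from 0 to about -0.91 because none of the 40 new flows is answered, the three growth and rate features jump from 0 to 8 per second, and the match rate drops from 1.0 to 0.75.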
S13: activate the BP neural network model when the value of any one of the features is detected to exceed a preset feature threshold.
In an embodiment of the present invention, the terminal device compares the value of each extracted flow feature with the corresponding flow feature threshold and activates the BP neural network model when the value of an extracted flow feature is detected to exceed its threshold. The BP neural network has a complete theoretical system and learning mechanism; the main idea of the algorithm is to adjust the weights between neurons repeatedly through cycles of forward and backward propagation, and to stop learning once the error meets the precision requirement. Activating the BP neural network model for DDoS attack detection only when the trigger condition is met makes comprehensive use of resources and avoids the resource waste and memory loss caused by passing data through the BP neural network model too frequently.
S14: perform DDoS attack detection on the at least one feature according to the BP neural network model and the distribution pattern of legitimate data and attack data obtained by training it, so as to output the detection result.
In an embodiment of the present invention, the SDN cloud network controller inputs the at least one feature into the BP neural network model through its input layer according to the distribution pattern of legitimate data and attack data obtained by training the model, performs feature computation on the feature through the hidden layer of the model, and outputs the result of the feature computation through the output layer, from which it judges whether a DDoS attack exists. The BP neural network model learns the distribution pattern of legitimate data and attack data through training on sample features, and that pattern is stored in the trained BP neural network. After the model has been activated, the SDN cloud network controller feeds the computed mean number of packets per flow, pair-flow ratio, port growth, source-IP growth, flow entry rate and flow table match success rate into the model; after computation in the hidden layer, the output layer yields the detection result, which is either normal or attack.
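Steps S13 and S14 together form a gated classifier: the BP model is trained once on legitimate and attack samples and is run only in a polling period in which some feature crosses its threshold. The Python example below is added here and is not the patent's or the applicant's code. It keeps the page's symbols (n, l, m, H_j, O_k, e_k, η, w_jk, b_k) and the page's output-layer rules w_jk = w_jk + η H_j e_k and b_k = b_k + η e_k; the input-to-hidden update and the form of E did not survive extraction, so standard back-propagation through the sigmoid and half the squared error are assumed. The feature thresholds and their alarm direction, the training samples, and the assumption that the caller has scaled the features to [0, 1] (PPF to [-1, 1]) are all constructed for the example.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

# The six features in the page's order, assumed here to be scaled by the caller to
# [0, 1] (PPF to [-1, 1], the range its definition gives). Thresholds and their alarm
# direction are constructed: the page leaves the preset thresholds open, and for APF,
# PPF and the match rate a drop (not a rise) is the suspicious sign.
FEATURE_NAMES = ["apf", "ppf", "port_growth", "src_ip_growth", "entry_rate", "match_rate"]
THRESHOLDS: Dict[str, Tuple[str, float]] = {
    "apf": ("below", 0.3), "ppf": ("below", -0.5), "port_growth": ("above", 0.5),
    "src_ip_growth": ("above", 0.5), "entry_rate": ("above", 0.5), "match_rate": ("below", 0.6),
}


def should_activate(features: Dict[str, float]) -> bool:
    """Step S13: the model runs only if any one feature crosses its threshold."""
    for name, (direction, limit) in THRESHOLDS.items():
        value = features[name]
        if (direction == "above" and value > limit) or (direction == "below" and value < limit):
            return True
    return False


def sigmoid(x: float) -> float:
    """The page's activation function, arranged so large |x| cannot overflow exp()."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    z = math.exp(x)
    return z / (1.0 + z)


class BPNetwork:
    """n inputs, l hidden nodes, m outputs; symbols follow the page."""
    def __init__(self, n: int, l: int, m: int, eta: float, seed: int = 0):
        rng = random.Random(seed)
        self.n, self.l, self.m, self.eta = n, l, m, eta
        self.w_ij = [[rng.uniform(-0.5, 0.5) for _ in range(l)] for _ in range(n)]
        self.b_j = [0.0] * l
        self.w_jk = [[rng.uniform(-0.5, 0.5) for _ in range(m)] for _ in range(l)]
        self.b_k = [0.0] * m

    def forward(self, x: Sequence[float]) -> Tuple[List[float], List[float]]:
        h = [sigmoid(sum(x[i] * self.w_ij[i][j] for i in range(self.n)) + self.b_j[j])
             for j in range(self.l)]                                   # H_j
        o = [sigmoid(sum(h[j] * self.w_jk[j][k] for j in range(self.l)) + self.b_k[k])
             for k in range(self.m)]                                   # O_k
        return h, o

    def train_step(self, x: Sequence[float], y: Sequence[float]) -> float:
        h, o = self.forward(x)
        e = [y[k] - o[k] for k in range(self.m)]  # e_k = Y_k - O_k, as on the page
        # Hidden-layer error signal: standard back-propagation through the sigmoid
        # (assumption; the page's input->hidden rule did not survive extraction).
        delta = [h[j] * (1.0 - h[j]) * sum(self.w_jk[j][k] * e[k] for k in range(self.m))
                 for j in range(self.l)]
        for j in range(self.l):                  # page: w_jk = w_jk + η H_j e_k
            for k in range(self.m):
                self.w_jk[j][k] += self.eta * h[j] * e[k]
        for k in range(self.m):                  # page: b_k = b_k + η e_k
            self.b_k[k] += self.eta * e[k]
        for i in range(self.n):
            for j in range(self.l):
                self.w_ij[i][j] += self.eta * x[i] * delta[j]
        for j in range(self.l):
            self.b_j[j] += self.eta * delta[j]
        return 0.5 * sum(ek * ek for ek in e)  # E taken as half the squared error (assumption)

    def fit(self, xs, ys, epochs: int) -> List[float]:
        """Trains sample by sample; returns the mean E of each epoch."""
        return [sum(self.train_step(x, y) for x, y in zip(xs, ys)) / len(xs) for _ in range(epochs)]

    def detect(self, x: Sequence[float]) -> str:
        """Step S14: the page's two outcomes, read off the single output node."""
        return "attack" if self.forward(x)[1][0] > 0.5 else "normal"


def make_samples(rng: random.Random, count: int):
    """Constructed training data mirroring the feature behaviour the page describes."""
    xs, ys = [], []
    for _ in range(count):
        xs.append([rng.uniform(0.6, 1.0), rng.uniform(0.0, 0.6), rng.uniform(0.0, 0.2),
                   rng.uniform(0.0, 0.2), rng.uniform(0.0, 0.2), rng.uniform(0.8, 1.0)])
        ys.append([0.0])  # legitimate period
        xs.append([rng.uniform(0.0, 0.3), rng.uniform(-1.0, -0.5), rng.uniform(0.6, 1.0),
                   rng.uniform(0.6, 1.0), rng.uniform(0.6, 1.0), rng.uniform(0.0, 0.4)])
        ys.append([1.0])  # flood period
    return xs, ys


def train_demo_network(seed: int = 0, epochs: int = 150) -> Tuple[BPNetwork, List[float]]:
    xs, ys = make_samples(random.Random(seed), 40)
    net = BPNetwork(n=6, l=8, m=1, eta=0.5, seed=seed)
    return net, net.fit(xs, ys, epochs)


def detect_period(net: BPNetwork, features: Dict[str, float]) -> str:
    """One polling period: the gate of S13, then the classifier of S14 only if it fired."""
    if not should_activate(features):
        return "skipped"
    return net.detect([features[name] for name in FEATURE_NAMES])
```

Usage: `net, history = train_demo_network()` trains the model once; `detect_period(net, dict(zip(FEATURE_NAMES, values)))` then returns "skipped" for a quiet period (the model never runs) and "normal" or "attack" for a period that tripped a threshold. The page's output-layer rule, which has no sigmoid-derivative factor, is exactly the gradient of the cross-entropy loss for a sigmoid output, which is why training it together with the standard hidden-layer rule converges cleanly on the constructed data.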
In conclusion first embodiment of the invention provides a kind of ddos attack detection method based on BP neural network, Request is collected by periodically sending flow table to interchanger, to collect the latest network flow table information that the interchanger is sent, then At least one characteristic element needed for ddos attack detection is calculated according to the latest network flow table information of collection, when detection is taken office When the characteristic value for a characteristic element of anticipating is more than default characteristic threshold value, BP neural network model is activated, according to BP nerves The arrangement regulation of valid data that network model and the BP neural network training pattern obtain and attack data, to it is described at least One characteristic element carries out ddos attack detection, to export the testing result of ddos attack detection, extracts and analyze comprehensively SDN frameworks The determinant attribute of down-off effectively detects the ddos attack in SDN environment, and testing result is more accurate, it is ensured that it is based on SDN is The normal operation of system.
In order to facilitate understanding of the present invention, some preferred embodiments of the present invention are further described below.
Second embodiment of the invention:
On the basis of the first embodiment, the method further includes:
when the detection result is attack, issuing an attack alert; the attack alert causes the controller to send a configuration change instruction to the firewall, to issue a flow table change instruction to the switch, and to discard the attack packets. The configuration change instruction causes the firewall to change its configuration so as to reduce attack traffic; the flow table change instruction causes the switch to change its flow entry match settings so that the switch stops accepting DDoS attack packets.
In an embodiment of the present invention, when the detection result is attack, the SDN cloud network controller issues a configuration change instruction to the firewall so that the firewall changes its configuration and reduces attack traffic, and at the same time issues a flow table change instruction to the switch so that the switch changes its flow entry match settings, limits the flow table rate through meter tables, and discards the attack packets.
Referring to Fig. 2, the third embodiment of the invention provides a DDoS attack detection device based on a BP neural network, including:
a flow table collection module 11, for periodically sending a flow table collection request to the switch, to collect the latest flow table information the switch returns;
a feature computation module 12, for computing, from the collected flow table information, at least one feature required for DDoS attack detection;
a BP neural network model activation module 13, for activating the BP neural network model when the value of any one of the features is detected to exceed a preset feature threshold;
an attack detection module 14, for performing DDoS attack detection on the at least one feature according to the BP neural network model and the distribution pattern of legitimate data and attack data obtained by training it, so as to output the detection result.
In a first implementation of the third embodiment, the latest flow table information includes the information corresponding to each flow entry for the match fields eth_dst, eth_src, eth_type, vlan_vid, vlan_pcp, ip_dscp, ip_ecn, ip_proto, ipv4_src, ipv4_dst, tcp_src, tcp_dst, tcp_flags, udp_src, udp_dst, sctp_src, sctp_dst, icmpv4_type, icmpv4_code, arp_op, arp_spa, arp_tpa, arp_sha, arp_tha, ipv6_src, ipv6_dst, ipv6_flabel, icmpv6_type, icmpv6_code, ipv6_nd_target, ipv6_nd_sll, ipv6_nd_tll, mpls_label, mpls_tc, mpls_bos, pbb_isid, ipv6_exthdr and pbb_uca.
According to the first implementation of the third embodiment, in a second implementation of the third embodiment, the features include the mean number of packets per flow, the pair-flow ratio, port growth, source-IP growth, flow entry rate and flow table match success rate. Let the mean number of packets per flow be S1, where x_j is the number of packets in flow j within a given time interval and M is the number of all packets in that interval. Let the pair-flow ratio be S2, with S2 = (2 × p - f) / f, where p is the number of pairs of interactive flows and f is the total number of flows.
A third implementation of the third embodiment further includes:
Attack handling module, which issues an attack warning when the detection result is attack. The attack warning causes the controller to send a configuration change instruction to the firewall, to issue a flow table change instruction to the switch, and to drop the attack packets; the configuration change instruction makes the firewall change its configuration to reduce attack traffic; the flow table change instruction makes the switch change its flow table match settings.
According to any of the above implementations of the third embodiment, in a fourth implementation the detection result is either normal or attack.
According to the fourth implementation of the third embodiment, in a fifth implementation the BP neural network model includes an input layer, at least one hidden layer and an output layer.
During training of the BP neural network model, let the output of hidden node $j$ be $H_j$, where the input layer has $n$ nodes and $1 \le i \le n$.
Let the output of output node $k$ be $O_k$, where the hidden layer has $l$ nodes and $1 \le j \le l$.
Let the error be $E$, where the output layer has $m$ nodes, $1 \le k \le m$, and $Y_k$ is the desired output; write $e_k = Y_k - O_k$.
Weight update from the input layer to the hidden layer, with learning rate $\eta$.
Weight update from the hidden layer to the output layer: $w_{jk} = w_{jk} + \eta H_j e_k$.
Bias update from the input layer to the hidden layer.
Bias update from the hidden layer to the output layer: $b_k = b_k + \eta e_k$.
The activation function is the sigmoid function.
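The training rules above (restated word for word in claim 6), as an added example in Python that is not the patent's code: a network with one sigmoid hidden layer and a linear output layer, trained online with the hidden-to-output updates exactly as the page gives them, $w_{jk} \leftarrow w_{jk} + \eta H_j e_k$ and $b_k \leftarrow b_k + \eta e_k$. The page's input-to-hidden weight and bias updates are not reproduced, so those use the standard backpropagation gradients for a sigmoid hidden layer with $E = \tfrac{1}{2}\sum_k e_k^2$; that form of $E$ and of the hidden-layer updates is an assumption, chosen because it is the one consistent with the derivative-free output-layer rules the page states. The two-feature training set with normal/attack labels is constructed.

```python
"""BP network with the layer structure and update rules the patent describes.
Added example, not the patent's code; the lead-in says which rules are the page's and which are assumed."""
import math
import random


def sigmoid(x):
    """Activation ("excitation") function used in the hidden layer."""
    return 1.0 / (1.0 + math.exp(-x))


class BPNetwork:
    """Input layer (n nodes) -> sigmoid hidden layer (l nodes) -> linear output layer (m nodes)."""

    def __init__(self, n_in, n_hidden, n_out, eta=0.1, seed=0):
        rng = random.Random(seed)           # fixed seed keeps the example reproducible
        self.eta = eta                      # learning rate eta
        self.w_ij = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.a_j = [0.0] * n_hidden         # hidden-layer biases
        self.w_jk = [[rng.uniform(-0.5, 0.5) for _ in range(n_out)] for _ in range(n_hidden)]
        self.b_k = [0.0] * n_out            # output-layer biases

    def forward(self, x):
        """Returns (H, O): hidden outputs H_j and output-layer outputs O_k."""
        h = [sigmoid(sum(x[i] * self.w_ij[i][j] for i in range(len(x))) + self.a_j[j])
             for j in range(len(self.a_j))]
        o = [sum(h[j] * self.w_jk[j][k] for j in range(len(h))) + self.b_k[k]
             for k in range(len(self.b_k))]
        return h, o

    def train_step(self, x, y):
        """One BP update on a single (features, desired output) pair; returns the sample error."""
        h, o = self.forward(x)
        e = [y[k] - o[k] for k in range(len(o))]                  # e_k = Y_k - O_k
        # Hidden deltas are taken from the *old* w_jk before the output layer is updated.
        # Assumed form (standard BP for a sigmoid hidden layer); the page's own expressions are absent.
        delta = [h[j] * (1.0 - h[j]) * sum(self.w_jk[j][k] * e[k] for k in range(len(e)))
                 for j in range(len(h))]
        # Hidden -> output, exactly as the page gives: w_jk += eta*H_j*e_k, b_k += eta*e_k
        for j in range(len(h)):
            for k in range(len(e)):
                self.w_jk[j][k] += self.eta * h[j] * e[k]
        for k in range(len(e)):
            self.b_k[k] += self.eta * e[k]
        # Input -> hidden (assumed form): w_ij += eta*x_i*delta_j, a_j += eta*delta_j
        for i in range(len(x)):
            for j in range(len(h)):
                self.w_ij[i][j] += self.eta * x[i] * delta[j]
        for j in range(len(h)):
            self.a_j[j] += self.eta * delta[j]
        return 0.5 * sum(ek * ek for ek in e)

    def total_error(self, data):
        """E = 1/2 sum_k e_k^2, summed over the data set (assumed form of E)."""
        total = 0.0
        for x, y in data:
            _, o = self.forward(x)
            total += 0.5 * sum((y[k] - o[k]) ** 2 for k in range(len(y)))
        return total

    def classify(self, x):
        """Detection result: 'attack' if the single output exceeds 0.5, else 'normal'."""
        return "attack" if self.forward(x)[1][0] > 0.5 else "normal"


# Constructed training set (not real traffic): two features scaled to [0, 1],
# e.g. mean packets per flow and a shifted paired-flow ratio; label 1.0 = attack, 0.0 = normal.
TRAIN = [
    ([0.80, 0.90], [0.0]), ([0.70, 0.95], [0.0]), ([0.90, 0.85], [0.0]), ([0.75, 1.00], [0.0]),
    ([0.05, 0.00], [1.0]), ([0.02, 0.05], [1.0]), ([0.10, 0.02], [1.0]), ([0.00, 0.10], [1.0]),
]


def train_detector(epochs=3000, eta=0.1, seed=0):
    """Train on TRAIN and return (network, error before training, error after training)."""
    net = BPNetwork(n_in=2, n_hidden=3, n_out=1, eta=eta, seed=seed)
    before = net.total_error(TRAIN)
    for _ in range(epochs):
        for x, y in TRAIN:
            net.train_step(x, y)
    return net, before, net.total_error(TRAIN)


def accuracy(net, data):
    """Fraction of samples whose classification matches the label."""
    hits = sum(1 for x, y in data
               if net.classify(x) == ("attack" if y[0] > 0.5 else "normal"))
    return hits / len(data)


if __name__ == "__main__":
    net, before, after = train_detector()
    print(f"error before {before:.3f}, after {after:.3f}, accuracy {accuracy(net, TRAIN):.2f}")
```

Note the ordering inside `train_step`: the hidden-layer deltas are computed from the hidden-to-output weights before those weights are changed, otherwise the input-to-hidden step would be using gradients from a different network than the one that produced the error.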
According to the fifth implementation of the third embodiment, in a sixth implementation the attack detection module 14 specifically includes:
Input unit, which inputs the at least one feature into the BP neural network model through the input layer, according to the arrangement rules of legitimate data and attack data obtained by training the BP neural network.
Hidden layer computation unit, which performs feature computation on the features through the hidden layer of the BP neural network model.
Output unit, which outputs the result of the feature computation through the output layer of the BP neural network model, so that the presence or absence of a DDoS attack is judged from that result.
A fourth embodiment of the invention is an SDN cloud network controller. The SDN cloud network controller of this embodiment includes a processor, a memory, and a computer program stored in the memory and runnable on the processor, such as a BP-neural-network-based DDoS attack detection program. When the processor executes the computer program it carries out the steps of the BP-neural-network-based DDoS attack detection method embodiments described above, such as step S11 shown in FIG. 1; alternatively, when executing the computer program the processor implements the functions of the modules/units of the device embodiments described above, such as the flow table collection module.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions; the instruction segments describe the execution process of the computer program in the SDN cloud network controller.
The SDN cloud network controller may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the above components are merely an example of an SDN cloud network controller and do not limit it: it may include more or fewer components than those listed, combine certain components, or use different components; for example, the SDN cloud network controller may also include input/output devices, network access devices, a bus, and so on.
The processor may be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and so on. A general-purpose processor may be a microprocessor or any conventional processor. The processor is the control centre of the SDN cloud network controller and connects all parts of the controller through various interfaces and lines.
The memory stores the computer program and/or modules; the processor implements the various functions of the SDN cloud network controller by running or executing the computer program and/or modules stored in the memory and by calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area can store an operating system and the application programs needed for at least one function; the data storage area can store data created according to the use of the BP neural network model (such as flow tables). In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device.
If the modules/units integrated in the SDN cloud network controller are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of the above method embodiments may also be carried out by a computer program instructing the relevant hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each method embodiment above. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and so on. Note that the content a computer-readable medium may include can be increased or decreased as required by legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
It should be noted that the device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units: they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. In the drawings of the device embodiments provided by the invention, a connection between modules indicates that there is a communication connection between them, which may be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are preferred embodiments of the invention. It should be noted that those skilled in the art may make various improvements and modifications without departing from the principle of the invention, and such improvements and modifications are also regarded as falling within the scope of protection of the invention.

Claims (10)

1. A DDoS attack detection method based on a BP neural network, characterized in that the BP-neural-network-based DDoS attack detection method is executed by an SDN cloud network controller and includes the following steps:
periodically sending a flow table collection request to a switch, to collect the latest network flow table information the switch sends;
computing, from the collected latest network flow table information, at least one feature needed for DDoS attack detection;
when the value of any one of the features is detected to exceed a preset feature threshold, activating a BP neural network model;
performing DDoS attack detection on the at least one feature according to the BP neural network model and the arrangement rules of legitimate data and attack data obtained by training the BP neural network model, to output the result of the DDoS attack detection.
2. The BP-neural-network-based DDoS attack detection method according to claim 1, characterized in that the latest network flow table information includes the information corresponding to the eth_dst, eth_src, eth_type, vlan_vid, vlan_pcp, ip_dscp, ip_ecn, ip_proto, ipv4_src, ipv4_dst, tcp_src, tcp_dst, tcp_flags, udp_src, udp_dst, sctp_src, sctp_dst, icmpv4_type, icmpv4_code, arp_op, arp_spa, arp_tpa, arp_sha, arp_tha, ipv6_src, ipv6_dst, ipv6_flabel, icmpv6_type, icmpv6_code, ipv6_nd_target, ipv6_nd_sll, ipv6_nd_tll, mpls_label, mpls_tc, mpls_bos, pbb_isid, ipv6_exthdr and pbb_uca fields of each flow table entry.
3. The BP-neural-network-based DDoS attack detection method according to claim 2, characterized in that the features include the mean number of packets per flow, the paired-flow ratio, port growth, source IP growth, the flow table entry rate and the flow table match success rate; wherein, letting the mean number of packets per flow be $S_1$, $x_j$ is the number of packets in flow $j$ within a given time interval and $M$ is the number of all packets in that interval; letting the paired-flow ratio be $S_2$, $S_2 = (2 \times p - f)/f$, where $p$ is the number of interactive flow pairs and $f$ is the total number of flows.
4. The BP-neural-network-based DDoS attack detection method according to claim 1, characterized in that it further includes:
when the detection result is attack, issuing an attack warning; wherein the attack warning causes the controller to send a configuration change instruction to a firewall, to issue a flow table change instruction to the switch, and to drop attack packets; the configuration change instruction makes the firewall change its configuration to reduce attack traffic; the flow table change instruction makes the switch change its flow table match settings so that the switch stops receiving DDoS attack packets.
5. The BP-neural-network-based DDoS attack detection method according to any one of claims 1 to 4, characterized in that the detection result is either normal or attack.
6. The BP-neural-network-based DDoS attack detection method according to claim 5, characterized in that the BP neural network model includes an input layer, at least one hidden layer and an output layer;
during training of the BP neural network model, let the output of hidden node $j$ be $H_j$, where the input layer has $n$ nodes and $1 \le i \le n$;
let the output of output node $k$ be $O_k$, where the hidden layer has $l$ nodes and $1 \le j \le l$;
let the error be $E$, where the output layer has $m$ nodes, $1 \le k \le m$, and $Y_k$ is the desired output; write $e_k = Y_k - O_k$;
weight update from the input layer to the hidden layer, with learning rate $\eta$;
weight update from the hidden layer to the output layer: $w_{jk} = w_{jk} + \eta H_j e_k$;
bias update from the input layer to the hidden layer;
bias update from the hidden layer to the output layer: $b_k = b_k + \eta e_k$;
the activation function is the sigmoid function.
7. The BP-neural-network-based DDoS attack detection method according to claim 6, characterized in that performing DDoS attack detection on the at least one feature according to the BP neural network model and the arrangement rules of legitimate data and attack data obtained by training the BP neural network model, to output the result of the DDoS attack detection, specifically includes:
inputting the at least one feature into the BP neural network model through the input layer, according to the arrangement rules of legitimate data and attack data obtained by training the BP neural network;
performing feature computation on the features through the hidden layer of the BP neural network model;
outputting the result of the feature computation through the output layer of the BP neural network model, so that the presence or absence of a DDoS attack is judged from that result.
8. A DDoS attack detection device based on a BP neural network, characterized in that it includes:
a flow table collection module, which periodically sends a flow table collection request to a switch, to collect the latest network flow table information the switch sends;
a feature computation module, which computes, from the collected latest network flow table information, at least one feature needed for DDoS attack detection;
a BP neural network model activation module, which activates a BP neural network model when it detects that the value of any one of the features exceeds a preset feature threshold;
an attack detection module, which performs DDoS attack detection on the at least one feature according to the BP neural network model and the arrangement rules of legitimate data and attack data obtained by training the BP neural network model, to output the result of the DDoS attack detection.
9. An SDN cloud network controller, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the BP-neural-network-based DDoS attack detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored computer program, wherein when the computer program runs it controls the device on which the computer-readable storage medium is located to execute the BP-neural-network-based DDoS attack detection method according to any one of claims 1 to 7.
CN201810395789.3A 2018-04-27 2018-04-27 Ddos attack detection method, device, controller and medium based on BP neural network Pending CN108718297A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810395789.3A CN108718297A (en) 2018-04-27 2018-04-27 Ddos attack detection method, device, controller and medium based on BP neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810395789.3A CN108718297A (en) 2018-04-27 2018-04-27 Ddos attack detection method, device, controller and medium based on BP neural network

Publications (1)

Publication Number Publication Date
CN108718297A true CN108718297A (en) 2018-10-30

Family

ID=63899327

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810395789.3A Pending CN108718297A (en) 2018-04-27 2018-04-27 Ddos attack detection method, device, controller and medium based on BP neural network

Country Status (1)

Country Link
CN (1) CN108718297A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109120630A (en) * 2018-09-03 2019-01-01 上海海事大学 A kind of SDN network ddos attack detection method based on Optimized BP Neural Network
CN110118926A (en) * 2019-05-27 2019-08-13 电子科技大学 PCB based on Electromagnetic Environmental Effect distorts intelligent detecting method
CN110784481A (en) * 2019-11-04 2020-02-11 重庆邮电大学 DDoS detection method and system based on neural network in SDN network
CN112565296A (en) * 2020-12-24 2021-03-26 深信服科技股份有限公司 Security protection method and device, electronic equipment and storage medium
CN113268735A (en) * 2021-04-30 2021-08-17 国网河北省电力有限公司信息通信分公司 Distributed denial of service attack detection method, device, equipment and storage medium
CN115396363A (en) * 2022-08-24 2022-11-25 桂林电子科技大学 Flow classification method and system under SDN network environment
CN116827690A (en) * 2023-08-29 2023-09-29 天津市亿人科技发展有限公司 DDoS attack and cloud WAF defense method based on distribution type

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110261710A1 (en) * 2008-09-26 2011-10-27 Nsfocus Information Technology (Beijing) Co., Ltd. Analysis apparatus and method for abnormal network traffic
CN107194625A (en) * 2017-07-25 2017-09-22 国家电网公司 Wind power plant based on neutral net abandons wind-powered electricity generation amount appraisal procedure

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王晓瑞 et al.: "DDoS attack detection method based on BP neural network in an SDN environment", 《计算机应用研究》 (Application Research of Computers) *
魏爽: "Mouth shape classification algorithm based on BP neural network", 《电子科技》 (Electronic Science and Technology) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109120630A (en) * 2018-09-03 2019-01-01 上海海事大学 A kind of SDN network ddos attack detection method based on Optimized BP Neural Network
CN109120630B (en) * 2018-09-03 2022-08-02 上海海事大学 SDN network DDoS attack detection method based on BP neural network optimization
CN110118926A (en) * 2019-05-27 2019-08-13 电子科技大学 PCB based on Electromagnetic Environmental Effect distorts intelligent detecting method
CN110784481A (en) * 2019-11-04 2020-02-11 重庆邮电大学 DDoS detection method and system based on neural network in SDN network
CN110784481B (en) * 2019-11-04 2021-09-07 重庆邮电大学 DDoS detection method and system based on neural network in SDN network
CN112565296A (en) * 2020-12-24 2021-03-26 深信服科技股份有限公司 Security protection method and device, electronic equipment and storage medium
CN113268735A (en) * 2021-04-30 2021-08-17 国网河北省电力有限公司信息通信分公司 Distributed denial of service attack detection method, device, equipment and storage medium
CN113268735B (en) * 2021-04-30 2022-10-14 国网河北省电力有限公司信息通信分公司 Distributed denial of service attack detection method, device, equipment and storage medium
CN115396363A (en) * 2022-08-24 2022-11-25 桂林电子科技大学 Flow classification method and system under SDN network environment
CN115396363B (en) * 2022-08-24 2023-07-25 桂林电子科技大学 Flow classification method and system in SDN network environment
CN116827690A (en) * 2023-08-29 2023-09-29 天津市亿人科技发展有限公司 DDoS attack and cloud WAF defense method based on distribution type

Similar Documents

Publication Publication Date Title
CN108718297A (en) Ddos attack detection method, device, controller and medium based on BP neural network
CN106572107B (en) A kind of software-oriented defines the ddos attack system of defense and method of network
Zhijun et al. Low-rate DDoS attack detection based on factorization machine in software defined network
CN107659543B (en) Protection method for APT (android packet) attack of cloud platform
CN105429963B (en) Intrusion detection analysis method based on Modbus/Tcp
US20180109557A1 (en) SOFTWARE DEFINED NETWORK CAPABLE OF DETECTING DDoS ATTACKS USING ARTIFICIAL INTELLIGENCE AND CONTROLLER INCLUDED IN THE SAME
CN102801738B (en) Distributed DoS (Denial of Service) detection method and system on basis of summary matrices
Xuan et al. Detecting application denial-of-service attacks: A group-testing-based approach
CN107196930B (en) The method of computer network abnormality detection
CN111859400A (en) Risk assessment method, apparatus, computer system, and medium
CN107483458A (en) The recognition methods of network attack and device, computer-readable recording medium
CN107135093A (en) A kind of Internet of Things intrusion detection method and detecting system based on finite automata
Xu et al. An SDNFV-based DDoS defense technology for smart cities
CN106534133B (en) DDOS defence installation and method based on deep learning in a kind of SDN
CN109617931A (en) A kind of the ddos attack defence method and system of defense of SDN controller
CN107360145A (en) A kind of multinode honey pot system and its data analysing method
CN109617878A (en) A kind of construction method and system, computer readable storage medium of honey net
CN109257326A (en) The method, apparatus and storage medium and electronic equipment for defending data flow to attack
CN103780501B (en) Peer-to-peer network traffic identification method of inseparable-wavelet support vector machine
CN109194684A (en) A kind of method, apparatus and calculating equipment of simulation Denial of Service attack
CN113660209B (en) DDoS attack detection system based on sketch and federal learning and application
CN108429731A (en) Anti-attack method, device and electronic equipment
CN108574668A (en) A kind of ddos attack peak flow prediction technique based on machine learning
CN108011894A (en) Botnet detecting system and method under a kind of software defined network
CN107241338A (en) Network anti-attack devices, systems, and methods, computer-readable recording medium and storage control

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181030
