CN108833376A - DoS attack detection method for software-defined networks - Google Patents
- Publication number
- CN108833376A
- Authority
- CN
- China
- Prior art keywords
- network
- software
- dos attack
- data
- stream
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The present invention relates to the technical field of software-defined networking, and more particularly to a DoS attack detection method for software-defined networks. The method comprises: taking single-flow size (SSF), flow address growth speed (AGS) and flow-table matching rate (RSM) as the DoS attack detection features of the software-defined network, and performing feature extraction and calculation on the collected historical traffic data; standardizing and normalizing the historical traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method; taking the standardized and normalized historical traffic data as the training data set and building a DoS attack traffic classification model for the software-defined network with the conditional random field (CRF) algorithm; and classifying the real-time monitored traffic data of the software-defined network with the generated classification model to judge whether an anomaly exists. The invention can classify monitored traffic in real time and judge whether an anomaly exists, thereby performing attack detection.
Description
Technical field
The present invention relates to the technical field of software-defined networking, and more particularly to a DoS attack detection method for software-defined networks.
Background
As a software-based network architecture and technology, the software-defined network (Software Defined Network, SDN) has loosely coupled control and data planes, supports centralized control of network state, and makes the underlying network infrastructure transparent to upper-layer applications. Its flexible software programmability can greatly improve automated network management and control, and effectively addresses problems facing current network systems such as limited scalability of resources, poor networking flexibility and difficulty in meeting business demands quickly. In recent years, driven by demand from emerging services represented by cloud computing and big data, SDN-related technology development and business innovation have grown rapidly, with fairly large-scale deployment in scenarios such as backbone networks, data centers, enterprise networks and mobile networks.
However, although the centralized management mechanism and open programming interfaces of SDN increase the flexibility of network management and operation, they also give network attacks new and larger opportunities. In particular, the centralized control architecture concentrates all of the network's "intelligence" in the controller; once the controller fails or its service capacity drops, the performance of the whole network is severely affected. At present, the most common and effective attack against SDN is the DoS/DDoS attack originating from the data plane, also called the SDN-DoS attack. Such an attack sends a large number of carefully crafted data flows into the SDN network; because OpenFlow switches cannot find flow entries matching the attack flows, they continually send requests to the controller to obtain new forwarding rules. The controller in turn must keep responding to the switches' requests, formulating and issuing the corresponding rules, so that the controller's storage and computing resources are heavily consumed and the connection resources between the controller and the switches are heavily occupied.
For traditional network architectures, researchers have proposed a large number of DoS attack detection methods. OpenFlow forwards data mainly on a per-flow basis, and at present only a small number of flow-based attack detection methods exist. For example, the DoS attack detection method based on IP flow interaction uses a network flow interaction feature algorithm (FIF) to build a DoS attack detection model based on FIF time series; it can reduce interference from background traffic and has low false-positive and false-negative rates, but it uses only the interaction feature of network flows, so its judgment is not comprehensive enough. Detection methods based on information entropy usually take flow features such as IP addresses as reference features and complete detection by combining information entropy with a threshold. Although entropy-based detection is more flexible and convenient, determining the threshold and assigning weights across multiple elements requires expert knowledge. Detection methods based on Self-organizing Maps (SOM) neural networks use the SOM neural network to detect OpenFlow traffic, but the SOM algorithm converges slowly and takes a long time to train.
Summary of the invention
In view of the above problems, the present invention provides a DoS attack detection method for software-defined networks. It can classify monitored traffic in real time and judge whether an anomaly exists, achieving the purpose of attack detection.
To achieve the above object, the present invention adopts the following technical solution:
A DoS attack detection method for software-defined networks, comprising the following steps:
Step 1: Take three statistical attributes, single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM, as the DoS attack detection features of the software-defined network, and perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software-defined network;
Step 2: Standardize and normalize the historical traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data;
Step 3: Take the standardized and normalized historical traffic data as the training data set and build a DoS attack traffic classification model for the software-defined network with the conditional random field (CRF) algorithm, the classification model being a first-order CRF model;
Step 4: Use the generated DoS attack traffic classification model to classify the real-time monitored traffic data of DoS attacks on the software-defined network and judge whether an anomaly exists, achieving the purpose of attack detection.
Further, before step 1, the method also includes:
Adding labels to the collected historical traffic data of DoS attacks on the software-defined network: 0 when normal, 1 when abnormal.
Further, the single-flow size SSF comprises two attribute parameters, the number of packets per flow and the number of bytes per flow. The mean packet count per flow ANPF and the mean byte count per flow ABSF are, respectively:
where FlowNum is the number of flows entering the software-defined network within the sampling time, NPF_i is the number of packets in flow i, and BSF_i is the number of bytes in flow i.
Further, the flow address growth speed AGS comprises two attribute parameters, source IP growth speed IPGS and port growth speed PGS, which are, respectively:
IPGS=SrcIP_Num/interval
PGS=PortNum/interval
where SrcIP_Num is the number of source IPs appearing within the sampling time, PortNum is the number of ports appearing within the sampling time, and interval is the sampling time.
Further, the flow-table matching rate RSM is:
RSM=MatchNum/FlowNum
where MatchNum is the number of data flows that enter the software-defined network within the sampling time and are matched directly by a switch, and FlowNum is the total number of data flows entering the software-defined network within the sampling time.
Further, the extraction and calculation represents each labeled historical traffic record of DoS attacks on the software-defined network as a four-tuple <γ,ρ,λ,S>, where γ is the single-flow size feature SSF of the software-defined network; ρ is the flow address growth speed feature AGS of the software-defined network; λ is the flow-table successful matching rate feature RSM of the software-defined network; and S is the label.
Further, step 2 includes:
Step 2.1: Using the linear function standardization method, linearly transform the raw data, i.e. the historical traffic data after feature extraction and calculation, into the range [0,1], scaling the raw data proportionally. The standardization formula is:
where x' is the standardized data, x is the raw data, and x_max and x_min are the maximum and minimum of the raw data set, respectively;
Step 2.2: Using the catastrophe progression method, normalize single-flow size SSF and flow address growth speed AGS into one parameter each:
The two attribute parameters of the single-flow size feature SSF are normalized with the cusp-type normalization formula:
where ANPF' and ABSF' are the standardized ANPF and ABSF, respectively;
The two attribute parameters of the flow address growth speed AGS are normalized with the cusp-type normalization formula:
where IPGS' and PGS' are the standardized IPGS and PGS, respectively.
Further, the training data set comprises an observation sequence
and a label sequence Y = {y_i | y_i ∈ {0,1}, i ∈ N}.
Further, after step 3, the method also includes: adjusting and optimizing the parameters of the DoS attack traffic classification model of the software-defined network with the maximum likelihood estimation method.
Further, step 4 includes:
Step 4.1: Perform feature extraction and calculation of single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM on the real-time monitored traffic data of DoS attacks on the software-defined network;
Step 4.2: Standardize and normalize the real-time monitored traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized real-time monitored traffic data;
Step 4.3: Input the standardized and normalized real-time monitored traffic data into the DoS attack traffic classification model of the software-defined network and discriminate DoS attacks with the Viterbi algorithm:
Given the parameters of the CRF model P(Y|X) and the observation sequence X = (x_1, x_2, …, x_n), solve for the output label sequence at which P(Y|X) is maximal, where each element of the observation sequence X = (x_1, x_2, …, x_n) corresponds to the sequence formed by the single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM of each data item, that is:
The output label is the normal-or-abnormal judgment for the network traffic of the software-defined network.
Compared with the prior art, the present invention has the following beneficial effects:
1. By taking three strongly representative statistical attributes, single-flow size, flow address growth speed and flow-table matching rate, as the DoS attack detection features of the software-defined network, the invention can accurately describe the operating state of the software-defined network.
2. The invention standardizes each feature by using the linear function standardization method and the catastrophe progression method together, which effectively solves the problem of detection results being biased toward a particular feature because feature value ranges and units are inconsistent.
3. The invention uses a first-order CRF model as the DoS attack traffic classification model of the software-defined network, which balances the performance and efficiency of DoS attack detection in the software-defined network.
4. The invention classifies the monitored traffic collected in real time with the generated classification model and judges whether an anomaly exists, achieving the purpose of attack detection. Without modifying the communication protocol, the invention can effectively detect DoS attacks on the software-defined network in real time, can perceive the security state of the software-defined network both quantitatively and qualitatively, and achieves real-time, accurate detection of DoS attacks on the software-defined network.
Brief description of the drawings
Fig. 1 is the basic flow chart of the DoS attack detection method for software-defined networks according to an embodiment of the present invention.
Fig. 2 is the basic flow chart of the DoS attack detection method for software-defined networks according to another embodiment of the present invention.
Detailed description of embodiments
The present invention is further explained below with reference to the drawings and specific embodiments:
Embodiment one:
As shown in Fig. 1, a DoS attack detection method for software-defined networks according to the present invention comprises the following steps:
Step S101: Take three statistical attributes, single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM, as the DoS attack detection features of the software-defined network, and perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software-defined network;
Step S102: Standardize and normalize the historical traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data;
Step S103: Take the standardized and normalized historical traffic data as the training data set and build a DoS attack traffic classification model for the software-defined network with the conditional random field algorithm;
Step S104: Use the generated DoS attack traffic classification model to classify the real-time monitored traffic data of DoS attacks on the software-defined network and judge whether an anomaly exists, achieving the purpose of attack detection.
Embodiment two:
As shown in Fig. 2, another DoS attack detection method for software-defined networks according to the present invention comprises the following steps:
Step S201: Add labels to the collected historical traffic data of DoS attacks on the software-defined network: 0 when normal, 1 when abnormal.
Step S202: Take three strongly representative statistical attributes, single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM, as the DoS attack detection features of the software-defined network, and perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software-defined network;
The single-flow size SSF (Size of a Single Flow) describes the size of each data flow entering the SDN network and comprises two attribute parameters, the number of packets per flow and the number of bytes per flow. The mean packet count per flow ANPF (average NPF) and the mean byte count per flow ABSF (average BPF) are, respectively:
where FlowNum is the number of flows entering the SDN within the sampling time, NPF_i is the number of packets in flow i, and BSF_i is the number of bytes in flow i.
The flow address growth speed AGS (Address Growing Speed) comprises two attribute parameters, source IP growth speed IPGS (source IP growing speed) and port growth speed PGS (port generating speed), where IPGS is the growth rate of the number of source IPs of flows entering the SDN within the sampling time, and PGS is the growth rate of the number of ports of flows entering the SDN within the sampling time. The source IP growth speed IPGS and port growth speed PGS are, respectively:
IPGS=SrcIP_Num/interval
PGS=PortNum/interval
where SrcIP_Num is the number of source IPs appearing within the sampling time, PortNum is the number of ports appearing within the sampling time, and interval is the sampling time.
The flow-table matching rate RSM (ratio of successful matching of flow table) describes the probability that a data flow entering the SDN within the sampling time is matched directly by a switch flow table. The flow-table matching rate RSM is:
RSM=MatchNum/FlowNum
where MatchNum is the number of data flows that enter the SDN within the sampling time and are matched directly by a switch, and FlowNum is the total number of data flows entering the SDN within the sampling time.
The extraction and calculation represents each labeled historical traffic record of DoS attacks on the software-defined network as a four-tuple <γ,ρ,λ,S>, where γ is the single-flow size feature SSF of the SDN, γ={ANPF, ABSF}; ρ is the flow address growth speed feature AGS of the SDN, ρ={IPGS, PGS}; λ is the flow-table successful matching rate feature RSM of the SDN; and S is the label, where S = 0 indicates normal and S = 1 indicates abnormal.
Step S203: Standardize and normalize the historical traffic data after feature extraction and calculation by using the linear function standardization method and the catastrophe progression method together, obtaining standardized and normalized historical traffic data.
Step S203 includes:
Step S2031: The value ranges of the features differ greatly and their units differ as well, and this inconsistency in value range clearly biases the result toward the features with larger ranges. To balance features with inconsistent value ranges, each feature must be standardized so that its values fall in the interval [0,1]. Because the quantized values of the features show no obvious probability density characteristics, the linear function standardization (Min-Max Scaling) method is used: the raw data, i.e. the historical traffic data after feature extraction and calculation, are linearly transformed into the range [0,1], scaling the raw data proportionally. That is, each DoS attack detection feature of the software-defined network is standardized separately, including ANPF and ABSF in SSF, IPGS and PGS in AGS, and RSM. The standardization formula is:
where x' is the standardized data, x is the raw data, and x_max and x_min are the maximum and minimum of the raw data set, respectively;
Step S2032: Because SSF and AGS are composite features each comprising several sub-features, the catastrophe progression method (Catastrophe Progression Method) is used to normalize single-flow size SSF and flow address growth speed AGS into one parameter each:
The specific normalization formula is chosen according to the number of sub-features: if a feature decomposes into only two sub-features, the cusp-type normalization formula can be used; if a feature decomposes into three sub-features, the swallowtail-type normalization formula can be used. The single-flow size feature SSF decomposes into two sub-features, so the cusp-type normalization formula is used; ANPF is more representative of DoS attacks on the software-defined network than ABSF, so:
where ANPF' and ABSF' are the standardized ANPF and ABSF, respectively;
AGS also decomposes into two sub-features, so the cusp-type normalization formula is used as well; IPGS is more representative of DoS attacks on the software-defined network than PGS, so:
where IPGS' and PGS' are the standardized IPGS and PGS, respectively.
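An added example (not part of the patent text) of steps S202 and S203: it computes ANPF, ABSF, IPGS, PGS and RSM for one sampling window and reduces them to the vector (SSF', AGS', RSM'). The formulas for the means, the min-max scaling and the cusp normalization are not reproduced as text on this page, so the code assumes arithmetic means over the window's flows, standard min-max scaling, and the standard cusp form (square root of the dominant sub-feature, cube root of the second) combined by averaging; the `Flow` record, its fields and the sample flows are constructed.

```python
import math
from dataclasses import dataclass

@dataclass
class Flow:                      # hypothetical per-flow record for one window
    src_ip: str
    port: int
    packets: int                 # NPF_i
    nbytes: int                  # BSF_i
    matched: bool                # True if a switch flow entry matched directly

def window_features(flows, interval):
    """Raw features of one sampling window of `interval` seconds."""
    n = len(flows)               # FlowNum
    if n == 0:
        # Idle window: not covered by the page; treated as "nothing unmatched"
        # (assumption) to avoid dividing by zero.
        return {"ANPF": 0.0, "ABSF": 0.0, "IPGS": 0.0, "PGS": 0.0, "RSM": 1.0}
    return {
        "ANPF": sum(f.packets for f in flows) / n,           # assumed mean
        "ABSF": sum(f.nbytes for f in flows) / n,            # assumed mean
        "IPGS": len({f.src_ip for f in flows}) / interval,   # SrcIP_Num/interval
        "PGS": len({f.port for f in flows}) / interval,      # PortNum/interval
        "RSM": sum(f.matched for f in flows) / n,            # MatchNum/FlowNum
    }

def min_max(values):
    """Min-max scaling to [0,1] (assumed form of the standardization formula)."""
    lo, hi = min(values), max(values)
    if hi == lo:                 # constant column: no spread to scale
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]

def cusp(dominant, secondary):
    """Cusp-type normalization of two standardized sub-features.

    Assumption: sqrt for the more representative sub-feature, cube root for
    the other, averaged into a single parameter.
    """
    return (math.sqrt(dominant) + secondary ** (1.0 / 3.0)) / 2.0

def normalized_vectors(history):
    """Turn a list of raw window features into (SSF', AGS', RSM') vectors."""
    keys = ("ANPF", "ABSF", "IPGS", "PGS", "RSM")
    col = {k: min_max([w[k] for w in history]) for k in keys}
    return [
        (cusp(col["ANPF"][i], col["ABSF"][i]),   # ANPF is the dominant one
         cusp(col["IPGS"][i], col["PGS"][i]),    # IPGS is the dominant one
         col["RSM"][i])
        for i in range(len(history))
    ]

# Constructed sample windows (documentation address ranges), 5 s each.
INTERVAL = 5
NORMAL = [
    Flow("192.0.2.1", 443, 120, 90000, True),
    Flow("192.0.2.1", 443, 80, 60000, True),
    Flow("192.0.2.2", 80, 100, 70000, True),
    Flow("192.0.2.3", 22, 100, 20000, False),    # one new, unmatched flow
]
# Many tiny flows from distinct sources, none matching a flow entry.
ATTACK = [Flow(f"198.51.100.{i}", 1024 + i, 1, 64, False) for i in range(50)]

if __name__ == "__main__":
    history = [window_features(NORMAL, INTERVAL),
               window_features(ATTACK, INTERVAL)]
    for raw, vec in zip(history, normalized_vectors(history)):
        print(raw, "->", vec)
```

When live windows are scaled with the training set's x_min and x_max, values can fall outside [0,1]; clamp them before the cusp step, since the roots are not defined for negative inputs.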
Step S204: Take the standardized and normalized historical traffic data as the training data set and build a DoS attack traffic classification model for the software-defined network with the conditional random field (conditional random fields, CRF) algorithm. The training data set comprises an observation sequence and a label sequence Y = {y_i | y_i ∈ {0,1}, i ∈ N}. To balance detection performance and efficiency, the classification model is a first-order CRF model (the graph structure is an undirected graph in first-order chain form, the unary potential function is a logistic regression (LR) classifier, and the pairwise potential function is defined by the Ising/Potts model).
Step S205: Adjust and optimize the parameters of the DoS attack traffic classification model of the software-defined network with the maximum likelihood estimation method (see Qiu Yazheng, Ren Yeqing, Liu Cheng (eds.), Probability Theory and Math Statistics (4th edition): Science Press, 2015.08.01: 151-152).
Step S206: Use the generated DoS attack traffic classification model to classify the monitored traffic data of DoS attacks on the software-defined network and judge whether an anomaly exists, achieving the purpose of attack detection.
Step S206 includes:
Step S2061: Perform feature extraction and calculation of single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM on the monitored traffic data of DoS attacks on the software-defined network;
Step S2062: Standardize and normalize the monitored traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized monitored traffic data;
Step S2063: Input the standardized and normalized monitored traffic data into the DoS attack traffic classification model of the software-defined network and discriminate DoS attacks with the Viterbi algorithm:
Given the parameters of the DoS attack traffic classification model of the software-defined network, i.e. the CRF model P(Y|X), and the observation sequence X = (x_1, x_2, …, x_n), solve for the output label sequence at which P(Y|X) is maximal, where P(Y|X) is a conditional probability and each element of the observation sequence X = (x_1, x_2, …, x_n) corresponds to the sequence formed by the single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM of each data item, that is:
The output label is the normal-or-abnormal judgment for the SDN network traffic.
The above are only preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A DoS attack detection method for software-defined networks, characterized by comprising the following steps:
Step 1: Take three statistical attributes, single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM, as the DoS attack detection features of the software-defined network, and perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software-defined network;
Step 2: Standardize and normalize the historical traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data;
Step 3: Take the standardized and normalized historical traffic data as the training data set and build a DoS attack traffic classification model for the software-defined network with the conditional random field (CRF) algorithm, the classification model being a first-order CRF model;
Step 4: Use the generated DoS attack traffic classification model to classify the real-time monitored traffic data of DoS attacks on the software-defined network and judge whether an anomaly exists, achieving the purpose of attack detection.
2. The DoS attack detection method for software-defined networks according to claim 1, characterized in that, before step 1, the method further includes:
Adding labels to the collected historical traffic data of DoS attacks on the software-defined network: 0 when normal, 1 when abnormal.
3. The DoS attack detection method for software-defined networks according to claim 1, characterized in that the single-flow size SSF comprises two attribute parameters, the number of packets per flow and the number of bytes per flow, and the mean packet count per flow ANPF and the mean byte count per flow ABSF are, respectively:
where FlowNum is the number of flows entering the software-defined network within the sampling time, NPF_i is the number of packets in flow i, and BSF_i is the number of bytes in flow i.
4. The DoS attack detection method for software-defined networks according to claim 3, characterized in that the flow address growth speed AGS comprises two attribute parameters, source IP growth speed IPGS and port growth speed PGS, which are, respectively:
IPGS=SrcIP_Num/interval
PGS=PortNum/interval
where SrcIP_Num is the number of source IPs appearing within the sampling time, PortNum is the number of ports appearing within the sampling time, and interval is the sampling time.
5. The DoS attack detection method for software-defined networks according to claim 3, characterized in that the flow-table matching rate RSM is:
RSM=MatchNum/FlowNum
where MatchNum is the number of data flows that enter the software-defined network within the sampling time and are matched directly by a switch, and FlowNum is the total number of data flows entering the software-defined network within the sampling time.
6. The DoS attack detection method for software-defined networks according to claim 1 or 2, characterized in that the extraction and calculation represents each labeled historical traffic record of DoS attacks on the software-defined network as a four-tuple <γ,ρ,λ,S>, where γ is the single-flow size feature SSF of the software-defined network; ρ is the flow address growth speed feature AGS of the software-defined network; λ is the flow-table successful matching rate feature RSM of the software-defined network; and S is the label.
7. The DoS attack detection method for software-defined networks according to any one of claims 3 to 5, characterized in that step 2 includes:
Step 2.1: Using the linear function standardization method, linearly transform the raw data, i.e. the historical traffic data after feature extraction and calculation, into the range [0,1], scaling the raw data proportionally. The standardization formula is:
where x' is the standardized data, x is the raw data, and x_max and x_min are the maximum and minimum of the raw data set, respectively;
Step 2.2: Using the catastrophe progression method, normalize single-flow size SSF and flow address growth speed AGS into one parameter each:
The two attribute parameters of the single-flow size feature SSF are normalized with the cusp-type normalization formula:
where ANPF' and ABSF' are the standardized ANPF and ABSF, respectively;
The two attribute parameters of the flow address growth speed AGS are normalized with the cusp-type normalization formula:
where IPGS' and PGS' are the standardized IPGS and PGS, respectively.
8. The DoS attack detection method for software-defined networks according to claim 1, characterized in that the training data set comprises an observation sequence and a label sequence Y = {y_i | y_i ∈ {0,1}, i ∈ N}.
9. The DoS attack detection method for software-defined networks according to claim 1, characterized in that, after step 3, the method further includes: adjusting and optimizing the parameters of the DoS attack traffic classification model of the software-defined network with the maximum likelihood estimation method.
10. The DoS attack detection method for software-defined networks according to claim 8, characterized in that step 4 includes:
Step 4.1: Perform feature extraction and calculation of single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM on the real-time monitored traffic data of DoS attacks on the software-defined network;
Step 4.2: Standardize and normalize the real-time monitored traffic data after feature extraction and calculation with the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized real-time monitored traffic data;
Step 4.3: Input the standardized and normalized real-time monitored traffic data into the DoS attack traffic classification model of the software-defined network and discriminate DoS attacks with the Viterbi algorithm:
Given the parameters of the CRF model P(Y|X) and the observation sequence X = (x_1, x_2, …, x_n), solve for the output label sequence at which P(Y|X) is maximal, where each element of the observation sequence X = (x_1, x_2, …, x_n) corresponds to the sequence formed by the single-flow size SSF, flow address growth speed AGS and flow-table matching rate RSM of each data item, that is:
The output label is the normal-or-abnormal judgment for the network traffic of the software-defined network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810537828.9A CN108833376B (en) | 2018-05-30 | 2018-05-30 | DoS attack detection method for software defined network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108833376A true CN108833376A (en) | 2018-11-16 |
CN108833376B CN108833376B (en) | 2020-12-15 |
Family
ID=64146959
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810537828.9A Active CN108833376B (en) | 2018-05-30 | 2018-05-30 | DoS attack detection method for software defined network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108833376B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140283051A1 (en) * | 2013-03-14 | 2014-09-18 | Radware, Ltd. | System and method thereof for mitigating denial of service attacks in virtual networks |
CN106911726A (en) * | 2017-05-02 | 2017-06-30 | 深圳大学 | A kind of ddos attack simulation of software defined network and attack detection method and device |
CN107231384A (en) * | 2017-08-10 | 2017-10-03 | 北京科技大学 | A kind of ddos attack detection defence method cut into slices towards 5g networks and system |
CN107959690A (en) * | 2018-01-16 | 2018-04-24 | 中国人民解放军国防科技大学 | DDoS attack cross-layer cooperative defense method based on software defined network |
Non-Patent Citations (2)
Title |
---|
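Liu Yun et al.: "DDoS attack detection method based on conditional random fields", Journal of Software * |
Chen Shiwen: "Research on DDoS attack detection technology based on spectral analysis and statistical machine learning", China Doctoral Dissertations Full-text Database, Information Science and Technology * |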
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110210508A (en) * | 2018-12-06 | 2019-09-06 | 北京奇艺世纪科技有限公司 | Model generating method, anomalous traffic detection method, device, electronic equipment, computer readable storage medium |
CN110210508B (en) * | 2018-12-06 | 2021-11-09 | 北京奇艺世纪科技有限公司 | Model generation method, abnormal flow detection device, electronic device and computer-readable storage medium |
CN110011983A (en) * | 2019-03-19 | 2019-07-12 | 中国民航大学 | A kind of Denial of Service attack detection method based on flow table feature |
CN110011983B (en) * | 2019-03-19 | 2021-02-19 | 中国民航大学 | Flow table characteristic-based denial of service attack detection method |
CN110213280A (en) * | 2019-06-10 | 2019-09-06 | 湘潭大学 | Ddos attack detection method based on LDMDBF under a kind of SDN environment |
CN112995104A (en) * | 2019-12-16 | 2021-06-18 | 海信集团有限公司 | Communication equipment and network security prediction method |
CN112995104B (en) * | 2019-12-16 | 2022-05-20 | 海信集团有限公司 | Communication equipment and network security prediction method |
CN113242211A (en) * | 2021-04-12 | 2021-08-10 | 北京航空航天大学 | Efficient DDoS attack detection method for software defined network |
CN114039780A (en) * | 2021-11-10 | 2022-02-11 | 湖南大学 | Low-speed DoS attack real-time response scheme based on flow coefficient |
CN115250193A (en) * | 2021-12-22 | 2022-10-28 | 长沙理工大学 | DoS attack detection method, device and medium for SDN network |
CN115250193B (en) * | 2021-12-22 | 2024-02-23 | 长沙理工大学 | DoS attack detection method, device and medium for SDN network |
Also Published As
Publication number | Publication date |
---|---|
CN108833376B (en) | 2020-12-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||