CN108833376A - DoS attack detection method for software defined network - Google Patents

Publication number: CN108833376A
Authority: CN (China)
Prior art keywords: network, software, DoS attack, data, stream
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201810537828.9A
Other languages: Chinese (zh)
Other versions: CN108833376B (en)
Inventors: 郭毅, 许新忠, 张连成, 辜苛峻, 燕菊维, 钟华
Current Assignee: Information Engineering University of PLA Strategic Support Force (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Information Engineering University of PLA Strategic Support Force

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present invention relates to the technical field of software defined networks, and in particular to a DoS attack detection method for software defined networks. The method includes: taking the single-flow size SSF, the flow address growth speed AGS and the flow table matching rate RSM as the DoS attack detection features of the software defined network, and performing feature extraction and calculation on collected historical traffic data; standardizing and normalizing the historical traffic data after feature extraction and calculation using the linear function standardization method and the catastrophe progression method; using the standardized and normalized historical traffic data as a training data set, and building a DoS attack traffic classification model for the software defined network with the conditional random field (CRF) algorithm; and classifying the real-time monitored traffic data of DoS attacks on the software defined network with the generated classification model to determine whether an anomaly exists. The invention can classify monitored traffic in real time and determine whether an anomaly exists, thereby performing attack detection.

Description

DoS attack detection method for software defined network
Technical field
The present invention relates to the technical field of software defined networks, and in particular to a DoS attack detection method for software defined networks.
Background
As a software-based network architecture and technology, the software defined network (Software Defined Network, SDN) has a loosely coupled control plane and data plane, supports centralized control of network state, and makes the underlying network infrastructure transparent to upper-layer applications. Its flexible software programmability greatly improves automated network management and control, and effectively addresses problems faced by current network systems such as limited scalability of resources, poor networking flexibility, and difficulty in meeting business demands quickly. In recent years, driven by the demands of emerging services represented by cloud computing and big data, SDN-related technology development and business innovation have grown rapidly, and SDN has been applied at considerable scale in backbone networks, data centers, enterprise networks and mobile networks.
However, although SDN's centralized management mechanism and open programming interfaces increase the flexibility of network management and operation, they also provide new and larger opportunities for network attacks. In particular, its centralized control architecture concentrates all of the network's "intelligence" in the controller; once the controller fails or its service capacity drops, the performance of the whole network is severely affected. At present, the most common and effective attack against SDN is the DoS/DDoS attack originating from the data plane, also called the SDN-DoS attack. In this attack, a large number of carefully constructed data flows are sent into the SDN network; because the OpenFlow switch cannot find flow entries that match the attack flows, it continually sends requests to the controller to obtain new forwarding rules. The controller must in turn continually respond to the switch's requests by formulating and issuing the corresponding rules, so that the controller's storage and computing resources are heavily consumed and the connection resources between controller and switch are heavily occupied.
For traditional network architectures, researchers have proposed a large number of DoS attack detection methods. OpenFlow forwards data mainly on a per-flow basis, and only a small number of flow-based attack detection methods exist at present. For example, the DoS attack detection method based on IP flow interaction builds a DoS attack detection model on an FIF time series using the network interaction feature algorithm (FIF); it can reduce background traffic interference and has low false positive and false negative rates, but it uses only the interaction features of network flows, so its judgment is not comprehensive enough. Detection methods based on information entropy usually take flow features such as IP addresses as reference features and complete detection by combining information entropy with a threshold. Although entropy-based detection is flexible and convenient, determining the threshold and assigning weights among multiple elements requires expert knowledge. The detection method based on Self-organizing Maps (SOM) neural networks detects OpenFlow traffic with an SOM neural network, but the SOM algorithm converges slowly and takes a long time to train.
Summary of the invention
In view of the above problems, the present invention provides a DoS attack detection method for software defined networks. It can classify monitored traffic in real time and determine whether an anomaly exists, thereby achieving attack detection.
To achieve the above object, the present invention adopts the following technical solution:
A DoS attack detection method for software defined networks, comprising the following steps:
Step 1: Taking the three statistical attributes single-flow size SSF, flow address growth speed AGS and flow table matching rate RSM as the DoS attack detection features of the software defined network, perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software defined network;
Step 2: Standardize and normalize the historical traffic data after feature extraction and calculation using the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data;
Step 3: Use the standardized and normalized historical traffic data as the training data set, and build the DoS attack traffic classification model of the software defined network with the conditional random field (CRF) algorithm, the classification model being a first-order CRF model;
Step 4: Classify the real-time monitored traffic data of DoS attacks on the software defined network with the generated DoS attack traffic classification model, and determine whether an anomaly exists, thereby achieving attack detection.
Further, before step 1, the method also includes:
Adding labels to the collected historical traffic data of DoS attacks on the software defined network: 0 for normal data and 1 for abnormal data.
Further, the single-flow size SSF includes two attribute parameters, the number of packets in a flow and the number of bytes in a flow; the mean number of packets per flow ANPF and the mean number of bytes per flow ABSF are respectively:
where FlowNum is the number of flows entering the software defined network during the sampling time, NPF_i is the number of packets in flow i, and BSF_i is the number of bytes in flow i.
Further, the flow address growth speed AGS includes two attribute parameters, the source IP growth speed IPGS and the port growth speed PGS, which are respectively:
IPGS = SrcIP_Num / interval
PGS = PortNum / interval
where SrcIP_Num is the number of source IPs appearing during the sampling time, PortNum is the number of ports appearing during the sampling time, and interval is the sampling time.
Further, the flow table matching rate RSM is:
RSM = MatchNum / FlowNum
where MatchNum is the number of data flows that enter the software defined network during the sampling time and are matched directly by the switch, and FlowNum is the total number of data flows entering the software defined network during the sampling time.
Further, the extraction and calculation represents each labeled historical traffic record of DoS attacks on the software defined network as a four-tuple <γ, ρ, λ, S>, where γ is the single-flow size feature SSF of the software defined network; ρ is the flow address growth speed feature AGS of the software defined network; λ is the flow table matching success rate feature RSM of the software defined network; and S is the label.
Further, step 2 includes:
Step 2.1: Using the linear function standardization method, linearly transform the raw data, i.e. the historical traffic data after feature extraction and calculation, into the range [0,1], scaling the raw data proportionally; the standardization formula is:
where x′ is the standardized data, x is the raw data, and x_max and x_min are respectively the maximum and minimum of the raw data set;
Step 2.2: Using the catastrophe progression method, normalize the single-flow size SSF and the flow address growth speed AGS each into a single parameter:
Normalize the two attribute parameters of the single-flow size feature SSF using the cusp-type normalization formula:
where ANPF′ and ABSF′ are respectively the standardized ANPF and ABSF;
Normalize the two attribute parameters of the flow address growth speed AGS using the cusp-type normalization formula:
where IPGS′ and PGS′ are respectively the standardized IPGS and PGS.
Further, the training data set includes the observation sequence and the label sequence Y = {y_i | y_i ∈ {0,1}, i ∈ N}.
Further, after step 3, the method also includes: adjusting and optimizing the parameters of the DoS attack traffic classification model of the software defined network using maximum likelihood estimation.
Further, step 4 includes:
Step 4.1: Perform feature extraction and calculation of the single-flow size SSF, the flow address growth speed AGS and the flow table matching rate RSM on the real-time monitored traffic data of DoS attacks on the software defined network;
Step 4.2: Standardize and normalize the real-time monitored traffic data after feature extraction and calculation using the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized real-time monitored traffic data;
Step 4.3: Input the standardized and normalized real-time monitored traffic data into the DoS attack traffic classification model of the software defined network, and discriminate DoS attacks using the Viterbi algorithm:
Given the parameters of the CRF model P(Y | X) and the observation sequence X = (x_1, x_2, …, x_n), solve for the output label sequence that maximizes P(Y | X), where each element of the observation sequence X = (x_1, x_2, …, x_n) corresponds to the sequence formed by the single-flow size SSF, the flow address growth speed AGS and the flow table matching rate RSM, i.e.: The output label is the normal-or-abnormal decision for the network traffic of the software defined network.
Compared with the prior art, the present invention has the following beneficial effects:
1. By taking three strongly representative statistical attributes, the single-flow size, the flow address growth speed and the flow table matching rate, as the DoS attack detection features of the software defined network, the present invention can accurately describe the operating state of the software defined network.
2. The present invention combines the linear function standardization method and the catastrophe progression method to standardize each feature, which effectively solves the problem of detection results being biased toward a particular feature because feature value ranges and units are inconsistent.
3. The present invention uses a first-order CRF model as the DoS attack traffic classification model of the software defined network, which balances the performance and efficiency of DoS attack detection in software defined networks.
4. The present invention classifies monitored traffic collected in real time using the generated classification model and determines whether an anomaly exists, thereby achieving attack detection. Without modifying communication protocols, the invention can effectively detect DoS attacks on software defined networks in real time, can perceive the security state of the software defined network quantitatively and qualitatively, and achieves real-time, accurate detection of DoS attacks on software defined networks.
Brief description of the drawings
Fig. 1 is a basic flow chart of the DoS attack detection method for software defined networks according to an embodiment of the present invention.
Fig. 2 is a basic flow chart of the DoS attack detection method for software defined networks according to another embodiment of the present invention.
Detailed description
The present invention is further explained below with reference to the drawings and specific embodiments:
Embodiment 1:
As shown in Fig. 1, a DoS attack detection method for software defined networks according to the present invention includes the following steps:
Step S101: Taking the three statistical attributes single-flow size SSF, flow address growth speed AGS and flow table matching rate RSM as the DoS attack detection features of the software defined network, perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software defined network;
Step S102: Standardize and normalize the historical traffic data after feature extraction and calculation using the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data;
Step S103: Use the standardized and normalized historical traffic data as the training data set, and build the DoS attack traffic classification model of the software defined network with the conditional random field algorithm;
Step S104: Classify the real-time monitored traffic data of DoS attacks on the software defined network with the generated DoS attack traffic classification model, and determine whether an anomaly exists, thereby achieving attack detection.
Embodiment 2:
As shown in Fig. 2, another DoS attack detection method for software defined networks according to the present invention includes the following steps:
Step S201: Add labels to the collected historical traffic data of DoS attacks on the software defined network: 0 for normal data and 1 for abnormal data.
Step S202: Taking three strongly representative statistical attributes, the single-flow size SSF, the flow address growth speed AGS and the flow table matching rate RSM, as the DoS attack detection features of the software defined network, perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software defined network;
The single-flow size SSF (Size of a Single Flow) describes the size of each data flow entering the SDN network and includes two attribute parameters, the number of packets in a flow and the number of bytes in a flow; the mean number of packets per flow ANPF (average NPF) and the mean number of bytes per flow ABSF (average BSF) are respectively:
where FlowNum is the number of flows entering the SDN during the sampling time, NPF_i is the number of packets in flow i, and BSF_i is the number of bytes in flow i.
The flow address growth speed AGS (Address Growing Speed) includes two attribute parameters, the source IP growth speed IPGS (source IP growing speed) and the port growth speed PGS (port generating speed), where IPGS is the rate at which the number of source IPs of flows entering the SDN grows during the sampling time, and PGS is the rate at which the number of ports of flows entering the SDN grows during the sampling time. The source IP growth speed IPGS and the port growth speed PGS are respectively:
IPGS = SrcIP_Num / interval
PGS = PortNum / interval
where SrcIP_Num is the number of source IPs appearing during the sampling time, PortNum is the number of ports appearing during the sampling time, and interval is the sampling time.
The flow table matching rate RSM (ratio of successful matching of flow table) describes the probability that a data flow entering the SDN during the sampling time is matched directly by the switch's flow table. The flow table matching rate RSM is:
RSM = MatchNum / FlowNum
where MatchNum is the number of data flows that enter the SDN during the sampling time and are matched directly by the switch, and FlowNum is the total number of data flows entering the SDN during the sampling time.
The extraction and calculation represents each labeled historical traffic record of DoS attacks on the software defined network as a four-tuple <γ, ρ, λ, S>, where γ is the single-flow size feature SSF of the SDN, γ = {ANPF, ABSF}; ρ is the flow address growth speed feature AGS of the SDN, ρ = {IPGS, PGS}; λ is the flow table matching success rate feature RSM of the SDN; and S is the label, where S = 0 indicates normal and S = 1 indicates abnormal.
Step S203: Standardize and normalize the historical traffic data after feature extraction and calculation by combining the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data.
Step S203 includes:
Step S2031: The value ranges of the features differ greatly and their units also differ, and this inconsistency in value ranges would clearly bias the processing result toward features with larger value ranges. To balance features with inconsistent value ranges, each feature must be standardized, normalizing the feature values into the interval [0,1]. Because the quantized value distribution of each feature shows no obvious probability density characteristics, the linear function standardization (Min-Max Scaling) method is used: the raw data, i.e. the historical traffic data after feature extraction and calculation, is linearly transformed into the range [0,1], scaling the raw data proportionally. That is, each DoS attack detection feature of the software defined network must be standardized separately, including ANPF and ABSF in SSF, IPGS and PGS in AGS, and RSM; the standardization formula is:
where x′ is the standardized data, x is the raw data, and x_max and x_min are respectively the maximum and minimum of the raw data set;
Step S2032: Since SSF and AGS are composite features that each contain multiple sub-features, the catastrophe progression method (Catastrophe Progression Method) is used to normalize the single-flow size SSF and the flow address growth speed AGS each into a single parameter:
The specific normalization formula is chosen according to the number of sub-features: if a feature decomposes into only two sub-features, the cusp-type normalization formula can be used; if a feature decomposes into three sub-features, the swallowtail-type normalization formula can be used. The single-flow size feature SSF decomposes into two sub-features, so the cusp-type normalization formula is used, and ANPF is more representative of DoS attacks on software defined networks than ABSF, so:
where ANPF′ and ABSF′ are respectively the standardized ANPF and ABSF;
AGS likewise decomposes into two sub-features, so the cusp-type normalization formula is also used, and IPGS is more representative of DoS attacks on software defined networks than PGS, so:
where IPGS′ and PGS′ are respectively the standardized IPGS and PGS.
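The per-window feature extraction of Step S202 and the min-max standardization of Step S2031 can be sketched as follows. This is an added example, not code from the patent. Its assumptions: the `Flow` record layout, ANPF and ABSF computed as arithmetic means over FlowNum, bounds x_min and x_max fitted on the training windows and reused for live data with clipping to [0,1], and the constructed sample traffic. The catastrophe progression step is not included.

```python
from dataclasses import dataclass

FEATURES = ("ANPF", "ABSF", "IPGS", "PGS", "RSM")


@dataclass(frozen=True)
class Flow:
    """One flow seen in a sampling window (record layout is an assumption)."""
    src_ip: str
    port: int        # which port is counted is an assumption of this example
    packets: int     # NPF_i
    nbytes: int      # BSF_i
    matched: bool    # True if a switch flow entry matched the flow directly


def window_features(flows, interval):
    """Compute ANPF, ABSF, IPGS, PGS and RSM for one sampling window."""
    flow_num = len(flows)
    if flow_num == 0:
        raise ValueError("FlowNum is 0: per-flow means and RSM are undefined")
    if interval <= 0:
        raise ValueError("interval must be positive")
    return {
        "ANPF": sum(f.packets for f in flows) / flow_num,   # mean packets/flow
        "ABSF": sum(f.nbytes for f in flows) / flow_num,    # mean bytes/flow
        "IPGS": len({f.src_ip for f in flows}) / interval,  # SrcIP_Num/interval
        "PGS": len({f.port for f in flows}) / interval,     # PortNum/interval
        "RSM": sum(f.matched for f in flows) / flow_num,    # MatchNum/FlowNum
    }


def fit_min_max(rows):
    """Record (x_min, x_max) per feature over the training windows."""
    return {k: (min(r[k] for r in rows), max(r[k] for r in rows))
            for k in FEATURES}


def apply_min_max(row, bounds):
    """x' = (x - x_min) / (x_max - x_min), clipped to [0, 1].

    Clipping handles live values outside the training range; a constant
    training column (x_max == x_min) maps to 0.0 instead of dividing by zero.
    Both choices are assumptions of this example.
    """
    out = {}
    for k in FEATURES:
        lo, hi = bounds[k]
        if hi == lo:
            out[k] = 0.0
        else:
            out[k] = min(1.0, max(0.0, (row[k] - lo) / (hi - lo)))
    return out


def flood_window(n):
    """Constructed window: n one-packet flows, new source and port each time,
    none matched by an existing flow entry."""
    return [Flow(f"10.9.{i // 250}.{i % 250}", 1024 + i, 1, 64, False)
            for i in range(n)]


# Constructed sample traffic, 5-second sampling windows.
INTERVAL = 5.0
NORMAL_A = [
    Flow("10.0.0.1", 443, 120, 90000, True),
    Flow("10.0.0.1", 443, 80, 60000, True),
    Flow("10.0.0.2", 80, 100, 75000, True),
    Flow("10.0.0.2", 22, 100, 75000, False),
]
NORMAL_B = [
    Flow("10.0.0.1", 443, 50, 40000, True),
    Flow("10.0.0.1", 443, 150, 110000, True),
    Flow("10.0.0.2", 80, 100, 70000, True),
    Flow("10.0.0.3", 53, 40, 30000, True),
    Flow("10.0.0.3", 53, 60, 50000, True),
]

HISTORY = [window_features(w, INTERVAL)
           for w in (NORMAL_A, NORMAL_B, flood_window(50))]
BOUNDS = fit_min_max(HISTORY)
TRAIN_SCALED = [apply_min_max(r, BOUNDS) for r in HISTORY]
# A larger flood than anything in the training data: IPGS/PGS clip to 1.0.
LIVE_SCALED = apply_min_max(window_features(flood_window(200), INTERVAL), BOUNDS)

if __name__ == "__main__":
    for row in TRAIN_SCALED + [LIVE_SCALED]:
        print({k: round(v, 3) for k, v in row.items()})
```

In the constructed flood windows the raw signature is small ANPF and ABSF, high IPGS and PGS, and RSM at 0, which is the controller-facing table-miss pattern the background section describes.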
Step S204: Use the standardized and normalized historical traffic data as the training data set, and build the DoS attack traffic classification model of the software defined network with the conditional random field (conditional random fields, CRF) algorithm. The training data set includes the observation sequence and the label sequence Y = {y_i | y_i ∈ {0,1}, i ∈ N}. To balance detection performance and efficiency, the classification model is a first-order CRF model (with a first-order chain undirected graph as the graph structure, a logistic regression (LR) classifier as the unary potential function, and the pairwise potential function defined by the Ising/Potts model).
Step S205: Adjust and optimize the parameters of the DoS attack traffic classification model of the software defined network using maximum likelihood estimation (see Qiu Yazheng, Ren Yeqing, Liu Cheng (eds.), Probability Theory and Mathematical Statistics (4th edition), Science Press, 2015.08.01: 151-152).
Step S206: Classify the monitored traffic data of DoS attacks on the software defined network with the generated DoS attack traffic classification model, and determine whether an anomaly exists, thereby achieving attack detection.
Step S206 includes:
Step S2061: Perform feature extraction and calculation of the single-flow size SSF, the flow address growth speed AGS and the flow table matching rate RSM on the monitored traffic data of DoS attacks on the software defined network;
Step S2062: Standardize and normalize the monitored traffic data after feature extraction and calculation using the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized monitored traffic data;
Step S2063: Input the standardized and normalized monitored traffic data into the DoS attack traffic classification model of the software defined network, and discriminate DoS attacks using the Viterbi algorithm:
Given the parameters of the DoS attack traffic classification model of the software defined network, i.e. the CRF model P(Y | X), and the observation sequence X = (x_1, x_2, …, x_n), solve for the output label sequence that maximizes P(Y | X), where P(Y | X) is the conditional probability; each element of the observation sequence X = (x_1, x_2, …, x_n) corresponds to the sequence formed by the single-flow size SSF, the flow address growth speed AGS and the flow table matching rate RSM, i.e.: The output label is the normal-or-abnormal decision for SDN network traffic.
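The decoding in Step S2063 can be illustrated with a first-order chain model of the shape described in Step S204: a logistic-regression unary potential and a Potts pairwise potential, decoded with Viterbi. This is an added example, not the patent's implementation. The weights `W`, `B`, `J` and the (γ, ρ, λ) triples are constructed for illustration, not trained values.

```python
import math

# Constructed parameters (assumptions): one weight per feature (gamma, rho,
# lambda), a bias, and a Potts reward J for adjacent windows with equal labels.
W = (-2.0, 4.0, -4.0)
B = 0.0
J = 1.5


def unary(x):
    """Log-potentials (label 0, label 1) from a logistic-regression score."""
    z = B + sum(w * v for w, v in zip(W, x))
    # log(1 - sigmoid(z)) and log(sigmoid(z)), written with log1p for stability
    return (-math.log1p(math.exp(z)), -math.log1p(math.exp(-z)))


def pairwise(prev_label, label):
    """Potts potential: reward agreement between neighbouring windows."""
    return J if prev_label == label else 0.0


def viterbi(xs):
    """Label sequence maximising the sum of unary and pairwise log-potentials."""
    if not xs:
        return []
    score = list(unary(xs[0]))
    back = []                                  # back[t][y] = best previous label
    for x in xs[1:]:
        u = unary(x)
        new_score, ptr = [], []
        for y in (0, 1):
            prev = max((0, 1), key=lambda p: score[p] + pairwise(p, y))
            ptr.append(prev)
            new_score.append(score[prev] + pairwise(prev, y) + u[y])
        score = new_score
        back.append(ptr)
    y = max((0, 1), key=lambda label: score[label])
    path = [y]
    for ptr in reversed(back):                 # follow back-pointers to t = 0
        y = ptr[y]
        path.append(y)
    return path[::-1]


def independent(xs):
    """Per-window decision from the unary potential alone, for comparison."""
    return [int(unary(x)[1] > unary(x)[0]) for x in xs]


# Constructed (gamma, rho, lambda) triples, already scaled to [0, 1].
NORMAL = (0.8, 0.1, 0.9)       # large flows, few new addresses, high match rate
ATTACK = (0.1, 0.9, 0.05)      # tiny flows, many new addresses, table misses
BORDERLINE = (0.5, 0.45, 0.4)  # unary score slightly below the 0.5 boundary
SPIKE = (0.5, 0.6, 0.25)       # unary score slightly above the 0.5 boundary

SUSTAINED = [NORMAL, NORMAL, ATTACK, BORDERLINE, ATTACK, ATTACK]
BLIP = [NORMAL, SPIKE, NORMAL]

if __name__ == "__main__":
    print("sustained:", independent(SUSTAINED), "->", viterbi(SUSTAINED))
    print("blip:     ", independent(BLIP), "->", viterbi(BLIP))
```

The pairwise term keeps a borderline window inside a sustained attack labeled abnormal and suppresses an isolated one-window spike, so the choice of J trades single-window false positives against how quickly a label change is accepted.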
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A DoS attack detection method for software defined networks, characterized by comprising the following steps:
Step 1: Taking the three statistical attributes single-flow size SSF, flow address growth speed AGS and flow table matching rate RSM as the DoS attack detection features of the software defined network, perform feature extraction and calculation on the collected, labeled historical traffic data of DoS attacks on the software defined network;
Step 2: Standardize and normalize the historical traffic data after feature extraction and calculation using the linear function standardization method and the catastrophe progression method, obtaining standardized and normalized historical traffic data;
Step 3: Use the standardized and normalized historical traffic data as the training data set, and build the DoS attack traffic classification model of the software defined network with the conditional random field (CRF) algorithm, the classification model being a first-order CRF model;
Step 4: Classify the real-time monitored traffic data of DoS attacks on the software defined network with the generated DoS attack traffic classification model, and determine whether an anomaly exists, thereby achieving attack detection.
2. The DoS attack detection method for software defined networks according to claim 1, characterized in that, before step 1, the method further includes:
Adding labels to the collected historical traffic data of DoS attacks on the software defined network: 0 for normal data and 1 for abnormal data.
3. The DoS attack detection method for software defined networks according to claim 1, characterized in that the single-flow size SSF includes two attribute parameters, the number of packets in a flow and the number of bytes in a flow, and the mean number of packets per flow ANPF and the mean number of bytes per flow ABSF are respectively:
where FlowNum is the number of flows entering the software defined network during the sampling time, NPF_i is the number of packets in flow i, and BSF_i is the number of bytes in flow i.
4. The DoS attack detection method for software defined networks according to claim 3, characterized in that the flow address growth speed AGS includes two attribute parameters, the source IP growth speed IPGS and the port growth speed PGS, which are respectively:
IPGS = SrcIP_Num / interval
PGS = PortNum / interval
where SrcIP_Num is the number of source IPs appearing during the sampling time, PortNum is the number of ports appearing during the sampling time, and interval is the sampling time.
5. The DoS attack detection method for software defined networks according to claim 3, characterized in that the flow table matching rate RSM is:
RSM = MatchNum / FlowNum
where MatchNum is the number of data flows that enter the software defined network during the sampling time and are matched directly by the switch, and FlowNum is the total number of data flows entering the software defined network during the sampling time.
6. The DoS attack detection method for software defined networks according to claim 1 or 2, characterized in that the extraction and calculation represents each labeled historical traffic record of DoS attacks on the software defined network as a four-tuple <γ, ρ, λ, S>, where γ is the single-flow size feature SSF of the software defined network; ρ is the flow address growth speed feature AGS of the software defined network; λ is the flow table matching success rate feature RSM of the software defined network; and S is the label.
7. The DoS attack detection method for software defined networks according to claims 3 to 5, characterized in that step 2 includes:
Step 2.1: Using the linear function standardization method, linearly transform the raw data, i.e. the historical traffic data after feature extraction and calculation, into the range [0,1], scaling the raw data proportionally; the standardization formula is:
where x′ is the standardized data, x is the raw data, and x_max and x_min are respectively the maximum and minimum of the raw data set;
Step 2.2: Using the catastrophe progression method, normalize the single-flow size SSF and the flow address growth speed AGS each into a single parameter:
Normalize the two attribute parameters of the single-flow size feature SSF using the cusp-type normalization formula:
where ANPF′ and ABSF′ are respectively the standardized ANPF and ABSF;
Normalize the two attribute parameters of the flow address growth speed AGS using the cusp-type normalization formula:
where IPGS′ and PGS′ are respectively the standardized IPGS and PGS.
8. The DoS attack detection method for software defined networks according to claim 1, characterized in that the training data set includes the observation sequence and the label sequence Y = {y_i | y_i ∈ {0,1}, i ∈ N}.
9. The DoS attack detection method for software defined networks according to claim 1, characterized in that, after step 3, the method further includes: adjusting and optimizing the parameters of the DoS attack traffic classification model of the software defined network using maximum likelihood estimation.
10. the DoS attack detection method that software-oriented according to claim 8 defines network, which is characterized in that the step Rapid 4 include:
Step 4.1:Single stream scale SSF is carried out to the real time monitoring data on flows of the DoS attack of software defined network, stream address increases Fast AGS and flow table matching rate RSM feature extraction and calculating;
Step 4.2:It is described real-time to feature extraction and after calculating with linear function standardized method and mutation series method Monitoring data on flows is standardized and normalized, obtains standardization and normalized real time monitoring data on flows;
Step 4.3:Standardization and normalized real time monitoring data on flows Input Software are defined to the DoS attack flow point of network Class model carries out DoS attack differentiation using Viterbi algorithm:
Given CRF model P (Y | X) parameter and observation sequence X=(x1,x2,…,xn) under the conditions of, solve P (Y | X) it is maximum when it is defeated Flag sequence outWherein, observation sequence X=(x1,x2,…,xn) the corresponding single stream of each data The sequence of scale SSF, stream address speedup AGS and flow table matching rate RSM composition, i.e.,:Output tokenThe normal or abnormal judgement output of the network flow that network is defined for software-oriented.
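Step 4.3 as an added example (not code from the patent): Viterbi decoding over a two-label linear-chain CRF, next to a per-window baseline. The bias, feature weights, transition scores and sample windows are all constructed for illustration; a trained model would supply the real parameters.

```python
# Labels: 0 = normal traffic, 1 = DoS. Each observation is (SSF, AGS, RSM) in [0, 1].
# All parameters below are constructed for illustration, not taken from the patent.
BIAS = (0.0, -1.0)                              # per-label bias
WEIGHTS = ((0.0, 0.0, 0.0), (-2.0, 4.0, -2.0))  # per-label weights for SSF, AGS, RSM
TRANS = ((0.5, -0.5), (-0.5, 0.5))              # TRANS[prev][cur]: staying beats switching
LABELS = (0, 1)

def state_score(label, x):
    """Unnormalised CRF state score of one window under one label."""
    return BIAS[label] + sum(w * v for w, v in zip(WEIGHTS[label], x))

def pointwise(observations):
    """Baseline: label each window on its own, ignoring its neighbours."""
    return [max(LABELS, key=lambda y: state_score(y, x)) for x in observations]

def viterbi(observations):
    """Label sequence Y with the highest total score, i.e. the maximiser of P(Y|X)."""
    if not observations:
        return []
    best = [state_score(y, observations[0]) for y in LABELS]
    back = []                                   # back[t][y]: best predecessor of y
    for x in observations[1:]:
        ptr = [max(LABELS, key=lambda p: best[p] + TRANS[p][y]) for y in LABELS]
        best = [best[ptr[y]] + TRANS[ptr[y]][y] + state_score(y, x) for y in LABELS]
        back.append(ptr)
    y = max(LABELS, key=lambda l: best[l])
    path = [y]
    for ptr in reversed(back):                  # walk the back-pointers to t = 0
        y = ptr[y]
        path.append(y)
    return path[::-1]

# Constructed windows: a burst at t=2..4 whose middle window looks ambiguous.
SAMPLE = [(0.8, 0.1, 0.9), (0.7, 0.2, 0.8), (0.2, 0.9, 0.2),
          (0.4, 0.5, 0.5), (0.1, 0.9, 0.1), (0.8, 0.1, 0.9)]

if __name__ == "__main__":
    print("pointwise:", pointwise(SAMPLE))
    print("viterbi:  ", viterbi(SAMPLE))
```

The per-window baseline flips back to normal at the ambiguous window, while the decoded sequence keeps the burst contiguous because the transition scores penalise label switches.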
CN201810537828.9A 2018-05-30 2018-05-30 DoS attack detection method for software defined network Active CN108833376B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810537828.9A CN108833376B (en) 2018-05-30 2018-05-30 DoS attack detection method for software defined network

Publications (2)

Publication Number Publication Date
CN108833376A true CN108833376A (en) 2018-11-16
CN108833376B CN108833376B (en) 2020-12-15

Family

ID=64146959

Country Status (1)

Country Link
CN (1) CN108833376B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140283051A1 (en) * 2013-03-14 2014-09-18 Radware, Ltd. System and method thereof for mitigating denial of service attacks in virtual networks
CN106911726A (en) * 2017-05-02 2017-06-30 深圳大学 A kind of ddos attack simulation of software defined network and attack detection method and device
CN107231384A (en) * 2017-08-10 2017-10-03 北京科技大学 A kind of ddos attack detection defence method cut into slices towards 5g networks and system
CN107959690A (en) * 2018-01-16 2018-04-24 中国人民解放军国防科技大学 DDoS attack cross-layer cooperative defense method based on software defined network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
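刘运 et al.: "DDoS attack detection method based on conditional random fields", 《软件学报》 (Journal of Software) *
陈世文: "Research on DDoS attack detection techniques based on spectral analysis and statistical machine learning", 《中国博士学位论文全文数据库 信息科技辑》 (China Doctoral Dissertations Full-text Database, Information Science and Technology) *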

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110210508A (en) * 2018-12-06 2019-09-06 北京奇艺世纪科技有限公司 Model generating method, anomalous traffic detection method, device, electronic equipment, computer readable storage medium
CN110210508B (en) * 2018-12-06 2021-11-09 北京奇艺世纪科技有限公司 Model generation method, abnormal flow detection device, electronic device and computer-readable storage medium
CN110011983A (en) * 2019-03-19 2019-07-12 中国民航大学 A kind of Denial of Service attack detection method based on flow table feature
CN110011983B (en) * 2019-03-19 2021-02-19 中国民航大学 Flow table characteristic-based denial of service attack detection method
CN110213280A (en) * 2019-06-10 2019-09-06 湘潭大学 Ddos attack detection method based on LDMDBF under a kind of SDN environment
CN112995104A (en) * 2019-12-16 2021-06-18 海信集团有限公司 Communication equipment and network security prediction method
CN112995104B (en) * 2019-12-16 2022-05-20 海信集团有限公司 Communication equipment and network security prediction method
CN113242211A (en) * 2021-04-12 2021-08-10 北京航空航天大学 Efficient DDoS attack detection method for software defined network
CN114039780A (en) * 2021-11-10 2022-02-11 湖南大学 Low-speed DoS attack real-time response scheme based on flow coefficient
CN115250193A (en) * 2021-12-22 2022-10-28 长沙理工大学 DoS attack detection method, device and medium for SDN network
CN115250193B (en) * 2021-12-22 2024-02-23 长沙理工大学 DoS attack detection method, device and medium for SDN network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant