CN109040131A - A kind of LDoS attack detection method under SDN environment - Google Patents
- Publication number: CN109040131A (application CN201811117493.1A)
- Authority: CN (China)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1458: Denial of Service
Abstract
The present invention relates to an LDoS attack detection method in an SDN environment, comprising the following steps: locating the switch suspected of being under attack according to the difference Del between the number of packets flowing into and the number of packets flowing out of each switch in the SDN network per unit time; for the suspected switch, locating the ingress port of the attack traffic from the traffic statistics of each of its ports; and collecting flow statistics separately for every flow entering that port and locating the source MAC and destination MAC information of the attack flow, so as to find the attack flow.
Description
Technical field
The present invention relates to an LDoS attack detection method in an SDN environment.
Background technique
Low-rate Denial of Service (LDoS) attack is a new kind of network attack that has appeared in recent years. It exploits weaknesses in the adaptive mechanisms of the network, such as the congestion control mechanism of the TCP protocol and the queue management mechanism of routers. It uses periodic, high-rate, short-duration pulses to make the network switch constantly between stable and unstable states, seriously degrading network performance. Because LDoS attack traffic consists of periodic high-rate short-duration pulses and the attacker stays silent most of the time, the average rate of an LDoS attack is very low and differs very little from normal traffic, which greatly increases the difficulty of detection. Unlike traditional DDoS attacks, the LDoS attack has the characteristics of periodic high-rate short-duration pulses, a low average attack rate, a large attack effect and harm, and a high detection difficulty. Compared with traditional DoS attacks, it has three outstanding features:
● the targets of the attack are the various adaptive mechanisms, and the reactions and adjustments the attack triggers are legitimate, so the victim can be attacked for a long time without noticing;
● the attack traffic is similar in its characteristics to many genuine data flows, so the attack is highly concealed;
● the attack cost is low: a single attack source can launch an attack, and the amount of data it needs to send is far smaller than that of a flooding DoS attack.
For traditional network architectures, researchers have proposed many LDoS attack detection methods, broadly divided into frequency-domain detection and time-domain detection. In frequency-domain detection, the main methods currently used are the power spectral density (PSD) detection method, the discrete wavelet transform (DWT) analysis method and the autocorrelation analysis method; in time-domain detection there is mainly the time-window detection method proposed by Professor Wu Zhijun of the Civil Aviation University of China.
At present, research on LDoS attack detection is still concentrated mainly on traditional network architectures, and research on LDoS attack detection in emerging network architectures such as SDN is scarce. Compared with traditional network architectures, SDN networks have features such as separation of control and forwarding and programmable network behavior, which provide new ideas and methods for LDoS attack detection. The present invention proposes a method for detecting LDoS attacks in an SDN environment.
Summary of the invention
In view of the above problems, the present invention uses the SDN features of control/forwarding separation and programmable network behavior, and proposes an LDoS attack detection method in an SDN environment. It mainly uses the advantage that the SDN controller can monitor the whole network globally to monitor each port of a switch or every flow passing through it; all of this is supported by the OpenFlow protocol and requires no additional physical equipment. Through real-time monitoring of port traffic, abnormal port traffic can be found; then, by analyzing separately every flow passing through that port, the attack traffic can be found, completing the detection of the LDoS attack. To achieve the above object, the present invention adopts the following technical scheme:
An LDoS attack detection method in an SDN environment, comprising the following steps:
1) locating the switch suspected of being under attack according to the difference Del between the number of packets flowing into and the number of packets flowing out of each switch in the SDN network per unit time;
2) for the suspected switch, locating the ingress port of the attack traffic from the traffic statistics of each of its ports;
3) collecting flow statistics separately for every flow entering that port and locating the source MAC and destination MAC information of the attack flow, so as to find the attack flow.
The method of step (2) may be as follows: set a threshold s; sample the rate of each port of the suspected switch with sampling period T; whenever the sampled value of a port is greater than s, record the current time t_i. If, for the configured n, there exist t_n - t_(n-1) = t_(n-1) - t_(n-2) = ... = t_2 - t_1, then the port is judged to carry periodic attack pulses.
By adopting the above technical scheme, the invention has the following advantages:
(1) The present invention detects abnormal traffic on the basis of the SDN network architecture and uses the OpenFlow protocol to implement per-port or per-flow traffic statistics, so no additional physical equipment is needed; the statistical analysis of the traffic does not affect normal traffic.
(2) The present invention detects abnormal traffic using the SDN architecture and exploits SDN's ability to collect statistics separately for every flow, so the source MAC, destination MAC and other information of the attack traffic can be found quickly.
(3) Once attack traffic is detected, the present invention can defend against the attack in time by issuing flow table entries, which is simple and fast.
Brief description of the drawings
Fig. 1 is the LDoS detection flow chart.
Specific embodiment
(1) Locate the switch suspected of being under attack by analyzing the value Delt, where Delt = in_package - out_package, in_package is the number of packets flowing into the switch per unit time and out_package is the number of packets flowing out of the switch. Under normal circumstances the difference between the two should be very small, i.e. inflow and outflow are in a state of relative balance. When short-duration, high-rate LDoS attack traffic flows in, a large number of packets pour into the switch and cause the Delt value to increase sharply, so this value can be used as a condition for prejudging whether a switch is under LDoS attack.
(2) Analyze the port traffic of the suspected switch located in step (1) and locate the port suspected of being under attack. The specific steps are: set a threshold s; sample the rate of each port of the switch with sampling period T; whenever the sampled value of a port is greater than s, record the current time t_i. If, for the configured n, there exist t_n - t_(n-1) = t_(n-1) - t_(n-2) = ... = t_2 - t_1, then the port is judged to carry periodic attack pulses.
(3) Analyze the flow table of the suspected switch, collecting the rate of each flow separately; the judgment method is similar to that of step (2), and its purpose is to find the attack flow. Since the ingress port of the attack traffic has already been found in step (2) by analyzing the abnormal port traffic, only the flow entries whose InPort is the suspected attacked port need to be analyzed when analyzing the flow table.
(4) If an attack flow is found, extract the source MAC address information of the attack flow and defend by issuing flow table entries.
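The three-stage procedure of the summary and of the specific embodiment above, as an added example that is not code from the patent: it runs the Delt check, the periodic-pulse rule on per-port rate samples and the per-flow rule restricted to the suspected InPort over constructed counters of the kind an OpenFlow controller collects. Assumptions: the sample data belongs to the single switch s1, and consecutive over-threshold samples are merged into one pulse (the patent does not say how a burst longer than T is counted).

```python
# Added example, not code from the patent: the three-stage LDoS check run over
# constructed per-switch, per-port and per-flow counters. Merging consecutive
# over-threshold samples into one pulse (pulse_times) is an assumption added here.

def suspicious_switches(in_pkts, out_pkts, delt_threshold):
    """Step (1): Delt = in_package - out_package per switch in one unit time;
    a switch whose Delt exceeds the threshold is suspected to be under attack."""
    return [sw for sw in in_pkts if in_pkts[sw] - out_pkts[sw] > delt_threshold]

def pulse_times(samples, s, T):
    """Times t_i at which a rate sample (taken every T) first exceeds s; a run of
    over-threshold samples is one pulse, so a long burst is not several hits."""
    times, prev_hot = [], False
    for i, rate in enumerate(samples):
        hot = rate > s
        if hot and not prev_hot:
            times.append(i * T)
        prev_hot = hot
    return times

def has_periodic_pulses(samples, s, T, n):
    """Step (2) rule: the last n pulse times satisfy
    t_n - t_(n-1) = t_(n-1) - t_(n-2) = ... = t_2 - t_1."""
    times = pulse_times(samples, s, T)
    if len(times) < n:
        return False
    recent = times[-n:]
    gaps = [b - a for a, b in zip(recent, recent[1:])]
    return all(g == gaps[0] for g in gaps)

def attacked_ports(port_samples, s, T, n):
    """Step (2): ports of the suspected switch showing periodic pulses."""
    return [p for p, smp in port_samples.items() if has_periodic_pulses(smp, s, T, n)]

def attack_flows(flow_samples, in_port, s, T, n):
    """Step (3): only flow entries whose InPort is the suspected port are
    examined; returns (src_mac, dst_mac) of flows with the same pulse pattern."""
    return [(src, dst) for (port, src, dst), smp in flow_samples.items()
            if port == in_port and has_periodic_pulses(smp, s, T, n)]

def pulsed(period, high, low, count=20, width=2):
    """Constructed rate series: a 'width'-sample burst every 'period' samples."""
    return [high if i % period < width else low for i in range(count)]

# Constructed sample data (T = 1 s): switch s1 retains 400 packets in the
# window; its port 1 and one flow on it pulse every 5 s; port 2 is normal.
IN_PKTS, OUT_PKTS = {"s1": 1000, "s2": 500}, {"s1": 600, "s2": 495}
PORT_RATES = {1: pulsed(5, 900, 50), 2: [40, 60] * 10}
FLOW_RATES = {
    (1, "02:00:00:00:00:01", "02:00:00:00:00:99"): pulsed(5, 880, 0),
    (1, "02:00:00:00:00:02", "02:00:00:00:00:99"): [30] * 20,
    (2, "02:00:00:00:00:03", "02:00:00:00:00:99"): pulsed(5, 900, 50),
}

def run(s=500, T=1, n=4, delt_threshold=100):
    """Chain the three steps; PORT_RATES and FLOW_RATES are assumed to be s1's."""
    found = {}
    for sw in suspicious_switches(IN_PKTS, OUT_PKTS, delt_threshold):
        for port in attacked_ports(PORT_RATES, s, T, n):
            found[(sw, port)] = attack_flows(FLOW_RATES, port, s, T, n)
    return found  # {("s1", 1): [("02:00:00:00:00:01", "02:00:00:00:00:99")]}
```

The source MAC returned by run() is the value step (4) would match on when issuing a flow table entry; the thresholds s, n and delt_threshold are constructed for the sample data and must be tuned per deployment.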
Claims (2)
1. An LDoS attack detection method in an SDN environment, comprising the following steps:
1) locating the switch suspected of being under attack according to the difference Del between the number of packets flowing into and the number of packets flowing out of each switch in the SDN network per unit time;
2) for the suspected switch, locating the ingress port of the attack traffic from the traffic statistics of each of its ports;
3) collecting flow statistics separately for every flow entering that port and locating the source MAC and destination MAC information of the attack flow, so as to find the attack flow.
2. The attack detection method according to claim 1, characterized in that the method of step (2) is as follows: set a threshold s; sample the rate of each port of the suspected switch with sampling period T; whenever the sampled value of a port is greater than s, record the current time t_i; if, for the configured n, there exist t_n - t_(n-1) = t_(n-1) - t_(n-2) = ... = t_2 - t_1, then the port is judged to carry periodic attack pulses.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811117493.1A CN109040131B (en) | 2018-09-20 | 2018-09-20 | LDoS attack detection method in SDN environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040131A true CN109040131A (en) | 2018-12-18 |
CN109040131B CN109040131B (en) | 2021-04-27 |
Family
ID=64617970
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811117493.1A Active CN109040131B (en) | 2018-09-20 | 2018-09-20 | LDoS attack detection method in SDN environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040131B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102457489A (en) * | 2010-10-26 | 2012-05-16 | 中国民航大学 | Attacking, detecting and defending module for LDoS (Low-rate Denial of Service) |
CN103139166A (en) * | 2011-11-30 | 2013-06-05 | 中国民航大学 | Low-rate denial of service (LDoS) attack detection method based on small signal detection theory |
CN103546465A (en) * | 2013-10-15 | 2014-01-29 | 北京交通大学长三角研究院 | Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method |
CN103746965A (en) * | 2013-12-19 | 2014-04-23 | 柳州职业技术学院 | Low-bitrate denial of service attack method based on data flow |
CN104378380A (en) * | 2014-11-26 | 2015-02-25 | 南京晓庄学院 | System and method for identifying and preventing DDoS attacks on basis of SDN framework |
CN106572107A (en) * | 2016-11-07 | 2017-04-19 | 北京科技大学 | Software defined network-oriented DDoS attack defense system and method |
WO2017067577A1 (en) * | 2015-10-20 | 2017-04-27 | Huawei Technologies Co., Ltd. | Direct replying actions in sdn switches |
CN106657107A (en) * | 2016-12-30 | 2017-05-10 | 南京邮电大学 | Self-adaptively started ddos defense method and system based on trust value in SDN |
CN108199898A (en) * | 2018-01-12 | 2018-06-22 | 中国民航大学 | A kind of method for enhancing LDoS attack efficiency |
Non-Patent Citations (6)
Title |
---|
吴志军, 曾化龙, 岳猛 (Wu Zhijun, Zeng Hualong, Yue Meng): "Research on an LDoS attack detection method based on time-window statistics", 《通信学报》 (Journal on Communications) * |
张永 (Zhang Yong): "Design and implementation of a DDoS detection and control system", China Master's Theses Full-text Database, Information Science and Technology * |
曾卫 (Zeng Wei): "A detection method for low-rate denial-of-service attacks", China Master's Theses Full-text Database, Information Science and Technology * |
李锦玲 (Li Jinling): "Research on anomaly detection algorithms for application-layer distributed denial-of-service attacks", China Master's Theses Full-text Database, Information Science and Technology * |
梁缘 (Liang Yuan): "Design and implementation of a DDoS attack defense mechanism for a mapping system based on control/data separation", China Master's Theses Full-text Database, Information Science and Technology * |
胡小龙 (Hu Xiaolong): "Research on DDoS attack detection and defense techniques for SDN controllers", China Master's Theses Full-text Database, Information Science and Technology * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112637202A (en) * | 2020-12-22 | 2021-04-09 | 贵州大学 | LDoS attack detection method based on integrated wavelet transform in SDN environment |
CN112637202B (en) * | 2020-12-22 | 2022-08-12 | 贵州大学 | LDoS attack detection method based on integrated wavelet transform in SDN environment |
CN112788058A (en) * | 2021-01-28 | 2021-05-11 | 湖南大学 | LDoS attack detection and mitigation scheme based on SDN controller |
CN112910889A (en) * | 2021-01-29 | 2021-06-04 | 湖南大学 | LDoS attack detection and mitigation scheme based on FGD-FM in SDN |
CN112910889B (en) * | 2021-01-29 | 2022-05-13 | 湖南大学 | LDoS attack detection and mitigation method based on FGD-FM in SDN |
Also Published As
Publication number | Publication date |
---|---|
CN109040131B (en) | 2021-04-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |