CN109040131A - LDoS attack detection method in an SDN environment - Google Patents

LDoS attack detection method in an SDN environment

Info

Publication number
CN109040131A
Authority
CN
China
Prior art keywords
attack
port
flow
suspected
switch
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811117493.1A
Other languages
Chinese (zh)
Other versions
CN109040131B (en)
Inventor
高镇
周蕾
冷俊儒
李�根
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin University
Priority to CN201811117493.1A
Publication of CN109040131A
Application granted
Publication of CN109040131B
Legal status: Active
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an LDoS attack detection method in an SDN environment, comprising the following steps: locating suspected attacked switches according to the difference Del between the number of packets flowing into and out of each switch per unit time in the SDN network; for a suspected attacked switch, locating the inflow port of the attack traffic from the traffic statistics of each of its ports; and counting flow information separately for every flow entering that port to locate the source MAC and destination MAC of the attack flow, thereby finding the attack flow.

Description

LDoS attack detection method in an SDN environment
Technical field
The present invention relates to an LDoS attack detection method in an SDN environment.
Background art
Low-rate denial of service (LDoS) attack is a new kind of network attack that has appeared in recent years. It exploits weaknesses in the adaptive mechanisms of the network, such as the congestion control mechanism of the TCP protocol and the queue management mechanism of routers. It uses periodic short-time high-rate pulses so that the network keeps switching between a stable and an unstable state, seriously degrading network performance. Because LDoS attack traffic consists of periodic short-time high-rate pulses and the attacking end stays silent most of the time, the average rate of an LDoS attack is very low and differs very little from normal traffic, which greatly increases the difficulty of detection. Unlike a traditional DDoS attack, the LDoS attack traffic is a periodic short-time high-rate pulse train, so the attack has a low average traffic rate, a large attack effect and harm, and is hard to detect. Compared with a traditional DoS attack, the attack has three prominent features:
● The attack targets various adaptive mechanisms, and the reaction and adjustment caused by the attack are legitimate, so the victim end can be attacked in stages for a long time without noticing anything;
● The attack traffic resembles the characteristics of many genuine data flows, so the attack is very well concealed;
● The attack cost is low: a single attack source can launch an attack, and the amount of data that needs to be sent is far smaller than that of a flooding DoS attack.
For the traditional network architecture, researchers have proposed many LDoS attack detection methods, broadly divided into frequency-domain detection and time-domain detection. In frequency-domain detection, the main methods at present are the power spectral density (PSD) detection method, the discrete wavelet transform (DWT) analysis method and the autocorrelation analysis method; in time-domain detection, there is mainly the time-window detection method proposed by Professor Wu Zhijun of the Civil Aviation University of China.
At present, research on LDoS attack detection is still mainly concentrated on the traditional network architecture, and there is very little research on LDoS attack detection under emerging network architectures such as SDN. Compared with the traditional network architecture, an SDN network separates control from forwarding and has programmable network behaviour, which provides new ideas and methods for the detection of LDoS attacks. The invention proposes a method for detecting LDoS attacks in an SDN environment.
Summary of the invention
In view of the above problems, the present invention makes use of the SDN features of control/forwarding separation and programmable network behaviour and proposes an LDoS attack detection method in an SDN environment. It mainly uses the advantage that the SDN controller can monitor the network globally to monitor each port of a switch, or each individual flow; all of this work is supported by the OpenFlow protocol and needs no additional physical equipment. By monitoring port traffic in real time, abnormal port traffic can be discovered; then, by analysing the traffic of every flow passing through that port separately, the attack traffic can be found and the detection of the LDoS attack is complete. To achieve the above object, the present invention adopts the following technical scheme:
An LDoS attack detection method in an SDN environment, comprising the following steps:
1) locating suspected attacked switches according to the difference Del between the number of packets flowing into and out of each switch per unit time in the SDN network;
2) for a suspected attacked switch, locating the inflow port of the attack traffic from the traffic statistics of each of its ports;
3) counting flow information separately for every flow entering that port, and locating the source MAC and destination MAC of the attack flow, so as to find the attack flow.
The method of step (2) may be as follows: set a threshold s and sample the rate of each port of the suspected attacked switch with sampling period T; whenever the sampled value of a port is greater than s, record the time t_i at that moment. If, for a preset n, t_n - t_{n-1} = t_{n-1} - t_{n-2} = ... = t_2 - t_1, then it is determined that this port carries periodic attack pulses.
The invention adopts the above technical scheme, which has the following advantages:
(1) The present invention detects abnormal traffic on the basis of the SDN network architecture, using the OpenFlow protocol to collect per-port or per-flow traffic statistics, so no additional physical equipment is needed; the statistical analysis of the traffic does not affect normal traffic.
(2) The present invention detects abnormal traffic using the SDN architecture, and can use SDN's ability to keep separate traffic statistics for every flow to find the source MAC, destination MAC and other information of the attack traffic quickly.
(3) Once attack traffic is detected, the present invention can defend against the attack in time by issuing a flow table entry, which is simple and fast.
Description of the drawings
Fig. 1 is the LDoS detection flow chart.
Specific embodiment
(1) Locate the suspected attacked switch by analysing the Delt value, where Delt = in_package - out_package,
in_package is the number of packets flowing into the switch per unit time and out_package is the number of packets flowing out of the switch. Under normal circumstances the difference between the two should be very small, i.e. inflow and outflow are in relative balance. When short-time high-rate LDoS attack traffic flows in, a large number of packets pour into the switch and cause the value of Delt to increase sharply, so this value can be used as a condition for pre-judging whether the switch is under LDoS attack.
(2) Analyse the port traffic of the suspected attacked switch located in step (1) to locate the suspected attacked port. The specific steps are: set a threshold s and sample the rate of each port of the switch with sampling period T; whenever the sampled value of a port is greater than s, record the time t_i at that moment. If, for a preset n, t_n - t_{n-1} = t_{n-1} - t_{n-2} = ... = t_2 - t_1, then it is determined that this port carries periodic attack pulses.
(3) Analyse the flow table of the suspected attacked switch, computing the rate of each flow separately; the judgement method is similar to that of step (2), and is used to find the attack flow. Since the inflow port of the attack traffic has already been found by analysing the port traffic in step (2), only the flow table entries whose InPort is the suspected attacked port need to be analysed.
(4) If an attack flow is found, extract the source MAC address information of the attack flow and defend by issuing a flow table entry.
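The three-stage procedure above (Delt per switch, periodic pulses per port, per-flow check restricted to the suspected InPort) as an added example that is not the patent's own code; the helper names, the Delt threshold and the optional jitter tolerance are assumptions, and the counters and rate samples are constructed.

```python
# Added example, not code from the patent: the three-step check of the
# description over constructed OpenFlow-style counters. Helper names, the
# Delt threshold and the jitter tolerance are assumptions, not from the text.

def delt(in_package, out_package):
    """Step (1): Delt = in_package - out_package for one unit time."""
    return in_package - out_package

def suspected_switches(counters, delt_threshold):
    """counters: {switch_id: (in_package, out_package)} for one unit time.
    The patent only says Delt rises sharply under attack; the numeric
    threshold is an assumed tunable."""
    return [sw for sw, (i, o) in counters.items() if delt(i, o) > delt_threshold]

def pulse_times(samples, s, period):
    """Step (2) sampling: times t_i at which the sampled rate exceeds s.
    samples[k] is the rate sampled at time k * period."""
    return [k * period for k, rate in enumerate(samples) if rate > s]

def is_periodic(times, n, jitter=0):
    """Step (2) decision: the last n exceedance times are equally spaced,
    t_n - t_{n-1} = t_{n-1} - t_{n-2} = ... = t_2 - t_1. jitter=0 is the
    patent's strict equality; a small jitter tolerates sampling misalignment."""
    if len(times) < n or n < 2:
        return False
    last = times[-n:]
    gaps = [b - a for a, b in zip(last, last[1:])]
    return max(gaps) - min(gaps) <= jitter

def suspected_ports(port_samples, s, period, n):
    """port_samples: {port_no: [rate samples]} of one suspected switch."""
    return [p for p, smp in port_samples.items()
            if is_periodic(pulse_times(smp, s, period), n)]

def attack_flows(flow_samples, in_port, s, period, n):
    """Step (3): only flow entries whose InPort is the suspected port are
    judged, with the same rule as for ports; returns (src_mac, dst_mac)."""
    return [(src, dst) for port, src, dst, smp in flow_samples
            if port == in_port and is_periodic(pulse_times(smp, s, period), n)]

def demo():
    """Constructed sample: switch 2 is pulsed on port 2 by one flow."""
    counters = {1: (10000, 9990), 2: (12000, 8500)}
    pulses = [500, 30, 20, 520, 25, 30, 510, 28, 22, 530]   # pulse every 3 s
    normal = [40, 55, 60, 48, 52, 45, 50, 58, 47, 51]
    uneven = [300, 20, 310, 20, 20, 20, 320, 20, 20, 330]   # bursty, not periodic
    ports = {1: normal, 2: pulses, 3: uneven}
    flows = [(2, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:01", pulses),
             (2, "aa:aa:aa:00:00:02", "bb:bb:bb:00:00:01", normal),
             (1, "aa:aa:aa:00:00:03", "bb:bb:bb:00:00:02", pulses)]  # other InPort
    sw = suspected_switches(counters, delt_threshold=500)
    port = suspected_ports(ports, s=100, period=1, n=4)
    return sw, port, attack_flows(flows, port[0], s=100, period=1, n=4)
```

The third flow in demo() pulses on a port that step (2) did not flag and is therefore never examined, which is exactly the narrowing step (3) relies on; port 3 shows that bursts alone do not satisfy the equal-spacing test.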

Claims (2)

1. An LDoS attack detection method in an SDN environment, comprising the following steps:
1) locating suspected attacked switches according to the difference Del between the number of packets flowing into and out of each switch per unit time in the SDN network;
2) for a suspected attacked switch, locating the inflow port of the attack traffic from the traffic statistics of each of its ports;
3) counting flow information separately for every flow entering that port, and locating the source MAC and destination MAC of the attack flow, so as to find the attack flow.
2. The attack detection method according to claim 1, characterised in that the method of step (2) is as follows: set a threshold s and sample the rate of each port of the suspected attacked switch with sampling period T; whenever the sampled value of a port is greater than s, record the time t_i at that moment; if, for a preset n, t_n - t_{n-1} = t_{n-1} - t_{n-2} = ... = t_2 - t_1, then it is determined that this port carries periodic attack pulses.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811117493.1A CN109040131B (en) 2018-09-20 2018-09-20 LDoS attack detection method in SDN environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811117493.1A CN109040131B (en) 2018-09-20 2018-09-20 LDoS attack detection method in SDN environment

Publications (2)

Publication Number Publication Date
CN109040131A true CN109040131A (en) 2018-12-18
CN109040131B CN109040131B (en) 2021-04-27

Family

ID=64617970

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811117493.1A Active CN109040131B (en) 2018-09-20 2018-09-20 LDoS attack detection method in SDN environment

Country Status (1)

Country Link
CN (1) CN109040131B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457489A (en) * 2010-10-26 2012-05-16 中国民航大学 Attacking, detecting and defending module for LDoS (Low-rate Denial of Service)
CN103139166A (en) * 2011-11-30 2013-06-05 中国民航大学 Low-rate denial of service (LDoS) attack detection method based on small signal detection theory
CN103546465A (en) * 2013-10-15 2014-01-29 北京交通大学长三角研究院 Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method
CN103746965A (en) * 2013-12-19 2014-04-23 柳州职业技术学院 Low-bitrate denial of service attack method based on data flow
CN104378380A (en) * 2014-11-26 2015-02-25 南京晓庄学院 System and method for identifying and preventing DDoS attacks on basis of SDN framework
CN106572107A (en) * 2016-11-07 2017-04-19 北京科技大学 Software defined network-oriented DDoS attack defense system and method
WO2017067577A1 (en) * 2015-10-20 2017-04-27 Huawei Technologies Co., Ltd. Direct replying actions in sdn switches
CN106657107A (en) * 2016-12-30 2017-05-10 南京邮电大学 Self-adaptively started ddos defense method and system based on trust value in SDN
CN108199898A (en) * 2018-01-12 2018-06-22 中国民航大学 A method for enhancing LDoS attack efficiency

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
吴志军, 曾化龙, 岳猛: "Research on an LDoS attack detection method based on time-window statistics", Journal on Communications *
张永: "Design and implementation of a DDoS detection and control system", China Master's Theses Full-text Database, Information Science and Technology *
曾卫: "A detection method for low-rate denial of service attacks", China Master's Theses Full-text Database, Information Science and Technology *
李锦玲: "Research on anomaly detection algorithms for application-layer distributed denial of service attacks", China Master's Theses Full-text Database, Information Science and Technology *
梁缘: "Design and implementation of a DDoS attack defence mechanism for a mapping system based on control and data separation", China Master's Theses Full-text Database, Information Science and Technology *
胡小龙: "Research on DDoS attack detection and defence techniques for SDN controllers", China Master's Theses Full-text Database, Information Science and Technology *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637202A (en) * 2020-12-22 2021-04-09 贵州大学 LDoS attack detection method based on integrated wavelet transform in SDN environment
CN112637202B (en) * 2020-12-22 2022-08-12 贵州大学 LDoS attack detection method based on integrated wavelet transform in SDN environment
CN112788058A (en) * 2021-01-28 2021-05-11 湖南大学 LDoS attack detection and mitigation scheme based on SDN controller
CN112910889A (en) * 2021-01-29 2021-06-04 湖南大学 LDoS attack detection and mitigation scheme based on FGD-FM in SDN
CN112910889B (en) * 2021-01-29 2022-05-13 湖南大学 LDoS attack detection and mitigation method based on FGD-FM in SDN

Also Published As

Publication number Publication date
CN109040131B (en) 2021-04-27

Similar Documents

Publication Publication Date Title
Mori et al. Identifying elephant flows through periodically sampled packets
Hu et al. FADM: DDoS flooding attack detection and mitigation system in software-defined networking
CN109040131A (en) LDoS attack detection method in an SDN environment
Rasley et al. Planck: Millisecond-scale monitoring and control for commodity networks
CN106357673B (en) Multi-tenant cloud computing system DDoS attack detection method and system
US8644151B2 (en) Processing packet flows
Zhang et al. Flow level detection and filtering of low-rate DDoS
US10097464B1 (en) Sampling based on large flow detection for network visibility monitoring
CN106230819B (en) DDoS detection method based on flow sampling
CN111490975A (en) Distributed denial of service DDoS attack tracing system and method based on software defined network
US9979624B1 (en) Large flow detection for network visibility monitoring
US10574546B2 (en) Network monitoring using selective mirroring
Lu et al. ElephantTrap: A low cost device for identifying large flows
JP2005277804A (en) Information relaying apparatus
US10536360B1 (en) Counters for large flow detection
CN110225037B (en) DDoS attack detection method and device
Afaq et al. Large flows detection, marking, and mitigation based on sFlow standard in SDN
CN103139166A (en) Low-rate denial of service (LDoS) attack detection method based on small signal detection theory
CN103444132A (en) Network system, and switching method
US10003515B1 (en) Network visibility monitoring
Wang et al. A bandwidth-efficient int system for tracking the rules matched by the packets of a flow
KR20140051776A (en) Apparatus for network monitoring based on flow and network monitoring system
JP2006164038A (en) Method for coping with dos attack or ddos attack, network device and analysis device
CN106817268B (en) DDOS attack detection method and system
RU2728948C1 (en) Method for early detection of occurrence moment of poisson's teletraffic overload

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant