CN109194608B - DDoS attack and flash congestion event detection method based on flow - Google Patents
- Publication number: CN109194608B (application CN201810795131.1A)
- Authority: CN (China)
- Prior art keywords: flow, entropy, flash, ddos attack, flow table
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, monitoring network traffic; H04L63/14, detecting or protecting against malicious traffic; H04L63/00, network architectures or protocols for network security)
- H04L45/745: Address table lookup; address filtering (under H04L45/74, address processing for routing; H04L45/00, routing or path finding of packets in data switching networks)
- H04L47/2441: Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ] (under H04L47/24; H04L47/10, flow control and congestion control; H04L47/00, traffic control in data switching networks)
- H04L63/1458: Denial of Service (under H04L63/1441, countermeasures against malicious traffic; H04L63/14; H04L63/00)
Abstract
The invention relates to a flow-based DDoS attack and flash congestion event detection method. The applied flow detection method combines phi-entropy, an improvement on Shannon entropy and generalized entropy, with multidimensional flow features, and comprises: analyzing the characteristics of various types of DDoS attacks and flash congestion events and creating the corresponding DDoS attack and flash congestion event flows; the created flows generate flow table information unique to the SDN in the SDN network; introducing phi-entropy, improved on Shannon entropy and generalized entropy, which increases the information distance between different data and helps discover attack behaviour as early as possible; extracting features by acquiring multidimensional data of the flow table in the switch, such as the protocol type, the flow survival time, and the Shannon entropy, generalized entropy and phi-entropy of the source/destination IP; classifying the different types of DDoS attack flow, flash congestion event flow and normal flow (multi-classification) and comparing the detection accuracy of classification methods such as SVM and KNN; and adjusting the value of the adjustable parameter alpha of phi-entropy and combining it with the optimal classifier to obtain the optimal multi-classification accuracy. The invention combines the unique flow table function of the SDN network with phi-entropy, so that an attack can be detected in time when it occurs, and reduces the false alarm rate for flash congestion events.
Description
Technical Field
The invention discloses a DDoS (distributed denial of service) attack and flash congestion event detection method based on flow in an SDN (software defined network), belonging to the technical field of computer security.
Background
With the development of SDN, its security is receiving increasing attention. Because of the centralized management and programmability of SDN, an attacker can easily exploit its security holes to carry out a DDoS attack. Since the SDN is globally managed by a centralized controller, the switch by default forwards a data packet that matches no flow table entry to the controller, and the controller then sends the flow rule for that IP to the switch. If an attacker sends a large number of packets from multiple IPs, all of these packets are forwarded to the controller. This traffic consumes all the available resources of the controller and makes access unavailable to legitimate users. In addition, an attacker can use the same attack to heavily tie up the flow table capacity of the switch to weaken the system: when the switch receives a large number of spoofed messages, its memory is completely occupied. Also, the switch-controller link may become unavailable due to congestion caused by malicious traffic. All these issues make SDN vulnerable to DDoS attacks, and DDoS defense is therefore an important research topic for SDN.
At present, in addition to DDoS attacks, another type of network traffic is attracting increasing attention from security researchers and also results in denial of service to legitimate users of Web services: the flash congestion event.
A flash congestion event is similar to a high-rate DDoS attack, with thousands of legitimate users attempting to access a particular computing resource at the same time. The sudden increase in legitimate traffic is mainly caused by public or emergency events around the world, such as the World Cup being held or a change of leader in a country, and such large traffic events can make the response of the network service untimely, so immediate action is required. A flash congestion event is not a DDoS attack but is easily mistaken for a series of DDoS attacks, which highlights the severity of the problem. DDoS attacks and flash congestion events have many points in common, such as the increase of source IP traffic in a short period, the change in traffic volume and the response delay of the network server, and the differences in parameters between them are small.
In the SDN, corresponding flow characteristics can be effectively extracted from unique flow table information, malicious flow can be effectively detected and early warned, DDoS attacks and congestion flash events can be correctly distinguished, malicious flow can be timely found in the early stage of the attacks, and the safety of the SDN network is protected.
Disclosure of Invention
The invention aims to address the defects in the prior art by providing a flow-based DDoS (distributed denial of service) attack and flash congestion event detection method that extracts the characteristics of the flow table and can effectively detect various types of DDoS attacks and flash congestion events.
In order to achieve the above purposes, the invention provides a DDoS attack and flash congestion event detection method based on flow, which combines phi-entropy and flow multidimensional characteristics improved based on Shannon entropy and generalized entropy, and creates various types of DDoS attack and flash congestion event flow by analyzing various types of DDoS attack and flash congestion event characteristics; the created flow generates flow table information unique to the SDN in the SDN network; phi-entropy improved based on Shannon entropy and generalized entropy is introduced, and information distance between different data is increased to find attack behaviors; extracting features by acquiring multidimensional data of a flow table in a switch; classifying different types of DDoS attack flow, flash congestion event flow and normal flow, namely multi-classification, and comparing the detection accuracy rates of classification methods such as SVM, KNN and the like; and adjusting the value of the adjustable parameter alpha of phi-entropy to obtain the optimal multi-classification accuracy.
The phi-entropy improved on Shannon entropy and generalized entropy is a new information-theoretic metric proposed by Behal et al. in 2017. Compared with the Shannon entropy and generalized entropy that are mainly used at present, the proposed metric produces a more information-sensitive distance between legitimate traffic and attack traffic, so that mild changes in network traffic can be detected. The expression is as follows:
Further, the method comprises the following steps:
step 1, building a topological structure on a Mininet platform, wherein the topological structure comprises an SDN controller, an OpenFlow switch, a source host and a target host cluster; the source host computer simulates a message sending network end, and the target host computer group simulates a message receiving network end;
step 2, the message sending network end accesses the message receiving network end, where the access includes malicious access, namely multi-type DDoS attacks, normal access, and the normal access of an abnormal flash congestion event;
step 3, when the flow passes through the OpenFlow switch, the flow tables are searched for a match to process the flow accordingly; if the match succeeds, the switch processes the data packet according to the rule; if the data packet finds no matching flow table entry when it reaches the switch, a Packet_in message is sent to the controller, and the controller can set a corresponding policy and send a corresponding flow table to the switch; meanwhile, when an attack occurs, most attack flows are new flows, and a large number of flow table entries is generated; the multi-dimensional data of the flow table in the switch comprises the protocol type, source IP address, destination IP address, number of bytes of the packet, flow survival time and number of flow table entries. These characteristics are the main reference data, selected by analyzing the characteristics of the various flows;
step 4, collecting the generated flow table by using a built-in statistical information collection function specific to the SDN;
step 5, the controller collects key data of the collected flow table at regular time and extracts features to obtain main classification feature values;
step 6, classifying the extracted features by using various classifiers to obtain an optimal classifier; adjusting parameters of the extracted features to obtain an optimal classification result;
step 7, the controller issues the corresponding rule flow table to the switch according to the rules deployed in the controller, and the switch forwards according to the flow table. When one OpenFlow switch detects abnormal flow, the whole network is in an unsafe state.
Further, the multi-type DDoS attack includes a plurality of common attack types, such as SYN Flood, UDP Flood, ACK Flood and Connection Flood. The different types of DDoS attacks are analyzed so that the attack characteristics are refined.
The various flows are injected into the SDN separately; the multi-type DDoS attack and flash congestion event flows are constructed according to their characteristics with any one of the common traffic generation tools Hping, Nping or Scapy, or the data flow is imported from an existing traffic data set.
Furthermore, the various types of DDoS attacks and flash congestion events are characterized by the traffic volume within a fixed interval of 2 s (if the interval is too long the network is easily paralyzed, and if it is too short the attacks are not easily detected), the degree of randomness (dispersion) of the source IPs, the size of the data packets and the duration of the flow.
Further, the unique flow table in the SDN is the most basic basis for the SDN switch to process data packets, and each flow table entry is composed of three parts: the Header field used for data packet matching, the Counters that count the number of matched data packets, and the Actions that specify how matched data packets are processed;
the header field contains 12 tuples, and the characteristics of a source IP address, a destination IP address, a source port number, a destination port number and a protocol type of the data packet are mainly utilized, namely flow characteristics are extracted from the header field of the flow table packet.
Further, after the features are extracted, main classification feature values are obtained, and the main classification feature values mainly comprise a flow average byte number, a flow average survival time, a flow table average growth speed, a source IP entropy and a target IP entropy which are extracted respectively based on phi-entropy and Shannon or generalized entropy.
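As an added example (not code from the patent), the following computes the classification feature values listed above for one collection window from constructed flow-table entries. The page does not reproduce the phi-entropy expression, so the entropy features here are Shannon entropy and generalized (Renyi) entropy of order alpha; the entry format, the sample addresses and the three labelled windows are assumptions.

```python
# Added example, not code from the patent: per-window feature extraction from
# constructed OpenFlow-style flow-table entries, following the feature list in
# the description (flow average bytes, flow average survival time, flow-table
# growth speed, source/destination IP entropy). The phi-entropy formula is not
# reproduced on the page, so entropy here is Shannon entropy and generalized
# (Renyi) entropy of order alpha; the data format is constructed, not OpenFlow's.
import math
from collections import Counter

WINDOW_S = 2.0  # fixed 2 s collection interval named in the description


def shannon_entropy(counts):
    """Shannon entropy (bits) of a Counter of occurrences."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def renyi_entropy(counts, alpha):
    """Generalized (Renyi) entropy of order alpha; tends to Shannon as alpha -> 1."""
    if alpha == 1:
        return shannon_entropy(counts)
    total = sum(counts.values())
    return math.log2(sum((c / total) ** alpha for c in counts.values())) / (1 - alpha)


def window_features(entries, prev_table_size, alpha=2.0):
    """Feature values for one collection window.

    entries: flow-table entries seen in this window, each a dict with
             src, dst, proto, bytes, duration (constructed format).
    prev_table_size: entry count in the previous window, for the growth rate.
    """
    n = len(entries)
    src = Counter(e["src"] for e in entries)
    dst = Counter(e["dst"] for e in entries)
    return {
        "avg_bytes": sum(e["bytes"] for e in entries) / n,
        "avg_duration": sum(e["duration"] for e in entries) / n,
        "table_growth": (n - prev_table_size) / WINDOW_S,  # new entries per second
        "src_ip_shannon": shannon_entropy(src),
        "dst_ip_shannon": shannon_entropy(dst),
        "src_ip_renyi": renyi_entropy(src, alpha),
        "dst_ip_renyi": renyi_entropy(dst, alpha),
    }


def flow(src, dst, proto, nbytes, duration):
    return {"src": src, "dst": dst, "proto": proto, "bytes": nbytes, "duration": duration}


# Constructed windows (labelled sample data, not a capture).
NORMAL = [flow(f"10.0.0.{i}", "10.0.1.1" if i < 3 else "10.0.1.2", "TCP", 1500, 5.0)
          for i in range(1, 5)]
# Spoofed SYN flood as seen in the flow table: many one-packet flows,
# one target, short-lived entries.
SYN_FLOOD = [flow(f"198.51.100.{i}", "10.0.1.1", "TCP", 60, 0.1) for i in range(1, 9)]
# Flash congestion event: as many distinct sources towards the same target,
# but real sessions that carry data and stay alive.
FLASH = [flow(f"203.0.113.{i}", "10.0.1.1", "TCP", 4000, 3.0) for i in range(1, 9)]


def compare_windows():
    """Feature rows for the three constructed windows, each following a
    4-entry normal window. Source-IP entropy alone does not separate the
    flood from the flash event; average bytes and survival time do."""
    return {name: window_features(w, prev_table_size=4)
            for name, w in (("normal", NORMAL), ("syn_flood", SYN_FLOOD), ("flash", FLASH))}


if __name__ == "__main__":
    for name, feats in compare_windows().items():
        print(name, {k: round(v, 3) for k, v in feats.items()})
```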
Furthermore, the flow multi-classification is compared by classification methods such as SVM and KNN, wherein the extracted features are classified by using Shannon entropy or generalized entropy and using different classifiers to obtain the optimal classification method with the optimal detection rate.
Furthermore, when the value of the adjustable parameter alpha for adjusting the phi-entropy approaches to 0, the phi-entropy is equal to the shannon entropy, namely the phi-entropy at the moment is very close to the shannon entropy;
by adjusting the parameter alpha, the proposed metric amplifies the differences between objects more sensitively and to a greater degree, so it can be applied more effectively to DDoS attack and flash congestion event detection, and combined with the optimal classification method the accuracy of DDoS attack and flash congestion event detection is improved to a greater extent.
Compared with the prior art, the invention adopting this technical scheme has the following technical effects. The implementation of the flow-based DDoS attack and flash congestion event detection method in the SDN provided by the embodiment of the invention mainly comprises the following steps: 1. flow table data of different types of flow are acquired using the flow table characteristics issued by the SDN; 2. features are extracted from the flow table data to acquire the characteristics related to the various DDoS attacks and flash congestion events; 3. the various data features are trained and multi-classified to obtain the classification accuracy and the optimal classifier; 4. phi-entropy is introduced, and by adjusting its parameter alpha partially optimal feature values are obtained and classified in combination with the optimal classifier, so that the detection accuracy is improved to a certain extent and abnormal behaviour can be found in time at the initial stage.
Drawings
The invention will be further described with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of the detection method of the present invention.
Fig. 2 is a block flow diagram of the present invention.
Detailed Description
For a more intuitive and clear illustration of the objects and advantages of the present invention, the present invention will be described in detail below with reference to the accompanying drawings in which embodiments of the present invention are shown. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Referring to fig. 1, the present embodiment provides a flow-based DDoS attack and flash congestion event detection method in an SDN, in which the applied flow detection method combines phi-entropy, improved on Shannon entropy and generalized entropy, with multi-dimensional flow features. The method comprises:
Firstly, a topological structure is built on the Mininet platform; it comprises an SDN controller, an OpenFlow switch, a source host and a target host cluster, where the source host simulates the message sending network end and the target host cluster simulates the message receiving network end. When different data streams are created or imported in the SDN network, the flow fields obtained by analyzing the flow tables generated in the SDN network are used as the input of the flow characteristics, and the time interval for obtaining the flow match fields must be moderate, because too long an interval causes network paralysis before a DDoS attack is found, and too short an interval overloads the controller. Secondly, the unique flow table characteristics of the SDN network are analyzed, key characteristic information in the flow table is acquired and integrated, such as the protocol type, flow table duration, source IP dispersion towards the same target IP and flow table growth speed, and the corresponding characteristics are selected for detection according to the different DDoS attack types and flash congestion events. Then, on the basis of feature extraction based on Shannon entropy or generalized entropy, different classifiers are used for multi-classification of the features, and the optimal classifier is obtained according to the detection accuracy. Finally, phi-entropy is used as the dispersion measure of certain features, which effectively increases the information distance between data of different concentration, and the optimal classifier is then used for classification so that the detection accuracy is improved.
The message sending network end accesses the message receiving network end, including malicious access (multi-type DDoS attack), normal access, and the normal access of an abnormal event (flash congestion event).
When a flow passes through an OpenFlow switch, the flow table is searched for a match to process the flow accordingly. If the match succeeds, the switch knows how to process the data packet; if the data packet arrives at the switch and no matching flow table entry is found, a Packet_in message is sent to the controller, and the controller can set a corresponding policy and send a corresponding flow table to the switch. When an attack occurs, the attack flows are essentially all new flows, so a large number of flow table entries is generated;
collecting the generated flow table by using a built-in statistical information collection function specific to the SDN;
the controller collects key data of the collected flow table at regular time, and the key data mainly comprises a protocol type, a source IP address, a target IP address, the number of bytes of a packet, flow survival time and the number of the flow table;
the controller extracts the characteristics of the collected key data to obtain main classification characteristic values which mainly comprise the number of leveling average bytes, the leveling average survival time, the flow table average growth speed and are respectively based onEntropy, source IP entropy and target IP entropy extracted by Shannon or generalized entropy;
classifying the extracted features (based on the Shannon/generalized entropy) by using various classifiers to obtain an optimal classifier;
For the extracted features (based on phi-entropy), the parameters are adjusted to obtain the optimal classification result.
Through the rules deployed in the controller, the controller issues the corresponding rule flow table to the switch, and the switch forwards the rules according to the flow table. When one OpenFlow switch detects abnormal flow, the whole network is in an unsafe state. Moreover, the method also effectively distinguishes DDoS attack and flash congestion events, and reduces the false alarm rate.
Referring to fig. 2, the present embodiment provides a flow-based DDoS attack and congestion flash event detection method in an SDN, which includes the following processes:
S0: The various flows are injected into the SDN network separately. The multi-type DDoS attack and flash congestion event flows can be introduced into the SDN with common traffic generation tools such as Hping, Nping and Scapy, or by downloading authoritative traffic data sets;
S1: The generated flow tables are collected and stored regularly using the SDN's built-in statistical information collection function. The flow table collection interval must be moderate: too long an interval may cause network disruption before a DDoS attack is discovered, and too short an interval may overload the controller.
S2: obtaining key data of a flow table generated in each period of time, namely required key fields;
S3: The acquired key fields are integrated to extract key feature values. One is data integration based on Shannon/generalized entropy, and the other is data integration based on phi-entropy.
S4: firstly, features acquired by data integration based on Shannon/generalized entropy are used, and various classifiers are used for training and classifying the features.
S5: Three measures, TPR (true positive rate), FPR (false positive rate) and F1, are used to evaluate the classification result of each classifier and obtain the best classifier.
S6: The features obtained from the phi-entropy data integration in step S3 are used for parameter adjustment tests, that is, alpha is adjusted to enlarge the information distance between the different types of data, and the optimal classifier obtained in step S5 is combined to classify them.
Through the process, the DDoS attack and the flash congestion event can be accurately detected.
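As an added example (not code from the patent), the following computes the TPR, FPR and F1 that step S5 uses, one class at a time, for the three-class result (DDoS, flash, normal) on constructed label vectors, and counts the flash windows scored as DDoS, which are the false alarms the method aims to reduce. The label vectors are assumptions.

```python
# Added example, not code from the patent: one-vs-rest TPR, FPR and F1 per class
# for the three-class result (DDoS, flash, normal) evaluated in step S5, on
# constructed label vectors. The positive class matters: a flash event scored
# as DDoS is a false positive for DDoS and a miss for flash.
CLASSES = ("ddos", "flash", "normal")


def per_class_metrics(y_true, y_pred):
    """Return {class: {tpr, fpr, precision, f1}} treating each class as positive in turn."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    pairs = list(zip(y_true, y_pred))
    out = {}
    for cls in CLASSES:
        tp = sum(1 for t, p in pairs if t == cls and p == cls)
        fn = sum(1 for t, p in pairs if t == cls and p != cls)
        fp = sum(1 for t, p in pairs if t != cls and p == cls)
        tn = sum(1 for t, p in pairs if t != cls and p != cls)
        tpr = tp / (tp + fn) if tp + fn else 0.0
        fpr = fp / (fp + tn) if fp + tn else 0.0
        prec = tp / (tp + fp) if tp + fp else 0.0
        f1 = 2 * prec * tpr / (prec + tpr) if prec + tpr else 0.0
        out[cls] = {"tpr": tpr, "fpr": fpr, "precision": prec, "f1": f1}
    return out


def flash_false_alarms(y_true, y_pred):
    """Number of flash congestion windows that were scored as a DDoS attack."""
    return sum(1 for t, p in zip(y_true, y_pred) if t == "flash" and p == "ddos")


# Constructed labels for 12 collection windows (4 per class); two flash
# windows are misclassified as DDoS, everything else is correct.
Y_TRUE = ["ddos"] * 4 + ["flash"] * 4 + ["normal"] * 4
Y_PRED = ["ddos"] * 4 + ["ddos", "ddos", "flash", "flash"] + ["normal"] * 4


def evaluate():
    """Per-class metrics and flash false-alarm count for the constructed labels."""
    return per_class_metrics(Y_TRUE, Y_PRED), flash_false_alarms(Y_TRUE, Y_PRED)


if __name__ == "__main__":
    metrics, alarms = evaluate()
    for cls, m in metrics.items():
        print(cls, {k: round(v, 3) for k, v in m.items()})
    print("flash windows scored as DDoS:", alarms)
```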
From the above, the flow-based DDoS attack and flash congestion event detection method in the SDN provided by the embodiment of the invention obtains the various types of features related to DDoS attacks and flash congestion events by acquiring flow table data of the different types of flow and performing feature extraction, trains and multi-classifies the various data features to obtain the optimal classifier, and introduces phi-entropy, whose parameter is adjusted to obtain partially optimal feature values that are classified in combination with the optimal classifier, so that the detection rate is improved and abnormal behaviour can be found in time at the initial stage.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments.
Finally, it should be noted that: the foregoing is only a preferred embodiment of the present invention, and it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements should be considered as the protection scope of the present invention.
Claims (5)
1. A flow-based DDoS attack and flash congestion event detection method, characterized in that: the flow-based DDoS attack and flash congestion event detection method combines phi-entropy, improved on Shannon entropy and generalized entropy, with multidimensional flow characteristics, and creates DDoS attack and flash congestion event flow by analyzing the characteristics of the DDoS attack and the flash congestion event; the created flow generates flow table information unique to the SDN in the SDN network; introducing phi-entropy improved on Shannon entropy and generalized entropy, increasing the information distance between different data to discover attack behaviour; extracting features by acquiring multidimensional data of the flow table in the switch; classifying the DDoS attack flow, the flash congestion event flow and the normal flow, and at least comparing the detection accuracy of the SVM and KNN classification methods; adjusting the value of the adjustable parameter of phi-entropy to obtain the optimal multi-classification accuracy;
the method comprises the following steps:
step 1, building a topological structure on a Mininet platform, wherein the topological structure comprises an SDN controller, an OpenFlow switch, a source host and a target host cluster; the source host computer simulates a message sending network end, and the target host computer group simulates a message receiving network end;
step 2, the message sending network end accesses the message receiving network end, wherein the access includes malicious access, namely multi-type DDoS attack, normal access and normal access of abnormal sudden congestion events;
step 3, when the flow passes through the OpenFlow switch, the flow tables are searched and matched to correspondingly process the flow; if the matching is successful, the switch processes the data packet according to the rule; if the data Packet does not find the flow table item matched with the data Packet when reaching the switch, a Packet _ in message is sent to the controller, and the controller can set a corresponding strategy to send a corresponding flow table to the switch; meanwhile, when an attack occurs, most of attack flows are new flows, and a large number of flow table entries can be generated;
step 4, collecting the generated flow table by using a built-in statistical information collection function specific to the SDN;
step 5, the controller collects key data of the collected flow table at regular time and extracts features to obtain classification feature values, wherein the classification feature values comprise a flow table average growth speed, a flow table average number of bytes and a flow table average survival time, and a source IP entropy and a target IP entropy which are extracted respectively based on phi-entropy and Shannon or generalized entropy;
step 6, classifying the extracted features by using various classifiers, and adjusting parameters of the extracted features to obtain an optimal classification result;
step 7, the controller issues a corresponding rule flow table to the switch according to the rules deployed in the controller, and the switch forwards the rules according to the flow table; when one OpenFlow switch detects abnormal flow, the whole network is in an unsafe state.
2. The method of claim 1 for detecting a flow-based DDoS attack and flash congestion event, wherein: and respectively injecting various flows into the SDN, wherein the multi-type DDoS attack and flash congestion event flows are constructed according to the characteristics of any one of the common flow beating tools Hping, Nping or Scapy, or data flow is imported by using an existing flow data set.
3. The method of claim 1 for detecting a flow-based DDoS attack and flash congestion event, wherein: the DDoS attack and the flash congestion event respectively have the characteristics of the size of the flow within a fixed time of 2s, the size of the randomness dispersion degree of a source IP, the size of a data packet and the duration of the flow, the network paralysis is easy to occur if the time is too long, and the attack is not easy to detect if the time is too short.
4. The method of claim 1 for detecting a flow-based DDoS attack and flash congestion event, wherein: the unique flow table in the SDN is the most basic basis for the SDN switch to process data packets, and each flow table entry consists of three parts: the Header field used for data packet matching, the Counters that count the number of matched data packets, and the Actions that specify how matched data packets are processed;
the header field contains 12 tuples, and the characteristics of a source IP address, a destination IP address, a source port number, a destination port number and a protocol type of the data packet are mainly utilized, namely flow characteristics are extracted from the header field of the flow table packet.
5. The method of claim 1 for detecting a flow-based DDoS attack and flash congestion event, wherein: when the value of the adjustable parameter for adjusting the phi-entropy approaches to 0, the phi-entropy at the moment is extremely close to the Shannon entropy;
by adjusting the parameters, the proposed metric amplifies the differences between objects more sensitively and more effectively, so it can be applied more effectively to DDoS attack and flash congestion event detection, and combined with the optimal classification method the accuracy of DDoS attack and flash congestion event detection is improved to a greater extent.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810795131.1A CN109194608B (en) | 2018-07-19 | 2018-07-19 | DDoS attack and flash congestion event detection method based on flow |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810795131.1A CN109194608B (en) | 2018-07-19 | 2018-07-19 | DDoS attack and flash congestion event detection method based on flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109194608A CN109194608A (en) | 2019-01-11 |
CN109194608B true CN109194608B (en) | 2022-02-11 |
Family
ID=64936358
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810795131.1A Active CN109194608B (en) | 2018-07-19 | 2018-07-19 | DDoS attack and flash congestion event detection method based on flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109194608B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111756719B (en) * | 2020-06-17 | 2022-06-24 | 哈尔滨工业大学 | DDoS attack detection method combining SVM and optimized LSTM model under SDN network architecture |
CN113114671B (en) * | 2021-04-12 | 2023-03-24 | 常熟市国瑞科技股份有限公司 | Cloud data security identification and classification method |
CN113242225B (en) * | 2021-04-30 | 2021-12-31 | 北京理工大学 | DDoS attack detection method based on Riemann manifold structure of stream data |
CN115225353B (en) * | 2022-07-04 | 2024-05-03 | 安徽大学 | Attack detection method considering both DoS/DDoS flooding and slow HTTP DoS |
CN116232777B (en) * | 2023-05-10 | 2023-07-18 | 北京交通大学 | DDoS attack detection and defense method based on statistical measure in SDN-IIOT and related equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104202336A (en) * | 2014-09-22 | 2014-12-10 | 浪潮电子信息产业股份有限公司 | DDoS attack detection method based on information entropy |
CN106131027A (en) * | 2016-07-19 | 2016-11-16 | 北京工业大学 | Detection and defense system for anomalous network traffic based on software-defined networking |
CN106561016A (en) * | 2015-11-19 | 2017-04-12 | 国网智能电网研究院 | DDoS attack detection device and method for SDN controller based on entropy |
CN106921666A (en) * | 2017-03-06 | 2017-07-04 | 中山大学 | DDoS attack defense system and method based on synergy |
CN107231384A (en) * | 2017-08-10 | 2017-10-03 | 北京科技大学 | DDoS attack detection and defense method and system for 5G network slicing |
CN108183917A (en) * | 2018-01-16 | 2018-06-19 | 中国人民解放军国防科技大学 | DDoS attack cross-layer cooperative detection method based on software defined network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008052291A2 (en) * | 2006-11-03 | 2008-05-08 | Intelliguard I.T. Pty Ltd | System and process for detecting anomalous network traffic |
Non-Patent Citations (3)
Title |
---|
Kaur, G. et al. An information divergence based approach to detect flooding DDoS attacks and Flash Crowds. Proceedings of the 2017 3rd International Conference on Applied and Theoretical Computing and Communication Technology (iCATccT), 2017-12-23, full text. * |
Behal, S. et al. Detection of DDoS attacks and flash events using novel information theory metrics. Computer Networks, vol. 116, 2017-02-22, full text. * |
Gera, J. et al. Detection of spoofed and non-spoofed DDoS attacks and discriminating them from flash crowds. EURASIP Journal on Information Security, 2018-07-16, full text. * |
Also Published As
Publication number | Publication date |
---|---|
CN109194608A (en) | 2019-01-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109194608B (en) | | DDoS attack and flash congestion event detection method based on flow |
CN109005157B (en) | | DDoS attack detection and defense method and system in software defined network |
JP6001689B2 (en) | | Log analysis apparatus, information processing method, and program |
US8650646B2 (en) | | System and method for optimization of security traffic monitoring |
Zhang et al. | | Real-time distributed-random-forest-based network intrusion detection system using Apache Spark |
CN107018084B (en) | | DDoS attack defense network security method based on SDN framework |
CN110225037B (en) | | DDoS attack detection method and device |
CN107370752B (en) | | Efficient remote control Trojan detection method |
CN113206860B (en) | | DRDoS attack detection method based on machine learning and feature selection |
CN103297433A (en) | | HTTP botnet detection method and system based on network data flow |
CN112839017B (en) | | Network attack detection method and device, equipment and storage medium thereof |
CN108632269A (en) | | Distributed denial of service attack detection method based on the C4.5 decision tree algorithm |
Guozi et al. | | DDoS attacks and flash event detection based on flow characteristics in SDN |
CN106330611A (en) | | Anonymous protocol classification method based on statistical feature classification |
CN106603326A (en) | | NetFlow sampling processing method based on anomaly feedback |
CN108667804B (en) | | DDoS attack detection and protection method and system based on SDN architecture |
Fenil et al. | | Towards a secure software defined network with adaptive mitigation of DDoS attacks by machine learning approaches |
US11848959B2 (en) | | Method for detecting and defending DDoS attack in SDN environment |
CN112953910B (en) | | DDoS attack detection method based on software defined network |
KR101488271B1 (en) | | Apparatus and method for IDS false positive detection |
Patil et al. | | Software Defined Network: DDoS Attack Detection |
CN117118738A (en) | | DDoS attack risk quantification defense method and system in software defined network |
Little et al. | | Spectral clustering technique for classifying network attacks |
KR101573413B1 (en) | | Apparatus and method for detecting intrusion using principal component analysis |
TWI666568B (en) | | Method of NetFlow-based session detection for P2P botnet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||