CN110224990A - An intrusion detection system based on a software-defined security architecture - Google Patents

An intrusion detection system based on a software-defined security architecture

Info

Publication number: CN110224990A
Authority: CN (China)
Prior art keywords: cloud, data, network, detection, module
Legal status: Pending
Application number: CN201910391719.5A
Other languages: Chinese (zh)
Inventors: 张莎莎, 李荣鹏, 赵志峰, 张宏纲
Current assignee: Zhejiang University ZJU
Original assignee: Zhejiang University ZJU
Application filed by Zhejiang University ZJU

Classifications

    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting (G06F18/21 Design or setup of recognition systems or techniques; G06F18/00 Pattern recognition)
    • G06F21/55 Detecting local intrusion or implementing counter-measures (G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06N20/00 Machine learning
    • H04L63/0263 Rule management (H04L63/0227 Filtering policies; H04L63/02 Separating internal from external traffic, e.g. firewalls)
    • H04L63/0281 Proxies (H04L63/02 Separating internal from external traffic, e.g. firewalls)
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (H04L63/14)
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14; H04L63/00 Network architectures or network communication protocols for network security)

Abstract

The invention discloses an intrusion detection system based on a software-defined security architecture, in the field of network information security. The system includes a client module and a cloud module; the cloud module includes a cloud agent, an intrusion detection engine, an expert rule library, a machine learning library and a log database; the intrusion detection engine uses Snort-based signature detection together with machine-learning-based anomaly detection. The software-defined security architecture gives the network programmable control and global state monitoring: it abstracts the underlying security devices below it into a unified, transparent access module and exposes northbound security applications above it. By exploiting the elastic computation, distributed computation, load balancing and big-data processing capacity of cloud computing, and by deploying the expert rule library, the intrusion detection engine and the related artificial-intelligence detection algorithms in the cloud, the system improves its intelligent detection efficiency and strengthens both its dynamic scalability and its ability to respond quickly to new security threats.

Description

An intrusion detection system based on a software-defined security architecture
Technical field
The application belongs to the field of network information security and in particular relates to an intrusion detection system and detection method under a software-defined security architecture.
Background art
In recent years, with the rapid development of Internet technology, the continual growth of network scale, the continual climb of network traffic and the increasing complexity of the network architecture, the traditional network architecture faces ever sterner challenges and tests. At the same time, this complex network environment brings many network security problems, such as malware attacks, spoofing attacks and distributed denial-of-service attacks. These increasingly prominent network security problems pose ever greater challenges to the traditional security system architecture, its service model and its technical means. On the one hand, along with the continuous development of related technologies such as cloud computing and virtualization, network application demands are becoming more and more complex, and the traditional network architecture shows problems such as being hard to extend and having high configuration complexity. Moreover, the various virtualization technologies enable rapid arrangement and flexible allocation of network resources, and the traditional network security architecture has gradually become unable to cope and can no longer meet people's needs. On the other hand, existing security defence technologies (such as firewalls and intrusion detection systems) are mostly deployed in the local area network in the form of hardware devices, with relatively limited functions and poor flexibility; these security devices or software are often mutually isolated and independent, cannot be configured in combination as a system, have weak real-time defence capability and poor scalability, and find it hard to adapt to dynamic business demands or to perform online upgrades of security functions.
Software-defined networking (SDN), as a dynamic, manageable, cost-effective and adaptable emerging architecture, is reshaping the way networks are conceived and provides important support for the evolution of network information security: security protection modules can be globally optimized by means of software definition, achieving unified management and dynamic configuration, that is, software-defined security (SDS). SDN decouples network control from the forwarding function, so that network control becomes directly programmable and the underlying infrastructure is abstracted away from applications and network services. Separating the control plane from the data plane makes network management easier: a controller provides centralized control of the network, realizes global state monitoring, and flexibly obtains and collects network activity information. Through the controller, a network administrator can quickly and conveniently formulate and push down decisions on how the underlying data-plane systems (switches, routers) handle traffic, integrating different architectures and promoting the creation of network applications and services that better fit users' demands. Through centralized management and control, SDN achieves dynamic optimized resource allocation and scheduling and optimizes work such as network configuration, monitoring, management, scheduling and optimization. Introducing SDN research results into existing network security protection technology is therefore a development trend of network information security; software-defined security (SDS) enhances the manageability, coordination level and service quality of the network and provides a feasible solution to network security problems.
An intrusion detection system (IDS) is one of the key technologies for protecting a network against malicious attacks. It collects traffic information at key nodes of the network and analyses all network activity in order to detect malicious activity (including viruses, worms, DDoS attacks and so on) and raise alarms in time. An IDS can identify and detect network intrusion behaviour in real time and is widely applied in traditional networks. Existing IDS systems and security devices are generally deployed in the local area network, so that the cooperation and linkage between systems are poor. An IDS under software-defined security can solve the above problems well. In general, a traditional IDS detects attack patterns on the basis of an expert rule library, which leads to the risks of a high false-positive rate and a high false-negative rate, while it is hard to detect new types of network attack in real time and adapt to a complex and changing network environment.
Most current intrusion detection systems are based on signature detection: once an attacker slightly modifies a known attack and changes its signature, the signature-based method can no longer detect any anomalous content. In view of the challenges and threats that a traditional IDS faces from large numbers of increasingly complex and heterogeneous network attacks, and in order to overcome the drawbacks and limitations of the traditional IDS, machine learning techniques are introduced into the IDS. Because machine learning has good adaptive characteristics and mathematical robustness, various algorithms such as neural networks (Neural Network), support vector machines (Support Vector Machine), naive Bayes (Naive Bayes), decision trees (Decision Tree) and random forests (Random Forest) have successively been added to intrusion detection technology. In recent years there has been more and more research and application of machine learning in combination with current hot topics; by learning from existing intrusion data, machine learning algorithms can detect novel, unknown attacks. The currently used signature-based detection method, by contrast, needs to describe features precisely and predefine rules before an intrusion target can be matched, and cannot identify or detect unknown attacks; therefore machine learning algorithms with higher precision and stronger robustness will necessarily become the trend and demand in the development of intrusion detection.
Summary of the invention
In view of the problems in the prior art, the application proposes an intrusion detection system based on a software-defined security architecture. Using the virtualization support, large-scale data processing, distributed computing and load-balancing capabilities of cloud computing, it deploys the expert rule library, the intrusion detection engine and the related artificial-intelligence detection algorithms in the cloud, providing a solution for deploying an intrusion detection system on the cloud. This not only reduces the computation and processing load of the client and effectively improves the intelligent detection efficiency of the system and its ability to respond quickly to new security threats; deploying in a cloud environment also enhances the dynamic scalability of the system and its adaptive resource allocation capability.
This scheme is achieved through the following technical solution: an intrusion detection system based on a software-defined security architecture, the intrusion detection system including an SDN controller, a client module and a cloud module. The client module includes a client agent, a communication transmission module and a packet sniffing module. The cloud module includes a cloud agent, a communication transmission module and an intrusion detection engine. The packet sniffing module collects network data and hands it to the client agent; the client agent encapsulates the data and communicates with the cloud agent through the communication transmission module, which uses a communication protocol defined between the cloud agent and the client. The cloud agent receives the traffic data sent from the client module, feeds the traffic data into the intrusion detection engine for detection, and returns the intrusion detection result to the client agent; quick response and active defence are realized by the SDN controller. The intrusion detection engine uses Snort-based signature detection and machine-learning-based anomaly detection.
Further, the cloud module also includes an expert rule library, a machine learning library and a log database. The intrusion detection engine separates known attacks from unknown attacks by means of the expert rule library. Snort-based signature detection is used for real-time detection of known attacks; unknown attacks are sent to the machine learning library for training and learning, new rules are constructed in real time to supplement the expert rule library, and the packets and detection results are recorded in the log database.
Further, the anomaly detection technique uses an incremental learning method: incremental training for real-time detection is performed on traffic data as it arrives in sequence and saved into a classifier model, and new traffic samples that arrive later are automatically identified and classified by the existing model, which distinguishes whether they are malicious traffic, so that continual learning fully improves the detection performance of the classifier.
Further, the incremental learning method includes an offline part and an online part; its main steps are offline model training, offline model verification and online incremental learning. The offline part uses historical data from the cloud log database and the online part is based on new real-time data samples.
Compared with the prior art, this scheme has the following beneficial effects: (1) it introduces related machine learning algorithms into the intrusion detection engine Snort-IDS, designs and constructs a machine learning library, and combines it with Snort's signature-based intrusion detection over the expert rule library. The machine learning library is implemented as a third-party plugin: by loading the machine learning plugin into the Snort software, a cloud hybrid network intrusion detection system architecture is realized. (2) It proposes a functionally complete, globally coordinated intrusion detection system in which client network traffic capture, cloud intrusion detection and data storage, result feedback and response, and the other steps of a complete IDS mechanism are unified and combined. The scalable, programmable intrusion detection system based on a software-defined security architecture proposed by this application separates security data from control, realizes automated collaboration and global-view management between the security applications, the SDN controller and the underlying security devices, can flexibly obtain and collect network information, and discovers and identifies anomalous events and behaviour in time. With intrusion detection as the goal under the software-defined security architecture SDS, it exploits the advantages of big data and cloud computing technology and deploys the expert rule library, the intrusion detection engine and the related artificial-intelligence detection algorithms in the cloud, which not only effectively improves the intelligent detection efficiency and security protection capability of the system but also strengthens its dynamic scalability and resource allocation capability.
Brief description of the drawings
Fig. 1 is the intrusion detection system architecture based on software-defined security of the present invention;
Fig. 2 is the framework diagram of the present invention;
Fig. 3 is the flow chart of the present invention;
Fig. 4 is the cloud intrusion detection engine of the present invention;
Fig. 5 is the attack scenario diagram of the present invention;
Fig. 6 is the algorithm simulation line chart of the present invention;
Fig. 7 is the simulation test delay diagram of the present invention.
Specific embodiments
An intrusion detection system based on a software-defined security architecture: the intrusion detection system includes an SDN controller, a client module and a cloud module. The client module includes a client agent, a communication transmission module and a packet sniffing module; the cloud module includes a cloud agent, a communication transmission module, an intrusion detection engine, an expert rule library, a machine learning library and a log database.
The intrusion detection system consists of client network traffic capture, cloud intrusion detection and data storage, and result feedback and response. The packet sniffing module first collects network data and hands it to the client agent, which encapsulates the data and interacts with the cloud agent through the communication transmission module. The cloud agent receives the data collected by the client module, feeds the traffic data into the intrusion detection engine for detection, and finally returns the intrusion detection result to the client agent; quick response and active defence are realized by the SDN controller.
To improve the real-time detection efficiency of the system and to detect unknown attacks, the intrusion detection engine uses two intrusion detection techniques at the same time, Snort-based signature detection and machine-learning-based anomaly detection, and is arranged in virtual machine instances running on the compute nodes to realize distributed joint detection. The intrusion detection engine separates normal from abnormal traffic on the basis of the existing expert rule library; new attack types or variants derived from known attacks are then sent to the machine learning library for training and knowledge extraction, so as to supplement the expert rule library in real time, and the packets and detection results are recorded in the cloud log database module.
The intrusion detection system (IDS) of the invention: the cloud agent receives the packets sent from the client, and the intrusion detection engine deployed on the compute nodes performs joint intrusion detection on these network packets, distinguishing normal packets from abnormal packets according to the existing expert rule library. The expert rule library is a method based on predefined rules: the features or attack code of known intrusion behaviour are compiled into a rule set, and if the data traffic matches some feature in the expert rule library it is judged to be malicious traffic. At the same time, the captured network traffic data is sent to the anomaly-detection machine learning algorithm library for training, analysis and knowledge learning; if abnormal traffic is found, a rule is summarized from it and compared with the expert rule library, and if the expert rule library does not contain that rule, the new rule is added to it, so that the expert rule library is supplemented in real time, and the alarm log is recorded and backed up in the log database. The machine-learning-based anomaly detection technique uses an incremental learning method: a classifier model is trained from the existing log database, incremental training is performed when new samples arrive, and the model configuration is updated dynamically to realize real-time attack detection on traffic streams.
Embodiment
The design and implementation of the OpenStack cloud platform, the design and implementation of the client, the design and implementation of the cloud, and the design and implementation of the communication pipe between client and cloud are described in detail below with a specific embodiment.
1. Design and implementation of the OpenStack cloud platform
This scheme uses a multi-node OpenStack deployment with 1 master node, 1 controller node and 2 compute nodes; the controller node and the compute nodes all provide block storage and network services, and are deployed together on physical servers. The cloud platform network design uses three network cards:
Eth0 (OpenStack cluster management network, CIDR 10.20.0.1/24), used to manage the cluster nodes;
Eth1 (external/floating IP network, CIDR 172.16.0.1/24), used as the cluster public network and to provide floating IP addresses for virtual machines;
Eth2 (management/storage/internal network, CIDR 192.168.1.0/24), used as the internal communication network of the virtual machines.
To guarantee the stability and validity of the cloud environment, the three nodes are first deployed in the same local area network, it is ensured that they can ping each other, and the time zone of the three hosts is set with NTP time synchronization guaranteed. The different component services are then deployed on each node.
After the services on each node are correctly configured, the cloud platform can be accessed through the interface provided by the Dashboard.
As shown in Fig. 1, the cloud space is logically divided into:
1) Big data center: this center designs two kinds of database, a log database for saving historical data and detection results, and a rule-oriented expert rule library. Both databases are implemented on MySQL. Under the guidance and allocation of the intelligence center's algorithms, the expert rule library can update its rules in real time.
2) Intelligence center: stores the related machine learning algorithms used by the intrusion detection engine and the new-rule generation algorithm used to formulate new rules, with a unified interface for external access. The machine learning algorithms include CNN, SVM, SOM, K-NN, GDBT, AdaBoost and so on. After the machine learning algorithms detect an unknown attack pattern, the new-rule generation algorithm extracts the main features, such as source IP address, destination IP address, source port, destination port and protocol type, and compiles them into a new rule according to a certain format.
3) Control center: this center serves the following purposes:
A) deploys the cloud agent, which receives the data files uploaded from the client and stores and backs them up in the log database; the cloud agent also serves as the window for communication services to the external network;
B) provides a centralized view and cluster management, globally controlling cloud virtual resources (such as computing resources and network resources), which can be used to implement distributed joint computation for intrusion detection;
C) passes message queues between cluster nodes, and transfers the JSON-format detection results to the SDN controller through the HTTP RESTful API interface service;
D) flexibly directs data traffic to the intrusion detection engines deployed in the function center to perform intrusion behaviour detection.
4) Function center: the place where the intrusion detection engine snort-IDS, i.e. the virtual IDS, actually runs; multiple snort-IDS instances can be flexibly arranged according to the network state and specific requirements, and the corresponding algorithms can be invoked from the intelligence center for training, learning and knowledge updating.
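The new-rule generation step of the intelligence center (item 2 above), together with the check described in the system overview that a rule is added only when the expert rule library does not already contain it, as an added Python example that is not the patent's code. It assumes the Snort 2.9 rule header as the "certain format", a local sid range starting at 1000000, and constructed expert rules and flagged flows; the input validation is what an engine that writes rules from features extracted out of hostile traffic needs.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Snort local rules conventionally use sid >= 1000000 (assumption for this deployment).
FIRST_LOCAL_SID = 1000000
PROTOCOLS = {"tcp", "udp", "icmp"}
# Header of a Snort 2.9 rule: action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
RuleKey = Tuple[str, str, str, str, str]  # (proto, src, sport, dst, dport)


def _port(value) -> str:
    if value is None:
        return "any"
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {value!r}")
    return str(port)


def rule_from_flow(flow: Dict[str, object], sid: int, msg: str) -> str:
    """Compile the features extracted from a flagged flow into one Snort rule.

    Addresses are validated with ipaddress, ports are range-checked and the
    message is restricted to a safe character set, so that values taken from
    hostile traffic cannot break the rule file or smuggle in extra options.
    """
    proto = str(flow["proto"]).lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    src = str(ipaddress.ip_address(flow["src_ip"]))
    dst = str(ipaddress.ip_address(flow["dst_ip"]))
    if proto == "icmp":                      # ICMP carries no ports
        sport = dport = "any"
    else:
        sport, dport = _port(flow.get("src_port")), _port(flow.get("dst_port"))
    if not re.fullmatch(r"[A-Za-z0-9 _.:/-]{1,120}", msg):
        raise ValueError("message contains characters not allowed in a rule")
    return (f"alert {proto} {src} {sport} -> {dst} {dport} "
            f'(msg:"{msg}"; sid:{sid}; rev:1;)')


def rule_key(rule: str) -> RuleKey:
    """Header tuple used to decide whether the expert rule library already has a rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    return (m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])


def supplement_rule_library(expert_rules: List[str], flagged_flows: List[Dict[str, object]],
                            next_sid: Optional[int] = None) -> List[str]:
    """Return the new rules to append: one per flagged flow whose header is not yet known."""
    if next_sid is None:  # continue after the highest sid already in the library
        sids = [int(s) for r in expert_rules for s in re.findall(r"sid:(\d+)", r)]
        next_sid = max(sids, default=FIRST_LOCAL_SID - 1) + 1
    known = {rule_key(r) for r in expert_rules}
    added: List[str] = []
    for flow in flagged_flows:
        candidate = rule_from_flow(flow, next_sid, f"ML anomaly {flow['label']}")
        key = rule_key(candidate)
        if key in known:
            continue                         # already covered by the expert rule library
        known.add(key)
        added.append(candidate)
        next_sid += 1
    return added


# Constructed sample data (not from the patent): one existing rule and four flagged flows,
# of which the first duplicates the existing rule and the fourth repeats the third.
EXPERT_RULES = [
    'alert tcp 203.0.113.7 44123 -> 192.168.1.20 80 (msg:"known web probe"; sid:1000000; rev:1;)',
]
FLAGGED_FLOWS = [
    {"proto": "tcp", "src_ip": "203.0.113.7", "src_port": 44123,
     "dst_ip": "192.168.1.20", "dst_port": 80, "label": "Probe"},
    {"proto": "udp", "src_ip": "198.51.100.9", "src_port": 5353,
     "dst_ip": "192.168.1.20", "dst_port": 53, "label": "DoS"},
    {"proto": "icmp", "src_ip": "198.51.100.9", "dst_ip": "192.168.1.20", "label": "ICMP flood"},
    {"proto": "icmp", "src_ip": "198.51.100.9", "dst_ip": "192.168.1.20", "label": "ICMP flood"},
]

if __name__ == "__main__":
    for rule in supplement_rule_library(EXPERT_RULES, FLAGGED_FLOWS):
        print(rule)
```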
2. Design and implementation of the client module
The client module includes the client agent and the packet sniffing module. The client module captures data by installing Tcpdump. Tcpdump can completely intercept the packets transmitted in the network and provide them for analysis; it supports filtering by network layer, protocol, host, network or port.
To capture packets, the network card of the client module needs to be set to promiscuous mode so as to listen to all network devices on the network. Tcpdump is then used to sniff and capture the current network data; the client agent's packet upload program packages the collected traffic file as needed, sends it to the cloud agent after data compression and conversion to a hex character stream, and waits for the cloud agent to return the detection result.
The client module can use the Linux cron command to capture and save packets on a schedule, and specifies that a tcpdump file is generated every 1000 network connections. The start time STIME of the capture and the end time ETIME of the capture are set, each captured packet file is named $STIME-$ETIME, and it is stored temporarily on the local machine in .pcap.gz compressed format.
3. Design and implementation of the cloud module
The cloud module includes the cloud agent, the expert rule library, the log database, the machine learning library and the intrusion detection engine. The specific cloud intrusion detection process is shown in Fig. 3.
1) Design of the cloud agent
The cloud agent is deployed on the master node of OpenStack. First, the cloud agent receives, through the communication module, the traffic data transmitted from the client; second, the cloud agent transfers the received traffic file to the cloud compute nodes, and the intrusion detection engine deployed on the compute nodes detects intrusion behaviour; finally, the cloud agent returns the detection result to the client agent and the SDN controller.
2) Design of the cloud databases
This scheme mainly designs two kinds of database in the cloud, a feature-oriented expert rule library and a log-oriented log database. Both databases are implemented on MySQL. The expert rule library stores records such as the rule table and the event table; the log database backs up the captured network packets and records the alarm logs generated by the intrusion detection engine.
3) Design of the cloud intrusion detection engine and the machine learning library
The cloud intrusion detection engine uses the open-source intrusion detection software Snort to realize signature-based intrusion detection. Snort is a lightweight, rule-based network intrusion detection system. It uses a rule-based search mechanism, implemented as content-based pattern matching on packets, to find intrusion behaviour.
As shown in Fig. 4, Snort mainly consists of 5 basic modules: sniffer, decoder, preprocessor, detection engine and alert output; the output results are recorded in the log database, and the detection engine detects intrusion behaviour according to the expert rule library. To make intrusion detection on data streams convenient, Snort uses a modular design, and users can extend Snort on demand by designing third-party plugins. This scheme uses a machine learning plugin on the Snort platform; the plugin can integrate and develop several machine learning algorithms to construct the machine learning library, so as to realize anomaly detection and generate new rules.
This scheme designs and constructs a machine learning library based on the various machine learning algorithms that have been introduced into existing IDSs, adding popular algorithms such as SVM, CNN, Random Forest, SOM and K-NN, and combines it with Snort's signature-based intrusion detection over the expert rule library. The machine learning library is implemented as a third-party plugin: by loading the machine learning plugin into the Snort software, a cloud hybrid network intrusion detection system architecture is realized.
4. Design and implementation of the communication pipe between client and cloud
The client agent needs to send the packets collected by the client to the cloud agent, and also needs to receive the results returned from the cloud agent. The cloud agent not only needs to receive the data sent from the client but also needs to send the feedback results of the intrusion detection engine back to the client agent. This is therefore a full-duplex operating mode in which both sides are both client and server.
As shown in Fig. 2, the HTTP protocol is chosen for communication between the client agent and the cloud. The communication mainly uses two HTTP methods, GET and POST: the system requests access to data resources by the GET method and requests the server to transmit the body of an information entity by the POST method. The client agent sends HTTP requests to the cloud agent to obtain resources. A time interval T is first set so that a script runs automatically on a timer to capture packets and upload the packet data in real time. Specifically, the client agent establishes a socket connection with the cloud agent and polls a local folder; once a new Tcpdump file is generated, the client agent sends an HTTP POST request and the cloud agent responds to the HTTP request immediately. The client agent compresses and encapsulates the captured packet resource and transmits it to the cloud agent in JSON format. The cloud agent receives the data, parses the JSON data to restore the original packets, and stores them in the log database as a backup.
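The packaging of a capture described in section 2 (the $STIME-$ETIME file name, .pcap.gz compression, conversion to a hex character stream) and the JSON exchange of section 4 (the cloud agent parsing the JSON and restoring the raw packets), as an added Python example that is not the patent's code. The JSON field names, the size limit and the one-record sample capture are assumptions; the checks on the client-supplied file name, declared size, hash and pcap magic are the ones a cloud agent accepting uploads from many clients would want.

```python
import binascii
import gzip
import hashlib
import json
import re
import struct
import zlib
from typing import Tuple

# Constructed limits and field names (assumptions, not from the patent).
MAX_RAW_BYTES = 64 * 1024 * 1024          # refuse decompressed captures above 64 MiB
NAME_RE = re.compile(r"^\d{14}-\d{14}$")  # $STIME-$ETIME as YYYYMMDDhhmmss pairs
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)    # microsecond and nanosecond pcap headers


def pack_capture(stime: str, etime: str, pcap: bytes) -> str:
    """Client agent side: gzip the capture, hex-encode it and wrap it in JSON."""
    if not NAME_RE.match(f"{stime}-{etime}"):
        raise ValueError("STIME/ETIME must be 14-digit timestamps")
    body = {
        "file": f"{stime}-{etime}.pcap.gz",
        "sha256": hashlib.sha256(pcap).hexdigest(),  # integrity of the raw pcap
        "raw_len": len(pcap),
        "data": binascii.hexlify(gzip.compress(pcap)).decode("ascii"),
    }
    return json.dumps(body)


def unpack_capture(payload: str) -> Tuple[str, bytes]:
    """Cloud agent side: validate the upload and restore the raw pcap bytes.

    Every field comes from the client, so the name is matched against the
    expected pattern (no path components), the decompressed size is capped
    before inflating, and the hash and pcap magic are checked afterwards.
    """
    body = json.loads(payload)
    name = body["file"]
    if not isinstance(name, str) or not name.endswith(".pcap.gz") \
            or not NAME_RE.match(name[: -len(".pcap.gz")]):
        raise ValueError(f"rejecting capture name {name!r}")
    declared = int(body["raw_len"])
    if not 24 <= declared <= MAX_RAW_BYTES:
        raise ValueError("declared capture size out of range")
    gz = binascii.unhexlify(body["data"])
    # Inflate with a hard ceiling so a small upload cannot expand without bound.
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    raw = inflater.decompress(gz, declared + 1)
    if inflater.unconsumed_tail or len(raw) != declared:
        raise ValueError("decompressed size does not match declaration")
    if hashlib.sha256(raw).hexdigest() != body["sha256"]:
        raise ValueError("sha256 mismatch")
    if struct.unpack("<I", raw[:4])[0] not in PCAP_MAGICS:
        raise ValueError("payload is not a little-endian pcap file")
    return name, raw


def is_rejected(payload: str) -> bool:
    """True when the cloud agent refuses the upload (used to exercise the checks)."""
    try:
        unpack_capture(payload)
    except (ValueError, KeyError, TypeError, binascii.Error):
        return True
    return False


def constructed_pcap() -> bytes:
    """A minimal one-record pcap (global header + one 34-byte frame), built inline."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes.fromhex("ffffffffffff0200000000010800") + b"\x45" + b"\x00" * 19
    record = struct.pack("<IIII", 1557360000, 0, len(frame), len(frame)) + frame
    return header + record


def roundtrip_ok() -> bool:
    pcap = constructed_pcap()
    name, restored = unpack_capture(pack_capture("20190509120000", "20190509120500", pcap))
    return name == "20190509120000-20190509120500.pcap.gz" and restored == pcap


if __name__ == "__main__":
    print("round trip ok:", roundtrip_ok())
```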
The software environment and development platform that the present invention tests: for client, hardware platform is 2.8 GHz Intel Core i5, software platform are Mac OS X10.14.4;Cloud hardware platform is Intel (R) Core (TM) i7-7700 CPU@ 3.60GHz, OpenStack software platform are Centos release6.5, Ubuntu release14.04, OpenStack edition This number is liberty.The exploitation and translation and compiling environment being related to include PyCharm Community Edition 2017.2.3, Python 3.6, Xcode version 10.2.1, Snort version 2.9.11.1.
The machine learning algorithms SOM, BP, CNN and SOM&KNN were developed as plug-ins for Snort-IDS, and each algorithm was simulation-tested under different attack scenarios. The four attack scenarios are: normal traffic mixed with Probe attacks, normal traffic mixed with DoS attacks, normal traffic mixed with U2R and R2L attacks, and mixed attacks. The experiment used the KDD CUP99 data set to train the models; the numeric values of the KDD99 data set were one-hot encoded and zero-padded, so that each data sample finally has 144 feature dimensions. The data set was split into a training set, a validation set and a test set; the test set is used to randomly select one new sample in each round of incremental learning. First, when training the SOM neural network, a 10 × 10 weight matrix is used as the map layer. The SOM weight map is then used as the input of K-NN: the Euclidean distance from each sample to each of the 100 neurons is recalculated, and the top 3 winning neurons are selected as the result. Second, when training the CNN neural network, two convolutional layers, two pooling layers and two fully connected layers are implemented; each input sample finally yields a 23-dimensional label vector, in which the index of the maximum value corresponds to the attack type. Finally, the SOM and BP algorithms are implemented as the control group. Fig. 6 gives the four experimental results, showing the binary classification precision of the different algorithms. The results show that for attack types with many samples in the data set, such as DoS and Probe attacks, the algorithms have high detection efficiency, whereas for the U2R and R2L attacks, which have few samples, the effect of the classifier is not obvious. Overall, the detection efficiency of the SOM and KNN hybrid algorithm is relatively good, while the CNN neural network performs poorly at detecting real-time streams; a feasible solution is to increase the number of samples input in each incremental learning round.
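The preprocessing and the SOM&KNN hybrid described above, as an added worked example in Python that is not part of the patent or its implementation: categorical fields are one-hot encoded, numeric fields are scaled and the vector is zero-padded (to 12 dimensions here rather than the patent's 144), a small self-organising map is trained (4 × 4 rather than 10 × 10), each neuron is labelled by the samples it wins, and a new sample is classified by its Euclidean distance to the labelled neurons, with the 3 nearest neurons voting. The records, field names and ranges are constructed for the demo; the inverse-distance weighting of the 3 winners' votes is a design choice added here, not something the patent states.

```python
import math
import random

# Constructed KDD99-style connection records (not real KDD CUP99 data).
# Categorical fields are one-hot encoded, numeric fields are scaled to [0, 1],
# and the vector is zero-padded to FEATURE_DIM, mirroring the preprocessing the
# patent describes (which pads real KDD99 records to 144 dimensions).
CATEGORICAL = {"protocol_type": ["tcp", "udp", "icmp"], "flag": ["SF", "S0", "REJ"]}
NUMERIC_MAX = {"src_bytes": 1000.0, "count": 500.0, "serror_rate": 1.0}
FEATURE_DIM = 12


def one_hot_encode(rec):
    vec = []
    for field, values in CATEGORICAL.items():
        vec.extend(1.0 if rec[field] == v else 0.0 for v in values)
    for field, maxval in NUMERIC_MAX.items():
        vec.append(min(rec[field], maxval) / maxval)
    return vec + [0.0] * (FEATURE_DIM - len(vec))   # zero padding


def make_records(n_per_class, seed=1):
    """Three constructed, clearly separated traffic profiles: normal, DoS (SYN flood) and probe."""
    rng = random.Random(seed)
    recs = []
    for _ in range(n_per_class):
        recs.append(({"protocol_type": "tcp", "flag": "SF", "src_bytes": rng.uniform(200, 800),
                      "count": rng.uniform(1, 20), "serror_rate": rng.uniform(0.0, 0.05)}, "normal"))
        recs.append(({"protocol_type": "tcp", "flag": "S0", "src_bytes": 0.0,
                      "count": rng.uniform(400, 500), "serror_rate": rng.uniform(0.9, 1.0)}, "dos"))
        recs.append(({"protocol_type": "icmp", "flag": "REJ", "src_bytes": rng.uniform(0, 40),
                      "count": rng.uniform(100, 200), "serror_rate": rng.uniform(0.0, 0.1)}, "probe"))
    return recs


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class SOM:
    """Minimal self-organising map on a rows x cols grid (the patent uses 10 x 10)."""

    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        self.weights = [[rng.random() for _ in range(dim)] for _ in range(rows * cols)]
        self.labels = {}          # neuron index -> majority label, filled by label_neurons

    def bmu(self, x):
        """Index of the best matching unit (closest neuron) for sample x."""
        return min(range(len(self.weights)), key=lambda i: euclid(x, self.weights[i]))

    def train(self, X, epochs=40, lr0=0.5):
        """Classic SOM training with linearly decaying learning rate and neighbourhood radius."""
        r0 = max(self.rows, self.cols) / 2.0
        steps, t = epochs * len(X), 0
        for _ in range(epochs):
            for x in X:
                frac = t / steps
                lr, radius = lr0 * (1 - frac), max(r0 * (1 - frac), 1e-3)
                br, bc = divmod(self.bmu(x), self.cols)
                for i, w in enumerate(self.weights):
                    r, c = divmod(i, self.cols)
                    d = math.hypot(r - br, c - bc)
                    if d <= radius:
                        h = math.exp(-(d * d) / (2 * radius * radius))
                        for j in range(len(w)):
                            w[j] += lr * h * (x[j] - w[j])
                t += 1

    def label_neurons(self, X, y):
        """Give each neuron the majority label of the training samples it wins."""
        votes = {}
        for x, lab in zip(X, y):
            tally = votes.setdefault(self.bmu(x), {})
            tally[lab] = tally.get(lab, 0) + 1
        self.labels = {i: max(v, key=v.get) for i, v in votes.items()}

    def predict_knn(self, x, k=3):
        """Distance from x to every labelled neuron; the k winning neurons vote (inverse-distance weighted)."""
        ranked = sorted(((euclid(x, self.weights[i]), lab) for i, lab in self.labels.items()))[:k]
        score = {}
        for d, lab in ranked:
            score[lab] = score.get(lab, 0.0) + 1.0 / (d + 1e-6)
        return max(score, key=score.get)


def run_demo():
    """Train the SOM, label its neurons, classify via K-NN over the weight map; returns (train_acc, prediction)."""
    data = make_records(15)
    X = [one_hot_encode(r) for r, _ in data]
    y = [lab for _, lab in data]
    som = SOM(4, 4, FEATURE_DIM)
    som.train(X)
    som.label_neurons(X, y)
    acc = sum(som.predict_knn(x) == lab for x, lab in zip(X, y)) / len(X)
    # a previously unseen SYN-flood-like record, constructed for the demo
    unseen = {"protocol_type": "tcp", "flag": "S0", "src_bytes": 0.0, "count": 450, "serror_rate": 0.97}
    return acc, som.predict_knn(one_hot_encode(unseen))


if __name__ == "__main__":
    print(run_demo())
```

Labelling neurons by the samples they win is what makes the unsupervised SOM usable as a classifier; neurons that never win a sample stay unlabelled and are simply ignored by the K-NN step, which is why the vote runs over labelled neurons only.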
Next, the intrusion detection system was tested, mainly with denial-of-service (DoS) attacks. A denial-of-service attack, also called a flood attack, prevents a computer or server from handling legitimate requests by occupying system resources or network resources; it is one of the main means of network attack. The attack scenario is shown in Fig. 5. Using simulated attack streams for three attack modes, namely TCP SYN flood, UDP flood and ICMP ping flood, corresponding system simulation tests were carried out. The detection result is returned to the SDN controller in JSON format, and the SDN controller issues a flow table policy to carry out active defence, thereby achieving quick response and security protection of the system. The delay of the experiment is shown in Fig. 7; it is not difficult to see that the response time from external attack to defence is controlled within 10 to 20 seconds, which demonstrates the strong linkage coordination ability and real-time detection level of the system.
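The detection-to-defence loop of this experiment, as an added example in Python (not code from the patent): a per-source sliding-window counter flags TCP SYN, UDP and ICMP echo floods, emits each detection as a JSON document, and a controller-side handler turns that JSON into a drop rule for the offending source, recording the delay between the first flood packet and the detection. The packet records, the threshold (100 packets within 5 s), the OpenFlow-style match field names and the drop-rule layout are all assumptions made for the demo; the patent does not name a controller or a rule format, and a real controller would install the rule through its own API.

```python
import json

# Constructed packet records standing in for what the client's packet sniffing module
# forwards to the cloud (not captured traffic). Each entry: (timestamp_s, src, dst, proto, flags).
def make_packets():
    pkts = []
    # benign web client: a handful of SYNs, each followed by data (PSH/ACK)
    for i in range(5):
        pkts.append((0.5 * i, "10.0.0.7", "10.0.0.100", "tcp", "S"))
        pkts.append((0.5 * i + 0.1, "10.0.0.7", "10.0.0.100", "tcp", "PA"))
    # SYN flood: 300 half-open SYNs in two seconds from one source
    for i in range(300):
        pkts.append((3.0 + i / 150.0, "10.0.0.66", "10.0.0.100", "tcp", "S"))
    # UDP flood from a second source
    for i in range(200):
        pkts.append((6.0 + i / 100.0, "10.0.0.9", "10.0.0.100", "udp", ""))
    # ICMP ping flood from a third source
    for i in range(150):
        pkts.append((9.0 + i / 75.0, "10.0.0.11", "10.0.0.100", "icmp", "echo"))
    return sorted(pkts)


THRESHOLD = 100      # packets of one flood kind from one source ...
WINDOW_S = 5.0       # ... within this many seconds (constructed values, not the patent's)


def classify_packet(proto, flags):
    """Map a packet to the flood kind it could belong to, or None for anything else."""
    if proto == "tcp" and flags == "S":
        return "tcp_syn_flood"
    if proto == "udp":
        return "udp_flood"
    if proto == "icmp" and flags == "echo":
        return "icmp_ping_flood"
    return None


def detect_floods(packets):
    """Sliding-window per-source counter; returns one JSON detection per (src, kind) crossing THRESHOLD."""
    windows = {}       # (src, kind) -> timestamps still inside the window
    reported = set()
    detections = []
    for ts, src, dst, proto, flags in packets:
        kind = classify_packet(proto, flags)
        if kind is None:
            continue
        key = (src, kind)
        w = windows.setdefault(key, [])
        w.append(ts)
        while w and w[0] < ts - WINDOW_S:     # expire packets older than the window
            w.pop(0)
        if len(w) >= THRESHOLD and key not in reported:
            reported.add(key)
            detections.append(json.dumps({
                "type": kind, "src": src, "dst": dst, "count": len(w),
                "window_s": WINDOW_S, "first_seen": w[0], "detected_at": ts,
            }))
    return detections


IP_PROTO = {"tcp_syn_flood": 6, "udp_flood": 17, "icmp_ping_flood": 1}


def controller_handle(detection_json, idle_timeout=60):
    """Controller side: turn a JSON detection into a drop rule for the source (OpenFlow-style fields, illustrative)."""
    det = json.loads(detection_json)
    return {
        "priority": 1000,
        "match": {"eth_type": 0x0800, "ipv4_src": det["src"], "ipv4_dst": det["dst"],
                  "ip_proto": IP_PROTO[det["type"]]},
        "actions": [],                       # empty action list = drop
        "idle_timeout": idle_timeout,        # rule ages out once the flood stops
        "reason": det["type"],
        "response_delay_s": round(det["detected_at"] - det["first_seen"], 3),
    }


def run_pipeline(packets=None):
    """Detection on the cloud side, rule construction on the controller side; returns the flow rules."""
    packets = packets if packets is not None else make_packets()
    return [controller_handle(d) for d in detect_floods(packets)]


if __name__ == "__main__":
    for rule in run_pipeline():
        print(json.dumps(rule))
```

Keying the counter on (source, flood kind) keeps a benign host that merely opens a few connections below the threshold, and the idle timeout means the drop rule is withdrawn automatically rather than blocking the address indefinitely.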

Claims (4)

1. An intrusion detection system based on a software-defined security architecture, characterized in that the intrusion detection system comprises an SDN controller, a client module and a cloud module; the client module comprises a client agent, a communication transmission module and a packet sniffing module; the cloud module comprises a cloud agent, a communication transmission module and an intrusion detection engine; the packet sniffing module collects network data and delivers it to the client agent, the client agent encapsulates the data and communicates with the cloud agent through the communication transmission module, and the communication transmission module uses a communication protocol customized for the cloud agent and the client; the cloud agent receives the traffic data sent from the client module, sends the traffic data to the intrusion detection engine for detection, and then returns the intrusion detection result to the client agent, and quick response and active defence are achieved through the SDN controller; the intrusion detection engine uses a Snort-based feature detection technique and a machine-learning-based anomaly detection technique.
2. The intrusion detection system based on a software-defined security architecture according to claim 1, characterized in that the cloud module further comprises an expert rule library, a machine learning library and a log database; the intrusion detection engine divides traffic into known attacks and unknown attacks by means of the expert rule library; the Snort-based feature detection technique is used for real-time detection of known attacks; unknown attacks are sent to the machine learning library for training and learning, new rules are constructed in real time to supplement the expert rule library, and the data packets and detection results are recorded in the log database.
3. The intrusion detection system based on a software-defined security architecture according to claim 1, characterized in that the anomaly detection technique uses an incremental learning method: according to the data traffic arriving in sequence, real-time incremental training is performed and saved into the classifier model, and new traffic samples arriving later can be automatically recognized and classified by the existing model to distinguish whether they are malicious traffic.
4. The machine-learning-based anomaly detection technique according to claim 3, characterized in that the incremental learning method comprises an offline part and an online part, the main steps being offline model training, offline model validation and online incremental learning; the offline part uses the historical data of the cloud log database, and the online part is based on new real-time data samples.
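Claims 3 and 4 describe an incremental learning method with an offline part (train and validate on log-database history) and an online part (update the classifier as traffic arrives in sequence). The following Python example is added here and is not from the patent: a nearest-centroid classifier whose centroids are running means, so each online update is an exact incremental retraining on all data seen so far. The constructed features, the "low-and-slow" drift scenario and the assumption that each online sample's label is confirmed later (the patent's experiment draws labelled test-set samples for each incremental step) are specific to this demo; it also contrasts an adaptive model with a frozen copy on the same stream to show what the online part buys.

```python
import math
import random

# Feature vectors are constructed and already scaled to [0, 1]:
# (packet rate, SYN ratio, mean payload size). Not data from the patent's log database.
def sample(rng, rate, syn, payload):
    return [rng.uniform(*rate), rng.uniform(*syn), rng.uniform(*payload)]


def normal(rng):
    return sample(rng, (0.0, 0.1), (0.0, 0.1), (0.4, 0.9))


def flood(rng):                       # historical high-rate flood, as seen in the log history
    return sample(rng, (0.8, 1.0), (0.9, 1.0), (0.0, 0.05))


def slow_flood(rng):                  # later low-and-slow variant: the drift the online part must absorb
    return sample(rng, (0.1, 0.2), (0.5, 0.6), (0.3, 0.5))


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class IncrementalCentroidClassifier:
    """Nearest-centroid model whose centroids are running means, so an online update is O(dim)
    and yields the same model as retraining from scratch on everything seen so far."""

    def __init__(self):
        self.sums, self.counts = {}, {}

    def partial_fit(self, x, label):
        s = self.sums.setdefault(label, [0.0] * len(x))
        for i, v in enumerate(x):
            s[i] += v
        self.counts[label] = self.counts.get(label, 0) + 1

    def centroid(self, label):
        n = self.counts[label]
        return [v / n for v in self.sums[label]]

    def predict(self, x):
        return min(self.counts, key=lambda lab: euclid(x, self.centroid(lab)))

    def accuracy(self, samples):
        return sum(self.predict(x) == y for x, y in samples) / len(samples)


def offline_phase(history, validation, min_accuracy=0.95):
    """Offline part: train on log-database history, then validate before the model goes online."""
    model = IncrementalCentroidClassifier()
    for x, y in history:
        model.partial_fit(x, y)
    val_acc = model.accuracy(validation)
    if val_acc < min_accuracy:
        raise ValueError("model rejected by offline validation: accuracy %.2f" % val_acc)
    return model, val_acc


def online_phase(model, stream, incremental=True):
    """Online part: classify each arriving sample with the current model, then (if incremental)
    fold the sample and its confirmed label into the model. Returns accuracy over the stream."""
    correct = 0
    for x, y in stream:
        correct += model.predict(x) == y
        if incremental:
            model.partial_fit(x, y)
    return correct / len(stream)


def build_data(seed=3):
    rng = random.Random(seed)
    history = [(normal(rng), "normal") for _ in range(10)] + [(flood(rng), "malicious") for _ in range(10)]
    validation = [(normal(rng), "normal") for _ in range(10)] + [(flood(rng), "malicious") for _ in range(10)]
    stream = []
    for _ in range(40):                     # online traffic: normal interleaved with the drifted flood
        stream.append((normal(rng), "normal"))
        stream.append((slow_flood(rng), "malicious"))
    return history, validation, stream


def run_demo():
    """Returns (offline validation accuracy, frozen-model online accuracy, incremental-model online accuracy)."""
    history, validation, stream = build_data()
    static_model, val_acc = offline_phase(history, validation)
    adaptive_model, _ = offline_phase(history, validation)
    static_acc = online_phase(static_model, stream, incremental=False)
    adaptive_acc = online_phase(adaptive_model, stream, incremental=True)
    return val_acc, static_acc, adaptive_acc


if __name__ == "__main__":
    print(run_demo())
```

The frozen model classifies every drifted flood sample as normal, so its online accuracy is exactly the share of normal samples in the stream; the incremental model misclassifies only the first few drifted samples before the malicious centroid has moved far enough to capture the new variant. The offline validation gate is what keeps a badly trained model from ever reaching the online part.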
CN201910391719.5A 2019-07-17 2019-07-17 A kind of intruding detection system based on software definition security architecture Pending CN110224990A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910391719.5A CN110224990A (en) 2019-07-17 2019-07-17 A kind of intruding detection system based on software definition security architecture

Publications (1)

Publication Number Publication Date
CN110224990A true CN110224990A (en) 2019-09-10

Family

ID=67820783

Country Status (1)

Country Link
CN (1) CN110224990A (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110753064A (en) * 2019-10-28 2020-02-04 中国科学技术大学 Machine learning and rule matching fused security detection system
CN110796243A (en) * 2019-11-27 2020-02-14 重庆大学 Continuous operation monitoring data simulation generation method and device
CN110855651A (en) * 2019-11-05 2020-02-28 中盈优创资讯科技有限公司 Automatic generation method and system of access control strategy based on traffic driving
CN110912753A (en) * 2019-12-11 2020-03-24 中山大学 Cloud security event real-time detection system and method based on machine learning
CN111082992A (en) * 2019-12-23 2020-04-28 超讯通信股份有限公司 SDN network data packet identification method based on deep learning
CN111131304A (en) * 2019-12-31 2020-05-08 嘉兴学院 Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system
CN111191683A (en) * 2019-12-13 2020-05-22 南京邮电大学 Network security situation assessment method based on random forest and Bayesian network
CN111404909A (en) * 2020-03-10 2020-07-10 上海豌豆信息技术有限公司 Security detection system and method based on log analysis
CN111553386A (en) * 2020-04-07 2020-08-18 哈尔滨工程大学 AdaBoost and CNN-based intrusion detection method
CN111628990A (en) * 2020-05-22 2020-09-04 北京金山云网络技术有限公司 Attack recognition method and device and server
CN111917802A (en) * 2020-08-19 2020-11-10 北京微步在线科技有限公司 Intrusion detection rule test platform and test method
CN112187752A (en) * 2020-09-18 2021-01-05 湖北大学 Intrusion detection classification method and device based on random forest
CN112367290A (en) * 2020-09-11 2021-02-12 浙江大学 Endogenous safe WAF construction method
CN113190837A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack behavior detection method and system based on file service system
CN113364723A (en) * 2020-03-05 2021-09-07 奇安信科技集团股份有限公司 DDoS attack monitoring method and device, storage medium and computer equipment
CN113691562A (en) * 2021-09-15 2021-11-23 神州网云(北京)信息技术有限公司 Method for implementing rule engine for accurately identifying malicious network communication
CN114124446A (en) * 2021-10-12 2022-03-01 广西电网有限责任公司桂林供电局 Intrusion detection system based on Snort engine and adopting logistic regression algorithm
CN114168949A (en) * 2021-12-21 2022-03-11 江西省锐华互联网科技有限公司 Application software anomaly detection method and system applied to artificial intelligence
CN114531287A (en) * 2022-02-17 2022-05-24 恒安嘉新(北京)科技股份公司 Method, device, equipment and medium for detecting virtual resource acquisition behavior
CN114679331A (en) * 2022-04-11 2022-06-28 北京国联天成信息技术有限公司 AI technology-based malicious code passive detection method and system
CN114741149A (en) * 2022-04-15 2022-07-12 北京因数健康科技有限公司 Page switching method and device for single-page application, storage medium and electronic equipment
CN114978604A (en) * 2022-04-25 2022-08-30 西南大学 Security gateway system for software defined service perception
CN115022100A (en) * 2022-08-10 2022-09-06 东南大学 Internet of things intrusion detection method based on flow image and machine learning
CN115086026A (en) * 2022-06-14 2022-09-20 盐城工业职业技术学院 Network security analysis system
CN115176444A (en) * 2020-02-11 2022-10-11 大陆汽车科技有限公司 Intrusion and anomaly detection method based on edge calculation
WO2022242415A1 (en) * 2021-05-21 2022-11-24 浙江大学 Rest interface specification packaging system based on network sniffing
CN116319386A (en) * 2023-05-17 2023-06-23 北京国信蓝盾科技有限公司 Availability and fault prediction method and device, electronic equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160182541A1 (en) * 2014-12-18 2016-06-23 Gwangju Institute Of Science And Technology Method for detecting intrusion in network
CN105871787A (en) * 2015-01-22 2016-08-17 中国移动通信集团公司 Intrusion prevention method applied to cloud virtual network, device, network device and system
CN106254330A (en) * 2016-07-29 2016-12-21 中国电子科技集团公司第五十四研究所 A kind of software defined network intrusion detection method based on BP neutral net
CN108173708A (en) * 2017-12-18 2018-06-15 北京天融信网络安全技术有限公司 Anomalous traffic detection method, device and storage medium based on incremental learning
CN108270779A (en) * 2017-12-29 2018-07-10 湖南优利泰克自动化系统有限公司 A kind of automatic generation method of intruding detection system safety regulation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
FAN YANG ET AL: "A Testbed for Intelligent Software Defined Security Framework", 《ACM TURING CELEBRATION CONFERENCE - CHINA (ACM TURC 2019)》 *
吕秀华: "Design of a hybrid intrusion detection system model based on Snort and immune principles", 《Network Communication and Security》 *

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110753064B (en) * 2019-10-28 2021-05-07 中国科学技术大学 Machine learning and rule matching fused security detection system
WO2021082339A1 (en) * 2019-10-28 2021-05-06 中国科学技术大学 Machine learning and rule matching integrated security detection method and device
CN110753064A (en) * 2019-10-28 2020-02-04 中国科学技术大学 Machine learning and rule matching fused security detection system
CN110855651B (en) * 2019-11-05 2021-12-24 中盈优创资讯科技有限公司 Automatic generation method and system of access control strategy based on traffic driving
CN110855651A (en) * 2019-11-05 2020-02-28 中盈优创资讯科技有限公司 Automatic generation method and system of access control strategy based on traffic driving
CN110796243A (en) * 2019-11-27 2020-02-14 重庆大学 Continuous operation monitoring data simulation generation method and device
CN110912753A (en) * 2019-12-11 2020-03-24 中山大学 Cloud security event real-time detection system and method based on machine learning
CN110912753B (en) * 2019-12-11 2022-03-25 中山大学 Cloud security event real-time detection system and method based on machine learning
CN111191683A (en) * 2019-12-13 2020-05-22 南京邮电大学 Network security situation assessment method based on random forest and Bayesian network
CN111191683B (en) * 2019-12-13 2023-09-22 南京邮电大学 Network security situation assessment method based on random forest and Bayesian network
CN111082992A (en) * 2019-12-23 2020-04-28 超讯通信股份有限公司 SDN network data packet identification method based on deep learning
CN111131304A (en) * 2019-12-31 2020-05-08 嘉兴学院 Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system
CN111131304B (en) * 2019-12-31 2022-01-11 嘉兴学院 Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system
CN115176444A (en) * 2020-02-11 2022-10-11 大陆汽车科技有限公司 Intrusion and anomaly detection method based on edge calculation
CN113364723A (en) * 2020-03-05 2021-09-07 奇安信科技集团股份有限公司 DDoS attack monitoring method and device, storage medium and computer equipment
CN111404909B (en) * 2020-03-10 2022-05-31 上海豌豆信息技术有限公司 Safety detection system and method based on log analysis
CN111404909A (en) * 2020-03-10 2020-07-10 上海豌豆信息技术有限公司 Security detection system and method based on log analysis
CN111553386B (en) * 2020-04-07 2022-05-20 哈尔滨工程大学 AdaBoost and CNN-based intrusion detection method
CN111553386A (en) * 2020-04-07 2020-08-18 哈尔滨工程大学 AdaBoost and CNN-based intrusion detection method
CN111628990A (en) * 2020-05-22 2020-09-04 北京金山云网络技术有限公司 Attack recognition method and device and server
CN111917802A (en) * 2020-08-19 2020-11-10 北京微步在线科技有限公司 Intrusion detection rule test platform and test method
CN112367290A (en) * 2020-09-11 2021-02-12 浙江大学 Endogenous safe WAF construction method
CN112187752A (en) * 2020-09-18 2021-01-05 湖北大学 Intrusion detection classification method and device based on random forest
CN113190837A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack behavior detection method and system based on file service system
WO2022242415A1 (en) * 2021-05-21 2022-11-24 浙江大学 Rest interface specification packaging system based on network sniffing
CN113691562B (en) * 2021-09-15 2024-04-23 神州网云(北京)信息技术有限公司 Rule engine implementation method for accurately identifying malicious network communication
CN113691562A (en) * 2021-09-15 2021-11-23 神州网云(北京)信息技术有限公司 Method for implementing rule engine for accurately identifying malicious network communication
CN114124446A (en) * 2021-10-12 2022-03-01 广西电网有限责任公司桂林供电局 Intrusion detection system based on Snort engine and adopting logistic regression algorithm
CN114168949A (en) * 2021-12-21 2022-03-11 江西省锐华互联网科技有限公司 Application software anomaly detection method and system applied to artificial intelligence
CN114531287A (en) * 2022-02-17 2022-05-24 恒安嘉新(北京)科技股份公司 Method, device, equipment and medium for detecting virtual resource acquisition behavior
CN114679331A (en) * 2022-04-11 2022-06-28 北京国联天成信息技术有限公司 AI technology-based malicious code passive detection method and system
CN114679331B (en) * 2022-04-11 2024-02-02 北京国联天成信息技术有限公司 AI technology-based malicious code passive detection method and system
CN114741149A (en) * 2022-04-15 2022-07-12 北京因数健康科技有限公司 Page switching method and device for single-page application, storage medium and electronic equipment
CN114741149B (en) * 2022-04-15 2024-02-27 北京懿医云科技有限公司 Page switching method and device for single-page application, storage medium and electronic equipment
CN114978604A (en) * 2022-04-25 2022-08-30 西南大学 Security gateway system for software defined service perception
CN115086026A (en) * 2022-06-14 2022-09-20 盐城工业职业技术学院 Network security analysis system
CN115022100B (en) * 2022-08-10 2022-11-01 东南大学 Internet of things intrusion detection method based on flow image and machine learning
CN115022100A (en) * 2022-08-10 2022-09-06 东南大学 Internet of things intrusion detection method based on flow image and machine learning
CN116319386A (en) * 2023-05-17 2023-06-23 北京国信蓝盾科技有限公司 Availability and fault prediction method and device, electronic equipment and medium

Similar Documents

Publication Publication Date Title
CN110224990A (en) A kind of intruding detection system based on software definition security architecture
Yu et al. An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks
CN107135093B (en) Internet of things intrusion detection method and detection system based on finite automaton
CN111510433B (en) Internet of things malicious flow detection method based on fog computing platform
Karan et al. Detection of DDoS attacks in software defined networks
CN107683597A (en) Network behavior data collection and analysis for abnormality detection
Hofmann et al. Online intrusion alert aggregation with generative data stream modeling
CN108289088A (en) Abnormal traffic detection system and method based on business model
Su et al. Detecting p2p botnet in software defined networks
Letteri et al. Performance of Botnet Detection by Neural Networks in Software-Defined Networks.
Al Haddad et al. A collaborative framework for intrusion detection (C-NIDS) in Cloud computing
Gumaste et al. Detection of ddos attacks in openstack-based private cloud using apache spark
CN102801738A (en) Distributed DoS (Denial of Service) detection method and system on basis of summary matrices
Bhatt et al. HADS: Hybrid anomaly detection system for IoT environments
Janabi et al. Convolutional neural network based algorithm for early warning proactive system security in software defined networks
CN108833430B (en) Topology protection method of software defined network
Xiao et al. Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model
CN106899978A (en) A kind of wireless network attack localization method
Cheetancheri et al. A distributed host-based worm detection system
Ádám et al. Artificial neural network based IDS
Wang et al. Botnet detection using social graph analysis
Umamaheswari et al. Honeypot TB-IDS: trace back model based intrusion detection system using knowledge based honeypot construction model
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
Mohsin et al. Performance evaluation of SDN DDoS attack detection and mitigation based random forest and K-nearest neighbors machine learning algorithms
Das et al. Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190910