CN110224990A - Intrusion detection system based on a software-defined security architecture - Google Patents
- Publication number: CN110224990A (application CN201910391719.5A)
- Authority: CN (China)
- Prior art keywords: cloud, data, network, detection, module
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G06F18/214: Generating training patterns; bootstrap methods, e.g. bagging or boosting (G06F18/00 Pattern recognition; G06F18/21 Design or setup of recognition systems or techniques)
- G06F21/55: Detecting local intrusion or implementing counter-measures (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06N20/00: Machine learning
- H04L63/0263: Rule management (H04L63/02 firewalls; H04L63/0227 filtering policies)
- H04L63/0281: Proxies (H04L63/02 firewalls)
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic (H04L63/14)
- H04L63/1441: Countermeasures against malicious traffic (H04L63/14)
Abstract
The invention discloses an intrusion detection system based on a software-defined security architecture, in the field of network information security. The system includes a client module and a cloud module; the cloud module includes a cloud agent, an intrusion detection engine, an expert rule library, a machine learning library and a log database. The intrusion detection engine uses signature-based detection built on Snort together with anomaly detection based on machine learning. The software-defined security architecture provides programmable control and global state monitoring of the network: it abstracts the underlying security devices into a unified, transparent access interface below and exposes northbound security applications above. By exploiting the elastic computing, distributed computing, load balancing and big-data processing capacity of cloud computing, the expert rule library, the intrusion detection engine and the associated artificial-intelligence detection algorithms are deployed in the cloud, which improves the intelligent detection efficiency of the system and enhances its dynamic scalability and its ability to respond quickly to new security threats.
Description
Technical field
The application belongs to the field of network information security and in particular relates to an intrusion detection system and detection method under a software-defined security architecture.
Background art
In recent years, with the rapid development of Internet technology, the continuous growth of network scale, the steady rise of network traffic and the increasing complexity of network architectures, traditional network architectures face ever more severe challenges and tests. At the same time, this complex network environment brings many network security problems, such as malware attacks, spoofing attacks and distributed denial-of-service attacks. These increasingly prominent security problems pose ever greater challenges to the traditional security architecture, its service model and its technical means. On the one hand, with the continuous development of related technologies such as cloud computing and virtualization, network application requirements have become more and more complex, and traditional network architectures are difficult to extend and suffer from high configuration complexity. Moreover, while the various virtualization technologies achieve rapid deployment and flexible allocation of network resources, the traditional network security architecture has gradually become overwhelmed and can no longer meet users' needs. On the other hand, existing security defence technologies (such as firewalls and intrusion detection systems) are mostly deployed as hardware devices in the local area network; their functions are relatively limited and their flexibility poor. These security devices or software products are usually isolated from one another and cannot be configured in combination as a system, so they have weak real-time defence capability and poor scalability, and it is difficult for them to adapt to dynamic business demands or to upgrade security functions online.
Software-defined networking (SDN), as an emerging architecture that is dynamic, manageable, cost-effective and adaptable, is reshaping the way networks are thought about and provides important support for the evolution of network information security: the security protection modules can be globally optimised by software definition so as to achieve unified management and dynamic configuration, that is, software-defined security (SDS). SDN decouples network control from forwarding, so that network control becomes directly programmable and the underlying infrastructure is abstracted for applications and network services. Separating the control plane from the data plane makes network management easier; the controller provides centralised control of the network, realises global state monitoring, and can flexibly obtain and collect information on network activity. Through the controller, a network administrator can quickly and easily formulate and issue decisions on how the underlying data-plane systems (switches, routers) handle traffic, integrate heterogeneous architectures and promote the creation of network applications and services that better meet user demands. SDN is managed and controlled centrally, realises dynamic resource allocation and scheduling, and optimises work such as network configuration, monitoring, management and scheduling. Introducing the results of SDN research into existing network security protection technology is therefore a development trend of network information security; software-defined security (SDS) enhances the manageability, coordination level and service quality of the network and offers a feasible way of solving network security problems.
An intrusion detection system (IDS) is one of the key technologies for protecting a network from malicious attacks. It aims to detect malicious activity (including viruses, worms, DDoS attacks and so on) by collecting traffic information at key nodes of the network and analysing all network activity, and to raise alarms in time. An IDS can identify and detect network intrusion behaviour in real time and is widely used in traditional networks. Existing IDS products and security devices are generally deployed inside the local area network, so that their cooperation and linkage are poor. These problems can be solved well by a software-defined-security IDS. In general, a traditional IDS detects attack patterns on the basis of an expert rule library, which results in the risks of a high false-alarm rate and a high miss rate, and it is difficult to detect new types of network attack in real time so as to adapt to a complex and changing network environment.
Most current intrusion detection systems are based on signature detection: once an attacker slightly modifies a known attack and changes its signature, the signature-based method can no longer detect anything anomalous. Given that traditional IDSs face the challenge and threat of a large number of increasingly sophisticated and heterogeneous network attacks, machine learning techniques have been introduced into IDSs to overcome the drawbacks and limitations of traditional IDSs. Because machine learning has good adaptive characteristics and mathematical robustness, algorithms such as neural networks (Neural Network), support vector machines (Support Vector Machine), naive Bayes (Naive Bayes), decision trees (Decision Tree) and random forests (Random Forest) have successively been added to intrusion detection technology. In recent years, research combining machine learning with hot topics and application fields has grown; by learning from existing intrusion data, machine learning algorithms are able to detect novel unknown attacks. The signature-based detection methods currently in use require the features of the intrusion target to be described precisely and rules to be predefined before a match is possible, so they cannot identify and detect unknown attacks; therefore machine learning algorithms with higher precision and stronger robustness will inevitably become a trend and a demand in the development of intrusion detection.
Summary of the invention
In view of the problems of the prior art, the application proposes an intrusion detection system based on a software-defined security architecture. Using the virtualisation support, large-scale data processing, distributed computing and load balancing capabilities of cloud computing, the expert rule library, the intrusion detection engine and the associated artificial-intelligence detection algorithms are deployed in the cloud, providing a solution for deploying an intrusion detection system on the cloud. This not only reduces the operating and processing load on the client and effectively improves the intelligent detection efficiency of the system and its ability to respond quickly to new security threats; the cloud deployment also enhances the dynamic scalability of the system and its ability to allocate resources adaptively.
The scheme is achieved through the following technical solution. An intrusion detection system based on a software-defined security architecture includes an SDN controller, a client module and a cloud module. The client module includes a client agent, a communication transmission module and a packet sniffing module; the cloud module includes a cloud agent, a communication transmission module and an intrusion detection engine. The packet sniffing module collects network data and hands it to the client agent; the client agent encapsulates the data and, through the communication transmission module, communicates with the cloud agent using a communication protocol customised for the cloud agent and the client. The cloud agent receives the traffic data sent from the client module, passes it to the intrusion detection engine for detection, and returns the detection result to the client agent; the SDN controller then realises rapid response and active defence. The intrusion detection engine uses signature detection based on Snort and anomaly detection based on machine learning.
Further, the cloud module also includes an expert rule library, a machine learning library and a log database. The intrusion detection engine separates known attacks from unknown attacks by means of the expert rule library: the Snort-based signature detection is used for real-time detection of known attacks, while unknown attacks are sent to the machine learning library for training and learning, new rules are constructed in real time to supplement the expert rule library, and the packets and detection results are recorded in the log database.
Further, the anomaly detection technology uses an incremental learning method: as traffic data arrives in sequence, it is incrementally trained for real-time detection and the result is saved in the classifier model, so that subsequently arriving traffic samples can be classified automatically by the existing model, distinguishing whether they are malicious traffic, and the detection performance of the classifier is improved through continuous learning.
Further, the incremental learning method includes an offline part and an online part. Its main steps are offline model training, offline model verification and online incremental learning; the offline part uses the historical data of the cloud log database, and the online part is based on newly arriving real-time data samples.
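The three steps described above (offline training on the log history, offline verification on held-out records, online incremental learning as flows arrive) as an added, self-contained illustration; this is not the patent's own code or model. It uses a categorical naive Bayes over three KDD-style nominal fields (protocol, service, flag) and a constructed log history, both assumptions made here; the patent's engine uses SOM, CNN and K-NN models over 144-dimensional features.

```python
import math
from collections import Counter, defaultdict


class IncrementalNaiveBayes:
    """Categorical naive Bayes whose counts are updated one sample at a time,
    so a new flow can be absorbed without retraining on the whole log database."""

    def __init__(self, n_features, alpha=1.0):
        self.n_features = n_features
        self.alpha = alpha                                   # Laplace smoothing
        self.class_counts = Counter()                        # label -> samples seen
        # per feature: label -> Counter(value -> count)
        self.value_counts = [defaultdict(Counter) for _ in range(n_features)]
        self.vocab = [set() for _ in range(n_features)]      # values seen per feature

    def partial_fit(self, sample, label):
        """Absorb one labelled sample (the online incremental step)."""
        if len(sample) != self.n_features:
            raise ValueError("expected %d fields, got %d" % (self.n_features, len(sample)))
        self.class_counts[label] += 1
        for i, value in enumerate(sample):
            self.value_counts[i][label][value] += 1
            self.vocab[i].add(value)

    def fit(self, samples, labels):
        """Offline training is simply incremental training over the history."""
        for sample, label in zip(samples, labels):
            self.partial_fit(sample, label)

    def _log_score(self, sample, label):
        n_label = self.class_counts[label]
        score = math.log(n_label / sum(self.class_counts.values()))
        for i, value in enumerate(sample):
            count = self.value_counts[i][label][value]
            score += math.log((count + self.alpha) / (n_label + self.alpha * len(self.vocab[i])))
        return score

    def predict(self, sample):
        if not self.class_counts:
            raise RuntimeError("model has not been trained")
        return max(self.class_counts, key=lambda label: self._log_score(sample, label))

    def accuracy(self, samples, labels):
        hits = sum(self.predict(s) == y for s, y in zip(samples, labels))
        return hits / len(samples)


# Constructed stand-in for the cloud log database: (protocol, service, flag), label.
HISTORY = [
    (("tcp", "http", "SF"), "normal"), (("tcp", "http", "SF"), "normal"),
    (("udp", "dns", "SF"), "normal"),  (("tcp", "smtp", "SF"), "normal"),
    (("tcp", "private", "S0"), "dos"), (("tcp", "private", "S0"), "dos"),
    (("tcp", "private", "REJ"), "dos"), (("icmp", "ecr_i", "SF"), "dos"),
]
# Constructed held-out records for offline verification.
VALIDATION = [(("tcp", "http", "SF"), "normal"), (("tcp", "private", "S0"), "dos")]
# Constructed UDP flood flow that the history covers poorly.
NEW_SAMPLE = ("udp", "private", "SF")


def offline_train(history=HISTORY):
    """Step 1: build the classifier from historical log records."""
    model = IncrementalNaiveBayes(n_features=3)
    model.fit([s for s, _ in history], [y for _, y in history])
    return model


def offline_verify(model, validation=VALIDATION, threshold=0.9):
    """Step 2: measure held-out accuracy; only a model above threshold goes online."""
    acc = model.accuracy([s for s, _ in validation], [y for _, y in validation])
    return acc, acc >= threshold


def online_increment(model, sample, confirmed_label):
    """Step 3: classify an arriving flow, then fold its confirmed label into the
    model.  Returns (prediction before update, prediction after update)."""
    before = model.predict(sample)
    model.partial_fit(sample, confirmed_label)
    return before, model.predict(sample)


if __name__ == "__main__":
    model = offline_train()
    print("validation accuracy %.2f, release: %s" % offline_verify(model))
    print(online_increment(model, NEW_SAMPLE, "dos"))  # ('normal', 'dos')
```

The UDP flood sample is misclassified as normal by the offline model and correctly classified as dos once its confirmed label has been folded in, which is the effect the online step is meant to achieve.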
Compared with the prior art, this scheme has the following beneficial effects. (1) Relevant machine learning algorithms are introduced into the intrusion detection engine Snort-IDS, a machine learning library is designed and built, and it is combined with Snort's signature-based intrusion detection on the expert rule library. The machine learning library is implemented as a third-party plug-in: by loading the machine learning plug-in into the Snort software, a cloud hybrid network intrusion detection system architecture is realised. (2) A functionally complete, globally coordinated intrusion detection system is proposed: the steps of client-side network traffic capture, cloud-side intrusion detection and data storage, and result feedback and response, which together form a complete IDS mechanism, are unified and combined. The extensible and programmable intrusion detection system based on a software-defined security architecture proposed in this application separates security data from control and thereby realises automated coordination and global-view management between security applications, the SDN controller and the underlying security devices; it can flexibly obtain and collect network information and discover and identify anomalous events and behaviour in time. Taking intrusion detection as the goal, the software-defined security architecture SDS exploits the advantages of big data and cloud computing technology by deploying the expert rule library, the intrusion detection engine and the associated artificial-intelligence detection algorithms in the cloud, which not only effectively improves the intelligent detection efficiency and security protection capability of the system but also enhances its dynamic scalability and resource allocation capability.
Brief description of the drawings
Fig. 1 is the architecture of the intrusion detection system based on software-defined security according to the present invention;
Fig. 2 is a framework diagram of the present invention;
Fig. 3 is a flow chart of the present invention;
Fig. 4 shows the cloud intrusion detection engine of the present invention;
Fig. 5 is the attack scenario diagram of the present invention;
Fig. 6 is a line chart of the algorithm simulation of the present invention;
Fig. 7 is the simulation-test delay diagram of the present invention.
Specific embodiment
An intrusion detection system based on a software-defined security architecture includes an SDN controller, a client module and a cloud module. The client module includes a client agent, a communication transmission module and a packet sniffing module; the cloud module includes a cloud agent, a communication transmission module, an intrusion detection engine, an expert rule library, a machine learning library and a log database.
The intrusion detection system consists of client-side network traffic capture, cloud-side intrusion detection and data storage, and result feedback and response. The packet sniffing module first collects network data and hands it to the client agent, which encapsulates the data and interacts with the cloud agent through the communication transmission module. The cloud agent receives the data collected by the client module and passes the traffic data to the intrusion detection engine for detection; finally the detection result is returned to the client agent, and rapid response and active defence are realised by the SDN controller.
To improve the real-time detection efficiency of the system and to detect unknown attacks, the intrusion detection engine uses two intrusion detection techniques at the same time, Snort-based signature detection and machine-learning-based anomaly detection, and distributed joint detection is realised in virtual machine instances running on the compute nodes. The intrusion detection engine separates normal from abnormal traffic according to the existing expert rule library; new types of attack, or variants derived from existing attacks, are sent to the machine learning library for training and knowledge learning so as to supplement the expert rule library in real time, and the packets and detection results are recorded in the cloud log database module.
Intrusion detection system (IDS) of the invention: the cloud agent receives the packets sent from the client, and the intrusion detection engine deployed on the compute nodes performs joint intrusion detection on these network packets, distinguishing normal packets from abnormal packets according to the existing expert rule library. The expert rule library is a method based on predefined rules: known intrusion behaviour features or attack code are compiled into a rule set, and if the data traffic matches some feature in the expert rule library it is judged to be malicious traffic. At the same time, the captured network traffic data is sent to the anomaly-detection machine learning algorithm library for training, analysis and knowledge learning. If abnormal traffic is found, a rule is summarised from it and compared with the expert rule library; if the expert rule library does not contain the rule, the new rule is added to it, so that the expert rule library is supplemented in real time, and the alarm log is recorded and backed up in the log database. The machine-learning-based anomaly detection technology uses an incremental learning method: a classifier model is trained from the existing log database, incremental training is performed when new samples arrive, and the model configuration is updated dynamically to realise real-time attack detection on the traffic stream.
Embodiment
The design and implementation of the OpenStack cloud platform, of the client, of the cloud side, and of the communication pipeline between client and cloud are described in detail below with specific embodiments.
1. Design and implementation of the OpenStack cloud platform
This scheme uses a multi-node OpenStack deployment with 1 master node, 1 controller node and 2 compute nodes; the controller node and the compute nodes all provide block storage and network services and are deployed together on the physical servers. The cloud platform network is designed with three network cards:
Eth0 (OpenStack cluster management network, CIDR 10.20.0.1/24), used to manage the cluster nodes;
Eth1 (external/floating IP network, CIDR 172.16.0.1/24), used as the cluster's public network and to provide floating IP addresses for the virtual machines;
Eth2 (management/storage/internal network, CIDR 192.168.1.0/24), used for the internal communication network of the virtual machines.
To guarantee the stability and validity of the cloud environment, the three nodes are first deployed in the same local area network and it is verified that they can ping one another; the time zone of the three hosts is set and NTP time synchronisation is guaranteed. The different component services are then deployed on each node.
After the services on each node are correctly configured, the cloud platform can be accessed through the interface provided by the Dashboard. As shown in Fig. 1, the cloud space is logically divided as follows:
1) Big data centre: the centre designs two kinds of database, a log database for saving historical data and detection results, and a rule-oriented expert rule library. Both databases are implemented on MySQL. Under the guidance and allocation of the intelligent centre's algorithms, the expert rule library can update its rules in real time.
2) Intelligent centre: stores the relevant machine learning algorithms used by the intrusion detection engine and the new-rule generation algorithm for formulating new rules, with a unified interface for external access. The machine learning algorithms include CNN, SVM, SOM, K-NN, GDBT, AdaBoost and so on. After the machine learning algorithms detect an unknown attack pattern, the new-rule generation algorithm extracts its main features, such as source IP address, destination IP address, source port, destination port and protocol type, and compiles them into a new rule according to a fixed format.
3) Control centre: the centre serves the following purposes:
A) deploying the cloud agent, which receives the data files uploaded from the client and stores them in the log database for backup; the cloud agent is also the window responsible for communication services to the external network;
B) providing a centralised view and cluster management, with global control of the cloud virtual resources (such as computing and network resources), which can be used to implement distributed joint computation for intrusion detection;
C) passing message queues between cluster nodes and transferring the detection results in JSON format to the SDN controller through an HTTP RESTful API interface;
D) flexibly steering data traffic to the intrusion detection engines deployed in the function centre for intrusion behaviour detection.
4) Function centre: where the intrusion detection engine snort-IDS, i.e. the virtual IDS, actually runs. Multiple snort-IDS instances can be arranged flexibly according to network state and specific requirements, and the corresponding algorithms can be called from the intelligent centre for training, learning and knowledge updates.
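The new-rule generation step of the intelligent centre (five-tuple extracted from an ML-flagged flow, compiled into a rule of fixed format) together with the compare-then-add supplementing of the expert rule library described in the embodiment, as an added example that is not the patent's own code. The Snort text rule format and the sid >= 1000000 convention for local rules are real; the flow field names, the sample library and the flagged flows are constructed here.

```python
import ipaddress
import re

# Snort reserves sid values below 1,000,000 for its shipped rule sets.
LOCAL_SID_START = 1_000_001
VALID_PROTOCOLS = {"tcp", "udp", "icmp"}

# Matches only the rule header, so rules are compared on what they match and
# not on their sid, rev or msg text.
_HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def rule_header(rule):
    """Return the normalised (action, proto, src, sport, dst, dport) of a rule."""
    m = _HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    return tuple(m.group(k).lower() for k in ("action", "proto", "src", "sport", "dst", "dport"))


def _port(value):
    """Accept 'any' or a numeric port; reject anything else before it reaches Snort."""
    if str(value).lower() == "any":
        return "any"
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return str(port)


def flow_to_rule(flow, sid, msg="ML-flagged flow"):
    """Compile one flagged flow's five-tuple into a Snort alert rule."""
    proto = flow["proto"].lower()
    if proto not in VALID_PROTOCOLS:
        raise ValueError("unsupported protocol %r" % flow["proto"])
    src = str(ipaddress.ip_address(flow["src_ip"]))       # validates the address
    dst = str(ipaddress.ip_address(flow["dst_ip"]))
    if proto == "icmp":                                    # ICMP rules carry no ports
        sport = dport = "any"
    else:
        sport, dport = _port(flow["src_port"]), _port(flow["dst_port"])
    return 'alert %s %s %s -> %s %s (msg:"%s"; sid:%d; rev:1;)' % (
        proto, src, sport, dst, dport, msg, sid)


def supplement_rule_library(library, flagged_flows):
    """Return (updated library, newly added rules).

    A candidate whose header already exists is skipped, so repeated detections
    of the same flow do not bloat the expert rule library."""
    known = {rule_header(r) for r in library}
    used_sids = [int(m.group(1)) for m in (re.search(r"sid:(\d+)", r) for r in library) if m]
    next_sid = max(used_sids + [LOCAL_SID_START - 1]) + 1
    updated, added = list(library), []
    for flow in flagged_flows:
        candidate = flow_to_rule(flow, next_sid)
        header = rule_header(candidate)
        if header in known:
            continue
        known.add(header)
        updated.append(candidate)
        added.append(candidate)
        next_sid += 1
    return updated, added


# Constructed sample expert rule library and constructed ML detections.
EXPERT_RULES = [
    'alert tcp 10.20.0.5 any -> 10.20.0.9 80 (msg:"HTTP probe"; sid:1000001; rev:1;)',
]
FLAGGED_FLOWS = [
    {"proto": "tcp", "src_ip": "10.20.0.5", "src_port": "any", "dst_ip": "10.20.0.9", "dst_port": 80},
    {"proto": "udp", "src_ip": "10.20.0.7", "src_port": 53000, "dst_ip": "10.20.0.9", "dst_port": 53},
    {"proto": "udp", "src_ip": "10.20.0.7", "src_port": 53000, "dst_ip": "10.20.0.9", "dst_port": 53},
    {"proto": "icmp", "src_ip": "10.20.0.8", "dst_ip": "10.20.0.9"},
]

if __name__ == "__main__":
    library, added = supplement_rule_library(EXPERT_RULES, FLAGGED_FLOWS)
    print("\n".join(added))   # two new rules: the first flow is known, the third repeats the second
```

A rule built from a single flow is very narrow (an ephemeral source port will not recur), so in practice the source port would be widened to `any` before the rule is loaded.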
2. Design and implementation of the client module
The client module includes the client agent and the packet sniffing module. The client module captures data by installing Tcpdump. Tcpdump can completely intercept the packets transmitted on the network and provide them for analysis; it supports filtering by network layer, protocol, host, network or port.
In order to capture packets, the network card of the client module must be set to promiscuous mode so that all network devices on the network can be monitored. Tcpdump then sniffs and captures the current network data; the client agent's upload program packages the collected traffic files as required, compresses the data and converts it into a hex character stream, sends it to the cloud agent and waits for the cloud agent to return the detection result.
The client module can use the Linux cron command to capture and save packets periodically, specifying that a tcpdump file is generated every 1000 network connections. The start time STIME and end time ETIME of each capture are set, the packets captured each time are named $STIME-$ETIME, and they are stored temporarily on the local host in .pcap.gz compressed format.
3. Design and implementation of the cloud module
The cloud module includes the cloud agent, the expert rule library, the log database, the machine learning library and the intrusion detection engine; the specific cloud intrusion detection process is shown in Fig. 3.
1) Design of the cloud agent
The cloud agent is deployed on the master node of OpenStack. First, the cloud agent receives the traffic data transmitted from the client through the communication module; second, it transfers the received traffic files to the cloud compute nodes, where the intrusion detection engines deployed on the compute nodes detect intrusion behaviour; finally, the cloud agent returns the detection result to the client agent and the SDN controller.
2) Design of the cloud databases
This scheme designs two kinds of database in the cloud: a feature-oriented expert rule library and a log-oriented log database. Both are implemented on MySQL. The expert rule library stores records such as the rule table and the event table; the log database backs up the captured network packets and records the alarm logs generated by the intrusion detection engine.
3) Design of the cloud intrusion detection engine and machine learning library
The cloud intrusion detection engine uses the open-source intrusion detection software Snort for signature-based intrusion detection. Snort is a lightweight, rule-based network intrusion detection system. It uses a rule-based search mechanism, implemented as content-based pattern matching on packets, to discover intrusion behaviour.
As shown in Fig. 4, Snort is mainly composed of five basic modules: sniffer, decoder, preprocessor, detection engine and alert output. The output results are recorded in the log database, and the detection engine detects intrusion behaviour according to the expert rule library. To ease the detection of intrusions in the data stream, Snort has a modular design that lets users extend it on demand by writing third-party plug-ins. This scheme uses a machine learning plug-in on the Snort platform; the plug-in can integrate a variety of machine learning algorithms to build a machine learning library, so as to realise anomaly detection and generate new rules.
Based on the various machine learning algorithms already introduced into existing IDSs, this scheme designs and builds a machine learning library containing popular algorithms such as SVM, CNN, Random Forest, SOM and K-NN, combined with Snort's signature-based intrusion detection on the expert rule library. The machine learning library is implemented as a third-party plug-in: by loading the machine learning plug-in into the Snort software, a cloud hybrid network intrusion detection system architecture is realised.
4. Design and implementation of the communication pipeline between client and cloud
The client agent needs to send the packets collected at the client to the cloud agent and also to receive the results returned by the cloud agent. The cloud agent not only receives the data sent from the client but also returns the feedback results of the intrusion detection engine to the client agent. This is therefore a full-duplex mode of operation in which both sides are both client and server.
As shown in Fig. 2, the communication protocol between the client agent and the cloud is HTTP. Two HTTP methods are mainly used, GET and POST: the system requests access to data resources with GET and requests the body of the information entity transmitted by the server with POST. The client agent sends HTTP requests to the cloud agent to obtain resources. First, a time interval T is set so that the script runs automatically at that interval, capturing packets and uploading packet data in real time. Specifically, the client agent establishes a socket connection with the cloud agent and polls a local folder; once a new Tcpdump file is generated, the client agent sends an HTTP POST request and the cloud agent responds immediately. The client agent compresses and encapsulates the captured packet resource and transmits it to the cloud agent in JSON format. The cloud agent receives the data, parses the JSON, restores the raw packets and stores them in the log database as a backup.
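The client-side encapsulation (gzip, hex character stream, JSON body for the POST) and the cloud-side parsing that restores the raw packets, as described for the client module and the communication pipeline above, as an added example that is not the patent's own code. The JSON field names, the 14-digit STIME/ETIME layout, the size bounds and the SHA-256 digest used to reject a corrupted or tampered upload are assumptions added here; the pcap header used as sample input is constructed.

```python
import binascii
import gzip
import hashlib
import json
import re
import struct

# Constructed stand-in for a tcpdump file: a valid 24-byte pcap global header
# (magic, version 2.4, zone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET), no records.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
_PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4")   # little/big endian

# $STIME-$ETIME.pcap.gz with YYYYMMDDhhmmss timestamps (layout assumed here).
_NAME_RE = re.compile(r"^(\d{14})-(\d{14})\.pcap\.gz$")


def package_capture(name, pcap_bytes):
    """Client agent: compress, hex-encode and wrap one capture into a JSON body."""
    if not _NAME_RE.match(name):
        raise ValueError("capture name must be STIME-ETIME.pcap.gz, got %r" % name)
    compressed = gzip.compress(pcap_bytes)
    body = {
        "file": name,
        "encoding": "gzip+hex",
        "data": binascii.hexlify(compressed).decode("ascii"),
        "sha256": hashlib.sha256(pcap_bytes).hexdigest(),   # digest of the raw capture
    }
    return json.dumps(body)


def unpack_capture(json_body, max_bytes=64 * 1024 * 1024):
    """Cloud agent: parse the JSON, restore the raw pcap and check it.

    Returns (name, pcap_bytes).  Every malformed or inconsistent upload raises
    ValueError so that it never reaches the detection engine or the log database."""
    try:
        body = json.loads(json_body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not JSON: %s" % exc)
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    for key in ("file", "encoding", "data", "sha256"):
        if key not in body:
            raise ValueError("missing field %r" % key)
    m = _NAME_RE.match(str(body["file"]))
    if not m or m.group(1) > m.group(2):                   # end time before start time
        raise ValueError("bad capture name %r" % body["file"])
    if body["encoding"] != "gzip+hex":
        raise ValueError("unsupported encoding %r" % body["encoding"])
    if len(body["data"]) > 2 * max_bytes:                   # bound work before decoding
        raise ValueError("upload too large")
    try:
        raw = gzip.decompress(binascii.unhexlify(body["data"]))
    except (binascii.Error, OSError, EOFError) as exc:
        raise ValueError("cannot decode payload: %s" % exc)
    if len(raw) > max_bytes:
        raise ValueError("decompressed capture too large")
    if hashlib.sha256(raw).hexdigest() != body["sha256"]:
        raise ValueError("digest mismatch: capture corrupted or tampered")
    if raw[:4] not in _PCAP_MAGICS:
        raise ValueError("payload is not a pcap file")
    return body["file"], raw


if __name__ == "__main__":
    post_body = package_capture("20190510120000-20190510120500.pcap.gz", SAMPLE_PCAP)
    name, pcap = unpack_capture(post_body)
    print(name, len(pcap), "bytes restored")   # 24 bytes restored
```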
Software environment and development platform of the experiments: for the client, the hardware platform is a 2.8 GHz Intel Core i5 and the software platform is Mac OS X 10.14.4; the cloud hardware platform is an Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz, the OpenStack software platform is CentOS release 6.5 and Ubuntu release 14.04, and the OpenStack version is Liberty. The development and compilation environment includes PyCharm Community Edition 2017.2.3, Python 3.6, Xcode version 10.2.1 and Snort version 2.9.11.1.
The SOM, BP, CNN and SOM&KNN machine-learning algorithms were developed as plug-ins to Snort-IDS, and each was simulation-tested under four attack scenarios: normal traffic mixed with Probe attacks, normal traffic mixed with DoS attacks, normal traffic mixed with U2R and R2L attacks, and mixed attacks. The KDD CUP 99 data set was used to train the models; the corresponding values of the KDD99 records were one-hot encoded and zero-padded so that every sample has 144 feature dimensions. The data set was split into a training set, a validation set and a test set; at each incremental-learning step a new sample is randomly selected from the test set. For the SOM network, a 10 × 10 weight matrix was used as the competition layer. The SOM weight map was then used as the input to K-NN: the Euclidean distance from each sample to each of the 100 neurons is recomputed and the top 3 winning neurons are selected. For the CNN, two convolutional layers, two pooling layers and two fully connected layers were implemented; each input sample yields a 23-dimensional label vector in which the index of the maximum value gives the attack type. Finally, SOM and BP were implemented as control groups. Fig. 6 gives the four experimental results and shows the binary classification precision of the different algorithms. The results show that for attack types with many samples in the data set, such as DoS and Probe, the algorithms achieve high detection efficiency, whereas for the U2R and R2L attacks, which have few samples, the classifier's effect is not obvious. Overall, the SOM and KNN hybrid algorithm has relatively good detection efficiency, while the CNN detects real-time streams poorly; a feasible remedy is to increase the number of samples fed in at each incremental-learning step.
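The preprocessing step described above, as an added example that is not the patent's code: one-hot encoding of the symbolic KDD99 columns, zero-padding to 144 dimensions, and the 23-dimensional label vector whose argmax index names the attack type, together with the four attack categories used in the scenarios. The `service` vocabulary is a constructed subset (the real one has about 70 values, which still fits in 144), and reading the 144 values as a 12 × 12 grid for the CNN is an assumption; the two records are constructed in the KDD99 column layout.

```python
"""KDD CUP 99 preprocessing for the IDS plug-ins (added example).

Assumptions: the 144-dim frame is read as 12 x 12 for the CNN; SERVICES is a
constructed subset of the real vocabulary (38 numeric + 3 + ~70 + 11 = 122
columns after one-hot encoding, which fits inside 144); unknown symbolic
values encode as all zeros instead of raising, so a subset vocabulary still
produces fixed-width vectors.
"""
PROTOCOLS = ["tcp", "udp", "icmp"]
FLAGS = ["SF", "S0", "S1", "S2", "S3", "REJ", "RSTO", "RSTR", "RSTOS0", "SH", "OTH"]
SERVICES = ["http", "private", "smtp", "ftp", "ftp_data", "domain_u", "ecr_i", "other"]
SYMBOLIC = {1: PROTOCOLS, 2: SERVICES, 3: FLAGS}   # column index -> vocabulary
NUM_COLUMNS = 41
FEATURE_DIM = 144

# The 23 classes of the KDD99 10% training set (normal + 22 attacks), grouped
# into the four categories used by the attack scenarios.
CATEGORIES = {
    "normal": ["normal"],
    "dos": ["back", "land", "neptune", "pod", "smurf", "teardrop"],
    "probe": ["ipsweep", "nmap", "portsweep", "satan"],
    "r2l": ["ftp_write", "guess_passwd", "imap", "multihop", "phf", "spy",
            "warezclient", "warezmaster"],
    "u2r": ["buffer_overflow", "loadmodule", "perl", "rootkit"],
}
LABELS = sorted(label for labels in CATEGORIES.values() for label in labels)
LABEL_DIM = len(LABELS)   # 23


def one_hot(value, vocab):
    """One-hot vector over vocab; all zeros for a value outside it."""
    return [1.0 if value == v else 0.0 for v in vocab]


def encode_features(fields):
    """41 raw columns -> one-hot expanded, zero-padded 144-dim vector."""
    vec = []
    for i, f in enumerate(fields):
        if i in SYMBOLIC:
            vec.extend(one_hot(f, SYMBOLIC[i]))
        else:
            vec.append(float(f))
    if len(vec) > FEATURE_DIM:
        raise ValueError(f"{len(vec)} features exceed the {FEATURE_DIM}-dim frame")
    return vec + [0.0] * (FEATURE_DIM - len(vec))


def encode_label(label):
    if label not in LABELS:
        raise ValueError(f"unknown KDD99 label {label!r}")
    return one_hot(label, LABELS)


def decode_label(vector):
    """Argmax index -> attack type, the way the CNN's 23-dim output is read."""
    return LABELS[max(range(len(vector)), key=vector.__getitem__)]


def category_of(label):
    return next(c for c, labels in CATEGORIES.items() if label in labels)


def parse_record(line):
    """Split a KDD99 CSV line into its 41 feature fields and the label."""
    parts = line.strip().split(",")
    if len(parts) != NUM_COLUMNS + 1:
        raise ValueError(f"expected {NUM_COLUMNS + 1} columns, got {len(parts)}")
    return parts[:NUM_COLUMNS], parts[NUM_COLUMNS].rstrip(".")


def preprocess(line):
    """Returns (feature vector, label vector, label string) for one record."""
    fields, label = parse_record(line)
    return encode_features(fields), encode_label(label), label


def as_image(vector, side=12):
    """Reshape the padded vector into the side x side grid assumed for the CNN."""
    return [vector[r * side:(r + 1) * side] for r in range(side)]


# Constructed records in the KDD99 column layout (41 fields + label).
SAMPLE_RECORDS = [
    "0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,"
    "0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.",
    "0,tcp,private,S0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,123,6,1.00,1.00,"
    "0.00,0.00,0.05,0.07,0.00,255,6,0.02,0.06,0.00,0.00,1.00,1.00,0.00,0.00,neptune.",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        x, y, label = preprocess(rec)
        print(label, category_of(label), len(x), decode_label(y), len(as_image(x)))
```

With the constructed subset the encoded width is 38 + 3 + 8 + 11 = 60 before padding, so the first 60 positions carry data and the remaining 84 are zero; the class imbalance the experiment reports (few U2R and R2L samples) is visible directly in the category lists, which is why a per-category precision breakdown matters more than the overall number.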
The intrusion detection system was then tested, mainly with denial-of-service (DoS) attacks. A DoS attack, also called a flood attack, occupies system or network resources so that a computer or server can no longer handle legitimate requests; it is one of the main network attack methods. The attack scenario is shown in Fig. 5. Using simulated attack streams, system simulation tests were carried out for three attack modes: TCP SYN flood, UDP flood and ICMP ping flood. The detection result is returned to the SDN controller in JSON format, and the SDN controller issues a flow table policy for active defence, thereby achieving quick response and security protection of the system. The delay measurements of the experiment are shown in Fig. 7: the response time from the external attack to the defence is within 10 to 20 seconds, demonstrating the system's linkage coordination capability and real-time detection level.
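The detection-to-response loop described above, as an added example that is not the patent's detection engine or controller code: a per-source sliding-window rate threshold stands in for the Snort/ML engine, the verdict is serialised as JSON as the patent describes, and the controller turns it into a drop flow entry. The thresholds, the window, the OpenFlow-style match field names and the traffic sample are all constructed assumptions; no particular SDN controller's API is assumed.

```python
"""Flood detection with an SDN drop-rule response (added example).

Assumptions: a packet is summarised as a dict with ts, src, dst, proto and
optional flags/icmp_type; thresholds are per source and per flood kind over a
one-second sliding window; the flow entry is a generic OpenFlow-style dict
(empty action list = drop) rather than any specific controller's REST payload.
"""
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
THRESHOLDS = {"tcp_syn_flood": 100, "udp_flood": 200, "icmp_ping_flood": 100}
IP_PROTO = {"tcp_syn_flood": 6, "udp_flood": 17, "icmp_ping_flood": 1}


def flood_kind(pkt):
    """Which flood a packet summary could belong to, or None."""
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":      # SYN without ACK
        return "tcp_syn_flood"
    if pkt["proto"] == "udp":
        return "udp_flood"
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:   # echo request
        return "icmp_ping_flood"
    return None


class FloodDetector:
    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
        self.window = window
        self.thresholds = thresholds
        self.recent = defaultdict(deque)   # (src, kind) -> timestamps in window
        self.alerted = set()               # alert once per (src, kind)

    def feed(self, pkt):
        """Return a JSON detection result when a source crosses its threshold."""
        kind = flood_kind(pkt)
        if kind is None:
            return None
        key = (pkt["src"], kind)
        q = self.recent[key]
        q.append(pkt["ts"])
        while pkt["ts"] - q[0] > self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) < self.thresholds[kind] or key in self.alerted:
            return None
        self.alerted.add(key)
        return json.dumps({
            "result": "malicious", "attack_type": kind,
            "src_ip": pkt["src"], "dst_ip": pkt["dst"],
            "packets_in_window": len(q), "window_seconds": self.window,
            "detected_at": pkt["ts"], "latency": round(pkt["ts"] - q[0], 3),
        })


def build_flow_mod(result_json, priority=1000, hard_timeout=300):
    """SDN controller side: drop entry for the offending source.
    hard_timeout makes the block expire, so a spoofed source address cannot be
    used to lock a legitimate host out indefinitely."""
    r = json.loads(result_json)
    match = {"eth_type": 0x0800, "ipv4_src": r["src_ip"],
             "ip_proto": IP_PROTO[r["attack_type"]]}
    if r["attack_type"] == "tcp_syn_flood":
        match["tcp_flags"] = 0x02   # SYN only, so established flows survive
    return {"priority": priority, "hard_timeout": hard_timeout,
            "match": match, "actions": []}   # empty actions = drop


def make_traffic():
    """Constructed traffic: 50 benign SYNs from 10.0.0.5 spread over 1 s and
    150 SYNs from 10.0.0.66 inside 150 ms."""
    benign = [{"ts": i * 0.02, "src": "10.0.0.5", "dst": "10.0.0.1",
               "proto": "tcp", "flags": "S"} for i in range(50)]
    flood = [{"ts": i * 0.001, "src": "10.0.0.66", "dst": "10.0.0.1",
              "proto": "tcp", "flags": "S"} for i in range(150)]
    return sorted(benign + flood, key=lambda p: p["ts"])


def run(packets):
    """Detector and controller in sequence; returns (verdicts, flow entries)."""
    det, results, flow_mods = FloodDetector(), [], []
    for pkt in packets:
        verdict = det.feed(pkt)
        if verdict:
            results.append(json.loads(verdict))
            flow_mods.append(build_flow_mod(verdict))
    return results, flow_mods


if __name__ == "__main__":
    for r, m in zip(*run(make_traffic())):
        print(json.dumps(r), "->", json.dumps(m))
```

The benign host never reaches 100 SYNs in any one-second window, so only the flooding source is blocked, and the SYN-flag match keeps its already established connections working; the `latency` field in the verdict is the detector's own contribution to the end-to-end response time that Fig. 7 measures.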
Claims (4)
1. An intrusion detection system based on a software-defined security architecture, characterized in that the intrusion detection system comprises an SDN controller, a client module and a cloud module; the client module comprises a client agent, a communication transmission module and a packet sniffing module; the cloud module comprises a cloud agent, a communication transmission module and an intrusion detection engine; the packet sniffing module collects network data and hands it to the client agent; the client agent encapsulates the data and communicates with the cloud agent through the communication transmission module, the communication transmission module using a communication protocol customized for the cloud agent and the client; the cloud agent receives the traffic data sent from the client module, feeds the traffic data to the intrusion detection engine for detection, and returns the intrusion detection result to the client agent, with quick response and active defence realized through the SDN controller; and the intrusion detection engine uses signature detection technology based on Snort and anomaly detection technology based on machine learning.
2. The intrusion detection system based on a software-defined security architecture according to claim 1, characterized in that the cloud module further comprises an expert rule base, a machine learning library and a log database; the intrusion detection engine divides attacks into known attacks and unknown attacks according to the expert rule base; the Snort-based signature detection technology is used for real-time detection of known attacks; unknown attacks are sent to the machine learning library for training and learning, new rules are constructed in real time to supplement the expert rule base, and the packets and detection results are recorded in the log database.
3. The intrusion detection system based on a software-defined security architecture according to claim 1, characterized in that the anomaly detection technology uses an incremental learning method: according to the sequentially arriving data traffic, the incremental training results obtained in real time are saved in the classifier model, and newly arriving traffic samples are automatically recognized and classified by the existing model to distinguish whether they are malicious traffic.
4. The machine-learning-based anomaly detection technology according to claim 3, characterized in that the incremental learning method comprises an offline part and an online part, the main steps being offline model training, offline model validation and online incremental learning; the offline part uses historical data from the cloud log database, and the online part is based on new real-time data samples.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910391719.5A CN110224990A (en) | 2019-07-17 | 2019-07-17 | A kind of intruding detection system based on software definition security architecture |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910391719.5A CN110224990A (en) | 2019-07-17 | 2019-07-17 | A kind of intruding detection system based on software definition security architecture |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110224990A true CN110224990A (en) | 2019-09-10 |
Family
ID=67820783
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910391719.5A Pending CN110224990A (en) | 2019-07-17 | 2019-07-17 | A kind of intruding detection system based on software definition security architecture |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110224990A (en) |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110753064A (en) * | 2019-10-28 | 2020-02-04 | 中国科学技术大学 | Machine learning and rule matching fused security detection system |
CN110796243A (en) * | 2019-11-27 | 2020-02-14 | 重庆大学 | Continuous operation monitoring data simulation generation method and device |
CN110855651A (en) * | 2019-11-05 | 2020-02-28 | 中盈优创资讯科技有限公司 | Automatic generation method and system of access control strategy based on traffic driving |
CN110912753A (en) * | 2019-12-11 | 2020-03-24 | 中山大学 | Cloud security event real-time detection system and method based on machine learning |
CN111082992A (en) * | 2019-12-23 | 2020-04-28 | 超讯通信股份有限公司 | SDN network data packet identification method based on deep learning |
CN111131304A (en) * | 2019-12-31 | 2020-05-08 | 嘉兴学院 | Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system |
CN111191683A (en) * | 2019-12-13 | 2020-05-22 | 南京邮电大学 | Network security situation assessment method based on random forest and Bayesian network |
CN111404909A (en) * | 2020-03-10 | 2020-07-10 | 上海豌豆信息技术有限公司 | Security detection system and method based on log analysis |
CN111553386A (en) * | 2020-04-07 | 2020-08-18 | 哈尔滨工程大学 | AdaBoost and CNN-based intrusion detection method |
CN111628990A (en) * | 2020-05-22 | 2020-09-04 | 北京金山云网络技术有限公司 | Attack recognition method and device and server |
CN111917802A (en) * | 2020-08-19 | 2020-11-10 | 北京微步在线科技有限公司 | Intrusion detection rule test platform and test method |
CN112187752A (en) * | 2020-09-18 | 2021-01-05 | 湖北大学 | Intrusion detection classification method and device based on random forest |
CN112367290A (en) * | 2020-09-11 | 2021-02-12 | 浙江大学 | Endogenous safe WAF construction method |
CN113190837A (en) * | 2021-03-29 | 2021-07-30 | 贵州电网有限责任公司 | Web attack behavior detection method and system based on file service system |
CN113364723A (en) * | 2020-03-05 | 2021-09-07 | 奇安信科技集团股份有限公司 | DDoS attack monitoring method and device, storage medium and computer equipment |
CN113691562A (en) * | 2021-09-15 | 2021-11-23 | 神州网云(北京)信息技术有限公司 | Method for implementing rule engine for accurately identifying malicious network communication |
CN114124446A (en) * | 2021-10-12 | 2022-03-01 | 广西电网有限责任公司桂林供电局 | Intrusion detection system based on Snort engine and adopting logistic regression algorithm |
CN114168949A (en) * | 2021-12-21 | 2022-03-11 | 江西省锐华互联网科技有限公司 | Application software anomaly detection method and system applied to artificial intelligence |
CN114531287A (en) * | 2022-02-17 | 2022-05-24 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and medium for detecting virtual resource acquisition behavior |
CN114679331A (en) * | 2022-04-11 | 2022-06-28 | 北京国联天成信息技术有限公司 | AI technology-based malicious code passive detection method and system |
CN114741149A (en) * | 2022-04-15 | 2022-07-12 | 北京因数健康科技有限公司 | Page switching method and device for single-page application, storage medium and electronic equipment |
CN114978604A (en) * | 2022-04-25 | 2022-08-30 | 西南大学 | Security gateway system for software defined service perception |
CN115022100A (en) * | 2022-08-10 | 2022-09-06 | 东南大学 | Internet of things intrusion detection method based on flow image and machine learning |
CN115086026A (en) * | 2022-06-14 | 2022-09-20 | 盐城工业职业技术学院 | Network security analysis system |
CN115176444A (en) * | 2020-02-11 | 2022-10-11 | 大陆汽车科技有限公司 | Intrusion and anomaly detection method based on edge calculation |
WO2022242415A1 (en) * | 2021-05-21 | 2022-11-24 | 浙江大学 | Rest interface specification packaging system based on network sniffing |
CN116319386A (en) * | 2023-05-17 | 2023-06-23 | 北京国信蓝盾科技有限公司 | Availability and fault prediction method and device, electronic equipment and medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160182541A1 (en) * | 2014-12-18 | 2016-06-23 | Gwangju Institute Of Science And Technology | Method for detecting intrusion in network |
CN105871787A (en) * | 2015-01-22 | 2016-08-17 | 中国移动通信集团公司 | Intrusion prevention method applied to cloud virtual network, device, network device and system |
CN106254330A (en) * | 2016-07-29 | 2016-12-21 | 中国电子科技集团公司第五十四研究所 | A kind of software defined network intrusion detection method based on BP neutral net |
CN108173708A (en) * | 2017-12-18 | 2018-06-15 | 北京天融信网络安全技术有限公司 | Anomalous traffic detection method, device and storage medium based on incremental learning |
CN108270779A (en) * | 2017-12-29 | 2018-07-10 | 湖南优利泰克自动化系统有限公司 | A kind of automatic generation method of intruding detection system safety regulation |
2019-07-17 CN CN201910391719.5A patent/CN110224990A/en active Pending
Non-Patent Citations (2)
Title |
---|
FAN YANG ET AL: "A Testbed for Intelligent Software Defined Security Framework", 《ACM TURING CELEBRATION CONFERENCE - CHINA (ACM TURC 2019)》 * |
吕秀华 (Lü Xiuhua): "Design of a hybrid intrusion detection system model based on Snort and immune principles", 《网络通讯及安全》 (Network Communication and Security) * |
Cited By (39)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110753064B (en) * | 2019-10-28 | 2021-05-07 | 中国科学技术大学 | Machine learning and rule matching fused security detection system |
WO2021082339A1 (en) * | 2019-10-28 | 2021-05-06 | 中国科学技术大学 | Machine learning and rule matching integrated security detection method and device |
CN110753064A (en) * | 2019-10-28 | 2020-02-04 | 中国科学技术大学 | Machine learning and rule matching fused security detection system |
CN110855651B (en) * | 2019-11-05 | 2021-12-24 | 中盈优创资讯科技有限公司 | Automatic generation method and system of access control strategy based on traffic driving |
CN110855651A (en) * | 2019-11-05 | 2020-02-28 | 中盈优创资讯科技有限公司 | Automatic generation method and system of access control strategy based on traffic driving |
CN110796243A (en) * | 2019-11-27 | 2020-02-14 | 重庆大学 | Continuous operation monitoring data simulation generation method and device |
CN110912753A (en) * | 2019-12-11 | 2020-03-24 | 中山大学 | Cloud security event real-time detection system and method based on machine learning |
CN110912753B (en) * | 2019-12-11 | 2022-03-25 | 中山大学 | Cloud security event real-time detection system and method based on machine learning |
CN111191683A (en) * | 2019-12-13 | 2020-05-22 | 南京邮电大学 | Network security situation assessment method based on random forest and Bayesian network |
CN111191683B (en) * | 2019-12-13 | 2023-09-22 | 南京邮电大学 | Network security situation assessment method based on random forest and Bayesian network |
CN111082992A (en) * | 2019-12-23 | 2020-04-28 | 超讯通信股份有限公司 | SDN network data packet identification method based on deep learning |
CN111131304A (en) * | 2019-12-31 | 2020-05-08 | 嘉兴学院 | Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system |
CN111131304B (en) * | 2019-12-31 | 2022-01-11 | 嘉兴学院 | Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system |
CN115176444A (en) * | 2020-02-11 | 2022-10-11 | 大陆汽车科技有限公司 | Intrusion and anomaly detection method based on edge calculation |
CN113364723A (en) * | 2020-03-05 | 2021-09-07 | 奇安信科技集团股份有限公司 | DDoS attack monitoring method and device, storage medium and computer equipment |
CN111404909B (en) * | 2020-03-10 | 2022-05-31 | 上海豌豆信息技术有限公司 | Safety detection system and method based on log analysis |
CN111404909A (en) * | 2020-03-10 | 2020-07-10 | 上海豌豆信息技术有限公司 | Security detection system and method based on log analysis |
CN111553386B (en) * | 2020-04-07 | 2022-05-20 | 哈尔滨工程大学 | AdaBoost and CNN-based intrusion detection method |
CN111553386A (en) * | 2020-04-07 | 2020-08-18 | 哈尔滨工程大学 | AdaBoost and CNN-based intrusion detection method |
CN111628990A (en) * | 2020-05-22 | 2020-09-04 | 北京金山云网络技术有限公司 | Attack recognition method and device and server |
CN111917802A (en) * | 2020-08-19 | 2020-11-10 | 北京微步在线科技有限公司 | Intrusion detection rule test platform and test method |
CN112367290A (en) * | 2020-09-11 | 2021-02-12 | 浙江大学 | Endogenous safe WAF construction method |
CN112187752A (en) * | 2020-09-18 | 2021-01-05 | 湖北大学 | Intrusion detection classification method and device based on random forest |
CN113190837A (en) * | 2021-03-29 | 2021-07-30 | 贵州电网有限责任公司 | Web attack behavior detection method and system based on file service system |
WO2022242415A1 (en) * | 2021-05-21 | 2022-11-24 | 浙江大学 | Rest interface specification packaging system based on network sniffing |
CN113691562B (en) * | 2021-09-15 | 2024-04-23 | 神州网云(北京)信息技术有限公司 | Rule engine implementation method for accurately identifying malicious network communication |
CN113691562A (en) * | 2021-09-15 | 2021-11-23 | 神州网云(北京)信息技术有限公司 | Method for implementing rule engine for accurately identifying malicious network communication |
CN114124446A (en) * | 2021-10-12 | 2022-03-01 | 广西电网有限责任公司桂林供电局 | Intrusion detection system based on Snort engine and adopting logistic regression algorithm |
CN114168949A (en) * | 2021-12-21 | 2022-03-11 | 江西省锐华互联网科技有限公司 | Application software anomaly detection method and system applied to artificial intelligence |
CN114531287A (en) * | 2022-02-17 | 2022-05-24 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and medium for detecting virtual resource acquisition behavior |
CN114679331A (en) * | 2022-04-11 | 2022-06-28 | 北京国联天成信息技术有限公司 | AI technology-based malicious code passive detection method and system |
CN114679331B (en) * | 2022-04-11 | 2024-02-02 | 北京国联天成信息技术有限公司 | AI technology-based malicious code passive detection method and system |
CN114741149A (en) * | 2022-04-15 | 2022-07-12 | 北京因数健康科技有限公司 | Page switching method and device for single-page application, storage medium and electronic equipment |
CN114741149B (en) * | 2022-04-15 | 2024-02-27 | 北京懿医云科技有限公司 | Page switching method and device for single-page application, storage medium and electronic equipment |
CN114978604A (en) * | 2022-04-25 | 2022-08-30 | 西南大学 | Security gateway system for software defined service perception |
CN115086026A (en) * | 2022-06-14 | 2022-09-20 | 盐城工业职业技术学院 | Network security analysis system |
CN115022100B (en) * | 2022-08-10 | 2022-11-01 | 东南大学 | Internet of things intrusion detection method based on flow image and machine learning |
CN115022100A (en) * | 2022-08-10 | 2022-09-06 | 东南大学 | Internet of things intrusion detection method based on flow image and machine learning |
CN116319386A (en) * | 2023-05-17 | 2023-06-23 | 北京国信蓝盾科技有限公司 | Availability and fault prediction method and device, electronic equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110224990A (en) | A kind of intruding detection system based on software definition security architecture | |
Yu et al. | An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks | |
CN107135093B (en) | Internet of things intrusion detection method and detection system based on finite automaton | |
CN111510433B (en) | Internet of things malicious flow detection method based on fog computing platform | |
Karan et al. | Detection of DDoS attacks in software defined networks | |
CN107683597A (en) | Network behavior data collection and analysis for abnormality detection | |
Hofmann et al. | Online intrusion alert aggregation with generative data stream modeling | |
CN108289088A (en) | Abnormal traffic detection system and method based on business model | |
Su et al. | Detecting p2p botnet in software defined networks | |
Letteri et al. | Performance of Botnet Detection by Neural Networks in Software-Defined Networks. | |
Al Haddad et al. | A collaborative framework for intrusion detection (C-NIDS) in Cloud computing | |
Gumaste et al. | Detection of ddos attacks in openstack-based private cloud using apache spark | |
CN102801738A (en) | Distributed DoS (Denial of Service) detection method and system on basis of summary matrices | |
Bhatt et al. | HADS: Hybrid anomaly detection system for IoT environments | |
Janabi et al. | Convolutional neural network based algorithm for early warning proactive system security in software defined networks | |
CN108833430B (en) | Topology protection method of software defined network | |
Xiao et al. | Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model | |
CN106899978A (en) | A kind of wireless network attack localization method | |
Cheetancheri et al. | A distributed host-based worm detection system | |
Ádám et al. | Artificial neural network based IDS | |
Wang et al. | Botnet detection using social graph analysis | |
Umamaheswari et al. | Honeypot TB-IDS: trace back model based intrusion detection system using knowledge based honeypot construction model | |
Fenil et al. | Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches | |
Mohsin et al. | Performance evaluation of SDN DDoS attack detection and mitigation based random forest and K-nearest neighbors machine learning algorithms | |
Das et al. | Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 2019-09-10