CN111800419A - DDoS attack detection system and method in SDN environment - Google Patents

Info

Publication number: CN111800419A
Authority: CN (China)
Legal status: Granted
Application number: CN202010639933.0A
Other languages: Chinese (zh)
Other versions: CN111800419B (en)
Inventors: 毕远国, 郅明见, 郑文举, 项天敖, 胡兵, 陈香伊
Current assignee: Northeastern University China
Original assignee: Northeastern University China
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The invention belongs to the field of intrusion detection algorithms in an SDN (software defined network) and discloses a DDoS (distributed denial of service) attack detection system and method for an SDN environment. In order to identify abnormal traffic in the network promptly and effectively and to reduce the network resources consumed by a DDoS attack, a DDoS attack defense system is designed in combination with the MD-SAL framework. The system comprises an anomaly detection module, an anti-misjudgment module, a traffic processing module, an anomaly storage module and an information viewing module. The system identifies traffic anomalies in the network, raises a timely alarm and notifies the system to take the corresponding defensive measures; finally it looks up attack information by the preset RPC keys such as source IP and target IP, and achieves accurate classification of suspicious traffic based on the TDMC algorithm.

Description

DDoS attack detection system and method in SDN environment
Technical Field
The invention belongs to the field of intrusion detection algorithms in an SDN (software defined network), and particularly relates to a DDoS (distributed denial of service) attack detection system and method in an SDN environment.
Background
Internet technology now develops at a rapid pace and brings great convenience to daily life, but at the same time it faces very serious security problems. Among these, DDoS attacks seriously threaten the normal services of the Internet. A DDoS attack is a large-scale distributed, coordinated attack launched by many zombie hosts; it is a main factor threatening the security of Internet services and also causes great security problems for the operation of large enterprises. Typical victims include large popular websites such as CNN, Yahoo and Amazon, and as more network companies become dependent on the stability, security and availability of the Internet environment, they face significant losses if attacked by DDoS.
In a conventional network, the control plane and the data plane are distributed across each network device, and adjusting a traffic path requires configuring a corresponding traffic policy on each network element. This is not safe and can cause troublesome problems in special situations: when adjusting the traffic of a large network, the process is not only very cumbersome but also relatively prone to faults that are hard to anticipate. Traffic can also be adjusted through TE tunnels, but TE tunnels are very complicated, their maintenance is technically difficult and their maintenance cost is high. Moreover, traditional network protocols such as BGP, IGP, multicast protocols and MPLS are very complex, and their number keeps increasing. Beyond the standard protocols, device manufacturers usually add proprietary extensions, so the operation commands for the devices are very messy and devices from different manufacturers have their own operation interfaces, which causes many difficulties for operation and maintenance. In a traditional network, equipment is managed in a closed manner and different manufacturers implement it differently, so deploying a new function may take a long time; and if the equipment later needs maintenance or upgrades, each device has to be operated on individually, which greatly reduces overall working efficiency. SDN is a completely new concept, and the trend in academic research is to provide a functional SDN infrastructure. Recent research results have shown that security is one of the most critical issues in software defined networks.
Software defined networking (SDN), as a new network architecture, has great advantages over traditional networks. The SDN controller holds the global topology and can therefore manage the entire network, and SDN separates the data plane from the control plane. Unlike traditional switches, SDN switches have no control function; their only job is to forward packets. Because SDN applies unified, centralized control to the data plane, network resources can be managed optimally, which greatly improves the flexibility and controllability of the network. Programmable networks are now widely popular because they provide an abstract view of the network, which in turn allows a good understanding of the operation of complex networks and improves the effectiveness of the actions taken in the event of a potential threat. SDN is an emerging centralized network architecture whose forwarding elements are managed by a central unit, the SDN controller, which can obtain traffic statistics from each switch and, based on that traffic data, take appropriate measures to prevent malicious behaviour or improper use of the network. A programmable network protocol, the OpenFlow protocol, is used between the SDN controller and the switches, so the controller's commands are delivered through this protocol to switches that support OpenFlow. Although a centralized controller is more powerful, the controller itself has a drawback, namely the possibility of a single point of failure, which makes a network using a centralized controller more vulnerable than the conventional network architecture.
On the other hand, since OpenFlow is used for communication between OpenFlow-enabled switches and controllers, it provides opportunities for a wide variety of attacks, such as denial of service (DoS), host location hijacking and man-in-the-middle attacks. Research on abnormal traffic detection in the SDN environment is therefore of great significance and has very broad application prospects.
Disclosure of Invention
In order to identify abnormal traffic in the network promptly and effectively and to reduce the network resources consumed by a DDoS attack, a DDoS attack defense system is designed in combination with the MD-SAL framework. The system identifies traffic anomalies in the network, raises a timely alarm and notifies the system to take the corresponding defensive measures; finally it looks up attack information by the preset RPC keys such as source IP and target IP, and achieves accurate classification of suspicious traffic based on the TDMC algorithm.
The technical scheme of the invention is as follows:
a DDoS attack detection system in an SDN environment comprises an anomaly detection module, an anti-misjudgment module, a traffic processing module, an anomaly storage module and an information viewing module;
the anomaly detection module monitors the network for abnormal traffic and raises an alarm when it occurs. It is divided into data-plane lightweight detection and control-plane heavyweight detection. The lightweight detection performed on the data plane selects representative DDoS features to judge the traffic: when a feature of newly arriving traffic exceeds the allowable range learned during training, one anomaly condition is met, and when the selected conditions are met, the traffic detected by the data plane is considered abnormal. When the data plane detects abnormal traffic, the heavyweight detection of the control plane is carried out: first a data set over the specific feature set is trained, the algorithm being a random forest, which compared with other classification algorithms is simpler to implement, faster to train and easier to parallelize. The features of the abnormal traffic information passed up from the data plane are extracted, the extracted feature set is fed into the random forest for fine-grained classification, and the anomaly status of the traffic is analysed;
the anti-misjudgment module reduces the false alarm rate: for the abnormal traffic screened out by the anomaly detection module, traffic is redistributed in a set proportion, one part being forwarded as normal traffic and the other part being discarded as abnormal traffic;
the traffic processing module handles the classified traffic separately: normal traffic is forwarded normally, and abnormal traffic is handled by issuing the corresponding flow table rules;
the anomaly storage module records the corresponding threat information into the DataStore through the DataBroker, and the user views the threat information recorded in the DataStore through RPC;
and the information viewing module lets an administrator view the attack records on the web page; for example, the attack information for a target IP can be retrieved by entering that target IP.
If the traffic processing module receives normal traffic, the controller issues a flow table rule to the switch, configures it according to the information in the original flow and returns the normal traffic to the switch, where it matches the relevant rule and is forwarded according to the flow table rule. At this point the traffic has passed through the anomaly detection module, been marked as suspicious, finally been classified as normal by the classifier, and reached the destination host;
if the traffic is abnormal, a blacklist is set up in the controller to further improve detection efficiency: the flow table rule for the abnormal traffic is stored a second time by recording it in the anomaly blacklist. When flow information enters the controller, the blacklist is matched first; if there is no match, the control-plane heavyweight detection of the anomaly detection module is carried out and the traffic identified as abnormal is recorded in the blacklist; if a corresponding flow table rule already exists, the rule is issued to the flow table and the traffic is not detected again. This reduces the work of the heavyweight classification algorithm and improves detection speed.
The anomaly storage module stores the detected anomaly information for later retrieval and viewing. Data is stored through the DataStore in the MD-SAL and accessed through the DataBroker; a change to the data stored in the DataStore triggers an onDataChange() event, and the change is handled in onDataChange(). Data is stored in the DataStore as a tree: before storing, a storage model is first defined in the YANG language, which organizes data hierarchically and ultimately builds a tree;
RPC (remote procedure call) is the unicast mode of message passing: a message consumer and a provider communicate one-to-one, the consumer sending a request message to the provider and receiving the response asynchronously.
The method for detecting a DDoS attack in the SDN environment comprises the following steps:
(1) traffic entering the system is matched against the flow table rules in the flow table; if the match succeeds, the flow table already has a rule for this traffic, so it is processed directly according to that rule;
(2) traffic that matches no flow table rule enters the anomaly detection module, where flow features are extracted from the switch counters for lightweight detection to analyse suspicious traffic: the range of each feature value is trained on normal traffic and used as the template for abnormal-traffic detection in the lightweight stage; the extracted feature values are compared with the trained template, and when all features fall outside the specified ranges the traffic is judged abnormal, otherwise it is judged normal and forwarded directly without the heavyweight detection algorithm;
(3) if step (2) identifies no abnormal traffic, the traffic is regarded as normal and a flow table rule is issued so that it is forwarded normally; if suspicious traffic is identified, it is matched against the records in the anomaly blacklist: if it is in the blacklist the flow is discarded directly, and if it is not, the heavyweight detection of the control plane is carried out;
(4) in the heavyweight detection stage, features are extracted first, mainly source IP acceleration, paired-flow percentage, single-flow growth, median packets per flow, median flow duration and port acceleration, and finally a random forest classifies the traffic;
(5) according to the classification result, normal traffic is issued to the flow table for normal forwarding; abnormal traffic is forwarded in a set proportion and the rest is discarded; at the same time the abnormal traffic information is stored in the DataStore for later remote calls, and the anomaly blacklist is updated;
(6) a remote procedure call is made: RPC is used to retrieve and view the anomaly information on the web page provided by the controller, calling by source IP or target IP according to the predefined YANG model.
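The six-step method above as a runnable simulation; this is an added illustration, not the patent's OpenDaylight code. The random forest is replaced by a stand-in majority vote of constructed threshold rules, the flow match key is simplified to (source IP, destination IP), the DataStore and blacklist are plain Python containers, and all sample feature records are constructed:

```python
import random
from dataclasses import dataclass, field

# The six heavyweight features named in step (4) of the method.
FEATURES = ("src_ip_accel", "paired_flow_pct", "single_flow_growth",
            "pkts_per_flow_median", "flow_duration_median", "port_accel")

# Constructed per-window feature records for normal training traffic.
NORMAL_FLOWS = [
    {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.9", "src_ip_accel": 1.0, "paired_flow_pct": 0.95,
     "single_flow_growth": 2.0, "pkts_per_flow_median": 12, "flow_duration_median": 4.0, "port_accel": 1.0},
    {"src_ip": "10.0.0.2", "dst_ip": "10.0.0.9", "src_ip_accel": 2.0, "paired_flow_pct": 0.90,
     "single_flow_growth": 5.0, "pkts_per_flow_median": 10, "flow_duration_median": 3.0, "port_accel": 2.0},
    {"src_ip": "10.0.0.3", "dst_ip": "10.0.0.9", "src_ip_accel": 1.5, "paired_flow_pct": 0.97,
     "single_flow_growth": 3.0, "pkts_per_flow_median": 15, "flow_duration_median": 5.0, "port_accel": 1.5},
]
# Constructed test records: a flood-like window, a quiet window whose features all fall
# outside the trained ranges but in the benign direction, and a plain normal window.
ATTACK_FLOW = {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.9", "src_ip_accel": 900.0,
               "paired_flow_pct": 0.02, "single_flow_growth": 500.0, "pkts_per_flow_median": 1,
               "flow_duration_median": 0.01, "port_accel": 800.0}
QUIET_FLOW = {"src_ip": "10.0.0.4", "dst_ip": "10.0.0.9", "src_ip_accel": 0.0,
              "paired_flow_pct": 1.0, "single_flow_growth": 0.0, "pkts_per_flow_median": 40,
              "flow_duration_median": 20.0, "port_accel": 0.0}
NORMAL_FLOW = dict(NORMAL_FLOWS[0], src_ip="10.0.0.5")

def train_template(normal_flows, slack=0.1):
    """Step (2) training: per-feature [low, high] range of normal traffic, widened by slack."""
    template = {}
    for f in FEATURES:
        vals = [flow[f] for flow in normal_flows]
        lo, hi = min(vals), max(vals)
        pad = (hi - lo) * slack
        template[f] = (lo - pad, hi + pad)
    return template

def lightweight_check(flow, template):
    """Step (2) decision as the page states it: suspicious only when every feature is
    outside its trained range; otherwise the flow is normal and skips heavyweight detection."""
    return all(not (template[f][0] <= flow[f] <= template[f][1]) for f in FEATURES)

def heavyweight_classify(flow):
    """Step (4) stand-in for the random forest: majority vote of per-feature threshold
    stumps. The thresholds are constructed for this example, not trained."""
    votes = [
        flow["src_ip_accel"] > 50,          # many new source IPs per second
        flow["paired_flow_pct"] < 0.3,      # few flows ever see a reply
        flow["single_flow_growth"] > 100,   # one-way flows piling up
        flow["pkts_per_flow_median"] < 3,   # a typical flow is a packet or two
        flow["flow_duration_median"] < 0.5,
        flow["port_accel"] > 50,
    ]
    return "abnormal" if sum(votes) > len(votes) / 2 else "normal"

@dataclass
class Controller:
    template: dict
    forward_ratio: float = 0.1  # the page's P-rate: share of abnormal traffic still forwarded
    flow_table: dict = field(default_factory=dict)  # (src, dst) -> action; rules time out
    blacklist: set = field(default_factory=set)     # persistent record of abnormal keys
    datastore: list = field(default_factory=list)   # stand-in for the MD-SAL DataStore
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    @staticmethod
    def key(flow):
        return (flow["src_ip"], flow["dst_ip"])  # simplified match key for the example

    def handle(self, flow):
        """Returns (action, stage) for one flow record, following steps (1) to (5)."""
        k = self.key(flow)
        if k in self.flow_table:                        # (1) an existing rule is applied
            return self.flow_table[k], "flow_table"
        if not lightweight_check(flow, self.template):  # (2) data-plane template check
            self.flow_table[k] = "forward"
            return "forward", "lightweight"
        if k in self.blacklist:                         # (3) blacklist before heavyweight
            self.flow_table[k] = "drop"
            return "drop", "blacklist"
        if heavyweight_classify(flow) == "normal":      # (4) control-plane classifier
            self.flow_table[k] = "forward"
            return "forward", "heavyweight"
        self.datastore.append({"src_ip": flow["src_ip"], "dst_ip": flow["dst_ip"],
                               "features": {f: flow[f] for f in FEATURES}})
        self.blacklist.add(k)                           # (5) record and blacklist
        if self.rng.random() < self.forward_ratio:      # (5) anti-misjudgment P-rate
            return "forward", "p_rate"
        self.flow_table[k] = "drop"
        return "drop", "heavyweight"

    def expire_rules(self):
        """Flow-table rules time out and are cleared; the blacklist persists."""
        self.flow_table.clear()

    def query(self, src_ip=None, dst_ip=None):
        """Step (6): RPC-style lookup of stored attack records by source and/or target IP."""
        return [r for r in self.datastore
                if (src_ip is None or r["src_ip"] == src_ip)
                and (dst_ip is None or r["dst_ip"] == dst_ip)]
```

The quiet window shows why the page keeps a second stage: it trips the all-features-out-of-range template yet is cleared by the classifier, while the attacker's key stays blacklisted after its flow rule has timed out.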
The beneficial effects of the invention are as follows. Timeliness: once abnormal traffic appears in the network the system responds in time; the lightweight detection on the switch in the anomaly detection module pre-screens suspicious traffic, reducing the detection pressure on the heavyweight controller stage and improving detection speed, and the heavyweight controller stage can run in parallel using the random forest algorithm, further improving timeliness. Efficiency: a blacklist mechanism for repeated attack IPs avoids repeated processing by the controller and improves the response efficiency of the whole system. Accuracy: the anomaly detection module identifies abnormal traffic accurately through two-stage detection, and the P-rate forwarding mechanism reduces the system's false alarm rate. Operability and flexibility: for different DDoS attacks only the code in the corresponding module needs to be modified, and some interfaces are reserved in the design to ensure future expansion.
Drawings
Fig. 1 is an architecture diagram of the DDoS attack anomaly detection system.
Fig. 2 is a flow chart of the anomaly detection module.
Fig. 3 is a flow chart of the anti-misjudgment module.
Fig. 4 is a flow chart of the traffic processing module.
Fig. 5 shows the DataBroker reading and writing data from and to the DataStore.
Fig. 6 is a flow chart of the DDoS attack detection system.
Fig. 7 is the network topology used for testing.
Fig. 8 shows the relationship between TPR and sample size.
Fig. 9 shows the relationship between accuracy and sample size.
Fig. 10 shows the relationship between false alarm rate and sample size.
Detailed Description
Embodiment:
Mininet, used in this embodiment, creates the virtual hosts required for a topology in a standard Linux environment; the experimental environment uses Ubuntu 16.04. Mininet also supports OpenFlow switches, OpenFlow controllers and secure links, and supports custom SDN and OpenFlow topologies.
The invention uses the OpenDaylight controller as the controller module in the SDN environment. The controller is implemented in Java, so before the corresponding modules are designed and developed, the Java environment (JDK, Maven and so on) has to be installed and configured on Ubuntu 16.04; in addition, apt has to be updated before any software is installed, and then Git is installed as a tool for the subsequent installation of the OpenDaylight controller.
Two hosts perform a TCP three-way handshake when communicating, and all client requests first pass through the switch, where flow table rules are matched. When a client performs its first handshake there is no corresponding rule in the flow table, so the switch sends a Packet-in message to the controller. All traffic entering the switch is pre-screened by the lightweight anomaly detection on the data plane: normal traffic is handed back to the switch for normal forwarding, and suspicious traffic is handed to the heavyweight detection algorithm of the control plane.
A data set is trained on the extracted traffic features, with a random forest classification algorithm as the training model; normal and abnormal traffic are trained through the random forest. The detection module then sends suspicious traffic to the feature extraction module; after the feature values are extracted, the random forest in the anomaly detection module classifies them into normal and abnormal traffic, which then enters the traffic processing module, where normal traffic is forwarded normally and abnormal traffic receives anomaly handling. When the anomaly detection module identifies abnormal traffic, its information is stored and recorded in the anomaly storage module; an administrator can view the attack information on the web page through the information viewing module, querying by source IP address or destination IP, and the administrator can specify other query keys when the YANG model is defined.
The anomaly detection module monitors the network for abnormal traffic and raises an alarm when an anomaly occurs. It is divided into two parts, data-plane lightweight detection and control-plane heavyweight detection. The lightweight detection performed on the data plane selects representative DDoS features to judge the traffic: when a feature of newly arriving traffic exceeds the allowable range learned during training, one anomaly condition is met, and when the selected conditions are met, the traffic detected by the data plane is considered abnormal.
After the data plane detects abnormal traffic, the heavyweight detection of the control plane analyses it further. First a data set over the specific feature set is trained; the algorithm is a random forest, which compared with other classification algorithms is simple to implement, fast to train and easy to parallelize. The features of the abnormal traffic information passed up from the data plane are extracted and the extracted feature set is fed into the random forest for fine-grained classification, so the anomaly status of the traffic can be analysed more accurately.
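Feature extraction for the heavyweight stage, covering step (4) of the method and the paragraph above, as an added example that is not the patent's own code. The page names the six features without defining them, so the definitions, the flow record schema, the sampling interval and the two sample windows here are this example's assumptions:

```python
import statistics
from collections import namedtuple

# One flow record as read from a switch's per-flow counters (constructed schema).
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port packets duration")

WINDOW_SECONDS = 5.0  # constructed sampling interval between two counter reads

def _paired_keys(flows):
    """Set of 4-tuples present in the window, used to find reverse-direction flows."""
    return {(f.src_ip, f.src_port, f.dst_ip, f.dst_port) for f in flows}

def _is_paired(f, keys):
    return (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in keys

def extract_features(prev, cur, window_seconds=WINDOW_SECONDS):
    """Computes the six step-(4) features for window `cur` relative to window `prev`.
    The definitions are this example's assumptions:
      src_ip_accel          change in the number of distinct source IPs, per second
      paired_flow_pct       share of flows in cur that have a reverse-direction flow
      single_flow_growth    increase in the count of unpaired (one-way) flows
      pkts_per_flow_median, flow_duration_median   medians over cur
      port_accel            change in the number of distinct destination ports, per second
    """
    keys = _paired_keys(cur)
    paired = sum(_is_paired(f, keys) for f in cur)
    single_prev = sum(not _is_paired(f, _paired_keys(prev)) for f in prev)
    srcs = lambda ws: len({f.src_ip for f in ws})
    ports = lambda ws: len({f.dst_port for f in ws})
    return {
        "src_ip_accel": (srcs(cur) - srcs(prev)) / window_seconds,
        "paired_flow_pct": paired / len(cur),
        "single_flow_growth": (len(cur) - paired) - single_prev,
        "pkts_per_flow_median": statistics.median(f.packets for f in cur),
        "flow_duration_median": statistics.median(f.duration for f in cur),
        "port_accel": (ports(cur) - ports(prev)) / window_seconds,
    }

# Constructed windows: a quiet baseline, then a window where six one-way flows from
# spoofed sources hit 10.0.0.9:80 alongside one legitimate two-way exchange.
PREV_WINDOW = [
    Flow("10.0.0.1", 40001, "10.0.0.9", 80, 10, 2.0),
    Flow("10.0.0.9", 80, "10.0.0.1", 40001, 9, 2.0),
    Flow("10.0.0.2", 40002, "10.0.0.9", 443, 8, 3.0),
    Flow("10.0.0.9", 443, "10.0.0.2", 40002, 8, 3.0),
    Flow("10.0.0.3", 40003, "10.0.0.9", 22, 20, 4.0),
]
CUR_WINDOW = [
    Flow("10.0.0.1", 40001, "10.0.0.9", 80, 5, 1.0),
    Flow("10.0.0.9", 80, "10.0.0.1", 40001, 5, 1.0),
] + [Flow(f"203.0.113.{i}", 1000 + i, "10.0.0.9", 80, 1, 0.01) for i in range(1, 7)]
```

Run against the sample windows, the flood window yields a paired-flow share of 0.25, a median of one packet per flow and a source-IP acceleration of 0.8 per second, which is the kind of shift the classifier in the patent is trained to separate from normal traffic.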
In the anomaly detection module, the lightweight detection on the data plane followed by the heavyweight detection on the control plane ensures relatively high detection precision and resource utilization, but some error remains. In heavyweight detection the detected object is traffic over a period of time; when the traffic in that period is detected as abnormal, it cannot be guaranteed that all of it is abnormal, since some normal traffic may be mixed in, and under normal circumstances that traffic is hard to pick out. Therefore, after the random forest has separated abnormal and normal traffic, the abnormal traffic is processed further, which raises the classification precision. In addition, a DDoS attack may be continuous while only the data of one period is detected; flow entries with the same characteristics as the current traffic may be added at the next moment, and without further handling they would be detected repeatedly. To further improve detection efficiency, a blacklist is added on the controller to record traffic detected as abnormal. When the information of the next packet is sent to the controller, it is compared with the blacklist; the Action recorded in the blacklist for it is Drop, and the traffic is not detected again. This reduces the work of the heavyweight classification algorithm and improves detection speed.
After the anomaly detection module has separated abnormal traffic from normal traffic, the two can be processed separately. For normal traffic, the controller issues a flow table rule to the switch, configures it according to the information in the original flow and returns the traffic to the switch, where the relevant rule is matched and the traffic is forwarded according to the flow table rule. At this point the traffic has passed through the anomaly detection module, been marked as suspicious, finally been classified as normal by the classifier, and reached the target host. Fig. 4 shows the flow chart of the traffic processing module.
As can be seen from Fig. 4, once traffic is classified as abnormal it is handled by a specific flow table rule: the abnormal traffic is discarded directly, and this action is expressed in the flow table rule. As the previous module shows, detecting the abnormal traffic is very laborious; if all traffic had to go through the detection module for full identification and analysis, it would consume a great deal of time and reduce the efficiency of the whole system. At the same time, every flow table rule has a timeout and is cleared once it expires. To make full use of the detection result, the flow table rule for the abnormal traffic is stored a second time by recording it in the anomaly blacklist. When flow information enters the controller the blacklist is matched first; if there is no match, the heavyweight algorithm performs detection and the traffic identified as abnormal is recorded in the blacklist; if a corresponding flow table rule exists, it is issued to the flow table, so no heavyweight detection is needed and the detection of the DDoS attack is accelerated.
The anomaly storage module stores the detected anomaly information for later retrieval and viewing. Data is stored in the MD-SAL through the DataStore, and interaction with the DataStore goes through the DataBroker; a change to the data stored in the DataStore triggers an onDataChange() event, and the change is handled in onDataChange(). Data is stored in the DataStore as a tree. Before data is stored, a storage model is defined in the YANG language, which is the foundation of the OpenDaylight architecture and the prerequisite for developing a data model: the state data and configuration operated on by the NETCONF protocol can be modelled in YANG, as can remote procedure calls (rpc) and notifications. YANG organizes data hierarchically and ultimately builds a tree.
TABLE 1 Statements for anomaly storage and their roles (the table body is an image in the source and is not reproduced here)
The DataBroker is used to read and write data to the DataStore and to listen for data store change events.
First a listener is registered. OpenDaylight has three ways of listening for events: DataChangeListener listens on the whole tree, so a change to any leaf node in the tree triggers the event; DataTreeChangeListener can be targeted at a subtree more precisely than the previous listener;
and DOMDataTreeChangeListener accesses the DataStore through the DOMDataBroker, indexing and locating the data tree with a QName.
If the data tree changes, the change is registered in the MD-SAL. First a class implementing the data change event is created; then the DataBroker parameter is passed to an instance of that class; then the data change listener member variable is added; and finally the corresponding path is registered. If the data tree needs to be modified, this is done with put, merge, delete and similar operations.
The creation of an RPC can be divided into 3 steps:
(1) model the RPC in the YANG language, i.e. define the YANG file of the RPC and compile the subdirectory of the project where the YANG file is located.
First a YANG model is created and the rpc is defined in the YANG program; several rpcs can be defined, and the generated code corresponds to different functions according to the different definitions.
(2) complete the concrete implementation of the RPC, i.e. choose the location and implement the Service interface.
This means implementing the declared interface, creating an implementation class and adding the RPC function to be implemented, for example calling by source IP address, or freely defining calls by destination IP, port number and so on, or defining several RPC functions at once so that one can switch between different functions; here only the source IP and destination IP are defined, as required to retrieve the attack records.
(3) create the RPC instance and do the corresponding registration and closing work.
The related classes are imported from the automatically generated service provider classes. Before registration in the service provider class, the RPC implementation class is also registered with the MD-SAL using the RPC model defined in YANG. The registration of the RPC of the main project file model is added in the related class function, and the RPC implementation class is bound to the implementation of the main project class.
The invention targets DDoS attacks, which come in many types; for a different attack only the code of the corresponding module needs to be modified, which gives the defense system operability and flexibility. Accordingly, program interfaces are reserved during the design so that new requirements can be accommodated later.
Under the SDN framework the switch processes new flows through its flow table: when a data flow arrives it is compared with the flow table entries, and if none matches the switch asks the controller how to handle it, since the controller holds the global topology. When an attacker launches an attack in an SDN environment, a large number of forged data flows or a burst of instantaneous data flows may be generated; because the switch lacks matching flow table rules, each of them causes a Packet-in request to be sent to the controller, and the resulting volume of Packet-in messages can consume a large share of the controller's resources. At the same time, a large number of SYN requests put heavy resource pressure on the server side, so a denial-of-service effect results. The related application is developed on OpenDaylight to detect and protect against this type of attack.
In order to centrally monitor and operate the global network from the upper layer, the OpenDaylight-based controller module is implemented by programming the system.
When a flow enters the system it first enters the switch, where the corresponding flow table is matched. If a matching flow table entry exists, the flow is forwarded according to that rule; if it does not, the detection system identifies and classifies the flow, distinguishing normal traffic from abnormal traffic: normal traffic is forwarded normally, while for abnormal traffic a drop flow table rule is issued. The working flow of the embodiment is described in detail below.
(1) Send abnormal attack traffic: DDoS attack traffic is first generated with hping3 so that it enters the system, and the anomaly detection system designed in this chapter detects the abnormal traffic.
(2) The traffic entering the system is matched against the flow table rules in the flow table. If the match succeeds, the flow table already holds a rule for this traffic, so the rule is applied directly: normal traffic is forwarded and abnormal traffic is discarded.
(3) Traffic that matches no flow table rule enters the anomaly detection module, which extracts flow features from the switch counters for lightweight detection and analysis of suspicious traffic. Specifically, the range of each feature value of normal traffic is first trained from normal traffic and used as the template for detecting abnormal traffic in the lightweight stage; the extracted feature values are then compared with the trained template. When all features lie outside the specified range the flow is judged abnormal; otherwise it is judged normal and forwarded directly without running the heavyweight detection algorithm.
(4) Abnormal traffic that cannot be identified in the first stage is treated as normal traffic, and a flow table rule is issued so that it is forwarded normally. Identified suspicious traffic is matched against the records in the abnormal blacklist: if it is present in the blacklist the flow is discarded directly, and if it is not, heavyweight detection is performed on the control plane.
(5) In the heavyweight detection stage the features are extracted first, namely source IP acceleration, pair-flow percentage, single-flow growth, median number of packets per flow, median flow duration and port acceleration, and classification is finally performed with a random forest.
(6) According to the classification result, normal flows are issued to the flow table for normal forwarding; of the abnormal flows a certain proportion is forwarded and the rest are discarded. At the same time the abnormal flow information is stored in the DataStore to support later remote calls, and the abnormal blacklist is updated.
(7) A remote procedure call is performed: RPC is used to call and view the abnormal information at the web page provided by the controller, calling by source IP, destination IP and the like according to the YANG model defined in advance.
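The following Python model is an added illustration of steps (2) to (7) above; it is not the patent's code and not part of OpenDaylight. The feature names, the trained ranges, the fixed rule that stands in for the random forest, the 1-in-10 forwarding share, the dictionary that stands in for the MD-SAL DataStore and all flow records are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Lightweight-stage features that a data-plane agent could derive from switch
# counters (constructed names, not the patent's exact feature list).
LIGHT_FEATURES = ("packets_per_sec", "bytes_per_packet", "pairflow_ratio")


def make_flow(src, dst, port, pps, bpp, pair, src_ip_accel=0, pairflow_pct=1.0):
    """Build one flow record; the last two fields stand in for two of the six
    control-plane features named in step (5)."""
    return {"src_ip": src, "dst_ip": dst, "dst_port": port,
            "packets_per_sec": pps, "bytes_per_packet": bpp, "pairflow_ratio": pair,
            "src_ip_accel": src_ip_accel, "pairflow_pct": pairflow_pct}


def train_ranges(normal_flows):
    """Step (3): the [min, max] of each feature over known-normal traffic is the
    template used by the lightweight stage."""
    return {f: (min(x[f] for x in normal_flows), max(x[f] for x in normal_flows))
            for f in LIGHT_FEATURES}


def lightweight_abnormal(flow, ranges):
    """Step (3) as stated in the text: a flow is abnormal only when every
    selected feature lies outside its trained range."""
    return all(not (lo <= flow[f] <= hi) for f, (lo, hi) in ranges.items())


def heavyweight_abnormal(flow):
    """Step (5): fixed rule used here in place of the random forest (assumption)."""
    return flow["src_ip_accel"] > 50 and flow["pairflow_pct"] < 0.2


@dataclass
class Controller:
    ranges: dict
    forward_every: int = 10   # step (6): forward 1 in N confirmed-abnormal flows (assumed share)
    flow_table: dict = field(default_factory=dict)   # (src, dst, port) -> "forward" | "drop"
    blacklist: set = field(default_factory=set)      # abnormal source IPs
    datastore: list = field(default_factory=list)    # stands in for the MD-SAL DataStore
    abnormal_seen: int = 0

    def handle(self, flow):
        key = (flow["src_ip"], flow["dst_ip"], flow["dst_port"])
        if key in self.flow_table:                       # step (2): rule exists, apply it
            return self.flow_table[key]
        if not lightweight_abnormal(flow, self.ranges):  # steps (3)/(4): looks normal
            self.flow_table[key] = "forward"
            return "forward"
        if flow["src_ip"] in self.blacklist:             # step (4): known offender
            self.flow_table[key] = "drop"
            return "drop"
        if not heavyweight_abnormal(flow):               # step (5): classifier clears it
            self.flow_table[key] = "forward"
            return "forward"
        # Step (6): confirmed abnormal -> record it, blacklist the source, forward a set share.
        self.datastore.append({"src_ip": flow["src_ip"], "dst_ip": flow["dst_ip"],
                               "dst_port": flow["dst_port"]})
        self.blacklist.add(flow["src_ip"])
        self.abnormal_seen += 1
        action = "forward" if self.abnormal_seen % self.forward_every == 0 else "drop"
        self.flow_table[key] = action
        return action

    def query(self, src_ip=None, dst_ip=None):
        """Step (7): the RPC-style lookup of stored records by source and/or destination IP."""
        return [r for r in self.datastore
                if (src_ip is None or r["src_ip"] == src_ip)
                and (dst_ip is None or r["dst_ip"] == dst_ip)]


# Constructed normal traffic used to train the lightweight template.
NORMAL_TRAINING = [
    make_flow("10.0.0.1", "10.0.0.9", 80, pps=20, bpp=500, pair=0.9),
    make_flow("10.0.0.2", "10.0.0.9", 443, pps=40, bpp=800, pair=0.8),
    make_flow("10.0.0.3", "10.0.0.9", 80, pps=10, bpp=300, pair=1.0),
]


def run_demo():
    """Push constructed flows through the pipeline and return the controller and actions."""
    ctl = Controller(ranges=train_ranges(NORMAL_TRAINING))
    actions = [ctl.handle(make_flow("10.0.0.4", "10.0.0.9", 80, 25, 600, 0.9))]
    # One feature out of range is not enough under the all-features rule.
    actions.append(ctl.handle(make_flow("10.0.0.5", "10.0.0.9", 80, 500, 600, 0.9)))
    # Ten flood-like flows from ten sources: every feature out of range, heavy stage confirms.
    for i in range(1, 11):
        actions.append(ctl.handle(make_flow(f"198.51.100.{i}", "10.0.0.9", 1000 + i,
                                            5000, 60, 0.05, src_ip_accel=80, pairflow_pct=0.05)))
    # A further flow from a blacklisted source is dropped without reaching the heavy stage.
    actions.append(ctl.handle(make_flow("198.51.100.1", "10.0.0.9", 2000,
                                        5000, 60, 0.05, src_ip_accel=80, pairflow_pct=0.05)))
    return ctl, actions


if __name__ == "__main__":
    controller, acts = run_demo()
    print(acts)
    print(controller.query(src_ip="198.51.100.3"))
```

The point worth checking in such a pipeline is the cost ordering: a flow table hit and a blacklist hit both return before any control-plane work, so repeat traffic from an already-identified source never generates further Packet-in load on the heavyweight stage, which is what protects the controller in the scenario described above.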
The network structure used in the experimental tests of the present invention is shown in fig. 7. Under this topology the main functions of the system are tested, and the proposed two-stage, multi-plane-coordinated DDoS attack detection algorithm is compared with two existing classification algorithms. The three anomaly detection algorithms are compared in terms of the detection rate, false alarm rate and accuracy of anomaly detection.
(1) Detection rate TPR:
$$\mathrm{TPR} = \frac{TP}{TP + FN}$$
where TP is the number of truly abnormal flows among all traffic marked as abnormal, i.e. the number of correctly identified abnormal flows, and FN is the number of abnormal flows among all traffic identified as normal. TPR is thus the percentage of correctly classified abnormal traffic in the total abnormal traffic.
(2) Accuracy ACC:
$$\mathrm{ACC} = \frac{TP + TN}{TP + TN + FP + FN}$$
where TN is the number of normal flows among all traffic labelled as normal, i.e. the correctly identified normal flows, and FP is the number of normal flows among all traffic identified as abnormal. ACC reflects the discriminating power of the classifier: the number of correctly classified samples as a percentage of the total number of samples.
(3) False alarm rate:
$$\mathrm{FPR} = \frac{FP}{FP + TN}$$
where FP is the number of normal flows among all traffic identified as abnormal and TN is the number of normal flows among all traffic identified as normal; FPR is thus the percentage of the total normal traffic (FP + TN) that is classified as abnormal.
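As an added example (not from the patent), the three metrics defined above computed from aligned ground-truth and predicted labels, with "abnormal" as the positive class so that TP, FN, FP and TN carry exactly the meanings given in the text. The label lists are constructed, and a sample that contains no abnormal flows (or no normal flows) is handled explicitly because TPR (or FPR) is undefined there.

```python
ABNORMAL, NORMAL = "abnormal", "normal"


def confusion_counts(truth, predicted):
    """Return (TP, FN, FP, TN) with 'abnormal' as the positive class."""
    if len(truth) != len(predicted):
        raise ValueError("truth and predicted label lists must be aligned")
    pairs = list(zip(truth, predicted))
    tp = sum(1 for t, p in pairs if t == ABNORMAL and p == ABNORMAL)  # caught attacks
    fn = sum(1 for t, p in pairs if t == ABNORMAL and p == NORMAL)    # missed attacks
    fp = sum(1 for t, p in pairs if t == NORMAL and p == ABNORMAL)    # false alarms
    tn = sum(1 for t, p in pairs if t == NORMAL and p == NORMAL)      # clean traffic passed
    return tp, fn, fp, tn


def _ratio(num, den):
    # TPR needs at least one abnormal flow and FPR at least one normal flow in the
    # sample; report 0.0 instead of dividing by zero when the class is absent.
    return num / den if den else 0.0


def detection_metrics(truth, predicted):
    """Detection rate (TPR), accuracy (ACC) and false alarm rate (FPR) as defined above."""
    tp, fn, fp, tn = confusion_counts(truth, predicted)
    return {
        "TP": tp, "FN": fn, "FP": fp, "TN": tn,
        "TPR": _ratio(tp, tp + fn),
        "ACC": _ratio(tp + tn, tp + tn + fp + fn),
        "FPR": _ratio(fp, fp + tn),
    }


# Constructed sample of 10 flows: 4 truly abnormal, 6 truly normal.
SAMPLE_TRUTH = [ABNORMAL] * 4 + [NORMAL] * 6
# The detector misses one attack flow and raises one false alarm.
SAMPLE_PRED = [ABNORMAL, ABNORMAL, ABNORMAL, NORMAL,
               NORMAL, NORMAL, NORMAL, NORMAL, NORMAL, ABNORMAL]

if __name__ == "__main__":
    print(detection_metrics(SAMPLE_TRUTH, SAMPLE_PRED))
```

On the constructed sample this gives TP=3, FN=1, FP=1, TN=5, hence TPR 0.75, ACC 0.8 and FPR 1/6; the figures below plot these same three quantities against sample size.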
A detection rate simulation graph of the two-stage multi-plane-coordinated DDoS attack detection algorithm (TDMC), the random forest algorithm (RF) and the SVM algorithm is shown in fig. 8. The abscissa represents the size of the sample used in the experiment, and the ordinate represents the detection rate measured in each test on that sample; the three algorithms are distinguished in the figure. As fig. 8 shows, when data containing abnormal traffic enters the network the detection rates of all three algorithms tend to increase with the number of samples, and the TDMC algorithm shows the higher detection rate in the tests on the different samples.
An accuracy simulation diagram of the two-stage multi-plane-coordinated DDoS attack detection algorithm (TDMC), the random forest algorithm (RF) and the SVM algorithm is shown in fig. 9. The abscissa again represents the size of the sample used in the experiment, and the ordinate represents the accuracy measured in the experiment. The graph shows that when data containing abnormal traffic enters the network, the TDMC algorithm keeps a higher accuracy as the number of samples increases.
A false alarm rate simulation diagram of the two-stage multi-plane-coordinated DDoS attack detection algorithm (TDMC), the random forest algorithm (RF) and the SVM algorithm is shown in fig. 10. The abscissa again represents the size of the sample used in the experiment, and the ordinate represents the value of the accuracy of the experiment. As the graph shows, when data containing abnormal traffic enters the network, the TDMC algorithm maintains a lower false alarm rate than the other two algorithms as the number of samples increases.
In summary, the proposed two-stage DDoS attack detection algorithm based on multi-plane coordination can be implemented in the specified network environment and can effectively separate abnormal traffic from normal traffic when abnormal traffic appears in the network. Compared with the other algorithms it performs better in terms of detection rate, accuracy and false alarm rate, with a higher detection rate and a lower false alarm rate.

Claims (4)

1. A DDoS attack detection system in an SDN environment, characterized by comprising an anomaly detection module, a misjudgement prevention module, a flow processing module, an anomaly storage module and an information viewing module;
the anomaly detection module performs lightweight detection on the data plane and heavyweight detection on the control plane; in the lightweight detection performed by the data plane, representative DDoS (distributed denial of service) features are selected to judge the flow, one anomaly condition is met when a feature of a newly arriving flow exceeds the range allowed for that feature during training, and a flow is considered abnormal in the lightweight detection of the data plane when the conditions on the selected features are met; after the data plane detects an abnormal flow, heavyweight detection is performed on the control plane: a data set with a specific feature set is first trained, the algorithm being a random forest, features are extracted from the abnormal flow information transmitted by the data plane, the extracted feature set is input into the random forest for fine-grained classification, and the anomaly conditions of the flow are analysed;
the misjudgement prevention module is used to reduce the false alarm rate: for the abnormal flows screened out by the anomaly detection module, a set proportion of the flows is selected for redistribution, one part being forwarded as normal flow and the other part being discarded as abnormal flow;
the flow processing module processes the classified flows separately: normal flows are forwarded normally and abnormal flows are handled by issuing the corresponding flow table rules;
the anomaly storage module records the corresponding threat information into the DataStore through the DataBroker, and the user views the threat information recorded in the DataStore through RPC;
and the information viewing module enables an administrator to view the attack records at the web page end.
2. The DDoS attack detection system in an SDN environment according to claim 1, wherein, when the flow handled by the flow processing module is a normal flow, the controller issues a flow table rule to the switch with the relevant settings taken from the information in the original flow, the normal flow is returned to the switch, matched against the relevant rule in the switch and forwarded according to the flow table rule; at this point the flow has passed through the anomaly detection module, been marked as a suspicious flow, finally been classified as a normal flow by the classifier, and finally reaches the destination host;
when the flow is an abnormal flow, a blacklist is set in the controller, the flow table rule of the abnormal flow is stored a second time, and the abnormal flow is recorded in the abnormal blacklist; when flow information enters the controller, the blacklist is matched first, and if the flow is not in the blacklist, detection by the control-plane heavyweight algorithm of the anomaly detection module is performed while the identified abnormal flow is recorded in the blacklist; if a corresponding flow table rule already exists, that rule is issued to the flow table and the flow is not detected again.
3. The DDoS attack detection system in an SDN environment according to claim 1, wherein the anomaly storage module is mainly configured to store the detected anomaly information for subsequent invocation and review: the data is stored through the DataStore in the MD-SAL and accessed through the DataBroker, a change to the data stored in the DataStore triggers an onDataChange() event, and the change to the DataStore is responded to in onDataChange(); the data is stored in the DataStore as a tree structure, so before the data is stored a storage model is first defined in the YANG language, the YANG model is organized hierarchically when the data is organized, and finally a tree is built;
RPC, i.e. remote procedure call, is a unicast form of message passing: the message consumer and the provider communicate one-to-one, the consumer sends a request message to the provider, and the provider returns its response asynchronously.
4. The method for detecting a DDoS attack in an SDN environment using the system of any one of claims 1-3, comprising the steps of:
(1) the traffic entering the system is matched against the flow table rules in the flow table; if the match succeeds, the flow table already holds a rule for this traffic, so the rule is applied directly;
(2) traffic that matches no flow table rule enters the anomaly detection module, which extracts flow features from the switch counters for lightweight detection and analysis of suspicious traffic: the range of each feature value of normal traffic is trained from normal traffic and used as the template for detecting abnormal traffic in the lightweight stage, the extracted feature values are compared with the trained template, and when all features lie outside the specified range the flow is judged abnormal, otherwise it is judged normal and forwarded directly without running the heavyweight detection algorithm;
(3) abnormal traffic that cannot be identified in step (2) is treated as normal traffic and a flow table rule is issued so that it is forwarded normally; identified suspicious traffic is matched against the records in the abnormal blacklist, and if it is present in the abnormal blacklist the flow is discarded directly, while if it is not, heavyweight detection is performed on the control plane;
(4) in the heavyweight detection stage the features are extracted first, mainly source IP acceleration, pair-flow percentage, single-flow growth, median number of packets per flow, median flow duration and port acceleration, and classification is finally performed with a random forest;
(5) according to the classification result, normal flows are issued to the flow table for normal forwarding, a set proportion of the abnormal flows is forwarded and the rest are discarded, and at the same time the abnormal flow information is stored in the DataStore to support later remote calls and the abnormal blacklist is updated;
(6) a remote procedure call is performed: RPC is used to call and view the abnormal information at the web page provided by the controller, calling by source IP or destination IP according to the YANG model defined in advance.
CN202010639933.0A 2020-07-06 2020-07-06 DDoS attack detection system and method in SDN environment Active CN111800419B (en)
Publications (2)

Publication Number Publication Date
CN111800419A true CN111800419A (en) 2020-10-20
CN111800419B CN111800419B (en) 2021-06-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant