CN111935152B - Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attack based on agent controller


Info

Publication number
CN111935152B
Authority
CN
China
Prior art keywords
controller
switch
agent
switches
abnormal
Prior art date
Legal status
Active
Application number
CN202010802601.XA
Other languages
Chinese (zh)
Other versions
CN111935152A (en)
Inventor
胡浩
张玉臣
张恒巍
蔡佳晔
周洪伟
宋莹炯
谭晶磊
董书琴
胡瑞欣
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202010802601.XA
Publication of CN111935152A
Application granted
Publication of CN111935152B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0281 Proxies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of network security and relates to a DDoS attack autonomous filtering and dynamic defense method and system based on agent controllers. To address the problem that an SDN controller is easily targeted by DDoS attacks, agent controllers are added between the controller and the switches to provide physical security protection for the controller. When an agent controller detects a DDoS attack, the controller runs a switch migration mechanism so that the SDN control plane presents a dynamically changing appearance to the outside. The controller controls and executes multiple rounds of switch migration, identifying and isolating the abnormal switches to break the attack flow and finally separating the normal switches from the abnormal switches. This protects the controller, improves the autonomous filtering and active protection capability of the SDN controller under DDoS attack, is convenient to apply in practical scenarios, and has good application prospects.

Description

Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attacks based on agent controller
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a DDoS attack autonomous filtering and dynamic defense method and system based on an agent controller.
Background
In recent years, with the rapid development of cloud computing and the Internet of Things, network scale and computing speed have grown greatly, and more and more people obtain information through the Internet and enjoy the convenience it brings. At present the number of Internet users in China exceeds 500 million, and the Internet has become an indispensable part of people's lives. However, the great expansion of network size also makes it easier to build botnets and launch Distributed Denial of Service (DDoS) attacks. The technical threshold for DDoS attacks is low, the number of attacks has been growing in recent years, and the attack modes have become more complicated and variable. DDoS attacks aim to destroy network services and network availability; as an attack technology derived from denial-of-service attacks, they have the characteristics of high occurrence frequency, strong destructive capability and poor early-warning effect, and have always been one of the major threats to network security. At present there are two main modes of DDoS attack. One targets the transport layer, with the aim of making the victim lose the ability to serve normal network users by consuming network bandwidth, network node processing capacity, server resources and the like with large traffic volumes. The other targets the application layer, with the aim of exhausting network resources such as CPU, connection sockets, memory and databases. According to incomplete statistics, the average loss caused by each DDoS attack is $500,000, and the attacks are concentrated in industries such as software and gaming.
Software Defined Networking (SDN) is a novel network architecture; compared with a conventional network, SDN separates the control function from the data forwarding function and can control network traffic more flexibly. The SDN architecture mainly comprises an application layer, a control layer and an infrastructure layer. The control layer is the core of the SDN network and mainly comprises a controller in software or hardware form; the controller obtains information about the underlying physical forwarding devices through the southbound interface, instructs those devices to complete the various data forwarding tasks, and provides an open programming interface to applications through the northbound interface. Because of its importance, the controller becomes a key target of DDoS attacks; if the controller is attacked, a single point of failure is easily caused, so that the SDN network cannot perform functions such as data transmission and policy updating normally. Research on defending the SDN control layer against DDoS attacks is therefore of great significance. At present, DDoS defense for the SDN control layer mainly focuses on using dynamic routing update strategies to balance the load of attack flows and reduce their adverse effect on the network, which leaves problems such as a poor overall defense effect.
Disclosure of Invention
Therefore, the invention provides a DDoS attack autonomous filtering and dynamic defense method and system based on an agent controller, which destroy attack flow by identifying and isolating abnormal switches, achieve the aim of protecting the controller, and improve the autonomous filtering and active protection capabilities of an SDN network controller in DDoS attack.
According to the design scheme provided by the invention, the DDoS attack autonomous filtering and dynamic defense method based on the agent controller comprises the following contents:
arranging, between the controller and the switches, a plurality of agent controllers that provide physical security protection for the controller; if a DDoS attack is detected by an agent controller while it forwards data packets between the controller and the switches, the controller is notified to start a switch migration mechanism, so that the network control plane changes dynamically as seen from the outside, and the abnormal switches are migrated by executing multiple rounds of switch migration, so that the normal switches and the abnormal switches are separated.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, further, the plurality of agent controllers comprise application layer agent controllers, which forward data packets between the controller and the switches and perform anomaly detection on the switches' data flows, and isolation layer agent controllers, which isolate the abnormal switches.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, further, DDoS attack detection engines are preset on both the application layer agent controllers and the isolation layer agent controllers; the application layer agent controller performs anomaly detection on the data flows from the switches through its detection engine to determine the abnormal switches, and the isolation layer agent controller isolates the identified abnormal switches through its detection engine and breaks their attack chain.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, further, based on the passive installation mode of flow table rules in an SDN network using the OpenFlow protocol, when an OpenFlow switch receives a data packet that matches no flow table rule, the packet is encapsulated in a packet-in message and sent to the controller; the application layer agent controller inspects the packet-in data flow from the switch to judge whether the switch is an abnormal switch performing a DDoS attack on the controller, and if the switch is judged abnormal, the controller migrates it to an isolation layer agent controller.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers of the present invention, further, assuming that the number of abnormal switches among the switches connected under an agent controller in the network is known, N switches are connected under the agent controller that detected the attack, comprising $N_a$ abnormal switches and $N_m$ normal switches, $N = N_a + N_m$; after detecting the attack, the controller distributes the N switches to X new agent controllers, with $N_j$ switches on the jth agent controller; after one round of connection migration, the number of normal switches still connected under the same agent controller as an abnormal switch is $N_{ma}$, and the number of normal switches not connected under the same agent controller as any abnormal switch is $N_{mn}$, $N_m = N_{ma} + N_{mn}$; by executing multiple rounds of switch migration, the number $N_{mn}$ of normal switches not sharing an agent controller with an abnormal switch is made as large as possible.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, further, switch migration is executed using a migration model, expressed as $\max E(N_{mn})$,
Figure BDA0002627927730000021
where $p_j$ is the probability that the jth agent controller is not under attack.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, further, the migration model is rewritten using Stirling's approximation as:
Figure BDA0002627927730000022
by determining the number of switches $N_j$ on the jth agent controller so that the number of normal switches $N_m$ after one round of migration is maximized, separation of the abnormal switches from the normal switches is achieved, where $N_a$ is the number of abnormal switches and X is the number of new agent controllers to which the switches connected under the agent controller that detected the attack are redistributed.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, the invention further solves the migration model on the basis of an even distribution method: it sets the number K of isolation layer agent controllers and the number $N_r$ of suspicious switches, and takes into account the influence of the number $N_a$ of abnormal switches on the final number of migration rounds by introducing the boundary condition $N_r \geq N_a$, so as to separate the abnormal switches from the normal switches.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, further, when an application layer agent controller detects an attack, it sends the suspicious switch information and the number $N_r$ of suspicious switches to the controller; the controller judges whether the number K of isolation layer agent controllers is greater than the number $N_r$ of suspicious switches; if so, the suspicious switches are migrated one-to-one to the corresponding number of isolation layer agent controllers, the abnormal switches are detected and identified, and the identified abnormal switches are migrated to the isolation layer agent controllers; otherwise, $N_r/K$ suspicious switches are assigned to each of the K isolation layer agent controllers, the abnormal switches are detected and identified, the number $N_r$ of suspicious switches is updated, and it is judged whether the current $N_r$ equals the number $N_a$ of abnormal switches; if not, the controller returns to judging again whether K is greater than the number $N_r$ of suspicious switches and continues; if equal, the identified abnormal switches are migrated to the isolation layer agent controllers.
Further, the invention also provides a DDoS attack autonomous filtering and dynamic defense system based on agent controllers, which comprises agent controllers arranged between the controller and the switches to provide physical security protection for the controller; the agent controllers comprise application layer agent controllers and isolation layer agent controllers, where the application layer agent controllers forward data packets between the controller and the switches and perform anomaly detection on the switches' data flows, and the isolation layer agent controllers isolate the abnormal switches.
The invention has the beneficial effects that:
To address the problem that an SDN controller is easily targeted by DDoS attacks, agent controllers are added between the controller and the switches to provide physical security protection for the controller; when an agent controller detects a DDoS attack, the controller runs a switch migration mechanism so that the SDN control plane presents a dynamically changing appearance to the outside; the controller controls and executes multiple rounds of switch migration, finally separating the normal switches from the abnormal switches, which improves the autonomous filtering and active protection capability of the SDN controller under DDoS attack, facilitates application in practical scenarios, and has good application prospects.
Description of the drawings:
FIG. 1 is a logical diagram of an SDN network architecture in an embodiment;
FIG. 2 is a schematic diagram of a DDoS attack model against an SDN controller in an embodiment;
FIG. 3 is a diagram of a dynamic defense architecture for DDoS attacks in an embodiment;
FIG. 4 is a hierarchical schematic of the agent controllers in an embodiment;
FIG. 5 is a schematic diagram of the implementation principle of the agent controller migration mechanism in an embodiment;
FIG. 6 is a flow diagram of dynamic defense against DDoS attacks in an SDN network in an embodiment;
FIG. 7 shows the results of the simulation experiments in the embodiment.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
The logical diagram of the SDN network architecture is shown in FIG. 1; it mainly includes an application layer, a control layer and an infrastructure layer. The control layer is the core of the SDN network and mainly comprises a controller in software or hardware form; the controller obtains information about the underlying physical forwarding devices through the southbound interface, instructs those devices to complete the various data forwarding tasks, and provides an open programming interface to applications through the northbound interface. Some results on DDoS defense for the SDN control layer already exist at home and abroad: a source-IP-address filtering method analyzes the traffic characteristics shown by different users from the perspective of user classification and applies different strategies to different users, deploying a lightweight DDoS blocking program on the SDN controller that distinguishes legitimate users from zombie hosts and directs legitimate users to the real Web service ports; a DDoS attack detection and mitigation technique referred to as Apache Spark analyzes DDoS attack behaviour and feeds the analysis result back through the controller, so that targeted defense can be performed better; and a DDoS attack detection method based on FlowRange queue priority improves the controller's ability to defend against distributed denial of service attacks. However, the above methods mainly focus on using dynamic routing update policies to balance the load of attack flows and reduce their adverse effect on the network, and suffer from problems such as a poor overall defense effect.
Therefore, an embodiment of the present invention provides an autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers, which comprises: arranging, between the controller and the switches, a plurality of agent controllers that provide physical security protection for the controller; if a DDoS attack is detected by an agent controller while it forwards data packets between the controller and the switches, the controller is notified to start a switch migration mechanism, so that the network control plane changes dynamically as seen from the outside, and the abnormal switches are migrated by executing multiple rounds of switch migration, so that the normal switches and the abnormal switches are separated. The agent controllers added between the controller and the switches isolate the controller from the switches; after an agent controller detects a DDoS attack, the abnormal switches are separated from the normal switches by continuously migrating the connection relationships between the switches and the agent controllers, so that the attack flow is further isolated and the controller is protected.
In the passive mode, when an OpenFlow switch receives a data packet that matches no flow table rule, it encapsulates the packet in a packet-in message and sends it to the controller; the controller determines the specific forwarding policy and issues it to the switch in a packet-out message. This mode suits flow table entries that need fine-grained matching and adapts better to a dynamically adjusted network structure. Compared with the active mode, a switch in the passive mode only needs to maintain the flow table rules generated by actual traffic rather than all flow table rules, which better meets the needs of practical network applications and suits the dynamic forwarding process of data packets. Further, in the embodiment of the present invention, when the OpenFlow switch receives a data packet that matches no flow table rule, the packet is encapsulated in a packet-in message and sent to the controller; the application layer agent controller determines whether the switch is an abnormal switch performing a DDoS attack on the controller by inspecting the packet-in data stream from the switch, and if the switch is judged abnormal, the controller migrates it to the isolation layer agent controller. As shown in FIG. 2, in the DDoS attack model against an SDN controller, an attacker forges a large number of flows that the switch cannot match and sends them to switch A; because switch A cannot look up forwarding rules for these flows, it sends a large number of packet-in frames to the controller, and its flow requests consume a large amount of the controller's performance resources, so that a normal user's flow table request issued through switch B receives no response. The attack has the characteristics of a conventional DDoS attack, that is, the corresponding functions of a network node are destroyed so that the network cannot provide services normally.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers in the embodiment of the present invention, further, the agent controllers comprise an application layer agent controller, which forwards data packets between the controller and the switches and performs anomaly detection on the switches' data flows, and an isolation layer agent controller, which isolates abnormal switches.
The dynamic defense architecture against DDoS attacks on the OpenFlow controller is shown in FIG. 3. Agent controllers are introduced in the control layer, and each agent controller is classed as either an application layer agent controller or an isolation layer agent controller. The application layer agent controller is responsible for forwarding data packets between the controller and the switches and inspects the packet-in data streams from the switches with a preset detection engine. Once a potential attacker launches a DDoS attack against the controller, the Sibson entropy of the packet-in messages sent to the controller becomes abnormal; once the detection engine on the agent controller finds that the Sibson entropy of the packet-in data stream is abnormal, a DDoS attack against the controller is considered to have started and the system enters the attacked state. The controller then starts the migration mechanism to migrate the suspicious switches to the isolation layer agent controllers, identifies the abnormal switches through continuous migration, and migrates the switches determined to be non-malicious back to the application layer agent controllers.
As the autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers in the embodiment of the present invention, further, DDoS attack detection engines are preset on both the application layer agent controller and the isolation layer agent controller; the application layer agent controller performs anomaly detection on the data streams from the switches through its detection engine to determine the abnormal switches, and the isolation layer agent controller isolates the identified abnormal switches through its detection engine and breaks their attack chain.
The agent controllers are divided into an application layer and an isolation layer; this is not a physical partition but only a logical and functional one. The agent controller hierarchy is shown in FIG. 4. The application layer agent controllers are responsible for relaying information between the controller and the switches and for the DDoS attack detection result. The isolation layer agent controllers are responsible for isolating the identified abnormal switches; since the agent controllers at this layer do not forward data packets, no switch is connected to them. DDoS attack detection engines are preset on both the application layer and the isolation layer agent controllers.
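The detection engine above is described only as "the Sibson entropy of the packet-in stream becomes abnormal", with no formula given. What follows is an added example, not code from the patent, of the same idea with Shannon entropy standing in for Sibson entropy: packet-in messages are grouped per switch, the entropy of their source addresses within a window is normalised by its maximum, and a switch whose packet-ins carry almost entirely distinct sources (what forged flows that match no rule look like to the controller) is reported as suspicious. The record layout, the window contents, the threshold and the minimum window size are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# A packet-in record reduced to what the detector needs: (switch id, source IP).
# Constructed for this example; a real engine would take them from the
# controller's OpenFlow packet-in handler.
PacketIn = Tuple[str, str]

# Constructed window: switch-A emits 16 packet-ins from 16 distinct sources,
# which is what forged flows matching no flow rule look like; switch-B emits
# 16 packet-ins from three recurring sources, i.e. ordinary new connections.
WINDOW: List[PacketIn] = (
    [("switch-A", f"203.0.113.{i}") for i in range(1, 17)]
    + [("switch-B", "192.0.2.10")] * 8
    + [("switch-B", "192.0.2.11")] * 4
    + [("switch-B", "192.0.2.12")] * 4
)


def shannon_entropy(counts: Iterable[int]) -> float:
    """H = -sum p log2 p over the source-address histogram of one switch."""
    counts = [c for c in counts if c > 0]
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts)


def normalised_entropy(counts: Iterable[int]) -> float:
    """Entropy divided by its maximum log2(window size), so a threshold does
    not depend on how many packet-ins the window happens to hold."""
    counts = list(counts)
    n = sum(counts)
    if n <= 1:
        return 0.0
    return shannon_entropy(counts) / math.log2(n)


def entropy_per_switch(window: List[PacketIn]) -> Dict[str, float]:
    """Normalised source-address entropy of the packet-ins of each switch."""
    by_switch: Dict[str, Counter] = defaultdict(Counter)
    for switch, src in window:
        by_switch[switch][src] += 1
    return {sw: normalised_entropy(hist.values()) for sw, hist in by_switch.items()}


def suspicious_switches(window: List[PacketIn], threshold: float = 0.9,
                        min_packets: int = 8) -> List[str]:
    """Switches whose packet-in sources in the window are almost all distinct.
    Windows with fewer than min_packets packet-ins are ignored (assumed guard
    against flagging a switch on a handful of messages)."""
    volume = Counter(switch for switch, _ in window)
    entropy = entropy_per_switch(window)
    return sorted(sw for sw, h in entropy.items()
                  if volume[sw] >= min_packets and h >= threshold)


if __name__ == "__main__":
    for sw, h in sorted(entropy_per_switch(WINDOW).items()):
        print(f"{sw}: normalised packet-in source entropy = {h:.3f}")
    print("suspicious:", suspicious_switches(WINDOW))
```

The normalisation matters in practice: raw entropy grows with the window size, so a fixed raw threshold would flag busy switches and miss quiet ones. The minimum-volume guard keeps a switch that sends only a few, all-distinct packet-ins from being treated as an attacker.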
As an autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers in an embodiment of the present invention, further, assuming that the number of abnormal switches among the switches connected under an agent controller in the network is known, N switches are connected under the agent controller that detected the attack, comprising $N_a$ abnormal switches and $N_m$ normal switches, $N = N_a + N_m$; after detecting the attack, the controller allocates the N switches to X new agent controllers, with $N_j$ switches on the jth agent controller; after one round of connection migration, the number of normal switches still connected under the same agent controller as an abnormal switch is $N_{ma}$, and the number of normal switches not connected under the same agent controller as any abnormal switch is $N_{mn}$, $N_m = N_{ma} + N_{mn}$; by executing multiple rounds of switch migration, the number $N_{mn}$ of normal switches not sharing an agent controller with an abnormal switch is made as large as possible.
As long as the abnormal switches can be separated from the normal switches, the defense effect is equivalent whether each abnormal switch is connected to its own agent controller or all abnormal switches are connected to the same agent controller, and the attack continues uninterrupted throughout the migration of switches between agent controllers. In the initial case the number of abnormal switches is known, and the abnormal switches are a small minority of the switches connected under the agent controllers in an actual network. The centralized control and dynamic management characteristics of an SDN network are beneficial to implementing agent controller migration, the principle of which is shown in FIG. 5, where 7 switches are shown and switches 3 and 5 are the potential abnormal switches. When the abnormal switches launch a DDoS attack, agent controllers 1 and 2 enter the attacked state; the controller starts the migration mechanism and dispatches agent controllers 1, 2 and 3 to serve the switches. After one round of dispatch, switches 1 and 2 are forwarded by agent controller 1, switches 3 and 4 by agent controller 2, and switches 5, 6 and 7 by agent controller 3. At this time agent controller 1 is connected only to switches 1 and 2 and is in the unattacked state, agent controller 2 is connected to switches 3 and 4, and agent controller 3 is connected to switches 5, 6 and 7. Agent controllers 2 and 3 are now in the attacked state, from which it can be determined that switches 3 and 5 are the abnormal switches.
All the agent controllers in the defense architecture have the same operation mechanism, and the migration of the switch among the agent controllers can be quickly realized through simple stream redirection.
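The multi-round procedure from the summary (compare K with $N_r$, migrate one-to-one or $N_r/K$ per isolation proxy, clear the proxies that do not alarm, repeat until $N_r = N_a$) and the FIG. 5 walk-through above can be simulated in a few dozen lines. The following is an added example written for this page, not the patent's own code. It assumes that an isolation-layer proxy alarms exactly when at least one abnormal switch is connected to it (the text says the alarm does not depend on how many), that $N_a$ is known as the patent assumes, that the even distribution hands the remainder to the last proxies (which reproduces the {1,2}, {3,4}, {5,6,7} grouping of FIG. 5), and that a round in which every proxy alarms is followed by a deterministic reshuffle so the next grouping differs.

```python
import random
from typing import Dict, List, Set, Tuple

# One round of the procedure: proxy index -> (switches placed on it, alarmed?)
Round = Dict[int, Tuple[List[int], bool]]


def proxy_alarms(switches: List[int], abnormal: Set[int]) -> bool:
    """Stand-in for the detection engine on an isolation-layer agent controller:
    the proxy enters the attacked state if any abnormal switch is connected to
    it; how many abnormal switches there are does not change the alarm."""
    return any(sw in abnormal for sw in switches)


def distribute(switches: List[int], k: int) -> Dict[int, List[int]]:
    """Even distribution of the N_r suspicious switches over k proxies: each
    proxy gets N_r // k switches in order and the remainder goes to the last
    proxies, so 7 switches on 3 proxies become {1,2}, {3,4}, {5,6,7} as in the
    FIG. 5 walk-through (assumed tie-break, not stated in the text)."""
    base, extra = divmod(len(switches), k)
    buckets: Dict[int, List[int]] = {}
    start = 0
    for j in range(k):
        size = base + (1 if j >= k - extra else 0)
        buckets[j] = switches[start:start + size]
        start += size
    return buckets


def isolate_abnormal(suspicious: List[int], k: int, abnormal: Set[int],
                     n_a: int, max_rounds: int = 64) -> Tuple[Set[int], List[Round]]:
    """Multi-round migration. Each round: if K >= N_r the suspicious switches go
    one-to-one onto the isolation proxies, otherwise N_r / K per proxy; switches
    on proxies that did not alarm are cleared (migrated back to the application
    layer), the rest stay suspicious. Stops when N_r == N_a, the patent's
    stopping condition (N_a assumed known). Returns the identified abnormal
    switches and the per-round assignments."""
    rng = random.Random(0)   # deterministic reshuffle when a round makes no progress
    history: List[Round] = []
    suspicious = list(suspicious)
    for _ in range(max_rounds):
        if not suspicious:
            raise ValueError("no suspicious switches left but N_r != N_a")
        n_r = len(suspicious)
        buckets = distribute(suspicious, n_r if k >= n_r else k)
        this_round: Round = {j: (grp, proxy_alarms(grp, abnormal))
                             for j, grp in buckets.items()}
        history.append(this_round)
        still = [sw for grp, alarmed in this_round.values() if alarmed for sw in grp]
        if len(still) == n_a:
            return set(still), history
        if len(still) == n_r:
            # Every proxy alarmed, so this grouping told us nothing; regroup.
            rng.shuffle(still)
        suspicious = still
    raise RuntimeError("suspicious set did not shrink to N_a within max_rounds")


if __name__ == "__main__":
    # Constructed scenario matching FIG. 5: seven switches, 3 and 5 abnormal,
    # three isolation-layer agent controllers available.
    found, rounds = isolate_abnormal([1, 2, 3, 4, 5, 6, 7], k=3, abnormal={3, 5}, n_a=2)
    for i, rnd in enumerate(rounds, 1):
        print(f"round {i}:", {j: (grp, "ALARM" if a else "clear") for j, (grp, a) in rnd.items()})
    print("identified abnormal switches:", sorted(found))
```

On the FIG. 5 input the first round reproduces the text exactly (proxy 1 clear, proxies 2 and 3 alarmed); the simulation then needs two further rounds to pin the alarms to switches 3 and 5, because an alarm on a proxy holding several switches does not by itself say which of them is abnormal.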
As an autonomous filtering and dynamic defense method for DDoS attacks based on agent controllers in the embodiment of the present invention, further, a migration model is used to execute switch migration, where the migration model is expressed as $\max E(N_{mn})$,
Figure BDA0002627927730000061
Figure BDA0002627927730000062
where $p_j$ is the probability that the jth agent controller is not under attack.
The purpose of the defense is to make the number $N_{mn}$ of normal switches not connected under the same agent controller as an abnormal switch as large as possible. Let the probability that the jth agent controller is not attacked be $p_j$; then
Figure BDA0002627927730000063
The expected number of normal switches on a single agent controller that are not affected by an abnormal switch after one round of migration is
$E(N_j) = N_j p_j$ (2)
The expected number of normal switches on the X agent controllers that are not affected by an abnormal switch is
Figure BDA0002627927730000064
The defense goal is to maximize $E(N_{mn})$, i.e.
Figure BDA0002627927730000065
The model as known,
Figure BDA0002627927730000066
is an NP-hard problem with high computational complexity, which cannot be solved in a short time with existing computing power.
The model is simplified by treating $E(N_j)$ as
Figure BDA0002627927730000067
which expands to the approximation
Figure BDA0002627927730000068
As a DDoS attack autonomous filtering and dynamic defense method based on agent controllers in the embodiment of the present invention, the migration model is further rewritten using Stirling's approximation as:
Figure BDA0002627927730000071
by determining the number of switches $N_j$ on the jth agent controller so that the number of normal switches $N_m$ after one round of migration is maximized, separation of the abnormal switches from the normal switches is achieved, where $N_a$ is the number of abnormal switches and X is the number of new agent controllers to which the switches connected under the agent controller that detected the attack are redistributed.
Stirling's approximation is:
Figure BDA0002627927730000072
Substituting and simplifying gives
Figure BDA0002627927730000073
Since $N > N_a$, and in practice $N > N_j$, the above formula can be approximated as
Figure BDA0002627927730000074
which yields
Figure BDA0002627927730000075
When an agent controller is attacked by DDoS, the attack detection engine deployed on it sends alarm information. This alarm is independent of the number of abnormal switches connected to the agent controller, i.e. one abnormal switch has the same attack effect as several. In summary, the problem becomes how to determine the allocation policy $N_j$ so that $N_m$ is maximized after one round of migration, separating the abnormal switches from the normal switches.
The controller migrates the suspicious switches to the isolation layer agent controllers, which reduces the impact on the application layer agent controllers during migration and improves detection efficiency. The agent controllers in the isolation layer isolate the identified abnormal switches to break the attack chain, while the controller migrates the remaining switches identified as non-malicious back to the application layer proxy controllers, where they continue to perform normal network functions.
The conventional average distribution method is simple to operate and easy to implement: at run time only the number $K$ of agent controllers and the number $N_r$ of suspicious switches need to be known. However, it does not consider the effect of the attack strength (the number of abnormal switches $N_a$) on the final number of migrations, which prevents the abnormal switches from being quickly separated from the normal switches. The autonomous filtering and dynamic defense method for DDoS attacks based on the agent controller in the embodiment of the invention therefore solves the migration model on the basis of the average distribution method: it sets the number $K$ of isolation agent controllers and the number $N_r$ of suspicious switches, takes into account the influence of the number of abnormal switches $N_a$ on the final number of migrations, and introduces the boundary condition $N_r \ge N_a$ so as to separate the abnormal switches from the normal switches.
To solve the above problem, the embodiment of the present invention introduces a boundary condition into the conventional average allocation method so that the migration mechanism can identify the abnormal switches and separate them from the normal switches more quickly. In practice $N_r \ge N_a$ holds. The controller determines the scheme for each migration according to the actual number of suspicious switches $N_r$, the number of isolation layer agent controllers $K$, and the number of abnormal switches $N_a$. After each round of migration,
if $N_r > N_a$, the normal switches have not yet been separated from the abnormal switches;
if $N_r = N_a$, no normal switch remains under the currently attacked proxy controllers, and the normal and abnormal switches are completely separated.
As an autonomous filtering and dynamic defense method for DDoS attacks based on an agent controller in the embodiment of the present invention, further, referring to the dynamic defense process for DDoS attacks in an SDN network shown in fig. 6, the method may be specifically described as follows: when an application layer agent controller detects an attack, it sends the suspicious switch information and their number $N_r$ to the controller; the controller judges whether the number $K$ of isolation layer agent controllers is greater than the number $N_r$ of suspicious switches. If so, the suspicious switches are migrated one to one onto the corresponding number of isolation layer agent controllers, which perform detection and send the abnormal switch information to the controller; the controller then migrates the remaining normal switches among the suspicious switches back to the application layer agent controllers and migrates the identified abnormal switches to the isolation layer agent controllers. Otherwise, the $N_r$ suspicious switches are distributed over the $K$ isolation layer agent controllers, which detect and judge the abnormal switch information and feed it back to the controller; the controller migrates the non-malicious switches back to the application layer proxy controllers, updates the number of suspicious switches $N_r$, and judges whether the current $N_r$ equals the number of abnormal switches $N_a$. If they are not equal, it returns to judging whether $K$ is greater than $N_r$ and executes again; if they are equal, the identified abnormal switches are migrated to the isolation layer agent controllers.
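The migration loop described above (and restated in claim 1 below) can be simulated to see how many rounds and switch moves the separation takes for a given $K$ and $N_a$. The following Python script is an added example written for this page; it is not code from the patent or from its Floodlight/Mininet experimental platform. The integer switch identifiers, the abnormal set, and the names `run_migration`, `allocate` and `MigrationResult` are constructed for illustration. It models the page's rule that an isolation layer agent controller raises a single alarm whenever at least one attached switch is abnormal, regardless of how many, and stops when the number of remaining suspicious switches $N_r$ equals $N_a$, which the page assumes to be known (estimated by MLE in the experiments).

```python
"""Simulation of the multi-round switch migration loop (added example, not the patent's code).

Assumptions constructed for this example:
  * switches are integers; `abnormal` is the set that actually attacks;
  * an isolation layer agent controller alarms if ANY attached switch is abnormal,
    so every switch on an alarming controller stays suspicious (page: one abnormal
    switch has the same alarm effect as several);
  * N_a is known, as the page assumes (in the experiments it is estimated by MLE).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MigrationResult:
    rounds: int               # rounds of isolation-layer detection performed
    moves: int                # total switch reassignments ordered by the controller
    isolated: frozenset       # switches finally left on isolation layer controllers
    restored: frozenset       # switches migrated back to application layer controllers


def allocate(ordered, k):
    """Allocation step from the page: one-to-one if K > N_r, otherwise spread the
    N_r suspicious switches evenly (round-robin) over the K isolation controllers.
    K == N_r falls into the even split and also yields one switch per controller."""
    n_r = len(ordered)
    if k > n_r:
        return [[s] for s in ordered]
    return [ordered[i::k] for i in range(k)]


def run_migration(suspicious, abnormal, k, max_rounds=100):
    """Run rounds of migration until N_r == N_a; returns a MigrationResult.

    Raises RuntimeError if no progress is made within max_rounds, which happens
    when K is so small that every isolation controller keeps receiving an
    abnormal switch (e.g. K == 1). The page's loop has no such guard.
    """
    suspicious = set(suspicious)
    abnormal = set(abnormal)
    if not abnormal <= suspicious:
        raise ValueError("abnormal switches must be among the suspicious switches")
    if k < 1:
        raise ValueError("at least one isolation layer agent controller is needed")
    n_a = len(abnormal)          # boundary condition N_r >= N_a holds throughout
    rounds = moves = 0
    restored = set()

    while len(suspicious) != n_a:
        if rounds >= max_rounds:
            raise RuntimeError("no separation after %d rounds; K too small" % max_rounds)
        # Rotate the ordering each round so that a repeated even split does not
        # regroup exactly the same switches together.
        ordered = sorted(suspicious)
        shift = rounds % len(ordered)
        ordered = ordered[shift:] + ordered[:shift]

        groups = allocate(ordered, k)
        moves += len(ordered)                 # migrate N_r switches to isolation layer

        still_suspicious = set()
        for group in groups:
            if any(s in abnormal for s in group):
                still_suspicious.update(group)  # controller alarmed: whole group stays
            else:
                restored.update(group)          # no alarm: migrate group back
                moves += len(group)
        suspicious = still_suspicious
        rounds += 1

    moves += n_a   # final move of identified abnormal switches to isolation controllers
    return MigrationResult(rounds, moves, frozenset(suspicious), frozenset(restored))


if __name__ == "__main__":
    # Constructed scenario: 12 suspicious switches, two of them abnormal, K = 4.
    result = run_migration(range(12), abnormal={3, 7}, k=4)
    print(result)
```

With 12 suspicious switches, two abnormal ones and $K = 4$, the first round splits the switches four ways, only the group holding both abnormal switches alarms, and the second round has $K > N_r$ so it resolves one to one; two rounds suffice. Lowering $K$ to 1 never separates anything, since the single isolation controller alarms in every round, which is why the guard exists.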
Further, based on the above network dynamic defense method, an embodiment of the present invention further provides an autonomous filtering and dynamic defense system for DDoS attacks based on a proxy controller, including: the agent controllers are arranged between the controller and the switch and used for carrying out physical safety protection on the controller; the agent controllers comprise an application layer agent controller and an isolation layer agent controller, wherein the application layer agent controller is used for forwarding data packets between the controller and the switch and performing exception detection on switch data flow, and the isolation layer agent controller is used for isolating an abnormal switch.
To verify the effectiveness of the technical scheme in the embodiment of the present application, the following further explanation is given in combination with specific experimental data:
the experiment adopts Floodlight 1.0 controller and OpenFlow 1.3 protocol version, and the data plane uses Mininet 2.2 platform for network simulation. The experiment platform adopts two virtual machines to construct a system, and each virtual machine is allocated with two CPUs and 2G memories. The whole network is erected in the virtual machine, the controller and the agent controller are arranged on one virtual machine, and the Mininet is arranged on the other virtual machine.
Assume that the number of abnormal switches $N_a$ is known; in practical applications this a priori information is not available. In the experiments, a Maximum Likelihood Estimation (MLE) method is used to estimate the most probable value of the number of abnormal switches $N_a$ probabilistically from the number of attacked proxy controllers and the number of switches connected under each proxy controller.
In the experiment, $N_a$ abnormal switches are randomly generated from the $N$ switches as attack sources, and the number of isolation layer agent controllers is fixed at 100. The simulation experiment is carried out using the two virtual machines. The total number of migrations in the defense process is recorded separately for the conventional average distribution method and the improved average distribution method, as shown in fig. 7. As can be seen from the figure, as the number of abnormal switches increases, the number of switch migrations increases roughly in step. Because the abnormal switches are randomly generated, they fall into different switch groups in each experiment, so the defense scenarios differ for different total numbers of switches and the number of migrations fluctuates; the curves may even show the number of migrations decreasing while the number of abnormal switches increases. In every case, the average allocation method provided in the embodiment of the present application performs fewer migrations than the conventional average allocation method that does not consider the number of abnormal switches, which indicates that the advantages of the defense mechanism provided herein are in line with the theoretical expectations.
In addition, comparing graph (a) with graph (b) in fig. 7 shows that doubling the total number of switches has little influence on the number of migrations and leaves the overall trend of the curve unchanged, indicating that the total number of switches has relatively little influence on the number of migrations (defense effect); comparing (c) with (d) leads to the same conclusion: when the number of abnormal switches and the number of agent controllers are constant, the number of migrations changes as the total number of switches increases, but the fluctuation is small. This further verifies that adding a proxy controller between the controller and the switches provides physical security protection for the controller. When an agent controller detects a DDoS attack, the controller runs the switch migration mechanism so that the SDN control plane presents a dynamically changing appearance to the outside. The controller executes multiple rounds of switch migration to finally separate the normal switches from the abnormal switches, improving the self-protection and self-purification capability of the SDN controller under DDoS attack.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the above, the embodiment of the present invention further provides a computer-readable storage medium device, on which a computer program executed by a processor is stored, the computer program being configured to execute the above method.
Based on the foregoing, an embodiment of the present invention further provides a server, including: one or more processors; a storage device to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the system as described above.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the system embodiment, and for the sake of brief description, reference may be made to the corresponding content in the system embodiment for the part where the device embodiment is not mentioned.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing system embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as exemplary only and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and system may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention or a part thereof which contributes to the prior art in essence can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the system according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (5)

1. A DDoS attack autonomous filtering and dynamic defense method based on an agent controller is characterized by comprising the following contents: arranging a plurality of agent controllers for carrying out physical security protection on the controllers between the controllers and the switch so as to isolate the controllers from the switch; if DDoS attack is detected in the process of forwarding the data packet between the controller and the switch by the agent controller, the agent controller informs the controller to operate a switch migration mechanism to enable a network control surface to present dynamic change to the outside, and the abnormal switch is migrated by executing multi-round switch migration to realize the separation of a normal switch and the abnormal switch;
the agent controllers comprise an application layer agent controller used for forwarding data packets between the controller and the switch and performing exception detection on the data flow of the switch and an isolation layer agent controller used for isolating the exception switch;
the abnormal switch number is known in the switch that connects under the agent control ware in setting up the network, is connected with N switches under the agent control ware that detects the attack, contains: n is a radical of a An exception switch and N m Normal switch, N = N a +N m (ii) a After detecting the attack, the controller assigns N switches to X new agent controllers, jthThe number of switches on the proxy controller is N j After one round of connection migration, the number of normal switches still connected with the abnormal switches under the same agent controller is N ma The number of normal switches not connected to the same proxy controller as the abnormal switches is N mn ,N m =N ma +N mn (ii) a The number N of normal switches which are not connected with the abnormal switches under the same agent controller by executing multi-round switch migration mn As large as possible;
the migration model was generated using the Stirling approximation equation, representing:
Figure FDA0003822283330000011
by determining the number of switches $N_j$ on the $j$-th proxy controller, the number $N_{mn}$ of normal switches not connected to the same agent controller as an abnormal switch after one round of migration is maximized so as to separate the abnormal switches from the normal switches, where $N_a$ is the number of abnormal switches and $X$ is the number of new agent controllers to which the controller redistributes the switches connected under the attacked agent controller;
solving the migration model based on an average distribution method: setting the number $K$ of isolation agent controllers and the number $N_r$ of suspicious switches, taking into account the influence of the number $N_a$ of abnormal switches on the final number of migrations, and introducing the boundary condition $N_r \ge N_a$ so as to separate the abnormal switches from the normal switches;
when the application layer agent controller detects the attack, suspicious switch information and the number $N_r$ are sent to the controller; the controller judges whether the number $K$ of isolation layer agent controllers is greater than the number $N_r$ of suspicious switches; if so, the suspicious switches are migrated one to one onto the corresponding number of isolation layer agent controllers, abnormal switches are detected and identified, and the identified abnormal switches are migrated to the isolation layer agent controllers; otherwise, $N_r/K$ suspicious switches are assigned to each of the $K$ isolation layer proxy controllers, abnormal switches are detected and identified, the number of suspicious switches $N_r$ is updated, and it is judged whether the current $N_r$ equals the number of abnormal switches $N_a$; if not, the judgment of whether $K$ is greater than the number $N_r$ of suspicious switches is performed again; if they are equal, the identified abnormal switches are migrated to the isolation layer agent controllers.
2. The autonomous filtering and dynamic defending method for DDoS attack based on the agent controller of claim 1, characterized in that a DDoS attack detection engine is preset on both the application layer agent controller and the isolation layer agent controller, the application layer agent controller performs anomaly detection on the data flow from the switch through the detection engine to determine an anomalous switch, and the isolation layer agent controller isolates the identified anomalous switch through the detection engine and destroys the attack chain thereof.
3. The autonomous filtering and dynamic defense method for DDoS attack based on the proxy controller as claimed in claim 1, wherein in a passive installation mode of a flow table rule of the SDN network based on an Openflow protocol, when an Openflow switch receives a data packet that cannot be matched with the flow table rule, the data packet is packed into a packet-in message and sent to the controller, the application layer proxy controller determines whether the switch is an abnormal switch for DDoS attack on the controller by detecting the packet-in data flow from the switch, and if the switch is determined to be abnormal, the controller migrates the abnormal switch to the isolation layer proxy controller.
4. The autonomous filtering and dynamic defense method for DDoS attacks based on a proxy controller according to claim 1, characterized in that the switch migration is performed using a migration model expressed as: $\max E(N_{mn})$,
Figure FDA0003822283330000021
Figure FDA0003822283330000022
where $p_j$ is the probability that the $j$-th agent controller is not under attack.
5. An autonomous filtering and dynamic defense system for DDoS attack based on a proxy controller is characterized by comprising: the agent controllers are arranged between the controller and the switch and used for carrying out physical safety protection on the controller; the agent controllers comprise an application layer agent controller used for forwarding data packets between the controller and the switch and performing exception detection on the data flow of the switch and an isolation layer agent controller used for isolating the exception switch; the method of claim 1 is adopted by a plurality of agent controllers, and after the agent controllers detect DDoS attacks, the connection relation between the switch and the agent controllers is continuously migrated through the isolation controllers and the switch, so that the abnormal switch is separated from the normal switch, and attack flow is isolated to protect the controllers.
CN202010802601.XA 2020-08-11 2020-08-11 Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attack based on agent controller Active CN111935152B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010802601.XA CN111935152B (en) 2020-08-11 2020-08-11 Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attack based on agent controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010802601.XA CN111935152B (en) 2020-08-11 2020-08-11 Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attack based on agent controller

Publications (2)

Publication Number Publication Date
CN111935152A CN111935152A (en) 2020-11-13
CN111935152B true CN111935152B (en) 2022-11-08

Family

ID=73310672

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010802601.XA Active CN111935152B (en) 2020-08-11 2020-08-11 Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attack based on agent controller

Country Status (1)

Country Link
CN (1) CN111935152B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357661A (en) * 2016-09-30 2017-01-25 中国人民解放军信息工程大学 Switch-rotation-based distributed denial of service attach defending method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
MOTAG: Moving Target Defense Against Internet Denial of Service Attacks; Quan Jia et al.; IEEE; 2013-10-24; main text, Sections III-IV *
武泽慧; 魏强; 任开磊; 王清贤. Dynamic defense method against DDoS attacks based on OpenFlow switch shuffling. Journal of Electronics & Information Technology. 2016 *
Research on network dynamic defense strategies and their effectiveness evaluation; 刘江; China Doctoral Dissertations Full-text Database (electronic journal); 2018-06-15; main text, Section 3.2.2.1 *
蔡佳晔; 张红旗; 高坤. Research on a DDoS attack detection method for OpenFlow networks based on Sibson distance. Application Research of Computers. 2017 *

Also Published As

Publication number Publication date
CN111935152A (en) 2020-11-13

Similar Documents

Publication Publication Date Title
Imran et al. Toward an optimal solution against denial of service attacks in software defined networks
Rahman et al. DDoS attacks detection and mitigation in SDN using machine learning
US8089871B2 (en) Method and apparatus for traffic control of dynamic denial of service attacks within a communications network
CN106027513B (en) Propagation characteristic analysis method of the computer virus under SDN mobile environment
Ha et al. Suspicious flow forwarding for multiple intrusion detection systems on software-defined networks
CN109714372B (en) Network safety system and processing method based on block chain
CN110099046B (en) Network hopping method and system of super-convergence server
Imran et al. Reducing the effects of DoS attacks in software defined networks using parallel flow installation
Ramprasath et al. Mitigation of malicious flooding in software defined networks using dynamic access control list
Xu et al. DDoS attack in software defined networks: a survey
Nagarathna et al. SLAMHHA: A supervised learning approach to mitigate host location hijacking attack on SDN controllers
Hong et al. Dynamic threshold for DDoS mitigation in SDN environment
Dang-Van et al. A multi-criteria based software defined networking system Architecture for DDoS-attack mitigation
Ubale et al. SRL: An TCP SYNFLOOD DDoS mitigation approach in software-defined networks
Kansal et al. DDoS attack isolation using moving target defense
CN112702347A (en) SDN-based intrusion detection technology
RU2576488C1 (en) METHOD OF CONSTRUCTING DATA NETWORKS WITH HIGH LEVEL OF SECURITY FROM DDoS ATTACKS
CN111935152B (en) Autonomous filtering and dynamic defense method and system for DDoS (distributed denial of service) attack based on agent controller
CN106357661B (en) A kind of distributed refusal service attack defending method based on interchanger rotation
Atli et al. Protecting SDN controller with per-flow buffering inside OpenFlow switches
Sanjeetha et al. Mitigation of controller induced DDoS attack on primary server in high traffic scenarios of software defined networks
AGR et al. Mitigating DDoS flooding attacks with dynamic path identifiers in wireless network
Manu et al. Intrusion tolerant architecture for SDN networks through flow monitoring
Somasundaram DDOS Mitigation In Cloud Computing Environment By Dynamic Resource Scaling With Elastic Load Balancing
Wu et al. On an integrated security framework for defense against various DDoS attacks in SDN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant