CN112134894A - Moving target defense method for DDoS attack - Google Patents

Moving target defense method for DDoS attack

Info

Publication number
CN112134894A
Authority
CN
China
Prior art keywords
address
sdn controller
switch
data packet
ddos attack
Legal status
Pending
Application number
CN202011026007.2A
Other languages
Chinese (zh)
Inventor
缪祥华
方绍敏
袁梅宇
Current Assignee
Kunming University of Science and Technology
Original Assignee
Kunming University of Science and Technology
Priority date
2020-09-25
Filing date
2020-09-25
Publication date
2020-12-25
Application filed by Kunming University of Science and Technology
Priority to CN202011026007.2A
Publication of CN112134894A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention relates to a moving target defense method for DDoS attack, belonging to the technical field of network information security. A DDoS defense method based on address hopping in an SDN environment is provided. A DDoS detection method based on information entropy analyzes the packet information sent to the SDN controller and judges whether a DDoS attack is under way from the change in randomness of packet destination addresses between a normal network environment and a DDoS attack network environment. The SDN controller filters malicious flows by issuing flow tables, selects virtual IP addresses and ports from a random address port table for communication, and thereby achieves server address hopping to evade the DDoS attack. Experiments show that the method not only detects DDoS attacks quickly but also effectively mitigates the impact caused by them.

Description

Moving target defense method for DDoS attack
Technical Field
The invention relates to a moving target defense method for DDoS (distributed denial of service) attack, in particular to an SDN (software defined network) moving target defense method for DDoS attack, belonging to the technical field of network information security.
Background
Moving target defense (MTD) is a revolutionary network security technology that has appeared in recent years. It is an active defense technology that raises the difficulty and cost of an attack through diverse and dynamically changing construction and deployment mechanisms and strategies; among these, end address hopping is a main research direction in moving target defense and has received more and more attention from researchers. Software Defined Networking (SDN) is a disruptive innovation over conventional network technology, and its greatest characteristic is the decoupling of the data forwarding layer from the control layer. Distributed Denial of Service (DDoS) attacks are simple to launch and highly harmful, and because of the characteristics of the SDN architecture they are fatal to an SDN network. Therefore, how to detect DDoS attacks accurately and effectively and defend against them actively is a key research direction for SDN security.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a moving target defense method for DDoS attack.
The technical scheme adopted by the invention is as follows: a moving target defense method for DDoS attack comprises the following steps:
(1) constructing a network system consisting of a controller, a plurality of OpenFlow switches, a plurality of clients and a plurality of servers;
(2) deploying an end address hopping module and a DDoS attack detection module on the SDN controller, each server being connected to the network through an OpenFlow switch;
(3) the DDoS attack detection module is deployed on the SDN controller; when each new network data flow passes through an ingress switch in the SDN environment, Packet-in messages are sent up to the controller for route calculation; the packet information sent to the SDN controller is analyzed, and the entropy value of the packet destination IP addresses is evaluated to judge whether an attack is occurring, so that a DDoS attack is rapidly detected from the change in randomness of packet destination addresses between the normal network environment and the DDoS attack network environment;
(4) when the DDoS attack detection module detects an attack, it issues a blocking flow table to the switch where the DDoS attack detection module is located, keyed on the destination IP address of the packets, to filter the attack flow, and at the same time adds the IP address to a blacklist; the controller sends a new flow table entry to the OpenFlow switch to which the attacked server is connected, so that address hopping is carried out on the attacked server to evade the DDoS attack;
(5) the end address hopping module is deployed on the SDN controller, and each OpenFlow switch hop that the communication data flow passes through randomly modifies the source and destination IP addresses and the source and destination ports in the packet according to the matched random address port table. During communication between two hosts, the end address hopping process is as follows:
1) host A reaches host B through switch 1, switch 2 and switch 3, with source IP rIPa, source port rPORTa, destination IP rIPb and destination port rPORTb;
2) on reaching switch 1, a Packet-in message is sent from switch 1 to the SDN controller; the SDN controller judges whether the destination address is directly connected to the current switch and receives a false result, i.e. the destination address is not directly connected to the current switch; the SDN controller issues a flow table entry according to the random address port table generated for the current time slot and outputs it to the switch, which modifies the source IP to vIP1, the source port to vPORT1, the destination IP to vIP2 and the destination port to vPORT2, and forwards the packet to the next hop;
3) the packet is transmitted to switch 2, a Packet-in message is sent from switch 2 to the SDN controller, the SDN controller judges whether the destination address is directly connected to the current switch and receives a false result, i.e. the destination address is not directly connected to the current switch; the SDN controller issues a flow table entry according to the random address port table generated for the current time slot, which modifies the source IP to vIP3, the source port to vPORT3, the destination IP to vIP4 and the destination port to vPORT4, and forwards the packet to the next hop;
4) the packet is transmitted to switch 3, a Packet-in message is sent from switch 3 to the SDN controller, the SDN controller judges whether the destination address is directly connected to the current switch and receives a true result; the SDN controller sends a Packet-out message to switch 3, which restores the source IP to rIPa, the source port to rPORTa, the destination IP to rIPb and the destination port to rPORTb; communication is completed, and the SDN controller deletes the flow entry when the connection ends.
Specifically, the analysis in step (3) is as follows: the DDoS attack is detected using an information entropy value based on an exponentially weighted moving average (EWMA) algorithm. The EWMA algorithm is a method for determining a predicted value: different weights are given to the observed values, a moving average is computed from these weights, and the predicted value at the next moment is obtained from the final moving average. The weighting coefficient of each value decreases exponentially with time, so values closer to the current time carry larger weights. The calculation formula is as follows:
Formula (1) (image BDA0002702126650000031, not reproduced in the text)
θ_t can be understood as the predicted entropy value of the packets at time t, and f_t may be understood as the predicted entropy value of the packets at time t. β is a smoothing coefficient which indicates how fast the weights decay.
Specifically, the analysis in step (3) further includes: when a DDoS attack occurs in an SDN network, a large number of packets that the switch cannot match appear in the network in a short time, so the switch sends a large number of Packet-in messages to the SDN controller, and the randomness of access across the whole network also changes. The packet information sent to the controller is analyzed as follows: a window size is set, the Packet-in messages arriving at the controller are counted, and once the preset window value is reached the destination IP addresses in the packets are analyzed and the information entropy of the destination IPs of the packets in the window is calculated. The moving weighted average entropy of the latest normal windows is calculated as the threshold for the next window. If the entropy value of a window is lower than the predicted threshold for that window, the window is marked as abnormal and the number of abnormal windows is counted; if 3 consecutive windows are marked abnormal, the controller is judged to be under DDoS attack.
Specifically, in the analysis in step (5), the address hopping module changes the random address port table generated by the SDN controller according to a random IP address generation algorithm and a random port generation algorithm.
The random IP address generation algorithm is as follows:
IP = Hash(Timestamp)_16 | Hash(Nonce)_16 (2)
where Timestamp is the timestamp and Nonce is the random number; Hash(Timestamp)_16 denotes the first 16 bits of the hash of the timestamp, Hash(Nonce)_16 denotes the last 16 bits of the hash of the random number, and the two together form the random IP address.
The random port generation algorithm is as follows:
PORT = Hash(Timestamp | Nonce)_16 (3)
where Hash(Timestamp | Nonce)_16 denotes the first 16 bits of the hash of the timestamp and the random number, which is taken as the random port. The Timestamp and the random number Nonce are randomly generated by the SDN controller.
The invention has the following beneficial effects: the end address hopping module hides the real IP address and port number of the server itself and effectively prevents network scanning and reconnaissance attacks; the server end address hopping function is realized by the OpenFlow switch, is transparent to the server, avoids the load that implementing end address hopping on the server would cause, and provides the server with a security service defending against DDoS attacks without modifying the server's software or hardware. The random address port table generated by the SDN controller produces random IP addresses and random ports using the random IP address hopping algorithm and the random port hopping algorithm, which makes it more difficult for an attacker to monitor and intercept data streams and better protects the security of network communication data.
The DDoS attack detection method using information entropy can quickly and effectively judge from the randomness of packet destination addresses whether a DDoS attack is under way, and thus provides detection and alarm for DDoS attacks.
Drawings
Fig. 1 is an overall flowchart of the SDN moving target defense method for DDoS attack disclosed by the present invention;
Fig. 2 is a flow chart of packet processing;
Fig. 3 is a DDoS attack detection flow diagram;
Fig. 4 is a diagram illustrating address hopping;
Fig. 5 is an end address hopping network architecture diagram for DDoS attack detection based on information entropy.
Detailed Description
The invention is further described with reference to the following figures and specific examples.
Example 1: as shown in figs. 1 to 5, the moving target defense method for DDoS attack provided by the present invention includes the following steps:
(1) constructing a network system consisting of a controller, a plurality of OpenFlow switches, a plurality of clients and a plurality of servers;
(2) deploying an end address hopping module and a DDoS attack detection module on the SDN controller, each server being connected to the network through an OpenFlow switch;
(3) the DDoS attack detection module is deployed on the SDN controller; when each new network data flow passes through an ingress switch in the SDN environment, Packet-in messages are sent up to the controller for route calculation; the packet information sent to the SDN controller is analyzed, and the entropy value of the packet destination IP addresses is evaluated to judge whether an attack is occurring, so that a DDoS attack is rapidly detected from the change in randomness of packet destination addresses between the normal network environment and the DDoS attack network environment;
(4) when the DDoS attack detection module detects an attack, it issues a blocking flow table to the switch where the DDoS attack detection module is located, keyed on the destination IP address of the packets, to filter the attack flow, and at the same time adds the IP address to a blacklist; the controller sends a new flow table entry to the OpenFlow switch to which the attacked server is connected, so that address hopping is carried out on the attacked server to evade the DDoS attack;
(5) the end address hopping module is deployed on the SDN controller, and each OpenFlow switch hop that the communication data flow passes through randomly modifies the source and destination IP addresses and the source and destination ports in the packet according to the matched random address port table. During communication between two hosts, the end address hopping process is as follows:
1) host A reaches host B through switch 1, switch 2 and switch 3, with source IP rIPa, source port rPORTa, destination IP rIPb and destination port rPORTb;
2) on reaching switch 1, a Packet-in message is sent from switch 1 to the SDN controller; the SDN controller judges whether the destination address is directly connected to the current switch and receives a false result, i.e. the destination address is not directly connected to the current switch; the SDN controller issues a flow table entry according to the random address port table generated for the current time slot and outputs it to the switch, which modifies the source IP to vIP1, the source port to vPORT1, the destination IP to vIP2 and the destination port to vPORT2, and forwards the packet to the next hop;
3) the packet is transmitted to switch 2, a Packet-in message is sent from switch 2 to the SDN controller, the SDN controller judges whether the destination address is directly connected to the current switch and receives a false result, i.e. the destination address is not directly connected to the current switch; the SDN controller issues a flow table entry according to the random address port table generated for the current time slot, which modifies the source IP to vIP3, the source port to vPORT3, the destination IP to vIP4 and the destination port to vPORT4, and forwards the packet to the next hop;
4) the packet is transmitted to switch 3, a Packet-in message is sent from switch 3 to the SDN controller, the SDN controller judges whether the destination address is directly connected to the current switch and receives a true result; the SDN controller sends a Packet-out message to switch 3, which restores the source IP to rIPa, the source port to rPORTa, the destination IP to rIPb and the destination port to rPORTb; communication is completed, and the SDN controller deletes the flow entry when the connection ends.
Further, the analysis in step (3) is as follows: the DDoS attack is detected using an information entropy value based on an exponentially weighted moving average (EWMA) algorithm. The EWMA algorithm is a method for determining a predicted value: different weights are given to the observed values, a moving average is computed from these weights, and the predicted value at the next moment is obtained from the final moving average. The weighting coefficient of each value decreases exponentially with time, so values closer to the current time carry larger weights. The calculation formula is as follows:
Formula (1) (image BDA0002702126650000061, not reproduced in the text)
θ_t can be understood as the predicted entropy value of the packets at time t, and f_t may be understood as the predicted entropy value of the packets at time t. β is a smoothing coefficient which indicates how fast the weights decay.
Further, the analysis in step (3) includes: when a DDoS attack occurs in an SDN network, a large number of packets that the switch cannot match appear in the network in a short time, so the switch sends a large number of Packet-in messages to the SDN controller, and the randomness of access across the whole network also changes. The packet information sent to the controller is analyzed as follows: a window size is set, the Packet-in messages arriving at the controller are counted, and once the preset window value is reached the destination IP addresses in the packets are analyzed and the information entropy of the destination IPs of the packets in the window is calculated. The moving weighted average entropy of the latest normal windows is calculated as the threshold for the next window. If the entropy value of a window is lower than the predicted threshold for that window, the window is marked as abnormal and the number of abnormal windows is counted; if 3 consecutive windows are marked abnormal, the controller is judged to be under DDoS attack.
Further, in the analysis in step (5), the random address port table generated by the SDN controller is changed by the address hopping module according to a random IP address generation algorithm and a random port generation algorithm.
The random IP address generation algorithm is as follows:
IP = Hash(Timestamp)_16 | Hash(Nonce)_16 (2)
where Timestamp is the timestamp and Nonce is the random number; Hash(Timestamp)_16 denotes the first 16 bits of the hash of the timestamp, Hash(Nonce)_16 denotes the last 16 bits of the hash of the random number, and the two together form the random IP address.
The random port generation algorithm is as follows:
PORT = Hash(Timestamp | Nonce)_16 (3)
where Hash(Timestamp | Nonce)_16 denotes the first 16 bits of the hash of the timestamp and the random number, which is taken as the random port. The Timestamp and the random number Nonce are randomly generated by the SDN controller.
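The random address port table of equations (2) and (3) and the per-hop rewriting of step (5), as an added example that is not part of the patent. It assumes SHA-256 for the unnamed hash function, reads "|" in the equations as concatenation, places host B on the last switch of the path, and adds a collision and reserved-range check that the patent text does not describe; the topology and packet are constructed.

```python
import hashlib
import ipaddress
import secrets
import struct

# Added example (not the patent's code) of the random address port table from
# equations (2) and (3) and of the per-hop rewriting in step (5).
# Assumptions: SHA-256 stands in for the unnamed hash function, "|" is read as
# concatenation, the destination host hangs off the last switch on the path,
# and usable() is an added practitioner sanity check the patent does not describe.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def random_ip(timestamp: int, nonce: int) -> str:
    """Equation (2): IP = Hash(Timestamp)_16 | Hash(Nonce)_16, i.e. the first
    16 bits of the timestamp hash followed by the last 16 bits of the nonce hash."""
    hi = _h(struct.pack(">Q", timestamp))[:2]
    lo = _h(struct.pack(">Q", nonce))[-2:]
    return str(ipaddress.IPv4Address(hi + lo))

def random_port(timestamp: int, nonce: int) -> int:
    """Equation (3): PORT = Hash(Timestamp | Nonce)_16, the first 16 bits of the
    hash of the concatenated timestamp and nonce."""
    return int.from_bytes(_h(struct.pack(">QQ", timestamp, nonce))[:2], "big")

def usable(vip: str, vport: int, real_ips, used) -> bool:
    """Added sanity check: reject a virtual pair that collides with a real server
    address, repeats a pair already issued in this slot, lands in a reserved
    IPv4 range, or uses a privileged port."""
    addr = ipaddress.IPv4Address(vip)
    if addr.is_multicast or addr.is_reserved or addr.is_loopback or addr.is_unspecified:
        return False
    return vip not in real_ips and (vip, vport) not in used and vport >= 1024

def virtual_endpoint(timestamp, real_ips, used, rng=secrets.randbelow):
    """One (vIP, vPORT) pair for the current time slot; the controller draws a
    fresh nonce until the pair passes the sanity check."""
    while True:
        nonce = rng(1 << 64)
        vip, vport = random_ip(timestamp, nonce), random_port(timestamp, nonce)
        if usable(vip, vport, real_ips, used):
            used.add((vip, vport))
            return vip, vport

def build_slot_table(timestamp, path, real_ips):
    """Random address port table for one time slot: a virtual (src, dst) pair for
    every transit switch. The last switch is directly connected to the destination
    and restores the real addresses instead, so it gets no entry."""
    used, table = set(), {}
    for sw in path[:-1]:
        table[sw] = (virtual_endpoint(timestamp, real_ips, used),
                     virtual_endpoint(timestamp, real_ips, used))
    return table

def forward(packet, path, table):
    """Walk a packet hop by hop the way the issued flow entries rewrite it.
    Returns [(switch, packet as it leaves that switch), ...]."""
    real, trace = dict(packet), []
    for sw in path:
        if sw in table:
            # destination not attached here: rewrite the 4-tuple from the slot table
            (sip, sport), (dip, dport) = table[sw]
            packet = {"src_ip": sip, "src_port": sport, "dst_ip": dip, "dst_port": dport}
        else:
            # destination attached here: the Packet-out restores the real 4-tuple
            packet = dict(real)
        trace.append((sw, packet))
    return trace

# Constructed topology: host A -> switch 1 -> switch 2 -> switch 3 -> host B.
PATH = ["switch1", "switch2", "switch3"]
REAL_IPS = {"10.0.0.1", "10.0.0.2"}
PACKET = {"src_ip": "10.0.0.1", "src_port": 40000, "dst_ip": "10.0.0.2", "dst_port": 80}

if __name__ == "__main__":
    table = build_slot_table(1600000000, PATH, REAL_IPS)
    for sw, pkt in forward(PACKET, PATH, table):
        print(sw, pkt)
```

Because every transit switch gets its own pair from the slot table, an observer on the switch 1 to switch 2 link sees neither the real endpoints nor the pair used on the next link, which is the hiding effect the patent attributes to the hopping module.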
The following is illustrated by way of example with reference to the accompanying drawings:
As shown in fig. 5, a network system consisting of a controller, a plurality of OpenFlow switches, a plurality of clients and a plurality of servers is constructed. In step (2), the end address hopping module is deployed on the SDN controller. In the network communication process, after the OpenFlow switch shown in fig. 2 receives a data flow, it first determines whether a corresponding flow entry exists; if so, it performs the corresponding operation according to the instruction in the flow entry; if not, it must request the SDN controller to issue a corresponding flow entry, and at that point the switch encapsulates the packet header into a Packet-in message and sends it to the controller for processing. By analyzing the packet information sent to the SDN controller, the destination IP addresses of the packets are analyzed and their entropy value is calculated to determine whether an attack is occurring; a DDoS attack is thus rapidly detected from the change in randomness of packet destination addresses between the normal network environment and the DDoS attack network environment.
(1) Generally, when a DDoS attack occurs in an SDN network, a large number of packets that the switch cannot match appear in the network in a short time, and the switch then sends a large number of Packet-in messages to the SDN controller, occupying a large amount of network resources. At this time the randomness of access across the entire network also changes. Whether an attack is occurring is judged by counting the number of Packet-in messages reaching the controller and analyzing the destination IP addresses of the packets to calculate the entropy value. A window size is set, the Packet-in messages arriving at the controller are counted, and once the preset window value is reached the destination IP addresses in the packets are analyzed and the information entropy of the destination IPs of the packets in the window is calculated. The moving weighted average entropy of the latest normal windows is calculated as the threshold for the next window. If the entropy value of a window is lower than the predicted threshold for that window, the window is marked as abnormal and the number of abnormal windows is counted; if 3 consecutive windows are marked abnormal, the controller is judged to be under DDoS attack. The specific detection flow is shown in fig. 3.
(2) When the DDoS attack detection module detects an attack, it issues a blocking flow table to the switch where the DDoS attack detection module is located, keyed on the destination IP address of the packets, to filter the attack flow, and at the same time adds the IP address to a blacklist; the controller sends a new flow table entry to the OpenFlow switch to which the attacked server is connected. The address hopping module is deployed on the SDN controller, and each OpenFlow switch that the communication data flow passes through randomly modifies the source and destination IP addresses and the source and destination ports in the packet according to the matched random address port table, performing address hopping on the attacked server to evade the DDoS attack.
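The step (3) entropy detection described above, in both the disclosure and this detailed description, as an added example that is not the patent's own code. Since the formula (1) image is not reproduced on the page, it assumes the standard EWMA update θ_t = β·θ_{t-1} + (1 − β)·f_t with f_t the entropy of the window just completed, seeds θ with the first window, updates θ only on windows judged normal, and runs on a constructed Packet-in trace; most_common_dst is an added helper naming the destination IP that the blocking flow entry of step (4) would be keyed on.

```python
import math
from collections import Counter

# Added example (not the patent's code) of the step (3) detection logic.
# Assumptions: the EWMA update is theta_t = beta*theta_{t-1} + (1-beta)*f_t with
# f_t the entropy of the window just completed (the formula image is not
# reproduced on the page); theta is seeded with the first window's entropy;
# only windows judged normal update theta, as the text takes the average over
# the latest normal windows. Default parameters are chosen here, not by the patent.

def dst_ip_entropy(dst_ips):
    """Shannon entropy, in bits, of the destination IPs in one Packet-in window."""
    n = len(dst_ips)
    return -sum((c / n) * math.log2(c / n) for c in Counter(dst_ips).values())

def most_common_dst(dst_ips):
    """Destination IP that dominates a window: the address the blocking flow
    entry and the address hop of step (4) are keyed on (added helper)."""
    return Counter(dst_ips).most_common(1)[0][0]

class EntropyDetector:
    def __init__(self, window_size=8, beta=0.75, consecutive=3):
        self.window_size = window_size
        self.beta = beta                # smoothing coefficient of formula (1)
        self.consecutive = consecutive  # abnormal windows in a row before alarm
        self.theta = None               # predicted entropy = threshold for next window
        self.abnormal_run = 0
        self.window = []

    def observe(self, dst_ip):
        """Feed the destination IP of one Packet-in message. Returns None until a
        window fills, then 'normal', 'abnormal' or 'attack' for that window."""
        self.window.append(dst_ip)
        if len(self.window) < self.window_size:
            return None
        h = dst_ip_entropy(self.window)
        self.window = []
        return self._judge(h)

    def _judge(self, h):
        if self.theta is None:
            self.theta = h              # first window seeds the threshold
            return "normal"
        if h < self.theta:              # entropy below the predicted threshold
            self.abnormal_run += 1
            return "attack" if self.abnormal_run >= self.consecutive else "abnormal"
        self.abnormal_run = 0           # a normal window breaks the run
        self.theta = self.beta * self.theta + (1 - self.beta) * h
        return "normal"

def run(dst_ips, **kw):
    """Feed a whole Packet-in trace and return one verdict per completed window."""
    det = EntropyDetector(**kw)
    return [v for v in (det.observe(ip) for ip in dst_ips) if v is not None]

# Constructed Packet-in trace: ordinary traffic, then a flood aimed at 10.0.0.9.
NORMAL_A = [f"10.0.0.{i}" for i in range(1, 9)]                      # 8 distinct dst: 3.0 bits
NORMAL_B = ["10.0.0.1"] * 2 + [f"10.0.0.{i}" for i in range(2, 8)]  # one repeat: 2.75 bits
FLOOD = ["10.0.0.9"] * 7 + ["10.0.0.3"]                               # one victim: ~0.54 bits
TRACE = NORMAL_A + NORMAL_B + NORMAL_A + FLOOD * 3

if __name__ == "__main__":
    print(run(TRACE))
    # -> ['normal', 'abnormal', 'normal', 'abnormal', 'abnormal', 'attack']
    print(most_common_dst(FLOOD))   # -> 10.0.0.9
```

Note that the slightly less diverse NORMAL_B window is already marked abnormal under the text's strict "lower than the threshold" comparison; it is the 3-consecutive-window rule that keeps that single dip from raising an alarm, which is why the flood only triggers on its third window.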
While the present invention has been described in detail with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, and various changes can be made without departing from the spirit and scope of the present invention.

Claims (4)

1. A moving target defense method for DDoS attack, characterized in that the method comprises the following steps:
(1) constructing a network system consisting of an SDN controller, a plurality of OpenFlow switches, a plurality of clients and a plurality of servers;
(2) deploying an end address hopping module and a DDoS attack detection module on the SDN controller, each server being connected to the network through an OpenFlow switch;
(3) the DDoS attack detection module is deployed on the SDN controller; when each new network data flow passes through an ingress switch in the SDN environment, Packet-in messages are sent up to the controller for route calculation; the packet information sent to the SDN controller is analyzed, the destination IP addresses of the packets are analyzed and their entropy value is calculated to judge whether an attack is occurring, so that a DDoS attack is rapidly detected from the change in randomness of packet destination addresses between the normal network environment and the DDoS attack network environment;
(4) when the DDoS attack detection module detects an attack, it issues a blocking flow table to the switch where the DDoS attack detection module is located, keyed on the destination IP address of the packets, to filter the attack flow, and at the same time adds the IP address to a blacklist; the controller sends a new flow table entry to the OpenFlow switch to which the attacked server is connected and carries out address hopping on the attacked server to evade the DDoS attack;
(5) the address hopping module is deployed on the SDN controller, and each OpenFlow switch that the communication data flow passes through randomly modifies the source and destination IP addresses and the source and destination ports in the packet according to the matched random address port table; during communication between two hosts, the address hopping process is as follows:
1) host A reaches host B through switch 1, switch 2 and switch 3, with source IP rIPa, source port rPORTa, destination IP rIPb and destination port rPORTb;
2) on reaching switch 1, a Packet-in message is sent from switch 1 to the SDN controller; the SDN controller judges whether the destination address is directly connected to the current switch and receives a false result, i.e. the destination address is not directly connected to the current switch; the SDN controller issues a flow table entry according to the random address port table generated for the current time slot and outputs it to the switch, which modifies the source IP to vIP1, the source port to vPORT1, the destination IP to vIP2 and the destination port to vPORT2, and forwards the packet to the next hop;
3) the packet is transmitted to switch 2, a Packet-in message is sent from switch 2 to the SDN controller, the SDN controller judges whether the destination address is directly connected to the current switch and receives a false result, i.e. the destination address is not directly connected to the current switch; the SDN controller issues a flow table entry according to the random address port table generated for the current time slot, which modifies the source IP to vIP3, the source port to vPORT3, the destination IP to vIP4 and the destination port to vPORT4, and forwards the packet to the next hop;
4) the packet is transmitted to switch 3, a Packet-in message is sent from switch 3 to the SDN controller, the SDN controller judges whether the destination address is directly connected to the current switch and receives a true result; the SDN controller sends a Packet-out message to switch 3, which restores the source IP to rIPa, the source port to rPORTa, the destination IP to rIPb and the destination port to rPORTb; communication is completed, and the SDN controller deletes the flow entry when the connection ends.
2. The moving target defense method for DDoS attack according to claim 1, characterized in that the analysis in step (3) is as follows: the DDoS attack is detected using an information entropy value based on an exponentially weighted moving average (EWMA) algorithm; the EWMA algorithm is a method for determining a predicted value, in which different weights are given to the observed values, a moving average is computed from these weights, and the predicted value at the next moment is obtained from the final moving average; the weighting coefficient of each value decreases exponentially with time, so values closer to the current time carry larger weights; and the calculation formula is as follows:
Formula (1) (image FDA0002702126640000021, not reproduced in the text)
θ_t can be understood as the predicted entropy value of the packets at time t, f_t as the predicted entropy value of the packets at time t, and β is a smoothing coefficient representing the rate at which the weights decrease.
3. The moving target defense method for DDoS attack according to claim 1, characterized in that the analysis in step (3) is as follows: when a DDoS attack occurs in an SDN network, a large number of packets that the switch cannot match appear in the network in a short time, so the switch sends a large number of Packet-in messages to the SDN controller, and the randomness of access across the whole network also changes; the packet information sent to the controller is analyzed by setting a window size, counting the Packet-in messages arriving at the controller, and, once the preset window value is reached, analyzing the destination IP addresses in the packets and calculating the information entropy of the destination IPs of the packets in the window; the moving weighted average entropy of the latest normal windows is then calculated as the threshold for the next window; if the entropy value of a window is lower than the predicted threshold for that window, the window is marked as abnormal and the number of abnormal windows is counted, and if 3 consecutive windows are marked abnormal, the controller is determined to be under DDoS attack.
4. The moving target defense method for DDoS attack according to claim 1, characterized in that in the analysis in step (5) the address hopping module changes the random address port table generated by the SDN controller according to a random IP address generation algorithm and a random port generation algorithm:
the random IP address generation algorithm is as follows:
IP = Hash(Timestamp)_16 | Hash(Nonce)_16 (2)
where Timestamp is the timestamp and Nonce is the random number; Hash(Timestamp)_16 denotes the first 16 bits of the hash of the timestamp, Hash(Nonce)_16 denotes the last 16 bits of the hash of the random number, and the two together form the random IP address;
the random port generation algorithm is as follows:
PORT = Hash(Timestamp | Nonce)_16 (3)
where Hash(Timestamp | Nonce)_16 denotes the first 16 bits of the hash of the timestamp and the random number, which is taken as the random port, and the Timestamp and the random number Nonce are randomly generated by the SDN controller.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011026007.2A CN112134894A (en) 2020-09-25 2020-09-25 Moving target defense method for DDoS attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011026007.2A CN112134894A (en) 2020-09-25 2020-09-25 Moving target defense method for DDoS attack

Publications (1)

Publication Number Publication Date
CN112134894A true CN112134894A (en) 2020-12-25

Family

ID=73840234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011026007.2A Pending CN112134894A (en) 2020-09-25 2020-09-25 Moving target defense method for DDoS attack

Country Status (1)

Country Link
CN (1) CN112134894A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170318043A1 (en) * 2016-04-27 2017-11-02 Korea Advanced Institute Of Science And Technology Method for detecting network anomaly in distributed software defined networking environment, apparatus therefor, and computer program therefor
CN107483512A (en) * 2017-10-11 2017-12-15 安徽大学 SDN controllers DDoS detections and defence method based on temporal characteristics
CN109617931A (en) * 2019-02-20 2019-04-12 电子科技大学 A kind of the ddos attack defence method and system of defense of SDN controller

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张连成 (Zhang Liancheng) et al., "SDN network proactive defense technology based on path and end-address hopping", Journal of Computer Research and Development (《计算机研究与发展》) *
赵贝贝 (Zhao Beibei), "Improvement of an information-entropy-based DDoS attack detection method in an SDN environment", Modern Information Technology (《现代信息科技》) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112968880A (en) * 2021-02-01 2021-06-15 Inspur-Cisco Networking Technology Co., Ltd. (浪潮思科网络科技有限公司) SDN architecture-based permission control method and system
CN113225314A (en) * 2021-04-08 2021-08-06 Fujian Qidian Shikong Digital Technology Co., Ltd. (福建奇点时空数字科技有限公司) SDN network DoS resisting method based on port hopping MTD
CN113079171A (en) * 2021-04-13 2021-07-06 Fujian Qidian Shikong Digital Technology Co., Ltd. (福建奇点时空数字科技有限公司) SDN blind DDoS attack resisting method based on multi-controller migration
CN115065531B (en) * 2022-06-14 2023-09-08 Tianjin University of Technology (天津理工大学) SDN-based moving target defense method for IoT network sniffing attack
CN115065531A (en) * 2022-06-14 2022-09-16 Tianjin University of Technology (天津理工大学) SDN-based moving target defense method for IoT network sniffing attack
CN115225353A (en) * 2022-07-04 2022-10-21 Anhui University (安徽大学) Attack detection method considering both DoS/DDoS flooding and slow HTTP DoS
CN115225353B (en) * 2022-07-04 2024-05-03 Anhui University (安徽大学) Attack detection method considering both DoS/DDoS flooding and slow HTTP DoS
CN115189955A (en) * 2022-07-15 2022-10-14 China Telecom Co., Ltd. (中国电信股份有限公司) Data communication method, electronic device, and storage medium
CN115189955B (en) * 2022-07-15 2024-01-30 China Telecom Co., Ltd. (中国电信股份有限公司) Data communication method, electronic device, and storage medium
CN115664740A (en) * 2022-10-17 2023-01-31 University of Jinan (济南大学) Method and system for defending against data packet forwarding attack based on programmable data plane
CN116232777A (en) * 2023-05-10 2023-06-06 Beijing Jiaotong University (北京交通大学) DDoS attack detection and defense method based on statistical measure in SDN-IIoT and related equipment
CN116232777B (en) * 2023-05-10 2023-07-18 Beijing Jiaotong University (北京交通大学) DDoS attack detection and defense method based on statistical measure in SDN-IIoT and related equipment
CN117118738A (en) * 2023-09-22 2023-11-24 Beijing Yuanhe Technology Co., Ltd. (北京远禾科技有限公司) DDoS attack risk quantification defense method and system in software defined network
CN117118738B (en) * 2023-09-22 2024-03-29 Beijing Yuanhe Technology Co., Ltd. (北京远禾科技有限公司) DDoS attack risk quantification defense method and system in software defined network

Similar Documents

Publication Publication Date Title
CN112134894A (en) Moving target defense method for DDoS attack
CN109005157B (en) DDoS attack detection and defense method and system in software defined network
CN108063765B (en) SDN system suitable for solving network security
Gu et al. Worm detection, early warning and response based on local victim information
KR101747079B1 (en) Methods and systems for detecting and mitigating a high-rate distributed denial of service (ddos) attack
US10931711B2 (en) System of defending against HTTP DDoS attack based on SDN and method thereof
US20140189867A1 (en) DDoS ATTACK PROCESSING APPARATUS AND METHOD IN OPENFLOW SWITCH
CN101589595A (en) A containment mechanism for potentially contaminated end systems
CN112055956B (en) Apparatus and method for network security
Durner et al. Detecting and mitigating denial of service attacks against the data plane in software defined networks
Verma et al. IP-CHOCK (filter)-Based detection scheme for Denial of Service (DoS) attacks in VANET
Hong et al. Dynamic threshold for DDoS mitigation in SDN environment
Dang-Van et al. A multi-criteria based software defined networking system Architecture for DDoS-attack mitigation
Shah et al. Hybridizing entropy based mechanism with adaptive threshold algorithm to detect RA flooding attack in IPv6 networks
Wang et al. Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks
Mopari et al. Detection and defense against DDoS attack with IP spoofing
CN110958245B (en) Attack detection method, device, equipment and storage medium
Unal et al. Towards prediction of security attacks on software defined networks: A big data analytic approach
Wang et al. Credibility-based countermeasure against slow HTTP DoS attacks by using SDN
Noh et al. Protection against flow table overflow attack in software defined networks
Nashat et al. Detecting syn flooding agents under any type of ip spoofing
Annamalai et al. Secured system against DDoS attack in mobile adhoc network
RU2531878C1 (en) Method of detection of computer attacks in information and telecommunication network
KR20110107880A (en) Ddos detection method using fast information entropy and adaptive moving average window detector
Khan et al. Real-time cross-layer design for a large-scale flood detection and attack trace-back mechanism in IEEE 802.11 wireless mesh networks

Legal Events

Date Code Title Description
PB01 Publication Application publication date: 20201225
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication