CN112702309A - DDoS attack tracing method and terminal in SDN environment - Google Patents

DDoS attack tracing method and terminal in SDN environment

Info

Publication number
CN112702309A
CN112702309A (application CN202011326700.1A)
Authority
CN
China
Prior art keywords
monitoring
suspicious
switch
flow
node
Prior art date
Legal status
Pending
Application number
CN202011326700.1A
Other languages
Chinese (zh)
Inventor
林晖
侯懿宸
汪晓丁
许传丰
Current Assignee
Fujian Normal University
Original Assignee
Fujian Normal University
Application filed by Fujian Normal University
Priority to CN202011326700.1A
Publication of CN112702309A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/24 Classification techniques

Abstract

The invention provides a DDoS attack tracing method in an SDN environment, comprising: judging the state of a flow in the SDN environment and, if the flow is in a suspicious state, marking it as a suspicious flow; judging the state of the suspicious flow again and, if it is still suspicious, marking the switch that forwards it as a suspicious switch and monitoring that switch, or, if it is in a dangerous state, marking it as a dangerous flow, backtracking its path according to a conditional-entropy path backtracking strategy to obtain the attack source, and clearing the attack source. The invention adopts a different coping strategy for each flow state: monitoring nodes are deployed for the switches carrying flows in the suspicious state, and path backtracking is performed for flows in the dangerous state, so that the attack source is found and cleared in time. High-intensity tracing by the SDN controller is avoided, and the load on the SDN controller is effectively reduced.

Description

DDoS attack tracing method and terminal in SDN environment
Technical Field
The invention relates to the field of information security, in particular to a DDoS attack tracing method and a terminal in an SDN environment.
Background
Software Defined Networking (SDN), as a new network architecture, has the advantages of centralized control, high utilization and programmability; it is an indispensable part of providing flexible and varied connections and services for future networks and has broad application prospects in the Internet of Things, cloud computing and similar fields. While SDN brings convenience, it also presents a number of security challenges, among which Distributed Denial of Service (DDoS) attacks are one of the most significant. In an SDN network, a DDoS attack continuously exhausts the resources of critical devices until the network can no longer provide normal service and may even crash.
DDoS attacks in SDN mainly exploit the characteristics of SDN itself. Unlike DDoS attacks in traditional networks, they face a single point of failure: once the controller fails, the entire SDN under that controller is immediately paralysed. Exploiting the separation of control and forwarding, an attacker can attack the forwarding devices and increase the transmission load between the forwarding devices and the controller. These attacks increase the load on the controller and raise the probability of its failure.
As attackers keep learning and experimenting, accurately detecting an attack becomes increasingly difficult and limited for the system. It is therefore necessary to find the attack source and complete its clearing in time in order to enhance network security effectively. Only by establishing a DDoS attack tracing method that reconstructs the attack path and finds the attack source can the attack problem be solved at the root.
The attack tracing scheme therefore plays an important role in defending against DDoS attacks in an SDN environment, but many existing tracing methods still do not fully exploit the advantages of SDN. DDoS attack tracing in traditional network environments has been studied extensively, for example log-based tracing, connection testing and packet marking, whereas research on DDoS attack tracing in SDN networks is comparatively scarce. Chen et al. (Computers & Electrical Engineering 81 (2020), 106503) propose a statistics-based DDoS attack tracing scheme that builds an anomaly tree from the characteristic values of traffic change at base station nodes together with an attack detection method, and completes the tracing of the attack path from that tree. Francois et al. (International works on Information principles and Security, 2014, 203-) propose a scheme in which the SDN controller periodically inspects the flow entries of the switches; once an attack is detected, the flow entries of the switch found to be under attack and of its neighbouring switches are located immediately, completing the attack backtracking. Ali et al. (Guide to Security in SDN and NFV, 2017, 171-) introduce NFV (Network Functions Virtualization) to centrally arrange, and dynamically allocate, virtual network functions for defence.
However, existing research on DDoS attack tracing in SDN networks has the following disadvantage: path backtracking examines all parts of the system one after another, so backtracking efficiency is too low and no quick-response backtracking mechanism is deployed.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a DDoS attack tracing method and a terminal in an SDN environment are provided, and fast tracing of DDoS attacks is achieved.
In order to solve the technical problems, the invention adopts a technical scheme that:
a DDoS attack tracing method in an SDN environment comprises the following steps:
S1, judging the state of a flow in the SDN environment; if the flow is in a suspicious state, marking the flow as a suspicious flow and executing S2;
S2, judging the state of the suspicious flow again; if the suspicious flow is in a suspicious state, executing S3, and if the suspicious flow is in a dangerous state, marking the suspicious flow as a dangerous flow and executing S4;
S3, marking the switch forwarding the suspicious flow as a suspicious switch, and monitoring the suspicious switch;
S4, performing path backtracking according to the conditional-entropy path backtracking strategy to obtain the attack source, and clearing the attack source.
In order to solve the technical problem, the invention adopts another technical scheme as follows:
a DDoS attack tracing terminal in an SDN environment, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
S1, judging the state of a flow in the SDN environment; if the flow is in a suspicious state, marking the flow as a suspicious flow and executing S2;
S2, judging the state of the suspicious flow again; if the suspicious flow is in a suspicious state, executing S3, and if the suspicious flow is in a dangerous state, marking the suspicious flow as a dangerous flow and executing S4;
S3, marking the switch forwarding the suspicious flow as a suspicious switch, and monitoring the suspicious switch;
S4, performing path backtracking according to the conditional-entropy path backtracking strategy to obtain the attack source, and clearing the attack source.
The invention has the following beneficial effects: based on attack detection, flows in the SDN are divided into different states, including a suspicious state and a dangerous state, and a different coping strategy is adopted for each state; monitoring nodes are deployed for the switches carrying flows in the suspicious state, so that a monitored switch can be responded to promptly in subsequent work; flows in the dangerous state have their paths backtracked, so that the attack source is found and cleared in time. High-intensity tracing by the SDN controller is avoided and its load is effectively reduced; the conditional-entropy path backtracking method finds the attack source quickly, shortening the time for which the system is under attack from the DDoS source; and deploying monitoring nodes for low-risk flows further improves the security of the system.
Drawings
Fig. 1 is a flowchart illustrating steps of a DDoS attack tracing method in an SDN environment according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a DDoS attack tracing terminal in an SDN environment according to an embodiment of the present invention;
fig. 3 is a general flowchart of a DDoS attack tracing method in an SDN environment according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a suspicious switch with no monitoring node within its radius according to an embodiment of the present invention;
fig. 5 is a layout diagram of a suspicious switch and monitoring nodes in one-to-one correspondence according to an embodiment of the present invention;
fig. 6 is a schematic layout diagram of a monitoring node shared by suspicious switches according to an embodiment of the present invention;
description of reference numerals:
1. a DDoS attack tracing terminal in an SDN environment; 2. a processor; 3. a memory.
Detailed Description
In order to explain technical contents, achieved objects, and effects of the present invention in detail, the following description is made with reference to the accompanying drawings in combination with the embodiments.
Referring to fig. 1, a DDoS attack tracing method in an SDN environment includes the steps of:
S1, judging the state of a flow in the SDN environment; if the flow is in a suspicious state, marking the flow as a suspicious flow and executing S2;
S2, judging the state of the suspicious flow again; if the suspicious flow is in a suspicious state, executing S3, and if the suspicious flow is in a dangerous state, marking the suspicious flow as a dangerous flow and executing S4;
S3, marking the switch forwarding the suspicious flow as a suspicious switch, and monitoring the suspicious switch;
S4, performing path backtracking according to the conditional-entropy path backtracking strategy to obtain the attack source, and clearing the attack source.
From the above description, the beneficial effects of the present invention are: based on attack detection, flows in the SDN are divided into different states, including a suspicious state and a dangerous state, and a different coping strategy is adopted for each state; monitoring nodes are deployed for the switches carrying flows in the suspicious state, so that a monitored switch can be responded to promptly in subsequent work; flows in the dangerous state have their paths backtracked, so that the attack source is found and cleared in time. High-intensity tracing by the SDN controller is avoided and its load is effectively reduced; the conditional-entropy path backtracking method finds the attack source quickly, shortening the time for which the system is under attack from the DDoS source; and deploying monitoring nodes for low-risk flows further improves the security of the system.
Further, S1 further includes:
judging whether an attack flow generated by a DDoS attack exists in the SDN environment and, if so, executing S4.
As can be seen from the above description, if an attack flow generated by a DDoS attack is observed, the method jumps directly to S4, omitting the repeated verification steps, so that the DDoS attack is traced at the earliest moment and the security of the system is ensured.
Further, monitoring the suspicious switch in S3 specifically includes:
determining a monitoring node, and monitoring the suspicious switch through the monitoring node.
According to the above description, monitoring the suspicious switch through a monitoring node ensures the monitoring effect on the suspicious switch.
Further, determining the monitoring node specifically includes:
S31, determining the monitoring candidate range corresponding to the suspicious switch, wherein the nodes within the monitoring candidate range are the candidate monitoring nodes;
S32, calculating the communication cost and the resource cost of each candidate monitoring node;
S33, calculating the monitoring cost of each candidate monitoring node from the communication cost and the resource cost;
S34, selecting the candidate monitoring node with the minimum monitoring cost as the monitoring node.
As can be seen from the above description, by taking the nodes within a certain range around the suspicious switch as candidate monitoring nodes, calculating for each candidate the cost it would incur as a monitoring node, and selecting the candidate with the smallest cost to monitor the suspicious switch, monitoring is achieved without affecting the data exchange efficiency of the system.
Further, determining the monitoring node specifically includes:
S31, determining a circle of radius R centred on the suspicious switch as the monitoring candidate range corresponding to the suspicious switch, wherein the nodes within the monitoring candidate range are the candidate monitoring nodes;
S32, calculating the communication cost and the resource cost of each candidate monitoring node;
[communication cost equation: given on the original page only as an image]
where the left-hand side represents the communication cost between monitoring node i and suspicious switch j, d_i represents the shortest path from monitoring node η_i to the controller C, η_j represents the suspicious switch corresponding to monitoring node η_i, η_c represents the bandwidth factor of the communication between the monitoring node and the suspicious switch, and l_ij represents the bandwidth consumed by the communication between monitoring node i and suspicious switch j;
[resource cost equations: given on the original page only as images]
where the left-hand side represents the resource cost, q represents the resource required for a candidate monitoring node to be converted into a monitoring node, B represents the resource busy rate of the candidate monitoring node with B < 1, M_i represents the resource consumed per unit time by the monitoring function of the i-th candidate monitoring node, r_f represents the resource of the candidate monitoring node used for forwarding, and r_i represents the total resource of the candidate monitoring node;
S33, calculating the monitoring cost of each candidate monitoring node from the communication cost and the resource cost;
[monitoring cost equation: given on the original page only as an image]
where Cost_i represents the monitoring cost and δ represents a scale factor;
S34, selecting the candidate monitoring node with the minimum monitoring cost as the monitoring node.
According to the above description, the communication cost and the resource cost are calculated, the total cost of a node once it serves as a monitoring node is obtained from the two, and multiple factors are considered together, so that the cost of monitoring the suspicious switch in the final system is guaranteed to be the minimum.
Further, S4 specifically includes:
S41, marking the switch forwarding the dangerous flow as a dangerous switch;
S42, calculating the conditional entropy H(X | Y);
[conditional entropy equations: given on the original page only as images]
where X and Y are random variables, x is a value of the random variable X, y is a value of the random variable Y, and p(y) is the probability that the random variable Y takes the specific value y;
S43, calculating a first conditional entropy of each dangerous switch and, if the first conditional entropy is not within the preset range of values, marking the dangerous switch as an attack switch;
S44, calculating a second conditional entropy of each node to be confirmed, a node to be confirmed being a node whose distance from an attack switch is within a preset range, and, if the second conditional entropy is not within the preset range of values, marking the node to be confirmed as an attacked node;
S45, obtaining the attack source from the attack switches and the attacked nodes;
S46, clearing the attack source.
According to the above description, whether a node is attacked and whether a switch is an attack switch are judged from the conditional entropy, so that the attack path is finally backtracked and the attack source is obtained from the attack path; the attack source is determined accurately and cleared, the DDoS attack source can be handled in time, and the security of the other nodes is ensured.
Further, S43 further includes:
calculating a third conditional entropy of each suspicious switch and, if the third conditional entropy is not within the preset range of values, marking the suspicious switch as an attack switch.
According to the above description, the conditional entropy is calculated not only for the dangerous switches but also for the suspicious switches, so the investigation is more comprehensive and the accuracy of the finally determined attack source is improved without making the amount of path calculation excessive.
Further, determining the monitoring node further includes:
the monitoring nodes correspond one-to-one to the suspicious switches.
From the above description, one monitoring node is responsible for monitoring one suspicious switch, which ensures the monitoring quality of the suspicious switch without greatly affecting the normal use of the node that becomes the monitoring node.
Further, determining the monitoring node further includes:
acquiring the first positions of all suspicious switches, judging whether the monitoring candidate ranges corresponding to the first positions of different suspicious switches overlap and, if so, marking the overlapping monitoring candidate ranges as overlapping candidate ranges;
and selecting a monitoring node within the overlapping candidate range.
According to the above description, if the monitoring candidate ranges corresponding to the positions of several suspicious switches overlap, a node within the overlapping range is selected as the monitoring node, so that several suspicious switches can be monitored at once and the utilization of monitoring nodes is improved.
Referring to fig. 2, a DDoS attack tracing terminal in an SDN environment includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the following steps when executing the computer program:
S1, judging the state of a flow in the SDN environment; if the flow is in a suspicious state, marking the flow as a suspicious flow and executing S2;
S2, judging the state of the suspicious flow again; if the suspicious flow is in a suspicious state, executing S3, and if the suspicious flow is in a dangerous state, marking the suspicious flow as a dangerous flow and executing S4;
S3, marking the switch forwarding the suspicious flow as a suspicious switch, and monitoring the suspicious switch;
S4, performing path backtracking according to the conditional-entropy path backtracking strategy to obtain the attack source, and clearing the attack source.
The invention has the following beneficial effects: based on attack detection, flows in the SDN are divided into different states, including a suspicious state and a dangerous state, and a different coping strategy is adopted for each state; monitoring nodes are deployed for the switches carrying flows in the suspicious state, so that a monitored switch can be responded to promptly in subsequent work; flows in the dangerous state have their paths backtracked, so that the attack source is found and cleared in time. High-intensity tracing by the SDN controller is avoided and its load is effectively reduced; the conditional-entropy path backtracking method finds the attack source quickly, shortening the time for which the system is under attack from the DDoS source; and deploying monitoring nodes for low-risk flows further improves the security of the system.
Referring to fig. 1, a first embodiment of the present invention is:
a DDoS attack tracing method in an SDN environment comprises the following steps:
in this specification, a node includes a switch;
S1, judging the state of a flow in the SDN environment; if the flow is in a suspicious state, marking the flow as a suspicious flow and executing S2;
S1 further includes:
judging whether an attack flow generated by a DDoS attack exists in the SDN environment and, if so, executing S4;
S2, judging the state of the suspicious flow again; if the suspicious flow is in a suspicious state, executing S3, and if the suspicious flow is in a dangerous state, marking the suspicious flow as a dangerous flow and executing S4;
S3, marking the switch forwarding the suspicious flow as a suspicious switch, and monitoring the suspicious switch;
wherein monitoring the suspicious switch specifically comprises:
determining a monitoring node, and monitoring the suspicious switch through the monitoring node;
in an optional implementation, the monitoring nodes correspond one-to-one to the suspicious switches;
in an optional implementation, determining the monitoring node further includes: acquiring the first positions of all suspicious switches, judging whether the monitoring candidate ranges corresponding to the first positions of different suspicious switches overlap and, if so, marking the overlapping monitoring candidate ranges as overlapping candidate ranges; and selecting a monitoring node within the overlapping candidate range;
determining the monitoring node specifically comprises the following steps:
S31, determining a circle of radius R centred on the suspicious switch as the monitoring candidate range corresponding to the suspicious switch, wherein the nodes within the monitoring candidate range are the candidate monitoring nodes;
S32, calculating the communication cost and the resource cost of each candidate monitoring node;
[communication cost equation: given on the original page only as an image]
where the left-hand side represents the communication cost between monitoring node i and suspicious switch j, d_i represents the shortest path from monitoring node η_i to the controller C, η_j represents the suspicious switch corresponding to monitoring node η_i, η_c represents the bandwidth factor of the communication between the monitoring node and the suspicious switch, and l_ij represents the bandwidth consumed by the communication between monitoring node i and suspicious switch j;
[resource cost equations: given on the original page only as images]
where the left-hand side represents the resource cost, q represents the resource required for a candidate monitoring node to be converted into a monitoring node, B represents the resource busy rate of the candidate monitoring node with B < 1, M_i represents the resource consumed per unit time by the monitoring function of the i-th candidate monitoring node, r_f represents the resource of the candidate monitoring node used for forwarding, r_i represents the total resource of the candidate monitoring node, and j ranges over the suspicious switches monitored by the candidate monitoring node;
S33, calculating the monitoring cost of each candidate monitoring node from the communication cost and the resource cost;
[monitoring cost equation: given on the original page only as an image]
where Cost_i represents the monitoring cost and δ represents a scale factor;
S34, selecting the candidate monitoring node with the minimum monitoring cost as the monitoring node;
S4, performing path backtracking according to the conditional-entropy path backtracking strategy to obtain the attack source, and clearing the attack source;
in this embodiment, S4 specifically includes:
S41, marking the switch forwarding the dangerous flow as a dangerous switch;
S42, calculating the conditional entropy H(X | Y);
[conditional entropy equations: given on the original page only as images]
where X and Y are random variables, x is a value of the random variable X, y is a value of the random variable Y, and p(y) is the probability that the random variable Y takes the specific value y;
S43, calculating a first conditional entropy of each dangerous switch and, if the first conditional entropy is not within the preset range of values, marking the dangerous switch as an attack switch;
calculating a third conditional entropy of each suspicious switch and, if the third conditional entropy is not within the preset range of values, marking the suspicious switch as an attack switch;
S44, calculating a second conditional entropy of each node to be confirmed, a node to be confirmed being a node whose distance from an attack switch is within a preset range, and, if the second conditional entropy is not within the preset range of values, marking the node to be confirmed as an attacked node;
S45, obtaining the specific attack source from the attack switches and the attacked nodes: the dangerous position in the network is located quickly by processing the switches of higher danger first, and the attack source is found quickly by comparing the dangerous positions;
S46, clearing the attack source.
Referring to fig. 3 to fig. 6, a second embodiment of the present invention is:
a DDoS attack tracing method in an SDN environment, which differs from the first embodiment in that:
the states of a flow include an initial state, a normal state, a suspicious state and a dangerous state; the initial state is the state of a flow when it enters the SDN network;
after a flow enters the SDN network its state is monitored; if an abnormal event is found, the state of the flow is the suspicious state and the flow is marked as a suspicious flow, and if there is no abnormal event the state of the flow changes from the initial state to the normal state;
in an alternative embodiment, when the rate of a flow is detected to be above a set threshold, the state of the flow is judged to be the suspicious state;
S2 specifically includes: checking whether a DDoS attack exists for the suspicious flow; if so, marking the suspicious flow as a dangerous flow, and if not, monitoring the suspicious switch corresponding to the suspicious flow;
when determining the monitoring node in S3, if there is no node within radius R of the suspicious switch, the radius is enlarged to obtain a monitoring candidate range, and the nodes within that range are taken as candidate monitoring nodes;
in an alternative embodiment, referring to fig. 4, the radius is enlarged to a value given on the original page only as an image, the circle of that radius is used as the monitoring candidate range, and the candidate monitoring node with the minimum monitoring cost within that range is determined by calculation to be the monitoring node; when no monitoring node can be selected (there is no node in the monitoring candidate range, or several candidate monitoring nodes share the minimum monitoring cost), the radius is increased again by a step given on the original page only as an image, and the selection range is enlarged and searched repeatedly until a monitoring node exists within the monitoring candidate range;
referring to fig. 5, if the radius-R ranges of the suspicious switches do not overlap, or no node exists in the overlapping range, each suspicious switch on its own calculates the monitoring costs of all candidate monitoring nodes within its radius R and selects the candidate monitoring node with the minimum monitoring cost as its monitoring node;
if the radius-R ranges of the suspicious switches overlap and nodes exist in the overlapping part, those nodes can serve as candidate monitoring nodes for all of the overlapping suspicious switches; in the first scheme, several suspicious switches select the same monitoring node, i.e. one monitoring node monitors several suspicious switches; in the other scheme, each suspicious switch selects its own monitoring node with no node repeated; the monitoring cost of both schemes is calculated and the scheme with the lower monitoring cost is used to deploy the monitoring nodes;
in an alternative embodiment, referring to fig. 6, when the resource costs are the same, the communication cost of the first case is l_1 + d_1 + l_2 + d_2 and that of the second case is l_3 + d_2 + l_2 + d_2. By comparing the values of l_1, l_3, d_1 and d_2, and also considering the resource cost of the nodes in the two schemes, the deployment of the monitoring nodes can be completed;
in this embodiment, S4 specifically includes:
S41, when a DDoS attack is detected, the dangerous flow is determined and a virtual tracing module is constructed; in this module, according to the received dangerous flow, packets are received from the ports of the dangerous switch S_di and the suspicious switch S_si, and the header features of the packets are extracted, including the source IP address, the destination IP address and the destination port, to determine the position of the dangerous switch;
specifically, the conditional entropy formed by the source IP address, the destination IP address and the destination port is used; when the value of the conditional entropy shows a certain regularity, the switch is determined to be a dangerous switch;
S42, calculating the conditional entropy H(X|Y):
Figure BDA0002794478430000112
S43, detecting the dangerous switch S_di: when its conditional entropy lies within the range between the upper threshold δ1 and the lower threshold δ2, S_di is not on the attack path; then continue with the other S_di until path backtracking of all S_di is finished.
S44, when the conditional entropy is not within the range of δ1 and δ2, detect the surrounding switches and judge whether they are on the attack path. After all surrounding switches of S_di have been detected and found normal in conditional entropy, perform path backtracking for the next S_di.
S45, after S_di has been judged, S_si is determined by the same method as for S_di. After all abnormal switches have been backtracked, the attack path formed by all S_di and S_si is calculated and recorded, and the attack path is backtracked to find the attack source.
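The conditional-entropy check of steps S41 to S45, as an added Python example that is not part of the patent: since the page does not reproduce the patent's formula images, the standard definition of H(X|Y) is used, and the field pairing (source IP conditioned on destination port), the thresholds δ1/δ2 and the packet windows are constructed assumptions.

```python
"""Conditional-entropy check for steps S41-S45 (added example, not the patent's code).
The page does not reproduce the patent's formula images, so the standard definition
H(X|Y) = -sum_y p(y) sum_x p(x|y) log2 p(x|y) is used; the field pairing (source IP
given destination port), the thresholds and the packet windows are constructed."""
from collections import Counter, defaultdict
from math import log2


def conditional_entropy(packets, x_field, y_field):
    """H(X|Y) in bits over one monitoring window of packet-header dicts."""
    n = len(packets)
    if n == 0:
        return 0.0
    by_y = defaultdict(Counter)          # y value -> Counter of x values seen with it
    for pkt in packets:
        by_y[pkt[y_field]][pkt[x_field]] += 1
    h = 0.0
    for xs in by_y.values():
        n_y = sum(xs.values())
        p_y = n_y / n                    # p(y)
        # H(X | Y = y) = -sum_x p(x|y) log2 p(x|y)
        h_x_given_y = -sum((c / n_y) * log2(c / n_y) for c in xs.values())
        h += p_y * h_x_given_y
    return h


def on_attack_path(entropy, delta1, delta2):
    """S43/S44: within the band [delta2, delta1] the switch is normal;
    outside it the switch is treated as lying on the attack path."""
    return not (delta2 <= entropy <= delta1)


def backtrack(switch_windows, delta1, delta2, x_field="src_ip", y_field="dst_port"):
    """S45: evaluate each S_di / S_si window and return the names that form
    the recorded attack path, in the order they were examined."""
    return [name for name, pkts in switch_windows.items()
            if on_attack_path(conditional_entropy(pkts, x_field, y_field), delta1, delta2)]


# Constructed sample windows (not captured traffic); RFC 5737 documentation addresses.
NORMAL_WINDOW = [{"src_ip": s, "dst_ip": "10.0.0.9", "dst_port": p}
                 for p, srcs in ((80, ["192.0.2.1"] * 2 + ["192.0.2.2"] * 2),
                                 (443, ["192.0.2.3"] * 2 + ["192.0.2.4"] * 2))
                 for s in srcs]                                   # H(X|Y) = 1.0
FLOOD_WINDOW = [{"src_ip": f"198.51.100.{i}", "dst_ip": "10.0.0.9", "dst_port": 80}
                for i in range(16)]                               # spoofed sources, H = 4.0
SINGLE_SOURCE = [{"src_ip": "203.0.113.7", "dst_ip": "10.0.0.9", "dst_port": 80}
                 for _ in range(16)]                              # one source, H = 0.0
SWITCHES = {"S_d1": FLOOD_WINDOW, "S_d2": NORMAL_WINDOW, "S_s1": SINGLE_SOURCE}
DELTA1, DELTA2 = 2.0, 0.5   # assumed upper / lower thresholds bounding the normal band

if __name__ == "__main__":
    for name, pkts in SWITCHES.items():
        print(name, round(conditional_entropy(pkts, "src_ip", "dst_port"), 3))
    print("attack path:", backtrack(SWITCHES, DELTA1, DELTA2))
```

A switch whose entropy falls below the band (a single-source flood) is flagged just like one whose entropy jumps above it; in a real deployment the thresholds would be tuned from the switch's own baseline windows.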
Referring to fig. 2, a third embodiment of the present invention is:
a DDoS attack tracing terminal 1 in an SDN environment includes a processor 2, a memory 3, and a computer program stored in the memory 3 and runnable on the processor 2; when executing the computer program, the processor 2 implements the steps of the first embodiment or the second embodiment.
In summary, the present invention provides a DDoS attack tracing method and terminal in an SDN environment. Applied to DDoS attack tracing in the SDN environment, the method classifies flows according to a classification policy and, based on the classification result, provides conditional-entropy-based path backtracking for dangerous locations and monitoring-node deployment for suspicious locations, so that path backtracking can be completed quickly and the DDoS attack responded to quickly, thereby improving tracing efficiency and shortening the tracing response time. Monitoring nodes are designed for detecting suspicious switches; the deployed monitoring nodes can successfully track the attack path, the tracing time is reduced, and fast tracing is achieved. Meanwhile, attack-path backtracking based on conditional entropy is designed for dangerous switches: the value of the conditional entropy represents the variability of the attributes of the flow received by a switch. On the attack path, the conditional entropy of a switch basically stays unchanged under most conditions but suddenly becomes large at certain times and does so regularly, while on a non-attack path the conditional entropy changes irregularly at each time and the change is small. Therefore, whether a switch is on the attack path can be quickly determined from its conditional entropy, which improves the path-backtracking efficiency and allows the attack source to be found quickly; this reduces the time the system is under attack by the DDoS attack source and effectively improves system security.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.

Claims (10)

1. A DDoS attack tracing method in an SDN environment is characterized by comprising the following steps:
S1, judging the state of the flow in the SDN environment, if the flow is in a suspicious state, marking the flow as a suspicious flow and executing S2;
S2, judging the state of the suspicious flow again, if the suspicious flow is in a suspicious state, executing S3, and if the suspicious flow is in a dangerous state, marking the suspicious flow as a dangerous flow and executing S4;
S3, marking the switch for forwarding the suspicious flow as a suspicious switch, and monitoring the suspicious switch;
and S4, performing path backtracking according to the conditional entropy path backtracking strategy to obtain an attack source, and clearing the attack source.
2. The DDoS attack tracing method in an SDN environment according to claim 1, wherein said S1 further comprises:
and judging whether an attack flow generated by the DDoS attack exists in the SDN environment, if so, executing the S4.
3. The DDoS attack tracing method in an SDN environment according to claim 1, wherein the monitoring of the suspicious switch in S3 specifically is:
and determining a monitoring node, and monitoring the suspicious switch through the monitoring node.
4. The DDoS attack tracing method in an SDN environment according to claim 3, wherein the determining of the monitoring node specifically is:
S31, determining a monitoring candidate range corresponding to the suspicious switch, wherein nodes in the monitoring candidate range are candidate monitoring nodes;
S32, calculating the communication cost and the resource cost of each candidate monitoring node;
S33, calculating the monitoring cost of each candidate monitoring node according to the communication cost and the resource cost;
and S34, selecting the candidate monitoring node with the minimum monitoring cost as the monitoring node.
5. The DDoS attack tracing method in an SDN environment according to claim 4, wherein the determining of the monitoring node specifically is:
S31, determining a circle with the suspicious switch as its center and R as its radius as the monitoring candidate range corresponding to the suspicious switch, wherein nodes in the monitoring candidate range are candidate monitoring nodes;
S32, calculating the communication cost and the resource cost of each candidate monitoring node;
Figure FDA0002794478420000011
wherein,
Figure FDA0002794478420000012
represents said communication cost between monitoring node i and suspicious switch j, d_i represents the shortest path from monitoring node η_i to controller C, η_j represents the suspicious switch corresponding to monitoring node η_i, η_c represents the bandwidth factor of the communication between the monitoring node and the suspicious switch, and l_ij represents the bandwidth consumed by the communication between monitoring node i and suspicious switch j;
Figure FDA0002794478420000021
wherein,
Figure FDA0002794478420000022
wherein,
Figure FDA0002794478420000023
represents the resource cost, q represents the resource required for the candidate monitoring node to be converted into a monitoring node, B represents the resource busy rate of the candidate monitoring node, with B < 1, M_i represents the resource consumed per unit time by the monitoring function of the i-th candidate monitoring node, r_f represents the resource of the candidate monitoring node used for forwarding, and r_i represents the total resource of the candidate monitoring node;
S33, calculating the monitoring cost of each candidate monitoring node according to the communication cost and the resource cost;
Figure FDA0002794478420000024
wherein Cost_i represents the monitoring cost, and δ represents a scale factor;
and S34, selecting the candidate monitoring node with the minimum monitoring cost as the monitoring node.
6. The DDoS attack tracing method in an SDN environment according to claim 1, wherein the S4 specifically is:
S41, marking the switch for forwarding the dangerous flow as a dangerous switch;
S42, calculating the conditional entropy H(X|Y);
Figure FDA0002794478420000025
wherein,
Figure FDA0002794478420000026
X and Y represent random variables, x represents the value taken by the random variable X, y represents the value taken by the random variable Y, and p(y) represents the probability distribution when the random variable Y takes the specific value y;
S43, calculating a first conditional entropy of each dangerous switch, and if the first conditional entropy is not within a preset range value, marking the dangerous switch as an attack switch;
S44, calculating a second conditional entropy of a node to be confirmed, wherein the distance between the node to be confirmed and the attack switch is within a preset range, and if the second conditional entropy is not within the preset range value, marking the node to be confirmed as an attacked node;
S45, obtaining an attack source according to the attack switch and the attacked node;
and S46, clearing the attack source.
7. The DDoS attack tracing method in an SDN environment according to claim 6, wherein said S43 further comprises:
and calculating a third conditional entropy of each suspicious switch, and marking the suspicious switch as an attack switch if the third conditional entropy is not within a preset range value.
8. The DDoS attack tracing method in an SDN environment according to claim 4, wherein said determining a monitoring node further comprises:
the monitoring nodes correspond to the suspicious switches one by one.
9. The DDoS attack tracing method in an SDN environment according to claim 4, wherein said determining a monitoring node further comprises:
acquiring the first positions of all the suspicious switches, judging whether the monitoring candidate ranges corresponding to the first positions of different suspicious switches overlap, and if so, marking the overlapping monitoring candidate ranges as an overlapping candidate range;
and selecting a monitoring node within the overlapping candidate range.
10. A DDoS attack tracing terminal in an SDN environment, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the DDoS attack tracing method in the SDN environment according to any one of claims 1 to 9 when executing the computer program.
CN202011326700.1A 2020-11-24 2020-11-24 DDoS attack tracing method and terminal in SDN environment Pending CN112702309A (en)

Publications (1)

Publication Number Publication Date
CN112702309A true CN112702309A (en) 2021-04-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210423