CN112788058A - LDoS attack detection and mitigation scheme based on SDN controller - Google Patents


Publication number
CN112788058A
Authority
CN
China
Prior art keywords
attack
port
flow
ldos
traffic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110121874.2A
Other languages
Chinese (zh)
Other versions
CN112788058B (en)
Inventor
汤澹
王曦茵
施玮
王思苑
郑芷青
刘泊儒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan University
Original Assignee
Hunan University


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an LDoS attack detection and mitigation scheme based on an SDN controller, and belongs to the field of computer network security. The scheme is implemented as follows: fix the sampling time and the sampling interval; within the sampling time, periodically call the API (application programming interface) of the SDN (software-defined network) control plane at the sampling interval to collect the port traffic and flow table traffic of the switch; then, from the collected traffic information, determine whether an LDoS (low-rate denial of service) attack exists in the network during the sampling time by combining a lightweight port anomaly detection method with a LightGBM classification model. If an attack exists, the scheme locates the attacked port with the Smith-Waterman algorithm and issues a flow table rule to discard the attack traffic. The disclosed scheme detects LDoS attacks with high speed, low overhead and high accuracy, and effectively filters attack traffic to mitigate the attack.

Description

LDoS attack detection and mitigation scheme based on SDN controller
Technical Field
The invention belongs to the field of computer network security, and particularly relates to an LDoS attack detection and mitigation scheme based on an SDN controller.
Background
With the emergence and development of cloud computing, the dynamic, real-time and concurrent nature of computer networks has become increasingly prominent. In the traditional network architecture, the logic control function and the data forwarding function are tightly coupled on the network device, which reduces the flexibility and scalability of the device and makes it difficult to meet the needs of network development. The SDN (software-defined network) architecture was developed to overcome this drawback. Unlike the traditional architecture, SDN uses the OpenFlow protocol to separate the logic control function from the network device, which increases the openness and programmability of the network and makes network functions extensible.
SDN faces a variety of attacks. DoS (denial of service) attacks, which occur frequently in conventional networks, remain effective in SDN. DoS attacks have many variants, one of which is the low-rate denial of service (LDoS) attack. An LDoS attacker exploits a weakness in the adaptive mechanisms of the TCP/IP protocols by periodically sending bursts of attack packets with short duration and high rate, so that normal senders actively reduce their TCP sending rate and network performance is seriously degraded. Compared with a DoS attack, an LDoS attack consumes fewer resources, achieves a similar effect, is more covert and is harder to detect.
Research on detecting and mitigating LDoS attacks in SDN mainly has the following problems: first, detection and mitigation methods designed for DoS attacks cannot effectively detect and mitigate LDoS attacks; second, existing detection and mitigation methods for LDoS attacks generally suffer from high resource consumption, poor adaptability and low detection accuracy.
To address these main problems, the invention provides an LDoS attack detection and mitigation scheme based on an SDN controller. The scheme collects port traffic and flow table traffic on the switch and, based on the collected traffic information, detects LDoS attacks by combining a lightweight port anomaly detection method with a Light Gradient Boosting Machine (LightGBM) classification model. It first judges against a threshold whether the port traffic is abnormal. If the port traffic is normal, the detection result is that no LDoS attack exists. If the port traffic is abnormal, four-dimensional features of the flow table traffic are extracted according to the communication and effect characteristics of the LDoS attack and input into the trained LightGBM classification model for classification. If the classification result value is closer to the label value 0 (no attack), that is, less than or equal to 0.5, no LDoS attack exists; if it is closer to the label value 1 (attack), that is, greater than 0.5, an LDoS attack exists in the network. When an LDoS attack is detected, the defense method uses the Smith-Waterman algorithm to locally align the collected inflow traffic sequence of each port with the attack traffic sequence in order to locate the attacked port, and then uses the centralized control of SDN and the OpenFlow protocol to issue a policy that blocks the attack traffic entering that port, thereby mitigating the LDoS attack.
Disclosure of Invention
To address the main problems in research on detecting and mitigating LDoS attacks in SDN, an LDoS attack detection and mitigation scheme based on an SDN controller is provided. The scheme achieves high-precision LDoS attack detection with low false-alarm and missed-detection rates, low complexity and strong adaptability. It can also accurately locate the attacked port, effectively filter the attack traffic and preserve the throughput of normal traffic. The scheme therefore effectively detects and mitigates LDoS attacks in SDN.
The technical scheme adopted by the invention for realizing the aim is as follows: an LDoS attack detection and mitigation scheme based on an SDN controller mainly comprises the following steps: traffic information collection, attack detection and attack mitigation.
1. Traffic information collection. Fix the sampling time $Time_{CW}$ and the sampling interval $\Delta t$. Within the sampling time, periodically call the application programming interface (API) of the SDN control plane at the sampling interval to collect the port traffic and flow table traffic of the switch, and record the collected traffic sequence as CW (collection window).
2. Attack detection. LDoS attacks are detected by combining a lightweight port anomaly detection method with a LightGBM classification model, as follows:
Step 2.1: Analyze whether the inflow and outflow traffic of the switch ports collected in the CW are balanced. Define $\Delta Packs = |Packs_{in} - Packs_{out}|$, where $Packs_{in}$ is the total number of packets flowing into all ports of the switch within a CW and $Packs_{out}$ is the total number of packets flowing out of all ports of the switch. If $\Delta Packs$ is smaller than the threshold 4500, the inflow and outflow traffic of the switch are relatively balanced and no LDoS attack exists in the network. When an LDoS attack exists in the network, a large number of packets flow into the switch in a short time. Because the switch egress is connected to a bottleneck link and is constrained by its bandwidth, the switch cannot forward the burst in time and can only hold the packets temporarily in its buffer; once the buffer is full, packets are lost, so the inflow and outflow traffic of the switch ports become unbalanced and $\Delta Packs$ is greater than or equal to the threshold 4500. Therefore, if $\Delta Packs$ is smaller than the threshold 4500, the port traffic is normal and no LDoS attack exists in the network; if $\Delta Packs$ is greater than or equal to the threshold 4500, the port traffic is abnormal, an LDoS attack may exist in the network, and a further determination is made through step 2.2 and step 2.3.
Step 2.2: Extract four-dimensional features of the flow table traffic, based on the communication and effect characteristics of the LDoS attack.
(1) Communication features. The LDoS attack continuously transmits a large number of UDP packets during the attack burst, which drives the transmission rate of normal TCP traffic down to a low level, while the transmission rate of the total traffic stays almost the same as in a normal network because of the large number of UDP packets. When the attack is silent, the transmission rate of normal TCP traffic recovers slowly but remains much worse than when the network is not under attack, so the transmission rate of the total traffic is much lower than in a normal network. Therefore, the invention proposes as feature values the average value of the total traffic rate, Tr_avg, and the MAD (mean absolute deviation) of the total traffic rate, Tr_MAD, as shown in the following formulas:
Figure BDA0002922413540000031
Figure BDA0002922413540000032
where $Tr_i$ is the transmission rate of the total traffic collected in the i-th $\Delta t$, and n is the number of samples collected in the CW ($n = Time_{CW}/\Delta t$).
(2) Effect features. The LDoS attack causes normal senders to actively reduce their TCP sending rate, so the transmission rate of normal TCP traffic is lower in a network under LDoS attack than in a normal network. While the attack is sending attack packets, the large number of UDP packets keeps the transmission rate of the total traffic from changing noticeably, the transmission rate of normal TCP traffic is very low, and normal TCP traffic makes up a very small proportion of the total traffic. When the attack is silent, only normal TCP traffic and a small amount of background traffic exist, and normal TCP traffic accounts for a very high proportion. Therefore, the invention proposes as feature values the average value of the normal TCP traffic transmission rate, Norm_Tr_avg, and the MAD of the normal TCP traffic ratio, Norm_TrRto_MAD, as shown in the following formulas:
Figure BDA0002922413540000033
Figure BDA0002922413540000034
where $Norm\_Tr_i$ and $Norm\_TrRto_i$ are, respectively, the transmission rate and the ratio of normal TCP traffic collected in the i-th $\Delta t$, and Norm_TrRto_avg is the average value of the ratio of normal TCP traffic.
Step 2.3: Input the four-dimensional features of the flow table traffic into a trained LightGBM classification model for classification. If the classification result value is closer to the label value 0 (no attack), that is, less than or equal to 0.5, no LDoS attack exists; if it is closer to the label value 1 (attack), that is, greater than 0.5, an LDoS attack exists in the network.
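The two-stage detection of steps 2.1 to 2.3, as an added example that is not code from the patent. The formula images for the features are missing from this page, so the standard mean and mean absolute deviation are assumed; the window layout, function names and sample values are constructed, and `score_fn` stands in for the trained LightGBM model's prediction function.

```python
from statistics import fmean

DELTA_PACKS_THRESHOLD = 4500  # step 2.1 threshold, from the page
SCORE_THRESHOLD = 0.5         # step 2.3 decision boundary, from the page
FEATURE_ORDER = ("Tr_avg", "Tr_MAD", "Norm_Tr_avg", "Norm_TrRto_MAD")


def mad(xs):
    """Mean absolute deviation about the mean (assumed standard definition)."""
    m = fmean(xs)
    return fmean([abs(x - m) for x in xs])


def port_anomalous(packs_in, packs_out):
    """Step 2.1: inflow/outflow packet imbalance over one collection window."""
    return abs(packs_in - packs_out) >= DELTA_PACKS_THRESHOLD


def flow_features(total_rate, tcp_rate):
    """Step 2.2: the four features, from one rate sample per sampling interval."""
    if len(total_rate) != len(tcp_rate) or not total_rate:
        raise ValueError("need two equal-length, non-empty sample series")
    # Share of normal TCP in the total; an interval with no traffic counts as 0.
    ratio = [t / tot if tot > 0 else 0.0 for t, tot in zip(tcp_rate, total_rate)]
    return {
        "Tr_avg": fmean(total_rate),
        "Tr_MAD": mad(total_rate),
        "Norm_Tr_avg": fmean(tcp_rate),
        "Norm_TrRto_MAD": mad(ratio),
    }


def detect(window, score_fn):
    """Steps 2.1-2.3. Returns (attack_detected, features or None)."""
    if not port_anomalous(window["packs_in"], window["packs_out"]):
        return False, None  # balanced ports: the classifier is never called
    feats = flow_features(window["total_rate"], window["tcp_rate"])
    score = score_fn([feats[k] for k in FEATURE_ORDER])
    return score > SCORE_THRESHOLD, feats


# Constructed sample windows, ten sampling intervals each (arbitrary rate units).
NORMAL_WINDOW = {
    "packs_in": 50000, "packs_out": 49800,
    "total_rate": [100, 98, 102, 101, 99, 100, 97, 103, 100, 100],
    "tcp_rate":   [95, 93, 97, 96, 94, 95, 92, 98, 95, 95],
}
# Bursts in intervals 0 and 5: the total rate holds up while TCP collapses,
# then TCP recovers only partly during the silent intervals.
ATTACK_WINDOW = {
    "packs_in": 60000, "packs_out": 52000,
    "total_rate": [100, 20, 25, 30, 35, 100, 22, 27, 31, 36],
    "tcp_rate":   [5, 18, 23, 28, 33, 6, 20, 25, 29, 34],
}

if __name__ == "__main__":
    # Placeholder scorer for the demo only; it is not a LightGBM model.
    def placeholder(features):
        return 0.9 if features[1] > 10 else 0.1

    for name, w in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, detect(w, placeholder))
```

On the constructed windows the features move in the directions the description of Fig. 1 and Fig. 2 states: both averages fall and both MAD values rise under attack.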
3. Attack mitigation. Locate the attacked port with the Smith-Waterman algorithm and issue a flow table rule to discard the attack traffic.
Step 3.1: Use the Smith-Waterman algorithm to locally align the inflow traffic sequence $A = a_1, a_2, \dots, a_n$ of each switch port with the attack traffic sequence $B = b_1, b_2, \dots, b_m$; the port with the highest similarity score is the attacked port.
(1) Define the scoring rules $w_k$ and $S(a_i, b_j)$. $w_k$ is the penalty for k consecutive gaps and increases linearly with k. $S(a_i, b_j)$ is the similarity score of sequence A and sequence B at positions i and j, defined as shown in the following formula:
Figure BDA0002922413540000041
where the score is +2 if the values at the two positions match and -2 if they do not.
(2) Construct the scoring matrix H. Build a scoring matrix of size (n+1) × (m+1) and fill its first row and first column with 0.
(3) Populate the scoring matrix according to the scoring rules, using the following formula:
Figure BDA0002922413540000042
where $H_{i-1,j-1} + S(a_i, b_j)$ is the score when $a_i$ and $b_j$ are aligned, $H_{i-1,j} - w_r$ is the score obtained after adding r gaps following $a_{i-r}$ in sequence A, $H_{i,j-1} - w_l$ is the score obtained after adding l gaps following $b_{j-l}$ in sequence B, and 0 indicates that no matching sub-segment ends at $a_i$ and $b_j$. The score $H_{i,j}$ of a cell is the maximum of the three related scores and 0.
(4) Repeat steps (1) to (3) for the inflow traffic of each switch port, and select the port with the highest similarity score as the attacked port.
Step 3.2: The controller issues a flow table rule whose match field in_port is set to the attacked port number and whose action field is set to drop, installs the rule on the victim switch, and thereby filters the attack traffic from the attacked port.
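Steps 3.1 and 3.2 as an added example that is not code from the patent: each port's inflow sequence is aligned against an ON/OFF attack template and the best-scoring port gets a drop rule. The page does not say how traffic values are compared, so thresholding samples into burst/quiet symbols, the per-gap penalty of 1, the function names, the rule dictionary and all sample values are assumptions.

```python
MATCH, MISMATCH = 2, -2  # scoring rule S(a_i, b_j), from the page
GAP = 1                  # assumed unit penalty; the page only says w_k grows linearly with k


def smith_waterman(a, b, gap=GAP):
    """Best local-alignment score of a and b.

    With a linear penalty w_k = k * gap, taking one gap step at a time
    gives the same result as the general recurrence.
    """
    n, m = len(a), len(b)
    h = [[0] * (m + 1) for _ in range(n + 1)]  # first row and column stay 0
    best = 0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            h[i][j] = max(0, h[i - 1][j - 1] + s, h[i - 1][j] - gap, h[i][j - 1] - gap)
            best = max(best, h[i][j])
    return best


def to_symbols(counts, burst_level):
    """Assumed discretisation: 1 = burst interval, 0 = quiet interval."""
    return [1 if c >= burst_level else 0 for c in counts]


def on_off_template(period, on, cycles):
    """Attack sequence B built from the ON/OFF pattern: `on` burst samples per period."""
    return ([1] * on + [0] * (period - on)) * cycles


def locate_attacked_port(port_inflow, template, burst_level):
    """Step 3.1: score every port, return (port with highest score, all scores)."""
    scores = {
        port: smith_waterman(to_symbols(counts, burst_level), template)
        for port, counts in port_inflow.items()
    }
    return max(scores, key=scores.get), scores


def drop_rule(port):
    """Step 3.2 as a controller-neutral description (hypothetical structure).

    In OpenFlow a drop is normally expressed as a flow entry with no output
    action; the controller's own API decides the concrete encoding.
    """
    return {"match": {"in_port": port}, "action": "drop"}


# Constructed inflow packet counts per sampling interval, 12 intervals per port.
PORT_INFLOW = {
    1: [300, 310, 295, 305, 290, 300, 315, 298, 302, 307, 299, 301],   # steady TCP
    2: [40, 35, 2900, 40, 35, 50, 45, 3000, 38, 42, 47, 36],           # periodic bursts
    3: [5, 8, 3, 6, 4, 7, 5, 6, 4, 5, 6, 4],                           # near idle
    4: [2500, 2600, 2550, 2580, 2610, 2590, 2570, 2600, 2560, 2540, 2620, 2580],  # sustained load
}

if __name__ == "__main__":
    template = on_off_template(period=5, on=1, cycles=2)
    port, scores = locate_attacked_port(PORT_INFLOW, template, burst_level=1000)
    print(scores)
    print(drop_rule(port))
```

With these assumptions the quiet ports still score 15 against the attacked port's 20, because the OFF samples of the template align with any quiet traffic, so the margin depends on the discretisation and template chosen. The rule matches only in_port, so it discards everything arriving on that port, including any legitimate flows that share it.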
Advantageous effects
The scheme achieves high-precision LDoS attack detection with low false-alarm and missed-detection rates, low complexity and strong adaptability. It can also accurately locate the attacked port, effectively filter the attack traffic and preserve the throughput of normal traffic. The scheme therefore effectively detects and mitigates LDoS attacks in SDN.
Drawings
Fig. 1 shows the average value of the total traffic transmission rate and the MAD of the total traffic transmission rate in an attack-free network and in a network under LDoS attack.
Fig. 2 shows the average value of the normal TCP traffic transmission rate and the MAD of the normal TCP traffic ratio in an attack-free network and in a network under LDoS attack.
Fig. 3 shows transmission rates of normal TCP traffic and LDoS attack traffic in an LDoS attack network. Fig. 3(a) shows that the LDoS attack detection and mitigation scheme based on the SDN controller is not implemented in the network, and fig. 3(b) shows that the LDoS attack detection and mitigation scheme based on the SDN controller is implemented in the network.
Fig. 4 is an overall framework of an SDN controller-based LDoS attack detection and mitigation scheme.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Fig. 4 is an overall framework of an LDoS attack detection and mitigation scheme based on an SDN controller, and the LDoS attack detection and mitigation scheme based on the SDN controller mainly includes the following steps: traffic information collection, attack detection and attack mitigation.
Fig. 1 shows the average value of the total traffic transmission rate and the MAD of the total traffic transmission rate in an attack-free network and in a network under LDoS attack. The average value of the total traffic transmission rate in the attack-free network is greater than that in the network under LDoS attack, and the MAD of the total traffic transmission rate in the attack-free network is less than that in the network under LDoS attack.
Fig. 2 shows the average value of the normal TCP traffic transmission rate and the MAD of the normal TCP traffic ratio in an attack-free network and in a network under LDoS attack. The average value of the normal TCP traffic transmission rate in the attack-free network is greater than that in the network under LDoS attack, and the MAD of the normal TCP traffic ratio in the attack-free network is less than that in the network under LDoS attack.
Fig. 3 shows transmission rates of normal TCP traffic and LDoS attack traffic in an LDoS attack network. Fig. 3(a) shows that, in the case where an LDoS attack detection and mitigation scheme based on an SDN controller is not implemented, normal TCP traffic in a network is seriously affected by the LDoS attack traffic, a transmission rate is continuously reduced, and is at an extremely low level after 95 seconds, and meanwhile, a peak value continuously appears due to unlimited attack traffic. Fig. 3(b) shows that, when the LDoS attack detection and mitigation scheme based on the SDN controller is implemented, the scheme detects the LDoS attack when the LDoS attack lasts for about 20 seconds, and then about 4 seconds later, the defense deployment is successful, the attack traffic is filtered out, and the normal TCP traffic is quickly restored to a higher level.

Claims (8)

1. An LDoS attack detection and mitigation scheme based on an SDN controller, characterized by comprising the following three steps:
Step 1, traffic information collection: fix the sampling time and the sampling interval, and within the sampling time periodically call the API (application programming interface) of the SDN (software-defined network) control plane at the sampling interval to collect the port traffic and flow table traffic of the switch;
Step 2, attack detection: combine the lightweight port anomaly detection method with the LightGBM classification model, and determine from the traffic obtained in step 1 whether an LDoS attack exists in the network within the sampling time;
Step 3, attack mitigation: locate the attacked port with the Smith-Waterman algorithm, issue a flow table rule and discard the attack traffic.
2. The LDoS attack detection and mitigation scheme of claim 1, wherein detecting LDoS attacks in step 2 by combining the lightweight port anomaly detection method with the LightGBM classification model comprises the following three steps:
Step 2.1, analyze whether the port inflow traffic and port outflow traffic of the switch collected in the sampling time are balanced, to judge whether the port traffic is abnormal;
Step 2.2, extract four-dimensional features of the flow table traffic, based on the communication and effect characteristics of the LDoS attack;
Step 2.3, input the four-dimensional features of the flow table traffic into a trained LightGBM classification model for classification, and judge from the classification result whether an attack exists.
3. The LDoS attack detection and mitigation scheme of claim 2, wherein in step 2.1, if the port inflow traffic and outflow traffic are balanced, that is, the absolute value of the difference between the inflow and outflow packet counts is less than 4500, the port traffic is normal and no LDoS attack exists in the network; otherwise, the port traffic is abnormal, an LDoS attack may exist in the network, and a further determination is needed through step 2.2 and step 2.3.
4. The LDoS attack detection and mitigation scheme of claim 2, characterized in that, in step 2.2, the four-dimensional features extracted are the average value and mean absolute deviation of the total traffic transmission rate, the average value of the normal TCP traffic transmission rate, and the mean absolute deviation of the normal TCP traffic ratio.
5. The LDoS attack detection and mitigation scheme of claim 2, characterized in that, in step 2.3, if the classification result value is closer to the label value 0 (no attack), that is, less than or equal to 0.5, no LDoS attack exists, and if it is closer to the label value 1 (attack), that is, greater than 0.5, an LDoS attack exists in the network.
6. The LDoS attack detection and mitigation scheme of claim 1, wherein in step 3 the Smith-Waterman algorithm is used to locate the attacked port and the attack traffic is filtered out by issuing flow table rules, comprising the following two steps:
Step 3.1, use the Smith-Waterman algorithm to locally align the inflow traffic sequence of each switch port with the attack traffic sequence; the port with the highest similarity score is the attacked port;
Step 3.2, issue a flow table rule through the controller, install it on the switch, and discard the attack traffic from the attacked port.
7. The LDoS attack detection and mitigation scheme of claim 6, characterized in that the attack traffic sequence in step 3.1 is a sequence created according to the ON/OFF mode of LDoS attack traffic, which effectively represents the characteristics of LDoS attack traffic; the ON/OFF mode means that within an attack period the LDoS attack is active for only a small part of the time and remains silent for the rest.
8. The LDoS attack detection and mitigation scheme of claim 6, characterized in that, in step 3.2, a flow table rule is issued whose port match field is the port number obtained in step 3.1 and whose action field is drop; the rule is installed on the switch and the traffic from the attacked port is discarded, thereby mitigating the attack.
CN202110121874.2A 2021-01-28 2021-01-28 LDoS attack detection and mitigation scheme based on SDN controller Active CN112788058B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110121874.2A CN112788058B (en) 2021-01-28 2021-01-28 LDoS attack detection and mitigation scheme based on SDN controller

Publications (2)

Publication Number Publication Date
CN112788058A true CN112788058A (en) 2021-05-11
CN112788058B CN112788058B (en) 2022-11-11

Family

ID=75759579

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110121874.2A Active CN112788058B (en) 2021-01-28 2021-01-28 LDoS attack detection and mitigation scheme based on SDN controller

Country Status (1)

Country Link
CN (1) CN112788058B (en)
