CN112953910B - DDoS attack detection method based on software defined network - Google Patents

DDoS attack detection method based on software defined network Download PDF

Info

Publication number
CN112953910B
CN112953910B CN202110117762.XA CN202110117762A CN112953910B CN 112953910 B CN112953910 B CN 112953910B CN 202110117762 A CN202110117762 A CN 202110117762A CN 112953910 B CN112953910 B CN 112953910B
Authority
CN
China
Prior art keywords
data
ddos attack
packet
attack detection
ddos
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110117762.XA
Other languages
Chinese (zh)
Other versions
CN112953910A (en
Inventor
赵楠
刘越
张哲闻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202110117762.XA priority Critical patent/CN112953910B/en
Publication of CN112953910A publication Critical patent/CN112953910A/en
Application granted granted Critical
Publication of CN112953910B publication Critical patent/CN112953910B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a DDoS attack detection method based on a software defined network, which is used for solving the problem of DDoS attack detectionThe technical problems of low accuracy and high time delay in DDoS attack detection in an SDN network in the prior art are solved by the following steps: construction of DDoS attack detection architecture based on software defined network and each OpenFlow switch S in data layermReceiving and forwarding a data message, capturing and forwarding the data packet by a packet capturing module in the SDN controller, acquiring a stream data set by a stream data processing module in the SDN controller, and acquiring a detection result of DDoS attack by a DDoS attack detection module in the SDN controller. The DDoS attack detection framework and the DDoS attack detection module based on the software defined network adopt a method of combining entropy and network self-similarity to detect DDoS attack, and can obviously improve the accuracy rate of DDoS attack detection and reduce time delay.

Description

DDoS attack detection method based on software defined network
Technical Field
The invention belongs to the field of computer network security, relates to a DDoS attack detection method, and particularly relates to a distributed denial of service DDoS attack detection method based on a Software Defined Network (SDN).
Background
With the rapid development of computer network technology, the network attack destruction behavior is increasing. Among them, ddos (distributed Denial of service) attacks have remarkable destructive power and great influence, and are an attack means which seriously threatens network security. DDoS attacks refer to intentional defects of network protocol implementation or direct exhaustion of resources of an attack target, so that the attack target cannot provide normal service or stop responding or even completely crash.
SDN (software Defined network) is a novel network architecture, and its core technology is to implement separation of control and forwarding, control implementation by a control layer composed of an SDN controller, and forwarding implementation by a data layer composed of an OpenFlow switch device and a terminal device. The characteristic of centralized control provides great convenience for software programming and brings a series of safety problems. DDoS attacks are one of the main threats faced by current SDN networks, and because forwarding behaviors of switches are controlled by a unified SDN controller, the SDN controller becomes a main target of the DDoS attacks. Once an SDN controller is attacked by a large-scale DDoS, the entire network may be paralyzed. Therefore, how to accurately and quickly detect the DDoS attack in the SDN network is a main work for ensuring data processing and transmission security in the SDN network.
Currently, researchers are dedicated to DDoS attack detection research in an SDN network, and the detection methods mainly include two categories, namely statistical analysis-based detection and machine learning-based detection. Most of DDoS attack detection methods based on statistical analysis apply an attack detection algorithm of a non-SDN network in an SDN, and cannot fully utilize the centralized control characteristic of the SDN; the DDoS attack detection method based on machine learning needs a long-time training process and is difficult to adapt to the quick reconfiguration of the SDN. Therefore, some scholars also detect DDoS attacks by combining the two broad categories of methods.
For example, a patent application with application publication number CN109005157A entitled "a method and system for detecting and defending DDoS attacks in a software defined network" discloses a method for detecting DDoS attacks in a software defined network, which includes: collecting Packet _ In data packets; extracting quinary characteristics of a source IP, a source port, a destination IP, a destination port and a protocol type of a data packet in the window, and calculating a quinary characteristic entropy value; judging whether the IP entropy of the window source exceeds a threshold value, if so, judging that the flow is suspicious, and otherwise, filtering the window flow; and judging whether the suspicious traffic is attacked or not by adopting machine learning, if so, judging the suspicious traffic to be attacked, and otherwise, filtering the suspicious traffic. However, in the one-stage DDoS attack detection method in the invention, (1) suspicious traffic is filtered only by comparing the relationship between the source IP entropy and the set threshold thereof, which may cause misjudgment of the suspicious traffic as normal traffic, thereby reducing the accuracy of detection. (2) The two-stage detection DDoS attack method adopts a machine learning-based method, the adopted training data set is the flow in an experimental network and the normal flow and the attack flow in the existing DARPA data set, a DDoS attack detection function is generated through training, the two-stage detection can only detect the DDoS attack conforming to the function, and the detection precision is reduced because the concealment is stronger or the novel DDoS attack cannot be detected. (3) In the invention, a sliding window mechanism is adopted to calculate the entropy value, and counting the quinary eigenvalue of each current window can cause repeated counting of the quinary eigenvalue of the data packet, so that the calculated amount is huge, the detection has time delay, and when the time delay is too large, DDoS attack already occurs, and invalid detection is caused.
Disclosure of Invention
The invention aims to overcome the defects in the prior art, provides a DDoS attack detection method based on a software defined network, and aims to improve the accuracy of DDoS attack detection and reduce detection time delay.
In order to achieve the purpose, the technical scheme adopted by the invention comprises the following steps:
(1) constructing a distributed denial of service (DDoS) attack detection framework based on a Software Defined Network (SDN):
constructing a distributed denial of service DDoS attack detection architecture based on a Software Defined Network (SDN), wherein the DDoS attack detection architecture comprises a control layer and a data layer; the control layer adopts an SDN controller comprising a packet capturing module, a flow data processing module and a DDoS attack detection module, and the data layer comprises M OpenFlow switches S ═ S1,...,Sm,...,SM]Each OpenFlow switch SmIncluding OpenFlow flow table Km,KmComprises a flow table item matching rule and R flow table items [ k ]m1,km2,...,kmr,...,kmR]Each flow entry kmrContaining a matching field and a processing instruction; wherein M is more than or equal to 1, SmDenotes the mth OpenFlow switch, kmrRepresents KmThe r-th flow table of (1);
(2) each OpenFlow switch S in the data layermReceiving and forwarding the data message:
(2a) m OpenFlow switches S ═ S in the data layer1,...,Sm,...,SM]Each OpenFlow switch S in (1)mContinuously receiving L transmitted by transmitting terminalmData of a Data message and according to KmThe flow table item matching rule in (1) is used for each Data message Data and KmEach flow table k in (2)mrIf the matching is successful, according to kmrThe successfully matched Data is forwarded to the receiving terminal indicated by the forwarding path in the processing instruction by the processing instruction, otherwise, the step (2b) is executed.
(2b) Each OpenFlow switch S in the data layermN that will not match successfullymEncapsulating Data of each Data message into NmA Packet _ In Packet pismTo obtain Q Packet _ In data packets pism
Figure BDA0002921371220000021
And all Packet _ In data packets pismForwarding to SDN controller, wherein Lm≥1,0≤Nm≤Lm
(3) A packet capturing module in the SDN controller captures data packets and forwards the data packets:
packet capturing modules In the SDN controller capture Packet _ In data packets pi one by one through Packet capturing software according to the sequence from front to back of receivingsmAnd each Packet _ In data Packet pi is processed one by one according to the grabbing sequencesmForwarding to a stream data processing module;
(4) a flow data processing module in the SDN controller acquires a flow data set:
(4a) the stream data processing module forwards the data packet pi according to the packet capturing modulesmOf the received Q data packets pismSorting and synthesizing ordered data packet set D ═ pi1,pi2,...,piq,...,piQIn which piqRepresenting the q data packet in the ordered data packet set D;
(4b) the stream data processing module extracts each data packet piqThe source IP address, the destination IP address, the source port number and the destination port number form a source IP address set f1, a destination IP address set f2, a source port number form a source port number set f3 and a destination port number form a destination port number set f4, and a stream data set DataSet formed by f1, f2, f3 and f4 is transmitted into a DDoS attack detection module;
DataSet={f1,f2,f3,f4}
={(f11,f21,...,fq1,...,fQ1),(f12,f22,...,fq2,...,fQ2),(f13,f23,...,fq3,...,fQ3),(f14,f24,...,fq4,...,fQ4)}
wherein f isq1、fq2、fq3And fq4Respectively representing data packets piqThe source IP address, destination IP address, source port number, and destination port number;
(5) a DDoS attack detection module in the SDN controller acquires a detection result of the DDoS attack:
(5a) the DDoS attack detection module calculates an entropy value H of a stream data set by adopting an entropy value method, judges whether the H and a preset lower limit threshold alpha meet the condition that H is less than alpha, if yes, DDoS flow of an attack controller does not exist in the DataSet, and sends a data packet in the DataSet data set to the OpenFlow switch, otherwise, executes the step (5 b);
(5b) the DDoS attack detection module judges whether H and a preset upper limit threshold value beta meet the condition that H is less than beta, if yes, the step (5c) is executed; otherwise, DDoS flow of the attack controller exists in the DataSet, and a detection result is fed back to the SDN controller;
(5c) the DDoS attack detection module calculates a network self-similarity index Hurst of a stream data set DataSet by adopting an R/S method, judges whether the Hurst and a preset threshold lambda meet the condition that Hurst is smaller than lambda or not, if yes, DDoS flow of an attack controller exists in the DataSet, and feeds back a detection result to the SDN controller; otherwise, the DDoS flow of the attack controller does not exist in the DataSet, and the data packet in the DataSet data set is issued to the OpenFlow switch.
Compared with the prior art, the invention has the following advantages:
1. the DDoS attack detection architecture based on the software defined network fully utilizes the characteristic of separation of an SDN data layer and a control layer, and an OpenFlow switch is only responsible for receiving and forwarding data in the data layer and does not perform other processing on the data; in the control layer, the SDN controller only concerns Packet _ In data packets forwarded by the data layer, and completes a series of processing detection on the Packet _ In data packets through a Packet capturing module, a stream data processing module and a DDoS attack detection module In the controller, so that the technical problems of low detection accuracy caused by possible data loss and overlarge time delay caused by overlong transmission time In the process of transmitting the data packets to the SDN controller after the data layer processes data In the prior art are avoided.
2. When detecting whether the DDoS attack occurs, the invention firstly detects the DDoS attack by an entropy method and detects most attacks; for a small part of DDoS attacks which are difficult to detect, the problem of missing DDoS attacks in the prior art is solved through network self-similarity detection, and the detection accuracy is further improved.
3. When the entropy is calculated, the method adopts a Count-Min Sketch counting method to Count, the Count-Min Sketch counting method compresses huge data into a key value pair model in a large scale, and the key value pair model is mapped for multiple times to obtain a counting value, so that repeated counting can be avoided, accurate counting can be realized through multiple times of mapping, and compared with the prior art, the method improves the detection accuracy and reduces the detection time delay.
Drawings
FIG. 1 is a schematic overall flow diagram of the present invention;
fig. 2 is a schematic diagram of a distributed denial of service DDoS attack detection architecture based on an SDN constructed by the present invention.
Detailed Description
The invention is described in further detail below with reference to the following figures and specific examples:
referring to fig. 1, the present invention includes the steps of:
step 1) a distributed denial of service DDoS attack detection framework based on a Software Defined Network (SDN) is constructed:
constructing a distributed denial of service (DDoS) attack detection architecture based on a Software Defined Network (SDN), wherein the DDoS attack detection architecture comprises a control layer and a data layer; the control layer adopts an SDN controller comprising a packet capturing module, a flow data processing module and a DDoS attack detection module, and the data layer comprises M OpenFlow switches S ═ S1,...,Sm,...,SM]Each OpenFlow switch SmIncluding OpenFlow flow Table Km,KmComprises a flow table item matching rule and R flow table items [ k ]m1,km2,...,kmr,...,kmR]Each flow entry kmrContaining a matching field and a processing instruction; wherein M is more than or equal to 1, SmDenotes the mth OpenFlow switch, kmrRepresents KmThe nth flow table of (1). And an SDN controller in the control layer controls the transmission and forwarding of data layer data by controlling an OpenFlow flow table in the data layer, and an OpenFlow switch stores the flow table issued by the SDN controller and processes data through the flow table. This embodiment M is 10.
Step 2) each OpenFlow switch S in the data layermReceiving and forwarding the data message:
step 2a) M OpenFlow switches S ═ S in the data layer1,...,Sm,...,SM]Each OpenFlow switch S in (1)mContinuously receiving L transmitted by transmitting terminalmData of a Data message and according to KmFor each Data message Data and K, the flow table item matching rule inmEach flow table k in (2)mrIf the matching is successful, according to kmrThe processing instruction forwards the successfully matched Data to the receiving terminal indicated by the forwarding path in the processing instruction, otherwise, the step (2b) is executed;
step 2b) Each OpenFlow switch S in the data layermN that will not match successfullymEncapsulating Data of each Data message into NmA Packet _ In Packet pismTo obtain Q Packet _ In data packets pism
Figure BDA0002921371220000051
And all Packet _ In data packets pismForwarding to SDN controller, wherein Lm≥1,0≤Nm≤Lm(ii) a Because in a DDoS attack, an attacker sends a large number of packets to a host or group of hosts. Usually, the source address of these packets is spoofed, the switch cannot find its matching entry In the OpenFlow entry, and can only encapsulate the Packet into a Packet _ In message and send the Packet to the controller. If a large number of Packet _ In messages exceed the bandwidth of a security channel or the processing capacity of the controller, the SDN controller is attacked by DDoS and cannot provide service for newly arrived legal data packets, so that the successfully matched data packets are directly forwarded to the data layer according to the instruction of the switchThe receiving terminal does not perform other processing; only Packet _ In packets are forwarded to the SDN controller. Example N1=100,N2=50,N3=50,N4=20,N5=10,N6=30,N2=50,N7=100,N8=30,N9=0,N10=60。
Step 3), a packet capturing module in the SDN controller captures data packets and forwards the data packets:
packet capturing modules In the SDN controller capture Packet _ In data packets pi one by one through Packet capturing software according to the sequence from front to back of receivingsmAnd each Packet _ In data Packet pi is processed one by one according to the grabbing sequencesmForwarding to a stream data processing module; the bale grabbing software used in the embodiment is WireShark software.
Step 4), a flow data processing module in the SDN controller acquires a flow data set:
step 4a) the stream data processing module forwards the data packet pi according to the packet capturing modulesmOf the received Q data packets pismSorting and synthesizing ordered data packet set D ═ { pi ═ pi1,pi2,...,piq,...,piQIn which piqRepresenting the q data packet in the ordered data packet set D; in this example
Figure BDA0002921371220000052
Is 500, D ═ p1,p2,...,p500}。
Step 4b) extracting each data packet pi by the stream data processing moduleqThe source IP address, the destination IP address, the source port number and the destination port number form a source IP address set f1, a destination IP address set f2, a source port number form a source port number set f3 and a destination port number form a destination port number set f4, and a stream data set DataSet formed by f1, f2, f3 and f4 is transmitted into a DDoS attack detection module;
DataSet={f1,f2,f3,f4}
={(f11,f21,...,fq1,...,fQ1),(f12,f22,...,fq2,...,fQ2),(f13,f23,...,fq3,...,fQ3),(f14,f24,...,fq4,...,fQ4)}
wherein f isq1、fq2、fq3And fq4Respectively representing data packets piqThe source IP address, destination IP address, source port number, and destination port number; when DDoS attack occurs, an attacker usually pretends that the source IP address, the destination IP address, the source port number, and the destination port number in the data packet are obviously different from the source IP address, the destination IP address, the source port number, and the destination port number in a normal network in distribution mode, so the stream data processing module in the invention extracts these characteristic values and further processes the characteristic values.
Step 5), a DDoS attack detection module in the SDN controller acquires a detection result of the DDoS attack:
step 5a) the DDoS attack detection module calculates the entropy value H of the stream data set DataSet by using an entropy method, and respectively counts the element values and f1, f2, f3 and f4 in the stream data set DataSet by using a Count-Min Sketch counting methodijNumber n of same valuefijAnd according to nfijF1 in f1, f2, f3, f4 in the stream data set DataSet, f2 in f3, f4ijProbability P (f) ofi1)、P(fi2)、P(fi3) And P (f)i4):
Figure BDA0002921371220000061
Then passing through P (f)i1)、P(fi2)、P(fi3) And P (f)i4) Calculating an entropy value H of a stream data set, judging whether H and a preset lower limit threshold alpha meet the condition that H is smaller than alpha, if so, issuing a data packet in the data set to an OpenFlow switch without DDoS flow of an attack controller, and otherwise, executing a step 5 b);
Figure BDA0002921371220000062
wherein a, b, c and d are weight items of f1, f2, f3 and f 4.
To explain the process of counting the same number of elements of eigenvalues in each eigenvalue set by the Count-Min Sketch counting method in detail, a source IP address is taken as an example, the source IP address set f1 is { IP1, IP2,.. so, IPn }, traffic data in f is modeled in the form of key value pairs (key, value), key is IP1 to IPn, and value is the size N of f 1. The internal data structure of Count-Min Sketch is a two-dimensional table X, X [ i [ ]][j]Table representing ith row and jth column in X, each X [ i [ ]][j]Maintain a counter Count [ i][j]Wherein i belongs to {0, w }, j belongs to {0, d }, d is the depth of the two-dimensional table X, and w is the width of the two-dimensional table X; giving an accuracy parameter epsilon, giving a certainty parameter delta that accuracy is achieved, and according to the formula w ═ e/epsilon],d=[ln(1/δ)]Calculating w and d; initialize Count [ i][j]Is 0, d mutually independent hash functions h are set1,h2,...,hi,...,hd},hiCorresponding to the ith row of the two-dimensional table; when the (key, value) key-value pair arrives, use { h1,h2,...,hi,...,hdMapping the key value d times by the function set, corresponding to Count [ i }][j]The value is added with 1 and is recorded as the result count [ h ]i(IPn)]When all (key, value) key-value pairs arrive, take count [ hi(IPn)]Minimum value mincount [ h ] in the resultsi(IPn)]As the number of source IP addresses with value IPn.
Step 5b) the DDoS attack detection module judges whether H and a preset upper limit threshold value beta meet the condition that H is less than beta, if yes, the step 5c) is executed; otherwise, DDoS flow of the attack controller exists in the DataSet, and the detection result is fed back to the SDN controller. The information entropy is used for describing the random degree of information source, and under the normal condition, the network flow in the SDN has stability, and then the eigenvalue of flow distributes also comparatively randomly, and when DDoS attacks taking place, directivity can appear in eigenvalue distribution, consequently utilizes the entropy method to detect out most DDoS attacks, and the imperceptibility that can not detect out to the entropy method is strong or neotype DDoS attacks, detects through the self-similar characteristic that network flow embodies. For the SDN, users are relatively stable within a period of time, services accessed by the users also have certain inertia, and further relative stability of network distribution components is formed, so that network traffic embodies self-similarity characteristics; therefore, a network self-similarity index Hurst is selected to further detect and analyze the flow which cannot be detected by the entropy method.
Step 5c) the DDoS attack detection module calculates the network self-similarity index Hurst of the stream data set DataSet by adopting an R/S method, performs matrix expansion on the stream data set DataSet first and then performs row-column interchange to obtain a new data set DataSetex
Figure BDA0002921371220000071
Then, the DataSet is addedexDividing into g groups of subsequences of length r, and calculating each subsequence XiCorrelation coefficient of middle element RSiValue, Xi={x(i-1)r+1,x(i-1)r+2,...,xir}={xi1,xi2,...,xijR is equal to or greater than 2, g is equal to or greater than 2, i is equal to 1,2, and g is equal to 1, 2; final pair of g groups (log X)i,log RSi) And performing linear regression on the data to obtain a straight slope Hurst, and taking the Hurst as a network self-similarity index of the stream data set DataSet. Judging whether Hurst and a preset threshold lambda meet the condition that Hurst is smaller than lambda or not, if yes, determining that DDoS flow of the attack controller exists in the DataSet, and feeding back a detection result to the SDN controller; otherwise, the DDoS flow of the attack controller does not exist in the DataSet, and the data packet in the DataSet data set is issued to the OpenFlow switch.

Claims (3)

1. A DDoS attack detection method based on a software defined network is characterized by comprising the following steps:
(1) constructing a distributed denial of service (DDoS) attack detection framework based on a Software Defined Network (SDN):
constructing a distributed denial of service (DDoS) attack detection architecture based on a Software Defined Network (SDN), wherein the DDoS attack detection architecture comprises a control layer and a data layer; the control layer adopts SDN control comprising a packet capturing module, a stream data processing module and a DDoS attack detection moduleA data layer comprising M OpenFlow switches S ═ S1,...,Sm,...,SM]Each OpenFlow switch SmIncluding OpenFlow flow table Km,KmComprises a flow table item matching rule and R flow table items [ k ]m1,km2,...,kmr,...,kmR]Each flow entry kmrContaining a matching field and a processing instruction; wherein M is more than or equal to 1, SmDenotes the mth OpenFlow switch, kmrRepresents KmThe r-th flow table of (1);
(2) each OpenFlow switch S in the data layermReceiving and forwarding the data message:
(2a) m OpenFlow switches S ═ S in the data layer1,...,Sm,...,SM]Each OpenFlow switch S in (1)mContinuously receiving L transmitted by transmitting terminalmData of a Data message and according to KmFor each Data message Data and K, the flow table item matching rule inmEach flow table k in (2)mrIf the matching is successful, according to kmrThe processing instruction forwards the successfully matched Data to the receiving terminal indicated by the forwarding path in the processing instruction, otherwise, the step (2b) is executed;
(2b) each OpenFlow switch S in the data layermN that will not match successfullymData of each Data message is packaged into NmA Packet _ In Packet pismTo obtain Q Packet _ In data packets pism
Figure FDA0002921371210000011
And all Packet _ In data packets pismForwarding to SDN controller, wherein Lm≥1,0≤Nm≤Lm
(3) A packet capturing module in the SDN controller captures data packets and forwards the data packets:
packet grabbing modules In the SDN controller grab Packet _ In data packets pi one by one through Packet grabbing software according to the sequence from front to back of receivingsmAnd each Packet _ In data Packet pi is processed one by one according to the grabbing sequencesmForwarding to a stream data processing module;
(4) a flow data processing module in the SDN controller acquires a flow data set:
(4a) the stream data processing module forwards the data packet pi according to the packet capturing modulesmOf the received Q data packets pismSorting and synthesizing ordered data packet set D ═ { pi ═ pi1,pi2,...,piq,...,piQIn which piqRepresenting the q data packet in the ordered data packet set D;
(4b) the stream data processing module extracts each data packet piqThe source IP address, the destination IP address, the source port number and the destination port number form a source IP address set f1, a destination IP address set f2, a source port number form a source port number set f3 and a destination port number form a destination port number set f4, and a stream data set DataSet formed by f1, f2, f3 and f4 is transmitted into a DDoS attack detection module;
DataSet={f1,f2,f3,f4}
={(f11,f21,...,fq1,...,fQ1),(f12,f22,...,fq2,...,fQ2),(f13,f23,...,fq3,...,fQ3),(f14,f24,...,fq4,...,fQ4)}
wherein f isq1、fq2、fq3And fq4Respectively representing data packets piqThe source IP address, destination IP address, source port number, and destination port number;
(5) a DDoS attack detection module in the SDN controller acquires a detection result of the DDoS attack:
(5a) the DDoS attack detection module calculates an entropy value H of a stream data set by adopting an entropy value method, judges whether the H and a preset lower limit threshold alpha meet the condition that H is less than alpha, if yes, DDoS flow of an attack controller does not exist in the DataSet, and sends a data packet in the DataSet data set to the OpenFlow switch, otherwise, executes the step (5 b);
(5b) the DDoS attack detection module judges whether H and a preset upper limit threshold value beta meet the condition that H is less than beta, if yes, the step (5c) is executed; otherwise, DDoS flow of the attack controller exists in the DataSet, and a detection result is fed back to the SDN controller;
(5c) the DDoS attack detection module calculates a network self-similarity index Hurst of a stream data set DataSet by adopting an R/S method, judges whether the Hurst and a preset threshold lambda meet the condition that Hurst is smaller than lambda or not, if yes, DDoS flow of an attack controller exists in the DataSet, and feeds back a detection result to the SDN controller; otherwise, the DDoS flow of the attack controller does not exist in the DataSet, and the data packet in the DataSet data set is issued to the OpenFlow switch.
2. A DDoS attack detection method based on software defined network according to claim 1, wherein said entropy H of stream data set is calculated by entropy method in step (5a), and the implementation steps are:
(5a1) respectively counting the element values and f in f1, f2, f3 and f4 in the stream data set DataSet by adopting a Count-Min Sketch counting methodijNumber n of same valuefijAnd according to nfijCalculating f1, f2, f3 in the flow data set DataSet { f1, f2, f3, f4} and f4 in f 3583ijProbability of (f) P (f)i1)、P(fi2)、P(fi3) And P (f)i4):
Figure FDA0002921371210000021
(5a2) By P (f)i1)、P(fi2)、P(fi3) And P (f)i4) Calculating an entropy value H of the stream data set DataSet:
Figure FDA0002921371210000022
wherein a, b, c and d are weight items of f1, f2, f3 and f 4.
3. A DDoS attack detection method based on software defined network according to claim 1, wherein said DDoS attack detection module in step (5c) calculates a network self-similarity index Hurst of a stream data set DataSet by using R/S method, and the implementation steps are:
(5c1) the DDoS attack detection module carries out matrix expansion on the flow data set and then carries out row-column interchange to obtain a new data set DataSetex
Figure FDA0002921371210000031
(5c2) DDoS attack detection module enables DataSetexDividing into g groups of subsequences of length r, and calculating each subsequence XiCorrelation coefficient of middle element RSiValue, Xi={x(i-1)r+1,x(i-1)r+2,...,xir}={xi1,xi2,...,xijR is equal to or greater than 2, g is equal to or greater than 2, i is equal to 1,2, and g is equal to 1, 2;
(5c3) DDoS attack detection module pair g group (logX)i,logRSi) And performing linear regression on the data to obtain a straight slope Hurst, and taking the Hurst as a network self-similarity index of the stream data set DataSet.
CN202110117762.XA 2021-01-28 2021-01-28 DDoS attack detection method based on software defined network Active CN112953910B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110117762.XA CN112953910B (en) 2021-01-28 2021-01-28 DDoS attack detection method based on software defined network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110117762.XA CN112953910B (en) 2021-01-28 2021-01-28 DDoS attack detection method based on software defined network

Publications (2)

Publication Number Publication Date
CN112953910A CN112953910A (en) 2021-06-11
CN112953910B true CN112953910B (en) 2022-07-01

Family

ID=76238564

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110117762.XA Active CN112953910B (en) 2021-01-28 2021-01-28 DDoS attack detection method based on software defined network

Country Status (1)

Country Link
CN (1) CN112953910B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660209B (en) * 2021-07-16 2023-04-25 华东师范大学 DDoS attack detection system based on sketch and federal learning and application
CN114422276A (en) * 2022-03-30 2022-04-29 南京邮电大学 DDoS attack detection and threat information sharing method based on block chain technology

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106561016A (en) * 2015-11-19 2017-04-12 国网智能电网研究院 DDoS attack detection device and method for SDN controller based on entropy
CN108282497A (en) * 2018-04-28 2018-07-13 电子科技大学 For the ddos attack detection method of SDN control planes

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9647938B2 (en) * 2012-06-11 2017-05-09 Radware, Ltd. Techniques for providing value-added services in SDN-based networks

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106561016A (en) * 2015-11-19 2017-04-12 国网智能电网研究院 DDoS attack detection device and method for SDN controller based on entropy
CN108282497A (en) * 2018-04-28 2018-07-13 电子科技大学 For the ddos attack detection method of SDN control planes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于软件定义物联网的分布式拒绝服务攻击检测方法;刘向聚;《计算机应用》;20191028;全文 *

Also Published As

Publication number Publication date
CN112953910A (en) 2021-06-11

Similar Documents

Publication Publication Date Title
CN1330131C (en) System and method for detecting network worm in interactive mode
Wang et al. A DDoS attack detection method based on information entropy and deep learning in SDN
CN107483512B (en) SDN controller DDoS detection and defense method based on time characteristics
CN112953910B (en) DDoS attack detection method based on software defined network
CN111818052A (en) CNN-LSTM-based industrial control protocol homologous attack detection method
CN109194608B (en) DDoS attack and flash congestion event detection method based on flow
CN113114694B (en) DDoS attack detection method oriented to high-speed network packet sampling data acquisition scene
WO2009135396A1 (en) Network attack processing method, processing device and network analyzing and monitoring center
CN112804253B (en) Network flow classification detection method, system and storage medium
CN112134894A (en) Moving target defense method for DDoS attack
CN108183917A (en) DDoS attack cross-layer cooperative detection method based on software defined network
Guozi et al. DDoS attacks and flash event detection based on flow characteristics in SDN
CN103701814A (en) Behavior-detection-based network traffic identification method and device
CN113660209A (en) DDoS attack detection system based on sketch and federal learning and application
CN113163406A (en) Threat detection system for mobile communication system and central device and local device thereof
CN116346418A (en) DDoS detection method and device based on federal learning
CN113630420A (en) SDN-based DDoS attack detection method
CN114760212A (en) SDN-based DDoS attack detection and mitigation method and system
Mohsin et al. Performance evaluation of SDN DDoS attack detection and mitigation based random forest and K-nearest neighbors machine learning algorithms
Wang et al. Abnormal traffic detection system in SDN based on deep learning hybrid models
CN116192504A (en) Malicious encryption flow detection method facing sample distribution imbalance
US11405358B2 (en) Network security monitoring of network traffic
Dharmadhikari et al. Comparative Analysis of DDoS Mitigation Algorithms in SDN
CN113377051A (en) Network safety protection equipment based on FPGA
CN115225301A (en) D-S evidence theory-based hybrid intrusion detection method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant