CN113194071B - Method, system and medium for detecting DDoS (distributed denial of service) based on unsupervised deep learning in SDN (software defined network)

Info

Publication number: CN113194071B (application CN202110361206.7A; earlier publication CN113194071A)
Authority: CN (China)
Legal status: Active (granted)
Inventors: 陆以勤, 艾广锋, 覃健诚
Assignee (original and current): South China University of Technology (SCUT)
Other languages: Chinese (zh)
Prior art keywords: data, deep learning, stream, sdn, network
Events: application filed by South China University of Technology (SCUT); priority to CN202110361206.7A; published as CN113194071A; application granted and published as CN113194071B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a DDoS detection method, a system and a medium based on unsupervised deep learning in an SDN, wherein the method comprises the following steps: setting a flow data collector on an SDN controller, and collecting flow data of a switch in a network; setting an independent detection engine, wherein the detection engine comprises a preprocessing module and a detector module; the data preprocessing module preprocesses the collected stream data and transmits the preprocessed stream data to the detector module; the detector module adopts an auto-encoder based on an unsupervised deep learning model to detect the received stream data and detect whether DDoS attack occurs. According to the invention, the calculation burden of the SDN controller is effectively reduced by arranging the independent detection engine; by adopting an unsupervised deep learning algorithm, no data label is needed for training the model, the overhead for data labeling is reduced, and the method can be widely applied to the technical field of DDoS detection.

Description

DDoS detection method, system and medium based on unsupervised deep learning in SDN
Technical Field
The invention relates to the technical field of DDoS detection, in particular to a DDoS detection method, a system and a medium based on unsupervised deep learning in an SDN.
Background
DDoS (distributed denial of service) attacks have occurred frequently in networks in recent years. A DDoS attack aims to exhaust the resources of a target system: the attacker sends a large number of packets to the victim simultaneously from different locations, so that the target system is paralysed and can no longer provide services. Because the attack is simple and brute-force, DDoS has become a very popular form of network attack.
SDN (Software Defined Networking) is a novel network architecture that is now widely deployed in data centres and operator networks. SDN separates the control plane from the data plane: control functions are moved to a logically centralised controller, while the devices in the network are only responsible for forwarding packets according to the forwarding policy issued by the controller. Management and configuration of the network thus become more convenient and flexible, and the network becomes programmable.
The technologies commonly used at present to detect DDoS attacks in an SDN are detection based on information entropy and detection based on traditional machine learning; they are briefly introduced as follows:
First prior art: detection techniques based on information entropy.
Principle: the information entropy of certain features of the flow data in the network (such as the destination IP address) is computed; when an attack occurs the entropy of such a feature usually drops, and a DDoS attack is reported if the entropy falls below a set threshold.
Disadvantages: this technique consumes many computing resources on the controller, may cause scalability problems, and a suitable feature may not be easy to select.
Second prior art: detection techniques based on traditional machine learning.
Principle: a traditional machine learning classification model, such as KNN (K-Nearest Neighbours) or SVM (Support Vector Machine), is trained and then used to classify the data, distinguishing attack traffic from normal traffic.
Disadvantages: the data sets need labels, labelling data is a time-consuming and labour-intensive task, and traditional machine learning methods are not well suited to learning from large data.
In summary, the prior art has many problems in detecting DDoS attacks in an SDN, such as increasing the overhead of the controller and requiring labelled data.
Interpretation of terms:
OpenFlow: in SDN the control plane is separated from the data plane; OpenFlow is the communication protocol between the two planes and is the de facto standard SDN southbound protocol.
Disclosure of Invention
In order to solve at least one of the technical problems in the prior art to a certain extent, the present invention aims to provide a method, a system and a medium for detecting DDoS based on unsupervised deep learning in SDN.
The technical scheme adopted by the invention is as follows:
a DDoS detection method based on unsupervised deep learning in an SDN comprises the following steps:
setting a flow data collector on an SDN controller, and collecting flow data of a switch in a network;
setting an independent detection engine, wherein the detection engine comprises a preprocessing module and a detector module;
the data preprocessing module preprocesses the collected stream data and transmits the preprocessed stream data to the detector module;
the detector module adopts an auto-encoder based on an unsupervised deep learning model to detect the received flow data and detect whether DDoS attack occurs.
Further, the detection engine resides as a stand-alone server in a network, the detection engine communicating with the SDN controller through a network socket.
Further, preprocessing the collected flow data includes:
extracting 9 fields from the flow data: flow duration seconds, flow duration nanoseconds, number of packets in the flow, number of bytes in the flow, source IP address, destination IP address, protocol type, source port number and destination port number;
converting the source IP address and the destination IP address into numerical values expressed in decimal;
performing feature scaling on the 9 numerically converted fields using the z-score normalization method.
Further, collecting the flow data of the switches in the network includes:
the flow data collector periodically sends a request message to the switches in the network using the OpenFlow protocol;
after receiving the request message, a switch feeds back a reply message;
the reply message contains the flow table entry data of the switch. The flow table entry data include the fields: length (flow entry length), table_id (table id), pad (padding), duration_sec (flow duration seconds), duration_nsec (flow duration nanoseconds), priority, idle_timeout (idle seconds before expiration), hard_timeout (seconds before expiration), flags, pad2 (padding), cookie (identifier set by the controller), packet_count (number of packets in the flow), byte_count (number of bytes in the flow), ofp_match (match fields) and ofp_instruction.
Further, the auto-encoder comprises an encoder and a decoder; its network comprises an input layer, a first hidden layer, a bottleneck layer, a second hidden layer and an output layer, of which the input layer, the first hidden layer and the bottleneck layer form the encoder;
the input layer takes a 9-dimensional vector as input, the first hidden layer compresses it into a 4-dimensional vector, which is encoded again into the 2-dimensional vector of the bottleneck layer; the vector obtained at the bottleneck layer is the code;
in the decoder, the code is expanded into a 4-dimensional vector, and that 4-dimensional vector is decoded into the 9-dimensional vector of the output layer.
Further, the detecting the received flow data to detect whether DDoS attack occurs includes:
inputting the preprocessed stream data serving as input data into a model trained in an unsupervised mode to obtain output data;
and calculating the reconstruction error of the input data and the output data, and judging that the DDoS attack occurs if the reconstruction error exceeds a preset threshold value.
Further, the step of training the unsupervised deep learning model comprises:
dividing the preprocessed flow data into a training set and a testing set, wherein labels are not added in the training set, and labels are added in the testing set;
and training the unsupervised deep learning model by adopting a training set, and evaluating the trained unsupervised deep learning model by adopting a testing set.
The other technical scheme adopted by the invention is as follows:
a DDoS detection system based on unsupervised deep learning in an SDN comprises:
a plurality of switches;
the SDN controller is internally provided with a flow data collector, and the flow data collector is used for collecting flow data of a switch in a network;
a separate detection engine comprising a pre-processing module and a detector module;
the data preprocessing module is used for preprocessing the collected streaming data and transmitting the preprocessed streaming data to the detector module;
the detector module is used for detecting the received stream data by adopting an auto-encoder based on an unsupervised deep learning model and detecting whether DDoS attack occurs or not.
The other technical scheme adopted by the invention is as follows:
a DDoS detection system based on unsupervised deep learning in an SDN comprises:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement the method described above.
The other technical scheme adopted by the invention is as follows:
a storage medium having stored therein a processor-executable program which, when executed by a processor, is for performing the method as described above.
The invention has the beneficial effects that: according to the invention, the data preprocessing and detector module is separated from the SDN controller, and the calculation burden of the SDN controller is effectively reduced by arranging an independent detection engine; meanwhile, an unsupervised deep learning algorithm is adopted, data labels are not needed for training the model, the expenditure for data labeling is reduced, and the deep learning algorithm is more suitable for learning from a large amount of data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description is made on the drawings of the embodiments of the present invention or the related technical solutions in the prior art, and it should be understood that the drawings in the following description are only for convenience and clarity of describing some embodiments in the technical solutions of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an unsupervised deep learning-based DDoS detection system in an SDN according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network structure of an auto-encoder according to an embodiment of the present invention;
fig. 3 is a flowchart of DDoS detection performed in the embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. The step numbers in the following embodiments are provided only for convenience of illustration, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adapted according to the understanding of those skilled in the art.
In the description of the present invention, it should be understood that the orientation or positional relationship referred to in the description of the orientation, such as the upper, lower, front, rear, left, right, etc., is based on the orientation or positional relationship shown in the drawings, and is only for convenience of description and simplification of description, and does not indicate or imply that the device or element referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention.
In the description of the present invention, "several" means one or more and "a plurality" means two or more; "greater than", "less than", "exceeding" and the like are understood as excluding the stated number, while "above", "below", "within" and the like are understood as including it. If "first" and "second" are used, it is only to distinguish technical features; they do not indicate or imply relative importance, the number of the technical features indicated, or their precedence.
In the description of the present invention, unless otherwise explicitly limited, terms such as arrangement, installation, connection and the like should be understood in a broad sense, and those skilled in the art can reasonably determine the specific meanings of the above terms in the present invention in combination with the specific contents of the technical solutions.
To address the problem of detecting DDoS attacks in an SDN, the invention adds a flow data collector application to the SDN controller, which is responsible for collecting flow data in the network, and provides an independent detection engine comprising a data preprocessing module and a detector module: the data preprocessing module preprocesses the collected flow data, and the detector module detects the preprocessed data with an auto-encoder, an unsupervised deep learning model. DDoS attacks in the SDN are thereby detected effectively, solving the detection problem.
As shown in fig. 1, the network includes a plurality of OpenFlow switches and hosts; an SDN controller manages the entire network, and the switches and the controller communicate via the OpenFlow protocol. The controller contains a flow data collector, and the network further includes a detection engine comprising a preprocessing module and a detector module; the controller and the detection engine communicate through a network socket. The flow data collector periodically sends an ofp_flow_stats_request message to each switch in the network to collect its flow data, and the switch replies with an ofp_flow_stats_reply message carrying the raw flow data. The collected raw flow data are sent to the detection engine, where they are first preprocessed by the preprocessing module; the preprocessed data are passed to the detector, which completes the detection and determines whether a DDoS attack is occurring.
The controller hosts the flow data collector, which is programmed through the interface provided by the controller. The flow data collector periodically sends an ofp_flow_stats_request message to the switches in the network over the OpenFlow protocol; after receiving it, a switch replies with a message containing its flow data, whose fields include: length, table_id, pad, duration_sec, duration_nsec, priority, idle_timeout, hard_timeout, flags, pad2, cookie, packet_count, byte_count, match.
The detection engine DE is arranged on an independent server and comprises a data preprocessing module and a detector module, and the DE and the controller communicate through a network socket.
The data preprocessing module preprocesses the flow data; its main functions are extracting features from the raw flow data, converting the feature values to numbers, performing feature scaling, and dividing the data into a training set and a test set. It preprocesses the flow data as follows:
the source IP address ipv4_src, destination IP address ipv4_dst, protocol type ip_proto, source port number src_port and destination port number dst_port are extracted from the match field of the switch's reply message; the following 9 fields are then processed further: flow duration in seconds (duration_sec), flow duration nanoseconds (duration_nsec), number of packets in the flow (packet_count), number of bytes in the flow (byte_count), source IP address (ipv4_src), destination IP address (ipv4_dst), protocol type (ip_proto), source port number (src_port) and destination port number (dst_port); the other fields of the raw flow data are not used.
The IP addresses are converted to numerical values by taking the decimal representation of the address's binary value; the other fields are already numerical. Once all values are numerical, feature scaling is applied to the 9 fields using the z-score normalization method, and the scaled data are supplied to the model during the training period. The processed data are also divided into a training set and a test set: 80% of the data constitute the training set and the remaining 20% the test set.
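The preprocessing described above (extraction of the 9 fields, IP-to-decimal conversion, z-score scaling and the 80/20 split), as an added Python example; it is not code from the patent. The flow entries are constructed dicts whose keys mirror the ofp_flow_stats_reply fields and match sub-fields named in the description, not data captured from a real switch. One design choice the patent does not spell out is made explicit here: the scaler's mean and standard deviation are fitted on the training portion only, so that attack flows placed in the test set cannot shift the statistics that define "normal", and a field that is constant in training is left unscaled rather than divided by zero.

```python
import ipaddress
from statistics import mean, pstdev

# Order of the 9 fields kept from each flow-table entry, as listed in the description.
FEATURE_ORDER = ("duration_sec", "duration_nsec", "packet_count", "byte_count",
                 "ipv4_src", "ipv4_dst", "ip_proto", "src_port", "dst_port")

# Constructed flow entries shaped like ofp_flow_stats_reply bodies (top-level stats
# fields plus the match sub-fields); not captured from a real switch.
SAMPLE_FLOW_ENTRIES = [
    {"duration_sec": 30, "duration_nsec": 120000000, "packet_count": 420, "byte_count": 61440,
     "match": {"ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2", "ip_proto": 6, "src_port": 40000, "dst_port": 80}},
    {"duration_sec": 12, "duration_nsec": 500000000, "packet_count": 150, "byte_count": 21000,
     "match": {"ipv4_src": "10.0.0.3", "ipv4_dst": "10.0.0.2", "ip_proto": 6, "src_port": 40512, "dst_port": 443}},
    {"duration_sec": 45, "duration_nsec": 0, "packet_count": 900, "byte_count": 131000,
     "match": {"ipv4_src": "10.0.0.4", "ipv4_dst": "10.0.0.5", "ip_proto": 6, "src_port": 51000, "dst_port": 22}},
    {"duration_sec": 8, "duration_nsec": 250000000, "packet_count": 60, "byte_count": 7200,
     "match": {"ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.1", "ip_proto": 6, "src_port": 80, "dst_port": 40000}},
    # the last 20% becomes the test set: a short UDP flow with an unusually high packet count
    {"duration_sec": 1, "duration_nsec": 900000000, "packet_count": 9000, "byte_count": 540000,
     "match": {"ipv4_src": "10.0.0.9", "ipv4_dst": "10.0.0.2", "ip_proto": 17, "src_port": 1234, "dst_port": 53}},
]


def ip_to_int(dotted):
    """Decimal value of the 32-bit IPv4 address, e.g. 10.0.0.1 -> 167772161."""
    return int(ipaddress.IPv4Address(dotted))


def extract_features(entry):
    """Keep the 9 fields in FEATURE_ORDER; other reply fields (cookie, priority, ...) are ignored."""
    m = entry["match"]
    values = {
        "duration_sec": entry["duration_sec"], "duration_nsec": entry["duration_nsec"],
        "packet_count": entry["packet_count"], "byte_count": entry["byte_count"],
        "ipv4_src": ip_to_int(m["ipv4_src"]), "ipv4_dst": ip_to_int(m["ipv4_dst"]),
        "ip_proto": m["ip_proto"], "src_port": m["src_port"], "dst_port": m["dst_port"],
    }
    return [float(values[name]) for name in FEATURE_ORDER]


class ZScoreScaler:
    """z = (x - mean) / std per column; the statistics come from the fitted rows only."""

    def fit(self, rows):
        cols = list(zip(*rows))
        self.mu = [mean(c) for c in cols]
        # a column that is constant in training (std 0) is left unscaled instead of dividing by zero
        self.sigma = [pstdev(c) or 1.0 for c in cols]
        return self

    def transform(self, rows):
        return [[(v - m) / s for v, m, s in zip(row, self.mu, self.sigma)] for row in rows]


def split_train_test(rows, train_fraction=0.8):
    """First 80% of the rows train the model, the remaining 20% evaluate it."""
    n_train = int(len(rows) * train_fraction)
    return rows[:n_train], rows[n_train:]


def preprocess(entries, train_fraction=0.8):
    """Extract, convert, split, then scale both parts with statistics fitted on the training part."""
    rows = [extract_features(e) for e in entries]
    train_raw, test_raw = split_train_test(rows, train_fraction)
    scaler = ZScoreScaler().fit(train_raw)
    return scaler.transform(train_raw), scaler.transform(test_raw), scaler


if __name__ == "__main__":
    train, test, scaler = preprocess(SAMPLE_FLOW_ENTRIES)
    for name, z in zip(FEATURE_ORDER, test[0]):
        print(f"{name:13s} z = {z:+.2f}")
```

Run as a script, the block prints the z-scores of the held-out flow; its packet_count lands more than 20 standard deviations above the training mean, which is exactly the kind of input the auto-encoder below will fail to reconstruct.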
The detector uses an unsupervised deep learning model, an auto-encoder (AE), to detect DDoS attacks. Its operation is divided into a training period and a detection period; the model obtained in the training period is used to detect flow data in the detection period. The detection procedure with the auto-encoder is as follows:
sufficient flow data are collected in the network in advance and, after preprocessing, used to train the auto-encoder. Since the AE is an unsupervised deep learning model, the training set needs no labels; labels are added only to the test set in order to evaluate the model. The trained model is then used to detect DDoS attacks, with the reconstruction error as the detection criterion: a threshold is selected, and if the reconstruction error between the model's output and the corresponding input exceeds the threshold, an attack is detected.
As shown in fig. 2, the auto-encoder used in this embodiment consists of an encoder and a decoder and has 5 layers. The input layer takes a 9-dimensional vector; the first hidden layer compresses it into a 4-dimensional vector, which is encoded again into the 2-dimensional vector of the bottleneck layer, also called the code. These layers constitute the encoder. In the decoder, the code is expanded into a 4-dimensional vector and finally decoded into the 9-dimensional vector of the output layer.
As shown in fig. 3, implementing DDoS detection in this embodiment includes the following steps:
Step S301: the input data comprise a training set S_N and the data to be detected S_D = {x_1, x_2, …, x_n}.
Step S302: train the auto-encoder on the training set S_N to obtain a model.
Step S303: select a suitable threshold φ.
Step S304: initialise the iterator i to 1.
Step S305: compute the reconstruction error re = MSE(x_i, model(x_i)), where MSE denotes the mean square error.
Step S306: judge whether re is larger than φ; if so, a DDoS attack is detected and the procedure goes to S309, otherwise it goes to S307.
Step S307: increment the iterator i by 1.
Step S308: judge whether i is larger than n; if so, the procedure ends with no attack detected, otherwise it goes to S305.
Step S309: an alarm is issued and an attack is detected.
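Steps S301 to S309 carried through in code, as an added Python example that is not the patent's own implementation. It trains a small 9-4-2-4-9 auto-encoder (tanh hidden units, linear output) by plain gradient descent on the mean square error, so it needs no deep learning library; the training vectors are constructed, already-scaled feature vectors that vary along two latent factors (flow size and flow age), and ATTACK_FLOW is a constructed short flow whose packet and byte counts sit far above normal. The patent leaves threshold selection open; choose_threshold here takes the largest reconstruction error seen on the normal training flows plus a 20% margin, which is an assumption of this example, not the patent's rule.

```python
import math
import random

# Feature order of the 9-dimensional, already z-scored input vector (see preprocessing).
FEATURES = ("duration_sec", "duration_nsec", "packet_count", "byte_count",
            "ipv4_src", "ipv4_dst", "ip_proto", "src_port", "dst_port")

# Constructed: how each feature of a normal flow depends on two latent factors
# (flow size, flow age). Not measured on any real network.
FACTOR_LOADINGS = [(0.1, 1.0), (0.0, 0.2), (1.0, 0.3), (1.0, 0.3),
                   (0.2, 0.0), (0.0, 0.2), (0.0, 0.0), (0.5, 0.0), (0.0, 0.5)]

# Constructed attack flow: very short, with packet/byte counts about 40 sigma above normal.
ATTACK_FLOW = [-2.0, 0.0, 40.0, 40.0, 0.0, 0.0, 0.0, 0.0, 0.0]


def make_normal_flows(n, rng):
    """Constructed normal flows in z-scored feature space plus a little noise."""
    rows = []
    for _ in range(n):
        size, age = rng.gauss(0, 1), rng.gauss(0, 1)
        rows.append([a * size + b * age + rng.gauss(0, 0.05) for a, b in FACTOR_LOADINGS])
    return rows


def init_layers(sizes, rng):
    """One (W[out][in], bias[out]) pair per layer, small uniform initial weights."""
    layers = []
    for n_in, n_out in zip(sizes, sizes[1:]):
        limit = 1.0 / math.sqrt(n_in)
        W = [[rng.uniform(-limit, limit) for _ in range(n_in)] for _ in range(n_out)]
        layers.append((W, [0.0] * n_out))
    return layers


def forward(layers, x):
    """Activations of every layer: tanh in the hidden layers, linear output layer."""
    acts = [x]
    last = len(layers) - 1
    for i, (W, b) in enumerate(layers):
        z = [sum(w * a for w, a in zip(row, acts[-1])) + bj for row, bj in zip(W, b)]
        acts.append(z if i == last else [math.tanh(v) for v in z])
    return acts


def mse(x, y):
    return sum((a - b) ** 2 for a, b in zip(x, y)) / len(x)


def train_autoencoder(train_set, sizes=(9, 4, 2, 4, 9), epochs=150, lr=0.01, seed=0):
    """S302, unsupervised: minimise MSE(x, model(x)) by backpropagation; no labels involved."""
    layers = init_layers(sizes, random.Random(seed))
    for _ in range(epochs):
        for x in train_set:
            acts = forward(layers, x)
            delta = [2.0 * (y - t) / len(x) for y, t in zip(acts[-1], x)]  # dL/dz at the output
            for i in range(len(layers) - 1, -1, -1):
                W, b = layers[i]
                a_prev = acts[i]
                d_prev = None
                if i > 0:  # gradient w.r.t. the previous tanh layer's pre-activation (uses W before update)
                    d_prev = [sum(W[j][k] * delta[j] for j in range(len(delta))) * (1 - a_prev[k] ** 2)
                              for k in range(len(a_prev))]
                for j, dj in enumerate(delta):
                    for k, ak in enumerate(a_prev):
                        W[j][k] -= lr * dj * ak
                    b[j] -= lr * dj
                if d_prev is not None:
                    delta = d_prev
    return lambda x: forward(layers, x)[-1]


def reconstruction_error(model, x):
    """S305: re = MSE(x_i, model(x_i))."""
    return mse(x, model(x))


def choose_threshold(model, train_set, margin=0.2):
    """S303 (assumption): largest error on the normal training flows, plus a safety margin."""
    return max(reconstruction_error(model, x) for x in train_set) * (1 + margin)


def detect(model, phi, flows):
    """S304-S309: index of the first flow whose error exceeds phi (alarm), or None if none does."""
    for i, x in enumerate(flows):
        if reconstruction_error(model, x) > phi:
            return i  # S309: alarm, attack detected
    return None  # S308: all flows checked, no attack detected


def build_demo(n_train=40, seed=1):
    """Train on constructed normal flows and pick phi; returns (model, phi, training set)."""
    rng = random.Random(seed)
    train = make_normal_flows(n_train, rng)
    model = train_autoencoder(train, seed=seed)
    return model, choose_threshold(model, train), train


if __name__ == "__main__":
    model, phi, train = build_demo()
    to_detect = make_normal_flows(5, random.Random(7)) + [ATTACK_FLOW]
    print("threshold phi =", round(phi, 4))
    for i, x in enumerate(to_detect):
        print(i, "re =", round(reconstruction_error(model, x), 4))
    print("first alarm at index:", detect(model, phi, to_detect))
```

The 2-dimensional bottleneck matters: normal flows lie close to a 2-factor structure that the code can carry through, while the attack flow breaks that structure and cannot be reconstructed, so its error stands out even though the model never saw an attack. The margin on φ is the knob that trades false alarms on unseen normal traffic against missed low-rate attacks; in practice it should be set from reconstruction errors on a held-out normal set, not on the training flows alone.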
In summary, the present embodiment provides a DDoS detection method based on unsupervised deep learning in an SDN, in which a data preprocessing and detection process is separated from a controller, and an independent detection engine is provided, so that a computational burden of the controller is effectively reduced; meanwhile, the method adopts an unsupervised deep learning algorithm, and does not need a data label for training the model, thereby reducing the expense for data labeling; furthermore, the deep learning algorithm is more suitable for learning from a large amount of data. The method can effectively detect the DDoS attack in the SDN.
The embodiment also provides a DDoS detection system based on unsupervised deep learning in the SDN, including:
a plurality of switches;
the SDN controller is internally provided with a flow data collector, and the flow data collector is used for collecting flow data of a switch in a network;
a separate detection engine comprising a pre-processing module and a detector module;
the data preprocessing module is used for preprocessing the collected streaming data and transmitting the preprocessed streaming data to the detector module;
the detector module is used for detecting the received stream data by adopting an auto-encoder based on an unsupervised deep learning model and detecting whether DDoS attack occurs or not.
The unsupervised deep learning-based DDoS detection system in the SDN according to the embodiment of the present invention can execute any combination of the implementation steps of the method embodiments, and has corresponding functions and beneficial effects.
The embodiment also provides a DDoS detection system based on unsupervised deep learning in the SDN, including:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement the method of fig. 3.
The unsupervised deep learning-based DDoS detection system in the SDN according to this embodiment can execute any combination of the implementation steps of the method embodiments, and has corresponding functions and beneficial effects.
The embodiment of the application also discloses a computer program product or a computer program, which comprises computer instructions, and the computer instructions are stored in a computer readable storage medium. The computer instructions may be read by a processor of a computer device from a computer-readable storage medium, and the computer instructions executed by the processor cause the computer device to perform the method illustrated in fig. 3.
The embodiment also provides a storage medium, which stores an instruction or a program capable of executing the unsupervised deep learning-based DDoS detection method in the SDN provided by the embodiment of the method of the present invention, and when the instruction or the program is run, the step of any combination implementation of the embodiment of the method can be executed, and the method has corresponding functions and beneficial effects.
In alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flow charts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed and in which sub-operations described as part of larger operations are performed independently.
Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless otherwise stated to the contrary, one or more of the described functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in a separate physical device or software module. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be understood within the ordinary skill of an engineer given the nature, function, and interrelationships of the modules. Accordingly, those skilled in the art can, using ordinary skill, practice the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative of and not intended to limit the scope of the invention, which is defined by the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the foregoing description of the specification, reference to the description of "one embodiment/example," "another embodiment/example," or "certain embodiments/examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A DDoS detection method based on unsupervised deep learning in an SDN is characterized by comprising the following steps:
setting a flow data collector on an SDN controller, and collecting flow data of a switch in a network;
setting an independent detection engine, wherein the detection engine comprises a preprocessing module and a detector module;
the data preprocessing module preprocesses the collected stream data and transmits the preprocessed stream data to the detector module;
the detector module adopts an auto-encoder based on an unsupervised deep learning model to detect the received stream data and detect whether DDoS attack occurs or not;
the preprocessing the collected flow data comprises:
extracting 9 fields from the stream data: stream duration seconds, stream duration nanoseconds, number of packets contained in the stream, number of bytes contained in the stream, source IP address, destination IP address, protocol type, source port number, destination port number;
converting the IP addresses in the source IP address and the destination IP address into numerical values expressed in decimal system;
carrying out feature scaling on the 9 fields subjected to numerical value conversion by adopting a z-score normalization method;
the detection engine resides as a stand-alone server in a network, the detection engine and the SDN controller communicating through a network socket.
2. The method of claim 1, wherein the collecting flow data of switches in a network comprises:
the flow data collector periodically sends a request message to the switch in the network by using an OpenFlow protocol;
after the switch receives the request message, feeding back a reply message;
the reply message includes the flow table entry data in the switch.
3. The unsupervised deep learning-based DDoS detection method in SDN of claim 1, wherein the auto-encoder comprises an encoder and a decoder, and wherein the network of the auto-encoder comprises an input layer, a first hidden layer, a bottleneck layer, a second hidden layer, and an output layer; the input layer, the first hidden layer and the bottleneck layer form an encoder;
the input layer takes a 9-dimensional vector as input, the input is compressed and converted into a 4-dimensional vector in the first hidden layer, the 4-dimensional vector is encoded into a 2-dimensional vector of the bottleneck layer again, and the vector obtained by the bottleneck layer is an encoding Code; in the decoder section, the encoding Code is extended into a 4-dimensional vector, and the 4-dimensional vector is decoded into a 9-dimensional vector of the output layer.
4. The DDoS detection method based on unsupervised deep learning in SDN according to claim 3, wherein the detecting received flow data and detecting whether a DDoS attack occurs includes:
inputting the preprocessed stream data serving as input data into a model trained in an unsupervised mode to obtain output data;
and calculating the reconstruction error of the input data and the output data, and judging that the DDoS attack occurs if the reconstruction error exceeds a preset threshold value.
5. The method of claim 1, wherein the step of training the unsupervised deep learning model comprises:
dividing the preprocessed flow data into a training set and a testing set, wherein labels are not added in the training set, and labels are added in the testing set;
and training the unsupervised deep learning model by adopting a training set, and evaluating the trained unsupervised deep learning model by adopting a testing set.
6. A DDoS detection system based on unsupervised deep learning in an SDN (software defined network), comprising:
a plurality of switches;
the SDN controller is internally provided with a flow data collector, and the flow data collector is used for collecting flow data of a switch in a network;
a separate detection engine comprising a pre-processing module and a detector module;
the data preprocessing module is used for preprocessing the collected stream data and transmitting the preprocessed stream data to the detector module;
the detector module is used for detecting the received flow data by adopting an auto-encoder based on an unsupervised deep learning model and detecting whether DDoS attack occurs or not;
the preprocessing the collected flow data comprises:
extracting 9 fields from the stream data: stream duration seconds, stream duration nanoseconds, number of packets contained in the stream, number of bytes contained in the stream, source IP address, destination IP address, protocol type, source port number, destination port number;
converting the IP addresses in the source IP address and the destination IP address into numerical values expressed in decimal system;
carrying out feature scaling on the 9 fields subjected to numerical value conversion by adopting a z-score normalization method;
the detection engine resides as a stand-alone server in a network, the detection engine and the SDN controller communicating through a network socket.
7. A DDoS detection system based on unsupervised deep learning in an SDN (software defined network), comprising:
at least one processor;
at least one memory for storing at least one program;
when the at least one program is executed by the at least one processor, the at least one program causes the at least one processor to implement the method of any one of claims 1-5.
8. A storage medium having stored therein a program executable by a processor, wherein the program executable by the processor is adapted to perform the method according to any one of claims 1-5 when executed by the processor.
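The claimed preprocessing (claim 1: the nine flow fields, IP addresses converted to decimal integers, z-score scaling) and the reconstruction-error decision (claims 4 and 5: a threshold calibrated on an unlabelled training set), as an added Python example that is not part of the patent. The dict keys, the constructed sample flows and the `stand_in_model` that substitutes for the trained 9-4-2-4-9 auto-encoder are assumptions.

```python
import ipaddress
import statistics

# The 9 flow fields of claim 1, in the claimed order (the dict keys are an assumption).
FIELDS = ("duration_sec", "duration_nsec", "packet_count", "byte_count",
          "src_ip", "dst_ip", "protocol", "src_port", "dst_port")

def to_numeric(flow: dict) -> list:
    """Extract the 9 fields; IPv4/IPv6 addresses become their decimal integer value."""
    return [float(int(ipaddress.ip_address(flow[f]))) if f in ("src_ip", "dst_ip")
            else float(flow[f]) for f in FIELDS]

def fit_zscore(rows):
    """Per-field mean/std from the unlabelled training set (claim 5); a constant field keeps std 1."""
    cols = list(zip(*rows))
    return ([statistics.fmean(c) for c in cols],
            [statistics.pstdev(c) or 1.0 for c in cols])

def zscore(row, means, stds):
    return [(x - m) / s for x, m, s in zip(row, means, stds)]

def reconstruction_error(x, x_hat) -> float:
    """Mean squared error between auto-encoder input and output (claim 4)."""
    return sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x)

def stand_in_model(z):
    """Placeholder for the trained 9-4-2-4-9 auto-encoder: reconstructs the training mean (all zeros after z-scoring)."""
    return [0.0] * len(z)

def calibrate(train_flows, model=stand_in_model, k=3.0):
    """Fit the scaler on unlabelled flows and set the threshold at mean + k*std of their error."""
    means, stds = fit_zscore([to_numeric(f) for f in train_flows])
    errs = [reconstruction_error(z, model(z))
            for z in (zscore(to_numeric(f), means, stds) for f in train_flows)]
    return means, stds, statistics.fmean(errs) + k * statistics.pstdev(errs)

def is_ddos(flow, means, stds, thr, model=stand_in_model) -> bool:
    """Claim 4: flag the flow when its reconstruction error exceeds the threshold."""
    z = zscore(to_numeric(flow), means, stds)
    return reconstruction_error(z, model(z)) > thr

def _flow(sec, pkts, ip, port):  # constructed sample flow records, not captured traffic
    return dict(duration_sec=sec, duration_nsec=0, packet_count=pkts, byte_count=1000 * pkts,
                src_ip=ip, dst_ip="10.0.0.100", protocol=6, src_port=port, dst_port=80)

TRAIN_FLOWS = [_flow(10, 100, "10.0.0.1", 40000), _flow(12, 100, "10.0.0.2", 41000),
               _flow(10, 120, "10.0.0.3", 40000), _flow(12, 120, "10.0.0.4", 41000)]
BENIGN_FLOW = _flow(11, 110, "10.0.0.2", 40500)        # close to the training flows
ATTACK_FLOW = _flow(1, 50000, "203.0.113.7", 12345)     # flood-like packet rate
```

After `means, stds, thr = calibrate(TRAIN_FLOWS)`, `is_ddos(ATTACK_FLOW, means, stds, thr)` is True and the benign flow is not flagged; replacing `stand_in_model` with the trained auto-encoder's forward pass gives the claimed detector.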
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110361206.7A CN113194071B (en) 2021-04-02 2021-04-02 Method, system and medium for detecting DDoS (distributed denial of service) based on unsupervised deep learning in SDN (software defined network)

Publications (2)

Publication Number Publication Date
CN113194071A CN113194071A (en) 2021-07-30
CN113194071B true CN113194071B (en) 2023-03-21

Family

ID=76974736

Country Status (1)

Country Link
CN (1) CN113194071B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656846A (en) * 2017-01-17 2017-05-10 大连理工大学 Construction method of coordination layer in software defined network (SDN) architecture

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534133B (en) * 2016-11-17 2019-10-29 浙江工商大学 DDOS defence installation and method based on deep learning in a kind of SDN
US20180152475A1 (en) * 2016-11-30 2018-05-31 Foundation Of Soongsil University-Industry Cooperation Ddos attack detection system based on svm-som combination and method thereof
CN110011999B (en) * 2019-03-29 2021-02-26 东北大学 IPv6 network DDoS attack detection system and method based on deep learning




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant