CN113411351B - DDoS attack elastic defense method based on NFV and deep learning - Google Patents


Info

Publication number
CN113411351B
Authority
CN
China
Prior art keywords
flow
detection
cleaning
attack
nfv
Prior art date
Legal status
Active
Application number
CN202110868763.8A
Other languages
Chinese (zh)
Other versions
CN113411351A (en)
Inventor
孟相如
韩晓阳
康巧燕
孟庆微
翟东
阳勇
Current Assignee
Air Force Engineering University of PLA
Original Assignee
Air Force Engineering University of PLA
Priority date
Filing date
Publication date
Application filed by Air Force Engineering University of PLA
Publication of CN113411351A
Application granted
Publication of CN113411351B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1441 Countermeasures against malicious traffic
                    • H04L 63/1458 Denial of Service
            • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
        • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/14 Network analysis or design
                • H04L 41/142 Network analysis or design using statistical or mathematical methods
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
        • G06N 3/00 Computing arrangements based on biological models
            • G06N 3/02 Neural networks
                • G06N 3/04 Architecture, e.g. interconnection topology
                    • G06N 3/045 Combinations of networks
                • G06N 3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
        • Y02D 30/00 Reducing energy consumption in communication networks
            • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to an elastic DDoS attack defense method based on NFV and deep learning and belongs to the technical field of networks. First, a two-stage flow detection cleaning device based on information entropy and a convolutional neural network is designed: the initial detection stage uses information entropy to improve detection efficiency, and the cleaning stage uses a convolutional neural network to improve detection precision. Second, NFV is deployed in the form of service function chains (SFCs), and a flow detection cleaning device is deployed in a distributed manner at the traffic ingress node of each SFC, avoiding the longer links and added delay that a centralized deployment of the devices would cause. Finally, an on-demand expansion mechanism for the flow detection cleaning device is designed, so that resources can be expanded rapidly and the network's ability to cope with DDoS attacks is improved.

Description

DDoS attack elastic defense method based on NFV and deep learning
Technical Field
The invention relates to a DDoS (Distributed Denial of Service) attack elastic defense method based on NFV (Network Function Virtualization) and deep learning. It comprises the design of a two-stage flow detection cleaning device based on information entropy and a convolutional neural network, and an elastic expansion mechanism for that device within NFV, and belongs to the technical field of networks.
Background
The literature Ihsan H. Abdulqader, Deqing Zou, Israa T. Aziz, Bin Yuan, Weiqi Dai, "Deployment of robust security scheme in SDN based 5G network over NFV enabled cloud environment" proposes the HFANN method against DDoS attacks. The method detects DDoS attacks with an entropy method in the SDN controller and redirects suspicious packets to virtualized flow cleaning equipment. There, a hybrid fuzzy neural network divides the suspicious traffic into legal and malicious traffic; legal traffic is delivered to the user and malicious traffic is discarded. The literature Nurefsan Sertbas Bulbul and Mathias Fischer, "SDN/NFV-based DDoS mitigation via pushback" provides a DDoS coping method based on SDN and NFV, the pushback method for short, which distinguishes legal from malicious traffic more accurately and uses a pushback mechanism to block the sources of DDoS traffic, achieving better results. However, the HFANN and pushback methods have the following problems:
(1) The HFANN method and the pushback method detect and clean traffic with a hybrid fuzzy neural network and a pushback mechanism respectively; their detection and cleaning precision still needs to be improved.
(2) The HFANN method improves DDoS coping capability by sharing resources among different cleaning modules, so the capability can only scale within a limited range; sharing resources across cleaning modules also makes the deployed virtual links too long, and resource utilization is low.
(3) In the pushback method the processing capacity of the cleaning module is fixed and expansion of the security module is not considered, so its elasticity against DDoS attacks is poor. To guarantee a high detection and cleaning capability, a large amount of detection and cleaning resources must be deployed up front, and resource utilization is low.
Disclosure of Invention
Technical problem to be solved
Aiming at the weak defensive capability of current DDoS coping methods in NFV, the invention provides an elastic DDoS attack defense method based on NFV and deep learning.
Technical proposal
The flow detection cleaning device is characterized by comprising a flow primary detection module and a basic cleaning module. The flow primary detection module monitors the entropy change of arriving packets online and, when a DDoS attack is detected, generates a flow cleaning request; the basic cleaning module cleans the traffic with a deep learning method, filtering out malicious traffic and delivering legal traffic to the user.
Preferably: if the arriving suspicious packets exceed the processing capacity of the basic cleaning module, an extended cleaning module is added after the basic cleaning module.
The DDoS attack elastic defense method based on NFV and deep learning is characterized in that the flow detection cleaning device is deployed in a distributed manner at the traffic ingress node of each SFC, and comprises the following steps:
When the number of packets arriving per unit time exceeds a set threshold T1, the flow primary detection module is started and performs initial detection with the entropy method. For a packet unit formed by M sampled packets, if the entropy does not exceed a threshold T2, the unit is considered free of malicious traffic and is delivered directly to the user as legal traffic; if the entropy exceeds T2, the sampled frames are handed to the flow cleaning module, which cleans and filters them with a convolutional neural network, and a suspicious-traffic cleaning strategy is determined from the number of suspicious packets. If the arriving suspicious packets exceed the processing capacity of the basic cleaning module, rapid expansion is used to deploy flow cleaning resources on demand; the flow cleaning module discards malicious traffic directly and the cleaned traffic is delivered to the user.
Preferably: the model used by the convolutional neural network method consists, in sequence, of convolutional, pooling and fully connected layers: three convolutional layers, two 2×2 max-pooling layers and two fully connected layers (see Fig. 2). The first convolutional layer uses 32 5×5 kernels, the second and third convolutional layers use 64 3×3 kernels, the first fully connected layer contains 128 neurons and the second fully connected layer contains 64 neurons.
An evaluation method for the DDoS attack elastic defense method based on NFV and deep learning is characterized in that three indexes are used: detection accuracy, false negative rate and detection error rate;
the detection accuracy is the percentage of packets judged by the detection model to be of attack type that are truly attack packets, expressed as:
Figure BDA0003188287440000031
the false negative rate is the percentage of attack-type packets that the detection model fails to identify, relative to the number of packets of all attack types, expressed as:
Figure BDA0003188287440000032
the detection error rate is the percentage of packets that the detection model fails to identify correctly, relative to the total number of packets, expressed as:
Figure BDA0003188287440000033
where TP is the number of samples of actual type DDoS attack that the classification model labels as DDoS attack, TN is the number of samples of actual type legitimate traffic that the model labels as legitimate traffic, FN is the number of samples of actual type DDoS attack traffic labelled as legitimate traffic, and FP is the number of samples of actual type legitimate traffic labelled as DDoS attack traffic.
A computer system, comprising: one or more processors, a computer-readable storage medium storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a DDoS attack elastic defense method based on NFV and deep learning.
A computer readable storage medium, characterized by storing computer executable instructions that when executed are configured to implement a DDoS attack resilience defense method based on NFV and deep learning.
A computer program comprising computer executable instructions which when executed are adapted to implement a DDoS attack resilience defense method based on NFV and deep learning.
Advantageous effects
The invention provides a two-stage flow detection cleaning device based on information entropy and a convolutional neural network, together with a distributed deployment method for that device. It further provides an elastic expansion mechanism for the device within NFV: NFV is used to expand resources rapidly and on demand, improving the network's elasticity against DDoS attacks.
A DDoS attack can cause a sharp surge in traffic. Inspecting all incoming traffic would consume large resources and unavoidably add network delay, and when the attack traffic grows beyond the network's processing capacity the quality of service degrades severely. The two-stage device addresses this as summarized in the abstract: entropy-based initial detection for efficiency, convolutional-neural-network cleaning for precision, distributed placement at the traffic ingress node of each SFC to avoid the longer links and delay of a centralized deployment, and on-demand expansion so that cleaning resources grow with the attack.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to refer to like parts throughout the several views.
FIG. 1 is a flow detection purge module workflow in accordance with the present invention.
Fig. 2 is a convolutional neural network model constructed in accordance with the present invention.
FIG. 3 is a graph of the comparison of detection accuracy in the present invention.
FIG. 4 is a graph of the comparative results of the rate of missing report in the present invention.
FIG. 5 is a graph of false positive rate versus result in the method of the present invention.
Fig. 6 is a graph of the comparison of attack response success rate in the method of the present invention.
FIG. 7 is a graph of resource utilization versus results in the method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
Referring to fig. 1 to 7, the specific implementation process is as follows:
1. flow detection cleaning device design
A dedicated virtual flow detection cleaning device is deployed, using NFV, upstream of the traffic ingress node of each SFC, and the detection and cleaning method is optimized, which improves the network's ability to cope with DDoS attacks. The invention designs a two-stage flow detection cleaning device placed in front of the traffic ingress of each SFC service and raises detection and cleaning precision with a deep learning method, thereby strengthening the network against DDoS attacks. The device comprises an entropy-based flow primary detection module, a basic cleaning module and an extended cleaning module. The entropy-based primary detection module and the basic cleaning module are the base configuration; the extended cleaning module can be temporarily expanded and withdrawn. The specific design is shown in Fig. 1.
As shown in Fig. 1, the two-stage flow detection and cleaning workflow is as follows. In the initial detection stage the flow detection module monitors packets online; when the number of packets arriving per unit time exceeds the set threshold T1, the flow primary detection module is started and performs initial detection with the entropy method. For a packet unit formed by M sampled packets, if the entropy does not exceed the threshold T2, the unit is considered free of malicious traffic and is delivered directly to the user as legal traffic. If the entropy exceeds T2, the sampled frames are handed to the flow cleaning module, which cleans and filters them with a convolutional neural network, and a suspicious-traffic cleaning strategy is determined from the number of suspicious packets. If the arriving suspicious packets exceed the processing capacity of the basic cleaning module, rapid expansion is used to deploy cleaning resources on demand; the flow cleaning module discards malicious traffic directly and delivers the cleaned traffic to the user. The two-stage method reduces the load on the flow detection cleaning device, shortens network delay, and improves detection precision and resource utilization.
2. Flow initial detection method based on information entropy
Entropy, also known as information entropy or Shannon entropy, reflects the uncertainty of a random variable: the more uncertain the variable, the greater the entropy. A change in entropy therefore reflects a change in the characteristics of the packets in the traffic. We calculate the entropy of a sample of packets with Shannon's formula:
Figure BDA0003188287440000061
Figure BDA0003188287440000062
where the data sample X = {x_i; i = 1, 2, …, N} indicates that value x_i occurs n_i times in the sample, and p(x_i) is the probability that value i occurs in the sample.
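The page's two equations survive only as image references; written out here from the definitions in the surrounding text (an added reconstruction, with M the number of packets in the unit as defined below and base-2 logarithms assumed so that the entropy is in bits; any fixed base works for thresholding):

$$H(X) = -\sum_{i=1}^{N} p(x_i)\,\log_2 p(x_i)$$

$$p(x_i) = \frac{n_i}{M}, \qquad \sum_{i=1}^{N} n_i = M$$

With M packets whose source addresses take N distinct values, H(X) ranges from 0 (all packets from one source) to log2(N), which is why the threshold T2 must be set against the entropy interval measured on normal traffic for the chosen M rather than a fixed constant.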
The source and destination IP addresses reflect the state of the traffic well, and because the invention deploys the flow detection cleaning device in a distributed manner at the traffic ingress nodes, we choose to track the entropy of the source IP address to judge whether the traffic contains attack traffic. Consecutive packets are divided into packet units of a fixed number of packets M, the entropy of each unit is computed, and M is chosen according to the network load. Normally the source IP addresses of traffic in a continuously collected dataset are relatively stable; under a DDoS attack the randomness of the source addresses increases and the entropy changes markedly. Once the entropy interval of source IP addresses in normal traffic has been measured, the threshold T2 can be set from that interval. A well-chosen T2 prevents a high false alarm rate and added network delay and lightens the load on the flow cleaning module.
When computing the entropy of the packet units, the entropy of the M consecutive packets in the first unit is computed first. If the source-IP entropy exceeds the threshold T2, the traffic is considered abnormal and the flow cleaning module is started to clean it, discarding any malicious traffic and delivering legal traffic to the user. Otherwise the traffic is considered normal, is delivered directly to the user, and the entropy of the next packet unit is computed. The number of packets M in a unit is chosen in relation to the load of the experimental network. If M is too large, the entropy change is not obvious and initial-detection sensitivity drops; if it is too small, the entropy fluctuates too widely and the initial-detection false alarm rate rises. A too-large M also increases the propagation delay of packets in the network and hurts quality of service, so M must be chosen sensibly for the network load.
When the proportion of DDoS attack traffic is low, the entropy change of a packet unit is not obvious and the unit cannot be detected. Since the purpose of initial detection is to keep the network service running, DDoS attack packets may still be present in the delivered legal traffic: a packet unit whose entropy does not exceed the threshold is treated as not affecting normal network service. This processing improves detection efficiency, prevents a high false alarm rate and reduces the workload of the flow cleaning module.
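The initial detection stage described in section 1 and in this section, as an added Python example that is not the patent's code: the source-IP entropy of each M-packet unit is computed with Shannon's formula and compared against T2, and the stage only runs once the arrival rate passes T1. The traffic, the address ranges and the values M = 64, T1 = 200 packets/s and T2 = 3.5 bits are constructed for the example; the patent leaves M, T1 and T2 to be chosen from the measured baseline. The last case shows the limitation discussed above: a unit with a low proportion of spoofed packets stays under T2 and is delivered.

```python
import math
import random
from collections import Counter

# Assumed values for the example; the patent chooses M, T1 and T2 from the
# measured baseline of the deployment, not from fixed constants.
M = 64      # packets per packet unit
T1 = 200    # arrival rate (packets/s) above which initial detection is started
T2 = 3.5    # source-IP entropy (bits) above which a unit is handed to cleaning


def source_ip_entropy(unit):
    """Shannon entropy in bits of the source-IP distribution of one packet unit:
    H = -sum(p_i * log2 p_i) with p_i = n_i / len(unit)."""
    n = len(unit)
    return -sum(c / n * math.log2(c / n) for c in Counter(unit).values())


def packet_units(packets, m=M):
    """Split a packet stream into consecutive units of m packets (an incomplete
    tail is left for the next sampling window and not scored here)."""
    return [packets[i:i + m] for i in range(0, len(packets) - m + 1, m)]


def triage(packets, pps, t1=T1, t2=T2, m=M):
    """Initial detection stage. Returns (deliver, suspicious).

    Below T1 the stage is not started and everything is delivered; otherwise
    a unit whose entropy does not exceed T2 is delivered as legal traffic and
    a unit above T2 is queued for the CNN cleaning module.
    """
    if pps <= t1:
        return list(packets), []
    deliver, suspicious = [], []
    for unit in packet_units(packets, m):
        (suspicious if source_ip_entropy(unit) > t2 else deliver).extend(unit)
    return deliver, suspicious


# Constructed traffic: a packet is represented only by its source IP string.
CLIENTS = [f"10.0.0.{i}" for i in range(1, 9)]   # 8 stable clients -> H <= 3 bits


def synth_normal(n, rng):
    return [rng.choice(CLIENTS) for _ in range(n)]


def synth_flood(n, rng):
    """Spoofed flood: every packet claims a fresh random source address."""
    return [".".join(str(rng.randrange(1, 255)) for _ in range(4)) for _ in range(n)]


def low_ratio_unit():
    """One unit with 60 normal packets (round-robin over the clients) and
    4 spoofed packets; its entropy stays under T2 (about 3.27 bits)."""
    return [CLIENTS[i % len(CLIENTS)] for i in range(60)] + \
           [f"203.0.113.{i}" for i in range(1, 5)]


def demo(seed=7):
    rng = random.Random(seed)
    return {
        "normal": triage(synth_normal(4 * M, rng), pps=500),
        "flood": triage(synth_flood(4 * M, rng), pps=5000),
        "idle": triage(synth_flood(4 * M, rng), pps=50),
        "low_ratio": triage(low_ratio_unit(), pps=500),
    }


if __name__ == "__main__":
    for name, (deliver, suspicious) in demo().items():
        print(f"{name:10s} delivered={len(deliver):4d} suspicious={len(suspicious):4d}")
```

The "idle" case is the T1 gate: the same flood is delivered untouched when the arrival rate is below T1, so T1 has to sit below the rate at which an attack becomes harmful, not at the rate at which it becomes obvious.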
3. Flow cleaning method based on deep learning
(1) Deep learning model
Compared with conventional classification methods, deep learning can learn directly from raw traffic and fit a more complex function through a multi-layer neural network, giving higher-precision classification of legal and attack traffic. Deep learning has mainly developed in image, speech and natural language processing, so the main idea of applying it to traffic classification is to convert the traffic into image or text form and process it with the mature architectures and algorithms of those fields.
A convolutional neural network is a feedforward network that typically contains one or more convolutional layers followed by one or more fully connected layers, as in a standard multi-layer network. The invention preprocesses traffic into image form and processes it with the convolutional neural network shown in Fig. 2, which comprises three convolutional layers, two pooling layers and two fully connected layers. The first convolutional layer uses 32 5×5 kernels, the second and third use 64 3×3 kernels, each pooling layer uses 2×2 max pooling, the first fully connected layer contains 128 neurons and the second contains 64 neurons. Compared with a standard feedforward network of the same depth, this model takes raw data directly as input, learns the relevant features from a large number of samples, and avoids a complex hand-crafted feature extraction step. The model also has fewer neurons and parameters, is simple to train, and gives higher detection precision.
The first convolutional layer extracts shallow features from the input traffic image; the max-pooling layer then keeps the key features, reducing the parameters and the primary features, preventing overfitting and improving generalization. Each further convolution and pooling layer abstracts higher-dimensional features from those of the previous layer so that different traffic is distinguished more accurately; finally the resulting feature maps are flattened, passed through the fully connected layers and fed to a softmax that forms the classifier of legal versus attack traffic.
(2) Flow cleaning method
The deep-learning-based flow cleaning method is a supervised method: legal and attack traffic are classified through offline training and online classification, so that attack traffic is cleaned and filtered accurately.
Training: the offline training set comprises legal traffic and DDoS attack traffic, both converted into image form by the same preprocessing (taking part of the raw traffic or its primary characteristics). Traffic images and their labels form the training set, with normal traffic labelled 0 and DDoS attack traffic labelled 1. The labelled image set is fed to the convolutional neural network for offline learning; the cost function is obtained by comparing the model's predicted output with the actual labels, the cost is backpropagated to optimize the model parameters, and finally a converged network is obtained that serves as the classifier of legal and attack traffic.
Flow cleaning: test data are converted into image form by the same preprocessing and fed to the trained network, which predicts whether the data are DDoS attack traffic; malicious traffic is discarded directly and legal traffic is delivered to the user, completing the cleaning task.
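The preprocessing and model-shape bookkeeping behind the training and cleaning steps above, as an added Python example that is not the patent's code: raw packet bytes are truncated or zero-padded to a fixed square byte matrix (28×28 is an assumed size; the page does not state one) and labelled 0/1, and the layer shapes and trainable parameter count of the network described for Fig. 2 are traced for that input so the flattened size feeding the first fully connected layer is known before training. The ordering conv, pool, conv, pool, conv and 'valid' (no-padding, stride-1) convolutions are assumptions where the page does not say.

```python
IMG = 28  # assumed side of the square traffic image (784 bytes per sample)


def packet_to_image(raw, side=IMG):
    """Truncate or zero-pad raw packet bytes to side*side and return a
    side x side matrix of byte values (0..255), one 'pixel' per byte."""
    n = side * side
    buf = bytes(raw[:n]) + b"\x00" * max(0, n - len(raw))
    return [list(buf[r * side:(r + 1) * side]) for r in range(side)]


def build_dataset(samples, side=IMG):
    """samples: iterable of (raw_bytes, label), label 0 = legal, 1 = DDoS.
    Returns (images, labels) ready for a CNN with one input channel."""
    images, labels = [], []
    for raw, label in samples:
        if label not in (0, 1):
            raise ValueError(f"label must be 0 or 1, got {label!r}")
        images.append(packet_to_image(raw, side))
        labels.append(label)
    return images, labels


# Architecture from the page: 32x(5x5) conv, 2x2 max pool, 64x(3x3) conv,
# 2x2 max pool, 64x(3x3) conv, FC 128, FC 64, softmax over 2 classes.
# The position of the second pool and 'valid' padding are assumptions.
LAYERS = [
    ("conv", 32, 5), ("pool", 2), ("conv", 64, 3), ("pool", 2), ("conv", 64, 3),
    ("fc", 128), ("fc", 64), ("fc", 2),
]


def trace_shapes(side=IMG, channels=1, layers=LAYERS):
    """Return ([(kind, h, w, c) per layer], trainable parameter count) for
    'valid' convolutions (stride 1) and non-overlapping max pooling."""
    h = w = side
    c = channels
    params = 0
    shapes = []
    for layer in layers:
        kind = layer[0]
        if kind == "conv":
            _, filters, k = layer
            if k > h or k > w:
                raise ValueError(f"kernel {k} larger than feature map {h}x{w}")
            params += k * k * c * filters + filters       # weights + biases
            h, w, c = h - k + 1, w - k + 1, filters
        elif kind == "pool":
            h, w = h // layer[1], w // layer[1]
        elif kind == "fc":
            units = layer[1]
            params += h * w * c * units + units           # flatten, then dense
            h, w, c = 1, 1, units
        else:
            raise ValueError(f"unknown layer kind {kind!r}")
        shapes.append((kind, h, w, c))
    return shapes, params


if __name__ == "__main__":
    for kind, h, w, c in trace_shapes()[0]:
        print(f"{kind:5s} -> {h}x{w}x{c}")
    print("trainable parameters:", trace_shapes()[1])
```

For a 28×28 input the third convolution leaves a 3×3×64 map, so the first fully connected layer takes 576 inputs and the whole network has 138,498 trainable parameters; change IMG and the trace shows immediately whether the kernels still fit, which is the check to run before committing to a byte-window size.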
4. Elastic expansion mechanism of flow cleaning device
Current research assumes that the network's capacity to cope with DDoS attacks is fixed; when that limited capacity is exceeded, detection and cleaning rely on a cooperative mechanism or on third-party cloud services, which brings limited processing capability and user-privacy concerns and hardly meets real needs. The invention virtualizes the traffic cleaning function in software as a VNF (virtual network function), provides a dedicated flow cleaning device for each SFC, and achieves flexible deployment and rapid expansion of the cleaning function through a VNF rapid-expansion mechanism. When a DDoS attack is detected, the primary detection module generates a flow cleaning request, and the MANO (Management and Orchestration) orchestrator of the NFV architecture formulates a cleaning strategy from that request in time. When the attack traffic exceeds the load of the basic cleaning module, NFV rapid expansion is used to scale the cleaning resources and allocate them to the flow cleaning module on demand. Vertical scaling of the VNF is tried first; if vertical scaling cannot satisfy the requirement, horizontal scaling of the VNF completes the rapid expansion of the flow cleaning module on adjacent nodes. The arriving suspicious traffic is then cleaned promptly with the deep learning method, malicious traffic is filtered, legal traffic is delivered to the user, and normal operation of the service is assured. Because VNF vertical and horizontal scaling deploy quickly, quality of service is affected little.
Let BFR be the available resource of the basic cleaning module of the flow cleaning device, AFR that of the extended cleaning module, and RA the available resource of the node on which the device is deployed. The algorithm is as follows:
Input: network traffic
Output: traffic cleaning strategy FS
Figure BDA0003188287440000091
Figure BDA0003188287440000101
Figure BDA0003188287440000111
A traffic cleaning task is executed according to the strategy FS produced by the algorithm: malicious traffic is discarded directly and legal traffic is delivered to the user. If the attack traffic is too large and the extended cleaning module cannot be expanded, service continuity is maintained by reducing quality of service according to the service level agreement.
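The vertical-first, then horizontal, then degrade decision that the algorithm images above encode, as an added Python model that is not the patent's algorithm: `plan` computes the strategy FS from the suspicious-traffic rate, BFR, AFR and the RA of the device's node and its neighbours, and `release` withdraws the extended module when the attack subsides (the page says the extended module can be temporarily expanded and withdrawn). The assumption that one unit of node resource cleans one unit of traffic rate, the topology and all numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    ra: float                           # available resource RA on this node
    neighbours: List["Node"] = field(default_factory=list)


@dataclass
class Cleaner:
    node: Node                          # node hosting the basic cleaning module
    bfr: float                          # capacity of the basic module (BFR)
    afr: float = 0.0                    # capacity held by the extended module (AFR)
    afr_node: Optional[Node] = None     # node hosting the extended module

    def capacity(self) -> float:
        return self.bfr + self.afr


def release(cl: Cleaner) -> None:
    """Withdraw the extended module and hand its resource back to its node."""
    if cl.afr_node is not None:
        cl.afr_node.ra += cl.afr
    cl.afr, cl.afr_node = 0.0, None


def plan(cl: Cleaner, suspicious_rate: float) -> str:
    """Return the cleaning strategy FS for the current suspicious-traffic rate.
    Assumes one unit of node resource cleans one unit of rate."""
    extra = suspicious_rate - cl.bfr            # load the basic module cannot take
    if extra <= 0:
        release(cl)                             # attack over: scale back in
        return "basic"
    grow = extra - cl.afr
    if grow <= 0:
        return "extended"                       # current extension still suffices
    home = cl.afr_node or cl.node
    if home.ra >= grow:                         # 1) vertical: grow in place
        home.ra -= grow
        cl.afr += grow
        cl.afr_node = home
        return "vertical"
    for n in sorted(cl.node.neighbours, key=lambda n: n.ra, reverse=True):
        if n is not home and n.ra >= extra:     # 2) horizontal: move to a neighbour
            release(cl)
            n.ra -= extra
            cl.afr, cl.afr_node = extra, n
            return "horizontal"
    return "degrade"                            # 3) reduce QoS per the SLA


def demo() -> List[str]:
    """Constructed scenario: home node A with little headroom, neighbours B and C."""
    a, b, c = Node("A", ra=10), Node("B", ra=30), Node("C", ra=5)
    a.neighbours = [b, c]
    cl = Cleaner(node=a, bfr=20)
    return [plan(cl, r) for r in (15, 28, 35, 40, 80, 10)]


if __name__ == "__main__":
    print(demo())  # basic, vertical, horizontal, vertical, degrade, basic
```

Two details matter operationally: the horizontal step gives back the in-place extension before taking the whole `extra` on the neighbour, so resource is never double-booked during the move, and the scale-in on `extra <= 0` is what keeps utilization up after the attack; without it the extended module stays pinned at the peak allocation, which is the fixed-capacity problem the page attributes to the pushback method.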
5. Performance evaluation and analysis
The invention uses MATLAB simulation and two groups of experiments to compare the proposed method with two recent methods. Experiment one verifies the proposed flow detection and cleaning method; experiment two verifies the proposed elastic expansion mechanism.
(1) Experimental Environment setup
The physical network topology and the SFC topologies used in the experiments are generated by a modified Salam random topology generation algorithm. The invention assumes that the switch nodes and server nodes of the physical network are co-located, that there are 100 of them, and that the connectivity between nodes is 0.5. The available resources of server and switch nodes are uniformly distributed over [50, 80], and the available bandwidth of links between switches is uniformly distributed over [40, 50]. The experiments run 10 time-sensitive SFCs in the background, each carrying a different and unchanging service; one SFC is selected for verification, a flow cleaning module is added to that service function chain according to its service requirement, and the module can be expanded rapidly on demand.
The invention selects the three datasets shown in Table 1 for the simulation experiments and splits each into 60% training and 40% test data. The datasets also contain other network attacks; the invention only considers the DDoS attack traffic. The HFANN and pushback methods are used for comparison. To eliminate random error, each experiment is run 10 times with a different SFC each time, and the mean of the 10 runs is taken as the final result.
Table 1 data set for experiments
[Table 1 is given only as an image in the original; not reproduced here.]
(2) Experiment one: performance evaluation of the deep-learning-based flow cleaning method
This experiment evaluates the performance of the proposed detection method with three indices: detection accuracy (Acc), false negative rate (missing report rate, Fnr) and detection error rate (false detection rate, Der). Performance analysis and comparison of the three methods are carried out under the condition that the initial value of the flow cleaning module is 20.
The detection accuracy (Acc) represents the percentage of the packets judged by the detection model to be of attack type that are actually attack packets, and may be expressed as:
[Equation given only as an image in the original; not reproduced here.]
The false negative rate (Fnr) represents the percentage of attack-type packets that the detection model fails to identify, relative to the number of all attack-type packets, and can be expressed as:
[Equation given only as an image in the original; not reproduced here.]
The detection error rate (Der) represents the percentage of packets that the detection model fails to identify correctly, relative to the total number of packets, and may be expressed as:
[Equation given only as an image in the original; not reproduced here.]
where TP (true positive) is the number of samples of actual type DDoS attack that the classification model determines to be DDoS attacks, TN (true negative) is the number of samples of actual type legitimate traffic that the classification model determines to be legitimate traffic, FN (false negative) is the number of samples of actual type DDoS attack traffic determined to be legitimate traffic, and FP (false positive) is the number of samples of actual type legitimate traffic determined to be DDoS attack traffic.
As can be seen from fig. 3, with the initial value of the flow cleaning module at 20, the detection accuracy of the pushback method on the three data sets is 92.26%, 92.40% and 91.89%, respectively. The detection accuracy of the HFANN method on the three data sets is 94.25%, 93.54% and 94.62%, respectively. The detection accuracy of the DCNN method on the three data sets is 96.61%, 96.09% and 96.38%, respectively. Thus, when the initial value of the flow cleaning module is 20, the available resources of the flow cleaning module are sufficient, the detection accuracy of all three methods exceeds 90%, and all perform well. Compared with the other two methods, the DCNN method proposed by the invention is always optimal. This is because the DCNN method has the characteristics of local perception and weight sharing. Local perception means that the DCNN perceives only local pixels of the image and then combines the local information at a higher layer to obtain the full characterization of the image; neurons in different layers are connected locally, and each neuron responds only to the region within its receptive field. Such a local connection pattern ensures that the learned convolution kernels respond most strongly to the spatial local patterns of the input. Weight sharing brings the DCNN model closer to a biological neural network, reduces the complexity of the network model and reduces the number of weights. These two characteristics allow the DCNN method to achieve higher detection precision with a smaller layer depth and ensure that it filters attack flow better.
As can be seen from fig. 4, with the initial value of the flow cleaning module at 20, the false negative rate of the pushback method on the three data sets is 9.31%, 9.66% and 8.79%, respectively. The false negative rates of the HFANN method on the three data sets are 5.69%, 6.39% and 6.60%, respectively. The false negative rates of the proposed method on the three data sets are 2.48%, 2.03% and 1.96%, respectively; compared with the other two methods, its false negative rate is the lowest and its performance the best. This is because the local perception and weight sharing of the DCNN method bring the network model closer to a biological neural network and reduce model complexity, which improves detection precision, yields a lower false negative rate, filters malicious flow better, and thereby ensures the security of the network service.
As can be seen from fig. 5, with the initial value of the flow cleaning module at 20, the false detection rates of the pushback method on the three data sets are 8.54%, 7.96% and 8.35%, respectively. The false detection rates of the HFANN method on the three data sets are 4.60%, 5.34% and 4.83%, respectively. The false detection rates of the proposed method on the three data sets are 4.36%, 4.59% and 3.98%, respectively; compared with the other two methods, its false detection rate is the lowest and its performance the best. This is again due to the local perception and weight sharing of the DCNN method: the network model is closer to a biological neural network, the detection precision is higher, the false alarm rate is reduced as far as possible, malicious flow is filtered better, and the security of the network service is ensured.
(3) Experiment two: performance evaluation of the elastic expansion mechanism of the flow cleaning device
Experiment two verifies and evaluates the performance of the proposed elastic expansion mechanism with initial resource values of the flow cleaning module of 5, 10 and 20, respectively; the three data sets in Table 1 are taken as input for the simulation experiments, and the final result is computed statistically.
The attack response success rate is the ratio of the number of attacks that are effectively handled to the number of attacks that occur. By varying the initial resource value of the flow cleaning module, the attack response success rates of the three methods reflect algorithm performance more clearly. With initial resource values of the flow cleaning module of 5, 10 and 20, the attack response success rates of the three methods are compared in fig. 6.
As shown in fig. 6, as the initial resource value of the flow cleaning module increases, the attack response success rate of all three methods improves, which indicates that all three methods perform well when resources are sufficient. With an initial resource value of 5, the attack response success rates of the pushback, HFANN and DCNN methods are 76.31%, 84.29% and 90.48%, respectively. With an initial resource value of 10, the attack response success rates of the three methods are 83.25%, 90.89% and 92.31%, respectively. With an initial resource value of 20, they are 90.52%, 92.46% and 93.50%, respectively. The data show that as the initial resource value of the flow cleaning module increases, the response success rate of all three methods rises; with sufficient resources the attack response success rate exceeds 90% and the performance gap is small. In practice, however, resource limits make it difficult to guarantee sufficient available resources for every SFC, and the method of the invention maintains higher performance when the initial resource value of the flow cleaning module is small, outperforming the other two methods.
The resource utilization rate refers to the ratio of the flow cleaning resources used by each method to the flow cleaning resources actually occupied, under the condition of the same attack response success rate. Because the pushback and HFANN methods have low attack response success rates when the initial value of the flow cleaning module is 5 or 10, the invention compares the resource utilization of the three methods only on the premise of a high success rate (initial resource value of the flow cleaning module of 20), as shown in fig. 7.
As shown in fig. 7, while maintaining a high success rate (above 90%), the resource utilization rates of the pushback, HFANN and DCNN methods are 69.31%, 83.80% and 91.18%, respectively. The cleaning module of the pushback method is fixed and security module expansion is not considered, so a large amount of flow detection and cleaning resources must be deployed to ensure sufficient cleaning capacity, and resource utilization is low. The cleaning modules of the HFANN method are also fixed, but the attack response capability can be improved through resource sharing among different cleaning modules, so resource utilization improves to some extent compared with the pushback method; however, the problem of low resource utilization caused by overly long links remains. The DCNN method has a small basic cleaning module that can be temporarily expanded when needed and released afterwards, and therefore has the highest resource utilization. Under the realistic condition of limited resources, the DCNN method thus achieves higher flow detection and cleaning performance with fewer resources and better ensures the security of the network service.
Compared with the other two DDoS attack response methods, the DCNN method proposed by the invention has higher detection and cleaning precision, stronger elastic capability against DDoS attacks with dynamically changing flow, and superior overall performance.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made without departing from the spirit and scope of the invention.

Claims (5)

1. A DDoS attack elastic defense method based on NFV and deep learning, characterized in that a flow detection and cleaning device is deployed, using NFV technology, at the network flow inflow node of each SFC; the flow detection and cleaning device comprises a flow primary detection module and a flow cleaning module, the flow cleaning module comprises a basic cleaning module, the flow primary detection module monitors the entropy change of data packets online, and when a DDoS attack is detected the primary detection module generates a flow cleaning request; the flow cleaning module cleans using a deep learning method, filters malicious flow and delivers legal flow to the user; if the arriving suspicious data packets exceed the processing capacity of the basic cleaning module, an extended cleaning module is added after the basic cleaning module using NFV rapid expansion technology; the method comprises the following steps:
when the number of data packets arriving per unit time exceeds a set threshold T1, the flow primary detection module is started and performs primary detection using the entropy method; for a packet unit formed by M sampled data packets, if the entropy value does not exceed a threshold T2, the packet unit is considered free of malicious traffic and is delivered directly to the user as legal traffic; if the entropy exceeds the threshold T2, the sampled data packets are delivered to the flow cleaning module, cleaned and filtered using a convolutional neural network method, and a suspicious flow cleaning strategy is determined according to the number of suspicious data packets; if the arriving suspicious data packets exceed the processing capacity of the basic cleaning module, NFV rapid expansion technology is used to deploy flow cleaning resources rapidly on demand, the flow cleaning module discards malicious flow directly, and the cleaned flow is delivered to the user.
2. The DDoS attack elastic defense method based on NFV and deep learning according to claim 1, wherein the model used in the convolutional neural network method comprises, in sequence, a convolutional layer, a pooling layer, a convolutional layer and 2 fully-connected layers, wherein the first convolutional layer uses 32 convolution kernels of size 5×5, the second and third convolutional layers use 64 convolution kernels of size 3×3, the pooling layer uses 2×2 max pooling, the first fully-connected layer contains 128 neurons, and the second fully-connected layer contains 64 neurons.
3. An evaluation method for the DDoS attack elastic defense method based on NFV and deep learning of claim 1, characterized in that five indices are used for evaluation: detection accuracy, false negative rate, false detection rate, attack response success rate and resource utilization rate;
the detection accuracy represents the percentage of the packets judged by the detection model to be of attack type that are actually attack packets, expressed as follows:
[Equation given only as an image in the original; not reproduced here.]
the false negative rate represents the percentage of attack-type packets that the detection model fails to identify, relative to the number of all attack-type packets, expressed as follows:
[Equation given only as an image in the original; not reproduced here.]
the false detection rate represents the percentage of packets that the detection model fails to identify correctly, relative to the total number of packets, expressed as follows:
[Equation given only as an image in the original; not reproduced here.]
wherein TP is the number of samples of actual type DDoS attack that the classification model determines to be DDoS attacks, TN is the number of samples of actual type legal traffic that the classification model determines to be legal traffic, FN is the number of samples of actual type DDoS attack determined to be legal traffic, and FP is the number of samples of actual type legal traffic determined to be DDoS attacks;
the attack response success rate refers to the ratio of the number of attacks effectively handled to the number of attacks that occur, evaluated while varying the initial resource value of the flow cleaning module;
the resource utilization rate refers to the ratio of the flow cleaning resources used by each method to the flow cleaning resources actually occupied, under the condition of the same attack response success rate.
4. A computer system, comprising: one or more processors, a computer-readable storage medium storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of claim 3.
5. A computer readable storage medium, characterized by storing computer executable instructions that, when executed, are adapted to implement the method of claim 3.
CN202110868763.8A 2021-06-07 2021-07-30 DDoS attack elastic defense method based on NFV and deep learning Active CN113411351B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110631664 2021-06-07
CN2021106316648 2021-06-07

Publications (2)

Publication Number Publication Date
CN113411351A CN113411351A (en) 2021-09-17
CN113411351B true CN113411351B (en) 2023-06-27

Family

ID=77688089

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110868763.8A Active CN113411351B (en) 2021-06-07 2021-07-30 DDoS attack elastic defense method based on NFV and deep learning

Country Status (1)

Country Link
CN (1) CN113411351B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834459B (en) * 2022-10-10 2024-03-26 大连海事大学 Dynamic cleaning system and method for link flooding attack flow
CN117278262B (en) * 2023-09-13 2024-03-22 武汉卓讯互动信息科技有限公司 DDOS safety defense system based on deep neural network
Also Published As

Publication number Publication date
CN113411351A (en) 2021-09-17
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant