CN113630385B - DoS attack prevention and control method and device under SDN network - Google Patents

Publication number
CN113630385B
Authority
CN
China
Prior art keywords
network
shunting
abnormal flow
neural network
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN202110791809.0A
Other languages
Chinese (zh)
Other versions
CN113630385A (en
Inventor
吴立军
荆瑜林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN202110791809.0A priority Critical patent/CN113630385B/en
Publication of CN113630385A publication Critical patent/CN113630385A/en
Application granted granted Critical
Publication of CN113630385B publication Critical patent/CN113630385B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application discloses a DoS attack prevention and control method and device under an SDN network. The DoS attack prevention and control method under the SDN network comprises the following steps: acquiring abnormal traffic in the SDN network whose traffic value is greater than a preset threshold; acquiring a neural network for shunting; shunting the abnormal traffic according to the neural network for shunting; acquiring an abnormal traffic judgment model; and judging, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic, and if so, generating a blocking instruction. The method uses a deep reinforcement learning algorithm to shunt abnormal traffic according to the condition of the large network. Traditional prevention and control schemes mostly split traffic equally without considering the link conditions of the different branches of the large network, whereas reinforcement learning can plan the most suitable optimization scheme by learning from historical data.

Description

DoS attack prevention and control method and device under SDN network
Technical Field
The application relates to the technical field of network attack defense, and in particular to a DoS attack prevention and control method and a DoS attack prevention and control device under an SDN network.
Background
DoS (Denial of Service) attacks consume certain resources of a computer, such as computing resources and network connections, until those resources are exhausted, so that a server cannot provide services to legitimate users or can only provide degraded services. In the centralized architecture of an SDN network, the controller is the natural network center and is responsible for the management and control of the entire network, which makes it an easy target for DoS attacks. An attacker can attack ordinary switches, and the attacked switches then send a large number of packets to the controller, so that the link between the controller and the switches is blocked and the entire large network is paralyzed.
Accordingly, a technical solution is desired to overcome or at least alleviate at least one of the above-mentioned drawbacks of the prior art.
Disclosure of Invention
It is an object of the present invention to provide a DoS attack prevention and control method under an SDN network that overcomes or at least mitigates at least one of the above-mentioned disadvantages of the prior art.
One aspect of the present invention provides a DoS attack prevention and control method under an SDN network, the method including:
acquiring abnormal traffic in the SDN network whose traffic value is greater than a preset threshold;
acquiring a neural network for shunting;
shunting the abnormal traffic according to the neural network for shunting;
acquiring an abnormal traffic judgment model;
judging, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic, and if so,
generating a blocking instruction.
Optionally, the DoS attack prevention and control method under the SDN network further includes:
training the abnormal traffic judgment model.
Optionally, before acquiring the abnormal traffic in the SDN network whose traffic value is greater than the preset threshold, the DoS attack prevention and control method under the SDN network further includes:
initializing the network in the SDN large environment and starting the state of the controllers and switches.
Optionally, acquiring the neural network for shunting includes:
constructing a three-layer policy neural network for shunting;
constructing a three-layer discrimination neural network for shunting;
constructing a six-layer convolutional neural network for feature extraction;
inputting the topology of the whole SDN network into the convolutional neural network;
outputting, by the convolutional neural network, the abstracted SDN network features;
inputting the SDN network features into the policy neural network;
outputting, by the policy neural network, a shunting scheme;
inputting the shunting scheme into the discrimination network;
outputting, by the discrimination network, a score for the scheme;
shunting, by the SDN network, according to the shunting scheme;
calculating the change in QoS that the current shunting causes for the SDN network;
and training the discrimination neural network for shunting and the policy neural network for shunting, with minimizing the difference between the QoS change value and the score as the objective function.
Optionally, judging, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic includes:
feeding the abnormal traffic as input into the abnormal traffic judgment model;
acquiring the output of the abnormal traffic judgment model as the judgment result;
and back-propagating the error of the judgment result and updating the network parameters.
Optionally, training the abnormal traffic judgment model includes:
generating adversarial samples from historical data;
attacking the SDN network with the adversarial samples;
and judging each adversarial sample with the abnormal traffic judgment model.
The application also provides a DoS attack prevention and control device under an SDN network, comprising:
an abnormal traffic acquisition module, configured to acquire abnormal traffic in the SDN network whose traffic value is greater than a preset threshold;
a shunting neural network acquisition module, configured to acquire a neural network for shunting;
a shunting module, configured to shunt the abnormal traffic according to the neural network for shunting;
a judgment model acquisition module, configured to acquire an abnormal traffic judgment model;
a judgment module, configured to judge, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic;
and a blocking instruction generation module, configured to generate a blocking instruction when the judgment module's result is positive.
Optionally, the DoS attack prevention and control device under the SDN network further includes:
a training module, configured to train the abnormal traffic judgment model.
The application also provides an electronic device, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor executes the computer program to implement the DoS attack prevention and control method under the SDN network.
The present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the DoS attack prevention and control method under the SDN network.
Advantageous effects:
The DoS attack prevention and control method under the SDN network has the following advantages:
1. Abnormal traffic is shunted according to the condition of the large network using a deep reinforcement learning algorithm. Traditional prevention and control schemes mostly split traffic equally without considering the link conditions of the different branches of the large network, whereas reinforcement learning can plan the most suitable optimization scheme by learning from historical data.
2. Deep learning is used to analyze the abnormal traffic and judge whether it is attack traffic; if it is, a blocking instruction is issued.
3. To improve the accuracy and robustness of the model, the scheme also includes an adversarial layer module, which applies GAN technology to generate new adversarial attack samples from historical data; these samples are used to attack the network and to test the overall recognition accuracy of the model.
Drawings
Fig. 1 is a schematic flowchart of a DoS attack prevention and control method under an SDN network according to an embodiment of the present application.
Detailed Description
In order to make the implementation objects, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the drawings in the embodiments of the present application. In the drawings, the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The described embodiments are a subset of the embodiments in the present application and not all embodiments in the present application. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
It should be noted that the terms "first" and "second" in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Fig. 1 is a schematic flowchart of a DoS attack prevention and control method under an SDN network according to an embodiment of the present application.
The DoS attack prevention and control method under the SDN network shown in Fig. 1 comprises the following steps:
Step 1: acquiring abnormal traffic in the SDN network whose traffic value is greater than a preset threshold; it is understood that the preset threshold can be set as needed.
Step 2: acquiring a neural network for shunting;
Step 3: shunting the abnormal traffic according to the neural network for shunting;
Step 4: acquiring an abnormal traffic judgment model;
Step 5: judging, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic, and if so,
Step 6: generating a blocking instruction.
The DoS attack prevention and control method under the SDN network has the following advantages:
1. Abnormal traffic is shunted according to the condition of the large network using a deep reinforcement learning algorithm. Traditional prevention and control schemes mostly split traffic equally without considering the link conditions of the different branches of the large network, whereas reinforcement learning can plan the most suitable optimization scheme by learning from historical data.
2. Deep learning is used to analyze the abnormal traffic and judge whether it is attack traffic; if it is, a blocking instruction is issued.
3. To improve the accuracy and robustness of the model, the scheme also includes an adversarial layer module, which applies GAN technology to generate new adversarial attack samples from historical data; these samples are used to attack the network and to test the overall recognition accuracy of the model.
In this embodiment, the DoS attack prevention and control method under the SDN network further includes:
training the abnormal traffic judgment model.
In this embodiment, before acquiring the abnormal traffic in the SDN network whose traffic value is greater than the preset threshold, the DoS attack prevention and control method under the SDN network further includes:
initializing the network in the SDN large environment and starting the state of the controllers and switches.
In this embodiment, acquiring the neural network for shunting includes:
constructing a three-layer policy neural network for shunting;
constructing a three-layer discrimination neural network for shunting;
constructing a six-layer convolutional neural network for feature extraction;
inputting the topology of the whole SDN network into the convolutional neural network;
outputting, by the convolutional neural network, the abstracted SDN network features;
inputting the SDN network features into the policy neural network;
outputting, by the policy neural network, a shunting scheme;
inputting the shunting scheme into the discrimination network;
outputting, by the discrimination network, a score for the scheme;
shunting, by the SDN network, according to the shunting scheme;
calculating the change in QoS that the current shunting causes for the SDN network;
and training the discrimination neural network for shunting and the policy neural network for shunting, with minimizing the difference between the QoS change value and the score as the objective function.
In this embodiment, the abnormal traffic judgment model is specifically a three-layer neural network, namely an input layer, a hidden layer and an output layer, constructed according to the traffic features.
In this embodiment, judging, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic includes:
feeding the abnormal traffic as input into the abnormal traffic judgment model;
acquiring the output of the abnormal traffic judgment model as the judgment result;
and back-propagating the error of the judgment result and updating the network parameters.
In this embodiment, training the abnormal traffic judgment model includes:
generating adversarial samples from historical data;
attacking the SDN network with the adversarial samples;
and judging each adversarial sample with the abnormal traffic judgment model.
In this embodiment, to improve the accuracy and robustness of the model, the scheme also includes an adversarial layer module, which applies GAN technology to generate new adversarial attack samples from historical data and uses the samples to attack the network in order to test the overall recognition accuracy of the model. The specific process is as follows:
initializing a four-layer discrimination network;
initializing a five-layer generation network;
initializing a three-layer convolutional network;
taking time as a dimension, abstracting the traffic of the branches in the network at a given time into a two-dimensional array whose length and width are both the number of nodes;
inputting the two-dimensional array into the convolutional network to obtain the traffic features at that moment;
inputting the features into the generation network to generate a traffic matrix;
inputting the traffic matrix into the discrimination network to obtain the score of the data generated this time;
and updating the discrimination network and the generation network with the discrimination network's score as the loss function, until the generation network can generate a higher traffic matrix.
The present application is described in further detail below by way of example; it should be understood that the example does not limit the present application.
First, the network is initialized in the SDN large environment using the initSdnEnv() function, starting the state of the underlying controllers and switches.
Traffic information in the network is collected through the function searchlabnormalflow() to find abnormal traffic.
The function divideFlow() shunts the abnormal traffic using a reinforcement learning algorithm, so that the whole large network keeps working normally before it has been determined whether the abnormal traffic is a DoS attack.
The function judgFlow() judges the abnormal traffic using a deep learning algorithm to determine whether it is DoS attack traffic; if so, a blocking instruction is issued through the function stopFlow().
When there is no abnormal traffic in the whole network, the system calls generaFlow() to generate adversarial samples using the GAN, thereby simulating network attacks and improving the accuracy of the detection model.
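The loop described above, reduced to the steps that need no live SDN controller (threshold screening, the three-layer judgment model trained by backpropagation, and the blocking instruction), as an added example that is not code from the patent. The function names only mirror the patent's; the feature vector, threshold, training history, flow statistics and instruction format are all constructed assumptions, and shunting and GAN sample generation are left out.

```python
import math
import random

PRESET_THRESHOLD_PPS = 5000.0  # assumed; the patent leaves the threshold to the operator
MAX_PPS = 20000.0              # assumed normalisation constant for the rate feature


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class ThreeLayerNet:
    """Input layer -> hidden layer -> output layer, trained by backpropagation."""

    def __init__(self, n_in, n_hidden, seed=7):
        rng = random.Random(seed)  # fixed seed keeps the example reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)]
                   for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, out

    def train_step(self, x, target, lr=0.5):
        hidden, out = self.forward(x)
        d_out = out - target  # cross-entropy gradient at the output unit
        for j, h in enumerate(hidden):
            # Error propagated back to hidden unit j (uses w2[j] before its update).
            d_hid = d_out * self.w2[j] * h * (1.0 - h)
            self.w2[j] -= lr * d_out * h
            self.b1[j] -= lr * d_hid
            for i, xi in enumerate(x):
                self.w1[j][i] -= lr * d_hid * xi
        self.b2 -= lr * d_out


def features(flow):
    """Hypothetical features: packet rate, flow-table miss ratio, source spread."""
    return [min(flow["pps"] / MAX_PPS, 1.0), flow["miss_ratio"], flow["src_spread"]]


# Constructed training history: (features, label), label 1.0 = attack traffic.
HISTORY = [
    ([0.90, 0.95, 0.90], 1.0), ([0.70, 0.90, 0.85], 1.0),
    ([0.50, 0.85, 0.95], 1.0), ([0.95, 0.80, 0.80], 1.0),
    ([0.90, 0.05, 0.05], 0.0), ([0.60, 0.10, 0.10], 0.0),
    ([0.80, 0.15, 0.20], 0.0), ([0.40, 0.02, 0.05], 0.0),
]


def train_judgment_model(epochs=2000):
    net = ThreeLayerNet(n_in=3, n_hidden=4)
    for _ in range(epochs):
        for x, label in HISTORY:
            net.train_step(x, label)
    return net


def search_abnormal_flow(stats, threshold=PRESET_THRESHOLD_PPS):
    """Step 1: keep only flows whose rate exceeds the preset threshold."""
    return [f for f in stats if f["pps"] > threshold]


def judge_flow(net, flow):
    """Step 5: True when the judgment model scores the flow as attack traffic."""
    return net.forward(features(flow))[1] > 0.5


def stop_flow(flow):
    """Step 6: blocking instruction (constructed format, not a controller API)."""
    return {"switch": flow["switch"], "match": flow["src"], "action": "drop"}


def prevent_and_control(stats, net):
    return [stop_flow(f) for f in search_abnormal_flow(stats) if judge_flow(net, f)]


# Constructed per-switch flow statistics.
SAMPLE_STATS = [
    {"switch": "s1", "src": "10.0.1.0/24", "pps": 18000, "miss_ratio": 0.92, "src_spread": 0.90},
    {"switch": "s2", "src": "10.0.2.0/24", "pps": 12000, "miss_ratio": 0.04, "src_spread": 0.03},
    {"switch": "s3", "src": "10.0.3.0/24", "pps": 800, "miss_ratio": 0.90, "src_spread": 0.90},
]

MODEL = train_judgment_model()

if __name__ == "__main__":
    for instruction in prevent_and_control(SAMPLE_STATS, MODEL):
        print(instruction)
```

Flows below the preset threshold (s3 in the sample) are never passed to the judgment model, so the threshold setting bounds what the classifier can catch.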
The application also provides a DoS attack prevention and control device under an SDN network, which comprises an abnormal traffic acquisition module, a shunting neural network acquisition module, a shunting module, a judgment model acquisition module, a judgment module and a blocking instruction generation module. The abnormal traffic acquisition module is used for acquiring abnormal traffic in the SDN network whose traffic value is greater than a preset threshold; the shunting neural network acquisition module is used for acquiring a neural network for shunting; the shunting module is used for shunting the abnormal traffic according to the neural network for shunting; the judgment model acquisition module is used for acquiring an abnormal traffic judgment model; the judgment module is used for judging, according to the abnormal traffic judgment model, whether the abnormal traffic is attack traffic; and the blocking instruction generation module is used for generating a blocking instruction when the judgment module's result is positive.
In this embodiment, the DoS attack prevention and control device under the SDN network further includes a training module, which is configured to train the abnormal traffic judgment model.
The above description of the method applies equally to the description of the apparatus.
The electronic device comprises an input device, an input interface, a central processing unit, a memory, an output interface and an output device. The input interface, the central processing unit, the memory and the output interface are mutually connected through a bus, and the input equipment and the output equipment are respectively connected with the bus through the input interface and the output interface and further connected with other components of the electronic equipment. Specifically, the input device 501 receives input information from the outside and transmits the input information to the central processor through the input interface; the central processing unit processes the input information based on the computer executable instructions stored in the memory to generate output information, temporarily or permanently stores the output information in the memory, and then transmits the output information to the output device through the output interface; the output device outputs the output information to the outside of the electronic device for use by the user.
That is, the electronic device may also be implemented to include: a memory storing computer-executable instructions; and one or more processors that, when executing the computer-executable instructions, may implement the DoS attack prevention and control method under the SDN network described in connection with Fig. 1.
In one embodiment, an electronic device may be implemented to include: a memory configured to store executable program code; and one or more processors configured to execute the executable program code stored in the memory to perform the DoS attack prevention and control method under the SDN network in the above embodiments.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include both permanent and non-permanent, removable and non-removable media that implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Furthermore, it will be obvious that the term "comprising" does not exclude other elements or steps. A plurality of units, modules or devices recited in the device claims may also be implemented by one unit or overall device by software or hardware. The terms first, second, etc. are used to identify names, but not any particular order.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks identified in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The processor in this embodiment may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may be used to store computer programs and/or modules, and the processor may implement various functions of the apparatus/terminal device by running or executing the computer programs and/or modules stored in the memory, as well as by invoking data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
In this embodiment, the module/unit integrated with the apparatus/terminal device may be stored in a computer-readable storage medium if it is implemented in the form of a software functional unit and sold or used as a separate product. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by hardware related to instructions of a computer program, which may be stored in a computer readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like.
It should be noted that the computer readable medium may contain content that is appropriately increased or decreased as required by legislation and patent practice in the jurisdiction. Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application, and those skilled in the art can make variations and modifications without departing from the spirit and scope of the present application.
Although the invention has been described in detail hereinabove with respect to a general description and specific embodiments thereof, it will be apparent to those skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims (5)

1. A DoS attack prevention and control method under an SDN network, characterized by comprising the following steps:
acquiring abnormal flow in the SDN network whose flow value is greater than a preset threshold;
obtaining a neural network for shunting, wherein obtaining the neural network for shunting comprises:
constructing a three-layer strategy neural network for shunting;
constructing a three-layer discrimination neural network for shunting;
constructing a six-layer convolutional neural network for feature extraction;
inputting the topological structure of the whole SDN network into the convolutional neural network;
the convolutional neural network outputting the abstracted SDN network features;
inputting the SDN network features into the strategy neural network;
the strategy neural network outputting a shunting scheme;
inputting the shunting scheme into the discrimination neural network;
the discrimination neural network outputting a score for the scheme;
the SDN network shunting according to the shunting scheme;
the SDN network calculating the variation value of the QoS caused by the current shunt;
training the discrimination neural network for shunting and the strategy neural network for shunting, with minimizing the difference between the variation value of the QoS and the score as the objective function;
shunting the abnormal flow according to the neural network for shunting;
acquiring an abnormal flow judgment model;
judging the abnormal flow according to the abnormal flow judgment model to determine whether the abnormal flow is attack flow, and if so,
generating a plugging instruction; wherein
judging the abnormal flow according to the abnormal flow judgment model to determine whether the abnormal flow is attack flow comprises:
passing the abnormal flow as input into the abnormal flow judgment model;
obtaining the output of the abnormal flow judgment model as a judgment result;
back-propagating the error of the judgment result and updating the network parameters;
the DoS attack prevention and control method under the SDN network further comprises:
training the abnormal flow judgment model;
wherein training the abnormal flow judgment model comprises:
generating adversarial samples from historical data;
attacking the SDN network with the adversarial samples;
and judging each adversarial sample with the abnormal flow judgment model.
2. The DoS attack prevention and control method under the SDN network of claim 1, wherein before acquiring the abnormal flow in the SDN network whose flow value is greater than the preset threshold, the method further comprises:
initializing the network in the overall SDN environment and initializing the state of the controllers and switches.
3. A DoS attack prevention and control device under an SDN network, characterized by comprising:
an abnormal flow acquisition module, used for acquiring abnormal flow in the SDN network whose flow value is greater than a preset threshold;
a shunting neural network acquisition module, used for obtaining a neural network for shunting;
a shunting module, used for shunting the abnormal flow according to the neural network for shunting;
a judgment model acquisition module, used for acquiring an abnormal flow judgment model;
a judging module, used for judging the abnormal flow according to the abnormal flow judgment model to determine whether the abnormal flow is attack flow;
a plugging instruction generating module, used for generating a plugging instruction when the judgment of the judging module is positive; wherein
obtaining the neural network for shunting comprises:
constructing a three-layer strategy neural network for shunting;
constructing a three-layer discrimination neural network for shunting;
constructing a six-layer convolutional neural network for feature extraction;
inputting the topological structure of the whole SDN network into the convolutional neural network;
the convolutional neural network outputting the abstracted SDN network features;
inputting the SDN network features into the strategy neural network;
the strategy neural network outputting a shunting scheme;
inputting the shunting scheme into the discrimination neural network;
the discrimination neural network outputting a score for the scheme;
the SDN network shunting according to the shunting scheme;
the SDN network calculating the variation value of the QoS caused by the current shunt;
training the discrimination neural network for shunting and the strategy neural network for shunting, with minimizing the difference between the variation value of the QoS and the score as the objective function; wherein
judging the abnormal flow according to the abnormal flow judgment model to determine whether the abnormal flow is attack flow comprises:
passing the abnormal flow as input into the abnormal flow judgment model;
obtaining the output of the abnormal flow judgment model as a judgment result;
back-propagating the error of the judgment result and updating the network parameters;
the DoS attack prevention and control device under the SDN network further comprises:
a training module, used for training the abnormal flow judgment model;
wherein training the abnormal flow judgment model comprises:
generating adversarial samples from historical data;
attacking the SDN network with the adversarial samples;
and judging each adversarial sample with the abnormal flow judgment model.
4. An electronic device comprising a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the DoS attack prevention and control method under an SDN network according to any one of claims 1 to 2 when executing the computer program.
5. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the DoS attack prevention and control method under an SDN network according to any one of claims 1 to 2.
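
The shunting objective recited in claims 1 and 3 (fit the scoring function so that its score matches the measured QoS change, then shunt by the best-scored scheme), shown as an added example that is not code from the patent. It substitutes a quadratic scorer and a grid search for the convolutional, strategy and discrimination networks; the two-path topology, capacities, threshold and QoS metric are constructed assumptions.

```python
import random

THRESHOLD = 100.0            # assumed preset flow threshold (Mbit/s)
CAP = (100.0, 100.0)         # constructed capacities: primary path, alternate path
BACKGROUND = (0.0, 20.0)     # constructed background load on each path

def qos(loads):
    """Toy QoS metric: negative sum of squared link utilisation (higher is better)."""
    return -sum((l / c) ** 2 for l, c in zip(loads, CAP))

def qos_change(flow, x):
    """Measured QoS change when fraction x of the abnormal flow moves to the alternate path."""
    before = (BACKGROUND[0] + flow, BACKGROUND[1])
    after = (BACKGROUND[0] + flow * (1 - x), BACKGROUND[1] + flow * x)
    return qos(after) - qos(before)

def features(x):
    return (1.0, x, x * x)

def score(theta, x):
    """Discrimination step: score the shunting scheme x."""
    return sum(t * f for t, f in zip(theta, features(x)))

def train_critic(flow, steps=40000, lr=0.3, seed=7):
    """Minimise (score - measured QoS change)^2 by stochastic gradient descent."""
    rng = random.Random(seed)
    theta = [0.0, 0.0, 0.0]
    for _ in range(steps):
        x = rng.random()                              # try a random shunting scheme
        err = score(theta, x) - qos_change(flow, x)   # objective: score vs. QoS change
        theta = [t - lr * err * f for t, f in zip(theta, features(x))]
    return theta

def choose_scheme(theta, grid=21):
    """Strategy step: pick the candidate split that the scorer rates highest."""
    return max((i / (grid - 1) for i in range(grid)), key=lambda x: score(theta, x))

def handle_flow(flow):
    """Return the shunt fraction for a flow, or None if it is not above the threshold."""
    if flow <= THRESHOLD:
        return None
    return choose_scheme(train_critic(flow))

if __name__ == "__main__":
    x = handle_flow(150.0)
    print(f"shunt fraction {x:.2f}, QoS change {qos_change(150.0, x):+.3f}")
```

In this constructed topology the measured QoS change for a 150 Mbit/s flow is 3.9x − 4.5x², so the trained scorer should steer a little under half of the abnormal flow onto the alternate path.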
CN202110791809.0A 2021-07-13 2021-07-13 Dos attack prevention and control method and device under sdn network Expired - Fee Related CN113630385B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110791809.0A CN113630385B (en) 2021-07-13 2021-07-13 Dos attack prevention and control method and device under sdn network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110791809.0A CN113630385B (en) 2021-07-13 2021-07-13 Dos attack prevention and control method and device under sdn network

Publications (2)

Publication Number Publication Date
CN113630385A CN113630385A (en) 2021-11-09
CN113630385B true CN113630385B (en) 2022-05-06

Family

ID=78379664

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110791809.0A Expired - Fee Related CN113630385B (en) 2021-07-13 2021-07-13 Dos attack prevention and control method and device under sdn network

Country Status (1)

Country Link
CN (1) CN113630385B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015058697A1 (en) * 2013-10-25 2015-04-30 Hangzhou H3C Technologies Co., Ltd. Sdn packet forwarding
CN108566342A (en) * 2018-04-12 2018-09-21 国家计算机网络与信息安全管理中心 Multi-service flow separate system based on SDN frameworks and streamed data processing method
CN110691100A (en) * 2019-10-28 2020-01-14 中国科学技术大学 Hierarchical network attack identification and unknown attack detection method based on deep learning
CN111988277A (en) * 2020-07-18 2020-11-24 郑州轻工业大学 Attack detection method based on bidirectional generation counternetwork
CN112039906A (en) * 2020-09-03 2020-12-04 华侨大学 Cloud computing-oriented network flow anomaly detection system and method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615818B (en) * 2015-03-24 2021-12-03 华为技术有限公司 SDN-based DDOS attack protection method, device and system
TWI607641B (en) * 2016-07-12 2017-12-01 國立清華大學 Software-defined network controller and multipath routing method
CN106357622B (en) * 2016-08-29 2019-06-14 北京工业大学 Exception flow of network based on software defined network detects system of defense
CN108123931A (en) * 2017-11-29 2018-06-05 浙江工商大学 Ddos attack defence installation and method in a kind of software defined network
CN107968791B (en) * 2017-12-15 2021-08-24 杭州迪普科技股份有限公司 Attack message detection method and device
CN108718296A (en) * 2018-04-27 2018-10-30 广州西麦科技股份有限公司 Network management-control method, device and computer readable storage medium based on SDN network
CN109981691B (en) * 2019-04-30 2022-06-21 山东工商学院 SDN controller-oriented real-time DDoS attack detection system and method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on a software-defined traffic monitoring platform for power monitoring networks; 李曼; 《网络安全技术与应用》; 20171015 (No. 10); full text *

Also Published As

Publication number Publication date
CN113630385A (en) 2021-11-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220506